The document discusses the state of IT security based on statistics from 2011. It notes that the average cost of a security breach was USD 7.2 million, with a USD 6.5 billion total impact on U.S. businesses, and that most breaches (92%) were avoidable through basic security practices. Major attacks in 2011 included the breaches at Sony, Citibank and RSA. Trends show attacks exploiting application and software vulnerabilities over ports the firewall already allows, while automated tools make cybercrime more sophisticated and widespread. Looking ahead, the challenges include threats to critical infrastructure, mobile security risks from BYOD, and state-sponsored cyber attacks.
2. Cost of security breach
Cost of a breach: Ponemon 2011, approx. USD 6.75 to 7.2 million *
2011 stats. Source: Online Trust Alliance (OTA)
• 558 breaches
• 126 million records
• 76% server exploits
• 92% avoidable
• $318 cost per record
• $7.2 million average cost of each breach
• $6.5 billion impact to U.S. businesses
Education (schools and colleges) represented 13% of the incidents, government agencies 15%, health care providers 29% and business 43%.
Source: Privacy Rights Clearinghouse (PRC)
Most alarming is that 96% were avoidable through simple steps and internal controls (the OTA figure above is 92%; the two reports use different samples).
Source: Verizon 2011 Data Breach Investigations Report (DBIR)
"Two out of five companies that experience a catastrophe or an extended system outage never resume operations, and of those that do, one-third go out of business within two years."
Source: Gartner Group
* Cost to individuals could be up to USD 14 billion
3. 2011 – Year of the hacker
Attack history
• Epsilon, Sony, Citibank, RSA
• SCADA under threat; WikiLeaks; DigiNotar
• Ten Days of Rain
• Anonymous, LulzSec
2012... and it's just January
• Zappos
• Symantec source code theft
• India MI disclosure
4. Trends
• Attacks use the ports the firewall already allows, and exploit application/software vulnerabilities
• Zero-day exploits; the underground exploit market
• Corporatization and nationalization of cybercrime: why Russia and the Eastern bloc
• Availability of sophisticated automated tools; crimeware
• Commoditization of IT: tablets, smartphones, BYOD
• UK ICO; US critical infrastructure protection, DHS, Cyber Czar
• APTs, SCADA: the Tilded platform (Stuxnet/Duqu)
• Hacktivism
• Social networks and social engineering
• Piracy and IP: SOPA/PIPA, Megaupload, FileSonic
• Piracy: Google's policy change
5. What to expect next ?
• Literacy alone is not enough: be careful and be skeptical
• Opportunities in 2012: London Olympics, Mayan calendar
• Challenges for corporations and nations: the Internet and computing power as means of collaboration, trade, information sharing and business... for the bad guys too; APTs again; politicization of cybercrime
• Websense Labs: almost 50% of data loss happens over the web
• Move to HTTPS: IDS/IPS, AV etc. are left in the dark unless traffic is decrypted for inspection
• Effects on other industries: financial risk, cyber insurance
• DPA/SOPA/PIPA/ACTA/TPPA, PRECISE Act, NSTIC, India IT Act of 20xx
• BYOD: the most popular acronym of the year
• Heterogeneous environments
• Not just Microsoft any more
• Malware on Mac
• Blended attacks
• Can I keep all my eggs in the same basket (the cloud)?
• Recent NIST advisory
• Open-everything
• Mobility + social networks + cloud + (NFC etc.)
6. Personal responsibility
• Humans are the weakest link; security is a people and management problem. As the remark attributed to Einstein goes, only two things are infinite: the universe and human stupidity.
• Password change check
• Replace your e-mail address with text in forum posts (for example "name at example dot com") so it cannot be harvested
• Ego-surfing: search for your own name and see what is exposed
• Unknown senders: treat their attachments and links with suspicion
• Bank and work passwords: keep them unique, never reused elsewhere
• Credit card CVC: never store it or hand it out
• Password safes
• Gmail OTP (2-step verification) and the Google Dashboard
• TrueCrypt, Prey Project, Tor Project