Anyone who has been in Information Security for any length of time knows the difficultly of getting people to listen — the frustrating challenge in convincing people to take security seriously. In the enterprise, every single InfoSec budget dollar is painfully scrutinized. Every security decision resisted. Many feel that no matter what InfoSec pros say or do, those they’re responsible for protecting prefer to wait for something bad to happen first. In the meantime InfoSec laments how no one listens, and when an incident eventually does happen, it will ambulance chase and cry “told you so!” Maybe the resistance is warranted though. Maybe after the world spends $75 billion annually on InfoSec, only to see the hacks large and small continue on, become more damaging, and threat actors more brazen, people are justifiably skeptical of our value. In the eyes of many, InfoSec at best is seen as a necessary evil. InfoSec’s performance (or lack thereof) and this skepticism is why we now see billions of dollars flowing toward cyber-insurance premiums to cover breach costs, dollars NOT going directly toward preventing break-ins. This is a wake-up call and clear signal that InfoSec is in the midst of an credibility crisis, a crisis that puts everyone at risk. It also doesn’t help when the websites of security certification providers are laced with malware, when popular security software packages such as anti-virus are riddled with vulnerabilities that make customers less safe, or when major incident response vendors themselves suffer their own data breaches. Our work is too important to continue with the status quo. We need to turn things around, and as such, InfoSec has an important choice to make. InfoSec can either choose to continue pointing fingers, complaining about the same things over and over year after year, or as an industry we can take responsibility and do something about it. First and foremost, we must find ways to improve InfoSec’s credibility and measurably prove its worth. One way to do that, a way that stands above all others, is for security vendors to contractually guarantee that their products and services will perform as advertised. Guarantees like we see and expect from every other major industry in the world. InfoSec is an incredibly confusing space, littered with snake-oil and charlatans, so when security vendors are willing to provide guarantees and SLAs, it builds trust that differentiates them like nothing else can. Security guarantees are the biggest opportunity for every security practitioner and vendor to make a real difference and everyone needs to get involved.

1. INFOSEC’S CREDIBILITY CRISIS IS
ALSO OUR BIGGEST OPPORTUNITY
JEREMIAH GROSSMAN
@jeremiahg
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/

2. JEREMIAH GROSSMAN
WHO I AM…
▸ Professional Hacker
▸ OWASP Person of the Year (2015)
▸ International Speaker
▸ Black Belt in Brazilian Jiu-Jitsu
▸ Founder of WhiteHat Security

3. AREAS OF INTEREST
▸ Intersection of security guarantees and cyber-insurance
▸ Malware / Ransomware
▸ Easing the burden of vulnerability remediation
▸ Security crowd-sourcing
▸ Industry skill shortage

4. “I OFTEN SAY THAT WHEN YOU
CAN MEASURE WHAT YOU ARE
SPEAKING ABOUT, AND EXPRESS
IT IN NUMBERS, YOU KNOW
SOMETHING ABOUT IT;
BUT WHEN YOU CANNOT
MEASURE IT, WHEN YOU CANNOT
EXPRESS IT IN NUMBERS, YOUR
KNOWLEDGE IS OF A MEAGRE
AND UNSATISFACTORY KIND."
Lord Kelvin

5. “2015 GLOBAL SPENDING ON
INFORMATION SECURITY IS SET
TO GROW BY CLOSE TO 5% THIS
YEAR TO TOP $75BN,
ACCORDING TO THE LATEST
FIGURES FROM GARTNER”
The Wall Street Journal
GROWTH INDUSTRY

6. ORGANIZED CRIME
NATION-STATE TERRORISM?
HACKTIVISTS

7. 1,083,252,900 SITESNETCRAFT: APRIL 2016 WEB SERVER SURVEY

8. VERIZON DATA BREACH INVESTIGATIONS REPORT (2016)
FREQUENCY OF INCIDENT CLASSIFICATION PATTERNS
OVER TIME ACROSS CONFIRMED DATA BREACHES.

9. VERIZON DATA BREACH INVESTIGATIONS REPORT (2016)
INCIDENT PATTERNS BY INDUSTRY
(ONLY CONFIRMED DATA BREACHES)

10. TRUSTWAVE GLOBAL SECURITY REPORT (2016)
METHODS OF INTRUSION

11. VERIZON DATA BREACH INVESTIGATIONS REPORT (2016)
TOP 10 THREAT ACTION VARIETIES
WITHIN WEB APP ATTACK BREACHES

12. VULNERABILITY LIKELIHOOD (1 OR MORE)
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
70%!
56%!
47%!
29%! 26%! 24%!
16%! 15%! 11%! 11%! 8%! 6%! 6%! 6%! 5%!
0%!
10%!
20%!
30%!
40%!
50%!
60%!
70%!
80%!
90%!
100%!
InsufficientTransportLayer
Inform
ation
Leakage!
C
ross
Site
Scripting!Brute
Force!
C
ontentSpoofing!
C
ross
Site
RequestForgery!
U
RL
RedirectorAbuse!
Predictable
Resource
Location!
Session
Fixation!
InsufficientAuthorization!
D
irectory
Indexing!
Abuse
ofFunctionality!
SQ
L
Injection!
InsufficientPassw
ord
Recovery!
Fingerprinting!

13. VERACODE: STATE OF SOFTWARE SECURITY REPORT VOL 6, FALL 2015
TOP 10 VULNERABILITY CATEGORIES
BY PROGRAMMING LANGUAGE

14. AVERAGE TIME-TO-FIX (DAYS)
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
73!
97! 99! 108! 111!
130! 132! 136!
158! 160!
191! 192!
227!
0!
50!
100!
150!
200!
250!
Transportation!
Arts
&
Entertainm
ent!
Accom
m
odation!
Professional&
Scientific!
Public
Adm
inistration!O
therServices!
Inform
ation!
EducationalServices!
H
ealth
C
are
&
Social!
Finance
&
Insurance!M
anufacturing!
U
tilities!
RetailTrade!

15. WINDOWS OF EXPOSURE
WHITEHAT’S WEBSITE SECURITY STATISTICS REPORT 2015
60%!
38%!
52%!
39%!
9%!
11%!
11%!
14%!
10%!
14%!
12%!
11%!
11%!
16%!
11%!
18%!
11%!
22%!
14%!
17%!
Retail Trade!
Information!
Health Care &!
Social Assistance!
Finance &!
Insurance!
Always Vulnerable!
Frequently Vulnerable (271-364 days a year)!
Regularly Vulnerable (151-270 days a year)!
Occasionally Vulnerable (31-150 days a year)!
Rarely Vulnerable (30 days or less a year)!

16. VERACODE: STATE OF SOFTWARE SECURITY REPORT VOL 6, FALL 2015
PERCENT VULNERABILITIES
FOUND VS. FIXED

17. TRUSTWAVE GLOBAL SECURITY REPORT (2016)
APPLICATION SECURITY

18. “IN 2014, 71% OF SECURITY PROFESSIONALS SAID THEIR
NETWORKS WERE BREACHED. 22% OF THEM VICTIMIZED
6 OR MORE TIMES. THIS INCREASED FROM 62% AND 16%
RESPECTIVELY FROM 2013.”
“52% SAID THEIR ORGANIZATIONS WILL LIKELY BE
SUCCESSFULLY HACKED IN THE NEXT 12 MONTHS.”
“THIS IS UP FROM 39% IN 2013.”
Survey of Security Professionals by CyberEdge
HAVE YOU BEEN HACKED? DO YOU THINK YOU’LL BE HACKED AGAIN?

19. CYBER EDGE GROUP: 2015 CYBERTHREAT DEFENSE REPORT
NORTH AMERICA & EUROPE
HOW MANY TIMES DO YOU ESTIMATE THAT YOUR ORGANIZATION’S
GLOBAL NETWORK HAS BEEN COMPROMISED BY A SUCCESSFUL
CYBERATTACK WITHIN THE LAST 12 MONTHS?

20. CYBER EDGE GROUP: 2015 CYBERTHREAT DEFENSE REPORT
NORTH AMERICA & EUROPE
WHAT IS THE LIKELIHOOD THAT YOUR ORGANIZATION’S
NETWORK WILL BECOME COMPROMISED BY A
SUCCESSFUL CYBERATTACK IN 2015?

21. DO YOU EXPECT A CYBERATTACK TO STRIKE YOUR
ORGANIZATION IN 2015? (N = 3,435)
A. YES 46%
B. NO 24%
C. UNSURE 30%
Respondents are global business and IT professionals who are members of ISACA.
DO YOU THINK YOU’LL BE HACKED AGAIN?

22. “71% WERE AFFECTED BY A
SUCCESSFUL CYBERATTACK IN 2014,
BUT ONLY 52% EXPECT TO FALL VICTIM
AGAIN IN 2015.”
2015 CYBERTHREAT DEFENSE REPORT
NORTH AMERICA & EUROPE
APATHY OR PRAGMATISM?

23. RANGE OF EXPECTED LOSSES
RECORDS PREDICTION
(LOWER)!
AVERAGE
(LOWER)!
EXPECTED AVERAGE
(UPPER)!
PREDICTION
(UPPER)!
100! $1,170! $18,120! $25,450! $35,730! $555,660!
1,000! $3,110! $52,260! $67,480! $87,140! $1,461,730!
10,000! $8,280! $143,360! $178,960! $223,400! $3,866,400!
100,000! $21,900! $366,500! $474,600! $614,600! $10,283,200!
1,000,000! $57,600! $892,400! $1,258,670! $1,775,350! $27,500,090!
10,000,000! $150,700! $2,125,900! $3,338,020! $5,241,300! $73,943,950!
100,000,000! $392,000! $5,016,200! $8,852,540! $15,622,700! $199,895,100!
VERIZON DATA BREACH INVESTIGATIONS REPORT (2015)

24. DOWNSIDE PROTECTION
CYBER-INSURANCE
▸ As of 2014, American businesses
were expected to pay up to $2
billion on cyber-insurance
premiums, a 67% spike from $1.2
billion spent in 2013.
▸ Current expectations by one
industry watcher suggest 100%
growth in insurance premium
activity, possibly 130% growth.

25. “ACCORDING TO PWC, THE
CYBER INSURANCE MARKET
IS SET TO TRIPLE IN THE NEXT
FEW YEARS AND WILL REACH
$7.5 BILLION BY 2020.”
Dark Reading
BOOMING INDUSTRY

26. “THE LARGEST BARRIER TO GROWTH IS
LACK OF ACTUARIAL DATA ABOUT
CYBERATTACKS, BUT THIS IS QUICKLY
CHANGING WITH CONTINUED CYBER
ASSAULTS.”
“ABI RESEARCH FORECASTS THE MARKET
TO HIT US $10 BILLION BY 2020.”
ABI Research
DATA IS LACKING

27. “ABOUT A THIRD OF U.S. COMPANIES
ALREADY HAVE SOME FORM OF
CYBER-INSURANCE COVERAGE,
ACCORDING TO A REPORT
PRICEWATERHOUSECOOPERS
RELEASED LAST YEAR.”
The Parallax
BUY WHATEVER THERE IS

28. SMALL PAYOUTS. LARGE PAYOUTS.
BREACH CLAIMS
▸ Target spent $248 million after
hackers stole 40 million payment
card accounts and the personal
information of up to 70 million
customers. The insurance payout,
according to Target, will be $90
million.
▸ Home Depot reported $43 million in
expenses related to its September
2014 hack, which affected 56 million
credit and debit card holders.
Insurance covered only $15 million.

29. LOTS OF INSURERS GETTING INTO THE BUSINESS
BREACH CLAIMS
▸ “Anthem has $150 million to $200
million in cyber coverage,
including excess layers, sources
say.”
▸ “Insurers providing excess layers of
cyber coverage include: Lloyd’s of
London syndicates: operating units
of Liberty Mutual Holding Co.;
Zurich Insurance Group; and CNA
Financial Corp., sources say.:

30. “AVERAGE RATES FOR RETAILERS SURGED 32% IN
THE FIRST HALF OF THIS YEAR, AFTER STAYING
FLAT IN 2014, ACCORDING TO PREVIOUSLY
UNREPORTED FIGURES FROM MARSH.”
“AND EVEN THE BIGGEST INSURERS WILL NOT
WRITE POLICIES FOR MORE THAN $100 MILLION
FOR RISKY CUSTOMERS.”
The Security Ledger
INCIDENTS DRIVING UP COST OF PREMIUMS

31. “DHS IS LOOKING AT
ALTERNATIVES TO INCENTIVIZE
BETTER SECURITY IN VARIOUS
INDUSTRIES AND IS LOOKING AT
CYBER INSURANCE AS ONE OF
THOSE MEANS.”
Federal Times
GOVERNMENT ACTION

32. 2014 – 2015
NEW SECURITY INVESTMENT VS. CYBER-INSURANCE
$3,800,000,000
$3,200,000,000
Informa(on Security Spending (Global)
~ $3.8 billion in new spending (+4.7%)
Cyber-Security Insurance
~$3.2 billion in spending (+67%)

33. EVER NOTICE HOW
EVERYTHING IN THE
INFORMATION SECURITY
INDUSTRY IS SOLD “AS IS”?
NO GUARANTEES
NO WARRANTIES
NO RETURN POLICIES

34. INFORMATION SECURITY
THE
$75 BILLION
GARAGE SALE

35. INFOSEC’S BIGGEST OPPORTUNITY
SECURITY GUARANTEES

37. “WHITEHAT RECENTLY STRUCK A PARTNERSHIP WITH
FRANCHISE PERILS, AN INSURER OF ONLINE RETAIL
WEBSITES, BY WHICH FRANCHISE PERILS WILL
CONTRIBUTE TOWARD THE PURCHASE OF WHITEHAT’S
FLAGSHIP SERVICE, SENTINEL, FOR ANY ONLINE
RETAILER PURCHASING A CYBER POLICY.”
“WHITEHAT WILL GIVE IT A HIGHER SCORE IN ITS
WHITEHAT SECURITY INDEX, RANGING FROM 0 TO 800—
SIMILAR TO A CREDIT RATING FOR CONSUMERS.”
Third Certainty
HOW ONE COMPANY IS DOING IT

38. “THE ONLY TWO
PRODUCTS NOT COVERED
BY PRODUCT LIABILITY
ARE RELIGION AND
SOFTWARE, AND
SOFTWARE SHALL NOT
ESCAPE MUCH LONGER.”
Dan Geer
CISO, In-Q-Tel

39. HACK YOURSELF FIRST.
Jeremiah Grossman
@jeremiahg
https://www.facebook.com/jeremiahgrossman
https://www.linkedin.com/in/grossmanjeremiah
https://www.jeremiahgrossman.com/
http://blog.jeremiahgrossman.com/
I'M OK WITH IT BEING
AWKWARD BETWEEN US