
Hacking the Bank: Figuring Out What the Cost of Hacks May Be

BSidesSF 2012 · 46:30 · Published 2017-11
Speakers: Gillis Jones
Category: War Stories
Style: Talk
About this talk
Gillis Jones examines the financial realities of security breaches, arguing that industry cost estimates are wildly inaccurate and often deliberately obscured. Drawing on case studies—from the RSA breach to stock exchange outages to bank fraud settlements—he demonstrates how to calculate true breach costs: personnel, infrastructure, compliance recertification, lost trading volume, and litigation. The talk exposes accounting discrepancies in breach disclosure and offers a framework for security professionals to justify budgets with realistic financial data.
Original YouTube description
As someone who actually performs hacking on a daily basis for Fortune 50 companies, financials are not a large part of my job description. But, as someone closely tied to the safety and health of a company, it is clear that we need to be vocal about these costs in order for us to function at the right level. This presentation will be a discussion of my personal research into the financials of breaches and the bleak discoveries I came across as an infosec professional venturing into the business side of our work: namely, discrepancies in accounting, lack of disclosure around hacks, and ballpark estimates being the standard. Numbers are far too removed from the realities of security. So I will talk about how to focus on every aspect of a breach, and how to approach past breach cost estimation from a real-life perspective. Case studies will be shown to reflect actual expenditures, as well as descriptions of some of the actual hacks which were utilized in order to breach the systems. I will also give my recommendation on how we can best adjust our accounting for hacking attacks based on the actual workflow of someone who deals with these situations.
Transcript [en]

So, what's up everybody. Before we get started I have just a couple of little prizes to give away, just because I can. All right, so in the past year or so we've all heard a lot about, about a lot of breaches, and, you know, big-name companies getting tossed out, thrown down, punched in the eye, whatever. What's the biggest-name company you can think of? RSA. Who, anyone else? HBGary, where was that?

And Sony. All right, that wasn't in the past year. All right, so my name is Gillis Jones and this is me, as you can tell by that awesome headshot. I work at WhiteHat Security, I'm in the TRC, we do web application security. I've been doing e-commerce stuff for about three years now and I've gotten a couple of bounties from Facebook and all kinds of fun stuff like that. And more importantly than anything else you'll learn about me: I'm a hacker, I am NOT a mathematician. I got into this because I had questions and got a lot of "I don't knows", and, you know, like any hacker I figured, hey, you know, I need to find this solution.

This is WhiteHat Security; we're one of the leaders in web application security testing, continuous assessments, all that fun stuff. These are just a couple of the big-name companies that have been breached just in the past year. You'll see a bunch of names, from Sony to the New York Stock Exchange to government agencies, and you have to wonder, when big-name companies get breached, you know, whether or not they actually have really solid details on cost and whatnot. And this is one of my favorite quotes, by the way: it's not about math, it's about money. And way too many companies now are practicing what I like to call zombie financials, which is essentially the practice that was popularized back in the 60s, but it's kind of come to a head more recently as companies are fighting tooth and nail for, you know, higher stock prices and, you know, to yield return to their shareholders. It's basically concealing any losses that you make and twisting them on the books to make it look like a gain. You know, it's basically raising the dead, and it can be summed up in one word, which is "unreal". And, you know what, one of the best examples of unreal accounting was from Enron back in the late, the late 90s, and basically they had been twisting the numbers and, you know, creating subsidiaries and, you know, one-off companies at such a rate that they lost their money, and when that came to light everything went to pieces and the company went under.

All right, so a typical breach: there are some solid losses, and the estimates that we have going around right now are generally unsourced, and they're just people pulling numbers out of, you know, out of a hat, essentially. You know, Forrester's cost-loss estimate was from 2008; their estimates were ninety to three hundred and five dollars. Now, adjusted, you know, with biannual inflation adjustments on these costs, it comes out to be about three hundred and fifty-six dollars on the high end of the breach. And so, you know, to me that is just as unrealistic as saying that, you know, the cost per record is, you know, a dollar. You know, you have to find something in the middle, and nothing, nothing is a better example of that than a large, large-scale breach that someone mentioned earlier, that was somewhere between seventy-seven million and a hundred million records that were actually breached. Now the company reported over and over again that only a hundred and seventy million dollars were actually lost. Now according to the Forrester scale, you know, the number should have been closer to nine billion, and on the high end closer to thirty-five point six billion. Now I'm not saying one's right, I'm not saying one's wrong, I'm just saying there has to be a middle ground, or a sweet spot.

And so, you know, so, you know, some numbers are getting fudged around; you know, is it that big of a deal? Yeah. You know, if you're basing your budget requests for your security program on publicly cited numbers, whether it be from a random company X or random company Y, and they're underselling what they actually spent, you're getting the short end of the stick. And, you know, to me it seems to be a snowballing problem: if you report less you get less, and the less you get, the more you'll actually spend in security spending. So, so I came up with a list of eight points to actually look at after a breach. Now in the interest of time I'm only covering four, because in my test presentation it went for an hour and a half, so, so I'm only doing four and then I'm releasing the paper to have some of the other ones. You know, if you're interested, come talk to me afterwards and I'll, I'll go through every one of them with you. But the first one is personnel costs. Now, RSA breach... [Music]

Um, no. All right, the, the, the question was if I was going to create an Excel spreadsheet where you could put in numbers and get a number out. No, because, like I said, I'm not a mathematician, you know, and honestly cost estimates are very specialized and individualized per company. So, you know, what works for a company A will not work for company Y. I'm just providing a very general overview of what you need to look at in your cost accounting. So unfortunately, no, there won't be a spreadsheet.

Now, with, with the RSA breach this past year, they said that there were somewhere around twenty-five thousand security clients. Now these are corporate clients, and some of their larger clients have over a hundred thousand key fobs, you know, per client. Now if we assume, you know, just for the sake of speculation, that no corporate client has less than ten thousand fobs, which, you know, I think is a relatively safe estimation just for the sake of modeling, that's two hundred and fifty million devices that need to be replaced. Now, not even factoring in the costs of physical hardware replacement, think about the sheer manpower that would be required to index, to associate tokens, to double-check the association of tokens, to package, to repackage, you know, to pallet and ship 250 million devices. That's not a two-man job; hell, that's not a 30-person job. You know, that's a multiple-business-unit undertaking over several months. And, you know, the average Fortune, Fortune 500 salary is somewhere around sixty-five to seventy thousand dollars a year. Now if you factor in overtime or anything like that, it comes out to be about, about five thousand a month before, before overtime, and can easily mount up to be fifteen. And if you're paying thirty people, you know, to be there for an entire month, overtime and whatnot, the expenses can get out of hand very quickly.

And the second one is technical infrastructure cost. During an attack, most of the time you'll have to replace some kind of hardware, you'll have to replace, you know, put in place some kind of DDoS mitigation, and so many websites now are based off of cloud providers that, you know, for every cycle that you consume over a certain level you'll have to pay, and even if you didn't intend it, Amazon will charge you. So quick, quick question: does anyone, just name a cloud provider.

Yeah.

Oh yeah, benefits and everything, thank you for pointing that out. All right, so he pointed out quite accurately that even though the actual salary of an employee only may be sixty to seventy thousand dollars, the actual cost for the company for having them could be, you know, two to three times that for, you know, additional benefits or whatever else. And I really love that because, you know, I'm trying to learn, and, you know, that's the whole purpose of this, you know, it's the purpose of BSides, we're here to learn.

All right, so, you know, you have to bring in consultants and, you know, all kinds of stuff to, you know, either do incident response or to fix your solutions or whatever. And now if you take your total income and divide that by your, by the amount of days, the duration of the attack, the amount of bandwidth consumed and the cost of the bandwidth, plus the amount of mitigation provider such as Akamai or, you know, anyone else, and add in the consultant cost, your average cost there would be your, your cost per day. Now an interesting case study I came across was a local police department in kind of the Midwest. This is a relatively small town, they have about, I think they have ten to fifteen thousand people, but they had a 500-person policing force. Now the hackers in this case bypassed their, their network control mechanisms and were able to access their SQL database, which essentially stored all of their police officer and, and violator information. So if you had ever been arrested, ever been pulled over, your information was in the database, including your social security number, your everything, and if you paid tickets your credit was in there. This was not good for anybody. Then it took four to six weeks of consultancy work, and the estimated costs for a very, very small-scale hack was two million dollars just for consultants. Like, that's a real cost associated with breaches, and I, I just, you know, when something like that happens you definitely have to be... if you fall out of compliance you have to be recertified.

And, you know, it doesn't matter whether it's a mainline compliance or not, you know, PCI, SOX, HIPAA, you know, all the names we love to hate. With PCI especially, the initial cost of compliance can go up to five hundred thousand dollars. Now God help you if you have to be Sarbanes-Oxley compliant, because the initial cost there, you go up to 1.7 million just for initial compliance. Now if you fall out of compliance and you have to be recertified, you essentially have to go through the entire compliance certification process again. Now that's every time you get breached, if you fall out of compliance. And with HIPAA, if you have to be HIPAA compliant, the penalties can be even worse, because if you're a hospital and you get breached, you could have to actually close your doors and not reopen, because... but that is evil.

Now how many of you heard about the Anonymous stock exchange shenanigans back in October? Yeah, a couple people. All right, so they took down the website for a total of a minute. Now this shouldn't have been a big deal, you know, it shouldn't have been a problem: no new stock trading was available for a minute. Let's just try and figure out for a second how much trading didn't happen. Now if you take the amount traded in one day and multiply it by the amount of minutes, at a time, seven times sixty, you can come to a pretty safe estimate of an approximate cost of what the unrealized trading was. So in September 2011, the month prior to the attack, the reported amount of trading was fifty point nine billion shares. Now if you factor that into October's overall amount of trading, you divide by 21 days at 7 hours apiece, it comes out to be like 5 million per minute that isn't traded. Now if you factor in that, because of the outage, one minute on either side an individual wasn't able to get a proper cost estimate of a particular share, automated, automated trading solutions wouldn't be able to get an accurate measure so they wouldn't be able to trade, so I factored in a minute on either side. So the approximate trades that weren't able to be made were 17 million. Now if each trade is 10 or $15, that comes to 170 million bucks that wasn't traded in that time, and one minute doesn't translate as easily mentally as, you know, 170 million dollars.

Now here's one that actually took me by surprise. Now when you're breached, lawsuits are pretty much a given, you know, if your client data is disclosed, no matter, you know, if it's a state-sponsored act or if it's a, you know, an anonymous attacker or whatever, your customers aren't going to be happy about it. Now in 2011 there hasn't been any settled case law of breaches in 2011, because it takes anywhere from two to three years for a lawsuit, class-action or otherwise, to just gestate through the system. But for cases from 2008 the estimated amount per record was a thousand dollars. Now at least one, if not two or three, cases have been settled that actually awarded class-action status where they got a thousand per record. Now for 2011 it's kind of difficult to determine how many lawsuits have actually been filed, because some of them are, some of them are sealed, you know, pending, pending whether or not they are awarded class-action status. But I'm gonna show you a couple from 2008.

Well, first of all, this is a rather entertaining one. There was a rather large bank this past year who, their user management: essentially on the end of a URL they had your user number. Now you could actually change five there to six and have complete access to someone else's account. Not only could you access it, you could transfer money. Now I'm not sure how that got past the QA process, but regardless it did, and they paid dearly for it. Now initially they reported that 200,000 accounts were actually affected, and this is what got me interested in this in the first place: 200,000 accounts were affected. After a lawsuit by the state of Connecticut it actually came out that the number was two times as high, that, that actually 400,000 accounts had been affected. The, the company had willfully withheld two hundred thousand breach notifications, and 2.7 million was reported actually stolen, with one percent of the affected accounts actually being defrauded. And, you know, that comes out to be about four thousand customers, or seven hundred dollars an account. That seems to be a little bit of a hollow number, and kind of low, you know, if you're actually actively stealing money.

Now another bank, I'm starting to see a trend here, in 2008 had to pay three hundred and fifty thousand to the state of Connecticut after an internal actor took information and sold it on the black market. Now they had to pay twenty-five thousand dollars to any Connecticut resident who had to take proactive measures to prevent exploitation of their account. Now they had to reimburse them any out-of-pocket expenses, fraud alert charges and credit monitoring, and the actual insider was forced to pay like 1.2 million dollars. Now this bank in 2008 had a twenty-four percent market share of the bank market in Connecticut. There were thirty-three point five million residents; now if we estimate that 2.5 million of them are actually over eighteen and are actually banking age, then there would be about 600,000 that were actually customers. Now 600,000 people mandated to receive 25,000 each comes out to be about 15 billion dollars. I, you know, I, that's Connecticut alone. I would have liked to have seen that reported, I would like to have seen that and have that to show to my CIO, to be able to justify to my CFO that, you know, hey, you want that to happen to us? I don't think someone would be able to say no to that. 15 billion dollars should put someone out of business.

So I basically wanted to do this to try and, to try and show you that there's a lot of stuff that needs to be factored into a cost analysis, and there's, there's more than this. But, but when you go back to your organization and inevitably have a breach, look at what it costs you, and think about the effect of not properly reporting it and what that could do to other people, and basically the breach can affect you so much more than the initial design of your network. And these are all my sources for the presentation if you happen to want to look at them. And thank you, any questions? [Applause]

The Forrester report? Yeah, all right, so Forrester is an analyst firm that typically provides cost analysis and market analysis stuff for security and whatnot. They did a cost report back in 2008 where they estimated different, different organizational statuses and, you know, stuff, and classified it by, you know, different industries and stuff. So it was, it was something like ninety, one hundred and five, and three hundred and five dollars per record that they cited the cost would be. And yeah.

Thank you. Yeah?

All right, so that wasn't something I actually researched. However, you know, just gut instinct, most of the lawsuits I've seen, actually come across, have been, you know, things that resulted in SQL injection where actual records were disclosed. You know, whereas, you know, some, you know, number rotation, insufficient authorization stuff could also result in it, but SQL injection would be my primary thought.

Yeah?

Yeah, unfortunately I don't. That was a third-hand story, oh, second-hand story, but, you know, they kind of asked me not to really say names or anything because they got owned pretty harsh. But yeah, unfortunately, no.

Yeah?

Yeah, yeah, so the, so the typical markup on the tokens, as I was able to find, like I said there, there are four or five other categories that, you know, I wasn't able to cover because of previous time issues, but the market, the average markup amount for those tokens was like, I think, 10 to 15%. So on a, you know, production cost of 20 bucks, the actual retail amount would be somewhere between ten and fifteen above that, so 30 to 35 is the average retail that I was able to find online. Now, no, no, no, just the raw tokens. Yeah, absolutely, because, you know, in that, actually hold on, but yeah, so cost of replacement: you have to factor in the actual fiscal production of the replacement, the cost to get it into the customer's hand, as well as any loss on the retail markup. So, you know, you're getting into a three-factor cost analysis there for, just for, just replacement. Anyone else?

Yeah?

So one cost estimate that, that actually I'm kind of proud of was, in order to estimate soft losses, which is, you know, customer change: you take the, the customer spending for the 12 months prior to the breach, then you basically divide that by the, by 12, and then subtract the amount of, the amount of customer spending for the month after the breach, and the amount of change between those two is the actual number for the, for the estimated customer change, or the customer confidence loss.

Yeah?

Yeah, so the estimated, the numbers I've seen for that are anywhere from like five to seven percent customer attrition for an actual security breach, and, but those were relatively unsourced numbers, so, you know, take them with a grain of salt. I'm sorry?

So all of the actual analysis, yeah. Is there any way we could turn off these lights, or down some? All right, so the, the analysis that I did was actually like business-to-consumer. I'm not really providing any business-to-business stuff, but that's something I'm definitely going to look at in the future.

So, to be a hundred... okay, so the question was where the liability would lie in the RSA example, in the case that, you know, one of the companies got breached. So honestly I can't really speak to that; again, going to, you know, gut instinct, it would probably be the, you know, what, yeah, unfortunately I can't speak to that. You know, I, I can't even start to think what the, what the intricacies there would be. Absolutely, but that was an awesome question, so.

All right, all right, impress me with something business-related for a raffle thing. Anybody? Alex, anything?

Absolutely, yeah, to some effect, you...

I got two for you: everybody in this chain is not out of this organization.

So not only does it drop...

Yeah, yeah.

Well, so, if, if you're looking at an inbound call amount that is matching the amount of records that were actually disclosed, if you're looking at, you know, 10% of the actual disclosed record holders calling in to you, and you have to sign a, you know, call center or something like that, you're getting numbers, you know, per call, phone numbers of, you know, five, five bucks a call, you know, whatever, you know, and you get billions of records disclosed, you're looking at, you know, two or three hundred million dollars just in, you know, phone calls, you know, much less, you know, class-action lawsuits or, you know, anything else. So, you know, a ten, fifteen billion dollar, you know, number in that case I think is somewhat reasonable, but...

Absolutely. Oh, what's up?

So no, the closest thing to that I've seen was a, that there was a report before Congress back in 2006 that said that basically, after a breach there was an attrition rate of, that people that would absolutely sever their relationship of, I think, 15%, and that may, may sever it of about the same. I, but as to that exact thing I don't have any research into that, but very, it's an interesting thought. I'm not sure how you would actually come to those numbers though. Anyone else?

I'm not gonna comment on there.

Yeah, but, uh, sure.

All right guys, I tell you what, you know, you get along one time and then the next time...

[feedback]
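The back-of-envelope calculations the talk walks through (per-record scaling, personnel, infrastructure per day, recertification, unrealized trading, litigation per record, mandated reimbursement) and the soft-loss method from the Q&A, gathered into one added example; this is not the speaker's own spreadsheet (he says there is none) but a reconstruction of his method, with the talk's stage figures as inputs and constructed values wherever he gave none (the bandwidth and loaded-salary figures are assumptions):

```python
"""Breach-cost model following the cost categories discussed in the talk.

Added example, not the speaker's own spreadsheet. Each function is one
of the back-of-envelope calculations from the talk; talk_scenarios()
feeds them the figures quoted on stage so they can be compared with the
numbers he arrived at.
"""


def per_record_range(records, low=90.0, high=356.0):
    """Forrester-style per-record range: 2008 low end to inflation-adjusted high end."""
    return records * low, records * high


def personnel_cost(headcount, annual_salary, months, loaded_multiplier=1.0):
    """Staff cost of a remediation effort; loaded_multiplier captures the audience
    point that benefits push the real cost to two or three times base salary."""
    monthly = annual_salary / 12.0 * loaded_multiplier
    return headcount * monthly * months


def infrastructure_cost_per_day(bandwidth_gb, price_per_gb, mitigation_fees,
                                consultant_fees, attack_days):
    """Bandwidth overage plus mitigation provider and consultants, spread over the attack."""
    total = bandwidth_gb * price_per_gb + mitigation_fees + consultant_fees
    return total / attack_days


def recertification_cost(initial_costs):
    """Falling out of compliance means paying each initial certification again."""
    return sum(initial_costs.values())


def shares_per_minute(monthly_shares, trading_days, hours_per_day):
    """Average trading volume per minute derived from a month's reported volume."""
    return monthly_shares / (trading_days * hours_per_day * 60.0)


def lost_trading_value(monthly_shares, trading_days, hours_per_day,
                       outage_minutes, margin_minutes, price_per_share):
    """Unrealized trading during an outage, plus a margin minute on each side
    for traders who could not obtain an accurate price."""
    affected = outage_minutes + 2 * margin_minutes
    rate = shares_per_minute(monthly_shares, trading_days, hours_per_day)
    return rate * affected * price_per_share


def litigation_exposure(records, per_record=1000.0):
    """Settlement exposure at the per-record figure the 2008 cases settled for."""
    return records * per_record


def mandated_reimbursement(adult_residents, market_share, per_customer):
    """Statewide reimbursement if every customer of the bank had to be paid."""
    return adult_residents * market_share * per_customer


def customer_confidence_loss(prior_12_months, month_after):
    """Soft loss: average monthly spend before the breach minus the month after."""
    baseline = sum(prior_12_months) / float(len(prior_12_months))
    return baseline - month_after


def talk_scenarios():
    """The talk's figures pushed through the model (loaded multiplier is constructed)."""
    return {
        "forrester_100m_records": per_record_range(100_000_000),
        "rsa_reissue_30_staff_1_month": personnel_cost(30, 67_500, 1, 2.5),
        "pci_plus_sox_recert": recertification_cost({"PCI": 500_000, "SOX": 1_700_000}),
        "nyse_outage_oct_2011": lost_trading_value(50.9e9, 21, 7, 1, 1, 10.0),
        "bank_400k_accounts_litigation": litigation_exposure(400_000),
        "connecticut_insider_case": mandated_reimbursement(2_500_000, 0.24, 25_000),
    }
```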