2. Today’s topic
• What cyber threats will your business face in 2015?
• From cyber criminals to nation states and hacktivists, threats are evolving
• What should you be doing now?
• The best use of resources to protect your business
3. The agenda
• Defining moments of 2015
• Lessons for 2015
• Threats and responses
• Strategies for success
4. Q1: Which 2014 security news story concerns you the most?
• Sony Pictures hacks
• JPMorgan Chase breach
• PSN DDoS attack
• Community Health Systems breach
• None of the above
5. Defining moments: Sony+
• Last year it was Snowden/Target
• This year it’s Sony
• Also maybe JP Morgan Chase
• With a touch of The Home Depot
• Plus The Home of a Despot
• Some politics and NSA
• And a sprinkle of IoT
6. Defining moments
• Are teaching moments
• If we don’t learn from 2014
• 2015 won’t be any better
7. Sony Pictures epic hack
• Data destroyed, stolen, exposed
• System availability denied/degraded
• Present and former employees personally impacted
• Lawsuits
• Brand damage
8. Systemic security failure?
• A history of being attacked
• A “live with the risk” attitude
• Known weaknesses not remedied
• PWC audit second half of July
– One firewall and more than 100 other devices not monitored by corporate security team
– Monitored by studio’s in-house group
– "Security incidents impacting these network or infrastructure devices may not be detected or resolved timely"
9. Lesson #1
• Don’t leave unencrypted audit reports in executive email inboxes
• Don’t put into unencrypted email anything you may later regret saying or sharing (words, images, reports, etc.)
• Most email is unencrypted
• If they own your account, encryption is not going to keep secrets
10. Lesson #2
• Make your security awesome before you antagonize known hackers
• Or don’t antagonize known hackers
• Try asking your head of security if he’s okay with you taunting hackers
• If he says yes, get a second opinion
11. Lesson #3
• Hacktivism is here to stay
• The Internet is fundamentally asymmetric
• May discretion be the better part of cyber valor?
12. JPMorgan Chase hack
• Deeper and wider than first announced
• “This was a sophisticated attack with nation state overtones”
14. Lesson #4
• Do all the right things all the time
• Yes, I know that is very hard to do
• But the scale of targeted attack activity is higher than ever
• E.g. fewer cyber attacks on retailers, but more efficient*
*IBM 2014 Retail Intelligence Report
15. Lesson #5
• Don’t play the “sophisticated nation state attack” card
• It makes you look bad later
• Both JPMorgan and Sony Pictures have tried this
• Why? Lays groundwork for legal defense against negligence claims*
16. The Home Depot et al.
• Point of sale hacking continues, plus SQL injection attacks on retailers
• Look for more of the same, even as chip cards start to take over
• Transition period may offer points of entry for hackers
• Card data still useful for online fraud
17. Q2: Chip cards are coming and they are hard to fake, so the people who now make money from card fraud will:
• Get jobs
• Try a different kind of fraud
18. Lesson #6
• Crime displacement
• EMV technology will make it harder to turn stolen payment card data into fake cards
• The people who buy card data to make fake cards will turn to other forms of crime: Identity theft?
19. Tax ID fraud
• Cost taxpayers $5 billion in 2013
• Will be big in 2015
• An easy alternative to card fraud
• IRS needs to do more, but congress cut the IRS budget
• File early with fingers crossed
• Takes 9 months to correct (average)
20. Some politics and NSA
• NSA court cases and legislation will keep privacy top of mind for many
• Political stalemate and lack of trust will hamper efforts to:
– Share data between .gov and .com
– Boost spending on cybercrime deterrence
21. And a sprinkle of IoT
• The Internet of Things will continue to grow and get hacked
• Security threat to organizations still low relative to BYOD
• Except in sectors that use SCADA
• Privacy and rights issues may emerge re: webcams, company monitoring of IoT devices
23. Lesson #7
• Threatscape is wider than ever
• Cyber Crime, Inc. continues to dominate
– Data about people = money
• Nation state hacking
– From secret sauce to state secrets
• The resurgence of hacktivism
• All of the traditional IT security risks
– Current and former employees, competitors, natural/human disasters (stormy weather?)
24. Wildcards
• New forms of payment and currency:
– Apple Pay and other digital wallets
– Bitcoin and other virtual currencies
• Regional conflicts
• The weather
25. Q3: A disaster puts your offices and computers off limits for 3 days. Are you:
• Well prepared with a written plan ready to execute
• Somewhat prepared
• Not clear on how you would cope
• In deep trouble
26. Security strategies: BCM/IR
• Business Continuity Management and Incident Response means…
• Preparing to respond to:
– Security breaches, data theft
– Privacy incidents, internal fraud
– Extreme weather, man-made disasters
• At all levels:
– Communications, people, processes, data and systems, recovery, analysis
27. Security strategies: Backup
• The ultimate protection against
– Data loss and data ransom
– User error and system failure
– Natural and man-made disasters
• Review current strategies and test current implementations
• Consider all options (cloud, physical)
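"Test current implementations" is the part of the backup slide that usually goes undone. The script below is an added example (not from this deck or from ESET) of the simplest meaningful restore test: record a SHA-256 manifest of the live files at backup time, then compare a restored copy against it and report what is missing, what has changed (corruption, or the "data ransom" case where files come back encrypted), and what appeared that was never backed up. The file tree it works on is constructed inside a temporary directory purely for illustration.

```python
"""Restore verification against a SHA-256 manifest (added example, stdlib only)."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree to the manifest taken at backup time.

    missing  - in the manifest, absent from the restore (backup job skipped it)
    modified - present but the digest differs (bit rot, tampering, ransomware)
    extra    - in the restore but never in the manifest (unexpected content)
    """
    found = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "modified": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "extra": sorted(set(found) - set(manifest)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: three live files, then a damaged restore of them."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        for d in (live, restored):
            (d / "finance").mkdir(parents=True)

        # live data at backup time (constructed sample content)
        (live / "finance" / "q4.xlsx").write_bytes(b"quarterly numbers")
        (live / "audit.pdf").write_bytes(b"audit report")
        (live / "notes.txt").write_bytes(b"meeting notes")
        manifest = build_manifest(live)

        # the restore: one file intact, one overwritten with junk (as a
        # ransomware-encrypted file would be), one never restored, one stray
        (restored / "finance" / "q4.xlsx").write_bytes(b"quarterly numbers")
        (restored / "audit.pdf").write_bytes(b"\x00\x11garbage")
        (restored / "ransom_note.txt").write_bytes(b"pay us")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A restore test passes only when all three lists are empty; keep the manifest somewhere the backup job cannot overwrite, otherwise a compromised host can rewrite both the data and the record of what the data should be.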
28. Strategies: Encryption
• Time to do more encryption, not less
• Encryption products have improved
• Offer protection in case of breach
• Encrypt in transit as well as at rest
• Check your cloud provider’s use of encryption, e.g. between data centers
29. Strategies: Policy/compliance
• Start of the new year is a good time to check:
• Are your information security policies complete and up-to-date?
– New technologies, new data, new hires
• Are you aware of new laws affecting your compliance around privacy, data protection?
30. Strategies for success
• Are you responsible for protecting data and systems?
• Don’t panic, you are not alone
• Leverage heightened awareness (courtesy Snowden-Target-HomeDepot-Sony-JPMorgan)
• Take a structured approach
32. You are not alone
• Network with others, across departments, up/down the org chart
• Within and beyond the organization
• Chamber, BBB, SBA
• ISSA, ISACA, (ISC)2, IAPP
• ISACs, InfraGard, NCSA, VB
• NIST, SOeC
33. IT Security and Privacy Groups
• See attachments
• Get involved
34. Revisit roadblocks
• In 2015 the public and press will be on high alert re: privacy and security
• Bosses may not “like” security but breaches = lost customers, lost revenue, lost jobs
• Employees may be more interested in security than you think
36. Last word: Due care
• Remember: complying with rules & regulations (e.g. PCI, HIPAA, SOX) is not the same as being secure
• Your security will be judged in the courts: media, public opinion, law
• Liability under law hinges on reasonableness, due care
37. Thank you! Have a safer 2015!
• stephen.cobb@eset.com
• WeLiveSecurity.com
• www.eset.com
• www.slideshare.net/zcobb