2015: The year-ahead-in-cyber-security
ā¢Download as PPTX, PDFā¢
3 likesā¢4,072 views
How is the landscape changing for cybersecurity and what do businesses need to know to protect themselves?
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to 2015: The year-ahead-in-cyber-security
Similar to 2015: The year-ahead-in-cyber-security (20)
More from Stephen Cobb
More from Stephen Cobb (10)
Recently uploaded
Recently uploaded (20)
2015: The year-ahead-in-cyber-security
- 1. 2015: Examining the threatscape for the year ahead Stephen Cobb, CISSP Senior Security Researcher
- 2. Todayās topic ā¢ What cyber threats will your business face in 2015? ā¢ From cyber criminals to nation states and hacktivists, threats are evolving ā¢ What should you be doing now? ā¢ The best use of resources to protect your business
- 3. The agenda ā¢ Defining moments of 2015 ā¢ Lessons for 2015 ā¢ Threats and responses ā¢ Strategies for success
- 4. Q1: Which 2014 security news story concerns you the most? ā¢ Sony Pictures hacks ā¢ JPMorgan Chase breach ā¢ PSN DDoS attack ā¢ Community Health Systems breach ā¢ None of the above
- 5. Defining moments: Sony+ ā¢ Last year it was Snowden/Target ā¢ This year itās Sony ā¢ Also maybe JP Morgan Chase ā¢ With a touch of The Home Depot ā¢ Plus The Home of a Despot ā¢ Some politics and NSA ā¢ And a sprinkle of IoT
- 6. Defining moments ā¢ Are teaching moments ā¢ If we donāt learn from 2014 ā¢ 2015 wonāt be any better
- 7. Sony Pictures epic hack ā¢ Data destroyed, stolen, exposed ā¢ System availability denied/degraded ā¢ Present and former employees personally impacted ā¢ Lawsuits ā¢ Brand damage
- 8. Systemic security failure? ā¢ A history of being attacked ā¢ A ālive with the risk attitudeā ā¢ Known weaknesses not remedied ā¢ PWC audit second half of July ā One firewall and more than 100 other devices not monitored by corporate security team ā Monitored by studioās in-house group ā "Security incidents impacting these network or infrastructure devices may not be detected or resolved timely"
- 9. Lesson #1 ā¢ Donāt leave unencrypted audit reports in executive email inboxes ā¢ Donāt put into unencrypted email anything you may later regret saying or sharing (words, images, reports, etc.) ā¢ Most email is unencrypted ā¢ If they own your account, encryption is not going to keep secrets
- 10. Lesson #2 ā¢ Make your security awesome before you antagonize known hackers ā¢ Or donāt antagonize known hackers ā¢ Try asking your head of security if heās okay with you taunting hackers ā¢ If he says yes, get a second opinion
- 11. Lesson #3 ā¢ Hacktivism is here to stay ā¢ The Internet is fundamentally asymmetric ā¢ May discretion be the better part of cyber valor?
- 12. JPMorgan Chase hack ā¢ Deeper and wider than first announced ā¢ āThis was a sophisticated attack with nation state overtonesā
- 14. Lesson #4 ā¢ Do all the right things all the time ā¢ Yes, I know that is very hard to do ā¢ But the scale of targeted attack activity is higher than ever ā¢ E.g. fewer cyber attacks on retailers, but more efficient* *IBM 2014 Retail Intelligence Report
- 15. Lesson #5 ā¢ Donāt play the āsophisticated nation state attackā card ā¢ It makes you look bad later ā¢ Both JPMorgan and Sony Pictures have tried this ā¢ Why? Lays groundwork for legal defense against negligence claims*
- 16. The Home Depot et al. ā¢ Point of sale hacking continues, plus SQL injection attacks on retailers ā¢ Look for more of the same, even as chip cards start to take over ā¢ Transition period may offer points of entry for hackers ā¢ Card data still useful for online fraud
- 17. Q2: Chip cards are coming and they are hard to fake, so the people who now make money from card fraud will: ā¢ Get jobs ā¢ Try a different kind of fraud
- 18. Lesson #6 ā¢ Crime displacement ā¢ EMV technology will make it harder to turn stolen payment card data into fake cards ā¢ The people who buy card data to make fake cards will turn to other forms of crime: Identity theft?
- 19. Tax ID fraud ā¢ Cost taxpayers $5 billion in 2013 ā¢ Will be big in 2015 ā¢ An easy alternative to card fraud ā¢ IRS needs to do more, but congress cut the IRS budget ā¢ File early with fingers crossed ā¢ Takes 9 months to correct (average)
- 20. Some politics and NSA ā¢ NSA court cases and legislation will keep privacy top of mind for many ā¢ Political stalemate and lack of trust will hamper efforts to: ā Share data between .gov and .com ā Boost spending on cybercrime deterrence
- 21. And a sprinkle of IoT ā¢ The Internet of Things will continue to grow and get hacked ā¢ Security threat to organizations still low relative to BYOD ā¢ Except in sectors that use SCADA ā¢ Privacy and rights issues may emerge re: webcams, company monitoring of IoT devices
- 23. Lesson #7 ā¢ Threatscape is wider than ever ā¢ Cyber Crime, Inc. continues to dominate ā Data about people = money ā¢ Nation state hacking ā From secret sauce to state secrets ā¢ The resurgence of hacktivism ā¢ All of the traditional IT security risks ā Current and former employees, competitors, natural/human disasters (stormy weather?)
- 24. Wildcards ā¢ New forms of payment and currency: ā Apple Pay and other digital wallets ā Bitcoin and other virtual currencies ā¢ Regional conflicts ā¢ The weather
- 25. Q3: A disaster puts your offices and computer off limits for 3 days. Are you: ā¢ Well prepared with a written plan ready to execute ā¢ Somewhat prepared ā¢ Not clear on how you would cope ā¢ In deep trouble
- 26. Security strategies: BCM/IR ā¢ Business Continuity Management and Incident Response meansā¦ ā¢ Preparing to respond to: ā Security breaches, data theft ā Privacy incidents, internal fraud ā Extreme weather, man-made disasters ā¢ At all levels: ā Communications, people, processes, data and systems, recovery, analysis
- 27. Security strategies: Backup ā¢ The ultimate protection against ā Data loss and data ransom ā User error and system failure ā Natural and man-made disasters ā¢ Review current strategies and test current implementations ā¢ Consider all options (cloud, physical)
- 28. Strategies: Encryption ā¢ Time to do more encryption, not less ā¢ Encryption products have improved ā¢ Offer protection in case of breach ā¢ Encrypt in transit as well as at rest ā¢ Check your cloud providerās use of encryption e.g. between data centers
- 29. Strategies: Policy/compliance ā¢ Start of the new year is a good time to check: ā¢ Are your information security policies complete and up-to-date ā New technologies, new data, new hires ā¢ Are you aware of new laws affecting your compliance around privacy, data protection?
- 30. Strategies for success ā¢ Are you responsible for protecting data and systems? ā¢ Donāt panic, you are not alone ā¢ Leverage heightened awareness (courtesy Snowden-Target- HomeDepot-Sony-JPMorgan) ā¢ Take a structured approach
- 32. You are not alone ā¢ Network with others, across departments up/down the org chart ā¢ Within and beyond the organization ā¢ Chamber, BBB, SBA ā¢ ISSA, ISACA, (ISC)2, IAPP ā¢ ISACs, InfraGard, NCSA, VB ā¢ NIST, SOeC
- 33. IT Security and Privacy Groups ā¢ See attachments ā¢ Get involved
- 34. Revisit roadblocks ā¢ In 2015 the public and press will be on high alert re: privacy and security ā¢ Bosses may not ālikeā security but breaches = lost customers, lost revenue, lost jobs ā¢ Employees make be more interested in security than you think
- 35. If all else fails try fear of headlines
- 36. Last word: Due care ā¢ Remember: complying with rules & regulations (e.g. PCI, HIPAA, SOX) is not the same as being secure ā¢ Your security will be judged in the courts: media, public opinion, law ā¢ Liability under law hinges on reasonableness, due care
- 37. Thank you! Have a safer 2015! ā¢ stephen.cobb@eset.com ā¢ WeLiveSecurity.com ā¢ www.eset.com ā¢ www.slideshare.net/zcobb