How is the landscape changing for cybersecurity and what do businesses need to know to protect themselves?

1. 2015: Examining the
threatscape for the
year ahead
Stephen Cobb, CISSP
Senior Security Researcher

2. Today’s topic
• What cyber threats will your business
face in 2015?
• From cyber criminals to nation states
and hacktivists, threats are evolving
• What should you be doing now?
• The best use of resources to protect
your business

3. The agenda
• Defining moments of 2015
• Lessons for 2015
• Threats and responses
• Strategies for success

4. Q1: Which 2014 security news
story concerns you the most?
• Sony Pictures hacks
• JPMorgan Chase breach
• PSN DDoS attack
• Community Health Systems breach
• None of the above

5. Defining moments: Sony+
• Last year it was Snowden/Target
• This year it’s Sony
• Also maybe JP Morgan Chase
• With a touch of The Home Depot
• Plus The Home of a Despot
• Some politics and NSA
• And a sprinkle of IoT

6. Defining moments
• Are teaching moments
• If we don’t learn from 2014
• 2015 won’t be
any better

7. Sony Pictures epic hack
• Data destroyed, stolen, exposed
• System availability denied/degraded
• Present and former employees
personally impacted
• Lawsuits
• Brand damage

8. Systemic security failure?
• A history of being attacked
• A “live with the risk attitude”
• Known weaknesses not remedied
• PWC audit second half of July
– One firewall and more than 100 other devices
not monitored by corporate security team
– Monitored by studio’s in-house group
– "Security incidents impacting these network or
infrastructure devices may not be detected or
resolved timely"

9. Lesson #1
• Don’t leave unencrypted audit reports in
executive email inboxes
• Don’t put into unencrypted email anything
you may later regret saying or sharing
(words, images, reports, etc.)
• Most email is unencrypted
• If they own your account, encryption is
not going to keep secrets

10. Lesson #2
• Make your security awesome before
you antagonize known hackers
• Or don’t antagonize known hackers
• Try asking your head of security if
he’s okay with you taunting hackers
• If he says yes, get a second opinion

11. Lesson #3
• Hacktivism is here
to stay
• The Internet is
fundamentally
asymmetric
• May discretion be
the better part of
cyber valor?

12. JPMorgan Chase hack
• Deeper and wider than first announced
• “This was a sophisticated attack with
nation state overtones”

14. Lesson #4
• Do all the right things all the time
• Yes, I know that is very hard to do
• But the scale of targeted attack
activity is higher than ever
• E.g. fewer cyber attacks on retailers,
but more efficient*
*IBM 2014 Retail Intelligence Report

15. Lesson #5
• Don’t play the “sophisticated nation
state attack” card
• It makes you look bad later
• Both JPMorgan and Sony Pictures
have tried this
• Why? Lays groundwork for legal
defense against negligence claims*

16. The Home Depot et al.
• Point of sale hacking continues, plus
SQL injection attacks on retailers
• Look for more of the same, even as
chip cards start to take over
• Transition period may offer points of
entry for hackers
• Card data still useful for online fraud

17. Q2: Chip cards are coming and
they are hard to fake, so the
people who now make money
from card fraud will:
• Get jobs
• Try a different kind of fraud

18. Lesson #6
• Crime displacement
• EMV technology will make it harder
to turn stolen payment card data into
fake cards
• The people who buy card data to
make fake cards will turn to other
forms of crime: Identity theft?

19. Tax ID fraud
• Cost taxpayers $5 billion in 2013
• Will be big in 2015
• An easy alternative to card fraud
• IRS needs to do more, but congress
cut the IRS budget
• File early with fingers crossed
• Takes 9 months to correct (average)

20. Some politics and NSA
• NSA court cases and legislation will
keep privacy top of mind for many
• Political stalemate and lack of trust
will hamper efforts to:
– Share data between .gov and .com
– Boost spending on cybercrime
deterrence

21. And a sprinkle of IoT
• The Internet of Things will continue
to grow and get hacked
• Security threat to organizations still
low relative to BYOD
• Except in sectors that use SCADA
• Privacy and rights issues may
emerge re: webcams, company
monitoring of IoT devices

23. Lesson #7
• Threatscape is wider than ever
• Cyber Crime, Inc. continues to dominate
– Data about people = money
• Nation state hacking
– From secret sauce to state secrets
• The resurgence of hacktivism
• All of the traditional IT security risks
– Current and former employees, competitors,
natural/human disasters (stormy weather?)

24. Wildcards
• New forms of payment and currency:
– Apple Pay and other digital wallets
– Bitcoin and other virtual currencies
• Regional conflicts
• The weather

25. Q3: A disaster puts your offices
and computer off limits for 3
days. Are you:
• Well prepared with a written plan
ready to execute
• Somewhat prepared
• Not clear on how you would cope
• In deep trouble

26. Security strategies: BCM/IR
• Business Continuity Management and
Incident Response means…
• Preparing to respond to:
– Security breaches, data theft
– Privacy incidents, internal fraud
– Extreme weather, man-made disasters
• At all levels:
– Communications, people, processes, data
and systems, recovery, analysis

27. Security strategies: Backup
• The ultimate protection against
– Data loss and data ransom
– User error and system failure
– Natural and man-made disasters
• Review current strategies and test
current implementations
• Consider all options (cloud, physical)

28. Strategies: Encryption
• Time to do more encryption, not less
• Encryption products have improved
• Offer protection in case of breach
• Encrypt in transit as well as at rest
• Check your cloud provider’s use of
encryption e.g. between data centers

29. Strategies: Policy/compliance
• Start of the new year is a good time
to check:
• Are your information security policies
complete and up-to-date
– New technologies, new data, new hires
• Are you aware of new laws affecting
your compliance around privacy,
data protection?

30. Strategies for success
• Are you responsible for protecting
data and systems?
• Don’t panic, you are not alone
• Leverage heightened awareness
(courtesy Snowden-Target-
HomeDepot-Sony-JPMorgan)
• Take a structured approach

32. You are not alone
• Network with others, across
departments up/down the org chart
• Within and beyond the organization
• Chamber, BBB, SBA
• ISSA, ISACA, (ISC)2, IAPP
• ISACs, InfraGard, NCSA, VB
• NIST, SOeC

33. IT Security and Privacy Groups
• See attachments
• Get involved

34. Revisit roadblocks
• In 2015 the public and press will be
on high alert re: privacy and security
• Bosses may not “like” security but
breaches = lost customers, lost
revenue, lost jobs
• Employees make be more interested
in security than you think

35. If all else fails try fear of headlines

36. Last word: Due care
• Remember: complying with rules &
regulations (e.g. PCI, HIPAA, SOX)
is not the same as being secure
• Your security will be judged in the
courts: media, public opinion, law
• Liability under law hinges on
reasonableness, due care

37. Thank you! Have a safer 2015!
• stephen.cobb@eset.com
• WeLiveSecurity.com
• www.eset.com
• www.slideshare.net/zcobb