2015: Examining the
threatscape for the
year ahead
Stephen Cobb, CISSP
Senior Security Researcher
Today’s topic
• What cyber threats will your business
face in 2015?
• From cyber criminals to nation states
and hacktivists, threats are evolving
• What should you be doing now?
• The best use of resources to protect
your business
The agenda
• Defining moments of 2014
• Lessons for 2015
• Threats and responses
• Strategies for success
Q1: Which 2014 security news
story concerns you the most?
• Sony Pictures hacks
• JPMorgan Chase breach
• PSN DDoS attack
• Community Health Systems breach
• None of the above
Defining moments: Sony+
• Last year it was Snowden/Target
• This year it’s Sony
• Also maybe JP Morgan Chase
• With a touch of The Home Depot
• Plus The Home of a Despot
• Some politics and NSA
• And a sprinkle of IoT
Defining moments
• Are teaching moments
• If we don’t learn from 2014
• 2015 won’t be
any better
Sony Pictures epic hack
• Data destroyed, stolen, exposed
• System availability denied/degraded
• Present and former employees
personally impacted
• Lawsuits
• Brand damage
Systemic security failure?
• A history of being attacked
• A “live with the risk” attitude
• Known weaknesses not remedied
• PwC audit, second half of July 2014
– One firewall and more than 100 other devices
not monitored by corporate security team
– Monitored by studio’s in-house group
– "Security incidents impacting these network or
infrastructure devices may not be detected or
resolved timely"
Lesson #1
• Don’t leave unencrypted audit reports in
executive email inboxes
• Don’t put into unencrypted email anything
you may later regret saying or sharing
(words, images, reports, etc.)
• Most email is unencrypted
• If they own your account, encryption is
not going to keep secrets
Lesson #2
• Make your security awesome before
you antagonize known hackers
• Or don’t antagonize known hackers
• Try asking your head of security if
he’s okay with you taunting hackers
• If he says yes, get a second opinion
Lesson #3
• Hacktivism is here
to stay
• The Internet is
fundamentally
asymmetric
• May discretion be
the better part of
cyber valor?
JPMorgan Chase hack
• Deeper and wider than first announced
• “This was a sophisticated attack with
nation state overtones”
Lesson #4
• Do all the right things all the time
• Yes, I know that is very hard to do
• But the scale of targeted attack
activity is higher than ever
• E.g. fewer cyber attacks on retailers,
but more efficient*
*IBM 2014 Retail Intelligence Report
Lesson #5
• Don’t play the “sophisticated nation
state attack” card
• It makes you look bad later
• Both JPMorgan and Sony Pictures
have tried this
• Why? Lays groundwork for legal
defense against negligence claims*
The Home Depot et al.
• Point of sale hacking continues, plus
SQL injection attacks on retailers
• Look for more of the same, even as
chip cards start to take over
• Transition period may offer points of
entry for hackers
• Card data still useful for online fraud
Q2: Chip cards are coming and
they are hard to fake, so the
people who now make money
from card fraud will:
• Get jobs
• Try a different kind of fraud
Lesson #6
• Crime displacement
• EMV technology will make it harder
to turn stolen payment card data into
fake cards
• The people who buy card data to
make fake cards will turn to other
forms of crime: Identity theft?
Tax ID fraud
• Cost taxpayers $5 billion in 2013
• Will be big in 2015
• An easy alternative to card fraud
• IRS needs to do more, but congress
cut the IRS budget
• File early with fingers crossed
• Takes 9 months to correct (average)
Some politics and NSA
• NSA court cases and legislation will
keep privacy top of mind for many
• Political stalemate and lack of trust
will hamper efforts to:
– Share data between .gov and .com
– Boost spending on cybercrime
deterrence
And a sprinkle of IoT
• The Internet of Things will continue
to grow and get hacked
• Security threat to organizations still
low relative to BYOD
• Except in sectors that use SCADA
• Privacy and rights issues may
emerge re: webcams, company
monitoring of IoT devices
Lesson #7
• Threatscape is wider than ever
• Cyber Crime, Inc. continues to dominate
– Data about people = money
• Nation state hacking
– From secret sauce to state secrets
• The resurgence of hacktivism
• All of the traditional IT security risks
– Current and former employees, competitors,
natural/human disasters (stormy weather?)
Wildcards
• New forms of payment and currency:
– Apple Pay and other digital wallets
– Bitcoin and other virtual currencies
• Regional conflicts
• The weather
Q3: A disaster puts your offices
and computers off limits for 3
days. Are you:
• Well prepared with a written plan
ready to execute
• Somewhat prepared
• Not clear on how you would cope
• In deep trouble
Security strategies: BCM/IR
• Business Continuity Management and
Incident Response means…
• Preparing to respond to:
– Security breaches, data theft
– Privacy incidents, internal fraud
– Extreme weather, man-made disasters
• At all levels:
– Communications, people, processes, data
and systems, recovery, analysis
Security strategies: Backup
• The ultimate protection against
– Data loss and data ransom
– User error and system failure
– Natural and man-made disasters
• Review current strategies and test
current implementations
• Consider all options (cloud, physical)
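"Test current implementations" is the bullet most often skipped: a backup that has never been restored is a hope, not a control, and a copy that ransomware or a disk fault has quietly altered is worse than none. Below is an added example, not code from the deck, of the minimum restore test: record a SHA-256 manifest when the backup is taken and verify a restored tree against it. The files, directories and scenario are constructed inside temporary directories so the example runs offline.

```python
"""Added example (not from the deck): build a SHA-256 manifest of a backup set
and verify a restored copy against it, so a restore test catches files that
are missing, truncated or silently altered. Sample files are constructed."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest.
    Store this manifest separately from the backup media, with the backup date."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_restore(manifest, restore_root):
    """Compare a restored tree to the manifest it was backed up under.
    Returns {"missing": [...], "modified": [...], "unexpected": [...]};
    all three empty means the restore reproduced the backup exactly."""
    problems = {"missing": [], "modified": [], "unexpected": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(restore_root, rel)
        if not os.path.isfile(full):
            problems["missing"].append(rel)
        elif sha256_of(full) != digest:
            problems["modified"].append(rel)
    restored = build_manifest(restore_root)
    problems["unexpected"] = sorted(set(restored) - set(manifest))
    return problems


def demo():
    """Constructed scenario: a three-file backup and a restore in which one
    file came back altered and one never came back at all."""
    files = {
        "ledger.csv": b"id,amount\n1,100\n",
        "notes.txt": b"hello",
        "cfg/app.ini": b"[app]\nkey=1\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            for root in (src, dst):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)
        # Simulate a bad restore: one file altered, one missing.
        with open(os.path.join(dst, "notes.txt"), "wb") as f:
            f.write(b"HELLO")
        os.remove(os.path.join(dst, "cfg", "app.ini"))
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest must live somewhere the backup job cannot overwrite and an intruder on the file server cannot reach, otherwise whatever corrupts the data can also "fix" the hashes. A scheduled restore of a random sample into scratch storage, verified this way, is a cheap answer to the Q3 question above.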
Strategies: Encryption
• Time to do more encryption, not less
• Encryption products have improved
• Offer protection in case of breach
• Encrypt in transit as well as at rest
• Check your cloud provider’s use of
encryption e.g. between data centers
Strategies: Policy/compliance
• Start of the new year is a good time
to check:
• Are your information security policies
complete and up-to-date
– New technologies, new data, new hires
• Are you aware of new laws affecting
your compliance around privacy,
data protection?
Strategies for success
• Are you responsible for protecting
data and systems?
• Don’t panic, you are not alone
• Leverage heightened awareness
(courtesy Snowden-Target-
HomeDepot-Sony-JPMorgan)
• Take a structured approach
You are not alone
• Network with others, across
departments up/down the org chart
• Within and beyond the organization
• Chamber, BBB, SBA
• ISSA, ISACA, (ISC)2, IAPP
• ISACs, InfraGard, NCSA, VB
• NIST, SOeC
IT Security and Privacy Groups
• See attachments
• Get involved
Revisit roadblocks
• In 2015 the public and press will be
on high alert re: privacy and security
• Bosses may not “like” security but
breaches = lost customers, lost
revenue, lost jobs
• Employees may be more interested
in security than you think
If all else fails try fear of headlines
Last word: Due care
• Remember: complying with rules &
regulations (e.g. PCI, HIPAA, SOX)
is not the same as being secure
• Your security will be judged in the
courts: media, public opinion, law
• Liability under law hinges on
reasonableness, due care
Thank you! Have a safer 2015!
• stephen.cobb@eset.com
• WeLiveSecurity.com
• www.eset.com
• www.slideshare.net/zcobb
