This document summarizes a presentation on cyber threats given by Kevin J. Murphy. The presentation covered recent cyber crimes like retail data breaches at Target and Home Depot, vulnerabilities like Heartbleed, and geopolitical cyber attacks from groups like the Syrian Electronic Army. Murphy emphasized practicing defense in depth, defending identities, networks and data, training security teams, and thinking like attackers to prevent unexpected threats. Audience members discussed lessons from their industries and ways to anticipate new attack vectors.

1. Kevin J. Murphy, CISSP, CISM, CGEIT
Cyber Security Defense Update
Director, Windows Security Architecture

2. Agenda
 Cyber Crime
 Vulnerabilities
 Cyber attacks
 Cross-industry discussion
Expectations
 Interactive dialogue
 Learn from other industries
 Think outside the box
 What are the attackers goals?
 What would you do if you were the attacker?
 What can you do that the attacker won’t be
expecting?
2/24/2015 2

3. Cyber Threats - Definitions
 Cyber Crime = $$$ Motivated
 Credit cards, bank accounts
 APT = Nation State Espionage
 Steal your Intellectual Property
 Cyber war = Destructive
 Geopolitical Conflict
 Economic Attack
 Element of modern warfare
 Iran, Syria, N Korea, Al Qaeda, Russia,
etc.
2/24/2015 3

4. 2/24/2015 4

5. 2014 Cyber Crime Attacks
 Retail Data Breaches
 Point of Sale (POS) system
vulnerabilities
 Reporting requirements under GLB Act
 Some of the victims
 Target, Home Depot, Michaels, Neiman
Marcus, Jimmy Johns, Staples, Dairy
Queen, PF Chang’s, etc. etc.
 Analysis?
 Look at your 3rd Party attack vectors
 Understand your POS vendors security
Plans2/24/2015 5

6. 2014 Cyber Crime Attacks
Home Depot – a different nuance
 Credit card’s were offered for sale on a
website that traffics in stolen card data
 Cards presented as:
 "American Sanctions”
 "European Sanctions”
 Analysis?
 Cyber Crime is now Geopolitical
 Adapt the Chip and Pin technology
2/24/2015 6

7. 2014 Cyber Crime Attacks
 Banking Data Breaches
 2014 Verizon Data Breach Investigations
Report analyzed 1,367 data-loss
incidents last year, they found that 465
were financial institutions
 Data Breach Losses Top More Than 78
Million Records to Date in 2014
 Analysis?
 Ideas?
2/24/2015 7

8. 2014 Vulnerabilities
 3rd Party Vulnerabilities
2/24/2015 8

9. 2014 Vulnerabilities
 Heartbleed (Open SSL)
 SSL 3.0
 How many of you thought you
had to monitor your 3rd party
appliances for vulnerabilities?
 And Patching!
 Analysis?
 Heartbleed’s lesson – “If you own
SSL you own the internet”
2/24/2015 9

10. 3rd world Cyber attacks
 Syrian Electronic Army
2/24/2015 10
What did they learn by this reaction?

11. Cyber warfare is dangerous
 Potential for huge economic impact
 Geopolitically motivated
 No cold-war type “rules”
 No international agreement
 Anonymous attacks have no limits
and pose little risk to the attacker
2/24/2015 11

12. Geopolitical attacks
 Critical Infrastructure
2/24/2015 12

13. Cross-industry Discussion
 What have you observed in your
industry?
 Lessons learned?
 Preventions to share with the
room?
2/24/2015 13

14. 2/24/2015 14

15. Prevention
 Defense in Depth
 Defend your identity systems
 Harden your AD
 Office hours for auth changes
 Get rid of passwords- use 2 factor auth
 Application level attack
 Delete forwarding rules after you reset our
password
 Make sure your account saves sent mail in
your sent file
2/24/2015 15

16. Prevention
 Defense in Depth
 Defend your perimeter - Next Gen
Firewalls
 Defend your network
 Segment your network
 Monitor, IDS, IPS
 Remove remote admin where possible
2/24/2015 16

17. Prevention
 Defend your data
 Encrypt, monitoring, HIDS, SIEM
 Stay current in patching, A/V scanning
 Offline back ups
 Train your security team
 Learn from other industries
 Stay current on the threats
 Stay current on the vendor response to the
threats
 Stay current on secure systems
configurations2/24/2015 17

18. Prevention
 Business Continuity Cyber war
Scenario
 Train it - Test it
 Cold back up systems
 Remember a cyber war attack can
infect any system connected to the
network
 Primary and fail-over sites could be
infected all at once
2/24/2015 18

19. Prevention
 Get ahead of the attacker by
anticipating the new vectors of attack
 Threat assessments and models for
your IT Infrastructure and apps.
2/24/2015 19

20. Prevention
 Constantly reevaluate AD for new threats
 Pen test
 Code sign your internal apps and applets
 Security scan 3rd party vendor apps.
2/24/2015 20

21. Prevention
 Your turn – What else do you
recommend?
 What can you do that is not in that the
attacker won’t expect?
2/24/2015 21

22. Resources
 Books
 Economics & Strategies of Data Security, Daniel Geer Jr.
http://www.amazon.com/Economics-Strategies-Data-Security-
DANIEL/dp/B001LZM1BY
 Papers
 2014 Data Breach Investigations Report
http://www.verizonenterprise.com/DBIR/2014/
 The Inevitability of Failure: The Flawed Assumption of Security in Modern
Computing Environments, Peter A. Loscocco, Stephen D. Smalley,
Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell;
National Security Agency
http://www.windowsecurity.com/whitepapers/The_Inevitability_of_Failure
_The_Flawed_Assumption_of_Security_in_Modern_Computing_Environ
ments_.html
 Contact Me:
 http://www.linkedin.com/pub/kevin-murphy/5/256/863
2/24/2015 22