Jason Smith, IE's Compliance & Security Consultant, gives practical cybersecurity advice and reviews common threats and trends you should be aware of.

1. <#>
2018 Cyber Security
Threats & Trends
2018 NCLGISA Fall Symposium – October 24, 2018

2. <#>
Jason Smith
Security & Compliance Consultant
Internetwork Engineering – Strategic Consulting
Introduction

3. <#>
In The News

4. <#>
Trouble at Facebook … and
elsewhere
50 Million Facebook
Accounts Affected

5. <#>
This is why it really sucks!
• Facebook Single Sign-on affected
• Annuity Attack Issues
• User Apathy

6. <#>
2018 – 2019 Cyber Security Trends
• We expect to see up to a 60%
increase, with an increase in
sophistication.
• Contributing Factors:
• Very automated and opportunistic
= low upfront cost.
• Easily monetized
• Integrates well with other attack
goals.
• Security budgets appear stagnate,
board stakeholder interest waning,
breaches generally viewed as BAU
• Contributing Factors:
• Lack of vendor innovation
• EDR market saturation – confusing
consumers
• Recent huge breaches, including
Equifax
Ransomware Increase Stakeholder Apathy

7. <#>
2018 – 2019 Cyber Security Trends
• Expect to see significant
increase in the number and
sophistication of these attacks.
• Contributing Factors:
• Wild west development, minimal
standards
• Widespread consumer adoption
• Easily integrated into multi vector
attacks (WFH bridge)
• Expect to see attackers shift
to more targeted attacks, by
leveraging new and cheap
data analysis tools (Python,
R, Power BI)
• Contributing Factors
• Cyber crime business model
• More effective use of available
resources, higher ROI.
IOT Exploitation Leveraging Big Data

8. <#>
2018 – 2019 Cyber Security Trends
• Security Resources tend to be only
available during concern about a
breach or immediately following a
breach.
• Contributing Factors:
• Security, Compliance, and
Governance are cost centers, not
profit centers.
• ROI is rarely captured effectively and
the “story” isn’t told well.
• Attackers will continue to
leverage mis managed cloud
infrastructure.
• Contributing Factors
• Poor design and implementation –
rush to deploy
• Misperception of XaaS
technology and management
• Poorly secured middle layer
(Mesos) and transport layers
Sec Resource Scarcity March to the Cloud

9. <#>
Increased Staffing
The Issue - Funding
Training
Professional Services
Security Tools
As a Service
$ $ $
$ $ $
$ $ $
$ $ $
$ $ $

10. <#>
Choose your battles wisely.
Avoid spending on knee
jerk, point solutions.
What to Do …
Focus on your risk.
Remember, hackers tend to
opportunistic first.
Back to the basics. Security hygiene, risk
assessments, user awareness training.
Get involved with other IT areas and
departments. What is the near term and long
term IT strategy and how can it be secured.
Demonstrate value (metrics, KPIs, show up!

11. <#>
”Just showing up is half the
battle.”
Woody Allen

12. <#>
• Relating the funding need to the business
• Understanding your audience
• Supporting the case with data
• What is the cost to do nothing?
Building the Case

13. <#>
Too Many EDR Solutions
Endpoint Detection & Response

14. <#>
How do you know what you
actually need?

15. <#>
Do a RISK Assessment!!
IT’s All About RISK!!!
Understand your network
Understand your data, and how it is consumed!

16. <#>
-Too Complex
- Too much time for
approval
- SCOPING 
RFPs, RFQs, and more fun!

17. <#>
Business Continuity – Disaster Recovery

18. <#>
Who Has to Comply with PCI?
• All merchants and service providers who store, transmit, or process
credit cards must comply with all requirements.
• A merchant cannot outsource its PCI DSS responsibility
• Merchants CAN outsource operational responsibility for maintaining security
controls
• The card brands have outlined various reporting levels based on
volume of card transactions.
• Acquirer will determine a merchant’s reporting level and reporting obligations
• Merchant may have more than one acquirer (merchant ID)

19. <#>
Significant Changes for Service Providers
Security Controls Monitoring (Requirements 10.8 and 10.8.1)
The following processes need to be added to the incident response/problem
management programs:
• Restoring security functions
• Identifying and documenting the duration of the security failure
• Identifying and documenting the cause(s) of failure, including the root cause
and documenting remediation required to address the root cause
• Identifying and addressing any security issues that arose during the failure
• Performing a risk assessment to determine whether further actions are
required as a result of the security failure
• Implementing controls to prevent the cause of failure from reoccurring
• Resuming monitoring of security controls

20. <#>
Service Provider – Big Changes …

21. <#>
SAQ Changes

22. <#>
PCI DSS 3.0 Req:1.1.2, 1.1.3 Diagrams
CDE Data Flow Network Diagram of CDE

23. <#>
Connect with IE!
Visit us online at: www.ineteng.com
Follow us on social media: Twitter | LinkedIn
Join us at one of our next Security User Groups
in Charlotte or Raleigh

24. <#>
Thank you!
Questions?
Jason Smith
IE Strategic Consulting – Cyber Security
@smith380