2015: Examining the threatscape for the year ahead

Stephen Cobb, CISSP

Senior Security Researcher

Today’s topic

• What cyber threats will your business face in 2015?

• From cyber criminals to nation states and hacktivists, threats are evolving

• What should you be doing now?
• The best use of resources to protect your business

The agenda

• Defining moments of 2014
• Lessons for 2015
• Threats and responses
• Strategies for success

Q1: Which 2014 security news story concerns you the most?

• Sony Pictures hacks
• JPMorgan Chase breach
• PSN DDoS attack
• Community Health Systems breach
• None of the above

Defining moments: Sony+

• Last year it was Snowden/Target
• This year it’s Sony
• Also maybe JPMorgan Chase
• With a touch of The Home Depot
• Plus The Home of a Despot
• Some politics and NSA
• And a sprinkle of IoT

Defining moments

• Are teaching moments
• If we don’t learn from 2014, 2015 won’t be any better

Sony Pictures epic hack

• Data destroyed, stolen, exposed
• System availability denied/degraded
• Present and former employees personally impacted
• Lawsuits
• Brand damage

Systemic security failure?

• A history of being attacked
• A “live with the risk” attitude
• Known weaknesses not remedied
• PwC audit, second half of July
– One firewall and more than 100 other devices not monitored by corporate security team
– Monitored by studio’s in-house group
– "Security incidents impacting these network or infrastructure devices may not be detected or resolved timely"
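The audit finding above is a monitoring coverage gap: devices that exist in the inventory but whose events never reach the team that is supposed to detect incidents. The following is an added example (not from the talk or from the audit) of how to surface such gaps from an asset list and the logs a central collector actually received; the inventory, hostnames, owning teams and log lines are all constructed, and the 24-hour silence threshold is an assumed policy value.

```python
"""Flag inventoried network devices that the central log pipeline never hears from.

Added example, not from the talk. Inventory and log lines are constructed here.
"""
from datetime import datetime, timedelta

# Constructed asset inventory: hostname -> team that operates the device
INVENTORY = {
    "fw-edge-01": "corporate-security",
    "fw-studio-01": "studio-it",      # assumed: run by a separate in-house group
    "sw-core-01": "corporate-security",
    "sw-studio-07": "studio-it",
    "vpn-gw-01": "corporate-security",
}

# Constructed syslog-style lines as received by the central collector
SAMPLE_LOGS = """\
2015-01-12T08:00:01Z fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2
2015-01-12T08:00:05Z sw-core-01 lldpd: link up on port 12
2015-01-10T23:59:59Z vpn-gw-01 sshd: Accepted publickey for ops from 192.0.2.10
2015-01-12T08:01:00Z sw-core-01 snmpd: cold start
garbage line without a timestamp
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_last_seen(log_text):
    """Return {hostname: latest timestamp} from 'ISO8601 hostname ...' lines.

    Malformed lines are skipped rather than aborting the whole run.
    """
    last_seen = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            continue
        host = parts[1]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def coverage_gaps(inventory, last_seen, now, max_silence=timedelta(hours=24)):
    """Return sorted (host, owner, status) for devices the collector is not seeing."""
    gaps = []
    for host, owner in inventory.items():
        seen = last_seen.get(host)
        if seen is None:
            gaps.append((host, owner, "never logged"))
        elif now - seen > max_silence:
            gaps.append((host, owner, f"silent for {(now - seen).days}d"))
    return sorted(gaps)


def gaps_at(now_iso, max_silence_hours=24, log_text=SAMPLE_LOGS, inventory=INVENTORY):
    """Convenience wrapper: evaluate coverage at a given UTC instant."""
    now = datetime.strptime(now_iso, TS_FORMAT)
    return coverage_gaps(inventory, parse_last_seen(log_text), now,
                         timedelta(hours=max_silence_hours))


if __name__ == "__main__":
    for host, owner, status in gaps_at("2015-01-12T09:00:00Z"):
        print(f"{host:14} {owner:20} {status}")
```

Run against real data, the inventory would come from the CMDB and the log text from the SIEM's list of reporting hosts; the point is that the report lists the owning team, so a device another group "monitors" shows up as a gap for the corporate team rather than silently falling off the list.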

Lesson #1

• Don’t leave unencrypted audit reports in executive email inboxes

• Don’t put into unencrypted email anything you may later regret saying or sharing (words, images, reports, etc.)

• Most email is unencrypted
• If they own your account, encryption is not going to keep secrets

Lesson #2

• Make your security awesome before you antagonize known hackers
• Or don’t antagonize known hackers
• Try asking your head of security if he’s okay with you taunting hackers
• If he says yes, get a second opinion

Lesson #3

• Hacktivism is here to stay

• The Internet is fundamentally asymmetric

• May discretion be the better part of cyber valor?

JPMorgan Chase hack

• Deeper and wider than first announced
• “This was a sophisticated attack with nation state overtones”

Lesson #4

• Do all the right things all the time
• Yes, I know that is very hard to do
• But the scale of targeted attack activity is higher than ever
• E.g. fewer cyber attacks on retailers, but more efficient*

*IBM 2014 Retail Intelligence Report

Lesson #5

• Don’t play the “sophisticated nation state attack” card
• It makes you look bad later
• Both JPMorgan and Sony Pictures have tried this
• Why? Lays groundwork for legal defense against negligence claims*

The Home Depot et al.

• Point of sale hacking continues, plus SQL injection attacks on retailers

• Look for more of the same, even as chip cards start to take over

• Transition period may offer points of entry for hackers

• Card data still useful for online fraud
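The SQL injection attacks mentioned above succeed when user input is concatenated into a query. This added example (not from the talk) shows a retail-style customer lookup in both forms, run against a constructed in-memory SQLite table with sample rows; the table, rows and the `lookup_*` function names are assumptions for illustration. It also shows the edge case that makes the concatenated version fail even for honest users: an email address containing an apostrophe.

```python
"""SQL injection in a retail-style lookup: vulnerable and parameterized forms side by side.

Added example, not from the talk. Schema, rows and function names are constructed.
"""
import sqlite3


def make_db():
    """Constructed customer table with card data that a retailer would hold."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "4242"),
            ("bob@example.com", "1881"),
            ("carol@example.com", "0005"),
            ("o'brien@example.com", "7771"),   # legitimate apostrophe in the address
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: whatever the caller supplies becomes SQL syntax."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Bound parameter: the value travels separately and cannot change the query shape."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology payload: closes the string literal and appends an always-true clause
PAYLOAD = "x' OR '1'='1"


def try_lookup(fn, conn, email):
    """Run a lookup and report either ('ok', rows) or ('error', exception class name)."""
    try:
        return ("ok", fn(conn, email))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload:", try_lookup(lookup_vulnerable, db, PAYLOAD))
    print("safe, payload:     ", try_lookup(lookup_safe, db, PAYLOAD))
    print("vulnerable, O'Brien:", try_lookup(lookup_vulnerable, db, "o'brien@example.com"))
    print("safe, O'Brien:     ", try_lookup(lookup_safe, db, "o'brien@example.com"))
```

The payload dumps every row through the concatenated query and returns nothing through the parameterized one. The apostrophe case is the tell-tale that usually shows up in application logs first: the same code path that leaks the whole table also throws a syntax error for a real customer. The placeholder style (`?`) is SQLite's; the principle is identical with `%s` in psycopg2 or `:name` in other drivers, and it is what a pentester's first `'` probe is testing for.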

Q2: Chip cards are coming and they are hard to fake, so the people who now make money from card fraud will:

• Get jobs
• Try a different kind of fraud

Lesson #6

• Crime displacement
• EMV technology will make it harder to turn stolen payment card data into fake cards
• The people who buy card data to make fake cards will turn to other forms of crime: identity theft?

Tax ID fraud

• Cost taxpayers $5 billion in 2013
• Will be big in 2015
• An easy alternative to card fraud
• IRS needs to do more, but Congress cut the IRS budget
• File early with fingers crossed
• Takes 9 months to correct (average)

Some politics and NSA

• NSA court cases and legislation will keep privacy top of mind for many

• Political stalemate and lack of trust will hamper efforts to:
– Share data between .gov and .com
– Boost spending on cybercrime deterrence

And a sprinkle of IoT

• The Internet of Things will continue to grow and get hacked

• Security threat to organizations still low relative to BYOD

• Except in sectors that use SCADA
• Privacy and rights issues may emerge re: webcams, company monitoring of IoT devices

Lesson #7

• Threatscape is wider than ever
• Cyber Crime, Inc. continues to dominate
– Data about people = money
• Nation state hacking
– From secret sauce to state secrets
• The resurgence of hacktivism
• All of the traditional IT security risks
– Current and former employees, competitors, natural/human disasters (stormy weather?)

Wildcards

• New forms of payment and currency:
– Apple Pay and other digital wallets
– Bitcoin and other virtual currencies
• Regional conflicts
• The weather

Q3: A disaster puts your offices and computers off limits for 3 days. Are you:

• Well prepared, with a written plan ready to execute
• Somewhat prepared
• Not clear on how you would cope
• In deep trouble

Security strategies: BCM/IR

• Business Continuity Management and Incident Response means…
• Preparing to respond to:
– Security breaches, data theft
– Privacy incidents, internal fraud
– Extreme weather, man-made disasters
• At all levels:
– Communications, people, processes, data and systems, recovery, analysis

Security strategies: Backup

• The ultimate protection against:
– Data loss and data ransom
– User error and system failure
– Natural and man-made disasters

• Review current strategies and test current implementations

• Consider all options (cloud, physical)
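"Test current implementations" is the step most often skipped. This added example (not from the talk) shows one way to make a backup verifiable: record a SHA-256 manifest at backup time, keep it apart from the archive, then prove a trial restore matches it. Everything here (paths, file contents, the manifest filename convention) is constructed for illustration.

```python
"""Take a backup with a SHA-256 manifest and verify a test restore against it.

Added example, not from the talk. The source files are constructed in a temp dir.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest_path(archive_path):
    # Assumed convention: manifest sits beside the archive as <archive>.manifest.json
    return Path(str(archive_path) + ".manifest.json")


def make_backup(src_dir, archive_path):
    """Tar+gzip src_dir and write {relative path: sha256} as the manifest."""
    src_dir, archive_path = Path(src_dir), Path(archive_path)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest_path(archive_path).write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return manifest


def load_manifest(archive_path):
    return json.loads(manifest_path(archive_path).read_text())


def check_against_manifest(restore_dir, manifest):
    """Compare restored files to the manifest; an empty dict means the restore is intact."""
    restore_dir = Path(restore_dir)
    problems = {}
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            problems[rel] = "missing"
        elif sha256_file(p) != expected:
            problems[rel] = "checksum mismatch"
    return problems


def verify_restore(archive_path, restore_dir):
    """Extract the archive into restore_dir and check it against the stored manifest."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        # Reject absolute paths and '..' members where the interpreter supports extraction filters
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(str(restore_dir), **kwargs)
    return check_against_manifest(restore_dir, load_manifest(archive_path))


def demo():
    """Constructed data: a clean restore, then one file tampered with and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "orders").mkdir(parents=True)
        (src / "orders" / "2015-01.csv").write_text("id,amount\n1,19.99\n")
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        archive = tmp / "backup.tar.gz"
        make_backup(src, archive)
        restore = tmp / "restore"
        clean = verify_restore(archive, restore)
        # Simulate what a ransomware-encrypted or partially lost copy looks like on restore
        (restore / "config.ini").write_bytes(b"\x00encrypted\x00")
        (restore / "orders" / "2015-01.csv").unlink()
        damaged = check_against_manifest(restore, load_manifest(archive))
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

The manifest is only useful against "data ransom" if it and the archive live somewhere the production credentials cannot overwrite (offline media, a separate account, or immutable object storage); a restore test that runs on a schedule and fails loudly on the first mismatch is what turns a backup policy into a backup you can trust.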

Strategies: Encryption

• Time to do more encryption, not less
• Encryption products have improved
• Offer protection in case of breach
• Encrypt in transit as well as at rest
• Check your cloud provider’s use of encryption, e.g. between data centers

Strategies: Policy/compliance

• Start of the new year is a good time to check:

• Are your information security policies complete and up-to-date?
– New technologies, new data, new hires

• Are you aware of new laws affecting your compliance around privacy, data protection?

Strategies for success

• Are you responsible for protecting data and systems?

• Don’t panic, you are not alone
• Leverage heightened awareness (courtesy Snowden-Target-HomeDepot-Sony-JPMorgan)

• Take a structured approach

You are not alone

• Network with others, across departments and up and down the org chart

• Within and beyond the organization
• Chamber, BBB, SBA
• ISSA, ISACA, (ISC)2, IAPP
• ISACs, InfraGard, NCSA, VB
• NIST, SOeC

IT Security and Privacy Groups

• See attachments• Get involved

Revisit roadblocks

• In 2015 the public and press will be on high alert re: privacy and security

• Bosses may not “like” security but breaches = lost customers, lost revenue, lost jobs

• Employees may be more interested in security than you think

• If all else fails, try fear of headlines

Last word: Due care

• Remember: complying with rules & regulations (e.g. PCI, HIPAA, SOX) is not the same as being secure

• Your security will be judged in the courts of media, public opinion and law

• Liability under law hinges on reasonableness, due care

Thank you! Have a safer 2015!

• [email protected]
• WeLiveSecurity.com
• www.eset.com
• www.slideshare.net/zcobb