Post on 13-Jul-2015
Today’s topic
• What cyber threats will your business face in 2015?
• From cyber criminals to nation states and hacktivists, threats are evolving
• What should you be doing now?
• The best use of resources to protect your business
The agenda
• Defining moments of 2015
• Lessons for 2015
• Threats and responses
• Strategies for success
Q1: Which 2014 security news story concerns you the most?
• Sony Pictures hacks
• JPMorgan Chase breach
• PSN DDoS attack
• Community Health Systems breach
• None of the above
Defining moments: Sony+
• Last year it was Snowden/Target
• This year it’s Sony
• Also maybe JP Morgan Chase
• With a touch of The Home Depot
• Plus The Home of a Despot
• Some politics and NSA
• And a sprinkle of IoT
Sony Pictures epic hack
• Data destroyed, stolen, exposed
• System availability denied/degraded
• Present and former employees personally impacted
• Lawsuits
• Brand damage
Systemic security failure?
• A history of being attacked
• A “live with the risk” attitude
• Known weaknesses not remedied
• PwC audit, second half of July:
– One firewall and more than 100 other devices not monitored by the corporate security team
– Monitored instead by the studio’s in-house group
– "Security incidents impacting these network or infrastructure devices may not be detected or resolved timely"
Lesson #1
• Don’t leave unencrypted audit reports in executive email inboxes
• Don’t put into unencrypted email anything you may later regret saying or sharing (words, images, reports, etc.)
• Most email is unencrypted
• If they own your account, encryption is not going to keep secrets
Lesson #2
• Make your security awesome before you antagonize known hackers
• Or don’t antagonize known hackers
• Try asking your head of security if he’s okay with you taunting hackers
• If he says yes, get a second opinion
Lesson #3
• Hacktivism is here to stay
• The Internet is fundamentally asymmetric
• May discretion be the better part of cyber valor?
JPMorgan Chase hack
• Deeper and wider than first announced
• “This was a sophisticated attack with nation state overtones”
Lesson #4
• Do all the right things all the time
• Yes, I know that is very hard to do
• But the scale of targeted attack activity is higher than ever
• E.g. fewer cyber attacks on retailers, but more efficient ones*
*IBM 2014 Retail Intelligence Report
Lesson #5
• Don’t play the “sophisticated nation state attack” card
• It makes you look bad later
• Both JPMorgan and Sony Pictures have tried this
• Why? Lays groundwork for legal defense against negligence claims*
The Home Depot et al.
• Point of sale hacking continues, plus SQL injection attacks on retailers
• Look for more of the same, even as chip cards start to take over
• Transition period may offer points of entry for hackers
• Card data still useful for online fraud
Q2: Chip cards are coming and they are hard to fake, so the people who now make money from card fraud will:
• Get jobs
• Try a different kind of fraud
Lesson #6
• Crime displacement
• EMV technology will make it harder to turn stolen payment card data into fake cards
• The people who buy card data to make fake cards will turn to other forms of crime: identity theft?
Tax ID fraud
• Cost taxpayers $5 billion in 2013
• Will be big in 2015
• An easy alternative to card fraud
• IRS needs to do more, but congress
cut the IRS budget
• File early with fingers crossed
• Takes 9 months to correct (average)
Some politics and NSA
• NSA court cases and legislation will keep privacy top of mind for many
• Political stalemate and lack of trust will hamper efforts to:
– Share data between .gov and .com
– Boost spending on cybercrime deterrence
And a sprinkle of IoT
• The Internet of Things will continue to grow and get hacked
• Security threat to organizations still low relative to BYOD
• Except in sectors that use SCADA
• Privacy and rights issues may emerge re: webcams, company monitoring of IoT devices
Lesson #7
• Threatscape is wider than ever
• Cyber Crime, Inc. continues to dominate
– Data about people = money
• Nation state hacking
– From secret sauce to state secrets
• The resurgence of hacktivism
• All of the traditional IT security risks
– Current and former employees, competitors, natural/human disasters (stormy weather?)
Wildcards
• New forms of payment and currency:
– Apple Pay and other digital wallets
– Bitcoin and other virtual currencies
• Regional conflicts
• The weather
Q3: A disaster puts your offices and computers off limits for 3 days. Are you:
• Well prepared, with a written plan ready to execute
• Somewhat prepared
• Not clear on how you would cope
• In deep trouble
Security strategies: BCM/IR
• Business Continuity Management and Incident Response means…
• Preparing to respond to:
– Security breaches, data theft
– Privacy incidents, internal fraud
– Extreme weather, man-made disasters
• At all levels:
– Communications, people, processes, data and systems, recovery, analysis
Security strategies: Backup
• The ultimate protection against
– Data loss and data ransom
– User error and system failure
– Natural and man-made disasters
• Review current strategies and test
current implementations
• Consider all options (cloud, physical)
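The slide says to test current backup implementations, not just review them. The following is an added example written for this page, not code from the presenter: it takes a SHA-256 manifest of a constructed set of files, writes them to a tar archive, performs a test restore from that archive and reports every file that is missing or no longer matches the manifest. The file names and contents are made up for the demo, and the corruption step flips one byte of the archive to stand in for silent media or transfer damage. A backup that restores without error but fails this comparison is exactly the kind that only gets discovered during a real disaster.

```go
package main

import (
	"archive/tar"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"sort"
)

// sampleFiles is a constructed stand-in for the data set being backed up.
var sampleFiles = map[string][]byte{
	"finance/q3-report.xlsx": []byte("constructed spreadsheet contents"),
	"hr/employees.csv":       []byte("id,name\n1,constructed\n"),
}

// hashFiles builds the manifest recorded at backup time: path -> hex SHA-256.
func hashFiles(files map[string][]byte) map[string]string {
	m := make(map[string]string, len(files))
	for p, data := range files {
		sum := sha256.Sum256(data)
		m[p] = hex.EncodeToString(sum[:])
	}
	return m
}

// backup writes the files into a tar archive (the backup set) in a fixed order.
func backup(files map[string][]byte) ([]byte, error) {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, p := range paths {
		hdr := &tar.Header{Name: p, Typeflag: tar.TypeReg, Mode: 0600, Size: int64(len(files[p]))}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write(files[p]); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// restore performs a test restore, reading every regular file out of the archive.
func restore(archive []byte) (map[string][]byte, error) {
	out := make(map[string][]byte)
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		data, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		out[hdr.Name] = data
	}
}

// verifyRestore restores the archive and compares each file with the manifest.
// It returns the paths that are missing or whose contents changed; an empty
// result means the backup set can actually be restored intact.
func verifyRestore(archive []byte, manifest map[string]string) ([]string, error) {
	restored, err := restore(archive)
	if err != nil {
		return nil, err
	}
	got := hashFiles(restored)
	var bad []string
	for p, want := range manifest {
		if got[p] != want {
			bad = append(bad, p)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

// corruptArchive returns a copy of the archive with one byte of the given
// content marker flipped, simulating silent media or transfer corruption.
func corruptArchive(archive []byte, marker string) []byte {
	c := append([]byte(nil), archive...)
	if i := bytes.Index(c, []byte(marker)); i >= 0 {
		c[i] ^= 0xff
	}
	return c
}

func main() {
	manifest := hashFiles(sampleFiles)
	archive, err := backup(sampleFiles)
	if err != nil {
		panic(err)
	}
	bad, _ := verifyRestore(archive, manifest)
	fmt.Println("intact backup, files failing verification:", bad)
	bad, _ = verifyRestore(corruptArchive(archive, "constructed spreadsheet"), manifest)
	fmt.Println("corrupted backup, files failing verification:", bad)
}
```

The manifest has to be stored separately from the backup set (and, for ransomware, out of reach of the hosts being backed up), otherwise whatever damages the archive can rewrite the hashes too.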
Strategies: Encryption
• Time to do more encryption, not less
• Encryption products have improved
• Offer protection in case of breach
• Encrypt in transit as well as at rest
• Check your cloud provider’s use of encryption, e.g. between data centers
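Lesson #1 and this slide are two sides of the same point: encrypting stored data is what limits the damage when a mailbox or a disk is breached, and it only works if the key is not sitting next to the data. The block below is an added example written for this page, not code from the presentation: it seals a constructed audit report with AES-256-GCM, binds a file-name label to the ciphertext as authenticated data, and shows that a tampered blob, a wrong label or a wrong key all fail to decrypt rather than yielding garbage. The key is generated at random purely for the demo; where it is kept is an assumption left to the reader's key management, and encryption in transit (TLS between data centers) is not covered here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a random 256-bit AES key. In production the key comes from a
// key manager or a passphrase-derived KDF, and it lives somewhere other than
// the mailbox or disk holding the ciphertext: whoever owns the account gets
// whatever is stored in it, key included.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealReport encrypts and authenticates a report with AES-256-GCM and returns
// nonce || ciphertext || tag. label is authenticated but not encrypted; binding
// e.g. the file name stops a valid blob from being passed off as another file.
func sealReport(key, report, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per message; a nonce must never repeat under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, report, label), nil
}

// openReport reverses sealReport. Any change to nonce, ciphertext, tag or label,
// or use of a different key, makes GCM's tag check fail and returns an error.
func openReport(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data standing in for an audit report in an inbox.
	report := []byte("constructed audit finding: 100+ devices not monitored")
	label := []byte("audit-report.pdf")

	blob, err := sealReport(key, report, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored form is %d bytes of ciphertext, useless without the key\n", len(blob))

	got, err := openReport(key, blob, label)
	fmt.Printf("right key and label: %q, err=%v\n", got, err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = openReport(key, tampered, label)
	fmt.Println("tampered ciphertext:", err)

	_, err = openReport(key, blob, []byte("other-file.pdf"))
	fmt.Println("wrong label:", err)
}
```

If the attacker has the account and the key is stored in the same account, openReport succeeds for them just as it does in the happy path above; the cipher is doing its job, the key handling is not.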
Strategies: Policy/compliance
• Start of the new year is a good time to check:
• Are your information security policies complete and up-to-date?
– New technologies, new data, new hires
• Are you aware of new laws affecting your compliance around privacy and data protection?
Strategies for success
• Are you responsible for protecting data and systems?
• Don’t panic, you are not alone
• Leverage heightened awareness (courtesy of Snowden, Target, Home Depot, Sony, JPMorgan)
• Take a structured approach
You are not alone
• Network with others, across departments and up/down the org chart
• Within and beyond the organization
• Chamber, BBB, SBA
• ISSA, ISACA, (ISC)2, IAPP
• ISACs, InfraGard, NCSA, VB
• NIST, SOeC
Revisit roadblocks
• In 2015 the public and press will be on high alert re: privacy and security
• Bosses may not “like” security, but breaches = lost customers, lost revenue, lost jobs
• Employees may be more interested in security than you think
Last word: Due care
• Remember: complying with rules & regulations (e.g. PCI, HIPAA, SOX) is not the same as being secure
• Your security will be judged in the courts: media, public opinion, law
• Liability under law hinges on reasonableness, due care