2015: The year-ahead-in-cyber-security

2015: Examining the threatscape for the year ahead
Stephen Cobb, CISSP, Senior Security Researcher



Today’s topic

• What cyber threats will your business face in 2015?
• From cyber criminals to nation states and hacktivists, threats are evolving
• What should you be doing now?
• The best use of resources to protect your business

The agenda

• Defining moments of 2015

• Lessons for 2015

• Threats and responses

• Strategies for success

Q1: Which 2014 security news story concerns you the most?

• Sony Pictures hacks

• JPMorgan Chase breach

• PSN DDoS attack

• Community Health Systems breach

• None of the above

Defining moments: Sony+

• Last year it was Snowden/Target

• This year it’s Sony

• Also maybe JP Morgan Chase

• With a touch of The Home Depot

• Plus The Home of a Despot

• Some politics and NSA

• And a sprinkle of IoT

Defining moments

• Are teaching moments

• If we don’t learn from 2014
• 2015 won’t be any better

Sony Pictures epic hack

• Data destroyed, stolen, exposed

• System availability denied/degraded

• Present and former employees personally impacted

• Lawsuits

• Brand damage

Systemic security failure?

• A history of being attacked

• A “live with the risk” attitude

• Known weaknesses not remedied

• PWC audit second half of July

– One firewall and more than 100 other devices not monitored by corporate security team

– Monitored by studio’s in-house group

– "Security incidents impacting these network or infrastructure devices may not be detected or resolved timely"

Lesson #1

• Don’t leave unencrypted audit reports in executive email inboxes
• Don’t put into unencrypted email anything you may later regret saying or sharing (words, images, reports, etc.)
• Most email is unencrypted
• If they own your account, encryption is not going to keep secrets

Lesson #2

• Make your security awesome before you antagonize known hackers
• Or don’t antagonize known hackers
• Try asking your head of security if he’s okay with you taunting hackers
• If he says yes, get a second opinion

Lesson #3

• Hacktivism is here to stay

• The Internet is fundamentally asymmetric

• May discretion be the better part of cyber valor?

JPMorgan Chase hack

• Deeper and wider than first announced

• “This was a sophisticated attack with nation state overtones”

Lesson #4

• Do all the right things all the time
• Yes, I know that is very hard to do
• But the scale of targeted attack activity is higher than ever
• E.g. fewer cyber attacks on retailers, but more efficient*

*IBM 2014 Retail Intelligence Report

Lesson #5

• Don’t play the “sophisticated nation state attack” card
• It makes you look bad later
• Both JPMorgan and Sony Pictures have tried this
• Why? Lays groundwork for legal defense against negligence claims*

The Home Depot et al.

• Point of sale hacking continues, plus SQL injection attacks on retailers
• Look for more of the same, even as chip cards start to take over
• Transition period may offer points of entry for hackers
• Card data still useful for online fraud

Q2: Chip cards are coming and they are hard to fake, so the people who now make money from card fraud will:

• Get jobs

• Try a different kind of fraud

Lesson #6

• Crime displacement
• EMV technology will make it harder to turn stolen payment card data into fake cards
• The people who buy card data to make fake cards will turn to other forms of crime: Identity theft?

Tax ID fraud

• Cost taxpayers $5 billion in 2013

• Will be big in 2015

• An easy alternative to card fraud

• IRS needs to do more, but Congress cut the IRS budget

• File early with fingers crossed

• Takes 9 months to correct (average)

Some politics and NSA

• NSA court cases and legislation will keep privacy top of mind for many
• Political stalemate and lack of trust will hamper efforts to:
– Share data between .gov and .com
– Boost spending on cybercrime deterrence

And a sprinkle of IoT

• The Internet of Things will continue to grow and get hacked

• Security threat to organizations still low relative to BYOD

• Except in sectors that use SCADA

• Privacy and rights issues may emerge re: webcams, company monitoring of IoT devices

Lesson #7

• Threatscape is wider than ever
• Cyber Crime, Inc. continues to dominate
– Data about people = money
• Nation state hacking
– From secret sauce to state secrets
• The resurgence of hacktivism
• All of the traditional IT security risks
– Current and former employees, competitors, natural/human disasters (stormy weather?)

Wildcards

• New forms of payment and currency:

– Apple Pay and other digital wallets

– Bitcoin and other virtual currencies

• Regional conflicts

• The weather

Q3: A disaster puts your offices and computer off limits for 3 days. Are you:

• Well prepared with a written plan ready to execute

• Somewhat prepared

• Not clear on how you would cope

• In deep trouble

Security strategies: BCM/IR

• Business Continuity Management and Incident Response means…

• Preparing to respond to:

– Security breaches, data theft

– Privacy incidents, internal fraud

– Extreme weather, man-made disasters

• At all levels:

– Communications, people, processes, data and systems, recovery, analysis

Security strategies: Backup

• The ultimate protection against

– Data loss and data ransom

– User error and system failure

– Natural and man-made disasters

• Review current strategies and test current implementations

• Consider all options (cloud, physical)

Strategies: Encryption

• Time to do more encryption, not less

• Encryption products have improved

• Offer protection in case of breach

• Encrypt in transit as well as at rest

• Check your cloud provider’s use of encryption, e.g. between data centers

Strategies: Policy/compliance

• Start of the new year is a good time to check:

• Are your information security policies complete and up-to-date?

– New technologies, new data, new hires

• Are you aware of new laws affecting your compliance around privacy, data protection?

Strategies for success

• Are you responsible for protecting data and systems?
• Don’t panic, you are not alone
• Leverage heightened awareness (courtesy Snowden-Target-HomeDepot-Sony-JPMorgan)
• Take a structured approach

You are not alone

• Network with others, across departments, up/down the org chart

• Within and beyond the organization

• Chamber, BBB, SBA

• ISSA, ISACA, (ISC)2, IAPP

• ISACs, InfraGard, NCSA, VB

• NIST, SOeC

IT Security and Privacy Groups

• See attachments

• Get involved

Revisit roadblocks

• In 2015 the public and press will be on high alert re: privacy and security
• Bosses may not “like” security but breaches = lost customers, lost revenue, lost jobs
• Employees may be more interested in security than you think

If all else fails, try fear of headlines

Last word: Due care

• Remember: complying with rules & regulations (e.g. PCI, HIPAA, SOX) is not the same as being secure
• Your security will be judged in the courts: media, public opinion, law
• Liability under law hinges on reasonableness, due care

Thank you! Have a safer 2015!

[email protected]

• WeLiveSecurity.com

• www.eset.com

• www.slideshare.net/zcobb