The Year Ahead in Cyber Security: 2014 edition
Posted 22-Sep-2014, category: Business
Transcript of The Year Ahead in Cyber Security: 2014 edition
2014: The year ahead in cyber security
Stephen Cobb, CISSP
Senior Security Researcher
Today’s topic
• What cyber threats will your business face in 2014?
• From cyber criminals to digital privacy concerns, the landscape is shifting
• What should you be doing now?
• The best use of resources to protect your business
The agenda
• Defining moments
• Key concerns
• Threats and responses
• Strategies for success
Q1: Which 2013 security news story concerns you the most?
• The Target breach
• The Snowden/NSA revelations
• The hacking of Adobe
• None of the above
Defining moments: Snowden
• Intensity of digital surveillance has returned privacy to the top of the public agenda (#1 worry in 1999)
• This impacts customer attitudes to commercial use of data (tracking ads, data mining, cookies, etc.)
• Activity like TAO (the NSA’s Tailored Access Operations) may undermine trust in the security of commercial systems
Defining moments: Target
• Not just numbers (40-70-110 million)
• The “biggest” breach because we all shop there, for all kinds of stuff
• The business of Cybercrime Inc. becoming public knowledge
• Companies have no excuse for under-estimating the threat level
Key concern #1: Threats
• Cyber Crime, Inc.
– Data about people = money
• Nation state hacking
– From secret sauce to state secrets
• All of the traditional threats
– Disgruntled and unethical employees, competitors, natural/human disasters
Key concern #2: Privacy
• People concerned about collection of digital information: 69%*
• Same for NSA, online services, web sites, phone companies, retailers
• Using the Internet less and changing behavior because of Snowden
– 1 in 5 doing less banking/emailing
* Washington Post survey
Key concern #3: Backup
• The ultimate protection against
– Data loss and data ransom
– User error and system failure
– Natural and man-made disasters
• Review current strategies and test current implementations
• Consider all options (cloud, physical)
Q2: A disaster puts your offices and computer off limits for 3 days. Are you:
• Well prepared with a written plan ready to execute
• Somewhat prepared
• Not clear on how you would cope
• In deep trouble
#4 Business Continuity (IR)
• Preparing to respond to:
– Security breaches, data theft
– Privacy incidents, internal fraud
– Extreme weather, man-made disasters
• At all levels:
– Communications, people, processes, data and systems, recovery, analysis
#5 Encryption
• Despite the NSA news, it is time to do more encryption, not less
• Encryption products have improved
• Offer protection in case of breach
• Encrypt in transit as well as at rest
• Check your cloud provider’s use of encryption, e.g. between data centers
#6 Policy/compliance
• Are your information security policies complete and up-to-date?
– New technologies, new data, new hires
• Are you aware of new laws affecting your compliance around privacy and data protection?
Strategies for success
• Responsible for protecting data and systems?
• Don’t panic, you are not alone
• Leverage heightened awareness (courtesy Snowden/Target/etc.)
• Take a structured approach
You are not alone
• Network with others, across departments, up/down the org chart
• Within and beyond the organization
• Chamber, BBB, SBA
• ISSA, ISACA, (ISC)2, IAPP
• ISACs, InfraGard
IT Security and Privacy Groups
• (ISC)2 = International Information System Security Certification Consortium, http://www.isc2.org
• ISAC = Information Sharing and Analysis Center, http://www.isaccouncil.org
• ISSA = Information Systems Security Association, http://www.issa.org
• ISACA = Information Systems Audit and Control Association, http://www.isaca.org
• InfraGard, http://www.infragard.net
• CompTIA = Computing Technology Industry Association, http://www.comptia.org
• IAPP = The International Association of Privacy Professionals, http://www.privacyassociation.org
Revisit roadblocks
• In 2014 the public and press are on high alert re: privacy and security
• Bosses may not “like” security, but breaches, lost customers and lost revenue are painfully real
• Employees may be more interested in security than you think
If all else fails try fear of headlines
Leverage resources
• Large organizations should not duplicate efforts in common areas:
– Identity management, forensics, threat intelligence
• Encourage employees who “get” security issues
• Grow internal talent vs. hire
Thank you!
• [email protected]
• WeLiveSecurity.com
• www.eset.com