The Year Ahead in Cyber Security: 2014 edition

2014: The year ahead in cyber security Stephen Cobb, CISSP Senior Security Researcher

Posted: 22-Sep-2014

Category: Business

description

My look ahead for the year, originally shown on Brighttalk, where you can find the narrated version. Watched by about 750 people.

Transcript of The Year Ahead in Cyber Security: 2014 edition

Page 1: The Year Ahead in Cyber Security: 2014 edition

2014: The year ahead in cyber security

Stephen Cobb, CISSP

Senior Security Researcher

Page 2

Today’s topic

• What cyber threats will your business face in 2014?

• From cyber criminals to digital privacy concerns, the landscape is shifting

• What should you be doing now?

• The best use of resources to protect your business

Page 3

The agenda

• Defining moments

• Key concerns

• Threats and responses

• Strategies for success

Page 4

Q1: Which 2013 security news story concerns you the most?

• The Target breach

• The Snowden/NSA revelations

• The hacking of Adobe

• None of the above

Page 5

Defining moments: Snowden

• Intensity of digital surveillance has returned privacy to the top of the public agenda (#1 worry in 1999)

• This impacts customer attitudes to commercial use of data (tracking ads, data mining, cookies, etc.)

• Activity like TAO (the NSA’s Tailored Access Operations unit) may undermine trust in the security of commercial systems

Page 6

Defining moments: Target

• Not just numbers (40-70-110 million)

• The “biggest” breach because we all shop there, for all kinds of stuff

• The business of Cybercrime Inc. becoming public knowledge

• Companies have no excuse for under-estimating threat level

Page 7

Key concern #1: Threats

• Cyber Crime, Inc.
  – Data about people = money

• Nation state hacking
  – From secret sauce to state secrets

• All of the traditional threats
  – Disgruntled and unethical employees, competitors, natural/human disasters

Page 8

Key concern #2: Privacy

• People concerned about collection of digital information: 69%*

• Same for NSA, online services, web sites, phone companies, retailers

• Using the Internet less and changing behavior because of Snowden
  – 1 in 5 doing less banking/emailing

* Washington Post survey

Page 9

Page 10

Key concern #3: Backup

• The ultimate protection against
  – Data loss and data ransom
  – User error and system failure
  – Natural and man-made disasters

• Review current strategies and test current implementations

• Consider all options (cloud, physical)

Page 11

Q2: A disaster puts your offices and computers off limits for 3 days. Are you:

• Well prepared with a written plan ready to execute

• Somewhat prepared

• Not clear on how you would cope

• In deep trouble

Page 12

#4 Business Continuity (IR)

• Preparing to respond to:
  – Security breaches, data theft
  – Privacy incidents, internal fraud
  – Extreme weather, man-made disasters

• At all levels:
  – Communications, people, processes, data and systems, recovery, analysis

Page 13

#5 Encryption

• Despite the NSA news, it is time to do more encryption, not less

• Encryption products have improved

• Offer protection in case of breach

• Encrypt in transit as well as at rest

• Check your cloud provider’s use of encryption, e.g. between data centers

Page 14

#6 Policy/compliance

• Are your information security policies complete and up-to-date?
  – New technologies, new data, new hires

• Are you aware of new laws affecting your compliance around privacy, data protection?

Page 15

Strategies for success

• Responsible for protecting data and systems?

• Don’t panic, you are not alone

• Leverage heightened awareness (courtesy Snowden/Target/etc.)

• Take a structured approach

Page 16

Page 17

You are not alone

• Network with others, across departments and up/down the org chart

• Within and beyond the organization

• Chamber, BBB, SBA

• ISSA, ISACA, (ISC)2, IAPP

• ISACs, InfraGard

Page 18

IT Security and Privacy Groups

• (ISC)2 = International Information System Security Certification Consortium, http://www.isc2.org

• ISAC = Information Sharing and Analysis Center, http://www.isaccouncil.org

• ISSA = Information Systems Security Association, http://www.issa.org

• ISACA = Information Systems Audit and Control Association, http://www.isaca.org

• InfraGard, http://www.infragard.net

• CompTIA = Computing Technology Industry Association, http://www.comptia.org

• IAPP = The International Association of Privacy Professionals, http://www.privacyassociation.org

Page 19

Revisit roadblocks

• In 2014 the public and press are on high alert re: privacy and security

• Bosses may not “like” security, but breaches, lost customers and lost revenue are painfully real

• Employees may be more interested in security than you think

Page 20

If all else fails try fear of headlines

Page 21

Leverage resources

• Large organizations should not duplicate efforts in common areas:
  – Identity Management, Forensics, Threat intelligence

• Encourage employees who “get” security issues

• Grow internal talent vs. hire

Page 22

Thank you!

[email protected]

• WeLiveSecurity.com

• www.eset.com