Cyber Sec Update, Secure World Seattle, Nov 13, 2014
TRANSCRIPT
Kevin J. Murphy, CISSP, CISM, CGEIT
Cyber Security Defense Update
Director, Windows Security Architecture
Agenda
Cyber Crime
Vulnerabilities
Cyber attacks
Cross-industry discussion
Expectations
Interactive dialogue
Learn from other industries
Think outside the box
What are the attacker’s goals?
What would you do if you were the attacker?
What can you do that the attacker won’t be expecting?
2/24/2015 2
Cyber Threats - Definitions
Cyber Crime = $$$ Motivated
Credit cards, bank accounts
APT = Nation State Espionage
Steal your Intellectual Property
Cyber war = Destructive
Geopolitical Conflict
Economic Attack
Element of modern warfare
Iran, Syria, N Korea, Al Qaeda, Russia, etc.
2014 Cyber Crime Attacks
Retail Data Breaches
Point of Sale (POS) system vulnerabilities
Reporting requirements under GLB Act
Some of the victims
Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen, PF Chang’s, etc. etc.
Analysis?
Look at your 3rd Party attack vectors
Understand your POS vendors’ security plans
2014 Cyber Crime Attacks
Home Depot – a different nuance
Credit cards were offered for sale on a website that traffics in stolen card data
Cards presented as:
“American Sanctions”
“European Sanctions”
Analysis?
Cyber Crime is now Geopolitical
Adopt Chip and PIN technology
2014 Cyber Crime Attacks
Banking Data Breaches
The 2014 Verizon Data Breach Investigations Report analyzed 1,367 data-loss incidents last year and found that 465 were financial institutions
Data Breach Losses Top More Than 78 Million Records to Date in 2014
Analysis?
Ideas?
2014 Vulnerabilities
Heartbleed (OpenSSL)
SSL 3.0
How many of you thought you had to monitor your 3rd party appliances for vulnerabilities?
And Patching!
Analysis?
Heartbleed’s lesson – “If you own SSL you own the internet”
Cyber warfare is dangerous
Potential for huge economic impact
Geopolitically motivated
No cold-war type “rules”
No international agreement
Anonymous attacks have no limits and pose little risk to the attacker
Cross-industry Discussion
What have you observed in your industry?
Lessons learned?
Preventions to share with the room?
Prevention
Defense in Depth
Defend your identity systems
Harden your AD
Office hours for auth changes
Get rid of passwords - use 2-factor auth
Application level attack
Delete forwarding rules after you reset your password
Make sure your account saves sent mail in your sent file
Prevention
Defense in Depth
Defend your perimeter - Next Gen Firewalls
Defend your network
Segment your network
Monitor, IDS, IPS
Remove remote admin where possible
Prevention
Defend your data
Encrypt, monitoring, HIDS, SIEM
Stay current in patching, A/V scanning
Offline backups
Train your security team
Learn from other industries
Stay current on the threats
Stay current on the vendor response to the threats
Stay current on secure systems configurations
Prevention
Business Continuity Cyber war Scenario
Train it - Test it
Cold backup systems
Remember a cyber war attack can infect any system connected to the network
Primary and fail-over sites could be infected all at once
Prevention
Get ahead of the attacker by anticipating the new vectors of attack
Threat assessments and models for your IT Infrastructure and apps.
Prevention
Constantly reevaluate AD for new threats
Pen test
Code sign your internal apps and applets
Security scan 3rd party vendor apps.
Prevention
Your turn – What else do you recommend?
What can you do that the attacker won’t expect?
Resources
Books
Economics & Strategies of Data Security, Daniel Geer Jr. http://www.amazon.com/Economics-Strategies-Data-Security-DANIEL/dp/B001LZM1BY
Papers
2014 Data Breach Investigations Report http://www.verizonenterprise.com/DBIR/2014/
The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell; National Security Agency http://www.windowsecurity.com/whitepapers/The_Inevitability_of_Failure_The_Flawed_Assumption_of_Security_in_Modern_Computing_Environments_.html
Contact Me:
http://www.linkedin.com/pub/kevin-murphy/5/256/863