@MATTHEWPASCUCCI WWW.FRONTLINESENTINEL.COM
The State of Cyber Security 2015
2015 - A Year in Review
Agenda
  Year in Review
  The major risks of the year
  Where we've succeeded
  Emerging Trends
Notable Hacks of 2015
Politicians Are Waking Up
  CISA (Computer Information Sharing Bill)
  Prime Minister David Cameron looking to pass an anti-terror bill to allow GCHQ to decrypt communications
  Constant talks with China about espionage
  FBI fighting for an encrypted backdoor
  The OPM hack was the last straw
  The NSA in the news daily
  CyberWar? What is it?
Where Have All The Good Guys Gone?
  The lack of cyber security talent is scary
    451 Research stated: 34.5% of project delays are due to lack of staff
  How can we get students educated in cyber security?
    NSA/DHS created "Centers of Excellence" with scholarships
    Why isn't this drawing people in?
  How can we entice people to our industry?
    Stats that people would be interested in, but know nothing about
    Colleges doing a better job?
    Remove the stigma of the "hacker lifestyle"
Privacy in the New Security
  Privacy jobs are starting to explode
    CIPP certifications are in great demand
  Companies over the next couple of years will see a wave of new privacy law hit them
    The EU laws are slowly making their way across the Atlantic
    Safe Harbor laws
  Technology vendors are now using privacy as a selling point
    Apple, Twitter, etc.
  Everyone from Grandma to the CEO is concerned
    EFF.org (Electronic Frontier Foundation)
  Edward Snowden gets a Twitter account
Find a Happy Place
Phishing is Still Killing Us
  Educate, educate, educate
    Test your users with fake phishing
    Run competitions and make it fun
    What to look for? Review real phishing emails, etc.
  Keep metrics and show improvements
  Make sure executive admins are aware
  Invest in a strong mail filter
  Not just email anymore: SMS, social media, etc.
  This is your biggest threat right now. Fix it.
Phishing Stats
  According to Verizon:
    95% of espionage attacks involve phishing.
    Nearly 80% of all malware attacks come from phishing.
    Almost 50% of recipients open emails and click on phishing links within the first hour.
    There's a 71% chance that phishing links are clicked on a Windows machine.
    Technical emails are the most common messages to be clicked on, with a 21.3% click rate.
    iOS devices have a 16% click-through rate, highest amongst mobile devices.
Don’t DDoS me, bro!
  This is still a problem. It's not going away.
  ProtonMail just got hit with a DDoS
    Needed upstream providers and DDoS equipment to defend
  Are you ready for a DDoS attack?
  How would you react to a DDoS ransom?
  DDoS comes in many different flavors:
    Volumetric
    Application
    Hybrid
  DDoS smoke screens. Beware!
Coding Standards Need To Change
  When will we follow the "OWASP Top 10"?
  Jim Manico, Manicode Security, says he needs $4 billion to fix the state of application security.
  SDLCs being followed? Are they even there?
  Are you using proper release management?
  Constant vulnerability scanning
    Static analysis
    Dynamic analysis
  Mobile apps are a threat. Let's not let history repeat itself.
Vulnerabilities on the Rise
  Vulnerabilities are everywhere!
    Critical infrastructure
    Homes
    Business
  Companies selling zero days and researchers finding them
    Double-edged sword
  SSL is dead: Heartbleed, POODLE, FREAK, BEAST, etc.
    Remediation plan? How long? What's your risk appetite?
  Legacy systems still can't get updated
  Patches? We don't need no stinking patches.
Mobile is Here to Stay
  Do you "BYOD"?
  How are corporate apps being developed? Used? Deployed?
  Steps to lock down a mobile device:
    Encryption
    Container
    DLP
  Mobile OWASP Top 10
  We're moving down the path of this being the biggest threat
How do you “Incident Response”?
  Red team drills
    Determine what your worst nightmare is and live it.
  Runbooks
    Recording the steps to remediate your worst nightmares.
  SWAT teams
    Getting a team of talented people to run the incident.
  Relationships with law enforcement
    If you don't have this already, you're wasting time.
Third Party Vendors = Weakest Link
  Huge risk, just ask Target
  Lower the risk by performing third party risk reviews
    Create policy and forms to have vendors fill out
    This is your data and environment. In order to do business with them, they need to be assessed.
  Creation of legal contracts
    When are you notified of a breach?
    Indemnification
  Review of vendors' internal workings
    How do they perform security?
Do You Know Where Your Data Is?
  Sensitive data
    Do you know where your sensitive data is?
    What is sensitive data?
  DLP
    Network
    Endpoint
    Honeyfiles
  Insider threats
    The Edward Snowden effect (for better or worse)
    This is dangerous because you're giving them access; they don't need to break in first.
Privileged Attack Hacks On The Rise
  CyberArk recently put out a survey saying 88% of all companies are susceptible to privileged attack hacks.
  Windows environments are at greater risk, but there are Linux concerns too.
  Randomization of accounts, including local and service accounts, is key to stopping abuse.
  Session management and jump boxes are needed.
  Once an internal account is taken, it's a matter of time before things go south.
What We Get Right
The Boardroom is Noticing
  Funding is growing (hopefully you see it too)
    There has been an increase all round in funding
    Exponential jump from 5 years ago
  Cyber threats have become a topic of concern
    Management is asking questions that they didn't 5 years ago
    This is no longer compliance related
    People are realizing this could affect their wallets
Security Mentality Is Growing
  The media
    Media hype draws attention (for better or worse)
    It's all around us and it's soaking into our culture
  The education of the normal user is growing. It might not seem like it, but it's on everyone's mind.
  We have to harness this curiosity and mold it. This is the "Golden Age of Security Awareness".
Up and Coming Trends
Managed Security Services Providers (MSSP)
  Why aren't we doing this more?
  Who has a fully staffed team monitoring 24x7? Who doesn't? Would you consider this?
  Trust is a risk, but so is not doing anything.
  Acquire additional services, or limit to in-house only?
  Create retainers for services on demand:
    Malware reverse engineering
    Digital forensics
    Etc.
Deception in Depth
  Hackers don't play fair. Neither should you!
  Start using deception as a defense technique
    Concerned with prevention only, not detection
    Sea change in management's thinking
    Honeypots
    Honeytokens
    Darknet alerting
    Sinkholes
  Many new vendors coming out with deception tools
    An area I hope grows in the future
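An added example (not from the original deck) of how the honeyfiles listed under DLP and the honeytokens on this slide turn into detections: a decoy account that no real system uses and a decoy document that nobody should open are planted, and any touch of either is an alert. The account names, the share path and the log line formats are all constructed here.

```python
import re
from collections import namedtuple

# Constructed honeytokens: decoy accounts that exist only to be found by an
# intruder (e.g. left in an old config file); no legitimate process uses them.
HONEYTOKEN_ACCOUNTS = {"svc_backup_legacy", "oracle_dba_old"}
# Constructed honeyfile: a decoy document on a share that nobody should open.
HONEYFILES = {"/shares/finance/2015_merger_plan.xlsx"}

# Constructed log formats, one event per line.
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")
FILE_RE = re.compile(r"^(?P<ts>\S+) fileaccess user=(?P<user>\S+) path=(?P<path>\S+)$")

Alert = namedtuple("Alert", "ts kind detail actor")

def scan(lines):
    """Return one Alert per honeytoken login attempt or honeyfile access.

    Any use of a decoy counts, successful or not: a failed login with a
    honeytoken account still proves someone harvested the planted credential.
    """
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            if m["user"] in HONEYTOKEN_ACCOUNTS:
                alerts.append(Alert(m["ts"], "honeytoken-login", m["user"], m["src"]))
            continue
        m = FILE_RE.match(line)
        if m and m["path"] in HONEYFILES:
            alerts.append(Alert(m["ts"], "honeyfile-access", m["path"], m["user"]))
    return alerts

# Constructed sample log: normal activity plus two decoy triggers.
SAMPLE_LOG = [
    "2015-11-02T09:14:01 auth ok user=jsmith src=10.1.1.20",
    "2015-11-02T09:15:22 fileaccess user=jsmith path=/shares/finance/q3_report.xlsx",
    "2015-11-02T23:41:07 auth fail user=svc_backup_legacy src=10.1.1.77",
    "2015-11-02T23:42:30 fileaccess user=jsmith path=/shares/finance/2015_merger_plan.xlsx",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.ts}] {a.kind}: {a.detail} by {a.actor}")
```

Because the decoys have no legitimate use, this detector has essentially no false positives, which is what makes deception cheap to run alongside noisier controls.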
Cloud Based Security on the Rise
  Cloud based security tools
    Two-factor authentication
    DDoS protection
    Identity management
    SIEM
    Endpoint protection
  Cloud Security Alliance STAR Registry
  Secure hosting
    Amazon has made considerable advances in security services (WAF, security assessment, HSM, firewall, etc.)
Cyber Insurance
  This is on the rise and you need it.
  It's used for homes, cars and businesses. Why not cyber attacks?
  Target was given $90 million from insurance and paid $162 million out of pocket
  Understand the legal nuances of cyber insurance
    Timeframes
    Logs
    Etc.
  Run through a dry run of contacting insurance
    Who are you going to call?
    Who needs to be involved (insurance, law enforcement, etc.)?
    Determine who you'll be working with
    Know if you need to bring something to the table
“Threat Intel” or “Sharing is Caring”
  Threat intelligence has grown over the past year
  The use of STIX/TAXII as a framework
  Multiple vendors creating vendor related intel
  Trusted circles
  Situational awareness
  Companies
  ISACs (Information Sharing and Analysis Centers) are being established:
    FS-ISAC (Financial Services ISAC)
    NH-ISAC (National Health ISAC)
    E-ISAC (Electricity ISAC)
Machine Learning and Behavioral Analysis
  Signatures have failed. Long live behavioral analysis.
  Next generation anti-malware/antivirus
    Identifying attacks based on analysis, not signatures.
    Limited set of instructions and less updating. Prevention with limited updating is key.
  Machine learning network based systems
    Determines how attacks work and alerts on risk.
    Profiling of users' normal activity.
    Review of what is considered out of the norm in east-west traffic.
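A simplified statistical version of the behavioral baselining this slide describes, combined with the darknet alerting from the Deception in Depth slide. This is an added example, not a vendor's product or the author's code: the flow log format, the hosts and the 10.99.0.0/16 darknet range are constructed, and the threshold (a source's own mean fan-out plus three standard deviations, with a floor of five extra hosts) is an assumption.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed darknet: a routed internal range with no hosts, so any traffic into it is a scan or a misconfiguration.
DARKNET = [ipaddress.ip_network("10.99.0.0/16")]

def parse_flows(lines):
    """Parse constructed flow lines of the form '<ts> <src> -> <dst>:<port>'."""
    flows = []
    for line in lines:
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        flows.append((ts, src, dst, int(port)))
    return flows

def fanout(flows):
    """Distinct destinations per source host: the east-west 'fan-out' being profiled."""
    dests = defaultdict(set)
    for _, src, dst, _ in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def build_baseline(history):
    """Per-source mean and standard deviation of fan-out over past windows (the 'normal activity')."""
    per_src = defaultdict(list)
    for window in history:
        for src, n in fanout(window).items():
            per_src[src].append(n)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}

def detect(flows, base, k=3.0, min_delta=5):
    """Flag sources whose fan-out jumps above their own baseline, plus any darknet contact."""
    alerts = []
    for src, n in fanout(flows).items():
        mu, sd = base.get(src, (0.0, 0.0))  # a source never seen before gets a zero baseline
        if n > mu + max(k * sd, min_delta):  # the floor stops tiny baselines from over-alerting
            alerts.append(("fanout", src, n))
    for _, src, dst, _ in flows:
        if any(ipaddress.ip_address(dst) in net for net in DARKNET):
            alerts.append(("darknet", src, dst))
    return alerts

# Constructed learning data: three past windows of normal traffic (10.1.1.5 talks to two hosts, 10.1.1.6 to one).
HISTORY = [parse_flows([f"t{d} 10.1.1.5 -> 10.1.2.10:445", f"t{d} 10.1.1.5 -> 10.1.2.11:445",
                        f"t{d} 10.1.1.6 -> 10.1.2.10:445"]) for d in (1, 2, 3)]
# Constructed current window: 10.1.1.5 suddenly sweeps a dozen hosts and strays into the darknet.
CURRENT = parse_flows([f"t4 10.1.1.5 -> 10.1.2.{i}:445" for i in range(10, 22)]
                      + ["t4 10.1.1.5 -> 10.99.3.7:445", "t4 10.1.1.6 -> 10.1.2.10:445"])
ALERTS = detect(CURRENT, build_baseline(HISTORY))  # fan-out alert for 10.1.1.5 (13 hosts) plus one darknet hit
```

The baseline is per source, so a file server that legitimately talks to hundreds of hosts is not flagged while a workstation that normally touches two is; real products replace the mean-plus-k-sigma rule with learned models, but the profiling idea is the same.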
Questions?
  I know you have some. Let's hear them.