Page 1: Cyber Sec Update Secure World Seattle Nov 13, 2014

Kevin J. Murphy, CISSP, CISM, CGEIT

Cyber Security Defense Update

Director, Windows Security Architecture

Page 2

Agenda

Cyber Crime

Vulnerabilities

Cyber attacks

Cross-industry discussion

Expectations

Interactive dialogue

Learn from other industries

Think outside the box

What are the attacker's goals?

What would you do if you were the attacker?

What can you do that the attacker won’t be expecting?

2/24/2015 2

Page 3

Cyber Threats - Definitions

Cyber Crime = $$$ Motivated

Credit cards, bank accounts

APT = Nation State Espionage

Steal your Intellectual Property

Cyber war = Destructive

Geopolitical Conflict

Economic Attack

Element of modern warfare

Iran, Syria, N Korea, Al Qaeda, Russia, etc.

Page 4

Page 5

2014 Cyber Crime Attacks: Retail Data Breaches

Point of Sale (POS) system vulnerabilities

Reporting requirements under GLB Act

Some of the victims

Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen, PF Chang’s, etc. etc.

Analysis?

Look at your 3rd Party attack vectors

Understand your POS vendors' security plans

Page 6

2014 Cyber Crime Attacks

Home Depot – a different nuance

Credit cards were offered for sale on a website that traffics in stolen card data

Cards presented as:

"American Sanctions”

"European Sanctions”

Analysis?

Cyber Crime is now Geopolitical

Adopt Chip and PIN technology

Page 7

2014 Cyber Crime Attacks

Banking Data Breaches

The 2014 Verizon Data Breach Investigations Report analyzed 1,367 confirmed data-loss incidents from the prior year; 465 of them were at financial institutions

Data Breach Losses Top More Than 78 Million Records to Date in 2014

Analysis?

Ideas?

Page 8

2014 Vulnerabilities: 3rd Party Vulnerabilities

Page 9

2014 Vulnerabilities

Heartbleed (OpenSSL)

SSL 3.0

How many of you thought you had to monitor your 3rd party appliances for vulnerabilities?

And Patching!

Analysis?

Heartbleed’s lesson – “If you own SSL you own the internet”

Page 10

3rd world Cyber attacks

Syrian Electronic Army

What did they learn by this reaction?

Page 11

Cyber warfare is dangerous

Potential for huge economic impact

Geopolitically motivated

No cold-war type “rules”

No international agreement

Anonymous attacks have no limits and pose little risk to the attacker

Page 12

Geopolitical attacks

Critical Infrastructure

Page 13

Cross-industry Discussion

What have you observed in your industry?

Lessons learned?

Preventions to share with the room?

Page 14

Page 15

Prevention: Defense in Depth

Defend your identity systems

Harden your AD

Office hours for auth changes

Get rid of passwords: use 2-factor auth

Application-level attacks

Delete mail forwarding rules after you reset your password

Make sure your account saves sent mail in your Sent Items folder
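The two mailbox items above are the part of an account takeover that a password reset does not undo: an attacker who had the credentials usually leaves a forwarding address or an inbox rule behind so they keep receiving mail. The script below is an added example, not from the slides; it assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) and that the caller holds a mailbox-admin role. The mailbox name and the script file name are placeholders.

```powershell
# Added example (not from the slides): post-reset mailbox audit for one user.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and a
# mailbox-admin role. Run with -WhatIf first to see what would be removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox          # e.g. 'jdoe@example.com' (placeholder)
)

# 1. Mailbox-level forwarding survives a password reset; the attacker set it
#    once and never needs the password again.
$mbx = Get-Mailbox -Identity $Mailbox
$mailboxForwarding = [bool]($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress)
if ($mailboxForwarding) {
    Write-Warning ("Mailbox-level forwarding on {0}: internal={1} external={2} keepCopy={3}" -f
        $Mailbox, $mbx.ForwardingAddress, $mbx.ForwardingSmtpAddress, $mbx.DeliverToMailboxAndForward)
    if ($PSCmdlet.ShouldProcess($Mailbox, 'Clear mailbox-level forwarding')) {
        Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null `
                    -DeliverToMailboxAndForward $false
    }
}

# 2. Inbox rules that forward, redirect or silently delete mail. DeleteMessage
#    is included because attackers use it to hide password-reset and
#    security-alert mail from the victim.
$suspect = @(Get-InboxRule -Mailbox $Mailbox | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
})
foreach ($rule in $suspect) {
    Write-Warning ("Inbox rule '{0}' (enabled={1}) forwardTo={2} redirectTo={3} delete={4}" -f
        $rule.Name, $rule.Enabled, ($rule.ForwardTo -join ';'), ($rule.RedirectTo -join ';'), $rule.DeleteMessage)
    if ($PSCmdlet.ShouldProcess("$Mailbox / $($rule.Name)", 'Remove inbox rule')) {
        Remove-InboxRule -Mailbox $Mailbox -Identity $rule.Identity -Confirm:$false
    }
}

# 3. One-line summary for the incident ticket.
[pscustomobject]@{
    Mailbox           = $Mailbox
    MailboxForwarding = $mailboxForwarding
    SuspectInboxRules = $suspect.Count
}
```

Usage: `.\Audit-MailboxForwarding.ps1 -Mailbox jdoe@example.com -WhatIf` to report only, then without `-WhatIf` to clean up. Two things this does not cover that belong in the same checklist: transport rules at the organisation level, and OAuth application grants on the account, both of which also outlive a password reset.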

Page 16

Prevention: Defense in Depth

Defend your perimeter - Next Gen Firewalls

Defend your network

Segment your network

Monitor, IDS, IPS

Remove remote admin where possible
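"Segment your network" and "remove remote admin where possible" meet on the host: even where remote administration has to stay, the management ports should only answer to a dedicated admin network. The script below is an added example, not from the slides; it uses the built-in Windows firewall cmdlets, assumes 10.10.200.0/24 is the admin/jump-host subnet (placeholder), and is run elevated on the server (or pushed as the equivalent GPO settings).

```powershell
# Added example (not from the slides): scope the built-in remote-admin firewall
# rules on a Windows server so they only accept connections from the admin
# network. 10.10.200.0/24 is a placeholder for your admin/jump-host subnet.
$AdminSubnet = '10.10.200.0/24'

# Rule groups / rules that expose remote administration. Only SMB-In is taken
# from the File and Printer Sharing group, because that group also carries the
# ICMP and NetBIOS rules you may still want open.
$RemoteAdminGroups = @('Remote Desktop', 'Windows Remote Management')
$RemoteAdminRules  = @('File and Printer Sharing (SMB-In)')

# 1. Default-deny inbound on every profile: anything without an allow rule is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Narrow the existing allow rules rather than adding Block rules. In the
#    Windows firewall an explicit Block beats an Allow, so "block 3389 from
#    everywhere, allow it from the admin subnet" would lock the admins out too.
foreach ($group in $RemoteAdminGroups) {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AdminSubnet -Enabled True
}
foreach ($name in $RemoteAdminRules) {
    Get-NetFirewallRule -DisplayName $name -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AdminSubnet -Enabled True
}

# 3. Verify: every inbound rule touched above should now show the admin subnet
#    as its only remote address.
$touched = @(foreach ($g in $RemoteAdminGroups) { Get-NetFirewallRule -DisplayGroup $g -Direction Inbound }) +
           @(foreach ($n in $RemoteAdminRules)  { Get-NetFirewallRule -DisplayName  $n -Direction Inbound })
$touched | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Port    = (($_ | Get-NetFirewallPortFilter).LocalPort) -join ','
        Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    }
} | Format-Table -AutoSize
```

Check the verification table for any rule whose Remote column still reads `Any`; that is a rule in the same group that was created under a different display name (localised builds and third-party installers both do this) and needs scoping by hand. The host rules are a backstop for the network segmentation, not a replacement for it.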

Page 17

Prevention: Defend your data

Encryption, monitoring, HIDS, SIEM

Stay current on patching and A/V scanning

Offline backups

Train your security team

Learn from other industries

Stay current on the threats

Stay current on the vendor response to the threats

Stay current on secure systems configurations

Page 18

Prevention

Business Continuity: Cyber war scenario

Train it - Test it

Cold backup systems

Remember a cyber war attack can infect any system connected to the network

Primary and fail-over sites could be infected all at once

Page 19

Prevention

Get ahead of the attacker by anticipating the new vectors of attack

Threat assessments and models for your IT Infrastructure and apps.

Page 20

Prevention

Constantly reevaluate AD for new threats

Pen test

Code sign your internal apps and applets

Security scan 3rd party vendor apps.
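Code signing only pays off if something checks the signatures. The script below is an added example, not from the slides; it audits an internal tools share with Get-AuthenticodeSignature and pins acceptance to the organisation's own signing certificates rather than to "any certificate this machine trusts". The share path and the thumbprint list are placeholders.

```powershell
# Added example (not from the slides): verify that every script and binary
# under an internal tools share carries a valid Authenticode signature from
# one of the organisation's own code-signing certificates.
# $ToolsRoot and the thumbprint list are placeholders; replace with your own.
param(
    [string]$ToolsRoot = '\\corp\tools',                          # placeholder share
    [string[]]$TrustedSignerThumbprints = @(
        '0000000000000000000000000000000000000000'                # placeholder thumbprint
    )
)

$checked = Get-ChildItem -Path $ToolsRoot -Recurse -File -Include *.ps1, *.psm1, *.exe, *.dll, *.msi |
    ForEach-Object {
        $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        [pscustomobject]@{
            Path        = $_.FullName
            Status      = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # A timestamp lets the signature stay valid after the signing cert expires.
            TimeStamped = [bool]$sig.TimeStamperCertificate
            # "Valid" only means the chain is trusted by this machine; the thumbprint
            # check is what pins acceptance to *our* signing certificates.
            Ok          = ($sig.Status -eq 'Valid') -and ($TrustedSignerThumbprints -contains $thumb)
        }
    }

$bad = @($checked | Where-Object { -not $_.Ok })
$bad | Format-Table Path, Status, Signer -AutoSize
Write-Host ("{0} files checked, {1} fail the signing policy" -f @($checked).Count, $bad.Count)

# To sign a new internal script with the org's code-signing certificate
# (timestamp server URL is a placeholder for your CA's or a public one):
#   $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
#   Set-AuthenticodeSignature -FilePath .\Deploy.ps1 -Certificate $cert `
#       -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.example'

# To enforce on endpoints, refuse unsigned scripts outright:
#   Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
```

A `HashMismatch` on a file that was signed is the finding worth escalating: the file was modified after signing. `NotTrusted` usually means the signing CA is not in the machine's trust store, which is the expected result for a third-party vendor app signed with its own certificate, and is the point at which the vendor scan on the slide above starts.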

Page 21

Prevention

Your turn – What else do you recommend?

What can you do that the attacker won't expect?

Page 22

Resources

Books

Economics & Strategies of Data Security, Daniel Geer Jr. http://www.amazon.com/Economics-Strategies-Data-Security-DANIEL/dp/B001LZM1BY

Papers

2014 Data Breach Investigations Report http://www.verizonenterprise.com/DBIR/2014/

The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell; National Security Agency http://www.windowsecurity.com/whitepapers/The_Inevitability_of_Failure_The_Flawed_Assumption_of_Security_in_Modern_Computing_Environments_.html

Contact Me:

http://www.linkedin.com/pub/kevin-murphy/5/256/863
