This document provides a review and outlook on cybersecurity in 2015 and emerging trends. It summarizes major hacks in 2015, such as the OPM hack, and discusses how politicians are increasingly focused on cybersecurity issues. It notes challenges such as the lack of cybersecurity talent and discusses trends like the growing importance of privacy, mobile security risks, and the use of deception techniques in cyber defenses. The document outlines both ongoing issues like phishing and areas that are improving, such as increased awareness and funding for cybersecurity. It explores emerging trends including managed security services, cloud-based security tools, cyber insurance, threat intelligence sharing, and the potential of machine learning and behavioral analysis.
4. Politicians Are Waking Up
CISA (Computer Information Sharing Bill)
Prime Minister David Cameron looking to pass anti-terror bill to allow GCHQ to decrypt communications
Constant talks with China about espionage
FBI fighting for an encrypted backdoor
The OPM hack was the last straw
The NSA in the news daily
CyberWar? What is it?
5. Where Have All The Good Guys Gone?
The lack of Cyber security talent is scary:
451 Research stated: 34.5% of project delays due to lack of staff
How can we get students educated in Cyber Security?
NSA/DHS created “Centers of Excellence” with scholarships
Why isn’t this drawing people in?
How can we entice people to our industry:
Stats that people would be interested in, but know nothing about
Colleges doing a better job?
Remove the stigma of “hacker lifestyle”
6. Privacy in the New Security
Privacy jobs are starting to explode
CIPP certifications are in great demand
Companies over the next couple years will see a wave of new privacy law hit them
The EU laws are slowly making their way across the Atlantic
Safe Harbor laws
Technology vendors are now using privacy as a selling point
Apple, Twitter, etc.
Everyone from Grandma to CEO is concerned
Eff.org (Electronic Frontier Foundation)
9. Phishing is Still Killing Us
Educate, Educate, Educate
Test your users with fake phishing
Run competitions and make it fun
What to look for?
Review real phishing emails, etc.
Keep metrics and show improvements
Make sure executive admins are aware
Invest in a strong mail filter
Not just email anymore: SMS, social media, etc.
This is your biggest threat right now. Fix it.
10. Phishing Stats
According to Verizon:
95% of espionage attacks involve phishing.
Nearly 80% of all malware attacks come from phishing
Almost 50% of recipients open emails and click on phishing links within the first hour.
There’s a 71% chance that phishing links are clicked on a Windows machine.
Technical emails are the most common messages to be clicked on, with a 21.3% click rate.
iOS devices have a 16% click-through rate, the highest amongst mobile devices.
11. Don’t DDoS me, bro!
This is still a problem. It’s not going away.
Protonmail just got hit with a DDoS
Needed upstream providers and DDoS equipment to defend
Are you ready for a DDoS attack?
How would you react to a DDoS ransom demand?
DDoS comes in many different flavors.
Volumetric
Application
Hybrid
DDoS smoke screens. Beware!
12. Coding Standards Need To Change
When will we follow the “OWASP Top 10”?
Jim Manico, Manicode Security, says he needs $4 billion to fix the state of application security.
SDLCs being followed? Are they even there?
Are you using proper release management?
Constant vulnerability scanning
Static Analysis
Dynamic Analysis
Mobile apps are a threat. Let’s not let history repeat itself.
13. Vulnerabilities on the Rise
Vulnerabilities are everywhere!
Critical infrastructure
Homes
Business
Companies selling zero days and researchers finding them
Double edged sword
SSL is dead: Heartbleed, POODLE, FREAK, BEAST, etc
Remediation plan? How long? What’s your risk appetite?
Legacy systems still can’t get updated
Patches? We don’t need no stinking patches.
14. Mobile is Here to Stay
Do you “BYOD”?
How are corporate apps being developed? Used? Deployed?
Steps to lock down a mobile device
Encryption
Container
DLP
Mobile OWASP Top 10
We’re moving down the path of this being the biggest threat
15. How do you “Incident Response”?
Red team drills
Determine what your worst nightmare is and live it.
Runbooks
Recording the steps to remediate your worst nightmares.
SWAT Teams
Getting a team of talented people to run the incident.
Relationships with law enforcement
If you don’t have this already you’re wasting time.
16. Third Party Vendors = Weakest Link
Huge risk, just ask Target
Lower the risk by performing third party risk reviews
Create policy and forms to have vendors fill out
This is your data and environment. In order to do business with them they need to be assessed
Creation of legal contracts
When are you notified of a breach?
Indemnification
Review of vendors’ internal workings
How do they perform security
17. Do You Know Where Your Data Is?
Sensitive Data
Do you know where your sensitive data is?
What is sensitive data?
DLP
Network
Endpoint
Honeyfiles
Insider threats
The Edward Snowden Effect (for better or worse)
This is dangerous because you’re giving them access; they don’t need to break in first
18. Privileged Attack Hacks On The Rise
CyberArk recently put out a survey saying 88% of all companies are susceptible to privileged attack hacks.
Windows environments are at greater risk, but there are Linux concerns too.
Randomization of accounts, including local and service accounts, is key to stopping abuse.
Session management and jump boxes are needed.
Once an internal account is taken, it’s a matter of time before things go south.
20. The Boardroom is Noticing
Funding is growing (hopefully you see it too)
There has been an increase all around in funding
Exponential jump from 5 years ago
Cyber threats have become a topic of concern
Management is asking questions that they didn’t 5 years ago
This is no longer compliance related
People are realizing this could affect their wallets
21. Security Mentality Is Growing
The Media
Media hype draws attention (for better or worse)
It’s all around us and it’s soaking into our culture
The education of the normal user is growing. It might not seem like that, but it’s on everyone’s mind.
We have to harness this curiosity and mold it. This is the “Golden Age of Security Awareness”.
23. Managed Security Services Providers (MSSP)
Why aren’t we doing this more?
Who has a fully staffed team monitoring 24x7?
Who doesn’t? Would you consider this?
Trust is a risk, but so is not doing anything.
Acquire additional services, or limit to in-house only?
Create retainers for services on demand:
Malware reverse engineer
Digital Forensics
Etc.
24. Deception in Depth
Hackers don’t play fair. Neither should you!
Start using deception as a defense technique
Concerned with prevention only, not detection
Sea change in management’s thinking
Honeypots
Honeytokens
Darknet alerting
Sinkholes
Many new vendors coming out with deception tools
An area I hope grows in the future
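Honeyfiles (slide 17) and honeytokens (this slide) work the same way: plant something nothing legitimate ever touches, then treat any touch as an alert. The following is an added example, not from the slides or any vendor; the log format, paths and account names are constructed, and a second step escalates when one host trips both kinds of decoy within a short window.

```python
"""Honeyfile / honeytoken alerting over constructed audit-log lines.
Added example, not from the slide deck; log format, paths and account
names are constructed. Decoys nothing legitimate touches alert with
near-zero baseline noise."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed decoys: a file nobody should open, an account nobody should use.
HONEYFILES = {"/srv/finance/payroll_2015_FINAL.xlsx"}
HONEYTOKENS = {"svc_backup_legacy"}

# Constructed audit records, one JSON object per line; field names are assumed.
SAMPLE_LOG = """\
{"ts":"2015-11-03T08:02:11Z","user":"jdoe","host":"ws-044","event":"file_read","path":"/srv/finance/q3_budget.xlsx"}
{"ts":"2015-11-03T08:05:40Z","user":"jdoe","host":"ws-044","event":"file_read","path":"/srv/finance/payroll_2015_FINAL.xlsx"}
{"ts":"2015-11-03T08:06:02Z","user":"svc_backup_legacy","host":"ws-044","event":"logon","path":null}
{"ts":"2015-11-03T09:15:00Z","user":"backup_svc","host":"bkp-01","event":"logon","path":null}
"""

def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_honey_access(log_text):
    """Return one alert per record that touches a decoy file or decoy account."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") in HONEYFILES:
            alerts.append({"reason": "honeyfile_read", **rec})
        if rec.get("user") in HONEYTOKENS:
            alerts.append({"reason": "honeytoken_use", **rec})
    return alerts

def correlate_by_host(alerts, window=timedelta(minutes=10)):
    """Escalate a host to 'critical' when both a decoy file and a decoy
    account are touched from it within `window`; a single hit stays 'high'."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    verdicts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda a: _parse_ts(a["ts"]))
        kinds = {a["reason"] for a in hits}
        span = _parse_ts(hits[-1]["ts"]) - _parse_ts(hits[0]["ts"])
        verdicts[host] = "critical" if len(kinds) == 2 and span <= window else "high"
    return verdicts
```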
25. Cloud Based Security on the Rise
Cloud based security tools
Two-factor authentication
DDoS protection
Identity management
SIEM
Endpoint protection
Cloud Security Alliance
Star Registry
Secure Hosting
Amazon has made considerable advances in security services (WAF, Security Assessment, HSM, firewall, etc.)
26. Cyber Insurance
This is on the rise and you need it.
It’s used for homes, cars and businesses. Why not cyber attacks?
Target was given $90 million from insurance and paid $162 million out of pocket
Understand the legal nuances of cyber insurance
Timeframes
Logs
Etc.
Run through a dry run of contacting insurance
Who are you going to call?
Who needs to be involved (insurance, law enforcement, etc.)
Determine who you’ll be working with
Know if you need to bring something to the table
27. “Threat Intel” or “Sharing is Caring”
Threat intelligence has grown over the past year
The use of STIX/TAXII as a framework
Multiple vendors creating vendor related intel
Trusted circles
Situational awareness companies
ISACs (Information Sharing and Analysis Centers) are being established:
FS-ISAC (Financial Services ISAC)
NH-ISAC (National Health ISAC)
E-ISAC (Electricity ISAC)
28. Machine Learning and Behavioral Analysis
Signatures have failed. Long live Behavioral Analysis.
Next Generation anti-malware/virus
Identifying attacks based on behavioral analysis, not signatures. Limited set of instructions and less updating.
Prevention with limited updating is key.
Machine Learning network based systems
Determines how attacks work and alerts on risk.
Profiling of users normal activity.
Review of what is considered out of the norm in east-west traffic.
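Profiling normal activity and scoring what falls outside it is the core of the behavioral approach above. As an added example (not from the slides or any product), the following builds a per-host baseline of east-west connections from constructed flow records and scores a detection window by how far each host strays from its own profile; the (src, dst, port) record shape is an assumption.

```python
"""Behavioral baseline for east-west traffic. Added example, not from the
slides: learns per source host which internal (dst, port) pairs are normal,
then scores new flows by distance from that profile. Flow records are
constructed; the (src, dst, port) shape is an assumption."""
from collections import defaultdict

# Constructed "normal week": (src_host, dst_host, dst_port).
BASELINE = [
    ("ws-044", "fileserv", 445), ("ws-044", "mail", 443), ("ws-044", "dc01", 88),
    ("ws-044", "fileserv", 445), ("ws-044", "intranet", 80),
    ("ws-051", "fileserv", 445), ("ws-051", "mail", 443), ("ws-051", "dc01", 88),
]

# Constructed detection window.
OBSERVED = [
    ("ws-044", "fileserv", 445), ("ws-044", "mail", 443),  # known-good
    ("ws-044", "ws-051", 445), ("ws-044", "ws-052", 445),  # workstation-to-workstation SMB
    ("ws-044", "dc01", 3389), ("ws-044", "sql01", 1433),   # admin ports this host never used
    ("ws-051", "intranet", 80),                            # new for ws-051 but mundane
]

def build_profile(flows):
    """Per source: (dst, port) pairs seen and the set of ports ever used."""
    profile = defaultdict(lambda: {"pairs": set(), "ports": set()})
    for src, dst, port in flows:
        profile[src]["pairs"].add((dst, port))
        profile[src]["ports"].add(port)
    return profile

def score_flows(profile, flows):
    """Score each source: +1 per new (dst, port) pair, +2 more if the port is
    new to that source, +1 per distinct new destination beyond the first
    (fan-out across peers is what lateral movement looks like on the wire)."""
    scores, new_dsts = defaultdict(int), defaultdict(set)
    for src, dst, port in flows:
        base = profile.get(src, {"pairs": set(), "ports": set()})
        if (dst, port) in base["pairs"]:
            continue
        scores[src] += 1 + (2 if port not in base["ports"] else 0)
        new_dsts[src].add(dst)
    for src, dsts in new_dsts.items():
        scores[src] += len(dsts) - 1
    return dict(scores)

def flag(scores, threshold=5):
    """Sources at or above threshold go to an analyst for review."""
    return sorted(src for src, s in scores.items() if s >= threshold)
```

The single mundane deviation from ws-051 stays below threshold while ws-044, fanning out to peers on ports it never used, is flagged; in practice the baseline would be relearned on a rolling window so that legitimate new servers age into "normal".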