This document provides a review and outlook on cybersecurity in 2015 and emerging trends. It summarizes major hacks in 2015, such as the OPM hack, and discusses how politicians are increasingly focused on cybersecurity issues. It notes challenges such as the lack of cybersecurity talent and discusses trends like the growing importance of privacy, mobile security risks, and the use of deception techniques in cyber defenses. The document outlines both ongoing issues like phishing and areas that are improving, such as increased awareness and funding for cybersecurity. It explores emerging trends including managed security services, cloud-based security tools, cyber insurance, threat intelligence sharing, and the potential of machine learning and behavioral analysis.

1. @ M A T T H E W P A S C U C C I
W W W . F R O N T L I N E S E N T I N E L . C O M
The State of Cyber Security
2015

2. 2015 - A Year in Review
 Agenda
 Year in Review
 The major risks of the year
 Where we’ve succeeded
 Emerging Trends

3. Notable Hacks of 2015

4. Politicians Are Waking Up
 CISA (Computer Information Sharing Bill)
 Prime Minister David Cameron looking to pass anti-
terror bill to allow GCHQ to decrypt communications
 Constant talks with China about espionage
 FBI fighting for an encrypted backdoor
 The OPM hack was the last straw
 The NSA in the news daily
 CyberWar? What is it?

5. Where Have All The Good Guys Gone?
 The lack of Cyber security talent is scary:
 451 Research stated: 34.5% of project delays due to lack of staff
 How can we get students educated in Cyber Security?
 NSA/DHS created “Centers of Excellence” with scholarships
 Why isn’t this drawing people in?
 How can we entice people to our industry:
 Stats that people would be interested, but know nothing about
 Colleges doing a better job?
 Remove the stigma of “hacker lifestyle”

6. Privacy in the New Security
 Privacy jobs are starting to explode
 CIPP certifications are in great demand
 Companies over the next couple years will see a wave
of new privacy law hit them
 The EU laws are slowly making their way across the Atlantic
 Safe Harbor laws
 Technology vendors are now using privacy as a
selling point
 Apple, Twitter, etc.
 Everyone from Grandma to CEO is concerned
 Eff.org (Electronic Frontier Foundation)

7. Edward Snowden gets a Twitter Account

8. Find a Happy Place

9. Phishing is Still Killing Us
 Educate, Educate, Educate
 Test your users with fake phishing
 Run competitions and make it fun
 What to look for?
 Review real phishing emails, etc.
 Keep metrics and show improvements
 Make sure executive admins are aware
 Invest in a strong mail filter
 Not just email anymore, SMS, social media, etc
 This is your biggest threat right now. Fix it.

10. Phishing Stats
 According to Verizon:
 95% of espionage attacks involve phishing.
 Nearly 80% of all malware attacks come from phishing
 Almost 50% of recipients open emails and click on phishing
links within the first hour.
 There’s a 71% chance that phishing links are clicked on a
Windows machine.
 Technical emails are the most common messages to be clicked
on with a 21.3% click rate.
 iOS devices have a 16% click through rate, highest amongst
mobile devices.

11. Don’t DDoS me, bro!
 This is still a problem. It’s not going away.
 Protonmail just got hit with a DDoS
 Needed upstream providers and DDoS equipment to defend
 Are you ready for a DDoS attack?
 How would you react to a DDoS randsom?
 DDoS comes in many different flavors.
 Volumetric
 Application
 Hybrid
 DDoS smoke screens. Beware!

12. Coding Standards Need To Change
 When will we follow the “OWASP Top 10”?
 Jim Manico, Manicode Security, says he needs $4
billion dollars to fix the state of application security.
 SDLC’s being followed? Are they even there?
 Are you using proper release management?
 Constant vulnerability scanning
 Static Analysis
 Dynamic Analysis
 Mobile apps are a threat. Let’s not let history repeat
itself.

13. Vulnerabilities on the Rise
 Vulnerabilities are everywhere!
 Critical infrastructure
 Homes
 Business
 Companies selling zero days and researches finding them
 Double edged sword
 SSL is dead: Heartbleed, POODLE, FREAK, BEAST, etc
 Remediation plan? How long? What’s your risk appetite?
 Legacy systems still can’t get updated
 Patches? We don’t need no stinking patches.

14. Mobile is Here to Stay
 Do you “BYOD”?
 How are corporate apps being developed? Used? Deployed?
 Steps to lock down a mobile device
 Encryption
 Container
 DLP
 Mobile OWASP Top 10
 We’re moving down the path of this being the biggest threat

15. How do you “Incident Response”?
 Red team drills
 Determine what your worst nightmare is and live it.
 Runbooks
 Recording the steps to remediate your worst nightmares.
 SWAT Teams
 Getting a team of talented people to run the incident.
 Relationships with law enforcement
 If you don’t have this already you’re wasting time.

16. Third Party Vendors = Weakest Link
 Huge risk, just ask Target
 Lower the risk by performing third party risk reviews
 Create policy and forms to have vendors fill out
 This is your data and environment. In order to do
business with them they need to be assessed
 Creation of legal contracts
 When are you notified of a breach?
 Indemnification
 Review of vendors internal workings
 How do they perform security

17. Do You Know Where Your Data Is?
 Sensitive Data
 Do you know where your sensitive data is?
 What is sensitive data?
 DLP
 Network
 Endpoint
 Honeyfiles
 Insider threats
 The Edward Snowden Effect (for better or worse)
 This is dangerous because you’re giving them access, they
don’t need to break in first

18. Privileged Attack Hacks On The Rise
 CyberArk recently put out a survey saying 88% of all
companies are susceptible to privileged attack hacks.
 Windows environments are at greater risk, but there
are Linux concerns too.
 Randomization of accounts, including local and
service accounts, is key to stopping abuse.
 Session management and jump boxes are needed.
 Once an internal account is taken, it’s a matter of
time before things go south.

19. What We Get Right

20. The Boardroom is Noticing
 Funding is growing (hopefully you see it too)
 There has been an increase all round in funding
 Exponential jump from 5 years ago
 Cyber threats have become topic of concern
 Management is asking questions that they didn’t 5 years ago
 This is no longer compliance related
 People are realizing this could effect their wallets

21. Security Mentality Is Growing
 The Media
 Media hype draws attention (for better or worse)
 It’s all around us and it’s soaking into our culture
 The education of the normal user is growing. It
might not seem like that, but it’s on everyone’s mind.
 We have to harness this curiosity and mold it. This is
the “Golden Age of Security Awareness”.

22. Up and Coming Trends

23. Managed Security Services Providers (MSSP)
 Why aren’t we doing this more?
 Who has a fully staffed team monitoring 24x7?
 Who doesn’t? Would you consider this?
 Trust is a risk, but so is not doing anything.
 Acquire additional services, or limit to in-house only?
 Create retainers for services on demand:
 Malware reverse engineer
 Digital Forensics
 Etc.

24. Deception in Depth
 Hackers don’t play fair. Neither should you!
 Start using deception as a defense technique
 Concerned with prevention only, not detection
 Sea change in managements thinking
 Honeypots
 Honeytokens
 Darknet alerting
 Sinkholes
 Many new vendors coming out with deception tools
 An area I hope grows in the future

25. Cloud Based Security on the Rise
 Cloud based security tools
 Two-factor authentication
 DDoS protection
 Identity management
 SIEM
 Endpoint protection
 Cloud Security Alliance
 Star Registry
 Secure Hosting
 Amazon has made considerable advances in security services
(WAF, Security Assessment, HSM, firewall, etc.)

26. Cyber Insurance
 This is on the rise and you need it.
 It’s used for homes, cars and businesses. Why not cyber
attacks?
 Target was given $90 million from insurance and paid $162 million
out of pocket
 Understand the legal nuisances of cyber insurance
 Timeframes
 Logs
 Etc.
 Run through a dry run of contacting insurance
 Who are you going to call?
 Who needs to be involved (insurance, law enforcement, etc.)
 Determine who you’ll be working with
 Know if you need to bring something to the table

27. “Threat Intel” or “Sharing is Caring”
 Threat intelligence has grown over the past year
 The use of STIX/TAXII as a framework
 Multiple vendors creating vendor related intel
 Trusted circles
 Situational awareness Companies
 ISAC’s (Information Sharing and Analysis Centers)
are being established:
 FS-ISAC (Financial Services ISAC)
 NH-ISAC (National Health ISAC)
 E-ISAC (Electricity ISAC)

28. Machine Learning and Behavioral Analysis
 Signatures have failed. Long live Behavioral Analysis.
 Next Generation anti-malware/virus
 Basing attacks off certain analysis, not signatures. Limited set
of instructions and less updating.
 Prevention with limited updating is key.
 Machine Learning network based systems
 Determines how attacks work and alerts on risk.
 Profiling of users normal activity.
 Review of what is considered out of the norm between east-
west traffic.

29. Questions?
I know you have some. Lets hear them.