Cyber Crime Seminar Jan 2015


Cyber Security 2014 Update

Kevin J. Murphy, CISSP, CISM, CGEIT

January 12, 2015
http://www.linkedin.com/pub/kevin-murphy/5/256/863

Agenda
- Cyber Crime
- Cyber Warfare
- Government Help
- Discussion

Note: Intelligence versus Evidence

04/15/2023 2

Cyber Threats - Definitions

Cyber Crime
- $$$ motivated - Credit cards, bank accounts
- Non $$$ - Denial of Service (DDoS)

APT = Nation State Espionage
- Steal your Intellectual Property

Cyber war = Destructive
- Geopolitical Conflict
- Economic Attack
- Element of modern warfare


2014 Cyber Crime Attacks

Banking Data Breaches
- The 2014 Verizon Data Breach Investigations Report analyzed 1,367 data-loss incidents last year and found that 465 were at financial institutions
- Data Breach Losses Top More Than 78 Million Records to Date in 2014


2014 Cyber Crime Attacks

Retail Data Breaches
- Point of Sale (POS) system vulnerabilities
- Reporting requirements under GLB Act

Some of the victims
- Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen, PF Chang’s, etc.

Analysis?
- Look at your 3rd party attack vectors
- Understand your POS vendors' security plans

2014 Cyber Crime Attacks

3rd Party Vulnerabilities


2014 Cyber Crime Attacks

Home Depot – a different nuance
- Credit cards were offered for sale on a website that traffics in stolen card data
- Cards presented as:
  - "American Sanctions"
  - "European Sanctions"

Analysis?
- Cyber Crime is now Geopolitical


2014 Cyber Crime Attacks

Sony – Nation States enter Cyber Crime
- N Korea - Denial of Service to achieve a political agenda
- Someone counterattacks N Korea

Analysis:
- When does a cyber attack become an act of war?
- No international agreement
- What is a legal response to a nation-state attack on a public company?


2014 Cyber Crime Attacks

Sony – Analysis:
- Does Sony have a legal right to counterattack?
- The US Dept. of Defense has the Constitutional charter to provide for the common defense
- Can the DoD defend US companies?
- War was traditionally between nation states until recently:
  - Taliban
  - ISIS
  - Cyber Warfare

Cyber warfare is dangerous
- Potential for huge economic impact
- Geopolitically motivated
- No cold-war type “rules”
- No international agreement
- Anonymous attacks have no limits and pose little risk to the attacker


Welcome to the Internet World

Low barriers to entry.

Any country willing to invest in a modern data center and to train its staff can join in this high tech world of modern espionage.

Welcome to the Internet World

The speed, accuracy, and volume of internet-based intelligence collected by foreign intelligence organizations have increased almost exponentially compared to the previous Cold War methods.

The cost and risk associated with this method are dramatically lower than those of the Cold War.

Low-cost, low-risk, and high-return espionage is very lucrative.

Cyber War versus the Cold War model

No Détente.

Anonymity—nation states that can operate in the cyber world with anonymity will also act far more aggressively and destructively if the attack cannot be attributed to any particular actor.

This creates a very dangerous and potentially very destructive cyber battlefield of anonymous attackers.

3rd world Cyber attacks

Syrian Electronic Army


What did they learn by this reaction?

Geopolitical attacks

Critical Infrastructure


Understanding Your Attacker

China gets the most press about APT mainly because its methods of attack seem to indicate that they really don’t care that you know they are attacking you.

After all, what can you do about it?

Eventually all industrialized nations will have some sort of capability as a necessary part of competing in a global world.

The Legal Landscape

International laws or agreements will not stop APTs. It is just too lucrative and everyone is doing it.

Physical attack = physical evidence

APT attacks leave a great deal of “reasonable doubt” when attributing them to the attacker.

Legal Extradition: If you have evidence, cases can only be reliably brought against an attacker in your own country.

It is unlikely that you will be able to take legal action against a state-sponsored attack group or a nation itself.

Legal Landscape

Legal rulings in both the US and the EU

The major software and hardware vendors must share data about their products so the competitive landscape remains fair for all vendors and to preserve consumer choice.

Some software vendors must document all operating system APIs and have the API technical details available for use by application-layered products, including competing products.

What was designed to benefit consumers through free market competition has also provided potential attackers with a wealth of information about your systems' technical details.

Government Help

Governments only have three tools to help:
- Intelligence on the threat
- The legal process
- Diplomacy

Counter Attack?

Government Help

Intelligence on the Threat: Intelligence on the threat is limited until an attack has actually occurred. That is a bit after the fact to protect the enterprise.

Diplomacy: Cyber espionage is just too lucrative for the attacking governments to come to any global agreement to limit it.

Government Help

Government cannot defend your network or your company from cyber attack.

Resources

Books
- Economics & Strategies of Data Security, Daniel Geer Jr. http://www.amazon.com/Economics-Strategies-Data-Security-DANIEL/dp/B001LZM1BY

Papers
- 2014 Data Breach Investigations Report. http://www.verizonenterprise.com/DBIR/2014/
- The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell; National Security Agency. http://www.windowsecurity.com/whitepapers/The_Inevitability_of_Failure_The_Flawed_Assumption_of_Security_in_Modern_Computing_Environments_.html

Contact Me: http://www.linkedin.com/pub/kevin-murphy/5/256/863
