Cyber Security 2014 Update
Kevin J. Murphy, CISSP, CISM, CGEIT
January 12, 2015
http://www.linkedin.com/pub/kevin-murphy/5/256/863

Cyber Crime Seminar Jan 2015



Page 2: Cyber Crime Seminar Jan 2015

Agenda
  Cyber Crime
  Cyber Warfare
  Government Help
  Discussion

Note: Intelligence versus Evidence

04/15/2023 2

Page 3: Cyber Crime Seminar Jan 2015

Cyber Threats - Definitions

Cyber Crime
  $$$ Motivated - Credit cards, bank accounts
  Non $$$ - Denial of Service (DDOS)
APT = Nation State Espionage
  Steal your Intellectual Property
Cyber war = Destructive
  Geopolitical Conflict
  Economic Attack
  Element of modern warfare


Page 4: Cyber Crime Seminar Jan 2015

2014 Cyber Crime Attacks

Banking Data Breaches
  2014 Verizon Data Breach Investigations Report analyzed 1,367 data-loss incidents last year; they found that 465 were financial institutions
  Data Breach Losses Top More Than 78 Million Records to Date in 2014



Page 6: Cyber Crime Seminar Jan 2015

2014 Cyber Crime Attacks

Retail Data Breaches
  Point of Sale (POS) system vulnerabilities
  Reporting requirements under GLB Act
Some of the victims
  Target, Home Depot, Michaels, Neiman Marcus, Jimmy John's, Staples, Dairy Queen, PF Chang’s, etc.
Analysis?
  Look at your 3rd Party attack vectors
  Understand your POS vendors' security plans

Page 7: Cyber Crime Seminar Jan 2015

2014 Cyber Crime Attacks

3rd Party Vulnerabilities


Page 8: Cyber Crime Seminar Jan 2015

2014 Cyber Crime Attacks

Home Depot – a different nuance
  Credit cards were offered for sale on a website that traffics in stolen card data
  Cards presented as:
    “American Sanctions”
    “European Sanctions”
Analysis?
  Cyber Crime is now Geopolitical


Page 9: Cyber Crime Seminar Jan 2015

2014 Cyber Crime Attacks

Sony – Nation States enter Cyber Crime
  N Korea - Denial of Service to achieve a political agenda
  Someone counterattacks N Korea
Analysis:
  When does a cyber attack become an act of war?
    No international agreement
  What is a legal response to a nation-state attack on a public company?


Page 10: Cyber Crime Seminar Jan 2015

2014 Cyber Crime Attacks

Sony – Analysis:
  Does Sony have a legal right to counterattack?
  The US Dept. of Defense has the Constitutional charter to provide for the common defense
    Can the DoD defend US companies?
  War was traditionally between nation states until recently:
    Taliban
    ISIS
    Cyber Warfare

Page 11: Cyber Crime Seminar Jan 2015

Cyber warfare is dangerous

  Potential for huge economic impact
  Geopolitically motivated
  No cold-war type “rules”
  No international agreement
  Anonymous attacks have no limits and pose little risk to the attacker


Page 12: Cyber Crime Seminar Jan 2015

Welcome to the Internet World

Low barriers to entry.

Any country willing to invest in a modern data center and to train its staff can join in this high tech world of modern espionage.

Page 13: Cyber Crime Seminar Jan 2015

Welcome to the Internet World

The speed, accuracy, and volume of internet-based intelligence collected by foreign intelligence organizations have increased almost exponentially compared to the previous Cold War methods.

The cost and risk associated with this method are dramatically lower than those of the Cold War.

Low-cost, low-risk, and high-return espionage is very lucrative.

Page 14: Cyber Crime Seminar Jan 2015

Cyber War versus the Cold War model

No Détente.

Anonymity—nation states that can operate in the cyber world with anonymity will also act far more aggressively and destructively if the attack cannot be attributed to any particular actor.

This creates a very dangerous and potentially very destructive cyber battlefield of anonymous attackers.

Page 15: Cyber Crime Seminar Jan 2015

3rd world Cyber attacks

Syrian Electronic Army


What did they learn by this reaction?

Page 16: Cyber Crime Seminar Jan 2015

Geopolitical attacks

Critical Infrastructure


Page 17: Cyber Crime Seminar Jan 2015

Understanding Your Attacker

China gets the most press about APT mainly because its methods of attack seem to indicate that they really don’t care that you know they are attacking you.

After all, what can you do about it?

Eventually all industrialized nations will have some sort of capability as a necessary part of competing in a global world.

Page 18: Cyber Crime Seminar Jan 2015

The Legal Landscape

International laws or agreements will not stop APTs. It is just too lucrative and everyone is doing it.

Physical attack = physical evidence

APT attacks leave a great deal of “reasonable doubt” to attribute to the attacker

Legal Extradition—If you have evidence, cases can only be reliably brought upon an attacker in your own country.

It is unlikely that you will be able to take legal action against a state-sponsored attack group or a nation itself.

Page 19: Cyber Crime Seminar Jan 2015

Legal Landscape

Legal rulings in both the US and the EU
  The major software and hardware vendors must share data about their products so the competitive landscape remains fair for all vendors and to preserve consumer choice.
  Some software vendors must document all operating system APIs and have the API technical details available for use by application-layered products, including competing products.

What was designed to benefit consumers through free market competition has also provided potential attackers with a wealth of information about your systems' technical details.

Page 20: Cyber Crime Seminar Jan 2015

Government Help

Governments only have three tools to help:
  Intelligence on the threat
  The legal process
  Diplomacy
Counter Attack?

Page 21: Cyber Crime Seminar Jan 2015

Government Help

Intelligence on the Threat:
  Intelligence on the threat is limited until an attack has actually occurred. That is a bit after the fact to protect the enterprise.

Diplomacy:
  Cyber espionage is just too lucrative for the attacking governments to come to any global agreement to limit it.

Page 22: Cyber Crime Seminar Jan 2015

Government Help

Government cannot defend your network or your company from cyber attack.

Page 23: Cyber Crime Seminar Jan 2015

Resources

Books
  Economics & Strategies of Data Security, Daniel Geer Jr.
  http://www.amazon.com/Economics-Strategies-Data-Security-DANIEL/dp/B001LZM1BY

Papers
  2014 Data Breach Investigations Report
  http://www.verizonenterprise.com/DBIR/2014/

  The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell; National Security Agency
  http://www.windowsecurity.com/whitepapers/The_Inevitability_of_Failure_The_Flawed_Assumption_of_Security_in_Modern_Computing_Environments_.html

Contact Me: http://www.linkedin.com/pub/kevin-murphy/5/256/863
