BRUCE P. TIS, PH.D. FEBRUARY 26, 2015 STATE OF SECURITY IN 2014 & WHAT CAN WE EXPECT IN 2015.

3 HP SECURITY RESEARCH CYBER RISK REPORT: THEMES OF 2014
- Well-known attacks/techniques still commonplace
- Misconfigurations are still a problem
- Newer technologies, new avenues of attack
- Gains by determined adversaries
- Cyber-security legislation on the horizon
- The challenge of secure coding
- Complementary protection technologies

4 5 BIGGEST SECURITY FAILURES 2014: SNAPCHAT
- New Year's Day: 4 million username/phone-number records uploaded to the Internet
- October: hundreds of supposedly deleted photos and videos posted online
- December: business secrets revealed when emails leaked as part of the Sony hack

5 HEARTBLEED, SHELLSHOCK AND POODLE
- Heartbleed – OpenSSL flaw that compromises "secure" communication between browsers and Web servers (500,000 servers)
- Shellshock – flaw in the Bash command-line interpreter that allows a hacker to run arbitrary script on a Web server (compromises millions of servers)
- POODLE – vulnerability in the SSL protocol (captures cookies that authenticate secure Web connections)

6 APPLE ICLOUD
- Labor Day weekend: private nude photos of actresses started appearing online
- Bypassed Apple's online security to access people's automatically created iCloud backups of iPhone photos
- Targeted attack on user names, passwords, security questions
- Attackers used social engineering, phishing and publicly known information
- Used Elcomsoft Phone Password Breaker to download iCloud backups
- Apple's response was to improve authentication and patch the vulnerability in the Find My iPhone service

7 HOME DEPOT DATA BREACH
- September: payment data systems breached (5 months' worth of data)
- 56 million credit and debit cards: numbers, expiration dates, CVVs
- 53 million customer addresses
- Gained access to Home Depot's network by using the login credentials of one of its vendors and exploiting an unpatched Windows vulnerability
- Installed malware on self-checkout registers
- Cost to Home Depot million

8 SONY PICTURES ENTERTAINMENT DATABASE THEFT
- Guardians of Peace (GOP) claimed 100TB of data stolen
- Nov 24: staffers at Sony Pictures Entertainment had computer screens hijacked by a grinning skull
- Gigabytes of data began appearing online
- Actors' & executives' social security numbers (47,000)
- Corporate emails, passwords, security certificates
- Unpublished scripts
- Financial and legal information
- 4 entire unreleased Sony movies

9 SONY PICTURES ENTERTAINMENT DATABASE THEFT
- Threats made if the movie "The Interview" was released
- Movie theaters refused to show the movie
- Claims that the hackers were from North Korea were later modified to a hotel in Thailand
- Cost to Sony $100 Million (the previous attacks in 2011, which shut down the PlayStation Network, involved the loss of 77 Million PII records and cost Sony $170 Million)

10 TOP 10 DATA BREACHES 2014
- Ebay - million
- J.P. Morgan Chase - 76 Million
- Home Depot - 56 Million
- Community Health System - 45 Million
- Michaels Stores - Million
- Texas Health and Human Services - Million
- Neiman Marcus - Million
- Goodwill Industries - 868,000
- Oregon Employment - 850,000
- U.S. Postal Service - 800,000

11 RANSOMWARE
- Cryptolocker carried over from 2013
- Trojan contracted by opening a .zip file in socially engineered spam
- Downloads encryption key from a command-and-control server
- Encrypts all files on the system
- User prompted to pay hundreds of $ to get the key to decrypt
- Infected 234,000 computers – ½ in the US
- $27 million in ransom payments made in the first two months
- Other ransomware emerged - CryptoWall

12 TOP 5 SECURITY THREATS FOR 2015
- IoT - increasing number of vulnerabilities in internet-capable devices
- Sophisticated DDoS attacks – more advanced techniques beyond flooding with traffic
- Social media attacks - infect and spread, stolen credentials, click-through to dubious links, inappropriate or malicious content
- Mobile malware
- Third-party attacks – trusted partners that may not have appropriate security measures in place

13 TOP SECURITY PREDICTIONS
- Attacks on the Internet of Things focus on smart home automation
- Mobile devices more attractive targets
- Machine learning will be a game changer in the fight against cybercrime
- Privacy will continue to be sacrificed for mobile apps
- Ransomware scans
- Prominent data leaks
- DDoS attacks will continue
- User behaviour as we move beyond passwords
- The Cloud
- Cyber security strengthened by closer industry partnerships

14 2015 THREAT PREDICTIONS
- Cyber espionage – state affiliated (87%), organized crime (11%)
- Internet of Things – IP cameras, smart meters, healthcare devices, SCADA devices
- Privacy – government and business grapple with what is fair and authorized access to personal information
- Ransomware - evolving methods of propagation, encryption and targets
- Mobile – new technologies, app store abuse
- Point of Sale
- Malware beyond Windows – the Shellshock vulnerability will continue for years on TVs, routers, flight systems, industrial controllers; critical infrastructure vulnerabilities

15 TOP ENTERPRISE CYBER SECURITY PREDICTIONS FOR
- Point of sale attacks increase
- Cyber security and breach insurance
- Cyber criminals leveraging APT (advanced persistent threat) tools, tactics and procedures
- Apple products increasingly targeted
- Mobile
- Big data used to improve the ability to monitor and protect networks
- Public/private cyber threat data sharing
- Politically motivated cyber attacks
- Critical infrastructure attacks become a reality
- Honeypots used in production for enterprise security
- Threat sharing and collaboration will become a regulation/compliance requirement

16 WHAT HAS HAPPENED ALREADY
- Android malware (Android/PowerOffHijack.A) that makes calls or takes pictures even if the phone is shut down
- Lenovo pre-installed Superfish adware pusher: analyzes images and presents ads, sees user traffic and can alter it, violating the chain of trust with the destination; vulnerable to man-in-the-middle attacks
- PrivDog: similar to Superfish but considered worse

17 WHAT HAS HAPPENED ALREADY
- Stolen SIM card keys from European manufacturer Gemalto allow the NSA and its British counterpart to secretly monitor global communications
- Carbanak cybergang steals $1 billion from 100 financial institutions worldwide
- Anthem data breach: SSNs of more than million; PII including SSNs. A news report this week mentioned almost a million in Mass.

18 REFERENCES
- HP Cyber Risk Report 2015 – executive summary
- 5 worst security fails of and Beyond
- Online Threat Report
- Worst security breaches of the year
- Security Review
- Top 5 security threats for 2015
- Top enterprise cyber security predictions for
- Threatstream
