How Modern Attackers are Disrupting Businesses Like Yours

Dave Mahon CenturyLink and Cyber Security CHIEF SECURITY OFFICER, CENTURYLINK

Upload: centurylink-business

Post on 16-Apr-2017


TRANSCRIPT

Page 1: How Modern Attackers are Disrupting Businesses Like Yours

Dave Mahon

CenturyLink and Cyber Security

CHIEF SECURITY OFFICER, CENTURYLINK

Page 2: How Modern Attackers are Disrupting Businesses Like Yours

Security Concerns: What Keeps You Up at Night?

IDC Worldwide Big Data & Analytics Report for 2015

Am I meeting the latest regulatory requirements?

Will I pass the audit?

Do I need cyber insurance?

What sort of policy? What’s the cost?

Am I personally liable should something happen to the company?

Is my brand at risk?

Am I going to get breached?

Page 3: How Modern Attackers are Disrupting Businesses Like Yours

783 U.S. data breaches tracked in 2014, with a 261% increase in size over 2013!

70 M credit cards compromised due to vendor leak

56 M credit cards leaked after security turnover & software issues.

Digital business assets exploited, damaging the brand, and taking down parts of the network for months.

$200 Million+

$200 Million

$15 Million+

2014: The Year of the Data Breach


Page 4: How Modern Attackers are Disrupting Businesses Like Yours

Five Primary Sources of Threats: Inside and Outside The Network

Employees

Malicious or not, represent up to 40% of data breaches

INSIDER THREATS

Where is the danger? Top threats in 2014:

1. Malicious Code
2. Web-based attacks
3. Web application attacks
4. Botnets
5. DDoS
6. Spam
7. Phishing
8. Exploit Kits
9. Data Breaches
10. Physical damage / threat / loss
11. Insider threats
12. Information Leakage
13. Identity Theft / Fraud
14. Cyber espionage
15. Ransomware

Protesters with an Axe to Grind

Promote political ends by targeting specific companies

HACKTIVISTS

Zealots with Strong Views

Seek revenge, damage, change

TERRORISTS

Well Funded Criminals

Seek companies with customers and money to lose

CYBER CRIMINALS

Government Funded

Espionage

Target governments and private industry to further political change

STATE SPONSORED


Page 5: How Modern Attackers are Disrupting Businesses Like Yours

Where is the Weakest Link in Your IT Security Strategy?

Watch our video to learn more about your potential vulnerabilities

info.centurylinkforbusiness.com/IT-Security_Weakest-Link.html

Page 6: How Modern Attackers are Disrupting Businesses Like Yours

How the Underground Economy Works

Source: Michael Yip, The University of Southampton, Oct 2012

ATTACK SERVICES

Zero-day exploit finders

Malware authors

Botnet herders

Spammers Phishers

Intruders & Crackers

Rogue web admins

Rogue Hosting

Spoof website designers

Bank data stealers

Plastic vendors & encoders

Cashiers Scammers

Identity theft & fraud

Carders

DELIVERY

BLENDED SERVICES

FINANCIAL CRIME/IDENTITY THEFT

Game login/Envelope stealers

Virtual asset traders

Blackmailers Gangs/Mafia

TRADITIONAL ORGANISED CRIMINAL GROUPS

VIRTUAL ASSETS TRADING

Virtual currency sellers

Mules/Drops

Exchangers

MONEY LAUNDERING

Security Service providers

Needed by all parties

Flow of demand

Potential influence

Page 7: How Modern Attackers are Disrupting Businesses Like Yours

Attack Example: State-Sponsored Espionage

Send Spearphishing Email

May 2013

Gains access to network, steals token data

Using stolen RSA token data and credentials, logs into Lockheed’s VPN.

Attack detected only after an attempt to steal data.

March 2012

Victims: Aerospace and defense organizations, computer hardware and software, legal, energy/gas, finance, telecommunications, mainly in the US

Stolen: Intellectual property: technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and executive email address/contact lists.

The Chinese People’s Liberation Army (PLA) accessed hundreds of terabytes of data from over 141 organizations from 2006 – 2011

Impact

Wanted by the FBI


Page 8: How Modern Attackers are Disrupting Businesses Like Yours

Attack Example: Cyber-Criminals

“The biggest hack in U.S. retail history”

• $148M hard costs in 6 months
• Loss of consumer confidence
• CEO/top execs forced to resign
• 90 lawsuits in 90 days
• USG investigations
• Total costs could reach billions
• 40 million Target customer credit card information
• 70 million customer personal information

Target’s Point of Sale (POS) systems were infected with a “RAM scraping” attack. Unencrypted credit card data was collected as it passed through the infected machine’s memory before being transferred to Target’s payment processing provider. Target’s intrusion detection and anti-virus systems alerted on the malware but it was not acted upon.

September 2013

Rinat Shabayev develops BlackPOS malware and sells it online.

November 2013

In 2 days, Malware had reached most Target POS devices, and intruders were collecting live credit card transactions.

Phishing email sent to Target’s payment processing contractor Fazio Mechanical.

Hackers steal credentials and gain remote access to Target’s billing system.

Stolen data is FTP’d to external servers and appears for sale in online black markets.

Hackers move laterally inside Target’s network to access POS Systems and install BlackPOS malware.

December 2013

Impact


Page 9: How Modern Attackers are Disrupting Businesses Like Yours

Attack Example: Terrorists

What?

• Spearphishing attack
• Similar malware, attack infrastructure, and tactics previously used by North Korea.
• Stole large amounts of sensitive corporate and personal data.
• Released destructive malware that deleted data and rendered thousands of Sony computers inoperable.
• Released Sony’s sensitive data to the public.

Why?

Likely to prevent the release of Sony’s movie, “The Interview,” depicting a fictional plot to assassinate North Korea’s leader.

Impact

• Sensitive data made public including emails, scripts, salaries, and 47,000 employee records.
• Corporate data deleted
• Thousands of employee computers unusable
• Damage to company image with public, employees and industry talent.
• Financial cost of both remediating the attack & limiting movie’s release.

Page 10: How Modern Attackers are Disrupting Businesses Like Yours

Attack Example: Hacktivists


Offshoot of Anonymous LulzSec & Sony Pictures

May - June 2011

UAT Students “Join” LulzSec

Hack Sony Pictures website, access account info

Post stolen data on Pastebin

Goal: To “have fun,” embarrass website owners, ridicule security measures

Victim: Sony Pictures, protesting their action against a hacker for “jailbreaking” PS3

Impact: 37,000 comprehensive customer contact records including passwords stolen

Cody Kretsinger, 23 (AKA “Recursion”)

Raynoldo Rivera, 18 (AKA “Neuron”)

Page 11: How Modern Attackers are Disrupting Businesses Like Yours

April 2012

Downloads first classified documents as Dell contractor in Hawaii

Edward Snowden - “Whistleblower”

American cybersecurity expert, former CIA system admin and counter intelligence trainer at Defense Intelligence Agency (DIA). Leaked millions of classified documents to journalists.

Charged with: violating the Espionage Act, theft of government property, unauthorized communication of national defense information, and willful communication of classified intelligence. Fled to Russia in 2013 where he remains today.

Dec-Jan 2013

Flies to Hong Kong, reveals numerous NSA docs to Greenwald & Poitras

Snowden connects with reporter/ filmmaker Glenn Greenwald

New job gives him greater access to classified docs. Downloads 1.7 M files using spider program

First article published, Snowden goes public.

Leaks 1st intelligence reports, takes leave of absence after 4 weeks on the job.

Attack Example: Insider Threats

March 2013 April 2013 May 2013 June 2013


Page 12: How Modern Attackers are Disrupting Businesses Like Yours

Collaborating On NIST Cyber Security Framework

CenturyLink CEO on committee

Active contributor/participant

Who We Work With: CenturyLink Works with Many Government and Private Entities for National Security and Customer Protection

Permanent seat on NCCIC floor

Member of Cyber Unified Coordination Group

DEFENSE HOMELAND SECURITY JUSTICE

FCC

WHITE HOUSE, STATE, COMMERCE, AND STATE GOVERNMENTS PRIVATE SECTOR

Network Service Provider (NSP) Security (NSP-SEC)

Network Information Sharing Exchange (NSIE)

Defense Industrial Base Information Sharing Exchange (DSIE)

OPS-Trust

24/7 presence within DHS

CSRIC Working Groups

DIB Cyber Security / Information Assurance

Botnet Takedowns

APT Mitigations

Global Infrastructure Alliance for Internet Safety


Page 13: How Modern Attackers are Disrupting Businesses Like Yours


INTEGRATING DATA FOR HOLISTIC THREAT PICTURE


Enterprise Managed Security Portfolio

CENTURYLINK DATACENTER

MANAGED HOSTING

ENVIRONMENT

Branch Office

CUSTOMER PREMISES

Headquarters

Fully Managed Defense-In-Depth Security

Security Services

CenturyLink SOC

Comprehensive set of security products and services at the customer premise, in the network and at the data center managed through the Security Operations Centers

24/7 Monitoring, Management and Incident Response

Security Services Web Portal

IAAS CLOUD COMPUTING CONTROLS

• Robust reporting and self management portal

• Monitored and managed, with configuration support

• Security functionality provided from the network

NETWORK-BASED SERVICES

Corporate Firewall

Internet

Corporate Network

Threat Intelligence

Internet Traffic Analysis

Commercial Security Products

Corporate Network Traffic

Critical Infrastructure Protection

ECS / IPSS

Open Source

Page 14: How Modern Attackers are Disrupting Businesses Like Yours

Thank You

Dave Mahon

Page 15: How Modern Attackers are Disrupting Businesses Like Yours

Let us help you discover & overcome your infrastructure’s more vulnerable points

Take the Assessment