Post on 11-Apr-2017
Welcome to
Mark Stephen, Conference Chair
@bbcscotland#scotsecure
Ray Bugg, DIGIT
@digitfyi#scotsecure
www.digit.fyi
www.digitleaders.com
DI Eamonn Keane, Police Scotland
@policescotland#scotsecure
What can we do to fight back? Scot-Secure Conference, March 2017.
Agenda
Scottish, UK & Global Perspective!
The current threat landscape!
The challenges to LE & Policing!
The LE response - NCCU & Police Scotland!
Are we getting the message across?
What can we do to fight back?
Collaboration & Prevention.
Good News - Look Forward!
ORIGINAL HUB CONCEPT: SG / NCSC / EUROPOL / POLICE / SENIOR TECH COMMUNITY / INVESTIGATIONS.
TIER 4: SCOTLAND'S TECH COMMUNITY DEVELOPMENT
TIER 3: ACADEMIA / R & D
TIER 2: SOC / TRUSTED PARTNERS
TIER 1: APPRENTICES / GRADUATES
Cyber Regional Organised Crime Units
Stalking
Bullying
Cyber Fraud
SOCG
Sexual Offenders
Indecent images of children
Cyber dependent crimes e.g. hacking, malware, DDoS
Anti-social behaviour
Cyber Terrorism
This is impacting on the police response across the full crime spectrum.
What we do know!!
The cyber threat to UK business is significant and growing.
This threat is varied and adaptable.
The rise of internet connected devices gives attackers more opportunity!
The past year has been punctuated by cyber attacks on a scale and boldness not seen before!
The UK & Scottish government is committed to making the UK a secure and resilient digital nation.
Under-reporting.
Scenario 2: Malware
Malware, Phishing, Ransomware, Social Engineer, Hacker
Some Brief Examples: The Usual Suspects
Key questions that all CEOs & CISOs should be asking this week:
"Are we vulnerable to a cyber intrusion, SQL injection, ransomware or DDoS based attacks?"
"What assurance activity have we done to confirm that we are not vulnerable?"
"If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?"
"Are we satisfied that we have engaged sufficient 3rd-party security provision?"
What is our company ethos & posture on security?
What, and how vibrant, is your overarching cyber security policy?
Cyber Attacks are on the rise
The Main Threats
Hacktivism: Hacking organisations they don't agree with. Politically motivated. Mainly defacement of websites and public disclosure of information. Organised but disperse. Anonymous, New World Hacking, Lizard Squad.
Organised Crime: Well funded cyber crime groups. Financially motivated. Mainly ransomware, stealing of personal info/credit card info, and hacking. Highly organised and well funded. Carbanak Cyber Gang, Janus Sec etc.
Espionage: State sponsored. Politically & financially motivated. Mainly covert hacking and custom malware targeting sensitive IP and CNI. Extremely organised and well funded. TAO, APT 28, APT 17, Bureau 21.
The Main Threats
Bedroom Hackers
Teenagers with a point to prove
Motivated by recognition and quick cash
Mainly defacement of websites and public disclosure of information
Have been quite successful at low hanging fruit.
They have been individuals or front people of a group
Growing Cadre of Hacking Groups
Anonymous
LulzSec
Lizard Squad
New World Hacking Team
DD4BC
The Impact Team
The Armada Collective
Syrian Electronic Army
PhantomSec
ORGANISED CRIME: The skillsets
Feezan Hameed
60 - 113 million Frauds
Vishing / Social engineering of Banking customers
Data acquired including account details/passwords
Money transferred online to mule account networks
UK-wide investigation
Numerous UK Law Enforcement
Arrested in Paris on false passport
Convicted and sentenced to 11 years imprisonment
Customer education?
Op Backbone: UK Bank Frauds
Exfiltration of bank customer data
Bank employee
Live customer data for sale on dark web
Data used to commit further frauds
Customer data recovered at home address
Arrested / Convicted
23,000 seized from account under POCA
Print? Business Need/Auditable?
Operation Mouse - Police Scotland Website
Operation Vulcanalia
The NCCU/PSOS Operation Vulcanalia targeted users of the Netspoof DDoS-for-hire tool. Based on intelligence gathered by the West Midlands Regional Cyber Crime Unit, a week of action in December 2016 saw more than 60 individuals targeted, resulting in 12 arrests, over 30 cease and desist notices served, two cautions issued and one protective visit made.
The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked.
Cyber Resilience is thorough Preparation
Overarching Cyber Security Strategy.
Pre-planned Exercise.
Incident Management & Response Plan.
Communications Strategy.
Investigative Strategy.
Incident Manager & Team: Gold, Silver, Bronze.
Mitigation & Recovery Strategy.
Logistics - Contingency.
Scotland's Future
International Collaboration
Government, L.E., Industry, Academia Collaboration
Joint Working - Intelligence, Technical, Disruption
Prevention/ Education
Curriculum for 21st Century
Upskill Children & Wider Population
Target Harden Existing Business
SBRC Role
Cyber Security Grow as Industry Sector
Cyber Essentials & Cyber Essentials Plus
Cyber Essentials concentrates on five key controls. These are:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
Fighting back: what can we do?
Reporting means we can fight back!
Cyber Policing Structure NCCU - Regional Hubs- Prevention
European & Global Co-operation EC3.
Innovative Partnerships.
Organisational growth and transformation.
Education, prevention & unprecedented collaboration.
The Cyber Academy & Scottish Academia R & D.
Inspire and enthuse - SQA National Progression Awards
SBRC Supporting vulnerable SMEs.
Multi agency, multi disciplined teams protecting Scotland.
European Union General Data Protection Regulation (GDPR)
Recap
Cyber Essential
Cyber Essentials plus
Govt backed / Industry supported
Basic Cyber security hygiene
Report to Police / CERT-UK / GovCertUK
Share - CiSP
Intel / Europol paints Cyber picture
Human: Staff education/awareness
Staff privileges
Nice v risk?
Data breach test of scrutiny did we REALLY do ALL we could?
Thank you for listening
Any Questions?
Eamonn.keane2@scotland.pnn.police.uk
Dr Keith Nicholson, Cyber Security Scotland
#scotsecure
SCOT-SECURE 2017
CYBER DEFENCE STRATEGY FOR THREAT RISK REDUCTION
Dr Keith Nicholson
Cyber Security
Scotland
March 2017
Dr Keith Nicholson, Independent Cyber Security Advisor
25+ years experience in digital technologies, IT audit and cyber security
Qualified in cyber security (CISM CISA)
Scottish Government advisor in Cyber Security
Member Cross Public Sector Cyber Group
Member Cyber Leaders Board
Advisor across Public Sector (e.g. SNH, SEPA, SFC, Revenue Scotland)
Cyber Security Scotland: Non-Profit Organisation
Established to provide independent advice & services on all aspects of cyber security to public bodies to help create the intelligent client.
Provides honest-broker guidance on ICT, cyber security strategy development, tender specifications, procurement exercises and project management to deliver Best Value.
BUILDING A CYBER DEFENCE STRATEGY
Challenges: IT Team
Management expectations on skills
Winning investment & management buy-in
Not just a technical issue
BUILDING A CYBER DEFENCE STRATEGY
Challenges: Board
Lack of cyber understanding
Failure to appreciate risk & ROI
Belief technology is silver bullet
Lack of integration of HR, Finance & Procurement as well as IT in cyber defence strategy
Cyber Defence: BUILDING A RESILIENT ORGANISATION
Secure technology
Challenging suppliers - lifecycle & supply chain
Training and awareness in staff
Policies & procedures in HR, Finance, Procurement, IT
Senior management responsibility
Becoming an intelligent client: Know what you don't know
THREAT RESEARCH
Threat Risk Areas
KEY CYBER THREAT RISK AREAS
Procurement
Payroll
Data Theft
Disruption
THREAT VECTORS
Culture & Behaviours (Poor and well-intentioned)
Technical
Goals: Credential theft; financial gain; service disruption
Incident Patterns
NB: Classification can vary between sectors
Data Breach Patterns
Current Common Threats
Malware Ransomware
Credential theft webmail; keylogging
Drive-by downloads from websites
POS attacks
DDoS transactional servers / websites
Web site defacement
Dark web malware / hackers for hire; risk-reward model
TECHNICAL & PEOPLE BASED
Common attack vectors
BEHAVIOURAL VULNERABILITIES
Domestic technology use = embedded behaviours brought into workplace
Changing attitudes to privacy and sharing personal information
TECHNICAL
Phishing - Email malware ransomware, key loggers
Email attachments e.g. invoices
Email person pretext (e.g. "I'm xxx's boss"; CFO instructing invoice approval)
Vishing elicitation of key information in conversation
Threat Data
Time to compromise: 82% in minutes (phishing to steal credentials)
Time to exfiltration: 68% in days (capture & export data)
Detection deficit: only ca. 20% of attacks detected within days [1]
68% of attacks are malware, 32% by pretext [2]
[1] Verizon 2016 Data Breach Investigations Report. [2] HMG, Ipsos MORI, University of Portsmouth, Cyber Security Breaches Survey, May 2016.
Oldies still goodies: top 10 vulnerabilities older than one year
Software vulnerabilities, time between publication and exploitation: Adobe, Microsoft, Oracle fastest to be compromised; Apple and Mozilla slowest
Helps focus patch management
CYBER DEFENCE STRATEGY
5-Step Threat Reduction Strategy
1. Recognise the threat & take responsibility at Board level (Exec & Non-Exec)
2. Risk & Business Impact assessment of technical & organisational vulnerabilities
3. Secure the technology (resources prioritised via Risk & Business Impact assessment)
4. Create a cyber-aware culture
5. Evolve to become an Intelligent Client
Becoming the Intelligent Client
Recognise what you don't know (Known Unknowns): audit systems, policies & procedures via a critical friend
Recognise you don't know what you don't know! (Unknown Unknowns): get Directors and staff training, both technical and general awareness
Challenge suppliers: service lifecycle and supply chain; build security into procurement specifications
Don't rely only on supplier advice (Audit Scotland)
Seek honest-broker independent advice where needed
CYBER DEFENCE ACTION PLAN
1. Assess and test Cyber Awareness Maturity level: at board level; amongst general staff; amongst technical teams
2. Undertake a Cyber Security audit with risk assessment to: identify technical & cultural vulnerabilities and threats; prioritise resource allocations proportionate to risk; identify staff skills gaps
3. Create a staff development strategy for ongoing awareness / technical training
4. Develop a Proactive & Responsive Cyber Strategy, Policies & Continuous Improvement Plan to address continuing and changing threats
Cyber Defence Action Plan
Summary
Needs Board & Senior Management commitment: risk awareness, RoI and investment buy-in
Cross-organisation responsibility: HR for OD, staff training and vetting; Finance, Procurement for fraud detection; IT for technology
Define your needs and challenges (technological as well as staff and suppliers) via Gap Analysis
Set realistic development plan & expectations: cultural change is not achieved overnight
Keep your eye on the threat: staff development; continuous improvement plan; monitor, mentor, measure
THANK YOU
KEITH NICHOLSON. T: 01847 500 101. M: 07899 062 965. E: KNICHOLSON@CYBERSECURITY.SCOT
Jenny Radcliffe, Social Engineer & Negotiator
@Jenny_Radcliffe#scotsecure
People Hacking
The Human Factor in Security
Jenny Radcliffe 2017
Humans
Predictable?
Motivation
Motivation
Humans
Thank You! @Jenny_Radcliffe
www.jennyradcliffe.com
Rik Ferguson, Trend Micro
@rik_ferguson#scotsecure
Ransomware, the scourge of 2016
Rik Ferguson
Vice President Security Research
Trend Micro
(Not so) Humble Beginnings
Ransomware Evolution
Ransomware Evolution
Image credit: www.botnets.fr
Ransomware Evolution - CryptoLocker
Ransomware in 2016
2016 Losses $1B
246 new families in 2016 alone compared to 29 for 2015: a 748% increase.
PhishMe Report: As of the end of Q3 2016, 97% of all phishing emails contained crypto-ransomware.
InfoBlox Report: Ransomware domains up by 35 fold in Q1 2016.
Ransomware Targeting Businesses
Ransomware Infection Vectors
UK Ransomware Survey
Just over two thirds (69%) of UK ITDMs have heard about ransomware and know how it works.
Four fifths (82%) consider ransomware to be a threat to their organization, while 18% do not.
The average ransomware request received was 540, although for 20% of those infected, the request was more than 1,000.
Nine in ten (89%) reported a time limit on paying the ransom, with the time limit being 19 hours on average.
Organizations affected by ransomware estimate they spent 33 man hours on average fixing the issues caused by the ransomware infection.
UK Ransomware Survey
Two thirds (65%) ended up paying the ransom. However, only 45% of those infected got their data back through this means, while 20% paid a ransom and did not get their data back.
The three most common reasons for paying the ransom:
They were worried about being fined if the data was lost 37%
The data was highly confidential 32%
The ransom amount was low enough to count as cost to business 29%
Seven in ten (69%) think their organization will be targeted by ransomware in the next 12 months.
77% have an incident response plan in case of infection with ransomware
Only 44% have tested their incident response plan, while a third (33%) have a plan in place without testing it.
Notable Ransomware Families 2016: A ROGUES' GALLERY
Locky: Malicious Macros
Ransom_LOCKY is requesting 0.5 Bitcoin ransom ($209.27)
Crysis A Hands-On Threat Actor
A sample infection flow of Crysis via an RDP brute force attack
Cerber: A Ransomware Factory. It replaces the system's current wallpaper with this image:
Stampado Ransomware as a Service
Exploits and Exploit Kits in 2016
A DECLINING INDUSTRY?
The demise of the Exploit Kit?
Neutrino Price Increase
[Chart: Neutrino price per month. Before Angler disappeared: $3,500. After Angler disappeared: $7,000.]
Rate of Vulnerability Additions to Exploit Kits
Exploit Kit / Ransomware Relationship (exploit kit: ransomware delivered in 2015; ransomware delivered in 2016)
Angler: 2015: CRYPWALL, CRYPTESLA, CRILOCK; 2016: CRYPWALL, CRYPTESLA, CRILOCK, WALTRIX, CRYPMIC
Neutrino: 2015: CRYPWALL, CRYPTESLA; 2016: CRYPWALL, CRYPTESLA, CERBER, WALTRIX, LOCKY, CRYPMIC
Magnitude: 2015: CRYPWALL; 2016: CRYPWALL, CERBER, LOCKY, MILICRY
Rig: 2015: CRYPWALL, CRYPTESLA; 2016: GOOPIC, CERBER, CRYPMIC, LOCKY, CRYPHYDRA, CRYPTOLUCK, MILICRY
Nuclear: 2015: CRYPWALL, CRYPTESLA, CRYPCTB, CRYPSHED; 2016: CRYPTESLA, LOCKY
Sundown: 2016: CRYPTOSHOCKER, LOCKY, PETYA, MILICRY
Top Vulnerabilities Within Exploit Kits
CVE-2013-2551. Affected software: Microsoft Internet Explorer 6 to 10. Description: A use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a deleted object.
CVE-2015-0311. Affected software: Adobe Flash Player 13.0.0.262, 14.x, 15.x, and 16.x through 16.0.0.287 on Microsoft Windows and 11.2.202.438 on Linux. Description: An Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors.
CVE-2015-0359. Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux. Description: An Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used; failed exploitation attempts likely result in denial of service (DoS).
CVE-2014-0515. Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Microsoft Windows and Mac OS X and before 11.2.202.356 on Linux. Description: An Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows attackers to run some processes and run arbitrary shellcode.
CVE-2014-0569. Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux. Description: An Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors.
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/2603/internet-explorer-use-after-free-vulnerability-cve20132551
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/6177/adobe-flash-player-buffer-overflow-vulnerability-cve20150311
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7473/adobe-flash-player-memory-corruption-vulnerability-cve20150359
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/5895/adobe-flash-player-buffer-overflow-vulnerability-cve20140515
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/3527/adobe-flash-player-remote-integer-overflow-vulnerability-cve20140569
Ransomware Blocks in 2016
2016 Total: ~1B
Fundamental Best Practices
Employee Education: awareness, best practices, simulation testing
Keep Current with Patching: minimize exploits of vulnerabilities
Access Control: limit access to business critical data
Back-up and Restore: automated; 3 copies, 2 formats, 1 air-gapped from network
Smart Protection Network in 2016: received 2.8T reputation queries from customers; identified 130M new unique threats; blocked 1B ransomware threats; blocked 81B total threats.
Thank You. Rik Ferguson
Trend Micro
@rik_ferguson
Questions & Discussion
Refreshments & Networking
How To Transform Technical Security Data Into Business Ready Metrics
Sean Lever
The Security Assurance Measurement Problem
Transforming Security Data into Business Metrics
How Tenable Helps Bridge the Gap
Agenda
The Security Assurance Measurement Problem
CISOs use existing security metrics that are expressed in technical security terms, and
are oriented toward technical security decisions. They report on what they can vs. what they
should.
Gartner: Sharpen Your Security Metrics to Make Them Relevant and Effective, July 10, 2015
BITS AND BYTES DON'T BELONG IN THE BOARDROOM
"THANKS FOR THE 300-PAGE SECURITY REPORT" - Nobody, Ever, Said
51% of CxOs believe there is a 1 in 4 chance that a data breach will have a material impact on their organisation. (Source: Securing the C-suite, IBM Institute for Business Value, February 2016)
80% of CISOs say their top risks are increasing. (Scale Venture Partners and Wisegate Survey, Assessing and Managing IT Security Risks, June 2014)
COMPILING METRICS CAN BE DIFFICULT
Measured Quantity of Malware Detected (according to the State of Metric Based Security Survey)
Transforming Security Data into Business Ready Metrics
What is a Metric?
METRICS ARE QUANTIFIABLE MEASURES TO TRACK PERFORMANCE
METRICS ARE THE ROSETTA STONE OF BUSINESS COMMUNICATION
Aligning Metrics to the Business
[Figure labels: Metric, Control, Policy, Objective; Monitoring, Control Activities, Risk Assessment, Control Environment; Wisdom, Knowledge, Information, Data]
Defining a Metric
Operations
Compliance
Reporting
Business Objective
Security Outcome
Policy Statement
Control Metric
Examples: Operations
% Critical Systems Patched Within Target Days
% Critical Systems Without Updated Virus Definitions
Compliance
% Critical Systems Within Compliance
Reporting
by Site/Location
by Business Unit
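As an added example (not from the talk and not Tenable's own code), the following Python computes the three control metrics listed above over a constructed asset inventory and rolls them up by site and by business unit, which is the "Reporting" dimension of the slide. The inventory, the 14-day patch target and the one-day virus definition age are assumptions chosen for the illustration; the edge case worth noting is that an unpatched system only counts against the metric once its patch window has actually closed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Reporting date and thresholds: assumed values for this illustration.
AS_OF = date(2017, 3, 23)
PATCH_TARGET_DAYS = 14   # critical patch must be installed within 14 days of release
AV_MAX_AGE_DAYS = 1      # virus definitions older than a day count as out of date


@dataclass
class Asset:
    name: str
    site: str
    business_unit: str
    critical: bool
    patch_released: date            # release date of the newest applicable critical patch
    last_patched: Optional[date]    # date that patch was installed, None if not yet installed
    av_definitions_age_days: int    # age of the endpoint's virus definitions at AS_OF


# Constructed sample inventory (hypothetical systems, not real hosts).
INVENTORY = [
    Asset("web-edi-01", "Edinburgh", "Retail", True, date(2017, 3, 1), date(2017, 3, 10), 0),
    Asset("db-edi-02", "Edinburgh", "Retail", True, date(2017, 3, 1), date(2017, 3, 20), 0),
    Asset("app-gla-01", "Glasgow", "Finance", True, date(2017, 3, 15), None, 3),
    Asset("app-gla-02", "Glasgow", "Finance", True, date(2017, 2, 1), None, 0),
    Asset("kiosk-gla-03", "Glasgow", "Retail", False, date(2017, 2, 1), None, 9),
    Asset("pay-edi-03", "Edinburgh", "Finance", True, date(2017, 3, 1), date(2017, 3, 5), 0),
]


def patched_within_target(asset: Asset, as_of: date = AS_OF,
                          target_days: int = PATCH_TARGET_DAYS) -> bool:
    """True if the newest critical patch met the target.

    An unpatched system is only a failure once the target window has closed;
    a patch released last week is still within target until day 14.
    """
    if asset.last_patched is None:
        return (as_of - asset.patch_released).days <= target_days
    return (asset.last_patched - asset.patch_released).days <= target_days


def av_definitions_current(asset: Asset, max_age_days: int = AV_MAX_AGE_DAYS) -> bool:
    """True if the endpoint's virus definitions are no older than the allowed age."""
    return asset.av_definitions_age_days <= max_age_days


def percent(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else None


def metrics_for(assets) -> dict:
    """The three control metrics from the slide, computed over critical systems only."""
    critical = [a for a in assets if a.critical]
    n = len(critical)
    patched = sum(patched_within_target(a) for a in critical)
    stale_av = sum(not av_definitions_current(a) for a in critical)
    compliant = sum(patched_within_target(a) and av_definitions_current(a) for a in critical)
    return {
        "critical_systems": n,
        "pct_patched_within_target": percent(patched, n),
        "pct_without_current_av_defs": percent(stale_av, n),
        "pct_within_compliance": percent(compliant, n),
    }


def report_by(assets, attribute: str) -> dict:
    """Roll the metrics up by an Asset attribute such as 'site' or 'business_unit'."""
    groups = defaultdict(list)
    for asset in assets:
        groups[getattr(asset, attribute)].append(asset)
    return {name: metrics_for(members) for name, members in sorted(groups.items())}


if __name__ == "__main__":
    print("Overall:", metrics_for(INVENTORY))
    for attribute in ("site", "business_unit"):
        for name, m in report_by(INVENTORY, attribute).items():
            print(f"{attribute}={name}: {m}")
```

The compliance figure is deliberately the intersection of the two operational controls rather than their average, so a site can score well on patching and still report 0% compliance if its definitions are stale; that is the kind of gap a report card is meant to surface.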
Characteristics
1. Specific
2. Measurable
3. Actionable
4. Relevant
5. Timely
What is a SMART Metric?
How Do I Share Metrics?
Where Do I Start?
Security Frameworks / Business Frameworks
National Cyber Security Centre (NCSC)
How Tenable Helps Bridge the Gap
Define security metrics that map to your unique business objectives
Collect comprehensive, reliable data to assess security and compliance
Use easy-to-read report card format to communicate security posture to execs
Validate that security program controls are in place and delivering intended results to maximize your return on investment
Measuring Security Assurance: Tenable Solution Components
INTEGRATED PLATFORM
SC CV / HOST DATA
PASSIVE LISTENING
INTELLIGENT CONNECTORS
AGENT SCANNING
ACTIVE SCANNING
Cloud, Devices, Users, Endpoint, Networks, Web, Virtual, Mobile
Assurance Report Cards
Operations
Compliance
Reporting
Business Objective
Security Objective
Policy Statement
Control Metric
Tenable Critical Cyber Controls
ARCs for Specific Concerns
Geographic ARCs
Figuring out the right metrics and compiling them can be challenging
Metrics provide clear insight into how well the IT security team is meeting security and business objectives
Tenable's sensors and ARCs help you turn technical data into metrics executives can understand
Summary
Read the eBook: Using Security Metrics to Drive Action
Download the Whitepaper: Measuring Security Assurance: Turn Technical Data into Metrics Executives Can Understand
Next Steps
Questions?
Social Engineering: A Career in Engineering whilst being on the Social
The Art of Manipulating People, or
The Most Important Role for a Security Practitioner is to Eradicate the Need to Pre-pend Words to the Term Security
The Greatest Risk we face as Risk Owners is from those with whom we are sharing the risk.
Person of Interest
Tatty Teddy; Rick Steenfield
Practical Examples
Tatty Teddy
Twitter on Tatty Teddy
Over a number of years tweeted as fan.
On occasion principal retweeted.
Interaction progressed to principal commenting.
Fan moves to interact in DM, principal replies.
Fan tweets evolve, becoming more personal.
Tatty Teddy
Principal attempts to ignore and manage fan.
Principal sensitively declines.
Management Company running a competition.
Winner of Meet & Greet announced.
Fan requests a meet & greet.
Fan interaction turns hostile.
Fan makes direct threats and becomes hostile online.
Tatty Teddy
"After being single all my life and approaching my 38th birthday, I've taken the plunge and signed up with POF. Have never had so much as a proper date in all my life, and it's been years since I was even remotely looked at by a woman, so I'm not expecting much.

Having looked at who's available in my local area, there isn't much going. There are one or two women who are nice looking, but I look very young for my age, don't fancy women near to my own age (many 30-35s almost look old enough to be my mother), and I feel awkward at the thought of looking at women in their late 20s who I might actually find attractive. But I'd probably have nothing in common with them."
Alexa Ray Joel
"Alexa, come away with me! I want to take you away! To a place where no-one can ever hurt you! We can go anywhere. I know places. Places where we can be alone, or in a big city. It doesn't matter. I want to live a "normal" life with you. I want to watch you grow old with me, and maybe have a couple of children. You can be anything you can imagine! A doctor, a factory worker, a scientist, a photographer! Anything you want. I just have this dream of you and me in a house and pets and you can be my wife, and I can be your loveslave. Anything you want. It will be great! We can have a lot of fun together! So, get back to me! Tell me to go to Hell, tell me that I'm crazy, just tell me how you feel. I love you and I want you to be happy."
Alexa Ray Joel
Messages start September 4th.
5th Recounting a Nightmare.
7th Message of Hate.
Last Message 13th November.
Alexa Ray Joel
Alexa Ray Joel
Rick Steenfield, 20s, Chicago, McDonald's.
Attended Gordon Central High School.
Legend going back to High School
Alexa Ray Joel
Alexa Ray Joel
Social Engineering - Profiling
What do you want~
Something about me being a lazy drink~I
waste~good
please!~Let me go!
Alexa Ray Joel
One of a handful reporting same geo location.
Similar Interests, Likes.
I envy you~the way you can sing
wrong~I just like them forever!
but here I go~up on the stage, anyway
Alexa Ray Joel
Alexa Ray Joel
Sheryl Finley [Billy Joel] hired a bodyguard to protect his daughter and contacted [Paul] McCartney, who recommended a Europe-based private-security firm not bound by the same legal restrictions as the police, [Post] sources said.
McCartney's people found the stalker in Austin, Minn.
Alexa Ray Joel
Securing People
Training, understanding, malice.
Educate your colleagues.
Educate your Stakeholders.
You can't address this with technology.
Securing People
You do not know the people you are trusting.
Recognise that as a Risk.
Quantify the risk.
Accept it or mitigate it.
Crime is on the increase
Your stakeholders are being targeted.
Sensitive Assets can take many forms.
It's risk introduced by cyber, or just security.
Stop referring to cyber security.
Thank You
CYBER RESILIENCE: THINKING BEYOND BUILDING THE WALLS HIGHER
Rick Hemsley
March 23, 2017
ACCENTURE SECURITY
Copyright 2017 Accenture Security. All rights reserved.
BY THE NUMBERS: DEFENDING AND EMPOWERING THE DIGITAL BUSINESS
Streamline cloud migration activities by 20%
20+ years of experience helping clients secure their organizations
15,000+ security devices managed
2 Security Centers of Excellence: Manila & Buenos Aires
30 million+ digital identities managed
>30x faster detection rates of incidents for multiple clients
5,000+ people
330+ clients spanning 67 countries
5,000+ security risks mitigated / year
350+ pending and issued patents related to security
Cloud security, management and control for 20,000+ cloud computing instances
5B+ raw security events processed daily
Running some of the largest SIEM deployments in the world
4 Cyber Fusion Centers: Bangalore, Prague, Washington, DC, Tel Aviv
Security analytics that handle billions of events
One million+ endpoints managed
HOW OFTEN DO YOU HEAR ABOUT SECURITY IN DAY-TO-DAY MEDIA STORIES?
A. NEVER
B. WEEKLY
C. NEARLY DAILY
FROM THE HEADLINES
"Thieves steal $101M; governor of Bangladesh central bank resigns" (The Economist: The Dhaka Caper article, March 19, 2016.)
"Oracle Data Breach: MICROS System Compromised by Hackers" (www.identityforce.com/blog/oracle-data-breach)
"Yahoo hack: 1bn accounts compromised by biggest data breach in history" (The Guardian: Article by Sam Thielman, December 15, 2016.)
"LinkedIn hack hits headlines again: Records stolen to 117 million accounts" (www.zdnet.com/pictures/biggest-hacks-security-data-breaches-2016/6/)
WHAT HAVE WE TRADITIONALLY DONE?
Resistance
ATTACKERS MODIFY THEIR TACTICS
MODERN THREATS: CYBER CRIME OR CYBER ENABLED CRIME IS BIG BUSINESS, AND COMPANIES ARE TARGETED FOR THEIR DATA OR COMPANIES ARE TARGETED FOR THEIR MONETARY BENEFITS (ONE AND SAME?)
Activist Groups
Corporate Espionage
State Sponsored
Employees or Partners
Organized Crime
SOPHISTICATED, WELL-FUNDED CYBERCRIMINALS ARE OUTPACING DIGITAL BUSINESSES
ALTHOUGH THE RISE OF DIGITAL HAS REVOLUTIONIZED HOW BUSINESSES WORK AND SERVE THEIR CUSTOMERS, IT HAS ALSO ADDED NEW DIMENSIONS OF RISK
~.5 billion: 23% increase in exposed identities, with nine mega-breaches in 2015 [1]
55%: Increase in spear-phishing campaigns targeting employees, 2015 [4]
35%: Increase in ransomware moving beyond PCs to smart phones, Mac, and Linux systems [2]. OT systems next?
$400 billion: Costs to businesses per year due to cyber attacks (initial damage + ongoing disruption) [5]
$170 billion: Global corporate spending on Cyber Security by 2020 [3]
430 million: New unique pieces of malware in 2015 [1]
References: [1] and [2] Symantec Internet Security Threat Report, Apr 2016 (mega-breach defined as >10 million records). [3] "Companies Lose $400 Billion to Hackers Each Year," Inc., September 8, 2015. [4] Symantec Internet Security Threat Report, Apr 2016. [5] "Lloyd's CEO: Cyber attacks cost companies $400 billion every year," Fortune, Jan 23, 2015.
https://resource.elq.symantec.com/LP=2899?CID=70138000000jQ7vAAE&MC=198199&oc=NA&OT=WP&TT=PS&om_sem_cid=biz_sem_s115207826697434|pcrid|78260258929|pmt|b|plc||pdv|c
http://www.inc.com/will-yakowicz/cyberattacks-cost-companies-400-billion-each-year.html
http://www.symantec.com/security_response/publications/threatreport.jsp
http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/
THE VOLUME OF ATTACKS ATTAINS ITS OWN DARWINIAN SOPHISTICATION
BEYOND CARBANAK AND SWIFT, CYBER RISK WILL CONTINUE TO MORPH AND BECOME MORE SOPHISTICATED. AS THE CONTROLS IMPROVE, THE ATTACKS CHANGE.
Example New Cyber Risks:
People are the weakest link: social engineering / phishing messages clever enough to fool everyone.
Greatest risks are cross silo: Security vs Fraud vs Customer Risk vs Vendor Risk.
Command and control: Clever mechanisms hide communication protocols once a breach has happened, e.g. Amazon HTTP requests.
Switch to Physical: USB drives, printers, computers or any other hardware that can be compromised and then installed on the network.
SMS: Weaknesses in the telecom infrastructure allow SMS based dual factor authentication to be compromised.
Ransomware attacks digital infrastructure: Exploiting Android and Apple iOS can wreak havoc on applications, mobile devices and Internet of Things.
NEW REGULATION = NEW REQUIREMENTS: WHAT IS THE GDPR?
THE GENERAL DATA PROTECTION REGULATION (GDPR) APPLIES TO ALL BUSINESSES WHO HAVE CUSTOMERS AND/OR OPERATIONS WITHIN THE EUROPEAN UNION. BUSINESSES HAVE NEW REQUIREMENTS TO MEET.
New Regulation
3X as many articles as the incumbent privacy directive
18 months until new regulation is expected to become fully enforceable
28 member states have harmonised a regulatory framework
1 EU-level supervisory authority* governing going forward (*however, there are many regulatory bodies (e.g. FCA and PRA) that can take action against the Data Controller or Data Processor)
In reality, it means fines up to 4000X previous levels and personal liability for management and/or the board.
New Requirements
You need to report an incident without undue delay to the Supervisory Authority, no more than 72 hours after finding it.
You'll need to appoint a Data Protection Officer if you monitor on a large scale or process special data. Estimated DPO requirement: 28,000 in EU, 75,000 globally.
You'll have tighter restrictions around consent. Get the consent balance right so you don't scare off customers.
You'll need to cover more personal data. Now including physical, physiological, economic, mental, genetic, cultural & social identity.
You'll need to be able to erase all of an individual's personal data, which is likely to be in many parts of that organisation or with data processors.
You'll need to be able to give an individual all of their personal data. Where is it, what format, how to extract it, how to port it, etc.
WHAT IS CYBER RESILIENCE?
Cyber Resilience Overview: It is the ability to operate the business processes in normal and adverse scenarios without adverse outcomes. Specifically, resiliency strengthens the firm's ability to identify, prevent, detect and respond to process or technology failures and recover, while reducing customer harm, reputational damage and financial loss.
External Sources of Cyber Risk: Hacktivism; Hacker/Lone Wolf; Nation State Attacks; Insider Data Leakage; Social Engineering
Internal Origins of Cyber Risk: Digital Banking Services; Payments; Electronic Trading; Third Parties; Technology Infrastructure
CYBER RISK CAN MANIFEST ITSELF ACROSS SEVERAL DIMENSIONS, MAKING IT DIFFICULT TO DETECT, MEASURE, AND CONTROL
Common characteristics of resilient businesses:
More secure processes and systems
Strong controls with a strong control environment
A solid risk culture
Digitized and automated processes
PREPARE: Business strategy alignment; Assessment & architecture; Operating model governance; Risk & compliance; Culture change; Red-teaming
DETECT: Vulnerability management; Threat intelligence; Security monitoring; Cyber threat analytics
PREVENT: Digital identity; Application & data security; Platform & infrastructure security
RESPOND & RECOVER: Incident response; Remediation; Business continuity
Across: MOBILE, ON PREMISES, CLOUD, IoT
MORE SIMPLY?
Business-driven
Threat-centric
Digitally protected
Adaptive responses
Agile delivery
HOW DO WE ACHIEVE CYBER RESILIENCE?
Adopt a different mindset: understand our adversary, their objectives, strategies, tactics, and operating methods
Think about different threats: those inside the organisation often have the keys to the kingdom yet can often be the cause, intentionally or accidentally, of breaches
Organise ourselves: move beyond technical silos, think holistically about cyber across the organisation
Preparation is key: Incident Response is critical and with GDPR it will only become more so
WHAT ARE THE CHALLENGES WE NEED TO OVERCOME?
1. Not measuring the right things: move to business alignment
2. Assuming controls are sufficient: stress test, prove controls and people
3. Assuming a perimeter: begin inside out
4. Static plans, doing the same thing over and over: innovate
5. Limiting security to a purely technical issue: everyone's mission, H&S for the 21st century
6. Disengagement: all leadership aligned and communicating, singing from the same hymn sheet
5 KEY PRIORITIES TO HELP MANAGE CYBER RISKS EFFECTIVELY
1. Training and Risk Culture: taking what is unique in your organization and infusing the right cyber risk behaviors
2. Controls: identify weak points, building a robust set of controls across operations, business and IT
3. Measurement with a Purpose: what is going on without your leadership's knowledge, creating metrics that expose the risks
4. Operating Model: how does your leadership work with the rest of the organization, assigning clear lines of accountability and ownership
5. Resilience: at some point things will go wrong, be prepared (and have leadership prepared!)
MORE SIMPLY AGAIN?
How do we respond?
What is the impact?
How do we organize?
How do we monitor?
Risk Identification: aggregated set of typical risks associated with Cyber Risk
Risk Events: scenarios which can impact the organization, specific to cyber threats
Business and IT Controls: oversight of the controls and their testing programs and how to leverage COBIT, ISA, ISO/IEC, NIST controls
Operating Model: specifying the structure with people, organization, roles, tools and processes to govern
Detection and Identification: tools and metrics to identify and log aspects to manage operations
Operational Monitoring: aligning the tools to identify and detect threats along with their escalation and oversight
Event Response Plan: structure to identify and manage action plans
Crisis Management: structure to manage incidents and notify impacted parties
TO OPERATE AND GROW CONFIDENTLY IN A RAPIDLY EVOLVING THREAT LANDSCAPE, ORGANIZATIONS NEED TO ADDRESS SECURITY ON THREE DIMENSIONS
Empower business growth & secure operations:
Establish and maintain customer trust by meeting expectations for the privacy and protection of their data.
Enable capabilities that enhance customer and employee experience.
Meet compliance and regulatory obligations.
Enable secure adoption of new technologies.
Goal: Ensure that expectations for privacy and compliance are met, and that the business is protected from routine malicious behaviors.
Harden the organization to make cyber attacks difficult:
Maintain IT hygiene to eliminate exposure to known vulnerabilities.
Implement technology such as encryption and two-factor authentication to increase the difficulty of successful cyber attack.
Implement security discipline beyond the security organization (e.g. secure coding, network segmentation, training & awareness).
Goal: Raise the cost of attack to adversaries, reducing their incentive to attack lower-value targets.
Detect and remediate successful cyber attacks:
Use threat intelligence to anticipate cyber attacks and take preemptive defense measures.
Detect in-flight cyber attacks.
Use red teams to test cyber defense effectiveness.
Prepare and test incident response plans.
Goal: Detect & respond to successful cyber attacks, minimize the impact of cyber attacks.
IF YOU TAKE NOTHING ELSE AWAY
ADOPT A "WHEN, NOT IF" MINDSET
PREPARE FOR BUSINESS DISRUPTION: KNOW WHAT YOU WILL DO
& GDPR IS COMING!!!
THANK YOU
Man-in-the-Middle Application Security
Ian McGowan Bio
Ian is a Managing Consultant at Barrier Networks and has 18 years experience working in network and application security.
He has worked as a web application security architect and application security operations lead and understands the challenge organisations face when trying to integrate security controls into the modern software development life cycle.
Talk Overview
Overview of Web Application Security challenges
How Web Application Firewalling (WAF) can help
Advances in WAF technology
Anti-Fraud techniques
Summary
Verizon DBIR 2016
Attack Surface:
Data; Stolen User Credentials/Fraud; Phishing; Network DDoS Attacks; Application Vuln Exploits; Recon./Port scan; Attacks against SSL Vul; Application attacks; Network attacks; Session attacks; DNS Amplification/Cache Poisoning; Application DDoS Attacks; Botnet/SPAM; Man in the Middle; Man In The Browser; Clientside Attacks; DNS Attacks; Malware; Business Logic Abuse
Focus of Attacks (same attack surface as above):
ATTACKS ARE DISPROPORTIONATELY TARGETING THESE AREAS: APPLICATION PROTECTION; USER ACCESS AND CREDENTIALS
(Categories: Data; Application attacks; Network attacks; Session attacks; Clientside Attacks; DNS Attacks)
State of Application Delivery Report
Yearly report by F5 Networks
2200 responders
Understanding trends
Most popular application services deployed
Most important application services deployed
Application Services to be Deployed 2017
Top 3 Security Services Planned Globally
Most Important to Responders
WebApp Security Challenges
Complexity of the application
Complexity of the attacks
User controls the Endpoint
SDLC Challenges
Secure coding is difficult, expensive and slow.
Developers are usually under time constraints
The focus is on delivery and not security
We need to change our approach to software development
OWASP Top 10
Top 10 AppSec Risk
There are more than 10!
These arent going away
Time to adjust our approach?
Placement of Controls
Prevention is better than a cure.
Closing the barn door
Production vulnerability
Timelines to consider: undetected period; time to mitigate; window of exposure
WAF is Effective
Firewall vs WAF
Firewall is network focused
NG Firewall is content focused
WAF is application focused
Reverse Proxy Architecture
AppSec Policy Enforcement Point
WAF provides the ability to enforce policy
Positive vs Negative Policy
WAF Policy
WAF Benefits
Mitigate SQLi; Insecure Direct Object Reference; Layer 7 DDoS Protection; Session & Login Tracking; Web Scraping Prevention; Brute Force Attack Prevention; XML Schema Validation; JSON, AJAX and Web Services
DAST Integration
Dynamic Application Security Testing
Early detection of vulnerabilities; Continuous assessment; Remediate code vulnerability in situ; Automated virtual patches
Eurograbber Campaign
Financial Service Crimeware
Targeted Users
30,000 affected
Zeus Trojan & ZITMO
Stopped by Web Fraud Control
Eurograbber Campaign Overview
Step 2: Initial Compromise of the DOM
Step 2: DOM Injection
Step 3: Trojan Relays Mobile # to C2
Recap so far..
Step 4: SMS Sent by C2 / Dropzone
Step 5: Validation Request
Step: Exploitation Confirmation
Compromise Success / Failure Logic
Complexity of Attack
Next Steps
Laptop/PC & Mobile Device are now compromised.
What next?
Trojan Operation
Web Fraud Prevention Benefits
Detection of DOM compromise
Application level encryption
Automated action detection
Web Fraud Control Efficacy
Major European Bank: detected and blocked fraudulent transactions in the sum of 500,000 Euro in two days.
ROI on the pilot in the first two days: that's a new thing in the security field ...
Take Aways
AppSec controls have advanced significantly. We must adjust our approach before it's too late. Layered defence.
Protect Online User: clientless solution, enabling 100% coverage
On All Devices: desktop, tablets & mobile devices
Full Transparency: no software or user involvement required
Prevent Fraud: targeted malware, MITB, zero-days, MITM, phishing, automated transactions
In Real Time: alerts and customizable rules
Scot Secure 2017
Thank you!
Welcome Back
Dan Hunt, Lloyds Banking Group
#scotsecure
EVERYTHING YOU WANTED TO KNOW ABOUT PHISHING
BUT WERE TOO AFRAID TO CLICK
Dan Hunt, Lloyds Banking Group
Brief Introduction
Etymology: Phreaking (Phone Hacking) + Fishing
Definition: Phishing is the attempt to coerce recipient action, often for malicious reasons, by disguising oneself as a trustworthy entity in electronic communications
Effectively a con trick, same as any other
Concepts can be applied to other -ishings;
Vishing: Voice-based
Smishing: SMS-based
Phishing emails can be used to harvest sensitive data and deploy malware
Unsuccessful phishing attempts can be used to infer how well-protected an organisation is
It is very, very easy and very, very effective
Average engagement-rate is 20%
ROI is high
Why?
Who?
Phishing: mass audience; low sophistication, generic (Delivery/HMRC scams)
Spear Phishing: targeted at SMEs / high-risk colleagues; tailored content (conferences, subscriptions)
Whaling: targeted at CEOs / exec level; highly tailored content; long-game strategy (waterholes etc)
How?
Data harvested
Malware deployed
What? (Strategic) Reduce the engagement rate on phishing emails;
Gateway filtering & blocking
Employee Education & Testing:
Studies find that the 20% click rate falls to 13% if employees go through just three simulation exercises, to 4% after the fourth and 0.2% after the fifth.
Have colleagues know what to do and who to tell.
What? (Immediate) Awareness of Red Flags
Mismatch of sender imagery
Impersonal (Dear Customer)
Misspellings
False sense of urgency
Email/web domains don't match
What? (Final Thoughts) When sent an email that you're not expecting, even if it appears to be from someone you know, consider the following;
WHY am I being sent this email?
WHO is sending it to me?
WHAT do they want me to do?
WHERE could it lead me?
THINK BEFORE YOU CLICK
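As an added illustration of the red-flag list above (example code, not from the talk or from Lloyds Banking Group): a small Python checker that reads one single-part HTML email and reports which of the listed red flags it finds. The cue phrases, the crude registrable-domain logic and the two sample messages are constructed for the example; it does not attempt the "misspellings" or "sender imagery" checks.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed cue lists for the "false sense of urgency" and "impersonal" red flags.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
LINK_RE = re.compile(r"""<a\s[^>]*href=["']([^"']+)["'][^>]*>(.*?)</a>""", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

def registered_domain(host):
    """Reduce a host to its registrable part (crude: only 'co.uk'-style suffixes handled)."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "com", "org", "ac", "gov"):
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])

def phishing_red_flags(raw_message):
    """Return the red flags from the talk's list found in one single-part HTML message."""
    msg = message_from_string(raw_message)
    flags = []
    sender = registered_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_to and registered_domain(reply_to) != sender:
        flags.append("reply-to domain differs from sender domain")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in LINK_RE.findall(body):
        target = registered_domain(urlparse(href).hostname or "")
        if target and target != sender:
            flags.append("link domain differs from sender domain")
        shown = HOST_RE.search(TAG_RE.sub("", text))  # a host written in the link text
        if shown and registered_domain(shown.group(1)) != target:
            flags.append("link text domain differs from link target")
    plain = re.sub(r"\s+", " ", TAG_RE.sub(" ", body)).strip().lower()
    if plain.startswith(GENERIC_SALUTATIONS):
        flags.append("impersonal salutation")
    if any(phrase in plain for phrase in URGENCY_PHRASES):
        flags.append("false sense of urgency")
    return sorted(set(flags))

# Constructed sample messages (not real mail); headers, then a blank line, then the HTML body.
PHISHING_SAMPLE = (
    'From: "Example Bank" <security@examplebank-verify.example>\nReply-To: helpdesk@mail-recover.example\n'
    "Subject: Urgent: verify your account\nContent-Type: text/html\n\n"
    "<html><body><p>Dear Customer,</p><p>Your account will be suspended within 24 hours. "
    '<a href="http://login.mail-recover.example/verify">www.examplebank.com</a></p></body></html>'
)
BENIGN_SAMPLE = (
    "From: Alice Smith <alice@corp.example>\nSubject: Lunch menu\nContent-Type: text/html\n\n"
    '<html><body><p>Hi Bob,</p><p>Menu is on <a href="https://intranet.corp.example/menu">the intranet</a>.</p></body></html>'
)
```

Run `phishing_red_flags(PHISHING_SAMPLE)` to see all five flags fire, and the benign sample returns an empty list.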
Stu Hirst, Skyscanner
@StuHirstInfoSec #scotsecure
DevSecOps: A 2-year journey of success & failure!
@StuHirstinfosec
Skyscanner
TIRED??!!!
Who are we? What do I do? What am I presenting?
Skyscanner 2014
Skyscanner Security in 2014
Skyscanner 2017
Skyscanner Security in 2017
WE HAVE A LOGO N EVERYTHING!
Strategy
My most successful strategy?
ISO27001? Cyber Essentials? BSIMM? A.N.Other?
Nope, it's been speaking to people and sharing learnings.
Longer term: split security into focused areas; we now have SECOPS and PRODUCT SECURITY
AWS
1. TEACH
2. CONTINUOUS AUDITING & ALERTING
3. OPEN SOURCE TOOLING (Scout2, SecurityMonkey etc)
4. AUTOMATION
Adventures in Bug Bounties
Initial scheme: Qualys scans
2-week scheme: glut!
365 scheme: needs constant researcher rotation, refuse to pay for crap bugs, weed out the XSS guys!
Ideal outcomes: weed out certain types of bug in your code altogether; make researchers work harder for their cash!; scale the scheme & make it more valuable over time
DevOps & Security
NOT
DevOps & Security
2FA
Two-factor
Two-Factor All The Things: VPN; Windows / Mac login; Web portals; Apps; SSO; Data (especially PII)
User Data
Implemented new MINIMUM STANDARDS for user data. Privacy BY DESIGN!
Examples:
Only stored in agreed places (e.g. AWS)
Minimum encryption levels when transferring
Same for data at rest (AES256)
Bcrypt / Argon2 for hashing
Only using TLS
Get rid of old ciphers
Segment the network
Tighten up access controls to the data
Passwords
Get rid of credentials in code (GitHub/GitLab etc): Credstash, Git Secrets, GitLeaks (have fun!)
Passwords in Plain Text?! Dude, it's 2017.
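As an added illustration of the "credentials in code" point (example code, not Skyscanner's tooling and not the rule sets of Credstash, Git Secrets or GitLeaks): a minimal pre-commit style scanner that runs a few detection rules over source lines, drops obvious placeholders and low-entropy dummies, and redacts what it reports. The rules, the `# nosecret` allow-marker and the sample source lines are constructed for the example.

```python
import math
import re
import sys

# Constructed detection rules in the spirit of git-secrets / GitLeaks; not those tools' own rule sets.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-password": re.compile(r"""(?i)(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{6,})["']"""),
    "generic-token": re.compile(r"""(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*["']([A-Za-z0-9_\-]{20,})["']"""),
}
# Values that are clearly placeholders rather than live credentials.
PLACEHOLDERS = ("changeme", "password", "example", "xxxx", "<your")
ALLOW_MARKER = "# nosecret"  # hypothetical inline marker for reviewed false positives

def shannon_entropy(value):
    """Bits per character; random tokens score high, words and repeated characters low."""
    length = len(value)
    return -sum(n / length * math.log2(n / length)
                for n in (value.count(c) for c in set(value)))

def scan_lines(lines, min_entropy=3.0):
    """Return (line_no, rule, redacted excerpt) for each suspected credential in the lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue
            if rule == "generic-token" and shannon_entropy(value) < min_entropy:
                continue  # "aaaaaaaa..." style dummies are not worth blocking a commit
            findings.append((line_no, rule, value[:4] + "..."))  # never echo the full secret
    return findings

# Constructed source lines standing in for a file under review (no real credentials).
SAMPLE_SOURCE = [
    "import boto3",
    'AWS_ACCESS_KEY_ID = "AKIAQ7T2P9XK4M1VZH8L"',
    'db_password = "changeme"                  # placeholder, must not fire',
    'db_password = "kL9#xQ2m!vR7"',
    'api_key = "aaaaaaaaaaaaaaaaaaaaaaaa"       # low entropy, must not fire',
    'api_key = "f3Kp9xQ2mL7vR1tZ8wB4nC6y"',
    'TEST_TOKEN = "0000000000000000000000"  # nosecret',
]

if __name__ == "__main__":
    # Pre-commit style usage: scan the files named on the command line (or the sample) and fail on any hit.
    paths = sys.argv[1:]
    hits = scan_lines(SAMPLE_SOURCE) if not paths else [
        (path, *hit) for path in paths
        for hit in scan_lines(open(path, encoding="utf-8", errors="replace"))
    ]
    for hit in hits:
        print("possible credential:", *hit)
    sys.exit(1 if hits else 0)
```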
Two-factor/Passwords
Password solutions
SIEM
There are lots of SIEM solutions, BUT HOW ARE YOU USING THEM?!
Endpoint Protection
Anti malware
Endpoint Protection
Awareness
What we do: Security Champions
What we do: Crypto & Bug Challenges
Hosted in AWS: cheap, easy to build!
Security Swag: everyone loves t-shirts & stickers!
What we do: Security Meet Up
Employees
Employee behaviour: blog post
Take Humans out of the equation
Phishing
Phishing: why not take humans out of the equation?
Sandbox links & attachments (Uber built this themselves)
Protect against Impersonation
Learning (especially from failure!)
Culture
Culture - No fear
This is the moment of my failure and I am not scared
What we do: Announcing failure
Weekly PRODOPS Review. NO BLAME! It's a learning exercise
What we do: Learning (Cybrary, PluralSight, Twitter, Blogs)
Some thoughts to leave you with
Stats
Not everything is critical!
Simple and quick wins are GOOD wins!
Try and increase the likelihood of an employee telling you about an event or potential attack.
Run attack simulations. Break something before someone else does!
FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS: IF YOU GO FROM 48% TO 32% ON FIRE, YOU'RE STILL ON FIRE! (Zane Lackey, ex-Etsy)
Scaremongering
Security Scaremongering
"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests)"
Some thoughts to take away
Reward people for making you aware of issues. You feel good, they feel good & they're likely to tell others.
What next?
Shout about your successes! Security is as important as any other business unit, so shout about successes you have: positive PR across the business.
thank you @stuhirstinfosec
Learn with Skyscanner
Follow Skyscanner @CodeVoyagers on Twitter
Read a backlog of our learnings at codevoyagers.com
Sign up for our Skyscanner Code Voyagers newsletter (learnings from our successes and failures) or search http://9nl.it/scotsecure_cvnewsletter
http://9nl.it/scotsecure_CVtwitter
http://9nl.it/scotsecure_cvblog
http://9nl.it/scotsecure_cvnewsletter
Prof Bill Buchanan, Edinburgh Napier Uni
@billatnapier #scotsecure
Questions & Discussion
Drinks & Networking
www.digitleaders.com