7. Agenda
Scottish, UK & Global Perspective
The current threat landscape
Incident Planning & Response
Prevention
Scotland’s future
Signposting
8. Key questions that all CEOs and CISOs should be asking this week
• "Are we vulnerable to SQL injection, ransomware or DDoS based attacks?"
• "What assurance activity have we done to confirm that we are not vulnerable?"
• "If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?"
• "What assurance activity have we done to confirm this position?"
• "What is our company posture on security?"
15. SOC – Cyber attacks – Volume – Cybercrime
• International highly skilled cyber-criminals, often working together
• Responsible for 262,000 UK infections and losses > £500m
• Distributed Denial of Service (DDoS) (BBC, HSBC)
• Ransomware (Police Scotland, SPA)
• Data theft and extortion (TalkTalk, Ashley Madison)
• 2.5 million cybercrimes in the UK annually
• Economic crime
• Extortion
• Offences against children (CSE)
27. Five key cyber crime threats
• Malware targeting businesses & individual users for fraud: APTs, RATs.
• Network intrusion ('hacking'): DDoS, XSS, spear-phishing.
• Enablers of cyber dependent crime (e.g. money laundering / digital currencies / anonymisation).
• Cyber crime 'as a service'.
• Targeted disruption of access to UK networked systems and services (e.g. DDoS / ransomware).
28. Old bugs come home to roost…
SHELLSHOCK – HEARTBLEED – DRIDEX – CRYPTOWALL – POODLE… LOCKY
38. Reporting of Cyber Incidents
• Incident evaluation and early reporting.
• Police Scotland 101 – Incident No. & Action Fraud.
• Business continuity and impact are our prime consideration.
• ICT response and mitigation. Scene preservation?
• Where possible preserve original copies of emails, attachments,
device images and logs.
• Is there a mandatory obligation to report?
• Report to CERT-UK / GovCertUK.
• Report to Scottish Government if appropriate.
• Identify point of contact for law enforcement to facilitate enquiries
and evidence gathering.
• Submit attack details to the CiSP platform if appropriate (share.cisp.org.uk; can assist with mitigation and fix)
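The “preserve original copies” step above is where a hash manifest earns its keep: if every preserved email, attachment, device image and log is recorded with its SHA-256 at the moment of preservation, anyone who later handles the material can show it is unchanged. The following is an added Python example written for this page, not code from the speakers or from Police Scotland; the directory layout, the file contents and the `CASE-PLACEHOLDER` reference are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Added example: a minimal evidence manifest for preserved incident material.
# Every file is recorded with size, modification time and SHA-256 so a later
# re-hash can prove the preserved copy has not been altered.

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so device images need not fit in memory


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streaming it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, case_ref):
    """Walk evidence_dir and describe every file under it.
    case_ref is a hypothetical internal incident reference (placeholder)."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.stat(path)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(path),
            })
    return {
        "case_ref": case_ref,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash every listed file; return a list of problems (empty means intact)."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path):
            problems.append(f"missing: {entry['path']}")
            continue
        if sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['path']}")
    return problems


def save_manifest(manifest, out_path):
    """Write the manifest as JSON next to (not inside) the evidence tree."""
    with open(out_path, "w") as f:
        json.dump(manifest, f, indent=2)


def demo():
    """Constructed scenario: preserve two sample files, verify, then edit one."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        os.makedirs(os.path.join(evidence_dir, "mailbox"))
        eml = os.path.join(evidence_dir, "mailbox", "suspicious.eml")
        log = os.path.join(evidence_dir, "proxy.log")
        with open(eml, "w") as f:
            f.write("Subject: Invoice attached\n\nConstructed sample message.\n")
        with open(log, "w") as f:
            f.write("2016-04-21T09:12:03Z constructed sample proxy log line\n")
        manifest = build_manifest(evidence_dir, case_ref="CASE-PLACEHOLDER")
        intact = verify_manifest(evidence_dir, manifest)
        with open(log, "a") as f:          # simulate someone "tidying" the log later
            f.write("later edit\n")
        tampered = verify_manifest(evidence_dir, manifest)
    return manifest, intact, tampered


if __name__ == "__main__":
    manifest, intact, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("before edit:", intact or "intact")
    print("after edit: ", tampered)
```

Keep the manifest (and ideally a copy signed or stored out of band) separate from the evidence itself; a manifest that lives inside the tree it describes can be rewritten along with the files.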
40. Cyber Essentials & Cyber Essentials Plus
Cyber Essentials concentrates on five key controls.
These are:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
48. Applying probabilistic mathematics and machine learning to
cyber threat discovery
Sam Alderman-Miller
Account Manager
Sam.alderman-miller@darktrace.com
54. Enterprise Immune System Approach
• Self-learning – develops mathematical models of normal behaviour
• Understands behaviour – for every individual user, device and the enterprise as a whole
• Adaptive – constantly calculates probabilities based on evolving evidence
• Real-time – detects threats as they happen
55. Conclusion
• Sophisticated Threat Detection
• Threat is inside and always will be
• Traditional approaches are insufficient
• Threats are constantly evolving
• Using Machine Learning for ‘Immune System’ Defence
• Does not need to know what ‘bad’ looks like in advance
• Learns normal and abnormal behaviours in real time
• Detects threats that bypass traditional security controls
• Provides complete visibility into your network
104. Who are ZoneFox?
• Cyber security focussed on directly monitoring and protecting your data
• Customers in software, gaming, asset management, hi-tech manufacturing and online gambling…
107. Your top-performing team…
“Did I mention that I am leaving next week?”
“I’ve just been offered a job with our biggest competitor.”
“I’m really annoyed that I didn’t get that promotion.”
108. Sssshhhhh – Don’t tell anybody but I have
this embarrassing problem
• Vormetric Insider Threat Report:
• Only 11% of respondents felt that their
organization was not vulnerable to insider
attacks
• Globally, 89% of respondents felt that their
organization was now more at risk from an
insider attack
• 34% felt very or extremely vulnerable.
109. What and where are people stealing data
• Top theft locations
• Databases (49%)
• File Servers (39%)
• Top Data stolen
• Customer Lists
• Contracts
• Sensitive commercial data
• R&D
110. Leavers – this is hypothetical, right?
• Leavers are insiders and therefore you
have an insider threat challenge
• Mostly existing security is “outward-looking”
• Has it worked?
111. The Cost of a Breach
• Cost of a breach comes from two things:
- Time taken to discover it
- Cost of investigating and remediating
• Verizon Data Breach Report 2015 – “growing
‘detection deficit’ between attackers and
defenders.”
• This ‘detection deficit’ means that a typical breach
will take ~200 days to discover
• If you discovered that, how much effort would
have to be spent investigating?
112. But breaches are a US thing…
• 90% of large organisations breached (up from 81%)
• 74% of smaller organisations (up from 60%)
113. Cost of a breach
• Large organisation: £1.46M – £3.14M (was £600k – £1.15M)
• Smaller organisation: £75k – £311k (was £65k – £115k)
114. Staff related security breaches
(source: PwC/BIS 2015 Information Security Breaches Survey)
• 75% of large organisations
• 31% of smaller organisations
115. But I have a load of defences…
[Diagram: “External Protection” ringing “My Organisation”, with unanswered questions inside: Who? When? Why didn’t I know at the time?]
116. Why Gardening Leave (and what is it?)
• “an employee's suspension
from work …typically to
prevent them from
…accessing confidential
information.”
• Use it to protect from
‘poaching’ of customers, etc
118. The Financial Costs of Insider Data Theft
• £30,000 – research from the legal firm EMW indicated that small businesses typically incur this cost for legal work in an insider theft (2012 research)
• ? – the value of the data stolen
• The number of High Court cases relating to the theft of confidential information by insiders (employees) increased by 250% between 2010 and 2012.
121. What did they try to steal
• 182,000 Files:
• Results of confidential product testing
• CAD designs for prototypes and new products
• Bills of Materials for new designs
• Printed Circuit board designs
• Contracts and agreements with research and
manufacturing partners.
• The value?
£10 million
122. What went wrong?
• Technical controls and HR Processes broke
down
• Lack of visibility of the endpoint
• Leaving processes (including gardening
leave) were too late
• Stolen data was collected in advance of
submitting resignation.
123. What are the alternatives?
[Diagram: “External Protection” around “My Organisation”]
124. Incident Response for a leaver
• Global company
• Unusual behaviour – times, locations, volumes, etc
• Theft followed by taking laptop home
• Senior Legal.
• Incident response ~4 hours
How long would it
take you?
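The “Enterprise Immune System” slides (models of normal behaviour per user, probabilities updated on evolving evidence) and this leaver case (unusual times, locations and volumes) both describe behavioural baselining. The block below is an added Python example of that idea, written for this page rather than taken from Darktrace, ZoneFox or the speakers: it maintains an online per-user baseline of bytes transferred and hours of activity over constructed file-server log lines, and flags the one event that departs from both. The log format, the user names, the thresholds and the `MIN_HISTORY` warm-up are my assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Added example: per-user online baselining of file-server activity.
# Two signals are learned for each user: bytes transferred per event (running
# mean and variance, Welford's method) and the hours of day they are active.

MIN_HISTORY = 5    # events seen for a user before we start judging them (assumption)
Z_THRESHOLD = 3.0  # volume more than three standard deviations above the user's mean


class Baseline:
    """Online model of one user's normal behaviour; no event history is stored."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0
        self.hours = [0] * 24

    def update(self, value, hour):
        # Welford's algorithm: each observation refines mean/variance in place,
        # which is what makes the model adapt continuously rather than in batches.
        self.n += 1
        delta = value - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (value - self.mean)
        self.hours[hour] += 1

    def stdev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, value):
        sd = self.stdev()
        if sd == 0.0:
            return 0.0 if value == self.mean else float("inf")
        return (value - self.mean) / sd

    def hour_is_unusual(self, hour):
        return self.hours[hour] == 0


def parse(line):
    """Constructed format: '<ISO timestamp> <user> <server> <bytes transferred>'."""
    ts, user, server, size = line.split()
    return datetime.fromisoformat(ts), user, server, int(size)


def detect(lines):
    """Return (user, timestamp, bytes, reasons) for every event judged abnormal."""
    baselines = defaultdict(Baseline)
    alerts = []
    for line in lines:
        ts, user, _server, size = parse(line)
        b = baselines[user]
        reasons = []
        if b.n >= MIN_HISTORY:          # no verdicts until the baseline has warmed up
            z = b.zscore(size)
            if z > Z_THRESHOLD:
                reasons.append(f"volume z={z:.1f}")
            if b.hour_is_unusual(ts.hour):
                reasons.append(f"unusual hour {ts.hour:02d}:00")
        if reasons:
            alerts.append((user, ts.isoformat(), size, reasons))
        # Every event is new evidence. A production system would down-weight or
        # quarantine alerted events so an attacker cannot "teach" the baseline.
        b.update(size, ts.hour)
    return alerts


# Constructed sample: two users over two working days, then one late-night bulk pull.
SAMPLE_LOG = [
    "2016-04-18T08:40:02 bob fs01 500000",
    "2016-04-18T09:05:11 alice fs01 2100000",
    "2016-04-18T09:30:45 bob fs01 700000",
    "2016-04-18T10:15:09 alice fs01 3400000",
    "2016-04-18T10:50:33 bob fs01 600000",
    "2016-04-18T11:20:58 alice fs01 2800000",
    "2016-04-18T13:05:14 bob fs01 550000",
    "2016-04-18T14:45:27 alice fs01 4100000",
    "2016-04-18T15:30:40 bob fs01 650000",
    "2016-04-18T16:10:03 alice fs01 3000000",
    "2016-04-19T08:35:19 bob fs01 620000",
    "2016-04-19T09:12:44 alice fs01 2600000",
    "2016-04-19T10:40:21 alice fs01 3900000",
    "2016-04-19T14:20:36 alice fs01 3300000",
    "2016-04-19T23:14:07 alice fs01 900000000",
]

if __name__ == "__main__":
    for user, ts, size, reasons in detect(SAMPLE_LOG):
        print(f"ALERT {ts} {user} {size} bytes: {', '.join(reasons)}")
```

The point of the two signals together is the slide's "times, locations, volumes": a 900 MB pull during the day, or a small read at 23:00, each rates one reason, but a bulk transfer at an hour the user has never worked rates both and belongs at the top of the queue.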
125. Key takeaways
- Compromise is highly likely
- People steal data before they
resign
- Protect your inside too - the
threat is as likely (if not more
likely) to come from inside your
organisation.
- Focus on reducing cost by
detecting threats sooner and
responding quickly
128. The New European Framework
for Data Protection
- state of play?
Per Johansson
Edinburgh, 21 April 2016
129. Who am I?
– Swedish lawyer
– Industry consultant
– European Data Protection Supervisor (EDPS)
– European Parliament - Scotland
130. The European Parliament in the
Member States
The European Parliament operates an ‘Information Office’ in
the national capitals of all 28 EU Member States.
Since 1999, it has also operated a smaller 'branch' office in
the larger Member States, opening offices in Barcelona,
Edinburgh, Marseilles, Milan, Munich & Wrocław (2011).
131. The European Parliament Office in Scotland
aims to increase awareness of the
Parliament and the impact of its activities in
Scotland, as well as highlighting the work
of the six Scottish Members of the European
Parliament (MEPs).
132. General remarks
Reasons for reform
• Technological change
• Legal certainty
• Harmonisation in the internal market
• Need for change in the area of police and judicial
cooperation
• Global dimension
→ Regulation for general principles
Directive for law enforcement
133. General remarks – the EU DP reform:
• Enhances harmonisation of data protection
• Reinforces position and rights of data subject
• Strengthens responsibility of data controller
• Strengthens supervision and enforcement
134. The legislative procedure
• The “Ordinary” legislative procedure
– Commission proposals – January 2012
– Joint legislative responsibility between European Parliament and Council of Ministers
– “Readings”
– Negotiations between three institutions
= Changes all the way
135. Where are we now?
• Council (final) agreement October 2015
• Plenary vote EP 14 April 2016 = LAW
• Entry into force 20 days after publication in the EU
Official Journal
• Regulation – MS law 2 years after entry into force.
• Directive – 2 year implementation deadline for MS
• Directive only applicable to those measures where
the UK has opted in.
136. Scope
Territorial scope:
- An establishment of a controller or processor
within EU, regardless of where the processing
takes place
- ‘Offering of goods and services to’ or ‘monitoring
behaviour of’ data subjects in the EU
137. Data controllers/processors
Security of processing (32)
Implementation of appropriate technical and organisational measures, such as:
- Pseudonymisation and encryption
- Systems functionality, restoration and regular testing
- Assessment of the security level
- Risks
138. Data controllers/processors
Designation of data protection officers (37 onwards)
Where:
- Public authority or body
- Core activity = regular and systematic monitoring of data
subjects
- large scale of special categories of data
Tasks:
- Inform and advise
- Monitor the implementation
- Contact point
139. Data controllers/processors
Notification of data breaches (33)
Controller notification to the supervisory authority
within 72 hours
Processor shall notify controller
Data protection Impact assessment (35)
New tech, high risk to rights and freedoms of natural persons
140. Data controllers/processors
Strengthen responsibilities of the controller
→ Accountability (24 onwards):
- “measures to ensure and demonstrate
compliance with the Regulation”
- Where proportionate “implementation of appropriate data
protection policies”
141. Data controllers/processors
Information and communication
- Concise, transparent, intelligible, easily accessible, clear
and plain language (12)
- Procedures and mechanisms (12)
- Content of the information (13, 14)
142. Data controllers/processors
Data protection by design and by default (25)
Documentation – Records in writing (electronic form)
(30)
Processors – Records of processing activities (30)
143. Supervision and Enforcement
– One stop shop – ‘main establishment’ (4(16), 56)
– Consistency mechanism (63 onwards)
• Cooperation between authorities and COM
– European Data Protection Board (68)
– Sanctions (83)
• Up to € 20M or 4% of annual worldwide turnover
144. Data subjects
Definition of consent (7)
- Controller burden of proof - demonstrate
- Distinguishable – in plain language
- Withdrawal
145. Data subjects
“Right to be forgotten” (17)
– Erasure without undue delay
– Reasonable steps to inform other controllers
» Available tech and cost of implementation
146. Data subjects
Profiling (22)
Only if:
- Performance of a contract + safeguards
- Union or Member State law
- Explicit Consent of the data subject +
safeguards
And : not based solely on special categories of
data
147. Thank you for your attention
epedinburgh@ep.europa.eu
EDPS website on DP reform:
http://www.edps.europa.eu/EDPSWEB/edps/cache/off/Consultation/Reform_package
160. Cyber Crystal Balls
How threat intelligence can prevent data breaches and other cyber attacks – and how you can get and apply some of this stuff
Scott Barnett, Cyber & Fraud Intelligence Lead
162. What is intelligence?
A tool for decision making: information + analysis + inferences = intelligence
• Planning – intelligence requirements
• Collection – of information and monitoring for triggers
• Analysis – turning information into intelligence
• Dissemination – delivering to the right people at the right time
• Feedback – re-evaluating requirements, taking stock
Our mission: to provide forewarning of security threats to RBS to minimise harm to our customers, staff, and business
163. What is a threat?
Harmful outcomes resulting from an entity’s actions in pursuit of its goals.
• Intent (harmful agents’ intentions) + Capability (tools, tactics and procedures (TTPs)) = INHERENT THREAT
• Exposure (how exposed your business is to these actions) + Vulnerability (any vulnerability that makes harmful outcomes more likely) = RESIDUAL THREAT
Source: CBEST framework
164. What can threat intelligence do for you?
• Forecast – provide a forecast of the bank’s strategic threat landscape
• Link – join the dots between strategic and operational threats
• Context – contextualise big ticket events in terms of what they mean for RBS – so what?
• Identify – identify new and emerging threats and attack techniques
• Collect – collect external information and fuse it with internal sources
• Deliver – proportionate, timely, actionable intelligence
197. $ WHOAMI
MIKEY & KYLE
▸ 2nd BSc Ethical Hacking @ Abertay University, Dundee
▸ Work for Scottish Business Resilience Centre (SBRC)
▸ OSINT, Footprinting, Outreach
▸ Mikey: Cryptography, Defence, Counter-terrorism
▸ Kyle: OSINT, Footprinting, Counter-terrorism
198. THE ORDER, UNLESS WE GET SIDETRACKED
WHAT’S ALL THIS THEN?
1. Staying Updated
2. Data Protection, Encryption & Backups
3. Passwords
4. Phishing Emails & Malicious Websites
5. Social Media
199. SECURITY IS A PROCESS, NOT
A PRODUCT.
Bruce Schneier, April 2000
THREAT MODEL 101
203. DON’T BE AN EASY TARGET
UPDATES MATTER
▸ Will protect you against a lot of threats
▸ Low effort → high reward
▸ Windows 10, 8.1, 8, 7 get security updates
▸ Windows XP doesn’t get any updates
▸ OS X 10.11 (El Capitan), 10.10 (Yosemite), 10.9
(Mavericks) get security updates
208. BACKUP THE BACKUPS
BACKUPS WILL SAVE YOUR BUSINESS
▸ Will save you time & money
▸ Onsite & Offsite backup
▸ Daily, Weekly, Monthly
▸ Easy to restore in event of a disaster
225. MASK ATTACK
JULIA1984
‣ (26 + 26 + 10)^9 = 62^9 ≈ 13 × 10^15 = 13 quadrillion candidates @ 100M/s
‣ The above password matches a simple but common pattern: a name with a year appended to it.
‣ We can also configure the attack to try the upper-case letters only on the first position.
‣ Down to 370 Billion combinations @ 100M/s
http://hashcat.net/wiki/doku.php?id=mask_attack
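To turn the arithmetic on this slide into something reusable for password-policy discussions: an added Python example (mine, not the speakers' and not hashcat's code) that sizes the keyspace of a hashcat-style mask and the worst-case time to exhaust it at a given guess rate, then does the same for a word-list passphrase of the kind the Intercept link at the end of the deck recommends, which is the reason "long passwords, don't worry about complexity" holds. The masks, the 100M/s rate and the 7,776-word list size (the Diceware list) are assumptions; the mask I use for the "upper-case only in first position" variant is my reading of the slide, so its total is for that mask.

```python
# Added example: keyspace and exhaustion-time estimates for hashcat-style masks,
# plus the equivalent for a word-list passphrase, for comparing password shapes.

# Sizes of hashcat's built-in charsets (only the sizes matter here).
CHARSETS = {
    "?l": 26,  # lower-case letters
    "?u": 26,  # upper-case letters
    "?d": 10,  # digits
    "?s": 33,  # printable ASCII punctuation/specials
    "?a": 95,  # all printable ASCII
}

SECONDS_PER_YEAR = 365 * 86400


def mask_keyspace(mask, custom=None):
    """Number of candidates a mask generates.
    custom maps user-defined placeholders (e.g. "?1") to the size of their charset;
    any other character in the mask is a literal with exactly one possibility."""
    sizes = dict(CHARSETS)
    if custom:
        sizes.update(custom)
    total = 1
    i = 0
    while i < len(mask):
        token = mask[i:i + 2]
        if token in sizes:
            total *= sizes[token]
            i += 2
        else:
            i += 1  # literal character: one choice, keyspace unchanged
    return total


def passphrase_keyspace(words_in_list, word_count):
    """Candidates for a passphrase of word_count words drawn from a public list."""
    return words_in_list ** word_count


def seconds_to_exhaust(keyspace, rate_per_second):
    """Worst case: every candidate tried once at the given guess rate."""
    return keyspace / rate_per_second


def human_time(seconds):
    """Largest convenient unit, one decimal place."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(label, keyspace, rate_per_second):
    """One summary line: label, keyspace, and time to exhaust it."""
    return f"{label:<32} {keyspace:>26,d}  {human_time(seconds_to_exhaust(keyspace, rate_per_second))}"


if __name__ == "__main__":
    RATE = 100_000_000  # 100M guesses/second, the figure used on the slide (assumption)
    # Custom charset ?1 = ?l?u?d, i.e. the slide's (26 + 26 + 10) per position.
    cases = [
        ("9 chars, letters+digits anywhere", mask_keyspace("?1?1?1?1?1?1?1?1?1", {"?1": 62})),
        ("Name+year, capital first only", mask_keyspace("?u?l?l?l?l?d?d?d?d")),
        ("Known name, year only", mask_keyspace("Julia?d?d?d?d")),
        ("9 chars, full printable ASCII", mask_keyspace("?a?a?a?a?a?a?a?a?a")),
        ("6 Diceware words (7,776 list)", passphrase_keyspace(7776, 6)),
    ]
    for label, space in cases:
        print(report(label, space, RATE))
```

The lesson is in the comparison, not any single number: the same nine characters fall from years to minutes once their shape is known, a literal name leaves only the year to guess, and six words from a published 7,776-word list are out of reach at the same rate even though the attacker has the whole list.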
228. REDUCE THE NUMBER OF PASSWORDS YOU NEED TO KNOW
PASSWORD MANAGERS
▸ LastPass (all platforms) (cloud based)
▸ 1Password (all platforms, best on Apple) (Dropbox sync)
▸ Demo!
▸ Auto-fill in the browser (Chrome, Firefox, Safari)
▸ Generate unique long passwords for each site
229. IF YOU DO ANYTHING, PLEASE DO THIS!
TWO FACTOR AUTHENTICATION (2FA)
▸ twofactorauth.org
▸ Google Authenticator
▸ Authy
▸ YubiKeys
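Google Authenticator and Authy both implement the TOTP algorithm (RFC 6238): a shared secret, the current 30-second time step, an HMAC, and a six-digit truncation. The block below is an added Python example written for this page, not code from either app or from the speakers; it generates codes and shows the verifier-side check a service needs (a one-step window for clock drift and a constant-time comparison). The secret used is the RFC 6238 test key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example: RFC 4226 HOTP and RFC 6238 TOTP, as used by authenticator apps,
# with the server-side verification that must accompany them.

STEP = 30    # seconds per time step (authenticator-app default)
DIGITS = 6   # code length shown by the app


def hotp(secret, counter, digits=DIGITS, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                                   # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret, at_time, step=STEP, digits=DIGITS, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits, algorithm)


def verify_totp(secret, submitted, at_time=None, window=1, step=STEP, digits=DIGITS):
    """Server-side check. Accepts the current code or one step either side so a
    slightly skewed phone clock still works; compares in constant time so the
    response timing does not leak how many digits matched."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def provisioning_secret(secret):
    """Base32 form of the shared secret, the string a user types into or scans
    (inside an otpauth:// QR code) with an authenticator app during enrolment."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # RFC 6238 test key (constructed by the RFC, not a real credential).
    secret = b"12345678901234567890"
    print("enrolment secret:", provisioning_secret(secret))
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "valid:", verify_totp(secret, code, at_time=now))
```

Two things the app-side demo on the slide does not show but a service must get right: the window should stay small (one step is enough for drift; a wide window multiplies an attacker's odds of guessing), and a code that has been accepted once should not be accepted again within the same step, which means recording the last used counter per user.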
234. SCOT-SECURE
REAL OR FAKE
▸ Padlock
▸ URL
▸ How did you get there?
▸ Apply common sense
▸ Browser extensions
▸ HTTPS Everywhere
▸ uBlock Origin
[Screenshots: padlock and URL indicators in Safari, Chrome and Firefox]
239. PASS THESE ON
THINK ABOUT THESE THINGS, PLEASE?
▸ Update, backup and encrypt your devices
▸ Encrypt the most critical sensitive information
▸ If you can encrypt it all, Full Disk Encryption
▸ Long passwords, don't worry about complexity
▸ Get a password manager (LastPass & 1Password)
▸ Use Google Chrome, if you can
▸ Think about how you got to the site, did you expect the email?
240. LAST CHANCE
THE LINKS
▸ Chrome security usability: youtu.be/XfFjde0UPbY
▸ Very strong passwords: theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
▸ Which sites use Two Factor Auth: twofactorauth.org