Scotland's 2nd Annual Cyber Security Conference, attended by 190 Infosec & Business Leaders 21st April 2016.

1. #scotsecure
Welcome to

2. #scotsecure
Mark Stephen
BBC Scotland

3. www.mobile-scotland.com
2nd Annual Mobile Scotland
26th May Edinburgh

4. www.scot-cloud.com
3rd Annual Scot-Cloud
21st June Edinburgh

5. #scotsecure
DI Eamonn Keane
Police Scotland

6. Investigating Cybercrime in the UK
Be the Hunter!!
Cybercrime / DI Eamonn Keane
Specialist Crime Division

7. Agenda
Scottish , UK & Global Perspective!
The current threat landscape!
Incident Planning & Response!.
Prevention.
“cotla d’s future.
Signposting.

8. Key questions that all CEOs and CISOs should
be asking this week?
• "Are we vulnerable to SQL injection, ransomware or DDoS
ased atta ks?
• "What assurance activity have we done to confirm that
e are ot ul era le?
• "If we were compromised, would an attacker be able to
gai a ess to u e r pted se siti e data?
• "What assurance activity have we done to confirm this
position?"
• What is our o pa posture o se urit ?

10. Cybercrime Cost

12. Cyber Regional Organised Crime Units

13. Cybercrime!

14. Stalking
Bullying
Cyber Fraud
SOCG
Sexual Offenders
Indecent
images of
children
Cyber
dependent
crimes e.g.
hacking,
malware,
DDoS
Anti-socialbehaviour
CyberTerrorism
is impacting on the police response across
the full crime spectrum.

15. SOC
CYBER
ATTACKS
VOLUME
CYBERCRIME
• International highly skilled cyber-criminals, often working
together
• Responsible for 262,000 UK infections and losses > £500m
• Distributed Denial of Service (DDoS) – BBC, HSBC)
• Ransomware (Police Scotland, SPA)
• Data Theft and extortion (TalkTalk, Ashley Madison)
• 2.5 million cybercrimes in the UK annually
• Economic Crime
• Extortion
• Offences against children (CSE)

17. Your Title Here
1980’s Policing

18. I ca do ore da age o y laptop
in my pyjamas, before my first cup of
Earl Grey, than you can do in a year in
the field.
Q - Skyfall

20. Cyber Attacks are on the rise

23. Ransomware - Glasgow Hairdressers

25. ORGANISED CRIME

27. Five key cyber crime threats
• Malware targeting businesses & individual users for fraud.
APT s, ‘AT“,
• Network intrusion ('hacking') DDoS, XSS. Spear-phishing.
• Enablers of cyber dependent crime (e.g. money laundering /
digital currencies / anonymisation).
• C er ri e 'as a ser i e
• Targeted disruption of access to UK networked systems and
services (e.g. DDOS / Ransomware)

28. Old bugs come home to roost…
SHELLSHOCK – HEARTBLEED – DRIDEX –
CRYPTOWALL - POODLE… LOCKY

30. Virtual Currencies

31. http://www.mcafee.com/uk/resources/white-papers/wp-
Cybercrime-as-a-Service

32. Cyber Resilience is thorough Preparation
Overarching Cyber Security Strategy!
Pre-planned Exercise.
Incident Management & Response Plan.
Communications Strategy.
Investigative Strategy.
Incident Manager & Team
Gold, Silver, Bronze.
Mitigation & Recovery Strategy.
Logistics - Contingency

34. Security Incident Event Management &
Security Operations Centre

35. The layered approach!

36. Reconnaissance.

37. The threats are evolving, so must your
security tools.

38. Reporting of Cyber Incidents
• Incident evaluation and early reporting.
• Police Scotland 101 – Incident No. & Action Fraud.
• Business continuity and impact our prime consideration.
• ICT response and mitigation. Scene preservation?
• Where possible preserve original copies of emails, attachments,
device images and logs.
• Is there a mandatory obligation to report?
• Report to Cert UK / GovCert UK .
• Report to Scottish Government if appropriate.
• Identify point of contact for law enforcement to facilitate enquiries
and evidence gathering.
• Submit attack details to CISP platform if appropriate share.cisp.org.uk
(can assist with mitigation and fix)

40. Cyber Essentials &
Cyber Essential Plus
Cyber Essentials concentrates on five key controls.
These are:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management

42. Our priorities
Education &
Awareness
Partnerships
Develop
Capacity &
Capability
Detect &
Prosecute
Offenders

45. The Future
Industry
Academia &
Law
Enforcement
National
Cyber
Centre -
GCHQ
?£1.9 billion UK
Government
investment in
Cyber by 2020
Scottish
Cyber
Centre

46. Thank you for listening
Any Questions?
Eamonn.keane2@scotland.pnn.police.uk

47. #scotsecure
Sam Alderman-Miller
Darktrace

48. Applying probabilistic mathematics and machine learning to
cyber threat discovery
Sam Alderman-Miller
Account Manager
Sam.alderman-miller@darktrace.com

54. Enterprise Immune System Approach
Self-learning
Develops mathematical models of normal
behavior
Understands behaviour
For every individual user, device and the
enterprise as a whole
Adaptive
Constantly calculates probabilities based on
evolving evidence
Real-time
Detects threats as they happen

55. Conclusion
• Sophisticated Threat Detection
• Threat is inside and always will be
• Traditional approaches are insufficient
• Threats are constantly evolving
• Using Machine Learning for ‘Immune System’ Defence
• Does not need to know what ‘bad’ looks like in advance
• Learns normal and abnormal behaviours in real time
• Detects threats that bypass traditional security controls
• Provides complete visibility into your network

56. Thank You

57. #scotsecure
Colin Keltie
Standard Life

58. #scotsecure
Questions &
Discussion

59. #scotsecure
Breakout Details on
Back of Badge

60. ©2015 Check Point Software Technologies Ltd. 60©2015 Check Point Software Technologies Ltd.
Moving from detection
to prevention in the
real world
Aatish Pattni
Head of Threat Prevention, Northern Europe
CHECK POINT

61. ©2015 Check Point Software Technologies Ltd. 61©2015 Check Point Software Technologies Ltd.
Available
Skills
END USERS
STAKEHOLDERS
YOUR NETWORK
YOUR
SECURITY
POSTURE
3rd
Parties Vendors

62. ©2015 Check Point Software Technologies Ltd. 62
COST OVER TIME:CostofBreach
Direct loss: $162,000,000
Estimated indirect loss: >$1
Billion
The financial impact GROWS dramatically with
TIME

63. ©2015 Check Point Software Technologies Ltd. 63
Businesses Are Not Immune

64. ©2015 Check Point Software Technologies Ltd. 64
NEXT GENERATION
MALWARE
HIDDEN
POLYMORPHIC
SOPHISTICATED
AND PROGRAMMABLE
USES MULTIPLE
ENTRY POINTS

65. ©2015 Check Point Software Technologies Ltd. 65
NEXT GENERATION ACTORS
ADOPT CLOUD
LEVERAGE COMMUNITIES
USE AGILE PROGRAMMING
OUTSOURCE

66. ©2015 Check Point Software Technologies Ltd. 66
THE REST OF 2016
THEFT
DISRUPTION
SUPPLY CHAIN ATTACKS
INDUSTRIAL ESPIONAGE
NATION-STATE
NEW THREAT ACTORS
RANSOMWARE
BOTS
PHISING
LISTENERS

67. ©2015 Check Point Software Technologies Ltd. 68
WE KNOW…
Some Infections Will Inevitably Happen
2,122
CONFIRMED
DATA BREACHES
79,790
SECURITY
INCIDENTS
How Can We Efficiently Respond?
Source: Verizon: 2015 Data Breach

68. ©2015 Check Point Software Technologies Ltd. 69
How do we
PREVENT unknown
malware entering
the network?

69. ©2015 Check Point Software Technologies Ltd. 70
SECURED
GATEWAY OR END POINT
MINIMISE END USER DISRUPTION

70. ©2015 Check Point Software Technologies Ltd. 71
DAILY UPDATES
FROM 150,000+
CUSTOMERS
10,000,000
Bad-Reputation
Events
700,000
Malware
Connections
Events
30,000
Malware
Files
Events

71. ©2015 Check Point Software Technologies Ltd. 72
How do we
RESPOND with the
people we have?

72. ©2015 Check Point Software Technologies Ltd. 73
DO YOU UNDERSTAND THE ATTACK?
54%
43%
63%
41%
32% 33%
0%
10%
20%
30%
40%
50%
60%
70%
Who Attack
Method
Where When Why Defense
Method
Source: Ponemon: Threat Intelligence & Incident Response: A Study of U.S. & EMEA
Organizations: February 2014
% do t
know how
to defend

73. ©2015 Check Point Software Technologies Ltd. 74
LOOK INSIDE THE MACHINE
Automatically
Analyse
Triggers
Create
Actionable
Insights
Remediate
Record all End Point Activity

74. ©2015 Check Point Software Technologies Ltd. 75
Summary
Detail
How Did the Malware Get In?

75. ©2015 Check Point Software Technologies Ltd. 76
Investigation Trigger
Identify the process
that accessed the
C&C server
Identify Attack
Origin
Chrome exploited
while browsing
Dropped
Malware
Dropper
downloads and
installs malware
Exploit Code
Dropper process
launched by
Chrome
Activate Malware
Scheduled task
launches after
boot
Attack traced even
across system
boots

76. ©2015 Check Point Software Technologies Ltd. 77
Malicious
Activities
Drill-Down
Detail
Severity
Is There an Infection?
UNDERSTAND THE INCIDENT

77. ©2015 Check Point Software Technologies Ltd. 78
FROM UNDERSTANDING TO ACTION
Generate
Remediatio
n Script
How Should You Respond? How Can You
Clean it?

78. ©2015 Check Point Software Technologies Ltd. 79
Incident
Understanding
Visibility
Immediate Content
Delivery
Prevention
TO DEAL WITH UNKNOWN THREATS

79. ©2015 Check Point Software Technologies Ltd. 80
Unprecedented protection against targeted
attacks & unknown malware
Sandboxing
Evasion-
resistant
malware
protection
Extraction
Immediate
delivery of
cleaned
content
Forensics
Automated
analysis &
remediation

80. ©2015 Check Point Software Technologies Ltd. 82©2015 Check Point Software Technologies Ltd.
Aatish Pattni | Head of Threat Prevention,
Northern Europe
THANK YOU
apattni@checkpoint.com
uk.linkedin.com/in/aatishpattni
@TishPattni

81. Protecting your business,
brand, and customer
experience from modern
malware
Martin Budd
Security Sales Manager - UKISSA

82. © F5 Networks, Inc 84
Application evolution vs business
challenges
Web
based
Mobile Cloud API
Agile code
development
Skills
shortgae
Advanced
threats
Risk now
stopping
innovation

83. © F5 Networks, Inc 85
Why is the risk from malware
and fraud increasing ??

84. © F5 Networks, Inc 86
Browser is the Weakest Link
End point risks to “Data In Use”
HTTP/HTTPS
Secured
Data center
WAF
HIPS
Traffic
Management
NIPS
DLP
Network
firewall
SIEM Leveraging
Browser
application
behavior
• Caching content, disk
cookies, history
• Add-ons, Plug-ins
Manipulating user
actions:
• Social engineering
• Weak browser
settings
• Malicious data theft
• Inadvertent data loss
Embedding
malware:
• Keyloggers
• Framegrabbers
• Data miners
• MITB / MITM
• Phishers / Pharmers
Hmmmm…Customer Browser

85. © F5 Networks, Inc 87
HaaS

86. © F5 Networks, Inc 88
Is the Security Perimeter Dead?
application
endpoint

87. © F5 Networks, Inc 89
The Application Perimeter/Protection
Network Threats Application Threats
of attacks are
focused here
25%
of security
investment
90%
of attacks are
focused here
75%
of security
investment
10%

88. © F5 Networks, Inc 90
Endpoint Perimeter/Protection
Traditional enterprise perimeter Customer protection
Protection
MDM, AV, Proxy, Sandbox
>90
% Protection
<10
%

89. © F5 Networks, Inc 91
Old rope for new money!
Malware InfectionCredential Acquisition
Transaction Manipulation

90. © F5 Networks, Inc 92
Man In
The Browser
Credential/Information
Mobile
Malware
Transaction
/Credential
Form
Grabbing &
Keyloggers
Credential/
Information
Man In
The Middle
Transaction
RAT and
Back Connect
Transaction
Modern malware using new techniques to achieve age old
objectives
A problem for banks and enterprises alike

91. © F5 Networks, Inc 93
Traditional malware detection
• Focused on enterprise boundary and employees
• Based on signature detection
• Focused identifying cause not effect
• Reactive not pro-active
• Sandboxes etc – patient zero
• Analyzes browser for traces of common malware (i.e., Zeus, Citadel, Carberp, Hesperbot, Dyre, …
`

92. 61%
of breaches are caused by stolen credentials

93. © F5 Networks, Inc 95
How Phishing Works
The attacker access
the real web page
The attacker saves a
copy of the web pages
to their own web server
The attacker sends a phishing
request to many victims
The victim visits what they
think is a legitimate site but
is actually the phishing site
The victim provides
confidential data directly
to the hacker
So how can we protect ourselves?

94. © F5 Networks, Inc 96
Web injection
So how can we protect ourselves?

95. © F5 Networks, Inc 97
Credential /Form Grabbing
The victim is infected
with malware
The victim makes a secure
connection to a web site
This triggers to
malware to run
The victim enters data
into the web form
This content can be
stolen by the malware
The victim submits
the web form
The information is encrypted
and sent to the web server
The information is also sent
to the drop zone in clear text
Password
revealer
icon
So how can we protect ourselves?

96. © F5 Networks, Inc 98
• Uniquely analyzes user interaction with the browser
• Detects automatic transaction
• Ensure integrity of transaction data
• Trigger alerts upon detecting non-human behavior
Automatic Transaction Detection – MITM
MY BANK.COM
• Gather client details related to
the transaction
• Run a series of checks to
identify suspicious activity
• Assign risk score to transaction
• Send alert based on score
My Bank.com

97. © F5 Networks, Inc 99
What do businesses need?
Clientless solution,
enabling 100%
coverage
Protect Online User
Desktop, tablets &
mobile devices
On All Devices
No software or user
involvement required
Full Transparency
Targeted malware,
MITB, zero-days,
MITM, phishing
automated
transactions…
Prevent Malware
attacks and Fraud Alerts and
customizable rules
In Real Time

98. © F5 Networks, Inc 100
F5’s Comprehensive Approach
Malware Detection
Advanced Phishing
Detection
Application Layer
Encryption
Automatic Transaction
Detection

99. © F5 Networks, Inc 101
APPLICATIONACCESS
Enterprise
Mobility Gateway
Access
Federation
Remote Access
App Access
Management
Secure Web
Gateway
Application Protection Capabilities
Protecting your applications
regardless of where they live
Securing access from
any user on any device
Strongest set of application
security controls that reduce risk
APPLICATIONPROTECTION
IP Intelligence
Web Fraud
Protection
Hybrid WAF
SSL Inspection
DDoS Protection
DNS Security
Network Firewall

100. © F5 Networks, Inc 102
Application evolution vs business
challenges
Web
based
Mobile Cloud API
Enable Agile
code
development
Reduce skills
required
Increase
protection
against
Advanced
threats
Enable
innovation

102. Gardening Leave
Will it help to weed out the bad guys?

103. Background
Matt Little
CTO, ZoneFox

104. Who are ZoneFox?
• Cyber Security focussed on directly
monitoring and protecting your data
• Customers in Software Gaming, Asset
Management, Hi-Tech Manufacturing
and Online Gambling…........

105. Our Customers

106. Leavers and the Problem
with Gardening Leave

107. Did I mention
that I am leaving
next week?
I e just ee
offered job with
our biggest
competitor
I reall
annoyed that I
did t get that
promotion
Your top-performing team…..

108. Sssshhhhh – Don’t tell anybody but I have
this embarrassing problem
• Vormetric Insider Threat Report –
• Only 11% of respondents felt that their
organization was not vulnerable to insider
attacks
• Globally, 89% of respondents felt that their
organization was now more at risk from an
insider attack
• 34% felt very or extremely vulnerable.

109. What and where are people stealing data
• Top theft locations
• Databases (49%)
• File Servers (39%)
• Top Data stolen
• Customer Lists
• Contracts
• Sensitive commercial data
• R&D

110. Leavers – this is hypothetical, right?
• Leavers are insiders and therefore you
have an insider threat challenge
• Mostly existing security is “Outward-
looking”
• Has it worked?

111. The Cost of a Breach
• Cost of a breach comes from two things:
- Time taken to discover it
- Cost of investigating and remediating
• Verizon Data Breach Report 2015 – “growing
‘detection deficit’ between attackers and
defenders.”
• This ‘detection deficit’ means that a typical breach
will take ~200 days to discover
• If you discovered that, how much effort would
have to be spent investigating?

112. But Breaches are a US thing…......
90%large organisations breached (up from 81%)
74%smaller organisations (up from 60%)

113. Cost of a breach
£1.46 - £3.14M
large organisation (was £600k – £1.15M)
£75 - £311ksmaller organisation (was £65k - £115k)

114. Staff related security breaches
(source PWC/BIS’ 2015 Information Security Breaches Survey)
75%large organisations
31%smaller organisations

115. But I have a load of defences….....
External Protection
Who?
When?
Why did ’t
I know at
the time?
?
? ?
My Organisation

116. Why Gardening Leave (and what is it?)
• “an employee's suspension
from work …typically to
prevent them from
…accessing confidential
information.”
• Use it to protect from
‘poaching’ of customers, etc

117. Does it protect your data?

118. The Financial Costs of Insider Data Theft
£30,000
Research from the legal firm EMW indicated that small
businesses typically incur this cost for legal work in a insider
theft (2012 research)
?
The value of the data stolen
The number of High Court cases relating to the theft of
confidential information by insiders (employees)
increased by 250% between 2010 and 2012.

119. A real-life example from ZoneFox

121. What did they try to steal
• 182,000 Files:
• Results of confidential product testing
• CAD designs for prototypes and new products
• Bills of Materials for new designs
• Printed Circuit board designs
• Contracts and agreements with research and
manufacturing partners.
• The value?
£10 million

122. What went wrong?
• Technical controls and HR Processes broke
down
• Lack of visibility of the endpoint
• Leaving processes (including gardening
leave) were too late
• Stolen data was collected in advance of
submitting resignation.

123. What are the alternatives?
External Protection
My Organisation

124. Incident Response for a leaver
• Global company
• Unusual behaviour – times, locations, volumes, etc
• Theft followed by taking laptop home
• Senior Legal.
• Incident response ~4 hours
How long would it
take you?

125. Key takeaways
- Compromise is highly likely
- People steal data before they
resign
- Protect your inside too - the
threat is as likely (if not more
likely) to come from inside your
organisation.
- Focus on reducing cost by
detecting threats sooner and
responding quickly

126. #scotsecure
Welcome Back

127. #scotsecure
Per Johansson
European Parliament

128. The New European Framework
for Data Protection
- state of play?
Per Johansson
Edinburgh, 21 April 2016

129. Who am I?
– Swedish lawyer
– Industry consultant
– European Data Protection Supervisor (EDPS)
– European Parliament - Scotland

130. The European Parliament in the
Member States
The European Parliament operates an ‘Information Office’ in
the national capitals of all 28 EU Member States.
Since 1999, it has also operated a smaller 'branch' office in
the larger Member States, opening offices in Barcelona,
Edinburgh, Marseilles, Milan, Munich & Wrocław (2011).

131. The European Parliament Office in Scotland
aims to increase awareness of the
Parliament and the impact of its activities in
Scotland, as well as highlighting the work
of the six Scottish Members of the European
Parliament (MEPs).

132. General remarks
Reasons for reform
• Technological change
• Legal certainty
• Harmonisation in the internal market
• Need for change in the area of police and judicial
cooperation
• Global dimension
→ Regulation for general principles
Directive for law enforcement

133. The EU DP reform:
 Enhances harmonisation of data protection
 Reinforces position and rights of data subject
 Strengthens responsibility of data controller
 Strengthens supervision and enforcement
General remarks

134. • The “Ordinary” legislative procedure
– Commission proposals – January 2012
– Joint legislative responsibility between European Parliament and
Council of Ministers
– “Readings”
– Negotiations between three institutions
= Changes all the way
The legislative procedure

135. Where are we now?
• Council (final) agreement October 2015
• Plenary vote EP 14 April 2016 = LAW
• Entry into force 20 days after publication in the EU
Official Journal
• Regulation – MS law 2 years after entry into force.
• Directive – 2 year period of implementation dead-line
for MS
• Directive only applicable to those measures where
the UK has opted in.

136. Scope
Territorial scope:
- An establishment of a controller or processor
within EU, regardless of where the processing
takes place
- ‘Offering of goods and services to’ or ‘monitoring
behaviour of’ data subjects in the EU

137. Data controllers/processors
 Security of processing (32)
 Implementation of appropriate tech and org measures
 such as...
 Pseudonymisation and encryption
 Systems functionality, restoration and regular testing
 Assessment of the security level
 Risks

138. Data controllers/processors
 Designation of data protection officers (37 onwards)
Where:
- Public authority or body
- Core activity = regular and systematic monitoring of data
subjects
- large scale of special categories of data
Tasks:
- Inform and advise
- Monitor the implementation
- Contact point

139. Data controllers/processors
 Notification of data breaches (33)
 Controller notification to the supervisory authority
within 72 hours
 Processor shall notify controller
 Data protection Impact assessment (35)
 New tech, high risk to rights and freedoms to natural
persons

140. Data controllers/processors
Strengthen responsibilities of the controller
→ Accountability (24 onwards):
- “measures to ensure and demonstrate
compliance with the Regulation”
- Where proportionate “implementation of appropriate data
protection policies”

141. Data controllers/processors
 Information and communication
- Concise, transparent, intelligible, easily accessible, clear
and plain language (12)
- Procedures and mechanisms (12)
- Content of the information (13, 14)

142. Data controllers/processors
 Data protection by design and by default (25)
 Documentation – Records in writing (electronic form)
(30)
 Processors – Records of processing activities (30)

143. Supervision and Enforcement
– One stop shop – ‘main establishment’ (4(16), 56)
– Consistency mechanism (63 onwards)
• Cooperation between authorities and COM
– European Data Protection Board (68)
– Sanctions (83)
• Up to € 20M or 4% of annual worldwide turnover

144. Data subjects
 Definition of consent (7)
- Controller burden of proof - demonstrate
- Distinguishable – in plain language
- Withdrawal

145. Data subjects
 “Right to be forgotten” (17)
– Erasure without undue delay
– Reasonable steps to inform other controllers
» Available tech and cost of implementation

146. Data subjects
 Profiling (22)
Only if:
- Performance of a contract + safeguards
- Union or Member State law
- Explicit Consent of the data subject +
safeguards
And : not based solely on special categories of
data

147. Thank you for your attention
epedinburgh@ep.europa.eu
EDPS website on DP reform:
http://www.edps.europa.eu/EDPSWEB/edps/cache/off/
Consultation/Reform_package

148. #scotsecure
Wendy Goucher
Goucher Consulting

149. © Goucher Consulting Ltd, 2016
You get what you
Give
Cyber Security Communication reconsidered
Wendy Goucher
Information Security Specialist

150. © Goucher Consulting Ltd, 2016
Staff are your
“Human Firewall”
152

151. © Goucher Consulting Ltd, 2016 153
Fighting ‘Cyber’

152. © Goucher Consulting Ltd, 2016
• Clear, operationally effective policies,
procedures and controls.
• Good communication of the policies,
procedures and controls.
• A darn good reason why they should
follow them.
154
Secure operations
come from:

153. © Goucher Consulting Ltd, 2016 155
Wendy’s Wheels
Driver Induction Training
Policies, Procedures & Controls

154. © Goucher Consulting Ltd, 2016 156

155. © Goucher Consulting Ltd, 2016 157
Motivation

156. © Goucher Consulting Ltd, 2016 158
Your staff care

157. © Goucher Consulting Ltd, 2016
159
People care about their own security.
They won’t automatically care about yours if you don’t seem to.Think about the security message
you are really sending.

158. © Goucher Consulting Ltd, 2016
Thank you
Wendy Goucher

159. #scotsecure
Scott Barnett
Royal Bank of Scotland

160. Scott Barnett
Cyber & Fraud
Intelligence Lead
how threat intelligence can
prevent data breaches and
other cyber attacks – and how
you can get and apply some of
this stuff
Cyber Crystal Balls

161. what is
threat
intelligence?
163

162. 164
a tool for decision
making
information
+ analysis
+ inferences
=
Planning –
Intelligence
Requirements
Collection – of
information
and monitoring
for triggers
Analysis –
turning
information
into
intelligence
Dissemination
– delivering to
the right
people at the
right time
Feedback – re-
evaluating
requirements,
taking stock
what is intelligence?
Our mission: to provide forewarning of security threats to RBS
to minimise harm to our customers, staff, and business

163. Exposure
VulnerabilityCapability
Intent
what is a threat?
har ful age ts’
intentions
+
tools, tactics and
procedures (TTPs)
INHERENT THREAT
how exposed your
business is to these
actions
+
any vulnerability
that makes harmful
outcomes more
likely
RESIDUAL THREAT
har ful outco es resulti g fro a e tity’s actio s i pursuit of its goals
Source: CBEST framework
165

164. • Provide a forecast
of the a k s
strategic threat
landscape
Forecast
• Join the dots
between strategic
and operational
threats
Link
• Co te tualise ig
ti ket e e ts i
terms of what they
mean for RBS – so
hat?
Context
• Identify new and
emerging threats
and attack
techniques
Identify
• Collect external
information and
fuse it with
internal sources
Collect
• Proportionate,
timely, actionable
intelligence
Deliver
what can threat intelligence do
for you?
166

165. kill chains and
attacker
mindsets
167

166. 168

167. construct
threat
delivery
infection
manipulation
impact
botnet / tool
target
vulnerabilities
bandwidth
loss of service
DDoS
169

168. 170
2006

169. 171

170. 172

171. 173

172. 174
2010

173. 175

174. 176

175. 177
2016

176. 178

177. 179

178. 180

179. 181

180. 182

181. 183
how can threat
intelligence
help?

182. construct
threat
delivery
infection
manipulation
impact
botnet / tool
target
vulnerabilities
bandwidth
loss of service
DDoS
184

183. construct
threat
delivery
infection
manipulation
impact
early
warning
attack
scripts
rulesets
other
techniques
recovery
advice
botnet / tool
target
vulnerabilities
bandwidth
loss of service

184. construct
threat
delivery
infection
manipulation
impact
early
warning
threat
indicators
Technical
mitigants
situational
awareness
shared
experience

185. 187

186. 188

187. 189

188. 190

189. 191

190. 192

191. Scott Barnett
scott.barnett@rbs.co.uk

192. #scotsecure
Questions &
Discussion

193. www.mobile-scotland.com
2nd Annual Mobile Scotland
26th May Edinburgh

194. www.scot-cloud.com
3rd Annual Scot-Cloud
21st June Edinburgh

195. Drinks &
Networking Upstairs
Hosted By

196. SCOT-SECURE 2016
MICHAEL JACK & KYLE BOWES

197. $ WHOAMI
MIKEY & KYLE
▸ 2nd BSc Ethical Hacking @ Abertay University, Dundee
▸ Work for Scottish Business Resilience Centre (SBRC)
▸ OSINT, Footprinting, Outreach
▸ Mikey: Cryptography, Defence, Counter-terrorism
▸ Kyle: OSINT, Footprinting, Counter-terrorism

198. THE ORDER, UNLESS WE GET SIDETRACKED
WHAT’S ALL THIS THEN?
1. Staying Updated
2. Data Protection, Encryption & Backups
3. Passwords
4. Phishing Emails & Malicious Websites
5. Social Media

199. SECURITY IS A PROCESS, NOT
A PRODUCT.
Bruce Schneier, April 2000
THREAT MODEL 101

200. HACKERS ARE LAZY
Johnny Appleseed
THREAT MODEL 101

201. "I DON'T NEED TO RUN FASTER
THAN THE BEAR: I ONLY NEED
TO RUN FASTER THAN YOU."
Johnny Appleseed
THREAT MODEL 101

202. UPDATE NOW
A CRITICAL PAIN IN THE ASS

203. DON’T BE AN EASY TARGET
UPDATES MATTER
▸ Will protect you against a lot of threats
▸ low effort > high reward
▸ Windows 10, 8.1, 8, 7 get security updates
▸ Windows XP doesn’t get any updates
▸ OS X 10.11 (El Capitan), 10.10 (Yosemite), 10.9
(Mavericks) get security updates

204. WINDOWS 7: WINDOWS UPDATE - TURN IT ON!

205. WINDOWS 7: WINDOWS UPDATE - ENABLE AUTOMATIC UPDATES

206. OS X 10.11 (EL CAPITAN) - SYSTEM PREFERENCES > APP STORE

207. BACKUP THE DATA!
BACKUPS ALL THE WAY DOWN

208. BACKUP THE BACKUPS
BACKUPS WILL SAVE YOUR BUSINESS
▸ Will save you time & money
▸ Onsite & Offsite backup
▸ Daily, Weekly, Monthly
▸ Easy to restore in event of a disaster

209. STORAGE IS CHEAP

210. WINDOWS 7: BACKUP & RESTORE - SET UP BACKUP

211. OS X 10.11 (EL CAPITAN) - TIME MACHINE

212. ENCRYPTION

214. https://youtu.be/XfFjde0UPbY

215. SOMETHING YOU KNOW, A PASSWORD FOR EXAMPLE

216. SOMETHING YOU KNOW, A PASSWORD FOR EXAMPLE

217. PASSWORD-PROTECT-DOCUMENTS-WORKBOOKS-AND-PRESENTATIONS
WHAT TO ENCRYPT
▸ Encrypt everything, if you can, Full Disk Encryption
▸ Windows: BitLocker/ Drive Encryption
▸ Mac: FileVault
▸ Customer personal and payment information
▸ Microsoft Office Button > Prepare > Encrypt Document
▸ Smart Phones & Tablets
▸ iOS > Settings > Touch ID & Passcode > Erase Data
▸ Android > Settings > Security > Encryption > Encrypt

218. PASSWORDS
SIZE MATTERS!

219. STATISTICAL ANALYSIS (LINKEDIN 160K & ROCK YOU 14M)

220. STATISTICAL ANALYSIS (LINKEDIN 160K & ROCK YOU 14M)

221. �
THE WORST PASSWORDS
• qwerty
• 696969
• mustang
• letmein
• baseball
• michael
• football
• 123456
• password
• 12345678
• 1234
• master
• 12345
• dragon

222. TRIES ALL COMBINATIONS
FROM A GIVEN KEYSPACE. IT
IS THE EASIEST OF ALL THE
ATTACKS.
hashcat.netwikidoku.phpid=brute_force_attack
BRUTE FORCE

223. MASK ATTACK
JULIA1984
‣ (26 + 26 +10) = 629
= 1315 = 13 Quadrillion @ 100M/s
http://hashcat.net/wiki/doku.php?id=mask_attack

224. MASK ATTACK
JULIA1984
‣ (26 + 26 +10) = 629
= 1315 = 13 Quadrillion @ 100M/s
‣ The above password matches a simple but common
pattern. A name and year appended to it.
‣ We can also configure the attack to try the upper-case
letters only on the first position.
http://hashcat.net/wiki/doku.php?id=mask_attack

225. MASK ATTACK
JULIA1984
‣ (26 + 26 +10) = 629
= 1315 = 13 Quadrillion @ 100M/s
‣ The above password matches a simple but common
pattern. A name and year appended to it.
‣ We can also configure the attack to try the upper-case
letters only on the first position.
‣ Down to 370 Billion combinations @ 100M/s
http://hashcat.net/wiki/doku.php?id=mask_attack

226. HTTPS://THEINTERCEPT.COM/2015/03/26/PASSPHRASES-CAN-MEMORIZE-ATTACKERS-CANT-GUESS/
PASSPHRASES
▸ Never give them away!
▸ Your trick isn't clever
▸ Space bar is your friend
▸ Length > complexity
▸ Tell a story

227. REDUCE THE NUMBER OF PASSWORDS YOU NEED TO KNOW
PASSWORD MANAGERS
▸ Last Pass (all platforms) (cloud based)
▸ 1Password (all platforms, best on Apple) (Dropbox sync)
▸ Demo!

228. REDUCE THE NUMBER OF PASSWORDS YOU NEED TO KNOW
PASSWORD MANAGERS
▸ Last Pass (all platforms) (cloud based)
▸ 1Password (all platforms, best on Apple) (Dropbox sync)
▸ Demo!
▸ Auto fill, in the browser Chrome, Firefox, Safari
▸ Generate unique long passwords for each site

229. IF YOU DO ANYTHING, PLEASE DO THIS!
TWO FACTOR AUTHENTICATION (2FA)
▸ twofactorauth.org
▸ Google Authenticator
▸ Authy
▸ YubiKeys

230. PHISHING EMAILS
DON’T CLICK THAT LINK

231. OS X Mail
Legit, Gmail
Spam, Gmail

232. MALICIOUS WEBSITES
WATERING HOLE

233. THIS IS NOT THE
WEBSITE YOU ARE
LOOKING FOR

234. SCOT-SECURE
REAL OR FAKE
▸ Padlock
▸ URL
▸ How did you get there?
▸ Apply common sense
▸ Browser extensions
▸ HTTPS Everywhere
▸ uBlock Origin
Safari
Chrome
Chrome
Firefox

235. https://youtu.be/XfFjde0UPbY

236. SOCIAL MEDIA
FACEBOOK, TWITTER, LINKEDIN &
INSTAGRAM

238. �����

239. PASS THESE ON
THINK ABOUT THESE THINGS, PLEASE?
▸ Update, backup and encrypt your devices
▸ Encrypt the most critical sensitive information
▸ If you can encrypt it all, Full Disk Encryption
▸ Long passwords, don't worry about complexity
▸ Get a password manager (LastPass & 1Password)
▸ Use Google Chrome, if you can
▸ Think about how you got to the site, did you expect the email?

240. LAST CHANCE
THE LINKS
▸ Chrome security usability: youtu.be/XfFjde0UPbY
▸ Very strong passwords: theintercept.com/2015/03/26/
passphrases-can-memorize-attackers-cant-guess/
▸ Which sites use Two Factor Auth: twofactorauth.org