
Scot Secure 2019 Edinburgh (Day 2)


The national Scot-Secure Summit is the largest annual Cyber Security Conference in Scotland: the event brings together senior IT leaders and Information Security personnel, providing a unique forum for knowledge exchange, discussion and high-level networking.

The conference programme is focussed on promoting best-practice cyber security; looking at the current trends, the key threats - and offering practical advice on improving resilience and implementing effective security measures.


  1. Welcome to ScotSecure 2019 #scotsecure
  2. Mark Stephen, BBC Scotland @bbcscotland #scotsecure
  3. Federico Chorosky, Quorum Cyber @fedechorosky #scotsecure
  4. Why we do what we do: an exploration of an industry that is quickly losing its soul
  5. Who do I think I am?
  6. What I see when I look out / What we did differently / An invitation
  7. What I see when I look out / What we did differently / An invitation
  8. Cynicism, Anger, Fear, Toxic behaviours, Apathy, Disenfranchised individuals, Twitter mobs, Lack of real messages, “Giveaways” that mean nothing, Blame
  9. We need to build vehicles for our beliefs and do something awesome
  10. Drive & Intentionality
  11. What I see when I look out / What we did differently / An invitation
  12. I spend an inordinate amount of time on this
  13. do the right thing
  14. … but it wasn’t enough
  15. What, Why, How
  16. “The goal is not to do business with everybody who needs what we have. What we do serves as the proof of what we believe. The goal is to do business with people who believe what we believe”
  17. We protect those that cannot protect themselves. We fight bullies
  18. By creating simple, clear, innovative products and services that provide great customer experience
  19. We make the invisible, visible. Today we sell a collection of products and services such as Consulting and Big Red Button
  20. What I see when I look out / What we did differently / An invitation
  21. Find your bully. Stop blaming. Keep talking
  22. Eleanor McHugh, Consultant #scotsecure
  23. Rory Alsop, ISF @roryalsop #scotsecure
  31. Panel: Harry McLaren (Cyber Scotland Connect), Federico Chorosky (Quorum Cyber), Elaine McKechnie (CYBG, SwiT), Eleanor McHugh (Consultant), Rory Alsop (ISF) #scotsecure
  32. Refreshments & Networking #scotsecure
  33. Leo Cunningham, Zonal @zonaluk; Gaye Cleary, Grant McGregor @cleary_gfm #scotsecure
  34. Building and improving the effectiveness of security functions in SME environments. Leo Cunningham, InfoSec and Compliance Manager (and Group DPO)
  35. Agenda ▪ Transitioning from an outsourced model ▪ Creating the next iteration of the security function and strategy ▪ Building cultural awareness to reduce business risk day to day ▪ Learnings from challenges and successes
  36. Transitioning from an outsourced model
  37. ✓ Reduce costs ✓ Your data is yours ✓ Risk control ✓ Improved SLA
  38. Creating the next iteration of the security function and strategy
  39. ▪ Understanding your business is key to helping you decide what happens next ▪ Focus on the people who do the ‘doing’ and make the ‘decisions’ ▪ Conduct a gap analysis ▪ What are you missing? ▪ Remember those cost savings that you’ve just made? ▪ Formulate a TOM/roadmap to keep you focused ▪ Begin cultural change and adoption
  40. Building cultural awareness to reduce business risk day to day
  41. Learnings from challenges and successes
  42. Not everyone gets it!
  43. CHAMPIONS
  44. Questions?
  45. Building a Sound Foundation in Information Security with Cyber Essentials. Gaye Cleary, Information Security Consultant, Grant McGregor Ltd. COPYRIGHT & COMMERCIAL CONFIDENCE: The copyright in this work is vested in Grant McGregor Ltd and this document is issued in commercial confidence for the purpose only for which it is supplied. It must not be reproduced in whole or in part except under an agreement or with the consent in writing of Grant McGregor Ltd and then only on the condition that this notice is included in any such reproduction. No information as to the contents or subject matter of this document or any part thereof arising directly or indirectly therefrom shall be given orally or in writing or communicated in any manner whatsoever to any third party being an individual, firm or company or any employee thereof, without the prior written consent of Grant McGregor Ltd.
  46. Background (more this / not so much this): MSc ASDF, Edinburgh Napier; Cyber Essentials Assessor; Former Unix/Sybase DBA; Interested in Data Protection
  47. Grant McGregor: An IASME Certifying Body
  48. Questions??? Q&A after
  49. 1. Why do a presentation about “the basics”?
  50. SOPHOSLABS 2019 THREAT REPORT • Close holes in firewalls • Use MFA • Distrust unknown files and links • Keep up to date with operating system and software patches • Change default passwords
  51. SingHealth cyberattack: Singapore’s most serious breach of public data to date. Committee of Inquiry (COI), Jan 2019 • A disturbing number of staff fell prey to phishing emails twice or more • Review the efficacy of the email-protection measures • Conduct regular audits/checks to bridge “gaps” between policy and practice • Insufficient scope in vulnerability assessments • Citrix servers should have had 2FA enabled for admin accounts • Admin accounts must have tighter control and greater monitoring
  52. SamSam: SamSam attackers want easy targets, entering networks using exploits in internet-facing servers (the JBoss application server) or by brute-forcing RDP passwords. Getting a few of the basics right gives a very good chance of keeping them out. ▪ Strict patching protocol for OSs and all the applications that run on them. ▪ Lock down RDP: ✓ Limit the rate of password retries ✓ Automatically lock accounts after a number of failed login attempts ✓ Require multi-factor authentication ✓ Educate users about strong passwords and the dangers of password reuse ✓ Have staff access RDP through a VPN and limit access to specific IP addresses, ranges or geographies
  53. Why aren’t we doing the basics? • We assume we’re doing them already • Where to start, what to include, what to exclude? • Getting overwhelmed: more than 22,000 new vulnerabilities were disclosed in 2018 • IT is often reactive rather than proactive
  54. Cyber Essentials: where did it come from? • Based on investigations into corporate compromises in 2014 • Identified the most effective controls to defend against commodity attacks ➢ practical to implement ➢ relatively straightforward to test • Intended to be a first step in the journey to protecting your organisation in cyberspace • Not intended to be a silver bullet for all forms of cyber attack
  55. ICO – Guide to GDPR (Security) • “We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials?” … “A good starting point is to make sure that you’re in line with the requirements of Cyber Essentials – a government scheme that includes a set of basic technical controls you can put in place relatively easily.”
  56. Some observations on Cyber Essentials • Combining technical controls with business processes • Getting a handle on vulnerabilities and patching • Common failings and problem areas
  57. 2. Technical Controls with Business Processes: is there a gap between policy and practice?
  58. IT threat landscape: an ever-changing beast
  59. CRAB RANSOMWARE: Now in its fifth version, this file-locking malware continues to be updated at an aggressive pace. Its developers are constantly releasing new versions of it, with new, more sophisticated samples being made available to bypass cybersecurity vendors’ countermeasures. decryption-tool-released-for-free-no-more-ransom (Oct 2018)
  60. 2018 Verizon Data Breach Investigations Report: "At least 37% of malware hashes appear once, never to be seen again"
  61. Technical controls with business processes: close the gap between policy and practice. Policy life cycle • Identify need • Develop and approve • Publish • Review and maintain
  62. Some examples of Cyber Essentials questions looking for policy and/or practice
  63. Firewall A4.2: When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?
  64. Firewall A4.6: If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process. A4.5: Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?
  65. Supported Software A6.2: Are all applications on your devices supported by a supplier that produces regular fixes for any security problems? • Can you answer this if you don’t maintain a software register? • Can you answer this if your employees have local admin rights? • Are you confident that old versions of software have been removed?
  66. Users with Admin Privileges A7.5: Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.
  67. 3. Vulnerabilities and Patching: more than 22,000 new vulnerabilities disclosed in 2018. Where to start?
  68. Patching A6.4: Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this. A6.5: Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this. Applies to: servers, computers, laptops, tablets, mobile phones, routers and firewalls
  69. Vulnerabilities in scope for Cyber Essentials: for Cyber Essentials, we’re considering an attacker who has some technical knowledge, is sitting somewhere on the Internet, and is using what we call ‘commodity’ attack tools.
  70. Vulnerabilities in scope for Cyber Essentials • attack vector: network only • attack complexity: low only • privileges required: none only • user interaction: none only • exploit code maturity: functional or high • report confidence: confirmed or high
  71. e.g. Vector string from Microsoft: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  72. Looking back to June 2017: how would Cyber Essentials fare in protecting against NotPetya?
  73. Patching for Cyber Essentials: about half of MS bulletins in 2017 are critical
  74. Vulnerabilities patched in MS17-010. Base score: 8.1 (temporal score: 7.3); CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C. Windows SMB Remote Code Execution Vulnerability: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148 (publicly disclosed: No; exploited: No). Windows SMB Information Disclosure Vulnerability: CVE-2017-0147 (publicly disclosed: No; exploited: No).
  75. Exploit details. Security Tracker: Updated: May 14 2017; Original entry date: Mar 14 2017. A tool named 'ETERNALBLUE' that exploits one of these vulnerabilities is publicly available. [Editor's note: One of these vulnerabilities is being exploited by the WannaCrypt malware.]
  76. Exploit details readily available
  77. More exploit details
  78. NotPetya: would having CE have helped? One attack vector: trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. CE ✓ Some mitigations • Patch your computers to stop the SMB exploits: CE * • Disable SMBv1: CE ✓ • Block outside access to ports 137, 138, 139 and 445: CE ✓ • Follow best practices and do not allow local administrators carte blanche over the network, and tightly limit access to domain admins. You'd be surprised how many outfits are too loose with their admin controls: CE ✓
  79. 3. Common Failings and Problem Areas
  80. Renewing: just resubmitting last year’s answers. Cyber Essentials is constantly updating based on new threats and a deeper understanding of the threat landscape. IASME have monthly webinars and an assessor forum for assessors to keep up to date on current guidance
  81. Devices in Scope A2.7: Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system version for all devices. • Are all mobile devices still supported and updating the OS? • Restrict which devices can access business data via cloud, e.g. Office 365
  82. Devices in Scope A2.9: Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). !! Remember routers and firewalls in home offices !!
  83. Remote access to firewall config A4.8: Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?
  84. Software firewalls disabled: NCSC advise that having local firewalls on hosts will help prevent lateral spreading of malware throughout your organisation. It also protects devices taken outside your network perimeter
  85. Admin users on Mac: on a Mac, all users have admin credentials by default. Create standard privilege accounts for all users
  86. Admin Users Browsing the Internet A7.7: How do you ensure that administrator accounts are not used for accessing email or web browsing? • Most malware is delivered by email or web downloads • Only use admin for administrative activities, e.g. installing software or making configuration changes • For patch downloads, ensure you’re accessing trusted links, not googling
  87. Why might you use Cyber Essentials as your starting point? • Clearly defined scope • Framework for basic controls and procedures • Deliberately prescriptive • More thorough and complete than you might think • UK standard to protect organisations from real attacks • ICO recommend it
  88. My Advice… Gaye Cleary, Information Security Consultant, Grant McGregor: Take things a step at a time
  89. Gerry Grant, Converged Communications @gerrytonic; Jacob Cordran, Swarm Online @swarmonline #scotsecure
  90. From dodgy disks… to crypto mining…
  91. Agenda • A brief history • Key trends & observations • Why the tactics are changing • Lessons to learn • How to protect ourselves
  92. 🤦‍♂️
  93. 🤦‍♂️
  94. What now?
  95. Ransomware • Moving to enterprise • Much more targeted • The greater the potential damage, the greater the potential return • Ryuk specifically targets high-value systems
  96. Chase the easy money • Better defences • Better awareness • Consumers mainly using phones/tablets • Cloud back-ups
  97. Back to stealth: crypto mining • Works in the background • Quick return • Infect the user OR the website • Low barrier to entry • IoT-led botnet cryptomining?
  98. Supply Chain • Compromise the developer/update • Pushed to LOTS of users • Trust • Software often signed
  99. Target lots of people at once • Poisoned Chrome extensions • WordPress plug-ins • Docker images • Repositories • Typosquatting • Formjacking • Immensely increased attack surface
  100. Formjacking • Infect website with JavaScript • Capture CC details • Just ask Ticketmaster or BA
  101. Cloudy Stuff
  102. The dream • It has everything • Poor security measures • 70 million records exposed on S3 buckets (Symantec) • No need to use an exploit • Tools to search for exposed S3 buckets
  103. Malware
  104. Collaboration • Historically known for one utility • Hybrid malware • Mine crypto AND send spam • Authors working together for greater impact
  105. Phishing
  106. It still works • 76% of organisations experienced an attack in 2018 (IT Professionals Security report) • Vary infrastructure • Vary length of attacks • Hosted infrastructure & cloud to hide in legit sites
  107. Passwords
  108. They are not going away • One weak password can result in compromise • Password reuse is killing us • Collection 1 (and Collections 2-5) • 2.2 BILLION passwords out there
  109. Nation State
  110. Becoming more open • Winter Olympics take-down • Elections, again • Catphishing • Much more open
  111. Wrap it up
  112. Conclusion • The more we know, the better we can prepare • Attackers are ‘living off the land’ • Infection rates correlate to human development factors and technology readiness • Tactics will always adapt
  113. Conclusion • Use trusted sources • Configuration • Access controls • Be aware and act if suspicious • Training • Consistency
  114. “Inconsistency is the biggest threat to an organisation. There are always groups inside a company that think what they do is too important, or too different, and will push for an exception. In 2019 leaders need to help their teams understand that exceptions create risk for the organisation.” Jeff Brown, Vice President and CISO, Raytheon
  115. Questions?
  116. Security by Design: Securing Entry Points across the Organisation. Jacob Cordran, Technical Director, SwarmOnline @vuln_
  117. Common vulnerabilities (yes, still) • Security by design (aka good habits) • Who/what are you protecting against? • What can the bad guys/bots see? • Securing entry points (incl. physical ones) • The value of collaboration
  118. Information has a value • Often electronic, but not necessarily so • Everybody’s responsibility • Administrative, logical & physical controls
  119. How many security controls do I need?
  120. LAIRSLAYERS
  121. People and systems are fallible • Build in redundancy • Don’t rely on a single control • You already know how to do this!
  122. Data breaches and security incidents are frequent. But do we truly learn from them? Could the aviation industry teach us a lesson?
  123. A culture of openness and sharing of information • Every incident is an opportunity to improve procedures • ‘Just Culture’ ensures reporters aren’t penalised
  124. Common, basic vulnerabilities STILL exist
  125. Wedding lists tend to be very public • John Lewis do offer a guest password • Not everyone uses it…
  126. What just happened?! Bought 5 items at £10 each: £50. But also bought -6 (negative six!) at £8 each: -£48. We are charged the difference: £2
  127. The order is partially validated after payment
  128. Expected the transaction to fail at every step • Easy to fix but a significant impact • Do negative numbers count as hacking?! YES.
  129. The verb to ‘hack’ has become part of our everyday language, e.g. ‘lifehacks’
  130. Use something in a way other than as intended • Doesn’t have to be malicious • Can be consented to • You can be a hacker too!
  131. Finding a target can be as easy as searching for one. What is YOUR online footprint?
  132. Live demo?
  133. Not just servers and databases • Individual PCs, laptops, mobile devices • Online services (email, file sharing, etc.) • In the cloud and on-premise • Do you have an asset register?
  134. Who is in your building right now? Are they meant to be there? Who can see your screen? • Lock it EVERY time your device is unattended • Challenge anyone you don’t recognise
  135. You don’t need to be big to have written policies • Get ahead of the (mandatory) game • Less regulated = MORE responsibility! • Do the right thing regardless • Write your own • Be realistic • What are you trying to protect?
  136. Ask yourself and your team awkward questions • Wear a hi-viz vest • Talk to others – think like an aviator • Be an (ethical) hacker • Be observant • Make security a habit
  137. Jacob Cordran, Technical Director, SwarmOnline @vuln_
  138. Avoiding commodity cybercrime
  139. Name the aircraft…
  140. Name the aircraft… Shenyang FC-31 (China) ($70m); F-35 Lightning II (USA) ($120m)
  141. Name the virus…
  142. Name the virus… WannaCry, May 2017
  143. Good news slide • Most of us don’t need to worry about state-sponsored espionage • Commodity cybercrime is easier to mitigate than you might think
  144. Bad news slide: 4 trends will make the situation worse before it gets better • Proliferation • Hyper-connectivity • Monetisation • Apathy
  145. What to do 1. Treat cyber insecurity as a risk issue rather than compliance.
  146. What to do 1. Treat cyber insecurity as a risk issue rather than compliance. 2. Expect to have a problem, and have a plan for your own personal Dido Harding day.
  147. What to do 1. Treat cyber insecurity as a risk issue rather than compliance. 2. Expect to have a problem, and have a plan for your own personal Dido Harding day. 3. Focus on the basics: know your network, patch your network, configure your network
  148. What we do 1. Treat cyber insecurity as a risk issue rather than compliance. 2. Expect to have a problem, and have a plan for your own personal Dido Harding day. 3. Focus on the basics: know your network, patch your network, configure your network
  149. What we do: we make it quick and easy to improve cyber security posture
  150. What we do: get-well plans, peer rating, performance trends, expert help
  151. What we do: get-well plans are tailored to your business
  152. What we do: manage risk across your supply chain
  153. What we do: automate Cyber Essentials Plus certification. There are probably no more than 2,000 organisations in the UK with Cyber Essentials Plus: 5 yrs, 22,000 certifications, 4,000 (20%) CES Plus. The current scheme is broken: difficulty (scale vs ignorance), logistics, quality, perceived lack of value
  154. What we do: automate Cyber Essentials Plus certification. There are probably no more than 2,000 organisations in the UK with Cyber Essentials Plus: 5 yrs, 22,000 certifications, 4,000 (20%) CES Plus. The current scheme is broken: difficulty (scale vs ignorance), logistics, quality, perceived lack of value. We need to remove the barriers to Cyber Essentials Plus adoption: automation, increased quality and consistency, self-service, lowered costs, demonstrable business value. Success factors: assurance, confidence, value, legacy
  155. About Us • Formed in 2014 • Directors from QinetiQ/Cheltenham • Based in Tewkesbury • 45 staff • Professional Services • CyberScore™
  156. +44 (0) 333 305 7650
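
Slide 70 states the Cyber Essentials vulnerability scope as a set of CVSS metric values, and slides 71 and 74 quote two vector strings. The following is an added example, not code from the deck, from Grant McGregor or from the Cyber Essentials scheme: it parses CVSS v3.0/3.1 vector strings and reports which of the slide 70 criteria a vector fails. The assumptions are ours: the mapping of the slide's wording onto the standard CVSS metric abbreviations; CVSS v3 has no "high" report-confidence value, so "confirmed or high" is matched by RC:C alone; a temporal metric that is absent (not defined) does not meet its criterion; and the third vector is constructed to show an in-scope case.

```python
"""Screen CVSS v3 vector strings against the Cyber Essentials scope criteria
listed on slide 70. Added example; not the deck's or the scheme's code."""
from __future__ import annotations

import re

# Slide 70 criteria expressed as allowed CVSS v3 metric values.
# Assumption: CVSS v3 report confidence has only C/R/U/X, so "confirmed or
# high" is matched by C alone.
CE_SCOPE = {
    "AV": {"N"},       # attack vector: network only
    "AC": {"L"},       # attack complexity: low only
    "PR": {"N"},       # privileges required: none only
    "UI": {"N"},       # user interaction: none only
    "E":  {"F", "H"},  # exploit code maturity: functional or high
    "RC": {"C"},       # report confidence: confirmed
}

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
_VERSION = re.compile(r"^CVSS:3\.[01]$")


def parse_vector(vector: str) -> dict[str, str]:
    """Parse 'CVSS:3.x/K:V/K:V/...' into {metric: value}; reject malformed input."""
    parts = vector.strip().split("/")
    if not _VERSION.match(parts[0]):
        raise ValueError(f"not a CVSS v3 vector string: {vector!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key.isalpha() or not value.isalpha():
            raise ValueError(f"malformed metric {part!r}")
        if key in metrics:
            raise ValueError(f"duplicate metric {key!r}")
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing}")
    return metrics


def is_cvss3_vector(vector: str) -> bool:
    """True when the string parses as a complete CVSS v3 vector."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def ce_scope_check(vector: str) -> tuple[bool, list[str]]:
    """Return (in_scope, reasons). Assumption: a metric that is absent or X
    (not defined) cannot satisfy its criterion, so it is listed as a reason."""
    metrics = parse_vector(vector)
    reasons = []
    for key, allowed in CE_SCOPE.items():
        value = metrics.get(key, "X")
        if value not in allowed:
            reasons.append(f"{key}:{value} (allowed {'/'.join(sorted(allowed))})")
    return (not reasons, reasons)


# Vectors quoted on slides 71 and 74, plus one constructed in-scope vector.
SLIDE_71 = "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
SLIDE_74_MS17_010 = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"
CONSTRUCTED_IN_SCOPE = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C"

if __name__ == "__main__":
    samples = [("slide 71", SLIDE_71),
               ("slide 74 (MS17-010)", SLIDE_74_MS17_010),
               ("constructed", CONSTRUCTED_IN_SCOPE)]
    for label, vec in samples:
        ok, why = ce_scope_check(vec)
        print(f"{label}: {'IN SCOPE' if ok else 'out of scope'} {why}")
```

Run as a script it prints one verdict per vector. Both vectors the deck quotes fail the filter (AC:H and E:P, plus PR:L for slide 71), so a screening that relied only on these six metrics would not have placed MS17-010 as scored on slide 74 in scope; whether to patch on the vendor's critical rating regardless is the judgement question A6.4 on slide 68 asks about.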
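
Slides 126 to 128 describe an order that was charged £2 because a line with a negative quantity was accepted and the order was validated only after payment. The following is an added example, not the retailer's or the deck's code: the cart total computed the flawed way beside a version that validates every line server-side before any amount is charged. The cart layout, SKU names and function names are constructed; the figures (5 at £10, -6 at £8) are the deck's.

```python
"""Negative-quantity ordering flaw from slides 126-128: flawed total beside a
validated one. Added example; not code from the deck or the retailer."""
from __future__ import annotations

from decimal import Decimal

# Constructed cart reproducing the slide 126 figures (prices in pounds).
SLIDE_126_CART = [
    {"sku": "gift-A", "unit_price": Decimal("10.00"), "quantity": 5},
    {"sku": "gift-B", "unit_price": Decimal("8.00"), "quantity": -6},
]
# Constructed well-formed cart for comparison.
GOOD_CART = [
    {"sku": "gift-A", "unit_price": Decimal("10.00"), "quantity": 5},
]


class InvalidOrder(ValueError):
    """Raised when an order fails validation before any charge is made."""


def total_unvalidated(cart: list[dict]) -> Decimal:
    """The flawed flow: charge whatever the submitted lines add up to and
    validate afterwards (slide 127). A negative quantity acts as a discount,
    so the slide 126 cart is charged 2.00 instead of 50.00."""
    return sum((line["unit_price"] * line["quantity"] for line in cart),
               Decimal("0.00"))


def order_errors(cart: list[dict]) -> list[str]:
    """Validate every line server-side; returns the problems found (empty if OK)."""
    errors = []
    if not cart:
        errors.append("cart is empty")
    for line in cart:
        sku = line.get("sku", "?")
        qty = line.get("quantity")
        # bool is a subclass of int, so reject it explicitly
        if not isinstance(qty, int) or isinstance(qty, bool):
            errors.append(f"{sku}: quantity must be an integer")
        elif qty < 1:
            errors.append(f"{sku}: quantity must be at least 1, got {qty}")
        price = line.get("unit_price")
        if not isinstance(price, Decimal) or price <= 0:
            errors.append(f"{sku}: unit price must be a positive amount")
    return errors


def total_validated(cart: list[dict]) -> Decimal:
    """Hardened flow: refuse the order before payment if any line is invalid,
    and refuse a non-positive total as a second, independent check."""
    errors = order_errors(cart)
    if errors:
        raise InvalidOrder("; ".join(errors))
    total = total_unvalidated(cart)  # every line has passed validation
    if total <= 0:
        raise InvalidOrder(f"order total must be positive, got {total}")
    return total


if __name__ == "__main__":
    print("flawed flow charges:", total_unvalidated(SLIDE_126_CART))
    print("validation finds:", order_errors(SLIDE_126_CART))
    print("validated good cart:", total_validated(GOOD_CART))
```

A real shop would also look up the unit price by SKU on the server rather than trusting the submitted one; prices travel in the cart here only to reproduce the slide's arithmetic. Decimal is used so that money is not subject to floating-point rounding.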