Infosec lecture-final

Transcript

  • 1. © Cyberkryption 2013
    Can you protect and secure your data to prevent damage to your reputation?
    Date: 16th April 2013
    By: Paul Dutot
  • 2. About Me
      • Former Air Traffic Engineer – 15 Years
      • Incorporated Engineer / Chartered IT Professional
      • MCTS / MCSE / Solaris / Security +
      • Offensive Security Certified Professional
      • Tiger Scheme Qualified Security Tester
      • Information Security / Penetration Testing
      • Owner – Cyberkryption.com
    Questions at the end please
    Paul Dutot IEng MIET MBCS CITP
    Cyberkryption | Floor 1 | Liberation Station | Esplanade | St.Helier | Jersey | JE2 3AS
    T: +44 (0) 1534 719 123 | http://www.cyberkryption.com | enquiries@cyberkryption.com
  • 3. Agenda
      • Introduction to Information Security - A History.
      • Components of Information Security - ISO 27001 Definitions / CIA Triad / PDCA Cycle
      • Key Features and Benefits of Information Security
      • Security Types – Offensive and Defensive
      • Scenario 1 - Contact information on your public facing website.
      • Scenario 2 - Running a wireless network for business.
      • Scenario 3 – Running web applications or a website for your business?
      • Barriers to Adoption
      • Enforcement
  • 4. Introduction to Information Security: History
      • 1940 – 1945 Enigma Machine
      • Julius Caesar circa 50 B.C.
      • 2004 - GCHQ Cheltenham
      • "It's so easy to get into corporate networks that a determined 12-year-old with good Internet access could download the tools" James Lewis - Centre for Strategic and International Studies – Advisor to Congress and Obama
      • "Cyber attacks can cost billions of dollars, lead to stolen industry secrets and place the U.S. at a competitive disadvantage" – President Barack Obama
      • 2012 - Data Loss
      • 2012 - Cost to Individuals
      • Espionage – Financial services
  • 5. Introduction to Information Security: ISO 27001 - Definitions
      • Information Security – ‘preservation of confidentiality, integrity and availability of information; in addition to other properties such as authenticity, accountability, non-repudiation and reliability’
      • An information Asset – ‘anything that has value to an organization’
      • Confidentiality – ‘information is not made available or disclosed to unauthorized individuals, processes or entities’
      • Integrity – ‘safeguarding of the accuracy and completeness of an information asset’
      • Availability – ‘being accessible and useable upon demand by an authorized entity’
      • IT Security – Information Security applied to technology
  • 6. Introduction to Information Security: CIA Triad
    [Diagram: CIA Triad; surviving label: Availability]
  • 7. Introduction to Information Security: Plan Do Check Act Cycle
    [Diagram: Plan, Do, Check, Act; Continuous Improvement Cycle]
      • Central part of any information security strategy.
      • Can be formalised in an information security management system (ISMS)
      • Should be part of Business Risk Mitigation
  • 8. Introduction to Information Security: Benefits
      • Improves Business Processes – a comprehensive information security policy will improve the efficacy of other business processes such as disaster recovery and business continuity
      • Gain a Competitive Advantage - Taking every measure to protect your business data can only increase the level of confidence that your clients have in your business.
      • Business Resilience - The protection of business critical information is crucial to the productivity and continuity of your organisation.
      • Meet Regulatory and Compliance Demands - The need to comply with statutory, contractual or regulatory obligations is necessary for the majority of businesses in all market sectors such as JFSC.
      • Risk Mitigation – Implementing an information security strategy will make certain that you can react.
      • Peace Of Mind
  • 9. Introduction to Information Security: Key Features – A Formula One Pit Stop Analogy
      • It should benefit the whole organisation
      • Should balance business needs vs. risk
      • It should have people controls
      • It should have technical controls
      • People v Technical should be a 50 / 50 split
      • Payment Card Industry Data Security Standard (PCI-DSS) is a good example
      • The whole organisation must participate with leadership from above
  • 10. Introduction to Information Security: Security Types – Defensive and Offensive Security
    Defensive Security
      • Anti virus, systems patching and firewalls
      • Reactionary and takes no account of ‘human factors’
    Offensive Security
      • Security testing from an attacker’s ‘point of view’
      • It is designed to specifically target your company’s infrastructure and identify security issues or confirm security posture. It is commonly called Penetration Testing / Vulnerability Assessments
    Any information security strategy should contain both elements
  • 11. Scenario 1: Public Contact Information
    Business Perspective
      • Objective: To put our contact details on our website so we can be contacted more easily. Benefit 10/10
      • Risks: We suffer spam or malicious email such as a phishing email. Risk 2/10
    Malcontent’s Perspective
      • If they are giving out email information so easily we should be able to get plenty of other information to help us. We can send them a malicious email to try to get a foothold inside their network.
      • There are 3 forms of phishing = mass mailing, spear phishing and whaling.
      • We can entice them to a similar website to get users to reveal their information!
      • Metasploit Pro has a social engineering module for phishing attacks. We can also do this manually, but it is a lot more work.
  • 12. Scenario 1: Public Contact Information
    Meet Toddington International
      • 100’s of places to search for information
      • In 18 handy categories!
      • Including Social Media and username searches.
      • Pipl – a people search engine
      • Google Hacking Database
      • Jigsaw – great for business info
      • Shodan – device search engine
    Maltego can automate this for us. However, with practice you can find a lot of information about a company within one hour.
  • 13. Scenario 1: Public Contact Information
    People Controls (Control / Benefit)
      • Plan
          Control: User awareness training on phishing
          Benefit: 1. Reduce risk of compromise 2. Network of ‘sensors’ to warn IT of potential attacks 3. Users become more security aware in their personal internet life
          Control: Apprise users of email testing
          Benefit: 1. Users are aware that testing is being conducted and are not surprised
      • Do
          Control: Conduct email phishing security testing
          Benefit: 1. Simulates a real world attack 2. Identifies weaknesses, i.e. spots where your security is most vulnerable 3. Controls Risk – Provide targeted security awareness training and tweak technical controls
      • Check
          Control: See how effective the email phishing campaign was and interact with users accordingly
          Benefit: Both the users and the company are now more aware of their risk exposure
      • Act
          Control: Redefine Testing Parameters
          Benefit: Testing will now become more targeted
  • 14. Scenario 1: Public Contact Information
    Technical Controls (Control / Benefit)
      • Plan
          Control: Check technical systems are patched and up to date. Check configurations of technical controls and procedures
          Benefit: Your controls and procedures have been reviewed. Honestly, when did you last do this?
      • Do
          Control: Conduct email phishing security testing
          Benefit: Tests efficacy of technical controls and procedures
      • Check
          Control: See how effective technical controls and procedures are.
          Benefit: Both the users and the company are now more aware of their technical controls and any changes needed
      • Act
          Control: Redefine Testing Parameters
          Benefit: Technical controls will improve
  • 15. Scenario 1: Public Contact Information
    [Chart: Dip Test – Legal Sector Jersey; labels: Number On Website, Number Of Email Addresses, Vcards for Individuals]
    The data was obtained simply by browsing their websites. We also found a few LinkedIn profiles as well as a CV or two!! The picture is very similar in other sectors such as banking, trust and small businesses.
  • 16. Scenario 1: Public Contact Information
    Case Study RSA
      • Attackers used a targeted email.
      • They attached an Excel spreadsheet titled “Recruitment Plan”.
      • The technical solutions did their job.
      • One of the targets took it out of his junk email folder.
      • The rest is history!!!
      • 1/3 of all RSA tokens had to be replaced.
      • Cost: $66M between April and June 2011.
  • 17. Scenario 2: Running a wireless network for business
    Business Perspective
      • Objective: To have a wireless network so that we can use wireless devices such as laptops and tablets and clients can connect to it when doing business with us. Benefit 10/10
      • Risks: We will have it installed by IT or our IT service provider. Risk 0/10
    Malcontent’s Perspective
      • Have they set this up properly? Do they know what information is being broadcast?
      • Do they monitor their wireless? Is there intrusion or rogue access point detection?
      • Do they patch their wireless devices? Is there an open WI-FI access point?
      • Are they running WPA2 with WI-FI Protected Setup?
      • If any are yes; we possibly have access to their internal network!!!
  • 18. Scenario 2: Running a wireless network for business
    Meet Wigle.net
    [Map legend: Green = open network | Yellow = weak encryption | Red = maybe secure]
  • 19. Scenario 2: Running a wireless network for business
    Meet MiniPwner. Would you notice this on a desk? Probably. But what about if it is tangled up in a load of cables or under a desk?
      • Battery powered
      • Custom WI-FI Access point
      • Can send connections to the outside world!!
      • Costs less than £50 to build
      • It’s only 5.7cm square
      • It can scan your network for vulnerabilities
  • 20. Scenario 2: Public Contact Information
    People Controls (Control / Benefit)
      • Plan
          Control: Check procedures are up to date and have been reviewed
          Benefit: Your controls and procedures have been reviewed. Honestly, when did you last do this?
      • Do
          Control: Conduct wireless security awareness training
          Benefit: Tests efficacy of people controls and procedures
      • Check
          Control: See how effective technical controls and procedures are.
          Benefit: Both the users and the company are now more aware of their procedures and any changes needed
      • Act
          Control: Redefine Testing Parameters
          Benefit: Procedures will improve
  • 21. Scenario 2: Public Contact Information
    Technical Controls (Control / Benefit)
      • Plan
          Control: Check technical systems are patched and up to date. Check configurations of technical controls and procedures
          Benefit: Your controls and procedures have been reviewed. Honestly, when did you last do this?
      • Do
          Control: Conduct wireless security testing
          Benefit: Tests efficacy of technical controls and procedures
      • Check
          Control: See how effective technical controls and procedures are.
          Benefit: Both the users and the company are now more aware of their technical controls and any changes needed
      • Act
          Control: Redefine Testing Parameters
          Benefit: Technical controls will improve
  • 22. Scenario 2: Running a wireless network
    DIP Test - WI-FI Security Jersey 2011
      • Survey carried out 12-15th December 2011 - survey of 13,168 access points
      • State of WI-FI Security Lecture for BCS in March 2012
      • 13.9 % (1835) = no encryption
      • 19.37% (2551) = WEP
      • 33.27 % (4386) are insecure i.e. WEP or No Encryption
      • 53.9% (7097) are made by Netgear
      • 29.1% (2066) of Netgear routers are insecure
      • A States Of Jersey building has no encryption, i.e. open, still one year later!!!
  • 23. Scenario 2: Running a wireless network
    Demo 1 – WPS Insecurity
      • A good WPA2 password would take more than a lifetime to brute force
      • If WPS is enabled then this can reduce to 3-5 hours
      • Reaver can do this and it has the ability to save a session. It can also be installed on an Android smartphone!!!!
  • 24. Scenario 3: Running web applications or a website for business
    Business Perspective
      • Objective: To have a web application to fulfil a business service online or a website to promote our business
      • Risks: We will have it built by a local web design company who provide a package including hosting. Risk 2/10
    Malcontent’s Perspective
      • Is this website running on shared hosting?
      • Is the website or application security outdated?
      • Is debugging information available?
      • Is there a file upload facility?
      • A ‘yes’ to any of the above could mean you are vulnerable to exploitation
  • 25. Scenario 3: The dangers of shared hosting for business
    What is Shared Hosting?
    [Diagram: Company A – Static Site; Company B - WordPress; Company C – Joomla]
      • Each website is a folder on the server
      • The database on the server is common to all sites
      • The firewall is common to all sites and under the control of the ISP.
      • But it is cheap web hosting
      • It is not suitable for business that would require control of firewalls and databases
      • It is also very difficult to make secure!!
  • 26. Scenario 3: The dangers of shared hosting for business
    The Directory Symlink attack
    [Diagram: Company A – Static Site; Company B - WordPress; Company C – Joomla]
      • Company B is the target
      • The attacker finds a plugin vulnerability in Company C’s website.
      • The attacker then creates Symlinks to read configuration files on all sites.
      • The attacker logs into the database on Company B and C, changing the website admin password.
      • The attacker logs into the web admin portal = Game Over!!
      • You only need one vulnerable site for this attack to work!!
      • It is not uncommon for there to be up to 30-50 websites on a large shared hosting server.
      • There are tools and scripts available on the internet!!!
  • 27. Scenario 3: The dangers of shared hosting for business
    The File Upload Risk
    [Diagram label: Company A]
      • The attacker logs in to the database and changes the admin password.
      • Company A allows file uploads
      • The attacker uploads the appropriate shell
      • The attacker then triggers execution of the shell program.
      • The attacker receives a command prompt from the webserver.
      • The attacker now has permissions of the webserver
      • If he can elevate privileges = Game Over
      • File Type protection can be bypassed using an intercepting proxy
      • We could always upload a trojan file for them to download
  • 28. Scenario 3: The dangers of shared hosting for business
    The File Upload Risk Demo
    DVWA Demo
  • 29. OWASP 2013
    Open Web Applications Security Project
      1. Injection - we can inject code into the application in some form e.g. SQL via a field
      2. Cross Site Scripting - Can we cause a malicious script to be included from a different domain when a browser visits an infected page.
      3. Session Authentication and Management – We need to know who you are? What rights you have and manage correct exchanges of information
      4. Insecure direct object reference – we need to check to see if you are authorised for a file or resource.
      5. Cross Site Request Forgery – can we get a logged in user to include a malicious request from a different domain to trick the application into changing something e.g. router admin password!!
      6. Security Misconfiguration – no need to explain.
      7. Insecure Cryptographic Storage – we don’t protect important information with as good encryption as we should have done.
      8. Failure to Restrict URL Access – are you authorised to browse to a url? Think admin area of website
      9. Insufficient Transport Layer Protection – we need to protect important data when we send it.
      10. Unvalidated Redirects and Forwards – we should not just send the browser to somewhere without first checking i.e. hsbc.c0.uk is not hsbc.co.uk
  • 30. Scenario 3: Running web applications or a website for business
    Debugging information available
  • 31. Scenario 3: Running web applications or a website for business
    Poor authentication handling.
  • 32. Scenario 3: Running web applications or a website for business
    Poor ‘404’ error handling.
    Since January 2013
      • 2 x debugging information
      • 1 x authentication
      • 1 x error handling
    Security testing would have found all these errors
  • 33. Barriers to Adoption
    Apathy: A Case Study
      • A local law firm's website was hacked with a page inserted to an online pharmacy selling Viagra
      • Became public on the 4th December 2012
      • The solution is to build a new website?
      • Need to fix the security problem with the current one!!
    ‘While we have ventured out into some new areas such as conveyancing and wills, we do not sell Viagra. We have contacted our website provider who has stated that it is the first time he has experienced an event such as this and we have since taken steps to ensure that it is very unlikely to happen again. We have, however, made use of the occasion to examine our website and plan a re-launch in the near future. Sadly, it has meant that our on-line procedural guide to the Royal Court Rules is temporarily unavailable.’
    Google ranked the site as being compromised shortly after
  • 34. Barriers to Adoption
    Apathy: A Case Study
    This is how Google ranked the firm on the 1st February 2013 – 59 days of reputational damage
  • 35. Barriers to Adoption
    Apathy: A Case Study
    This is how Google ranked the firm on the 22nd March 2013 – 108 days of reputational damage and no new website.
    Would you trust them with your information?
  • 36. Barriers to Adoption
    Further Barriers
      • It is an Intangible Benefit
      • Thought to be IT’s problem
      • It is not well understood in business terms – for example fire risks are well understood and have controls such as smoke detectors and a fire evacuation plan which are routinely tested. The same cannot be said for IT Security
      • Board level disconnect – IT & Information Security are not routinely discussed at board level.
      • Economic Conditions – Security becomes a low priority
      • Lack of regulatory appetite in Jersey – No Information Commissioner and JFSC = no need for business to do anything!!
  • 37. Enforcement
    UK Information Commissioner Office
      • DM Design, Glasgow based marketing company, fined £90,000 after 2,000 complaints about unwanted marketing calls.
      • Nursing and Midwifery Council was fined £150,000 for the loss of 3 DVDs containing sensitive data about a misconduct hearing and evidence from vulnerable children.
      • Sony fined £250,000 for loss of ‘gamers’ data after the Sony PlayStation network was hacked.
      • Greater Manchester Police fined £120,000 for not protecting personnel data.
      • Stoke-on-Trent fined £120,000 for emailing of sensitive children data to the wrong person.
      • Prudential fined £50,000 after merging of account data led to one account being credited wrongly
  • 38. Further Information
    Links
      • Krebs on Security
      • UK Cabinet Office Cybercrime Report - https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf
      • Verizon Data Breach Report 2012 - http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1
      • IBM Xforce Security Report - http://www-03.ibm.com/press/uk/en/pressrelease/38928.wss
      • Solutionary Global Threat Intelligence Report - http://blog.solutionary.com/blog/?Tag=GTIR
      • UK Information Commissioners Office - http://www.ico.gov.uk/
      • Jersey Data Protection - http://www.dataprotection.gov.je/cms/default.htm
  • 39. Questions?
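
The directory symlink attack on slide 26 depends on a link inside one tenant's folder resolving into another tenant's files. As an added example (not part of the original presentation), this Python script audits each site folder for such links; the function names, the folder names and the directory tree built in a temporary folder are all constructed assumptions.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(site_root):
    """Return sorted (link path relative to site_root, resolved target) pairs
    for every symlink under site_root whose real target is outside it."""
    root = Path(site_root).resolve()
    findings = []
    # followlinks=False: linked directories are listed but never descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            rel = str(entry.relative_to(root))
            try:
                target = entry.resolve()  # follows the full link chain
            except (OSError, RuntimeError):  # e.g. a symlink loop
                findings.append((rel, "<unresolvable link>"))
                continue
            if target != root and root not in target.parents:
                findings.append((rel, str(target)))
    return sorted(findings)


def build_demo_hosting(base):
    """Constructed layout: three tenants as sibling folders on one server."""
    base = Path(base)
    for site in ("company_a", "company_b", "company_c"):
        (base / site).mkdir()
    (base / "company_b" / "wp-config.php").write_text("<?php /* placeholder */")
    release = base / "company_c" / "releases" / "v1"
    release.mkdir(parents=True)
    # Benign link: stays inside company_c's own tree.
    (base / "company_c" / "current").symlink_to(release, target_is_directory=True)
    uploads = base / "company_c" / "uploads"
    uploads.mkdir()
    # Suspicious link: sits in company_c but resolves into company_b's tree.
    (uploads / "b.txt").symlink_to(base / "company_b" / "wp-config.php")
    return base


def audit_all(base):
    """Audit every tenant folder under base; returns {site name: findings}."""
    return {p.name: find_escaping_symlinks(p)
            for p in sorted(Path(base).iterdir()) if p.is_dir()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for site, hits in audit_all(build_demo_hosting(tmp)).items():
            print(site, hits if hits else "clean")
```

A finding in any tenant's folder is worth investigating on a shared server, because the slide's point is that one vulnerable site is enough to reach the others.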
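
Slide 27 notes that file type protection can be bypassed using an intercepting proxy, since the declared type and the filename both come from the client. As an added example (not from the original presentation), this server-side check ignores the declared type, allowlists the extension, checks the leading bytes and assigns its own storage name; `validate_upload`, the allowlist and the sample uploads are assumptions constructed for illustration.

```python
import os
import secrets

# Allowlist: extension -> leading bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
MAX_BYTES = 2 * 1024 * 1024


class UploadRejected(Exception):
    """Raised with a short reason when an upload fails a check."""


def validate_upload(client_filename, client_content_type, data):
    """Return a server-generated storage name or raise UploadRejected.

    client_content_type is accepted but deliberately never consulted: it is
    a request header that the sender controls, like the filename.
    """
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("size out of range")
    # Drop any directory part (either separator) and keep only the extension.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # The stored name is random, so nothing chosen by the client reaches the
    # filesystem. Leading bytes are not proof of harmless content; files
    # should also live outside the web root in a non-executable location.
    return secrets.token_hex(16) + ext


# Constructed sample uploads: (filename, declared type, body).
PLACEHOLDER_SCRIPT = b"<?php /* placeholder, not a real payload */ ?>"
SAMPLES = [
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("shell.php", "image/png", PLACEHOLDER_SCRIPT),   # forged declared type
    ("shell.png", "image/png", PLACEHOLDER_SCRIPT),   # forged extension too
    ("..\\..\\report.pdf", "application/pdf", b"%PDF-1.4\n"),
]


def check_samples():
    """Run every sample through validate_upload; returns (filename, outcome)."""
    results = []
    for filename, declared_type, body in SAMPLES:
        try:
            validate_upload(filename, declared_type, body)
            results.append((filename, "accepted"))
        except UploadRejected as exc:
            results.append((filename, "rejected: " + str(exc)))
    return results


if __name__ == "__main__":
    for filename, outcome in check_samples():
        print(repr(filename), outcome)
```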