
People the biggest cyber risk


An analysis of Cyber Security publications sees >99% devoted to the technology of attack and defence, with <1% examining the biggest risk of all: people. Yet every cyber hack, attack or failure involving technology starts with some human indiscretion, error, fallibility, stupidity, revenge, malice or act of vandalism.

This near exclusive focus on the technology is analogous to bolting the stable door after the horse has bolted, and it results in a vast redirection and waste of resources. In complete contrast, our adversaries (The Dark Side) are more cunning. It really is time to reconsider our strategy if we are to stem the growing tide of attacks.

For sure, people cannot ‘do’ security! And why should they? It really is the responsibility of industry, which ought to be designing and supplying inherently secure products that defend users against themselves and The Dark Side. To engineer this would mean deploying systems to monitor the behaviours of people, devices, systems, applications and networks.

We have to establish patterns of behaviour at all levels if we are to detect and combat the exceptions that might constitute an attack. And whilst our knowledge of human behaviours and sociology is extensive, we know almost nothing about devices, systems, applications and networks. Perhaps even more threatening is our total lack of knowledge about Things: aka the IoT.

In this presentation we illustrate the fallibilities of people as well as some of their devious activities and propose some solutions.



  1. People: The Biggest Cyber Risk. Peter Cochrane, cochrane.org.uk. UCISA Security Conference, Birmingham, 3 May 2018. https://www.uos.ac.uk
  2. THE DARK SIDE. To defeat them, think as they do! “Never interrupt your enemy when he is making a mistake.” ― Napoléon. “A wise man gets more use from his enemies than a fool from his friends.” ― Baltasar Gracián. “To become a good defender you must first become a good attacker.” ― Me. “To know your Enemy, you must become your Enemy.” ― Sun Tzu
  3. CYBER CRIME: Abridged history & cost. Timeline chart (1997, 2004, 2007, 2013, today): Banking Malware, Crypto-Currency Attacks, Bitcoin Wallet Stealer, Device & Account Hijacking, Ransomware, EPoS Attack, Cyber Warfare, Social Engineering, DoS/DDoS, Infected eMail, Ransomware, Identity Theft, DNS Attack, BotNets, Site Sabotage, SQL Attack, Spam, Identity Theft, Phishing, Trojan, Worms, Virus. >1000 Bn attack total; >$2000 Bn cost of global cyber crime. Almost all of these attacks/attack types can be traced back to human operators exploiting the fallibilities of individuals who have volunteered vital information by falling victim to scams, spam and trickery. Social engineering is one of the most powerful tools widely exploited by the ‘Dark Side’, and the approach can span from the dumb and very obvious to the highly sophisticated and hard to detect.
  4. CYBER ATTACK: Rapidly changing profiles. Attacker profiles (chart): Amateurs: fun, fame, notoriety, vandalism; limited skills, limited resources, tend to be sporadic. Hacker Groups: money, sharing, organic, dispersed, unbounded, huge effort, progressive cooperatives, self organising, vast resources, massive market, aggregated skills, semi-professional, substantial networks. Hacktivists: skilled, political, idealists, emotional, relentless, dedicated, cause driven, vast networks, varied missions, targeted attacks, evolving community. Criminals: drugs, fraud, global, extreme, extortion, business, unbounded, professional, well managed, well organised, ahead of the curve, orchestrated effort, extremely profitable, syndicated resources, massive attack surface, vast up-to-date abilities. Rogue States: covert, money, warfare, influence, pervasive disruption, espionage, professional, sophisticated, well organised, extreme creativity, orchestrated effort, political influencers, ~unlimited resources, tech/thought leaders, regime destabilisation, population manipulation, military and civil domains. Almost all attacks/attack types can be traced back to the exploitation of human fallibility and ambition.
  5. WHAT WE DETECT: Possibly just the tip of an iceberg. We need to start looking below the surface of obviousness for the hidden sophistication of the many stealth attacks that we suspect are happening but cannot see! Iceberg graphic: Ransomware, Phishing, Crypto-Wallet, DoS/DDoS, SQLi/XSS, Man-in-the-Middle, URL Spoofing, Cloaking, Malware, Covert Plant, Visitors, Insiders, Outsiders, Alongsiders, Customers, Contractors, WiFi Tunnels, Implants, Malware Networks, Diversions, Brute Force, Decoys.
  6. PERVERSITY: Irrational situations by design. Our vehicles, white and brown goods are designed to be reliable, and ‘we’ don’t expect to have to get our tools out every week to keep them running! Reliability, resilience and trouble-free longevity are designed in from concept through design, production, delivery and customer use. Customers no longer understand how they work and certainly do not possess the skills to service and repair them!
  7. PERVERSITY: Irrational situations by design. Non-intuitive language, choices, configurations and options cause endless frustration.
  8. PERVERSITY: Irrational situations by design. Why does industry assume people to be capable of managing their own PC, laptop, tablet and mobile whilst ensuring they are also always secure? I see 7-year-old machines that have never had an OS update and have no security software. Owners oblivious to botnets and their vital contribution to their global success… They don’t care because they have no clue… and why should they?
  9. INCONVENIENCE: Facebook, Cambridge Analytica + GDPR. A month of repetitious chaos trying to get legal, fix problems and patch security vulnerabilities. Home, Academia and Lab, Company, On the Road: in just 3 contiguous weeks, 4 x OS upgrades over ‘N’ widely distributed devices + 163 App updates.
  10. THE IoT: Problem amplifier. Exponentially increasing the attack surface and the inherent complexity, but it will be in every home and office, workplace, pocket and vehicle, not to mention every component, item of clothing and food +++. For The Dark Side this is as good as it gets! A great dumb question from 2017: “Why would anyone want to attack my toaster?” Doh!
  11. SHEER SCALE: >100-1000 Bn things. Always online = always at risk. GOOD NEWS = the majority of IoT devices will never connect to the Internet!! This graphic by Beecham Research really conveys the IoT/M2M complexity to come.
  12. IoT NIGHTMARE: Food & toasters to vehicles. https://www.youtube.com/watch?v=RZVYTJarPFs
  13. AUTO-IMMUNITY. Diagram: a mix of clean and infected devices; broadcasting malware; responding with updated protection; wider network updated; latest solution update; dynamic isolation of infected devices and components leading to repair.
  14. AUTO-IMMUNITY mirrors biological forebears. Applied everywhere, 24 x 7: ICs, ISPs, WiFi, Hubs, LANs, Cards, Traffic, Servers, Circuits, Devices, Internet, Networks, Organisations, Companies, Platforms, Groups, People, Mobile, Fixed.
  15. Main Event? Decoy? Masking? Diversion? Tunnel set up? Infiltration? Intel Ops? Implant? Theft? Tests? +++
  16. AI MALWARE SPECIATION. The Dark Side are at the leading edge; are we?
  17-18. GET OUR ACT TOGETHER: The essentials shopping list is reasonably short: global monitoring and shared situational awareness; cooperative environments on attacks and solutions; universal sharing of identified attacks/developments; address cloaking & decoy customer sites/net nodes; behavioural analysis of networks, devices, people; continue and expand all established efforts; auto-immunity for all devices including IoT; secure wireless channels (invisible signals). GDPR FALLS FAR SHORT: • It involves manual processes • It is far too slow • It is not automated • No effective responses • A hindrance, not a gain • Advantageous to the Dark Side
  19. WHEN WE FIX THE TECH: Are we then close to being safe?
  20. AFRAID NOT! More hurdles to jump.
  21. PEOPLE THE PROBLEM: Impossible to control; change too slow.
  22. SPAN OF HUMANITY: Impossible to fully define/understand predispositions. Honest, Dishonest, Opportunist, Hacker, Black Hat, White Hat, Silly, Extreme, Careless, Helpful, Hapless, Naive, Arrogant, Ignorant, Unthinking, Emotional, Analytical, Hacktivist, Old, Tired, Distressed, Confused, Technophobe, Technophile, Depressed, Ill, Nervous, Professional, Young, Blue Collar, Unemployed, Employed, Educated, Uneducated, Poor, Rich, Caring, Uncaring, Biased, Accepting, Unaccepting, Loner, Team Player, Social Networker, Insider, Outsider, Untidy, Reckless, Careful, Good, Bad, Evil.
  23-25. CARELESS: London is a safe city! I was working in London and stopped for a coffee break in Soho… A smart young man walked in and I spotted his badge! He sat right in front of me and this is what my mobile phone could see as he booted up! Coffee Shop Protocol: • Sit as far back from the door as possible, ideally with no one to the rear or the sides • Check for overhead cameras • Do not wear identifying insignia of any kind • Do not boot up to an identifying company, country, government or agency badge • Check and be aware N, E, S, W
  26. LOUD & RUDE: There is always a price to pay! The group next to my colleague had just chanced upon the perfect name for their new company. So he bought the domain name and all the variants before they had completed their meeting!
  27-28. UNTIDY: Litter bug :-) Dropped receipt on a wet floor; I picked it up and this caught my eye. And then the fun started! I followed to a coffee shop. A few minutes listening and observing, aided by Google and Facebook, and I had: full name & address, telephone number, eMail address, date of birth, some history +++. My final act was to explain to this gentleman just how expensive litter might be… and he really ought to take care!
  29-31. OPPORTUNISTIC: Unintended revelations & consequences. DAY 1: pass card for an undefined meeting (TRUTH ENGINES, An End Game Company: Dr Peter Cochrane, EU Concept Consultant). DAY 2: pass card as a member of staff (TRUTH ENGINES, An End Game Company: Peter Cochrane, Internal Affairs Advisor). I was invited to test a company's revised security. My way in was to simply massage my security pass from visitor to employee. I then played the role of an old boy not really up to the modern world of IT, and so many wonderfully kind people came forward to help me access networks, rooms and facilities. My secret? Wear a suit and a tie & look very respectable… everyone knows that hackers wear hoodies!
  32-33. EXHIBITIONISTS: Government employees bragging. A stack of papers readable at a glance; three identical laptops; three mobiles all the same; ME (diagram position). In < 1 hour of looking & listening I had: all their names, mobile numbers + eMail addresses, unit codes, postal drop, building floor and room, IT support number and log-in, who was at their meeting, meeting agenda, who said what, decisions made, project code name, organisations involved, objectives and progress, the name of a ‘Secret Project’ talked about in euphemisms +++++
  34. THE KIND & HELPFUL: Sophisticated phishing attacks. https://www.youtube.com/watch?v=lc7scxvKQOo
  35. THE GOOD NEWS: Habitualities are near impossible to hide. We have so very many individually identifiable idiosyncrasies and routines that they define who and what we are to a very high degree of accuracy, especially when combined with biometrics.
  36. DEVICE THEFT: Or is there something more here? This is a high-risk crime with a good chance of getting caught in the act or getting caught on camera… Why would anyone do this for a few ££ an hour, or is there hidden value added that we are not seeing? https://www.youtube.com/watch?v=TWilMUpEMEk https://www.youtube.com/watch?v=tSKXZnfOe60
  37. UP THE VALUE: 100s of hack tutorials online. A naked mobile device is one price; a live mobile device with all the log-in and personal data accessible is a much better deal!
  38. BEHAVIOURAL ANALYSIS: Might just be the ‘king pin’ that holds together our security. Just as we can be identified by where and what we eat, say and do; how we walk, talk, type and behave; and the friends and colleagues we meet; there is an equivalency for us and all our devices! Sociology of People; Sociology of Things.
  39. WORTH READING: Supreme art of war, applicable today (~5th century BC). “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.” “Be so subtle that you are invisible. Be so mysterious you are intangible. Then you will control your rivals’ fate.”
  40. Thank You. cochrane.org.uk. We possess superior technology, networks and brains; if we lose this war it is down to our organisational inabilities… and the Dark Side will have an easy win! https://www.uos.ac.uk
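The ‘behavioural analysis of networks, devices, people’ and the ‘auto-immunity’ of dynamically isolating misbehaving devices (slides 13, 17 and 38, and the description above) reduced to a runnable sketch, added here as an example that is not part of the original presentation: learn each device's normal peers and traffic volume from a quiet period, report exceptions, and mark repeat offenders for isolation. Device names, the log field layout and every record are constructed assumptions.

```python
# Added example (not from the original slides): learn each device's normal
# behaviour, flag exceptions, and isolate repeat offenders ("auto-immunity").
# Device names, field layout and every record below are constructed.
from collections import defaultdict

# Constructed learning-period records: (device, dst_host, dst_port, bytes)
BASELINE_LOG = [
    ("toaster-01", "api.vendor.example", 443, 1200),
    ("toaster-01", "api.vendor.example", 443, 1300),
    ("toaster-01", "ntp.example", 123, 90),
    ("cam-07", "cloud.cam.example", 443, 50000),
    ("cam-07", "cloud.cam.example", 443, 52000),
    ("cam-07", "ntp.example", 123, 90),
]

# Constructed live records to score against the learned baseline
LIVE_LOG = [
    ("toaster-01", "api.vendor.example", 443, 1250),  # usual vendor API call
    ("toaster-01", "203.0.113.9", 6667, 400),         # never-seen peer and port
    ("toaster-01", "198.51.100.4", 445, 900000),      # new peer, huge transfer
    ("cam-07", "cloud.cam.example", 443, 51000),      # usual video upload
    ("sensor-99", "ntp.example", 123, 90),            # device never profiled
]

def learn_baseline(records):
    """Per device: the (host, port) peers seen and the largest single flow."""
    peers, biggest = defaultdict(set), defaultdict(int)
    for dev, host, port, nbytes in records:
        peers[dev].add((host, port))
        biggest[dev] = max(biggest[dev], nbytes)
    return {d: {"peers": peers[d], "max_bytes": biggest[d]} for d in peers}

def score(record, baseline, factor=3):
    """Reasons this record is an exception to its device's established pattern."""
    dev, host, port, nbytes = record
    prof = baseline.get(dev)
    if prof is None:
        return ["unknown device"]  # nothing learned, so nothing to trust
    reasons = []
    if (host, port) not in prof["peers"]:
        reasons.append(f"new peer {host}:{port}")
    if nbytes > factor * prof["max_bytes"]:
        reasons.append(f"volume {nbytes}B exceeds baseline")
    return reasons

def triage(live, baseline, isolate_after=2):
    """Exceptions per device; devices over the threshold are marked for isolation."""
    findings = defaultdict(list)
    for rec in live:
        findings[rec[0]].extend(score(rec, baseline))
    findings = {dev: r for dev, r in findings.items() if r}
    isolate = {dev for dev, r in findings.items() if len(r) >= isolate_after}
    return findings, isolate
```

Running triage(LIVE_LOG, learn_baseline(BASELINE_LOG)) marks toaster-01 for isolation and reports sensor-99 as an unknown device while cam-07 raises nothing. In practice the baseline is re-learned continuously so that legitimate change does not accumulate into false isolations.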
