1. Lipstick on a Pig
Professor John Walker MFSoc CRISC CISM ITPC CITP SIRM FBCS FRSA
Director of CSIRT & Cyber Forensics
INTEGRAL SECURITY XSSURANCE Ltd
24 Lime Street | London | EC3M 7HS
Mobile: +44 (0) 7881 625140
Office: +44 (0) 2032 894449
2. History
Based on case histories, media reports, and statements from the Met Police Computer Crime Unit, there is
strong evidence to suggest Cyber Criminality [in all forms] is winning.
At the First Digital/Cyber Forensics event hosted by the Forensic
Science Society – York, on 03/02/14, the expert panel observed:
a. Most companies subjected to Security/Pen Testing have
multiples of significant [repeated] vulnerabilities!
b. The Black Hats are winning [proven by case histories]
c. Criminality exercises high degrees of innovation & imagination
http://itsecurityguru.org/water-water-everywhere-byte-eat/#.UwHtII2PNhE
3. Tick Boxes Lead to Compliance – NOT always Security
On the 13th February 2014, I participated in a Webinar for info security.
A question was posed:
Q: What does Tick Box Security NOT Tell You?
The Answer
A: What the Successful Attacker Knows!
http://www.infosecurity-magazine.com/webinar/443/testing-your-businesss-ability-to-defend-its-digital-and-physical-workplace-/view.aspx
4. Mediocrity will NOT Suffice
It was the BofE who were the main orchestrators of
Waking Shark II – yet they have a number of significant
security exposures, and vulnerabilities, of which they
have been informed under respectful, Channelled
Disclosure Notification – with no response, or action.
If we are to lead the riotous path to evolve security
and to protect the public, then it must surely follow
a route to secure our infrastructures, and not just
ignore the open states of potential compromise!
We must take the Threat seriously – or there is no point.
In fact
we are already here!
See article in Digital Forensics Magazine – [If you want a copy just drop me a line].
Waking Shark II – Security, or PR http://www.informationsecuritybuzz.com/waking-shark-2/
5. DDoS
DDoS has been growing in popularity year on year, with the throughput of adverse traffic increasing - & it requires
zero skill to join in:
8. Intelligent Postures & Response
Know your Critical assets
Find out what you ‘Don’t Know’
Consider the element of Data Leakage – Conduct a Triage
Conduct Intelligent Testing
Know your Business Exposure
Employ Situational Awareness Practices
Evolve an Incident Response Process, and Capability [Not just Lights on stuff]
Don’t do ‘Lip-Service’ do ‘Security’
9. The CSIRT Framework
An example of a CSIRT[1] Framework, encompassing:
• GRC & Case Management
• Document Registers – with Version Control
• LAB [ISO/IEC 17025]
[Diagram: framework elements as extracted from the slide]
GRC & Case Management:
• ISO 27001 – Statement of Applicability [SOA]
• Run-Books [Story Boards]
• Policies & Processes
CSIRT Document Registers:
• CSIRT Incident TOR/Processes
• CSIRT Incident Response Policy
• ISO/IEC 27001 Segment SOA
• CSIRT Procedures
• Tools & Apps
• CSIRT Run-Books
LAB [ISO/IEC 17025]:
• Investigations [PAS 555]
• Acquisition
• DoS/DDoS
• Abusive Images [COPIN/SAP]
• Image Extraction
• Phishing
• Malware [Virus – Trojan]
• Legislation [e.g. DPA/ITA]
[1] Computer Security Incident Response Team
10. Five Simple Conclusions
• Possibly there is need to instil more ethics in those organisations who have failed to meet their
obligations.
• Maybe it’s a case of Less ‘Tick Box’ Compliance, and More Operational Security.
• Could it be that we have reached the time where the levels of Insecurity and Security Breaches are
implying we need to get Back-to-Basics?
• Above all, has the time arrived which dictates that we need to rethink what security is, how it can be
best accomplished, and how we can serve our public better, without the need for such
government, or EU enforcement?
• However, it really is about understanding, and appreciating, what Cyber Risk really is in 2014 >>, and
the associated ramifications of what uninformed exposure could mean to the business.
Donald Rumsfeld - There are known unknowns; that is to say, there are things that we now know we don't know…
11. The ULTIMATE Conclusion
We must recognise the onslaught, and success, of Cyber Crime in all forms – and it is time to address it
full on – with commitment – and above all, we must not, by implication or suggestion of complacency,
become a part of the problem.
To quote GCHQ/CESG from the mid eighties: We see the computer virus as a nuisance, & a passing threat!
To quote CPNI from 6 years ago: The Cyber Threat is over hyped!