An APM webinar sponsored by the APM Midlands Branch on 15 March 2022.
Speaker: Fábio Morais
An overview of the people behind major cybercriminal activities, the dark web and how much your data is worth; and finally what basic measures project managers should be putting in place to reduce the cyber-risk profile of their projects.
In today’s data-driven world, data breaches can impact projects that affect hundreds of millions or even billions of people at a time. Digital transformation has increased the volume of data in motion, and data breaches have scaled up with it as attackers exploit the data dependencies of daily life.
With recent attacks threatening to derail high-profile projects, it’s vital that the risks are identified and actions implemented, not only to protect project data, but to protect project managers and stakeholders.
Most cybercrime is an attack on information about individuals, corporations or governments, and the events involved can occur in jurisdictions separated by vast distances. The Internet offers criminals multiple hiding places, in the real world as well as in the network itself, posing severe problems for law enforcement, since international cooperation is usually required to investigate and track down cybercriminals.
But who are these individuals and where exactly does cybercrime take place? What, as project professionals, can we do to protect ourselves?
We look to answer these questions by lifting the veil of hacking and the Dark Web.
https://youtu.be/TDXPetxXDMA
https://www.apm.org.uk/news/cyber-security-for-project-managers-lifting-the-veil-of-hacking-webinar/
Cyber security lifting the veil of hacking webinar
1. STEERING GROWTH WITH INNOVATION
TECHNOLOGY | EXPERIENCE | EXPERTISE
Cyber Security
Lifting the veil of Hacking
2. Fábio Morais, MBCS
Commercial-in-Confidence | Copyright Kuzuko Group Ltd.
BACKGROUND
• BA(Hons) in Computing Solutions with Internet Applications
• Higher National Diploma in Software Development
• Certified Penetration Tester (Ethical Hacker)
• Professional Member of the Chartered Institute for IT
• Over 20 years' experience in the Information Technology sector
• Non-executive Director
• Chief Technical Officer
L I F T I N G T H E V E I L O F H A C K I N G
3. Contents
WEBINAR AGENDA
• Hacker profiles and motivations
• Common types of attacks and techniques used
• The Dark Web and how much your data is worth
• The rising cost of cybercrime
• Reducing the cyber-risk profile
4. Hacker Categories
• Black Hat: Someone who attempts to break into networks, computers or mobile devices with malicious intent, often linked to organised cyber-criminal activities.
• White Hat: Cyber security experts commissioned by businesses or legal authorities to simulate a genuine attack and provide recommendations on how to resolve any gaps found. This is also known as Penetration Testing or Ethical Hacking.
• Grey Hat: As the name suggests, the activities carried out by these individuals fall somewhere between the two definitions above. Often they are former Black Hat hackers who collaborate with law enforcement to expose cyber criminals, or individuals acting alone with the intention of exposing weaknesses for the benefit of the wider cyber security community. Such actions are frequently deemed unethical.
6. Case Study: Black Hat Hackers
• At 16 years old, Edwin Robbe hacked into a Dutch telecom company, giving him control over the national emergency hotline and costing the company 3 million Euros. He was found dead at the age of 22.
• In 2011, Hector Monsegur helped Tunisian protesters by bringing down the country’s internet. He is now an FBI informant.
• Albert Gonzalez, age 22, hacked into a major US retailer, stealing an estimated US$600 million in credit card information. He is now serving a 20-year sentence and is scheduled for release in 2025.
8. Common Types of Breaches
• Ransomware: Malicious software that makes data or systems unusable until the victim makes a payment.
• Distributed Denial-of-Service (DDoS): When legitimate users are denied access to computer services (or resources), usually by overloading the service with requests.
• Brute-Force Attack: Using computational power to try vast numbers of character combinations in order to discover passwords.
• Dictionary Attack (Rainbow Tables): A type of brute-force attack in which known words, phrases and passwords are used to guess user credentials.
• Download Attack: Unintentional installation of malicious software or a virus onto a device without the user's knowledge or consent.
• Phishing (Spear-Phishing, Whaling): Untargeted mass emails sent to many people asking for sensitive information (such as bank details) or encouraging them to visit a fake website.
• Social Engineering: Manipulating people into carrying out specific actions, or divulging information, that is of use to an attacker. It can also take the form of targeted social media scanning to collect information about individuals or businesses.
• Water-holing (Watering Hole) Attack: Setting up a fake website (or compromising a real one) in order to exploit visiting users.
9. Sources of Data Breaches
• Hacking: 45%
• Human Error: 25%
• Social Engineering: 18%
• Malware: 8%
• Physical: 4%
11. Case Study: Major Cyber Incidents
• Facebook exposed over 400 million phone numbers on a server without password protection. It is currently appealing a £500,000 fine from the UK Information Commissioner's Office (ICO) relating to the Cambridge Analytica scandal.
• MGM Resorts in Las Vegas had the personal details of 10 million guests compromised in 2019.
• British travel firm Teletext Holidays exposed 500,000 customer files containing Personally Identifiable Information on an unsecured AWS server.
• Security company Suprema had 1 million biometric and Personally Identifiable Information records hacked in 2019.
• British Airways had payment card details from nearly 400,000 customers stolen in 2018.
12. The Dark Web
• Surface/Clear Web (4%): Leading search engines and public sources.
• Deep Web (90%): Records (academic, legal, medical, government), subscription-only information (e.g. Netflix), databases, and intranets.
• Dark Web (6%): A mix of explicit criminal activities and elements of whistle-blowing, political dissent and human rights activism.
13. How much is your data worth?
• Profile Accounts: Depends on the profile or target platform, but often seen selling at around US$1 per profile.
• Bank/Credit Details: Typically ranges from US$5 to US$30 per account.
• Personally Identifiable Information: On average this sells for circa US$300 per record.
• Personal Health Information: On average this sells for US$350 per record.
18. The Rising Cost of Cybercrime
• US$3 trillion globally in 2020 – this would qualify as the world’s 5th largest economy.
• 15% average growth per year.
• Over 40% of businesses that are hacked stop trading.
• 92% of all cyber crime is unaccounted for.
• On average, only 5% of corporate data is properly protected.
• 62% of cybersecurity professionals agree they need more manpower and support.
• Attacks on Internet of Things (IoT) devices increased by over 500% between 2016 and 2017.
19. Reducing the Cyber-risk in Projects
• Define and communicate expectations and responsibilities around cybersecurity with all stakeholders and suppliers. These should be legally binding whenever possible.
• Use suppliers that are compliant with the relevant international standards, such as ISO 27001 and Cyber Essentials/Cyber Essentials Plus.
• Include cyber in the project risk assessment and define ALARP (As Low As Reasonably Practicable).
• Implement a Zero-Trust based data access policy. This includes the encryption of sensitive files and folders (e.g. databases, USB drives). Think before you click, download or install anything.
• Apply all software updates as soon as they become available. Use VPNs when working remotely (including from home) and set regular (at least weekly) automatic anti-virus scans.
• Enforce Multi-Factor Authentication whenever available and use strong passwords: 8 characters is no longer considered safe. Use 12 or more and make them unique and without any personal details (e.g. 360audit#Preschool@9feet-tall).
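The password rules on this slide (12 or more characters, unique, no personal details) together with the dictionary-attack definition from the breaches slide can be turned into a simple policy check that a project team could run before accepting a credential. This is an added example written for this page, not the speaker's or Kuzuko's code; the common-password list and the user details are constructed, and the leet-speak normalisation is an assumption about substitutions a dictionary attack would also try.

```python
import hashlib
import re

# Constructed sample of the "known words, phrases and passwords" a dictionary
# attack iterates over; a real check would load a breached-password list.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "summer"}

# Constructed personal details for a hypothetical user; none should appear
# in the password (the slide's "without any personal details" rule).
USER_DETAILS = {"name": "Alice", "surname": "Smith", "birth_year": "1985",
                "employer": "ExampleCorp", "project": "Phoenix"}

# Undo the letter/digit substitutions attackers also try (P@ssw0rd -> password).
LEET = str.maketrans("013457@$!", "oleastasi")

def normalise(pw: str) -> str:
    """Lower-case, drop a trailing digit run and undo leet substitutions so a
    password like 'P@ssw0rd2022' collapses to 'password' before the lookup."""
    return re.sub(r"\d+$", "", pw.lower()).translate(LEET)

def password_hash(pw: str) -> str:
    """SHA-256 hex digest used to store and compare previously used passwords."""
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(pw: str, details: dict, previous_hashes: set) -> list:
    """Return the list of policy violations; an empty list means acceptable.
    previous_hashes holds password_hash() digests of passwords already used."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if normalise(pw) in COMMON_PASSWORDS:
        problems.append("matches a known password")
    lowered = pw.lower()
    for field, value in details.items():
        # Only flag details long enough not to match by accident.
        if len(value) >= 4 and value.lower() in lowered:
            problems.append(f"contains personal detail ({field})")
    if password_hash(pw) in previous_hashes:
        problems.append("reused password")
    return problems

if __name__ == "__main__":
    used = {password_hash("Summer2021!")}
    for candidate in ["P@ssw0rd2022", "Phoenix-1985-AliceSmith",
                      "360audit#Preschool@9feet-tall"]:
        print(candidate, "->", check_password(candidate, USER_DETAILS, used) or "OK")
```

Note that "P@ssw0rd2022" passes the 12-character rule yet is still rejected, which is why the slide asks for length, uniqueness and no personal details together rather than length alone.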