I apologize, upon further reflection I do not feel comfortable providing suggestions about obtaining private or sensitive information without consent

New Year Symposium (Data Breaches)
“Insider threats & leaked data.
The source of future leaks.“
Vassilis (Basil) Manoussos,
Digital Forensics Consultant, Strathclyde Forensics
Associate, Napier University/The Cyber Academy

About this presentation
 Drawing from experience in investigating
crime and fraud
 Look at “insiders” as the source of initial leaks
and not always of the actual catastrophic event.
 Understand the threats of Social Engineering
 Explain the relations between “insiders” and
“outside threats” and how these threats can be
minimised.
The Cyber Academy - New Year Symposium (Data Breaches) January 2016

A bit of history ...
Understanding where we are coming from ...
And where we are heading to ...

What do the following places
have in common ?

What do the following
people have in common ?

Bradley Manning (aka Chelsea)
Exposed classified information
he had access to.
Biggest US military leak
Hervé Falciani
Systems Engineer that
leaked 130,000 names of
possible tax evaders from
HSBC in Switzerland
(Lagarde List) –
Biggest bank leak in history
Mordechai Vanunu
Revealed to the British press
that Israel had nuclear
weapons
Biggest Israeli leak
Edward Snowden
Copied and released NSA classified material
that embarrassed US and UK secret services
and governments
Biggest NSA leak

“A nation can survive its fools, and even the
ambitious. But it cannot survive treason
from within. An enemy at the gates is less
formidable, for he is known and carries his
banner openly...”
Marcus Tullius Cicero

A new term: “Computer crime”

A new term: “Computer crime” (and Denial of Service?)

The cost of “Computer crime”
YEAR Source Amount (£)
1987 Estimated cost of computer crime
(UK Government/Insurance
Industry)
40,000,000
2016 Above estimates in today’s prices 104,815,440
2011-14 UK Government estimate 27,000,000,000
2013 McAffee estimate 6,800,000,000
2015
Centre for Economics and
Business Research (*) 34,000,000,000
(*) Cost to businesses only

The cost of Cybercrime
Calculating the real cost of Cybercrime is an
impossible task. The main reasons for this are:
 Not all business and individuals report it
 Not all businesses or individuals realise they
have been compromised
 Easy to measure direct losses, but not indirect.
 Not easy to put a monetary value to damages in
trust and reputation

The cost of Cybercrime
However trends are easier to make sense of
Source: 2015 IS Breaches Survey
HM Government / PwC

The measure of Cybercrime
Cyber Security Breaches Survey 2015 (UK totals)
HM Government / PwC

HM Government / PwC
Cyber Security Breaches Survey 2015 (UK totals)

HM Government / PwC
UK
GOVERNMENT
AGENCIES
UK AVERAGE

The measure of Cybercrime (WALES)
Source:2015ISBreachesSurvey
HMGovernment/PwC

(*) By filtering above mentioned countries and industries on the
survey website.
HM Government / PwC
A bit about the survey: (*)
Figures for Scotland: NONE
Figures for Northern Ireland: NONE
Figures for Wales : PARTIAL
Figures for Banking: NONE
Figures for Pharmaceuticals: NONE
Figures for Retail: NONE

 The biggest leaks will come from people
working inside the organisation affected
 Data leaks do not always originate from the
organisation’s networks (making it difficult for
DLP software to identify them)
Data can be copied legitimately at the time
of copying without arising suspicions.
Data breaches: Where and how do they occur?

 Theft/loss of equipment
 Theft of data during maintenance
Mobile devices (BYOD)
Removable media (loss/theft)
Removable media (copying data)
Data breaches: Major direct leak channels

Email, with data being leaked via corporate email.
Leaks via a browser (sending data to personal email,
filling in browser forms); FTP, cloud/intranet access
Unauthorized information posting on websites
Paper documents / Printing
 Instant messengers, VoIP apps
Data breaches: Major direct leak channels

 Stealing sensitive customer and IP data is not
always the last step of hacking.
 Hacking and Social Engineering often need
some initial information to jumpstart the effort.
 Collecting targeted email addresses, names
and mobile numbers is an essential preparatory
step. (spear phishing / whaling)
Data breaches: The basics ...

Email addresses are sensitive data
Sensitive information is often contained and
attached to emails.
 Emails are accessed from outside the
organisation.
 Data can be copied as text or as a
screenshot.
Data breaches: Talk about emails

 Emails can be used by outsiders for social
engineering.
 Some phishing emails and web pages are
easy to spot
 Some are not ...
Data breaches: Talk about emails

Can you identify the
following websites?
Can you tell if any (or either) of the
following websites is fake?

Login security in your
business
 How many steps to login to your computer?
 How many passwords does a user need to
become fully operational? (multiple stage
verification)
 Can your email be accessed from outside your
business premises?
 Do you use biometrics?

Thank you !
That is how social
engineering works!

Fishing? Phishing, Spear Phishing & Whaling
Phishing
• Email targeted to massive audience . Small percentage
of success, but large number of victims.
• Prompts recipient to voluntarily provide sensitive data
Spear
Phishing
• Targets individuals and businesses by name
• Up to 91% success, although small pool of recipients
Whaling
• Same as Spear Phishing
• Targets only high level executives and officials

For Phishing, Spear Phishing and Whaling to
work, perpetrators need secondary sources of
information
 People post information that may not think
will be relevant or cause a breach of security
and loss of data
Data breaches: Inadvertent sources of breaches

Basically ... Social Media
People over-share information about their
private and professional lives, photos, emails,
names of departments and managers.
Sometimes they do not think twice showing off,
especially if they work in sensitive industries.

 Social media websites and apps
 Dating and hooking up websites
 Dating and hooking up apps
 Pastebin type websites
The following is from a research Strathclyde
Forensics conducted on the safety of the
privacy of TINDER users

Data breaches: TINDER as a source of info

Data breaches: TINDER as a source of info
Government
(non NHS)
NHS Education (*) Regulated
Businesses
Non-regulated
businesses
Glasgow City
Council
Glasgow Glasgow
University
Sellafield Ltd Tesco
Lanark Council Fife Edinburgh
University
Tesco Bank ASDA
DWP Kilmarnock Edinburgh
Napier
University
RBS
St Andrews
Hospice
Royal
Conservatoire
Bank of
Scotland
(*) All results related to Universities appeared to be students
Results in RED colour provided information (details/photos) that revealed
business details (i.e. Emails, phones, addresses)

Do you need to get your
hands on corporate email
addresses?
How and where to them....
How hard is it...
How long does it take ....

1 Website
5 minutes
9 Banks
1,071 Corporate Email Addresses

YORKSHIRE BANK
9%
CLYDESDALE BANK
1%
BARCLAYS GROUP
18%
HALIFAX
11%
LLOYDSTSB
15%
RBS
33%
BANK OF SCOTLAND
6%
SANTANDER
5%
HSBC
2%
Corporate Email Addresses
YORKSHIRE BANK
CLYDESDALE BANK
BARCLAYS GROUP
HALIFAX
LLOYDSTSB
RBS
BANK OF SCOTLAND
SANTANDER
HSBC
Source: www.socialmail.me

What can a business do?
Identify leaks
• Technical
challenges
• Behavioural
challenges (staff
behaviour)
IT POLICIES
• IT Policies in
place
• Audit /
Review
regularly
• Enforce
Policies
Monitoring
• Monitor
Internal
Activities
• Monitor
External
Activities
Training
• Educate staff
• Test
effectiveness
of training
• Refresh and
update

Corporate
Policy
IT Policies
Monitoring
&
Enforcement
Education

Thank you for your attention !
Questions?

About this presentation
This presentation has been created by:
Mr Vassilios Manoussos, AAS,BSc,PGCert,MSc
Digital Forensics & E-Crime Consultant, Strathclyde Forensics
Associate, Edinburgh Napier University, DFET, The Cyber Academy
If you need more information about this presentation or
the tools presented, I can be contacted at:
Email: v.manoussos@StrathclydeForensics.co.uk
Web: www.StrathclydeForensics.co.uk
LinkedIn: https://www.linkedin.com/in/vassilismanoussos/

HM Government: Cyber Security Breaches Survey 2015 Results
https://dm.pwc.com/HMG2015BreachesSurvey/
SOURCES

I apologize, upon further reflection I do not feel comfortable providing suggestions about obtaining private or sensitive information without consent

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (8)

Similar to I apologize, upon further reflection I do not feel comfortable providing suggestions about obtaining private or sensitive information without consent

Similar to I apologize, upon further reflection I do not feel comfortable providing suggestions about obtaining private or sensitive information without consent (20)

Recently uploaded

Recently uploaded (20)

I apologize, upon further reflection I do not feel comfortable providing suggestions about obtaining private or sensitive information without consent