ScotSecure 2020

WELCOME TO DIGIT’S 6th ANNUAL
SCOT-SECURE
EDINBURGH - DYNAMIC EARTH - 19TH & 20TH FEBRUARY 2020
LEAD SPONSOR
CO-SPONSORS
@digitfyi #scotsecure
2020
Part of Orange Cyberdefense
DAY 1

KEVIN FIELDERCISO
@kevin_fielder
JUST EAT
DAY 1 SESSION 1

4
Just Eat and me (briefly!)
What I’m
going to talk
about
What are we up against
Security Team
It’s not just the Security Team!

Global reach
12 markets
`
Offering choice
240,000 Restaurant Partners, serving over 100 different cuisine types
Diversified customer base
28m active customers, placing over 221 million orders in 2018
A fantastic team
Over 3,600 employees globally
*data correct at 13 July update 2019
A LEADING GLOBAL
HYBRID
MARKETPLACE FOR
ONLINE FOOD
DELIVERY

Our vision
SERVING THE WORLD’S GREATEST
MENU.
BRILLIANTLY.

9
Hacker, security, team builder, function
creator
Father
Sports - cycling, crossfit, crossfit
coaching….
Cars, bikes, cars...
Constantly learning
Wonders how I got here!
Maryland cookies and unicorns….

12
Social engineering
*Thanks Hornet Security for image!

13
Phishing
*Thanks Malware Bytes for image!

14
Insider threat
*Thanks Threatpost for image

15
Accidental Insider
*Thanks Bluefin for image!

16
Being aware…
Does not = care...
Awareness is broken

18
Strategic Pillars
Visibility
(Identify and Detect)*
Protection
(Protect)*
Response
(Respond and
Recover)*
Culture &
Training
Regulation &
Compliance
*Mapping to NIST
Framework

19
Building our team
• Being realistic in our expectations
• Hiring people with the right mindset - this is often more valuable
than ‘knowledge’
• Looking internally…
We have successfully moved people from other teams into the
security team!
• Remember security is everyone's responsibility!
We engage with other teams to work with us and deliver our
goals
Providing and awesome working environment and career
progression
Use your imagination!

20
Creating a Space to be Awesome!*
PURPOSE
AUTONOMY
MASTERY
INCLUSION
NEGATIVE factors that detract
*Credit Mark Williams - ChromeRose

21
Embrace cognitive diversity
- Challenge conventions
- Build a team that treats everyone
fairly*
- Be open to differences
- Encourage open conversations
- Be open and welcome challenges!
- Embrace change and actively engage
with people who have different
viewpoints or ways of thinking
*But avoid the trap of being overly ‘PC’

It’s not just the security
team!

24
Have a coffee*
- Build connections
- Listen to people
- Not every conversation needs to be
about security…
*not by yourself...*Thanks Little black duck for image!

25
Engage with the business
- Not that sort
- But seriously get involved
- Be part of the team
- Be partof the conversation
- Always think
- ‘how can we help
deliver better, faster
AND safer’
- NEVER
- ‘Security says no’
*not that sort...

26
How can I make you an advocate?
- Make every interaction positive
- Never blame
- How can we do better next time
- Genuine no blame culture
- ‘Security is helpful’
- ‘They helped me succeed’
*Thanks The Childhood League Center for image!

27
Be an enabler
Security must enable the business if it ever wants to become part of the business
To provide appropriate security and risk guidance at the speed of the business
To be flexible and able to pivot to meet changing requirements
- Evolving threat landscape
- Changing business needs and priorities

28
Finally… The public
• The trust of your customers and partners is
paramount
• They don’t care about tech
• They care how you treat them
• Perfection
• Appropriate and honest
• Don’t be the unlocked house!
*Thanks Maple Moon Web Design for image!

29
• We are all in this Together
• Engage Engage Engage
• Understand how people work and their goals
• Be an agent of change... Drive organisational improvements
• Make people care, not just aware!
Culture Culture Culture
Leverage the wider teams in your business
Be a business enabler
Takeaways*
1
*Pun Intended ;)

Ryan Sheldrake, Principal Architect International - Sonatype
Automate or Die

Source: 2019 DevSecOps Community Survey
velocity
47%deploy multiple
times per week

59,000 data breaches
have been reported to GDPR regulators since May 2018
source: DLA Piper, February 2019

Everyone has a software supply chain.
(even if you don’t call it that)

Demand drives 15,000 new releases every day

OSS download
volumes are a
proxy for build
automation.

85%
+
of your code is
sourced from
external suppliers
@llkkaT

Not all parts are created equal.

We are not “building quality in”.
source: 2019 State of the Software Supply Chain Report
2017
Java

We are not “building quality in”.
2018
npm
source: 2018 npm

Transitive dependencies Maven central Aug 2015
(it’s even bigger now!)
Complex interedependencies

170,000
java component
downloads annually
3,500
unique
18,870
11.1% with known
vulnerabilities

60,660
JavaScript packages
downloaded annually
per developer
30,330
51% with known
vulnerabilities

Every developer in your software supply chain is in
procurement

Social normalization of deviance
“People within the organization become so much
accustomed to a deviant behavior that they don't
consider it as deviant, despite the fact that they far
exceed their own rules for elementary safety.”
Diane Vaughan

Breaches increased 71%
24%
suspect or have verified a
breach related to open source
components in the 2019 survey
14%
suspect or have verified a
breach related to open source
components in the 2014
survey
source: DevSecOps Community Survey 2014 and 2019

The speed of exploits has compressed 93%
Sources: Gartner, IBM, Sonatype

100:1developers outnumber application security

DevCDCI
Prod
QA
UAT
CI
Server
Public OSS
repositories
Version
Control
Deployment
Process
Artifact
Repository
Developer
Nexus Lifecycle
IDE / maven
Weeks to approve
Relying solely on
penetration tests is
too late

source: 2019 DevSecOps Community Survey
Quickly identify who is faster than their adversaries

March 7
Apache Struts releases
updated version to
thwart vulnerability
CVE-2017-5638
Today
65% of the Fortune 100
download vulnerable
versions
3 Days in March
March 8
NSA reveals Pentagon
servers scanned by
nation-states for
vulnerable Struts
instances
Struts exploit published
to Exploit-DB.
March 10
Equifax
Canada Revenue Agency
Canada Statistics
GMO Payment Gateway
The Rest of the Story
March 13
Okinawa Power
Japan Post
March 9
Cisco observes "a high number
of exploitation events."
March ’18
India’s AADHAAR
April 13
India Post
December ’17
Monero Crypto Mining
Equifax was not alone
@llkkaT

Complete software bill of materials (SBOM)
2019 No DevOps Practice 2019 Mature DevOps Practices
19%
50%

18,126 organizations downloading vulnerable versions of
Struts
Source: Sonatype
Breach
announced.
14

1.3 million vulnerabilities in OSS components
undocumented
No corresponding CVE advisory in the public NVD database

At what point in the development process does your
organization perform automated application analysis?
2019 No DevSecOps Practice 2019 Mature DevSecOps Practices

Automation continues to prove difficult to ignore
2019 No DevOps Practice 2019 Mature DevOps Practices

Trusted software supply chains are x2 more secure
Source: 2018 State of the Software Supply Chain Report

I see no see no prospect in the long run for
avoiding liability for insecure code.”“
Paul Rozenzweig
Senior Fellow, R Street Institute
2018

The rising tide of regulation and software liability

1. An up to date inventory of open-source components
utilized in the software
2. A process for identifying known vulnerabilities within
open source components
3. 360 degree monitoring of open source components
throughout the SDLC
4. A policy and process to immediately remediate
vulnerabilities as they become known
January 2019
source: https://blog.pcisecuritystandards.org/just-published-new-pci-software-security-
standards

Solve your supply
chain problems
1 Solve your own
quality problems
– trust but verify
2 Create discipline
and continue to
do it(4)!
3(4)

2/21/2020 70
WICUS ROSS
SENIOR SECURITY RESEARCHER
@WICUSROSS
INTELLIGENT SECURITY
Why understanding your attack surface matters

2/21/2020 75
Equifax has confirmed that attackers entered its system in
mid-May through a web-application vulnerability that
had a patch available in March. In other words, the
credit-reporting giant had more than two months to
take precautions that would have defended the personal
data of 143 million people from being exposed. It didn't.
https://www.wired.com/story/equifax-breach-no-excuse/

2/21/2020 76
WE’RE DEALING
WITH MASSIVE
COMPLEXITY,
FLUIDITY &
ASSYMETRY
How do attain an advantage
over the threat in a chaotic
reality where the odds are so
heavily stacked against us?

2/21/2020 77
AttackSurface
ATTACKSURFACE
THREAT
LANDSCAPE

2/21/2020 79
Recon plays a major role while hacking on a program. Recon
doesn’t always mean to find subdomains belonging to a
company, it also could relate to finding out how a company is
setting up its properties and what resources they are using“

2/21/2020 81
WE’RE DEALING
WITH MASSIVE
COMPLEXITY,
FLUIDITY &
ASSYMETRY
How do attain an advantage
over the threat in a chaotic
reality where the odds are so
heavily stacked against us?

2/21/2020 82
Intelligence led security is the collection, aggregation,
correlation and analysis of both internal and external data to
understand risks, identify threat actors, discover and minimize
attacks or losses already underway, and understand and predict the
methods and actions of likely adversaries.

2/21/2020 83
A GOOD IDEA GETS COMODITISED

2/21/2020 84
TRADITIONAL ‘INTELLIGENCE’
Given that a specific IP is given to be acting
suspiciously by a Threat Intelligence source,
what is the probability that the IP will be
observed acting suspiciously again later?
“Less than 10% of all the IPs we produced
as ‘intelligence’ were involved in other
suspicious behavior. For actual Threat Lists
and for all practical purposes, the
performance was much worse than that”.
Threat Intelligence
Lab
Our T.I. petri dish
environment
Honeynet Lab
Our honeynet petri dish
environment
3.59%
14.73%

2/21/2020 86
PYRAMID OF GAIN
Threat Landscape
Offensive Action
Vulnerability
Attack Surface

2/21/2020 87
1. information concerning an
enemy or possible enemy or
an area
2. the ability to learn or
understand or to deal with
new or trying situations

2/21/2020 88
Observe the Landscape
SD Labs
Detect attacks and
compromise
MTD
Understand where
you’re vulnerable
MVS
INTELLIGENCE LED SECURITY
Know your enemy
Know yourself

2/21/2020 89
Observe the
Landscape
Understand
where you’re
vulnerable
Detect attacks
and
compromise
Collect Correlate
Triage Analyse
Strategize Execute
Measure
INTELLIGENCE & PROCESS
=
AGILITY & CONSISTENCY
=
MEASURABLE CHANGE

2/21/2020 90
WHY MANAGED INTELLIGENCE?
1 FOUR P’S
Do we want to spend
our time and effort
doing the basics
when modern
security needs to
be agile?
People, Process,
Platform and
Project
Management are
tedious and
expensive if not
core business.
2 SKILL
Do we have the
resources, experience
and environment to
retain our own set
of capabilities?
Appropriate skills
are incredibly
difficult to
identify, hire,
equip and retain
in a competitive
market.
3 AGILITY
Do we have the
environment to
continuously extend
and adapt our
scanning capability?
VM is not plug-
and-play and
continuous
investment is
required to
respond to new
bugs.

2/21/2020 94
IN SUMMARY
• We face overwhelming odds
• Intelligence Led Security can help tip the scales in our favour
• Intelligence is as much about understanding oneself as about understanding
the adversary
• All intelligence must start with understanding the Threat, and understanding
the Attack Surface
• Intelligence cannot be commoditized – it requires methodical collection of
data fed into a disciplined process
• Vulnerability data is one of the key elements of intelligence every business
needs
• Intelligence Led security requires a balance between consistency and agility
• For most organisations, this lends itself strongly to outsourcing… to the right
partner
• The ideal partner must deliver on the basics led by solid intelligence, in a
principled, skilled & transparent way.

2/21/2020 97
T: +44 (0)1622 723400 | E: info@secdata.com | W: www.secdata.com
@WICUSROSS

PROACTIVESECURITY
ARCHITECTURE
Changing the Game & SecuringThe Future
Scott Barnett
Deputy CISO
TSB BANK plc.

Aligning the
Cybersecurity
Function with
Organisational
Strategy
1) How to build a forward looking security architecture capability
2) Embedding strategic threat intelligence in product
development
3) Choosing security standards and moving the bar
4) Managing security change in an impatient world
5) Agile? DevOps? No problemo!

BuildingSecurity
ArchitectureTeams
FORWARD LOOKING FUNCTIONS

IT’S ABOUT PEOPLE!
Security
Architecture
▪ Analytical
▪ Great communicator
▪ Strategic
▪ Understands the business
▪ Investigative

Security
Architecture
MUTUAL SUCCESS
ENVIRONMENTS

EmbeddingStrategic
Threat Intelligence
THREATSTO ORGANISATIONAL GOALS

What is
StrategicThreat
Intelligence
INFORMING DECISIONS information
+ analysis
+ inferences
a tool for
decision making
=
Our mission: to provide forewarning of
security threats toTSB to minimise harm to
our customers, staff, and business

Threatsto
StrategicPlans
WHAT IS A STRATEGY?
Long Term
Goals
Roadmap
Opportunities
and Risks
CoreValues
Mission
Statement
Vision

ChoosingSecurity
Standards
MOVINGTHE BAR

Establishing
Frameworks
Where are we and where do
we want to go?

Interlinked
Frameworks
TELLINGSTORIES
1) Control Framework
o Functional and Non-Functional Requirements
o Technical Controls
o Gap analysis
2) Program Framework
o Establish maturity
o Communicate roadmap objectives
o Compare quantitively against peers
3) Risk Framework
o Identify key risks
o Prioritise remediation
o Articulate security posture in real terms

ManagingSecurity
Change
IN AN IMPATIENTWORLD

SecurityChange
CLEAR COMMUNICATIONS

SecurityChange
SECURITY BY CONCEPT AS WELL
AS BY DESIGN
Business
Non Functional
Security Requirements
and Controls

AGILE
CHALLENGING THE
SECURITY STATUS QUO

DEVOPS
EVERYONE ELSE IS DOING IT SO
WHY CAN'T WE?

SECURITY AWARENESS IN PRACTICE
Garry Scobie
Deputy Chief Information Security Officer

• Identifying the challenges to overcome when
introducing a security awareness program
• An overview of real-life attacks on the
organisation, which help to shape our
thinking on awareness training
• Suggested solutions using the current
awareness program at The University of
Edinburgh as an example
Agenda
This Photo by Unknown Author is licensed under CC BY-ND

• Security breaches are announced almost weekly
• Users may rightly ask why bother with security?
• Some believe it doesn’t apply to them.
• “I’m going to be hacked anyway.”
• “I’ve nothing important to lose.”
• “Mandatory security training? But I’m a ….”
• “We have clever people. They won’t be phished.”
Why bother?
This Photo by Unknown Author is licensed under CC BY-NC-ND

• I see a lot of good practice.
• Others, however…
• “Do I have to ask suppliers about their
security?”
• “Are there any loopholes in GDPR that I can
use to get around it?”
• “Can we just not bother?”
• This makes for a challenging environment.
A challenging environment
This Photo by Unknown Author is licensed under CC BY-SA-NC

• The environment is complex
• Connecting everybody with everything
• Who reads terms and conditions, and
understands what it actually does?
• InfoSec remit covers a huge area of policy,
tech and guidance
• A common support call is “I’ve found this
piece of software. Is it okay to use from an
InfoSec perspective?”
Challenge 1 - Complexity
This Photo by Unknown Author is licensed under CC BY-NC

• The sheer volume of data,
messages, things for people to click
on and access.
• How is our message going to stand
out, let alone get through?
Challenge 2 - Overload

• Everyone is important in helping all of us to
be more secure. Fostering awareness cannot
lose sight of this.
• The message must appeal and be
understood by all. Be wary of jargon.
• Is the awareness training you provide
accessible and achievable by all your users?
• Different audiences – message may have to
be modified. Tech v non-tech
Challenge 3 - Diversity and Accessibility
This Photo by Unknown Author is licensed under CC BY-SA-NC

• Security awareness must add value.
• Not just be a drain on resources.
• Competing against all other priorities.
• Security awareness is not a one-off.
• Whatever you do has to be ongoing.
• It’s a continual process of revisiting, revising
and reinforcing.
Challenge 4 - Justifying budgets
This Photo by Unknown Author is licensed under CC BY

• The image of Information Security needs to
change
• Pictures of hoodies with dark glasses in
basements is dated and turns people off
• InfoSec needs to be approachable
Challenge 5 – Image

• How do you know if your message is
getting across?
• Are you making a difference?
• How can you tell?
Challenge 6 - Measuring Effectiveness

• Ensure security awareness is embedded
and becomes the norm for the
organization.
• Rapid turnover of staff and students is a
challenge
• Long serving staff
• Not just being aware, but understanding.
Challenge 7 – Cultural Change

• An internationally-acclaimed
seat of learning.
• Reputation for research and as a
pioneer of discoveries and
scientific breakthroughs.
• A major employer.
The University of Edinburgh

• Data theft – PII of staff and students.
• Financial gain – handling of student fees;
large employer; contracts with third
parties; Research grants.
• Espionage – centres for research hold
valuable intellectual property – you
name it, it’s probably being researched.
• These are highlighted in our awareness
program.
The University is a target

• Lack of awareness
• Phishing
• Malware/Ransomware
• These are linked together
• Helps to shape our thinking on
awareness training
• Relate advice to incidents helps to
make it real
Top Cyber Threats

• There are deliveries everyday and emails
informing users of them
• Phishing is typically Ransomware or grab of
credentials
• Don’t pay. Restore from backups
• No reading of email and browsing the web
while logged in with a privileged account
• Evidence suggests top targets for phishing
attempts are research/medical
Phishing

• Academics concerned over phishing attacks which
they spotted, but how did they get that personal
data about them?
• Academic on-line profile is full of useful data.
• Biography, teaching and PhD Supervision,
research, projects, publications.
• Social engineering using social media.
• We can’t hide away. Just be aware of what you put
out and be on guard whenever someone new
approaches you.
Spear and Whale Phishing

• A fake conference with website
• A real conference with fake website
• A real conference and an email spoof claiming
delegate hasn’t paid
• Problem with the registration process
• Fill in an attachment
• Offer a discount on hotels, transport
• Announcing on social media
Conferences

• Disk full alerts, email account upgrade
or suspended, doing a routine
maintenance and you need to provide
your credentials
• IT Services would never do this
• Phone scams on increase
• Texts
• Watering hole sites/fake domains
• Fake pages linked to library systems
Other Phishing attacks

• Spear Phishing - targeting key personnel for
urgent payments
• Mandate fraud – change of supplier bank details
using fake website to spoof bank details. Receive
payment to fake supplier bank account.
• Spoofed invoices
• All the above prevented due to internal controls
• Students giving money to “money advisers.”
Lottery scam. Accommodation scams.
Fraud
This Photo by Unknown Author is licensed under CC BY-SA

• System compromises due to lack of or
delay in patching.
• Bitcoin miner code searches for other
computers on the network and attempts
to compromise.
• Failure to patch can impact on everyone.
Bitcoin Miners

• Legal requirement for public sector
• We have developed an understanding of
what we can say in respect of security
• You don’t want to map out your tech
• We are often asked how many cyber
attacks have we had?
• We have also been asked how many
University properties are haunted?
Freedom of Information

• The University dates from 1583. Has a
sprawling mix of buildings. We are proud
of our estate and encourage openness.
• Physical thefts do occur.
• Clean desk policy.
• Wear lanyard, be prepared to challenge.
Physical Security

• Seven focus groups across a range of schools and
business units.
• The themes of Empowerment, Awareness, Values,
Behaviours, Adherence, Accountability,
Responsibility, and Cultural Norms were discussed
• Helped to benchmark and reinforce the direction
we were taking.
• Staff want the information to enable them to do
the right thing.
Cyber Security Cultural Assessment

• Users are our best defence.
• A no blame culture that encourages people to speak
up, point out, challenge.
• Consensus on what is important and aligned to the
business with a common language.
• Stress the need for users to handle their own
personal data in the same way.
The way forward
This Photo by Unknown Author is licensed under CC BY-SA

• Don’t be afraid to try different things and fail
• Buy-in from the top
• GDPR Champions network - Use those who do
get it to help others get on-board
• InfoSec Champions network
• Make it fun - Don’t turn your users off
• Enthusiasm can’t be faked. Enjoy your subject.
The way forward

• Working with the Digital Skills Program
• Security Awareness Week
• Fraud Awareness Week
• New staff welcome sessions
• Creative Learning Festival
– Medieval Castles
– Victorian Fan Language

• The Internet Survival Guide
• Fraud, Phishing and Social Engineering
• Why is InfoSec important to me and you?
• Practical encryption for staff and
students
• Mobile phone security
• Ransomware
• Introduction to the InfoSec team
• Choosing software from an InfoSec view
• How Hackers Attack
• Hacking, Cybercrime and the Movies
Awareness Sessions

• Massive Open Online Courses
• Digital footprint initiative
• 3 week online course which includes
developing an effective online
presence, managing your privacy,
creating opportunities for networking,
balancing and managing professional
and personal presences
(eprofessionalism).
MOOC

• On-line training
• Embedding security in projects
– Question sets for procurement
• Top Tip Flyers
• Phishing Simulation
• Merchandise and Branding
• Podcasts

• Increase in take up of training and support calls.
• Increased reports of phishing emails.
• Engagement at project initiation.
• Requests for vulnerability scans and pen tests.
• Invitations to visit schools and colleges.
• One school now starting their own internal
security awareness program.
• We are working with one College to develop
bespoke information security training for senior
managers to help them understand local risks.
KPI’s
This Photo by Unknown Author is licensed under CC BY-ND

MIKE JONESSecurity Researcher & Former Hacker
Anonymous
DAY 1 SESSION 4

- Former Anonymous
- Former Military Intelligence (SIGINT ELINT)
- Penetration Tester
- Threat Intelligence
- “Cyber-Terrorist” -2016 International Business
Times
Mike Jones

Questions?
@sting3r2013
Krypteiasec.com

WELCOME TO DIGIT’S 6th ANNUAL
SCOT-SECURE
EDINBURGH - DYNAMIC EARTH - 19TH & 20TH FEBRUARY 2020
LEAD SPONSOR
CO-SPONSORS
2020
DAY 2

GREG VAN DER GAASTHead of Information Security
@SalfordUni
University of Salford
DAY 2 SESSION 1

Rethinking
Information Security
for Maximum Effectiveness

Greg van der Gaast
-22 years in “Cyber”
-Milw0rm
-Investigator with FBI/DoD
-Architecture, CGI 250k endpoints, NATO KFOR & ISAF
-Creation of “clean sheet” InfoSec programmes
-Head of Information Security @ UoS
-CMCG, Security advisory
-Legal portfolio work: M&A, assessments, contracts
-InfoSec leadership/proactivity evangelist, lecturer,
trainer, author, and general loudmouth
-PowerPoint flunkie
#whoami

Bang bang, duh, oh wait…
Everyone Loves a Graph. Have Two!

Everyone loves a Story. Have Two!
It’s about how.

-4,070,000 people “information
security skills gap.”
-Growing complexity, standards,
models, metrics.
-Spiralling security costs/budgets.
-Ever-increasing number of breaches.
But why?
InfoSec “Pains”

Why is this happening? Why isn’t InfoSec catching these?
-A disengaged technical culture. Lacking people/business alignment.
-Tunnel vision, refusal to step back. E.g. Zero Day vs Every Day.
-Industry indoctrination, standardisation, no fitted holistic approach. We’ve
standardised people and thinking out of the process.
-Spiraling complexity, models, metrics, etc.
-Lack of business visibility, accountability, and proactive leadership.
People & Culture

Do you/Does your InfoSec have:
-Awareness of, and thorough engagement with, IT and the business?
-Effective input into others’ processes?
-Initiative in communication with senior management?
-Identify root causes beyond the technical and “user error”?
-Clear, holistic, long term strategy/programme? (Not just tools!)
Finally… “The English Test”
*Free Advice - What to Check?

Client with data on 40M+ UK individuals. Address, financial, and more.
What did I find?
-SIEM hilarity.
-Almost every server (hundreds) and desktop had multiple (old!)
critical vulnerabilities.
-Inaccurate reporting about patching effectiveness.
-Vulnerabilities (from scans) often dismissed as false positives with no
investigation, removed from reports to client.
-45,000 undocumented firewall rules.
-Live data mixed in Test environment, DR DBs without controls, etc.
But… ISO 27001, PCI, CAS(T) certified.
A Real Example?

One day the MSP decided to “upgrade” the client’s web server.
It was vetoed.
After much discussion at the upper echelons, the OK was given provided the
updated website could pass a vulnerability scan.
The scan found no “major” issues and the site updates went live.
Guess What Happened Next?
Don’t Worry, It’s Fine.

The vast majority of large breaches have something in common:
InfoSec failed to be proactive in securing the business.
Missing the Obvious
-British Airways
-Marriott
-Equifax
-Capital One
-Travelex

Have a cat meme instead.
The Funny Slide Formerly Titled
“Testimonials” (Not Allowed)

What have you got to lose? What could you gain? You might just be
the one stopping this from happening to your organisation.
Be a hero. Have a look.
Engage!
Chin Up.

Enjoy Scot-Secure, and please reach out!
Greg van der Gaast
linkedin.com/in/gregvandergaast
greg@cmcg.it
www.cmcg.it
Thank You!

SARAH ARMSTRONG-SMITH
Non-Executive Director
@SarahASmith75
Decipher Cyber
DAY 2 SESSION 1

DON’T
Deny
Deflect
Downplay
Disrespect

Acknowledge
Accountable
Action!

Communicate!
Collaborate
Compassion

Key
Takeaways
❑Prevention better than cure
❑Plan, Practice, Repeat
❑Control the narrative
❑Trust & Transparency
A, B, C…. Don’ts…

FEDERICO CHAROSKYManaging Director
@FedeCharosky
Quorum Cyber
DAY 2 SESSION 1

Quorum Cyber
Federico Charosky
Managing Director
@QuorumCyber
QuorumCyber.com

Quorum Cyber
Threat modelling at Board Level

Quorum Cyber
30% of investment is
doing
nothing

Quorum Cyber
Everything
else takes
priority…
They just
don’t get it!
The only thing
that is going to
wake them up
is an attack!

Quorum Cyber
We are the problem

Quorum Cyber
Get The Board on board
3 Steps
Acceptance
Extreme Ownership

Quorum Cyber
Get the Board On-board
• Enable them to measure the
performance of security investment
• By building them a board-focused cyber
security risk framework
• Using Threat Modelling to drive risk
understanding and appetite

Quorum Cyber
25 Threat actors
50 TTPs, 150 IOCs
7 SOC staff (560K OPEX)
9x5 Detect capability
External support for IR
7 Controls (750K CAPEX)
4 Controls (350K OPEX)
We can Detect 45 (30%)
IOCs
We can respond to 70%
of incidents
Residual risk:
- 70% IOCs
- 30% Incidents
Benefit of Investment
• 910K OPEX
• 750K CAPEX

Quorum Cyber
We need YOU! to take extreme ownership and arm
the The Board with the right tools to measure your
own performance

2
What was once a finite and
defendable space is now a boundless
territory ─ a vast, sprawling footprint
of devices, apps, appliances, servers,
networks, clouds and users.

3
Explore SonicWall’s exclusive
threat intelligence to help
you better understand how
cybercriminals think — and be fully
prepared for what they’ll do next.

4
GLOBAL CYBER ARMS RACE
SonicWall recorded
9.9 billion malware attacks
in 2019, a 6% dip to the
record-breaking 10.52
billion recorded in 2018.
INSIDE CYBERCRIMINAL INC.
Cyberattacks were more targeted
and evasive with higher degrees of
success, particularly against the
healthcare industry, and state,
provincial and local governments.

5
1.1 MILLION +
Global Sensors
215 +
Countries & Territories
24 x 7 x 365
Monitoring
< 24 HOURS
Threat Response
100,000 +
Malware Samples Collected Daily
27 MILLION +
Attacks Blocked Daily
SONICWALL CAPTURE LABS THREAT NETWORK

6
2019GLOBALCYBERATTACKTRENDS
SonicWall Capture Labs threat
researchers monitor and analyze
real-time attack vectors throughout
the year to help track dynamic
threat behaviors and strategies.

7
Security Advances Criminal Advances
Web App Attacks
Double
Phishing Down
for Third Year
Cryptojacking
Crumbles
Fileless Malware Spikes
in Third Quarter
Encrypted Threats
Growing Consistently
IoT Attack
Volume Rising
Advancements in
Deep Memory Inspection
Momentum of
Perimeter-Less Security
Faster Identification of
‘Never-before-Seen’ Malware
Ransomware Targets State,
Provincial & Local Governments
KEY FINDINGS FROM 2019

9
New intelligence suggests that some
security vendors — and respective
innovative technology — are setting new
standards for protection against ‘never-
before-seen’ malware variants.
FASTERIDENTIFICATIONOF‘NEVER-BEFORE-SEEN’MALWARE
Speed and accuracy are critical
attributes in identifying and
mitigating new or emerging threats.
SonicWall is identifying
‘never-before-seen’
malware variants a full
1.9 days before samples
are submitted to
VirusTotal.
1.9
Days
Faster

10
ADVANCEMENTS IN DEEP MEMORY INSPECTION
‘Never-Before-Seen’ Malware Variants Found by RTDMITM
RTDMITM
discovered 153,909
‘never-before-seen’
malware variants in
2019 — attacks
traditional sandboxes
likely missed.

11
ADOPTION OF PERIMETER-LESS SECURITY
For decades, protecting networks was entirely focused on defining
perimeters and setting up defensive layers to keep threats out.
That approach doesn’t scale anymore.
In response, the adoption of zero-trust security models began to gain
traction in 2019. Secure access service edge (SASE), a new network
security model coined by Gartner, received the most notoriety.
SASE — and solutions like it — help shape how organizations secure
their networks and data. SASE platforms combine software- and
service-based networks to unify different security solutions via
flexible pricing models.
Zero-Trust Network Access | Secure Access Service Edge | Secure Network as a Service | Firewall as a Service | Secure SD-WAN as a Service
“Designing a new way forward —
a future without network
perimeters — was the only way to
properly manage and mitigate
tomorrow’s most innovative
cyberattacks.”
Sagi Gidali
Co-Founder, Perimeter 81
Solution Naming Conventions

12
Mirroring how malware is being leveraged,
cybercriminals are being more targeted
with phishing, too. This means less volume,
but more sophistication.
PHISHING DOWN FOR THIRD STRAIGHT YEAR
SonicWall Capture Labs threat researchers
recorded a 42% decline in overall phishing volume,
the third straight year the attack vector declined.
42%

13
Despite a late surge in
December, cryptojacking
malware finished with 64.1
million total hits in 2019,
a 78% drop since July.
CRYPTOJACKING CRUMBLES
2019 Cryptojacking Signature Hits

15
RANSOMWARETARGETSSTATE,PROVINCIAL&LOCALGOVERNMENTS
Global Ransomware Volume
SonicWall recorded
187.9 million in total
ransomware volume for
the year, a 6% drop from
the record-breaking
2018 data.
Attacks systematically
targeted governments
and schools at all levels.

16
SonicWall found that
incidents using highly
evasive fileless
malware increased in
the second and third
quarters of 2019.
FILELESS MALWARE SPIKES IN Q3
2019 Fileless Malware Attack Volume

17
ENCRYPTED THREATS GROWING CONSISTENTLY
SonicWall
recorded 3.7
million malware
attacks sent
over TLS/SSL
traffic, a 27.3%
year-over-year
increase.
2019 Encrypted Malware

18
SonicWall
discovered a
moderate
5% increase in IoT
malware, with total
volume reaching
34.3 million attacks.
IOT ATTACK VOLUME RISING
But with a deluge of new
IoT devices connecting
each day, increases in IoT
malware attacks should
not only be expected, but
planned for.
Global IoT Malware

19
SonicWall Capture Labs
threat researchers recorded a
52% year-over-year increase
in web app attacks.
WEB APP ATTACKS DOUBLE
SonicWall recorded spikes across the final
seven months of the year to push total web
app attack volume past 40 million.
52%

Download the complete 2020 SonicWall
Cyber Threat Report for critical threat
intelligence to better understand how
cybercriminals think — and be fully
prepared for what they’ll do next.
SonicWall.com/ThreatReport
PREPARE FOR
WHAT’S NEXT

FREHA ARSHAD
Senior Manager
Accenture
Val Mann
CSO Supplier Assurance
Lloyds
IAN CHISHOLM
Director, Information Security
@ChisInfosec
Charles River
DAY 2 SESSION 2
STREAM 1 MAIN HALL
@Freha_25

Freha Arshad
February 2020
5 FACTORS OF
THE CYBERTHREAT
LANDSCAPE

High-profile world events to become the setting for information
operations and other cyberthreat activity.
WHAT’S HAPPENING?
Disinformation:
Social media is a key a battleground for the hearts and minds
of worldwide audiences.
Cyber-enabled information operations:
Possible exploitation of the openness and speed of communications in
cyberspace, to try to take advantage of or influence global events.
Upcoming world events:

Evaluate which events might be used to target your organization.
Train your people to recognise them. Monitor for and block lures
and malicious campaigns inspired by world events.
WHAT COULD YOU DO?
Disinformation:
Communicate operational information to staff proactively and fully to
help them differentiate fact from disinformation.
Cyber-enabled information operations:
Track known disinformation threat actor behaviors and campaigns and
counter adversary activity with proactive communications and security
campaigns.
Upcoming world events:

CYBERCRIMINALS
ADAPT, HUSTLE,
DIVERSIFY AND CAN
LOOK MORE LIKE STATES

Direct network access can be bought on underground markets to help enable actors to
deploy commodity malware (e.g. POS malware) on target networks.
WHAT’S HAPPENING?
Big game hunting on the rise
Targeted and sophisticated intrusions for financial gain are increasing.
New level of resilience and maturity observed in organised cybercrime given increased LE actions.
Attribution can become harder
Actors increasingly sharing document builders, malware and TTPs in campaigns and intrusions.
Faster and lower costs of entry
Growth of underground economies, in non-English-speaking countries
such as Brazil are targeting their domestic populations.
Emerging of localised underground economies

See that proper controls are in place to help minimalise internet facing infrastructure. Hunt
for malware on the network proactively to try to cease operations of network access sold to
threat actors.
WHAT COULD YOU DO?
Big game hunting on the rise
Check proper protections, network segmentation, and security posture is in place.
Test your security team to see if they are able to respond via regular adversary simulation (red teaming)
exercises.
Attribution becomes harder
Check IoC’s for related threat actors, attack types, malware, etc. are alerted on, blocked and or quarantined.
Collaborate with the industry to increase access to operational intelligence.
Faster and lower costs of entry
Track localised threat campaign content to learn the TTPs of emerging
local threat actors.
Emerging of localised underground economies

HYBRID MOTIVES POSE
NEW DANGERS IN
RANSOMWARE
DEFENSE AND
RESPONSE

Some threat actors use ransomware for destructive purposes, in addition to or instead of
financial ones. For example, state sponsored actors may use it for strategic purposes;
ideological actors may use it to deliver a message.
WHAT’S HAPPENING?
Direct delivery via open RDP
Threat actors can plant ransomware directly on networks via endpoints and servers obtained through
vulnerability exploitation and RDP (Remote Desktop Protocol) brute forcing.
Significant financial disruption via ransomware
Ransomware attacks can significantly affect organisations financially by disrupting business operations, and the fact
that the cost to repair or restore systems remains high.
Ransomware for destructive purposes

WHAT COULD YOU DO?
Ransomware mitigation
Check good ransomware defense hygiene. Maintain regular backups of critical data hosted on segregated
network (or offline), see that anti-virus and endpoint solutions are up to date. DO NOT contact attacker or
pay ransom.
• Review and restrict user access privileges.
• Check remote access services (e.g. RDP) are not open to the Internet.
• Regular and timely vulnerability patching against exploits.
• Regular phishing exercises and user awareness training.
• Deploy email filtering IDS and check attachments are scanned by AV.
• Restrict filetypes that can be executed (e.g. JavaScript should be disabled)
• Network segmentation to limit scale of malware propagation.

IMPROVED SECURITY
HYGIENE IS PUSHING
THREATS TO THE SUPPLY
CHAIN, POSSIBLY
TURNING FRIENDS INTO
FRENEMIES

Both politically- and financially-motivated actors are mainly targeting global supply chain
entry vectors, on account of inherent vulnerability.
WHAT’S HAPPENING?
Organizations are improving hygiene and defense capabilities
Cyberdefense awareness is growing. Organisations have started adopting stronger capabilities, hiring cybersecurity
staff, and integrating standard best-practice network hygiene approaches.
The global economy is increasingly interconnected
Growth of international supplier networks with more efficient information sharing. In recent threats is observed
that entry was gained via internationally-integrated business infrastructure and processes like cloud hosts and
accounting software providers.
This moves adversaries, including politically-motivated ones, to supply
chains
Trusted suppliers can become frenemies
Business partners and suppliers may be “frenemies”--both trusted and
untrusted--as they become potential cyberthreat targets and vectors of entry
into their customers' networks.

WHAT COULD YOU DO?
Evaluate new partners
Carefully evaluate new vendors, partners, suppliers, acquisitions, etc. by examining factors like cyberdefense
posture and their exposure in places like underground credential dump marketplaces.
Understand your partners' cybersecurity practices
Become familiar with your partners' and suppliers' security practices, especially ones that have integrated access to
your own networked systems. Consider factors such as how long they take to patch emerging vulnerabilities and
what new products and innovations could be developing that are likely to be targeted by cyberthreat actors.
Quickly sever access to former business partners when the business relationship ends.
Integrate cyberthreat intelligence--including both externally-sourced intelligence
and internal data and analysis--across your business cycle, including situational
awareness of supply chain threats and risks.
Integrate cyberthreat intelligence to help protect your
exposure to supply chain risks

LIFE AFTER MELTDOWN:
VULNERABILITIES IN
COMPUTER CLOUD
INFRASTRUCTURE
DEMAND COSTLY
SOLUTIONS

WHAT’S HAPPENING?
Side-channel CPU vulnerabilities:
• New class of CPU vulnerabilities that affect both serves and workstations
• Multi-tenant cloud providers potential targets for exploitation
• Vulnerabilities in the underlying shared hardware could violate security isolation guarantees
• Adversaries can use side-channel CPU vulnerabilities to read sensitive data from other hosts on the same
physical server
• Number of Side-Channel CPU vulnerabilities has been on the rise

WHAT COULD YOU DO?
Mitigate now:
• Mitigations available for most platforms, cloud deployments, and software
• New Compiler flags : software should be rebuilt
• Mitigations can come at a cost of reduced performance
• Leads to increase of compute costs for most enterprises
• New hardware addresses most known vulnerabilities
Understand and keep track of the threats:
• Understanding the threats posed by CPU vulnerabilities is important to have a risk
mitigation strategy
• Risk mitigation strategy can be vastly different for each organization
• Risk acceptance: On-premises cloud an option

DECISION SUPPORT
Answers to the right questions can help protect your business
Strategic
(IT Management/CISO)
DESIRED OUTCOMESGOVERNANCE LEVEL QUESTION
Operational
(Incident-response team)
Tactical
(IT Operations/SOC)
Manage Risk through Context
Broad and Deep
Understanding of Threats
Timely, Relevant, and
Effective Decisions
WHO?
WHY?
WHEN?
WHERE?
HOW?
WHAT?
WHY?

RISK MANAGEMENT WITH THREAT INTEL
Balanced and resilient risk management with the help of cyber-threat intelligence:
Managing Cyber Risk
Active risk awareness and risk management drive continual adjustment to the threat landscape and adapt
security processes.
Regulatory
Change
Changes in
Threat Landscape
Changes in
Business Ops
(e.g., M&A)
New and Emerging
Tech and Tools
Corporate Policy
and Objectives
Develop
Intelligence Requirements
Collect Against Intelligence
Requirements
Act on
Intelligence Requirements

Securing a complex
enterprise
MAKING THE BEST OF A BAD THING

What do we
have here?
18000 staff
50000 IT-connected assets
Doubled in size in 4 years
Frequent acquisition and integration
110 sites worldwide – Los Angeles to Tokyo
Growing in China

Threat
Landscape
•Pre-clinical drug testing and research
•Including animal testing
•Data Integrity is main part of “CIA”
My environment:
•Nation states (accelerate research, Panda)
•Animal rights activists
•Huntingdon “SHAC”
•PETA
•Anti-USA (Kitten, Chollima, Bear APT’s)
•Opportunistic (ransomware, CEO fraud)
Specific threat actors

Common
Challenges
What
assets/networks/remote
access points do you
have in your environment?
Active
vulnerability
scanning of *ALL*
possible ranges
(10.0.0.0/8)
Every acquisition is
different – many have little
or no InfoSec
Rip and replace
Inherited, and legacy environments
Siemens delivered BRAND NEW Server
2000 driven device

Preparing for
a major
incident
Write your incident response plan. Socialise
and exercise it with your team
Share your plan with stakeholders
Don’t forget Marketing, Board, Legal, HR, DP
Do you need/want to retain external legal
advisors?

Mid-incident
Do you have your essential
roles filled?
Have your IR leads been
trained?
Remember your scribe, and
handovers
Keep the circle small

Post-incident
Lessons
learned
Support and training
Zero-blame environment – can’t be
afraid to make mistakes
Seek forgiveness, not permission
Exercise DFIR procedures – plenty,
and often.

Learn from
your own
mistakes
What worked well?
What didn’t?
No such thing as too much
documentation.

Skills Gap?
What Skills gap?
•Global IT security
skills shortages
have now
surpassed four
million,
according
to (ISC)2.
“4 million
unfilled
positions”

Stress and
burnout
Average tenure of a CISO is
Just 26 Months
 88%: "moderately or tremendously stressed"
 48%: detrimental impact on their mental
health
 40%: affected their relationships with their
partners or children
 32%: repercussions on their marriage or
romantic relationships
 32%: affected their personal friendships
 23%: turned to medication or alcohol
https://www.zdnet.com/article/average-tenure-of-a-ciso-is-just-26-months-due-to-
high-stress-and-burnout/

CHIEF SECURITY OFFICE
SUPPLIER ASSURANCE
Supplier Assurance – Why bother?

Classification: Limited
Helping Britain prosper is our purpose and includes the
way in which we interact with our suppliers.
Our portfolio of brands gives us a presence in nearly
every community in Britain and this reach is
complemented by our network of suppliers.
Our suppliers are an essential part of Lloyds Banking
Group and play a vital role in supporting the Group’s
purpose and vision of Helping Britain prosper, to remain
the best bank for customers and deliver sustainable
growth.
Supplier Assurance is about protecting the networks,
systems and data of Lloyds Banking Group and our
suppliers from ever evolving malicious threats and
attacks. These attacks could be made on our supply chain
potentially giving the intruder a way into LBG.
Add a Footer 236
Started in Intelligent Finance just as it launched in 2001 working as
the IT Resource Manager
• Supported Government by writing the National occupational
Standards for IT and Project Management
• Encouraged young women to consider IT as a career by IF
sponsoring “Computer Clubs 4 Girls”
Moved into Change Management and led the operations and risk
function for the newly created Lloyds Banking Group Change
function.
2015 saw me move into Supplier Assurance, starting with a small
team which has rapidly expanded.

SUMMARY
Cyber security is increasingly a priority issue for
organisations. 78% of businesses (vs. 74% in 2018) and 75%
of charities (vs. 53% in 2018) now rate it as a high priority.
This year, 32% of businesses and 22% of charities have
identiﬁed breaches or attacks. Among these organisations,
the most common attacks are:
• phishing emails (80% of businesses and 81% of
charities experiencing breaches or attacks)
• others impersonating their organisation online (28%
and 20%)
• viruses or other malware, including ransomware
(27% and 18%).
Businesses and charities are taking action on cyber security
as a result of the General Data Protection Regulation (GDPR)
introduced in May 2018. However, many could still take a
more holistic approach around staff engagement and
training.
Many could also review their risk management approaches.
Only 58% of businesses and 53% of charities have taken
action towards 5 or more of the Government’s 10 Steps to
Cyber Security.
Add a Footer 237
32% 22%
Of businesses/charities
identified cyber
security breaches or
attacks in the last 12
months
Is the average annual cost for
businesses/charities that lost
data or assets after breaches
£4,180/£9,470
Key: UK BUSINESSES
UK CHARITIES
EXPERIENCE OF BREACHES OR ATTACKS
Among the 32%/22% identifying breaches or attacks:
32%
29%
Needed new
measures to
prevent future attacks
27%
32%
Took up staff
time dealing with
breaches or attacks
19%
21%
Had staff stopped
from carrying out
daily work
48%
39%
Identified at least
one breach or
attack a month
Data taken from the Department for Digital, Culture, Media and Sport 1 Cyber Security Breaches Survey 2019:Statistical Release

Dealing with Breaches
or Attacks
Add a Footer 238
57
33
5
62
27
6
UK CHARITIES
% immediately
% within 24 hours
% within a week
% longer than a week (2% for
businesses and5% for charities)
% don’t know (3% for
businesses and 1% for charities)
UK BUSINESSESTIME TAKEN TO IDENTIFY THE MOST
DISRUPTIVE BREACH OR ATTACK OF THE
LAST 12 MONTHS
Q. How long was it, if any time at all,
between this breach or attack occurring
and it being identified as a breach?
62 57
27 33
6 5
Bases: 616 businesses that recalled their most disruptive breach or attack in the last 12 months; 185 charities

What are Lloyds
Banking Group doing to
improve the security
posture of the supplier
community?
Add a Footer 239
Lloyds Banking group Chief Security Office (CSO) 3rd
Party strategy for 2020 is to “enhance the supplier
assurance end-to-end journey, to improve the
context, understanding and risk management of the
supplier”.
7% 2%
2018
2019
Key:
49
10
HPFs Raised
126
26
OFs Raised
2.7
1.25
Avg HPF per review Avg OF per review
7
2.25
% of 2018 / 2019
findings raised
associated with
Law Firms
We continue to see a decrease in findings when we compare
2018 / 2019
1877 / 2118
Is the total findings
raised for all suppliers
throughout 2018 / 2019
Criticality Assessment Tool:
Segments the supplier based on four key domains:
• Cyber
• Resilience
• Data Privacy
• Conduct
Tailored Test plan:
Based on the segmentation, intelligence findings and
previous reviews.
Assurance Reviews:
One to four days onsite
Cyber SMEs conduct the review
Remediation:
Security SME to Supplier interaction to ensure all
findings are suitably evidenced and closed out
timeously.
Our bespoke E&A programme is already paying dividends. When we look at specific supplier
groups, we have seen a decrease in the number of findings being raised year on year.
The graph below demonstrates the improved position with Law Firms in respect of issues raised
against DLP from 2018/2019.

SECURITY APPRAISAL SCORECARD
Add a Footer 240
STRIDE
Spoofing Identity
Impersonating something or someone else
Tampering
Modifying data or code
Repudiation
Claiming to have not performed an action
Information Disclosure
Exposing information to someone not authorised
to see it
Denial of Service
Deny access to or degrade service to users
Elevation of Privilege
Gain capabilities without proper authorisation

EDUCATION & AWARENESS
Add a Footer 241
It is my Team’s
responsibility to provide
specialist security
knowledge to aid in
reducing supply chain risk,
and we have created a
bespoke engagement site
to provide our suppliers
and supplier managers with
the best Education &
Awareness modules we
can.
Throughout the year we
run face to face sessions
with suppliers, refresh
previous learning modules
to keep them current and
run internal online sessions
for our supplier managers.

HELPING BRITAIN PROSPER
The management of our supply chains remains to be one of the
highest risks for the Group. Suppliers play an important role in
the IT operations of every organization, and Lloyds Banking Group
is no exception. Whether it's the purchasing of hardware or
software, the commissioning of Cloud services, or perhaps
working with law firms or external consultants, our suppliers are
fundamental to
Our third-party assessments helps to improve supplier's security
posture and improve the financial services supply chain whilst
Helping Britain Prosper.
Add a Footer 242

PAUL PATRAS
Associate Professor, The School of Informatics
MALCOLM GRAHAM
Deputy Chief Constable
Police Scotland
HANNAH RUDMAN
Strategic Transformation Director
@hannahrudman
Wallet.Services
@paulpatras
@wallet.services
@DCCMGraham
DAY 2 SESSION 3
STREAM 6 MAIN HALL

@wallet_service
s
/wallet_service
s
wallet.service
s
Dr Hannah Rudman
Director of Strategic Transformation
hannah@wallet.services
07971282261

Team
Chair: Carolyn Jameson
ex-CLO: Skyscanner, Ctrip
Now: CLO, Trustpilot
2017-19: Raised < £1.2m, Cash flow positive, 13 people (8 devs)

Traction
PRIVATE SECTOR
PUBLIC
SECTOR

Dr Hannah Rudman
breaches in 2018
6,500 records exposed
4.5bn
Facebook fined
£5bn
BA fined
£183m

We need to share data to complete
shared goals
Building systems for sharing data is
expensive
BUSINESSES
NEED DATA

WHY HAVE
WE NOT SOLVED
THIS?
• We are starting at the wrong place
• We keep building walls
• Walls work until the threat changes
• We keep changing what we do

OUR LAST LINE
OF DEFENSE SHOULD
BE OUR FIRST
• You cant lose what you don’t have
• We should adopt the strategy of “when” not “if”
• Data should be stored in a method that if it gets
breached it is beyond use
• Everything should be protected unless it is
classified as non sensitive

Dr Hannah Rudman
There are significant IT,
trust, transparency and
security dangers
The Internet and organisational IT is not
designed for sharing sensitive data

Dr Hannah Rudman
DLT means you can securely share data with
confidence
Even if it’s stolen or
intercepted, data cannot
be viewed or altered

Dr Hannah Rudman
Multiparty private permissioned DLT networks

Permissioned DLT via wallet services makes the network
cybersecure
Wallet services facilitate highly granular access permissions across multiple organisations
Name
Big Org Ltd.
Registration #
15474821
Registered Address
3 Lady Lawson Street
Name
Small Org Ltd.
Registration #
453657684
Registered Address
156 Bread Street

Wallet services
SICCAR’s wallet services give granular
access permissions verifying
organisations onto the network and
validating the delegates via
authorised ID data
Active Directory
Delegates of orgs bring own ID
(e.g. email username, password,
biometric ID validated by org
AD)

Cybersecurity Value
• Authentication and authorisation to access SICCAR is using the
latest industry standards
• All data that is added to a SICCAR process is encrypted by default
• Permissioning to this data is agreed by all the parties, and written
to the ledger as part of publishing a process
• Data can only be decrypted if a user is a member of a wallet that
data was sent to
• Access to the wallets is controlled by the owning organization by
adding and removing employees from the wallets which can be
managed using the organizations pre-existing user directory. (AD).

Anonymously reporting
cybersecurity breaches in oil
and gas sector
• More cyber attacks on Industrial Control
Systems
• Joint ventures = complex ecosystems of
computing, networking and physical
systems
• Little intersection of IT and OT
• Low sector cyber maturity
• Reputation and brand matters

ASSURING ANONYMITY & SENDING CYBER-ATTACK DATA
VALIDATING & ADVISING
WORKFLOW
PROCESS
Operator Tier 1 Operator Tier 1

CLAIM: I AM A
VERIFIED DELEGATE
[DEVICE ID + SECURITY
CERTIFICATE] + ORG
[AUTH ID]
Org 1
ATTESTATION:
IS VALID ORG
Org 2
ASSURING CLAIMS & ATTESTATIONS FOR GUARANTEEING
ANONYMITY
CLAIM: I AM A
VERIFIED DELEGATE
[DEVICE ID + SECURITY
CERTIFICATE] + ORG
[AUTH ID]
ATTESTATION:
IS VALID ORG
DELEGATED
DISCLOSURES

THANK YOU
FOR JOINING
DIGIT!
LEAD SPONSOR
CO-SPONSORS
See you at the next event…
www.digit.fyi/digit-scotland-events

ScotSecure 2020

More Related Content

What's hot

Similar to ScotSecure 2020

More from Ray Bugg

Recently uploaded

ScotSecure 2020