5. Cyber Security
The ICSA Technology Conference 2016
ICSA: THE GOVERNANCE INSTITUTE 4TH NOVEMBER 2016
6. Cyber security – everyone’s pet subject
• Undoubtedly the topic of the moment
• But, is it anything new?
• How worried should we really be?
• How, in practical terms, do we understand and tackle ‘cyber threat’?
7. Questions…
“What are we doing about Cyber?”
“Can we be hacked?”
“What is our current level of Cyber risk?”
“Should we be doing penetration testing?”
“Can’t we just take out insurance?”
8. It’s an opportunity for the authorities too
“The biggest threat to the UK way of life will come from cyber terrorism rather than traditional attacks on cities and people.”
David Blunkett
“If the US government does not improve cyber defences, we will leave our nation and our economy vulnerable.”
Barack Obama
“Cyber security is a Tier 1 threat to the nation and has become a strategic risk management issue for all organisations.”
MI6
9. Hardware and software vendors…
…are never blind to a sales and marketing opportunity either!
10. Threat landscape
• Main themes over the last year.
• The risk landscape is dynamic and continuously evolving.
• Cybercrime in Financial Services is the domain of organised criminals, focused on monetising their technical advantage:
  • Ransomware
  • Phishing
  • Data theft
  • Wire fraud (and ‘whale phishing’, i.e. phishing aimed at senior executives)
• Smaller organisations are just as likely to be in the firing line as large firms. Their relative lack of resources means that they are easier to compromise and exploit.
• Increased reliance on third party suppliers is a significant hidden security risk.
• The threat therefore remains real, current and relevant to all.
18. Cyber Crime Business Model
A compromised system is monetised along three branches:
― Steal CPU cycles: mine bitcoins
― Steal bandwidth: DDoS, send spam
― Steal data: credential theft, identity theft
20. Ransomware Rogues Gallery
Name: AIDS Trojan
Date: Dec 1989
Spread: Diskette
Ransom: $189 (by post)
Encryption: Symmetric (file names only)
21. Ransomware Rogues Gallery
Name: Reveton
  Date: May 2012
  Spread: Exploit kits (web)
  Ransom: $200 by Ukash or Bitcoin
  Encryption: Various
Name: Cryptolocker
  Date: Sep 2013
  Spread: Email
  Ransom: $400 by Ukash or Bitcoin
  Encryption: RSA-2048, including network drives
Name: Cryptowall 2.0
  Date: Sep 2014
  Spread: Malvertising
  Ransom: $500, or Bitcoin
  Encryption: RSA-2048
Name: Locky
  Date: Feb 2016
  Spread: Email
  Ransom: $300 - $400, paid via Tor in Bitcoin
  Encryption: RSA-2048 + AES-256, including network drives; a web site version also exists
30. Vulnerable Systems
3.2 million ‘at risk’ machines
Scan for JBoss vulnerability CVE-2010-0738 -> Install web shell
2,100 installed web shells
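The scan-then-web-shell sequence above leaves traces in the application server's access log, if anyone looks. As an added example (not part of the original slides), the Python below applies two detection rules to constructed Apache-style log lines. CVE-2010-0738 is an authentication bypass in the JBoss JMX console: its security constraint covered only GET and POST, so any other verb reached the console unauthenticated. Rule one therefore flags a non-GET/POST request to /jmx-console that returns 200; rule two treats a later request from the same client to a .jsp path never seen before as the dropped web shell being invoked. The log lines, IP addresses and paths are constructed for illustration, and the prefix list is an assumed tuning value.

```python
import re
from typing import List, Optional

# Common Log Format: client IP, request method and path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# CVE-2010-0738: the JMX console's auth constraint only covered GET and POST,
# so a 200 to any other verb is the signal. Prefix list is an assumption; tune it.
CONSOLE_PREFIXES = ("/jmx-console",)
AUTH_ENFORCED_METHODS = {"GET", "POST"}


def parse(line: str) -> Optional[dict]:
    """Return the fields we need, or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def detect(lines: List[str]) -> List[dict]:
    """Two-stage detection: verb tampering against the console, then a request
    from the same client to a .jsp path that was never seen before."""
    alerts = []
    suspect_ips = set()   # clients that tripped the verb-tampering rule
    known_jsp = set()     # .jsp paths observed before (baseline)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if path.startswith(CONSOLE_PREFIXES) and method not in AUTH_ENFORCED_METHODS and status == 200:
            suspect_ips.add(ip)
            alerts.append({"rule": "jboss-verb-tampering", "ip": ip, "method": method, "path": path})
            continue
        if path.endswith(".jsp"):
            if ip in suspect_ips and path not in known_jsp:
                alerts.append({"rule": "possible-webshell", "ip": ip, "method": method, "path": path})
            known_jsp.add(path)
    return alerts


# Constructed sample log (not real traffic): a benign user, then one client that
# is refused on GET, succeeds with HEAD, and then calls a brand-new .jsp.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2016:02:13:40 +0000] "GET /app/index.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2016:02:14:01 +0000] "GET /jmx-console/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2016:02:14:02 +0000] "HEAD /jmx-console/HtmlAdaptor?action=inspectMBean HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2016:02:14:09 +0000] "POST /x/cmd.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2016:02:14:20 +0000] "GET /app/index.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second rule deliberately keys on the client that tripped the first, so an ordinary user opening a new page of the application does not fire it; in practice you would also baseline .jsp paths from a longer history than the lines being scanned.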
31. A Future Ransomware Model
Establish initial access -> Scan for vulnerabilities -> Escalate privileges -> Identify critical systems -> Install ransomware -> Collect payment
Maximising lost value for the victim; minimising costs for the attacker.
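The "install ransomware" step cannot be seen as a single event, but the encryption phase that follows has a distinctive footprint: one process renaming many files to one new extension, across many directories, within a few seconds. The Python below is an added example, not from the slides, of that heuristic run over constructed file-activity events (a hypothetical EDR export; the WINDOW, RENAME_THRESHOLD and MIN_DIRS thresholds are assumed tuning values), together with a Shannon entropy helper for checking that the content being written looks encrypted rather than like documents.

```python
import math
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

WINDOW = timedelta(seconds=10)   # sliding window per (host, process, new extension)
RENAME_THRESHOLD = 20            # renames to one new extension inside the window
MIN_DIRS = 3                     # spread across at least this many directories

# event tuple: (timestamp, host, process, operation, old_path, new_path)
Event = Tuple[datetime, str, str, str, str, str]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, much lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_rename_bursts(events: Iterable[Event]) -> List[dict]:
    """Alert once per (host, process, extension) when a rename burst crosses the thresholds."""
    windows = defaultdict(deque)   # (host, proc, new_ext) -> deque of (ts, directory)
    fired = set()
    alerts = []
    for ts, host, proc, op, old_path, new_path in events:
        if op != "rename":
            continue
        old_ext = os.path.splitext(old_path)[1].lower()
        new_ext = os.path.splitext(new_path)[1].lower()
        if not new_ext or new_ext == old_ext:
            continue                       # same-type rename, e.g. an editor's save-as temp file
        key = (host, proc, new_ext)
        q = windows[key]
        q.append((ts, os.path.dirname(new_path)))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()                    # expire events that fell out of the window
        dirs = {d for _, d in q}
        if len(q) >= RENAME_THRESHOLD and len(dirs) >= MIN_DIRS and key not in fired:
            fired.add(key)
            alerts.append({"host": host, "process": proc, "extension": new_ext,
                           "renames": len(q), "directories": sorted(dirs), "at": ts})
    return alerts


def build_sample_events() -> List[Event]:
    """Constructed events (hypothetical EDR export, not real telemetry)."""
    t0 = datetime(2016, 11, 4, 9, 0, 0)
    events: List[Event] = []
    # benign: a backup tool finalising a few temp files over a minute
    for i in range(5):
        events.append((t0 + timedelta(seconds=12 * i), "ws01", "backup", "rename",
                       f"/home/alice/Documents/report{i}.tmp",
                       f"/home/alice/Documents/report{i}.docx"))
    # suspicious: 40 renames in under 4 seconds, one new extension, 4 directories
    folders = ["Documents", "Pictures", "Desktop", "Projects"]
    for i in range(40):
        d = folders[i % len(folders)]
        events.append((t0 + timedelta(milliseconds=100 * i), "ws01", "svchost_", "rename",
                       f"/home/alice/{d}/file{i}.docx",
                       f"/home/alice/{d}/file{i}.docx.locked"))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for alert in detect_rename_bursts(build_sample_events()):
        print(alert)
    print(round(shannon_entropy(b"The quick brown fox jumps over the lazy dog"), 2))
```

The benign backup process never fires because five renames in a minute stay under the threshold; the burst fires on the twentieth rename, not the fortieth, which is the point of a sliding window: the earlier the alert, the fewer files are lost. Entropy is a confirmation signal rather than a trigger, since compressed archives and images are also high-entropy.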
33. Incident response: what to do in the event of a cyber breach
Mark Child, Managing Director, and Neil May, Senior Manager, Technology Risk Management
GLE Consulting Limited
34. What To Do In The Event of A Cyber Breach
Incident Response
35. You might be feeling a bit like this…
Rabbit in the headlights!
37. The big question is …
Is this really an entirely new threat that
we are facing?
38. Our view
The threat is NOT new.
‘Cyber’ is a convenient label for information risk in the 21st Century.
But, there are some trends:
― We are noticing more and larger breaches.
― Breaches and data leaks are making the news – there is public, media and regulatory interest.
― The criminals are getting smarter.
39. Our view – how do we respond?
Pursue a strategy of defence-in-depth.
Avoid our historic fixation on ‘the perimeter’.
And this is not a purely technical problem.
So the solution is not necessarily a technical one.
But technical controls remain key.
The weakest links are likely to be:
― Your people
― Your third party suppliers & partners
40. Summary
― ‘Cyber threat’ is nothing new – in our view!
― But it is serious.
― Target defence in depth.
― Staff, contractors and suppliers are now your weakest link.
― Get back to basics on information governance
― Apply technology solutions intelligently to support & enable.
45. Case studies – poor practices
― October 2015
― Cause: simple (and old) technical exploit, executed by a 15-year-old boy
― Immediate result: 150,000 customer records stolen (over 15,000 including full bank details)
― Incident/crisis management extremely poor:
  ― CEO unprepared and poorly briefed
  ― Scope of breach massively over-estimated
  ― Response ill-judged (500,000 customers given a ‘free upgrade’)
― Impacts:
  ― REPUTATION – lost 95,000 customers in year 1
  ― FINANCIAL – current financial cost estimated at £60m
  ― REGULATORY – formally sanctioned by the ICO (fined £400k)
46. Case studies – insider threat
― December 2014
― Cause: malicious software deployed via a ‘phishing’ attack was used to obtain IDs and passwords
― Politically motivated
― Immediate result: 100 terabytes of data stolen (the whole of the “.co.uk” domain is only 68 TB)
― Data included entire movies, financials, staff data, salary data and email records
― Data posted on the internet for download
― Impacts:
  ― REPUTATION – deputy CEO forced to resign due to damaging email content
  ― FINANCIAL – current financial cost estimated at $15m (impact reduced by insurance and a managed legal response)
47. Case studies – third party
― November to December 2013 (publicly disclosed December 2013)
― Cause: security compromise at a third-party air conditioning and ventilation (HVAC) contractor, whose network access was used to gain entry to Target’s network
― Immediate result: 70m customer records and 40m credit card records harvested across 1,797 stores over an extended period
― Data exfiltrated to criminals in Russia
― Impacts:
  ― FINANCIAL – current financial cost to Target estimated at $61m (industry-wide costs estimated at $200m)
48. Get back to basics
― It’s not just about the enemy at the gates (i.e. the perimeter)
― The perimeter is hard to define these days
― We cannot rely solely upon prevention – our detection and response capability must improve.
We need to take the threat seriously.
49. Get back to basics
― Technology and tools of the highest quality can be undermined by weaknesses in basic
security practices.
― Or by a flawed corporate culture.
― Cyber/Information risk is a problem for the entire business to resolve – not just IT!
― Today’s cyber criminals recognise this and exploit it by adopting a range of approaches which
step away from the purely technical and exploit weaknesses in the way that organisations
manage, control and interact with their information.
― A full frontal assault is unlikely to be profitable – an attacker will target compromise from the
inside. And they can be very patient.
50. Get back to basics
Fundamentally, addressing the Cyber Threat means going back to basics, looking again at your
organisation and the controls you already have:
― Understanding your people – what threats do they pose? After all there is no patch for
stupidity!
― Understanding your organisation’s information, where it is and how it is used.
― Identifying the main risks to physical and information assets.
― Ensuring that the right measures are adopted to mitigate risk to within acceptable levels –
balancing cost versus risk.
51. Get back to basics – governance foundations
Unless the foundations of good information and security governance are working well, any
investment in security technology will most likely be wasted. Fundamental areas for focus are:
― Staff security training and awareness.
― Robust oversight and management of third party suppliers
― Software & hardware patch management
― Intelligent management & admin of user access.
― Clear policies on security, acceptable system use and social media.
People. Process. Tools. In that order!
52. Get back to basics – making it work
For effective and sustainable governance:
― Setting, maintaining and continuing to evolve the “tone at the top”.
― Monitoring of information risk management by the Board of Directors.
― Ongoing, practical and relevant awareness training.
― Independent assurance.
― Regular, risk-based security testing. Inside and outside the perimeter.
53. What happens if a security breach occurs?
― If a security breach occurs, organisations that follow clearly documented plans to reduce the impact of the breach have a much better chance of staying out of the law courts and avoiding punishment.
― Most organisations unfortunately don't have good systems for actually managing the problem. If a breach occurs, the law is really concerned with your behaviour at that point in time. You can't unravel the past and pretend the breach didn't occur; it's what you do from that point on that will determine your culpability.
― On top of having well documented systems and procedures, organisations need clearly defined actions for dealing with a breach and limiting the damage to those affected. This is likely to involve multiple disciplines, which could include information security specialists, IT resources, a PR agency, legal advice and credit reporting services.
― If you adopt an honourable stance from the outset, doing the right thing at the right time, your legal team is in a very strong position to argue to the regulator that you are not the kind of organisation whose profile warrants the full effect of the law, and therefore the punishment.
54. How to protect organisations from security breaches
― Take some basic steps to "build a protective shield”, most notably:
― Build a single unified security policy
― Ensure information security forms part of any contract initiation
― Make security part of the process when any project is initiated
― Employee adequacy – ensure you have processes for handling new employees, changes of job, and
for employees exiting the company; show that they were made aware of security requirements
― Third-party assurance – have processes in place to guard information held by third parties
― Culture – have a managerial structure in place that demonstrates a chain of responsibility for handling
security and reporting errors
― ‘Tone at the top’
― Shared ownership of good practices
― Openness & transparency – continuous improvement
55. State of the Nation – addressing Cyber Risk
Four golden rules our plan is founded upon:
― Get the basics right: over 75% of attacks exploit failures to put in place basic controls.
― Look after the crown jewels: you have to prioritise where you spend your money to defend yourself, so build a fortress around your most critical assets.
― Do your homework on your enemies: invest in understanding who might attack you, why and how, so that you can anticipate the most likely scenarios and defend those assets that are most likely to be attacked.
― Treat cyber risk as an opportunity to look closely at your business: security and resilience can affect nearly every part of an organisation. Strategies to protect IT security and business resiliency should align with an organisation’s broader goals – from protecting intellectual property to maximising productivity to finding new ways to delight customers.
56. Solving the big ‘Board reporting
problem’ in cyber
Jon Hawes, Security Intelligence Strategist,
Panaseer
65. NHS Cyber Attacks – The Telegraph 1st Nov 2016
“…hacking is "no longer the stuff of spy thrillers and action
movies" but a clear and present threat…”
“…Ben Gummer, minister for Cabinet, says that "large
quantities of sensitive data" held by the NHS and the
Government is being targeted by hackers…”
“…Ministers will also unveil a Cyber Security Research Institute,
a "virtual collection of UK universities" which will work towards
making passwords obsolete…”
66. Cyber Fraud
“…Online fraudsters stole £10.9bn in the UK last year…”
“…39% (of respondents), questioned by “Get Safe Online” said
they were a victim of cybercrime, but did not report it…”
“…53% received phishing messages…”
Extract from The Telegraph 20th October 2016
67. Cyber Crime is a War Zone
“Rouse him, and learn the principle of his activity or inactivity. Force
him to reveal himself, so as to find out his vulnerable spots.”
“If you know the enemy and know yourself you need not fear the
results of a hundred battles”
- Sun Tzu, Military General, Strategist & Philosopher, 5th Century
BC, China
Deception is a powerful, effective but under-utilised tool (at least by defenders).
A full range of “effects” on adversaries is possible through deception.
68. Deception Effects – Attacker & Defender
Effect: Fail to observe
  Attacker’s use: prevent the defender from detecting the attack.
  Defender’s use: prevent the attacker from discovering their target.
Effect: Reveal
  Attacker’s use: trick the defender into providing access.
  Defender’s use: trick the attacker into revealing their presence.
Effect: Waste time
  Attacker’s use: focus the defender’s attention on the wrong aspects of the incident.
  Defender’s use: focus the attacker’s efforts on the wrong target.
69. Operation Mincemeat - 1943
Successful British disinformation plan during the
Second World War to cover the invasion of Italy from
North Africa. To convince the Germans that, instead
of attacking Sicily, the Allied armies would invade
Greece.
71. Operation Mincemeat - 1943
This was accomplished by persuading the Germans that they had, by accident, intercepted "top secret" documents giving details of Allied war plans.
73. Attack Surface
From ordinary consumers, to a single-office business, through
the regulatory bodies, to the national and global giants
The environment dictates the approach – no “Silver Bullet”
Layered security – combining multiple mitigating security
controls to cost effectively protect resources & data
74. Attack Attribution
At which point in the attack do you realise that you have been hacked? (TalkTalk, DNC, Yahoo)
There are very few “smoking guns” visible.
Attacks that often begin with broadly targeted phishing, that can introduce and run new binaries on victims’ networks, and that connect to random internal hosts using exfiltrated credentials, can still remain hidden for a year.
75. Examples of Global IT Vendors’ Vulnerabilities
Microsoft: the August 2016 Patch Tuesday included five updates rated critical out of a total of nine, bringing the number of patches for the year to date to 103.
SAP: there are vulnerabilities in almost every SAP module; CRM, EP and SRM are the leaders among them (ERPScan SAP Cyber Threat Report 2016).
Oracle MICROS (and others): in total, more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting (Computing, Aug 2016).
76. Dwell Time/Residency
Mandiant reported that attackers on average lurked on a
network for 205 days before being discovered¹
Microsoft recently reported they place the number at more
than 200 days to detect a security breach and 80 days to contain
it²
1. https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
2. https://blogs.windows.com/windowsexperience/2016/03/01/announcing-windows-defender-advanced-threat-
protection
77. Plausible Deniability & Malware Intrusion
Plausible deniability refers to circumstances where a denial of responsibility or knowledge of wrongdoing can be proved neither true nor untrue, because there is no evidence to support the allegation.
It is a basic law for the cheat and the deceiver: be able to offer up an excuse that cannot easily be disproved and that makes sense for the situation.
78. Trickle-down Effects
Trickle-down is accelerating in the car industry: yesteryear’s top-end innovations eventually migrate through the models and become standard options in lower-priced vehicles.
This pattern of innovation holds true in virtually every field, including cyber security.
Malware as a Service (MaaS) is moving from the heavily funded specialist cyber experts down into the mass market.
MaaS is now commonly available at very low cost on the darknet, reached over anonymity networks such as Tor and I2P.
81. Honeypots
― Venus flytrap in action (triggered honeypot).
― Trojan Horse (passive honeypot): built by the Greeks and used to enter the city of Troy and win the ten-year Trojan War (4th Century story).
― Cartography: a trap street (passive honeypot) is a fictitious entry in the form of a misrepresented street, for the purpose of “trapping” potential copyright violators.
83. Honeypot Principle
Focus on detecting threats: here, we’d like to know immediately when someone has broken into the network and is in places they shouldn’t be.
Ensure the honeypot looks appealing to the attacker: it must look legitimate and enticing.
In this attack scenario the defender has a particular advantage: once attackers first land inside your internal network, they are at a disadvantage. They don’t know the lay of the land and need to explore it (reconnaissance) while remaining hidden, and every probe is a chance to touch a decoy.
84. Defence through Deception
Deception is a highly effective solution for protecting environments; it is used to confuse, delay and redirect the enemy.
Lured to the Canary honeypot, the attacker is tricked into engaging with that device and believes the attack is succeeding, while every interaction with it is logged and alerted on.
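The “trick the attacker into revealing their presence” effect does not need a whole honeypot device. A Canarytoken-style honeytoken is a unique, unguessable identifier planted inside a decoy (a link in a spreadsheet, a hostname in a config file) that no legitimate user will ever fetch or resolve, so a single hit in a web or DNS log is a high-confidence alert. The Python below is an added example, not code from the slides or from any Canary product, of minting such tokens and matching them in log lines; the domain canary.example, the decoy placements and the log lines are constructed for illustration.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Honeytoken:
    token: str       # random 64-bit hex id, the only thing the attacker ever sees
    kind: str        # "url" (web beacon) or "dns" (resolvable hostname)
    placement: str   # where the decoy was planted, so the alert says what was touched


class HoneytokenRegistry:
    """Mint unguessable tokens, render them into decoys, match them in logs."""

    TOKEN_RE = re.compile(r"\b([0-9a-f]{16})\b")
    IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

    def __init__(self, base_domain: str):
        self.base_domain = base_domain          # assumed domain you control, e.g. canary.example
        self.tokens: Dict[str, Honeytoken] = {}

    def mint(self, kind: str, placement: str) -> Honeytoken:
        if kind not in ("url", "dns"):
            raise ValueError(kind)
        ht = Honeytoken(secrets.token_hex(8), kind, placement)   # 64 bits of entropy, no meaning
        self.tokens[ht.token] = ht
        return ht

    def render(self, ht: Honeytoken) -> str:
        """The string to embed in the decoy; fetching or resolving it is the tripwire."""
        if ht.kind == "url":
            return f"https://{self.base_domain}/t/{ht.token}"
        return f"{ht.token}.{self.base_domain}"

    def scan(self, lines: List[str]) -> List[dict]:
        """Exact-match registered tokens in arbitrary log lines (web, DNS, proxy)."""
        alerts = []
        for line in lines:
            for candidate in self.TOKEN_RE.findall(line):
                ht = self.tokens.get(candidate)
                if ht is None:
                    continue                      # random hex that is not one of ours
                src = self.IP_RE.search(line)
                alerts.append({"placement": ht.placement, "kind": ht.kind,
                               "source": src.group(1) if src else None, "line": line})
        return alerts


def demo() -> List[dict]:
    """Constructed scenario: two decoys, then log lines (not real logs) in which
    one token is fetched and the other resolved."""
    reg = HoneytokenRegistry("canary.example")
    url_tok = reg.mint("url", "Finance share: 'Q3 passwords.xlsx' (link inside)")
    dns_tok = reg.mint("dns", "Decoy backup.conf on fileserver fs01")
    logs = [
        # benign traffic carrying an unrelated 16-hex string, which must not match
        '10.0.5.23 - - [04/Nov/2016:09:12:01 +0000] "GET /static/app.0123456789abcdef.js HTTP/1.1" 200 1024',
        # the planted URL is fetched: someone opened the decoy spreadsheet and followed the link
        f'10.0.5.23 - - [04/Nov/2016:09:15:44 +0000] "GET /t/{url_tok.token} HTTP/1.1" 200 0',
        # the planted hostname is resolved: someone parsed the decoy config file
        f'04-Nov-2016 09:16:02 query: {reg.render(dns_tok)} IN A from 10.0.7.9',
    ]
    return reg.scan(logs)


if __name__ == "__main__":
    for alert in demo():
        print(alert["source"], "tripped:", alert["placement"])
```

The token carries no information, only entropy, so it cannot be guessed and leaks nothing if found; matching is an exact dictionary lookup, so the stray hex in ordinary traffic does not produce false positives. The placement string is what turns a hit into an actionable alert, because it tells the responder which decoy, and therefore which share or host, the intruder has reached.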
85. Canary – Today and Tomorrow
Canary is great for remote sites, but what about our virtualised data centres?
What about integration with established enterprise monitoring frameworks such as OpenView, CA or Microsoft SCOM?
Is there a console management limit on the number of deployed Canaries?
Are “Canarytokens” part of tomorrow’s planning?
87. Tokens
In general, a token is an object that represents something else, such as another object (physical or virtual) or an abstract concept. In computer systems there are a number of types of token, both hardware and software.
In human terms, a token of trust can exist between two parties, with that trust reinforced through personal introductions to other parties.
A token generation and management platform, designed specifically for high-security multi-service environments in public and private clouds, greatly enhances trustworthy information handling.
88. Identification with Passwords
Any directory service or management platform holding passwords becomes a target for attackers seeking to steal credentials.
Passwords are fundamentally flawed:
― Often easy to guess
― Reused across different services
― Written down, stored or shared
― Can be intercepted
― Expensive to maintain
29% of all cybercrime is from stolen passwords.
89. Identification WITHOUT Password
The Problem: the password has outlived its usefulness.
Secure Cloudlink’s Response: a patented tokenised message management solution that makes the password redundant.
― User credentials are not transmitted, stored or replicated.
― Secure digital services – a snap for the user.
― Randomised, encrypted key generation – no consistent key to be stolen.
91. Immediate Low-risk Considerations
People protection: continuous, interactive education on the threats and risks posed by cyber-criminals, through Phish5 email phishing simulations with supporting education processes.
Network hardening: rapid deployment of customisable, low-cost, capex-free Canary honeypots at strategic points on the network.
Access & authorisation protection: review and assess the usage and costs (direct and indirect) of passwords in your own organisation, and test the results against Secure Cloudlink.
Information handling assurance: regular external expert assessment and audit of the network and of data governance practices and procedures.
92. Security Through Obscurity
Warfare - The Social Threat
Attack Surface, Attribution, Residency, Deniability -
Livingroom to Boardroom
Honeypots & Tokens – Evolution Mimicked
Identification and Authorisation – New Pathway
93. Thank you
Trust in “THIS”
Security through Obscurity
Ray Dalgarno
ray@cybercast.co
94. New and evolving forms of malware
Mark Olding, Senior Enterprise Presales
Consultant, Kaspersky Labs
95. The what, how, who and why of computer malware
Mark Olding
Senior Enterprise Presales Consultant
96. THE SCALE OF THE THREAT
1994: 1 new virus every hour
2006: 1 new virus every minute
2011: 1 new virus every second
2016: 310,000 new samples every day
98. TRENDS AND THREATS
Internet of Things
Big Data
Fragmentation of the internet
Cloud & Virtualization
Consumerisation & Mobility
Critical Infrastructure at risk
Increasing online commerce
Privacy & Data protection challenge
Online banking at risk
Mobile threats
Decreasing costs of APTs
Merger of cyber crime and APTs
Supply chain attacks
Targeting hotel networks
Ransomware programs
Cyber mercenaries
Massive data leaks
Malware for ATMs
Financial phishing attacks
Attacks on PoS terminals
Threats to Smart Cities
‘Wipers’ & Cyber-sabotage
Targeted Attacks
101. WEB-BASED THREATS
Kaspersky Lab discovered 798,113,087 web attacks in 2015: 2.1 million attacks per day, 91,000 per hour, 1,518 per minute, 25 per second.
107. CONSUMER THREATS IN 2015
[Bar chart: y-axis “Users”, 0 to 450,000; series labels lost in extraction]
2 MILLION ATTEMPTS
In 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on almost 2 million computers. This number is 2.8% higher than in 2014.
112. HOW THE CARBANAK CYBERGANG STOLE $1bn
A targeted attack on a bank
1. Infection: Carbanak sent emails with exploits to bank employees, carrying the backdoor as an attachment. Credentials were stolen and hundreds of machines infected, in search of an admin PC.
2. Harvesting intelligence: the clerk’s screen on the admin PC was intercepted and recorded, revealing how the cash transfer systems were operated.
3. Mimicking the staff – how the money was stolen:
― Online banking: money was transferred to the fraudsters’ accounts.
― E-payment systems: money was transferred to banks in China and the US.
― Inflated account balances: the extra funds were pocketed via a fraudulent transaction.
― Controlling ATMs: orders to dispense cash at a pre-determined time.
113. MAC MALWARE
In 2012 the Flashback botnet was discovered, consisting of 700,000 computers all running Mac OS X.
Cybercriminals repeatedly use Mac malware when launching targeted attacks.
Macs can unknowingly pass PC malware on to the PCs in your network.
117. RIGHT NOW
• Evaluate the risks
• Patch OS and applications
• Manage your network
• Secure your systems: multi-layered protection; not just endpoints; default-deny; encrypt; don’t forget mobile
• Educate staff
118. TOMORROW
• Stop fire fighting: create a strategy
• It’s bigger than IT
• Delegate to experts: assessment, incident response, analysis
119. FUTURE PROSPECTS
• ‘The end of APTs’
• Alternative payment systems and stock exchange
• Sabotage, extortion and shame
• Ransomware
• Trusted resources
• From ‘APT-as-a-Service’ to ‘Access-as-a-Service’
• Balkanisation
• Transportation
• ‘Crypto-apocalypse’