2. LEADING COMMENT
It is about time companies/country leaders took ownership of their high-risk activities. We seem to live in a collective ‘denial-of-the-obvious’. Besides all the warnings and the many facts that seem to exist!
Senior Information Security Professional, 27/10/2014
Denial
3. SIT-REP 14
Dublin comment 2014: At the Breaking Down the Silos ISACA event in Dublin in 2014 the question put to over 280 delegates was: ‘Do you feel your organisation is secure from Cyber Attack?’ The response was = 0.
A response reflected in many other settings, including the Forensic Science event held in February 2014.
QSA Comment: When a QSA was asked why a site could be assessed as secure when it had clear and proven high-risk vulnerabilities, they responded:
‘Because that part of the associated security vulnerabilities is not included in the scope of the assessment’
Oil Industry Comment: When asked why their Cloud Providers were not subjected to in-depth due diligence, the response was as follows:
‘Because we engage with low cost providers, and cannot expect robust security’
4. EXAMPLE 1 – BANK of England-20/10/14
The Bank of England [BoE] outage occurred on 20/10/14 [the start of Get Safe Week!] when it was decided to take down the CHAPS Payment System. As you can imagine, for such a critical system the impact on ordinary people and businesses was significant, if not in some cases devastating.
Was it caused by: a. A Security Event, b. A badly applied change, c. Component Failure, or d. Something else?
Question: whatever the cause, is an impact of this kind on such a Critical System tolerable in 2014, 2015, 2016 . . . ?
As an open observation, anyone practised in the art of OSINT will notice that, notwithstanding great initiatives such as Waking Shark and Waking Shark II, the BoE does suffer a high degree of Data Leakage which has been proven to be exploitable, which for such a core and prestigious institution is worrying!
And would you believe it if you were to learn that a UK core bank had suffered a security breach which saw it connected back to Chinese servers [.com.cn] from a Core Switch, along with Remote Access potential? I know, it could never happen!
5. EXAMPLE 1 + DATA LEAKAGE & OSINT
As an example of the titbits made available to passers-by, take a core bank which, as of 28/10/14, is publicly exposing:
a. 122 internal PCs
b. User associations [e.g. Andrew G****]
c. 71 associated servers and IPs
d. Bank tree listing Authorised Users, plus 20 other servers
e. 11 associated domains
f. 19 pptx files with varying amounts of Meta Data
g. 100 xls [as above]
h. 89 xlsx [as above]
i. Plus multiple Word and PDF files, insecure and with variable security
j. Track Changes still in place in some documents, revealing hidden content
k. 60+ email addresses [some with .gsi.gov extensions]
l. Internal extension numbers associated with personalities
m. 250+ O/S types including NT 4.0, XP, Server 2003, and Windows 7
All very useful intelligence for the off-line attacker to use as Footprinting and Social Engineering material.
Lite-Touch Exploitability was tested, and Proven.
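Items f to j above are the kind of leakage a publishing pipeline can catch before a document leaves the organisation. The following is an added example (not part of the original deck, and not a tool the author describes): a pre-publication check that opens an OOXML file (docx/xlsx/pptx are all zip containers) and reports the author and last-modified-by identities in docProps/core.xml, the company in docProps/app.xml, and, for Word files, any tracked insertions/deletions together with the hidden text they carry. The sample document is constructed in memory so the check runs offline; the names in it (a.employee, contractor01, Example Bank plc) are invented.

```python
"""Pre-publication leakage check for OOXML documents (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces used by the core/app property parts and WordprocessingML.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W_AUTHOR = "{%s}author" % NS["w"]


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def scan_office_document(data: bytes) -> dict:
    """Return leakage indicators: identities from the property parts and
    revision-author attributes, tracked-change count, hidden revision text,
    and whether a comments part is present."""
    findings = {"identities": [], "tracked_changes": 0, "hidden_text": [], "comments": False}

    def add_identity(value):
        if value and value not in findings["identities"]:
            findings["identities"].append(value)

    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy"):
                add_identity(_text(core, tag))
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("ep:Company", "ep:Manager"):
                add_identity(_text(app, tag))
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            revisions = doc.findall(".//w:ins", NS) + doc.findall(".//w:del", NS)
            findings["tracked_changes"] = len(revisions)
            for rev in revisions:
                add_identity(rev.get(W_AUTHOR))
                # Inserted text lives in w:t, deleted text in w:delText.
                for t in rev.findall(".//w:t", NS) + rev.findall(".//w:delText", NS):
                    if t.text:
                        findings["hidden_text"].append(t.text)
        findings["comments"] = "word/comments.xml" in names

    findings["publishable"] = (
        not findings["identities"] and findings["tracked_changes"] == 0 and not findings["comments"]
    )
    return findings


def build_sample_docx(clean: bool = False) -> bytes:
    """Construct a minimal docx-like zip for the check (sample data, not a real file)."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">%s</cp:coreProperties>'
        % (NS["cp"], NS["dc"],
           "" if clean else "<dc:creator>a.employee</dc:creator><cp:lastModifiedBy>contractor01</cp:lastModifiedBy>")
    )
    app = '<Properties xmlns="%s">%s</Properties>' % (
        NS["ep"], "" if clean else "<Company>Example Bank plc</Company>")
    body = "<w:p><w:r><w:t>Public text</w:t></w:r></w:p>"
    if not clean:
        body += ('<w:p><w:ins w:id="1" w:author="contractor01"><w:r><w:t>Draft figures not for release'
                 '</w:t></w:r></w:ins></w:p>'
                 '<w:p><w:del w:id="2" w:author="contractor01"><w:r><w:delText>old number'
                 '</w:delText></w:r></w:del></w:p>')
    document = '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (NS["w"], body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_office_document(build_sample_docx()))
    print(scan_office_document(build_sample_docx(clean=True)))
```

The same core.xml/app.xml parsing applies unchanged to xlsx and pptx; only the tracked-change scan is Word-specific. Run it against every file in an outbound publishing folder and block anything whose `publishable` flag is false.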
6. BANK CLOSURES
Example – October 2014: Lloyds to close 200 branches in the UK and drop 9,000 jobs, all with the prospect of moving services on-line and offshore.
We are now clearly in the grip of the ‘Digital Channel’, and as one senior banking expert commented: ‘We will see a very different shape for banking of the future’.
2020 > Dependent on Technology, Dependent on Complexity, Dependent on the Internet, and, as may be inferred from the BoE debacle, we should expect issues.
In the new age of Digital Banking, may one assume that the Industry of Cyber Criminality will continue to evolve?
Will 2020 be the age of ‘EoL’ – Everything-on-Line?
7. EXAMPLE 2 – USA 9/11/10
As amazing as it may seem, one lone engineer changing over a piece of equipment on 9/11/11 managed to black out 5 million homes in Southern California, caused chaos to flight traffic and road transportation, and resulted in Nuclear Reactors having to be closed down.
8. EXAMPLE 3 – SAMBA SHARE 2010 - BANK
Another UK Bank – this time the exposure was the result of over-inflated profiles [e.g. Senior Security Consultants] conjoined with a complete lack of technological security.
Notwithstanding that the Bank ran in-depth external and internal Penetration Testing, they and their Third Party Providers failed to notice that 80% of the Bank’s financial traffic was passing via an unsecured SAMBA environment!
The same Bank, under the stewardship of the same Senior Security Consultant, had accidentally migrated PCI-DSS data into a Cloud environment [which could not be backed out].
This same Bank had also lost over £50m to what they referred to as an Unknown Transaction – the funds simply were not accounted for!
As I said, this is a UK Bank!
9. EXAMPLE 5 – UTILITY ‘GAS’ COMPANY - 2014
In the utility arena, take the large Gas Utility Sector Company who regularly suffer unauthorised incursions, successful Phishing Attacks and Malware, and have an internal LAN environment which exposes systems and data to theft and compromise.
This same company breaches the Data Protection Act by allowing access to Personal Data, fails to meet the requirements of PCI-DSS, and does not have any standards which underpin robust security – they are wide open.
With the break in contracted relationships with their Third Party Supplier, Malware Infections, suspicious creation of Privileged Accounts, and other such security-related events are processed via ITIL and will be detected, and responded to, up to 30 days post the incident!
This is a UK Plc.
And when it comes to Smart Meters, Connected Homes, and their associated Cloud environments!!!!
And some of these organisations have won BCS awards in 2014 – clearly Security is not an issue!
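The 30-day lag above comes from routing security events through a ticket queue rather than a detection rule. As an added example (not from the original deck, and not describing the company’s own tooling), the block below shows the kind of rule a SOC would run over Windows Security audit events to raise the ‘suspicious creation of Privileged Accounts’ case at event time: it flags any addition to a privileged group by an actor outside an approved list, and a user account that is created and then added to a privileged group within ten minutes. Event IDs 4720 (user created) and 4728/4732/4756 (member added to a global/local/universal security group) are the real Windows identifiers; the key=value log format, host names, account names and the privileged-group and approved-admin sets are constructed for the example.

```python
"""Near-real-time detection of privileged account creation (added example)."""
import re
from datetime import datetime, timedelta

# Assumed privileged groups; a real deployment would take this from its AD tiering model.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
USER_CREATED = "4720"
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}   # member added to a security-enabled group
CHAIN_WINDOW = timedelta(minutes=10)          # create-then-escalate window (assumed)

# Constructed key=value rendering of the audit events; not Windows' native XML/EVTX format.
SAMPLE_LOG = [
    '2014-10-28T08:00:11Z host=DC01 EventID=4720 SubjectUser=admin.jane TargetUser=new.starter',
    '2014-10-28T08:00:40Z host=DC01 EventID=4728 SubjectUser=admin.jane MemberName=new.starter GroupName="Sales"',
    '2014-10-28T09:14:02Z host=DC01 EventID=4720 SubjectUser=svc_backup TargetUser=tmpadmin',
    '2014-10-28T09:14:05Z host=DC01 EventID=4728 SubjectUser=svc_backup MemberName=tmpadmin GroupName="Domain Admins"',
    '2014-10-28T10:02:19Z host=DC01 EventID=4732 SubjectUser=admin.jane MemberName=helpdesk.bob GroupName="Administrators"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split '<ISO timestamp> k=v k="quoted v" ...' into a dict with a parsed time."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_privileged_account_events(lines, approved_admins) -> list:
    """Return alerts as the events stream past, each stamped with the event time so
    the detection latency is the log pipeline's, not a 30-day ticket SLA."""
    alerts = []
    created = {}  # target account -> creation event, for the create-then-escalate chain
    for line in lines:
        ev = parse_line(line)
        eid = ev.get("EventID")
        if eid == USER_CREATED:
            created[ev["TargetUser"]] = ev
        elif eid in GROUP_ADD_EVENTS and ev.get("GroupName") in PRIVILEGED_GROUPS:
            member, actor = ev["MemberName"], ev["SubjectUser"]
            if actor not in approved_admins:
                alerts.append({"rule": "unapproved-privileged-add", "time": ev["time"],
                               "actor": actor, "member": member, "group": ev["GroupName"]})
            origin = created.get(member)
            if origin and ev["time"] - origin["time"] <= CHAIN_WINDOW:
                alerts.append({"rule": "create-then-escalate", "time": ev["time"],
                               "actor": actor, "member": member, "group": ev["GroupName"],
                               "created_by": origin["SubjectUser"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_account_events(SAMPLE_LOG, approved_admins={"admin.jane"}):
        print(alert["time"].isoformat(), alert["rule"], alert["member"], "->", alert["group"])
```

Fed the sample, the rule stays silent on the approved administrator's routine work (new.starter into Sales, helpdesk.bob into Administrators) and raises two alerts for tmpadmin at 09:14:05, three seconds after the account appeared. The same two rules map directly onto SIEM correlation searches; the point is that the trigger is the event, not a ticket review.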
10. BRING YOUR OWN DISASTER – 2014 STYLE
Many examples of doing it wrong:
a. Not considering the Legal Implications [Lawyers]
b. Ineffective Controls [Oil & Gas]
c. BYOD by Evolution and not by Authority
d. BYOD and the Office Public AP
e. BYOD and Policies
f. BYOD and Acceptable Use Policies
g. Disposal/Sanitisation Policies
h. Employee Exit Process
i. Data Classification
And sometimes forgotten, but very much connected with BYOD is the element of Communications . . .
11. THE SECURITY INDUSTRY - 2014
When I was Chair of a Security Event some two years ago I discovered that the Access Point was Hacker-Engineered and Compromised. Having informed the Delegates, I noticed that in most cases it made no difference – they continued to use it and surf!
But then, when attending another this year, whilst I was listening to a presentation on the subject of PCI-DSS and Compliance, I noticed that some Delegate systems were attached to the Hotel AP and looked a tad insecure – I looked, proved, and stopped.
Conclusion: Time for some to eat their own dog food [Sorry]
12. DDoS - 2014
The tool that has proven to be the attacker’s choice for a sustained period: growing in power, and put to imaginative use to underpin Cyber Attack or other points of leverage, e.g. Cyber Extortion.
Did you know that on 28/10/14 global DDoS activity was running at 67% of what is accepted as the seasonal/time norm? Examples over a 24-hour period:
Taiwan = 61
New Jersey = 7
California = 153
Brazil = 27
Dominican Republic = 1
Guatemala = 1
El Salvador = 2
Belize = 1
New York = 16
Indiana = 52
Belgium = 4
13. CRIMINAL CURRENCY of CHOICE - BITCOIN
When we consider the Age of Cyber Crime, we also need to consider the currency – enter Bitcoin.
14. STANDARDS ARE DOMINANT - 2014
Standards are Dominant – followed to the letter in some cases, but they do not equal SECURITY
And some get overlooked! ITA 2000
15. CYBER WARFARE & CYBERCONFLICT
Statement by a CPNI Agent some 7 years back:
The Cyber Risk is over-hyped!
16. FAILING INNOCENCE
Very few organisations understand or recognise their legal obligations when dealing with Paedophilic Materials and discoveries relating to Child Abuse Images – lacking Procedures, Processes and Policies, and thus on occasion exposed to being culpable of Criminal Acts – FACT.
17. AUTOMATION – IN WE ‘WE’ TRUST
When I worked for GM in 1999, I attended a meeting which was introducing a new on-board car computer system. I asked if they had considered security? Had it been evaluated? And I proposed we consider an on-board Firewall! The response was:
‘Who is the security nutter?’
Automation also tends to be driven by factors which can and do forget security!