Wax Switch
LEADING COMMENT
It is about time companies and country leaders took ownership of their high-risk activities. We seem to live in a
collective ‘denial-of-the-obvious’, despite all the warnings and the many facts that are already in plain sight!
Senior Information Security Professional 27/10/2014
Denial
SIT-REP 14
Dublin comment 2014: At the ‘Breaking Down the Silos’ ISACA event in Dublin in 2014 the question was put to over 280 delegates:
‘Do you feel your organisation is secure from Cyber Attack?’ The response: 0.
A response which is reflected in many other circumstances, including the Forensic Science event held in February 2014.
QSA Comment: When a QSA was asked why a site could be assessed as secure when it had clear and proven high-risk
vulnerabilities, they responded:
‘Because that part of the associated security vulnerabilities is not included in the scope of the assessment’
Oil Industry Comment: When asked why their Cloud Providers were not subjected to in-depth Due Diligence, the response
was as follows:
‘Because we engage with low cost providers, and cannot expect robust security’
EXAMPLE 1 – BANK of England – 20/10/14
The Bank of England [BoE] outage occurred on 20/10/14 [the start of Get Safe Online Week!] when it was decided to take down the
CHAPS payment system. As you can imagine, for such a critical system the impact on ordinary people and businesses was
significant, if not in some cases devastating.
Was it caused by: a. a Security Event, b. a badly applied change, c. Component Failure, or d. something else?
Question: whichever of the aforementioned it was, for such a Critical System are the impacts tolerable in 2014 – 15 – 16 . . ?
As an open observation, anyone practised in the art of OSINT will notice that, notwithstanding
great initiatives such as Waking Shark and Waking Shark II, the BoE does
suffer high degrees of Data Leakage which has been proven to be exploitable – which for such a
core and prestigious institution is worrying!
And would you believe it if you were to learn that a UK core bank has suffered a security breach which saw it connected back
to Chinese servers [.com.cn] from a Core Switch, along with Remote Access potential? I know – it could never happen!
EXAMPLE 1 + DATA LEAKAGE & OSINT
As an example of what titbits are made available to passers-by, take a core bank which, as of 28/10/14, was publicly exposing:
a. 122 internal PCs
b. User associations [e.g. Andrew G****]
c. 71 associated servers and IPs
d. Bank Tree listing Authorised Users + 20 other servers
e. 11 associated domains
f. 19 pptx files with varying amounts of metadata
g. 100 xls [as above]
h. 89 xlsx [as above]
i. Plus multiple Word and PDF files – insecure, and with variable security
j. Track Changes still in place in some documents – revealing hidden content
k. 60+ email addresses [some with .gsi.gov extensions]
l. Internal extension numbers associated with named individuals
m. 250+ O/S identifications including NT 4.0, XP, Server 2003, and Windows 7
All very useful intelligence for the off-line attacker to use as footprinting and social-engineering material.
Lite-Touch Exploitability was tested – and proven
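The list above is what an OSINT pass recovers from documents an organisation publishes, and the Office file formats keep that material in fixed places, so the check can be automated. The script below is an added example written for this page, not the deck's own tooling and not any bank's data: it opens an Office Open XML file (.docx, .xlsx and .pptx are all ZIP containers), reads the core and extended property parts for creator, last editor, company, application version and revision count, walks a Word body for tracked insertions and deletions that were never accepted, and lists any comment parts. The sample .docx it inspects is constructed in memory with invented names and figures; on a real corpus, pass the bytes of each downloaded file to inspect_ooxml.

```python
"""Inspect an Office Open XML file (.docx/.xlsx/.pptx) for what an OSINT pass harvests:
author/last-editor names, company, authoring application, revision count, unaccepted
tracked changes and comment parts. Standard library only; the sample is built inline."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]  # Clark-notation prefix for WordprocessingML tags


def _text(root, path):
    """Text of the first element matching a prefixed path, or ''."""
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def inspect_ooxml(data: bytes) -> dict:
    """Return the leak-relevant fields of one OOXML document held in memory."""
    report = {"authors": set(), "company": "", "application": "", "revision": "",
              "tracked_changes": [], "comments": [], "comment_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:  # Dublin Core properties, all three formats
            core = ET.fromstring(z.read("docProps/core.xml"))
            for path in ("dc:creator", "cp:lastModifiedBy"):
                if _text(core, path):
                    report["authors"].add(_text(core, path))
            report["revision"] = _text(core, "cp:revision")
        if "docProps/app.xml" in names:  # application, version and company
            app = ET.fromstring(z.read("docProps/app.xml"))
            report["company"] = _text(app, "ep:Company")
            report["application"] = " ".join(
                v for v in (_text(app, "ep:Application"), _text(app, "ep:AppVersion")) if v)
        if "word/document.xml" in names:  # Word: w:ins / w:del are unaccepted revisions
            doc = ET.fromstring(z.read("word/document.xml"))
            for tag, kind, text_tag in ((W + "ins", "inserted", W + "t"),
                                        (W + "del", "deleted", W + "delText")):
                for change in doc.iter(tag):
                    author = change.get(W + "author", "")
                    text = "".join(t.text or "" for t in change.iter(text_tag))
                    report["tracked_changes"].append((kind, author, text))
                    if author:
                        report["authors"].add(author)
        # comment parts exist in all three formats; Word's is parsed for author and text
        report["comment_parts"] = sorted(n for n in names if re.search(r"/comments?\d*\.xml$", n))
        if "word/comments.xml" in names:
            for c in ET.fromstring(z.read("word/comments.xml")).iter(W + "comment"):
                author = c.get(W + "author", "")
                report["comments"].append((author, "".join(t.text or "" for t in c.iter(W + "t"))))
                if author:
                    report["authors"].add(author)
    return report


def build_sample_docx() -> bytes:
    """Constructed sample, not a real document: every name and value is invented."""
    core = """<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>andrew.g</dc:creator><cp:lastModifiedBy>Jane Example</cp:lastModifiedBy>
 <cp:revision>37</cp:revision>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2014-10-28T09:00:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)
    app = """<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>
 <AppVersion>14.0000</AppVersion><Company>Example Bank plc</Company></Properties>""".format(**NS)
    document = """<w:document xmlns:w="{w}"><w:body><w:p>
 <w:r><w:t>The figure reported to the regulator is</w:t></w:r>
 <w:del w:id="1" w:author="andrew.g" w:date="2014-10-27T16:40:00Z">
  <w:r><w:delText> GBP 50,000,000</w:delText></w:r></w:del>
 <w:ins w:id="2" w:author="andrew.g" w:date="2014-10-27T16:41:00Z">
  <w:r><w:t> under review</w:t></w:r></w:ins>
</w:p></w:body></w:document>""".format(**NS)
    comments = """<w:comments xmlns:w="{w}"><w:comment w:id="0" w:author="Jane Example">
 <w:p><w:r><w:t>strip this before it goes on the website</w:t></w:r></w:p>
</w:comment></w:comments>""".format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app),
                          ("word/document.xml", document), ("word/comments.xml", comments)):
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in inspect_ooxml(build_sample_docx()).items():
        print(f"{key:16}{value}")
```

Everything this reports is what a passer-by gets from the public web site, so the same function belongs in the publishing pipeline as a gate: refuse a file whose report carries authors, a company name, tracked changes or comments, and run the application's document inspector before release. Note that PDF and binary .doc/.xls files carry equivalent fields in different structures and are not handled here.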
BANK CLOSURES
Example – October 2014 – Lloyds to close 200 branches in the UK and drop 9,000 jobs, with the prospect of moving
services on-line and offshore.
We are now clearly in the grip of the ‘Digital Channel’, and as one senior banking expert commented: ‘We will see a very
different shape for banking of the future’.
2020 > Dependent on Technology, Dependent on Complexity, Dependent on the Internet; and as may be inferred from
the BoE debacle, we should expect issues.
In the new age of Digital Banking, may one assume that the Industry of Cyber Criminality will continue to evolve?
Will 2020 be the age of ‘EoL’ – Everything-on-Line?
EXAMPLE 2 – USA 9/11/11
As amazing as it may seem, one lone engineer changing over a piece of equipment on 9/11/11
managed to black out 5 million homes in Southern California, caused chaos to air and road
transportation, and resulted in nuclear reactors having to be shut down.
EXAMPLE 3 – SAMBA SHARE 2010 – BANK
Another UK Bank – this time the exposure was the result of over-inflated profiles [e.g. Senior Security Consultants]
combined with a complete lack of technical security.
Notwithstanding that the Bank ran in-depth external and internal Penetration Testing, they and their Third Party Providers
failed to notice that 80% of the Bank's financial traffic was passing via an unsecured SAMBA environment!
The same Bank, under the stewardship of the same Senior Security Consultant, had accidentally migrated PCI-DSS data
into a Cloud environment [which could not be backed out].
This same Bank had also lost over £50m to what they referred to as an Unknown Transaction – the funds simply
were not accounted for!
As I said, this is a UK Bank!
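The deck says 80% of the bank's financial traffic crossed an unsecured Samba environment but does not say which settings were wrong; the settings that matter are few, and they live in smb.conf. The script below is an added example, not the bank's configuration and not material from the deck: it parses an smb.conf and flags SMB1 dialects, unsigned and unencrypted sessions, guest fallback, empty passwords, guest-accessible or unrestricted shares, and shares with no host allow-list. WEAK_CONF and HARDENED_CONF are constructed for the example (the share name, group and subnet are invented); the parameter names are the real smb.conf parameters, and the defaults assumed in the checks (read only = yes, map to guest = Never, SMB1 accepted by releases before Samba 4.11) are Samba's documented defaults.

```python
"""Audit a Samba smb.conf for the settings that turn a share into an unauthenticated,
unsigned, cleartext conduit. Parameter names are real smb.conf parameters; the two
configurations are constructed for this example."""

SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}  # SMB1 dialect names

WEAK_CONF = """
[global]
   security = user
   map to guest = Bad User
   server min protocol = NT1
   server signing = disabled
   null passwords = yes

[finance]
   path = /srv/finance
   guest ok = yes
   read only = no
"""

HARDENED_CONF = """
[global]
   security = user
   map to guest = Never
   server min protocol = SMB3
   server signing = mandatory
   smb encrypt = required
   null passwords = no

[finance]
   path = /srv/finance
   valid users = @finance-ops
   write list = @finance-ops
   read only = yes
   guest ok = no
   hosts allow = 10.20.30.0/24
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: [sections], 'key = value' lines, '#'/';' comments.
    Keys are lower-cased with whitespace collapsed, as Samba itself treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    proto = g.get("server min protocol", g.get("min protocol", "")).lower()
    if proto in SMB1_DIALECTS:
        findings.append(f"[global] server min protocol = {proto}: SMB1 dialects accepted")
    elif not proto:
        findings.append("[global] server min protocol unset: SMB1 accepted by Samba releases before 4.11")
    if g.get("server signing", "default").lower() != "mandatory":
        findings.append("[global] server signing not mandatory: sessions can be tampered with in transit")
    if g.get("smb encrypt", "default").lower() not in ("required", "mandatory"):
        findings.append("[global] smb encrypt not required: share traffic crosses the LAN in clear")
    if g.get("map to guest", "never").lower() != "never":
        findings.append(f"[global] map to guest = {g['map to guest']}: failed logons fall back to guest")
    if _yes(g.get("null passwords", "no")):
        findings.append("[global] null passwords = yes: accounts with empty passwords can log on")
    for name, share in conf.items():
        if name == "global":
            continue
        guest = _yes(share.get("guest ok", "no")) or _yes(share.get("public", "no"))
        writable = (_yes(share.get("writable", share.get("writeable", "no")))
                    or not _yes(share.get("read only", "yes")))  # Samba default: read only = yes
        if guest:
            access = "read/write" if writable else "read-only"
            findings.append(f"[{name}] guest ok = yes: unauthenticated {access} access")
        elif "valid users" not in share:
            findings.append(f"[{name}] no valid users list: any authenticated account can connect")
        if "hosts allow" not in share and "hosts allow" not in g:
            findings.append(f"[{name}] no hosts allow: reachable from every network the server sits on")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"--- {label}: {len(audit_smb_conf(conf))} finding(s)")
        for finding in audit_smb_conf(conf):
            print("  " + finding)
```

The hardened block is the shape a share carrying payment traffic should have: SMB3 only, signing and encryption mandatory, a named group in valid users, and a hosts allow tied to the segment that legitimately talks to it. An internal penetration test that only sweeps for open ports would still pass a share that is reachable, authenticated, but unsigned and unencrypted, which is why this audit reads the configuration rather than the network.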
EXAMPLE 5 – UTILITY ‘GAS’ COMPANY – 2014
In the utility arena, take the large Gas Utility Sector Company which regularly suffers unauthorised incursions,
successful Phishing Attacks and Malware, and has an internal LAN environment which exposes systems and data to theft
and compromise.
This same company breaches the Data Protection Act by allowing access to Personal Data, fails to meet the requirements
of PCI-DSS, and has no standards which underpin robust security – they are wide open.
With the break in contracted relationships with their Third Party Supplier, Malware Infections, suspicious creation of
Privileged Accounts and other such security-related events are processed via ITIL, and will be detected and
responded to up to 30 days after the incident!
This is a UK Plc.
And when it comes to Smart Meters, Connected Homes, and their associated Cloud environments!!!!
And some of these organisations have won BCS awards in 2014 – clearly Security is not an issue!
BRING YOUR OWN DISASTER – 2014 STYLE
Many examples of doing it wrong: 
a. Not considering the Legal Implications [Lawyers] 
b. Ineffective Controls [Oil & Gas] 
c. BYOD by Evolution and not by Authority 
d. BYOD and the Office Public AP 
e. BYOD and Policies 
f. BYOD and Acceptable Use Policies 
g. Disposal/Sanitisation Policies
h. Employee Exit Process 
i. Data Classification 
And sometimes forgotten, but very much connected with BYOD, is the element of Communications . . .
THE SECURITY INDUSTRY – 2014
When I was Chair of a Security Event some two years ago I discovered that the Access Point was Hacker-Engineered and
Compromised. Having informed the Delegates, I noticed that in most cases it made no difference – they continued to
use it and surf!
But then, when attending another this year, whilst I was listening to a presentation on the
subject of PCI-DSS and Compliance, I noticed that some Delegate systems were attached
to the Hotel AP and looked a tad insecure – I looked, proved, and stopped.
Conclusion: Time for some to eat their own dog food [Sorry]
DDoS – 2014
The tool that has proven to be the attacker's choice for a sustained period.
Growing in power, and put to imaginative use to underpin Cyber Attack, or other
points of leverage – e.g. Cyber Extortion.
Did you know that on 28/10/14 global DDoS activity was running at 67% of what is
accepted as the seasonal/time norm – examples over a 24-hour period:
Taiwan = 61 
New Jersey = 7 
California = 153 
Brazil = 27 
Dominican Republic = 1 
Guatemala = 1 
El Salvador = 2 
Belize = 1 
New York = 16 
Indiana = 52 
Belgium = 4
CRIMINAL CURRENCY of CHOICE - BITCOIN 
When we consider the Age of Cyber Crime, we also need to consider 
the currency – enter Bitcoin.
STANDARDS ARE DOMINANT – 2014
Standards are Dominant – followed to the letter in some cases, but they do not equal SECURITY
And some get overlooked! ITA 2000
CYBER WARFARE & CYBERCONFLICT 
Statement by a CPNI Agent 
Some 7 years back: 
The Cyber Risk is over-hyped!
FAILING INNOCENCE
Very few organisations understand or recognise their legal obligations when dealing with paedophilic materials and
discoveries relating to Child Abuse Images – lacking Procedures, Processes and Policies, they are on occasion exposed
to being culpable of Criminal Acts – FACT.
AUTOMATION – IN ‘WE’ WE TRUST
When I worked for GM in 1999, I attended a meeting which was introducing a new on-board
car computer system – I asked if they had considered security? Had it been evaluated? And
I proposed we consider an on-board Firewall! The response was:
‘Who is the security nutter?’
Automation also tends to be driven by factors
which can and do forget security!
REAL IMPACT – THE COMPUTER AGE
Yerkes & Dodson Law [performance improves with pressure only up to a point, beyond which it falls away]
THANK YOU
