Scot-Tech Engagement's Cyber Security Conference for Scottish Business, held 30th April 2015, Edinburgh. For more information contact ray@scot-tech.com.
Please note further presentations will be added once speakers have approved
Q2 2014 (IDC): 301.3M smartphones shipped; Android 84.7% market share.
• February: Drive-By Mobile (DriveGenie)
• June: Pletor Mobile Ransom (doc encryption)
• July: Dorkbot/Ngrbot Kamikaze
2014 Threat Landscape Developments
• Mar 2013: Evernote hack, 50M users
• Feb 13: IoT, The Moon worm (Linksys routers)
• Apr 07: Heartbleed, vulnerable OpenSSL
• May 26: Apple iCloud ransomware, $100 EUR (Oleg Pliss)
• Jun 10: Evernote hack, 164,644 forum members
• Jun 23: Havex RAT, OPC server spy
• Aug 05: Cybervor, 1.2B user & pass, 500M emails
• Aug 15: Supervalu data breach, 200 stores affected
No One Is Immune
Have you changed your password yet?
eBay – The Impact by the Numbers
• 145M user accounts compromised
• 262,800: number of passwords changed in a year (average 2 minutes/password)
• 525,600 minutes in a year
• 551 man-years wasted changing passwords
Collaborative Approach to Addressing Advanced Threats
http://www.networkworld.com/news/2013/103013-gartner-defense-attacks-275438.html?page=2
Focus on Three Key Actions
Step 1 - Mitigation
• Mitigate threats before they enter your network
• Proactive is key
Step 2 - Detection
• Discover threats that have entered or tried to enter the network
Step 3 - Remediation
• Respond to any threats that have breached the network
A Structured Approach for Maximum Protection: Mitigation, Detection, Remediation
Access Control
• Reduce attack surface
Threat Prevention
• Inspect and block threats
Threat Detection
• Identify new incidents
Continuous Monitoring
• Assess, audit, improve
Incident Response
• Validate and contain
Operating Systems and Software Require Constant Updates
Installed PC operating systems (Net Applications, September 2014):
• Windows 8/8.1: 12%
• Windows 7: 52%
• Windows XP: 24%
• Windows Vista: 3%
• Other: 9%
Not All Anti-Virus Solutions are Equal
• Detection technology
• Network placement
• Operational efficacy
Payload Analysis (aka “sandboxing”)
What is it?
» A virtual container, reflecting an end-user desktop, in which untrusted programs can be safely examined
What happens in it?
» Code is executed in a contained, virtual environment
» Activity is logged and analyzed for suspect characteristics
» A rating is determined based on system, file, web and traffic activity
Why is it important?
» Traditional security looks at static attributes (signature, heuristic, pattern, reputation, etc.) rather than dynamic activity
» In many cases, a site or code is just the first, small stage
[Diagram: unsafe actions and escape attempts are blocked; outbound communication is controlled and inspected.]
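The sandbox workflow above (execute the sample, log its activity, rate it on system, file, web and traffic activity) is easier to see with a toy scorer. The block below is an added example, not code from the deck or from any vendor's product: it rates a constructed activity log using hand-picked indicators and weights, and, in line with the deck's later "Word of Caution" on sandboxes being waited out, it records a long sleep as a reason to call a quiet sample inconclusive rather than clean. The event names, weights and thresholds are assumptions.

```python
"""Toy payload-analysis (sandbox) report scorer.

Added example, not code from the deck or from any vendor product. It takes the
kind of activity log a sandbox produces while detonating a sample (system, file,
web and traffic events), looks for suspect characteristics in each category and
turns them into a rating. Event names, weights and thresholds are assumptions.
"""
import re
from collections import Counter

# Constructed activity log for one detonated sample: (category, action, detail).
SAMPLE_LOG = [
    ("system", "process_create", "cmd.exe /c vssadmin delete shadows /all"),
    ("system", "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("file", "write", r"C:\Users\victim\Documents\report.docx.locked"),
    ("file", "write", r"C:\Users\victim\Documents\budget.xlsx.locked"),
    ("file", "write", r"C:\Users\victim\Pictures\holiday.jpg.locked"),
    ("file", "delete", r"C:\Users\victim\Documents\report.docx"),
    ("web", "http_get", "http://update-check.example/gate.php?id=1234"),
    ("traffic", "connect", "198.51.100.23:4444"),
    ("system", "sleep", "600"),
]

COMMON_EXTENSIONS = {".docx", ".xlsx", ".jpg", ".png", ".pdf", ".txt", ".exe", ".dll", ".tmp", ".log"}
STANDARD_PORTS = {"80", "443", "53"}


def analyse_system(events):
    """System activity: tampering with recovery, and run-key persistence."""
    findings = []
    for action, detail in events:
        low = detail.lower()
        if action == "process_create" and any(t in low for t in ("vssadmin", "bcdedit", "wbadmin")):
            findings.append(("recovery/shadow-copy tampering", 40))
        elif action == "registry_write" and "\\run\\" in low:
            findings.append(("run-key persistence", 20))
    return findings


def analyse_file(events):
    """File activity: many writes with the same unfamiliar extension (mass-encryption pattern)."""
    exts = Counter()
    for action, detail in events:
        match = re.search(r"(\.[A-Za-z0-9]+)$", detail)
        if action == "write" and match and match.group(1).lower() not in COMMON_EXTENSIONS:
            exts[match.group(1).lower()] += 1
    return [(f"{n} files written with new extension {ext}", 30) for ext, n in exts.items() if n >= 3]


def analyse_web(events):
    """Web activity: callbacks to bare IPs or script-style gates rather than normal pages."""
    findings = []
    for _action, detail in events:
        host = re.sub(r"^https?://", "", detail).split("/")[0]
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) or re.search(r"\.php\?", detail):
            findings.append((f"script-style callback to {host}", 10))
    return findings


def analyse_traffic(events):
    """Traffic activity: connections on ports that are neither web nor DNS."""
    return [(f"connection on non-standard port {d.rsplit(':', 1)[-1]}", 15)
            for a, d in events if a == "connect" and d.rsplit(":", 1)[-1] not in STANDARD_PORTS]


def evasion_indicators(system_events):
    """Long sleeps are a classic way of waiting out a time-limited analysis run."""
    return [f"slept {d}s before acting" for a, d in system_events if a == "sleep" and int(d) >= 300]


ANALYSERS = {"system": analyse_system, "file": analyse_file, "web": analyse_web, "traffic": analyse_traffic}


def rate_sample(log):
    """Group events by category, run each analyser and turn the weighted findings into a rating."""
    by_cat = {}
    for cat, action, detail in log:
        by_cat.setdefault(cat, []).append((action, detail))
    findings = []
    for cat, analyser in ANALYSERS.items():
        findings.extend(analyser(by_cat.get(cat, [])))
    score = sum(weight for _, weight in findings)
    evasion = evasion_indicators(by_cat.get("system", []))
    if score >= 50:
        rating = "malicious"
    elif score >= 20:
        rating = "suspicious"
    elif evasion:
        rating = "inconclusive"  # quiet, but it may simply have waited us out
    else:
        rating = "clean"
    return {"score": score, "rating": rating,
            "findings": [text for text, _ in findings], "evasion": evasion}


if __name__ == "__main__":
    report = rate_sample(SAMPLE_LOG)
    print(f"{report['rating']} (score {report['score']})")
    for line in report["findings"] + report["evasion"]:
        print("  -", line)
```

The point of the per-category analysers is that the rating comes from what the sample did, not what it looks like; the separate evasion list is what keeps a sample that did nothing for ten minutes from being waved through as clean.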
A Deeper Level of Analysis
Network Behavior Analysis
» Establish baselines of normal traffic patterns, look for anomalies
Network Forensics
» Capture and replay network traffic for incident response
Payload Analysis
» Execute code in a contained, “sandbox” environment
Endpoint Behavior Analysis
» Monitor the production system configuration for anomalies
Endpoint Forensics
» Collect data from endpoints to aid in incident response and forensics
Technology Hype and Hysteria
[Hype cycle chart, visibility against time: Technology Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity]
A Word of Caution
http://www.darkreading.com/attacks-breaches/the-increasing-failure-of-malware-sandbo/240159977
• We are a unique organisation comprising contributions and secondments from the Police, Scottish Government, Fire Services, Scottish Clearing Banks, investors and our membership.
• Vision
  • Creating a secure & resilient Scotland for business to flourish in
• Stakeholders
  • Scottish Government, Police Scotland, Members
Quick test
1. Where is data?
2. Who has access?
3. What happens when a vendor suffers?
4. What are the ramifications of an internally-sourced breach?
5. What do you plan to do when you have a data breach?
This is an introduction to the Fortinet portfolio of solution products. In this presentation what we are attempting to do is to introduce advanced technology products to position in solutions along with the FortiGate family. The advanced technologies consist of 26 products, and obviously to try and introduce all of these is difficult, so what we have attempted to do in this presentation is focus on a small number of these to help in the introduction and solution proposal process.
Rather than look at products we would like to try and understand the customer issues on a day-to-day basis. By doing this it helps us understand exactly what challenges they are facing. If we can then position our solutions with this understanding, the message is far easier to understand.
First of all we look at cost; this will come in two forms, operational and capital. While the capital cost is often the initial discussion, the operational and ongoing costs are becoming more and more important in a maturing market. The market has matured significantly to the point where certain technologies are accepted as working. This started with some of the most simple switching and wireless technologies and is now moving towards some of the more complex firewall/NGFW and UTM solutions. Customers are now accepting that with over 2 million devices shipped the technology is stable. While they may want to test performance and stability of new products, core technology is often accepted and mature.
Next we look at consolidation. We all see the investigation of SDN; however, most organizations are cautious about putting critical applications onto an unproven and immature technology. They are however keen to put in mature, proven solutions that have migrated to a VM environment, and Fortinet have a number of solutions that provide this. One of the challenges that still exists for enterprises is manpower. Experienced technical people are expensive, if they are available at all, and while it is accepted that they are needed, anything that can be done to help them and make their job simpler is classed as a huge benefit. Therefore if I can supply or purchase a solution from a single vendor that simplifies management and support then this is seen as a huge advantage.
Next is security. Obviously no one can foresee exactly what is coming from around the corner; however, combining technology and intelligence gives us the best possibility of detection and reaction to threats or breaches. It is at this point that we must stress the need to not think of if but when the breach will happen, as it is only with this approach that damage limitation can be achieved.
So what is sandboxing and why has it gotten so much publicity? In fact, sandboxing is not new. It’s been part of application development and testing for many years and is an integral part of a lot of applications. What is new about it is its use in network security: taking a suspicious sample, placing it in a controlled environment and seeing what happens.
Good morning ladies & gentlemen, it’s a pleasure to be here today and I feel humble alongside all of these fantastic speakers. My thanks to the Scot-Secure team for the invite and to the sponsors who make events like today possible.
My input today will hopefully give you some insight in respect of what kind of support SBRC can bring to your company, either as direct support or to support you in helping Scottish businesses improve security and resilience.
Our vision presents a wide spectrum of opportunity which is reflected in our core work streams:
• Physical security
• Financial sector resilience
• Anti-illicit trade
• Vulnerable customers / adults at risk of financial harm
• Night-time and leisure economy
• Retail and tourism
• Secure transport and haulage
• SABRE training in resilience and security for business
• Cyber and e-crime
Our product, in whatever form that takes, is designed on the requirements of our stakeholders. We have heard from Police Scotland today about the threat, so we need to support their proactivity in raising awareness and reducing incidents. Statistics from government suggest that in 2014 60% of small businesses experienced a cyber breach, and we know from our members that they sense vulnerability around doing business online and a lack of knowledge or understanding of how to address, or even start to address, the risk.
This has driven our response to provide accessible and practical support around digital security. We have developed a project alongside our Scottish universities to develop some core products…
The first is our FOOTPRINT exercise. It addresses:
• Security of individuals who may be at risk (blackmail / kidnap)
• Risk to the security of the business from social engineering
• Risk of reputational damage
The footprint is about understanding and acknowledging what information is available; from there you can take action to mitigate against the threat.
There are also things you can do to reduce risk items from your profile, and although cyber IT experts will counsel that it is difficult if not impossible to clear data from the internet totally, it is definitely possible to reduce the visibility of data.
We also provide a supply chain review service.
Much like the resilience you will have designed into your business process in regard to all its aspects, such as supply of raw materials or transport, supply chain in digital terms is very much the same: who provides your servers, who hosts your website, what is your exposure, is it customer based, does it support or provide internal processes? Basically, if some aspect of your digital supply chain is compromised, what does it do to you?
Again, understanding that threat is key, supported by technical detail, to ask your digital suppliers to ensure they are meeting your needs.
The final service is our Cyber Security Assessment.
To use that term, it is what it says on the tin. I am not by any means an expert in the technical aspects of hacking, digital infiltration, denial of service, theft of data or logic bombs.
But our ethical hackers are, and with this service they will come in and review how your business is digitally networked internally and externally, what access it facilitates and how secure it is.
The core part of the service is the penetration testing: looking for ways in which your systems could be compromised by an unauthorised individual, and that person can be a hacker sitting hundreds of miles away or an ex-member of staff.
The process also looks at existing security, from technology to password management. What would your team, your staff, do if they found a USB in the company car park… beside the directors’ parking space?
We have provided companies with reassurance that they have good levels of protection, but equally we have shocked a finance-based company when our security team showed them how we accessed all their client data through a CCTV system patched into the network. Being able to view the premises in the event of an alarm activation on an iPad at home lost its appeal!
The purpose of the video is to show that digital security is not just about the systems.
As we saw in the video, physical methods were used: identity theft, a fake ID card, tailgating to bypass access control systems. These types of methods will be used to get around your security; as reflected in the cartoon, if you have firewalls and encryption they can be circumvented by human intervention.
That can be intentional or unintentional: a blackmailed member of staff, a sub-contractor. So you need to seriously consider the insider threat aspect.
The importance of insider threat should not be overlooked, and although it has a wider reach than just cyber, it is very much being utilised in the cyber threat arena.
Consider the recent Sony breach: there are certainly clear indicators now that, whoever it was that broke into the system, the door was opened by someone on the inside.
Joining Promoting and Leavers
Security and Access Controls
Social Networking, Cyber Impersonation and Infiltration
Staff Monitoring, Critical Behaviours, Risk Identification and Integrity Testing
Procurement, Fraud/Counterfeiting and Organised Crime
Investigation and Post Incident Management
MINDSET – the position needs to move away from “will I be a target?” to “I am a target”.
E-trader accreditation is a simple entry-level standard provided by the SBRC; achieving this baseline provides reassurance of a core level of data/IT security. Once achieved, businesses can use the e-trader mark on websites and documentation.
CE and CE Plus are similar, provided by the Government, with CE being a self-assessment and CE Plus a physical audit.
Full accreditation and use of the mark is a paid-for service, but what is clear is that even prior to that, the guidance in these schemes and their associated checklists provides a base for a cyber / digital security strategy.
The innovation voucher scheme is worth quickly mentioning, as it can provide up to £5000 worth of funding to innovate and improve cyber security.
Cyber Streetwise provides an online resource of practical support on how to defend your business.
In August of 2014 an engineer at a globally recognised engineering company downloaded and installed a perfectly legal piece of backup software on his laptop.
He configured it to reach out to a number of network locations to create an incremental backup.
At the end of the week he’d managed to collect and archive 180,000 files into a single location.
He proceeded to unplug his laptop from the network and transfer the archive file onto his USB drive, which had podcasts and other personal data on it.
If the engineering company hadn’t been running ZoneFox they would not have known that the files consisted of CAD files with next-gen product designs, source code, testing information, contracts, sales information, and so on.
Normally this might have been OK, depending on his role and the context of the situation. But when you combine this with the fact that he had just handed in his notice, and it was known that he was about to work at a competitor, it was a sure sign that the engineering firm had a problem on their hands.
With these insights, they were able to speak to him and ensure that over £10m worth of intellectual property and business data didn’t walk straight to a competitor.
Today I’m going to tell you the story of how we took a technically interesting idea from a lab bench, tested it in the market, and turned it into a product that’s helping real businesses solve real issues.
It all started in 2005 (10 years ago, wow!).
Prof Buchanan and I realised that existing investigations were based on audit data that wasn’t fit for purpose.
We realised that we needed to come up with a form of data that could better describe activities occurring on an endpoint.
For example, we could gather logs about whether a user had logged onto or off a machine, but we didn’t understand fully what had happened in between. We could try and rely on network evidence, but if the user performed all of their activities locally then there would be no trail of evidence.
• PoC
• Build tech team
• Give me a mentor
• Build an initial board
• Get us working as a proper company with board meetings etc.
• Initial technical test sites, alpha product, feedback
The problem was cyber security; I don’t know if you remember, but 2008 was when the number of instances of cyber incidents started to hit the news. It was a drip back then, but it was certainly the start of something.
We had a technology looking for a problem
We knew it would be useful, but we didn’t know how to
What we didn’t know then, was that we were about to tap into some crucial themes that are defining the way in which the market thinks about security today.
So what did we learn?
The crunchy exterior
Defence in depth
In a perimeterless world, this is a problem.
Talk about the fact that antivirus is increasingly ineffective against malware and 0-day attacks.
We learned that our customers wanted to stay as agile and innovative as us, and that the classic view of security was no longer necessarily compatible with that goal, or with the change in the threat landscape.
The changing landscape; Malware being a huge problem, the change in sophistication of threat actors
Innovative threats require innovative solutions.
Volume, and sophistication of threat
Hacktivism and fun
A recognition that criminal gangs have moved from Credit Card information
So why do security incidents occur?
Swiss Cheese Security Model
Alignment of factors
All too often the reason for incidents in the modern enterprise.
Some of the reasons are to do with the fact that {NEXT SLIDE}
Complexity; lack of visibility into highly complex systems which is being compounded by the perimeterless enterprise. BYOD, and complex layers of abstraction.
For
The implementation of tightly secured systems did not necessarily fit in with the business needs or desires of the organisation.
Visibility is going to be key in the next wave of security deployments. Currently it’s hard to tell if the controls and other systems in place are actually working. Combine that with the fact that
Flexibility; it turns out that innovative companies find it a hard balance keeping their systems secure and allowing their employees
Tie it all together in terms of the Engineering case study;
Multiple things went wrong to allow him to take the information
The controls set up to stop him from installing software failed, and they didn’t know about it
Improper configuration of access controls; why was he allowed to access areas outwith his level?
The issue then becomes, when he does access, providing enough visibility to know when the removal of files is an issue, i.e. on departing a firm.
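The engineering case study and the three failure points just listed (an install control that failed silently, access outside the engineer's level, and no visibility of file removal by a leaver) map directly onto the "Endpoint Behavior Analysis" line of the earlier slide: monitor what the endpoint actually does and compare it with policy, role and the user's own baseline. The block below is an added example, not code from the deck or from ZoneFox: it replays a constructed week of endpoint events for two users and raises a prioritised finding for each failure point, with HR context (notice handed in) escalating the priority. The users, shares, approved-software list, weights and thresholds are all assumptions.

```python
"""Toy endpoint behaviour analysis for an insider data-removal scenario.

Added example, not code from the deck or from ZoneFox. It replays a constructed
week of endpoint events for each user and applies the checks the case study
implies: unapproved software installs, file access far above the user's
baseline, access to shares outside the user's role, and bulk copying to
removable media after collection, with HR context (notice handed in) raising the
priority. Users, shares, policies, weights and thresholds are all assumptions.
"""
from collections import defaultdict

# Constructed reference data: not real users, shares or policies.
APPROVED_SOFTWARE = {"Office Suite", "CAD Workbench", "VPN Client"}
ROLE_SHARES = {"engineer": {"cad", "source"}, "legal": {"legal", "contracts"}}
USERS = {
    "engineer42": {"role": "engineer", "weekly_read_baseline": 1500, "notice_given": True},
    "legal07": {"role": "legal", "weekly_read_baseline": 800, "notice_given": False},
}

# Constructed week of endpoint events, as an agent might report them.
WEEK_EVENTS = [
    {"user": "engineer42", "type": "software_install", "name": "IncrementalBackup 3.1"},
    {"user": "engineer42", "type": "file_read", "share": "cad", "count": 120000},
    {"user": "engineer42", "type": "file_read", "share": "source", "count": 40000},
    {"user": "engineer42", "type": "file_read", "share": "legal", "count": 20000},
    {"user": "engineer42", "type": "removable_write", "path": "E:\\archive.zip", "bytes": 8_000_000_000},
    {"user": "legal07", "type": "file_read", "share": "legal", "count": 650},
]


def analyse_user(user, events, directory=USERS):
    """Score one user's week against policy, role and baseline; return findings and priority."""
    profile = directory[user]
    allowed = ROLE_SHARES[profile["role"]]
    reads = defaultdict(int)
    installs, removable = [], []
    for ev in events:
        if ev["user"] != user:
            continue
        if ev["type"] == "software_install":
            installs.append(ev["name"])
        elif ev["type"] == "file_read":
            reads[ev["share"]] += ev["count"]
        elif ev["type"] == "removable_write":
            removable.append(ev)

    findings = []
    # 1. The control that should stop unapproved installs: did it hold, and did we see it fail?
    for name in installs:
        if name not in APPROVED_SOFTWARE:
            findings.append((f"unapproved software installed: {name}", 15))
    # 2. Volume against the user's own baseline rather than a global threshold.
    total = sum(reads.values())
    baseline = profile["weekly_read_baseline"]
    if total > 10 * baseline:
        findings.append((f"{total} file reads against a weekly baseline of {baseline} ({total // baseline}x)", 25))
    # 3. Access outside the user's role (the access-control misconfiguration in the case study).
    for share in sorted(set(reads) - allowed):
        findings.append((f"access to share outside role: {share}", 20))
    # 4. Collection followed by removal to media the organisation does not control.
    if removable and total > baseline:
        findings.append(("bulk collection followed by removable media write", 30))

    score = sum(weight for _, weight in findings)
    priority = "high" if score >= 60 else "medium" if score >= 30 else "low"
    # 5. Context: the same activity from a departing employee is a different risk.
    if profile["notice_given"] and score >= 30:
        priority = "urgent (leaver)"
    return {"user": user, "score": score, "priority": priority,
            "files_collected": total, "findings": [text for text, _ in findings]}


if __name__ == "__main__":
    for name in USERS:
        result = analyse_user(name, WEEK_EVENTS)
        print(f"{result['user']}: {result['priority']} (score {result['score']})")
        for line in result["findings"]:
            print("  -", line)
```

Each of the four checks on its own is ambiguous (a backup tool, a busy week, a shared folder, a USB stick); it is the combination, plus the leaver context, that turns activity into something worth a conversation, which is the point the case study makes.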