Lipstick on a Pig

Professor John Walker MFSoc CRISC CISM ITPC CITP SIRM FBCS FRSA
Director of CSIRT & Cyber Forensics
INTEGRAL SECURITY XSSURANCE Ltd

24 Lime Street | London | EC3M 7HS
Mobile: +44 (0) 7881 625140
Office: +44 (0) 2032 894449

History

Based on case histories, media reports, and statements from the Met Police Computer Crime Unit, there is strong evidence to suggest that Cyber Criminality [in all forms] is winning.

http://itsecurityguru.org/water-water-everywhere-byte-eat/#.UwHtII2PNhE

At the First Digital/Cyber Forensics event hosted by the Forensic Science Society, York, on 03/02/14, the expert panel observed:

a. Most companies subjected to Security/Pen Testing have multiples of significant [repeated] vulnerabilities!

b. The Black Hats are winning [proven by case histories]

c. Criminality exercises high degrees of innovation & imagination

Tick Boxes Lead to Compliance NOT always Security

On the 13th February 2014, I participated in a Webinar for info security.

A question was posed:

Q: What does Tick Box Security NOT Tell You?

The Answer

A: What the Successful Attacker Knows!

http://www.infosecurity-magazine.com/webinar/443/testing-your-businesss-ability-to-defend-its-digital-and-physical-workplace-/view.aspx

Mediocrity will NOT Suffice

It was the BofE who were the main orchestrators of Waking Shark II. Yet they have a number of significant security exposures and vulnerabilities, of which they have been informed under respectful, channelled Disclosure Notification, with no response or action.

If we are to lead the riotous path to evolve security and to protect the public, then it must surely follow a route to secure our infrastructures, and not just ignore the open states of potential compromise!

We must take the Threat seriously, or there is no point.

Waking Shark II: Security, or PR? http://www.informationsecuritybuzz.com/waking-shark-2/

In fact we are already here!

See article in Digital Forensics Magazine [if you want a copy just drop me a line].

DDoS

DDoS has been growing in popularity year on year, with the throughput of adverse traffic increasing, and it requires zero skill to join in:

The Statistics you Know and those you may NOT!

Play Safe

WiFi everywhere, but still not being used securely, or sensibly

An example:

Intelligent Postures & Response

Know your Critical Assets

Find out what you Don't Know

Consider the element of Data Leakage

Conduct a Triage

Conduct Intelligent Testing

Know your Business Exposure

Employ Situational Awareness Practices

Evolve an Incident Response Process, and Capability [Not just Lights On stuff]

Don't do Lip-Service, do Security

CSIRT Document Registers

ISO/IEC 27001 Segment SOA

CSIRT Incident Response Policy

CSIRT Incident TOR/Processes

Tools & Apps

CSIRT Run-Books

CSIRT Procedures

DoS/DDoS

Abusive Images

Malware [Virus, Trojan]

Acquisition

Image Extraction

Phishing

GRC & Case Management

Abusive Images [COPIN/SAP]

Investigations [PAS 555]

Legislation [e.g. DPA/ITA]

LAB [ISO/IEC 17025]

The CSIRT Framework

An example of a CSIRT[1] Framework, encompassing:

Document Registers with Version Control

LAB

GRC & Case Management

ISO 27001 Statement of Applicability [SOA]

Run-Books [Story Boards]

Policies & Processes

[1] Computer Security Incident Response Team

Possibly there is need to instil more ethics in those organisations who have failed to meet their obligations.

Maybe it's a case of Less Tick Box Compliance, and More Operational Security.

Could it be that we have reached the time where the levels of Insecurity and Security Breaches are implying we need to get Back-to-Basics?

Above all, has the time arrived which dictates that we need to rethink what security is, how it can be best accomplished, and how we can serve our public better, without the need for such government, or EU enforcement?

However, it really is about understanding and appreciating what Cyber Risk really is in 2014 and beyond, and the associated ramifications of what uninformed exposure could mean to the business.

Donald Rumsfeld: "There are known unknowns; that is to say, there are things that we now know we don't know..."

Five Simple Conclusions

We must recognise the onslaught, and success, of Cyber Crime in all forms, and it is time to address it full on with commitment.

Above all, we must not, by implication or suggestion of complacency, become a part of the problem.

To quote GCHQ/CESG from the mid-eighties: "We see the computer virus as a nuisance, & a passing threat!"

To quote CPNI from 6 years ago: "The Cyber Threat is over-hyped!"

The ULTIMATE Conclusion

17/02/2014