#scotsecure Welcome to

Scot Secure 2016



Page 1: Scot Secure 2016

#scotsecure

Welcome to

Page 2: Scot Secure 2016

#scotsecure

Mark Stephen

BBC Scotland

Page 3: Scot Secure 2016

www.mobile-scotland.com

2nd Annual Mobile Scotland

26th May Edinburgh

Page 4: Scot Secure 2016

www.scot-cloud.com

3rd Annual Scot-Cloud

21st June Edinburgh

Page 5: Scot Secure 2016

#scotsecure

DI Eamonn Keane

Police Scotland

Page 6: Scot Secure 2016

Investigating Cybercrime in the UK

Be the Hunter!!

Cybercrime / DI Eamonn Keane

Specialist Crime Division

Page 7: Scot Secure 2016

Agenda

Scottish, UK & Global Perspective!

The current threat landscape!

Incident Planning & Response!

Prevention.

Scotland's future.

Signposting.

Page 8: Scot Secure 2016

Key questions that all CEOs and CISOs should be asking this week?

• "Are we vulnerable to SQL injection, ransomware or DDoS based attacks?"

• "What assurance activity have we done to confirm that we are not vulnerable?"

• "If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?"

• "What assurance activity have we done to confirm this position?"

• "What is our company posture on security?"

Page 9: Scot Secure 2016
Page 10: Scot Secure 2016

Cybercrime Cost

Page 11: Scot Secure 2016
Page 12: Scot Secure 2016

Cyber Regional Organised Crime Units

Page 13: Scot Secure 2016

Cybercrime!

Page 14: Scot Secure 2016

Stalking

Bullying

Cyber Fraud

SOCG

Sexual Offenders

Indecent images of children

Cyber dependent crimes e.g. hacking, malware, DDoS

Anti-social behaviour

Cyber Terrorism

Cybercrime is impacting on the police response across the full crime spectrum.

Page 15: Scot Secure 2016

SOC

CYBER ATTACKS

VOLUME CYBERCRIME

• International highly skilled cyber-criminals, often working together

• Responsible for 262,000 UK infections and losses > £500m

• Distributed Denial of Service (DDoS) – BBC, HSBC

• Ransomware – Police Scotland, SPA

• Data Theft and extortion – TalkTalk, Ashley Madison

• 2.5 million cybercrimes in the UK annually

• Economic Crime

• Extortion

• Offences against children (CSE)

Page 16: Scot Secure 2016
Page 17: Scot Secure 2016

Your Title Here

1980’s Policing

Page 18: Scot Secure 2016

"I can do more damage on my laptop in my pyjamas, before my first cup of Earl Grey, than you can do in a year in the field." – Q, Skyfall

Page 19: Scot Secure 2016
Page 20: Scot Secure 2016

Cyber Attacks are on the rise

Page 21: Scot Secure 2016
Page 22: Scot Secure 2016
Page 23: Scot Secure 2016

Ransomware - Glasgow Hairdressers

Page 24: Scot Secure 2016
Page 25: Scot Secure 2016

ORGANISED CRIME

Page 26: Scot Secure 2016
Page 27: Scot Secure 2016

Five key cyber crime threats

• Malware targeting businesses & individual users for fraud. APTs, RATs.

• Network intrusion ('hacking'), DDoS, XSS, spear-phishing.

• Enablers of cyber dependent crime (e.g. money laundering / digital currencies / anonymisation).

• Cybercrime 'as a service'.

• Targeted disruption of access to UK networked systems and services (e.g. DDoS / Ransomware).

Page 28: Scot Secure 2016

Old bugs come home to roost… SHELLSHOCK – HEARTBLEED – DRIDEX – CRYPTOWALL – POODLE… LOCKY

Page 29: Scot Secure 2016
Page 30: Scot Secure 2016

Virtual Currencies

Page 31: Scot Secure 2016

http://www.mcafee.com/uk/resources/white-papers/wp-cybercrime-exposed.pdf

Cybercrime-as-a-Service

Page 32: Scot Secure 2016

Cyber Resilience is thorough Preparation

Overarching Cyber Security Strategy!

Pre-planned Exercise.

Incident Management & Response Plan.

Communications Strategy.

Investigative Strategy.

Incident Manager & Team

Gold, Silver, Bronze.

Mitigation & Recovery Strategy.

Logistics - Contingency

Page 33: Scot Secure 2016
Page 34: Scot Secure 2016

Security Incident Event Management & Security Operations Centre

Page 35: Scot Secure 2016

The layered approach!

Page 36: Scot Secure 2016

Reconnaissance.

Page 37: Scot Secure 2016

The threats are evolving, so must your security tools.

Page 38: Scot Secure 2016

Reporting of Cyber Incidents

• Incident evaluation and early reporting.

• Police Scotland 101 – Incident No. & Action Fraud.

• Business continuity and impact our prime consideration.

• ICT response and mitigation. Scene preservation?

• Where possible preserve original copies of emails, attachments,

device images and logs.

• Is there a mandatory obligation to report?

• Report to Cert UK / GovCert UK .

• Report to Scottish Government if appropriate.

• Identify point of contact for law enforcement to facilitate enquiries

and evidence gathering.

• Submit attack details to CISP platform if appropriate share.cisp.org.uk

(can assist with mitigation and fix)

Page 39: Scot Secure 2016
Page 40: Scot Secure 2016

Cyber Essentials & Cyber Essential Plus

Cyber Essentials concentrates on five key controls.These are:

1. Boundary firewalls and internet gateways

2. Secure configuration

3. Access control

4. Malware protection

5. Patch management

Page 41: Scot Secure 2016
Page 42: Scot Secure 2016

Our priorities

Education & Awareness Partnerships

Develop Capacity & Capability

Detect & Prosecute Offenders

Page 43: Scot Secure 2016
Page 44: Scot Secure 2016
Page 45: Scot Secure 2016

The Future

IndustryAcademia &

Law Enforcement

National Cyber

Centre -GCHQ

?£1.9 billion UK Government

investment in Cyber by 2020

Scottish Cyber Centre

Page 46: Scot Secure 2016

Thank you for listening

Any Questions?

[email protected]

Page 47: Scot Secure 2016

#scotsecure

Sam Alderman-Miller

Darktrace

Page 48: Scot Secure 2016

Applying probabilistic mathematics and machine learning to cyber threat discovery

Sam Alderman-Miller

Account Manager

[email protected]

Page 49: Scot Secure 2016
Page 50: Scot Secure 2016
Page 51: Scot Secure 2016
Page 52: Scot Secure 2016
Page 53: Scot Secure 2016
Page 54: Scot Secure 2016

Enterprise Immune System Approach

Self-learning – Develops mathematical models of normal behavior

Understands behaviour – For every individual user, device and the enterprise as a whole

Adaptive – Constantly calculates probabilities based on evolving evidence

Real-time – Detects threats as they happen

Page 55: Scot Secure 2016

Conclusion

• Sophisticated Threat Detection

• Threat is inside and always will be

• Traditional approaches are insufficient

• Threats are constantly evolving

• Using Machine Learning for ‘Immune System’ Defence

• Does not need to know what ‘bad’ looks like in advance

• Learns normal and abnormal behaviours in real time

• Detects threats that bypass traditional security controls

• Provides complete visibility into your network

Page 56: Scot Secure 2016

Thank You

Page 57: Scot Secure 2016

#scotsecure

Colin Keltie

Standard Life

Page 58: Scot Secure 2016

#scotsecure

Questions &

Discussion

Page 59: Scot Secure 2016

#scotsecure

Breakout Details on

Back of Badge

Page 60: Scot Secure 2016

©2015 Check Point Software Technologies Ltd.

Moving from detection to prevention in the real world

Aatish Pattni

Head of Threat Prevention, Northern Europe

CHECK POINT

Page 61: Scot Secure 2016


Available Skills

END USERS

STAKEHOLDERS

YOUR NETWORK

YOUR SECURITY POSTURE

3rd Parties, Vendors

Page 62: Scot Secure 2016


COST OVER TIME: Cost of Breach

Direct loss: $162,000,000

Estimated indirect loss: >$1 Billion

The financial impact GROWS dramatically with TIME

Page 63: Scot Secure 2016


Businesses Are Not Immune

Page 64: Scot Secure 2016


NEXT GENERATION MALWARE

HIDDEN

POLYMORPHIC

SOPHISTICATED AND PROGRAMMABLE

USES MULTIPLE ENTRY POINTS

Page 65: Scot Secure 2016


NEXT GENERATION ACTORS

ADOPT CLOUD

LEVERAGE COMMUNITIES

USE AGILE PROGRAMMING

OUTSOURCE

Page 66: Scot Secure 2016


THE REST OF 2016

THEFT

DISRUPTION

SUPPLY CHAIN ATTACKS

INDUSTRIAL ESPIONAGE

NATION-STATE

NEW THREAT ACTORS

RANSOMWARE

BOTS

PHISHING

LISTENERS

Page 67: Scot Secure 2016


WE KNOW… Some Infections Will Inevitably Happen

2,122 CONFIRMED DATA BREACHES

79,790 SECURITY INCIDENTS

How Can We Efficiently Respond?

Source: Verizon: 2015 Data Breach Investigations Report

Page 68: Scot Secure 2016


How do we PREVENT unknown malware entering the network?

Page 69: Scot Secure 2016


SECURED GATEWAY OR END POINT

MINIMISE END USER DISRUPTION

Page 70: Scot Secure 2016


DAILY UPDATES FROM 150,000+ CUSTOMERS

10,000,000 Bad-Reputation Events

700,000 Malware Connections Events

30,000 Malware Files Events

Page 71: Scot Secure 2016


How do we RESPOND with the people we have?

Page 72: Scot Secure 2016


DO YOU UNDERSTAND THE ATTACK?

[Bar chart: % who don't know, for each attack attribute – Who, Attack Method, Where, When, Why, Defense Method (how to defend); values shown: 54%, 43%, 63%, 41%, 32%, 33%]

Source: Ponemon: Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations: February 2014

Page 73: Scot Secure 2016


LOOK INSIDE THE MACHINE

Record all End Point Activity

Automatically Analyse Triggers

Create Actionable Insights

Remediate

Page 74: Scot Secure 2016


Summary

Detail

How Did the Malware Get In?

Page 75: Scot Secure 2016


Investigation Trigger – Identify the process that accessed the C&C server

Identify Attack Origin – Chrome exploited while browsing

Dropped Malware – Dropper downloads and installs malware

Exploit Code – Dropper process launched by Chrome

Activate Malware – Scheduled task launches after boot

Attack traced even across system boots

Page 76: Scot Secure 2016


UNDERSTAND THE INCIDENT

Is There an Infection?

Malicious Activities

Drill-Down Detail

Severity

Page 77: Scot Secure 2016


FROM UNDERSTANDING TO ACTION

Generate Remediation Script

How Should You Respond? How Can You Clean it?

Page 78: Scot Secure 2016


Incident Understanding

Visibility

Immediate Content Delivery

Prevention

TO DEAL WITH UNKNOWN THREATS

Page 79: Scot Secure 2016


Unprecedented protection against targeted attacks & unknown malware

Sandboxing – Evasion-resistant malware protection

Extraction – Immediate delivery of cleaned content

Forensics – Automated analysis & remediation

Page 80: Scot Secure 2016


Aatish Pattni | Head of Threat Prevention, Northern Europe

THANK YOU

[email protected]

uk.linkedin.com/in/aatishpattni

@TishPattni

Page 81: Scot Secure 2016

Protecting your business, brand, and customer experience from modern malware

Martin Budd

Security Sales Manager - UKISSA

Page 82: Scot Secure 2016

© F5 Networks, Inc

Application evolution vs business challenges

Web based

Mobile Cloud API

Agile code development

Skills shortage

Advanced threats

Risk now stopping innovation

Page 83: Scot Secure 2016


Why is the risk from malware and fraud increasing ??

Page 84: Scot Secure 2016


Browser is the Weakest Link

End point risks to “Data In Use”

HTTP/HTTPS

Secured

Data center

WAF

HIPS

Traffic Management

NIPS

DLP

Network firewall

SIEM

Leveraging browser application behavior:

• Caching content, disk cookies, history

• Add-ons, Plug-ins

Manipulating user actions:

• Social engineering

• Weak browser settings

• Malicious data theft

• Inadvertent data loss

Embedding malware:

• Keyloggers

• Framegrabbers

• Data miners

• MITB / MITM

• Phishers / Pharmers

Hmmmm… Customer Browser

Page 85: Scot Secure 2016


HaaS

Page 86: Scot Secure 2016


Is the Security Perimeter Dead?

application

endpoint

Page 87: Scot Secure 2016


The Application Perimeter/Protection

Network Threats: 10% of attacks are focused here; 75% of security investment

Application Threats: 90% of attacks are focused here; 25% of security investment

Page 88: Scot Secure 2016


Endpoint Perimeter/Protection

Traditional enterprise perimeter: Protection >90% (MDM, AV, Proxy, Sandbox)

Customer protection: Protection <10%

Page 89: Scot Secure 2016


Old rope for new money!

Malware Infection

Credential Acquisition

Transaction Manipulation

Page 90: Scot Secure 2016


Man In The Browser – Credential/Information

Mobile Malware – Transaction/Credential

Form Grabbing & Keyloggers – Credential/Information

Man In The Middle – Transaction

RAT and Back Connect – Transaction

Modern malware using new techniques to achieve age old objectives

A problem for banks and enterprises alike

Page 91: Scot Secure 2016


Traditional malware detection

• Focused on enterprise boundary and employees

• Based on signature detection

• Focused on identifying cause, not effect

• Reactive not pro-active

• Sandboxes etc – patient zero

• Analyzes browser for traces of common malware (e.g., Zeus, Citadel, Carberp, Hesperbot, Dyre, …)

Page 92: Scot Secure 2016

61% of breaches are caused by stolen credentials

Page 93: Scot Secure 2016


How Phishing Works

1. The attacker accesses the real web page.

2. The attacker saves a copy of the web pages to their own web server.

3. The attacker sends a phishing request to many victims.

4. The victim visits what they think is a legitimate site but is actually the phishing site.

5. The victim provides confidential data directly to the hacker (the Drop Zone).

So how can we protect ourselves?

Page 94: Scot Secure 2016


Web injection

So how can we protect ourselves?

Page 95: Scot Secure 2016


Credential / Form Grabbing

1. The victim is infected with malware.

2. The victim makes a secure connection to a web site. This triggers the malware to run.

3. The victim enters data into the web form. This content can be stolen by the malware.

4. The victim submits the web form. The information is encrypted and sent to the web server.

5. The information is also sent to the drop zone in clear text.

So how can we protect ourselves?

Page 96: Scot Secure 2016


Automatic Transaction Detection – MITM

• Uniquely analyzes user interaction with the browser

• Detects automatic transactions

• Ensures integrity of transaction data

• Triggers alerts upon detecting non-human behavior

• Gathers client details related to the transaction

• Runs a series of checks to identify suspicious activity

• Assigns a risk score to the transaction

• Sends an alert based on the score

Page 97: Scot Secure 2016


What do businesses need?

Protect Online User – Clientless solution, enabling 100% coverage

On All Devices – Desktop, tablets & mobile devices

Full Transparency – No software or user involvement required

Prevent Malware attacks and Fraud – Targeted malware, MITB, zero-days, MITM, phishing, automated transactions…

In Real Time – Alerts and customizable rules

Page 98: Scot Secure 2016


F5’s Comprehensive Approach

Malware Detection

Advanced Phishing Detection

Application Layer Encryption

Automatic Transaction Detection

Page 99: Scot Secure 2016


APPLICATION ACCESS

Enterprise Mobility Gateway

Access Federation

Remote Access

App Access Management

Secure Web Gateway

Application Protection Capabilities

Protecting your applications regardless of where they live

Securing access from any user on any device

Strongest set of application security controls that reduce risk

APPLICATION PROTECTION

IP Intelligence

Web Fraud Protection

Hybrid WAF

SSL Inspection

DDoS Protection

DNS Security

Network Firewall

Page 100: Scot Secure 2016


Application evolution vs business challenges

Web based

Mobile Cloud API

Enable Agile code development

Reduce skills required

Increase protection against Advanced threats

Enable innovation

Page 101: Scot Secure 2016
Page 102: Scot Secure 2016

Gardening Leave

Will it help to weed out the bad guys?

Page 103: Scot Secure 2016

Background

Matt Little

CTO, ZoneFox

Page 104: Scot Secure 2016

Who are ZoneFox?

• Cyber Security focussed on directly monitoring and protecting your data

• Customers in Software Gaming, Asset Management, Hi-Tech Manufacturing and Online Gambling…

Page 105: Scot Secure 2016

Our Customers

Page 106: Scot Secure 2016

Leavers and the Problem with Gardening Leave

Page 107: Scot Secure 2016

"Did I mention that I am leaving next week?"

"I've just been offered a job with our biggest competitor"

"I'm really annoyed that I didn't get that promotion"

Your top-performing team…

Page 108: Scot Secure 2016

Sssshhhhh – Don’t tell anybody but I have this embarrassing problem

• Vormetric Insider Threat Report –

• Only 11% of respondents felt that their organization was not vulnerable to insider attacks

• Globally, 89% of respondents felt that their organization was now more at risk from an insider attack

• 34% felt very or extremely vulnerable.

Page 109: Scot Secure 2016

What and where are people stealing data

• Top theft locations

• Databases (49%)

• File Servers (39%)

• Top data stolen

• Customer Lists

• Contracts

• Sensitive commercial data

• R&D

Page 110: Scot Secure 2016

Leavers – this is hypothetical, right?

• Leavers are insiders and therefore you have an insider threat challenge

• Mostly existing security is “Outward-looking”

• Has it worked?

Page 111: Scot Secure 2016

The Cost of a Breach

• Cost of a breach comes from two things:

- Time taken to discover it

- Cost of investigating and remediating

• Verizon Data Breach Report 2015 – “growing ‘detection deficit’ between attackers and defenders.”

• This ‘detection deficit’ means that a typical breach will take ~200 days to discover

• If you discovered that, how much effort would have to be spent investigating?

Page 112: Scot Secure 2016

But Breaches are a US thing…

90% of large organisations breached (up from 81%)

74% of smaller organisations (up from 60%)

Page 113: Scot Secure 2016

Cost of a breach

£1.46M – £3.14M large organisation (was £600k – £1.15M)

£75k – £311k smaller organisation (was £65k – £115k)

Page 114: Scot Secure 2016

Staff related security breaches

(source PWC/BIS’ 2015 Information Security Breaches Survey)

75% large organisations

31% smaller organisations

Page 115: Scot Secure 2016

But I have a load of defences…

External Protection

Who? When? Why didn't I know at the time?

My Organisation

Page 116: Scot Secure 2016

Why Gardening Leave (and what is it?)

• “an employee's suspension from work …typically to prevent them from …accessing confidential information.”

• Use it to protect from ‘poaching’ of customers, etc

Page 117: Scot Secure 2016

Does it protect your data?

Page 118: Scot Secure 2016

The Financial Costs of Insider Data Theft

£30,000 – Research from the legal firm EMW indicated that small businesses typically incur this cost for legal work in an insider theft (2012 research)

? The value of the data stolen

The number of High Court cases relating to the theft of confidential information by insiders (employees) increased by 250% between 2010 and 2012.

Page 119: Scot Secure 2016

A real-life example from ZoneFox

Page 120: Scot Secure 2016
Page 121: Scot Secure 2016

What did they try to steal

• 182,000 Files:

• Results of confidential product testing

• CAD designs for prototypes and new products

• Bills of Materials for new designs

• Printed Circuit board designs

• Contracts and agreements with research and manufacturing partners.

• The value? £10 million

Page 122: Scot Secure 2016

What went wrong?

• Technical controls and HR Processes broke down

• Lack of visibility of the endpoint

• Leaving processes (including gardening leave) were too late

• Stolen data was collected in advance of submitting resignation.

Page 123: Scot Secure 2016

What are the alternatives?

External Protection

My Organisation

Page 124: Scot Secure 2016

Incident Response for a leaver

• Global company

• Unusual behaviour – times, locations, volumes, etc

• Theft followed by taking laptop home

• Senior Legal.

• Incident response ~4 hours

How long would it take you?

Page 125: Scot Secure 2016

Key takeaways

- Compromise is highly likely

- People steal data before they resign

- Protect your inside too - the threat is as likely (if not more likely) to come from inside your organisation.

- Focus on reducing cost by detecting threats sooner and responding quickly

Page 126: Scot Secure 2016

#scotsecure

Welcome Back

Page 127: Scot Secure 2016

#scotsecure

Per Johansson

European Parliament

Page 128: Scot Secure 2016

The New European Framework for Data Protection

- state of play?

Per Johansson

Edinburgh, 21 April 2016

Page 129: Scot Secure 2016

Who am I?

– Swedish lawyer

– Industry consultant

– European Data Protection Supervisor (EDPS)

– European Parliament - Scotland

Page 130: Scot Secure 2016

The European Parliament in the Member States

The European Parliament operates an ‘Information Office’ in the national capitals of all 28 EU Member States.

Since 1999, it has also operated a smaller 'branch' office in the larger Member States, opening offices in Barcelona, Edinburgh, Marseilles, Milan, Munich & Wrocław (2011).

Page 131: Scot Secure 2016

The European Parliament Office in Scotland aims to increase awareness of the

Parliament and the impact of its activities in Scotland, as well as highlighting the work

of the six Scottish Members of the European Parliament (MEPs).

Page 132: Scot Secure 2016

General remarks

Reasons for reform

• Technological change

• Legal certainty

• Harmonisation in the internal market

• Need for change in the area of police and judicial cooperation

• Global dimension

→ Regulation for general principles; Directive for law enforcement

Page 133: Scot Secure 2016

The EU DP reform:

• Enhances harmonisation of data protection

• Reinforces position and rights of data subject

• Strengthens responsibility of data controller

• Strengthens supervision and enforcement

General remarks

Page 134: Scot Secure 2016

The legislative procedure

• The “Ordinary” legislative procedure

– Commission proposals – January 2012

– Joint legislative responsibility between European Parliament and Council of Ministers

– “Readings”

– Negotiations between three institutions

= Changes all the way

Page 135: Scot Secure 2016

Where are we now?

• Council (final) agreement October 2015

• Plenary vote EP 14 April 2016 = LAW

• Entry into force 20 days after publication in the EU Official Journal

• Regulation – MS law 2 years after entry into force.

• Directive – 2 year period of implementation deadline for MS

• Directive only applicable to those measures where the UK has opted in.

Page 136: Scot Secure 2016

Scope

Territorial scope:

- An establishment of a controller or processor within EU, regardless of where the processing takes place

- ‘Offering of goods and services to’ or ‘monitoring behaviour of’ data subjects in the EU

Page 137: Scot Secure 2016

Data controllers/processors

Security of processing (32): Implementation of appropriate tech and org measures such as...

– Pseudonymisation and encryption

– Systems functionality, restoration and regular testing

– Assessment of the security level / Risks

Page 138: Scot Secure 2016

Data controllers/processors

Designation of data protection officers (37 onwards)

Where:

- Public authority or body

- Core activity = regular and systematic monitoring of data subjects

- Large scale processing of special categories of data

Tasks:

- Inform and advise

- Monitor the implementation

- Contact point

Page 139: Scot Secure 2016

Data controllers/processors

Notification of data breaches (33)

Controller notification to the supervisory authority within 72 hours

Processor shall notify controller

Data protection Impact assessment (35)

New tech, high risk to rights and freedoms to natural persons

Page 140: Scot Secure 2016

Data controllers/processors

Strengthen responsibilities of the controller

→ Accountability (24 onwards):

- “measures to ensure and demonstrate compliance with the Regulation”

- Where proportionate “implementation of appropriate data protection policies”

Page 141: Scot Secure 2016

Data controllers/processors

Information and communication

- Concise, transparent, intelligible, easily accessible, clear and plain language (12)

- Procedures and mechanisms (12)

- Content of the information (13, 14)

Page 142: Scot Secure 2016

Data controllers/processors

Data protection by design and by default (25)

Documentation – Records in writing (electronic form)(30)

Processors – Records of processing activities (30)

Page 143: Scot Secure 2016

Supervision and Enforcement

– One stop shop – ‘main establishment’ (4(16), 56)

– Consistency mechanism (63 onwards)

• Cooperation between authorities and COM

– European Data Protection Board (68)

– Sanctions (83)

• Up to € 20M or 4% of annual worldwide turnover

Page 144: Scot Secure 2016

Data subjects

Definition of consent (7)

- Controller burden of proof - demonstrate

- Distinguishable – in plain language

- Withdrawal

Page 145: Scot Secure 2016

Data subjects

“Right to be forgotten” (17)

– Erasure without undue delay

– Reasonable steps to inform other controllers

» Available tech and cost of implementation

Page 146: Scot Secure 2016

Data subjects

Profiling (22) Only if:

- Performance of a contract + safeguards

- Union or Member State law

- Explicit consent of the data subject + safeguards

And: not based solely on special categories of data

Page 147: Scot Secure 2016

Thank you for your attention

[email protected]

EDPS website on DP reform: http://www.edps.europa.eu/EDPSWEB/edps/cache/off/Consultation/Reform_package

Page 148: Scot Secure 2016

#scotsecure

Wendy Goucher

Goucher Consulting

Page 149: Scot Secure 2016

© Goucher Consulting Ltd, 2016

You get what you Give

Cyber Security Communication reconsidered

Wendy Goucher

Information Security Specialist

Page 150: Scot Secure 2016


Staff are your

“Human Firewall”


Page 151: Scot Secure 2016


Fighting ‘Cyber’

Page 152: Scot Secure 2016


• Clear, operationally effective policies, procedures and controls.

• Good communication of the policies, procedures and controls.

• A darn good reason why they should follow them.


Secure operations come from:

Page 153: Scot Secure 2016


Wendy’s Wheels

Driver Induction Training

Policies, Procedures & Controls

Page 154: Scot Secure 2016


Page 155: Scot Secure 2016


Motivation

Page 156: Scot Secure 2016


Your staff care

Page 157: Scot Secure 2016


People care about their own security. They won’t automatically care about yours if you don’t seem to. Think about the security message you are really sending.

Page 158: Scot Secure 2016


Thank you

Wendy Goucher

Page 159: Scot Secure 2016

#scotsecure

Scott Barnett

Royal Bank of Scotland

Page 160: Scot Secure 2016

Scott Barnett

Cyber & Fraud

Intelligence Lead

Cyber Crystal Balls

how threat intelligence can prevent data breaches and other cyber attacks – and how you can get and apply some of this stuff

Page 161: Scot Secure 2016

what is threat intelligence?

Page 162: Scot Secure 2016

what is intelligence?

information + analysis + inferences = a tool for decision making

• Planning – Intelligence Requirements

• Collection – of information and monitoring for triggers

• Analysis – turning information into intelligence

• Dissemination – delivering to the right people at the right time

• Feedback – re-evaluating requirements, taking stock

Our mission: to provide forewarning of security threats to RBS to minimise harm to our customers, staff, and business

Page 163: Scot Secure 2016

what is a threat?

"harmful outcomes resulting from an entity's actions in pursuit of its goals" – Source: CBEST framework

Intent + Capability = INHERENT THREAT: harmful agents' intentions + tools, tactics and procedures (TTPs)

+ Exposure + Vulnerability = RESIDUAL THREAT: how exposed your business is to these actions + any vulnerability that makes harmful outcomes more likely

Page 164: Scot Secure 2016

what can threat intelligence do for you?

• Forecast – Provide a forecast of the bank's strategic threat landscape

• Link – Join the dots between strategic and operational threats

• Context – Contextualise big ticket events in terms of what they mean for RBS – so what?

• Identify – Identify new and emerging threats and attack techniques

• Collect – Collect external information and fuse it with internal sources

• Deliver – Proportionate, timely, actionable intelligence

Page 165: Scot Secure 2016

kill chains and attacker mindsets


Page 166: Scot Secure 2016


Page 167: Scot Secure 2016

DDoS kill chain:

construct threat – botnet / tool

delivery – target

infection – vulnerabilities

manipulation – bandwidth

impact – loss of service

Page 168: Scot Secure 2016


2006

Page 169: Scot Secure 2016


Page 170: Scot Secure 2016


Page 171: Scot Secure 2016


Page 172: Scot Secure 2016


2010

Page 173: Scot Secure 2016


Page 174: Scot Secure 2016


Page 175: Scot Secure 2016


2016

Page 176: Scot Secure 2016


Page 177: Scot Secure 2016


Page 178: Scot Secure 2016


Page 179: Scot Secure 2016


Page 180: Scot Secure 2016


Page 181: Scot Secure 2016

how can threat intelligence help?

Page 182: Scot Secure 2016

DDoS kill chain:

construct threat – botnet / tool

delivery – target

infection – vulnerabilities

manipulation – bandwidth

impact – loss of service

Page 183: Scot Secure 2016

DDoS kill chain, with what threat intelligence adds at each stage:

construct threat – botnet / tool – early warning

delivery – target – attack scripts

infection – vulnerabilities – rulesets

manipulation – bandwidth – other techniques

impact – loss of service – recovery advice

Page 184: Scot Secure 2016

construct threat – early warning

delivery – threat indicators

infection – technical mitigants

manipulation – situational awareness

impact – shared experience

Page 185: Scot Secure 2016


Page 186: Scot Secure 2016


Page 187: Scot Secure 2016


Page 188: Scot Secure 2016


Page 189: Scot Secure 2016


Page 190: Scot Secure 2016


Page 191: Scot Secure 2016

Scott Barnett

[email protected]

Page 192: Scot Secure 2016

#scotsecure

Questions &

Discussion

Page 193: Scot Secure 2016

www.mobile-scotland.com

2nd Annual Mobile Scotland

26th May Edinburgh

Page 194: Scot Secure 2016

www.scot-cloud.com

3rd Annual Scot-Cloud

21st June Edinburgh

Page 195: Scot Secure 2016

Drinks &

Networking Upstairs

Hosted By

Page 196: Scot Secure 2016

SCOT-SECURE 2016

MICHAEL JACK & KYLE BOWES

Page 197: Scot Secure 2016

$ WHOAMI

MIKEY & KYLE

▸ 2nd BSc Ethical Hacking @ Abertay University, Dundee

▸ Work for Scottish Business Resilience Centre (SBRC)

▸ OSINT, Footprinting, Outreach

▸ Mikey: Cryptography, Defence, Counter-terrorism

▸ Kyle: OSINT, Footprinting, Counter-terrorism

Page 198: Scot Secure 2016

THE ORDER, UNLESS WE GET SIDETRACKED

WHAT’S ALL THIS THEN?

1. Staying Updated

2. Data Protection, Encryption & Backups

3. Passwords

4. Phishing Emails & Malicious Websites

5. Social Media

Page 199: Scot Secure 2016

SECURITY IS A PROCESS, NOT A PRODUCT.

Bruce Schneier, April 2000

THREAT MODEL 101

Page 200: Scot Secure 2016

HACKERS ARE LAZY

Johnny Appleseed

THREAT MODEL 101

Page 201: Scot Secure 2016

"I DON'T NEED TO RUN FASTER THAN THE BEAR: I ONLY NEED TO RUN FASTER THAN YOU."

Johnny Appleseed

THREAT MODEL 101

Page 202: Scot Secure 2016

UPDATE NOW

A CRITICAL PAIN IN THE ASS

Page 203: Scot Secure 2016

DON’T BE AN EASY TARGET

UPDATES MATTER

▸ Will protect you against a lot of threats

▸ low effort > high reward

▸ Windows 10, 8.1, 8, 7 get security updates

▸ Windows XP doesn’t get any updates

▸ OS X 10.11 (El Capitan), 10.10 (Yosemite), 10.9 (Mavericks) get security updates

Page 204: Scot Secure 2016

WINDOWS 7: WINDOWS UPDATE - TURN IT ON!

Page 205: Scot Secure 2016

WINDOWS 7: WINDOWS UPDATE - ENABLE AUTOMATIC UPDATES

Page 206: Scot Secure 2016

OS X 10.11 (EL CAPITAN) - SYSTEM PREFERENCES > APP STORE

Page 207: Scot Secure 2016

BACKUP THE DATA!

BACKUPS ALL THE WAY DOWN

Page 208: Scot Secure 2016

BACKUP THE BACKUPS

BACKUPS WILL SAVE YOUR BUSINESS

▸ Will save you time & money

▸ Onsite & Offsite backup

▸ Daily, Weekly, Monthly

▸ Easy to restore in event of a disaster

Page 209: Scot Secure 2016

STORAGE IS CHEAP

Page 210: Scot Secure 2016

WINDOWS 7: BACKUP & RESTORE - SET UP BACKUP

Page 211: Scot Secure 2016

OS X 10.11 (EL CAPITAN) - TIME MACHINE

Page 212: Scot Secure 2016

ENCRYPTION

Page 213: Scot Secure 2016
Page 214: Scot Secure 2016

https://youtu.be/XfFjde0UPbY

Page 215: Scot Secure 2016

SOMETHING YOU KNOW, A PASSWORD FOR EXAMPLE

Page 216: Scot Secure 2016

SOMETHING YOU KNOW, A PASSWORD FOR EXAMPLE

Page 217: Scot Secure 2016

PASSWORD-PROTECT-DOCUMENTS-WORKBOOKS-AND-PRESENTATIONS

WHAT TO ENCRYPT

▸ Encrypt everything if you can: Full Disk Encryption

▸ Windows: BitLocker Drive Encryption

▸ Mac: FileVault

▸ Customer personal and payment information

▸ Microsoft Office Button > Prepare > Encrypt Document

▸ Smart Phones & Tablets

▸ iOS > Settings > Touch ID & Passcode > Erase Data

▸ Android > Settings > Security > Encryption > Encrypt

Page 218: Scot Secure 2016

PASSWORDS

SIZE MATTERS!

Page 219: Scot Secure 2016

STATISTICAL ANALYSIS (LINKEDIN 160K & ROCK YOU 14M)

Page 220: Scot Secure 2016

STATISTICAL ANALYSIS (LINKEDIN 160K & ROCK YOU 14M)

Page 221: Scot Secure 2016

THE WORST PASSWORDS

• qwerty

• 696969

• mustang

• letmein

• baseball

• michael

• football

• 123456

• password

• 12345678

• 1234

• master

• 12345

• dragon

Page 222: Scot Secure 2016

TRIES ALL COMBINATIONS FROM A GIVEN KEYSPACE. IT IS THE EASIEST OF ALL THE ATTACKS.

http://hashcat.net/wiki/doku.php?id=brute_force_attack

BRUTE FORCE

Page 223: Scot Secure 2016

MASK ATTACK

JULIA1984

‣ (26 + 26 + 10)^9 = 62^9 ≈ 13 × 10^15 = 13 Quadrillion @ 100M/s

http://hashcat.net/wiki/doku.php?id=mask_attack

Page 224: Scot Secure 2016

MASK ATTACK

JULIA1984

‣ (26 + 26 + 10)^9 = 62^9 ≈ 13 × 10^15 = 13 Quadrillion @ 100M/s

‣ The above password matches a simple but common pattern: a name with a year appended to it.

‣ We can also configure the attack to try upper-case letters only in the first position.

http://hashcat.net/wiki/doku.php?id=mask_attack

Page 225: Scot Secure 2016

MASK ATTACK

JULIA1984

‣ (26 + 26 + 10)^9 = 62^9 ≈ 13 × 10^15 = 13 Quadrillion @ 100M/s

‣ The above password matches a simple but common pattern: a name with a year appended to it.

‣ We can also configure the attack to try upper-case letters only in the first position.

‣ Down to 370 Billion combinations @ 100M/s

http://hashcat.net/wiki/doku.php?id=mask_attack

Page 226: Scot Secure 2016

https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

PASSPHRASES

▸ Never give them away!

▸ Your trick isn't clever

▸ Space bar is your friend

▸ Length > complexity

▸ Tell a story
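To put numbers behind the mask-attack slides and the "Length > complexity" point above, here is an added Python example (not the speakers' code, and not part of hashcat) that computes how many candidates a hashcat-style mask, a full alphabet of a given size, or a random-word passphrase describes, and converts each to the worst-case time to exhaust it at the slide's 100M/s rate. The character-class sizes, the 7,776-word Diceware list size, and the reading of the "name plus year" pattern as the mask ?u?l?l?l?l?d?d?d?d are assumptions (the slide does not show its exact mask, so this count differs from its 370 billion figure).

```python
"""Keyspace arithmetic for password-policy evaluation (added example, not from the talk)."""
import re

# Character-class sizes for hashcat-style mask tokens (assumed values: ?s counts
# the 33 printable ASCII symbols including space, ?a all 95 printable ASCII).
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}
MASK_TOKEN = re.compile(r"\?[ludsa]")


def mask_keyspace(mask: str) -> int:
    """Candidates described by a mask such as '?u?l?l?l?l?d?d?d?d'."""
    tokens = MASK_TOKEN.findall(mask)
    # Reject empty masks and anything that is not purely a run of known tokens.
    if not tokens or "".join(tokens) != mask:
        raise ValueError(f"unsupported mask: {mask!r}")
    total = 1
    for token in tokens:
        total *= CHARSET_SIZES[token]
    return total


def alphabet_keyspace(alphabet_size: int, length: int) -> int:
    """Candidates for an unstructured password: every position drawn from the full alphabet."""
    return alphabet_size ** length


def passphrase_keyspace(words: int, wordlist_size: int = 7776) -> int:
    """Candidates for a passphrase of random words (7776 = Diceware list size, an assumption)."""
    return wordlist_size ** words


def days_to_exhaust(keyspace: int, guesses_per_second: int = 100_000_000) -> float:
    """Worst-case days needed to try every candidate at the slide's 100M/s figure."""
    return keyspace / guesses_per_second / 86_400


def compare(rate: int = 100_000_000) -> dict:
    """Keyspace and exhaust time for the three policies discussed on the slides."""
    cases = {
        "9 chars, upper/lower/digit (62^9)": alphabet_keyspace(62, 9),
        "Name+year pattern ?u?l?l?l?l?d?d?d?d": mask_keyspace("?u?l?l?l?l?d?d?d?d"),
        "5 random Diceware words": passphrase_keyspace(5),
    }
    return {label: (space, days_to_exhaust(space, rate)) for label, space in cases.items()}


if __name__ == "__main__":
    for label, (space, days) in compare().items():
        print(f"{label}: {space:.3e} candidates, ~{days:,.1f} days at 100M/s")
```

The full 62^9 space takes about 4.3 years at 100M/s, the patterned mask under 20 minutes, and five random words roughly 9,000 years, which is the whole argument for long passphrases over clever character substitutions.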

Page 227: Scot Secure 2016

REDUCE THE NUMBER OF PASSWORDS YOU NEED TO KNOW

PASSWORD MANAGERS

▸ LastPass (all platforms) (cloud based)

▸ 1Password (all platforms, best on Apple) (Dropbox sync)

▸ Demo!

Page 228: Scot Secure 2016

REDUCE THE NUMBER OF PASSWORDS YOU NEED TO KNOW

PASSWORD MANAGERS

▸ LastPass (all platforms) (cloud based)

▸ 1Password (all platforms, best on Apple) (Dropbox sync)

▸ Demo!

▸ Auto-fill in the browser: Chrome, Firefox, Safari

▸ Generate unique long passwords for each site

Page 229: Scot Secure 2016

IF YOU DO ANYTHING, PLEASE DO THIS!

TWO FACTOR AUTHENTICATION (2FA)

▸ twofactorauth.org

▸ Google Authenticator

▸ Authy

▸ YubiKeys

Page 230: Scot Secure 2016

PHISHING EMAILS

DON’T CLICK THAT LINK

Page 231: Scot Secure 2016

[Screenshots] OS X Mail; a legitimate email in Gmail; a spam email in Gmail

Page 232: Scot Secure 2016

MALICIOUS WEBSITES

WATERING HOLE

Page 233: Scot Secure 2016

THIS IS NOT THE WEBSITE YOU ARE LOOKING FOR

Page 234: Scot Secure 2016

SCOT-SECURE

REAL OR FAKE

▸ Padlock

▸ URL

▸ How did you get there?

▸ Apply common sense

▸ Browser extensions

▸ HTTPS Everywhere

▸ uBlock Origin

[Screenshots] Address bar padlock indicators in Safari, Chrome, Chrome and Firefox

Page 235: Scot Secure 2016

https://youtu.be/XfFjde0UPbY

Page 236: Scot Secure 2016

SOCIAL MEDIA

FACEBOOK, TWITTER, LINKEDIN & INSTAGRAM

Page 237: Scot Secure 2016
Page 238: Scot Secure 2016

Page 239: Scot Secure 2016

PASS THESE ON

THINK ABOUT THESE THINGS, PLEASE?

▸ Update, backup and encrypt your devices

▸ Encrypt the most critical sensitive information

▸ If you can, encrypt it all: Full Disk Encryption

▸ Long passwords, don't worry about complexity

▸ Get a password manager (LastPass & 1Password)

▸ Use Google Chrome, if you can

▸ Think about how you got to the site, did you expect the email?

Page 240: Scot Secure 2016

LAST CHANCE

THE LINKS

▸ Chrome security usability: youtu.be/XfFjde0UPbY

▸ Very strong passwords: theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/

▸ Which sites use Two Factor Auth: twofactorauth.org