#scotsecure
Welcome to
#scotsecure
Mark Stephen
BBC Scotland
www.mobile-scotland.com
2nd Annual Mobile Scotland
26th May Edinburgh
www.scot-cloud.com
3rd Annual Scot-Cloud
21st June Edinburgh
#scotsecure
DI Eamonn Keane
Police Scotland
Investigating Cybercrime in the UK
Be the Hunter!!
Cybercrime / DI Eamonn Keane
Specialist Crime Division
Agenda
Scottish, UK & Global Perspective
The current threat landscape
Incident Planning & Response
Prevention
Scotland's future
Signposting
Key questions that all CEOs and CISOs should be asking this week:
• "Are we vulnerable to SQL injection, ransomware or DDoS based attacks?"
• "What assurance activity have we done to confirm that we are not vulnerable?"
• "If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?"
• "What assurance activity have we done to confirm this position?"
• "What is our company posture on security?"
Cybercrime Cost
Cyber Regional Organised Crime Units
Cybercrime is impacting on the police response across the full crime spectrum:
• Stalking
• Bullying
• Cyber Fraud
• SOCG
• Sexual Offenders
• Indecent images of children
• Cyber dependent crimes e.g. hacking, malware, DDoS
• Anti-social behaviour
• Cyber Terrorism
SOC
CYBER ATTACKS
• International highly skilled cyber-criminals, often working together
• Responsible for 262,000 UK infections and losses > £500m
• Distributed Denial of Service (DDoS) – BBC, HSBC
• Ransomware (Police Scotland, SPA)
• Data Theft and extortion (TalkTalk, Ashley Madison)
VOLUME CYBERCRIME
• 2.5 million cybercrimes in the UK annually
• Economic Crime
• Extortion
• Offences against children (CSE)
1980’s Policing
"I can do more damage on my laptop in my pyjamas, before my first cup of Earl Grey, than you can do in a year in the field."
Q - Skyfall
Cyber Attacks are on the rise
Ransomware - Glasgow Hairdressers
ORGANISED CRIME
Five key cyber crime threats
• Malware targeting businesses & individual users for fraud: APTs, RATs.
• Network intrusion ('hacking'): DDoS, XSS, spear-phishing.
• Enablers of cyber dependent crime (e.g. money laundering / digital currencies / anonymisation).
• Cybercrime 'as a service'.
• Targeted disruption of access to UK networked systems and services (e.g. DDoS / Ransomware).
Old bugs come home to roost… SHELLSHOCK – HEARTBLEED – DRIDEX – CRYPTOWALL – POODLE… LOCKY
Virtual Currencies
http://www.mcafee.com/uk/resources/white-papers/wp-cybercrime-exposed.pdf
Cybercrime-as-a-Service
Cyber Resilience is thorough Preparation
Overarching Cyber Security Strategy!
Pre-planned Exercise.
Incident Management & Response Plan.
Communications Strategy.
Investigative Strategy.
Incident Manager & Team
Gold, Silver, Bronze.
Mitigation & Recovery Strategy.
Logistics - Contingency
Security Incident Event Management & Security Operations Centre
The layered approach!
Reconnaissance.
The threats are evolving, so must your security tools.
Reporting of Cyber Incidents
• Incident evaluation and early reporting.
• Police Scotland 101 – Incident No. & Action Fraud.
• Business continuity and impact our prime consideration.
• ICT response and mitigation. Scene preservation?
• Where possible preserve original copies of emails, attachments, device images and logs.
• Is there a mandatory obligation to report?
• Report to Cert UK / GovCert UK.
• Report to Scottish Government if appropriate.
• Identify point of contact for law enforcement to facilitate enquiries and evidence gathering.
• Submit attack details to CISP platform if appropriate: share.cisp.org.uk (can assist with mitigation and fix)
Cyber Essentials & Cyber Essential Plus
Cyber Essentials concentrates on five key controls. These are:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
Our priorities
Education & Awareness Partnerships
Develop Capacity & Capability
Detect & Prosecute Offenders
The Future
Industry, Academia & Law Enforcement
National Cyber Centre - GCHQ
£1.9 billion UK Government investment in Cyber by 2020
Scottish Cyber Centre
#scotsecure
Sam Alderman-Miller
Darktrace
Applying probabilistic mathematics and machine learning to cyber threat discovery
Sam Alderman-Miller
Account Manager
Enterprise Immune System Approach
Self-learning: Develops mathematical models of normal behavior
Understands behaviour: For every individual user, device and the enterprise as a whole
Adaptive: Constantly calculates probabilities based on evolving evidence
Real-time: Detects threats as they happen
Conclusion
• Sophisticated Threat Detection
• Threat is inside and always will be
• Traditional approaches are insufficient
• Threats are constantly evolving
• Using Machine Learning for ‘Immune System’ Defence
• Does not need to know what ‘bad’ looks like in advance
• Learns normal and abnormal behaviours in real time
• Detects threats that bypass traditional security controls
• Provides complete visibility into your network
Thank You
#scotsecure
Colin Keltie
Standard Life
#scotsecure
Questions &
Discussion
#scotsecure
Breakout Details on
Back of Badge
©2015 Check Point Software Technologies Ltd.
Moving from detection to prevention in the real world
Aatish Pattni, Head of Threat Prevention, Northern Europe
CHECK POINT
Available Skills
END USERS
STAKEHOLDERS
YOUR NETWORK
YOUR SECURITY POSTURE
3rd
Parties Vendors
COST OVER TIME: Cost of Breach
Direct loss: $162,000,000
Estimated indirect loss: >$1 Billion
The financial impact GROWS dramatically with TIME
Businesses Are Not Immune
NEXT GENERATION MALWARE
HIDDEN
POLYMORPHIC
SOPHISTICATED AND PROGRAMMABLE
USES MULTIPLE ENTRY POINTS
NEXT GENERATION ACTORS
ADOPT CLOUD
LEVERAGE COMMUNITIES
USE AGILE PROGRAMMING
OUTSOURCE
THE REST OF 2016
THEFT
DISRUPTION
SUPPLY CHAIN ATTACKS
INDUSTRIAL ESPIONAGE
NATION-STATE
NEW THREAT ACTORS
RANSOMWARE
BOTS
PHISHING
LISTENERS
WE KNOW… Some Infections Will Inevitably Happen
2,122 CONFIRMED DATA BREACHES
79,790 SECURITY INCIDENTS
How Can We Efficiently Respond?
Source: Verizon: 2015 Data Breach
Investigations Report
How do we
PREVENT unknown
malware entering
the network?
SECURED GATEWAY OR END POINT
MINIMISE END USER DISRUPTION
DAILY UPDATES FROM 150,000+ CUSTOMERS
10,000,000 Bad-Reputation Events
700,000 Malware Connections Events
30,000 Malware Files Events
How do we
RESPOND with the
people we have?
DO YOU UNDERSTAND THE ATTACK?
(Chart: % who don't know how to defend, across the categories Who, Attack Method, Where, When, Why, Defense Method; values shown: 54%, 43%, 63%, 41%, 32%, 33%)
Source: Ponemon: Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations: February 2014
LOOK INSIDE THE MACHINE
Automatically Analyse Triggers
Create Actionable Insights
Remediate
Record all End Point Activity
Summary
Detail
How Did the Malware Get In?
Investigation Trigger
Identify the process that accessed the
C&C server
Identify Attack Origin
Chrome exploited while browsing
Dropped Malware
Dropper downloads and installs malware
Exploit Code
Dropper process launched by
Chrome
Activate Malware
Scheduled task launches after
boot
Attack traced even across system
boots
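The investigation flow on these slides (a C&C connection as the trigger, the process chain walked back to the exploited browser, and the persistence hop followed across a reboot) can be reconstructed from ordinary endpoint telemetry. The Python below is an added example written for this page, not Check Point's code: the process, task and network records are constructed sample data, the PIDs, image names and the 203.0.113.10 destination (a documentation-range placeholder) are assumptions, and the lineage walk is the generic technique rather than the product's implementation.

```python
# Tracing an infection from its C&C trigger back to the exploit origin.
# Added example for this page (not Check Point's code); all records below
# are constructed sample telemetry, not real data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    boot: int                  # boot session counter: PIDs are reused after a reboot
    pid: int
    image: str
    parent: Optional[int]      # parent PID within the same boot session, if known
    persisted_by: Optional[str] = None   # persistence mechanism that launched it


# --- constructed sample records ---
PROCS = [
    Proc(1, 100, "chrome.exe", None),
    Proc(1, 200, "dropper.exe", 100),                          # launched by the exploited browser
    Proc(1, 300, "svc_update.exe", 200),                       # dropped malware; registers a task
    Proc(2, 400, "svc_update.exe", None, "task:UpdateCheck"),  # relaunched by the task after reboot
]
# persistence record: task name -> (boot, pid) of the process that created it
TASKS = {"task:UpdateCheck": (1, 300)}
# network events: (boot, pid, destination); 203.0.113.x / 198.51.100.x are documentation ranges
NET = [(2, 400, "203.0.113.10:443"), (1, 100, "198.51.100.7:443")]
CC_INDICATORS = {"203.0.113.10:443"}   # hypothetical C&C indicator

INDEX = {(p.boot, p.pid): p for p in PROCS}


def find_triggers(net=NET, indicators=CC_INDICATORS):
    """Investigation trigger: every (boot, pid) that talked to a known C&C destination."""
    return [(boot, pid) for boot, pid, dst in net if dst in indicators]


def trace_origin(boot, pid, index=INDEX, tasks=TASKS):
    """Walk parent links, and persistence records across reboots, back to the origin.

    Returns the chain of image names (with the persistence hop labelled) from the
    triggering process to the earliest ancestor on record.
    """
    chain, seen = [], set()
    key = (boot, pid)
    while key in index and key not in seen:
        seen.add(key)                      # guard against malformed cyclic records
        proc = index[key]
        chain.append(proc.image)
        if proc.parent is not None:
            key = (proc.boot, proc.parent)
        elif proc.persisted_by in tasks:
            chain.append(proc.persisted_by)   # the hop that survives the reboot
            key = tasks[proc.persisted_by]
        else:
            break
    return chain


def investigate():
    """Summarise each trigger: full chain, attack origin, and whether a reboot was crossed."""
    results = []
    for boot, pid in find_triggers():
        chain = trace_origin(boot, pid)
        results.append({
            "trigger": (boot, pid),
            "chain": chain,
            "origin": chain[-1],
            "crossed_reboot": any(c.startswith("task:") for c in chain),
        })
    return results


if __name__ == "__main__":
    for r in investigate():
        print(r)
```

The boot-session counter is what makes the cross-reboot trace work: a parent PID is only meaningful inside one session, so the persistence record (task to creating process) is the link that carries the chain from session 2 back into session 1.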
Malicious Activities
Drill-Down Detail
Severity
Is There an Infection?
UNDERSTAND THE INCIDENT
FROM UNDERSTANDING TO ACTION
Generate Remediation Script
How Should You Respond? How Can You Clean it?
Incident Understanding
Visibility
Immediate Content Delivery
Prevention
TO DEAL WITH UNKNOWN THREATS
Unprecedented protection against targeted attacks & unknown malware
Sandboxing
Evasion-resistant malware
protection
Extraction
Immediate delivery of
cleaned content
Forensics
Automated analysis &
remediation
Aatish Pattni | Head of Threat Prevention, Northern Europe
THANK YOU
uk.linkedin.com/in/aatishpattni
@TishPattni
Protecting your business, brand, and customer experience from modern malware
Martin Budd
Security Sales Manager - UKISSA
© F5 Networks, Inc 84
Application evolution vs business challenges
Web based
Mobile Cloud API
Agile code development
Skills shortage
Advanced threats
Risk now stopping
innovation
Why is the risk from malware and fraud increasing ??
Browser is the Weakest Link: End point risks to “Data In Use”
Secured data center (HTTP/HTTPS): WAF, HIPS, Traffic Management, NIPS, DLP, Network firewall, SIEM
Customer Browser (Hmmmm…):
Leveraging browser application behavior:
• Caching content, disk cookies, history
• Add-ons, Plug-ins
Manipulating user actions:
• Social engineering
• Weak browser settings
• Malicious data theft
• Inadvertent data loss
Embedding malware:
• Keyloggers
• Framegrabbers
• Data miners
• MITB / MITM
• Phishers / Pharmers
HaaS
Is the Security Perimeter Dead?
application
endpoint
The Application Perimeter/Protection
Network Threats: 10% of attacks are focused here; 75% of security investment
Application Threats: 90% of attacks are focused here; 25% of security investment
Endpoint Perimeter/Protection
Traditional enterprise perimeter: Protection >90% (MDM, AV, Proxy, Sandbox)
Customer protection: Protection <10%
Old rope for new money!
Malware Infection
Credential Acquisition
Transaction Manipulation
Man In The Browser
Credential/Information
Mobile Malware
Transaction/Credential
Form Grabbing & Keyloggers
Credential/Information
Man In The Middle
Transaction
RAT and Back Connect
Transaction
Modern malware using new techniques to achieve age old objectives
A problem for banks and enterprises alike
Traditional malware detection
• Focused on enterprise boundary and employees
• Based on signature detection
• Focused identifying cause not effect
• Reactive not pro-active
• Sandboxes etc – patient zero
• Analyzes browser for traces of common malware (i.e., Zeus, Citadel, Carberp, Hesperbot, Dyre, …)
61% of breaches are caused by stolen credentials
How Phishing Works
Drop Zone
The attacker accesses the real web page
The attacker saves a
copy of the web pages
to their own web server
The attacker sends a phishing
request to many victims
The victim visits what they
think is a legitimate site but
is actually the phishing site
The victim provides
confidential data directly
to the hacker
So how can we protect ourselves?
Web injection
So how can we protect ourselves?
Credential /Form Grabbing
The victim is infected
with malware
The victim makes a secure
connection to a web site
This triggers the malware to run
The victim enters data
into the web form
This content can be
stolen by the malware
The victim submits
the web form
The information is encrypted
and sent to the web server
The information is also sent
to the drop zone in clear text
Password
revealer
icon
So how can we protect ourselves?
• Uniquely analyzes user interaction with the browser
• Detects automatic transaction
• Ensure integrity of transaction data
• Trigger alerts upon detecting non-human behavior
Automatic Transaction Detection – MITM
MY BANK.COM
• Gather client details related to
the transaction
• Run a series of checks to
identify suspicious activity
• Assign risk score to transaction
• Send alert based on score
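The four steps just listed (gather client details, run checks, assign a risk score, alert on the score) amount to a small scoring pipeline. The Python below is an added example of that pipeline written for this page, not F5's code: the telemetry fields, the checks and their weights, and the two thresholds are assumptions chosen to illustrate the idea, and the three transactions are constructed samples (a human session, a fully automated submission, and a session whose submitted values differ from what the user typed, which is the transaction-integrity check).

```python
# Automatic transaction detection as a risk-scoring pipeline.
# Added example for this page (not F5's code). Telemetry schema, checks,
# weights and thresholds are assumptions; the transactions are constructed.
from dataclasses import dataclass


@dataclass
class TransactionTelemetry:
    """Client details gathered for one transaction (constructed schema)."""
    keystrokes: int          # key events observed in the form's fields
    pointer_events: int      # mouse/touch events observed on the page
    focus_to_submit_ms: int  # time from first field focus to submit
    typed_values: dict       # values as the page's input handlers saw them
    submitted_values: dict   # values as they actually left the browser


# Each check: (name, weight, predicate over the telemetry). Weights are illustrative.
CHECKS = [
    ("no_keystrokes", 40, lambda t: t.keystrokes == 0),
    ("no_pointer_events", 20, lambda t: t.pointer_events == 0),
    ("submitted_too_fast", 30, lambda t: t.focus_to_submit_ms < 1500),
    ("payload_altered", 60, lambda t: t.typed_values != t.submitted_values),
]
ALERT_AT, BLOCK_AT = 50, 100   # assumed thresholds


def score_transaction(t):
    """Run every check, sum the weights of those that fire, and map the total to an action."""
    reasons = [name for name, _, pred in CHECKS if pred(t)]
    score = sum(weight for name, weight, _ in CHECKS if name in reasons)
    action = "block" if score >= BLOCK_AT else "alert" if score >= ALERT_AT else "allow"
    return {"score": score, "reasons": reasons, "action": action}


def triage(transactions):
    """Score a batch and return only the transactions that need attention."""
    scored = {label: score_transaction(t) for label, t in transactions.items()}
    return {label: r for label, r in scored.items() if r["action"] != "allow"}


# Constructed sample transactions (account identifiers are placeholders).
HUMAN = TransactionTelemetry(
    keystrokes=42, pointer_events=15, focus_to_submit_ms=18000,
    typed_values={"to": "ACCT-0001", "amount": "50.00"},
    submitted_values={"to": "ACCT-0001", "amount": "50.00"},
)
AUTOMATED = TransactionTelemetry(            # script drove the form: nothing typed or clicked
    keystrokes=0, pointer_events=0, focus_to_submit_ms=120,
    typed_values={},
    submitted_values={"to": "ACCT-9999", "amount": "4900.00"},
)
TAMPERED = TransactionTelemetry(             # human session, but the payee changed in transit
    keystrokes=40, pointer_events=12, focus_to_submit_ms=20000,
    typed_values={"to": "ACCT-0001", "amount": "50.00"},
    submitted_values={"to": "ACCT-9999", "amount": "50.00"},
)

if __name__ == "__main__":
    for label, t in {"human": HUMAN, "automated": AUTOMATED, "tampered": TAMPERED}.items():
        print(label, score_transaction(t))
```

The payload_altered check carries the highest weight on its own because it is the one signal that does not depend on how the session looked: a perfectly human-looking session whose submitted values differ from what was typed is the man-in-the-browser case, and it should alert even when every behavioural check passes.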
My Bank.com
What do businesses need?
Clientless solution, enabling 100%
coverage
Protect Online User
Desktop, tablets & mobile devices
On All Devices
No software or user involvement required
Full Transparency
Targeted malware, MITB, zero-days, MITM, phishing
automated transactions…
Prevent Malware
attacks and Fraud Alerts and customizable rules
In Real Time
F5’s Comprehensive Approach
Malware Detection
Advanced Phishing Detection
Application Layer Encryption
Automatic Transaction Detection
APPLICATION ACCESS
Enterprise Mobility Gateway
Access Federation
Remote Access
App Access Management
Secure Web Gateway
Application Protection Capabilities
Protecting your applications regardless of where they live
Securing access from any user on any device
Strongest set of application security controls that reduce risk
APPLICATION PROTECTION
IP Intelligence
Web Fraud Protection
Hybrid WAF
SSL Inspection
DDoS Protection
DNS Security
Network Firewall
Application evolution vs business challenges
Web based
Mobile Cloud API
Enable Agile code
development
Reduce skills required
Increase protection
against Advanced
threats
Enable innovation
Gardening Leave
Will it help to weed out the bad guys?
Background
Matt Little, CTO, ZoneFox
Who are ZoneFox?
• Cyber Security focussed on directly
monitoring and protecting your data
• Customers in Software Gaming, Asset
Management, Hi-Tech Manufacturing
and Online Gambling…
Our Customers
Leavers and the Problem with Gardening Leave
Did I mention
that I am leaving
next week?
I've just been offered a job with
our biggest
competitor
I'm really annoyed that I
didn't get that promotion
Your top-performing team…
Sssshhhhh – Don’t tell anybody but I have this embarrassing problem
• Vormetric Insider Threat Report –
• Only 11% of respondents felt that their organization was not vulnerable to insider attacks
• Globally, 89% of respondents felt that their organization was now more at risk from an insider attack
• 34% felt very or extremely vulnerable.
What and where are people stealing data
• Top theft locations
• Databases (49%)
• File Servers (39%)
• Top Data stolen
• Customer Lists
• Contracts
• Sensitive commercial data
• R&D
Leavers – this is hypothetical, right?
• Leavers are insiders and therefore you have an insider threat challenge
• Mostly existing security is “Outward-looking”
• Has it worked?
The Cost of a Breach
• Cost of a breach comes from two things:
- Time taken to discover it
- Cost of investigating and remediating
• Verizon Data Breach Report 2015 – “growing ‘detection deficit’ between attackers and defenders.”
• This ‘detection deficit’ means that a typical breach will take ~200 days to discover
• If you discovered that, how much effort would have to be spent investigating?
But Breaches are a US thing…
90% large organisations breached (up from 81%)
74% smaller organisations (up from 60%)
Cost of a breach
£1.46 - £3.14M large organisation (was £600k – £1.15M)
£75 - £311k smaller organisation (was £65k - £115k)
Staff related security breaches
(source PWC/BIS’ 2015 Information Security Breaches Survey)
75% large organisations
31% smaller organisations
But I have a load of defences…
External Protection
Who?
When?
Why didn't I know at the time?
My Organisation
Why Gardening Leave (and what is it?)
• “an employee's suspension from work …typically to prevent them from …accessing confidential information.”
• Use it to protect from ‘poaching’ of customers, etc
Does it protect your data?
The Financial Costs of Insider Data Theft
£30,000 – Research from the legal firm EMW indicated that small businesses typically incur this cost for legal work in an insider theft (2012 research)
? The value of the data stolen
The number of High Court cases relating to the theft of confidential information by insiders (employees) increased by 250% between 2010 and 2012.
A real-life example from ZoneFox
What did they try to steal
• 182,000 Files:
• Results of confidential product testing
• CAD designs for prototypes and new products
• Bills of Materials for new designs
• Printed Circuit board designs
• Contracts and agreements with research and manufacturing partners.
• The value?
£10 million
What went wrong?
• Technical controls and HR Processes broke down
• Lack of visibility of the endpoint
• Leaving processes (including gardening leave) were too late
• Stolen data was collected in advance of submitting resignation.
What are the alternatives?
External Protection
My Organisation
Incident Response for a leaver
• Global company
• Unusual behaviour – times, locations, volumes, etc
• Theft followed by taking laptop home
• Senior Legal.
• Incident response ~4 hours
How long would it take you?
Key takeaways
- Compromise is highly likely
- People steal data before they resign
- Protect your inside too - the threat is as likely (if not more likely) to come from inside your organisation.
- Focus on reducing cost by detecting threats sooner and responding quickly
#scotsecure
Welcome Back
#scotsecure
Per Johansson
European Parliament
The New European Framework for Data Protection
- state of play?
Per Johansson
Edinburgh, 21 April 2016
Who am I?
– Swedish lawyer
– Industry consultant
– European Data Protection Supervisor (EDPS)
– European Parliament - Scotland
The European Parliament in the Member States
The European Parliament operates an ‘Information Office’ in the national capitals of all 28 EU Member States.
Since 1999, it has also operated a smaller 'branch' office in the larger Member States, opening offices in Barcelona, Edinburgh, Marseilles, Milan, Munich & Wrocław (2011).
The European Parliament Office in Scotland aims to increase awareness of the
Parliament and the impact of its activities in Scotland, as well as highlighting the work
of the six Scottish Members of the European Parliament (MEPs).
General remarks
Reasons for reform
• Technological change
• Legal certainty
• Harmonisation in the internal market
• Need for change in the area of police and judicial cooperation
• Global dimension
→ Regulation for general principles; Directive for law enforcement
The EU DP reform:
Enhances harmonisation of data protection
Reinforces position and rights of data subject
Strengthens responsibility of data controller
Strengthens supervision and enforcement
General remarks
• The “Ordinary” legislative procedure
– Commission proposals – January 2012
– Joint legislative responsibility between European Parliament and Council of Ministers
– “Readings”
– Negotiations between three institutions
= Changes all the way
The legislative procedure
Where are we now?
• Council (final) agreement October 2015
• Plenary vote EP 14 April 2016 = LAW
• Entry into force 20 days after publication in the EU Official Journal
• Regulation – MS law 2 years after entry into force.
• Directive – 2 year period of implementation deadline for MS
• Directive only applicable to those measures where the UK has opted in.
Scope
Territorial scope:
- An establishment of a controller or processor within EU, regardless of where the processing takes place
- ‘Offering of goods and services to’ or ‘monitoring behaviour of’ data subjects in the EU
Data controllers/processors
Security of processing (32) Implementation of appropriate tech and org measures
such as...
Pseudonymisation and encryption
Systems functionality, restoration and regular testing
Assessment of the security level Risks
Data controllers/processors
Designation of data protection officers (37 onwards)
Where:
- Public authority or body
- Core activity = regular and systematic monitoring of data subjects
- Large scale of special categories of data
Tasks:
- Inform and advise
- Monitor the implementation
- Contact point
Data controllers/processors
Notification of data breaches (33)
Controller notification to the supervisory authority within 72 hours
Processor shall notify controller
Data protection Impact assessment (35)
New tech, high risk to rights and freedoms to natural persons
Data controllers/processors
Strengthen responsibilities of the controller
→ Accountability (24 onwards):
- “measures to ensure and demonstrate compliance with the Regulation”
- Where proportionate “implementation of appropriate data protection policies”
Data controllers/processors
Information and communication
- Concise, transparent, intelligible, easily accessible, clear and plain language (12)
- Procedures and mechanisms (12)
- Content of the information (13, 14)
Data controllers/processors
Data protection by design and by default (25)
Documentation – Records in writing (electronic form)(30)
Processors – Records of processing activities (30)
Supervision and Enforcement
– One stop shop – ‘main establishment’ (4(16), 56)
– Consistency mechanism (63 onwards)
• Cooperation between authorities and COM
– European Data Protection Board (68)
– Sanctions (83)
• Up to € 20M or 4% of annual worldwide turnover
Data subjects
Definition of consent (7)
- Controller burden of proof - demonstrate
- Distinguishable – in plain language
- Withdrawal
Data subjects
“Right to be forgotten” (17)
– Erasure without undue delay
– Reasonable steps to inform other controllers
» Available tech and cost of implementation
Data subjects
Profiling (22)
Only if:
- Performance of a contract + safeguards
- Union or Member State law
- Explicit consent of the data subject + safeguards
And: not based solely on special categories of data
Thank you for your attention
EDPS website on DP reform: http://www.edps.europa.eu/EDPSWEB/edps/cache/off/Consultation/Reform_package
#scotsecure
Wendy Goucher
Goucher Consulting
© Goucher Consulting Ltd, 2016
You get what you Give
Cyber Security Communication reconsidered
Wendy Goucher, Information Security Specialist
Staff are your
“Human Firewall”
Fighting ‘Cyber’
• Clear, operationally effective policies, procedures and controls.
• Good communication of the policies, procedures and controls.
• A darn good reason why they should follow them.
Secure operations come from:
Wendy’s Wheels
Driver Induction Training
Policies, Procedures & Controls
Motivation
Your staff care
People care about their own security. They won't automatically care about yours if you don't seem to. Think about the security message you are really sending.
Thank you
Wendy Goucher
#scotsecure
Scott Barnett
Royal Bank of Scotland
Scott Barnett
Cyber & Fraud
Intelligence Lead
How threat intelligence can prevent data breaches and other cyber attacks – and how you can get and apply some of this stuff
Cyber Crystal Balls
what is threat intelligence?
a tool for decision making
information + analysis + inferences =
Planning –Intelligence
Requirements
Collection – of information
and monitoring for triggers
Analysis –turning
information into
intelligence
Dissemination – delivering to
the right people at the
right time
Feedback – re-evaluating
requirements, taking stock
what is intelligence?
Our mission: to provide forewarning of security threats to RBS
to minimise harm to our customers, staff, and business
Exposure
Vulnerability
Capability
Intent
what is a threat?
harmful agents' intentions + tools, tactics and procedures (TTPs)
INHERENT THREAT
how exposed your
business is to these actions
+any vulnerability
that makes harmful
outcomes more likely
RESIDUAL THREAT
harmful outcomes resulting from an entity's actions in pursuit of its goals. Source: CBEST framework
• Provide a forecast of the bank's strategic threat landscape
Forecast
• Join the dots between strategic and operational
threats
Link
• Contextualise big ticket events in terms of what they mean for RBS – so what?
Context
• Identify new and emerging threats
and attack techniques
Identify
• Collect external information and
fuse it with internal sources
Collect
• Proportionate, timely, actionable
intelligence
Deliver
what can threat intelligence do for you?
kill chains and attacker mindsets
construct threat
delivery
infection
manipulation
impact
botnet / tool
target
vulnerabilities
bandwidth
loss of service
DDoS
(Timeline slides: 2006, 2010, 2016)
how can threat intelligence
help?
construct threat
delivery
infection
manipulation
impact
botnet / tool
target
vulnerabilities
bandwidth
loss of service
DDoS
construct threat
delivery
infection
manipulation
impact
early warning
attack scripts
rulesets
other techniques
recovery advice
botnet / tool
target
vulnerabilities
bandwidth
loss of service
construct threat
delivery
infection
manipulation
impact
early warning
threat indicators
Technical mitigants
situational awareness
shared experience
Scott Barnett
#scotsecure
Questions &
Discussion
www.mobile-scotland.com
2nd Annual Mobile Scotland
26th May Edinburgh
www.scot-cloud.com
3rd Annual Scot-Cloud
21st June Edinburgh
Drinks &
Networking Upstairs
Hosted By
SCOT-SECURE 2016
MICHAEL JACK & KYLE BOWES
$ WHOAMI
MIKEY & KYLE
▸ 2nd BSc Ethical Hacking @ Abertay University, Dundee
▸ Work for Scottish Business Resilience Centre (SBRC)
▸ OSINT, Footprinting, Outreach
▸ Mikey: Cryptography, Defence, Counter-terrorism
▸ Kyle: OSINT, Footprinting, Counter-terrorism
THE ORDER, UNLESS WE GET SIDETRACKED
WHAT’S ALL THIS THEN?
1. Staying Updated
2. Data Protection, Encryption & Backups
3. Passwords
4. Phishing Emails & Malicious Websites
5. Social Media
SECURITY IS A PROCESS, NOT A PRODUCT.
Bruce Schneier, April 2000
THREAT MODEL 101
HACKERS ARE LAZY
Johnny Appleseed
THREAT MODEL 101
"I DON'T NEED TO RUN FASTER THAN THE BEAR: I ONLY NEED TO RUN FASTER THAN YOU."
Johnny Appleseed
THREAT MODEL 101
UPDATE NOW
A CRITICAL PAIN IN THE ASS
DON’T BE AN EASY TARGET
UPDATES MATTER
▸ Will protect you against a lot of threats
▸ low effort > high reward
▸ Windows 10, 8.1, 8, 7 get security updates
▸ Windows XP doesn’t get any updates
▸ OS X 10.11 (El Capitan), 10.10 (Yosemite), 10.9
(Mavericks) get security updates
WINDOWS 7: WINDOWS UPDATE - TURN IT ON!
WINDOWS 7: WINDOWS UPDATE - ENABLE AUTOMATIC UPDATES
OS X 10.11 (EL CAPITAN) - SYSTEM PREFERENCES > APP STORE
BACKUP THE DATA!
BACKUPS ALL THE WAY DOWN
BACKUP THE BACKUPS
BACKUPS WILL SAVE YOUR BUSINESS
▸ Will save you time & money
▸ Onsite & Offsite backup
▸ Daily, Weekly, Monthly
▸ Easy to restore in event of a disaster
STORAGE IS CHEAP
WINDOWS 7: BACKUP & RESTORE - SET UP BACKUP
OS X 10.11 (EL CAPITAN) - TIME MACHINE
ENCRYPTION
https://youtu.be/XfFjde0UPbY
SOMETHING YOU KNOW, A PASSWORD FOR EXAMPLE
PASSWORD-PROTECT-DOCUMENTS-WORKBOOKS-AND-PRESENTATIONS
WHAT TO ENCRYPT
▸ Encrypt everything, if you can, Full Disk Encryption
▸ Windows: BitLocker/ Drive Encryption
▸ Mac: FileVault
▸ Customer personal and payment information
▸ Microsoft Office Button > Prepare > Encrypt Document
▸ Smart Phones & Tablets
▸ iOS > Settings > Touch ID & Passcode > Erase Data
▸ Android > Settings > Security > Encryption > Encrypt
PASSWORDS
SIZE MATTERS!
STATISTICAL ANALYSIS (LINKEDIN 160K & ROCK YOU 14M)
THE WORST PASSWORDS
• qwerty
• 696969
• mustang
• letmein
• baseball
• michael
• football
• 123456
• password
• 12345678
• 1234
• master
• 12345
• dragon
TRIES ALL COMBINATIONS FROM A GIVEN KEYSPACE. IT IS THE EASIEST OF ALL THE ATTACKS.
hashcat.net/wiki/doku.php?id=brute_force_attack
BRUTE FORCE
MASK ATTACK
JULIA1984
‣ (26 + 26 + 10)^9 = 62^9 ≈ 13×10^15 = 13 Quadrillion @ 100M/s
‣ The above password matches a simple but common
pattern. A name and year appended to it.
‣ We can also configure the attack to try the upper-case
letters only on the first position.
‣ Down to 370 Billion combinations @ 100M/s
http://hashcat.net/wiki/doku.php?id=mask_attack
HTTPS://THEINTERCEPT.COM/2015/03/26/PASSPHRASES-CAN-MEMORIZE-ATTACKERS-CANT-GUESS/
PASSPHRASES
▸ Never give them away!
▸ Your trick isn't clever
▸ Space bar is your friend
▸ Length > complexity
▸ Tell a story
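The keyspace arithmetic from the mask attack slides above, and the passphrase point that length beats character-set size, can both be checked with a few lines of Python. This is an added example written for this page, not hashcat's code and not the presenters' material: it assumes hashcat's built-in charset sizes (?l 26, ?u 26, ?d 10, ?s 33, ?a 95) and uses the mask ?u?l?l?l?l?d?d?d?d as one way to express "upper-case only in the first position, then a name, then a year". The count it produces depends on the exact mask chosen, so it will not necessarily match the figure quoted on the slide; the 62^9 brute-force figure and the 100M/s rate are the slide's own.

```python
# Keyspace arithmetic for brute-force vs. mask attacks, and why length wins.
# Added example for this page (not hashcat's code). Charset sizes are hashcat's
# built-in ones; the masks, lengths and guessing rate used below are assumptions.

# hashcat built-in charsets: ?l lower, ?u upper, ?d digits,
# ?s printable specials (33), ?a all printable ASCII (95)
CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_keyspace(charset_size, length):
    """Every position may hold any of charset_size symbols: size ** length."""
    return charset_size ** length


def mask_keyspace(mask):
    """Keyspace of a hashcat-style mask such as '?u?l?l?l?l?d?d?d?d'.

    A '?x' token contributes len(charset x) possibilities; any other
    character is a fixed literal and contributes exactly one.
    """
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask) or mask[i + 1] not in CHARSETS:
                raise ValueError(f"bad mask token at offset {i}: {mask[i:i + 2]!r}")
            total *= CHARSETS[mask[i + 1]]
            i += 2
        else:
            i += 1
    return total


def years_to_exhaust(keyspace, guesses_per_second=100_000_000):
    """Worst-case time to try the whole keyspace at a fixed guessing rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def compare(password_mask, passphrase_len, passphrase_charset=26):
    """Contrast a patterned password with an all-lower-case passphrase of the given length."""
    pattern = mask_keyspace(password_mask)
    phrase = brute_force_keyspace(passphrase_charset, passphrase_len)
    return {"pattern_keyspace": pattern, "passphrase_keyspace": phrase,
            "passphrase_is_larger": phrase > pattern}


if __name__ == "__main__":
    full = brute_force_keyspace(62, 9)                 # the slide's 62^9
    print(f"62^9 = {full:,} (~{years_to_exhaust(full):.1f} years @ 100M/s)")
    masked = mask_keyspace("?u?l?l?l?l?d?d?d?d")
    print(f"mask = {masked:,} (~{years_to_exhaust(masked) * SECONDS_PER_YEAR / 60:.0f} minutes @ 100M/s)")
    print(compare("?u?l?l?l?l?d?d?d?d", 20))
```

Two things fall out of running it: the mask collapses the 62^9 keyspace (about four years at 100M/s) to something measured in minutes, which is the slide's point about patterned passwords, and a 20-character all-lower-case passphrase has a larger keyspace than a 12-character password drawn from all 95 printable characters, which is the passphrase point that length beats complexity.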
REDUCE THE NUMBER OF PASSWORDS YOU NEED TO KNOW
PASSWORD MANAGERS
▸ Last Pass (all platforms) (cloud based)
▸ 1Password (all platforms, best on Apple) (Dropbox sync)
▸ Demo!
▸ Auto fill, in the browser Chrome, Firefox, Safari
▸ Generate unique long passwords for each site
IF YOU DO ANYTHING, PLEASE DO THIS!
TWO FACTOR AUTHENTICATION (2FA)
▸ twofactorauth.org
▸ Google Authenticator
▸ Authy
▸ YubiKeys
PHISHING EMAILS
DON'T CLICK THAT LINK
OS X Mail
Legit, Gmail
Spam, Gmail
MALICIOUS WEBSITES
WATERING HOLE
THIS IS NOT THE WEBSITE YOU ARE LOOKING FOR
SCOT-SECURE
REAL OR FAKE
▸ Padlock
▸ URL
▸ How did you get there?
▸ Apply common sense
▸ Browser extensions
▸ HTTPS Everywhere
▸ uBlock Origin
Safari
Chrome
Chrome
Firefox
https://youtu.be/XfFjde0UPbY
SOCIAL MEDIA
FACEBOOK, TWITTER, LINKEDIN & INSTAGRAM
PASS THESE ON
THINK ABOUT THESE THINGS, PLEASE?
▸ Update, backup and encrypt your devices
▸ Encrypt the most critical sensitive information
▸ If you can encrypt it all, Full Disk Encryption
▸ Long passwords, don't worry about complexity
▸ Get a password manager (LastPass & 1Password)
▸ Use Google Chrome, if you can
▸ Think about how you got to the site, did you expect the email?
LAST CHANCE
THE LINKS
▸ Chrome security usability: youtu.be/XfFjde0UPbY
▸ Very strong passwords: theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
▸ Which sites use Two Factor Auth: twofactorauth.org