Scot Secure 2017

  • Welcome to

  • Mark Stephen, Conference Chair

    @bbcscotland #scotsecure

  • Ray Bugg, DIGIT

    @digitfyi #scotsecure

  • www.digit.fyi

  • www.digitleaders.com

  • DI Eamonn Keane, Police Scotland

    @policescotland #scotsecure

  • What can we do to fight back? Scot-Secure Conference, March 2017.

  • Agenda

    Scottish, UK & Global Perspective!

    The current threat landscape!

    The challenges to LE & Policing!

    The LE response - NCCU & Police Scotland!

    Are we getting the message across?

    What can we do to fight back?

    Collaboration & Prevention.

    Good News - Look Forward!

  • ORIGINAL HUB CONCEPT: SG / NCSC / EUROPOL / POLICE / SENIOR TECH COMMUNITY / INVESTIGATIONS

    TIER 4 SCOTLAND'S TECH COMMUNITY DEVELOPMENT

    TIER 3 ACADEMIA / R & D

    TIER 2 SOC / TRUSTED PARTNERS

    TIER 1 APPRENTICES / GRADUATES

  • Cyber Regional Organised Crime Units

  • Stalking, Bullying, Cyber Fraud, SOCG, Sexual Offenders, Indecent images of children, Cyber dependent crimes (e.g. hacking, malware, DDoS), Anti-social behaviour, Cyber Terrorism

    Cyber crime is impacting on the police response across the full crime spectrum.


  • What we do know!!

    The cyber threat to UK business is significant and growing.

    This threat is varied and adaptable.

    The rise of internet connected devices gives attackers more opportunity!

    The past year has been punctuated by cyber attacks on a scale and boldness not seen before!

    The UK & Scottish governments are committed to making the UK a secure and resilient digital nation.

    Under-reporting.

  • Scenario 2: Malware

    Some Brief Examples: The Usual Suspects

    Malware, Phishing, Ransomware, Social Engineer, Hacker

  • Key questions that all CEOs & CISOs should be asking this week

    "Are we vulnerable to a cyber intrusion, SQL injection, ransomware or DDoS based attacks?"

    "What assurance activity have we done to confirm that we are not vulnerable?"

    "If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?"

    "Are we satisfied that we have engaged sufficient 3rd party security provision?"

    What is our company ethos & posture on security?

    What, and how vibrant, is your overarching cyber security policy?

  • Cyber Attacks are on the rise

  • The Main Threats

    Hacktivism: hacking organisations they don't agree with. Politically motivated. Mainly defacement of websites and public disclosure of information. Organised but disperse. Examples: Anonymous, New World Hacking, Lizard Squad.

    Organised Crime: well funded cyber crime groups. Financially motivated. Mainly ransomware, stealing of personal info/credit card info, and hacking. Highly organised and well funded. Examples: Carbanak Cyber Gang, Janus Sec etc.

    Espionage: state sponsored. Politically & financially motivated. Mainly covert hacking and custom malware targeting sensitive IP and CNI. Extremely organised and well funded. Examples: TAO, APT 28, APT 17, Bureau 21.

  • The Main Threats

    Bedroom Hackers

    Teenagers with a point to prove

    Motivated by recognition and quick cash

    Mainly defacement of websites and public disclosure of information

    Have been quite successful at low hanging fruit.

    They have been individuals or front people of a group

  • Growing Cadre of Hacking Groups

    Anonymous

    LulzSec

    Lizard Squad

    New World Hacking Team

    DD4BC

    The Impact Team

    The Armada Collective

    Syrian Electronic Army

    PhantomSec

  • ORGANISED CRIME

  • The skillsets

  • Feezan Hameed

    60 - 113 million frauds

    Vishing / social engineering of banking customers

    Data acquired including account details/passwords

    Money transferred online via mule account networks

    UK-wide investigation

    Numerous UK Law Enforcement

    Arrested in Paris on false passport

    Convicted and sentenced to 11 years imprisonment

    Customer education?

  • Op Backbone: UK Bank Frauds

    Exfiltration of bank customer data

    Bank employee

    Live customer data for sale on dark web

    Data used to commit further frauds

    Customer data recovered at home address

    Arrested / Convicted

    23,000 seized from account (POCA)

    Print? Business Need/Auditable?

  • Operation Mouse - Police Scotland Website

    Operation Vulcanalia

    The NCCU/PSOS Operation Vulcanalia targeted users of the Netspoof DDoS-for-hire tool. Based on intelligence gathered by the West Midlands Regional Cyber Crime Unit, a week of action in December 2016 saw more than 60 individuals targeted, resulting in 12 arrests, over 30 cease and desist notices served, two cautions issued and one protective visit made.

    The Avalanche network

    The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked.

  • Cyber Resilience is thorough Preparation

    Overarching Cyber Security Strategy!

    Pre-planned Exercise.

    Incident Management & Response Plan.

    Communications Strategy.

    Investigative Strategy.

    Incident Manager & Team

    Gold, Silver, Bronze.

    Mitigation & Recovery Strategy.

    Logistics - Contingency

  • Scotland's Future

    International Collaboration

    Government, LE, Industry, Academia Collaboration

    Joint Working - Intelligence, Technical, Disruption

    Prevention/ Education

    Curriculum for 21st Century

    Upskill Children & Wider Population

    Target Harden Existing Business

    SBRC Role

    Cyber Security Grow as Industry Sector

  • Cyber Essentials & Cyber Essentials Plus

    Cyber Essentials concentrates on five key controls.

    These are:

    1. Boundary firewalls and internet gateways

    2. Secure configuration

    3. Access control

    4. Malware protection

    5. Patch management

  • Fighting back: what can we do?

    Reporting means we can fight back!

    Cyber Policing Structure NCCU - Regional Hubs- Prevention

    European & Global Co-operation EC3.

    Innovative Partnerships.

    Organisational growth and transformation.

    Education, prevention & unprecedented collaboration.

    The Cyber Academy & Scottish Academia R & D.

    Inspire and enthuse - SQA National Progression Awards

    SBRC Supporting vulnerable SMEs.

    Multi agency, multi disciplined teams protecting Scotland.

  • European Union General Data Protection Regulation (GDPR)

  • Recap

    Cyber Essentials

    Cyber Essentials Plus

    Govt backed / Industry supported

    Basic cyber security hygiene

    Report to Police / CERT-UK / GovCert

    Share - CiSP

    Intel / Europol paints cyber picture

    Human: staff education/awareness

    Staff privileges

    Nice v risk?

    Data breach test of scrutiny: did we REALLY do ALL we could?

  • Thank you for listening

    Any Questions?

    [email protected]

  • Dr Keith Nicholson, Cyber Security Scotland

    #scotsecure

  • SCOT-SECURE 2017

    CYBER DEFENCE STRATEGY FOR THREAT RISK REDUCTION

    Dr Keith Nicholson

    Cyber Security

    Scotland

    March 2017

  • Dr Keith Nicholson, Independent Cyber Security Advisor

    25+ years experience in digital technologies, IT audit and cyber security

    Qualified in cyber security (CISM, CISA)

    Scottish Government advisor in Cyber Security

    Member Cross Public Sector Cyber Group

    Member Cyber Leaders Board

    Advisor across Public Sector (e.g. SNH, SEPA, SFC, Revenue Scotland)

    Cyber Security Scotland: Non-Profit Organisation established to provide independent advice & services on all aspects of cyber security to public bodies to help create the intelligent client.

    Provides honest-broker guidance on ICT, cyber security strategy development, tender specifications, procurement exercises and project management to deliver Best Value.

  • BUILDING A CYBER DEFENCE STRATEGY

    Challenges: IT Team

    Management expectations on skills

    Winning investment & management buy-in

    Not just a technical issue

  • BUILDING A CYBER DEFENCE STRATEGY

    Challenges: Board

    Lack of cyber understanding

    Failure to appreciate risk & ROI

    Belief technology is silver bullet

    Lack of integration of HR, Finance & Procurement as well as IT in cyber defence strategy

  • Cyber Defence: BUILDING A RESILIENT ORGANISATION

    Secure technology

    Challenging suppliers - lifecycle & supply chain

    Training and awareness in staff

    Policies & procedures in HR, Finance, Procurement, IT

    Senior management responsibility

    Becoming an intelligent client: know what you don't know

  • THREAT RESEARCH

  • Threat Risk Areas

    KEY CYBER THREAT RISK AREAS: Procurement, Payroll, Data Theft, Disruption

    THREAT VECTORS: Culture & Behaviours (poor and well-intentioned); Technical

    Goals: credential theft; financial gain; service disruption

  • Incident Patterns

    NB: Classification can vary between sectors

  • Data Breach Patterns

  • Current Common Threats

    TECHNICAL & PEOPLE BASED

    Malware: ransomware

    Credential theft: webmail; keylogging

    Drive-by downloads from websites

    POS attacks

    DDoS: transactional servers / websites

    Web site defacement

    Dark web: malware / hackers for hire; risk-reward model

  • Common attack vectors

    BEHAVIOURAL VULNERABILITIES

    Domestic technology use = embedded behaviours brought into workplace

    Changing attitudes to privacy and sharing personal information

    TECHNICAL

    Phishing - email malware: ransomware, key loggers

    Email attachments e.g. invoices

    Email person pretext (e.g. "I'm xxx's boss"; CFO instructing invoice approval)

    Vishing: elicitation of key information in conversation

  • Threat Data

    Time to compromise: 82% in minutes (phishing to steal credentials)

    Time to exfiltration: 68% in days (capture & export data)

    Detection deficit: only ca. 20% of attacks detected within days [1]

    68% of attacks are malware, 32% by pretext [2]

    [1] Verizon 2016 Data Breach Investigations Report

    [2] HMG, Ipsos MORI, University of Portsmouth, Cyber Security Breaches Survey, May 2016

    Oldies still goodies: top 10 vulnerabilities older than one year

    Software vulnerabilities, time between publication and exploitation: Adobe, Microsoft, Oracle fastest to be compromised; Apple and Mozilla slowest

    Helps focus patch management

  • CYBER DEFENCE STRATEGY

  • 5-Step Threat Reduction Strategy

    1. Recognise the threat & take responsibility at Board level Exec & Non-Exec

    2. Risk & Business Impact assessment of technical & organisational vulnerabilities

    3. Secure the technology (resources prioritised via Risk & Business Impact assessment)

    4. Create a cyber-aware culture

    5. Evolve to become an Intelligent Client

  • Becoming the Intelligent Client

    Recognise what you don't know (Known Unknowns): audit systems, policies & procedures via critical friend

    Recognise you don't know what you don't know! (Unknown Unknowns): get Directors and staff training, both technical and general awareness

    Challenge suppliers: service lifecycle and supply chain; build security into procurement specifications

    Don't rely only on supplier advice (Audit Scotland)

    Seek honest broker independent advice where needed

  • CYBER DEFENCE ACTION PLAN

    1. Assess and test Cyber Awareness Maturity level: at Board level; amongst general staff; amongst technical teams

    2. Undertake a Cyber Security audit with risk assessment to: identify technical & cultural vulnerabilities and threats; prioritise resource allocations proportionate to risk; identify staff skills gaps

    3. Create a staff development strategy for ongoing awareness / technical training

    4. Develop a Proactive & Responsive Cyber Strategy, Policies & Continuous Improvement Plan to address continuing and changing threats

  • Summary

    Needs Board & Senior Management commitment: risk awareness, RoI and investment buy-in

    Cross-organisation responsibility: HR for OD, staff training and vetting; Finance, Procurement for fraud detection; IT for technology

    Define your needs and challenges (technological as well as staff and suppliers) via Gap Analysis

    Set realistic development plan & expectations: cultural change is not achieved overnight

    Keep your eye on the threat: staff development; continuous improvement plan; monitor, mentor, measure

  • THANK YOU

    KEITH NICHOLSON  T: 01847 500 101  M: 07899 062 965  E: [email protected]

  • Jenny Radcliffe, Social Engineer & Negotiator

    @Jenny_Radcliffe #scotsecure

  • People Hacking

    The Human Factor in Security

    Jenny Radcliffe 2017

  • Humans

  • Predictable?

  • Motivation

  • Motivation

  • Humans

  • Thank You! @Jenny_Radcliffe

    www.jennyradcliffe.com

  • Rik Ferguson, Trend Micro

    @rik_ferguson #scotsecure

  • Ransomware, the scourge of 2016

    Rik Ferguson

    Vice President Security Research

    Trend Micro

  • (Not so) Humble Beginnings

  • Ransomware Evolution

  • Ransomware Evolution

    Image credit: www.botnets.fr

  • Ransomware Evolution - CryptoLocker

  • Ransomware in 2016

    2016 Losses $1B

    246 new families in 2016 alone compared to 29 for 2015: a 748% increase.

    PhishMe Report: as of the end of Q3 2016, 97% of all phishing emails contained crypto-ransomware

    InfoBlox Report: ransomware domains up by 35 fold in Q1 2016

  • Ransomware Targeting Businesses

  • Ransomware Infection Vectors

  • UK Ransomware Survey

    Just over two thirds (69%) of UK ITDMs have heard about ransomware and know how it works.

    Four fifths (82%) consider ransomware to be a threat to their organization, while 18% do not.

    The average ransomware request received was 540, although for 20% of those infected, the request was more than 1,000.

    Nine in ten (89%) reported a time limit on paying the ransom, with the time limit being 19 hours on average.

    Organizations affected by ransomware estimate they spent 33 man hours on average fixing the issues caused by the ransomware infection.

  • UK Ransomware Survey

    Two thirds (65%) ended up paying the ransom. However, only 45% of those infected got their data back through this means, while 20% paid a ransom and did not get their data back.

    The three most common reasons for paying the ransom:

    They were worried about being fined if the data was lost 37%

    The data was highly confidential 32%

    The ransom amount was low enough to count as cost to business 29%

    Seven in ten (69%) think their organization will be targeted by ransomware in the next 12 months.

    77% have an incident response plan in case of infection with ransomware

    Only 44% have tested their incident response plan, while a third (33%) have a plan in place without testing it.

  • Notable Ransomware Families 2016

    A ROGUES' GALLERY

  • Locky: Malicious Macros

    Ransom_LOCKY is requesting 0.5 Bitcoin ransom ($209.27)

  • Crysis: A Hands-On Threat Actor

    A sample infection flow of Crysis via an RDP brute force attack

  • Cerber: A Ransomware Factory

    It replaces the system's current wallpaper with this image:

  • Stampado: Ransomware as a Service

  • Exploits and Exploit Kits in 2016

    A DECLINING INDUSTRY?

  • The demise of the Exploit Kit?

  • Neutrino Price Increase

    Neutrino price per month: $3,500 before Angler disappeared; $7,000 after Angler disappeared.

  • Rate of Vulnerability Additions to Exploit Kits

  • Exploit Kit / Ransomware Relationship

    Exploit Kit: Delivered Ransomware (2015); Delivered Ransomware (2016)

    Angler: CRYPWALL, CRYPTESLA, CRILOCK; CRYPWALL, CRYPTESLA, CRILOCK, WALTRIX, CRYPMIC

    Neutrino: CRYPWALL, CRYPTESLA; CRYPWALL, CRYPTESLA, CERBER, WALTRIX, LOCKY, CRYPMIC

    Magnitude: CRYPWALL; CRYPWALL, CERBER, LOCKY, MILICRY

    Rig: CRYPWALL, CRYPTESLA; GOOPIC, CERBER, CRYPMIC, LOCKY, CRYPHYDRA, CRYPTOLUCK, MILICRY

    Nuclear: CRYPWALL, CRYPTESLA, CRYPCTB, CRYPSHED; CRYPTESLA, LOCKY

    Sundown: CRYPTOSHOCKER, LOCKY, PETYA, MILICRY

  • Top Vulnerabilities Within Exploit Kits

    CVE-2013-2551. Affected software: Microsoft Internet Explorer 6 to 10. Description: a use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a deleted object.
    http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/2603/internet-explorer-use-after-free-vulnerability-cve20132551

    CVE-2015-0311. Affected software: Adobe Flash Player 13.0.0.262, 14.x, 15.x, and 16.x through 16.0.0.287 on Microsoft Windows and 11.2.202.438 on Linux. Description: an Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors.
    http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/6177/adobe-flash-player-buffer-overflow-vulnerability-cve20150311

    CVE-2015-0359. Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux. Description: an Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used; failed exploitation attempts likely result in denial of service (DoS).
    http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7473/adobe-flash-player-memory-corruption-vulnerability-cve20150359

    CVE-2014-0515. Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x through 13.0.x before 13.0.0.206 on Microsoft Windows and Mac OS X and before 11.2.202.356 on Linux. Description: an Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows attackers to run some processes and run arbitrary shellcode.
    http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/5895/adobe-flash-player-buffer-overflow-vulnerability-cve20140515

    CVE-2014-0569. Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux. Description: an Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors.
    http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/3527/adobe-flash-player-remote-integer-overflow-vulnerability-cve20140569

  • Ransomware Blocks in 2016

    2016 Total: ~1B

  • Fundamental Best Practices

    Employee Education: awareness, best practices, simulation testing

    Keep Current with Patching: minimize exploits of vulnerabilities

    Access Control: limit access to business critical data

    Back-up and Restore: automated; 3 copies, 2 formats, 1 air-gapped from network

  • Smart Protection Network in 2016

    Received 2.8T reputation queries from customers

    Identified 130M new unique threats

    Blocked 1B ransomware threats

    Blocked 81B total threats

  • Thank You, Rik Ferguson

    Trend Micro

    @rik_ferguson

  • Questions & Discussion

  • Refreshments & Networking

  • How To Transform Technical Security Data Into Business Ready Metrics

    Sean Lever

  • Agenda

    The Security Assurance Measurement Problem

    Transforming Security Data into Business Metrics

    How Tenable Helps Bridge the Gap

  • The Security Assurance Measurement Problem

  • CISOs use existing security metrics that are expressed in technical security terms, and

    are oriented toward technical security decisions. They report on what they can vs. what they

    should.

    Gartner: Sharpen Your Security Metrics to Make Them Relevant and Effective, July 10, 2015

  • BITS AND BYTES DON'T BELONG IN THE BOARDROOM

  • THANKS FOR THE 300 PAGE SECURITY REPORT - Nobody, Ever, Said

  • 51% of CxOs believe there is a 1 in 4 chance that a data breach will have a material impact on their organisation

    Source: Securing the C-suite, IBM Institute for Business Value, February 2016

    80% of CISOs say their top risks are increasing

    Source: Scale Venture Partners and Wisegate Survey, Assessing and Managing IT Security Risks, June 2014

  • COMPILING METRICS

    CAN BE DIFFICULT

  • Measured Quantity of Malware Detected

    According to the State of Metric Based Security Survey

  • Transforming Security Data into Business Ready Metrics

  • What is a Metric?

    METRICS ARE QUANTIFIABLE MEASURES TO TRACK PERFORMANCE

  • METRICS ARE THE ROSETTA STONE OF BUSINESS COMMUNICATION

  • Aligning Metrics to the Business

    Metric hierarchy: Metric, Control, Policy, Objective

    Control framework layers: Control Environment, Risk Assessment, Control Activities, Monitoring

    Data to wisdom: Data, Information, Knowledge, Wisdom

  • Defining a Metric

    Operations

    Compliance

    Reporting

    Business Objective

    Security Outcome

    Policy Statement

    Control Metric

  • Examples

    Operations: % Critical Systems Patched Within Target Days; % Critical Systems Without Updated Virus Definitions

    Compliance: % Critical Systems Within Compliance

    Reporting: by Site/Location; by Business Unit

    What is a SMART Metric? Characteristics:

    1. Specific

    2. Measurable

    3. Actionable

    4. Relevant

    5. Timely
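    The two Operations metrics named above, computed from an asset inventory and cut by site and business unit, then graded against a policy target in a report-card style. This is an added example written for this page, not code from the presenter or from Tenable; the asset records, field names, policy targets (14-day patch window, 3-day definition age, 90% / 5% pass marks) and the reporting date are all constructed for illustration.

```python
"""Operations metrics from the slide, computed over constructed asset data.

Implements "% Critical Systems Patched Within Target Days" and
"% Critical Systems Without Updated Virus Definitions", the two Reporting
cuts (by site, by business unit), and a pass/fail grade per metric.
Inventory, field names, policy targets and thresholds are constructed for
the example and are not taken from the page or from any vendor product.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, List, Optional

# Policy targets (assumed for the example, not from the page).
PATCH_TARGET_DAYS = 14      # critical patches must be applied within 14 days of release
AV_MAX_AGE_DAYS = 3         # definitions older than this count as "not updated"
AS_OF = date(2017, 3, 20)   # reporting date for the sample


@dataclass(frozen=True)
class Asset:
    hostname: str
    site: str
    business_unit: str
    critical: bool
    # Release date of the oldest patch still missing; None means fully patched.
    oldest_missing_patch_released: Optional[date]
    av_definitions_date: date


# Constructed inventory; hostnames, sites and business units are invented.
INVENTORY: List[Asset] = [
    Asset("srv-edi-01", "Edinburgh", "Finance",    True,  date(2017, 3, 10), date(2017, 3, 19)),
    Asset("srv-edi-02", "Edinburgh", "Finance",    True,  date(2017, 2, 1),  date(2017, 3, 1)),
    Asset("srv-edi-03", "Edinburgh", "Operations", True,  None,              date(2017, 3, 15)),
    Asset("srv-gla-01", "Glasgow",   "Operations", True,  None,              date(2017, 3, 20)),
    Asset("srv-gla-02", "Glasgow",   "Operations", True,  date(2017, 3, 1),  date(2017, 3, 18)),
    Asset("wks-gla-10", "Glasgow",   "Operations", False, date(2017, 1, 1),  date(2017, 1, 1)),
]


def patched_within_target(asset: Asset, as_of: date = AS_OF) -> bool:
    """True if no patch has been outstanding longer than the target window."""
    if asset.oldest_missing_patch_released is None:
        return True
    return (as_of - asset.oldest_missing_patch_released).days <= PATCH_TARGET_DAYS


def av_definitions_stale(asset: Asset, as_of: date = AS_OF) -> bool:
    """True if the host's virus definitions are older than the allowed age."""
    return (as_of - asset.av_definitions_date).days > AV_MAX_AGE_DAYS


def percent_of_critical(assets: Iterable[Asset],
                        predicate: Callable[[Asset], bool]) -> Optional[float]:
    """Share (in %) of critical assets for which `predicate` holds; None if none are critical."""
    critical = [a for a in assets if a.critical]
    if not critical:
        return None
    return round(100.0 * sum(1 for a in critical if predicate(a)) / len(critical), 1)


def percent_by_group(assets: Iterable[Asset], key: Callable[[Asset], str],
                     predicate: Callable[[Asset], bool]) -> Dict[str, Optional[float]]:
    """The same metric cut by a grouping attribute (site or business unit)."""
    groups: Dict[str, List[Asset]] = {}
    for a in assets:
        groups.setdefault(key(a), []).append(a)
    return {g: percent_of_critical(members, predicate) for g, members in sorted(groups.items())}


def grade(value: Optional[float], target: float, higher_is_better: bool) -> str:
    """Report-card verdict: PASS/FAIL against a target, N/A when nothing was measured."""
    if value is None:
        return "N/A"
    ok = value >= target if higher_is_better else value <= target
    return "PASS" if ok else "FAIL"


def report_card(assets: Iterable[Asset] = INVENTORY) -> Dict[str, object]:
    """Assemble the Operations metrics and their grades for an executive summary."""
    assets = list(assets)
    patched = percent_of_critical(assets, patched_within_target)
    stale_av = percent_of_critical(assets, av_definitions_stale)
    return {
        "pct_critical_patched_within_target": patched,
        "patching_grade": grade(patched, target=90.0, higher_is_better=True),
        "pct_critical_without_updated_av": stale_av,
        "av_grade": grade(stale_av, target=5.0, higher_is_better=False),
        "patched_by_site": percent_by_group(assets, lambda a: a.site, patched_within_target),
        "patched_by_business_unit": percent_by_group(
            assets, lambda a: a.business_unit, patched_within_target),
    }


if __name__ == "__main__":
    for name, value in report_card().items():
        print(f"{name}: {value}")
```

    Non-critical hosts are excluded from the denominator, matching the metric's wording, and a group with no critical assets reports N/A rather than a misleading 0% or 100%; the grade line is what turns the technical count into the business-facing pass/fail the slides argue for.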

  • How Do I Share Metrics?

  • Where Do I Start?

    Security Frameworks / Business Frameworks

  • National Cyber Security Centre (NCSC)


  • How Tenable Helps Bridge the Gap

  • Define security metrics that map to your unique business objectives

    Collect comprehensive, reliable data to assess security and compliance

    Use easy-to-read report card format to communicate security posture to execs

    Validate that security program controls are in place and delivering intended results to maximize your return on investment

    Measuring Security Assurance

  • Tenable Solution Components

    INTEGRATED PLATFORM

    SCCV HOST DATA, PASSIVE LISTENING, INTELLIGENT CONNECTORS, AGENT SCANNING, ACTIVE SCANNING

    Cloud, Devices, Users, Endpoint, Networks, Web, Virtual, Mobile

  • Assurance Report Cards

    Operations

    Compliance

    Reporting

    Business Objective

    Security Objective

    Policy Statement

    Control Metric

  • Tenable Critical Cyber Controls

  • ARCs for Specific Concerns

  • Geographic ARCs

  • Summary

    Figuring out the right metrics and compiling them can be challenging

    Metrics provide clear insight into how well the IT security team is meeting security and business objectives

    Tenable's sensors and ARCs help you turn technical data into metrics executives can understand

  • Next Steps

    Read the eBook: Using Security Metrics to Drive Action

    Download the Whitepaper: Measuring Security Assurance: Turn Technical Data into Metrics Executives Can Understand

  • Questions?

  • Social Engineering: The Art of Manipulating People, or A Career in Engineering whilst being on the Social

  • The Most Important Role for a Security Practitioner is to Eradicate the Need to Pre-Append words to the Term Security

  • The Greatest Risk we face as Risk Owners is from those with whom we are sharing the risk.

  • Person of Interest

  • Practical Examples: Tatty Teddy, Rick Steenfield

  • Tatty Teddy

    Twitter on Tatty Teddy

    Over a number of years tweeted as fan.

    On occasion principal retweeted.

    Interaction progressed to principal commenting.

    Fan moves to interact in DM, principal replies

    Fan tweets evolve, becoming more personal

  • Tatty Teddy

    Principal attempts to ignore and manage fan

    Principal sensitively declines

    Management company running a competition

    Winner of Meet & Greet announced.

    Fan requests a meet & greet.

    Fan interaction turns hostile

    Fan makes direct threats and becomes hostile online

  • Tatty Teddy

    > After being single all my life and approaching my 38th birthday, I've taken the plunge and signed up with POF. Have never had so much as a proper date in all my life, and it's been years since I was even remotely looked at by a woman, so I'm not expecting much.
    >
    > Having looked at who's available in my local area, there isn't much going. There are one or two women who are nice looking, but I look very young for my age, don't fancy women near to my own age (many 30-35s almost look old enough to be my mother), and I feel awkward at the thought of looking at women in their late 20s who I might actually find attractive. But I'd probably have nothing in common with them.


  • Tatty Teddy

  • Alexa Ray Joel

  • Alexa Ray Joel

    Alexa, come away with me! I want to take you away! To a place where no-one can ever hurt you! We can go anywhere. I know places. Places where we can be alone, or in a big city. It doesn't matter. I want to live a "normal" life with you. I want to watch you grow old with me, and maybe have a couple of children. You can be anything you can imagine! A doctor, a factory worker, a scientist, a photographer! Anything you want. I just have this dream of you and me in a house and pets and you can be my wife, and I can be your loveslave. Anything you want. It will be great! We can have a lot of fun together! So, get back to me! Tell me to go to Hell, tell me that I'm crazy, just tell me how you feel. I love you and I want you to be happy.

  • Messages start September 4th

    5th Recounting a Nightmare.

    7th Message of Hate.

    Last Message 13th November.

    Alexa Ray Joel

  • Alexa Ray Joel

  • Rick Steenfield: 20s, Chicago, McDonald's.

    Attended Gordon Central High School.

    Legend going back to High School

    Alexa Ray Joel

  • Alexa Ray Joel

  • Social Engineering - Profiling

    What do you want~

    Something about me being a lazy drink~I

    waste~good

    please!~Let me go!

    Alexa Ray Joel

  • One of a handful reporting same geo location.

    Similar Interests, Likes.

    I envy you~the way you can sing

    wrong~I just like them forever!

    but here I go~up on the stage, anyway

    Alexa Ray Joel

  • Alexa Ray Joel

  • Sheryl Finley [Billy Joel] hired a bodyguard to protect his daughter and contacted [Paul] McCartney, who recommended a Europe-based private-security firm not bound by the same legal restrictions as the police, [Post] sources said.

    McCartney's people found the stalker in Austin, Minn.

    Alexa Ray Joel

  • Securing People

    Training, understanding, malice.

    Educate your colleagues.

    Educate your Stakeholders.

    You can't address this with technology.

  • Securing People

    You do not know the people you are trusting.

    Recognise that as a Risk.

    Quantify the risk.

    Accept it or mitigate it.

  • Crime is on the increase

    Your stakeholders are being targeted.

    Sensitive Assets can take many forms.

    It's Risk, introduced by cyber or just security

    Stop referring to cyber security.

  • Thank You

  • CYBER RESILIENCE: THINKING BEYOND BUILDING THE WALLS HIGHER

    Rick Hemsley

    March 23, 2017

    ACCENTURE SECURITY

  • BY THE NUMBERS: DEFENDING AND EMPOWERING THE DIGITAL BUSINESS

    Streamline cloud migration activities by 20%

    20+ years of experience helping clients secure their organizations

    15,000+ security devices managed

    2 Security Centers of Excellence: Manila & Buenos Aires

    30 million+ digital identities managed

    >30x faster detection rates of incidents for multiple clients

    5,000+ people

    330+ clients spanning 67 countries

    5,000+ security risks mitigated / year

    350+ pending and issued patents related to security

    Cloud security, management and control for 20,000+ cloud computing instances

    5B+ raw security events processed daily

    Running some of the largest SIEM deployments in the world

    4 Cyber Fusion Centers: Bangalore, Prague, Washington, DC, Tel Aviv

    Security analytics that handle billions of events

    One million+ endpoints managed

    Copyright 2017 Accenture Security. All rights reserved.

  • HOW OFTEN DO YOU HEAR ABOUT SECURITY IN DAY-TO-DAY MEDIA STORIES?

    A. NEVER

    B. WEEKLY

    C. NEARLY DAILY

  • FROM THE HEADLINES

    Thieves steal $101M; governor of Bangladesh central bank resigns

    Yahoo hack: 1bn accounts compromised by biggest data breach in history

    LinkedIn hack hits headlines again: Records stolen to 117 million accounts

    Oracle Data Breach: MICROS System Compromised by Hackers

    Sources: The Economist, "The Dhaka Caper", March 19, 2016; The Guardian, article by Sam Thielman, December 15, 2016; www.identityforce.com/blog/oracle-data-breach; www.zdnet.com/pictures/biggest-hacks-security-data-breaches-2016/6/

  • WHAT HAVE WE TRADITIONALLY DONE?

    Resistance

  • ATTACKERS MODIFY THEIR TACTICS

  • MODERN THREATS: CYBER CRIME OR CYBER-ENABLED CRIME IS BIG BUSINESS, AND COMPANIES ARE TARGETED FOR THEIR DATA OR COMPANIES ARE TARGETED FOR THEIR MONETARY BENEFITS (ONE AND SAME?)

    Activist Groups

    Corporate Espionage

    State Sponsored

    Employees or Partners

    Organized Crime

  • SOPHISTICATED, WELL-FUNDED CYBERCRIMINALS ARE OUTPACING DIGITAL BUSINESSES: ALTHOUGH THE RISE OF DIGITAL HAS REVOLUTIONIZED HOW BUSINESSES WORK AND SERVE THEIR CUSTOMERS, IT HAS ALSO ADDED NEW DIMENSIONS OF RISK

    ~0.5 billion: 23% increase in exposed identities, with nine mega-breaches in 2015 [1]

    55%: increase in spear-phishing campaigns targeting employees, 2015 [4]

    35%: increase in ransomware moving beyond PCs to smart phones, Mac, and Linux systems [2]. OT systems next?

    $400 billion: costs to businesses per year due to cyber attacks (initial damage + ongoing disruption) [5]

    $170 billion: global corporate spending on cyber security by 2020 [3]

    430 million: new unique pieces of malware in 2015 [1]

    References:

    1 and 2. Symantec Internet Security Threat Report, Apr 2016 (mega-breach defined as >10 million records)

    3. "Companies Lose $400 Billion to Hackers Each Year", Inc., September 8, 2015

    4. Symantec Internet Security Threat Report, Apr 2016

    5. "Lloyds CEO: Cyber attacks cost companies $400 billion every year," Fortune, Jan 23, 2015

    Reference links:

    https://resource.elq.symantec.com/LP=2899?CID=70138000000jQ7vAAE&MC=198199&oc=NA&OT=WP&TT=PS&om_sem_cid=biz_sem_s115207826697434|pcrid|78260258929|pmt|b|plc||pdv|c

    http://www.inc.com/will-yakowicz/cyberattacks-cost-companies-400-billion-each-year.html

    http://www.symantec.com/security_response/publications/threatreport.jsp

    http://fortune.com/2015/01/23/cyber-attack-insurance-lloyds/

  • THE VOLUME OF ATTACKS ATTAINS ITS OWN DARWINIAN SOPHISTICATION: BEYOND CARBANAK AND SWIFT, CYBER RISK WILL CONTINUE TO MORPH AND BECOME MORE SOPHISTICATED. AS THE CONTROLS IMPROVE, THE ATTACKS CHANGE.

    Example new cyber risks:

    People are the weakest link: social engineering / phishing messages clever enough to fool everyone

    Greatest risks are cross-silo: Security vs Fraud vs Customer Risk vs Vendor Risk

    Command and control: clever mechanisms hide communication protocols once a breach has happened, e.g. Amazon HTTP requests

    Switch to physical: USB drives, printers, computers or any other hardware that can be compromised and then installed on the network

    SMS: weaknesses in the telecom infrastructure allow SMS-based dual-factor authentication to be compromised

    Ransomware attacks digital infrastructure: exploiting Android and Apple iOS can wreak havoc on applications, mobile devices and Internet of Things

  • NEW REGULATION = NEW REQUIREMENTS. WHAT IS THE GDPR? THE GENERAL DATA PROTECTION REGULATION (GDPR) APPLIES TO ALL BUSINESSES WHO HAVE CUSTOMERS AND/OR OPERATIONS WITHIN THE EUROPEAN UNION. BUSINESSES HAVE NEW REQUIREMENTS TO MEET.

    New Regulation

    3x as many articles as the incumbent privacy directive

    18 months until the new regulation is expected to become fully enforceable

    28 member states have harmonised a regulatory framework

    1 EU-level supervisory authority* governing going forward (*however, there are many regulatory bodies, e.g. FCA and PRA, that can take action against the Data Controller or Data Processor)

    In reality, it means fines up to 4000x previous levels and personal liability for management and/or the board.

    New Requirements

    You need to report an incident without undue delay to the Supervisory Authority, no more than 72 hours after finding it.

    You'll need to appoint a Data Protection Officer if you monitor on a large scale or process special data. Estimated DPO requirement: 28,000 in EU, 75,000 globally.

    You'll have tighter restrictions around consent. Get the consent balance right so you don't scare off customers.

    You'll need to cover more personal data, now including physical, physiological, economic, mental, genetic, cultural & social identity.

    You'll need to be able to erase all of an individual's personal data, which is likely to be in many parts of that organisation or with data processors.

    You'll need to be able to give an individual all of their personal data: where is it, what format, how to extract it, how to port it, etc.

  • WHAT IS CYBER RESILIENCE?

    Overview: it is the ability to operate the business processes in normal and adverse scenarios without adverse outcomes. Specifically, resiliency strengthens the firm's ability to identify, prevent, detect and respond to process or technology failures and recover, while reducing customer harm, reputational damage and financial loss.

    External sources of cyber risk: Hacktivism; Hacker/Lone Wolf; Nation State Attacks; Insider Data Leakage; Social Engineering

    Internal origins of cyber risk: Digital Banking Services; Payments; Electronic Trading; Third Parties; Technology Infrastructure

    CYBER RISK CAN MANIFEST ITSELF ACROSS SEVERAL DIMENSIONS, MAKING IT DIFFICULT TO DETECT, MEASURE, AND CONTROL

    Common characteristics of resilient businesses:

    More secure processes and systems

    Strong controls with a strong control environment

    A solid risk culture

    Digitized and automated processes

  • PREPARE: Business strategy alignment; Assessment & architecture; Operating model governance; Risk & compliance; Culture change; Red-teaming

    DETECT: Vulnerability management; Threat intelligence; Security monitoring; Cyber threat analytics

    PREVENT: Digital identity; Application & data security; Platform & infrastructure security

    RESPOND & RECOVER: Incident response; Remediation; Business continuity

    Across: MOBILE, ON PREMISES, CLOUD, IoT

    MORE SIMPLY?

    Business-driven

    Threat-centric

    Digitally protected

    Adaptive responses

    Agile delivery

  • HOW DO WE ACHIEVE CYBER RESILIENCE?

    Adopt a different mindset: understand our adversary, their objectives, strategies, tactics, and operating methods

    Think about different threats: those inside the organisation often have the keys to the kingdom, yet can often be the cause, intentionally or accidentally, of breaches

    Organise ourselves: move beyond technical silos, think holistically about cyber across the organisation

    Preparation is key: incident response is critical, and with GDPR it will only become more so

  • WHAT ARE THE CHALLENGES WE NEED TO OVERCOME?

    1. Not measuring the right things: move to business alignment

    2. Assuming controls are sufficient: stress test, prove controls and people

    3. Assuming a perimeter: begin inside out

    4. Static plans, doing the same thing over and over: innovate

    5. Limiting security to a purely technical issue: everyone's mission, H&S for the 21st century

    6. Disengagement: all leadership aligned and communicating, singing from the same hymn sheet

  • 5 KEY PRIORITIES TO HELP MANAGE CYBER RISKS EFFECTIVELY

    1. Training and Risk Culture: taking what is unique in your organization and infusing the right cyber risk behaviors

    2. Controls: identify weak points, building a robust set of controls across operations, business and IT

    3. Measurement with a Purpose: what is going on without your leadership's knowledge? Create metrics that expose the risks

    4. Operating Model: how does your leadership work with the rest of the organization? Assign clear lines of accountability and ownership

    5. Resilience: at some point things will go wrong; be prepared (and have leadership prepared!)

  • MORE SIMPLY AGAIN?

    How do we respond? What is the impact? How do we organize? How do we monitor?

    Risk Identification: aggregated set of typical risks associated with cyber risk

    Risk Events: scenarios which can impact the organization, specific to cyber threats

    Business and IT Controls: oversight of the controls and their testing programs, and how to leverage COBIT, ISA, ISO/IEC, NIST controls

    Operating Model: specifying the structure with people, organization, roles, tools and processes to govern

    Detection and Identification: tools and metrics to identify and log aspects to manage operations

    Operational Monitoring: aligning the tools to identify and detect threats, along with their escalation and oversight

    Event Response Plan: structure to identify and manage action plans

    Crisis Management: structure to manage incidents and notify impacted parties

  • TO OPERATE AND GROW CONFIDENTLY IN A RAPIDLY EVOLVING THREAT LANDSCAPE, ORGANIZATIONS NEED TO ADDRESS SECURITY ON THREE DIMENSIONS

    Empower business growth & secure operations

    Establish and maintain customer trust by meeting expectations for the privacy and protection of their data.

    Enable capabilities that enhance customer and employee experience.

    Meet compliance and regulatory obligations.

    Enable secure adoption of new technologies.

    Goal: Ensure that expectations for privacy and compliance are met, and that the business is protected from routine malicious behaviors.

    Harden the organization to make cyber attacks difficult

    Maintain IT hygiene to eliminate exposure to known vulnerabilities.

    Implement technology such as encryption and two-factor authentication to increase the difficulty of successful cyber attack.

    Implement security discipline beyond the security organization (e.g. secure coding, network segmentation, training & awareness).

    Goal: Raise the cost of attack to adversaries, reducing their incentive to attack lower-value targets.

    Detect and remediate successful cyber attacks

    Use threat intelligence to anticipate cyber attacks and take preemptive defense measures.

    Detect in-flight cyber attacks.

    Use red teams to test cyber defense effectiveness.

    Prepare and test incident response plans.

    Goal: Detect & respond to successful cyber attacks, minimize the impact of cyber attacks.

  • IF YOU TAKE NOTHING ELSE AWAY

    ADOPT A "WHEN, NOT IF" MINDSET

    PREPARE FOR BUSINESS DISRUPTION: KNOW WHAT YOU WILL DO

    & GDPR IS COMING!!!

  • THANK YOU

  • Man-in-the-Middle Application Security

  • Ian McGowan Bio

    Ian is a Managing Consultant at Barrier Networks and has 18 years experience working in network and application security.

    He has worked as a web application security architect and application security operations lead and understands the challenge organisations face when trying to integrate security controls into the modern software development life cycle.

  • Talk Overview

    Overview of Web Application Security challenges

    How Web Application Firewalling (WAF) can help

    Advances in WAF technology

    Anti-Fraud techniques

    Summary

  • Verizon DBIR 2016

  • Attack Surface

    [Figure: attack-surface diagram. Categories: Data; Application attacks; Network attacks; Session attacks; Client-side attacks; DNS attacks. Labelled threats: Stolen User Credentials/Fraud; Phishing; Network DDoS Attacks; Application Vuln Exploits; Recon/Port scan; Attacks against SSL Vuln; DNS Amplification/Cache Poisoning; Application DDoS Attacks; Botnet/SPAM; Man in the Middle; Man In The Browser; Malware; Business Logic Abuse]

  • Focus of Attacks

    [Figure: the same attack-surface diagram, with the Application Protection and User Access and Credentials areas highlighted]

    ATTACKS ARE DISPROPORTIONATELY TARGETING THESE AREAS:

    APPLICATION PROTECTION

    USER ACCESS AND CREDENTIALS

  • State of Application Delivery Report

    Yearly report by F5 Networks

    2200 responders

    Understanding trends

    Most popular application services deployed

    Most important application services deployed

  • Application Services to be Deployed 2017

  • Top 3 Security Services Planned Globally

  • Most Important to Responders

  • WebApp Security Challenges

    Complexity of the application

    Complexity of the attacks

    User controls the Endpoint

  • SDLC Challenges

    Secure coding is difficult, expensive and slow.

    Developers are usually under time constraints

    The focus is on delivery and not security

    We need to change our approach to software development

  • OWASP Top 10

    Top 10 AppSec Risk

    There are more than 10!

    These arent going away

    Time to adjust our approach?

  • Placement of Controls

    Prevention is better than a cure.

  • Closing the barn door

    Production vulnerability

    Timelines to consider: undetected period; time to mitigate; window of exposure

  • WAF is Effective

  • Firewall vs WAF

    Firewall is network focused

    NG Firewall is content focused

    WAF is application focused

  • Reverse Proxy Architecture

  • AppSec Policy Enforcement Point

    WAF provides the ability to enforce policy

    Positive vs Negative Policy

    WAF Policy
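    The positive/negative policy distinction above, as an added illustration (not code from the talk or from any WAF product): a toy policy-enforcement point in Python that evaluates the same constructed requests under a negative policy (a denylist of signatures) and a positive policy (an allowlist of endpoints and parameter shapes). The endpoint names, signatures and parameter rules are assumptions made for the example. It shows why the two are complementary: the injection attempt is blocked by both, while an undeclared `debug` parameter passes every signature and is caught only by the allowlist.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Negative (denylist) policy: block anything matching a known-bad signature.
# Patterns are simple illustrations of signature classes, not a production rule set.
NEGATIVE_SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+)"),
    "xss": re.compile(r"(?i)<script\b|javascript:"),
    "traversal": re.compile(r"\.\./"),
}

# Positive (allowlist) policy: only a known method + path with parameters of a
# known shape is allowed; everything else is blocked by default. Assumed endpoints.
POSITIVE_POLICY = {
    ("GET", "/account"): {"id": re.compile(r"\d{1,9}")},
    ("POST", "/login"): {
        "user": re.compile(r"[a-z0-9_.@-]{3,64}"),
        "pw": re.compile(r".{8,128}"),
    },
}


@dataclass
class Request:
    method: str
    url: str                                  # path plus optional query string
    body: dict = field(default_factory=dict)  # parsed form fields


def negative_check(req: Request):
    """Return the name of the first matching signature, or None if nothing matched."""
    haystack = req.url + " " + " ".join(f"{k}={v}" for k, v in req.body.items())
    for name, sig in NEGATIVE_SIGNATURES.items():
        if sig.search(haystack):
            return name
    return None


def positive_check(req: Request):
    """Return the reason the request deviates from the allowlist, or None if it conforms."""
    parts = urlsplit(req.url)
    rules = POSITIVE_POLICY.get((req.method, parts.path))
    if rules is None:
        return f"unknown endpoint {req.method} {parts.path}"
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    params.update(req.body)
    for name, value in params.items():
        rule = rules.get(name)
        if rule is None:
            return f"unexpected parameter {name}"
        if not rule.fullmatch(value):
            return f"parameter {name} has unexpected shape"
    return None


def enforce(req: Request, mode: str):
    """Evaluate one request under 'negative' or 'positive' policy -> (verdict, reason)."""
    reason = negative_check(req) if mode == "negative" else positive_check(req)
    return ("block", reason) if reason else ("allow", None)


if __name__ == "__main__":
    # Constructed sample traffic: a benign request, an injection attempt, a request
    # carrying a parameter the application never defined, and a benign login.
    samples = [
        Request("GET", "/account?id=42"),
        Request("GET", "/account?id=1' OR '1'='1"),
        Request("GET", "/account?id=42&debug=1"),
        Request("POST", "/login", {"user": "alice", "pw": "correct horse"}),
    ]
    for r in samples:
        print(r.method, r.url, "negative:", enforce(r, "negative"), "positive:", enforce(r, "positive"))
```

    A positive policy needs an up-to-date model of the application (every endpoint and parameter), which is why it is usually built from learning or from DAST output; a negative policy needs no model but only sees what it has a signature for.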

  • WAF Benefits

    Mitigate SQLi

    Insecure Direct Object Reference

    Layer 7 DDoS Protection

    Session & Login Tracking

    Web Scraping Prevention

    Brute Force Attack Prevention

    XML Schema Validation

    JSON, AJAX and Web Services

  • DAST Integration

    Dynamic Application Security Testing

    Early detection of vulnerabilities

    Continuous assessment

    Remediate code vulnerability in situ

    Automated virtual patches

  • Eurograbber Campaign

    Financial Service Crimeware

    Targeted Users

    30,000 affected

    Zeus Trojan & ZITMO

    Stopped by Web Fraud Control

  • Eurograbber Campaign Overview

  • Step 2: Initial Compromise of the DOM

  • Step 2: DOM Injection

  • Step 3: Trojan Relays Mobile # to C2

  • Recap so far...

  • Step 4: SMS Sent by C2 / Dropzone

  • Step 5: Validation Request

  • Step: Exploitation Confirmation

  • Compromise Success / Failure Logic

  • Complexity of Attack

  • Next Steps

    Laptop/PC & Mobile Device are now compromised.

    What next?

  • Trojan Operation

  • Web Fraud Prevention Benefits

    Detection of DOM compromise

    Application level encryption

    Automated action detection

  • Web Fraud Control Efficacy

    Major European Bank:

    detected and blocked fraudulent transactions in the sum of 500,000 Euro in two days.

    ROI on the pilot in the first two days; that's a new thing in the security field ...

  • Take Aways

    AppSec controls have advanced significantly. We must adjust our approach before it's too late. Layered defence.

    Protect online users on all devices: clientless solution, enabling 100% coverage; desktop, tablets & mobile devices

    Full transparency: no software or user involvement required

    Prevent fraud in real time: targeted malware, MITB, zero-days, MITM, phishing, automated transactions; alerts and customizable rules

  • Scot Secure 2017

    Thank you!

  • Welcome Back

  • Dan Hunt, Lloyds Banking Group

    #scotsecure

  • EVERYTHING YOU WANTED TO KNOW ABOUT PHISHING

    BUT WERE TOO AFRAID TO CLICK

    Dan Hunt, Lloyds Banking Group

  • Brief Introduction

    Etymology: Phreaking (Phone Hacking) + Fishing

    Definition: Phishing is the attempt to coerce recipient action, often for malicious reasons, by disguising oneself as a trustworthy entity in electronic communications

    Effectively a con trick, same as any other

    Concepts can be applied to other -ishings:

    Vishing: Voice-based

    Smishing: SMS-based

  • Why?

    Phishing emails can be used to harvest sensitive data and deploy malware

    Unsuccessful phishing attempts can be used to infer how well-protected an organisation is

    It is very, very easy and very, very effective

    Average engagement rate is 20%

    ROI is high

  • Who?

    Phishing: mass audience; low sophistication, generic (delivery/HMRC scams)

    Spear Phishing: targeted at SMEs / high-risk colleagues; tailored content (conferences, subscriptions)

    Whaling: targeted at CEOs / exec level; highly tailored content; long-game strategy (waterholes etc)

  • How?

  • How?

    Data harvested / Malware deployed

  • What? (Strategic) Reduce the engagement rate on phishing emails:

    Gateway filtering & blocking

    Employee Education & Testing: studies find that the 20% click rate falls to 13% if employees go through just three simulation exercises, to 4% after the fourth and 0.2% after the fifth.

    Have colleagues know what to do and who to tell.

  • What? (Immediate) Awareness of Red Flags

    Mismatch of sender imagery

    Impersonal (Dear Customer)

    Misspellings

    False sense of urgency

    Email/web domains don't match
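    The red flags above can also be checked mechanically at a mail gateway or in a triage script. The following is an added example in Python, not code from the talk: it applies three of the flags (impersonal greeting, false sense of urgency, and sender, reply-to and link domains that don't match) to two constructed messages. The message contents, domains and keyword lists are made up for the example, and the "last two labels" domain reduction is a deliberate simplification; a real implementation would use the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Heuristics for the red flags; keyword lists are constructed for the example.
IMPERSONAL = re.compile(r"(?im)^\s*dear\s+(customer|user|member|client|sir/madam)\b")
URGENCY = re.compile(
    r"(?i)\b(urgent(ly)?|immediately|within \d+ hours|account (will be |has been )?suspended|act now)\b"
)
LINK = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(host: str) -> str:
    """Reduce a host name to its last two labels (simplification for the example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(header_value: str) -> str:
    """Registered domain of the address in a From/Reply-To header, or '' if absent."""
    _, addr = parseaddr(header_value)
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def red_flags(raw_message: str) -> list:
    """Return the red flags found in one single-part text message, in a fixed order."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    flags = []
    if IMPERSONAL.search(body):
        flags.append("impersonal-greeting")
    if URGENCY.search(body):
        flags.append("urgency")
    sender_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    # Replies routed to a different domain than the apparent sender
    if reply_domain and reply_domain != sender_domain:
        flags.append(f"reply-to-mismatch:{reply_domain}")
    # Links pointing somewhere other than the sender's domain
    for link in LINK.findall(body):
        host = urlsplit(link).hostname or ""
        if sender_domain and registered_domain(host) != sender_domain:
            flags.append(f"link-domain-mismatch:{host}")
    return flags


# Constructed samples: one lure and one legitimate notification (all domains fictitious).
SAMPLE_PHISH = """\
From: "Example Bank Support" <alerts@examplebank-secure.test>
Reply-To: helpdesk@mail-verify.test
To: customer@example.com
Subject: Verify your account

Dear Customer,

Your account will be suspended within 24 hours unless you confirm your details at
http://examplebank.secure-login.test/verify now.
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <no-reply@examplebank.test>
To: customer@example.com
Subject: Your March statement is ready

Hi Alex,

Your statement is available in online banking at https://online.examplebank.test/statements
"""

if __name__ == "__main__":
    print("phish:", red_flags(SAMPLE_PHISH))
    print("legit:", red_flags(SAMPLE_LEGIT))
```

    None of these checks is conclusive on its own (a legitimate mailing can use a third-party link domain, for instance), which is why the talk frames them as flags to raise awareness rather than hard blocking rules.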

  • What? (Final Thoughts) When sent an email that you're not expecting, even if it appears to be from someone you know, consider the following:

    WHY am I being sent this email?

    WHO is sending it to me?

    WHAT do they want me to do?

    WHERE could it lead me?

    THINK BEFORE YOU CLICK

  • Stu Hirst, Skyscanner

    @StuHirstInfoSec #scotsecure

  • DevSecOps: A 2-year journey of success & failure!

    @StuHirstinfosec

  • Skyscanner

    TIRED??!!!

  • Skyscanner

    Who are we? What do I do? What am I presenting?

  • Skyscanner 2014

    Skyscanner Security in 2014

  • Skyscanner 2017

    Skyscanner Security in 2017

    WE HAVE A LOGO 'N EVERYTHING!

  • Strategy

  • Skyscanner 2017

    My most successful strategy?

    ISO27001? Cyber Essentials? BSIMM? A.N.Other?

    Nope, it's been speaking to people and sharing learnings.

  • Skyscanner 2017

    Longer term: split security into focused areas; we now have SECOPS and PRODUCT SECURITY

  • AWS

  • Skyscanner 2017

    1. TEACH

    2. CONTINUOUS AUDITING & ALERTING

    3. OPEN SOURCE TOOLING (Scout2, SecurityMonkey etc)

    4. AUTOMATION

  • Adventures in Bug Bounties

  • Skyscanner 2017

    Initial scheme: Qualys scans

    2-week scheme: glut!

    365 scheme: needs constant researcher rotation, refuse to pay for crap bugs, weed out the XSS guys!

  • Skyscanner 2017

    Ideal outcomes:

    Weed out certain types of bug in your code altogether

    Make researchers work harder for their cash!

    Scale the scheme & make it more valuable over time

  • DevOps & Security

    NOT

  • DevOps & Security

  • 2FA

  • Two-factor

    Two-Factor All The Things: VPN; Windows / Mac login; Web portals; Apps; SSO

  • Data (especially PII)

  • User Data

    Implemented new MINIMUM STANDARDS for user data

    Privacy BY DESIGN!

    Examples:

    Only stored in agreed places (e.g. AWS)

    Minimum encryption levels when transferring

    Same for data at rest (AES256)

    Bcrypt / Argon2 for hashing

    Only using TLS

    Get rid of old ciphers

    Segment the network

    Tighten up access controls to the data

  • Passwords

  • Skyscanner 2017

    Get rid of credentials in code (GitHub/GitLab etc.)

    Tools: Credstash, Git Secrets, GitLeaks (have fun!)
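    What a credentials-in-code scanner of the kind named above actually does, as an added example in Python (this is not the code of Git Secrets, GitLeaks or Credstash, and is far smaller than any of them): it walks a file line by line, matches a few secret shapes, and suppresses placeholder and low-entropy values so the output stays actionable. The sample source file, the entropy threshold and the `# nosecret` suppression marker are constructed for the example; the AWS access-key-id prefix shape is the publicly documented one, the other two patterns are generic.

```python
import math
import re

# Signature patterns for the common ways secrets end up in repositories.
# "AKIA" + 16 upper-case alphanumerics is the documented AWS access-key-id shape;
# the private-key header and generic assignment patterns are example shapes.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "hardcoded-secret": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
}
# Values that look like a secret assignment but are obvious placeholders.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}
ENTROPY_FLOOR = 2.5          # bits per character; constructed threshold for the example
ALLOW_MARKER = "# nosecret"  # assumed inline suppression convention, as scanners commonly offer


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking tokens score high, words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str):
    """Return [(line_number, pattern_name)] for lines that look like leaked secrets."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "hardcoded-secret":
                value = match.group(2)
                # Skip placeholders and low-entropy strings to keep the noise down
                if value.lower() in PLACEHOLDERS or shannon_entropy(value) < ENTROPY_FLOOR:
                    continue
            findings.append((lineno, name))
            break  # one finding per line is enough
    return findings


# Constructed sample source file; none of these values are real credentials.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
password = "changeme"
api_key = 'k8Q2v9zL3mXp7rT1wY5c'
token = os.environ["API_TOKEN"]
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, name in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}")
```

    Line 5 of the sample is the pattern the slide is pushing for (the value comes from the environment or a secrets store rather than the source), and it produces no finding; the real tools add git-history scanning and a pre-commit hook so that a leaked value is rejected before it ever reaches the remote.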

  • Skyscanner 2017

    Passwords in Plain Text?! Dude, it's 2017.
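    The alternative to plain text, as an added example rather than anything from the talk: salted, tunable password hashing with constant-time verification. The slides name bcrypt and Argon2; neither is in the Python standard library, so this example uses `hashlib.scrypt` as a stand-in (same memory-hard idea, same record layout). The parameter values and the `$scrypt$N$r$p$salt$key` record format are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Work-factor parameters (stdlib scrypt standing in for bcrypt/Argon2).
# Example values; tune them to your hardware and login latency budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, *, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> str:
    """Return a self-describing record: $scrypt$N$r$p$salt$key.

    A fresh random salt per password means identical passwords give different
    records, and storing the parameters lets them be raised later without
    invalidating existing hashes.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_BYTES)
    return f"$scrypt${n}${r}${p}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        _, scheme, n, r, p, salt_b64, key_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, binascii.Error):
        return False  # malformed record (e.g. a legacy plaintext entry) never verifies
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, *, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> bool:
    """True if the stored record uses parameters other than the current policy."""
    parts = record.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        return True
    try:
        return (int(parts[2]), int(parts[3]), int(parts[4])) != (n, r, p)
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                 # False
```

    The `needs_rehash` check is what makes the migration away from plain text (or from an old work factor) incremental: on each successful login, re-hash under the current policy and overwrite the record.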

  • Two-factor/Passwords

    Password solutions

  • SIEM

  • Skyscanner 2017

    There are lots of SIEM solutions. BUT HOW ARE YOU USING THEM?!

  • Endpoint Protection

  • Anti malware

    Endpoint Protection

  • Awareness

  • What we do

    What we do: Security Champions

  • What we do

    What we do: Crypto & Bug Challenges

    Hosted in AWS: cheap, easy to build!

  • What we do

    What we do: Crypto & Bug Challenges

    Security swag: everyone loves t-shirts & stickers!

  • What we do

    What we do: Security Meet Up

  • Employees

    Employee behaviour: blog post

  • Take Humans out of the equation

  • Phishing

    Phishing: why not take humans out of the equation?

    Sandbox links & attachments (Uber built this themselves)

    Protect against Impersonation

  • Learning (especially from failure!)

  • Culture

    Culture: No fear

    This is the moment of my failure and I am not scared

  • What we do

    Announcing failure

    Weekly PRODOPS Review: NO BLAME! It's a learning exercise

  • What we do

    Learning: Cybrary, PluralSight, Twitter, Blogs

  • Some thoughts to leave you with

  • Stats

    Not everything is critical!

    Simple and quick wins are GOOD wins!

    Try and increase the likelihood of an employee telling you about an event or potential attack

    Run attack simulations. Break something before someone else does!

    FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS

    IF YOU GO FROM 48% TO 32% ON FIRE, YOU'RE STILL ON FIRE!

    (Zane Lackey, ex-Etsy)

  • Scaremongering

    Security Scaremongering

    The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests)

  • Some thoughts to take away

    Reward people for making you aware of issues.

    You feel good, they feel good & they're likely to tell others.

  • What next?

    Shout about your successes!

    Security is as important as any other business unit, so shout about successes you have.

    Positive PR across the business

  • Thank you! @stuhirstinfosec

  • Learn with Skyscanner

    Follow Skyscanner @CodeVoyagers on Twitter: http://9nl.it/scotsecure_CVtwitter

    Read a backlog of our learnings at codevoyagers.com: http://9nl.it/scotsecure_cvblog

    Sign up for our Skyscanner Code Voyagers newsletter (learnings from our successes and failures) or search: http://9nl.it/scotsecure_cvnewsletter

  • Prof Bill Buchanan, Edinburgh Napier Uni

    @billatnapier #scotsecure

  • Questions & Discussion

  • Drinks & Networking

  • www.digitleaders.com