BCI North Midlands Regional Forum Meeting (17/09/2015)
Office of the Public Guardian, Birmingham, B1 1TF

Introduction to information and cyber security



TIME            ITEM
8.00 – 8.30     Arrival, tea/coffee – networking opportunity
8.30 – 8.45     Welcome, housekeeping and introductions
8.50 – 9.10     Janet Poole – BCI update
9.10 – 10.00    Simon Plummer of E.ON UK – presentation with Q&A: Cyber Security
10.00 – 10.40   Tea and coffee break
10.40 – 12.10   Steve Webb – Exercising (group activity)
12.10 – 12.30   BC surgery
12.30           Wrap up and close


Introduction to Information and Cyber Security

Simon Plummer – UK Information Security Manager E.ON UK


Overview

– Introduction

– What is ‘Information and Cyber Security’

– Case Study – London 2012 Olympics

– What threats are on the horizon…and now?

– Security Risks and impacts

– Case Study – Ashley Madison

– Hacking the Human

– Initiatives and standards


Introduction

– Simon Plummer – UK Information Security Manager, E.ON UK

– Background in IT, now circa 7 years in security-related roles

– Currently responsible for information security for our UK operations, covering approximately 10,000 staff

– Member of the IISP (Institute of Information Security Professionals)

– ISO 27001:2013 Certified Lead Implementer

– Currently working towards the CESG Certified Professional (CCP) scheme


What is ‘Information and Cyber Security’

• Information security, sometimes shortened to InfoSec, is the practice of defending information from unauthorised activity such as:
  – Access
  – Use
  – Disclosure
  – Disruption
  – Modification
  – Perusal
  – Inspection
  – Recording
  – Destruction

• It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).

• https://en.wikipedia.org/wiki/Information_security


What is ‘Information and Cyber Security’

• “Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorised access. In a computing context, the term security generally implies cybersecurity.” whatis.techtarget.com/definition/cybersecurity


Scenario – London 2012 Olympics


Case Study – London 2012 Olympics

– GCHQ and CESG intelligence identified a genuine threat to the electricity infrastructure prior to the opening ceremony.

– Top 5 cyber risks (ThreatMetrix):
  – Mobile and tablet risk
  – Drive-by downloads
  – Information phishing
  – Search engine poisoning
  – Ticketing scams

– Protective measures identified 166m security-related events
  – 783 required full investigation (more than 55 per day!)
  – Six serious events within a 10-day period
  – No outages or disruption were reported

http://www.bbc.co.uk/news/uk-23195283
http://www.insidegovernment.co.uk/new-upload/gerrypennell.pdf
http://www.threatmetrix.com/threatmetrix-identifies-the-top-five-cybersecurity-threats-of-olympic-proportions/


What threats are on the horizon…and now

– International interest
  – Generally state sponsored
  – Aiming at intellectual property, intelligence, acquisitions and mergers
  – Seeking to gain economic advantage

– Hacktivism
  – Can have a range of drivers
  – Malicious, disruptive
  – Massively increased capabilities
  – Cyber meets physical
  – Organised


What threats are on the horizon…and now

– Industrial competitor
  – Financial and economic gain
  – National and international

– Organised crime
  – Capability increasing; services can also be bought at little cost
  – Financially driven (fraud, sale of valuable information, ransom)
  – Affects both businesses and individuals

– Insider / employee
  – Lack of awareness
  – The focus of physical security generally doesn’t include ‘IT’ and information
  – Can be disgruntled, or compromised by an outside party


Case Study – Ashley Madison

• …The facts
  – In excess of 30 million account details stolen
  – Personal details exposed
  – Poor security – no verification that the person signing up owned the email address, so anyone could register an account in someone else’s name and the addresses in the dump could not be assumed to belong to genuine users

• …The ramifications
  – Extortion/blackmail
  – Financial liabilities
  – Work and home life disruption
  – Economic implications
  – Threat to life
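The missing control above, verifying that the person signing up actually controls the email address, is straightforward to build. The following is an added example and is not code from the presentation or from the site in question: an account is created unverified and only becomes usable when a signed, time-limited token that was emailed to the address is presented back. The secret key, token lifetime and in-memory account table are constructed for this demonstration.

```python
"""Email-ownership verification at sign-up.

Added example, not code from the presentation or from any real site: an
account is created unverified and only becomes usable once the address
owner presents back a signed, time-limited token that was emailed to them.
The secret key, token lifetime and in-memory account table are constructed
for this demonstration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed secret for the demo. In production load it from a secret store
# and rotate it: anyone holding this key can forge verification links.
SERVER_SECRET = b"demo-secret-do-not-use-in-production"

TOKEN_TTL_SECONDS = 24 * 60 * 60  # verification links expire after a day

# In-memory account table: email -> {"verified": bool, "nonce": str}
ACCOUNTS: Dict[str, Dict[str, object]] = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64url(hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest())


def register(email: str, now: Optional[float] = None) -> str:
    """Create an unverified account and return the token to email to `email`.

    The record is not usable until verify_token() succeeds, so someone who
    types a stranger's address cannot create an account that is later
    attributed to that stranger. A fresh nonce invalidates any earlier token
    issued for the same address.
    """
    email = email.lower()
    existing = ACCOUNTS.get(email)
    if existing and existing["verified"]:
        raise ValueError("address already belongs to a verified account")
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    ACCOUNTS[email] = {"verified": False, "nonce": nonce}
    claims = {"email": email, "exp": int(now + TOKEN_TTL_SECONDS), "nonce": nonce}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64url(payload) + "." + _sign(payload)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Validate a token from a clicked link and mark the account verified.

    Returns the verified email, or None when the token is malformed, forged,
    expired, replayed, or superseded by a newer sign-up for the address.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
        payload = _b64url_decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: a plain == leaks how many leading bytes match.
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    claims = json.loads(payload)  # authenticated above, so the structure is ours
    if claims["exp"] < now:
        return None
    account = ACCOUNTS.get(claims["email"])
    if account is None or account["verified"] or account["nonce"] != claims["nonce"]:
        return None  # unknown address, replayed token, or stale sign-up attempt
    account["verified"] = True
    return claims["email"]


def is_verified(email: str) -> bool:
    account = ACCOUNTS.get(email.lower())
    return bool(account and account["verified"])


if __name__ == "__main__":
    token = register("alice@example.com")
    print("send this link by email:", f"https://example.com/verify?t={token}")
    print("verified before click:", is_verified("alice@example.com"))
    print("verified after click:", verify_token(token) == "alice@example.com")
```

The token carries the address, an expiry and a per-attempt nonce under an HMAC, so a link cannot be forged, reused after the account is activated, or used after a later sign-up for the same address has replaced it; the comparison of the MAC is constant-time.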


Hacking the Human

– InfoSec is about people – historically the focus has been on technical countermeasures

– Humans are unfortunately the ‘soft spot’

– Technical controls can assist, but without the right culture there are many challenges

– Policies on their own generally don’t change behaviour

– Culture change

– Social engineering
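The ‘soft spot’ is most often reached by phishing email, which also appears among the top risks listed for London 2012 above. The following is an added example and is not from the presentation: a small rule set that flags the mechanical hallmarks of a credential-phishing message (lookalike sender domain, brand name in the display name, mismatched Reply-To, urgency wording, link text that differs from its target) so that fewer such messages depend on a person’s judgement. The trusted-domain list, the rules and the two sample messages are constructed for the demonstration.

```python
"""Mechanical indicators of a social-engineering (phishing) email.

Added example, not from the presentation. The trusted-domain list, the rules
and the two sample messages are constructed for this demonstration.
"""
import re
from typing import Dict, List

TRUSTED_DOMAINS = {"eonenergy.com", "bci.org"}  # constructed list of our own domains

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (will be )?(suspended|closed)"
    r"|verify your account)\b",
    re.IGNORECASE,
)
LINK = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
# Digits and letter pairs commonly swapped in to imitate a brand: e0n, rnicrosoft
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _domain_of(addr: str) -> str:
    """'Name <user@host>' or 'user@host' -> host, lower-cased ('' if none)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return match.group(1).lower() if match else ""


def _display_name(addr: str) -> str:
    match = re.match(r'\s*"?([^"<]*?)"?\s*<', addr)
    return match.group(1).strip() if match else ""


def _url_host(url: str) -> str:
    match = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return match.group(1).lower() if match else ""


def _is_trusted(domain: str) -> bool:
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str:
    """Trusted domain that `domain` imitates, or '' if it is ours or unrelated."""
    if not domain or _is_trusted(domain):
        return ""
    folded = domain.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # eonenergy.com.evil.example, eonenergy-secure.com, e0nenergy.com, eonenergy.co
        if folded.startswith(trusted + ".") or folded.startswith(brand + "-"):
            return trusted
        if _edit_distance(folded, trusted) <= max(1, len(trusted) // 6):
            return trusted
    return ""


def indicators(msg: Dict[str, str]) -> List[str]:
    """Return the phishing indicators found in one message (headers plus HTML body)."""
    found: List[str] = []
    sender = msg.get("from", "")
    from_domain = _domain_of(sender)
    imitated = lookalike_of(from_domain)
    if imitated:
        found.append(f"sender domain {from_domain} imitates {imitated}")
    name = re.sub(r"[^a-z0-9]", "", _display_name(sender).lower())
    if name and not _is_trusted(from_domain):
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in name:
                found.append(f"display name claims {brand} but sender is {from_domain}")
    reply_domain = _domain_of(msg.get("reply-to", ""))
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")
    if URGENCY.search(msg.get("subject", "") + " " + msg.get("body", "")):
        found.append("urgency or threat language")
    for link in LINK.finditer(msg.get("body", "")):
        href_host = _url_host(link.group("href"))
        shown_host = _url_host(link.group("text"))
        if shown_host and shown_host != href_host:
            found.append(f"link text shows {shown_host} but points to {href_host}")
        elif lookalike_of(href_host):
            found.append(f"link to lookalike domain {href_host}")
    return found


SAMPLE_MESSAGES = [  # constructed for the demo
    {
        "from": "IT Service Desk <servicedesk@eonenergy.com>",
        "subject": "Planned maintenance on Saturday",
        "body": "<p>Email will be unavailable 02:00-04:00. No action is needed.</p>",
    },
    {
        "from": '"E.ON Energy Security" <alerts@e0nenergy-secure.com>',
        "reply-to": "collect@mail-drop.example",
        "subject": "URGENT: verify your account within 24 hours",
        "body": '<p>Sign in at <a href="http://login.e0nenergy-secure.com/">'
                "https://eonenergy.com/login</a> to avoid suspension.</p>",
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", indicators(msg) or ["no indicators"])
```

Each indicator on its own is weak; the value is that a genuine message from a trusted domain produces none, while the constructed lure trips all five, which is the kind of mechanical pre-filtering that reduces how often a person has to be the control.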


Hacking the Human – Social Engineering Lifecycle


Questions/Discussion?


Initiatives and Standards


Resources

– https://uk.linkedin.com/pub/simon-plummer/28/65b/3a7
– https://www.getsafeonline.org/
– http://www.cpni.gov.uk/
– http://www.cpni.gov.uk/advice/cyber/
– http://www.cpni.gov.uk/highlights/cyber-advice-businesses/
– https://www.cert.gov.uk/
– https://www.cert.gov.uk/cisp/
– http://www.cesg.gov.uk/
– London 2012 Cyber Security: Experiences from the Games
– http://www.mcafee.com/uk/resources/reports/rp-hacking-human-os.pdf

– GCHQ – Government Communications Headquarters
– CESG – originally the Communications-Electronics Security Group (the expansion was dropped in 2002)
– CPNI – Centre for the Protection of National Infrastructure


This presentation was delivered at a BCI forum event.