Lipstick on a Pig
Professor John Walker MFSoc CRISC CISM ITPC CITP SIRM FBCS FRSA
Director of CSIRT & Cyber Forensics
INTEGRAL SECURITY XSSURANCE Ltd
24 Lime Street | London | EC3M 7HS
Mobile: +44 (0) 7881 625140
Office: +44 (0) 2032 894449
History
Based on case histories, media reports, and statements from the Met Police Computer Crime Unit, there is strong evidence to suggest that Cyber Criminality [in all its forms] is winning.
http://itsecurityguru.org/water-water-everywhere-byte-eat/#.UwHtII2PNhE
At the first Digital/Cyber Forensics event hosted by the Forensic Science Society, York, on 03/02/14, the expert panel observed:
a. Most companies subjected to Security/Pen Testing have multiples of significant [repeated] vulnerabilities!
b. The Black Hats are winning [proven by case histories]
c. Criminality exercises high degrees of innovation & imagination
Tick Boxes Lead to Compliance NOT always Security
On the 13th February 2014, I participated in an information security webinar.
A question was posed:
Q: What does Tick Box Security NOT Tell You?
The Answer
A: What the Successful Attacker Knows!
http://www.infosecurity-magazine.com/webinar/443/testing-your-businesss-ability-to-defend-its-digital-and-physical-workplace-/view.aspx
Mediocrity will NOT Suffice
It was the BofE who were the main orchestrators of Waking Shark II. Yet they have a number of significant security exposures, and vulnerabilities, of which they have been informed under respectful, channelled Disclosure Notification, with no response, or action.
If we are to lead the righteous path to evolve security and to protect the public, then it must surely follow a route to secure our infrastructures, and not just ignore the open states of potential compromise!
We must take the Threat seriously, or there is no point.
Waking Shark II: Security, or PR? http://www.informationsecuritybuzz.com/waking-shark-2/
In fact, we are already here!
See article in Digital Forensics Magazine [if you want a copy, just drop me a line].
DDoS
DDoS has been growing in popularity year on year, with the throughput of adverse traffic increasing, and it requires zero skill to join in:
The Statistics you Know and those you may NOT!
Play Safe
WiFi is everywhere, but it is still not being used securely, or sensibly.
An example:
Intelligent Postures & Response
Know your Critical Assets
Find out what you Don't Know
Consider the element of Data Leakage
Conduct a Triage
Conduct Intelligent Testing
Know your Business Exposure
Employ Situational Awareness Practices
Evolve an Incident Response Process, and Capability [not just "lights on" stuff]
Don't do Lip-Service, do Security
CSIRT Document Registers
ISO/IEC 27001 Segment SOA
CSIRT Incident Response Policy
CSIRT Incident TOR/Processes
Tools & Apps
CSIRT Run-Books
CSIRT Procedures
DoS/DDoS
Abusive Images
Malware [Virus, Trojan]
Acquisition
Image Extraction
Phishing
GRC & Case Management
Abusive Images [COPIN/SAP]
Investigations [PAS 555]
Legislation [e.g. DPA/ITA]
LAB [ISO/IEC 17025]
The CSIRT Framework
An example of a CSIRT[1] Framework, encompassing:
Document Registers with Version Control
LAB
GRC & Case Management
ISO 27001 Statement of Applicability [SOA]
Run-Books [Story Boards]
Policies & Processes
[1] Computer Security Incident Response Team
Possibly there is a need to instil more ethics in those organisations who have failed to meet their obligations.
Maybe it's a case of less Tick Box Compliance, and more Operational Security.
Could it be that we have reached the time where the levels of Insecurity and Security Breaches imply we need to get Back-to-Basics?
Above all, has the time arrived which dictates that we need to rethink what security is, how it can be best accomplished, and how we can serve our public better, without the need for such government, or EU, enforcement?
However, it really is about understanding, and appreciating, what Cyber Risk really is in 2014 and beyond, and the associated ramifications of what uninformed exposure could mean to the business.
Donald Rumsfeld: "There are known unknowns; that is to say, there are things that we now know we don't know..."
Five Simple Conclusions
We must recognise the onslaught, and success, of Cyber Crime in all its forms, and it is time to address it full on, with commitment. Above all, we must not, by implication or suggestion of complacency, become a part of the problem.
To quote GCHQ/CESG from the mid eighties: "We see the computer virus as a nuisance, & a passing threat!"
To quote CPNI from 6 years ago: "The Cyber Threat is over-hyped!"
The ULTIMATE Conclusion
17/02/2014