© Cyberkryption 2013
Can you protect and secure your data to prevent damage to your reputation?
Date: 16th April 2013 By: Paul Dutot
About Me
Former Air Traffic Engineer – 15 Years
Incorporated Engineer / Chartered IT Professional
MCTS / MCSE / Solaris / Security +
Offensive Security Certified Professional
Tiger Scheme Qualified Security Tester
Information Security / Penetration Testing
Owner – Cyberkryption.com
Cyberkryption | Floor 1 | Liberation Station | Esplanade | St.Helier | Jersey | JE2 3AS
T: +44 (0) 1534 719 123 | http://www.cyberkryption.com | enquiries@cyberkryption.com
Paul Dutot
IEng MIET MBCS CITP
Questions at the end please
Agenda
Introduction to Information Security - A History.
Components of Information Security - ISO 27001 Definitions / CIA Triad / PDCA Cycle
Key Features and Benefits of Information Security
Security Types – Offensive and Defensive
Scenario 1 - Contact information on your public facing website.
Scenario 2 - Running a wireless network for business.
Scenario 3 – Running web applications or a website for your business?
Barriers to Adoption
Enforcement
Introduction to Information Security
History
[Timeline: Julius Caesar circa 50 B.C. | 1940 – 1945 Enigma Machine | 2004 - GCHQ Cheltenham]
"It's so easy to get into corporate networks that a determined 12-year-old with good Internet access could download the tools"
James Lewis - Centre for Strategic and International Studies – Advisor to Congress and Obama
“Cyber attacks can cost billions of dollars, lead to stolen industry secrets and place the U.S. at a competitive disadvantage” – President Barack Obama
[Figures: 2012 - Data Loss | 2012 - Cost to Individuals | Espionage – Financial services]
Introduction to Information Security
Information Security – ‘preservation of confidentiality, integrity and availability of
information; in addition to other properties such as authenticity, accountability, non
repudiation and reliability’
An Information Asset – ‘anything that has value to an organization’
Confidentiality – ‘information is not made available or disclosed to unauthorized
individuals, processes or entities’
Integrity – ‘safeguarding of the accuracy and completeness of an information asset’
Availability – ‘being accessible and useable upon demand by an authorized entity’
IT Security – Information Security applied to technology
(Definitions above are taken from ISO 27001)
Introduction to Information Security
CIA Triad
Introduction to Information Security
Plan Do Check Act Cycle
Plan, Do, Check, Act: a continuous improvement cycle.
Central part of any information security strategy.
Can be formalised in an information security management system (ISMS).
Should be part of Business Risk Mitigation.
Introduction to Information Security
Benefits
Improves Business Processes – a comprehensive information security policy will improve the
efficacy of other business processes such as disaster recovery and business continuity
Gain a Competitive Advantage - Taking every measure to protect your business data can only
increase the level of confidence that your clients have in your business.
Business Resilience - The protection of business critical information is crucial to
the productivity and continuity of your organisation.
Meet Regulatory and Compliance Demands - The need to comply with statutory, contractual or regulatory obligations, such as those of the JFSC, is necessary for the majority of businesses in all market sectors.
Risk Mitigation – Implementing an information security strategy will make certain
that you can react.
Peace Of Mind
Introduction to Information Security
Key Features – A Formula One Pit Stop Analogy
It should benefit whole organisation
Should balance business needs vs. risk
It should have people controls
It should have technical controls
People v Technical should be 50 / 50 split
Payment Card Industry Data Security
Standard (PCI-DSS) is a good example
The whole organisation must participate, with leadership from above.
Introduction to Information Security
Security Types – Defensive and Offensive Security
Defensive Security
Anti virus, systems patching and firewalls.
Reactionary and takes no account of ‘human factors’.
Offensive Security
Security testing from an attacker’s ‘point of view’.
It is designed to specifically target your company’s infrastructure and identify security issues or confirm security posture. It is commonly called Penetration Testing / Vulnerability Assessments.
Any information security strategy should contain both elements.
Scenario 1
Public Contact Information
Business Perspective
Objective: To put our contact details on our website so we can be contacted more easily. Benefit 10/10
Risks: We suffer spam or malicious email such as a phishing email. Risk 2/10
Malcontent’s Perspective
If they are giving out email information so easily we should be able to get plenty of other information to help us. We can send them a malicious email to try to get a foothold inside their network.
There are 3 forms of phishing: mass mailing, spear phishing and whaling.
We can entice them to a similar website to get users to reveal their information!
Metasploit Pro has a social engineering module for phishing attacks. We can also do this manually, but it is a lot more work.
Scenario 1
Public Contact Information
Meet Toddington International
100’s of places to search for information, in 18 handy categories!
Including social media and username searches.
Pipl – a people search engine
Google Hacking Database
Jigsaw – great for business info
Shodan – device search engine
Maltego can automate this for us. However, with practice you can find a lot of information about a company within one hour.
Scenario 1
Public Contact Information
People Controls

Control | Benefit
Plan: User awareness training on phishing | 1. Reduce risk of compromise. 2. Network of ‘sensors’ to warn IT of potential attacks. 3. Users become more security aware in their personal internet life.
Plan: Appraise users of email testing | 1. Users are aware that testing is being conducted and are not surprised.
Do: Conduct email phishing security testing | 1. Simulates a real world attack. 2. Identifies weaknesses, i.e. spots where your security is most vulnerable. 3. Controls risk: provide targeted security awareness training and tweak technical controls.
Check: See how effective the email phishing campaign was and interact with users accordingly | Both the users and the company are now more aware of their risk exposure.
Act: Redefine testing parameters | Testing will now become more targeted.
Scenario 1
Public Contact Information
Technical Controls

Control | Benefit
Plan: Check technical systems are patched and up to date; check configurations of technical controls and procedures | Your controls and procedures have been reviewed. Honestly, when did you last do this?
Do: Conduct email phishing security testing | Tests efficacy of technical controls and procedures.
Check: See how effective technical controls and procedures were | Both the users and the company are now more aware of their technical controls and any changes needed.
Act: Redefine testing parameters | Technical controls will improve.
Scenario 1
Public Contact Information
[Chart: Dip Test – Legal Sector Jersey. Series: Number On Website, Number Of Email Addresses, Vcards for Individuals; x-axis 1 to 11, y-axis 0 to 200]
The data was obtained simply by browsing their websites. We also found a few LinkedIn profiles as well as a CV or
two!! The picture is very similar in other sectors such as banking, trust and small businesses.
Scenario 1
Public Contact Information
Case Study: RSA
Attackers used a targeted email.
They attached an Excel spreadsheet titled “Recruitment Plan”.
The technical solutions did their job.
One of the targets took it out of his junk email folder.
The rest is history!!!
1/3 of all RSA tokens had to be replaced.
Cost: $66M between April and June 2011.
Scenario 2
Running a wireless network for business
Business Perspective
Objective: To have a wireless network so that we can use wireless devices such as laptops and tablets, and clients can connect to it when doing business with us. Benefit 10/10
Risks: We will have it installed by IT or our IT service provider. Risk 0/10
Malcontent’s Perspective
Have they set this up properly? Do they know what information is being broadcast?
Do they monitor their wireless? Is there intrusion or rogue access point detection?
Do they patch their wireless devices? Is there an open WI-FI access point?
Are they running WPA2 with WI-FI Protected Setup?
If any are yes, we possibly have access to their internal network!!!
Scenario 2
Running a wireless network for business
Meet Wigle.net
Green = open network | Yellow = weak encryption | Red = maybe secure
Scenario 2
Running a wireless network for business
Meet MiniPwner. Would you notice this on a desk? Probably.
But what about if it is tangled up in a load of cables or under a desk?
Battery powered
Custom WI-FI access point
Can send connections to the outside world!!
Costs less than £50 to build
It’s only 5.7cm square
It can scan your network for vulnerabilities
Scenario 2
Running a wireless network for business
People Controls

Control | Benefit
Plan: Check procedures are up to date and have been reviewed | Your controls and procedures have been reviewed. Honestly, when did you last do this?
Do: Conduct wireless security awareness training | Tests efficacy of people controls and procedures.
Check: See how effective technical controls and procedures were | Both the users and the company are now more aware of their procedures and any changes needed.
Act: Redefine testing parameters | Procedures will improve.
Scenario 2
Running a wireless network for business
Technical Controls

Control | Benefit
Plan: Check technical systems are patched and up to date; check configurations of technical controls and procedures | Your controls and procedures have been reviewed. Honestly, when did you last do this?
Do: Conduct wireless security testing | Tests efficacy of technical controls and procedures.
Check: See how effective technical controls and procedures were | Both the users and the company are now more aware of their technical controls and any changes needed.
Act: Redefine testing parameters | Technical controls will improve.
Scenario 2
Running a wireless network: DIP Test - WI-FI Security Jersey 2011
Survey carried out 12-15th December 2011 - survey of 13,168 access points
State of WI-FI Security lecture for BCS in March 2012
13.9% (1835) = no encryption
19.37% (2551) = WEP
33.27% (4386) are insecure i.e. WEP or no encryption
53.9% (7097) are made by Netgear
29.1% (2066) of Netgear routers are insecure
A States of Jersey building has no encryption i.e. open, still one year later!!!
Scenario 2
Running a wireless network: Demo 1 – WPS Insecurity
A good WPA2 password would take more than a lifetime to brute force.
If WPS is enabled then this can reduce to 3-5 hours.
Reaver can do this and it has the ability to save sessions. It can also be installed on an Android smartphone!!!!
Scenario 3
Running web applications or a website for business
Business Perspective
Objective: To have a web application to fulfil a business service online, or a website to promote our business.
Risks: We will have it built by a local web design company who provide a package including hosting. Risk 2/10
Malcontent’s Perspective
Is this website running on shared hosting?
Is the website or application security outdated?
Is debugging information available?
Is there a file upload facility?
A ‘yes’ to any of the above could mean you are vulnerable to exploitation.
Scenario 3
The dangers of shared hosting for business: What is Shared Hosting?
Company A – Static Site
Company B - WordPress
Company C – Joomla
Each website is a folder on the server.
The database on the server is common to all sites.
The firewall is common to all sites and under the control of the ISP.
But it is cheap web hosting.
It is not suitable for businesses that require control of firewalls and databases.
It is also very difficult to make secure!!
Scenario 3
The dangers of shared hosting for business: The Directory Symlink Attack
Company A – Static Site
Company B - WordPress
Company C – Joomla
Company B is the target.
The attacker finds a plugin vulnerability in Company C’s website.
The attacker then creates symlinks to read configuration files on all sites.
The attacker logs into the database on Company B and C, changing the website admin password.
The attacker logs into the web admin portal = Game Over!!
You only need one vulnerable site for this attack to work!!
It is not uncommon for there to be up to 30-50 websites on a large shared hosting server.
There are tools and scripts available on the internet!!!
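A defender-side illustration of the symlink step above and of the per-site check that blocks it, added here as an example and not part of the original presentation: before serving a requested file, the server resolves it and refuses anything whose real location lies outside that site's own folder, or that passes through a symlink owned by a different hosting account (the same idea as Apache's SymLinksIfOwnerMatch). The Company B / Company C directory layout is constructed in a temporary directory; the file contents and the secret are placeholders.

```python
import os
import stat
import tempfile
from typing import Optional


def symlink_owners_match(root: str, candidate: str, expected_uid: int) -> bool:
    """Every symlink between root and candidate must be owned by expected_uid.

    A link planted by another hosting account (Company C's) is refused even
    when it sits inside this site's own folder.
    """
    cur = root
    for part in os.path.relpath(candidate, root).split(os.sep):
        cur = os.path.join(cur, part)
        try:
            st = os.lstat(cur)  # lstat inspects the link itself, not its target
        except FileNotFoundError:
            return False
        if stat.S_ISLNK(st.st_mode) and st.st_uid != expected_uid:
            return False
    return True


def safe_resolve(docroot: str, requested: str, expected_uid: Optional[int] = None) -> Optional[str]:
    """Return the real path to serve for `requested`, or None if it must be refused."""
    root = os.path.realpath(docroot)
    candidate = os.path.normpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # plain ../ traversal out of the site folder
    if expected_uid is not None and not symlink_owners_match(root, candidate, expected_uid):
        return None  # a symlink on the path belongs to another account
    real = os.path.realpath(candidate)
    if os.path.commonpath([root, real]) != root:
        return None  # the link resolves outside this site's folder
    if not os.path.isfile(real):
        return None
    return real


def build_demo() -> dict:
    """Constructed shared-hosting layout: Company B (WordPress) and Company C side by side."""
    base = tempfile.mkdtemp(prefix="shared-hosting-demo-")
    site_b = os.path.join(base, "company_b")
    site_c = os.path.join(base, "company_c")
    os.makedirs(site_b)
    os.makedirs(site_c)
    with open(os.path.join(site_b, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-placeholder');\n")
    with open(os.path.join(site_c, "index.html"), "w") as fh:
        fh.write("<h1>Company C</h1>\n")
    # The link a compromised Company C account would plant, pointing at Company B's config.
    os.symlink(os.path.join(site_b, "wp-config.php"), os.path.join(site_c, "loot.txt"))
    # A harmless link that stays inside Company C's own folder.
    os.symlink(os.path.join(site_c, "index.html"), os.path.join(site_c, "home.html"))
    return {"site_b": site_b, "site_c": site_c, "uid": os.getuid()}


if __name__ == "__main__":
    d = build_demo()
    print("cross-site link :", safe_resolve(d["site_c"], "loot.txt"))                 # None
    print("own config file :", safe_resolve(d["site_b"], "wp-config.php"))            # real path
    print("foreign-owned   :", safe_resolve(d["site_c"], "home.html", d["uid"] + 1))  # None
```

On a real shared host the equivalent controls are per-site system accounts plus a web server configured to refuse symlinks not owned by the site's account.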
Scenario 3
The dangers of shared hosting for business: The File Upload Risk
Company A
• The attacker logs in to the database and changes the admin password.
Company A allows file uploads.
The attacker uploads the appropriate shell.
The attacker then triggers execution of the shell program.
The attacker receives a command prompt from the webserver.
The attacker now has the permissions of the webserver.
If he can elevate privileges = Game Over.
File type protection can be bypassed using an intercepting proxy.
We could always upload a trojan file for them to download.
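Server-side upload validation for the file upload risk above, added as an example that is not from the original slides: the decision ignores the client-supplied filename and Content-Type (both are trivially altered in an intercepting proxy) and rests on an extension allowlist, the magic bytes actually received, and a server-generated storage name. The sample inputs in the demo are constructed, and the "shell" content is a harmless marker.

```python
import hashlib
import os
from typing import Tuple

# Extension allowlist: each entry lists the magic bytes a genuine file must begin with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
# Crude polyglot check: long markers only, so binary image data does not trip it by chance.
SCRIPT_MARKERS = (b"<?php", b"<script")


def storage_name(data: bytes, ext: str) -> str:
    """Name the file by its content hash: nothing from the client reaches the filesystem."""
    return hashlib.sha256(data).hexdigest() + "." + ext


def validate_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side decision on an upload.

    Only the raw bytes and the extension are examined. The client's Content-Type
    header is deliberately not a parameter: anything the browser sends can be
    rewritten in an intercepting proxy, so it carries no security value.
    Returns (False, reason) when refused, or (True, storage_name) when accepted.
    """
    if not data:
        return False, "empty upload"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "upload too large"
    if "\x00" in client_filename:
        return False, "null byte in filename"
    # Strip any directory part the client supplied (../, backslashes, absolute paths).
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: %s" % (ext or "(none)")
    # The bytes must be what the extension claims; 'shell.php.png' full of PHP fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # A script body appended to an otherwise valid image is still refused.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script content inside file"
    return True, storage_name(data, ext)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64            # constructed minimal PNG header
    php = b"<?php echo 'constructed marker'; ?>\n"        # harmless stand-in for a shell
    for name, blob in [("photo.png", png), ("shell.php", php), ("shell.php.png", php), ("poly.png", png + php)]:
        print(name, "->", validate_upload(name, blob))
```

Store an accepted file under the returned name in a directory the web server never executes scripts from, ideally outside the site's document root.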
Scenario 3
The dangers of shared hosting for business: The File Upload Risk Demo
DVWA Demo
OWASP 2013
Open Web Application Security Project
1. Injection - we can inject code into the application in some form e.g. SQL via a field.
2. Cross Site Scripting - can we cause a malicious script to be included from a different domain when a browser visits an infected page?
3. Session Authentication and Management – we need to know who you are, what rights you have, and manage correct exchanges of information.
4. Insecure Direct Object Reference – we need to check to see if you are authorised for a file or resource.
5. Cross Site Request Forgery – can we get a logged in user to include a malicious request from a different domain to trick the application into changing something e.g. router admin password!!
6. Security Misconfiguration – no need to explain.
7. Insecure Cryptographic Storage – we don’t protect important information with as good encryption as we should have done.
8. Failure to Restrict URL Access – are you authorised to browse to a URL? Think admin area of website.
9. Insufficient Transport Layer Protection – we need to protect important data when we send it.
10. Unvalidated Redirects and Forwards – we should not just send the browser to somewhere without first checking i.e. hsbc.c0.uk is not hsbc.co.uk.
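For item 10, a redirect-target check of the kind the slide calls for, added here as an example that is not from the original presentation: the application keeps an allowlist of its own hostnames and sends the browser anywhere else only via a fixed fallback, which catches the hsbc.c0.uk lookalike as well as the scheme-relative and userinfo forms an attacker can put in a `next` parameter. The allowlist and the URLs in the demo are constructed.

```python
from typing import Iterable
from urllib.parse import urlsplit


def safe_redirect_target(target: str, allowed_hosts: Iterable[str], fallback: str = "/") -> str:
    """Return `target` if the browser may be sent there, otherwise `fallback`.

    Policy: site-local paths are fine; absolute URLs must be http(s) and their
    hostname must be exactly one of ours. Everything else, including lookalike
    domains such as hsbc.c0.uk, goes to the fallback.
    """
    allowed = {h.lower() for h in allowed_hosts}
    if not target or any(ch in target for ch in "\r\n\x00"):
        return fallback  # CR/LF in a Location value would inject extra response headers
    try:
        parts = urlsplit(target)
    except ValueError:
        return fallback  # e.g. an unbalanced IPv6 bracket
    if not parts.scheme and not parts.netloc:
        # Relative path. Browsers read '//host' and '/\host' as scheme-relative
        # URLs to another site, so require exactly one leading slash.
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return fallback
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback  # 'https://hsbc.co.uk@attacker.example/' really goes to attacker.example
    host = (parts.hostname or "").lower()
    if host in allowed:
        return target
    return fallback


if __name__ == "__main__":
    ours = ["hsbc.co.uk", "www.hsbc.co.uk"]  # constructed allowlist
    for candidate in ["/account/summary", "https://hsbc.co.uk/login", "https://hsbc.c0.uk/login",
                      "https://hsbc.co.uk.attacker.example/", "//attacker.example/"]:
        print(candidate, "->", safe_redirect_target(candidate, ours))
```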
Scenario 3
Running web applications or a website for business
Debugging information available
Scenario 3
Running web applications or a website for business
Poor authentication handling.
Scenario 3
Running web applications or a website for business
Poor ‘404’ error handling.
Since January 2013
2 x debugging information
1 x authentication
1 x error handling
Security testing would have found all these errors
Barriers to Adoption
Apathy: A Case Study
A local law firm’s website was hacked, with a page inserted for an online pharmacy selling Viagra.
Became public on the 4th December 2012.
The solution is to build a new website?
Need to fix the security problem with the current one!!
‘While we have ventured out into some new areas such as conveyancing and wills, we do not sell Viagra. We have contacted our website provider who has stated that it is the first time he has experienced an event such as this and we have since taken steps to ensure that it is very unlikely to happen again. We have, however, made use of the occasion to examine our website and plan a re-launch in the near future. Sadly, it has meant that our on-line procedural guide to the Royal Court Rules is temporarily unavailable.’
Google ranked the site as being compromised shortly after.
Barriers to Adoption
Apathy: A Case Study
This is how Google ranked the firm on the 1st February 2013 – 59 days of reputational damage.
Barriers to Adoption
Apathy: A Case Study
This is how Google ranked the firm on the 22nd March 2013 – 108 days of reputational damage and no new website.
Would you trust them with your information?
Barriers to Adoption
Further Barriers
It is an intangible benefit.
Thought to be IT’s problem.
It is not well understood in business terms – for example fire risks are well understood and have controls such as smoke detectors and a fire evacuation plan which are routinely tested. The same cannot be said for IT security.
Board level disconnect – IT & Information Security are not routinely discussed at board level.
Economic conditions – security becomes a low priority.
Lack of regulatory appetite in Jersey – no Information Commissioner and JFSC = no need for business to do anything!!
Enforcement
UK Information Commissioner’s Office
DM Design, a Glasgow based marketing company, fined £90,000 after 2,000 complaints about unwanted marketing calls.
Nursing and Midwifery Council was fined £150,000 for the loss of 3 DVDs containing sensitive data about a misconduct hearing and evidence from vulnerable children.
Sony fined £250,000 for loss of ‘gamers’ data after the Sony PlayStation Network was hacked.
Greater Manchester Police fined £120,000 for not protecting personnel data.
Stoke-on-Trent fined £120,000 for emailing sensitive children’s data to the wrong person.
Prudential fined £50,000 after merging of account data led to one account being credited wrongly.
Further Information
Links
Krebs on Security
UK Cabinet Office Cybercrime Report - https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf
Verizon Data Breach Report 2012 - http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1
IBM X-Force Security Report - http://www-03.ibm.com/press/uk/en/pressrelease/38928.wss
Solutionary Global Threat Intelligence Report - http://blog.solutionary.com/blog/?Tag=GTIR
UK Information Commissioner’s Office - http://www.ico.gov.uk/
Jersey Data Protection - http://www.dataprotection.gov.je/cms/default.htm
Questions?
Breaking down the cyber security framework closing critical it security gapsIBM Security
 
IT Security and Risk Mitigation
IT Security and Risk MitigationIT Security and Risk Mitigation
IT Security and Risk MitigationMukalele Rogers
 
Case study financial_services
Case study financial_servicesCase study financial_services
Case study financial_servicesG. Subramanian
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDonald Tabone
 
An insight into information security.pptx
An insight into information security.pptxAn insight into information security.pptx
An insight into information security.pptxSecurityium
 
netwealth and Sense Of Security webinar: What you need to know about cyber se...
netwealth and Sense Of Security webinar: What you need to know about cyber se...netwealth and Sense Of Security webinar: What you need to know about cyber se...
netwealth and Sense Of Security webinar: What you need to know about cyber se...netwealthInvest
 
Concept Of Cyber Security.pdf
Concept Of Cyber Security.pdfConcept Of Cyber Security.pdf
Concept Of Cyber Security.pdfFahadZaman38
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_readingseadeloitte
 
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber AttacksA Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber AttacksIRJET Journal
 
Small Business Administration Recommendations
Small Business Administration RecommendationsSmall Business Administration Recommendations
Small Business Administration RecommendationsMeg Weber
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Proofpoint
 
Cyber Security at CTX15, London
Cyber Security at CTX15, LondonCyber Security at CTX15, London
Cyber Security at CTX15, LondonJohn Palfreyman
 
Top Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfTop Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfCareerera
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsDinesh O Bareja
 
Omlis Data Breaches Report - An Inside Perspective
Omlis Data Breaches Report - An Inside Perspective Omlis Data Breaches Report - An Inside Perspective
Omlis Data Breaches Report - An Inside Perspective Omlis
 
gkkSecurity essentials domain 1
gkkSecurity essentials   domain 1gkkSecurity essentials   domain 1
gkkSecurity essentials domain 1Anne Starr
 

Ähnlich wie Infosec lecture-final (20)

Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
IT Security and Risk Mitigation
IT Security and Risk MitigationIT Security and Risk Mitigation
IT Security and Risk Mitigation
 
Case study financial_services
Case study financial_servicesCase study financial_services
Case study financial_services
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
unit-1-is1.pptx
unit-1-is1.pptxunit-1-is1.pptx
unit-1-is1.pptx
 
An insight into information security.pptx
An insight into information security.pptxAn insight into information security.pptx
An insight into information security.pptx
 
internet security and cyber lawUnit1
internet security and  cyber lawUnit1internet security and  cyber lawUnit1
internet security and cyber lawUnit1
 
netwealth and Sense Of Security webinar: What you need to know about cyber se...
netwealth and Sense Of Security webinar: What you need to know about cyber se...netwealth and Sense Of Security webinar: What you need to know about cyber se...
netwealth and Sense Of Security webinar: What you need to know about cyber se...
 
Concept Of Cyber Security.pdf
Concept Of Cyber Security.pdfConcept Of Cyber Security.pdf
Concept Of Cyber Security.pdf
 
2017 october supplementary_reading
2017 october supplementary_reading2017 october supplementary_reading
2017 october supplementary_reading
 
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber AttacksA Comprehensive Review of Cyber Security, Threats and Cyber Attacks
A Comprehensive Review of Cyber Security, Threats and Cyber Attacks
 
Small Business Administration Recommendations
Small Business Administration RecommendationsSmall Business Administration Recommendations
Small Business Administration Recommendations
 
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
Inside The 10 Biggest and Boldest Insider Threats of 2019-2020
 
Cyber Security at CTX15, London
Cyber Security at CTX15, LondonCyber Security at CTX15, London
Cyber Security at CTX15, London
 
Top Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdfTop Cyber Security Interview Questions and Answers 2022.pdf
Top Cyber Security Interview Questions and Answers 2022.pdf
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
 
Omlis Data Breaches Report - An Inside Perspective
Omlis Data Breaches Report - An Inside Perspective Omlis Data Breaches Report - An Inside Perspective
Omlis Data Breaches Report - An Inside Perspective
 
Information security
Information securityInformation security
Information security
 
gkkSecurity essentials domain 1
gkkSecurity essentials   domain 1gkkSecurity essentials   domain 1
gkkSecurity essentials domain 1
 

Mehr von Paul Dutot IEng MIET MBCS CITP OSCP CSTM (10)

Welcome to the #WannaCry Wine Club
Welcome to the #WannaCry Wine ClubWelcome to the #WannaCry Wine Club
Welcome to the #WannaCry Wine Club
 
Scanning Channel Islands Cyberspace
Scanning Channel Islands Cyberspace Scanning Channel Islands Cyberspace
Scanning Channel Islands Cyberspace
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
 
Logicalis Security Conference
Logicalis Security ConferenceLogicalis Security Conference
Logicalis Security Conference
 
Letter anonymous-II
Letter anonymous-IILetter anonymous-II
Letter anonymous-II
 
Exploiting buffer overflows
Exploiting buffer overflowsExploiting buffer overflows
Exploiting buffer overflows
 
Practical Cyber Defense
Practical Cyber DefensePractical Cyber Defense
Practical Cyber Defense
 
A Letter from Anonymous to the Jersey Finance Industry
A Letter from Anonymous to the Jersey Finance IndustryA Letter from Anonymous to the Jersey Finance Industry
A Letter from Anonymous to the Jersey Finance Industry
 
Path to Surfdroid
Path to SurfdroidPath to Surfdroid
Path to Surfdroid
 
WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011WI-FI Security in Jersey 2011
WI-FI Security in Jersey 2011
 

Kürzlich hochgeladen

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 

Kürzlich hochgeladen (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 

Infosec lecture-final

  • 1. © Cyberkryption 2013
    Can you protect and secure your data to prevent damage to your reputation?
    Date: 16th April 2013   By: Paul Dutot

  • 2. About Me
    Former Air Traffic Engineer – 15 Years
    Incorporated Engineer / Chartered IT Professional
    MCTS / MCSE / Solaris / Security+
    Offensive Security Certified Professional
    Tiger Scheme Qualified Security Tester
    Information Security / Penetration Testing
    Owner – Cyberkryption.com
    Cyberkryption | Floor 1 | Liberation Station | Esplanade | St.Helier | Jersey | JE2 3AS
    T: +44 (0) 1534 719 123 | http://www.cyberkryption.com | enquiries@cyberkryption.com
    Paul Dutot IEng MIET MBCS CITP
    Questions at the end please

  • 3. Agenda
    Introduction to Information Security - A History.
    Components of Information Security - ISO 27001 Definitions / CIA Triad / PDCA Cycle
    Key Features and Benefits of Information Security
    Security Types – Offensive and Defensive
    Scenario 1 - Contact information on your public facing website.
    Scenario 2 - Running a wireless network for business.
    Scenario 3 – Running web applications or a website for your business?
    Barriers to Adoption
    Enforcement

  • 4. Introduction to Information Security – History
    [Timeline images: Julius Caesar circa 50 B.C. | 1940 – 1945 Enigma Machine | 2004 - GCHQ Cheltenham]
    "It's so easy to get into corporate networks that a determined 12-year-old with good Internet access could download the tools" – James Lewis, Centre for Strategic and International Studies, Advisor to Congress and Obama
    "Cyber attacks can cost billions of dollars, lead to stolen industry secrets and place the U.S. at a competitive disadvantage" – President Barack Obama
    [Charts: 2012 - Data Loss | 2012 - Cost to Individuals | Espionage – Financial services]

  • 5. Introduction to Information Security – ISO 27001 Definitions
    Information Security – 'preservation of confidentiality, integrity and availability of information; in addition to other properties such as authenticity, accountability, non-repudiation and reliability'
    An Information Asset – 'anything that has value to an organization'
    Confidentiality – 'information is not made available or disclosed to unauthorized individuals, processes or entities'
    Integrity – 'safeguarding of the accuracy and completeness of an information asset'
    Availability – 'being accessible and useable upon demand by an authorized entity'
    IT Security – Information Security applied to technology

  • 6. Introduction to Information Security – CIA Triad
    [Diagram: the CIA triad of Confidentiality, Integrity and Availability]

  • 7. Introduction to Information Security – Plan Do Check Act Cycle
    [Diagram: Plan, Do, Check, Act continuous improvement cycle]
    Central part of any information security strategy.
    Can be formalised in an information security management system (ISMS).
    Should be part of Business Risk Mitigation.

  • 8. Introduction to Information Security – Benefits
    Improves Business Processes – a comprehensive information security policy will improve the efficacy of other business processes such as disaster recovery and business continuity.
    Gain a Competitive Advantage – taking every measure to protect your business data can only increase the level of confidence that your clients have in your business.
    Business Resilience – the protection of business critical information is crucial to the productivity and continuity of your organisation.
    Meet Regulatory and Compliance Demands – the need to comply with statutory, contractual or regulatory obligations (e.g. JFSC) applies to the majority of businesses in all market sectors.
    Risk Mitigation – implementing an information security strategy will make certain that you can react.
    Peace of Mind.

  • 9. Introduction to Information Security – Key Features: A Formula One Pit Stop Analogy
    It should benefit the whole organisation
    It should balance business needs vs. risk
    It should have people controls
    It should have technical controls
    People v Technical should be a 50 / 50 split
    Payment Card Industry Data Security Standard (PCI-DSS) is a good example
    The whole organisation must participate, with leadership from above

  • 10. Introduction to Information Security – Security Types: Defensive and Offensive Security
    Defensive Security
      Anti-virus, systems patching and firewalls
      Reactionary and takes no account of 'human factors'
    Offensive Security
      Security testing from an attacker's 'point of view'
      It is designed to specifically target your company's infrastructure and identify security issues or confirm security posture
      It is commonly called Penetration Testing / Vulnerability Assessments
    Any information security strategy should contain both elements
  • 11. Scenario 1 – Public Contact Information
    Business Perspective
      Objective: To put our contact details on our website so we can be contacted more easily. Benefit 10/10
      Risks: We suffer spam or malicious email such as a phishing email. Risk 2/10
    Malcontent's Perspective
      If they are giving out email information so easily we should be able to get plenty of other information to help us.
      We can send them a malicious email to try to get a foothold inside their network.
      There are 3 forms of phishing: mass mailing, spear phishing and whaling.
      We can entice them to a similar website to get users to reveal their information!
      Metasploit Pro has a social engineering module for phishing attacks. We can also do this manually, but it is a lot more work.

  • 12. Scenario 1 – Public Contact Information
    Meet Toddington International: 100's of places to search for information, in 18 handy categories! Including social media and username searches.
    Pipl – a people search engine
    Google Hacking Database
    Jigsaw – great for business info
    Shodan – device search engine
    Maltego can automate this for us. However, with practice you can find a lot of information about a company within one hour.

  • 13. Scenario 1 – Public Contact Information: People Controls
    Plan
      Control: User awareness training on phishing
      Benefit: 1. Reduce risk of compromise 2. Network of 'sensors' to warn IT of potential attacks 3. Users become more security aware in their personal internet life
      Control: Apprise users of email testing
      Benefit: Users are aware that testing is being conducted and are not surprised
    Do
      Control: Conduct email phishing security testing
      Benefit: 1. Simulates a real world attack 2. Identifies weaknesses, i.e. spots where your security is most vulnerable 3. Controls risk – provide targeted security awareness training and tweak technical controls
    Check
      Control: See how effective the email phishing campaign was and interact with users accordingly
      Benefit: Both the users and the company are now more aware of their risk exposure
    Act
      Control: Redefine testing parameters
      Benefit: Testing will now become more targeted

  • 14. Scenario 1 – Public Contact Information: Technical Controls
    Plan
      Control: Check technical systems are patched and up to date; check configurations of technical controls and procedures
      Benefit: Your controls and procedures have been reviewed. Honestly, when did you last do this?
    Do
      Control: Conduct email phishing security testing
      Benefit: Tests efficacy of technical controls and procedures
    Check
      Control: See how effective the technical controls and procedures were
      Benefit: Both the users and the company are now more aware of their technical controls and any changes needed
    Act
      Control: Redefine testing parameters
      Benefit: Technical controls will improve

  • 15. Scenario 1 – Public Contact Information
    [Chart: Dip Test – Legal Sector Jersey; firms 1 to 11 on the x-axis, counts 0 to 200 on the y-axis; series: Number On Website, Number Of Email Addresses, Vcards for Individuals]
    The data was obtained simply by browsing their websites. We also found a few LinkedIn profiles as well as a CV or two!!
    The picture is very similar in other sectors such as banking, trust and small businesses.
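The dip test on this slide is something a business can run against its own website before anyone else does. The following Python script is an added example (not part of the deck and not a Cyberkryption tool) that counts what the chart counts: distinct email addresses and vCard links published across a set of pages, and separates individual mailboxes from generic role mailboxes. The two HTML pages, the domain example-law.je and the GENERIC_LOCAL_PARTS list are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Plain email addresses and href="...vcf" links as they appear in page source.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
VCARD_RE = re.compile(r"""href\s*=\s*["']([^"']+\.vcf)["']""", re.IGNORECASE)

# Assumed list of role mailboxes that are fine to publish; anything else is treated
# as an individual's address (a named target for spear phishing).
GENERIC_LOCAL_PARTS = {"info", "enquiries", "contact", "hr", "sales", "support", "admin", "office"}


@dataclass
class ExposureReport:
    addresses: set = field(default_factory=set)   # unique addresses, lower-cased
    vcards: set = field(default_factory=set)      # unique vCard links
    per_page: dict = field(default_factory=dict)  # page path -> addresses on that page

    @property
    def individual_addresses(self) -> set:
        """Addresses whose local part is not a generic role mailbox."""
        return {a for a in self.addresses if a.split("@")[0] not in GENERIC_LOCAL_PARTS}


def audit_pages(pages: dict) -> ExposureReport:
    """pages maps a page path to its HTML source (e.g. saved copies of your own site)."""
    report = ExposureReport()
    for path, html in pages.items():
        found = {m.lower() for m in EMAIL_RE.findall(html)}
        report.addresses |= found
        report.vcards |= set(VCARD_RE.findall(html))
        report.per_page[path] = len(found)
    return report


def summarise(report: ExposureReport) -> dict:
    """The numbers the dip-test chart plots, for one organisation."""
    return {
        "pages_checked": len(report.per_page),
        "email_addresses": len(report.addresses),
        "individual_addresses": len(report.individual_addresses),
        "vcards": len(report.vcards),
    }


# Constructed sample pages for a fictional firm (not real data).
SAMPLE_PAGES = {
    "/contact.html": """<h1>Contact us</h1>
<p>General: <a href="mailto:enquiries@example-law.je">enquiries@example-law.je</a></p>
<p>Jane Smith, Partner: <a href="mailto:Jane.Smith@example-law.je">Jane.Smith@example-law.je</a>
<a href="/vcards/jane-smith.vcf">vCard</a></p>""",
    "/team.html": """<ul>
<li>Jane Smith - jane.smith@example-law.je</li>
<li>John Doe - <a href="mailto:john.doe@example-law.je">email</a> <a href='/vcards/john-doe.vcf'>vCard</a></li>
<li>Recruitment - hr@example-law.je</li>
</ul>""",
}

if __name__ == "__main__":
    r = audit_pages(SAMPLE_PAGES)
    print(summarise(r))
    for a in sorted(r.individual_addresses):
        print("individual address published:", a)
```

Point it at saved copies of your own pages. The individual addresses it lists are the ones worth replacing with a role mailbox such as enquiries@, and the vCard count shows how much structured contact data (name, title, direct line) the site hands out in one click.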
  • 16. Scenario 1 – Public Contact Information: Case Study RSA
    Attackers used a targeted email. They attached an Excel spreadsheet titled "Recruitment Plan".
    The technical solutions did their job. One of the targets took it out of his junk email folder. The rest is history!!!
    1/3 of all RSA tokens had to be replaced. Cost: $66M between April and June 2011.
  • 17. © Cyberkryption 2013 Scenario 2 Running a wireless network for business 16 Cyberkryption | Floor 1 | Liberation Station | Esplanade | St.Helier | Jersey | JE2 3AS T: +44 (0) 1534 719 123 | http://www.cyberkryption.com | enquiries@cyberkryption.com Paul Dutot IEng MIET MBCS CITP Objective: To have a wireless network so that we can use wireless devices such as laptops and tablets and clients can connect to it when doing business with us. Benefit 10/10 Risks: We will have it installed by IT or our IT service provider. Risk 0/10 Have they set this up properly? Do they know what information is being broadcast ? Do they monitor their wireless ? Is there intrusion or rogue access point detection ? Do they patch their wireless devices ? Is there an open WI-FI access point ? Are they running WPA2 with WI-FI Protected Setup ? If any are yes; we possibly have access to their internal network !!! Business Perspective Malcontent’s Perspective
Scenario 2 – Running a wireless network for business
Meet Wigle.net, a public map of wireless access points logged by wardrivers. [Map screenshot] Green = open network | Yellow = weak encryption | Red = maybe secure.
Scenario 2 – Running a wireless network for business
Meet MiniPwner. Would you notice this on a desk? Probably. But what if it were tangled up in a load of cables or under a desk?
Battery powered
Custom Wi-Fi access point
Can send connections to the outside world
Costs less than £50 to build
It is only 5.7 cm square
It can scan your network for vulnerabilities
Scenario 2 – Running a wireless network for business
People Controls (Plan, Do, Check, Act)
Plan – Control: check procedures are up to date and have been reviewed. Benefit: your controls and procedures have been reviewed. Honestly, when did you last do this?
Do – Control: conduct wireless security awareness training. Benefit: tests the efficacy of people controls and procedures.
Check – Control: see how effective the controls and procedures are. Benefit: both the users and the company are now more aware of their procedures and any changes needed.
Act – Control: redefine the testing parameters. Benefit: procedures will improve.
Scenario 2 – Running a wireless network for business
Technical Controls (Plan, Do, Check, Act)
Plan – Control: check technical systems are patched and up to date; check the configuration of technical controls and procedures. Benefit: your controls and procedures have been reviewed. Honestly, when did you last do this?
Do – Control: conduct wireless security testing. Benefit: tests the efficacy of technical controls and procedures.
Check – Control: see how effective the technical controls and procedures are. Benefit: both the users and the company are now more aware of their technical controls and any changes needed.
Act – Control: redefine the testing parameters. Benefit: technical controls will improve.
Scenario 2 – Running a wireless network
Dip Test – Wi-Fi Security Jersey 2011 (from the State of Wi-Fi Security lecture for BCS, March 2012)
Survey carried out 12–15 December 2011: 13,168 access points.
13.9% (1,835) = no encryption
19.37% (2,551) = WEP
33.27% (4,386) are insecure, i.e. WEP or no encryption
53.9% (7,097) are made by Netgear
29.1% (2,066) of the Netgear routers are insecure
A States of Jersey building has no encryption, i.e. it is still open one year later!
Scenario 2 – Running a wireless network
Demo 1 – WPS Insecurity
A good WPA2 passphrase would take more than a lifetime to brute force. If WPS is enabled this drops to 3–5 hours: the WPS PIN is only eight digits, the last digit is a checksum, and the access point confirms the first four digits separately from the last three, so there are at most 11,000 PINs to try instead of 10^8. Reaver automates this and can save and resume a session. It can also be installed on an Android smartphone!
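The arithmetic behind the 3–5 hours, as an added example (this is not code from the slides or from Reaver). It implements the WPS PIN check digit as published in the WPS specification and used by hostapd, and counts the attempts left once the access point has confirmed the first half of the PIN. The one-attempt-per-second rate in worst_case_hours() is an assumed figure; real rates depend on the access point.

```python
"""WPS PIN arithmetic: why an eight-digit PIN falls in hours, not lifetimes."""


def wps_checksum(first7: int) -> int:
    """Return the check digit for the first seven digits of a WPS PIN.

    This is the weighted-sum checksum from the WPS specification (the same
    routine hostapd uses to validate a PIN).
    """
    accum = 0
    while first7:
        accum += 3 * (first7 % 10)
        first7 //= 10
        accum += first7 % 10
        first7 //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if the eight-digit PIN's last digit matches its checksum."""
    return 0 <= pin <= 99_999_999 and wps_checksum(pin // 10) == pin % 10


def second_half_candidates(first_half: int):
    """Yield every full PIN an attacker still has to try once the access
    point has confirmed digits 1-4.

    Only digits 5-7 are free; the eighth digit is dictated by the checksum,
    so the second half costs at most 1,000 attempts.
    """
    for second in range(1000):
        first7 = first_half * 1000 + second
        yield first7 * 10 + wps_checksum(first7)


def wps_search_space(split_verification: bool) -> int:
    """Worst-case number of attempts against a WPS PIN.

    Without the protocol flaw an attacker guesses seven free digits (10**7).
    Because the access point rejects a wrong first half straight after
    message M4 and a wrong second half after M6, the halves are attacked
    separately: 10**4 + 10**3 = 11,000 attempts at most.
    """
    return 10**4 + 10**3 if split_verification else 10**7


def worst_case_hours(attempts: int, seconds_per_attempt: float = 1.0) -> float:
    """Hours needed to exhaust `attempts` at an assumed rate (1/s by default)."""
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    # 12345670 is the well-known example PIN from the hostapd sample config.
    print("12345670 valid:", wps_pin_valid(12345670))
    print("attempts with split verification:", wps_search_space(True))
    print("hours at one attempt per second: %.1f"
          % worst_case_hours(wps_search_space(True)))
```

At one attempt per second the 11,000 candidates take about three hours, which is the figure on the slide; the fix is to disable WPS on the access point, since the weakness is in the protocol, not in the passphrase.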
Scenario 3 – Running web applications or a website for business
Business Perspective
Objective: To have a web application to fulfil a business service online, or a website to promote our business.
Risks: We will have it built by a local web design company who provide a package including hosting. Risk 2/10.
Malcontent's Perspective
Is this website running on shared hosting?
Is the website or application software out of date?
Is debugging information available?
Is there a file upload facility?
A 'yes' to any of the above could mean you are vulnerable to exploitation.
Scenario 3 – The dangers of shared hosting for business
What is Shared Hosting?
Company A – static site. Company B – WordPress. Company C – Joomla.
Each website is a folder on the same server. The database server is common to all sites. The firewall is common to all sites and under the control of the ISP. It is cheap web hosting, but it is not suitable for a business that requires control of its firewalls and databases, and it is very difficult to make secure!
Scenario 3 – The dangers of shared hosting for business
The Directory Symlink Attack
Company A – static site. Company B – WordPress. Company C – Joomla. Company B is the target.
1. The attacker finds a plugin vulnerability in Company C's website.
2. The attacker creates symlinks inside C's folder pointing at the configuration files of all the other sites and reads them through the web server, harvesting their database credentials.
3. The attacker logs into the databases of Company B and C and changes the website admin password.
4. The attacker logs into the web admin portal = game over!
You only need one vulnerable site for this attack to work! It is not uncommon for there to be 30–50 websites on a large shared hosting server, and there are tools and scripts for this available on the internet!
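The attack above, replayed in a temporary directory as an added example (not code from the slides). It builds three tenant folders, plants a symlink from Company C's folder to Company B's wp-config.php, and reads it through two file servers: a naive one that follows any symlink, and a confined one that applies the two checks a hardened shared host relies on, the resolved path must stay inside the tenant's own document root (what PHP's open_basedir enforces) and a symlink may only be followed if it and its target have the same owner (Apache's SymLinksIfOwnerMatch). The tenant names and file contents are constructed for the demonstration.

```python
"""Shared-hosting symlink attack: naive reader versus confined reader."""
import os
import tempfile

TENANTS = ("company_a", "company_b", "company_c")  # constructed tenants


def setup_shared_host(root: str) -> str:
    """Create one document root per tenant and Company B's WordPress config."""
    for tenant in TENANTS:
        os.makedirs(os.path.join(root, tenant, "public_html"), exist_ok=True)
    config = os.path.join(root, "company_b", "public_html", "wp-config.php")
    with open(config, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'b-secret');\n")  # constructed
    return config


def attacker_plants_symlink(root: str, target: str) -> str:
    """Via the plugin flaw, Company C writes a symlink into its own folder."""
    link = os.path.join(root, "company_c", "public_html", "loot.txt")
    os.symlink(target, link)
    return link


def serve_naive(docroot: str, name: str) -> str:
    """Vulnerable: opens whatever the tenant's file points at (FollowSymLinks)."""
    with open(os.path.join(docroot, name)) as fh:
        return fh.read()


def serve_confined(docroot: str, name: str) -> str:
    """Hardened: resolve the real path and refuse anything outside docroot,
    and refuse symlinks whose target belongs to a different owner."""
    path = os.path.join(docroot, name)
    real = os.path.realpath(path)
    base = os.path.realpath(docroot)
    if os.path.commonpath([real, base]) != base:
        raise PermissionError(f"{name} resolves outside {docroot}")
    if os.path.islink(path) and os.lstat(path).st_uid != os.stat(real).st_uid:
        raise PermissionError(f"{name} is a symlink to another tenant's file")
    with open(real) as fh:
        return fh.read()


def demo():
    """Return (what the naive server leaked, whether the confined one blocked)."""
    with tempfile.TemporaryDirectory() as root:
        config = setup_shared_host(root)
        attacker_plants_symlink(root, config)
        docroot_c = os.path.join(root, "company_c", "public_html")
        leaked = serve_naive(docroot_c, "loot.txt")
        try:
            serve_confined(docroot_c, "loot.txt")
            blocked = False
        except PermissionError:
            blocked = True
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("naive server leaked:", leaked.strip())
    print("confined server blocked the symlink:", blocked)
```

On a real host the equivalent settings are `Options -FollowSymLinks +SymLinksIfOwnerMatch` in Apache and a per-site `open_basedir` in PHP; the owner check only helps when each tenant runs as its own Unix user, which is exactly what cheap shared hosting often omits.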
Scenario 3 – The dangers of shared hosting for business
The File Upload Risk
Company A allows file uploads.
1. The attacker uploads the appropriate shell (file type protection can be bypassed using an intercepting proxy).
2. The attacker triggers execution of the shell.
3. The attacker receives a command prompt from the web server and now has the permissions of the web server.
4. The attacker logs in to the database and changes the admin password.
5. If he can elevate privileges = game over.
We could always upload a trojan file for other users to download instead.
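Why the intercepting-proxy bypass works, and what a validator has to do instead, as an added example (not the DVWA code used in the demo). The naive validator below trusts the Content-Type header the browser sent, which a proxy such as Burp rewrites to image/png on the way out; the hardened one ignores that header, allow-lists the extension, checks the file's magic bytes and stores the file under a server-generated name. The shell bytes, PNG stub and function names are constructed for the demonstration.

```python
"""File upload validation: header-trusting validator versus content checks."""
import secrets

# Magic bytes for the only file types the application wants to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
CLIENT_TYPES = {"image/png", "image/jpeg", "application/pdf"}


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def accept_upload_naive(filename: str, content_type: str, data: bytes) -> str:
    """Vulnerable: trusts the Content-Type header the browser sent.

    An intercepting proxy rewrites that header to image/png, so shell.php
    sails through and is saved under its own name inside the web root.
    """
    if content_type not in CLIENT_TYPES:
        raise UploadRejected("type not allowed")
    return filename


def accept_upload_hardened(filename: str, content_type: str, data: bytes) -> str:
    """Hardened: ignores the client's Content-Type and checks what it can verify.

    1. the extension must be on a short allow-list (never a deny-list of .php)
    2. the bytes must start with that type's magic number
    3. the stored name is generated server-side, so the attacker never picks it
    """
    del content_type  # attacker-controlled, deliberately unused
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in MAGIC:
        raise UploadRejected(f"extension .{ext or '(none)'} not allowed")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads: a one-line PHP shell and a minimal PNG header.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_STUB = MAGIC["png"] + b"\x00" * 16


def demo():
    """Push the header-spoofed shell through both validators."""
    naive = accept_upload_naive("shell.php", "image/png", PHP_SHELL)
    try:
        hardened = accept_upload_hardened("shell.php", "image/png", PHP_SHELL)
    except UploadRejected as exc:
        hardened = f"rejected: {exc}"
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = demo()
    print("naive validator stored:", naive)
    print("hardened validator:", hardened)
```

A magic-byte check is not the whole defence: a valid PNG with PHP appended passes it, so uploads must also be stored outside the web root, or served from a directory with no script handler, so that nothing uploaded can ever be executed.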
Scenario 3 – The dangers of shared hosting for business
The File Upload Risk – Demo (DVWA, Damn Vulnerable Web Application)
OWASP Top 10
Open Web Application Security Project Top 10 (the names and order below are those of the 2010 edition; the 2013 edition regrouped several of these items).
1. Injection – we can inject code into the application in some form, e.g. SQL via a form field.
2. Cross Site Scripting – can we get a malicious script included in a page so that it runs in the visitor's browser with the rights of the vulnerable site?
3. Broken Authentication and Session Management – we need to know who you are and what rights you have, and manage the exchange of information correctly.
4. Insecure Direct Object Reference – we need to check that you are authorised for a file or resource before handing it over.
5. Cross Site Request Forgery – can we get a logged-in user's browser to send a request we crafted from a different domain, tricking the application into changing something, e.g. a router admin password?
6. Security Misconfiguration – no need to explain.
7. Insecure Cryptographic Storage – we don't protect important information with encryption as good as we should have done.
8. Failure to Restrict URL Access – are you authorised to browse to a URL? Think of the admin area of a website.
9. Insufficient Transport Layer Protection – we need to protect important data when we send it.
10. Unvalidated Redirects and Forwards – we should not just send the browser somewhere without first checking, i.e. hsbc.c0.uk is not hsbc.co.uk.
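Two items from the list made concrete, as an added example (not code from the slides): item 1, a login query built by string concatenation beside the same query with bound parameters, run against an in-memory SQLite database; and item 10, a redirect check that accepts only relative paths or https URLs on an allow-list, so the look-alike hsbc.c0.uk from the slide is refused. The user table, the plaintext password (kept only so the injection is visible) and the allowed hosts are constructed for the demonstration.

```python
"""OWASP items 1 and 10: SQL injection and unvalidated redirects."""
import sqlite3
from urllib.parse import urlparse


def make_db() -> sqlite3.Connection:
    """Constructed fixture: one user. A real store holds a salted hash,
    not the password itself; plaintext here keeps the injection visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Injection: the field values become part of the SQL text, so
    username "alice' --" comments the password check away."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: input is data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Assumed allow-list of redirect targets for the example.
ALLOWED_HOSTS = {"hsbc.co.uk", "www.hsbc.co.uk"}


def is_safe_redirect(target: str) -> bool:
    """Unvalidated redirects: follow only a site-relative path or an https URL
    whose host is on the allow-list. Look-alikes such as hsbc.c0.uk, plain
    http, and user@host tricks all fail the hostname comparison."""
    parts = urlparse(target)
    if not parts.scheme and not parts.netloc:
        # Relative path; "//evil.example" carries a netloc and never gets here.
        return target.startswith("/")
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    conn = make_db()
    print("injected login (vulnerable):", login_vulnerable(conn, "alice' --", "x"))
    print("injected login (parameterised):", login_parameterised(conn, "alice' --", "x"))
    print("redirect to hsbc.c0.uk allowed:", is_safe_redirect("https://hsbc.c0.uk/login"))
```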
Scenario 3 – Running web applications or a website for business
Debugging information available. [Screenshot]
Poor authentication handling. [Screenshot]
Poor '404' error handling. [Screenshot]
Found on local sites since January 2013: 2 x debugging information, 1 x authentication, 1 x error handling. Security testing would have found all of these.
Barriers to Adoption
Apathy: A Case Study
A local law firm's website was hacked, with a page inserted for an online pharmacy selling Viagra. It became public on 4th December 2012, and Google flagged the site as compromised shortly after. The firm's solution is to build a new website? The security problem with the current one needs fixing first!
The firm's statement: 'While we have ventured out into some new areas such as conveyancing and wills, we do not sell Viagra. We have contacted our website provider who has stated that it is the first time he has experienced an event such as this and we have since taken steps to ensure that it is very unlikely to happen again. We have, however, made use of the occasion to examine our website and plan a re-launch in the near future. Sadly, it has meant that our on-line procedural guide to the Royal Court Rules is temporarily unavailable.'
Barriers to Adoption – Apathy: A Case Study
This is how Google ranked the firm on 1st February 2013: 59 days of reputational damage. [Screenshot]
Barriers to Adoption – Apathy: A Case Study
This is how Google ranked the firm on 22nd March 2013: 108 days of reputational damage and no new website. [Screenshot] Would you trust them with your information?
Barriers to Adoption – Further Barriers
It is an intangible benefit.
It is thought to be IT's problem.
It is not well understood in business terms. Fire risks, for example, are well understood and have controls such as smoke detectors and a fire evacuation plan which are routinely tested. The same cannot be said for IT security.
Board level disconnect: IT and information security are not routinely discussed at board level.
Economic conditions: security becomes a low priority.
Lack of regulatory appetite in Jersey: neither the Information Commissioner nor the JFSC is driving this, so business sees no need to do anything!
Enforcement
UK Information Commissioner's Office
DM Design, a Glasgow based marketing company, fined £90,000 after 2,000 complaints about unwanted marketing calls.
Nursing and Midwifery Council fined £150,000 for the loss of three DVDs containing sensitive data about a misconduct hearing and evidence from vulnerable children.
Sony fined £250,000 for the loss of gamers' data after the Sony PlayStation Network was hacked.
Greater Manchester Police fined £120,000 for not protecting personal data.
Stoke-on-Trent City Council fined £120,000 for emailing sensitive data about children to the wrong person.
Prudential fined £50,000 after the merging of account data led to one account being credited wrongly.
Further Information
Links
Krebs on Security
UK Cabinet Office Cybercrime Report – https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf
Verizon Data Breach Report 2012 – http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1
IBM X-Force Security Report – http://www-03.ibm.com/press/uk/en/pressrelease/38928.wss
Solutionary Global Threat Intelligence Report – http://blog.solutionary.com/blog/?Tag=GTIR
UK Information Commissioner's Office – http://www.ico.gov.uk/
Jersey Data Protection – http://www.dataprotection.gov.je/cms/default.htm
Questions?