Infosec lecture-final
- 1. © Cyberkryption 2013
Can you protect and secure your data to prevent damage to your reputation?
Date: 16th April 2013 By: Paul Dutot
- 2. © Cyberkryption 2013
About Me
Former Air Traffic Engineer – 15 Years
Incorporated Engineer / Chartered IT Professional
MCTS / MCSE / Solaris / Security +
Offensive Security Certified Professional
Tiger Scheme Qualified Security Tester
Information Security / Penetration Testing
Owner – Cyberkryption.com
Cyberkryption | Floor 1 | Liberation Station | Esplanade | St.Helier | Jersey | JE2 3AS
T: +44 (0) 1534 719 123 | http://www.cyberkryption.com | enquiries@cyberkryption.com
Paul Dutot
IEng MIET MBCS CITP
Questions at the end please
- 3. © Cyberkryption 2013
Agenda
Introduction to Information Security - A History.
Components of Information Security - ISO 27001 Definitions / CIA Triad / PDCA Cycle
Key Features and Benefits of Information Security
Security Types – Offensive and Defensive
Scenario 1 - Contact information on your public facing website.
Scenario 2 - Running a wireless network for business.
Scenario 3 – Running web applications or a website for your business?
Barriers to Adoption
Enforcement
- 4. © Cyberkryption 2013
Introduction to Information Security
History
Julius Caesar circa 50 B.C. | 1940 – 1945 Enigma Machine | 2004 - GCHQ Cheltenham
"It's so easy to get into corporate networks that a determined 12-year-old with good Internet access could download the tools" – James Lewis, Centre for Strategic and International Studies, Advisor to Congress and Obama
"Cyber attacks can cost billions of dollars, lead to stolen industry secrets and place the U.S. at a competitive disadvantage" – President Barack Obama
2012 - Data Loss | 2012 - Cost to Individuals | Espionage – Financial services
- 5. © Cyberkryption 2013
Introduction to Information Security
Information Security – ‘preservation of confidentiality, integrity and availability of
information; in addition to other properties such as authenticity, accountability, non
repudiation and reliability’
An information Asset – ‘anything that has value to an organization’
Confidentiality – ‘information is not made available or disclosed to unauthorized
individuals, processes or entities’
Integrity – ‘safeguarding of the accuracy and completeness of an information asset’
Availability – ‘being accessible and useable upon demand by an authorized entity’
IT Security – Information Security applied to technology
ISO 27001 - Definitions
- 6. © Cyberkryption 2013
Introduction to Information Security
CIA Triad – diagram of Confidentiality, Integrity and Availability
- 7. © Cyberkryption 2013
Introduction to Information Security
Plan Do Check Act Cycle
Plan → Do → Check → Act
Continuous Improvement Cycle
Central part of any information security strategy.
Can be formalised in an information security management system (ISMS)
Should be part of Business Risk Mitigation
- 8. © Cyberkryption 2013
Introduction to Information Security
Benefits
Improves Business Processes – a comprehensive information security policy will improve the efficacy of other business processes such as disaster recovery and business continuity
Gain a Competitive Advantage – taking every measure to protect your business data can only increase the level of confidence that your clients have in your business.
Business Resilience – the protection of business critical information is crucial to the productivity and continuity of your organisation.
Meet Regulatory and Compliance Demands – the need to comply with statutory, contractual or regulatory obligations is necessary for the majority of businesses in all market sectors, such as JFSC.
Risk Mitigation – implementing an information security strategy will make certain that you can react.
Peace Of Mind
- 9. © Cyberkryption 2013
Introduction to Information Security
Key Features – A Formula One Pit Stop Analogy
It should benefit whole organisation
Should balance business needs vs. risk
It should have people controls
It should have technical controls
People v Technical should be 50 / 50 split
Payment Card Industry Data Security Standard (PCI-DSS) is a good example
The whole organisation must participate, with leadership from above
- 10. © Cyberkryption 2013
Introduction to Information Security
Security Types – Defensive and Offensive Security
Defensive Security
Anti virus, systems patching and firewalls
Reactionary and takes no account of ‘human factors’
Offensive Security
Security testing from an attacker’s ‘point of view’
It is designed to specifically target your company’s infrastructure and identify security issues or confirm security posture. It is commonly called Penetration Testing / Vulnerability Assessments
Any information security strategy should contain both elements
- 11. © Cyberkryption 2013
Scenario 1
Public Contact Information
Business Perspective
Objective: To put our contact details on our website so we can be contacted more easily. Benefit 10/10
Risks: We suffer spam or malicious email such as a phishing email. Risk 2/10
Malcontent’s Perspective
If they are giving out email information so easily we should be able to get plenty of other information to help us. We can send them a malicious email to try to get a foothold inside their network.
There are 3 forms of phishing: mass mailing, spear phishing and whaling.
We can entice them to a similar website to get users to reveal their information!
Metasploit Pro has a social engineering module for phishing attacks. We can also do this manually, but it is a lot more work.
- 12. © Cyberkryption 2013
Scenario 1
Public Contact Information
Meet Toddington International
100s of places to search for information
In 18 handy categories!
Including Social Media and username searches.
Pipl – a people search engine
Google Hacking Database
Jigsaw – great for business info
Shodan – device search engine
Maltego can automate this for us. However, with practice you can find a lot of information about a company within one hour
- 13. © Cyberkryption 2013
Scenario 1
Public Contact Information
People Controls
Plan
  Control: User awareness training on phishing
  Benefit: 1. Reduce risk of compromise. 2. Network of ‘sensors’ to warn IT of potential attacks. 3. Users become more security aware in their personal internet life
  Control: Appraise users of email testing
  Benefit: Users are aware that testing is being conducted and are not surprised
Do
  Control: Conduct email phishing security testing
  Benefit: 1. Simulates a real world attack. 2. Identifies weaknesses, i.e. spots where your security is most vulnerable. 3. Controls risk – provide targeted security awareness training and tweak technical controls
Check
  Control: See how effective the email phishing campaign was and interact with users accordingly
  Benefit: Both the users and the company are now more aware of their risk exposure
Act
  Control: Redefine testing parameters
  Benefit: Testing will now become more targeted
- 14. © Cyberkryption 2013
Scenario 1
Public Contact Information
Technical Controls
Plan
  Control: Check technical systems are patched and up to date. Check configurations of technical controls and procedures
  Benefit: Your controls and procedures have been reviewed. Honestly, when did you last do this?
Do
  Control: Conduct email phishing security testing
  Benefit: Tests efficacy of technical controls and procedures
Check
  Control: See how effective technical controls and procedures are
  Benefit: Both the users and the company are now more aware of their technical controls and any changes needed
Act
  Control: Redefine testing parameters
  Benefit: Technical controls will improve
- 15. © Cyberkryption 2013
Scenario 1
Public Contact Information
Dip Test – Legal Sector Jersey (bar chart, x-axis 1–11, scale 0–200; series: Number On Website, Number Of Email Addresses, Vcards for Individuals)
The data was obtained simply by browsing their websites. We also found a few LinkedIn profiles as well as a CV or
two!! The picture is very similar in other sectors such as banking, trust and small businesses.
- 16. © Cyberkryption 2013
Scenario 1
Public Contact Information
Case Study RSA
Attackers used a targeted email.
They attached an Excel spreadsheet titled “Recruitment Plan”.
The technical solutions did their job.
One of the targets took it out of his junk email folder.
The rest is history!!!
1/3 of all RSA tokens had to be replaced.
Cost: $66M between April and June 2011.
- 17. © Cyberkryption 2013
Scenario 2
Running a wireless network for business
Business Perspective
Objective: To have a wireless network so that we can use wireless devices such as laptops and tablets, and clients can connect to it when doing business with us. Benefit 10/10
Risks: We will have it installed by IT or our IT service provider. Risk 0/10
Malcontent’s Perspective
Have they set this up properly? Do they know what information is being broadcast? Do they monitor their wireless? Is there intrusion or rogue access point detection? Do they patch their wireless devices? Is there an open WI-FI access point? Are they running WPA2 with WI-FI Protected Setup?
If any are yes, we possibly have access to their internal network!!!
- 18. © Cyberkryption 2013
Scenario 2
Running a wireless network for business
Meet Wigle.net
Green = open network | Yellow = weak encryption | Red = maybe secure
- 19. © Cyberkryption 2013
Scenario 2
Running a wireless network for business
Meet MiniPwner. Would you notice this on a desk? Probably. But what if it was tangled up in a load of cables or under a desk?
Battery powered
Custom WI-FI access point
Can send connections to the outside world!!
Costs less than £50 to build
It’s only 5.7cm square
It can scan your network for vulnerabilities
- 20. © Cyberkryption 2013
Scenario 2
Running a wireless network for business
People Controls
Plan
  Control: Check procedures are up to date and have been reviewed
  Benefit: Your controls and procedures have been reviewed. Honestly, when did you last do this?
Do
  Control: Conduct wireless security awareness training
  Benefit: Tests efficacy of people controls and procedures
Check
  Control: See how effective people controls and procedures are
  Benefit: Both the users and the company are now more aware of their procedures and any changes needed
Act
  Control: Redefine testing parameters
  Benefit: Procedures will improve
- 21. © Cyberkryption 2013
Scenario 2
Running a wireless network for business
Technical Controls
Plan
  Control: Check technical systems are patched and up to date. Check configurations of technical controls and procedures
  Benefit: Your controls and procedures have been reviewed. Honestly, when did you last do this?
Do
  Control: Conduct wireless security testing
  Benefit: Tests efficacy of technical controls and procedures
Check
  Control: See how effective technical controls and procedures are
  Benefit: Both the users and the company are now more aware of their technical controls and any changes needed
Act
  Control: Redefine testing parameters
  Benefit: Technical controls will improve
- 22. © Cyberkryption 2013
Scenario 2
Running a wireless network – DIP Test: WI-FI Security Jersey 2011
Survey carried out 12-15th December 2011 – survey of 13,168 access points
State of WI-FI Security Lecture for BCS in March 2012
13.9% (1835) = no encryption
19.37% (2551) = WEP
33.27% (4386) are insecure, i.e. WEP or no encryption
53.9% (7097) are made by Netgear
29.1% (2066) of Netgear routers are insecure
A States of Jersey building has no encryption, i.e. open, still one year later!!!
- 23. © Cyberkryption 2013
Scenario 2
Running a wireless network – Demo 1: WPS Insecurity
A good WPA2 password would take more than a lifetime to brute force
If WPS is enabled then this can reduce to 3-5 hours
Reaver can do this and it has the ability to save sessions. It can also be installed on an Android smartphone!!!!
- 24. © Cyberkryption 2013
Scenario 3
Running web applications or a website for business
Business Perspective
Objective: To have a web application to fulfil a business service online, or a website to promote our business
Risks: We will have it built by a local web design company who provide a package including hosting. Risk 2/10
Malcontent’s Perspective
Is this website running on shared hosting?
Is the website or application security outdated?
Is debugging information available?
Is there a file upload facility?
A ‘yes’ to any of the above could mean you are vulnerable to exploitation
- 25. © Cyberkryption 2013
Scenario 3
The dangers of shared hosting for business – What is Shared Hosting?
Company A – Static Site | Company B – WordPress | Company C – Joomla
Each website is a folder on the server
The database on the server is common to all sites
The firewall is common to all sites and under the control of the ISP.
But it is cheap web hosting
It is not suitable for businesses that would require control of firewalls and databases
It is also very difficult to make secure!!
- 26. © Cyberkryption 2013
Scenario 3
The dangers of shared hosting for business – The Directory Symlink attack
Company A – Static Site | Company B – WordPress | Company C – Joomla
Company B is the target
The attacker finds a plugin vulnerability in Company C’s website.
The attacker then creates symlinks to read configuration files on all sites.
The attacker logs into the database on Company B and C, changing the website admin password.
The attacker logs into the web admin portal = Game Over!!
You only need one vulnerable site for this attack to work!!
It is not uncommon for there to be up to 30-50 websites on a large shared hosting server.
There are tools and scripts available on the internet!!!
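As an added defender-side example (not from the slides), a small Python scan that walks each site's directory on a shared host and reports symlinks whose resolved target lies outside that site's own root, which is the footprint the symlink attack above leaves behind. The three-company layout and file names are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(site_root):
    """Return (link_relative_to_root, resolved_target) for every symlink below
    site_root whose target resolves to a location outside site_root."""
    root = Path(site_root).resolve()
    findings = []
    # followlinks=False: never descend into a symlinked directory, just inspect it
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = Path(os.path.realpath(link))  # non-strict: dangling links still resolve
            try:
                target.relative_to(root)           # inside the site: legitimate
            except ValueError:
                findings.append((str(link.relative_to(root)), str(target)))
    return findings


def build_demo_hosting(base):
    """Construct a toy shared-hosting tree (constructed data, not real sites):
    company_a (static), company_b (WordPress), company_c (Joomla)."""
    base = Path(base)
    configs = {
        "company_a": "config.ini",
        "company_b": "wp-config.php",
        "company_c": "configuration.php",
    }
    for site, cfg in configs.items():
        (base / site / "public_html").mkdir(parents=True)
        (base / site / cfg).write_text("# constructed placeholder secrets\n")
    # Legitimate: a link that stays inside company_c's own tree.
    os.symlink(base / "company_c" / "configuration.php",
               base / "company_c" / "public_html" / "local_copy.php")
    # The pattern from the slide: a link planted in company_c's web root that
    # points at company_b's database configuration on the same server.
    os.symlink(base / "company_b" / "wp-config.php",
               base / "company_c" / "public_html" / "b.txt")
    return base


def scan_all_sites(base):
    """Scan every site directory under base; returns {site: findings}."""
    base = Path(base)
    return {p.name: find_escaping_symlinks(p)
            for p in sorted(base.iterdir()) if p.is_dir()}


def demo():
    """Build the constructed tree in a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_all_sites(build_demo_hosting(tmp))


if __name__ == "__main__":
    for site, hits in demo().items():
        print(site, "clean" if not hits else hits)
```

A scan like this only tells you a boundary was crossed; on a real host it sits alongside per-site OS users and the web server's own guards (e.g. Apache's SymLinksIfOwnerMatch, PHP's open_basedir).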
- 27. © Cyberkryption 2013
Scenario 3
The dangers of shared hosting for business – The File Upload Risk
Company A
Company A allows file uploads
The attacker uploads the appropriate shell
The attacker then triggers execution of the shell program.
The attacker receives a command prompt from the webserver.
The attacker now has the permissions of the webserver
If he can elevate privileges = Game Over
The attacker logs in to the database and changes the admin password.
File type protection can be bypassed using an intercepting proxy
We could always upload a trojan file for them to download
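As an added example, not taken from the slides or from DVWA, a Python sketch of the server-side upload checks that still hold when an intercepting proxy rewrites the filename and Content-Type: an extension allow-list, magic-byte verification of the actual bytes, a polyglot check, and a server-chosen random file name stored without the execute bit. The allow-list and the sample uploads are constructed.

```python
import os
import secrets

# Constructed allow-list: extension -> magic-byte prefixes the content must start with.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}
SCRIPT_MARKERS = (b"<?php", b"<script", b"<%")


class UploadRejected(Exception):
    pass


def validate_upload(filename, declared_content_type, data):
    """Trust only the bytes. Returns the extension to store under, or raises."""
    # Client-supplied path components and Windows separators are discarded.
    base = os.path.basename(filename.replace("\\", "/"))
    # Judge by the last suffix only, so 'shell.php.png' is checked as a .png.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    # The Content-Type header is whatever the proxy set it to: log it, never trust it.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected(
            f"bytes do not match .{ext} (declared {declared_content_type!r} ignored)")
    # An image that also carries script tags is a polyglot aimed at a mis-handled server.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise UploadRejected("script markers inside an image/document")
    return ext


def store_upload(filename, declared_content_type, data, upload_dir):
    """Validate, then write under a random server-chosen name, non-executable."""
    ext = validate_upload(filename, declared_content_type, data)
    stored_name = f"{secrets.token_hex(16)}.{ext}"   # attacker never picks the path
    path = os.path.join(upload_dir, stored_name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)                             # read-only data, no execute bit
    return stored_name


def demo_cases():
    """Constructed uploads as a proxy could present them; returns a verdict per case."""
    cases = {
        "real_png":       ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        "script_ext":     ("tool.php", "image/png", b"<?php echo 'placeholder'; ?>"),
        "renamed_script": ("logo.png", "image/png", b"<?php echo 'placeholder'; ?>"),
        "polyglot_png":   ("logo.php.png", "image/png",
                           b"\x89PNG\r\n\x1a\n" + b"<?php echo 1; ?>"),
        "exe_as_pdf":     ("report.pdf", "application/pdf", b"MZ\x90\x00" + b"\x00" * 8),
    }
    verdicts = {}
    for label, (name, ctype, data) in cases.items():
        try:
            verdicts[label] = ("accepted", validate_upload(name, ctype, data))
        except UploadRejected as err:
            verdicts[label] = ("rejected", str(err))
    return verdicts


if __name__ == "__main__":
    for label, verdict in demo_cases().items():
        print(f"{label:15} {verdict[0]:8} {verdict[1]}")
```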
- 28. © Cyberkryption 2013
Scenario 3
The dangers of shared hosting for business – The File Upload Risk Demo
DVWA Demo
- 29. © Cyberkryption 2013
OWASP 2013
Open Web Application Security Project
1. Injection – we can inject code into the application in some form, e.g. SQL via a field
2. Cross Site Scripting – can we cause a malicious script to be included from a different domain when a browser visits an infected page?
3. Session Authentication and Management – we need to know who you are and what rights you have, and manage correct exchanges of information
4. Insecure Direct Object Reference – we need to check to see if you are authorised for a file or resource.
5. Cross Site Request Forgery – can we get a logged-in user to include a malicious request from a different domain to trick the application into changing something, e.g. router admin password!!
6. Security Misconfiguration – no need to explain.
7. Insecure Cryptographic Storage – we don’t protect important information with as good encryption as we should have done.
8. Failure to Restrict URL Access – are you authorised to browse to a URL? Think admin area of website
9. Insufficient Transport Layer Protection – we need to protect important data when we send it.
10. Unvalidated Redirects and Forwards – we should not just send the browser somewhere without first checking, i.e. hsbc.c0.uk is not hsbc.co.uk
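An added Python example (not from the slides) for item 10: a redirect-target check that only follows site-relative paths or absolute URLs whose host is on an allow-list, so the hsbc.c0.uk look-alike, a protocol-relative //host, or a trusted name hidden in the userinfo part never pass. The trusted-host list and the sample targets are constructed.

```python
from urllib.parse import urlsplit

# Constructed allow-list of hosts this application may redirect to.
TRUSTED_HOSTS = {"hsbc.co.uk", "www.hsbc.co.uk"}
SAFE_DEFAULT = "/"


def safe_redirect_target(target, default=SAFE_DEFAULT):
    """Return target if it is a same-site path or points at a trusted host,
    otherwise return default. Never raises."""
    if not target or "\r" in target or "\n" in target:
        return default                       # empty, or a header-injection attempt
    # Browsers treat backslashes like slashes; normalise before parsing so
    # '/\\evil.example' is seen as the protocol-relative '//evil.example'.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash, no host component.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default                       # javascript:, data:, and friends
    host = (parts.hostname or "").lower()    # drops 'user@' and ':port'
    return candidate if host in TRUSTED_HOSTS else default


def demo_targets():
    """Constructed ?next= values a login page might receive, with the verdict."""
    samples = [
        "/account/summary",
        "https://www.hsbc.co.uk/online-banking",
        "https://hsbc.c0.uk/online-banking",     # the slide's look-alike domain
        "https://hsbc.co.uk.evil.example/",      # trusted name as someone else's subdomain
        "https://hsbc.co.uk@hsbc.c0.uk/login",   # trusted name hidden in userinfo
        "//hsbc.c0.uk/login",                    # protocol-relative
        "/\\hsbc.c0.uk/login",                   # backslash variant of the above
        "javascript:alert(1)",
        "",
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for requested, followed in demo_targets().items():
        print(f"{requested!r:45} -> {followed}")
```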
- 30. © Cyberkryption 2013
Scenario 3
Running web applications or a website for business
Debugging information available
- 31. © Cyberkryption 2013
Scenario 3
Running web applications or a website for business
Poor authentication handling.
- 32. © Cyberkryption 2013
Scenario 3
Running web applications or a website for business
Poor ‘404’ error handling.
Since January 2013
2 x debugging information
1 x authentication
1 x error handling
Security testing would have found all these errors
- 33. © Cyberkryption 2013
Barriers to Adoption
Apathy: A Case Study
A local law firm’s website was hacked, with a page inserted for an online pharmacy selling Viagra
Became public on the 4th December 2012
The solution is to build a new website?
Need to fix the security problem with the current one!!
‘While we have ventured out into some new areas such as conveyancing and wills, we do not sell Viagra. We have contacted our website provider who has stated that it is the first time he has experienced an event such as this and we have since taken steps to ensure that it is very unlikely to happen again. We have, however, made use of the occasion to examine our website and plan a re-launch in the near future. Sadly, it has meant that our on-line procedural guide to the Royal Court Rules is temporarily unavailable.’
Google ranked the site as being compromised shortly after
- 34. © Cyberkryption 2013
Barriers to Adoption
Apathy: A Case Study
This is how Google ranked the firm on the 1st February 2013 – 59 days of reputational damage
- 35. © Cyberkryption 2013
Barriers to Adoption
Apathy: A Case Study
This is how Google ranked the firm on the 22nd March 2013 – 108 days of reputational damage and no new website.
Would you trust them with your information?
- 36. © Cyberkryption 2013
Barriers to Adoption
Further Barriers
It is an intangible benefit
Thought to be IT’s problem
It is not well understood in business terms – for example, fire risks are well understood and have controls such as smoke detectors and a fire evacuation plan which are routinely tested. The same cannot be said for IT security
Board level disconnect – IT & Information Security are not routinely discussed at board level.
Economic conditions – security becomes a low priority
Lack of regulatory appetite in Jersey – no Information Commissioner and JFSC = no need for business to do anything!!
- 37. © Cyberkryption 2013
Enforcement
UK Information Commissioner’s Office
DM Design, a Glasgow-based marketing company, fined £90,000 after 2,000 complaints about unwanted marketing calls.
Nursing and Midwifery Council fined £150,000 for the loss of 3 DVDs containing sensitive data about a misconduct hearing and evidence from vulnerable children.
Sony fined £250,000 for loss of ‘gamers’ data after the Sony PlayStation Network was hacked.
Greater Manchester Police fined £120,000 for not protecting personnel data.
Stoke-on-Trent fined £120,000 for emailing sensitive children’s data to the wrong person.
Prudential fined £50,000 after merging of account data led to one account being credited wrongly
- 38. © Cyberkryption 2013
Further Information
Links
Krebs on Security
UK Cabinet Office Cybercrime Report - https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/60943/the-cost-of-cyber-crime-full-report.pdf
Verizon Data Breach Report 2012 - http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1
IBM X-Force Security Report - http://www-03.ibm.com/press/uk/en/pressrelease/38928.wss
Solutionary Global Threat Intelligence Report - http://blog.solutionary.com/blog/?Tag=GTIR
UK Information Commissioner’s Office - http://www.ico.gov.uk/
Jersey Data Protection - http://www.dataprotection.gov.je/cms/default.htm
- 39. © Cyberkryption 2013
Questions?