Welcome to
Mark Stephen
Conference Chair
@bbcscotland
#scotsecure
Ray Bugg
DIGIT
@digitfyi
#scotsecure
www.digit.fyi
www.digitleaders.com
DI Eamonn Keane
Police Scotland
@policescotland
#scotsecure
What can we do to fight back?
Scot- Secure Conference
March 2017.
Agenda
Scottish, UK & Global Perspective!
The current threat landscape!
The challenges to LE & Policing!
The LE response - NCCU & Police Scotland!
Are we getting the message across?
What can we do to fight back?
Collaboration & Prevention.
Good News - Look Forward!
ORIGINAL HUB CONCEPT
SG/NCSC EUROPOL
POLICE / SENIOR TECH COMMUNITY /
INVESTIGATIONS .
TIER 4 – SCOTLAND’S TECH COMMUNITY
DEVELOPMENT
TIER 3 – ACADEMIA / R & D
TIER 2– SOC / TRUSTED PARTNERS
TIER 1– APPRENTICES / GRADUATES
Cyber Regional Organised Crime Units
Cyber is impacting on the police response across the full crime spectrum: stalking, bullying, cyber fraud, SOCG, sexual offenders, indecent images of children, cyber-dependent crimes (e.g. hacking, malware, DDoS), anti-social behaviour and cyber terrorism.
What we do know!!
• The cyber threat to UK business is significant
and growing.
• This threat is varied and adaptable.
• The rise of internet connected devices gives
attackers more opportunity!
• The past year has been punctuated by cyber
attacks on a scale and boldness not seen before!
• The UK & Scottish government is committed to making the UK a
secure and resilient digital nation
• Under-reporting.
Scenario 2 – Malware
Malware, Phishing, Ransomware, Social Engineer, Hacker
Some Brief Examples… The Usual Suspects
Key questions that all CEOs & CISO’s should
be asking this week?
• "Are we vulnerable to a cyber intrusion, SQL injection, ransomware or DDoS based attacks?"
• "What assurance activity have we done to confirm that we are not vulnerable?"
• "If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?"
• "Are we satisfied that we have engaged sufficient 3rd party security provision?"
• "What is our company ethos & posture on security?"
• "What is, and how vibrant is, your overarching cyber security policy?"
Cyber Attacks are on the rise
The Main Threats…
Hacktivism
• Hacking organisations they don't agree with
• Politically motivated
• Mainly defacement of websites and public disclosure of information
• Organised but dispersed
• Anonymous, New World Hacking, Lizard Squad
Organised Crime
• Well funded cyber crime groups
• Financially motivated
• Mainly ransomware, stealing of personal info/credit card info, and hacking
• Highly organised and well funded
• Carbanak Cyber Gang, Janus Sec etc.
Espionage
• State sponsored
• Politically & financially motivated
• Mainly covert hacking and custom malware, targeting sensitive IP and CNI
• Extremely organised and well funded
• TAO, APT 28, APT 17, Bureau 21
The Main Threats…
Bedroom Hackers
• Teenagers with a point to
prove
• Motivated by recognition and
quick cash
• Mainly defacement of
websites and public
disclosure of information
• Have been quite successful at 'low hanging fruit'
• They have been individuals or
‘front people’ of a group
Growing Cadre of Hacking Groups
• Anonymous
• LulzSec
• Lizard Squad
• New World Hacking Team
• DD4BC
• The Impact Team
• The Armada Collective
• Syrian Electronic Army
• 16.66
• PhantomSec
ORGANISED CRIME
The skillsets
• Feezan Hameed
• £60 - £113 million Frauds
• Vishing / Social engineering of
Banking customers
• Data acquired including account
details/passwords
• Money transferred online – mule account networks
• UK wide investigation
• Numerous UK Law Enforcement
• Arrested in Paris on false passport
• Convicted and sentenced to 11 years
imprisonment
• Customer education?
Op Backbone
•UK Bank
•Frauds
•Exfiltration of bank customer data
•Bank employee
•Live customer data for sale on dark web
•Data used to commit further frauds
•Customer data recovered at home address
•Arrested / Convicted
•£23,000 seized POCA from account
•Print? Business Need/Auditable?
Operation Mouse - Police Scotland Website
Operation Vulcanalia
The NCCU/PSOS Operation Vulcanalia targeted
users of the Netspoof DDoS-for-hire tool.
Based on intelligence gathered by the West
Midlands Regional Cyber Crime Unit, a week of
action in December 2016 saw more than 60
individuals targeted, resulting in 12 arrests,
over 30 cease and desist notices served, two
cautions issued and one protective visit made.
The Avalanche network
was used as a delivery platform to launch and manage mass global
malware attacks and money mule recruiting campaigns. It has
caused an estimated EUR 6 million in damages in concentrated
cyberattacks on online banking systems in Germany alone. The
global effort to take down this network involved the crucial support
of prosecutors and investigators from 30 countries. As a result, 5
individuals were arrested, 37 premises were searched, and 39
servers were seized. Victims of malware infections were identified
in over 180 countries. Also, 221 servers were put offline through
abuse notifications sent to the hosting providers. The operation
marks the largest-ever use of sinkholing to combat botnet
infrastructures and is unprecedented in its scale, with over 800,000
domains seized, sinkholed or blocked.
Cyber Resilience is thorough Preparation
Overarching Cyber Security Strategy!
Pre-planned Exercise.
Incident Management & Response Plan.
Communications Strategy.
Investigative Strategy.
Incident Manager & Team
Gold, Silver, Bronze.
Mitigation & Recovery Strategy.
Logistics - Contingency
Scotland’s Future
• International Collaboration
• Government - L.E – Industry – Academia Collaboration
• Joint Working - Intelligence, Technical, Disruption
• Prevention/ Education
• Curriculum for 21st Century
• Upskill Children & Wider Population
• Target Harden Existing Business
• SBRC Role
• Cyber Security Grow as Industry Sector
Cyber Essentials & Cyber Essentials Plus
Cyber Essentials concentrates on five key controls.
These are:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
Fighting back: what can we do?
• Reporting means we can fight back!
• Cyber Policing Structure – NCCU - Regional Hubs- Prevention
• European & Global Co-operation EC3.
• Innovative partnerships.
• Organisational growth and transformation.
• Education, prevention & unprecedented collaboration.
– The Cyber Academy & Scottish Academia R & D.
– Inspire and enthuse - SQA National Progression Awards
– SBRC – Supporting vulnerable SMEs.
– Multi agency, multi disciplined teams protecting Scotland.
European Union General Data Protection
Regulation (GDPR)
Recap
• Cyber Essentials
• Cyber Essentials plus
• Govt backed / Industry supported
• Basic Cyber security hygiene
• Report to Police / CERT-UK / GovCertUK
• Share - CiSP
• Intel / Europol – paints the cyber picture
• Human! Staff education/awareness
• Staff privileges
• Nice v risk?
• Data breach test of scrutiny – did we REALLY do ALL we could?
Thank you for listening
Any Questions?
Eamonn.keane2@scotland.pnn.police.uk
Dr Keith Nicholson
Cyber Security Scotland
#scotsecure
SCOT-SECURE 2017
CYBER DEFENCE STRATEGY FOR
THREAT RISK REDUCTION
Dr Keith Nicholson
Cyber Security
Scotland
March 2017
Dr Keith Nicholson
Independent Cyber Security Advisor
• 25+ years' experience in digital technologies, IT audit and cyber security
• Qualified in cyber security (CISM CISA)
• Scottish Government advisor in Cyber
Security
• Member Cross Public Sector Cyber
Group
• Member Cyber Leaders Board
• Advisor across Public Sector (e.g. SNH,
SEPA, SFC, Revenue Scotland)
Cyber Security
Scotland
Non-Profit Organisation
● established to provide
independent advice & services on
all aspects of cyber security to
public bodies to help create the
intelligent client.
● provides “honest-broker”
guidance on ICT, cyber security
strategy development, tender
specifications, procurement
exercises and project management
to deliver Best Value.
BUILDING A CYBER DEFENCE STRATEGY
Challenges: IT Team
• Management expectations on skills
• Winning investment & management buy-in
• Not just a technical issue
BUILDING A CYBER DEFENCE STRATEGY
Challenges: Board
• Lack of cyber understanding
• Failure to appreciate risk & ROI
• Belief technology is a silver bullet
• Lack of integration of HR, Finance & Procurement as well as IT in cyber defence strategy
Cyber Defence:
BUILDING A RESILIENT ORGANISATION
• Secure technology
• Challenging suppliers - lifecycle & supply chain
• Training and awareness in staff
• Policies & procedures in HR, Finance, Procurement, IT
• Senior management responsibility
• Becoming an intelligent client: know what you don't know
THREAT
RESEARCH
Threat Risk Areas
KEY CYBER THREAT
RISK AREAS
• Procurement
• Payroll
• Data Theft
• Disruption
THREAT VECTORS
• Culture &
Behaviours
(Poor and well-
intentioned)
• Technical
Goals
Credential theft; Financial gain; service disruption
Incident Patterns
NB: Classification can vary between sectors
Data Breach Patterns
Current Common Threats
• Malware – Ransomware
• Credential theft – webmail; keylogging
• Drive-by downloads from websites
• POS attacks
• DDoS – transactional servers / websites
• Web site defacement
• Dark web – malware / hackers for hire;
risk-reward model
TECHNICAL & PEOPLE BASED
Common attack vectors
BEHAVIOURAL
VULNERABILITIES
• Domestic technology use =
embedded behaviours
brought into workplace
• Changing attitudes to privacy
and sharing personal
information
TECHNICAL
• Phishing - Email – malware –
ransomware, key loggers
• Email attachments – e.g.
“invoices”
• Email – person pretext (e.g. I’m
xxx’s boss; CFO instructing invoice
approval)
• Vishing – elicitation of key
information in conversation
Threat Data
• Time to compromise – 82% in
minutes (phishing to steal
credentials)
• Time to exfiltration – 68% in days
(capture & export data)
• Detection deficit – only ca 20% of attacks detected within days [1]
• 68% of attacks are malware, 32% by pretext [2]
[1] Verizon 2016 Data Breach Investigations Report
[2] HMG, Ipsos MORI, University of Portsmouth, Cyber Security Breaches Survey May 2016
• Oldies still goodies – top 10
vulnerabilities older than one year
• Software vulnerabilities – time
between publication and
exploitation:
– Adobe, Microsoft, Oracle fastest to be
compromised
– Apple and Mozilla slowest
• Helps focus patch management
CYBER DEFENCE
STRATEGY
5-Step Threat Reduction Strategy
1. Recognise the threat & take responsibility at
Board level – Exec & Non-Exec
2. Risk & Business Impact assessment of
technical & organisational vulnerabilities
3. Secure the technology
(resources prioritised via Risk & Business
Impact assessment)
4. Create a cyber-aware culture
5. Evolve to become an Intelligent Client
Becoming the Intelligent Client
• Recognise what you don't know (Known Unknowns) – audit systems, policies & procedures via a "critical friend"
• Recognise you don't know what you don't know! (Unknown Unknowns) – get Directors and staff training, both technical and general awareness
• Challenge suppliers: service lifecycle and supply chain; build security into procurement specifications
• Don't rely only on supplier advice (Audit Scotland)
• Seek "honest broker" independent advice where needed
CYBER DEFENCE
ACTION PLAN
1. Assess and test Cyber Awareness Maturity level:
• At board level
• Amongst general staff
• Amongst technical teams
2. Undertake a Cyber Security audit with risk assessment to:
• Identify technical & cultural vulnerabilities and threats
• Prioritise resource allocations proportionate to risk
• Identify staff skills gaps
3. Create a staff development strategy for ongoing awareness
/ technical training
4. Develop a Proactive & Responsive Cyber Strategy, Policies
& Continuous Improvement Plan to address continuing and
changing threats
Cyber Defence Action Plan
Summary
• Needs Board & Senior Management commitment
– risk awareness, RoI and investment buy-in
• Cross-organisation responsibility:
– HR for OD, staff training and vetting; Finance, Procurement for fraud detection; IT for
technology
• Define your needs and challenges
– Technological as well as Staff and Suppliers via Gap Analysis
• Set realistic development plan & expectations
– Cultural change is not achieved overnight
• Keep your eye on the threat
– Staff development
– Continuous improvement plan
– Monitor, mentor, measure
THANK YOU
KEITH NICHOLSON
T: 01847 500 101
M: 07899 062 965
E: KNICHOLSON@CYBERSECURITY.SCOT
Jenny Radcliffe
Social Engineer & Negotiator
@Jenny_Radcliffe
#scotsecure
People Hacking
The Human Factor in Security
Jenny Radcliffe 2017©
Humans
Predictable?
Motivation
Motivation
Humans
Thank You!
@Jenny_Radcliffe
www.jennyradcliffe.com
Rik Ferguson
Trend Micro
@rik_ferguson
#scotsecure
Ransomware, the scourge of 2016
Rik Ferguson
Vice President Security Research
Trend Micro
(Not so) Humble Beginnings
Ransomware Evolution
Ransomware Evolution
Image credit: www.botnets.fr
Ransomware Evolution - CryptoLocker
Ransomware in 2016
• 2016 Losses $1B
• 246 new families in 2016 alone
compared to 29 for 2015. 748%
increase.
• PhishMe Report: As of the end of
Q3’16, 97% of all phishing emails
contained crypto-ransomware
• InfoBlox Report: Ransomware
Domains Up By 35 fold In Q1’16
Ransomware Targeting Businesses
Ransomware Infection Vectors
UK Ransomware Survey
• Just over two thirds (69%) of UK ITDMs have heard about
ransomware and know how it works.
• Four fifths (82%) consider ransomware to be a threat to their
organization, while 18% do not.
• The average ransomware request received was £540, although for
20% of those infected, the request was more than £1,000.
• Nine in ten (89%) reported a time limit on paying the ransom, with
the time limit being 19 hours on average.
• Organizations affected by ransomware estimate they spent 33 man
hours on average fixing the issues caused by the ransomware
infection.
UK Ransomware Survey
• Two thirds (65%) ended up paying the ransom. However, only 45% of those infected got their data back by this means, while 20% paid a ransom and did not get their data back.
• The three most common reasons for paying the ransom:
– They were worried about being fined if the data was lost – 37%
– The data was highly confidential – 32%
– The ransom amount was low enough to count as cost to business – 29%
• Seven in ten (69%) think their organization will be targeted by ransomware in the
next 12 months.
• 77% have an incident response plan in case of infection with ransomware
– Only 44% have tested their incident response plan, while a third (33%) have a
plan in place without testing it.
Notable Ransomware Families
2016
A ROGUES' GALLERY
Locky – Malicious Macros
Ransom_LOCKY is requesting
0.5 Bitcoin ransom ($209.27)
Crysis – A Hands-On Threat Actor
A sample infection flow of Crysis via an RDP brute force attack
Cerber A Ransomware Factory
It replaces the system's current wallpaper with this image:
Stampado – Ransomware as a Service
Exploits and Exploit Kits in 2016
A DECLINING INDUSTRY?
The demise of the Exploit Kit?
Neutrino Price Increase (chart: Neutrino price per month): $3,500 before Angler disappeared, $7,000 after Angler disappeared.
Rate of Vulnerability Additions to Exploit Kits
Exploit Kit / Ransomware Relationship

| Exploit Kit | Delivered Ransomware (2015) | Delivered Ransomware (2016) |
|---|---|---|
| Angler | CRYPWALL, CRYPTESLA, CRILOCK | CRYPWALL, CRYPTESLA, CRILOCK, WALTRIX, CRYPMIC |
| Neutrino | CRYPWALL, CRYPTESLA | CRYPWALL, CRYPTESLA, CERBER, WALTRIX, LOCKY, CRYPMIC |
| Magnitude | CRYPWALL | CRYPWALL, CERBER, LOCKY, MILICRY |
| Rig | CRYPWALL, CRYPTESLA | GOOPIC, CERBER, CRYPMIC, LOCKY, CRYPHYDRA, CRYPTOLUCK, MILICRY |
| Nuclear | CRYPWALL, CRYPTESLA, CRYPCTB, CRYPSHED | CRYPTESLA, LOCKY |
| Sundown | | CRYPTOSHOCKER, LOCKY, PETYA, MILICRY |
CVE-2013-2551
Affected software: Microsoft Internet Explorer® 6–10
Description: A use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a
deleted object
CVE-2015-0311
Affected software: Adobe Flash Player 13.0.0.262, 14.x, 15.x, and 16.x–16.0.0.287 on Microsoft Windows® and 11.2.202.438 on Linux
Description: An Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors
CVE-2015-0359
Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before
11.2.202.457 on Linux
Description: An Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used;
failed exploitation attempts likely result in denial of service (DoS)
CVE-2014-0515
Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x–13.0.x before 13.0.0.206 on Microsoft Windows and Mac® OS X® and
before 11.2.202.356 on Linux
Description: An Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows
attackers to run some processes and run arbitrary shellcode
CVE-2014-0569
Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux
Description: An Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors
Top Vulnerabilities Within Exploit Kits
Ransomware Blocks in 2016
2016 Total:
~1B
Fundamental Best Practices
Employee Education
Awareness, best practices,
simulation testing
Keep Current with Patching
Minimize exploits of
vulnerabilities
Access Control
Limit access to business critical data
Back-up and Restore
Automated: 3 copies, 2 formats, 1
air-gapped from network
Smart Protection Network in 2016
… received 2.8T
reputation queries
from customers
… identified 130M
new unique threats
… Blocked 1B
ransomware threats
… blocked 81B
total threats
Thank You
Rik Ferguson
Trend Micro
@rik_ferguson
Questions
& Discussion
Refreshments
& Networking
How To Transform Technical
Security Data Into Business Ready
Metrics
Sean Lever
The Security Assurance Measurement Problem
Transforming Security Data into Business Metrics
How Tenable Helps Bridge the Gap
Agenda
The Security Assurance
Measurement Problem
“CISOs use existing security
metrics that are expressed in
technical security terms, and
are oriented toward technical
security decisions. They report
on what they can vs. what they
should.”
Gartner: Sharpen Your Security Metrics to Make
Them Relevant and Effective, July 10, 2015
BITS AND BYTES DON’T BELONG
IN THE BOARDROOM
“THANKS FOR THE 300 PAGE
SECURITY REPORT”
- Nobody, Ever, Said
51% of CxOs believe there is a 1 in 4 chance that a data breach will have a material impact on their organisation
Source: Securing the C-suite, IBM Institute for Business Value, February 2016
80% of CISOs say their top risks are increasing
Source: Scale Venture Partners and Wisegate Survey, Assessing and Managing IT Security Risks, June 2014
COMPILING METRICS CAN BE DIFFICULT
Measured Quantity of
Malware Detected
According to the “State of
Metric Based Security” Survey
Transforming Security Data into
Business Ready Metrics
What is a Metric?
Metrics are quantifiable measures to track performance.
Metrics are the Rosetta Stone of business communication.
Aligning Metrics to the Business
Metric
Control
Policy
Objective
Monitoring
Control Activities
Risk Assessment
Control
Environment
Wisdom
Knowledge
Information
Data
Defining a Metric
Operations
Compliance
Reporting
Business
Objective
Security
Outcome
Policy
Statement
Control Metric
Examples
Operations
% Critical Systems Patched Within Target Days
% Critical Systems Without Updated Virus Definitions
Compliance
% Critical Systems Within Compliance
Reporting
<Metric> by Site/Location
<Metric> by Business Unit
Characteristics
1. Specific
2. Measurable
3. Actionable
4. Relevant
5. Timely
What is a SMART Metric?
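The slide names the operations and compliance metrics ("% Critical Systems Patched Within Target Days", "% Critical Systems Without Updated Virus Definitions", "% Critical Systems Within Compliance") and the reporting roll-ups by site and business unit, but does not show how they are computed. The following is an added example, not Tenable's code or the deck's own material: it computes those three metrics over a constructed six-host inventory, rolls them up per site and per business unit, and maps a percentage onto a red/amber/green status for a report card. The policy targets (14 days for critical patches, 3 days for virus definitions) and the RAG thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed policy targets (hypothetical values, not from the deck).
PATCH_TARGET_DAYS = 14   # critical patches must be applied within 14 days
AV_MAX_AGE_DAYS = 3      # virus definitions older than this count as "not updated"


@dataclass
class Asset:
    name: str
    site: str
    business_unit: str
    critical: bool
    # Age in days of the oldest critical patch still missing; None means none missing.
    oldest_missing_patch_age_days: Optional[int]
    av_definitions_age_days: int
    compliant: bool   # result of the configuration-compliance audit


# Constructed sample inventory (six hosts, three business units, two sites).
ASSETS: List[Asset] = [
    Asset("web-01", "Edinburgh", "Retail", True, 5, 1, True),
    Asset("web-02", "Edinburgh", "Retail", True, 30, 1, False),
    Asset("db-01", "Glasgow", "Retail", True, None, 7, True),
    Asset("hr-01", "Glasgow", "Corporate", True, 10, 2, True),
    Asset("kiosk-01", "Glasgow", "Corporate", False, 90, 40, False),
    Asset("fin-01", "Edinburgh", "Finance", True, 20, 0, True),
]


def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else None


def metrics_for(assets: List[Asset]) -> dict:
    """The three control metrics from the slide, scoped to critical systems only."""
    crit = [a for a in assets if a.critical]
    patched = sum(
        1 for a in crit
        if a.oldest_missing_patch_age_days is None
        or a.oldest_missing_patch_age_days <= PATCH_TARGET_DAYS
    )
    stale_av = sum(1 for a in crit if a.av_definitions_age_days > AV_MAX_AGE_DAYS)
    compliant = sum(1 for a in crit if a.compliant)
    return {
        "critical_systems": len(crit),
        "pct_patched_within_target": pct(patched, len(crit)),
        "pct_without_updated_av": pct(stale_av, len(crit)),
        "pct_within_compliance": pct(compliant, len(crit)),
    }


def metrics_by(assets: List[Asset], dimension: Callable[[Asset], str]) -> Dict[str, dict]:
    """Roll the same metrics up per site or per business unit (the '<Metric> by ...' reports)."""
    groups: Dict[str, List[Asset]] = defaultdict(list)
    for a in assets:
        groups[dimension(a)].append(a)
    return {name: metrics_for(members) for name, members in sorted(groups.items())}


def rag_status(value: Optional[float], green_at: float = 90.0, amber_at: float = 75.0) -> str:
    """Map a 'higher is better' percentage onto the red/amber/green status a report card shows."""
    if value is None:
        return "n/a"
    if value >= green_at:
        return "green"
    return "amber" if value >= amber_at else "red"


if __name__ == "__main__":
    overall = metrics_for(ASSETS)
    print("Overall:", overall, rag_status(overall["pct_patched_within_target"]))
    for bu, m in metrics_by(ASSETS, lambda a: a.business_unit).items():
        print(f"{bu:10s} patched={m['pct_patched_within_target']}% "
              f"({rag_status(m['pct_patched_within_target'])})")
    for site, m in metrics_by(ASSETS, lambda a: a.site).items():
        print(f"{site:10s} patched={m['pct_patched_within_target']}%")
```

Two design points worth noting. First, every metric has an explicit denominator (critical systems only) and returns None rather than a misleading 0% when a group contains no critical systems, which is what makes the number measurable and relevant in the SMART sense. Second, "% Critical Systems Without Updated Virus Definitions" is a lower-is-better metric, so it should not be fed through rag_status as written; invert it (100 minus the value) or use a separate threshold before it reaches an executive report.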
How Do I Share Metrics?
Where Do I Start?
Security Frameworks / Business Frameworks
National Cyber Security Centre (NCSC)
National Cyber Security Centre (NCSC)
National Cyber Security Centre (NCSC)
How Tenable Helps Bridge the
Gap
✓ Define security metrics that map to your unique
business objectives
✓ Collect comprehensive, reliable data to assess security
and compliance
✓ Use easy-to-read report card format to communicate
security posture to execs
✓ Validate that security program controls are in place and
delivering intended results to maximize your return on
investment
Measuring Security Assurance
INTEGRATED
PLATFORM
SCCV HOST
DATA
PASSIVE
LISTENING
INTELLIGENT
CONNECTORS
AGENT
SCANNING
ACTIVE
SCANNING
Cloud, Devices, Users, Endpoint, Networks, Web, Virtual, Mobile
Tenable Solution Components
Assurance Report Cards
Operations
Compliance
Reporting
Business
Objective
Security
Objective
Policy
Statement
Control Metric
Tenable Critical Cyber Controls
ARCs for Specific Concerns
Geographic ARCs
Figuring out the “right” metrics and compiling them
can be challenging
Metrics provide clear insight into how successfully the IT security team is meeting security and business objectives
Tenable’s sensors and ARCs help you turn technical
data into metrics executives can understand
Summary
• Read the eBook:
Using Security Metrics to Drive Action
• Download the Whitepaper:
Measuring Security Assurance – Turn Technical Data into Metrics
Executives Can Understand
Next Steps
Questions?
Social Engineering – A Career in Engineering whilst being on
the Social
The Art of Manipulating People
or
The Most Important Role for a Security Practitioner is to Eradicate the Need to Prepend Words to the Term Security
The Greatest Risk we face as Risk Owners
are from those with whom we are sharing
the risk.
Person of Interest
Tatty Teddy Rick Steenfield
Practical Examples
Tatty Teddy
Twitter on Tatty Teddy
Over a number of years tweeted as a fan.
On occasion the principal retweeted.
Interaction progressed to the principal commenting.
Fan moves to interact in DM, principal replies.
Fan tweets evolve, becoming more personal.
Tatty Teddy
Principal attempts to ignore and manage fan.
Principal sensitively declines.
Management company running a competition.
Winner of Meet & Greet announced.
Fan requests a meet & greet.
Fan interaction turns hostile.
Fan makes direct threats and becomes hostile online.
Tatty Teddy
> After being single all my life and approaching my 38th birthday, I've
> taken the plunge and signed up with POF. Have never had so much as a
> proper date in all my life, and it's been years since I was even
> remotely looked at by a woman, so I'm not expecting much.
>
> Having looked at who's available in my local area, there isn't much
> going. There are one or two women who are nice looking, but I look
> very young for my age, don't fancy women near to my own age (many
> 30-35s almost look old enough to be my mother), and I feel awkward at
> the thought of looking at women in their late 20s who I might actually
> find attractive. But I'd probably have nothing in common with them.
Tatty Teddy
Alexa Ray Joel
o Alexa, come away with me! I want to take you away! To a place where no-one
can ever hurt you! We can go anywhere. I know places. Places where we can be
alone~or in a big city.It doesn't matter. I want to live a "normal" life with you. I
want to watch you grow old with me, and maybe have a couple of children. You
can be anything you can imagine! A doctor, a factory worker, a scientist, a
photographer! Anything you want. I just have this dream of you and me in a
house and pets and you can be my wife, and I can be your loveslave. Anything
you want. It will be great! We can have a lot of fun together! So, get back to me!
Tell me to go to Hell, tell me that I'm crazy, just tell me how you feel. I love you
and I want you to be happy.
Alexa Ray Joel
Messages start September 4th.
5th – Recounting a Nightmare.
7th – Message of Hate.
Last Message – 13th November.
Alexa Ray Joel
Alexa Ray Joel
Rick Steenfield – 20s – Chicago – McDonald's.
Attended Gordon Central High School.
Legend going back to High School
Alexa Ray Joel
Alexa Ray Joel
Social Engineering - Profiling
What do you want~
Something about me being a lazy drink~I
waste~good
please!~Let me go!
Alexa Ray Joel
One of a handful reporting same geo location.
Similar Interests, Likes.
I envy you~the way you can sing
wrong~I just like them forever!
but here I go~up on the stage, anyway
Alexa Ray Joel
Alexa Ray Joel
Sheryl Finley [Billy Joel] hired a bodyguard to protect his
daughter and contacted [Paul] McCartney,
who recommended a Europe-based
private-security firm not bound by the
same legal restrictions as the police, [Post]
sources said.
McCartney's people found the stalker in
Austin, Minn.
Alexa Ray Joel
Securing People
Training, understanding, malice.
• Educate your colleagues.
• Educate your Stakeholders.
• You can't address this with technology.
Securing People
You do not know the people you are trusting.
• Recognise that as a Risk.
• Quantify the risk.
• Accept it or mitigate it.
Crime is on the increase
• Your stakeholders are being targeted.
• Sensitive Assets can take many forms.
• It's risk introduced by cyber or just security.
• Stop referring to cyber security.
Thank You
CYBER RESILIENCE…THINKING
BEYOND BUILDING THE
WALLS HIGHER
Rick Hemsley
March 23, 2017
SECURITY
ACCENTURE
Copyright © 2017 Accenture Security. All rights reserved. 175
BY THE NUMBERS: DEFENDING AND EMPOWERING THE DIGITAL BUSINESS
• Streamline cloud migration activities by 20%
• 20+ years of experience helping clients secure their organizations
• 15,000+ security devices managed
• 2 Security Centers of Excellence: Manila & Buenos Aires
• 30 million+ digital identities managed
• >30x faster detection rates of incidents for multiple clients
• 5,000+ people
• 330+ clients spanning 67 countries
• 5,000+ security risks mitigated / year
• 350+ pending and issued patents related to security
• Cloud security, management and control for 20,000+ cloud computing instances
• 5B+ raw security events processed daily
• Running some of the largest SIEM deployments in the world
• 4 Cyber Fusion Centers: Bangalore, Prague, Washington DC, Tel Aviv
• Security analytics that handle billions of events
• One million+ endpoints managed
HOW OFTEN DO YOU HEAR ABOUT SECURITY IN DAY-TO-DAY MEDIA STORIES?
A. NEVER
B. WEEKLY
C. NEARLY DAILY
Thieves steal $101M; governor of
Bangladesh central bank resigns
FROM THE HEADLINES
© The Economist : The Dhaka Caper article, March 19, 2016.
www.identityforce.com/blog/oracle-data-breach
www.zdnet.com/pictures/biggest-hacks-security-data-breaches-2016/6/
Yahoo hack: 1bn accounts
compromised by biggest data breach in
history
LinkedIn hack hits headlines again: Records
stolen to 117 million accounts
© The Guardian: Article by Sam Thielman, December 15, 2016.
Oracle Data Breach: MICROS System
Compromised by Hackers
WHAT HAVE WE TRADITIONALLY DONE?
Resistance
ATTACKERS MODIFY THEIR TACTICS
MODERN THREATS
CYBER CRIME OR CYBER ENABLED CRIME IS BIG BUSINESS AND COMPANIES ARE
TARGETED FOR THEIR DATA OR COMPANIES ARE TARGETED FOR THEIR MONETARY
BENEFITS (ONE AND SAME?)
Activist Groups
Corporate
Espionage
State Sponsored
Employees
or Partners
Organized Crime
SOPHISTICATED, WELL-FUNDED CYBERCRIMINALS ARE OUTPACING
DIGITAL BUSINESSES
ALTHOUGH THE RISE OF DIGITAL HAS REVOLUTIONIZED HOW BUSINESSES WORK
AND SERVE THEIR CUSTOMERS, IT HAS ALSO ADDED NEW DIMENSIONS OF RISK
• ~0.5 billion exposed identities: a 23% increase, with nine mega-breaches in 2015 [1]
• 55% increase in spear-phishing campaigns targeting employees in 2015 [4]
• 35% increase in ransomware, moving beyond PCs to smart phones, Mac and Linux systems [2]. OT systems next?
• $400 billion costs to businesses per year due to cyber attacks (initial damage + ongoing disruption) [5]
• $170 billion global corporate spending on cyber security by 2020 [3]
• 430 million new unique pieces of malware in 2015 [1]
References:
[1] and [2] Symantec Internet Security Threat Report, Apr 2016 (mega-breach defined as >10 million records)
[3] "Companies Lose $400 Billion to Hackers Each Year," Inc., September 8, 2015
[4] Symantec Internet Security Threat Report, Apr 2016
[5] "Lloyd's CEO: Cyber attacks cost companies $400 billion every year," Fortune, Jan 23, 2015
THE VOLUME OF ATTACKS ATTAINS ITS OWN DARWINIAN
SOPHISTICATION
BEYOND CARBANAK AND SWIFT, CYBER RISK WILL CONTINUE TO MORPH AND BECOME
MORE SOPHISTICATED. AS THE CONTROLS IMPROVE, THE ATTACKS CHANGE.
Example
New
Cyber
Risks
People are the weakest link
• Social engineering / phishing
messages clever enough to fool
everyone
Greatest risks are cross silo
• Security vs
• Fraud vs
• Customer Risk vs
• Vendor Risk
Command and control:
• Clever mechanisms hide communication protocols once a
breach has happened, e.g. Amazon HTTP requests
Switch to Physical:
• USB drives, printers, computers or any other hardware that can
be compromised and then installed on the network
SMS:
• Weaknesses in the telecom infrastructure allow SMS based dual
factor authentication to be compromised
Ransomware attacks digital infrastructure:
• Exploiting Android and Apple iOS can wreak havoc on
applications, mobile devices and Internet of Things
NEW REGULATION = NEW REQUIREMENTS
WHAT IS THE GDPR?
THE GENERAL DATA PROTECTION REGULATION (GDPR) APPLIES TO ALL BUSINESSES WHO HAVE CUSTOMERS AND/OR OPERATIONS WITHIN THE EUROPEAN UNION. BUSINESSES HAVE NEW REQUIREMENTS TO MEET.
• 3X as many articles as the incumbent privacy directive
• 18 months until the new regulation is expected to become fully enforceable
• 28 Member states have harmonised a regulatory framework
• 1 EU-level supervisory authority* governing going forward
*however, there are many regulatory bodies (e.g. FCA and PRA) that can take action against the Data Controller or Data Processor
You need to report an incident
without undue delay to the
Supervisory Authority, no more
than 72 hours after finding it.
You’ll need to appoint a Data
Protection Officer if you monitor
on a large scale or process special
data.
Estimated DPO requirement: 28,000 in
EU, 75,000 globally
You’ll have tighter restrictions
around consent.
Get the consent balance right so
you don’t scare off customers.
You’ll need to cover more personal
data.
Now including physical,
physiological, economic, mental,
genetic, cultural & social identity.
You'll need to be able to erase all of an individual's personal data, which is likely to be in many parts of that organisation or with data processors.
You’ll need to be able to give an
individual all of their personal
data. Where is it, what format, how
to extract it, how to port it, etc.
New Regulation
In reality, it means fines up to 4000X previous levels and personal liability for management and/or the
board.
New Requirements
WHAT IS CYBER RESILIENCE?
Cyber Resilience Overview:
It is the ability to operate the business processes in normal and adverse scenarios without adverse outcomes. Specifically, resiliency strengthens the firm’s ability to identify, prevent, detect and respond to process or technology failures and recover, while reducing customer harm, reputational damage and financial loss.
External Sources of Cyber Risk
• Hacktivism
• Hacker/Lone Wolf
• Nation State Attacks
• Insider Data Leakage
• Social Engineering
Internal Origins of Cyber Risk
• Digital Banking Services
• Payments
• Electronic Trading
• Third Parties
• Technology Infrastructure
CYBER RISK CAN MANIFEST ITSELF ACROSS SEVERAL DIMENSIONS, MAKING IT DIFFICULT TO DETECT, MEASURE, AND CONTROL
Common characteristics of resilient businesses:
• More secure processes and systems
• Strong controls with a strong control environment
• A solid risk culture
• Digitized and automated processes
PREPARE
• Business strategy alignment
• Assessment & architecture
• Operating model governance
• Risk & compliance
• Culture change
• Red-teaming
DETECT
• Vulnerability management
• Threat intelligence
• Security monitoring
• Cyber threat analytics
PREVENT
• Digital identity
• Application & data security
• Platform & infrastructure security
RESPOND & RECOVER
• Incident response remediation
• Business continuity
Across: MOBILE, ON PREMISES, CLOUD, IoT
MORE SIMPLY?
Business-driven
Threat-centric
Digitally protected
Adaptive responses
Agile delivery
HOW DO WE ACHIEVE CYBER RESILIENCE?
Adopt a different mindset… Understand our adversary, their objectives, strategies, tactics, and operating methods.
Think about different threats… Those inside the organisation often have the ‘keys to the kingdom’ yet can often be the cause, intentionally or accidentally, of breaches.
Organise ourselves… Move beyond technical silos, think holistically about cyber across the organisation.
Preparation is key… Incident Response is critical and with GDPR it will only become more so.
WHAT ARE THE CHALLENGES WE NEED TO OVERCOME?
1. Not measuring the right things → Move to business alignment
2. Assuming controls are sufficient → Stress test: prove controls and people
3. Assume perimeter → Begin inside out
4. Static plans … doing the same thing over and over → Innovate
5. Limit security as a purely technical issue → Everyone’s mission: H&S for the 21st century
6. Disengagement → All leadership aligned and communicating, ‘singing from the same hymn sheet’
5 KEY PRIORITIES TO HELP MANAGE CYBER RISKS EFFECTIVELY
1. Training and Risk Culture – Taking what is unique in your organization and infusing the right cyber risk behaviors
2. Controls – Identify weak points – building a robust set of controls across operations, business and IT
3. Measurement with a Purpose – What is going on without your leadership’s knowledge – creating metrics that expose the risks
4. Operating Model – How does your leadership work with the rest of the organization – assigning clear lines of accountability and ownership
5. Resilience – At some point things will go wrong, be prepared (and have leadership prepared!)
MORE SIMPLY AGAIN?
What is the impact?
• Risk Identification – Aggregated set of typical risks associated with cyber risk
• Risk Events – Scenarios which can impact the organization specific to cyber threats
How do we organize?
• Business and IT Controls – Oversight of the controls and their testing programs and how to leverage COBIT®, ISA, ISO/IEC, NIST controls
• Operating Model – Specifying the structure with people, organization, roles, tools and processes to govern
How do we monitor?
• Detection and Identification – Tools and metrics to identify and log aspects to manage operations
• Operational Monitoring – Aligning the tools to identify and detect threats along with their escalation and oversight
How do we respond?
• Event Response Plan – Structure to identify and manage action plans
• Crisis Management – Structure to manage incidents and notify impacted parties
TO OPERATE AND GROW CONFIDENTLY IN A RAPIDLY EVOLVING THREAT LANDSCAPE, ORGANIZATIONS NEED TO ADDRESS SECURITY ON THREE DIMENSIONS
Empower business growth & secure operations
• Establish and maintain customer trust by meeting expectations for the privacy and protection of their data.
• Enable capabilities that enhance customer and employee experience.
• Meet compliance and regulatory obligations.
• Enable secure adoption of new technologies.
Goal: Ensure that expectations for privacy and compliance are met, and that the business is protected from routine malicious behaviors.
Harden the organization to make cyber attacks difficult
• Maintain IT hygiene to eliminate exposure to known vulnerabilities.
• Implement technology such as encryption and two-factor authentication to increase the difficulty of successful cyber attack.
• Implement security discipline beyond the security organization (e.g. secure coding, network segmentation, training & awareness).
Goal: Raise the cost of attack to adversaries, reducing their incentive to attack lower-value targets.
Detect and remediate successful cyber attacks
• Use threat intelligence to anticipate cyber attacks and take preemptive defense measures.
• Detect in-flight cyber attacks.
• Use red teams to test cyber defense effectiveness.
• Prepare and test incident response plans.
Goal: Detect & respond to successful cyber attacks, minimize the impact of cyber attacks.
IF YOU TAKE NOTHING ELSE AWAY…
ADOPT A WHEN, NOT IF MINDSET …
PREPARE FOR BUSINESS DISRUPTION: KNOW WHAT YOU WILL DO …
& GDPR IS COMING!!!
THANK YOU
Man-in-the-Middle Application Security
Ian McGowan Bio
Ian is a Managing Consultant at Barrier Networks and has 18 years experience working in network and application security. He has worked as a web application security architect and application security operations lead and understands the challenge organisations face when trying to integrate security controls into the modern software development life cycle.
Talk Overview
• Overview of Web Application Security challenges
• How Web Application Firewalling (WAF) can help
• Advances in WAF technology
• Anti-Fraud techniques
• Summary
Verizon DBIR 2016
Attack Surface
Layers: Data, Application attacks, Network attacks, Session attacks, Client-side attacks, DNS attacks
• Stolen User Credentials/Fraud
• Phishing
• Network DDoS Attacks
• Application Vuln Exploits
• Recon. / Port scan
• Attacks against SSL Vul
• DNS Amplification / Cache Poisoning
• Application DDoS Attacks
• Botnet/SPAM
• Man in the Middle
• Man In The Browser
• Malware
• Business Logic Abuse
Focus of Attacks
(The same attack surface as above: stolen user credentials/fraud, phishing, network DDoS attacks, application vuln exploits, recon./port scan, attacks against SSL vul, DNS amplification/cache poisoning, application DDoS attacks, botnet/SPAM, man in the middle, man in the browser, malware, business logic abuse, across the data, application, network, session, client-side and DNS layers.)
ATTACKS ARE DISPROPORTIONATELY TARGETING THESE AREAS:
• APPLICATION PROTECTION
• USER ACCESS AND CREDENTIALS
State of Application Delivery Report
Yearly report by F5 Networks
2,200 respondents
Understanding trends
Most popular application services deployed
Most important application services deployed
Application Services to be Deployed 2017
Top 3 Security Services Planned Globally
Most Important to Respondents
WebApp Security Challenges
• Complexity of the application
• Complexity of the attacks
• User controls the Endpoint
SDLC Challenges
• Secure coding is difficult, expensive and slow.
• Developers are usually under time constraints
• The focus is on delivery and not security
• We need to change our approach to software
development
OWASP Top 10
Top 10 AppSec Risk
There are more than 10!
These aren’t going away
Time to adjust our approach?
Placement of Controls
Prevention is better than a cure.
Closing the barn door…
Production vulnerability
Timelines to consider:
• Undetected period
• Time to mitigate
• Window of exposure
WAF is Effective
Firewall vs WAF
• Firewall is network focused
• NG Firewall is content focused
• WAF is application focused
Reverse Proxy Architecture
AppSec Policy Enforcement Point
WAF provides the ability to enforce policy
Positive vs Negative Policy
WAF Policy
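To make the positive/negative distinction concrete, here is an added example (not from the talk and not any vendor's rule format) that runs the same constructed requests through a toy positive policy (an allow-list of endpoints and parameter formats) and a toy negative policy (a few block-list signatures), so you can see what each model catches and what each misses. The endpoints, parameter formats and signatures are all assumptions for the illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed positive policy: the only endpoints and parameter formats the
# application is known to use. Anything not described here is rejected.
POSITIVE_POLICY = {
    ("POST", "/login"): {
        "username": re.compile(r"^[A-Za-z0-9._@-]{3,64}$"),
        "password": re.compile(r"^.{8,128}$"),
    },
    ("GET", "/account"): {
        "id": re.compile(r"^[0-9]{1,10}$"),
    },
}

# Constructed negative policy: a handful of signatures for known-bad input.
NEGATIVE_SIGNATURES = [
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"\.\./")),
]


def parse_request(method, url, form=None):
    """Flatten a request into method, path and a single-valued parameter map."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}
    params.update(form or {})
    return {"method": method.upper(), "path": parsed.path, "params": params}


def negative_check(req):
    """Negative model: allow unless a signature matches.
    Returns the names of the signatures that hit (empty list = allow)."""
    candidates = list(req["params"].values()) + [req["path"]]
    return [name for name, pattern in NEGATIVE_SIGNATURES
            if any(pattern.search(value) for value in candidates)]


def positive_check(req):
    """Positive model: block unless every element of the request is described
    by the policy. Returns the list of violations (empty list = allow)."""
    allowed = POSITIVE_POLICY.get((req["method"], req["path"]))
    if allowed is None:
        return ["unknown endpoint %s %s" % (req["method"], req["path"])]
    violations = []
    for key, value in req["params"].items():
        if key not in allowed:
            violations.append("unexpected parameter " + key)
        elif not allowed[key].match(value):
            violations.append("parameter %s fails format" % key)
    for key in allowed:
        if key not in req["params"]:
            violations.append("missing parameter " + key)
    return violations


def evaluate(req):
    """Run both models and report each verdict side by side."""
    neg, pos = negative_check(req), positive_check(req)
    return {"negative": "block" if neg else "allow", "negative_hits": neg,
            "positive": "block" if pos else "allow", "positive_violations": pos}


if __name__ == "__main__":
    samples = {
        # Legitimate: both models allow.
        "normal login": parse_request("POST", "http://app.test/login",
                                      {"username": "alice@example.test",
                                       "password": "correct horse battery"}),
        # Injection in a free-text field: positive model allows (any 8-128
        # chars is a valid password), negative model catches the signature.
        "injection in password": parse_request("POST", "http://app.test/login",
                                               {"username": "alice",
                                                "password": "x' or '1'='1"}),
        # Unknown parameter: no signature fires, positive model blocks it.
        "extra parameter": parse_request("GET", "http://app.test/account?id=42&debug=1"),
        # Undocumented endpoint: negative model is blind, positive model blocks.
        "unknown endpoint": parse_request("GET", "http://app.test/admin/export"),
    }
    for label, req in samples.items():
        print(label, "->", evaluate(req))
```

The point of the four samples is that neither model alone is sufficient: the negative model is blind to anything it has no signature for, while the positive model waves through bad input inside a loosely specified field, which is why real deployments layer both.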
WAF Benefits
• Mitigate SQLi
• Insecure Direct Object Reference
• Layer 7 DDoS Protection
• Session & Login Tracking
• Web Scraping Prevention
• Brute Force Attack Prevention
• XML Schema Validation
• JSON, AJAX and Web Services
DAST Integration
Dynamic Application Security Testing
• Early detection of vulnerabilities
• Continuous assessment
• Remediate code vulnerability in situ
• Automated virtual patches
Eurograbber Campaign
Financial Service Crimeware
Targeted Users
30,000 affected
Zeus Trojan & ZITMO
Stopped by Web Fraud Control
Eurograbber Campaign Overview
Step 2: Initial Compromise of the DOM
Step 2: DOM Injection
Step 3: Trojan Relays Mobile # to C2
Recap so far..
Step 4: SMS Sent by C2 / Dropzone
Step 5: Validation Request
Step: Exploitation Confirmation
Compromise Success / Failure Logic
Complexity of Attack
Next Steps
Laptop/PC & Mobile Device are now compromised.
What next?
Trojan Operation
Web Fraud Prevention Benefits
• Detection of DOM compromise
• Application level encryption
• Automated action detection
Web Fraud Control Efficacy
Major European Bank:
“…detected and blocked fraudulent transactions in the
sum of 500,000 Euro in two days.
…ROI on the pilot first two days – that’s a new thing in
the security field ...”
Take Aways
• AppSec controls have advanced significantly.
• We must adjust our approach before it’s too late.
• Layered defence.
Protect Online User: Clientless solution, enabling 100% coverage
On All Devices: Desktop, tablets & mobile devices
Full Transparency: No software or user involvement required
Prevent Fraud: Targeted malware, MITB, zero-days, MITM, phishing, automated transactions…
In Real Time: Alerts and customizable rules
Scot Secure 2017
Thank you!
Welcome Back
Dan Hunt
Lloyds Banking Group
#scotsecure
EVERYTHING YOU WANTED
TO KNOW ABOUT PHISHING
BUT WERE TOO AFRAID TO CLICK
Dan Hunt, Lloyds Banking Group
Brief Introduction
• Etymology: Phreaking (Phone Hacking) + Fishing
• Definition: “Phishing is the attempt to coerce recipient action, often for malicious reasons, by disguising oneself as a trustworthy entity in electronic communications”
• Effectively a con trick, same as any other
• Concepts can be applied to other -ishings;
  • Vishing: Voice-based
  • Smishing: SMS-based
• Phishing emails can be used to harvest sensitive data and deploy malware
• Unsuccessful phishing attempts can be used to infer how well-protected an organisation is
• It is very, very easy and very, very effective
• Average engagement-rate is 20%
• ROI is high
Why?
Who?
Phishing
- Mass audience
- Low sophistication, generic (Delivery/HMRC scams)
Spear Phishing
- Targeted at SMEs / high risk colleagues
- Tailored content (Conferences, subscriptions)
Whaling
- Targeted at CEOs / Exec level
- Highly tailored content
- Long-game strategy (Waterholes etc)
How?
Data harvested
Malware deployed
What? (Strategic)
• Reduce the engagement rate on phishing emails;
  • Gateway filtering & blocking
  • Employee Education & Testing: studies find that the 20% click rate falls to 13% if employees go through just three simulation exercises, to 4% after the fourth and 0.2% after the fifth.
• Have colleagues know what to do and who to tell.
What? (Immediate)
• Awareness of Red Flags
• Mismatch of sender imagery
• Impersonal (Dear Customer)
• Misspellings
• False sense of urgency
• Email/web domains don’t match
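An added illustration (not from the talk) of those red flags as checks a mail gateway or a curious reader could automate: it parses one constructed phishing message and one constructed legitimate message and reports which flags fire. The display-name-versus-sender-domain heuristic (standing in for the "sender imagery" check), the misspelling list and the urgency phrases are all assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample: brand in the display name but not the sending
# domain, impersonal greeting, misspellings, urgency, and a link whose visible
# text shows one domain while the href points to another.
PHISHING_EMAIL = """\
From: "Example Bank Security" <alerts@secure-verify-now.test>
To: customer@example.test
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>We have detected unusal activity. You must verify your acount immediately
or it will be suspended.</p>
<p><a href="http://secure-verify-now.test/verify">https://www.examplebank.test/secure</a></p>
</body></html>
"""

# Constructed legitimate sample for contrast.
LEGIT_EMAIL = """\
From: "Example Bank" <service@examplebank.test>
To: alice@example.test
Subject: Your March statement is ready
Content-Type: text/html

<html><body>
<p>Dear Alice,</p>
<p>Your statement is available in online banking.</p>
<p><a href="https://www.examplebank.test/statements">www.examplebank.test</a></p>
</body></html>
"""

IMPERSONAL_GREETINGS = ("dear customer", "dear user", "dear account holder")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended")
# Tiny constructed dictionary; a real check would use a spell-checker.
KNOWN_MISSPELLINGS = ("unusal", "acount")


def registered_domain(host):
    """Crude 'last two labels' heuristic (no public-suffix list, so .co.uk
    style hosts would be mishandled); adequate for the samples here."""
    return ".".join(host.lower().split(".")[-2:])


def link_mismatches(html):
    """Return (visible_text, href) pairs whose domains differ: the
    'email/web domains don't match' red flag applied to each anchor."""
    out = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', html, re.I):
        text = text.strip()
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in text_host and registered_domain(href_host) != registered_domain(text_host):
            out.append((text, href))
    return out


def phishing_red_flags(raw):
    """Run the red-flag checklist over one raw RFC 822 message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html)
    lowered = (subject + " " + text).lower()
    words = set(re.findall(r"[a-z']+", lowered))

    # Display name mentions a brand word that never appears in the real
    # sending domain: the mismatch-of-sender-identity flag.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name_words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) >= 4]
    sender_mismatch = bool(name_words) and not any(w in sender_domain for w in name_words)

    return {
        "sender_mismatch": sender_mismatch,
        "impersonal_greeting": any(g in lowered for g in IMPERSONAL_GREETINGS),
        "misspellings": [w for w in KNOWN_MISSPELLINGS if w in words],
        "urgency": [p for p in URGENCY_PHRASES if p in lowered],
        "link_mismatches": link_mismatches(html),
    }


def flag_count(report):
    """Number of red-flag categories that fired."""
    return sum(1 for value in report.values() if value)


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legit", LEGIT_EMAIL)):
        report = phishing_red_flags(raw)
        print(label, flag_count(report), report)
```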
What? (Final Thoughts)
When sent an email that you’re not expecting, even if it appears to be from someone you know, consider the following;
• WHY am I being sent this email?
• WHO is sending it to me?
• WHAT do they want me to do?
• WHERE could it lead me?
THINK BEFORE YOU CLICK
Stu Hirst
Skyscanner
@StuHirstInfoSec
#scotsecure
DevSecOps: A 2-year journey of success & failure!
TIRED??!!!
Who are we?
What do I do?
What am I presenting?
Skyscanner 2014
Skyscanner Security in 2014…
Skyscanner 2017
Skyscanner Security in 2017…
WE HAVE A LOGO N’ EVERYTHING!
Strategy…
My most successful strategy?
ISO27001?
Cyber Essentials?
BSIMM?
A.N.Other?
Nope, it’s been speaking to people and sharing learnings.
Longer term; split security into focused areas; we now have SECOPS and PRODUCT SECURITY
AWS…
1. TEACH
2. CONTINUOUS AUDITING & ALERTING
3. OPEN SOURCE TOOLING (Scout2, SecurityMonkey etc)
4. AUTOMATION
Adventures in Bug Bounties…
Initial scheme – Qualys scans
2 week scheme – glut!
365 scheme – needs constant researcher rotation, refuse to pay for crap bugs, weed out the XSS guys!
Ideal outcomes;
• Weed out certain types of bug in your code altogether
• Make researchers work harder for their cash!
• Scale the scheme & make it more valuable over time
DevOps & Security
NOT
DevOps & Security
2FA…
Two-factor
Two-Factor All The Things
• VPN
• Windows / MAC Login
• Web portals
• Apps
• SSO
Data (especially PII)…
User Data
Implemented new MINIMUM STANDARDS for user data
Privacy BY DESIGN!
Examples;
• Only stored in agreed places (e.g. AWS)
• Minimum encryption levels when transferring
• Same for data at rest (AES256)
• Bcrypt / Argon2 for hashing
• Only using TLS
• Get rid of old ciphers
• Segment the network
• Tighten up access controls to the data
Passwords…
• Get rid of credentials in code; GitHub/GitLab etc
• Credstash
• Git Secrets
• GitLeaks (have fun!)
Passwords in Plain Text?!
Dude, it’s 2017.
Two-factor/Passwords
Password solutions
SIEM…
There are lots of SIEM solutions
BUT HOW ARE YOU USING THEM?!
Endpoint Protection…
Anti malware
Endpoint Protection
Awareness…
What we do…
What we do: Security Champions
What we do…
What we do: Crypto & Bug Challenges
Hosted in AWS – cheap, easy to build!
What we do…
What we do: Crypto & Bug Challenges
Security Swag – everyone loves t-shirts & stickers!
What we do…
What we do: Security Meet Up
Employees
Employee behaviour….blog post
Take Humans out of the equation…
Phishing
Phishing – why not take humans out of the equation?
• Sandbox links & attachments (Uber built this themselves)
• Protect against impersonation
Learning (especially from failure!) …
Culture
Culture – No fear
“This is the moment of my failure and I am not scared”
What we do
Announcing failure…
Weekly PRODOPS Review
NO BLAME! It’s a learning exercise
What we do
Learning…
Cybrary, PluralSight, Twitter, Blogs
Some thoughts to leave you with…
Stats
Not everything is critical!
• Simple and quick wins are GOOD wins!
• Try and increase the likelihood of an employee telling you about an event or potential attack
• Run attack simulations. Break something before someone else does!
FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS
IF YOU GO FROM 48% TO 32% ON FIRE, YOU’RE STILL ON FIRE!
(Zane Lackey, ex-Etsy)
Scaremongering
Security Scaremongering
“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests)”
Some thoughts to take away
Reward people… for making you aware of issues.
You feel good, they feel good & they’re likely to tell others.
What next?
Shout about your successes!
• Security is as important as any other business unit
• So shout about successes you have
• Positive PR across the business
thank you
@stuhirstinfosec
Learn with Skyscanner
• Follow Skyscanner @CodeVoyagers on Twitter
• Read a backlog of our learnings at codevoyagers.com
• Sign up for our Skyscanner Code Voyagers newsletter: learnings from our successes and failures, or search http://9nl.it/scotsecure_cvnewsletter
Prof Bill Buchanan
Edinburgh Napier Uni
@billatnapier
#scotsecure
Questions
& Discussion
Drinks
& Networking
www.digitleaders.com
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Morakinyo Animasaun
 

Ähnlich wie Scot Secure 2017 (20)

Investigating Cybercrime in the UK
Investigating Cybercrime in the UKInvestigating Cybercrime in the UK
Investigating Cybercrime in the UK
 
Cybersecurity Threats - NI Business Continuity Forum
Cybersecurity Threats - NI Business Continuity ForumCybersecurity Threats - NI Business Continuity Forum
Cybersecurity Threats - NI Business Continuity Forum
 
Showreel ICSA Technology Conference
Showreel ICSA Technology ConferenceShowreel ICSA Technology Conference
Showreel ICSA Technology Conference
 
David doughty presentation 181119
David doughty presentation 181119David doughty presentation 181119
David doughty presentation 181119
 
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
CERT Australia Update, by Scott Brown [APNIC 38 / Network Abuse BoF]
 
Achieving Caribbean Cybersecuirty
Achieving Caribbean CybersecuirtyAchieving Caribbean Cybersecuirty
Achieving Caribbean Cybersecuirty
 
APT or not - does it make a difference if you are compromised?
APT or not - does it make a difference if you are compromised?APT or not - does it make a difference if you are compromised?
APT or not - does it make a difference if you are compromised?
 
Clear and present danger: Cyber Threats and Trends 2017
Clear and present danger: Cyber Threats and Trends 2017Clear and present danger: Cyber Threats and Trends 2017
Clear and present danger: Cyber Threats and Trends 2017
 
Digital Energy 2018 Day 2
Digital Energy 2018 Day 2Digital Energy 2018 Day 2
Digital Energy 2018 Day 2
 
Scot Secure 2016
Scot Secure 2016Scot Secure 2016
Scot Secure 2016
 
Combating cyber crimes chinatu
Combating cyber crimes chinatuCombating cyber crimes chinatu
Combating cyber crimes chinatu
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimes
 
NextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive BriefingNextLevel Cyber Security Executive Briefing
NextLevel Cyber Security Executive Briefing
 
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
2014 Conference Brochure - GRC 2.0 Breaking Down the Silos
 
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
WCIT 2014 Som Mittal - Managing risks in an interdependent economy risks rela...
 
Torbay Business Forum with the South West Cyber Security Cluster
Torbay Business Forum with the South West Cyber Security ClusterTorbay Business Forum with the South West Cyber Security Cluster
Torbay Business Forum with the South West Cyber Security Cluster
 
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
Aceds 2015 Cyberseucity and the Legal Profession - NYC - April 7, 2015
 
Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...
 
CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin CRI "Lessons From The Front Lines" March 26th Dublin
CRI "Lessons From The Front Lines" March 26th Dublin
 
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
Be Prepared: Emerging Cyber Security Threats, Vulnerabilities and Risks on Ca...
 

Mehr von Ray Bugg

Digit Leaders 2023
Digit Leaders 2023 Digit Leaders 2023
Digit Leaders 2023 Ray Bugg
 
DIGIT North 2022
DIGIT North 2022DIGIT North 2022
DIGIT North 2022Ray Bugg
 
Digital Transformation Summit 2021
Digital Transformation Summit 2021Digital Transformation Summit 2021
Digital Transformation Summit 2021Ray Bugg
 
ScotSecure 2020
ScotSecure 2020ScotSecure 2020
ScotSecure 2020Ray Bugg
 
Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Ray Bugg
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019Ray Bugg
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019Ray Bugg
 
DIGIT Leader 2019
DIGIT Leader 2019DIGIT Leader 2019
DIGIT Leader 2019Ray Bugg
 
DIgital Energy 2019
DIgital Energy 2019DIgital Energy 2019
DIgital Energy 2019Ray Bugg
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Ray Bugg
 
Scot Secure 2019 Edinburgh (Day 1)
Scot Secure 2019 Edinburgh (Day 1)Scot Secure 2019 Edinburgh (Day 1)
Scot Secure 2019 Edinburgh (Day 1)Ray Bugg
 
Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Ray Bugg
 
GDPR Scotland 2018
GDPR Scotland 2018GDPR Scotland 2018
GDPR Scotland 2018Ray Bugg
 
Fintech 2018 Edinburgh
Fintech 2018 EdinburghFintech 2018 Edinburgh
Fintech 2018 EdinburghRay Bugg
 
DIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghDIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghRay Bugg
 
IoT Scotland 2018
IoT Scotland 2018IoT Scotland 2018
IoT Scotland 2018Ray Bugg
 
Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Ray Bugg
 
Scot Secure 2018
Scot Secure 2018Scot Secure 2018
Scot Secure 2018Ray Bugg
 
Big Data Scotland 2017
Big Data Scotland 2017Big Data Scotland 2017
Big Data Scotland 2017Ray Bugg
 
IT In The Park 2017
IT In The Park 2017IT In The Park 2017
IT In The Park 2017Ray Bugg
 

Mehr von Ray Bugg (20)

Digit Leaders 2023
Digit Leaders 2023 Digit Leaders 2023
Digit Leaders 2023
 
DIGIT North 2022
DIGIT North 2022DIGIT North 2022
DIGIT North 2022
 
Digital Transformation Summit 2021
Digital Transformation Summit 2021Digital Transformation Summit 2021
Digital Transformation Summit 2021
 
ScotSecure 2020
ScotSecure 2020ScotSecure 2020
ScotSecure 2020
 
Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019Data Protection Scotland Summit 2019
Data Protection Scotland Summit 2019
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019
 
DIGIT Expo 2019
DIGIT Expo 2019DIGIT Expo 2019
DIGIT Expo 2019
 
DIGIT Leader 2019
DIGIT Leader 2019DIGIT Leader 2019
DIGIT Leader 2019
 
DIgital Energy 2019
DIgital Energy 2019DIgital Energy 2019
DIgital Energy 2019
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
 
Scot Secure 2019 Edinburgh (Day 1)
Scot Secure 2019 Edinburgh (Day 1)Scot Secure 2019 Edinburgh (Day 1)
Scot Secure 2019 Edinburgh (Day 1)
 
Digital Transformation Scotland 2019
Digital Transformation Scotland 2019Digital Transformation Scotland 2019
Digital Transformation Scotland 2019
 
GDPR Scotland 2018
GDPR Scotland 2018GDPR Scotland 2018
GDPR Scotland 2018
 
Fintech 2018 Edinburgh
Fintech 2018 EdinburghFintech 2018 Edinburgh
Fintech 2018 Edinburgh
 
DIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - EdinburghDIGIT Leader Summit 2018 - Edinburgh
DIGIT Leader Summit 2018 - Edinburgh
 
IoT Scotland 2018
IoT Scotland 2018IoT Scotland 2018
IoT Scotland 2018
 
Digital Energy 2018 Day 1
Digital Energy 2018 Day 1Digital Energy 2018 Day 1
Digital Energy 2018 Day 1
 
Scot Secure 2018
Scot Secure 2018Scot Secure 2018
Scot Secure 2018
 
Big Data Scotland 2017
Big Data Scotland 2017Big Data Scotland 2017
Big Data Scotland 2017
 
IT In The Park 2017
IT In The Park 2017IT In The Park 2017
IT In The Park 2017
 

Kürzlich hochgeladen

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Kürzlich hochgeladen (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Scot Secure 2017

  • 6. DI Eamonn Keane Police Scotland @policescotland #scotsecure
  • 7. What can we do to fight back? Scot-Secure Conference, March 2017.
  • 8. Agenda
    • Scottish, UK & Global Perspective!
    • The current threat landscape!
    • The challenges to LE & Policing!
    • The LE response - NCCU & Police Scotland!
    • Are we getting the message across?
    • What can we do to fight back? Collaboration & Prevention.
    • Good News - Look Forward!
  • 11. ORIGINAL HUB CONCEPT
    SG/NCSC · EUROPOL · POLICE / SENIOR TECH COMMUNITY / INVESTIGATIONS
    • TIER 4 – SCOTLAND’S TECH COMMUNITY DEVELOPMENT
    • TIER 3 – ACADEMIA / R & D
    • TIER 2 – SOC / TRUSTED PARTNERS
    • TIER 1 – APPRENTICES / GRADUATES
  • 13. Stalking, Bullying, Cyber Fraud, SOCG, Sexual Offenders, Indecent images of children, Cyber dependent crimes (e.g. hacking, malware, DDoS), Anti-social behaviour, Cyber Terrorism: cyber is impacting on the police response across the full crime spectrum.
  • 14. What we do know!!
    • The cyber threat to UK business is significant and growing.
    • This threat is varied and adaptable.
    • The rise of internet connected devices gives attackers more opportunity!
    • The past year has been punctuated by cyber attacks on a scale and boldness not seen before!
    • The UK & Scottish governments are committed to making the UK a secure and resilient digital nation.
    • Under-reporting.
  • 15. Scenario 2 – Malware. Some Brief Examples… The Usual Suspects: Malware, Phishing, Ransomware, Social Engineer, Hacker.
  • 16. Key questions that all CEOs & CISOs should be asking this week
    • "Are we vulnerable to a cyber intrusion, SQL injection, ransomware or DDoS based attacks?"
    • "What assurance activity have we done to confirm that we are not vulnerable?"
    • "If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?"
    • "Are we satisfied that we have engaged sufficient 3rd party security provision?"
    • "What is our company ethos & posture on security?"
    • "What, and how vibrant, is your overarching cyber security policy?"
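The first two questions on that slide (are we open to SQL injection, and what assurance activity proves we are not) have a concrete shape. The block below is an added example, not code from the slides or from Police Scotland: it puts the injectable login beside the parameterised one and runs the same canned bypass payloads against both, which is the smallest honest version of that assurance check. The schema, the two demo accounts and the payload list are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Two classic bypass strings: a tautology and a comment-out of the password clause.
PAYLOADS = ("' OR '1'='1", "admin' --")


def hash_password(password: str, salt_hex: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the 'after' table stores this, not the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000).hex()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user store (assumed schema, demo accounts only).
    users_plain is the 'before' state: plaintext passwords, so a compromise also
    exposes unencrypted sensitive data.  users is the 'after' state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, salt TEXT)")
    for user, pw in (("admin", "Winter2017!"), ("alice", "correct horse battery")):
        salt = os.urandom(16).hex()
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, hash_password(pw, salt), salt))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'Before': the caller's strings are pasted into the SQL text, so quote
    characters in them change the query's logic instead of being compared."""
    sql = ("SELECT username FROM users_plain WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """'After': a bound parameter is always data, never grammar, and the password
    is checked against a salted hash with a constant-time comparison."""
    row = conn.execute("SELECT pw_hash, salt FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    stored_hash, salt = row
    return hmac.compare_digest(stored_hash, hash_password(password, salt))


def assurance_check(conn: sqlite3.Connection, login_fn) -> dict:
    """The slide's 'assurance activity' in miniature: feed each canned payload
    as both username and password and record whether it logged in without a
    valid credential.  Any True means the login path is injectable."""
    return {payload: login_fn(conn, payload, payload) for payload in PAYLOADS}


DEMO_DB = build_demo_db()

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, assurance_check(DEMO_DB, fn))
```

Running it prints every payload as True against the vulnerable path and False against the fixed one. The same two-table layout also answers the third question on the slide: a dump of `users_plain` hands the attacker every password, a dump of `users` hands them salted hashes that still have to be cracked.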
  • 17. Cyber Attacks are on the rise
  • 22. The Main Threats…
    Hacktivism
    • Hacking organisations they don’t agree with
    • Politically motivated
    • Mainly defacement of websites and public disclosure of information
    • Organised but dispersed
    • Anonymous, New World Hacking, Lizard Squad
    Organised Crime
    • Well funded cyber crime groups
    • Financially motivated
    • Mainly ransomware, stealing of personal info/credit card info, and hacking
    • Highly organised and well funded
    • Carbanak Cyber Gang, Janus Sec etc.
    Espionage
    • State sponsored
    • Politically & financially motivated
    • Mainly covert hacking and custom malware targeting sensitive IP and CNI
    • Extremely organised and well funded
    • TAO, APT 28, APT 17, Bureau 21
  • 23. The Main Threats… Bedroom Hackers
    • Teenagers with a point to prove
    • Motivated by recognition and quick cash
    • Mainly defacement of websites and public disclosure of information
    • Have been quite successful at ‘low hanging fruit’
    • They have been individuals or ‘front people’ of a group
  • 24. Growing Cadre of Hacking Groups: Anonymous, LulzSec, Lizard Squad, New World Hacking Team, DD4BC, The Impact Team, The Armada Collective, Syrian Electronic Army, 16.66, PhantomSec
  • 28. Feezan Hameed
    • £60 - £113 million frauds
    • Vishing / social engineering of banking customers
    • Data acquired including account details/passwords
    • Money transferred online – mule account networks
    • UK-wide investigation
    • Numerous UK Law Enforcement
    • Arrested in Paris on false passport
    • Convicted and sentenced to 11 years imprisonment
    • Customer education?
  • 29. Op Backbone
    • UK Bank
    • Frauds
    • Exfiltration of bank customer data
    • Bank employee
    • Live customer data for sale on dark web
    • Data used to commit further frauds
    • Customer data recovered at home address
    • Arrested / Convicted
    • £23,000 seized from account under POCA
    • Print? Business Need/Auditable?
  • 30. Operation Mouse - Police Scotland Website
    Operation Vulcanalia
    The NCCU/PSOS Operation Vulcanalia targeted users of the Netspoof DDoS-for-hire tool. Based on intelligence gathered by the West Midlands Regional Cyber Crime Unit, a week of action in December 2016 saw more than 60 individuals targeted, resulting in 12 arrests, over 30 cease and desist notices served, two cautions issued and one protective visit made.
    The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked.
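The Avalanche slide above reports sinkholing at a scale of 800,000 domains and victims identified in 180 countries, but not the mechanism. The block below is an added example, not code from the slides or from any of the agencies involved: a resolver that answers seized names with a sinkhole address instead of the criminals' infrastructure, plus the victim-identification step that reads the resolver's query log to find infected clients. The seized domain names, the sinkhole address (RFC 5737 documentation range), the client addresses and the BIND-style log format are all constructed assumptions for the demo.

```python
import re
from collections import defaultdict
from typing import Callable, Dict, Optional, Set

# Assumptions for the demo: a documentation-range address stands in for the
# sinkhole, and the seized domains are constructed names, not Avalanche's.
SINKHOLE_IP = "192.0.2.53"
SEIZED_DOMAINS = {"example-botnet.test", "mule-recruit.test"}

# Constructed resolver query log in an assumed BIND-style format:
#   "<client>#<port>: query: <name> IN <type>"
SAMPLE_LOG = """\
10.1.4.22#51234: query: cdn.example-botnet.test IN A
10.1.4.22#51235: query: intranet.example.org IN A
10.7.9.3#40001: query: mule-recruit.test IN A
10.1.4.22#51236: query: c2.example-botnet.test IN A
10.3.3.8#60010: query: mail.example.org IN A
malformed line that the parser must skip
"""
LOG_RE = re.compile(r"^(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$")


def is_seized(qname: str) -> bool:
    """True if the name, or any parent of it, is on the seized list, so
    c2.example-botnet.test is caught by the entry for example-botnet.test."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in SEIZED_DOMAINS for i in range(len(labels)))


def resolve(qname: str, upstream: Callable[[str], Optional[str]]) -> Optional[str]:
    """Sinkholing resolver: seized names answer with the sinkhole address so the
    bot connects to the defenders instead of the criminals; everything else
    goes to the normal upstream lookup."""
    if is_seized(qname):
        return SINKHOLE_IP
    return upstream(qname)


def identify_victims(log_text: str) -> Dict[str, Set[str]]:
    """Victim identification from the resolver log: a client that asks for a
    seized name is infected, which is how a take-down knows whom to notify."""
    victims: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        if is_seized(match["qname"]):
            victims[match["client"]].add(match["qname"].lower())
    return dict(victims)


if __name__ == "__main__":
    for client, names in sorted(identify_victims(SAMPLE_LOG).items()):
        print(client, "->", ", ".join(sorted(names)))
```

The parent-label walk in `is_seized` is what makes one seized registration cover every subdomain the malware generates under it; a plain set lookup on the full query name would miss `c2.` and `cdn.` hosts. In a real deployment the sinkhole itself also logs the connections it receives, which catches bots that resolve through a resolver you do not control.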
  • 31. Cyber Resilience is thorough Preparation
    • Overarching Cyber Security Strategy!
    • Pre-planned Exercise.
    • Incident Management & Response Plan.
    • Communications Strategy.
    • Investigative Strategy.
    • Incident Manager & Team – Gold, Silver, Bronze.
    • Mitigation & Recovery Strategy.
    • Logistics - Contingency
  • 33. Scotland’s Future
    • International Collaboration
    • Government - L.E – Industry – Academia Collaboration
    • Joint Working - Intelligence, Technical, Disruption
    • Prevention / Education
    • Curriculum for 21st Century
    • Upskill Children & Wider Population
    • Target Harden Existing Business
    • SBRC Role
    • Cyber Security Grow as Industry Sector
  • 36. Cyber Essentials & Cyber Essentials Plus
    Cyber Essentials concentrates on five key controls. These are:
    1. Boundary firewalls and internet gateways
    2. Secure configuration
    3. Access control
    4. Malware protection
    5. Patch management
  • 37. Fighting back: what can we do?
    • Reporting means we can fight back!
    • Cyber Policing Structure – NCCU - Regional Hubs - Prevention
    • European & Global Co-operation - EC3.
    • Innovative Partnerships.
    • Organisational growth and transformation.
    • Education, prevention & unprecedented collaboration.
      – The Cyber Academy & Scottish Academia R & D.
      – Inspire and enthuse - SQA National Progression Awards
      – SBRC – Supporting vulnerable SMEs.
      – Multi agency, multi disciplined teams protecting Scotland.
  • 39. European Union General Data Protection Regulation (GDPR)
  • 40. Recap
    • Cyber Essentials
    • Cyber Essentials Plus
    • Govt backed / Industry supported
    • Basic cyber security hygiene
    • Report to Police / CERT-UK / GovCertUK
    • Share - CiSP
    • Intel / Europol – paints cyber picture
    • Human! Staff education/awareness
    • Staff privileges
    • Nice v risk?
    • Data breach test of scrutiny – did we REALLY do ALL we could?
  • 41. Thank you for listening Any Questions? Eamonn.keane2@scotland.pnn.police.uk
  • 42. Dr Keith Nicholson Cyber Security Scotland #scotsecure
  • 43. SCOT-SECURE 2017 CYBER DEFENCE STRATEGY FOR THREAT RISK REDUCTION Dr Keith Nicholson Cyber Security Scotland March 2017
  • 44. Dr Keith Nicholson, Independent Cyber Security Advisor
    • 25+ years’ experience in digital technologies, IT audit and cyber security
    • Qualified in cyber security (CISM, CISA)
    • Scottish Government advisor in Cyber Security
    • Member, Cross Public Sector Cyber Group
    • Member, Cyber Leaders Board
    • Advisor across Public Sector (e.g. SNH, SEPA, SFC, Revenue Scotland)
    Cyber Security Scotland, Non-Profit Organisation
    • established to provide independent advice & services on all aspects of cyber security to public bodies to help create the intelligent client.
    • provides “honest-broker” guidance on ICT, cyber security strategy development, tender specifications, procurement exercises and project management to deliver Best Value.
  • 45. BUILDING A CYBER DEFENCE STRATEGY. Challenges: IT Team
    • Management expectations on skills
    • Winning investment & management buy-in
    • Not just a technical issue
  • 46. BUILDING A CYBER DEFENCE STRATEGY. Challenges: Board
    • Lack of cyber understanding
    • Failure to appreciate risk & ROI
    • Belief technology is silver bullet
    • Lack of integration of HR, Finance & Procurement as well as IT in cyber defence strategy
  • 47. Cyber Defence: BUILDING A RESILIENT ORGANISATION
    • Secure technology
    • Challenging suppliers - lifecycle & supply chain
    • Training and awareness in staff
    • Policies & procedures in HR, Finance, Procurement, IT
    • Senior management responsibility
    • Becoming an intelligent client: Know what you don’t know
  • 49. Threat Risk Areas
    KEY CYBER THREAT RISK AREAS
    • Procurement
    • Payroll
    • Data Theft
    • Disruption
    THREAT VECTORS
    • Culture & Behaviours (poor and well-intentioned)
    • Technical
    Goals: Credential theft; Financial gain; Service disruption
  • 50. Incident Patterns NB: Classification can vary between sectors
  • 52. Current Common Threats (technical & people based)
    • Malware – Ransomware
    • Credential theft – webmail; keylogging
    • Drive-by downloads from websites
    • POS attacks
    • DDoS – transactional servers / websites
    • Web site defacement
    • Dark web – malware / hackers for hire; risk-reward model
  • 53. Common attack vectors
    BEHAVIOURAL VULNERABILITIES
    • Domestic technology use = embedded behaviours brought into workplace
    • Changing attitudes to privacy and sharing personal information
    TECHNICAL
    • Phishing - Email – malware – ransomware, key loggers
    • Email attachments – e.g. “invoices”
    • Email – person pretext (e.g. I’m xxx’s boss; CFO instructing invoice approval)
    • Vishing – elicitation of key information in conversation
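The three email vectors on the slide (the "invoice" attachment, the "I'm your boss" pretext and the CFO instruction) each leave a trace in the message itself. The block below is an added example, not code from the slides or from Cyber Security Scotland: a small rule set over parsed RFC 5322 messages that flags display-name impersonation of a known executive, a Reply-To diverted to another domain, booby-trapped "invoice" attachments and payment-pressure wording arriving from outside the organisation. The corporate domain, the executive directory, the extension list, the keyword list and the three sample messages are all constructed assumptions for the demo.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List

# Assumptions for the demo: the organisation's own domain, a tiny directory of
# senior staff whose names attackers like to borrow, and the extensions and
# pressure words the rules key on.
CORP_DOMAIN = "example.org"
EXECUTIVES = {"jane doe": "jane.doe@example.org"}      # display name -> real address
RISKY_EXT = {".js", ".vbs", ".exe", ".scr", ".docm", ".xlsm", ".jar", ".hta"}
PRESSURE = re.compile(r"\b(urgent|immediately|today|wire|transfer|approve|invoice|confidential)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw: bytes) -> List[str]:
    """Return the list of indicators found in one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. "I'm xxx's boss": a known executive's name on an address that is not theirs.
    real = EXECUTIVES.get(display.strip().lower())
    if real and addr.lower() != real:
        findings.append("display-name impersonation: '%s' sent from %s" % (display, addr))

    # 2. Replies diverted to a domain other than the sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to mismatch: %s" % reply_to)

    # 3. "Invoice" attachments that are executable, macro-enabled or an archive.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in RISKY_EXT or (ext == ".zip" and "invoice" in name):
            findings.append("risky attachment: %s" % name)

    # 4. Payment pressure from outside the organisation.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hits = {word.lower() for word in PRESSURE.findall(text)}
    if len(hits) >= 2 and from_domain != CORP_DOMAIN:
        findings.append("external payment pressure: %s" % ", ".join(sorted(hits)))
    return findings


def build_samples() -> List[bytes]:
    """Three constructed messages: a CFO-style pretext, a booby-trapped
    'invoice', and a benign internal mail that must not be flagged."""
    pretext = EmailMessage()
    pretext["From"] = "Jane Doe <jane.doe.ceo@webmail.example>"
    pretext["Reply-To"] = "jd-private@another.example"
    pretext["To"] = "finance@example.org"
    pretext["Subject"] = "Payment"
    pretext.set_content("I am in a meeting. Approve the wire transfer today, it is urgent.\n")

    invoice = EmailMessage()
    invoice["From"] = "Accounts <accounts@supplier.example>"
    invoice["To"] = "finance@example.org"
    invoice["Subject"] = "Invoice 0417"
    invoice.set_content("Please find the invoice attached.\n")
    invoice.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                           subtype="zip", filename="Invoice_0417.zip")

    benign = EmailMessage()
    benign["From"] = "Alice Smith <alice.smith@example.org>"
    benign["To"] = "team@example.org"
    benign["Subject"] = "Minutes"
    benign.set_content("Minutes from this morning's meeting are on the intranet.\n")
    return [m.as_bytes() for m in (pretext, invoice, benign)]


if __name__ == "__main__":
    for raw in build_samples():
        subject = email.message_from_bytes(raw, policy=policy.default)["Subject"]
        print(subject, analyse(raw))
```

None of these rules is proof on its own, which is why the output is a list of indicators rather than a verdict: the pretext message trips three of them, the invoice one, the internal mail none. In production the directory lookup would come from HR or the address book, and rules 1 and 2 are the ones worth alerting on immediately because they are cheap for the attacker to set up and hard for the recipient to notice.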
  • 54. Threat Data
    • Time to compromise – 82% in minutes (phishing to steal credentials)
    • Time to exfiltration – 68% in days (capture & export data)
    • Detection deficit – only ca 20% attacks detected within days [1]
    • 68% attacks are malware, 32% by pretext [2]
    • Oldies still goodies – top 10 vulnerabilities older than one year
    • Software vulnerabilities – time between publication and exploitation:
      – Adobe, Microsoft, Oracle fastest to be compromised
      – Apple and Mozilla slowest
    • Helps focus patch management
    [1] Verizon 2016 Data Breach Investigations Report
    [2] HMG, Ipsos MORI, University of Portsmouth, Cyber Security Breaches Survey, May 2016
  • 56. 5-Step Threat Reduction Strategy
    1. Recognise the threat & take responsibility at Board level – Exec & Non-Exec
    2. Risk & Business Impact assessment of technical & organisational vulnerabilities
    3. Secure the technology (resources prioritised via Risk & Business Impact assessment)
    4. Create a cyber-aware culture
    5. Evolve to become an Intelligent Client
  • 57. Becoming the Intelligent Client
    • Recognise what you don’t know (Known Unknowns)
      – Audit systems, policies & procedures via “critical friend”
    • Recognise you don’t know what you don’t know! (Unknown Unknowns)
      – Get Directors and staff training, both technical and general awareness
    • Challenge suppliers: service lifecycle and supply chain; build security into procurement specifications
    • Don’t rely only on supplier advice (Audit Scotland)
    • Seek “honest broker” independent advice where needed
  • 59. Cyber Defence Action Plan
    1. Assess and test Cyber Awareness Maturity level:
      • At board level
      • Amongst general staff
      • Amongst technical teams
    2. Undertake a Cyber Security audit with risk assessment to:
      • Identify technical & cultural vulnerabilities and threats
      • Prioritise resource allocations proportionate to risk
      • Identify staff skills gaps
    3. Create a staff development strategy for ongoing awareness / technical training
    4. Develop a Proactive & Responsive Cyber Strategy, Policies & Continuous Improvement Plan to address continuing and changing threats
  • 60. Summary
    • Needs Board & Senior Management commitment – risk awareness, RoI and investment buy-in
    • Cross-organisation responsibility:
      – HR for OD, staff training and vetting; Finance, Procurement for fraud detection; IT for technology
    • Define your needs and challenges
      – Technological as well as Staff and Suppliers via Gap Analysis
    • Set realistic development plan & expectations
      – Cultural change is not achieved overnight
    • Keep your eye on the threat
      – Staff development
      – Continuous improvement plan
      – Monitor, mentor, measure
  • 61. THANK YOU KEITH NICHOLSON T: 01847 500 101 M: 07899 062 965 E: KNICHOLSON@CYBERSECURITY.SCOT
  • 62. Jenny Radcliffe Social Engineer & Negotiator @Jenny_Radcliffe #scotsecure
  • 63. People Hacking The Human Factor in Security Jenny Radcliffe 2017©
  • 85. Ransomware, the scourge of 2016 Rik Ferguson Vice President Security Research Trend Micro
  • 86. (Not so) Humble Beginnings
  • 89. Ransomware Evolution - CryptoLocker
  • 90. Ransomware in 2016 • 2016 Losses $1B • 246 new families in 2016 alone compared to 29 for 2015. 748% increase. • PhishMe Report: As of the end of Q3’16, 97% of all phishing emails contained crypto-ransomware • InfoBlox Report: Ransomware Domains Up By 35 fold In Q1’16
• 93. UK Ransomware Survey • Just over two thirds (69%) of UK IT decision makers (ITDMs) have heard about ransomware and know how it works. • Four fifths (82%) consider ransomware to be a threat to their organization, while 18% do not. • The average ransom demand received was £540, although for 20% of those infected the demand was more than £1,000. • Nine in ten (89%) reported a time limit on paying the ransom, with the time limit being 19 hours on average. • Organizations affected by ransomware estimate they spent 33 man hours on average fixing the issues caused by the ransomware infection.
• 94. UK Ransomware Survey • Two thirds (65%) ended up paying the ransom. However, only 45% of those infected got their data back by this means, while 20% paid a ransom and did not get their data back. • The three most common reasons for paying the ransom: – They were worried about being fined if the data was lost – 37% – The data was highly confidential – 32% – The ransom amount was low enough to count as a cost of doing business – 29% • Seven in ten (69%) think their organization will be targeted by ransomware in the next 12 months. • 77% have an incident response plan in case of infection with ransomware – Only 44% have tested their incident response plan, while a third (33%) have a plan in place without testing it.
  • 96. Locky – Malicious Macros Ransom_LOCKY is requesting 0.5 Bitcoin ransom ($209.27)
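The Locky slide above turns on one detail: the lure is a document whose macros run the downloader. The check a mail gateway wants is "does this container carry VBA at all", decided from the file contents rather than the extension. The following is an added example, not code from the talk or from any vendor: it builds two small OOXML containers in memory (constructed fixtures, not real documents or malware) and inspects them for the VBA project part and the content type that declares it.

```python
"""Flag macro-enabled Office documents by inspecting the OOXML zip container, not the extension."""
import io
import zipfile
from typing import List

MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def _build_ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML container in memory (constructed test fixture, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a clean .docx and a .docm carrying a VBA project (payload bytes are a placeholder).
CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/document.xml" '
                           b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<document/>",
})

MACRO_DOCM = _build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder",
})


def find_macro_indicators(blob: bytes) -> List[str]:
    """Return the reasons a document should be treated as macro-enabled; an empty list means none found."""
    if not blob.startswith(b"PK\x03\x04"):
        # Legacy OLE2 .doc/.xls (D0 CF 11 E0 magic) needs an OLE parser such as oletools; route for review.
        return ["not an OOXML zip container"]
    reasons = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                reasons.append("VBA project part present: " + name)
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if MACRO_CONTENT_TYPE in ctypes:
                reasons.append("content types declare a VBA project")
    return reasons


def should_quarantine(blob: bytes) -> bool:
    """Gateway decision: anything with macro indicators (or that cannot be parsed) is held for review."""
    return bool(find_macro_indicators(blob))
```

A renamed .docm still contains word/vbaProject.bin, so the check survives extension games; the legacy OLE2 formats and password-protected archives are deliberately routed to review rather than guessed at.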
  • 97. Crysis – A Hands-On Threat Actor A sample infection flow of Crysis via an RDP brute force attack
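The Crysis flow above (RDP password guessing, then a hands-on operator) leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625, logon type 10) from one source, then a success (4624) from the same source. The following is an added example, not part of the original talk: a small sliding-window detector over a constructed, simplified log extract, assuming the column layout shown in the fixture.

```python
"""Spot an RDP password-guessing burst followed by a successful logon from the same source.

Input is a constructed, simplified extract of the Windows Security log: event 4625 = failed logon,
4624 = successful logon, logon type 10 = RemoteInteractive (RDP). The column order is assumed here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample, not a real log. Columns: timestamp, event id, logon type, account, source IP.
SAMPLE_LOG = """\
2017-03-20T02:10:00 4625 10 jsmith 198.51.100.7
2017-03-20T02:10:30 4625 10 jsmith 198.51.100.7
2017-03-20T02:11:00 4624 10 jsmith 198.51.100.7
2017-03-20T02:14:01 4625 10 administrator 203.0.113.45
2017-03-20T02:14:02 4625 10 admin 203.0.113.45
2017-03-20T02:14:03 4625 10 administrator 203.0.113.45
2017-03-20T02:14:04 4625 3 administrator 203.0.113.45
2017-03-20T02:14:05 4625 10 backup 203.0.113.45
2017-03-20T02:14:06 4625 10 administrator 203.0.113.45
2017-03-20T02:14:07 4625 10 administrator 203.0.113.45
2017-03-20T02:14:09 4624 10 administrator 203.0.113.45
"""

FAIL_THRESHOLD = 5              # failures inside WINDOW from one source before we alert
WINDOW = timedelta(minutes=10)


def parse(log_text: str):
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source_ip = line.split()
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), account, source_ip


def detect_rdp_bruteforce(log_text: str) -> List[Tuple[str, int, Optional[str]]]:
    """Return alerts as (source_ip, failures_in_window, account): account is None for a pure guessing
    burst and is set when a success follows the burst, which is the hands-on entry point to act on."""
    recent_failures = defaultdict(deque)   # source_ip -> timestamps of type-10 failures inside WINDOW
    alerted = set()
    alerts = []
    for ts, event_id, logon_type, account, source_ip in parse(log_text):
        if logon_type != 10:
            continue                        # only RDP (RemoteInteractive) logons are in scope here
        q = recent_failures[source_ip]
        while q and ts - q[0] > WINDOW:     # slide the window forward
            q.popleft()
        if event_id == 4625:
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and source_ip not in alerted:
                alerted.add(source_ip)
                alerts.append((source_ip, len(q), None))
        elif event_id == 4624 and len(q) >= FAIL_THRESHOLD:
            # Success right after a burst of failures: isolate the host and reset the account, do not just log.
            alerts.append((source_ip, len(q), account))
    return alerts
```

The two-failure, one-success sequence from 198.51.100.7 (a user mistyping) stays below the threshold, while the second source trips the burst alert and then the "guess succeeded" alert; the type-3 network logon is ignored so the rule stays specific to the exposed RDP surface.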
  • 98. Cerber A Ransomware Factory It replaces the system's current wallpaper with the this image:
  • 99. Stampado – Ransomware as a Service
• 100. Exploits and Exploit Kits in 2016: A Declining Industry?
  • 101. The demise of the Exploit Kit?
• 102. Neutrino Price Increase (chart): Neutrino's price per month rose from $3,500 before Angler disappeared to $7,000 after Angler disappeared.
  • 103. Rate of Vulnerability Additions to Exploit Kits
• 104. Exploit Kit / Ransomware Relationship

| Exploit Kit | Delivered Ransomware (2015) | Delivered Ransomware (2016) |
|---|---|---|
| Angler | CRYPWALL, CRYPTESLA, CRILOCK | CRYPWALL, CRYPTESLA, CRILOCK, WALTRIX, CRYPMIC |
| Neutrino | CRYPWALL, CRYPTESLA | CRYPWALL, CRYPTESLA, CERBER, WALTRIX, LOCKY, CRYPMIC |
| Magnitude | CRYPWALL | CRYPWALL, CERBER, LOCKY, MILICRY |
| Rig | CRYPWALL, CRYPTESLA | GOOPIC, CERBER, CRYPMIC, LOCKY, CRYPHYDRA, CRYPTOLUCK, MILICRY |
| Nuclear | CRYPWALL, CRYPTESLA, CRYPCTB, CRYPSHED | CRYPTESLA, LOCKY |
| Sundown | – | CRYPTOSHOCKER, LOCKY, PETYA, MILICRY |
• 105. Top Vulnerabilities Within Exploit Kits
• CVE-2013-2551. Affected software: Microsoft Internet Explorer 6–10. Description: a use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a deleted object.
• CVE-2015-0311. Affected software: Adobe Flash Player through 13.0.0.262, and 14.x, 15.x and 16.x through 16.0.0.287 on Microsoft Windows, and 11.2.202.438 on Linux. Description: an Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors.
• CVE-2015-0359. Affected software: Adobe Flash Player before 13.0.0.281, and 14.x through 17.x before 17.0.0.169 on Windows and OS X, and before 11.2.202.457 on Linux. Description: an Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used; failed exploitation attempts likely result in denial of service (DoS).
• CVE-2014-0515. Affected software: Adobe Flash Player before 11.7.700.279, and 11.8.x through 13.0.x before 13.0.0.206 on Microsoft Windows and Mac OS X, and before 11.2.202.356 on Linux. Description: an Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows attackers to run arbitrary shellcode.
• CVE-2014-0569. Affected software: Adobe Flash Player before 13.0.0.250, and 14.x and 15.x before 15.0.0.189 on Windows, and before 11.2.202.411 on Linux. Description: an Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors.
  • 106. Ransomware Blocks in 2016 2016 Total: ~1B
• 107. Fundamental Best Practices • Employee education: awareness, best practices, simulation testing • Keep current with patching: minimize exploitation of vulnerabilities • Access control: limit access to business-critical data • Back-up and restore, automated: 3 copies, 2 formats, 1 air-gapped from the network
  • 108. Smart Protection Network in 2016 … received 2.8T reputation queries from customers … identified 130M new unique threats … Blocked 1B ransomware threats … blocked 81B total threats
  • 109. Thank You Rik Ferguson Trend Micro @rik_ferguson
  • 113. How To Transform Technical Security Data Into Business Ready Metrics Sean Lever
  • 114. The Security Assurance Measurement Problem Transforming Security Data into Business Metrics How Tenable Helps Bridge the Gap Agenda
  • 116. “CISOs use existing security metrics that are expressed in technical security terms, and are oriented toward technical security decisions. They report on what they can vs. what they should.” Gartner: Sharpen Your Security Metrics to Make Them Relevant and Effective, July 10, 2015
  • 117. BITS AND BYTES DON’T BELONG IN THE BOARDROOM
  • 118. “THANKS FOR THE 300 PAGE SECURITY REPORT” - Nobody, Ever, Said
• 119. 51% of CxOs believe there is a 1 in 4 chance that a data breach will have a material impact on their organisation (source: Securing the C-suite, IBM Institute for Business Value, February 2016). 80% of CISOs say their top risks are increasing (source: Scale Venture Partners and Wisegate Survey, Assessing and Managing IT Security Risks, June 2014).
  • 121. Measured Quantity of Malware Detected According to the “State of Metric Based Security” Survey
  • 122. Transforming Security Data into Business Ready Metrics
• 123. What is a Metric? Metrics are quantifiable measures used to track performance.
• 125. Aligning Metrics to the Business (diagram): each metric is tied to a control, the control to a policy, and the policy to a business objective; the control framework layers shown are monitoring, control activities, risk assessment and control environment, and the reporting hierarchy runs from data to information, knowledge and wisdom.
• 127. What is a SMART Metric? Characteristics: 1. Specific 2. Measurable 3. Actionable 4. Relevant 5. Timely. Examples. Operations: % of critical systems patched within target days; % of critical systems without updated virus definitions. Compliance: % of critical systems within compliance. Reporting: <metric> by site/location; <metric> by business unit.
  • 128. How Do I Share Metrics?
  • 129. Where Do I Start? Security FrameworksBusiness Frameworks
  • 130. National Cyber Security Centre (NCSC)
  • 131. National Cyber Security Centre (NCSC)
  • 132. National Cyber Security Centre (NCSC)
  • 133. How Tenable Helps Bridge the Gap
  • 134. ✓ Define security metrics that map to your unique business objectives ✓ Collect comprehensive, reliable data to assess security and compliance ✓ Use easy-to-read report card format to communicate security posture to execs ✓ Validate that security program controls are in place and delivering intended results to maximize your return on investment Measuring Security Assurance
  • 138. ARCs for Specific Concerns
• 140. Summary: Figuring out the "right" metrics and compiling them can be challenging. Metrics provide clear insight into how well the IT security team is meeting security and business objectives. Tenable's sensors and ARCs help you turn technical data into metrics executives can understand.
  • 141. • Read the eBook: Using Security Metrics to Drive Action • Download the Whitepaper: Measuring Security Assurance – Turn Technical Data into Metrics Executives Can Understand Next Steps
• 144. Social Engineering: The Art of Manipulating People, or A Career in Engineering whilst being on the Social
• 146. The most important role for a security practitioner is to eradicate the need to prepend words to the term "security".
• 147. The greatest risk we face as risk owners is from those with whom we are sharing the risk.
• 150. Practical Examples: Tatty Teddy; Rick Steenfield
• 151. Tatty Teddy. Twitter on Tatty Teddy: over a number of years, tweeted as a fan. On occasion the principal retweeted. Interaction progressed to the principal commenting. Fan moves to interact in DM; principal replies. Fan tweets evolve, becoming more personal.
• 152. Tatty Teddy. Principal attempts to ignore and manage the fan. Principal sensitively declines. Management company running a competition; winner of meet & greet announced. Fan requests a meet & greet. Fan interaction turns hostile. Fan makes direct threats and becomes hostile online.
  • 156. Tatty Teddy > After being single all my life and approaching my 38th birthday, I've > taken the plunge and signed up with POF. Have never had so much as a > proper date in all my life, and it's been years since I was even > remotely looked at by a woman, so I'm not expecting much. > > Having looked at who's available in my local area, there isn't much > going. There are one or two women who are nice looking, but I look > very young for my age, don't fancy women near to my own age (many > 30-35s almost look old enough to be my mother), and I feel awkward at > the thought of looking at women in their late 20s who I might actually > find attractive. But I'd probably have nothing in common with them.
  • 160. o Alexa, come away with me! I want to take you away! To a place where no-one can ever hurt you! We can go anywhere. I know places. Places where we can be alone~or in a big city.It doesn't matter. I want to live a "normal" life with you. I want to watch you grow old with me, and maybe have a couple of children. You can be anything you can imagine! A doctor, a factory worker, a scientist, a photographer! Anything you want. I just have this dream of you and me in a house and pets and you can be my wife, and I can be your loveslave. Anything you want. It will be great! We can have a lot of fun together! So, get back to me! Tell me to go to Hell, tell me that I'm crazy, just tell me how you feel. I love you and I want you to be happy. Alexa Ray Joel
• 161. Alexa Ray Joel. Messages start September 4th. 5th: recounting a nightmare. 7th: message of hate. Last message: 13th November.
• 163. Rick Steenfield: 20s, Chicago, McDonald's. Attended Gordon Central High School. Legend going back to high school. Alexa Ray Joel
  • 165. Social Engineering - Profiling What do you want~ Something about me being a lazy drink~I waste~good please!~Let me go! Alexa Ray Joel
  • 166. One of a handful reporting same geo location. Similar Interests, Likes. I envy you~the way you can sing wrong~I just like them forever! but here I go~up on the stage, anyway Alexa Ray Joel
  • 168. Sheryl Finley [Billy Joel] hired a bodyguard to protect his daughter and contacted [Paul] McCartney, who recommended a Europe-based private-security firm not bound by the same legal restrictions as the police, [Post] sources said. McCartney's people found the stalker in Austin, Minn. Alexa Ray Joel
• 169. Securing People: training, understanding, malice. • Educate your colleagues. • Educate your stakeholders. • You can't address this with technology.
  • 170. Securing People You do not know the people you are trusting. • Recognise that as a Risk. • Quantify the risk. • Accept it or mitigate it.
• 171. Crime is on the increase • Your stakeholders are being targeted. • Sensitive assets can take many forms. • It's risk, whether introduced by cyber or just security. • Stop referring to "cyber security".
  • 173. CYBER RESILIENCE…THINKING BEYOND BUILDING THE WALLS HIGHER Rick Hemsley March 23, 2017 SECURITY ACCENTURE
• 174. Defending and Empowering the Digital Business: By the Numbers. 20+ years of experience helping clients secure their organizations; 5,000+ people; 330+ clients spanning 67 countries; 15,000+ security devices managed; 30 million+ digital identities managed; one million+ endpoints managed; 5B+ raw security events processed daily; running some of the largest SIEM deployments in the world; security analytics that handle billions of events; >30x faster detection rates of incidents for multiple clients; 5,000+ security risks mitigated per year; 350+ pending and issued patents related to security; cloud security, management and control for 20,000+ cloud computing instances; streamline cloud migration activities by 20%; 2 Security Centers of Excellence (Manila and Buenos Aires); 4 Cyber Fusion Centers (Bangalore, Prague, Washington, DC, Tel Aviv). Copyright © 2017 Accenture Security. All rights reserved.
• 175. How often do you hear about security in day-to-day media stories? A. Never B. Weekly C. Nearly daily
• 176. From the headlines: Thieves steal $101M; governor of Bangladesh central bank resigns (The Economist, "The Dhaka Caper", March 19, 2016). Yahoo hack: 1bn accounts compromised by biggest data breach in history (The Guardian, article by Sam Thielman, December 15, 2016). LinkedIn hack hits headlines again: records stolen to 117 million accounts (www.zdnet.com/pictures/biggest-hacks-security-data-breaches-2016/6/). Oracle Data Breach: MICROS System Compromised by Hackers (www.identityforce.com/blog/oracle-data-breach).
• 177. What have we traditionally done? Resistance.
• 178. Attackers modify their tactics.
• 179. Modern Threats: cyber crime, or cyber-enabled crime, is big business, and companies are targeted for their data or for monetary benefit (one and the same?). Actors: activist groups, corporate espionage, state sponsored, employees or partners, organized crime.
• 180. Sophisticated, well-funded cybercriminals are outpacing digital businesses. Although the rise of digital has revolutionized how businesses work and serve their customers, it has also added new dimensions of risk: 23% increase in exposed identities (~0.5 billion) with nine mega-breaches in 2015 [1]; 55% increase in spear-phishing campaigns targeting employees in 2015 [4]; 35% increase in ransomware, moving beyond PCs to smartphones, Mac and Linux systems [2] (OT systems next?); 430 million new unique pieces of malware in 2015 [1]; $400 billion in costs to businesses per year due to cyber attacks (initial damage plus ongoing disruption) [5]; $170 billion global corporate spending on cyber security by 2020 [3]. References: 1 and 2. Symantec Internet Security Threat Report, April 2016 (mega-breach defined as >10 million records); 3. "Companies Lose $400 Billion to Hackers Each Year," Inc., September 8, 2015; 4. Symantec Internet Security Threat Report, April 2016; 5. "Lloyd's CEO: Cyber attacks cost companies $400 billion every year," Fortune, January 23, 2015.
• 181. THE VOLUME OF ATTACKS ATTAINS ITS OWN DARWINIAN SOPHISTICATION BEYOND CARBANAK AND SWIFT, CYBER RISK WILL CONTINUE TO MORPH AND BECOME MORE SOPHISTICATED. AS THE CONTROLS IMPROVE, THE ATTACKS CHANGE. Example New Cyber Risks People are the weakest link • Social engineering / phishing messages clever enough to fool everyone Greatest risks are cross silo • Security vs • Fraud vs • Customer Risk vs • Vendor Risk Command and control: • Clever mechanisms hide communication protocols once a breach has happened, e.g. Amazon HTTP requests Switch to Physical: • USB drives, printers, computers or any other hardware that can be compromised and then installed on the network SMS: • Weaknesses in the telecom infrastructure allow SMS based dual factor authentication to be compromised Ransomware attacks digital infrastructure: • Exploiting Android and Apple iOS can wreak havoc on applications, mobile devices and Internet of Things
• 182. New regulation = new requirements. What is the GDPR? The General Data Protection Regulation (GDPR) applies to all businesses that have customers and/or operations within the European Union. Businesses have new requirements to meet. New regulation: 3x as many articles as the incumbent privacy directive; 18 months until the new regulation is expected to become fully enforceable; 28 member states with a harmonised regulatory framework; 1 EU-level supervisory authority governing going forward (however, there are many regulatory bodies, e.g. FCA and PRA, that can take action against the Data Controller or Data Processor). In reality, it means fines up to 4000x previous levels and personal liability for management and/or the board. New requirements: you need to report an incident without undue delay to the Supervisory Authority, no more than 72 hours after finding it. You'll need to appoint a Data Protection Officer if you monitor on a large scale or process special data (estimated DPO requirement: 28,000 in the EU, 75,000 globally). You'll have tighter restrictions around consent; get the consent balance right so you don't scare off customers. You'll need to cover more personal data, now including physical, physiological, economic, mental, genetic, cultural and social identity. You'll need to be able to erase all of an individual's personal data, which is likely to be in many parts of the organisation or with data processors. You'll need to be able to give an individual all of their personal data: where is it, what format, how to extract it, how to port it, etc.
• 183. WHAT IS CYBER RESILIENCE? Cyber Resilience Overview: It is the ability to operate the business processes in normal and adverse scenarios without adverse outcomes. Specifically, resiliency strengthens the firm's ability to identify, prevent, detect and respond to process or technology failures and recover, while reducing customer harm, reputational damage and financial loss External Sources of Cyber Risk • Hacktivism • Hacker/Lone Wolf • Nation State Attacks • Insider Data Leakage • Social Engineering Internal Origins of Cyber Risk • Digital Banking Services • Payments • Electronic Trading • Third Parties • Technology Infrastructure CYBER RISK CAN MANIFEST ITSELF ACROSS SEVERAL DIMENSIONS, MAKING IT DIFFICULT TO DETECT, MEASURE, AND CONTROL Common characteristics of resilient businesses: • More secure processes and systems • Strong controls with a strong control environment • A solid risk culture • Digitized and automated processes
• 184. PREPARE: business strategy alignment; assessment & architecture; operating model governance; risk & compliance; culture change; red-teaming. DETECT: vulnerability management; threat intelligence; security monitoring; cyber threat analytics. PREVENT: digital identity; application & data security; platform & infrastructure security. RESPOND & RECOVER: incident response remediation; business continuity. Across mobile, on premises, cloud and IoT. More simply? Business-driven, threat-centric, digitally protected, adaptive responses, agile delivery.
• 185. HOW DO WE ACHIEVE CYBER RESILIENCE? Adopt a different mind set… Understand our adversary, their objectives, strategies, tactics, and operating methods Think about different threats … Those inside the organisation often have the 'keys to the kingdom' yet can often be the cause, intentionally or accidentally, of breaches Organise ourselves … Move beyond technical silos, think holistically about cyber across the organisation Preparation is key … Incident Response is critical and with GDPR it will only become more so
• 186. 1. Not Measuring the right things  Move to business alignment 2. Assuming controls are sufficient  Stress test prove controls and people 3. Assume perimeter  Begin inside out 4. Static plans … doing the same thing over and over  Innovate 5. Limit security as a purely technical Issue  Everyone's mission H&S for 21st Century 6. Disengagement  All leadership aligned and communicating 'singing from the same hymn sheet' WHAT ARE THE CHALLENGES WE NEED TO OVERCOME?
• 187. 5 KEY PRIORITIES TO HELP MANAGE CYBER RISKS EFFECTIVELY 1. Training and Risk Culture – Taking what is unique in your organization and infusing the right cyber risk behaviors 2. Controls – Identify weak points – building a robust set of controls across operations, business and IT 3. Measurement with a Purpose – What is going on without your leadership's knowledge – creating metrics that expose the risks 4. Operating Model – How does your leadership work with the rest of the organization - assigning clear lines of accountability and ownership 5. Resilience – At some point things will go wrong, be prepared (and have leadership prepared!)
• 188. PREPARE: business strategy alignment; assessment & architecture; operating model governance; risk & compliance; culture change; red-teaming. DETECT: vulnerability management; threat intelligence; security monitoring; cyber threat analytics. PREVENT: digital identity; application & data security; platform & infrastructure security. RESPOND & RECOVER: incident response remediation; business continuity. Across mobile, on premises, cloud and IoT. More simply again? How do we respond? What is the impact? How do we organize? How do we monitor? Risk identification: aggregated set of typical risks associated with cyber risk. Risk events: scenarios which can impact the organization, specific to cyber threats. Business and IT controls: oversight of the controls and their testing programs, and how to leverage COBIT, ISA, ISO/IEC and NIST controls. Operating model: specifying the structure with people, organization, roles, tools and processes to govern. Detection and identification: tools and metrics to identify and log aspects to manage operations. Operational monitoring: aligning the tools to identify and detect threats along with their escalation and oversight. Event response plan: structure to identify and manage action plans. Crisis management: structure to manage incidents and notify impacted parties.
• 189. To operate and grow confidently in a rapidly evolving threat landscape, organizations need to address security on three dimensions. 1. Empower business growth and secure operations: establish and maintain customer trust by meeting expectations for the privacy and protection of their data; enable capabilities that enhance customer and employee experience; meet compliance and regulatory obligations; enable secure adoption of new technologies. Goal: ensure that expectations for privacy and compliance are met, and that the business is protected from routine malicious behaviors. 2. Harden the organization to make cyber attacks difficult: maintain IT hygiene to eliminate exposure to known vulnerabilities; use threat intelligence to anticipate cyber attacks and take preemptive defense measures; implement technology such as encryption and two-factor authentication to increase the difficulty of a successful cyber attack; implement security discipline beyond the security organization (e.g. secure coding, network segmentation, training & awareness). Goal: raise the cost of attack to adversaries, reducing their incentive to attack lower-value targets. 3. Detect and remediate successful cyber attacks: detect in-flight cyber attacks; use red teams to test cyber defense effectiveness; prepare and test incident response plans. Goal: detect and respond to successful cyber attacks, and minimize their impact.
• 190. IF YOU TAKE NOTHING ELSE AWAY… ADOPT A WHEN, NOT IF MINDSET … PREPARE FOR BUSINESS DISRUPTION KNOW WHAT YOU WILL DO … & GDPR IS COMING!!!
  • 193. Ian McGowan Bio Ian is a Managing Consultant at Barrier Networks and has 18 years experience working in network and application security. He has worked as a web application security architect and application security operations lead and understands the challenge organisations face when trying to integrate security controls into the modern software development life cycle.
  • 194. Talk Overview • Overview of Web Application Security challenges • How Web Application Firewalling (WAF) can help • Advances in WAF technology • Anti-Fraud techniques • Summary
• 196. Attack Surface (diagram). Network attacks: recon and port scans, network DDoS attacks, DNS attacks, DNS amplification and cache poisoning. Session attacks: man in the middle, attacks against SSL vulnerabilities. Application attacks: application vulnerability exploits, application DDoS attacks, business logic abuse, botnet/spam. Client-side attacks: phishing, malware, man in the browser, stolen user credentials/fraud. Target: data.
• 197. Focus of Attacks (same attack surface as the previous slide). Attacks are disproportionately targeting two areas: application protection, and user access and credentials.
• 198. State of Application Delivery Report: yearly report by F5 Networks, 2,200 respondents; understanding trends; most popular application services deployed; most important application services deployed.
  • 199. Application Services to be Deployed 2017
  • 200. Top 3 Security Services Planned Globally
• 201. Most Important to Respondents
  • 202. WebApp Security Challenges • Complexity of the application • Complexity of the attacks • User controls the Endpoint
  • 203. SDLC Challenges • Secure coding is difficult, expensive and slow. • Developers are usually under time constraints • The focus is on delivery and not security • We need to change our approach to software development
  • 204. OWASP Top 10 Top 10 AppSec Risk There are more than 10! These aren’t going away Time to adjust our approach?
  • 205. Placement of Controls Prevention is better than a cure.
  • 206. Closing the barn door… Production vulnerability Timelines to consider: • Undetected period • Time to mitigate • Window of exposure
  • 208. Firewall vs WAF • Firewall is network focused • NG Firewall is content focused • WAF is application focused
  • 210. AppSec Policy Enforcement Point WAF provides the ability to enforce policy Positive vs Negative Policy WAF Policy
  • 211. WAF Benefits • Mitigate SQLi • Insecure Direct Object Reference • Layer 7 DDoS Protection • Session & Login Tracking • Web Scraping Prevention • Brute Force Attack Prevention • XML Schema Validation • JSON, AJAX and Web Services
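The "positive vs negative policy" distinction on the previous slide, and the SQLi item in the benefits list above, are easiest to see with both models run over the same request. The following is an added illustration and not the talk's or any WAF vendor's code: a negative policy made of a few signatures beside a positive policy that allow-lists the parameters of a hypothetical /account endpoint (the schema is an assumption for the example).

```python
"""Positive (allow-list) versus negative (signature) WAF policy, applied to the same request parameters.
Illustrative example; the schema for a hypothetical /account endpoint is assumed."""
import re
from typing import Dict, List, Tuple

# Negative model: block what matches known-bad patterns. Quick to deploy, but any input the
# signatures do not anticipate gets through.
SQLI_SIGNATURES = {
    "union select": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "tautology": re.compile(r"(?i)\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),
    "comment or timing probe": re.compile(r"(?i)--|/\*|\bsleep\s*\("),
}


def negative_policy(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (parameter, signature name) for every match; empty means the request is allowed."""
    hits = []
    for name, value in params.items():
        for sig_name, sig in SQLI_SIGNATURES.items():
            if sig.search(value):
                hits.append((name, sig_name))
    return hits


# Positive model: describe exactly what the endpoint accepts and reject everything else. Needs
# application knowledge (or a learning phase) to build, but unknown attack strings fail it too.
ACCOUNT_SCHEMA = {
    "id": re.compile(r"[0-9]{1,10}"),
    "sort": re.compile(r"date|amount"),
}


def positive_policy(params: Dict[str, str], schema=ACCOUNT_SCHEMA) -> List[Tuple[str, str]]:
    """Return (parameter, reason) for every violation of the allow-list; empty means allowed."""
    violations = []
    for name, value in params.items():
        if name not in schema:
            violations.append((name, "unexpected parameter"))
        elif not schema[name].fullmatch(value):
            violations.append((name, "value outside allowed format"))
    return violations


def decide(params: Dict[str, str]) -> Dict[str, bool]:
    """Side-by-side verdict for one request under each model (True = allowed)."""
    return {"negative": not negative_policy(params), "positive": not positive_policy(params)}
```

The request `id=1 OR 2>1` shows the gap: no signature fires, so the negative policy waves it through, while the allow-list rejects it because an account id is digits only. The allow-list does not, on its own, stop an insecure direct object reference (id=1235 is as well-formed as id=1234); that is why the benefit list pairs it with session and login tracking.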
  • 212. DAST Integration Dynamic Application Security Testing • Early detection of vulnerabilities • Continuous assessment • Remediate code vulnerability in situ • Automated virtual patches
  • 213. Eurograbber Campaign Financial Service Crimeware Targeted Users 30,000 affected Zeus Trojan & ZITMO Stopped by Web Fraud Control
  • 215. Step 2: Initial Compromise of the DOM
  • 216. Step 2: DOM Injection
  • 217. Step 3: Trojan Relays Mobile # to C2
  • 219. Step 4: SMS Sent by C2 / Dropzone
  • 220. Step 5: Validation Request
  • 222. Compromise Success / Failure Logic
  • 224. Next Steps Laptop/PC & Mobile Device are now compromised. What next?
  • 226. Web Fraud Prevention Benefits • Detection of DOM compromise • Application level encryption • Automated action detection
  • 227. Web Fraud Control Efficacy Major European Bank: “…detected and blocked fraudulent transactions in the sum of 500,000 Euro in two days. …ROI on the pilot first two days – that’s a new thing in the security field ...”
• 228. Take Aways • AppSec controls have advanced significantly. • We must adjust our approach before it's too late. • Layered defence. (Web fraud control summary: protect online users on all devices, desktop, tablets and mobile; clientless solution enabling 100% coverage; full transparency, no software or user involvement required; prevent fraud from targeted malware, MITB, zero-days, MITM, phishing and automated transactions; in real time, with alerts and customizable rules.)
  • 231. Dan Hunt Lloyds Banking Group #scotsecure
  • 232. EVERYTHING YOU WANTED TO KNOW ABOUT PHISHING BUT WERE TOO AFRAID TO CLICK Dan Hunt, Lloyds Banking Group
  • 233. Brief Introduction • Etymology: Phreaking (Phone Hacking) + Fishing • Definition: “Phishing is the attempt to coerce recipient action, often for malicious reasons, by disguising oneself as a trustworthy entity in electronic communications” • Effectively a con trick, same as any other • Concepts can be applied to other -ishings; • Vishing: Voice-based • Smishing: SMS-based
  • 234. • Phishing emails can be used to harvest sensitive data and deploy malware • Unsuccessful phishing attempts can be used to infer how well-protected an organisation is • It is very, very easy and very, very effective • Average engagement-rate is 20% • ROI is high Why?
  • 235. Who? Phishing - Mass audience - Low sophistication, generic (Delivery/HMRC scams) Spear Phishing - Targeted at SMEs / high risk colleagues - Tailored content (Conferences, subscriptions) Whaling - Targeted at CEOs / Exec level - Highly tailored content - Long-game strategy (Waterholes etc)
  • 236. How?
• 238. What? (Strategic) • Reduce the engagement rate on phishing emails; • Gateway filtering & blocking • Employee Education & Testing: • Studies find that the 20% click rate falls to 13% if employees go through just three simulation exercises, to 4% after the fourth and 0.2% after the fifth. • Have colleagues know what to do and who to tell.
  • 239. What? (Immediate) • Awareness of Red Flags • Mismatch of sender imagery • Impersonal (Dear Customer) • Misspellings • False sense of urgency • Email/web domains don’t match
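Several of the red flags listed above can be checked by machine before a message reaches a colleague, which is what gateway filtering does at scale. The following is an added example, not code from the talk or from Lloyds Banking Group: it runs four of the checks (untrusted sender domain, impersonal greeting, urgency wording, link text that disagrees with the link target) over two constructed messages. The trusted-domain list and the urgency word list are assumptions for the example.

```python
"""Automated 'red flag' checks on an email, mirroring the slide's list: sender domain, impersonal
greeting, urgency wording, and display text that disagrees with the link target.
Constructed sample messages; the trusted-domain list is an assumption for the example."""
import re
from email import message_from_string
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("lloydsbank.com",)   # assumed allow-list for the example

# Constructed phishing sample (the link text looks legitimate; the href does not).
PHISH_EMAIL = """\
From: "Lloyds Bank" <security@lloyds-verify-account.com>
To: customer@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html

<p>Dear Customer,</p>
<p>Unusual activity was detected. Please verify within 24 hours or your account will be suspended.</p>
<p><a href="http://203.0.113.9/login">https://www.lloydsbank.com/login</a></p>
"""

# Constructed legitimate sample for comparison.
LEGIT_EMAIL = """\
From: Lloyds Bank <statements@lloydsbank.com>
To: jane@example.org
Subject: Your March statement is ready
Content-Type: text/html

<p>Hello Jane,</p>
<p>Your statement is available in online banking: <a href="https://www.lloydsbank.com/statements">Statements</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host: str) -> str:
    # Crude last-two-labels rule; production code should use the Public Suffix List.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_red_flags(raw_email: str, trusted=TRUSTED_DOMAINS) -> List[str]:
    """Return the red flags found in one RFC 822 message; an empty list means none of these checks fired."""
    msg = message_from_string(raw_email)
    flags = []
    sender = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = _registered_domain(sender.group(1)) if sender else ""
    if sender_domain not in trusted:
        flags.append("sender domain %s is not trusted" % sender_domain)
    body = msg.get_payload()
    if re.search(r"\bDear (Customer|User|Member)\b", body):
        flags.append("impersonal greeting")
    if re.search(r"(?i)\b(urgent|immediately|within 24 hours|suspended)\b", msg.get("Subject", "") + " " + body):
        flags.append("false sense of urgency")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if text_host and _registered_domain(text_host) != _registered_domain(href_host):
            flags.append("link text shows %s but points to %s" % (text_host, href_host))
        elif _registered_domain(href_host) not in trusted:
            flags.append("link points to untrusted host %s" % href_host)
    return flags
```

The sender check catches look-alike domains only because the allow-list is exact; the link check is the one that matters most in practice, since a hover-over is exactly what a rushed reader skips.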
  • 240. What? (Final Thoughts) When sent an email that you’re not expecting, even if it appears to be from someone you know, consider the following; • WHY am I being sent this email? • WHO is sending it to me? • WHAT do they want me to do? • WHERE could it lead me? THINK BEFORE YOU CLICK
  • 242. DevSecOps A 2-year journey of success & failure! @StuHirstinfosec
  • 247. Skyscanner @StuHirstinfosec Who are we? What do I do? What am I presenting?
  • 249. Skyscanner 2017 Skyscanner Security in 2017… WE HAVE A LOGO N’ EVERYTHING! @StuHirstinfosec
  • 251. Skyscanner 2017 My most successful strategy? ISO27001? Cyber Essentials? BSIMM? A.N.Other? Nope, it’s been speaking to people and sharing learnings. @StuHirstinfosec
  • 252. Skyscanner 2017 Longer term; Split security into focused areas; we now have SECOPS and PRODUCT SECURITY @StuHirstinfosec
  • 254. Skyscanner 2017 @StuHirstinfosec
    1. TEACH
    2. CONTINUOUS AUDITING & ALERTING
    3. OPEN SOURCE TOOLING (Scout2, SecurityMonkey etc)
    4. AUTOMATION
  • 256. Skyscanner 2017 @StuHirstinfosec
    Initial scheme – Qualys scans
    2 week scheme – glut!
    365 scheme – needs constant researcher rotation, refuse to pay for crap bugs, weed out the XSS guys!
  • 257. Skyscanner 2017 @StuHirstinfosec
    Ideal outcomes:
    • Weed out certain types of bug in your code altogether
    • Make researchers work harder for their cash!
    • Scale the scheme & make it more valuable over time
  • 261. Two-Factor All The Things
    • VPN
    • Windows / Mac Login
    • Web portals
    • Apps
    • SSO
  • 263. User Data
    Implemented new MINIMUM STANDARDS for user data. Privacy BY DESIGN! Examples:
    • Only stored in agreed places (e.g. AWS)
    • Minimum encryption levels when transferring
    • Same for data at rest (AES256)
    • Bcrypt / Argon2 for hashing
    • Only using TLS
    • Get rid of old ciphers
    • Segment the network
    • Tighten up access controls to the data
    @StuHirstinfosec
  • 265. Skyscanner 2017 @StuHirstinfosec
    • Get rid of credentials in code (GitHub/GitLab etc):
      • Credstash
      • Git Secrets
      • GitLeaks (have fun!)
  • 266. Skyscanner 2017 Passwords in Plain Text?! Dude, it’s 2017. @StuHirstinfosec
  • 269. Skyscanner 2017 There are lots of SIEM solutions BUT HOW ARE YOU USING THEM?! @StuHirstinfosec
  • 276. What we do: Security Champions @StuHirstinfosec
  • 277. What we do: Crypto & Bug Challenges @StuHirstinfosec Hosted in AWS – cheap, easy to build!
  • 278. What we do: Crypto & Bug Challenges @StuHirstinfosec Security Swag - everyone loves t-shirts & stickers!
  • 279. What we do: Security Meet Up @stuhirstinfosec
  • 281. Take Humans out of the equation… @StuHirstinfosec
  • 282. Phishing – why not take humans out of the equation?
    • Sandbox links & attachments (Uber built this themselves)
    • Protect against impersonation
  • 283. Learning (especially from failure!) … @StuHirstinfosec
  • 284. Culture: No fear. “This is the moment of my failure and I am not scared”
  • 285. What we do Announcing failure… Weekly PRODOPS Review NO BLAME! It’s a learning exercise @StuHirstInfosec
  • 286. What we do Learning… Cybrary, PluralSight, Twitter, Blogs
  • 287. Some thoughts to leave you with…
  • 288. Stats: Not everything is critical!
    • Simple and quick wins are GOOD wins!
    • Try and increase the likelihood of an employee telling you about an event or potential attack
    • Run attack simulations. Break something before someone else does!
    FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS. IF YOU GO FROM 48% TO 32% ON FIRE, YOU’RE STILL ON FIRE! (Zane Lackey, ex-Etsy)
  • 291. Security Scaremongering: “The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests)”
  • 292. Some thoughts to take away Reward people… For making you aware of issues. You feel good, they feel good & they’re likely to tell others.
  • 293. What next? Shout about your successes!
    • Security is as important as any other business unit
    • So shout about the successes you have
    • Positive PR across the business
  • 295. Learn with Skyscanner
    • Follow Skyscanner @CodeVoyagers on Twitter
    • Read a backlog of our learnings at codevoyagers.com
    • Sign up for our Skyscanner Code Voyagers newsletter for learnings from our successes and failures, or search http://9nl.it/scotsecure_cvnewsletter
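Slide 265's point about getting credentials out of code is the kind of check tools such as Git Secrets and GitLeaks run as a pre-commit hook: pattern rules for known key formats, a generic rule for quoted literals assigned to password-like names, and an entropy filter so placeholders do not drown real hits. This is an added example, not Skyscanner's own tooling: the rule names, the entropy threshold and the sample repository snapshot are constructed, and every key value in it is a placeholder.

```python
# Added example (not Skyscanner's tooling): a small pre-commit style scanner for
# credentials left in source, in the spirit of the Git Secrets / GitLeaks slide.
# The repository snapshot is constructed and every key value is a placeholder.
import math
import re

RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # a quoted literal of 8+ chars assigned to a password/secret/key/token-like name
    "hardcoded-credential": re.compile(
        r"(?i)\b\w*(?:passw(?:or)?d|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
}

def shannon_entropy(s):
    """Bits per character: random tokens score high, dictionary words and placeholders low."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def scan_text(path, text, min_entropy=3.0):
    """Return (path, line_no, rule, matched_text) for every hit in one file's contents."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if "# allow-secret" in line:  # explicit, reviewable suppression for test fixtures
            continue
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            # Generic rule only: drop low-entropy values such as "changeme" to limit noise.
            if rule == "hardcoded-credential" and shannon_entropy(m.group(1)) < min_entropy:
                continue
            hits.append((path, no, rule, m.group(0)))
    return hits

def scan_files(files):
    """files maps path -> contents, as a hook would read the staged files."""
    return [hit for path, text in files.items() for hit in scan_text(path, text)]

# Constructed snapshot: two offending files and one that reads the secret from the environment.
SAMPLE_REPO = {
    "config.py": 'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000000"\n'
                 'DB_PASSWORD = "changeme"\n'
                 'API_TOKEN = "q7Zr2pLm9XkVb4TnW8Ys"\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...(placeholder)...\n",
    "settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\n'
                   'TEST_PASSWORD = "not-a-real-secret-fixture"  # allow-secret\n',
}
```

`scan_files(SAMPLE_REPO)` reports the placeholder AWS key, the high-entropy API token and the private key block, while the `changeme` placeholder and `settings.py` (environment lookup plus an explicitly allow-listed fixture) produce nothing.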
  • 296. Prof Bill Buchanan Edinburgh Napier Uni @billatnapier #scotsecure