Cyber attacks have been hitting the headlines for years; but in spite of the risks, the reputational damage and the rising cost of fines, there is still an endless stream of businesses being exposed for security failings.
The scale of the problem is vast: Accenture’s recent 2016 Global Security Report highlighted “an astounding level of breaches” with the organisations surveyed facing more than 80 targeted attacks every year, of which a third were successful. Much has been made of the evolving threat landscape and increasing sophistication of attacks. But whilst there is evidence to support the growing complexity of the challenge, all too often the analysis of these high-profile attacks determines basic, foundational security principles were ignored.
Some commentators argue that the persistence of failings is a direct reflection of organisational priorities, and that while businesses may talk a good game, security is not yet given the attention that it requires at board level. This leaves CISOs and IT leaders fighting a losing battle to secure adequate attention and investment for an area of the business which does not generate revenue.
This conference will look at raising security standards across the business, exploring some of the most persistent problems from IT infrastructure to staff engagement. Against a backdrop of perpetual media hysteria, turbulent markets and looming regulatory change, it can prove difficult to establish a coherent picture of the threat, never mind what action to take. The conference will help contextualise the challenging landscape and discuss how to deliver meaningful improvements and end-to-end organisational resilience.
What can we do to fight back?
Scot-Secure Conference, March 2017.
Agenda
• Scottish, UK & Global Perspective!
• The current threat landscape!
• The challenges to LE & Policing!
• The LE response - NCCU & Police Scotland!
• Are we getting the message across?
• What can we do to fight back?
• Collaboration & Prevention.
• Good News - Look Forward!
ORIGINAL HUB CONCEPT (diagram)
Top level: SG/NCSC, EUROPOL, POLICE / SENIOR TECH COMMUNITY / INVESTIGATIONS
TIER 4 – SCOTLAND’S TECH COMMUNITY DEVELOPMENT
TIER 3 – ACADEMIA / R & D
TIER 2 – SOC / TRUSTED PARTNERS
TIER 1 – APPRENTICES / GRADUATES
What we do know!!
• The cyber threat to UK business is significant and growing.
• This threat is varied and adaptable.
• The rise of internet connected devices gives attackers more opportunity!
• The past year has been punctuated by cyber attacks on a scale and boldness not seen before!
• The UK & Scottish government is committed to making the UK a secure and resilient digital nation
• Under-reporting.
Scenario 2 – Malware
Some brief examples… The Usual Suspects (diagram): Malware, Phishing, Ransomware, Social Engineer, Hacker
Key questions that all CEOs & CISOs should be asking this week?
• “Are we vulnerable to a cyber intrusion, SQL injection, ransomware or DDoS based attacks?”
• “What assurance activity have we done to confirm that we are not vulnerable?”
• “If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?”
• “Are we satisfied that we have engaged sufficient 3rd party security provision?”
• “What is our company ethos & posture on security?”
• “What and how vibrant is your overarching cyber security policy?”
The Main Threats…
Hacktivism
• Hacking organisations they don’t agree with
• Politically motivated
• Mainly defacement of websites and public disclosure of information
• Organised but dispersed.
• Anonymous, New World Hacking, Lizard Squad
Organised Crime
• Well funded cyber crime groups
• Financially motivated
• Mainly ransomware, stealing of personal info/credit card info, and hacking.
• Highly organised and well funded
• Carbanak Cyber Gang, Janus Sec etc.
Espionage
• State sponsored
• Politically & financially motivated
• Mainly covert hacking and custom malware - targeting sensitive IP and CNI.
• Extremely organised and well funded
• TAO, APT 28, APT 17, Bureau 21
The Main Threats…
Bedroom Hackers
• Teenagers with a point to prove
• Motivated by recognition and quick cash
• Mainly defacement of websites and public disclosure of information
• Have been quite successful at ‘low hanging fruit’.
• They have been individuals or ‘front people’ of a group
Growing Cadre of Hacking Groups
Anonymous
LulzSec
Lizard Squad
New World Hacking Team
DD4BC
The Impact Team
The Armada Collective
Syrian Electronic Army
16.66
PhantomSec
Feezan Hameed
• £60 - £113 million frauds
• Vishing / social engineering of banking customers
• Data acquired including account details/passwords
• Money transferred online – mule account networks
• UK wide investigation
• Numerous UK Law Enforcement
• Arrested in Paris on false passport
• Convicted and sentenced to 11 years imprisonment
• Customer education?
Op Backbone
• UK Bank
• Frauds
• Exfiltration of bank customer data
• Bank employee
• Live customer data for sale on dark web
• Data used to commit further frauds
• Customer data recovered at home address
• Arrested / Convicted
• £23,000 seized POCA from account
• Print? Business need/auditable?
Operation Mouse - Police Scotland Website
Operation Vulcanalia
The NCCU/PSOS Operation Vulcanalia targeted users of the Netspoof DDoS-for-hire tool. Based on intelligence gathered by the West Midlands Regional Cyber Crime Unit, a week of action in December 2016 saw more than 60 individuals targeted, resulting in 12 arrests, over 30 cease and desist notices served, two cautions issued and one protective visit made.
The Avalanche network
The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing to combat botnet infrastructures and is unprecedented in its scale, with over 800,000 domains seized, sinkholed or blocked.
Scotland’s Future
• International Collaboration
• Government - L.E – Industry – Academia Collaboration
• Joint Working - Intelligence, Technical, Disruption
• Prevention/ Education
• Curriculum for 21st Century
• Upskill Children & Wider Population
• Target Harden Existing Business
• SBRC Role
• Cyber Security Grow as Industry Sector
Cyber Essentials & Cyber Essentials Plus
Cyber Essentials concentrates on five key controls. These are:
1. Boundary firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
Fighting back: what can we do?
• Reporting means we can fight back!
• Cyber Policing Structure – NCCU - Regional Hubs - Prevention
• European & Global Co-operation - EC3.
• Innovative partnerships.
• Organisational growth and transformation.
• Education, prevention & unprecedented collaboration.
– The Cyber Academy & Scottish Academia R & D.
– Inspire and enthuse - SQA National Progression Awards
– SBRC – Supporting vulnerable SMEs.
– Multi agency, multi disciplined teams protecting Scotland.
Dr Keith Nicholson
Independent Cyber Security Advisor
• 25+ years’ experience in digital technologies, IT audit and cyber security
• Qualified in cyber security (CISM, CISA)
• Scottish Government advisor in Cyber Security
• Member, Cross Public Sector Cyber Group
• Member, Cyber Leaders Board
• Advisor across Public Sector (e.g. SNH, SEPA, SFC, Revenue Scotland)
Cyber Security Scotland
Non-Profit Organisation
● established to provide independent advice & services on all aspects of cyber security to public bodies to help create the intelligent client.
● provides “honest-broker” guidance on ICT, cyber security strategy development, tender specifications, procurement exercises and project management to deliver Best Value.
BUILDING A CYBER DEFENCE STRATEGY
Challenges: IT Team
• Management expectations on skills
• Winning investment & management buy-in
• Not just a technical issue
BUILDING A CYBER DEFENCE STRATEGY
Challenges: Board
• Lack of cyber understanding
• Failure to appreciate risk & ROI
• Belief technology is silver bullet
• Lack of integration of HR, Finance & Procurement as well as IT in cyber defence strategy
Cyber Defence: BUILDING A RESILIENT ORGANISATION
• Secure technology
• Challenging suppliers - lifecycle & supply chain
• Training and awareness in staff
• Policies & procedures in HR, Finance, Procurement, IT
• Senior management responsibility
• Becoming an intelligent client: Know what you don’t know
Current Common Threats (technical & people based)
• Malware – Ransomware
• Credential theft – webmail; keylogging
• Drive-by downloads from websites
• POS attacks
• DDoS – transactional servers / websites
• Web site defacement
• Dark web – malware / hackers for hire; risk-reward model
Common attack vectors
BEHAVIOURAL VULNERABILITIES
• Domestic technology use = embedded behaviours brought into workplace
• Changing attitudes to privacy and sharing personal information
TECHNICAL
• Phishing - Email – malware – ransomware, key loggers
• Email attachments – e.g. “invoices”
• Email – person pretext (e.g. I’m xxx’s boss; CFO instructing invoice approval)
• Vishing – elicitation of key information in conversation
Threat Data
• Time to compromise – 82% in minutes (phishing to steal credentials)
• Time to exfiltration – 68% in days (capture & export data)
• Detection deficit – only ca 20% attacks detected within days [1]
• 68% attacks are malware, 32% by pretext [2]
• Oldies still goodies – top 10 vulnerabilities older than one year
• Software vulnerabilities – time between publication and exploitation:
– Adobe, Microsoft, Oracle fastest to be compromised
– Apple and Mozilla slowest
• Helps focus patch management
[1] Verizon 2016 Data Breach Investigations Report
[2] HMG, Ipsos MORI, University of Portsmouth, Cyber Security Breaches Survey May 2016
5-Step Threat Reduction Strategy
1. Recognise the threat & take responsibility at Board level – Exec & Non-Exec
2. Risk & Business Impact assessment of technical & organisational vulnerabilities
3. Secure the technology (resources prioritised via Risk & Business Impact assessment)
4. Create a cyber-aware culture
5. Evolve to become an Intelligent Client
Becoming the Intelligent Client
• Recognise what you don’t know (Known Unknowns) – audit systems, policies & procedures via “critical friend”
• Recognise you don’t know what you don’t know! (Unknown Unknowns) – get Directors and staff training, both technical and general awareness
• Challenge suppliers: service lifecycle and supply chain; build security into procurement specifications
• Don’t rely only on supplier advice (Audit Scotland)
• Seek “honest broker” independent advice where needed
Cyber Defence Action Plan
1. Assess and test Cyber Awareness Maturity level:
• At board level
• Amongst general staff
• Amongst technical teams
2. Undertake a Cyber Security audit with risk assessment to:
• Identify technical & cultural vulnerabilities and threats
• Prioritise resource allocations proportionate to risk
• Identify staff skills gaps
3. Create a staff development strategy for ongoing awareness / technical training
4. Develop a Proactive & Responsive Cyber Strategy, Policies & Continuous Improvement Plan to address continuing and changing threats
Summary
• Needs Board & Senior Management commitment
– risk awareness, RoI and investment buy-in
• Cross-organisation responsibility:
– HR for OD, staff training and vetting; Finance, Procurement for fraud detection; IT for technology
• Define your needs and challenges
– Technological as well as Staff and Suppliers via Gap Analysis
• Set realistic development plan & expectations
– Cultural change is not achieved overnight
• Keep your eye on the threat
– Staff development
– Continuous improvement plan
– Monitor, mentor, measure
Ransomware in 2016
• 2016 losses $1B
• 246 new families in 2016 alone compared to 29 for 2015. 748% increase.
• PhishMe Report: As of the end of Q3’16, 97% of all phishing emails contained crypto-ransomware
• InfoBlox Report: Ransomware domains up by 35 fold in Q1’16
UK Ransomware Survey
• Just over two thirds (69%) of UK ITDMs have heard about ransomware and know how it works.
• Four fifths (82%) consider ransomware to be a threat to their organization, while 18% do not.
• The average ransomware request received was £540, although for 20% of those infected, the request was more than £1,000.
• Nine in ten (89%) reported a time limit on paying the ransom, with the time limit being 19 hours on average.
• Organizations affected by ransomware estimate they spent 33 man hours on average fixing the issues caused by the ransomware infection.
• Two thirds (65%) ended up paying the ransom. However, only 45% of those infected got their data back by this means, while 20% paid a ransom and did not get their data back.
• The three most common reasons for paying the ransom:
– They were worried about being fined if the data was lost – 37%
– The data was highly confidential – 32%
– The ransom amount was low enough to count as cost to business – 29%
• Seven in ten (69%) think their organization will be targeted by ransomware in the next 12 months.
• 77% have an incident response plan in case of infection with ransomware
– Only 44% have tested their incident response plan, while a third (33%) have a plan in place without testing it.
Top Vulnerabilities Within Exploit Kits
CVE-2013-2551
Affected software: Microsoft Internet Explorer® 6–10
Description: A use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a deleted object
CVE-2015-0311
Affected software: Adobe Flash Player 13.0.0.262, 14.x, 15.x, and 16.x–16.0.0.287 on Microsoft Windows® and 11.2.202.438 on Linux
Description: An Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors
CVE-2015-0359
Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux
Description: An Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used; failed exploitation attempts likely result in denial of service (DoS)
CVE-2014-0515
Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x–13.0.x before 13.0.0.206 on Microsoft Windows and Mac® OS X® and before 11.2.202.356 on Linux
Description: An Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows attackers to run some processes and run arbitrary shellcode
CVE-2014-0569
Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux
Description: An Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors
Fundamental Best Practices
• Employee Education – awareness, best practices, simulation testing
• Keep Current with Patching – minimize exploits of vulnerabilities
• Access Control – limit access to business critical data
• Back-up and Restore – automated: 3 copies, 2 formats, 1 air-gapped from network
Smart Protection Network in 2016
… received 2.8T reputation queries from customers
… identified 130M new unique threats
… blocked 1B ransomware threats
… blocked 81B total threats
“CISOs use existing security metrics that are expressed in technical security terms, and are oriented toward technical security decisions. They report on what they can vs. what they should.”
Gartner: Sharpen Your Security Metrics to Make Them Relevant and Effective, July 10, 2015
“THANKS FOR THE 300 PAGE SECURITY REPORT”
- Nobody, Ever, Said
51% of CxOs believe there is a 1 in 4 chance that a data breach will have a material impact on their organisation
Source: Securing the C-suite - IBM Institute for Business Value, February 2016
80% of CISOs say their top risks are increasing
Source: Scale Venture Partners and Wisegate Survey, Assessing and Managing IT Security Risks, June 2014
Aligning Metrics to the Business (diagram, layers listed top to bottom)
Metric / Control / Policy / Objective
Monitoring / Control Activities / Risk Assessment / Control Environment
Wisdom / Knowledge / Information / Data
Examples
Operations
• % Critical Systems Patched Within Target Days
• % Critical Systems Without Updated Virus Definitions
Compliance
• % Critical Systems Within Compliance
Reporting
• <Metric> by Site/Location
• <Metric> by Business Unit
What is a SMART Metric? Characteristics:
1. Specific
2. Measurable
3. Actionable
4. Relevant
5. Timely
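As an added example (not from the deck), the following Python computes the slide's operations and compliance metrics from a constructed asset inventory and breaks them down by site and business unit, the "<Metric> by Site/Location" and "by Business Unit" reports above. The record fields, the five-day patch target and the sample hosts are assumptions.

```python
"""Compute the slide's example security metrics from an asset inventory.

Added example, not from the original deck. The inventory records below are
constructed for illustration; field names and the 5-day patch target are
assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed inventory: one record per system. "published" is when the
# relevant critical patch was released; "patched" is None if still unpatched.
INVENTORY = [
    {"host": "web-01", "site": "Glasgow", "bu": "Retail", "critical": True,
     "published": date(2017, 3, 1), "patched": date(2017, 3, 3),
     "av_current": True, "compliant": True},
    {"host": "web-02", "site": "Glasgow", "bu": "Retail", "critical": True,
     "published": date(2017, 3, 1), "patched": date(2017, 3, 5),
     "av_current": True, "compliant": True},
    {"host": "db-01", "site": "Edinburgh", "bu": "Finance", "critical": True,
     "published": date(2017, 3, 1), "patched": None,
     "av_current": False, "compliant": False},
    {"host": "db-02", "site": "Edinburgh", "bu": "Finance", "critical": True,
     "published": date(2017, 3, 1), "patched": date(2017, 3, 4),
     "av_current": True, "compliant": True},
    {"host": "kiosk", "site": "Glasgow", "bu": "Retail", "critical": False,
     "published": date(2017, 3, 1), "patched": None,
     "av_current": False, "compliant": False},
]

TARGET_DAYS = 5  # assumed SLA for patching critical systems


def patched_within_target(record, target_days=TARGET_DAYS):
    """True if the system was patched no later than target_days after release."""
    if record["patched"] is None:
        return False
    return (record["patched"] - record["published"]).days <= target_days


def percent(records, predicate):
    """Percentage of records satisfying predicate, rounded to one decimal."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if predicate(r))
    return round(100.0 * hits / len(records), 1)


def operations_metrics(records, target_days=TARGET_DAYS):
    """The two 'Operations' metrics from the slide, over critical systems only."""
    critical = [r for r in records if r["critical"]]
    return {
        "pct_critical_patched_within_target": percent(
            critical, lambda r: patched_within_target(r, target_days)),
        "pct_critical_without_updated_av": percent(
            critical, lambda r: not r["av_current"]),
    }


def compliance_metrics(records):
    """The 'Compliance' metric: % critical systems within compliance."""
    critical = [r for r in records if r["critical"]]
    return {"pct_critical_in_compliance": percent(critical, lambda r: r["compliant"])}


def by_dimension(records, dimension, metric_fn):
    """'<Metric> by Site/Location' or 'by Business Unit': group, then compute."""
    groups = defaultdict(list)
    for r in records:
        groups[r[dimension]].append(r)
    return {key: metric_fn(group) for key, group in sorted(groups.items())}


if __name__ == "__main__":
    print("Overall:", operations_metrics(INVENTORY), compliance_metrics(INVENTORY))
    print("By site:", by_dimension(INVENTORY, "site", operations_metrics))
    print("By BU:  ", by_dimension(INVENTORY, "bu", compliance_metrics))
```

Non-critical systems (the kiosk) are excluded from every metric, which is what makes the numbers comparable across sites.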
Measuring Security Assurance
✓ Define security metrics that map to your unique business objectives
✓ Collect comprehensive, reliable data to assess security and compliance
✓ Use easy-to-read report card format to communicate security posture to execs
✓ Validate that security program controls are in place and delivering intended results to maximize your return on investment
Summary
• Figuring out the “right” metrics and compiling them can be challenging
• Metrics provide clear insight into how well the IT security team is meeting security and business objectives
• Tenable’s sensors and ARCs help you turn technical data into metrics executives can understand
Next Steps
• Read the eBook: Using Security Metrics to Drive Action
• Download the Whitepaper: Measuring Security Assurance – Turn Technical Data into Metrics Executives Can Understand
Tatty Teddy
Twitter on Tatty Teddy
Over a number of years tweeted as fan.
On occasion principal retweeted.
Interaction progressed to principal commenting.
Fan moves to interact in DM, principal replies.
Fan tweets evolve, becoming more personal.
Tatty Teddy
Principal attempts to ignore and manage fan.
Principal sensitively declines.
Management company running a competition.
Winner of Meet & Greet announced.
Fan requests a meet & greet.
Fan interaction turns hostile.
Fan makes direct threats and becomes hostile online.
Tatty Teddy
> After being single all my life and approaching my 38th birthday, I've
> taken the plunge and signed up with POF. Have never had so much as a
> proper date in all my life, and it's been years since I was even
> remotely looked at by a woman, so I'm not expecting much.
>
> Having looked at who's available in my local area, there isn't much
> going. There are one or two women who are nice looking, but I look
> very young for my age, don't fancy women near to my own age (many
> 30-35s almost look old enough to be my mother), and I feel awkward at
> the thought of looking at women in their late 20s who I might actually
> find attractive. But I'd probably have nothing in common with them.
Alexa Ray Joel
o Alexa, come away with me! I want to take you away! To a place where no-one can ever hurt you! We can go anywhere. I know places. Places where we can be alone ~ or in a big city. It doesn't matter. I want to live a "normal" life with you. I want to watch you grow old with me, and maybe have a couple of children. You can be anything you can imagine! A doctor, a factory worker, a scientist, a photographer! Anything you want. I just have this dream of you and me in a house and pets and you can be my wife, and I can be your loveslave. Anything you want. It will be great! We can have a lot of fun together! So, get back to me! Tell me to go to Hell, tell me that I'm crazy, just tell me how you feel. I love you and I want you to be happy.
Alexa Ray Joel
Messages start September 4th.
5th – Recounting a nightmare.
7th – Message of hate.
Last message – 13th November.
Social Engineering - Profiling
What do you want~
Something about me being a lazy drink~I
waste~good
please!~Let me go!
Alexa Ray Joel
One of a handful reporting same geo location.
Similar Interests, Likes.
I envy you~the way you can sing
wrong~I just like them forever!
but here I go~up on the stage, anyway
Alexa Ray Joel
Alexa Ray Joel
Sheryl Finley: [Billy Joel] hired a bodyguard to protect his daughter and contacted [Paul] McCartney, who recommended a Europe-based private-security firm not bound by the same legal restrictions as the police, [Post] sources said. McCartney's people found the stalker in Austin, Minn.
Securing People
You do not know the people you are trusting.
• Recognise that as a risk.
• Quantify the risk.
• Accept it or mitigate it.
Crime is on the increase
• Your stakeholders are being targeted.
• Sensitive assets can take many forms.
• It’s risk, whether introduced by cyber or just security.
• Stop referring to cyber security.
PREPARE / DETECT / PREVENT / RESPOND & RECOVER (diagram)
PREPARE: business strategy alignment; assessment & architecture; operating model governance; risk & compliance; culture change; red-teaming
DETECT: vulnerability management; threat intelligence; security monitoring; cyber threat analytics
PREVENT: digital identity; application & data security; platform & infrastructure security
RESPOND & RECOVER: incident response; remediation; business continuity
Across: MOBILE, ON PREMISES, CLOUD, IoT
MORE SIMPLY AGAIN?
How do we respond? What is the impact? How do we organize? How do we monitor?
• Risk Identification – aggregated set of typical risks associated with cyber risk
• Risk Events – scenarios which can impact the organization specific to cyber threats
• Business and IT Controls – oversight of the controls and their testing programs and how to leverage COBIT®, ISA, ISO/IEC, NIST controls
• Operating Model – specifying the structure with people, organization, roles, tools and processes to govern
• Detection and Identification – tools and metrics to identify and log aspects to manage operations
• Operational Monitoring – aligning the tools to identify and detect threats along with their escalation and oversight
• Event Response Plan – structure to identify and manage action plans
• Crisis Management – structure to manage incidents and notify impacted parties
Ian McGowan Bio
Ian is a Managing Consultant at Barrier Networks and has 18 years’ experience working in network and application security. He has worked as a web application security architect and application security operations lead and understands the challenge organisations face when trying to integrate security controls into the modern software development life cycle.
Talk Overview
• Overview of Web Application Security challenges
• How Web Application Firewalling (WAF) can help
• Advances in WAF technology
• Anti-Fraud techniques
• Summary
Attack Surface (diagram)
Categories: Network attacks, Application attacks, Session attacks, Clientside attacks, DNS attacks, Data
Items: Stolen user credentials/fraud; Phishing; Network DDoS attacks; Application vuln exploits; Recon / port scan; Attacks against SSL vulns; DNS amplification / cache poisoning; Application DDoS attacks; Botnet/SPAM; Man in the middle; Man in the browser; Malware; Business logic abuse
Focus of Attacks (diagram repeating the attack-surface items)
ATTACKS ARE DISPROPORTIONATELY TARGETING THESE AREAS: APPLICATION PROTECTION; USER ACCESS AND CREDENTIALS
State of Application Delivery Report
• Yearly report by F5 Networks
• 2200 responders
• Understanding trends
• Most popular application services deployed
• Most important application services deployed
WebApp Security Challenges
• Complexity of the application
• Complexity of the attacks
• User controls the endpoint
SDLC Challenges
• Secure coding is difficult, expensive and slow.
• Developers are usually under time constraints
• The focus is on delivery and not security
• We need to change our approach to software development
OWASP Top 10
• Top 10 AppSec Risk
• There are more than 10!
• These aren’t going away
• Time to adjust our approach?
Web Fraud Prevention Benefits
• Detection of DOM compromise
• Application level encryption
• Automated action detection
Web Fraud Control Efficacy
Major European Bank:
“…detected and blocked fraudulent transactions in the sum of 500,000 Euro in two days. …ROI on the pilot first two days – that’s a new thing in the security field ...”
Take Aways
• AppSec controls have advanced significantly.
• We must adjust our approach before it’s too late.
• Layered defence.
(product slide) Protect Online User: clientless solution, enabling 100% coverage. On All Devices: desktop, tablets & mobile devices. Full Transparency: no software or user involvement required. Prevent Fraud: targeted malware, MITB, zero-days, MITM, phishing, automated transactions… In Real Time: alerts and customizable rules.
EVERYTHING YOU WANTED TO KNOW ABOUT PHISHING BUT WERE TOO AFRAID TO CLICK
Dan Hunt, Lloyds Banking Group
Brief Introduction
• Etymology: Phreaking (Phone Hacking) + Fishing
• Definition: “Phishing is the attempt to coerce recipient action, often for malicious reasons, by disguising oneself as a trustworthy entity in electronic communications”
• Effectively a con trick, same as any other
• Concepts can be applied to other -ishings:
• Vishing: voice-based
• Smishing: SMS-based
Why?
• Phishing emails can be used to harvest sensitive data and deploy malware
• Unsuccessful phishing attempts can be used to infer how well-protected an organisation is
• It is very, very easy and very, very effective
• Average engagement rate is 20%
• ROI is high
What? (Strategic)
• Reduce the engagement rate on phishing emails:
• Gateway filtering & blocking
• Employee education & testing:
• Studies find that the 20% click rate falls to 13% if employees go through just three simulation exercises, to 4% after the fourth and 0.2% after the fifth.
• Have colleagues know what to do and who to tell.
What? (Immediate)
• Awareness of red flags
• Mismatch of sender imagery
• Impersonal (Dear Customer)
• Misspellings
• False sense of urgency
• Email/web domains don’t match
What? (Final Thoughts)
When sent an email that you’re not expecting, even if it appears to be from someone you know, consider the following:
• WHY am I being sent this email?
• WHO is sending it to me?
• WHAT do they want me to do?
• WHERE could it lead me?
THINK BEFORE YOU CLICK
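An added example, not part of Dan Hunt's talk: a small Python checker that looks for the red flags above (impersonal greeting, misspellings, false sense of urgency, e-mail and web domains that don't match) in a constructed message, the kind of triage logic a mail gateway or a "report phishing" button can run before a colleague has to decide. The keyword lists, the organisation's own domain (OUR_DOMAIN) and both sample messages are assumptions.

```python
"""Check an e-mail for the phishing red flags listed on the slide.

Added example, not from the talk. The sample messages are constructed; the
keyword lists and the organisation's own domain (OUR_DOMAIN) are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser

OUR_DOMAIN = "example.com"  # assumed: the domain colleagues expect mail from
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
IMPERSONAL_GREETINGS = ("dear customer", "dear user", "dear valued customer")
COMMON_MISSPELLINGS = ("recieve", "acount", "securty", "verfiy")

# Constructed phish: the display name claims our bank, but the address,
# Reply-To and link target sit on other domains, and the greeting is generic.
SAMPLE = b"""From: Example Bank Security <alerts@example-bank-login.net>
Reply-To: support@mail-verify.example.org
To: someone@example.com
Subject: URGENT: your acount will be suspended
Content-Type: text/html

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="http://secure.example-bank-login.net/verify">https://www.example.com/login</a>
immediately to verfiy your details.</p>
</body></html>
"""

# Constructed legitimate message for contrast.
CLEAN = b"""From: Jane Smith <jane.smith@example.com>
To: someone@example.com
Subject: Minutes from Tuesday
Content-Type: text/plain

Hi Alex, the minutes are on the shared drive. Thanks, Jane
"""


def domain_of(address):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", str(address or ""))
    return m.group(1).lower() if m else ""


def registered_domain(host):
    """Crude last-two-labels comparison; assumed sufficient for this demo."""
    return ".".join(host.lower().split(".")[-2:])


def link_mismatches(html):
    """Links whose visible text is a URL on a different domain than the href."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        shown = re.search(r"https?://([\w.-]+)", text)
        target = re.sub(r"^https?://", "", href).split("/")[0]
        if shown and registered_domain(shown.group(1)) != registered_domain(target):
            found.append((shown.group(1), href))
    return found


def red_flags(raw):
    """Return the slide's red flags found in a raw RFC 822 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body).lower()   # strip tags for keyword checks
    subject = str(msg["Subject"] or "").lower()
    flags = []
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    if sender and registered_domain(sender) != OUR_DOMAIN:
        flags.append("sender domain is not ours: " + sender)
    if reply_to and registered_domain(reply_to) != registered_domain(sender):
        flags.append("Reply-To domain differs from From")
    for shown, href in link_mismatches(body):
        flags.append(f"link text {shown} but href goes to {href}")
    if any(g in text for g in IMPERSONAL_GREETINGS):
        flags.append("impersonal greeting")
    if any(w in text or w in subject for w in URGENCY_WORDS):
        flags.append("false sense of urgency")
    if any(w in text or w in subject for w in COMMON_MISSPELLINGS):
        flags.append("misspellings")
    return flags


if __name__ == "__main__":
    print("phish:", red_flags(SAMPLE))
    print("clean:", red_flags(CLEAN))
```

The "mismatch of sender imagery" flag from the slide is a visual check and is not automated here.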
Skyscanner 2017
My most successful strategy? ISO27001? Cyber Essentials? BSIMM? A.N.Other? Nope, it’s been speaking to people and sharing learnings. @StuHirstinfosec
Skyscanner 2017
• Initial scheme – Qualys scans
• 2 week scheme – glut!
• 365 scheme – needs constant researcher rotation, refuse to pay for crap bugs, weed out the XSS guys!
@StuHirstinfosec
Skyscanner 2017
Ideal outcomes:
• Weed out certain types of bug in your code altogether
• Make researchers work harder for their cash!
• Scale the scheme & make it more valuable over time
@StuHirstinfosec
User Data
Implemented new MINIMUM STANDARDS for user data
Privacy BY DESIGN!
Examples:
• Only stored in agreed places (e.g. AWS)
• Minimum encryption levels when transferring
• Same for data at rest (AES256)
• Bcrypt / Argon2 for hashing
• Only using TLS
• Get rid of old ciphers
• Segment the network
• Tighten up access controls to the data
@StuHirstinfosec
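An added example, not Skyscanner's own configuration: Python's ssl module set up to meet the "only using TLS" and "get rid of old ciphers" standards above, together with an audit that reports what a context falls short on. The cipher string, the weak-cipher markers and the TLS 1.2 floor are assumptions standing in for whatever minimum standard a team actually adopts.

```python
"""Build a TLS-only server context with legacy ciphers removed, then audit it.

Added example, not Skyscanner's configuration. The cipher string and the
weak-name markers are assumptions.
"""
import ssl

# Substrings that mark suites we never want enabled (assumed list).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")

# Forward-secret AEAD suites only; the '!' terms make the exclusions explicit.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_server_context():
    """Server context: TLS 1.2 minimum, no compression, strong suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # compression leaks plaintext size
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def weak_cipher_names(names):
    """Pure check used by audit(): the suite names matching a weak marker."""
    return sorted(n for n in names if any(m in n.upper() for m in WEAK_MARKERS))


def audit(ctx):
    """Return (ok, findings) for a context against the minimum standards."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    for name in weak_cipher_names(c["name"] for c in ctx.get_ciphers()):
        findings.append("weak cipher enabled: " + name)
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = audit(hardened_server_context())
    print("hardened context ok:", ok, findings)
    legacy = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    legacy.set_ciphers("ALL")   # a permissive legacy setting, for contrast
    print("legacy context findings:", audit(legacy)[1])
```

What the "legacy" branch reports depends on the OpenSSL build and its system security level, which is exactly why the audit is worth running on the host that will serve the traffic.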
Phishing
Phishing – why not take humans out of the equation?
• Sandbox links & attachments (Uber built this themselves)
• Protect against impersonation
Stats
Not everything is critical!
• Simple and quick wins are GOOD wins!
• Try and increase the likelihood of an employee telling you about an event or potential attack
• Run attack simulations. Break something before someone else does!
FORGET ABOUT TRYING TO REDUCE MEANINGLESS STATS
IF YOU GO FROM 48% TO 32% ON FIRE, YOU’RE STILL ON FIRE!
(Zane Lackey, ex-Etsy)
Scaremongering
Security Scaremongering
“The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests)”
Some thoughts to take away
Reward people… for making you aware of issues. You feel good, they feel good & they’re likely to tell others.
What next?
Shout about your successes!
• Security is as important as any other business unit
• So shout about successes you have
• Positive PR across the business
Learn with Skyscanner
• Follow Skyscanner @CodeVoyagers on Twitter
• Read a backlog of our learnings at codevoyagers.com
• Sign up for our Skyscanner Code Voyagers newsletter for learnings from our successes and failures, or search http://9nl.it/scotsecure_cvnewsletter