Welcome To
Scot-Secure 2018
#scotsecure
Mark Stephen
BBC Scotland
Det Supt Nicola Burnett
Police Scotland
@digitfyi
OFFICIAL: NONE
DSU Nicola Burnett
Specialist Crime Division
Scot-Secure 2018.
Agenda
1. Police Scotland's role
2. A more resilient Scotland
3. Challenges & Threats
4. Cybercrime Capability Programme
5. Incident Planning & Response
6. Collaboration
Cybercrime – it’s our job
Police & Fire Reform (Scotland) Act 2012
• To prevent & detect crime
• To maintain order
• To protect life & property
• To take such lawful measures, and make such reports to the appropriate
prosecutor, as may be needed to bring offenders with all due speed to
justice
• Where required to serve and execute a warrant, citation or deliverance
issued, or process duly endorsed, by a Lord Commissioner of Justiciary,
sheriff, justice of the peace or stipendiary magistrate in relation to
criminal proceedings
and
• To attend court to give evidence
What is Cybercrime??????
So what are the challenges/threats?
• Global, international, industrial & automated
• Jurisdictional reach
• Increased criminal opportunities
• Anyone can be (or hire) a cyber criminal!
• Lack of clear & concise statistical data
• Underreporting
• Technological advances provide opportunities but do
increase the threat of cybercrime - The ‘Internet of Things’
• Social media as an attack vector
• Data Analytics
• Disaster Recovery & Business Continuity
Scenario 2 – Malware
Some Brief Examples… The Usual Suspects
Malware
Phishing
Ransomware
Hacker
Social Engineer
Operation Escalade
• Feezan Hameed
• £60 - £113 million Frauds
• Vishing / Social engineering of Banking
customers.
• Data acquired including account
details/passwords.
• Money transferred online – mule
account networks.
• UK wide investigation
• Numerous UK Law Enforcement
agencies.
• Arrested in Paris on false passport
• Convicted and sentenced to 11 years
imprisonment
Is this cybercrime?
Spread the social word but maybe not the
image!! - Sexting
Digital
Transformation:
• A key challenge for Police Scotland
• Pace of change will increase and
accelerate
– Empowering our staff to be agile and
innovative.
– Ensuring our staff are informed and
appropriately trained.
• How to win public and political
confidence – values endure
– Ethics, Proportionality, Transparency
Our ability to respond to technology determines
capabilities which determines effectiveness and
improves delivery and service!!
CyberCrime Capability Programme Vision
Our People are equipped with the knowledge
and capability and our infrastructure
designed to deliver an excellent service to all
our communities in support of digital,
technological and cyber advances.
What we will do ……
Digital
Knowledge
and Skills
Digital
Investigative,
Intelligence and
Analytical
Capacity and
Capability
Digital Safety
Prevention and
Resilience
Digital Forensic
Services
Enhanced Management
Information and Threat
Assessment to augment
effective decision making within
PSOS by providing an improved
intelligence and analytical
capability, current demand
analysis and opportunities to
exploit the criminal digital
footprint
Improved
safety/prevention/resilience
service to all Scottish
communities to support
victims and potential victims
of CyberCrime. PSOS will be a
Public Sector Cyber Catalyst in
proactively communicating the
Scottish Government Cyber
Resilience message
Digital and technological
investigative capability will
be enhanced by delivering a
workforce with the skills &
knowledge to ensure that
we are appropriately
equipped to provide
investigative services when
tackling any crime with a
digital, technological or
CyberCrime facet
Improved quality of digital
forensic services as a result
of investing in the capability
and capacity required to
keep pace with digital,
technological and
CyberCrime advances
The story so far….
• Forensic Telephony Extractions - Kiosks
• Data Exploitation - Nuix
• Integration - Digital Forensic Hubs
• Increase in specialist Cyber resources
• Established Cybercrime Safety,
Prevention & Resilience Unit
• Technical Surveillance for the
21st Century – TS21C
SBRC CYBER EXPERT
GROUP
TRUSTED
PARTNERS
SCOTTISH CRIME
CAMPUS CYBER HUB
NATIONAL
CYBER AWARDS
ETHICAL HACKING
COMMS SERVICES
ACCREDITING
PRACTITIONERS
8 MEMBERSHIP
GROUPS
ABERTAY UNIVERSITY
CYBER QUARTER
PUBLIC
AWARENESS
INITIATIVES
SCOTLAND’S
CYBER ECO SYSTEM
UK GOVERNMENT
CYBER STRATEGY
SCOTTISH GOVERNMENT CYBER
RESILIENCE STRATEGY
POLICE SCOTLAND STRATEGIC PLANS
SCOTTISH CYBER HUB
EDUCATION
PROSPERITY AND SAFETY
ENFORCEMENT
PREVENTION
UK GOV
(ENGLAND
& WALES)
& OTHER LEA
INDUSTRY
&
OTHER
SECTORS
SCOTTISH
GOV
COSLA
SOLAS
SG CYBER
LEADERS BOARD
SCOTTISH GOVERNMENT
CYBER RESILIENCE TEAM
SCOTTISH GOVT
RESILIENCE ROOM
SGoRR
SCOTTISH
ENTERPRISE
HIGHLANDS
AND ISLANDS
SKILLS DEVELOPMENT
SCOTLAND
HMICS
SKILLS
COMMITTEE
COMMS
COMMITTEE
RESEARCH &
INNOVATION
COMMITTEE
PUBLIC SECTOR
COMMITTEE
BUSINESS
COMMITTEE
(HMIC)
HER MAJESTY’S INSPECTORATE
OF CONSTABULARY
ACTION FRAUD CISP
NATIONAL CYBERCRIME UNIT
CITY OF
LONDON POLICE
NATIONAL BUSINESS
CRIME CENTRE
NATIONAL CYBER
SECURITY CENTRE (NCSC)
NATIONAL POLICE
CHIEF’S COUNCIL NPCC
FBI
UK ROCU’s
INVESTIGATIONS & PROTECT
POLICE
SCOTLAND
PS TRAINING,
LEARNING
& DEVELOPMENT
NATIONAL INTELLIGENCE
BUREAU
COVERT INTERNET
INVESTIGATIONS
MAJOR CRIME
DIGITAL MEDIA
INVESTIGATION
INTELLIGENCE SUPPORT,
DEVELOPMENT & ANALYTICS
PUBLIC PROTECTION
C3 ACR
LOCAL CRIME &
LOCAL POLICING
SAFER COMMUNITIES
PROTECT OFFICERS &
WEB CONSTABLES
OCCTU – TSU, SOU
CTSA, CT & PREVENT
POLICE SCOTLAND
NATIONAL CYBER
CRIME UNIT & FORENSICS
2026, DEPP, CAM &
TRANSFORMATION
PROJECTS
SCOTTISH SECURITY
INSTITUTE
ACADEMIA
NAPIER UNIVERSITY
SCOTTISH CENTRE
FOR POLICING RESEARCH
APPRENTICESHIPS
GRADUATE SKILLS
AND RECRUITMENT
GLASGOW
CALEDONIAN
UNIVERSITY COURSE
DEVELOPMENT
DEPT OF FORENSIC SCIENCE
DUNDEE UNIVERSITY
UNIVERSITY OF EDINBURGH
ABERTAY UNIVERSITY
SCOTTISH INFORMATICS AND
COMPUTER SCIENCE ALLIANCE
FINTECH &
FINANCIAL SERVICES
FSB
SIDI
TRADE ASSOCIATIONS
CYBER SECURITY
INDUSTRY
DEFENCE
OIL & GAS
SCOTLAND IS
3RD SECTOR
CYBER
INCIDENT
RESPONSE
EDUCATION
SCOTLAND
People /
Organisations
Functions/
Initiatives Committees Vision/Strategy
TRAINING
121 PUBLIC SECTOR
BODIES
SERVICE INDUSTRY
CivTech
SG INITIATIVE
HALO PROJECT
Thank you for listening
Any Questions?
Nicola.Burnett@scotland.pnn.police.uk
DigitalTechReview@scotland.pnn.police.uk
Ed Tucker
DP Governance
@Teddybreath
SUPERIOR BUSINESS INTELLIGENCE
DP Governance
Who are DPG?
Practitioners in Data protection
Who am I?
European CISO of the Year
Security Leader of the Year
UK IT Industry Security Professional of the Year
Former Head of Cyber for HMRC
And this is my happy face!
The Truth About Cyber
THE CURRENT LANDSCAPE
• Attacks are on an exponential rise
• Attackers are getting more and more sophisticated
• Nation States / APT
• Zero days galore
• It is a matter of WHEN not IF
SO HOW DOES IT FEEL?
BUT IS IT REALLY?
• 99.9% of attacks are not super sophisticated nation state zero day
mega attacks
• Most attacks are generic, not targeted
• Most attacks are avoidable, and easily defensible
• You don’t need to purchase next, next, next generation magic
beans!
SO WHAT IS THE TRUTH?
• Most organisations are really bad at the basics
• Most foundations are weak, leading to easy compromise
• Attackers, believe it or not, like the easy route. It is the path of
least resistance, the most cost effective, and hey it works!
• Because, most organisations are rubbish at the basics
WHAT DO I MEAN?
• Policies, written in the ivory tower, with no business or customer empathy,
that frankly nobody reads, let alone adheres to
• What does my network look like? Which one?
• Firewalls with so many rules there’s almost no point having them
• Completely flat architectures, putting data at risk
• Admins with internet access
• Unknown number of assets and people vs reality
• Once a year Security Awareness CBT nonsense
• Maybe some monitoring, maybe some of the right things, maybe some actual
logs. Doubt it though
• It’s an open door to an attacker! Of any kind!
SO WHAT’S THE ANSWER?
• Back to basics, the stuff you’ve been saying you’ve been doing for
years. Probably badly.
• It’s time to do things differently.
• Recognising that controls are only effective when business focused
and within business operation.
• Give yourself breathing space, start with external firewalls.
• Come down from the ivory tower and into the customer base.
• Encryption isn’t the only answer! And sometimes not a good one!
IT IS HARD THOUGH. IF IT WAS EASY WE’D ALL BE BETTER AT IT!
MOST OF ALL
• Don’t believe the hype of the industry!
• It is predicated on FEAR, because FEAR sells. FEAR = MONEY
• Basic security foundations
• It’s not all zero day and super sophisticated nonsense!
• It is basics! Basics done badly leaves gaping holes. I don’t need to be
super sophisticated to go through an open door.
• Stop chasing buzzwords, like AI, BigData, IoT, whatever!
NOW?
• Check the rules on your external firewalls.
• 80 / 443 / 25 / 53 / DONE!
• Find if your admins have internet access!
• Use things like GDPR to help you. TOMS anyone?
• Security is a business wide responsibility, starting with the board.
• Use your inevitable ‘Digital Transformation’.
• Most of all, be honest with yourselves!
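Added example (not part of the original slides): one way to run the two checks above against a firewall rule export, flagging inbound rules open to any source on ports outside 80 / 443 / 25 / 53 and any rule that gives the admin subnet direct internet egress. The CSV column layout, the rule names and the admin subnet 10.0.9.0/24 are assumptions constructed for this example.

```python
import csv
import io
import ipaddress

# Ports the slide treats as the whole external allowlist: HTTP, HTTPS, SMTP, DNS.
ALLOWED_INBOUND_PORTS = {80, 443, 25, 53}

# Assumption for this example: admin workstations live in this subnet.
ADMIN_NET = ipaddress.ip_network("10.0.9.0/24")

# Constructed sample export (not from a real device); the columns are hypothetical.
SAMPLE_RULES = """\
name,direction,action,src,dst,proto,ports
web-in,in,allow,any,203.0.113.10,tcp,80;443
mail-in,in,allow,any,203.0.113.25,tcp,25
dns-in,in,allow,any,203.0.113.53,udp,53
rdp-legacy,in,allow,any,203.0.113.40,tcp,3389
vendor-temp,in,allow,any,203.0.113.0/24,tcp,1024-65535
partner-ssh,in,allow,198.51.100.7,203.0.113.60,tcp,22
admin-out,out,allow,10.0.9.0/24,any,tcp,80;443
user-proxy-out,out,allow,10.0.20.5,any,tcp,443
old-deny,in,deny,any,any,any,any
"""


def parse_ports(spec):
    """Return the set of ports in 'spec', or None when the rule matches any port."""
    if spec.strip().lower() == "any":
        return None
    ports = set()
    for part in spec.split(";"):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def touches_admin_net(src):
    """True when the rule's source covers any address in the admin subnet."""
    if src == "any":
        return True
    return ipaddress.ip_network(src, strict=False).overlaps(ADMIN_NET)


def audit(rules_csv):
    """Return (rule name, reason) pairs for rules that break the two checks."""
    findings = []
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        if rule["action"] != "allow":
            continue  # deny rules cannot open anything
        ports = parse_ports(rule["ports"])
        if rule["direction"] == "in" and rule["src"] == "any":
            if ports is None:
                findings.append((rule["name"], "inbound from any on every port"))
                continue
            extra = ports - ALLOWED_INBOUND_PORTS
            if extra:
                findings.append((
                    rule["name"],
                    f"inbound from any on {len(extra)} port(s) outside "
                    f"80/443/25/53, lowest {min(extra)}",
                ))
        elif (rule["direction"] == "out" and rule["dst"] == "any"
              and touches_admin_net(rule["src"])):
            findings.append((rule["name"], "admin subnet has direct internet egress"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Rules limited to a named source, such as partner-ssh in the sample, are not flagged by this check and still need a separate review of whether the exception is current.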
THANK YOU
And sorry ☺
Lisa Forte
Red Goat Cyber Security
@redgoatcyber
SEEING WHAT
THE HACKERS
SEE
LISA FORTE
UK Counter Terrorism Intelligence Services
South West Police Cyber Crime Unit
Red Goat Cyber Security, Partner
Social Engineering Training
Cyber Attack Response Simulation
Social Engineering Pen Test
Enhanced Vulnerability Assessments
Penetration Testing
SOCIAL ENGINEERING VECTORS
Phishing
Vishing
Impersonation
Smishing
A £1.7m
mistake
4 Eyes
Facebook Access
Training
Have a plan
The USB Stick & the
whistle-blower
Cultural
Differences
& Social
Engineering
Lessons to Learn
Have a plan and test it
Review online information
Share Intelligence
Stop social media access on
work devices
Test your staff & security
Invest in good training
CONTACT US
Red-Goat.com @RedGoatCyber
info@red-goat.com
linkedin.com/in/lisa-forte/
Mark Menzies
Check Point
@checkpointsw
©2018 Check Point Software Technologies Ltd.
Mark Menzies | Security Engineer
BALANCING SECURITY AND
FUNCTIONALITY
[Internal Use] for Check Point employees​
Securing our digital world
2017
WannaCry
Thousands of enterprises in over 99 countries
NotPetya
Completely shutting down an entire country and
impacting over 60 more
WAS A CYBER-SECURITY
WAKE-UP CALL
THE GLOBAL RISKS REPORT 2018
WE ARE AT AN
INFLECTION POINT !
1990 2000 2010 2017
THREATS
Networks
Gen II
Applications
Gen III
Payload
Gen IV
Virus
Gen I
Mass
Gen V
ATTACKS VS PROTECTIONS
Gen I
Late 1980s –
PC attacks - standalone
Virus
Gen II
Mid 1990s –
Attacks from the internet
Networks
Gen III
Early 2000s -
Exploiting vulnerabilities
in applications
Applications
The Anti Virus
The Firewall
Intrusion
Prevention (IPS)
Gen IV
2010 -
Polymorphic Content
Payload
SandBoxing
and Anti-Bot
WHERE ARE WE?
1990 2000 2010 2015 2017
THREATS
PROTECTIONS
Networks
Gen II
Applications
Gen III
Payload
Gen IV
Virus
Gen I
Enterprises
are between
Gen 2-3
2.8
Mass
Gen V
2018 – GEN V OF ATTACKS
Large scale (across country and industry)
State-sponsored technologies
Multi-vector (network, cloud, mobile)
GEN IV PROTECTION IS NO
LONGER ENOUGH!
Gen IV
PAYLOAD
SandBoxing
and Anti-Bot
2010 -
Polymorphic Content
WE NEED PREVENTION (NOT-JUST DETECTION)
COVERING NEW ENTRY POINTS – CLOUD, MOBILE
REAL-TIME ACTION
SAAS SECURITY
ADAPTIVE
CLOUD
SECURITY
MOBILE APP
SCANNING
SDN MICRO-SEGMENTATION
CLOUD
SECURITY
AUTO-SCALE
ORCHESTRATION
ACCOUNT
TAKEOVER
PREVENTION
HYPERVISOR
LEVEL SECURITY
PUBLIC-CLOUD
AUTOPROVISION
MOBILE CODE
ANALYSIS
MOBILE AI AND
MACHINE
LEARNING
DISK
ENCRYPTION
MEDIA
ENCRYPTION
MOBILE SMS
PHISHING
MOBILE MAN
IN THE MIDDLE
ATTACK
BLUETOOTH
ATTACK
DETECTION
SS7 ATTACK
PREVENTION
ADVANCED
JAILBREAK
PROTECTION
MEMORY
ANALYSIS
THREAT
EXTRACTION
HUMAN
INTERACTION
SIMULATION
INTRUSION
PREVENTION
DOMAIN
PREDICTION
MACHINE
LEARNING
ANTI-
RANSOMWARE
CPU LEVEL
SANDBOX
ENDPOINT
FORENSICS
CAMPAIGN
HUNTING
IMAGE FILE
SANITIZER
ENDPOINT
EXPLOITATION
DETECTION
FLASH
EMULATION
INTRUSION
PREVENTION
DOMAIN
PREDICTION
DECOYS &
TRAPS
ANTI-
RANSOMWARE
CPU LEVEL
SANDBOX
CPU EXPLOIT
DETECTOR
MACRO
ANALYSIS
OS-LEVEL
SANDBOX
DROPPED FILES
EMULATION
TRANSPARENT
HTTPS
INSPECTION
STATIC
ANALYZER
LOW LATENCY
FIREWALL
INTEGRATED
PACKET
CAPTURE
SCALABLE
IDENTITY
ACCESS
VIRTUAL
SYSTEMS (VSX)
MULTICORE
VPN
SECURE-XL
SSL INSPECTION
NATIONWIDE
PROTECTION
VERTICAL
SCALING
ZONE-BASED
SECURITY
CONTENT
AWARENESS
NETWORK
ENCRYPTION
ICS/SCADA
PROTECTION
APPLICATION
CONTROL
USER-CHECK
URL FILTERING
HTTP 2.0
DLP
ICS/SCADA
PROTECTION
LARGE SCALE
MANAGEMENT
REST APIS
SECURITY
ADVISOR
SECURITY
MANAGEMENT
PORTAL
EVENT
CORRELATION
“It will never happen to me”
“It takes me 6 months to implement each technology. 20 technologies – will get me to 2025”
“That’s really complicated”
“No way to stop attacks.”
SO WHY ARE WE STILL GEN 2.8 PROTECTION?
LOOKS IMPOSSIBLE?
MIRACLES TAKE A LITTLE LONGER.
(Various..)
THE IMPOSSIBLE WE
DO IMMEDIATELY
TO PROTECT AGAINST MEGA ATTACKS WE
NEED A NEW GENERATION OF PROTECTION
WHAT COMPONENTS DO WE NEED?
MAKING GEN V POSSIBLE
SS7 ATTACK
PREVENTION
LARGE SCALE
MANAGEMENT
MOBILE MAN
IN THE
MIDDLE
ATTACK
MEMORY
ANALYSIS
PUBLIC-CLOUD
AUTOPROVISION
THREAT
EXTRACTION
NETWORK
ENCRYPTION
REST APIs ORCHESTRATION
CPU LEVEL
SANDBOX
ADAPTIVE
CLOUD
SECURITY
CLOUD
SECURITY
AUTO-SCALE
THE CYBER SECURITY ARCHITECTURE OF THE FUTURE
INFINITY IS BUILT ON 3 LINES OF
DEFENSE
PREVENTION
Real prevention capabilities
of unknown threats
1
CONTAINMENT
Isolate infected machines
immediately
2
ANALYSIS
Understand business
impact
3
ONGOING UPON DETECTION
BEHAVIORAL ANALYSIS
Constantly monitor for ransomware
specific behaviors
DATA SNAPSHOTS
Continuously create short-term file
backups
QUARANTINE
Stop and quarantine all
elements of the attack
RESTORE
Restore encrypted files
from snapshots
ANALYZE
Initiate forensic analysis to
analyze attack details
RANSOMWARE PROTECTION IS ON
PREVENT RANSOMWARE
Is this attack Real?
What events occurred?
1
What was the
business impact
2
What were the actions
taken to remediate?
3
Show me the attack
flow
4
UNDERSTAND INCIDENTS
TO SUMMARIZE…
WE ARE AT AN
INFLECTION POINT !
1990 2000 2010 2017
THREATS
Networks
Gen II
Applications
Gen III
Payload
Gen IV
Virus
Gen I
Mass
Gen V
PROTECTIONS
THANK YOU
Questions & Discussion
Refreshments & Networking
Check rear of badges for
breakout allocation
Welcome Back to
Scot-Secure18
Maggie De Jager & Kate Goldman
easyJet & KBG Solutions
@easyjet
Your Cybersecurity
Strategy Needs
Work
Success in the digital era is
dependent on an organisation’s
ability to simultaneously create
and protect competitive advantage.
Your cybersecurity strategy
needs to be:
- holistic across this new ecosystem
- integrated with business strategy
- culturally-relevant
- agile
1. Companies are leaving value on the
table as well as putting operations at
risk by treating cybersecurity as an
add on, as opposed to a central tenet
and integrating at every level.
2. Competitive advantage comes from the
unique layering of your business
strategy with Cyber Security,
underpinned by IT Best practice, a
primed culture, and operational
efficiency.
The breadth and depth of the
challenge calls for leaders in
Cyber, in IT overall, who can
operate as master change agents.
They will need to drive the creation
of a cohesive set of new business-
relevant capabilities. Cyber is the
nervous system running through all
of it.
1. Correct Assessment of the
Threat Environment
Knowing and surveying your unique
place in the continually evolving
allows you to adapt, change, and
react at speed.
2. Full Visibility of the
Digital Ecosystem
True digital situation awareness
is becoming more achievable with:
• Internal Cybersecurity
approaches using the newer ‘next
generation’ technologies
• E2e visibility across your value
chain
3. Converge IT/Business/Cyber
Strategy
The convergence of the Business,
Digital, and Cyber Strategy requires
all business functions working
together in new ways. A continual
and agile approach to strategy and
business planning, that is
integrated and holistic.
4. Engagement and Partnering
Capability
Cybersecurity can no longer be the
concern of IT; it needs to be
everyone’s business. Connecting
with, working in, and developing
trusted relationships across your
organisational ecosystem is
critical.
5. Team Culture Primed for
Change
Culture eats strategy for
breakfast… even your cybersecurity
strategy.
Harness culture for change, for
security, and for growth.
Additional
Questions
– How well do you include cybersecurity planning in your overall
organizational strategic planning process?
– How well do you ensure alignment between your cybersecurity planning
and your organization’s overall strategic planning?
– How does your strategy development process stimulate and incorporate
innovation in cybersecurity policies and operations?
– How well and often do you collect and analyze relevant data and develop
information on cybersecurity for your strategic planning process?
– How do you decide which key cybersecurity processes will be accomplished
by your workforce and which by external suppliers and partners?
– What are your organization’s key cybersecurity-related strategic objectives
and timetable for achieving them?
– How do your organization’s key cybersecurity-related strategic objectives
align with your organization’s overall strategic objectives?
– How well do your strategic objectives achieve appropriate balance among
varying and potentially competing cybersecurity needs, customer and
stakeholder requirements, and business objectives?
Information Security Champions
Maggie de Jager – Information Security GRC
Agenda
> About me
> About easyJet
> Challenges for information security
> So how did we do it?
> Success factors
> Closing
About me
> Background in Internal Audit and Risk Management
> Specialising in Information Security since 2013
> Currently at easyJet in the Information Security Governance, Risk and Compliance team
@magsdj
About easyJet
Vision:
to be Europe’s leading short-haul airline,
making travel easy and affordable for both
leisure and business travellers.
Our Network
140 airports in 35 countries
890 routes operated
81 million customers
Our fleet
285 aircraft
A319
A320
A321 Coming soon
Our people
>over 12 000 people
Information Security for all functions
> Training and awareness requirements:
▪ Training tailored to job function
▪ Delivery method relevant to job function
▪ Timing – all at the same time? In phases?
▪ Employee stakeholder requirements (workers councils, unions)
> Understanding the business
▪ What does each function need from InfoSec?
▪ Unique requirements? Communication, sharing data with partners
▪ Where are the risks?
> Challenges
▪ Diverse workforce
▪ Diverse working patterns & schedules
▪ Diverse employee contracts
▪ Third party partners – Ground operations, Call centres
▪ Regulatory obligations
So how did we do it?
> Representative in each team / function who acts as an InfoSec Champion
> Our Champion to the business
▪ encouraging training
▪ contact person for queries
▪ Help with our communication strategy
> Business team’s Champion to InfoSec
▪ Come with questions
▪ Identify new requirements where InfoSec can help
▪ Reporting problems / incidents
Success factors (1)
> Identify key stakeholders, and get their buy in first
> AMB was asked to nominate champions
> Clear charter / roles and responsibilities for champions – what’s in it for you?
> Monthly meetings, structured format
> Use of technology to include geographically diverse Champions
> Resource website for Champions to use including FAQ’s, example goals for performance management; hints &
tips; contact details
Success factors (2)
> Measuring success:
▪ Successful projects e.g. annual awareness drive; November InfoSafe month; GDPR; Personal drive clean up
▪ KPIs for InfoSec team
▪ 2 way communication with champions – we continually ask how to improve the programme and implement their ideas
▪ InfoSec attending business team meetings and stand-ups
> Plans for the future:
▪ More champions!
▪ Additional training and opportunities for Champions
▪ Champions to help deliver new technology projects
Summary
> In a complex environment, a traditional approach is doomed to fail
> Engage the right stakeholders from the start
> Don’t just transfer work; make it worth it for the Champions
> This is our approach – but will it work for you?
Christian Toon
Pinsent Masons
@christiantoon
Creating and implementing
an information
security strategy blueprint
Creating and implementing a
disruptive and innovative
security strategy blueprint
The views and opinions expressed in this presentation and on the following slides are solely
those of the presenter and do not contain nuts. Do try this at home. Do not operate heavy
machinery within 200m of this talk. Please direct all complaints and legal queries to:
Donald Trump, The White House, 1600 Pennsylvania Avenue NW, Washington DC 20500, United States
of America
CULTURE
Chapter heading goes here
The other ‘F’ word
The other ‘C’ word
Culture
WTF
Aware
Understand
Adopt
Commit
Team
Technology
Review presentation
performance
indicators
Jordan Schroeder
UCSS
@tisinourselves
INEFFECTIVE COMMUNICATION
WHY THE ORGANISATION DOESN’T CARE
JORDAN M. SCHROEDER, CISSP, CISM
UCSS CIO & CISO
SCOT-SECURE
MARCH 2018
WHY DOESN’T THE
ORGANISATION CARE?
I saw opportunity
He saw liability
HOW DO WE RESPOND?
•Judgmental
•Dismissive
•“They just don’t get it”
THE ORGANISATION CARES ABOUT
OTHER THINGS
1. CLOSELY ALIGN THE RISK TO WHAT
THEY CARE ABOUT
Business goals
Personal goals
Personal risk
2. DROP “YOU SHOULD”
INSPIRE “I SHOULD”
3. GIVE THEM DATA IN LINE WITH THEIR
GOALS
THE MAGIC MOMENT
NOT “YOU SHOULD” IN GRAPH FORM
METRICS
•Risk-owner-driven
•Offer a menu
•Trends and relevance to goal impacts
•Must trigger decisions and action
ACTION ITEMS
1.Add 1 business leadership source to your news feed
2.Take a manager out for coffee
3.Drop “should” from your vocabulary
4.Start a Risk Metrics menu
JORDAN M. SCHROEDER, CISSP, CISM
•Managing CISO, UCSS
•Security.StackExchange.com
Moderator
•Author of Advanced
Persistent Training
Closing Panel
Christian Toon Kate Goldman
Maggie De Jager Jordan Schroeder
Questions & Discussion
Drinks & Networking
Sponsored by
&
A SOC for the
rest of us
(10 years of hard lessons)
My background
The unforgivable event
Defensible Position
“…am I safe now?”
“Having a SOC is not the end
of the battle…
…it’s the beginning of
fighting back”
The Force (multipliers)
New philosophies
Thanks!
1
FOO BAR EVENT
SERGIO & DAVE
OUR SERVICES
• Security Assessments
• Security Policy Review
• Footprinting
• Social Engineering
• Training and Awareness
• Tabletop exercises
Ethical Hacking
• BSc Ethical Hacking
• Abertay University
• Established 2006
• “It takes a thief to catch a thief”
WHAT MAKES A HACKER?
Curiosity
THERE WAS A CARD THAT YOU FILLED IN WITH YOUR ADDRESS, AND THE
COMPANY WOULD MAIL YOU SOME ANTS. MY FRIEND EXPRESSED
SURPRISE THAT YOU COULD GET ANTS SENT TO YOU IN THE MAIL.
I REPLIED: “WHAT’S REALLY INTERESTING IS THAT THESE PEOPLE WILL
SEND A TUBE OF LIVE ANTS TO ANYONE YOU TELL THEM TO.”
Bruce Schneier
STRATEGY
GAMES
If this, then what?
WHAT DO
YOU SEE?
WHAT DOES
A HACKER
SEE?
YOU HAVE TO PEN-TEST MY ENVIRONMENT ONLY THROUGH THE FIREWALL,
DON’T SPEAR-PHISH MY STAFF, AND ONLY TARGET THIS SPECIFIC IP
ADDRESS. YOU MUST BREAK IN UNDER 30 MINUTES, WHILE STANDING ON A
DONKEY, WITH YOUR DOMINANT HAND TIED BEHIND YOUR BACK.
Johnny Appleseed
COMPLIANCE ≠ SECURITY
It’s just the beginning
EXPLOITING TRUST - SOFTWARE
• Where is the communication?
• NotPetya - Software update targeted
• Target - HVAC System targeted
EXPLOITING TRUST - HUMAN
• People share WAY too much
• Sometimes it’s too easy, people circumvent the rules
• What hasn’t been done?
• Tenders, job adverts etc
• Trust but verify
SHODAN
It’s as easy as 123….
NOT JUST FOR THE BASICS
Petrol tanks exposed
NOT JUST FOR THE BASICS
FTP with no password
BLACK HAT REPORT - 2017
• 81% of hackers could identify and exfiltrate data in less than 12 hours
• 75% of the time organisations only focus on critical and high vulnerabilities after a pen test
• 64% of hackers frustrated that organisations don’t fix the things they knew were broken
• 84% of hackers used social engineering as part of their attack strategy
THE EASY
• Google research showed 48% plugged in
• First one took 6 minutes
• 68% wanted to return the USB to the rightful owner
• Some of them just wanted a new USB stick
WI-FI
A second front door?
Who are Sapphire
GDPR
Insider Threat
Risk Management
Forensic Readiness
ISO27001 Fundamentals
ISO27001 Internal Auditors
Cyber Security for Executives
Cyber Security Fundamentals
Business Continuity Planning Exercises
Business Continuity Planning Fundamentals
Certified Information Security Managers (CISM)
Certified in Risk & Information Systems Controls (CRISC)
Digital Forensic Readiness Planning
Proactive planning for a digital investigation of admissible
evidence; related monitoring processes, collection processes
and capabilities; storage requirements and costs.
Digital Forensic Readiness Planning
The goal of computer forensics Investigation and Examination is to
examine digital media in a forensically sound manner with the aim of
identifying, preserving, recovering, analysing and presenting facts and
opinions about the digital information
Digital Forensic Investigation and Examination
Digital Forensic Readiness Planning
Evan Dooley Nick Leeson John Rusnack
History
Following some of the major financial scandals of the late 1990s and
early 2000s, new strands of legislation and regulation impose on
businesses the requirement to produce and preserve a wide variety of
business records.
Digital Forensic Readiness Planning
Security Breaches
Data Breaches
Digital Forensic Readiness
Business Continuity
Disaster Recovery
IT Resilience
Incident Management
Forensic Readiness
Digital Forensic Readiness Planning
Corporate good practice
Digital Forensic Readiness Planning
Useful documentation:
Investigation of major incident
Defence against lawsuits
Evidence to resolve a commercial dispute
Deterrent to insider threat attacks
Digital Forensic Readiness Planning
Example of Benefits:
Prove violation of a Corporate Policy
Demonstrate regulatory requirements have been met
Reduce the time and costs of an investigation
Demonstrates corporate governance of information assets
Objectives:
1. To gather admissible evidence legally
2. To gather evidence targeting the potential crimes and disputes that may adversely impact on the organisation.
3. To allow investigations to proceed at a cost in proportion to the incident
4. To minimise interruption to the business from any investigations
5. To ensure that the evidence makes a positive impact on the outcome of any legal actions
Digital Forensic Readiness Planning
Digital Forensic Readiness Planning
10 STEPS
Scenario Driven
Identify Sources
Collection Requirements
Legally Admissible
Forensic Readiness Policy
Documenting Case
Legal Review
Monitoring
Escalation Process
Staff Training
Step 1: Define the Business Scenarios that require Digital Evidence
• Threats and extortion
• Information compromise
• Accidents and negligence
• Stalking and harassment
• Commercial disputes
• Intellectual Property rights infringement
• Economic crime
• Email, internet or social media abuse
• Employee disciplinary issues
• Contractual disputes
• Unauthorized access by employees
• Malware
• Hacking
• Theft of computer resources
• Failure of computer systems
• Privacy invasion and identity theft
Digital Forensic Readiness - Examples
Identify
Sources
Scenari
o
Driven
Step 1: Define the Business Scenarios that require Digital Evidence
Digital Forensic Readiness - Examples
• Threats and extortion
• Information compromise
• Accidents and negligence
• Stalking and harassment
• Commercial disputes
• Intellectual Property rights infringement
• Economic crime
• Email, internet or social media abuse
• Employee disciplinary issues
• Contractual disputes
• Unauthorized access by employees
• Malware
• Hacking
• Theft of computer resources
• Failure of computer systems
• Privacy invasion and identity theft
Business Scenarios / Threats / What do they want:
• Money
• Information
• Disruption
• Fun
• Competitive advantage
• Revenge
• Discredit the brand
Risk Assessment
Digital Forensic Readiness Planning
Step 2: Identify available sources and different types of potential evidence
• Email, instant messaging, web-based email, chat rooms, newsgroups, social media etc.
• System and management files
• Equipment such as routers, firewalls, servers and workstations.
• Monitoring software such as intrusion detection software, packet sniffers, keyboard loggers
• CCTV, door access records, phone logs
• General logs such as access logs, printer logs, web traffic, internal network logs, internet traffic,
database transactions, commercial transactions etc.
• Portable devices
• Application software
• Back-ups and archives.
Technology Challenges
• BYOD (PCs, phones, tablets etc.)
• Social Media
• CCTV
• VOIP
• Cloud
• IOT
Digital Forensic Readiness
Step 3: Determine the evidence collection requirement
• Where is data generated?
• What format is it in?
• How long is it stored for?
• How is it currently controlled, secured and managed?
• Who has access to the data?
• How much is produced?
• Is it archived? If so where and for how long?
• How much is reviewed?
• What additional evidence sources could be enabled?
• Who is responsible for this data?
• Who is the formal owner of the data?
• How could it be made available to an investigation?
• What business processes does it relate to?
• Does it contain personal information?
[Diagram: Scenarios; Available sources; Evidence Collection Requirement; Cost Benefits Analysis]
Digital Forensic Readiness
Step 4: Establish a capability for securely gathering legally admissible evidence to meet the requirement
[Diagram: Possible Evidence (Email, Log Files, Social media; Business, Personal); Evidence being gathered; STOP; Legal Advice]
• Monitoring should be targeted at specific problems
• It should only be gathered for defined purposes and nothing more
• Staff should be told what monitoring is happening except in exceptional circumstances.
Legislation
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Digital Forensic Readiness
Lawful Business Practice Regulation
Lawful Business Practice Regulations are designed to meet the legitimate needs of businesses to manage their information systems, making use of the capabilities of modern communications technology, but in a way that is consistent with high standards of privacy.
Please Note: These are not exemptions from the Data Protection Act.
Digital Forensic Readiness
Article 8: Right to Respect for Private and Family Life
Everyone has the right to respect for their private and family life, their home and their correspondence.
Digital Forensic Readiness
Step 5: Establish a Forensic Readiness Policy including the secure storage and handling of potential evidence
Policy Structure
• Senior Management Commitment
• Standards & legislation to comply with (e.g. ISO 27037:2012 Guidelines for identification, collection,
acquisition, and preservation of digital evidence)
• Process for instigating an investigation
• Who can conduct investigations (competence levels)
• Resources required
• Examination locations
• Evidence Storage
• Equipment and software tools required
• Use of external resources
• Requirements for building evidence based cases
• Training and Development
Digital Forensic Readiness
Step 6: Ensure monitoring is targeted to detect and deter major incidents
Step 7: Specify circumstances when escalation to a full investigation should be launched
Step 8: Train staff in incident awareness and understanding of their role in the evidence processes and the legal aspects of evidence
Step 9: Document an evidence-based case describing the incident and the impacts.
WHO, WHAT, WHY, WHEN, WHERE AND HOW
Step 10: Ensure legal review to facilitate action in response to the incident.
Digital Forensic Readiness
Legal Review
At key times during the collating of the digital forensics it is good practice to review the case from a legal standpoint to advise
on the strength of the case and suggest whether additional measures should be taken.
Legal Advisors should be trained and experienced in the appropriate cyber laws and evidence admissibility.
Advice may include:
• Any liabilities from the incident and how they can be managed
• Findings and prosecuting/punishing of culprits
• Legal and regulatory constraints on what can be taken
• Reputation protection and PR issues
• When/if to advise partners, customers and investors
• How to deal with employees
• Resolving commercial disputes
Key Points
Digital Forensic Readiness
• Forensic Readiness is an organisation's ability to use digital evidence when required
• Its aim is to maximise an organisation’s ability to gather and use digital evidence whilst minimising the costs of related investigations.
• Forensic Readiness is an integral part of Information Security
• Forensic Readiness should be part of an information security risk assessment
• It is closely related to Incident Response and Business Continuity
• Requires the secure preservation of evidence, with continuity of evidence maintained.
• Links to security monitoring to detect and deter issues that may have a major business impact
• Forensic Readiness should be part of an organisation's security training programme.
• Develop and implement a Forensic Readiness Policy
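The "secure preservation and continuity of evidence" point above can be made concrete with a hash-chained custody log; this Python sketch is an added example, not material from the talk. The class, field names, item ID and sample bytes are constructed for illustration, and it assumes the log's head hash is kept somewhere separate from the log itself (for example write-once storage).

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash every field except entry_hash, using canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


class CustodyLog:
    """Append-only custody record: who, what, why, when, where for each handling."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, actor, when, where, content, why=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "item_id": item_id,
            "action": action,
            "actor": actor,
            "when": when,
            "where": where,
            "why": why,
            "content_sha256": sha256_hex(content),  # evidence hash at this step
            "prev_hash": prev,                       # links to the previous entry
        }
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def head(self):
        """Hash of the latest entry; store it outside the log."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def verify(self, current_items, trusted_head=None):
        """Return a list of problems; an empty list means continuity holds."""
        problems = []
        prev = GENESIS
        acquired = {}  # item_id -> hash recorded when first logged
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                problems.append(f"entry {i}: chain broken")
            if entry_digest(e) != e["entry_hash"]:
                problems.append(f"entry {i}: record altered")
            first = acquired.setdefault(e["item_id"], e["content_sha256"])
            if e["content_sha256"] != first:
                problems.append(f"entry {i}: {e['item_id']} changed while in custody")
            prev = e["entry_hash"]
        # A fully rewritten log is internally consistent; only the external head catches it.
        if trusted_head is not None and prev != trusted_head:
            problems.append("log head does not match the separately stored head")
        for item_id, first in acquired.items():
            data = current_items.get(item_id)
            if data is None:
                problems.append(f"{item_id}: evidence missing")
            elif sha256_hex(data) != first:
                problems.append(f"{item_id}: content no longer matches acquisition hash")
        return problems


def demo():
    # Constructed sample: one exported log file handled by two people.
    image = b"constructed sample: exported firewall log"
    log = CustodyLog()
    log.record("EV-001", "acquired", "analyst.a", "2018-01-01T09:00:00Z",
               "server room", image, why="suspected unauthorised access")
    log.record("EV-001", "transferred", "analyst.b", "2018-01-01T11:30:00Z",
               "evidence store", image, why="secure storage")
    head = log.head()
    return {
        "intact": log.verify({"EV-001": image}, head),
        "modified_file": log.verify({"EV-001": image + b" edited"}, head),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```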
Digital Forensic Readiness
Alan Moffat
Alan.Moffat@sapphire.net
www.sapphire.net
Teamwork Through Technology
Building bridges between operations and security
A few questions before we begin…
Think about who would have this answer
How many endpoints are on your network right now?
Where do you get this information?
What applications are installed on those endpoints right now?
How old is this answer?
Are they all patched and updated right now?
How do you know what to patch?
Who is on your network right now?
How are their permissions decided and enforced?
What are they doing right now?
What were they doing yesterday?
©2017 Tanium. All rights reserved. 214
What The Industry Designed For
What Organizations Are Actually Facing
12–20% of Endpoints Are Unmanaged (1)
60% of Endpoints Are Missing 6+ Critical Patches (1)
99 Days to Detect a Security Incident (3)
Only 50% of Security Alerts Investigated (2)
1) Avg. results from Tanium Security Hygiene assessments
2) Cisco Cybersecurity Report 2017
3) Mandiant M-Trends 2017
The Result: Endpoint Basics Are Difficult
The WannaCry Ransomware Attack Highlights The Problem
150 Countries
10K Organizations
Prevention: 1 Windows Patch
And then there was Petya…
Why Do Organizations Struggle With These Issues?
Teams are held back by limited endpoint tools
Incomplete Visibility: Unknown devices. Incomplete endpoint data. Out-of-date databases.
Limited Control: Low confidence in ability to remediate failures or to fully remediate security incidents.
Slow to Use: Response time in hours, days, or weeks. High network load.
Sources of truth (and consolidated endpoint data)
SIEM / CMDB
Security relies on the SIEM...and Operations relies on the CMDB
SIEM
SIEM data sources
● “Critical” system logs
○ Domain controllers
○ Database and application servers
○ Key user workstations
● Network device logs
○ Firewalls
○ DNS
○ Proxies
● Security tools
○ Network IDS / IPS
○ Anti-malware
○ EDR / EPP
SIEM
Common challenges
● Gaps in coverage
○ Types of systems
○ “Event” vs. stateful data
● Data quality
○ Fire-hose of events
○ Correlation is expensive & hard
● Hijacked by other stakeholders
○ “IT Audit said we had to log all Deny
events at our perimeter firewalls”
○ “We can’t ingest any more events…”
CMDB
CMDB / asset inventory data sources
● Directory services
○ Active Directory
○ LDAP
○ IAM tools
● Systems management tools
○ SCOM, SCCM
● CMDB discovery tools
● Vulnerability discovery tools
CMDB
Common challenges
● Gaps in endpoint coverage
○ Operating system
○ Device / system type
● Data quality
○ Infrequent data collection
○ Incomplete data collection
○ Redundant or improperly grouped
assets
● Siloed to specific stakeholders
○ Often disconnected from SOC &
CIRT operations
The weekend after WannaCry...
“We don’t know which systems have SMB1 disabled.”
“We can only confirm that 60% of our Windows servers have been patched.”
“Our last vulnerability scan reported 15% more Windows systems than what’s under management by SCCM.”
“We don’t know which systems have been rebooted.”
“We found 12 weeks was where most organizations had completed their patch process ‘on time’ may be seven days for [critical] findings,”
Verizon DBIR 2017
The lack of a comprehensive and constantly-updated
source-of-truth for endpoint information is a
foundational source of confusion and conflict,
hindering our ability to perform any* essential security
or operations function.
*vulnerability identification, patching, malware prevention, detection and response, software
deployments, infrastructure changes and much more
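The gap between sources of truth described above (a vulnerability scan seeing more Windows systems than SCCM manages, endpoints missing from the SIEM) can be measured by reconciling the inventories; this Python sketch is an added example, not Tanium's tooling or anything from the talk. The host names, the `corp.example` domain and the three input lists are constructed; real exports would come from the management tool, the scanner and the SIEM's log-source list.

```python
import ipaddress


def normalize(name: str) -> str:
    """Reduce DOMAIN\\HOST$, FQDN and mixed-case forms to one short host key."""
    name = name.strip().lower().rstrip(".")
    if "\\" in name:                      # CORP\WS-002 style from directory exports
        name = name.rsplit("\\", 1)[1]
    name = name.rstrip("$")               # machine-account suffix
    try:
        ipaddress.ip_address(name)        # keep bare IP addresses whole
        return name
    except ValueError:
        return name.split(".", 1)[0]      # FQDN -> short hostname


def reconcile(managed_raw, scanned_raw, logging_raw):
    """Compare management, scan and SIEM inventories after normalisation."""
    managed = {normalize(n) for n in managed_raw if n.strip()}
    scanned = {normalize(n) for n in scanned_raw if n.strip()}
    logging = {normalize(n) for n in logging_raw if n.strip()}
    known = managed | scanned
    unmanaged = scanned - managed         # on the network, not under management
    stale = managed - scanned             # in the inventory, not seen by the scan
    return {
        "managed": len(managed),
        "scanned": len(scanned),
        "unmanaged": unmanaged,
        "stale": stale,
        "not_logging": known - logging,   # no events reaching the SIEM
        # "scan reported N% more systems than are under management"
        "excess_pct": 100 * (len(scanned) - len(managed)) / len(managed),
        # share of all known endpoints that are unmanaged
        "unmanaged_pct": 100 * len(unmanaged) / len(known),
    }


# Constructed sample inventories, each in a different naming style.
MANAGED = [f"CORP\\WS-{i:03d}" if i % 2 == 0 else f"ws-{i:03d}.corp.example"
           for i in range(1, 21)]
SCANNED = [f"WS-{i:03d}" for i in range(1, 20)] + [
    "printer-7",
    "lab-pc-1.corp.example.",
    "10.0.5.23",      # IP-only result: resolve via DNS/DHCP before judging it
    "KIOSK-2",
]
LOGGING = [f"ws-{i:03d}.corp.example" for i in range(1, 11)]


if __name__ == "__main__":
    r = reconcile(MANAGED, SCANNED, LOGGING)
    print(f"managed={r['managed']} scanned={r['scanned']} "
          f"excess={r['excess_pct']:.1f}% unmanaged={r['unmanaged_pct']:.1f}%")
    print("unmanaged:", sorted(r["unmanaged"]))
    print("stale:", sorted(r["stale"]))
    print("not logging to SIEM:", len(r["not_logging"]))
```

Without the normalisation step the three lists share almost no literal strings, so a naive set difference would report nearly every host as both unmanaged and stale.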
Why is Operations so hard right now?
Why is Security so hard right now?
Questions?
tyler.oliver@tanium.com @oliverit

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Kürzlich hochgeladen (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Scot Secure 2018

  • 3. Det Supt Nicola Burnett Police Scotland @digitfyi #scotsecure
  • 4. DSU Nicola Burnett Specialist Crime Division Scot-Secure 2018.
  • 5. Agenda 1. Police Scotland's role 2. A more resilient Scotland 3. Challenges & Threats 4. Cybercrime Capability Programme 5. Incident Planning & Response 6. Collaboration
  • 6. Cybercrime – it’s our job Police & Fire Reform (Scotland) Act 2012 • To prevent & detect crime • To maintain order • To protect life & property • To take such lawful measures, and make such reports to the appropriate prosecutor, as may be needed to bring offenders with all due speed to justice • Where required to serve and execute a warrant, citation or deliverance issued, or process duly endorsed, by a Lord Commissioner of Justiciary, sheriff, justice of the peace or stipendiary magistrate in relation to criminal proceedings and • To attend court to give evidence
  • 9. So what are the challenges/threats? • Global, international, industrial & automated • Jurisdictional reach • Increased criminal opportunities • Anyone can be (or hire) a cyber criminal! • Lack of clear & concise statistical data • Underreporting • Technological advances provide opportunities but do increase the threat of cybercrime - The ‘Internet of Things’ • Social media as an attack vector • Data Analytics • Disaster Recovery & Business Continuity
  • 10. Scenario 2 – Malware Some Brief Examples… The Usual Suspects • Malware • Phishing • Ransomware • Hacker • Social Engineer
  • 13. • Feezan Hameed • £60 - £113 million Frauds • Vishing / Social engineering of Banking customers. • Data acquired including account details/passwords. • Money transferred online – mule account networks. • UK wide investigation • Numerous UK Law Enforcement agencies. • Arrested in Paris on false passport • Convicted and sentenced to 11 years imprisonment
  • 19. Spread the social word but maybe not the image!! - Sexting
  • 21. Digital Transformation: • A key challenge for Police Scotland • Pace of change will increase and accelerate – Empowering our staff to be agile and innovative. – Ensuring our staff are informed and appropriately trained. • How to win public and political confidence – values endure – Ethics, Proportionality, Transparency Our ability to respond to technology determines capabilities which determines effectiveness and improves delivery and service!!
  • 22. CyberCrime Capability Programme Vision: Our People are equipped with the knowledge and capability and our infrastructure designed to deliver an excellent service to all our communities in support of digital, technological and cyber advances.
  • 23. What we will do …… • Digital Knowledge and Skills • Digital Investigative, Intelligence and Analytical Capacity and Capability • Digital Safety Prevention and Resilience • Digital Forensic Services • Enhanced Management Information and Threat Assessment to augment effective decision making within PSOS by providing an improved intelligence and analytical capability, current demand analysis and opportunities to exploit the criminal digital footprint. • Improved safety/prevention/resilience service to all Scottish communities to support victims and potential victims of CyberCrime. PSOS will be a Public Sector Cyber Catalyst in proactively communicating the Scottish Government Cyber Resilience message. • Digital and technological investigative capability will be enhanced by delivering a workforce with the skills & knowledge to ensure that we are appropriately equipped to provide investigative services when tackling any crime with a digital, technological or CyberCrime facet. • Improved quality of digital forensic services as a result of investing in the capability and capacity required to keep pace with digital, technological and CyberCrime advances.
  • 24. The story so far…. • Forensic Telephony Extractions - Kiosks • Data Exploitation - Nuix • Integration - Digital Forensic Hubs • Increase in specialist Cyber resources • Established Cybercrime Safety, Prevention & Resilience Unit • Technical Surveillance for the 21st Century – TS21C
  • 25. [Diagram: SCOTLAND’S CYBER ECO SYSTEM. Legend: People / Organisations, Functions / Initiatives, Committees, Vision / Strategy. Section labels: EDUCATION, PROSPERITY AND SAFETY, ENFORCEMENT, PREVENTION.]
  • 26. Thank you for listening Any Questions? Nicola.Burnett@scotland.pnn.police.uk DigitalTechReview@scotland.pnn.police.uk
  • 29. Who are DPG? Practitioners in Data protection
  • 30. Who am I? • European CISO of the Year • Security Leader of the Year • UK IT Industry Security Professional of the Year • Former Head of Cyber for HMRC
  • 31. And this is my happy face!
  • 33. THE CURRENT LANDSCAPE • Attacks are on an exponential rise • Attackers are getting more and more sophisticated • Nation States / APT • Zero days galore • It is a matter of WHEN not IF
  • 34. SO HOW DOES IT FEEL?
  • 35. BUT IS IT REALLY? • 99.9% of attacks are not super sophisticated nation state zero day mega attacks • Most attacks are generic, not targeted • Most attacks are avoidable, and easily defensible • You don’t need to purchase next, next, next generation magic beans!
  • 36. SO WHAT IS THE TRUTH? • Most organisations are really bad at the basics • Most foundations are weak, leading to easy compromise • Attackers, believe it or not, like the easy route. It is the path of least resistance, the most cost effective, and hey it works! • Because, most organisations are rubbish at the basics
  • 37. WHAT DO I MEAN? • Policies, written in the ivory tower, with no business or customer empathy, that frankly nobody reads, let alone adheres to • What does my network look like? Which one? • Firewalls with so many rules there’s almost no point having them • Completely flat architectures, putting data at risk • Admins with internet access • Unknown number of assets and people vs reality • Once a year Security Awareness CBT nonsense • Maybe some monitoring, maybe some of the right things, maybe some actual logs. Doubt it though • It’s an open door to an attacker! Of any kind!
  • 38. SO WHAT’S THE ANSWER? • Back to basics, the stuff you’ve been saying you’ve been doing for years. Probably badly. • It’s time to do things differently. • Recognising that controls are only effective when business focused and within business operation. • Give yourself breathing space, start with external firewalls. • Come down from the ivory tower and into the customer base. • Encryption isn’t the only answer! And sometimes not a good one! IT IS HARD THOUGH. IF IT WAS EASY WE’D ALL BE BETTER AT IT!
  • 39. MOST OF ALL • Don’t believe the hype of the industry! • It is predicated on FEAR, because FEAR sells. FEAR = MONEY • Basic security foundations • It’s not all zero day and super sophisticated nonsense! • It is basics! Basics done badly leaves gaping holes. I don’t need to be super sophisticated to go through an open door. • Stop chasing buzzwords, like AI, BigData, IoT, whatever!
  • 40. NOW? • Check the rules on your external firewalls. • 80 / 443 / 25 / 53 / DONE! • Find if your admins have internet access! • Use things like GDPR to help you. TOMS anyone? • Security is a business wide responsibility, starting with the board. • Use your inevitable ‘Digital Transformation’. • Most of all, be honest with yourselves!
  • 42. Lisa Forte Red Goat Cyber Security @redgoatcyber #scotsecure
  • 44. LISA FORTE • UK Counter Terrorism Intelligence Services • South West Police Cyber Crime Unit • Red Goat Cyber Security, Partner • Social Engineering Training • Cyber Attack Response Simulation • Social Engineering Pen Test • Enhanced Vulnerability Assessments • Penetration Testing
  • 45. SOCIAL ENGINEERING VECTORS • Phishing • Vishing • Impersonation • Smishing
  • 46. A £1.7m mistake • 4 Eyes • Facebook Access • Training • Have a plan
  • 47. The USB Stick & the whistle-blower
  • 49. Lessons to Learn • Have a plan and test it • Review online information • Share Intelligence • Stop social media access on work devices • Test your staff & security • Invest in good training
  • 50. CONTACT US • Red-Goat.com • @RedGoatCyber • info@red-goat.com • linkedin.com/in/lisa-forte/
  • 52. Mark Menzies | Security Engineer BALANCING SECURITY AND FUNCTIONALITY Securing our digital world ©2018 Check Point Software Technologies Ltd. [Internal Use] for Check Point employees
  • 53. 2017 WAS A CYBER-SECURITY WAKE-UP CALL • WannaCry: Thousands of enterprises in over 99 countries • NotPetya: Completely shutting down an entire country and impacting over 60 more
  • 54. THE GLOBAL RISKS REPORT 2018
  • 55. WE ARE AT AN INFLECTION POINT! [Timeline chart of threats, 1990 to 2017: Gen I Virus, Gen II Networks, Gen III Applications, Gen IV Payload, Gen V Mass]
  • 56. ATTACKS VS PROTECTIONS • Gen I (Virus): Late 1980s – PC attacks - standalone; protection: The Anti Virus • Gen II (Networks): Mid 1990s – Attacks from the internet; protection: The Firewall • Gen III (Applications): Early 2000s - Exploiting vulnerabilities in applications; protection: Intrusion Prevention (IPS) • Gen IV (Payload): 2010 - Polymorphic Content; protection: SandBoxing and Anti-Bot
  • 57. WHERE ARE WE? [Timeline chart of threats and protections, 1990 to 2017: Gen I Virus, Gen II Networks, Gen III Applications, Gen IV Payload, Gen V Mass] Enterprises are between Gen 2-3 (2.8)
  • 58. 2018 – GEN V OF ATTACKS • Large scale (across country and industry) • State-sponsored technologies • Multi-vector (network, cloud, mobile)
  • 59. GEN IV PROTECTION IS NO LONGER ENOUGH! Gen IV PAYLOAD: 2010 - Polymorphic Content; SandBoxing and Anti-Bot. WE NEED • PREVENTION (NOT JUST DETECTION) • COVERING NEW ENTRY POINTS – CLOUD, MOBILE • REAL-TIME ACTION
  • 60. SAAS SECURITY ADAPTIVE CLOUD SECURITY MOBILE APP SCANNING SDN MICRO-SEGMENTATION CLOUD SECURITY AUTO-SCALE ORCHESTRATION ACCOUNT TAKEOVER PREVENTION HYPERVISOR LEVEL SECURITY PUBLIC-CLOUD AUTOPROVISION MOBILE CODE ANALYSIS MOBILE AI AND MACHINE LEARNING DISK ENCRYPTION MEDIA ENCRYPTION MOBILE SMS PHISHING MOBILE MAN IN THE MIDDLE ATTACK BLUETOOTH ATTACK DETECTION SS7 ATTACK PREVENTION ADVANCED JAILBREAK PROTECTION MEMORY ANALYSIS THREAT EXTRACTION HUMAN INTERACTION SIMULATION INTRUSION PREVENTION DOMAIN PREDICTION MACHINE LEARNING ANTI-RANSOMWARE CPU LEVEL SANDBOX ENDPOINT FORENSICS CAMPAIGN HUNTING IMAGE FILE SANITIZER ENDPOINT EXPLOITATION DETECTION FLASH EMULATION INTRUSION PREVENTION DOMAIN PREDICTION DECOYS & TRAPS ANTI-RANSOMWARE CPU LEVEL SANDBOX CPU EXPLOIT DETECTOR MACRO ANALYSIS OS-LEVEL SANDBOX DROPPED FILES EMULATION TRANSPARENT HTTPS INSPECTION STATIC ANALYZER LOW LATENCY FIREWALL INTEGRATED PACKET CAPTURE SCALABLE IDENTITY ACCESS VIRTUAL SYSTEMS (VSX) MULTICORE VPN SECURE-XL SSL INSPECTION NATIONWIDE PROTECTION VERTICAL SCALING ZONE-BASED SECURITY CONTENT AWARENESS NETWORK ENCRYPTION ICS/SCADA PROTECTION APPLICATION CONTROL USER-CHECK URL FILTERING HTTP 2.0 DLP ICS/SCADA PROTECTION LARGE SCALE MANAGEMENT REST APIS SECURITY ADVISOR SECURITY MANAGEMENT PORTAL EVENT CORRELATION
  • 61. SO WHY ARE WE STILL GEN 2.8 PROTECTION? • “It will never happen to me” • “It takes me 6 months to implement each technology. 20 technologies – will get me to 2025” • “That’s really complicated” • “No way to stop attacks.”
  • 62. LOOKS IMPOSSIBLE? THE IMPOSSIBLE WE DO IMMEDIATELY. MIRACLES TAKE A LITTLE LONGER. (Various..)
  • 63. TO PROTECT AGAINST MEGA ATTACKS WE NEED A NEW GENERATION OF PROTECTION
  • 64. WHAT COMPONENTS DO WE NEED?
  • 65. MAKING GEN V POSSIBLE • SS7 ATTACK PREVENTION • LARGE SCALE MANAGEMENT • MOBILE MAN IN THE MIDDLE ATTACK • MEMORY ANALYSIS • PUBLIC-CLOUD AUTOPROVISION • THREAT EXTRACTION • NETWORK ENCRYPTION • REST APIs • ORCHESTRATION • CPU LEVEL SANDBOX • ADAPTIVE CLOUD SECURITY • CLOUD SECURITY AUTO-SCALE THE CYBER SECURITY ARCHITECTURE OF THE FUTURE
  • 66. INFINITY IS BUILT ON 3 LINES OF DEFENSE 1. PREVENTION: Real prevention capabilities of unknown threats 2. CONTAINMENT: Isolate infected machines immediately 3. ANALYSIS: Understand business impact
  • 67. PREVENT RANSOMWARE: RANSOMWARE PROTECTION IS ON • ONGOING: BEHAVIORAL ANALYSIS (Constantly monitor for ransomware specific behaviors); DATA SNAPSHOTS (Continuously create short-term file backups) • UPON DETECTION: QUARANTINE (Stop and quarantine all elements of the attack); RESTORE (Restore encrypted files from snapshots); ANALYZE (Initiate forensic analysis to analyze attack details)
  • 68. UNDERSTAND INCIDENTS 1. Is this attack real? What events occurred? 2. What was the business impact? 3. What were the actions taken to remediate? 4. Show me the attack flow
  • 69. TO SUMMARIZE…
  • 70. WE ARE AT AN INFLECTION POINT! [Timeline chart of threats and protections, 1990 to 2017: Gen I Virus, Gen II Networks, Gen III Applications, Gen IV Payload, Gen V Mass]
  • 71. THANK YOU
  • 73. Refreshments & Networking Check rear of badges for breakout allocation #scotsecure
  • 75. Maggie De Jager & Kate Goldman easyJet & KBG Solutions @easyjet #scotsecure
  • 77. Success in the digital era is dependent on an organisation’s ability to simultaneously create and protect competitive advantage.
  • 79. Your cybersecurity strategy needs to be: - holistic across this new ecosystem - integrated with business strategy - culturally-relevant - agile
  • 82. 1. Companies are leaving value on the table as well as putting operations at risk by treating cybersecurity as an add on, as opposed to a central tenet and integrating at every level. 2. Competitive advantage comes from the unique layering of your business strategy with Cyber Security, underpinned by IT Best practice, a primed culture, and operational efficiency.
  • 83. The breadth and depth of the challenge calls for leaders in Cyber, in IT overall, who can operate as master change agents. They will need to drive the creation of a cohesive set of new business-relevant capabilities. Cyber is the nervous system running through all of it.
  • 85. 1. Correct Assessment of the Threat Environment Knowing and surveying your unique place in the continually evolving allows you to adapt, change, and react at speed.
  • 87. 2. Full Visibility of the Digital Ecosystem True digital situation awareness is becoming more achievable with: • Internal Cybersecurity approaches using the newer ‘next generation’ technologies • E2e visibility across your value chain
  • 89. 3. Converge IT/Business/Cyber Strategy The convergence of the Business, Digital, and Cyber Strategy requires all business functions working together in new ways. A continual and agile approach to strategy and business planning, that is integrated and holistic.
  • 91. 4. Engagement and Partnering Capability Cybersecurity can no longer be the concern of IT; it needs to be everyone’s business. Connecting with, working in, and developing trusted relationships across your organisational ecosystem is critical.
  • 93. 5. Team Culture Primed for Change Culture eats strategy for breakfast… even your cybersecurity strategy. Harness culture for change, for security, and for growth.
  • 95. Additional Questions – How well do you include cybersecurity planning in your overall organizational strategic planning process? – How well do you ensure alignment between your cybersecurity planning and your organization’s overall strategic planning? – How does your strategy development process stimulate and incorporate innovation in cybersecurity policies and operations? – How well and often do you collect and analyze relevant data and develop information on cybersecurity for your strategic planning process? – How do you decide which key cybersecurity processes will be accomplished by your workforce and which by external suppliers and partners? – What are your organization’s key cybersecurity-related strategic objectives and timetable for achieving them? – How do your organization’s key cybersecurity-related strategic objectives align with your organization’s overall strategic objectives? – How well do your strategic objectives achieve appropriate balance among varying and potentially competing cybersecurity needs, customer and stakeholder requirements, and business objectives?
  • 97. Information Security Champions Maggie de Jager – Information Security GRC
  • 98. Agenda > About me > About easyJet > Challenges for information security > So how did we do it? > Success factors > Closing
  • 99. About me > Background in Internal Audit and Risk Management > Specialising in Information Security since 2013 > Currently at easyJet in the Information Security Governance, Risk and Compliance team @magsdj
  • 100. About easyJet Vision: to be Europe’s leading short-haul airline, making travel easy and affordable for both leisure and business travellers.
  • 101. Our Network 140 airports in 35 countries 890 routes operated 81 million customers
  • 103. Our people >over 12 000 people
  • 104. Information Security for all functions > Training and awareness requirements: ▪ Training tailored to job function ▪ Delivery method relevant to job function ▪ Timing – all at the same time? In phases? ▪ Employee stakeholder requirements (workers councils, unions) > Understanding the business ▪ What does each function need from InfoSec? ▪ Unique requirements? Communication, sharing data with partners ▪ Where are the risks? > Challenges ▪ Diverse workforce ▪ Diverse working patterns & schedules ▪ Diverse employee contracts ▪ Third party partners – Ground operations, Call centres ▪ Regulatory obligations
  • 105. So how did we do it? > Representative in each team / function who acts as an InfoSec Champion > Our Champion to the business ▪ encouraging training ▪ contact person for queries ▪ Help with our communication strategy > Business team’s Champion to InfoSec ▪ Come with questions ▪ Identify new requirements where InfoSec can help ▪ Reporting problems / incidents
  • 106. Success factors (1) > Identify key stakeholders, and get their buy in first > AMB was asked to nominate champions > Clear charter / roles and responsibilities for champions – what’s in it for you? > Monthly meetings, structured format > Use of technology to include geographically diverse Champions > Resource website for Champions to use including FAQ’s, example goals for performance management; hints & tips; contact details
  • 107. Success factors (2) > Measuring success: ▪ Successful projects e.g. annual awareness drive; November InfoSafe month; GDPR; Personal drive clean up ▪ KPIs for InfoSec team ▪ 2 way communication with champions – we continually ask how to improve the programme and implement their ideas ▪ InfoSec attending business team meetings and stand-ups > Plans for the future: ▪ More champions! ▪ Additional training and opportunities for Champions ▪ Champions to help deliver new technology projects
  • 108. Summary > In a complex environment, a traditional approach is doomed to fail > Engage the right stakeholders from the start > Don’t just transfer work; make it worth it for the Champions > This is our approach – but will it work for you?
  • 111. Creating and implementing an information security strategy blueprint
  • 112. Creating and implementing a disruptive and innovative security strategy blueprint
  • 113. The views and opinions expressed in this presentation and on the following slides are solely those of the presenter and do not contain nuts. Do try this at home. Do not operate heavy machinery within 200m of this talk. Please direct all complaints and legal queries to: Donald Trump, The White House, 1600 Pennsylvania Avenue NW, Washington DC 20500, United States of America
  • 122. Team
  • 126. INEFFECTIVE COMMUNICATION: WHY THE ORGANISATION DOESN’T CARE • JORDAN M. SCHROEDER, CISSP, CISM • UCSS CIO & CISO • SCOT-SECURE MARCH 2018
  • 128. I saw opportunity • He saw liability
  • 129. HOW DO WE RESPOND? • Judgmental • Dismissive • “They just don’t get it”
  • 132. THE ORGANISATION CARES ABOUT OTHER THINGS
  • 133. 1. CLOSELY ALIGN THE RISK TO WHAT THEY CARE ABOUT
  • 136. 2. DROP “YOU SHOULD”
  • 138. 3. GIVE THEM DATA IN LINE WITH THEIR GOALS
  • 140. NOT “YOU SHOULD” IN GRAPH FORM
  • 141. METRICS • Risk-owner-driven • Offer a menu • Trends and relevance to goal impacts • Must trigger decisions and action
  • 142. ACTION ITEMS 1. Add 1 business leadership source to your news feed 2. Take a manager out for coffee 3. Drop “should” from your vocabulary 4. Start a Risk Metrics menu
  • 143. JORDAN M. SCHROEDER, CISSP, CISM • Managing CISO, UCSS • Security.StackExchange.com Moderator • Author of Advanced Persistent Training
  • 144. Closing Panel Christian Troon Kate Goldman Maggie De Jager Jordan Schroeder #scotsecure
  • 146. Drinks & Networking Sponsored by & #scotsecure
  • 147. A SOC for the rest of us (10 years of hard lessons)
  • 155. “…am I safe now?”
  • 156. “Having a SOC is not the end of the battle… …it’s the beginning of fighting back”
  • 163. OUR SERVICES • Security Assessments • Security Policy Review • Footprinting • Social Engineering • Training and Awareness • Tabletop exercises
  • 164. Ethical Hacking • BSc Ethical Hacking • Abertay University • Established 2006 • “It takes a thief to catch a thief”
  • 169. WHAT DO YOU SEE? WHAT DOES A HACKER SEE?
  • 173. EXPLOITING TRUST - SOFTWARE • Where is the communication? • NotPetya - Software update targeted • Target - HVAC System targeted
  • 174. EXPLOITING TRUST - HUMAN • People share WAY too much • Sometimes it’s too easy, people circumvent the rules • What hasn’t been done? • Tenders, job adverts etc. • Trust but verify
  • 178. BLACKHAT REPORT - 2017 • 81% of hackers could identify and exfiltrate data in less than 12 hours • 75% of the time organisations only focus on critical and high vulnerabilities after a pen test • 64% of hackers frustrated that organisations don’t fix the things they knew were broken • 84% of hackers used social engineering as part of their attack strategy
  • 180. THE EASY • Google research showed 48% plugged in • First one took 6 minutes • 68% wanted to return the USB to the rightful owner • Some of them just wanted a new USB stick
  • 182. Who are Sapphire GDPR Insider Threat Risk Management Forensic Readiness ISO27001 Fundamentals ISO27001 Internal Auditors Cyber Security for Executives Cyber Security Fundamentals Business Continuity Planning Exercises Business Continuity Planning Fundamentals Certified Information Security Managers (CISM) Certified in Risk & Information Systems Controls (CRISC)
  • 184. Digital Forensic Readiness Planning • Digital Forensic Readiness Planning: Proactive planning for a digital investigation of admissible evidence; related monitoring processes, collection processes and capabilities; storage requirements and costs. • Digital Forensic Investigation and Examination: The goal of computer forensics Investigation and Examination is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information
  • 185. Digital Forensic Readiness Planning • History • Evan Dooley • Nick Leeson • John Rusnak • Security Breaches • Following some of the major financial scandals of the late 1990s and early 2000s, new strands of legislation and regulation impose on businesses the requirement to produce and preserve a wide variety of business records.
  • 187. Digital Forensic Readiness Planning • Corporate good practice • Business Continuity • Disaster Recovery • IT Resilience • Incident Management • Forensic Readiness
  • 188. Digital Forensic Readiness Planning • Useful documentation:
  • 189. Digital Forensic Readiness Planning • Example of Benefits: • Investigation of major incident • Defence against lawsuits • Evidence to resolve a commercial dispute • Deterrent to insider threat attacks • Prove violation of a Corporate Policy • Demonstrate regulatory requirements have been met • Reduce the time and costs of an investigation • Demonstrates corporate governance of information assets
  • 190. Digital Forensic Readiness Planning • Objectives: 1. To gather admissible evidence legally 2. To gather evidence targeting the potential crimes and disputes that may adversely impact on the organisation. 3. To allow investigations to proceed at a cost in proportion to the incident 4. To minimise interruption to the business from any investigations 5. To ensure that the evidence makes a positive impact on the outcome of any legal actions
  • 191. Digital Forensic Readiness Planning • 10 STEPS • Scenario Driven • Identify Sources • Collection Requirements • Legally Admissible • Forensic Readiness Policy • Monitoring • Escalation Process • Staff Training • Documenting Case • Legal Review
  • 192. Digital Forensic Readiness - Examples • Scenario Driven • Identify Sources • Step 1: Define the Business Scenarios that require Digital Evidence • Threats and extortion • Information compromise • Accidents and negligence • Stalking and harassment • Commercial disputes • Intellectual Property rights infringement • Economic crime • Email, internet or social media abuse • Employee disciplinary issues • Contractual disputes • Unauthorized access by employees • Malware • Hacking • Theft of computer resources • Failure of computer systems • Privacy invasion and identity theft
  • 193. Digital Forensic Readiness - Examples • Scenario Driven • Risk Assessment • Step 1: Define the Business Scenarios that require Digital Evidence • Business Scenarios: Threats and extortion • Information compromise • Accidents and negligence • Stalking and harassment • Commercial disputes • Intellectual Property rights infringement • Economic crime • Email, internet or social media abuse • Employee disciplinary issues • Contractual disputes • Unauthorized access by employees • Malware • Hacking • Theft of computer resources • Failure of computer systems • Privacy invasion and identity theft • Threats: What do they want • Money • Information • Disruption • Fun • Competitive advantage • Revenge • Discredit the brand
  • 194. Digital Forensic Readiness Planning • STEP 2: Identify Sources • Identify available sources and different types of potential evidence • Email, Instant messaging, web-based email, chat rooms, newsgroups, social media etc. • System and management files • Equipment such as routers, firewalls, servers and workstations. • Monitoring software such as intrusion detection software, packet sniffers, keyboard loggers • CCTV, door access records, phone logs • General logs such as access logs, printer logs, web traffic, internal network logs, internet traffic, database transactions, commercial transactions etc. • Portable devices • Application software • Back-ups and archives.
  • 195. Digital Forensic Readiness • Identify Sources • Technology Challenges • BYOD (PCs, Phones, Tablets etc.) • Social Media • CCTV • VOIP • Cloud • IOT
  • 196. Digital Forensic Readiness • Step 3: Determine the evidence collection requirement • Where is data generated? • What format is it in? • How long is it stored for? • How is it currently controlled, secured and managed? • Who has access to the data? • How much is produced? • Is it archived? If so where and for how long? • How much is reviewed? • What additional evidence sources could be enabled? • Who is responsible for this data? • Who is the formal owner of the data? • How could it be made available to an investigation? • What business processes does it relate to? • Does it contain personal information? • Scenarios • Available sources • Evidence Collection Requirement • COST BENEFITS ANALYSIS
  • 197. Digital Forensic Readiness • Legally Admissible • Step 4: Establish a capability for securely gathering legally admissible evidence to meet the requirement • Evidence being gathered • Legal Advice • Business • Personal • Email • Log Files • Social media • STOP • Possible Evidence
  • 198. Step 4 Establish a capability for securely gathering legally admissible evidence to meet the requirement Digital Forensic Readiness • Monitoring should be targeted at specific problems • It should only be gathered for defined purposes and nothing more • Staff should be told what monitoring is happening except in exceptional circumstances. Legally Admissible
  • 199. Step 4 Establish a capability for securely gathering legally admissible evidence to meet the requirement Digital Forensic Readiness Legislation Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 Legally Admissible
  • 200. Digital Forensic Readiness Lawful Business Practice Regulation Lawful Business Practice Regulations are designed to meet the legitimate needs of businesses to manage their information systems, making use of the capabilities of modern communications technology, but in a way that is consistent with high standards of privacy. Please Note: These are not exemptions from the Data Protection Act. Legally Admissible
  • 201. Digital Forensic Readiness • Legally Admissible • Article 8: Right to Respect for Private and Family Life • Everyone has the right to respect for their private and family life, their home and their correspondence.
  • 202. Digital Forensic Readiness • Forensic Readiness Policy • Step 5: Establish a Forensic Readiness Policy including the secure storage and handling of potential evidence • Policy Structure • Senior Management Commitment • Standards & legislation to comply with (e.g. ISO 27037:2012 Guidelines for identification, collection, acquisition, and preservation of digital evidence) • Process for instigating an investigation • Who can conduct investigations (competence levels) • Resources required • Examination locations • Evidence Storage • Equipment and software tools required • Use of external resources • Requirements for building evidence based cases • Training and Development
  • 203. Digital Forensic Readiness • Monitoring: Step 6 Ensure monitoring is targeted to detect and deter major incidents • Escalation Process: Step 7 Specify circumstances when escalation to a full investigation should be launched • Staff Training: Step 8 Train staff in incident awareness and understanding of their role in the evidence processes and the legal aspects of evidence • Documenting Case: Step 9 Document an evidence-based case describing the incident and the impacts. WHO, WHAT, WHY, WHEN, WHERE AND HOW
  • 204. Digital Forensic Readiness • Legal Review • Step 10: Ensure legal review to facilitate action in response to the incident. • At key times during the collating of the digital forensics it is good practice to review the case from a legal standpoint to advise on the strength of the case and suggest whether additional measures should be taken. Legal Advisors should be trained and experienced in the appropriate cyber laws and evidence admissibility. Advice may include: • Any liabilities from the incident and how they can be managed • Findings and prosecuting/punishing of culprits • Legal and regulatory constraints on what can be taken • Reputation protection and PR issues • When/if to advise partners, customers and investors • How to deal with employees • Resolving commercial disputes
  • 205. Digital Forensic Readiness • Key Points • Forensic Readiness is an organisation’s ability to use digital evidence when required • Its aim is to maximise an organisation’s ability to gather and use digital evidence whilst minimising the costs of related investigations. • Forensic Readiness is an integral part of Information Security • Forensic Readiness should be part of an information security risk assessment • It is closely related to Incident Response and Business Continuity • Requires that the secure preservation and continuity of evidence be maintained. • Links to security monitoring to detect and deter issues that may have a major business impact • Forensic Readiness should be part of an organisation's security training programme. • Develop and implement a Forensic Readiness Policy
  • 206. Digital Forensic Readiness Alan Moffat Alan.Moffat@sapphire.net www.sapphire.net
  • 207. Teamwork Through Technology Building bridges between operations and security
  • 208. A few questions before we begin… Think about who would have this answer
  • 209. How many endpoints are on your network right now? Where do you get this information?
  • 210. What applications are installed on those endpoints right now? How old is this answer?
  • 211. Are they all patched and updated right now? How do you know what to patch?
  • 212. Who is on your network right now? How are their permissions decided and enforced?
  • 213. What are they doing right now? What were they doing yesterday?
  • 214. ©2017 Tanium. All rights reserved. What The Industry Designed For
  • 215. What Organizations Are Actually Facing • 12–20% of Endpoints Are Unmanaged [1] • 60% of Endpoints Are Missing 6+ Critical Patches [1] • 99 Days to Detect a Security Incident [3] • Only 50% of Security Alerts Investigated [2] • Sources: 1) Avg. results from Tanium Security Hygiene assessments 2) Cisco Cybersecurity Report 2017 3) Mandiant M-Trends 2017
  • 216. The Result: Endpoint Basics Are Difficult • The WannaCry Ransomware Attack Highlights The Problem • 150 Countries • 10K Organizations • Prevention: 1 Windows Patch • And then there was Petya…
  • 217. Why Do Organizations Struggle With These Issues? Teams are held back by limited endpoint tools • Incomplete Visibility: Unknown devices. Incomplete endpoint data. Out-of-date databases. • Limited Control: Low confidence in ability to remediate failures or to fully remediate security incidents. • Slow to Use: Response time in hours, days, or weeks. High network load.
  • 218. SIEM • CMDB • Sources of truth (and consolidated endpoint data) • Security relies on the SIEM... and Operations relies on the CMDB
  • 219. SIEM: SIEM data sources ● “Critical” system logs ○ Domain controllers ○ Database and application servers ○ Key user workstations ● Network device logs ○ Firewalls ○ DNS ○ Proxies ● Security tools ○ Network IDS / IPS ○ Anti-malware ○ EDR / EPP
  • 220. SIEM: Common challenges ● Gaps in coverage ○ Types of systems ○ “Event” vs. stateful data ● Data quality ○ Fire-hose of events ○ Correlation is expensive & hard ● Hijacked by other stakeholders ○ “IT Audit said we had to log all Deny events at our perimeter firewalls” ○ “We can’t ingest any more events…”
  • 221. CMDB: CMDB / asset inventory data sources ● Directory services ○ Active Directory ○ LDAP ○ IAM tools ● Systems management tools ○ SCOM, SCCM ● CMDB discovery tools ● Vulnerability discovery tools
  • 222. CMDB: Common challenges ● Gaps in endpoint coverage ○ Operating system ○ Device / system type ● Data quality ○ Infrequent data collection ○ Incomplete data collection ○ Redundant or improperly grouped assets ● Siloed to specific stakeholders ○ Often disconnected from SOC & CIRT operations
  • 223. CMDB • SIEM
  • 225. The weekend after WannaCry... • “We don’t know which systems have SMB1 disabled.” • “We can only confirm that 60% of our Windows servers have been patched.” • “Our last vulnerability scan reported 15% more Windows systems than what’s under management by SCCM.” • “We don’t know which systems have been rebooted.”
  • 226. “We found 12 weeks was where most organizations had completed their patch process ‘on time’ may be seven days for [critical] findings,” Verizon DBIR 2017
  • 227. The lack of a comprehensive and constantly-updated source-of-truth for endpoint information is a foundational source of confusion and conflict, hindering our ability to perform any* essential security or operations function. *vulnerability identification, patching, malware prevention, detection and response, software deployments, infrastructure changes and much more
  • 228. Why is Operations so hard right now?
  • 229. Why is Security so hard right now?