1. Welcome to
ScotSecure
2019
#scotsecure

2. Mark Stephen
BBC Scotland
@bbcscotland
#scotsecure

3. Federico Chorosky
Quorum Cyber
@fedechorosky
#scotsecure

5. Why we do what we do
An exploration of an industry that is quickly losing its soul

6. Who do I think I am?

7. What I see when I look
out
What we did differently An invitation

8. What I see when I look
out
What we did differently An invitation

9. Cynicism
Anger
Fear Toxic behaviours
Apathy
Disenfranchised individuals
Twitter mobs
Lack of real
messages
“Giveaways” that mean nothing
Blame

11. We need to build vehicles for our beliefs
and do something awesome

12. & IntentionalityDrive

13. What I see when I look
out
What we did differently An invitation

14. I spend an inordinate amount of time on this

15. do the right thing

16. … but it wasn’t enough

17. What
Why
How

18. “The goal is not to do
business with everybody who
needs what we have
What we do, serves as the proof of what we believe
The goal is to do business with
people who believe what we
believe”

19. We protect those that cannot protect themselves
We fight bullies

20. By creating simple, clear, innovative
products and services
that provide great customer experience

21. We make the invisible, visible.
Today we sell a collection of
products and services such as
Consulting and Big Red Button

22. What I see when I look
out
What we did differently An invitation

23. Find
your
bully
Stop
blaming
Keep
talking

25. Eleanor McHugh
Consultant
#scotsecure

26. Rory Alsop
ISF
@roryalsop
#scotsecure

28. •
•
•
•
•
•

29. •
•
•
•
•

30. •
•
•

31. •
•
•
•
•
•
•
•

32. •
•
•
•
•

33. •
•
•
•
•
•
•

34. •
•
•
•
•

36. Panel
Harry McLaren – Cyber Scotland Connect
Federico Chorosky – Quorum Cyber
Elaine McKechnie – CYBG, SwiT
Eleanor McHugh – Consultant
Rory Alsop – ISF
#scotsecure

37. Refreshments
&
Networking
#scotsecure

38. Leo Cunningham
Zonal
@zonaluk
Gaye Cleary
Grant McGregor
@cleary_gfm
#scotsecure

39. Building and improving the effectiveness
of security functions in SME environments
Leo Cunningham
InfoSec and Compliance Manger (and Group DPO)

40. ▪ Transitioning from an outsourced model
▪ Creating the next iteration of the security function and strategy
▪ Building cultural awareness to reduce business risk day to day
▪ Learnings from challenges and successes
Agenda

41. Transitioning from an outsourced model

44. ✓ Reduce costs
✓ Your data is yours
✓ Risk Control
✓ Improved SLA

45. Creating the next iteration of the security
function and strategy

46. ▪ Understanding your business is key to helping you decide what happens next
▪ Focus on the people who do the ‘doing’ and make the ‘decisions’
▪ Conduct a gap analysis
▪ What are you missing?
▪ Remember those cost savings that you’ve just made?
▪ Formulate a TOM/Roadmap to keep you focused
▪ Begin cultural change and adoption

48. Building cultural awareness to reduce business
risk day to day

51. Learnings from challenges and successes

53. Not everyone gets it!

59. CHAMPIONS

60. Questions?
leo.cunnigham@zonal.co.uk
Linkedin.com/in/leocunningham1

61. Building a Sound Foundation in Information Security
with Cyber Essentials
Gaye Cleary
Information Security Consultant
Grant McGregor Ltd
COPYRIGHT & COMMERCIAL CONFIDENCE
The copyright in this work is vested in Grant McGregor Ltd and this document is issued in commercial confidence for the purpose only for which it is supplied.
It must not be reproduced in whole or in part except under an agreement or with the consent in writing of Grant McGregor Ltd and then only on the condition that this notice is included in any such reproduction.
No information as to the contents or subject matter of this document or any part thereof arising directly or indirectly there from shall be given orally or in writing or communicated in any manner whatsoever to any third party
being an individual firm or company or any employee thereof, without the prior written consent of Grant McGregor Ltd.

62. More
This
Not
so
much
This
Background
MSc ASDF Edinburgh
Napier
Cyber Essentials Assessor
Former Unix Sybase DBA
Interested in Data
Protection

63. Grant McGregor
An IASME Certifying
Body

64. Questions ???
Q&A after

65. 1. Why do a presentation about “the basics”?

66. SOPHOSLABS 2019 THREAT REPORT
• Close holes in firewalls
• Use MFA
• Distrust unknown files and links
• Keep up to date with operating system and software
patches
• Change default passwords
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-2019-threat-report.pdf

67. SingHealth cyberattack
Singapore’s most serious breach of public data to date
Committee of Inquiry (COI), Jan 2019
• A disturbing number of staff fell prey to phishing emails twice or more
• Review the efficacy of the email-protection measures
• Conduct regular audits/checks to bridge “gaps” between policy and
practice
• Insufficient scope in vulnerability assessments
• Citrix servers should have had 2FA enabled for admin accounts
• Admin accounts must have tighter control and greater monitoring
https://www.channelnewsasia.com/news/singapore/singhealth-coi-report-it-security-recommendations-11104458

68. SamSam
SamSam attackers want easy targets, entering networks using exploits in
internet-facing servers: the JBoss application server, or by brute-forcing RDP
passwords. Getting a few of the basics right gives a very good chance of
keeping them out.
▪ Strict patching protocol for OSs and all the applications that run on them.
▪ Lock down RDP
✓ Limit the rate of password retries
✓ Automatically lock accounts after a number of failed login attempts.
✓ Require multi-factor authentication.
✓ Educate users about strong passwords and the dangers of password
reuse.
✓ Have staff access RDP through a VPN and Limit access to specific IP
addresses, ranges or geographies.
nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/

69. Why aren’t we doing the basics?
• Assume we’re doing them already
• Where to start, what to include, exclude?
• Getting overwhelmed
More than 22,000 new vulnerabilities disclosed in 2018.
https://www.riskbasedsecurity.com/2019/02/more-than-22000-vulnerabilities-disclosed-in-2018/
• IT is often reactive rather than proactive

70. .
Cyber Essentials – Where did it come from?
• Based on investigations into corporate compromises in 2014
• Identified most effective controls, to defend against commodity attacks
➢ practical to implement
➢ relatively straight forward to test
• Intended to be a first step in the journey to protecting your organisation in
cyber space.
• Not intended to be a silver-bullet for all forms of cyber attack
https://www.cyberessentials.ncsc.gov.uk/2017/11/27/a-brief-history-of-cyber-essentials

71. ICO- Guide to GDPR (Security)
 We have put in place basic technical controls such as those specified by
established frameworks like Cyber Essentials?
…
“A good starting point is to make sure that you’re in line with the
requirements of Cyber Essentials – a government scheme that includes a
set of basic technical controls you can put in place relatively easily.”
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/

72. .
Some Observations on Cyber Essentials
•Combining Technical Controls with Business Processes
•Getting a Handle on Vulnerabilities and Patching
•Common failings and problem areas

73. 2. Technical Controls with Business Processes
Is there a gap between policy and practice?

74. IT Threat Landscape
An ever changing beast

75. CRAB RANSOMEWARE
Now in its fifth version, this file-locking malware
continues to be updated at an aggressive
pace. Its developers are constantly releasing
new versions of it, with new, more
sophisticated samples being made available to
bypass cybersecurity vendors’
countermeasures.
https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-
decryption-tool-released-for-free-no-more-ransom (Oct 2018)

76. 2018 Verizon Data Breach Investigations Report
"At least 37% of malware hashes appear once, never to be
seen again"
https://www.researchgate.net/publication/324455350_2018_Verizon_Data_Breach_Investigations_Report

77. Technical Controls with Business Processes
Close the gap between policy and practice
Policy Life Cycle
• Identify Need
• Develop and Approve
• Publish
• Review and Maintain

78. Some examples of Cyber Essentials Questions
looking for policy and/or practice

79. Firewall
A4.2 When you first receive an internet router or
hardware firewall device it will have had a default
pass-word on it.
Has this initial password been changed on all such
devices?
How do you achieve this?

80. Firewall
A4.6 If you do have services enabled on your firewall, do you
have a process to ensure they are disabled in a timely manner
when they are no longer required?
Describe the process.
A4.5 Do you have any services enabled that are accessible
externally from your internet routers or hardware firewall
devices for which you do not have a documented business
case?

81. Supported Software
A6.2 Are all applications on your devices supported by a supplier
that produces regular fixes for any security problems?
• Can you answer this is you don’t maintain a software register?
• Can you answer this is your employees have local admin rights?
• Are you confident that old versions of software have been
removed?

82. Users with Admin Privileges
A7.5 Do you have a formal process for giving
someone access to systems at an
“administrator” level? Describe the process.

83. 3. Vulnerabilities and Patching
more than 22,000 new vulnerabilities disclosed in 2018
Where to start?

84. Patching
A6.4 Are all high-risk or critical security updates for operating systems
and firmware installed within 14 days of release? Describe how do
you achieve this.
A6.5 Are all high-risk or critical security updates for applications
(including any associated files and any plugins such as Adobe Flash)
installed within 14 days of release? Describe how you achieve this.
Applies to: Servers, Computers, Laptops,
Tablets, Mobile Phones, Routers and Firewalls

85. Vulnerabilities in scope for Cyber Essentials
For cyber Essentials, we’re
considering an attacker had
some technical knowledge,
they were sitting somewhere on
the Internet, and were using
what we called ‘commodity’
attack tools.

86. Vulnerabilities in scope for Cyber Essentials
• attack vector: network only
• attack complexity: low only
• privileges required: none only
• user interaction: none only
• exploit code maturity: functional or high
• report confidence: confirmed or high

87. e.g. Vector String from Microsoft
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0603
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

88. Looking back to June 2017
How would Cyber Essentials
Fare in protecting against Not
Petya?

89. About half MS Bulletins in 2017 are critical
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Patching for Cyber Essentials

90. Vulnerabilities patched in ms17-010
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Base Score: 8.1 (Temporal Score: 7.3)
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147
Vulnerability title CVE number Publicly disclosed Exploited
Windows SMB Remote Code Execution Vulnerability CVE-2017-0143
No No
Windows SMB Remote Code Execution Vulnerability CVE-2017-0144
No No
Windows SMB Remote Code Execution Vulnerability CVE-2017-0145
No No
Windows SMB Remote Code Execution Vulnerability CVE-2017-0146
No No
Windows SMB Remote Code Execution Vulnerability CVE-2017-0148
No No
Windows SMB Information Disclosure Vulnerability CVE-2017-0147
No No

91. Exploit Details
Security Tracker:
Updated: May 14 2017
Original Entry Date: Mar 14 2017
A tool named 'ETERNALBLUE' that exploits one of these
vulnerabilities is publicly available.
[Editor's note: One of these vulnerabilities is being exploited by
the WannaCrypt malware.]
https://www.securitytracker.com/id/1037991

92. Exploit details readily available
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147

93. More Exploit details
https://www.cvedetails.com/cve/CVE-2017-0147

94. Not Petya - Would having CE have helped?
One Attack Vector: Trick a user logged in as an admin or domain
admin into running a booby-trapped email attachment that installs
and runs the malware with high privileges. CE ✓
Some Mitigations
• Patch your computers to stop the SMB exploits CE *
• Disable SMBv1 CE ✓
• Block outside access to ports 137, 138, 139 and 445 CE ✓
• Follow best practices and not allow local administrators carte
blanche over the network – and tightly limit access to domain
admins. You'd be surprised how many outfits are too loose with
their admin controls. CE ✓
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/

95. 3. Common Failings and Problem Areas

96. Renewing
Just resubmitting last years answers
Cyber Essentials is constantly updating based on
new threats and deeper understanding of the threat
landscape
IASME have monthly webinars and an assessor
forum for assessors to keep up to date on current
guidance

97. Devices in Scope
A2.7 Please list the quantities of tablets and mobile devices
within the scope of this assessment. You must include model and
operating system version for all devices.
• Are all mobile devices still supported, updating the OS?
• Restrict which devices can access business data via cloud,
e.g. office365

98. Devices in Scope
A2.9Please provide a list of network equipment that
will be in scope for this assessment (including
firewalls and routers).
!! Remember routers and firewalls in home offices !!

99. Remote access to firewall config
A4.8 Are your internet routers or hardware
firewalls configured to allow access to their
configuration settings over the internet?

100. Software firewalls disabled
NCSC advise that having local firewalls on hosts will help
prevent lateral spreading of malware throughout your
organisation
Also protects devices brought outside your network
perimeter
https://www.ncsc.gov.uk/guidance/preventing-lateral-movement

101. Admin users on Mac
Mac - All users have Admin credentials by
default
Create standard privilege accounts for all users

102. Admin Users Browsing the internet
A7.7 How do you ensure that administrator accounts are not
used for accessing email or web browsing?
• Most malware is delivered by email or web downloads
• Only use admin for administrative activities e.g installing software or
making configuration changes
• For patch downloads, ensure you’re accessing trusted links - not
googling

103. Why might you use Cyber Essentials as
your starting point?
• Clearly defined scope
• Framework for basic controls and procedures
• Deliberately prescriptive
• More thorough and complete than you might think
• UK standard to protect organisations from real attacks
• ICO recommend it

104. My Advice…
Gaye Cleary
Information Security Consultant, Grant
McGregor
gaye.cleary@grantmcgregor.co.uk
linkedin.com/in/gayecleary
Take Things A Step At A Time

105. Gerry Grant
Converged Communications
@gerrytonic
Jacob Cordran
Swarm Online
@swarmonline
#scotsecure

107. From dodgy disks …..
To crypto mining….

108. Agenda
• A brief history
• Key trends & observations
• Why the tactics are changing
• Lessons to learn
• How to protect ourselves

121. 🤦‍
♂️

124. 🤦‍
♂️

138. What now?

139. Ransomware
• Moving to enterprise
• Much more targeted
• Greater potential damage, the
greater potential return
• Ryuk specially targets high
value systems

140. Chase the easy money
• Better defenses
• Better awareness
• Consumers mainly using
phones/tablets
• Cloud back-ups

141. Back to stealth – Crypto mining
• Works in the background
• Quick return
• Infect the user OR the
website
• Low barrier to entry
• IoT led bot net Cryptomining?

142. Supply Chain
• Compromise the
developer/update
• Pushed to LOTS of users
• Trust
• Software often signed

143. Target lots of people at once
• Poisoned Chrome extensions
• Wordpress plug-ins
• Docker images
• Repositories
• Typo squatting
• Formjacking
• Immensely increase attack
surface

144. Formjacking
• Infect website with JavaScript
• Capture CC details
• Just ask Ticketmaster or BA

145. Cloudy Stuff

146. The dream
• It has everything
• Poor security measures
• 70 million records exposed on
S3 buckets (Symantec)
• No need to use an exploit
• Tools to search for exposed
S3 buckets

147. Malware

148. Collaboration
• Historically known for one
utility
• Hybrid malware
• Mine crypto AND send spam
• Authors working together for
greater impact

149. Phishing

150. It still works
• 76% of organisations
experienced an attack in
2018 (IT Professionals
Security report)
• Vary infrastructure
• Vary length of attacks
• Hosted infrastructure & Cloud
to hide in legit sites

151. Passwords

152. They are not going away
• One weak password can
result in compromise
• Password reuse is killing us
• Collection 1 (and Collection
2-5)
• 2.2 BILLION passwords out
there

153. Nation State

154. Becoming more open
• Winter Olympics take down
• Elections, again
• Catphishing
• Much more open

155. Wrap it up

156. Conclusion
• The more we way know, the better we can prepare
• Attackers are ‘Living off the land’
• Infection rates correlate to human development factors and
technology readiness
• Tactics will always adapt

157. Conclusion
• Use trusted sources
• Configuration
• Access Controls
• Be aware and act if suspicious
• Training
• Consistency

158. Inconsistency is the biggest threat to an
organisation. There are always groups
inside a company that think what they
do is too important, or too different, and
will push for an exception. In 2019
leaders need to help their teams
understand that exceptions create risk
for the organisation.
Jeff Brown, Vice president and CISO, Raytheon

159. Questions?
cybersecurity@converged.co.uk

160. Security by Design:
Securing Entry Points across the Organisation
Jacob Cordran
Technical Director, SwarmOnline
@vuln_

161. Common vulnerabilities (yes, still)
Security by design (aka good habits)
Who/what are you protecting against?
What can the bad guys/bots see?
Securing entry points (incl. physical ones)
The value of collaboration

162. Information has a value
Often electronic; but not necessarily so
Everybody’s responsibility
Administrative, logical & physical controls

163. How many security controls do I need?

165. LAIRSLAYERS

166. People and systems are fallible
Build in redundancy
Don’t rely on a single control
You already know how to do this!

167. Data breaches and security incidents are frequent
But do we truly learn from them?
Could the aviation industry teach us a lesson?

168. A culture of openness and sharing of information
Every incident is an opportunity to improve procedures
‘Just Culture’ ensures reporters aren’t penalised

170. vulnerabilities STILL existCommonBasic

171. Wedding lists tend to be very public
John Lewis do offer a guest password
Not everyone uses it…

174. What just happened?!
Bought 5 items at £10 each £ 50
But also bought -6 (negative six!) at £8 each -£ 48
We are charged the difference £ 2

177. The order is partially validated after payment

178. Expected the transaction to fail at every step
Easy to fix but a significant impact
Do negative numbers count as hacking?!
YES.

180. The verb to ‘hack’ has become part of our
everyday language
e.g. ‘Lifehacks’

181. Use something in a way other than as intended
Doesn’t have to be malicious
Can be consented to
You can be a hacker too!

182. Finding a target can be as easy as searching for one.
What isYOUR online footprint?

183. Live demo?

184. Not just servers and databases
Individual PCs, laptops, mobile devices
Online services (email, file sharing, etc.)
In the Cloud and on-premise
Do you have an asset register?

186. Who is in your building right now?
Are they meant to be there?
Who can see your screen?
Lock it EVERY time your device is unattended
Challenge anyone you don’t recognise

187. You don’t need to be big to have written policies
Get ahead of the (mandatory) game
Less regulated = MORE responsibility!
Do the right thing regardless
Write your own
Be realistic
What are you trying to protect?

188. Ask yourself and your team awkward questions
Wear a hi-viz vest
Talk to others – think like an aviator
Be an (ethical) hacker
Be observant
Make security a habit

189. Jacob Cordran
Technical Director, SwarmOnline
@vuln_

190. Avoiding commodity cybercrime
info@cyberscore.com www.cyberscore.com

191. Name the aircraft…

192. Shenyang FC-31 (China)
($70m)
F-35 Lightning II (USA)
($120m)
Name the aircraft…

193. Name the virus…

194. Name the virus…
Wannacry, May 2017

195. Good news slide
Most of us don’t need to worry about
state sponsored espionage
Commodity cybercrime is easier to
mitigate than you might think

196. Proliferation Hyper-connectivity
Bad news slide
4 trends will make the situation worse before it gets
better
MonetisationApathy

197. What to do
1. Treat cyber insecurity as a risk
issue rather than compliance.

198. What to do
1. Treat cyber insecurity as a risk
issue rather than compliance.
2. Expect to have a problem,and
have a plan for your own
personal Dido Harding day.

199. What to do
1. Treat cyber insecurity as a risk
issue rather than compliance.
2. Expect to have a problem,
and have a plan for your own
personal Dido Harding day.
3. Focus on the basics
- know your network
- patch your network
- configure your network

200. What we do
1. Treat cyber insecurity as a risk
issue rather than compliance.
2. Expect to have a problem,
and have a plan for your own
personal Dido Harding day.
3. Focus on the basics
- know your network
- patch your network
- configure your network

201. What we do
We make it quick and easy to improve cyber security posture

202. What we do
Get well plans, peer rating, performance trends, expert help

203. What we do
Get well plans are tailored to your business

204. What we do
Manage risk across your supply chain

205. What we do
Automate Cyber Essentials Plus certification
There are probably no more than
2,000 organisations in the UK with
Cyber Essentials Plus
- 5yrs
- 22,000 certifications
- 4,000 (20%) CES Plus
The current scheme is broken
- Difficulty (scale vs ignorance)
- Logistics
- Quality
- Perceived lack of value

206. What we do
Automate Cyber Essentials Plus certification
There are probably no more than
2,000 organisations in the UK with
Cyber Essentials Plus
- 5yrs
- 22,000 certifications
- 4,000 (20%) CES Plus
The current scheme is broken
- Difficulty (scale vs ignorance)
- Logistics
- Quality
- Perceived lack of value
We need to remove the barriersto
Cyber Essentials Plusadoption
- Automation
- Increased quality and consistency
- Self-service
- Lowered costs
- Demonstrable business value
Success factors
- Assurance
- Confidence
- Value
- Legacy

207. About Us
• Formed in 2014
• Directors from QinetiQ/Cheltenham
• Based in Tewkesbury
• 45 staff
• Professional Services
• CyberScore™

208. www.cyberscore.com
twitter.com/XQCyber
facebook.com/cyberscore
info@xqcyber.com
+44 (0) 333 305 7650