The national Scot-Secure Summit is the largest annual Cyber Security Conference in Scotland: the event brings together senior IT leaders and Information Security personnel, providing a unique forum for knowledge exchange, discussion and high-level networking.
The conference programme is focussed on promoting best-practice cyber security; looking at the current trends, the key threats - and offering practical advice on improving resilience and implementing effective security measures.
18. “The goal is not to do business with everybody who needs what we have. The goal is to do business with people who believe what we believe.”
What we do serves as the proof of what we believe
19. We protect those that cannot protect themselves
We fight bullies
20. By creating simple, clear, innovative products and services that provide great customer experience
21. We make the invisible, visible.
Today we sell a collection of products and services such as Consulting and Big Red Button
22. What I see when I look out
What we did differently
An invitation
39. Building and improving the effectiveness of security functions in SME environments
Leo Cunningham
InfoSec and Compliance Manager (and Group DPO)
40. Agenda
▪ Transitioning from an outsourced model
▪ Creating the next iteration of the security function and strategy
▪ Building cultural awareness to reduce business risk day to day
▪ Learnings from challenges and successes
46. ▪ Understanding your business is key to helping you decide what happens next
▪ Focus on the people who do the ‘doing’ and make the ‘decisions’
▪ Conduct a gap analysis
▪ What are you missing?
▪ Remember those cost savings that you’ve just made?
▪ Formulate a TOM/Roadmap to keep you focused
▪ Begin cultural change and adoption
61. Building a Sound Foundation in Information Security with Cyber Essentials
Gaye Cleary
Information Security Consultant
Grant McGregor Ltd
66. SOPHOSLABS 2019 THREAT REPORT
• Close holes in firewalls
• Use MFA
• Distrust unknown files and links
• Keep up to date with operating system and software patches
• Change default passwords
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-2019-threat-report.pdf
67. SingHealth cyberattack
Singapore’s most serious breach of public data to date
Committee of Inquiry (COI), Jan 2019
• A disturbing number of staff fell prey to phishing emails twice or more
• Review the efficacy of the email-protection measures
• Conduct regular audits/checks to bridge “gaps” between policy and practice
• Insufficient scope in vulnerability assessments
• Citrix servers should have had 2FA enabled for admin accounts
• Admin accounts must have tighter control and greater monitoring
https://www.channelnewsasia.com/news/singapore/singhealth-coi-report-it-security-recommendations-11104458
68. SamSam
SamSam attackers want easy targets, entering networks using exploits in internet-facing servers such as the JBoss application server, or by brute-forcing RDP passwords. Getting a few of the basics right gives a very good chance of keeping them out.
▪ Strict patching protocol for OSs and all the applications that run on them.
▪ Lock down RDP
✓ Limit the rate of password retries
✓ Automatically lock accounts after a number of failed login attempts.
✓ Require multi-factor authentication.
✓ Educate users about strong passwords and the dangers of password reuse.
✓ Have staff access RDP through a VPN and limit access to specific IP addresses, ranges or geographies.
nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/
69. Why aren’t we doing the basics?
• Assume we’re doing them already
• Where to start, what to include, exclude?
• Getting overwhelmed
More than 22,000 new vulnerabilities disclosed in 2018.
https://www.riskbasedsecurity.com/2019/02/more-than-22000-vulnerabilities-disclosed-in-2018/
• IT is often reactive rather than proactive
70. Cyber Essentials – Where did it come from?
• Based on investigations into corporate compromises in 2014
• Identified the most effective controls to defend against commodity attacks
➢ practical to implement
➢ relatively straightforward to test
• Intended to be a first step in the journey to protecting your organisation in cyber space.
• Not intended to be a silver bullet for all forms of cyber attack
https://www.cyberessentials.ncsc.gov.uk/2017/11/27/a-brief-history-of-cyber-essentials
71. ICO – Guide to GDPR (Security)
We have put in place basic technical controls such as those specified by established frameworks like Cyber Essentials?
…
“A good starting point is to make sure that you’re in line with the requirements of Cyber Essentials – a government scheme that includes a set of basic technical controls you can put in place relatively easily.”
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/
72. Some Observations on Cyber Essentials
• Combining Technical Controls with Business Processes
• Getting a Handle on Vulnerabilities and Patching
• Common failings and problem areas
73. 2. Technical Controls with Business Processes
Is there a gap between policy and practice?
75. CRAB RANSOMWARE
Now in its fifth version, this file-locking malware continues to be updated at an aggressive pace. Its developers are constantly releasing new versions of it, with new, more sophisticated samples being made available to bypass cybersecurity vendors’ countermeasures.
https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom (Oct 2018)
76. 2018 Verizon Data Breach Investigations Report
"At least 37% of malware hashes appear once, never to be seen again"
https://www.researchgate.net/publication/324455350_2018_Verizon_Data_Breach_Investigations_Report
77. Technical Controls with Business Processes
Close the gap between policy and practice
Policy Life Cycle
• Identify Need
• Develop and Approve
• Publish
• Review and Maintain
78. Some examples of Cyber Essentials Questions looking for policy and/or practice
79. Firewall
A4.2 When you first receive an internet router or hardware firewall device it will have had a default password on it. Has this initial password been changed on all such devices? How do you achieve this?
80. Firewall
A4.6 If you do have services enabled on your firewall, do you have a process to ensure they are disabled in a timely manner when they are no longer required? Describe the process.
A4.5 Do you have any services enabled that are accessible externally from your internet routers or hardware firewall devices for which you do not have a documented business case?
81. Supported Software
A6.2 Are all applications on your devices supported by a supplier that produces regular fixes for any security problems?
• Can you answer this if you don’t maintain a software register?
• Can you answer this if your employees have local admin rights?
• Are you confident that old versions of software have been removed?
82. Users with Admin Privileges
A7.5 Do you have a formal process for giving someone access to systems at an “administrator” level? Describe the process.
83. 3. Vulnerabilities and Patching
more than 22,000 new vulnerabilities disclosed in 2018
Where to start?
84. Patching
A6.4 Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release? Describe how you achieve this.
A6.5 Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash) installed within 14 days of release? Describe how you achieve this.
Applies to: Servers, Computers, Laptops, Tablets, Mobile Phones, Routers and Firewalls
85. Vulnerabilities in scope for Cyber Essentials
For Cyber Essentials, we’re considering an attacker who had some technical knowledge, was sitting somewhere on the Internet, and was using what we called ‘commodity’ attack tools.
86. Vulnerabilities in scope for Cyber Essentials
• attack vector: network only
• attack complexity: low only
• privileges required: none only
• user interaction: none only
• exploit code maturity: functional or high
• report confidence: confirmed or high
87. e.g. Vector String from Microsoft
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0603
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
88. Looking back to June 2017
How would Cyber Essentials fare in protecting against NotPetya?
89. About half of MS Bulletins in 2017 are critical
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Patching for Cyber Essentials
90. Vulnerabilities patched in ms17-010
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
Base Score: 8.1 (Temporal Score: 7.3)
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0147
Vulnerability title                              | CVE number    | Publicly disclosed | Exploited
Windows SMB Remote Code Execution Vulnerability  | CVE-2017-0143 | No                 | No
Windows SMB Remote Code Execution Vulnerability  | CVE-2017-0144 | No                 | No
Windows SMB Remote Code Execution Vulnerability  | CVE-2017-0145 | No                 | No
Windows SMB Remote Code Execution Vulnerability  | CVE-2017-0146 | No                 | No
Windows SMB Remote Code Execution Vulnerability  | CVE-2017-0148 | No                 | No
Windows SMB Information Disclosure Vulnerability | CVE-2017-0147 | No                 | No
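The scope criteria on slide 86 can be applied mechanically to a vector string such as the ones on slides 87 and 90. The following is an added example, not from the presentation: a Python filter that parses a CVSS v3.0 vector, reports which metrics take a vulnerability outside Cyber Essentials scope, and computes the 14-day deadline from A6.4/A6.5 for anything in scope. The release date used for the MS17-010 run is constructed (the SecurityTracker entry date shown on slide 91), and the treatment of a missing temporal metric as out of scope is this example's own assumption.

```python
# Added example (not from the presentation): Cyber Essentials scope filter over
# CVSS v3.0 vector strings, plus the 14-day patch deadline from A6.4 / A6.5.
from datetime import date, timedelta

# Scope criteria exactly as listed on the slide, keyed by CVSS metric name.
CE_SCOPE = {
    "AV": {"N"},       # attack vector: network only
    "AC": {"L"},       # attack complexity: low only
    "PR": {"N"},       # privileges required: none only
    "UI": {"N"},       # user interaction: none only
    "E":  {"F", "H"},  # exploit code maturity: functional or high
    "RC": {"C", "H"},  # report confidence: confirmed or high
}
PATCH_WINDOW_DAYS = 14  # high-risk/critical updates installed within 14 days


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.0/AV:N/AC:H/...' into {'AV': 'N', 'AC': 'H', ...}."""
    prefix, _, rest = vector.strip().partition("/")
    if not prefix.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in rest.split("/"):
        key, sep, value = part.partition(":")
        if not (sep and key and value):
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics


def ce_scope_failures(vector: str) -> list:
    """Metrics that put the vulnerability outside CE scope (empty == in scope).
    A temporal metric that is missing or 'X' counts as a failure, since the
    slide lists only F/H and C/H (this example's assumption)."""
    metrics = parse_vector(vector)
    return [f"{k}:{metrics.get(k, 'X')}" for k, ok in CE_SCOPE.items()
            if metrics.get(k, "X") not in ok]


def patch_deadline(release_iso: str) -> str:
    """ISO date by which an in-scope update must be installed (A6.4 / A6.5)."""
    return (date.fromisoformat(release_iso)
            + timedelta(days=PATCH_WINDOW_DAYS)).isoformat()


def triage(cve: str, vector: str, release_iso: str) -> str:
    """One-line verdict: outside CE scope (and why), or in scope with a deadline."""
    failures = ce_scope_failures(vector)
    if failures:
        return f"{cve}: outside CE scope ({', '.join(failures)})"
    return f"{cve}: in CE scope, patch by {patch_deadline(release_iso)}"


if __name__ == "__main__":
    # MS17-010 vector quoted on the slide; the date is the SecurityTracker entry
    # date shown there, used as a stand-in for the release date (constructed).
    print(triage("CVE-2017-0147",
                 "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
                 "2017-03-14"))
```

Run against the MS17-010 vector the filter reports AC:H and E:P, which is why a literal reading of the scope criteria would not have demanded that patch; the asterisk against "Patch your computers" on slide 94 is the same point.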
91. Exploit Details
Security Tracker:
Updated: May 14 2017
Original Entry Date: Mar 14 2017
A tool named 'ETERNALBLUE' that exploits one of these vulnerabilities is publicly available.
[Editor's note: One of these vulnerabilities is being exploited by the WannaCrypt malware.]
https://www.securitytracker.com/id/1037991
92. Exploit details readily available
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147
94. NotPetya – Would having CE have helped?
One Attack Vector: Trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. CE ✓
Some Mitigations
• Patch your computers to stop the SMB exploits CE *
• Disable SMBv1 CE ✓
• Block outside access to ports 137, 138, 139 and 445 CE ✓
• Follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins. You'd be surprised how many outfits are too loose with their admin controls. CE ✓
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/
96. Renewing
Just resubmitting last year’s answers
Cyber Essentials is constantly updating based on new threats and a deeper understanding of the threat landscape
IASME have monthly webinars and an assessor forum for assessors to keep up to date on current guidance
97. Devices in Scope
A2.7 Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system version for all devices.
• Are all mobile devices still supported, updating the OS?
• Restrict which devices can access business data via cloud, e.g. Office 365
98. Devices in Scope
A2.9 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).
!! Remember routers and firewalls in home offices !!
99. Remote access to firewall config
A4.8 Are your internet routers or hardware firewalls configured to allow access to their configuration settings over the internet?
100. Software firewalls disabled
NCSC advise that having local firewalls on hosts will help prevent lateral spreading of malware throughout your organisation
Also protects devices brought outside your network perimeter
https://www.ncsc.gov.uk/guidance/preventing-lateral-movement
101. Admin users on Mac
Mac – all users have Admin credentials by default
Create standard privilege accounts for all users
102. Admin Users Browsing the internet
A7.7 How do you ensure that administrator accounts are not
used for accessing email or web browsing?
• Most malware is delivered by email or web downloads
• Only use admin for administrative activities, e.g. installing software or making configuration changes
• For patch downloads, ensure you’re accessing trusted links – not googling
103. Why might you use Cyber Essentials as your starting point?
• Clearly defined scope
• Framework for basic controls and procedures
• Deliberately prescriptive
• More thorough and complete than you might think
• UK standard to protect organisations from real attacks
• ICO recommend it
104. My Advice… Take Things A Step At A Time
Gaye Cleary
Information Security Consultant, Grant McGregor
gaye.cleary@grantmcgregor.co.uk
linkedin.com/in/gayecleary
139. Ransomware
• Moving to enterprise
• Much more targeted
• Greater potential damage, the greater potential return
• Ryuk specially targets high value systems
140. Chase the easy money
• Better defenses
• Better awareness
• Consumers mainly using phones/tablets
• Cloud back-ups
141. Back to stealth – Crypto mining
• Works in the background
• Quick return
• Infect the user OR the website
• Low barrier to entry
• IoT led bot net Cryptomining?
142. Supply Chain
• Compromise the developer/update
• Pushed to LOTS of users
• Trust
• Software often signed
143. Target lots of people at once
• Poisoned Chrome extensions
• Wordpress plug-ins
• Docker images
• Repositories
• Typo squatting
• Formjacking
• Immensely increase attack surface
146. The dream
• It has everything
• Poor security measures
• 70 million records exposed on S3 buckets (Symantec)
• No need to use an exploit
• Tools to search for exposed S3 buckets
150. It still works
• 76% of organisations experienced an attack in 2018 (IT Professionals Security report)
• Vary infrastructure
• Vary length of attacks
• Hosted infrastructure & Cloud to hide in legit sites
152. They are not going away
• One weak password can result in compromise
• Password reuse is killing us
• Collection 1 (and Collection 2-5)
• 2.2 BILLION passwords out there
156. Conclusion
• The more we know, the better we can prepare
• Attackers are ‘Living off the land’
• Infection rates correlate to human development factors and technology readiness
• Tactics will always adapt
157. Conclusion
• Use trusted sources
• Configuration
• Access Controls
• Be aware and act if suspicious
• Training
• Consistency
158. “Inconsistency is the biggest threat to an organisation. There are always groups inside a company that think what they do is too important, or too different, and will push for an exception. In 2019 leaders need to help their teams understand that exceptions create risk for the organisation.”
Jeff Brown, Vice President and CISO, Raytheon
160. Security by Design: Securing Entry Points across the Organisation
Jacob Cordran
Technical Director, SwarmOnline
@vuln_
161. Common vulnerabilities (yes, still)
Security by design (aka good habits)
Who/what are you protecting against?
What can the bad guys/bots see?
Securing entry points (incl. physical ones)
The value of collaboration
162. Information has a value
Often electronic; but not necessarily so
Everybody’s responsibility
Administrative, logical & physical controls
166. People and systems are fallible
Build in redundancy
Don’t rely on a single control
You already know how to do this!
167. Data breaches and security incidents are frequent
But do we truly learn from them?
Could the aviation industry teach us a lesson?
168. A culture of openness and sharing of information
Every incident is an opportunity to improve procedures
‘Just Culture’ ensures reporters aren’t penalised
184. Not just servers and databases
Individual PCs, laptops, mobile devices
Online services (email, file sharing, etc.)
In the Cloud and on-premise
Do you have an asset register?
186. Who is in your building right now?
Are they meant to be there?
Who can see your screen?
Lock it EVERY time your device is unattended
Challenge anyone you don’t recognise
187. You don’t need to be big to have written policies
Get ahead of the (mandatory) game
Less regulated = MORE responsibility!
Do the right thing regardless
Write your own
Be realistic
What are you trying to protect?
188. Ask yourself and your team awkward questions
Wear a hi-viz vest
Talk to others – think like an aviator
Be an (ethical) hacker
Be observant
Make security a habit
199. What to do
1. Treat cyber insecurity as a risk issue rather than compliance.
2. Expect to have a problem, and have a plan for your own personal Dido Harding day.
3. Focus on the basics
- know your network
- patch your network
- configure your network
201. What we do
We make it quick and easy to improve cyber security posture
202. What we do
Get well plans, peer rating, performance trends, expert help
203. What we do
Get well plans are tailored to your business
206. What we do
Automate Cyber Essentials Plus certification
There are probably no more than 2,000 organisations in the UK with Cyber Essentials Plus
- 5 yrs
- 22,000 certifications
- 4,000 (20%) CES Plus
The current scheme is broken
- Difficulty (scale vs ignorance)
- Logistics
- Quality
- Perceived lack of value
We need to remove the barriers to Cyber Essentials Plus adoption
- Automation
- Increased quality and consistency
- Self-service
- Lowered costs
- Demonstrable business value
Success factors
- Assurance
- Confidence
- Value
- Legacy
207. About Us
• Formed in 2014
• Directors from QinetiQ/Cheltenham
• Based in Tewkesbury
• 45 staff
• Professional Services
• CyberScore™