Cyber Security - awareness, vulnerabilities and solutions

  1. Unifying the Global Response to Cybercrime Cyber Security – awareness, vulnerabilities and solutions Prof. Manel Medina Scientific Coordinator of APWG.eu Founder of esCERT-inLab-UPC Director MSc Cybersecurity – UPC-Talent manel@apwg.eu – medina@escert.upc.edu
  2. Content • Awareness – Threats to IoT/ICS/SCADA, CIIP: • CPS, Protocols, supply chain, dependencies – Threats from IoT: • DDoS, cascade effects • Vulnerabilities – Resilience of IoT platforms: • Access control, identification, back doors, malware… • Solutions – Response to cyber-attacks: • Recovery, Restore • Conclusions
  3. AWARENESS 3
  4. 4
  5. Threats to IoT: Who? • Script kiddies: no money interest, no professionals, repeated errors. • GrayHats: shared criminal and non-criminal activities. Spammers spread any kind of emails • Blackhats: experts, toolkits, business models, unique and novel • State-sponsored: economic and security interest. Technical • Hacktivists • Leaks: criminals that have patience and technical expertise. Wait years to rob the information they want. Apply to industry and government. Regional business.
  6. Threats to IoT: Why? • Script kiddies: Show their skills and our weakness. • GrayHats: 3rd-party services: political, social, cultural • Blackhats: Economics • State-sponsored: Steal strategic information • Hacktivists: same as above • Leaks: criminals that have patience and technical expertise, wait years to rob the information they want. Apply to industry and government. Regional business
  7. 7
  8. Tendencies: long term Cyber-war • Cyber-guns: Hacking Team • Department of Defense Concludes Three-Weeks of Cyber War Games http://bit.ly/1uLsdsS http://bit.ly/1eGaGPA • Cyber attack on U.S. power grid could rack up $1 trillion in losses, study says - SC Magazine http://ow.ly/PmQyO • 3 dangerous habits that make companies less #cyber secure: http://lmt.co/1Ga2v7w #GartnerSEC (by @LM_AngelaHeise) • How Secure Is Your Small Business? 5 Tips to Protect Against Modern Cyber Attacks. by @jcmason http://entm.ag/1Af8Cbu via @Entrepreneur • Cibercrimen: https://www.amazon.es/CIBERCRIMEN-Manel-Medina-ebook/dp/B010GJOUDM
  9. Threats to IoT: What? • CIIP: IoT/ICS/SCADA: – CPS, – Protocols, – supply chain, – Dependencies of IoT from service providers • Defcon conf.: hacking an electronic wheelchair or bluetooth lock from a quarter-mile away • Hack a real car • Intercept flying airplane communications 9
  10. Threats to IoT: What? 10
  11. Threats FROM IoT: What? 11 • 6.8B devices • 20 B by 2020 • 50 families • 3 attacks in 3 weeks • Just PoC
  12. Threats FROM IoT: What? • DDoS: – Authentication – Malware – Protocol bugs • Cascade effects – supply chain, – Dependencies of CI from IoT 12
  13. VULNERABILITIES 13
  14. Who do we trust? 14 • 90% of incidents start from inside the organization – Spear-phishing – Ransomware – Lack of skills or capabilities – Lack of awareness – Human Errors • Internal Audit: Readiness
  15. So, what? Cybersecurity life cycle 15 • Plan: – Goals, Strategy, Timeframe, Resources • Do: – Assets, Threats & Vulnerability identification – Risk Analysis (evaluation), Management • Check – Measure: people, cybersecurity tools, – Monitor: network, CPS, behaviour • Act: – Response, Recovery, Restore, (minimise impact) – Learn, Report (internal & external), Review/update
  16. External support 16 • CISO – Business aware • External providers – Learn from others’ errors – Intelligence information – New Attack patterns
  17. SOLUTIONS TO CYBER ATTACKS 17
  18. Cooperation & coordination Plan • Risk & impact evaluation & analysis • Personnel roles & responsibilities • Cooperation opportunities & covert channels • Plan cyber-exercises & training. • Document lessons learnt • Schedule plan’s updates.
  19. Risk Management: Resilience • Impact on Organization’s mission: Business continuity – Identify areas of risk – Incident response capabilities • Risk tolerance: Regulatory environment • Budget: ROSI, implementation Phases, priorities • Policy adoption & Procedures implementation. – Early Detection – Quick response – Identification & selection of controls 19
  20. Risk Response Strategy • Probability: – Avoidance, – Perimeter, – Training, – Readiness, – Resilience. • Impact: – Detection, – Mitigation, – Response, – Recovery • Risk Acceptance & Transfer 20
  21. Resilience Assessment Summary • Where: Available / Collectable data • What: Scope: Scenario (set of assets) • How: Time-frame: rigorousness, meaningful. • Aim: Co. Social responsibility: risk culture • Who: Compliance & sectorial regulation • When: Changing environment: external (hacktivism), internal (infrastructure, asset values), growth, customers sensitivity 22
  22. Roadmap 2018 • Cybersecurity culture: raise awareness • Risk measurement and analysis • Protection: risk reduction and impacts mitigation • Detection and management of events • Collaboration and coordination • Research, Development and Innovation • Continuing and efficient training and education 23
  23. Short-term corporate strategy • Cyber-Responsibility: – Cyber-risk – Cyber-trust – Cyber-insurance – Hiring of cyber-security profiles • 3 levels education – Corporate management – Cybersecurity management and operations – ICT Operations – Final end-user
  24. Education and awareness Continuous training Official DEGREE LE Operations and maintenance (on-line, in-house) Continuous education (PsG) SME Operations (capsule, education module) Experts (MSc) Shared (or not) responsibilities: - Data Protection Officer - Chief Information Security Officer - Intelligence Officer - Information Systems Auditor - Computer Sec. Incident Coordinator - Data breach communication advisor - Operation… - Training…
  25. CORPORATE PROTECTION TOOLS & STRATEGIES 26
  26. 5 essential cybersecurity measures • Perimeter: Firewall & gateways • Safe Configuration • Access Control • Anti-malware Protection • Patch & updates management
  27. Best practices in IoT cybersecurity • Back-up data and configuration choices • Protect programs and data with e-Signature or hash • Documents Mid-Long term Archive • Anti-DDoS • User and devices Access Control • Access & operations: logs & warnings • User & ICT staff training & awareness
  28. 29 Recommendations • Review network infrastructure and ICT policy • Foster internal capacity building • Take any guidelines or collective recommendation • External consultants to identify planning • Establish secure communication channels with team(s) of incident coordination • Establish cooperation agreements cyber security management and incident response • Get some certification / audit
  29. external help: Cyber-guards • Capability to – mitigate / recover • Private vs. Public: – Incibe – CERT_SI – CESIcat – CERT.EU – … – esCERT.UPC 30 European CERT (?) n/g CERT Sectorial CERT Industry n/g CERT Sectorial CERT SME n/g CERT CIIP CERT CI ENISA  user ->CPD -> SOC -> CSIRT -> CERT
  30. Final remarks • Legal requirements: – Risk analysis – Incident reporting • Self-protection: – internal controls – Use safe devices – Update software and passwords • Provide evidence of: – capabilities – good practices – External audits • Subcontract external experts
  31. QUESTIONS (& ANSWERS) Thank you very much for your attention! Prof. Manel Medina Scientific Coordinator of APWG.eu Founder of esCERT-inLab-UPC Director, Master in Cybersecurity – UPC-Talent manel@apwg.eu – medina@escert.upc.edu 605 284 388