
CSF18 - Guarding Against the Unknown - Rafael Narezzi


  1. Cyber Security: Guarding Against Unknown Threats. "Short-term benefits of static security controls do not scale well with the long-term consequences of adaptive attack vectors!!" Dr. Gregory Epiphaniou
  2. Rafael Narezzi, Cyber Defense Strategist. A specialist in cybersecurity with more than 20 years of experience. Rafael Narezzi works with the financial sector, where data security is paramount. He is the Chief Technology Officer (CTO) at 4cyberSec, where he works as a Senior Advisor providing end-to-end security at C-suite level, and lectures on the MSc Cyber Security at West London University. Rafael is based in London, UK, holds a master's degree in forensic computing, cybersecurity and counter-terrorism from Northumbria University, and has now started his PhD in Cyber Security at Wolverhampton University. https://www.linkedin.com/in/narezzi/ Global speaker:
     - London 2017 – ISMG Summit
     - Amsterdam 2017 – Unleash the Cyber Security
     - Prague 2018 – Cyber Central
     - Brazil 2018 – Febraban
     - ELITE EU CISO Summit Portugal
     - London REGEX Summit Fintech Cyber Security 2018
     - Brazil 2018 – Cyber Security Summit
     - Singapore 2018 – Cyber Security Summit
     - London 2018 – ISMG.io – Cyber Security
     - London 2018 – Enterprise Cyber Security
     - Berlin 2018 – Cyber Security
     - Brazil 2018 – ATM18
  3. Board after a breach, looking for answers. It is not a question of if an attack will come, it is when; or maybe it is already happening. The time frame to recognise an attack is 99 days.
  4. Has the CISO become a tick box?
  5. Has the CISO become a tick box?
  6. Cyber Security = Very Stressful Job. World Economic Forum: Cyber-Attacks Third Most Likely Global Risk in 2018
  7. Motivation
     - "The cybercrime economy has now become a kind of mirror image of contemporary capitalism." Dr McGuire
     - "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." Sun Tzu
  8. CyberCrime as a business
     - Cybercriminals can cash out with an ROI of almost 1500% for each 1 USD
     - 80% of hackers work with or are part of an organised crime group (*2014 study, RAND Corporation)
     - 1 – Highly organised; 2 – Working as a group around the world; 3 – Creative (high skills); 4 – Very objective; 5 – Very profitable (high profitability, business approach)
     - Financially-driven motivation is the single biggest driver of cybercrime
  9. CyberCrime: 1 – Very organised; 2 – Working as a group around the world; 3 – Creative; 4 – Very objective; 5 – Very profitable $$$. Normal behaviour across the board? "This won't happen to us! Who wants to hack us? Why? We are nobody! It costs too much!" Are we changing now? Question: who in the audience has an incident plan now?
  10. 10. World Economy
  11. GDP (PIB) vs Cybercrime. "GDP Doesn't Work In A Digital Economy" – The Wall Street Journal. "Cyber Crime Costs Projected To Reach $2 Trillion by 2019" – Forbes (+-1.5%)
     - The true size of the 2016 digital economy is US $11.5 trillion globally, that is, 15.5% of global GDP. This is roughly three times larger than traditional measurements.
     - The digital economy is 18.4% of GDP in advanced economies (ranging from 35% to 10% of GDP) and 10% in developing economies (ranging from 19% to 2% of GDP). The U.S. has the largest digital economy at 35% of GDP.
     - The global digital economy almost doubled between 2000 and 2016, growing 2.5 times faster than global GDP over this period. China's share has tripled, from 4% of GDP in 2000 to 13% in 2016.
     - During the past three decades, every dollar invested in digital technologies added $20 to GDP on average, 6.7 times higher than non-digital investments, which added $3 for every dollar invested.
     - Assuming current growth rates of digital investments over the next 10 years, the report estimates that by 2025 the digital economy will be $23 trillion globally, or 24.3% of global GDP.
  12. CyberCrime vs CyberEducation. Cybercrime revenues: $1.5 trillion
  13. CyberCrime vs CyberEducation. "Cyber education" maturity is not at the right level, and regulators are forcing companies to change and adapt through regulation. Companies are being forced by regulation to beef up their security, but what is the rationale behind it: how much do you believe in such a thing as cybercrime? However, wouldn't that by itself be a good motivator for adversaries to intensify their efforts? On the other hand, we might be creating a weaponisation of the GDPR or other regulations against your business: who would be the first business to go under because of such severe consequences? GDPR could become the new ransomware, where "chantage" becomes the way to extort money, with the 72-hour notification window adding to the pressure. "Chantage" (French word) = the extortion of money by blackmail. September 2018 - https://www.euractiv.com/section/cybersecurity/news/companies-may-try-to-bypass-gdpr-fines-by-negotiating-with-cybercriminals-europol-say/
  14. Are you negligent?
     - Business strategy
     - Cyber security is everyone's responsibility!
     - Cyber resilience
     You need to be aware and awake; otherwise your business, and everyone in it, is negligent and the business could turn from profitable to loss-making! DLA Piper paid 15,000 hours of IT overtime after the NotPetya attack: https://www.itnews.com.au/news/dla-piper-paid-15000-hours-of-it-overtime-after-notpetya-attack-490495
  15. Equifax case. Maturity level to deal with a breach? -35.19%. 146 million people, 99 million addresses, 209,000 payment cards, 38,000 drivers' licenses and 3,200 passports. https://www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/
  16. WannaCry successful? Should we consider this as a test on the world? Yes, it is 2018 and Boeing has been hit with WannaCry.
  17. WannaCry lessons: learned? After this incident, have we learned the lesson? Yes / No?
  18. Patch management becomes a problem. Constantly evolving systems are hard to secure, as security testing on them becomes more complicated. Availability vs patch management: "Microsoft disables 'buggy' Intel patch. Software caused many machines to reboot or shut down and Intel later told people not to install it." BBC News UK
  19. BioHacking / Ransomware? "Ransom to keep you alive." Almost half a million pacemakers need a firmware update to avoid getting hacked. The FDA estimates that 465,000 vulnerable devices have been implanted in patients in the US. Hackers could use "commercially available" equipment to change the devices' programming. Researchers found that pacemaker programmers could intercept the device using equipment that cost anywhere between $15 and $3,000. "Black Hat hacker details lethal wireless attack on insulin pumps" https://www.extremetech.com/extreme/92054-black-hat-hacker-details-wireless-attack-on-insulin-pumps
  20. HARDWARE hacking. More attacks on hardware are coming in the future; the sad reality is that patching hardware is much more difficult than patching software, and in some instances you might need to replace the complete system.
     - 1969: Core memory worst-case noise
     - 1994: Pentium floating point error
     - 2005: Cache side-channel attacks
     - 2015: DDR3: RowHammer
     - 2017: Meltdown, Spectre
     - 2018: AMD flaws
     - 2018: Glitch (Android)
     - 2018: "At risk" to eight new Spectre-style flaws
     - More to come
     The threat landscape is increasing significantly, turning hardware into the new trend for attacks (Meltdown/Spectre); 2018 could become the year in which hardware is exploited, and most businesses could not afford to replace all of the hardware infrastructure affected by one of these exploits.
  21. Risk acceptance. It is important to highlight how cybercrime has created its own economy, from simple exploits to advanced attacks, feeding on the unknown and on individuals' lack of knowledge.
  22. Total protection is impossible. "Some attacks will get through. What you need to do [at that point] is cauterise the damage" and keep running/up. Reputation damage costs more than an investment in cyber security, and that is without considering other vectors. Embrace for the impact.
  23. "We're not training you to fight. We're training you to be peaceful and awake and avoid fights. But if you have to get in one . . . and I guess the philosophy is also that if you're competent at fighting, that actually decreases the probability that you're going to have to fight, because when someone pushes you, you're going to be able to respond with confidence. And with any luck, and this is certainly the case with bullies, with any luck any show of confidence, related to a show of dominance, is going to be enough to make the bully back off. And so this strength that you develop in your monstrousness is the best guarantee of peace." - Jordan Peterson. Action point – Martial Arts
  24. Embrace for the impact
     - How cyber weapons create the hackers' playgrounds (WannaCry and Petya), and how those become a stock market controlled by cyber criminals.
     - "Snowden Leaks $52 Billion Intelligence Budget, Reveals 'Offensive Cyber Operations'" https://techcrunch.com/2013/08/29/snowden-leaks-52-billion-intelligence-budget-reveals-offensive-cyber-operations/
     - GCHQ and the Ministry of Defence, UK, said: "Offensive cyber will be an increasing part of the UK's security toolkit."
     - Could WannaCry be considered a military exercise to test the defence systems around the world?
     - "Microsoft hits out at US government 'stockpiling' of cyber weapons" https://www.ft.com/content/5540194a-38fe-11e7-821a-6027b8a20f23
     - "A new cyber weapon may be targeting GPS signals" = food chain affected? https://www.newscientist.com/article/2143499-ships-fooled-in-gps-spoofing-attack-suggest-russian-cyberweapon/
  25. Cyber threat intelligence. Why thinking like your enemy is a valuable strategy for your business and for your cyber security portfolio.
  26. Embrace for the impact
  27. Embrace for the impact
  28. Embrace for the impact
  29. Embrace for the impact: Doxxing, Ransomware
  30. Data. The use of the media as a weapon of mass psychological destruction = data. "Weapons of Mass Psychological Destruction and Who Uses Them" by Larry C. James Ph.D., Terry L. Oroszi Ed.
     - Cyber psychology weapon
     - Machine learning
     - Weaponising data against economies = altering the path = hacking
     - Facebook is now offering the first data-leak bounty
     - GDPR / Australian data protection regulations
  31. Motivational question: it is not when your business will get hacked! The question is how available, how prepared in handling a crisis and how mature is your business?
  32. 32. Hong Kong Monetary Authority
  33. Lessons. HKMA's Cybersecurity Fortification Initiative (CFI) has three main elements:
     - i. Cyber Resilience Assessment Framework – includes an inherent risk assessment, a maturity assessment, and intelligence-led cyber-attack simulation testing (iCAST);
     - ii. Professional Development Programme – seeks to increase the supply of qualified cyber-security professionals in Hong Kong; HKMA is working with the HK Institute of Bankers and the HK Applied Science and Technology Research Institute (ASTRI) to develop a localised certification scheme and training programme for cyber-security professionals; and
     - iii. Cyber Intelligence Sharing Platform – seeks to provide an effective infrastructure for sharing intelligence on cyber-attacks; being set up by the HKMA together with the HK Association of Banks (HKAB) and ASTRI.
     **Regulate data sharing as a fundamental component of the risk reduction process.**
  34. At a glance
     - Microsoft spends 17.4 billion USD on marketing/sales vs 2 billion USD on research to fix bugs or vulnerabilities.
     - NSA: a $52 billion intelligence budget reveals "offensive cyber" spending to find zero-days or "cyber weapons". Bug hunters for legitimate sources, though, aren't compensated anywhere near what black hats are for a zero-day vulnerability.
     - Companies and organisations can be fined the higher of €10,000,000 or 2% of global turnover, and depending on the violation it could exceed €20,000,000 or 4% of global turnover. Yes, you guessed right: GDPR is coming...
  35. At a glance
     - Microsoft spends 17.4 billion USD on marketing/sales vs 2 billion USD on research to fix bugs or vulnerabilities.
     - NSA: a $52 billion intelligence budget reveals "offensive cyber" spending to find zero-days or "cyber weapons". Bug hunters for legitimate sources, though, aren't compensated anywhere near what black hats are for a zero-day vulnerability.
     - Companies and organisations can be fined the higher of €10,000,000 or 2% of global turnover, and depending on the violation it could exceed €20,000,000 or 4% of global turnover. Yes, you guessed right: GDPR is coming...
     "However, wouldn't that by itself be a good motivator for adversaries to intensify their efforts?"
  36. Summary. Conclusion: investment in cyber security is still weak. The front line will always demand humans, mainly because the attacks come from humans and are designed to break security, including any machine learning (which helps us identify attacks faster). Only a professional can help with the plan, with closing the gaps identified in a risk matrix, and with the decision on tools, which should be the professional's choice weighed against the company's gaps. Fighting cyber threats: implementing cyber information sharing. Cyber threat intelligence sharing must be made an acceptable daily risk for all organisations actively engaging in cyber operations. Adapting cyber defence quicker than attacks evolve is an open issue linked to our inherently static controls.
  37. Homework
     1. Has the business understood and addressed the relevant legal and regulatory requirements?
     2. Is there a clear risk-management process in place, with appropriate ownership?
     3. Does the business have a clear inventory of its information assets?
     4. Have third parties/outsourced operations been considered?
     5. Is the business prepared for a cyberattack?
     6. Who owns cyber risk within the organisation?
     7. Who manages cyber risk within the organisation?
     8. Does the board receive regular briefings on the organisation's cyber risk and security posture? (Does the board want to be aware?)
     9. Has the organisation demonstrated an ability to detect and respond to both internal and external incidents?
     10. How is the level of exposure communicated up to the board?
  38. Critical thinking to share for answers?
     - Constantly evolving systems are hard to secure, as security testing on them becomes more complicated
     - Cyber threat intelligence sharing must be made an acceptable daily risk for all organisations actively engaging in cyber operations
     - Patch management is still an open issue for cheap devices
     - Ransoms in bitcoins can turn cryptoviral extortion software into a "stock exchange market" regulator controlled by cyber criminals
     - We must bridge the gap between cyber decision-making needs and cyber decision-making capabilities
     - Regulate data sharing as a fundamental component of the risk reduction process
     - Resilience of cyber-physical systems is more important than confidentiality
     - EDoS attacks in the cloud are the new shifting paradigm in violations against availability
     - Adapting cyber defence quicker than attacks evolve is an open issue linked to our inherently static controls
  39. Homework, expanded
     - Has the business understood and addressed the relevant legal and regulatory requirements? Cyber attacks can expose sensitive data held by businesses; this could be employee, customer and/or supplier data, potentially placing a business in breach of its contractual duties, duties of confidentiality and duties of care to third parties. Businesses may be required to investigate breaches and to notify regulators, law enforcement agencies, business partners and other people affected; or to implement major changes to their business systems and operations; or may be dragged into litigation. This is a complex area of regulation, but there should be a robust understanding of the relevant data protection and privacy laws, such as the EU General Data Protection Regulation.
     - Is there a clear risk-management process in place, with appropriate ownership? This concerns the business ownership of the risk at an appropriate level of seniority (and an acknowledgment that this is not just an IT issue) and ensuring that processes are in place for managing the risk to an acceptable level. The risk management process should also be the primary mechanism for supplying the board with relevant information, such as possible financial penalties for data losses, to enable the board to determine the level of risk the business can afford to take.
     - Does the business have a clear inventory of its information assets? The board should fully understand the type and sensitivity of the information the business holds so that it can put in place appropriate arrangements for its security and for its handling or transmission to third parties. Larger businesses should strongly consider compiling an information asset register.
     - Have third parties/outsourced operations been considered? Management of cyber risks should also entail an understanding of how the business deploys third parties or outsourced operations. This requires an understanding of the business data to which third parties have access, and then addressing risk through a number of different means, although primarily it is critical to set clear expectations with third parties at the outset of the relationship. In addition, robust due diligence should be incorporated into contracts/agreements, including provisions for assessments/audits, certification of controls and reporting of critical security metrics.
     - Is the business prepared for a cyberattack? This is about the ability of an organisation to detect and respond to a cyberattack, and then to return to business as usual. This is an important measure of business resilience, and it is therefore important that these arrangements are tested regularly to give the board confidence that they will be effective when they are needed.
