wax switch

Upload: prof-john-walker-fbcs-cism-crisc-citp-itpc-frsa

Post on 16-Jul-2015

LEADING COMMENT

It is about time companies/country leaders took ownership of their high risk activities. We seem to live in a collective ‘denial-of-the-obvious’, despite all the warnings and the many facts that seem to exist!

Senior Information Security Professional 27/10/2014

Denial

SIT-REP 14

Dublin comment 2014: At the Breaking Down the Silos ISACA event in Dublin in 2014 the following question was put to over 280 delegates:

‘Do you feel your organisation is secure from Cyber Attack’ - The response was = 0

A response which is reflected in many other circumstances – including the Forensic Science event held in February 2014.

QSA Comment: When a QSA was asked why a site could be assessed as secure when it had clear and proven high risk vulnerabilities, they responded:

‘Because that part of the associated security vulnerabilities are not included in the scope of the assessment’

Oil Industry Comment: When asked why their Cloud Providers were not subjected to in-depth Due Diligence, the response was as follows:

‘Because we engage with low cost providers, and cannot expect robust security’

EXAMPLE 1 – BANK of England-20/10/14

The Bank-of-England [BoE] outage occurred on 20/10/14 [the start of Get Safe Week!] when it was decided to take down the CHAPS Payment System. As you can imagine, for such a critical system the impact on ordinary people and businesses was significant, if not in some cases devastating.

Was it caused by: a. A Security Event, b. A badly applied change, c. Component Failure, or d. Something else?

Question: Whatever the cause, are such impacts on a Critical System tolerable in 2014 – 15 – 16 . . ?

As an open observation, anyone practised in the art of OSINT will notice that, notwithstanding great initiatives such as Waking Shark and Waking Shark II, the BoE does suffer high degrees of Data Leakage which has been proven to be exploitable – which for such a core and prestigious institution is worrying!

And would you believe it if you were to learn that a UK core bank has suffered a security breach which saw it connected back to Chinese Servers [.com.cn] from a Core Switch, along with Remote Access potentials – I know – it could never happen!

EXAMPLE 1 + DATA LEAKAGE & OSINT

As an example of what titbits are made available to passers-by – take a core bank which, as of 28/10/14, was publicly exposing:

a. 122 internal PC’s
b. User associations [e.g. Andrew G****]
c. 71 associated servers and IP
d. Bank Tree listing Authorised Users + 20 other servers
e. 11 associated domains
f. 19 pptx files with varying amounts of Meta Data
g. 100 xls [as above]
h. 89 xlsx [as above]
i. Plus multiples of Word and PDF’s – insecure, and with variable security
j. Track Changes still in place in some documents – revealing hidden content
k. 60 + email addresses [some with .gsi.gov extensions]
l. Internal Extension Numbers associated with personalities
m. 250+ O/S types including NT 4.0, XP, Server 2003, and Windows 7

All very useful intelligence for the off-line attacker to use as Footprinting and Social Engineering material.

Lite-Touch Exploitability was tested – and Proven

BANK CLOSURES

Example – October 2014 - Lloyds to close 200 branches in the UK, drop 9,000 jobs – and all with the prospect of moving services to On-line, and offshore.

We are now clearly in the grip of the ‘Digital Channel’, and as one senior banking expert commented – ‘We will see a very Different shape for banking of the future’.

2020 > Dependent on Technology, Dependent on Complexity, Dependent on the Internet, and as may be inferred from the BoE debacle we should expect issues.

In the new age of Digital Banking, may one assume that the Industry of Cyber Criminality will continue to evolve?

Will 2020 be the age of ‘EoL’ – Everything-on-Line?

EXAMPLE 2 – USA 9/11/10

As amazing as it may seem – one lone engineer changing over a piece of equipment on 9/11/11 managed to black out 5 million homes in Southern California, caused chaos to flight traffic and road transportation, and resulted in Nuclear Reactors having to be closed down.

EXAMPLE 3 – SAMBA SHARE 2010 - BANK

Another UK Bank – this time the exposure was the result of over-inflated profiles [e.g. Senior Security Consultants] combined with a complete lack of technical security.

Notwithstanding that the Bank ran in-depth external and internal Penetration Testing, they and their Third Party Providers failed to notice that 80% of the Bank’s financial traffic was passing via an unsecured SAMBA Environment!

The same Bank, under the stewardship of the same Senior Security Consultant, had accidentally migrated PCI-DSS data into a Cloud environment [which could not be backed out].

This same Bank had also lost over £50m to what they referred to as an Unknown Transaction – the funds simply were not accounted for!

As I said, this is a UK Bank!

EXAMPLE 5 – UTILITY ‘GAS’ COMPANY - 2014

In the utility arena – take the large Gas Utility Sector Company who regularly suffer unauthorised incursions, successful Phishing Attacks and Malware, and have an internal LAN environment which exposes systems and data to theft and compromise.

This same company breaches the Data Protection Act by allowing access to Personal Data, fails to meet the requirements of PCI-DSS, and does not have any standards which underpin robust security – they are wide open.

With the break in contracted relationships with their Third Party Supplier, Malware Infections, suspicious creation of Privileged Accounts, and other such security-related events are processed via ITIL and will be detected and responded to up to 30 days post the incident!

This is a UK Plc

And when it comes to Smart Meters, Connected Homes, and their associated Cloud environments!!!! And some of these organisations have won BCS awards in 2014 – Clearly Security is not an issue!

BRING YOUR OWN DISASTER – 2014 STYLE

Many examples of doing it wrong:

a. Not considering the Legal Implications [Lawyers]
b. Ineffective Controls [Oil & Gas]
c. BYOD by Evolution and not by Authority
d. BYOD and the Office Public AP
e. BYOD and Policies
f. BYOD and Acceptable Use Policies
g. Disposal/Sanitisation Policies
h. Employee Exit Process
i. Data Classification

And sometimes forgotten, but very much connected with BYOD is the element of Communications . . .

THE SECURITY INDUSTRY - 2014

When I was Chair of a Security Event some two years ago I discovered that the Access Point was Hacker-Engineered and Compromised. Having informed the Delegates, I noticed that in most cases it made no difference – they continued to use and surf!

But then, when attending another this year, whilst I was listening to a presentation on the Subject of PCI-DSS and Compliance, I noticed that some Delegate systems were attached to the Hotel AP and looked a tad insecure – I looked, proved, and stopped.

Conclusion: Time for some to eat their own dog food [Sorry]

DDoS - 2014

The tool that has proven to be the attacker’s choice for a sustained period. Growing in power, and put to imaginative use to underpin Cyber Attack or other points of leverage – e.g. Cyber Extortion.

Did you know that on 28/10/14 Global DDoS were running at 67% of what is accepted as the seasonal/time norm – examples over a 24 hour period:

Taiwan = 61
New Jersey = 7
California = 153
Brazil = 27
Dominican Republic = 1
Guatemala = 1
El Salvador = 2
Belize = 1
New York = 16
Indiana = 52
Belgium = 4

CRIMINAL CURRENCY of CHOICE - BITCOIN

When we consider the Age of Cyber Crime, we also need to consider the currency – enter Bitcoin.

STANDARDS ARE DOMINANT - 2014

Standards are Dominant – followed to the letter in some cases, but they do not equal SECURITY

And some get overlooked! ITA 2000

CYBER WARFARE & CYBERCONFLICT

Statement by a CPNI Agent some 7 years back:

The Cyber Risk is over-hyped!

FAILING INNOCENCE

Very few organisations understand or recognise their legal obligations when dealing with Paedophilic Materials and Discoveries relating to Child Abuse Images – lacking Procedures, Processes and Policies, and thus on occasion exposed to being culpable of Criminal Acts – FACT.

AUTOMATION – IN WE ‘WE’ TRUST

When I worked for GM in 1999, I attended a meeting which was introducing a new on-board car computer system – I asked if they had considered security? Had it been evaluated? And I proposed we consider an on-board Firewall! – The response was:

‘Who is the security nutter?’

Automation also tends to be driven by factors which can and do forget security!

REAL IMPACT - THE COMPUTER AGE

Yerkes & Dodson Law

THANK YOU