Presentation on theme: "Before we start - if you found a USB drive in your car park or in your driveway What would you do with it. 50% of people would plug it in and 80% would."— Presentation transcript:
Before we start - if you found a USB drive in your car park or in your driveway What would you do with it. 50% of people would plug it in and 80% would plug it in if it had some type of logo on it
Why Cyber criminals are smarter than we think they are! A study on future crime and how we can stop it
Technology = advantage Business uses Technology to gain an advantage over their opposition or competition. Advantage through better management or the use of cutting edge ideas. The bad guys, the criminals and cyber criminals, have already developed ways to use technology well before it has been released to the general public. or is it? Business and users are always playing catch up. Business and users are always reactive
Linear vs. Exponential growth Technological growth is not linear, it is exponential
Linear vs. Exponential growth So 30 years since the introduction of the internet as a linear time line is equivalent to more than 10,000 years exponentially growth in technology. 30 linear steps is here to the door, 30 exponential steps is here to the moon The reason for that growth. Technology builds on technology, information and systems. Anything available at the time.
The Apollo Landing Speaking of the moon - The whole of NASA at the time of the first moon landing had less computing power than a single IPhone 4
Crime is exponential as well. In the old days it was Mano au Mano - one person stealing from one person. We then added stage coaches, trains and banks one person stealing from a number of people. The Sony hack in 2011 was one person stealing from 70 million people.
Mobile phones and pagers Mexican drug lords with their own complete mobile phone system
That was the normal criminals and terrorist what about the cyber criminal
Android Phones September 2008 released to the world on HTC’s Dream People started Download banking apps from the android market The android market went live at the same time All were fake! In the first month 50,000 banking apps were downloaded
Flashlight Apps Both android and IOS 75% have a malware component Seems to be the easiest to get through the vetting process Why do you need a location service for a light?
Stuxnet - a virus / worm designed to cross the interface between normal business systems and access low end command and control systems, believed to have been produced by CIA and Israel. Duqo and flame followed - derivative of stuxnet but changed, encrypted payload and no longer targeted at specific types of computers The problem with these types of attacks, once in the wild they are very hard to control.
Spear phishing attacks are laser guided - the RSA hack is a classic example it was specifically targeted at a specific group of 5 people. Low tech works just as well QANTAS lounge, coffee shop
Diverse IT In 2011 Diverse IT, a domain and website hosting company were hacked. 30 Minutes from total control to loosing everything. They didn’t see it happening and once they did they had no control – they lost everything.
http://www.youtube.com/watch?v=4ErEBkj_3PY Vijay Kumar: Robots that fly (the TED presentation) Now Criminalise Them
The ability to download hacking tools means that a determined 12-year old with some basic computer skills can become a successful hacker. For the more advanced, there are cyber crime black markets that sell personal data, credit card information, tools, passwords, and successful exploits. Criminals can rent “bot-nets” from the cyber- criminal underworld or even purchase complete online stores to collect personal information or to sell bogus products
An Example For $4000.00 you can purchase a malware / spyware creator, all packaged up. You have to be able to speak and read Russian and be willing to have a criminal check but it comes with everything you need to be a cyber criminal including a guarantee and 24/7 tech support.
This is a competitive market, with price wars, guarantees, and special offers. Hacking has become a big business, not only because the Internet is now “where the money is,” but because most networks, despite claims to the contrary, are inadequately defended.
These are script kiddies – using predefined systems, software and information created by others to attack people on the internet. They are a serious problem! Because of them everyone who uses an internet facing system is vulnerable – mobile phone, tablet, computer, cloud based systems
A bigger problem is the real bad guys, the “black hats”. The real hackers. The ones that actually know what they are doing and have ways of getting round security and destroying your business, stealing your money and compromising your identity.
A criminal organisation in the Ukraine set itself up as a marketing company: Selling software and websites – malware infected They are so sophisticated that in 2012 Only 5% of the people knew they were doing something illegal Generated 500 Million Euros in revenue Had all of the correct staffing including a call centre Legitimate offices and payed taxes
That was then, what about the future? The bad guys are smart The bad guys are persistent The bad guys are well educated in computer systems The bad guys are developing more and more sophisticated ways of gaining access to your systems and information
How do the bad guys gain access? They use Viruses, malware, spyware, ransom ware, RATs and focused hacking attacks They have sophisticated command and control systems Use and create Bot nets They use sophisticated encrypted comms systems Rent cloud space, super computer cycles and bot nets – with a stolen credit cards of course Paid in Bit coins Everyone is a target If that doesn’t work they use social engineering and Industrial espionage – usb in the car park
What do they want They want your Money They want everyone's information – staff, users, management, clients. They want your Ideas and Intellectual Property
Once they have it they trade the information with their illegal friends – the Black market A confirmed credit card number, with name and security code will net anyware from $20.00 to $350.00 each depending on number and viability.
The cost to everyone 2 trillion dollar industry – world wide There are unaccountable number of lives destroyed The actual loss of intellectual property cannot be measured
Against bad guys how can we hope to protect ourselves? We have to protect: Ourselves Your staff, users and clients Your assets Your personal and business knowledge and your Intellectual property
These are the easiest to bring up to a level of awareness We also have to protect the innocent, the unaware, the uneducated and the ill-informed people among us. They are the ones with the most to loose.
Internet Addresses The internet as we know it today has: 4,294,967,296 addresses 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456. The new internet IPv6 has 340,282,366,920,938,463,463,374,607,431,768,211,456
Why is this important Everything is coming out with the ability to have an IP address configured to it. Sim cards, RFID Chips, small computer – now 2 x 2 milometers Making everything Internet aware creates its own problems. Increasing your businesses Threat Vectors
Recently Large multi national defence company in Dallas was compromised. The IT manager was an IT Nazi and could not believe that his system had been compromised. He narrowed it down to the board room because of information that became available on the internet. He assumed it was the phone system or an insider and took the necessary steps It was in fact the Air Conditioning system that had been plugged into his network
I don’t know about you but I consider the Internet a very dangerous place. I compare it to walking down a dark alley, with your hands and feet shackled, a large amount of money in your wallet and a large flashing neon sign saying “ROB ME”
Start Here? A holistic system with more than one component Business needs a framework A system of interlocking components working together
Which framework The business model for internet security COSO - Enterprise Risk Management Integrated Framework
How about a simple framework? A framework for building a secure business environment A framework that includes the four pillars of business security A framework that allows future requirements to be plugged into it without changing A framework that grows with your business They are
Technology All of those technology components Firewalls and operating systems Applications Encryption Cloud based and BYOD Wireless and VPN Anti Virus Best Practice
Management A management process and we need to know who is involved in it. The three “P’s” – Processes, Policies, Procedures Auditing Reporting Training
Compliance Regulations and what you need from them to protect yourself This is probably the most difficult component to define because all businesses are different
This is a framework that creates a secure environment for your business. These four components, working together creates a cyber security business framework This is a framework that tightens up your business cyber security as you add components to it.
There are lots of frameworks out there but most are produced by companies that say – “Buy my widget and you will be secure” – from the high end like Cisco, Fortinet, Juniper, Microsoft to the low end like d-link and netcomm. A good framework has to have certain Features That is not holistic!
The framework has to be agnostic No one thing is going to do the job but one thing from any supplier can do a job. Each piece, is a piece in a puzzle and it is a large puzzle with a very defined goal – protect the business The more you spend the better the features and the better the solution but you can start with the most basic and build on the components
Your Framework has to be manageable Like most things in business you have to be able to manage the process You need to have checks and balances in place so that critical and crucial data is not lost or misplaced It has to have some level of ROI - although like Insurance this is very difficult to define and calculate.
Your framework has to build defence in depth Each component needs to add and build up to strengthen the environment Each component has to support the other parts of the framework Each additional component has to be stronger that its predecessor.
Your framework has to be stable The framework should have the flexibility but also have the strength to protect your business.
Your framework has to work With each piece that is added there has to be accountability Each component has to strengthen the whole not create problems and holes in your security
Cyber Security is not only an IT Problem, Cyber Security is a whole of business problem that needs a whole of business solution and more importantly cyber security is a management role for C level Execs and Board Members
But its not just up to them Everyone is responsible If you see something wrong say something In most cases the people at the Coal Face are the people who will notice something different
Lastly Cyber security is MY problem. I have to look at it in that context. Cyber security is MY problem, I am the Master of my own destiny. Cyber security is MY problem and If I want protection, I have to be the one protecting. Cyber security is MY problem and I have to protect myself and not rely on others to do that for me.
Do a independent security audit, and although audits are not cheap it is the best place to start Train your staff - awareness is the key - use either a room based system or an internet based system but build up your staffs cyber security awareness Get involved
Do an Audit This is necessary to cyber security as it gives you a baseline You have facts not hear say and mumbo jumbo – the ICT world is full of mumbo jumbo Management can make fact based decisions You can see what is needed to ensure your businesses viability
Train your staff Get your staff to understand that they need to help themselves before they can help you Start with some type of training package. Continue training with fortnightly, monthly or quarterly updates Use technology Get them thinking Run a competition
These are the basics to protect your staff Use Strong passwords Use Unique passwords Use the newest operating system and applications you can afford and keep them updated Use a good Anti Virus Be paranoid Use Common sense
Need Help? Fill in the form on your table and we will quite happily come and discuss your personal requirements. Go to www.securitypolicytraining.com.au and sign up for the basic cyber security awareness course. There is a code at your table that will allow for the first 10 people to do the course for freewww.securitypolicytraining.com.au
This deck will be available from our website for a limited time, I will email you the link over the next couple of days. A video of this presentation will also be available. If you are in management I hope that I have given you food for thought, if not I suggest that you have a word to management about a business and management wide response to cyber crime and cyber security.
Ideas Do you have a plan for going dark virtual credit cards Broken windows – get them fixed