1. Risk appetite vs. resilience Professor John Walker MFSoc CRISC CISM ITPC CITP FBCS FRSA Director of CSIRT & Cyber Forensics INTEGRAL SECURITY XSSURANCE Ltd 24 Lime Street | London | EC3M 7HS Mobile: +44 (0) 7881 625140 Office: +44 (0) 2032 894449 INTEGRAL SECURITY XSSURANCE Ltd

2. Just thinking!Circa - 2008Circa - 1984 INTEGRAL SECURITY XSSURANCE Ltd 3. ber-Secret Handbook Basic Rule: Blend in with the crowd, disperse into the stream. Keep a low profile. Don't try to be special. Remember, when in Rome, do as Romans do. Don't try to be a smart ass. Feds are many, Anonymous is Legion, but you are only one. Heroes only exist in comic books keep that in mind! There are no old heroes; there are only young hero's, and dead hero's! Anonymous The ber-Secret Handbook Version 2.0 - Date 20.02.11 INTEGRAL SECURITY XSSURANCE Ltd 4. We are secure echo, echo We here it all of the time companies claiming they are secure but if that is the case, how can we account for example, consider what is to come in this presentation - and:The PCI-DSS Compliant deployment which was insecure, and hosting vulnerabilities and exposures [which were not in scope of the assessment As advised by the attending QSA] it was not thus important that the environment was insecure the weighting was based on the fact that it had ticked-the-box. INTEGRAL SECURITY XSSURANCE Ltd 5. examples Company 1: Compromised by Modem Installation! Company 2: Hosting a Paedophile Global Share on their Internal Network! Company 3: Leaking their entire Membership Database! Company 4: Hosting a complexly insecure SMABA Share! Company 5: Connected to .mz Domains, with Remote Access Enabled! Company 6: Compromised by Microsoft Office 2010 installation! INTEGRAL SECURITY XSSURANCE Ltd 6. Misplaced appetite With a business financial deal, considering the Risk Appetite, the assessment may be something like: a+b=d R=x [x-Ra=y] y-e =m However, with Cyber Risks, they are not as quantifiable of Financial Risk, and thus the calculations can be flawed, and thus hold higher potential for uncontrolled escalations of exposure and they continually occur! INTEGRAL SECURITY XSSURANCE Ltd 7. the route to insecurity This point cannot be emphasized enough - the real hackers exploit the subliminal, & grey spaces all of the time (the areas of the unknown) using Advanced Google Command Line Strings) to discover rich targets. An example is the filetype operator, which opens up an interesting playground for the true hacker. Consider the query: (filetype:pdf | filetype:xls)-inurl:pdfor link:www.who.com INTEGRAL SECURITY XSSURANCE Ltd 8. More Examples . . . Obama-Care Web Site impact on Reputation! Cyber Monday Lack of Investment . . What does the indicate? 9. The imposition of metadata One BIG misunderstood element of insecurity, is that of MetaData many businesses still do not understand the implications of Data Leakage! An example of 22 leaks.And see:http://www.thedatachain.com/articles/2011/9/understanding_the_correlation_between_data_leakage_ INTEGRAL SECURITY XSSURANCE Ltd 10. Reporting a mix of ethics The missing element can be that of Reporting [or NOT] as may be the case where companies make their own internal judgment call as to the important, and exposure of the incident take the company who had their own way of dealing with this Discuss: The full account is published in:http://www.itgovernance.co.uk/shop/p-1338-the-true-cost-of-information-security-breaches-and-cyber-c INTEGRAL SECURITY XSSURANCE Ltd 11. The feeding of cyber crime What needs to be appreciated is, where there is variance with obligations, and standards, there will be exposure and it is here where, by inference, business actually works hand-in-hand, to feed the world of Cyber Crime Where there is Corporate Negligence, there will also be the poetical for insecurity, and exposure! INTEGRAL SECURITY XSSURANCE Ltd 12. ultimatum Ultimately, security needs to change approaches to influence behaviour, and drive change in the organization. Why? When a group of accomplished German Hackers were asked, how they got so smart to be able to compromise, and infiltrate corporate environment they responded: We aren't that smart, its the business who are leaving silly exposures in place, and not doing security properly! INTEGRAL SECURITY XSSURANCE Ltd 13. To conclude Possibly there is need to instil more ethics in those organisations who have failed to meet their obligations. Maybe its a case of Less Tick Box Compliance, and More Operational Security.Above all, has the time arrived which dictates that we need to rethink what security is, how it can be best accomplished, and how we can serve our public better, without the need for such government, or EU enforcement?However, it really is about understanding, and appreciating what Cyber Risk really is 2014 >>, and the associated ramifications of what uninformed exposure could mean to the businessCould it be that we have reached the time where the levels of Insecurity and Security Braches are implying we need to get Back-to-Basics.Donald Rumsfeld - There are known unknowns; that is to say, there are things that we now know we don't know. . . . . . INTEGRAL SECURITY XSSURANCE Ltd 14. Thank you for Watching INTEGRAL SECURITY XSSURANCE Ltd 24 Lime Street | London | EC3M 7HS Mobile: +44 (0) 7881 625140 Office: +44 (0) 2032 894449 INTEGRAL SECURITY XSSURANCE Ltd