Take Down


Description: Cyber Security

Transcript of Take Down

Page 1: Take Down

Professor John Walker FBCS CISM CRISC ITPC CITP FRSA MSSoc

Take-Down 2014 [AKA – The Yellow Brick Road to Insecurity]

http://www.cytelligence.co.uk/


Page 2: Take Down

• CTI Cytelligence Ltd
• Member ENISA CEI Listed Experts - http://www.enisa.europa.eu/
• Registered International Expert Witness
• Editorial Board – Cyber Security Research Institute (CRSI)
• Microsoft Partner
• Freelance Writer
• International Presenter
• Visiting Professor, School of Science and Technology, NTU
• Visiting Professor/Lecturer – University of Slovenia
• 30 Years Experience in the Fields of Infosecurity and Cyber
• 100+ Papers Published Internationally
• Presented 100+ Internationally

Who AM I


Page 3: Take Down

Die Hard – 4 – With Nails

Fiction-or-Fact!


Page 4: Take Down

One overall Society Wide implication is, by Socio-Economic Implication, that we [the Global Village] have embedded the environment of Internet dependencies into the very fabric of our lives – and Cloud has expanded these dependencies.

Social, Business, Government, all of which are now entwined into the interconnected environment, the Genie is Out, and may not be placed back in the bottle.

Business Operations are highly dependent - Governments are highly reliant on Internet Operability. Socially, be it IP TV, VoIP, or even Home working, again dependency is high . . . . making it, and us, an ideal surface of Attack.

This dependency on an environment with no real Governance, Cross Border Control, or for that matter SLA, makes us significantly vulnerable in the Medium to Long Term . . . and it WILL have consequences!

Socio-Economic Implications


Page 5: Take Down

SITREP – 11/02/13/14

Criminals are Winning – and the Rewards are HIGH

http://www.bankinfosecurity.co.uk/blogs/new-fraud-scheme-launched-via-chat-p-1403

Hacktivists are, well Active (NOT forgetting Cyber Radicals)

PCI-DSS has been found to be FLAWED

The Standard of ‘Overcompensation’

Skills Low – they need to be honed

International Threats Ignored

Too many Reports – NOT enough Action

Lack of Reporting

Lack of Public Security Awareness

Page 6: Take Down

a) Malware – Once considered by Government Agencies [GCHQ/CESG] to be a passing nuisance - is now a significant threat and in a new guise!

b) SPAM – Thought to only be a communication which had to be managed [House of Lords Technology Committee]. Now a major conduit for Malware, and other adverse infiltrations!

c) Cyber Intelligence Gathering [OSINT] is a reality and not a myth [consider the Cuckoo's Egg]!

d) Cyber Attacks have taken place against the UK, US, and Germany to name but a few – Titan Rain!

e) Root Servers are regular targets!

f) IP is everywhere [Including Fridges] and so the threats are commensurate and rising – The Dirty Shirt!

Yesterday's Threat


Page 7: Take Down

1. DNS

2. Exposures & Vulnerabilities

3. Users – Education & Awareness (Not me Gov)

4. Patch & Fix (or NOT)

5. Bleeding Edge Technologies

6. Virtualisation & Cloud (and it's not new)

7. Lack of Standards

8. New Age Malware (Smart Cell Phone)

Some Good Bad Examples


Page 8: Take Down

When Contracting out to Specialist Third Parties there is an expectation that they will provision the required level of Best Practice support to secure the enterprise under contract, and do what they say they do – as stated in the following article published in Secure Computing magazine, by a CISO representing a well known Big Name Third Party:

The Promise of Third Parties


Problem was – when working with a major brand Company this same supplier was supporting, they did not follow any such path, and the service was so wanting it left [and is leaving today] that client exposed to Uncontrolled Security Incidents, Exposure to Malware, and Insider Threats, to mention just three of many shortfalls.

Page 9: Take Down

LONDON, Jan/07: The Director General of MI5 warned British companies of possible cyber-attacks originating from China.

The Prime Minister's office accused China of engaging in state-sponsored espionage targeting integral parts of Britain's economy, using the computer infrastructure of Banks and financial services.

In April 2010 the Cabinet Office assessed the threat of Electronic Attack from Russia and China, and it was rated SEVERE. Better late than never:

Copyright SBLTD 2012

Real-Time, Real-World


Page 10: Take Down

Unrestricted Warfare is a book on military strategy written in 1999 by two colonels in the People's Liberation Army, Qiao Liang and Wang Xiangsui.

Unrestricted Warfare


Copy supplied as a ‘Hand-Out-1’

Page 11: Take Down

Public Exposures

http://www.computing.co.uk/ctg/opinion/1844378/incidents-hotels-sow-reservations-security

Hotels & Public Access Points can present very insecure & hostile environments which can & do expose their users!

Example of a deployed Access Point at a well known London Hotel which is compromised & possibly being exploited today!


Page 12: Take Down

1. Large Global Oil & Gas – Insecure SCADA

2. UK Smart Metering – Open to Abuse

3. Connected Homes – Hacked and Insecure

4. Major London Based Bank - Compromised

5. London City Insurance Broker – Total Insecurity

6. Scot’s Care Home Hacked – Heating Systems

7. Betting Agency – Cyber and DDoS Attack

8. Operational Security – Learning on the Job!!!

Exposures 2013/14


Page 13: Take Down

DDoS

DDoS has been growing in popularity year-on-year, with the throughput of adverse traffic increasing - it requires zero skill to join in and to play:


Page 14: Take Down

Attacks – 2012 - 2013

[Map graphic – attack counts per location, grouped as shown on the slide]

Hong Kong = 66, Turkey = 52, Poland = 10, Brazil = 19, California = 20

Turkey = 161, California = 22

South Korea = 24, Japan = 36, Venezuela = 15, Brazil = 34, California = 24, Indiana = 25, Australia = 4

Italy = 24, California = 30, Brazil = 53

Venezuela = 11

California = 31

California = 33

California = 38, Hong Kong = 50

Italy = 20, China = 428

Global Attacks


Page 15: Take Down

DDoS


Page 16: Take Down

Mediocrity will NOT Suffice

It was the BofE who were the main orchestrators of Waking Shark II – Yet they have a number of significant security exposures, and vulnerabilities, of which they have been informed under respectful, Channelled Disclosure Notification – With no response, or action.

If we are to lead the righteous path to evolve security and to protect the public, then it must surely follow a route to secure our infrastructures, and not just Ignore the open states of potential compromise!

We must take the Threat seriously – or there is no point.

Waking Shark II – ‘Hand Out-2’

In fact we are already here!

See article in Digital Forensics Magazine – [If you want a copy just drop me a line].


Page 17: Take Down

The Statistics


Page 18: Take Down

Critical Unacceptable Exposures

If I were to tell you that because of a breakdown in process there are potentially hundreds of Highly Classified Soft Copy Files sitting on Laptops, Servers, unencrypted, and then just left there – TS, STRAP etc – would you believe me? – And such documents are replicated in a very uncontrolled manner.

If I were to tell you that FOI has been employed in an unthinking way and exposed lives to threat – would you believe me? – then you should!!


Page 19: Take Down

Critical Infrastructures Exposed

By the very nature of what the Power Industry supply and support, they are a Target! – But they don’t seem to know it!


Page 20: Take Down

911 – The Power Event?


Page 21: Take Down

Play Safe – The Vulnerability of WiFi

WiFi everywhere – but still not being used securely, or sensibly –

An example:


Page 22: Take Down

Advanced Threats

Called Advanced Threats, Advanced Persistent Threats [APT], Advanced Evasion Techniques [AET] – they are all New Age Cyber Threats that carry Payload.

And it is highly likely they are responsible for many of the well Publicised security breaches, and the state of Assumed Compromise.


Page 23: Take Down

Firewall Evasion


Proven Real-Time & in Lab Conditions by Nottingham Trent University in Research Partnership with Commercial Vendors – Firewalls Can Be Broken!

Page 24: Take Down

With the advent of the Smart Cell Phones – (Hand Held Micro Computers) – they host a vast range of features, and are no longer simple devices which just make Telephone Calls.

They are installed with high capacity storage capabilities well in excess of their early Big Brothers and Sisters based on 8086 Chips.

They are hosting Bluetooth, WiFi (802.11 ...), and Web Access – they talk to the Internet, and communicate into Clouds.

They are also enjoying the interest of Malware Writers, and currently there are approximately 300 such applications in circulation.

The AV Companies are responding with early solutions . . . . But they are the new target

And Users are happy to Accept All Access to All Things!!!

Smart Phones and BYOD


Page 25: Take Down

Cyber Attacks of eCrime/eFraud – Phishing, RockPhish and FastFlux, Scams (419), Spear Phishing, Malware, Botnets, Rootkits, and DoS/DDoS – are some examples of the methods of choice of Criminals, Organised Crime, and Hacktivists to attack business, systems, and the end-user community alike.

These acts are remote from the enterprise perimeter, so physical access may prove to be impossible, as the related artifacts will be dynamic.

The Missing element is the CSIRT First Responder Digital Forensics, and Investigative Response.

Advanced Threats


Page 26: Take Down

Distance Based Digital Forensics should be triggered by the manifestation of impact from any one of many variations of attack conditions – and Footprinting can also include eMail based Social Engineering - This is a Real-Time Map of an attack against an on-line betting deployment.

Logs, Alerts, and Notifications should signal adverse conditions.

Cyber Extortion – Anatomy of Attack
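As an illustration of the point that logs and alerts should signal adverse conditions, the following is an added example and not code from the deck or from Cytelligence: a sliding-window request-rate check run over a constructed access-log sample in common log format. The window length, thresholds, addresses and log lines are assumptions chosen for the demonstration, and lines that fail to parse are reported as well, since a log format that suddenly changes is itself something a responder should know about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format line: source, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10     # length of the sliding window (assumed value)
PER_SOURCE_LIMIT = 10   # requests from one source inside the window that raise an alert
GLOBAL_LIMIT = 30       # requests from all sources inside the window that raise an alert


def parse_line(line):
    """Return {'src', 'ts', 'req'} for a well-formed line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
    }


def detect_floods(lines, window=WINDOW_SECONDS,
                  per_source=PER_SOURCE_LIMIT, global_limit=GLOBAL_LIMIT):
    """Scan time-ordered log lines and return a list of alert dicts.

    One alert is raised per source (and one for the aggregate) the first time
    the count inside the sliding window reaches the limit, so a sustained flood
    does not bury the responder in repeated notifications.
    """
    per_src = defaultdict(deque)   # source -> timestamps inside the window
    everything = deque()           # all timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append({"kind": "unparsed", "line": line})
            continue
        ts, src = rec["ts"], rec["src"]
        q = per_src[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop timestamps that fell out of the window
            q.popleft()
        everything.append(ts)
        while (ts - everything[0]).total_seconds() > window:
            everything.popleft()
        if len(q) >= per_source and src not in alerted:
            alerted.add(src)
            alerts.append({"kind": "source_flood", "src": src,
                           "count": len(q), "at": ts.isoformat()})
        if len(everything) >= global_limit and "*" not in alerted:
            alerted.add("*")
            alerts.append({"kind": "global_flood",
                           "count": len(everything), "at": ts.isoformat()})
    return alerts


def build_sample_log():
    """Constructed access-log lines (not real traffic from any deployment):
    two ordinary clients and one source that sends 12 requests in 6 seconds."""
    fmt = '{src} - - [05/Nov/2013:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    events = [(sec, "198.51.100.7", "/odds") for sec in (0, 3, 6)]
    events += [(sec, "198.51.100.8", "/login") for sec in (1, 4)]
    events += [(i // 2, "203.0.113.5", "/odds") for i in range(12)]
    events.sort(key=lambda e: e[0])          # keep the lines in time order
    return [fmt.format(src=src, sec=sec, path=path) for sec, src, path in events]


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Run stand-alone, the script prints a single source_flood alert for 203.0.113.5 at the moment its tenth request inside the window arrives; the two ordinary clients never trip the per-source limit and the total stays under the aggregate limit. In practice the alert record is what gets pushed to the notification channel that triggers the distance-forensics engagement.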


Page 27: Take Down

Radicals 5/11/12


Page 28: Take Down

Islamic Jihad – It's Serious

Global Islamic Media Front (GIMF)


Page 29: Take Down

• Times are Changing – Consider!
• East Midlands Airport
• Stephen Timms
• Chicago
• Mumbai (x2)

May we conclude that, if the prospect of ‘Radicalisation’ is interwoven in our Society, we should expect to see more use of Cyber Tools to support these missions in 2014! – Low Cost Munitions, with High Impact Potential!

Physical Threats – Real Time


Page 30: Take Down

From Russia with Love - CaaS

Source = Trend Micro

Page 31: Take Down

Just 8 years ago a CPNI Agent commented that the Cyber Threat was over-hyped!

Cyber War is now considered to be a reality, and represents an Aggressive capability which hostile nations may utilise against a target.

Cyber War capabilities exist in Nations where their internal technology Capabilities are extremely low, but they do have high capabilities to attack outside their logical borders.

It is anticipated that Cyber War will be an activity which would be a joined force alongside Kinetic Warfare.

In certain conditions, Cyber War holds the potential to escalate into Kinetic engagements.

Early signs have been seen of Hostile Government Capabilities – North Korea.

See: http://www.scmagazineuk.com/north-korean-electro-magnetic-pulse-able-to-attack-us-via-south-pole/article/369451/

CyberWar - CyberConflict


Page 32: Take Down

Abusive Images - Accepted

See: http://www.scmagazineuk.com/1-in-5-corporate-networks-host-child-sex-abuse-content/article/368786/


Page 33: Take Down

Upon engaging with an event classified as Distance Forensics (the Unknown) DO:

a) Triage the event - trace
b) Contain all Dynamic Artifacts (Logs, traces, events, eMail (including headers))
c) Conduct Intelligence Gathering from known facts, to reveal the unknown circumstance
d) Taxonomy of the attack type (e.g. below, YouTube Page containing Malware)
e) Investigate Logs/Service Desk Reports, and any other form of possible information
f) Confirm with other CSIRT Members their status – communicate the event for purpose of Situational Awareness
g) Document
h) Real-Time Threat Assessment
i) Monitor
j) Preserve Artifacts & Evidence
k) Assess need for Third Party Reporting – Law Enforcement Vice (CMA), DPA68, PCI-DSS, ISP etc
l) Consider Corporate Communications Position
m) Consider taking down impacted systems/or reducing their operability
n) Assess any Sprawl Conditions

Response - DOING
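The containment, documentation and preservation steps above (b, g and j) rendered in Python, as an added example that is not code from the deck or its author: each collected artifact is hashed into a chain-of-custody manifest at the moment it is taken, so it can later be shown unaltered, and the reported e-mail's headers are read to record the Received: hop chain and a Reply-To that differs from the From address. The message, the proxy log line, the handler name and every address and host in it are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from email import message_from_string


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def preserve_artifact(manifest, name, data, handler, note=""):
    """Record one artifact in the chain-of-custody manifest.

    The bytes are hashed at collection time; verify_artifact() later shows
    whether the preserved copy still matches what was collected.
    """
    entry = {
        "name": name,
        "sha256": sha256_hex(data),
        "size": len(data),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "note": note,
    }
    manifest.append(entry)
    return entry


def verify_artifact(entry, data):
    """True if the bytes still match the manifest entry."""
    return entry["size"] == len(data) and entry["sha256"] == sha256_hex(data)


def received_chain(raw_message):
    """Received: hops oldest-first. Each server prepends its own header, so the
    top of the message is the last hop; reversing gives the order travelled."""
    msg = message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    return [" ".join(hop.split()) for hop in reversed(hops)]   # unfold continuation lines


def triage_email(raw_message):
    """Pull the header facts a first responder records before anything else."""
    msg = message_from_string(raw_message)
    sender, reply_to = msg.get("From"), msg.get("Reply-To")
    return {
        "from": sender,
        "reply_to": reply_to,
        "subject": msg.get("Subject"),
        "hops": received_chain(raw_message),
        "reply_to_differs": reply_to is not None and reply_to != sender,
    }


# Constructed sample message (invented addresses and hosts, not a real capture).
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [198.51.100.20])
\tby mx.example.org with ESMTP id abc123; Tue, 05 Nov 2013 10:05:00 +0000
Received: from [203.0.113.9] (unknown [203.0.113.9])
\tby mail.example.net with SMTP; Tue, 05 Nov 2013 10:04:58 +0000
From: "Accounts" <accounts@example.org>
Reply-To: <payments@example.invalid>
To: <finance@example.org>
Subject: Urgent: invoice payment required
Date: Tue, 05 Nov 2013 10:04:50 +0000

Please pay the attached invoice today.
"""

# Constructed proxy-log excerpt for the same constructed incident.
SAMPLE_LOG = b"2013-11-05T10:06:12Z proxy user=jdoe GET http://example.invalid/video.html\n"


def build_case_manifest(handler="responder-1"):
    """Preserve the constructed artifacts for this constructed case."""
    manifest = []
    preserve_artifact(manifest, "phish.eml", SAMPLE_EMAIL.encode(), handler,
                      note="reported by finance@example.org")
    preserve_artifact(manifest, "proxy-excerpt.log", SAMPLE_LOG, handler,
                      note="proxy line matching the Reply-To domain")
    return manifest


def manifest_json(manifest):
    """Serialise the manifest for the case file."""
    return json.dumps(manifest, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(manifest_json(build_case_manifest()))
    print(json.dumps(triage_email(SAMPLE_EMAIL), indent=2))
```

The manifest entry carries the hash, size, collection time and handler for each artifact, which is the minimum a later reviewer needs to check that evidence preserved in step j is the same evidence contained in step b. Reading the Received: chain oldest-first gives the path the message actually took, with the earliest hop being the point the responder would look at first.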


Page 34: Take Down

Intelligent Postures & Response

• Know your Critical assets
• Find out what you ‘Don’t Know’
• Consider the element of Data Leakage – Conduct a Triage
• Conduct Intelligent Testing
• Know your Business Exposure
• Employ Situational Awareness Practices
• Evolve an Incident Response Process, and Capability [Not just Lights on stuff]
• Don’t do ‘Lip-Service’ do ‘Security’
• Take the Threat Seriously


Page 35: Take Down


Hand Out-3