Trust Matta's Cyber Security Event Slides

Transcript of Trust Matta's Cyber Security Event Slides (35 slides)

1

https://www.trustmatta.com © 2015 Matta Consulting Limited. All Rights Reserved.

Taking Stock: Past and Current Landscape and Where to Focus Resources Today

2

Matta is an award-winning security consultancy based in London since 2001. In 2002 they were the first company to demonstrate how Google dorking could be used in cybersecurity after mapping an internal network of the CIA: https://www.trustmatta.com/downloads/pdf/Matta_Counterintelligence.pdf

In 2003 they set up the first 'Test the Tester' program, nicknamed 'Sentinel', to evaluate the quality and effectiveness of penetration testers, which they ran on behalf of financial institutions against all the big global security firms for several years.

Matta: Award-winning security since 2001

You can observe a lot just by watching. (Yogi Berra)

At this time, the technical director also released the first book on professional penetration testing, O'Reilly's 'Network Security Assessment'.

More recently, they have spoken at Black Hat and won the prestigious Pwnie Award for security research. Today they are focused on helping companies with some of the more difficult challenges in cybersecurity.

3

Nick Baskett, FOUNDER

Nick founded Matta in 2001 and is a founding member of the Cyber Security Council. He advises a number of companies on cyber security strategy at board level, helping them develop effective strategies that fit their business model, as well as advising smaller security companies on how to commercialise their ideas.

Chairman, Non-Executive Director, Cybersecurity and Mining Companies

About Me

4

What We Do

Malgorithmics: Blended product and consultancy service to outsource finding malware on clients' networks. Advanced behavioural analysis means we find malware and anomalous traffic quickly and accurately.

Red Team: Old-school hacking using modern techniques. We break into systems and applications and give a board report on how we did it.

Matta 360: A full-service secure systems administration and escrow service.

Power Packs: Pre-configured security configurations ready to roll out across your network: Wireless, SSL, RDP.

Consultancy: Penetration testing, code auditing, secure design services and more.

5

Agenda

● Security by the numbers
● Exciting regulatory developments
● Practical Advice on Internal Network Security

6

Security By Numbers

7

Profile of Cyber Security is Increasing

● Reputational damage amplified by social media
● Difficult to quantify, but has real impact on GDP
● Has potential to materially and negatively affect a country's competitiveness through loss of IPR

8

Impact at Nation Level

* Abbreviated numbers from McAfee economic impact report

9

Big Co Breaches: 90%, an increase from 81% in 2014

Little Co Breaches: 74%, an increase from 60% in 2014

Max Cost to Big Co: £3m. The costs of the most expensive breaches ranged from £1.46m to £3.14m

Max Cost to Little Co: £311k. Smaller companies costed their breaches at between £75k and £311k

++ Breaches ++ Costs: more breaches, more costs

* All figures for 2015; source: PwC 2015 breach report

10

● FTP
● SSL
● SMB
● RDP
● Wireless

Config Mistakes: Common Areas of Misconfiguration

11

Exciting Regulatory Developments

12

Changes

● GDPR
● EU Safe Harbour
● Briefly: CISA impact on the EU
● Update on Directors' Responsibilities

13

● The EU General Data Protection Regulation
● Under “trilogue” negotiation
● Due 2015/16 and effective two years later
● Now is the time to prepare
● Just looking at key changes

GDPR

* Information provided by Sheridans Solicitors

14

● Increased fines to €1,000,000 / 2% of global annual turnover
● Applies to both data controllers and processors
● Requirement for Privacy Impact Assessments
● Minimisation and privacy by design
● Consent more difficult to obtain

GDPR

* Information provided by Sheridans Solicitors

15

The 8th data protection principle provides that “Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

Does not apply to data which simply passes through a country in transit to another destination in the EEA.

International Transfers (pre-GDPR)

* Information provided by Sheridans Solicitors

16

● Safe Harbour was supposed to ensure EU data principles were maintained cross-border

● Snowden revelations prompted law student Schrems to challenge its effectiveness

● EU courts agreed, and companies can no longer transfer EU citizens' data to the US

17

To transfer personal data outside of the EEA:

● Consent
● Adequate Protection
● Model Clauses
● Limited Exceptions
● Binding Corporate Rules

Safe Harbor is no more.

As of the morning of Tuesday 6 October, any data transfers which were legitimate only on the basis of Safe Harbor are now unlawful.

* Information provided by Sheridans Solicitors

18

● Proposed as a threat intelligence sharing law
● Offers indemnity under Anti-Trust and the FOI Act
● Advocates: will help industry react to threats
● Opponents: enables mass surveillance and puts data at risk
● Passed by the Senate at the end of October, not law yet

CISA

19

● Sep 2015: ICO chief says Directors should be personally liable
● Feb 2015: FCA introduces SMR for NEDs
● Legal responsibility usually sits with C-level execs

Board Responsibilities

The Industry Track Record

Measures of Maturity

Maturity scale: Immature, Basic, Managed, Established, Predictable, Optimizing

● People: Leadership at all levels; Culture: skills, competencies and expected behaviours
● Process: Threat surveillance and intelligence; Incident and event response; Testing (technical, procedural, scenario)
● Structure: Accountability and responsibilities; Integration of cyber-resilience into enterprise-wide risk management and governance processes
● Information: Confidentiality, Integrity and Availability; Prioritised information assets (differentiated protection); Release, retention and disposal of information assets
● Technology: Firewalls; Secure Configuration; User Access Control; Malware Protection; Patch Management

Cyber Resilience Baseline Review (diagram labels): Threats; Governance & Accountability; Analysis, Educate, Exercise and Implement; Leadership & Culture; Common Vision and Purpose; Stakeholders

22

Practical Internal Security

23

Are You Doing This?

24

Many companies do not know what is on their network.

Consider 802.1x on switches to harvest MAC addresses you can then query to determine what’s out there.

Improve visibility of traffic.

● Baseline what is anomalous
● Decide what’s important and then measure it
● Hold quarterly reviews
● Communicate upwards

Stronger 3rd party controls. Review:

● Development process
● Procurement
● 3rd party relationships

Some Ideas: Spending time on what’s important

Segregate internal network.

Still too many flat networks without adequate protection between segments.

25

Time Matrix

A 2x2 grid with Urgent / Not Urgent across and Important / Not Important down:

● Urgent, Important
● Not Urgent, Important
● Urgent, Not Important
● Not Urgent, Not Important

26

● You define malware
● Product-led solutions
● Why most companies fail to manage the threat

The Most Pernicious Threat

27

How Long it Takes

28

● Run assembler code to check if you’re on the metal
● Check some registry settings that VMs / sandboxes often have
● Enumerate services
● Look for enterprise apps (what, no Exchange server? ...hmmm)
● Install a stub and don’t run without it
● Bind the executable to the original machine via a digital signature and only run if verified
● Spawn dummy processes and monitor if they are being monitored
● Just wait ...

Host Malware Evasion

29

● Period: 7 days
● Total number of records: 10,416,501
● 4,237 active IPs being monitored
● 1.2GB metadata analysed per week
● 12 infected machines with confidence 100%
● 4 of them run unknown malware
● 3 suspected infections, confidence (various)
● http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx

Client’s 1st week on Malgorithmics

30

Authentication: When is less security more secure

31

Secure by Design: Fixing it later is not as effective as building it right. Building it right means less maintenance cost.

Hold the Code: You may think you own your code, but what happens when there’s a dispute with your developers?

Integrate Security: Use DREAD and a methodical approach to ensure processes are baked in.

Dedicate a Resource: If you can’t dedicate a resource for managing external systems, consider outsourcing it.

Validate, Validate: Mistakes happen at any time, not just once a year. Reduce validation costs with a secure design.

Cloud Sysadmin and Code Escrow: External systems need better management

32

Bonus Demo

33

Install from GitHub: https://github.com/jordan-wright/dumpmon and follow the README instructions

Choose Mongo or text file: configure it to use MongoDB or just write out to a text file

Edit the REGEX: edit the REGEX to search for the data you need to monitor

Dumpmon: Monitor the pastebin ecosystem
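The "edit the REGEX" step above, as an added example that is not dumpmon's own code or regex set: a constructed watch-list for an organisation's own data (example-corp.com and the .corp.example-corp.internal hostnames are placeholders) run over a constructed paste, with secrets masked before a hit can reach an alert channel.

```python
import re
from collections import Counter, namedtuple

# Hypothetical watch-list for an organisation's own data: this is dumpmon's
# "edit the REGEX" step as an added example, not dumpmon's shipped regex set.
# example-corp.com is a placeholder domain. Entries are (name, pattern, is_secret).
RULES = [
    ("corp_email", re.compile(r"\b[\w.+-]+@example-corp\.com\b", re.I), False),
    ("internal_host", re.compile(r"\b[\w-]+\.corp\.example-corp\.internal\b", re.I), False),
    # email:password or email|password on a line of its own, for our domain only
    ("credential_pair",
     re.compile(r"^\s*[\w.+-]+@example-corp\.com\s*[:|]\s*(\S{6,})\s*$", re.I), True),
    ("aws_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), True),
]

Finding = namedtuple("Finding", "rule line_no evidence")  # evidence is masked if secret

def redact(value: str, keep: int = 3) -> str:
    """Keep a short prefix so analysts can correlate without re-leaking the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_paste(text: str) -> list[Finding]:
    """Run every watch-list rule over each line of a paste body."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern, is_secret in RULES:
            for m in pattern.finditer(line):
                hit = m.group(m.lastindex or 0)  # last group holds the secret part, if any
                findings.append(Finding(name, line_no, redact(hit) if is_secret else hit))
    return findings

def summarise(findings: list[Finding]) -> dict[str, int]:
    """Hits per rule, the basis for deciding whether a paste is worth an alert."""
    return dict(Counter(f.rule for f in findings))

def worth_alerting(findings: list[Finding], min_hits: int = 2) -> bool:
    """Alert on any secret hit, or on min_hits or more watch-list hits in one paste."""
    secret_rules = {name for name, _, is_secret in RULES if is_secret}
    return any(f.rule in secret_rules for f in findings) or len(findings) >= min_hits

# Constructed sample paste (not a real leak); the gmail line must not match.
SAMPLE_PASTE = """\
db dump from build01.corp.example-corp.internal
alice@example-corp.com:Summ3rTime!
bob@example-corp.com|hunter2pass
AKIAIOSFODNN7EXAMPLE
unrelated@gmail.com:nothing-to-do-with-us
"""
```

Scoping the credential rule to your own domain keeps the feed to data you are responsible for; a generic email:password pattern would page you for every unrelated dump.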

34

Switchboard: +44(0)203 051 [email protected]

Direct: +44 (0)203 051 3420 x2010

[email protected]

Contact Us: We are nice people

35

THANK YOU