Before we start - if you found a USB drive in your car park or in your driveway What would you do with it. 50% of people would plug it in and 80% would.

Before we start - if you found a USB drive in your car park or in your driveway What would you do with it. • 50% of people would plug it in and • 80% would plug it in if it had some type of logo

on it

Why Cyber criminals are smarter than we think they are!

A study on future crime and how we can stop it

Technology = advantageBusiness uses Technology to gain an advantage over their opposition or competition. Advantage through better management or the use of cutting edge ideas.

The bad guys, the criminals and cyber criminals, have already developed ways to use technology well before it has been released to the general public.

or is it?

Business and users are always playing catch up.Business and users are always reactive

Linear vs. Exponential growth

Technological growth is not linear, it is exponential

Linear vs. Exponential growth

So 30 years since the introduction of the internet as a linear time line is equivalent to more than 10,000 years exponentially growth in technology.

30 linear steps is here to the door, 30 exponential steps is here to the moon

The reason for that growth. Technology builds on technology, information and systems. Anything available at the time.

The Apollo Landing

Speaking of the moon - The whole of NASA at the time of the first moon landing had less computing power than a single IPhone 4

A little History on Cyber Crime

Crime is exponential as well.

In the old days it was Mano au Mano - one person stealing from one person.

We then added stage coaches, trains and banks one person stealing from a number of people.

The Sony hack in 2011 was one person stealing from 70 million people.

Mobile phones and pagers

Mexican drug lords with their own complete mobile phone system

The Mumbai terrorist attack (Raj hotel 2008)

That was the normal criminals and terrorist what about the cyber criminal

Android PhonesSeptember 2008 released to the world on HTC’s Dream

People started Download banking apps from the android market

The android market went live at the same time

All were fake!

In the first month 50,000 banking apps were downloaded

Flashlight Apps

Both android and IOS75% have a malware componentSeems to be the easiest to get through the vetting processWhy do you need a location service for a light?

Stuxnet - a virus / worm designed to cross the interface between normal business systems and access low end command and control systems, believed to have been produced by CIA and Israel. Duqo and flame followed - derivative of stuxnet but changed, encrypted payload and no longer targeted at specific types of computers

The problem with these types of attacks, once in the wild they are very hard to control.

Spear phishing attacks are laser guided - the RSA hack is a classic example it was specifically targeted at a specific group of 5 people.

Low tech works just as wellQANTAS lounge, coffee shop

That was the past what about the present

Diverse ITIn 2011 Diverse IT, a domain and website hosting company were hacked.

30 Minutes from total control to loosing everything.

They didn’t see it happening and once they did they had no control – they lost everything.

http://www.youtube.com/watch?v=4ErEBkj_3PY

Vijay Kumar: Robots that fly (the TED presentation)

Now Criminalise Them

The ability to download hacking tools means that a determined 12-year old with some basic computer skills can become a successful hacker.

For the more advanced, there are cyber crime black markets that sell personal data, credit card information, tools, passwords, and successful exploits.

Criminals can rent “bot-nets” from the cyber-criminal underworld or even purchase complete online stores to collect personal information or to sell bogus products

An Example

For $4000.00 you can purchase a malware / spyware creator, all packaged up. You have to be able to speak and read Russian and be willing to have a criminal check but it comes with everything you need to be a cyber criminal including a guarantee and 24/7 tech support.

This is a competitive market, with price wars, guarantees, and special offers.

Hacking has become a big business, not only because the Internet is now “where the money is,” but because most networks, despite claims to the contrary, are inadequately defended.

These are script kiddies – using predefined systems, software and information created by others to attack people on the internet.

They are a serious problem! Because of them everyone who uses an internet facing system is vulnerable – mobile phone, tablet, computer, cloud based systems

A bigger problem is the real bad guys, the “black hats”. The real hackers. The ones that actually know what they are doing and have ways of getting round security and destroying your business, stealing your money and compromising your identity.

A criminal organisation in the Ukraine set itself up as a marketing company:• Selling software and websites – malware

infected

They are so sophisticated that in 2012

• Only 5% of the people knew they were doing something illegal

• Generated 500 Million Euros in revenue

• Had all of the correct staffing including a call centre

• Legitimate offices and payed taxes

The bad guys are coming!

That was then, what about the future?

• The bad guys are smart• The bad guys are persistent• The bad guys are well educated in

computer systems• The bad guys are developing more and

more sophisticated ways of gaining access to your systems and information

How do the bad guys gain access?

• They use Viruses, malware, spyware, ransom ware, RATs and focused hacking attacks

• They have sophisticated command and control systems• Use and create Bot nets• They use sophisticated encrypted comms systems• Rent cloud space, super computer cycles and bot nets –

with a stolen credit cards of course• Paid in Bit coins

Everyone is a target

If that doesn’t work they use social engineering and Industrial espionage – usb in the car park

What do they want

• They want your Money

• They want everyone's information – staff, users, management, clients.

• They want your Ideas and Intellectual Property

Once they have it they trade the information with their illegal friends – the Black market

A confirmed credit card number, with name and security code will net anyware from $20.00 to $350.00 each depending on number and viability.

The cost to everyone

• 2 trillion dollar industry – world wide

• There are unaccountable number of lives destroyed

• The actual loss of intellectual property cannot be measured

Against bad guys how can we hope to protect ourselves?

We have to protect: • Ourselves• Your staff, users and clients• Your assets• Your personal and business knowledge and

your Intellectual property

These are the easiest to bring up to a level of awareness

We also have to protect the innocent, the unaware, the uneducated and the ill-informed people among us.

They are the ones with the most to loose.

The internet of Everything

Internet AddressesThe internet as we know it today has:

4,294,967,296 addresses

340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456.

The new internet IPv6 has340,282,366,920,938,463,463,374,607,431,768,211,456

Why is this importantEverything is coming out with the ability to have an IP address configured to it.

Sim cards, RFID Chips, small computer – now 2 x 2 milometers

Making everything Internet aware creates its own problems.

Increasing your businesses Threat Vectors

RecentlyLarge multi national defence company in Dallas was compromised. The IT manager was an IT Nazi and could not believe that his system had been compromised.

He narrowed it down to the board room because of information that became available on the internet. He assumed it was the phone system or an insider and took the necessary steps

It was in fact the Air Conditioning system that had been plugged into his network

Maybe we need some sort of guru

I don’t know about you but I consider the Internet a very dangerous place.

I compare it to walking down a dark alley, with your hands and feet shackled, a large amount of money in your wallet and a large flashing neon sign saying “ROB ME”

How do we protect ourselves

Start Here?A holistic system with more than one component

Business needs a framework

A system of interlocking components working

together

Which framework

The business model for internet security

COSO - Enterprise Risk Management Integrated Framework

How about a simple framework?A framework for building a secure business environment

A framework that includes the four pillars of business security

A framework that allows future requirements to be plugged into it without changing

A framework that grows with your business

They are

Technology

All of those technology components Firewalls and operating systemsApplicationsEncryptionCloud based and BYODWireless and VPNAnti VirusBest Practice

ManagementA management process and we need to know who is involved in it.The three “P’s” – Processes, Policies, Procedures

AuditingReportingTraining

Adaptability

Risk AssessmentRisk ManagementDisaster RecoveryBusiness ContinuityCyber ResilienceCulture

Compliance

Regulations and what you need from them to protect yourselfThis is probably the most difficult component to define because all businesses are different

This is a framework that creates a secure environment for your business.

These four components, working together creates a cyber security business framework

This is a framework that tightens up your business cyber security as you add components to it.

There are lots of frameworks out there but most are produced by companies that say – “Buy my widget and you will be secure” – from the high end like Cisco, Fortinet, Juniper, Microsoft to the low end like d-link and netcomm.

A good framework has to have certain Features

That is not holistic!

The framework has to be agnosticNo one thing is going to do the job but one thing from any supplier can do a job.

Each piece, is a piece in a puzzle and it is a large puzzle with a very defined goal – protect the business

The more you spend the better the features and the better the solution but you can start with the most basic and build on the components

Your Framework has to be manageable

Like most things in business you have to be able to manage the processYou need to have checks and balances in place so that critical and crucial data is not lost or misplacedIt has to have some level of ROI - although like Insurance this is very difficult to define and calculate.

Your framework has to build defence in depth

Each component needs to add and build up to strengthen the environmentEach component has to support the other parts of the frameworkEach additional component has to be stronger that its predecessor.

Your framework has to be stable

The framework should have the flexibility but also have the strength to protect your business.

Your framework has to work

With each piece that is added there has to be accountability

Each component has to strengthen the whole not create problems and holes in your security

Cybersecurity is not someone else's problem.

Cyber Security is not only an IT Problem,

Cyber Security is a whole of business problem that needs a whole of business solution

and more importantly cyber security is a management role for C level Execs and Board Members

But its not just up to them

Everyone is responsible

If you see something wrong say something

In most cases the people at the Coal Face are the people who will notice something different

LastlyCyber security is MY problem. I have to look at it in that context. Cyber security is MY problem, I am the Master of my own destiny. Cyber security is MY problem and If I want protection, I have to be the one protecting. Cyber security is MY problem and I have to protect myself and not rely on others to do that for me.

First Steps!

• Do a independent security audit, and although audits are not cheap it is the best place to start• Train your staff - awareness is the

key - use either a room based system or an internet based system but build up your staffs cyber security awareness • Get involved

Do an Audit

• This is necessary to cyber security as it gives you a baseline

• You have facts not hear say and mumbo jumbo – the ICT world is full of mumbo jumbo

• Management can make fact based decisions• You can see what is needed to ensure your

businesses viability

Train your staffGet your staff to understand that they need to help themselves before they can help youStart with some type of training package.Continue training with fortnightly, monthly or quarterly updatesUse technologyGet them thinkingRun a competition

These are the basics to protect your staff

• Use Strong passwords• Use Unique passwords• Use the newest operating system and

applications you can afford and keep them updated

• Use a good Anti Virus• Be paranoid• Use Common sense

Need Help?

Fill in the form on your table and we will quite happily come and discuss your personal requirements.

Go to www.securitypolicytraining.com.au and sign up for the basic cyber security awareness course. There is a code at your table that will allow for the first 10 people to do the course for free

Questions

?

This deck will be available from our website for a limited time, I will email you the link over the next couple of days.

A video of this presentation will also be available.

If you are in management I hope that I have given you food for thought, if not I suggest that you have a word to management about a business and management wide response to cyber crime and cyber security.

Ideas

• Do you have a plan for going dark• virtual credit cards• Broken windows – get them fixed