People the biggest cyber risk

1. PeopleThe Biggest Cyber Risk Peter Cochrane cochrane.org.uk UCISA Security Conference Birmingham 3 May 2018 https://www.uos.ac.uk

2. T H E D A R K S I D E To defeat them, think as they do! “Never interrupt your enemy when he is making a mistake.” ― Napoléon “A wise man gets more use from his enemies than a fool from his friends.” ― Baltasar Gracián “To become a good defender you must ﬁrst become a good attacker” ― Me “To know your Enemy, you must become your Enemy” ― Sun Tzu

3. C Y B E R C R I M E Abridged history & cost Banking Malware Crypto-Currency Attacks Bitcoin Wallet Stealer Device & Account Hijacking RansomeWare EPoS Attack Cyber WarfareSocial Engineering DoS, DDoS Infected eMail RansomeWare Identity Theft DNS Attack BotNets Site Sabotage SQL Attack Spam Identity Theft Phishing Trojan Worms Virus 1997 2004 2007 >1000 Bn Attack Total > $2000 Bn Cost of global cyber crime Today 2013 Almost all of these attacks/attack-types can be traced back to human operators exploiting the fallibilities of individuals who have volunteered vital information by falling victim to scams, spams and trickery Social engineering is one of the most powerful tools to be widely exploited by the ‘Dark Side’ - and the approach can span to dumb and very obvious to the highly sophisticated and hard to detect

4. C Y B E R At t a c k R a p i d l y c h a n g i n g p r o f i l e s Fun Fame Notoriety Vandalism Limited Skills Limited Resources Tend to be Sporadic Rogue States Criminals Hacker Groups Hacktivist Amateurs Money Sharing Organic Dispersed Unbounded Huge Effort Progressive Cooperatives Self Organising Vast Resources Massive Market Aggregated Skills Semi-Professional Substantial Networks Skilled Political Idealists Emotional Relentless Dedicated Cause Driven Vast Networks Varied Missions Targeted Attacks Evolving Community Drugs Fraud Global Extreme Extortion Business Unbounded Professional Well Managed Well Organised Ahead of the Curve Orchestrated Effort Extremely Profitable Syndicated Resources Massive Attack Surface Vast up-to-date Abilities Covert Money WarFare Influence Pervasive Disruption Espionage Professional Sophisticated Well Organised Extreme Creativity Orchestrated Effort Political Influencers ~Unlimited Resources Tech/Thought Leaders Regime Destabilisation Population Manipulation Military and Civil Domains Almost all attacks/attack-types can be traced back to human fallibility and ambition exploitation

5. W H AT W E D E T E C T Possibly just the tip of an iceberg We need to start looking below the surface of obviousness for the hidden sophistication of the many stealth attacks that we suspect are happening that we cannot see! Ransomeware Phishing Crypto-WalletDoD/DDoS SQLi // XSS Man-in-The Middle URL Spooﬁng Cloaking Malware Covert Plant Visitors Insiders Outsiders Alongsiders Customers Contractors WiFi Tunnels Implants Malware Networks Diversions Brute Force Decoys

6. P E RV E R S I T Y Irrational situations by design Our vehicles, white and brown goods are designed to be reliable - and ‘we’ don’t expect to have to get our tools out every week to keep them running ! Reliability, resilience, and trouble free longevity is designed in from concept through design, production, delivery, and customer use Customers no longer understand how they work and certainly do not possess the skills to service and do repairs!

7. P E RV E R S I T Y Irrational situations by design Non-intuitive language, choices, conﬁgurations and options cause endless frustration

8. P E RV E R S I T Y Irrational situations by design Why does industry assume people to be capable of managing their own PC, laptop, tablet, mobile; whilst ensuring they are also always secure? I see 7 year old machines that have never had an OS update and with no security software Owners oblivious to bot nets and their vital contribution to their global success… They don’t care because they have no clue…and why should they ?

9. i n c o n v e n i e n C E FaceBook Cambridge Analytica + GDPR A month of repetitious chaos trying to get legal, ﬁx problems and patch security vulnerabilities Home Academia and Lab Company on The Road In just 3 contiguous weeks 4 x OS upgrades over ’N’ widely distributed devices + 163 App updates

10. T H E I OT Problem amplifier Exponentially increasing the Attack Surface and the inherent complexity - but will be in every home and ofﬁce, workplace, pocket and vehicle - not to mention every component, item of clothing and food +++ For The Dark Side this is as good as it gets! A great dumb question form 2017: “Why would anyone want to attack my toaster” Doh!

11. S H E E R S C A L E > 1 0 0 - 1 0 0 0 B n t h i n g s A l w a y s o n l i n e = A l w a y s a t R i s k G O O D N E W S = M a j o r i t y o f I o T d e v i c e s w i l l n e v e r c o n n e c t t o t h e I n t e r n e t ! ! This graphic by Beecham Research really conveys the IoT/M2M complexity to come

12. Iot NIGHTMare Food & toasters to vehicles https://www.youtube.com/watch?v=RZVYTJarPFs

13. Broadcasting Malware Responding with updated protection Wider Network Updated Latest Solution Update Dynamic isolation of infected devices and components leading to repair Auto-immunity A mix of clean and infected

14. Auto-immunity Mirrors biological forebears Applied everywhere 24 x 7 ICs ISPs WiFi Hubs LANs Cards Traffic Servers Circuits Devices Internet Networks Organisations Companies Platforms Groups People Mobile Fixed

15. Main Event ? Decoy ? Masking ? Diversion ? Tunnel set up ? Infiltration ? Intel Ops ? Implant ? Theft ? Tests ? +++

16. AL MALWARE SPECIATION The Dark Side are at the leading edge - are we?

17. Get our act together The essentials shopping list is reasonably short Global monitoring and shared situational awareness Cooperative environments on attacks and solutions Universal sharing of identified attacks/developments Address cloaking & decoy customer sites/net nodes Behavioural analysis of networks, devices, people To continue and expand all established efforts Auto-Immunity for all devices including IoT Secure wireless channels - invisible signals

18. Get our act together The essentials shopping list is reasonably short Global monitoring and shared situational awareness Cooperative environments on attacks and solutions Universal sharing of identified attacks/developments Address cloaking & decoy customer sites/net nodes Behavioural analysis of networks, devices, people To continue and expand all established efforts Auto-Immunity for all devices including IoT Secure wireless channels - invisible signals GDPR FALLS FAR SHORT • It involves manual processes • It is far too slow • It is not automated • No effective a responses • A hinderance not a gain • Advantageous to the Dark Side

19. WHEN WE FIX THE TECH A r e w e t h e n c l o s e t o b e i n g s a f e ?

20. AFRAID NOT ! M o r e h u r d l e s t o j u m p

21. PEOPLE THE PROBLEM I m p o s s i b l e t o c o n t r o l - c h a n g e t o o s l o w

22. S P A N O F H U M A N I T Y Impossible to fully deﬁne/understand predispositions Honest Dishonest Opportunist Hacker Black Hat White Hat Silly Extreme Careless Helpful Hapless Naive Arrogant Ignorant Unthinking Emotional Analytical Hacktivist Old Tired Distressed Confused Technophobe Technophile Depressed ill Nervous Professional Young Blue Collar Unemployed Employed Educated Uneducated Poor Rich Caring Uncaring BiasedAccepting Unaccepting loner Team Player Social Networker Insider Outsider Untidy Reckless Careful Good Bad Evil

23. C a r e l ess London is a safe city ! I was working in London and stopped for a coffee break in Soho… Soho A smart young man walked in and I spotted his badge !

24. C a r e l ess London is a safe city ! I was working in London and stopped for a coffee break in Soho… Soho A smart young man walked in and I spotted his badge ! He sat right in front of me and this is what my mobile phone could see as he booted up !

25. C a r e l ess London is a safe city ! I was working in London and stopped for a coffee break in Soho… Soho A smart young man walked in and I spotted his badge ! He sat right in front of me and this is what my mobile phone could see as he booted up ! Coffee Shop Protocol • Sit as far back from the door as possible ; ideally with no one to the rear or the sides • Check for overhead cameras • Do not wear identifying insignia of any kind • Do not boot up to an identifying company, country, government, agency badge • Check and be aware N, E, S, W

26. L O U D & R U D E There is always a price to pay ! The group next to my colleague had just chanced upon the perfect name for their new company. So he bought the domain name and all the variants before they had completed their meeting!

27. U n t i dy Litter Bug :-) Dropped receipt to a wet floor - I picked it up and this caught my eye And then the fun started !

28. U n t i dy Litter Bug :-) Dropped receipt to a wet floor - I picked it up and this caught my eye And then the fun started ! I Followed to a Coffee Shop A few minutes listening and observing aided by Goole and FaceBook and I had: Full name & address Telephone Number eMail Address Date of Birth Some History +++ My ﬁnal act was to explain to this gentleman just how expensive litter might be…and he really ought to take care! I Followed to a Coffee Shop A few minutes listening and observing aided by Goole and FaceBook and I had: Full name & address Telephone Number eMail Address Date of Birth Some History +++ My ﬁnal act was to explain to this gentleman just how expensive litter might be…and he really ought to take care!

29. O p P o rt u n i s t i c Unintended revelations & consequences TRUTH ENGINES An End Game Company Dr Peter Cochrane EU Concept Consultant DAY 1: Pass Card for an undeﬁned meeting

30. O p P o rt u n i s t i c Unintended revelations & consequences TRUTH ENGINES An End Game Company Dr Peter Cochrane EU Concept Consultant DAY 1: Pass Card for an undefined meeting TRUTH ENGINES An End Game Company Peter Cochrane Internal Affairs Advisor DAY 2: Pass Card as a member of staff

31. O p P o rt u n i s t i c Unintended revelations & consequences TRUTH ENGINES An End Game Company Dr Peter Cochrane EU Concept Consultant DAY 1: Pass Card for an undefined meeting TRUTH ENGINES An End Game Company Peter Cochrane Internal Affairs Advisor DAY 2: Pass Card as a member of staff I Was Invited to Test a Companies Revised Security My way in was to simply massage my security pass from visitor to employee I then played the role of an old boy not really up to the modern world of IT and so many wonderfully kind people came forward to help me access networks, rooms and facilities My secret? Wear a suite and a tie & look very respectable…everyone knows that hackers wear hoodies!

32. A stack of papers readable at a glance E X H I B I T I O N I S TS Government employees bragging ME Three identical laptops Three Mobiles all the same

33. A stack of papers readable at a glance E X H I B I T I O N I S TS Government employees bragging ME Three identical laptops Three Mobiles all the same In < 1hour of looking & listening I had: All there names Mobile numbers + eMail addresses Unit Codes Postal Drop Building ﬂoor and room IT Support Number and log in Who was at their meeting Meeting agenda Who said what Decisions made Project Code Name Organisations involved Objectives and progress The name of a ‘Secret Project’ Talked about in euphemisms +++++

34. THE KIND & HELPFUL Sophisticated phishing attacks https://www.youtube.com/watch?v=lc7scxvKQOo

35. T H E G O O D N E W S Habitualities are near impossible to hide We have so very many individually identiﬁable idiosyncrasies and routines that they deﬁne who and what we are to a high very degree of accuracy - especially when combined with biometrics

36. D e v i c e t h e f t Or is their something more here This is a high risk crime with a good chance of getting caught in the act or getting caught on camera.. Why would anyone do this for a few ££ an hour, or is there hidden value add that we are not seeing? https://www.youtube.com/watch?v=TWilMUpEMEk https://www.youtube.com/watch?v=tSKXZnfOe60

37. U P T H E VA L U E 100s of hack tutorials on-line A naked mobile device is one price A live mobile device with all the log-in and personal data accessible is a much better deal !

38. B E H a V I O U R A L A N A LY S I S Might just be the ‘king pin’ that holds together our security Just as we can be identiﬁed by where and what we eat, say, do; and how we walk, talk, type, behave; the friends and colleagues we meet; there is an equivalency for us and all our devices ! Sociology of People Sociology of Things

39. WO RT H R EA D I N G Strategy without tactics is the slowest route to victory Tactics without strategy is the noise before defeat Be so subtle that you are invisible Be so mysterious you are intangible Then you will control your rivals’ fate Supreme art of war applicable today ~5C BC

40. T h a n k Y o u cochrane.org.uk We posses superior technology, networks and brains - if we lose this war it is down to our organisational inabilities …and the Dark Side will have an easy win! https://www.uos.ac.uk

People the biggest cyber risk

Esté a ler uma amostra.

Confira estes a seguir

People the biggest cyber risk

Mais Conteúdo rRelacionado

Diapositivos para si (10)

Semelhante a People the biggest cyber risk (20)

Mais de University of Hertfordshire (20)

Mais recentes (20)