slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Before we start - if you found a USB drive in your car park or in your driveway What would you do with it. PowerPoint Presentation
Download Presentation
Before we start - if you found a USB drive in your car park or in your driveway What would you do with it.

Loading in 2 Seconds...

play fullscreen
1 / 67

Before we start - if you found a USB drive in your car park or in your driveway What would you do with it. - PowerPoint PPT Presentation

  • Uploaded on

Before we start - if you found a USB drive in your car park or in your driveway What would you do with it. . 50% of people would plug it in and 80% would plug it in if it had some type of logo on it. Why Cyber criminals are smarter than we think they are!.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Before we start - if you found a USB drive in your car park or in your driveway What would you do with it.' - simeon

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Before we start - if you found a USB drive in your car park or in your driveway

What would you do with it.

  • 50% of people would plug it in and
  • 80% would plug it in if it had some type of logo on it
why cyber criminals are smarter than we think they are

Why Cyber criminals are smarter than we think they are!

A study on future crime and how we can stop it

technology advantage

or is it?

Technology = advantage

Business uses Technology to gain an advantage over their opposition or competition. Advantage through better management or the use of cutting edge ideas.

The bad guys, the criminals and cyber criminals, have already developed ways to use technology well before it has been released to the general public.

Business and users are always playing catch up.

Business and users are always reactive

linear vs exponential growth
Linear vs. Exponential growth

Technological growth is not linear, it is exponential

linear vs exponential growth1
Linear vs. Exponential growth
  • The reason for that growth. Technology builds on technology, information and systems. Anything available at the time.

So 30 years since the introduction of the internet as a linear time line is equivalent to more than 10,000 years exponentially growth in technology.

30 linear steps is here to the door, 30 exponential steps is here to the moon

the apollo landing
The Apollo Landing

Speaking of the moon - The whole of NASA at the time of the first moon landing had less computing power than a single IPhone 4


Crime is exponential as well.

In the old days it was Mano au Mano - one person stealing from one person.  

We then added stage coaches, trains and banks one person stealing from a number of people.  

The Sony hack in 2011 was one person stealing from 70 million people.  


Mobile phones and pagers

Mexican drug lords with their own complete mobile phone system

android phones
Android Phones

September 2008 released to the world on HTC’s Dream

The android market went live at the same time

People started Download banking apps from the android market

In the first month 50,000 banking apps were downloaded

All were fake!

flashlight apps
Flashlight Apps

Both android and IOS

75% have a malware component

Seems to be the easiest to get through the vetting process

Why do you need a location service for a light?


Stuxnet- a virus / worm designed to cross the interface between normal business systems and access low end command and control systems, believed to have been produced by CIA and Israel.    

Duqoand flame followed - derivative of stuxnet but changed, encrypted payload and no longer targeted at specific types of computers

The problem with these types of attacks, once in the wild they are very hard to control.


Spear phishing attacks are laser guided - the RSA hack is a classic example it was specifically targeted at a specific group of 5 people.

Low tech works just as well

QANTAS lounge, coffee shop

diverse it
Diverse IT

In 2011 Diverse IT, a domain and website hosting company were hacked.

30 Minutes from total control to loosing everything.

They didn’t see it happening and once they did they had no control – they lost everything.


Vijay Kumar: Robots that fly (the TED presentation)

Now Criminalise Them


The ability to download hacking tools means that a determined 12-year old with some basic computer skills can become a successful hacker.

For the more advanced, there are cyber crime black markets that sell personal data, credit card information, tools, passwords, and successful exploits.

Criminals can rent “bot-nets” from the cyber-criminal underworld or even purchase complete online stores to collect personal information or to sell bogus products

an example
An Example

For $4000.00 you can purchase a malware / spyware creator, all packaged up. You have to be able to speak and read Russian and be willing to have a criminal check

but it comes with everything you need to be a cyber criminal including a guarantee and 24/7 tech support.


This is a competitive market, with price wars, guarantees, and special offers.

Hacking has become a big business, not only because the Internet is now “where the money is,” but because most networks, despite claims to the contrary, are inadequately defended.


These are script kiddies – using predefined systems, software and information created by others to attack people on the internet.

  • They are a serious problem!
  • Because of them everyone who uses an internet facing system is vulnerable – mobile phone, tablet, computer, cloud based systems

A bigger problem is the real bad guys, the “black hats”. The real hackers.

  • The ones that actually know what they are doing and have ways of getting round security and destroying your business, stealing your money and compromising your identity.

They are so sophisticated that in 2012

  • A criminal organisation in the Ukraine set itself up as a marketing company:
    • Selling software and websites – malware infected
  • Legitimate offices and payed taxes
  • Had all of the correct staffing including a call centre
  • Generated 500 Million Euros in revenue
  • Only 5% of the people knew they were doing something illegal
that was then what about the future
That was then, what about the future?
  • The bad guys are smart
  • The bad guys are persistent
  • The bad guys are well educated in computer systems
  • The bad guys are developing more and more sophisticated ways of gaining access to your systems and information
how do the bad guys gain access
How do the bad guys gain access?

Everyone is a target

  • They use Viruses, malware, spyware, ransom ware, RATs and focused hacking attacks
  • They have sophisticated command and control systems
  • Use and create Bot nets
  • They use sophisticated encrypted commssystems
  • Rent cloud space, super computer cycles and bot nets – with a stolen credit cards of course
  • Paid in Bit coins
  • If that doesn’t work they use social engineering and
  • Industrial espionage – usb in the car park
what do they want
What do they want
  • They want your Money
  • They want your Ideas and Intellectual Property
  • They want everyone's information – staff, users, management, clients.

Once they have it they trade the information with their illegal friends – the Black market

  • A confirmed credit card number, with name and security code will net anyware from $20.00 to $350.00 each depending on number and viability.
the cost to everyone
The cost to everyone
  • 2 trillion dollar industry – world wide
  • The actual loss of intellectual property cannot be measured
  • There are unaccountable number of lives destroyed
against bad guys how can we hope to protect ourselves
Against bad guys how can we hope to protect ourselves?

We have to protect:

  • Ourselves
  • Your staff, users and clients
  • Your assets
  • Your personal and business knowledge and your Intellectual property

We also have to protect the innocent, the unaware, the uneducated and the ill-informed people among us.

  • They are the ones with the most to loose.
  • These are the easiest to bring up to a level of awareness
internet addresses
Internet Addresses

The internet as we know it today has:

4,294,967,296 addresses

  • The new internet IPv6 has
  • 340,282,366,920,938,463,463,374,607,431,768,211,456

340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456.

why is this important
Why is this important

Everything is coming out with the ability to have an IP address configured to it.

Sim cards, RFID Chips, small computer – now 2 x 2 milometers

Making everything Internet aware creates its own problems.

Increasing your businesses Threat Vectors


Large multi national defence company in Dallas was compromised. The IT manager was an IT Nazi and could not believe that his system had been compromised.

  • He narrowed it down to the board room because of information that became available on the internet. He assumed it was the phone system or an insider and took the necessary steps
  • It was in fact the Air Conditioning system that had been plugged into his network

I don’t know about you but I consider the Internet a very dangerous place.

I compare it to walking down a dark alley, with your hands and feet shackled, a large amount of money in your wallet and a large flashing neon sign saying “ROB ME”

start here
Start Here?
  • A holistic system with more than one component
  • A system of interlocking components workingtogether
  • Business needs a framework
which framework
Which framework

COSO - Enterprise Risk

Management Integrated Framework

The business model for internet security

how about a simple framework
How about a simple framework?
  • A framework that grows with your business

A framework for building a secure business environment

  • They are
  • A framework that allows future requirements to be plugged into it without changing
  • A framework that includes the four pillars of business security

All of those technology components

Firewalls and operating systems



Cloud based and BYOD

Wireless and VPN

Anti Virus

Best Practice


A management process and we need to know who is involved in it.

The three “P’s” –








Risk Assessment

Risk Management

Disaster Recovery

Business Continuity

Cyber Resilience



Regulations and what you need from them to protect yourself

This is probably the most difficult component to define because all businesses are different


These four components, working together creates a cyber security business framework

This is a framework that creates a secure environment for your business.

  • This is a framework that tightens up your business cyber security as you add components to it.

There are lots of frameworks out there but most are produced by companies that say – “Buy my widget and you will be secure” – from the high end like Cisco, Fortinet, Juniper, Microsoft to the low end like d-link and netcomm.

  • That is not holistic!
  • A good framework has to have certain Features
the framework has to be agnostic
The framework has to be agnostic

No one thing is going to do the job but one thing from any supplier can do a job.

Each piece, is a piece in a puzzle and it is a large puzzle with a very defined goal – protect the business

The more you spend the better the features and the better the solution but you can start with the most basic and build on the components

your framework has to be manageable
Your Framework has to be manageable

Like most things in business you have to be able to manage the process

You need to have checks and balances in place so that critical and crucial data is not lost or misplaced

It has to have some level of ROI - although like Insurance this is very difficult to define and calculate.

your framework has to build defence in depth
Your framework has to build defence in depth

Each component needs to add and build up to strengthen the environment

Each component has to support the other parts of the framework

Each additional component has to be stronger that its predecessor.

your framework has to be stable
Your framework has to be stable

The framework should have the flexibility but also have the strength to protect your business.

your framework has to work
Your framework has to work

With each piece that is added there has to be accountability

Each component has to strengthen the whole not create problems and holes in your security


Cyber Security is not only an IT Problem,

Cyber Security is a whole of business problem that needs a whole of business solution

and more importantly cyber security is a management role for C level Execs and Board Members


But its not just up to them

Everyone is responsible

If you see something wrong say something

In most cases the people at the Coal Face are the people who will notice something different


Cyber security is MY problem.   I have to look at it in that context.   

Cyber security is MY problem, I am the Master of my own destiny.   

Cyber security is MY problem and If I want protection, I have to be the one protecting.   

Cyber security is MY problem and I have to protect myself and not rely on others to do that for me.


Do a independent security audit, and although audits are not cheap it is the best place to start

  • Train your staff - awareness is the key - use either a room based system or an internet based systembut build up your staffs cyber security awareness
  • Get involved
do an audit
Do an Audit
  • This is necessary to cyber security as it gives you a baseline
  • You have facts not hear say and mumbo jumbo – the ICT world is full of mumbo jumbo
  • Management can make fact based decisions
  • You can see what is needed to ensure your businesses viability
train your staff
Train your staff

Get your staff to understand that they need to help themselves before they can help you

Start with some type of training package.

Continue training with fortnightly, monthly or quarterly updates

Use technology

Get them thinking

Run a competition

these are the basics to protect your staff
These are the basics to protect your staff
  • Use Strong passwords
  • Use Unique passwords
  • Use the newest operating system and applications you can afford and keep them updated
  • Use a good Anti Virus
  • Be paranoid
  • Use Common sense
need help
Need Help?

Fill in the form on your table and we will quite happily come and discuss your personal requirements.

Go to and sign up for the basic cyber security awareness course. There is a code at your table that will allow for the first 10 people to do the course for free


This deck will be available from our website for a limited time, I will email you the link over the next couple of days.  

A video of this presentation will also be available.  

If you are in management I hope that I have given you food for thought, if not I suggest that you have a word to management about a business and management wide response to cyber crime and cyber security.

  • Do you have a plan for going dark
  • virtual credit cards
  • Broken windows – get them fixed