Before we start - if you found a USB drive in your car park or in your driveway, what would you do with it?
50% of people would plug it in, and 80% would plug it in if it had some type of logo on it.
Why cyber criminals are smarter than we think they are!
A study on future crime and how we can stop it
Business uses technology to gain an advantage over its opposition or competition: advantage through better management or the use of cutting-edge ideas.
The bad guys, the criminals and cyber criminals, have already developed ways to use technology well before it has been released to the general public.
Business and users are always playing catch up.
Business and users are always reactive
Technological growth is not linear, it is exponential
So the 30 years since the introduction of the internet, on a linear timeline, is equivalent to more than 10,000 years of exponential growth in technology.
30 linear steps takes you from here to the door; 30 exponential steps takes you from here to the moon.
Speaking of the moon - the whole of NASA at the time of the first moon landing had less computing power than a single iPhone 4.
In the old days it was mano a mano - one person stealing from one person.
We then added stage coaches, trains and banks - one person stealing from a number of people.
The Sony hack in 2011 was one person stealing from 70 million people.
Mexican drug lords with their own complete mobile phone system
That was the normal criminals and terrorists; what about the cyber criminal?
In September 2008 Android was released to the world on HTC's Dream.
The Android Market went live at the same time.
People started downloading banking apps from the Android Market.
In the first month 50,000 banking apps were downloaded
All were fake!
Both Android and iOS
75% have a malware component.
These seem to be the easiest to get through the vetting process.
Why do you need a location service for a light?
Stuxnet - a virus / worm designed to cross the interface between normal business systems and access low-end command and control systems, believed to have been produced by the CIA and Israel.
Duqu and Flame followed - derivatives of Stuxnet but changed, with an encrypted payload and no longer targeted at specific types of computers.
The problem with these types of attacks is that once they are in the wild they are very hard to control.
Spear phishing attacks are laser guided - the RSA hack is a classic example; it was targeted at a specific group of 5 people.
Low tech works just as well
QANTAS lounge, coffee shop
In 2011 Diverse IT, a domain and website hosting company, was hacked.
30 minutes from total control to losing everything.
They didn’t see it happening and once they did they had no control – they lost everything.
Now Criminalise Them
The ability to download hacking tools means that a determined 12-year-old with some basic computer skills can become a successful hacker.
For the more advanced, there are cyber crime black markets that sell personal data, credit card information, tools, passwords, and successful exploits.
Criminals can rent "bot-nets" from the cyber-criminal underworld or even purchase complete online stores to collect personal information or to sell bogus products.
For $4000.00 you can purchase a malware / spyware creator, all packaged up. You have to be able to speak and read Russian and be willing to have a criminal check, but it comes with everything you need to be a cyber criminal, including a guarantee and 24/7 tech support.
This is a competitive market, with price wars, guarantees, and special offers.
Hacking has become a big business, not only because the Internet is now “where the money is,” but because most networks, despite claims to the contrary, are inadequately defended.
These are script kiddies – using predefined systems, software and information created by others to attack people on the internet.
A bigger problem is the real bad guys, the “black hats”. The real hackers.
Everyone is a target
Once they have it they trade the information with their illegal friends – the black market.
We have to protect:
We also have to protect the innocent, the unaware, the uneducated and the ill-informed people among us.
The internet as we know it today has 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456 IP addresses.
Everything is coming out with the ability to have an IP address configured to it.
SIM cards, RFID chips, small computers – now 2 x 2 millimetres.
Making everything Internet aware creates its own problems.
Increasing your business's threat vectors
A large multinational defence company in Dallas was compromised. The IT manager was an IT Nazi and could not believe that his system had been compromised.
I don’t know about you but I consider the Internet a very dangerous place.
I compare it to walking down a dark alley, with your hands and feet shackled, a large amount of money in your wallet and a large flashing neon sign saying “ROB ME”
COSO - Enterprise Risk Management Integrated Framework
The business model for internet security
A framework for building a secure business environment
All of those technology components
Firewalls and operating systems
Cloud based and BYOD
Wireless and VPN
A management process and we need to know who is involved in it.
The three “P’s” –
Regulations and what you need from them to protect yourself
This is probably the most difficult component to define because all businesses are different
These four components, working together, create a cyber security business framework.
This is a framework that creates a secure environment for your business.
There are lots of frameworks out there, but most are produced by companies that say – "Buy my widget and you will be secure" – from the high end like Cisco, Fortinet, Juniper and Microsoft to the low end like D-Link and NetComm.
No one thing is going to do the whole job, but one thing from any supplier can do a job.
Each piece is a piece in a puzzle, and it is a large puzzle with a very defined goal – protect the business.
The more you spend the better the features and the better the solution but you can start with the most basic and build on the components
Like most things in business you have to be able to manage the process
You need to have checks and balances in place so that critical and crucial data is not lost or misplaced
It has to have some level of ROI - although like Insurance this is very difficult to define and calculate.
Each component needs to add and build up to strengthen the environment
Each component has to support the other parts of the framework
Each additional component has to be stronger than its predecessor.
The framework should have the flexibility but also have the strength to protect your business.
With each piece that is added there has to be accountability
Each component has to strengthen the whole not create problems and holes in your security
Cyber security is a whole-of-business problem that needs a whole-of-business solution,
and more importantly cyber security is a management role for C-level execs and board members.
Everyone is responsible
If you see something wrong say something
In most cases the people at the coal face are the people who will notice something different.
Cyber security is MY problem. I have to look at it in that context.
Cyber security is MY problem, I am the Master of my own destiny.
Cyber security is MY problem and if I want protection, I have to be the one protecting.
Cyber security is MY problem and I have to protect myself and not rely on others to do that for me.
Do an independent security audit; although audits are not cheap, it is the best place to start.
Get your staff to understand that they need to help themselves before they can help you.
Start with some type of training package.
Continue training with fortnightly, monthly or quarterly updates
Get them thinking
Run a competition
Fill in the form on your table and we will quite happily come and discuss your personal requirements.
Go to www.securitypolicytraining.com.au and sign up for the basic cyber security awareness course. There is a code at your table that will allow the first 10 people to do the course for free.
This deck will be available from our website for a limited time, I will email you the link over the next couple of days.
A video of this presentation will also be available.
If you are in management I hope that I have given you food for thought, if not I suggest that you have a word to management about a business and management wide response to cyber crime and cyber security.