2015 a cybersecurity year - coding the...

Post on 15-Mar-2018


Robert Annett @robert_annett

2015 A CyberSecurity Year

Why was 2015 special?

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Source: http://www.bloomberg.com/graphics/2014-data-breaches/

Note

• The data taken is not necessarily about the target breached

• Sensitivity for the client does not necessarily indicate effect on the data holder

• Number of records does not necessarily indicate sensitivity

• Number of records and sensitivity do not necessarily indicate financial cost

Who has borne the consequences?

What effect has this had?

F.U.D

Regulation

Regulation

• Different per region e.g. EU
• Different per country/state
• Different per industry
• Can be contradictory

Many regulators are now introducing regulation to protect data. However…

Some UK Regulatory Authorities

• ICO
• FCA
• PRA
• FRC
• GMC
• MHRA
• OFCOM
• ONR
• OFGEM
• OFWAT
• EA
• …

This is NOT exhaustive!

Example recent Cybersecurity Regulation/Guidance (Mainly Financial Services)

• European Commission
  • EU Cybersecurity Strategy (Action 124) (2014)
  • Directive on network and information security (2014)
  • Policy on Critical Information Infrastructure Protection (CIIP) (2013)

• EBA (European Banking Authority)
  • Guidelines on the security of internet payments (December 2014)

• HMG Department of Business, Innovation and Skills (Cabinet Office)
  • Cyber Essentials Scheme (June 2014)
  • Guiding principles on cyber security (Dec 2013)

• CERT-UK National Computer Emergency Response Team, The National Cyber Security Strategy (2013)

• BoE – CBEST Vulnerability Testing Framework (2013-2015)

• FCA (Financial Conduct Authority)
  • Handbook specifies best practices/NIST
  • Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services (November 2015)

• AIMA (Alternative Investment Management Association)
  • Guide to sound practices for Cybersecurity (October 2015)

• HFSB (Hedge Fund Standards Board) - Cyber Security for Hedge Fund Managers (May 2015)

• SEC (Securities and Exchange Commission) Office of Compliance Inspections and Examinations
  • Cybersecurity Examination Initiative (September 2015)
  • Division of Investment Management – Cybersecurity Guidance Update (April 2015)

• FINRA (Financial Industry Regulatory Authority) - Report on Cybersecurity Practices (Feb 2015)

• NYSE - Navigating the Digital Age: Cybersecurity Guide (October 2015) – a 355 page book!

This is NOT exhaustive!

Irony of the week!

Enforcement

• Serious Organised Crime Agency (SOCA) e-crime unit
• The Police Central e-crime Unit (PCeU)
• The Medicines and Healthcare products Regulatory Agency (MHRA)
• H.M. Revenue & Customs
• Child Exploitation and Online Protection (CEOP)
• National Crime Agency (NCA)
• National Fraud Agency (NFA)
• National Fraud Intelligence Bureau (NFIB)
• Office of Fair Trading (OFT)
• Cyber Security Operations Centre (CSOC)
• Europol Cybercrime Centre (EC3)
• Interpol
• GCHQ

Who do you report cybercrime to?

This is NOT exhaustive!

Money

Products

There has been an explosion of cybersecurity products and services

Products

• Virus Scanners
• Malware scanners
• Spam Filters
• Phishing Filters
• Email Link Rewriters
• Malicious Website Detection
• Cyber Security Training
• Firewalls
• Pentests
• Intrusion detectors
• Mobile Device Managers
• Authentication devices
• Password storage
• Behavioural Detectors
• Data loss prevention systems
• DarkWeb Monitoring
• Risk Alerting
• Tiger Team Reviews
• Cyber Insurance

This is NOT exhaustive!

Some products and services provide little value

Due Diligence

Do you know what your vendors’ processes are?

Do you know who your vendors really are?

Do your vendors subcontract?

Where are they located? Safe Harbour?

You may also be the subject of a DDQ

Some Actions

• Perform an audit of your current equipment, data and processes

• Identify your ‘crown jewels’

• Identify if any regulation applies

• What are the relevant best practices?

• Do you have:
  • Disaster Recovery Plan
  • Business Continuity Plan
  • Incident Response Plan
  • Data Access Policies
  • Data Protection Policies

“60% of threats are caused by ‘People Issues’ rather than technology”

Verizon 2015 Data Breach Investigations Report

Consider the People as well

• Security training (job relevant)
• Phishing Training
• Data loss training
• Incident Reporting
• Password choice

Let’s now discuss!

robert.annett@codingthearchitecture.com

@robert_annett on Twitter
