1 Script The May 2015 THE NEWSLETTER KEEPING YOU CONNECTED WITH CREST UK Cyber Security: The role of insurance ALSO INSIDE Update from Ian Glover Record numbers at Congress 2015 A review of CRESTCon Congress Inspired Careers: Internships New Members AGM review CREST Industrial Control project - status UK Cyber Security: The role of insurance Getting to know you? Member Focus New Exam: Threat Intelligence Manager CREST shortlisted in SC Magazine Awards Cyber Essentials Update Call for reasons to work in Cyber Security What s in your loft?
2 AN UPDATE FROM IAN GLOVER Welcome to the latest edition of SCRIPT, packed with useful information and views. But before you browse through the rest of the content, I hope you will take a minute for a whistle-stop round-up of what is proving to be a busy and exciting time for CREST and its members. The buzz and enthusiasm around CREST was captured at last month s CRESTCon and IISP Congress, with 21 exhibitors, 14 sponsors, 350 delegates, live demos, two streams of firstclass presentations and of course some excellent networking opportunities. It was really good to see CREST Australia represented by Greg Rudd who was warmly welcomed and presented with a wide range of views. I hope those of you who attended found it enjoyable and valuable and we look forward to seeing even more of you all next year. CREST is increasing its level of influence in the support of its members and the buying community with the increase in membership. We are now in a position where we represent a significant proportion of the technical security professional services in the UK with significant increase in international interest and support. It is interesting to note that despite a significant increase in the level of understanding of CREST s role in supporting the buying community and the increase in members there, have been no complaints around CREST members passed to CREST over the last 12 months. When looking at examinations we have also had very healthy take up and now have 569 CREST qualified individuals. Simulated Attack Specialist and Simulated Attack Manager are proving particularly popular, with the STAR/CBEST Threat Intelligence Manager launched last month and new examinations for Intrusion Analyst and Mobile Applications Testing on the way. Our aim to support learning and development has led to the first six CREST accredited courses all listed on our website for recommended examination preparation. In addition, we are in dialogue with a small number of Universities with a view to them proctoring CREST Practitioner examinations to provide a better geographic spread. Bournemouth University will be managing the CREST Academic Partnership Programme for 12 months and meeting with other Academic Partners to determine the preferred deliverables from the scheme. CREST continues its support in encouraging the very best youth into our industry. We are working with the Tech Partnership on the creation of higher apprenticeships specifically designed for the technical security industry. We are very much trailblazing the way on new internships in line with government and industry initiatives. CREST has taken over some of the responsibility from the Tech Partnership on providing young people with internship opportunities. Internships provide young people with invaluable work experience and employers with the opportunity to try before they buy. The take up of interns into full employment by the CREST member companies has been really high. If you think that you may be able to use an Intern please let me have your details as soon as possible to take advantage of the summer internship opportunities. The opportunities provided and case studies will have a significant amount of profile as they will also form part of the new Inspired Careers website project supported by BIS which is likely to have a Ministerial launch later this year. We are continuing to develop a better relationship with specialist recruitment companies and individuals by working on a Code of Conduct and possibly some form of membership status, with the aim of improving the recruitment experience, promoting CREST and ensuring recruiters act in a professional and ethical manner. In addition to the paper and ebook formats, all the CREST research publications are now available to download from the CREST website. These can all be used IPR free provided that reference is given in the original document. This will allow members and others the opportunity to brand them within their own marketing portfolio. Please contact Elaine Luck (elaine. for the full branding guidelines. We have also had a great deal of really positive feedback on the Cyber Security Incident Response Maturity model, again freely available from the CREST website. The tool is now being used by members for private and public sector companies in the UK and Australia. Again if you would like any additional information on the tool please contact me. We have started this year s programme of research projects with workshops on the accreditation of SOC providers. We have also started the research project on the assurance of industrial control systems. This work is being undertaken with the full support of authorities in the UK and USA. Invitations for the working group have been issued and we are also embarking on more research projects including SCADA and secure software research projects. Work on internationalisation is also accelerating and CREST Australia now has 19 members and has issued some 70 exam certificates. We are looking closely at how we move forward into other regions and what we want to achieve. We are in dialogue with the governments and regulatory bodies over possible new chapters and are also working to promote the use of CREST approved companies abroad. As part of this we went to RSA in San Francisco, funded by UK Government. This is only a snapshot of what is happening at CREST so please read on for more information and contact me if you have further questions or if you have ideas to contribute to our ongoing success. Ian Glover, CREST President
3 Record numbers at CRESTCon & IISP Congress 2015 CRESTCon, held alongside IISP Congress, took place on 18th March at the Royal College of Surgeons in London. This year tickets sold out more than two weeks ahead of the event and a waiting list was put into effect. Our apologies to anyone who was unable to get hold of a ticket but we look forward to seeing you next year. Just remember to book early. We do hope to provide more capacity in response to the growing levels of support for the event across the CREST and IISP communities and the information security industry as a whole. Most of the presentations from Stream 1 and Stream 2 are available to download from dropbox at:https:// AABNq7zAXSXkZDswbC_CA_qca?dl=0 Videos of some of the presentations and interviews with the speakers are also available on the CREST YouTube channel: https://www.youtube.com/playlist?list=plz2xfvi KjM5u1mARreGCSTNVIc0cb4D2x Thank you to everyone who has provided feedback, both in person and through the online survey. We will certainly be putting some of your thoughts and ideas into practice for next year. There is still time to complete the survey at: https://www.surveymonkey.com/s/9hdk557 A big thank you also to all of our sponsors; without you it wouldn t be possible. HP (Headline), Mandiant - a Fireye company (Silver), 7Safe, BitSight, CheckSec, CISCO, Digital Shadows, Gotham Digital Sciences, Infosecure Group, PwC, QinetiQ, NCC, Nettitude, Royal Holloway, Security Alliance & Titania.
4 A review of CRESTCon & IISP Congress By Artur Gemes, student at Bristol University As a student attending for the first time, the idea of the CRESTCon & IISP Congress was quite daunting. With the presentations aimed at security professionals, and some of the biggest names in the industry attending and presenting, I was worried that I would find myself out of place. To my great relief I quickly found that this was not the case, and within minutes of sitting down for the first talk of Stream 1 I realised that I had made the right decision by attending. I thoroughly enjoyed all the talks, and I found that none of them were too technical to follow, although I think a few times some prior knowledge would have gone a long way in helping me understand the subject of the talk. I especially enjoyed the talk by consultants Dor Tumarkin and Kyle Lovett from Cisco, which focused on highlighting the issues with home modem routers, and the talk by developer Steve Elliott from Context Information Security, which was his story behind developing RDP-Replay, a tool for taking an RDP packet capture and replaying the session as a real time video. Dor Tumarkin and Kyle Lovett s talk about modem routers was a real eye opener to just how terrible security is on home office devices. Even though you know at the back of your mind that a home office device won t offer a great deal of security, when you are presented with the facts it suddenly becomes a lot more real. Although the talk almost had a bit of a doomsday feel to it, the presentation was brilliant, and really highlighted the need for regulating manufacturers and vendors with regards to the security of their products. Steve Elliott s story of how he made RDP-Replay was fascinating. He explained the main challenges he faced while producing the software which involved tackling encryption and learning the intricacies of RDP. He then demonstrated what RDP-Replay is capable of by showing a video produced by the software of a threat actor that had infiltrated a business network. The bit of the talk I found most interesting was how the videos produced by RDP- Replay helped build a profile of the threat actor, and how it also lead to the discovery of other infected machines. After a brief Q&A it was clear that the talk impressed the whole room, and that many in the audience would be eagerly awaiting the potential release of the tool. The frequent tea and lunch breaks were a good opportunity to digest the talks, look around the stands, and to meet some interesting people in the industry. I was able to find out about job opportunities at numerous companies, as well as hear about personal experiences from staff within those companies. Hearing about how people got into the industry in the first place was also interesting. It was comforting to know that some of the clearly very knowledgeable people had entered the industry at a much later stage in their career than I am attempting to. To add a little perspective, I am a Computer Science student at the University of Bristol and I was attending the event with two other students from the university. Our courses have some overlap, but the main thing we have in common is our membership of InfoSec Bristol, a student-led group with the aim of providing students with opportunities to learn about, discuss and practice penetration testing and digital forensics. Although our courses give a bit of an introduction to computer security, most of our knowledge and skills in the field have been attained by seeking out challenges online (there are numerous sites online providing challenges for all skill ranges) and attending hackathon-style events at the university.
5 On top of the regular information stands that various vendors had set up at the event, there were two unique stands which I felt really added value to the event. The first was NCC Group s small demo stand that showed how a malicious Blu-ray Disk could be used to gain privileged access on a Blu-ray Disk player, or even on a computer that had PowerDVD installed. This went hand in hand with their presentation about hardware hacking and IoT devices (delivered by NCC security consultants Stuart Criddle and Brendan Saunders). I found that this talk was a good introduction to those with little experience in hardware security, and it definitely inspired me to look at common appliances around the house in a new light. The second was HP s interesting challenge stand. The objective was to break into mocked-up Taliban servers in order to gain access codes to various parts of a missile system that was aimed at London, and to then use the access privileges gained to aim the missiles into the sea instead. There was a small, USB missile launcher that could be controlled from the virtual system for a bit of added fun, and a large score board showing the current progress and completion times for each challenger. This could be seen by everyone, which really added to the competition. Even though I had minimal experience I decided to take a crack at the challenge - I m not one to pass up such a learning opportunity. The challenges were quite quick to do, and I imagine for someone who had a good deal of experience they would have been quite easy too. For those that didn t, help was at hand to guide you through, and even I managed to finish in about 10 minutes. Challenges involved some arbitrary code execution, breaking into badly configured Apache Tomcat servers, and required some basic knowledge of nmap and ncat. Overall the conference was a brilliant experience. I thoroughly enjoyed all of the talks, and learnt a great deal from each. The stands were very approachable, even as a student, and the atmosphere was relaxed throughout the day. This was especially true of the closing drinks, which provided a final opportunity for networking and discussion of the day s events. I would urge anyone interested in information security to attend the event if they get the opportunity, it may well be just what s needed to kick-start their career in the field. I look forward to CRESTCon & IISP Congress 2016.
6 Inspired Careers: Internships The Inspired Careers interactive careers hub launches for comment next month and will advertise a wide range of internships, alongside other employment opportunities. We encourage all CREST members to consider offering an internship place or first job and use Inspired Careers to promote it and your company to the next generation of talent. Inspired Careers brings together information on the wide range of careers available in the industry and helps people to choose not only what they want to do now, but also to plan out their own career path. Alongside the job and internship ads, the hub has information on relevant professional and academic courses, articles, whitepapers and social media advice. One of the key areas of content are the Day in the Life films that show real people talking about their job roles. Internships for students in higher education play an important role in developing our cyber security workforce by providing the opportunity to experience the cyber security work environment. Benefits for employers include having high-calibre students in their team whom they might want to employ, offering significant reductions in long and short term employment costs. Employers can also develop contacts through those students with one or more universities and play a part in developing this industry. If you haven t offered internships before, we urge you to consider doing so. The interactive hub is being operated by CREST with UK Government National Cyber Security Programme funding and support from other leading professional bodies. If you would like more information on how you can get involved, please contact
7 Members New First Base Technologies LLP Founded in 1989 by Peter Wood, First Base Technologies LLP provides independent security consultancy, testing and security awareness services. We pride ourselves on being ethical, pragmatic and professional, delivering quality services on time and within budget. The independence of our advice is guaranteed, since we have no commercial involvement in product sales or installation. You will appreciate our commitment to maintaining a long-term business relationship, with expert opinion available on demand whenever you need it. Our CREST membership and our ISO 9001 and ISO certifications demonstrate a dedication to quality service and information security management that you can depend on. We don t just talk about information security, we live and breathe it. Experts in their fields, our people are thought leaders in security counter-measures, analysis and emerging technologies. They work to the highest professional and ethical standards, whether they are providing advice, testing your defences or helping educate your staff. You can be sure that your information security is in safe hands. We have always prided ourselves on our professionalism, quality of service and cyber security skills. Joining CREST was a natural step for us, demonstrating our commitment to the best possible cyber security services for our client and business partners. Peter Wood, CEO, First Base Technologies LLP SureCloud Since 2006, SureCloud s security testing and assurance services have helped organisations secure their information assets, systems and data. Service offerings include network and application penetration testing, physical security and social engineering, design and architecture review, information security consulting, a range of managed services, and bespoke services tailored to suit individual requirements. All SureCloud Services are underpinned by the SureCloud Platform an innovative, cloud-based system allowing project stakeholders to collaborate and manage all aspects of services from start-up, execution, delivery through to post-test support. A vulnerability management system ensures that it is no longer necessary to trawl through static PDF reports to analyse vulnerabilities. In addition SureCloud helps to automate IT Governance, Risk and Compliance (GRC) processes, such as Compliance Audits, Risk Assessments, Incident Management, Policy Compliance and Third Party Supplier Management programmes. The SureCloud Platform supports an agile approach to implementation and per user pricing which dramatically reduces the total cost of ownership. SureCloud is headquartered in Reading, Berks, with more than 350 customers throughout the UK from the Retail, Legal, Travel, Financial Services and Government sectors. For more information visit SureCloud is delighted to become a CREST member company. CREST is setting the standard for security services companies and their consultants. We are confident that this further enhances our proposition to clients and are looking forward to being more involved in the CREST community moving forward. In addition, SureCloud is now in a position to offer Cyber Essentials audits through the SureCloud Platform, our innovative Governance, Risk and Compliance (GRC) solution. - Richard Hibbert, CEO, SureCloud Limited
8 AGM review This year the CREST AGM took place at the Royal College of Surgeons in London on the 17th of March, the day prior to the CRESTcon & IISP Congress. We had a great turnout with 36 representatives from 23 companies in attendance. There have been some changes to the board members as we said goodbye to two very long standing CREST Executive members, involved with CREST from the very beginning: Paul Docherty who managed CREST finances for many years and Paul Vlissidis, who led Marketing for CREST, both of whom were instrumental in the establishment of CREST and have been important contributors to its growth and development. Also Punam Tiwari (IRM), who contributed in a legal capacity, has stepped down - we are grateful for her contribution and wish her well. They will all be missed. And with that, we welcome three new members to the Executive: Ken Munro, Pen Test Partners LLP Ken has over15 years in the industry, in both Sales and Technology, and has experience of running security companies of all sizes. He specialises in engagement with the press and journalists in the promotion of the Information Security industry and security best practice in general. Mark Turner, NCC Group Mark is responsible for the Operations, Management and Development for a team of 80 people within NCC Group. Mark is passionate about developing the UK IT Security industry and making it the most professional and highest regarded in the world. As such, he founded BSides Manchester a free event to the participants and is keen to continue his contribution to the security community with CREST. He is also active in the development of the next generation of security professionals and is currently working in an advisory capacity with a University on the design and content of a new Information Security degree. Martin Walsham, Info-Assure Ltd Martin is responsible for the security testing, security assurance and cyber security incident response services within Info-Assure. He is a CLAS Consultant and has provided security assurance guidance across a wide cross-section of Government including Education, Transport, Justice, Policing, Health, Defence and local Government. Martin s background is in standards compliance and development and he has a keen interest in professionalising the cyber security services and in the recognition of CREST within the UK and overseas. Congratulations to Paul Midian, PwC, who has been re-elected and retains the Chairmanship of the Executive. Paul also holds the Standards and Operations portfolio on the Executive and has been involved in the CREST organisation since its inception. Paul is a director at PwC and is an accomplished consultancy practice head and information security consultant with 20 years experience. Previously, Paul was a Director at Information Risk Management Plc. During his tenure revenue increased by over 75% and the company won the Secure Computing Information Security Consultancy of the Year 2013 award. He has led consulting teams for most of his career and prior to working at IRM he was Head of Security Testing at Siemens Enterprise Communications (formerly Insight Consulting).
9 CREST Industrial Control Systems Technical Security Assurance project - current status T he CREST Industrial Control System (ICS) Technical Security Assurance project has now commenced. Initial research is being undertaken with a particular focus on reviewing current standards and good practice in this area including the DHS / CPNI document Cyber Security Assessments for Industrial Control Systems. The main objective of this research initiative is to produce a Guide that will help organisations determine what they need to do to secure ICS environments, the best approach to take, and where to go for the right kind of help. The final Guide will be released for use in the public domain and will be free of intellectual property restrictions. A number of CREST Members have already been interviewed and have provided deep insights into the unique challenges of technical security testing in ICS environments. Those Members with a particular interest or expertise in this area are encouraged to contact the project manager Andrew Wilson The requirements workshop for this project is due to be held in June and Members are invited to register to attend this event by contacting Elaine Luck
10 UK Cyber Security: The role of insurance
11 L ast month the UK Government released its report on joint initiatives between government and the insurance sector to tackle cyber risk. You may have already seen it but if not, here is a link to the report: https://www.gov.uk/government/publications/uk-cyber-security-the-role-of-insurance The report heavily references the Cyber Essentials Scheme and recognises that cyber insurance is an increasingly important risk management tool that should be implemented alongside more technical security controls. CREST welcomes the report s endorsement of the Cyber Essentials Scheme. The insurance industry now has an easily accessible standard on which it can layer cyber insurance products. We can all look forward to working closely with the insurance sector to integrate these services to the benefit of businesses operating in the UK.
12 to Getting to know you Name: Andrew Gill Company: Professional: What was your first role in information security and how did it come about? In terms of roles, this is my first official job/role in infosec. I did, however, complete a 3 month internship back in summer 2014 with Context Information Security which was my first step into working in infosec. At what point did you realise you wanted a career in infosecurity? I ve always been an old school hacker, not the media s depiction of the word, I enjoy taking things apart and hacking them to work better or do things they shouldn t. I didn t decide I wanted a career in infosec, I sort of fell into it. If I was to dial it down to a time in my life it was when I accidently chose the wrong (right) university course in 5 th year of secondary school. What degree or other qualification did you do and how did it help get you into infosecurity? BEng Digital Security, Forensics and Ethical Hacking (one of the longest degree titles at my university) from Glasgow Caledonian University. Also currently studying for my SANS GPEN & CREST CRT What has been your biggest professional achievement to date and why? My biggest professional achievement to date is landing a job right out of university! What is your best advice to anyone entering a career in infosecurity? Look at events related to security like conferences, read a lot, make sure you have soft skills like speaking to people as they are a massive bonus. You only need to stand out on paper once, you could be the best person on the planet at hacking, you could have the best skills but if you can t talk to someone about it and explain it you re not going to get very far. It s the skills you learn from reading and playing with things that keep you the job, it s the people skills that allow you to progress to the next level, gain new skills/contacts and progress. What are the best and the worst parts of your current role The best and worst part combined of my current role is that I work from home, you might wonder why it is both the best and worst? Well its brilliant don t get me wrong, I can rock up out of bed at quarter to nine and be working by 9 which is a bonus, however it lacks the social interaction of working in an office where you are speaking to folk when getting coffee and lunch, which is always nice as I m a social kind of IT guy. Dell SecureWorks Job Title: Penetration Tester/Security Consultant What surprised you the most when you started working in this field? How easy it is to learn things on the job and also how unaware clients are of security, the naivety of some people is scary. How do you see the industry developing in the future? It is an ever growing industry and it s only going to continue. The way that technology is going a lot of technology companies are forgetting about security vs features, and even now there are masses of devices that hit the market and boom within a week or two they ve been hacked. Personal: What has been your biggest personal achievement to date and why? To date my biggest personal achievement was in 2009 when I achieved my 1st Dan Blackbelt in Karate, then proceeded to teach it for 5 years. I still teach now when I can. What is your claim to fame? I ve been on the BBC a couple of times in photos and in video clips related to karate and infosec (just not at the same time) How would you describe yourself (not what you do) in Twitter fashion (140 characters or less)? I m a ninja people person technology geek. I like electronic music too! What is your biggest weakness? Not sure, if that was phrased in terms of martial arts I d say I fight southpaw and it can be counterproductive sometimes. If you could have dinner with anyone, past or present, who would it be and why? Simon Peg or Jim Jeffries as they re really decent funny guys. Do you have any pets? Technically no, however my girlfriend has a cat and a dog both of which I look after sometimes so does that count? Do you have a celebrity doppelganger? Yes, I look a lot like Jesse Eisenberg specifically when he starred in the social network.
13 Member focus Gotham Digital Science (GDS) is a leading international information security consulting firm focused on security testing, secure development lifecycle consulting, and security research. GDS works with clients across a range of sectors, including financial services, government (as a CESG CHECK provider), technology, retail, and energy. Since its founding in 2005, GDS has expanded to currently serving its international clientele from its UK office in London, and its US offices in New York and Charlotte (North Carolina). On the security testing side, GDS s highly skilled security consultants assess custom applications for clients be they web application, mobile applications or embedded hardware, as well as performing complex network and infrastructure penetration testing and Red Teaming assessments underpinned by the security research team at GDS Labs. On the secure development lifecycle side, GDS s consulting team work with clients on how they can add security into their software development lifecycle, including providing subject matter expertise assistance, process and business transformation, and solution integration and training. CREST membership was a natural choice for GDS, both as a pathway for certifying our staff as well for the company said Justin Clarke, Director at Gotham Digital Science, We have benefited from CREST membership through being accredited as a CBEST penetration testing provider, as well as a Cyber Essentials certifying body. GDS uses CREST certifications as part of the core technical development syllabus for its UK based staff, and looks forward to starting the same process with its US based staff in the near future due to the international recognition of CREST certifications.
14 The Script FEBRUARY 2015 New Exam: CREST Certified Threat Intelligence Manager An update from David Cannings, Project Coordinator The Certified Threat Intelligence Manager exam has now been launched, following successful alpha and beta exams earlier this year. The examination is aimed at individuals who manage engagements to collect, analyse and disseminate threat intelligence to clients. It covers the core principles of how to obtain data and turn it into intelligence in a safe, controlled manner. Why is it important? Awareness of threat intelligence is increasing among the buying community, especially with the introduction of the CREST STAR and Bank of England CBEST schemes. The ability to supply high quality threat intelligence whilst conforming to stringent ethical and legal standards requires careful management during an engagement. The CCTIM qualification provides assurance that an individual has reached the appropriate standard for delivering these services. Who is it for? The examination is aimed at individuals who have experience managing a team producing threat intelligence. This is a broad discipline and it is recognised that individuals will have different expertise, therefore the examination covers a mixture of traditional intelligence analysis and technical content relating to current cyber threats. How can I find out more? The syllabus and notes for candidates documents have been published on the CREST website and are available for download. CREST is thankful to NCC Group, Digital Shadows, MWR Infosecurity, PwC, Intelliagg, BAE Systems, Control Risks, Mandiant, Nettitude and Verizon for their assistance during the exam beta process. The CCTIM exam is now live and bookings can be made through CREST.
15 The Script FEBRUARY 2015 CREST shortlisted in SC Magazine Awards CREST has been named as one of the finalists in this year s prestigious SC Magazine Awards, in the category for Best Professional Training or Certification Programme. The place on the shortlist reflects CREST s wide range of work in this area including the CBEST and STAR schemes in partnership with the Bank of England and the development of the technical assessment and certification framework for the UK Government s Cyber Essentials and Cyber Essentials Plus initiative. It also recognises the increasing importance of CREST accreditations across government and industry to ensure the highest levels of knowledge, skills and competence. CREST is delighted to have reached the SC Awards finals at the end of what has been an exciting 12 months. Despite setting the bar very high, 2014 saw CREST s membership grow by 40%, with almost 45% increase in exams taken, but more importantly an increase in the level of influence and the recognition by the buying community. As well as increasing the levels of professionalism in the industry, it also means that the UK s talent pool is growing and includes some of the brightest and most capable security experts in the industry. We also congratulate other CREST members who have made the finals: Context Information Security, KPMG, NCC Group and Nettitude. The Awards, judged by a panel of experts from the information security profession, are designed to honour professionals working to secure enterprises of all sizes and the vendors that deliver innovative security technologies. The presentations to the winners of the SC Magazine Awards 2015, Europe will be made on Tuesday 2 June at the Grosvenor House Hotel on Park Lane.
16 How do you steal $60 million in 60 seconds? he digitalization of our lives has radically changed the way we live, love, work and play. Unfortunately, it also has changed the way criminals perpetrate crimes, says Andrzej Kawalec, TChief Technologist at HP Enterprise Security Services.
17 The Script MAY 2105 In the on going fight against cybercrime, it s vital to understand your adversary. Modern cyber criminals have evolved from the mafia families of the 50s, the drug cartels of the 90s and todays eastern European criminal syndicates. They hold a significant competitive advantage over companies trying to protect their digital assets and national law enforcement. Let s consider how innovative this dark world of crime has become. It is a criminal world which operates the most sophisticated and vertically integrated global network ever conceived and they have stayed one step ahead of us with every law passed or procedure put in place. This shadowy network generates more than $104 billion in illegal revenue each year, and perpetrates 16 cybercrimes per second. This is a world where bank accounts and national secrets are ripped apart and sold to the highest bidder every day. They are better funded, do not respect national borders and use the anonymity of the internet to collaborate freely. Two thirds of cyber criminals are under the age of 24, as a global industry they understand how individuals and organizations are using new digital platforms, they are able to exploit the opportunities offered by the new style of it in much the same way commercial businesses do. Stealth and speed are a criminal s greatest assets. In addition, traditional and cyber criminals are coming together to execute orchestrated global crime sprees. Traditional criminals can buy hacking-as-a-service offerings online with free tech support, dashboards to track the performance of malware. And when its job is complete, they just stop paying for it. For example, a global criminal ring recently hacked into a bank s network, took control of a handful of pre-paid debit cards and increased the accounts to an unlimited level. Then they sent those details around the world, where well-coordinated gangs walked from ATM to ATM with the magnetic strip information withdrawing handfuls of cash. One gang in New York City hit 2,000 ATMs in a matter of minutes. This crime allowed the perpetrators to walk away with between $45 and $60 million in cash. But the damage wasn t done at the ATMs, it was done within the bank s network. Today, you don t steal money, you steal the means of getting the money. So how do criminals get into our networks? There is a five-step cyber kill chain that starts with research. Typically access to networks is coming from valid credentials and cyber criminals forcing their way into our networks. Once they are in, they take their time to figure out what the assets are and capture that data. Eighty percent of data breaches happen at the application layer, and it typically takes 243 days to detect a breach. On average criminals are able to hide inside our networks for upward of eight months, taking their time to understand our systems, applications, customer and employee details, and intellectual property. Our research shows that we are losing the battle. The time it takes us to remediate a cyber attack has grown from under two weeks in 2010 to over a month in The way our industry has handled cyber security actually hands a huge advantage to the criminals. We share our security standards and vulnerabilities, but often do not share how the criminals got in, what holes they exploited or what information they were after. We are actually helping them perpetrate the same crimes over and over again across different companies in similar industries around the world. Eighty percent of the average IT budget is spent on creating barriers and building perimeter controls. However, network barriers just don t exist anymore, and this approach isn t helping us stop losses from attacks. Criminals are already on the inside and every organization must plan for a significant cyber breach. To turn the tide on cyber criminals, we must use their own tricks against them. We must target them, and disrupt their business model, manage our risk and extend our capabilities. Our collaboration and innovation must be around real-time visibility, sharing intelligence and understanding what s happening at a global and local level. At HP, we have realized that one of the best ways to disrupt cyber criminals before they get in is sharing that breach intelligence securely and confidentially among our customer network. You shouldn t have to go it alone. After all, the criminals have learned that pooling intelligence leads to great rewards. Let s take a page from their playbook and share our security intelligence because with an anti-cybercrime intelligence network in place, it will become much harder to steal $60 million in 60 seconds. Related video Watch Andrzej Kawalec present How do you steal $60m in sixty seconds? at HP Discover Related SlideShare Cyber crime is wreaking havoc Read: The financial services sector must be prepared, says Daniel Chaplin, CTO Office at HP Enterprise Security Services.
18 CREST is exhibiting at Infosecurity Europe, stand number K48 20th Infosecurity Europe Intelligent Security: Protect. Detect. Respond. Recover The theme for this year s Infosecurity Europe is Intelligent Security: Protect. Detect. Respond. Recover. As organisations accept that it s no longer a case of if, but when they will be breached, information security practices are evolving with greater emphasis on building cyber resilience. As information security professionals face a multitude of conflicting risks and priorities, their challenge is to develop an Intelligent Security strategy, tailored to the organisation s risk profile, and balancing protection and detection with the ability to respond and recover. Free seminar programme The Infosecurity Europe seminar programme will address how organisations can develop an Intelligent Security strategy, providing attendees with the tools, techniques and strategies they need to optimise their security posture to protect against the latest threats, whilst ensuring they have robust response and recovery capabilities in place to withstand the impact of a breach and build cyber resilience. Providing a varied host of learning opportunities, ranging from panel discussions and presentations to workshops and training courses, the Infosecurity Europe seminar programme enables access to strategic and technical content in an array of different formats. The seminar programme has been put together following extensive research with the Information Security community and an Advisory Council of CISOs to identify the topics, issues and challenges that are important to them, to ensure that attendees leave with actionable business intelligence, knowledge and insight that they can apply directly to their role to benefit themselves and their organisation. Infosecurity Europe 2015 Keynote Stage This year s Keynote Stage agenda will address the theme of Intelligent Defence: Protect, Detect, Respond, Recover. As hyper-connected organisations evolve, expanding the network perimeter, adopting new technologies and working practices and facing an increasingly complex threat landscape, information security strategies need to evolve too. During the three days of Infosecurity Europe 2015, the Keynote Stage, the vibrant hub of the seminar programme will provide attendees with direct access to unrivalled information security knowledge and expertise from some of the industry s leading end-user practitioners, policy-makers, analysts and thought-leaders. Delegates will gain new ideas, insight and actionable intelligence to enable them to secure the connected enterprise. Deletes will leave with strategic insight and practical tips that will enable them to streamline their information security strategy, accelerate the effectiveness of their security tactics and enhance their professional skills. Establishing an enterprise-wide cyber security culture Security has often been an after-thought in business, with a perceived conflict between security, and agility and flexibility. Increasingly however, as cyber security and resilience move up the board agenda, organisations are realising that for information security to be truly effective, all sectors of the business need to be engaged. But what are the key steps to creating an information security culture within an organisation to ensure that the user is the front line of defence? What approaches can be adopted to motivate the workforce and change the culture? How can organisations encourage a holistic security culture that goes beyond simply raising awareness? Infosecurity Europe 2015 delegates will gain practical insight into how to build a cyber-security culture within their organisation. Understanding the cyber adversary The Sony breach has made headlines around the world. Whilst the finger has been pointed firmly in the direction of North Korea by US law enforcement, dissenters have suggested other actors may be responsible including an ex Sony employee and hacktivists. Others suggest North Korea may have hired hackers from outside its borders. Whatever the truth, the diversity of the cybercrime landscape has been thrown into stark relief and it raises the questions Who is the cybercriminal? What motivates them? And who is targeting you and your organisation? Attendees will delve into the who, what and why of the cybercriminal and gain up-to-the minute intelligence to get into the mind of the attacker, to drive strategies to protect your organisation. Building resilience and an effective incident response capability Regardless of the measures an organisation adopts to protect itself, it will be breached. As a result, incident response and business continuity are gaining attention as organisations focus on building cyber resilience to mitigate the risk and ensure that they are able to withstand the impact of a breach. But what are the critical measures that an organisation should take to ensure that they respond and recover from an attack as rapidly and efficiently as possible, limiting the financial, operational and business impact? Delegates will gain insight into best practice incident response and business continuity. Building a next-generation cyber-security roadmap The rapid pace of change and transformation within organisations often puts information security functions on the back foot as they attempt to keep up with evolution of new technologies and business practices, and employee and customer behaviour. As organisations move from a legacy environment with clear perimeters and controls to a connected and collaborative structure, information security practices need to develop to balance security with business mobility and agility. At the same time, information security functions need to protect the expanding enterprise as mergers and acquisitions confound an already complex business landscape. And all this is against a background of increased sensitivity to privacy and the Internet of Things. Delegates will discover how to keep pace with the business to optimise security whilst enabling innovation and agility. Speakers already confirmed to speak in the Keynote Stage at Infosecurity Europe include senior representatives from GCHQ, National Crime Agency, DWP, PT Portugal, Europol, Kentucky Health, BBC, Richemont International, John Lewis, Bank of England, The Noble Group, FCC Group and NATS. For more information about what s on for 2015, the seminar sessions and to register for the event please visit
19 02-04 June 2015 Olympia London Intelligent security Protect. Detect. Respond. Recover. You can t put a price on high-quality education REGISTER for the world s biggest free Infosecurity Education Programme! CELEBRATING 20 YEARS JUNE15 OLYMPIALONDONUK REGISTER FREE NOW Access to the experts and industry leaders Learn from inspirational speakers Network, share, collaborate and build relationships Discover new and innovative security solutions Earn CPD and CPE credits by attending the free education programme Managed by: Part of: Engage with Infosecurity Europe on #infosec Advert 216x280 AW.indd 1 21/01/ :50
20 Cyber Essentials Update The implementation period for Cyber Essentials has now come to an end and CREST has been formally appointed as a Scheme Accreditation Body. There are now 36 member companies who have been through the formal accreditation process and are now accredited as a Certification Body under CREST. Call for reasons to work in Cyber Security CREST is working with other industry bodies to improve the careers information available in schools, colleges and universities on careers in cyber security. The first item will be a poster to encourage people into the cyber security profession. Please could you your top 3 reasons why someone should consider a career in cyber security to We will compile the results to come up with a list of the ten most popular that will be used to create the poster. We will also publish the results in the next issue of Script. What s in your loft? We all have some obsolete computer hardware, gadgets or old research papers lurking in the loft, the garage or even under the stairs that we have kept hold of for the sake of nostalgia or just because we have not got round to getting rid of them. Please send in your pictures and descriptions of the oldest or oddest that help to paint a picture of how the industry has, or has not, changed and we will feature them in the next issue Script. 522 Uxbridge Road, Pinner, Middlesex, HA5 3PU. CREST is a not for profit company registered in the UK with company number