My prediction for 2007 will be
more of the same ...

* Big companies still breached.
* Ransomware will still take out hospitals.
* Celeb will get attacked using a DDoS and we'll wonder why
* IoT will still be a pain!
* Cars will still be vulnerable
Peter W. Singer All agree. Cars are going to be an interesting one to follow, especially as we see more driverless car prototypes and use
Peter W. Singer but what are your predictions for what will be different?
SPCoulson Agreed. I read once, All code is vulnerable. Enough time has to pass for us to work out why. Cars, planes, boats and toasters.
Jason Hart What’s different now from last year’s prediction? Why will these attacks get worse? The first generation of cyber attacks were about cutting access to data, and then we moved on to data theft.
Jason Hart @Hart_Jason Now, we’re starting to see evidence of that stolen data being altered before transition from one machine to another, affecting all elements of operations.
Lewis Morgan Calling IoT a pain is an understatement :)
SPCoulson I think the only difference will be more criminals having a go... The tools are readily available for curious people to attempt a large scale attack. We saw that with LOIC and now with Mirai.
Neira Jones I think we might see the 1st physical injury due to #cybercrime #IoT
SPCoulson @neirajones I agree on that.
Peter W. Singer I was at a session where someone talked about the need to pentest a new shower. people were like "why"? The answer was that it could be altered from afar to shoot out scalding water
SPCoulson and this is why we can't have nice things.
Lewis Morgan @neirajones Agreed. "How did you break your leg?" "The internet did it" - imagine saying that 10 years ago.
Neira Jones exactly my point. And we have all seen the attacks on hospitals.
Jason Hart @LewisMorgan_ The proliferation of the Internet of Things means hackers have a seemingly infinite number of different attack surfaces and personas that they can manipulate.
Gemalto @neirajones so a car crash? or out of control smart device?
SPCoulson @neirajones it would be interesting to see attacks on medical records so that someone has an un-needed operation and the hospital is liable as they were not secure enough
Jason Hart @Hart_Jason Your Fitbit as an example, look at the number of people who touch it—the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, etc.
Neira Jones Any of these...
Jason Hart @Hart_Jason This creates a cross-pollination of risk that the security industry has not seen before, and that’s just one person’s “thing.”
SPCoulson @Gemalto kettle blows up as the turn-off signal was disrupted.
Neira Jones @Hart_Jason Ah yes. Excellent point, which brings me to Supply Chain Due Diligence...
SPCoulson @neirajones that's the one Neira ... global supply chain. Where your data exists in multiple countries under multiple laws.
Peter W. Singer @neirajones But how can we get better at this? So hard to control? And we also have risk not just on the software side but on the hardware side, the chips themselves, the attack baked in (scenario in my GhostFleet book)
SPCoulson Is the answer that all data being passed over the internet has to be encrypted and only those with valid decryption key can see it?
We wrote a comic for people not intimately versed in security to understand the threats that are out there. Is there more we can do to raise awareness @peterwsinger?
Peter W. Singer One fun project I am helping to launch this week is trying to enlist Hollywood into the effort
Peter W. Singer I am writing you from LA, where @NewAmerica and UCLA are bringing our top cybersecurity experts to meet with writers and producers. We'll have folks from CyberCommand and various firms, ethical hackers etc and ~60 entertainment industry people
Peter W. Singer The idea is to try to recreate in cybersecurity what happened with public health projects, where medical experts worked to help not only aid in stories but inject key public health messages (like cancer screening). Can we do same in Cybersecurity?
Gemalto so do you think that Hollywood's approach so far to hacking has been too dramatic and not based in reality? Can you recall one of the worst offenders?
Peter W. Singer Given how so many attacks take advantage of lack of user awareness, the hope is that even small levels of greater realism and awareness could have a big impact
Peter W. Singer Plus, wouldn't it be great if movie/TV shows on this topic were just a bit better? They don't have the best track record :)
SPCoulson CSI Cyber, Mr Robot, Hackers 2 and 3 ... Oh wait ... you are right. They don't have a great track record.
Peter W. Singer That is one of the issues, this cross between it being super complex, only the wizard can pull it off, and thus there is nothing that you can do to protect yourself. But it also portrays it as simple, just bang on a keyboard for under 30 seconds to do
Peter W. Singer A related issue is the characters themselves, every one of them sullen loners, usually in a hoodie. They also are predominantly male or if a girl, a goth
SPCoulson The reason why is Pen Tests are boring to watch !
Peter W. Singer Now we all know folks like that, but it is not the entire field. More importantly, how does it shape both public perceptions of it, and whether young people want to go into it? This is key given human workforce talent gap for industry as whole
Peter W. Singer As one young person put it to me, "I dont see myself in those shows."
Gemalto and a skateboard is an obligatory prop! Swordfish seemed entirely implausible too. Would you say that reusing passwords and phishing seem to be the topics most in need of being addressed?
SPCoulson I see nothing wrong here ...
Neira Jones YES.
Peter W. Singer A Swordfish reference! yes, those would be good. But also imagine a world where more people/firms had multi-factor or encryption. Indeed, Donald Trump would not be president in that world.
Peter W. Singer For those tracking the DNC/Podesta email breaches, the news today was that Trump again denied Russia had any role in it “I don’t believe it. I don’t believe they interfered.”
Peter W. Singer Sorry to get "political" but it is a good illustration of both need for greater cybersecurity awareness and looming problems of attribution, when a leader disagrees with what his briefers are saying
Gemalto So is this the new playground of spycraft then?
Jason Hart Are CEOs ignorant of cyber security?
Neira Jones Well, they are certainly more aware now...
Gemalto Asia Perhaps lack of mandatory laws to reveal breaches in several countries help them to remain ignorant.
Neira Jones compliance is certainly a driver.
Neira Jones but bad public exposure in same sector is another driver.
Lewis Morgan @neirajones 100% agree. I'd hate to imagine the start of global security if there were no compliance requirements...
Gemalto Asia @neirajones isn't there any universal body fighting to make it mandatory everywhere?
Lewis Morgan *state, not start :)
Peter W. Singer I would say not ignorant of the growing risk, but ignorant of how to weigh it/what to do about it. Depends on sector though, some like Banking, they tend to have better handle, other like retail/health, are well behind
Lewis Morgan The EU GDPR is certainly going to help
Neira Jones No Universal Body, but plenty of bodies... They have to cooperate.
Peter W. Singer To say "ignorant" is not an indictment or mean spirited. It is just that this wasn't in their background or training. The problem is that it will stay this way for a long time. MBA programs still don't teach executives the base level things they need
Jason Hart Breaches will continue to happen; to expect otherwise would be unrealistic. But as their scale and complexity grows, focusing on them first would take up all of an organisation’s IT security bandwidth.
Jason Hart A better starting point is to know what you are trying to protect.
Neira Jones Hence the importance of the "Modern CISO"...
Peter W. Singer An executive (not just the CISO) has to have some general understanding of this topic area, as they will be making decisions related to it. Cost of worst breaches is often determined not by IT dept but how CEO, public affairs, legal dept (mis)handled
SPCoulson Should they be a non-executive and therefore have no direct relationship to profit etc.? Their advice would be impartial?
Neira Jones Yes, but the "Modern CISO", commercially & business aware should be able to express risk.
Neira Jones @SPCoulson What an excellent idea! I'm game ;)
SPCoulson @neirajones thought you might be? The Virtual Modern CISO?