
so thank for that I think you've also come into something that just said crest presentation on the on the invitation I actually provided a much more detailed definition of what it was I was going to talk about so so I apologize for that anybody who saw Steve Boehner's presentation earlier this morning then I've taken his approach of first of all talking about my holidays so so this is our essay this is a much better thing than swimming in cold water so so and really the reason for putting this up in terms of making sure we have some theme to it so that I can claim that hire a motorcycle should be charged to crest is
that I've been a geek for a very long time really before it is sexy and professional and and therefore I think I look really cool but if you look at a picture of me on that Indian RSA that you can see I lost one of my lenses out of my sunglasses and I didn't know for a half a day and the Americans never told me really they thought is something medical and therefore didn't tell me and also and the Steep honor thing that I think also think you should actually have a hat so the best thing to do at RSA is to hire an Indian motor so I can go to Palo Alto much better than trying
to swim across the ocean for no apparent reason and potentially get eaten by sharks oh so that's the background to it I've been doing this type of work for a very long time now so it's more than it's almost 40 years and therefore I've seen a lot of things but I think right now there is significant changes happening in the industry and stuff that I think that the industry should be aware of and should actually try and address for those of you don't know crest crest has four primary purposes there is the accreditation of companies through our company membership scheme in the UK we have 87 companies that cover threat intelligence penetration testing cyber security the ladies internet
response in Australia we have 26 members in Southeast Asia we now have eight members but that's increasing quite quickly I run some schemes on behalf at the NSA in the United States that gives me about 16 NSA type members and about four u.s. members and so the whole envelope in terms of opening up that professionalization of the industry is happening quite quickly and really to some of the standards and we've said we combine that with our professional qualifications and again if this was a full of room full of all the young people that should be here then what we're talking about there is trying to move forward with around about 1800 hours after a really good degree
course so if you're abot a for example doing some of the technical Network security stuff then I think you stand half a chance with a couple of work placements to be able to step in and do our lowest level exam which is their practitioner level we then step up from that to register it around about 6,000 hours and then our certified about 10,000 hours and we retest people every three years and then there's some specialist areas that's going on ultimately we're moving towards a fellowship model as well and then we're also working with some other organizations looking at a formal Charter which is very much in line with some of the work that's been done in
physicians for example so that chartered status is a really important thing and I think what we've done is we've leapfrogged a number of areas of IT we've come from a backwater technical penetration testing area to actually be probably one of the more professional areas of the IT industry we try the professional qualifications and the membership together with codes of conduct basically if an organization fails its code of conduct and I conduct I can demonstrate that there is absolutely justification for removing somebody then they can't do work for the Bank of England in the UK that would take them out of financial services authority work top-tier UK financial services either back to back agreement with GCHQ so if their part the check
scheme where you get them removed from that as well either back to back agreement at the NSA they dunk on insta response schemes for the NSA and I'm having similar arrangements being put in place for Hong Kong Malaysia and Singapore as well as some of the other european central countries so all of a sudden that stick for actually doing things in a professional way is quite significant we tie that together with the individual codes of conduct as well and again it's incumbent on the individual doing that type of work to understand the organizations they work for underneath that we then do knowledge sharing the professional development we don't do training we only do the certification we believe there's a
potential conflict of interest at the professional level and it's not what other professions do but their knowledge sharing is broken down into running development workshops for people within the industry and primarily they'd look at two areas so we look at development of the industry itself we're currently looking at Sauk accreditation there's a Internet workshop doing all four I'll work on that on the moan we're looking at industrial control systems there's a document that's just about to relieve be released in conjunction with CP and I though the Cabinet Office part of the UK government and then we combine those sorts of activities with what we believe is our social responsibility so so our gender balance with our industry we're
trying to actively address by pulling together a lot of the women's groups and making sure they're adequately addressed and making sure we're improving the marketing message and at the same time we work with people like the National Crime Agency on intervention points to stop young people going into cybercrime and some of that links into some of the work we also do with the national Autism Society so a lot of it is really relevant stuff in terms of trying to professionalize the image of the industry and trying to make sure that we're providing tools and processes to help us the professional development we tried very much together with our academic partners and there's a really good academic partner program again
student membership is available for free we have about 160 hours worth of professional content available on their YouTube channels and again that's all free so access to really good information on both careers and in terms of up-to-date information around what's happening in the industry is there and then we tie that together with again things like our conference Kreskin which we're going to run next week moving into the areas then I've mentioned a couple of schemes schemes is a really odd word that's used quite a lot in the industry our definition of a scheme is the combination of some former company accreditation with some form of professional membership for the individuals carrying out that work so in
other words the buying community has access to a trusted organisation who utilizes skilled knowledgeable and competent individuals that's the way that we define it there's a number of things that we do so I've mentioned the crest penetration testing but we also do cyber security incident response there's a scheme for that called a CSI asking that's a prerequisite for the government cio asking which is the cyber Incident Response scheme and that's for state-sponsored attack very serious organized crime and other areas of threat that the UK security authorities may be interested in in addition to the Incident Response then we run the serious scheme on behalf of the NSA so we do all these accreditations for the
us-based companies on their major Incident Response scheme as well against Bates great sponsors attack very serious organized crime is their primary areas and now we're looking to extend that out we're also working with the NSA in terms of looking at vulnerability assessment organizations and I think again that's something we're trying to encourage the UK government to look at in collaboration that international collaboration is really important we also then run some other ones right at the bottom of the tree then you've got cyber essentials again where the architects of cyber Central's the UK government hasn't quite implemented it in the way that we envisage so I really like the standard I think there are some slight issues with the
way it's been implemented but again I think it's a good indication of basic cyber hygiene cyber essentials plus is what all organisations should be aiming for when it's the minimum standard that we put in place and then we start to run right the other end of the scale some of the critical national infrastructure areas so we have something called star which is simulated or situational targeted attack on the spots combination of threat intelligence and red teaming really is what we're talking about there what we've done is we were asked to do that as a generic and then extended out to areas of the critical national infrastructure so the one we've done so far is CBEST over here which is for the
Bank of England they've looked at so far the 35 of the 36 systemic risk areas that are within the UK financial services this isn't losing a number of people's accounts this is if you take the interconnectivity between the banking system in the UK down then the UK economy suffers significantly so it's that level of impact rule proper critical national infrastructure stuff and then we've just launched to investing which is for the telecommunications agency with off chrome DCMS and also with the six major telecom providers in the UK who are all bought on a natural fit they're competing with each other to be the first organisation to go through a team-based activity at which point if
you combine things like cheque and you can provide things like some of the other things that I've been mentioning you you think it's quite crowded confusing landscape in in actual fact we have a strategy and we understand how a lot of these things will fit together but really what we're trying to do is to look at elements associated with trying to reduce the threat reduce the vulnerable to see avoid detect and recover avoidance I don't think he's really an option anymore the idea that you don't go on the to that shopping or you don't do transactions over the internet or you just block everything off it's really not an option even in the industrial control systems area we're seeing really
quite critical industrial control systems being linked on serve internet gateways so they can remotely manage and remotely monitor at that point all other physical air gapping that's gone on in terms of old industrial control systems just goes completely out of the window so what we're trying to do really is reduces fret reduce vulnerability detect recover if you take that first one as I say I've been doing this for a long time and and really the concept to reducing the threat there's been some who have talked about a lot in actual fact we haven't done hardly anything about it at all in actual fact whenever we've talked about reducing threat generally we've been talking about reducing
vulnerabilities so reducing threat is really trying to dissuade people from going into the sort of adversary also in other words attack scenarios to try to attack our systems or have the judicial system that is actually in place that would make that unattractive for somebody to move into their area given that cyber related crime is is the most fast increasing sector and in that particular marketplace and some people are saying it's already exceeded the drug trafficking which is just quite incredible and there is good indications that even if they isn't true we're talking about serious amounts of money here then that reduction of threat side of things really hasn't worked and we need to do more on it
Kress can't do that alone and our crest members can't but what we are trying to do is to work with other agencies like the National Crime with National Crime Agency the NCA Titan from Met Police we're starting to work with Europe hold Interpol to try to look at the intervention points to stop young people running the cybercrime or now I've stand downstairs then we've got this particular guide now this has formed part of the NCO strategy for rent we've started to work with the counterterrorism people the anti-gang people and the sexual grooming people to look at the social engineering aspects associated with trying to reduce the threat of young people going into crime in this area and there is absolute
evidence that people have been groomed into this space systematically and on volume so anything we can do with this on the international stage really important if what he wants to contribute to any of that or I've got ideas about intervention points and we can include within the program then police can talk to us the next thing is penetration testing and that's what crest is most most known for and the implementation of technical standards to reduce vulnerabilities so really the penetration testing side of things is a really important aspect what we're trying to do there is to identify vulnerabilities within systems and organizations trying to exploit those in some form or another and then provide security improvement programs in terms
of the technical content absolutely what we should be trying to do the difficulty with that is what type of penetration test should we do if you're a small organization with hardly any assets no links on to personal information or financial records that's significantly different from critical national infrastructure so how do you work out as a buyer what it is you should be buying and procuring in this particular area in addition to that if we do penetration tests and we don't actually put the results of those tests in a way that's understandable to management we're really struggling that we're not necessarily doing a particularly good job and if you don't tie those into some of the other technical standards and
even some of the management standards like 27001 in other words if the recommendations don't go into the security improvement plan then we're in a real difficult place because we're not being heard in terms of the recommendations that they're being suggested we're working very closely with with people like Psi Psi remember but we're also working with they'll our QA and some of the other people from the standards institutions to try to understand how some of the statements they make about penetration testing actually linking to what we should be doing in terms of standards in this area and I think relatively soon we'll see much more technically competent things coming out you could argue that the 27001 review she already cover those
sorts of things the difficulty I have is that the the auditors some of the senior auditors are not tech so in other words they can't even read a vulnerability assessment report their traditional auditors looking at policy process control without too much under control over them my argument is the standards not wrong what we need to do is drop skilled the audit community as I think we need to do in terms of not skinning some of the accreditation people they're doing work on behalf of government throughout the world so we need to upskill as well as bringing new talent on but that concept to tie those two things together is really important to us if you then look at some of those
schemes and some of those approaches then we can start to think about how we break this stuff down so right the bottom of the stack here we've got vulnerability analysis we then got defined scope penetration testing so this is we want you to test this website or this piece of kit or this piece of IOT device so in other words we've just testing this almost from a security perspective in the same way as we would perform its analysis and other things we then move on to objective led so in other words we're trying to do we're trying to find a particular flag within a quite a confined sector in other words we're still doing penetration testing
it's slightly broader but it's still objective now in terms of getting validation and assurance that a particular functional service is secure we then move up to a simulated target and tackle response and at this point here this is what the UK will call red teaming in the US they use the term red teaming for almost anything from from vulnerability assessment upwards but from our perspective this is using highly skilled individuals that are fully cognizant of the impact they would have via such tests go wrong putting into a proper management framework and combining that with threat intelligence now that's a significantly different position than what we're doing at the bottom here and what we're trying to do
there is to actually align the level of assurance required by their by the threats of the organization and I think at that point our buyers will understand what they should be buying and they should hopefully be more intelligent in the way they buy those services if you look particularly at the vulnerability analysis side of things as we're seeing more automated attack tools what we're also seeing is better and more automated vulnerability assessment tools and I think as an industry we are looking at the past so again if you look at institutions like this the concept of a paramedic or even a paralegal and those sorts of things in terms of the professional disappearing the use of
artificial intelligence and some form of big data analytics are absolutely getting rid of that concept of a power person and I think in our industry we have the opportunity to look at that from a tall outcome perspective to understand what services have been provided by vulnerability assessment organizations and to do that in a more pragmatic way but you can see all of a sudden we then start to have a stack that we can start to apply which allows us to start to answer this question about how do we decide what level of penetration testing is required or even what level of incident response is required in terms of understanding our organizations and what they look like and what types of
services they should be procuring because at that point we can then start to look at a stack in Reverse so the very small businesses no access to financial information or personal information cyber Central's probably good enough again I think there should be a vulnerability assessment in there and that's what the crest version of cyber central serve requires because we need to validate if somebody says they have a firewall in place they've actually first bought one secondly you have taken out in the box and thirdly they've put it somewhere sensible on the network the first level without that form of assessment doesn't really do that the next level up from that we do some desktop review but again very basic
but we're looking at small organizations and we've tried to align with PCI DSS so in other words things you would be required to do from the payments industry where you hopefully are replicating those throughout other industries and then you move into penetration testing and I think that should probably be cut in half I think there are two elements associated with that with slightly different approaches and then a top level there we've got the threat intelligence no penetration testing or red teaming with Intel so at that bottom level sauber essentials really simple five mandatory controls I quite like it obviously we can add some more stuff in there but basically secure configuration not an unreasonable thing
to ask for boundary and firewall in the internet connections access control and administrative access particular on privileged accounts is still quite incredible but I'm amazed really by why people don't look at that at all a patch management still a major problem so we design cyber essentials for small enterprise that's that was the homework that we were given to go away and look at this and now it's been applied to very large organizations I think that's quite difficult thing to do because they're the scoping aspects but a really interesting thing is we've got large organized failing on patch management and bounder and follow-on internet go was quite true and driving this you can get on the first run and the ladder in
terms of basic cyber hygiene for a large organization providing services to government it's a scary place to be and in finding malware protection again dove the move toward ransomware octa with another whole presentation on ransomware but our standing in the u.s. about three weeks ago next to a children's cancer charity you've just been read some work for $9,000 these people are really not very nice um that's the way it does self-assessment we require a vulnerability scan at all levels and then we do an internal assessment in terms of the the desktop build the interesting thing about this is that I think what we're trying to do why things like cyber essentials is to manage our
existing threat profile so what we're now seeing is is a flood on the marketplace of vailable attack tools help YouTube videos that tell you how to extract the money security attack on demand we write them you know so so you only go to a well rated a tech organization to help you there's some money-back guarantee so if you can't actually extract ransomware and you don't make any money on it they will give your money back you know this is quite an interesting trust model and the business so what does that say to me I'm a business person I'm not a very nice business person at that point because I'm attacking children's charities but I'm making a shitload of money really a
shitload of money so what would I do with that money I'd invest in my second generation tools but what I've got is a legacy system here so as a businessperson I look at that legacy and I think well that's got a reasonable tail on it what I'm going to do is maximize the amount of money I'll get from that I'll flood it onto the marketplace and make it available to other people that will also confuse the defense industry because they'll be so busy looking at this stuff which is now being proliferating I won't be looking at my more advanced attacks and that I'm absolutely sure is what's happening if I was doing that and I was looking at my
marketing department and bearing in mind these organizations have huge amount of daters and very good marketing departments I'd be using artificial intelligence big data analytics to make sure that people open emails make sure they're absolutely addressed to the right person in the language you're expecting at a time we're expecting on subject there it's 50 and I'll be using my big data analytics to make sure I'm targeting people very consistent basis so in other words using whaling but on a mass space and that's what I think we're moving towards and therefore a lot of this basic cyber hygiene is going to be no good for the future and we really should be investing in this in terms of an industry to think
about what we're going to do in terms of next generation attack tools very scary and at the moment my only answer is go to the clownfish for a small organization the idea of having a corner shop there being the Mafia and knocking on your door pretty scary place to be and I don't know how you can protect yourself particularly as the police wouldn't come so there's no recognition for good standards it is another really interesting thing so if you take we will issue you a certificate of cyber Central's and cyber centers plus awesome you put five basic controls in place and you've got a little bit of configuration on your desktop build you know it was
really good but the next level up you get nothing so at that point we have to think about how we reward organizations for doing better and again looking at that what we need to do is the more formal links into those existing security standards it should form part 27 2001 and for Part B static ocean service we should look at trying to give something to the the chief information officers and those responsible for security for doing a good job in relation to the types of threats the organization is exposed to and that link with our existing standards is something we haven't done basically well yet but we are working really hard to try to correct that it's in a difficult thing
because if you take the ice home change cycle which takes a very long time which is why we've never gone the ice over in terms of crest because we evolved so quickly but that link into that I think will provide the opportunity providing that reward for organizations doing more we also need to establish minimum standards that are too prescriptive and can evolve quickly so again if you look at 27001 you would look at the control set that's available to you you look at the statement applicability you can basically say I accept that level of risk I don't think in certain instances you should be able to accept a level of risk for a basic cyber hygiene control
or if you're running part the critical national infrastructure for the water or guess really I don't think that's an appropriate thing to do so I do think we should look at those statements of applicability and we need to look at those in terms of minimum standards and I think there needs to be some refinement according to the sector and type of organization you operating within but I don't think it's beyond the wit of man to actually understand how to do that and how to put some proper stuff in place for minimum standards and again that could give us that opportunity for providing a further level of certification but I think that should probably be done through the
answer committees critical national infrastructure so then we jump really from that bottom and mid tier up to up to the areas critical national infrastructure really interesting on a global basis everybody is scared rightly so I think I write an academic come back to us in response to something we'd written last week who said this isn't really a problem it's just all being made up really you think about the massive amount of opportunities for ransomware if we took down a National Grid you imagine the chaos we could cause you look at some of the relationships between very serious organized crime and some of the governmental systems throughout the world they are very close very closer they live they live together we got a
request from the Israeli government very pneumonias rainiest at the moment for department for international trade is a very friendly nation for us to deal with but they're asking for exports they're asking crest remember companies have you got any Explorer so you'd like to sell us that we might stick in our back pocket if you don't think that's attack I think again you'd be very surprised and even our government is now coming out and saying what we need to do is is to have some form of offensive capability in this space that sends some quite strong messages to the rest of the world if we're doing it and we're quite conservative then certainly the Americans would do it because there are
shouting about it quite a lot and you can imagine what the rest of the world is doing in terms of that this is a real problem and what we need to do is to address it on a global basis I used to work the Siemens Siemens is responsible for a lot of industrial control systems kit and a lot of that needs to get taken down so I can say that it was a long time ago and hopefully they've corrected it but if you look at that then there are certain tools and processes and bits of kit that's available to industrial control systems that need to be improved in terms of their security offer and at the moment we're not putting
pressure on those suppliers to do that and I think again with some form of strategy for their critical national infrastructure and a global basis we should be doing that what we were asked to do by the UK government and and some other organizations was to look at our existing penetration testing services and to identify an approach that be suitable for critical national infrastructure basically we looked at the side elements the skill knowledge and competence and the individual our standards company research etc and and put all that together in terms of this is what a good penetration test looks like but what's missing from that is in cement information that you get up through a certain UK and other search
throughout the world and then up-to-date threat intelligence the emergence of the threat intelligence industry we haven't tied down certainly okay I'll be really honest so I haven't drilled them down the information about incidents as much that I'd like you know information exchanges I think are working very well but we have an integrated data information flow into our processes but the up-to-date threat Intel is absolutely something we've been doing and that emergence of the threat intelligence industry for the first time ever Berrien have burning one how old I am and how long I've been talking about the threat is the first time ever I can actually almost put my hand on my heart and so we were actually doing something
about threat and we are monitoring it and we are doing it from Ogier political perspective a big data analytics perspective we are looking at specific dark web analysis we looking individual targets and organizations in doing that that emerging threat intelligence industry is really I think a fantastic thing the problem I have with that going back to the motorcycle picture is that last year when I went to RSA everybody had threatened till on their stand I walked round nobody did threat until some of them had a sock someone had a piece of software that gathers some information and maybe sent out some alerts everybody looked at how much Mandy it was worth I think really and thought well I'm probably
going to up my value of my organisation by three four points by put and threat until in there and out of the e really without very much consideration we do a lot of analysis in terms of how suitable the organisation is and I think again where help we're helping very quickly to mature that market place but it's emerging threat intelligence industry is really interesting because we can do it for intelligent slow penetration testing so the concept we that is what we're trying to do is do an evidence-based and contextualize penetration tests so in other words when we go back and present to senior boards we're not saying here's a whole pile of IP addresses here's some of the
vulnerabilities hopefully we've got rid of some of the false positives and maybe you might want to do something about your configuration management what we are saying is we are seeing on the dark web this software attack these are the types of advocates that are coming through this is how they're targeting your organization this is what they're doing about it and this is how we prove - you're vulnerable and therefore you really need to be doing stuff on this otherwise you're exposed and you're going to be exposed in the short term none of this we've got a five year window where I'm not going to be management director anymore and I've gone this is this could happen tomorrow
and you're going to be standing up in front of a pack committee trying to explain to the government why you failed and if you look at all the gdpr stuff you know at that point I think you're buggered really not at all I'd probably use in public but I really think you're in a difficult position so it's evidence-based contextualized threat intelligence LED penetration testing is capturing the imagination around the world and the UK is leading this big time we have massive opportunities for taking that early adopter benefit and again what we should be doing as an industry supported by government is to pull those things together into a more strategic objective coming into that then as I've mentioned
before we're already running two schemes on behalf of the UK so we're running some called CBEST which is the thing that's run on behalf of the Bank of England it's their scheme but we provide the certifications for the individuals and we do all the heavy lifting and the accreditations for the companies and we're doing the same thing for telecommunications in the UK we're also working with a civil nuclear and I'm starting to talk to rail and I've started talk to those space agencies so we are starting to pull together some of those things in Hong Kong there's something called ICAST which is the equivalent of CBEST and we're supporting that through the Hong Kong government
Singapore are very close on their heels in terms of trying to do the same type of thing. In Holland you've got something called TIBER, which is being used by the existing CREST member companies and CREST-qualified individuals; they haven't actually developed the scheme in such a structured way as I'd like to see, but they're implementing that, and we're starting further conversations with the European Central Bank to get that rolling out through 23 European countries, despite us leaving Europe. So really they're continuing to talk to us because we are the best game on the street and probably the only people that can actually drive this process forward in terms of raising the level of
professionalisation. What I want to do in there is to identify structure, so this is Ian's idea of what this might look like; this should be the government strategy in terms of what this should look like. So what we're trying to do here is move from financial services, where there is a CHECK Plus, it's CBEST now, which is horrible, that they're looking at, but the idea is you've got telecommunications supported by space and transport, because you can't run telecommunications without that space, and then on the energy side you can't do anything without that energy. So we're trying to protect that; once we've done that as a little group we then drop down to the emergency services through the other
areas of the critical national infrastructure, and what it looks like there is an idea about how we can do this within the UK, and again I think if we can adopt this fast enough it's a global offering that the UK can take to a global market, and use the cybersecurity industry as being one of the new industry leaders in this particular space, in terms of export opportunities as well as demonstrating good governance within our own model. So this is what we're trying to do. What I'm then suggesting is that we have a domestic CNI strategy group that pulls together, I'm already doing that, I'm trying to pull together the existing people into one place, and then having a primary
contact group and the one for people on the ground, so a strategic group and then an operational group, and then tying that together with the International Strategy Group. I'm going to be talking to Syntel about telecommunications, and as I've indicated to you we're already talking to the two financial services authorities throughout the world, and then tying that together in the international CNI community group as well. So that's about sharing this information about what we're doing in terms of vulnerability assessment, penetration testing and threat intelligence, and then having suitable representatives from the regulator, nominating government departments, and for the UK at the very least the NCSC, and again what we're trying to do there is make sure the information flows are
going backwards and forwards. The idea behind this is that China is being attacked in the sector in the same way; they are investing more in IPR than the UK and Europe combined, so again they are subject to these types of attacks and ransomware. They're going to be the biggest users of technology in the world, absolutely; their population is being attacked by ransomware and other things that we've seen already. And again, the idea that we can only have friends or foes is quite a US perspective on life: there are bad guys and good guys, that's the way, though I don't like to describe it that way, but it's terms that they use a lot. But in actual fact what we have is very serious organised crime
groups, we have lesser organised crime groups, and then we have organisations and individuals that need protecting; I don't care whereabouts in the world they are. What we should all be doing is trying to reduce the threat and therefore reduce the recovery time for organisations. The interesting thing about that is we can then start to exercise things. So at that point: I used to be a fellow of the Business Continuity Planning Institute and I stopped paying my fees because they wouldn't talk to me about cyber attacks; it was all about what happens when the next flood comes, we lose the power supply or the disk breaks, and I'm certain we've really got to think about this
stuff, because we need to tie in monitoring and logging, we need to have all sorts of other stuff to enable us to do it, even though I think the big four should be looking at this from a boardroom perspective. So for example, if you pay ransomware, so you look at this: $9,000 to actually recover something, that's a bargain really in terms of what it would cost you to reconstitute. But if you pay that, and you can insure against it, which is a really odd thing, then in actual fact you could trace the money: undoubtedly some of that money is going to go to organised crime, that's illegal, I'm told; some of that is going to be
useful for funding terrorists, absolutely illegal. So you imagine standing up there going "yep, we paid", and then somebody else from the BBC stands up and says "do you realise you've funded organised crime? Surely that isn't your most appropriate thing, and you should have had appropriate controls in place." That is not somewhere you want to be, and that debate about the ethics associated with it, with a board that has no idea what griemann perfect got saravana, is a really interesting concept, and there's a number of other issues in terms of the ethics associated with what we're doing in this particular space. This allows us to exercise our continuity plan against real-life scenarios, and again,
using that threat intelligence, we can start to tie that in in terms of incident response for cyber-related issues. Detection for us is really important, and what we actually want to do is to move towards a continual threat monitoring perspective. So in other words, we've got our SOCs, which I'm going to come on to in a moment, but in addition to that what we've actually got is the opportunity for doing continual threat monitoring. So the idea behind that is that at the moment the threat analysis we use in things like CBEST and TIBER is looking specifically at your organisation at a particular point in time; if we can flip that on its head and do continual threat
monitoring, the idea of starting to see what's coming over the hill is a really good concept, and for the first time ever it's a concept that we can introduce, and we can use that to actually try to do something about it, which I'll come to in a minute. You then need to link that together with a SOC, a security operations centre. So in other words, what we're having at the moment is a large number of organisations establishing either their own SOC or procuring one through another organisation. The problem with that is: what does a good SOC look like? A good SOC isn't something that's got a load of tools that nobody turns on or
understands, but that's generally the way it's sold, and it's not the sexiest-looking kit in the world, because I don't care what it looks like as long as it actually provides the function. So this concept of having something with a SOC accreditation is something we're moving towards, and again I think that's likely to be three or four levels; it will tie in things like ISO 20000, which is the IT Infrastructure Library element, in terms of the management of that process, but it'll also tie in outcome-based assessment. So in other words we'll run attack profiles against the SOC to make sure that they pick them up and react to them appropriately. You tie that together
with the threat intelligence, then all of a sudden you are doing monitoring about what's happening on your network traffic, and also you're using threat intelligence to try to anticipate, and maybe upping your level of heightened awareness in terms of what's going on in your community at that particular point in time. So in other words, using continual threat analysis or threat intelligence, what we can do is heighten our awareness. So if we see other organisations being attacked, or we see our adversaries changing or using different techniques, we raise the profile of that in the organisation: we make sure our SOC is more aware, we make sure end users are more aware, we make sure sysadmin people don't take all
the telephone calls, we make sure we heighten our physical security, stop people doing drops, and all the other aspects. For the first time we can up that level of awareness based on proper threat intelligence, in other words contextualised. We can do a configuration review: so if we understand what sort of attacks have been undertaken, we can therefore look at our configuration and think, are we as secure as we should be against this form of attack? So we can review that and maybe change it if necessary; if necessary we can update, make sure it's patched, just go through that extra little bit of vigilance to make sure everything is tidied up and you are defending the best way you can,
and maybe even procure a penetration test, so in other words to validate it in a real-life scenario, to say: this is the scenario we're anticipating, how good are we at defending ourselves in that position? This hasn't been done anywhere, and I think if we can start to build this then all of a sudden we're going to be much more proactive in terms of what we do, and we can move to this concept, for the first time ever, of invocation before attack. So in other words, we're seeing the flood coming down the river, and now what we're going to do is lift all the furniture and the kit up to the third floor. You know, it's
as simple as that, but in a technical context it's the first time ever we've had the opportunity to do that. And then finally we've got recovery, which is quite a difficult thing to do; as I've said, it's not as straightforward as you might think, even with things like ransomware. But the idea is that we're trying to develop these schemes to put some structure on it and to enable organisations to understand how to buy good. So in other words, at the time of invocation, when I used to have a professional services firm, if somebody phoned me up and said "we've got a big problem, can you help?", I'd still really smile, because at that point I'm not in an
open competition ITT, they haven't even mentioned the price to me, they've mentioned the quality or who I'm going to put in there, and basically I've just got to arrive at the door and do my very best. You know, that's almost as good as it gets for a professional services firm. But what we're trying to do is to provide some of that assessment up front in terms of what good looks like. We're also providing assessment tools that look at that from a perspective of understanding what type of skill level you need, which I also think is really important. So therefore, coming back to this sort of stack: if we understand that the lowest level is what we need in
terms of some form of incident response, right the way up to "we really need to understand how to react to this", I think the different levels and the different types of organisations will be quite good in terms of the overall structure of what needs to be done. We're also trying to help by providing maturity models, and again if you go on the CREST website these are all free; we're just about to launch one on penetration testing programmes, but the cyber security incident response maturity model is really good for this. This allows you to assess the level you're at in terms of your level of maturity, not exercising your business continuity plans but seeing what
management structures you've got in place, what escalation you've got in place, what capability you've got within the organisation, and make decisions early, and before the invocation, about the types of organisations you may wish to utilise should you experience a problem. It's a really good thing, and again CREST as a not-for-profit organisation gives this stuff away; it's actually a really valuable tool. So what we're trying to do there is reduce the threat through trying to do things to stop people going into crime, reduce the vulnerability through traditional penetration testing and vulnerability assessment, detection through improvements in terms of SOCs and in terms of the threat intelligence, and then recovery through trying to make organisations more mature and having
selection processes already in place, helping them buy sensible ones, buy good. As part of the programme I was also asked to have a little look at bug bounties, a really interesting subject. So I've closed one book and I've opened another one now, but bug bounties I think are really interesting: it went away and now it's certainly coming back, and there's a lot of people that are now investing some significant money in these activities. So individuals or researchers are recognised and compensated for finding vulnerabilities; in other words, organisations opening themselves up to attack by anybody. 1995 was probably around about the first one, again Netscape, using their bug bounty program:
they put fifty thousand dollars aside to pay people if they found it; it doesn't actually say how much they spent of that $50,000. Facebook then had their White Hat debit card: you could do everything like buying a t-shirt, or some really good value for money there, and again what they were trying to do is to provide the opportunity for people to test quite a wide range of their portfolio. At the moment, or certainly two years ago, India had the largest number of bug bounties in terms of the individuals participating, with an average finding per bug, bear this in mind, it's per bug not per individual, of about thirteen hundred dollars; the US came second at around about $2,700, $2,200 Brazil, and
then UK around about three. So you could surmise from that, if you could find a bug and it's quite significant, it's probably going to be worth on average around about three thousand dollars. Hack the Pentagon was also opened; again, I have some problems with some of the ideas. It came out with 138 unique bugs and they made a big song and dance about it: seventy-one thousand dollars is what they allocated, that's an average of five hundred and sixty, five hundred and sixteen dollars per bug. Uber: five thousand dollars if you can take over an account, ten thousand dollars if you can take down their production service. Now bear
in mind that you can ransomware somebody like a children's charity and get five thousand dollars more; you know, you look at the two things and you think, well, that's an oddity, and what's the reality? So what you've actually got is a whole host of people, the people in white there, doing shedloads of work, not finding anything at all; every time they find a bug, son ds3 family; and then you've got a few that actually are identifying things and maybe get a smooth revenue from it; then you've got a couple that are identifying stuff, and then you've got some real creamy people, and they're quite lucky, because they get nearly enough, they're actually making a
reasonable amount of money. But the vast majority of people make no money for spending an awful lot of time. I'm not saying that's bad, it's a better hobby than sitting there playing Gran Turismo or something else, but I think people need to go in there with their eyes open in terms of what it's all about. And if you look at why some of these things are doing it, I've spoken to a lot of the bug bounty organisations in the US, which are probably more mature. There is this client view: so the client view is it's a really cost-effective way of finding vulnerabilities; 516 dollars for a major vulnerability, that's pretty good value
for the NSA, I think; for a government federal system, probably a slight level of confidence: I'm confident enough to open mine up, that works out, come and attack me. Right, so therefore they've probably done a whole load of penetration testing up front to make sure things are actually quite secure before they open up to a bug bounty program. It's also hacker-friendly: you want to hack us? You can hack us if you like, and if you find stuff and tell us we'll pay you. That's quite a friendly, you know, I don't like the word hacker, but yeah Bernsen, but it's quite interesting in terms of being that friendly person, being open to paying researchers for
doing this type of work. The issue they've got is completely removing the IPR protection: if they lose all their IP, if I open up everything, how are they going to defend themselves? No recourse on unethical issues: so in other words, if they use different forms of attack or start to do things that are really bad, how can you have recourse against it? Unresolved vulnerabilities remain in the public domain, particularly if they don't pay somebody: so if I've found a vulnerability that somebody else has reported and they don't do anything about it, why wouldn't you dump that in the public eye? If I was that way inclined I probably would. No contractual relationship or protection on either
side, so there's no guarantee of payment, and there is no real relationship in terms of contract, which is quite interesting, because at that point you start to have different models, and we're starting to see different models of bug bounty coming through. So: the target organisation with a virtual handshake straight to the researchers, nothing in place in terms of contractual restrictions. What we start to see now is the target organisation with a formal contract with a bug bounty company, who then has an informal virtual handshake with the researchers. So the organisation is trying to protect itself through contracts with the bug bounty organisation, who then has an informal relationship. So it's quite a difficult thing; I do think
you need to understand where the money's going and who's got the contractual obligations if you go into this. What we're also looking at here is the employer view: could be used for talent spotting, and that's certainly what was happening in the States; the vast majority of people that were finding the significant vulnerabilities are now employed by those organisations. Might be a way of reducing costs: why am I paying 89 thousand pounds a year for a really good pen tester when I could be paying 516 pounds per vulnerability? It's quite an interesting business model. Individuals have got the opportunity to hone their talents in their own time: go away and do your own research, but don't do it on my
time. It's quite a good idea, but we are seeing individuals doing work in their firm's time, or, because of their names, they're being associated with their organisation even though they're doing bug bounty work, and I think as an employer you'd have to look at that very carefully, because you wouldn't normally expect to provide that opportunity for people. Employment contracts therefore may preclude such activity, and the use of employee-developed tools may breach their IPR. So in other words, I develop my attack tool, or my particular script: if I'm using that, and I've developed it in the firm's time, and I'm using that to get bug bounty money, then surely the money should come back to the
organisation; that's a big IPR issue, I think. Shrink-wrapped products may breach any licensing agreements, so again if they're using stuff bought by your employer, then if you use that for a different purpose that breaches licensing. And the uncontrolled use of internet-based tools can introduce vulnerabilities on your systems as well. So there's quite a difference, and I don't think that's been articulated from the industry. From the researcher's view: potential income, potential kudos within their organisations and within their community, potential employment opportunities for those that aren't currently in work; but they're unsure about the legal position on use of tools, there's no guarantee of payment, and really some of it is a
terrible hourly rate; you know, you can spend an awful lot of time and get absolutely nothing. The police view is quite interesting here, because they're trying to get a view on this, and these are the two bits I've got from the police agencies I'm working with. Their view is it encourages the use of, in their view, illegal software; that's pretty close to the mark really, because if you're actually going to get up into that small group of people that actually make any money out of this, you're going to be using some advanced attack tools, and therefore you're probably going to be downloading explicitly illegal software, which the NCA and some of the other police forces are absolutely against; you'll
probably get a cease and desist notice, you know, so it's quite difficult. And it also provides the potential opportunities for grooming, and therefore if you're going into those areas, again the idea of identifying legitimate employers is just exactly the same for other employers, because the other employers in the cyber world, cybercrime, absolutely are looking at this as a way of grooming people out of the industry. I think it's really yet to be established; we don't know, really, what we think about it yet. So what I'm asking is: you can help me with this. Have you contributed to a bug bounty program? What was your experience? Please let me know; you can email me directly, I have my
email on the last slide. Do you have any opinions? You know, is what I'm saying close to the truth, complete rubbish? I don't know; I made this up at the moment in terms of what it looks like, I think it's roughly true, I've tried to validate it with a few people, but at the moment it's just my view. Would you be willing to respond to a questionnaire? You know, write to me and say "yes I would, we've had some experience, I'd like to give you my feedback on this, because I think bug bounties are awesome", or "I've had really bad experiences", and really I'd like the balance of those two. And would you be willing to be
interviewed? I think it's part of that as well. So really I'm just providing you with the opportunity to come and help provide us with an opinion: volunteer to be interviewed, offer to participate maybe in a workshop, and read the results of the research, because I think it could impact you, and certainly some of the younger people that are attending this event. So that's a really quick run through two quite complicated subjects. My hope is it's given you some idea about the direction of play for both the lower-tier penetration testing and vulnerability assessment and what we're doing in terms of the threat intelligence, and the sort of career pathways and the things that are available to people looking
at this space, but also that we haven't got all the answers, and there's new things coming along all the time, which we as an industry, if we want to be viewed as being a profession, have to have an opinion on, and it's your responsibility, I think, to contribute to this. So thank you very much for listening to me, thank you. [Applause] Some questions? So the question is: should there be some view in terms of whether an organisation has to adhere to a Cyber Essentials type standard? The UK government is putting it in their procurement frameworks right now; whether or not it's appropriate to put it in all of those, so if you supply kit for a
nuclear submarine or one of the new aircraft carriers, is Cyber Essentials the right thing you should be validated against? It's a big question. I think what we're seeing is it going into the procurement frameworks and into supply chain. I wouldn't like it to be a standard, because I think it needs to evolve quickly; we haven't adequately considered cloud, or how we accredit cloud-type services, and I think there's some other bits that fit round it, like awareness, and things that I think we should actually put in there if we're going to suggest this is the level and demonstrability of assurance. So we're talking about different forms of bug bounty; so the answer is I haven't
investigated that in very much detail at all. I know it's going on, and it's just a different way of trying to recompense somebody for the amount of time they're spending, and also it pulls together the concept of having a group research opportunity, where you can come together and actually do things together. I think it's not a bad idea; I think it struggles with some of the same problems we've got in terms of contractual obligations, but again, write to me, I'm genuinely really interested to try to get a view on what these things are, and if there's variations on how these schemes have been implemented I'd really like to learn.
I've got no idea, really, what the legal implications are. So if you allow people to attack you, as I say, I think the legal position is you can leave your doors and windows open; at that point your insurance company probably won't pay, and I don't think law enforcement are going to be that interested in helping you. So it falls into that type of area. I don't think the law, and I don't think insurance, has a view on this at all, which again is why I think this is quite a valid piece of research. So we have some view; I should have probably put insurers down on that list, I didn't think about it. And for the next
presentation on this, we'll be there.
So we're talking about the scope of a Cyber Essentials review. If you look at the definition that was originally given by CESG, as it was at the time, in terms of this, then they were saying all of your internet-facing connections should form part of your Cyber Essentials review. That's a big thing. When we launched it, Barclays, somebody from Barclays, a senior person, stood up and said "we are committed to putting Barclays through Cyber Essentials", and you could see the guy who's responsible for it go white, really, because how many interconnections have they got, and how many outward-facing things have they got to the internet? It's a massive undertaking. So at that point
you've got to think about the scope and issues. As I say, I think people are manipulating the standard; I do think we should have a scope statement in there now, which we don't have. We do in 27001; at the moment we don't have that in terms of Cyber Essentials, it's a company certificate, but I think we should at the very minimum introduce the same definition of what the scope includes as we do in a 27001 review. It's one of the reasons why, if they'd have given me the homework to look at large enterprise, I wouldn't have come up with the idea of Cyber Essentials and Cyber Essentials Plus in its current form, although I
still really like it as a standard. Thank you very much. [Applause]