3. Based on a real project
Identities protected and altered – does not affect the process that was used
A sensitive defence organisation needs to be more cost effective
Already has long term outsource partner
Mid contract break point drives improvement
Perception that security experts will say no
This is based on current policy
4.
5. Research and advice across defence sector
Many highly sensitive contracts and relationships
Key target for traditional and cyber attack
Already outsourced support in many areas but all delivered from inside UK
Urgent need to make more savings
Concept is to move back office processing and support to a low cost labour country
6. Use the process to establish threats and exploits
Look at sensitivity of assets affected
See if controls and mitigations can reduce these to acceptable levels
Stop, or go ahead and accept residual risks
Sounds simple but only works if you understand how the exploits will happen
7. Move offshore:
No classified material at all
Human resource basic records
Travel expenses fulfilment
Purchase order ledger
Order generation
Payment of suppliers
8. Agree some risks to privacy sensitive records
No classified material included so low risk
Bulk data sets to be protected: no copying or transport in country
Staff in country to be vetted
Buildings to be secured to higher level
Subcontract suppliers to be vetted
Extra monitoring to be established
9. Threats from individuals, petty criminals and other low grade threat actors
Opportunistic not organised
No strategic goal
Security first response is NO
Little explanation but just a risk we don’t need to take
10. Leadership want to make the savings
Security role to establish the REAL risks
Then find ways of reducing them
Explain the result to leaders so they can decide if the residual risks are acceptable
Key is to find a way we can all say yes to a desirable initiative, not find reasons to say no!
11. Threat sources: FIS, competitors and sophisticated activist groups
Want to reverse engineer size of cyber defences on new order for sensitive web hosting contract
Purchase order ledger is moved offshore
Use open source to establish likely timing of orders for components and services
Penetrate data centre offshore via traditional human methods or cyber attack
Collect and analyse project identifiers in database
Collect orders and establish scale of servers and defences
Mobilise denial of service resources now known to be able to destroy hosting at will
12. Threat actors: FIS, crime, competitors
Want to identify targets for corruption related to specific contracts
HR and travel expenses moved offshore
Use open source material to identify timing of contract negotiation and award
Target country is known - penetrate data centre or create and remove copy (could acquire rotating backups)
Mine travel expenses to find all trips to target country in window and create long list
Qualify list with HR system: look for expensive life, large family, lower bonus etc
Go back to expenses to find detailed behaviours, bar bills, timing, phone call duration ...
Short list targets and move to more traditional methods
13. Open source used to index low grade bulk data
Structure of data is as valuable as the data itself
Mining and profiling used to enrich data
Traditional methods still needed but this improves chance of success significantly
Access to data set or actual system is assumed in target country despite countermeasures
Attacks are cyber, used to enhance traditional approaches
14. Scramble data before off shoring
Remove structure from orders
Reassemble in UK
Anonymous HR records with numeric identifiers and address data and other pointers removed
Scramble travel expenses and make claim to index number not person
Other similar methods to scramble data and remove structure
All reinserted in secure enclave in UK
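
The scramble-and-reinsert step from this slide, as an added Python example that is not code from the original project. The Enclave class, the field names, the allow-list of fields sent offshore and the choice of a fresh index number per claim are all assumptions made for illustration.

```python
import secrets

# Assumption: the offshore processor needs only these fields to fulfil a claim.
OFFSHORE_FIELDS = ("amount", "currency", "category")

class Enclave:
    """Hypothetical UK-side store: the only place an index number maps to a person."""

    def __init__(self):
        self._withheld = {}  # index number -> fields that never leave the UK

    def scramble(self, claim):
        """Return the offshore view of one claim, keyed by a fresh random index
        number (one per claim, so claims cannot be linked to each other offshore)."""
        index = secrets.randbelow(10**12)
        while index in self._withheld:  # redraw on the rare collision
            index = secrets.randbelow(10**12)
        # Allow-list: any field not named in OFFSHORE_FIELDS is withheld by default.
        self._withheld[index] = {k: v for k, v in claim.items()
                                 if k not in OFFSHORE_FIELDS}
        view = {k: claim[k] for k in OFFSHORE_FIELDS}
        view["index"] = index
        return view

    def reinsert(self, processed):
        """Rejoin a record returned from offshore with its withheld fields."""
        withheld = self._withheld.get(processed.get("index"))
        if withheld is None:
            raise KeyError("index number was not issued by this enclave")
        record = {k: v for k, v in processed.items() if k != "index"}
        record.update(withheld)  # enclave values win over anything sent back
        return record

# Constructed sample claim, not data from the original project.
SAMPLE = {"staff_no": "S-1001", "name": "A. Example", "destination": "Country X",
          "travel_date": "2020-01-15", "amount": "182.40", "currency": "GBP",
          "category": "hotel"}

def demo():
    enclave = Enclave()
    view = enclave.scramble(SAMPLE)
    processed = dict(view, status="paid")  # what the offshore team sends back
    return view, enclave.reinsert(processed)

if __name__ == "__main__":
    offshore_view, restored = demo()
    print("offshore sees:", offshore_view)
    print("enclave restores:", restored)
```
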
15. Off shoring can go ahead with residual risk lower than original solution
Savings reduced by about 20% to pay for enclave in UK
Information asset owners much more aware of real high impact risks
Partnership with outsource provider strengthened
Partner takes security function into other customers as expert adviser and secures new business
16. Threats from sophisticated sources not well understood by asset owners
Assumption that security will say NO!
Savings reduced but project still went ahead and delivered a large net saving
After the solution, risks were lower than in the original solution
Ready for next break point: off shoring can now go to any country, even very high risk/low cost environments