…Maybe more than WTGR`s classes!!!

Transcription

…Maybe more than WTGR’s classes!!!
George Platsis
Risk Management for Digital Industries | MGD 426
at University of Toronto (Mississauga) | 30 OCT 2014
Delivered by G. Platsis (platsis.com) at U of T Mississauga
2014 Oct 30th in MGD426
Do you do this?
Once upon a time, we did…
Now, not so much.
So what changed?
…for Charlie,
A lot…
The threats have changed…
But do we know any better?
Actual e-mail
August 2014
Good morning George,
I hope all is well.
I was wondering if you could give me insight on how
cyber-security works and what the costs involved are.
“Translated” e-mail
August 2014
Good morning George,
I hope all is well.
I was wondering if you could give me insight on how an
automobile works and how much one costs.
Spot what doesn’t belong
How about now?
You know…most don’t…
This is what most see.
Most cyber strategies…
No, you are not.
Statistics overload…
Let’s look at the numbers we have to deal with.
Where are you in cyberspace?
Everybody with a device is an actor, with different intent
 Individuals
 Corporations
 Nations
 Criminals
 Terrorists
 Hybrids
 For hires, for fun
…the list is endless
It’s pretty crowded
 2000 (AFP, 2011)
 250 million internet users
 2008 (US-CERT, 2010)
 Broadband connectivity up 850%
 2009 (US-CERT, 2010)
 4 billion mobile phone users
 2011 (Internet Statistics, 2012)
 2.1 billion internet users
 2015 (Levin, 2012)
 Mobile industry worth $170 billion
 2020? (Tolentino, 2012)
 35 billion devices worldwide
Waldo can show
up where you
least expect him
How fast are we moving?...
 In 1997:
 10 year-olds could create web pages and 15 new
websites every minute (Tenet, 2012)
 In 2012 (this information is two years old!!!):
 One person can register 14,962 domains in 24 hours
(Sloan, 2012).
 Google alone can detect 9,500 new malicious
websites per day (Mills, 2012).
 80,000 new variant types of malicious code into the
Internet everyday.
Faster please…
 Happening Every Minute (Spencer, 2012):
 48 hours of YouTube video is upload;
 Over 200,000,000 e-mails are sent;
 Over 2,000,000 Google searches are performed;
 Over 700,000 pieces of content shared on Facebook;
 Over 100,000 Tweets happen;
 47,000 App downloads from the Apple Store alone;
 Nearly 600 websites are created;
 Nearly 350 new blog posts on Wordpress alone;
 Nearly 7,000 new photos between Flickr and Instagram;
 217 new mobile web users come online.
A little faster you say?...
 How fast?...in PFLOPS
 2008 (USA)

IBM Roadrunner/1.026
 2011 (Japan)
 Fujitsu K Computer/10.51
 2013 (China)
 Tianhe-2/33.83
 2017 (USA)
 Department of Energy 100-200?
1 PFLOP = 1,000,000,000,000,000
Computations Per Second
OK, a big mess, gotcha…







www.you-should-have-a-headache-by-now.com
Cultural challenges
Different meanings
Misunderstandings
Language barriers
Growing disparity
Equalizer?...maybe
Who makes the rules?
A brave new domain
Cost
Capability
Cyber threat evolution
1990s
2000s
2007 >>>
Viruses
Worms
Botnets
Living in constant cyber attack world
Today
APT,
Insiders
Unusual marriages
Terrorism
Insurgency
The 21st Century Man-Made
Challenge: Politics, Narcotics,
Religion, Extremism,
Technology, Protest, Revolt, and
more, all coming together
Organized Crime
Increased Capability
War with a Superpower?
 Likely impossible…
 Servers spread & strong defences
 …but what about disruption?...
 Leads to confusion
 …and critical infrastructure?...
 Can easily begin to cascade
 …and communications?...
 May not be reliable
 …and social reaction?...
 Can you live without your phone?
 …what about the economy?
 We are dependent on each other
The Power of One
 Asymmetric
 One person can change the world
 Motivated by…
 Money
 Ideology
 Sex & Compromise
 Ego
 “Us versus Them” Worldview
 Vision of “ultimate victory”
 Capable
 Technology is the enabler
 Have sophisticated training
The Insider
 Profile?
 37 year old male most likely
 Knowledge of the safeguards
 Who conducts theft?
 41% from those who protect you
 Disgruntled and laid-off workers
 59% of fired workers have stolen
 67% use information for new job
 Widespread concern
 42% believe biggest threat
 Hard to detect until it’s too late
You actually understand this?
This guy is pretty smart
James Comey, FBI Director
http://www.cbsnews.com/news/fbi-director-jamescomey-on-threat-of-isis-cybercrime/ 10:00 minute mark
th
20
Century Weapons
Kinetic Warfare
Nuclear Weapons
Economy
Cyberspace
st
21
Century Weapons
Kinetic Warfare
Nuclear Weapons
Economy
Cyberspace
Why hack?...
 Malicious code designed to take control of certain
functions and act discreetly (such as placing longdistance phone calls, snooping capabilities, enabling
the camera, or altering the calendar);
 Replacing common applications with similar versions
that have malware embedded in them;
…continued…
Always ask WHY!!!
 Modify communication protocols, such as Wi-Fi and
Bluetooth, to gain access with no authentication;
 Access corporate databases;
 Modify, steal, or delete vital contact information; and
 Attack the battery of the phone by keeping the device
continually alive.
CANNOT FORMULATE A STRATEGY FOR RISK
MANAGEMENT IF YOU DO NOT KNOW WHY YOU
ARE DOING IT!!!
Okay, what now?...Policies (I)
 Identify and authenticate users to prevent
unauthorized access
 Enforce the principle of at least privilege to ensure that
authorized access was necessary and appropriate
 Establish sufficient boundary protection mechanisms
 Apply encryption to protect sensitive data on networks
and portable devices
 Log, audit, and monitor security-relevant events
Okay, what now?...Policies (II)
 Restrict physical access to information assets
 Configure network devices and services to prevent
unauthorized access
 Assign incompatible duties to different individuals or
groups so that no one individual can controls all
aspects of the information system
 Maintain and test continuity of operation plans
Okay, what now?...Be Smart (I)
 Google says it will not share personal information with
companies, organizations, and individuals
(INDIVIDUALS?!) outside of Google unless certain
circumstances apply (Google, 2012):
 The user gives the consent;
 Domain administrators request it;
 External processing; and
 Legal reasons.
Okay, what now?...Be Smart (II)
 93% of consumers worldwide use search engines;
 75% of users never scroll past the first page of results;
 57% of internet users use a search engine every day;
 46% of searches are for product information; and
 The ranking of search engines as of September 2010 is:
84.73% for Google, 6.35% for Yahoo, 3.31% for Baidu,
3.30% for Bing, 0.71% for ASK, 0.40% for AOL, 0.20%
for all the rest.
(Barkha, 2012)
Okay, what now?...Be Smart (III)
 Downloading more than a movie…but that’s the hook!
 Many popular pirate search engines have
advertisements from Fortune 500 companies, including
targeted ads from ISPs that are attractive to high
bandwidth users;
 Nearly a fifth of all internet traffic is from peer-to-peer
filesharing; and
 Internet advertising, in the United States alone,
averaged at almost $8 billion US per quarter in 2011.
(Busch, 2012)
Tactics stay the same…
BECAUSE WE ARE MORONS IN CYBERSPACE!!!
 Sophistication of the attack may have become more
complex, the tactics can very much stay the same,
including (Fox, 2012):










E-mail Social Engineering/Spear Phishing;
Web download;
USB key malware;
Network scans that seek opportunities or exploits;
Guessing or Social Engineering passwords;
Wi-Fi compromises;
Stolen credentials from third-party sites;
Compromising web-based databases;
Exploiting password reset services to hijack accounts; and
Using insiders.
We need to be smarter.
Cyber Awareness Stages
 Ignorance
 Constituted awareness
 Actualization
 A cyber mindset
(Raduege, 2008)
Be smart
 Comprehensive plan
 Developing analysis and warning
capabilities
 Provide and coordinate incident
response and recovery planning,
along with testing and exercises
 Support efforts that seek to minimize
the impact to infrastructure
control systems
 Strengthen cybersecurity on an
international level
Actual e-mail Part II
September 2014
I thought of you and business continuity at work
yesterday. We had a bad thunderstorm that knocked
down our internet connection at the satellite office…
…you have to pay a monthly fee but it is far cheaper than
not being able to be in business for a few hours (not to
mention the angry clients who don't understand about
the internet being down).
Decision-maker buy-in?
 Speak THEIR language:
 $$$
 You will be sued
 You will be fired
 You will be forced to testify
 Or suffer an outage
 $$$ (again)
 Actual e-mail Part II
 Pay me now, pay me later
Would you still do this?
Question time
Thank you!
George Platsis
[email protected]

…Maybe more than WTGR`s classes!!!

Transcription

Similar documents

Image - Mississauga.ca

IGGYS promo card v5 - small

TRANSPORTATION

The Wonder Women Concert | Mississauga`s insauga

BIRTH(+)FACT(x)DEATH(

FACeTS FACeTS - A Snowmobile for George

Winter 2014 Newsletter PDF - The Community Foundation of

Jury Report mb.pub

Mississauga Media Kit

January - Ontario Zoroastrian Community Foundation