…Maybe more than WTGR`s classes!!!
Transcription
…Maybe more than WTGR`s classes!!!
…Maybe more than WTGR’s classes!!! George Platsis Risk Management for Digital Industries | MGD 426 at University of Toronto (Mississauga) | 30 OCT 2014 Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Do you do this? Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Once upon a time, we did… Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Now, not so much. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 So what changed? …for Charlie, A lot… Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 The threats have changed… Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 But do we know any better? Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Actual e-mail August 2014 Good morning George, I hope all is well. I was wondering if you could give me insight on how cyber-security works and what the costs involved are. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 “Translated” e-mail August 2014 Good morning George, I hope all is well. I was wondering if you could give me insight on how an automobile works and how much one costs. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Spot what doesn’t belong Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 How about now? Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 You know…most don’t… Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 This is what most see. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Most cyber strategies… Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 No, you are not. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Statistics overload… Let’s look at the numbers we have to deal with. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Where are you in cyberspace? Everybody with a device is an actor, with different intent Individuals Corporations Nations Criminals Terrorists Hybrids For hires, for fun …the list is endless Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 It’s pretty crowded 2000 (AFP, 2011) 250 million internet users 2008 (US-CERT, 2010) Broadband connectivity up 850% 2009 (US-CERT, 2010) 4 billion mobile phone users 2011 (Internet Statistics, 2012) 2.1 billion internet users 2015 (Levin, 2012) Mobile industry worth $170 billion 2020? (Tolentino, 2012) 35 billion devices worldwide Waldo can show up where you least expect him Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 How fast are we moving?... In 1997: 10 year-olds could create web pages and 15 new websites every minute (Tenet, 2012) In 2012 (this information is two years old!!!): One person can register 14,962 domains in 24 hours (Sloan, 2012). Google alone can detect 9,500 new malicious websites per day (Mills, 2012). 80,000 new variant types of malicious code into the Internet everyday. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Faster please… Happening Every Minute (Spencer, 2012): 48 hours of YouTube video is upload; Over 200,000,000 e-mails are sent; Over 2,000,000 Google searches are performed; Over 700,000 pieces of content shared on Facebook; Over 100,000 Tweets happen; 47,000 App downloads from the Apple Store alone; Nearly 600 websites are created; Nearly 350 new blog posts on Wordpress alone; Nearly 7,000 new photos between Flickr and Instagram; 217 new mobile web users come online. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 A little faster you say?... How fast?...in PFLOPS 2008 (USA) IBM Roadrunner/1.026 2011 (Japan) Fujitsu K Computer/10.51 2013 (China) Tianhe-2/33.83 2017 (USA) Department of Energy 100-200? 1 PFLOP = 1,000,000,000,000,000 Computations Per Second Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 OK, a big mess, gotcha… www.you-should-have-a-headache-by-now.com Cultural challenges Different meanings Misunderstandings Language barriers Growing disparity Equalizer?...maybe Who makes the rules? Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 A brave new domain Cost Capability Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Cyber threat evolution 1990s 2000s 2007 >>> Viruses Worms Botnets Living in constant cyber attack world Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Today APT, Insiders Unusual marriages Terrorism Insurgency The 21st Century Man-Made Challenge: Politics, Narcotics, Religion, Extremism, Technology, Protest, Revolt, and more, all coming together Organized Crime Increased Capability Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 War with a Superpower? Likely impossible… Servers spread & strong defences …but what about disruption?... Leads to confusion …and critical infrastructure?... Can easily begin to cascade …and communications?... May not be reliable …and social reaction?... Can you live without your phone? …what about the economy? We are dependent on each other Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 The Power of One Asymmetric One person can change the world Motivated by… Money Ideology Sex & Compromise Ego “Us versus Them” Worldview Vision of “ultimate victory” Capable Technology is the enabler Have sophisticated training Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 The Insider Profile? 37 year old male most likely Knowledge of the safeguards Who conducts theft? 41% from those who protect you Disgruntled and laid-off workers 59% of fired workers have stolen 67% use information for new job Widespread concern 42% believe biggest threat Hard to detect until it’s too late Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 You actually understand this? Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 This guy is pretty smart James Comey, FBI Director http://www.cbsnews.com/news/fbi-director-jamescomey-on-threat-of-isis-cybercrime/ 10:00 minute mark Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 th 20 Century Weapons Kinetic Warfare Nuclear Weapons Economy Cyberspace Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 st 21 Century Weapons Kinetic Warfare Nuclear Weapons Economy Cyberspace Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Why hack?... Malicious code designed to take control of certain functions and act discreetly (such as placing longdistance phone calls, snooping capabilities, enabling the camera, or altering the calendar); Replacing common applications with similar versions that have malware embedded in them; …continued… Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Always ask WHY!!! Modify communication protocols, such as Wi-Fi and Bluetooth, to gain access with no authentication; Access corporate databases; Modify, steal, or delete vital contact information; and Attack the battery of the phone by keeping the device continually alive. CANNOT FORMULATE A STRATEGY FOR RISK MANAGEMENT IF YOU DO NOT KNOW WHY YOU ARE DOING IT!!! Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Okay, what now?...Policies (I) Identify and authenticate users to prevent unauthorized access Enforce the principle of at least privilege to ensure that authorized access was necessary and appropriate Establish sufficient boundary protection mechanisms Apply encryption to protect sensitive data on networks and portable devices Log, audit, and monitor security-relevant events Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Okay, what now?...Policies (II) Restrict physical access to information assets Configure network devices and services to prevent unauthorized access Assign incompatible duties to different individuals or groups so that no one individual can controls all aspects of the information system Maintain and test continuity of operation plans Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Okay, what now?...Be Smart (I) Google says it will not share personal information with companies, organizations, and individuals (INDIVIDUALS?!) outside of Google unless certain circumstances apply (Google, 2012): The user gives the consent; Domain administrators request it; External processing; and Legal reasons. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Okay, what now?...Be Smart (II) 93% of consumers worldwide use search engines; 75% of users never scroll past the first page of results; 57% of internet users use a search engine every day; 46% of searches are for product information; and The ranking of search engines as of September 2010 is: 84.73% for Google, 6.35% for Yahoo, 3.31% for Baidu, 3.30% for Bing, 0.71% for ASK, 0.40% for AOL, 0.20% for all the rest. (Barkha, 2012) Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Okay, what now?...Be Smart (III) Downloading more than a movie…but that’s the hook! Many popular pirate search engines have advertisements from Fortune 500 companies, including targeted ads from ISPs that are attractive to high bandwidth users; Nearly a fifth of all internet traffic is from peer-to-peer filesharing; and Internet advertising, in the United States alone, averaged at almost $8 billion US per quarter in 2011. (Busch, 2012) Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Tactics stay the same… BECAUSE WE ARE MORONS IN CYBERSPACE!!! Sophistication of the attack may have become more complex, the tactics can very much stay the same, including (Fox, 2012): E-mail Social Engineering/Spear Phishing; Web download; USB key malware; Network scans that seek opportunities or exploits; Guessing or Social Engineering passwords; Wi-Fi compromises; Stolen credentials from third-party sites; Compromising web-based databases; Exploiting password reset services to hijack accounts; and Using insiders. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 We need to be smarter. Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Cyber Awareness Stages Ignorance Constituted awareness Actualization A cyber mindset (Raduege, 2008) Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Be smart Comprehensive plan Developing analysis and warning capabilities Provide and coordinate incident response and recovery planning, along with testing and exercises Support efforts that seek to minimize the impact to infrastructure control systems Strengthen cybersecurity on an international level Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Actual e-mail Part II September 2014 I thought of you and business continuity at work yesterday. We had a bad thunderstorm that knocked down our internet connection at the satellite office… …you have to pay a monthly fee but it is far cheaper than not being able to be in business for a few hours (not to mention the angry clients who don't understand about the internet being down). Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Decision-maker buy-in? Speak THEIR language: $$$ You will be sued You will be fired You will be forced to testify Or suffer an outage $$$ (again) Actual e-mail Part II Pay me now, pay me later Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Would you still do this? Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426 Question time Thank you! George Platsis [email protected] Delivered by G. Platsis (platsis.com) at U of T Mississauga 2014 Oct 30th in MGD426