…Maybe more than WTGR’s classes!!!
George Platsis
Risk Management for Digital Industries | MGD 426
at University of Toronto (Mississauga) | 30 OCT 2014
Delivered by G. Platsis (platsis.com) at U of T Mississauga
2014 Oct 30th in MGD426
Do you do this?
Once upon a time, we did…
Now, not so much.
So what changed?
…for Charlie,
A lot…
The threats have changed…
But do we know any better?
Actual e-mail
August 2014
Good morning George,
I hope all is well.
I was wondering if you could give me insight on how
cyber-security works and what the costs involved are.
“Translated” e-mail
August 2014
Good morning George,
I hope all is well.
I was wondering if you could give me insight on how an
automobile works and how much one costs.
Spot what doesn’t belong
How about now?
You know…most don’t…
This is what most see.
Most cyber strategies…
No, you are not.
Statistics overload…
Let’s look at the numbers we have to deal with.
Where are you in cyberspace?
Everybody with a device is an actor, with different intent
• Individuals
• Corporations
• Nations
• Criminals
• Terrorists
• Hybrids
• For hires, for fun
…the list is endless
It’s pretty crowded
• 2000 (AFP, 2011)
  • 250 million internet users
• 2008 (US-CERT, 2010)
  • Broadband connectivity up 850%
• 2009 (US-CERT, 2010)
  • 4 billion mobile phone users
• 2011 (Internet Statistics, 2012)
  • 2.1 billion internet users
• 2015 (Levin, 2012)
  • Mobile industry worth $170 billion
• 2020? (Tolentino, 2012)
  • 35 billion devices worldwide
Waldo can show up where you least expect him
How fast are we moving?...
• In 1997:
  • 10-year-olds could create web pages and 15 new websites every minute (Tenet, 2012)
• In 2012 (this information is two years old!!!):
  • One person can register 14,962 domains in 24 hours (Sloan, 2012).
  • Google alone can detect 9,500 new malicious websites per day (Mills, 2012).
  • 80,000 new variant types of malicious code enter the Internet every day.
Faster please…
• Happening Every Minute (Spencer, 2012):
  • 48 hours of YouTube video is uploaded;
  • Over 200,000,000 e-mails are sent;
  • Over 2,000,000 Google searches are performed;
  • Over 700,000 pieces of content are shared on Facebook;
  • Over 100,000 Tweets happen;
  • 47,000 App downloads from the Apple Store alone;
  • Nearly 600 websites are created;
  • Nearly 350 new blog posts on WordPress alone;
  • Nearly 7,000 new photos between Flickr and Instagram;
  • 217 new mobile web users come online.
A little faster you say?...
• How fast?...in PFLOPS
• 2008 (USA)
  • IBM Roadrunner/1.026
• 2011 (Japan)
  • Fujitsu K Computer/10.51
• 2013 (China)
  • Tianhe-2/33.83
• 2017 (USA)
  • Department of Energy 100-200?
1 PFLOP = 1,000,000,000,000,000 Computations Per Second
OK, a big mess, gotcha…
www.you-should-have-a-headache-by-now.com
• Cultural challenges
• Different meanings
• Misunderstandings
• Language barriers
• Growing disparity
• Equalizer?...maybe
• Who makes the rules?
A brave new domain
Cost
Capability
Cyber threat evolution
• 1990s: Viruses
• 2000s: Worms
• 2007 >>>: Botnets
Living in constant cyber attack world
Today: APT, Insiders
Unusual marriages
Terrorism
Insurgency
The 21st Century Man-Made Challenge: Politics, Narcotics, Religion, Extremism, Technology, Protest, Revolt, and more, all coming together
Organized Crime
Increased Capability
War with a Superpower?
• Likely impossible…
  • Servers spread & strong defences
• …but what about disruption?...
  • Leads to confusion
• …and critical infrastructure?...
  • Can easily begin to cascade
• …and communications?...
  • May not be reliable
• …and social reaction?...
  • Can you live without your phone?
• …what about the economy?
  • We are dependent on each other
The Power of One
• Asymmetric
• One person can change the world
• Motivated by…
• Money
• Ideology
• Sex & Compromise
• Ego
• “Us versus Them” Worldview
• Vision of “ultimate victory”
• Capable
• Technology is the enabler
• Have sophisticated training
The Insider
• Profile?
• 37-year-old male most likely
• Knowledge of the safeguards
• Who conducts theft?
• 41% from those who protect you
• Disgruntled and laid-off workers
• 59% of fired workers have stolen
• 67% use information for new job
• Widespread concern
• 42% believe biggest threat
• Hard to detect until it’s too late
You actually understand this?
This guy is pretty smart
James Comey, FBI Director
http://www.cbsnews.com/news/fbi-director-james-comey-on-threat-of-isis-cybercrime/ (10:00 minute mark)
20th Century Weapons
Kinetic Warfare
Nuclear Weapons
Economy
Cyberspace
21st Century Weapons
Kinetic Warfare
Nuclear Weapons
Economy
Cyberspace
Why hack?...
• Malicious code designed to take control of certain functions and act discreetly (such as placing long-distance phone calls, snooping capabilities, enabling the camera, or altering the calendar);
• Replacing common applications with similar versions that have malware embedded in them;
…continued…
Always ask WHY!!!
• Modify communication protocols, such as Wi-Fi and Bluetooth, to gain access with no authentication;
• Access corporate databases;
• Modify, steal, or delete vital contact information; and
• Attack the battery of the phone by keeping the device continually alive.
CANNOT FORMULATE A STRATEGY FOR RISK MANAGEMENT IF YOU DO NOT KNOW WHY YOU ARE DOING IT!!!
Okay, what now?...Policies (I)
• Identify and authenticate users to prevent unauthorized access
• Enforce the principle of least privilege to ensure that authorized access was necessary and appropriate
• Establish sufficient boundary protection mechanisms
• Apply encryption to protect sensitive data on networks and portable devices
• Log, audit, and monitor security-relevant events
Okay, what now?...Policies (II)
• Restrict physical access to information assets
• Configure network devices and services to prevent unauthorized access
• Assign incompatible duties to different individuals or groups so that no one individual can control all aspects of the information system
• Maintain and test continuity of operation plans
Okay, what now?...Be Smart (I)
• Google says it will not share personal information with companies, organizations, and individuals (INDIVIDUALS?!) outside of Google unless certain circumstances apply (Google, 2012):
  • The user gives the consent;
  • Domain administrators request it;
  • External processing; and
  • Legal reasons.
Okay, what now?...Be Smart (II)
• 93% of consumers worldwide use search engines;
• 75% of users never scroll past the first page of results;
• 57% of internet users use a search engine every day;
• 46% of searches are for product information; and
• The ranking of search engines as of September 2010 is: 84.73% for Google, 6.35% for Yahoo, 3.31% for Baidu, 3.30% for Bing, 0.71% for ASK, 0.40% for AOL, 0.20% for all the rest.
(Barkha, 2012)
Okay, what now?...Be Smart (III)
• Downloading more than a movie…but that’s the hook!
• Many popular pirate search engines have advertisements from Fortune 500 companies, including targeted ads from ISPs that are attractive to high bandwidth users;
• Nearly a fifth of all internet traffic is from peer-to-peer filesharing; and
• Internet advertising, in the United States alone, averaged at almost $8 billion US per quarter in 2011.
(Busch, 2012)
Tactics stay the same…
BECAUSE WE ARE MORONS IN CYBERSPACE!!!
• Attacks may have become more sophisticated, but the tactics can very much stay the same, including (Fox, 2012):
  • E-mail Social Engineering/Spear Phishing;
  • Web download;
  • USB key malware;
  • Network scans that seek opportunities or exploits;
  • Guessing or Social Engineering passwords;
  • Wi-Fi compromises;
  • Stolen credentials from third-party sites;
  • Compromising web-based databases;
  • Exploiting password reset services to hijack accounts; and
  • Using insiders.
We need to be smarter.
Cyber Awareness Stages
• Ignorance
• Constituted awareness
• Actualization
• A cyber mindset
(Raduege, 2008)
Be smart
• Comprehensive plan
• Developing analysis and warning capabilities
• Provide and coordinate incident response and recovery planning, along with testing and exercises
• Support efforts that seek to minimize the impact to infrastructure control systems
• Strengthen cybersecurity on an international level
Actual e-mail Part II
September 2014
I thought of you and business continuity at work
yesterday. We had a bad thunderstorm that knocked
down our internet connection at the satellite office…
…you have to pay a monthly fee but it is far cheaper than
not being able to be in business for a few hours (not to
mention the angry clients who don't understand about
the internet being down).
Decision-maker buy-in?
• Speak THEIR language:
• $$$
• You will be sued
• You will be fired
• You will be forced to testify
• Or suffer an outage
• $$$ (again)
• Actual e-mail Part II
• Pay me now, pay me later
Would you still do this?
Question time
Thank you!
George Platsis