4. Agenda
So what can we do to reduce the likelihood?
Can you prevent state sponsored intrusion?
Is defence in depth just a feel good distraction?
If they [cyber criminals] want your IP then is it just a matter of time?
Elastic cloud computing or elastic intrusion?
30. How do you see it?
[Slide diagram: a scale running from "Risk taker" (e.g., cost dominated) to "Risk averse" (e.g., risk dominated), with Cloud provider, Start-up, Mature business, CIO, Business unit, Legal, Governance, Security and CISO placed along it]
Editor's notes

Sponsored intrusion is a deliberate, targeted attempt by a hostile party to gain unlawful access to another network and systems, and ultimately a) steal their intellectual property, or b) carry out some malicious electronic act causing destruction and/or collapse.
The attack is funded and supported, possibly by the state.
It is coordinated and employs a good level of expertise and sophistication.
The network and systems under attack can be in the same country as the attacker, but often the attack will be launched into another country's territory.
Cybercrime is the training ground for cyberwarfare.
Cyberspace is a crime syndicate's dream.

Intrusion attacks are highly sophisticated and span multiple surfaces.
The "as a service" model has been available to cyber criminals and state-sponsored organisations for some time.
Exponential computing power is available, and is now offered as a service through the cloud (~real-time password computation).
Everything is hackable (~TPM cryptoprocessor, Chris Tarnovsky).
People are fallible; social engineers are feasting at the all-you-can-eat buffet of social networking sites (~we help the intrusion process: insecure technology, ubiquitous trust).
Present an easy target and you may as well advertise.

What if your company is high-profile and symbolic of a country's national identity? McDonald's = USA.
Defacements and hacking associated with multinational companies or product lines, and high-profile organisations: McDonald's, Skype, Mazda, Burger King, Pepsi, Fujifilm, Volkswagen, Sprite, Gillette, Fanta, Daihatsu, and Kia; United Nations, Harvard University, Microsoft, Royal Dutch Shell, the National Basketball Association.
The intrusion attack on your company may come from an unexpected quarter, not in it for financial gain: a foreign power attempting to overthrow the capitalist dictator.

GhostNet, Chinese espionage ring: 1,300 infected computers in 103 countries, 30% located in government offices, media companies and non-government organisations (NGOs).
A RAT named gh0st RAT gives complete control of the host computer:
  activate the web cam and conduct audio and video surveillance;
  search for and exfiltrate sensitive documents;
  initiate key logging to capture usernames and passwords.
A variant of an old spear phishing scheme: the attacker sends a carefully worded email message to an organisation or company that features highly focused content.

African IT experts estimate an 80% infection rate on all PCs continent-wide, including government computers (~a cyber pandemic).
Unable to afford anti-virus software; dial-up download times make updates obsolete.
Broadband service is now delivered (mid 2010), providing a massive, target-rich environment: 100 million computers available for botnet herders to add as infected hosts.
1 million hosts could generate enough traffic to take most Fortune 500 companies collectively offline.

1st Age: Servers. FTP, Telnet, Mail, Web: these were the things that consumed bytes from a bad guy. The hack left a footprint.
2nd Age: Browsers. JavaScript, ActiveX, Java, image formats, DOMs: these are the things that are getting locked down, slowly and incompletely.
3rd Age: Passwords. Gaining someone's password is the skeleton key to their life and your business. Totally invisible: no trace.

You are a target, or will become a target, where your data is held alongside valuable information.
Governance/compliance: a maze of data handling rules.
Legal maturity: cloud models are complex and hard to define, with poor or non-existent legal structures and precedents.
Cost: driving utilisation of possibly high-risk providers.
SaaS, PaaS, DaaS, etc.: cloud providers and sub-providers. Who? Where? What?
Data aggregation is done at different levels in the cloud, with multiple copies of data in the cloud; how do you assure deletion of this data?
Data is fungible and can be transferred to the lowest-cost cloud provider without the customer's consent; the low-cost provider may have poor or non-existent policy and security.
Firewalls can't manage access to cloud applications because, by definition, these applications are accessed over the Internet, outside the corporate firewall.
Poor system authentication, authorisation and accounting (AAA) could facilitate unauthorised access to resources, privilege escalation, and the impossibility of tracking the misuse of resources and security incidents in general: insecure storage of cloud access credentials by the customer, insufficient roles available, credentials stored on a transitory machine.
The cloud makes password-based authentication attacks (the trend of fraudsters using a Trojan to steal corporate passwords) much more impactful, since corporate applications are now exposed to the Internet.
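Because an Internet-exposed application receives every password guess directly, the "accounting" part of AAA has to carry the detection. The following is an added example, not part of the deck, that runs two simple detections over a constructed authentication log: one source failing against many accounts, one account accumulating failures, and a success that follows either pattern (the log format, thresholds and sample values are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log for an Internet-facing app (not real data): "timestamp user source_ip result"
SAMPLE_LOG = """\
2010-06-01T09:00:01 alice 198.51.100.7 FAIL
2010-06-01T09:00:02 bob 198.51.100.7 FAIL
2010-06-01T09:00:03 carol 198.51.100.7 FAIL
2010-06-01T09:00:04 dave 198.51.100.7 FAIL
2010-06-01T09:00:05 erin 198.51.100.7 FAIL
2010-06-01T09:00:06 frank 198.51.100.7 SUCCESS
2010-06-01T10:00:00 bob 192.0.2.9 FAIL
2010-06-01T10:00:30 bob 192.0.2.9 FAIL
2010-06-01T10:01:00 bob 192.0.2.9 FAIL
2010-06-01T10:01:30 bob 192.0.2.9 FAIL
2010-06-01T10:02:00 bob 192.0.2.9 FAIL
2010-06-01T10:02:30 bob 192.0.2.9 SUCCESS
"""

def parse(log):
    """Turn each log line into (timestamp, user, source_ip, result)."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def detect(events, window=timedelta(minutes=10), spray_users=5, brute_fails=5):
    """Return (kind, key, detail) alerts: 'spray' (one source, many accounts), 'brute'
    (one account, many failures), 'success_after_failures' (flagged source or account succeeds)."""
    alerts = []
    fails_by_ip = defaultdict(list)    # ip   -> [(ts, user)]
    fails_by_user = defaultdict(list)  # user -> [ts]
    flagged_ips, flagged_users = set(), set()
    for ts, user, ip, result in sorted(events):
        if result == "SUCCESS":
            if ip in flagged_ips or user in flagged_users:
                alerts.append(("success_after_failures", user, ip))
            continue
        fails_by_ip[ip].append((ts, user))
        fails_by_user[user].append(ts)
        targets = sorted({u for t, u in fails_by_ip[ip] if ts - t <= window})
        if len(targets) >= spray_users and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append(("spray", ip, targets))
        recent = [t for t in fails_by_user[user] if ts - t <= window]
        if len(recent) >= brute_fails and user not in flagged_users:
            flagged_users.add(user)
            alerts.append(("brute", user, len(recent)))
    return alerts
```

On the sample, the spraying source is flagged on its fifth distinct account, so frank's later success from that source is raised for review even though the guess itself looked like a normal login.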
The advent of the net-centric world has changed the threat environment dramatically.
Organisations need to reassess how they collect, analyse and use intelligence.
Offence must inform defence: looking forward, proactive.
Reduce your attractiveness; make someone else the target.
There is a need to find the right balance between security and transparency: a pragmatic approach.

Drive change from the top: implement governance structures that are aware and monitoring, and put the CISO on the Board.
Deliver a social media policy.
Threat modelling, coupled with a risk assessment and risk management program, to focus resources appropriately.
Test high-risk groups of people within the organisation for social engineering attacks.
Implement 2-factor authentication for all remote users.

Duty of prevention; the technical capacity of trace programs to trace attacks back to their point of origin; and attribution.