Nsa spying gem_2013_final
2023-04-08
The potential consequences of the NSA (and GCHQ) spying on the mobile enterprise
And what you can/should do about it
Claus Cramon Houmann
Banque Öhman
Key takeaways:
• The known and the "feared" extents of the NSA spying & others who spy
• Spyware exists which can take full control of any mobile device, not to mention laptops
• Defend your enterprise with defense in depth, which includes devices outside the perimeter
• Make sure you know which data leaves the perimeter
• Do your risk assessments and protect against your REAL threats
• Consider any data that leaves the perimeter lost
Why am I here presenting this?
• June 6th
• ..and since then
• Truth has been coming out
• That affects us all
Initial releases from Snowden trove
• PRISM, XKEYSCORE, other programs that combined SPY on our lives -> and remove much of our privacy & security
– Calls being recorded in the US – private AND corporate
– Metadata for all calls and Internet in the US
– -> this alone is quite a risk for companies operating in the US
• But THEN started the real revelations that concern any company, worldwide....
!Collect everything!
• It turns out that the NSA & partners collect everything (almost)
– Your calls
– Your metadata
– Your e-mails
– Your Google searches
– Your banking transactions
– Your social media activity
• They are intercepting, analyzing and storing almost all Internet traffic. If they can't decrypt it, it just gets stored longer until they can
!Tailored access!
• It’s not enough to just collect and store everything
• NSA actively hacks states, companies and private individuals
• To make this EASIER they have also weakened an unknown number of cryptographic standards and tools
Red flags – special NSA target areas
• Any bank with a SWIFT code
• Anyone using encryption
• Anyone doing anything in the Middle East
• Anything to do with oil or gas (energy)
• Anyone building security systems / infosec systems
But wait...this doesn't affect my company
• Raise your hand if you’re thinking this right now
My guess
• Is that around 25% of people present raised their hands
• I hope for 0
• If 25% raised their hands, another 25% didn't – only due to normal classroom psychology
Why are those raised hands wrong?
• Others have the means to exploit cryptographic weaknesses
– China, Russia, serious competitors?
• The NSA passes information to the US Government (and others?), so it’s conceivable that information from NSA spying ends up in US corp hands (http://www.zerohedge.com/contributed/2013-10-21/nsa-busted-conducting-industrial-espionage-france-mexico-brazil-china-and-all)
– This has happened before (e.g. ECHELON anno 2000, in a BBC report)
• Anyone can potentially get at your data! Especially on exposed locations such as mobile devices
But then...what can we do?
• Risk Management – mitigate the risks to acceptable levels
• Defense-in-depth: Defend your data, wherever and whenever appropriate. Follow the booming market for innovative tools – eventually someone will find a way to protect smartphones/tablets acceptably. Laptops are already protectable
• ENCRYPT. EVERYTHING. NOW.
• Manage where your data is. Verify that policies are followed.
• Awareness training & GRC implementation/improvement
Defense-in-depth. Isn't it simple and beautiful?
The future brings....
• European or Global Crypto-standards institute
• Advanced malware protection tools (AMPs), also for phones and tablets
• Changes to how NSA spies on US citizens...but how about the rest of us....?
• Fortress Europe? Fortress South America? Fortress Russia?
About me
• Claus Cramon Houmann, 38, married to Tina and I have 3 lovely kids
• CISSP, ITIL Certified Expert, Prince2 practitioner
• You can contact me anytime:
– Skype: Claushj0707
– Twitter: @claushoumann
• Sources used:
– Richard Stiennon’s presentation: "How the surveillance state is changing IT security forever"
– Tidbits from @mikko’s TEDx presentation recently
Questions?