Governance and IoT Cyber Risks - presented at DEFCON-OWASP Lucknow, India

The Future of Cyber Risks: Internet of Things & Cyber Governance. Lucknow (India), February 22nd, 2015. Dinesh O Bareja [email protected]

Uploaded by dinesh-o-bareja, posted on 14-Jul-2015


This is a Web Distribution Version

• This presentation has been optimized for distribution via the web as a PDF, which means that animation panes have been deleted and expanded. This allows the full content of animated slides to be visible and readable

• The intent is to make sure that the animations do not appear as unreadable clutter

• The images that have been used are sourced freely from the Internet using multiple search resources. Our logic is that if your creations are searchable then they are usable for representation AND we never use any such images in ANY of our commercial works

• All our works that are put up as 'distribution' versions are published under a Creative Commons license and are non-commercial – these are available for download from common document sites on the internet or from our website

• If some images are deleted (due to watermarked copyright notices or stringent usage policies) the slide will only show a hyperlink to it. You can follow the link to see the image.

• This is done if I have received an objection or a take-down notice from the copyright owner

• I/We make every effort to include a link or name to the copyright owner of the image(s) that have been used in this presentation, and please accept our sincere apologies in case any image has not been individually acknowledged

• Copyright notices or watermarks are not removed from images or text which are not purchased; however, we may say that practically all text is our own creation

• In spite of all the above and other declarations, if you have objections to the use (as owner of any of the IP used in this presentation / paper) you may please send an email to us and we shall remove the same right away (please do remember to include your communication coordinates and the URL where you spotted this infringement)

"You should presume that someday, we will be able to make machines that can reason, think and do things better than we can."

- Sergei Brin, co-founder Google (07-2014)

AGENDA

GOVERNANCE .. QUICK LOOK AT ISSUES

CHALLENGES AND OPTIONS

RISKS OF THE FUTURE… AS THEY TAKE BIRTH

TODAY - INTERNET OF THINGS

A Brief Introduction

Dinesh O Bareja, CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR

• Principal Advisor – Pyramid Cyber Security & Forensic Pvt Ltd

• COO – Open Security Alliance

• Co-Founder – Indian Honeynet Project

• Member IGRC – Bombay Stock Exchange

• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)

Enterprise & Government Policy Development; Cyber Security Strategy, Design, Architecture; Current State Security Assessment, Audit & Optimization; Governance, Risk Management;

ABOUT ME

It is time the infosec community got up to highlight weaknesses in governance and in the thinking of our governments on cyber security at the national and state level,

and realize the increasing inability to control cyber-related incidents with the looming threats of cyber war / terrorism / espionage / crime

GOVERNANCE … what is it (dictionary)

• government; exercise of authority, control

• Governance (noun) - the persons (or committees or departments etc.) who make up a body for the purpose of administering something

SO let us take a look at what we have to govern…..

http://www.considerati.com

With great opportunity come great risks. And this is what we are trying to govern and control

http://www.publicpolicy.telefonica.com/blogs/blog/2015/01/02/internet-governance-debate-what-are-our-beliefs/

We are trying to manage a system that is represented like a building that is permanently under construction

This is the fundamental truth about management:

CONTROL - You cannot control what you cannot measure

MANAGE - You cannot manage what you cannot control

Current State of

- Cyber Security,

- Cyber Governance,

- Cyber-Anything

CURRENT CYBER STATE

• Multiple organizations: LEA, Government, Defence, Large Enterprises, NGOs etc. exist and

• Everyone does their "own thing"

• All are 'de facto' experts

• Everyone wants to protect his/her/their thought, (ass)ets, technology

• And believes that his/her/their system is handmade by God!

• SO…. Chaos and confusion reign supreme

Way Ahead (my own thoughts)

• Cyber Security must be entrusted (at national level) to one authority and organization

• Designate the President / PMO as C-in-C as this is a frontier, a battleground

• Cybercrime, Terrorism, War, Attacks, Espionage, Reputation, Information Exchange, Development of Offensive Capabilities et al cannot be decided upon by a NCSC

• I had done a presentation on Governance a few years earlier and it is as relevant now as it was then…

• Normally I do not use my old slides but I find this is still an area which needs the same old stuff…

• As per my agenda today I had said that we would take a look at OPTIONS … options in the middle of all this confusion etc ….

• This is my own conceptual framework to bring direction and order at a national / state level

• The concept presented may not be the silver bullet, but like I say, if there is good silver in the bullet at least we have started the journey to kill the problem

Conceptual governance framework

Commander in Chief: PM / President

Second Line of Command (Operational and Strategic): NSA, NCSC, Defence Chief of Staff, Head of Intelligence, MHA, CERT, LEA, Industry Rep & Bodies

Cyber Security Organizations and Organizations with Cyber Command Centers:

• State Cyber Security Centers

• Sectoral CERTs

• NTRO (cyber)

• NCIIPC

• IB, RAW, NIA, DIA

• Defense CERTs, DIA, DRDO etc

• Academia Participants

• Cyber Crime Police Stations

• CCTNS, NATGRID

• Information & Data Library

• Online Battalions

• General areas n.e.s.

• Continuing Education & Training

Control and Operational Areas (national and state level):

• Capacity Building

• Capability Building

• Citizen Outreach

• Sectoral Departments

• Critical Infrastructure

• Education and Training

• International Relations

• Policy & Regulations

• Offensive and Defensive

• Knowledge Repository

• Domestic Relationships

• Risk Advisories

• Intelligence Gathering

• Research and Development

• Public Private Partnership

• Public Relations

• Security Clearance

• Think Tank

• Testing Group

• Talent Identification

• Responsible Disclosure

Field Organizations and Teams:

• CERT Incident Response

• Awareness, Education, Training

• Developers

• Embedded Cyber Patrollers

• Reporting and Measurement

• Skill Development

• Audit, Risk, Technology

http://www.slideshare.net/DiploFoundation/presentation-at-the-arab-igf-consultations-in-dubai-5th-march-2013

This is where we are – Square 1

Shock & Awe! Questions, Questions and Questions!

This was said by… - Albert Einstein

This really does not happen in real life! I have yet to see a hacker who is genteel, good mannered and follows such etiquette <LOL>

Moving on… the 2nd part of my talk

• We've seen how orderly or disorderly we are (big deal, we are like that only and it is not just us but the whole world)

• Let's move on to something more exciting – our future, tomorrow, kal / kaal (Hindi: tomorrow / time) …

• The Internet of Things

BAD: The Internet of Things is also the Internet of Bad Things!

The universe soon in your hand! The world is coming to rest in your palm

What's the Internet of Things?

From any time, any place connectivity for anyone, we will now have connectivity for anything!

Gartner Hype Cycle for Emerging Technologies - 2014

A few technologies which are making news are marked, and the IoT is poised at the top, ready to make the journey ahead

"(…) it takes many decades from the excitement of inception for these technologies to fully work. In the case of the automobile, the technology took 40 years to go from merely 'working' to eventually becoming fully part of our lives. It took 80 years, from 1880 to 1960, for the technology to become comfortable. The final phase of a technology is for it to disappear. As John Seely Brown puts it: 'Technology has not fully arrived until it disappears—until it is so much a part of us that we don't see it.'" (Brian Arthur, "Myths and Realities of the High-Tech Economy")

WE ARE … WE WANT (image: Pandasecurity.com)

LIFE / HOMES / LIFESTYLE

http://www.toptechnews.com/article/index.php?story_id=11100BDJN996

Toto's new Intelligence Toilet II monitors weight, blood sugar levels, and other vital signs, transferring data to your computer for analysis via WiFi.

CARS

ADAPTIVE CRUISE CONTROL: ADJUSTS AND DRIVES WITHIN THE LANES

SMART PARKING

GRIDS & METERS

http://emfsafetynetwork.org/wp-content/uploads/2011/03/DSC_0097.jpg

Smart meters will work with real-time energy displays showing energy use around the home. Photograph: Energy Retailers Association/PA

DRONES

SMART IoT - exciting new developments

• Light bulbs that change depending on your mood

• Refrigerators that talk with your smartphone

• Efficiency across industries

• Cost savings in healthcare

SMART IoT - exciting new developments

• Nanoparticles in drug delivery

• Nano robots in the bloodstream (can cure cancer)

• Wearables (Google Glass)

• Aur Bhi Acche Din* (* Hindi: "For more good days")

SMART IoT

IoT technologies and services generated global revenues of $4.8 trillion in 2012, to reach $8.9 trillion by 2020, growing at a compound annual growth rate (CAGR) of 7.9%.

SMART IoT

50 billion connected devices by 2020

Each person will have more than 6 devices

IoT devices will more than double (4.9 billion this year)

Human dependency on all devices will grow and grow…

RISKS - television

The smart TV recognizes voice commands, so it is in listening mode and also listens to any conversation in the room while trying to figure out a command. Is this shared at the back end??

Look at the future differently

• Neither software nor email security will be enough to protect (IoT) against future attacks from cybercriminals

• Develop strategies in preparation "for the onslaught of Internet enabled devices"

• Prepare for the fast approaching army of networked devices

http://fortifyprotect.com/HP_IoT_Research_Study.pdf

"Any connected consumer electronic appliance may become a zombie for a botnet. Imagine the power of a DDoS using all the TV sets of one brand.

Ransomware may shoot up. What if a ransomware hits the same TV sets or consumer appliance? Will the brand pay the ransom? Will you pay to get back your connected fridge?"

RISKS

RISKS

• A security flaw that could allow unlocking the doors of up to 2.2 million Minis, BMWs, and Rolls-Royce models

• They are all equipped with BMW's ConnectedDrive software, which uses on-board SIM cards

• Potentially, hackers could gain access to the onboard vehicle computer systems that manage everything from engines and brakes to even the air conditioning

Our national RISKS are unique

The real India .. in the villages. Soon to be zapped by technology benefits and technology crime!

And we will become lazier by the day!

http://www.intel.com/communities/pix/other/Newsroom_UK_InternetOfThings_1024x1448.jpg

ABOUT ME - CONTACT INFORMATION

E [email protected]

@bizsprite

L: linkedin.com/in/dineshbareja

+91.9769890505

dineshobareja

dineshobareja

infosecgallery.blgspot.com

securambling.blogspot.com

Information Security professional: works hard to be abreast of technology, risks, threats, opportunities and looks forward to the excitement of the future..

License and Copyright

This document has been created by IndiaWatch, Open Security Alliance, Dinesh O Bareja

Released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5 India)

http://creativecommons.org/licenses/by-nc-sa/2.5/in/

The information and practices listed in this document are provided as is and for guidance purposes only and should not be construed to be a standard (unless mentioned otherwise). Readers are urged to make informed decisions before adopting the information given in this document.

The author(s) may not be held responsible, or liable, in any event and for any issues arising out of the use of the information and / or guidelines included in this document. Further, we do not give any warranty on accuracy, completeness, functionality, usefulness or other assurances as to the content in the document. We disclaim all responsibility for any losses, damage caused or attributed, directly or indirectly, from reliance on and the use of such information.

Readers are welcome to provide feedback to the authors using the contact information provided in this document. This document has been prepared for general public distribution so all animations have been converted to static images.

Graphics and images are usually obtained from the internet and royalty free sources and are usually acknowledged by us. Errors may be expected in this practice and this is not intentional. We respect creative rights and request owner(s) to inform us of any inadvertent omission. Any trademarks or companies may be displayed or mentioned with the purpose of establishing a point or for better understanding and we do not claim any exclusivity or relationship with their respective owners.

Acknowledgements & Disclaimer

Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged (above) where possible. Any company names, brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).