governance and iot cyber risks - presented at defcon-owasp lucknow, india
TRANSCRIPT
The Future of Cyber Risks: Internet of Things & Cyber Governance
Lucknow (India), February 22nd, 2015
Dinesh O Bareja [email protected]
This is a Web Distribution Version
• This presentation has been optimized for distribution via the web as a PDF which means that animation panes have been deleted and expanded. This will allow full content on animated slides to be visible and readable
• The intent is to make sure that the animations do not appear with unreadable clutter
• The images that have been used are sourced freely from the Internet using multiple search resources. Our logic is that if your creations are searchable then they are usable for representation AND we never use any such images in ANY of our commercial works
• All our works that are put up as ‘distribution’ versions are published under Creative Commons license and are non-commercial; these are available for download from common document sites on the internet or from our website
• If some images are deleted (due to watermarked copyright notices or stringent usage policies) the slide will only show a hyperlink to it. You can follow the link to see the image.
• This is done if I have received an objection or a take-down notice from the copyright owner
• I/We make every effort to include a link or name to the copyright owner of the image(s) that have been used in this presentation, and please accept our sincere apologies in case any image has not been individually acknowledged
• Copyright notices or watermarks are not removed from images or text which are not purchased, however, we may say that practically all text is our own creation
• In spite of all the above and other declarations, if you have objections to the use (as owner of any of the IP used in this presentation / paper) you may please send an email to us and we shall remove the same right away (please do remember to include your communication coordinates and the URL where you spotted this infringement)
“You should presume that someday, we will be able to make machines that can reason, think and do things better than we can.” - Sergei Brin, co-founder Google (07-2014)
AGENDA
GOVERNANCE .. QUICK LOOK AT ISSUES
CHALLENGES AND OPTIONS
RISKS OF THE FUTURE… AS THEY TAKE BIRTH TODAY - INTERNET OF THINGS
A Brief Introduction
Dinesh O Bareja, CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR
• Principal Advisor – Pyramid Cyber Security & Forensic Pvt Ltd
• COO – Open Security Alliance
• Co-Founder – Indian Honeynet Project
• Member IGRC – Bombay Stock Exchange
• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)
Enterprise & Government Policy Development; Cyber Security Strategy, Design, Architecture; Current State Security Assessment, Audit & Optimization; Governance, Risk Management;
ABOUT ME
It is time the infosec community got up to highlight weakness in governance and the thinking of our governments on cyber security at the national and state level, and realize the increasing inability to control (cyber) related incidents with the looming threats of cyber war / terrorism / espionage / crime.
GOVERNANCE … what is it (dictionary)
• government; exercise of authority control
• Governance (noun) - the persons (or committees or departments etc.) who make up a body for the purpose of administering something
A body for the purpose of administering something.
SO Let Us Take A Look At What We Have To Govern…..
http://www.publicpolicy.telefonica.com/blogs/blog/2015/01/02/internet-governance-debate-what-are-our-beliefs/
We are trying to manage a system that is represented like a building that is permanently under construction.
This is the fundamental truth about management:
• CONTROL: You cannot control what you cannot measure
• MANAGE: You cannot manage what you cannot control
Current Cyber State
• Multiple organizations: LEA, Government, Defence, Large Enterprises, NGOs etc. exist and
• Everyone does their “own thing”
• All are ‘de facto’ experts
• Everyone wants to protect his/her/their thought, (ass)ets, technology
• And believes that his/her/their system is handmade by God!
• SO…. Chaos and confusion reigns supreme
Way Ahead (my own thoughts)
• Cyber Security must be entrusted (at national level) to one authority and organization
• Designate the President / PMO as C-in-C as this is a frontier, a battleground
• Cybercrime, Terrorism, War, Attacks, Espionage, Reputation, Information Exchange, Development of Offensive Capabilities et al cannot be decided upon by a NCSC
• I had done a presentation on Governance a few years earlier and it is as relevant now as it was then…
• Normally I do not use my old slides but I find this is still an area which needs the same old stuff…
• As per my agenda today I had said that we would take a look at OPTIONS … options in the middle of all this confusion etc ….
• This is my own conceptual framework to bring direction and order at a national / state level
• It may not be the silver bullet, but like I say if there is good silver in the bullet at least we have started the journey to kill the problem
Conceptual governance framework
• Commander in Chief: PM / President
• Second Line of Command (Operational and Strategic): NSA; NCSC; Defence Chief of Staff; Head of Intelligence; MHA; CERT; LEA, Industry Rep & Bodies
• Cyber Security Organizations and Organizations with Cyber Command Centers: State Cyber Security Centers; Sectoral CERTs; NTRO (cyber); NCIIPC; IB, RAW, NIA, DIA; Defense CERTs, DIA, DRDO etc.; Academia Participants; Cyber Crime Police Stations; CCTNS, NATGRID; Information & Data Library; Online Battalions; General areas n.e.s.; Continuing Education & Training
• Control and Operational Areas (national and state level): Capacity Building; Capability Building; Citizen Outreach; Sectoral Departments; Critical Infrastructure; Education and Training; International Relations; Policy & Regulations; Offensive and Defensive; Knowledge Repository; Domestic Relationships; Risk Advisories; Intelligence Gathering; Research and Development; Public Private Partnership; Public Relations; Security Clearance; Think Tank; Testing Group; Talent Identification; Responsible Disclosure
• Field Organizations and Teams: CERT Incident Response; Awareness, Education, Training; Developers; Embedded Cyber Patrollers; Reporting and Measurement; Skill Development; Audit, Risk, Technology
http://www.slideshare.net/DiploFoundation/presentation-at-the-arab-igf-consultations-in-dubai-5th-march-2013
This is where we are – Square 1
Shock & Awe! Questions, Questions and Questions !
This really does not happen in real life!
I have yet to see a hacker who is genteel, good mannered and follows such etiquette
<LOL>
Moving on… the 2nd part of my talk
• We’ve seen how orderly or disorderly we are (big deal, we are like that only and it is not just us but the whole world)
• Let’s move on to something more exciting – our future, tomorrow, kal / kaal …
• The Internet of Things
What’s the Internet of Things
From any time, any place connectivity for anyone, we will now have connectivity for anything!
Gartner Hype Cycle for Emerging Technologies - 2014
A few technologies which are making news are marked and the IoT is poised on the top ready to make the journey ahead
(…) it takes many decades from the excitement of inception for these technologies to fully work. In the case of the automobile, the technology took 40 years to go from merely “working” to eventually becoming fully part of our lives. It took 80 years, from 1880 to 1960 for the technology to become comfortable. The final phase of a technology is for it to disappear. As John Seely Brown puts it: “Technology has not fully arrived until it disappears—until it is so much a part of us that we don’t see it.” (Brian Arthur, “Myths and Realities of the High-Tech Economy”)
LIFESTYLE
http://www.toptechnews.com/article/index.php?story_id=11100BDJN996
Toto's new Intelligence Toilet II monitors weight, blood sugar levels, and other vital signs, transferring data to your computer for analysis via WiFi.
GRIDS & METERS
http://emfsafetynetwork.org/wp-content/uploads/2011/03/DSC_0097.jpg
Smart meters will work with real-time energy displays showing energy use around the home. Photograph: Energy Retailers Association/PA
SMART IoT: exciting new developments
• Light bulbs that change depending on your mood
• Refrigerators that talk with your smartphone
• Efficiency across industries
• Cost savings in healthcare
• Nanoparticles in drug delivery
• Nano robots in bloodstream (can cure cancer)
• Wearables (Google glass)
SMART IoT: IoT technologies and services generated global revenues of $4.8 trillion in 2012, to reach $8.9 trillion by 2020, growing at a compound annual rate (CAGR) of 7.9%.
SMART IoT: 50 billion connected devices by 2020. Each person will have more than 6 devices. IoT devices will more than double (4.9 billion this year).
TELEVISION RISKS
The smart TV recognizes voice commands, so it is in listening mode and also listens to any conversation in the room while trying to figure out a command. Is this shared at the back end??
Look at the future differently
• Neither software nor email security will be enough
• To protect (IoT) against future attacks from cybercriminals
• Develop strategies in preparation “for the onslaught of Internet enabled devices”
• Prepare for the fast approaching army of networked devices
http://fortifyprotect.com/HP_IoT_Research_Study.pdf
RISKS
“Any connected consumer electronic appliance may become a zombie for a botnet. Imagine the power of a DDoS using all the TV sets of one brand. Ransomware may shoot up. What if a ransomware hits the same TV sets or consumer appliance? Will the brand pay the ransom? Will you pay to get back your connected fridge?”
RISKS
• Security flaw that could allow unlocking doors of up to 2.2 million Minis, BMWs, and Rolls-Royce models
• They all are equipped with BMW’s ConnectedDrive software which uses on-board SIM cards
• Potentially hackers gain access to the onboard vehicle computer systems that manage everything from engines and brakes to even the air conditioning
Our national RISKS are unique
The real India .. in the villages. Soon to be zapped by technology benefits and technology crime!
ABOUT ME
CONTACT INFORMATION
@bizsprite
L: linkedin.com/in/dineshbareja
+91.9769890505
dineshobareja
dineshobareja
infosecgallery.blgspot.com
securambling.blogspot.com
Information Security professional, works hard to be abreast of technology, risks, threats, opportunities and looks forward to the excitement of the future..
This document has been created by IndiaWatch, Open Security Alliance, Dinesh O Bareja
Released in the public domain under Creative Commons License (Attribution- Noncommercial 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/
The information and practices listed in this document are provided as is and for guidance purposes only and should not be
construed to be a standard (unless mentioned otherwise). Readers are urged to make informed decisions before adopting the
information given in this document.
The author(s) may not be held responsible, or liable, in any event and for any issues arising out of the use of the information and / or
guidelines included in this document. Further, we do not give any warranty on accuracy, completeness, functionality, usefulness or
other assurances as to the content in the document. We disclaim all responsibility for any losses, damage caused or attributed, directly
or indirectly, from reliance on and the use of such information.
Readers are welcome to provide feedback to the authors using the contact information provided in this document. This document
has been prepared for general public distribution so all animations have been converted to static images.
Graphics and images are usually obtained from the internet and royalty free sources and are usually acknowledged by us. Errors may be expected in this practice and this is not intentional; we respect creative rights and request owner(s) to inform us of any inadvertent omission. Any trademarks or companies may be displayed or mentioned with the purpose of establishing a point or for better understanding and we do not claim any exclusivity or relationship with their respective owners.
License and Copyright
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged (above) where possible. Any company names, brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).