Internet Security Past, Present, and the Future Ehsan Foroughi M.Sc., CISSP, CISM

Posted on 25-Feb-2016 (PowerPoint PPT presentation)
TRANSCRIPT

Internet Security: Past, Present, and the Future

Ehsan Foroughi, M.Sc., CISSP, CISM

Information Security Triad (CIA)

[Figure: the CIA triangle with Confidentiality, Integrity and Availability at its corners]

Security Concepts

Confidentiality, Integrity, Availability, Authenticity, Non-repudiation

Ref: Wikipedia

Cyber Security in Canada

Cost of Cyber Crime

Cybercrime cost US businesses $8.9 B in 2012, an increase of 38% from 2010

On average, security breaches:
◦ Take 24 days to spot
◦ Take 40 days to clean
◦ Cost $592,000 to clean up per incident
◦ Cleanup cost increased 42% from 2011

In a study of 56 organizations:
◦ $8.9M in cyber security/crime cost per organization per year
◦ Security tools lowered cost by $1.6M

Cost of Cyber Crime

Average Cost of Cyber Security Attacks Per Second By Industry

Ref: Enlight Research

Targeted Attacks

Ref: HP Ponemon Report

Incidents

TJX Companies: 94 million credit card numbers exposed (2006)
Conficker worm botnet: affected 15M systems at its peak (2008)
Heartland Payment Systems: 134 million credit card records lost (2008)
Stuxnet attack on Iranian nuclear facilities: damage cost ?? (2010)
Sony network breach of 77M accounts, cost $171M (2011)

Cost of Cyber Crime

Biggest hit to businesses:
◦ Lost information: 44%
◦ Business disruption: 30%
◦ Lost revenue: 19%
◦ Equipment damage: 5%
◦ Other: 2%

Ref: Businessweek

Subject Areas in Cyber Security

Infrastructure Security (Network / Internet Security)
Application Security
Physical Security (Environmental Security)
Operational and Process Security
Cryptography
e-Forensics
Governance & Compliance
Business Continuity and Disaster Recovery Planning (BCP / DRP)

Internet Security Threats

Vulnerability (Weakness)
◦ Insecure Design / Architecture
◦ Software Bugs (Errors)
Spoofing / Phishing
Malware
Denial of Service

Software Bugs: Buffer Overflow

#include <string.h>

int main() {
    char buffer[4];           /* room for 4 bytes, none for a terminator */
    int some_variable = 1;    /* sits next to buffer on the stack */
    /* ... */
    strcpy(buffer, "Test");   /* copies 5 bytes ("Test" plus '\0'), one past the end */
    return 0;
}

Memory after the copy: T e s t \0
The terminating \0 lands outside buffer, in the adjacent stack memory that holds some_variable.
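The overwrite the slide draws, performed on a real C-style layout so it can be observed, beside the bounded copy that refuses it. This is an added example, not code from the slides; the struct layout (a 4-byte buffer followed directly by a 1-byte neighbour) and the names unchecked_copy and bounded_copy are assumptions made so the clobbered byte is the same on every platform.

```python
"""Added example (not from the slides): the slide's 4-byte buffer with a
neighbouring variable, laid out as a C struct via ctypes so the overflow is
actually performed in memory. The layout and the 1-byte type of the
neighbour are assumptions chosen so the overwritten byte is endian-independent."""
import ctypes

BUFFER_SIZE = 4                                   # char buffer[4] on the slide


class Frame(ctypes.Structure):
    """char buffer[4] followed immediately by the slide's some_variable."""
    _pack_ = 1
    _fields_ = [
        ("buffer", ctypes.c_char * BUFFER_SIZE),  # room for 4 bytes, none for a terminator
        ("some_variable", ctypes.c_uint8),        # offset 4: right after the buffer
    ]


def unchecked_copy(src: bytes) -> int:
    """strcpy-style copy: writes src plus its NUL terminator with no length
    check. Returns the value of some_variable afterwards."""
    f = Frame(some_variable=1)
    ctypes.memmove(ctypes.addressof(f), src + b"\x00", len(src) + 1)
    return f.some_variable                        # 0 for b"Test": the NUL landed on it


def bounded_copy(src: bytes):
    """The fix: refuse anything that does not fit together with its terminator.
    Returns (stored_bytes, some_variable); stored_bytes is None on refusal."""
    f = Frame(some_variable=1)
    if len(src) + 1 > BUFFER_SIZE:
        return None, f.some_variable              # refused; the neighbour is untouched
    f.buffer = src                                # ctypes NUL-pads the array
    return f.buffer, f.some_variable


if __name__ == "__main__":
    print("unchecked b'Test': some_variable =", unchecked_copy(b"Test"))
    print("unchecked b'Tes' : some_variable =", unchecked_copy(b"Tes"))
    print("bounded   b'Test':", bounded_copy(b"Test"))
    print("bounded   b'Tes' :", bounded_copy(b"Tes"))
```

The check that matters is the one in bounded_copy: the source must fit including its terminator, so a 4-byte field can hold at most 3 characters of a C string. The same rule is what strlcpy, snprintf with sizeof buffer, or a length-prefixed API enforce for you.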

Software Bugs: Race Condition

def Withdraw(user, value):
    balance = AccountBalance(user)     # 1. read the stored balance
    if balance < value:
        Exit(Error)
    balance = balance - value          # 2. compute from the copy read in step 1
    AccountBalance(user) = balance     # 3. write it back (pseudocode); nothing stops another
    PayOut(value)                      #    Withdraw from running between steps 1 and 3
    Exit(Ok)

Animation: two concurrent Withdraw(user, $10) calls on a $100 balance. Both read $100 before either writes, both compute $90, and both write $90 back: $20 is paid out but the balance drops by only $10.

2003 Blackout (the alarm-system failure behind the Northeast blackout was traced to a race condition)
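The lost update from the animation, reproduced deterministically, next to the fix. This is an added example rather than the slide's code: the Ledger class, the account names and amounts are constructed for it. The unsafe version is written as a generator that yields exactly where the slide's code has read the balance but not yet written it back, so a small scheduler can interleave two withdrawals the way the animation does; the fixed version makes read, check and write one step under a lock and is exercised with real threads.

```python
"""Added example (not from the slides): the Withdraw race made deterministic,
and the locked version that closes it. Ledger, user names and amounts are
constructed for this example."""
import threading


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.paid_out = 0
        self.lock = threading.Lock()

    def withdraw_racy(self, user, value):
        """The slide's Withdraw, as a generator that yields between reading the
        balance and writing it back: that gap is the window the race needs."""
        balance = self.balances[user]          # AccountBalance(user)
        yield "read"                           # another Withdraw may run here
        if balance < value:
            return False                       # Exit(Error)
        balance = balance - value              # computed from a possibly stale copy
        self.balances[user] = balance          # AccountBalance(user) = balance
        self.paid_out += value                 # PayOut(value)
        return True                            # Exit(Ok)

    def withdraw_atomic(self, user, value):
        """Fixed: read, check and write happen under one lock, so no other
        withdrawal can observe the balance between them."""
        with self.lock:
            balance = self.balances[user]
            if balance < value:
                return False
            self.balances[user] = balance - value
            self.paid_out += value
        return True


def run_interleaved(*generators):
    """Round-robin scheduler: advance each generator one step per turn and
    collect its return value. A deterministic stand-in for two threads."""
    results = [None] * len(generators)
    pending = list(range(len(generators)))
    while pending:
        for i in list(pending):
            try:
                next(generators[i])
            except StopIteration as stop:
                results[i] = stop.value
                pending.remove(i)
    return results


def lost_update_demo():
    """Two $10 withdrawals from $100, interleaved as in the animation: both
    read 100, both write 90. Returns (results, final balance, paid out)."""
    ledger = Ledger({"alice": 100})
    results = run_interleaved(ledger.withdraw_racy("alice", 10),
                              ledger.withdraw_racy("alice", 10))
    return results, ledger.balances["alice"], ledger.paid_out


def locked_demo(n_threads=50):
    """n real threads each try to withdraw $10 from $100 with the fixed
    version. Returns (successful withdrawals, final balance, paid out)."""
    ledger = Ledger({"alice": 100})
    outcomes = []

    def worker():
        outcomes.append(ledger.withdraw_atomic("alice", 10))

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(outcomes), ledger.balances["alice"], ledger.paid_out


if __name__ == "__main__":
    print("racy:  ", lost_update_demo())     # $20 paid, balance only down to $90
    print("locked:", locked_demo())           # 10 succeed, balance 0, $100 paid
```

In a database-backed service the lock becomes a transaction with an atomic conditional update (for example UPDATE ... SET balance = balance - :v WHERE user = :u AND balance >= :v, then checking the affected row count), which is the same idea: the check and the debit must not be separable.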

Malware

Trojan Horses, Viruses, Worms, Rootkits, Botnets, Spyware

Malware: Goals

Sending Spam Email
Stealing Passwords and Information
Using Resources

Malware: Transfer Mediums

Email
USB Disks
Shared Network Drives
Pop-ups and Download Links
Insecure Networks

Denial of Service

Distributed Denial of Service Attack
Grudge factor
Oct 2012 attack on banks by the Izz ad-Din al-Qassam Cyber Fighters:
◦ CapitalOne
◦ HSBC
◦ SunTrust
Anonymous group crippled Visa, MasterCard, PayPal over WikiLeaks

Spoofing Example: Email

import smtplib
from email.mime.text import MIMEText

s = smtplib.SMTP('localhost')
msg = MIMEText('Hello from Microsoft.')
msg['Subject'] = 'This is a test'
msg['From'] = '[email protected]'    # the From: header is whatever the sender writes; SMTP does not check it
msg['To'] = '[email protected]'
ret = s.sendmail(msg['From'], [msg['To']], msg.as_string())
s.close()

Let’s Rethink Email Security

Email Security
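What a receiving mail server can actually check about a message like the one the spoofing script sends: not the From: header, which is free text, but whether the domain that passed SPF or DKIM lines up with it. This is an added example, not part of the slides; the two raw messages are constructed (the first is what the script above would produce when relayed through a server at example.net, the second a legitimately signed message), and the alignment check is a simplified version of DMARC's relaxed alignment that uses a suffix match instead of a public-suffix-list lookup.

```python
"""Added example (not from the slides): why a From: header proves nothing,
and the alignment check DMARC applies to it. The messages are constructed;
the domains are illustrative."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the slide's script relayed through a server at example.net.
# The receiving MTA added Authentication-Results before handing it on.
SPOOFED = """\
Return-Path: <attacker@example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.net; dkim=none
From: support@microsoft.com
To: victim@example.org
Subject: This is a test

Hello from Microsoft.
"""

# Constructed: a legitimately signed message from a subdomain of the sender.
LEGIT = """\
Return-Path: <bounces@mail.example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail.example.com; dkim=pass header.d=example.com
From: newsletter@example.com
To: victim@example.org
Subject: Monthly update

Hello.
"""


def domain_of(addr):
    """'Name <user@host>' -> 'host' (lower-cased); '' if there is no address."""
    return parseaddr(addr or "")[1].rsplit("@", 1)[-1].lower()


def parse_auth_results(value):
    """'authserv; spf=pass smtp.mailfrom=x; dkim=pass header.d=y'
    -> {'spf': ('pass', {'smtp.mailfrom': 'x'}), 'dkim': ('pass', {'header.d': 'y'})}"""
    results = {}
    for clause in value.split(";")[1:]:            # first clause is the authserv-id
        parts = clause.split()
        if not parts or "=" not in parts[0]:
            continue
        method, verdict = parts[0].split("=", 1)
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        results[method] = (verdict, props)
    return results


def dmarc_alignment(raw):
    """Relaxed alignment: the From: domain must match the domain that SPF or
    DKIM actually authenticated. Organizational-domain matching is
    approximated here by a suffix match (assumption). Returns (ok, reason)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_verdict, spf_props = auth.get("spf", ("none", {}))
    dkim_verdict, dkim_props = auth.get("dkim", ("none", {}))

    def aligned(dom):
        return bool(dom) and (dom == from_dom
                              or dom.endswith("." + from_dom)
                              or from_dom.endswith("." + dom))

    if spf_verdict == "pass" and aligned(spf_props.get("smtp.mailfrom", "").lower()):
        return True, "spf aligned with From:"
    if dkim_verdict == "pass" and aligned(dkim_props.get("header.d", "").lower()):
        return True, "dkim aligned with From:"
    return False, (f"From: {from_dom} not aligned with "
                   f"spf={spf_verdict}/{spf_props.get('smtp.mailfrom')} "
                   f"dkim={dkim_verdict}/{dkim_props.get('header.d')}")


if __name__ == "__main__":
    print("spoofed:", dmarc_alignment(SPOOFED))
    print("legit:  ", dmarc_alignment(LEGIT))
```

The spoofed message passes SPF, because the attacker's relay really is allowed to send for example.net; what fails is alignment, since nothing authenticated microsoft.com. That is the distinction DMARC adds on top of SPF and DKIM, and it only helps if the domain in From: publishes a DMARC policy that tells receivers to reject on failure.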

Security Tools: Cryptography

Ciphertext: NPIBOEFT

Shift each letter back by one:
N P I B O E F T
M O H A N D E S

Plaintext: MOHANDES

Cryptography

Provides: Confidentiality, Integrity, Authenticity

[Figure: Alice and Bob exchanging messages, with Charlie as the third party]

Symmetric Key Cryptography

Shared secret
Encryption only
Usages:
◦ Password-protected Zip files
◦ WEP-Shared (WiFi)
◦ SSL / HTTPS (bulk encryption of the session, after a public-key handshake)

Symmetric encryption with XOR, A -> B:

plaintext   01011001
key         11001101
ciphertext  10010100   (plaintext XOR key)
key         11001101
plaintext   01011001   (ciphertext XOR key)
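The two symmetric constructions drawn on the preceding slides, the one-position letter shift behind NPIBOEFT and the XOR of an 8-bit value with a key, worked in code together with the check a practitioner applies to each: how many keys an attacker has to try, and what happens when a key is used twice. This is an added example, not the slides' own code; the ciphertext NPIBOEFT and the bit patterns come from the slides, while the function names, the six-byte key and the pair of messages used for the key-reuse case are constructed.

```python
"""Added example (not from the slides): the Caesar shift and the XOR cipher
from the slides, plus the two checks that show their limits. Function names,
the sample key and the two messages in key_reuse_demo are constructed."""
import string

ALPHABET = string.ascii_uppercase


def caesar(text, shift):
    """Shift each letter by `shift` positions; a negative shift decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)                  # leave spaces and punctuation alone
    return "".join(out)


def caesar_brute_force(ciphertext):
    """The whole key space is 25 shifts: list every candidate plaintext.
    Confidentiality rests on the key space, and this one fits on a slide."""
    return {k: caesar(ciphertext, -k) for k in range(1, 26)}


def xor_bytes(data, key):
    """Symmetric XOR: the same key both encrypts and decrypts."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")  # one-time-pad condition
    return bytes(d ^ k for d, k in zip(data, key))


def key_reuse_leak(c1, c2):
    """If one key encrypted two messages, XORing the ciphertexts cancels the
    key and leaves plaintext1 XOR plaintext2: the key stays secret but the
    relationship between the two messages is exposed."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def slide_caesar():
    """NPIBOEFT shifted back by one is the plaintext on the slide."""
    return caesar("NPIBOEFT", -1)


def slide_xor():
    """The slide's bit patterns: encrypt 01011001 with key 11001101, then
    decrypt again. Returns (ciphertext, recovered plaintext)."""
    plaintext = bytes([0b01011001])
    key = bytes([0b11001101])
    ciphertext = xor_bytes(plaintext, key)      # 10010100
    return ciphertext, xor_bytes(ciphertext, key)


def key_reuse_demo():
    """Two messages under one constructed key: True if c1 XOR c2 equals
    p1 XOR p2, i.e. the key has cancelled out."""
    key = bytes([0xC3, 0x5A, 0x17, 0x88, 0x2E, 0x71])   # constructed
    p1, p2 = b"ATTACK", b"DEFEND"                       # constructed
    c1, c2 = xor_bytes(p1, key), xor_bytes(p2, key)
    return key_reuse_leak(c1, c2) == bytes(a ^ b for a, b in zip(p1, p2))


if __name__ == "__main__":
    print("slide Caesar :", slide_caesar())
    print("brute force  :", caesar_brute_force("NPIBOEFT"))
    print("slide XOR    :", slide_xor())
    print("key reuse    :", key_reuse_demo())
```

The XOR diagram on the slide is a one-time pad only while the key is as long as the data, random, and never reused; key_reuse_demo shows what the second condition buys an attacker, and caesar_brute_force shows what a 25-key cipher is worth against anyone willing to try all of them.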

Public Key Cryptography

Ref: Wikipedia

Public Key Cryptography

Encryption
Authenticity (Signing)
Usages:
◦ Email Validation (PGP)
◦ Authentication / Login
◦ Banking
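The two uses listed for public key cryptography, encryption and signing, shown with textbook RSA on numbers small enough to follow by hand. This is an added example and not from the slides; the primes 61 and 53 and the messages 65 and 42 are the usual teaching values, chosen here for readability. Real keys are 2048 bits or more and always use padding (OAEP for encryption, PSS for signatures), which this toy deliberately omits, so it must not be used for anything but illustration.

```python
"""Added example (not from the slides): textbook RSA with tiny primes to show
encryption (lock with the public key, open with the private key) and signing
(lock with the private key, check with the public key). No padding, toy sizes."""
from math import gcd


def rsa_keygen(p, q, e=17):
    """Toy key generation from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                    # private exponent: e*d = 1 (mod phi)
    return (e, n), (d, n)


def rsa_apply(key, m):
    """m^k mod n: the same operation serves both directions."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, k, n)


def encrypt(public, m):
    return rsa_apply(public, m)            # anyone can encrypt to the key owner


def decrypt(private, c):
    return rsa_apply(private, c)           # only the owner can read it


def sign(private, m):
    return rsa_apply(private, m)           # only the owner can produce this


def verify(public, m, sig):
    return rsa_apply(public, sig) == m     # anyone can check it


def demo():
    alice_pub, alice_priv = rsa_keygen(61, 53)      # n = 3233, e = 17, d = 2753
    c = encrypt(alice_pub, 65)                      # Bob encrypts 65 for Alice
    sig = sign(alice_priv, 42)                      # Alice signs 42
    return {
        "ciphertext": c,
        "decrypted": decrypt(alice_priv, c),
        "verify_ok": verify(alice_pub, 42, sig),
        "tampered": verify(alice_pub, 43, sig),     # message altered after signing
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10}: {value}")
```

The asymmetry is the whole point of the slide: Bob needs only Alice's public key to encrypt to her, and anyone with that key can check her signature, but producing the signature or reading the ciphertext requires the private exponent d that never leaves her machine.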

Tools for Personal Security

Antivirus replacement: Microsoft Malicious Software Removal Tool
Malware removal: Malwarebytes
Browsers:
◦ Use Chrome
◦ Stay away from Internet Explorer
Email security: web-mail such as Gmail
Password management: PasswordSafe, LastPass, etc.

Compliance

Payment Card Industry Data Security Standard (PCI-DSS)
◦ Liability!
Privacy laws: Canada Privacy Act (1983)
ISO 27001: Information Security Management Systems

Associations - (ISC)²

International Information Systems Security Certification Consortium - (ISC)²
Non-profit (since 1989)
Focused on IT security
90,000 members
Certified Information Systems Security Professional (CISSP)
Certified Secure Software Lifecycle Professional (CSSLP)
CISSP: US DoD and NSA requirement

Associations - ISACA

ISACA (previously the Information Systems Audit and Control Association)
Non-profit (since 1967)
Focused on IT governance and audit
95,000 members
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Continuing education point system, called CPE

Associations – OWASP

Open Web Application Security Project (OWASP)
Non-profit
Open source
Focused on securing the Web

Questions?