nsa spying gem_2013_final

Post on 19-Nov-2014






A presentation describing why companies should take the consequences of the global spying & encryption weakening into account when assessing risks


1. Banque Öhman: The potential consequences of the NSA (and GCHQ) spying on the mobile enterprise, and what you can/should do about it. Claus Cramon Houmann, 2013-11-14

2. Key takeaways:
   - The known and the feared extents of the NSA spying, and of others who spy
   - Spyware exists which can take full control of any mobile device, not to mention laptops
   - Defend your enterprise with defense in depth, which includes devices outside the perimeter
   - Make sure you know which data leaves the perimeter
   - Do your risk assessments and protect against your REAL threats
   - Consider any data that leaves the perimeter lost

3. Why am I here presenting this? June 6th... and since then the truth has been coming out. That affects us all.

4. Initial releases from the Snowden trove:
   - PRISM, XKEYSCORE and other programs that combined SPY on our lives, and remove much of our privacy & security
   - Calls being recorded in the US, private AND corporate
   - Metadata for all calls and Internet traffic in the US: this alone is quite a risk for companies operating in the US
   - But THEN started the real revelations that concern any company, worldwide...

5. Collect everything! It turns out that the NSA & partners collect (almost) everything:
   - Your calls
   - Your metadata
   - Your e-mails
   - Your Google searches
   - Your banking transactions
   - Your social media activity
   They are intercepting, analyzing and storing almost all Internet traffic. If they can't decrypt it, it just gets stored longer until they can.

6. Tailored access! It's not enough to just collect and store everything: the NSA actively hacks states, companies and private individuals. To make this EASIER they have also weakened an unknown number of cryptographic standards and tools.

7. Red flags: special NSA target areas
   - Any bank with a SWIFT code
   - Anyone using encryption
   - Anyone doing anything in the Middle East
   - Anything to do with oil or gas (energy)
   - Anyone building security systems / infosec systems

8. But wait... this doesn't affect my company. Raise your hand if you're thinking this right now.

9. My guess is that around 25% of people present raised their hands. I hope for 0. If 25% raised their hands, another 25% didn't only due to normal classroom psychology.

10. Why are those raised hands wrong?
   - Others have the means to exploit cryptographic weaknesses: China, Russia, serious competitors?
   - The NSA passes information to the US Government (and others?); it's conceivable that information from NSA spying ends up in US corporate hands (http://www.zerohedge.com/contributed/2013-10-21/nsabusted-conducting-industrial-espionage-france-mexico-brazilchina-and-all)
   - This has happened before (Echelon, around 2000, in a BBC report for example)
   - Anyone can potentially get at your data! Especially in exposed locations such as mobile devices

11. But then... what can we do?
   - Risk management: mitigate the risks to acceptable levels
   - Defense-in-depth: defend your data, wherever and whenever appropriate
   - Follow the booming market for innovative tools; eventually someone will find a way to protect smartphones/tablets acceptably. Laptops are already protectable
   - ENCRYPT. EVERYTHING. NOW.
   - Manage where your data is. Control that policies are followed
   - Awareness training & GRC implementation/improvement

12. Defense-in-depth. Isn't it simple and beautiful?

13. The future brings...
   - A European or global crypto-standards institute
   - Advanced malware protection tools (AMPs), also for phones and tablets
   - Changes to how the NSA spies on US citizens... but how about the rest of us...?
   - Fortress Europe? Fortress South America? Fortress Russia?

14. About me: Claus Cramon Houmann, 38, married to Tina and I have 3 lovely kids. CISSP, ITIL Certified Expert, PRINCE2 Practitioner. You can contact me anytime: Skype: Claushj0707, Twitter: @claushoumann. Sources used: Richard Stiennon's presentation "How the surveillance state is changing IT security forever"; tidbits from @mikko's recent TEDx presentation.

15. Questions?