threats from economical improvement: why the economy in emerging countries can pose as a threat to...

Threats from the Economical Improvement

Why the economy in emerging countries can pose as a threat to cyber security and how to improve the protection through continuous education

Eduardo Vianna de Camargo Neves
Conviso IT Security, Operations Manager
OWASP Global Education Committee Member

Monday, September 20, 2010

Post on 19-Oct-2014


DESCRIPTION

Baseline projections envisage the BRICs overtaking the U.S. economy by 2018. As a result, a new middle class is emerging within the population, and access to computers and e-commerce is advancing in the same wave, generating threats from a large base of new cyber criminals and of new victims with little or no knowledge of computer security. This presentation will show how this scenario is being studied and the next steps for developing a more comprehensive analysis of the root causes and proposed actions to counter the increase in cyber crime from these sources.

Eduardo Vianna de Camargo Neves

Eduardo has been an Information Security professional and enthusiast since 1997. His work experience includes extensive knowledge in meeting compliance requirements in large-scale regulated organizations, business continuity planning and disaster recovery, risk assessment and management, team management, and security awareness for different audiences in the consumer goods market. After eight years in the corporate environment, Eduardo realized an old dream and founded his own consulting company. As an entrepreneur, he is working to deliver first-class services in IT Security with specialized products and services for network and application security.

TRANSCRIPT

Page 2: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Overview

The growth of the global economy and its effects on the BRIC countries are changing how these societies do business and interact with the rest of the world

Companies from Brazil, India, Russia and China are no longer working only in their own markets

A new middle class with access to credit lines and technology is driving commerce in new markets and becoming an economic power

Cyber crime is rising in the same proportion, following the money and profiling new opportunities with lower risk

Page 3: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Overview

This presentation will focus on Brazil and on a proposal to contribute to cyber crime prevention and reduction through computer security education for society

This is an ongoing project which is being improved and will be presented with new data at OWASP AppSec DC, in November 2010

A white paper is being produced with collaboration from other companies and independent researchers to improve content and allow new deliveries

An OWASP Project will be launched in 2011 to support this initiative as part of the Global Education Committee efforts in Latin America; supporters and contributors are welcome

Page 4: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Changes in economy and society

Page 5: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Welcome to a Brave New World

Brazil, the Russian Federation, India and China have made impressive changes to their economies and transformed how their societies deal with them

Brazil is a world leader in agribusiness and leads specific high-tech sectors such as airplane production and oil exploration

Russia is the world's second largest oil exporter and largest gas exporter, and its economy has been growing since 2001

India is one of the fastest growing telecom markets in the world and maintained an unemployment rate of 10.7% in 2009

China contributed 1/3 of global economic growth in 2004 and accounted for half of global growth in metals demand

Source: The World Factbook by CIA

Page 6: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

The Role of a New Society

According to the World Bank, developing countries' share in world trade rose from 16% in 1990 to 30% in 2006, led by China and with Brazil and India not far behind

The urban Chinese middle class will spend close to $2.3 trillion a year by 2025, while India's middle class should grow from 5 percent today to over 40 percent of the nation over the next 20 years

In Brazil, 10 million people gained Internet access between 2005 and 2007, bringing the total with access to nearly 40 million, or 29% of the population

Companies, Governments and society in all those countries are becoming stronger and using technology to support their growth

Source: The World Bank

Page 7: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Reflections on cyber-crime

The ties between economics and information security were discussed by Ross Anderson and other authors. The improvement of BRIC countries’ economies brings new topics

Governments are not ready to deal with a change in society which is creating millions of new users of Internet-based services

Companies are dealing with new threats using old technologies; the Market for Lemons is here

People are buying computers and smartphones to be online, but they really don’t understand the risks and impacts of a connected world

Page 8: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

The results are in our sight

Cyber crime is increasing worldwide and, besides the fact that the numbers are very complicated, there are some questions which can lead a discussion on causes and solutions

Governments are not ready to deal with a change in society which is creating millions of new users of Internet-based services

Companies are dealing with new threats using old technologies; the Market for Lemons is here

People are buying computers and smartphones to be online, but they really don’t understand the risks and impacts of a connected world

Page 9: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

The Brazilian Scenario

Page 10: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

The Economic Redemption

As a result of deep changes started in 1994 and maintained by all Governments, Brazil is now experiencing a new and continuous social improvement

Almost 52% of the population is in the middle class, compared to a rate of 32% in 1992

10 million people gained Internet access between 2005 and 2007, bringing the total with access to nearly 40 million, or 29% of the population

The number of credit cards rose from 27 million in 2006 to 150 million in 2009

Source: BBC and Reuters

Page 11: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Timeline

Cyber crime has been conducted in Brazil since 2001. Attacks are increasing, becoming more sophisticated, trending toward client-side approaches and targeting hosts in other countries

| Year | Attack Trend | Incidents on CERT.BR | Fraud % |
|------|--------------|----------------------|---------|
| 2001 | Initial deployment of rudimentary keyloggers; brute force attacks on bank sites | 5,997 | 0% |
| 2004 | Increase in sophisticated phishing; DNS compromises widely used (“pharming”) | 75,722 | 5% |
| 2007 | Trojans delivered via drive-by downloads; malware modifying client’s hosts file | 160,080 | 28% |
| 2009 | Usage of XSS and CSRF; identity theft | 358,343 | 69% |

Source: CERT.BR

Page 12: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Cyber Crime Evolution

Fraud is still the major issue; however, a new trend has been observed over the last three years

Social networks are being used to share criminal information, from child pornography to kidnapping. The damage is affecting local and international companies as co-responsible parties

Attacks are moving from trojans to exploitation of common web site flaws such as XSS and CSRF to support fraud and identity theft

Brazil’s electrical grid was supposedly targeted by crackers; however, data leakage from Government web sites and systems is becoming routine

Source: Safernet.org.br, Symantec and Conviso Security Labs

Page 13: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Why you should care

The USA accounts for 19% of Internet-based attacks, but the BRIC countries also make up a large slice of this problem

Source: Internet Security Threat report, by Symantec

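[Pie chart of the share of Internet-based attacks. Legend: USA, Brazil, Russia, India, China, World. Values shown: 60%, 8%, 4%, 3%, 6%, 19%. Callout: 21%]

And there is a lot of space to grow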

Page 14: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

The Call for Education

Page 15: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Education is the Key

We do not believe that education only for the community is enough to transform this scenario. A more comprehensive approach must be delivered for three major areas.

The Government must understand how fragile web security can be and prepare its own strategies to deal with it

Companies must understand how to buy, develop and maintain secure applications for their customers

Academia must change direction. Security is not optional, and all programmers and managers must understand it as part of their competencies

Page 16: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

The OWASP Role

There are several OWASP Projects ready to be used by anyone who needs to make more secure software, so a “packing strategy” is required to make them more palatable for different audiences

Governments must understand why application security matters and why it must be a strategy for the country and an obligation to their citizens

Companies must promote security in all business areas and relate this achievement to the executive agenda

Academia must include computer security in several areas as a common discipline, like statistics and math. Specialization is great, but it does not reach the responsible parties

Page 17: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Conclusions

Page 18: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Next Steps

This is a simple but ambitious project which we believe will change how people understand application security in the BRIC countries, and several complementary steps are required

Specific competencies to support delivery process

Effort allocation to adapt current content to the reality in each country

Leaders to support the overall development and reach other countries in a situation similar to Brazil's

Page 19: Threats from Economical Improvement: Why the Economy in Emerging Countries Can Pose as a Threat to Cyber Security

Acknowledgements

The following companies, organizations and individuals supported this research and sponsored this presentation:

Conviso IT Security: Sponsored my travel and is supporting this research (Disclaimer: I am one of the partners)

OWASP Connections Committee: Partially sponsored my expenses, thank you very much Dinis!

Anchises Moraes Guimaraes De Paula: IT Security researcher working with me on this development. You can tweet him at @anchisesbr

All images used in this presentation are licensed under Creative Commons, and the original sources can be reached by clicking on them
