CYBER FUTURE: SECURITY AND PRIVACY DOOMED?
21 September 2017
Rob Clyde, CISM, NACD Board Leadership Fellow; Managing Director, Clyde Consulting LLC; Vice-Chair, ISACA; Executive Chair, White Cloud Security; Executive Advisor to BullGuard and HyTrust
NEW MANUFACTURING COMPANIES ARE REALLY SOFTWARE COMPANIES
“Tesla is a software company as much as it is a hardware company.” – Elon Musk, Tesla CEO
OLD MANUFACTURING COMPANIES ARE SOFTWARE COMPANIES TOO?
"If you went to bed last night as an industrial company, you're going to wake up today as a software and analytics company." – Jeff Immelt, CEO, General Electric
SOON EVERY BUSINESS WILL BE A DIGITAL BUSINESS…
…WITH SOFTWARE AT THE CORE
DIGITAL OUTAGES LIKE THOSE AT THE AIRLINES AND NEW YORK STOCK EXCHANGE ARE THE NEW NATURAL DISASTERS
British Airways computer glitch causes big delays at multiple airports
FTC Opens Probe into Equifax Data Breach
Apache Struts flaw was known to be critical and should have been addressed, security researchers say.
The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack. Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential financial devastation to the credit-monitoring firm.
9/14/2017
Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers
Social Security numbers, birth dates, addresses and driver’s license numbers exposed
By AnnaMaria Andriotis and Ezequiel Minaya, updated Sept. 8, 2017 9:48 a.m. ET
CYBER ATTACKS HAVE MAJOR IMPACTS
CONNECTED DEVICES ON PUBLIC INTERNET
USING THE INTERNET OF THINGS TO SPY?
“In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment”, says James Clapper, US director of national intelligence.
Photograph: Alex Brandon/AP
MIGHT USE INTERNET TO SPY?
WASHINGTON — WikiLeaks on Tuesday released thousands of documents that it said described sophisticated software tools used by the Central Intelligence Agency to break into smartphones, computers and even Internet-connected televisions.
If the documents are authentic, as appeared likely at first review, the release would be the latest coup for the anti-secrecy organization and a serious blow to the C.I.A., which maintains its own hacking capabilities to be used for espionage.
Source: https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html?_r=0
The C.I.A. headquarters in Langley, Va. If the WikiLeaks documents are authentic, the release would be a serious blow to the C.I.A. Credit: Jason Reed/Reuters
RANSOMWARE EXPLODING
Ransomware is profitable
• PCs and Macs both attacked
• Encrypts data to deny access to data users
• Half of financially motivated malware is ransomware
• Average ransom: $300 (2015), $1000 (2016)
• 70% of enterprise victims paid
• 45% of enterprise victims paid over $20K
Defense:
• App whitelisting or trust lists (top defense per US-CERT)
• Use OpenDNS and similar tools
• Backups; however, cloud backups and storage are also being attacked (air gap?)
Could ransomware be applied to IoT?
• Home lockout?
• Car lockout?
• Pacemaker function?
Source: Verizon, Symantec, Lancope, IBM Security, Intel/McAfee
SAN FRANCISCO TRANSPORTATION HIT WITH RANSOMWARE
City lets people ride for free until fare machines restored to service
RANSOMWARE OPERATORS ADOPT TYPICAL BUSINESS PRACTICES
• Technical support
• Time-limited offers
• Try before you buy
APP CONTROL RECOMMENDED AS #1 MITIGATION STRATEGY
Run only known trusted apps
The Australian Government issued mandatory application whitelisting usage requirements to protect their “high value” systems
NEXT GENERATION WHITE LISTING: “TRUSTED APP” TECHNOLOGY
Run only trusted apps or scripts
• Pull rather than push trust lists to ensure updates
• Handles application updates automatically
• Allow trust of applications, application families (e.g., Microsoft Office), or software publishers
• Crowdsourcing—allow individuals and organizations to publish their own trusted app lists
• Allow organization to control which lists to use
Source: White Cloud Security
Experts you trust
Apps you trust
Software you trust
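The trust-list model described above (pulled lists, automatic handling of updates, trust by app, family or publisher, and organization-controlled list subscriptions), as an added example that is not White Cloud Security's code; all list names, hashes and publishers in it are constructed:

```python
"""Trust-list ("next generation whitelisting") evaluator.

Added example, not White Cloud Security code. An organization subscribes to
published trust lists (its own plus crowdsourced ones); each list may trust an
exact binary hash, an application family, or a software publisher; lists are
pulled on every decision so the latest version is always used.
All names, hashes and publishers are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    publisher: str   # signer from a code-signing certificate, assumed already verified
    family: str      # product family, e.g. "Microsoft Office"; "" if unknown

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed "published" lists. A real endpoint would pull these over the network.
PUBLISHED_LISTS = {
    "corp-it":      {"hash": {hashlib.sha256(b"approved-tool-v1").hexdigest()}},
    "crowd-office": {"family": {"Microsoft Office"}},
    "crowd-vendor": {"publisher": {"Acme Software Inc."}},
}


def pull_lists(subscribed):
    """Fetch the current copy of each subscribed list; unknown list names are ignored."""
    return {name: PUBLISHED_LISTS[name] for name in subscribed if name in PUBLISHED_LISTS}


def decide(binary, subscribed):
    """Return (allowed, reason). Only the organization's subscribed lists count.
    The most specific match (hash, then family, then publisher) is reported; a
    family or publisher entry keeps trusting a product after its binaries update,
    which is how automatic update handling works in this model."""
    lists = pull_lists(subscribed)
    checks = (("hash", binary.sha256), ("family", binary.family), ("publisher", binary.publisher))
    for kind, value in checks:
        for name, entries in lists.items():
            if value and value in entries.get(kind, ()):
                return True, f"{kind} {value!r} trusted by list {name}"
    return False, "no subscribed trust list matches; blocked by default"
```

Anything not covered by a subscribed list is blocked by default, which is the property that makes this a defense against unknown ransomware droppers.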
SOON EVERYTHING WILL BE CONNECTED…
https://schrier.wordpress.com/2015/05/25/the-internet-of-first-responder-things-iofrt/
LENOVO IOT VIDEO
RISK FROM CONNECTED MEDICAL DEVICES
J&J insulin pump (Animas OneTouch Ping)
• Unencrypted command traffic
• Might receive unauthorized insulin injections
St. Jude pacemaker
• MedSec found many vulnerabilities, including wireless master key
• MuddyWaters shorted the stock
• Bad PR
SMART TV SECURITY CONCERNS
• Microphone may always be on (for voice commands)
• Risk that attacker could turn on webcam
• Activity on Smart TV is tracked and may be shared with social media
• Like with smartphones, malicious apps could be downloaded
Smart TVs in the office:
• Consider not connecting to the Internet; if you do, connect to a guest network
• Take care as to which features and apps are enabled
• Turn off or disable microphone and webcam
• If possible, lock out others from changing TV settings
CLOUDPETS
CLOUDPETS TEDDY BEAR HACKED
Hackers hold MILLIONS of voice recordings to ransom after creepy CloudPets teddy bears leak private data of parents and children
• Leak left private messages of families exposed online for several days
• Leak also exposed 800,000 account email addresses and passwords
• The company 'Spiral Toys' has chosen not to tell affected families
• Hackers have now taken the database down and demanded a ransom of $1190 in bitcoins from parents
By Harry Pettit for MailOnline, published: 15:34 GMT, 28 February 2017
Source: http://www.dailymail.co.uk/sciencetech/article-4267276/Toys-leak-2MILLION-voice-recordings-kids-online.html#ixzz4a4UEaNBp
The exposed database was easy for cyber-criminals to find using a search engine called Shodan, which is designed to find unprotected websites and databases…
VULNERABLE SMART THERMOSTAT RISKS
…The HVAC system's dormant hours, in other words the times when the climate control is off or in standby, would at a minimum be a security risk because they could tell a potential robber when the home may be empty.
An expensive problem that could be created through a thermostat hack is malicious damage caused by raising temperatures too high or lowering them too far. Winter-time damage could include freezing and burst water pipes.
Credit: Torbjörn Arvidso
CONNECTED CARS ARE AT RISK
As the researchers stated, the remote hacks likely work on all Tesla models, but on the parked Model S P85, the researchers remotely opened the sunroof, turned on the turn signal, and changed the position of the driver’s seat.
SOON OUR CARS WILL AUTOMATICALLY DRIVE MOST OF US
Uber launches self-driving cars in Pittsburgh
…THERE IS A DARK SIDE
INSECURE IOT DEVICES AND PRIVACY
“All too often for other pieces of major industrial machinery, the controls are sitting there in plain sight or hidden behind the most rudimentary credentials. In 2012, simply attempting to log in as “root” or “admin”, with the password being the same again, was sufficient for another group of anonymous internet explorers to gain access to over 400,000 devices. With the rise of internet-connected devices since this study was conducted, that number is likely to be far higher.”
SHODAN.IO WEBCAM BROWSER
DEF CON: IOT VILLAGE
Total of 113 vulnerabilities found in two DEF CON events
• 50 different devices
• 39 brand name manufacturers
75% of tested smart locks easily compromised (attacker can open)
Source: http://www.darkreading.com/attacks-breaches/iot-village-at-def-con-24-uncovers-extensive-security-flaws-in-connected-devices/d/d-id/1326928
100,000+ unique scans per week
5% of scans have vulnerabilities
iotscanner.bullguard.com
INTERNET OF THINGS – THE END OF PRIVACY?
Introducing more private information about ourselves
Traditional Personally Identifying Information:
• Date of Birth
• SSN/Govt. ID Number
• Credit Card Number
• Name
• Address
• Username
New IoT Personal Data (What? Where? When? Why?):
• Glucose level
• Weight
• Calories
• GPS location
• Heart rate
• Sleep
• Mood
• Surrounding images
• Driving habits
• Blood pressure
• Travel route
• Exercise route
END OF PRIVACY?
Source: ISACA 2014 Risk Reward Barometer
The New Yorker, 1993 / The New Yorker, 2015: “On the Internet, nobody knows you’re a dog.”
IOT – RECOMMENDATIONS FOR ORGANIZATIONS
• Safely embrace Internet of Things devices in the workplace to keep competitive advantage
• Require wireless IoT devices be connected through the workplace guest network or other isolated segment, rather than internal network
• Ensure all workplace devices owned by organization are updated quickly when security upgrades are released
• Scan networks for IoT devices; monitor for and block dangerous traffic to or from IoT devices
• Ensure default passwords are changed and strong
• Provide cybersecurity training for all employees to demonstrate their awareness of best practices of cybersecurity and the different types of cyberattacks
• Ensure that IT and security professionals are ISACA certified
56% of tested devices using OpenSSL had not been updated in over 50 months (2015 Cisco Annual Security Report)
AUGMENTED REALITY DISRUPTING THE WAY WE SEE THE WORLD
Opening up new ways of attracting customers and doing business
BUT THERE IS A DARK SIDE TO AUGMENTED REALITY
Mobile apps like Layar, Wikitude World Browser, etc. show an augmented reality view using the camera and geotags. Risks:
• Distracted walking and driving
• Associates social media information with location
• Shows posted, geotagged racy images and video
• Criminals use augmented reality to lure victims to a location
• Gangs and terror groups virtually mark territory and targets
AUGMENTED REALITY OPPORTUNITY AND CHALLENGES
Source: ISACA Risk Reward Barometer – Nov. 2016
HYPER REALITY OPPORTUNITY AND DANGER
Cloud enables the digital business
CLOUD – ALL YOU NEED IS AN IDEA AND A CREDIT CARD
One thing to play with it…
…Another thing to depend on it
Reintroduce control…
…without reintroducing friction
WHAT LIMITS CLOUD ADOPTION?
What factors are limiting your adoption of virtual/private, community and public clouds today?
• Encryption helps, but key management is critical
• Regulatory, sensitivity and privacy issues may require that some data is restricted to certain physical locations
• Restrict sensitive workloads (e.g., PCI) to a trusted hardware and software server stack
• Only allow certain workloads to run on hardware in an approved physical location
• Only allow certain workload data to be decrypted in an approved physical location
• Cloud solutions require a combination of capabilities to achieve "defense in depth" and compliance readiness
Key Elements
THE WORKLOAD: Infrastructure, Management, Data, Policy
Data
→ Key management
→ Encryption
→ Admin rights
Management
→ Role-based access control
→ Secondary approval
→ Multi-factor authentication
Policy
→ Automation for workload policy
→ Any cloud abstraction
→ Workload and asset tagging
Infrastructure
→ Boundary-based policy
→ Tag policy
→ Hypervisor hardening
The Workload: The New Atomic Unit of IT (COMPUTE | NETWORK | STORAGE)
Source: HyTrust
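The location and trusted-stack restrictions listed under "What limits cloud adoption?" and the tag policy, boundary-based policy and key management elements above, combined into one placement check as an added example that is not HyTrust's code; host names, locations, tags and keys are constructed:

```python
"""Tag- and boundary-based workload placement with key release.

Added example, not HyTrust code. Rules modelled from the slides: a workload
tagged "pci" may run only on a host whose hardware/software stack is attested
trusted; a workload with a data residency requirement may run only in an
approved physical location; and the workload's data key is released only where
the workload may run, so its data cannot be decrypted elsewhere.
Host names, locations, tags and keys are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    location: str         # physical boundary the host sits in, e.g. "DE-FRA-1"
    trusted_stack: bool   # result of an attestation done elsewhere (assumed)


@dataclass(frozen=True)
class Workload:
    name: str
    tags: frozenset = frozenset()               # e.g. {"pci"}
    allowed_locations: frozenset = frozenset()  # empty = no residency restriction


def placement_violations(workload, host):
    """Return the policy rules the placement would break; an empty list means allowed."""
    violations = []
    if "pci" in workload.tags and not host.trusted_stack:
        violations.append(f"{host.name}: pci workload needs an attested trusted stack")
    if workload.allowed_locations and host.location not in workload.allowed_locations:
        violations.append(f"{host.name}: location {host.location} not approved "
                          f"for {workload.name} ({sorted(workload.allowed_locations)})")
    return violations


def may_run(workload, host):
    return not placement_violations(workload, host)


def release_data_key(workload, host, key_store):
    """Key management tied to the boundary policy: return the workload's data
    key only on a host where the workload may run, otherwise None."""
    if not may_run(workload, host):
        return None
    return key_store.get(workload.name)
```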
WORKLOAD: THE ATOMIC UNIT OF IT
WORKLOAD SECURITY USE CASES
Eliminate privileged account misuse
Halt data breaches on clouds
Address audit and compliance issues
Remove costly infrastructure air gaps
Meet data residency requirements
Stop accidental downtime
Source: HyTrust
CONSIDER ADDING SECONDARY APPROVAL CONTROLS
Diagram labels: Administrator; Secondary Approval Administrators; Hypervisor or Cloud Control add-on; Virtual Infrastructure; "Does not need secondary approval"; "NOT APPROVED".
Source: HyTrust
BIG DATA AND ANALYTICS APPLICATIONS
Curing Cancer
Reducing Energy Costs
Predicting Weather
Predicting Consumer Behavior
Build Better Cars
Security Intelligence and Fraud Detection
100 zettabytes by 2025!
BIG DATA PRIVACY CONCERNS
“De-Identified” Information Can Be “Re-Identified”: data collectors claim that the aggregated information has been “de-identified”; however, it is possible to re-associate “anonymous” data with specific individuals, especially since so much information is linked with smartphones
Possible Deduction of Personally Identifiable Information: non-personal data could be used to make predictions of a sensitive nature, like health condition, financial status, etc.
Data Sovereignty Issues: Many countries or regions (like the EU), may have requirements that certain personal data and the processing of that data remain in the country or region
Right to be forgotten: Some areas like the EU have a “right to be forgotten” that may be challenging to implement in a Big Data environment.
http://www.ftc.gov/public-statements/2012/03/big-data-big-issues
USING BIG DATA TO PREDICT CRIME
Source: NetworkWorld, Sep 20, 2014
Crime Hot Spots in London
Soldiers' suicide risk predictable with Big Data, study says, Patricia Kime, Nov. 12, 2014
What about predicting crime by particular individuals? Will we have predictive capabilities like those in the movie Minority Report, but through Big Data?
DARPA CYBER GRAND CHALLENGE AT DEFCON 2016
• 7 teams competing, each with its own supercomputer running machine learning programs
• Attacking other systems and defending your own
• “Mayhem” took the top prize of $2M
Is the future of hacking AI?
Is the future of cyber defense AI?
Private and Safe?
QUESTIONS?
Rob Clyde, CISM, NACD Board Leadership Fellow; Vice-Chair, ISACA International; Executive Chair, Board of Directors, White Cloud Security; Managing Director, Clyde Consulting LLC; Executive Advisor to BullGuard and HyTrust
Email: [email protected] Site: www.isaca.org