can we still trust the internet, or anything connected to it · can we still trust the internet, or...
TRANSCRIPT
Nr.: 115 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Can we still trust the internet,or anything connected to it ?
15 october 2015Presenter : Paul De Vroede
Information Security OfficerAgentschap Facilitair Bedrijf
Vlaamse overheid
Classification: not public yet
Nr.: 215 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
WARNING:
This presentation has
an unusually high
‘FUD’ factor (*)
Disclaimer
* FUD : Fear, Uncertainty & Doubt
Nr.: 315 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Last 6 years : Information Security Officer @ Agentschap
Facilitair Bedrijf, Vlaamse overheid
- 15.000 PC endpoints
- >2 TerraByte browsing download /day(avg. 700 Mbit/s)
before that : 11 Years ICT Security Officer combined with
ICT mgmt function in European HQ of large multinational
@pauldevroede
expresses his own opinion in this presentation
BIO: Paul DE VROEDE
Nr.: 415 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Agenda
• A 2015 ‘Tragic Quadrant’ of insecurity
• Some recent observations
• Back to InfoSec school : the CIA triad
• Where does it all go wrong ?
• (How) can we fix this ?
Nr.: 515 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
A 2015 ‘Tragic Quadrant’ of insecurity
• Car hacking
Nr.: 615 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
A 2015 ‘Tragic Quadrant’ of insecurity
• Car hacking
Nr.: 715 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
A 2015 ‘Tragic Quadrant’ of insecurity
• Car hacking
• Malvertising
• Fingerprint
leakage
• Internet
of Things
• Flash/0-day
• Mass surveillance
• Security
products
• Malbehaving Apps
Nr.: 815 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Some recent observations
Nr.: 915 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Chatham House report
(5 oct 2015):
“The researchers found
that many nuclear power
plant systems were not "air
gapped" from the Internet
and that they had virtual
private network access that
operators were
"sometimes unaware of.”
"It would be extremely
difficult to cause a
meltdown (...) but it would
be possible for a state
actor to do...” (FT.com)
Some recent observations
Nr.: 1015 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Some recent observations
Nr.: 1115 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Cookies (and other methods of tracking and privacy-
deteriorating stuff).
Yes please, I would like to have that “free lunch” !
Some recent observations
Nr.: 1215 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Source : https://www.ernw.de/download/ERNW_DCVI_TargetedAttacks.pdf
Some recent observations
Nr.: 1315 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Do we even know what we will be up against ?
Some recent observations
Nr.: 1415 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Just making sure : Does anybody need some medical
assistance at this point in the presentation ?
Intermediate question
Nr.: 1515 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Back to Infosec school : the CIA triad
Incidents affecting integrity
will have dramatic
consequences !
Nr.: 1615 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Where does it all go wrong, is it Dave’s fault
?
Nr.: 1715 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Where does it all go wrong, is it Dave’s fault
?
Disclaimer : if you disagree, please contact Mr. Einstein, not the presenter
Remark : I agree, but not when referring to the end-user, but to us all (see further)
Nr.: 1815 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Where does it all go wrong (please fill in)
?Many TCP/IP protocols lack security options (such as authentication), we were
going to network universities and assumed we would not hack/spy each other
Old architecture (flat networks, but does R&D need to talk to Marketing ?)
Bad decisions : does everything need to be online ?
A lot of bad design/build/installs/configurations
(human error)
Bad practices and operations
Investment in technology, but not in skills/resources
Browser extensions/plug-ins/new functions
(some) Users
Software ! Software ! Software ! Software !
Nr.: 1915 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
(How) can we fix this ?
New and ‘more secure’ protocols ?
(But look at adoption rate of DNSSec, startTLS, …)
Isolation/virtualization/segmentation, … X-ation : ex.Qubes OS, Cloud Isolation
Platforms, etc. ?
Liablity for Software vendors ? More regulation and bigger ‘penalties’ ?
Transparancy in Software code (Open Source) ? Some say it might prevent cases
like VW’s Diesel “cheating code”. Might also need look at HW, and how about
Intellectual Property ?
Segmentation on Internet (how would that look like) ?
More skills, more people (rather than products, SIEM or analytics) ?
Honestly ? I don’t know… I hope you can tell me in the coming hour !
Nr.: 2015 october 2015EEMA Fireside – “Can we still trust the internet ?” – classification : public
Closing Thought (or rather food for though)
A car is a product we buy (in the future rent, some say), and that can bring us to
wonderful places. So is our internet connected PC. We can wreck the car by
driving careless, as we can wreck our PC (or consequently our bank-account) if we
‘operate’ it without thinking (and without some knowledge/skill). We can still start
‘surfing’ the web without a drivers license, though (and have our PC harm other
people if it becomes part of a botnet, e.g.).
But we don’t accept our cars to have faults, why do we accept it from the internet,
and from the computers and the software we use ? We (will) have people killed as
a consequence of internet-related security incidents.
If you don’t see the internet (and the PC connected to it) as a ‘product’ for which
we could claim flawless functionality, could it be compared then with a utility like
gas or electricity ? Do we expect those to be ‘safe’ ? Those can only be installed
by accredited installers, and (in-house) installations are thoroughly verified before
being connected to the supply-network. Is that even possible with the internet, and
would it make a difference ?