Internet Security: Past, Present, and the Future
Ehsan Foroughi, M.Sc., CISSP, CISM
Information Security Triad (CIA)
[Figure: CIA triangle with Confidentiality, Integrity and Availability at its three corners]
Confidentiality, Integrity, Availability, Authenticity, Non-repudiation
Security Concepts
Ref: Wikipedia
Cyber Security in Canada
Cybercrime cost US businesses $8.9 B in 2012, an increase of 38% from 2010
On average, security breaches:
◦ Take 24 days to spot
◦ Take 40 days to clean
◦ Cost $592,000 to clean up per incident
◦ Cleanup cost increased 42% from 2011
In a study of 56 organizations:
◦ $8.9M in cyber security/crime cost per organization per year
◦ Security tools lowered cost by $1.6M
Cost of Cyber Crime
Cost of Cyber Crime
Average Cost of Cyber Security Attacks Per Second By Industry
Ref: Enlight Research
Targeted Attacks
Ref: HP Ponemon Report
TJX Companies: 94 Million CC exposed (2006)
Conficker Worm Botnet: Affected 15M systems at its peak. (2008)
Heartland Payment Systems: 134 Million CC data lost (2008)
Stuxnet attack on Iran Nuclear Plants: Damage Cost ?? (2010)
Sony network breach of 77 M accounts, cost $171 M (2011)
Incidents
[Pie chart, "Biggest hit to businesses": Lost Information, Business Disruption, Lost Revenue, Equipment Damage, Other; slices of 44%, 30%, 19%, 5%, 2%]
Cost of Cyber Crime
Ref: Businessweek
Infrastructure Security (Network / Internet Security)
Application Security
Physical Security (Environmental Security)
Operational and Process Security
Cryptography
e-Forensics
Governance & Compliance
Business Continuity and Disaster Recovery Planning (BCP / DRP)
Subject Areas in Cyber Security
Internet Security Threats
Vulnerability (Weakness)
Insecure Design / Architecture
Software Bugs (Errors)
Spoofing / Phishing
Malware
Denial of Service
#include <string.h>

int main() {
    char buffer[4];
    int some_variable = 1;
    /* ... */
    strcpy(buffer, "Test");  /* "Test" plus its terminating NUL is 5 bytes, one more than buffer holds */
    return 0;
}
Software Bugs: Buffer Overflow
[Figure: buffer after the copy holds T e s t \0, five bytes written into a four-byte buffer]
def Withdraw(user, value):
    balance = AccountBalance(user)
    if balance < value:
        Exit(Error)
    balance = balance - value
    AccountBalance(user) = balance
    PayOut(value)
    Exit(Ok)
Software Bugs: Race Condition
[Animation over three slides, same Withdraw pseudocode: two concurrent withdrawals of $10 from a $100 balance; both calls read $100, both compute $90, and both write $90 back, so two $10 payouts leave the balance at $90]
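The interleaving the slides animate, as an added example that is not part of the deck: the Withdraw pseudocode run as two concurrent $10 withdrawals from $100, once unsynchronized and once under a lock. The Barrier is a constructed test device that forces both threads to read before either writes; the account store is a plain dict for one user.

```python
import threading

# Added example, not from the slides: the Withdraw pseudocode from the
# race-condition slides run as two concurrent $10 withdrawals from a $100
# balance, first unsynchronized and then under a lock. The Barrier is a
# constructed test device that makes both threads read the balance before
# either writes it, which is the interleaving the slides animate.

def simulate(start, value, use_lock):
    store = {"balance": start}              # AccountBalance(user), one user
    paid_out = []                           # every PayOut(value) that ran
    lock = threading.Lock()
    gate = threading.Barrier(2, timeout=1)  # interleaving point (see above)

    def withdraw():
        balance = store["balance"]          # read
        try:
            gate.wait()                     # let the other thread read too
        except threading.BrokenBarrierError:
            pass                            # under the lock the gate times out
        if balance < value:
            return                          # Exit(Error)
        store["balance"] = balance - value  # write back what this thread computed
        paid_out.append(value)              # PayOut(value); Exit(Ok)

    def withdraw_locked():
        with lock:                          # check-then-act becomes atomic
            withdraw()

    target = withdraw_locked if use_lock else withdraw
    threads = [threading.Thread(target=target) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return store["balance"], sum(paid_out)  # (final balance, total paid out)

if __name__ == "__main__":
    print("racy:  ", simulate(100, 10, use_lock=False))  # (90, 20): $10 created
    print("locked:", simulate(100, 10, use_lock=True))   # (80, 20)
```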
2003 Blackout
Trojan Horses
Viruses
Worms
Rootkits
Botnets
Spyware
Malware
Sending Spam Email
Stealing Passwords and Information
Using Resources
Malware: Goals
USB Disk
Shared Network Drives
Pop-ups and download links
Insecure Network
Malware: Transfer Mediums
Distributed Denial of Service Attack
Grudge factor: Oct 2012 attack on banks by Izz ad-Din al-Qassam hackers
◦ CapitalOne
◦ HSBC
◦ SunTrust
Anonymous group crippled Visa, MasterCard, PayPal over WikiLeaks
Denial of Service
import smtplib
from email.mime.text import MIMEText  # Python 3 location of the MIMEText class

s = smtplib.SMTP('localhost')
msg = MIMEText('Hello from Microsoft.')
msg['Subject'] = 'This is a test'
msg['From'] = '[email protected]'
msg['To'] = '[email protected]'
ret = s.sendmail(msg['From'], [msg['To']], msg.as_string())
s.close()
Spoofing Example: Email
Let’s Rethink Email Security
Email Security
[Figure over three slides: the ciphertext NPIBOEFT is decoded letter by letter by moving each letter back one place in the alphabet: N -> M, P -> O, I -> H, B -> A, O -> N, E -> D, F -> E, T -> S, giving MOHANDES]
Security Tools: Cryptography
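The shift cipher behind the NPIBOEFT slides, as an added example that is not from the deck: one shift value is the whole secret, and brute_force lists all candidate plaintexts to show how little confidentiality that gives.

```python
import string

# Added example, not from the slides: the substitution on the cryptography
# slides, where NPIBOEFT is decoded letter by letter (N -> M, P -> O, ...)
# into MOHANDES. Every letter moves the same distance, so the whole
# secret is one number, the shift; brute_force shows why that is not enough.

ALPHABET = string.ascii_uppercase

def shift(text, k):
    """Move each A-Z letter k places along the alphabet, wrapping at Z.
    Characters outside A-Z pass through unchanged."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)

def encrypt(plaintext, k):
    return shift(plaintext.upper(), k)

def decrypt(ciphertext, k):
    return shift(ciphertext.upper(), -k)

def brute_force(ciphertext):
    """Only 25 non-trivial shifts exist: list every candidate plaintext.
    Charlie needs no key, only the knowledge that a shift cipher was used."""
    return {k: decrypt(ciphertext, k) for k in range(1, 26)}
```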
Confidentiality Integrity Authenticity
Cryptography
Alice Bob
Charlie
Symmetric Key Cryptography
Shared Secret
Encryption Only
Usages:
◦ Password Protected Zip Files
◦ WEP-Shared (WiFi)
◦ SSL / HTTPS
[Figure, A -> B: plaintext 01011001 XOR key 11001101 = ciphertext 10010100; ciphertext 10010100 XOR key 11001101 = plaintext 01011001]
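The XOR diagram on the symmetric-key slide carried out on bytes, as an added example that is not from the deck. The plaintext and key bit strings are the slide's; the second message and the key-reuse check are constructed here to show why a shared secret used as a pad must not be reused.

```python
# Added example, not from the slides: the XOR diagram on the symmetric-key
# slide, carried out on bytes. The plaintext and key bit strings are the
# slide's; the second message and the key-reuse check are constructed here
# to show why a shared secret used this way must never be reused.

def xor_bytes(data, key):
    """Encrypt and decrypt are the same operation: each data byte is XORed
    with the key byte in the same position. The key must cover the data."""
    if len(key) < len(data):
        raise ValueError("key shorter than data")
    return bytes(d ^ k for d, k in zip(data, key))

def from_bits(s):
    """'01011001' -> b'Y' (0x59)"""
    return int(s, 2).to_bytes((len(s) + 7) // 8, "big")

def to_bits(b):
    return "".join(f"{x:08b}" for x in b)

PLAINTEXT = from_bits("01011001")   # A's message (from the slide)
KEY = from_bits("11001101")         # the shared secret (from the slide)

def roundtrip():
    """Returns (ciphertext bits, recovered plaintext bits)."""
    ciphertext = xor_bytes(PLAINTEXT, KEY)      # 10010100
    recovered = xor_bytes(ciphertext, KEY)      # back to 01011001
    return to_bits(ciphertext), to_bits(recovered)

def recover_second_message(c1, c2, known_m1):
    """Key reuse: with one key behind two ciphertexts, c1 XOR c2 equals
    m1 XOR m2, so anyone who knows m1 gets m2 without touching the key."""
    return xor_bytes(xor_bytes(c1, c2), known_m1)
```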
Public Key Cryptography
Ref: Wikipedia
Public Key Cryptography
Encryption
Authenticity (Signing)
Usages:
◦ Email Validation (PGP)
◦ Authentication / Login
◦ Banking
Antivirus replacement: Microsoft Malicious Software Removal Tool
Malware Removal: Malwarebytes
Browsers:
◦ Use Chrome
◦ Stay away from Internet Explorer
Email Security: Web-mails such as Gmail
Password Management: PasswordSafe, LastPass, etc.
Tools for Personal Security
Payment Card Industry Data Security Standard (PCI-DSS)
◦ Liability!
Privacy Laws: Canada Privacy Act 1983
ISO 27001: Information Security Management Systems
Compliance
International Information Systems Security Certification Consortium, (ISC)²
Non-profit (since 1989)
Focused on IT Security
90,000 Members
Certified Information Systems Security Professional (CISSP)
Certified Secure Software Lifecycle Professional (CSSLP)
CISSP: US DoD and NSA requirement
Associations - (ISC)2
Previously the Information Systems Audit and Control Association
Non-profit (since 1967)
Focused on IT Governance and Audit
95,000 Members
Certified Information Systems Auditor (CISA)
Certified Information Security Manager (CISM)
Continuing Education Point system, called CPE
Associations - ISACA
Open Web Application Security Project (OWASP)
Non-profit
Open source
Focused on Securing the Web
Associations – OWASP
Questions?