Tommi Rintala, Delektre Ltd., 17-18 Aug 2015, CybSec-101
TRANSCRIPT
CybSec-101
Delektre Oy
● Product design and development
– Health
– Energy
– Transport
● Keywords:
– Modular design
– Usability
– Security
Tommi Rintala, CV
● MsEcon, Bachelor of Science
● Software industry
● System admin
– Unix, Linux, Windows, MacOS
● Networking
– Network administration
– Firewalls, internetworking, mobile networks
● Research
Day 0: Pre-study
● Monitoring Security in Cloud Environments
– Change of mental attitude
● Metrics That Work: Practical Cyber-Security Risk Measurements
– Gathering data
● Building a Security Analysis Initiative
– Analysis
Day 1: Waking the Awareness
● Big picture, general info: ”Why should we be concerned about security?”
● Examples
● What is Cyber Security
● Cloud & IoT: ”What should we know?”
● Policy-related issues
● Social hacking: ”How is it done?”
Day 2: Technical Issues
● Points of attack, including methods and tools
● Protecting yourself, your organisation and its practices
● Public key exchange; IPSec & Co.
● Demos
Day 3: Audit and Standards
● KATAKRI (Kansallinen Tietoturvakriteeristö): what it is, and why should we know about it?
● BSI (Bundesamt für Sicherheit in der Informationstechnik) Standards
– Information Security Management Systems (100-1)
– IT-Grundschutz Methodology (100-2)
– Risk Analysis Based on IT-Grundschutz (100-3)
– Business Continuity Management (100-4)
Motivation & Background
● In this course the following keywords occur:
– (data) Integrity
  ● Accuracy and consistency of data
– Identification
  ● Of a person, resource, or other party
– Digital signatures
– Authenticated encryption (AE)
Scope of this course
● This course is about
– Motivation towards secure thinking
– Basics everybody should know
– A ”meta framework” for how to think
● This course is not about
– Algorithm analysis
– Complexity analysis
– Deep weakness analysis
Motto
If you know the enemy and know yourself, you need not fear the results of a hundred battles.
[Sun Tzu]
Big Picture
Complexity of Devices, Services, Roles and (Business) Models:
[Word cloud: BYOD, URL, HTTP, Microsoft, Linux, Twitter, Verisign, JavaScript, VPN, Client / Server, UML, Programming, Android, iPhone 7, PHP, OOP, Postscript, Corba, Perl, High Performance Computing, AutoCad, Java, Electronics]
It's a complicated world, but
● When you take a new device into use, do you read:
– User manuals
– License terms
– Copyright notices
● In your mobile phone package, these amount to several hundred A4 pages of text....
I give you more reasons to hate me
● If you build a wall around your house:
– You think like a mason
– You want your wall to be complete
– You fix all the small holes
● The criminals think otherwise:
– They want to know how to go over or under, or to figure out an out-of-the-box way to get past your defence
– They call the fire department to tear down your wall and work with what remains....
Headlines from my ”network”
● Attackers use Google Drive, Dropbox to breach companies
● Hacking Team's RCS Android: The most sophisticated Android Malware ever exposed [Remote Control System Android]
● Corporate Networks can be compromised via Windows Updates
● NIST releases SHA-3 Cryptographic hash standard
Attackers use Google Drive, Dropbox to breach companies
● Man in the Cloud attack
● No account username or password required
● No user interaction required (click etc.)
● Based on the sync protocol
– Very hard to detect / protect against
● http://www.net-security.org/secworld.php?id=18719
Hacking Team's RCS Android: The most sophisticated Android malware ever exposed
● Delivered as a fake app via Google Play, SMS, or email message (URL link)
● Root privileges; shell backdoors, RCS
– Screenshots, photos, microphone, capture voice calls, record location, capture WiFi, capture online-account passwords, contacts, decode IM messages, SMS, MMS, email messages, …
● Removal protection
● http://www.net-security.org/malware_news.php?id=3080
Corporate networks can be compromised via Windows Updates
● Based on insecurely configured WSUS (Windows Server Update Services)
● Windows default is to use WSUS via HTTP (not HTTPS)
● Malicious third-party (USB) driver injection
● How about a (security-)weak driver for device X?
● http://www.net-security.org/secworld.php?id=18725
NIST releases SHA-3 cryptographic hash standard
● Next-generation tool for securing the integrity of electronic information
● Released on August 6th 2015; it was developed for nine years!!
● Developed using a public competition
● Does not replace SHA-2, but…
● http://www.net-security.org/secworld.php?id=18720
Examples of Attacks
● Russian troll factory
● ”Chinese” espionage cases
● Automobile hacks:
– RollJam (Kamkar @ DefCon, $32,00)
– Controlled (Toyota, Chrysler, Ford)
– …
● Automation system hacks
– ….
History – don't ignore it
● It is a very rare thing – in the IT world – that you are the target of a totally new attack
● Hence, know your history:
– The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll (1989).
Things to avoid
● Password helpers (programs which remember your passwords)
● Opening links from phone/email programs
● Opening attachments without running them through virus scanners
● Playing ”free” games → ads
● Is it worth being involved in participation programs?
Security Attack Types
● Viruses and worms
● Trojans and other security threats
● Network attacks
– Social engineering, phishing attacks, social phishing, spear phishing attacks, watering hole attacks, whaling, voice phishing, port scanning, spoofing, network sniffing, Denial-of-Service and DDoS, ICMP flood (ping), ping of death, Smurf attack, SYN flood, buffer overflow, botnet
Security Attack Positions
● Client-directed spoofing, spying, recording
● Man in the middle
● How to analyse the rest?
Data
● What is the core (valuable) data:
– That you work with
– That belongs to your organisation
● What creates the value of your data?
● Can you (or your organisation) filter out some of the valuable data? (see next slide)
Things to DO
● Updating your phone, laptop and tablet according to the policy of your organisation
● Installing virus scanners on phones, tablets and all other devices
● Separating your ”working” and ”home” profiles
Cyber Security
● Cyber Security is a broad subject:
– Computers & other devices; networks; humans
– Interaction between these
● Handling, transfer and storage of data (created or collected)
● Covers topics from terrorism and crime to the user being outside their comfort zone
Motivation
● Somebody wants your:
– Money
– Resources (CPU cycles), because they are just as valuable
– Images, contacts, accounts, passwords; since they can be turned into resources or money
– Identity; which can be put together from the above information and is valuable to someone.
Cyber Security (2)
● How can we ”fix” this:
– In Sweden (2014), the local police issued a warning about crime leagues who observe people in the parking space of a mall. When a ”suitable” victim arrives, the criminals fetch the address from a (public) web service and rob the house during the shopping trip.
OpenStack Cloud Sec Architecture
[Architecture diagram: OpenStack components Glance (API, registry, store adapter), Nova (API, queue, scheduler, compute cluster with instances), Swift (object store, database), Cinder, Keystone, Quantum and Horizon, placed behind a public switch, bastion switch/host, firewall, application proxy, demilitarized zone, private switch and management switch, with threat indicated from the Internet side; administrative connections over SSH, inter-component connections over SSL/TLS]
Cloud and IoT
● Why is the cloud growing?
– Business case: it is (relatively) cheap to offer a cloud service, compared with testing functionality across several different configurations. The cloud requires only one API!!
– Good practices in API design make services easy to approach.
– Users find it good: data roams to every device and every (physical) location
What is IoT?
● Internet of Things
– Connect all devices to the internet
– Easy connectivity; easy-to-use kits
– More data to networks
● Internet of Worms?
Home Automation Example
● Measure: room temperatures, electricity consumption, CO2, CO, outside temperature, water consumption, moisture
● Control lights, doors, AC
● Security devices (cameras, movement detectors, IR, ...)
● IoT system vs. ”own custom solution”
● Monitoring vs. control
● What is the CORE data?
What to think ahead?
● Ownership of data (created or gathered)?
● Life-time of data
● To whom is data released?
● Authentication to cloud/web services?
● Authorization of data access
● The actions to perform when the ”project” ends
Future predictions
● New services and business models will arise
● The number of items measured will increase and more data will be available
● New possibilities for illegal activities will arise
● By being active, one can choose the direction one is going
Policies
● While we walk our digital footpath, we are governed by policies:
– Finnish law
– Funet Networking Policy
– VAMK Computer Policy
– Social code of conduct
Social Engineering
● No matter your security equipment and procedures, the most easily exploitable aspect is the human infrastructure
● Social engineering is about:
– Information gathering
– Mixing several techniques and models
– Creating trust
– Control
Social Engineering (2)
● In advance, you should think about:
– What you can talk about
– What you cannot talk about
– To whom you can talk
– Where you can talk
Communication Theory
Shannon-Weaver (1947)
[Diagram: Information Source → Transmitter (Signal IN) → Channel → Receiver (Signal OUT) → Destination, with Noise acting on the channel]
Communication Problems
● Technical problem – how accurately the message is transmitted
● Semantic problem – how precisely the meaning is conveyed
● Effectiveness problem – how effectively the received message affects behaviour at the destination
Shannon-Weaver (1947)
Secure Communication in a Nutshell
[Diagram: (1) Data → (2) CRC / Hash → (4) Encryption with Key → Communication → (5) Decryption with Key2 → (6) CRC / Hash → Data, with (3) Key Exchange supplying the keys]
Problems in Communication
● Identification of sender/receiver
– Authentication of recipients
– Trust in the validity of identification
● Integrity of data (message)
● Key exchange
● Trust in the communication channel
● Using point-to-point encryption
● MAC / hash
● Outsourcing trust to a 3rd party
● Anonymous / public services
● Using several methods for authentication
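The integrity step of the nutshell diagram and the ”MAC / hash” bullet above, as an added Python example that is not part of the course slides: a CRC or an unkeyed hash (SHA-3 included) only catches accidental corruption, whereas a keyed HMAC built on the key from the key-exchange step also rejects deliberate modification on the channel. The encryption step is left out to keep the focus on the tag; the key and the messages are constructed demo values.

```python
import hashlib
import hmac
import zlib
# Constructed demo key; in practice it comes from the key-exchange step (3).
SHARED_KEY = b"demo-shared-key-from-key-exchange"
TAG_LEN = 32  # SHA3-256 digest length in bytes

def crc_tag(data: bytes) -> bytes:
    # Unkeyed CRC (step 2 of the diagram): detects accidental corruption only.
    return zlib.crc32(data).to_bytes(4, "big")

def hash_tag(data: bytes) -> bytes:
    # Unkeyed SHA-3 hash: anyone who can alter the data can recompute it.
    return hashlib.sha3_256(data).digest()

def mac_tag(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    # Keyed HMAC-SHA3-256: a valid tag requires the shared key.
    return hmac.new(key, data, hashlib.sha3_256).digest()

def send(data: bytes, tagfn) -> bytes:
    # Sender frames the message as data || tag.
    return data + tagfn(data)

def receive(frame: bytes, tagfn, tag_len: int) -> bytes:
    # Receiver splits the frame and checks the tag in constant time.
    data, tag = frame[:-tag_len], frame[-tag_len:]
    if not hmac.compare_digest(tagfn(data), tag):
        raise ValueError("integrity check failed")
    return data

def altered_in_transit(frame: bytes, tag_len: int, new_data: bytes, tagfn=None) -> bytes:
    # Models an untrusted channel that swaps the payload: an unkeyed tag (tagfn
    # given) is simply recomputed, a keyed tag cannot be and is carried over.
    return new_data + (tagfn(new_data) if tagfn else frame[-tag_len:])

def demo() -> dict:
    # Per tag type: did the receiver accept the altered message? (constructed data)
    msg = b"transfer 10 EUR to account A"
    altered = b"transfer 10 EUR to account B"
    accepted = {}
    for name, tagfn, tag_len in (("crc", crc_tag, 4), ("sha3", hash_tag, TAG_LEN)):
        frame = altered_in_transit(send(msg, tagfn), tag_len, altered, tagfn)
        accepted[name] = receive(frame, tagfn, tag_len) == altered
    frame = altered_in_transit(send(msg, mac_tag), TAG_LEN, altered)
    try:
        receive(frame, mac_tag, TAG_LEN)
        accepted["hmac"] = True
    except ValueError:
        accepted["hmac"] = False
    return accepted
```

`demo()` returns `{'crc': True, 'sha3': True, 'hmac': False}`: both unkeyed tags let the altered message through, only the HMAC-protected frame is rejected.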
HTTP(S)
● Certificate:
– Hierarchy of certificates!!
– Client/server certificate
– Issued To
– Issued By
– Period of validity
– Fingerprints
HTTPS Communication
[Sequence diagram with participants Keystore, Browser, DNS Server and Issuer: name resolution; Enc GET /; encrypted result; get client certificate; server certificates; Enc GET /image.png; encrypted result]
Thought to end day 1
● It is not possible to protect yourself from all possible attacks, however...
… it is generally known that if you are not the easiest prey, you can avoid a lot of havoc.
More information
● www.imperva.com
● www.net-security.com
● www.viestintavirasto.fi/kyberturvallisuus.html
● Social Engineering – The Art of Human Hacking by Christopher Hadnagy (2011)
● Cyber 24-7: Risks, leadership and sharing: sound advice for board members, the C-suite and non-technical executives by Peter Odell