Being a CISO in 2.012 ? You better wake up ! Digital Trust Protecting information in a connected world 13.03.2012, Geneva Bruno Kerouanton Infosec expert, CISSP, MS CISO – Republic and Canton of Jura

Post on 13-Sep-2020

Page 1: You better wake up… · Amazon EC2 Elastic Compute Cloud Public IP Ranges – Feb 3, 2012 Dear Amazon EC2 customer, we are pleased to announce that as part of our ongoing expansion,

Being a CISO in 2.012 ? You better wake up !

Digital Trust Protecting information in a connected world

13.03.2012, Geneva

Bruno Kerouanton Infosec expert, CISSP, MS

CISO – Republic and Canton of Jura

Page 2

SO, WHAT IS GOING ON ?

©2012 bruno.kerouanton.net

Page 3

Fundamental questions

• Where is my data ?

• How do I access it ?

• Who can access it ?

• What is my data ?

• When will be the next infowar ?

2.012 IT trends: Mobility, Social, Cloud

Page 4

Fundamental questions

• Where is my data ? – In the Cloud ?

• How do I access it ? – Using Mobility, BYOD ?

• Who can access it ? – Social media users ?

• What is my data ? – Amongst Big data ?

• When will be the next infowar ? – Already started ?

2.012 IT trends: Mobility, Social, Cloud

Page 5

ACCESSING DATA

Page 6

2.012, the post-PC era?

Page 7

Evolution keeps going

Page 8

From notepad…

Page 9

From notepad…

…to tablet

Page 10

Around 10’000 iPhones and 5’000 iPads built, then sold. Per hour !!!

Page 11

The new workplace

• Work anywhere, anytime from any device

• Bring your own device → Use your own device

Page 12

BYOD vs UYOD

• Bring your own device ?

– At the office

• Use your own device !

– Everywhere

CISOs have new challenges to deal with…

Page 13

The rise of Apple in enterprise

• This is a fact (Gartner)

• Total cost of ownership (TCO) much higher than expected, e.g. MS Office

• Apple stays an end-user focused company

– No long-term support, incl. patches

– Non-negotiable warranty

– Some features not available for business

Page 14

iPad, Android : who is the owner ?

• Users buy iPads and Android devices, but technically don’t own them.

• Apple and Google lock everything, from OS to Apps.

Better security… by obscurity ?

Your company is still blind !

Page 15

In short

• People will not only tend to bring their own devices to the office,

• But also want to use the same system for everything, everywhere…

• A system that IT doesn’t control anymore !

Be prepared.

Page 16

STORING DATA

Page 17

In 2.012, where is my data ?

Google

Facebook

Apple iCloud

Amazon S3/EC2

Microsoft Azure

Page 18

Huge data centers: monsters !

Everything is there… just hoping Infosec is adequate !

Page 19

Prefab datacenters : scalability

• More innovation in the last 5 years than in the previous 15

• Each week, Amazon adds 5 times the capacity it had in 2000 !

• Datacenters are built with modular systems

Amazon Perdix

Microsoft Azure ITPAC

Page 20

IT security in a cloud context

Amazon EC2 Elastic Compute Cloud Public IP Ranges – Feb 3, 2012

Dear Amazon EC2 customer, we are pleased to announce that as part of our ongoing expansion, we have added new public IP ranges. The current Amazon EC2 public address ranges are:

US East (Northern Virginia): 72.44.32.0/19, 184.72.128.0/17, 67.202.0.0/18, 184.72.64.0/18, 75.101.128.0/17, 50.16.0.0/15, 174.129.0.0/16, 50.19.0.0/16, 204.236.192.0/18, 107.20.0.0/14, 184.73.0.0/16, 23.20.0.0/14

US West (Northern California): 50.18.0.0/16, 204.236.128.0/18, 184.169.128.0/17, 184.72.0.0/18

US West (Oregon): 50.112.0.0/16

EU (Ireland): 79.125.0.0/17, 46.137.128.0/18, 46.51.128.0/18, 176.34.128.0/17, 46.51.192.0/20, 176.34.64.0/18, 46.137.0.0/17

Asia Pacific (Singapore): 175.41.128.0/18, 46.137.192.0/18, 122.248.192.0/18, 46.51.216.0/21

Asia Pacific (Tokyo): 175.41.192.0/18, 103.4.8.0/21, 46.51.224.0/19, 176.34.0.0/18, 176.32.64.0/19, 54.248.0.0/15

South America (Sao Paulo): 177.71.128.0/17

Sincerely,

The Amazon EC2 Team
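The announcement quoted on this slide is the kind of list a CISO has to keep firewall rules and log review in step with, and it changes every few months. As an added example (not from the talk and not Amazon's code), the Python below loads the ranges exactly as printed above, maps an address to its EC2 region with the standard `ipaddress` module, and tags constructed firewall log lines so that connections arriving from cloud address space stand out. The log format, the `src=` field and every sample address are constructed assumptions; the ranges themselves are the Feb 2012 snapshot from the slide and are long out of date.

```python
"""Tag firewall log lines whose source address falls in the EC2 ranges quoted on the slide."""
import ipaddress
import re

# Prefixes copied from the Feb 3, 2012 announcement reproduced on the slide (obsolete today).
EC2_RANGES_2012 = {
    "US East (Northern Virginia)": [
        "72.44.32.0/19", "184.72.128.0/17", "67.202.0.0/18", "184.72.64.0/18",
        "75.101.128.0/17", "50.16.0.0/15", "174.129.0.0/16", "50.19.0.0/16",
        "204.236.192.0/18", "107.20.0.0/14", "184.73.0.0/16", "23.20.0.0/14",
    ],
    "US West (Northern California)": [
        "50.18.0.0/16", "204.236.128.0/18", "184.169.128.0/17", "184.72.0.0/18",
    ],
    "US West (Oregon)": ["50.112.0.0/16"],
    "EU (Ireland)": [
        "79.125.0.0/17", "46.137.128.0/18", "46.51.128.0/18", "176.34.128.0/17",
        "46.51.192.0/20", "176.34.64.0/18", "46.137.0.0/17",
    ],
    "Asia Pacific (Singapore)": [
        "175.41.128.0/18", "46.137.192.0/18", "122.248.192.0/18", "46.51.216.0/21",
    ],
    "Asia Pacific (Tokyo)": [
        "175.41.192.0/18", "103.4.8.0/21", "46.51.224.0/19", "176.34.0.0/18",
        "176.32.64.0/19", "54.248.0.0/15",
    ],
    "South America (Sao Paulo)": ["177.71.128.0/17"],
}


def build_index(ranges):
    """Parse every CIDR string once; return a list of (network, region) pairs.

    strict=True rejects a prefix whose host bits are set, which catches copy errors
    in the list before they silently widen or narrow a rule.
    """
    index = [(ipaddress.ip_network(p, strict=True), region)
             for region, prefixes in ranges.items() for p in prefixes]
    # Longest prefix first, so a narrower range wins if the list ever overlaps.
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


INDEX = build_index(EC2_RANGES_2012)


def ec2_region(ip):
    """Return the EC2 region whose announced range contains ip, or None if outside all."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    for net, region in INDEX:
        if addr in net:
            return region
    return None


# Assumed log layout (constructed): "<timestamp> <ACTION> src=<ip> dst=<ip> dport=<n>".
LOG_LINE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def tag_log_lines(lines):
    """Return (src_ip, region_or_None) for each line with a well-formed src= address.

    Lines without the field, or with an address that does not parse (an octet above
    255, for instance), are skipped rather than aborting the whole run.
    """
    tagged = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        try:
            tagged.append((m.group(1), ec2_region(m.group(1))))
        except ValueError:
            continue
    return tagged


def summarize(lines):
    """Count tagged connections per region; addresses outside the list count as 'not EC2'."""
    counts = {}
    for _ip, region in tag_log_lines(lines):
        key = region or "not EC2"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample log lines; the addresses are chosen to exercise the ranges above.
SAMPLE_LOG = [
    "2012-02-03T10:00:01 ALLOW src=50.16.12.34 dst=192.0.2.10 dport=443",
    "2012-02-03T10:00:02 ALLOW src=79.125.3.4 dst=192.0.2.10 dport=443",
    "2012-02-03T10:00:03 ALLOW src=54.249.1.1 dst=192.0.2.10 dport=22",
    "2012-02-03T10:00:04 DENY src=198.51.100.7 dst=192.0.2.10 dport=22",
    "2012-02-03T10:00:05 DENY src=999.1.1.1 dst=192.0.2.10 dport=22",
    "2012-02-03T10:00:06 heartbeat",
]

if __name__ == "__main__":
    for ip, region in tag_log_lines(SAMPLE_LOG):
        print(f"{ip:16} {region or 'not EC2'}")
    print(summarize(SAMPLE_LOG))
```

Run as a script, it tags three of the four valid sample connections as EC2 traffic and drops the malformed line. The list is a snapshot: AWS now publishes its current ranges as a machine-readable JSON feed (ip-ranges.amazonaws.com), and any allow-list, deny-list or detection rule built on such a list needs a refresh process, otherwise it quietly rots in the way the dated announcement above illustrates.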

Page 21

SwissTopo, a good example

Page 22

SwissTopo, a good example


Does that mean decreased Infosec ?

Page 23

Cloud IT risks

• The Cloud itself may be secure (I tend to believe so)

• But is your Internet resilient ?

• Are your IT processes able to run *without* Internet ? (in case of DDoS, or… cyberwar !)

Just think about it when doing your security assessment

Page 24

Where is REALLY your data ?

Sharepoint/corporate portals are often too restrictive and complex to use.

So, your data is getting out of control

• Users tend to copy/paste data to more convenient media (Dropbox …)

Data Leak Prevention (DLP) is a myth…

Page 25

EVOLVING THREATS

Part 1

Page 26

And Infosec ???

Page 27

Everything mixes up

Page 28

Is Privacy already a lost battle ?

Is it

• A security issue ?

• A legal issue ?

• A societal issue ?

Page 29

2.012, rise of the Hacktivists

• Offers a brand name for coordination

• Offers attack tools and tutorials

• Societal and political motivations

• Motivated youngsters, but often not informed

• «Anarchic» methods

• Rarely oversee the long-term effects…

Page 30

Wikileaks and others

• Wikileaks publishes «censored» information

– Contributions by individuals, or by Anonymous

– They claim freedom of speech,

– But forget that some info can harm if released

• State security,

• Personal data,…

eg: HB-Gary private messages.

Although such disclosures cannot be avoided, it is wise to publish before they do it. Be transparent !

An Information war is currently going on

Page 31

Impact of the economic crisis

Unemployment rising → rise of potential attackers

Mafias already know that, and hire attackers and mules in low-cost countries.

Eg: Training lessons for future Botnet managers !

Mafias didn’t wait to extend their criminal businesses to the Internet, Facebook and others…

Page 32

And Cybercrime

• «Rent-a-Botnet» ! (using Amazon EC2)

– Zeus, Aurora, Torpig...

• Infect PCs and mobiles, send spam

• Steal data, impersonate websites…

In 2.012, nothing changes about methods, goals and techniques.

The rise of iPads and Android smartphones tends to slow down the issue a bit

Page 33

A word about the Dark Web

Also known as «Deep web», «Invisible web»

• Not indexed by search engines

• Not accessible by normal means (Proxy, TOR)

• Virtually uncontrollable, resilient and anonymous

• Contains illegal stuff – Child pornography, arms, drugs websites,…

• Virtual currency (Bitcoin) for transactions

A «safe place» for Mafias and cyber-activists…

A proof that they learn new technologies faster than us…

Page 34

Cyberwar 2.012

More and more countries are building a national military Cyberdefense strategy. Some of them are also expanding their Cybercommando and Attack teams.

States are preparing for computer attacks and counter-attacks. The «Stuxnet» case ?

Will cyber-dissuasion replace nuclear dissuasion ?

Page 35

National Cyber security Strategies

• France, Germany, Holland, UK, Switzerland

– Now have official cyberdefense strategies

Not counting USA, China !

Seen as important as nuclear defense

Page 36

EVOLVING TECHNOLOGIES

Page 37

End-user vulns

Most patched apps :

• Oracle Java

• Adobe Flash

• Adobe Acrobat

• Sysadmins spend a lot of time patching systems…

• App-Stores don’t seem to solve the problem

• We will have to deal with that for a long time !

Page 38

The two-dot-zero-twelve Era

HTML 5, Ruby on Rails, Web Services, Social media

Most companies still aren’t ready yet…

Page 39

What is HTML 5 and why should you care ?

Dynamic contents

«Super cookies»

Embed rich contents

Javascript powered

Page 40

Deploying DNSSEC

• Internet-dependent business

• Cloud computing

All rely on DNS and SSL

Securing DNS is necessary

In progress, but far from complete,

And… DNSSEC relies on SSL

Page 41

SSL Certificate theft…

2.011, the black year for SSL registrars

• DigiNotar, Comodo, RSA

All were hacked.

Stolen : SSL root certificates

Impact: huge ! Now, can we trust Internet ?

Page 42

EVOLVING OURSELVES

Page 43

Infosec : losing grip ?

Page 44

What is wrong with Infosec ?

• What is wrong with our vision of Infosec ?

• Just about everything !

• Priorities, Standards, methodologies, technologies, skills…

• Do you agree ?

Page 45

Is PDCA obsolete ?

• PDCA (Plan, Do, Check, Act)

– Useful but slow process.

– Inadequate in our fast-moving environment

• OODA (Observe, Orient, Decide, Act)

– Military origin

– Should be used to act in faster decision-making

Page 46

Losing confidence ?

• Companies spend more and more on Infosec

• Threats are increasing drastically

Is Infosec a failure ?

Page 47

Perhaps not

• Cloud companies hire smart people – Roads and buildings

• Users are smart too, let them drive on the road – Car drivers

But training is primordial !

Be transparent – Be smart – Be visible !

Page 48

Infosec in 2.012

• Information Security… what is it really about ?

• It may be the right time to redefine what is Infosec !

• Businesses also have to refocus on their goals

Teaching and explaining Infosec to citizens, training IT professionals.

A challenge for our future, our society and our lives…

Page 49

The future of the CISO

Page 50

Thank you for your attention

Contact

Bruno.Kerouanton.net
