Being a CISO in 2.012 ? You better wake up !
Digital Trust Protecting information in a connected world
13.03.2012, Geneva
Bruno Kerouanton Infosec expert, CISSP, MS
CISO – Republic and Canton of Jura
SO, WHAT IS GOING ON ?
©2012 bruno.kerouanton.net
Fundamental questions
• Where is my data ?
• How do I access it ?
• Who can access it ?
• What is my data ?
• When will be the next infowar ?
Mobility
Social Cloud
2.012 IT trends
Fundamental questions
• Where is my data ? – In the Cloud ?
• How do I access it ? – Using Mobility, BYOD ?
• Who can access it ? – Social media users ?
• What is my data ? – Amongst Big data ?
• When will be the next infowar ? – Already started ?
ACCESSING DATA
2.012, the post-PC era?
Evolution keeps going
From notepad…
…to tablet
Around 10’000 iPhones and 5’000 iPads built, then sold, per hour !!!
The new workplace
• Work anywhere, anytime from any device
• Bring your own device → Use your own device
BYOD vs UYOD
• Bring your own device ?
– At the office
• Use your own device !
– Everywhere
CISOs have new challenges to deal with…
The rise of Apple in enterprise
• This is a fact (Gartner)
• Total cost (TCO) much higher than expected. eg: MsOffice
• Apple stays an end-user focused company – No long-term support, incl. Patches
– Non-negotiable warranty
– Some features not available for business
iPad, Android : who is the owner ?
• Users buy iPads and Androids, but technically don’t own those devices.
• Apple and Google lock everything, from the OS to the apps.
Better security… by obscurity ?
Your company is still blind !
In short
• People will not only tend to bring their own devices at the office,
• But also want to use the same system for everything, everywhere…
• A system that IT doesn’t control anymore !
Be prepared.
STORING DATA
In 2.012, where is my data ?
Apple iCloud
Amazon S3/EC2
Microsoft Azure
Huge data monsters centers !
Everything is there… just hoping Infosec is adequate !
Prefab datacenters : scalability
More innovation in the last 5 years than in the previous 15
Each week, Amazon adds 5 times the capacity it had in 2000 !
Datacenters are built with modular systems
Amazon Perdrix
Microsoft Azure ITPAC
IT security in a cloud context
Amazon EC2 Elastic Compute Cloud Public IP Ranges – Feb 3, 2012
Dear Amazon EC2 customer, we are pleased to announce that as part of our ongoing expansion, we have added new public IP ranges. The current Amazon EC2 public address ranges are:
Sincerely,
The Amazon EC2 Team
SwissTopo, a good example
Does that mean decreased Infosec ?
Cloud IT risks
• The Cloud itself may be secure (I tend to believe so)
• But is your Internet resilient ?
• Are your IT processes able to run *without* Internet ? (in case of DDoS, or… cyberwar !)
Just think about it when doing your security assessment
Where is REALLY your data ?
Sharepoint/corporate portals are often too restrictive and complex to use.
So your data is getting out of control
• Users tend to copy/paste data to more convenient media (Dropbox …)
Data Leak Prevention (DLP) is a myth…
EVOLVING THREATS
Part 1
And Infosec ???
Everything mixes-up
Is Privacy already a lost battle ?
Is it
• A security issue ?
• legal ?
• Society ?
2.012, rise of the Hacktivists
• Offers a brand name for coordination
• Offers attack tools and tutorials
• Societal and political motivations
• Motivated youngsters, but often not informed
• «Anarchic» methods
• Rarely oversee the long-term effects…
Wikileaks and others
• Wikileaks publishes «censored» information
– Contributions by individuals, or by Anonymous
– They claim freedom of speech,
– But forget that some info can harm if released
• State security,
• Personal data,…
eg: HBGary private messages.
Although such disclosures cannot be avoided, it is wise to publish before they do it. Be transparent !
An information war is currently going on
Impact of the economic crisis
Unemployment rising → rise of potential attackers
Mafias already know that, and hire attackers and mules in low-cost countries.
Eg: training lessons for future botnet managers !
Mafias didn’t wait to extend their criminal businesses on Internet, Facebook and others…
And Cybercrime
• «Rent-a-Botnet» ! (using Amazon EC2)
– Zeus, Aurora, Torpig...
• Infect PCs and mobiles, send spam
• Steal data, impersonate websites…
In 2.012, nothing changes about methods, goals and techniques.
The rise of iPads and other Android smartphones
tends to slow down the issue a bit
A word about the Dark Web
Also known as «Deep web», «Invisible web»
• Not indexed by search engines
• Not accessible by normal means (Proxy, TOR)
• Virtually uncontrollable, resilient and anonymous
• Contains illegal stuff – Child pornography, arms, drugs websites,…
• Virtual currency (Bitcoin) for transactions
A «safe place» for Mafias and cyber-activists…
A proof that they learn new technologies faster than us…
Cyberwar 2.012
More and more countries are building a military national Cyberdefense strategy. Some of them are also expanding their Cybercommando and Attack teams
States are preparing for computer attacks and counter-attacks. The «Stuxnet» case ?
Will cyber-dissuasion replace nuclear dissuasion ?
National Cyber security Strategies
• France, Germany, Holland, UK, Switzerland
– Now have official cyberdefense strategies
Not counting USA, China !
Seen as important as nuclear defense
EVOLVING TECHNOLOGIES
End-user vulns
Most patched apps :
• Oracle Java
• Adobe Flash
• Adobe Acrobat
• Sysadmins spend a lot of time patching systems…
• App-Stores don’t seem to solve the problem
• We will have to deal with that for a long time !
The two-dot-zero-twelve Era
HTML 5
Ruby on Rails
Web Services
Social media
Most companies still aren’t ready yet…
What is HTML 5 and why should you care ?
Dynamic contents
«Super cookies»
Embed rich contents
Javascript powered
Deploying DNSSEC
• Internet-dependent business
• Cloud computing
All rely on DNS and SSL
Securing DNS is necessary
In progress, but far from achievement,
And… DNSSEC relies on SSL
SSL Certificate theft…
2.011, the black year for SSL registrars
• DigiNotar, Comodo, RSA
All were hacked.
Stolen : SSL root certificates
Impact: huge ! Now, can we trust Internet ?
EVOLVING OURSELVES
Infosec : losing grip ?
What is wrong with Infosec ?
• What is wrong with our vision of Infosec ?
• Just about everything !
• Priorities, Standards, methodologies, technologies, skills…
• Do you agree ?
Is PDCA obsolete ?
• PDCA (Plan, Do, Check, Act)
– Useful but slow process.
– Inadequate in our fast-moving environment
• OODA (Observe, Orient, Decide, Act)
– Military origin
– Should be used to act in faster decision-making
Losing confidence ?
• Companies spend more and more on Infosec
• Threats are increasing drastically
Is Infosec a failure ?
Perhaps not
• Cloud companies hire smart people – Roads and buildings
• Users are smart too, let them drive on the road – Car drivers
But training is essential !
Be transparent – Be smart – Be visible !
Infosec in 2.012
• Information Security… what is it really about ?
• It may be the right time to redefine what is Infosec !
• Businesses also have to refocus on their goals
Teaching and explaining Infosec to citizens, Training IT professionals.
A challenge for our future, our society and our lives…
The future of the CISO
Thank you for your attention
Contact
Bruno.Kerouanton.net