Internet Security Past, Present, and the Future. Ehsan Foroughi M.Sc., CISSP, CISM. Information Security Triad (CIA). Integrity. Confidentiality. Availability. Security Concepts. Confidentiality Integrity Availability Authenticity Non-repudiation. Ref: Wikipedia.
Internet Security: Past, Present, and the Future
Ehsan Foroughi M.Sc., CISSP, CISM

Information Security Triad (CIA)
  • Confidentiality
  • Integrity
  • Availability

Security Concepts
  • Confidentiality
  • Integrity
  • Availability
  • Authenticity
  • Non-repudiation
Ref: Wikipedia
Cost of Cyber Crime
  • Cybercrime cost businesses in the US $8.9 B in 2012, an increase of 38% from 2010
  • On average, security breaches
    • Take 24 days to spot
    • Take 40 days to clean
    • Cost $592,000 to clean up per incident
    • Increase of 42% in cleanup cost from 2011
  • In a study of 56 organizations:
    • $8.9M in cyber security/crime cost per organization per year
    • Security tools lowered cost by $1.6M

Cost of Cyber Crime
  (Chart: Average Cost of Cyber Security Attacks Per Second By Industry)
Ref: Enlight Research

Targeted Attacks
  (Chart)
Ref: HP Ponemon Report
Incidents
  • TJX Companies: 94 Million CC exposed (2006)
  • Conficker Worm Botnet: Affected 15M systems at its peak (2008)
  • Heartland Payment Systems: 134 Million CC data lost (2008)
  • Stuxnet attack on Iran Nuclear Plants: Damage Cost ?? (2010)
  • Sony network breach of 77 M accounts, cost $171 M (2011)

Cost of Cyber Crime
  (Chart)
Ref: Businessweek

Subject Areas in Cyber Security
  • Infrastructure Security (Network / Internet Security)
  • Application Security
  • Physical Security (Environmental Security)
  • Operational and Process Security
  • Cryptography
  • e-Forensics
  • Governance & Compliance
  • Business Continuity and Disaster Recovery Planning (BCP / DRP)

Internet Security Threats
  • Malware
  • Software Bugs (Errors)
  • Vulnerability (Weakness)
  • Denial of Service
  • Insecure Design / Architecture
  • Spoofing / Phishing
Software Bugs: Buffer Overflow

  #include <string.h>

  int main() {
      char buffer[4];
      int some_variable = 1;
      ...
      strcpy(buffer, "Test");   /* "Test" plus its terminating '\0' is 5 bytes, one more than buffer holds */
      return 0;
  }

  (Diagram: T e s t \0 spilling past the four bytes of buffer)
Software Bugs: Race Condition

  def Withdraw(user, value):
      balance = AccountBalance(user)
      if balance < value:
          Exit(Error)
      balance = balance - value
      AccountBalance(user) = balance
      PayOut(value)
      Exit(Ok)

  (Animation: two concurrent Withdraw(user, $10) calls on a $100 account both read $100, both write back $90 and both pay out $10, so $20 leaves the bank while the stored balance drops by only $10.)
  Real-world example: 2003 Blackout
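The lost-update interleaving the slide animates, reproduced in Python as an added example (not code from the slides): the unsafe check-then-act withdraw beside a version that holds a lock across the read, check and write. The `Account` class, the `race` driver and the barrier used to force the interleaving are constructed for this demo.

```python
import threading


class Account:
    """Constructed in-memory account standing in for AccountBalance(user)."""

    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_unsafe(acct, value, sync):
    # Same shape as the slide: read, test and write back with no lock held.
    # `sync` pauses between the read and the write so the demo reproduces
    # the interleaving the slide animates (both callers read the old balance).
    balance = acct.balance
    sync()
    if balance < value:
        return 0                      # Exit(Error): nothing paid out
    acct.balance = balance - value
    return value                      # PayOut(value)


def withdraw_safe(acct, value, sync):
    # Hardened form: read-check-write is one atomic step under the account
    # lock, so the second caller always sees the balance the first one wrote.
    sync()                            # line the threads up before the critical section
    with acct.lock:
        balance = acct.balance
        if balance < value:
            return 0
        acct.balance = balance - value
    return value


def race(withdraw, start_balance, value):
    """Run two concurrent withdrawals; return (final balance, total paid out)."""
    acct = Account(start_balance)
    barrier = threading.Barrier(2, timeout=5)   # both threads wait here once
    paid = []
    workers = [threading.Thread(target=lambda: paid.append(withdraw(acct, value, barrier.wait)))
               for _ in range(2)]
    for t in workers:
        t.start()
    for t in workers:
        t.join()
    return acct.balance, sum(paid)


if __name__ == "__main__":
    print("unsafe:", race(withdraw_unsafe, 100, 10))   # $20 paid, balance only drops $10
    print("safe:  ", race(withdraw_safe, 100, 10))     # $20 paid, balance drops $20
```

With a $15 balance the unsafe version pays out $20 and leaves $5, while the locked version pays the first caller and rejects the second.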
Malware
  • Trojan Horses
  • Viruses
  • Worms
  • Rootkits
  • Botnets
  • Spyware

Malware: Goals
  • Sending Spam Email
  • Stealing Passwords and Information
  • Using Resources

Malware: Transfer Mediums
  • Email
  • USB Disk
  • Shared Network Drives
  • Pop-ups and download links
  • Insecure Network

Denial of Service
  • Distributed Denial of Service Attack
  • Grudge factor
  • Oct 2012 attack on banks by Izz ad-Din al-Qassam hackers
    • Capital One
    • HSBC
    • SunTrust
  • Anonymous group crippled Visa, MasterCard, PayPal over WikiLeaks
Spoofing Example: Email

  import smtplib
  from email.mime.text import MIMEText

  s = smtplib.SMTP('localhost')
  msg = MIMEText('Hello from Microsoft.')
  msg['Subject'] = 'This is a test'
  msg['From'] = 'bill.gates@microsoft.com'   # forged sender: plain SMTP does not verify this header
  msg['To'] = 'ehsanf@gmail.com'
  ret = s.sendmail(msg['From'], [msg['To']], msg.as_string())
  s.close()
Security Tools: Cryptography
  • NPIBOEFT
  (Animation: each letter shifted back by one: N P I B O E F T -> M O H A N D E S)
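The slide's animation is a shift-by-one (Caesar) cipher. As an added example, not from the slides, here is that shift in Python together with the brute force that recovers the plaintext without knowing the key; with only 25 possible keys the cipher offers no confidentiality at all.

```python
import string

ALPHABET = string.ascii_uppercase


def shift(text, k):
    """Shift every letter of `text` by k positions (k may be negative); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext):
    """Try every key 1..25 and return {key: candidate plaintext}."""
    return {k: shift(ciphertext, -k) for k in range(1, 26)}


CIPHERTEXT = "NPIBOEFT"   # the ciphertext shown on the slide

if __name__ == "__main__":
    for key, candidate in brute_force(CIPHERTEXT).items():
        print(f"key {key:2d}: {candidate}")   # key 1 yields MOHANDES
```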
Cryptography
  • Confidentiality
  • Integrity
  • Authenticity
  (Diagram: Alice, Bob, Charlie)

Symmetric Key Cryptography
  • Shared Secret
  • Encryption Only
  • Usages:
    • Password Protected Zip Files
    • WEP-Shared (WiFi)
    • SSL / HTTPS
  (Diagram: encrypted bit stream, A -> B)

Public Key Cryptography
  (Diagram)
Ref: Wikipedia

Public Key Cryptography
  • Encryption
  • Authenticity (Signing)
  • Usages:
    • Email Validation (PGP)
    • Authentication / Login
    • Banking
Tools for Personal Security
  • Antivirus replacement: Microsoft Malicious Software Removal Tool
  • Malware Removal: Malwarebytes
  • Browsers:
    • Use Chrome
    • Stay away from Internet Explorer
  • Email Security: Web-mails such as Gmail
  • Password Management: PasswordSafe, LastPass, etc.

Compliance
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Liability!
  • Privacy Laws: Canada Privacy Act 1983
  • ISO 27001: Information Security Management Systems

Associations - (ISC)²
  • International Information Systems Security Certification Consortium - (ISC)²
  • Non-profit (since 1989)
  • Focused on IT Security
  • 90,000 Members
  • Certified Information Systems Security Professional (CISSP)
  • Certified Secure Software Lifecycle Professional (CSSLP)
  • CISSP: US DoD and NSA requirement

Associations - ISACA
  • Information Systems Audit and Control Association (previously)
  • Non-profit (since 1967)
  • Focused on IT Governance and Audit
  • 95,000 Members
  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Continuing Education Point system, called CPE

Associations - OWASP
  • Open Web Application Security Project (OWASP)
  • Non-profit
  • Open source
  • Focused on Securing the Web