
Cybersecurity What you need to know


Presentation Transcript


  1. Cybersecurity What you need to know Sponsored by: PRIVATE, PROPRIETARY, LOCKED. Confidential information of Staffing Technologies.

  2. Introduction
  Presenter: Sam Bailey
  Employee and/or consultant:
  Inventor: numerous patents granted and pending (US & abroad)
  Areas of expertise: served on global standards bodies for EMV and payment security, application security, applied hacking, biometrics, mobile commerce, secure element, HCE, strategy, etc.

  3. Problem: Designed security, purchased tools, great staff, nice person, active in church; but I got hacked.
  http://www.nytimes.com/2013/12/20/technology/target-stolen-shopper-data.html?_r=0
  Am I the problem?

  4. Problem:
  • Popular technology, mass adoption - Risk Neutral
  • Business models use popular technology - Risk Averse
  Game:
  • Software and hardware have bugs - mouse finds cheese
  • Software and hardware integrity can be compromised - mouse moves cheese
  • Marketing and public relations = smoke and mirrors
  Remedy:
  • People solve problems if they have the truth about the trap (threat intelligence); the second mouse gets the cheese
  • Sources cited, examples and recommendations provided

  5. Threat Intelligence: Can you handle the truth about security?!

  6. Research – bugs monetized
  • Repair and awareness delayed
  https://www.nsslabs.com/reports/known-unknowns-0

  7. Truth about vulnerabilities: Who moved the cheese?
  https://www.nsslabs.com/reports/known-unknowns-0

  8. Problem (static = sitting duck)
  http://list.cs.northwestern.edu/mobile/droidchameleon_tifs.pdf

  9. Truth - point solutions fail against state-of-the-art “code level” attacks
  Finding 2: At least 43% of signatures are not based on code-level artifacts. That is, these are based on file names, checksums (or binary sequences) or information easily obtained by the PackageManager API.
  http://list.cs.northwestern.edu/mobile/droidchameleon_tifs.pdf

  10. IBM: Malicious code is the top incident type
  http://public.dhe.ibm.com/common/ssi/ecm/en/sew03031usen/SEW03031USEN.PDF

  11. Recap
  • Everyone gets hacked, technically or socially; get over it, fix it
  • Software and hardware have bugs
  • Cat and mouse … when discovered, when revealed, when remediated
  • Advanced attacks operate at code level
  • Static security - sitting duck for the state-of-the-art
  • Security = quality
  • Attacks transform (payload, strategy, vector, target, etc.; e.g. Stuxnet)
  • State-of-the-art code level attacks defeat point solutions. Must protect code (the asset), e.g. Target

  12. Target intel (code level attack)
  • Target made some mistakes (human)
  • Target’s defense: the dice were loaded
  • Criminals can modify trusted software (malware)
  • Hackers encrypted data and used anti-forensics techniques to hide from intrusion detection for months

  13. OpenRCE = free code-altering tools
  30,000+ users
  12,000+ Afghanistan
  One of many FREE websites and tools
  iOS, Android, ARM, Windows, Linux, etc.

  14. We pay for products
  We pay for security
  We pay for bug bounties
  Executives resign, stock and revenue drop, brand equity is degraded (e.g. Target)
  Criminals’ weapons are FREE
  Criminals go free (if in Russia)
  Dice and game loaded

  15. Code Hack – How do they do it?
  • Recon
  • Get the object, binary or executable
  • Reverse engineer – free, paid tools
  • Analyze for vulnerabilities
  • Inject vulnerability
  • Repack/Resign/Deploy

  16. How do they do it? Note: This is a very simple example to demonstrate how easy it is to use open source tools to reverse engineer code. These methods should only be used for security research and awareness. These methods should not be used for exposing intellectual property, injecting malicious code or any unethical or criminal activity.

  17. Hack Code/Malware (Android) Step 1. Develop application, App Store, Phone

  18. Hack Code/Malware (Android) Step 2. Get app from device or store

  19. Hack Code/Malware (Android) Step 3. Convert .apk to .jar using the open source, free tool dex2jar

  20. Hack Code/Malware (Android) Step 4. Read the .jar with the free jd-gui; options: inject malware, build new .apk
  https://code.google.com/p/dex2jar/wiki/ModifyApkWithDexTool

  21. Security requires new math
  Protection time ≥ Detection time + Reaction time
  Consider the effectiveness of each step based on time (reality)
  Move away from the fortress mentality
  Know and protect your assets – popular technology (apps, mobile, wearables) … no firewall

  22. Layers are important
  • Software and point solutions fail like rockets (quality)
  • Layered strategy and failover required
  • Balance security in depth & breadth

  23. Layers are important
  OSI (Open Systems Interconnection) 7 Layer Model – security SWAG
  Application (7) – Very Poor
  Presentation (6) – Poor
  Session (5) – Good
  Transport (4) – Good
  Network (3) – Good
  Data Link (2) – Very Good
  Physical (1) – Good to Poor
  http://www.escotal.com/osilayer.html

  24. Innovation
  • Mobile payment: Financial services and OEMs realize mobile platforms are risk neutral and vulnerable to attack
  • Google developed alternate technology for mobile payment security
  • Competing telecom, financial and OEM business models are driving innovation
  • Financial services are embracing a mixed strategy: smart card EMV for credit cards and non-card Host-based Card Emulation (HCE) for mobile
  • HCE side-steps telecom control of the SIM (UICC, Subscriber Identity Module)
  • UICC or HCE will drastically change cybersecurity for commerce, physical access, marketing, loyalty and computer security
  • These cybersecurity technologies are business model driven and should be tracked as a possible threat and/or opportunity

  25. Innovation: UICC versus HCE
  Mobile commerce, loyalty, authentication and building access
  Countermeasure for crypto and key exploits in mobile
  Uses JavaCard. JavaCard is used in the DOD CAC
  Data routed from NFC directly to the secure element (A) or the host CPU (B)
  A) NFC card emulation with a secure element
  B) NFC card emulation without a secure element
  Google, financial services, NFC manufacturers and an army of developers (value creation)
  Google Wallet no longer supports the Secure Element (UICC)
  Telecom and UICC/NFC chip manufacturers
  Telecoms’ partnered – ISIS Payment
  Financials shifting to HCE
  http://developer.android.com/guide/topics/connectivity/nfc/hce.html

  26. Recommendations
  • Application security is an emerging discipline; training required
  • Countermeasures can be inserted in code to harden the asset and reduce detection time to seconds, versus months for IDS, SIEM and Splunk
  • Application-level countermeasures can resist malware insertion
  • Secure SDLC required, with continuous improvement
  • Proper cryptography implementation reduces data leakage in memory, e.g. the Target memory parser
  • Advanced security practitioners must write code to compete with hackers
  • Strategy should leverage code level exploit scenarios and testing
  • Threat intelligence should include code level situational awareness
  • Education and awareness should focus on how unprotected code can leak intellectual property, keys and privacy data on app stores
  • Stop firing C-level executives; accept the truth, continuously improve
  • Balance industry best practices with innovation and a custom defense layer as backup to point solutions (harden applications, UICC or HCE for keys)
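As an added illustration of the memory-leakage recommendation above (example code written for this page, not code from the presentation or from Staffing Technologies): a memory-scraping parser of the kind used against Target reads cleartext card numbers out of process memory, so the defensive point is to keep the full PAN resident for as short a window as possible. The naive handler below leaves the PAN in a long-lived buffer; the hardened one keeps only the masked form and wipes the cleartext with a volatile loop the compiler cannot optimise away. The PAN value is constructed, and encrypting the full PAN for transport with a key held outside the process is assumed rather than shown.

```c
#include <stddef.h>
#include <string.h>

#define PAN_MAX 20

/* Wipe with volatile writes so the compiler cannot drop the clear
 * as a dead store after the buffer's last "real" use. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Long-lived buffers standing in for process memory a scraper would read. */
static char naive_buf[PAN_MAX];
static char hardened_buf[PAN_MAX];
static char masked_buf[PAN_MAX];

/* Naive handler: the cleartext PAN stays in memory after it is used. */
int naive_handle(const char *pan)
{
    strncpy(naive_buf, pan, PAN_MAX - 1);
    naive_buf[PAN_MAX - 1] = '\0';
    /* ... hand off to the payment processor here ... */
    return (int)strlen(naive_buf);
}

/* Hardened handler: keep only the masked form (first 6 / last 4) and wipe
 * the cleartext as soon as it is no longer needed. Encrypting the full PAN
 * for transport with an out-of-process key is assumed, not shown. */
int hardened_handle(const char *pan)
{
    size_t len = strlen(pan);
    if (len < 13 || len >= PAN_MAX) return -1;   /* reject malformed input */
    strncpy(hardened_buf, pan, PAN_MAX - 1);
    hardened_buf[PAN_MAX - 1] = '\0';
    /* ... hand off to the payment processor here ... */
    memcpy(masked_buf, hardened_buf, 6);
    memset(masked_buf + 6, '*', len - 10);
    memcpy(masked_buf + len - 4, hardened_buf + len - 4, 4);
    masked_buf[len] = '\0';
    secure_zero(hardened_buf, sizeof hardened_buf);
    return 0;
}

/* Scraper's view: is the full PAN still sitting in this buffer? */
int pan_resident(const char *buf, const char *pan) { return strcmp(buf, pan) == 0; }

const char *naive_view(void)    { return naive_buf; }
const char *hardened_view(void) { return hardened_buf; }
const char *masked_pan(void)    { return masked_buf; }
```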

  27. Q/A, Wrap-up, Thank You
