CYBER FUTURE: SECURITY AND PRIVACY DOOMED?

  • Published on
    29-Jun-2018

Transcript

  • CYBER FUTURE: SECURITY AND PRIVACY DOOMED?

    21 September 2017

    Rob Clyde, CISM, NACD Board Leadership Fellow
    Managing Director, Clyde Consulting LLC
    Vice-Chair, ISACA
    Executive Chair, White Cloud Security
    Executive Advisor to BullGuard and HyTrust

  • NEW MANUFACTURING COMPANIES ARE REALLY SOFTWARE COMPANIES

    "Tesla is a software company as much as it is a hardware company." Elon Musk, Tesla CEO

  • OLD MANUFACTURING COMPANIES ARE SOFTWARE COMPANIES TOO?

    "If you went to bed last night as an industrial company, you're going to wake up today as a software and analytics company." Jeff Immelt, CEO General Electric

  • SOON EVERY BUSINESS WILL BE A DIGITAL BUSINESS

    WITH SOFTWARE AT THE CORE

  • DIGITAL OUTAGES LIKE THOSE AT THE AIRLINES AND NEW YORK STOCK EXCHANGE ARE THE NEW NATURAL DISASTERS

    British Airways computer glitch causes big delays at multiple airports

  • CYBER ATTACKS HAVE MAJOR IMPACTS

    FTC Opens Probe into Equifax Data Breach

    Apache Struts flaw was known to be critical and should have been addressed, security researchers say.

    The US Federal Trade Commission (FTC) has launched a formal investigation into the massive data breach of Equifax, which yesterday confirmed its failure to address a previously disclosed Apache Struts vulnerability that was exploited in the attack.

    Meanwhile, Equifax share prices continued to plummet this week - now 35% lower than before the breach - in an ominous sign of the breach's potential financial devastation to the credit-monitoring firm.

    9/14/2017

    Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers

    Social Security numbers, birth dates, addresses and drivers license numbers exposed

    By AnnaMaria Andriotis and Ezequiel Minaya, updated Sept. 8, 2017 9:48 a.m. ET


  • CONNECTED DEVICES ON PUBLIC INTERNET


  • USING THE INTERNET OF THINGS TO SPY?

    In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment, says James Clapper, US director of national intelligence.

    Photograph: Alex Brandon/AP

  • MIGHT USE INTERNET TO SPY?

    WASHINGTON - WikiLeaks on Tuesday released thousands of documents that it said described sophisticated software tools used by the Central Intelligence Agency to break into smartphones, computers and even Internet-connected televisions.

    If the documents are authentic, as appeared likely at first review, the release would be the latest coup for the anti-secrecy organization and a serious blow to the C.I.A., which maintains its own hacking capabilities to be used for espionage.

    Source: https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html?_r=0


  • RANSOMWARE EXPLODING

    Ransomware is profitable

    PCs and Macs both attacked

    Encrypts data to deny access to data users

    Half of financially motivated malware is ransomware

    Average ransom: $300 in 2015, $1000 in 2016

    70% of enterprise victims paid

    45% of enterprise victims paid over $20K

    Defense: App whitelisting or trust lists (top defense per US-CERT)

    Use OpenDNS and similar tools

    Backups; however, cloud backups and storage are also being attacked (airgap?)

    Could ransomware be applied to IoT? Home lockout? Car lockout? Pacemaker function?

    Source: Verizon, Symantec, Lancope, IBM Security, Intel/McAfee

  • SAN FRANCISCO TRANSPORTATION HIT WITH RANSOMWARE

    City lets people ride for free until fare machines restored to service

  • RANSOMWARE OPERATORS ADOPT TYPICAL BUSINESS PRACTICES

    Technical Support

    Time Limited Offers

    Try Before You Buy

  • APP CONTROL RECOMMENDED AS #1 MITIGATION STRATEGY

    Run only known trusted apps

    The Australian Government issued mandatory application whitelisting usage requirements to protect their high value systems

  • NEXT GENERATION WHITE LISTING: TRUSTED APP TECHNOLOGY

    Run only trusted apps or scripts

    Pull rather than push trust lists to ensure updates

    Handles application updates automatically

    Allow trust of applications, application families (e.g., Microsoft Office), or software publishers

    Crowdsourcing: allow individuals and organizations to publish their own trusted app lists

    Allow organization to control which lists to use

    Source: White Cloud Security

    Experts you trust

    Apps you trust

    Software you trust
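    The trust-list model described on the ransomware defense slide and on the trusted-app slide above, as an added example (not White Cloud Security's product code): a default-deny evaluator with entries by file hash, application family, or publisher, subscribed lists the organization chooses, and a pull-based refresh that only accepts a newer version of the same list. The list layout, the Binary fields, the sample binaries and the hypothetical publisher values are all constructed here; the publisher/product fields stand in for a code-signing certificate the operating system is assumed to have verified already.

```python
"""Trust-list (application allow-list) evaluator: default deny, entries by
hash / family / publisher, pull-based refresh. Added example with constructed
data; publisher and product are assumed to come from an already verified
code-signing certificate."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    publisher: Optional[str] = None   # assumed: from a verified signing certificate
    product: Optional[str] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed stand-ins for real executables (the bytes are not real programs).
WINWORD = Binary("C:/Program Files/Microsoft Office/WINWORD.EXE", b"winword-16.0",
                 publisher="Microsoft Corporation", product="Microsoft Office")
LOB_APP = Binary("C:/Apps/lob.exe", b"lob-build-42")
TAMPERED_LOB = Binary("C:/Apps/lob.exe", b"lob-build-42+payload")   # same path, altered bytes
DOWNLOADED_JS = Binary("C:/Users/alice/Downloads/invoice.js", b"var s = ...")


def trust_list(name: str, version: int, entries: list) -> dict:
    """A trust list as an endpoint would pull it; the version drives refresh."""
    return {"name": name, "version": version, "entries": entries}


# Constructed lists: one the organization publishes itself, one crowdsourced.
CORP_LIST = trust_list("corp-baseline", 7, [
    {"kind": "hash", "sha256": LOB_APP.sha256},
])
COMMUNITY_LIST = trust_list("community-office", 3, [
    {"kind": "family", "publisher": "Microsoft Corporation", "product": "Microsoft Office"},
])


def entry_matches(entry: dict, binary: Binary) -> bool:
    kind = entry["kind"]
    if kind == "hash":        # one specific build only
        return entry["sha256"] == binary.sha256
    if kind == "family":      # every signed build of that product, so updates keep working
        return (binary.publisher, binary.product) == (entry["publisher"], entry["product"])
    if kind == "publisher":   # everything signed by that publisher
        return binary.publisher == entry["publisher"]
    return False


def decide(binary: Binary, subscribed: list) -> tuple:
    """Default deny: a binary may run only if a subscribed list trusts it.
    Returns (verdict, reason)."""
    for tl in subscribed:
        for entry in tl["entries"]:
            if entry_matches(entry, binary):
                return "allow", f"{tl['name']} v{tl['version']} ({entry['kind']} entry)"
    return "deny", "no subscribed trust list matches"


def pull_update(current: dict, fetched: dict) -> dict:
    """Pull model: the endpoint fetches its lists itself and accepts only a
    newer version of the same list, so updates are neither skipped nor rolled back."""
    if fetched["name"] != current["name"] or fetched["version"] <= current["version"]:
        return current
    return fetched


if __name__ == "__main__":
    subscribed = [CORP_LIST, COMMUNITY_LIST]
    for b in (WINWORD, LOB_APP, TAMPERED_LOB, DOWNLOADED_JS):
        print(b.path, *decide(b, subscribed))
```

    The point the slide makes about ransomware shows up in the tampered binary: it keeps the trusted path and name, but its hash no longer matches, so it is denied, while the unchanged build and the signed Office family still run.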

  • SOON EVERYTHING WILL BE CONNECTED

    https://schrier.wordpress.com/2015/05/25/the-internet-of-first-responder-things-iofrt/

  • LENOVO IOT VIDEO

  • RISK FROM CONNECTED MEDICAL DEVICES

    J&J insulin pump (Animas OneTouch Ping)

    Unencrypted command traffic

    Might receive unauthorized insulin injections

    St. Jude pacemaker

    MedSec found many vulnerabilities, including wireless master key

    MuddyWaters shorted the stock

    Bad PR

  • SMART TV SECURITY CONCERNS

    Microphone may always be on (for voice commands)

    Risk that attacker could turn on webcam

    Activity on Smart TV is tracked and may be shared with social media

    Like with smartphones, malicious apps could be downloaded

    Smart TVs in the office:

    Consider not connecting to the Internet; if you do, connect to a guest network

    Take care as to which features and apps are enabled

    Turn off or disable microphone and webcam

    If possible, lock out others from changing TV settings

  • CLOUDPETS

  • CLOUDPETS TEDDY BEAR HACKED

    Hackers hold MILLIONS of voice recordings to ransom after creepy CloudPets teddy bears leak private data of parents and children

    Leak left private messages of families exposed online for several days

    Leak also exposed 800,000 account email addresses and passwords

    The company 'Spiral Toys' has chosen not to tell affected families

    Hackers have now taken the database down and demanded a ransom of $1190 in bitcoins from parents

    By Harry Pettit For Mailonline, published: 15:34 GMT, 28 February 2017

    Source: http://www.dailymail.co.uk/sciencetech/article-4267276/Toys-leak-2MILLION-voice-recordings-kids-online.html#ixzz4a4UEaNBp

    The exposed database was easy for cyber-criminals to find using a search engine called Shodan, which is designed to find unprotected websites and databases

  • VULNERABLE SMART THERMOSTAT RISKS

    . . . The HVAC system's dormant hours, in other words when the climate control is off or in standby, would at the minimum be a security risk because they could give a potential robber the times when the home may be empty.

    An expensive problem that could be created through a thermostat hack is that malicious damage could be launched by raising temperatures too high or low. Winter-time damage could include freezing and burst water pipes.

  • CONNECTED CARS ARE AT RISK

    As the researchers stated, the remote hacks likely work on all Tesla models, but on the parked Model S P85, the researchers remotely opened the sunroof, turned on the turn signal, and changed the position of the driver's seat.

  • SOON OUR CARS WILL AUTOMATICALLY DRIVE MOST OF US

    Uber launches self-driving cars in Pittsburgh

  • THERE IS A DARK SIDE

  • INSECURE IOT DEVICES AND PRIVACY

    All too often for other pieces of major industrial machinery, the controls are sitting there in plain sight or hidden behind the most rudimentary credentials. In 2012, simply attempting to log in as root or admin, with the password being the same again, was sufficient for another group of anonymous internet explorers to gain access to over 400,000 devices. With the rise of internet-connected devices since this study was conducted, that number is likely to be far higher.

  • SHODAN.IO WEBCAM BROWSER

  • DEF CON: IOT VILLAGE

    Total of 113 vulnerabilities found in two DEF CON events

    50 different devices, 39 brand name manufacturers

    75% of tested smart locks easily compromised (attacker can open)

    Source: http://www.darkreading.com/attacks-breaches/iot-village-at-def-con-24-uncovers-extensive-security-flaws-in-connected-devices/d/d-id/1326928


  • iotscanner.bullguard.com

    100,000+ unique scans per week

    5% of scans have vulnerabilities

  • INTERNET OF THINGS: THE END OF PRIVACY?

    Introducing more private information about ourselves

    Traditional Personally Identifying Information: Date of Birth, SSN/Govt. ID Number, Credit Card Number, Name, Address, Username

    New IoT Personal Data (What? Where? When? Why?): Glucose level, Weight, Calories, GPS location, Heart rate, Sleep, Mood, Surrounding images, Driving habits, Blood pressure, Travel route, Exercise route

  • END OF PRIVACY?

    Source: ISACA 2014 Risk Reward Barometer

    The New Yorker 1993: "On the Internet, nobody knows you're a dog."

    The New Yorker 2015

    http://nyr.kr/1FSLIEY

  • IOT RECOMMENDATIONS FOR ORGANIZATIONS

    Safely embrace Internet of Things devices in the workplace to keep competitive advantage

    Require wireless IoT devices be connected through the workplace guest network or other isolated segment, rather than internal network

    Ensure all workplace devices owned by organization are updated quickly when security upgrades are released

    Scan networks for IoT devices; monitor for and block dangerous traffic to or from IoT devices

    Ensure default passwords are changed and strong

    Provide cybersecurity training for all employees to demonstrate their awareness of best practices of cybersecurity and the different types of cyberattacks

    Ensure that IT and security professionals are ISACA certified

    "56% of tested devices using OpenSSL had not been updated in over 50 months" - 2015 Cisco Annual Security Report

  • AUGMENTED REALITY DISRUPTING THE WAY WE SEE THE WORLD

    Opening up new ways of attracting customers and doing business


  • BUT THERE IS A DARK SIDE TO AUGMENTED REALITY

    Mobile apps like Layar, Wikitude World Browser, etc. show an augmented reality view using camera and geotags. Risks:

    Distracted walking and driving

    Associates social media information with location

    Shows posted, geotagged racy images and video

    Criminals use augmented reality to lure victims to location

    Gangs and terror groups virtually mark territory and targets

  • AUGMENTED REALITY OPPORTUNITY AND CHALLENGES

    Source: ISACA Risk Reward Barometer Nov. 2016

  • HYPER REALITY OPPORTUNITY AND DANGER

  • Cloud enables the digital business

  • CLOUD: ALL YOU NEED IS AN IDEA AND A CREDIT CARD

    One thing to play with it

    Another thing to depend on it

    Reintroduce control without reintroducing friction

  • WHAT LIMITS CLOUD ADOPTION?

    What factors are limiting your adoption of virtual/private, community and public clouds today?

    Encryption helps, but key management is critical

    Regulatory, sensitivity and privacy issues may require that some data is restricted to certain physical locations

    Restrict sensitive workloads (e.g., PCI) to trusted hardware and software server stack

    Only allow certain workloads to run on hardware in approved physical location

    Only allow certain workload data to be decrypted in approved physical location

    Cloud solutions require a combination of capabilities to achieve "defense in depth" and compliance readiness

  • KEY ELEMENTS: WORKLOAD, THE ATOMIC UNIT OF IT

    The workload, the new atomic unit of IT: COMPUTE | NETWORK | STORAGE

    Data: Key management, Encryption

    Management: Admin rights, Role-based access control, Secondary approval, Multi-factor authentication

    Policy: Automation for workload policy, Any cloud abstraction, Workload and asset tagging

    Infrastructure: Boundary-based policy, Tag policy, Hypervisor hardening

    Source: HyTrust
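    The boundary-based and tag-driven policy that the cloud adoption slide and the key elements slide describe (run certain workloads only on hardware in an approved physical location, decrypt their data only there), as an added example that is not HyTrust's code: workloads carry classification tags, hosts carry a location and an attestation result, and the key manager releases a workload's data key only when placement policy passes for that host. POLICIES, the hosts, the workloads, the key store and the tag names are constructed; a host's "attested" flag is assumed to come from a separate hardware and hypervisor integrity check that is not shown.

```python
"""Boundary-based workload policy with location-bound key release.
Added example with constructed data; 'attested' is assumed to be the
result of a separate hardware/hypervisor attestation step."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    location: str     # physical location label, e.g. "US-TX" (constructed)
    attested: bool    # True if the hardware/hypervisor integrity check passed (assumed)


@dataclass
class Workload:
    name: str
    tags: frozenset = field(default_factory=frozenset)


# Constructed policy: tag -> approved locations and whether attested hardware is required.
POLICIES = {
    "pci": {"locations": {"US-TX", "US-VA"}, "require_attested": True},
    "eu-personal-data": {"locations": {"EU-DE", "EU-IE"}, "require_attested": False},
}


def evaluate(workload: Workload, host: Host) -> tuple:
    """Every constraint of every tag must hold; untagged workloads are unconstrained.
    A tag with no policy fails closed (design choice of this example).
    Returns (allowed, list_of_violations)."""
    violations = []
    for tag in sorted(workload.tags):
        rule = POLICIES.get(tag)
        if rule is None:
            violations.append(f"{tag}: no policy defined for this tag")
            continue
        if host.location not in rule["locations"]:
            violations.append(f"{tag}: {host.location} is not an approved location")
        if rule["require_attested"] and not host.attested:
            violations.append(f"{tag}: host {host.name} is not attested")
    return (not violations, violations)


def release_key(workload: Workload, host: Host, key_store: dict) -> Optional[bytes]:
    """Decrypt only in an approved location: the key manager hands out the
    workload's data key only if placement policy passes for this host."""
    allowed, _ = evaluate(workload, host)
    return key_store.get(workload.name) if allowed else None


# Constructed hosts, workloads and keys.
HOSTS = {
    "tx-attested": Host("tx-attested", "US-TX", attested=True),
    "tx-plain": Host("tx-plain", "US-TX", attested=False),
    "de-plain": Host("de-plain", "EU-DE", attested=False),
}
CARDHOLDER_DB = Workload("cardholder-db", frozenset({"pci"}))
EU_CRM = Workload("eu-crm", frozenset({"eu-personal-data"}))
BUILD_RUNNER = Workload("build-runner")   # untagged: no residency or trust constraint
KEY_STORE = {"cardholder-db": b"k-pci-0001", "eu-crm": b"k-eu-0002"}


if __name__ == "__main__":
    for wl in (CARDHOLDER_DB, EU_CRM, BUILD_RUNNER):
        for host in HOSTS.values():
            allowed, why = evaluate(wl, host)
            print(f"{wl.name:14} on {host.name:12} -> {'ALLOW' if allowed else 'DENY'} {why}")
```

    Copying the PCI workload's disk to a host in the EU, or to an unattested host in Texas, yields no key at all, which is the "only decrypt in approved location" control from the slide expressed as a placement check rather than a network boundary.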

  • WORKLOAD SECURITY USE CASES

    Eliminate privileged account misuse

    Halt data breaches on clouds

    Address audit and compliance issues

    Remove costly infrastructure air gaps

    Meet data residency requirements

    Stop accidental downtime

    Source: HyTrust

  • CONSIDER ADDING SECONDARY APPROVAL CONTROLS

    Administrator request -> Secondary Approval Administrators -> Hypervisor or Cloud Control Add-on -> Virtual Infrastructure

    Operations that do not need secondary approval pass straight through

    Requests that are NOT APPROVED are blocked before they reach the virtual infrastructure

    Source: HyTrust

  • BIG DATA AND ANALYTICS APPLICATIONS

    Curing Cancer

    Reducing Energy Costs

    Predicting Weather

    Predicting Consumer Behavior

    Build Better Cars

    Security Intelligence and Fraud Detection

    100 zettabytes by 2025!

  • BIG DATA PRIVACY CONCERNS

    De-Identified Information Can Be Re-Identified: data collectors claim that the aggregated information has been de-identified; however, it is possible to re-associate anonymous data with specific individuals, especially since so much information is linked with smartphones

    Possible Deduction of Personally Identifiable Information: non-personal data could be used to make predictions of a sensitive nature, like health condition, financial status, etc.

    Data Sovereignty Issues: Many countries or regions (like the EU), may have requirements that certain personal data and the processing of that data remain in the country or region

    Right to be forgotten: Some areas like the EU have a right to be forgotten that may be challenging to implement in a Big Data environment.

    http://www.ftc.gov/public-statements/2012/03/big-data-big-issues

  • USING BIG DATA TO PREDICT CRIME

    Source: NetworkWorld, Sep 20, 2014

    Crime Hot Spots in London

    Soldiers' suicide risk predictable with Big Data, study says, Patricia Kime, Nov. 12, 2014

    What about predicting crime by particular individuals? Will we have predictive capabilities like those in the movie Minority Report, but through Big Data?


  • DARPA CYBER GRAND CHALLENGE AT DEFCON 2016

    7 teams compe...