CybSec-101

Introduction to Cyber Security

Tommi Rintala, Delektre Ltd.

17-18 Aug, 2015

Delektre Oy

● Product design and development

– Health

– Energy

– Transport

● Keywords:

– Modular design

– Usability

– Security

Tommi Rintala, CV

● MsEcon, Bachelor of Science

● Software industry

● System admin

– Unix, Linux, Windows, MacOS

● Networking

– Network administration

– Firewalls, internetworking, mobile networks

● Research

Course Structure

(Diagram from the slide: Day 0: Pre-Study, followed by Day 1, Day 2 and Day 3; the axis is labelled ”Technical Details”)

Day 0: Pre-study

● Monitoring Security in Cloud Environments

– Change of mental attitude

● Metrics That Work: Practical Cyber-Security Risk Measurements

– Gathering data

● Building a Security Analysis Initiative

– Analysis

Day 1: Waking the Awareness

● Big picture, general info: ”Why should we be concerned about security?”

● Examples

● What is Cyber Security?

● Cloud & IoT; ”What should we know?”

● Policy related issues

● Social Hacking; ”How is it done?”

Day 2: Technical Issues

● Points of attack, including methods and tools

● Protecting yourself, your organisation and its practices

● Public key exchange; IPSec & Co

● Demos

Day 3: Audit and Standards

● KATAKRI (Kansallinen Tietoturvakriteeristö); what it is, and why should we know about it?

● BSI (Bundesamt für Sicherheit in der Informationstechnik) Standards

– Information Security Management Systems (100-1)

– IT-Grundschutz Methodology (100-2)

– Risk Analysis Based on IT-Grundschutz (100-3)

– Business Continuity Management (100-4)

Motivation & Background

● In this course the following keywords occur:

– (data) Integrity

● Accuracy and consistency of data

– Identification

● Of a person, resource, or other party

– Digital signatures

– Authenticated encryption (AE)

Scope of this course

● This course is about

– Motivation towards secure thinking

– Basics everybody should know

– A ”meta framework” for how to think

● This course is not about

– Algorithm analysis

– Complexity analysis

– Deep weakness analysis


Motto

If you know the enemy and know yourself you need not fear the results of a hundred battles

[Sun Tzu]

Big Picture

Complexity of Devices, Services, Roles and (Business) Models:

(Word cloud from the slide: Facebook, BYOD, URL, HTTP, Microsoft, Linux, Twitter, Verisign, JavaScript, VPN, Client / Server, UML, Programming, Android, iPhone 7, PHP, OOP, Postscript, Corba, Perl, High Performance Computing, AutoCad, Java, Electronics)

It's a complicated world, but

● When you take a new device into use, do you read:

– User manuals

– License terms

– Copyright notices

● In your mobile phone package, these amount to several hundred A4 pages of text....

I give you more reasons to hate me

● If you build a wall around your house:

– You think like a mason

– You want your wall to be complete

– You fix all the small holes

● The criminals think otherwise:

– They want to know how to go over, under, or find an out-of-the-box way to get past your defence

– They call the fire department to tear down your wall and work with what remains....


Headlines from my ”network”

● Attackers use Google Drive, Dropbox to breach companies

● Hacking Team's RCS Android: The most sophisticated Android Malware ever exposed [Remote Control System Android]

● Corporate Networks can be compromised via Windows Updates

● NIST releases SHA-3 Cryptographic hash standard

Attackers use Google Drive, Dropbox to breach companies

● Man in the Cloud attack

● No account username or password required

● No user interaction required (click etc.)

● Based on the sync protocol

– Very hard to detect / protect from

● http://www.net-security.org/secworld.php?id=18719

Hacking Team's RCS Android: The most sophisticated Android malware ever exposed

● Delivered as a fake app in Google Play, by SMS, or by email message (URL link)

● Root privileges; shell backdoors, RCS

– Screenshots, photos, microphone, capture voice calls, record location, capture WiFi, capture online-account passwords, contacts, decode IM messages, SMS, MMS, email messages, …

● Removal protection

● http://www.net-security.org/malware_news.php?id=3080

Corporate networks can be compromised via Windows Updates

● Based on insecurely configured WSUS (Windows Server Update Services)

● Windows default is to use WSUS via HTTP (not HTTPS)

● Malicious third-party (USB) driver injection

● How about a (security-)weak driver for device X?

● http://www.net-security.org/secworld.php?id=18725

NIST releases SHA-3 cryptographic hash standard

● Next generation tool for securing the integrity of electronic information

● Released on August 6th 2015; it was developed for nine years!!

● Developed using a public competition

● Does not replace SHA-2, but…

● http://www.net-security.org/secworld.php?id=18720

Examples of Attacks

● Russian Trolls Factory

● ”Chinese” Espionage Cases

● Automobile Hacks:

– RollJam (Kamkar@DefCon $32,00)

– Controlled (Toyota, Chrysler, Ford)

– …

● Automation system hacks

– ….

History – don't ignore it

● It is a very rare thing – in the IT world – that you are the target of a totally new attack

● Hence, know your history:

– The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll (1989).

Things to avoid

● Password helpers (programs which remember your passwords)

● Opening links from phone/email programs

● Opening attachments without running them through virus scanners

● Playing ”free” games → Ads

● Is it worth being involved in participation programs?

Security Attack Types

● Viruses and Worms

● Trojans and other security threats

● Network Attacks

– Social engineering, Phishing attacks, Social Phishing, Spear Phishing Attack, Watering Hole Attacks, Whaling, Voice Phishing, Port Scanning, Spoofing, Network sniffing, Denial-of-Service and DDoS, ICMP flood (ping), Ping of death, Ping Smurf, SYN Flood, Buffer Overflow, Botnet

Security Attack Positions

● Client-directed spoofing, spying, recording

● Man in the middle

● How to analyse the rest?

Data

● What is the core (valuable) data:

– That you work with

– That belongs to your organisation

● What creates the value of your data?

● Can you (or your organisation) filter out some of the valuable data? (see next slide)

(Diagram from the slide: data classes – Sensitive data, Publicly available data, Restricted accessibility)

Things to DO

● Update your phone, laptop and tablet according to the policy of your organisation

● Install virus scanners on phones, tablets and all other devices

● Separate your ”working” and ”home” profiles

Cyber Security

● Cyber Security is a broad subject:

– Computers & other devices; networks; humans

– Interaction between these

● Handling, transfer and storage of data (created or collected)

● Covers topics from terrorism and crime to a user being outside their comfort zone

Motivation

● Somebody wants your:

– Money

– Resources (CPU cycles), because they are just as valuable

– Images, contacts, accounts, passwords; since they can be turned into resources or money

– Identification; which can be put together from the above information and is valuable to someone.

Cyber Security (2)

● How can we ”fix” this:

– In Sweden (2014), the local police gave a warning about crime leagues who observe people in the parking area of a mall. When a ”suitable” victim arrives, the criminals fetch the address from a (public) web service and rob the house during the shopping trip.

OpenStack Cloud Sec Architecture

(Architecture diagram from the slide. Components: Glance (API, registry, store adapter), Nova (API, scheduler, queue, compute clusters with instances), Swift (object store, storage, swift database), Cinder, Keystone, Quantum, Horizon. Network zones: the Internet behind a public switch; a demilitarized zone with bastion host, proxy, application firewall and bastion switch; private switches, a management / threat segment and a private IP virtual network. Legend: administrative connections use SSH; inter-component connections use SSL/TLS.)

Cloud and IoT

● Why is the cloud growing?

– Business case: it is (relatively) cheap to offer a cloud service, compared to testing functionality with several different configurations. The cloud requires only one API!!

– Good practices in API design make services easy to approach.

– Users find it good: data roams to every device and every (physical) location

What is IoT?

● Internet of Things

– Connect all devices to the internet

– Easy connectivity; easy-to-use kits

– More data on networks

● Internet of Worms?

Home Automation Example

● Measure: room temperatures, electricity consumption, CO2, CO, outside temperature, water consumption, moisture

● Control lights, doors, AC

● Security devices (cameras, movement detectors, IR, ...)

● IoT system vs. ”own custom solution”

● Monitoring vs. Control

● What is the CORE data?

What to think about ahead of time?

● Ownership of data (created or gathered)?

● Life-time of data

● To whom is the data released?

● Authentication to cloud/web services?

● Authorization for data access

● The actions to perform when the ”project” ends

Future predictions

● New services and business models will arise

● The number of items measured will increase and more data will be available

● New possibilities for illegal activities will arise

● Being active allows one to choose the direction one is going

Policies

● While we walk our digital footpath, we are governed by policies:

– Finnish law

– Funet Networking Policy

– VAMK Computer Policy

– Social code of conduct

Social Engineering

● No matter your security equipment and procedures, the most easily exploitable aspect is the human infrastructure

● Social engineering is about:

– Information gathering

– Mixing several techniques and models

– Creating trust

– Control

Social Engineering (2)

● In advance, you should think about:

– What you can talk about

– What you cannot talk about

– To whom you can talk

– Where you can talk

Communication Theory

Shannon-Weaver (1947)

(Diagram from the slide: Information Source → Transmitter → Channel → Receiver → Destination; Noise enters at the Channel; Signal IN and Signal OUT are marked on either side of the channel)

Communication Problems

● Technical problem – How accurately the message is transmitted

● Semantic problem – How precisely the meaning is conveyed

● Effectiveness problem – How effectively the received message affects behaviour at the destination

Shannon-Weaver (1947)

Secure Communication in Nutshell

(Diagram from the slide: Data → CRC / HASH → Encryption with Key → Communication → Decryption with Key2 → Data → CRC / HASH; a Key Exchange step links the two keys. The original numbers the stages (1) to (6).)

Problems in Communication

● Identification of sender/receiver

– Authentication of recipients

– Trust of identification validity

● Integrity of data (message)

● Key exchange

● Trust of communication channel

● Using point-to-point encryption

● MAC / hash

● Outsourcing trust to a 3rd party

● Anonymous / public services

● Using several methods for authentication
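The ”Secure Communication in Nutshell” diagram and the key exchange, integrity (MAC / hash) and point-to-point encryption items above, as an added runnable example that is not part of the original slides: two parties agree on a secret with a toy Diffie-Hellman exchange, derive separate encryption and MAC keys from it, encrypt-then-MAC the message, and the receiver rejects a ciphertext altered in transit before decrypting anything. The group parameters, the HMAC-based keystream and all function names are constructed for illustration; real systems use standardised groups and a vetted AEAD cipher.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman parameters (a 127-bit Mersenne prime); far too
# small for real use, where standardised 2048-bit or elliptic-curve groups apply.
P = 2**127 - 1
G = 5

def dh_keypair():  # key exchange step: private exponent and public value g^priv mod p
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):  # both sides reach the same 16-byte secret
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def derive_keys(shared):  # separate keys for encryption (Key) and integrity (MAC / hash)
    return hashlib.sha256(b"enc" + shared).digest(), hashlib.sha256(b"mac" + shared).digest()

def keystream(enc_key, nonce, length):
    """HMAC in counter mode as a stand-in for a real stream cipher (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(enc_key, mac_key, data):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag over nonce and ciphertext."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob):
    """Verify the tag first (constant-time); None on tampering, else the plaintext."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def exchange(message, tamper=False):
    """Full round trip between two parties; optionally flip one ciphertext bit in transit."""
    (a_priv, a_pub), (b_priv, b_pub) = dh_keypair(), dh_keypair()
    sender_keys = derive_keys(dh_shared(a_priv, b_pub))
    receiver_keys = derive_keys(dh_shared(b_priv, a_pub))
    blob = seal(*sender_keys, message)
    if tamper:
        blob = blob[:12] + bytes([blob[12] ^ 0x01]) + blob[13:]
    return open_sealed(*receiver_keys, blob)
```

A single flipped bit in the ciphertext makes `exchange(..., tamper=True)` return None, which is the CRC / HASH check of the diagram catching the modification before any decrypted data is trusted.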

HTTP(S)

● Certificate:

– Hierarchy of certificates!!

– Client/Server certificate

– Issued To

– Issued By

– Period of Validity

– Fingerprints

HTTPS Communication

(Sequence diagram from the slide, with participants Keystore, Browser, DNS Server and Issuer: Name resolution → Enc Get / → Encrypted result → Get client certificate → Server Certificates → Enc Get /image.png → Encrypted result)

Thought to end day 1

● It is not possible to protect yourself from all possible attacks, however...

… it is generally known that if you are not the easiest prey, you can avoid a lot of havoc.

More information

● www.imperva.com

● www.net-security.com

● www.viestintavirasto.fi/kyberturvallisuus.html

● Social Engineering – The Art of Human Hacking by Christopher Hadnagy (2011)

● Cyber 24-7: Risks, leadership and sharing: sound advice for board members, the C-suite and non-technical executives by Peter Odell