ACS Talk (Melbourne) - The future of security

Australian Computer Society - Victoria - SIG Information Security, 29th April, 2013 - Talk - The future of Security - Matt Warren.

1/05/2013

ACS VICTORIAN SIG – INFORMATION SECURITY

THE FUTURE OF SECURITY

Professor Matt Warren,

School of Information Systems, Deakin University

www.mjwarren.com

A view of the future

• Microsoft’s view of the future.

http://www.youtube.com/watch?v=peSYlJlg14E

• What will be the security implications?

CIA Triangle

• Initial security concept developed with the introduction of the mainframe.

• C.I.A. triangle was standard based on confidentiality, integrity, and availability.

Comments from History

• Computer abuse – where a victim suffered, or could have suffered, a loss and a perpetrator made, or could have made a gain.

• Don Parker 1983 – Fighting Computer Crime

AusCert 2012

• Over 90% of respondents deployed firewalls, anti-spam filters and anti-virus software.

• Two-thirds of respondents had documented incident management plans, however only 12% had a forensic plan.

• Over 20% of organisations know they experienced a cyber incident in the previous 12 months, with 20% of these organisations experiencing more than 10 incidents.

AusCert 2012

• Of the organisations which know they experienced cyber incidents:

17% suffered from loss of confidential or proprietary information, 16% encountered a denial-of-service attack, and 10% financial fraud.

AusCert 2012

• The most common responses as to why incidents were successful were that attackers used powerful automated attack tools, or exploited unpatched or unprotected software vulnerabilities or misconfigured operating systems, applications or network devices.

Security Link to the Past

• Authentication – we are still using security features from the 80’s.

• User name and password.

We are dealing with the consequences

Associated Press – Twitter hacking

We are dealing with the consequences

• One tweet.

• For a moment in time, $US136.5 billion was lost from the S&P 500 index's value. A quick recovery followed once the hoax was identified.

We are dealing with the consequences

• Syrian Electronic Army blamed for the incident.

• Phishing attack on journalists (from a number of media organisations).

• One username and password for the AP Twitter account – shared with many users.

The response

• Twitter's response.

• Considering two-test verification:

• 1) User name & Password

• 2) SMS code or secret code.

Issue – usability.

Next Generation

• What does the future offer from a security perspective?

• Let's look into the future.

CIA Triangle – still relevant

The following trends

• The following themes and trends are based on a proposed CRC looking at Cyber Security in an Australian context.

Ultra Speed Networks and Defence

Faster networks allow faster access and data transfer rates. But faster networks also allow faster DDoS attacks, faster spread of malware and real-time impacts.

New approaches to intrusion detection and response are needed to address highly increased transmission speeds and diversity of devices prevalent in cyberspace today and in the future.

Ultra Speed Networks and Defence

Cyber protection systems will need innovative techniques and technologies to detect intrusions as perpetrators operate across an increasingly complex milieu of threat vectors.

Resilient Systems

With a society increasingly reliant on internet connectivity recovery from any form of attack.

To protect societal, organisational and individual interests, more robust and resilient primary systems in the cyber infrastructure are needed.

Resilient Systems

Solutions will require systems to be self-aware and self-repairing, and a composite approach where systems combine to produce an overall architecture stronger than its component parts.

Current focus of the Australian government.

Wireless, Mobile, Cloud

Wireless and mobile networks, and cloud computing all impact how and where we store and access our data.

Individuals using an array of personal devices for workplace activity create an incredibly complex environment for managing and using commercially sensitive data to meet organisational outcomes.

Trends – Australian 28th March, 2013

• Sales of tablet computers will surpass sales of both desktop and portable PCs by 2014.

• A report by the research firm IDC said worldwide shipments of these devices -- personal computers, tablets and smartphones -- grew 29.1 per cent in 2012 to 1.2 billion units with a value of $US576.9 billion.

• The expansion was largely driven by 78.4 per cent growth in tablet shipments, which hit 128 million in 2012.

Trends - Australian 11th April, 2013

• Decline in PC sales – Windows 8 - First-quarter shipments of PCs fell 14 per cent from the same time last year, according to International Data Corp.

• That's the deepest quarterly drop since the firm started tracking the industry in 1994.

Trends

• Decline in traditional technologies – alternative technologies – e.g. Chromebook, Ubuntu, Apple. Unknown security issues?

• Decline in traditional computers and replacement by alternative devices, e.g. security issues of Android - two to nine million total downloads of affected malware apps (bad news) from Google Play.

IPv6 and the Internet of Things

IPv6 presents significant opportunities for the expansion of the Internet and services, truly allowing “things” to be connected. IPv4 has approximately 4.2 billion unique addresses, but once IPv6 is fully adopted there will be approximately 1000 IP addresses for every square metre of the Earth’s surface.

Forensics issues – since in theory every transaction could have an allocated IP address.

Many new types of IP connected devices.

Other Considerations

• Complexity – the complexity of technologies, complexity of systems, complexity of security risks.

• Cyber espionage / Cyber warfare.

• Harder to implement effective information security management.

Other Considerations

• Tools needed – as the complexity of security develops, so does the need to develop new software tools to manage the complexity.

• Who has responsibility for security – is it governments, corporations or individuals?

Increased Attack Vectors

• Malware – increased sophistication of malware, e.g. Stuxnet;

• Linked to other attack vectors – social engineering;

• Malware for all devices.

Massive impacts of attacks

• Attacks will impact millions and billions of users. Attacks could cause global impacts.

• We are already seeing this with the impacts of social networking attacks. Security failures will have big impacts.

Online Identity

• The importance of our online identity / online brand.

• Identity theft will become a greater issue.

• Google is preparing for all aspects of the lifecycle including the afterlife.

Google Afterlife

• Google - ‘Inactive Account’ settings page, which allows a Google user to clarify what they want done with their YouTube, Gmail, and Google+ accounts after they die or are otherwise unable to use their account.

• Google users can choose to have their data deleted after three, six, or twelve months of inactivity or can share their data with friends or relatives.

Google Afterlife

Complexity of attacks

• How to deal with complex security attacks?

• Social aspects of attacks – extension of phishing attacks.

• How to plan for complex attacks – will security risk analysis have a future?

• The role of government in protecting against attacks?

Hacktivism

• In the broadest terms it is the use of technology as a means of protest to promote political ends. The aims of the protest would depend upon the group;

• Small groups have the power to cause major impacts (real and media reported) based upon their activities.

Anonymous

Ethical issues - Data Ownership

• Data Owner: responsible for the security and use of a particular set of information.

• Data Custodian: responsible for storage, maintenance, and protection of information.

• Data Users: end users who work with information to perform their daily jobs supporting the mission of the organisation.

Auscert Survey (2012)

• Responses indicated that 65% of participating organisations had IT security staff with tertiary level IT qualifications.

• More than 50% of participating organisations had IT security staff with some type of vendor based IT certifications.

• Almost 35% of participating organisations had IT security staff with no formal training, although most of these staff had more than five years working in the IT security industry.

Auscert Survey (2012)

• These findings indicate that some organisations may need to improve the skill set of their IT security staff.

• This was supported by the additional finding that 55% of respondents thought their organisation needs to do more to ensure their IT security staff have an appropriate level of qualification, training, experience and awareness.

Professional Aspects

• Greater focus on quality security qualifications / academic and professional.

• International aspects of Security Professional development, accreditation.

• Security qualifications in all aspects of security.

Professional Aspects

• The professional nature / needs and development of security professionals.

• A greater global demand for security professionals and a greater demand for all roles to have a security component.

Human Elements

• Cyber Safety – becomes important for entire populations.

• The professional nature of security needs the development of IT and business professionals.

Current Views of Cyber Security

• Official Government Viewpoint.

http://www.youtube.com/watch?v=UIIY9AQSqbY

• Governments are taking cyber security seriously now; what will happen in the future?

Conclusion

• What have we learned from the past?

• What will the future bring from a security perspective?

• The world will become smaller as technology transforms society. Security will become an even greater issue.

Thank You

For Your Time