Supporting slides used by Mr Enrico Branca at the Security Tuesday of 19 November 2013: "Celui qui part à la chasse"
Security Tuesday
"Celui qui part à la chasse"
19 November 2013
Enrico Branca
Definition
"the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used
regardless of the form the data may take (electronic, physical, etc...) "
(http://en.wikipedia.org/wiki/Information_security)
"Safe-guarding an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity."
(http://www.businessdictionary.com/definition/information-security.html)
Information Security
Combining basic principles of information security:
1) You cannot secure what you cannot manage
2) You cannot manage what you cannot measure
3) You cannot measure what you are not aware of
WITH MONEY
4) You cannot monetize what you are not even aware exists
NEW TASK: “Measure” information security in order to sell it
Information Security
Definition of 'Quantitative Analysis'
A business or financial analysis technique that seeks to understand behavior by using complex mathematical and statistical modeling, measurement and research.
By assigning a numerical value to variables, quantitative analysts try to replicate reality mathematically.
(http://www.investopedia.com/terms/q/quantitativeanalysis.asp)
Quantitative research
"The objective of quantitative research is to develop and employ mathematical models, theories and/or hypotheses pertaining to phenomena. The process of
measurement is central to quantitative research because it provides the fundamental connection between empirical observation and mathematical
expression of quantitative relationships. Quantitative data is any data that is in numerical form such as statistics, percentages, etc."
(http://en.wikipedia.org/wiki/Quantitative_research)
Quantitative Information Security
-- 1998 --
“Quantitative Evaluation of Information System Security”
(http://homepages.laas.fr/deswarte/Publications/98107.pdf)
-- 2004 --
"Computer Security Strength & Risk: A Quantitative Approach"
(http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.9.5276&rep=rep1&type=pdf)
-- 2009 --
"Computer Safety, Reliability, and Security"
(28th International Conference, SAFECOMP 2009, ISBN 978-3-642-04468-7)
-- 2012 --
"Towards quantitative measures of Information Security: A Cloud Computing case study"
(sdiwc.net/digital-library/web-admin/upload-pdf/00000315.pdf)
-- 2013 --
"A QUANTITATIVE, EXPERIMENTAL APPROACH TO MEASURING PROCESSOR SIDE-CHANNEL SECURITY"
(http://www.cs.columbia.edu/~jdd/papers/micro13_svf.pdf)
Quantitative Information Security
Google Search Trends
"...vocabulary evolved also, shifting from ‘economic war’, ‘competitive intelligence’ and ‘economic watch’ only, to ‘economic intelligence’, which aims to encompass all aspects of the globalised risks and opportunities and that is based on an upstream understanding and a multidisciplinary approach of the threats that need to be addressed."
"Today, economic intelligence is recognised as a professional tool for strategy and management for States and companies in the globalised world. Its implementation is
based on three main pillars:
(1) The mastering of strategic information
(2) Economic security, which is defensive and directed at protecting economic assets
(3) Influence –active or offensive–, be at the cutting edge for seeking opportunities and innovation and to be able to act on one’s environment (regulations, norms, image…) and not only be passively dependent on it
(http://www.realinstitutoelcano.org/wps/portal/rielcano_eng/Content?WCM_GLOBAL_CONTEXT=/elcano/elcano_in/zonas_in/defense+security/ari134-2010)
Economic Intelligence (English)
« Competitive advantage of economic intelligence »
• detect what can give the company a competitive advantage
• mobilise the company's internal actors
• draw the conclusions for the best possible exploitation
Economic Intelligence (French)
The information provided must have certain qualities:
1) accuracy
2) up to date
3) linked to the context.
Formally:
1) it must be processed quickly
2) be explicit
3) be economically accessible.
-- 1999 --
" L'intelligence économique "
Achard, Pierre, Bernat, Jean-Pierre, BBF, 1999, n° 6, p. 123-125
-- 2003 --
"INTELLIGENCE ÉCONOMIQUE ET STRATÉGIQUE"
(http://www.adec.fr/files_upload/documentation/200607201512060.Cigref_IE_internet.pdf)
-- 2009 --
"Guide des bonnes pratiques en matière d’intelligence économique"
(http://c.asselin.free.fr/french/guide_des_bonnes_pratiques_en_matiere_d_ie-1.pdf)
-- 2011 --
"Le concept français d’ “intelligence économique”: histoire et tendances"
(http://archivesic.ccsd.cnrs.fr/docs/00/64/64/67/PDF/MHArtIEfrWorkingpaper20101213FRfinal.pdf)
-- 2012 --
"L’INFORMATION AU CŒUR DE L’INTELLIGENCE ECONOMIQUE STRATEGIQUE"
(http://rrien.univ-littoral.fr/wp-content/uploads/2012/03/doc27-rri.pdf)
Economic Intelligence (French)
Internet-Wide Scan Data Repository (https://scans.io/)
The Internet-Wide Scan Data Repository is a public archive of research data collected through active scans of the public Internet.
The repository is hosted by the ZMap Team at the University of Michigan and was founded in collaboration with Rapid7.
• University of Michigan · HTTPS Ecosystem Scans
• University of Michigan · Hurricane Sandy ZMap Scans
• Rapid7 · Critical.IO Service Fingerprints
• Rapid7 · SSL Certificates
• Rapid7 · Reverse DNS
• Rapid7 · HTTP-GET (port 80)
• A JSON interface to the repository is available at https://scans.io/json
Open Data Sources
Internet Census 2012
“Port scanning /0 using insecure embedded devices” (Carna Botnet)
http://internetcensus2012.bitbucket.org/paper.html
All data collected during the Internet Census 2012 is available for download via BitTorrent.
The full download is 568GB large. Decompressing all data results in 9TB of raw log files in text format. If recompressed into gzip files the
dataset should be ~1.5TB.
http://internetcensus2012.bitbucket.org/download.html
Open Data Sources
Institut national de la statistique et des études économiques
http://www.insee.fr/fr/bases-de-donnees/default.asp
http://www.bdm.insee.fr/bdm2/index.action
Open public data platform (data.gouv.fr)
http://www.data.gouv.fr/
Linked Open Data Around-The-Clock
http://latc-project.eu/datasets
Pan European data portal
http://publicdata.eu/dataset
European Union Open Data Portal
http://open-data.europa.eu/
Server Access Logs
TOP 5 - BOT useragents (sample from 2012 logs)
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) 2910357
Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm) 1067432
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html) 632752
Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots) 619931
Mozilla/5.0 (compatible; Ezooms/1.0; [email protected]) 479867
TOP 5 - BROWSER useragents (sample from 2012 logs)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) 1824893
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) 806615
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 646110
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0) 433263
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 387967
Google query for Web Server logs
intext:"Mozilla/5.0" filetype:txt
filetype:log user_agents
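To turn raw access logs into the bot/browser tallies shown above, here is an added Python example (not the author's code) that parses combined-format log lines, splits user agents into bots and browsers, and buckets browsers by layout engine as the deck's charts do. The log lines are constructed for the example; only the user-agent strings come from the slide.

```python
import re
from collections import Counter

# Apache/nginx "combined" log line; the user agent is the last quoted field.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
BOT_RE = re.compile(r"bot|spider|crawl", re.I)
ENGINE_TOKENS = (("Trident", "Trident"), ("AppleWebKit", "AppleWebKit"),
                 ("Gecko/", "Gecko"), ("Presto", "Presto"))

# Constructed sample (not the author's 2012 logs); only the UA strings come from the slide.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2012:08:00:01 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.6 - - [10/Nov/2012:08:00:02 +0100] "GET /a HTTP/1.1" 200 640 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
203.0.113.7 - - [10/Nov/2012:08:00:03 +0100] "GET /b HTTP/1.1" 404 120 "-" "Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"
203.0.113.8 - - [10/Nov/2012:08:00:04 +0100] "GET /c HTTP/1.1" 200 880 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.6 - - [10/Nov/2012:08:00:05 +0100] "GET /d HTTP/1.1" 200 301 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
this line is corrupt and must be skipped, not crash the parser
"""

def user_agents(log_text):
    """Yield the user-agent field of every line that matches the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ua")

def layout_engine(ua):
    """Bucket a browser UA by its layout-engine token, as the slide's chart does."""
    for token, engine in ENGINE_TOKENS:
        if token in ua:
            return engine
    return "Unknown"

def summarise(log_text):
    """Return (bot UAs, browser UAs, layout engines) as Counters, like the slide's tables."""
    bots, browsers, engines = Counter(), Counter(), Counter()
    for ua in user_agents(log_text):
        if BOT_RE.search(ua):
            bots[ua] += 1
        else:
            browsers[ua] += 1
            engines[layout_engine(ua)] += 1
    return bots, browsers, engines

if __name__ == "__main__":
    for label, counter in zip(("BOT", "BROWSER", "ENGINE"), summarise(SAMPLE_LOG)):
        print(f"TOP 5 - {label}")
        for ua, n in counter.most_common(5):
            print(f"{ua} {n}")
```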
Server Access Logs
[Four charts from the 2012 log sample]
User Agents by Phone Manufacturer: Alcatel, MOTOROLA, LG, SonyEricsson, BlackBerry, Nokia, HTC
User Agents by Operating System: SunOS, Android, Linux, Mac, Windows
User Agents by Browser: Microsoft Office, SeaMonkey, Iceweasel, Outlook-Express, Opera, Chrome, Safari, Firefox, MSIE
User Agents by Layout Engine: Presto, AppleWebKit, Trident, Gecko
Bots behavior (example)
On Bots – analysis 2005/2006 – http://drunkmenworkhere.org/219
[Chart: crawl behaviour of YAHOO and MSNBOT]
Data Analysis Constants
Economic Parameters for FRANCE
Average work hours a week 35 A
Days of festivities a year 122 B
Average days on holidays 35 C
Average working days a year 208 D
Average working hours a year 3120 E
Company tax rate 19.6 % F
Private tax rate 45 % G
Average monthly salary (gross) 2764 € H
Constants for IT market in France (as averages)
Cost Server Install or Restore 6000 € M
Server worked daily in France 30 N
Daily Financial loss (Server Down) 1500 € P
Days to reconfigure a server 7 Q
Cost SSL Certificate (2048bit RSA) 500 € R
Cost Securing Server Installation 2000 € S
Systems that could be secured 52568234 T
Systems with faulty SSL setup 11360349 U
Average daily cost of IT engineer 990 € W
Cost of an offline server in the SME market:
“Financial loss + Restore + New SSL certificate”
[(P) X (Q)] + [(M) x 1] + [(R) x 1] = 17.000 €
Cost to fix all systems with faulty SSL setup:
{[(W) + (S) + (R)] x (U)} = 39.647.618.010 €
Market for server security maintenance:
Market = {[(T) x (S)] + [(W) x (Q) x (T)]}
Market: 574.570.797.620 €
Secure Communication Market
( Some examples of worst cases)
Secure Communication Market
Question: Is there a market for secure communication?
Inventing some numbers:
• 97.454.086 Total IP
• 66.365.935 No SSL
• 31.088.151 SSL
• 19.727.802 Safe SSL
• 18.360.349 Weak SSL
• 18.213.972 Self-Signed Certs
• 19.312.637 No Trusted Certs
• 29.525.183 Weak Ciphers
• 33.724.344 Weak Keys
• 58.321.312 Old Software
[Charts (fictional data): WEAK SSL DETAILS and SSL USAGE]
Estimate Cyber Security Market
Parameters
A= 100.000 servers B= 50.000 SSL srv. C= 40.000 vulner.
D= 35 working hours/week E= 5 hours/day F= 19.6% corp.tax
G= 45% indiv.tax H= 6000€ install server J= 1500€/day finan. loss
K= 500€ cert cost L= 2000€ check server M= 7 days to install server
N= 3960€ gross salary/month O= project time 3 years P= 4 hours check server
Total working days/year= 365 - 122 (festivities) - 35 (holiday) = 208 days
Total working hours/year= 208 x 5 = 1040 hours
Annual Salary= (N x 12) = 47520€ / year
Human Daily Cost= (N x 12) / 208 = 228.46 €
Technical Cost reinstall 1 server= H + (Jx7) + K = 17.000 €
Human cost reinstall 1 server= (228.46 x 7) = 1599.22 €
Total Cost reinstall 1 server= 17.000 + 1599.22 = 18599.22 €
Estimate Cyber Security Market
Total Cost reinstall 40.000 SSL server= (18599.22 x 40.000) = 743.968.800 €
Total Cost maintain 40.000 SSL server= (L x 40.000) = 80.000.000 €
Total cost secure 40.000 SSL servers= 743.968.800 + 80.000.000 = 823.968.800 €
People to check 40.000 SSL servers in 3 years= ((P x 40.000) / (1040 x 3))= 51
Vulnerable Servers = 18.360.349
Problematic SSL servers = 8.996.571
Total cost secure SSL servers = 185.322.345.274,62 €
People to check SSL servers in 3 years= ((P x 8966571) / (1040 x 3))= 11495
Total Cost reinstall ALL server= (18599.22 x 18.360.349) = 341.488.170.327,78 €
Total Cost maintain ALL server= (L x 18.360.349) = 36.720.698.000 €
Total cost secure ALL servers= 378.208.868.327,78 €
People to check ALL servers in 3 years= ((P x 18.360.349) / (1040 x 3))= 23.539
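The two cost models above (the Data Analysis Constants slide and the Estimate Cyber Security Market slides) as an added Python example, not the author's code; it reproduces the per-server, fleet and staffing figures from the deck's own parameters. One caveat it makes visible: the market formula as printed, {[(T) x (S)] + [(W) x (Q) x (T)]}, gives 469.434.329.620 €, while the 574.570.797.620 € on the slide corresponds to T x (2S + W x Q).

```python
# Added example, not the author's code: the cost model from the "Data Analysis
# Constants" and "Estimate Cyber Security Market" slides as reusable functions.
# Parameter letters follow the slides; all money is in EUR.

WORKING_DAYS_PER_YEAR = 365 - 122 - 35   # minus festivities (B) and holidays (C)
HOURS_PER_DAY = 5                        # E
PROJECT_YEARS = 3                        # O

def human_daily_cost(gross_monthly_salary):
    """Daily cost of one engineer: (N x 12) / working days, rounded to cents."""
    return round(gross_monthly_salary * 12 / WORKING_DAYS_PER_YEAR, 2)

def reinstall_cost(install, daily_loss, days_down, cert, gross_monthly_salary):
    """Technical cost H + J*M + K plus the engineer's time for the M days."""
    technical = install + daily_loss * days_down + cert
    human = round(human_daily_cost(gross_monthly_salary) * days_down, 2)
    return round(technical + human, 2)

def secure_fleet_cost(n_servers, per_server_reinstall, check_cost):
    """Reinstall every server once and pay one check (L) per server."""
    return round(n_servers * (per_server_reinstall + check_cost), 2)

def engineers_needed(n_servers, hours_per_check):
    """Engineers to check every server once over the project (truncated, as on the slide)."""
    hours_available = WORKING_DAYS_PER_YEAR * HOURS_PER_DAY * PROJECT_YEARS
    return int(n_servers * hours_per_check / hours_available)

def fix_faulty_ssl_cost(faulty_systems, daily_engineer_cost, securing_cost, cert_cost):
    """Constants slide: {[(W) + (S) + (R)] x (U)}."""
    return (daily_engineer_cost + securing_cost + cert_cost) * faulty_systems

def maintenance_market(systems, securing_cost, daily_engineer_cost, days_to_reconfigure):
    """Constants slide formula {[(T) x (S)] + [(W) x (Q) x (T)]}, applied exactly as printed."""
    return systems * securing_cost + daily_engineer_cost * days_to_reconfigure * systems

if __name__ == "__main__":
    one = reinstall_cost(6000, 1500, 7, 500, 3960)           # 18599.22 on the slide
    print("reinstall one server:", one)
    print("secure 40,000 SSL servers:", secure_fleet_cost(40_000, one, 2000))
    print("engineers for 40,000 servers over 3 years:", engineers_needed(40_000, 4))
    print("fix all faulty SSL setups:", fix_faulty_ssl_cost(11_360_349, 990, 2000, 500))
    print("market, formula as printed:", maintenance_market(52_568_234, 2000, 990, 7))
```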
Secure Communication Market
How big is the market for IT server maintenance to change SSL certs?
Data analysis revealed that the market is estimated to be on average 185 billion euro and will involve 11.495 IT professionals over a period of 3 years.
[Chart: Server Preparedness level (Safe, Risky, Unsafe, Vulnerable, No Data); fictional data]
Estimate Cyber Security Market
Can you estimate the market size related to cyber defense security?
Research revealed that France has a potential market of 378 billion euro, with an average cost for each cyber attack of 17.500 euro.
The forecast potential market for cybercriminals turned out to be 341 billion euro, and this risk could be mitigated by implementing a cyber defense system.
An investment of 37 billion euro to maintain and check current servers would prevent all potential losses and ensure an increase in skilled engineers of around 23.539 units.
[Chart: Server Preparedness level (Safe, Risky, Unsafe, Vulnerable, No Data); fictional data]
EXTRA
EXTRA SECTION: HOW TO DEVELOP A LOGICAL MODEL
(Example)
EXTRA – DEVELOPING A MODEL
“What is our company’s exposure to cyber attacks and cyber risks?”
To answer we have first to understand the question and to do so we divide it in logical sections.
1. our: the client is interested in a comparison between himself and everyone else, so a reference is needed
2. company: information about the business, not related to private or governmental entities
3. exposure: psychological aspect, how unprotected the client feels compared to his peers
4. risk: psychological aspect, not measurable unless derived from impact and probability
5. cyber: identifies the environment in which the client perceives a problem, i.e. the subject
6. attacks: psychological aspect, not measurable unless derived from the surrounding environment
And now that we know what the client wants we can rewrite the question in a way that can allow
us to take direct and measurable actions:
“Can we tell the client how well he operates, compared to his peers operating in the same
business environment, by measuring the probability of being a target and the impact of this action
and generate a relative measure of the risk related to the subject, so he can understand how
distant his way of conducting the business is to the reference of the industry?”
EXTRA – DEVELOPING A MODEL
PREPARATION (PREREQUISITES):
1. Find the list of businesses (peers) that are competitors or providers of our client [Peers]
2. Find the market in which both client and peers are operating [Environment]
3. Find which kind of operational indicators (KPI) are important for the client [ClientKPI]
4. Find which kind of operational indicators (KPI) are important for the peers [PeersKPI]
5. Find which kind of operational indicators (KPI) are important for the subject [SubjectKPI]
6. Find which kind of technical indicators are relevant for client [ClientTI]
7. Find which kind of technical indicators are relevant for peers [PeersTI]
8. Find which kind of technical indicators are relevant for subject [SubjectTI]
9. Find or create a table that measures the probability an action has to happen [Probability]
10. Find or create a table that measures how important the impact of a given action is [Impact]
To correlate the information we assign a code to each prerequisite action:
1 = [Peers] 2 = [Environment] 3 = [ClientKPI]
4 = [PeersKPI] 5 = [SubjectKPI] 6 = [ClientTI]
7 = [PeersTI] 8 = [SubjectTI] 9 = [Probability]
10 = [Impact]
EXTRA – DEVELOPING A MODEL
The “+” sign represents a correlation being created between two objects.
11=[1]+[2]= [Market] 12=[3]+[6]= [ClientIndex] 13=[4]+[7]= [PeersIndex]
14=[5]+[8]= [SubjectIndex] 15=[9]+[10]= [Risk] 16=[11]+[15]= [MarketRisk]
17=[12]+[15]= [ClientRisk] 18=[13]+[15]= [PeersRisk] 19=[14]+[15]= [SubjectRisk]
20=[16]+[19]= [EnvironmentRisk] 21=[17]+[18]= [BusinessRisk]
22=[20]+[21]= [IndustryRisk] 23=[3]+[4]= [DomainKPI]
24=[6]+[7]= [DomainTI] 25=[15]+[23]= [PerformanceRisk]
26=[15]+[24]= [OperationalRisk] 27=[23]+[24]= [IndustryAverage]
28=[25]+[26]= [EconomicalRisk] 29=[27]+[28]= [IndustryReference]
The system of measurements has converted quantitative data (indicators) into human emotions (risk and fear); now we have to convert fear back into something measurable, so it can be measured and managed as society expects and therefore be used in business.
Sub-Question-1: (quantitative)
“how well he operates, compared to his peers?”
Answer= “[12] + [27]”
Sub-Question-2: (qualitative)
“a relative measure of the risk related to the subject?”
Answer= “[17] + [19]”
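The correlation table as an added Python example (not the author's code): each derived object is expanded back to the prerequisites 1-10 it rests on, which shows what must actually be collected before either sub-question can be answered.

```python
# Added example (not the author's code): the correlation table from the
# "Developing a model" slides as a small dependency graph, so we can see which
# prerequisites (1-10) every derived index and each sub-question answer rests on.

PREREQUISITES = {
    1: "Peers", 2: "Environment", 3: "ClientKPI", 4: "PeersKPI", 5: "SubjectKPI",
    6: "ClientTI", 7: "PeersTI", 8: "SubjectTI", 9: "Probability", 10: "Impact",
}

# code: (left, right, name); "+" on the slide correlates two objects
DERIVED = {
    11: (1, 2, "Market"), 12: (3, 6, "ClientIndex"), 13: (4, 7, "PeersIndex"),
    14: (5, 8, "SubjectIndex"), 15: (9, 10, "Risk"), 16: (11, 15, "MarketRisk"),
    17: (12, 15, "ClientRisk"), 18: (13, 15, "PeersRisk"), 19: (14, 15, "SubjectRisk"),
    20: (16, 19, "EnvironmentRisk"), 21: (17, 18, "BusinessRisk"),
    22: (20, 21, "IndustryRisk"), 23: (3, 4, "DomainKPI"), 24: (6, 7, "DomainTI"),
    25: (15, 23, "PerformanceRisk"), 26: (15, 24, "OperationalRisk"),
    27: (23, 24, "IndustryAverage"), 28: (25, 26, "EconomicalRisk"),
    29: (27, 28, "IndustryReference"),
}

def name(code):
    return PREREQUISITES[code] if code in PREREQUISITES else DERIVED[code][2]

def prerequisites_of(code):
    """Set of prerequisite codes (1-10) that a given object ultimately depends on."""
    if code in PREREQUISITES:
        return {code}
    left, right, _ = DERIVED[code]
    return prerequisites_of(left) | prerequisites_of(right)

def answer_inputs(*codes):
    """Prerequisite names behind an answer written as '[a] + [b]' on the slide."""
    needed = set().union(*(prerequisites_of(c) for c in codes))
    return sorted(name(c) for c in needed)

if __name__ == "__main__":
    print("Sub-question 1 ([12] + [27]):", answer_inputs(12, 27))
    print("Sub-question 2 ([17] + [19]):", answer_inputs(17, 19))
    print("IndustryRisk [22] needs:", answer_inputs(22))
```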
EXTRA – DEVELOPING A MODEL