Upload
svavar-ingi-hermannsson
View
80
Download
6
Tags:
Embed Size (px)
Citation preview
Hvert er þroskastig netöryggismála á Íslandi?
OWASP Iceland – apríl 2014Svavar Ingi HermannssonKPMG, Ráðgjafarsvið
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
1
Dagskrá
KynningTilgangurHeildarmynd
– Almennar forsendurNetið skoðað
– Aðferðir– Niðurstöður
Varnarþættir– Eftirlitsþættir
Yfirlit
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
2
Hver er ég?Svavar Ingi Hermannsson hefur sérhæft sig í tölvuöryggi síðustu 15 ár og hefur gengt ýmsum störfum tengt forritun og ráðgjöf í tölvuöryggi (innbrotsprófanir, veikleikagreiningar, kóðarýni, stjórnun upplýsingaöryggis (þar á meðal ISO/IEC 27001 og PCI DSS)).
Svavar hefur kennt við Háskóla Íslands og Háskólann í Reykjavik, auk þess að hafa haldið námskeið fyrir viðskiptavini KPMG.
Svavar var formaður faghóps um öryggismál hjá Skýrslutæknifélaginu frá 2007 til 2012.
Svavar er með ýmsar gráður, meðal annars: CISSP, CISA, CISM.
Kynning
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
3
Tilgangur rannsóknarinnar?
KPMG hafði áhuga á að vita þroskastig upplýsinga og netöryggismála á íslandi.
Spurning; Hvernig er netöryggi á Íslandi háttað?
Við fundum engar rannsóknir sem gáfu heildaryfirlit yfir núverandi stöðu mála.
Takmarkað af upplýsingum til staðar.
Margar spurningar, fá svör
Púslum raðað saman
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
5
Rannsókn – Almennar forsendur – Menntun / Vitund
Ýmsir þættir sem hafa áhrif á netöryggi: Menntun / Vitund
Þáttaka stjórnenda /
Fjárhagslegirþættir
Símenntun /Upplýsinga-
öryggisvottanir
Mennta kerfið
Netöryggi
Á háskóla stigi: -Ef boðið hefur verið upp á kúrsa í tölvuöryggi þá hafa þeir verið valkúrsar.-Margir tölvuöryggiskúrsar í gegnum tíðina hafa lagt áherslu á dulkóðun.
Hvernig styður núverandi menntakerfi við Vitundarvakningu í upplýsingaöryggi?
Á grunnskóla / gagnfræðiskólastigi? - Það eru tækifæri til að byrja þar - Öryggisvitund snemma
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
6
Rannsókn – Almennar forsendur – Upplýsingaöryggisgráður
Ýmsir þættir sem hafa áhrif á netöryggi: Upplýsingaöryggisgráður
Þáttaka stjórnenda /
Fjárhagslegir þættir
Menntakerfið
Netöryggi
What security certifications is the industry using?
15
CEH
16
CISA
6
CISSP
4
CISM
Source: (https://www.isaca.org/)Source: (https://www.eccouncil.org)Source: (https://www.isc2.org)
Símenntun /Upplýsinga-
öryggisvottanir
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
7
Rannsókn – Almennar forsendur – Aðgengilegar upplýsingar
Fjöldi ISO/IEC 27001 vottaðra fyrirtækja á Íslandi
Fjöldi tilkynntra afskræmdra vefsíðna á íslenskum lénum fyrir árið 2013, dagsetning 10.09.2013 (zone-h.org)
#fjöldi skráðra .is léna 45.201
# tilkynntar afskræmingar 823
Það er tilhneiging að gera lítið úr afhausunum vefsíðna
Það sem þau halda að það sé!Það sem við vitum að það er!
20
Netið skoðað
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
9
Netið skoðað – Allir vinir í skóginum
Við vildum prófa allt… hinsvegar
Við framkvæmdum ekki veikleikagreiningu á netunum sem við skönnuðum.
Áhættan var talin of mikil!
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
10
Hvað var skoðað?
?Ísland (port skönnun)
Netupplýsingar aðgengilegar almenningi
(570 aðilar)
IPv4
Opin port
Keyrandi þjónustur
Vefmiðlarar
WCMS
DNS
Tveir stærstu þættir rannsóknarinnar
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
11
Aðferðir?
? ?
Allar IPv4 úthlutaðar til Íslands skannaðar, 770.000 IP tölur í heildina
Reykjavik Internet Exchange – RIX This is a list of Autonomous System Numbers that are, to the best of our knowledge, registered to Icelandic entities and are in use in Iceland. From the networks originated by these AS numbers we derive a list of IP networks in use in Iceland.
Please note that this is not a geo-location service, as there are always networks in use in Iceland that are originated by external AS numbers or by AS numbers registered to foreign or international service providers. Some networks, registered to Icelandic entities, are in use abroad, partially or totally. When we refer to Icelandic AS-numbers or networks, please bear this in mind.
Rannsóknin spannaði júní – ágúst 2013.
Notast við•ADSL tengingu •Port skanna•Sérsniðin skönnunar og greiningar tól•Landið skannað: 100 port
Source: (http://www.rix.is/english/is-as-nets-en.html)
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
12
Rannsókn – Skönnun á IP tölum Íslands
Skönnun á öllum IPv4 sem tilheyra Íslandi, Í heildina 770.000 IP tölur
Open ports
37.970
Http
13.924
Https
1949
Telnet
9670
POP3
1383
FTP
6021 2026
CISCO
CISCOTelnet
755
Honey pots = 2
Lénin skoðuð
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
14
Rannsókn – Lénin
Uppbygging rannsóknarinnar og umfang fyrir íslensku lénin.
300 stærstu
Stærstu 300 fyrirtækin byggt á veltu fyrir árið 2012
Í heildina var notast við 570 lén í rannsókninni
Sérvaldiraðilar
Ýmsir aðilar úr fjármála og opinbera atvinnugeiranum
Á þessari kynningu munum við einbeita okkur að
heildinni auk þess sem eftirfarandi þrjár
atvinnugreinar eru skoðaðar:Public – Financial -
Healthcare
Atvinnu-greinar
Flokkað í 37 atvinnugreinar
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
15
Niðurstöður – Vefmiðlarar
• Rannsóknin skoðaði vefmiðlarana sem hýstu 570 lénin
• Áhætta er skilgreind sem mikil eða lítil34,5% 36%
Low Risk High Risk
Heildar niðurstöður
29,5%
Information not available
22%
41%
38%
33%
35%
41%
25%
33%
36%
41%
30%
36%
35%
37%
58%
47%
42%
17%
33%
30%
29%
22%
17%
20%
0% 20% 40% 60% 80% 100%
Opinberir Aðilar
Almennur Iðnaður
Fjármálafyrirtæki
Matvælaiðnaður
Ýmis Þjónusta
Heildverslun
Fiskvinnsla og Útgerð
Heilsugæsla
Atvi
nnug
eiri
Webserver niðurstöður eftir atvinnugeirum
Low Risk High Risk Not known
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
16
Niðurstöður – Web Content Management Systems (WCMS)
• Rannsóknin skoðaði WCMS í notkun hjá 570 lénunum.
• Áhætta er skilgreind sem mikil eða lág.
8% 12%
Low Risk High Risk
80%
Information not available
Heildar niðurstöður
2%
12%
8%
6%
6%
15%
4%
7%
5%
15%
18%
3%
10%
15%
33%
7%
93%
73%
75%
91%
84%
70%
63%
87%
0% 20% 40% 60% 80% 100%
Opinberir Aðilar
Almennur Iðnaður
Fjármálafyrirtæki
Matvælaiðnaður
Ýmis Þjónusta
Heildverslun
Fiskvinnsla og Útgerð
Heilsugæsla
Atvi
nnug
eiri
WebCMS niðurstöður eftir atvinnugeirum
Low Risk High Risk Not known
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
17
Niðurstöður – Web Content Management Systems (WCMS) - framhald
• Hversu mörg óþekkt WCMS voru Íslensk af þessum 570?
Íslensk WCMS: 40,7%
WCMS - A
WCMS - B
WCMS - C
Dreifing
15,9 %
11 %
11 %
Dreifing WCMS
68%
27%
58%
21%
19%
22%
21%
53%
0% 20% 40% 60% 80%
Opinberir Aðilar
Almennur Iðnaður
Fjármálafyrirtæki
Matvælaiðnaður
Ýmis Þjónusta
Heildverslun
Fiskvinnsla og Útgerð
Heilsugæsla
Hlutfall
Atvi
nnug
eiri
Hlutfall íslenskra vefja eftir atvinnugeirum
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
18
Niðurstöður – DNS
• Hvernig er dreifingin á DNS skráningu?• Fjöldi DNS miðlara fyrir 570 lénin: 309
SP A
SP B
SP C
Dreifing léna
16,9 %
11,5 %
9 %
Stærstu DNS miðlararnir
Bind
Microsoft
Unknown / hidden
Hlutdeild
32 %
5,2 %
61,5 %
DNS útgáfur
Bind sem lekur upplýsingum um stýrikerfi: 46
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
19
Niðurstöður – TLS/SSL
• Hversu margar einstakar IP tölur voru fyrir 570 lénin? 342 IP tölur• Hversu margar af þessum 342 IP tölum bjóða upp á TLS/SSL? 188 (55%)
Weak Cipher
SSLv2
MD5
Veikleikar sem fundust
96,3 %
39,4 %
4,8 %
Veikleikar skoðaðir:
Self signed
Expired
Veikleikar sem fundust
16,5 %
15,4 %
Aðrir þættir:
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
20
Niðurstöður – FTP
• Hversu margar af 342 IP tölunum bjóða upp á FTP? 152• Hversu margar af þessum 152 auglýsa TLS/SSL stuðning? 21 (13,8%)
Microsoft
Vsftpd
Proftpd
Hlutdeild
26,3 %
17,1 %
14,5 %
Dreifing milli tegunda
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
21
Niðurstöður – Dreifing á IP tölur
• Hvernig er dreifingunni háttað fyrir þessar 342 IP tölur með tilliti til 570 l?• Hversu stór hluti léna er á umfangsmestu IP tölurnar?
34 umfangsmestu
IP tölur
Aðrar IP tölur
Teknar eru fyrir 34 stærstu af 342
38 %
62 %
Dreifing léna á IP tölur
555555
666
788
1011
1214
1632
0 10 20 30 40
rrr.rrr.rrrqqq.qqq.qqqppp.ppp.pppooo.ooo.ooonnn.nnn.nnn
mmm.mmm.mmmlll.lll.lll
kkk.kkk.kkkjjj.jjj.jjjiii.iii.iii
hhh.hhh.hhhggg.ggg.ggg
fff.fff.fffeee.eee.eeeddd.ddd.dddccc.ccc.ccc
bbb.bbb.bbbaaa.aaa.aaa
Lén
IP tö
lur
Fjöldi síðna á hverja IP tölu
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
22
Niðurstöður – Dreifing milli þjónustuaðila
• Hvernig var dreifingin milli þjónustuaðila fyrir þessi 570 lén?
SP A
SP B
SP C
Hlutdeild
7,3 %
5,3 %
4,9 %
Dreifing ÞjónustuaðilaÞj. 19%
Þj 29%
Þj. 38%
Þj. 47%
Þj. 57%
Þj. 66%Þj. 7
5%Þj. 86%
Þj. 96%
Aðrir37%
Dreifing á lénum milli þjónustuaðila
Dreifing þar sem Þjónustuaðilar eru þekktir:
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
23
Niðurstöður – Umfang og frávik nafnamiðlara
• Hverjir eru stærstu nafnamiðlararnir?• Hversu mikið frávik eru á milli stærstu og minnstu nafnamiðlara hjá hverjum
þjónustuaðila?
77781010101012131516
242426
4052
6697
0 20 40 60 80 100 120
Nafnamiðlari 19Nafnamiðlari 18Nafnamiðlari 17Nafnamiðlari 16Nafnamiðlari 15Nafnamiðlari 14Nafnamiðlari 13Nafnamiðlari 12Nafnamiðlari 11Nafnamiðlari 10Nafnamiðlari 9Nafnamiðlari 8Nafnamiðlari 7Nafnamiðlari 6Nafnamiðlari 5Nafnamiðlari 4Nafnamiðlari 3Nafnamiðlari 2Nafnamiðlari 1
Lén
Þjón
ustu
aðili
Umfang nafnamiðlara hjá þjónustuaðila
0%0%0%0%0%0%0%0%0%
6%10%
14%20%
42%46%
50%50%
71%88%
0% 20% 40% 60% 80% 100%
Nafnamiðlari 19Nafnamiðlari 15Nafnamiðlari 14Nafnamiðlari 11Nafnamiðlari 10
Nafnamiðlari 9Nafnamiðlari 7Nafnamiðlari 5Nafnamiðlari 2Nafnamiðlari 1
Nafnamiðlari 13Nafnamiðlari 18Nafnamiðlari 12
Nafnamiðlari 6Nafnamiðlari 3
Nafnamiðlari 16Nafnamiðlari 4
Nafnamiðlari 17Nafnamiðlari 8
Frávik (munur á stærsta og lægsta nafnamiðlara)
Þjón
ustu
aðili
Frávik á nafnamiðlurum þjónustuaðila
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
24
Varnarþættir
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
25
Hvaða fyrirbyggjandi stýringar og eftirlitsþættir eru í boði?
Australian Government – Department of Defense
“At least 85% of the targeted cyber intrusions that Defense Signals Directorate
(DSD) responds to in 2011 could be prevented by following the Top 4 mitigation
strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions”
Helstu 35 eftirlitsþættirnir og stýringarnar
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
26
Helstu 35 eftirlitsþættirnir og stýringarnar
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
Stóra spurningin / YfirlitHvert er þroskastig netöryggismála á Íslandi?
© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firmsof the KPMG network of independent firms are affiliated with KPMG International. KPMGInternational provides no client services.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address thecircumstances of any particular individual or entity. Although we Endeavour to provide accurate andtimely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such informationwithout appropriate professional advice after a thorough examination of the particular situation.
kpmg.com/socialmedia