Hvert er þroskastig netöryggismála á Íslandi?

OWASP Iceland – apríl 2014Svavar Ingi HermannssonKPMG, Ráðgjafarsvið

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

1

Dagskrá

KynningTilgangurHeildarmynd

– Almennar forsendurNetið skoðað

– Aðferðir– Niðurstöður

Varnarþættir– Eftirlitsþættir

Yfirlit

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

2

Hver er ég?Svavar Ingi Hermannsson hefur sérhæft sig í tölvuöryggi síðustu 15 ár og hefur gengt ýmsum störfum tengt forritun og ráðgjöf í tölvuöryggi (innbrotsprófanir, veikleikagreiningar, kóðarýni, stjórnun upplýsingaöryggis (þar á meðal ISO/IEC 27001 og PCI DSS)).

Svavar hefur kennt við Háskóla Íslands og Háskólann í Reykjavik, auk þess að hafa haldið námskeið fyrir viðskiptavini KPMG.

Svavar var formaður faghóps um öryggismál hjá Skýrslutæknifélaginu frá 2007 til 2012.

Svavar er með ýmsar gráður, meðal annars: CISSP, CISA, CISM.

Kynning

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

3

Tilgangur rannsóknarinnar?

KPMG hafði áhuga á að vita þroskastig upplýsinga og netöryggismála á íslandi.

Spurning; Hvernig er netöryggi á Íslandi háttað?

Við fundum engar rannsóknir sem gáfu heildaryfirlit yfir núverandi stöðu mála.

Takmarkað af upplýsingum til staðar.

Margar spurningar, fá svör

Púslum raðað saman

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

5

Rannsókn – Almennar forsendur – Menntun / Vitund

Ýmsir þættir sem hafa áhrif á netöryggi: Menntun / Vitund

Þáttaka stjórnenda /

Fjárhagslegirþættir

Símenntun /Upplýsinga-

öryggisvottanir

Mennta kerfið

Netöryggi

Á háskóla stigi: -Ef boðið hefur verið upp á kúrsa í tölvuöryggi þá hafa þeir verið valkúrsar.-Margir tölvuöryggiskúrsar í gegnum tíðina hafa lagt áherslu á dulkóðun.

Hvernig styður núverandi menntakerfi við Vitundarvakningu í upplýsingaöryggi?

Á grunnskóla / gagnfræðiskólastigi? - Það eru tækifæri til að byrja þar - Öryggisvitund snemma

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

6

Rannsókn – Almennar forsendur – Upplýsingaöryggisgráður

Ýmsir þættir sem hafa áhrif á netöryggi: Upplýsingaöryggisgráður

Þáttaka stjórnenda /

Fjárhagslegir þættir

Menntakerfið

Netöryggi

What security certifications is the industry using?

15

CEH

16

CISA

6

CISSP

4

CISM

Source: (https://www.isaca.org/)Source: (https://www.eccouncil.org)Source: (https://www.isc2.org)

Símenntun /Upplýsinga-

öryggisvottanir

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

7

Rannsókn – Almennar forsendur – Aðgengilegar upplýsingar

Fjöldi ISO/IEC 27001 vottaðra fyrirtækja á Íslandi

Fjöldi tilkynntra afskræmdra vefsíðna á íslenskum lénum fyrir árið 2013, dagsetning 10.09.2013 (zone-h.org)

#fjöldi skráðra .is léna 45.201

# tilkynntar afskræmingar 823

Það er tilhneiging að gera lítið úr afhausunum vefsíðna

Það sem þau halda að það sé!Það sem við vitum að það er!

20

Netið skoðað

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

9

Netið skoðað – Allir vinir í skóginum

Við vildum prófa allt… hinsvegar

Við framkvæmdum ekki veikleikagreiningu á netunum sem við skönnuðum.

Áhættan var talin of mikil!

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

10

Hvað var skoðað?

?Ísland (port skönnun)

Netupplýsingar aðgengilegar almenningi

(570 aðilar)

IPv4

Opin port

Keyrandi þjónustur

Vefmiðlarar

WCMS

DNS

Tveir stærstu þættir rannsóknarinnar

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

11

Aðferðir?

? ?

Allar IPv4 úthlutaðar til Íslands skannaðar, 770.000 IP tölur í heildina

Reykjavik Internet Exchange – RIX This is a list of Autonomous System Numbers that are, to the best of our knowledge, registered to Icelandic entities and are in use in Iceland. From the networks originated by these AS numbers we derive a list of IP networks in use in Iceland.

Please note that this is not a geo-location service, as there are always networks in use in Iceland that are originated by external AS numbers or by AS numbers registered to foreign or international service providers. Some networks, registered to Icelandic entities, are in use abroad, partially or totally. When we refer to Icelandic AS-numbers or networks, please bear this in mind.

Rannsóknin spannaði júní – ágúst 2013.

Notast við•ADSL tengingu •Port skanna•Sérsniðin skönnunar og greiningar tól•Landið skannað: 100 port

Source: (http://www.rix.is/english/is-as-nets-en.html)

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

12

Rannsókn – Skönnun á IP tölum Íslands

Skönnun á öllum IPv4 sem tilheyra Íslandi, Í heildina 770.000 IP tölur

Open ports

37.970

Http

13.924

Https

1949

Telnet

9670

POP3

1383

FTP

6021 2026

CISCO

CISCOTelnet

755

Honey pots = 2

Lénin skoðuð

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

14

Rannsókn – Lénin

Uppbygging rannsóknarinnar og umfang fyrir íslensku lénin.

300 stærstu

Stærstu 300 fyrirtækin byggt á veltu fyrir árið 2012

Í heildina var notast við 570 lén í rannsókninni

Sérvaldiraðilar

Ýmsir aðilar úr fjármála og opinbera atvinnugeiranum

Á þessari kynningu munum við einbeita okkur að

heildinni auk þess sem eftirfarandi þrjár

atvinnugreinar eru skoðaðar:Public – Financial -

Healthcare

Atvinnu-greinar

Flokkað í 37 atvinnugreinar

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

15

Niðurstöður – Vefmiðlarar

• Rannsóknin skoðaði vefmiðlarana sem hýstu 570 lénin

• Áhætta er skilgreind sem mikil eða lítil34,5% 36%

Low Risk High Risk

Heildar niðurstöður

29,5%

Information not available

22%

41%

38%

33%

35%

41%

25%

33%

36%

41%

30%

36%

35%

37%

58%

47%

42%

17%

33%

30%

29%

22%

17%

20%

0% 20% 40% 60% 80% 100%

Opinberir Aðilar

Almennur Iðnaður

Fjármálafyrirtæki

Matvælaiðnaður

Ýmis Þjónusta

Heildverslun

Fiskvinnsla og Útgerð

Heilsugæsla

Atvi

nnug

eiri

Webserver niðurstöður eftir atvinnugeirum

Low Risk High Risk Not known

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

16

Niðurstöður – Web Content Management Systems (WCMS)

• Rannsóknin skoðaði WCMS í notkun hjá 570 lénunum.

• Áhætta er skilgreind sem mikil eða lág.

8% 12%

Low Risk High Risk

80%

Information not available

Heildar niðurstöður

2%

12%

8%

6%

6%

15%

4%

7%

5%

15%

18%

3%

10%

15%

33%

7%

93%

73%

75%

91%

84%

70%

63%

87%

0% 20% 40% 60% 80% 100%

Opinberir Aðilar

Almennur Iðnaður

Fjármálafyrirtæki

Matvælaiðnaður

Ýmis Þjónusta

Heildverslun

Fiskvinnsla og Útgerð

Heilsugæsla

Atvi

nnug

eiri

WebCMS niðurstöður eftir atvinnugeirum

Low Risk High Risk Not known

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

17

Niðurstöður – Web Content Management Systems (WCMS) - framhald

• Hversu mörg óþekkt WCMS voru Íslensk af þessum 570?

Íslensk WCMS: 40,7%

WCMS - A

WCMS - B

WCMS - C

Dreifing

15,9 %

11 %

11 %

Dreifing WCMS

68%

27%

58%

21%

19%

22%

21%

53%

0% 20% 40% 60% 80%

Opinberir Aðilar

Almennur Iðnaður

Fjármálafyrirtæki

Matvælaiðnaður

Ýmis Þjónusta

Heildverslun

Fiskvinnsla og Útgerð

Heilsugæsla

Hlutfall

Atvi

nnug

eiri

Hlutfall íslenskra vefja eftir atvinnugeirum

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

18

Niðurstöður – DNS

• Hvernig er dreifingin á DNS skráningu?• Fjöldi DNS miðlara fyrir 570 lénin: 309

SP A

SP B

SP C

Dreifing léna

16,9 %

11,5 %

9 %

Stærstu DNS miðlararnir

Bind

Microsoft

Unknown / hidden

Hlutdeild

32 %

5,2 %

61,5 %

DNS útgáfur

Bind sem lekur upplýsingum um stýrikerfi: 46

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

19

Niðurstöður – TLS/SSL

• Hversu margar einstakar IP tölur voru fyrir 570 lénin? 342 IP tölur• Hversu margar af þessum 342 IP tölum bjóða upp á TLS/SSL? 188 (55%)

Weak Cipher

SSLv2

MD5

Veikleikar sem fundust

96,3 %

39,4 %

4,8 %

Veikleikar skoðaðir:

Self signed

Expired

Veikleikar sem fundust

16,5 %

15,4 %

Aðrir þættir:

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

20

Niðurstöður – FTP

• Hversu margar af 342 IP tölunum bjóða upp á FTP? 152• Hversu margar af þessum 152 auglýsa TLS/SSL stuðning? 21 (13,8%)

Microsoft

Vsftpd

Proftpd

Hlutdeild

26,3 %

17,1 %

14,5 %

Dreifing milli tegunda

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

21

Niðurstöður – Dreifing á IP tölur

• Hvernig er dreifingunni háttað fyrir þessar 342 IP tölur með tilliti til 570 l?• Hversu stór hluti léna er á umfangsmestu IP tölurnar?

34 umfangsmestu

IP tölur

Aðrar IP tölur

Teknar eru fyrir 34 stærstu af 342

38 %

62 %

Dreifing léna á IP tölur

555555

666

788

1011

1214

1632

0 10 20 30 40

rrr.rrr.rrrqqq.qqq.qqqppp.ppp.pppooo.ooo.ooonnn.nnn.nnn

mmm.mmm.mmmlll.lll.lll

kkk.kkk.kkkjjj.jjj.jjjiii.iii.iii

hhh.hhh.hhhggg.ggg.ggg

fff.fff.fffeee.eee.eeeddd.ddd.dddccc.ccc.ccc

bbb.bbb.bbbaaa.aaa.aaa

Lén

IP tö

lur

Fjöldi síðna á hverja IP tölu

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

22

Niðurstöður – Dreifing milli þjónustuaðila

• Hvernig var dreifingin milli þjónustuaðila fyrir þessi 570 lén?

SP A

SP B

SP C

Hlutdeild

7,3 %

5,3 %

4,9 %

Dreifing ÞjónustuaðilaÞj. 19%

Þj 29%

Þj. 38%

Þj. 47%

Þj. 57%

Þj. 66%Þj. 7

5%Þj. 86%

Þj. 96%

Aðrir37%

Dreifing á lénum milli þjónustuaðila

Dreifing þar sem Þjónustuaðilar eru þekktir:

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

23

Niðurstöður – Umfang og frávik nafnamiðlara

• Hverjir eru stærstu nafnamiðlararnir?• Hversu mikið frávik eru á milli stærstu og minnstu nafnamiðlara hjá hverjum

þjónustuaðila?

77781010101012131516

242426

4052

6697

0 20 40 60 80 100 120

Nafnamiðlari 19Nafnamiðlari 18Nafnamiðlari 17Nafnamiðlari 16Nafnamiðlari 15Nafnamiðlari 14Nafnamiðlari 13Nafnamiðlari 12Nafnamiðlari 11Nafnamiðlari 10Nafnamiðlari 9Nafnamiðlari 8Nafnamiðlari 7Nafnamiðlari 6Nafnamiðlari 5Nafnamiðlari 4Nafnamiðlari 3Nafnamiðlari 2Nafnamiðlari 1

Lén

Þjón

ustu

aðili

Umfang nafnamiðlara hjá þjónustuaðila

0%0%0%0%0%0%0%0%0%

6%10%

14%20%

42%46%

50%50%

71%88%

0% 20% 40% 60% 80% 100%

Nafnamiðlari 19Nafnamiðlari 15Nafnamiðlari 14Nafnamiðlari 11Nafnamiðlari 10

Nafnamiðlari 9Nafnamiðlari 7Nafnamiðlari 5Nafnamiðlari 2Nafnamiðlari 1

Nafnamiðlari 13Nafnamiðlari 18Nafnamiðlari 12

Nafnamiðlari 6Nafnamiðlari 3

Nafnamiðlari 16Nafnamiðlari 4

Nafnamiðlari 17Nafnamiðlari 8

Frávik (munur á stærsta og lægsta nafnamiðlara)

Þjón

ustu

aðili

Frávik á nafnamiðlurum þjónustuaðila

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

24

Varnarþættir

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

25

Hvaða fyrirbyggjandi stýringar og eftirlitsþættir eru í boði?

Australian Government – Department of Defense

“At least 85% of the targeted cyber intrusions that Defense Signals Directorate

(DSD) responds to in 2011 could be prevented by following the Top 4 mitigation

strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions”

Helstu 35 eftirlitsþættirnir og stýringarnar

http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

26

Helstu 35 eftirlitsþættirnir og stýringarnar

http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

Stóra spurningin / YfirlitHvert er þroskastig netöryggismála á Íslandi?

© 2014 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firmsof the KPMG network of independent firms are affiliated with KPMG International. KPMGInternational provides no client services.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address thecircumstances of any particular individual or entity. Although we Endeavour to provide accurate andtimely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such informationwithout appropriate professional advice after a thorough examination of the particular situation.

kpmg.com/socialmedia

Spurningar?shermannsson@kpmg.is