CYBER FUTURE: SECURITY AND PRIVACY DOOMED?

Source: isaca.ro/wp-content/uploads/2017/12/Robert-Clyde-ISACA... · 2017. 12. 20.


CYBER FUTURE: SECURITY AND PRIVACY DOOMED?

December 8, 2017


ROB CLYDE
CISM, NACD BOARD LEADERSHIP FELLOW
VICE-CHAIR, ISACA
MANAGING DIRECTOR, CLYDE CONSULTING LLC
EXECUTIVE CHAIR, WHITE CLOUD SECURITY
EXECUTIVE ADVISOR TO BULLGUARD AND HYTRUST

THE FUTURE: DIGITAL BY DEFAULT

12/4/2017

NEW MANUFACTURING COMPANIES ARE REALLY SOFTWARE COMPANIES


ELON MUSK, TESLA CEO

“Tesla is a software company as much as it is a hardware company”

OLD MANUFACTURING COMPANIES ARE SOFTWARE COMPANIES TOO?

“If you went to bed last night as an industrial company, you’re going to wake up today as a software and analytics company”


JEFF IMMELT, GENERAL ELECTRIC CEO

digital business with software at the core


USING THE INTERNET OF THINGS TO SPY?

© 2017 ISACA. All Rights Reserved. Photograph Source: Alex Brandon/AP

US Intelligence Chief: We Might Use the Internet of Things to Spy On You

“In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking and targeting for recruitment”, says James Clapper, US director of national intelligence.

INTERNET-CONNECTED SURVEILLANCE?


Source: https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html

WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents

WikiLeaks released thousands of documents that it said described sophisticated software tools used by the Central Intelligence Agency to break into smartphones, computers and even internet-connected televisions.

If the documents are authentic, as appeared likely at first review, the release would be the latest coup for the anti-secrecy organization and a serious blow to the C.I.A.

INTERNET-CONNECTED SURVEILLANCE?


https://www.wsj.com/article_email/chinas-tech-giants-have-a-second-job-helping-the-government-see-everything-1512056284-lMyQjAxMTI3MzA2MTIwNjE0Wj/?mg=prod/accounts-wsj

China’s Tech Giants Have a Second Job: Helping Beijing Spy on Its People

Tencent and Alibaba are among the firms that assist authorities in hunting down criminal suspects, silencing dissent and creating surveillance cities

RANSOMS GETTING MORE EXPENSIVE


Ransomware got a proverbial shot in the arm earlier this year following the WannaCry attacks and it looks as if hackers are getting more brazen with their requests as a result.

Web hosting company Nayana, based in South Korea, was attacked with the Erebus ransomware on June 10. The company ultimately had to pay a fee of 397.6 Bitcoin (approximately $1 million), the largest ransomware payment ever.

Published June 21, 2017

Erebus ransomware targets vulnerable Linux servers

Some Nayana servers were running 2008 versions

Ransomware attack costs South Korean company $1M, largest payment ever

RANSOMWARE OPERATORS ADOPT TYPICAL BUSINESS PRACTICES


TECHNICAL SUPPORT

TIME-LIMITED OFFERS

TRY BEFORE YOU BUY

APP CONTROL RECOMMENDED AS #1 MITIGATION STRATEGY

THE AUSTRALIAN GOVERNMENT issued mandatory application whitelisting usage requirements to protect their “high value” systems


RUN ONLY KNOWN TRUSTED APPS

SOON EVERYTHING WILL BE CONNECTED

Source: https://schrier.wordpress.com/2015/05/25/the-internet-of-first-responder-things-iofrt/

OFFICE SUPPLIES

SURVEILLANCE

COOKING IMPLEMENTS

UTILITIES

HOME APPLIANCES


SMART TV SECURITY CONCERNS

MICROPHONE MAY ALWAYS BE ON (for voice commands)

Risk that attacker could turn on webcam

Activity on Smart TV is tracked and may be shared with social media

Like with smartphones, malicious apps could be downloaded


SMART TVS IN THE OFFICE:

Consider not connecting to Internet; if you do, connect to a Guest network

Take care as to which features and apps are enabled

Turn off or disable microphone and webcam

If possible, lock out others from changing TV settings

CONNECTED CARS ALSO AT RISK


Researchers Remotely Hack Tesla Model S While it’s Being Driven

The remote hacks likely work on all Tesla models, but on the parked Model S P85, the researchers remotely opened the sunroof, turned on the turn signal, and changed the position of the driver’s seat.

Researchers also hacked a 75D model while it was moving, controlling the brakes from 12 miles away.

INSECURE IOT DEVICES AND PRIVACY


Search engine lets users find live video of sleeping babies

“In 2012, simply attempting to log in as “root” or “admin”, with the password being the same again, was sufficient for another group of anonymous internet explorers to gain access to over 400,000 devices. With the rise of internet-connected devices since this study was conducted, that number is likely to be far higher.”

SHODAN.IO WEBCAM BROWSER


IOT NETWORK SCANNER (FREE): IOTSCANNER.BULLGUARD.COM


100K+ UNIQUE SCANS PER WEEK

5% OF SCANS HAVE VULNERABILITIES

DEF CON: IOT VILLAGE

Total of 113 vulnerabilities found in two DEF CON events


50 DIFFERENT DEVICES

39 BRAND-NAME MANUFACTURERS

75% OF TESTED SMART LOCKS EASILY COMPROMISED

Source: http://www.darkreading.com/attacks-breaches/iot-village-at-def-con-24-uncovers-extensive-security-flaws-in-connected-devices/d/d-id/1326928

Audio feeds

Web browsing

Video feeds

Health & fitness data

Location

Sleep habits

Weight

Eating habits

Security

Driving habits

THE END OF PRIVACY? NOT JUST TRADITIONAL PII ANYMORE

Source: BullGuard Software

END OF PRIVACY


IS PRIVACY DEAD?

Source: ISACA 2014 Risk Reward Barometer

ATTITUDE TOWARD DECREASING LEVEL OF PERSONAL PRIVACY

VERY CONCERNED: 69%

SOMEWHAT CONCERNED: 25%

NOT CONCERNED: 4%

DON’T BELIEVE IT’S DECREASING: 2%

END OF PRIVACY


THEN AND NOW

1993: “On the Internet, nobody knows you’re a dog.”

2017: “Remember when, on the Internet, nobody knew who you were?”

BIG DATA AND ANALYTICS APPLICATIONS

PREDICTING CONSUMER BEHAVIOR

CURING CANCER

PREDICTING WEATHER

REDUCING ENERGY COSTS

BUILD BETTER CARS

SECURITY INTELLIGENCE AND FRAUD DETECTION

100 ZETTABYTES BY 2025!

BIG DATA PRIVACY CONCERNS

“DE-IDENTIFIED” INFORMATION CAN BE “RE-IDENTIFIED”

Data collectors claim that the aggregated information has been “de-identified”; however, it is possible to re-associate “anonymous” data with specific individuals, especially since so much information is linked with smartphones


DATA SOVEREIGNTY ISSUES

Many countries or regions (like the EU) may have requirements that certain personal data and the processing of that data remain in the country or region

POSSIBLE DEDUCTION OF PERSONALLY IDENTIFIABLE INFORMATION

Non-personal data could be used to make predictions of a sensitive nature, like health condition, financial status, etc.

RIGHT TO BE FORGOTTEN

The EU’s GDPR has a “right to be forgotten” that may be challenging to implement in a Big Data environment.

What about predicting crime by particular individuals? Will we have predictive capabilities like those in the movie Minority Report, but through Big Data?


USING BIG DATA TO PREDICT CRIME


Source: https://thenextweb.com/artificial-intelligence/2017/08/01/this-cia-funded-tool-predicts-crime-before-it-happens/

This CIA-funded tool predicts crime before it happens

. . . The ‘eye in the sky’ — Palantir’s term, not mine —sifts through massive amounts of data, attempting to better derive useful information from its contents. . . .

But it’s on the streets of Chicago and Los Angeles that . . . an Orwellian future is becoming reality. There, Palantir’s algorithms monitor previous crime data to create “hot spots” law enforcement officials then use to determine which areas need a larger police presence.


ALPHAGO ZERO SURPASSES ALL PREVIOUS VERSIONS WITHOUT HUMAN INPUT

Source: DeepMind

DARPA CYBER GRAND CHALLENGE AT DEFCON

7 TEAMS


competing with individual supercomputers with machine learning programs

ATTACKING other systems and defending your own

“MAYHEM” took the top prize of $2M


IS THE FUTURE OF HACKING AI?

IS THE FUTURE OF CYBER DEFENSE AI?


THE FUTURE: DIGITAL BY DEFAULT. PRIVATE AND SAFE?


QUESTIONS?


ROB CLYDE, CISM, NACD Board Leadership Fellow

Vice-Chair, ISACA International

Executive Chair, Board of Directors, White Cloud Security

Managing Director, Clyde Consulting LLC

Executive Advisor to Bullguard and Hytrust

rclyde@isaca.org

EMAIL: info@isaca.org

WEBSITE: www.isaca.org
