CYBER FUTURE: SECURITY AND PRIVACY DOOMED?
Source: isaca.ro/wp-content/uploads/2017/12/Robert-Clyde-ISACA... (2017-12-20)
Post on 01-Jan-2021
CYBER FUTURE: SECURITY AND PRIVACY DOOMED?
December 8, 2017
ROB CLYDE, CISM, NACD BOARD LEADERSHIP FELLOW
VICE-CHAIR, ISACA
MANAGING DIRECTOR, CLYDE CONSULTING LLC
EXECUTIVE CHAIR, WHITE CLOUD SECURITY
EXECUTIVE ADVISOR TO BULLGUARD AND HYTRUST
THE FUTURE: DIGITAL BY DEFAULT
12/4/2017
NEW MANUFACTURING COMPANIES ARE REALLY SOFTWARE COMPANIES
ELON MUSK, TESLA CEO
“Tesla is a software company as much as it is a hardware company”
OLD MANUFACTURING COMPANIES ARE SOFTWARE COMPANIES TOO?
“If you went to bed last night as an industrial company, you’re going to wake up today as a software and analytics company”
JEFF IMMELT, GENERAL ELECTRIC CEO
digital business with software at the core
USING THE INTERNET OF THINGS TO SPY?
12/4/2017 © 2017 ISACA. All Rights Reserved.
Photograph Source: Alex Brandon/AP
US Intelligence Chief: We Might Use the Internet of Things to Spy On You
“In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking and targeting for recruitment”, says James Clapper, US director of national intelligence.
INTERNET-CONNECTED SURVEILLANCE?
Source: https://www.nytimes.com/2017/03/07/world/europe/wikileaks-cia-hacking.html
WikiLeaks Releases Trove of Alleged C.I.A. Hacking Documents
WikiLeaks released thousands of documents that it said described sophisticated software tools used by the Central Intelligence Agency to break into smartphones, computers and even internet-connected televisions.
If the documents are authentic, as appeared likely at first review, the release would be the latest coup for the anti-secrecy organization and a serious blow to the C.I.A.
INTERNET-CONNECTED SURVEILLANCE?
https://www.wsj.com/article_email/chinas-tech-giants-have-a-second-job-helping-the-government-see-everything-1512056284-lMyQjAxMTI3MzA2MTIwNjE0Wj/?mg=prod/accounts-wsj
China’s Tech Giants Have a Second Job: Helping Beijing Spy on Its People
Tencent and Alibaba are among the firms that assist authorities in hunting down criminal suspects, silencing dissent and creating surveillance cities
RANSOMS GETTING MORE EXPENSIVE
Ransomware got a proverbial shot in the arm earlier this year following the WannaCry attacks and it looks as if hackers are getting more brazen with their requests as a result.
Web hosting company Nayana, based in South Korea, was attacked with the Erebus ransomware on June 10. The company ultimately had to pay a fee of 397.6 Bitcoin (approximately $1 million), the largest ransomware payment ever.
Published June 21, 2017
Erebus ransomware targets vulnerable Linux servers
Some Nayana servers were running 2008 versions
Ransomware attack costs South Korean company $1M, largest payment ever
RANSOMWARE OPERATORS ADOPT TYPICAL BUSINESS PRACTICES
TECHNICAL SUPPORT
TIME LIMITED OFFERS
TRY BEFORE YOU BUY
APP CONTROL RECOMMENDED AS #1 MITIGATION STRATEGY
THE AUSTRALIAN GOVERNMENT issued mandatory application whitelisting usage requirements to protect their “high value” systems
RUN ONLY KNOWN TRUSTED APPS
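The slide above recommends application control ("run only known trusted apps") as the top mitigation. The following is an added example, not code from the deck or from ISACA, showing the difference between a weak name-based allowlist and a content-hash allowlist: a tampered copy that keeps an approved file name passes the name check but is denied by the hash check. All file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    """Digest of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(trusted_paths):
    """Map digest -> file name for every known-good executable.
    In practice this list is produced on a clean system and distributed signed."""
    return {sha256_of(p): os.path.basename(p) for p in trusted_paths}

def allowed_by_hash(path, allowlist):
    """Strong check: run only if the exact bytes are on the allowlist."""
    return sha256_of(path) in allowlist

def allowed_by_name(path, allowlist):
    """Weak check, shown for comparison: trusts anything with an approved name."""
    return os.path.basename(path) in allowlist.values()

def demo():
    """Constructed scenario: one approved tool, a tampered copy under the same
    name in another directory, and an unknown binary. Returns each verdict."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = Path(d) / "bin"
        tmp_dir = Path(d) / "tmp"
        bin_dir.mkdir()
        tmp_dir.mkdir()

        trusted = bin_dir / "approved_tool.bin"
        trusted.write_bytes(b"#!/bin/sh\necho approved\n")   # constructed "binary"
        allowlist = build_allowlist([str(trusted)])

        tampered = tmp_dir / "approved_tool.bin"            # same name, altered bytes
        tampered.write_bytes(trusted.read_bytes() + b"echo extra\n")

        unknown = tmp_dir / "dropper.bin"                   # never approved
        unknown.write_bytes(b"#!/bin/sh\necho unknown\n")

        return {
            "trusted_by_hash": allowed_by_hash(str(trusted), allowlist),
            "tampered_by_hash": allowed_by_hash(str(tampered), allowlist),
            "tampered_by_name": allowed_by_name(str(tampered), allowlist),
            "unknown_by_hash": allowed_by_hash(str(unknown), allowlist),
        }

if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check}: {'ALLOW' if verdict else 'DENY'}")
```

The hash check is what real application-control products enforce (often alongside publisher signatures); the name check is included only to show why path or name based rules are not a substitute.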
SOON EVERYTHING WILL BE CONNECTED
Source: https://schrier.wordpress.com/2015/05/25/the-internet-of-first-responder-things-iofrt/
OFFICE SUPPLIES
SURVEILLANCE
COOKING IMPLEMENTS
UTILITIES
HOME APPLIANCES
SMART TV SECURITY CONCERNS
MICROPHONE MAY ALWAYS BE ON (for voice commands)
Risk that attacker could turn on webcam
Activity on Smart TV is tracked and may be shared with social media
Like with smartphones, malicious apps could be downloaded
SMART TVS IN THE OFFICE:
Consider not connecting to Internet; if you do, connect to a Guest network
Take care as to which features and apps are enabled
Turn off or disable microphone and webcam
If possible, lock out others from changing TV settings
CONNECTED CARS ALSO AT RISK
Researchers Remotely Hack Tesla Model S While it’s Being Driven
The remote hacks likely work on all Tesla models, but on the parked Model S P85, the researchers remotely opened the sunroof, turned on the turn signal, and changed the position of the driver’s seat.
Researchers also hacked a 75D model while it was moving, controlling the brakes from 12 miles away.
INSECURE IOT DEVICES AND PRIVACY
Search engine lets users find live video of sleeping babies
“In 2012, simply attempting to log in as “root” or “admin”, with the password being the same again, was sufficient for another group of anonymous internet explorers to gain access to over 400,000 devices. With the rise of internet-connected devices since this study was conducted, that number is likely to be far higher.”
SHODAN.IO WEBCAM BROWSER
IOT NETWORK SCANNER (FREE): IOTSCANNER.BULLGUARD.COM
100K+ UNIQUE SCANS PER WEEK
5% OF SCANS HAVE VULNERABILITIES
DEF CON: IOT VILLAGE
Total of 113 vulnerabilities found in two DEF CON events
50 DIFFERENT DEVICES
39 BRAND NAME MANUFACTURERS
75% OF TESTED SMART LOCKS EASILY COMPROMISED
Source: http://www.darkreading.com/attacks-breaches/iot-village-at-def-con-24-uncovers-extensive-security-flaws-in-connected-devices/d/d-id/1326928
Audio feeds
Web browsing
Video feeds
Health & fitness data
Location
Sleep habits
Weight
Eating habits
Security
Driving habits
THE END OF PRIVACY? NOT JUST TRADITIONAL PII ANYMORE
Source: BullGuard Software
END OF PRIVACY
IS PRIVACY DEAD?
Source: ISACA 2014 Risk Reward Barometer
ATTITUDE TOWARD DECREASING LEVEL OF PERSONAL PRIVACY
VERY CONCERNED: 69%
SOMEWHAT CONCERNED: 25%
NOT CONCERNED: 4%
DON’T BELIEVE IT’S DECREASING: 2%
END OF PRIVACY
THEN AND NOW
1993: “On the Internet, nobody knows you’re a dog.”
2017: “Remember when, on the Internet, nobody knew who you were?”
BIG DATA AND ANALYTICS APPLICATIONS
100
PREDICTING CONSUMER BEHAVIOR
CURING CANCER PREDICTING WEATHER
REDUCING ENERGY COSTS
BUILD BETTER CARS
SECURITY INTELLIGENCE AND FRAUD DETECTION
ZETTABYTES BY 2025!
BIG DATA PRIVACY CONCERNS
“DE-IDENTIFIED” INFORMATION CAN BE “RE-IDENTIFIED”: Data collectors claim that the aggregated information has been “de-identified”; however, it is possible to re-associate “anonymous” data with specific individuals, especially since so much information is linked with smartphones
DATA SOVEREIGNTY ISSUES: Many countries or regions (like the EU) may have requirements that certain personal data and the processing of that data remain in the country or region
POSSIBLE DEDUCTION OF PERSONALLY IDENTIFIABLE INFORMATION: Non-personal data could be used to make predictions of a sensitive nature, like health condition, financial status, etc.
RIGHT TO BE FORGOTTEN: The EU’s GDPR has a “right to be forgotten” that may be challenging to implement in a Big Data environment.
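The re-identification concern above is usually quantified with k-anonymity: strip the direct identifiers and then ask how many records share each combination of remaining quasi-identifiers (ZIP code, birth year, gender); a class of size one is a person anyone with a public record like a voter roll can single out. The following is an added example, not code from the deck or from ISACA, that measures k on a constructed sample and shows how generalizing the quasi-identifiers raises it. Records, field names and the chosen generalization are assumptions for the demonstration.

```python
from collections import Counter

# Constructed sample of "de-identified" health records: names and IDs removed,
# but the quasi-identifiers ZIP code, birth year and gender remain.
RECORDS = [
    {"zip": "10001", "birth_year": 1975, "gender": "F", "diagnosis": "asthma"},
    {"zip": "10001", "birth_year": 1975, "gender": "F", "diagnosis": "flu"},
    {"zip": "10002", "birth_year": 1981, "gender": "M", "diagnosis": "diabetes"},
    {"zip": "10003", "birth_year": 1981, "gender": "M", "diagnosis": "flu"},
    {"zip": "10004", "birth_year": 1976, "gender": "F", "diagnosis": "migraine"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "gender")

def key_of(record, quasi_ids=QUASI_IDENTIFIERS):
    """The combination of quasi-identifier values that defines a record's class."""
    return tuple(record[q] for q in quasi_ids)

def equivalence_classes(records, quasi_ids=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(key_of(r, quasi_ids) for r in records)

def k_anonymity(records, quasi_ids=QUASI_IDENTIFIERS):
    """k = size of the smallest class. k == 1 means some record is unique, so
    anyone who knows a person's ZIP, birth year and gender can pick out their row."""
    return min(equivalence_classes(records, quasi_ids).values())

def unique_records(records, quasi_ids=QUASI_IDENTIFIERS):
    """Records that are alone in their class, i.e. trivially re-identifiable."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[key_of(r, quasi_ids)] == 1]

def generalize(records):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth decade.
    The sensitive attribute (diagnosis) is left untouched."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["birth_year"] = r["birth_year"] // 10 * 10
        out.append(g)
    return out

def safe_to_release(records, k_required=2):
    """Release gate: refuse any dataset whose smallest class is below k_required."""
    return k_anonymity(records) >= k_required

if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS), "unique rows:", len(unique_records(RECORDS)))
    coarse = generalize(RECORDS)
    print("generalized k =", k_anonymity(coarse), "release ok:", safe_to_release(coarse))
```

On the sample, three of five raw records are unique (k = 1) even though no name is present; after generalization every record shares its class with at least one other (k = 2). Real releases use larger k and also check that the sensitive attribute varies within each class, since a class where everyone has the same diagnosis still leaks it.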
What about predicting crime by particular individuals? Will we have predictive capabilities like those in the movie Minority Report, but through Big Data?
USING BIG DATA TO PREDICT CRIME
Source: https://thenextweb.com/artificial-intelligence/2017/08/01/this-cia-funded-tool-predicts-crime-before-it-happens/
This CIA-funded tool predicts crime before it happens
. . . The ‘eye in the sky’ — Palantir’s term, not mine — sifts through massive amounts of data, attempting to better derive useful information from its contents. . . .
But it’s on the streets of Chicago and Los Angeles that . . . an Orwellian future is becoming reality. There, Palantir’s algorithms monitor previous crime data to create “hot spots” law enforcement officials then use to determine which areas need a larger police presence.
ALPHAGO ZERO SURPASSES ALL PREVIOUS VERSIONS WITHOUT HUMAN INPUT
12/4/2017 ® 2017 ISACA. All Rights Reserved.29 Source: DeepMind
DARPA CYBER GRAND CHALLENGE AT DEFCON
7 TEAMS
competing with individual supercomputers with machine learning programs
ATTACKING other systems and defending your own
“MAYHEM” took the top prize of $2M
IS THE FUTURE OF HACKING AI?
IS THE FUTURE OF CYBER DEFENSE AI?
??
THE FUTURE: DIGITAL BY DEFAULT. PRIVATE AND SAFE?
QUESTIONS?
ROB CLYDE, CISM, NACD Board Leadership Fellow
Vice-Chair, ISACA International
Executive Chair, Board of Directors, White Cloud Security
Managing Director, Clyde Consulting LLC
Executive Advisor to Bullguard and Hytrust
rclyde@isaca.org
EMAIL: info@isaca.org
WEBSITE: www.isaca.org