Ehsan Foroughi M.Sc., CISSP, CISM. Availability Confidentiality Integrity.

Internet SecurityPast, Present, and the Future

Ehsan ForoughiM.Sc., CISSP, CISM

Information Security Triad (CIA)

Availability

Con

fiden

tial

ity Integrity

Confidentiality Integrity Availability Authenticity Non-repudiation

Security Concepts

Ref: Wikipedia

Cyber Security in Canada

Cybercrime costs businesses in US $8.9 B in 2012 – increase of %38 from 2010

On average security breaches◦ Take 24 days to spot◦ Take 40 days to clean◦ Take $592,000 to clean up per incident◦ Increase of %42 in cleanup cost from 2011

In a study of 56 organizations:◦ $8.9M in cyber security/crime cost per

organization per year◦ Security tools lowered cost by $1.6M

Cost of Cyber Crime

Cost of Cyber Crime

Average Cost of Cyber Security Attacks Per Second By Industry

Ref: Enlight Research

Targeted Attacks

Ref: HP Ponemon Report

TJX Companies: 94 Million CC exposed (2006)

Conficker Worm Botnet: Affected 15M systems at its peak. (2008)

Heartland Payment Systems: 134 Million CC data lost (2008)

Stuxnet attack on Iran Nuclear Plants: Damage Cost ?? (2010)

Sony network breach of 77 M accounts, cost $171 M (2011)

Incidents

44%

30%

19%

5% 2%

Biggest hit to businesses

Lost InformationBusiness DisruptionLost RevenueEquipment DamageOther

Cost of Cyber Crime

Ref: Businessweek

Infrastructure Security (Network / Internet Security)

Application Security Physical Security (Environmental Security) Operational and Process Security Cryptography e-Forensics Governance & Compliance Business Continuity and Disaster Recovery

Planning (BCP / DRP)

Subject Areas in Cyber Security

Internet Security Threats

Vulnerability(Weakness)

Insecure Design /

Architecture

Software Bugs

(Errors)

Spoofing / Phishing

Malware

Denial of Service

int main() { char buffer[4]; int some_variable = 1; ... strcpy("Test", &buffer);

Software Bugs: Buffer Overflow

T e s t \0

def Withdraw(user, value):balance = AccountBalance(user)if balance < value:

Exit(Error)balance = balance – valueAccountBalance(user) = balancePayOut(value) Exit(Ok)

Software Bugs: Race Condition

def Withdraw(user, value):balance = AccountBalance(user)if balance < value:

Exit(Error)balance = balance – valueAccountBalance(user) = balancePayOut(value) Exit(Ok)

Software Bugs: Race Condition

$90 $90

$100 $10

$10

def Withdraw(user, value):balance = AccountBalance(user)if balance < value:

Exit(Error)balance = balance – valueAccountBalance(user) = balancePayOut(value) Exit(Ok)

Software Bugs: Race Condition

$90 $90

$100 $100

$10 $10

def Withdraw(user, value):balance = AccountBalance(user)if balance < value:

Exit(Error)balance = balance – valueAccountBalance(user) = balancePayOut(value) Exit(Ok)

Software Bugs: Race Condition

$90 $90

$100 $100

$10 $10

2003 Blackout

Trojan Horses Viruses Worms Rootkits Botnets Spyware

Malware

Sending Spam Email

Stealing Passwords and Information

Using Resources

Malware: Goals

Email

USB Disk

Shared Network Drives

Pop-ups and download links

Insecure Network

Malware: Transfer Mediums

Distributed Denial of Service Attack Grudge factor Oct 2012 attack on banks by Izzad-Dinal-

Qassam Hackers◦ CapitalOne◦ HSBC◦ SunTrust

Anonymous group crippled Visa, MasterCard, PayPal over WikiLeaks

Denial of Service

import smtplibfrom email import MIMETexts = smtplib.SMTP('localhost')msg = MIMEText.MIMEText('Hello from Microsoft.')msg['Subject'] = 'This is a test'msg['From'] = '[email protected]'msg['To'] = '[email protected]'ret = s.sendmail(msg['From'], [msg['To']],

msg.as_string())s.close()

Spoofing Example: Email

Let’s Rethink Email Security

Email Security

NPIBOEFT

Security Tools: Cryptography

NPIBOEFT

Security Tools: Cryptography

N P I B O E F T

NPIBOEFT

Security Tools: Cryptography

N

M

P

O

I

H

B

A

O

N

E

D

F

E

T

S

Confidentiality Integrity Authenticity

Cryptography

Alice Bob

Charlie

Symmetric Key Cryptography Shared Secret Encryption Only Usages:

◦ Password Protected Zip Files◦ WEP-Shared (WiFi)◦ SSL / HTTPS

01011001

11001101

10010100

11001101

01011001

A -> B

Public Key Cryptography

Ref: Wikipedia

Public Key Cryptography Encryption

Authenticity (Signing)

Usages:◦ Email Validation (PGP)◦ Authentication / Login◦ Banking

Antivirus replacement: Microsoft Malicious Software Removal Tools

Malware Removal: Malware-bytes Browsers:

◦ Use Chrome ◦ Stay away from Internet Explorer

Email Security: Web-mails such as Gmail Password Management: PasswordSafe,

LastPass, etc

Tools for Personal Security

Payment Card Industry Data Security Standard (PCI-DSS)◦ Liability!

Privacy Laws: Canada Privacy Act 1983 ISO 27001: Information Security

Management Systems

Compliance

Innternational Information Systems Security Certification Consortium - (ISC)²

Non-profit (since 1989) Focused on IT Security 90,000 Members Certified Information Systems Security

Professional (CISSP) Certified Secure Software Lifecycle

Professional (CSSLP) CISSP: US DoD and NSA requirement

Associations - (ISC)2

Information Systems Audit and Control Association (previously)

Non-profit (since 1967) Focused on IT Governance and Audit 95,000 Members Certified Information Systems Auditor (CISA) Certified Information Security Manager

(CISM) Continuing Education Point system, called

CPE

Associations - ISACA

Open Web Application Security Project (OWASP)

Non-profit Open source Focused on Securing Web

Associations – OWASP

Questions?