Nsa spying gem_2013_final
A presentation describing why companies should take the consequences of the global spying & encryption weakening into account when assessing risks

Published in: Technology, Business

  1. Banque Öhman. The potential consequences of the NSA (and GCHQ) spying on the mobile enterprise, and what you can/should do about it. Claus Cramon Houmann, 2013-11-14
  2. Key takeaways:
     • The known and the ”feared” extents of the NSA spying, and others who spy
     • Spyware exists which can take full control of any mobile device, not to mention laptops
     • Defend your enterprise with defense in depth, which includes devices outside the perimeter
     • Make sure you know which data leaves the perimeter
     • Do your risk assessments and protect against your REAL threats
     • Consider any data that leaves the perimeter lost
  3. Why am I here presenting this?
     • June 6th
     • ...and since then
     • Truth has been coming out
     • That affects us all
  4. Initial releases from the Snowden trove
     • PRISM, XKEYSCORE and other programs that, combined, SPY on our lives -> and remove much of our privacy & security
       – Calls being recorded in the US – private AND corporate
       – Metadata for all calls and Internet in the US
       – -> this alone is quite a risk for companies operating in the US
     • But THEN started the real revelations that concern any company, worldwide....
  5. !Collect everything!
     • It turns out that the NSA & partners collect everything (almost)
       – Your calls
       – Your metadata
       – Your e-mails
       – Your Google searches
       – Your banking transactions
       – Your social media activity
     • They are intercepting, analyzing and storing almost all Internet traffic. If they can't decrypt it, it just gets stored longer until they can
  6. !Tailored access!
     • It's not enough to just collect and store everything
     • The NSA actively hacks states, companies and private individuals
     • To make this EASIER they have also weakened an unknown number of cryptographic standards and tools
  7. Red flags – special NSA target areas
     • Any bank with a SWIFT code
     • Anyone using encryption
     • Anyone doing anything in the Middle East
     • Anything to do with oil or gas (energy)
     • Anyone building security systems / infosec systems
  8. But wait...this doesn't affect my company
     • Raise your hand if you're thinking this right now
  9. My guess
     • Is that around 25% of people present raised their hands
     • I hope for 0
     • If 25% raised their hands, another 25% didn't – only due to normal classroom psychology
  10. Why are those raised hands wrong?
     • Others have the means to exploit cryptographic weaknesses – China, Russia, serious competitors?
     • The NSA passes information to the US Government (and others?); it's conceivable that information from NSA spying ends up in US corporate hands (http://www.zerohedge.com/contributed/2013-10-21/nsabusted-conducting-industrial-espionage-france-mexico-brazilchina-and-all)
       – This has happened before (Echelon, anno 2000, e.g. in a BBC report)
     • Anyone can potentially get at your data! Especially in exposed locations such as mobile devices
  11. But then...what can we do?
     • Risk management – mitigate the risks to acceptable levels
     • Defense-in-depth: defend your data, wherever and whenever appropriate. Follow the booming market for innovative tools – eventually someone will find a way to protect smartphones/tablets acceptably. Laptops are already protectable
     • ENCRYPT. EVERYTHING. NOW.
     • Manage where your data is. Control that policies are followed.
     • Awareness training & GRC implementation/improvement
  12. Defense-in-depth. Isn't it simple and beautiful?
  13. The future brings....
     • A European or global crypto-standards institute
     • Advanced malware protection tools (AMPs), also for phones and tablets
     • Changes to how the NSA spies on US citizens...but how about the rest of us....?
     • Fortress Europe? Fortress South America? Fortress Russia?
  14. About me
     • Claus Cramon Houmann, 38, married to Tina, and I have 3 lovely kids
     • CISSP, ITIL Certified Expert, PRINCE2 Practitioner
     • You can contact me anytime:
       – Skype: Claushj0707
       – Twitter: @claushoumann
     • Sources used:
       – Richard Stiennon's presentation: ”How the surveillance state is changing IT security forever”
       – Tidbits from @mikko's recent TEDx presentation
  15. Questions?