• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Information Security past, present and future -  Nothing new under the sun ? (Infosecurity.nl 2012)
 

Information Security past, present and future -  Nothing new under the sun ? (Infosecurity.nl 2012)

on

  • 1,488 views

You read that a simple trojan can bring down the biggest part of local government and people still store clear-text passwords in databases that consequently are stolen with the 10.000s, you would ...

You read that a simple trojan can bring down the biggest part of local government and people still store clear-text passwords in databases that consequently are stolen with the 10.000s, you would think there is in the world of ICT-security.
Despite carloads of marketing-material and a continuous stream of catchy new terminology and technology, old security-attacks still are viable and get a hacker were he wants to go. In a short, to-the-point presentation we will talk about which lessons you should learn from the past and what new challenges lay ahead. This is a practical, technical talk with real-life examples.

Statistics

Views

Total Views
1,488
Views on SlideShare
1,482
Embed Views
6

Actions

Likes
1
Downloads
3
Comments
0

3 Embeds 6

https://twitter.com 2
http://www.linkedin.com 2
https://www.linkedin.com 2

Accessibility

Categories

Upload Details

Uploaded via as OpenOffice

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Information Security past, present and future -  Nothing new under the sun ? (Infosecurity.nl 2012) Information Security past, present and future -  Nothing new under the sun ? (Infosecurity.nl 2012) Presentation Transcript

    • Nihil novi sub solem?Security: Past, present and future... Jan Guldentops ( j@ba.be ) BA N.V. ( http://www.ba.be )
    • My personal story● Jan Guldentops (° 1973) ● Historian by Education, ICT consultant & researcher by vocation, security-guy by accident ● Strong background in: – Open Source / Linux ( since 1993 ) – Research ( BA Testlab ) – Security● Better Access / BA N.V. (°1996) ● Small team of consultants ● Macguyver, security and infrastructure projects
    • For the record:I never considered myself a security-expert...
    • Belgium Online● 1996 exposed security-problems in the first Belgian internet-bank● Amateurism – browseable cgi-bin-dir – clear-text, downloadable perlscripts – mainframe userid/password connection – (internal) documentation downloadable – debug logging to a browseable directory – ...● “experts” ● Built by Netvision ( later Ubizen now Verizon )
    • In security there is often a bigdifference between reality and theory, marketing and sales
    • What did I think in 1996 would be fixed by Now?
    • User Authentication● We still mostly use userid/passwords for authentication ● Strong, tokenbased authentication ?● Often no centralised user / role management system● Bad passwords / usage● Clear-text storage of userid / passwords● ...
    • E-mail● Has become one of the most important forms of communication...● BUT ● Nobody encrypts, signs his e-mail ● Still use SMTP with all its problems ● We havent fundamentally solved the spam-problem● Often it is a miracle e-mail works at all
    • IPv6● 1996 we already were running out of ip- adresses ( “Imminent death of the internet, episode 3097”)● Adaption of IPV6 is still pretty marginal● In Belgian one of the companies developing smart metering uses IPV4 adresses in the most recent design!
    • Encryption● We still dont encrypt everything ! ● Disks ● Devices ● Communications● And if we use encryption we often use it in a bad, insecure way.● Basic awareness of how encryption works is quite rare even with IT-professionals.
    • Secure communications● We still communicate clear text or use badly setup encryption! ● No use of third party signed certificates in for instance web applications ● Man-in-the-middle attacks are still easy to do ● You can still sniff passwords !
    • Amateurism● Security is in a lot of projects still a side-show● Even for security orientated companies● Biggest example is the Diginotar case...
    • The official report :The successful hack implies that the current network setup and / or procedures at DigiNotarare not sufficiently secure to prevent this kind of attack.The most critical servers contain malicious software that can normally be detected byanti-virus software. The separation of critical components was not functioning or was not inplace. We have strong indications that the CA-servers, although physically very securelyplaced in a tempest proof environment, were accessible over the network from themanagement LAN.The network has been severely breached. All CA servers were members of one Windowsdomain, which made it possible to access them all using one obtained user/passwordcombination. The password was not very strong and could easily be brute-forced.The software installed on the public web servers was outdated and not patched.No antivirus protection was present on the investigated servers.An intrusion prevention system is operational. It is not clear at the moment why it didn ‟t blocksome of the outside web server attacks. No secure central network logging is in place.
    • Good system administration● Integrity checks ● For instance host based IDS● Centralized tamper-proof logging● Decent password policies● Automated, regular security-updates● Etc.
    • Business Continuity● Correct risk assessment is still a problem ● RTO ● RPO● Testing and common sense are often forgotten● We still see major data loss problems on a regular basis● RT @JeremiadLee: There’s an assumption that when you host in the cloud, the datacenter is well above sea level.
    • Security awareness is incredibly low
    • Operating systems● Are still not secure● Not only a problem of the OS anymore but all the components in it ( java, flash, browsers, etc.)● Also a enduser problem : ● e.g. SE Linux everybody turns it off
    • What has been fixed ?
    • Cyber police● In 1996 there hardly existed anything like a computer crime unit or a Digitale recherche● Now there is an infrastructure and professionals for this.● But often money is wasted by politicians ● Digitale meldpunten ● Etc.
    • Law itself● In 1996 there was no law allowing us to prosecute cybercriminals.● A whole framework has been put in place.● But the balance between privacy / civil rights and the war on cybercrime is always delicate. ● Especially when it concerns copyright.
    • Best practices There now is a complete framework of bestpractices, advisories, trainings, certifications, etc.
    • Other changes
    • M(o)ore● Moores law is still working : ● Exponential growth of the available bandwidth ● Computing power● Globalisation● Doesnt make it easier ● Encryption can be broken more quickly ● Denial-of-service attacks get more lethal
    • Cloud / Cloud washing● One million different definitions : ● Private / public / hybride ● SAAS, PAAS, IAAS,● A lot is marketing blabla and Cloud washing● But it doesnt change the basic security paradigm: ● CIA● Cloud doesnt change the rules !
    • ICT has lost control● IT / Security manager were always no-men● In the past they were the ones that are the alfa and omega of what happens in an enterprise / organisation● Is being challenged by : ● Consumerism ● BYOD
    • Mobilisation● Perimeter has completely disappeared● Enormous consequences we are still getting to grasp with : ● Network ● Authentication ● Devices ● Data Leakage ● ...
    • Cyber criminals have organized● 1996 organized crime was not really big in cyberspace● Hackers were mostly cyberpunks● Now organized crime going for the big money ● Scamming ● Trade and industrial secrets ● Hacking ● Blackmail...
    • Privacy Impact● We did the “Dave”-project for Febelfin ● Idea is to create awareness to be careful what you post on the internet ● http://www.youtube.com/watch?v=F7pYHN9iC9I● 3 factors ● What we give away ourself on social media, blog, etc. ● Open, often governmental data ● What large players (Google, Facebook) do with this data● One rule: everything you post on the net is public !
    • The future ?● There is only one security killer product : common sense, everything is marketing ! ● Be critical !● Standards and frameworks should not be paper tigers but practical tools.● Create awareness on every level from the enduser, over the IT-staff to highest management level.● If you go cloud, get legal and real guarantees
    • Questions ? Jan Guldentops j@ba.beTwitter: JanGuldentops