Nsa spying gem_2013_final
1. Banque Öhman
The potential consequences of the NSA (and GCHQ) spying on the mobile enterprise
And what you can/should do about it
Claus Cramon Houmann
2013-11-14
2. Key takeaways:
• The known and the "feared" extents of the NSA spying & others who spy
• Spyware exists which can take full control of any mobile device, not to mention laptops
• Defend your enterprise with defense in depth which includes devices outside the perimeter
• Make sure you know which data leaves the perimeter
• Do your risk assessments and protect against your REAL threats
• Consider any data that leaves the perimeter lost
3. Why am I here presenting this?
• June 6th
• ...and since then
• Truth has been coming out
• That affects us all
4. Initial releases from Snowden trove
• PRISM, XKEYSCORE, other programs that combined SPY on our lives -> and remove much of our privacy & security
– Calls being recorded in the US – private AND corporate
– Metadata for all calls and Internet in the US
– -> this alone is quite a risk for companies operating in the US
• But THEN started the real revelations that concern any company, worldwide....
5. !Collect everything!
• It turns out that the NSA & partners collect everything (almost)
– Your calls
– Your metadata
– Your e-mails
– Your Google searches
– Your banking transactions
– Your social media activity
• They are intercepting, analyzing and storing almost all Internet traffic. If they can't decrypt it, it just gets stored longer until they can
6. !Tailored access!
• It's not enough to just collect and store everything
• NSA actively hacks states, companies and private individuals
• To make this EASIER they have also weakened an unknown amount of cryptographic standards and tools
7. Red flags – special NSA target areas
• Any bank with a SWIFT code
• Anyone using encryption
• Anyone doing anything in the Middle East
• Anything to do with oil or gas (energy)
• Anyone building security systems / infosec systems
8. But wait...this doesn't affect my company
• Raise your hand if you're thinking this right now
9. My guess
• Is that around 25% of people present raised their hands
• I hope for 0
• If 25% raised their hands, another 25% didn't – only due to normal classroom psychology
10. Why are those raised hands wrong?
• Others have the means to exploit cryptographic weaknesses
– China, Russia, serious competitors?
• The NSA passes information to the US Government (and others?); it's conceivable that information from NSA spying ends up in US corporate hands
(http://www.zerohedge.com/contributed/2013-10-21/nsabusted-conducting-industrial-espionage-france-mexico-brazilchina-and-all)
– This has happened before (Echelon, anno 2000, e.g. in a BBC report)
• Anyone can potentially get at your data! Especially in exposed locations such as mobile devices
11. But then...what can we do?
• Risk management – mitigate the risks to acceptable levels
• Defense-in-depth: Defend your data, wherever and whenever appropriate. Follow the booming market for innovative tools – eventually someone will find a way to protect smartphones/tablets acceptably. Laptops are already protectable
• ENCRYPT. EVERYTHING. NOW.
• Manage where your data is. Control that policies are followed.
• Awareness training & GRC implementation/improvement
13. The future brings....
• European or global crypto-standards institute
• Advanced malware protection tools (AMPs), also for phones and tablets
• Changes to how the NSA spies on US citizens...but how about the rest of us....?
• Fortress Europe? Fortress South America? Fortress Russia?
14. About me
• Claus Cramon Houmann, 38, married to Tina and I have 3 lovely kids
• CISSP, ITIL Certified Expert, PRINCE2 practitioner
• You can contact me anytime:
– Skype: Claushj0707
– Twitter: @claushoumann
• Sources used:
– Richard Stiennon's presentation: "How the surveillance state is changing IT security forever"
– Tidbits from @mikko's TEDx presentation recently