Jan Guldentops - The changing world and the technical impact on your security
Infosecurity 2011: The changing world and the technical impact on your security. Jan Guldentops ( email@example.com ), BA N.V. ( http://www.ba.be )
Who am I? Jan Guldentops. Historian by education, techie by vocation. > 15 years experience in the field of networking and security. Strong focus on open source / standards in my solutions. Open source fundamentalist after hours. Founder / consultant @ BA since 1996. Do a lot of research.
Who is BA? BA: team of technical consultants. Design – build – support – troubleshoot. Strong R&D division doing tests in our lab and researching new technology. Focus on infrastructure / networking / security. Vendor-neutral advice. Focus on openness: open standards / source.
Security – what is it? (again) CIA: CONFIDENTIALITY, INTEGRITY, AVAILABILITY (+ Accountability, Non-repudiation, Authenticity, Reliability)
What is it not? Marketing: abused by the sales guy, abused by the marketing guy, abused by the politician. FUD: Fear, Uncertainty, Doubt. Mythology.
Confessions of a dangerous mind: I've been playing with security / insecurity my whole life. Intellectual challenge. 198*: arms race around copyright protection; first BBS systems; phreaking; bypassing analog PBXes; green numbers.
Confessions of a dangerous mind: 199* @University: got a big network / internet to play with; Linux; “discussed” security problems with staff. 1996: exposed security problems in the first Belgian online bank. 1998: proved and documented problems in Lotus Notes / Domino. 2001: proved / documented problems
I sometimes feel so 1996: People are still... well... people (and this also applies to ICT / security “experts”), e.g. passwords, social engineering, all the other human vices.
I sometimes feel so 1996: Websites are still being hacked by script kiddies with simple tools. Got an LSEC statistic yesterday: in 2010 16134 .be were defaced! Encryption is still not used everywhere, or we use self-signed certificates! SMTP is still not fixed! Relatively simple worms and viruses can still cause havoc: Stuxnet, Conficker.
I sometimes feel so 1996: Companies still don't think about security when designing a (web)application: play around with WebScarab or Firebug. On 99% of my customers' networks I can still set up a reverse tunnel! SSH on an open TCP port; OpenVPN; tunnel over DNS.
Yelo is intended for residential use. Most customers therefore use Yelo at home, over a secured home network. For them there is no problem at all
What has changed? Moore's Law. CPU: in 1996 I had a Pentium 1 - 133 MHz workstation, now I have some quad-core Intel processor, or I can rent temporary computing power in the cloud from Amazon (EC2). Networking: in 1996 I had an expensive 64 Kbit ISDN internet connection at home, now we have all Mbits of connectivity
What has changed? Speed: you could get away with security stupidities for weeks, months, years. Now a stupidity like an open proxy or an sshd with a trivial password gets hacked in minutes. Legal framework: we have a CCU now. They have laws to prosecute cybercriminals.
What has changed? Perimeter has disappeared. The scope of who attacks you is different? Globalisation. Used to be cyberpunks. Now organized crime, nations (cyberwar), etc. People live their lives
Trends in 2010/11? Data leakage: we are losing confidential information to the outside world. Mobile devices: phones, smartphones, laptops, iPads, etc. Public services. Theft. Once it is out there you are never getting it back in!
Trends in 2010/11? New civil movements: people organising on the internet via Facebook, Twitter, etc. Using the internet for communication, but also going for orchestrated DoS attacks: LOIC aka Low Orbit Ion Cannon. Examples: revolutions in the Middle East; movement supporting WikiLeaks. What if you are the target?
Trends in 2010/11? Social media: people are living their lives online, putting potentially confidential and dangerous info on their profiles. We see a lot of targeted attacks based on info gained from social media. Information is leaking out of your organisation. Social networks are not very secure: session key sniffing, no encryption, bad privacy. Instant news: reputation / crisis management.
Trends in 2010/11? Consumerism: bringing consumer applications / toys into the corporate organisation, e.g. the iPad, but also using Google Docs, Facebook, MSN, etc. for business purposes. Security is the last thing on their mind, ICT loses control. 0/1 approach -> IT becomes mister no. Often pushed by the higher management.
Trends in 2010/11? Hacking tools get GUIs. Everybody is a threat. Goes further than script kiddies: really everybody can hack. “Sneakers” has become a reality. Examples: Firesheep; Aircrack-NG, BackTrack. Speeds up security!
How are we going to fix this? There is no technology fix for all this. Next generation firewalls look promising: Palo Alto. Becomes a marketing term everybody uses, like UTM. Good security practices! Create / implement a good security policy. Audit. Limit access. Educate your users.