Cloud, social networking and BYOD collide!

747 views

Working with a variety of multi-national organisations has shown Peter Wood that conventional security thinking has failed to address the challenge that the product of these areas has presented us - so how do we deal with this brave new world?

Published in: Technology
Cloud, social networking and BYOD collide!

  1. Cloud, social networking and BYOD collide! Peter Wood, Chief Executive Officer, First•Base Technologies
  2. Who is Peter Wood?
     • Worked in computers & electronics since 1969
     • Founded First Base in 1989 (one of the first ethical hacking firms)
     • CEO, First Base Technologies LLP
     • Social engineer & penetration tester
     • Conference speaker and security ‘expert’
     • Member of ISACA Security Advisory Group
     • Vice Chair of BCS Information Risk Management and Audit Group
     • UK Chair, Corporate Executive Programme
     • FBCS, CITP, CISSP, MIEEE, M.Inst.ISP
     • Registered BCS Security Consultant
     • Member of ACM, ISACA, ISSA, Mensa
     Slide 2 © First Base Technologies 2012
  3. Cloud
  4. What's Different in Cloud: where security is THEM versus where security is YOU, across SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service)
  5. What's Different in Cloud
  6. What's Different in Cloud
  7. Just a little brainstorm
  8. Social Networking
  9. Yada yada yada (Bruce Schneier)
     • People have always talked about work to their friends
     • What has changed is the nature of how we interact
     • We talk about our lives on our blogs, on social networking sites such as Facebook and Twitter, and on message boards pertaining to the work we’re doing
     • What was once intimate and ephemeral is now available to the whole world, indexed by Google, and archived for posterity
     • A good open-source intelligence gatherer can learn a lot about what a company is doing by monitoring its employees’ online activities
  10. Social networks vulnerabilities
  11. Social networks vulnerabilities
  12. Why APT works
  13. BYOD
  14. Data loss
     • Unencrypted storage and backup
     • Poor or missing passwords and PINs
     • No automatic screen lock
     • Mobile apps often store sensitive data such as banking and payment system PIN numbers, credit card numbers, or online service passwords
  15. Network spoofing
     • Mobile devices use wireless communications exclusively, and often public WiFi
     • SSL can fall victim to a downgrade attack if the app allows degrading HTTPS to HTTP
     • SSL could also be compromised if the app does not fail on invalid certificates, enabling MITM attacks
  16. Spyware: http://www.f-secure.com/en/web/labs_global/whitepapers/reports
  17. UI impersonation
     • A malicious app creates a UI that impersonates the phone’s native UI or the UI of a legitimate application
     • The victim is asked to authenticate and ends up sending their credentials to an attacker
     http://blogs.mcafee.com/mcafee-labs/android-malware-pairs-man-in-the-middle-with-remote-controlled-banking-trojan
  18. BYOD risks
     • Data loss: a stolen or lost phone with unprotected memory allows an attacker to access the data on it
     • Unintentional data disclosure: most apps have privacy settings, but many users are unaware that data is being transmitted, let alone know of the existence of the settings to prevent this
     • Network spoofing attacks: an attacker deploys a rogue network access point and intercepts the user’s data or conducts MITM attacks
     • Phishing: an attacker collects user credentials using fake apps or messages that seem genuine
     • Spyware: the smartphone has spyware installed, allowing an attacker to access or infer personal data
     • Surveillance: spying using an open microphone and/or camera
     • Diallerware: an attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers
     • Financial malware: malware specifically designed for stealing credit card numbers or online banking credentials, or for subverting online banking or ecommerce transactions
  19. The Collision
  20. How Security sees Management?
  21. How Management sees Security?
  22. The Solution?
  23. Make it real! Identify real threats, identify real impact, demonstrate the risk
  24. Now for the science bit …
  25. Business Impact Level: a successful exploit will result in compromise of the Confidentiality, Integrity or Availability of an asset
     • Level 1: negligible impact
     • Level 2: limited consequences
     • Level 3: significant impact
     • Level 4: very high impact, requiring external assistance and possible financial support
     • Level 5: major risk which seriously endangers business processes and prevents continuity
  26. Threat Actors
     • System and Service Users: regular users, admins, end users, shared service users
     • Direct Connections: service providers, other business units
     • Indirect Connections: network users, internet users
     • Supply Chain: developers, hardware support
     • Physically Present: regular users, admins, visitors, war drivers, intruders
  27. Threat Actor Capability
     1. Very little: almost no capabilities or resources
     2. Little: an average untrained computer user
     3. Limited: a trained computer user
     4. Significant: a full-time, well-educated computer expert using publicly available tools
     5. Formidable: a full-time, well-educated computer expert using bespoke attacks
  28. Threat Actor Motivation
     1. Very low: indifferent
     2. Low: curious
     3. Medium: interested
     4. High: committed
     5. Very high: focused
  29. Threat = Capability x Motivation
  30. Example Threat Actor Analysis
  31. Risk = Impact x Threat
  32. Example Risk for Impact Level of 3
  33. Example Prioritised Risk List
  34. Run a Workshop
  35. Now you’ve added value!
  36. Or … Management versus Security
  37. Which results in …
  38. Need more information? Peter Wood, Chief Executive Officer, First Base Technologies LLP; peterw@firstbase.co.uk; http://firstbase.co.uk; http://white-hats.co.uk; http://peterwood.com; Twitter: peterwoodx
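The scoring model on slides 25 to 33 (impact, capability and motivation each rated 1 to 5, Threat = Capability x Motivation, Risk = Impact x Threat, then a prioritised list) worked through in code. This is an added example, not code from Peter Wood's deck; the sample threat actors and their ratings are constructed for illustration, and the ranking is for the impact level 3 case the deck uses on slide 32.

```python
"""Risk scoring as on the slides: Threat = Capability x Motivation and
Risk = Impact x Threat, every factor rated 1..5 on the slide scales."""
from dataclasses import dataclass

# Scale labels from slides 25, 27 and 28 (key = rating).
CAPABILITY = {1: "Very little", 2: "Little", 3: "Limited",
              4: "Significant", 5: "Formidable"}
MOTIVATION = {1: "Very low", 2: "Low", 3: "Medium", 4: "High", 5: "Very high"}
IMPACT = {1: "negligible", 2: "limited", 3: "significant", 4: "very high", 5: "major"}

def _check(name, value):
    # Reject ratings outside the 1..5 scales used throughout the deck.
    if value not in range(1, 6):
        raise ValueError(f"{name} must be 1..5, got {value!r}")
    return value

@dataclass(frozen=True)
class ThreatActor:
    name: str
    capability: int  # slide 27 scale
    motivation: int  # slide 28 scale

def threat_score(actor):
    """Slide 29: Threat = Capability x Motivation (1..25)."""
    return _check("capability", actor.capability) * _check("motivation", actor.motivation)

def risk_score(impact_level, actor):
    """Slide 31: Risk = Impact x Threat (1..125)."""
    return _check("impact", impact_level) * threat_score(actor)

def prioritised_risks(impact_level, actors):
    """Slide 33: (risk, actor) pairs, highest first; ties keep input order."""
    return sorted(((risk_score(impact_level, a), a) for a in actors),
                  key=lambda pair: pair[0], reverse=True)

# Constructed sample actors with hypothetical ratings (not from the deck),
# drawn from the actor categories listed on slide 26.
SAMPLE_ACTORS = [
    ThreatActor("Disgruntled admin (system user)", 4, 4),
    ThreatActor("Curious internet user (indirect connection)", 2, 2),
    ThreatActor("War driver (physically present)", 3, 3),
    ThreatActor("Outsourced developer (supply chain)", 5, 2),
]

if __name__ == "__main__":
    level = 3  # slide 32 works the example for impact level 3
    print(f"Impact level {level} ({IMPACT[level]}):")
    for risk, actor in prioritised_risks(level, SAMPLE_ACTORS):
        print(f"  {risk:3d}  {actor.name}  "
              f"[{CAPABILITY[actor.capability]} / {MOTIVATION[actor.motivation]}]")
```

Because both factors of Threat are capped at 5, a single motivated expert (5 x 5 = 25) outweighs any number of curious amateurs, which is the ordering a workshop audience needs to see before agreeing on priorities.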