(Mis)trust in the cyber era

  1. Information Security Summit 2013, October 23rd 2013 @ Hong Kong. (Mis)trust in the Cyber Era. Albert Hui, GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA, Principal Consultant.
  2. Who Am I? Albert Hui, GREM, GCIA, GCIH, GCFA, GCFE, GPEN, GXPN, GAWN, GSNA, CISA. SANS Advisory Board Member. GRC Consultant for Banks, Government and Critical Infrastructures. Spoken at Black Hat, HTCIA-AP, and Economist Corporate Network. Former HKUST lecturer.
  3. Agenda: 1. Trust Defined; 2. Ramifications of Trusting Another Party; 3. Privacy at Stake; 4. The Solution?
  4. A Story of Trust and (Alleged) Betrayal
  5. Dropbox’s Clarification
  6. Dropbox’s Clarification (cont.)
  7. Sad but True. “If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext.” Bruce Schneier
  8. Understanding Trust
  9. Why Important to Reflect on Trust? $\text{Risk} = \frac{1}{\text{Trust}}$
  10. What Exactly is Trust? Faith, Evidenced Assurance, Knowing. Reality, Ideal.
  11. Trust Outsourcing
  12. Risk is Often Outsourced: Insurance, Hedging.
  13. Trust is Often Outsourced Too
  14. Public Key Infrastructure, Simplified: Certificate Authority, Alice, Bob.
  15. Compromised Root Certificate Authorities
  16. Signed Malware: Stuxnet, Duqu, …
  17. Transitive Trust
  18. Reality. RISK OUTSOURCING: 1. Assess risks; 2. Treat some risks; 3. Terminate some risks; 4. Tolerate some risks; 5. Transfer remaining risks. TRUST OUTSOURCING: 1. Transfer trust; 2. Trust that the transferee is trustworthy (secure, reliable, and aligned with your risk appetite and risk strategy).
  19. Trust Crowdsourcing
  20. Herd Mentality
  21. Open Source’s “Many Eyes” Claim: Evidence to the Contrary. Generates Predictable Keys (CVE-2008-0166).
  22. Privacy
  23. Recap. “If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext.” Bruce Schneier
  24. Privacy Seppuku
  25. The Public-Private Surveillance Partnership
  26. Technologically Speaking: a court order is no different from an insider attack.
  27. Suggestions: 1. Be conservative in assessing trust outsourcing risks. 2. Be skeptical. 3. Defense in depth. 4. End-to-end encryption.
  28. Thank You. albert@securityronin.com