1.
Threats from the Economical Improvement
Why the economy on emerging countries can pose as a threat to
cyber security and how to improve the protection through
continuous education
Eduardo Vianna de Camargo Neves
Conviso IT Security, Operations Manager
OWASP Global Education Committee Member
1
Thursday, October 21, 2010 1

2.
Overview
The increase of global economy and their reflections on BRIC countries,
are changing how these societies make business and interact with the
rest of the world
Companies from Brazil, India, Russia and China are not working only on
their own markets anymore
A new mid-class with access to credit lines and technology is impulsing
commerce on new markets and becoming one economic power
Cyber crime is raising in the same proportion, following the money and
profiling new opportunities with a lower risk
Conviso IT Security | Threats from the Economical Improvement 2
Thursday, October 21, 2010 2

3.
Overview
This presentation will focus on Brazil and a proposal to contribute on
cyber crime prevention and reduction through education on computer
security for the society
This is an on-going project which are being improved and will be
presented with new data at OWASP AppSec DC, on November 2010
A white paper is being produced with collaboration from other
companies and independent researchers to improve content and allow
new deliveries
An OWASP Project will be launched on 2011 to support this initiative as
part of Global Education Committee efforts on Latin America, supporters
and contributors are welcome
Conviso IT Security | Threats from the Economical Improvement 3
Thursday, October 21, 2010 3

4.
Changes on economy and society
Conviso IT Security | Threats from the Economical Improvement 4
Thursday, October 21, 2010 4

5.
Welcome to a Brave New World
Brazil, Russian Federation, India and China had made impressive changes
on their economies and transform how their society are dealing with it
Brazil is a world-leader on agribusiness and lead specific high-tech
sectors such as airplane production and oil exploration
Russia is the world's second largest oil exporter and largest gas exporter
and the economy is growing since 2001
India is one of the fastest growing telecom markets in the world and
maintains a unemployment rate of 10.7% on 2009
China contributed 1/3 of global economic growth in 2004 and accounted
for half of global growth in metals demand
Source: The World Factbook by CIA
Conviso IT Security | Threats from the Economical Improvement 5
Thursday, October 21, 2010 5

6.
The Role of a New Society
According to the World Bank, developing countries' share in world trade
rose from 16% in 1990 to 30% in 2006, led by China and with Brazil and
India not far behind
The urban Chinese middle class will spend close to $2.3 trillion a year by
2025, while India's one should grow from 5 percent today to over 40
percent of the nation over the next 20 years
In Brazil, 10 million people gained Internet between 2005 and 2007,
making a total with access to nearly 40 million, or 29% of the population
Companies, Governments and the society in all those countries are
becoming stronger and using technology to support their grow
Source: The World Bank
Conviso IT Security | Threats from the Economical Improvement 6
Thursday, October 21, 2010 6

7.
Reflections on cyber-crime
The ties between economics and information security was discussed by
Ross Anderson and other authors. The improvement of BRIC countries’
economies brings new topics
Governments are not ready to deal with a change on the society which is
creating millions of new users of Internet based services
Companies are dealing with new threats using old technologies, the
Market for Lemons is here
People are buying computers and smart phones to be on line but they
really don’t understand the risks and impacts of a connected world
Conviso IT Security | Threats from the Economical Improvement 7
Thursday, October 21, 2010 7

8.
The results are on our sight
Cyber crime is increasing world-wide and besides the fact that numbers
are very complicated, there are some questions which can lead a
discussion on causes and solutions
Governments are not ready to deal with a change on the society which is
creating millions of new users of Internet based services
Companies are dealing with new threats using old technologies, the
Market for Lemons is here
People are buying computers and smart phones to be on line but they
really don’t understand the risks and impacts of a connected world
Conviso IT Security | Threats from the Economical Improvement 8
Thursday, October 21, 2010 8

9.
The Brazilian Scenario
Conviso IT Security | Threats from the Economical Improvement 9
Thursday, October 21, 2010 9

10.
The Economic Redemption
As a result of deep changes started on 1994 and maintained by all
Governments, Brazil is now watching a new and continuous social
improvement
Almost 52% of the population are in Mid-Class, comparing to a rate of
32% on 1992
10 million people gained Internet between 2005 and 2007, making a
total with access to nearly 40 million, or 29% of the population
The number of credit cards rose from 27 million on 2006 to 150 million in
2009
Source: BBC and Reuters
Conviso IT Security | Threats from the Economical Improvement 10
Thursday, October 21, 2010 10

11.
Timeline
Cyber crime are being conducted in Brazil since 2001. Attacks are
increasing, being more sophisticated and trending to client-side
approaches and target hosts in other countries
Incidents on
Year Attack Trend Fraud %
CERT.BR
2001 • Initial deployment of rudimentary keyloggers
5,997 0%
• Brute force attacks on bank sites
2004 • Increase in sophisticated phishing
75,722 5%
• DNS compromises widely used (“pharming”)
2007 • Trojans delivered via drive-by downloads
160,080 28%
• Malware modifying client’s hosts file
2009 • Usage of XSS and CSRF
358,343 69%
• Identity Theft
Source: CERT.BR
Conviso IT Security | Threats from the Economical Improvement 11
Thursday, October 21, 2010 11

12.
Cyber Crime Evolution
Fraud, are still the major issues, however a new trend is being observed
on the last three years
Social networks are being used to share criminal information, from child
pornography to kidnapping. The damage is affecting local and
international companies as co-responsible
Attacks are moving from trojans to exploration of common flaws on web
sites such as XSS and CSRF to support fraud and identity theft
Brazil’s electrical grid was supposed targeted by crackers, however data
leakage on Government web sites and systems are becoming a routine
Source: Safernet.org.br, Symantec and Conviso Security Labs
Conviso IT Security | Threats from the Economical Improvement 12
Thursday, October 21, 2010 12

13.
Why you should care about
USA is accounted for 19% of Internet based attacks but the BRIC
countries also compose a large slice of this problem
8% USA
21% 4%
3%
60% Brazil
Russia
India
6%
China
World
19%
And there are a lot
of space to grow
Source: Internet Security Threat report, by Symantec
Conviso IT Security | Threats from the Economical Improvement 13
Thursday, October 21, 2010 13

14.
The Call for Education
Conviso IT Security | Threats from the Economical Improvement 14
Thursday, October 21, 2010 14

15.
Education is the Key
We do not believe that education only for the community is enough to
transform this scenario. A more comprehensive approach must be
delivered for three major areas.
The Government must understand how fragile web security can be and
prepare their own strategies do deal with
Companies must understand how to buy, develop and maintain secure
applications for their customers
The academia must change their directions. Security is not optional and
all programers and managers must understand that as part of their
competencies
Conviso IT Security | Threats from the Economical Improvement 15
Thursday, October 21, 2010 15

16.
The OWASP Role
There are several OWASP Projects ready to be used by anyone which
needs to make more secure software, so a “packing strategy” is required
to make them more palatable for different audiences
Governments must understand why application security matters and
must be a strategy for the country and an obligation to their citizens
Companies must promote security in all business areas and relate this
achievement on the executive agenda
The Academia must include computer security on several areas as a
common discipline like statistics and math. Specialization is great, but do
not achieve the responsible parties
Conviso IT Security | Threats from the Economical Improvement 16
Thursday, October 21, 2010 16

17.
Conclusions
Conviso IT Security | Threats from the Economical Improvement 17
Thursday, October 21, 2010 17

18.
Next Steps
This is a simple but ambitious project which we believe will change how
people understand application security on the BRIC countries and several
complementary steps are required
Specific competencies to support delivery process
Effort allocation to adapt current content to the reality in each country
Leaders to support the overall development and achieve other countries
with similar situation than Brazil
Conviso IT Security | Threats from the Economical Improvement 18
Thursday, October 21, 2010 18

19.
Acknowledgements
The following companies, organizations and individuals supported this
research and sponsored this presentation:
Conviso IT Security: Sponsored my travel and is supporting this research
(Disclaimer: I am one of the parters)
Anchises Moraes Guimaraes De Paula: IT Security researcher working
with me on this development. You can tweet him at @anchisesbr
All images used in this presentation are licensed on Creative Commons
and the original sources can be reached clicking on them
Conviso IT Security | Threats from the Economical Improvement 19
Thursday, October 21, 2010 19

20.
Threats from the Economical Improvement
Why the economy on emerging countries can pose as a threat to
cyber security and how to improve the protection through
continuous education
Eduardo Vianna de Camargo Neves
Conviso IT Security, Operations Manager
OWASP Global Education Committee Member
20
Thursday, October 21, 2010 20