THE IMPORTANCE OF CYBERSECURITY
26/05/2021
www.nalys-group.com
INTRODUCTION
WHAT IS CYBERSECURITY
Protection of computer systems from information disclosure, theft or damage to their hardware, software, or electronic data, as well as from disruption or misdirection of the services they provide.
(Wikipedia)
Introduction
When it goes wrong
Technical side
Facts numbers
Conclusion
WHAT IS IT NOT
• Protection of personal data privacy
➔ Privacy ➔ GDPR
• Data availability in case of an accident
➔ Business continuity
• Making sure your servers are always online
➔ Reliability and redundancy
• Making sure your system always behaves correctly
➔ Safety
IOT PERSPECTIVE
Safety
Protecting the user of the device.
Ex: Your car or plane may not crash even if it experiences issues.
Security
Protecting the device from the malicious user.
Ex: Someone tries to inject a virus into your phone while you are clicking on a web page.
THE GRAY ZONE
The brake control software in your car must be:
• Bug free
• Not upgradable by just anybody …
to avoid breaking its safety features.
Safety: if there is water in your washing machine, the door must stay locked.
Security: your locker may only be opened with your key, so your belongings are safe.
CYBERSECURITY AND OTHER CONCERNS
Cybersecurity is part of a wider set of concerns whose ultimate aim is to make sure that:
• Your personal data can only be accessed and modified by you or somebody you trust
• The system you use always behaves as specified
(Diagram: overlapping concerns: Cybersecurity, Reliability, Privacy, Safety)
WHEN IT GOES WRONG
IMPACT OF A CYBERSECURITY ACCIDENT
• Low impact: you don't notice, or you are only annoyed
o Ex: viruses, zombie machines (parasitism)
• High impact: there is financial or social damage
o Ex: everybody knows you have a mistress / sees you naked
o Ex: ransomware, Bitcoin heist…
• Life threatening: lives are at stake
o Ex: F-35 hack, target identification compromised
o Ex: ransomware attack on a German hospital caused a death
HACKERS: MEN IN BLACK OR MEN IN WHITE
White hats, or ethical hackers.
They are paid to find the vulnerabilities in your infrastructure.
Black hats, or the « bad guys ».
They do it for money or to cause damage. Sometimes they even work for a state.
They both like to party.
The DEFCON and BlackHat conventions are the place to be to learn about the hot topics in cybersecurity (like how to hack your Tesla).
CERT
Computer Emergency Response Team
A team in a company responsible for monitoring attacks and responding to them as fast as possible, limiting the damage caused.
Examples:
o Cert.be for Belgium
o CERT-EU for Europe; NATO also has one
o US-CERT
ATTACK TYPES
Common attacks
• Social engineering: tricking people into giving you information about somebody else
• Viruses: Trojans, worms, ransomware...
• Denial of Service / brute force: using a botnet
• Targeted attacks: Stuxnet… typically performed by states
Side channel attacks
• DPA: Differential Power Analysis
• Statistical timing analysis
• Probing using EM probes or microscopes…
Stealing company secrets (blueprints…)
SECURITY STANDARDS
National security and military
o Common Criteria: regulates how to develop secure IT products
▪ Ex: Red Hat, Mac OS X, TPM 2 chips, MySQL, Oracle DB…
o Tempest: regulation about electromagnetic emissions
Industry-specific standards
o Payment: PCI-DSS
o CCNA, CompTIA
o ANSI coding rules
o OWASP…
THE TECHNICAL SIDE
INTRODUCTION
• Requirements: Target of Evaluation in Common Criteria…
• Cryptography: algorithms and procedures
• Concepts: need to know, layered security, access control…
• Technologies: TLS, TPM 2.0, TrustZone…
COMMON CRITERIA
• Target of Evaluation (ToE): what you are protecting
• Protection Profile (PP): defines threats, roles, security objectives, SFR, SAR…
• Security Target: describes the security problem and "how" to address it
• Security Functional Requirements (SFR): requirements about security
• Security Assurance Requirements (SAR): a number expressing how strict you are
➔ Defines an Evaluation Assurance Level (EAL)
CONCEPTS – LAYERED PROTECTION
(Diagram, layers from the inside out: Hardware: chips, e.g. TPM 2 / Board mechanics: detect physical intrusion, DPA, probing / Operating system / Libraries / Filesystem/Data: access rights / Network / Application)
CONCEPTS – LAYERED PROTECTION
Each security layer protects against the flaws of the previous layer.
TPM 2.0 – THE SECURITY CHIP INSIDE YOUR PC
• X86 processors have no HW security features
• UEFI starts without any security
• The TPM 2.0 is unable to verify whether a request is made by a trusted party
• The TPM 2.0 sees only « the processor »
• UEFI + TPM 2.0 security can be fooled by:
o the Management Engine
o malicious code in other HW subsystems
(Diagram: TPM 2.0 chip (secure vault, crypto engine) connected to the X86 processor over an unencrypted link with no strong authentication; UEFI settings)
TPM 2.0 – THE SECURITY CHIP INSIDE YOUR PC
• The system is vulnerable before and during the UEFI boot process
• It prevents installation of SW not signed by Microsoft (or Apple if you have a Mac)
Consequence
• It doesn't protect your privacy
• It doesn't protect you from any malicious program
It has nothing to do with cybersecurity.
TRUSTZONE
Hardware and software solution
• Hardware
o Virtual second core with segregation of memory accesses
o HW vendor-specific additions to provide an end-to-end solution
• Software
o OP-TEE: secure firmware
o TF-A: secure pre-bootloader that initializes the TrustZone
TRUSTZONE - SOFTWARE
CRYPTOGRAPHY
• Confidentiality: encryption/decryption using a key
o Key length is a measure of the algorithm's strength
• Authenticity: use of certificates to authenticate the user
o Needs a « Root of Trust »: something/somebody that can tell you whether the data are real
• Integrity: use of secure hashes. It is impossible for a Man in the Middle to rebuild a correct hash without the correct key
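The integrity bullet above is the one that is easiest to get wrong in practice: an unkeyed hash sent alongside a message only catches accidental corruption, because anyone who can replace the message can also recompute its hash. The slide's phrase "without the correct key" is the important part. The following Python example is added here for illustration and is not code from the presentation or from Nalys; the message, the tampered copy and the key are constructed sample values. It compares a plain SHA-256 check with a keyed HMAC-SHA256 check against the same man-in-the-middle scenario the slide describes.

```python
import hashlib
import hmac

# Constructed sample data (not from the slides): a message as sent, the
# version a man in the middle would like to substitute, and a shared key that
# only the two legitimate endpoints know.
MESSAGE = b"transfer 100 EUR to account BE00-0000-0000"
TAMPERED = b"transfer 900 EUR to account BE00-0000-0000"
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def plain_tag(message: bytes) -> str:
    """Unkeyed SHA-256 digest: protects only against accidental corruption."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 digest: cannot be recomputed without the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message: bytes, tag: str) -> bool:
    """Receiver-side check of an unkeyed hash (constant-time comparison)."""
    return hmac.compare_digest(plain_tag(message), tag)


def verify_keyed(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver-side check of a keyed tag (constant-time comparison)."""
    return hmac.compare_digest(keyed_tag(key, message), tag)


def simulate(key: bytes) -> dict:
    """Run both schemes through the man-in-the-middle scenario from the slide.

    The sender attaches a tag to MESSAGE. The middleman swaps in TAMPERED:
    with an unkeyed hash he simply recomputes a matching digest, with a keyed
    tag all he can do is forward the original one, which no longer matches.
    """
    sent_plain = plain_tag(MESSAGE)
    sent_keyed = keyed_tag(key, MESSAGE)

    recomputed_plain = plain_tag(TAMPERED)   # trivially possible: no secret needed
    forwarded_keyed = sent_keyed             # best the middleman can do without the key

    return {
        "plain_hash_accepts_tampered": verify_plain(TAMPERED, recomputed_plain),
        "hmac_accepts_tampered": verify_keyed(key, TAMPERED, forwarded_keyed),
        "hmac_accepts_genuine": verify_keyed(key, MESSAGE, sent_keyed),
        "plain_hash_accepts_genuine": verify_plain(MESSAGE, sent_plain),
    }


if __name__ == "__main__":
    for check, accepted in simulate(DEMO_KEY).items():
        print(f"{check}: {'ACCEPTED' if accepted else 'REJECTED'}")
```

The receiver never learns anything from the unkeyed hash that the attacker could not forge, which is why integrity protection on an untrusted channel always needs a key (an HMAC as here, or a digital signature, which the PKI slides cover). `hmac.compare_digest` is used for both verifications so that the comparison itself does not leak timing information, the "statistical timing analysis" side channel listed under attack types.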
SYMMETRIC ENCRYPTION (DES – AES)
ASYMMETRIC ENCRYPTION (RSA – ECDSA)
ASYMMETRIC ENCRYPTION – PKI
FACT NUMBERS
AN EXPLOSION OF POSSIBILITIES
IOT FACTS AND NUMBERS
• Revenue is $212 billion worldwide
• 2020: 20.4 billion IoT devices online – 2025: 75 billion devices
• $1 trillion spent on IoT this year
• 847 zettabytes (10^21 bytes) of data generated
CYBERSECURITY FACTS AND NUMBERS
• $10.5 trillion in damage by 2025
• $1 trillion spent on cybersecurity this year
• More than 400 million user records stolen in 2020
• $50M – $70M in ransomware
• Bitcoins worth $530M stolen in 2019
CONCLUSION
• Cybersecurity carries a huge financial and social risk
• The risk is growing exponentially – it follows the IoT trend
• It must be taken into account during the design phase
• It will never be perfect – you will be hacked someday
• A challenging technological problem
• An even more challenging procedural problem
THANK YOU FOR YOUR ATTENTION
CONTACT
• Benoit Callebaut: bcallebaut@nalys-group.com
• Ntech: ntech@nalys-group.com
www.ntech-events.com