
IT and Systems Security - The Bigger Picture


Every profession, along with education courses, has now been parsed into specialisms - a series of ‘soda straws’ or pipes giving a narrow view and focus with little chance of ‘cross-pollination’. Even IT and Systems Security is now sliced into many different facets spanning coding and encryption through to malware; electronic and physical attacks; technology and people.

Covering all of these specialisms in a single course can be difficult let alone a single lecture. But this lecture attempts to do just that (or at least a large slice of it) in a 3-hour session of two 90min sessions. It is done so against the backdrop of an established set of Security Laws.

The primary objective is to give the student a broad view of the wider threats and how they are perpetrated and linked together. Some technical aspects are not explicitly included, but they are reserved for other detailed sessions.

Published in: Internet

IT and Systems Security - The Bigger Picture

  1. 1. IT and Systems SECURITY - The Bigger Picture. Prof Peter Cochrane OBE, petercochrane.com, Sentient Systems Research
  2. 2. A CAT AND MOUSE GAME: Attackers have the advantage - Defenders on the back foot
  3. 3. What we know for sure: Attacks are escalating; The Dark Side is winning; The attack surface is increasing; Cyber disruption costs are growing; Companies do not collaborate and share; The attackers operate an open market; All our security tools are reactive; Attacker rewards are on the up; People are the biggest risk; There are no silver bullets. It is time to rethink our strategy and solution space. More of the same but better & faster will not change the game… we have to think anew - get out of the box and do something very different!
  4. 4. THE BIG PICTURE: Cyber security is no longer contained. The Dark Side are winning because they are 100% committed and see this war as total; a much wider conflict than CYBER alone… They are far more integrated and sharing than we are, and operate as a virtualised workforce driven by money and evil intent… We do not anticipate their innovation, tactics, tools, attacks, and we don’t think as they do… we are always on the back foot! We need to: Develop Dark Side technology; Start thinking like the enemy; Develop better radar systems; Build automatic react systems; Cooperate on developments; War game attack scenarios; Anticipate the next attack; Share all data & solutions
  5. 5. Reality 1: Breaking into most companies isn’t difficult!
  6. 6. Infiltration! Technology is not the only way • External services people • Visiting trades and repair crews • Unauthorised info focussed visits • Hardware/software plants in equipment • Memory sticks in rest rooms • +++ Open Screens, Open Access, Paper Notes, Open Desks, Telephone Numbers, Names, Contacts, Data, Devices, URLs
  7. 7. Opportunistic! • Careless and loud discussions • Open screens readily visible • Poor security of devices • Shoulder surfing • Careless PIN and PassWord use • Devices left unguarded • Open phone and SMS • Paper notes
  8. 8. Reality 2: The biggest threats are inside the FireWall. Rogue: Equipment, Networks, Chips, Code, Ports, People. Lax: People, Visitors, Security, Operations
  9. 9. Reality 3: No single solution can deal with all forms of attack… or indeed many types of mono-mode attack
  10. 10. Reality 4: Distributed Attacks demand a Distributed Defence. Dynamic Attackers necessitate Dynamic Defenders. We can act alone or we can unite and act together
  11. 11. Reality 5: People remain the single biggest security risk
  12. 12. Reality 6: If we continue to do what we’ve always done our security exposure and damage sustained accelerate…
  13. 13. Laws of security... 1) There is always a threat 2) It is always in a direction you’re not looking 3) Perceived risk/threat never equals reality 4) Nothing is 100% secure 5) People are always the primary risk 6) Resources are deployed inversely proportional to actual risk
  14. 14. Laws of security... 7) You need two security groups - defenders & attackers 8) Security & operational requirements are mutually exclusive 9) Legislation is always > X years behind 10) Security standards are an oxymoron 11) Security people are never their own customer 12) Cracking systems is far more fun than defending them
  15. 15. Laws of security... 13) Hackers are smarter than you - they are younger! 14) Hackers are not the biggest threat - governments are! 15) As life becomes faster it becomes less secure 16) Connectivity and data half lives are getting shorter too 17) We are most at risk during a time of transition 18) The weakest link generally defines the outcome
  16. 16. ATTACK SURFACE: The entire planet… Mobile Devices, Clouds, IoT. “A fully connected planet proffers the duality of the greatest risk and the biggest security opportunity”
  17. 17. Tomorrow: “We will need far more than smarter firewalls and malware protection…” “All our defence solutions and mechanisms will have to be evolutionary and automated”
  18. 18. DEATH / DEFEAT / Failure: Where does it generally come from? • From a direction you are not looking • By a mechanism you didn’t contemplate • At a time that is really inconvenient
  19. 19. WARFARE - A wider perspective. Scale of Potential Devastation; Potential Depth of Penetration. Geographical Metaphysical Technological Psychological Ecological Biological Physical Virtual Real. Land Sea Air Space Cyber Information ??? ??? ??? ???
  20. 20. WARFARE - A wider perspective. Cyber-Info War; Nuclear-Warfare; Bio-Chemical Warfare. Scale of Potential Devastation; Potential Depth of Penetration. Geographical Metaphysical Technological Psychological Ecological Biological Physical Virtual Real. Total Extinction; Trigger Event; Catalyst. Land Sea Air Space Cyber Information ??? ??? ??? ???
  21. 21. WARFARE - A wider perspective. Cyber-Info War; Nuclear-Warfare; Bio-Chemical Warfare. Scale of Potential Devastation; Potential Depth of Penetration. Geographical Metaphysical Technological Psychological Ecological Biological Physical Virtual Real. Total Extinction; Trigger Event; Catalyst. Land Sea Air Space Cyber Information. THERE IS ONLY WAR AND EVERY DOMAIN IS INTERCONNECTED. Governments AND The Military Can no longer protect their citizens ??? ??? ??? ???
  22. 22. USA LEADING THE WAY ? Social division, breakdown of law and order The Cult of Trump
  23. 23. SUPREMUM? Better than any other US President ever! The ‘leader’ of the free world has set a new standard that others now feel free to follow! We now have a pandemic of lies in politics, media and business +++
  24. 24. SUPREMUM? Better than any other US President ever! The ‘leader’ of the free world has set a new standard that others now feel free to follow! We now have a pandemic of lies in politics, media and business +++ Does anyone care anymore
  25. 25. LANDSCAPE of liars Banks Media Moguls Groups Criminals Politicians Terrorists Individuals Institutions Industrialists Rogue States Governments Political Factions +++++ Hackers Despots Dictators Reporters Executives Extremists Companies Conspirators The Paranoid The Vulnerable The Disaffected The Mischievous The Disadvantaged +++++ Elusive Amoral Corrupt Dynamic Dedicated Unethical Disguised Nefarious Transient Relentless Dedicated Networked Distributed Untraceable Multi-Media Evolutionary Camouflaged Multi-Faceted Multi-Dimensional
  26. 26. Nothing is isolated: Everything & everyone is now connected. Ecology Economics Technology Society Politics Markets Industry Education Policing Defence Commerce Security Logistics ing Co ies “In a networked and fast moving world simple minded thinking, approximations, ignorance and lies are dangerous - they destroy companies and countries” Trade “Siloed thinking is very dangerous - but the dominant mode”
  27. 27. EXTREME WEAPONS
  28. 28. A Tsunami of lies: Relentlessly generated and distributed. “We are overwhelmed by information flows from every direction and for every purpose - we are long past the point of being able to cope - and we need machine help to find, filter, validate what we actually need to read and watch” “The process is now being automated aka Malware fashion - and we have no effective defence in place”
  29. 29. IGNORANCE: Unlimited & unbounded. It takes far less thought, effort and energy to dismiss wisdom and deny a truth, than to blindly accepting the ridiculous. Truths are hard won: and often very difficult to establish and accept. They can demand deep thought, energy, and freedom of thought, an acceptance of debate, reason and education!
  30. 30. IGNORANCE: Unlimited & unbounded. It takes far less thought, effort and energy to dismiss wisdom and deny a truth, than to blindly accepting the ridiculous. Truths are hard won: and often very difficult to establish and accept. They can demand deep thought, energy, and freedom of thought, an acceptance of debate, reason and education! Oh, and by-the-way: man did not land on the moon! It was all a government spoof and it was filmed in a studio!!
  31. 31. Bigger and propagate faster, further, and deeper than the truth and validated information….and now growing in volume, extremism and span LIES & FAKE NEWS
  32. 32. LIES & FAKE NEWS: Bigger and propagate faster, further, and deeper than the truth and validated information… and now growing in volume, extremism and span. Simple & Easy to Grasp; Plays to Dispositions; No Thinking Required; Reinforces Prejudices. Creates social division, social instability, unease, dissatisfaction, paranoia, extremism, rebellion, social instability leading to violence…
  33. 33. LIES & FAKE NEWS: Bigger and propagate faster, further, and deeper than the truth and validated information… and now growing in volume, extremism and span. Simple & Easy to Grasp; Plays to Dispositions; No Thinking Required; Reinforces Prejudices. Creates social division, social instability, unease, dissatisfaction, paranoia, extremism, rebellion, social instability leading to violence… A lie can travel round the world and back again whilst truth is lacing up its boots - Mark Twain 1921
  34. 34. IGNORANCE & LIES: The biggest threat & challenge ever?
  35. 35. MORE: Context/ Meaning Extractor Inference Engine Primary Source Identifier Fact Checkers Style History Publications Behaviours Library of Lies Trending Analysis Running Veracity Rating AI Lie Detection slideshare.net/PeterCochrane/how-to-build-a-truth-engine
  36. 36. CYBER & INFO WAR: People - The Biggest Cyber Risk
  37. 37. BEHAVIOURS: People Machines Networks. Human Fallibility = Primary Failure Mechanism. Start Finish Breaks Uploads Browsing Downloads Connections SocialNets Individuals Population Contacts Mobility Content Mobility Storage Devices Apps +++ Patterns say it all very early!
  38. 38. BEHAVIOURS: People Machines Networks. Human Fallibility = Primary Failure Mechanism. Start Finish Breaks Uploads Browsing Downloads Connections SocialNets Individuals Population Contacts Mobility Content Mobility Storage Devices Apps +++ Patterns say it all very early! Behavioural Analysis is a largely unused tool. But AI Is A Game Changer. The patterns created often defy human abilities and AI is employed
  39. 39. THE DARK SIDE: To defeat them, think as they do! “Never interrupt your enemy when he is making a mistake.” ― Napoléon “A wise man gets more use from his enemies than a fool from his friends.” ― Baltasar Gracián “To become a good defender you must first become a good attacker” ― Me “To know your Enemy, you must become your Enemy” ― Sun Tzu
  40. 40. CYBER CRIME: Abridged history and cost. Banking Malware Crypto-Currency Attacks Bitcoin Wallet Stealer Device & Account Hijacking Ransomware EPoS Attack Fake News Propaganda Social Engineering DoS, DDoS Infected eMail Ransomware Identity Theft DNS Attack BotNets Site Sabotage SQL Attack Spam Identity Theft Phishing Trojan Worms Virus 1997 2004 2007 Estimated >>1000 Bn Attacks Total > $2000 Bn Cost of global cyber crime Today 2013. Almost all attacks/attack-types can be traced back to the exploiting of individuals who have volunteered vital info by falling victim to scams, spams and trickery. Social engineering is one of the most powerful tools to be widely exploited by the ‘Dark Side’ - and the approach can span from the dumb and very obvious to the highly sophisticated and hard to detect
  41. 41. CYBER Attack: Rapidly changing profiles. Fun Fame Notoriety Vandalism Limited Skills Limited Resources Tend to be Sporadic Rogue States Criminals Hacker Groups Hacktivist Amateurs Money Sharing Organic Dispersed Unbounded Huge Effort Progressive Cooperatives Self Organising Vast Resources Massive Market Aggregated Skills Semi-Professional Substantial Networks Skilled Political Idealists Emotional Relentless Dedicated Cause Driven Vast Networks Varied Missions Targeted Attacks Evolving Community Drugs Fraud Global Extreme Extortion Business Unbounded Professional Well Managed Well Organised Ahead of the Curve Orchestrated Effort Extremely Profitable Syndicated Resources Massive Attack Surface Vast up-to-date Abilities Covert Money WarFare Influence Pervasive Disruption Espionage Professional Sophisticated Well Organised Extreme Creativity Orchestrated Effort Political Influencers ~Unlimited Resources Tech/Thought Leaders Regime Destabilisation Population Manipulation Military and Civil Domains. Almost all attacks/attack-types can be traced back to human fallibility and ambition exploitation
  42. 42. WHAT WE DETECT: Possibly just the tip of an iceberg. We need to start looking below the surface of obviousness for the hidden sophistication of the many stealth attacks that we suspect are happening that we cannot see! Ransomware Phishing Crypto-Wallet DoS/DDoS SQLi // XSS Man-in-The Middle URL Spoofing Cloaking Malware Covert Plant Visitors Insiders Outsiders Alongsiders Customers Contractors WiFi Tunnels Implants Malware Networks Diversions Brute Force Decoys
  43. 43. PERVERSITY Irrational situations by design Our vehicles, white and brown goods are designed to be reliable - and ‘we’ don’t expect to have to get our tools out every week to keep them running ! Reliability, resilience, and trouble free longevity is designed in from concept through design, production, delivery, and customer use Customers no longer understand how they work and certainly do not possess the skills to service and do repairs!
  44. 44. PERVERSITY Irrational situations by design Non-intuitive language, choices, configurations and options cause endless frustration
  45. 45. PERVERSITY Irrational situations by design I see 7 year old machines that have never had an OS update and with no security software Owners oblivious to bot nets and their vital contribution to their global success… They don’t care because they have no clue…and why should they ?
  46. 46. PERVERSITY Irrational situations by design I see 7 year old machines that have never had an OS update and with no security software Owners oblivious to bot nets and their vital contribution to their global success… They don’t care because they have no clue…and why should they ? Why does industry assume people to be capable of managing their own PC, laptop, tablet, mobile; whilst ensuring they are also always secure? Industry needs to get a grip with fit for purpose products that have integrated security - managed for life as a part of
  47. 47. Inconvenience: FaceBook Cambridge Analytica + GDPR. A month of repetitious chaos trying to get legal, fix problems and patch security vulnerabilities. Home Academia and Lab Company on The Road. In just 3 contiguous weeks 4 x OS upgrades over ’N’ widely distributed devices + 163 App updates
  48. 48. THE IoT: Problem amplifier. Exponentially increasing the Attack Surface and the inherent complexity - but will be in every home and office, workplace, pocket and vehicle - not to mention every component, item of clothing and food +++ For The Dark Side this is as good as it gets! A great dumb question from 2017: “Why would anyone want to attack my toaster” Doh!
  49. 49. SHEER SCALE: > 100 - 1000 Bn things. This graphic by Beecham Research really conveys the IoT/M2M complexity to come
  50. 50. SHEER SCALE: > 100 - 1000 Bn things. Always online = Always at Risk. GOOD NEWS = Majority of IoT devices will never connect to the Internet!! This graphic by Beecham Research really conveys the IoT/M2M complexity to come
  51. 51. IoT NIGHTMARE: Food & toasters to vehicles https://www.youtube.com/watch?v=RZVYTJarPFs
  52. 52. Broadcasting Malware Responding with updated protection Wider Network Updated Latest Solution Update Dynamic isolation of infected devices and components leading to repair Auto-immunity A mix of clean and infected
  53. 53. A Multiplicity of channels Attack detection/exposure/thwarting using access diversity BlueTooth Short Range Device to Cloud Device to Device WiFi, WiMax Medium Range WLAN/Cloud Integrated and intelligent security systems embedded into all products and components ZigBee/Other ?? Car-to-Car Direct Communications Defence opportunities in channel/device/system diversity A wide plurality of channel detection and protection Attacks almost never isolated or single sourced Not restricted to single channel/attempt Secure attack and infection isolation Diverse immunity/support access Distributed info sharing GEO info location 3, 4, 5 G Long Range Device to Net Device to Cloud SatCom Broadcast
  54. 54. Auto-immunity Mirrors biological forebears Applied everywhere 24 x 7 ICs ISPs WiFi Hubs LANs Cards Traffic Servers Circuits Devices Internet Networks Organisations Companies Platforms Groups People Mobile Fixed
  55. 55. Auto-immunity: Fighting fire with fire
  56. 56. A vast spectrum: The Dark Side is involved in every space. Main Event ? Decoy ? Masking ? Diversion ? Tunnel set up ? Infiltration ? Intel Ops ? Implant ? Theft ? Tests ? +++ https://www.youtube.com/watch?v=1wq6LIjPHkk
  57. 57. AL MALWARE SPECIATION The Dark Side are at the leading edge - are we?
  58. 58. Get our act together The essentials shopping list is reasonably short Global monitoring and shared situational awareness Cooperative environments on attacks and solutions Universal sharing of identified attacks/developments Address cloaking & decoy customer sites/net nodes Behavioural analysis of networks, devices, people To continue and expand all established efforts Auto-Immunity for all devices including IoT Secure wireless channels - invisible signals
  59. 59. Get our act together The essentials shopping list is reasonably short Global monitoring and shared situational awareness Cooperative environments on attacks and solutions Universal sharing of identified attacks/developments Address cloaking & decoy customer sites/net nodes Behavioural analysis of networks, devices, people To continue and expand all established efforts Auto-Immunity for all devices including IoT Secure wireless channels - invisible signals GDPR FALLS FAR SHORT • It involves manual processes • It is far too slow • It is not automated • No effective responses • A hindrance not a gain • Advantageous to the Dark Side
  60. 60. WHEN WE FIX THE TECH: Are we then close to being safe?
  61. 61. AFRAID NOT! More hurdles to jump
  62. 62. PEOPLE THE PROBLEM: Impossible to control - change too slow
  63. 63. SPAN OF HUMANITY: Impossible to fully define/understand predispositions. Honest Dishonest Opportunist Hacker Black Hat White Hat Silly Extreme Careless Helpful Hapless Naive Arrogant Ignorant Unthinking Emotional Analytical Hacktivist Old Tired Distressed Confused Technophobe Technophile Depressed ill Nervous Professional Young Blue Collar Unemployed Employed Educated Uneducated Poor Rich Caring Uncaring Biased Accepting Unaccepting loner Team Player Social Networker Insider Outsider Untidy Reckless Careful Good Bad Evil
  64. 64. Hobbies! Weird/Crazy? - Airline security - Public targets - Breaking in - Social data ++++
  65. 65. Careless: London is a safe city! I was working in London and stopped for a coffee break in Soho… A smart young man walked in and I spotted his badge!
  66. 66. Careless: London is a safe city! I was working in London and stopped for a coffee break in Soho… A smart young man walked in and I spotted his badge! He sat right in front of me and this is what my mobile phone could see as he booted up!
  67. 67. Careless: London is a safe city! I was working in London and stopped for a coffee break in Soho… A smart young man walked in and I spotted his badge! He sat right in front of me and this is what my mobile phone could see as he booted up! Coffee Shop Protocol • Sit as far back from the door as possible; ideally with no one to the rear or the sides • Check for overhead cameras • Do not wear identifying insignia of any kind • Do not boot up to an identifying company, country, government, agency badge • Check and be aware N, E, S, W
  68. 68. LOUD & RUDE: There is always a price to pay! The group next to my colleague had just chanced upon the perfect name for their new company. So he bought the domain name and all the variants before they had completed their meeting!
  69. 69. Untidy: Litter Bug :-)
  70. 70. Untidy: Litter Bug :-) Dropped receipt to a wet floor - I picked it up and this caught my eye. And then the fun started! I Followed to a Coffee Shop. A few minutes listening and observing aided by Google and FaceBook and I had: Full name & address, Telephone Number, eMail Address, Date of Birth, Some History +++ My final act was to explain to this gentleman just how expensive litter might be… and he really ought to take care!
  71. 71. A stack of papers readable at a glance EXHIBITIONISTS Government employees bragging ME Three identical laptops Three Mobiles all the same
  72. 72. A stack of papers readable at a glance EXHIBITIONISTS Government employees bragging ME Three identical laptops Three Mobiles all the same In < 1hour of looking & listening I had: All their names Mobile numbers + eMail addresses Unit Codes Postal Drop Building floor and room IT Support Number and log in Who was at their meeting Meeting agenda Who said what Decisions made Project Code Name Organisations involved Objectives and progress The name of a ‘Secret Project’ Talked about in euphemisms +++++
  73. 73. OpPortunistic Unintended revelations & consequences TRUTH ENGINES An End Game Company Dr Peter Cochrane EU Concept Consultant DAY 1: Pass Card for an undefined meeting
  74. 74. OpPortunistic Unintended revelations & consequences TRUTH ENGINES An End Game Company Dr Peter Cochrane EU Concept Consultant DAY 1: Pass Card for an undefined meeting TRUTH ENGINES An End Game Company Peter Cochrane Internal Affairs Advisor DAY 2: Pass Card as a member of staff
  75. 75. OpPortunistic Unintended revelations & consequences TRUTH ENGINES An End Game Company Dr Peter Cochrane EU Concept Consultant DAY 1: Pass Card for an undefined meeting TRUTH ENGINES An End Game Company Peter Cochrane Internal Affairs Advisor DAY 2: Pass Card as a member of staff I Was Invited to Test a Company's Revised Security My way in was to simply massage my security pass from visitor to employee I then played the role of an old boy not really up to the modern world of IT and so many wonderfully kind people came forward to help me access networks, rooms and facilities My secret? Wear a suit and a tie & look very respectable…everyone knows that hackers wear hoodies!
  76. 76. THE KIND & HELPFUL: Sophisticated phishing attacks https://www.youtube.com/watch?v=lc7scxvKQOo
  77. 77. THE GOOD NEWS: Habitualities are near impossible to hide. We have so very many individually identifiable idiosyncrasies and routines that they define who and what we are to a very high degree of accuracy - especially when combined with biometrics
  78. 78. Device theft: Or is there something more here? This is a high risk crime with a good chance of getting caught in the act of getting caught on camera. Why would anyone do this for a few ££ an hour, or is there hidden value add that we are not seeing? https://www.youtube.com/watch?v=TWilMUpEMEk https://www.youtube.com/watch?v=tSKXZnfOe60
  79. 79. UP THE VALUE 100s of hack tutorials on-line A naked mobile device is one price A live mobile device with all the log-in and personal data accessible is a much better deal !
  80. 80. BEHAVIOURAL ANALYSIS: Might just be the ‘king pin’ that holds together our security. Just as we can be identified by where and what we eat, say, do; and how we walk, talk, type, behave; the friends and colleagues we meet; there is an equivalency for us and all our devices! Sociology of People; Sociology of Things
  81. 81. REALTIME RECOGNITION: China leading the way with social grooming as a first step
  82. 82. WORTH READING: Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. Be so subtle that you are invisible. Be so mysterious you are intangible. Then you will control your rivals’ fate. Supreme Art of War applicable today ~5C BC
  83. 83. THE DARK SIDE: Loves and exploits our mono-cultures. They just love our habitual nature… weak and repeated passwords… singular storage, OS and apps… but Clouds present opportunities to break it all up to provide super security! …recognisable and repeated patterns of behaviour are their bread and butter…
  84. 84. ADVANTAGE: Transience is speeding up! Half Lives of knowledge, data, info, and location, connection, is going to get much shorter
  85. 85. CLOUD POTENTIAL: Far more than apps, storage and backup. Clouds of all sizes can form and dissipate by demand ...with the clustering of people & devices +
  86. 86. Biggest Risk: Service providers do not guarantee your data!
  87. 87. App App App App App Storage Storage Corporate Corporate Corporate Personal Personal Storage One of many Connection Clouds Clouds Great Potential New modes of working + more security degrees of freedom
  88. 88. Parsed data: Incredibly difficult to intercept and locate, and reassemble… Routed to diverse/dispersed clouds
  89. 89. Parsed & ENCRYPTED: Randomised Parsing & Encryption + Cloud Allocation possibly the highest degree of security available!
  90. 90. OBSCURATION: Getting cheaper and easier. Volume False Files Encryption File Coding Block Chain Parsed Files Multi-Format Multi-Channel Embedded Files Distributed Files Embedded Coding Distributed Storage Multi-Service Providers Obscure Addressing A priori Knowledge Multiple Networks Multiple Devices False Addressing Multi OS/Apps Multi Clouds Decoy Files Biometrics Multi-HDs Data Path Cloaking +++++
  91. 91. Advantage 1: Many networks to attack not just one. 3,4,5G, LTE, WiFi WiFi WiMax BlueTooth ++
  92. 92. Advantage 2: Many OS types to attack not just one
  93. 93. Advantage 3: Many applications to attack not just one
  94. 94. Advantage 4: Huge device variance. Interface Boards Chips Config Firmware
  95. 95. Advantage 5: Huge hardware and circuit variance. Circuitry Layout Antennas Analogue Design Facilities
  96. 96. Advantage 6: On Grid/Cloud; On & Off Grid/Cloud; Off Grid/Cloud. Fixed Mobile Irregular: Use Needs Habits Devices Working Locations Requirements Connectivity Suppliers Facilities Projects Clouds Teams +++
  97. 97. Advantage 6: Confounding behaviours. On Grid/Cloud; On & Off Grid/Cloud; Off Grid/Cloud. Fixed Mobile Irregular: Use Needs Habits Devices Working Locations Requirements Connectivity Suppliers Facilities Projects Clouds Teams +++ LAN DSL WiFi Fibre 3,4,5G BlueTooth
  98. 98. The Cloud offers the most potent defence and the most creative options for data storage
  99. 99. Live fire & Education Make it real, make it effective and up to date War Games - Spoof Attacks Rewards for the Alert Regular Briefings Constant Watch
  100. 100. Live fire & Education Make it real, make it effective and up to date War Games - Spoof Attacks Rewards for the Alert Regular Briefings Constant Watch The military play all day and go into war now and again We are in a war every day but never play !
  101. 101. The Art of War by Sun Tzu, 600 BC “Speed is the essence of war. Take advantage of the enemy's unpreparedness; travel by unexpected routes and strike him where he has taken no precautions” “It is fatal to enter any war without the will to win it” General Douglas MacArthur
  102. 102. Thank You. petercochrane.com We possess superior technology, networks and brains - if we lose this war it is down to our organisational inabilities… and the Dark Side will have an easy win! https://www.uos.ac.uk
