Cyber as WMD- April 2015- GFSU
mohit-rampal -
© 2014 All Rights Reserved
2015 NEWS
• Indian power companies want ban on Chinese equipment on security fears
• Power transmission infrastructure in the country’s 18 major cities could be potentially hacked leading to national security threats and major disruption of power if the concerns of a prominent trade body are to be believed.
• These cities are spread across Rajasthan, Madhya Pradesh and Tamil Nadu and they are currently implementing smart grid projects. They could be exposing themselves to the threat of monitoring systems deployed by foreign firms, it is being feared.
2015 NEWS
• Cisco CEO John Chambers has warned that 2015 will be a worse year for hack attacks on businesses in a world where an increasing number of devices are connected to the internet.
• “The average attack, you get 90 percent of the data you want in like nine hours, and yet most of the companies don't find out for three to four months,” he said. The warning comes after a year of high-profile cyber-security breaches that were a disaster for many businesses.
• Investment bank JPMorgan was hit with two attacks last year, while a number of flaws in internet security and mobile software were found.
LANDSCAPE TODAY
Today’s world is filled with complexity
New threats are waiting for cracks to appear
See the cracks
Know the threats
Build a more resilient world
INDIA PERSPECTIVE
• Lack of cyber security professionals
• Cyber security is more reactive than proactive
• Spending on creating COEs is missing
• Highly vulnerable verticals:
  • Power & Utilities
  • Internal Security
  • Financial Organizations
  • Telecom
  • Defense & Paramilitary Forces
  • Manufacturing
  • Smart Cities
THE KNOWN AND THE UNKNOWN
Total Vulnerability Management = Known Vulnerability Management + Unknown Vulnerability Management (UVM)
• Known Vulnerability Management (reactive)
  • 1995-2000: Satan/Saint
  • 1999-: Nessus, ISS
  • 2000-: Qualys, HP, IBM, Symantec ...
  • 2013: Codenomicon AppCheck
• Unknown Vulnerability Management (UVM) (proactive)
  • SAST approach, 1980-: PC Lint, OSS, Coverity, Fortify, IBM, Microsoft ... (whitebox testing)
  • DAST approach, 2000-: Fuzzing: Codenomicon Defensics, Peach, Sulley (blackbox testing)
Bottom line: All systems have vulnerabilities. Both complementary categories need to be covered.
WHY ATTACK
• Gain access to control and compromise a smart network
• A terrorist may want to damage chemical plant processes, oil and gas pipelines, power generation and transmission equipment, or contaminate the water supply, etc.
• Someone might set up an attack for (industrial) espionage purposes or to generate “false” information
• Enemy countries, so as to be able to cripple infrastructure, thereby affecting the economy
CYBER AS A WMD
How does it work?
• State-sponsored cyber terrorists acquire devices / applications
• Use fuzzing tools to find vulnerabilities, both known and unknown
• Use known vulnerabilities to create diversion attacks
• Exploit the unknown vulnerability by writing malware around it
• Use tools to monitor endpoints which are unsecured
• Explore vulnerable endpoints etc. to create botnets and insert the unknown vulnerability
• These unknown attacks go undiscovered, as perimeter security cannot detect them
CYBER AS A WMD
How does it work?
• Compromise the Power Network – denial of service or unavailability of power to critical networks etc.
• Compromise the Telecom Network
• Contaminate the Water Supply
• Unavailability of Banking Networks and Stock Market
• Transport system collapse
• Collapse of Defense Machinery and equipment
CYBER AS A WMD- WHAT CAN BE COMPROMISED
Smart City
Telecom
Utilities
Public Services
Building
Transport
INTERNET OF THINGS = FUTURE CHALLENGE FOR SECURITY TESTING
[Figure: connected places (~0.5 B), people (5.0 B) and things (50 B) over time, 1875 to 2025. Inflection points: Global Connectivity, Personal Mobile, Digital Society / Sustainable World. Source: Ericsson]
CYBER AS A WMD - OUTCOME
• Nation in a state of disaster, resulting in inflation and unavailability of all resources, leading indirectly to death, with no discovery of where the attack came from
• NEWS 2015 – India-Bangladesh World Cup match: Bangladeshi hackers were trying to attack NSE
HOW IS IT “SECURITY” COMPROMISED?
• Confidentiality : A zero day attack is used to compromise a specific computer program, which often crashes as a result… Hacker can spawn new processes
• Integrity : Hacker controlled processes can now change anything in the system
• Availability : Hacker controlled processes can now eavesdrop on all data and communications
CYBER THREATS : MORE PROFESSIONAL & SOPHISTICATED
• Cyber Attacks: Internet-based incidents involving politically or financially motivated attacks on information and information systems.
• Zero-day Vulnerabilities, Or Unknown Vulnerabilities: Software flaws that make exploitation and other illegal activities towards information systems possible
• Proactive Cyber Defense: acting in anticipation to oppose an attack against computers and networks.
CYBER AS A WMD – RISK MITIGATION
• Being proactive rather than reactive
• Having a security process in place
• Processes for known and unknown vulnerability management & security testing before deployment
• Understanding code decay and its impact
• Real-time monitoring and analysis of data to be proactive
• Identifying unknown vulnerabilities and drawing a map towards remediation
• Secure the supply chain to ensure “WE KNOW WHAT WE BUY”
• Use of tools to automate the process to ensure no human bypass is done
• Security of all devices by proactive security testing for known and unknown vulnerabilities
BUT I WAS TOLD/PROMISED/CERTIFIED/ … THAT I AM SECURE!
Did you actually test and validate that you are?
Or were you just happy that because it is certified, you are safe?
We call this faith-based security
ABOUT CODENOMICON
• Started as a Research Project in 1996 & Commercially started operations in 2001
• Global Offices in Finland, Germany, US, Singapore, India
• DEFENSICS™ security test platform
• CLARIFIED™ advanced cyber security monitoring solution
• Market segments
  • Carrier, Defense, Government, networking equipment, software developers
• Any customer concerned about security of protocols deployed in products, services or internal IT infrastructure