(Mis)trust in the Cyber Era
Information Security Summit 2013
Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA
Principal Consultant
October 23rd 2013 @ Hong Kong
Who Am I?
Albert Hui, GREM, GCIA, GCIH, GCFA, GCFE, GPEN, GXPN, GAWN, GSNA, CISA
SANS Advisory Board Member
GRC Consultant for Banks, Government and Critical Infrastructures.
Spoken at Black Hat, HTCIA-AP, and Economist Corporate Network.
Former HKUST lecturer.
Agenda
1. Trust Defined
2. Ramifications of Trusting Another Party
3. Privacy at Stake
4. The Solution?
A Story of Trust and (Alleged) Betrayal
Dropbox’s Clarification
Dropbox’s Clarification (cont.)
Sad but True
“If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext.”
Bruce Schneier
Understanding Trust
Why Important to Reflect on Trust?
$\text{Risk} = \dfrac{1}{\text{Trust}}$
What Exactly is Trust?
[Diagram: Faith / Knowing / Evidenced / Assurance; Ideal vs. Reality]
Trust Outsourcing
Risk is Often Outsourced
Insurance
Hedging
Trust is Often Outsourced Too
Public Key Infrastructure Simplified
Certificate Authority
Alice Bob
Root Certificate Authorities Compromised
Signed Malware: Stuxnet, Duqu, …
Transitive Trust
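An added example, not from the talk, that plays out the "Alice trusts Bob because a CA vouched for him" chain in Go using only the standard library. Every CA name and the host name bob.example are constructed placeholders. Alice never inspects Bob himself; she only checks that some root she trusts signed his certificate. A certificate minted with a trusted root's key after that key is compromised is therefore indistinguishable from the genuine one, and the only remedy shown is to stop trusting that root altogether:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template returns a certificate skeleton; isCA selects CA vs. server usage.
// All names used with it below are constructed test data, not real CAs or hosts.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a fresh key for tmpl and has signerKey sign it under parent;
// a nil parent means self-signed (a root). Returns the certificate and its key.
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusts is Alice's check: does leaf chain to one of the roots she trusts,
// for the host she is talking to? An empty root list trusts nobody.
func trusts(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Outcome records the verdicts Alice reaches in RunScenario.
type Outcome struct {
	GenuineAccepted      bool // Bob's real cert from a CA Alice trusts
	UnknownCARejected    bool // a "Bob" cert from a CA Alice never trusted
	ForgedAccepted       bool // a "Bob" cert signed with the trusted CA's key after compromise
	AfterRemovalRejected bool // the same forged cert once Alice drops that CA
}

// RunScenario plays out transitive trust: Alice never checks Bob directly,
// she checks whoever vouched for him.
func RunScenario() (o Outcome, err error) {
	mk := func(t, parent *x509.Certificate, k *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, ck, e := issue(t, parent, k)
		if e != nil && err == nil {
			err = e
		}
		return c, ck
	}
	trustedCA, trustedKey := mk(template("Trusted Root CA (constructed)", 1, true), nil, nil)
	unknownCA, unknownKey := mk(template("Unknown CA (constructed)", 2, true), nil, nil)
	genuine, _ := mk(template("bob.example", 10, false), trustedCA, trustedKey)
	fromUnknown, _ := mk(template("bob.example", 11, false), unknownCA, unknownKey)
	// Whoever holds the trusted CA's signing key (a compromised root, a coerced
	// insider) can mint a second "bob.example" that Alice cannot tell apart
	// from the genuine one: her trust in the CA carries over to anything it signs.
	forged, _ := mk(template("bob.example", 12, false), trustedCA, trustedKey)
	if err != nil {
		return o, err
	}
	roots := []*x509.Certificate{trustedCA}
	o.GenuineAccepted = trusts(genuine, roots, "bob.example")
	o.UnknownCARejected = !trusts(fromUnknown, roots, "bob.example")
	o.ForgedAccepted = trusts(forged, roots, "bob.example")
	o.AfterRemovalRejected = !trusts(forged, nil, "bob.example")
	return o, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The four verdicts are the point of the slide: the relying party's check is entirely about the issuer, so once a root is compromised (or simply untrustworthy), every certificate it ever signs inherits the trust, and the relying party has no signal in the chain itself to tell genuine from forged.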
Reality
RISK OUTSOURCING
1. Assess risks
2. Treat some risks
3. Terminate some risks
4. Tolerate some risks
5. Transfer remaining risks
TRUST OUTSOURCING
1. Transfer trust
2. Trust that the transferee is trustworthy (secure, reliable and aligned with your risk appetite and risk strategy)
Trust Crowdsourcing
Herd Mentality
Open Source’s “Many Eyes” Claim: Evidence to the Contrary
Debian OpenSSL Generates Predictable Keys (CVE-2008-0166)
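An added example, not from the talk, modelling in Go why a key generator whose only remaining entropy is the process id yields a tiny key space, and the blocklist-style check defenders used against such keys. The generator here is a toy (a hash of the pid), not OpenSSL's code; the assumption that the pid is the sole entropy source and that there are 32768 possible pids is stated in the code as the model's premise:

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pidSpace is the number of distinct 15-bit process ids. Model assumption:
// the flawed generator's only entropy is the pid, so it can emit at most
// this many different keys no matter how many times it runs.
const pidSpace = 32768

// WeakKey models the broken generator: the "random" key is a deterministic
// function of the pid alone. Constructed toy, not OpenSSL's algorithm.
func WeakKey(pid uint32) [32]byte {
	var seed [4]byte
	binary.BigEndian.PutUint32(seed[:], pid)
	return sha256.Sum256(append([]byte("toy-keygen:"), seed[:]...))
}

// StrongKey draws 32 bytes from the OS CSPRNG, the way key material should be made.
func StrongKey() ([32]byte, error) {
	var k [32]byte
	_, err := rand.Read(k[:])
	return k, err
}

// randomPid stands in for whatever pid the next key-generating process gets.
func randomPid() (uint32, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	return binary.BigEndian.Uint32(b[:]) % pidSpace, nil
}

// DistinctWeakKeys runs the flawed generator in n fresh "processes" and counts
// distinct outputs: the count saturates at pidSpace however large n grows.
func DistinctWeakKeys(n int) (int, error) {
	seen := make(map[[32]byte]bool)
	for i := 0; i < n; i++ {
		pid, err := randomPid()
		if err != nil {
			return 0, err
		}
		seen[WeakKey(pid)] = true
	}
	return len(seen), nil
}

// DistinctStrongKeys does the same with the CSPRNG: n draws, n distinct keys.
func DistinctStrongKeys(n int) (int, error) {
	seen := make(map[[32]byte]bool)
	for i := 0; i < n; i++ {
		k, err := StrongKey()
		if err != nil {
			return 0, err
		}
		seen[k] = true
	}
	return len(seen), nil
}

// Fingerprint is the hex SHA-256 of a key, the form a blocklist stores.
func Fingerprint(k [32]byte) string {
	sum := sha256.Sum256(k[:])
	return hex.EncodeToString(sum[:])
}

// BuildWeakBlocklist enumerates every key the flawed generator can produce and
// records its fingerprint: the defensive pattern of rejecting known-weak keys
// at acceptance time rather than hoping none are in use.
func BuildWeakBlocklist() map[string]bool {
	bl := make(map[string]bool, pidSpace)
	for pid := uint32(0); pid < pidSpace; pid++ {
		bl[Fingerprint(WeakKey(pid))] = true
	}
	return bl
}

// IsWeak reports whether a presented key is on the blocklist.
func IsWeak(k [32]byte, bl map[string]bool) bool { return bl[Fingerprint(k)] }

func main() {
	w, _ := DistinctWeakKeys(200000)
	s, _ := DistinctStrongKeys(1000)
	fmt.Printf("weak generator: %d distinct keys from 200000 runs (cap %d)\n", w, pidSpace)
	fmt.Printf("CSPRNG: %d distinct keys from 1000 runs\n", s)
}
```

The point for the "many eyes" claim is that the weakness is invisible at the level of any single key, which looks perfectly random; it only shows up when you ask how many different keys the generator can ever produce, a question that neither reading the code casually nor inspecting outputs one at a time prompts.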
Privacy
Recap
“If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext.”
Bruce Schneier
Privacy Seppuku
The Public-Private Surveillance Partnership
Technologically Speaking
A court order is no different from an insider attack.
Suggestions
1. Be conservative in assessing trust outsourcing risks.
2. Be skeptical.
3. Defense in depth.
4. End-to-end encryption.
Thank You