(Mis)trust in the cyber era


Transcript of (Mis)trust in the cyber era

Page 1: (Mis)trust in the cyber era

(Mis)trust in the Cyber Era

Information Security Summit 2013

Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA

Principal Consultant

October 23rd 2013 @ Hong Kong

Page 2: (Mis)trust in the cyber era

Who Am I?

Albert Hui GREM, GCIA, GCIH, GCFA, GCFE, GPEN, GXPN, GAWN, GSNA, CISA

SANS Advisory Board Member

GRC Consultant for Banks, Government and Critical Infrastructures.

Spoken at Black Hat, HTCIA-AP, and Economist Corporate Network.

Former HKUST lecturer.

Page 3: (Mis)trust in the cyber era

Agenda

1. Trust Defined

2. Ramifications of Trusting Another Party

3. Privacy at Stake

4. The Solution?

Page 4: (Mis)trust in the cyber era
Page 5: (Mis)trust in the cyber era

A Story of Trust and (Alleged) Betrayal

Page 6: (Mis)trust in the cyber era

Dropbox’s Clarification

Page 7: (Mis)trust in the cyber era

Dropbox’s Clarification (cont.)

Page 8: (Mis)trust in the cyber era

Sad but True

“If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext.”

Bruce Schneier

Page 9: (Mis)trust in the cyber era

Understanding Trust

Page 10: (Mis)trust in the cyber era

Why Is It Important to Reflect on Trust?

$\text{Risk} = \frac{1}{\text{Trust}}$

Page 11: (Mis)trust in the cyber era

What Exactly is Trust?

(Diagram) Spectrum from Faith to Knowing, i.e. evidenced assurance; labelled Ideal vs. Reality.

Page 12: (Mis)trust in the cyber era

Trust Outsourcing

Page 13: (Mis)trust in the cyber era

Risk is Often Outsourced

Insurance

Hedging

Page 14: (Mis)trust in the cyber era

Trust is Often Outsourced Too

Page 15: (Mis)trust in the cyber era

Public Key Infrastructure Simplified

(Diagram) Certificate Authority, trusted by both Alice and Bob.

Page 16: (Mis)trust in the cyber era

Root Certificate Authorities Compromised

Page 17: (Mis)trust in the cyber era

Signed Malware: Stuxnet, Duqu, …

Page 18: (Mis)trust in the cyber era

Transitive Trust

Page 19: (Mis)trust in the cyber era

Reality

RISK OUTSOURCING

1. Assess risks

2. Treat some risks

3. Terminate some risks

4. Tolerate some risks

5. Transfer remaining risks

TRUST OUTSOURCING

1. Transfer trust

2. Trust that the transferee is trustworthy (secure, reliable and aligned with your risk appetite & risk strategy)

Page 20: (Mis)trust in the cyber era

Trust Crowdsourcing

Page 21: (Mis)trust in the cyber era

Herd Mentality

Page 22: (Mis)trust in the cyber era

Open Source’s “Many Eyes” Claim: Evidence to the Contrary

Generates Predictable Keys (CVE-2008-0166)
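As an added illustration (not from the slides, and not the OpenSSL or Debian code involved in CVE-2008-0166): a constructed Python model of why a key whose only entropy is a seed drawn from a small space is enumerable, and of the defensive response that was used at the time, a fingerprint blocklist of every key the flawed generator could produce. The `toy_keygen` function, the 64-bit "key" size and the 32768-value seed space (chosen to evoke a PID-sized seed) are all assumptions of this example.

```python
"""Toy model: low-entropy key generation and a weak-key fingerprint blocklist.

Constructed example. The generator below is a stand-in for any PRNG whose
seed is the only entropy it receives; it is NOT the real OpenSSL code path.
"""
import hashlib
import random

# Assumption: the seed space is about the size of a 15-bit process ID range.
SEED_SPACE = 32768
KEY_BITS = 64


def toy_keygen(seed: int) -> int:
    """Produce a 64-bit 'key' from a PRNG seeded only by `seed`.

    Because nothing but the seed feeds the generator, the set of possible
    keys is exactly as large as the seed space, and every one of them can be
    enumerated ahead of time.
    """
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BITS)


def fresh_key() -> int:
    """A key drawn from OS entropy, standing in for a properly seeded generator."""
    return random.SystemRandom().getrandbits(KEY_BITS)


def fingerprint(key: int) -> str:
    """Short SHA-256 fingerprint of a key, the form a blocklist stores."""
    return hashlib.sha256(key.to_bytes(KEY_BITS // 8, "big")).hexdigest()[:16]


def build_blocklist(seed_space: int = SEED_SPACE) -> set:
    """Enumerate every key the weak generator can emit and record fingerprints.

    This is the defender's side of the story: once the bug is known, the whole
    output space is small enough to precompute and ship as a blocklist.
    """
    return {fingerprint(toy_keygen(seed)) for seed in range(seed_space)}


def is_weak(key: int, blocklist: set) -> bool:
    """True if the key's fingerprint is in the blocklist, i.e. it must be replaced."""
    return fingerprint(key) in blocklist


def demo() -> tuple:
    """Check one key from the flawed generator and one from OS entropy.

    Returns (weak_key_flagged, fresh_key_flagged, blocklist_size).
    """
    blocklist = build_blocklist()
    weak = toy_keygen(12345)      # made by the flawed generator
    strong = fresh_key()          # made with real entropy
    return is_weak(weak, blocklist), is_weak(strong, blocklist), len(blocklist)


if __name__ == "__main__":
    flagged_weak, flagged_fresh, size = demo()
    print(f"blocklist entries: {size}")
    print(f"weak key flagged:  {flagged_weak}")
    print(f"fresh key flagged: {flagged_fresh}")
```

The lesson the slide points at is the asymmetry: the whole blocklist is built in well under a second on a laptop, which is exactly why a key from such a generator offers no protection, while a key drawn from real entropy has a negligible chance of ever matching an entry.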

Page 23: (Mis)trust in the cyber era

Privacy

Page 24: (Mis)trust in the cyber era

Recap

“If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext.”

Bruce Schneier

Page 25: (Mis)trust in the cyber era

Privacy Seppuku

Page 26: (Mis)trust in the cyber era

The Public-Private Surveillance Partnership

Page 27: (Mis)trust in the cyber era

Technologically Speaking

A court order is no different from an insider attack.

Page 28: (Mis)trust in the cyber era

Suggestions

1. Be conservative in assessing trust outsourcing risks.

2. Be skeptical.

3. Defense in depth.

4. End-to-end encryption.

Page 29: (Mis)trust in the cyber era

Thank You

[email protected]