Security in the Internet - Threats and Mitigation · 2014-11-27
Security in the Internet - Threats and Mitigation
Commercial Counsellor of the Austrian Embassy
Bucharest, Romania, 30.6.2011
Version: 1.0
Author: Markus Robin
Responsible: Markus Robin
Date: 28.6.2011
Confidentiality: Public
© 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved
Version/Date: 1.0/28.6.2011 Confidentiality Class: Public
SEC Consult – Who we are
[Map legend: SEC Consult Office, SEC Consult Headquarters, Other SEC Consult Clients; labelled regions: Canada, India, Singapore, Lithuania, Germany, Austria, Central and Eastern Europe]
• Leading in IT-Security Services and Consulting
• Founded 2002
• Headquarters near Vienna, Austria
• Delivery Centers in Austria, Germany, Lithuania and Singapore
• SEC Consult Vulnerability Lab
• Strong customer base in Central and Eastern Europe
• ISO/IEC 27001 certified
• 30+ security experts
Our employees - Internationally accepted information security specialists
• Certificates (excerpt): ISO 27001 Lead Auditor, ONR 17700 Auditor
• Publications (excerpt)
• Speakers at global conferences (excerpt)
• Co-authors of international guidelines and standards (excerpt)
The SEC Consult security framework
Legend: E = Employee, P = Process, T = Technology
Lifecycle: Strategy and focus; Evaluation of the current state and transparency; Planning & prioritisation; Implementation and support; Continuous improvement
Services (excerpt):
• Security awareness training
• Security KPIs and reporting
• Forensic analysis
• Audit of specific systems and services:
  • Mobile devices
  • Clients
  • VoIP
  • WLAN
  • Back-office systems
  • DMZ
  • …
• Vulnerability/patch-level management
• External audit
• SEC Consult Academy
• Implementation of an ISMS according to ISO 27001
• Master plan
• Business Continuity Management according to BS 25999
• Incident management
• Certification of web applications according to A7700
• “Rent a CISO”
• Secure system integration of (standard) software
• Secure software development
• Risk analysis
• Security policy
• Internal audit
• Audit of web applications
• Social engineering / awareness raising
• DR planning
• Data protection audit
• MVIS
• PCI on-site audit
• PCI compliance
Competitor about SEC Consult…
Dan Kaminsky, Head of Research of the US security consultancy IOActive*:
“The Austrian company SEC Consult helped to maintain the security of the global internet infrastructure. Their security specialists have managed to deduce the attack in a short time from very limited data. SEC Consult with such smart people is a global top league security consulting company. Thank you for the efforts on the industry-wide level and also many thanks for the responsible handling of this extremely sensitive issue.”
*Source: Dan Kaminsky concerning joint effort with SEC Consult to mitigate global DNS Cache Poisoning threat in August 2008
US President Obama
Source: www.geekonomicsbook.com
Why are hackers so successful?
Sources: http://www.digitaljournal.com/article/308409
http://www.information-age.com/channels/security-and-continuity/news/1633128/citigroup-says-and3627m-was-stolen-after-cyber-attack.thtm
http://www.reuters.com/article/2011/06/13/us-imf-cyberattack-idUSTRE75A20720110613l
http://www.pcmag.com/article2/0,2817,2386512,00.asp
http://www.siliconrepublic.com/strategy/item/22182-sony-hacks-highlight-need/
http://www.guardian.co.uk/government-computing-network/2011/jun/21/information-security-central-government
The Fraud Triangle
Donald R. Cressey
Sources: http://en.wikipedia.org/wiki/Donald_Cressey#cite_note-4
http://www.navran.com/article-psychology-of-fraud.html
Definitions:
• Motive can be understood as the moving force or drive that causes an individual to act in a specific fashion or towards a specific goal.
• Opportunity can be characterized as the presence of circumstances that are conducive to and/or consistent with the action being considered.
• Rationalizations are the lies we tell ourselves to give us permission to do what we know is wrong.
New “opportunities” for hackers on just one day (24.6.2011)…
Sources: http://www.securityfocus.com/
How do you distinguish secure software from insecure software?
Sources: http://www.spiegel.de/auto/werkstatt/0,1518,489777,00.html
http://auto.t-online.de/c/16/58/35/20/16583520.html
[Figure: two cars, labelled A and B]
By testing them for security!
Sources: http://www.spiegel.de/auto/werkstatt/0,1518,489777,00.html
http://images.marken.auto-motor-und-sport.de/media/mdb/30799.jpg
[Figure: crash-test outcome for cars A and B, labelled Survived and Dead]
Impact of insecure, “toxic” software - Confidentiality
• Theft and misuse of credit card numbers
• Theft and misuse of bank account numbers
• Theft and misuse of company secrets
• Theft and misuse of identity information
• Read everything you write
• Hear everything you say on the mobile phone
• …
You lose customers, brand reputation, revenue and profit.
Source: http://www.ft.com/cms/s/0/eed31c7c-9857-11e0-ae45-00144feab49a.html#axzz1QU1W6ryR
Impact of insecure, “toxic” software - Availability
• Stop your website
• Stop your web shop
• Stop your portal
• Stop your email
• Stop your internal network
• Stop your power supply
• Stop your access to the internet
• Stop your coffee machine
• …
You lose customers, brand reputation, revenue and profit.
Sources: http://online.wsj.com/article/SB10001424052702304231204576405662433553544.html?mod=googlenews_wsj
Impact of insecure, “toxic” software - Integrity
• Change the content of your website (defacement)
• Change the balance of your bank account
• Change the speed of your machines (“Stuxnet”)
• Embarrassing/illegal content on your “home” share
• …
You lose customers, brand reputation, revenue and profit.
Sources: http://www.zone-h.org/archive/filter=1/domain=.ro/fulltext=1/page=5
http://www.zone-h.org/mirror/id/14232154
Insecure, “toxic” software is ubiquitous
“More than 50% of all software products tested by SEC Consult have critical security vulnerabilities and are therefore toxic for their owners”, SEC Consult
Sources: http://www.businessinsider.com/unsold-cars-around-the-world-2009-2
Where to begin? … Inspect!
Technology:
• Rapid security test of all web sites and web applications
• Rapid security test of the internal LAN and internal applications
People & Process:
• Gap analysis of your Information Security Management System (ISMS) against ISO/IEC 27001
-> Security remediation plan
SEC Consult offer: Security Baseline Inspection
Source: http://img.directindustry.de/images_di/photo-g/werkstatt-hebebuhne-275871.jpg
What is a must to avoid insecure “toxic” software? (1)
Early warning system for new security vulnerabilities in software
• Know your risk!
• Act, don't react!
SEC Consult offer: Managed Vulnerability Information Service (MVIS) (https://www.sec-consult.com/files/MVIS_folder_en.pdf)
Sources: http://www.welt.de/vermischtes/article2696169/Bojen-fuer-Tsunami-Fruehwarnsystem-gestohlen.html
http://smartklean.wordpress.com/2010/12/03/are-you-and-your-family-exposed-to-toxic-surfactants/toxic-2/
What is a must to avoid insecure “toxic” software? (2)
Request state-of-the-art application security based on ÖNORM A 7700 (www.a7700.org) for all web applications
• Applicable across the whole European Union (via CEN)
• Clear requirements for the security of web applications
• Easy to communicate to software vendors and providers
SEC Consult offer: Software Requirement Guidelines
Source: http://www.denvergov.org/PortofEntry/tabid/395277/Default.aspx
http://smartklean.wordpress.com/2010/12/03/are-you-and-your-family-exposed-to-toxic-surfactants/toxic-2/
What is a must to avoid insecure “toxic” software? (3)
No new software without a security crash test
• Know how secure or insecure the software you buy is
• Get more attention from the software vendor for security fixes
• Reduce the cost of fixing security bugs. Significant cost saving!
SEC Consult offer: Security Quality Gate for Software/Applications
Source: http://smartklean.wordpress.com/2010/12/03/are-you-and-your-family-exposed-to-toxic-surfactants/toxic-2/
Why SEC Consult?
• Helps you to avoid insecure, “toxic” software
• Highly skilled international security experts
• High reputation and highly trusted in Austria and Romania
• Independent of software vendors
Contacting SEC Consult
Mooslackengasse 17
A-1190 Vienna
Austria
Tel: +43-1-890 30 43-0
Fax: +43-1-890 30 43-15
Email: [email protected]
www.sec-consult.com

Bockenheimer Landstrasse 17-19
D-60325 Frankfurt am Main
Germany
Tel: +49 (69) 175373 43
Fax: +49 (69) 175373 44
Email: [email protected]
www.sec-consult.com