Security in the Internet - Threats and Mitigation · 2014-11-27

Page 1:

Security in the Internet - Threats and Mitigation

Commercial Counsellor of the Austrian Embassy (Consilierul Comercial al Ambasadei Austriei)

Bucharest, Romania, 30.6.2011

Version: 1.0

Author: Markus Robin

Responsible: Markus Robin

Date: 28.6.2011

Confidentiality: Public

Page 2:

© 2011 SEC Consult Unternehmensberatung GmbH – All rights reserved

Version/Date: 1.0/28.6.2011 Confidentiality Class: Public

SEC Consult – Who we are

[World map with legend: SEC Consult Office, SEC Consult Headquarter, Other SEC Consult Clients; labels: Canada, India, Singapore, Lithuania, Germany, Austria, Central and Eastern Europe]

• Leading in IT security services and consulting

• Founded 2002

• Headquarters near Vienna, Austria

• Delivery centers in Austria, Germany, Lithuania and Singapore

• SEC Consult Vulnerability Lab

• Strong customer base in Central and Eastern Europe

• ISO/IEC 27001 certified

• 30+ security experts

Page 3:

Our employees - Internationally accepted information security specialists

Certificates (excerpt): ISO 27001 Lead Auditor, ONR 17700 Auditor

Publications (excerpt)

Speakers at global conferences (excerpt)

Co-authors of international guidelines and standards (excerpt)

Page 4:

The SEC Consult security framework

[Diagram: Employee, Process and Technology, with the cycle Strategy and focus -> Evaluation of the current state and transparency -> Planning & prioritisation -> Implementation and support -> Continuous improvement]

Services in the framework:

• Security awareness training

• Security KPIs and reporting

• Forensic analysis

• Audit of specific systems and services

• Vulnerability/patch-level management

• External audit

• SEC Consult Academy

• Implementation of an ISMS according to ISO 27001

• Master plan

• Business Continuity Management according to BS 25999

• Incident management

• Certification of web applications according to A7700

• "Rent a CISO"

• Secure system integration of (standard) software

• Secure software development

• Risk analysis

• Security policy

• Internal audit

• Audit of web applications

• Social engineering / sensibilisation

• DR planning

• Mobile devices

• Clients

• VoIP

• WLAN

• Back-office systems

• DMZ

• …

• Data protection audit

• "MVIS"

• PCI on-site audit

• PCI compliance

Page 5:

A competitor about SEC Consult…

Dan Kaminsky, Head of Research of the US security consultancy IOActive*:

"The Austrian company SEC Consult helped to maintain the security of the global internet infrastructure. Their security specialists have managed to deduce the attack in short time from very limited data. SEC Consult with such smart people is a global top league security consulting company. Thank you for the efforts on the industry-wide level and also many thanks for the responsible handling with this extremely sensitive issue."

*Source: Dan Kaminsky concerning joint effort with SEC Consult to mitigate global DNS Cache Poisoning threat in August 2008

Page 6:

US President Obama

[Image]

Source: www.geekonomicsbook.com

Page 7:

Why are hackers so successful?

Sources: http://www.digitaljournal.com/article/308409
http://www.information-age.com/channels/security-and-continuity/news/1633128/citigroup-says-and3627m-was-stolen-after-cyber-attack.thtm
http://www.reuters.com/article/2011/06/13/us-imf-cyberattack-idUSTRE75A20720110613l
http://www.pcmag.com/article2/0,2817,2386512,00.asp
http://www.siliconrepublic.com/strategy/item/22182-sony-hacks-highlight-need/
http://www.guardian.co.uk/government-computing-network/2011/jun/21/information-security-central-government

Page 8:

The Fraud Triangle

Donald R. Cressey

Sources: http://en.wikipedia.org/wiki/Donald_Cressey#cite_note-4
http://www.navran.com/article-psychology-of-fraud.html

Definitions:

• Motive can be understood as the moving force or drive that causes an individual to act in a specific fashion or towards a specific goal.

• Opportunity can be characterized as the presence of circumstances that are conducive to and/or consistent with the action being considered.

• Rationalizations are the lies we tell ourselves to give us permission to do what we know is wrong.

Page 9:

New “opportunities” for hackers on just one day (24.6.2011)…


Sources: http://www.securityfocus.com/

Page 10:

How do you distinguish secure software from insecure software?

[Images: two cars, A and B]

Sources: http://www.spiegel.de/auto/werkstatt/0,1518,489777,00.html
http://auto.t-online.de/c/16/58/35/20/16583520.html

Page 11:

By testing them for security!

[Crash-test images: cars A and B, labelled Survived and Dead]

Sources: http://www.spiegel.de/auto/werkstatt/0,1518,489777,00.html
http://images.marken.auto-motor-und-sport.de/media/mdb/30799.jpg

Page 12:

Impact of insecure, "toxic" software - Confidentiality

• Theft and misuse of credit card numbers

• Theft and misuse of bank account numbers

• Theft and misuse of company secrets

• Theft and misuse of identity information

• Read everything you write

• Hear everything you say on the mobile phone

• …

You lose customers, brand reputation, revenue and profit.

Sources: http://www.ft.com/cms/s/0/eed31c7c-9857-11e0-ae45-00144feab49a.html#axzz1QU1W6ryR

Page 13:

Impact of insecure, "toxic" software - Availability

• Stop your website

• Stop your web shop

• Stop your portal

• Stop your email

• Stop your internal network

• Stop your power supply

• Stop your access to the internet

• Stop your coffee machine

• …

You lose customers, brand reputation, revenue and profit.

Sources: http://online.wsj.com/article/SB10001424052702304231204576405662433553544.html?mod=googlenews_wsj

Page 14:

Impact of insecure, "toxic" software - Integrity

• Change the content of your website (defacement)

• Change the balance of your bank account

• Change the speed of your machines ("Stuxnet")

• Embarrassing/illegal content on your "home" share

• …

You lose customers, brand reputation, revenue and profit.

Sources: http://www.zone-h.org/archive/filter=1/domain=.ro/fulltext=1/page=5
http://www.zone-h.org/mirror/id/14232154

Page 15:

Insecure, "toxic" software is ubiquitous

"More than 50% of all software products tested by SEC Consult have critical security vulnerabilities and therefore are toxic for their owners", SEC Consult

Sources: http://www.businessinsider.com/unsold-cars-around-the-world-2009-2

Page 16:

Where to begin? … Inspect!

Technology:

• Rapid security test of all web sites and web applications

• Rapid security test of the internal LAN network and internal applications

People & Process:

• Gap analysis of your Information Security Management System (ISMS) compared to ISO/IEC 27001

-> Security remediation plan

SEC Consult offer: Security Baseline Inspection

Source: http://img.directindustry.de/images_di/photo-g/werkstatt-hebebuhne-275871.jpg

Page 17:

What is a must to avoid insecure "toxic" software? (1)

Early warning system for new security vulnerabilities in software

• Know your risk!

• Act, don't react!

SEC Consult offer: Managed Vulnerability Information Service (MVIS) (https://www.sec-consult.com/files/MVIS_folder_en.pdf)

Sources: http://www.welt.de/vermischtes/article2696169/Bojen-fuer-Tsunami-Fruehwarnsystem-gestohlen.html
http://smartklean.wordpress.com/2010/12/03/are-you-and-your-family-exposed-to-toxic-surfactants/toxic-2/

Page 18:

What is a must to avoid insecure "toxic" software? (2)

Request state-of-the-art application security based on ÖNORM A 7700 (www.a7700.org) for all web applications

• Applicable in the whole European Union (due to CEN)

• Clear requirements for the security of web applications

• Easy to communicate to software vendors and providers

SEC Consult offer: Software Requirement Guidelines

Sources: http://www.denvergov.org/PortofEntry/tabid/395277/Default.aspx
http://smartklean.wordpress.com/2010/12/03/are-you-and-your-family-exposed-to-toxic-surfactants/toxic-2/

Page 19:

What is a must to avoid insecure "toxic" software? (3)

No new software without a security crash test

• Know how secure or insecure the software you buy is

• Get more attention from the software vendor for security fixes

• Reduce the cost of fixing security bugs: significant cost savings!

SEC Consult offer: Security Quality Gate for Software/Applications

Source: http://smartklean.wordpress.com/2010/12/03/are-you-and-your-family-exposed-to-toxic-surfactants/toxic-2/

Page 20:

Why SEC Consult?

• Helps you avoid insecure, "toxic" software

• Highly skilled international security experts

• High reputation and highly trusted in Austria and Romania

• Independent of software vendors

Page 21:

Contacting SEC Consult

Austria:
Mooslackengasse 17
A-1190 Vienna
Austria
Tel: +43-1-890 30 43-0
Fax: +43-1-890 30 43-15
Email: [email protected]
www.sec-consult.com

Germany:
Bockenheimer Landstrasse 17-19
D-60325 Frankfurt am Main
Germany
Tel: +49 (69) 175373 43
Fax: +49 (69) 175373 44
Email: [email protected]
www.sec-consult.com