in security risk
play

(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. - PowerPoint PPT Presentation

Oct 01, 2023 •119 likes •788 views

(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at Swisscom frei@techzoom.net Twitter @stefan_frei Cyber & Networking Security Networking security has become critical issue for all types

  1. (IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at Swisscom frei@techzoom.net Twitter @stefan_frei

  2. Cyber & Networking Security § Networking security has become critical issue for all types of industries § But in many aspects, cyber security differs fundamentally from past challenges NetSec 2015 Slide 2

  3. What makes the cyber world special? § Communication between people, machines and devices § Increase of computing performance § Price erosion § Software eats the world NetSec 2015 Slide 3

  4. Technology & Innovation In just two decades, new technologies and the Internet transformed society and businesses alike We had little time to learn or adopt – as individuals, society or industry We have to adopt to permanent change and high dynamics 1 Million Years 50 Years NetSec 2015 Slide 4

  5. The Environment Internet usage has grown to more than three billion users The number of targets, revenue per target and type of exploitation has also evolved rapidly: § Networking evolved from dedicated point to point connections to ubiquitous communication between people, platforms, and applications § Vulnerabilities in applications and devices are now globally exposed and accessible NetSec 2015 Slide 5

  6. Why is network security an issue? Infinite Interactions, Protocols, Service, Apps § Economy and our life increasingly depend on the Internet § Distributed information systems have become critical infrastructures Open Systems § technology is standardized and is no longer a secret Insecurity driven by organized adversaries § Entirely new «business models» NetSec 2015 Slide 6

  7. Security has become critical § Security § Security is one of the hidden building blocks of the Internet § The limits of security imply the limits of the Internet § Growing online business attracts attackers § Attackers increase the cost of doing business online § But the business opportunities of being on the Internet far outweigh the risks Market acceptance Serious Use of Internet (since 2000) Time Early Hype Trough of Adoption (late 90s) Disillusionment (mid 90s) (2000-2003) NetSec 2015 Slide 7

  8. Internet Security Evolution Figure courtesy Engin Kirda, Northwestern University NetSec 2015 Slide 8

  9. The Threat Environment Fast growing segment Personal Theft Gain Motivation Author Tools created by of Personal experts are used Fame Tools by less-skilled Vandalism criminals, for personal gain Curiosity Script- Hobbyist Expert Kiddy Hacker Attackers’ Expertise NetSec 2015 Slide 9

  10. complexity • complexity and interaction between systems is growing continously • complexity is the worst enemy of security

  11. Network of People, Devices, and Services The increasing number of new ways of interaction also create novel attack paths which are not predictable by definition NetSec 2015 Slide 11

  12. Complex Adaptive System (CAS) § Connectivity A decision on one part will affect all other related parts § Co-Evolution Elements can change based on their interaction between one another and the environment § Sensitive Dependence Sensitivity to initial conditions (non-linearity, cascades) § Emergent Order Potential for emergent and unpredictable behaviour Source: http://web.mit.edu/esd.83/www/notebook/Complex%20Adaptive%20Systems.pdf NetSec 2015 Slide 12

  13. Strategies to Handle Unpredictability Men Nature, Evolution § Predict and model risks § No attempt to predict risks Prevent Shocks Absorb Shocks § Relies on accuracy of § Relies on redundancy and models and probabilities robustnes § Optimization: § Absorption: short term gain, efficiency long term survival, diversity > fragile > anti-fragile Source: Antifragile: Things That Gain from Disorder, by Nassim Nicholas Taleb NetSec 2015 Slide 13

  14. Innovation & Price Erosion § Continued miniaturisation and price erosion § Today’s transistors are 90,000x more efficient and 60,000x cheaper than in 1971 § A car today would cost USD 0.25 and consume 0.2 ml/100 km of fuel Source: The Economist, The End of Moore's Law NetSec 2015 Slide 14

  15. today attackers can afford functionality and tools that were beyond their reach a decade ago

  16. Innovation & Price Erosion Nonexistent or previously unavailable technologies become common goods Software Defined Radio 15 Years USD 500 USD 500,000 Revalidate security assumptions based on the (A) limited availability, (B) unaffordability, or (B) limited performance of a technology NetSec 2015 Slide 16

  17. Examples of new Attack Vectors § Software Defined Radios (SDR) § All radio communication and protocols without hard crypto protection are highly exposed § Drones § Drones easily bypass perimeters to sniff or insert eavesdropping devices § Robots § Robots can access areas not accessible by humans. Remotely controlled to manipulate, monitor, or take other actions NetSec 2015 Slide 17

  18. Playground for Software Defined Radios (SDR) § Unsecured communication and networks are exposed NetSec 2015 Slide 18

  19. WHO ARE THE ATTACKERS?

  20. Attacker Motivation § Ego § Show the world what one can do, impress peers § To live some fantasy of omnipotence § Revenge, destruction, creation of fear § Cyber warfare § Terrorism § Secret service activities (Stuxnet 2010, Snowden/NSA 2013) § Revenge (e.g. a disgruntled employee) ‏ § Criminal intent § Blackmail, racketeering (Schutzgelderpressung) § Credit card fraud § Infiltrating e-banking § Spamming, phishing NetSec 2015 Slide 20

  21. What can attackers do? § Attack flow of information § Abuse Systems § Send fake messages § Infiltrate system with attack code § Replay messages § Modify web pages § Modify messages in transit § change content § Denial of service (DOS) § place attack code § Overload system resources § Hijack sessions § Internet infrastructure § E-banking § DNS, BGP, ARP § Identity theft § Unauthorized access to § Social engineering services § Break crypto § Infiltrate security protocols § etc. or processes (e.g. MITM) NetSec 2015 Slide 21

  22. Where are the attack targets? § Local Attacks: Client-side attacks dominate § Browser attacks targeting plug-ins § IFrame based attacks are now prevalent § Attacks of all shapes and sizes § Anti-virus worms § Social networking attacks – Twitter & Facebook § Phishing - banking industry is target #1 § Web mines - www.goggle.com rather than www.google.com § Documents - PDFs are not safe! § Data stored on end-points is often most valuable and the least protected! NetSec 2015 Slide 22

  23. Actors & Attackers Attacker Objectives Resources Proceeding • Information • Enormous • Build & buy know-how • Fighting Crime/ financial resources • Persistent & well Nation States, Terrorism • Focus on result, hidden attacks Agencies • Espionage not cost • Subversion of supply • Sabotage chain Targeted • Damage • Considerable • Buy know-how on • Attention financial resources black market • Manipulation of politics • Potentially large • Physical attacks Terrorists • Fear Uncertantity and network of Doubt (FUD) supporters • Financial • Business • Exsisting gangs • Make money in • Per case groups of (Organized) long term specialists Crime • Profit/loss driven • Bribery • Mass attention • Minimal financial • Highly motivated Opportunistic • Damage resources amateurs & Hacktivists, • Denounce • Large reach specialists Groups vulnerabilities in • Develops systems/organizations unpredictable momentum • Fame • Minimal financial • Available tools Vandals, • Reputation resources and Script Kiddies know-how NetSec 2015 Slide 23

  24. Actor: Nation States § Nation States § Virtually unlimited resources § The have a mandate by law to do certain things § Access (technical or legal) to critical components of the Internet infrastructure (like backbone) § Attacks on the integrity of the supply chain § Espionage and sabotage NetSec 2015 Slide 24

  25. Actor: Terrorists § Terrorists § Maximize attention/publicity § Spread Uncertainty Doubt and Fear (FUD) § Misuse of services with large number of followers/large audience (Twitter, Facebook, TV, ..) § Targeting large events (Sports, conferences, ..) NetSec 2015 Slide 25

  26. Cyber | Crime – All New? § Crime & Organized Crime § The first law code ever edited (code of Hammurabi) documents that organized crime was very real 4000 years ago Long history of the dark that developed itself in the middle of people, and society Code of Hammurabi § Cyber § Term coined by Norbert Wiener in 1948, used in reference to the control of complex systems § Today: Mesh of computers, networks, and lots of people Cyber Threats Short history of new technologies NetSec 2015 Slide 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz

Risk Assessment the Heart of Risk-based Security BARRY KOUNS CEO AT RISK BASED SECURITY Session Overview Warm-up Quiz Introduction to our security challenge What is Risk-based Security? The language of risk some

787 views • 53 slides
Degrees of Risk Defining a Risk Management Framework for Climate Security Nick Mabey, E3G

Degrees of Risk Defining a Risk Management Framework for Climate Security Nick Mabey, E3G

Degrees of Risk Defining a Risk Management Framework for Climate Security Nick Mabey, E3G February 2011 Background to the Report Builds on E3Gs climate security work since 2005 Seminars with climate and security experts in 2009-10

811 views • 51 slides
Integrated Security Curriculum Conceptions of SECURITY RISK THREATS TECH VALUES The Big

Integrated Security Curriculum Conceptions of SECURITY RISK THREATS TECH VALUES The Big

5/18/2017 Integrated Security Curriculum Conceptions of SECURITY RISK THREATS TECH VALUES The Big Picture: Integrated Security Pathways Cyber Security ISERC Student portal National Security Studies CAPSTONE: Gateway course Peace Studies

298 views • 3 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Quantitative Information Security Risk Management Effective risk management for small/medium

Quantitative Information Security Risk Management Effective risk management for small/medium

Realistic and Affordable Quantitative Information Security Risk Management Effective risk management for small/medium businesses Walter Williams Who am I Walt Williams, CISSP, SSCP, CEH, CPT, MCP Director of Security and Compliance at

756 views • 50 slides
Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2010 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

706 views • 32 slides
Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1

Security Planning and Risk Analysis CS461/ECE422 Computer Security I Fall 2009 Slide #1 Overview Elements of Risk Analysis Quantitative vs Qualitative Analysis One Risk Analysis framework Slide #2 Reading Material Chapter

793 views • 32 slides
INFORMATION RISK MANAGEMENT PROGRAM The Need for a Risk Management Program Information Security

INFORMATION RISK MANAGEMENT PROGRAM The Need for a Risk Management Program Information Security

INFORMATION TECHNOLOGY SERVICES INFORMATION RISK MANAGEMENT PROGRAM The Need for a Risk Management Program Information Security & Privacy Office June 8, 2017 Why Unit Risk Management Programs Are Important For the most part FSU has enjoyed

402 views • 9 slides
Risk Percep+on and the Acceptance of New Security Technology

Risk Percep+on and the Acceptance of New Security Technology

Risk Percep+on and the Acceptance of New Security Technology Marian Harbach, Sascha Fahl, MaAhew Smith Usable Security and Privacy Lab Leibniz Universitt

224 views • 11 slides
Information security risk assessments Lecture #3 Security in Organizations 2011 Eric Verheul

Information security risk assessments Lecture #3 Security in Organizations 2011 Eric Verheul

Information security risk assessments Lecture #3 Security in Organizations 2011 Eric Verheul 1 Literature Main literature for this lecture: 1. The ISO 27005 standard The NIST Special Publication 800- 30: Risk management 2. Guide for

929 views • 55 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

395 views • 7 slides
Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer

Outline Security risk and management Some terminology CSci 5271 Introduction to Computer Security Logistics intermission Day 2: Intro to Software and OS Security Example security failures Stephen McCamant University of Minnesota, Computer

608 views • 8 slides
Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy cornerstones Need to

582 views • 37 slides
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005 Risk

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005 Risk

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005 Risk Management Operational security is not about being able to create and maintain absolute security. Its about a pragmatic approach to risk

494 views • 14 slides
Security Risk Assessment and Risk Treatment for Integrated Modular Communication Hamid Asgari,

Security Risk Assessment and Risk Treatment for Integrated Modular Communication Hamid Asgari,

Security Risk Assessment and Risk Treatment for Integrated Modular Communication Hamid Asgari, Senior Member IEEE , Sarah Haines, and Adrian Waller Thales UK Limited, Research & Technology, Worton Drive, Worton Grange Business Park, Reading

635 views • 7 slides
MRO SAC Hosted Webinar Information Risk Management Framework Catherine Sherwood, Manager

MRO SAC Hosted Webinar Information Risk Management Framework Catherine Sherwood, Manager

MRO SAC Hosted Webinar Information Risk Management Framework Catherine Sherwood, Manager Information Security Risk, MISO David Day, Information Security Risk Analyst, MISO Joe Polen, Executive Director, Security Controls and Engagement

375 views • 21 slides
Data Society the Impact of Data Sharing on Our Everydays Life 1 st Swiss Workshop on Data

Data Society the Impact of Data Sharing on Our Everydays Life 1 st Swiss Workshop on Data

Data Society the Impact of Data Sharing on Our Everydays Life 1 st Swiss Workshop on Data Science ZHAW School of Engineering, Winterthur 21 March 2014 Andr Golliez Managing Partner itopia ag President Opendata.ch, Swiss Chapter of the

656 views • 30 slides
A brief introduction to information security Part I Tyler Moore Computer Science &

A brief introduction to information security Part I Tyler Moore Computer Science &

Notes A brief introduction to information security Part I Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX August 23, 2012 Some definitions Computer systems and networks Notes Outline Some definitions 1 What is

582 views • 10 slides
The Dark Side of Digital Financial Transformation: Cybersecurity and Technological Risk Douglas

The Dark Side of Digital Financial Transformation: Cybersecurity and Technological Risk Douglas

The Dark Side of Digital Financial Transformation: Cybersecurity and Technological Risk Douglas W. Arner Kerry Holdings Professor in Law University of Hong Kong Douglas.Arner@hku.hk FinTech Evolution and Typology FinTech Evolution The

1.13k views • 27 slides
UART Thou Mad? Mickey and Toby Legal Notice Our opinion is our own. It DOES NOT IN ANY WAY

UART Thou Mad? Mickey and Toby Legal Notice Our opinion is our own. It DOES NOT IN ANY WAY

UART Thou Mad? Mickey and Toby Legal Notice Our opinion is our own. It DOES NOT IN ANY WAY represent the view of our employers. whoami - Mickey whoami - Toby Agenda Intro UART o Background o Finding it Embedded systems overview

493 views • 24 slides
Dave Oran Network Systems Research & Design A solicitation from DARPA U.S. Defense

Dave Oran Network Systems Research & Design A solicitation from DARPA U.S. Defense

Dave Oran Network Systems Research & Design A solicitation from DARPA U.S. Defense Advanced Research Projects Agency A Broad Agency Announcement , which is a non-secret, open request for proposals You can find it at

211 views • 6 slides
Acknowledgment Thanks to the many IBM colleagues who contribute to and support different

Acknowledgment Thanks to the many IBM colleagues who contribute to and support different

M ULTI -V EHICLE M AP F USION USING GNU R ADIO O PTIMIZATION AND A CCELERATION O PPORTUNITIES Augusto Vega Akin Sisbot Alper Buyuktosunoglu Arun Paidimarri David Trilla John-David Wellman Pradip Bose IBM T. J. Watson Research Center IBM

662 views • 31 slides
15-780: IntroductionandHistoryofAI J. Zico Kolter and Tuomas Sandholm January 11, 2016 1

15-780: IntroductionandHistoryofAI J. Zico Kolter and Tuomas Sandholm January 11, 2016 1

15-780: IntroductionandHistoryofAI J. Zico Kolter and Tuomas Sandholm January 11, 2016 1 What is AI? (Some) history of AI (Some) current applications of AI Overview of course 2 WhatisAI? 3 Someclassicdefinitions Buildings

392 views • 35 slides
Virtual Deobfuscator Removing virtualization obfuscations from malware a DARPA Cyber Fast

Virtual Deobfuscator Removing virtualization obfuscations from malware a DARPA Cyber Fast

Virtual Deobfuscator Removing virtualization obfuscations from malware a DARPA Cyber Fast Track funded effort Approved for Public Release, Distribution Unlimited 1 Overview What is virtualization obfuscations? Why we care What

1.34k views • 34 slides

More recommend