Security needs For companies in the network age. Bernhard M. Hämmerli

Size: px

Start display at page:

Download "Security needs For companies in the network age. Bernhard M. Hämmerli"

Phebe Brown
7 years ago
Views:

1 Security needs For companies in the network age Bernhard M. Hämmerli

2 Content Content Threat Situation 2014 / 15: The Challenge Option to React to the Challenge Questions / Discussion

3 Threat Situation 2014 / 15: The Challenge

4 Recent Threats 2013: Snowden Reference Material for Experts Top level Diplomat US Victoria Nuland, : Astonished on speech quality of Russian surveillance 20. November 2014: NSA Director (Video) January 7, 15: Angela Merkel: Server Down

5 Sony Attack: November 25, 2014 Sony attack (Nord Korea): The attack also resulted in the destruction of about threequarters of the computers and servers at Sony firm s main operations, according to a weekend report in the New York Times. Data released online showed that the attackers accessed a wide variety of data, including a list of employee salaries and bonuses; social security numbers and dates of birth; employee performance reviews; criminal background checks and termination records; correspondence about employee medical conditions; passport and visa information for film actors and crew; internal s; and unreleased films. Could this happen to businesses in Europe? ny%20cyber%20attack_

6 2012, Palo Alto Networks

Angela Merkel Web is Down: 7.1.2015, 14:54 Hackerangriff auf Websites der Kanzlerin Angela Merker (NZZ) Am Mittwoch 7.1.2014 waren einzelne Websites der Bundesregierung nicht erreichbar.

7 Angela Merkel Web is Down: , 14:54 Hackerangriff auf Websites der Kanzlerin Angela Merker (NZZ) Am Mittwoch waren einzelne Websites der Bundesregierung nicht erreichbar. Laut Medienberichten sollen sie von ukrainischen Separatisten gehackt worden sein.

8 Charlie Hebdo Attack: January 7, 2015 Terror Expert Guido Steinberg: «Today we have to consider always that attacks could happen.» What could cyber-space(-defence) contribute to avoid such attack?

9 Technical options for attacks Blue Eye Version: What we want to see Publicly known vulnerabilities Script kiddies Cheap Without supplier support: Vulnerabilities as a service rented or bought for Crime Scene or Government Moderate prize Self-researched Vulnerabilities Very high effort With supplier support of commercial of the shelf software / service Terms & Conditions Direct Access to Servers e.g. PRISM Lawful Interception cheap Big data analytics statistic criteria evaluated by algorithms very cheap stats only cheap

10 Technical options for attacks Realistic Version today: What we hate to see Publicly known vulnerabilities Script kiddies Cheap Without supplier support: Vulnerabilities as a service rented or bought for Crime Scene or Government Moderate prize Self-researched Vulnerabilities Very high effort With supplier support of commercial of the shelf software / service Terms & Conditions Direct Access to Servers e.g. PRISM Lawful Interception cheap Big data analytics statistic criteria evaluated by algorithms very cheap stats only cheap

11 Film Grid USA, NSA Director Adm. Michael Rogers

12 China s Off-Sitch for US Power Grid?

13 Statistics: Number of vulnerabilities source: Microsoft Security Intelligence Report Volume 17 Slide 13

14 Statistics: Type of exploits source: Microsoft Security Intelligence Report Volume , Palo Alto Networks. Confidential and Proprietary.

A New Breed of Malware 100% % Malware Without Anti-Virus Coverage 80% 60% 54% of malware found with WildFire are not covered by traditional AV at time of detection

15 A New Breed of Malware 100% % Malware Without Anti-Virus Coverage 80% 60% 54% of malware found with WildFire are not covered by traditional AV at time of detection 40% of malware still not covered after 7 days 40% 20% 0% Day 0 Day 1 Day 2 Day 3 Day 4 Day 5 Day 6 Day , Palo Alto Networks. Confidential and Proprietary.

16 Analysis of today s cyber situation A tomic B iological C hemical Weapons Weapons Weapons Digital Weapons

17 Digital Weapons NSA builds digital Weapons: Edward Snowden said that NSA prepares for Cyber War. Targets are successful operations and the option to deny credibly the involvement into the operation.» Von Fabian Vogt, :12. heise.de Passive Data collection was yesterday: Today National Security Agency (NSA) der USA wants the digital Superiority and Dominance in the net. Source: German magazine «Spiegel», citing whistle blower Edward Snowden. The documents contain also a clear position to enter digital weapons. Recruiting has according job description: this proves It is real!

18 Digital Weapons NSA builds digital Weapons: Edward Snowden said that NSA prepares for Cyber War. Targets are successful operations and the option to deny credibly the involvement into the operation.» Von Fabian Vogt, :12. heise.de Passive Data collection was yesterday: Today National Security Agency (NSA) der USA wants the digital Superiority and Dominance in the net. Source: German magazine «Spiegel», citing whistle blower Edward Snowden. The documents contain also a clear position to enter digital weapons. Recruiting has according job description: this proves It is real!

19 Conclusion on the Challenge Threats have massively increased: It is easier and cheaper to generate Advanced Malware Updates are used because of cost / inconveniencies with average delay of 48 days! Open Windows of private home 50+ Nations explicitly engage in cyberspace with according commands The Challenge: We need more experts to defend values like sovereignty and democracy. Time-to-Market of defence is crucial We need spaces (physical and cyber) where we can relax, feel secure and know we are private: Today this is not cyber space!

20 Policy Issue Ownership of Vulnerability and Thread Information Raise Within NIS-P DG-connect & ENISA By WG2

21 Important Question on Threat Information Policy issue: Who is the owner of vulnerability and threat information? Is it the supplier of software / hardware? Is it the person who have bought the installation? The service provider if any? Has the MS or EU a right to request that all this information must pass through MS or EU respectively is - because of speed double distributed? Any other situation? Why is this tat important? It could be that supplier know exactly about vulnerability of clients / countries / critical infrastructure probably by far better than owner or operator. For me this is not along the lines, which my internal code of ethics is established.

22 Option to React to the Challenge

23 Due Diligence in Cyber Security SME, SOHO, Citizen Use updates timely Use a good malware protection software / advanced threat management Take responsibility when using USB Sticks, opening attachments and clicking links. (S)ME, Enterprises using more security Outsource security in professional Security Operation Centre SOC 24x7 with 5-7 job profiles Join Information Sharing Arrangements Be prepared for resilience, i.e. from fail safe to safe fail i.e. react & response must be integral part of security concepts.

24 Final Thoughts Richard Clarke: Three laws on Cyber-Security: 1. Don t buy a computer! But if you really need one then 2. Don t switch the computer on! But if you really need to switch it on 3. Don t plug the computer into the net! And how we should behave? 1. The fact that we know more, does should not fundamentally change out behaviour. 2. In many cases it is irrelevant whether others are listening. 3. Processing of ones data is expensive, and will be done with good arguments only! 4. Big Worry: Our data will be stored life long and could be evaluated any time others want to Be careful and minimal with data creation!!! 5. And for really confidential stuff: Apply the three laws on Cyber Security!

25 Questions / Discussion

26 Appendix

Proposal for CEPIS Activities. Bernhard M. Hämmerli

Proposal for CEPIS Activities. Bernhard M. Hämmerli Proposal for CEPIS Activities Bernhard M. Hämmerli PISA ICT Study 09.04.2014 Scenario / Proposal Quite difficult curriculum discussions in many countries, e.g. in CH: Informatics at schools is very hard