Anthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown

Transcription

1 Anthony J. Keane, MSc, PhD and Jason Flood, MSc Information Security & Digital Forensics Research Group Institute of Technology Blanchardstown 1

2 Protected networks are continuously being successfully attacked The lack of security is inherent in modern information systems. More complexity means more places to attack. There are multiple ways around each defense. It s easier to attack systems than defend them. It s easier to break things than to fix them. And there is plenty of evidence of this 2

3 Reports from Many Sources The Annual Survey Reports from Security Companies, Financial Sectors, Government Organisations, EU Parliament Reports, etc. All give a picture of Society under Attack, for example: Symantec recorded 5.5 Billion malware attacks in incidents with over 174 million compromised records reported in Data Breach Investigations Report 2012 Verzion 2012 found that 92% of attacks were not difficult and that 85% of successful network intrusion take months to discover. And there is also the News Media 3

4 4

5 Hacking as a Service? DDoS attack on demand 5

6 EU Strategic Priorities 1.Achieving Cyber Resilience 2.Drastically Reducing Cyber Crime 3.Developing Cyber Defense Policy 4.Developing the Industrial & Technology resources for cyber security 5.Establishing a coherent international cyberspace policy 6

7 WHO. Lots of people. Kids, students, adults, you, me, everyone WHY. Many reasons. Money, fun, challenge, etc WHEN. All the time 24/7 It is a big World and everyone has a computer HOW. Monitor and Research. This is the smoking gun. 7

8 Visualisation of Attack Can see (in logs) Can not see (from activity) 8

9 Knowing WHERE to look and WHAT to look for is the issue However. 9

10 What are the Threats to Your Network? 10

11 What we know we know it is not like this How many mistakes did you spot? 11

12 What we know Cyber Security is Expensive Global cybersecurity spending: $60 billion in 2012 Cyber Security M&A, pwc, Fortune 500 companies surveyed: Spending $5.3 billion per year on cybersecurity. Stopping 69% of attacks. Deloitte Report 2013 Irish Information Security and Cybercrime Survey states that 135,000 is the average cost of a cybercrime incident in Ireland. 12

13 What we know Viruses Trojans Malware Firewalls Log files Audit trails Policies & Guidelines Governance & Compliance Peoples and their bad habits 13

14 Methodology for an attack Reconnaissance Scanning and Enumeration Gaining Access Denial of Service Failed Tactic of last resort An action of desperation Relatively unskilled attacker Success Escalation of Privilege Maintaining Access Covering Tracks Backdoors 14

15 What we don t know.. What people will do next? What criminals will do next? Where the next weakness will be? What some of the malware actually does? Who can we really trust? What should we be teaching our students in colleges? What training should IT Administrators be doing on a continuous basis? 15

16 What we know (or suspect) we don t know: The next Zero Day attack? What new malware will target? Real impact of always connected technology? What the next generation of vulnerable software products will be? What will the future be like? 16

17 What we don t know about unknowns: We know we don t know about unknowns The future will reveal all So what can we do about it? We can become HACKERS 17

18 What is Gamification? Gamification is the use of game design techniques and game mechanics to solve problems and engage audiences. Encapsulated in Capture-the-Flag Competitions Consists of computer networks of servers with various challenges usually given as levels and increasing in difficulty as levels increase (just like in gaming). As in LIFE, so as in the GAME 18

19 How can Gamification help? 1. Engagement Gamification projects are easy to join and low cost approach to education. 2. Knowledge Know-How Engaging with problem solving techniques through challenging levels force participants to identify their own skill deficiency and improve on it. 3. Addition Enjoyable approach to learning and testing. 4. Rewards Being a better hacker gives a different perspective to defending your network. 19

20 Cyber Challenge Competition at IRISS

21 Annual Cyber Security Challenge As part of IRISSCERT's annual Conference on Cybercrime we run Ireland's premier Cyber Security Challenge. This year's challenge is being run for us by the Irish Honeynet Chapter out of ITB. The goal of the Cyber Security Challenge is to identify Ireland's top cyber security experts. IRISSCERT's Cyber Security Challenge sees teams compete against each other in a controlled environment to determine which one will be the first to exploit weaknesses in a number of systems and declare victory. The purpose IRISSCERT's Cyber Security Challenge competition is to demonstrate how attackers could gain access to your systems and allow you to learn from the event on how to prevent such attacks from impacting your network. 21

22 21 st Nov. Next Cyber Challenge at IRISS 2013 Sign up now at 22

23 Game Methodology Know Your Tools Scanning Gaining Access Own the System Block out Others Exploring System Capturing the Flag Move to Next Level 23

24 Gamification Development Not just about computers Also about attacking control systems domestic appliances fridges, Smart TVs, etc new technology for planes, trains and cars anything that looks attractive to hack Also about people and people networking 24

25 Practice Makes Perfect Tools and Techniques Skills and Time Knowing what is possible and how to prevent it Knowing what to do next 25

26 Gamification can develop and improve network security skills: 1. Problem Solving 2. Knowledgeable of Hacking Tools/Techniques 3. Knowledgeable of Network Defenses 4. Improved Basic and Advanced Skills 5. Learning to Think as an Attacker 6. Continuous Life-Long Learning 7. Knowing you can not be Complacent 26

27 You don t have to out run the bear be the bear Thank you for listening.. Any Questions? 27