Can we still trust the internet, or anything connected to it ?


Nr.: 1 – 15 October 2015 – EEMA Fireside – “Can we still trust the internet ?” – classification : public

Can we still trust the internet, or anything connected to it ?

15 October 2015

Presenter : Paul De Vroede

Information Security Officer, Agentschap Facilitair Bedrijf, Vlaamse overheid

Classification: not public yet

Nr.: 2

Disclaimer

WARNING: This presentation has an unusually high ‘FUD’ factor (*)

* FUD : Fear, Uncertainty & Doubt

Nr.: 3

BIO: Paul DE VROEDE

Last 6 years : Information Security Officer @ Agentschap Facilitair Bedrijf, Vlaamse overheid

- 15.000 PC endpoints

- >2 Terabyte browsing download/day (avg. 700 Mbit/s)

Before that : 11 years ICT Security Officer combined with ICT mgmt function in European HQ of large multinational

@pauldevroede

expresses his own opinion in this presentation

Nr.: 4

Agenda

• A 2015 ‘Tragic Quadrant’ of insecurity

• Some recent observations

• Back to InfoSec school : the CIA triad

• Where does it all go wrong ?

• (How) can we fix this ?

Nr.: 5

A 2015 ‘Tragic Quadrant’ of insecurity

• Car hacking

Nr.: 6

A 2015 ‘Tragic Quadrant’ of insecurity

• Car hacking

Nr.: 7

A 2015 ‘Tragic Quadrant’ of insecurity

• Car hacking

• Malvertising

• Fingerprint leakage

• Internet of Things

• Flash/0-day

• Mass surveillance

• Security products

• Misbehaving apps

Nr.: 8

Some recent observations

Nr.: 9

Some recent observations

Chatham House report (5 Oct 2015):

“The researchers found that many nuclear power plant systems were not "air gapped" from the Internet and that they had virtual private network access that operators were "sometimes unaware of.”

"It would be extremely difficult to cause a meltdown (...) but it would be possible for a state actor to do...” (FT.com)

Nr.: 10

Some recent observations

Nr.: 11

Some recent observations

Cookies (and other methods of tracking and privacy-deteriorating stuff).

Yes please, I would like to have that “free lunch” !

Nr.: 12

Some recent observations

Source : https://www.ernw.de/download/ERNW_DCVI_TargetedAttacks.pdf

Nr.: 13

Some recent observations

Do we even know what we will be up against ?

Nr.: 14

Intermediate question

Just making sure : Does anybody need some medical assistance at this point in the presentation ?

Nr.: 15

Back to Infosec school : the CIA triad

Incidents affecting integrity will have dramatic consequences !

Nr.: 16

Where does it all go wrong, is it Dave’s fault ?

Nr.: 17

Where does it all go wrong, is it Dave’s fault ?

Disclaimer : if you disagree, please contact Mr. Einstein, not the presenter

Remark : I agree, but not when referring to the end-user, but to us all (see further)

Nr.: 18

Where does it all go wrong (please fill in) ?

Many TCP/IP protocols lack security options (such as authentication): we were going to network universities and assumed we would not hack/spy on each other

Old architecture (flat networks, but does R&D need to talk to Marketing ?)

Bad decisions : does everything need to be online ?

A lot of bad design/build/installs/configurations (human error)

Bad practices and operations

Investment in technology, but not in skills/resources

Browser extensions/plug-ins/new functions

(some) Users

Software ! Software ! Software ! Software !

Nr.: 19

(How) can we fix this ?

New and ‘more secure’ protocols ? (But look at adoption rate of DNSSEC, STARTTLS, …)

Isolation/virtualization/segmentation, … X-ation : e.g. Qubes OS, Cloud Isolation Platforms, etc. ?

Liability for software vendors ? More regulation and bigger ‘penalties’ ?

Transparency in software code (Open Source) ? Some say it might prevent cases like VW’s Diesel “cheating code”. Might also need to look at HW, and how about Intellectual Property ?

Segmentation on Internet (what would that look like) ?

More skills, more people (rather than products, SIEM or analytics) ?

Honestly ? I don’t know… I hope you can tell me in the coming hour !

Nr.: 20

Closing Thought (or rather food for thought)

A car is a product we buy (in the future rent, some say), and that can bring us to wonderful places. So is our internet-connected PC. We can wreck the car by driving carelessly, as we can wreck our PC (or consequently our bank account) if we ‘operate’ it without thinking (and without some knowledge/skill). We can still start ‘surfing’ the web without a driver’s license, though (and have our PC harm other people if it becomes part of a botnet, e.g.).

But we don’t accept faults in our cars, so why do we accept them from the internet, and from the computers and the software we use ? We (will) have people killed as a consequence of internet-related security incidents.

If you don’t see the internet (and the PC connected to it) as a ‘product’ for which we could claim flawless functionality, could it then be compared with a utility like gas or electricity ? Do we expect those to be ‘safe’ ? Those can only be installed by accredited installers, and (in-house) installations are thoroughly verified before being connected to the supply network. Is that even possible with the internet, and would it make a difference ?