Computer Security An Overview - icab.org.bd

Cyber Security -An Overview By K Atique –e- Rabbani B Tech (Hons), Statistics, Univ of Bradford, UK, FCA Managing Director, The Computers Ltd (Estd 1983) Consultant, Atique Rabbani Consulting (ICT | Financial | IS Audit | Cyber Security)


Post on 24-Mar-2020




Cyber Security – An Overview

• Imagine you are in 10,000 BC, in the Stone Age, guarding your cave, which has no door

• When you guard it yourself the risk is negligible (the risk is that you fall asleep)

• When another person guards it, the risk is obviously higher


Cyber Security – An Overview

• Fast forward to your home in Dhaka – you now have a door with a lock.

• It is secure, but the risk is that you may lose the key and it falls into the wrong hands.


Cyber Security – An Overview

• Now with a leap of faith in technology you install an access control electronic lock which can be opened by placing a plastic card in front of it.

• It is more secure but it may malfunction or some smart alec can produce a fake card and open your door.


Cyber Security – An Overview

• Now imagine your home turns into a smart home. Your door lock has sensors and an internet connection so that you can open/lock it with your cell phone from anywhere.

• Now the global intruder does not have to be physically in front of your door. He can hack into your IoT lock while sitting on the other side of the world. The door opens and his Dhaka associate does the clean-up job!

• So you get a perspective of what we are getting into.


Cyber Security – A definition 1/2

a. Cyber is ethereal.

b. Cyber here relates to the virtual world created by Computers and Internet.

c. Cyber security is the protection of computer systems that are connected to other systems through the Internet or other means – physical or wireless.

d. There is a computer in everything now – smart phone, tabs, watches, other smart devices.


Cyber Security – A definition 2/2

a. IoT (Internet of Things) covers all kinds of devices with sensors and connectivity (via the Internet).

b. Rather, it should have been termed Smart Connection of Things (SCOT)

c. IoT is taking security to a new and complex dimension.

d. The world is headed towards IoE (Internet of Everything) – smart connection of devices and living objects.


Cyber Security – A recent case/breach 1/2

a. In the cyber world, one has a weak link at one's peril.

b. Tackling cyber is more of a management issue.

c. The more we embrace cyber, the more alert and smart our overall management has to be.

d. Cyber may not give a callous, lethargic or procrastinating manager a second chance

e. In Feb 2016 Bangladesh Bank was under cyber attack

f. Attempt to steal USD 951 million (through fraudulent instructions via SWIFT)


Cyber Security – A recent case/breach 2/2

a. 5 out of 35 fraudulent instructions went through

b. Dridex Malware (Software used to damage computer systems) may have been used. Dridex malware in particular steals bank credentials.

c. Malware is installed through a Word or Excel attachment and then opens up the system for others to get in.

d. Just like pushing a small boy through a window opening who then opens the house for the thieves.


Cyber Security – Vulnerabilities 1/2

a. ICT/Digital has taken the world unawares; techies are always on a learning curve and what they provide is mostly far from robust and mature.

b. Vulnerabilities arise because there are often undiscovered flaws in the system

c. The attacker finds out about the flaw

d. The attacker then exploits the flaw

e. Vulnerability Management is therefore crucial

f. Identify vulnerabilities -> Classify vulnerabilities -> Remediate vulnerabilities -> Mitigate vulnerabilities


Cyber Security – Vulnerabilities 2/2

a. Vulnerability can be defined as where the probability of threat capability exceeds the ability to resist the threat

b. It arises from human naivety/error of judgment, which poses the greatest threat

c. The vulnerability issue spreads over the whole spectrum – hardware, devices, software, networks, personnel, site, organization

d. A source of vulnerability is not learning from past mistakes. For example, most vulnerabilities discovered in IPv4 protocol software were also discovered in the new IPv6 implementations


Cyber Security – Types of Threats 1/5

a. Threats come in all innovative ways.

b. Slip in through a back door, i.e. bypass normal access/authentication – this is called a Backdoor

c. Plot to make the service unavailable – Denial of Service (DOS)

d. Attack from multiple points to make the service unavailable – Distributed denial of service (DDOS)


Cyber Security – Types of Threats 2/5

a. DDOS uses a cluster of PCs to attack the service provider – this is called a Botnet (from "robot network", meant in a malicious way) and its member PCs are called Zombie PCs

b. Innocent PCs/systems can be tricked into participating in these DDOS attacks without their owners knowing

c. An unauthorized person can directly access the system, make modifications and copy data – this is a Direct Access Attack. Disk Encryption (making all data unreadable through encryption software) is used to prevent these.


Cyber Security – Types of Threats 3/5

a. Listening to the conversation between host and network, or picking up data from the electromagnetic transmissions of standalone devices – this is Eavesdropping.

b. Masquerade as a known source and steal/ damage information - Spoofing

c. Users are misled into giving personal information through, say, fake websites - Phishing


Cyber Security – Types of Threats 4/5

a. Hijacking your clicks. Using multiple transparent or opaque layers, users are led into believing they are clicking on their page, but they are not – Clickjacking

b. A standard user can fool the system to access restricted data – Privilege Escalation

c. A perpetrator impersonating the MD/CEO asks for confidential information – Social Engineering. This scam cost USD 2 Bn in 2 years around 2016 in the US.


Cyber Security – Types of Threats 5/5


Cyber Security – Attacker’s motivation 1/2

a. Know your enemy – this may be the first step in stopping them

b. Financial gain – stolen debit and credit card information can be sold on the Dark Web

c. Cyber crime is estimated to be an over USD 2 trillion problem – there is no shortage of attackers who want a share of the pie

d. Cybercriminals use financial malware such as Carbanak, Dyre, Dridex, Rovnix and Shifu to steal funds directly from victims’ bank accounts

e. Vanity, Revenge, Outrage


Cyber Security – Attacker’s motivation 2/2

a. Ransomware - extort money from victims using Cryptolocker and such

b. Sabotage – power companies, water systems and chemical companies can be targeted by groups moved by political or ideological beliefs

c. State sponsored – industrial espionage – target is sensitive information that has military, economic and political value


Cyber Security – Prevention - ‘Security by design’ 1/2

a. Security by design – security cannot be an afterthought – it has to be mainstream

b. Software has to be designed from the ground up to be secure

c. There are many techniques for ensuring security by design

d. One is the Principle of Least Privilege – each user is allowed only the minimum privilege needed to carry out the required function. Thus, if an attacker gains access, it is only limited access to the system.


Cyber Security – Prevention - ‘Security by design’ 2/2

a. Defense in depth where the design is such that more than one subsystem needs to be violated to compromise the integrity of the total system.

b. Audit trails – smart trail so that exceptions are notified immediately

c. Full disclosure of all vulnerabilities so that window of vulnerability is kept to a minimum

d. ‘Fail-secure’ – like ‘fail-safe’ in engineering, so that no harm will come to pass in case of failure
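The least-privilege, audit-trail and fail-secure principles from the two ‘Security by design’ slides, combined in one access check. This is an added example, not part of the original presentation; the roles, users, actions and function names are constructed for illustration.

```python
# Constructed least-privilege policy: each role gets only the actions it needs.
POLICY = {
    "teller": {"view_balance"},
    "auditor": {"view_balance", "read_audit_log"},
    "payments_officer": {"view_balance", "create_transfer"},
}

class PolicyStoreDown(Exception):
    """Raised when the (hypothetical) user directory cannot be reached."""

def load_role(user, directory):
    # directory maps user -> role; None simulates an outage of the directory.
    if directory is None:
        raise PolicyStoreDown("directory unavailable")
    return directory[user]  # raises KeyError for unknown users

def authorize(user, action, directory, audit, alerts):
    """Return True only on an explicit allow; any failure means deny."""
    allowed, reason = False, "default deny"
    try:
        role = load_role(user, directory)
        allowed = action in POLICY.get(role, set())
        reason = f"role={role}"
    except Exception as exc:
        # Fail-secure: an error in the check never grants access.
        reason = f"error: {type(exc).__name__}"
    event = {"user": user, "action": action, "allowed": allowed, "reason": reason}
    audit.append(event)       # audit trail: every decision is recorded
    if not allowed:
        alerts.append(event)  # exceptions are surfaced immediately
    return allowed

def demo():
    directory = {"rahim": "teller", "karim": "payments_officer"}  # constructed users
    audit, alerts = [], []
    results = [
        authorize("karim", "create_transfer", directory, audit, alerts),  # allowed
        authorize("rahim", "create_transfer", directory, audit, alerts),  # not in role
        authorize("mallory", "view_balance", directory, audit, alerts),   # unknown user
        authorize("karim", "create_transfer", None, audit, alerts),       # outage
    ]
    return results, audit, alerts

if __name__ == "__main__":
    print(demo()[0])
```

Note that the last call is denied even though the same user and action were allowed a moment earlier: when the check itself fails, the system stays closed.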


Cyber Security – Security Measures 1/3

a. Threat prevention, detection, and response – three processes for an ideal state of computer "security"

b. The three processes (p d r) call for:

   a. Account access controls

   b. Cryptography (protects private messages)

   c. Firewall (properly configured, protects against unauthorized access)

   d. Intrusion Detection System (IDS) products, which detect network attacks in progress and assist in post-attack forensics

   e. Response, which can be any or all of: upgrades for protection, notification to authorities, counter attacks, complete destruction of the compromised system


Cyber Security – Security Measures 2/3

a. (Contd) The three processes (p d r) call for:

   a. Big Data (data are churned out in huge numbers by mobiles, software logs, cameras, microphones, RFID and other smart devices) is a term for datasets that are too large or complex

b. Big Data can give trends. Insights can be obtained through predictive analysis

c. Machine Learning is where the machine learns without being programmed.

d. Big Data and Machine Learning can be used to detect advanced persistent threats (APT).

e. APTs are the work of organized groups/governments who persistently and effectively target an entity


Cyber Security – Security Measures Big Data 3/3


Cyber Security – Need for a Country Strategy

• As Bangladesh digitally connects within and without to the whole world, Bangladesh needs a Cyber Security strategy.

• A strategy that will support economic growth and protect critical infrastructure and its citizens.

• A Cyber Security Strategy will deliver if it has underlying layers of good governance and a fair legal environment.


Cyber Security – Conclusion

As responsible citizens we must be aware and engage.

Thank you