information security in the gaming world

Dimitrios Stergiou

Post on 23-Jun-2015

Page 1: Information Security in the Gaming World

Dimitrios Stergiou

Page 2: Information Security in the Gaming World

About Dimitrios

• Has a keen interest in Information Security (10 years and counting)

• Currently holds: CISSP, CISA, CISM, BS 7799 LA, CCSP

• Newbie Python coder

• Amateur social engineer

• Loves vendor t-shirts

• Avid World of Warcraft gamer

Page 3: Information Security in the Gaming World

Security and Quantum Computing

Page 4: Information Security in the Gaming World

So, what do we talk about

• History lesson

• Threats

• Compliance

• Information Security

• And no, I am not selling anything, don’t panic

Page 5: Information Security in the Gaming World

What we don’t talk about

• ROI (ROSI) – Actually we do

• APT

• Cyber-

• Hacker
  – Attacker

• SSL / PKI

Page 6: Information Security in the Gaming World

A bit of history

• Early Internet era
  – Exploit vulnerabilities
  – Take pride

• 10 years later
  – Attack the server
  – Steal or destroy data

• Last 5 years
  – Attack the application
  – Steal / hold data
  – Financial gain

Page 7: Information Security in the Gaming World

… and more recently

Page 8: Information Security in the Gaming World

What causes the issues then?

1. Malware
2. Malicious insiders
3. Known vulnerabilities
4. Careless employees
5. Mobile devices
6. Social networking
7. Social engineering
8. Zero-day exploits
9. Cloud computing

Page 9: Information Security in the Gaming World

Oh well, what now

Meet Information Security Compliance Standards

Page 10: Information Security in the Gaming World

Information Security Compliance

• Payment Card Industry Data Security Standard (PCI DSS)

• ISO 27000 series

• Health Insurance Portability and Accountability Act (HIPAA)

• Sarbanes-Oxley Act (SOX)

• Federal Information Security Management Act (FISMA)

• Bundesamt für Sicherheit in der Informationstechnik (BSI)

• SAS 70 Type 2

• National / other standards

Page 11: Information Security in the Gaming World

A typical example

Page 12: Information Security in the Gaming World

How it’s all done

• Policy

• Procedure

• Guideline

• Audit records

Page 13: Information Security in the Gaming World

… and now I take you through the compliance process

Page 14: Information Security in the Gaming World
Page 15: Information Security in the Gaming World

(Doing only) Compliance fails

Page 16: Information Security in the Gaming World

Why?

• “Word” engineering

• Checklist approach

• Baseline becomes “the ceiling”

• Snapshot in time

• Non-continuous process

Page 17: Information Security in the Gaming World

The audit has finished…

• Management thinks that compliance equals security

• Does enough to “pass” the audit

• Do not talk security until next audit

• Business as usual

Page 18: Information Security in the Gaming World

Meanwhile, developers…

Page 19: Information Security in the Gaming World

And Security people… Process / Procedure / Guideline / Standard / Instruction / Audit / Vulnerability / Risk / Threat / Exploit / Attack Vector / <buzz>

Page 20: Information Security in the Gaming World

And attackers are efficient!

In touch with reality

Page 21: Information Security in the Gaming World

As a result

The “sad” day comes when management realizes that

Or even worse:

Page 22: Information Security in the Gaming World

Bottom line

s/YOU/Compliance/g

Page 23: Information Security in the Gaming World

But Compliance can be the answer if

• It comes as a by-product of a security management program

• It is used in a bottom-up approach

• It can “secure” budget for security

• It does not become a panacea

Page 24: Information Security in the Gaming World

Security Management

• Reputation

• Regulation

• Revenue

• Resilience

• Recession

Page 25: Information Security in the Gaming World

Do we REALLY need security?

Page 26: Information Security in the Gaming World

But are you 100% sure we need it?

Page 27: Information Security in the Gaming World

Gender-neutral / Gender equality

Page 28: Information Security in the Gaming World

Security management mini-HOWTO

(Process diagram: Risk management > Risk assessment > Risk analysis)

• Determination of scope of information security

• Creation of executive policy

• Development of systematic risk assessment method

• Identification of information assets

• Estimation of threats and vulnerabilities

• Risk evaluation

• Risk treatment

• Risk acceptance

Documents produced along the way: inventory of assets, list of assets, risk assessment procedures, risk analysis table, risk assessment report

Plan • Do • Check • Act (PDCA)

Page 29: Information Security in the Gaming World

The “checklist” approach

1. Device inventory
2. Software inventory
3. Secure system device configuration
4. Secure network device configuration
5. Boundary defense
6. Monitoring and analysis of audit logs
7. Application software security
8. Control administrative privileges
9. “Need-to-know” access
10. Vulnerability assessment
11. Account monitoring
12. Malware defenses
13. Control network ports
14. Wireless control
15. Data Loss Prevention
16. Secure Network Design
17. Penetration test
18. Incident response
19. Data recovery
20. Training

Page 30: Information Security in the Gaming World

The IT Security field is always in need of new clichés!

• Nothing will ever be 100% secure

• Know thy risk

• Security is the means, not the end

• Security yes, obscurity no

• Talk to them, not at them

Page 31: Information Security in the Gaming World
Page 32: Information Security in the Gaming World
Page 33: Information Security in the Gaming World

What is that ROI again?

Page 34: Information Security in the Gaming World

Why we don’t talk about ROI

"ROI" as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings.

Bruce Schneier

Page 35: Information Security in the Gaming World

Net Present Value (NPV)

C0 = Initial investment
B1 = Benefit for Year 1
t = Time period
k = discount rate (average cost of capital)

• NPV > 0: Go ahead

• NPV < 0: Project cancelled

• NPV = 0: Can do, can ignore, no difference

Page 36: Information Security in the Gaming World

Net Present Value (Example)

Net Present Value (discount rate = 15%)

                          C0          T1          T2
Initial Investment    -200,000
Annual benefits                   400,000     400,000
Annual operating costs           -100,000    -100,000
Net Cash Flow         -200,000    300,000     300,000

NPV = -200,000 + 300,000 / (1.15)^1 + 300,000 / (1.15)^2

NPV = -200,000 + 260,870 + 226,843

NPV = 287,713

Page 37: Information Security in the Gaming World

Internal Rate of Return (IRR)

C0 = Initial investment
B1 = Benefit for Year 1
t = Time period
k = cost of capital

• IRR > k: Go ahead

• IRR < k: Project cancelled

• IRR = k: Can do, can ignore, no difference

Page 38: Information Security in the Gaming World

Net Present Value (Example)

Internal rate of return (k = 15%)

                          C0          T1          T2
Initial Investment    -200,000
Annual benefits                   400,000     400,000
Annual operating costs           -100,000    -100,000
Net Cash Flow         -200,000    300,000     300,000

IRR: 0 = -200,000 + 300,000 / (1 + IRR)^1 + 300,000 / (1 + IRR)^2

IRR = 118.61 %
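The NPV and IRR figures on the two example slides, recomputed so the decision rules on the NPV and IRR slides can be applied to any set of cash flows. This is an added example, not code from the presentation: the cash flows are the slide's net cash flow row (constructed here as a list), and the bisection IRR solver and the decide() helper are this example's own, assuming a single sign change in the cash flows (one outlay, then inflows) so the IRR is unique.

```python
"""Worked NPV / IRR example for the cash flows on the slides (added example)."""
from typing import Sequence

# Constructed from the slide table: C0 = -200,000, then a net cash flow of
# +300,000 in T1 and T2 (400,000 benefits minus 100,000 operating costs).
CASH_FLOWS = [-200_000.0, 300_000.0, 300_000.0]
DISCOUNT_RATE = 0.15  # k on the slides (average cost of capital)


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value: sum of cash_flows[t] / (1 + rate)**t, with t = 0 today."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], low: float = -0.99, high: float = 10.0,
        tol: float = 1e-9) -> float:
    """Internal rate of return by bisection: the rate at which npv() == 0.

    Assumes one sign change in the cash flows, so exactly one root lies in
    [low, high]; otherwise the bracket check below raises.
    """
    f_low, f_high = npv(low, cash_flows), npv(high, cash_flows)
    if f_low * f_high > 0:
        raise ValueError("NPV does not change sign on the bracket; no single IRR")
    for _ in range(200):
        mid = (low + high) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol or (high - low) < tol:
            return mid
        if f_low * f_mid < 0:      # root lies between low and mid
            high, f_high = mid, f_mid
        else:                      # root lies between mid and high
            low, f_low = mid, f_mid
    return (low + high) / 2.0


def decide(value: float, threshold: float = 0.0) -> str:
    """Decision rule from the slides: NPV against 0, or IRR against k."""
    if value > threshold:
        return "Go ahead"
    if value < threshold:
        return "Project cancelled"
    return "Can do, can ignore, no difference"


def slide_example() -> dict:
    """Recompute the numbers shown on the NPV and IRR example slides."""
    value = npv(DISCOUNT_RATE, CASH_FLOWS)
    rate = irr(CASH_FLOWS)
    return {
        "npv": round(value),                     # 287,713 on the slide
        "npv_decision": decide(value, 0.0),
        "irr_pct": round(rate * 100, 2),         # 118.61 % on the slide
        "irr_decision": decide(rate, DISCOUNT_RATE),
    }


if __name__ == "__main__":
    for key, val in slide_example().items():
        print(f"{key}: {val}")
```

Because security spend is framed on the slides as loss prevention rather than earnings, the "benefits" row in practice is the expected loss avoided; the arithmetic above is unchanged, only the source of the numbers differs.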

Page 39: Information Security in the Gaming World

Unfortunately

Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted. “Albert Einstein”

Page 40: Information Security in the Gaming World
Page 41: Information Security in the Gaming World

you need 1337 skillz to be hax0r?

• Beware of “script kiddies”

• Fame seekers

• Insider pwnage

• Revenge!!!

• Demo (3 slides to go)

Page 42: Information Security in the Gaming World
Page 43: Information Security in the Gaming World

Good keywords to Google

• metasploit

• set

• w3af

• nmap

• nessus

• beef

• sqlmap

Page 44: Information Security in the Gaming World

Are you talking to me?

• Blog: blog.nihilnovo.eu

• Twitter: twitter.com/dstergiou

• Email: [email protected]

Page 45: Information Security in the Gaming World

Demo

• Client-side attack with IE

• Browser exploitation