information security in the gaming world
TRANSCRIPT
Dimitrios Stergiou
About Dimitrios
• Has a keen interest in Information Security (10 years and counting)
• Currently holds: CISSP, CISA, CISM, BS 7799 LA, CCSP
• Newbie Python coder
• Amateur social engineer
• Loves vendor t-shirts
• Avid World of Warcraft gamer
Security and Quantum Computing
So, what do we talk about
• History lesson
• Threats
• Compliance
• Information Security
• And no, I am not selling anything, don’t panic
What we don’t talk about
• ROI (ROSI) – Actually we do
• APT
• Cyber-
• Hacker
– Attacker
• SSL / PKI
A bit of history
• Early Internet era
– Exploit vulnerabilities
– Take pride
• 10 years later
– Attack the server
– Steal or destroy data
• Last 5 years
– Attack the application
– Steal / hold data
– Financial gain
… and more recently
What causes the issues then?
1. Malware
2. Malicious insiders
3. Known vulnerabilities
4. Careless employees
5. Mobile devices
6. Social networking
7. Social engineering
8. Zero-day exploits
9. Cloud computing
Oh well, what now
Meet Information Security Compliance Standards
Information Security Compliance
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 27000 series
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Federal Information Security Management Act (FISMA)
• Bundesamt für Sicherheit in der Informationstechnik (BSI)
• SAS 70 Type 2
• National / other standards
A typical example
How it’s all done
Policy
Procedure
Guideline
Audit records
… and now I take you through the compliance process
(Doing only) Compliance fails
Why?
• “Word” engineering
• Checklist approach
• Baseline becomes “the ceiling”
• Snapshot in time
• Non-continuous process
The audit has finished…
• Management thinks that compliance equals security
• Does enough to “pass” the audit
• Does not talk security until the next audit
• Business as usual
Meanwhile, developers…
And Security people… Process / Procedure / Guideline / Standard / Instruction / Audit / Vulnerability / Risk / Threat / Exploit / Attack Vector / <buzz>
And attackers are efficient!
In touch with reality
As a result
The “sad” day comes when management realizes that
Or even worse:
Bottom line
s/YOU/Compliance/g
But Compliance can be the answer if
• It comes as a by-product of a security management program
• It is used in a bottom-up approach
• It can “secure” budget for security
• It does not become a panacea
Security Management
• Reputation
• Regulation
• Revenue
• Resilience
• Recession
Do we REALLY need security?
But are you 100% sure we need it?
Gender-neutral / Gender equality
Security management mini-HOWTO
Risk management
Risk assessment
Risk analysis
• Determination of scope of information security
• Creation of executive policy
• Development of systematic risk assessment method
• Identification of information assets
• Estimation of threats and vulnerabilities
• Inventory of assets
• Risk evaluation
• Risk assessment report
• Risk treatment
• Risk acceptance
• Risk analysis table
• List of assets
• Risk assessment procedures
Plan • Do • Check • Act (PDCA)
The “checklist” approach
1. Device inventory
2. Software inventory
3. Secure system device configuration
4. Secure network device configuration
5. Boundary defense
6. Monitoring and analysis of audit logs
7. Application software security
8. Control administrative privileges
9. “Need-to-know” access
10. Vulnerability assessment
11. Account monitoring
12. Malware defenses
13. Control network ports
14. Wireless control
15. Data Loss Prevention
16. Secure Network Design
17. Penetration test
18. Incident response
19. Data recovery
20. Training
The IT Security field is always in need of new clichés!
• Nothing will ever be 100% secure
• Know thy risk
• Security is the means, not the end
• Security yes, obscurity no
• Talk to them, not at them
What is that ROI again?
Why we don’t talk about ROI
“ROI” as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings.
– Bruce Schneier
Net Present Value (NPV)
C0 = Initial investment
B1 = Benefit for Year 1
t = Time period
k = discount rate (average cost of capital)
• NPV > 0: Go ahead
• NPV < 0: Project cancelled
• NPV = 0: Can do, can ignore, no difference
Net Present Value (Example)
Net Present Value (discount rate = 15%)
                          C0         T1         T2
Initial Investment  -200,000
Annual benefits                 400,000    400,000
Annual operating costs         -100,000   -100,000
Net Cash Flow       -200,000    300,000    300,000
NPV = -200,000 + 300,000 / (1.15)^1 + 300,000 / (1.15)^2
NPV = -200,000 + 260,870 + 226,843
NPV = 287,713
Internal Rate of Return (IRR)
C0 = Initial investment
B1 = Benefit for Year 1
t = Time period
k = cost of capital
• IRR > k: Go ahead
• IRR < k: Project cancelled
• IRR = k: Can do, can ignore, no difference
Net Present Value (Example)
Internal rate of return (k = 15%)
                          C0         T1         T2
Initial Investment  -200,000
Annual benefits                 400,000    400,000
Annual operating costs         -100,000   -100,000
Net Cash Flow       -200,000    300,000    300,000
IRR: 0 = -200,000 + 300,000 / (1+IRR)^1 + 300,000 / (1+IRR)^2
IRR = 118.61 %
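The NPV and IRR calculations from the two example slides above, carried through in Python as an added example (not code from the talk). The cash flows are the slides’ figures; the bisection solver for the IRR and the decision helper are my own choices.

```python
from typing import Sequence

def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value: cash_flows[0] is C0 (the initial outlay, negative),
    cash_flows[t] the net cash flow at end of year t, discounted by (1+rate)**t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))

def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0) -> float:
    """Internal rate of return: the rate at which npv() is zero, solved by
    bisection (my choice of solver, not the slides'). Assumes an outlay followed
    by inflows, so npv() decreases monotonically as the rate rises."""
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("IRR not bracketed: cash flows need a sign change")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < 1e-9:
            break
        # Keep the half-interval on which npv() still changes sign.
        if (f_lo < 0) == (f_mid < 0):
            lo, f_lo = mid, f_mid
        else:
            hi, f_hi = mid, f_mid
    return mid

def decide(value: float, threshold: float = 0.0) -> str:
    """The slides' rule: above the threshold go ahead, below it cancel."""
    if value > threshold:
        return "Go ahead"
    if value < threshold:
        return "Project cancelled"
    return "Can do, can ignore, no difference"

# Constructed from the slide table: C0, then the T1 and T2 net cash flow
# (annual benefits 400,000 minus annual operating costs 100,000).
NET_CASH_FLOWS = [-200_000, 400_000 - 100_000, 400_000 - 100_000]
COST_OF_CAPITAL = 0.15

if __name__ == "__main__":
    v, r = npv(COST_OF_CAPITAL, NET_CASH_FLOWS), irr(NET_CASH_FLOWS)
    print(f"NPV at {COST_OF_CAPITAL:.0%}: {v:,.0f} -> {decide(v)}")
    print(f"IRR: {r:.2%} -> {decide(r, COST_OF_CAPITAL)}")
```

For the NPV rule the threshold is zero; for the IRR rule it is the cost of capital k, which is why `decide` takes it as a parameter.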
Unfortunately
Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted. “Albert Einstein”
you need 1337 skillz to be hax0r?
• Beware of “script kiddies”
• Fame seekers
• Insider pwnage
• Revenge!!!
• Demo (3 slides to go)
Good keywords to Google
• metasploit
• set
• w3af
• nmap
• nessus
• beef
• sqlmap
Are you talking to me?
• Blog: blog.nihilnovo.eu
• Twitter: twitter.com/dstergiou
• Email: [email protected]
Demo
• Client-side attack with IE
• Browser exploitation