
Internet Security Past, Present, and the Future


Presentation Transcript


  1. Internet SecurityPast, Present, and the Future Ehsan Foroughi M.Sc., CISSP, CISM

  2. Information Security Triad (CIA) Integrity Confidentiality Availability

  3. Security Concepts • Confidentiality • Integrity • Availability • Authenticity • Non-repudiation Ref: Wikipedia

  4. Cyber Security in Canada

  5. Cost of Cyber Crime • Cybercrime cost US businesses $8.9 B in 2012, an increase of 38% from 2010 • On average, security breaches: • Take 24 days to spot • Take 40 days to clean • Cost $592,000 to clean up per incident • Increase of 42% in cleanup cost from 2011 • In a study of 56 organizations: • $8.9M in cyber security/crime cost per organization per year • Security tools lowered cost by $1.6M

  6. Cost of Cyber Crime Average Cost of Cyber Security Attacks Per Second By Industry Ref: Enlight Research

  7. Targeted Attacks Ref: HP Ponemon Report

  8. Incidents • TJX Companies: 94 Million CC exposed (2006) • Conficker Worm Botnet: Affected 15M systems at its peak. (2008) • Heartland Payment Systems: 134 Million CC data lost (2008) • Stuxnet attack on Iran Nuclear Plants: Damage Cost ?? (2010) • Sony network breach of 77 M accounts, cost $171 M (2011)

  9. Cost of Cyber Crime Ref: Businessweek

  10. Subject Areas in Cyber Security • Infrastructure Security (Network / Internet Security) • Application Security • Physical Security (Environmental Security) • Operational and Process Security • Cryptography • e-Forensics • Governance & Compliance • Business Continuity and Disaster Recovery Planning (BCP / DRP)

  11. Internet Security Threats Malware Software Bugs (Errors) Vulnerability (Weakness) Denial of Service Insecure Design / Architecture Spoofing / Phishing

  12. Software Bugs: Buffer Overflow

      #include <string.h>

      int main() {
          char buffer[4];
          int some_variable = 1;
          ...
          strcpy(buffer, "Test");   /* "Test" plus its NUL terminator is 5 bytes; buffer holds 4 */
      }

      Memory after the copy: T e s t \0 (the terminator lands one byte past the end of buffer)

  13. Software Bugs: Race Condition

      def Withdraw(user, value):
          balance = AccountBalance(user)
          if balance < value:
              Exit(Error)
          balance = balance - value
          AccountBalance(user) = balance
          PayOut(value)
          Exit(Ok)

  14.-16. Software Bugs: Race Condition (animated walk-through of the same code): two concurrent withdrawals of $10 both read a $100 balance, both compute and write $90, and both pay out. Real-world example: 2003 Blackout.
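The check-then-act race from slides 13 to 16, reproduced deterministically in Python next to a locked version. This is an added example, not code from the slides; the Barrier rendezvous is a constructed device that forces both threads to read the balance before either writes, which is the interleaving the animation shows.

```python
import threading


class Account:
    """Shared mutable state that the two withdrawals race on."""
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_unsafe(acct, value, rendezvous):
    # Slide 13 logic: read, check, write, pay out, with no synchronization.
    balance = acct.balance          # 1. AccountBalance(user)
    rendezvous.wait()               # constructed: hold here until every thread has read
    if balance < value:             # 2. check against a copy that is now stale
        return False                # Exit(Error)
    acct.balance = balance - value  # 3. overwrite with stale arithmetic
    return True                     # PayOut(value); Exit(Ok)


def withdraw_safe(acct, value, rendezvous):
    # Check and update form one critical section, so the second thread
    # sees the first thread's write before it decides.
    rendezvous.wait()               # constructed: both threads still arrive "at once"
    with acct.lock:
        if acct.balance < value:
            return False
        acct.balance -= value
        return True


def run_concurrent(withdraw, balance, value, n=2):
    """Run n withdrawals of `value` against one account; return (final balance, total paid out)."""
    acct = Account(balance)
    rendezvous = threading.Barrier(n)
    results = []

    def worker():
        results.append(withdraw(acct, value, rendezvous))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, value * sum(results)


if __name__ == "__main__":
    print(run_concurrent(withdraw_unsafe, 100, 10))  # (90, 20): $20 paid out, balance down only $10
    print(run_concurrent(withdraw_safe, 100, 10))    # (80, 20)
```

With a $15 balance the unsafe version also defeats the overdraft check itself: both threads pass `balance < value` and $20 leaves a $15 account.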

  17. Malware • Trojan Horses • Viruses • Worms • Rootkits • Botnets • Spyware

  18. Malware: Goals • Sending Spam Email • Stealing Passwords and Information • Using Resources

  19. Malware: Transfer Mediums • Email • USB Disk • Shared Network Drives • Pop-ups and download links • Insecure Network

  20. Denial of Service • Distributed Denial of Service Attack • Grudge factor • Oct 2012 attack on banks by Izz ad-Din al-Qassam hackers • Capital One • HSBC • SunTrust • Anonymous group crippled Visa, MasterCard, PayPal over WikiLeaks

  21. Spoofing Example: Email

      import smtplib
      from email.mime.text import MIMEText

      s = smtplib.SMTP('localhost')
      msg = MIMEText('Hello from Microsoft.')
      msg['Subject'] = 'This is a test'
      msg['From'] = 'bill.gates@microsoft.com'   # plain SMTP does not verify the claimed sender
      msg['To'] = 'ehsanf@gmail.com'
      ret = s.sendmail(msg['From'], [msg['To']], msg.as_string())
      s.close()

  22. Let’s Rethink Email Security

  23. Email Security

  24.-26. Security Tools: Cryptography • NPIBOEFT, decoded letter by letter: N P I B O E F T → M O H A N D E S (each letter shifted back by one)
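The shift cipher behind slides 24 to 26, generalized beyond the single shift the slides show: an added example (not from the presentation) that enumerates the whole 25-key space of a Caesar shift, which is why such a cipher offers no real confidentiality; the word list used to pick the answer is constructed.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_text(text, shift):
    """Shift every letter `shift` places forward (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(ciphertext):
    """The entire key space: one candidate plaintext per non-zero shift (25 in total)."""
    return {k: shift_text(ciphertext, -k) for k in range(1, 26)}


def decode_with_wordlist(ciphertext, wordlist):
    """Return (shift, plaintext) for the first candidate found in the word list, else None."""
    for k, candidate in all_shifts(ciphertext).items():
        if candidate in wordlist:
            return k, candidate
    return None


if __name__ == "__main__":
    # Constructed word list; in practice a dictionary or language statistics does this job.
    print(decode_with_wordlist("NPIBOEFT", {"MOHANDES"}))  # (1, 'MOHANDES')
```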

  27. Cryptography • Confidentiality • Integrity • Authenticity Alice Bob Charlie

  28. Symmetric Key Cryptography • Shared Secret • Encryption Only • Usages: • Password Protected Zip Files • WEP-Shared (WiFi) • SSL / HTTPS (Diagram: a bit string is encrypted, sent A -> B, and decrypted back to the original bit string)

  29. Public Key Cryptography Ref: Wikipedia

  30. Public Key Cryptography • Encryption • Authenticity (Signing) • Usages: • Email Validation (PGP) • Authentication / Login • Banking

  31. Tools for Personal Security • Antivirus replacement: Microsoft Malicious Software Removal Tool • Malware Removal: Malwarebytes • Browsers: • Use Chrome • Stay away from Internet Explorer • Email Security: Web-mails such as Gmail • Password Management: PasswordSafe, LastPass, etc.

  32. Compliance • Payment Card Industry Data Security Standard (PCI-DSS) • Liability! • Privacy Laws: Canada Privacy Act 1983 • ISO 27001: Information Security Management Systems

  33. Associations - (ISC)2 • International Information Systems Security Certification Consortium - (ISC)² • Non-profit (since 1989) • Focused on IT Security • 90,000 Members • Certified Information Systems Security Professional (CISSP) • Certified Secure Software Lifecycle Professional (CSSLP) • CISSP: US DoD and NSA requirement

  34. Associations - ISACA • Information Systems Audit and Control Association (previously) • Non-profit (since 1967) • Focused on IT Governance and Audit • 95,000 Members • Certified Information Systems Auditor (CISA) • Certified Information Security Manager (CISM) • Continuing Education Point system, called CPE

  35. Associations – OWASP • Open Web Application Security Project (OWASP) • Non-profit • Open source • Focused on Securing Web

  36. Questions?
