Published by Phoenix Keen. Modified over 9 years ago.
1
Secrets of Superspies
Ira Winkler, CISSP
winkler@isag.com
+1-410-544-3435
2
Copyright ISAG
The Second Worst Spy in the World
3
The Worst Spy in the World
4
They are Everything You Want
- They kill people
- They blow things up
- They infiltrate enemy positions
- Their enemies fear them
5
But…
- They kill people
- They blow things up
- Their enemies know who they are
- They always get caught
6
How Can You Miss This?
7
What Do Spies Really Do?
- They determine requirements
- They collect information
- They analyze information
- They re-evaluate their needs
- Collection is the apparent focus, but it is the requirements that are most critical
8
Science vs Art
- Hackers like to portray themselves as “artists”
- Spies are “scientists”
- There is a repeatable process to what they do which is required for expertise
- Ability vs. Practice vs. Training
- You need two
- No training makes you dangerous
9
Spies Protect Themselves From Other Spies
- Counterintelligence
- They know the tricks of the trade, so they know what to expect
- They know they have to be right 100% of the time, while their adversary just has to be right once
- There is nothing there about protecting computers for the sake of protecting computers
10
The Key
- Spies focus on Information
- Technology is only important in that it provides access
- Different classifications get different levels of protection
- While there is tremendous threat, the actual losses are relatively small
11
Risk

$$\text{Risk} = \left( \frac{\text{Threat} \times \text{Vulnerability}}{\text{Countermeasures}} \right) \times \text{Value}$$
12
Risk Broken Down
- Threat – Who or What is out to get you
- Vulnerability – Your weaknesses that allow the Threat to exploit you
- Value – Value of your information or services at risk
- Countermeasures – Measures taken to mitigate the Risk
13
What’s Important to You?
- People focus on the Threat
- Spies acknowledge the Threat is a given
- Threat is irrelevant
  - For the most part
- They focus on mitigating Vulnerabilities
14
Case Study #1
- Compromise of nuclear secrets
- Full scale espionage simulation
- No holds barred attack
- Multi-faceted attack
  - Open source research
  - Misrepresentation
  - Walk through facilities
  - Internal hacking
15
Background
- Organization is very large with a large central organization
- Had traditional security issues, but no major issues that they knew about
- Organization as a whole experienced massive layoffs
- Only one security manager at HQ, with an intern, and no unit security managers
16
[Diagram of the attack path. Extracted labels: Restaurant Fishbowl; Facility Access; Unlocked Door; Security Office; Company Badge; Fake Signature; Locate Empty Office; Ethernet Port; Nuclear Reactor Designs; Company Operator; Graphics Department; IP Address; Proposal Prep Dept; Enter Facility; Simple Hack; Audit Logs; India Hack]
17
Results
- Nuclear reactor designs compromised
- Emerging technologies compromised
- Production potentially compromised
- National security implications
- It was extremely simple
- ID card was unnecessary
18
Believe it or Not
- Critical compromises accomplished within a half day
- No reports of any activities
- India hack was previously unknown
19
Case Study #2
- Placement of a person as a temporary employee in a high tech firm
- Full scale industrial espionage simulation
- No holds barred attack
- Multi-faceted attack
  - Open source research
  - Misrepresentation
  - Walk through facilities
  - Internal hacking
  - Internal coordination of external accomplices
20
Background
- Company has many emerging developments
- Developments valued in excess of $10 Billion by Wall Street analysts
- Company has experienced several cases of industrial espionage
- Research mentality of openness causes an operational security nightmare
- Security manager is very well aware of the threat
  - Secures what he can
21
[Diagram of the attack path. Extracted labels, in page order: Open Source Info Researcher Team Leader Meeting Minutes Business Manager Government Affairs User ID Password Critical Servers Knowledge as the Key Walk Through Portable Computer Internet Security Scanner Smart Card SLIP/PPP Vulnerability Scanner Inside Account & Accomplices TELNET Password File Prioritized Accounts Crack Phone Directory Accounts Manufacturing Information Other Sensitive Information Misc. Data Forgery Misc. Data Root Access NFS Manufacturing Data Patent Applications Other Sensitive Information Manufacturing Data Sensitive Data]
“Everything a competitor may want on all but one top development.”
22
Results
- All but one emerging development was seriously compromised
- Information valued in the billions of dollars
- Pending litigation posture compromised
- Patent applications compromised
- What else is there to say
23
Believe it or Not
- Critical compromises accomplished within one and a half days
- No reports of any activities
- They have much better than average security
  - Technical Security
  - Physical Security
24
Remember Risk

$$\text{Risk} = \left( \frac{\text{Threat} \times \text{Vulnerability}}{\text{Countermeasures}} \right) \times \text{Value}$$
25
Threat and Decisions
- The Vulnerabilities exploited were all preventable
- People are however fascinated by Threat
- It only takes bad intent to accomplish what was demonstrated
  - True for any attack
- Stop treating the bad guys as celebrities
26
What is a Spy’s Security Program?
- The implementation of Countermeasures
- Spies determine the Vulnerabilities that will most likely be exploited
- They then implement Countermeasures to mitigate the Vulnerabilities
- Defense in Depth
27
Optimizing Risk
[Chart. Labels: Cost; Countermeasures; Vulnerabilities; Risk Optimization Point]
28
Potential Loss Should Drive Budget
- Most security programs are determined by money available
  - Risk is a result, not a consideration
- Security program budgets should be a factor of Optimized Risk
  - Risk is the driver for the budget
- Remember, there is a great deal of ROI for most Countermeasures
  - There are only two ways to hack a computer
29
The Two Ways to Hack a Computer
- Take advantage of problems in the software
  - OS, applications, firmware
  - Your custom designed software
- Take advantage of configuration errors
  - The way users and administrators configure the systems
30
Why is Bristow the Worst Spy?
- She runs into good security programs
- She runs into redundant security measures
- The Countermeasures catch her
- She is not a real spy to begin with
- Alias actually demonstrates good security programs
31
Make Bad Movies
- The reason they are bad spies is because the producers want “good” movies
- They have to have dramatic tension
- Defense in Depth accomplishes this
- They want intrigue and sex
- I’m still waiting for that myself
32
Awareness Training Awareness
33
Summary
- The real spies are sadly better than Bond and Bristow
- Countermeasures should not result from budgets and vendor hype
- Information and services focus, not computer focus
- There should be Defense in Depth
- You must focus on Countermeasures that mitigate Vulnerabilities
- Realistic security is achievable
  - Just look at Bristow and Bond
34
For More Information
35
For More Information
Ira Winkler, CISSP, CISM
ira@isag.com
+1-410-544-3435