
Applications ::

The new Cybersecurity frontier

Mano Paul
CSSLP, CISSP, MCAD, MCSD, CompTIA Network+, ECSA
CEO, SecuRisk Solutions
Mano.Paul(at)SecuRiskSolutions(dot)com

Securitybyte & OWASP Confidential


Who am I?

• (ISC)2’s Software Assurance Advisor
• Founder - SecuRisk Solutions, Express Certifications & AppSentinel
• ISSA – Industry Representative
• Invited Speaker @ OWASP, CSI, Catalyst, SC World Congress, …
• Information Security Program Manager – Dell Inc.
• Author
  – Official (ISC)2 Guide to the CSSLP
  – Information Security Management Handbook
• Shark Biologist, Bahamas
• SharkTalk podcaster
• On LinkedIn/Facebook/Twitter

Securitybyte & OWASP Confidential Securitybyte & OWASP AppSec Conference 2009 2
Who I am NOT!

(Photo) NOT ME

What are we here to talk about?

• Cybersecurity
• Applications
• Applications and Cybersecurity

Live Free or Die Hard

• Matt Farrell: Jesus Christ. It's a fire sale.
• John McClane: What?
• Matt Farrell: It's a fire sale.
• Deputy Director Miguel Bowman: Hey! We don't know that yet.
• Taylor: Yeah, it's a myth anyway. It can't be done.
• Matt Farrell: Oh, it's a myth? Really? <censored>
• John McClane: Hey, what's a fire sale?
• Matt Farrell: It's a three-step... it's a three-step systematic attack on the entire national infrastructure. Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that's run by computers which... which today is almost everything. So that's why they call it a fire sale, because everything must go.

Hollywood – not too far from reality

• 2007 : Estonia hacked
  – Government Ministry & Political parties (Defense)
  – Newspapers (Communications)
  – Banking and Private Companies (Financial/Utilities)
• 2008 : Nation State Georgia – First Cyberwar
• 2009 : The Shadow of the Gaza Conflict – Cyberwar against Israel
• 2009 : Brazil Broken (Nov 6th, 2009)
• 2010 : Digital Hackistan ?

Cybersecurity

• Pronunciation: sai-ber-si-kyur-a-te
• Securing Cyberspace
• Kinetic (physical) using Non-kinetic (electronic)
• Definition: Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. – Merriam-Webster’s

“Protecting pretty much anything that runs by computers – which is everything today!” – Die Hard Definition

Why are we where we are?

• Army secures land space
• Air Force secures air space
• Navy secures sea space
• But what about space that is not land, not air, nor sea?
  – Cyber

Why are we where we are? – Contd.

• Seconomics (a new term coined!)
  – Cost of insecure software - $180,000,000,000,000
• Wars are won by bits and bytes
  – Cyber-chess with an invisible enemy
  – Whoever controls the Information can deal the checkmate
• IT - Internet Terrorism?
  – Cyberbullies

Securing Cyberspace – Easier said than done!

• No borders – Big Firewall
• Highly interconnected
• Short arm of the law
• Privacy invasion
• Polymorphic threats

Cybersecurity Threat agents

• Human
• Non Human
  – Malicious Software
  – Technology
    • VoIP
    • Pervasive computing
    • Web 2.0wned - Social Netmares

Malicious Software a.k.a. Malware

Malware taxonomy (diagram): Malware splits into two branches, Proliferative and Stealthware. Categories shown: Viruses & Worms (Web Worms), Trojans, Spyware & Adware, Rootkits.

Slap in the face-book

• I had to recently open the ‘Rootkits’ book
• I sent my wife a link on facebook and then it happened …
• Command and control
• Phishing Hooks

Screenshot callouts (phishing e-mail and facebook message):
– Tax Refund – An Oxymoron
– Is IRS.gov and Tax.gov the same?
– The IRS is pleased?
– What currency is this? $ with ,
– Hmmm
– Should this not be the usual 3-5 business days?
– And of course the legitimate security warning!

What’s in common with these threats?

• Are Applications
• Run Applications
• Exploit Applications
• Applications
  – The Weakest Link?

What’s wiring this evolving world?

“In the 80’s we wired the world with cables and in the 90’s we wired the world with computer networks. Today we are wiring the world with applications using web services and mashups. Having skilled professionals capable of designing and developing secure software is now critical to this evolving world.”
Mark Curphey
Director & Product Unit Manager, Microsoft
Founder of OWASP

Application a.k.a. Software a.k.a. System

• Abstracted business functionality
• Standalone or SaaS
• Conduits to data

Dude, where’s my data?

“Data will continue to be the primary motive behind future cyber crime - whether targeting traditional fixed computing or mobile applications. Data will drive cyber attacks for years to come. The data motive is woven through all emerging cybersecurity threats, whether botnets, malware, blended threats, mobile threats or cyber warfare attacks.”
Emerging Cyber Threats Report for 2009

Agar poolis ko mila tho? (What if the police get a hold of it?)

• Sachin: Hey Zara, lag gaya hai, lag gaya hai; Oot oot sab kuch chod kar bhag
  (Zara, we have been caught; get up, get up, leave everything and run)
• Sachin: Yeh kya kar raha hai thu?
  (What are you doing?)
• Zara: Data hai yis mai hi hai!
  (All the data are in these!)
• Zara: Agar poolis ko mila tho?
  (What if the police get a hold of it?)

DAD against CIA – Data issues

• Disclosure - Attack against Confidentiality
• Alteration - Attack against Integrity
• Destruction - Attack against Availability

Application vulnerabilities – Opening the door to Cybercrime

- Injection
- Script
- Overflow
- Disclosure
- Session
- Cryptographic

Source: OWASP Top 10 2007

What we need – First Steps - Holistic Security!

• People, Process and Technology
• Network, Hosts and Applications

Securing the Weak Link - People

• SecuriTRAINED
  – Aware
  – Trained
  – Educated
• Certified Secure Software Lifecycle Professional (CSSLP)
• It’s the People

Securing the Weak Link - Process

For the first time in India – 2 day CSSLP training at this conference. Don’t miss out!
“The CSSLP Training will cover each area in more depth.”
Source: (ISC)2 CSSLP Coursework

Process – Secure Design!

Process – Writing Secure Code

Secure the Weak Link - Technology

• Tools and Checklists caveat
• Validation & Verification (V&V)
• Certification & Accreditation (C&A)

Defense in Depth

Layered diagram: two Firewalls, a Web Server and a Database Server, with three security layers applied to each host.

Network Security
– Routers
– Firewalls
– Switches

Host Security
– Network
– Patches
– Accounts
– Ports
– Services
– Files / directories
– Registry
– Protocols
– Auditing / logging
– Shares

Software Security
– Input validation
– Session management
– Authentication
– Parameter manipulation
– Authorization
– Cryptography
– Sensitive data protection
– Exception management
– Configuration management
– Auditing / Logging

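The "Injection" category from the OWASP Top 10 2007 list earlier in the deck and the "Input validation" and "Parameter manipulation" controls in the Software Security layer above are easiest to see side by side in code. The Python example below is added here; it is not part of the deck or of any OWASP or (ISC)2 material. It builds a constructed in-memory SQLite table, runs the same untrusted input through a string-concatenated query and a parameterised one, and then puts an allow-list validation layer in front of the parameterised query so that each layer can be seen holding on its own. The table name, column names, sample rows and the username format are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for the "data" the deck calls the
# primary motive behind cybercrime. Values are invented for this example.
SAMPLE_ROWS = [
    ("alice", "alice@example.test", "1200.00"),
    ("bob", "bob@example.test", "87.50"),
    ("carol", "carol@example.test", "5310.10"),
]


def build_db():
    """Create an in-memory SQLite database with an assumed 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, email TEXT, balance TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Injection (OWASP Top 10 2007): the untrusted value is pasted into the
    SQL text, so the input can change the structure of the query."""
    sql = (
        "SELECT username, email, balance FROM accounts WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameter manipulation defence: the value travels as a bound parameter
    and is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, email, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed username format for the allow-list: lowercase letter, then 2-31
# lowercase letters, digits or underscores.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value):
    """Input validation layer: reject anything outside the allow-list before
    it reaches the data layer. Defence in depth means this check and the
    parameterisation below each hold even if the other is missing."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


def lookup_defended(conn, username):
    """Both layers together: validate first, then query with a bound parameter."""
    return lookup_parameterized(conn, validate_username(username))


def demo():
    """Run one hostile and one legitimate input through each variant and
    return the row counts, so the difference between the layers is visible."""
    conn = build_db()
    # Constructed hostile input: closes the quoted literal and appends a
    # condition that is always true.
    hostile = "nobody' OR '1'='1"
    results = {
        "vulnerable_rows": len(lookup_vulnerable(conn, hostile)),
        "parameterized_rows": len(lookup_parameterized(conn, hostile)),
    }
    try:
        lookup_defended(conn, hostile)
        results["validation_rejected"] = False
    except ValueError:
        results["validation_rejected"] = True
    results["legit_rows"] = len(lookup_defended(conn, "alice"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the concatenated query returning every row in the table for the hostile input, the parameterised query returning none, and the validation layer rejecting the input before a query is even built, while the legitimate lookup still returns exactly one row. The same pattern applies to any interpreter that receives untrusted text: keep data out of the code channel, and validate against what the application actually expects.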
Detained in Brazil/Brasil!

• Let me tell you what happened to me when I was returning to the USA from Brazil (as the Americans spell it) / Brasil (as the English spell it)

What Next?

• Security in the Skies
  – Cloud computing → S2aaS
• Virtualization
• Smart Grids
• Digital ants
• Cybersecure Applications
  – Reliable
  – Resilient
  – Recoverable
  – Software seatbelts

If history is any predictor of the future …

(Timeline graphic) 2008 2009 2010

Thank you!

Backup Slides

CSSLP™ - Certified Secure Software Lifecycle Professional

• (ISC)2 newest certification
• Base credential
• Professional certification program
• Caters to various stakeholders

• 7 Key Areas
  – Concepts
  – Requirements
  – Design
  – Implementation
  – Testing
  – Acceptance
  – Deployment, Operations, Maintenance and Disposal

Data Protection warrants Application Security!

• In transit
• In storage
• In archives

What Cybersecurity is Not?
