© 2014 All Rights Reserved
1
@codenomicon
Mohit Rampal
CYBER AS WMD
2
• Indian power companies want ban on Chinese equipment on security
fears
• Power transmission infrastructure in the country’s 18 major cities could
be potentially hacked leading to national security threats and major
disruption of power if the concerns of a prominent trade body are to be
believed.
• These cities are spread across Rajasthan, Madhya Pradesh and Tamil
Nadu and they are currently implementing smart grid projects. They
could be exposing themselves to the threat of monitoring systems
deployed by foreign firms, it is being feared.
2015 NEWS
3
• Cisco CEO John Chambers has warned that 2015 will be a worse year for
hack attacks on businesses in a world where an increasing number of
devices are connected to the internet.
• “The average attack, you get 90 percent of the data you want in like nine
hours, and yet most of the companies don't find out for three to four
months,” he said. The warning comes after a year of high-profile
cyber-security breaches that were a disaster for many businesses.
• Investment bank JPMorgan was hit with two attacks last year, while a
number of flaws in internet security and mobile software were found.
2015 NEWS
4
Today’s world is filled with complexity
New threats are waiting for cracks to appear
See the cracks
Know the threats
Build a more resilient world
LANDSCAPE TODAY
5
HEARTBLEED, SHELLSHOCK, POODLE
Year 2014:
…
…
6
INDIA PERSPECTIVE
• Lack of Cyber Security Professionals
• Cyber Security is more reactive than proactive
• Spending on creating COEs is missing
• Highly Vulnerable Verticals :
• Power & Utilities
• Internal Security
• Financial Organizations
• Telecom
• Defense & Paramilitary Forces
• Manufacturing
• Smart Cities
7
THE KNOWN AND THE UNKNOWN
[Diagram labels:]
• Known Vulnerability Management
• Unknown Vulnerability Management (UVM)
• Total Vulnerability Management
• SAST Approach (whitebox testing), 1980-: PC Lint, OSS, Coverity, Fortify, IBM, Microsoft ...
• DAST Approach (blackbox testing), 2000-: Fuzzing: Codenomicon Defensics, Peach, Sulley
• 1995-2000: Satan/Saint
• 1999-: Nessus, ISS
• 2000-: Qualys, HP, IBM, Symantec ...
• 2013: Codenomicon AppCheck
• Reactive / Proactive
Bottom line: All systems have vulnerabilities.
- Both complementary categories need to be covered.
8
WHY ATTACK
• Gain access to control and compromise a smart network
• A terrorist may want to damage chemical plant processes, oil and gas
pipelines, power generation and transmission equipment, or
contaminate the water supply, etc.
• Someone might set up an attack for (industrial) espionage
purposes or to generate “false” information
• Enemy countries, so as to be able to cripple infrastructure, which
affects the economy
9
CYBER AS A WMD
• How does it work?
• State Sponsored Cyber Terrorists acquire devices / applications
• Use Fuzzing tools to find vulnerabilities both Known and Unknown
• Use Known vulnerabilities to create diversion attacks
• Exploit the Unknown Vulnerability by writing malware around it
• Use tools to monitor end points which are unsecured
• Explore vulnerable End points etc. for creating Botnets and insert the
unknown vulnerability
• These Unknown attacks go undiscovered as perimeter security cannot
detect them
10
CYBER AS A WMD
• How does it work?
• Compromise the Power Network – denial of service or unavailability of
power to critical networks etc.
• Compromise the Telecom Network
• Contaminate the Water Supply
• Unavailability of Banking Networks and Stock Market
• Transport system collapse
• Collapse of Defense Machinery and equipment
11
CYBER AS A WMD- WHAT CAN BE COMPROMISED
12
CYBER AS A WMD- WHAT CAN BE COMPROMISED
13
CYBER AS A WMD- WHAT CAN BE COMPROMISED
[Diagram labels: Smart City; Telecom; Utilities; Public Services; Building; Transport]
14
CYBER AS A WMD- WHAT CAN BE COMPROMISED
15
INTERNET OF THINGS = FUTURE CHALLENGE FOR SECURITY TESTING
[Chart, source: Ericsson. Time axis 1875 to 2025; series PLACES, PEOPLE and THINGS; levels marked ~0.5 B, 5.0 B and 50 B; inflection points labelled Global Connectivity, Personal Mobile, Digital Society, Sustainable World.]
16
CYBER AS A WMD - OUTCOME
• Nation in a state of disaster, resulting in inflation and
unavailability of all resources, leading indirectly to death,
with no discovery of where the attack came from
• NEWS 2015 – India-Bangladesh World Cup MATCH
BANGLADESHI HACKERS WERE TRYING TO ATTACK NSE
17
HOW IS IT “SECURITY” COMPROMISED?
• Confidentiality: A zero-day attack is used to compromise a specific
computer program, which often crashes as a result… Hacker can spawn new
processes
• Integrity: Hacker-controlled processes can now change anything in the system
• Availability: Hacker-controlled processes can now eavesdrop on all data and communications
18
CYBER THREATS : MORE PROFESSIONAL &
SOPHISTICATED
• Cyber Attacks: Internet-based incidents involving politically or
financially motivated attacks on information and information
systems.
• Zero-day Vulnerabilities, Or Unknown Vulnerabilities: Software
flaws that make exploitation and other illegal activities towards
information systems possible
• Proactive Cyber Defense: acting in anticipation to oppose an
attack against computers and networks.
19
CYBER AS A WMD – RISK MITIGATION
• Being Proactive rather than reactive
• Having a security process in place
• Processes for known and unknown vulnerability management & security
testing before deployment
• Understanding code decay and its impact
• Real time monitoring and analysis of data to be proactive
• Identifying unknown vulnerabilities and drawing a map towards
remediation
• Secure the Supply Chain to ensure “WE KNOW WHAT WE BUY”
• Using tools to automate the process to ensure no human bypass occurs
• Securing all devices from Known and Unknown Vulnerabilities by
proactive security testing
20
BUT I WAS TOLD/PROMISED/CERTIFIED/ … THAT I AM SECURE!
Did you actually test and validate that you are?
Or were you just happy that, because it is certified, you are safe?
We call this faith-based security
21
ABOUT CODENOMICON
• Started as a Research Project in 1996 & Commercially started
operations in 2001
• Global Offices in Finland, Germany, US, Singapore, India
• DEFENSICS™ security test platform
• CLARIFIED™ advanced cyber security monitoring solution
• Market segments
• Carrier, Defense, Government, networking equipment, software developers
• Any customer concerned about security of protocols deployed in
products, services or internal IT infrastructure
22
SAMPLE CUSTOMER LIST
23
Few selected Asia-Pacific reference customers:
Bharat Electronics
24
Strength in visibility
25
THANK YOU! QUESTIONS?
MOHIT RAMPAL : MOHIT@CODENOMICON.COM

Cyber as WMD- April 2015- GFSU

  • 1. © 2014 All Rights Reserved 1 @codenomicon Mohit Rampal CYBER AS WMD
  • 2. © 2014 All Rights Reserved 2 • Indian power companies want ban on Chinese equipment on security fears • Power transmission infrastructure in the country’s 18 major cities could be potentially hacked leading to national security threats and major disruption of power if the concerns of a prominent trade body are to be believed. • These cities are spread across Rajasthan, Madhya Pradesh and Tamil Nadu and they are currently implementing smart grid projects. They could be exposing themselves to the threat of monitoring systems deployed by foreign firms, it is being feared. 2015 NEWS
  • 3. © 2014 All Rights Reserved 3 • Cisco CEO John Chambers has warned that 2015 will be a worse year for hack attacks on businesses in a world where an increasing number of devices are connected to the internet. • “The average attack, you get 90 percent of the data you want in like nine hours, and yet most of the companies don't find out for three to four months," he said. The warning comes after a year of high-profile cyber- security breaches that were a disaster for many businesses. • Investment bank JPMorgan was hit with two attacks last year, while a number of flaws in internet security and mobile software were found. 2015 NEWS
  • 4. © 2014 All Rights Reserved 4 Today’s world is filled with complexity New threats are waiting for cracks to appear See the cracks Know the threats Build a more resilient world LANDSCAPE TODAY
  • 5. © 2014 All Rights Reserved 5 HEARTBLEED, SHELLSHOCK, POODLE Year 2014: … …
  • 6. INDIA PERSPECTIVE
      • Lack of Cyber Security Professionals
      • Cyber Security is more reactive than proactive
      • Spending on creating COEs missing
      • Highly Vulnerable Verticals:
          • Power & Utilities
          • Internal Security
          • Financial Organizations
          • Telecom
          • Defense & Paramilitary Forces
          • Manufacturing
          • Smart Cities
  • 7. THE KNOWN AND THE UNKNOWN
      [Diagram: Total Vulnerability Management, on a Reactive / Proactive axis]
      • Known Vulnerability Management
          • 1995-2000 Satan/Saint
          • 1999- Nessus, ISS
          • 2000- Qualys, HP, IBM, Symantec ...
          • 2013: Codenomicon AppCheck
      • Unknown Vulnerability Management (UVM)
          • SAST Approach (whitebox testing): 1980- PC Lint, OSS, Coverity, Fortify, IBM, Microsoft ...
          • DAST Approach (blackbox testing): 2000- Fuzzing: Codenomicon Defensics, Peach, Sulley
      Bottom line: All systems have vulnerabilities. Both complementary categories need to be covered.
  • 8. WHY ATTACK
      • Gain access to control and compromise the smart network
      • A terrorist may want to damage chemical plant processes, oil and gas pipelines, power generation and transmission equipment, or contaminate the water supply, etc.
      • Someone might set up an attack for espionage (industrial) purposes or to generate “false” information
      • Enemy countries, so as to be able to cripple infrastructure, which affects the economy
  • 9. CYBER AS A WMD
      • How does it work?
          • State-sponsored cyber terrorists acquire devices / applications
          • Use fuzzing tools to find vulnerabilities, both known and unknown
          • Use known vulnerabilities to create diversion attacks
          • Exploit the unknown vulnerability by writing malware around it
          • Use tools to monitor end points which are unsecured
          • Explore vulnerable end points etc. for creating botnets and insert the unknown vulnerability
          • These unknown attacks go undiscovered, as perimeter security cannot detect them
  • 10. CYBER AS A WMD
      • How does it work?
          • Compromise the Power Network – denial of service or unavailability of power to critical networks etc.
          • Compromise the Telecom Network
          • Contaminate the Water Supply
          • Unavailability of Banking Networks and Stock Market
          • Transport system collapse
          • Collapse of Defense Machinery and equipment
  • 11. CYBER AS A WMD- WHAT CAN BE COMPROMISED
  • 12. CYBER AS A WMD- WHAT CAN BE COMPROMISED
  • 13. CYBER AS A WMD- WHAT CAN BE COMPROMISED
      [Diagram: Smart City, with Telecom, Utilities, Public Services, Building, Transport]
  • 14. CYBER AS A WMD- WHAT CAN BE COMPROMISED
  • 15. INTERNET OF THINGS = FUTURE CHALLENGE FOR SECURITY TESTING
      [Figure: timeline from 1875 to 2025 of connected PLACES, PEOPLE and THINGS (scale marks ~0.5 B, 5.0 B, 50 B); inflection points: Global Connectivity, Personal Mobile, Digital Society, Sustainable World. Source: Ericsson]
  • 16. CYBER AS A WMD - OUTCOME
      • Nation in a state of disaster, resulting in inflation and unavailability of all resources, leading indirectly to death, with no discovery of where the attack came from
      • NEWS 2015 – India-Bangladesh World Cup match: Bangladeshi hackers were trying to attack NSE
  • 17. HOW IS IT “SECURITY” COMPROMISED?
      • Confidentiality: A zero day attack is used to compromise a specific computer program, which often crashes as a result… Hacker can spawn new processes
      • Integrity: Hacker controlled processes can now change anything in the system
      • Availability: Hacker controlled processes can now eavesdrop on all data and communications
  • 18. CYBER THREATS: MORE PROFESSIONAL & SOPHISTICATED
      • Cyber attacks: Internet-based incidents involving politically or financially motivated attacks on information and information systems.
      • Zero-day vulnerabilities, or unknown vulnerabilities: Software flaws that make exploitation and other illegal activities towards information systems possible.
      • Proactive cyber defense: Acting in anticipation to oppose an attack against computers and networks.
  • 19. CYBER AS A WMD – RISK MITIGATION
      • Being proactive rather than reactive
      • Having a security process in place
      • Processes for known and unknown vulnerability management & security testing before deployment
      • Understanding code decay and its impact
      • Real-time monitoring and analysis of data to be proactive
      • Identifying unknown vulnerabilities and drawing a map towards remediation
      • Secure the supply chain to ensure “WE KNOW WHAT WE BUY”
      • Using tools to automate the process to ensure no human bypass is done
      • Security of all devices by proactive security testing for known and unknown vulnerabilities
  • 20. BUT I WAS TOLD/PROMISED/CERTIFIED/ … THAT I AM SECURE!
      Did you actually test and validate that you are? Or were you just happy that, because it is certified, you are safe?
      We call this faith-based security
  • 21. ABOUT CODENOMICON
      • Started as a Research Project in 1996 & Commercially started operations in 2001
      • Global Offices in Finland, Germany, US, Singapore, India
      • DEFENSICS™ security test platform
      • CLARIFIED™ advanced cyber security monitoring solution
      • Market segments
          • Carrier, Defense, Government, networking equipment, software developers
          • Any customer concerned about security of protocols deployed in products, services or internal IT infrastructure
  • 22. SAMPLE CUSTOMER LIST
  • 23. Few selected Asia-Pacific reference customers: Bharat Electronics
  • 24. Strength in visibility
  • 25. THANK YOU! QUESTIONS?
      MOHIT RAMPAL: MOHIT@CODENOMICON.COM