Introduction To Cyber Security - IIT Bombay

Transcription

Introduction to Cyber Security
G. Sivakumar
Computer Science and Engineering
Indian Institute of Technology Bombay (IIT Bombay)
siva@iitb.ac.in
- Setting the Stage (Some recent incidents)
- The Good (The Dream: AI meets Web 3.0 & SMAC IoT)
- The Bad (The Nightmare: Computer & Network Security)
- The Ugly? (Deception Technologies and Behaviour Analysis)

Compromising the Supply Chain
Are some countries more trustworthy than others?

Can this happen to you?

blackMail
Dear All,
There is a very ingenious blackmailing email circulating around asking for money in bitcoins. ... they all have a few similar features:
- They include a password that you probably have used
- Claim to have installed malware, and record video of you through your webcam.
- Threaten to reveal your adult website habits and send videos.
- Demand bitcoins.
Subject: 15xxxxxxx@iitb.ac.in is hacked
From: 15xxxxxxx@iitb.ac.in
Date: Thu, October 18, 2018 4:35 pm
Hello!
My nickname in DARKNET is derrik82. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.
So, your password from 15xxxxxxx@iitb.ac.in is xxxxxxxxx
Even if you changed the password after that - it does not matter, my virus.
I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!.
Send the above amount on my BTC wallet (bitcoin): 1EZS92K4xJbymDLwG4F7PNF5idPE62e9XY
Since reading this letter you have 48 hours!

Insider Attacks
CBI, Paytm, ...
[From https://en.wikipedia.org/wiki/Insider_threat]
A report published on the insider threat in the U.S. financial sector[6] gives some statistics on insider threat incidents:
- 80% of the malicious acts were committed at work during working hours;
- 81% of the perpetrators planned their actions beforehand;
- 33% of the perpetrators were described as “difficult” and 17% as being “disgruntled”.
- The insider was identified in 74% of cases.
- Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.

Partial Landscape (from CISO/CTO perspective)

Cyber Security Framework, NIST (April 2018)
CSWP/NIST.CSWP.04162018.pdf
Common taxonomy and mechanism for
- Describing current cybersecurity posture
- Target state for cybersecurity
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
- Assess progress
- Communicate with stakeholders about cybersecurity risk
Not one size fits all!
We will return to this framework at the end.

One Single Truth?
अन्ध-गज-न्यायः (the maxim of the blind men and the elephant)

Stone Age to Information Age
Homo Erectus, Homo Sapiens, Homo Deus [Yuval Noah Harari], 21 Lessons
Technology (Wikipedia Definition): Technology is the usage and knowledge of tools, techniques, crafts, systems or methods of organization in order to solve a problem or serve some purpose.
Zero, Wheel, Printing Press, Radio, Lasers, ...
Any sufficiently advanced technology is indistinguishable from magic. [Arthur C. Clarke]
- Why is Information Technology different? Transistor, VLSI, Microprocessor, ...
- Danger: Computers are coming! Taking away our jobs! Construction, Farming, Banking, Surgery, Composing music, Teaching! Be very scared!

Web 1.0, Web 2.0, Web 3.0
Web 1.0 [1990-2005] (Right to Information)
- Internet: Info anytime, anywhere, any form
- Like drinking water from a fire hose
- Search Engines to the rescue
Web 2.0 [2005-2015] (Right to Assembly)
- Social Networking (Twitter, Facebook, Kolaveri, Flash crowds)
- Producers, not only consumers (Wikipedia, blogs, ...)
- Proliferated unreliable, contradictory information?
- Facilitated malicious uses including loss of privacy, security.
Web 3.0 [current] (AI & ML meet Semantic Web)
- Intelligent Agents that “understand”
- What do you want when you get up and put on computer?
- I have a dream! (MLK)

Open Enterprises of the Future
What the Future Holds?
Modify a Google Calendar to allow a colleague to add a Faaso’s roll order to a meeting invite that can be picked up by Ola and delivered by a drone to a client’s office five minutes before the scheduled meeting starts.
What this needs?
- Multi-Party Services Orchestration
- Transparent Information Flow
- Transparent Event Flow
- Semantic Consistency
- Network and Protocol Adaptability
- End-to-End Security
- Business Management
In the Security context, this is securing M2M communications!

Artificial Intelligence & Machine Learning
- Can AI of computers match NS of humans?
- Old Joke: Out of sight, out of mind
- Consider chess, once the holy grail of AI. Does not play the human way at all! Mostly parallelized search in hardware (200 million positions/second!)
- December 2017: AlphaGo Zero used reinforcement learning to teach itself chess in 4 hours! Beat world’s best program Stockfish comprehensively!

Deep Patient
Are doctors practicing p
The machine was given no information about how the human body works or how diseases affect us. It found correlations that let it predict the onset of some diseases more accurately than ever, and some diseases, such as schizophrenia, for the first time at all. It does this by creating a vast network of weighted connections that is just too complex for us to understand.

3rd platform: SMAC IoT
- Main Frame (1960s ...)
- Client Server (1990s ...)
- Today (Handheld, Pervasive Computing)
[Diagram: 3rd Platform, made up of Social, Mobile, Analytics, Cloud, Internet of Things]

3rd platform: SMAC IoT
- What’s App (how many engineers?)
- Facebook, Twitter, Google Plus.
- Web 2.0 (Right to Assembly)
- Crowdsourcing (Wikipedia)
- Crowdfunding (no banks!)

3rd platform: SMAC IoT
- Phone (Smart, Not-so-smart!)
- Wearables! (Google glass, Haptic)
- Internet of “Me” (highly personalized)
- Business (no generic products!)
- BYOx: Device security, App/content management nightmare.
- Data Loss Prevention (Fortress Approach - Firewall, IDS/IPS won’t work!)

3rd platform: SMAC IoT
- Big Data
- Volume, Variety, Velocity, Veracity
- ACID properties Database not needed
- Hadoop, Map Reduce, NoSql
- Knowledge is Power!
- Collect, Analyse, Infer, Predict

3rd platform: SMAC IoT
- Moore’s law
- What could fit in a building ... room ... pocket ... blood cell!
- Containers Analogy from Shipping
- VMs separate OS from bare metal (at great cost: Hypervisor, OS image)
- Docker - separates apps from OS/infra using containers.
- Like IaaS, PaaS, SaaS
- Have you heard of CaaS?

3rd platform: SMAC IoT
- Sensors (Location, Temperature, Motion, Sound, Vibration, Pressure, Current, ...)
- Device Eco System (Smart Phones, Communicate with so many servers!)
- Business Use Cases (Ola Cabs, Home Depot, Philips Healthcare, ...)
- Ambient Services (Maps, Messaging, Traffic modelling and prediction, ...)
- Impact on wireless bandwidth, storage, analytics (velocity of BIG data, not size)

Internet’s Nightmare
Match the following!
Problems:
- Highly contagious viruses
- Defacing web pages
- Credit card number theft
- On-line scams
- Intellectual property theft
- Wiping out data
- Denial of service
- Spam E-mails
- Reading private files
- Surveillance
Attackers:
- Unintended blunders
- Disgruntled employees or customers
- Organized crime
- Foreign espionage agents
- Hackers driven by technical challenge
- Petty criminals
- Organized terror groups
- Information warfare.
Crackers vs. Hackers
Note how many resources are available to attackers.

Atlas.arbor.net


Real-time Intelligence - atlas.arbor.net

Who is scanning?

Who is hosting phishing sites?

Malicious Servers

Internet Attack Toolkits (YouTube)

Internet Attack Trends
From training material at http://www.cert-in.org.in/

What is a Computer Network?

So, what’s Internet?
- A bottom-up collection (interconnection) of networks
- TCP/IP is the only common factor
- Bureaucracy-free, reliable, cheap
- Decentralized, democratic, chaotic
Internet Society (www.isoc.org)

Packet Switching in Internet

Exchanging Secrets
Goal: A and B to agree on a secret number. But, C can listen to all their conversation.
Solution? A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.
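Why the LCM proposal gives C the key as well, shown as an added example that is not from the original slides. It goes beyond the slide by contrasting the proposal with a Diffie-Hellman exchange, a technique the slide does not name; the prime is a toy size chosen for readability, and the sample numbers and all function names are constructed for illustration.

```python
import math
import secrets
from functools import reduce

# Toy public parameters (assumption: chosen for readability, far too small for real use).
P = 2**127 - 1      # a Mersenne prime, published to everyone
G = 3               # public base

def lcm_key(numbers):
    """The slide's proposal: the key is the LCM of numbers sent in the clear."""
    return reduce(lambda a, b: a * b // math.gcd(a, b), numbers)

def lcm_scheme(wire_numbers):
    """A, B and eavesdropper C each compute the key from the same overheard numbers."""
    return {who: lcm_key(wire_numbers) for who in ("A", "B", "C")}

def dh_keypair():
    """The private exponent never leaves its owner; only the public value is sent."""
    private = secrets.randbelow(P - 3) + 2          # uniform in [2, P-2]
    return private, pow(G, private, P)

def dh_shared(own_private, peer_public):
    """Each side raises the peer's public value to its own private exponent."""
    return pow(peer_public, own_private, P)

def dh_scheme():
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Everything C can record from the wire: no private exponent is in here.
    overheard_by_c = {"p": P, "g": G, "A_pub": a_pub, "B_pub": b_pub}
    return {
        "key_A": dh_shared(a_priv, b_pub),
        "key_B": dh_shared(b_priv, a_pub),
        "overheard_by_c": overheard_by_c,
    }

if __name__ == "__main__":
    print("LCM scheme:", lcm_scheme([84, 90, 275]))   # constructed sample numbers
    result = dh_scheme()
    print("DH keys match:", result["key_A"] == result["key_B"])
```

An exchange like this defeats only a passive listener; without authentication of the two public values, an attacker who can alter messages in transit can still sit in the middle.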


Mutual Authentication
Goal: A and B to verify that both know the same secret number. No third party (intruder or umpire!)
Solution? A tells B: I’ll tell you first 2 digits, you tell me the last two.
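What the digit-swapping proposal leaks, next to a nonce-based challenge-response, as an added example that is not from the original slides. The HMAC construction, the role labels, the sample secret "4271" and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def naive_wire(secret_digits):
    """Slide's proposal: A sends the first 2 digits, B answers with the last 2."""
    return [secret_digits[:2], secret_digits[2:]]

def eavesdropper_recovers(wire):
    """A listener simply concatenates what it heard."""
    return "".join(wire)

def prove(key, role, nonce_a, nonce_b):
    """HMAC over both fresh nonces; the role label stops a proof being reflected back."""
    return hmac.new(key, role + b"|" + nonce_a + b"|" + nonce_b, hashlib.sha256).digest()

def mutual_auth(key_a, key_b, replayed_from_b=None):
    """One run between A (holding key_a) and a peer claiming to be B.

    replayed_from_b simulates an impostor who answers with a proof recorded
    from an earlier session instead of computing a fresh one.
    Returns (a_accepts, b_accepts, wire).
    """
    nonce_a = secrets.token_bytes(16)                      # A -> B
    nonce_b = secrets.token_bytes(16)                      # B -> A
    proof_b = replayed_from_b or prove(key_b, b"B", nonce_a, nonce_b)   # B -> A
    a_accepts = hmac.compare_digest(proof_b, prove(key_a, b"B", nonce_a, nonce_b))
    wire = [nonce_a, nonce_b, proof_b]
    b_accepts = False
    if a_accepts:                                          # A proves itself only to a verified peer
        proof_a = prove(key_a, b"A", nonce_a, nonce_b)     # A -> B
        wire.append(proof_a)
        b_accepts = hmac.compare_digest(proof_a, prove(key_b, b"A", nonce_a, nonce_b))
    return a_accepts, b_accepts, wire

def demo():
    shared = secrets.token_bytes(32)        # constructed high-entropy shared key
    ok = mutual_auth(shared, shared)
    wrong = mutual_auth(shared, secrets.token_bytes(32))
    replay = mutual_auth(shared, shared, replayed_from_b=ok[2][2])
    return {
        "naive_leak": eavesdropper_recovers(naive_wire("4271")),  # constructed secret
        "honest": ok[:2],
        "wrong_key": wrong[:2],
        "replay": replay[:2],
        "key_on_wire": shared in ok[2],
    }

if __name__ == "__main__":
    print(demo())
```

The challenge-response only holds up with a high-entropy key: a four-digit secret could be recovered offline by trying all 10,000 values against one recorded nonce pair and proof.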


Zero-Knowledge Proofs
Goal: A to prove to B that she knows how to solve the cube. Without actually revealing the solution!
Solution? A tells B: Close your eyes, let me solve it.


Cryptography and Data Security
- sine qua non [without this nothing :-]
- Historically who used first? (L & M)
- Code Language in joint families!

Vulnerabilities
- Application Security
  - Buggy code
  - Buffer Overflows
- Host Security
  - Server side (multi-user/application)
  - Client side (virus)
- Transmission Security

Security Requirements
Informal statements (formal is much harder)
- Confidentiality: Protection from disclosure to unauthorized persons
- Integrity: Assurance that information has not been modified without authorization.
- Authentication: Assurance of identity of originator of information.
- Non-Repudiation: Originator cannot deny sending the message.
- Availability: Not able to use system or communicate when desired.
- Anonymity/Pseudonymity: For applications like voting, instructor evaluation.
- Traffic Analysis: Should not even know who is communicating with whom. Why?
- Emerging Applications: Online Voting, Auctions (more later)
And all this with postcards (IP datagrams)!

Security Mechanisms
- System Security: “Nothing bad happens to my computers and equipment”
  - virus, trojan-horse, logic/time-bombs, ...
- Network Security:
  - Authentication Mechanisms: “you are who you say you are”
  - Access Control (Firewalls, Proxies): “who can do what”
- Data Security: “for your eyes only”
  - Encryption, Digests, Signatures, ...

Network Security Mechanism Layers

Threat-Defence Matrix
2 types of organizations: those who have been compromised and those who do not know that they have been compromised!
Threat | Defence | Example
Known | Known | Malware, DoS, SQL Injection ...
  - This is Hygiene, but what’s your score?
  - VA-PT, IS-Audit
Known | Unknown | Zero-Day, APT, ...
  - Risk Analysis and Mitigation
  - Sandbox (Evasion e.g. Macro on File-Close)
  - Threat Hunting (Has it happened to us?)
Unknown | Unknown | ? (Kill chain)
  - Recon
  - Lateral Shift
  - Exfiltration

Tackling the Known-Known
- Anti-Virus
- Firewall
- Patch Management
- IDS/IPS
- WAF
- ...

Tackling the Known-UnKnown (Threat Hunting)
Slide borrowed from CERT-IN workshop (July 2018)

Tackling the UnKnown-UnKnown
Deception Technologies
- Decoys
  - Fake servers/services (ATM, Swift, ...)
  - Must blend and adapt (not stale) ...
- Lures
  - Vulnerable Ports/Services
  - Mis-configuration
- Breadcrumbs
  - Mis-direction
  - File with credentials/mis-direction

Tackling the UnKnown-UnKnown
User and Endpoint Behaviour Analysis
- Try saying I love you 10 times everyday to your spouse!
- All antennas will go up!
- All defence mechanisms will be strengthened.
AI/Machine Learning to the rescue.
- Behaviour profiling (Baseline)
- Watch for anomalies
- Correlate with threats
- Reduce false positives
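The baseline, anomaly and correlation steps listed above, combined with the breadcrumb idea from the deception slide, as an added example that is not from the original slides. The user names, traffic figures, z-score threshold and alert levels are all constructed assumptions.

```python
import statistics

# Constructed sample data: outbound MB per day for each user (7-day baseline).
BASELINE = {
    "asha":  [120, 135, 110, 128, 140, 125, 131],
    "ravi":  [900, 1100, 950, 1020, 980, 1050, 1000],
    "meera": [40, 55, 38, 47, 52, 44, 50],
    "kiran": [200, 210, 190, 205, 195, 200, 207],
}
TODAY = {"asha": 610, "ravi": 1150, "meera": 400, "kiran": 204, "nisha": 15}
# Constructed: accounts seen opening a breadcrumb file of decoy credentials.
DECOY_HITS = {"meera", "kiran"}

def static_rule(today, limit_mb=500):
    """One fixed threshold for everyone, for comparison with the baseline approach."""
    return sorted(u for u, mb in today.items() if mb > limit_mb)

def profile(history):
    """Behaviour profiling: per-user mean and sample standard deviation."""
    return {u: (statistics.mean(v), statistics.stdev(v)) for u, v in history.items()}

def zscore(value, mean, stdev):
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev

def triage(baseline, today, decoy_hits, z_threshold=3.0):
    """Return {user: level} for the users that need attention."""
    prof = profile(baseline)
    alerts = {}
    for user, mb in today.items():
        decoy = user in decoy_hits
        if user not in prof:
            alerts[user] = "high" if decoy else "no-baseline"
            continue
        anomalous = zscore(mb, *prof[user]) > z_threshold
        if anomalous and decoy:
            alerts[user] = "critical"   # anomaly corroborated by a deception signal
        elif decoy:
            alerts[user] = "high"       # nobody has a legitimate reason to touch a decoy
        elif anomalous:
            alerts[user] = "low"        # uncorroborated: queue for review, do not page
    return alerts

if __name__ == "__main__":
    print("static rule :", static_rule(TODAY))
    print("baseline    :", triage(BASELINE, TODAY, DECOY_HITS))
```

On this data the fixed 500 MB rule flags ravi, whose traffic is normal for him, and misses meera, whose 400 MB is roughly eight times her usual volume; the per-user baseline gets both right.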

What next?
चिन्तनीया हि विपदां आदावेव प्रतिक्रिया ।
न कूपखननं युक्तं प्रदीप्ते वह्निना गृहे ॥
The effect of disasters should be thought of beforehand. It is not appropriate to start digging a well when the house is ablaze with fire.
आचार्यात् पादमादत्ते पादं शिष्यः स्वमेधया ।
सब्रह्मचारिभ्यः पादं पादं कालक्रमेण च ॥
One fourth from the teacher, one fourth from own intelligence, one fourth from classmates, and one fourth only with time.
