DESCRIPTION
Presentation by Evert Smith at the University of Pretoria to the honors class of 2008. The presentation begins by naming the different domains of security and an explanation of C.I.A. A graphical illustration of how attack sophistication vs intruder knowledge has changed between 1990 and 2004 is given. The presentation ends with an explanation of what the security theater is and a few interesting IT security news.
THE THEATER WE CALL SECURITY
…. we come in
Presented by Evert Smith, 21 July 2008
Introduction
• Introduction
• Domains of Security
• C.I.A
• Cause and Effect
• Entropy
• Security Theater
• Newsbytes
INTRODUCTION
Background
• The breakdown – what is IS? The light
• What does it take? The Fu
  - the person
  - the skill
Who I am
• Univ van Pta
• SACS, SPI, PwC, SensePost
Background: the domains of security
• Security Management Practices
• Security Architecture and Models
• Preventive Maintenance
• Application Development Security
• Operations Security
• Physical Security
• Cryptography
• Telecommunications, Network, and Internet Security
• Business Continuity Planning
• Law, Investigations, and Ethics
Security is about C.I.A
• Risk drives infosec
• Decisions & importance decided by the C.I.A factor
• Examples of C.I.A
  - Email interception
  - Cheque fraud
  - Messy computer room
Confidentiality, Integrity, Availability
Recent SA example?
Why do we have issues? (I’ve been using this for years – cuz it hasn’t changed)
• Technology becoming more complex → SLOC
• The Internet not designed to be safe → Redundancy
• Socio-economic changes → Social networks
• Rushed, Like Whatever → Time is money
* C++

    #include <iostream>
    int main() { std::cout << "Hello World!\n"; }

* C++ | C++/CLI

    int main() { System::Console::WriteLine("Hello World!"); }

* Assembly (TASM, Ideal mode, DOS)

    IDEAL
    MODEL SMALL
    STACK 100h
    DATASEG
    HW DB "hello, world", 13, 10, '$'
    CODESEG
    Begin:
        MOV AX, @data          ; point DS at the data segment
        MOV DS, AX
        MOV DX, OFFSET HW      ; DS:DX -> '$'-terminated string
        MOV AH, 09H            ; DOS: print string
        INT 21H
        MOV AX, 4C00H          ; DOS: terminate with exit code 0
        INT 21H
    END Begin

* awk

    BEGIN { print "Hello World!" }

* Windows API (in Borland Pascal)

    program Hello;
    uses WinTypes, WinProcs;
    const
      szClassName = 'PASCLASS32';

    { Window procedure: paints the greeting and handles shutdown }
    function WndProc(Window: HWnd; Message, WParam: Word;
                     LParam: Longint): Longint; export;
    var
      LPPaint: TPaintStruct;
      TheDC: HDC;
    begin
      WndProc := 0;
      case Message of
        wm_Destroy:
          begin
            PostQuitMessage(0);
            Exit;
          end;
        wm_Paint:
          begin
            TheDC := BeginPaint(Window, LPPaint);
            TextOut(TheDC, 5, 5, 'hello, world', 12);
            { EndPaint was missing on the slide; every BeginPaint needs one }
            EndPaint(Window, LPPaint);
            Exit;
          end;
      end;
      WndProc := DefWindowProc(Window, Message, WParam, LParam);
    end;

    procedure WinMain;
    var
      Window: HWnd;
      Message: TMsg;
    const
      WindowClass: TWndClass = (
        style: 0;
        lpfnWndProc: @WndProc;
        cbClsExtra: 0;
        cbWndExtra: 0;
        hInstance: 0;
        hIcon: 0;
        hCursor: 0;
        hbrBackground: 0;
        lpszMenuName: szClassName;
        lpszClassName: szClassName);
    begin
      { Register the window class only in the first instance }
      if HPrevInst = 0 then
      begin
        WindowClass.hInstance := HInstance;
        WindowClass.hIcon := LoadIcon(0, idi_Application);
        WindowClass.hCursor := LoadCursor(0, idc_Arrow);
        WindowClass.hbrBackground := GetStockObject(white_Brush);
        if not RegisterClass(WindowClass) then
          Halt(255);
      end;
      Window := CreateWindow(szClassName, 'Win32 Pascal Program',
        ws_OverlappedWindow, cw_UseDefault, cw_UseDefault,
        cw_UseDefault, cw_UseDefault, 0, 0, HInstance, nil);
      ShowWindow(Window, CmdShow);
      UpdateWindow(Window);
      { Standard message loop }
      while GetMessage(Message, 0, 0, 0) do
      begin
        TranslateMessage(Message);
        DispatchMessage(Message);
      end;
      Halt(Message.wParam);
    end;

    begin
      WinMain;
    end.
Entropy:
• Viruses
• Patches
• Spam
• Phishing / Pharming
• Hoaxes
• Apathy
• Malware / Spyware
• Hackers
Are you contributing?
Who is credited as being the father of the Internet? Arpanet, Vint Cerf, Bob Kahn et al. (1975 TCP/IP)
Who invented the mouse? Douglas Engelbart (1964)
Who invented e-mail? Ray Tomlinson (1971)
Who invented the WWW? Tim Berners-Lee (1988)
Security Theater
• Your desk – good defence against nucular attacks
• Airports in the US, i.e. liquid ban, profiling, gun-shirts
• Shopping malls, intensely in your face, i.e. bag checks, guards in general
• Personal computer security – it’s a joke
Security theater consists of security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security.
Who says nucular?
Security Theater – the human touch
• Security design is about psychology – ignored and exploited
• The pig vs Security
Those who desire to give up freedom in order to gain security, will not have, nor do they deserve, either one.
• Unpatched Windows PCs "Own3d" In Less Than Four Minutes (or Maybe 16 Hours)
• Spammer Gets 30 Months for Inundating AOL
• Charges Against New Zealand Botmaster Dropped
• Rogue Employee Locks San Francisco's Network
• Review site furious over McAfee SiteAdvisor 'false alert'
• Facebook Bug Exposes Members' Data
    #!/bin/bash
    # Function to prompt questions from audience and appear to look intelligent
    audience_bored=0
    while [ "$audience_bored" -lt 1 ]; do
        echo "verbose answering of questions"
        sleep 1          # like forever
        audience_bored=1 # eventually they are
    done
    echo "That's All Folks. Thanks for Listening."
….this is where
evert@sensepost.com
“It’s a pity you have to pay for awesomeness”