Cyber War ( World War 3 )


Transcript of Cyber War ( World War 3 )

Page 1: Cyber War ( World War 3 )

World War 3

Page 2: Cyber War ( World War 3 )

Quote

Human has to learn only one thing from history: that they have not learnt anything from history.

Page 3: Cyber War ( World War 3 )

World Wars

• History says mankind fights for new space
• Warfare & strategy change
• France was defeated in 6 weeks even though a 6 Bn franc defence was set up before WW2 after WW1 learning
• The only unchanged and deciding factor in war is the “Human”, still not replaceable

WW1

Weapons
• Machine gun
• Poison gas
• Submarine
• Airplane
• Tank

Strategy
• Fought from trenches
• Supported by army
• Static with little mobility

WW2

Weapons
• All of WW1
• Paratrooper
• Nuclear bomb
• Missiles
• Advanced sub / jet planes / radar
• Encrypted communication

Strategy
• Blitzkrieg
• Propaganda
• Kamikaze

Page 4: Cyber War ( World War 3 )

WW3 is Cyber War

• The fight for new “space” is now for “cyber space”
• Warfare has changed to “Information Technology”
• Strategy and weapons change with time; we can't rely on old methods
• CW involves countries, government agencies and extremely skilled people, all fighting remotely, unseen by victims
• Intentions: destroy e-space, financial gains, e-terrorism, e-ransom, brand destruction, shaking people's confidence

Remember: strategy and a skilled army together “win” in the history of manpower

Page 5: Cyber War ( World War 3 )

Cyber War Scene

• Battle field: Cyber space
• Goals to win: Political and financial - crime + sabotage + espionage + intellectual property
• Warfare: Intelligent unseen snipers using e-tools
• Army: 60 Mn command and control centres. 67% are known CnCC, 204 countries involved
• Research: 51 countries have cyber research espionage labs
• Internal threats: Lots of insider trading and hedging in financial markets
• No zero-day defence by companies, and new attacks are made with newly written, non-repeated malicious scripts
• Enemies: No one knows; almost everyone on the internet is suspected. Even your own government is watching and tracking all activity
• Allies: Can't trust any country or human being
• Defence is not knowing Offence strategy and strength

Page 6: Cyber War ( World War 3 )

Offence Evolution

1990: Virus & Worms
• Examples: Melissa, Code Red
• Objective: IT disruption, user machine damage
• Threats: Network based

2000: Malware for financial gain
• Examples: Mydoom, Bagle, DM5v
• Objective: Hacker financial gain
• Threats: E-mail, application based

2007: APT - Advanced Persistent Threats
• Examples: Zeus, Aurora, Conficker
• Objective: Focus company / agency
• Threats: Social engineering based

2010: Key and certificate based attacks
• Examples: SpyEye, Duqu, DigiNotar, Comodo, Bit9
• Objective: Exploit mass users
• Threats: Application based

2012: State backed hacks
• Examples: Stuxnet, Sony, Iran nuclear, extremist linked
• Objective: Government backed
• Threats: Politically motivated

Page 7: Cyber War ( World War 3 )

Consumerization, social, mobile, cloud, big data and IoT are all contributing an increased risk of security and data breaches

“With continuing trends in cloud, consumerization, mobility and the "next big thing", the way IT is delivered is changing. Each brings new threats and breaks old security processes.”–Gartner

“Information security must evolve from just an IT project to the core of critical business decisions. You must protect enterprise data from compromise and drive innovation at the same time.” –Gartner

“Increasing use of cloud-based services, user mobility and multiple devices is adding complexity to security, particularly identity management requirements.” –Ovum

New age technology brings new security challenges, and we need to devise a new defence strategy

New fronts of attacks pouring in

Page 8: Cyber War ( World War 3 )

Case study - Sony

Timing: 24.11.14, planned for the past one year
What was compromised: 100 TB of data, unreleased movies, confidential communications and reports. Wiper malware installed to delete rest of data, salary data
Culprits: GOP (Guardian of Peace), North Korea backed hackers (Really??)
Motive: Prevent release of the film “Interview” on North Korea leader
Other damages: Network was down for days, employees were asked not to attend office, hackers posted 4 unreleased movies, legal proceedings against hackers, hiring of security agencies for damage control, controversies etc.

When: April, 2011
What was compromised: Personal information of millions of customers, including their names, email addresses, dates of birth and account passwords
Culprits: Hackers
Motive: Financial gain, $171 Mn loss to Sony
Aftermath: Breach of UK Data Protection Act and penalty of GBP 250K, shaken customer confidence

Page 9: Cyber War ( World War 3 )

Case study

Target Corporation (Retail Company)
When: November - December, 2013
What was compromised: Credit cards of 40 million customers and 70 million other details
Motive: Financial gain
How: Target was using the BMC Remedy Performance Management tool. One user “BEST_USER” with Admin right and password “BACKUPU$R” was compromised. Hackers took away data through the Internet.
Impact: Sales down just before Christmas, CISO resigned, 3 other retailers were attacked using a similar technique

IRAN NUCLEAR FACILITY
What was compromised: Centrifuge pumps in Iranian nuclear secret facility
Motive: Political
How: One USB doped with “STUXNET” was dropped at the facility. It was highly sophisticated malware made by a super skilled team backed by some nations. It spread and infected PLCs in the plant and made all machines malfunction. Currently many modified versions of STUXNET are available on the Internet.

Page 10: Cyber War ( World War 3 )

Stats - Analysis

• About Defence in depth is just not enough
• Hacking seen in spite of lots of traditional tools
• Analysis by Human is inevitable
• Continuous improvement in skills and tools is imperative to win
• Complete information security life cycle protection required

Page 11: Cyber War ( World War 3 )

Why you should worry about CW

• Brand value at stake
• Company is a potential target due to high business visibility
• Reputed brand for a country attracts enemy governments
• Loss to the company can cause economic damage to the country
• Can attract lots of attention if hacked
• Huge financial gain to attackers
• Can shake client and investor confidence

Page 12: Cyber War ( World War 3 )

Current Defence

• Most companies are putting in complicated defence in depth - proxy, gateways, DLP etc.
• China 3 PLA and Russia RBN easily breached defence in depth
• Offence and defence are completely dislocated
• Focus is on tools implementation
• Signature based, 25 years old defence model
• Human intelligence is not fully used
• Attack mentality not understood to strategize

Page 13: Cyber War ( World War 3 )

How to win the CW3

• Threat modelling
• Continuous upgrade of security strategy
• Align with business
• Are we sufficiently resourceful to defend?
• Defend after studying the hacker mindset
• Relook at dashboard
• Automate security and operation activities to reduce human errors
• Analyze every possible pattern to catch suspects

Page 14: Cyber War ( World War 3 )

Sameer Paradia (CGEIT, CISM, CISSP)
Practicing IT Security Services and Outsourcing for past 22+ years

Photo acknowledgment:
https://www.flickr.com/photos/babalas_shipyards/5339531237/in/photostream/

http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/

Page 15: Cyber War ( World War 3 )

Thank you so much!!