Technical Security Summit 2018 in Frankfurt - Monday

in #security, 6 years ago (edited)

This week I am allowed to join a training session about IT security in Frankfurt, Germany.
Here are the notes and thoughts that I got during the sessions:

We have come to stay

Malware has come to stay. We have to accept it. Malware has been proven as a working weapon in Kosovo, Iran and Syria, where it has destroyed the functionality of the air force and factories.

The NSA has put great pressure on the biggest companies in the USA to install a backdoor in their tools.

Mirai

Mirai is a botnet that uses IoT devices (webcams, toasters, sensors, …) to carry out denial-of-service attacks.
It scans for IoT devices and finds a lot of old and insecure victims. It logs in via Telnet and very often finds security holes in this cheap hardware. It then contacts command-and-control servers. When these servers decide to attack a platform, all infected IoT devices open a connection to that platform, which creates massive traffic.

Innovation or fully secure

The Indian company Jio (which means "live" (or "oil" if you read it in the mirror)) has been built from scratch in a few years. Security was a big part of it from the beginning. They got 100 million users in a short time. They have had no big security incidents in that time.
The media don't report fairly on security. They only point at companies when they have been hacked. It is only viewed from one side.
Karsten Nohl

We will never be able to create 100% security, and it would be a failure if we tried to.
There is an example with our children. If we kept them away from every danger, we would not let them out of our houses. That doesn't work. It is always also a matter of trust.

Passwords are an old and outdated solution. They are from the 1980s, but are integrated into Windows, Kerberos and Active Directory. You cannot get rid of them when you use this software.
Passwords can be hacked very easily by social engineering. Every 10th try is successful.

A car has been taken over from a smartphone. First the brakes were deactivated, and after that the wheel.

Emotet

Emotet is a very dangerous, clever and invisible worm.
You can get infected by clicking on a link in a mail, downloading a Word document and executing the macro.
It is also enough if one person in your local network does it, because this worm scans the local network for security holes in the SMB service.
This worm steals and cracks passwords from browsers and sends them to the command-and-control (C2) servers. Emotet can download any malware that the C2 server wants to install. It has been used as a banking trojan.
It often changes its form, and the data it sends is encrypted, so it often cannot be seen by a virus scanner.

Quantum Technology and Information Security

The NSA says that RSA security (a lot of technologies, e.g. blockchain, are based on it) will not be secure in the future. As soon as quantum computers are working, RSA-encrypted data can be hacked.
(The thing is, no one knows if and when this will happen.)
Symmetric encryption will probably be secure in the future, asymmetric will not. (It still depends on the length of the keys.)
We need to install new crypto technologies.
We also need exchangeable crypto-algorithm modules.
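
To make the point about exchangeable crypto-algorithm modules concrete, here is an added example (not from the talk or from the BSI): every protected message carries an algorithm ID, and a policy object decides which IDs are still accepted, so an algorithm can be introduced, migrated to and retired without changing the callers. The registry IDs, the class and the function names are assumptions made for this sketch, and HMAC-SHA256 / HMAC-SHA3-256 stand in for whatever algorithms are being swapped.

```python
import hashlib
import hmac

# Registry of interchangeable MAC "modules". The IDs and names are constructed
# for this example; each entry maps an algorithm ID to a tagging function.
ALGORITHMS = {
    1: lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    2: lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}
TAG_LEN = 32  # both registered algorithms produce 32-byte tags


class CryptoPolicy:
    """Which algorithm new data gets, and which ones are still accepted."""

    def __init__(self, default_alg, accepted):
        if default_alg not in accepted or not set(accepted) <= set(ALGORITHMS):
            raise ValueError("policy references an unknown or unaccepted algorithm")
        self.default_alg = default_alg
        self.accepted = frozenset(accepted)


def protect(policy, key, message):
    """Return envelope: 1-byte algorithm ID || tag || message."""
    alg = policy.default_alg
    # The ID byte is included in the MAC input so it cannot be swapped.
    tag = ALGORITHMS[alg](key, bytes([alg]) + message)
    return bytes([alg]) + tag + message


def verify(policy, key, envelope):
    """Return the message if the tag is valid under an accepted algorithm."""
    if len(envelope) < 1 + TAG_LEN:
        raise ValueError("envelope too short")
    alg, tag, message = envelope[0], envelope[1:1 + TAG_LEN], envelope[1 + TAG_LEN:]
    if alg not in policy.accepted:
        raise ValueError(f"algorithm {alg} is not accepted by policy")
    expected = ALGORITHMS[alg](key, bytes([alg]) + message)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return message


def migrate(old_policy, new_policy, key, envelope):
    """Re-protect an old envelope under the new policy's default algorithm."""
    return protect(new_policy, key, verify(old_policy, key, envelope))
```

A transition policy accepts both IDs while stored data is migrated; once that is done, a policy that accepts only the new ID rejects anything still tagged with the retired algorithm.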



Bundesamt für Sicherheit in der Informationstechnik (BSI)

Blameless security

Blameless Security is an approach for security experts (e.g. operations, developers, testers, …) to work hand in hand. They should use some methods and tools for it.
When a security issue has happened, nobody should get punished.
There should be a meeting with one expert from each team and one moderator. Finger-pointing is forbidden, and whoever does it has to leave the conference call.
In this meeting you should create a "root cause origin tree", which means that all the facts that led to the facts … that led to the issue should be considered.
After that, find actions to mitigate the risks.
It is better to create secure systems than to secure your systems.

Andreas Hauke, SAP

These were just some short notes that I made because they were new or important to me. We had much more material, and it is not meant as discrimination when I don't write about it.

Regards, Achim Mertens


Thanks for sharing your notes and thoughts, @achimmertens! (Bookmarked for future read.)

A huge hug from @amico! ;)
