Cysec PDF


The Good The Bad The Ugly

Introduction to Cyber Security

शिवकुमार G. Sivakumar சிவகுமார்

Computer Science and Engineering

Indian Institute of Technology Bombay (IIT Bombay)
[email protected]
• Setting the Stage (Some recent incidents)
• The Good (The Dream: AI meets Web 3.0 & SMAC + IoT)
• The Bad (The Nightmare: Computer & Network Security)
• The Ugly? (Deception Technologies and Behaviour Analysis)


Compromising the Supply Chain

Are some countries more trustworthy than others?

Can this happen to you?


blackMail

Dear All,
There is a very ingenious blackmailing email circulating around asking for money in bitcoins. ... they all have a few similar features:

• They include a password that you probably have used
• Claim to have installed malware, and record video of you through your webcam.
• Threaten to reveal your adult website habits and send videos ...
• Demand bitcoins...

Subject: [email protected] is hacked
From: [email protected]
Date: Thu, October 18, 2018 4:35 pm
Hello!
My nickname in DARKNET is derrik82. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.
So, your password from [email protected] is xxxxxxxxx
Even if you changed the password after that - it does not matter, my virus
...
I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!
...
Send the above amount on my BTC wallet (bitcoin):
1EZS92K4xJbymDLwG4F7PNF5idPE62e9XY
Since reading this letter you have 48 hours!


Insider Attacks

• CBI
• Paytm
• ...

[From https://en.wikipedia.org/wiki/Insider_threat] A report published on the insider threat in the U.S. financial sector[6] gives some statistics on insider threat incidents: 80% of the malicious acts were committed at work during working hours; 81% of the perpetrators planned their actions beforehand; 33% of the perpetrators were described as "difficult" and 17% as being "disgruntled". The insider was identified in 74% of cases. Financial gain was a motive in 81% of cases, revenge in 23% of cases, and 27% of the people carrying out malicious acts were in financial difficulties at the time.


Partial Landscape (from CISO/CTO perspective)


Cyber Security Framework, NIST (April 2018) (CEO perspective)
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Common taxonomy and mechanism for
• Describing current cybersecurity posture
• Target state for cybersecurity
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
• Assess progress
• Communicate with stakeholders about cybersecurity risk

Not one size fits all!

We will return to this framework at the end.


One Single Truth? अन्ध-गज न्यायः (the maxim of the blind men and the elephant)


Stone Age to Information Age

Homo Erectus, Homo Sapiens, Homo Deus [Yuval Noah Harari], 21 Lessons

Technology (Wikipedia Definition)
Technology is the usage and knowledge of tools, techniques, crafts, systems or methods of organization in order to solve a problem or serve some purpose.

Zero, Wheel, Printing Press, Radio, Lasers, ...

Any sufficiently advanced technology is indistinguishable from magic. [Arthur C. Clarke]

• Why Information Technology is different?
  Transistor, VLSI, Microprocessor, ...
• Danger: Computers are coming! Taking away our jobs!
  Construction, Farming, Banking, Surgery, Composing music, Teaching!
  Be very scared!


Web 1.0, Web 2.0, Web 3.0


Web 1.0 [1990-2005] (Right to Information)
• Internet: Info anytime, anywhere, any form

• Like drinking water from a fire hose

• Search Engines to the rescue

Web 2.0 [2005-2015] (Right to Assembly)


• Social Networking (Twitter, Facebook, Kolaveri, Flash crowds)

• Producers, not only consumers (Wikipedia, blogs, ...)

• Proliferated unreliable, contradictory information?

• Facilitated malicious uses including loss of privacy, security.

Web 3.0 [current] (AI & ML meet Semantic Web)


• Intelligent Agents that “understand”

• What do you want when you get up and switch on the computer?

• I have a dream! (MLK)


Open Enterprises of the Future

What the Future Holds?


Modify a Google Calendar to allow a colleague to add a Faaso’s
roll order to a meeting invite that can be picked up by Ola and
delivered by a drone to a client’s office five minutes before the
scheduled meeting starts.

What this needs?


• Multi-Party Services Orchestration

• Transparent Information Flow

• Transparent Event Flow

• Semantic Consistency

• Network and Protocol Adaptability

• End-to-End Security

• Business Management

In the Security context, this is securing M2M communications!



Artificial Intelligence & Machine Learning


• Can AI of computers match NS of humans?
• Old Joke: Out of sight, out of mind
• Consider chess, once the holy grail of AI.

Does not play the human way at all! Mostly parallelized search in
hardware (200 million positions/second!)
• December 2017: AlphaGo Zero used reinforcement learning to teach
itself chess in 4 hours! Beat world’s best program Stockfish
comprehensively!

Deep Patient

Are doctors practicing medical science?
https://www.nature.com/articles/srep
The machine was given no information about how the human body works or how diseases affect us. It found correlations that let it predict the onset of some diseases more accurately than ever, and some diseases, such as schizophrenia, for the first time at all. It does this by creating a vast network of weighted connections that is just too complex for us to understand.


3rd platform: SMAC + IoT


• Main Frame (1960s ...)
• Client Server (1990s ...)
• Today (Handheld, Pervasive Computing)

[Diagram: 3rd Platform = Social, Mobile, Analytics, Cloud + Internet of Things]


3rd platform: SMAC + IoT


• What’s App (how many engineers?)
• Facebook, Twitter, GooglePlus ...
• Web 2.0 (Right to Assembly)
• Crowdsourcing (Wikipedia)
• Crowdfunding (no banks!)


3rd platform: SMAC + IoT


• Phone (Smart, Not-so-smart!)
• Wearables! (Google glass, Haptic)
• Internet of “Me” (highly personalized) Business (no generic products!)
• BYOx: Device security, App/content management nightmare.
• Data Loss Prevention (Fortress Approach - Firewall, IDS/IPS - won’t work!)


3rd platform: SMAC + IoT


• Big Data
• Volume, Variety, Velocity, Veracity
• ACID properties Database not needed
• Hadoop, Map Reduce, NoSql
• Knowledge is Power!
• Collect, Analyse, Infer, Predict


3rd platform: SMAC + IoT


• Moore’s law
• What could fit in a building .. room ... pocket ... blood cell!
• Containers Analogy from Shipping
• VMs separate OS from bare metal (at great cost: Hypervisor, OS image)
• Docker: separates apps from OS/infra using containers.
• Like IaaS, PaaS, SaaS. Have you heard of CaaS?


3rd platform: SMAC + IoT


• Sensors (Location, Temperature, Motion, Sound, Vibration, Pressure, Current, ....)
• Device Eco System (Smart Phones, Communicate with so many servers!)
• Ambient Services (Maps, Messaging, Traffic modelling and prediction, ...)
• Business Use Cases (Ola Cabs, Home Depot, Philips Healthcare, ...)
• Impact on wireless bandwidth, storage, analytics (velocity of BIG data, not size)


Internet’s Nightmare

Match the following!


Problems                     | Attackers
Highly contagious viruses    | Unintended blunders
Defacing web pages           | Disgruntled employees or customers
Credit card number theft     | Organized crime
On-line scams                | Foreign espionage agents
Intellectual property theft  | Hackers driven by technical challenge
Wiping out data              | Petty criminals
Denial of service            | Organized terror groups
Spam E-mails                 | Information warfare
Reading private files        | ...
Surveillance                 | ...

• Crackers vs. Hackers
• Note how many resources are available to attackers.


Atlas.arbor.net


Real-time Intelligence: atlas.arbor.net


Who is scanning?


Who is hosting phishing sites?


Malicious Servers


Internet Attacks Toolkits (Youtube)


Internet Attack Trends


From training material at http://www.cert-in.org.in/


What is a Computer Network?


So, what’s Internet?


• A bottom-up collection (interconnection) of networks

• TCP/IP is the only common factor


• Bureaucracy-free, reliable, cheap
• Decentralized, democratic, chaotic
• Internet Society (www.isoc.org)

Packet Switching in Internet


Exchanging Secrets

Goal
A and B to agree on a secret number. But, C can listen to all their
conversation.

Solution?
A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.


Mutual Authentication

Goal
A and B to verify that both know the same secret number. No
third party (intruder or umpire!)

Solution?
A tells B: I’ll tell you first 2 digits, you tell me the last two...


Zero-Knowledge Proofs

Goal
A to prove to B that she knows how to solve the cube. Without
actually revealing the solution!

Solution?
A tells B: Close your eyes, let me solve it...


Cryptography and Data Security

• sine qua non [without this nothing :-]


• Historically who used first? (L & M)
• Code Language in joint families!


Vulnerabilities
• Application Security
  • Buggy code
  • Buffer Overflows
• Host Security
  • Server side (multi-user/application)
  • Client side (virus)
• Transmission Security

Security Requirements

Informal statements (formal is much harder)


• Confidentiality: Protection from disclosure to unauthorized persons.

• Integrity: Assurance that information has not been modified without authorization.

• Authentication: Assurance of identity of originator of information.

• Non-Repudiation: Originator cannot deny sending the message.

• Availability: Protection against not being able to use the system or communicate when desired.

• Anonymity/Pseudonymity: For applications like voting, instructor evaluation.

• Traffic Analysis: An observer should not even know who is communicating with whom. Why?

• Emerging Applications: Online Voting, Auctions (more later)

And all this with postcards (IP datagrams)!


Security Mechanisms

• System Security: “Nothing bad happens to my computers and equipment”
  virus, trojan-horse, logic/time-bombs, ...
• Network Security:
  • Authentication Mechanisms: “you are who you say you are”
  • Access Control (Firewalls, Proxies): “who can do what”
• Data Security: “for your eyes only”
  • Encryption, Digests, Signatures, ...


Network Security Mechanism Layers


Threat-Defence Matrix

2 types of organizations: those who have been compromised and those who do not know that they have been compromised!

Threat   | Defence | Example
Known    | Known   | Malware, DoS, SQL Injection ..
         |         | This is Hygiene, but what’s your score?
         |         | VA-PT, IS-Audit
Known    | Unknown | Zero-Day, APT,
         |         | Risk Analysis and Mitigation
         |         | Sandbox (Evasion e.g. Macro on File-Close)
         |         | Threat Hunting (Has it happened to us?)
Unknown  | Unknown | ???? (Kill chain)
         |         | Recon
         |         | Lateral Shift
         |         | Exfiltration


Tackling the Known-Known

• Anti-Virus
• Firewall
• Patch Management
• IDS/IPS
• WAF
• ..


Tackling the Known-UnKnown (Threat Hunting)

Slide borrowed from CERT-IN workshop (July 2018)


Tackling the UnKnown-UnKnown

Deception Technologies
• Decoys
  • Fake servers/services (ATM, Swift, ...)
  • Must blend and adapt (not stale)
  • ...
• Lures
  • Vulnerable Ports/Services
  • Mis-configuration
• Breadcrumbs
  • Mis-direction
  • File with credentials/mis-direction
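
The defender's side of the decoy and breadcrumb items above, as an added example that is not part of the original slides: a credential that exists only in a planted file, or a server nobody legitimately uses, turns any touch into a high-confidence alert with no signature or baseline needed. The account names, addresses and log format are constructed assumptions.

```python
"""Decoy tripwire over authentication events (added example, constructed data)."""
import re
from dataclasses import dataclass

# Hypothetical deception inventory: accounts that exist only in planted
# breadcrumb files, and decoy servers no production system should contact.
DECOY_ACCOUNTS = {"svc_swift_backup", "atm_admin"}
DECOY_HOSTS = {"10.20.0.99"}

# Constructed log format (an assumption, not a real product's format):
# <time> auth user=<name> src=<ip> dst=<ip> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>ok|fail)$"
)

SAMPLE_LOG = """\
2018-10-18T09:01:12 auth user=alice src=10.1.4.17 dst=10.20.0.5 result=ok
2018-10-18T09:03:40 auth user=bob src=10.1.4.22 dst=10.20.0.5 result=fail
2018-10-18T09:14:02 auth user=svc_swift_backup src=10.1.4.22 dst=10.20.0.7 result=fail
2018-10-18T09:14:30 auth user=bob src=10.1.4.22 dst=10.20.0.99 result=fail
this line is malformed and must be skipped
2018-10-18T09:20:00 auth user=carol src=10.1.7.3 dst=10.20.0.5 result=ok
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    reason: str


def scan(log_text):
    """Return one Alert per touch of a decoy, whether the login succeeded or not."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are ignored, never treated as clean
        if m["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(m["ts"], m["src"], f"decoy credential {m['user']} used"))
        if m["dst"] in DECOY_HOSTS:
            alerts.append(Alert(m["ts"], m["src"], f"decoy host {m['dst']} contacted"))
    return alerts


def sources_to_isolate(alerts):
    """Rank source hosts so one that touched several traps comes first."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return sorted(counts, key=lambda s: (-counts[s], s))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a.ts, a.src, a.reason)
    print("isolate:", sources_to_isolate(found))
```

An ordinary failed login (bob at 09:03:40) raises nothing; only the touches on the planted account and the decoy host do.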


Tackling the UnKnown-UnKnown

User and Endpoint Behaviour Analysis

• Try saying I love you 10 times every day to your spouse!
• All antennas will go up!
• All defence mechanisms will be strengthened.
AI/Machine Learning to the rescue.
• Behaviour profiling (Baseline)
• Watch for anomalies
• Correlate with threats
• Reduce false positives
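
The four steps above (baseline, anomalies, correlation, fewer false positives) in their simplest statistical form, as an added example that is not part of the original slides. The users, upload volumes, destinations and thresholds are constructed assumptions; a production system would use richer features than one daily number.

```python
"""Per-user baseline, anomaly scoring and threat correlation (added example)."""
from statistics import mean, pstdev

# Constructed history: daily upload volume in MB per user (baseline period).
HISTORY = {
    "alice": [40, 55, 48, 52, 45, 50, 47, 53, 49, 51],
    "bob": [5, 8, 6, 7, 5, 9, 6, 7, 8, 6],
}

# Constructed observations under review: (user, MB uploaded, destination).
TODAY = [
    ("alice", 58, "files.corp.example"),   # slightly high, within her norm
    ("alice", 400, "files.corp.example"),  # far above baseline, benign destination
    ("bob", 90, "paste.bad.example"),      # far above baseline AND flagged destination
    ("bob", 7, "paste.bad.example"),       # normal volume, flagged destination
    ("dave", 30, "files.corp.example"),    # new user, nothing to compare against
]

# Hypothetical threat-intelligence list of destinations already tied to threats.
THREAT_DESTINATIONS = {"paste.bad.example"}

Z_THRESHOLD = 3.0   # standard deviations above the user's own mean
MIN_SAMPLES = 5     # do not profile a user from too little history


def build_baseline(history):
    """Behaviour profiling: (mean, std-dev) of each user's own past activity."""
    baseline = {}
    for user, values in history.items():
        if len(values) >= MIN_SAMPLES:
            # Floor the deviation so a perfectly flat history cannot divide by zero.
            baseline[user] = (mean(values), max(pstdev(values), 1.0))
    return baseline


def zscore(baseline, user, value):
    """How unusual is this value for this user? None when there is no profile."""
    if user not in baseline:
        return None
    mu, sigma = baseline[user]
    return (value - mu) / sigma


def triage(events, baseline, threat_dsts):
    """Correlate anomalies with threat data; only corroborated ones become alerts."""
    results = []
    for user, mb, dst in events:
        z = zscore(baseline, user, mb)
        anomalous = z is not None and z > Z_THRESHOLD
        known_bad = dst in threat_dsts
        if z is None:
            verdict = "no-baseline"
        elif anomalous and known_bad:
            verdict = "alert"      # two independent signals agree
        elif anomalous or known_bad:
            verdict = "review"     # single signal: queue it, do not page anyone
        else:
            verdict = "normal"
        results.append((user, mb, dst, verdict))
    return results


if __name__ == "__main__":
    for row in triage(TODAY, build_baseline(HISTORY), THREAT_DESTINATIONS):
        print(row)
```

Alice's 400 MB upload is anomalous but goes only to the review queue; requiring a second, independent signal before alerting is what keeps the false-positive rate down.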


What next?

िचनीया िह िवपदां आदावेव ूितिबया


ु ं ूदीे विना गृहे
न कू पखननं य
The effect of disasters should be thought of beforehand. It is not
appropriate to start digging a well when the house is ablaze with
fire.

आचायात प् ादमादे पादं िशः मेधया ।


सॄचािरः पादं पादं कालबमेण च ॥
one fourth from the teacher,
one fourth from own intelligence,
one fourth from classmates,
and one fourth only with time.
