(mis)trust in the cyber era

Post on 29-Jun-2015


(Mis)trust in the Cyber Era

Information Security Summit 2013

Albert Hui GREM, GCFA, GCFE, GCIA, GCIH, GXPN, GPEN, GAWN, GSNA, CISA

Principal Consultant

October 23rd 2013 @ Hong Kong

Who Am I?

Albert Hui, GREM, GCIA, GCIH, GCFA, GCFE, GPEN, GXPN, GAWN, GSNA, CISA

SANS Advisory Board Member

GRC Consultant for Banks, Government and Critical Infrastructures.

Spoken at Black Hat, HTCIA-AP, and Economist Corporate Network.

Former HKUST lecturer.

Agenda

1. Trust Defined

2. Ramifications of Trusting Another Party

3. Privacy at Stake

4. The Solution?

A Story of Trust and (Alleged) Betrayal

Dropbox’s Clarification

Dropbox’s Clarification (cont.)

Sad but True

“If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext.”

Bruce Schneier

Understanding Trust

Why Important to Reflect on Trust?

$\text{Risk} = \dfrac{1}{\text{Trust}}$

What Exactly is Trust?

(Slide diagram: Faith, Knowing, Evidenced, Assurance; Ideal, Reality)

Trust Outsourcing

Risk is Often Outsourced

Insurance

Hedging

Trust is Often Outsourced Too

Public Key Infrastructure Simplified

Certificate Authority

Alice Bob

Root Certificate Authorities Compromised

Malware

Stuxnet, Duqu, …

Signed

Transitive Trust
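The slides above (PKI simplified, compromised root CAs, signed malware, transitive trust) are illustrated here with an added example that is not part of the talk. It is a toy model: textbook RSA over small constructed primes with no padding, never a real signature scheme. The names (Root CA, Vendor CA, Intermediate CA, app.exe, driver.sys) and the seeds are constructed. The point it shows is that a relying party accepts anything reachable from a trusted root, so a leaked CA key extends trust to whatever that key signs, and the only remedy on the relying side is to distrust (or revoke) that CA.

```python
"""Added example (not from Albert Hui's slides): transitive trust in a
toy PKI. Textbook RSA with small constructed primes and no padding, so
it is a teaching model only."""
import hashlib
from dataclasses import dataclass


def _is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def _next_prime(n):
    while not _is_prime(n):
        n += 1
    return n


def make_key(seed, e=65537):
    """Toy RSA key pair from a constructed seed: ((n, e), (n, d))."""
    p = _next_prime(seed)
    while True:
        q = _next_prime(p + 2)
        try:
            d = pow(e, -1, (p - 1) * (q - 1))  # Python 3.8+; raises if e | phi
            return (p * q, e), (p * q, d)
        except ValueError:
            p = _next_prime(q + 2)


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg):
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple  # subject's (n, e)
    sig: int    # issuer's signature over to_be_signed()

    def to_be_signed(self):
        return f"{self.subject}|{self.issuer}|{self.pub[0]}|{self.pub[1]}".encode()


def issue(subject, subject_pub, issuer, issuer_priv):
    tbs = Cert(subject, issuer, subject_pub, 0).to_be_signed()
    return Cert(subject, issuer, subject_pub, sign(issuer_priv, tbs))


def validate(chain, trust_store):
    """chain is leaf-first; the last cert's issuer must be a name in trust_store.
    Each link is checked (names match, signature verifies under the issuer's
    key). Purpose, expiry and revocation are deliberately not modelled."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if issuer.subject != cert.issuer:
                return False
            issuer_pub = issuer.pub
        else:
            issuer_pub = trust_store.get(cert.issuer)
            if issuer_pub is None:
                return False
        if not verify(issuer_pub, cert.to_be_signed(), cert.sig):
            return False
    return True


def scenario():
    """Constructed roots, one intermediate, two leaves; returns what a relying
    party accepts before and after distrusting a root whose key has leaked."""
    root_pub, root_priv = make_key(1_000_000)
    vendor_pub, vendor_priv = make_key(2_000_000)   # second trusted root
    inter_pub, inter_priv = make_key(3_000_000)
    app_pub, _ = make_key(4_000_000)
    drv_pub, _ = make_key(5_000_000)
    trust_store = {"Root CA": root_pub, "Vendor CA": vendor_pub}

    inter = issue("Intermediate CA", inter_pub, "Root CA", root_priv)
    app = issue("app.exe", app_pub, "Intermediate CA", inter_priv)
    # Signed with Vendor CA's key: if that key has leaked, this cert is
    # indistinguishable from a legitimate one, because trust is transitive.
    driver = issue("driver.sys", drv_pub, "Vendor CA", vendor_priv)
    # Same signature bytes, but claiming an issuer that did not sign it.
    forged = Cert("driver.sys", "Root CA", drv_pub, driver.sig)

    after_distrust = {k: v for k, v in trust_store.items() if k != "Vendor CA"}
    return {
        "legit_chain": validate([app, inter], trust_store),
        "forged_issuer": validate([forged], trust_store),
        "vendor_signed_before_distrust": validate([driver], trust_store),
        "vendor_signed_after_distrust": validate([driver], after_distrust),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {accepted}")
```

Note that the relying party never sees whether the signing key was used by its rightful owner; the decision rests entirely on which names sit in the trust store, which is why auditing and pruning that store matters.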

Reality

RISK OUTSOURCING

1. Assess risks

2. Treat some risks

3. Terminate some risks

4. Tolerate some risks

5. Transfer remaining risks

TRUST OUTSOURCING

1. Transfer trust

2. Trust that transferee is trustworthy (secure, reliable and aligns with your risk appetite & risk strategy)

Trust Crowdsourcing

Herd Mentality

Open Source’s “Many Eyes” Claim

Evidence to the Contrary

Generates Predictable Keys (CVE-2008-0166)

Privacy

Recap

“If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to have access to the plaintext.”

Bruce Schneier

Privacy Seppuku

The Public-Private Surveillance Partnership

Technologically Speaking

A court order is no different from an insider attack.

Suggestions

1. Be conservative in assessing trust outsourcing risks.

2. Be skeptical.

3. Defense in depth.

4. End-to-end encryption.
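An added example, not from the talk, tying the last suggestion (end-to-end encryption) to the Schneier quote and to the slide "a court order is no different from an insider attack". It models a storage provider two ways: holding only ciphertext, or holding the key as well. The cipher is a constructed SHA-256 keystream with an HMAC tag, for illustration only (a real system would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305); the document text, passphrase and file name are constructed.

```python
"""Added example (not from the slides): what a provider can and cannot do
with your data depending on who holds the key. Toy cipher, not for use."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    """Constructed keystream: SHA-256(key || nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext, nonce=None):
    """Returns nonce || ciphertext || HMAC-SHA256 tag (encrypt-then-MAC)."""
    nonce = nonce or os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Provider:
    """Stores blobs. With the key (provider-side encryption) it can offer
    features such as search; without it, it can only hand the bytes back."""

    def __init__(self, key=None):
        self.key = key
        self.store = {}

    def put(self, name, blob):
        self.store[name] = blob

    def search(self, word):
        hits = []
        for name, blob in self.store.items():
            data = decrypt(self.key, blob) if self.key else blob
            if word in data:
                hits.append(name)
        return hits

    def compelled_read(self, name):
        """What a rogue administrator, or a court order served on the
        provider, obtains: plaintext if the provider holds the key, else None."""
        blob = self.store[name]
        return decrypt(self.key, blob) if self.key else None


DOC = b"quarterly report: revenue up, acquisition of ExampleCo pending"  # constructed


def compare():
    key = hashlib.sha256(b"user passphrase (constructed)").digest()
    e2e = Provider()        # key never leaves the client
    e2e.put("report.txt", encrypt(key, DOC))
    psd = Provider(key)     # provider-side: provider also holds the key
    psd.put("report.txt", encrypt(key, DOC))
    return {
        "e2e_search": e2e.search(b"acquisition"),
        "e2e_compelled": e2e.compelled_read("report.txt"),
        "provider_search": psd.search(b"acquisition"),
        "provider_compelled": psd.compelled_read("report.txt"),
        "client_roundtrip": decrypt(key, e2e.store["report.txt"]) == DOC,
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name}: {result!r}")
```

The search result is the trade-off in one line: the provider that can find "acquisition" for you is the same provider that can hand the report to anyone who compels or compromises it. End-to-end encryption removes that capability from the provider, for the user and for the insider alike.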

Thank You

albert@securityronin.com
