ISSA France Chapter Meeting Supporting Slides, November 2013

Security Tuesday "Celui qui part à la chasse" (He who goes hunting), 19 November 2013, Enrico Branca


DESCRIPTION

Supporting slides used by Mr. Enrico Branca at the Security Tuesday of 19 November 2013: "Celui qui part à la chasse"

TRANSCRIPT

Page 1: ISSA France Chapter Meeting Supporting Slides November 2013

Security Tuesday

"Celui qui part à la chasse"

19 November 2013, Enrico Branca

Page 2: Information Security

Definition

"the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc...)"

(http://en.wikipedia.org/wiki/Information_security)

"Safe-guarding an organization's data from unauthorized access or modification to ensure its availability, confidentiality, and integrity."

(http://www.businessdictionary.com/definition/information-security.html)

Page 3: Information Security

Combine the basic principles of information security:

1) You cannot secure what you cannot manage

2) You cannot manage what you cannot measure

3) You cannot measure what you are not aware of

WITH MONEY

4) You cannot monetize what you are not aware even exists

NEW TASK: "measure" information security in order to sell it

Page 4: Quantitative Information Security

Definition of 'Quantitative Analysis'

A business or financial analysis technique that seeks to understand behavior by using complex mathematical and statistical modeling, measurement and research.

By assigning a numerical value to variables, quantitative analysts try to replicate reality mathematically.

(http://www.investopedia.com/terms/q/quantitativeanalysis.asp)

Quantitative research

"The objective of quantitative research is to develop and employ mathematical models, theories and/or hypotheses pertaining to phenomena. The process of measurement is central to quantitative research because it provides the fundamental connection between empirical observation and mathematical expression of quantitative relationships. Quantitative data is any data that is in numerical form such as statistics, percentages, etc."

(http://en.wikipedia.org/wiki/Quantitative_research)

Page 5: Quantitative Information Security

-- 1998 --

"Quantitative Evaluation of Information System Security"

(http://homepages.laas.fr/deswarte/Publications/98107.pdf)

-- 2004 --

"Computer Security Strength & Risk: A Quantitative Approach"

(http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.9.5276&rep=rep1&type=pdf)

-- 2009 --

"Computer Safety, Reliability, and Security"

(28th International Conference, SAFECOMP 2009, ISBN 978-3-642-04468-7)

-- 2012 --

"Towards quantitative measures of Information Security: A Cloud Computing case study"

(sdiwc.net/digital-library/web-admin/upload-pdf/00000315.pdf)

-- 2013 --

"A Quantitative, Experimental Approach to Measuring Processor Side-Channel Security"

(http://www.cs.columbia.edu/~jdd/papers/micro13_svf.pdf)

Page 6: Google Search Trends

[Figure: Google Search Trends chart; not reproduced in the transcript]

Page 7: Economic Intelligence (English)

"...vocabulary evolved also, shifting from 'economic war', 'competitive intelligence' and 'economic watch' only, to 'economic intelligence', which aims to encompass all aspects of the globalised risks and opportunities and that is based on an upstream understanding and a multidisciplinary approach of the threats that need to be addressed."

"Today, economic intelligence is recognised as a professional tool for strategy and management for States and companies in the globalised world. Its implementation is based on three main pillars:

(1) The mastering of strategic information

(2) Economic security, which is defensive and directed at protecting economic assets

(3) Influence (active or offensive), be at the cutting edge for seeking opportunities and innovation and to be able to act on one's environment (regulations, norms, image...) and not only be passively dependent on it"

(http://www.realinstitutoelcano.org/wps/portal/rielcano_eng/Content?WCM_GLOBAL_CONTEXT=/elcano/elcano_in/zonas_in/defense+security/ari134-2010)

Page 8: Economic Intelligence (Intelligence Economique)

"Competitive advantage of economic intelligence"

• detect what can give the company a competitive advantage

• mobilise the company's internal actors

• draw the conclusions needed for the best possible exploitation

The information provided must have certain qualities:

1) accuracy

2) currency (kept up to date)

3) tied to its context.

In formal terms, it must:

1) be processed quickly

2) be explicit

3) be economically accessible.

Page 9: Economic Intelligence (Intelligence Economique)

-- 1999 --

"L'intelligence économique" (Economic intelligence)

Achard, Pierre; Bernat, Jean-Pierre; BBF, 1999, no. 6, pp. 123-125

-- 2003 --

"Intelligence économique et stratégique" (Economic and strategic intelligence)

(http://www.adec.fr/files_upload/documentation/200607201512060.Cigref_IE_internet.pdf)

-- 2009 --

"Guide des bonnes pratiques en matière d'intelligence économique" (Guide to good practice in economic intelligence)

(http://c.asselin.free.fr/french/guide_des_bonnes_pratiques_en_matiere_d_ie-1.pdf)

-- 2011 --

"Le concept français d'« intelligence économique »: histoire et tendances" (The French concept of "economic intelligence": history and trends)

(http://archivesic.ccsd.cnrs.fr/docs/00/64/64/67/PDF/MHArtIEfrWorkingpaper20101213FRfinal.pdf)

-- 2012 --

"L'information au cœur de l'intelligence économique stratégique" (Information at the heart of strategic economic intelligence)

(http://rrien.univ-littoral.fr/wp-content/uploads/2012/03/doc27-rri.pdf)

Page 10: Open Data Sources

Internet-Wide Scan Data Repository (https://scans.io/)

The Internet-Wide Scan Data Repository is a public archive of research data collected through active scans of the public Internet.

The repository is hosted by the ZMap Team at the University of Michigan and was founded in collaboration with Rapid7.

• University of Michigan · HTTPS Ecosystem Scans

• University of Michigan · Hurricane Sandy ZMap Scans

• Rapid7 · Critical.IO Service Fingerprints

• Rapid7 · SSL Certificates

• Rapid7 · Reverse DNS

• Rapid7 · HTTP-GET (port 80)

• A JSON interface to the repository is available at https://scans.io/json

Page 11: Open Data Sources

Internet Census 2012

"Port scanning /0 using insecure embedded devices" (Carna Botnet)

http://internetcensus2012.bitbucket.org/paper.html

(The census was run from a botnet installed on embedded devices reachable with default telnet credentials, i.e. without the owners' consent; the paper itself describes this. The data is public, the collection method was not authorised.)

All data collected during the Internet Census 2012 is available for download via BitTorrent.

The full download is 568 GB. Decompressing all data results in 9 TB of raw log files in text format. If recompressed into gzip files the dataset should be ~1.5 TB.

http://internetcensus2012.bitbucket.org/download.html

Page 12: Open Data Sources

Institut national de la statistique et des études économiques (INSEE)
http://www.insee.fr/fr/bases-de-donnees/default.asp
http://www.bdm.insee.fr/bdm2/index.action

French public open data platform (Plateforme d'ouverture des données publiques)
http://www.data.gouv.fr/

Linked Open Data Around-The-Clock
http://latc-project.eu/datasets

Pan European data portal
http://publicdata.eu/dataset

European Union Open Data Portal
http://open-data.europa.eu/

Page 13: Server Access Logs

TOP 5 - BOT user agents (sample from 2012 logs), with hit counts:

2,910,357  Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
1,067,432  Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
  632,752  Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
  619,931  Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
  479,867  Mozilla/5.0 (compatible; Ezooms/1.0; [email protected])

TOP 5 - BROWSER user agents (sample from 2012 logs), with hit counts:

1,824,893  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
  806,615  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
  646,110  Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
  433,263  Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
  387,967  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Google queries for finding web server logs exposed on the public web (the same queries show whether your own logs are indexed):

intext:"Mozilla/5.0" filetype:txt

filetype:log user_agents

Page 14: Server Access Logs

[Figure: four bar charts from the 2012 log sample: "User Agents by Phone Manufacturer" (Alcatel, MOTOROLA, LG, SonyEricsson, BlackBerry, Nokia, HTC), "User Agents by Operating System" (SunOS, Android, Linux, Mac, Windows), "User Agents by Browser" (Microsoft Office, SeaMonkey, Iceweasel, Outlook-Express, Opera, Chrome, Safari, Firefox, MSIE) and "User Agents by Layout Engine" (Presto, AppleWebKit, Trident, Gecko). The bar values survive only as unlabelled columns of numbers in the transcript and cannot be reliably paired with the categories.]
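The tallies behind slides 13 and 14 can be reproduced on any access log in Combined Log Format. The following is an added example, not code from the slides: it parses log lines, separates self-declared crawlers (the five bot tokens listed on slide 13) from browser traffic, and bins browser hits by operating system, layout engine and handset vendor. The log lines are constructed for the example, and the classification rules are simple substring heuristics chosen here, not a definition taken from the presentation.

```python
"""Tally user agents from web server access logs, as on slides 13 and 14.

Added example. Parses Combined Log Format lines, separates self-declared
crawlers from browser traffic, and bins browser traffic by operating system,
layout engine and handset vendor. The sample log lines are constructed.
"""
import re
from collections import Counter

# Combined Log Format; the user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crawler tokens as they appear in the slide's top five bots.
BOT_RE = re.compile(r"Googlebot|bingbot|Baiduspider|YandexBot|Ezooms", re.I)

# Heuristic rules, first match wins (assumption made here): Android is tested before
# Linux because Android agents also say "Linux", and Trident before Gecko because
# WebKit agents carry a "like Gecko" token, which the Gecko rule avoids by requiring "Gecko/<digit>".
OS_RULES = [("Windows", r"Windows NT"), ("Android", r"Android"), ("Mac", r"Mac OS X"),
            ("SunOS", r"SunOS"), ("Linux", r"Linux")]
ENGINE_RULES = [("Trident", r"Trident/|MSIE "), ("Presto", r"Presto/"),
                ("AppleWebKit", r"AppleWebKit/"), ("Gecko", r"Gecko/\d")]
VENDOR_RULES = [("HTC", r"HTC"), ("Nokia", r"Nokia"), ("BlackBerry", r"BlackBerry"),
                ("SonyEricsson", r"SonyEricsson"), ("LG", r"LG-"), ("MOTOROLA", r"MOT-"),
                ("Alcatel", r"Alcatel")]


def classify(rules, ua, default="Other"):
    """Return the label of the first rule whose pattern occurs in the user agent."""
    for label, pattern in rules:
        if re.search(pattern, ua):
            return label
    return default


def tally(lines):
    """Count bot and browser user agents and bin browsers by OS, engine and vendor.
    Lines that do not parse are counted under "unparsed" rather than silently dropped."""
    result = {"bots": Counter(), "browsers": Counter(), "os": Counter(),
              "engine": Counter(), "vendor": Counter(), "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            result["unparsed"] += 1
            continue
        ua = m["ua"]
        if BOT_RE.search(ua):
            result["bots"][ua] += 1
            continue
        result["browsers"][ua] += 1
        result["os"][classify(OS_RULES, ua)] += 1
        result["engine"][classify(ENGINE_RULES, ua)] += 1
        vendor = classify(VENDOR_RULES, ua, default=None)
        if vendor:
            result["vendor"][vendor] += 1
    return result


def top(counter, n=5):
    """Slide 13 style "TOP n" listing: (user agent, hits) pairs, most frequent first."""
    return counter.most_common(n)


# Constructed sample (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2012:10:01:02 +0100] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.7 - - [12/Mar/2012:10:01:03 +0100] "GET /index.html HTTP/1.1" 200 8841 "-" '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"',
    '192.0.2.33 - - [12/Mar/2012:10:01:04 +0100] "GET /about HTTP/1.1" 200 2210 "http://example.com/" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"',
    '192.0.2.34 - - [12/Mar/2012:10:01:05 +0100] "GET /m/ HTTP/1.1" 200 1502 "-" '
    '"Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; HTC Desire Build/GRJ22) AppleWebKit/533.1 '
    '(KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"',
    '198.51.100.8 - - [12/Mar/2012:10:01:06 +0100] "GET /robots.txt HTTP/1.1" 200 68 "-" '
    '"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '192.0.2.35 - - [12/Mar/2012:10:01:07 +0100] "GET / HTTP/1.1" 304 - "-" '
    '"Opera/9.80 (Windows NT 6.1) Presto/2.12.388 Version/12.10"',
    '192.0.2.36 - - [12/Mar/2012:10:01:08 +0100] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.17 (KHTML, like Gecko) '
    'Chrome/24.0.1312.52 Safari/537.17"',
    'malformed line that a log rotation or truncation left behind',
]

if __name__ == "__main__":
    r = tally(SAMPLE_LOG)
    for ua, hits in top(r["bots"]):
        print(f"{hits:>8}  {ua}")
    print(dict(r["os"]), dict(r["engine"]), dict(r["vendor"]), "unparsed:", r["unparsed"])
```

On a real log the first thing to compare is the ratio of bot hits to browser hits before looking at the browser breakdown: in the slide's sample the top five crawlers alone account for more hits than the top five browsers, so per-browser percentages computed over the whole log would be dominated by crawler traffic.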

Page 15: Bots behavior (example)

On Bots – analysis 2005/2006 – http://drunkmenworkhere.org/219

[Figure: crawler behaviour comparison for YAHOO, MSNBOT and GOOGLE; chart not reproduced in the transcript]

Page 16: Data Analysis Constants

Economic parameters for FRANCE

Average work hours a week: 35 (A)
Days of festivities a year: 122 (B)
Average days on holiday a year: 35 (C)
Average working days a year: 208 (D) = 365 - B - C
Average working hours a year: 3120 (E) (note: this does not follow from A and D; 208 working days at 35 h/week is about 1,456 h, and slide 19 uses 5 h/day, i.e. 1,040 h)
Company tax rate: 19.6 % (F) (19.6 % was the standard French VAT rate in 2013, not the corporate income tax rate)
Private tax rate: 45 % (G)
Average monthly salary (gross): 2764 € (H)

Constants for the IT market in France (averages)

Cost of a server install or restore: 6000 € (M)
Servers worked on daily in France: 30 (N)
Daily financial loss (server down): 1500 € (P)
Days to reconfigure a server: 7 (Q)
Cost of an SSL certificate (2048-bit RSA): 500 € (R)
Cost of securing a server installation: 2000 € (S)
Systems that could be secured: 52,568,234 (T)
Systems with a faulty SSL setup: 11,360,349 (U)
Average daily cost of an IT engineer: 990 € (W)

Cost of an offline server in the SME market: "Financial loss + Restore + New SSL certificate"

[(P) x (Q)] + [(M) x 1] + [(R) x 1] = 17,000 €

Cost to fix all systems with a faulty SSL setup:

{[(W) + (S) + (R)] x (U)} = 39,647,618,010 €

Market for server security maintenance:

Market = {[(T) x (S)] + [(W) x (Q) x (T)]}

Market: 469,434,329,620 € (the slide prints 574,570,797,620 €, which is this formula with the (T) x (S) term counted twice)

Page 17: Secure Communication Market

(Some examples of worst cases)

Page 18: Secure Communication Market

Question: is there a market for secure communication?

Inventing some numbers:

• 97,454,086 Total IP

• 66,365,935 No SSL

• 31,088,151 SSL

• 19,727,802 Safe SSL

• 18,360,349 Weak SSL

• 18,213,972 Self-Signed Certs

• 19,312,637 No Trusted Certs

• 29,525,183 Weak Ciphers

• 33,724,344 Weak Keys

• 58,321,312 Old Software

(Note: No SSL + SSL = Total IP, but Safe SSL + Weak SSL = 38,088,151, not 31,088,151; Safe SSL plus the slide 16 figure of 11,360,349 faulty SSL setups does give 31,088,151. Slides 20 to 22 nevertheless carry 18,360,349 forward as the vulnerable population.)

[Figures: "SSL USAGE" bar chart over categories 1 to 5 (y axis 0 to 100,000,000) and "WEAK SSL DETAILS" paired percentages, Series1/Series2 in the order extracted: 74/26, 73/27, 59/41, 53/47, 19/81 %; fictional data]

Page 19: Estimate Cyber Security Market

Parameters:

A = 100,000 servers
B = 50,000 SSL servers
C = 40,000 vulnerable
D = 35 working hours/week
E = 5 hours/day
F = 19.6% corporate tax
G = 45% individual tax
H = 6000 € to install a server
J = 1500 €/day financial loss
K = 500 € certificate cost
L = 2000 € to check a server
M = 7 days to install a server
N = 3960 € gross salary/month (slide 16 used 2764 €)
O = project time 3 years
P = 4 hours to check a server

Total working days/year = 365 - 122 (festivities) - 35 (holidays) = 208 days

Total working hours/year = 208 x 5 = 1040 hours

Annual salary = N x 12 = 47,520 €/year

Human daily cost = (N x 12) / 208 = 228.46 €

Technical cost to reinstall 1 server = H + (J x 7) + K = 17,000 €

Human cost to reinstall 1 server = 228.46 x 7 = 1,599.22 €

Total cost to reinstall 1 server = 17,000 + 1,599.22 = 18,599.22 €

Page 20: Estimate Cyber Security Market

Technical cost to reinstall 1 server = H + (J x 7) + K = 17,000 €

Human cost to reinstall 1 server = 228.46 x 7 = 1,599.22 €

Total cost to reinstall 1 server = 17,000 + 1,599.22 = 18,599.22 €

Total cost to reinstall 40,000 SSL servers = 18,599.22 x 40,000 = 743,968,800 €

Total cost to maintain 40,000 SSL servers = L x 40,000 = 80,000,000 €

Total cost to secure 40,000 SSL servers = 743,968,800 + 80,000,000 = 823,968,800 €

People to check 40,000 SSL servers in 3 years = (P x 40,000) / (1040 x 3) = 51

Vulnerable servers = 18,360,349

Problematic SSL servers = 8,996,571

Total cost to secure the problematic SSL servers = (18,599.22 + L) x 8,996,571 = 185,322,345,274.62 €

People to check the problematic SSL servers in 3 years = (P x 8,996,571) / (1040 x 3) = 11,534 (the slide prints 11,495, which results from a mistyped 8,966,571 in this step)

Total cost to reinstall ALL vulnerable servers = 18,599.22 x 18,360,349 = 341,488,170,327.78 €

Total cost to maintain ALL vulnerable servers = L x 18,360,349 = 36,720,698,000 €

Total cost to secure ALL vulnerable servers = 378,208,868,327.78 €

People to check ALL vulnerable servers in 3 years = (P x 18,360,349) / (1040 x 3) = 23,539

Page 21: Secure Communication Market

How big is the market for IT server maintenance to change SSL certs?

Data analysis revealed that the market is estimated to be on average 185 billion euro and will involve 11,495 IT professionals over a period of 3 years.

[Figure: Server Preparedness level (Safe, Risky, Unsafe, Vulnerable, No Data); fictional data]

Page 22: Estimate Cyber Security Market

Can you estimate the market size related to cyber defense security?

The analysis indicated that France has a potential market of 378 billion euro, with an average cost per cyber attack of 17,500 euro (slide 20 derives 17,000 € of technical cost, or 18,599 € including labour, per server).

The forecast potential market for cyber criminals came to 341 billion euro, and this risk could be mitigated by implementing a cyber defense system.

In this model, an investment of 37 billion euro to maintain and check current servers would prevent all potential losses and would require around 23,539 additional skilled engineers.

[Figure: Server Preparedness level (Safe, Risky, Unsafe, Vulnerable, No Data); fictional data]

Page 23: EXTRA

EXTRA SECTION: HOW TO DEVELOP A LOGICAL MODEL

(Example)

Page 24: EXTRA – DEVELOPING A MODEL

"What is our company's exposure to cyber attacks and cyber risks?"

To answer we first have to understand the question, and to do so we divide it into logical sections.

1. our: the client is interested in a comparison between himself and everyone else, so a reference is needed

2. company: information about the business, not related to private or governmental entities

3. exposure: psychological aspect, how unprotected the client feels compared to his peers

4. risk: psychological aspect, not measurable unless derived from impact and probability

5. cyber: identifies the environment in which the client perceives a problem, i.e. the subject

6. attacks: psychological aspect, not measurable unless derived from the surrounding environment

Now that we know what the client wants, we can rewrite the question in a way that allows us to take direct and measurable actions:

"Can we tell the client how well he operates, compared to his peers operating in the same business environment, by measuring the probability of being a target and the impact of this action, and generate a relative measure of the risk related to the subject, so he can understand how distant his way of conducting the business is from the reference of the industry?"

Page 25: EXTRA – DEVELOPING A MODEL

PREPARATION (PREREQUISITES):

1. Find the list of businesses (peers) that are competitors or providers of our client [Peers]

2. Find the market in which both client and peers are operating [Environment]

3. Find which operational indicators (KPI) are important for the client [ClientKPI]

4. Find which operational indicators (KPI) are important for the peers [PeersKPI]

5. Find which operational indicators (KPI) are important for the subject [SubjectKPI]

6. Find which technical indicators are relevant for the client [ClientTI]

7. Find which technical indicators are relevant for the peers [PeersTI]

8. Find which technical indicators are relevant for the subject [SubjectTI]

9. Find or create a table that measures the probability that an action will happen [Probability]

10. Find or create a table that measures how important the impact of a given action is [Impact]

To correlate the information we assign a code to each prerequisite action:

1 = [Peers]        2 = [Environment]   3 = [ClientKPI]
4 = [PeersKPI]     5 = [SubjectKPI]    6 = [ClientTI]
7 = [PeersTI]      8 = [SubjectTI]     9 = [Probability]
10 = [Impact]

Page 26: EXTRA – DEVELOPING A MODEL

The "+" sign represents a correlation being created between two objects.

11 = [1] + [2] = [Market]
12 = [3] + [6] = [ClientIndex]
13 = [4] + [7] = [PeersIndex]
14 = [5] + [8] = [SubjectIndex]
15 = [9] + [10] = [Risk]
16 = [11] + [15] = [MarketRisk]
17 = [12] + [15] = [ClientRisk]
18 = [13] + [15] = [PeersRisk]
19 = [14] + [15] = [SubjectRisk]
20 = [16] + [19] = [EnvironmentRisk]
21 = [17] + [18] = [BusinessRisk]
22 = [20] + [21] = [IndustryRisk]
23 = [3] + [4] = [DomainKPI]
24 = [6] + [7] = [DomainTI]
25 = [15] + [23] = [PerformanceRisk]
26 = [15] + [24] = [OperationalRisk]
27 = [23] + [24] = [IndustryAverage]
28 = [25] + [26] = [EconomicalRisk]
29 = [27] + [28] = [IndustryReference]

The system of measurements has converted quantitative data (indicators) into human emotions (risk and fear); now we have to convert fear back into something measurable, so that it can be measured and managed as society expects and therefore used in business.

Sub-Question-1: (quantitative)

"how well he operates, compared to his peers?"

Answer = "[12] + [27]"

Sub-Question-2: (qualitative)

"a relative measure of the risk related to the subject?"

Answer = "[17] + [19]"
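The numbered correlations on slides 25 and 26 form a dependency graph, and the two answers are resolved by walking it. The following is an added example, not part of the presentation: it encodes the ten prerequisites and nineteen correlations exactly as numbered, resolves any indicator to the prerequisite data sets it actually consumes, produces the order in which the correlations must be computed, and rejects a definition that loops back on itself. The "+" is treated purely as a dependency; the slides do not define it as an arithmetic operation, and neither does this code.

```python
"""Dependency graph for the indicator model of slides 25 and 26.

Added example. Each derived indicator is the correlation ("+") of two others;
the code resolves an indicator to the prerequisite data sets it consumes,
orders the correlations for evaluation, and rejects cyclic definitions.
"""

# Prerequisites 1-10 and correlations 11-29, numbered exactly as on the slides.
PREREQUISITES = {
    1: "Peers", 2: "Environment", 3: "ClientKPI", 4: "PeersKPI", 5: "SubjectKPI",
    6: "ClientTI", 7: "PeersTI", 8: "SubjectTI", 9: "Probability", 10: "Impact",
}
CORRELATIONS = {  # code: (name, left input, right input)
    11: ("Market", 1, 2), 12: ("ClientIndex", 3, 6), 13: ("PeersIndex", 4, 7),
    14: ("SubjectIndex", 5, 8), 15: ("Risk", 9, 10), 16: ("MarketRisk", 11, 15),
    17: ("ClientRisk", 12, 15), 18: ("PeersRisk", 13, 15), 19: ("SubjectRisk", 14, 15),
    20: ("EnvironmentRisk", 16, 19), 21: ("BusinessRisk", 17, 18),
    22: ("IndustryRisk", 20, 21), 23: ("DomainKPI", 3, 4), 24: ("DomainTI", 6, 7),
    25: ("PerformanceRisk", 15, 23), 26: ("OperationalRisk", 15, 24),
    27: ("IndustryAverage", 23, 24), 28: ("EconomicalRisk", 25, 26),
    29: ("IndustryReference", 27, 28),
}
NAMES = {**PREREQUISITES, **{code: entry[0] for code, entry in CORRELATIONS.items()}}


def prerequisites_of(code, graph=CORRELATIONS, _path=()):
    """Set of prerequisite codes (1-10) that indicator `code` ultimately consumes.
    Raises ValueError if the definitions in `graph` contain a cycle."""
    if code in _path:
        raise ValueError(f"cyclic definition through {NAMES.get(code, code)}")
    if code in PREREQUISITES:
        return {code}
    _, left, right = graph[code]
    path = _path + (code,)
    return prerequisites_of(left, graph, path) | prerequisites_of(right, graph, path)


def evaluation_order(code, graph=CORRELATIONS):
    """Correlations feeding `code`, each listed after both of its inputs (post-order
    depth-first walk). A correlation used twice, such as [15] Risk, is listed once."""
    order = []

    def visit(c):
        if c in PREREQUISITES or c in order:
            return
        _, left, right = graph[c]
        visit(left)
        visit(right)
        order.append(c)

    visit(code)
    return order


def answer(*codes, graph=CORRELATIONS):
    """Resolve a slide 26 answer such as "[17] + [19]" to the prerequisite names it needs."""
    needed = set().union(*(prerequisites_of(c, graph) for c in codes))
    return sorted(NAMES[c] for c in needed)


if __name__ == "__main__":
    print("Sub-question 1, [12] + [27]:", answer(12, 27))
    print("Sub-question 2, [17] + [19]:", answer(17, 19))
    print("Evaluation order for [29]:", [NAMES[c] for c in evaluation_order(29)])
```

Resolving "[12] + [27]" gives ClientKPI, ClientTI, PeersKPI and PeersTI. Resolving "[17] + [19]" gives ClientKPI, ClientTI, SubjectKPI, SubjectTI, Probability and Impact: the qualitative answer, although the question phrases it as relative to peers, reaches none of the peer or environment data sets ([1], [2], [4], [7]). [22] IndustryRisk is the only node that consumes all ten prerequisites.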

Page 27: EXTRA – DEVELOPING A MODEL

[Slide content not captured in the transcript]

Page 28: THANK YOU

[email protected]