Internet (or Cyber) Governance has a long way to go and is presently fraught with confusion, and this is a global phenomenon. Then there is the Internet of Things coming up at top speed, which means that we have to face up to the risks that come with the convenience! A solution for governance and some insight into the IoT risks were presented at the Defcon-OWASP Conference in Lucknow (India) on February 22, 2015.
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
1. The Future of Cyber Risks: Internet of Things & Cyber Governance
Lucknow (India), February 22nd, 2015
Dinesh O Bareja
db@dineshbareja.com
2. This is a Web Distribution Version
• This presentation has been optimized for distribution via the web as a PDF which means that animation panes have been
deleted and expanded. This will allow full content on animated slides to be visible and readable
• The intent is to make sure that the animations do not appear with unreadable clutter
• The images that have been used are sourced freely from the Internet using multiple search resources. Our logic is that if your
creations are searchable then they are usable for representation AND we never use any such images in ANY of our commercial
works
• All our works that are put up as ‘distribution’ versions are published under Creative Commons license and are non-commercial –
these are available for download from common document sites on the internet or from our website
• If some images are deleted (due to watermarked copyright notices or stringent usage policies) the slide will only show a
hyperlink to it. You can follow the link to see the image.
• This is done if I have received an objection or a take-down notice from the copyright owner
• I/We make every effort to include a link or name to the copyright owner of the image(s) that have been used in this presentation
and please accept our sincere apologies in case any image has not been individually acknowledged
• Copyright notices or watermarks are not removed from images or text which are not purchased, however, we may say that
practically all text is our own creation
• In spite of all the above and other declarations, if you have objections to the use (as owner of any of the IP used in this
presentation / paper) you may please send an email to us and we shall remove the same right away (please do remember to
include your communication coordinates and the URL where you spotted this infringement)
3. ‘You should presume that someday, we will be able to make machines that can reason, think and do things better than we can.’
- Sergei Brin, co-founder Google (07-2014)
4. AGENDA
GOVERNANCE .. QUICK LOOK AT ISSUES
CHALLENGES AND OPTIONS
RISKS OF THE FUTURE… AS THEY TAKE BIRTH TODAY - INTERNET OF THINGS
5. A Brief Introduction
Dinesh O Bareja
CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR
• Principal Advisor – Pyramid Cyber Security & Forensic Pvt Ltd
• COO – Open Security Alliance
• Co-Founder – Indian Honeynet Project
• Member IGRC – Bombay Stock Exchange
• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)
Enterprise & Government Policy Development; Cyber Security Strategy, Design, Architecture; Current State Security Assessment, Audit & Optimization; Governance, Risk Management
ABOUT ME
6. It is time the infosec community got up to highlight the weakness in governance and the thinking of our governments on cyber security at the national and state level,
and realize the increasing inability to control (cyber) related incidents with the looming threats of cyber war / terrorism / espionage / crime
8. …What is it (dictionary)
• government; exercise of authority; control
• Governance (noun) - the persons (or committees or departments etc.) who make up a body for the purpose of administering something;
GOVERNANCE
9. A body for the purpose of administering something;
SO Let Us Take A Look At What We Have To Govern…..
15. • Multiple organizations: LEA, Government, Defence, Large Enterprises, NGOs etc. exist and
• Everyone does their “own thing”
• All are ‘de facto’ experts
Current CYBER STATE
16. • Everyone wants to protect his/her/their thought, (ass)ets, technology
• And believes that his/her/their system is handmade by God!
• SO…. Chaos and confusion reign supreme
Current CYBER STATE
17. • Multiple organizations: LEA, Government, Defence, Large Enterprises, NGOs etc.
• Everyone does their “own thing”
• Protect my thought, (ass)ets, technology
• All are ‘de facto’ experts
• Everyone’s system is handmade by God!
• SO…. Chaos and confusion reign supreme
Current CYBER STATE
18. Way Ahead (my own thoughts)
• Cyber Security must be entrusted (at national level) to one authority and organization
• Designate the President / PMO as C-in-C as this is a frontier, a battleground
• Cybercrime, Terrorism, War, Attacks, Espionage, Reputation, Information Exchange, Development of Offensive Capabilities et al cannot be decided upon by an NCSC
19. • I had done a presentation on Governance a few years earlier and it is as relevant now as it was then…
• Normally I do not use my old slides but I find this is still an area which needs the same old stuff…
20. • As per my agenda today I had said that we would take a look at OPTIONS … options in the middle of all this confusion etc ….
• This is my own conceptual framework to bring direction and order at a national / state level
• It may not be the silver bullet, but like I say, if there is good silver in the bullet at least we have started the journey to kill the problem
21. • The concept presented may not be the silver bullet,
• but
• like I say - if there is good silver in the bullet at least we have started the journey to kill the problem
22. Conceptual governance framework
Commander in Chief: PM / President
Second Line of Command (Operational and Strategic): NSA; NCSC; Defence Chief of Staff; Head of Intelligence; MHA; CERT; LEA, Industry Rep & Bodies
Cyber Security Organizations and Organizations with Cyber Command Centers:
• State Cyber Security Centers
• Sectoral CERTs
• NTRO (cyber)
• NCIIPC
• IB, RAW, NIA, DIA
• Defense CERTs, DIA, DRDO etc
• Academia Participants
• CyberCrime Police Stations
• CCTNS, NATGRID
• Information & Data Library
• Online Battalions
• General areas n.e.s.
• Continuing Education & Training
Control and Operational Areas (national and state level):
• Capacity Building
• Capability Building
• Citizen Outreach
• Sectoral Departments
• Critical Infrastructure
• Education and Training
• International Relations
• Policy & Regulations
• Offensive and Defensive
• Knowledge Repository
• Domestic Relationships
• Risk Advisories
• Intelligence Gathering
• Research and Development
• Public Private Partnership
• Public Relations
• Security Clearance
• Think Tank
• Testing Group
• Talent Identification
• Responsible Disclosure
Field Organizations and Teams:
• CERT Incident Response
• Awareness, Education, Training
• Developers
• Embedded Cyber Patrollers
• Reporting and Measurement
• Skill Development
• Audit, Risk, Technology
25. This really does not happen in real life!
I have yet to see a hacker who is genteel, good mannered and follows such etiquette <LOL>
26. Moving on… the 2nd part of my talk
• We’ve seen how orderly or disorderly we are (big deal, we are like that only and it is not just us but the whole world)
• Let’s move on to something more exciting – our future, tomorrow, kal / kaal …
• The Internet of Things
31. (…) it takes many decades from the excitement of inception for these technologies to fully work. In the case of the automobile, the technology took 40 years to go from merely “working” to eventually becoming fully part of our lives. It took 80 years, from 1880 to 1960, for the technology to become comfortable. The final phase of a technology is for it to disappear. As John Seely Brown puts it: “Technology has not fully arrived until it disappears—until it is so much a part of us that we don’t see it.” (Brian Arthur, “Myths and Realities of the High-Tech Economy”)
40. SMART IoT - exciting new developments
• Light bulbs that change depending on your mood
• Refrigerators that talk with your smartphone
• Efficiency across industries
• Cost savings in healthcare
43. SMART IoT
IoT technologies and services generated global revenues of $4.8 trillion in 2012, to reach $8.9 trillion by 2020, growing at a compound annual rate (CAGR) of 7.9%.
44. SMART IoT
50 billion connected devices by 2020
Each person will have more than 6 devices
IoT devices will more than double (4.9 billion this year)
47. RISKS - television
The smart TV recognizes voice commands, so it is in listening mode and also listens to any conversation in the room while trying to figure out a command. Is this shared at the back end??
48. Look at the future differently
• Neither software nor email security will be enough to protect (IoT) against future attacks from cybercriminals
• Develop strategies in preparation "for the onslaught of Internet enabled devices"
• Prepare for the fast approaching army of networked devices
49. RISKS
http://fortifyprotect.com/HP_IoT_Research_Study.pdf
Any connected consumer electronic appliance may become a zombie for a botnet. Imagine the power of a DDoS using all the TV sets of one brand.
Ransomware may shoot up. What if a ransomware hits the same TV sets or consumer appliance?
Will the brand pay the ransom? Will you pay to get back your connected fridge?
50. RISKS
• Security flaw that could allow unlocking doors of up to 2.2 million Minis, BMWs, and Rolls-Royce models
• They are all equipped with BMW’s ConnectedDrive software, which uses on-board SIM cards
• Potentially, hackers could gain access to the onboard vehicle computer systems that manage everything from engines and brakes to even the air conditioning
56. License and Copyright
This document has been created by IndiaWatch, Open Security Alliance, Dinesh O Bareja
Released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/
The information and practices listed in this document are provided as is and for guidance purposes only and should not be construed to be a standard (unless mentioned otherwise). Readers are urged to make informed decisions before adopting the information given in this document.
The author(s) may not be held responsible, or liable, in any event and for any issues arising out of the use of the information and / or guidelines included in this document. Further, we do not give any warranty on accuracy, completeness, functionality, usefulness or other assurances as to the content in the document. We disclaim all responsibility for any losses, damage caused or attributed, directly or indirectly, from reliance on and the use of such information.
Readers are welcome to provide feedback to the authors using the contact information provided in this document. This document has been prepared for general public distribution so all animations have been converted to static images.
Graphics and images are usually obtained from the internet and royalty free sources and are usually acknowledged by us. Errors may be expected in this practice and this is not intentional. We respect creative rights and request owner(s) to inform us of any inadvertent omission. Any trademarks or companies may be displayed or mentioned with the purpose of establishing a point or for better understanding and we do not claim any exclusivity or relationship with their respective owners.
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged (above) where possible. Any company names, brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).