Information Security past, present and future - Nothing new under the sun? (Infosecurity.nl 2012)

Upload: jan-guldentops

Post on 08-Jun-2015


DESCRIPTION

When you read that a simple trojan can bring down the biggest part of local government, and that people still store clear-text passwords in databases that are consequently stolen by the tens of thousands, you would think there is nothing new in the world of ICT-security. Despite carloads of marketing material and a continuous stream of catchy new terminology and technology, old security attacks are still viable and get a hacker where he wants to go. In a short, to-the-point presentation we will talk about which lessons you should learn from the past and what new challenges lie ahead. This is a practical, technical talk with real-life examples.

TRANSCRIPT

1. Nihil novi sub solem? Security: Past, present and future... Jan Guldentops ([email protected]), BA N.V. (http://www.ba.be)

2. My personal story
  • Jan Guldentops (1973)
  • Historian by education, ICT consultant & researcher by vocation, security-guy by accident
  • Strong background in: Open Source / Linux (since 1993), Research (BA Testlab), Security
  • Better Access / BA N.V. (1996): small team of consultants; MacGyver, security and infrastructure projects

3. For the record: I never considered myself a security expert...

4. Belgium Online 1996
  • Exposed security problems in the first Belgian internet bank
  • Amateurism: browseable cgi-bin dir; clear-text, downloadable perl scripts; mainframe userid/password connection; (internal) documentation downloadable; debug logging to a browseable directory; ...
  • "Experts": built by Netvision (later Ubizen, now Verizon)

5. In security there is often a big difference between reality and theory, marketing and sales.

6. What did I think in 1996 would be fixed by now?

7. User Authentication
  • We still mostly use userid/passwords for authentication
  • Strong, token-based authentication?
  • Often no centralised user / role management system
  • Bad passwords / usage
  • Clear-text storage of userid / passwords
  • ...

8. E-mail
  • Has become one of the most important forms of communication... BUT
  • Nobody encrypts or signs his e-mail
  • We still use SMTP with all its problems
  • We haven't fundamentally solved the spam problem
  • Often it is a miracle e-mail works at all

9. IPv6
  • In 1996 we were already running out of IP addresses ("Imminent death of the internet, episode 3097")
  • Adoption of IPv6 is still pretty marginal
  • In Belgium one of the companies developing smart metering uses IPv4 addresses in the most recent design!

10. Encryption
  • We still don't encrypt everything! Disks, devices, communications
  • And if we use encryption we often use it in a bad, insecure way
  • Basic awareness of how encryption works is quite rare, even among IT professionals

11. Secure communications
  • We still communicate in clear text or use badly set-up encryption!
  • No use of third-party signed certificates in, for instance, web applications
  • Man-in-the-middle attacks are still easy to do
  • You can still sniff passwords!

12. Amateurism
  • Security is in a lot of projects still a side-show
  • Even for security-oriented companies
  • Biggest example is the DigiNotar case...

13. The official report:
"The successful hack implies that the current network setup and / or procedures at DigiNotar are not sufficiently secure to prevent this kind of attack. The most critical servers contain malicious software that can normally be detected by anti-virus software. The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN. The network has been severely breached. All CA servers were members of one Windows domain, which made it possible to access them all using one obtained user/password combination. The password was not very strong and could easily be brute-forced. The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers. An intrusion prevention system is operational. It is not clear at the moment why it didn't block some of the outside web server attacks. No secure central network logging is in place."

14. Good system administration
  • Integrity checks, for instance host-based IDS
  • Centralized tamper-proof logging
  • Decent password policies
  • Automated, regular security updates
  • Etc.

15. Business Continuity
  • Correct risk assessment is still a problem (RTO, RPO)
  • Testing and common sense are often forgotten
  • We still see major data loss problems on a regular basis
  • RT @JeremiadLee: There's an assumption that when you host in the cloud, the datacenter is well above sea level.

16. Security awareness is incredibly low

17. Operating systems
  • Are still not secure
  • Not only a problem of the OS anymore but of all the components in it (Java, Flash, browsers, etc.)
  • Also an end-user problem: e.g. SELinux, everybody turns it off

18. What has been fixed?

19. Cyber police
  • In 1996 there hardly existed anything like a computer crime unit or a "Digitale recherche"
  • Now there is an infrastructure and professionals for this
  • But often money is wasted by politicians: "Digitale meldpunten", etc.

20. Law itself
  • In 1996 there was no law allowing us to prosecute cybercriminals
  • A whole framework has been put in place
  • But the balance between privacy / civil rights and the war on cybercrime is always delicate, especially when it concerns copyright

21. Best practices
  • There now is a complete framework of best practices, advisories, trainings, certifications, etc.

22. Other changes

23. M(o)ore
  • Moore's law is still working: exponential growth of the available bandwidth and computing power
  • Globalisation doesn't make it easier
  • Encryption can be broken more quickly
  • Denial-of-service attacks get more lethal

24. Cloud / Cloud washing
  • One million different definitions: private / public / hybrid; SaaS, PaaS, IaaS, ...
  • A lot is marketing blabla and cloud washing
  • But it doesn't change the basic security paradigm: CIA
  • Cloud doesn't change the rules!

25. ICT has lost control
  • IT / security managers were always the no-men
  • In the past they were the alpha and omega of what happens in an enterprise / organisation
  • This is being challenged by: consumerism, BYOD

26. Mobilisation
  • The perimeter has completely disappeared
  • Enormous consequences we are still getting to grips with: network, authentication, devices, data leakage, ...

27. Cyber criminals have organized
  • In 1996 organized crime was not really big in cyberspace; hackers were mostly cyberpunks
  • Now organized crime is going for the big money: scamming, trade and industrial secrets, hacking, blackmail...

28. Privacy Impact
  • We did the Dave project for Febelfin; the idea is to create awareness to be careful what you post on the internet: http://www.youtube.com/watch?v=F7pYHN9iC9I
  • 3 factors: what we give away ourselves on social media, blogs, etc.; open, often governmental data; what large players (Google, Facebook) do with this data
  • One rule: everything you post on the net is public!

29. The future?
  • There is only one security killer product: common sense; everything else is marketing! Be critical!
  • Standards and frameworks should not be paper tigers but practical tools
  • Create awareness on every level, from the end user, over the IT staff, to the highest management level
  • If you go cloud, get legal and real guarantees

30. Questions? Jan Guldentops, [email protected], JanGuldentops
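Slide 14 lists integrity checks and tamper-proof records as sysadmin basics without showing what they look like in practice. The following is an added example, not code from the talk: a minimal host-based integrity baseline whose manifest is protected by an HMAC, so that someone who alters files and then rewrites the baseline is caught as well. The key name and value are constructed placeholders; in a real deployment the key and the signed baseline would be kept off the monitored host.

```python
"""Minimal host-based integrity check with a keyed (HMAC) baseline.

Added example, not code from the presentation. BASELINE_KEY is a
constructed placeholder; in practice it lives off-host (for example with
the central log server) so a compromised machine cannot re-sign a
manifest it has tampered with.
"""
import hashlib
import hmac
import json
import os

BASELINE_KEY = b"placeholder-key-kept-off-host"  # constructed placeholder


def _sha256(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, key=BASELINE_KEY):
    """Hash every file under root and sign the manifest with HMAC-SHA256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, root)] = _sha256(path)
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"manifest": body, "hmac": tag}


def verify(root, baseline, key=BASELINE_KEY):
    """Compare the current tree against the baseline.

    Returns {'modified': [...], 'added': [...], 'deleted': [...]}.
    Raises ValueError if the baseline itself fails its HMAC, i.e. the
    record was edited rather than the files it describes.
    """
    expected = hmac.new(key, baseline["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        raise ValueError("baseline manifest failed HMAC check")
    old = json.loads(baseline["manifest"])
    new = json.loads(build_baseline(root, key)["manifest"])
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "deleted": sorted(p for p in old if p not in new),
    }
```

Run `build_baseline` once on a clean system and store the result off-host; `verify` on a schedule then reports changed, new and missing files, and refuses a baseline whose manifest no longer matches its tag.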