Defence – Beating the Odds with Knowledge

René Pfeiffer/ October 13, 2015/ Conference, Discussion, Mission Statement, Training

When did you write your last business letter? You probably don’t recall, because you write them all the time. When did you last use ink and paper to do this? If you can’t remember the answer to this question, don’t bother trying. Digital communication is part of our daily life, not only in the business world. We are very accustomed to communicating in the here and now, up to the point where being offline feels unnatural. In turn this means that we are constantly exposed to networks of all kinds, especially the Internet. Our door is open around the clock. We can’t close it any more, thus openly inviting every kind of threat that also uses networks. It’s time to seriously think about this. What does it mean? What do we need to do to defend ourselves?

Cyber Crime and Data Punishment

Everything is cyber these days. Criminals turned cyber, security did so as well. The military clads its strategy and tactics in fancy cyber words. Politics has discovered the word cyber, as have journalists and advertisers. Using this word is dangerous, because it hides how the digital world really works, and it gives everything a slightly mystical touch. When it comes to defending your data, the last thing you want is a hood over your head. You need to clearly see what is going on, who is up against you, and what attack tools are in play. You need knowledge and hard facts. Distractions and misunderstandings are your enemy, so are meaningless buzzwords.

Hive Mind Technology

The realm of information security covers a lot of terrain. Decades ago it was just systems with locally stored data and a juvenile Internet expanding its nodes. Even though you had security incidents in the past, the impact was not widely spread across the globe. This is different now. The growth has a side effect. Once upon a time the security problems of the day could mostly be solved by engineers themselves. Now you need a mixed team of legal experts, developers, engineers, security researchers, mathematicians (when it comes to algorithms), psychologists, executive managers, manufacturers, and government officials. And this is just the tip of the iceberg.

When security experts demonstrated design flaws of Chrysler Jeeps in July 2015, the automobile manufacturer had to recall 1.4 million cars. The implications are huge. Does a vehicle still have its permit? How do you get 1.4 million car owners to fix the problem in time? Who decides on a fine, and who has to pay the price? Can the insurance companies demand higher contributions for networked vehicles? High profile issues like this raise a lot of questions.

Even if you don’t own a car, you probably have household appliances. This is even worse, because the Internet of Things is around the corner. It has already arrived. There are networked toasters, coffee machines, electric kettles, bathroom scales, light/LED bulbs, washing machines, TV sets, cameras, space heaters, switches, plugs, thermostats, microwave ovens, shoes (!), toothbrushes, watches, drones (well, of course), barbecue grills (complete with their own research department), beds, golf clubs, and many more devices available right away. The number is growing by the second. Will these devices contain flaws that affect your security in any way? Most definitely.

Back to Business

What does this all mean for businesses? How do you secure the data of your organisation and your customers? Well, unfortunately there are no solutions which will address all of the risks you are facing. We are not dealing with the common cold where rest and tea will help you get better. Businesses use a vast number of devices and software, all interconnected by software. Even security researchers cannot keep up with the pace of the market. Smartphones are a prime example. New models, apps, and operating systems appear faster than you can test for security vulnerabilities and design flaws. In turn you will have a hard time regulating smartphone behaviour. It gets worse. Thousands of European companies rely on the ubiquitous cloud services. The word cloud hides a lot, just like cyber does. For example, a lot of cloud services are based in the USA and do not follow the European data protection laws. The EU commission tried to solve this dilemma by creating the “Safe Harbor” agreement, where US companies voluntarily declare that they follow European data protection principles. The NSA scandal broke the trust, and the European Court of Justice revoked this agreement in October.

All of this illustrates that you need to know a lot about what is going on behind the scenes. You must not rely on anecdotes or cute stories. You need the facts to decide what technology to use, what to avoid, and what to improve. Above all you have to constantly question yourself and the solutions you use. Admitting failures and analysing the circumstances that led to an incident is something the business world desperately needs. This, and learning from a mixed audience of experts from different fields of activity. Face it, not even a superhero could hope to save your digital world all by him- or herself. Don’t repeat this mistake. The road to data leaks is paved with overconfidence.

Open Your World

The annual DeepSec In-Depth Security Conference tries to address every aspect of information security. This means assembling experts from academia, government, industry, users, developers, and the underground hacking community. Information security is a challenge which can only be addressed by a combined effort. And it’s not all about theory. A lot of presentations discuss approaches without diving deep into the details. Therefore the next conference offers hands-on trainings covering all you need to know: You want solutions that actually work in actual environments, and you want practical experience with attack/defence tools in order to gauge what you need to defend against.

The workshops last two days, so that you have a chance to gain in-depth knowledge. The range of topics is tailored for everyone trying to defend against modern threats.

  • Cryptographic Attacks – You will learn all about attacks against cryptography used in your software applications. A lot has changed in the past two years, and even though you don’t need to catch up on the mathematics, you most certainly don’t want to endanger your customers by using outdated encryption.
  • Hacking Web Applications – Since everyone has a presence in the World Wide Web, this is your front door. This door should be as safe as possible, because everyone will see it. Sadly, developers do not always think outside the box and rely on assumptions attackers will not agree with. Don’t trust the browser and learn what to expect from random Internet clients.
  • Exploiting devices being used in the Internet of Things – A certain class of hardware processors is widely used for controlling and measuring. This training explains how the processor works and how attackers will try to make it run their code instead of yours.
  • Testing the security of the next-generation Internet protocols (IPv6) – Even if you have no idea what the next-generation Internet looks like, you are already using it. Every modern operating system supports these new protocols and has them enabled by default. Just because something works without being noticed, it doesn’t mean it should be ignored. Remember, you have to know what’s going on. This training will show you what to look out for when connecting to the Internet.
  • Windows PowerShell for penetration testers – Testing your own defences is a good idea. Do it before your adversaries do it for you. The method is called penetration testing. This workshop deals with the Microsoft Windows platform and its tools, and how they can be used to your advantage.
  • Social Engineering and Security Awareness – The most dangerous device in your business is the telephone. A simple phone call can cancel out the most expensive security solutions. The human factor is a strong one, and once your employees are persuaded to open the draw-bridge disaster strikes. You need to know how human interaction works and what the signs of abuse are. A trained psychologist will show you what to expect and how to defend yourself.
  • Developing and Using Threat Intelligence – Do you know who your enemies are and what they want? If not, then it’s time to find out. The technique is called threat intelligence. This workshop will teach you how you can set up a proper threat assessment based on the data you have at your disposal.
  • Secure Web Development – Developers have a bad reputation when it comes to information security. The reasons are manifold, but it is definitely not ignorance. You just have to adapt to certain coding styles and use the right tools to test your code. Once you do that, your software improves a lot. This training will give everyone dealing with code an advantage.
  • Practical Incident Handling – As said before, sooner or later something will happen. What do you do then? Have you ever imagined what a day at the office looks like when the main server(s) have been compromised? Every organisation is subject to fire regulations. You might even have to do a fire drill once a year. You should do the same on the digital side. Have a simulated incident and think about what needs to be done to recover. This is important especially if real damage is involved and you need to contact the authorities. They might want some answers before they can help you.

The selection covers a wide variety of topics. It gives you an idea where to start when it comes to defence. It really doesn’t matter if you are ready to dive deep into the technology involved or if you stay above to see the big picture. You need to know how your organisation’s IT environment works, what its shortcomings are, and where its strengths lie. Practice in the lab will save you unpleasant surprises during your busiest days at the office.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.
