Here are some notes on the first day of PST2012. These notes are personal and biased in the sense that they reflect what topics did ping me. As such, they are not exhaustively representing the content of the various presentations.
Today’s challenges of cybercrime (E. FREYSSINET)
Eric is the head of the cyber crime department of French gendarmerie. As such, he has a deep knowledge of today’s cybercrime as he is fighting it.
He first presented the big trends and issues:
- Data to analyze is exploding
- Organized crime; interestingly, organized crime entered the game only lately. The target that attracted organized crime was car theft that required electronic specialist due to increased electronic defense; then, organized crime jumped to electronic money.
- Cryptography becomes more generalized. It has impact. for instance, house search has to occur at a time of the day when the computer is already switched on.
Then he described more some cases. A few excerpt:
- Crime against children; This is one of the most important threat handled by his team (25% of the cases). Several hundreds cases per year in France. The best defense is the education of children
Attacks on IT system; Botnets become the core element of many IT attacks. Often individuals do the tools, and are hired by organization that install such infrastructure. Interestingly, many SMEs are attacking each others!
There is a real business approach behind such crime. Carders are offering professional sites with customer supports. Malware is sold with a licensing approach, CMS,…
Then he presented a typical attack: the police ransomware. A malware blocks the computer, sometimes encrypts data and display a message supposed to be issued by police claiming that you violated the law and have to pay a fine. 10% of the infected people pay the alleged fine.
Can we protect against the unknown? (D. BIZEUL, Cassidian, Head of Security Assurance)
The focus of the presentation is on APT (Advanced Persistent Threat)
The six steps of APT:
- Information gathering
- Vulnerability identification
- Spear phishing/RAT installation
- Pass the hash protection/ propagation (for escalation)
- Malware and pack of tools
Detection of steps 3 to 6 should use reputation evaluation, Statistics and of course log. Thus, it is recommended to have savvy IT team, cyber intelligence, IDS/IPS and SIEM & SOC. Cyber intelligence is key.
CERT, CSIRT (O. CALEFF, Devoteam)
Presentation of what a CERT/CSIRT is , and how it works.
Cyber defense tools: the sourcefire example (Y. LE BORGNE)
He explains how an Intrusion Prevention System (IPS) works:
- Stage 1: decoder of packets
- Stage 2: pre-processor to normalize data
- Stage 3: Rules engine
Why are there still intrusions?
- The client side is more prevalent and it is the best place to attack.
- File complexity is a good vector for malware
- IDS exploitation is too complex
- IPS needs skill for exploitation
Evolution of Snort
New pre-processors (gtp, modbus…), http compression.
The message is that human is the key element. Thus, they claim to simplify the task by focusing the reporting.
APT is more a buzz word. It is not new. The most important aspect is the Persistent Threat aspect.
Keynote: The authorization leap from rights to attributes: Maturation or Chaos? (R. Sandhu)
Ravi is the father of Role Based Access Control (RBAC). Will RBAC be replaced by Attribute Based Access Control? In any case, we’re going towards flexible policy. According to him, the main issue with Access Control is and will always be the analog hole. The main defect of RBAC is that it does not offer an extension framework. Thus, it is difficult to cope with short comings; ABAC has the advantage to offer inherent extensibility by adding for instance attributes.
Security policy requires Policy Enforcement, Policy Specifications and Policy Administration.
He believes in Security as a Service because there will be an incentive to properly secure stuff else you change the service provider.
Arxan (M. NOCTOR)
Nothing new. If you don’t know Arxan, and if you need software tamper resistance, visit their site.
CODENOMICON (R. Kuipers)
How to strip off a TV set? He highlights the risk of connected TVs that are not secure at all, although they may handle confidential data such as credit card number.
Secure IC (P. NGUYEN)
Silicon Security; Usual presentation on side channel attacks. The new attacks are Correlation Power Analysis and Mutual Information Analysis (new since 2010) The new trend is to use Information Theory realted metrics. They have a dual rail family with formally proved security (to be presented at CHES2012)