Information Security in the Gaming World
Dimitrios Stergiou
About Dimitrios
• Has a keen interest in Information Security (10 years and counting)
• Currently holds: CISSP, CISA, CISM, BS 7799 LA, CCSP
• Newbie Python coder
• Amateur social engineer
• Loves vendor t-shirts
• Avid World of Warcraft gamer
So, what do we talk about
• History lesson
• Threats
• Compliance
• Information Security
• And no, I am not selling anything, don't panic
What we don't talk about
• ROI (ROSI)
  - Actually we do
• APT
• Cyber-
• Hacker
  - Attacker
• SSL / PKI
A bit of history
• Early Internet era
  - Exploit vulnerabilities
  - Take pride
• 10 years later
  - Attack the server
  - Steal or destroy data
• Last 5 years
  - Attack the application
  - Steal / hold data
  - Financial gain
… and more recently
What causes the issues then?
1. Malware
2. Malicious insiders
3. Known vulnerabilities
4. Careless employees
5. Mobile devices
6. Social networking
7. Social engineering
8. Zero-day exploits
9. Cloud computing
Oh well, what now
Meet Information Security Compliance Standards
Information Security Compliance
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 27000 series
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• Federal Information Security Management Act (FISMA)
• Bundesamt für Sicherheit in der Informationstechnik (BSI)
• SAS 70 Type 2
• National / other standards
A typical example
How it's all done
Policy → Procedure → Guideline → Audit records
… that now I take you through the compliance process
Information Security in the Gaming World
(Doing only) Compliance fails
Why?
• "Word" engineering
• Checklist approach
• Baseline becomes "the ceiling"
• Snapshot in time
• Non-continuous process
The audit has finished…
• Management thinks that compliance equals security
• Does enough to "pass" the audit
• Do not talk security until next audit
• Business as usual
Meanwhile, developers…
And Security people…
Process / Procedure / Guideline / Standard
Instruction / Audit / Vulnerability / Risk
Threat / Exploit / Attack Vector / <buzz>
And attackers are efficient!
In touch with reality
As a result
The "sad" day comes when management realizes that
Or even worse:
Bottom line
s/YOU/Compliance/g
But Compliance can be the answer if
• It comes as a by-product of a security management program
• It is used in a bottom-up approach
• It can "secure" budget for security
• It does not become a panacea
Security Management
• Reputation
• Regulation
• Revenue
• Resilience
• Recession
Do we REALLY need security?
But are you 100% sure we need it?
Könsneutral / Jämställdhet (Swedish: gender-neutral / gender equality)
Security management mini-HOWTO
(Flow diagram of the Plan phase of the Plan-Do-Check-Act cycle, reconstructed as a list; the Do, Check and Act phases follow it.)

Determination of scope of information security:
  1. Creation of executive policy
  2. Development of a systematic risk assessment method (output: risk assessment procedures)
Risk management / risk assessment / risk analysis:
  3. Identification of information assets (output: list of assets, i.e. the inventory of assets)
  4. Estimation of threats and vulnerabilities (output: risk analysis table)
  5. Risk evaluation (output: risk assessment report)
  6. Risk treatment
  7. Risk acceptance
Then: Do → Check → Act, and back to Plan.
The "checklist" approach
1. Device inventory
2. Software inventory
3. Secure system device configuration
4. Secure network device configuration
5. Boundary defense
6. Monitoring and analysis of audit logs
7. Application software security
8. Control administrative privileges
9. "Need-to-know" access
10. Vulnerability assessment
11. Account monitoring
12. Malware defenses
13. Control network ports
14. Wireless control
15. Data Loss Prevention
16. Secure Network Design
17. Penetration test
18. Incident response
19. Data recovery
20. Training
The IT Security field is always in need of new clichés!
• Nothing will ever be 100% secure
• Know thy risk
• Security is the means, not the end
• Security yes, obscurity no
• Talk to them, not at them
What is that ROI again?
Why we don't talk about ROI
"ROI" as used in a security context is inaccurate.

Security is not an investment that provides a return, like a new factory or a financial instrument.

It's an expense that, hopefully, pays for itself in cost savings.

Security is about loss prevention, not about earnings.

Bruce Schneier
Net Present Value (NPV)
NPV = C0 + B1 / (1 + k)^1 + B2 / (1 + k)^2 + … + Bt / (1 + k)^t

C0 = Initial investment (entered as a negative cash flow)
Bt = Net benefit for year t (B1 = benefit for year 1)
t = Time period (year)
k = discount rate (average cost of capital)

• NPV > 0   Go ahead
• NPV < 0   Project cancelled
• NPV = 0   Can do, can ignore, no difference
Net Present Value (Example)
Net Present Value (discount rate = 15%)
                          C0          T1          T2
Initial investment       -200,000
Annual benefits                       400,000     400,000
Annual operating costs               -100,000    -100,000
Net cash flow            -200,000     300,000     300,000

NPV = -200,000 + 300,000 / (1.15)^1 + 300,000 / (1.15)^2
    = -200,000 + 260,870 + 226,843
    = 287,713
Internal Rate of Return (IRR)
The IRR is the discount rate at which the NPV of the project is zero:
0 = C0 + B1 / (1 + IRR)^1 + B2 / (1 + IRR)^2 + … + Bt / (1 + IRR)^t

C0 = Initial investment (negative cash flow)
Bt = Net benefit for year t (B1 = benefit for year 1)
t = Time period (year)
k = cost of capital (the hurdle rate the IRR is compared against)

• IRR > k   Go ahead
• IRR < k   Project cancelled
• IRR = k   Can do, can ignore, no difference
Internal Rate of Return (Example)
Internal rate of return (k = 15%)
                          C0          T1          T2
Initial investment       -200,000
Annual benefits                       400,000     400,000
Annual operating costs               -100,000    -100,000
Net cash flow            -200,000     300,000     300,000

0 = -200,000 + 300,000 / (1 + IRR)^1 + 300,000 / (1 + IRR)^2
IRR = 118.61 % (well above k = 15 %, so: go ahead)
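The NPV and IRR slides above can be reproduced in a few lines. What follows is an added example written for this page, not code from the presentation. The cash-flow figures (200,000 investment, 400,000 annual benefit, 100,000 annual operating cost, k = 15%) are the slides' own; the function names `npv`, `irr` and `appraise`, the bisection search for the IRR and the search interval are this example's choices. It reads "benefit" as the avoided loss the Schneier quote describes, which is the only way a security control shows a positive cash flow.

```python
"""Worked NPV / IRR example using the slides' cash-flow table.

Added example, not the presenter's code. Cash-flow figures are from the
slides; the solver (bisection) and the function names are this example's
own choices.
"""
from typing import Sequence


def npv(rate: float, cashflows: Sequence[float]) -> float:
    """Net present value of a cash-flow series.

    cashflows[0] is the year-0 flow (the initial investment C0, negative);
    cashflows[t] is the net benefit of year t, discounted by (1 + rate) ** t.
    """
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> float:
    """Internal rate of return: the discount rate at which npv() is zero.

    Solved by bisection on [lo, hi]. For the usual pattern (one outflow
    followed by inflows) NPV falls monotonically with the rate, so the
    root is unique and lies where NPV changes sign. A series that never
    changes sign (e.g. only inflows) has no IRR and raises ValueError.
    """
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on [lo, hi]; no IRR found")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cashflows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def appraise(investment: float, annual_benefits: Sequence[float],
             annual_costs: Sequence[float], k: float) -> dict:
    """Build the slides' table (benefit - operating cost = net cash flow
    per year) and apply their decision rules: NPV > 0 and IRR > k mean
    go ahead, NPV < 0 means cancel, NPV = 0 means it makes no difference.
    For a security control, 'benefit' is the loss the control avoids."""
    if len(annual_benefits) != len(annual_costs):
        raise ValueError("one operating-cost figure per benefit year is required")
    net_flows = [-investment] + [b - c for b, c in zip(annual_benefits, annual_costs)]
    value = npv(k, net_flows)
    rate = irr(net_flows)
    if value > 0:
        decision = "go ahead"
    elif value < 0:
        decision = "cancel"
    else:
        decision = "indifferent"
    return {"net_cash_flows": net_flows, "npv": value, "irr": rate,
            "irr_beats_k": rate > k, "decision": decision}


if __name__ == "__main__":
    # Figures from the slides: 200,000 investment, 400,000 benefit and
    # 100,000 operating cost in each of two years, k = 15 %.
    result = appraise(200_000, [400_000, 400_000], [100_000, 100_000], 0.15)
    print(f"net cash flows: {result['net_cash_flows']}")
    print(f"NPV at 15 %: {result['npv']:,.0f}")   # 287,713
    print(f"IRR: {result['irr'] * 100:.2f} %")    # 118.61 %
    print(f"decision: {result['decision']}")
```

Bisection is used rather than a closed form because the two-year case happens to reduce to a quadratic, but a control with three or more years of avoided loss does not; the same solver handles any length of series as long as there is one sign change.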
Unfortunately
"Everything that can be counted does not necessarily count; everything that counts cannot necessarily be counted."

"Albert Einstein"
you need 1337 skillz to be hax0r?
• Beware of "script kiddies"
• Fame seekers
• Insider pwnage
• Revenge!!!
• Demo (3 slides to go)
Good keywords to Google
• metasploit
• set (the Social-Engineer Toolkit)
• w3af
• nmap
• nessus
• beef (the Browser Exploitation Framework)
• sqlmap
Are you talking to me?
• Blog: blog.nihilnovo.eu
• Twitter: twitter.com/dstergiou
• Email: dstergiou@gmail.com
Demo
• Client-side attack with IE
• Browser exploitation
