Is your flying CyberSafe?
Cyber Risks Of Modern Aviation
10th Oct, Dubai, UAE
Jorge Sebastiao, CISSP
ICT Security Expert
Cloud Practice Leader
http://linkedin.com/in/sebastiao/
Twitter: @4jorge
Disclaimer & Copyright
• Please note that this presentation is for informational, knowledge sharing and educational purposes only. Any comments or statements made herein do not necessarily reflect the views of Huawei. The information is intended for the recipient's use only and should not be cited, reproduced or distributed to any third party without the prior consent of the authors. Although great care is taken to ensure accuracy of information neither the author, nor Huawei can be held responsible for any decision made on the basis of the information cited.
• The content of this presentation is based on information gathered in good faith from both primary and secondary sources and is believed to be correct at the time of publication. The author can however provide no guarantee regarding the accuracy of this content and therefore accepts no liability whatsoever for any actions taken that subsequently prove incorrect.
• The practices listed in the document are provided as is and as guidance and the author and Huawei do not claim that these comprise the only practices to be followed. The readers are urged to make informed decisions in their usage.
• The information presented in this presentation is not intended to be, and should not be construed as, an offer to sell any products or services or a solicitation of an offer to buy any products or services. Any such offer or sale will be made pursuant to, and the information presented at this meeting is qualified in its entirety by, authorized offering documents and related disclosure schedules or similar disclosure documentation.
• All logos and brand names belong to their respective owners and we do not claim any relationship or association, implied or otherwise, with them.
• Use of any materials by virtue of relationships and associations, if any, are mentioned explicitly.
• Author has taken care to attribute all sources for external materials used in this presentation, and any oversight is regretted. If you, as owner, or as viewer, find any reason to dispute the use of these materials kindly communicate the same to author.
• Any omissions, in terms of attribution, may be due to an error of author and not intentional.
Sampling of Cyber Risk
Users & Social Media
Radios
GPS
Drones
PRN Legacy Systems
SDR Radios
SDR Intercept - Disrupt
Radios
Taking control Drone GPS
Taking control ADS-B
Drones Risks
Instagram Boarding Passes
PNR
Hack Airplanes through Entertainment system
0 Day Exploits - Guaranteed
Cyberspace Characteristics
Asymmetric
Attribution Problems
No Borders
Complex Interconnected Systems
Our security enemy is?
Security Nightmare
Outdated Assumptions?
Effective Countermeasures
Wrong Skills?
Risk Reduction Strategies!
[Figure: risk matrix. Axes: CONSEQUENCE and LIKELIHOOD, each Low to High. Labels: FV, T, Risk Group 1, Risk Group 2, Risk Group 3, RESPONSE, PROTECTION, Target Risk.]
Infosec Knowledge Base
Response
Build Airport Cyber Security Intelligence
Multiple Sources Intel
Partners, Vendors, CERT, Internal Security Research
Internet, Mailing lists and other sources
Incident Response
Road to Security Metrics
Security Metrics
KPIs, Testing Results
CSA Controls, Compliance, Operational, Financial
CoBIT
SOX
ISMS
ISO27001
PCI
HIPAA
Time Based Security
ISMS
ISO22301
ISMS
ISO20000
Final Goal Is Total Integrated Security
Information Security Management
IoT, Device Security Management
Winning the War
Red Teaming | Solve Attribution
Continuous Vulnerability Mgmt | Crowd Sourcing/Bug Bounty
Fusing | Crisis Management
Vertical CERT Integration | Encryption
Exchange Knowledge | Data Leak Prevention
Threat Management | Reputation Management
Big Data | Honeynets
Machine Learning | Sandbox
Security Metrics | Empower end users
Continuous Training | Attack / Take down
Don't bring a knife to a gun fight

AVSEC are you flying cybersafe?