Cyber security is an arms race between offensive and defensive capabilities, and unfortunately, we are losing this battle. As users, we want better technology doing cooler things enabling us to do more. But the more we have, the more we rely on it, and the more complex these systems become.
Complexity is the enemy of security. In fact, complexity is a nemesis of security, which is one of the main reasons why we’re losing this arms race.
I’m going to get you up to speed on security bugs and vulnerabilities and how they affect your security. A security bug and a vulnerability are actually the same thing. So they’re synonyms for each other. So if I say security bug or vulnerability, it’s the same thing. And it’s an error. It’s an error written into software that creates a potential for a threat agent, such as a hacker, to exploit it. So an example might be the recent Heartbleed bug, which you may have heard about because it was on mainstream news. This is a bug in something called OpenSSL which enables the decryption of internet traffic sent to vulnerable sites. So for example, maybe you have an online bank. If it was susceptible to the Heartbleed bug, then when you were sending your username and password, somebody may, if the bug was in that bank, be able to decrypt and get access to your username and password.
Security bugs will always exist as long as humans write software. That might not be forever, but humans are fallible, so as long as humans write software, there’s going to be security bugs. And it’s no surprise really if you consider something like the Windows operating system. It’s made up of millions and millions of lines of code. Humans are fallible, we will make mistakes, there will be security bugs.
On the left here, you can see a diagram that represents your computer, and on the right, we have a diagram that represents the internet. On each side we have things that you care about. Security bugs can exist in your operating system, firmware, applications, things like Outlook, your media player, Adobe Acrobat. Of particular risk, they can exist in your browser and the extensions and add-ons within the browser. So for example, there can be a security bug in your Internet Explorer. You visit a website which has special code on it. You won’t see that this code is on there, and this will install malware on your machine and take it over through that vulnerability.
And maybe the consequences are that they choose to encrypt all your files and hold them to ransom until you pay the money to decrypt them, and that’s known as Ransomware. Because you have things you care about online, we have to consider the security bugs that exist on internet sites and on the internet infrastructure. So maybe you use Dropbox and there is a bug that is discovered by Dr. Evil on Dropbox, which gives him access to your files. And because Dropbox stores encryption keys, encryption isn’t going to save you; he will then have access to your files.
There are two main types of bugs that it’s really best to draw a distinction between, and those are the Known and Unknown bugs. So if we start with the Known bugs, known bugs or vulnerabilities have patches, and if you patch your system, you are safe against that bug. And we’ll cover the best and easiest way to do patching of all the things that need patching as we go through. And then you have the Unknown bugs, which can also be referred to as zero-days. These are much harder to protect against as there is no patch. So we’ll cover later techniques to protect against these, and these are referred to in the security industry as a compensating control.
I’m going to bring up a spreadsheet to give you a little bit more of an insight into the world of the cyber criminal. Your budding entrepreneur hacker doesn’t even need to be particularly skilled these days. He can go purchase an already made exploit kit. If you look at this spreadsheet, here along the top, these are the various popular exploit kits that are available at the moment to purchase. And down here are the various vulnerabilities and what they affect. And, as a budding hacking entrepreneur, we can look through here and see which particular vulnerability we might want to use. Okay, we might want to exploit Internet Explorer, so there you go, we can use this one. And here we can see that this one allows the remote attacker to execute arbitrary code by a crafted website that triggers access to a deleted object. That really means that if you click on a link or go anywhere with an Internet Explorer browser that is susceptible to this vulnerability, they can take over your machine. And if we’re not feeling like potentially buying an exploit kit, you can look online for the exploit. And we can see here this is the code to run the exploit.
So I hope that gives you a better idea about what security bugs and vulnerabilities are. And later on, we’re going to be going through the ways to mitigate against the Known vulnerabilities and the Unknown vulnerabilities.