4-Info Security Essentials v3.3 (LUMS)


Information Security Essentials
AQEEL AHMAD
CTO, E2E GROUP
https://e2egoc.com

V 3.3

What comes to mind?

I am the Victim

• Hackers
• Cyber terrorists
• Organized Attacks
• Viruses
• Trojan Horses
• Ransomware
• Yahoodi Sazish

Reality is slightly different

I am the Weak Link

• Human Negligence
• Lax Email Habits
• Poor Backup Practices
• Misdelivery
• Weak Passwords
• Reused Passwords
• Sharing Passwords unsafely
• Installing untrusted applications
• Poor security on mobile devices

Cyber Attacks

• Phishing: 38%
• Network Intrusion: 32%
• Inadvertent disclosure: 12%
• Stolen/lost device: 8%
• System misconfiguration: 5%
• Others: 5%

source: ic3.gov

SECURITY LANDSCAPE

[Diagram: map of the security landscape. Labels shown: Systematic Attacks, Phishing, Malware, Web jacking, Spoofing, Denial of Service, Spamming, Software Security, Vulnerability, Authentication, IDS/WAF etc., Individual Security, Passwords, Strength, Frequency, Sharing Passwords, Two Factor Authentication, Site trust, Wi-Fi Trust, Vaults, Privacy, GDPR etc., Network Security, Firewalls etc., Device Security, Webcams, IoT etc.]

False Sense of Safety

• Over Confidence
• Ignorance

Personal data is a tradable commodity

[Diagram labels: Dark web, Breach monetization, Malware, Marketplaces, Forums, Repositories. Items shown: Account Passwords ($1 per account), Social Security Numbers, Credit cards, Email Addresses, Documents, Coworker Data, Hire a Hitman, Cyber Spying, Custom Malware, Ransomware]

Have I Been Pwned?

• Before the victim knows - $$$$
• Partially public - $$
• Fully Public - $

https://haveibeenpwned.com

Most Terrifying Vulnerabilities in Recent Times

• Stagefright (2015): Remote code execution through a buffer overflow. Android devices receiving a video message on the lock screen. MPEG preload memory allocation flaw, triggered when a REALLY large number is allocated.
• WannaCry Ransomware/EternalBlue (2017): Also RCE through a buffer overflow. Windows. Huge impact (200k victims across 150 countries).
• Shellshock (2013): Linux Bash shell vulnerability. Send and execute any code through a script parameter.
• DNS Cache Poisoning: All traffic is routed to malicious sites.
• Rowhammer (2014): A program breaching the boundaries of its own allocated memory. It can reach out to OS records and potentially grant itself full access to all memory. The program could be as small as a simple JavaScript on a web page.

What to do as Software Engineers

• User/Password is NOT enough
• Use SSO with MFA
• Resist creating public endpoints
• Create an access tunnel if you can, e.g. a VPN
• Migrating to security is often unacceptable for end users
• Design these constraints from day 1, even in your prototypes
• Don’t underestimate Encryption
• Don’t overestimate Hashing (dehash.me)
• Include Security Components in Project Estimation
• Learn to Pentest yourself
• Design log monitoring for threat detection and alerting
• Security Awareness Training
• Human is the weakest link
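
Why the hashing bullet above warns against leaning on a bare hash, as an added example that is not from the original slides: unsalted fast hashes of common passwords fall to a one-time precomputed lookup, while a per-user salt and a slow KDF remove that shortcut. The wordlist, user names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist standing in for a leaked-password corpus.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]
ITERATIONS = 600_000  # assumption: PBKDF2 work factor, tune for your hardware


def fast_hash(password):
    """Weak storage: unsalted, fast SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def audit_unsalted(user_table, wordlist=COMMON_PASSWORDS):
    """Return {user: password} for every stored hash found in a precomputed table.

    The table is built once and works against any database hashed this way,
    so run it on your own user table to find accounts that need a reset."""
    lookup = {fast_hash(w): w for w in wordlist}
    return {u: lookup[h] for u, h in user_table.items() if h in lookup}


def slow_hash(password, salt=None):
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_hash(password, salt)[1], expected)


def demo():
    # Constructed users: alice and bob share a common password, carol does not.
    weak_db = {"alice": fast_hash("123456"), "bob": fast_hash("123456"),
               "carol": fast_hash("x7!Lq2#vRt9w")}
    recovered = audit_unsalted(weak_db)
    # With salts, identical passwords no longer produce identical records.
    a_salt, a_digest = slow_hash("123456")
    b_salt, b_digest = slow_hash("123456")
    return recovered, a_digest != b_digest, verify("123456", a_salt, a_digest)


if __name__ == "__main__":
    print(demo())
```

A salt and a slow KDF only raise the cost of each guess; they do not make a password like 123456 strong, which is why the list also asks for SSO with MFA.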

Choosing a Cloud Architecture

Type of Cloud Service    Security Ownership and Complexity
IaaS                     Full
PaaS                     Partial
SaaS                     Minimal

A Real Life Example

What to do as an Internet Citizen

• Periodically check yourself on haveibeenpwned.com
• Don’t reuse passwords
• Share passwords securely
• Avoid username/password-based registration. Use SSO
• Set up 2FA on your primary accounts
• Learn to see through phishing emails
• Don’t trust public Wi-Fi
• Use a good password manager
• Learn to check website certificates

Helpful Resources

• https://haveibeenpwned.com/
• https://howsecureismypassword.net/
• https://codebeautify.org/send-snap-message
• https://bitwarden.com/
• https://www.lastpass.com/
• https://vimeo.com/154958732 (Presentation by the author of Have I been Pwned)

Thank You & Questions
