WHAT I LEARNED AFTER SEVERAL DAYS RUNNING SOME HONEYPOT SYSTEM?
Jefferson Souza Macedo (Brazil)
A honeypot, a deliberately exposed environment designed to be attacked, is not a new concept; it offers a powerful and exciting way of learning about attackers’ techniques and methods, yet many security administrators do not consider solutions like this during an investigation, or even to catch cybercriminals damaging their systems and infrastructure.
Not only independent researchers and curious people use honeypot systems; for some years, IT security firms have also benefited from honeypots, because they help to understand the intruder’s intentions and movements and to capture new malware samples for analysis, keeping them one step ahead of cybercriminals and improving their defense products such as antivirus, analysis and decryption tools.
During this research, many different types of honeypot system were found. While the development of commercial honeypots seems to have lost steam, there is a variety of innovative and freely available honeypot tools. More than 20 different sensors, mainly based on Linux, were found.
Given the importance of this concept and its valuable help in improving network and systems defense, as well as in creating new defenses, this research aims to present all the information gathered through a PoC (Proof of Concept) using some VPSes (Virtual Private Servers) and other open source resources. For this proof, four different honeypot instances were built and kept under monitoring while receiving random attacks from different attackers around the world during one month. The compromised environments used in this PoC include SSH environments and Industrial Control System sensors, both increasingly used considering the new wave of the Internet of Things. In addition, based on the results collected from those attacks, some lessons learned and advice on how to avoid attacks and improve the defense of systems and networks will be presented.
A short questionnaire on honeypot usage was also applied during this research, with the goal of verifying whether information security professionals intend to use a honeypot system in the long run.
PRIORITIZATION OF CYBER SECURITY CONTROLS USING AHP AND FUZZY
Leonardo Formoso Moreira (Brazil)
This study presents a proposal to use AHP (Analytic Hierarchy Process) and fuzzy logic for the prioritization and qualitative definition of compliance with the CSC (Critical Security Controls), within a consultative proposal focused on the main activities of an organization. The CSC is a globally known set of cyber security controls that draws on best practices to help companies and organizations raise their level of maturity and protection in cyber security. The AHP methodology allows prioritization based on pairwise comparison, providing a concise and coherent analysis of a complex multi-objective problem. In a few simple steps, AHP allows you to prioritize these criteria and assist in decision making. Fuzzy sets use linguistic variables to handle imprecise, vague and inconsistent human knowledge within complex problems, such as providing a qualitative level of risk based on more than 30 different cyber controls. Through the union of these three methodologies, a simple, fast and concise method for setting priorities in cyber security was established, as well as for the level of compliance with the controls proposed by the CSC.
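A worked illustration of the approach described above, added here and not the author's own method or numbers: AHP priority weights from a pairwise comparison matrix with Saaty's consistency check, then a fuzzy linguistic rating of the weighted compliance level. The three controls, the pairwise judgements, the compliance scores and the membership breakpoints are constructed assumptions.

```python
"""AHP priority weights and consistency ratio for a set of security controls,
plus a fuzzy linguistic rating of the weighted compliance level.

Added example; the controls, judgements (Saaty 1-9 scale), compliance scores
and fuzzy breakpoints are constructed assumptions. RANDOM_INDEX is Saaty's
standard table.
"""
import math

# Saaty random consistency index for matrices of size n = 1..10
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}


def ahp_weights(matrix):
    """Priority vector via row geometric means (the usual AHP approximation)."""
    n = len(matrix)
    gm = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(matrix, weights):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR <= 0.1 is acceptable."""
    n = len(matrix)
    if n <= 2:
        return 0.0
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def triangular(x, a, b, c):
    """Triangular membership function with support (a, c) and peak at b."""
    if x <= a or x >= c:
        return 0.0
    return (x - a) / (b - a) if x <= b else (c - x) / (c - b)


def fuzzy_risk_level(score):
    """Map a weighted compliance score (0..1) to the linguistic risk level with
    the highest membership. Breakpoints are constructed assumptions."""
    memberships = {
        "high risk": triangular(score, -0.01, 0.0, 0.5),
        "medium risk": triangular(score, 0.25, 0.5, 0.75),
        "low risk": triangular(score, 0.5, 1.0, 1.01),
    }
    return max(memberships, key=memberships.get), memberships


def prioritize(controls, matrix, compliance):
    """Return per-control weights, the CR, the weighted compliance score and its fuzzy level."""
    w = ahp_weights(matrix)
    cr = consistency_ratio(matrix, w)
    score = sum(wi * compliance[c] for wi, c in zip(w, controls))
    level, _ = fuzzy_risk_level(score)
    return dict(zip(controls, w)), cr, score, level


# Constructed example: three controls compared pairwise by a consultant, and the
# organization's current compliance with each (0 = none, 1 = full).
CONTROLS = ["inventory of devices", "admin privilege control", "malware defenses"]
PAIRWISE = [[1.0, 3.0, 5.0],
            [1 / 3, 1.0, 3.0],
            [1 / 5, 1 / 3, 1.0]]
COMPLIANCE = {"inventory of devices": 0.9,
              "admin privilege control": 0.4,
              "malware defenses": 0.7}

if __name__ == "__main__":
    weights, cr, score, level = prioritize(CONTROLS, PAIRWISE, COMPLIANCE)
    for name, w in weights.items():
        print(f"{name:25s} weight={w:.3f}")
    print(f"CR={cr:.3f}  weighted compliance={score:.3f}  -> {level}")
```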
THE BRAZILIAN RANSOMWARE INDUSTRY, AN EXPORT BUSINESS
Santiago Martin Pontiroli (Argentina) and Roberto Francisco Martinez (Mexico)
During 2016 we have witnessed how the ransomware epidemic has become the fastest-growing threat in today’s malware ecosystem. Extortion through computer-based hijacking has become a headache not only for home users but also for companies of all kinds, with a marked increase in the last period in targeted attacks and the manual installation of ransomware.
Globally we are talking about the appearance of more than 60 new ransomware families during the last year alone, and thousands of variants created daily. A billion-dollar business is more than tempting for a criminal who today needs only a minimal investment to take part in a scheme that has proven to be incredibly lucrative and worryingly simple at the same time.
Within Latin America, Brazil has always been at the forefront of the malware industry, with home-grown banking trojans that have become legends in the world of financial attacks. Thanks to the ease and speed of cryptocurrency payments and the relative protection of anonymous networks, Brazilian criminals have found a range of new opportunities in the world of virtual extortion.
Let us analyze the code and operation of the most relevant creations in the world of Brazilian ransomware, their way of operating, and the novelties they have introduced into this global business. From services such as Stampado to Philadelphia, through TeamXRat and other devastating campaigns, let us walk through the whole infection process, understanding the actors involved and how to be prepared for their next strike.
Gabriel Bergel (Chile)
This talk addresses the (in)security of point-of-sale (POS) payment devices for processing credit and debit cards, and the associated international security standards. POS fraud has been and remains the most popular type of fraud in South America, from the classic skimmer, eavesdropping, modification and installation of third-party software to hardware tampering of the POS. The talk focuses on POS tampering: how the criminal gangs are organized, who they are, which countermeasures are implemented, the EMV chip and its main vulnerabilities, and the current trend of “contactless” NFC and the poor security of the protocol. It shows how NFC (EMV) payment technologies are implemented in Chile, with some weaknesses and non-secure implementations.
. Financial institutions
. Private sector
Is this an important issue? POS devices are the main mode used for face-to-face credit and debit card payments (the others are self-service devices). Fraud by tampering has been very effective in South America, and there is organized crime associated with it. EMV and NFC are global trends for safer and faster payments with debit and credit cards; however, security in this type of technology has deficiencies that may allow actions to be performed between the chip and the POS, supplanting the identity or accessing restricted areas in the credit card. As an example, we will show you a tampered POS (if the police didn’t detect it at the airport).
ELEVATING THE FRAUD IN POINT OF SALE (POS) TO ANOTHER LEVEL
Thiago Bordini (Brazil)
This presentation is the result of an investigation into fraud in Point of Sale (PoS) systems which, in a single establishment in Brazil, caused a loss of more than R$ 1.5M, or approximately US$ 0.5M.
The PoS is a system that allows the transmission of financial information related to the use of a debit or credit card. It is the system responsible for the communication between the merchant and the credit card company, allowing the money to be properly passed on to the business.
During the presentation, all the vulnerabilities exploited by the fraudsters will also be shown, as well as other possible attacks that could be carried out using the same technique; depending on the establishment, the fraudsters could easily cause financial losses greater than those of the Target case in 2013 and Home Depot in 2014.
The complete mapping of the scheme was the result of a long investigation using cyber intelligence and counterintelligence techniques in order to identify the suspects of the illegal practices.
The result of over 6 months of private research will be presented for the first time at the event, demonstrating the whole investigative process, the strategies and technologies used, all with the purpose of identifying the Tactics, Techniques and Procedures (TTP) of the fraudsters in order to contain or eliminate the effectiveness of the attack.
HACKING AND BITCOINS (NOT HACKING BITCOINS) – HOW CRYPTOCURRENCIES ARE CHANGING THE BUSINESS MODELS OF CYBERCRIMINALS
Alberto Daniel Hill (Uruguay)
The presentation will be based on five months of research in the darknet, which allowed plenty of material to be collected regarding the way cybercriminals do business there, the wide range of services they offer and tools they sell, the prices of access to first-class hacking tools, and how to go from being nobody, unable to contact the leaders of the cybercriminal organizations, to gaining the trust of many groups and being able to get anything they had to offer.
It also received the collaboration of someone with great knowledge of the cryptocurrency market, who oversaw a very important exchange in Latin America and was the victim of hacking twice. He allowed me to analyze the site after the first hack, and the results will be shown. A couple of minutes are used to explain the situation of Venezuela regarding cybercrime and cryptocurrencies, as well as the situation of Latin America compared to the rest of the world.
It will also describe two major hacking events at very important exchanges and explain what is known about them.
ADAPT OR DISAPPEAR – FROM GUNS TO CRYPTOGRAPHY – THE EVOLUTION FROM CRIME TO CYBERCRIME
Alberto Daniel Hill (Uruguay)
This presentation is about the natural evolution we can see in crime, where criminals must adapt to new scenarios, learn new skills, and adapt their business models to the fast changes in society. So far they are doing a great job; most of them have great talent, so protecting ourselves from this reality is a big challenge. It doesn’t matter whether we are a taxi driver, a writer or an employee of any company: we are ALL targets of the bad guys.
Most of the inputs are taken from ongoing research on the deep web and organized cybercrime; after many months interacting with them, I arrived at results that I think can be useful for being better prepared whenever the target becomes us.
I will describe the way these organizations work today and how Latin America is either affected by or part of this problem: the role that blockchain, and above all cryptocurrencies, play in this economy, and how it is adapting and moving from bitcoin to cryptocurrencies such as Monero to avoid money-laundering detection.
I will talk about the amount of money this business is presumed to generate, its impact on other aspects of the economy and its links with other actors such as malware developers and ransomware as a service, and how anyone now, with just the desire and the resources, can cause a lot of harm.
We end with tips on how to cope with the major issues and try to see the trends and where cybercrime is moving in the near future.
HOW TO HANDLE CYBER SECURITY CHALLENGES IN BIG PROJECTS
Luiz Vieira (Brazil)
The talk aims to explain how to deal with information security challenges in a complex scenario, with few resources and a small team, but with a high level of specialization.
A case study will be presented based on the Rio 2016 Summer Olympic Games, where the speaker held the position of Information Security Manager in the most critical area of the project, responsible for processing and delivering the results of all competitions to clients around the world, in real time and flawlessly.
The structure assembled, the effort expended, the solutions proposed to the problems faced, and the lessons learned at the end of the project will be explained with real examples from throughout the project.
A four-year project, with no possibility of extension, with the obligation to be delivered on time and with the quality expected of an international project, with demanding clients, with no possibility of failure, and above all: where all the IT staff would need to remain anonymous, without exposure in the media, because any exposure would be due to failures.
This is the scene of the biggest sporting event in the world, involving dozens of countries working in a continuous effort towards a common goal, a scenario that will not be repeated in our country. The presenter will explain the performance of his security team, the challenges encountered, and the solutions that achieved the success of such a project.
QUANTITATIVE STUDY OF PROFESSIONAL TRENDS IN THE WORLD OF CYBERSECURITY
Jose Antonio Lagos Melo (Chile)
With the advancement of information technologies and digital transformation, many countries and organizations are developing this concept, rethinking the value to customers and creating new operational models to exploit competitive advantages. Probably the most used technologies are based on incorporating aspects of Big Data, Mobile Internet, Cloud Computing and the Internet of Things (IoT), which will undoubtedly modify digital business. Such is the relevance of the digital subject that several countries look at digital transformation as a key element for the development of their economies, as we observed when the European Commission, in May 2015, launched measures designed to create a single digital market in Europe with an estimated increase of 415 billion euros in European GDP. On the other hand, another great economic power such as China actively seeks to improve the development of e-commerce, industrial networks and internet banking, as well as to help companies increase their international presence on the Internet. This leads to a new and great challenge for professionals working in the field of cybersecurity. Given the above, as digital transformation progresses in the strategies of both countries and organizations, the implementation of cybersecurity measures, whether at the level of regulations or by companies, will bring new challenges to the professionals working in this area, so it will be necessary to understand what the trends relevant to professional development will be, based on the new risks present.
The objective of the study is to understand whether people working on cybersecurity issues perform management functions or not, their academic training and their level of remuneration; to understand which factors are relevant for a successful career in the field of security; and also to understand the skills currently required to cope with current needs and the vision of the skills required in 3 more years.
The design of the study was based on the quantitative method, structuring a questionnaire that allowed the trends to be measured through the professionals who work in the cybersecurity industry and how some of these are envisioned for the next 3 years. Demographic elements and other elements important to the analysis are included, such as required skills, staff turnover and welfare aspects, among others. The survey was applied between January and February 2017 to cybersecurity professionals from the main industries. The results of this study show important issues in the perceptions of current and future skills, in the aspects that produce the well-being needed to remain in current jobs, and in perceived remuneration. On the other hand, it allows the vision of cybersecurity professionals themselves to be visualized regarding the evolution of the abilities required to face these new challenges.
FROM BIG DATA TO CUSTOMER INTELLIGENCE
Jorge Mario Ochoa (Guatemala)
We have a lot of information in our IPS, HIPS, SIEM, Firewall, WAF, Content Filter, etc. But are we using this information to provide Business Intelligence? Or, furthermore, are we showing this information to the right customer?
The customer is not just the IT department; we will dive through Data, Analytics and Business Intelligence to show some examples of Customer Intelligence. Information Security is only an enabler when we provide the right information to the right customer at the right moment.
Information Security is there for the business and not the other way around.
. What problems do we solve?
. What needs have we identified?
. Are we adding value from the perspective of our customers?
Those questions will provide a starting point to build a path on how we can be considered as enablers.
MOBILE DEVICES – SECURITY AND MANAGEMENT
NETWORK ACCESS CONTROL FRAMEWORK FOR THE CURRENT LANDSCAPE
Everth Hernandez (Mexico)
With users carrying both IT-managed and personal devices, and connecting from anywhere to perform work-related tasks, IT now must deal with internal resources being accessed from coffee shops and airports, as well as internal documents (engineering plans, HR information, sales data) making it onto smartphones, tablets and USB sticks. Providing proper privileges regardless of device is forcing IT to look at context to help bring people and devices onto wired and wireless networks.
Other issues include new threats due to malware specifically targeting mobile apps, zero-day attacks being launched because these apps are used in the office on a regular basis, and the fact that mobile devices are easily shared. This requires that context be shared with third-party solutions that perform post-authentication services.
To address these issues, we propose a framework for network access control that provides a holistic approach regardless of location, time or device, with real-time sharing of context that gives visibility for accurate policy enforcement and integrated workflows between security protection tools for efficiency and speed. The proposed framework has 4 different stages that will be discussed: visibility, policy, automation and enforcement. We will also discuss the importance of user behavior monitoring through analytics once access has been granted, to prevent data exfiltration events.
SOFTWARE ASSURANCE AND APPLICATION SECURITY
THE DEATH OF THE PENTEST
Adilson Santos da Rocha (Brazil)
Demonstrate to the audience that the current way of consuming the Penetration Testing (Pentest) service, and the way it is offered by the information security industry, does not generate value for security as a whole, becoming a waste of technical, operational and financial resources.
Address the main flaws in the consumption of this service and some negative aspects that leave the company at risk.
How companies use the Pentest inefficiently:
. Dealing with subjective results;
. The skill of the professional performing the test as the main measure of effectiveness;
. The most important changes in this market in recent years;
. A process not driven by tooling;
. Repeating the same pentest yields different results;
. How to trust a non-auditable service;
. The result of a Pentest becomes obsolete in the face of changes in the environment;
. Use of social engineering not reported in Pentest reports;
Some positive aspects of the service will also be addressed, such as:
. Correct use of the Pentest in a vulnerability and risk management process
. Metric for Risk Impact
. Active Defense
And finally, demonstrate how automated, targeted and auditable security tests can be inserted into companies’ risk management processes and operations, improving all products and saving technical, operational and financial resources.
Drawing a parallel with the production of automobiles that use Japanese quality and assurance models from the 1990s, refined up to the present day.
IDENTITY/ACCESS MANAGEMENT
NEW TECHNOLOGIES – PHYSICAL ACCESS CONTROL MANAGEMENT
Jonathan Damásio Medeiros (Brazil)
This talk introduces how new technologies for physical access control management can increase security, reduce costs, increase productivity and drive customer business. In addition, a real case using new technologies will be presented. Finally, the main requirements that new technologies need to meet are presented.
GOVERNANCE, REGULATION & COMPLIANCE
ISO 27001, MORE THAN A STANDARD, A PARTNER
Jorge Mario Ochoa (Guatemala)
On several occasions we have heard about ISO (International Organization for Standardization). ISO 9001 is one of the most important ISO standards; in most cases organizations implement ISO 9001 to win contracts requiring such certification or to compete with certified companies offering the same service.
But when we talk about ISO 27001, it is a little more difficult to convince senior management of the need to implement this information security standard, especially because risk assessment is not an exact science: we cannot predict whether we will have a malware attack or a leak of confidential information, which could result in significant fines or compensation payments, in 2 weeks or in 2 years. Furthermore, ISO 27001 is normally not as well known or required by regulatory agencies or clients.
The first step in implementing ISO 27001 is to present a business case that reflects the benefits for the organization. The best scenario for ISO 27001 certification is that the organization can obtain contracts that require the service provider to be certified in order to provide services. In this case, the ROI (return on investment) and benefits of certification could easily be calculated. Another business case could be a reduction in the insurance premium thanks to the certification.
When investing in ISO 27001 certification does not reflect such an obvious ROI, we could consider implementing ISO 27001 without being certified; ISO 27001 will provide a framework with control objectives, clearly defined controls and a family of guides to facilitate the implementation path.
ISO 27001 is a globally used standard that considers the most significant risks and provides a structure to implement controls to manage our risks according to our risk appetite; but even more important is the fact that, like all certifiable ISO standards, it seeks continuous improvement in our processes. If we decide to start with ISO 27001 certification, we must have a solid business case approved by senior management; if we decide to implement ISO 27001 without applying for certification, we must be convinced of the benefits that the standard will bring to our organization and be able to show the before and after in monetary terms in order to maintain the system.
It should be noted that the only certifiable standard of the ISO 27000 family is ISO 27001, which is why we must focus exclusively on its requirements. We can take into consideration the guidelines of the ISO 27000 family, but an auditor can only audit against the ISO 27001 criteria and the content of our own policies and procedures. For example, an auditor may not require us to have implemented a control according to the ISO 27002 guideline, since the objective of ISO 27002 is to provide guidance on implementing controls.
DATA PRIVACY AND LEGAL FRAMEWORK
Paulo Purkyt (Brazil)
The purpose is to present the issues of data protection and privacy, focusing on the current situation of the Brazilian legal framework of the “Marco Civil da Internet” (MCI) and the updated draft legislation, and also to present the points of (dis)agreement with US and European Community law in this matter.
Regarding the MCI, a relevant issue that has met resistance, especially from application providers, is Article 11: in any operation of collection, storage, custody and processing of records, personal data or communications by connection providers and internet application providers in which at least one of these acts occurs in Brazil, Brazilian law on the rights to privacy, the protection of personal data and the confidentiality of private communications and records must be respected, even if the activities are carried out by a legal entity based abroad, provided that it offers services to the Brazilian public or at least one member of the same economic group has an establishment in Brazil.
There are draft laws being processed in both the House of Representatives and the Senate, seeking to fill gaps and regulate specific situations in the processing of personal data. In the Senate there is PLS 330-2013, and in the House of Representatives PL 4060-2012 (already incorporated into PL 5276-2012). Most likely the law that will be sanctioned will be a union of these two legislative projects.
The duties related to data collection, security and supplying information to the authorities under the law cover any company whose services reach Brazil, even if its servers or headquarters are in another country. It is clear that, at present, and even more so with the pending bills, compliance measures are needed to keep risk under control and to ensure planning and a more controlled running of the business.
Thinking about the legal framework, it is possible to analyze the impacts on the business environment and the need to adapt processes and technical requirements to the compliance issues that the legal framework requires.
Exploring these topics will create a unique strategic view of how legal frameworks demand security and mitigate business risks, with a checklist to be performed in any tech project.
NETWORK NEUTRALITY REGULATION
Paulo Purkyt (Brazil)
At the very beginning (1991), the internet had a free flow of packets with basic TCP/IP protocol control roles based on RFC 1180. Less than a decade later, the growth of internet complexity in number of connections, bandwidth and application utilization had made it a medium for new businesses.
In this environment, new data flow controls needed to be created to guarantee that applications worked well and to manage quality. So video and transaction traffic received higher prioritization than email or web browsing traffic.
This possibility of traffic prioritization over the internet also brought new business possibilities that could provide a better user experience over the net for one application and a not so good experience for other users on the “same” internet.
Is network neutrality a technical, business or legal issue? What are the main issues addressed in these regulations that should be complied with? How can regulation be turned into benefits for the business?
The purpose of this session is to present the issues of network neutrality, focusing on the current situation of the Brazilian legal framework of the “Marco Civil da Internet” (MCI) legislation, and also to present the points of (dis)agreement with US and European Community regulation in this matter and help address the main issue in each one.
Thinking about the legal framework, it is possible to analyze the impacts on the business environment and the need to adapt processes and technical requirements to the compliance issues that the legal framework requires.
Exploring these topics will create a unique strategic view of how legal frameworks demand neutrality over the internet.
INTERNET OF THINGS
DDOS PREVENTION IN IOT ENVIRONMENT USING SDN CONTROLLERS
José Wagner Bungart and Alexssandro Augusto Reginato (Brazil)
The need for an evolution in the way networks communicate has long been discussed; infrastructure and protocols no longer support the growth of the Internet, both in complexity and in performance. Traditional networks rely on special algorithms implemented in dedicated hardware for specific functions, with the Data Plane and the Control Plane on the same equipment. The simple packet forwarding functions performed by the Data Plane sit on the same hardware that deals with protocols and with more complex decisions such as routing, filtering, congestion handling and packet prioritization. This coupling of hardware and software makes application development to meet specific needs unviable.
This interdependence of software and hardware motivated the creation of the SDN (Software Defined Network), with the objective of decoupling the Data Plane from the Control Plane, leaving only packet forwarding in the Data Plane, distributed across the network equipment. The complexity of the Control Plane belongs to controllers, allowing administrators to centrally program the specific needs of the network, such as network security prevention.
SDN was developed for wired networks, typically used in data centers and corporate network backbones, without wireless functionality, let alone for wireless sensor networks (WSN). In recent years, research using SDN controllers in WSNs, acting as a base station, has proved that this is a feasible architecture that can help to enhance WSN security.
IoT is based on WSN communication, and academia and industry have been widely discussing the sensor threats in IoT. This work proposes a method to preserve energy in WSN sensors and actuators under a DDoS attack. Energy saving is a recurring theme in WSN research, since the life cycle of a sensor or actuator often depends on batteries; optimized use of the devices will therefore prolong the time they remain operational.
SDN controllers can suffer DDoS attacks that send a lot of requests to the sensors, draining their battery energy. This work proposes an algorithm based on risk analysis to prevent impacts on WSN sensors. The controller holds the communication profile of each sensor and its remaining battery energy.
If suspicious traffic is identified by the controller, e.g. the number of requests to the same sensor grows from 200 pps to 1000 pps, the controller will analyze the sensor’s power and decide whether or not to forward the requests to the target. In parallel, the controller will send an ICMP Source Quench to the sender, asking it to decrease the requests. If the requests do not decrease after 3 quench messages, the controller will run the attack prevention algorithm, forwarding requests to the sensor based on its remaining battery: the less energy it has, the fewer requests it will receive. This system can preserve sensor energy during an SDN controller attack, increasing IoT availability.
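A simulation of the controller logic described above, added here as an illustration and not the authors’ implementation: per-sensor surge detection (the 200 pps to 1000 pps case), a quench phase, and after three ignored quenches a forwarding budget scaled by the sensor’s remaining battery. The surge factor, the low-battery cutoff, the per-request energy cost and the sample traffic are constructed assumptions.

```python
"""Battery-aware request throttling on an SDN controller in front of WSN sensors.

Added example; thresholds, energy cost and sample traffic are assumptions, not
values from the paper. The controller keeps each sensor's communication profile
(baseline pps) and remaining battery, flags a surge, quenches the sender, and
after QUENCH_LIMIT ineffective quenches runs the prevention algorithm.
"""
from dataclasses import dataclass, field

SURGE_FACTOR = 5.0          # assumption: 200 -> 1000 pps is a fivefold jump
QUENCH_LIMIT = 3            # page: requests still not decreasing after 3 quenches
LOW_BATTERY_PCT = 20.0      # assumption: below this, excess traffic is cut at once
ENERGY_PER_REQUEST = 0.002  # assumption: battery percent consumed per handled request


@dataclass
class Sensor:
    sensor_id: str
    baseline_pps: float   # normal communication profile learned by the controller
    battery_pct: float    # remaining battery energy, 0..100


@dataclass
class Controller:
    sensors: dict                                 # sensor_id -> Sensor
    quenches: dict = field(default_factory=dict)  # (sender, sensor_id) -> quenches sent
    throttled: set = field(default_factory=set)   # flows under the prevention algorithm

    def forward_budget(self, sensor, observed_pps):
        """Prevention algorithm: forward at most the baseline scaled by remaining battery."""
        return min(observed_pps, sensor.baseline_pps * sensor.battery_pct / 100.0)

    def decide(self, sender, sensor_id, observed_pps):
        """Decide how much of one interval's traffic reaches the sensor.

        Returns (action, forwarded_pps); action is 'forward', 'quench',
        'quench+limit' or 'throttle'.
        """
        sensor = self.sensors[sensor_id]
        flow = (sender, sensor_id)
        if observed_pps < SURGE_FACTOR * sensor.baseline_pps:
            # traffic is back within the profile: clear state for this flow
            self.quenches.pop(flow, None)
            self.throttled.discard(flow)
            return "forward", observed_pps
        if flow in self.throttled:
            return "throttle", self.forward_budget(sensor, observed_pps)
        self.quenches[flow] = self.quenches.get(flow, 0) + 1
        if self.quenches[flow] > QUENCH_LIMIT:
            # sender ignored three quench messages: switch to the prevention algorithm
            self.throttled.add(flow)
            return "throttle", self.forward_budget(sensor, observed_pps)
        if sensor.battery_pct <= LOW_BATTERY_PCT:
            # sensor cannot absorb the burst: pass only the baseline while quenching
            return "quench+limit", sensor.baseline_pps
        return "quench", observed_pps


def run(traffic, sensor, protect=True):
    """Replay one-second intervals of (sender, pps) and drain the battery by forwarded requests.

    Returns (actions, remaining_battery_pct). With protect=False the controller
    forwards everything, giving the unprotected baseline for comparison.
    """
    sensor = Sensor(sensor.sensor_id, sensor.baseline_pps, sensor.battery_pct)  # fresh copy
    ctl = Controller({sensor.sensor_id: sensor})
    actions = []
    for sender, pps in traffic:
        if protect:
            action, forwarded = ctl.decide(sender, sensor.sensor_id, pps)
        else:
            action, forwarded = "forward", pps
        sensor.battery_pct = max(0.0, sensor.battery_pct - forwarded * ENERGY_PER_REQUEST)
        actions.append(action)
    return actions, round(sensor.battery_pct, 3)


# Constructed sample: normal 200 pps, then a 1000 pps flood from one sender that
# ignores the quench messages, then traffic returns to normal.
SAMPLE_SENSOR = Sensor("s1", baseline_pps=200.0, battery_pct=50.0)
SAMPLE_TRAFFIC = [("10.0.0.9", 200.0)] * 2 + [("10.0.0.9", 1000.0)] * 6 + [("10.0.0.9", 200.0)]

if __name__ == "__main__":
    for protect in (True, False):
        actions, battery = run(SAMPLE_TRAFFIC, SAMPLE_SENSOR, protect)
        print(f"protect={protect}: {actions} -> battery {battery}%")
```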
IOP (INTERNET OF PEOPLE)
Patricio Carranza (Argentina)
A child who begins his or her school education in 2017 will finish their studies in 2030. However, we continue to educate our children to live in a world that no longer exists.
The Internet of Things (IoT) faces today a revolution that will overshadow the Industrial Revolution. The interconnection of all “things”, the application of new processes and the generation of unthinkable volumes of data compel us to rethink educational processes.
Governments, businesses and civil organizations must commit to modernizing and recreating local and regional regulations, refining business models and ensuring democratic access to services and knowledge.
With the arrival of the Internet of Things (IoT), the Internet ceases to be a communications service and becomes the territory in which we live.
The Internet of Things (IoT) transforms education needs in an innovative and disruptive way: we cannot expect different results by always doing the same thing. Most of the jobs we know today will cease to exist in the next 10 years. We must imagine the future and build a new educational system for the inhabitants of this new territory: an educational system that prepares the citizens of 2030.
CAN 3D DIGITALIZATION DATA OF A CRIME SCENE BE CONSIDERED SCIENTIFIC EVIDENCE?
João Rocha (Brazil)
It’s not a one-size-fits-all approach; the court has a basic expectation that a crime scene will be documented in “as is” condition to allow impartial evaluation. Forensic evidence requires positional information to evaluate it in its proper context. Crime scenes must often be processed before the facts are known, so it is not always clear what measurements are required, and it is often impossible to return to a crime scene to gather measurements later. However, three-dimensional digitalization allows extraction from the data at any time in the future, making it possible to virtually return to the scene. As accreditation becomes more widespread, agencies may find that the equipment and methods they use no longer meet the standard, which leads them to pursue 1) scientifically accurate data; 2) traceability to known standards; 3) a known/potential error rate. Within this discussion it is valid to question data access and the audit of collected data such as imagery, radar, laser, thermal and airborne. Preventing and controlling data manipulation within certified methods is crucial to protect evidence from discredit. 3D spatial digitalization is inevitable at this point in technology development; this session will look at data sensors, collection methods, and data processing, treatment and manipulation, and propose how society can benefit from a mutual discussion on the admissibility of scientific evidence.
CLOUD SECURITY
CASB & CSG VS SHADOW IT AND BUSINESS STRATEGY – WHAT’S COMING IN THE FUTURE?
Ricardo Giorgi and Willen van Dinteren Neto (Brazil)
Probably in the second half of 2018 these technologies will be used in a massive way. There are several vendors offering features and solutions to implement security scenarios in the cloud, in an increasingly permissive environment, often without evaluation by the IT and Security teams, driven by strategic business decisions and agility.
CASB is Gartner’s nomenclature; CSG is Forrester’s. The topic has gained relevance, but there are still divergences on how to name this type of solution.
Shadow IT is a theme that is getting out of hand, because cloud solutions are easy to deploy, and the decision to use them or not is being taken and executed by professionals connected to the business and not by the IT and Security teams. This creates a huge paradox, either through arbitrary decision-making or because IT acts like a “No Whistle.” In this way, there will be a need to talk about CASB with Sales, Marketing, the Board of Directors etc.; that is, even the audiences we are talking to are changing their traditional beliefs and paradigms.
CASE STUDY: HOW WE’VE SECURED A FINANCIAL MOBILE APP USING A CLOUD COMPUTING BACKEND WITHOUT PENALIZING THE USER EXPERIENCE
Anderson Dadario and Candido Sales (Brazil)
This is a case study presentation on how we’ve secured a financial mobile application – where financial means that users input their credit card data and make payments from the app – that uses a backend hosted by a Cloud Computing provider (Amazon Web Services). Our challenge was to secure highly sensitive data without penalizing the user experience. For that we needed to develop multiple security layers, invisible to the user, that go beyond the basic security found in apps. We’ve tied together Android KeyStore, Libsodium, RSA, AES, Docker container technology, Amazon Web Services and more to provide comprehensive protection for end users.
In this talk we will share how the architecture was developed, step by step. To put all the security controls into practice, synchronization between the application security team, the mobile development team (Android), the backend development team (Node.js) and the infrastructure team was mandatory. We’d love to share the lessons learned, gotchas and more tips to help security be implemented in other companies as well.