Slides de support utilisés par M. Enrico Branca lors du Security Tuesday du 19 novembre 2013 : "Celui qui part à la chasse"

1. Security Tuesday
"Celui qui part à la chasse"
19 novembre 2013
Enrico Branca

2. Information Security
Definition
"the practice of defending information from unauthorized access,
use, disclosure, disruption, modification, perusal, inspection,
recording or destruction. It is a general term that can be used
regardless of the form the data may take (electronic, physical, etc...) "
(http://en.wikipedia.org/wiki/Information_security)
"Safe-guarding an organization's data from unauthorized access or
modification to ensure its availability, confidentiality, and integrity."
(http://www.businessdictionary.com/definition/informationsecurity.html)
2

3. Information Security
Combine basic principles in information security:
1) You cannot secure what you cannot manage
2) You cannot manage what you cannot measure
3) You cannot measure what you are not aware of
WITH MONEY
4) You cannot make monetize what you are not aware it
even exists
NEW TASK  “Measure” information security to sell it
3

4. Quantitative Information Security
Definition of 'Quantitative Analysis'
A business or financial analysis technique that seeks to understand behavior by
using complex mathematical and statistical modeling, measurement and research.
By assigning a numerical value to variables, quantitative analysts try to replicate
reality mathematically.
(http://www.investopedia.com/terms/q/quantitativeanalysis.asp)
Quantitative research
"The objective of quantitative research is to develop and employ mathematical
models, theories and/or hypotheses pertaining to phenomena. The process of
measurement is central to quantitative research because it provides the
fundamental connection between empirical observation and mathematical
expression of quantitative relationships. Quantitative data is any data that is in
numerical form such as statistics, percentages, etc."
(http://en.wikipedia.org/wiki/Quantitative_research)
4

5. Quantitative Information Security
-- 1998 -“Quantitative Evaluation of Information System Security”
(http://homepages.laas.fr/deswarte/Publications/98107.pdf)
-- 2004 -"Computer Security Strength & Risk: A Quantitative Approach"
(http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.9.5276&rep=rep1&type=pdf)
-- 2009 -"Computer Safety, Reliability, and Security"
(28th International Conference, SAFECOMP 2009, ISBN 978-3-642-04468-7)
-- 2012 -Towards quantitative measures of Information Security: A Cloud Computing case study
(sdiwc.net/digital-library/web-admin/upload-pdf/00000315.pdf)
-- 2013 -"A QUANTITATIVE, EXPERIMENTAL APPROACH TO MEASURING PROCESSOR SIDE-CHANNEL SECURITY"
(http://www.cs.columbia.edu/~jdd/papers/micro13_svf.pdf)
5

6. Google Search Trends
6

7. Economic Intelligence (English)
"..vocabulary evolved also, shifting from ‘economic war’, ‘competitive intelligence’ and
‘economic watch’ only, to ‘economic intelligence’, which aims to encompass all aspects
of the globalised risks and opportunities and that is based on an upstream
understanding and a multidisciplinary approach of the threats that need to be
addressed.“
"Today, economic intelligence is recognised as a professional tool for strategy and
management for States and companies in the globalised world. Its implementation is
based on three main pillars:
(1) The mastering of strategic information
(2) Economic security, which is defensive and directed at protecting economic assets
(3) Influence –active or offensive–, be at the cutting edge for seeking opportunities
and innovation and to be able to act on one’s environment (regulations, norms,
image…) and not only be passively dependent on it
(http://www.realinstitutoelcano.org/wps/portal/rielcano_eng/Content?WCM_GLOBAL_CONTEXT=/elcano/elca
no_in/zonas_in/defense+security/ari134-2010)
7

8. Intelligence Economique
« Avantage concurrentiel de l'intelligence économique »
• détecter ce qui peut donner à l'entreprise un avantage
concurrentiel
• mobiliser les acteurs internes de l'entreprise
• tirer les conclusions pour la meilleure exploitation possible
L'information fournie doit présenter
certaines qualités :
1) exactitude
2) mise à jour
3) liée au contexte.
8
De manière formelle:
1) elle doit être traitée rapidement
2) être explicite
3) accessible économiquement.

9. Intelligence Economique
-- 1999 -" L'intelligence économique "
Achard, Pierre, Bernat, Jean-Pierre, BBF, 1999, n° 6, p. 123-125
-- 2003 -"INTELLIGENCE ÉCONOMIQUE ÉCONOMIQUE ET STRATÉGIQUE"
(http://www.adec.fr/files_upload/documentation/200607201512060.Cigref_IE_internet.pdf)
-- 2009 --
"Guide des bonnes pratiques en matière d’intelligence économique"
(http://c.asselin.free.fr/french/guide_des_bonnes_pratiques_en_matiere_d_ie-1.pdf)
-- 2011 -"Le concept français d’ “intelligence économique”: histoire et tendances"
(http://archivesic.ccsd.cnrs.fr/docs/00/64/64/67/PDF/MHArtIEfrWorkingpaper20101213FRfinal.pdf)
-- 2012 -"L’INFORMATION AU CŒUR DE L’INTELLIGENCE ECONOMIQUE STRATEGIQUE"
http://rrien.univ-littoral.fr/wp-content/uploads/2012/03/doc27-rri.pdf
9

10. Open Data Sources
Internet-Wide Scan Data Repository (https://scans.io/)
The Internet-Wide Scan Data Repository is a public archive of research data collected
through active scans of the public Internet.
The repository is hosted by the ZMap Team at the University of Michigan and was founded in
collaboration with Rapid7.
• University of Michigan · HTTPS Ecosystem Scans
• University of Michigan · Hurricane Sandy ZMap Scans
• Rapid7 · Critical.IO Service Fingerprints
• Rapid7 · SSL Certificates
• Rapid7 · Reverse DNS
• Rapid7 · HTTP-GET (port 80)
•A JSON interface to the repository is available at https://scans.io/json
10

11. Open Data Sources
Internet Census 2012
“Port scanning /0 using insecure
embedded devices” (Carna Botnet)
http://internetcensus2012.bitbucket.org/paper.html
All data collected during the Internet Census 2012 is available for
download via BitTorrent.
The full download is 568GB large. Decompressing all data results in
9TB of raw log files in text format. If recompressed into gzip files the
dataset should be ~1.5TB.
http://internetcensus2012.bitbucket.org/download.html
11

12. Open Data Sources
European Union Open Data Portal
http://open-data.europa.eu/
Pan European data portal
http://publicdata.eu/dataset
Linked Open Data Around-The-Clock
http://latc-project.eu/datasets
Plateforme d’ouverture des données publiques
http://www.data.gouv.fr/
12
Institut national de la statistique et des études économiques
http://www.insee.fr/fr/bases-de-donnees/default.asp
http://www.bdm.insee.fr/bdm2/index.action

13. Server Access Logs
Google query for Web Server logs
 intext:"Mozilla/5.0" filetype:txt
 filetype:log user_agents
TOP 5 - BOT useragents (sample from 2012 logs)
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
Mozilla/5.0 (compatible; Ezooms/1.0; ezooms.bot@gmail.com)
2910357
1067432
632752
619931
479867
TOP 5 - BROWSER useragents (sample from 2012 logs)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
1824893
806615
646110
433263
387967
13

14. Server Access Logs
User Agents by Phone Manufacturer
HTC
User Agents by Operating System
72027
Nokia
35699
BlackBerry
31951
SonyEricsson
31049
LG
MOTOROLA
Alcatel
18322
2474
156
SunOS
User Agents by Layout Engine
10662928
12469607
14
AppleWebKit
Trident
Linux
Mac
Windows
User Agents by Browser
13850653
961715
Presto
Android
Gecko
MSIE
Firefox
Safari
Chrome
Opera
Outlook-Express
Iceweasel
SeaMonkey
Microsoft Office
16339858
12949308
9725335
5517233
1007251
67470
20093
18687
5653

15. Bots behavior (example)
On Bots – analysis 2005/2006 – http://drunkmenworkhere.org/219
YAHOO
MSNBOT
15
GOOGLE

16. Data Analysis Constants
Economic Parameters for FRANCE
Constants for IT market in France (as averages)
Average work hours a week
35
A
Cost Server Install or Restore
6000 €
M
Days of festivities a year
122
B
Server worked daily in France
30
N
Average days on holidays
35
C
Daily Financial loss (Server Down)
1500 €
P
Average working days a year
208
D
Days to reconfigure a server
7
Q
Average working hours a year
3120
E
Cost SSL Certificate (2048bit RSA)
500 €
R
19.6 %
F
Cost Securing Server Installation
2000 €
S
45 %
G
Systems that could to be secured
52568234
T
2764 €
H
Systems with faulty SSL setup
11360349
U
990 €
W
Company tax rate
Private tax rate
Average monthly salary (gross)
Cost of an offline server in the SME market:
“Financial loss + Restore + New SSL certificate”
[(P) X (Q)] + [(M) x 1] + [(R) x 1] = 17.000 €
Cost to fix all systems with faulty SSL setup:
{[(W) + (S) + (R)] x (U)} = 39.647.618.010 €
16
Average daily cost of IT engineer
Market for server security maintenance:
Market = {[(T) x (S)] + [(W) x (Q) x (T)]}
Market: 574.570.797.620 €

17. Secure Communication Market
( Some examples of worst cases)
17

18. Secure Communication Market
Question : Is there a market for secure communication?
(fictional data)
Inventing some numbers :
• 97.454.086 Total IP
• 18.213.972 Self-Signed Certs
• 66.365.935 No SSL
• 19.312.637 No Trusted Certs
• 31.088.151 SSL
• 29.525.183 Weak Ciphers
• 19.727.802 Safe SSL
• 33.724.344 Weak Keys
• 18.360.349 Weak SSL
• 58.321.312 Old Software
WEAK SSL DETAILS
Series1
5
4
3
19%
SSL USAGE
Series2
81%
53%
47%
59%
41%
2
73%
27%
1
74%
26%
100,000,000.00
90,000,000.00
80,000,000.00
70,000,000.00
60,000,000.00
50,000,000.00
40,000,000.00
30,000,000.00
20,000,000.00
10,000,000.00
0.00
1
18
2
3
4
5

19. Estimate Cyber Security Market
Parameters
A= 100.000 servers
B= 50.000 SSL srv.
C= 40.000 vulner.
D= 35 working hours/week E= 5 hours/day
F= 19.6% corp.tax
G= 45% indiv.tax
H= 6000€ install server
J= 1500€/day finan. loss
K= 500€ cert cost
L= 2000€ check server
M= 7 days to install server
N= 3960€ gross salary/month O= project time 3 years P= 4 hours check server
Total working days/year= 365 - 122 (festivities) - 35 (holiday) = 208 days
Total working hours/year= 208 x 5 = 1040 hours
Annual Salary= (N x 12) = 47520€ / year
Human Daily Cost= (N x 12) / 208 = 228.46 €
Technical Cost reinstall 1 server= H + (Jx7) + K = 17.000 €
Human cost reinstall 1 server= (228.46 x 7) = 1599.22 €
Total Cost reinstall 1 server= 17.000 + 1599.22 = 18599.22 €
19

20. Estimate Cyber Security Market
Technical Cost reinstall 1 server= H + (Jx7) + K = 17.000 €
Human cost reinstall 1 server= (228.46 x 7) = 1599.22 €
Total Cost reinstall 1 server= 17.000 + 1599.22 = 18599.22 €
Total Cost reinstall 40.000 SSL server= (18599.22 x 40.000) = 743.968.800 €
Total Cost maintain 40.000 SSL server= (L x 40.000) = 80.000.000 €
Total cost secure 40.000 SSL servers= 743.968.800 + 80.000.000 = 823.968.800 €
People to check 40.000 SSL servers in 3 years= ((P x 40.000) / (1040 x 3))= 51
Vulnerable Servers = 18.360.349
Problematic SSL servers = 8.996.571
Total cost secure SSL servers = 185.322.345.274,62 €
People to check SSL servers in 3 years= ((P x 8966571) / (1040 x 3))= 11495
Total Cost reinstall ALL server= (18599.22 x 18.360.349) = 341.488.170.327,78 €
Total Cost maintain ALL server= (L x 18.360.349) = 36.720.698.000 €
Total cost secure ALL servers= 378.208.868.327,78 €
People to check ALL servers in 3 years= ((P x 18.360.349) / (1040 x 3))= 23.539
20

21. Secure Communication Market
How big is the market for IT server
maintenance to change SSL certs?
Data analysis revealed that the market is
estimated to be on average 185 billion euro and
will involve 11.495 IT professionals over a
period of time of 3 years.
Server Preparedness level
Safe
Unsafe
21
Risky
Vulnerable
No Data
(fictional data)

22. Estimate Cyber Security Market
Can you estimate the market size
related to cyber defense security?
A research on revealed that France has a
potential market of 378 billion euro with an
average cost for each cyber attack of 17.500
euro.
The forecasted potential market for cyber
criminal resulted to be 341 billion euro and
this risk could be mitigated by
implementing a cyber defense system.
Server Preparedness level
Safe
Unsafe
22
Risky
Vulnerable
No Data
An investment of 37 billion euro to
maintain and check current servers would
prevent all potential losses and ensure an
increase in skilled engineers of around
23.539 units.
(fictional data)

23. EXTRA
EXTRA SECTION
HOW TO DEVELOP A LOGICAL MODEL
(Example)
23

24. EXTRA – DEVELOPING A MODEL
“What is our company’s exposure to cyber attacks and cyber risks?”
To answer we have first to understand the question and to do so we divide it in logical sections.
1. our: client is interested in a comparison between he and everyone else, a reference is needed
2. company: information about the business, not related to private or governmental entities
3. exposure: psychological aspect, how client feels unprotected compared to his peers
4. risk: psychological aspect, not measurable unless derived from impact and probability
5. cyber: identifies the environment in which the client perceives a problem, so the subject
6. attacks: psychological aspect, non measurable unless derived from surrounding environment
And now that we know what the client wants we can rewrite the question in a way that can allow
us to take direct and measurable actions:
“Can we tell the client how well he operates, compared to his peers operating in the same
business environment, by measuring the probability of being a target and the impact of this action
and generate a relative measure of the risk related to the subject, so he can understand how
distant his way of conducting the business is to the reference of the industry?”
24

25. EXTRA – DEVELOPING A MODEL
PREPARATION (PREREQUISITES):
1. Find the list of businesses (peers) that are competitors or providers of our client [Peers]
2. Find the market in which both client and peers are operating [Environment]
3. Find which kind of operational indicators (KPI) are important for the client [ClientKPI]
4. Find which kind of operational indicators (KPI) are important for the peers [PeersKPI]
5. Find which kind of operational indicators (KPI) are important for the subject [SubjectKPI]
6. Find which kind of technical indicators are relevant for client [ClientTI]
7. Find which kind of technical indicators are relevant for peers [PeersTI]
8. Find which kind of technical indicators are relevant for subject [SubjectTI]
9. Find or create a table that measures the probability an action has to happen [Probability]
10. Find or create a table that measures how important is the impact of a given action [Impact]
To correlate the information we assign a code to each prerequisite action:
1 = [Peers]
4 = [PeersKPI]
7 = [PeersTI]
10 = [Impact]
25
2 = [Environment]
5 = [SubjectKPI]
8 = [SubjectTI]
3 = [ClientKPI]
6 = [ClientTI]
9 = [Probability]

26. EXTRA – DEVELOPING A MODEL
The “+” sign represents a correlation been created between two objects.
11=[1]+[2]= [Market]
12=[3]+[6]= [ClientIndex]
13=[4]+[7]= [PeersIndex]
14=[5]+[8]= [SubjectIndex]
15=[9]+[10]= [Risk]
16=[11]+[15]= [MarketRisk]
17=[12]+[15]= [ClientRisk]
18=[13]+[15]= [PeersRisk]
19=[14]+[15]= [SubjectRisk]
20=[16]+[19]= [EnvironmentRisk]
21=[17]+[18]= [BusinessRisk]
22=[20]+[21]= [IndustryRisk]
23=[3]+[4]= [DomainKPI]
24=[6]+ [7]= [DomainTI]
25=[15]+[23]= [PerformanceRisk]
26=[15]+[24]= [OperationalRisk]
27=[23]+[24]= [IndustryAverage]
28=[25]+[26]= [EconomicalRisk]
29=[27]+[28]= [IndustryReference]
The system of measurements has converted quantitative data, indicators, in human emotions,
risk and fear, and now we have to convert again fear into something measurable, so it can be
measured and managed as expected by the society and therefore used in business.
Sub-Question-1: (quantitative)
“how well he operates, compared to his peers?”
Answer= “[12] + [27]”
26
Sub-Question-2: (qualitative)
“a relative measure of the risk related to the subject?”
Answer= “[17] + [19]”

27. EXTRA – DEVELOPING A MODEL
27

28. THANK YOU
enrico.branca@awebof.info
28