SlideShare a Scribd company logo

The importance of Cybersecurity

B
Benoit Callebaut

The document discusses the significance of cybersecurity in protecting computer systems and data from various threats, including malicious attacks and data breaches. It outlines different types of cybersecurity threats, such as social engineering and ransomware, and emphasizes the importance of safety and reliability in technology, particularly in the context of IoT devices. The conclusion highlights the growing financial and social risks associated with cybersecurity incidents and the need for proactive measures during the design phase of technology.

Software
1 of 36
Downloaded 16 times
1
2
3
Most read
4
5
6
Most read
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Most read
27
28
29
30
31
32
33
34
35
36
THE IMPORTANCE OF CYBERSECURITY 26/05/2021
www.nalys-group.com INTRODUCTION
www.nalys-group.com WHAT IS CYBERSECURITY Protection of computer systems from information disclosure, theft or damage to their hardware, software, or electronic data as well as from disruption or misdirection of the service they provide. ( Wikipedia ) Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com WHAT IS IT NOT • Protection of the personal data privacy ➔ Privacy ➔ GDPR • Data Availability in case of an accident ➔ Business continuity • Make sure your servers are always online ➔ Reliability and redundancy • Make sure your system always behave correctly ➔ Safety Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com IOT PERSPECTIVE Safety Protecting the user of the device. Ex: Your car or plane may not crash even if it experiences issues Security Protecting the device from the malicious user Ex: One try to inject a virus into your phone while clicking on a web page. Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com THE GRAY ZONE The brake control software in your car must be: • Bug free • Not be upgradable by anybody … to avoid breaking its safety features Introduction When it goes wrong Technical side Facts numbers Conclusion Safety Security If there is water in you washing machine, the door must stay locked Your locker may only be opened with your key, so your belongings are safe
www.nalys-group.com CYBERSECURITY AND OTHER CONCERNS Cybersecurity is part of a global set of concerns that at the end aims at making sure that : • Your personal data can only be accessed and modified by you or somebody you trust • The system you use always behaves as specified Introduction When it goes wrong Technical side Facts numbers Conclusion Cybersecurity Reliability Privacy Safety
www.nalys-group.com WHEN IT GOES WRONG
www.nalys-group.com IMPACT OF A CYBERSECURITY ACCIDENT • Low impact : You don’t notice or you are only annoyed o Ex: Viruses, zombie machines (parasitism) • High impact : There is a financial or social damage o Ex: everybody knows you have a mistress/ see you naked o Ex: Ransomware, Bitcoin Heist… • Life threatening : Lives are at stake o Ex : F-35 hack target identification compromised o Ex : Ransomware attack on german hospital caused death
www.nalys-group.com HACKERS : MEN IN BLACK OR MEN IN WHITE White hats or Ethical hackers. They are paid to find the vulnerabilities in your infrastructure Black hats or the « bad guys » They do that for money or to cause damages. Sometimes they even work for the state They both like to party DEFCON and BlackHat convention is the place to be to learn about the hot topics in term of cybersecurity (like how to hack your Tesla)
www.nalys-group.com CERT Computer Emergency Response Team Team in a company responsible to monitor attacks and to respond to them as fast as possible, limiting the damages caused. Examples: o Cert.be for Belgium o CERT-EU : for Europe and NATO has also one o US-CERT Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com ATTACK TYPES Common attacks • Social engineering : trick people into give you information of somebody else • Viruses : Tojan, worms, ransomware... • Denial of Service / Brute force : using Botnet • Targetted attacks : StuxNet…  typically performed by states. Side channel attacks • DPA : Differential Power Attacks • Statistical time analysis • Probing using EM probes or microscopes… Stealing company secrets (blueprints…) Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com SECURITY STANDARDS National Security and Militrary o Common Criteria : Regulates how to develop secure IT products ▪ Ex: RedHaT, MacOSX, TPM 2 chips, MySQL, Oracle DB… o Tempest : regulation about electromagnetic emissions Industry specific standards o Payment : PCI-DSS o CCNA, CompTIA o ANSI Coding rules, o OWASP… Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com THE TECHNICAL SIDE
www.nalys-group.com INTRODUCTION • Requirements :Target of Evaluation in Common Criteria… • Cryptography : algorithms and procedures • Concepts : need to know, layered security, access control… • Technologies : TLS, TPM 2.0, TrustZone… Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com COMMON CRITERIA • Target of Evaluation (ToE) : What are ou protecting • Protection Profile (PP) : Defines threats, roles, security objectives, SFR,SAR… • Security Target : describe the security problem and “how” to address it. • Security functional requirement : requirements about security • Security Assurance requirements : number : how strict are you ➔ Define an Evaluation Assurance Level Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com CONCEPTS – LAYERED PROTECTION Introduction When it goes wrong Technical side Facts numbers Conclusion Hardware Chips. Ex:TPM 2 Board Mechanics Detect physical intrusion DPA, probing Operating System Libraries Filesystem/Data Access rights Network Application
www.nalys-group.com CONCEPTS – LAYERED PROTECTION Introduction When it goes wrong Technical side Facts numbers Conclusion Each security layer protects against the flaws of the previous layer
www.nalys-group.com TPM 2.0 – THE SECURITY CHIP INSIDE YOUR PC • X86 processors have no HW security features • UEFI starts without any security • The TPM 2.0 is unable to verify if a request is made by a trusted party. • The TPM 2.0 sees only « The Processor » • UEFI + TPM 2.0 security can be fooled o Managment engine o Malicious code in other HW subsystems Introduction When it goes wrong Technical side Facts numbers Conclusion TPM 2.0 Chip Secure VAULT Crypto Engine X86 Processor  Unencrypted link  No string authentication UEFI Settings
www.nalys-group.com TPM 2.0 – THE SECURITY CHIP INSIDE YOUR PC • System is vulnerable before and during UEFI boot process • Prevent installation of SW not signed by Microsoft (or Apple if you have a Mac) Consequence • It doesn’t protect your privacy • It doesn’t protect you from any malicious program It has nothing to do with cybersecurity Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com TRUSTZONE Hardware and Software Solution • Hardware o Virtual second core with segregation of memory accesses o HW vendor specific additions to provide end to end solution • Software o OP-Tee : secure firmware o TF-A : secure pre-bootloader that initialize the TrustZone Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com
www.nalys-group.com TRUSTZONE - SOFTWARE
www.nalys-group.com TRUSTZONE -SOFTWARE
www.nalys-group.com CRYPTOGRAPHY • Confidentiality : encryption/decryption using a key o Key length is a measure of the algorithm strength • Authenticity: Use of certificates to authenticatethe user o Need a « Root of Trust » : Something/somebody that can tell you if the data are real • Integrity : Use of secure hashes. Impossible for a Man in the Middle to rebuild a correct hash without the correct key Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com SYMETRIC ENCRYPTION (DES – AES) Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com ASYMETRIC ENCRYPTION ( RSA - ECDA) Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com ASYMETRIC ENCRYPTION - PKI Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com FACT NUMBERS
www.nalys-group.com AN EXPLOSION OF POSSIBILITIES
www.nalys-group.com IOT FACTS AND NUMBERS • Revenue is $212 billion worldwide • 2020 : 20.4 billion IoT devices online – 2025 : 75 billion devices • 1 trillion dollar spent on IoT this year • 847 zettabytes (1021) of data generated Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com CYBERSECURITY FACTS AND NUMBERS • 10.5 trillion $ damage by 2025 • 1 trillion dollars spent on Cybersecurity this year • More than 400 Million user records stolen in 2020 • 50m$ -70m$ in ransomware • Bitcoins worth 530m$ stolen in 2019 Introduction When it goes wrong Technical side Facts numbers Conclusion
www.nalys-group.com CONCLUSION
www.nalys-group.com • Cybersecurity carries a huge financial/social risk • Risk is growing exponentially – Follows the IoT trend • Must be taken into account during design phase • It will never be perfect – You will be hacked someday • Challenging technological problem • Even more challenging procedural problem Introduction When it goes wrong Technical side Facts numbers Conclusion
THANK YOU FOR YOUR ATTENTION 35
www.nalys-group.com CONTACT • Benoit Callebaut : bcallebaut@nalys-group.com • Ntech : ntech@nalys-group.com www.ntech-events.com

More Related Content

PPTX
Microsoft word ppt presentation
vethics
 
PPTX
Social Media Cyber Security Awareness Briefing
Department of Defense
 
PDF
Business Analysis Fundamentals
waelsaid75
 
PDF
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPSX
Introduction to Business Analysis
Shwetha-BA
 
PPT
Nerve Impulse
scuffruff
 
PPT
Business Analyst Training
Craig Brown
 
PPTX
Big Data Analytics for Smart Health Care
Eshan Bhuiyan
 
Microsoft word ppt presentation
vethics
 
Social Media Cyber Security Awareness Briefing
Department of Defense
 
Business Analysis Fundamentals
waelsaid75
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Introduction to Business Analysis
Shwetha-BA
 
Nerve Impulse
scuffruff
 
Business Analyst Training
Craig Brown
 
Big Data Analytics for Smart Health Care
Eshan Bhuiyan
 

What's hot (20)

PPTX
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
PDF
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Edureka!
 
PDF
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
PPTX
Cybersecurity Awareness
JoshuaWisniewski3
 
PPTX
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
PPTX
cyber security presentation.pptx
kishore golla
 
PDF
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Edureka!
 
PPTX
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
PPTX
Information Security Awareness
SnapComms
 
PPTX
Cyber security
Manjushree Mashal
 
PDF
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Edureka!
 
PPT
Cyber Security and Cyber Awareness
Jay Nagar
 
PPTX
Cyber security system presentation
A.S. Sabuj
 
PPTX
The CIA triad.pptx
GulnurAzat
 
PDF
Introduction to Cybersecurity
Krutarth Vasavada
 
PPTX
Role of Forensic Triage In Cyber Security Trends 2021
Amrit Chhetri
 
PPTX
Cybersecurity
Foram Gosai
 
PDF
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
PPTX
cyber security
BasineniUdaykumar
 
PPTX
Presentation of Social Engineering - The Art of Human Hacking
msaksida
 
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Cybersecurity Fundamentals | Understanding Cybersecurity Basics | Cybersecuri...
Edureka!
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Cybersecurity Awareness
JoshuaWisniewski3
 
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
cyber security presentation.pptx
kishore golla
 
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Edureka!
 
Cybersecurity 1. intro to cybersecurity
sommerville-videos
 
Information Security Awareness
SnapComms
 
Cyber security
Manjushree Mashal
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Edureka!
 
Cyber Security and Cyber Awareness
Jay Nagar
 
Cyber security system presentation
A.S. Sabuj
 
The CIA triad.pptx
GulnurAzat
 
Introduction to Cybersecurity
Krutarth Vasavada
 
Role of Forensic Triage In Cyber Security Trends 2021
Amrit Chhetri
 
Cybersecurity
Foram Gosai
 
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
cyber security
BasineniUdaykumar
 
Presentation of Social Engineering - The Art of Human Hacking
msaksida
 
Ad

Similar to The importance of Cybersecurity (20)

PPT
Beware the Firewall My Son: The Workshop
Michele Chubirka
 
PPT
Network Security Tools and applications
webhostingguy
 
PPTX
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
PDF
IDC Security 2014, Endpoint Security in Depth
Ken Tulegenov
 
PDF
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Michele Chubirka
 
PPTX
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
PPTX
Malware Analysis
Ramin Farajpour Cami
 
PPT
Introduction to Hacking
Rishabha Garg
 
PPT
Ecommerce Security
Rebecca Jones
 
PPTX
Prevent Getting Hacked by Using a Network Vulnerability Scanner
GFI Software
 
PDF
SecurityOperations
Antonio (Tony) Robinson
 
PPTX
Big Bang Theory: The Evolution of Pentesting High Security Environments
Joe McCray
 
PPTX
LIS3353 SP12 Week 9
Amanda Case
 
PDF
Finding the needle in the hardware haystack - HRES (1)
Tim Wright
 
PPTX
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
DOCX
Security technology
Praveen Kumar V
 
PDF
Super1
neelakanteswarreddy
 
PPTX
AktaionPPTv5_JZedits
Rod Soto
 
PPTX
Regan, Keller, SF State Securing the vendor mr&ak
DET/CHE Directors of Educational Technology - California in Higher Education
 
PPTX
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Beware the Firewall My Son: The Workshop
Michele Chubirka
 
Network Security Tools and applications
webhostingguy
 
Keynote at the Cyber Security Summit Prague 2015
Claus Cramon Houmann
 
IDC Security 2014, Endpoint Security in Depth
Ken Tulegenov
 
Beware the Firewall My Son: The Jaws That Bite, The Claws That Catch!
Michele Chubirka
 
Keynote Information Security days Luxembourg 2015
Claus Cramon Houmann
 
Malware Analysis
Ramin Farajpour Cami
 
Introduction to Hacking
Rishabha Garg
 
Ecommerce Security
Rebecca Jones
 
Prevent Getting Hacked by Using a Network Vulnerability Scanner
GFI Software
 
SecurityOperations
Antonio (Tony) Robinson
 
Big Bang Theory: The Evolution of Pentesting High Security Environments
Joe McCray
 
LIS3353 SP12 Week 9
Amanda Case
 
Finding the needle in the hardware haystack - HRES (1)
Tim Wright
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
Security technology
Praveen Kumar V
 
Super1
neelakanteswarreddy
 
AktaionPPTv5_JZedits
Rod Soto
 
Regan, Keller, SF State Securing the vendor mr&ak
DET/CHE Directors of Educational Technology - California in Higher Education
 
Presentation infra and_datacentrre_dialogue_v2
Claus Cramon Houmann
 
Ad

Recently uploaded (20)

PPTX
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
Materi-Enum-and-Record-Data-Type (1).pptx
RanuFajar1
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
DOCX
The Five Best AI Cover Tools in 2025.docx
aivoicelabofficial
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PPT
JAVA ppt tutorial basics to learn java programming
pradeepjava2016
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PPTX
Materi_Pemrograman_Komputer-Looping.pptx
RanuFajar1
 
PPTX
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Materi-Enum-and-Record-Data-Type (1).pptx
RanuFajar1
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
The Five Best AI Cover Tools in 2025.docx
aivoicelabofficial
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
JAVA ppt tutorial basics to learn java programming
pradeepjava2016
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Materi_Pemrograman_Komputer-Looping.pptx
RanuFajar1
 
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Introduction Database Management System for Course Database
ReinertYosua
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 

The importance of Cybersecurity

  • 3. www.nalys-group.com WHAT IS CYBERSECURITY Protection of computer systems from information disclosure, theft or damage to their hardware, software, or electronic data as well as from disruption or misdirection of the service they provide. ( Wikipedia ) Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 4. www.nalys-group.com WHAT IS IT NOT • Protection of the personal data privacy ➔ Privacy ➔ GDPR • Data Availability in case of an accident ➔ Business continuity • Make sure your servers are always online ➔ Reliability and redundancy • Make sure your system always behave correctly ➔ Safety Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 5. www.nalys-group.com IOT PERSPECTIVE Safety Protecting the user of the device. Ex: Your car or plane may not crash even if it experiences issues Security Protecting the device from the malicious user Ex: One try to inject a virus into your phone while clicking on a web page. Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 6. www.nalys-group.com THE GRAY ZONE The brake control software in your car must be: • Bug free • Not be upgradable by anybody … to avoid breaking its safety features Introduction When it goes wrong Technical side Facts numbers Conclusion Safety Security If there is water in you washing machine, the door must stay locked Your locker may only be opened with your key, so your belongings are safe
  • 7. www.nalys-group.com CYBERSECURITY AND OTHER CONCERNS Cybersecurity is part of a global set of concerns that at the end aims at making sure that : • Your personal data can only be accessed and modified by you or somebody you trust • The system you use always behaves as specified Introduction When it goes wrong Technical side Facts numbers Conclusion Cybersecurity Reliability Privacy Safety
  • 9. www.nalys-group.com IMPACT OF A CYBERSECURITY ACCIDENT • Low impact : You don’t notice or you are only annoyed o Ex: Viruses, zombie machines (parasitism) • High impact : There is a financial or social damage o Ex: everybody knows you have a mistress/ see you naked o Ex: Ransomware, Bitcoin Heist… • Life threatening : Lives are at stake o Ex : F-35 hack target identification compromised o Ex : Ransomware attack on german hospital caused death
  • 10. www.nalys-group.com HACKERS : MEN IN BLACK OR MEN IN WHITE White hats or Ethical hackers. They are paid to find the vulnerabilities in your infrastructure Black hats or the « bad guys » They do that for money or to cause damages. Sometimes they even work for the state They both like to party DEFCON and BlackHat convention is the place to be to learn about the hot topics in term of cybersecurity (like how to hack your Tesla)
  • 11. www.nalys-group.com CERT Computer Emergency Response Team Team in a company responsible to monitor attacks and to respond to them as fast as possible, limiting the damages caused. Examples: o Cert.be for Belgium o CERT-EU : for Europe and NATO has also one o US-CERT Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 12. www.nalys-group.com ATTACK TYPES Common attacks • Social engineering : trick people into give you information of somebody else • Viruses : Tojan, worms, ransomware... • Denial of Service / Brute force : using Botnet • Targetted attacks : StuxNet…  typically performed by states. Side channel attacks • DPA : Differential Power Attacks • Statistical time analysis • Probing using EM probes or microscopes… Stealing company secrets (blueprints…) Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 13. www.nalys-group.com SECURITY STANDARDS National Security and Militrary o Common Criteria : Regulates how to develop secure IT products ▪ Ex: RedHaT, MacOSX, TPM 2 chips, MySQL, Oracle DB… o Tempest : regulation about electromagnetic emissions Industry specific standards o Payment : PCI-DSS o CCNA, CompTIA o ANSI Coding rules, o OWASP… Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 15. www.nalys-group.com INTRODUCTION • Requirements :Target of Evaluation in Common Criteria… • Cryptography : algorithms and procedures • Concepts : need to know, layered security, access control… • Technologies : TLS, TPM 2.0, TrustZone… Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 16. www.nalys-group.com COMMON CRITERIA • Target of Evaluation (ToE) : What are ou protecting • Protection Profile (PP) : Defines threats, roles, security objectives, SFR,SAR… • Security Target : describe the security problem and “how” to address it. • Security functional requirement : requirements about security • Security Assurance requirements : number : how strict are you ➔ Define an Evaluation Assurance Level Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 17. www.nalys-group.com CONCEPTS – LAYERED PROTECTION Introduction When it goes wrong Technical side Facts numbers Conclusion Hardware Chips. Ex:TPM 2 Board Mechanics Detect physical intrusion DPA, probing Operating System Libraries Filesystem/Data Access rights Network Application
  • 18. www.nalys-group.com CONCEPTS – LAYERED PROTECTION Introduction When it goes wrong Technical side Facts numbers Conclusion Each security layer protects against the flaws of the previous layer
  • 19. www.nalys-group.com TPM 2.0 – THE SECURITY CHIP INSIDE YOUR PC • X86 processors have no HW security features • UEFI starts without any security • The TPM 2.0 is unable to verify if a request is made by a trusted party. • The TPM 2.0 sees only « The Processor » • UEFI + TPM 2.0 security can be fooled o Managment engine o Malicious code in other HW subsystems Introduction When it goes wrong Technical side Facts numbers Conclusion TPM 2.0 Chip Secure VAULT Crypto Engine X86 Processor  Unencrypted link  No string authentication UEFI Settings
  • 20. www.nalys-group.com TPM 2.0 – THE SECURITY CHIP INSIDE YOUR PC • System is vulnerable before and during UEFI boot process • Prevent installation of SW not signed by Microsoft (or Apple if you have a Mac) Consequence • It doesn’t protect your privacy • It doesn’t protect you from any malicious program It has nothing to do with cybersecurity Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 21. www.nalys-group.com TRUSTZONE Hardware and Software Solution • Hardware o Virtual second core with segregation of memory accesses o HW vendor specific additions to provide end to end solution • Software o OP-Tee : secure firmware o TF-A : secure pre-bootloader that initialize the TrustZone Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 25. www.nalys-group.com CRYPTOGRAPHY • Confidentiality : encryption/decryption using a key o Key length is a measure of the algorithm strength • Authenticity: Use of certificates to authenticatethe user o Need a « Root of Trust » : Something/somebody that can tell you if the data are real • Integrity : Use of secure hashes. Impossible for a Man in the Middle to rebuild a correct hash without the correct key Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 26. www.nalys-group.com SYMETRIC ENCRYPTION (DES – AES) Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 27. www.nalys-group.com ASYMETRIC ENCRYPTION ( RSA - ECDA) Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 28. www.nalys-group.com ASYMETRIC ENCRYPTION - PKI Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 31. www.nalys-group.com IOT FACTS AND NUMBERS • Revenue is $212 billion worldwide • 2020 : 20.4 billion IoT devices online – 2025 : 75 billion devices • 1 trillion dollar spent on IoT this year • 847 zettabytes (1021) of data generated Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 32. www.nalys-group.com CYBERSECURITY FACTS AND NUMBERS • 10.5 trillion $ damage by 2025 • 1 trillion dollars spent on Cybersecurity this year • More than 400 Million user records stolen in 2020 • 50m$ -70m$ in ransomware • Bitcoins worth 530m$ stolen in 2019 Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 34. www.nalys-group.com • Cybersecurity carries a huge financial/social risk • Risk is growing exponentially – Follows the IoT trend • Must be taken into account during design phase • It will never be perfect – You will be hacked someday • Challenging technological problem • Even more challenging procedural problem Introduction When it goes wrong Technical side Facts numbers Conclusion
  • 35. THANK YOU FOR YOUR ATTENTION 35
  • 36. www.nalys-group.com CONTACT • Benoit Callebaut : bcallebaut@nalys-group.com • Ntech : ntech@nalys-group.com www.ntech-events.com