
Cybersecurity: defending our digital future

Mike Burmester, Center for Security and Assurance in IT, Florida State University. 3rd Annual TechExpo, Tallahassee, May 6th 2010.


Presentation Transcript


  1. Cybersecurity: defending our digital future. Mike Burmester, Center for Security and Assurance in IT, Florida State University, 3rd Annual TechExpo, Tallahassee, May 6th 2010

  2. Talkthrough
     • Background
         • the White House Cyberspace Policy Review
     • Emerging network technologies
         • Wireless, ubiquitous
         • Cloud applications, intelligent networks
         • What next!
     • The adversary
         • We are behind the learning curve; the hackers are ahead
         • Security threats
     • How can we defend our digital future?
         • Near-term and midterm plans
         • Methodology
         • Technical aspects, technical analysis

  3. Background
     In Feb 2009 the President directed a 60-day “clean-slate” review to assess U.S. policies and structures for cybersecurity. In March 2009 the Cyberspace Policy Review was published.
     The Cybersecurity Review recommends general guidelines regarding the
     • Strategy
     • Policy, and
     • Standards
     for securing operations in cyberspace.
     “…our approach over the past 15 years has failed to keep pace with the threat.”

  4. Background: What is Cyberspace?
     “. . . the interdependent network of information technology infrastructures, including
     • the Internet
     • Telecommunications networks
     • Computer systems
     • Embedded processors and
     • Controllers in critical industries
     Common usage of the term also refers to the
     • Virtual environment of information and interactions between people”

  5. Background: What is Cyberspace? A historical perspective
     • 1985: a system of mainframe computers (NSFNET)
     • 1990: the Internet and Web applications
     • 2000+: Wireless networks
     • 2008+: Cloud applications
     • 20??: The Internet of Things
     • 20??: Virtual life?
     How can we secure a structure that keeps morphing?

  6. Emerging Network Technologies: the wireless medium, at the beginning . . .
     Wireless technology offers unparalleled opportunities
     Some time ago …
     • Telegraph
     • Radio communication
     • Amateur radio
     • TV

  7. Emerging Network Technologies: the wireless medium, more recently
     Wireless technology offers unparalleled opportunities
     • Wireless technology
     • Cellular systems (3G and beyond)

  8. Emerging Network Technologies: Bluetooth, Wi-Fi, sensors, RFIDs
     Short range point-to-point
     • Bluetooth Personal Area networks
     • Wi-Fi technologies
     • Wireless sensor networks
     • RFID (Radio Frequency Identification) systems

  9. Emerging Network Technologies: Sensor networks
     • Factory floor automation
     • Border fencing
     • Military applications

  10. RFID deployments
     • An RFID road pricing gantry in Singapore & an RFID tag
     • RFID tags used in libraries
     • Airports – checking luggage
     • U.S. (electronic) passports

  11. Wireless technologies
     Long range point-to-point
     • WiMAX technologies

  12. Wireless technologies with no infrastructure
     • Mobile ad hoc networks (MANETs)
     • Disaster recovery

  13. Ad hoc Vehicle-to-Vehicle communication
     • VANETs

  14. Ubiquitous networks
     • Network all applications!
     [Figure: The Internet of Things. Labels: IP backbone, further networks, server, router]

  15. What next! Cloud applications ???
     Delegate applications
     • Start with the Internet cloud
     • Delegate applications to the cloud

  16. . . . and next! Emerging technologies
     • Robotics
     • Nanotechnology
         • molecular self-assembly
         • developing new materials
     • Biotechnology
         • Analyzing the myriad simultaneous cellular activities
         • Living systems can be regarded as communication systems: they transmit the genome of the organism by replication/transcription and translation.

  17. Beyond next! Intelligent Networking ???

  18. Beyond . . . the beyond: Virtual Networking and Environments
     • Current definition (academic): A technology used to control remotely located computers and applications over the Internet
     • White House Policy Review definition of Cyberspace: A virtual environment of information and interactions between people
     • Cyberspace = the digital network infrastructure + cloud applications + virtual network technology + emerging technologies + intelligent networking

  19. Now, the bad . . . The adversary (the hackers)

  20. The adversary: Portrait of a Computer Criminal
     • Amateurs
         • Normal people, maybe disgruntled over some negative work situation
         • Have committed most of the computer crimes to date
     • Crackers or Hackers
         • Often high school/university students: cracking is seen as the ultimate victimless crime
         • Attack for curiosity, self-satisfaction and personal gain
     • Career criminals
         • Understand the targets of computer crime
         • Usually begin as computer professionals who later engage in computer crime, finding the prospects and payoff good
         • Electronic spies and information brokers who recognize that trading in companies' secrets can be lucrative

  21. The adversary: It is worse!
     A simple Google search, key words: Chinese, threat, cyberspace
     • MI5 alert on China’s cyberspace spy threat (Times Online), Dec 1, 2007 . . . The Government has openly accused China of carrying out state-sponsored espionage against vital parts of Britain's economy, including . . .
     • U.S. military flags China cyber threat, 2008-03-06 . . . The U.S. DoD warned in an annual report released this week that China continues to develop its abilities to wage war in cyberspace as part of a doctrine of "non-contact" warfare

  22. The adversary . . . much worse!
     Key words: France, threat, cyberspace
     • NATO chief calls attention to threats from cyberspace, Mar 4, 2010 . . . NATO is facing new threats in cyberspace that cannot be met by lining up soldiers and tanks, the alliance's secretary-general said Thursday in an apparent reference to terror groups and criminal networks
     Key words: International, threat, cyberspace
     • Threat of next world war may be in cyberspace, Oct 6, 2009 . . . The next world war could happen in cyberspace and that would be a catastrophe. We have to make sure that all countries understand that in that war . . .

  23. The adversary: New technologies can be abused
     • Are we prepared for intelligent networks?
     • Who will manage them?
     • Do we want
         • Centralized, or
         • Decentralized management
     • Who will protect our resources?
     • What are the threats?

  24. Security Threats
     • Confidentiality
         • Eavesdropping (wiretapping)
     • Privacy
         • Anonymity (Big Brother)
     • Integrity
         • Data integrity: protection against unauthorized modifications, data corruption, deletion . . .
         • Source or destination integrity: protection against spoofing attacks, man-in-the-middle attacks
     • Availability
         • Coverage & deployment
         • Information data accuracy: traffic control
         • Dependable data transport: what about transmission/omission/congestion errors?
         • What about malicious faults?

  25. The Internet is a hacker’s paradise. Security Threats: Perceived or Real
     • Impersonation Attacks
     • Denial of Service Attacks
     • Session Tampering and Hijacking
     • Man-in-the-Middle Attacks

  26. Can we protect Digital resources?
     • There are some very good cryptographic tools that can be used to protect digital resources
     • Many of these tools have proven security
     • The problem is usually bad implementations
     • The best cryptographic security is point-to-point security (such as VPN). The source & destination
         • are mutually authenticated (with public key cryptography)
         • exchange privately a fresh secret key (with public key cryptography)
         • use a symmetric key encryption scheme to encrypt exchanged data (with symmetric key cryptography)

  27. Can wireless technology be made secure?
     • Point-to-point security
         • Authentication usually involves certificates (a trusted third party certifies the public key of the entities) and a cryptographic handshake
         • WiMAX uses the Extensible Authentication Protocol for this purpose
         • For encryption it uses block ciphers such as DES3 or AES
         • This offers protection at the protocol layer
         • There are still problems at the physical layer, such as jamming attacks (Denial-of-Service), or flooding attacks
     • Security vs. functionality tradeoff
         • Rule of thumb: the more security the less functionality …
     • Holistic security

  28. Cybersecurity Policy Review: Near-Term Plan
     • Appoint cybersecurity coordinator
     • Prepare a national strategy
     • Designate cybersecurity as a priority . . .
     • Designate a privacy/civil liberties official
     • Formulate coherent unified policy guidance that clarifies roles, responsibilities . . . for cybersecurity activities across the Federal government
     • Initiate a public awareness and education campaign to promote cybersecurity

  29. Cybersecurity Policy Review: Near-Term Plan
     • Develop government positions for an international cybersecurity policy framework
     • Prepare a cybersecurity incident response plan
     • Develop a framework for R&D strategies that focuses on game-changing technologies . . . to enhance the security, reliability, resilience, and trustworthiness . . .
     • Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests . . .

  30. Cybersecurity Policy Review: Midterm Plan (14 items)
     • Support key education programs and R&D research to ensure the Nation’s continued ability to compete in the information age economy
     • Expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government
     • Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict . . .
     • Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology innovations

  31. Are we willing to pay the price? . . . we may have to . . . whether we like it or not . . .

  32. Methodology for Security
     • Resiliency
         • Against physical damage, unauthorized manipulation, and electronic assault. In addition to protection of the information itself,
         • A risk mitigation strategy with focus on devices used to access the infrastructure, the services provided by the infrastructure, the means of moving, storing and processing information
         • A strategy for prevention, mitigation and response against threats
     • Encouraging innovation
         • Harness the benefits of innovation
         • Not create policy and regulation that inhibits innovation
     • Maintain National Security/Emergency Preparedness Capabilities

  33. White House Cybersecurity Plan, RSA – 03/2010
     The Comprehensive National Security Initiative (12 items)
     • Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections
     • Deploy an intrusion detection system of sensors across the Federal enterprise
     • Deploy intrusion prevention systems across the Federal enterprise
     • Coordinate and redirect R&D efforts
     • Connect current cyber ops centers to enhance situational awareness
     • Develop a government-wide cyber counter intelligence plan

  34. White House Cybersecurity Plan, Revealed at RSA – 03/2010
     The Comprehensive National Security Initiative (12 items)
     • Increase the security of our classified networks
     • Expand cyber education
     • Define and develop enduring "leap-ahead" technology, strategies, and programs
     • Develop enduring deterrence strategies and programs
     • Develop a multi-pronged approach for global supply chain risk management
     • Define the Federal role for extending cybersecurity into critical infrastructure domains

  35. Cybersecurity Plan: Technical aspects
     • Deploy an ID (intrusion detection) system of sensors across the Federal enterprise
         • Einstein 2 capability: Signature-based sensors that analyze network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity
     • Deploy IP (intrusion prevention) systems across the Federal enterprise
         • Einstein 3 capability: Real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks
         • Identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response
         • Automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense

  36. Cybersecurity Plan: Technical analysis
     • Einstein 2 capability: Signature-based sensors will only detect copycat attacks; one-off attacks will not be checked
     • Einstein 3 capability will not detect unpredictable attacks that mimic normal behavior
     • Threat-based decision-making on network traffic, however, may deal with the consequences of such attacks
     • Markovian profiling is a good approach for threat-based decision making

  37. The most important technical point in this review is the realization that one cannot achieve cybersecurity solely by protecting individual components: there is no way to determine what happens when NIAP-reviewed products are all combined into a composite IT system. Quite right, and too little appreciated; security is a systems property, and in fact, part of the entire design-and-build process
     (Steven M Bellovin)
     Holistic Security
     . . . the Universal-Composability Framework may ultimately prove to be just a first step toward a complete solution
     (Joan Feigenbaum)
     . . . the main feature of the UC Framework is that the security of a composite system can be derived from the security of its components without need for holistic reassessment
     (Mike Burmester)

  38. Thanks for listening!

  39. Raise your hands if you have any questions
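
Slide 36's contrast between signature-based sensors and Markovian profiling, as an added example that is not part of the original talk: a signature matcher next to a first-order Markov chain profile of normal sessions, one simple reading of "Markovian profiling". The event names, sample sessions, signature, smoothing constant and threshold margin are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample data (not from the talk): sessions as sequences of coarse events.
NORMAL = [
    ["dns", "connect", "auth_ok", "get", "get", "close"],
    ["dns", "connect", "auth_ok", "get", "post", "close"],
    ["dns", "connect", "auth_fail", "auth_ok", "get", "close"],
    ["connect", "auth_ok", "get", "get", "post", "close"],
]
# Constructed signature of a previously seen attack: three failed logins in a row.
SIGNATURES = [("auth_fail", "auth_fail", "auth_fail")]

def matches_signature(session):
    """Signature sensor: flags only sessions containing a known event pattern."""
    for sig in SIGNATURES:
        n = len(sig)
        if any(tuple(session[i:i + n]) == sig for i in range(len(session) - n + 1)):
            return True
    return False

class MarkovProfile:
    """First-order Markov chain of normal behaviour with additive smoothing."""
    def __init__(self, sessions, alpha=0.1, margin=1.5):
        self.pairs, self.outgoing, self.alpha = Counter(), Counter(), alpha
        for s in sessions:
            for a, b in zip(s, s[1:]):
                self.pairs[(a, b)] += 1
                self.outgoing[a] += 1
        self.vocab = len({e for s in sessions for e in s})
        # Alert threshold: the least likely training session, with some headroom.
        self.threshold = margin * max(self.score(s) for s in sessions)

    def score(self, session):
        """Mean negative log-likelihood per transition; higher means less normal."""
        steps = list(zip(session, session[1:]))
        total = 0.0
        for a, b in steps:
            p = (self.pairs[(a, b)] + self.alpha) / (self.outgoing[a] + self.alpha * self.vocab)
            total -= math.log(p)
        return total / max(len(steps), 1)

    def is_anomalous(self, session):
        return self.score(session) > self.threshold

PROFILE = MarkovProfile(NORMAL)
COPYCAT = ["dns", "connect", "auth_fail", "auth_fail", "auth_fail", "close"]
ONE_OFF = ["dns", "connect", "get", "post", "post", "post", "close"]  # no known pattern
MIMIC = ["dns", "connect", "auth_ok", "get", "post", "close"]  # shaped like normal traffic
```

The copycat session trips the signature, the one-off session is caught only by the profile, and the mimic session passes both, which is the limit the slide attributes to attacks that imitate normal behavior.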
