
Cybersecurity & Cyberwar What Everyone Needs to Know Part 3


Presentation Transcript


  1. Cybersecurity & Cyberwar What Everyone Needs to Know Part 3 Ranette Halverson Department of Computer Science - MSU

  2. 1. Don’t Get Fooled: Why can’t we build a new, more Secure Internet? • Good question! • .secure Model • “Secure, protected zone” • Security is required • No hosted malware • Fully implemented top-of-line protections • Rapid vulnerability patching • How can you enforce???

  3. Can .secure work? • Only secures the websites • Assures you which web sites are safe • Website won’t “attack” you, but site could be breached • No protection from malicious actors • Scale (size) • Bigger NW → More Security Problems • Smaller NW → Not Useful • Companies can reduce or separate NWs • Air gap doesn’t always work

  4. 2. Rethink Security DNS Changer virus – 2012 • Estonia-based cybercriminal ring • Infected 570K computers worldwide • Caused users to use criminals’ DNS servers, then to fraudulent web sites (est. $14 M) • FBI – took control but couldn’t shut it down – No internet • 9 months: provided service & notified victims (cost $87K) • Finally, “unplugged”

  5. What is Resilience? • Ability to Adapt & Recover from Adverse Conditions • Not specific to computing… • With respect to organizations & systems • Prepared for attacks • Maintain functionality while under attack • Intrusion Tolerance ~ accept attacks happen, keep systems running whatever the damage • Capacity to work under degraded conditions • Recover quickly • Learn from mistakes

  6. Continuity Plans & Fault Tolerance • Old: Natural Disasters ~ Goal - Up & Running Fast • Fire, Redundancy, Reliability • E.G. Space Shuttle • New: Cyber Attack ~ Goal – preserve functions • Quickly lock-down data, turn-on defenses, shut down NW, fail gracefully • Never critical failure from single attack • Distributed control & services • Failure must be evident • Metrics

  7. Human Component • Adaptability & Recovery requires Individuals & Processes • Don’t Freak Out – Keep Calm & Carry On Challenges & Conflicts • Fear drives up budgets, drives down confidence • Redundancy is wasteful • Resiliency is understanding how different pieces fit together, how to keep them together, how to bring them back together after attack

  8. 3. Reframe the Problem (and the Solution): What can we learn from Public Health? Centers for Disease Control = 1947 • Understand emerging threats, determine trusted partners, share information with everyone Cyber CDC needed • Research & information sharing, cooperation & collaboration • Threat & incident watch, data dissemination, threat analysis, intervention recommendations, coordination of prevention • Transparency – like person with unreported disease

  9. 4. Learn from History: What can (real) Pirates teach us about Cybersecurity? • Omit this section • Interesting reading

  10. 5. Protect World Wide Governance for the WWW: What is the role of International Institutions? International Telegraph Union (ITU) – 1865 • Nations convened, agreed to set of standards for TELEGRAPH • Included privacy • But nations “reserve right to stop any transmission considered dangerous for state security, or in violation of national laws, public order, or morals” • Ensured Governments would retain control

  11. International Telecommunications Union • Name change + radio → telephone • 2012 – Dubai meeting - considered Internet • Digital version of the Cold War • Proposal to include Internet passed • ½ nations disagreed & walked out • Unenforceable • Control vs. Open Internet

  12. Governance of WWW & Internet • Differing points of view • Governments should control WWW & internet • Governments should have no role • Declaration of Independence of Cyberspace, J. Barlow (p181) – Electronic Frontier Foundation • https://www.eff.org/cyberspace-independence • Do you agree?

  13. Problems with Declaration • Governments see internet as crucial to • Global commerce & communication • National security • Economic prosperity • There is no “Free” part of the internet • Every piece of equipment within country is subject to laws • People using internet are subject to laws of residence • Governments uncomfortable with unregulated, uncontrollable

  14. 6. “Graft” the Rule of Law: Do we need a Cyberspace Treaty? • We all follow HUNDREDS of rules daily! • Name some! -- What would happen if we didn’t? • Do we need Cyber Rules? Do we want them? • Countries say they want a Cyberspace Treaty… but those with the most power want to keep it!

  15. Why the Reticence about Treaty? • Powerful fear it will restrict them, allow others to catch up, or others will ignore • Different priorities by various states • Like 1967 Outer Space Treaty • No one owns space, used for lots of things, prohibits harmful interference, bans launch of nuclear weapons • Also, Antarctica • Challenge – Cyberspace is different from anything else • “Control expectations & developing principles, rules & procedures, & norms about how states behave with respect to the domain”

  16. 2001 Council of Europe’s Convention on Cybercrime • US, Japan, Canada & South Africa joined Europe • Could develop into greater treaty • GRAFT – horticulture term • Rather than start anew, build off established frameworks & common interests, • “Everyone” wants internet to run smoothly & cyber crime to be controlled

  17. More here….????

  18. 7. Understand Limits of State in Cyberspace: Why can’t the Government Handle it? • 1440 – Gutenberg Printing Press • The first Information Revolution • → Wars → Nation-States as we know today • Govt. still have difficulty keeping up • Pirate Bay (see video) ~ peer-to-peer sharing • Some prosecuted, but couldn’t stop site from moving • WikiLeaks – Julian Assange • Protected by Ecuador (William Snowden by Russia) • Switzerland, Sweden, Australia

  19. Limits of Governments - Cyberspace • Other Governments don’t cooperate • Limited by territory • Most Cyberspace controlled by private entities • “98% of US govt. communications, including classified, travel over civilian-owned-&-operated NWs & systems” (Adm. McConnell) • Early days, “1-company monopolies” – telephone, power • Inability to control or prioritize (packets) • Need balance

  20. 8. Rethink Government’s Role: How to better Organize for Cybersecurity? • Governments move slowly! (At least in the US!!) • 2004 GAO – Need National Cybersecurity Policy – still none • No substantive cyber-legislation since 2002 • Federal Risk & Authorization Management Program (FedRAMP) • 2013 – one-time security certification for contractors • Took 6 months to get first company certified! • Overall in US - Mixed-up collection of policies, intelligence, sharing (or not) among agencies

  21. Concerns with Government Involvement~~ Intelligence Agencies • Privacy – spying on private citizens! • It has happened ~ It is still happening (in US) • Focus on espionage • Operate with less oversight & transparency • Great responsibility, little power! • Several other agencies & departments – develop standards • Overlap, gaps, conflicts, few incentives

  22. Other US Agencies - Departments • Develop standards for various industries • NIST, Federal Reserve, NERC • Problems with multiple overseers: • Overlap, gaps, conflicts, few incentives, unclear standards • No clear delineation of authority & leadership • One Solution: Buying Power ($100 billion/year) • Example: COBOL • Government Requirements become Standards

  23. Spam levels around the world drop by 70% • Could have been a news headline in 2008. How? Brian Krebs, Washington Post • Investigating McColo – web hosting co., Calif., - hosting large number of cybercriminal gangs • Contacted large ISPs, asked them to stop providing service • Hurricane Electric – dropped McColo • Visa & child porn, 2002 ~ terminated & reported • 80% sites shut down or couldn’t accept Visa • Lessons learned – need cooperation & action!

  24. 9. Approach It as a Public-Private Problem: How do we better Coordinate Defense? • Some companies monitor & stop questionable activities • Digital currencies – Bitcoin, Linden Dollar (Second Life) • Can be used by everyone, w/o banks • Easy for criminals to use, no tracking, no banks, gambling, money laundering • ISPs – recognize unusual traffic • Anti-Bot Code of Conduct – US – Voluntary – supported by ISPs • Companies: protect “self” – not “cooperative” w/ law enf.

  25. Cost vs. Risk ~ Public vs. Private • Hard to justify paying for unseen risk (Consider MSU) • Public infrastructure – too big for one entity to manage • Need Security Standards – private & public cooperation • Too many choices & companies offering services • US + SANS (private) + others → consortium; UK joined • Developed 20 controls → addresses KNOWN threats • No consensus: Government vs. Private • Major Co. Lack of cooperation with Govt. ~ Apple, Yahoo

  26. 10. Exercise Is Good for You: How can we better PREPARE for Cyber Incidents? • Red Team – improve preparation – e.g. Facebook 2013 • Test Beds – simulations, NW, environments • Honeypot – Honeynet – isolated, open to attacks • Cyber Range – offensive test bed (Stuxnet??) • Practices • Identify deficiencies, develop new plans, understand extent • Strengthen defences, defuse tensions

  27. Obstacles in Exercises • TESTS: Too specific vs. Too general • Self Test – do they really “try” hard • Must have specific stated goals, purpose • Whose goals?? Everyone is different! • Interactions with others hard to simulate

  28. 11. Build Cybersecurity Incentives: Why should I do what you want? Few incentives but to protect self! What’s happening? • Individual Bad Security – endangers others • No updates, lack of transparency & security • Incentives not understood – no financial return • Too many involved – Who’s responsible? • Ex: Android phone: Google, Mfg., Carrier? • Security makes things worse?? TRUSTe (certify)

  29. Some Successful incentives • Limited Liability for Credit Card Customers • CVV – asking limits merchant liability, illegal to store • Payment Card Industry Data Security Standards

  30. Why not security? • $ spent on security is not spent on company goal • Leaders don’t understand long-term risk & cost • Need consumer awareness & demand • May need government requirements • Price of defense is more than price of attack • New Markets – e.g. Selling Zero Days

  31. 12. Learn to Share: How can we better Collaborate on Information? SHARE! • Banking ~ Takedown Companies • Find fake sites & remove • Lack of sharing cost clients $330 M • Some info can only be determined via the attack! • Malware digital signature • Address very specific target • Time sensitive • Sharing can help the adversary adjust

  32. Sharing ~ With whom? How? • Centralized vs. Decentralized • Information Sharing & Analysis Centers (ISACs - 1998) • Organized around specific industries ~ e.g. IT-ISAC • Few formal procedures • DoD – “anonymous” system for contractors & vendors • Companies Fear Sharing

  33. 13. Demand Disclosure: What is the Role of Transparency? Laws? • California 2003 – data breaches must be disclosed ~ bill delayed (not just digital) • 2004 state DB breached & legislators’ info. released • 2005 Law went into effect! • 2013 – 46 states have similar laws • Disclosure → Accountability • 2011 study: 500 of 1000 companies chose not to investigate breaches of security

  34. 14. Get “Vigorous” about Responsibility: How can we create Accountability for Security? Lack of Accountability & Enforcement • HIPAA: Medical records: fines, prosecution • 2003-2006 – 19,420 complaints, NO penalties • 1/3 corporate boards address Cyber Issues (2012) • “Low-hanging fruit” (= easy) • Exploitation of widely known vulnerabilities • Default passwords, unpatched systems, lack of security • Stupid Humans

  35. Compliance vs. Security • Govt. Regulations → Compliance • Govt. Regulations make companies Nervous! • What’s the difference?? Why is this bad?? • Compliance replaces accountability • Liability, Cyber Insurance → Can increase accountability • Insurance enforces good practices • Need Education • Risk, Overall cost

  36. 15. Find the IT Crowd: How do we solve the Cyber People Problem? • Two problems ~ Numbers & Talent • Normal Us & lack of knowledge & Lack of Cyber professionals • Small talent Pool – E.G. Homeland Security stats • 2008: 40 cybersecurity employees • 2012: 400 + 1500 contractors • 2013: add 600 • US has only 3% to 10% cyber personnel needed • Govt. is contracting out more & more

  37. Actual Personnel Issues ~ Various Stats • Quality: satisfied with 40% of applicants • Bidding War among companies (Most >$100,000) • Govt. hires ~ Trains ~ Lose to private industry $$$ • Inflexibility of Govt. & Corporate vs. Smaller Private Co.

  38. Solutions to Cyber Security Problem? • Collaboration: Private & Public sectors • Enable govt. to compete with public sector • Hiring, pay scales, personnel exchanges • Bigger Pipeline in Education • STEM Education deficient • 2004 ~ 60K CMPS Majors; 2013 ~ 38K • Training for non-cyber personnel • Programs – most I’ve never heard of! (p.239)

  39. 16. Do Your Part: Protecting Myself (& the Internet)? WE must do our part – take the initiative! We have met the enemy, & he is us! ~ Pogo • Australian Study – prevent 85% of successful intrusions • Whitelisting, Rapid patching, Restrict administrator access • USAF Base Commander – demanded 1-digit password • Ret. Army officer: most important for cybersecurity • “Stop being so *#$* stupid on computers!”

  40. Practical Actions! • Passwords: Update often ~ Use strong passwords, esp. email ~ don’t share or reuse ~ use password manager • Access: Don’t use real answers on security questions • Multi-factor Authentication: password + card/biometric, etc. • SW: Keep up-to-date • Secure your wireless NW (encryption, passwords), don’t use unencrypted “free” WiFi • back-up, Back-Up, BACK-UP!!! • Use highest privacy/security setting

  41. Practical Actions (more) • Behavior: careful clicking links, opening attachments • Mobile Devices: Take care with mobile devices, don’t allow location information • Sharing information voluntarily • Facebook, Twitter, Instagram

  42. Conclusion ~ 5 key trends… Where is Cybersecurity headed next? • Rise of Cloud Computing • Big Data • Mobile Revolution • Demographic Shift • Internet of Things

  43. 1. Rise of Cloud Computing • Subscription service • Limitless computational resources • Save 40% to 80% costs • Changing balance of cyberspace power • Individual machines not so important • Cloud security personnel probably better than local • New Security Issues • Concentrated Risk • Is our data separated??

  44. 2. Big Data • Quantity + Meta-data • Unprecedented knowledge ~ may breakdown social, legal, ethical boundaries • New Applications: Netflix • Massive: data distribution & customer preference analysis • Lots of unknowns regarding the data

  45. 3. Mobile Revolution ~ 1973 • Unbelievably Everything! • Battle of Bandwidth • Security Risks are Mobile • Who should have oversight for “mobile”? • Where will it end?

  46. 4. Demographic Shift • Once a western phenomenon, now truly world-wide! • New values, uses, culture • What does this mean for the future?

  47. 5. Internet of Things ~ IoT • Digital Systems fully embedded into Real World • Everything can be linked to a web-enabled device to collect & make use of data • World of Distributed Sensors • Interoperability ~ an obstacle? • Threat: Now even my refrigerator is open to attack! Door locks!

  48. Conclusion ~ What do I really need to know in the end? • Knowns • Known Unknowns • Unknown Unknowns • Accept & Manage Risks
