CYBERSECURITY: DEFENDING OUR DIGITAL FUTURE
Mike Burmester, Center for Security and Assurance in IT, Florida State University
3rd Annual TechExpo, Tallahassee, May 6th 2010


Talkthrough

1. Background: the White House Cyberspace Policy Review
2. Emerging network technologies
   ― Wireless, ubiquitous
   ― Cloud applications, intelligent networks
   ― What next!
3. The adversary
   ― We are behind the learning curve; the hackers are ahead
   ― Security threats
4. How can we defend our digital future?
   ― Near-term and midterm plans
   ― Methodology
   ― Technical aspects, technical analysis

Background

In Feb 2009 the President directed a 60-day “clean-slate” review to assess U.S. policies and structures for cybersecurity.

In March 2009 the Cyberspace Policy Review was published

The Cybersecurity Review recommends general guidelines regarding the
― Strategy
― Policy, and
― Standards
for securing operations in cyberspace.

“…our approach over the past 15 years has failed to keep pace with the threat.”

Background

What is Cyberspace?

“ . . . the interdependent network of information technology infrastructures, including
― the Internet
― Telecommunications networks
― Computer systems
― Embedded processors and controllers in critical industries”

Common usage of the term also refers to the
― Virtual environment of information and interactions between people

Background

What is Cyberspace? A historical perspective

1985  a system of mainframe computers (NSFNET)
1990  the Internet and Web applications
2000+ Wireless networks
2008+ Cloud applications
20??  The Internet of Things
20??  Virtual life?

How can we secure a structure that keeps morphing?

Emerging Network Technologies: the wireless medium, at the beginning . . .

Wireless technology offers unparalleled opportunities

Some time ago …
― Telegraph
― Radio communication
― Amateur radio
― TV

Emerging Network Technologies: the wireless medium, more recently

Wireless technology offers unparalleled opportunities

Wireless technology
― Cellular systems (3G and beyond)

Emerging Network Technologies: Bluetooth, Wi-Fi, sensors, RFIDs

Short range point-to-point
― Bluetooth

Personal Area networks
― Wi-Fi technologies
― Wireless sensor networks
― RFID (Radio Frequency Identification) systems

Emerging Network Technologies: Sensor networks

― Factory floor automation
― Border fencing
― Military applications

RFID deployments

― An RFID road pricing gantry in Singapore & an RFID tag
― RFID tags used in libraries
― Airports: checking luggage
― U.S. (electronic) passports

Wireless technologies

Long range point-to-point
― WiMAX technologies

Wireless technologies with no infrastructure

― Mobile ad hoc networks (MANETs)
― Disaster recovery

Vehicle-to-Vehicle communication

VANETs (ad hoc)

Ubiquitous networks

Network all applications! The Internet of Things

[Figure labels: IP backbone, Server, Router, Further networks]

What next!

Cloud applications ???

― Start with the Internet cloud
― Delegate applications to the cloud

. . . and next! Emerging technologies

Robotics

Nanotechnology
― molecular self-assembly
― developing new materials

Biotechnology
― Analyzing the myriad simultaneous cellular activities
― Living systems can be regarded as communication systems: they transmit the genome of the organism by replication/transcription and translation.

Beyond next! Intelligent Networking ???

Beyond . . . the beyond

Virtual Networking and Environments

Current Definition (academic)
― A technology used to control remotely located computers and applications over the Internet

White House Policy Review definition of Cyberspace
― A virtual environment of information and interactions between people

Cyberspace = the digital network infrastructure + cloud applications + virtual network technology + emerging technologies + intelligent networking

Now, the bad . . .

The adversary (the hackers)

The adversary: Portrait of a Computer Criminal

Amateurs
― Normal people, maybe disgruntled over some negative work situation
― Have committed most computer crimes to date

Crackers or Hackers
― Often high school/university students: cracking is seen as the ultimate victimless crime
― Attack for curiosity, self-satisfaction and personal gain

Career criminals
― Understand the targets of computer crime
― Usually begin as computer professionals who later engage in computer crime, finding the prospects and payoff good.
― Electronic spies and information brokers who recognize that trading in companies' secrets can be lucrative

The adversary: It is worse!

A simple Google search

key words: Chinese, threat, cyberspace

MI5 alert on China’s cyberspace spy threat (Times Online)
Dec 1, 2007 . . . The Government has openly accused China of carrying out state-sponsored espionage against vital parts of Britain's economy, including . . .

U.S. military flags China cyber threat
2008-03-06 . . . The U.S. DoD warned in an annual report released this week that China continues to develop its abilities to wage war in cyberspace as part of a doctrine of "non-contact" warfare

The adversary . . . much worse!

key words: France, threat, cyberspace

NATO chief calls attention to threats from cyberspace
Mar 4, 2010 . . . NATO is facing new threats in cyberspace that cannot be met by lining up soldiers and tanks, the alliance's secretary-general said Thursday in an apparent reference to terror groups and criminal networks

key words: International, threat, cyberspace

Threat of next world war may be in cyberspace
Oct 6, 2009 . . . The next world war could happen in cyberspace and that would be a catastrophe. We have to make sure that all countries understand that in that war . . .

The adversary: New technologies can be abused

― Are we prepared for intelligent networks?
― Who will manage them?
― Do we want
   ― Centralized, or
   ― Decentralized management
― Who will protect our resources?
― What are the threats?

Security Threats

Confidentiality
― Eavesdropping (wiretapping)
― Privacy
― Anonymity (Big Brother)

Integrity
― Data integrity: protection against unauthorized modifications, data corruption, deletion . . .
― Source or destination integrity: protections against spoofing attacks, man-in-the-middle attacks

Availability
― Coverage & deployment
― Information data accuracy: traffic control
― Dependable data transport: what about transmission/omission/congestion errors?
― What about malicious faults?

The Internet is a hacker’s paradise

Security Threats: Perceived or Real
― Impersonation Attacks
― Denial of Service Attacks
― Session Tampering and Hijacking
― Man-in-the-Middle Attacks

Can we protect digital resources?

There are some very good cryptographic tools that can be used to protect digital resources

Many of these tools have proven security

The problem is usually bad implementations

The best cryptographic security is point-to-point security (such as VPN)

The source & destination
― are mutually authenticated (with public key cryptography)
― exchange privately a fresh secret key (with public key cryptography)
― use symmetric key encryption scheme to encrypt exchanged data (with symmetric key cryptography)

Can wireless technology be made secure?

Point-to-point security
― Authentication usually involves certificates (a trusted third party certifies the public key of the entities) and a cryptographic handshake
― WiMAX uses the Extensible Authentication Protocol for this purpose
― For encryption it uses block ciphers such as DES3 or AES

This offers protection at the protocol layer
― There are still problems at the physical layer, such as jamming attacks (Denial-of-Service), or flooding attacks

Security vs. functionality tradeoff
― Rule of thumb: the more security the less functionality …

Holistic security

Cybersecurity Policy Review: Near-Term Plan

1. Appoint cybersecurity coordinator

2. Prepare a national strategy

3. Designate cybersecurity as a priority . . .

4. Designate a privacy/civil liberties official

5. Formulate coherent unified policy guidance that clarifies roles, responsibilities . . . for cybersecurity activities across the Federal government

6. Initiate a public awareness and education campaign to promote cybersecurity

Cybersecurity Policy Review: Near-Term Plan

7. Develop government positions for an international cybersecurity policy framework

8. Prepare a cybersecurity incident response plan

9. Develop a framework for R&D strategies that focuses on game-changing technologies . . . to enhance the security, reliability, resilience, and trustworthiness . . .

10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests . . .

Cybersecurity Policy Review: Midterm Plan (14 items)

3. Support key education programs and R&D research to ensure the Nation’s continued ability to compete in the information age economy

4. Expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government.

9. Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict . . .

11. Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology innovations

Are we willing to pay the price? . . .

we may have to . . . whether we like it or not . . .

Methodology for Security

Resiliency
― Against physical damage, unauthorized manipulation, and electronic assault. In addition to protection of the information itself,
― A risk mitigation strategy with focus on devices used to access the infrastructure, the services provided by the infrastructure, the means of moving, storing and processing information
― A strategy for prevention, mitigation and response against threats

Encouraging innovation
― Harness the benefits of innovation
― Not create policy and regulation that inhibits innovation

Maintain National Security/Emergency Preparedness Capabilities

White House Cybersecurity Plan

RSA, 03/2010

The Comprehensive National Security Initiative (12 items)

1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections

2. Deploy an intrusion detection system of sensors across the Federal enterprise

3. Deploy intrusion prevention systems across the Federal enterprise

4. Coordinate and redirect R&D efforts

5. Connect current cyber ops centers to enhance situational awareness

6. Develop a government-wide cyber counter intelligence plan

White House Cybersecurity Plan, revealed at RSA, 03/2010

The Comprehensive National Security Initiative (12 items)

7. Increase the security of our classified networks

8. Expand cyber education

9. Define and develop enduring "leap-ahead" technology, strategies, and programs

10. Develop enduring deterrence strategies and programs

11. Develop a multi-pronged approach for global supply chain risk management

12. Define the Federal role for extending cybersecurity into critical infrastructure domains

Cybersecurity Plan: Technical aspects

2. Deploy an ID system of sensors across the Federal enterprise

Einstein 2 capability
― Signature-based sensors that analyze network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity

3. Deploy IP systems across the Federal enterprise

Einstein 3 capability
― Real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks
― Identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response
― Automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense

Cybersecurity Plan: Technical analysis

Einstein 2 capability: signature-based sensors will only detect copycat attacks; one-off attacks will not be checked

Einstein 3 capability will not detect unpredictable attacks that mimic normal behavior

Threat-based decision-making on network traffic however may deal with the consequences of such attacks

Markovian profiling is a good approach for threat based decision making
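The contrast drawn on this slide, as an added example that is not part of the original talk and does not represent how Einstein is implemented: a verbatim signature matcher next to one simple form of Markovian profiling, a first-order Markov chain trained on normal sessions that flags sessions whose transitions are improbable. The event labels, sample sessions, signature and threshold margin are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample data: each session is a sequence of coarse event labels.
NORMAL_SESSIONS = [
    ["dns", "connect", "auth_ok", "read", "read", "close"],
    ["dns", "connect", "auth_ok", "read", "write", "close"],
    ["dns", "connect", "auth_fail", "auth_ok", "read", "close"],
    ["connect", "auth_ok", "write", "read", "close"],
]
# Constructed signature: a previously observed attack, stored verbatim.
SIGNATURES = [("auth_fail", "auth_fail", "auth_fail", "auth_ok")]

def matches_signature(session):
    """Signature sensor: True only if a known sequence appears verbatim."""
    s = tuple(session)
    return any(s[i:i + len(sig)] == sig
               for sig in SIGNATURES for i in range(len(s) - len(sig) + 1))

def train(sessions):
    """Count first-order transitions, including start (^) and end ($)."""
    counts = defaultdict(lambda: defaultdict(int))
    states = {"^", "$"}
    for sess in sessions:
        path = ["^", *sess, "$"]
        states.update(path)
        for a, b in zip(path, path[1:]):
            counts[a][b] += 1
    return counts, states

def avg_log_likelihood(model, session):
    """Mean log P(next | current), add-one smoothed for unseen transitions."""
    counts, states = model
    path = ["^", *session, "$"]
    v = len(states | set(path))  # vocabulary size used for smoothing
    total = 0.0
    for a, b in zip(path, path[1:]):
        row = counts.get(a, {})
        total += math.log((row.get(b, 0) + 1) / (sum(row.values()) + v))
    return total / (len(path) - 1)

def is_anomalous(model, session, threshold):
    """Profile sensor: flag sessions less likely than the learned baseline."""
    return avg_log_likelihood(model, session) < threshold

MODEL = train(NORMAL_SESSIONS)
# Assumed threshold: a fixed margin below the worst-scoring training session.
THRESHOLD = min(avg_log_likelihood(MODEL, s) for s in NORMAL_SESSIONS) - 0.25
```

A session that walks only through high-probability transitions scores like normal traffic and is not flagged, which is the mimicry limitation the slide attributes to Einstein 3.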

Holistic Security

The most important technical point in this review is the realization that one cannot achieve cybersecurity solely by protecting individual components: there is no way to determine what happens when NIAP-reviewed products are all combined into a composite IT system.

Quite right, and too little appreciated; security is a systems property, and in fact, part of the entire design-and-build process
Steven M Bellovin

. . . the Universal-Composability Framework may ultimately prove to be just a first step toward a complete solution
Joan Feigenbaum

. . . the main feature of the UC Framework is that the security of a composite system can be derived from the security of its components without need for holistic reassessment
Mike Burmester

Thanks for listening!

Raise your hands if you have any questions