Cybersecurity: defending our digital future. Mike Burmester, Center for Security and Assurance in IT, Florida State University, 3rd Annual TechExpo, Tallahassee, May 6th 2010.
CYBERSECURITY: DEFENDING OUR DIGITAL FUTURE
Mike Burmester
Center for Security and Assurance in IT, Florida State University
3rd Annual TechExpo, Tallahassee, May 6th 2010
Talkthrough
1. Background
― the White House Cyberspace Policy Review
2. Emerging network technologies
― Wireless, ubiquitous
― Cloud applications, intelligent networks
― What next!
3. The adversary
― We are behind the learning curve; the hackers are ahead
― Security threats
4. How can we defend our digital future?
― Near-term and midterm plans
― Methodology
― Technical aspects, technical analysis
TechExpo 2010, May 6th 2010
Background
In Feb 2009 the President directed a 60-day “clean-slate” review to assess U.S. policies and structures for cybersecurity.
In March 2009 the Cyberspace Policy Review was published.
The Cybersecurity Review recommends general guidelines regarding the
― Strategy
― Policy, and
― Standards
for securing operations in cyberspace.
“…our approach over the past 15 years has failed to keep pace with the threat.”
Background
What is Cyberspace?
“. . . the interdependent network of information technology infrastructures, including
― the Internet
― Telecommunications networks
― Computer systems
― Embedded processors and
― Controllers in critical industries
Common usage of the term also refers to the
― Virtual environment of information and interactions between people”
Background
What is Cyberspace? A historical perspective
1985: a system of mainframe computers (NSFNET)
1990: the Internet and Web applications
2000 +: Wireless networks
2008 +: Cloud applications
20??: The Internet of Things
20??: Virtual life?
How can we secure a structure that keeps morphing?
Emerging Network Technologies
the wireless medium, at the beginning . . .
Wireless technology offers unparalleled opportunities
Some time ago …
― Telegraph
― Radio communication
― Amateur radio
― TV
Emerging Network Technologies
the wireless medium, more recently
Wireless technology offers unparalleled opportunities
Wireless technology
― Cellular systems (3G and beyond)
Emerging Network Technologies
Bluetooth, Wi-Fi, sensors, RFIDs
Short range point-to-point
― Bluetooth
Personal Area networks
― Wi-Fi technologies
― Wireless sensor networks
― RFID (Radio Frequency Identification) systems
Emerging Network Technologies
Sensor networks
― Factory floor automation
― Border fencing
― Military applications
RFID deployments
― An RFID road pricing gantry in Singapore & an RFID tag
― RFID tags used in libraries
― Airports: checking luggage
― U.S. (electronic) passports
Wireless technologies
Long range point-to-point
― WiMAX technologies
Wireless technologies with no infrastructure
― Mobile ad hoc networks (MANETs)
― Disaster recovery
Vehicle-to-Vehicle communication
VANETs
[Figure label: ad hoc]
Ubiquitous networks
Network all applications! The Internet of Things
[Figure labels: IP backbone, Server, Router, Further networks]
What next !
Cloud applications ???
Delegate applications
Start with the Internet cloud
Delegate applications to the cloud
. . . and next! Emerging technologies
Robotics
Nanotechnology
― molecular self-assembly
― developing new materials
Biotechnology
― Analyzing the myriad simultaneous cellular activities
― Living systems can be regarded as communication systems: they transmit the genome of the organism by replication/transcription and translation.
Beyond next! Intelligent Networking ???
Beyond . . . the beyond
Virtual Networking and Environments
Current Definition (academic)
― A technology used to control remotely located computers and applications over the Internet
White House Policy Review definition of Cyberspace
― A virtual environment of information and interactions between people
Cyberspace = the digital network infrastructure + cloud applications + virtual network technology + emerging technologies + intelligent networking
Now, the bad . . .
The adversary (the hackers)
The adversary
Portrait of a Computer Criminal
Amateurs
― Normal people, maybe disgruntled over some negative work situation
― Have committed most of computer crimes to date
Crackers or Hackers
― Often high school/university students: cracking is seen as the ultimate victimless crime
― Attack for curiosity, self-satisfaction and personal gain
Career criminals
― Understand the targets of computer crime
― Usually begin as computer professionals who later engage in computer crime, finding the prospects and payoff good.
― Electronic spies and information brokers who recognize that trading in companies' secrets can be lucrative
The adversary
It is worse!
A simple Google search
key words: Chinese, threat, cyberspace
MI5 alert on China’s cyberspace spy threat (Times Online)
― Dec 1, 2007 . . . The Government has openly accused China of carrying out state-sponsored espionage against vital parts of Britain's economy, including . . .
U.S. military flags China cyber threat
― 2008-03-06 . . . The U.S. DoD warned in an annual report released this week that China continues to develop its abilities to wage war in cyberspace as part of a doctrine of "non-contact" warfare
The adversary
. . . much worse!
key words: France, threat, cyberspace
NATO chief calls attention to threats from cyberspace
― Mar 4, 2010 . . . NATO is facing new threats in cyberspace that cannot be met by lining up soldiers and tanks, the alliance's secretary-general said Thursday in an apparent reference to terror groups and criminal networks
key words: International, threat, cyberspace
Threat of next world war may be in cyberspace
― Oct 6, 2009 . . . The next world war could happen in cyberspace and that would be a catastrophe. We have to make sure that all countries understand that in that war . . .
The adversary
New technologies can be abused
― Are we prepared for intelligent networks?
― Who will manage them?
― Do we want centralized or decentralized management?
― Who will protect our resources?
― What are the threats?
Security Threats
Confidentiality
― Eavesdropping (wiretapping)
― Privacy
― Anonymity (Big Brother)
Integrity
― Data integrity: protection against unauthorized modifications, data corruption, deletion . . .
― Source or destination integrity: protections against spoofing attacks, man-in-the-middle attacks
Availability
― Coverage & deployment
― Information data accuracy: traffic control
― Dependable data transport: what about transmission/omission/congestion errors?
― What about malicious faults?
The Internet is a hacker’s paradise
Security Threats
Perceived or Real
― Impersonation Attacks
― Denial of Service Attacks
― Session Tampering and Hijacking
― Man-in-the-Middle Attacks
Can we protect Digital resources?
There are some very good cryptographic tools that can be used to protect digital resources
― Many of these tools have proven security
― The problem is usually bad implementations
― The best cryptographic security is point-to-point security (such as VPN)
The source & destination
― are mutually authenticated (with public key cryptography)
― exchange privately a fresh secret key (with public key cryptography)
― use symmetric key encryption scheme to encrypt exchanged data (with symmetric key cryptography)
Can wireless technology be made secure?
Point-to-point security
― Authentication usually involves certificates (a trusted third party certifies the public key of the entities) and a cryptographic handshake
― WiMAX uses the Extensible Authentication Protocol for this purpose
― For encryption it uses block ciphers such as DES3 or AES
This offers protection at the protocol layer
― There are still problems at the physical layer, such as jamming attacks (Denial-of-Service), or flooding attacks
Security vs. functionality tradeoff
― Rule of thumb: the more security the less functionality …
Holistic security
Cybersecurity Policy Review
Near-Term Plan
1. Appoint cybersecurity coordinator
2. Prepare a national strategy
3. Designate cybersecurity as a priority . . .
4. Designate a privacy/civil liberties official
5. Formulate coherent unified policy guidance that clarifies roles, responsibilities . . . for cybersecurity activities across the Federal government
6. Initiate a public awareness and education campaign to promote cybersecurity
Cybersecurity Policy Review Near-Term Plan
7. Develop government positions for an international cybersecurity policy framework
8. Prepare a cybersecurity incident response plan
9. Develop a framework for R&D strategies that focuses on game-changing technologies . . . to enhance the security, reliability, resilience, and trustworthiness . . .
10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests . . .
Cybersecurity Policy Review Midterm-Plan (14 items)
3. Support key education programs and R&D research to ensure the Nation’s continued ability to compete in the information age economy
4. Expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government.
9. Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict . . .
11. Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology innovations
Are we willing to pay the price? . . .
we may have to . . . whether we like it or not . . .
Methodology for Security
Resiliency
― Against physical damage, unauthorized manipulation, and electronic assault. In addition to protection of the information itself,
― A risk mitigation strategy with focus on devices used to access the infrastructure, the services provided by the infrastructure, the means of moving, storing and processing information
― A strategy for prevention, mitigation and response against threats
Encouraging innovation
― Harness the benefits of innovation
― Not create policy and regulation that inhibits innovation
Maintain National Security/Emergency Preparedness Capabilities
White House Cybersecurity Plan
RSA –03/2010
The Comprehensive National Security Initiative (12 items)
1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections
2. Deploy an intrusion detection system of sensors across the Federal enterprise
3. Deploy intrusion prevention systems across the Federal enterprise
4. Coordinate and redirect R&D efforts
5. Connect current cyber ops centers to enhance situational awareness
6. Develop a government-wide cyber counter intelligence plan
White House Cybersecurity Plan
Revealed at RSA –03/2010
The Comprehensive National Security Initiative (12 items)
7. Increase the security of our classified networks
8. Expand cyber education
9. Define and develop enduring "leap-ahead" technology, strategies, and programs
10. Develop enduring deterrence strategies and programs
11. Develop a multi-pronged approach for global supply chain risk management
12. Define the Federal role for extending cybersecurity into critical infrastructure domains
Cybersecurity Plan
Technical aspects
2. Deploy an ID system of sensors across the Federal enterprise
Einstein 2 capability
― Signature-based sensors that analyze network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity
3. Deploy IP systems across the Federal enterprise
Einstein 3 capability
― Real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks
― Identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response
― Automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense
Cybersecurity Plan
Technical analysis
Einstein 2 capability
― Signature-based sensors will only detect copycat attacks: one-off attacks will not be checked
Einstein 3 capability
― will not detect unpredictable attacks that mimic normal behavior
― Threat-based decision-making on network traffic however may deal with the consequences of such attacks
Markovian profiling is a good approach for threat based decision making
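An added example, not from the original slides, of the contrast drawn above: a signature matcher catches only a replay of a known sequence, while a first-order Markov profile of normal event sequences flags a one-off sequence yet still passes one that mimics normal behavior. Reading "Markovian profiling" as a first-order Markov chain is an assumption, as are the event names, sample sessions, smoothing and threshold, all constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample data: each session is a sequence of abstract event types.
NORMAL_SESSIONS = [
    ["login", "read", "read", "write", "logout"],
    ["login", "read", "write", "read", "logout"],
    ["login", "read", "read", "read", "logout"],
    ["login", "write", "read", "write", "logout"],
]
ALPHABET = ["login", "read", "write", "admin", "export", "logout"]
KNOWN_SIGNATURES = [("login", "admin", "export")]  # one previously seen attack
THRESHOLD = 1.5  # assumed cut-off, chosen above the training sessions' scores
UNSEEN = 1e-6    # assumed probability for event types outside ALPHABET

def signature_match(session):
    """True if any known signature occurs as a contiguous run of events."""
    return any(tuple(session[i:i + len(sig)]) == sig
               for sig in KNOWN_SIGNATURES
               for i in range(len(session) - len(sig) + 1))

def train_profile(sessions, alphabet, alpha=0.1):
    """First-order Markov transition probabilities with add-alpha smoothing."""
    counts = Counter(pair for s in sessions for pair in zip(s, s[1:]))
    profile = {}
    for a in alphabet:
        total = sum(counts[(a, b)] for b in alphabet) + alpha * len(alphabet)
        profile[a] = {b: (counts[(a, b)] + alpha) / total for b in alphabet}
    return profile

def surprise(profile, session):
    """Mean negative log-likelihood per transition; higher means less normal."""
    steps = list(zip(session, session[1:]))
    if not steps:
        return 0.0
    return -sum(math.log(profile.get(a, {}).get(b, UNSEEN))
                for a, b in steps) / len(steps)

PROFILE = train_profile(NORMAL_SESSIONS, ALPHABET)

def classify(session):
    """Signature check first, then the behavioural profile."""
    if signature_match(session):
        return "signature"
    return "anomalous" if surprise(PROFILE, session) > THRESHOLD else "normal"

if __name__ == "__main__":
    for s in (["login", "admin", "export", "logout"],            # copycat
              ["login", "export", "admin", "export", "logout"],  # one-off
              ["login", "read", "write", "logout"]):             # mimics normal
        print(s, "->", classify(s), round(surprise(PROFILE, s), 2))
```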
Holistic Security
The most important technical point in this review is the realization that one cannot achieve cybersecurity solely by protecting individual components: there is no way to determine what happens when NIAP-reviewed products are all combined into a composite IT system.
Quite right, and too little appreciated; security is a systems property, and in fact, part of the entire design-and-build process
Steven M Bellovin
. . . the Universal-Composability Framework may ultimately prove to be just a first step toward a complete solution
Joan Feigenbaum
. . . the main feature of the UC Framework is that the security of a composite system can be derived from the security of its components without need for holistic reassessment
Mike Burmester
Thanks for listening!
Raise your hands if you have any questions