Page 1: Cybersecurity Update - Amazon Web Services...DDoS attacks email propagation of malicious code “stealth”/advanced scanning techniques widespread attacks on DNS infrastructure executable

Cybersecurity Update

Dr. Nader Mehravari, MBCP, MBCI

Cyber Risk and Resilience Management TeamCERT Division

Software Engineering InstituteCarnegie Mellon [email protected]

http://www.cert.org/resilience/

April 20-22, 2015Talking Stick Resort ● Scottsdale, AZ

Next Generation Resilience

2© 2014 Carnegie Mellon University

Outline

Setting the Stage• Protecting organizational mission

• Relationship to the rest of this course

• Scope of our discussion

• How has the problem changed over the years?

A Look at Recent Events

Threat Environment

Recent Statistics

Selected Hot Topics

Cybersecurity Policy / Regulation / Legislation

Cybersecurity is a Business Continuity Issue

Summary

Takeaways

3© 2014 Carnegie Mellon University

CERT | Software Engineering Institute | Carnegie Mellon

Software Engineering Institute (SEI)

• Federally funded research and development center based at Carnegie Mellon University

• Basic and applied research in partnership with government and private organizations

• Helps organizations improve development, operation, and management of software-intensive and networked systems

CERT – Anticipating and solving our

nation’s cybersecurity challenges

• Largest technical program at SEI

• Focused on internet security, secure systems, operational resilience, and coordinated response to security issues

4© 2014 Carnegie Mellon University

CMU-SEI-CERT Cyber Resilience Team

Engaged in

• Applied research

• Education & training

• Putting into practice

• Enabling our federal, state, and commercial partners

In areas dealing with

• Operational Resilience

• Resilience Management

• Operation Risk Management

• Integration of cybersecurity, business continuity, & disaster recovery


5© 2014 Carnegie Mellon University

What is this session all about?

[Figure: "Cybersecurity Update" at the center, surrounded by the questions this session addresses]

• What’s new? What has changed?
• New players
• New risks and concerns
• What’s in the news?
• New policies & regulations
• New things to worry about
• Questions to ask
• How is it related to the rest of this event?
• Why is it important?

6© 2014 Carnegie Mellon University

He is not going to make cybersecurity experts out of you.

7© 2014 Carnegie Mellon University

Outline

Setting the Stage

• Protecting organizational mission

• Relationship to the rest of this course

• Scope of our discussion

• How has the problem changed over the years?

A Look at Recent Events

Threat Environment

Recent Statistics

Selected Hot Topics

Cybersecurity Policy / Regulation / Legislation

Cybersecurity is a Business Continuity Issue

Summary

Takeaways

8© 2014 Carnegie Mellon University

“… When I started my career, in the late 80s, if there was a bank robbery, the pool of suspects was limited to the people who were in the vicinity at the time. Now when a bank is robbed the pool of suspects is limited to the number of people in the world with access to a $500 laptop and an Internet connection…”

Shawn Henry, former FBI Executive Assistant Director, 2013


9© 2014 Carnegie Mellon University

“… Cybercrime is 'the greatest transfer of wealth in history'…”

U.S. Army Gen. (retired) Keith B. Alexander, former Director of the National Security Agency (NSA) and former Commander of US Cyber Command, 2012

10© 2014 Carnegie Mellon University

Setting the Stage

Why a discussion of cybersecurity at a business continuity conference?

11© 2014 Carnegie Mellon University

Protecting Organizational Mission

[Figure: the Organization Mission at the top of the model]

12© 2014 Carnegie Mellon University

Services and Products

Outputs of an organization

Can be internally or externally focused

Collectively they enable an organization’s mission

[Figure: several Services or Products, together supporting the Organization Mission]


13© 2014 Carnegie Mellon University

Productive Activities or Business Processes

Activities that the organization (and/or its suppliers) perform to ensure that services and products are generated

A service or product is made up of one or more business processes

[Figure: Organization Mission, supported by Services or Products, each made up of Productive Activities or Business Processes A, B, C and D]

14© 2014 Carnegie Mellon University

Assets

Something of value to the organization

Asset value relates to the importance of the asset in meeting the service mission.

[Figure: the same mission / service / process diagram, with Assets added at the bottom underpinning the business processes]

15© 2014 Carnegie Mellon University

Asset Types

Something of value to the organization

Asset value relates to the importance of the asset in meeting the service mission.

[Figure: the same mission / service / process / asset diagram, with the assets broken out by type]

Asset types:

• People Assets
• Information Assets
• Technology Assets
• Facility Assets
• Supply Chain

16© 2014 Carnegie Mellon University

Asset Disruption

[Figure: the same mission / service / process / asset diagram; disrupted assets are marked with an X, and the disruption propagates upward through the business processes and services that depend on them]

Realized operational risk resulting in asset disruption
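The mission / service / process / asset model of the preceding slides, worked as a small dependency graph so the propagation shown on the "Asset Disruption" figure can be computed rather than drawn. This is an added example, not code from the deck or from CERT; the organization, its services, processes and assets are constructed for illustration, and "asset value" is taken here simply as the number of services an asset helps deliver, which is one concrete reading of the definition on slide 14.

```python
from collections import defaultdict

# The five asset types named on slide 15.
ASSET_TYPES = {"people", "information", "technology", "facility", "supply_chain"}


class ResilienceModel:
    """Organization mission <- services/products <- business processes <- assets."""

    def __init__(self):
        self.assets = {}                            # asset name -> asset type
        self.process_assets = defaultdict(set)      # process -> assets it needs
        self.service_processes = defaultdict(set)   # service -> processes it is made of

    def add_asset(self, name, kind):
        if kind not in ASSET_TYPES:
            raise ValueError(f"unknown asset type: {kind}")
        self.assets[name] = kind

    def add_process(self, process, needs):
        unknown = set(needs) - self.assets.keys()
        if unknown:
            raise KeyError(f"undeclared assets: {sorted(unknown)}")
        self.process_assets[process] |= set(needs)

    def add_service(self, service, processes):
        unknown = set(processes) - self.process_assets.keys()
        if unknown:
            raise KeyError(f"undeclared processes: {sorted(unknown)}")
        self.service_processes[service] |= set(processes)

    def services_using(self, asset):
        """Mission services that depend, through some process, on this asset."""
        return {s for s, procs in self.service_processes.items()
                if any(asset in self.process_assets[p] for p in procs)}

    def asset_value(self, asset):
        """Assumed metric: importance of the asset = number of services it serves."""
        return len(self.services_using(asset))

    def disrupted_services(self, disrupted_assets):
        """Realized operational risk: every service that loses a supporting process."""
        down = set(disrupted_assets)
        return {s for s, procs in self.service_processes.items()
                if any(self.process_assets[p] & down for p in procs)}

    def mission_intact(self, disrupted_assets):
        return not self.disrupted_services(disrupted_assets)


def build_sample_model():
    """Constructed example organization (not taken from the slides)."""
    m = ResilienceModel()
    for name, kind in [("payments-db", "information"), ("core-switch", "technology"),
                       ("hq-building", "facility"), ("ops-team", "people"),
                       ("card-processor", "supply_chain")]:
        m.add_asset(name, kind)
    m.add_process("authorize-payment", ["payments-db", "core-switch", "card-processor"])
    m.add_process("settle-batch", ["payments-db", "ops-team"])
    m.add_process("answer-calls", ["hq-building", "ops-team"])
    m.add_service("online-checkout", ["authorize-payment"])
    m.add_service("merchant-settlement", ["settle-batch"])
    m.add_service("customer-support", ["answer-calls"])
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for asset, kind in model.assets.items():
        print(f"{asset:15s} type={kind:13s} value={model.asset_value(asset)}")
    for lost in (["payments-db"], ["hq-building"], ["ops-team"]):
        print(f"{lost} disrupted ->", sorted(model.disrupted_services(lost)))
```

The useful output is the second loop: the same single-asset loss takes out one service in one case and two in another, which is exactly the ranking a business-impact analysis needs before deciding where protection and sustainment effort goes.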


17© 2014 Carnegie Mellon University

Operational Resilience Starts at the Asset Level

[Figure: an Asset facing an Event, with a Protect strategy on one side and a Sustain strategy on the other]

Manage Conditions of Risk (Protect): keep assets from exposure to disruption (e.g., Information Security; Cyber Protection; Fault-Tolerance & High-Availability Designs)

Manage Consequences of Risk (Sustain): keep assets productive during adversity (e.g., Disaster Recovery, Business Continuity, Pandemic Planning, Crisis Management, COOP)

18© 2014 Carnegie Mellon University

Analogy: Protection and Sustainment Strategies

Protection Activities

• Translates into activities designed to keep assets from exposure to disruption

• Example: “information security” activities

Sustainability Activities

• Translates into activities designed to keep assets productive during adversity

• E.g., “business continuity” activities

19© 2014 Carnegie Mellon University

Operational Resilience Starts at the Asset Level

[Figure: the mission / service / process / asset diagram again, with disrupted assets marked X to show where protection and sustainment activities have to act]

Realized operational risk resulting in asset disruption

20© 2014 Carnegie Mellon University

Organizational Context for Resilience Activities

[Figure: the mission / service / process / asset diagram, surrounded by the resilience activities that act on the assets: Operational Resilience Management Systems, Crisis Mgmt., Information Security, IT Disaster Recovery, Business Continuity]

Examples:

• Disaster Recovery Planning

• Business Continuity Planning

• Information Security

• COOP

• Cybersecurity Protection

• Risk Management

• Crisis Management

• Emergency Management

• Pandemic Planning

• Supply Chain Continuity

• Etc, Etc, Etc…


21© 2014 Carnegie Mellon University

Scope of Our Discussion

22© 2014 Carnegie Mellon University

What do people mean by these terms?

23© 2014 Carnegie Mellon University

Regardless of what the instructor tells you, there are no universally agreed upon definitions or scopes for these terms…

24© 2014 Carnegie Mellon University

Cyber Ecosystem Perspective

Cyber Ecosystem: a global information environment comprised of

1. both private and public sector information infrastructure,

2. the entities that it interacts with (e.g., people, information, technologies, facilities), and

3. the environment that it operates in.


25© 2014 Carnegie Mellon University

Critical Infrastructure Perspective

Cyber Ecosystems Perspective

Security attributes: Confidentiality • Integrity • Availability • Authentication • Nonrepudiation

27© 2014 Carnegie Mellon University

Information Technology and Operational Technology

[Figure: Operational Technology alongside Information Technology]

28© 2014 Carnegie Mellon University

Cybersecurity

Cybersecurity is a superset of the practices embodied in IT security, information security, and OT security.

[Figure: Cybersecurity drawn as the outer set, enclosing Information Security, IT Security and OT Security]

Note: Again, not universally agreed upon definitions or scopes.


29© 2014 Carnegie Mellon University

How has the problem changed?

30© 2014 Carnegie Mellon University

Yesterday it would have been about…

[Figure: a Business Location with its LAN, connected to the Internet; Backup Tape sent to Iron Mountain Storage; a DR Site]

31© 2014 Carnegie Mellon University

Today it has to deal with…

• Application complexities

• Business process complexities

• and more…

32© 2014 Carnegie Mellon University

Ever-Increasing Capability & Complexity

SLOC = Source Lines of Code

Biplane: 0 SLOC
Apollo Lunar Module: 2K SLOC
SR-71: 500K SLOC
F-35: 9.9M SLOC

[Chart: Functionality & Complexity increase from left to right, and Operational Risk rises with them]


33© 2014 Carnegie Mellon University

Ever-Increasing Capability & Complexity

[Chart: Legacy Electric Grid to Modern Smart Grid; Functionality & Efficiency increase from left to right, and Operational Risk rises with them]

34© 2014 Carnegie Mellon University

Yesterday’s Preparedness Planning

• Continuity of Operation (COOP)

• Business Continuity

• Emergency Management

• IT Disaster Recovery

35© 2014 Carnegie Mellon University

Today’s Preparedness Planning

• Continuity of Operation (COOP)

• Business Continuity

• Emergency Management

• IT Disaster Recovery

• Supply Chain Continuity

• Crisis Management

• Contingency Planning

• Pandemic Planning

• Preparedness Planning

• Operational Risk Management

• Enterprise Risk Management

• IT Operations

• Privacy Risk Management

• Workforce Continuity

• Cyber Protection

• Crisis Communications

• Information Security

36© 2014 Carnegie Mellon University

Geographic Boundaries Disappear in Cyberspace


37© 2014 Carnegie Mellon University

http://www.threatgeek.com/2012/06/threattoons-fbi-most-wanted.html

38© 2014 Carnegie Mellon University

We Depend on Evolving Cyber Ecosystems

39© 2014 Carnegie Mellon University

Attack Sophistication vs. Intruder Technical Knowledge

[Chart: x-axis 1990 to 2010; Attack Sophistication rises from Low to High over the period while Average Intruder Knowledge falls from High to Low. Attack milestones plotted on the chart:]

• packet spoofing
• automated probes/scans
• hijacking sessions
• GUI intruder tools
• Internet social engineering attacks
• widespread denial-of-service attacks
• automated widespread attacks
• DDoS attacks
• email propagation of malicious code
• “stealth”/advanced scanning techniques
• widespread attacks on DNS infrastructure
• executable code attacks (against browsers)
• techniques to analyze code for vulnerabilities without source code
• increase in worms
• sophisticated command & control
• anti-forensic techniques
• home users targeted
• distributed attack tools
• increase in wide-scale Trojan horse distribution
• Windows-based remote controllable Trojans (Back Orifice)
• widespread attacks using NNTP to distribute attack
• increase in targeted phishing & vishing
• widespread attacks on client-side software
• persistent malware infiltration & persistent surveillance
• adaptive, high-impact, targeted attacks on critical infrastructures
• massive botnets
• widespread attacks on web applications
• supply-chain compromises
• control systems targeted
• malicious counterfeit hardware
• coordinated cyber-physical attacks

40© 2014 Carnegie Mellon University

Expanding Risk Environment

• Globalization

• Operational complexity

• Pervasive use of technology

• Intertwining of cyber and physical domains

• Increased role of cybersecurity in securing physical assets

• Movement toward intangible assets

• Global economic pressures

• Regulatory and legal boundaries

• Geo-political pressures


41© 2014 Carnegie Mellon University

Today’s Business Environment

[Chart: Severity of Operational Glitches on the x-axis, Business Consequences of Operational Glitches on the y-axis; two curves labelled A and B, one for Yesterday and one for Today, with Today’s consequences climbing far faster for the same severity]

Today’s Business Environment is Much Less Forgiving

42© 2014 Carnegie Mellon University

August 13, 2012

43© 2014 Carnegie Mellon University

… 4 months later

44© 2014 Carnegie Mellon University

Before June 17, 2014 – Open for Business & Hiring


45© 2014 Carnegie Mellon University

After June 17, 2014 – Out of Business

46© 2014 Carnegie Mellon University

Business Failures Following the 2011 Japan Earthquake, Tsunami, & Nuclear Disaster

47© 2014 Carnegie Mellon University

How else have things changed?

Where was the information stored?

Who had control over the information?

Who valued the information?

Who created the information?

48© 2014 Carnegie Mellon University

Where was the information stored?


49© 2014 Carnegie Mellon University

Who had control over the information?

50© 2014 Carnegie Mellon University

Who valued the information?

51© 2014 Carnegie Mellon University

Who created the information?

52© 2014 Carnegie Mellon University

Outline

Setting the Stage

• Protecting organizational mission

• Relationship to the rest of this course

• Scope of our discussion

• How has the problem changed over the years?

A Look at Recent Events

Threat Environment

Recent Statistics

Selected Hot Topics

Cybersecurity Policy / Regulation / Legislation

Cybersecurity is a Business Continuity Issue

Summary

Takeaways


53© 2014 Carnegie Mellon University

A Look at Recent Events

54© 2014 Carnegie Mellon University

Have you noticed an

increased level of cyber

attacks in the recent

headlines?

55© 2014 Carnegie Mellon University

March 2011

56© 2014 Carnegie Mellon University

April 17, 2011


57© 2014 Carnegie Mellon University

May 2011

58© 2014 Carnegie Mellon University

March 30, 2012

59© 2014 Carnegie Mellon University

July 26, 2012

60© 2014 Carnegie Mellon University

August 16, 2012

Destructive attack (wiper malware) and DDoS at the same time


61© 2014 Carnegie Mellon University

October 17, 2012

62© 2014 Carnegie Mellon University

January 26, 2013

63© 2014 Carnegie Mellon University

Late 2012 – Early 2013

64© 2014 Carnegie Mellon University

April 23, 2013


65© 2014 Carnegie Mellon University

May 23, 2013

66© 2014 Carnegie Mellon University

June 5, 2013

67© 2014 Carnegie Mellon University

June 2013

68© 2014 Carnegie Mellon University

June 25, 2013


69© 2014 Carnegie Mellon University

December 2013

70© 2014 Carnegie Mellon University

Anatomy of Target Breach

Source: http://securityintelligence.com/target-breach-protect-against-similar-attacks-retailers/#.U9-17GP5dJu

71© 2014 Carnegie Mellon University

Reputation Damage

72© 2014 Carnegie Mellon University

http://www.threatgeek.com/2014/03/threattoons-new-normal.html


73© 2014 Carnegie Mellon University

February 11, 2014

74© 2014 Carnegie Mellon University

February 18, 2014

75© 2014 Carnegie Mellon University

April 2014

76© 2014 Carnegie Mellon University


77© 2014 Carnegie Mellon University

How bad was (is) it? (Heartbleed, CVE-2014-0160)

OpenSSL is a widely used implementation of the SSL/TLS (Transport Layer Security) protocols

• Two thirds of Internet webservers use OpenSSL

• 17.5% are believed to have been running vulnerable versions

No credentials are needed to exploit the vulnerability

• Enables access to privileged data (certificates, passwords, etc.) read straight out of the server’s memory

• Exploitation leaves no trace in the server’s ordinary logs, so an attacker can go undetected

The vulnerability had been present since March 2012 (it shipped in OpenSSL 1.0.1)

• First admitted discovery: April 1, 2014

• Reported widely publicly: April 7, 2014
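The bug the bullets above describe, reduced to its essentials. This is an added example, not OpenSSL’s code: it simulates process memory with a bytearray, lays a heartbeat record (RFC 6520 layout: 1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) next to constructed "secret" bytes, and shows a handler that trusts payload_length beside one that applies the bounds check the OpenSSL patch added. The record, the neighbouring memory contents and the function names are assumptions made for the illustration.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16           # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a HeartbeatMessage; declared_len lets a client lie about payload_length."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_len) + payload + b"\x00" * MIN_PADDING


def _echo(memory: bytearray, rec_off: int, declared: int) -> bytes:
    """Copy `declared` bytes starting at the payload and wrap them in a response."""
    start = rec_off + 3                                  # skip type + payload_length
    echoed = bytes(memory[start:start + declared])       # copies whatever is there
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + echoed + b"\x00" * MIN_PADDING


def handle_vulnerable(memory: bytearray, rec_off: int, rec_len: int) -> bytes:
    """Trusts the peer's payload_length and never consults rec_len, so the copy
    can run past the record into whatever sits next to it in memory."""
    hb_type, declared = struct.unpack_from("!BH", memory, rec_off)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    return _echo(memory, rec_off, declared)


def handle_fixed(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """Same handler with the bounds check the patch added: silently discard a
    message whose claimed payload plus padding does not fit inside the record."""
    hb_type, declared = struct.unpack_from("!BH", memory, rec_off)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    if 1 + 2 + declared + MIN_PADDING > rec_len:
        return None
    return _echo(memory, rec_off, declared)


def response_payload(resp: bytes) -> bytes:
    """Strip the response header and padding, returning just the echoed bytes."""
    _, n = struct.unpack_from("!BH", resp, 0)
    return resp[3:3 + n]


# Constructed bytes standing in for whatever the server happened to have
# allocated next to the record (a session cookie, key material, ...).
NEIGHBOUR_MEMORY = b"...session cookie=SID=7f3a9c...; -----BEGIN RSA PRIVATE KEY-----..."


def simulate(declared_len: int, fixed: bool) -> Optional[bytes]:
    """Place a 'ping' heartbeat at offset 0 of a fake memory image and handle it."""
    record = build_heartbeat(b"ping", declared_len)
    memory = bytearray(record + NEIGHBOUR_MEMORY)
    handler = handle_fixed if fixed else handle_vulnerable
    resp = handler(memory, 0, len(record))
    return None if resp is None else response_payload(resp)


if __name__ == "__main__":
    print("honest request, vulnerable server:", simulate(4, fixed=False))
    print("lying request,  vulnerable server:", simulate(60, fixed=False))
    print("lying request,  fixed server:     ", simulate(60, fixed=True))
```

The four-byte "ping" with payload_length claiming 60 is the whole attack: the vulnerable handler dutifully returns 60 bytes, 56 of which were never part of the request. Nothing about the exchange is malformed at the TLS record layer, which is why it left no trace in ordinary server logs, and why the only durable remedy after patching was to assume key material and credentials were exposed and rotate them.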

78© 2014 Carnegie Mellon University

August 4, 2014

79© 2014 Carnegie Mellon University

November 10, 2014

80© 2014 Carnegie Mellon University

November 24, 2014


81© 2014 Carnegie Mellon University

A Discussion of Sony Incident

How did it happen?

Who did it?

How long had Sony been breached before discovery?

What was the impact?

• What was stolen?

• What was disrupted?

• What was destroyed?

What were the business continuity and disaster recovery

aspects?

82© 2014 Carnegie Mellon University

February 4, 2015

83© 2014 Carnegie Mellon University

Outline

Setting the Stage

• Protecting organizational mission

• Relationship to the rest of this course

• Scope of our discussion

• How has the problem changed over the years?

A Look at Recent Events

Threat Environment

Recent Statistics

Selected Hot Topics

Cybersecurity Policy / Regulation / Legislation

Cybersecurity is a Business Continuity Issue

Summary

Takeaways

84© 2014 Carnegie Mellon University

Threat Environment


85© 2014 Carnegie Mellon University

Director of National Intelligence – 1/26/15

86© 2014 Carnegie Mellon University

Director of National Intelligence – 1/26/15

U.S Intelligence Community

Worldwide Threat Categories

1. Cyber

2. Counterintelligence

3. Terrorism

4. WMD and Proliferation

5. Space and Counterspace

6. Transnational Organized Crime

7. Economic and Natural Resources

8. Human Security

87© 2014 Carnegie Mellon University

Business Continuity Institute – February 2015

This year’s top dozen threats to

business continuity are:

1. Cyber attack

2. Unplanned IT and telecom outages

3. Data breach

4. Interruption to utility supply

5. Supply Chain Disruption

6. Security Incidents

7. Adverse weather

8. Human Illness

9. Fire

10. Act of terrorism

11. Health & Safety incident

12. Transport Network Disruption

88© 2014 Carnegie Mellon University

Gov’t Accountability Office – Feb. 2015


89© 2014 Carnegie Mellon University

Reflections on the 10th Anniversary of 9/11 Commission Report – July 2014

90© 2014 Carnegie Mellon University

Traditional Threats

Worms

Trojans

Viruses

Spyware

Botnets

Social Engineering Attacks

Spear Phishing

Baiting

Buffer Overflows and SQL Injections

91© 2014 Carnegie Mellon University

More Modern Threats

Traditional signature-based security defenses — including IPS, NGFW, and anti-virus products — are mainly designed to detect known threats. But today, it’s the unknown threats that are making the biggest headlines.

Zero-Day Threats

Advanced Persistent Threats

Polymorphic Threats

Blended Threats

Etc., Etc., Etc…

92© 2014 Carnegie Mellon University

Mandiant 2015 “M-Trends” Report

Across the Cyber Threat Landscape


93© 2014 Carnegie Mellon University

Actors and Attacks

Actors | Attack Example | Motivation | Outcomes
Cyber Criminals | Bank account takeover via malware | Financial gain | Financial loss for the victim
Insiders | Fake invoicing; Disclosure of proprietary information | Financial gain; Political; Grudge | Financial loss for organization; Disclosure of sensitive information
Hacktivists | Anonymous attacks on payment processors in defense of WikiLeaks founder | Making political or social statements | Service disruption
Cyber Espionage Actors | Gmail account takeover of Chinese dissidents; Theft of IP from manufacturers | Revenge; Financial gain | Fear among dissidents; Financial loss
Nation-States | Iran is attacked with Stuxnet; US bank website attacked with DDoS | Political | Service disruption

94© 2014 Carnegie Mellon University

Random Attacks vs. Targeted Attacks

Random Attacks

• Viruses

• Worms

• Port scans

• Phishing

Targeted Attacks

• Denial of service

• Theft of service

• Information theft

• IP theft

95© 2014 Carnegie Mellon University

Advanced Targeted Attacks (a.k.a. Advanced Persistent Threats (APT))

A threat that is advanced (by some measure) and intends to get in and persist in your environment

Advanced in the sense of bypassing traditional defense mechanisms such as:

• Secure Email Gateway

• Firewall

• Intrusion Detection/Prevention

• Endpoint Protection

• Secure Web Gateway

96© 2014 Carnegie Mellon University

High Level Lifecycle of a Typical APT Attack

1. Initial intrusion through system exploitation

2. Malware is installed on the compromised system

3. Outbound connection is initiated (command and control)

4. Attacker spreads laterally

5. Compromised data is extracted
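Stages 3 and 5 of the lifecycle above, the outbound command-and-control connection and the extraction of data, are the ones a defender can see at the network edge even when the endpoint controls were bypassed. The following detection logic is an added example, not from the deck or from any vendor: it runs over constructed proxy log lines, flags source/destination pairs whose connection intervals are suspiciously regular (beaconing), flags pairs whose outbound byte count is unusually large, and puts hosts that show both at the top of the queue. The log field layout, the thresholds and the host names are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from the deck): timestamp, source host,
# destination host, bytes sent outbound. ws-17 checks in every ~5 minutes and
# then pushes a large upload; ws-03 browses normally.
SAMPLE_LOG = """\
2015-04-20T09:00:02 ws-17 cdn.example-update.net 512
2015-04-20T09:05:01 ws-17 cdn.example-update.net 498
2015-04-20T09:10:03 ws-17 cdn.example-update.net 505
2015-04-20T09:15:02 ws-17 cdn.example-update.net 511
2015-04-20T09:20:02 ws-17 cdn.example-update.net 30000000
2015-04-20T09:00:40 ws-03 news.example.org 1200
2015-04-20T09:07:15 ws-03 mail.example.com 4200
2015-04-20T09:31:58 ws-03 news.example.org 900
2015-04-20T09:45:10 ws-03 cdn.example-update.net 700
"""


def parse_log(text):
    """Parse 'timestamp src dst bytes_out' lines into (datetime, src, dst, int) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sent = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(sent)))
    return events


def find_beacons(events, min_events=4, max_cv=0.1):
    """(src, dst) pairs whose inter-connection gaps are nearly constant.

    Implant check-ins fire on a timer, so the coefficient of variation
    (stdev / mean) of the gaps is small; human browsing is bursty.
    Returns {pair: mean_gap_seconds}.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:
            continue                      # too few samples to judge regularity
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = round(mean)
    return beacons


def find_exfil(events, threshold_bytes=10_000_000):
    """(src, dst) pairs whose total outbound volume reaches the threshold."""
    totals = defaultdict(int)
    for _, src, dst, sent in events:
        totals[(src, dst)] += sent
    return {pair: n for pair, n in totals.items() if n >= threshold_bytes}


def triage(events):
    """Rank: pairs that both beacon and bulk-upload first, then each signal alone."""
    beacons = find_beacons(events)
    exfil = find_exfil(events)
    return {"high": sorted(set(beacons) & set(exfil)),
            "beacon_only": sorted(set(beacons) - set(exfil)),
            "exfil_only": sorted(set(exfil) - set(beacons))}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for level, pairs in triage(evts).items():
        for src, dst in pairs:
            print(f"{level:12s} {src} -> {dst}")
```

Two practical notes. Legitimate software updaters and monitoring agents also beacon, so in production the beacon list is compared against an allow-list of known destinations before anyone is paged. And the exfil threshold is a placeholder: the right value comes from a baseline of each host's normal daily upload volume, not from a constant.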


97© 2014 Carnegie Mellon University

Targeted Attacks are Hard to Detect

How are compromises detected? 69% of victims were notified by an external entity

How long before the compromises are detected? 205 days: median time before detection

Source: 2015 Mandiant “M-Trends” Report

98© 2014 Carnegie Mellon University

http://www.threatgeek.com/2012/09/threattoons-the-cybersecurity-savanna.html

99© 2014 Carnegie Mellon University

Outline

Setting the Stage

• Protecting organizational mission

• Relationship to the rest of this course

• Scope of our discussion

• How has the problem changed over the years?

A Look at Recent Events

Threat Environment

Recent Statistics

Selected Hot Topics

Cybersecurity Policy / Regulation / Legislation

Cybersecurity is a Business Continuity Issue

Summary

Takeaways

100© 2014 Carnegie Mellon University

Recent Statistics


101© 2014 Carnegie Mellon University

2014 National Preparedness Report

Assessment of Current Capabilities Based on State Preparedness

102© 2014 Carnegie Mellon University

Verizon Annual Data Breach Report - 2014

Percent of breaches per threat actor

103© 2014 Carnegie Mellon University

Verizon Annual Data Breach Report - 2014

Number of breaches per threat action category

104© 2014 Carnegie Mellon University

Verizon Annual Data Breach Report - 2014

Frequency of incident classification patterns


105© 2014 Carnegie Mellon University

Verizon Annual Data Breach Report - 2014

106© 2014 Carnegie Mellon University

Verizon Annual Data Breach Report - 2014

107© 2014 Carnegie Mellon University

Mandiant 2015 “M-Trends” Report

Industries Targeted by Cyber Threat Actors

108© 2014 Carnegie Mellon University

Mandiant 2015 “M-Trends” Report

How compromises are

detected

Time to discovery


109© 2014 Carnegie Mellon University

Mandiant 2015 “M-Trends” Report

Phishing Email Trends

110© 2014 Carnegie Mellon University

Ponemon 2014 Cost of Data Breach Study

Average per capita cost of data breach in USA

Average organizational cost of data breach in USA (measured in $1,000,000s)

Per capita cost = Total cost of breach / size of the data breach (number of records compromised)

111© 2014 Carnegie Mellon University

Ponemon 2014 Cost of Data Breach Study

Per capita cost by industry

112© 2014 Carnegie Mellon University

Ponemon 2014 Cost of Data Breach Study

Root cause of the data breach

Per capita cost by root cause


113© 2014 Carnegie Mellon University

Ponemon 2014 Cost of Data Breach Study

Impact of factors on the per capita cost of data breach

114© 2014 Carnegie Mellon University

Ponemon 2014 Cost of Data Breach Study

Does the organization have a data breach protection or cyber

insurance policy?

115© 2014 Carnegie Mellon University

Raytheon Privileged User Risk Study

116© 2014 Carnegie Mellon University

Arbor Networks 2015 Worldwide Infrastructure Security Report

Most Significant Operational Threats Experienced


117© 2014 Carnegie Mellon University

Arbor Networks 2015 Worldwide Infrastructure Security Report

Size of the Largest Reported DDoS Attack

119© 2014 Carnegie Mellon University

Blurring of Cyber/Physical Security

120© 2014 Carnegie Mellon University

The 3Gs of Traditional Physical Security

Guns

Guards

Gates


121© 2014 Carnegie Mellon University

Traditional Protection of Critical Infrastructure

122© 2014 Carnegie Mellon University

Smart Grid

Source: Con Edison

123© 2014 Carnegie Mellon University

Intertwining of Physical and Cyber Domains

Potential modes of attack

• Physical only attack

• Cyber only attack

• Physical-enabled cyber attack

• Cyber-enabled physical attack

Physical Security / Cybersecurity

• Physical protection of cyber assets

• Cyber protection of physical assets

124© 2014 Carnegie Mellon University

Example: Stuxnet


125© 2014 Carnegie Mellon University

January 2012

126© 2014 Carnegie Mellon University

October 17, 2012

127© 2014 Carnegie Mellon University

June 25, 2013

128© 2014 Carnegie Mellon University

February 11, 2014


129© 2014 Carnegie Mellon University

http://www.threatgeek.com/2013/08/threattoons-the-scada-game.html

130© 2014 Carnegie Mellon University

Security of the Internet of Things

131© 2014 Carnegie Mellon University

Internet: facilitating digital communications among people (e.g., email)

eCommerce: facilitating business transactions between people and business (e.g., Amazon.com)

IoT / IoE (Internet of Things/Everything): connecting people, businesses, and things

132© 2014 Carnegie Mellon University

Internet of Things


133© 2014 Carnegie Mellon University

Example: Burberry

134© 2014 Carnegie Mellon University

Example: Huggies TweetPee

135© 2014 Carnegie Mellon University

Example: Tweeting Moisture Sensor

136© 2014 Carnegie Mellon University

Example: Internet of “Everything”


137© 2014 Carnegie Mellon University

Observations from a Recent IoT Study

Internet of Things Research Report,

Hewlett Packard, July 2014

138© 2014 Carnegie Mellon University

Marketplace for Adversaries

139© 2014 Carnegie Mellon University

Marketplace for Adversaries

There is an active black market for

• Actors (e.g., cyber criminals for hire)

• Infrastructure (e.g., botnets to rent)

• Tools (e.g., exploit kits)

• Takes (e.g., credit card and personal information)

140© 2014 Carnegie Mellon University

Flow of “Goods” in the Marketplace

Research → Infiltration → Discovery → Capture → Exfiltration

• Research on people and systems of potential targets

• Develop profiles for sale

• People who are good at breaking in buy profiles

• Determine what toolkits should be built

• Trick us into giving them credentials

• Discover a bunch of access points

• They come into our environment through an access point they purchased

• They explore our environment (where sensitive data is kept; what countermeasures are there; what does the network look like)

• They develop a killer map

• Use the killer map to collect valuable information assets

• Take it out or destroy it


141© 2014 Carnegie Mellon University

Structural Imbalance

142© 2014 Carnegie Mellon University

But the statistics look bad…

How much are we spending?

$46 BILLION: global spend on cybersecurity

Generally speaking, organizations are doing a relatively good job of protecting themselves; blocking most of what is coming at them.

143© 2014 Carnegie Mellon University

How well are we doing?

20% increase in number of breaches

30% increase in cost of a single breach

Why do the statistics look bad?

144© 2014 Carnegie Mellon University

There is a structural imbalance

They only need to be right ONE TIME

We have to be right EVERY TIME
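As an added illustration of the one-time/every-time asymmetry (not part of the original slide), assume each attack attempt succeeds independently with probability $p$ and the defender faces $n$ such attempts. The defender must stop all of them, so

$$P(\text{all } n \text{ attempts stopped}) = (1-p)^n, \qquad P(\text{at least one succeeds}) = 1-(1-p)^n.$$

With $p = 0.01$ (the defender blocks 99 percent of attempts) and $n = 100$, $(0.99)^{100} \approx 0.366$, so the chance of at least one successful attempt is about $0.634$; at $n = 500$ it exceeds $0.99$. A high per-attempt block rate does not translate into a high probability of never being breached, which is why the deck argues that spending on stopping infiltration cannot be the whole strategy.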


145© 2014 Carnegie Mellon University

Dealing with the Structural Imbalance

Majority of the budget (86%) is spent in trying to stop adversaries’ infiltration.

• i.e., in the 2nd step in the “Marketplace for Adversaries” diagram

• We keep looking for the silver bullet

Organizations are over invested in

• products and technology

Organizations are not investing enough in

• People

• Processes

146© 2014 Carnegie Mellon University

Other Hot Topics

147© 2014 Carnegie Mellon University

Insider Threat – The Enemy from Within

A current or former employee, contractor, or business partner who meets the following criteria:

• has or had authorized access to an organization’s network, system, or data

• has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

148© 2014 Carnegie Mellon University

Insider Threat – Examples


149© 2014 Carnegie Mellon University

Types of Insider Crimes

Insider IT sabotage

• Deletion of information

• Bringing down systems

• Web site defacement to embarrass organization

Insider theft of intellectual property

• Proprietary engineering designs, scientific formulas, etc.

• Proprietary source code

• Confidential customer information

• Industrial Espionage

Insider fraud

• Theft and sale of confidential information

• Modification of critical data for pay

• Stealing of money

National Security Espionage

• Spies against the U.S.

150© 2014 Carnegie Mellon University

How bad is the insider threat problem?

151© 2014 Carnegie Mellon University

How bad is the insider threat problem?

152© 2014 Carnegie Mellon University

Cyber Insurance

A contract between an insurer and a company to protect against certain losses related to cyber risks

• One element of an organization’s cyber-risk treatment strategy

Risk treatment options by Impact and Likelihood of Occurrence:

• High impact, low likelihood: Transfer

• High impact, high likelihood: Avoid

• Low impact, low likelihood: Accept

• Low impact, high likelihood: Mitigate

Likelihood of Occurrence is reduced by: Prevent, Detect, Remediate

Impact is reduced by: Insure, Hedge


153© 2014 Carnegie Mellon University

Cyber Insurance – Key Coverage Types

First Party (protection for direct costs from the incident)

• Business interruptions

• Remediation costs to respond to an incident, such as:

  • Consultants

  • Investigation

  • Notifying third-party victims

Second Party (liability protection for harm to others)

• Legal liability for loss or breach of data, including defense and settlement costs

• Fines or penalties imposed by laws or regulations

• Lawsuits and associated settlement costs

154© 2014 Carnegie Mellon University

Cyber Insurance - Considerations

Some organizations are reluctant to report cyber incidents because it might affect relationships with customers, partners, and investors

Insurers are generally interested in insuring only the “good” risk

Organizations find it difficult to determine the right level of coverage

Brokers are often not security savvy and may not know what risks you need to insure against

Consistent, accurate, and repeatable methods to measure (estimate) an organization’s cyber risk

155© 2014 Carnegie Mellon University

Cyber Workforce

“… As adversaries exploit the Cyberspace domain for their military, economic, and political advantage, operations in cyberspace are evolving from an afterthought to a fundamental element for achieving all missions. The Department must similarly evolve the workforce to address the needs of the domain…”

156© 2014 Carnegie Mellon University

Securing Nomadic/Mobile/BYOD Environments

What happens to concepts of:

• Defense in depth

• Boundary

• Ownership

• Physical security

• Infrastructure

• Trust model

• Etc…


157© 2014 Carnegie Mellon University

The Dark Corner of the Web

The Deep Web – Part of the Internet that is not accessible through the commercial search engines

The Darknet – Part of the Deep Web where one can operate in anonymity

158© 2014 Carnegie Mellon University

What? How much? When? Where? For what? How long?

Government Surveillance

Multifaceted role of government within the Internet

• User

— Government agencies use the Internet to deliver their services

— Government is a large enterprise whose customers are citizens

• Protector

— Of the Internet itself

— Of the users of the Internet

• Exploiter

— If a federal agency becomes aware of a vulnerability, should it share that information with others or keep it to itself so that it can exploit it at a later time?

• Access to Data

— Government has national security and public safety missions

— It needs access to data to achieve these missions

— “Access to data” = “Surveillance”

— Security vs. Civil Liberty vs. Privacy

159© 2014 Carnegie Mellon University

Government Surveillance – Snowden Case

160© 2014 Carnegie Mellon University

Government Surveillance


162© 2014 Carnegie Mellon University

Policy / Regulation / Legislation

163© 2014 Carnegie Mellon University

Source of Cybersecurity Regulations

In the United States, cybersecurity regulation comprises:

• Legislation from Congress

• Directives from the Executive Branch

164© 2014 Carnegie Mellon University

Existing Cybersecurity Regulations

There are very few federal cybersecurity regulations, and the ones that exist focus on specific industries.

The three main cyber-security regulations are:

• 1996 Health Insurance Portability and Accountability Act (healthcare organizations)

• 1999 Gramm-Leach-Bliley Act (financial institutions)

• 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA) (federal agencies)

They do not specify what cyber-security measures must be implemented and require only a “reasonable” level of security.

The vague language of these regulations leaves much room for interpretation.


165© 2014 Carnegie Mellon University

Congressional Cybersecurity Activities

Congress has been holding hearings related to cybersecurity every year since 2001

Number of bills/resolutions/hearings introduced with provisions related to cybersecurity:

• 111th Congress (January 2009 – January 2011): 60+

• 112th Congress (January 2011 – January 2013): 70+

• 113th Congress (as of June 24, 2014): 70+

166© 2014 Carnegie Mellon University

Cybersecurity Legislation

The Obama Administration sent Congress a package of legislative proposals in May 2011

• To give the federal government new authority to ensure that corporations that own the assets most critical to the nation’s security and economic prosperity are adequately addressing the risks posed by cybersecurity threats.

No comprehensive cybersecurity legislation has been enacted since 2002.

167© 2014 Carnegie Mellon University

Role of Federal Government?

168© 2014 Carnegie Mellon University

Role of Federal Government?


169© 2014 Carnegie Mellon University

Late 2012 – Early 2013

170© 2014 Carnegie Mellon University

Observation

It has taken us centuries to determine norms of behavior and rules of engagement in the physical world.

Policies and doctrines around kinetic attacks on US interests are mature, but fail to provide needed clarity when applied to cyber-based attacks, especially those of foreign state actors.

For example…

171© 2014 Carnegie Mellon University

Question: Enable active defenses?

An active shooter in a bank lobby would likely meet deadly force in response

Should organizations be legally allowed to fight back when under cyber attack?

172© 2014 Carnegie Mellon University

July 12, 2013


173© 2014 Carnegie Mellon University

Question: National defenses

If a foreign state fired a missile at a US bank HQ, it would meet immediate military defense

Should military-grade cyber defenses be deployed to protect US businesses that are under attack by foreign states?

174© 2014 Carnegie Mellon University

Question: Update Posse Comitatus Act?

The unprecedented scale of recent attacks warrants re-examination of our national readiness to respond and defend against state actors in cyberspace

Suppose DOD had the best response; would it be allowed to act?

Do we need another exception to the Posse Comitatus Act to enable military cyber response to large-scale cyber attacks on US critical infrastructure?

176© 2014 Carnegie Mellon University

Cybersecurity is a Business Continuity Issue

A discussion of how recent cybersecurity observations affect the business continuity and disaster recovery community


177© 2014 Carnegie Mellon University

Fallouts of Cyber Attacks

The most frequent fallouts of cyber attacks that we hear about

• Disclosure of personally identifiable information

• Theft of intellectual property

• Loss of credit card information

• Revealing of company proprietary information

• Exposure of corporate email messages

• Leak of trade secrets

However, cyber adversaries are interested in more than that

• Causing operational havoc

• Forcing the shutdown of the day-to-day business operations

• Affecting delivery of products and services

178© 2014 Carnegie Mellon University

Summary

179© 2014 Carnegie Mellon University

In Closing (in no particular order)

The attack landscape has drastically changed

• Dynamic and expanding

• A vast majority of the attacks have transitioned from the network & transport layer to the application layer

Traditional signature-based protection techniques (e.g., anti-virus, IPS, FW)

• Are primarily meant to detect known threats, while unknown threats are the ones causing the most havoc

Advanced Threats Bypass Traditional Defenses

• Traditional defense-in-depth components are still necessary, but are no longer sufficient.

180© 2014 Carnegie Mellon University

In Closing (in no particular order)

The subject has evolved from hacking for fun and/or recognition to attacks for profit and/or political gain.

Unlike historical kinetic attacks, barriers to entry for malicious actors are low, and government intervention is not visible.

We are developing and proliferating technologies faster than we can characterize the security implications and mitigate the associated risks.

Ever-increasing intertwining of the physical and cyber domains.


181© 2014 Carnegie Mellon University

In Closing

182© 2014 Carnegie Mellon University

Prevention is futile

183© 2014 Carnegie Mellon University

Cybersecurity is a risk management issue

(Not a technology issue)

184© 2014 Carnegie Mellon University

Cybersecurity is a discussion topic for the Board

(Not for the data center)

Source: Ponemon Institute Research Report. July 17, 2014


185© 2014 Carnegie Mellon University

Compliance ≠ Security

186© 2014 Carnegie Mellon University

Source: https://www.idradar.com/news-stories/identiy-protection/Target-Dropped-The-Ball-On-Breach-Detection-Report-Says

187© 2014 Carnegie Mellon University

Protection Activities / Sustainment Activities

Continually balance protection and sustainment activities

188© 2014 Carnegie Mellon University

Protection Activities / Sustainment Activities

Integrate and coordinate all operational risk management activities


189© 2014 Carnegie Mellon University

Integrate and coordinate all operational risk management activities

190© 2014 Carnegie Mellon University

Invest in people and process

(Not only in technology)

Thank you for your attention…

192© 2014 Carnegie Mellon University

References

• Nader Mehravari, “Resilience Management,” a course module in the CISO Executive Education and Certification Program, Heinz College, Carnegie Mellon University, 2013, http://www.heinz.cmu.edu/school-of-information-systems-and-management/chief-information-security-officer-executive-education-and-certification-program/index.aspx

• Joshua Corman, “Managing Operational Threat,” a presentation delivered in the CISO Executive Education and Certification Program, Heinz College, Carnegie Mellon University, March 7, 2013, http://www.heinz.cmu.edu/school-of-information-systems-and-management/chief-information-security-officer-executive-education-and-certification-program/index.aspx

• Nader Mehravari, “Achieving Organizational Mission Through Resilience Management,” A Discussion with CERT Experts: Constructing a Secure Cyber Future, Part of SEI Webinar Series, April 30, 2013, https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=583853&sessionid=1&key=5E4796946B6897C34F544ADD1D1E1641&sourcepage=register

• Rich Pethia, “20+ Years of Cyber (in)Security,” A Discussion with CERT Experts: Constructing a Secure Cyber Future, Part of SEI Webinar Series, April 30, 2013, https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=583853&sessionid=1&key=5E4796946B6897C34F544ADD1D1E1641&sourcepage=register

• John Seabrook, “Network Insecurity,” The New Yorker, May 20, 2013, pp. 64-70.

• Lisa Daniel, “DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says,” American Forces Press Services, March 27, 2012, http://www.defense.gov/news/newsarticle.aspx?id=67713

• Emil Protalinski, “NSA: Cybercrime is the greatest transfer of wealth in history,” ZDNet, July 10, 2012, http://www.zdnet.com/nsa-cybercrime-is-the-greatest-transfer-of-wealth-in-history-7000000598/

• Caralli, Richard A.; Allen, Julia H.; White, David W. CERT® Resilience Management Model: A Maturity Model for Managing Operational Resilience. Addison-Wesley, 2011.

• “Introduction to the CERT Resilience Management Model,” Software Engineering Institute Training, http://www.sei.cmu.edu/training/p66.cfm

• R.H. Zakon “Hobbes' Internet Timeline 10.2” http://www.zakon.org/robert/internet/timeline/

• ISC Internet Host Count History http://www.isc.org/solutions/survey/history

• Verisign “The Domain Name Industry Brief” http://www.verisigninc.com/en_US/why-verisign/research-trends/domain-name-industry-brief/


193© 2014 Carnegie Mellon University

References

• Netcraft Web Server Survey http://news.netcraft.com/archives/category/web-server-survey/

• Facebook statistics http://newsroom.fb.com/content/default.aspx?NewsAreaId=22

• ARPANET Maps – http://som.csudh.edu/cis/lpress/history/arpamaps/ and http://mappa.mundi.net/maps/maps_001/map_0699.html

• Joshua Corman and David Etue, “Adversary ROI: Evaluating Security from the Threat Actor’s Perspective,” RSA US Conference, 2012, http://www.slideshare.net/DavidEtue/adversary-roi-evaluating-security-from-the-threat-actors-perspective

• Joshua Corman, “A Replaceability Continuum,” Cognitive Dissidents Joshua Corman Blog, October 24, 2011, http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/

• Andrew Wells, Earl Perkins, and Juergen Weiss, “Definition: Cybersecurity,” Gartner report # G00252816, June 7, 2013.

• Lawrence Pingree and Neil MacDonald, “Best Practices for Mitigating Advanced Persistent Threats,” Gartner report # G00224682, January 18, 2012.

• James Clapper, “Worldwide Threat Assessment of US Intelligence Community,” statement delivered to Senate Select Committee on Intelligence, March 12, 2013.

• James Clapper, “Worldwide Threat Assessment of US Intelligence Community,” statement delivered to Senate Select Committee on Intelligence, January 29, 2014.

• U.S. Government Accountability Office (GAO), “Cybersecurity – Threats Impacting the Nation,” April 24, 2012.

• Gary Stoneburner, “Toward a Unified Security/Safety Model,” Computer, August 2006.

• Ron Ross, “Managing Enterprise Security Risk with NIST Standards,” Computer, August 2007.

• Doug MacDonald, Samuel L Clements, Scott W Patrick, Casey Perkins, George Muller, Mary J Lancaster, Will Hutton, “Cyber/Physical Security Vulnerability Assessment Integration,” Innovative Smart Grid Technologies (ISGT), 2013 IEEE PES, February 24-27, 2013.

• U.S. Department of Homeland Security, “National Preparedness Report,” March 30, 2013

• U.S. Department of Defense, “Resilient Military Systems and the Advanced Cyber Threats,” DoD Defense Science Board Task Force Report, January 2013.

194© 2014 Carnegie Mellon University

References

• Verizon, “2013 Data Breach Investigations Report,”

• Earl Perkins, “The Impact of Critical Infrastructure Protection Standards on Security,” Gartner report # G00230036, March 12, 2013.

• U.S. Government Accountability Office (GAO), “High-Risk Series – An Update,” February 2013.

• Bradford Willke, “Securing the Nation’s Critical Cyber Infrastructure,” U.S. Department of Homeland Security, April 14, 2010.

• David Kushner, “The Real Story of Stuxnet,” IEEE Spectrum, February 2013.

• Roger G. Johnston, “Being Vulnerable to the Threat of Confusing Threats with Vulnerabilities,” Journal of Physical Security 4(2), pp. 30-34, 2010.

• Steve Pipper, Definitive Guide to Next-Generation Threat Protection, Cyberedge Press, ISBN: 978-0-9888233-0-3, 2013.

• Siobhan Gorman, “Should Companies Be Required to Meet Certain Minimum Cybersecurity Protections?” Wall Street Journal, May 10, 2013.

• “FireEye Advanced Threat Report – 2H 2012,” FireEye, http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2h2012.pdf

• Ponemon Institute, “2014 Cost of Data Breach Study: Global Analysis,” May 2014.

• Neil MacDonald, “Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence,” Gartner, Report # G00252476, May 30, 2013.

• Raytheon, “Privileged Users: Superman or Superthreat? A Privileged User Risk Whitepaper,” 2014.

• Verizon, “Verizon 2014 PCI Compliance Report,” 2014.

• Verizon, “Verizon 2014 Data Breach Investigations Report,” 2014.

• Verizon, “Verizon 2014 Data Breach Investigations Report – Executive Summary,” 2014.

• Rita Tehan, “Cybersecurity: Authoritative Reports and Resources, by Topic,” Congressional Research Service, May 30, 2014.

195© 2014 Carnegie Mellon University

References

• U.S. Government Accountability Office (GAO), “High-Risk Series – An Update,” February 2013.

• Finding a Path Forward in an Increasingly Conflicted Digital World, Arthur W. Coviello, 2014 RSA Conference Keynote Address, https://www.youtube.com/watch?v=aB2gG-cRj10

• Conundrums in Cyberspace: Exploiting Security in the Name of, well, Security, Scott Charney, Corporate VP, Trustworthy Computing, MS, 2014 RSA Conference Keynote Address, https://www.youtube.com/watch?v=ajYuqW4npiw

• Nawaf Bitar, “The Next World War Will be Fought in Silicon Valley,” 2014 RSA Conference Keynote Address, https://www.youtube.com/watch?v=XKkwL0gTN4w

• Art Gilliland, “Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy,” RSA 2014 Keynote, https://www.youtube.com/watch?v=hgeBk84CaQg

• Stephen Trilling, “Future of Security.” RSA 2014 Keynote, http://www.rsaconference.com/videos/125/the-future-of-security

• Kevin Mandia, State of the Hack: One Year after the APT1 Report, RSA 2014 Keynote, http://www.rsaconference.com/videos/128/state-of-the-hack-one-year-after-the-apt1-report

• Lawrence Orans, “The Cyber Threat Landscape,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.

• Juergen Weiss, “Understanding Terms and Clauses of Your Cyber Insurance,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.

• Richard Steinbert, “Reconstructing Risk Management,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.

• Eric Ahlm, “Extending Secure Access in a Mobile, BYOD and Cloud App World,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.

• Avivah Litan, “Fighting Cyberthreats With Layered Context Aware Security and Fraud Prevention,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.

• Ruggero Contu, “Nexus Forces Shaping Security,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.

196© 2014 Carnegie Mellon University

References

• Neil MacDonald, “Architecting a New Approach for Continuous Advanced Threat Protection,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.

• Earl Perkins and Ray Wagner, “Top Security Trends and Take-aways for 2014 and 2015,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.

• Carsten Casper, “The NSA, Google and Radically Redefining Privacy for the 21st Century,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.


197© 2014 Carnegie Mellon University

Notices

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM-0002226