Title: Cybersecurity: defending our digital future
1 Cybersecurity: defending our digital future
- Mike Burmester
- Center for Security and Assurance in IT, Florida State University
- 3rd Annual TechExpo, Tallahassee, May 6th 2010
2 Talkthrough
- Background
- the White House Cyberspace Policy Review
- Emerging network technologies
- Wireless, ubiquitous
- Cloud applications, intelligent networks
- What next!
- The adversary
- We are behind the learning curve; the hackers are ahead
- Security threats
- How can we defend our digital future?
- Near-term and midterm plans
- Methodology
- Technical aspects, technical analysis
3 Background
- In Feb 2009 the President directed a 60-day clean-slate review to assess U.S. policies and structures for cybersecurity.
- In March 2009 the Cyberspace Policy Review was published.
- The Cybersecurity Review recommends general guidelines regarding the
  - Strategy
  - Policy, and
  - Standards
- for securing operations in cyberspace.
- . . . our approach over the past 15 years has failed to keep pace with the threat.
4 Background
- What is Cyberspace?
- . . . the interdependent network of information technology infrastructures, including
  - the Internet
  - Telecommunications networks
  - Computer systems
  - Embedded processors and
  - Controllers in critical industries
- Common usage of the term also refers to the
  - Virtual environment of information and interactions between people
5 Background
- What is Cyberspace? A historical perspective
- 1985: a system of mainframe computers (NSFNET)
- 1990: the Internet and Web applications
- 2000: Wireless networks
- 2008: Cloud applications
- 20??: The Internet of Things
- 20??: Virtual life?
- How can we secure a structure that keeps morphing?
6 Emerging Network Technologies: the wireless medium, at the beginning . . .
- Wireless technology offers unparalleled opportunities
- Some time ago
- Telegraph
- Radio communication
- Amateur radio
- TV
7 Emerging Network Technologies: the wireless medium, more recently
- Wireless technology offers unparalleled opportunities
- Wireless technology
- Cellular systems (3G and beyond)
8 Emerging Network Technologies: Bluetooth, Wi-Fi, sensors, RFIDs
- Short range point-to-point
- Bluetooth Personal Area networks
- Wi-Fi technologies
- Wireless sensor networks
- RFID (Radio Frequency Identification) systems
9 Emerging Network Technologies: Sensor networks
- Factory floor automation
- Border fencing
- Military applications
10 RFID deployments
- An RFID road pricing gantry in Singapore
- An RFID tag
- RFID tags used in libraries
- Airports checking luggage
- U.S. (electronic) passports
11 Wireless technologies
- Long range point-to-point
- WiMAX technologies
12 Wireless technologies with no infrastructure
- Mobile ad hoc networks (MANETs)
- Disaster recovery
13 Vehicle-to-Vehicle communication
14 Ubiquitous networks
- Network all applications! The Internet of Things
15 What next!
- Cloud applications ???
- Delegate applications
- Start with the Internet cloud
- Delegate applications to the cloud
16 . . . and next! Emerging technologies
- Robotics
- Nanotechnology
- molecular self-assembly
- developing new materials
- Biotechnology
- Analyzing the myriad simultaneous cellular activities
- Living systems can be regarded as communication systems: they transmit the genome of the organism by replication/transcription and translation.
17 Beyond next!
- Intelligent Networking ???
18 Beyond . . . the beyond
- Virtual Networking and Environments
- Current Definition (academic)
- A technology used to control remotely located computers and applications over the Internet
- White House Policy Review definition of Cyberspace
- A virtual environment of information and interactions between people
- Cyberspace: the digital network infrastructure
- cloud applications
- virtual network technology
- emerging technologies
- intelligent networking
19 Now, the bad . . .
The adversary (the hackers)
20 The adversary: Portrait of a Computer Criminal
- Amateurs
  - Normal people, maybe disgruntled over some negative work situation
  - Have committed most of computer crimes to date
- Crackers or Hackers
  - Often high school/university students: cracking is seen as the ultimate victimless crime
  - Attack for curiosity, self-satisfaction and personal gain
- Career criminals
  - Understand the targets of computer crime
  - Usually begin as computer professionals who later engage in computer crime, finding the prospects and payoff good.
  - Electronic spies and information brokers who recognize that trading in companies' secrets can be lucrative
21 The adversary: It is worse!
- A simple Google search
- key words: Chinese, threat, cyberspace
- MI5 alert on China's cyberspace spy threat (Times Online) Dec 1, 2007 . . . The Government has openly accused China of carrying out state-sponsored espionage against vital parts of Britain's economy, including . . .
- U.S. military flags China cyber threat
- 2008-03-06 . . . The U.S. DoD warned in an annual report released this week that China continues to develop its abilities to wage war in cyberspace as part of a doctrine of "non-contact" warfare
22 The adversary . . . much worse!
- key words: France, threat, cyberspace
- NATO chief calls attention to threats from cyberspace
- Mar 4, 2010 . . . NATO is facing new threats in cyberspace that cannot be met by lining up soldiers and tanks, the alliance's secretary-general said Thursday in an apparent reference to terror groups and criminal networks
- key words: International, threat, cyberspace
- Threat of next world war may be in cyberspace
- Oct 6, 2009 . . . The next world war could happen in cyberspace and that would be a catastrophe. We have to make sure that all countries understand that in that war . . .
23 The adversary: New technologies can be abused
- Are we prepared for intelligent networks?
- Who will manage them?
- Do we want
- Centralized, or
- Decentralized management
- Who will protect our resources?
- What are the threats?
24 Security Threats
- Confidentiality
  - Eavesdropping (wiretapping)
- Privacy
  - Anonymity (Big Brother)
- Integrity
  - Data integrity: protection against unauthorized modifications, data corruption, deletion . . .
  - Source or destination integrity: protections against spoofing attacks, man-in-the-middle attacks
- Availability
  - Coverage: deployment
  - Information: data accuracy, traffic control
  - Dependable data transport: what about transmission/omission/congestion errors?
  - What about malicious faults?
25 The Internet is hackers' paradise
- Security Threats: Perceived or Real
- Impersonation Attacks
- Denial of Service Attacks
- Session Tampering and Hijacking
- Man-in-the-Middle Attacks
26 Can we protect Digital resources?
- There are some very good cryptographic tools that can be used to protect digital resources
- Many of these tools have proven security
- The problem is usually bad implementations
- The best cryptographic security is point-to-point security (such as VPN)
- The source and destination
  - are mutually authenticated (with public key cryptography)
  - exchange privately a fresh secret key (with public key cryptography)
  - use symmetric key encryption scheme to encrypt exchanged data (with symmetric key cryptography)
27 Can wireless technology be made secure?
- Point-to-point security
- Authentication usually involves certificates (a trusted third party certifies the public key of the entities) and a cryptographic handshake
- WiMAX uses the Extensible Authentication Protocol for this purpose
- For encryption it uses block ciphers such as DES3 or AES
- This offers protection at the protocol layer
- There are still problems at the physical layer, such as jamming attacks (Denial-of-Service), or flooding attacks
- Security vs. functionality tradeoff
- Rule of thumb: the more security the less functionality
- Holistic security
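The three point-to-point steps from slide 26 (mutual authentication, fresh key exchange, symmetric encryption) and the certificate-backed handshake from slide 27, as an added example that is not part of the original slides. It assumes the Python `cryptography` package, Ed25519, X25519 and AES-GCM as the concrete algorithms, and that each side already holds the peer's certified public key; `Party`, `handshake` and the party names are hypothetical.

```python
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)

class Party:
    """Hypothetical endpoint: long-term signing key plus one fresh ephemeral key."""
    def __init__(self, name):
        self.name = name.encode()
        self.identity = Ed25519PrivateKey.generate()  # public half is what a CA would certify
        self.eph = X25519PrivateKey.generate()        # fresh per session
        self.eph_pub = self.eph.public_key().public_bytes(*RAW)
    def sign_transcript(self, peer_eph_pub):
        # Bind the signature to this session: own name, own and peer ephemeral keys.
        return self.identity.sign(self.name + self.eph_pub + peer_eph_pub)

    def session_key(self, peer_name, peer_identity_pub, peer_eph_pub, peer_sig):
        # Step 1: authenticate the peer (raises InvalidSignature on any mismatch).
        peer_identity_pub.verify(peer_sig, peer_name + peer_eph_pub + self.eph_pub)
        # Step 2: derive the fresh shared secret, then a 256-bit session key.
        shared = self.eph.exchange(X25519PublicKey.from_public_bytes(peer_eph_pub))
        return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=b"p2p-demo").derive(shared)

def handshake(a, b, swap_key=None):
    """Both directions of the exchange; swap_key models a key altered in transit."""
    seen_by_b = swap_key or a.eph_pub
    sig_a, sig_b = a.sign_transcript(b.eph_pub), b.sign_transcript(seen_by_b)
    k_b = b.session_key(a.name, a.identity.public_key(), seen_by_b, sig_a)
    k_a = a.session_key(b.name, b.identity.public_key(), b.eph_pub, sig_b)
    return k_a, k_b

def protect(key, plaintext):
    # Step 3: authenticated symmetric encryption with a random 96-bit nonce.
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)

def unprotect(key, blob):
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)

def rejects_swapped_key():
    try:
        handshake(Party("A"), Party("B"), swap_key=Party("M").eph_pub)
    except InvalidSignature:
        return True
    return False
```

Because each signature covers both ephemeral keys, a key replaced in transit fails verification before any session key is derived.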
28 Cybersecurity Policy Review: Near-Term Plan
- Appoint cybersecurity coordinator
- Prepare a national strategy
- Designate cybersecurity as a priority . . .
- Designate a privacy/civil liberties official
- Formulate coherent unified policy guidance that clarifies roles, responsibilities . . . for cybersecurity activities across the Federal government
- Initiate a public awareness and education campaign to promote cybersecurity
29 Cybersecurity Policy Review: Near-Term Plan
- Develop government positions for an international cybersecurity policy framework
- Prepare a cybersecurity incident response plan
- Develop a framework for R&D strategies that focuses on game-changing technologies . . . to enhance the security, reliability, resilience, and trustworthiness . . .
- Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests . . .
30 Cybersecurity Policy Review: Midterm Plan (14 items)
- Support key education programs and R&D research to ensure the Nation's continued ability to compete in the information age economy
- Expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government.
- Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict . . .
- Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology innovations
31 Are we willing to pay the price? . . .
we may have to . . .
whether we like it or not . . .
32 Methodology for Security
- Resiliency
- Against physical damage, unauthorized manipulation, and electronic assault. In addition to protection of the information itself,
- A risk mitigation strategy with focus on devices used to access the infrastructure, the services provided by the infrastructure, the means of moving, storing and processing information
- A strategy for prevention, mitigation and response against threats
- Encouraging innovation
- Harness the benefits of innovation
- Not create policy and regulation that inhibits innovation
- Maintain National Security/Emergency Preparedness Capabilities
33 White House Cybersecurity Plan: RSA 03/2010
- The Comprehensive National Security Initiative (12 items)
- Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections
- Deploy an intrusion detection system of sensors across the Federal enterprise
- Deploy intrusion prevention systems across the Federal enterprise
- Coordinate and redirect R&D efforts
- Connect current cyber ops centers to enhance situational awareness
- Develop a government-wide cyber counter intelligence plan
34 White House Cybersecurity Plan Revealed at RSA 03/2010
- The Comprehensive National Security Initiative (12 items)
- Increase the security of our classified networks
- Expand cyber education
- Define and develop enduring "leap-ahead" technology, strategies, and programs
- Develop enduring deterrence strategies and programs
- Develop a multi-pronged approach for global supply chain risk management
- Define the Federal role for extending cybersecurity into critical infrastructure domains
35 Cybersecurity Plan: Technical aspects
- Deploy an ID system of sensors across the Federal enterprise
  - Einstein 2 capability: Signature-based sensors that analyze network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity
- Deploy IP systems across the Federal enterprise
  - Einstein 3 capability: Real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks
  - Identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response
  - Automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense
36 Cybersecurity Plan: Technical analysis
- Einstein 2 capability: Signature-based sensors will only detect copycat attacks; one-off attacks will not be checked
- Einstein 3 capability will not detect unpredictable attacks that mimic normal behavior
- Threat-based decision-making on network traffic however may deal with the consequences of such attacks
- Markovian profiling is a good approach for threat-based decision-making
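The contrast drawn on this slide, as an added example that is not part of the original slides: a signature sensor next to a first-order Markov profile of session events. Reading "Markovian profiling" as a first-order Markov chain over event names is an assumption, and all event names, sessions and the threshold are constructed.

```python
import math
from collections import defaultdict

# Constructed sample data: event names and sessions are illustrative only.
BENIGN = [["login", "list", "read", "logout"],
          ["login", "read", "read", "logout"],
          ["login", "list", "read", "write", "logout"],
          ["login", "list", "read", "logout"]]
SIGNATURES = [["export", "export", "export"]]           # one known-bad pattern
COPYCAT = ["login", "export", "export", "export", "logout"]
ONE_OFF = ["login", "admin", "read", "admin", "write"]  # never seen before
MIMIC = ["login", "list", "read", "logout"]             # follows normal behavior

def signature_hit(session, signatures=SIGNATURES):
    """Signature sensor: fires only on a known-bad contiguous subsequence."""
    return any(session[i:i + len(sig)] == sig
               for sig in signatures for i in range(len(session)))

def train(sessions):
    """Count transitions current -> next over benign sessions."""
    counts, states = defaultdict(lambda: defaultdict(int)), set()
    for s in sessions:
        seq = ["<start>"] + s
        states.update(seq)
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return counts, len(states) + 1   # +1 slot for events never seen in training

def surprise(model, session, alpha=0.1):
    """Mean -log P(next | current) with additive smoothing; higher = less normal."""
    counts, v = model
    seq = ["<start>"] + session
    total = 0.0
    for cur, nxt in zip(seq, seq[1:]):
        row = counts.get(cur, {})
        p = (row.get(nxt, 0) + alpha) / (sum(row.values()) + alpha * v)
        total -= math.log(p)
    return total / (len(seq) - 1)

MODEL = train(BENIGN)
# Threshold calibrated on the benign sessions with a 50% margin (an assumption).
THRESHOLD = 1.5 * max(surprise(MODEL, s) for s in BENIGN)

def profile_flags(session):
    """True when the session's transitions are unlikely under the benign profile."""
    return surprise(MODEL, session) > THRESHOLD
```

The one-off session is missed by the signature sensor but flagged by the profile, while the session that mimics normal behavior passes both.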
37
The most important technical point in this review is the realization that one cannot achieve cybersecurity solely by protecting individual components: there is no way to determine what happens when NIAP-reviewed products are all combined into a composite IT system. Quite right, and too little appreciated: security is a systems property, and in fact, part of the entire design-and-build process. (Steven M Bellovin)
. . . the Universal-Composability Framework may ultimately prove to be just a first step toward a complete solution. (Joan Feigenbaum)
. . . the main feature of the UC Framework is that the security of a composite system can be derived from the security of its components without need for holistic reassessment. (Mike Burmester)
38 Thanks for listening!
39 Raise your hands if you have any questions