CYBERSECURITY & CYBERWAR: WHAT EVERYONE NEEDS TO KNOW, PART 3
Ranette Halverson
Department of Computer Science - MSU
1. Don’t Get Fooled: Why can’t we build a new, more secure Internet?
■ Good question!
■ .secure model – “Secure, protected zone”
■ Security is required
  – No hosted malware
  – Fully implemented top-of-line protections
  – Rapid vulnerability patching
■ How can you enforce it???
Can .secure work?
■ Only secures the websites
  – Assures you which web sites are safe
  – Website won’t “attack” you, but the site could be breached
  – No protection from malicious actors
■ Scale (size)
  – Bigger NW: more security problems
  – Smaller NW: not useful
  – Companies can reduce or separate NWs
■ Air gap doesn’t always work
2. Rethink Security
DNSChanger virus – 2012
■ Estonia-based cybercriminal ring
■ Infected 570 K computers worldwide
■ Caused users to use the criminals’ DNS servers, which then sent them to fraudulent web sites (est. $14 M)
■ FBI took control but couldn’t shut it down
  – Shutting the servers down would leave victims with no Internet
  – 9 months: provided service & notified victims (cost $87 K)
  – Finally “unplugged”
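As an added example (not from the slides or the book), a defender-side check in the spirit of the DNSChanger cleanup: given constructed firewall-style log lines and an assumed list of approved resolvers, it lists which hosts still send DNS queries elsewhere, i.e. the machines that would need notification before rogue servers go dark.

```python
"""Flag hosts that still send DNS queries to unapproved resolvers.
Added example, not from the slides. Log format, hosts and addresses
are constructed (RFC 5737 documentation ranges), not real indicators."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed firewall-style log: src host, dst resolver, dst port.
SAMPLE_LOG = """\
2012-07-09T08:00:01 src=10.0.0.5 dst=192.0.2.10 dport=53 proto=udp
2012-07-09T08:00:02 src=10.0.0.7 dst=203.0.113.8 dport=53 proto=udp
2012-07-09T08:00:04 src=10.0.0.9 dst=192.0.2.11 dport=53 proto=tcp
2012-07-09T08:00:05 src=10.0.0.7 dst=203.0.113.8 dport=53 proto=udp
2012-07-09T08:00:06 src=10.0.0.7 dst=198.51.100.4 dport=443 proto=tcp
2012-07-09T08:00:07 src=10.0.0.12 dst=198.51.100.200 dport=53 proto=udp
malformed line that the parser must skip
"""

# Assumption: the resolvers this network is supposed to use (constructed).
APPROVED_RESOLVERS = {"192.0.2.10", "192.0.2.11"}

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_dns_flows(log_text):
    """Return (src, dst) pairs for well-formed lines with destination port 53."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "53":
            continue
        try:  # validate addresses; skip junk instead of aborting the sweep
            src = str(ipaddress.ip_address(m.group("src")))
            dst = str(ipaddress.ip_address(m.group("dst")))
        except ValueError:
            continue
        flows.append((src, dst))
    return flows


def find_unapproved_resolver_use(log_text, approved):
    """Map each client to a Counter of unapproved resolvers it queried."""
    hits = defaultdict(Counter)
    for src, dst in parse_dns_flows(log_text):
        if dst not in approved:
            hits[src][dst] += 1
    return dict(hits)  # hosts missing here used only approved resolvers


if __name__ == "__main__":
    for host, seen in sorted(find_unapproved_resolver_use(SAMPLE_LOG, APPROVED_RESOLVERS).items()):
        print(f"{host}: {dict(seen)}")  # candidates for the notification list
```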
What is Resilience?
■ Ability to adapt & recover from adverse conditions
  – Not specific to computing…
■ With respect to organizations & systems
  – Prepared for attacks
  – Maintain functionality while under attack
■ Intrusion tolerance ~ accept that attacks happen, keep systems running whatever the damage
  1. Capacity to work under degraded conditions
  2. Recover quickly
  3. Learn from mistakes
Continuity Plans & Fault Tolerance
■ Old: natural disasters ~ goal: up & running fast
  – Fire, redundancy, reliability
  – E.g. Space Shuttle
■ New: cyber attack ~ goal: preserve functions
  – Quickly lock down data, turn on defenses, shut down NW, fail gracefully
  – Never a critical failure from a single attack
■ Distributed control & services
■ Failure must be evident
■ Metrics
Human Component
■ Adaptability & recovery require individuals & processes
■ Don’t freak out – Keep Calm & Carry On
Challenges & Conflicts
■ Fear drives up budgets, drives down confidence
■ Redundancy is wasteful
■ Resiliency is understanding how the different pieces fit together, how to keep them together, and how to bring them back together after an attack
3. Reframe the Problem (and the Solution): What can we learn from Public Health?
Centers for Disease Control – 1947
■ Understand emerging threats, determine trusted partners, share information with everyone
Cyber CDC needed
■ Research & information sharing, cooperation & collaboration
■ Threat & incident watch, data dissemination, threat analysis, intervention recommendations, coordination of prevention
4. Learn from History: What can (real) Pirates teach us about Cybersecurity?
■ Omit this section
■ Interesting reading
5. Protect World Wide Governance for the WWW: What is the role of International Institutions?
International Telegraph Union (ITU) – 1865
■ Nations convened, agreed to a set of standards for TELEGRAPH
  – Included privacy
■ But nations “reserve right to stop any transmission considered dangerous for state security, or in violation of national laws, public order, or morals”
■ Ensured governments would retain control
International Telecommunications Union
■ Name change + radio, telephone
■ 2012 – Dubai meeting – considered the Internet
  – Digital version of the Cold War
■ Proposal to include the Internet passed
  – ½ of nations disagreed & walked out
  – Unenforceable
  – Control vs. open Internet
Governance of WWW & Internet
■ Differing points of view
  – Governments should control WWW & Internet
  – Governments should have no role
    – Declaration of Independence of Cyberspace, J. Barlow (p 181)
    – Electronic Frontier Foundation – https://www.eff.org/cyberspace-independence
■ Do you agree?
Problems with Declaration
1. Governments see the Internet as crucial to
  – Global commerce & communication
  – National security
  – Economic prosperity
2. There is no “free” part of the Internet
  – Every piece of equipment within a country is subject to its laws
  – People using the Internet are subject to the laws of their residence
3. Governments uncomfortable with unregulated, uncontrollable
6. “Graft” the Rule of Law: Do we need a Cyberspace Treaty?
■ We all follow HUNDREDS of rules daily!
  – Name some! -- What would happen if we didn’t?
■ Do we need cyber rules? Do we want them?
■ Countries say they want a cyberspace treaty…. but those with the most power want to keep it!
Why the Reticence about a Treaty?
1. Powerful fear it will restrict them, allow others to catch up, or others will ignore it
2. Different priorities by various states
  – Like the 1967 Outer Space Treaty
  – No one owns space, used for lots of things, prohibits harmful interference, bans launch of nuclear weapons
  – Also, Antarctica
  – Challenge – cyberspace is different from anything else
  – “Control expectations & developing principles, rules & procedures, & norms about how states behave with respect to the domain”
2001 Council of Europe’s Convention on Cybercrime
■ US, Japan, Canada & South Africa joined Europe
■ Could develop into a greater treaty
■ GRAFT – horticulture term
  – Rather than start anew, build off established frameworks & common interests
  – “Everyone” wants the Internet to run smoothly & cyber crime to be controlled
More here….??
7. Understand the Limits of the State in Cyberspace: Why can’t the Government Handle it?
■ 1440 – Gutenberg printing press
  – The first information revolution
  – Wars, nation-states as we know them today
  – Govts. still have difficulty keeping up
■ Pirate Bay (see video) ~ peer-to-peer sharing
  – Some prosecuted, but couldn’t stop the site from moving
■ WikiLeaks – Julian Assange
  – Protected by Ecuador (William Snowden by Russia)
  – Switzerland, Sweden, Australia
Limits of Governments – Cyberspace
■ Other governments don’t cooperate
■ Limited by territory
■ Most of cyberspace controlled by private entities
  – “98% of US govt. communications, including classified, travel over civilian-owned-&-operated NWs & systems” (Adm. McConnell)
■ Early days, “1-company monopolies” – telephone, power
■ Inability to control or prioritize (packets)
■ Need balance
8. Rethink Government’s Role: How to better Organize for Cybersecurity?
■ Governments move slowly! (At least in the US!!)
  – 2004 GAO – need a national cybersecurity policy – still none
  – No substantive cyber-legislation since 2002
■ Federal Risk & Authorization Management Program (FedRAMP) – 2013
  – One-time security certification for contractors
  – Took 6 months to get the first company certified!
■ Overall in US – mixed-up collection of policies, intelligence,
Concerns with Government Involvement ~~ Intelligence Agencies
■ Privacy – spying on private citizens!
  – It has happened ~ It is still happening (in US)
■ Focus on espionage
■ Operate with less oversight & transparency
■ Great responsibility, little power!
■ Several other agencies & departments – develop standards
  – Overlap, gaps, conflicts, few incentives
Other US Agencies & Departments
■ Develop standards for various industries
■ NIST, Federal Reserve, NERC
■ Problems with multiple overseers:
  – Overlap, gaps, conflicts, few incentives, unclear standards
  – No clear delineation of authority & leadership
■ One solution: buying power ($100 billion/year)
  – Example: COBOL – government requirements become standards
“Spam levels around the world drop by 70%”
■ Could have been a news headline in 2008. How?
Brian Krebs, Washington Post
■ Investigating McColo – web hosting co., Calif., hosting a large number of cybercriminal gangs
■ Contacted large ISPs, asked them to stop providing service
  – Hurricane Electric – dropped McColo
■ Visa & child porn, 2002 ~ terminated & reported
  – 80% of sites shut down or couldn’t accept Visa
■ Lessons learned – need cooperation & action!
9. Approach It as a Public-Private Problem: How do we better Coordinate Defense?
■ Some companies monitor to stop questionable activities
■ Digital currencies – Bitcoin, Linden Dollar (Second Life)
  – Can be used by everyone, w/o banks
  – Easy for criminals to use: no tracking, no banks, gambling, money laundering
■ ISPs – recognize unusual traffic
  – Anti-Bot Code of Conduct – US – voluntary – supported by ISPs
■ Companies: protect “self” – not “cooperative” w/ law enf.
Cost vs. Risk ~ Public vs. Private
■ Hard to justify paying for unseen risk (consider MSU)
■ Public infrastructure – too big for one entity to manage
■ Need security standards – private & public cooperation
  – Too many choices & companies offering services
■ US + SANS (private) + others consortium; UK joined
  – Developed 20 controls addressing KNOWN threats
■ No consensus: government vs. private
  – Major cos. lack cooperation with govt. ~ Apple, Yahoo
10. Exercise Is Good for You: How can we better PREPARE for Cyber Incidents?
■ Red Team – improve preparation – e.g. Facebook 2013
■ Test beds – simulations, NW, environments
■ Honeypot – honeynet – isolated, open to attacks
■ Cyber range – offensive test bed (Stuxnet??)
■ Practices
  – Identify deficiencies, develop new plans, understand extent
  – Strengthen defences, defuse tensions
Obstacles in Exercises
■ TESTS: too specific vs. too general
■ Self test – do they really “try” hard?
■ Must have specific stated goals, purpose
  – Whose goals?? Everyone is different!
■ Interactions with others hard to simulate
11. Build Cybersecurity Incentives: Why should I do what you want?
Few incentives but to protect self! What’s happening?
■ Individual bad security – endangers others
■ No updates, lack of transparency & security
■ Incentives not understood – no financial return
■ Too many involved – who’s responsible?
  – Ex: Android phone: Google, Mfg., Carrier?
■ Security makes things worse?? TRUSTe (certify)
Some Successful Incentives
■ Limited liability for credit card customers
■ CVV – asking for it limits merchant liability; illegal to store it
■ Payment Card Industry Data Security Standard (PCI DSS)
Why not security?
■ $ spent on security is not spent on company goals
■ Leaders don’t understand long-term risk & cost
■ Need consumer awareness & demand
■ May need government requirements
■ Price of defense is more than price of attack
■ New markets – e.g. selling zero days
12. Learn to Share: How can we better Collaborate on Information?
SHARE!
■ Banking ~ takedown companies
  – Find fake sites & remove them
  – Lack of sharing cost clients $330 M
■ Some info can only be determined via the attack!
  – Malware digital signature
  – Addresses a very specific target
  – Time sensitive
  – Sharing can help the adversary adjust
Sharing ~ With whom? How?
■ Centralized vs. decentralized
■ Information Sharing & Analysis Centers (ISACs – 1998)
  – Organized around specific industries ~ e.g. IT-ISAC
  – Few formal procedures
■ DoD – “anonymous” system for contractors & vendors
■ Companies fear sharing
13. Demand Disclosure: What is the Role of Transparency? Laws?
■ California 2003 – data breaches must be disclosed ~ bill delayed (not just digital)
  – 2004 state DB breached & legislators’ info released
  – 2005 law went into effect!
  – 2013 – 46 states have similar laws
■ Disclosure accountability
  – 2011 study: 500 of 1000 companies chose not to investigate breaches of security
14. Get “Vigorous” about Responsibility: How can we create Accountability for Security?
Lack of Accountability & Enforcement
■ HIPAA: medical records: fines, prosecution
  – 2003-2006 – 19,420 complaints, NO penalties
■ 1/3 of corporate boards address cyber issues (2012)
■ “Low-hanging fruit” (= easy)
  – Exploitation of widely known vulnerabilities
  – Default passwords, unpatched systems, lack of security
  – Stupid humans
Compliance vs. Security
■ Govt. regulations: compliance
  – Govt. regulations make companies nervous!
  – What’s the difference?? Why is this bad??
  – Compliance replaces accountability
■ Liability, cyber insurance
  – Can increase accountability
■ Insurance enforces good practices
■ Need education – risk, overall cost
15. Find the IT Crowd: How do we solve the Cyber People Problem?
■ Two problems ~ numbers & talent
  – Normal users & lack of knowledge & lack of cyber professionals
■ Small talent pool
  – E.g. Homeland Security stats
    – 2008: 40 cybersecurity employees
    – 2012: 400 + 1500 contractors
    – 2013: add 600
■ US has only 3% to 10% of the cyber personnel needed
■ Govt. is contracting out more & more
Actual Personnel Issues ~ Various Stats
■ Quality: satisfied with 40% of applicants
■ Bidding war among companies (most >$100,000)
■ Govt. hires ~ trains ~ loses to private industry $$$
■ Inflexibility of govt. & corporate vs. smaller private cos.
Solutions to the Cyber Security Problem?
1. Collaboration: private & public sectors
2. Enable govt. to compete with the private sector
  • Hiring, pay scales, personnel exchanges
3. Bigger pipeline in education
  • STEM education deficient
  • 2004 ~ 60 K CMPS majors; 2013 ~ 38 K
4. Training for non-cyber personnel
5. Programs – most I’ve never heard of! (p. 239)
16. Do Your Part: Protecting Myself (& the Internet)?
WE must do our part – take the initiative!
“We have met the enemy, & he is us!” ~ Pogo
■ Australian study – prevent 85% of successful intrusions
  – Whitelisting, rapid patching, restrict administrator access
■ USAF base commander – demanded 1-digit password
■ Ret. Army officer: most important for cybersecurity
  – “Stop being so *#$* stupid on computers!”
Practical Actions!
■ Passwords: update often ~ use strong passwords, esp. for email ~ don’t share or reuse ~ use a password manager
■ Access: don’t use real answers on security questions
■ Multi-factor authentication: password + card/biometric, etc.
■ SW: keep up to date
■ Secure your wireless NW (encryption, passwords); don’t use unencrypted “free” WiFi
■ Back up, Back Up, BACK UP!!!
■ Use highest privacy/security settings
Practical Actions (more)
■ Behavior: be careful clicking links, opening attachments
■ Mobile devices: take care with mobile devices, don’t allow location information
■ Sharing information voluntarily – Facebook, Twitter, Instagram
Conclusion ~ 5 key trends… Where is Cybersecurity headed next?
1. Rise of Cloud Computing
2. Big Data
3. Mobile Revolution
4. Demographic Shift
5. Internet of Things
1. Rise of Cloud Computing
■ Subscription service
■ Limitless computational resources
■ Save 40% to 80% of costs
■ Changing balance of cyberspace power
  – Individual machines not so important
■ Cloud security personnel probably better than local
■ New security issues
  – Concentrated risk
  – Is our data separated??
2. Big Data
■ Quantity + meta-data
■ Unprecedented knowledge ~ may break down social, legal, ethical boundaries
■ New applications: Netflix
  – Massive data distribution & customer preference analysis
■ Lots of unknowns regarding the data
3. Mobile Revolution ~ 1973
■ Unbelievably everything!
■ Battle of bandwidth
■ Security risks are mobile
■ Who should have oversight for “mobile”?
■ Where will it end?
4. Demographic Shift
■ Once a western phenomenon, now truly world-wide!
  – New values, uses, culture
■ What does this mean for the future?
5. Internet of Things ~ IoT
■ Digital systems fully embedded into the real world
■ Everything can be linked to a web-enabled device to collect & make use of data
■ World of distributed sensors
■ Interoperability ~ an obstacle?
■ Threat: now even my refrigerator is open to attack! Door locks!
Conclusion: What do I really need to know in the end?
■ Knowns
■ Known unknowns
■ Accept & manage risks
- Slides: 48