'Electronic Pearl Harbor' Winn Schwartau 'Digita - PowerPoint PPT Presentation

About This Presentation
Title:

'Electronic Pearl Harbor' Winn Schwartau 'Digita

Description:

'Electronic Pearl Harbor' Winn Schwartau 'Digital Waterloo' ... Freight Information Systems, A Scoping Study, National Research Council ... – PowerPoint PPT presentation

Number of Views: 284
Avg rating: 3.0/5.0
Slides: 87
Provided by: billn152
Learn more at: http://www.issa-nova.org
Transcript and Presenter's Notes



1
  • Bill Neugent
  • 17 July 2003

The views expressed are those of the author and
boy do they not reflect the official policy or
position of The MITRE Corp.
2
Outline
  • Cyberterrorism!
  • Who is to blame?
  • What's really happening?
  • The simple solution
  • National strategy
  • Conclusion

3
Global Reach Interconnected Interdependence
  • Our cyber-based assets sit on one interwoven rug
    of global communications
  • Global Internet
  • Global Public Switched Network
  • Cyberterrorism issues
  • Availability: the rug can be pulled out from
    under us
  • Access: cyberterrorists are seconds away

4
The Dilemma
  • Power travels at light speed
  • Power networks are controlled by computers
  • Communication signals travel at light speed
  • Communication networks are controlled by computers

Remote control makes it possible to ruin a
complex network
5
What's At Risk?
6
Supervisory Control and Data Acquisition: We're
SCADA On Thin Ice
  • Underlies gas and oil, water and sewer,
    electric power distribution
  • 3 million SCADA systems in use
  • Increased use of Windows, UNIX
  • Utilities connecting SCADA to corporate networks,
    Internet, wireless networks

Stratum8 Networks, 30 October 2002, New Layer of
Internet Security is Required to Protect Critical
Systems that Manage Oil, Natural Gas, and
Electricity Resources
7
So You Say You're Not On The Internet
  • Nearly every bank in the United States runs its
    operations on an internal network that connects
    to the Internet.

Maybe your front door isn't
Sandeep Junnarkar, CNET News, 1 May 2002
8
Beware On Net In 2003
  • CIA warns of Net terror threat
  • IDC prediction for 2003
  • Major cyberterrorism event will disrupt economy,
    bring Internet to its knees for at least a day or
    two
  • Professional cyber attack could do several
    hundred billion dollars in damage to U.S.

Declan McCullagh, 29 October 2002, CIA warns of
Net terror threat, CNET News; 12 December 2002,
IDC: Cyberterror and other prophecies, CNET
News; 27 February 2002, A Letter From
Concerned Scientists, to President Bush
9
Shouts of Warning
  • Electronic Pearl Harbor Winn Schwartau
  • Digital Waterloo
  • Center for Strategic and International Studies
  • Digital Armageddon
  • Sen. Charles Schumer, D-N.Y.

10
Outline
  • Cyberterrorism!
  • Who is to blame?
  • What's really happening?
  • The simple solution
  • National strategy
  • Conclusion

11
Users
12
Bullies
13
What Motivates Bullies?
  • The reason the software you buy isn't secure is
    that companies don't care.
  • The reason is there is no liability for
    producing a shoddy product.
  • Bruce Schneier

IDG News Service, 19 November 2002, COMDEX
Panel: Accept the Net is vulnerable to attack
14
Complexity
  • Software more complex than any other human
    construct
  • No two parts alike
  • Software differs profoundly from computers,
    buildings, or automobiles, where repeated
    elements abound
  • Rapid time to market
  • Armies of programmers work independently
  • Complex legacy software carried forward

Frederick Brooks
15
Industry Complexity
  • Example: freight information systems involve a
    changing mix of companies
  • Carriers, shippers, distributors, freight
    forwarders, government agencies, e.g., Customs
  • Many interconnections, no integration; hard to:
  • Establish consistent security baseline
  • Establish security standards for transactions,
    e.g., e-documents
  • Identify and authenticate users and systems

800,000 hazmat shipments/day in U.S.
Transportation Research Board Special Report 274,
2003, Cybersecurity of Freight Information Systems,
A Scoping Study, National Research Council

16
Market Forces Made Us Do It
  • Competition keeps profit margins low, forces
    cost-saving
  • Internet has become critical dependency
  • Freight information systems efficient, reliable
  • Customers have lower inventories, just-in-time
    inbound material strategies

Market forces → computer-enabled
efficiencies → critical dependencies
Transportation Research Board Special Report 274,
2003, Cybersecurity of Freight Information Systems,
A Scoping Study, National Research Council

17
Competition
  • Got to drop this extra security weight

18
Deregulation
  • We've delegated public safety and national
    security to market forces

Scott Charney, April 2003, PBS Frontline story
on Cyberwar!
19
The Issue: Closing The Gap
  • Security needed against state-sponsored attacks
  • Security provided by market-based solutions

20
The Inescapable Conclusion: We're Toast
21
Outline
  • Cyberterrorism!
  • Who is to blame?
  • What's really happening?
  • The simple solution
  • National strategy
  • Conclusion

22
Terrorist Know-How, Resources
  • We train the world
  • Try to find an American in an American grad
    school
  • Funding

23
Terrorist Requirement
  • Make headline news
  • What's the visual?

After a bomb
After a cyberattack
TV news producer, judging whether to include
coverage of a fire
24
Prognosis For Cyberterrorism
  • Not top terrorist priority
  • Definitely on their to-do list
  • Much terrorist research and preparation for
    cyberterrorism

Col Bradley K. Ashley, USAF, Anatomy of
Cyberterrorism--Is America Vulnerable?
Winter 2002/2003, IA Newsletter, Vol. 5, No. 4,
IA Technology Analysis Center (IATAC)

25
Computer Crime: We're Being Robbed
  • Credit card fraud
  • 5.2 percent of online shoppers
  • U.S. annual losses estimated in billions
  • Identity theft
  • 1.9 percent of online shoppers (300K people)
  • $2 billion lost/year in U.S.
  • Top consumer complaint in U.S., per FTC
  • Spyware
  • 40% of companies infected

Greg Sandoval, War on cybercrime--we're
losing, ZDNet News, 14 May 2002; Robert Moritz,
When Someone Steals Your Identity, Parade
Magazine, 6 July 2003
26
Losses and Costs
  • Expected 2003 losses from computer crime
  • $2.8 billion in U.S.
  • 25 percent increase
  • $15 billion in world

Jon Swartz, USA Today, 9 February 2003, Firms'
hacking-related insurance costs soar; Washington
Monthly, November 2002, The Myth of
Cyberterrorism: "there are many ways terrorists
can kill you; computers aren't one of them"

27
An Interesting Case
  • Exec received demand for $1 million, or brokerage
    network would crash
  • Team spent night searching for malicious code
  • System failed as promised
  • Extortionist threatened to crash system during
    peak trading hours
  • Brokerage paid

Sandeep Junnarkar, CNET News.com, 30 April 2002
28
Vulnerabilities Reported
  • 1998: 262
  • 1999: 417
  • 2000: 1,090
  • 2001: 2,437
  • 2002: 4,129

CERT/CC
29
Vulnerabilities Costed
  • We're fast approaching the point at which
    we're spending more money to find, patch, and
    correct vulnerabilities than we pay for the
    software
  • John Gilligan, USAF CIO (formerly DOE CIO)

Washington Monthly, November 2002, The Myth of
Cyberterrorism
30
Are You On The Patch?
  • We've treated this as a housekeeping problem;
    what if it's more?
  • What are the limits of our ability to patch?

31
How Bad Is It Really?
  • Sanctum broke into 98 percent of 350 corporate
    sites it audited
  • Average attack took two hours
  • Government Red Teams succeed every single time

PC World Communications, 23 August 2002,
Cyberterrorism Scenarios Scrutinized; Richard
Clarke, April 2002, PBS Frontline story on
Cyberwar!

32
Security on the Internet
  • PSINet set up unprotected server
  • Was attacked 467 times within 24 hours

Graham Hayday, Silicon.com, 29 January
2003, Exposed server: magnet for hack attacks
33
What Can Happen
Code Red: to see an animation, go to
http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml#animations
Slammer: to see an animation, go to
http://www.caida.org/analysis/security/sapphire/sapphire-2f-30m-2003-01-25.gif
http://www.caida.org/
34
Slammer
  • 250 times faster than Code Red
  • Within ten minutes, most of systems hit had been
    infected
  • Traveled in 404-byte packet
  • Crippled sensitive systems, including banking
    operations and 911 centers
  • Prevented many ATM withdrawals

Ted Bridis, Associated Press, Internet attack's
disruptions more serious than many thought
possible 27 Jan 2003
35
Implications
  • Slammer infected few systems -- 75,000
  • What if vulnerability existed on millions of
    systems?

36
There is no current defense against such a
real-time threat
37
Opportunities
  • March 2003 flaw in ntdll.dll
  • On all W2K systems -- huge installed base
  • Accessed by multiple apps, services
  • Zero-day flaw
  • Significant recent vulnerabilities
  • Sendmail (poke through firewalls)
  • Email address validity checking
  • Long email addresses
  • Macromedia Flash
  • 75 percent of PCs

38
Why Haven't Adversaries Exploited These?
  • It's hard
  • We've been lucky

39
Vulnerabilities Ripen With Age
  • Holes remain unpatched
  • Hackers develop easy-to-use exploits
  • Enable kids to launch sophisticated attacks

A kid, even a smart kid, should not be able
to vandalize modern civilization
40
Wish List For An Adversary
  • Intelligence
  • What we know, what we intend
  • Reconnaissance for targeting
  • Fund raising
  • Money laundering
  • Everyone needs the Internet
  • Recruitment
  • Collaboration
  • Command and control

To adversaries, maybe our nets are worth more up
than down
41
Ultimate Disaster Scenario?
  • AMERICAN ECONOMY STRUCK BY BUSINESS FAILURES
  • Loss of confidence in U.S. goods
  • Dartmouth study of business failures shows many
    could have been induced by cyber means
  • Could focus on confidentiality and denial of
    service be misplaced?

Scott Borg
42
It's Not Always Bad: When Security and Secrecy Fail
  • Chinese Health Minister and Beijing Mayor
    dismissed for cover-up
  • At the Iraqi Intelligence Service, a man walked
    up with a grimy sack of documents and tapes.
    "Tell the world what happened here," he said.

Melinda Liu, Rod Nordland and Evan Thomas,
NEWSWEEK, 28 April 2003, The Saddam Files
43
Outline
  • Cyberterrorism!
  • Who is to blame?
  • What's really happening?
  • The simple solution
  • National strategy
  • Conclusion

44
Get Money
  • Show vulnerability
  • Scan for vulnerabilities
  • Map network
  • Red team as outsider
  • Red team as authorized insider
  • Show threat
  • Deploy intrusion detection system
  • Scan for unauthorized wireless
  • Monitor Internet usage
  • Prove threat is real
  • Produce near-term results

45
Get People
  • Empower engineers
  • Provide challenge, authority, resources
  • Approaches explored in labs
  • Build partnerships
  • Internal security committee
  • Business units
  • Infrastructure, service providers
  • Legal, human resources
  • External
  • Infrastructure, service providers
  • Software vendors
  • Business partners, e.g., critical infrastructure
    sector
  • Law enforcement, counterintelligence,
    counterterrorism

46
A Defense-in-Depth Consideration
  • Poor security often due to lack of qualified
    people
  • Layered security creates more work, not more
    people

47
Simplify Architecture (Pg 1 of 2)
  • Firewall enterprise
  • Castle walls and gates enable control
  • Firewall desktops
  • Manage enterprise security
  • Network management centers
  • Central policy management, e.g., Netegrity
  • Consider server-based architecture
  • E.g., thin clients, Citrix Secure Gateway
  • Password management, e.g., single sign-on
  • Identity management

Applies to home computers
48
Simplify Architecture (Pg 2 of 2)
  • Manage configurations
  • Get it secure
  • Configuration management: configuration guidance
    and tools, best practices
  • Keep it secure
  • Patch management: prioritize patches against
    configurations, policies, vulnerabilities; test
    patches
  • Compliance management

Applies to home computers
49
CIO's Choice
  • Chaos
  • Diverse hardware and software
  • Applications testing
  • Staff training
  • Non-interoperable applications
  • Assimilation by The Borg
  • Homogeneous hardware and software
  • Applications and infrastructure part of a
    coherent, holistic whole

50
The More Integrated And Interoperable You Are,
The Easier You Fall
Defense-in-depth becomes more critical
51
Secure Architecture (Pg 1 of 2)
  • Ensure robust foundation
  • Protection, resilience, emergency operation
  • Not fully Internet-dependent
  • Able to counter denial of service attacks
  • Create risk domains
  • DMZ for sharing with outsiders
  • Castle keep for crown jewels
  • Strengthen systems, e.g., Host Intrusion
    Prevention Systems (HIPS) such as Okena
    StormWatch, Entercept
  • Protect data, e.g., Digital Rights Management
    (DRM)-like technology such as Authentica, Liquid
    Machines
  • Deploy strong authentication
  • E.g., Public key infrastructure, access tokens

52
Secure Architecture (Pg 2 of 2)
  • Deploy automatic malware protection
  • Desktop, e.g., HIPS, Symantec AntiVirus, TripWire
  • Email gateway, e.g., Trend VirusWall
  • eManager plug-in to block installer patches,
    registry files, etc.
  • Deploy automatic backup infrastructure
  • E.g., Veritas NetBackup
  • Monitor and respond
  • Security Information Management System (SIMS)
  • Harness deluge of event data, e.g., ArcSight,
    netForensics
  • Integrate with operations, configuration
    management
  • Trap professional adversaries
  • E.g., honeytokens

Applies to home computers
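
Worked example (added here; it is not from the talk and not code from any of the products named above): the "harness deluge of event data" and "honeytokens" bullets fit together in one small correlation routine. A honeytoken is a decoy value with no legitimate use, so any event that mentions it is an alert without any baseline or tuning; the SIM part is normalising several log formats into one event shape and grouping hits by source so a single actor touching decoys in two different systems stands out. The two honeytoken values, the three simplified log formats and the five log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Added example, not from the talk. Honeytoken values and log lines are
# constructed for illustration; the log formats are simplified stand-ins.
HONEYTOKENS = {
    "ACCT-0099-TRAP": "decoy account row planted in the customer database",
    "svc_backup_ro": "decoy service login planted in a config file; never used legitimately",
}

# One parser per log source, each normalising to timestamp / actor / source IP / detail.
PATTERNS = {
    "dbaudit": re.compile(r'^(?P<ts>\S+) dbaudit user=(?P<actor>\S+) src=(?P<ip>\S+) stmt="(?P<detail>.*)"$'),
    "sshd": re.compile(r'^(?P<ts>\S+) sshd (?P<detail>(?:Accepted|Failed) \w+ for (?P<actor>\S+) from (?P<ip>\S+) port \d+)$'),
    "httpd": re.compile(r'^(?P<ts>\S+) httpd (?P<ip>\S+) (?P<detail>\S+ \S+ \d+)$'),
}

SAMPLE_LOGS = [  # constructed sample, mixing three sources
    '2003-07-17T02:14:05 dbaudit user=appsrv src=10.1.4.22 stmt="SELECT * FROM accounts WHERE acct=\'ACCT-0001-1234\'"',
    '2003-07-17T02:14:09 dbaudit user=appsrv src=10.1.4.22 stmt="SELECT * FROM accounts WHERE acct=\'ACCT-0099-TRAP\'"',
    "2003-07-17T02:15:41 sshd Accepted password for svc_backup_ro from 10.1.4.22 port 51022",
    "2003-07-17T02:16:02 httpd 192.0.2.7 GET /reports/q2.pdf 200",
    "2003-07-17T03:40:10 sshd Failed password for admin from 192.0.2.7 port 41000",
]


def parse_line(line):
    """Normalise one raw line into an event dict, or None if no parser matches."""
    for source, pattern in PATTERNS.items():
        match = pattern.match(line)
        if match:
            fields = match.groupdict()
            return {"ts": fields["ts"], "source": source, "ip": fields["ip"],
                    "actor": fields.get("actor") or "-", "detail": fields["detail"]}
    return None


def find_honeytoken_hits(lines):
    """Every parsed event that mentions a honeytoken is a hit: decoys have no
    legitimate use, so a single touch is an alert with no baseline needed.
    Tokens must be distinctive strings so substring matching cannot misfire."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        haystack = f"{event['actor']} {event['detail']}"
        for token, purpose in HONEYTOKENS.items():
            if token in haystack:
                hits.append({**event, "token": token, "purpose": purpose})
    return hits


def correlate(hits):
    """SIM-style correlation: group hits by source IP across log sources. A
    source that touched more than one distinct decoy is escalated to 'high'."""
    tokens_by_ip = defaultdict(set)
    for hit in hits:
        tokens_by_ip[hit["ip"]].add(hit["token"])
    return {ip: {"tokens": sorted(tokens), "severity": "high" if len(tokens) > 1 else "medium"}
            for ip, tokens in tokens_by_ip.items()}


if __name__ == "__main__":
    for ip, incident in correlate(find_honeytoken_hits(SAMPLE_LOGS)).items():
        print(f"{ip}: {incident['severity']} - touched {', '.join(incident['tokens'])}")
```

The lines that do not mention a decoy (the legitimate account query, the report download, the failed admin login) produce nothing, which is the property that makes honeytokens cheap to run next to a noisy event stream: the rule has no threshold to tune.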
53
From Desktops to Belt-Tops
  • Laptop
  • Personal Digital Assistant (PDA)/Palm PC
  • Cell phone
  • Display of alerts, messages
  • All wireless
  • All will include microphones

54
Insurance
  • PRO
  • Market-based
  • Transfers risks to business
  • Promotes best practices
  • CON
  • Lack of actuarial data
  • Existing data doesn't scale to disasters
  • Assume defenses evolve in step with attacks

55
Confront Ultimate Threats
56
Nanotechnology: past vs. future (smart dust)
57
Users
  • 75% immediately gave passwords when asked
  • 15% more required social engineering
  • "password" 12%, name 16%, football team 11%
  • 75% knew coworkers' passwords
  • 67% used same password for everything
  • Personal banking, Web site access
  • 91% of men circulated dirty pictures or jokes
  • 40% of women did same
  • If discovering a salary file, 75% would read it
  • 38% would pass file around office

User Survey--Infosecurity Europe 2003
58
Two Things To Count On
  • Users will click on attachments
  • Users will hit Reply All

59
User-Based Security
  • Picture a vehicle with an independent steering
    wheel on each tire.

60
Build Culture Of Secure Behavior
  • Eliminate passwords--go to tokens, biometrics
  • Train users in what is sensitive
  • Train users against social engineering
  • Monitor user activities
  • Enforce secure behavior

Train, Monitor, Enforce
61
It's Who You Know
  • 80 percent of murder victims killed by someone
    they knew
  • 22 percent killed by people with whom they had
    romantic involvement

The Bureau of Justice Statistics Murder in
Large Urban Counties Study, 1988
62
Separation of Power In Government
Humans don't deal well with absolute power
63
Separation of Power In Systems
  • Study of over 100 espionage cases showed 55% of
    spies were network or system administrators

Data is from the Espionage Database Project of
the Defense Personnel Security Research Center
64
Insider Monitoring: Industry Is Doing It
  • 50 workers at Dow Chemical Co.'s headquarters
    site were fired and another 200 disciplined for
    distributing pornographic or violent pictures
  • Merck fired two workers and disciplined dozens of
    others for inappropriate use of the Internet
  • Xerox Corporation fired 40 workers and the New
    York Times terminated 23 employees for similar
    offences
  • Royal and Sun Alliance has sacked 10 people and
    suspended at least 77 over the distribution of
    "lewd" email
  • "Download Evidence Eliminator now before it's
    too late!"

Most Fortune 500 companies monitor employee use
of the Internet
Incident data taken from http://www.evidence-eliminator.com;
Brad Stone, Is the Boss Watching? NEWSWEEK, 30 September 2002
65
Collateral Benefits of Insider Monitoring
  • Reclaim bandwidth
  • Avoid liability
  • Reclaim excess labor hours
  • Discover what your people are doing

UK study -- more employees disciplined for misuse
of Internet and email than any other reason
66
Insider Monitoring At One Agency
  • Employee use of business applications
    automatically compared against criteria that
    characterize fraud
  • Leads forwarded to investigative organization
  • 20% of leads identify employees committing fraud
    or other criminal violations
  • In FY01, almost 400 internal investigations
    initiated based on automatically generated leads
  • Bribery
  • Embezzlement
  • Trading of insider information
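
Worked example (added here; the agency's actual criteria are not published, so this is not its system): one way the "automatically compared against criteria that characterize fraud" step can be built. Application lookups are joined to the employee directory and tested against a handful of indicators; each employee with at least one indicator becomes a lead for the investigative organisation, and the indicators that fired travel with the lead so an investigator can see why. The employee directory, the lookup records and the three criteria (account holder shares the employee's surname, lookups outside the assigned region, a burst of lookups with no case ticket) are constructed for illustration.

```python
from collections import Counter

# Added example, not from the talk. Employee directory, lookup records and
# the three criteria are constructed stand-ins for the agency's own indicators.
EMPLOYEES = {
    "E101": {"surname": "Garcia", "region": "NE"},
    "E202": {"surname": "Chen", "region": "NE"},
    "E303": {"surname": "Okafor", "region": "SW"},
}

# Each record: one account lookup in the business application. `ticket` is the
# case number that justifies the lookup, or None if the employee gave none.
LOOKUPS = [
    {"ts": "2003-07-16 09:12", "employee": "E101", "acct_surname": "Lopez", "acct_region": "NE", "ticket": "T-4410"},
    {"ts": "2003-07-16 09:40", "employee": "E101", "acct_surname": "Garcia", "acct_region": "NE", "ticket": None},
    {"ts": "2003-07-16 10:05", "employee": "E202", "acct_surname": "Smith", "acct_region": "SW", "ticket": None},
    {"ts": "2003-07-16 10:06", "employee": "E202", "acct_surname": "Jones", "acct_region": "SW", "ticket": None},
    {"ts": "2003-07-16 10:07", "employee": "E202", "acct_surname": "Patel", "acct_region": "SW", "ticket": None},
    {"ts": "2003-07-16 10:09", "employee": "E202", "acct_surname": "Nguyen", "acct_region": "SW", "ticket": None},
    {"ts": "2003-07-16 11:30", "employee": "E303", "acct_surname": "Lopez", "acct_region": "SW", "ticket": "T-4412"},
    {"ts": "2003-07-16 11:45", "employee": "E303", "acct_surname": "Smith", "acct_region": "SW", "ticket": "T-4413"},
]


def generate_leads(lookups, employees, bulk_threshold=3):
    """Compare each employee's application use against fraud criteria and
    return {employee: sorted criteria that fired}. Criteria:
      relative        - looked up an account holder sharing the employee's surname
      out_of_region   - looked up accounts outside the employee's assigned region
      bulk_no_ticket  - at least `bulk_threshold` lookups in one day with no case ticket
    """
    fired = {}
    unticketed_per_day = Counter()
    for rec in lookups:
        emp = employees[rec["employee"]]
        criteria = fired.setdefault(rec["employee"], set())
        if rec["acct_surname"] == emp["surname"]:
            criteria.add("relative")
        if rec["acct_region"] != emp["region"]:
            criteria.add("out_of_region")
        if rec["ticket"] is None:
            day = rec["ts"].split(" ")[0]
            unticketed_per_day[(rec["employee"], day)] += 1
    for (employee, _day), count in unticketed_per_day.items():
        if count >= bulk_threshold:
            fired[employee].add("bulk_no_ticket")
    # Only employees with at least one indicator become leads for investigators.
    return {emp: sorted(c) for emp, c in fired.items() if c}


if __name__ == "__main__":
    for employee, criteria in generate_leads(LOOKUPS, EMPLOYEES).items():
        print(f"lead: {employee} -> {', '.join(criteria)}")
```

The slide's 20% figure is the thing to keep in mind when tuning thresholds like bulk_threshold: four out of five leads turn out to be innocent, so the output is a queue for human review, not a verdict, and the next slide's warning about the data this collects applies to the lookup records themselves.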

67
Quis Custodiet Ipsos Custodes?
  • Who guards the guards?
  • Who watches the watchers?
  • Much data from insider monitoring is not crimes
    but sins
  • By gathering sensitive data on our people, we
    create a vulnerability
  • Inside entrepreneurs
  • Foreign adversaries
  • Legal discovery

68
Outline
  • Cyberterrorism!
  • Who is to blame?
  • What's really happening?
  • The simple solution
  • National strategy
  • Conclusion

69
National Strategy to Secure Cyberspace
  • Create cyberspace security response system
  • Establish threat and vulnerability reduction
    program
  • Improve training and awareness
  • Secure government systems
  • Work internationally

70
New Government Players
  • Department of Homeland Security office of
    cybersecurity
  • Paul Kurtz, NSC, Special Assistant to the
    President for Critical Infrastructure Protection
  • Lt Col Greg Rattray, NSC, Director of
    Cybersecurity

71
High-Level Strategy--Work As Team
  • Share information
  • Work together
  • Break problem up into pieces
  • Tackle each independently, in parallel
  • Ensure results can be integrated
  • Government assistance without regulation

72
Information Sharing & Analysis Centers (ISACs)
  • Electric Power (NERC)
  • Telecommunications (NCS/NCC)
  • Information Technology (LLC., Internet Security
    Systems)
  • Banking & Finance (LLC., Predictive Systems)
  • Water Supply (AMWA)
  • Surface Transportation (AAR)
  • Oil & Gas (LLC., Predictive Systems)
  • Emergency Fire Services (USFA)
  • Emergency Law Enforcement (NIPC/ELES Forum)
  • Food (FMI)
  • Chemicals Industry (ACC/ChemTrec)

Others under development
73
Risks of Sharing
  • Antitrust law
  • Price fixing, restraint of trade, discrimination
    against certain customers
  • Freedom of Information Act (FOIA)
  • Privacy concerns, loss of proprietary data,
    exposure of vulnerabilities and weaknesses
  • Critical Information Infrastructure Protection
    and the Law, An Overview of Key Issues,
  • April 2003, National Academy of Engineering,
    National Research Council

74
Work Together Partnerships
Get involved
  • Partnership for Critical Infrastructure Security
  • 80-company organization that identifies
    vulnerabilities in the private sector's cyber
    infrastructure
  • National Infrastructure Simulation & Analysis
    Center (NISAC)
  • Works with DHS, power, water, rail, banks to
    understand their interdependencies and harden
    critical junctures
  • Network Reliability and Interoperability Council
    (NRIC)
  • Coordinates voluntary best practices for the
    communications infrastructure

75
Partition Problem: Guidance and Tools
  • NSA-led configuration guidance
  • Center for Internet Security (CIS) and SANS
    developing tools to rate compliance with guides
    and benchmarks
  • MITRE-led partnership to list Common
    Vulnerabilities and Exposures (CVE)
  • Partnership to develop an Open Vulnerability
    Assessment Language (OVAL), a consistent way to
    detect known vulnerabilities
  • SANS and General Services Administration (GSA)
    efforts to prioritize top vulnerabilities for
    action
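
Worked example (added here; it is neither OVAL nor CIS/SANS tooling, and the DEF-/PATCH- identifiers, hosts, products and versions are constructed): this slide's "consistent way to detect known vulnerabilities" and the earlier "Patch management: prioritize patches against configurations, policies, vulnerabilities; test patches" bullet on slide 48 are two halves of one pipeline. Machine-readable definitions (product plus affected version range) are evaluated against a configuration inventory to produce findings; the findings are then rolled up per patch, weighted by severity and by how exposed the affected host is, and patches that have not yet been through the test group are flagged rather than deployed. The severity weights and zone multipliers are an assumed local policy.

```python
# Added example, not from the talk and not OVAL itself: a small evaluator in the
# spirit of OVAL-style definitions run against a configuration inventory, then a
# patch-priority score. All identifiers, hosts, versions and weights are constructed.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
ZONE_MULTIPLIER = {"dmz": 3, "internal": 1}   # assumed exposure policy

DEFINITIONS = [  # constructed: "installed version older than fixed_in is affected"
    {"id": "DEF-0001", "product": "os", "fixed_in": "5.0.2200", "severity": "critical", "patch": "PATCH-OS-0001"},
    {"id": "DEF-0002", "product": "mail", "fixed_in": "8.12.8", "severity": "high", "patch": "PATCH-MAIL-0002"},
    {"id": "DEF-0003", "product": "webserver", "fixed_in": "2.0.40", "severity": "medium", "patch": "PATCH-WEB-0003"},
]

INVENTORY = [  # constructed configuration records, one per host
    {"host": "dmz-web-1", "zone": "dmz", "products": {"os": "5.0.2195", "webserver": "2.0.39"}},
    {"host": "corp-file-1", "zone": "internal", "products": {"os": "5.0.2195", "mail": "8.12.7"}},
    {"host": "corp-ws-7", "zone": "internal", "products": {"os": "5.1.2600", "mail": "8.12.8"}},
]


def version_tuple(version):
    """'5.0.2195' -> (5, 0, 2195) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, fixed_in):
    """A definition applies when the installed version predates the fix."""
    return version_tuple(installed) < version_tuple(fixed_in)


def evaluate(inventory, definitions):
    """Run every definition against every host; return one finding per match.
    Hosts without the product installed are simply not affected."""
    findings = []
    for host in inventory:
        for d in definitions:
            installed = host["products"].get(d["product"])
            if installed is not None and is_affected(installed, d["fixed_in"]):
                findings.append({"host": host["host"], "zone": host["zone"], "definition": d["id"],
                                 "product": d["product"], "installed": installed,
                                 "severity": d["severity"], "patch": d["patch"]})
    return findings


def prioritize(findings, tested_patches=()):
    """Score each patch by severity weighted by host exposure, highest first.
    Patches not yet run through the test group are flagged rather than deployed."""
    scores = {}
    for f in findings:
        scores[f["patch"]] = scores.get(f["patch"], 0) + SEVERITY_WEIGHT[f["severity"]] * ZONE_MULTIPLIER[f["zone"]]
    return [{"patch": p, "score": s, "action": "deploy" if p in tested_patches else "test first"}
            for p, s in sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for entry in prioritize(evaluate(INVENTORY, DEFINITIONS), tested_patches={"PATCH-OS-0001"}):
        print(entry)
```

The numeric version comparison is the detail that matters most in practice: compared as strings, "5.0.2195" and "5.1.2600" sort in the wrong order and a patched host is reported as vulnerable, which is exactly the kind of inconsistency a shared definition language is meant to remove.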

76
Work Together Partnerships
Get involved
  • Partnership for Critical Infrastructure Security
  • 80-company organization that identifies
    vulnerabilities in the private sector's cyber
    infrastructure
  • National Infrastructure Simulation & Analysis
    Center (NISAC)
  • Works with DHS, power, water, rail, banks to
    understand their interdependencies and harden
    critical junctures
  • Network Reliability and Interoperability Council
    (NRIC)
  • Coordinates voluntary best practices for the
    communications infrastructure

77
Government Actions Short of Regulation
  • Research
  • Network coordination in crises
  • Government/ISAC coordination
  • Information sharing about threats,
    vulnerabilities
  • Monitor self-regulation, threaten regulation if
    deficiencies not corrected by certain date
  • Do analysis to advise industry on investment
    priorities
  • Develop tools to help industry plan for and deal
    with attacks
  • Tax credits for investments on behalf of national
    security

78
In Defense Of Freedom
Prosecution
Privacy, civil liberty
National security
Prevention
You don't safeguard freedom by taking it away
79
Questions (1 of 2)
  • How do we redraw turf for cyber defense, offense,
    and intelligence? Homeland defense?
  • What are economic and political impacts of
    offensive and defensive cyber conflict?
  • How much active defense should we employ?
  • How do we attribute attacks in cyber-time?
  • How do we recognize state-sponsored attacks (and
    thus increase response options)?
  • How do we collect against and understand
    capabilities of cyber adversaries?

80
Questions (2 of 2)
  • What levels and distribution of security costs
    create problems for industry, customers?
  • Based on models of economic input and output,
    what changes might result from varying levels of
    security investment?
  • Do tight profit margins risk significant economic
    damage?
  • For national security investments that offer
    minimal advantage to companies, what government
    participation is best, e.g., tax credits?
Transportation Research Board Special Report 274,
2003, Cybersecurity of Freight Information Systems,
A Scoping Study, National Research Council

81
Outline
  • Cyberterrorism!
  • Who is to blame?
  • What's really happening?
  • The simple solution
  • National strategy
  • Conclusion

82
As For The Horror Of Cyberterrorism
83
Your Odds Are Good
Ten Leading Causes of Death in the U.S. (final 2000 data):
  • Heart Disease 710,760
  • Cancer 553,091
  • Stroke 167,661
  • Chronic Lower Respiratory Disease 122,009
  • Accidents 97,900
  • Diabetes 69,301
  • Pneumonia/Influenza 65,313
  • Alzheimer's Disease 49,558
  • Nephritis, nephrotic syndrome, and nephrosis 37,251
  • Septicemia 31,224

Total murder victims (2000): 12,943
Worldwide death toll from terrorism in 2001: under 4,000
National Center for Health Statistics,
Deaths/Mortality (all figures are for U.S.)
84
Actions
  • Avoid succumbing to cyberterrorism hype
  • Don't swallow it
  • Don't dismiss it

ACT
  • Counter Computer Crime using common practices
  • Tackle the Total problem
  • Insiders (trust no one)
  • Community partnerships (trust everyone)

85
If You Can, Remember A Fourth Thing
  • Sometimes the best way to raise cybersecurity
    awareness is not to tell people what to do but to
    show them what will happen if they don't.

86
Public Service Message
  • A CIO's worst nightmare played out in a
    riveting, action-packed story... I will likely
    forward the manuscript to Lin Wells.
  • John Gilligan, CIO, USAF
  • Anyone interested in the protection of our
    national infrastructure should read this book.
  • Margie Munson, former Director of DSS
  • Mike Munson, former Deputy Director of NRO