Cybersecurity: defending our digital future - PowerPoint PPT Presentation

Slides: 40
Provided by: csFsuEdu7
Learn more at: http://www.cs.fsu.edu

1
Cybersecurity: defending our digital future
  • Mike Burmester
  • Center for Security and Assurance in IT,
    Florida State University, 3rd Annual TechExpo,
    Tallahassee, May 6th 2010

2
Talkthrough
  • Background
  • the White House Cyberspace Policy Review
  • Emerging network technologies
  • Wireless, ubiquitous
  • Cloud applications, intelligent networks
  • What next!
  • The adversary
  • We are behind the learning curve: the hackers
    are ahead
  • Security threats
  • How can we defend our digital future?
  • Near-term and midterm plans
  • Methodology
  • Technical aspects, technical analysis

3
Background
  • In Feb 2009 the President directed a 60-day
    clean-slate review to assess U.S. policies and
    structures for cybersecurity.
  • In March 2009 the Cyberspace Policy Review was
    published
  • The Cybersecurity Review recommends general
    guidelines regarding the
      • Strategy
      • Policy, and
      • Standards
    for securing operations in cyberspace.

our approach over the past 15 years has failed
to keep pace with the threat.

4
Background
  • What is Cyberspace?
  • . . . the interdependent network of information
    technology infrastructures, including
  • the Internet
  • Telecommunications networks
  • Computer systems
  • Embedded processors and
  • Controllers in critical industries
  • Common usage of the term also refers to the
  • Virtual environment of information and
    interactions between people

5
Background
  • What is Cyberspace? A historical perspective
  • 1985: a system of mainframe computers (NSFNET)
  • 1990: the Internet and Web applications
  • 2000: Wireless networks
  • 2008: Cloud applications
  • 20??: The Internet of Things
  • 20??: Virtual life?
  • How can we secure a structure that keeps morphing?

6
Emerging Network Technologies: the wireless
medium, at the beginning . . .
  • Wireless technology offers unparalleled
    opportunities
  • Some time ago
  • Telegraph
  • Radio communication
  • Amateur radio
  • TV

7
Emerging Network Technologies: the wireless
medium, more recently
  • Wireless technology offers unparalleled
    opportunities
  • Wireless technology
  • Cellular systems
    (3G and beyond)

8
Emerging Network Technologies: Bluetooth, Wi-Fi,
sensors, RFIDs
  • Short range point-to-point
  • Bluetooth
    Personal Area networks
  • Wi-Fi technologies
  • Wireless sensor networks
  • RFID (Radio Frequency Identification) systems

9
Emerging Network Technologies: Sensor networks
  • Factory floor automation
  • Border fencing
  • Military applications

10
RFID deployments
  • An RFID road pricing gantry in Singapore
  • An RFID tag
  • RFID tags used in libraries
  • Airports checking luggage
  • U.S. (electronic) passports

11
Wireless technologies
  • Long range point-to-point
  • WiMAX technologies

12
Wireless technologies: with no infrastructure
  • Mobile ad hoc networks (MANETs)
  • Disaster recovery

13
Vehicle-to-Vehicle communication
  • VANETs

14
Ubiquitous networks
  • Network all applications ! The Internet of Things

15
What next !
  • Cloud applications ???
  • Delegate applications
  • Start with the Internet cloud
  • Delegate applications to the cloud

16
. . . and next! Emerging technologies
  • Robotics
  • Nanotechnology
  • molecular self-assembly
  • developing new materials
  • Biotechnology
  • Analyzing the myriad simultaneous cellular
    activities
  • Living systems can be regarded as communication
    systems: they transmit the genome of the organism
    by replication/transcription and translation.

17
Beyond next !
  • Intelligent Networking ???

18
Beyond . . . the beyond
  • Virtual Networking and Environments
  • Current Definition (academic)
  • A technology used to control remotely located
    computers and applications over the Internet
  • White House Policy Review definition of
    Cyberspace
  • A virtual environment of information and
    interactions between people
  • Cyberspace: the digital network infrastructure
  • cloud applications
  • virtual network technology
  • emerging technologies
  • intelligent networking

19
Now, the bad . . .
The adversary (the hackers)

20
The adversary: Portrait of a Computer Criminal
  • Amateurs
  • Normal people, maybe disgruntled over some
    negative work situation
  • Have committed most of computer crimes to date
  • Crackers or Hackers
  • Often high school/university students; cracking
    is seen as the ultimate victimless crime
  • Attack for curiosity, self-satisfaction and
    personal gain
  • Career criminals
  • Understand the targets of computer crime
  • Usually begin as computer professionals who later
    engage in computer crime finding the prospects
    and payoff good.
  • Electronic spies and information brokers who
    recognize that trading in companies' secrets can
    be lucrative

21
The adversary: It is worse !
  • A simple Google search
  • key words: Chinese, threat, cyberspace
  • MI5 alert on China's cyberspace spy threat (Times
    Online) Dec 1, 2007 . . . The Government has
    openly accused China of carrying out
    state-sponsored espionage against vital parts of
    Britain's economy, including . . .
  • U.S. military flags China cyber threat
  • 2008-03-06 . . . The U.S. DoD warned in an
    annual report released this week that China
    continues to develop its abilities to wage war in
    cyberspace as part of a doctrine of "non-contact"
    warfare

22
The adversary: . . . much worse !
  • key words: France, threat, cyberspace
  • NATO chief calls attention to threats from
    cyberspace
  • Mar 4, 2010 . . . NATO is facing new threats in
    cyberspace that cannot be met by lining up
    soldiers and tanks, the alliance's
    secretary-general said Thursday in an apparent
    reference to terror groups and criminal networks
  • key words: International, threat, cyberspace
  • Threat of next world war may be in cyberspace
  • Oct 6, 2009 . . . The next world war could
    happen in cyberspace and that would be a
    catastrophe. We have to make sure that all
    countries understand that in that war . . .

23
The adversary: New technologies can be abused
  • Are we prepared for intelligent networks ?
  • Who will manage them ?
  • Do we want
  • Centralized, or
  • Decentralized management
  • Who will protect our resources ?
  • What are the threats ?

24
Security Threats
  • Confidentiality
  • Eavesdropping (wiretapping)
  • Privacy
  • Anonymity (Big Brother)
  • Integrity
  • Data integrity: protection against unauthorized
    modifications, data corruption, deletion . . .
  • Source or destination integrity: protection
    against spoofing attacks, man-in-the-middle
    attacks
  • Availability
  • Coverage deployment
  • Information data accuracy traffic control
  • Dependable data transport: what about
    transmission/omission/congestion errors?
  • What about malicious faults ?

25
The Internet is a hackers' paradise
  • Security Threats: Perceived or Real
  • Impersonation Attacks
  • Denial of Service Attacks
  • Session Tampering and Hijacking
  • Man-in-the-Middle Attacks

26
Can we protect Digital resources ?
  • There are some very good cryptographic tools that
    can be used to protect digital resources
  • Many of these tools have proven security
  • The problem is usually bad implementations
  • The best cryptographic security is point-to-point
    security (such as VPN)
  • The source and destination
      • are mutually authenticated (with public key
        cryptography)
      • privately exchange a fresh secret key (with
        public key cryptography)
      • use a symmetric key encryption scheme to encrypt
        exchanged data (with symmetric key
        cryptography)
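
The three steps above, as an added Go example (not from the original slides): each party signs a fresh X25519 public key with a long-term Ed25519 identity key, the peer verifies that signature, and both sides derive the same AES-256-GCM session key. The Party type and its field names are hypothetical, the choice of Ed25519, X25519 and SHA-256 is an assumption, and each ID is assumed to be already trusted by the peer, standing in for a certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party: long-term Ed25519 identity plus a fresh, signed X25519 session key.
type Party struct {
	ID          ed25519.PublicKey
	EphPub, Sig []byte
	eph         *ecdh.PrivateKey
}

func NewParty() *Party {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	return &Party{pub, eph.PublicKey().Bytes(), ed25519.Sign(priv, eph.PublicKey().Bytes()), eph}
}

// Session: (1) authenticate peer, (2) derive fresh secret, (3) key AES-256-GCM.
func (p *Party) Session(peerID ed25519.PublicKey, ephPub, sig []byte) (cipher.AEAD, error) {
	if !ed25519.Verify(peerID, ephPub, sig) {
		return nil, fmt.Errorf("peer authentication failed")
	}
	peerKey, err := ecdh.X25519().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	secret, err := p.eph.ECDH(peerKey)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // a 32-byte key is always accepted
	return cipher.NewGCM(block)
}

func main() {
	a, b, m := NewParty(), NewParty(), NewParty() // m: impostor posing as b
	_, okErr := a.Session(b.ID, b.EphPub, b.Sig)
	_, badErr := a.Session(b.ID, m.EphPub, m.Sig)
	fmt.Println("genuine peer:", okErr, "| impostor:", badErr)
}
```

Skipping the signature check in step 1 would let the impostor's key through, which is the man-in-the-middle case listed among the threats.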

27
Can wireless technology be made secure ?
  • Point-to-point security
  • Authentication usually involves certificates (a
    trusted third party certifies the public key of
    the entities) and a cryptographic handshake
  • WiMAX uses the Extensible Authentication Protocol
    for this purpose
  • For encryption it uses block ciphers such as DES3
    or AES
  • This offers protection at the protocol layer
  • There are still problems at the physical layer,
    such as jamming attacks (Denial-of-Service), or
    flooding attacks
  • Security vs. functionality tradeoff
  • Rule of thumb: the more security, the less
    functionality
  • Holistic security

28
Cybersecurity Policy Review: Near-Term Plan
  • Appoint cybersecurity coordinator
  • Prepare a national strategy
  • Designate cybersecurity as a priority . . .
  • Designate a privacy/civil liberties official
  • Formulate coherent unified policy guidance that
    clarifies roles, responsibilities . . . for
    cybersecurity activities across the Federal
    government
  • Initiate a public awareness and education
    campaign to promote cybersecurity

29
Cybersecurity Policy Review: Near-Term Plan
  • Develop government positions for an international
    cybersecurity policy framework
  • Prepare a cybersecurity incident response plan
  • Develop a framework for R&D strategies that
    focuses on game-changing technologies . . . to
    enhance the security, reliability, resilience,
    and trustworthiness . . .
  • Build a cybersecurity-based identity management
    vision and strategy that addresses privacy and
    civil liberties interests . . .

30
Cybersecurity Policy Review: Midterm Plan (14
items)
  • Support key education programs and R&D research
    to ensure the Nation's continued ability to
    compete in the information age economy
  • Expand and train the workforce, including
    attracting and retaining cybersecurity expertise
    in the Federal government.
  • Develop solutions for emergency communications
    capabilities during a time of natural disaster,
    crisis, or conflict . . .
  • Encourage collaboration between academic and
    industrial laboratories to develop migration
    paths and incentives for the rapid adoption of
    research and technology innovations

31
Are we willing to pay the price ? . . .
we may have to . . .
whether we like it or not . . .

32
Methodology for Security
  • Resiliency
  • Against physical damage, unauthorized
    manipulation, and electronic assault. In addition
    to protection of the information itself,
  • A risk mitigation strategy with focus on devices
    used to access the infrastructure, the services
    provided by the infrastructure, the means of
    moving, storing and processing information
  • A strategy for prevention, mitigation and
    response against threats
  • Encouraging innovation
  • Harness the benefits of innovation
  • Not create policy and regulation that inhibits
    innovation
  • Maintain National Security/Emergency Preparedness
    Capabilities

33
White House Cybersecurity Plan: RSA 03/2010
  • The Comprehensive National Security Initiative
    (12 items)
  • Manage the Federal Enterprise Network as a single
    network enterprise with Trusted Internet
    Connections
  • Deploy an intrusion detection system of sensors
    across the Federal enterprise
  • Deploy intrusion prevention systems across the
    Federal enterprise
  • Coordinate and redirect R&D efforts
  • Connect current cyber ops centers to enhance
    situational awareness
  • Develop a government-wide cyber counter
    intelligence plan

34
White House Cybersecurity Plan Revealed at RSA
03/2010
  • The Comprehensive National Security Initiative
    (12 items)
  • Increase the security of our classified networks
  • Expand cyber education
  • Define and develop enduring "leap-ahead"
    technology, strategies, and programs
  • Develop enduring deterrence strategies and
    programs
  • Develop a multi-pronged approach for global
    supply chain risk management
  • Define the Federal role for extending
    cybersecurity into critical infrastructure domains

35
Cybersecurity Plan: Technical aspects
  • Deploy an ID (intrusion detection) system of
    sensors across the Federal enterprise
  • Einstein 2 capability: signature-based sensors
    that analyze network flow information to identify
    potential malicious activity while conducting
    automatic full packet inspection of traffic
    entering or exiting U.S. Government networks for
    malicious activity
  • Deploy IP (intrusion prevention) systems across
    the Federal enterprise
  • Einstein 3 capability: real-time full packet
    inspection and threat-based decision-making on
    network traffic entering or leaving these
    Executive Branch networks
  • Identify and characterize malicious network
    traffic to enhance cybersecurity analysis,
    situational awareness and security response
  • Automatically detect and respond appropriately to
    cyber threats before harm is done, providing an
    intrusion prevention system supporting dynamic
    defense

36
Cybersecurity Plan: Technical analysis
  • Einstein 2 capability: signature-based sensors
    will only detect copycat attacks; one-off
    attacks will not be checked
  • Einstein 3 capability will not detect
    unpredictable attacks that mimic normal behavior
  • Threat-based decision-making on network traffic,
    however, may deal with the consequences of such
    attacks
  • Markovian profiling is a good approach for
    threat-based decision-making
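
An added Go example (not from the original slides) of the contrast drawn above: a signature check misses a one-off event sequence, while a first-order Markov profile trained on known-good sessions scores that sequence as unusually surprising. The event names, sample sessions, signature string and add-one smoothing are constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Profile is a first-order Markov model of event order in known-good sessions.
type Profile struct {
	pair   map[[2]string]float64 // pair[{a,b}]: times b followed a
	from   map[string]float64    // from[a]: transitions leaving a
	states map[string]bool       // every event seen in training
}

func Train(sessions [][]string) *Profile {
	p := &Profile{map[[2]string]float64{}, map[string]float64{}, map[string]bool{}}
	for _, s := range sessions {
		for i, ev := range s {
			p.states[ev] = true
			if i > 0 {
				p.pair[[2]string{s[i-1], ev}]++
				p.from[s[i-1]]++
			}
		}
	}
	return p
}

// Surprise: mean -log P(next|current), add-one smoothed so unseen is not impossible.
func (p *Profile) Surprise(s []string) float64 {
	total, v := 0.0, float64(len(p.states)+1) // +1 bucket for unseen events
	for i := 1; i < len(s); i++ {
		total -= math.Log((p.pair[[2]string{s[i-1], s[i]}] + 1) / (p.from[s[i-1]] + v))
	}
	return total / math.Max(1, float64(len(s)-1))
}

// SignatureHit models a signature sensor: it fires only on a known pattern.
func SignatureHit(s []string, sig string) bool { return strings.Contains(strings.Join(s, ","), sig) }

var good = [][]string{{"login", "read", "read", "logout"}, // constructed samples
	{"login", "read", "write", "logout"}, {"login", "write", "read", "logout"}}

func main() {
	p, odd := Train(good), []string{"login", "write", "write", "write", "logout"}
	fmt.Println(SignatureHit(odd, "known_exploit"), p.Surprise(odd), p.Surprise(good[0]))
}
```

A session that follows the learned transitions scores as normal, which is the mimicry limit noted in the slide; the profile helps with sequences that deviate from learned behaviour, not with ones that copy it.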

37
"The most important technical point in this review
is the realization that one cannot achieve
cybersecurity solely by protecting individual
components: there is no way to determine what
happens when NIAP-reviewed products are all
combined into a composite IT system. Quite
right, and too little appreciated: security is a
systems property, and in fact, part of the entire
design-and-build process." (Steven M Bellovin)
  • Holistic Security

". . . the Universal-Composability Framework may
ultimately prove to be just a first step toward a
complete solution." (Joan Feigenbaum)

". . . the main feature of the UC Framework is
that the security of a composite system can be
derived from the security of its components
without need for holistic reassessment." (Mike
Burmester)

38
Thanks for listening!

39
Raise your hands if you have any questions