Security 101: Overview of Information Assurance

Post on 26-Jun-2020


Security 101: Overview of Information Assurance

Dr. Barbara Endicott-Popovsky, ICS Department, UHM; UW/UHM Center for IA and Cybersecurity

Putin Praises DNC Hack But Denies Russia Was Behind It

Russian President Vladimir Putin is praising the hack that broke into the Democratic National Committee and leaked internal emails online -- but says Russia was not behind it.

Cybersecurity experts have fingered two hacking groups working with the Russian government in the DNC hack, which the FBI is also investigating, and Democratic officials say the breach was part of Moscow's attempt to influence the presidential election in favor of Donald Trump. The hack resulted in the ouster of several top DNC officials, including its former chair.

Thursday, Putin said the hack was a public service because it exposed the DNC's apparent favoritism of Clinton during the Democratic presidential primary, but claimed, "I don't know anything about it."

"Listen, does it even matter who hacked this data?'' Putin said. "There's no need to distract the public's attention from the essence of the problem by raising some minor issues connected with the search for who did it."

"The important thing is the content that was given to the public," he added.

Sep 2 2016, 10:36am ET

http://www.nbcnews.com/card/putin-praises-dnc-hack-denies-russia-was-behind-it-n642061

iClicker Question:

• Based on what you have read and heard about this hack, how certain are you that the Russians did it?

a. Very sure: The Russians did it, no doubt! They're evil!
b. Sure: I accept the news media reports — they know what they're talking about.
c. Neither sure nor unsure: I've just heard about it and have no opinion.
d. Unsure: How do they know for sure — on what evidence?
e. Very unsure: Attribution is very difficult to determine absolutely on Internet communications. For example, someone could hijack Russian servers.

iClicker: A: Very Sure B: Sure C: Neither sure nor unsure D: Unsure E: Very unsure

Thought question

• Assuming that this is an attack on the US electoral process, would this be an act of war?
– For that matter, when is an intrusion a "hack" (a simple crime) and when is it an act of war?
– How will we know?

• These are today's stakes! Whatever happened to the kids staying up all night on Jolt hacking into the Pentagon?

Cyber War

http://www.foxnews.com/politics/2016/09/03/putin-calls-dnc-hack-public-service-denies-russias-involvement.html

Agenda

• Context
• Overview Threat Landscape
• Threat Spectrum Evolution
• Breach Trends
• Strategies for Organizations and Industries
• Do Controls Work?
• Changing our Mental Models

CONTEXT: How did we get here?

1960-1980: Computer Security
1985: INFOSEC
1995-: Information Assurance

Information System Security Revolution

[Figure: network diagram labelled Other Networks, Packet Switch, Gateway, File Server, Bridge]

Attribute                Agricultural Age    Industrial Age       Information Age
Wealth                   Land                Capital              Knowledge
Advancement              Conquest            Invention            Paradigm Shifts
Time                     Sun/Seasons         Factory Whistle      Time Zones
Workplace                Farm                Capital equipment    Networks
Organization Structure   Family              Corporation          Collaborations
Tools                    Plow                Machines             Computers
Problem-solving          Self                Delegation           Integration
Knowledge                Generalized         Specialized          Interdisciplinary
Learning                 Self-taught         Classroom            Online

Smashing Industrial Age Infrastructure!

The Sorcerer's Apprentice: http://www.youtube.com/watch?v=4ryFOztZrrc

Certificate in IA and Cybersecurity: ICS 426, 425 and 491

Security Poll iClicker Question:

Before discussing the threat landscape, how do you feel about your online security in general?

A: Very Safe B: Safe C: Okay D: Not safe E: Vulnerable

OVERVIEW OF THREAT LANDSCAPE: What's coming at us?

Threats

Critical Infrastructure: An Irresistible Target

THREAT SPECTRUM EVOLUTION: Why now is so urgent:

Source: GBA

Today's Criminals Come in Many Forms… all of which can do great harm

• Script kiddies

• Hacktivists

• Cyber Criminals

• APTs / Nation States

IMAGE SOURCE: http://upload.wikimedia.org/wikipedia/commons/4/48/Anonymus_logo.png

Source: GBA

Different Faces, Same Basic Process

http://www.discoveringidentity.com/2013/03/11/mandiant-report-apt1-exposing-one-of-chinas-cyber-espionage-units/
Source: GBA

Common Script Kiddie Attack Progression

1) Script Kiddie enjoys hacking and wants to build reputation
2) Identifies Target Website(s)
3) Scans for Vulnerabilities
4) Exploits Vulnerabilities
5) Defaces Website or Steals Data from Database
6) Publicly Posts Data Breach Information and/or boasts about what they did

Source: GBA

Script Kiddie Damage

• Hacked 259 websites in 90 days

• Stole and leaked information

• Defaced corporate websites

Screenshot of Defacement by 15 Year Old
Source: GBA

Nation State Actors: Advanced Persistent Threats

• Highly Skilled

• Nation State Sponsored

• Example: RBN

• They have more time, and more resources than you

• If you are targeted, they WILL get into your system

http://rbnexploit.blogspot.com/
Source: GBA

Methodology / APT Attack Progression

http://www.www8-hp.com/ca/en/images/T-image__sw__insider-threat__560x342--C-tcm223-1357982--CT-tcm223-1237012-32.png

The details change, but the process is generally the same

Information cited from:

Source: GBA

Workspace 1 (workbooks)

• Discuss who put the script kiddy out of business and why.

• If nation states and nation state/criminals are the most devastating adversaries, what are the implications to the average person/average company doing business online?

BREACH TRENDS: Study the data!

Top 9 Patterns of Intrusion

Malicious Intrusion Trends

Source: Verizon DBR 2016

Motivations Behind Attacks

Malicious Trends and Motives

Which countries got attacked the most and how (2016)

http://www.hackmageddon.com/2016/02/16/january-2016-cyber-attacks-statistics/

Malicious Trends and Motives

http://www.hackmageddon.com/2016/02/16/january-2016-cyber-attacks-statistics/

Security Poll iClicker:

After learning about the threat landscape, now how do you feel about your online security?

A: Very Safe B: Safe C: Okay D: Not safe E: Vulnerable

Workspace 2 (workbooks)

• Describe how your own online behavior will change as a result of understanding the threats that are out there.

https://www.stopthinkconnect.org/

STRATEGIES FOR ORGANIZATIONS AND INDUSTRIES

How to manage in this context

Industry Status

• Industry lags government
• Lack of awareness
– Literacy
– Risks
• Profit margins
• Standards of care
• Legal liability concerns
• Critical infrastructure 85% private

Change in Perception Required

Today / Where we need to go

Basic IA Principles

Security Services / IA Design Approach

Security Goals

• Confidentiality (secrecy)
– Only authorized parties can access an asset

• Integrity
– Only authorized parties can modify an asset

• Availability
– Assets are accessible/modifiable by authorized parties at appropriate times
– Authorized parties cannot be denied access to the asset

• Audit
– An attacker cannot hide its tracks
– Forensic analysis is possible

Test your knowledge

iClicker: Which of the following security goals am I applying if I make my Web site accessible from 9:00 A.M. to 3:00 P.M.?

A: Confidentiality B: Integrity C: Availability D: Audit

Test your knowledge

iClicker: Which of the following security goals would prevent people without appropriate access from modifying files?

A: Confidentiality B: Integrity C: Availability D: Audit

Test your knowledge

iClicker: Which of the following security goals would require only an authorized person can gain access to information?

A: Confidentiality B: Integrity C: Availability D: Audit
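The four security goals above can be made concrete in a small reference monitor. The following is an added example, not part of the original slides: it guards one asset and decides every request by confidentiality (who may read), integrity (who may modify), availability (the 9:00 A.M. to 3:00 P.M. window from the quiz), and audit (every decision, including denials, is recorded). The names Asset, request and demo and the sample parties are invented for the illustration.

```python
# Added example (not from the original slides). Asset/request/demo and the
# sample parties "member", "stranger" and "webmaster" are invented here.
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Asset:
    name: str
    readers: frozenset                  # parties allowed to read (Confidentiality)
    writers: frozenset                  # parties allowed to modify (Integrity)
    open_from: time = time(0)           # service window (Availability)
    open_until: time = time(23, 59, 59)
    audit_log: list = field(default_factory=list)  # append-only trail (Audit)

    def _log(self, party, action, at, decision, goal):
        # Denials are logged too, so an attacker cannot hide their tracks and
        # a forensic analyst can later reconstruct who tried what, and when.
        self.audit_log.append((at.isoformat(timespec="minutes"), party, action, decision, goal))

    def request(self, party: str, action: str, at: time) -> str:
        """Return 'ALLOW' or 'DENY' and record which goal decided the outcome."""
        if not (self.open_from <= at <= self.open_until):
            # Outside the published window nobody is served; inside it an
            # authorized party is never turned away by this check.
            self._log(party, action, at, "DENY", "availability")
            return "DENY"
        if action == "read" and party not in self.readers:
            self._log(party, action, at, "DENY", "confidentiality")
            return "DENY"
        if action == "write" and party not in self.writers:
            self._log(party, action, at, "DENY", "integrity")
            return "DENY"
        self._log(party, action, at, "ALLOW", "authorized")
        return "ALLOW"


def demo():
    # Constructed sample: a Web site readable by members, editable only by the
    # webmaster, and served from 9:00 A.M. to 3:00 P.M. as in the quiz question.
    site = Asset("website", readers=frozenset({"member", "webmaster"}),
                 writers=frozenset({"webmaster"}), open_from=time(9), open_until=time(15))
    results = [
        site.request("member", "read", time(10)),       # ALLOW
        site.request("stranger", "read", time(10)),     # DENY: confidentiality
        site.request("member", "write", time(10)),      # DENY: integrity
        site.request("webmaster", "write", time(14)),   # ALLOW
        site.request("webmaster", "read", time(16)),    # DENY: availability
    ]
    return results, site.audit_log
```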

Traditional Security Model: McCumber Cube

[Figure: the cube's three axes are Security Services, information states ("thru info states"), and Controls]

McCumber, John. Application of the Comprehensive INFOSEC Model: Mapping the Canadian Criteria for Systems Certification, Unpublished Manuscript, from the Proceedings of the Fifth Annual Canadian Computer Security Conference, May 1993. Ottawa, Canada.

ICISO Perspective

Secure and Forensic Ready system

Workspace #2

• Describe the three security services and how they work together

• Describe how the McCumber Cube is used to manage cybersecurity in organizations

DO CONTROLS WORK? What do we do with the pesky humans in the system?

Trusting Controls Assumes:

• Design implements your goals

• Sum total of controls implement all goals

• Implementation is correct

• Installation/administration are correct

Bottom line assumption: You Will Never Own a Perfectly Secure System!!!

Requires Change in Strategy for Managing Networked Systems

• Today's network defense strategy
• On defense
• Incident response focus on patch and recover
• Avoidance of legal pursuit

• Proposed network defense strategy
• On offense
• Assume breach
• Incident response focus on forensics

Survivability Strategy / Tools

Resistance: Ability to repel attacks
  Tools: • Firewalls • User authentication • Diversification

Recognition: 1) Ability to detect an attack or a probe 2) Ability to react or adapt during an attack
  Tools: • Intrusion detection systems • Internal integrity checks

Recovery: 1) Provide essential services during attack 2) Restore services following an attack
  Tools: • Incident response • Replication • Backup systems • Fault tolerant designs

3R Strategy for Managing Networked Systems Traditionally

CMU 3R model of Survivability

Survivability Strategy / Tools

Resistance: Ability to repel attacks
  Tools: • Firewalls • User authentication • Diversification

Recognition: 1) Ability to detect an attack or a probe 2) Ability to react or adapt during an attack
  Tools: • Intrusion detection systems • Internal integrity checks

Recovery: 1) Provide essential services during attack 2) Restore services following an attack
  Tools: • Incident response • Replication • Backup systems • Fault tolerant designs

Redress: 1) Ability to hold intruders accountable in a court of law. 2) Ability to retaliate
  Tools: • Digital Forensics • Legal remedies • Active defense

4R's of Accountable Systems

Endicott-Popovsky, Barbara and Deborah Frincke. "Adding the Fourth 'R': A Systems Approach to Solving the Hacker's Arms Race." Thirty-ninth Annual Hawaii International Conference on System Sciences: Symposium: Skilled Human-intelligent Agent Performance: Measurement, Application and Symbiosis, Jan. 2006. Kauai, HI. 4 Jan. 2006. <http://www.itl.nist.gov/iaui/vvrg/hicss39>

Balance Risk vs. Cost

Costs:
• Solution
• Value
• Potential losses

Risks:
• Likelihood
• Potential impacts

Workspace 3 (workbooks)

• Recall that the 2016 Verizon Data Breach Report indicates that miscellaneous errors are the most significant intrusion trend.

• Is managing the technology, or the people using the technology, or both, more important to cybersecurity in an organization?

• Justify your answer.

CHANGING OUR MENTAL MODELS: Eliminating our scotomas

Attribute                Agricultural Age    Industrial Age       Information Age
Wealth                   Land                Capital              Knowledge
Advancement              Conquest            Invention            Paradigm Shifts
Time                     Sun/Seasons         Factory Whistle      Time Zones
Workplace                Farm                Capital equipment    Networks
Organization Structure   Family              Corporation          Collaborations
Tools                    Plow                Machines             Computers
Problem-solving          Self                Delegation           Integration
Knowledge                Generalized         Specialized          Interdisciplinary
Learning                 Self-taught         Classroom            Online

IT Management Evolution

• Mainframe
– Access
• Limited lists
• Sign in logs
• 7/24 attendants
– Perimeter defense
• Closed areas
• Cypher locked doors
– Disc forensics

• Distributed processing
– Authentication
– Firewalls
– Network forensics
– IDS
– Forensic readiness
– Drive security to physical layer

Forensics as a Security Service: Revised McCumber Cube

[Figure: the cube's axes are Security Services (with Non-Repudiation added), information states ("thru info states"), and Controls]

Maconachy, Vic., Cory Schou, Dan Ragsdale and Doug Welch. A Model for Information Assurance: An Integrated Approach, from the Proceedings of the Second Annual Conference of the IEEE Systems, Man and Cybernetics Information Assurance Workshop, Jun. 2001, West Point, NY: United States Military Academy, pp. 306-310

Embedding Hercule Poirot in Networks:

Addressing Inefficiencies in Digital Forensics Investigations…

B. Endicott-Popovsky, PhD, UW; D. Frincke, PhD, PNNL

Research Gap

• A comprehensive methodology to embed Forensic Readiness:

• Knowledge of a detective
– Rules of evidence
– Legal requirements
– Courtroom admissibility standards

• Knowledge of networks

Workspace #4

• What is the value of adding non-repudiation as a service of computer security?

• How would you describe forensic readiness?

Thought question

• We began with the conundrum of cybercrime vs. cyberwar as it applies to the DNC hack.
• We have reviewed the threat landscape and the escalation of challenges facing us online.
• Besides realizing we may already be in WWIII, what other dramatic societal changes are implied by going digital?

October is National Cyber Security Awareness Month

https://staysafeonline.org/ncsam/


RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?


Species 8472

Courtesy: K. Bailey / E. Hayden, CISOs

Backup

CYBER UNEMPLOYMENT RATE = 0%

Education: Certificate, AA/BS/MS, SFS
Certification: CISSP, GIAC, CEH
Experience: Internship, Apprenticeship, Public Service
Job/Career: Analyst, Engineer, Architect, Auditor

A supply, not a demand problem

Veteran to STEM Programs, 9 November 2011

CIAC 1.0

Expert IA Graduates
• SFS Scholars
• Transitioned Military

Education Programs
• 4 Master degrees
• 4 Certificates
• PhD's
• MOOC's

Research
• NSA/DoD
• NSF
• NIST
• DHS
• PNNL

Secure Code, Military studies, Pedagogical research

ACM 2013

[Figure: CIAC 1.0 shown as an INPUT / OUTPUT diagram]

Pacific Rim Collegiate Cyber Defense Contest (PRCCDC): http://www.uwtv.org/video/player.aspx?dwrid=27982

NOTE: UW won Nationals in 2011 and 2012 !!

iClicker Question:

• Based on this and other recent hack news, how safe do you feel your photos and personal information are online?

a. Very safe: I rarely think about computer security, as I have protected my devices with appropriate security measures.
b. Safe: I think about my photo and information security from time to time. I am typically worried when I read about it in the news.
c. Okay: I think about security on a regular basis, but feel safe because I keep my devices up-to-date and use security measures.
d. Not safe: I worry about security a lot and tend to only use social media on a limited basis.
e. Vulnerable: I am constantly worried about security and rarely do anything on a network unless I know it is safe.

• Why do you feel this way?

iClicker: A: Very Safe B: Safe C: Okay D: Not safe E: Vulnerable