Cyber Security in the Three Times: Past, Present & Future


TRANSCRIPT

Page 1

Carnegie Mellon CyLab
4720 FORBES AVENUE, CIC BUILDING
PITTSBURGH, PA 15213
PH: 412.268.1870 FX: 412.268.7675
www.cylab.cmu.edu

Cyber Security in the Three Times: Past, Present & Future

CERT 20th Anniversary Seminar Series Pittsburgh, Pennsylvania, 7/22/08

Page 2

Cyber Security in the Three Times
Agenda
• Speaker’s Bio
• CyLab’s Mission
• Global Economy & Cyberspace
• Glimpses Into the 21st Century Threat Matrix
• Cyber Risks Timeline
• Elements of A Holistic Program
• Ruminations & Conclusions

Richard Power, Carnegie Mellon CyLab 2008

Page 3

Harnessing the Future to Secure the Present


Richard Power
• CyLab Distinguished Fellow
• Director of Global Security Intelligence for Deloitte Touche Tohmatsu (2002-2005)
• Editorial Director for Computer Security Institute (1994-2002)
• Author of Five Books, Including
– Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft & Economic Espionage in the 21st Century (w/ Christopher Burgess)
– Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace
• Author of War & Peace in Cyberspace, monthly column for Computer Fraud & Security Journal (w/ Dario Forte)

Page 4

CyLab’s Mission
CyLab is …
• A bold and visionary effort, which establishes public-private partnerships to develop new technologies for measurable, available, secure, trustworthy, and sustainable computing and communications systems as well as to educate individuals at all levels.

• A dynamic matrix, in which great works are accomplished, great minds come together, and great careers are launched.

• A vital resource for government and business to draw on in addressing cyber risks that threaten national and economic security.

• A world leader in both technological research and the education of information assurance professionals, CyLab harnesses the future to secure the present.


Page 5

Harnessing the Future to Secure the Present
One of the world’s premier centers for cyber security, dependability and privacy

• Largest U.S. university-based cyber security research & education program

• Computer Emergency Response Team (CERT)

• National Science Foundation (NSF) CyberTrust Center

• Key partner in the NSF-funded Team for Research in Ubiquitous Secure Technology (TRUST)

• National Security Agency (NSA) Center of Academic Excellence in Information Assurance Education

Unique comprehensive approach
• Multi-disciplinary, university-wide
– Faculty and researchers from six colleges of Carnegie Mellon
– 50+ faculty/researchers and 130+ graduate students
• Funded by private and public funds
– Budget of approximately $12M in fiscal year 2007
– Supported by 50 member private companies and government research funds
• Global educational partnerships & initiatives: e.g., Taiwan, India, Portugal, Singapore, Greece, Japan, etc.


Page 6

Page 7

Benefits of CyLab Partners Program
The Four R’s of CyLab Partner Program Benefits --
• Research
– Leverage CyLab researchers and facilities for your R&D
• Recruitment
– Get inside track on hiring CyLab graduates to build your technology team
• Reputation
– Embellish your image by association with leading research center
• Return on Investment
– Cost-savings & boost in reputation translate into immediate ROI


Page 8

The Web of Life

“All things are connected like the blood that unites us all. Man did not weave the Web of Life, he is merely a strand in it. Whatever he does to the Web he does to himself.”

Chief Seattle, 1854


Page 9

Growth of the Global Economy
Everyone & Everything Everywhere is Connected …

2001: 34 nations sign “Free Trade Americas” pact for massive free-trade zone of 800 million people from Alaska to Argentina.
1999: Euro, a common currency for 11 European nations. “Biggest economic event we’ll see in our lifetime.”
1998: Asian economic crisis impacts the world.
1995: General Agreement on Tariffs and Trade (GATT) signed.
1994: North American Free Trade Agreement (NAFTA) signed.
1992: Treaty on European Union (EU) signed.
1989-1991: Collapse of Soviet Union, German reunification.

Page 10

Growth of Cyberspace
Everyone & Everything Everywhere is Connected …

• Radio -- 35 Years to Reach 50 Million People
• TV -- 15 Years to Reach 50 Million People
• WWW -- 5 Years to Reach 50 Million People


Page 11

As They Evolve, They Increasingly Interpenetrate

[Diagram: three panels labelled 1980s, 1990s and 21st Century; in each, the circles “Global Economy” and “Cyberspace” overlap more than in the one before.]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 12

In 21st Century, They Occupy Same Space & Share Risk

[Diagram: three panels labelled 1980s, 1990s and 21st Century. In the 1980s the Global Economy (risks: competitors, espionage) and Cyberspace (risks: hackers, data theft) are separate circles; by the 21st Century they overlap and each carries the other’s risks, so the Global Economy faces hackers and data theft while Cyberspace faces competitors and espionage.]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 13

Yoga of the Three Times

In the 8th Century, this teaching was written down by Yeshe Tsogyal, Tibetan yogini and consort of the great sage, Padma Sambhava; it was then “hidden away amidst a cache of precious things” to be read by seekers of the future –

• The yoga of the past not being practiced, memory of the past remains latent.

• The Future, not being welcomed, is completely severed by the mind from the present.

• The Present not being fixable remains in the state of voidness.

(Tibetan Book of the Great Liberation, Ed. & Trans. by W.Y. Evans-Wentz, Oxford University, 1954)


Page 14

Glimpses into the 21st Century Threat Matrix
On the dark side of cyberspace -- a rapidly expanding spectrum of risks & threats, ever-evolving in sophistication …

• Every technological advance for mobile workers offers new opportunities for cyber criminals and industrial spies

• Rise of organized crime in Eastern Europe was predicted 14 years ago, and yet, it has grown powerful & pervasive

• Not just petty crime, recent headlines highlight attacks on national security, financial markets & power grids

• Meanwhile, perennial threats, like the disgruntled or dishonest insider, continue unabated


Page 15

Glimpses into the 21st Century Threat Matrix

• Bank: Rogue trader hacked computers (CNN, 1-27-08)

• Hackers darken cities, CIA says (Security Focus, 1-21-08)

• China has penetrated key U.S. databases (SC Magazine, 1-18-08)

• Wi-fi users, beware: Hot spots are weak spots (Wall Street Journal, 1-16-08)

• New mass hack strikes sites, confounds researchers (Computerworld, 1-14-08)

• Former Cox employee who shut down 911 gets jail time (SC Magazine, 1-11-08)

• Former New Jersey system administrator gets 30 months in prison for ‘logic bomb’ (SC Magazine, 1-9-08)

• Engineer: I stole IDs from hotel computers (Miami Herald, 1-9-08)

• Mass hack infects tens of thousands of sites (Computerworld, 1-7-08)

• FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack (Wired, 1-4-08)

• eBay goes far to fight fraud – all the way to Romania (L.A. Times, 12-26-07)

• Pune woman $12mn cyber theft (DNA, 12-28-07)

A random sampling from 30 days of newspaper headlines underscores the scope of the challenge


Page 16

Glimpses into the 21st Century Threat Matrix

• Crimeware server exposes breadth of data theft (GCN, 5-6-08)

• Hackers’ posts on epilepsy forum cause migraines, seizures (SMH, 5-8-08)

• Hacktivists collect fingerprint of fingerprint collector (Register, 3-30-08)

• Hackers Hijack a Half-million Sites In Latest Attack (Computerworld, 5-13-08)

• FBI Worried as DoD Sold Counterfeit Networking Gear (CSO)

• Rare SCADA vulnerability discovered (SC Magazine 5-9-08)

• Technology, media firms overconfident, unprepared for breaches: Deloitte survey (SC Magazine, 2-7-08)

• Hackers Focus on VoIP Accounts (WebProNews, 5-12-08)

• Hackers May Have Stolen Millions of Cards(Newsday 5-15-08)

• Hackers catch ride on Grand Theft Auto IV downloaders (Computer Weekly, 5-15-08)

• Russia’s state hackers target Radio Free Europe in Prague (Sunday Herald, 5-10-08)

Another random sampling from recent newspaper headlines underscores the scope of the challenge


Page 17

Glimpses into the 21st Century Threat Matrix

• Spam Blockers Losing Ground on Sophisticated Attackers (6-08)

• Software Engineer First to be Sentenced Under Economic Espionage Act (6-18-08)

• Citibank Server Breach Likely Source of Compromised ATM Cards (6-18-08)

• Stolen Computer Holds Outsourced Human Resources Data (6-23-08)

• Marshall Islands hit by ‘zombie’ attack (6-25-08)

• Former Employee Allegedly Deleted Organ Bank Data (6-26-08)

• More Than 630,000 Laptops Lost at Airports Each Year (6-30-08)

• S.F. officials locked out of computer network (7-15-08)

• New trojan in the wild targeting multimedia files (SC Magazine, 7-14-08)

• Hackers break 3G iPhone lock (7-13-08)

• Hackers Steal Millions From 7-Eleven ATM (AP, 7-3-08)

A random sampling from 30 days of newspaper headlines underscores the scope of the challenge


Page 18

Glimpses into the 21st Century Threat Matrix
Trends for 2008-2009 (it’s only going to get worse) --

• Increased professionalism and commercialization of malicious activities
• Threats tailored for specific regions
• Increasing numbers of multi-staged attacks
• Attackers targeting victims by first exploiting trusted entities
• Convergence of attack methods
• Automated evasion process
• Advanced Web threats – laundering origins through the Web
• Diversification of bot usage

(Symantec Internet Security Threat Report 2007)


Page 19

Glimpses into the 21st Century Threat Matrix
Trends for 2008-2009 (it’s only going to get worse) --

• Ratio of non-malicious to malicious software reaching tipping point: the volume of malicious code & unwanted programs will exceed the number of legitimate programs; security techniques will switch from blacklisting to whitelisting

• Forty-three percent of enterprises have little or no measures in place to address permissions or restrictions on removable media, less than 17% have related end-point security measures; attackers may introduce malicious code at one point or another during manufacture or distribution

• More advanced botnet threats that employ stealth methods such as steganography, allowing bot masters to exploit public forums and search engines

• As US national elections draw near, an increase in phishing, scams and malicious code targeting candidates, campaigns, etc.

(Symantec Internet Security Threat Report 2008)


Page 20

Cyber Risks Timeline: 1996
US Senate Permanent Investigations Subcommittee Hearings on “Security In Cyberspace”

• Senator Sam Nunn (D-GA) presiding
• Witnesses included
– Keith Rhodes (GAO)
– Jim Christy (DoD)
– Peter Neumann (SRI)
– John Deutch (CIA)
– Roger Molander (RAND)
– Jamie Gorelick (DoJ)
– Richard Pethia (CERT)
– Senator Patrick Leahy (D-VT)
– Senator Jon Kyl (R-AZ)
– Richard Power (CSI)

“Human beings are building systems, deploying them and breaking into them. So it is human beings that we have to reach in terms of training, awareness, and understanding their responsibility, not only to their corporations, or to their own job security, but to their country, and to the world.” – Testimony of Richard Power

Page 21

Cyber Risks Timeline: 1995-2002

CSI/FBI Computer Crime & Security Survey
• Intent
– To Raise Awareness
– Encourage Reporting of Cyber Crimes to Law Enforcement
– Inspire In-Depth Research
• Methodology
– Non-Scientific
• Trends
– External Attacks on the Rise
– Perpetrators Not Only Insiders or Juveniles
– Significant Financial Losses


Page 22

Internet As Frequent Point of Attack: 1996-2002

[Bar chart: % of respondents citing each of three locations as a frequent point of attack, for each survey year 1996 through 2002. Series: INTERNAL SYSTEMS, REMOTE DIAL-IN, INTERNET. Vertical axis 0 to 80 (% of Respondents). The bar values survive in the text layer only as an unordered run, so their year/series assignment is not recoverable: 54, 39, 38, 44, 24, 54, 31, 18, 70, 33, 12, 74, 52, 35, 47, 57, 28, 51, 59, 22, 38.]

CSI/FBI 2002 Computer Crime and Security Survey. Source: Computer Security Institute

Respondents:
2002: 414 Respondents / 82%
2001: 384 Respondents / 72%
2000: 443 Respondents / 68%
1999: 324 Respondents / 62%
1998: 279 Respondents / 54%
1997: 391 Respondents / 69%
1996: 174 Respondents / 40%

Page 23

Financial Losses Summary: 1997-2002
Total dollar losses:

1997: 249 respondents, US$100,119,555
1998: 241 respondents, US$136,822,000
1999: 163 respondents, US$123,779,000
2000: 273 respondents, US$265,589,940
2001: 196 respondents, US$377,828,700
2002: 223 respondents, US$455,848,000

Grand total: US$1,459,755,245

CSI/FBI 2002 Computer Crime and Security SurveySource: Computer Security Institute

Page 24

False Notions about Cyber Crime & Cyber Security

Cyber crime costs are exaggerated -- WRONG
Cyber crime is a rare occurrence -- WRONG
Insiders 80% of problem, outsiders are only 20% -- WRONG
Problem is mostly juvenile hackers -- WRONG
Economic espionage is done almost exclusively by the turning of insiders -- WRONG
Security technology = security -- WRONG
Security policies & awareness posters = security -- WRONG
Budget $$$ = security -- WRONG
Security technology, policies, awareness posters & budget $$$ = security -- WRONG


Page 25

Cyber Risks Timeline
In the late 1990s, “Current & Future Danger: A Primer on Cyber Crime & Information Warfare” articulated four areas of greatest concern; they are still the four areas of greatest concern:

• Electronic Commerce Crime
• Economic Espionage
• Infrastructure Attacks
• Personal Cyber Insecurity


Page 26

9/11: Lessons Learned?
Those Who Cannot Remember the Past are Condemned to Repeat It

• False Meme: “The World Changed on 9/11.”
– Some people simply woke up to the reality of the world in which we lived on 9/10
• False Meme: “9/11 was the Result of Intelligence Failures.”
– Plenty of pre-9/11 intelligence, but what happened to it?
• Fear is Not Awareness
– Missed opportunity to raise awareness and education not only for the US populace, but the world …

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Page 27

Cyber Risks Timeline
From Salgado in 1997 to TJX in 2006 …
• Carlos Salgado (1997)
– 86,326 credit cards from 1,214 institutions
– Based on average credit card fraud losses—e.g., $1,836 for fraudulent credit application—potential impact could have been $1 billion
– Cost of card reissue alone: $125 per card, or $10,790,750 for 86,326 cards
• TJ Maxx (2007)
– A hacker or hackers stole data from at least 45.7 million credit and debit cards of shoppers at off-price retailers including T.J. Maxx and Marshalls in a case believed to be the largest such breach of consumer information. (MSNBC, 3-30-07)


Page 28

Cyber Risks Timeline
Blacknet was a hoax, but Phonemasters wasn’t…

• Accessed telephone networks of AT&T, British Telecommunications, GTE, MCI, Southwestern Bell and Sprint

• Broke into credit-reporting databases of Equifax and TRW, and Nexis/Lexis databases

• Eavesdropped on phone conversations, compromised secure databases and redirected communications

• Accessed national power grid, air traffic control system and a digital cache of unpublished phone numbers at the White House

• Customers included private investigators, so-called ‘information brokers,’ and by way of middlemen, the Sicilian Mafia

• Price list included personal credit reports for $75; state motor vehicle records, $25; records from the FBI’s Crime Information Center, $100; address or phone number of any celebrity or important person, $500.


Page 29

Cyber Risks Timeline
The Scope of Eastern European & Asian Cybercrime

• “The chain of command of a cybercrime gang is not unlike the Mafia, an evolution that shows how online crime is becoming a broad, well-organized endeavor.” (IDG, 7-15-08)

• “Moroccan and European intelligence authorities continue to identify significant links between eCrime targeting Western financial institutions and active terrorist cells in Morocco.” (ISIGHT Partners, 5-20-08)

• “Likely that the use of Russian and Eastern European ‘botnet’ (large quantities of malware-infected computers) for political purposes will increase, due to their low cost, the difficulty in tracing their owners …” (ISN, 3-15-08)

• “The notorious [RBN] has suddenly picked up from its St. Petersburg digs and diversified, spreading its unwholesome activity to new chunks of IP addresses, with RBN-like activity almost immediately appearing on newly registered blocks of Chinese and Taiwanese IP addresses …” (e-Week, 11-8-07)

• “The FBI estimates all types of computer crime in the U.S. costs industry about $400 billion… A growing worry is that cybercrooks could target emergency services for extortion purposes…” (Reuters, 9-15-06)

• “The number of people engaged in cyber crime as a full-time ‘profession’ in Eastern Europe and, especially, in Asia is skyrocketing.” (SANS, 8-14-06)

Page 30

Warnings Unheeded, Lessons Unlearned

A Decade Passed Between Salgado’s Almost Completely Ignored Cyber Caper & the TJ Maxx Blockbuster;

Over A Decade has Passed Since the First Warnings of the Rise of Eastern European Organized Cyber Crime …


Page 31

Warnings Unheeded, Lessons Unlearned

Here are Some Important Questions –

What Could Governments & Businesses Have Done?
What Should Governments & Businesses Have Done?
What Next Generation Risks & Threats Are We Ignoring Now?


Page 32

Personal Cyber Insecurity
In 20th Century, Privacy was Something You Had to Protect… In the 21st Century, Privacy is Something You Have to Create

• Identity theft
• Financial fraud
• Cyber vandalism
• Cyber stalking
• Cyber voyeurism
• Recon for physical theft
• Recon for physical violence
• Character assassination
• Intel gathering for blackmail
• Intel gathering for social engineering attacks
• “John Deutch” factor

Wireless, Broadband, etc. Turn Home PCs into Both Targets & Bases


Page 33

Cyber Risks Timeline
Ten Years in the Wilderness – A Decade After Nunn Hearings
• Bad Software (Microsoft is Not “the Evil Empire” But…)
– 2006: Bill Gates -- Man of The Year (Again)
• “Microsoft perceives its customers to be developers, Apple perceives its customers to be end users”
• Only one US corporation that existed in 1900 still existed in 2000 (GE), but in 3000, there will be two (GE & Microsoft)
• Bill Gates belongs on TIME cover for his humanitarian efforts
• Bill Gates does not belong keynoting RSA Conference -- three years in a row
– 2003: CTO Loses Job for Blast at Microsoft
• Dan Geer, CTO for @Stake (which consults for Microsoft), fired for report calling Windows a national cyber security threat
• Signed by seven researchers, report said dominance of Microsoft software on PCs has made networks susceptible to "massive, cascading failures," & that the complexity of the software made it particularly vulnerable to virus & other attacks

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Page 34

Cyber Risks Timeline
Ten Years in the Wilderness – A Decade After Nunn Hearings
• Lack of Progress and/or Continuity in Government

– “Last year CSIA encouraged Congress & the Administration to raise the profile of information security; improve information sharing, threat analysis, & contingency planning; & to prioritize & fund research & development….Unfortunately there is no forward momentum or clear set of priorities for action in 2006.” (CSIA, 2006)

– “For Chertoff to create a high-level cybersecurity position but neglect to fill that position after a year indicates that the Bush administration places a higher value on physical security than it does on the nation's information infrastructure. Meanwhile, the country lacks a leader with the clout to coordinate communications in the event of a massive IT disruption.” (Information Week, 7-06)

– “The Homeland Security Department is not ready for a cyberattack or a natural disaster that causes a major Internet disruption, according to a Government Accountability Report released today.” (FCW, 7-28-06)

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Page 35

One Step Forward, Two Steps Back or …

In general, in terms of cyber security and cyber crime, would you say one step forward two steps back or two steps forward one step back? Or would you characterize it some other way?

Five Expert Views
– Becky Bace (Infidel/Trident)
– Rik Farrow (www.spirit.com)
– Justin Peltier (Peltier Associates)
– Keith Rhodes (US GAO)
– Gene Spafford (CERIAS)

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Page 36

One Step Forward, Two Steps Back or …

“…seriously behind the power curve….cybersecurity and cybercrime suffer from the ‘one generation trailing’ problem - by definition, both are reactive disciplines, especially in the commercial arena - funding is applied to the problem only after someone has divined that there is a problem…

Another aspect that is frustrating to me personally is the lack of attention paid to security education. I can't think of any area that has more strategic impact on our industrial base and national security, yet public funding is consistently underbudgeted, mistargeted and misspent.”

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Becky Bace, Infidel/Trident

Page 37

One Step Forward, Two Steps Back or …

“Have there been any steps forward at all? Identity theft is still on the rise, a large part of it due to identity info stolen via keystroke monitors or phishing/scam sites. This information is traded in large online bazaars, and it appears that law enforcement is doing little to stop this…. Has software security gotten any better? Nope….

Things have not gotten better. Instead, we continue to see a band-aid-style approach – ‘Here, let me sell you our anti-virus/anti-spyware/compliance-monitoring/firewall/NIPS/HIPS’…”

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Rik Farrow, www.spirit.com

Page 38

One Step Forward, Two Steps Back or …

“One forward and two back…. Too many security technologies are entrenched in the corporate environment and not enough innovation is taking place. Most organizations are rolling out the same technologies that have failed time and time again, while the attackers are gaining complexity and new attacks at an almost monthly basis.

As long as security is mostly defined by one large enterprise firewall and a poorly configured IDS/IPS system, the attackers will still have an edge.”

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Justin Peltier, Peltier Associates

Page 39

One Step Forward, Two Steps Back or …

“While our attack morphologies are getting much better (one step forward) the attack vectors are increasing in number and speed due to everyone having high speed internet access from their home (one step back) and due to the code getting buggier and buggier (one step back).

So, if my math is correct, that's one step forward, two steps back.”

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Keith Rhodes, formerly US GAO, now Verizon

Page 40

One Step Forward, Two Steps Back or …

“It's almost like we are making no steps.

We have kept adding new technologies that are dangerous, seen our decision-makers choosing the path of least cost but significant danger, and they have consistently applied band-aides for the most current threat but failed to heed long-term advice, or provide investment for research to really break out of the rut they have gotten into.

Overall, I'm not very optimistic about the future.”

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Gene Spafford, CERIAS, Purdue University

Page 41

Beginner’s Mind

• “In the beginner’s mind there are many possibilities, but in the expert’s there are few.”

• “The goal is always to keep our beginner’s mind.”

• “If you discriminate too much, you limit yourself.”

• “If your mind is empty, it is already ready for anything; it is open to everything.”

• “This is the real secret of the arts: always be a beginner.”

Shunryu Suzuki-Roshi

Richard Power, Carnegie Mellon CyLab 2008

Page 42

Information Operations: Goals of Information Operations

• “The objective for all IO is to dominate the information battlefield by attacking the enemy’s information resources and decision-making capabilities while protecting your own resources and capabilities from all adversaries.

• “In other words, IO has two very simple goals:
– Goal #1: Optimize the decision making of the friendly guys
– Goal #2: Degrade the decision making of the bad guys
– That’s IO in a nutshell.”

Col. Lawrence D. Dietz, US Army (Retired)

Richard Power, Carnegie Mellon CyLab 2008

Page 43

Infrastructure Attacks: What & How

• Information & Communications: Phones, Internet
• Physical Distribution: Air traffic, rail, pipelines
• Energy: Gas, oil, electric power industries
• Banking & Finance: Banks, financial services, mutual funds, stock & commodities exchanges
• Vital Human Services: Water supply, emergency services, vital records

Richard Power, Carnegie Mellon CyLab 2008

The same skills, exploits, modus operandi and opportunities seized by common cyber criminals (including badly designed software and lack of preparedness in government and business), only better financed, better equipped, and operating with relative impunity

Mostly Privately Owned, Relied On for Public Good…

Page 44

Glimpses into the 21st Century Threat Matrix

Imagine if…
• On 9/11, the last image people saw on their TVs was the WTC collapsing, and then the phones went dead and the power grid failed

Imagine if…
• On 9/11, after the initial attacks, as all flights were grounded, those planes still in the air could not land because of a series of attacks on the air traffic control system

Richard Power, Carnegie Mellon CyLab 2008

Page 45

Al-Qaeda Targeted Infrastructure

Richard Power, Carnegie Mellon CyLab 2008

“Routed thru switches in Saudi Arabia, Indonesia and Pakistan …”

“Studied emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities.”

“Some probes suggested planning for a conventional attack. But others homed in on a class of digital devices that allow remote control of services such as fire dispatch and of equipment such as pipelines.”

“More information about those devices -- and how to program them -- turned up on al Qaeda computers seized this year.”

“Most significantly, perhaps, U.S. investigators have found evidence in the logs that mark a browser's path through the Internet that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transport and communications grids.”

(Washington Post, 6-26-02)

Page 46

Lebanon 2006

“What Hezbollah did was to monitor our radio and immediately send it to their Al-Manar TV, which broadcast it almost live, long before the official Israeli radio.” Hezbollah appears to have divided a three mile-wide strip along the Israeli-Lebanese border into numerous “killing boxes”. Each box was protected in classic guerrilla fashion with booby-traps, land mines, and even CCTV cameras to watch every step of the advancing Israeli army. (London Times, 8-27-06)

Israel…hacked into the television station of Hezbollah, emblazoning images on the screen showing pictures of corpses and claiming the Shiite militant group's leader Hassan Nasrallah was a liar….Israel also hacked into FM radio stations and instead of normal programs a two-minute recording was repeatedly broadcast…(Agence France-Presse, 8-2-06)

Hezbollah monitors Israeli and international television news footage of scenes from rocket landings inside Israel and has used the broadcasts the past few weeks to more accurately target installations in the Jewish state…(World Net Daily, 8-14-06)

Richard Power, Carnegie Mellon CyLab 2008

Page 47

Glimpses into the 21st Century Threat Matrix

Who & Why: Usual (& Unusual) Suspects?
• Jihadists
– Economic & Psychological Blow
• Nation States (Hegemons & Rogues)
– Distract & Debilitate Adversary
• Bizarro World (Cults & Loners)
– Hasten Apocalypse, Tear Down Social Order
• Criminal Elements
– Extortion, Reprisal
• Corporate and/or Internal Political Enemies
– Foil Competitors, Subvert Democratic Institutions

Richard Power, Carnegie Mellon CyLab 2008

Page 48

Truth is Stranger Than Fiction

1984: “Shoko Asahara had a one-room yoga school, a handful of devotees, and a dream: world domination. A decade later, Aum Supreme Truth boasted 40,000 followers in six countries and a worldwide network ...” (David E. Kaplan, The Cult at the End of the World)

1995: Aum Shinrikyo (Supreme Truth) cult carried six packages onto Tokyo subway trains … releasing deadly Sarin gas killing 12 persons and injuring more than 5,000. … first major attack using chemical weapons by a terrorist organisation … (History of War)

2000: Japan’s Defense Agency delayed deployment of a new computer system after discovering that it used software developed by members of Aum Shinri Kyo. The Defense Agency was only one of 90 government organizations and private companies that unknowingly ordered software produced by the cult. (BBC, 3-1-00)

2006: Japanese security officers raided 25 offices of the doomsday cult …after its founder lost a last appeal against his death sentence. (The Australian, 9-16-06)

Richard Power, Carnegie Mellon CyLab 2008

Page 49

Truth is Stranger Than Fiction

Theodore John Kaczynski, a.k.a. the Unabomber, mathematician, genius, loner and Luddite

1978 – 1995: 15 bombings throughout the USA, killing 3 and wounding 23

4-24-95: New York Times receives a letter from the Unabomber, promising to stop sending bombs if a 29,000- to 37,000-word article written by the group is printed

9-19-95: Washington Post prints the Unabomber's 'manifesto' in an eight-page supplement

4-3-96: Kaczynski, living as a recluse in a one-room cabin, turned in by his brother who thought Kaczynski's writings bore a striking resemblance to the Unabomber's manifesto

Richard Power, Carnegie Mellon CyLab 2008

Page 50

Could the First Cyber War Be Domestic?

Avi Rubin:

"There are many things that we teach in Security 101 that were not understood by the developers of these machines… Within an hour of looking at the source code in the Diebold machines, we knew we were looking at very bad code…”

(CBS, 1-3-03)

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Page 51

Could the First Cyber War Be Domestic?

Examples of problems reported by GAO include…
• Computer systems that fail to encrypt data files containing cast votes, allowing them to be viewed or modified without detection by internal auditing systems;
• Systems that could allow individuals to alter ballot definition files so that votes cast for one candidate are counted for another;
• Weak controls that allowed the alteration of memory cards used in optical scan machines, potentially impacting election results.

(US GAO, 10-05)
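The first two GAO findings above (cast-vote files and ballot definition files that can be modified without detection) as an added illustration; this is not code from the GAO report, the slides, or any voting system. It uses constructed sample data and a hypothetical per-machine key, and standard-library HMAC-SHA256 stands in for whatever integrity mechanism a real system would use; the point is that confidentiality alone does not detect modification, an integrity tag or signature does.

```python
import hashlib
import hmac
import json

# Constructed ballot definition: maps the choice code stored in each
# cast-vote record to a candidate name. Not data from any real system.
BALLOT_DEFINITION = {
    "contest": "Example Council Seat",
    "candidates": {"1": "Candidate A", "2": "Candidate B"},
}

# Constructed cast-vote records; "choice" is a candidate code.
CAST_VOTES = [
    {"ballot_id": 1, "choice": "1"},
    {"ballot_id": 2, "choice": "1"},
    {"ballot_id": 3, "choice": "2"},
]

# Hypothetical per-machine key. A real deployment keeps this in protected
# storage; it is embedded here only so the example runs offline.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

def canonical(obj) -> bytes:
    """Deterministic JSON so identical data always produces the same tag."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def tally(ballot_definition, cast_votes):
    """Count votes per candidate name, resolving codes via the definition."""
    names = ballot_definition["candidates"]
    counts = {name: 0 for name in names.values()}
    for record in cast_votes:
        counts[names[record["choice"]]] += 1
    return counts

def tally_unprotected(definition_bytes: bytes, votes_bytes: bytes):
    """The GAO finding: both files are trusted as-is, with no integrity check."""
    return tally(json.loads(definition_bytes), json.loads(votes_bytes))

def seal(obj, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed over the record's canonical bytes."""
    payload = canonical(obj)
    return {"payload": payload.decode(),
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def open_sealed(sealed: dict, key: bytes):
    """Return the record only if its tag verifies; raise on any modification."""
    payload = sealed["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("integrity check failed: file was modified")
    return json.loads(payload)

def tally_protected(sealed_definition: dict, sealed_votes: dict, key: bytes):
    """Tally only after both files pass their integrity checks."""
    return tally(open_sealed(sealed_definition, key),
                 open_sealed(sealed_votes, key))

def swapped_definition(definition: dict) -> dict:
    """Model the second GAO finding: alter the ballot definition so that
    votes cast for one candidate are counted for the other."""
    cands = definition["candidates"]
    return dict(definition, candidates={"1": cands["2"], "2": cands["1"]})

def demo():
    """Return (honest tally, tally after an undetected swap, swap caught?)."""
    honest = tally_unprotected(canonical(BALLOT_DEFINITION), canonical(CAST_VOTES))
    # Unprotected path: the swapped definition is accepted and the totals
    # silently move from one candidate to the other.
    tampered = tally_unprotected(canonical(swapped_definition(BALLOT_DEFINITION)),
                                 canonical(CAST_VOTES))
    # Protected path: the same swap, written into the payload without the key,
    # no longer matches the tag and is rejected before any counting happens.
    sealed_def = seal(BALLOT_DEFINITION, DEMO_KEY)
    forged = dict(sealed_def,
                  payload=canonical(swapped_definition(BALLOT_DEFINITION)).decode())
    try:
        tally_protected(forged, seal(CAST_VOTES, DEMO_KEY), DEMO_KEY)
        caught = False
    except ValueError:
        caught = True
    return honest, tampered, caught
```

`demo()` returns the honest count, the silently inverted count from the unprotected path, and `True` for the protected path having rejected the altered definition.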

Three fundamental points emerge from the NYU threat analysis…
• All three voting systems have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections.
• The most troubling vulnerabilities of each system can be substantially remedied if proper countermeasures are implemented at the state and local level.
• Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute successfully.

(Brennan Center, NYU, 6-06)

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Page 52

Hegemon

• China Economy to Overtake U.S. by 2035, Research Institute Says (Bloomberg, 7-9-08)

• The 1.4 Trillion Dollar Question
– “… the vast trade surplus—$1.4 trillion and counting, going up by about $1 billion per day—that the Chinese government has mostly parked in U.S. Treasury notes…” (Atlantic Monthly, Jan-Feb. ’08)

• China Corners Market in a High-Tech Necessity
– China supplies about 95 percent of world's consumption of “rare earths” (IHT, 1-22-06)

Richard Power, Carnegie Mellon CyLab 2008

Consider the implications of these three news stories …

Page 53

Hegemon

• More Congressional Computers Hacked from China (The Hill, 6-21-08)

• China Emerges As Leader in Cyberwarfare
– Accused of Hacking Pentagon & Both British & German governments (CSM 9-14-07)

• Almost half of malicious sites tied to 10 networks
– 6 of 10 are Based in China (The Register, 6-24-08)

Richard Power, Carnegie Mellon CyLab 2008

In relation to these three news stories …

Page 54

Hegemon

19th Century Empire was built largely on Sea Power
20th Century Empire was built largely on Air Power …
Will 21st Century Empire be won with Cyber Power?

Richard Power, Carnegie Mellon CyLab 2008

Page 55

Corporate Competitors

Recent High-Profile Stories Hint at Corporate Cyber War:
• Haephrati: Top Israeli blue chip companies, including a high-tech giant that trades in New York, are suspected of using illicit surveillance software to steal information from their rivals and enemies. The list of victims is equally impressive… (MSNBC, Associated Press, 6-1-05)

• HP: With Hewlett-Packard insiders and contractors facing fraud and conspiracy charges, a spotlight is being shone on the shady world of corporate intelligence. … a boardroom leak investigation that involved spying, accessing phone and fax records using false pretenses, and running a sting operation on a reporter, former HP chairwoman Patricia Dunn and four others were charged last week with fraud and conspiracy. (Information Week, 10-9-06)

Richard Power, Carnegie Mellon CyLab 2008

Page 56

Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft & Economic Espionage in the 21st Century

• Synergy Press (Elsevier)
• ISBN 978-1-59749-255-3

My Co-Author: Christopher Burgess
• Senior Security Advisor, Cisco Systems
• Thirty years as a Covert Officer in the CIA
• Served as Senior Operations Officer and Chief of Station
• Awarded Distinguished Career Intelligence Medal

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 57

Secrets Stolen/Fortunes Lost

The Challenge
• Insiders & Competitors
– The Two Most Tangible, Most Common & Most Destructive Threats
• State Entities
– The Most Sophisticated & Most Formidable Threat
• Counterfeiters, Pirates & Criminals
– The Most Insidious & Most Pervasive Threat

The Strategy
• Elements of A Holistic Approach
• How to Sell Your Program

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 58

Secrets Stolen/Fortunes Lost

Industrial Age Motives w/ Information Age Methods --

• “Michael Haephrati, a software developer, created a clever managed service whereby he would provide custom Trojan software to these private investigators who would then use social engineering techniques to get the targets to install the Trojan on internal systems. For a $2,000 fee Haephrati would host any stolen documents and key stroke logs on servers in Germany and the UK.

• “The police discovered the scheme when Haephrati's first wife took her computer in to them under suspicion of it being infected. Sure enough, it was, and the Israeli police tracked down the hosting servers and discovered thousands of documents from dozens of Israeli companies stored there.

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 59

Secrets Stolen/Fortunes Lost

Using Trojan Horses Instead of Turning Insiders --

• “After three years four of the PI’s that used Michael Haephrati's Trojan software to gather competitive intelligence for their clients have finally been sentenced.

• “Eventually Haephrati and his current wife were extradited from England and supposedly sentenced to jail terms. … [Haephrati] claimed that there was no jail time, and that he was completely free. As a matter of fact he was going to continue to offer his Trojan Horse service but this time he would only work with ‘law enforcement agencies.’

• “What about the executives at Bezeq, Tami4, Pelephone, Cellcom, and the other companies that hired Private Investigators to engage in these activities?” (Network World, 4-30-08)

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 60

Elements of Security Mitigate Risks & Threats

[Figure: the Scope of Risks & Threats, covered by Personnel Security, Physical Security and Information Security]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 61

When Integrated, They Further Mitigate Risks & Threats

[Figure: the Scope of Risks & Threats, covered by Personnel Security, Physical Security and Cyber Security, now shown as integrated]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 62

Awareness & Intel Optimize Mitigating Factors

[Figure: the Scope of Risks & Threats, covered by Personnel Security, Physical Security and Cyber Security, with Awareness & Education and Intel surrounding all three]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 63

Awareness & Education: Model for Global Program

• Specifications:
– Adaptable to All Industries & Sectors
– Multi-Cultural, Multi-Lingual
– Delivery System & Format for Guidance on All Aspects of an Organization’s Security: Personnel, Physical, Cyber, etc.

• Goals:
– Economic
– Efficient
– Effective

• Five Subject Areas:
– Cyber Security
– Information Age Espionage
– Cyber Crime
– Emergency Preparedness & Response
– Personnel Security
– Physical Security

• Four Target Groups:
– Total Workforce
– IT Professionals
– Human Resources & Operations
– Executives & Support Staff

Richard Power, Carnegie Mellon CyLab 2008

Page 64

Awareness & Education: Model for Global Program

• Practical Message for Entire Workforce
– Practical Help for Both Work & Home Life
– Monthly E-mail Newsletter
– New Hire Orientation Presentation
– E-Learning Module
– Annual Global Security Day
– Translated into Local Languages

• Intensive Technical Training for IT Professionals
– Quarterly
– Regional
– Expert Instructors from Outside
– Attacks & Countermeasures
– Incident Response, IDS, etc.
– Certification Training

Richard Power, Carnegie Mellon CyLab 2008

Page 65

Awareness & Education: Model for A Global Program

• Intensive Training for Human Resources & Operations Professionals
– Quarterly
– Regional
– Expert Instructors from Outside
– Crisis Management
– Business Continuity

• Executive Leadership & Staff
– Executive Security Standards
• Information Security
• Personnel Security
• Physical Security
– Bi-Weekly Intel Briefing
• 1 page organized into 5 sections
» Europe, Middle East & Africa
» Asia-Pacific
» Americas
» Global
» Cyberspace
• Includes threats & relevant initiatives

Richard Power, Carnegie Mellon CyLab 2008

Page 66

Awareness & Education: Secrets of Success

• Intent
– Engage
– Enlighten
– Empower

• Content
– Intriguing Themes
– Credible Sources
– Plausible Scenarios
– Relevant to Both Current Events & Personal Life

Richard Power, Carnegie Mellon CyLab 2008

Page 67

Secrets Stolen/Fortunes Lost

Elements of A Holistic Program --
• Personnel Security: Implement a "Personnel Security" program that includes both background investigations & termination procedures.
• Physical Security: Do not overlook the "Duh" factor.
• Information Security: Recruit people with academic training (e.g., CyLab) & professional certification (e.g., CISSP, CISM, etc.). Adopt best practices. Establish a baseline.
• Industry Outreach: Actively participate in industry working groups appropriate to your sector & environment. Sponsor research and education (e.g., CyLab).
• Government Liaison: Leverage your tax dollars.

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 68

Secrets Stolen/Fortunes Lost

Elements of A Holistic Program --
• Intelligence: You need both business & security intelligence. Someone must be looking at both streams, with particulars of your enterprise in mind.
• Awareness & Education: Train your workforce on an ongoing basis about the threats of economic espionage, intellectual property theft, counterfeiting & piracy, & countermeasures.
• Organization: Where security reports within an organization is the most vital issue.
• Legal Strategies: Don't let a small legal mind make decisions about big legal issues.

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Page 69

Conclusions

• No nation can go it alone
• No corporation can go it alone
• No individual or family can go it alone
• A holistic approach integrates many elements --
– Both strategic & tactical
– Both technical & non-technical
– Both professional & public

21st Century Risks & Threats Demand A Holistic Approach

Richard Power, Carnegie Mellon CyLab 2008

Page 70

Conclusions

• Holistic Approach: Cyber Security, Physical Security & Personnel Security must be integrated – certainly at the operational level, preferably at the organizational level

• Culture of Security: Security Awareness & Education must be revolutionized –to communicate the holistic approach, and to engage and empower the individual

• Intelligent Approach: Intelligence and Risk Analysis must look at cyber security from the outside in, as well as from the inside out; e.g., dig into the front page stories and look for the cyber security implications, study the geopolitical and economic trends and look for the cyber security dimensions; do not limit your thinking to bits and bytes, or policies and standards, or attacks and countermeasures.

• Harnessing the Future to Secure the Present: Academic research into new technologies must receive unprecedented funding to lead in the development of strategies and solutions for mobility, secure home computing, critical infrastructure protection and other vital areas of concern

Four 21st Century Cyber Security Imperatives

Richard Power, Carnegie Mellon CyLab 2008

Page 71

Conclusions

In the Shadows of Cyberspace, Your Most Dangerous Adversary is Not the Hacker or the Spy or the Cyber Criminal or the Disgruntled Insider or even the Cyber Terrorist.

Whether You Operate in the Corporate World or in the Government, Your Most Dangerous Adversary is Weak Leadership.

Your Most Dangerous Adversary …

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Page 72

Conclusions

If Your Leaders are Small-Minded and Self-Serving, No Amount of Timely Intelligence, Sophisticated Technology, and World-Class Expertise Will Protect Your People, Your Secrets, Your Organizations, or Your Country.

Your Most Dangerous Adversary …

Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Page 73

Conclusions

IT Supply Chain Security
• Not just the IT supply chain, but every supply chain – because the IT chain impacts them all
• Look for opportunistic random distribution

Virtual Worlds
• Not just money laundering
• Covert communication channel
• Incredible access into the minds of individuals & groupings, to exploit, target, shape them

Governance
• What should be discussed in the Board Room

Climate Change
• The intersection of security & sustainability

Issues to Pursue Moving Forward

Richard Power, Carnegie Mellon CyLab 2008

Page 74

Contact Information

• e-mail: [email protected]
• web: http://www.cylab.cmu.edu
• snail mail: Carnegie Mellon University, NASA AMES Research Park, Building 23 (MS21-11), Moffett Field, California, 94035-1000
• telephone: 650-335-2813

Richard Power

Richard Power, Carnegie Mellon CyLab 2008