Security 101: Overview of Information Assurance
TRANSCRIPT
Security 101: Overview of Information Assurance
Dr. Barbara Endicott-Popovsky, ICS Department UHM, UW/UHM Center for IA and Cybersecurity
Putin Praises DNC Hack But Denies Russia Was Behind It
Russian President Vladimir Putin is praising the hack that broke into the Democratic National Committee and leaked internal emails online -- but says Russia was not behind it.
Cybersecurity experts have fingered two hacking groups working with the Russian government in the DNC hack, which the FBI is also investigating, and Democratic officials say the breach was part of Moscow's attempt to influence the presidential election in favor of Donald Trump. The hack resulted in the ouster of several top DNC officials, including its former chair.
Thursday, Putin said the hack was a public service because it exposed the DNC's apparent favoritism of Clinton during the Democratic presidential primary, but claimed, "I don't know anything about it."
"Listen, does it even matter who hacked this data?" Putin said. "There's no need to distract the public's attention from the essence of the problem by raising some minor issues connected with the search for who did it."
"The important thing is the content that was given to the public," he added. Sep 2 2016, 10:36 am ET
http://www.nbcnews.com/card/putin-praises-dnc-hack-denies-russia-was-behind-it-n642061
iClicker Question:
• Based on what you have read and heard about this hack, how certain are you that the Russians did it?
a. Very sure: The Russians did it, no doubt! They're evil!
b. Sure: I accept the news media reports; they know what they're talking about.
c. Neither sure nor unsure: I've just heard about it and have no opinion.
d. Unsure: How do they know for sure, on what evidence?
e. Very unsure: Attribution is very difficult to determine absolutely on Internet communications. For example, someone could hijack Russian servers.
iClicker: A: Very sure B: Sure C: Neither sure nor unsure D: Unsure E: Very unsure
Thought question
• Assuming that this is an attack on the US electoral process, would this be an act of war?
– For that matter, when is an intrusion a "hack" (a simple crime) and when is it an act of war?
– How will we know?
• These are today's stakes! Whatever happened to the kids staying up all night on Jolt hacking into the Pentagon?
Cyber War
http://www.foxnews.com/politics/2016/09/03/putin-calls-dnc-hack-public-service-denies-russias-involvement.html
Agenda
• Context
• Overview: Threat Landscape
• Threat Spectrum Evolution
• Breach Trends
• Strategies for Organizations and Industries
• Do Controls Work?
• Changing our Mental Models
CONTEXT: How did we get here?
[Timeline: 1960-1980 Computer Security; 1985 INFOSEC; 1995- Information Assurance]
Information System Security Revolution
[Network diagram: Other Networks, Packet Switch, Gateway, File Server, Bridge]
Attribute              | Agricultural Age | Industrial Age    | Information Age
Wealth                 | Land             | Capital           | Knowledge
Advancement            | Conquest         | Invention         | Paradigm Shifts
Time                   | Sun/Seasons      | Factory Whistle   | Time Zones
Workplace              | Farm             | Capital equipment | Networks
Organization Structure | Family           | Corporation       | Collaborations
Tools                  | Plow             | Machines          | Computers
Problem-solving        | Self             | Delegation        | Integration
Knowledge              | Generalized      | Specialized       | Interdisciplinary
Learning               | Self-taught      | Classroom         | Online
Smashing Industrial Age Infrastructure!
The Sorcerer's Apprentice: http://www.youtube.com/watch?v=4ryFOztZrrc
Certificate in IA and Cybersecurity: ICS 426, 425 and 491
Security Poll, iClicker Question:
Before discussing the threat landscape, how do you feel about your online security in general?
A: Very safe B: Safe C: Okay D: Not safe E: Vulnerable
OVERVIEW OF THREAT LANDSCAPE: What's coming at us?
Threats
Critical Infrastructure: An Irresistible Target
THREAT SPECTRUM EVOLUTION: Why now is so urgent
Source: GBA
Today's Criminals Come in Many Forms... all of which can do great harm
• Script kiddies
• Hacktivists
• Cyber Criminals
• APTs / Nation States
IMAGE SOURCE: http://upload.wikimedia.org/wikipedia/commons/4/48/Anonymus_logo.png
Source: GBA
Different Faces, Same Basic Process
http://www.discoveringidentity.com/2013/03/11/mandiant-report-apt1-exposing-one-of-chinas-cyber-espionage-units/
Source: GBA
Common Script Kiddie Attack Progression
1. Script kiddie enjoys hacking and wants to build reputation
2. Identifies target website(s)
3. Scans for vulnerabilities
4. Exploits vulnerabilities
5. Defaces website or steals data from database
6. Publicly posts data breach information and/or boasts about what they did
Source: GBA
Script Kiddie Damage
• Hacked 259 websites in 90 days
• Stole and leaked information
• Defaced corporate websites
Screenshot of defacement by 15 year old. Source: GBA
Nation State Actors: Advanced Persistent Threats
• Highly skilled
• Nation state sponsored
• Example: RBN (http://rbnexploit.blogspot.com/)
• They have more time, and more resources than you
• If you are targeted, they WILL get into your system
Source: GBA
Methodology / APT Attack Progression
http://www.www8-hp.com/ca/en/images/T-image__sw__insider-threat__560x342--C-tcm223-1357982--CT-tcm223-1237012-32.png
The details change, but the process is generally the same
Information cited from: GBA
Workspace 1 (workbooks)
• Discuss who put the script kiddy out of business and why.
• If nation states and nation state/criminals are the most devastating adversaries, what are the implications to the average person / average company doing business online?
BREACH TRENDS: Study the data!
Top 9 Patterns of Intrusion
Malicious Intrusion Trends
Source: Verizon DBR 2016
Motivations Behind Attacks
Malicious Trends and Motives
Which countries got attacked the most and how (2016)
http://www.hackmageddon.com/2016/02/16/january-2016-cyber-attacks-statistics/
Malicious Trends and Motives
http://www.hackmageddon.com/2016/02/16/january-2016-cyber-attacks-statistics/
Security Poll, iClicker:
After learning about the threat landscape, now how do you feel about your online security?
A: Very safe B: Safe C: Okay D: Not safe E: Vulnerable
Workspace 2 (workbooks)
• Describe how your own online behavior will change as a result of understanding the threats that are out there.
https://www.stopthinkconnect.org/
STRATEGIES FOR ORGANIZATIONS AND INDUSTRIES
How to manage in this context
Industry Status
• Industry lags government
• Lack of awareness
– Literacy
– Risks
• Profit margins
• Standards of care
• Legal liability concerns
• Critical infrastructure 85% private
Change in Perception Required
[Figure: Today vs. Where we need to go]
Basic IA Principles
[Figure: Security Services, IA Design Approach]
Security Goals
• Confidentiality (secrecy)
– Only authorized parties can access an asset
• Integrity
– Only authorized parties can modify an asset
• Availability
– Assets are accessible/modifiable by authorized parties at appropriate times
– Authorized parties cannot be denied access to the asset
• Audit
– An attacker cannot hide their tracks
– Forensic analysis is possible
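The Integrity and Audit goals above are easiest to see in code. What follows is an added example, not from the lecture or from any of the works it cites: a tamper-evident audit log in Python, built as a hash chain of HMAC-protected records. The key, the record layout and the sample log entries are all constructed for illustration. Each record carries the MAC of the record before it, so an attacker who edits or deletes an earlier record breaks the chain at that point, and a verifier holding the key can name the first bad record, which is what makes forensic analysis possible. The example also handles the failure mode a practitioner should expect: quietly deleting the newest records does not break the chain, so the verifier must also compare the log's head against a value committed somewhere the attacker cannot write (a write-once store, a remote collector, or a printed daily digest). One caveat: an HMAC gives integrity and authenticity, not non-repudiation, because anyone holding the key could have produced the records; proving who wrote them would require a signature made with a key that only the originator holds.

```python
"""Tamper-evident audit log: a hash chain of HMAC-protected records.

Added example, not from the lecture. KEY, the record layout and the sample
entries are constructed for illustration only.
"""
import copy
import hashlib
import hmac
import json
from typing import List, Optional

# Assumption: the verifier holds this key off the host that writes the log,
# so a local attacker who edits the log file cannot recompute valid MACs.
KEY = b"example-verifier-key-not-for-production"
GENESIS = "0" * 64  # stands in for the "previous MAC" of the very first record


def _mac(prev: str, seq: int, entry: dict) -> str:
    """MAC over (previous MAC, sequence number, canonical JSON of the entry)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    payload = f"{prev}|{seq}|{canonical}".encode()
    return hmac.new(KEY, payload, hashlib.sha256).hexdigest()


def append(log: List[dict], entry: dict) -> dict:
    """Append an entry, chaining it to the current head of the log."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "prev": prev, "entry": entry, "mac": _mac(prev, seq, entry)}
    log.append(record)
    return record


def verify(log: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the log is intact, else the index of the first bad record.

    An index equal to len(log) means every record verified but the head does
    not match the externally committed head, i.e. the tail was truncated.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return i  # record reordered, inserted or deleted here
        expected = _mac(prev, i, rec.get("entry", {}))
        if not hmac.compare_digest(expected, str(rec.get("mac", ""))):
            return i  # contents or MAC of this record were edited
        prev = rec["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(log)
    return None


def build_sample_log() -> List[dict]:
    """Constructed sample events; not real data."""
    log: List[dict] = []
    for entry in [
        {"user": "alice", "action": "login", "src": "10.0.0.5"},
        {"user": "bob", "action": "read", "obj": "/finance/q3.xlsx"},
        {"user": "bob", "action": "delete", "obj": "/finance/q3.xlsx"},
        {"user": "alice", "action": "logout", "src": "10.0.0.5"},
    ]:
        append(log, entry)
    return log


def run_scenarios() -> dict:
    """Exercise the verifier against an intact log and three tampering attempts."""
    log = build_sample_log()
    head = log[-1]["mac"]  # committed out of band, e.g. to a write-once store

    modified = copy.deepcopy(log)
    modified[2]["entry"]["user"] = "alice"  # try to blame someone else for the delete

    deleted = copy.deepcopy(log)
    del deleted[2]  # try to remove the incriminating record entirely

    truncated = copy.deepcopy(log)
    truncated.pop()  # drop the newest record silently

    return {
        "clean": verify(log, head),
        "modified": verify(modified, head),
        "deleted": verify(deleted, head),
        "truncated_unanchored": verify(truncated),
        "truncated_anchored": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        status = "intact" if result is None else f"first bad record at index {result}"
        print(f"{name:22s} -> {status}")
```

Running the block shows the modified and deleted cases both failing at index 2, the truncated log passing when the verifier has no anchor, and the same truncated log failing at index 3 once the committed head is supplied. That last pair is the design point: the chain by itself only protects the past, so the current head has to live outside the attacker's reach.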
Test your knowledge
iClicker: Which of the following security goals am I applying if I make my Web site accessible from 9:00 A.M. to 3:00 P.M.?
A: Confidentiality B: Integrity C: Availability D: Audit
Test your knowledge
iClicker: Which of the following security goals would prevent people without appropriate access from modifying files?
A: Confidentiality B: Integrity C: Availability D: Audit
Test your knowledge
iClicker: Which of the following security goals would require that only an authorized person can gain access to information?
A: Confidentiality B: Integrity C: Availability D: Audit
Traditional Security Model: McCumber Cube
[Figure: cube with axes Security Services, Information States ("thru info states") and Controls]
McCumber, John. Application of the Comprehensive INFOSEC Model: Mapping the Canadian Criteria for Systems Certification, Unpublished Manuscript, from the Proceedings of the Fifth Annual Canadian Computer Security Conference, May 1993. Ottawa, Canada.
CISO Perspective
Secure and Forensic-Ready system
Workspace #2
• Describe the three security services and how they work together
• Describe how the McCumber Cube is used to manage cybersecurity in organizations
DO CONTROLS WORK? What do we do with the pesky humans in the system?
Trusting Controls Assumes:
• Design implements your goals
• Sum total of controls implement all goals
• Implementation is correct
• Installation/administration are correct
Bottom line assumption: You Will Never Own a Perfectly Secure System!!!
Requires Change in Strategy for Managing Networked Systems
• Today's network defense strategy
– On defense
– Incident response focus on patch and recover
– Avoidance of legal pursuit
• Proposed network defense strategy
– On offense
– Assume breach
– Incident response focus on forensics
3R Strategy for Managing Networked Systems Traditionally (CMU 3R model of Survivability)
Survivability Strategy                                          | Tools
Resistance: ability to repel attacks                            | Firewalls; User authentication; Diversification
Recognition: 1) ability to detect an attack or a probe,         | Intrusion detection systems; Internal integrity checks
  2) ability to react or adapt during an attack                 |
Recovery: 1) provide essential services during attack,          | Incident response; Replication; Backup systems; Fault tolerant designs
  2) restore services following an attack                       |
4R's of Accountable Systems
Survivability Strategy                                          | Tools
Resistance: ability to repel attacks                            | Firewalls; User authentication; Diversification
Recognition: 1) ability to detect an attack or a probe,         | Intrusion detection systems; Internal integrity checks
  2) ability to react or adapt during an attack                 |
Recovery: 1) provide essential services during attack,          | Incident response; Replication; Backup systems; Fault tolerant designs
  2) restore services following an attack                       |
Redress: 1) ability to hold intruders accountable in a          | Digital forensics; Legal remedies; Active defense
  court of law, 2) ability to retaliate                         |
Endicott-Popovsky, Barbara and Deborah Frincke. "Adding the Fourth 'R': A Systems Approach to Solving the Hacker's Arms Race." Thirty-ninth Annual Hawaii International Conference on System Sciences: Symposium: Skilled Human-intelligent Agent Performance: Measurement, Application and Symbiosis, Jan. 2006. Kauai, HI. 4 Jan. 2006. <http://www.itl.nist.gov/iaui/vvrg/hicss39>
Balance Risk vs. Cost
Costs:
• Solution
• Value
• Potential losses
Risks:
• Likelihood
• Potential impacts
Workspace 3 (workbooks)
• Recall that the 2016 Verizon Data Breach Report indicates that miscellaneous errors are the most significant intrusion trend.
• Is managing the technology, or the people using the technology, or both, more important to cybersecurity in an organization?
• Justify your answer.
CHANGING OUR MENTAL MODELS: Eliminating our scotomas
[Attribute table for the Agricultural, Industrial and Information Ages, repeated from the Context section above: Wealth, Advancement, Time, Workplace, Organization Structure, Tools, Problem-solving, Knowledge, Learning]
IT Management Evolution
• Mainframe
– Access
• Limited lists
• Sign-in logs
• 24/7 attendants
– Perimeter defense
• Closed areas
• Cypher-locked doors
– Disc forensics
• Distributed processing
– Authentication
– Firewalls
– Network forensics
– IDS
– Forensic readiness
– Drive security to physical layer
Forensics as a Security Service: Revised McCumber Cube
[Figure: cube with axes Security Services (adding Non-Repudiation), Information States ("thru info states") and Controls]
Maconachy, Vic., Cory Schou, Dan Ragsdale and Doug Welch. A Model for Information Assurance: An Integrated Approach, from the Proceedings of the Second Annual Conference of the IEEE Systems, Man and Cybernetics Information Assurance Workshop, Jun. 2001, West Point, NY: United States Military Academy, pp. 306-310
Embedding Hercule Poirot in Networks:
Addressing Inefficiencies in Digital Forensics Investigations...
B. Endicott-Popovsky, PhD, UW; D. Frincke, PhD, PNNL
Research Gap
• A comprehensive methodology to embed Forensic Readiness:
• Knowledge of a detective
– Rules of evidence
– Legal requirements
– Courtroom admissibility standards
• Knowledge of networks
Workspace #4
• What is the value of adding non-repudiation as a service of computer security?
• How would you describe forensic readiness?
Thought question
• We began with the conundrum of cybercrime vs. cyberwar as it applies to the DNC hack.
• We have reviewed the threat landscape and the escalation of challenges facing us online.
• Besides realizing we may already be in WWIII, what other dramatic societal changes are implied by going digital?
October is National Cyber Security Awareness Month
https://staysafeonline.org/ncsam/
RESISTANCE IS FUTILE. PREPARE TO BE ASSIMILATED?
Species 8472
Courtesy: K. Bailey / E. Hayden, CISOs
Backup
CYBER UNEMPLOYMENT RATE = 0%
[Career pipeline figure]
Education: Certificate, AA/BS/MS, SFS
Certification: CISSP, GIAC, CEH
Experience: Internship, Apprenticeship, Public Service
Job/Career: Analyst, Engineer, Architect, Auditor
A supply, not a demand problem
Veteran to STEM Programs, 9 November 2011
CIAC 1.0
[Figure: INPUT / OUTPUT]
Expert IA Graduates
• SFS Scholars
• Transitioned Military
Education Programs
• 4 Master degrees
• 4 Certificates
• PhD's
• MOOC's
Research
• NSA/DoD
• NSF
• Secure Code, Military studies, Pedagogical research
• NIST
• DHS
• PNNL
ACM 2013
Pacific Rim Collegiate Cyber Defense Contest (PRCCDC): http://www.uwtv.org/video/player.aspx?dwrid=27982
NOTE: UW won Nationals in 2011 and 2012!!
iClicker Question:
• Based on this and other recent hack news, how safe do you feel your photos and personal information are online?
a. Very safe: I rarely think about computer security, as I have protected my devices with appropriate security measures.
b. Safe: I think about my photo and information security from time to time. I am typically worried when I read about it in the news.
c. Okay: I think about security on a regular basis, but feel safe because I keep my devices up-to-date and use security measures.
d. Not safe: I worry about security a lot and tend to only use social media on a limited basis.
e. Vulnerable: I am constantly worried about security and rarely do anything on a network unless I know it is safe.
• Why do you feel this way?
iClicker: A: Very safe B: Safe C: Okay D: Not safe E: Vulnerable