Cybersecurity. Prof. Dr. Michael Waidner Technische Universität Darmstadt und Fraunhofer-Institut für Sichere Informationstechnologie SIT, Darmstadt

Transcription

1 Cybersecurity Prof. Dr. Michael Waidner Technische Universität Darmstadt und Fraunhofer-Institut für Sichere Informationstechnologie SIT, Darmstadt Konferenz»Digitale Wirtschaft und Cyberpolitik«Tönissteiner Kreis, Berlin, 6. März 2015

2 Agenda Digital Sovereignty: Objective and Reality Why is IT not Secure? What Needs to be Done? 2

3 »Digital Space«is Everywhere Connected, programmable, open and shared. Generating massive amounts of data, often sensitive, mostly unstructured. Every new technology, service, consumption, business model creates new security and privacy challenges. 3

4 Digital Sovereignty: Objective Self-determination in a digital world Self-determination 1.»Gestaltbarkeit«: Ability to Shape the Digital World 2. Security 3. Privacy 4. Trust in the Quality of 1-3 Citizen Enterprise Administration EU / States 4

5 Digital Sovereignty: Reality Gestaltbarkeit Security Privacy Trust Limited Cybercrime, sabotage, espionage, individual surveillance, censorship Mass surveillance, profiling, data persistence, scoring, data analytics Limited 5

6 Impact of Cybercrime and Espionage (Germany) Cyber attacks considered serious threat by 74% of all enterprises (1), 85% of all users (2) 49% of all attacks are»opportunistic«(3) Many got already hit by cyber attacks 38% of all users (1), 21% with identity theft (2) ; 30% of all enterprises with cyber crime (1), 54% with industrial espionage, >50% through»hacking«(4) Significant damages 40 M /a in reported cases of computer fraud (reality likely 11x) (5) ; 40 B /a (1,6% BIP) total cost of cyber crime (6), larger than total costs of car incidents ) Sources: (1) BITKOM 3/5 2014, (2) SCHUFA 9/2013, (3) IBM 3/2013, (4) Corporate Trust 7/2014, (5) BKA 8/2014, (6) Center for Strategic and International Studies 6/2014, (7) Bundesanstalt für Straßenwesen 8/2010 6

7 Prototypical Attacks Targeted, organized, financially or politically motivated Zeus Trojan and Botnet (2007) Jérôme Kerviel vs. Société Générale (2008) Anonymous (2008) False Flag Operations: Iranian Cyber Army vs. Baidu Search Engine (2010) DigiNotar (2011), RSA/Lockheed-Martin (2011), Saudi Aramco (2012), EADS (2012),... Stuxnet (2010) PRC Unit 61398, Shanghai (2013) NSA / GCHQ Programs (2013/14) 7

8 Snowden Revelations on NSA/GCHQ Activities PRISM TAO TEMPORA BULLRUN MYSTIC MUSCULAR HACIENDA etc. Mass surveillance of Internet and mobile networks Wiretapping of selected individuals, including Chanceller Merkel Suspicion of support for industrial espionage Circular trading to evade national law Direct access auf cables satellites, Internet backbone, cloud providers in the USA/UK and likely also in EU/Germany Manipulation of central infrastructures (SSL PKIs, DNS, BGP) Manipulation of supply chain (»Tailored Access Operations«) Systematic backdoors in NIST standards, in specific products Collection of vulnerabilities in products 8

9 Prototypical Attacks: Advanced Persistent Threat RSA / Lockheed-Martin, : Social engineering & phishing March 3: Fake to some RSA employees: [2011 Recruitment plan.xls] with embedded flash zero-day CVE in Adobe Flash Player. Planted Poison Ivy trojan horse. 2: Digital Shoulder Surfing Poison Ivy connects back to control server, giving full control to attacker. Attacker gradually moves towards higher value accounts and data. Sources: F-Secure, New York Times, Information Week : Collecting SecureID secret seed records, downloading them from staging server. RSA issues warning on March 17 Unusually fast (e.g., attack on Nortel went unnoticed for more then 10 years) 4: Exploiting compromised SecureID to break into the target systems at defense industry. June 3: Lockheed discloses a blocked attack, which exploited the breach at RSA. RSA announced replacement program for tokens (>40M tokens worldwide, Lockheed > ). August 2011: RSA acknowledge immediate 66M$ for recovery. March 27, 2012: NSA attributes attack to Chinese hackers 9

10 Domain Name System (DNS) and Vulnerabilities Critical part of the Internet Where is Authentication, blacklists, policies, certificates (SPF, DANE, ROVER, ) Redirect to incorrect hosts Victims: organisations, DNS and network operators, e.g., ICANN, ISC, Craigslist Against Internet clients, routers, e.g., for surveillance, censorship NSA, GCHQ, China Defences Non-crypto defences/ Encryption/ DNSSEC 10

11 Non-Crypto defences Security only against weak attackers Vulnerable [HS13a,HS13b,SW14,..] Domain Name System (DNS) Security Internet standards [RFC6056,RFC4697] OS software: CISCO, linux kernel Zonefile configuration, e.g., ORG Crypto-defences: DNSSEC Crypto-defences: Encryption Internet drafts DNS service providers: OpenDNS DNS software: Verisign, NL-labs, AFNIC Vulnerable: non-interoperable, insecure, not compatible with DNS, [Shulman14] Adjustment to Internet drafts, SW, IETF award Not (widely) deployed: only <5% validate responses, most zones not protected (<1% signed) Incorrect deployments NIST (2013) list of (>1000) financial US domains Only 14 deploy DNSSEC only 3 correctly! 11

12 Recommendations for DNS Security Mandate adoption of DNSSEC Internet providers, network operators, critical infrastructure providers Best practices, policies, regulations Deployment challenges and security problems Surveys and questionnaires for network operators Study of adoptions, detection of misconfigurations 17% of clients in Germany use foreign resolution services Outsourcing to third parties/ Misconfigurations/ Malware Outsourcing only to certified third parties Interoperability problems with existing infrastructure Large responses cipher suite negotiation Legacy network devices (1) identify legacy devices, (2) upgrade infrastructure 12

13 Border Gateway Protocol (BGP) Fraunhofer-Gesellschaft 2014 Delivery of traffic to remote destinations Long history of BGP prefix hijacks Reroute via/to incorrect networks Intercept/block/modify communication Frequent attacks: 2013, 1500 hijacks in 2 months Victims: financial institutions, ISPs, VoIP, govts... BGP hijacks range from benign misconfigurations, to censorship, DoS, and advanced attacks, such as surveillance and corporate or nation-state espionage Pakistan censored YouTube (2008) via false BGP updates Belarus/Iceland hijack (May 2013) Turkey blocked Twitter and hijacked entire Internet (2014) Canadian Bitcoin hijack (May 2014) Syria Telecom hijacks YouTube (Dec. 2014) Perpetrators: Great China Firewall, NSA, GCHQ, militaries, spammers 13

14 Belarus/Iceland Hijack (May 2013): BGP Hijack between Governments Last year during two months more than 1500 IP addresses were rerouted Targets Financial institutions VoiP providers Governments 14

15 Resource Public Key Infrastructure (RPKI) BGP Security Proposed and standardised more than a decade ago But, only less than 5% of the Internet prefixes are authenticated Security only if all networks between source/destination adopt Deployment obstacles Reliance on a single root of trust Significant (manual) deployment efforts Changes to the routing infrastructure Hierarchical Does not guarantee full security Even if widely adopted, vulnerable to next AS attack 15

16 Decentralised Infrastructure for Secure BGP Decentralised BGP Authentication Decentralised: no single root of trust No changes to existing infrastructure Easy adoption Automated registration/verification Differentiate connectivity failures vs malicious attacks Effective under partial adoption 16

17 Recommendations for BGP Security Identify suitable BGP security proposal Compare proposals: trust requirements, changes to infrastructure and ease of adoption, legal aspects (exposing neighbours and customers), political motivations Mandate adoption of BGP routing security Network operators and Internet providers Preliminary evaluation of security proposals, e.g., with universities, ISPs Best practices, policies, regulations Deployment challenges Study of common routing configuration practices: Traffic engineering/ Infrastructure support Networks and servers topology/architectures 17

18 Commercial Data Collection (Examples) Source: Company web site 18

19 Commercial Data Collection (Examples) Source: Company web site 19

20 What is at Risk? Informational Self-Determination: Individual: being observed / sense of being observed Industry, government, society: influence over public / individual opinion + loss of control over data collections Discrimination: Transparent citizens, enterprises Risk through centralized data silos Access by foreign services (e.g., as in PRISM) Access by criminals (e.g., malware via ads, prep social engineering via online social networks) 20

21 Research Challenges for Countering Loss of Privacy Established technology concepts data minimization, anonymity & pseudonymity, transparency & control don t work well in»new«environments Cloud Computing? Classical Internet Social Internet Internet of Things??? Big Data??? 21

23 Why is Information Technology not Secure? Several fundamental problems Insiders Usability Long Innovation Cycles Slow Adoption of Security Best Practices Software Quality 23

24 Why is Information Technology not Secure? Slow Adoption of Security Best Practices in Industry Firewall Risk assessment Disk encryption Strong authentication VPN / Network encryption Identity Management Governance (CISO, etc.) Auditing Security monitoring Mail encryption ISO 27001, etc. Data Leakage Prevention Cyber insurance Cloud monitoring Organisation Encryption Other State-of-the-art security could stop 80% of currently successful attacks Most product vulnerabilities could be identified automatically Source: Studie Industriespionage 2014; Corporate Trust, 30. Juli 2014 (Grafiken 24, 27, 29)

25 Why is Information Technology not Secure? Software Quality: Constant Number of New Vulnerabilities vulnerabilities in software products Slow adoption of Security & Privacy by Design Source (Disclosures): IBM X-Force 2013 Mid-Year Trend and Risk Report, September

27 Society and Citizens Make»Europe online«a trustworthy and secure place Selecting, configuring and using security features, products and services is difficult: Broaden scope and capabilities of consumer advisors The quality of security and privacy must be made visible: EU-level criteria, test and certifications Confidentiality of communications requires availability of technologies and infrastructures Support cross-eu infrastructure and tools for (end-to-end) encryption for citizens and enterprises Mandate (cloud,...) service provides to always offer an option supporting state-of-the-art security and privacy 27

28 Mechanism of Choice: End-to-End Encryption For , Chat, VOiP,... Cloud:»Volksverschlüsselung«Sender End-to-End Encryption Recipient Public Key Infrastructure Distribution and Certification of public Keys Challenges: Secure standards & implementation, usability, scalability 28

29 Industry and Government Make the EU a leader in cybersecurity preparedness and trustworthy ICT Necessary level of security and privacy must be turned from»competitive disadvantage«into»cost of doing business«mandatory minimum standards Encourage sharing of information within sectors Security and Privacy by Design Encourage adoption of SPbD principle Investment in standards, processes, tools Enterprise encryption, and other best practices Trustworthy ICT requires international cooperation Security testing / verification of any component Secure integration of (even untrusted) components Create a single market for security & privacy products Setting standards Address European market 29

30 Research European research agenda for security and privacy Security and Privacy Must be part of any project using / creating ICT Must be a first class topic of the EU research agenda Accelerate innovation cycles in cybersecurity Regular ICT: 1-5 years Security: >10 years Strong»Centers of Excellence«critical for success Research requires a critical mass of expertise 30

31 Prof. Dr. Michael Waidner Fraunhofer Institute for Secure Information Technology SIT Director Technische Universität Darmstadt Computer Science, Professor CASED & EC SPRIDE, Director Rheinstrasse 75, Darmstadt (Office) (Cell) 32