ETRAC Presentation ECCN 4E001.c intrusion software technology. Jim O Gorman, President October 15, 2015

Similar documents
Export Controls on Intrusion Software. Collin Anderson Tom Cross

I. The Proposed Interpretation of Intrusion Software Inappropriately Fails to Exclude Software for Defensive Activities

Network Incident Report

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Attachment A. Identification of Risks/Cybersecurity Governance

Acceptable Use Policy

Common Cyber Threats. Common cyber threats include:

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Defending Against Data Beaches: Internal Controls for Cybersecurity

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

In-House Vs. Hosted Security. 10 Reasons Why Your is More Secure in a Hosted Environment

Application Security in the Software Development Lifecycle

Intrusion Software Tools and Export Control Introduction. Export Control in Context

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

OCIE CYBERSECURITY INITIATIVE

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Data Security Incident Response Plan. [Insert Organization Name]

Defending Against Cyber Attacks with SessionLevel Network Security

Automotive Ethernet Security Testing. Alon Regev and Abhijit Lahiri

A Decision Maker s Guide to Securing an IT Infrastructure

Firewalls Overview and Best Practices. White Paper

Penetration Testing Service. By Comsec Information Security Consulting

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

CYBERTRON NETWORK SOLUTIONS

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

10 best practice suggestions for common smartphone threats

Post-Stuxnet Industrial Security: Zero-Day Discovery and Risk Containment of Industrial Malware

Practical Steps To Securing Process Control Networks

Service Schedule for Business Lite powered by Microsoft Office 365

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

ELECTRONIC INFORMATION SECURITY A.R.

Nine Steps to Smart Security for Small Businesses

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions

KEY STEPS FOLLOWING A DATA BREACH

What s New with HIPAA? Policy and Enforcement Update

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

If you do not wish to agree to these terms, please click DO NOT ACCEPT and obtain a refund of the purchase price as follows:

Getting Ahead of Malware

How To Protect A Web Application From Attack From A Trusted Environment

CITRIX SYSTEMS, INC. SOFTWARE LICENSE AGREEMENT

Enterprise PrivaProtector 9.0

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Securing OS Legacy Systems Alexander Rau

Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec

InnoCaption TM Service Terms of Use

Anti-exploit tools: The next wave of enterprise security

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Student Tech Security Training. ITS Security Office

CONTENTS. Security Policy

BROCADE COMMUNICATIONS SYSTEMS, INC. END USER SOFTWARE LICENSE AGREEMENT FOR BROCADE IP ANALYTICS PACK FOR VMWARE VREALIZE OPERATIONS

Data Sheet: Endpoint Security Symantec Endpoint Protection The next generation of antivirus technology from Symantec

Chapter 6: Fundamental Cloud Security

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Acceptable Use Policy

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Page 1 of 15. VISC Third Party Guideline

Information Security and Electronic Communications Acceptable Use Policy (AUP)

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

SYMANTEC SOFTWARE SERVICE LICENSE AGREEMENT Norton 360

Peer to Peer File Sharing and Copyright Infringement Policy

U. S. Attorney Office Northern District of Texas March 2013

Frontiers in Cyber Security: Beyond the OS

Comparison of Information Sharing, Monitoring and Countermeasures Provisions in the Cybersecurity Bills

Penetration Testing in Romania

Service Schedule for BT Business Lite Web Hosting and Business Lite powered by Microsoft Office 365

Course Descriptions November 2014

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Zurich Security And Privacy Protection Policy Application

Data Management Policies. Sage ERP Online

Security Services. 30 years of experience in IT business

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

MICROSOFT SOFTWARE LICENSE TERMS MICROSOFT SECURITY ESSENTIALS 1.0

Stephen Coty Director, Threat Research

Internet Safety and Security: Strategies for Building an Internet Safety Wall

Virtual Learning Tools in Cyber Security Education

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Information Security Engineering

Transcription:

ETRAC Presentation ECCN 4E001.c intrusion software technology Jim O Gorman, President October 15, 2015

Offensive Security - Projects Kali Linux (previously BackTrack Linux) Industry Standard Open source penetration testing platform Exploit DB Comprehensive archive of exploits, shellcode, and security papers comprising over 34,000 open source exploits CVE compliant Page: 2

Offensive Security - About Founded in 2007 Based on the belief that the only way to achieve sound defensive security is through an offensive approach Trainings and Certifications OSCP, OSCE, OSWP, OSWE, OSEE PWK, CTP, WiFu, AWE, AWAE Page: 3

Offensive Security - Services Provides highly advanced, team-based security assessments Clients include Fortune 100, Financial, Military, Law enforcement, and Healthcare Organizations Real world, maximum impact, extremely skilled and targeted hacker simulation Actively discovering and exploiting vulnerabilities in software such as Symantec, CA, HP, Microsoft Office, etc. Page: 4

Offensive Security - Overall Speaking strictly on behalf of Offensive Security Have engaged with various other organizations and individuals from the hacking community for input not enough input has been solicited from the hacking/information security community Page: 5

Proposed Technology Controls Proposed ECCN 4E001.c Technology required for the development of intrusion software Technology : Specific information necessary for the development, production, or use of a product. The information takes the form of technical data or technical assistance. 15 C.F.R. 772. Note 1: Technology is also specific information necessary for any of the following: operation, installation (including on-site installation), maintenance (checking), repair, overhaul, refurbishing, or other terms specified in ECCNs on the CCL that control technology. 15 C.F.R. 772. Technical data may take forms such as blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read only memories. 15 C.F.R. 772 (Technical Note). Technical assistance may take forms such as instructions, skills, training, working knowledge, consulting services. Technical assistance may involve transfer of technical data. 15 C.F.R. 772 (Technical Note). Page: 6

Intrusion Software Proposed ECCN 4D004 Software specially designed or modified for the generation, operation or delivery of, or communication with intrusion software. Intrusion software. (Cat 4) Software specially designed or modified to avoid detection by monitoring tools, or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the following: (a) The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or (b) The modification of the standard execution path of a program or process in order to allow the executions of externally provided instructions. Page: 7

What is the Policy rationale? Identity Theft Enforcement and The bad conduct is already unlawful: Restitution Act Computer Fraud and Abuse Act Electronic Communications Privacy Economic Espionage Act IP infringement Trespass, theft, etc Act Digital Millennium Copyright Act Cyber Security Enhancement Act Page: 8

ETRAC Question #1 Is it possible to interpret proposed ECCN 4E001.c and the definition of intrusion software in such a way that legitimate cybersecurity research would not be affected? : No The fundamental problem is that the definition of intrusion software begins too broadly, and then tries to except what is considered to be legitimate items The regulate broadly and then make exceptions framework is unworkable in a dynamic technology area Page: 9

ETRAC Question #1 Items explicitly not covered: Hypervisors (Note 1) Debuggers (Note 1) Software Reverse Engineering (SRE) tools (Note 1) Digital Rights Management (DRM) Software (Note 1) Software designed to be installed by manufacturers, administrators, or users, for the purpose of asset tracking or recovery (Note 1) Exploit samples (FAQ #1) Exploit proof of concepts (FAQ #1) Other forms of malware (FAQ#1) Information on how to search for, discover or identify a vulnerability in a system, including vulnerability scanning (FAQ #4) Information about a vulnerability, including the causes of a vulnerability (FAQ #4) Information on testing the vulnerability, including fuzzing or otherwise trying different inputs to determine what happens (FAQ #4) Information on analyzing the execution or functionality of programs and processes running on a computer, including decompiling or disassembling code and dumping memory (FAQ #4) Published information (License Exception TSU; FAQ #4) Software that permits automatic updates and antivirus tools (FAQ #8) Software that only leaves evidence of a successful security breach without further compromising or controll[ing] the system (FAQ #11) Software that is designed to destroy data or systems (FAQ #11) Port scanners, packet sniffers, and protocol analyzers (FAQ #12) Vulnerability scanner which just finds vulnerabilities in a system without actually exploiting them and extracting data (FAQ #12) Zero day exploits (FAQ #15) Open source security tools (e.g., Metaspolit, Kali Linux) (FAQ #21) General purpose tools, such as IDEs (FAQ #29) Page: 10

ETRAC Question #1 Information for the development of intrusion software Items expressly covered: that may accompany the disclosure of an exploit (FAQ #24) Information required for developing, testing, refining, and Jailbreaking technology for software that meets the evaluating intrusion software, in order, for example, [] to create a controllable exploit that can reliably and predictably defeat protective countermeasures and extract information (FAQ #4) definition of 4D004 (FAQ #26) Everything else required for the development of intrusion software Information on how to prepare the exploit for delivery or Required is met so long as the information is directed to integrate it into a command and delivery platform (FAQ #4) the intrusion aspects of the software and not just generic information that is not responsible for the controlled item. 15 C.F.R. 772. The development or production of the command and delivery platform itself (FAQ #4) Technical data sent to an anti-virus company or software Development is met so long as the information is related manufacturer if the data will not be made publicly available (FAQ #10) to design, design research, design analyses, design concepts, etc. 15 C.F.R. 772. Page: 11

ETRAC Question #1 Legitimate example of what is prohibited: Proprietary training course materials provided outside of the U.S. or to non-u.s. persons (i.e., information on how to prepare an exploit for delivery or integrate it into a command and delivery platform) (FAQ #4) Page: 12

ETRAC Question #1 Presumption of denial for exports there is a policy of presumptive denial for items that have or support rootkit or zero-day exploit capabilities Many legitimate uses for rootkit and zero-day exploit capabilities Page: 13

ETRAC Question #1 Legitimate example of what is prohibited: Delivery of a security report to non-u.s. companies, U.S. subsidiaries located abroad, or non-u.s. persons at a U.S. company Page: 14

ETRAC Question #1 Legitimate example of what is prohibited: Provision of security consulting services outside of the U.S. and to nonu.s. companies (assuming that performance of the services requires the export of 4D004 software modified for the generation, operation or delivery of, or communication with intrusion software ) Page: 15

ETRAC Question #1 Legitimate example of what is prohibited: Security researcher s communications beyond an exploit with non-u.s. companies, U.S. subsidiaries located abroad, or non-u.s. persons at a U.S. company Page: 16

ETRAC Question #2 Is it possible to develop a license exception, including but not limited to deemed exports and intra-corporate transfers, that will allow legitimate cybersecurity research to proceed without licensing delays and compliance burden? If so, what are the provisions of such a license exception? Page: 17

ETRAC Question #2 Best Approach: Remove technology controls altogether The proposed rule does not control exploits because we recognize they are necessary for research and legitimate end use Why then would we control the information required to develop an exploit when we do not even control the exploit itself? This makes no sense. This would be like controlling the instructions on how to develop a missile, but not controlling the missile itself. Page: 18

ETRAC Question #2 Alternative Approaches (All would be needed, not just some): LICENSE EXCEPTION FOR EDUCATION AND TRAINING LICENSE EXCEPTION FOR INTRA-COMPANY TRANSFERS LICENSE EXCEPTION FOR EXPORTS TO U.S. SUBSIDIARIES LICENSE EXCEPTION FOR EXPORTS TO CERTAIN FRIENDLY COUNTRIES LICENSE EXCEPTION FOR TECHNOLOGY EXCHANGES RELATED TO SECURITY RESEARCH AND DEVELOPMENT Page: 19

ETRAC Question #2 Education and Training Exception exports or reexports of educational and training technology and related items provided as part of a course or offering made generally available to the public Page: 20

ETRAC Question #2 Intra-Company Transfers exports or reexports of technology and related items by a U.S. company and its subsidiaries to foreign nationals who are employees, contractors, or interns of a foreign company that is a parent, subsidiary, or affiliate of the U.S. company Page: 21

ETRAC Question #2 Exports to U.S. Subsidiaries exports or reexports of technology and related items to any U.S. subsidiary, wherever located, provided that such item is for internal company use of the item Page: 22

ETRAC Question #2 Exports to Certain Friendly Countries exports or reexports of technology and related items to private sector end-users that are located in a country listed in Supplement No. 3 for internal company use of the item Page:23

ETRAC Question #2 Technology Exchanges Related to Security Research and Development exports or reexports of technology and related items within and across computer security research and development teams for discovering, evaluating, and countering threats, vulnerabilities, and exploits to computer or networks, provided that such threats, vulnerabilities, or exploits are made known or will be made known to the software vendor or publisher covers Bug Bounty Programs covers capture the flag programs Page: 24

ETRAC Question #3 Is there a license requirement (combination of destination/end user/end use) and regulatory interpretation that would address the exchanges of technology that are of concern (i.e., those not intended to ultimately improve cybersecurity) that would result in no licensing burden on legitimate technology exchanges? Page: 25

ETRAC Question #3 KEY CONCEPTS: BROAD EDUCATIONAL AND TRAINING EXCEPTION BROAD EXCEPTION FOR R&D WHERE VULNERABILITY WILL BE MADE KNOWN TO THE VENDOR BROAD EXCEPTION FOR EXPORTS TO FRIENDLY COUNTRIES AND U.S. SUBSIDIARIES WHERE SUCH ITEMS ARE FOR INTERNAL COMPANY USE Page:26

ETRAC Question #4 If none of the measures above would be adequate, what changes to the control text, including the definition of intrusion software, would be required to ensure that legitimate cybersecurity research will not be affected? Page:27

ETRAC Question #4 Focus on intrusion is misguided; its what happens after the intrusion occurs that matters Surveillance software is often the payload of the malicious intrusion; these payloads can be delivered many other ways Page: 28

Questions? 2015 Assessment Overview

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information