Cyber Security: Software Risk Management for Utilities




Cyber Security: Software Risk Management for Utilities Gary McGraw, Ph.D. Chief Technology Officer, Cigital

Cigital
- Founded in 1992 to provide software security and software quality professional services
- Recognized experts in software security and software quality
- Widely published in books, white papers, and articles
- Industry thought leaders

The Problem

Internet adoption remains astounding
[Chart: adoption rate (0% to 100%) against years since introduction (1 to 116) for Electricity (1873), Telephone (1876), Automobile (1886), Airplane (1903), Television (1926), VCR (1952), Microwave (1953), PC (1975), Cell Phone (1983) and Internet (1991)]

"Malicious cyberactivity is occurring on an unprecedented scale with extraordinary sophistication." Dennis C. Blair, Director of National Intelligence, to the Senate Intelligence Committee, February 2nd
Tag, you're it
The Chinese attacks on Google are "a wake-up call to those who have not taken this problem seriously."
Our nation's critical infrastructure is in the crosshairs. You are part of it.

Smart grid = dumb cyber risk
In July 2009 at BlackHat (a hacker conference), consultant/hackerboy Mike Davis revealed:
- design flaws in specific meter models (bought on eBay)
- poor crypto and authentication
- a simulated smart meter worm
- the potential for a meter botnet
What could attackers do if they controlled thousands of your meters? If 50,000 meters went down, would a 30 MW stability problem exist?

Defending castles is passé
Today's computer and network security mechanisms are like the walls, moats, and drawbridges of medieval times. At one point they were effective for defending against isolated attacks mounted on horseback. Unfortunately, today's attackers have access to airplanes, GPS, and laser-guided bombs! Your IT guy is probably not a real security guy anyway.

Software runs the smart grid. Internet-connected software. Broken software.

A big problem: more code, more bugs
[Chart 1, Windows Complexity: millions of lines of code (0 to 45) for Win 3.1 (1990), Win NT (1995), Win 95 (1997), NT 4.0 (1998), Win 98 (1999), NT 5.0 (2000), Win 2K (2001) and XP (2002)]
[Chart 2, Software Vulnerabilities: reported vulnerabilities per year, 2000 through 2007, on a 0 to 10000 scale; bar values as extracted: 8064, 7236, 5690, 4129, 3784, 3780, 2437, 1090]

Solving the Problem

Security is all about the software
Old paradigm:
- Defending the perimeter
- Network security
- Reactive
- IT/MIS/CISSP
New paradigm:
- Building secure systems
- Software security
- Proactive
- Software people
The biggest risks lie in code hosted on the Net. Application code is often developed in-house. COTS security is a pervasive problem. Software is the weakest link in the chain.

Security must make business sense
[Chart: optimal level of security at minimum cost. Cost ($) against security level (0% to 100%); three curves: cost of security countermeasures (rising with security level), cost of security breaches (falling with security level) and total cost, whose minimum marks the optimal security level]
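The cost curve on this slide can be made concrete with a small model. The following is an added illustration, not material from the slides or from Cigital: the two cost shapes (a countermeasure cost that climbs without bound as the security level approaches 100%, and an expected breach cost that falls as the level rises) and the dollar figures are assumptions chosen to reproduce the picture. The code finds the level where their sum is smallest, once by grid search and once in closed form, and shows that the cheapest position is an interior point rather than 0% or 100%.

```python
"""Toy model of 'optimal level of security at minimum cost'.

Added example, not from the original slides. Cost shapes and figures are
assumptions: countermeasure cost ~ scale * s / (1 - s), breach cost ~ exposure * (1 - s).
"""

import math
from typing import Tuple


def countermeasure_cost(level: float, scale: float) -> float:
    """Assumed cost of controls at security level `level` in [0, 1).

    The s/(1-s) shape encodes the slide's point that perfection is unattainable:
    each extra percent costs more than the last, and 100% would cost infinitely much.
    """
    if not 0.0 <= level < 1.0:
        raise ValueError("level must be in [0, 1)")
    return scale * level / (1.0 - level)


def breach_cost(level: float, exposure: float) -> float:
    """Assumed expected breach loss: the exposed value times the fraction left unprotected."""
    return exposure * (1.0 - level)


def total_cost(level: float, scale: float, exposure: float) -> float:
    """Total cost curve from the slide: countermeasures plus breaches."""
    return countermeasure_cost(level, scale) + breach_cost(level, exposure)


def optimal_level(scale: float, exposure: float, steps: int = 1000) -> Tuple[float, float]:
    """Grid-search the security level that minimises total cost; returns (level, cost)."""
    best_level, best_cost = 0.0, math.inf
    for i in range(steps):  # levels 0, 1/steps, ..., (steps-1)/steps; 1.0 is never reached
        level = i / steps
        cost = total_cost(level, scale, exposure)
        if cost < best_cost:
            best_level, best_cost = level, cost
    return best_level, best_cost


def optimal_level_closed_form(scale: float, exposure: float) -> float:
    """Same optimum by calculus.

    d/ds [scale*s/(1-s) + exposure*(1-s)] = scale/(1-s)^2 - exposure = 0
    gives (1-s)^2 = scale/exposure, so s* = 1 - sqrt(scale/exposure).
    If controls cost more than the whole exposure, spending nothing is optimal.
    """
    return max(0.0, 1.0 - math.sqrt(scale / exposure))


if __name__ == "__main__":
    SCALE, EXPOSURE = 100_000.0, 1_000_000.0  # constructed dollar figures
    level, cost = optimal_level(SCALE, EXPOSURE)
    print(f"grid optimum: {level:.3f} at total cost ${cost:,.0f}")
    print(f"closed form:  {optimal_level_closed_form(SCALE, EXPOSURE):.3f}")
    for probe in (0.0, 0.5, level, 0.95, 0.99):
        print(f"  level {probe:.2f}: total ${total_cost(probe, SCALE, EXPOSURE):,.0f}")
```

With the constructed figures the minimum sits near 68% security; pushing to 99% costs roughly twenty times more in controls than it saves in breaches, which is the slide's argument for setting a target by cost rather than by aspiration. Real countermeasure and breach cost functions have to be estimated for the organisation; only the shape of the argument carries over.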

Why risk management?
- Business understands the idea of risk, even software risk
- Technical perfection is impossible: there is no such thing as 100% security; perfect quality is a myth
- Technical problems do not always spur action
- Answer the "Who cares?" question explicitly
- Help customers understand what they should do about software risk
- Build better software

Security methods
- Code review
- Architectural risk analysis
- Penetration testing
- Vendor assessment
- COTS analysis
- BSIMM scoring: http://bsi-mm.com

Where to Learn More

informit & Justice League
- www.informit.com: no-nonsense monthly security column by Gary McGraw
- www.cigital.com/justiceleague: in-depth thought leadership blog from the Cigital Principals (Scott Matsumoto, Gary McGraw, Sammy Migues, Craig Miller, John Steven)

IEEE Security & Privacy Magazine + 2 Podcasts
- Building Security In: Software Security Best Practices column edited by John Steven, www.computer.org/security/bsisub/
- www.cigital.com/silverbullet
- www.cigital.com/realitycheck

Software Security: the book
- How to DO software security: best practices, tools, knowledge
- Cornerstone of the Addison-Wesley Software Security Series
- www.swsec.com

Cigital's Software Security Group invents and delivers Software Quality Management
For more: see the Addison-Wesley Software Security series, or send e-mail to gem@cigital.com
"So now, when we face a choice between adding features and resolving security issues, we need to choose security." -Bill Gates