Cyber Security and Science

Similar documents
The Science of Cyber Security. Peter Weinberger (Google Inc) (based on a study for DDR&E s Steven King, with no any conneceon to Google at all)

Network Security in Building Networks

Basic Computer Security Part 2

National Cyber Security Month 2015: Daily Security Awareness Tips

Must score 89% or above. If you score below 89%, we will be contacting you to go over the material individually.

Malware & Botnets. Botnets

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Internet threats: steps to security for your small business

Cybersecurity Best Practices

LBSEC.

4 Steps to Effective Mobile Application Security

Senaca Shield Presents 10 Top Tip For Small Business Cyber Security

Unity web- player issues in browsers & in client system

TUSKEGEE CYBER SECURITY PATH FORWARD

Cyber Security Threats

Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security

Promoting Network Security (A Service Provider Perspective)

Building The Human Firewall. Andy Sawyer, CISM, C CISO Director of Security Locke Lord

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Scott Lucas: I m Scott Lucas. I m the Director of Product Marketing for the Branch Solutions Business Unit.

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Introduction to Cyber Security / Information Security

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted.

Data Loss Prevention in the Enterprise

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

Secure and Safe Computing Primer Examples of Desktop and Laptop standards and guidelines

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

DETECT. LEARN. ADAPT. DEFEND. WIN EVERY ATTACK.

Deter, Detect, Defend

Defending Against Data Beaches: Internal Controls for Cybersecurity

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

4/20/2015. Fraud Watch Campaign. AARP is Fighting for You. AARP is Fighting for You. Campaign Tactics. AARP can help you Spot & Report Fraud

Cyber Security. John Leek Chief Strategist

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

Trust the Innovator to Simplify Cloud Security

Perspectives on Cybersecurity in Healthcare June 2015

Content Teaching Academy at James Madison University

Protecting Your Organisation from Targeted Cyber Intrusion

Guideline on Safe BYOD Management

Small Business Cybersecurity Dos and Don ts. Helping Businesses Grow and Succeed For Over 30 Years. September 25, 2015 Dover Downs

High Speed Internet - User Guide. Welcome to. your world.

Top 10 Tips to Keep Your Small Business Safe

Cyber Exploits: Improving Defenses Against Penetration Attempts

A Small Business Approach to Big Business Cyber Security. Brent Bettis, CISSP 23 September, 2014

Hands on, field experiences with BYOD. BYOD Seminar

Mangesh Sawant. Information Security Risks for Business Professionals Traveling to China

Certified Secure Computer User

Certified Secure Computer User

EECS 588: Computer and Network Security. Introduction January 14, 2014

My CEO wants an ipad now what? Mobile Security for the Enterprise

Protecting Yourself from Identity Theft

Cybersecurity: Protecting Your Business. March 11, 2015

Small businesses: What you need to know about cyber security

EECS 588: Computer and Network Security. Introduction

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

Cyber Security. Securing Your Mobile and Online Banking Transactions

Common Cyber Threats. Common cyber threats include:

Computer Crime & Security Survey

The Evolution of Data Breaches

Who s Doing the Hacking?

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Fighting Advanced Threats

Activities for Protecting Your Identity and Computer for Middle and High School Students

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

How are we keeping Hackers away from our UCD networks and computer systems?

EC-Council. Certified Ethical Hacker. Program Brochure

Surviving and operating services despite highly skilled and well-funded organised crime groups. Romain Wartel, CERN CHEP 2015, Okinawa

Policing Together. A quick guide for businesses to Information Security and Cyber Crime

1. Ask what your financial institution knows or has personally experienced with regard to internal and external data breaches.

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

Presented by Evan Sylvester, CISSP

Cybersecurity Health Check At A Glance

ONLINE ACCESS ONLINE ACCESS FAQS FAQS

WHITE PAPER Security in M2M Communication What is secure enough?

Stable and Secure Network Infrastructure Benchmarks

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Cybersecurity Governance Update on New FFIEC Requirements

VeilMail Penetration Test Executive Summary PRESENTED TO: GREG ROAKE, CEO.TURNER TECHNOLOGIES LTD - VEILMAIL STEVE BYRNE, DIRECTOR.

Chris Boykin VP of Professional Services

Cyber Security Metrics Dashboards & Analytics

What Do You Mean My Cloud Data Isn t Secure?

Do You Know What You Don t Know?

Internet Security. For Home Users

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Detailed Description about course module wise:

10 Smart Ideas for. Keeping Data Safe. From Hackers

FERPA: Data & Transport Security Best Practices

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

SECURE YOUR BUSINESS WHEREVER IT TAKES YOU. Protection Service for Business

Global IT Security Risks: 2012

EC Council Certified Ethical Hacker V8

Defending against Cyber Attacks

THE 80/20 RULE FOR SECURITY

Google Identity Services for work

A practical guide to IT security

The Importance of Patching Non-Microsoft Applications

Secure Your Mobile Workplace

Transcription:

Cyber Security and Science Peter Weinberger pjw@googlecom Feb 9, 2011

These opinions are only mine, no one else s and even then, only today They may change at any time

Protecting intellectual property requires securing access How were HTTPS passwords being stolen in Tunisia? Why? Changed threat: it s not simple passwords but reused ones Passwords are not enough Need: 2nd factor Time-limited credential generated Generated credential bound to one machine Internal firewalls and checks and a sound methodology for vetting the security of all this

The technical picture Better Engineering Dynamic Defense Science and Advanced Technology Green (left) raises the general level of security Red (right) deals with the real world Robust Standards Monitoring, Machine Learning

The technical picture Better Engineering Dynamic Defense Science and Advanced Technology And then you need to understand the adversary s business model (goals) Robust Standards Monitoring, Machine Learning

Cyber security is a peculiar problem Generally security only gets worse over time ATM Skimmers House keys and lock bumping (look it up) Some of the cyber issues are unique We don t know what secure means (bad) The whole field is a human construct (good) The adversaries are adaptive and intelligent (bad) Perhaps they can be deterred Compared to other sorts of infrastructure, change is rapid

Cyber security is a peculiar problem A useful metaphor is human health Sanitation, building codes, food regulations Vaccination, public health, mosquito abatement Doctors, drugs, hospitals, nurses Darwinian adversaries, large research budgets Limited goals Personnel issues in education and training and seat belts, smoking regulation, and many more

The Chinese View ( 王 晨 : 关 于 我 国 互 联 网 发 展 和 管 April 29, 2010) On the development and management of the internet in our country http://wwwcecn/xwzx/gnsz/gdxw/201006/08/t20100608_21493632shtm (or hricorg) Internet security problems are becoming more conspicuous with each passing day Online information such as pornography and obscenities are seriously harming the physical and mental health of minors Criminal activities such as online fraud and theft are seriously harming public security Computer viruses and hacker attacks are posing serious threats to the security of the operation of the Internet Leaking of secrets via the Internet is posing serious threats to national security and interests

William Lynn s view On the other hand, I don t know how any of these things work, and I pretty much left off the technical side when I couldn t learn to program my VCR So the technical side of this is not going to be my strength But I want to talk a bit about the attributes of the threats IThis think thatattack we face, the vectors would that thosenot threats could come down, have and then succeeded about the strategy that ifwe re those developing at the Pentagon systems to deal with had at least been the military patched side of that threat And in the article and I ll start here, too I started with an incident which was a seminal moment for cybersecurity in the Pentagon It was an intrusion in 2008 into our networks, and that intrusion extended to our classified networks And we did not think our classified networks could be penetrated to that point So it was it was a fairly shocking development It happened with a thumb drive transferring data from the unclassified networks to the classified networks, happened in the Middle East

Who can bring better security? IE Mozilla Safari Chrome email office adobe IOS JUNOS etc mobile apps and broswers apps computer os computers network mobile network os mobile os Hardware, Huawei are done overseas Otherwise most of these companies are US windows osx unixoids ios android symbian

Who will bring better security? The general level of security is going to be improved (or not) depending on what these players do The security specialists will provide services that deal with day-to-day exigencies And big ISPs offer security services and what is the role of government? (precedents are uninspiring: effective regulation of new technology takes a generation or so) Anti-virus vendors make a useful thought experiment

For instance, browsers could help They could make sure you understand how you are connected: They could make sure you understand who you are connected to: And they could warn you about sites that contain malware Webmail already handles spam pretty well And law enforcement has helped (temporarily each time) with big actors Webmail could warn you about spear phishing (SPF, DKIM) secbrowsingappspotcom tells you about doubtful plugins

New technologies bring new opportunities for users and adversaries (and defenders) Cloud (whatever definition) churn and observation Browsers Malleable virtual operating system (standards based, limited backwards compatibility problems) Apply knowledge and techniques too radical for lower layers Whole new areas Cell phones (eg, malware pre-installed) Wireless everywhere Power meters and smart grid Multi-core CPU architectures

A sketch of some science Improve things all around Clear concepts (cryptography) Formal methods (Bug or necessary feature?) (M won t do P) Model checking and bug finding (DNSSEC and HTML5) Game theory (80111 ad hoc networks) Randomization (ASLR) React to events Machine learning (epidemiology example) Dynamic defense (speculative)

Cryptography Crucial to secure networking Public key encryption game Challenger created key, sends public key to Adversary Adversary send two distinct messages X, Y to Challenger Challenger picks one at random, say Z, Challenger encrypts Z and sends it to Adversary Can Adversary tell if Z came from X with probability > 1/2? Provide precisely quantifiable notions of security depending on the public key algorithm and the computational capabilities of the Adversary Proxy re-encryption Homomorphic encryption

Experiments? The goal of experiments ought to be generalizable knowledge There are non-experimental sciences (astronomy, epidemiology) There are non-quantitative sciences too (medicine) Sure it s complicated, but so is the world of biology Security metrics will be an adapting field (or useless) What can be learned from a series of test ranges? (possibly of increasing size)

Further opportunities for research Systems that present a lot of uncertainty to attackers Can the defense adapt faster than the attackers? Eg, randomization, virtualized rapid restart, heterogeneity Building secure systems out of insecure components Eg, multiple paths, auditing, checkpoints, virtualization Knowing the security state of a system by observation External observations, internal observations Are you doing what you claim to be? Multiple observations separated in time or space

And the cyber answer is? It s a manageable problem because we can see almost everything, if we look (it s a lot simpler than health) The big players will make the most difference (d oh) Substantial resources required (don t ask, I don t know) Intrinsically a technical field: adversaries do R&D, so must the forces of civilization Improve the security baseline and deal with day-to-day All the technology in the world won t make up for bad human factors

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information