Thank You To Our Sponsors
Cybersecurity Panel: Managing Risk in the Aerospace and Defense Industry

Panelists:
- Peter S. Chiou, Principal Strategist and Business Development Manager for Azure DoD, Microsoft
- Isaac Potoczny-Jones, Research Lead, Computer Security, Galois
- Special Agent Joshua Michaels, FBI, Cyber Task Force

Aerospace & Defense Symposium
Josh Michaels, Special Agent Bomb Technician, Cyber Task Force, FBI Seattle Division
6/2/2015 UNCLASSIFIED
Cyber as an FBI Priority
To protect the United States against:
- Terrorist attack
- Foreign intelligence operations and espionage
- Cyber-based attacks and high technology crimes
Unique role as the only US agency with the authority to investigate both criminal and national security cyber security threats.
FBI Geography
Focus of Cyber Program
- Criminal and National Security Computer/Network Intrusions
  - Botnets, Malware, Spear-phishing, Viruses, Trojans, Spyware, Ransomware, Worms
- Differentiate intrusion from cyber enabled crimes
  - Innocent Images National Initiative
  - Intellectual Property Rights
  - Internet Fraud
  - Identity Theft

The Cyber Threat Landscape
Cyber threats, spanning criminal and national security matters:
- Hacktivist: Computer network exploitation or attack to advance a political or social cause
- Criminal: Financially motivated criminal enterprises conducting computer intrusions
- Espionage: Nation-state actors conducting computer intrusions to illegally obtain information
- Terrorist: Use of computer network attack by terrorist groups to harm the U.S. critical infrastructure
- Warfare: Nation-state actors using computer network operations to commit sabotage or disrupt critical systems
Intended Targets
- Government
- Cleared Defense Contractors
- Universities
- High Tech/Research
- Financial Sector
- Natural resources
- Retail
- Litigation/Negotiation

Investigative Challenges
- Investigation vs. Mitigation
- Victim Incident Response Capabilities
- Volatility of Digital Evidence
- Volume of Digital Evidence
- Velocity of Legal Process
- Reliable cyber attack attribution
- Actors are usually overseas

Layers between attacker and victim that complicate attribution:
attacker -> Web Proxies, Onion Routers, Botnets, Compromised hosts, VPS services, Foreign ISPs, Encryption -> victim
Biggest Security Risk? Personnel
- Opening an unexpected e-mail attachment or link from a colleague
- Using personal Web email for work
- Posting job details on social networking sites
- New personal gadgets on the corp network

Personal computer use habits:
- Don't use an Administrative User Account when Internet surfing or checking emails
- Always virus scan email attachments
- Don't update software at untrusted wi-fi networks
Social Media site habits:
- Be selective with what you share with whom
- Frequently review privacy settings
International Travel habits:
- Don't take your phone or laptop

Private Sector Partnerships & Resources
- InfraGard (www.infragard.org)
- Domestic Security Alliance Council (www.dsac.gov)
- National Cyber-Forensics Training Alliance (www.ncfta.net)
- Cyber Initiative and Resource Fusion Unit
- Information Sharing Analysis Centers (www.isaccouncil.org)
- Internet Crime Complaint Center (www.ic3.gov)

Questions?
Josh Michaels, Special Agent Bomb Technician, Seattle FBI Cyber Task Force
(206) 622-0460
joshua.michaels@ic.fbi.gov
Galois [gal-wah], named after French mathematician Évariste Galois
Computer Science R&D and Cybersecurity Consulting
- Leaders in high assurance research and development
- Creating trustworthiness in critical systems
- Solving your hardest computer science problems
www.galois.com

Galois, Inc. Overview
Outline
- Problems: Why the government is so involved in cybersecurity
- Challenges: Interests and needs sometimes conflict
- Policy: The government is making policy on cybersecurity every day. And it's impacting you!
Page 20 2015 Galois, Inc
Critical Infrastructure is Vulnerable
- Chris Roberts has been working on airplane hacking for years.
- The FBI says he sent commands to a plane in flight via the entertainment system. Supposedly his commands caused the plane to fly sideways.
- The security community doesn't believe him. Boeing says it's not possible. But no one is sure!

No Serious Critical Infrastructure Attacks Yet
What's the formula for a serious attack?
  Motivation + Skill > Barrier to entry + Risk
- There's no money in it
- State-level / organized crime
- Systems are unusual
- Kinetic response

North Korea took out Sony Pictures
We know because we saw them do it.
  Motivation + Skill > Barrier to entry + Risk
- Politically motivated
- State-level attack
- Plain old Windows
- Economic sanctions

If it hasn't happened, why are we worried?
- Incidents can be dangerous
  - Russia is accused of blowing up an oil pipeline in 2008
- Cybersecurity hurts the economy
  - The recent cyber attack cost Target $148 Million
  - IP is stolen by industrial espionage: Unit 61398 of the Chinese People's Liberation Army (PLA)
- Incidents can have political / national security consequences
  - White House and State Department email hack
- Incidents can be embarrassing
  - Iran shut down a US casino because of its owner's political views
Stakeholders and their interests

Users:
- Free sites, apps, content
- Personal info kept confidential
- Limited financial risk
- Protected from cyber attack, terrorists and illegal surveillance
- Access to legal security technology
- Industry held accountable

Industry:
- Personal info: Marketing
- Mediocre security: Costs
- Limit liability: Risk
- Hide attacks: Brand
- Growth
- Protect users with crypto
- Resist regulation: Costs
- Maintain access to PII
- Protect users from attackers

Government:
- Protect national security
- Legal framework for intercept
- Reelection
- Protect industry with law (e.g. CFAA, CISA)
- Protect users with regulation (e.g. HIPAA)
- Encryption challenges
- Backdoors for lawful intercept
- Protect national security interests

Attackers:
- User PII
- Botnets
- Intellectual property
- Identity theft
- Financial theft
- Other nations' interests
- Espionage
- Cyber war

Tensions between these interests:
- Privacy vs. Profit
- Regulation vs. Growth
- Security vs. Surveillance
Federal Cybersecurity Priorities
Administration Priorities:
- Protecting critical infrastructure and federal networks
- Solving strategic long-term problems around workforce
DoD Strategy:
- Build and maintain forces for cybersecurity operations
- Defend the homeland from cyber attack and deter threats

Cybersecurity Bills
- COICA (2010) - Combating Online Infringement and Counterfeits Act
- PIPA (2011-2012) - PROTECT IP Act
- SECURE-IT (2012) - Strengthening and Enhancing Cybersecurity
- SOPA (2011-2012) - Stop Online Piracy Act (big protests)
- CISPA (2011-2015) - Cyber Intelligence Sharing and Protection Act
- CISA (2014) - Cybersecurity Information Sharing Act

Cybersecurity Bills: Types of legislation
- Requirements to secure critical infrastructure
- Optional cyber threat information sharing
  - Government -> Companies
  - Companies -> Government
- Immunity for companies sharing information
- Limiting surveillance / hacking tools (CFAA, Wassenaar)
- Surveillance laws (PATRIOT Act)
- Requirements to inform customers of attacks
- Mandatory backdoors in consumer products
- Increased penalties for hacking
- Increased anti-piracy / intellectual property laws

Cybersecurity Bills: Crystal Ball
- Increased requirements to secure critical infrastructure
  - Why? An administration priority; it's already required for contractors
- Optional cyber threat information sharing with limited immunity
  - Why? Congress has been trying to pass this for years
- Limiting export and sale of 0-Days and Intrusion Software
  - Why? Draft rules already passed
- PATRIOT Act bulk data collection will expire May 31
  - Why? They've started to shut it down
Contractor Security Requirements
Based on NIST 800-53: Safeguarding Of Unclassified Controlled Technical Information
- It's a relatively new contracting rule that will be in most contracts
- Report cybersecurity incidents within 72 hours
- Assist the DoD in damage control
- New cybersecurity requirements
- Applies to anyone with technical information with this label: "Distribution authorized to U.S. Government Agencies and their contractors... Other requests for this document shall be referred to"

Contractor Security Requirements: required NIST 800-53 controls
- AC-2 Account Management
- AC-3 (4) Discretionary Access Control
- AC-4 Information Flow Enforcement
- AC-6 Least Privilege
- AC-7 Unsuccessful Logon Attempts
- AC-11 (1) Pattern-Hiding Displays
- AC-17 (2) Protection of Confidentiality / Integrity Using Encryption
- AC-18 (1) Authentication and Encryption
- AC-19 Access Control for Mobile Devices
- AC-20 (1) Limits on Authorized Use
- AC-20 (2) Portable Storage Devices
- AC-22 Publicly Accessible Content
- AT-2 Security Awareness Training
- AU-2 Audit Events
- AU-3 Content of Audit Records
- AU-6 (1) Process Integration
- AU-7 Audit Reduction and Report Generation
- AU-8 Time Stamps
- AU-9 Protection of Audit Information
- CM-2 Baseline Configuration
- CM-6 Configuration Settings
- CM-7 Least Functionality
- CM-8 Information System Component Inventory
- CP-9 Information System Backup
- IA-2 Identification and Authentication (Organizational Users)
- IA-4 Identifier Management
- IA-5 (1) Password-Based Authentication
- IR-2 Incident Response Training
- IR-4 Incident Handling
- IR-5 Incident Monitoring
- IR-6 Incident Reporting
- MA-4 (6) Cryptographic Protection
- MA-5 Maintenance Personnel
- MA-6 Timely Maintenance
- MP-4 Media Storage
- MP-6 Media Sanitization
- PE-2 Physical Access Authorizations
- PE-3 Physical Access Control
- PE-5 Access Control for Output Devices
- PM-10 Security Authorization Process
- RA-5 Vulnerability Scanning
- SC-2 Application Partitioning
- SC-4 Information in Shared Resources
- SC-7 Boundary Protection
- SC-8 (1) Cryptographic or Alternate Physical Protection
- SC-13 Cryptographic Protection
- SC-15 Collaborative Computing Devices
- SC-28 Protection of Information at Rest
- SI-2 Flaw Remediation
- SI-3 Malicious Code Protection
- SI-4 Information System Monitoring
Example: AC-6: Principle of Least Privilege
"Only authorized accesses for users which are necessary to accomplish assigned tasks."
I call it the Need to Know rule.

NIST Risk Management in Practice
It's required across the federal government:
- Categorize: Determine the level of impact (Low, Medium, High)
- Select security controls: From NIST 800-53; the new rules basically create a minimum standard
- Implement security controls: According to the plan
- Assess security controls: Are they sufficient?
- Authorize information system: Take accountability
- Monitor security controls: Adjust accordingly

What You Can Do
- Prepare for coming legislation with a good security plan
  - Incident response plans, disclosure policies, threat sharing plans
- Implement Controlled Unclassified Technical Information rules
  - These are now required for contractors
- Go beyond these to use the NIST Security Frameworks:
  - Framework for Improving Critical Infrastructure Cybersecurity
  - Risk Management Framework 800-53
- Use these to develop your plans so you're in alignment

Opportunities
- Obama's 2016 budget has $16 Billion for defensive cybersecurity
  - 10% increase over 2015
  - $5.5 Billion of that is DoD
- Align with Federal priorities
  - Protect your parts of Federal networks and data
- Align with DoD priorities
  - Help the DoD maintain dominance in the cyber domain
- Build cybersecurity into your products as a differentiator
  - Not an afterthought

Thank you!
Isaac Potoczny-Jones
ijones@galois.com
http://galois.com