The Future of Cyber Security



Similar documents
The Challenge of Data and Application Security and Privacy (DASPY): Are We Up to It?

Cyber Security Research: A Personal Perspective

The Future of Access Control: Attributes, Automation and Adaptation

The Science, Engineering, and Business of Cyber Security

Cyber Security: Past, Present and Future

Security Models: Past, Present and Future

Cyber Security: What You Need to Know

The Science, Engineering, and Business of Cyber Security

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

How To Secure Cloud Computing

Research Topics in the National Cyber Security Research Agenda

MASTER OF SCIENCE IN INFORMATION ASSURANCE PROGRAM DEPARTMENT OF COMPUTER SCIENCE HAMPTON UNIVERSITY

Foundations Applications Technologies

Introduction to Cyber Security / Information Security

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Cloud security architecture

McAfee Server Security

CYBER SECURITY Audit, Test & Compliance

Brainloop Cloud Security

Managing business risk

What Directors need to know about Cybersecurity?

The Importance of Cyber Threat Intelligence to a Strong Security Posture

Bellevue University Cybersecurity Programs & Courses

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

Measuring Software Security

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao

Data Protection: From PKI to Virtualization & Cloud

Securing the Intelligent Network

Cybersecurity and internal audit. August 15, 2014

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

Cyber Security VTT and the Finnish Approach

On-Premises DDoS Mitigation for the Enterprise

AppGuard. Defeats Malware

PCI Data Security Standards (DSS)

Information Security Threats and Strategies. Ted Ericson Product Marketing - ASI

Session 14: Functional Security in a Process Environment

How To Protect Your Cloud From Attack

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

next generation privilege identity management

Cloud Security: Getting It Right

Understanding SCADA System Security Vulnerabilities

The Information Security Problem

Beyond the Hype: Advanced Persistent Threats

BlackRidge Technology Transport Access Control: Overview

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Developing Secure Software in the Age of Advanced Persistent Threats

ISM/ISC Middleware Module

Virtual Privacy vs. Real Security

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

Technology Risk Management

Agile Information Security Management in Software R&D

Security Basics: A Whitepaper

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Cisco SAFE: A Security Reference Architecture

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Triangle InfoSeCon. Alternative Approaches for Secure Operations in Cyberspace

CompTIA Security+ (Exam SY0-410)

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

ADVANCED PERSISTENT THREATS & ZERO DAY ATTACKS

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

FORBIDDEN - Ethical Hacking Workshop Duration

Analyzing HTTP/HTTPS Traffic Logs

Security within a development lifecycle. Enhancing product security through development process improvement

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Enterprise Cybersecurity: Building an Effective Defense

Intel Enhanced Data Security Assessment Form

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

ESKISP Direct security testing

Information Security Services

MANAGEMENT SOLUTIONS SAFEGUARD BUSINESS CONTINUITY AND PRODUCTIVITY WITH MIMECAST

Cyber Security Risk Mitigation Checklist

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

50x Zettabytes*

Transcription:

Institute for Cyber Security The Future of Cyber Security Prof. Ravi Sandhu Executive Director and Endowed Chair ravi.sandhu@utsa.edu www.profsandhu.com www.ics.utsa.edu Ravi Sandhu 1

Cyber Security Status Cyber technologies and systems have evolved Cyber security goals have evolved Computer security Computer security + Communications security Separate and never shall meet TO Coupled and integrated Information assurance Mission assurance Cyber security research/practice have not kept up The gap is growing Ravi Sandhu 2

Cyber Security Status Mission assurance = Application assurance Latest technology: Cloud Computing Dominant issues: Cost and productivity Focus on core competence Availability Security Latest lesson (April-May 2011): Amazon outage 100s of companies with 24-72 hours downtime Netflix unaffected Ravi Sandhu 3

Cyber Security Doctrine Old think: protect the network, protect the information, protect the content Design to isolate and protect the network in face of system and security failures New think: protect the mission, protect the application, protect the service Design to operate through system and security failures Not possible without application context Most important recommendation Cyber security needs to be a proactive rather than reactive discipline Ravi Sandhu 4

Cyber security is all about trade-offs confidentiality integrity availablity usage privacy cost usability productivity Application context is necessary for tradeoffs Fundamental Premise Ravi Sandhu 5

Productivity-Security Cyber Security is all about tradeoffs Productivity Security Let s build it Cash out the benefits Next generation can secure it Let s not build it Let s bake in super-security to make it unusable/unaffordable Let s sell unproven solutions There is a middle ground We don t know how to predictably find it Ravi Sandhu 6

The ATM (Automatic Teller Machine) system is secure enough global in scope The ATM Paradox Not attainable via current cyber security science, engineering, doctrine not studied as a success story Similar paradoxes apply to on-line banking e-commerce payments Ravi Sandhu 7

Why is the ATM System Secure? Monetary loss is easier to quantify and compensate than information loss Security principles stop loss mechanisms audit trail (including physical video) retail loss tolerance with recourse wholesale loss avoidance Technical surprises no asymmetric cryptography no annonymity Application Centric Ravi Sandhu 8

PEI Models Security and system goals (objectives/policy) Necessarily informal P E I WHAT Policy models Specified using users, subjects, objects, admins, labels, roles, groups, etc. in an ideal setting. Security analysis (objectives, properties, etc.). M O D E L S HOW HOW Enforcement models Implementation models Approximated policy realized using system architecture with trusted servers, protocols, etc. Enforcement level security analysis (e.g. stale information due to network latency, protocol proofs, etc.). Technologies such as Cloud Computing, Trusted Computing, etc. Implementation level security analysis (e.g. vulnerability analysis, penetration testing, etc.) Concrete System Software and Hardware Ravi Sandhu 9

Secure Information Sharing (SIS) Goal: Share but protect Secure but insecure Containment challenge Client containment Ultimate assurance infeasible (e.g., the analog hole) Appropriate assurance achievable Server containment Will typically have higher assurance than client containment Policy challenge How to construct meaningful, usable, agile SIS policy How to develop an intertwined information and security model Ravi Sandhu 10

Group-Centric Secure Information Sharing Policy Models Operational aspects Group operation semantics o Add, Join, Leave, Remove, etc o Multicast group is one example Object model o Read-only o Read-Write (no versioning vs versioning) User-subject model o Read-only Vs read-write Policy specification Administrative aspects Authorization to create group, user join/leave, object add/remove, etc. join add Users Group Authz (u,o,r)? Objects leave remove Ravi Sandhu 11

Group-Centric Secure Information Sharing Enforcement Models 5.2 Set Leave-TS (u) = Current Time 6.2 Update: a. Remove_TS (o) = Current Time b. ORL = ORL U {id, Add_TS (o), Remove_TS (o)} CC Object Cloud Non-Group User 1.1 Request Join {AUTH = FALSE} 1.2 Authz Join {AUTH = TRUE} 5.1 Remove User (id) 6.1 Remove Object (o) GA TRM TRM TRM TRM Group Users 3. Read Objects User Attributes: {id, Join-TS, Leave-TS, ORL, gkey} Object Attributes: {id, Add-TS} ORL: Object Revocation List gkey: Group Key Ravi Sandhu 12

Trusted Computing Basic premise Software alone cannot provide an adequate foundation for trust Old style Trusted Computing (1970 1990 s) Multics system Capability-based computers Intel 432 vis a vis Intel 8086 Trust with security kernel based on military-style security labels Orange Book: eliminate trust from applications What s new (2000 s) Hardware and cryptography-based root of trust Trust within a platform Trust across platforms Rely on trust in applications Mitigate Trojan Horses and bugs by legal and reputational recourse Ravi Sandhu 13

Trusted Computing Basic principles Protect cryptographic keys At rest In motion In use Control which software can use the keys Marriage of cryptography and access control Ravi Sandhu 14

Cyber Security Research Foundations Security Models Formal methods Cryptography Application-Centric Secure information sharing Social computing Health care Data provenance Critical infrastructure Technology-Centric Cloud computing Smart grid Trusted computing Mission-aware diversity Attack-Centric Botnet and malware analysis Complex systems modeling Zero-day defense Moving target defense Ravi Sandhu 15

Microsec vs Macrosec Most cyber security thinking is microsec Most big cyber security threats are macrosec Microsec Retail attacks vs Targeted attacks 99% of the attacks are thwarted by basic hygiene and some luck 1% of the attacks are difficult and expensive, even impossible, to defend or detect Rational microsec behavior can result in highly vulnerable macrosec Ravi Sandhu 16

Cyber Security as a Discipline Computer Science Cyber Security Ravi Sandhu 17

Cyber Security as a Discipline Computer Science Cyber Security Ravi Sandhu 18

The Cyber Security System Challenge Wisdom from the past: Generally, security is a system problem. That is, it is rare to find that a single security mechanism or procedure is used in isolation. Instead, several different elements working together usually compose a security system to protect something. R. Gaines and N. Shapiro 1978. The challenge is how to develop a systems perspective on cyber security Ravi Sandhu 19

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information