The Nature of Cyber Security. Eugene H. Spafford

Similar documents
Breakthrough Cyber Security Strategies. Introducing Honeywell Risk Manager

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

External Supplier Control Requirements

Cybersecurity Best Practices

Defending Against Data Beaches: Internal Controls for Cybersecurity

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Cybersecurity: Protecting Your Business. March 11, 2015

Impact of Data Breaches

Practical Steps To Securing Process Control Networks

Enterprise Cybersecurity: Building an Effective Defense

Cybersecurity Awareness. Part 1

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

How-To Guide: Cyber Security. Content Provided by

Computer Security (EDA263 / DIT 641)

Security A to Z the most important terms

How Your Current IT Security System Might Be Leaving You Exposed TAKEAWAYS CHALLENGES WHITE PAPER

Report on CAP Cybersecurity November 5, 2015

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

The McAfee SECURE TM Standard

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

A Case for Managed Security

The Four-Step Guide to Understanding Cyber Risk

Information Security and Risk Management

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

ABB Automation Days, Madrid, May 25 th and 26 th, Patrik Boo What do you need to know about cyber security?

Enterprise Cybersecurity: Building an Effective Defense

Promoting Network Security (A Service Provider Perspective)

Defensible Strategy To. Cyber Incident Response

Data Management & Protection: Common Definitions

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

BBM 461: SECURE PROGRAMMING INTRODUCTION. Ahmet Burak Can

Auditing After a Cyber Attack JAX IIA Chapter Meeting Cybersecurity and Law Enforcement

IBM Security Strategy

The Information Security Problem

Cyber-Security Risk in the Global Organization:

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

Incident Response. Proactive Incident Management. Sean Curran Director

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

Defending Against Cyber Attacks with SessionLevel Network Security

Issues in Information Systems Volume 15, Issue I, pp , 2014

2009 Antispyware Coalition Public Workshop

Cyber- Attacks: The New Frontier for Fraudsters. Daniel Wanjohi, Technology Security Specialist

資 通 安 全 產 品 研 發 與 驗 證 (I) ICT Security Overview. Prof.. Albert B. Jeng ( 鄭 博 仁 教 授 ) 景 文 科 技 大 學 資 訊 工 程 系

PRINCIPLES AND PRACTICE OF INFORMATION SECURITY

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Top tips for improved network security

Security Management. Keeping the IT Security Administrator Busy

Financial Implications of Cybercrime Meeting the Information Security Management Challenge in the Cyber-Age

NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense

Cyber Security, Fraud and Corporate Account Takeovers LBA Bank Counsel Conference December 2014

How to stay safe online

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

INFORMATION SECURITY FOR YOUR AGENCY

Penetration Testing Service. By Comsec Information Security Consulting

9. Information Assurance and Security, Protecting Information Resources. Janeela Maraj. Tutorial 9 21/11/2014 INFO 1500

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

THE THREE Es OF MODERN SECURITY FOR PHISHING

Reneaué Railton Sr. Informa2on Security Analyst, Duke Medicine Cyber Defense & Response

TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Don t Fall Victim to Cybercrime:

E-Business, E-Commerce

New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

Cybersecurity for the C-Level

INDUSTRY OVERVIEW: FINANCIAL

CSI/FBI 2000 COMPUTER CRIME AND SECURITY SURVEY

Cybersecurity and internal audit. August 15, 2014

Computer Security (EDA263 / DIT 641)

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

FORBIDDEN - Ethical Hacking Workshop Duration

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Module 5: Analytical Writing

Security Metrics What Can We Measure?

Application Intrusion Detection

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

7 VITAL FACTS ABOUT HEALTHCARE BREACHES.

Security Controls What Works. Southside Virginia Community College: Security Awareness

Transcription:

The Nature of Cyber Security Eugene H. Spafford

Presented as Keynote #2 at WORLDCOMP'11 The 2011 World Congress in Computer Science, Computer Engineering, and Applied Computing The Monte Carlo Resort and Casino, Las Vegas, NV, 18 July 2011 Thanks to Dr. Fariborz Farahmand for assistance with background research used in this presentation. Contact information for Professor Spafford may be found at http://spaf.cerias.purdue.edu

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment

The Environment And hundreds of other incidents this year alone. These are becoming so common that they aren t even reported as regular news.

The Magnitude Sources: ISS, NIST, FBI, McAfee Corp.

The Magnitude Over 8,000 publicly disclosed security-relevant flaws in software in 2010; similar pace in 2011 Sources: ISS, NIST, FBI, McAfee Corp.

The Magnitude Over 8,000 publicly disclosed security-relevant flaws in software in 2010; similar pace in 2011 Reported losses exceed $500 million per year in the U.S. alone Sources: ISS, NIST, FBI, McAfee Corp.

The Magnitude Over 8,000 publicly disclosed security-relevant flaws in software in 2010; similar pace in 2011 Reported losses exceed $500 million per year in the U.S. alone Unreported and cyber espionage losses are at least the same amount Sources: ISS, NIST, FBI, McAfee Corp.

The Magnitude Over 8,000 publicly disclosed security-relevant flaws in software in 2010; similar pace in 2011 Reported losses exceed $500 million per year in the U.S. alone Unreported and cyber espionage losses are at least the same amount Despite aggressive actions, SPAM still outweighs normal email by a ratio of 3 to 1 Sources: ISS, NIST, FBI, McAfee Corp.

Sources: McAfee Corp.

For 1st quarter 2011 malware Sources: McAfee Corp.

For 1st quarter 2011 malware Cellphone malware exceed 1000 different types Sources: McAfee Corp.

For 1st quarter 2011 malware Cellphone malware exceed 1000 different types 6 million new samples for regular computers Sources: McAfee Corp.

For 1st quarter 2011 malware Cellphone malware exceed 1000 different types 6 million new samples for regular computers Total known exceed 60 million Sources: McAfee Corp.

For 1st quarter 2011 malware Cellphone malware exceed 1000 different types 6 million new samples for regular computers Total known exceed 60 million Almost 1 million new password-theft Trojans Sources: McAfee Corp.

For 1st quarter 2011 malware Cellphone malware exceed 1000 different types 6 million new samples for regular computers Total known exceed 60 million Almost 1 million new password-theft Trojans Over 1.2 million unique fake antivirus programs Sources: McAfee Corp.

Sources: Privacy Rights Clearinghouse, McAfee Corp.

So far in 2011 Sources: Privacy Rights Clearinghouse, McAfee Corp.

So far in 2011 Over 300 data breach incidents disclosed with over 23 million records disclosed. Sources: Privacy Rights Clearinghouse, McAfee Corp.

So far in 2011 Over 300 data breach incidents disclosed with over 23 million records disclosed. New botnet infections fell to only 3 million per month. Sources: Privacy Rights Clearinghouse, McAfee Corp.

So far in 2011 Over 300 data breach incidents disclosed with over 23 million records disclosed. New botnet infections fell to only 3 million per month. 1.2% of searches & 49% of trending terms led to malicious WWW sites. Sources: Privacy Rights Clearinghouse, McAfee Corp.

So far in 2011 Over 300 data breach incidents disclosed with over 23 million records disclosed. New botnet infections fell to only 3 million per month. 1.2% of searches & 49% of trending terms led to malicious WWW sites. 2500 new phishing sites per day. Sources: Privacy Rights Clearinghouse, McAfee Corp.

Clearly, there is a problem Sources: U.S. Department of Commerce

Clearly, there is a problem But it isn t new! Some of us have been sounding the alarm for over 20 years. Spending on cyber security in the U.S. alone exceeds $8 billion a year but we are still falling behind. Sources: U.S. Department of Commerce

One contention Our approach has been based on ad hoc practice rather than formal science You are here Technology Engineering Science (Use) (Design) (Principles)

Hey, we do science!...don t we? Science is the formulation of hypotheses, experimentation, and analysis Experiments must be repeatable and subject to refutation

How often do you see accounts of experiments redone by others?

When did you last see negative results published? How often do you see accounts of experiments redone by others?

How many security papers have you seen with a formal null hypothesis, full listing of procedures and equipment, and statistical analysis of data?

Characteristics of a Science Common, precisely defined terms. Standard references that everyone in the field knows and cites. Standard, independent units of measure. Science uses prior results and builds on known foundations. Predictive rather than reactive.

Common, precisely defined terms? Virus Spam Hack Phishing Privacy Cyberwar

Standard references that everyone in the field knows and cites?

Standard, independent units of measure?

Standard, independent units of measure? What is a unit of confidentiality?

Standard, independent units of measure? What is a unit of confidentiality? How much privacy gain from quitting Facebook?

Standard, independent units of measure? What is a unit of confidentiality? How much privacy gain from quitting Facebook? If I delete a file, its confidentiality goes to 100% but availability goes to 0% not independent.

Science uses prior results and builds on known foundations? 8000+ new vulnerabilities per year? Buffer overflows still? (identified in 1960s) Weak passwords still? (identified in 1950s) 2011 cellphones with viruses? (identified in 1980s)

Predictive rather than reactive? Culture of penetrate and patch is pervasive Common tools such as intrusion detection and data exfiltration are all reactive We don t learn from the past, so never mind the future.

One View Focus on terms, but not principles or metrics. Bias towards model checking. (Typical) suggestion of large centers. Still focused on technology.

But what is Cyber Security? What are the real challenges? How do we define the field?

Basic observation (Spaf s 1st Axiom of Cyber Security):

Basic observation (Spaf s 1st Axiom of Cyber Security): Without computers, we would have no cyber abuse. And without people, we would have no cyber abuse. Thus, focusing on the technology is only part of the solution. We need to change the way we look at the field.

Cyber Security May Include Psychology Human factors Economics Education Risk management Criminology Computer architecture Physical plant protection Disaster recovery/continuity and more Organizational management

Example Our systems were designed by experts but for experts. We don t consider how novices view what we have built. No wonder they misuse it.

Need clear warnings

Inexpensive can be expensive

And not everything is Security About those 8000+ flaws per year Those are only the security-related flaws. How about all the other flaws in the software? Software engineering is the field to address this issue.

So, what else? Most physical sciences have observable constants and phenomena. What would be the equivalent of Planck s constant, or Avogadro's number? Most social sciences use stochastic methods on semi-static entities. Cyber changes too quickly. Much of what happens depends on human intent. Thus, it isn t obvious that there can be a true science of cyber security. But we can certainly do better.

Takeaway #1 There is a limit to how much we can improve our defenses simply by developing technology. The technology will be used by humans: humans who are uninformed, in a hurry, tired, clumsy, and make mistakes. The technology will also be used by humans who intend to circumvent, misuse and abuse it.

Takeaway #2 We have a lot to do to formalize and mature the field of cyber security. We can start by requiring at least basic scientific rigor in research. We need to stop being sloppy with our terminology. We can start asking that results be replicated, and negative results be shared.

Takeaway #3 We should think carefully about what basic cyber security properties are, and how to measure them. The traditional Confidentiality, Integrity, Availability model doesn t fit the bill. We will need to consider human factors and economics issues as components.

Takeaway #4 Cyber Security is not independent of other aspects of computing. We need to improve our software engineering, our operating systems, our human factors, our network protocols, This has implications for education in the field, too.

Takeaway #5 Cyber Security is not independent of other aspects of society. Pure defense is never enough. We need to improve our methods of investigation and prosecution to stop offenders and discourage abuse. We need to understand that our computing is used in places and cultures different from our own, and by people different than us.

Takeaway #6 If we aren t willing to make a significant investment to start from new foundations, it is certain that things will get worse. We are using artifacts we don t completely understand, purchased because of cost concerns, often developed in haste, with characteristics we can t measure, and a long history of flaws. This will not end well.

Thank You!

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information