
Outrunning the Bear: A Cautionary Tale


Presentation Transcript


  1. Outrunning the Bear: A Cautionary Tale Dan Shoemaker, Director Centre for Assurance School of National Security Studies

  2. Outrunning the Bear • The situation in cyber-space is a lot like what you’d face if you were out hiking • And ran into a Grizzly bear.

  3. Outrunning the Bear • It’s a fact that grizzlies run a lot faster than humans. • So you won’t be able to outrun it.

  4. Outrunning the Bear • But you will always be safe as long as you can outrun somebody else!

  5. Outrunning the Bear • Thus, it is not so much a matter of being secure against every threat • As it is being secure enough to encourage cyber-predators to go after easier targets

  6. Why is this important? • Staying one step ahead of the rest of the herd is important because… no matter what you might think, you are at the mercy of any cyber-predator out there

  7. For the Ones Who Think They’re Safe • And if you think that you are protected by whatever countermeasures you’ve deployed • You are dangerously wrong.

  8. For the Ones Who Think They’re Safe • Serious attackers are not interested in the areas you have already secured. • They are looking for the places that are still vulnerable.

  9. There’s No Sheriff in Town The Current Facts of Life in Dodge City

  10. Consider This • A terrorist group announces that they will shut down the Pacific Northwest electrical power grid for six hours starting at 4:00 PM • They do so.

  11. Consider This • The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day • They do so, despite our best efforts to defend against them

  12. Consider This • Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic • And they do so.

  13. Consider This • Finally, they threaten to cripple e-commerce and credit card service for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. • Their list of demands is posted in the New York Times, threatening further actions if those demands are not met

  14. Consider This • What makes this alarming is the fact that all of these events have already occurred Just not concurrently - or all by malicious intent.

  15. The Fact is • In fact, any of these attacks could be carried out by any adversary • All that is required is a competent attacker and the Internet

  16. For Instance • The estimated “survival time” of an unprotected system placed directly on the Internet, before it is probed and compromised, is about 20 minutes • It is estimated that up to one quarter of all PCs might be part of a botnet (Storm alone may have 1.5 million) • For an expert, penetrating a SCADA system takes less than a day

  17. For Instance • Even the smallest nation-states and terrorist organizations can easily attack any system • Let alone better-organized groups such as Al Qaeda.  • Which raises the prospect of asymmetric cyber warfare on our own desktops, not places like Fallujah

  18. For Instance • Many nations, most prominently China and Iran, have been working diligently to develop their offensive capabilities in cyber-space. • The Chinese military holds formal hacking competitions to identify and recruit talented members for its cyber army.

  19. For Instance • For example, the Pentagon logged more than 79,000 attempted intrusions in 2005. • About 1,300 were successful, including the penetration of computers linked to the Army’s 101st and 82nd Airborne Divisions and the 4th Infantry Division.

  20. For Instance • These attacks are not directed only at the U.S. • The UK Ministry of Defence (MoD) reports that the Chinese military regularly penetrated computers in at least 10 Whitehall departments, including those holding military files • They also infiltrated German government defense systems this year.

  21. For Instance • In April and May 2007 a massive cyber attack on Estonia by Russian hackers demonstrated how potentially catastrophic a preemptive strike could be. • The attacks brought down government websites, a major bank and telephone networks.

  22. For Instance • The Pentagon said that the Estonia attacks “may well turn out to be a watershed in terms of widespread awareness of the vulnerability of modern society”. • Congressional testimony has affirmed that a mass cyber attack could leave 70 per cent of the US without electrical power for six months

  23. For Instance • Since that time, the Russian invasion of Georgia was preceded by a cyber-attack that essentially returned the military capability of the Georgians to the 18th century. • And the U.S. military is much more dependent on its automated warfighting tools and communication capability than the Georgians were. • It is estimated that as much as 90 percent of our military capability could be eliminated by a single EMP attack.

  24. Our Problems are Not Just Geopolitical It’s not Like Organized Crime has Missed this

  25. Crime • In the 1990s a typical cyber-crime was something like a criminal trespass, or a web-site defacement. • The cyber-criminals themselves were inclined to be counterculture types who worked alone and on the fringes.

  26. Crime • Now, instead of being inspired by a need to prove their art, cyber-criminals are motivated by financial gain. • As such, the stereotype of the kid living on Skittles in his mom’s basement while doing seventy-two-hour hacks • Has been replaced by a much darker and more complex persona

  27. Crime • Today crime in cyberspace is all about monetary gain • Cybercrime Costs the US Economy at Least $117 Billion Each Year • Which surpasses the costs associated with the War on Drugs and drug related crime

  28. The Consequences • The average company lost $350,424 in 2007 • That was up sharply from the $168,000 they reported the previous year

  29. The Consequences • In the annual survey conducted by the FBI, financial fraud overtook virus attacks as the source of the greatest financial loss • While insider threat surpassed virus incidents as the most prevalent overall security problem. • Which means that you are much more likely to be ripped off by your trusted insiders than by any evil-doers from outside your organization

  30. The Consequences • Since insiders hold the keys to your electronic security protection, there is no silver bullet • That is, the damage might be in the electronic domain, but the problems are behavioral and managerial • And a lot of IT managers see that as Human Resources’ problem, not theirs • For instance, the City of San Francisco was held hostage by one of its own disgruntled network administrators

  31. The Personal Impacts • In terms of individual loss: • The total one-year cost of identity fraud in the United States is around $56.6 billion. • There are around 10 million adult victims of identity fraud each year • The average fraud amount per case has increased from $5,249 to $6,383.

  32. Sin and the Road to Salvation “We have Met the Enemy And He is Us”

  33. We are ALL Sinners • The problem is that: • None of us have the slightest idea about all of the places that we are vulnerable • Nor do we know what actually threatens us • Nor do most of us think it is worth the time, money and inconvenience to find out

  34. We are ALL Sinners • Effective security solutions are directly traceable to the requirements of the business case • Which means that they should originate, and be championed, above the IT function

  35. We are ALL Sinners • Effective security solutions are long-term and organization-wide • Which means that they have to be part of the conventional strategic planning process

  36. The Five Commandments • Identify all of your information assets: • Most organizations don’t really have their arms around their assets • Which makes it hard to guarantee complete protection

  37. The Five Commandments • Know the value of your information assets: • Most organizations don’t really know the value of any individual item of information • Which makes it hard to prioritize resources – there are never enough to protect everything

  38. The Five Commandments • Know what threatens each asset: • Most organizations don’t really know what threatens their information • Which makes it hard to arrange practical counter-measures that are both feasible and cost effective for the priority items that are at greatest risk

  39. The Five Commandments • Assign Responsibility: • There is never anybody specifically accountable if a breach does occur • And if there ever is that responsibility is not adjusted when changes occur • Which makes it hard to enforce continuous security discipline

  40. The Five Commandments • Manage the Process: • Information assurance is rarely approached as an integrated, top-down management process • Instead it is done piecemeal, generally by function • So policy-making, technical, and operational activities are not coordinated
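The five commandments above describe a procedure: inventory assets, value them, identify what threatens each, assign an owner, and manage the result as one process so that scarce resources go to the priority items. The following is an added illustration, not part of Shoemaker's talk: a small risk register that carries that procedure through. It assumes the classic quantitative metric (annualized loss expectancy, ALE = asset value × exposure factor × annualized rate of occurrence) and ranks candidate counter-measures by return on security investment (ROSI); the talk itself prescribes no particular metric, and all asset names, dollar figures and rates below are constructed sample data.

```python
"""Added example (not from the talk): a minimal risk register that applies the
"five commandments" from the slides. Assumptions not in the source: the
ALE/ROSI metrics used for ranking, and all sample assets, threats and controls.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # commandment 2: estimated loss if the asset were completely lost (USD)
    owner: Optional[str]    # commandment 4: accountable person or team; None means nobody


@dataclass(frozen=True)
class Threat:
    asset: str              # commandment 3: which inventoried asset this threatens
    description: str
    exposure_factor: float  # fraction of the asset's value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Control:
    name: str
    asset: str
    threat: str             # Threat.description this control mitigates
    annual_cost: float      # USD per year to run the control
    aro_reduction: float    # fraction by which the control cuts the ARO, 0..1


def annualized_loss(asset: Asset, threat: Threat) -> float:
    """ALE = asset value x exposure factor x annualized rate of occurrence (assumed metric)."""
    return asset.value * threat.exposure_factor * threat.aro


def unowned_assets(assets: List[Asset]) -> List[str]:
    """Commandment 4: flag every asset for which nobody is accountable."""
    return sorted(a.name for a in assets if not a.owner)


def rank_risks(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, str, float]]:
    """Commandments 1-3: (asset, threat, ALE) rows, highest expected loss first.
    A threat that names an asset missing from the inventory is an inventory gap
    (commandment 1) and is reported as an error rather than silently ignored."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        if t.asset not in by_name:
            raise KeyError(f"threat {t.description!r} refers to uninventoried asset {t.asset!r}")
        rows.append((t.asset, t.description, annualized_loss(by_name[t.asset], t)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def rank_controls(assets: List[Asset], threats: List[Threat],
                  controls: List[Control]) -> List[Tuple[str, float]]:
    """Commandment 3 (cost-effectiveness): ROSI = (ALE_before - ALE_after - cost) / cost.
    A negative ROSI means the control costs more per year than the loss it prevents."""
    by_name = {a.name: a for a in assets}
    by_threat = {(t.asset, t.description): t for t in threats}
    scored = []
    for c in controls:
        t = by_threat[(c.asset, c.threat)]          # KeyError if control maps to no known threat
        before = annualized_loss(by_name[c.asset], t)
        after = before * (1.0 - c.aro_reduction)
        rosi = (before - after - c.annual_cost) / c.annual_cost
        scored.append((c.name, rosi))
    return sorted(scored, key=lambda r: r[1], reverse=True)


# Constructed sample register (hypothetical organisation; all numbers invented).
SAMPLE_ASSETS = [
    Asset("customer-db", 2_000_000, "dba-team"),
    Asset("public-website", 150_000, "web-team"),
    Asset("scada-hmi", 5_000_000, None),          # nobody accountable: commandment 4 violation
]
SAMPLE_THREATS = [
    Threat("customer-db", "insider data theft", exposure_factor=0.5, aro=0.2),
    Threat("public-website", "defacement", exposure_factor=0.1, aro=2.0),
    Threat("scada-hmi", "remote compromise", exposure_factor=0.8, aro=0.06),
]
SAMPLE_CONTROLS = [
    Control("DLP and access review", "customer-db", "insider data theft", 40_000, 0.6),
    Control("WAF", "public-website", "defacement", 25_000, 0.5),
    Control("network segmentation", "scada-hmi", "remote compromise", 60_000, 0.8),
]


def report(assets=SAMPLE_ASSETS, threats=SAMPLE_THREATS, controls=SAMPLE_CONTROLS) -> str:
    """Commandment 5: one coordinated view of priorities, ownership gaps and spend."""
    lines = ["Risks by expected annual loss:"]
    lines += [f"  {a:16s} {d:22s} ALE ${ale:>12,.0f}" for a, d, ale in rank_risks(assets, threats)]
    lines.append("Controls by return on security investment:")
    lines += [f"  {n:24s} ROSI {r:+.2f}" for n, r in rank_controls(assets, threats, controls)]
    lines.append("Assets with no accountable owner: " + (", ".join(unowned_assets(assets)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With the constructed data the SCADA HMI carries the largest expected loss yet has no owner, segmentation on it yields the best return, and the WAF has a negative ROSI, so it would be deprioritised: exactly the "never enough to protect everything" trade-off the commandments describe.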

  41. How You will Know You’ve Achieved Righteousness • You will know you have achieved righteousness if you have produced: • A single coherent and seamless system • That rationally evolves to meet the changing threat picture

  42. How You will Know You’ve Achieved Righteousness • That system must be embedded in all necessary business processes to assure cost-effective long-term assurance • The system must provably address all likely threats, and incidents. • The system must provably integrate all requisite practices and technical controls into mutually interacting processes

  43. Help Along the Road to Righteousness • It is a lot to ask to expect people to develop a correct and fully integrated system of processes and controls from scratch • As such, the guidance of a model is important

  44. Help Along the Road to Righteousness • There are a number of models that could fulfill that requirement • Most people think that the ISO 27000 series will be the dominant approach • However, DHS’s Essential Body of Knowledge (EBK) has also gotten some traction • As has FIPS 200 (for more technical solutions) • And countless proprietary approaches

  45. In Summary • Ensuring trustworthy protection of information is difficult because the resource: • Is both intangible and dynamic • Involves an asymmetric threat environment • Typically requires major changes in behavior • And the cost and effort of security is hard to justify based on the tangible consequences, until they happen

  46. In Summary • Nevertheless, given the nature of the evolving geopolitical and social threats it is something that we must do • Hopefully this talk has helped you better connect the dots between the things that might threaten you • And the necessity of committing the additional resources and effort to ensure a secure society

  47. Thank you for your attention • Dan Shoemaker dan.shoemaker@att.net • Centre for Assurance, School of National Security Studies • University of Detroit Mercy
