Outrunning the Bear: A Cautionary Tale Dan Shoemaker, Director Centre for Assurance School of National Security Studies
Outrunning the Bear • The situation in cyber-space is a lot like what you’d face if you were out hiking • And ran into a Grizzly bear.
Outrunning the Bear • It’s a fact that Grizzlies run a lot faster than humans. • So you won’t be able to outrun it.
Outrunning the Bear • But, you will always be safe as long as you can outrun somebody else!
Outrunning the Bear • Thus, it is not as much a matter of being secure against any threat • As it is being secure enough to encourage cyber-predators to go after easier targets
Why is this important? • Staying one step ahead of the rest of the herd is important because… • No matter what you might think, you are at the mercy of any cyber-predator out there
For the Ones Who Think They’re Safe • And if you think that you are protected by whatever countermeasures you’ve deployed • You are dangerously wrong.
For the Ones Who Think They’re Safe • Serious attackers are not interested in the areas you have already secured. • They are looking for the places that are still vulnerable.
There’s No Sheriff in Town The Current Facts of Life in Dodge City
Consider This • A terrorist group announces that they will shut down the Pacific Northwest electrical power grid for six hours starting at 4:00 PM • They do so.
Consider This • The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day • They do so, despite our best efforts to defend against them
Consider This • Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic • And they do so.
Consider This • Finally, they threaten to cripple e-commerce and credit card service for a week by using several hundred thousand stolen identities in millions of fraudulent transactions. • Their list of demands is posted in the New York Times, threatening further actions if those demands are not met
Consider This • What makes this alarming is the fact that all of these events have already occurred • Just not concurrently, or all by malicious intent.
The Fact is • In fact, any of these attacks could be carried out by any adversary • All that is required is a competent attacker and the Internet
For Instance • The maximum “safe” time for any targeted system is 20 minutes • It is estimated that up to one quarter of all PCs might be part of a botnet (Storm may have 1.5 million) • For an expert, any SCADA penetration takes less than a day
For Instance • Even the smallest nation-states and terrorist organizations can easily attack any system • Let alone better-organized groups such as Al Qaeda. • Which raises the prospect of asymmetric cyber warfare on our own desktops, not places like Fallujah
For Instance • Many nations, most prominently China and Iran, have been working diligently to develop their offensive capabilities in cyber-space. • The Chinese military holds formal hacking competitions to identify and recruit talented members for its cyber army.
For Instance • In that respect the Pentagon logged more than 79,000 attempted intrusions in 2005. • About 1,300 were successful, including the penetration of computers linked to the Army’s 101st and 82nd Airborne Divisions and the 4th Infantry Division.
For Instance • These attacks are not just directed at the U.S. • The UK Ministry of Defence (MOD) reports that the Chinese military regularly penetrated computers in at least 10 Whitehall departments, including military files. • They also infiltrated German government defense systems this year.
For Instance • In February a massive cyber attack on Estonia by Russian hackers demonstrated how potentially catastrophic a preemptive strike could be. • The attacks brought down government websites, a major bank and telephone networks.
For Instance • The Pentagon, said that the Estonia attacks “may well turn out to be a watershed in terms of widespread awareness of the vulnerability of modern society”. • Congressional testimony has affirmed that a mass cyber attack could leave 70 per cent of the US without electrical power for six months
For Instance • Since that time the Russian invasion of Georgia was preceded by a cyber-attack that essentially returned the military capability of the Georgians to the 18th Century. • And the U.S. military is much more dependent on its automated warfighting tools and communication capability than the Georgians. • It is estimated that as much as 90 percent of our military capability could be eliminated by a single EMP attack.
Our Problems are Not Just Geopolitical It’s not Like Organized Crime has Missed this
Crime • In the 1990s a typical cyber-crime was something like a criminal trespass, or a web-site defacement. • The cyber-criminals themselves were inclined to be counterculture types who worked alone and on the fringes.
Crime • Now, instead of being inspired by a need to prove their art, cyber-criminals are motivated by financial gain. • As such, the stereotype of the kid living on Skittles in his mom’s basement while doing seventy-two-hour hacks • Has been replaced by a much darker and more complex persona
Crime • Today crime in cyberspace is all about monetary gain • Cybercrime Costs the US Economy at Least $117 Billion Each Year • Which surpasses the costs associated with the War on Drugs and drug related crime
The Consequences • The average company lost $350,424 in 2007 • That was up sharply from the $168,000 they reported the previous year
The Consequences • In the annual survey conducted by the FBI, financial fraud overtook virus attacks as the source of the greatest financial loss • While insider threat surpassed virus incidents as the most prevalent overall security problem. • Which means that you are much more likely to be ripped off by your trusted insiders than by any evil-doers from outside your organization
The Consequences • Since insiders hold the keys to your electronic security protection, there is no silver bullet • That is, the damage might be in the electronic domain, but the problems are behavioral and managerial • And a lot of IT managers see that as Human Resources’ problem, not theirs • For instance, the City of San Francisco was held hostage by one of its disgruntled network administrators
The Personal Impacts • In terms of individual loss: • The total one-year cost of identity fraud in the United States is around $56.6 billion. • There are around 10 million adult victims of identity fraud each year • The average fraud amount per case has increased from $5,249 to $6,383.
Sin and the Road to Salvation “We have Met the Enemy And He is Us”
We are ALL Sinners • The problem is that: • None of us have the slightest idea about all of the places that we are vulnerable • Nor do we know what actually threatens us • Nor do most of us think it is worth the time, money and inconvenience to find out
We are ALL Sinners • Effective security solutions are directly traceable to the requirements of the business case • Which means that they should originate and be championed above the IT function
We are ALL Sinners • Effective security solutions are long-term and organization-wide • Which means that they have to be part of the conventional strategic planning process
The Five Commandments • Identify all of your information assets: • Most organizations don’t really have their arms around their assets • Which makes it hard to guarantee complete protection
The Five Commandments • Know the value of your information assets: • Most organizations don’t really know the value of any individual item of information • Which makes it hard to prioritize resources – there are never enough to protect everything
The Five Commandments • Know what threatens each asset: • Most organizations don’t really know what threatens their information • Which makes it hard to arrange practical counter-measures that are both feasible and cost effective for the priority items that are at greatest risk
The Five Commandments • Assign Responsibility: • There is never anybody specifically accountable if a breach does occur • And if there ever is, that responsibility is not adjusted when changes occur • Which makes it hard to enforce continuous security discipline
The Five Commandments • Manage the Process: • Information assurance is rarely approached as an integrated top-down management process • Instead it is piecemealed, generally based on function • So policy-making, technical, and operational activities are not coordinated
How You will Know You’ve Achieved Righteousness • You will know you have achieved righteousness if you have produced: • A single coherent and seamless system • That rationally evolves to meet the changing threat picture
How You will Know You’ve Achieved Righteousness • That system must be embedded in all necessary business processes to assure cost-effective long-term assurance • The system must provably address all likely threats and incidents. • The system must provably integrate all requisite practices and technical controls into mutually interacting processes
Help Along the Road to Righteousness • It is a lot to ask people to develop a correct and fully integrated system of processes and controls from scratch • As such, the guidance of a model is important
Help Along the Road to Righteousness • There are a number of models that could fulfill that requirement • Most people think that the ISO 27000 series will be the dominant approach • However, DHS’s Essential Body of Knowledge (EBK) has also gotten some traction • As has FIPS 200 (for more technical solutions) • And innumerable proprietary approaches
In Summary • Ensuring trustworthy protection of information is difficult because the resource: • Is both intangible and dynamic • Involves an asymmetric threat environment • Typically requires major changes in behavior • The cost and effort of security is hard to justify based on the tangible consequences, until they happen
In Summary • Nevertheless, given the nature of the evolving geopolitical and social threats it is something that we must do • Hopefully this talk has helped you better connect the dots between the things that might threaten you • And the necessity of committing the additional resources and effort to ensure a secure society
Thank you for your attention • Dan Shoemaker dan.shoemaker@att.net • Centre for Assurance, School of National Security Studies • University of Detroit Mercy