Cybersecurity Update
Dr. Nader Mehravari, MBCP, MBCI
Cyber Risk and Resilience Management Team, CERT Division
Software Engineering Institute, Carnegie Mellon University
[email protected]
http://www.cert.org/resilience/
April 20-22, 2015, Talking Stick Resort, Scottsdale, AZ
Next Generation Resilience
2© 2014 Carnegie Mellon University
Outline
Setting the Stage
• Protecting organizational mission
• Relationship to the rest of this course
• Scope of our discussion
• How has the problem changed over the years?
A Look at Recent Events
Threat Environment
Recent Statistics
Selected Hot Topics
Cybersecurity Policy / Regulation / Legislation
Cybersecurity is a Business Continuity Issue
Summary
Takeaways
CERT | Software Engineering Institute | Carnegie Mellon
Software Engineering Institute (SEI)
• Federally funded research and development center based at Carnegie Mellon University
• Basic and applied research in partnership with government and private organizations
• Helps organizations improve development, operation, and management of software-intensive and networked systems
CERT – Anticipating and solving our nation’s cybersecurity challenges
• Largest technical program at SEI
• Focused on internet security, secure systems, operational resilience, and coordinated response to security issues
CMU-SEI-CERT Cyber Resilience Team
Engaged in
• Applied research
• Education & training
• Putting into practice
• Enabling our federal, state, and commercial partners
In areas dealing with
• Operational Resilience
• Resilience Management
• Operational Risk Management
• Integration of cybersecurity, business continuity, & disaster recovery
What is this session all about?
What’s new? What has changed?
• New players
• New risks and concerns
• What’s in the news?
• New policies & regulations
• New things to worry about
• Questions to ask
• How is it related to the rest of this event?
• Why is it important?
He is not going to make cybersecurity experts out of you.
“… When I started my career, in the late 80s, if there was a bank robbery, the pool of suspects was limited to the people who were in the vicinity at the time. Now when a bank is robbed the pool of suspects is limited to the number of people in the world with access to a $500 laptop and an Internet connection…”
Shawn Henry
former FBI Executive Assistant Director
2013
“… Cybercrime is 'the greatest transfer of wealth in history' …”
U.S. Army Gen. (retired) Keith B. Alexander
Former Director of the National Security Agency (NSA) &
Former Commander of US Cyber Command
2012
Setting the Stage
Why a discussion of cybersecurity at a business continuity conference?
Protecting Organizational Mission
(Figure: the organization and its mission)
Services and Products
Outputs of an organization
Can be internally or externally focused
Collectively they enable an organization’s mission
(Figure: several services or products collectively enabling the organization’s mission)
Productive Activities or Business Processes
Activities that the organization (and/or its suppliers) perform to ensure that services and products are generated
A service or product is made up of one or more business processes
(Figure: each service or product is made up of productive activities or business processes A, B, C, and D that support the organization’s mission)
Assets
Something of value to the organization
Asset value relates to the importance of the asset in meeting the service mission.
(Figure: assets underpin the business processes A through D that deliver the organization’s services and products)
Asset Types
Something of value to the organization
Asset value relates to the importance of the asset in meeting the service mission.
(Figure: the same mission diagram with the asset layer broken out by type)
Asset types:
• People assets
• Information assets
• Technology assets
• Facility assets
• Supply chain
Asset Disruption
(Figure: realized operational risk resulting in asset disruption, shown as disrupted assets in the mission diagram)
Operational Resilience Starts at the Asset Level
(Figure: an asset over time; an event separates the Protect phase from the Sustain phase)
Sustain – Manage Consequences of Risk
• Keep assets productive during adversity
• e.g., Disaster Recovery, Business Continuity, Pandemic Planning, Crisis Management, COOP
Protect – Manage Conditions of Risk
• Keep assets from exposure to disruption
• e.g., Information Security; Cyber Protection; Fault-Tolerance & High-Availability Designs
Analogy: Protection and Sustainment Strategies
Protection Activities
• Translates into activities designed to keep assets from exposure to disruption
• Example: “information security” activities
Sustainability Activities
• Translates into activities designed to keep assets productive during adversity
• E.g., “business continuity” activities
Organizational Context for Resilience Activities
(Figure: business continuity, information security, IT disaster recovery, and crisis management shown as overlapping activities within operational resilience management, laid over the organization’s mission, services and products, business processes, and assets)
Examples:
• Disaster Recovery Planning
• Business Continuity Planning
• Information Security
• COOP
• Cybersecurity Protection
• Risk Management
• Crisis Management
• Emergency Management
• Pandemic Planning
• Supply Chain Continuity
• Etc, Etc, Etc…
Scope of Our Discussion
What do people mean by these terms?
Regardless of what the instructor tells you, there are no universally agreed upon definitions or scopes for these terms…
Cyber Ecosystem Perspective
Cyber Ecosystem: a global information environment comprised of
1. both private and public sector information infrastructure,
2. the entities that it interacts with (e.g., people, information, technologies, facilities), and
3. the environment that it operates in.
Critical Infrastructure Perspective
Cyber Ecosystems Perspective
Security properties: Confidentiality, Integrity, Availability, Authentication, Nonrepudiation
Information Technology and Operational Technology
(Figure: Operational Technology alongside Information Technology)
Cybersecurity
Cybersecurity is a superset of the practices embodied in IT security,
information security, and OT security.
(Figure: Cybersecurity encompassing Information Security, IT Security, and OT Security)
Note: Again, not universally agreed upon definitions or scopes.
How has the problem changed?
Yesterday it would have been about…
(Figure: a business location and its LAN, the Internet, backup tape, Iron Mountain storage, and a DR site)
Today it has to deal with…
• Application complexities
• Business process complexities
• and more…
Ever-Increasing Capability & Complexity
SLOC = Source Lines of Code
• Biplane: 0 SLOC
• Apollo Lunar Module: 2K SLOC
• SR-71: 500K SLOC
• F-35: 9.9M SLOC
(Figure: functionality & complexity, and with them operational risk, increase along this progression)
Ever-Increasing Capability & Complexity
Legacy Electric Grid to Modern Smart Grid
(Figure: functionality & efficiency, and with them operational risk, increase along this progression)
Yesterday’s Preparedness Planning
• Continuity of Operation (COOP)
• Business Continuity
• Emergency Management
• IT Disaster Recovery
Today’s Preparedness Planning
• IT Disaster Recovery
• Continuity of Operation (COOP)
• Business Continuity
• Emergency Management
• Supply Chain Continuity
• Crisis Management
• Contingency Planning
• Pandemic Planning
• Preparedness Planning
• Operational Risk Management
• Enterprise Risk Management
• IT Operations
• Privacy
• Risk Management
• Workforce Continuity
• Cyber Protection
• Crisis Communications
• Information Security
Geographic Boundaries Disappear in Cyberspace
http://www.threatgeek.com/2012/06/threattoons-fbi-most-wanted.html
We Depend on Evolving Cyber Ecosystems
Attack Sophistication vs. Intruder Technical Knowledge
(Figure: attack sophistication versus average intruder knowledge, 1990 to 2010, on a low-to-high scale; milestones on the chart:)
• packet spoofing
• automated probes/scans
• hijacking sessions
• GUI intruder tools
• Internet social engineering attacks
• email propagation of malicious code
• “stealth”/advanced scanning techniques
• widespread attacks on DNS infrastructure
• widespread attacks using NNTP to distribute attack
• executable code attacks (against browsers)
• automated widespread attacks
• widespread denial-of-service attacks
• DDoS attacks
• distributed attack tools
• Windows-based remote controllable Trojans (Back Orifice)
• increase in wide-scale Trojan horse distribution
• increase in worms
• techniques to analyze code for vulnerabilities without source code
• sophisticated command & control
• anti-forensic techniques
• home users targeted
• widespread attacks on client-side software
• widespread attacks on web applications
• increase in targeted phishing & vishing
• massive botnets
• persistent malware infiltration & persistent surveillance
• control systems targeted
• supply-chain compromises
• malicious counterfeit hardware
• coordinated cyber-physical attacks
• adaptive, high-impact, targeted attacks on critical infrastructures
Expanding Risk Environment
• Globalization
• Operational complexity
• Pervasive use of technology
• Intertwining of cyber and physical domains
• Increased role of cybersecurity in securing physical assets
• Movement toward intangible assets
• Global economic pressures
• Regulatory and legal boundaries
• Geo-political pressures
Today’s Business Environment
(Figure: business consequences of operational glitches plotted against severity of operational glitches, with one curve for yesterday and one for today and two marked points, A and B)
Today’s Business Environment is Much Less Forgiving
August 13, 2012
… 4 months later
Before June 17, 2014 – Open for Business & Hiring
After June 17, 2014 – Out of Business
Business Failures Following 2001 Japan Earthquake, Tsunami, & Nuclear Disaster
How else have things changed?
Where was the information stored?
Who had control over the information?
Who valued the information?
Who created the information?
Where was the information stored?
Who had control over the information?
Who valued the information?
Who created the information?
A Look at Recent Events
Have you noticed an increased level of cyber attacks in the recent headlines?
March 2011
April 17, 2011
May 2011
March 30, 2012
July 26, 2012
August 16, 2012
Destructive attack (wiper virus) and DDOS at the same time
October 17, 2012
January 26, 2013
Late 2012 – Early 2013
April 23, 2013
May 23, 2013
June 5, 2013
June 2013
June 25, 2013
December 2013
Anatomy of Target Breach
Source: http://securityintelligence.com/target-breach-protect-against-similar-attacks-retailers/#.U9-17GP5dJu
Reputation Damage
http://www.threatgeek.com/2014/03/threattoons-new-normal.html
February 11, 2014
February 18, 2014
April 2014
How bad was (is) it?
OpenSSL is an implementation of the Transport Layer Security (TLS) protocol
• Two thirds of Internet webservers use OpenSSL
• 17.5% are believed to have been running vulnerable versions
No credentials are needed to exploit the vulnerability
• Enables access to privileged data (certificates, passwords, etc.)
• Attacker can go undetected in logs
The vulnerability has been around since March 2012
• First admitted discovery: April 1, 2014
• Reported widely publicly: April 7, 2014
August 4, 2014
November 10, 2014
November 24, 2014
A Discussion of Sony Incident
How did it happen?
Who did it?
How long had Sony been breached before discovery?
What was the impact?
• What was stolen?
• What was disrupted?
• What was destroyed?
What were the business continuity and disaster recovery aspects?
February 4, 2015
Threat Environment
Director of National Intelligence – 1/26/15
U.S. Intelligence Community
Worldwide Threat Categories
1. Cyber
2. Counterintelligence
3. Terrorism
4. WMD and Proliferation
5. Space and Counterspace
6. Transnational Organized Crime
7. Economic and Natural Resources
8. Human Security
Business Continuity Institute – February 2015
This year’s top dozen threats to business continuity are:
1. Cyber attack
2. Unplanned IT and telecom outages
3. Data breach
4. Interruption to utility supply
5. Supply Chain Disruption
6. Security Incidents
7. Adverse weather
8. Human Illness
9. Fire
10. Act of terrorism
11. Health & Safety incident
12. Transport Network Disruption
Gov’t Accountability Office – Feb. 2015
Reflections on the 10th Anniversary of 9/11 Commission Report – July 2014
Traditional Threats
Worms
Trojans
Viruses
Spyware
Botnets
Social Engineering Attacks
Spear Phishing
Baiting
Buffer Overflows and SQL Injections
More Modern Threats
Traditional signature-based security defenses — including IPS, NGFW, and anti-virus products — are mainly designed to detect known threats. But today, it’s the unknown threats that are making the biggest headlines.
Zero-Day Threats
Advanced Persistent Threats
Polymorphic Threats
Blended Threats
Etc., Etc., Etc…
Mandiant 2015 “M-Trends” Report
Across the Cyber Threat Landscape
Actors and Attacks
Actors | Attack Example | Motivation | Outcomes
Cyber Criminals | Bank account takeover via malware | Financial gain | Financial loss for the victim
Insiders | Fake invoicing; Disclosure of proprietary information | Financial gain; Political; Grudge | Financial loss for organization; Disclosure of sensitive information
Hacktivists | Anonymous attacks on payment processors in defense of WikiLeaks founder | Making political or social statements | Service disruption
Cyber Espionage Actors | Gmail account takeover of Chinese dissidents; Theft of IP from manufacturers | Revenge, Financial gain | Fear among dissidents; Financial loss
Nation-States | Iran is attacked with Stuxnet; US bank website attacked with DDOS | Political | Service disruption
Random Attacks vs. Targeted Attacks
Random Attacks
• Viruses
• Worms
• Port scans
• Phishing
Targeted Attacks
• Denial of service
• Theft of service
• Information theft
• IP theft
Advanced Targeted Attacks (a.k.a. Advanced Persistent Threats (APT))
A threat that is advanced (by some measure) and intends to get in and persist in your environment
Advanced in the sense of bypassing traditional defense mechanisms such as:
• Secure Email Gateway
• Firewall
• Intrusion Detection/Prevention
• Endpoint Protection
• Secure Web Gateway
High Level Lifecycle of a Typical APT Attack
Initial intrusion through system exploitation
Malware is installed on compromised system
Outbound connection is initiated
Attacker spreads laterally
Compromised data is extracted
Targeted Attacks are Hard to Detect
How are compromises detected? 69% of victims were notified by an external entity.
How long before the compromises are detected? 205 is the median number of days before detection.
Source: 2015 Mandiant “M-Trends” Report
http://www.threatgeek.com/2012/09/threattoons-the-cybersecurity-savanna.html
Recent Statistics
2014 National Preparedness Report
Assessment of Current Capabilities Based on State Preparedness
Verizon Annual Data Breach Report - 2014
Percent of breaches per threat actor
Verizon Annual Data Breach Report - 2014
Number of breaches per threat action category
Verizon Annual Data Breach Report - 2014
Frequency of incident classification patterns
Verizon Annual Data Breach Report - 2014
Verizon Annual Data Breach Report - 2014
Mandiant 2015 “M-Trends” Report
Industries Targeted by Cyber Threat Actors
Mandiant 2015 “M-Trends” Report
How compromises are detected
Time to discovery
Mandiant 2015 “M-Trends” Report
Phishing Email Trends
Ponemon 2014 Cost of Data Breach Study
Average per capita cost of data breach in USA
Average organizational cost of data breach in USA
Per capita cost = Total cost of breach / size of data breach
Measured in $1,000,000s
Ponemon 2014 Cost of Data Breach Study
Per capita cost by industry
Ponemon 2014 Cost of Data Breach Study
Root cause of the data breach
Per capita cost root causes
Ponemon 2014 Cost of Data Breach Study
Impact of factors on the per capita cost of data breach
Ponemon 2014 Cost of Data Breach Study
Does the organization have a data breach protection or cyber insurance policy?
Raytheon Privileged User Risk Study
Arbor Networks 2015 Worldwide Infrastructure Security Report
Most Significant Operational Threats Experienced
Arbor Networks 2015 Worldwide Infrastructure Security Report
Size of the Largest Reported DDoS Attack
Blurring of Cyber/Physical Security
The 3Gs of Traditional Physical Security
Guns
Guards
Gates
Traditional Protection of Critical Infrastructure
Smart Grid
Source: Con Edison
Intertwining of Physical and Cyber Domains
Potential modes of attack
• Physical only attack
• Cyber only attack
• Physical-enabled cyber attack
• Cyber-enabled physical attack
(Figure: Physical Security and Cybersecurity overlap in two regions: physical protection of cyber assets and cyber protection of physical assets)
Example: Stuxnet
January 2012
October 17, 2012
June 25, 2013
February 11, 2014
http://www.threatgeek.com/2013/08/threattoons-the-scada-game.html
Security of the Internet of Things
(Figure: evolution from the Internet, to eCommerce, to IoT/IoE)
• Internet: facilitating digital communications among people (e.g., email)
• eCommerce: facilitating business transactions between people and business (e.g., Amazon.com)
• IoT / IoE, Internet of Things/Everything: connecting things, businesses, and people
Internet of Things
Example: Burberry
Example: Huggies TweetPee
Example: Tweeting Moisture Sensor
Example: Internet of “Everything”
Observations from a Recent IOT Study
Internet of Things Research Report, Hewlett Packard, July 2014
Marketplace for Adversaries
There is an active black market for
• Actors (e.g., cyber criminals for hire)
• Infrastructure (e.g., botnets to rent)
• Tools (e.g., exploit kits)
• Takes (e.g., credit card and personal information)
Flow of “Goods” in the Marketplace
Stages: Research, Infiltration, Discovery, Capture, Exfiltration
• Research on people and systems of potential targets
• Develop profiles for sale
• People who are good at breaking in buy profiles
• Determine what toolkits should be built
• Trick us into giving them credentials
• Discover a bunch of access points
• They come into our environment through the access point they purchased
• They explore our environment (where sensitive data is kept; what countermeasures are there; what does the network look like)
• They develop a killer map
• Use the killer map to collect valuable information assets
• Take it out or destroy it
Structural Imbalance
But the statistics look bad…
How much are we spending?
$46 BILLION – Global Spend on Cybersecurity
Generally speaking, organizations are doing a relatively good job of protecting themselves; blocking most of what is coming at them.
How well are we doing?
20% increase in number of breaches
30% increase in cost of a single breach
Why do the statistics look bad?
There is a structural imbalance
They only need to be right ONE TIME. We have to be right EVERY TIME.
Dealing with the Structural Imbalance
Majority of the budget (86%) is spent in trying to stop adversaries’ infiltration.
• i.e., in the 2nd step in the “Marketplace for Adversaries” diagram
• We keep looking for the silver bullet
Organizations are over-invested in
• products and technology
Organizations are not investing enough in
• People
• Processes
Other Hot Topics
Insider Threat – The Enemy from Within
A current or former employee, contractor, or business partner who meets the following criteria:
• has or had authorized access to an organization’s network, system, or data
• has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems
Insider Threat – Examples
Types of Insider Crimes
Insider IT sabotage
• Deletion of information
• Bringing down systems
• Web site defacement to embarrass organization
Insider theft of intellectual property
• Proprietary engineering designs, scientific formulas, etc.
• Proprietary source code
• Confidential customer information
• Industrial Espionage
Insider fraud
• Theft and sale of confidential information
• Modification of critical data for pay
• Stealing of money
National Security Espionage
• Spies against the U.S.
How bad is the insider threat problem?
Cyber Insurance
A contract between an insurer and a company to protect against certain losses related to cyber risks
• One element of an organization’s cyber-risk treatment strategy
(Figure: risk treatment options plotted by impact and likelihood of occurrence: Accept, Mitigate, Transfer, Avoid; mitigate covers prevent, detect, remediate; transfer covers insure, hedge)
Cyber Insurance – Key Coverage Types
First Party (Protection for direct cost from the incident)
• Business interruptions
• Remediation costs to respond to an incident such as:
  • Consultants
  • Investigation
  • Notifying third party victims
Second Party (Liability protection for harm to others)
• Legal liability for loss or breach of data, including defense and settlement costs
• Fines or penalties imposed by laws or regulations
• Law suits and associated settlement costs
Cyber Insurance - Considerations
Some organizations are reluctant to report cyber incidents because it might affect relationships with customers, partners, and investors
Insurers are generally interested in insuring the “good” risk only
Organizations find it difficult to determine the right level of coverage
Brokers are often not security savvy and may not know what risks you need to insure against
Consistent, accurate, and repeatable methods to measure (estimate) an organization’s cyber risk
Cyber Workforce
“… As adversaries exploit the Cyberspace domain for their military, economic, and political advantage, operations in cyberspace are evolving from an afterthought to a fundamental element for achieving all missions. The Department must similarly evolve the workforce to address the needs of the domain…”
Securing Nomadic/Mobile/BYOD Environments
What happens to concepts of:
• Defense in depth
• Boundary
• Ownership
• Physical security
• Infrastructure
• Trust model
• Etc…
The Dark Corner of the Web
The Deep Web – Part of the Internet that is not accessible through the commercial search engines
The Darknet – Part of the Deep Web where one can operate in anonymity
Government Surveillance
(Figure: the questions What? How much? When? Where? For what? How long?)
Multifaceted role of government within the Internet
• User
  - Government agencies use the Internet to deliver their services
  - Government is a large enterprise whose customers are citizens
• Protector
  - Of the Internet itself
  - Of the users of the Internet
• Exploiter
  - If a federal agency becomes aware of a vulnerability, should they share that information with others or should they keep it to themselves so that they can exploit it at a later time?
• Access to Data
  - Government has national security and public safety missions
  - It needs access to data to achieve these missions
  - “Access to data” = “Surveillance”
  - Security vs. Civil Liberty vs. Privacy
Government Surveillance – Snowden Case
Government Surveillance
Policy / Regulation / Legislation
Source of Cybersecurity Regulations
In the United States, cybersecurity regulation comprises:
• Legislation from Congress
• Directives from the Executive Branch
Existing Cybersecurity Regulations
There are very few federal cybersecurity regulations, and the ones that exist focus on specific industries.
The three main cyber-security regulations are:
• 1996 Health Insurance Portability and Accountability Act – Healthcare organizations
• 1999 Gramm-Leach-Bliley Act – Financial institutions
• 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA) – Federal agencies
They do not specify what cyber-security measures must be implemented and require only a “reasonable” level of security.
The vague language of these regulations leaves much room for interpretation.
Congressional Cybersecurity Activities
Congress has been holding hearings related to cybersecurity every year since 2001.
Number of bills/resolutions/hearings introduced with provisions related to cybersecurity:
• 111th Congress (January 2009 – January 2011): 60+
• 112th Congress (January 2011 – January 2013): 70+
• 113th Congress (as of June 24, 2014): 70+
Cybersecurity Legislation
The Obama Administration sent Congress a package of legislative proposals in May 2011
• To give the federal government new authority to ensure that corporations that own the assets most critical to the nation’s security and economic prosperity are adequately addressing the risks posed by cybersecurity threats.
No comprehensive cybersecurity legislation has been enacted since 2002.
Role of Federal Government?
Role of Federal Government?
Late 2012 – Early 2013
Observation
It has taken us centuries to determine norms of behavior and rules of engagement in the physical world.
Policies and doctrines around kinetic attacks on US interests are mature, but fail to provide the needed clarity when applied to cyber-based attacks, especially those of foreign state actors.
For example…
Question: Enable active defenses?
An active shooter in a bank lobby would likely meet deadly force in response.
Should organizations be legally allowed to fight back when under cyber attack?
July 12, 2013
Question: National defenses
If a foreign state fired a missile at a US bank HQ, it would meet immediate military defense.
Should military-grade cyber defenses be deployed to protect US businesses that are under attack by foreign states?
Question: Update Posse Comitatus Act?
The unprecedented scale of recent attacks warrants re-examination of our national readiness to respond and defend against state actors in cyberspace.
Suppose DOD had the best response; would it be allowed to act?
Do we need another exception to the Posse Comitatus Act to enable military cyber response to large-scale cyber attacks on US critical infrastructure?
Cybersecurity is a Business Continuity Issue
A discussion of how recent cybersecurity observations affect the business continuity and disaster recovery community
Fallouts of Cyber Attacks
The most frequent fallouts of cyber attacks that we hear about:
• Disclosure of personally identifiable information
• Theft of intellectual property
• Loss of credit card information
• Revealing of company proprietary information
• Exposure of corporate email messages
• Leak of trade secrets
However, cyber adversaries are interested in more than that:
• Causing operational havoc
• Forcing the shutdown of day-to-day business operations
• Affecting delivery of products and services
Summary
In Closing (in no particular order)
The attack landscape has drastically changed
• Dynamic and expanding
• A vast majority of the attacks have transitioned from the network and transport layers to the application layer
Traditional signature-based protection techniques (e.g., anti-virus, IPS, FW)
• Are primarily meant to detect known threats, while unknown threats are the ones causing the biggest havoc
Advanced threats bypass traditional defenses
• Traditional defense-in-depth components are still necessary, but are no longer sufficient.
In Closing (in no particular order)
The subject has evolved from hacking for fun and/or recognition to attacks for profit and/or political gain.
Unlike historical kinetic attacks, barriers to entry for malicious actors are low, and government intervention is not visible.
We are developing and proliferating technologies faster than we can characterize the security implications and mitigate the associated risks.
Ever-increasing intertwining of the physical and cyber domains.
In Closing
Prevention is futile
Cybersecurity is a risk management issue
(Not a technology issue)
Cybersecurity is a discussion topic for the Board
(Not for the data center)
Source: Ponemon Institute Research Report. July 17, 2014
Compliance ≠ Security
Source: https://www.idradar.com/news-stories/identiy-protection/Target-Dropped-The-Ball-On-Breach-Detection-Report-Says
[Figure: Protection Activities balanced against Sustainment Activities]
Continually balance protection and sustainment activities
[Figure: Protection Activities and Sustainment Activities]
Integrate and coordinate all operational risk management activities
Integrate and coordinate all operational risk management activities
Invest in people and process
(Not only in technology)
Thank you for your attention…
References
• Nader Mehravari, “Resilience Management,” a course module in the CISO Executive Education and Certification Program, Heinz College, Carnegie Mellon University, 2013, http://www.heinz.cmu.edu/school-of-information-systems-and-management/chief-information-security-officer-executive-education-and-certification-program/index.aspx
• Joshua Corman, “Managing Operational Threat,” a presentation delivered in the CISO Executive Education and Certification Program, Heinz College, Carnegie Mellon University, March 7, 2013, http://www.heinz.cmu.edu/school-of-information-systems-and-management/chief-information-security-officer-executive-education-and-certification-program/index.aspx
• Nader Mehravari, “Achieving Organizational Mission Through Resilience Management,” A Discussion with CERT Experts: Constructing a Secure Cyber Future, Part of SEI Webinar Series, April 30, 2013, https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=583853&sessionid=1&key=5E4796946B6897C34F544ADD1D1E1641&sourcepage=register
• Rich Pethia, “20+ Years of Cyber (in)Security,” A Discussion with CERT Experts: Constructing a Secure Cyber Future, Part of SEI Webinar Series, April 30, 2013, https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=583853&sessionid=1&key=5E4796946B6897C34F544ADD1D1E1641&sourcepage=register
• John Seabrook, “Network Insecurity,” The New Yorker, May 20, 2013, pp. 64-70.
• Lisa Daniel, “DOD Needs Industry’s Help to Catch Cyber Attacks, Commander Says,” American Forces Press Services, March 27, 2012, http://www.defense.gov/news/newsarticle.aspx?id=67713
• Emil Protalinski, “NSA: Cybercrime is the greatest transfer of wealth in history,” ZDNet, July 10, 2012, http://www.zdnet.com/nsa-cybercrime-is-the-greatest-transfer-of-wealth-in-history-7000000598/
• Caralli, Richard A.; Allen, Julia H.; White, David W. CERT® Resilience Management Model: A Maturity Model for Managing Operational Resilience. Addison-Wesley, 2011.
• “Introduction to the CERT Resilience Management Model, “ Software Engineering Institute Training, http://www.sei.cmu.edu/training/p66.cfm
• R.H. Zakon “Hobbes' Internet Timeline 10.2” http://www.zakon.org/robert/internet/timeline/
• ISC Internet Host Count History http://www.isc.org/solutions/survey/history
• Verisign “The Domain Name Industry Brief” http://www.verisigninc.com/en_US/why-verisign/research-trends/domain-name-industry-brief/
• Netcraft Web Server Survey http://news.netcraft.com/archives/category/web-server-survey/
• Facebook statistics http://newsroom.fb.com/content/default.aspx?NewsAreaId=22
• ARPANET Maps – http://som.csudh.edu/cis/lpress/history/arpamaps/ and http://mappa.mundi.net/maps/maps_001/map_0699.html
• Joshua Corman and David Etue, “Adversary ROI: Evaluating Security from the Threat Actor’s Perspective,” RSA US Conference, 2012, http://www.slideshare.net/DavidEtue/adversary-roi-evaluating-security-from-the-threat-actors-perspective
• Joshua Corman, “A Replaceability Continuum,” Cognitive Dissidents Joshua Corman Blog, October 24, 2011, http://blog.cognitivedissidents.com/2011/10/24/a-replaceability-continuum/
• Andrew Wells, Earl Perkins, and Juergen Weiss, “Definition: Cybersecurity,” Gartner report # G00252816, June 7, 2013.
• Lawrence Pingree and Neil MacDonald, “Best Practices for Mitigating Advanced Persistent Threats,” Gartner report # G00224682, January 18, 2012.
• James Clapper, “Worldwide Threat Assessment of US Intelligence Community,” statement delivered to Senate Select Committee on Intelligence, March 12, 2013.
• James Clapper, “Worldwide Threat Assessment of US Intelligence Community,” statement delivered to Senate Select Committee on Intelligence, January 29, 2014.
• U.S. Government Accountability Office (GAO), “Cybersecurity – Threats Impacting the Nation,” April 24, 2012.
• Gary Stoneburner, “Toward a Unified Security/Safety Model,” Computer, August 2006.
• Ron Ross, “Managing Enterprise Security Risk with NIST Standards,” Computer, August 2007.
• Doug MacDonald, Samuel L Clements, Scott W Patrick, Casey Perkins, George Muller, Mary J Lancaster, Will Hutton, “Cyber/Physical Security Vulnerability Assessment Integration,” Innovative Smart Grid Technologies (ISGT), 2013 IEEE PES, February 24-27, 2013.
• U.S. Department of Homeland Security, “National Preparedness Report,” March 30, 2013
• U.S. Department of Defense, “Resilient Military Systems and the Advanced Cyber Threats,” DoD Defense Science Board Task Force Report, January 2013.
• Verizon, “2013 Data Breach Investigations Report,”
• Earl Perkins, “The Impact of Critical Infrastructure Protection Standards on Security,” Gartner report # G00230036, March 12, 2013.
• U.S. Government Accountability Office (GAO), “High-Risk Series – An Update,” February 2013.
• Bradford Willke, “Securing the Nation’s Critical Cyber Infrastructure,” U.S. Department of Homeland Security, April 14, 2010.
• David Kushner, “The Real Story of Stuxnet,” IEEE Spectrum, February 2013.
• Roger G. Johnston, “Being Vulnerable to the Threat of Confusing Threats with Vulnerabilities,” Journal of Physical Security 4(2), pp. 30-34, 2010.
• Steve Piper, Definitive Guide to Next-Generation Threat Protection, CyberEdge Press, ISBN: 978-0-9888233-0-3, 2013.
• Siobhan Gorman, “Should Companies Be Required to Meet Certain Minimum Cybersecurity Protections?” Wall Street Journal, May 10, 2013.
• “FireEye Advanced Threat Report – 2H 2012,” FireEye, http://www2.fireeye.com/rs/fireye/images/fireeye-advanced-threat-report-2h2012.pdf
• Ponemon Institute, “2014 Cost of Data Breach Study: Global Analysis,” May 2014.
• Neil MacDonald, “Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence,” Gartner, Report # G00252476, May 30, 2013.
• Raytheon, “Privileged Users: Superman or Superthreat? A Privileged User Risk Whitepaper,” 2014.
• Verizon, “Verizon 2014 PCI Compliance Report,” 2014.
• Verizon, “Verizon 2014 Data Breach Investigations Report,” 2014.
• Verizon, “Verizon 2014 Data Breach Investigations Report – Executive Summary,” 2014.
• Rita Tehan, “Cybersecurity: Authoritative Reports and Resources, by Topic,” Congressional Research Service, May 30, 2014.
• US Government Accounting Office, “High-Risk Series – An Update,” February 2013.
• Finding a Path Forward in an Increasingly Conflicted Digital World, Arthur W. Coviello, 2014 RSA Conference Keynote Address, https://www.youtube.com/watch?v=aB2gG-cRj10
• Conundrums in Cyberspace: Exploiting Security in the Name of, well, Security, Scott Charney, Corporate VP, Trustworthy Computing, MS, 2014 RSA Conference Keynote Address, https://www.youtube.com/watch?v=ajYuqW4npiw
• Nawaf Bitar, “The Next World War Will be Fought in Silicon Valley,” 2014 RSA Conference Keynote Address, https://www.youtube.com/watch?v=XKkwL0gTN4w
• Art Gilliland, “Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy,” RSA 2014 keynote, https://www.youtube.com/watch?v=hgeBk84CaQg
• Stephen Trilling, “Future of Security.” RSA 2014 Keynote, http://www.rsaconference.com/videos/125/the-future-of-security
• Kevin Mandia, State of the Hack: One Year after the APT1 Report, RSA 2014 Keynote, http://www.rsaconference.com/videos/128/state-of-the-hack-one-year-after-the-apt1-report
• Lawrence Orans, “The Cyber Threat Landscape,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
• Juergen Weiss, “Understanding Terms and Clauses of Your Cyber Insurance,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
• Richard Steinbert, “Reconstructing Risk Management,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
• Eric Ahlm, “Extending Secure Access in a Mobile, BYOD and Cloud App World,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
• Avivah Litan, “Fighting Cyberthreats With Layered Context Aware Security and Fraud Prevention,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
• Ruggero Contu, “Nexus Forces Shaping Security,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
• Neil MacDonald, “Architecting a New Approach for Continuous Advanced Threat Protection,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
• Earl Perkins and Ray Wagner, “Top Security Trends and Take-aways for 2014 and 2015,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
• Carsten Casper, “The NSA, Google and Radically Redefining Privacy for the 21st Century,” 2014 Gartner Security and Risk Management Summit, 23-26 June 2014, National Harbor, MD.
Notices
Copyright 2015 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0002226