Outrunning the Bear: A Cautionary Tale

Posted 28-Jan-2016

Page 1: Outrunning the Bear: A Cautionary Tale

Outrunning the Bear: A Cautionary Tale

Dan Shoemaker, Director, Centre for Assurance, School of National Security Studies

Page 3

Outrunning the Bear

It’s a fact that Grizzlies run a lot faster than humans.

So you won’t be able to outrun it.

Page 4

Outrunning the Bear

But, you will always be safe

As long as you can outrun somebody else!

Page 5

Outrunning the Bear

Thus, it is not so much a matter of being secure against every threat

As it is being secure enough to encourage cyber-predators to go after easier targets

Page 6

Why is this important?

Staying one step ahead of the rest of the herd is important because…

No matter what you might think, you are at the mercy of any cyber-predator out there

Page 7

For the Ones Who Think They’re Safe

And if you think that you are protected by whatever countermeasures you’ve deployed

You are dangerously wrong.

Page 8

For the Ones Who Think They’re Safe

Serious attackers are not interested in the areas you have already secured.

They are looking for the places that are still vulnerable.

Page 9

There’s No Sheriff in Town

The Current Facts of Life in Dodge City

Page 10

Consider This

A terrorist group announces that they will shut down the Pacific Northwest electrical power grid for six hours starting at 4:00 PM

They do so.

Page 11

Consider This

The same group then announces that they will disable the primary telecommunication trunk circuits between the U.S. East and West Coasts for a half day

They do so, despite our best efforts to defend against them

Page 12

Consider This

Then, they threaten to bring down the air traffic control system supporting New York City, grounding all traffic and diverting inbound traffic

And they do so.

Page 13

Consider This

Finally, they threaten to cripple e-commerce and credit card service for a week by using several hundred thousand stolen identities in millions of fraudulent transactions.

Their list of demands is posted in the New York Times, threatening further actions if those demands are not met

Page 14

Consider This

What makes this alarming is the fact that all of these events have already occurred

Just not concurrently, and not all by malicious intent.

Page 15

The Fact is

In fact, any of these attacks could be carried out by any adversary

All that is required is a competent attacker and the Internet

Page 16

For Instance

The maximum “safe” time for any targeted system is 20 minutes

It is estimated that up to one quarter of all PCs might be part of a botnet (Storm may have 1.5 million)

For an expert, any SCADA penetration takes less than a day

Page 17

For Instance

Even the smallest nation-states and terrorist organizations can easily attack any system

Let alone better-organized groups such as Al Qaeda. 

Which raises the prospect of asymmetric cyber warfare on our own desktops, not places like Fallujah

Page 18

For Instance

Many nations, most prominently China and Iran, have been working diligently to develop their offensive capabilities in cyber-space.

The Chinese military holds formal hacking competitions to identify and recruit talented members for its cyber army.

Page 19

For Instance

In that respect, the Pentagon logged more than 79,000 attempted intrusions in 2005.

About 1,300 were successful, including the penetration of computers linked to the Army’s 101st and 82nd Airborne Divisions and the 4th Infantry Division.

Page 20

For Instance

These attacks are not just directed at the U.S.

The UK Ministry of Defense (MOD) reports that the Chinese military regularly penetrated computers in at least 10 Whitehall departments, including military files.

They also infiltrated German government defense systems this year.

Page 21

For Instance

In February a massive cyber attack on Estonia by Russian hackers demonstrated how potentially catastrophic a preemptive strike could be.

The attacks brought down government websites, a major bank and telephone networks.

Page 22

For Instance

The Pentagon said that the Estonia attacks “may well turn out to be a watershed in terms of widespread awareness of the vulnerability of modern society”.

Congressional testimony has affirmed that a mass cyber attack could leave 70 per cent of the US without electrical power for six months

Page 23

For Instance

Since that time the Russian invasion of Georgia was preceded by a cyber-attack that essentially returned the military capability of the Georgians to the 18th Century.

And the U.S. military is much more dependent on its automated warfighting tools and communication capability than the Georgians.

It is estimated that as much as 90 percent of our military capability could be eliminated by a single EMP attack.

Page 24

Our Problems are Not Just Geopolitical

It’s Not Like Organized Crime Has Missed This

Page 25

Crime

In the 1990s a typical cyber-crime was something like a criminal trespass, or a web-site defacement.

The cyber-criminals themselves were inclined to be counterculture types who worked alone and on the fringes.

Page 26

Crime

Now instead of being inspired by a need to prove their art, cyber-criminals are motivated by financial gain.

As such, the stereotype of the kid living on Skittles in his mom’s basement while doing seventy-two-hour hacks

Has been replaced by a much darker and more complex persona

Page 27

Crime

Today crime in cyberspace is all about monetary gain

Cybercrime Costs the US Economy at Least $117 Billion Each Year

Which surpasses the costs associated with the War on Drugs and drug related crime

Page 28

The Consequences

The average company lost $350,424 in 2007

That was up sharply from the $168,000 they reported the previous year

Page 29

The Consequences

In the annual survey conducted by the FBI, financial fraud overtook virus attacks as the source of the greatest financial loss

While insider threat surpassed virus incidents as the most prevalent overall security problem.

Which means that you are much more likely to be ripped off by your trusted insiders than by any evil-doers from outside your organization

Page 30

The Consequences

Since insiders hold the keys to your electronic security protection, there is no silver bullet

That is, the damage might be in the electronic domain, but the problems are behavioral and managerial

And a lot of IT managers see that as Human Resources’ problem, not theirs

For instance, the City of San Francisco was held hostage by one of its disgruntled network administrators

Page 31

The Personal Impacts

In terms of individual loss:

The total one-year cost of identity fraud in the United States is around $56.6 billion.

There are around 10 million adult victims of identity fraud each year

The average fraud amount per case has increased from $5,249 to $6,383.

Page 32

Sin and the Road to Salvation

“We Have Met the Enemy and He Is Us”

Page 33

We are ALL Sinners

The problem is that:

None of us have the slightest idea about all of the places that we are vulnerable

Nor do we know what actually threatens us

Nor do most of us think it is worth the time, money and inconvenience to find out

Page 34

We are ALL Sinners

Effective security solutions are directly traceable to the requirements of the business case

Which means that they should originate and be championed above the IT function

Page 35

We are ALL Sinners

Effective security solutions are long-term and organization-wide

Which means that they have to be part of the conventional strategic planning process

Page 36

The Five Commandments

• Identify all of your information assets:

• Most organizations don’t really have their arms around their assets

• Which makes it hard to guarantee complete protection

Page 37

The Five Commandments

• Know the value of your information assets:

• Most organizations don’t really know the value of any individual item of information

• Which makes it hard to prioritize resources; there are never enough to protect everything

Page 38

The Five Commandments

• Know what threatens each asset:

• Most organizations don’t really know what threatens their information

• Which makes it hard to arrange practical counter-measures that are both feasible and cost effective for the priority items that are at greatest risk

Page 39

The Five Commandments

• Assign Responsibility:

• There is never anybody specifically accountable if a breach does occur

• And if there ever is, that responsibility is not adjusted when changes occur

• Which makes it hard to enforce continuous security discipline

Page 40

The Five Commandments

• Manage the Process:

• Information assurance is rarely approached as an integrated top-down management process

• Instead it is piecemealed, generally based on function

• So policy-making, technical, and operational activities are not coordinated
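The five commandments above are, in practice, the columns of a risk register: an inventory, a value per asset, the threats to each, an accountable owner, and one process that ranks where limited protection money goes. As an added illustration that is not part of the deck, here is a small Python register built on constructed sample assets, values, threats, owners and costs. The scoring (value × impact × likelihood, summed over threats), the 365-day ownership review window and the greedy budget allocation are assumptions chosen for the example, not a method the talk prescribes; they show why an unvalued or unowned asset cannot be prioritized at all.

```python
"""
Added illustration (not from the talk): the five steps as one small risk
register. Every asset, value, threat, owner and cost below is constructed
sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Threat:
    name: str
    likelihood: float  # estimated annual probability of occurrence, 0..1
    impact: float      # fraction of the asset's value lost if it occurs, 0..1


@dataclass
class Asset:
    name: str
    value: float                    # step 2: what the asset is worth to the business
    owner: Optional[str]            # step 4: who is accountable (None = nobody)
    owner_reviewed: Optional[date]  # when that accountability was last confirmed
    threats: List[Threat] = field(default_factory=list)  # step 3: what threatens it

    def annual_loss_expectancy(self) -> float:
        """Assumed scoring: sum of value * impact * likelihood over all threats."""
        return sum(self.value * t.impact * t.likelihood for t in self.threats)


def accountability_gaps(assets: List[Asset], today: date,
                        max_age_days: int = 365) -> List[Tuple[str, str]]:
    """Step 4 check: assets nobody owns, or whose owner has not been re-confirmed
    within the review window (the 'responsibility not adjusted' failure)."""
    gaps = []
    for a in assets:
        if a.owner is None or a.owner_reviewed is None:
            gaps.append((a.name, "no accountable owner"))
        elif (today - a.owner_reviewed).days > max_age_days:
            gaps.append((a.name, "ownership review overdue"))
    return gaps


def prioritise(assets: List[Asset], budget: float,
               cost_to_protect: Dict[str, float]) -> List[str]:
    """Steps 2 and 3 applied: there is never enough to protect everything, so fund
    the highest expected-loss assets first and skip what the remaining budget
    cannot cover. Returns asset names in the order they were funded."""
    ranked = sorted(assets, key=lambda a: a.annual_loss_expectancy(), reverse=True)
    funded, remaining = [], budget
    for a in ranked:
        cost = cost_to_protect[a.name]
        if cost <= remaining:
            funded.append(a.name)
            remaining -= cost
    return funded


# Step 1: the inventory. All values below are constructed for the example.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("customer-db", 2_000_000, "dba-lead", date(2024, 1, 15),
          [Threat("external intrusion", 0.10, 0.50),
           Threat("insider misuse", 0.20, 0.30)]),
    Asset("public-website", 150_000, "web-team", date(2024, 5, 1),
          [Threat("defacement", 0.50, 0.10)]),
    Asset("payroll-system", 600_000, None, None,          # nobody accountable
          [Threat("insider fraud", 0.15, 0.40)]),
    Asset("scada-gateway", 900_000, "ops-manager", date(2022, 3, 1),  # stale owner
          [Threat("remote compromise", 0.05, 1.00)]),
]
SAMPLE_COSTS = {"customer-db": 40_000, "public-website": 5_000,
                "payroll-system": 20_000, "scada-gateway": 50_000}


def main() -> None:
    for a in SAMPLE_ASSETS:
        print(f"{a.name:15s} expected annual loss {a.annual_loss_expectancy():>10,.0f}")
    print("funded with 70,000:", prioritise(SAMPLE_ASSETS, 70_000, SAMPLE_COSTS))
    print("accountability gaps:", accountability_gaps(SAMPLE_ASSETS, SAMPLE_TODAY))


if __name__ == "__main__":
    main()
```

Running it ranks the customer database first (220,000 expected annual loss), then the SCADA gateway (45,000), payroll (36,000) and the website (7,500); with a 70,000 budget the gateway is skipped because its 50,000 cost no longer fits after the database is funded, and the gap report names the payroll system (no owner) and the gateway (owner not re-confirmed in over a year), which is exactly the kind of unowned, high-value item the fourth commandment warns about.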

Page 41

How You will Know You’ve Achieved Righteousness

You will know you have achieved righteousness if you have produced:

A single coherent and seamless system

That rationally evolves to meet the changing threat picture

Page 42

How You will Know You’ve Achieved Righteousness

That system must be embedded in all necessary business processes to assure cost-effective long-term assurance

The system must provably address all likely threats and incidents.

The system must provably integrate all requisite practices and technical controls into mutually interacting processes

Page 43

Help Along the Road to Righteousness

It is a lot to ask to expect people to develop a correct and fully integrated system of processes and controls from scratch.

As such, the guidance of a model is important

Page 44

Help Along the Road to Righteousness

There are a number of models that could fulfill that requirement

Most people think that the ISO 27000 series will be the dominant approach

However, DHS’s Essential Body of Knowledge (EBK) has also gotten some traction

As has FIPS 200 (for more technical solutions)

And innumerable proprietary approaches

Page 45

In Summary

Ensuring trustworthy protection of information is difficult because the resource:

Is both intangible and dynamic

Involves an asymmetric threat environment

Typically requires major changes in behavior

And the cost and effort of security are hard to justify based on the tangible consequences, until they happen

Page 46

In Summary

Nevertheless, given the nature of the evolving geopolitical and social threats, it is something that we must do

Hopefully this talk has helped you better connect the dots between the things that might threaten you

And the necessity of committing the additional resources and effort to ensure a secure society

Page 47

Thank you for your attention

Dan Shoemaker, [email protected], Centre for Assurance, School of National Security Studies, University of Detroit Mercy