Difference between revisions of "The Cybersecurity Mess"
From Simson Garfinkel
==Outline of Talk==
===Today's systems are less secure than those of the 1970s===
# Computers are more complex — more places to attack them.
# There are multiple ways around each defense.
# It’s easier to attack systems than defend them.
# It’s easier to break things than to fix them.
Consider last week's headlines from [http://www.infosecnews.org Info Sec News]:
# [ISN] [http://www.bloomberg.com/news/2014-03-18/irs-employee-took-home-data-on-20-000-workers-at-agency.html March 19: IRS Employee Took Home Data on 20,000 Workers at Agency]
# [ISN] [http://www.washingtontimes.com/news/2014/mar/13/f-35-secrets-now-showing-chinas-stealth-fighter/ March 14: Top Gun Takeover: Stolen F-35 Secrets showing up in China's stealth fighter] (secrets stolen in Operation Byzantine Hades, circa 2007)
# [ISN] [http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data March 13, 2014: Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It] (Businessweek; Target had deployed FireEye, the outsourced security firm in Bangalore noticed the malware and contacted Target's security team in Minneapolis, and nothing was done. Quotes a Verizon Enterprise Solutions study which finds that companies discover breaches through their own monitoring 31% of the time, but retailers only 5%.)
# [ISN] [http://variety.com/2014/digital/news/chinas-hackers-to-target-u-s-entertainment-industry-security-firm-warns-1201131720/ March 14, 2014: China’s Hackers to Target U.S. Entertainment Industry, Security Firm Warns] (FireEye warns the US film and entertainment industry that it will come under attack from Chinese hackers)
# [ISN] [http://www.infosecnews.org/for-ec-council-mums-the-word/ March 13, 2014: For EC-Council, Mum's the word]
# [ISN] [http://www.wired.com/threatlevel/2014/03/commuter-bus/ March 12, 2014: Reverse Wardriving: Tracking Apple and Google Commuter Buses by Their Wi-Fi Clouds] (36 Apple buses pass Kevin Poulsen's home each day)
# Meanwhile, on March 19th SC Magazine reported [http://www.scmagazine.com/unpatched-servers-still-enabling-exploitation-of-two-year-old-php-vulnerability/article/338973/ Unpatched servers still enabling exploitation of two-year-old PHP vulnerability]
===The cybersecurity mess is technical and social.===
# Most attention is focused on technical issues:
## Malware and anti-virus
## Access controls, authentication, encryption & quantum computing
## Supply chain issues
# Non-technical issues are at the heart of the cybersecurity mess:
## Education & career paths
## Immigration
## Manufacturing policy
'''We would do better if we wanted to do better.'''
===Technical Trends===
# High-capacity portable storage
# Fully connected networks
# Multiple networks & bridging
===Cybersecurity is expensive===
# Global cybersecurity spending: $60 billion in 2011 (Cyber Security M&A, PwC, 2011)
# Bloomberg Government Study, "The Price of Cybersecurity: Big Investments, Small Improvements" (2012)
## 172 Fortune 500 companies surveyed
## Spending $5.3 billion per year on cybersecurity stopped 69% of attacks
## Raising spending to $10.2 billion would stop 84% of the attacks
## Raising spending to $46.67 billion would stop 95% of attacks, the "highest attainable level"
## 95% is not good enough.
===Pair of Automotive papers===
* [http://www.autosec.org/pubs/cars-usenixsec2011.pdf Comprehensive Experimental Analyses of Automotive Attack Surfaces], Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage, Karl Koscher, Alexei Czeskis, Franziska Roesner, Tadayoshi Kohno. USENIX Security, August 10–12, 2011.
* [http://www.autosec.org/pubs/cars-oakland2010.pdf Experimental Security Analysis of a Modern Automobile], Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, Stefan Savage. IEEE Symposium on Security and Privacy, Oakland, CA, May 16–19, 2010.
===My vision of the future===
# Technical societal collapse.
# National Academies, "Severe Space Weather Events — Understanding Societal and Economic Impacts, Workshop Report" (2008)
# "According to a study by the Metatech Corporation, the occurrence today of an event like the 1921 storm would result in large-scale blackouts exposing more than 130 million people and would expose more than 350 transformers to the risk of permanent damage." (Transformers have manufacturing lead times of 12 months or more.)
Revision as of 08:28, 22 March 2014
==Cybersecurity Mess Slides==
* 2013-May-16 — Talk to MIT Club of DC
* 2013-Jan-11 — Talk in Alexandria to Scholarship for Service students
* 2012-04-25 — First talk @MIT
==Related Slides==
===Articles===
* Garfinkel, S. The Cybersecurity Risk, Communications of the ACM, June 2012