Difference between revisions of "The Cybersecurity Mess"
From Simson Garfinkel
Jump to navigationJump to search
| Line 1: | Line 1: | ||
==Outline of Talk== | ==Outline of Talk== | ||
# | # Today's systems are less secure than those of the 1970s | ||
## Computers are more complex — more places to attack them. | |||
## There are multiple ways around each defense. | |||
## It’s easier to attack systems than defend them. | |||
## It’s easier to break things than to fix them. | |||
# Consider last week's headlines from [http://www.infosecnews.org Info Sec News] | |||
## [ISN] [http://www.bloomberg.com/news/2014-03-18/irs-employee-took-home-data-on-20-000-workers-at-agency.html March 19: IRS Employee Took Home Data on 20,000 Workers at Agency] | ## [ISN] [http://www.bloomberg.com/news/2014-03-18/irs-employee-took-home-data-on-20-000-workers-at-agency.html March 19: IRS Employee Took Home Data on 20,000 Workers at Agency] | ||
## [ISN] [http://www.washingtontimes.com/news/2014/mar/13/f-35-secrets-now-showing-chinas-stealth-fighter/ March 14 Top Gun Takeover: Stolen F-35 Secrets showing up in China's stealth fighter] (secrets stolen in Operation Byzantine Hades, circa 2007) | ## [ISN] [http://www.washingtontimes.com/news/2014/mar/13/f-35-secrets-now-showing-chinas-stealth-fighter/ March 14 Top Gun Takeover: Stolen F-35 Secrets showing up in China's stealth fighter] (secrets stolen in Operation Byzantine Hades, circa 2007) | ||
| Line 8: | Line 13: | ||
## [ISN] [http://www.infosecnews.org/for-ec-council-mums-the-word/ March 13, 2014: For EC-Council, Mum's the word] | ## [ISN] [http://www.infosecnews.org/for-ec-council-mums-the-word/ March 13, 2014: For EC-Council, Mum's the word] | ||
## [ISN] [http://www.wired.com/threatlevel/2014/03/commuter-bus/ March 12, 2014: Reverse Wardriving: Tracking Apple and Google Commuter Buses by Their Wi-Fi Clouds] (36 Apple busses pass Kevin Poulsen's home each day) | ## [ISN] [http://www.wired.com/threatlevel/2014/03/commuter-bus/ March 12, 2014: Reverse Wardriving: Tracking Apple and Google Commuter Buses by Their Wi-Fi Clouds] (36 Apple busses pass Kevin Poulsen's home each day) | ||
## Meanwhile, on March 19th SC Magazine reported [http://www.scmagazine.com/unpatched-servers-still-enabling-exploitation-of-two-year-old-php-vulnerability/article/338973/ Unpatched servers still enabling exploitation of two-year-old PHP vulnerability] | |||
The cybersecurity mess is technical and social. | |||
* Most attention is focused on technical issues: | |||
** Malware and anti-viruses | |||
*** Default allow vs. default deny | |||
** Access Controls, Authentication, Encryption & Quantum Computing | |||
** Supply chain issues | |||
* Cyberspace as a globally connected “domain” | |||
* Non-technical issues are at the heart of the cybersecurity mess. | |||
** Education & career paths | |||
** Immigration | |||
** Manufacturing policy | |||
* We will do better when we want to do better. | |||
==Cybersecurity Mess Slides== | ==Cybersecurity Mess Slides== | ||
Revision as of 19:33, 20 March 2014
Outline of Talk
- Today's systems are less secure than those of the 1970s
- Computers are more complex — more places to attack them.
- There are multiple ways around each defense.
- It’s easier to attack systems than defend them.
- It’s easier to break things than to fix them.
- Consider last week's headlines from Info Sec News
- [ISN] March 19: IRS Employee Took Home Data on 20,000 Workers at Agency
- [ISN] March 14 Top Gun Takeover: Stolen F-35 Secrets showing up in China's stealth fighter (secrets stolen in Operation Byzantine Hades, circa 2007)
- [ISN] March 13, 2014: Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It (Businessweek; Target had deployed FireEye, the outsourced security firm in Bangalore noticed the malware, contacted Target's security team in Minneapolis, and nothing was done. Quotes Verizon Enterprise Solutions study that finds companies discover breaches through monitoring 31% of the time, but retailers only 5%.)
- [ISN] March 14, 2014: China’s Hackers to Target U.S. Entertainment Industry, Security Firm Warns (FireEye warns US film and entertainment that they will come under attack from Chinese hackers)
- [ISN] March 13, 2014: For EC-Council, Mum's the word
- [ISN] March 12, 2014: Reverse Wardriving: Tracking Apple and Google Commuter Buses by Their Wi-Fi Clouds (36 Apple busses pass Kevin Poulsen's home each day)
- Meanwhile, on March 19th SC Magazine reported Unpatched servers still enabling exploitation of two-year-old PHP vulnerability
The cybersecurity mess is technical and social.
- Most attention is focused on technical issues:
- Malware and anti-viruses
- Default allow vs. default deny
- Access Controls, Authentication, Encryption & Quantum Computing
- Supply chain issues
- Malware and anti-viruses
- Cyberspace as a globally connected “domain”
- Non-technical issues are at the heart of the cybersecurity mess.
- Education & career paths
- Immigration
- Manufacturing policy
- We will do better when we want to do better.
Cybersecurity Mess Slides
- 2013-May-16 — Talk to MIT Club of DC
- 2013-Jan-11 — Talk in Alexandria to Scholarship for Service students
- 2012-04-25 — First talk @MIT
Related Slides
Articles
- Garfinkel, S. The Cybersecurity Risk, Communications of the ACM, June 2012
