Difference between revisions of "The Cybersecurity Mess"

From Simson Garfinkel
Jump to navigationJump to search
Line 34: Line 34:


===Cybersecurity is expensive===
===Cybersecurity is expensive===
# Global cybersecurity spending: $60 billion in 2011
# Global cybersecurity spending: $60 billion in 2011 (Cyber Security M&A, pwc, 2011)
(Cyber Security M&A, pwc, 2011)
# Bloomberg Government Study, "The Price of Cybersecurity: Big Investments, Small Improvements" (2012)
# Bloomberg Government Study, "The Price of Cybersecurity: Big Investments, Small Improvements" (2012)
## 172 Fortune 500 companies surveyed
## 172 Fortune 500 companies surveyed
Line 42: Line 41:
## Raising spending to $46.67 billion would stop 95% of attacks, the "highest attainable level."
## Raising spending to $46.67 billion would stop 95% of attacks, the "highest attainable level."
## 95% is not good enough.
## 95% is not good enough.
===Cybersecurity is undefined===
We don't have a good definition of cybersecurity
# "Preventing computers from being hacked"
# Using “network security” to secure desktops & servers
There is no way to measure cybersecurity
# Which OS is more secure?
# Which computer is more secure?
# Is “open source” more secure?


===Pair of Automotive papers===
===Pair of Automotive papers===

Revision as of 09:51, 22 March 2014

Outline of Talk

Today's systems are less secure than those of the 1970s

  1. Computers are more complex — more places to attack them.
  2. There are multiple ways around each defense.
  3. It’s easier to attack systems than defend them.
  4. It’s easier to break things than to fix them.

Consider last week's headlines from Info Sec News

  1. [ISN] March 19: IRS Employee Took Home Data on 20,000 Workers at Agency
  2. [ISN] March 14 Top Gun Takeover: Stolen F-35 Secrets showing up in China's stealth fighter (secrets stolen in Operation Byzantine Hades, circa 2007)
  3. [ISN] March 13, 2014: Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It (Businessweek; Target had deployed FireEye, the outsourced security firm in Bangalore noticed the malware, contacted Target's security team in Minneapolis, and nothing was done. Quotes Verizon Enterprise Solutions study that finds companies discover breaches through monitoring 31% of the time, but retailers only 5%.)
  4. [ISN] March 14, 2014: China’s Hackers to Target U.S. Entertainment Industry, Security Firm Warns (FireEye warns US film and entertainment that they will come under attack from Chinese hackers)
  5. [ISN] March 13, 2014: For EC-Council, Mum's the word
  6. [ISN] March 12, 2014: Reverse Wardriving: Tracking Apple and Google Commuter Buses by Their Wi-Fi Clouds (36 Apple busses pass Kevin Poulsen's home each day)
  7. Meanwhile, on March 19th SC Magazine reported Unpatched servers still enabling exploitation of two-year-old PHP vulnerability

The cybersecurity mess is technical and social.

  1. Most attention is focused on technical issues:
    1. Malware and anti-viruses
    2. Access Controls, Authentication, Encryption & Quantum Computing
    3. Supply chain issues
  2. Non-technical issues are at the heart of the cybersecurity mess.
    1. Education & career paths
    2. Immigration
    3. Manufacturing policy

We would do better if we wanted to do better.

Technical Trends

  1. High-capacity portable storage
  2. Fully connected networks.
  3. Multiple networks & bridging

Cybersecurity is expensive

  1. Global cybersecurity spending: $60 billion in 2011 (Cyber Security M&A, pwc, 2011)
  2. Bloomberg Government Study, "The Price of Cybersecurity: Big Investments, Small Improvements" (2012)
    1. 172 Fortune 500 companies surveyed
    2. Spending $5.3 billion per year on cybersecurity, stopped 69% of attacks
    3. Raising spending to $10.2 billion would stop 84% of the attacks
    4. Raising spending to $46.67 billion would stop 95% of attacks, the "highest attainable level."
    5. 95% is not good enough.

Cybersecurity is undefined

We don't have a good definition of cybersecurity

  1. "Preventing computers from being hacked"
  2. Using “network security” to secure desktops & servers

There is no way to measure cybersecurity

  1. Which OS is more secure?
  2. Which computer is more secure?
  3. Is “open source” more secure?

Pair of Automotive papers

USENIX Security, August 10–12, 2011.

IEEE Symposium on Security and Privacy, Oakland, CA, May 16–19, 2010

My vision of the future

  1. Technical societal collapse.
  2. National Academies - "Severe Space Weather Events --- Understanding Societal and Economic Impacts, Workshop Report" (2008)
  3. "According to a study by the Metach Corpo, the occurance today of an event like the 1921 sotmr would result in large-scale blackouts exposing more than 130 million people and would expose more than 350 transformers to the risk of permanent damage." (Transformers have manufacture lead times of 12 months or more.)

Cybersecurity Mess Slides

Related Slides

Articles