Carnegie Mellon CyLab
4720 FORBES AVENUE
CIC BUILDING
PITTSBURGH, PA 15213
PH: 412.268.1870
FX: 412.268.7675
www.cylab.cmu.edu




Cyber Security in the Three Times: Past, Present & Future
CERT 20th Anniversary Seminar Series
Pittsburgh, Pennsylvania, 7/22/08
Agenda
•   Speaker’s Bio
•   CyLab’s Mission
•   Global Economy & Cyberspace
•   Glimpses Into the 21st Century Threat Matrix
•   Cyber Risks Timeline
•   Elements of A Holistic Program
•   Ruminations & Conclusions



Richard Power, Carnegie Mellon CyLab 2008
Harnessing the Future to Secure the Present
Richard Power
• CyLab Distinguished Fellow
• Director of Global Security Intelligence for Deloitte Touche Tohmatsu (2002-2005)
• Editorial Director for Computer Security Institute (1994-2002)
• Author of Five Books, Including
   – Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft & Economic
      Espionage in the 21st Century, (w/ Christopher Burgess)
   – Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace
• Author of War & Peace in Cyberspace, monthly column for Computer Fraud and Security
  Journal (w/ Dario Forte)




CyLab’s Mission
CyLab is …
• A bold and visionary effort, which establishes public-private partnerships to develop
  new technologies for measurable, available, secure, trustworthy, and sustainable
  computing and communications systems as well as to educate individuals at all
  levels.
• A dynamic matrix, in which great works are accomplished, great minds come
  together, and great careers are launched.
• A vital resource for government and business to draw on in addressing cyber risks
  that threaten national and economic security.
• A world leader in both technological research and the education of information
  assurance professionals.
CyLab harnesses the future to secure the present.


Harnessing the Future to Secure the Present

One of the world’s premier centers for cyber security, dependability and privacy
• Largest U.S. university-based cyber security research & education program
• Computer Emergency Response Team (CERT)
• National Science Foundation (NSF) CyberTrust Center
• Key partner in NSF-funded Center for Team Research in Ubiquitous Secure Technology
• National Security Administration (NSA) Center of Academic Excellence in Information
  Assurance Education

Unique comprehensive approach
• Multi-disciplinary, university-wide
  – Faculty and researchers from six colleges of Carnegie Mellon
  – 50+ faculty/researchers and 130+ graduate students
• Funded by private and public funds
  – Budget of approximately $12M in fiscal year 2007
  – Supported by 50 member private companies and government research funds
• Global educational partnerships & initiatives: e.g., Taiwan, India, Portugal, Singapore,
  Greece, Japan, etc.

Benefits of CyLab Partners Program
The Four R’s of CyLab Partner Program Benefits --
 • Research
   – Leverage CyLab researchers and facilities for your R&D
 • Recruitment
   – Get inside track on hiring CyLab graduates to build your technology
     team
 • Reputation
   – Embellish your image by association with leading research center
 • Return on Investment
   – Cost-savings & boost in reputation translate into immediate ROI


The Web of Life


         “All things are connected like the blood that
         unites us all. Man did not weave the Web of
         Life, he is merely a strand in it. Whatever he
             does to the Web he does to himself.”

Chief Seattle, 1854


Growth of the Global Economy
Everyone & Everything Everywhere is Connected …

2001: 34 nations sign “Free Trade Americas” pact for massive free-trade
zone of 800 million people from Alaska to Argentina.
1999: Euro, a common currency for 11 European nations. “Biggest
economic event we’ll see in our lifetime.”
1998: Asian economic crisis impacts the world.
1995: General Agreement on Tariffs and Trade (GATT) signed.
1994: North American Free Trade Agreement (NAFTA) signed.
1992: Treaty on European Union (EU) signed.
1989-1991: Collapse of Soviet Union, German reunification.
Growth of Cyberspace
 Everyone & Everything Everywhere is Connected …

• Radio – 35 Years to Reach 50 Million People
• TV – 15 Years to Reach 50 Million People
• WWW – 5 Years to Reach 50 Million People




As They Evolve, They Increasingly Interpenetrate

[Diagram: Global Economy and Cyberspace drawn as two circles for the 1980s, the 1990s and the 21st Century, moving closer together in each period]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

In 21st Century, They Occupy Same Space & Share Risk

[Diagram: the same two circles. 1980s: Global Economy (competitors, espionage) and Cyberspace (hackers, data theft). 1990s: Global Economy and Cyberspace. 21st Century: Global Economy (hackers, data theft) and Cyberspace (competitors, espionage), each now carrying the other’s risks]

Secrets Stolen/Fortunes Lost, Synergy Press, 2008

Yoga of the Three Times

In the 8th Century, this teaching was written down by Yeshe Tsogyal, Tibetan
yogini and consort of the great sage, Padma Sambhava; it was then “hidden
away amidst a cache of precious things” to be read by seekers of the future –
     • The yoga of the past not being practiced,
       memory of the past remains latent.
     • The Future, not being welcomed,
       is completely severed by the mind from the present.
     • The Present not being fixable remains in the state of voidness.

(Tibetan Book of the Great Liberation, Ed. & Trans. by W.Y. Evans-Wentz, Oxford University, 1954)

Glimpses into the 21st Century Threat Matrix
On the dark side of cyberspace -- a rapidly expanding
 spectrum of risks & threats, ever-evolving in sophistication …

  • Every technological advance for mobile workers offers new opportunities
    for cyber criminals and industrial spies
  • Rise of organized crime in Eastern Europe was predicted 14 years ago,
    and yet, it has grown powerful & pervasive
  • Not just petty crime, recent headlines highlight attacks on national
    security, financial markets & power grids
  • Meanwhile, perennial threats, like the disgruntled or dishonest insider,
    continue unabated

Glimpses into the 21st Century Threat Matrix
A random sampling from 30 days of newspaper headlines
underscores the scope of the challenge
• Bank: Rogue trader hacked computers (CNN, 1-27-08)
• Hackers darken cities, CIA says (Security Focus, 1-21-08)
• China has penetrated key U.S. databases (SC Magazine, 1-18-08)
• Wi-fi users, beware: Hot spots are weak spots (Wall Street Journal, 1-16-08)
• New mass hack strikes sites, confounds researchers (Computerworld, 1-14-08)
• Former Cox employee who shut down 911 gets jail time (SC Magazine)
• Former New Jersey system administrator gets 30 months in prison for ‘logic bomb’
  (SC Magazine, 1-9-08)
• Engineer: I stole IDs from hotel computers (Miami Herald, 1-9-08)
• Mass hack infects tens of thousands of sites (Computerworld, 1-7-08)
• FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack (Wired, 1-4-08)
• eBay goes far to fight fraud – all the way to Romania (L.A. Times, 12-26-07)
• Pune woman $12mn cyber theft (DNA, 12-28-07)
Glimpses into the 21st Century Threat Matrix
Another random sampling from recent newspaper headlines
underscores the scope of the challenge
• Crimeware server exposes breadth of data theft (GCN, 5-6-08)
• Hackers' posts on epilepsy forum cause migraines, seizures (SMH, 5-8-08)
• Hacktivists collect fingerprint of fingerprint collector (Register, 3-30-08)
• Hackers Hijack a Half-million Sites In Latest Attack (Computerworld, 5-13-08)
• FBI Worried as DoD Sold
• Rare SCADA vulnerability discovered (SC Magazine, 5-9-08)
• Technology, media firms overconfident, unprepared for breaches: Deloitte survey
  (SC Magazine, 2-7-08)
• Hackers Focus on VoIP Accounts (WebPro News, 5-12-08)
• Hackers May Have Stolen Millions of Cards (Newsday, 5-15-08)
• Hackers catch ride on Grand Theft Auto IV downloaders (Computer Weekly, 5-15-08)
• Russia’s state hackers target Radio Free Europe in Prague (Sunday Herald, 5-10-08)
Glimpses into the 21st Century Threat Matrix
A random sampling from 30 days of newspaper headlines
underscores the scope of the challenge
• Spam Blockers Losing Ground on Sophisticated Attackers (6-08)
• Software Engineer First to be Sentenced Under Economic Espionage Act (6-18-08)
• Citibank Server Breach Likely Source of Compromised ATM Cards (6-18-08)
• Stolen Computer Holds Outsourced Human Resources Data (6-23-08)
• Marshall Islands hit by 'zombie'
• Former Employee Allegedly Deleted Organ Bank Data (6-26-08)
• More Than 630,000 Laptops Lost at Airports Each Year (6-30-08)
• S.F. officials locked out of computer network (7-15-08)
• New trojan in the wild targeting multimedia files (SC Magazine, 7-14-08)
• Hackers break 3G iPhone lock (7-13-08)
• Hackers Steal Millions From 7-Eleven ATM (AP, 7-3-08)

Glimpses into the 21st Century Threat Matrix
Trends for 2008-2009 (it’s only going to get worse) --
  • Increased professionalism and commercialization of malicious activities
  • Threats tailored for specific regions, Increasing numbers of multi-staged
    attacks
  • Attackers targeting victims by first exploiting trusted entities
  • Convergence of attack methods
  • Automated evasion process
  • Advanced Web threats – laundering origins through the Web
  • Diversification of bot usage
                                             (Symantec Internet Threat Report 2007)



Glimpses into the 21st Century Threat Matrix
Trends for 2008-2009 (it’s only going to get worse) --
  •   Ratio of non-malicious to malicious software reaching tipping point: the volume of
      malicious code & unwanted programs will exceed that of legitimate software, and security
      techniques will switch from blacklisting to whitelisting
  •   Forty-three percent of enterprises have little or no measures in place to address
      permissions or restrictions on removable media, less than 17% have related end-point
      security measures; attackers may introduce malicious code at one point or another
      during manufacture or distribution
  •   More advanced botnet threats that employ stealth methods such as steganography,
      allowing bot masters to exploit public forums and search engines
  •   As US national elections draw near, an increase in phishing, scams and malicious code
      targeting candidates, campaigns, etc.
                                                          (Symantec Internet Threat Report 2008)

Cyber Risks Timeline: 1996
US Senate Permanent Investigations Subcommittee Hearings
on “Security In Cyberspace”
• Senator Sam Nunn (D-GA) presiding
• Witnesses included
  – Keith Rhodes (GAO)
  – Jim Christy (DoD)
  – Peter Neumann (SRI)
  – John Deutch (CIA)
  – Roger Molander (RAND)
  – Jamie Gorelick (DoJ)
  – Richard Pethia (CERT)
  – Senator Patrick Leahy (D-VT)
  – Senator John Kyl (R-AZ)
  – Richard Power (CSI)

“Human beings are building systems, deploying them and breaking into them. So it is
human beings that we have to reach in terms of training, awareness, and understanding
their responsibility, not only to their corporations, or to their own job security, but
to their country, and to the world.”
– Testimony of Richard Power

Cyber Risks Timeline: 1995-2002
CSI/FBI Computer Crime & Security Survey
  • Intent
        – To Raise Awareness
        – Encourage Reporting of Cyber Crimes to Law Enforcement
        – Inspire In-Depth Research
  • Methodology
        – Non-Scientific
  • Trends
        – External Attacks on the Rise
        – Perpetrators Not Only Insiders or Juveniles
        – Significant Financial Losses



Internet As Frequent Point of Attack: 1996-2002
% of Respondents citing each point of attack

Year   Internal Systems   Remote Dial-in   Internet   Respondents
1996   54                 39               38         174 (40%)
1997   52                 35               47         391 (69%)
1998   44                 24               54         279 (54%)
1999   51                 28               57         324 (62%)
2000   38                 22               59         443 (68%)
2001   31                 18               70         384 (72%)
2002   33                 12               74         414 (82%)

CSI/FBI 2002 Computer Crime and Security Survey
Source: Computer Security Institute

Financial Losses Summary: 1997-2002
Total dollar losses:
  1997: 249 respondents, US$100,119,555
  1998: 241 respondents, US$136,822,000
  1999: 163 respondents, US$123,779,000
  2000: 273 respondents, US$265,589,940
  2001: 196 respondents, US$377,828,700
  2002: 223 respondents, US$455,848,000

  Grand total: US$1,459,755,245

CSI/FBI 2002 Computer Crime and Security Survey
Source: Computer Security Institute

False Notions about Cyber Crime & Cyber Security

  Cyber crime costs are exaggerated -- WRONG
  Cyber crime is a rare occurrence -- WRONG
  Insiders 80% of problem, outsiders are only 20% -- WRONG
  Problem is mostly juvenile hackers -- WRONG
  Economic espionage is done almost exclusively by the turning of insiders -- WRONG
  Security technology = security -- WRONG
  Security policies & awareness posters = security -- WRONG
  Budget $$$ = security -- WRONG
  Security technology, policies, awareness posters & budget $$$ = security -- WRONG




Cyber Risks Timeline
In the late 1990s, “Current & Future Danger: A Primer on Cyber
Crime & Information Warfare” Articulated Four Areas of Greatest
Concern; They are Still the Four Areas of Greatest Concern:
  •   Electronic Commerce Crime
  •   Economic Espionage
  •   Infrastructure Attacks
  •   Personal Cyber Insecurity




9/11: Lessons Learned?
Those Who Cannot Remember the Past
are Condemned to Repeat It
   •    False Meme: “The World Changed on
        9/11.”
         –     Some people simply woke up to the reality
               of the world in which we lived on 9/10
   •    False Meme: “9/11 was the Result of
        Intelligence Failures.”
        –     Plenty of pre-9/11 intelligence, but what
              happened to it?
   •    Fear is Not Awareness
        –     Missed opportunity to raise awareness
              and education not only for the US
              populace, but the world …


Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Cyber Risks Timeline
From Salgado in 1997 to TJX in 2006 …
• Carlos Salgado (1997)
     – 86,326 credit cards from 1,214 institutions
     – Based on average credit card fraud losses—e.g., $1,836 for fraudulent
       credit application—potential impact could have been $1 billion
     – Cost of card reissue alone: $125 per card, $10,780,750
• TJ Maxx (2007)
     – A hacker or hackers stole data from at least 45.7 million credit and debit
       cards of shoppers at off-price retailers including T.J. Maxx and
       Marshalls in a case believed to be the largest such breach of consumer
       information. (MSNBC, 3-30-07)

Cyber Risks Timeline
Blacknet was a hoax, but Phonemasters wasn’t…
 • Accessed telephone networks of AT&T, British Telecommunications, GTE,
   MCI, Southwestern Bell and Sprint
 • Broke into credit-reporting databases of Equifax and TRW, and Nexis/Lexis
   databases
 • Eavesdropped on phone conversations, compromised secure databases and
   redirected communications
 • Accessed national power grid, air traffic control system and a digital cache of
   unpublished phone numbers at the White House
 • Customers included private investigators, so-called ‘information brokers,’ and
   by way of middlemen, the Sicilian Mafia
 • Price list included personal credit reports for $75; state motor vehicle records,
   $25; records from the FBI’s Crime Information Center, $100; address or phone
   number of any celebrity or important person, $500.
Cyber Risks Timeline
The Scope of Eastern European & Asian Cybercrime
• “The chain of command of a cybercrime gang is not unlike the Mafia, an evolution
  that shows how online crime is becoming a broad, well-organized endeavor.” (IDG, 7-15-08)
• “Moroccan and European intelligence authorities continue to identify significant
  links between eCrime targeting Western financial institutions and active terrorist
  cells in Morocco.” (ISIGHT Partners, 5-20-08)
• “Likely that the use of Russian and Eastern European ‘botnet’ (large quantities of
  malware-infected computers) for political purposes will increase, due to their low
  cost, the difficulty in tracing their owners …” (ISN, 3-15-08)
• “The notorious [RBN] has suddenly picked up from its St. Petersburg digs and
  diversified, spreading its unwholesome activity to new chunks of IP addresses, with
  RBN-like activity almost immediately appearing on newly registered blocks of Chinese
  and Taiwanese IP addresses …” (e-Week, 11-8-07)
• “The FBI estimates all types of computer crime in the U.S. costs industry about $400
  billion… A growing worry is that cybercrooks could target emergency services for
  extortion purposes…” (Reuters, 9-15-06)
• “The number of people engaged in cyber crime as a full-time ‘profession’ in Eastern
  Europe and, especially, in Asia is skyrocketing.” (SANS, 8-14-06)

Warnings Unheeded, Lessons Unlearned

A Decade Passed Between Salgado’s Almost Completely Ignored
Cyber Caper & the TJ Maxx Blockbuster;

Over A Decade has Passed Since the First Warnings of the Rise
of Eastern European Organized Cyber Crime …




Warnings Unheeded, Lessons Unlearned

Here are Some Important Questions –

 What Could Governments & Businesses Have Done?
 What Should Governments & Business Have Done?
 What Next Generation Risks & Threats Are We Ignoring Now?




Personal Cyber Insecurity
Wireless, Broadband, etc. Turn Home PCs into Both Targets & Bases

In 20th Century, Privacy was Something You Had to Protect…
In the 21st Century, Privacy is Something You Have to Create

• Identity theft
• Financial fraud
• Cyber vandalism
• Cyber stalking
• Cyber voyeurism
• Recon for physical theft
• Recon for physical violence
• Character assassination
• Intel gathering for blackmail
• Intel gathering for social engineering attacks
• “John Deutch” factor

Cyber Risks Timeline
Ten Years in the Wilderness – A Decade After Nunn Hearings
• Bad Software (Microsoft is Not “the Evil Empire” But…)
     – 2006: Bill Gates -- Man of The Year (Again)
         • “Microsoft perceives its customers to be developers, Apple perceives its customers to be
            end users”
        • Only one US corporation that existed in 1900 still existed in 2000 (GE), but in 3000, there
           will be two (GE & Microsoft)
        • Bill Gates belongs on TIME cover for his humanitarian efforts
        • Bill Gates does not belong keynoting RSA Conference -- three years in a row
     – 2003: CTO Loses Job for Blast at Microsoft
        • Dan Geer, CTO for @Stake (which consults for Microsoft) fired for report calling Windows
           a national cyber security threat
        • Signed by seven researchers, report said dominance of Microsoft software on PCs has
           made networks susceptible to "massive, cascading failures," & that the complexity of the
           software made it particularly vulnerable to virus & other attacks
Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

Cyber Risks Timeline
Ten Years in the Wilderness – A Decade After Nunn Hearings
• Lack of Progress and/or Continuity in Government
    – “Last year CSIA encouraged Congress & the Administration to raise the profile of
      information security; improve information sharing, threat analysis, & contingency
      planning; & to prioritize & fund research & development….Unfortunately there is no
       forward momentum or clear set of priorities for action in 2006.” (CSIA, 2006)
    – “For Chertoff to create a high-level cybersecurity position but neglect to fill that
      position after a year indicates that the Bush administration places a higher value on
      physical security than it does on the nation's information infrastructure. Meanwhile,
      the country lacks a leader with the clout to coordinate communications in the event
      of a massive IT disruption.” (Information Week, 7-06)
    – “The Homeland Security Department is not ready for a cyberattack or a natural
      disaster that causes a major Internet disruption, according to a Government
      Accountability Report released today.” (FCW, 7-28-06)
Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

One Step Forward, Two Steps Back or …

   Five Expert Views
         –   Becky Bace (Infidel/Trident)
         –   Rik Farrow (www.spirit.com)
         –   Justin Peltier (Peltier Associates)
         –   Keith Rhodes (US GAO)
         –   Gene Spafford (CERIAS)


    In general, in terms of cyber security and cyber crime, would you
    say one step forward two steps back or two steps forward one
    step back? Or would you characterize it some other way?


Richard Power/Dario Forte, Computer Fraud & Security Journal (2006)

One Step Forward, Two Steps Back or …

Becky Bace, Infidel/Trident
                          “…seriously behind the power curve….cybersecurity and
                          cybercrime suffer from the ‘one generation trailing’ problem - by
                          definition, both are reactive disciplines, especially in the
                          commercial arena - funding is applied to the problem only after
                          someone has divined that there is a problem…

                          Another aspect that is frustrating to me personally is the lack of
                          attention paid to security education. I can't think of any area that
                          has more strategic impact on our industrial base and national
                          security, yet public funding is consistently underbudgeted,
                          mistargeted and misspent.”


                 One Step Forward, Two Steps Back or …

Rik Farrow, www.spirit.com
                          “Have there been any steps forward at all? Identity theft is still on the
                          rise, a large part of it due to identity info stolen via keystroke monitors
                          or phishing/scam sites. This information is traded in large online
                          bazaars, and it appears that law enforcement is doing little to stop
                          this…. Has software security gotten any better? Nope….

                          Things have not gotten better. Instead, we continue to see a bandaid
                          style approach – ‘Here, let me sell you our
                          anti-virus/anti-spyware/compliance-monitoring/firewall/NIPS/HIPS’…”




                 One Step Forward, Two Steps Back or …

Justin Peltier, Peltier Associates
                          “One forward and two back…. Too many security technologies are
                          entrenched in the corporate environment and not enough
                          innovation is taking place. Most organizations are rolling out the
                          same technologies that have failed time and time again, while the
                          attackers are gaining complexity and new attacks at an almost
                          monthly basis.

                          As long as security is mostly defined by one large enterprise
                          firewall and a poorly configured IDS/IPS system, the attackers will
                          still have an edge.”




                 One Step Forward, Two Steps Back or …

Keith Rhodes, formerly US GAO, now Verizon
                          “While our attack morphologies are getting much better (one step
                          forward) the attack vectors are increasing in number and speed
                          due to everyone having high speed internet access from their home
                          (one step back) and due to the code getting buggier and buggier
                          (one step back).

                          So, if my math is correct, that's one step forward, two steps back.”




                 One Step Forward, Two Steps Back or …

Gene Spafford, CERIAS, Purdue University
                          “It's almost like we are making no steps.

                          We have kept adding new technologies that are dangerous, seen
                          our decision-makers choosing the path of least cost but significant
                          danger, and they have consistently applied band-aids for the most
                          current threat but failed to heed long-term advice, or provide
                          investment for research to really break out of the rut they have
                          gotten into.

                          Overall, I'm not very optimistic about the future.”




                                                       Beginner’s Mind

• “In the beginner’s mind there are many
  possibilities, but in the expert’s there are few.”
• “The goal is always to keep our beginner’s
  mind.”
• “If you discriminate too much, you limit
  yourself.”
• “If your mind is empty, it is already ready for
  anything; it is open to everything.”
• “This is the real secret of the arts: always be a
  beginner.”
                                Shunryu Suzuki-Roshi



                                             Information Operations
Goals of Information Operations

• “The objective for all IO is to dominate the information battlefield by
  attacking the enemy’s information resources and decision-making
  capabilities while protecting your own resources and capabilities from all
  adversaries.
• “In other words, IO has two very simple goals:
   – Goal #1: Optimize the decision making of the friendly guys
   – Goal #2: Degrade the decision making of the bad guys
   – That’s IO in a nutshell.”
                                              Col. Lawrence D. Dietz,
                                              US Army (Retired)


                                       Infrastructure Attacks: What & How
 Mostly Privately Owned, Relied On for Public Good…
  • Information & Communications: Phones, Internet
  • Physical Distribution: Air traffic, rail, pipelines
  • Energy: Gas, oil, electric power industries
  • Banking & Finance: Banks, financial services, mutual
    funds, stock & commodities exchanges
  • Vital Human Services: Water supply, emergency
    services, vital records
 Same Skills, Exploits, Modus Operandi & Opportunities (Including Badly Designed
 Software & Lack of Preparedness in Government & Business) as Those Seized by
 Common Cyber Criminals -- Only Better Financed, Better Equipped, And Operating
 With Relative Impunity
        Glimpses into the 21st Century Threat Matrix

Imagine if…
• On 9/11, the last image people saw
  on their TVs was the WTC collapsing
  and then the phones went dead and
  the power grid failed

Imagine if…
• On 9/11, after the initial attacks, as all
  flights were grounded, those planes
  still in the air could not land because
  of a series of attacks on the air traffic
  control system


                                   Al-Qaeda Targeted Infrastructure
 “Routed thru switches in Saudi Arabia, Indonesia and Pakistan …”
 “Studied emergency telephone systems, electrical generation and transmission, water
 storage and distribution, nuclear power plants and gas facilities.
 “Some probes suggested planning for a conventional attack. But others homed in on a
 class of digital devices that allow remote control of services such as fire dispatch and of
 equipment such as pipelines.
 “More information about those devices -- and how to program them -- turned up on al
 Qaeda computers seized this year.
 “Most significantly, perhaps, U.S. investigators have found evidence in the logs that mark
 a browser's path through the Internet that al Qaeda operators spent time on sites that
 offer software and programming instructions for the digital switches that run power, water,
 transport and communications grids.”
                                                            (Washington Post, 6-26-02)

                                                                                Lebanon 2006
    “What Hezbollah did was to monitor our radio and
    immediately send it to their Al-Manar TV, which
    broadcast it almost live, long before the official Israeli
    radio.” Hezbollah appears to have divided a three mile-
    wide strip along the Israeli-Lebanese border into
    numerous “killing boxes”. Each box was protected in
    classic guerrilla fashion with booby-traps, land mines,
    and even CCTV cameras to watch every step of the
    advancing Israeli army. (London Times, 8-27-06)

    Israel…hacked into the television station of Hezbollah, emblazoning images on the
    screen showing pictures of corpses and claiming the Shiite militant group's leader
    Hassan Nasrallah was a liar….Israel also hacked into FM radio stations and instead of
    normal programs a two-minute recording was repeatedly broadcast…
    (Agence France-Presse, 8-2-06)

    Hezbollah monitors Israeli and international television news footage of scenes from
    rocket landings inside Israel and has used the broadcasts the past few weeks to more
    accurately target installations in the Jewish state…(World Net Daily, 8-14-06)


                   Glimpses into the 21ST Century Threat Matrix
Who & Why: Usual (& Unusual) Suspects?
• Jihadists
   – Economic & Psychological Blow
• Nation States (Hegemons & Rogues)
   – Distract & Debilitate Adversary
• Bizarro World (Cults & Loners)
   – Hasten Apocalypse, Tear Down Social Order
• Criminal Elements
   – Extortion, Reprisal
• Corporate and/or Internal Political Enemies
   – Foil Competitors, Subvert Democratic Institutions
                                            Truth is Stranger Than Fiction
                                  1984: “Shoko Asahara had a one-room yoga school, a handful of
                                  devotees, and a dream: world domination. A decade later, Aum
                                  Supreme Truth boasted 40,000 followers in six countries and a
                                  worldwide network ...” (David E. Kaplan, The Cult At The End of the World)

                                  1995: Aum Shinrikyo (Supreme Truth) cult carried six packages onto
                                  Tokyo subway trains … releasing deadly Sarin gas killing 12 persons and
                                  injuring more than 5,000. … first major attack using chemical weapons by
                                  a terrorist organisation … (History of War)

                                  2000: Japan’s Defense Agency delayed deployment of a new computer
                                  system after discovering that it used software developed by members of
                                  Aum Shinri Kyo. The Defense Agency was only one of 90 government
                                  organizations and private companies that unknowingly ordered software
                                  produced by the cult. (BBC, 3-1-00)

                                  2006: Japanese security officers raided 25 offices of the doomsday cult …
                                  after its founder lost a last appeal against his death sentence. (The
                                  Australian, 9-16-06)
                                            Truth is Stranger Than Fiction
                                 Theodore John Kaczynski, a.k.a. the Unabomber, mathematician,
                                 genius, loner and Luddite

                                 1978 – 1995: 15 bombings throughout the USA, killing 3 and
                                 wounding 23

                                 4-24-95: New York Times receives a letter from the Unabomber,
                                 promising to stop sending bombs if a 29,000- to 37,000-word article
                                 written by the group is printed

                                 9-19-95: Washington Post prints the Unabomber's 'manifesto' in an
                                 eight-page supplement

                                 4-3-96: Kaczynski, living as a recluse in a one-room cabin, turned in by
                                 his brother who thought Kaczynski's writings bore a striking
                                 resemblance to the Unabomber's manifesto



       Could the First Cyber War Be Domestic?


 Avi Rubin:

 "There are many things that we teach
 in Security 101 that were not
 understood by the developers of
 these machines…Within an hour of
 looking at the source code in the
 Diebold machines, we knew we were
 looking at very bad code…”

                                     (CBS, 1-3-03)


        Could the First Cyber War Be Domestic?
Examples of problems reported by GAO include…
  • Computer systems that fail to encrypt data files containing cast votes, allowing
    them to be viewed or modified without detection by internal auditing systems;
  • Systems that could allow individuals to alter ballot definition files so that votes
    cast for one candidate are counted for another;
  • Weak controls that allowed the alteration of memory cards used in optical scan
    machines, potentially impacting election results.
                                 (US GAO, 10-05)

Three fundamental points emerge from the NYU threat analysis…
  • All three voting systems have significant security and reliability vulnerabilities,
    which pose a real danger to the integrity of national, state, and local elections.
  • The most troubling vulnerabilities of each system can be substantially remedied if
    proper countermeasures are implemented at the state and local level.
  • Few jurisdictions have implemented any of the key countermeasures that could make
    the least difficult attacks against voting systems much more difficult to execute
    successfully.
                                 (Brennan Center, NYU, 6-06)
                                                                                  Hegemon
       Consider the implications of these three news stories …
                                  • China Economy to Overtake U.S. by 2035, Research
                                    Institute Says (Bloomberg, 7-9-08)
                                  • The 1.4 Trillion Dollar Question
                                     – “… the vast trade surplus—$1.4 trillion and counting,
                                        going up by about $1 billion per day—that the
                                        Chinese government has mostly parked in U.S.
                                        Treasury notes…” (Atlantic Monthly, Jan-Feb. ’08)
                                  • China Corners Market in a High-Tech Necessity
                                     – China supplies about 95 percent of world's
                                        consumption of “rare earths” (IHT, 1-22-06)




                                                                                     Hegemon
       In relation to these three news stories …
                                  • More Congressional Computers Hacked from China
                                    (The Hill, 6-21-08)
                                  • China Emerges As Leader in Cyberwarfare
                                      – Accused of Hacking Pentagon & Both British & German
                                        governments (CSM 9-14-07)
                                  • Almost half of malicious sites tied to 10 networks
                                      – 6 of 10 are Based in China (The Register, 6-24-08)




                                                   Hegemon




     19th Century Empire was built largely on Sea Power
     20th Century Empire was built largely on Air Power …
     Will 21st Century Empire be won with Cyber Power?



                                             Corporate Competitors

Recent High-Profile Stories Hint at Corporate Cyber War:
• Haephrati: Top Israeli blue chip companies, including a high-tech giant that trades in
  New York, are suspected of using illicit surveillance software to steal information from
  their rivals and enemies. The list of victims is equally impressive…(MSNBC,
  Associated Press, 6-1-05)
• HP: With Hewlett-Packard insiders and contractors facing fraud and conspiracy
  charges, a spotlight is being shone on the shady world of corporate intelligence. … a
  boardroom leak investigation that involved spying, accessing phone and fax records
  using false pretenses, and running a sting operation on a reporter, former HP
  chairwoman Patricia Dunn and four others were charged last week with fraud and
  conspiracy. (Information Week, 10-9-06)




                                   Secrets Stolen/Fortunes Lost
Secrets Stolen/Fortunes Lost: Preventing Intellectual Property
Theft & Economic Espionage in the 21st Century
   • Synergy Press (Elsevier)
   • ISBN 978-1-59749-255-3
My Co-Author: Christopher Burgess
   •   Senior Security Advisor, Cisco Systems
   •   Thirty years as a Covert Officer in the CIA
   •   Served as Senior Operations Officer and Chief of Station
   •   Awarded Distinguished Career Intelligence Medal




 Secrets Stolen/Fortunes Lost,
 Synergy Press, 2008                                              56
                                 Secrets Stolen/Fortunes Lost
The Challenge
• Insiders & Competitors
   – The Two Most Tangible, Most Common & Most Destructive Threats
• State Entities
   – The Most Sophisticated & Most Formidable Threat
• Counterfeiters, Pirates & Criminals
   – The Most Insidious & Most Pervasive Threat
The Strategy
• Elements of A Holistic Approach
• How to Sell Your Program

                                      Secrets Stolen/Fortunes Lost
Industrial Age Motives w/ Information Age Methods --

•      “Michael Haephrati, a software developer, created a clever managed service
       whereby he would provide custom Trojan software to these private investigators
       who would then use social engineering techniques to get the targets to install the
       Trojan on internal systems. For a $2,000 fee Haephrati would host any stolen
       documents and key stroke logs on servers in Germany and the UK.
•      “The police discovered the scheme when Haephrati's first wife took her computer in
       to them under suspicion of it being infected. Sure enough, it was, and the Israeli
       police tracked down the hosting servers and discovered thousands of documents
       from dozens of Israeli companies stored there.



                                    Secrets Stolen/Fortunes Lost
Using Trojan Horses Instead of Turning Insiders --

• “After three years four of the PI’s that used Michael Haephrati's Trojan software to gather
  competitive intelligence for their clients have finally been sentenced.
• “Eventually Haephrati and his current wife were extradited from England and supposedly
  sentenced to jail terms. … [Haephrati] claimed that there was no jail time, and that he was
  completely free. As a matter of fact he was going to continue to offer his Trojan Horse
  service but this time he would only work with ‘law enforcement agencies.’
• “What about the executives at Bezeq, Tami4, Pelephone, Cellcom, and the other
  companies that hired Private Investigators to engage in these activities?” (Network World,
  4-30-08)




                  Elements of Security Mitigate Risks & Threats

                                Scope of Risks & Threats

[Figure: three overlapping circles, Personnel Security, Information Security and Physical Security, drawn within the scope of risks & threats]


When Integrated, They Further Mitigate Risks & Threats
                                 Scope of Risks & Threats

[Figure: three integrated, overlapping circles, Personnel Security, Physical Security and Cyber Security, drawn within the scope of risks & threats]



                 Awareness & Intel Optimize Mitigating Factors

                                Scope of Risks & Threats

[Figure: the same three overlapping circles, Personnel Security, Physical Security and Cyber Security, flanked by Awareness & Education on the left and Intel on the right, within the scope of risks & threats]



     Awareness & Education: Model for Global Program

• Specifications:
   – Adaptable to All Industries & Sectors
   – Multi-Cultural, Multi-Lingual
   – Delivery System & Format for Guidance on All Aspects of an Organization’s
     Security: Personnel, Physical, Cyber, etc.
• Goals:
   – Economic
   – Efficient
   – Effective
• Five Subject Areas:
   – Cyber Security
   – Information Age Espionage
   – Cyber Crime
   – Emergency Preparedness & Response
   – Personnel Security
   – Physical Security
• Four Target Groups:
   – Total Workforce
   – IT Professionals
   – Human Resources & Operations
   – Executives & Support Staff
        Awareness & Education: Model for Global Program

• Practical Message for Entire Workforce
   – Practical Help for Both Work & Home Life
   – Monthly E-mail Newsletter
   – New Hire Orientation Presentation
   – E-Learning Module
   – Annual Global Security Day
   – Translated into Local Languages
• Intensive Technical Training for IT Professionals
   – Quarterly
   – Regional
   – Expert Instructors from Outside
   – Attacks & Countermeasures
   – Incident Response, IDS, etc.
   – Certification Training




 Awareness & Education: Model for A Global Program

• Intensive Training for Human Resources & Operations Professionals
   – Quarterly
   – Regional
   – Expert Instructors from Outside
   – Crisis Management
   – Business Continuity
• Executive Leadership & Staff
   – Executive Security Standards
      • Information Security
      • Personnel Security
      • Physical Security
   – Bi-Weekly Intel Briefing
      • 1 page organized into 5 sections
         » Europe, Middle East & Africa
         » Asia-Pacific
         » Americas
         » Global
         » Cyberspace
      • Includes threats & relevant initiatives


                   Awareness & Education: Secrets of Success

  • Intent
       – Engage
       – Enlighten
       – Empower
  • Content
       – Intriguing Themes
       – Credible Sources
       – Plausible Scenarios
       – Relevant to Both Current
         Events & Personal Life
                                 Secrets Stolen/Fortunes Lost
Elements of A Holistic Program --
• Personnel Security: Implement a "Personnel Security" program that
  includes both background investigations & termination procedures.
• Physical Security: Do not overlook the "Duh" factor.
• Information Security: Recruit people with academic training (e.g., CyLab)
  & professional certification (e.g., CISSP, CISM, etc.) Adopt best practices.
  Establish a baseline.
• Industry Outreach: Actively participate in industry working groups
  appropriate to your sector & environment. Sponsor research and education
  (e.g., CyLab)
• Government Liaison: Leverage your tax dollars.

                                 Secrets Stolen/Fortunes Lost
Elements of A Holistic Program --
• Intelligence: You need both business & security intelligence. Someone
  must be looking at both streams, with particulars of your enterprise in mind.
• Awareness & Education: Train your workforce on an ongoing basis about
  the threats of economic espionage, intellectual property theft, counterfeiting
  & piracy, & countermeasures
• Organization: Where security reports within an organization is the most
  vital issue.
• Legal Strategies: Don't let a small legal mind make decisions about big
  legal issues.



                                                  Conclusions
21st Century Risks & Threats Demand A Holistic Approach

           • No nation can go it alone
           • No corporation can go it alone
           • No individual or family can go it alone
           • A holistic approach integrates many elements --
              • Both strategic & tactical
              • Both technical & non-technical
              • Both professional & public

                                                                               Conclusions
   Four 21st Century Cyber Security Imperatives
           • Holistic Approach: Cyber Security, Physical Security & Personnel Security
             must be integrated – certainly at the operational level, preferably at the
             organizational level
           • Culture of Security: Security Awareness & Education must be revolutionized –
             to communicate the holistic approach, and to engage and empower the
             individual
           • Intelligent Approach: Intelligence and Risk Analysis must look at cyber
              security from the outside in, as well as from the inside out; e.g., dig into the front
             page stories and look for the cyber security implications, study the geopolitical
             and economic trends and look for the cyber security dimensions; do not limit
             your thinking to bits and bytes, or policies and standards, or attacks and
             countermeasures.
           • Harnessing the Future to Secure the Present: Academic research into new
             technologies must receive unprecedented funding to lead in the development of
             strategies and solutions for mobility, secure home computing, critical
             infrastructure protection and other vital areas of concern
                                                 Conclusions
Your Most Dangerous Adversary …
 In the Shadows of Cyberspace, Your Most
 Dangerous Adversary is Not the Hacker or the
 Spy or the Cyber Criminal or the Disgruntled
 Insider or even the Cyber Terrorist.

 Whether You Operate in the Corporate World or
 in the Government, Your Most Dangerous
 Adversary is Weak Leadership.



                                             Conclusions
Your Most Dangerous Adversary …
If Your Leaders are Small-Minded and
Self-Serving, No Amount of Timely
Intelligence, Sophisticated Technology,
and World-Class Expertise Will Protect
Your People, Your Secrets, Your
Organizations, or Your Country.




                                                                     Conclusions
Issues to Pursue Moving Forward
• IT Supply Chain Security
   – Not just IT supply chain, every supply chain – because the IT chain impacts them all
   – Look for opportunistic random distribution
• Virtual Worlds
   – Not just money laundering
   – Covert communication channel
   – Incredible access into the minds of individuals & groupings, to exploit, target, shape them
• Governance
   – What should be discussed in the Board Room
• Climate Change
   – The intersection of security & sustainability


Richard Power, Carnegie Mellon CyLab 2008
                                                                                            73
                                             Contact Information
Richard Power
• e-mail: richardpower@cmu.edu
• web: http://www.cylab.cmu.edu
• snail mail: Carnegie Mellon University,
  NASA AMES Research Park,
  Building 23 (MS21-11) Moffett Field, California, 94035-1000
• telephone: 650-335-2813




				