Perspectives on Cybersecurity

Size: px

Start display at page:

Download "Perspectives on Cybersecurity"

Louisa Walters
5 years ago
Views:

1 Perspectives on Cybersecurity Beau Woods Cyber Safety Innovation Fellow, Atlantic Council Leader, I Am The Cavalry (.org) 2019 Winter Conference February 2, 2019

2 What s at stake

3 Mirai took out large parts of the Internet

4 Mirai took out large parts of the Internet Ukrainian grid black out by hacking

5 Mirai took out large parts of the Internet Ukrainian grid black out by hacking WannaCry shutters 30% of UK NHS

6 Mirai took out large parts of the Internet Ukrainian grid black out by hacking WannaCry shutters 30% of UK NHS NotPetya disrupts global logistics & manufacturing, including vaccines

7 Are you vulnerable?

8 Vulnerabilities reported to NIST per year

9 Software Complexity Modern Car Facebook Windows Vista Hadron Collider Boeing 787 Android Google Chrome Linux Kernel Mars Curiosity Hubble Telescope F-22 Raptor Space Shuttle Millions of Lines of Software Code

10 Supply Chain Vulnerabilities Millions of Lines of Software Code

11 Is this how hacks work? Highly Skilled Hacker Days Best Defenses Known/Available

12 OPM DNC Mirai WannaCry NotPetya Equifax Known but Unmitigated Vulnerabilities Known but Unmitigated Vulnerabilities Known but Unmitigated Vulnerabilities Known but Unmitigated Vulnerabilities Known but Unmitigated Vulnerabilities Known but Unmitigated Vulnerabilities

13 Forecasted Global Cybersecurity Spending, : $ 1 TrillionI Am The

14 ONE HUNDRED PERCENT of FORTUNE companies will be hacked over the same time period I Am The

15 In 2018, Apple became the world s first $1 Trillion company.

16 In 2019, Apple will spend around $1 Billion on security.

17 Last week, a 14-year old reported a major security flaw in Apple s products.

18 Are you vulnerable?

19 Know your hackers

Capabilities Nation State IR RU US UK FR IL NK SK CN AU Increasingly Willing Exploit Dev Coders Criminals DDoS Blackhat SEO Professional Operators Social

20 Capabilities Nation State IR RU US UK FR IL NK SK CN AU Increasingly Willing Exploit Dev Coders Criminals DDoS Blackhat SEO Professional Operators Social Bots Hosting Ransomware Botnets Accident Increasingly Hard to Distinguish 5kr1p7 K1dd13 Willingness Increasingly capable Hacktivists Terrorists Ideological

21 I Am The Cavalry Five Motivations of Security Researchers Protect Puzzle Pride/Prestige Profit/Payment Protest/Patriot

22 Jay Radcliffe Security researcher Diabetic patient Father of diabetic patient Protect

23 Vulnerability Research, Disclosure, and Law

24 Launched January 29

26 DMCA Rules Intended to fight counterfeiting of DVDs Makes illegal circumvention of a technical protection mechanism (TPM) to access copyrighted works CFAA is the primary tool to prosecute cybercrimes

to avoid any harm to individuals or the public US DOJ in favor of exemptions:

27 DMCA Exemptions Solely for good-faith security research On a lawfully acquired device With the authorization of the owner Conducted in an environment designed to avoid any harm to individuals or the public US DOJ in favor of exemptions: the DMCA was not created to protect [voting machines], and is ill-suited to do so.

28 Supply Chain Risk

29 Supply Chain Risk Vectors Supplier facilitated risk Implementation, operation, and maintenance Counterfeit Unverified components Malicious Taint Subverted components or systems Unintended Taint Known software vulnerabilities

32 Transparency & Awareness

33 Procurement Guidance

34 Perspectives on Cybersecurity Beau Woods Cyber Safety Innovation Fellow, Atlantic Council Leader, I Am The Cavalry (.org) 2019 Winter Conference February 2, 2019

35 Appendix

36 Coordinated Vulnerability Disclosure US Department of Commerce, NTIA Template ISO/IEC Standard for Vulnerability Disclosure ISO/IEC Standard for Vulnerability Handling Processes National Governor s Association US Department of Justice It Takes a Village Comic (Atlantic Council and HackerOne)

37 BSides Events Tracker Hackers: the Internet s immune system (TED Talk, Keren Elazari Can hackers break my heart (TEDx Talk, Marie Moe)

40 Countermeasures Situational Awareness Endpoint Security Active Defense Intrusion Prevention Anti-Everything Penetration Testing Threat Intelligence Security Monitoring Threat Hunting Operational Excellence Coordinated Vulnerability Disclosure DevSecOps Visible Ops Vulnerability Management Change Management Egress Filtering Network Admission Control Defensible Infrastructure Secure by Design Secure Baseline Configurations Secure Deployment Guidance Operating System and Software Support Lifetimes Software Updateable Software Ingredients or Components List Evidence Capture and Logging

41 Countermeasures Situational Awareness Operational Excellence Defensible Infrastructure $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $

42 Countermeasures Situational Awareness Operational Excellence Defensible Infrastructure $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $

43 Code of Practice for IoT Security 1. No default passwords 2. Coordinated vulnerability disclosure policy 3. Keep devices updated

Security Standardization and Regulation An Industry Perspective

Security Standardization and Regulation An Industry Perspective Dr. Ralf Rammig Siemens AG Megatrends Challenges that are transforming our world Digitalization In the future, we ll be living in a world