German OWASP Day 2016 CarIT Security: Facing Information Security Threats. Tobias Millauer

Similar documents
The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Threat analysis. Tuomas Aura CS-C3130 Information security. Aalto University, autumn 2017

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Security and Privacy in Car2Car Adhoc Networks

Internet of Things Security standards

Designing and Operating a Secure Active Directory.

CYBER RISK AND SHIPS :PRACTICAL ISSUES FOLLOWING BIMCO GUIDELINE

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

From Zero to Security Hero

Cybersecurity, safety and resilience - Airline perspective

Software Architectural Risk Analysis (SARA) Frédéric Painchaud Robustness and Software Analysis Group

Threat Modeling for System Builders and System Breakers!! Dan Copyright 2014 Denim Group - All Rights Reserved

Security and Architecture SUZANNE GRAHAM

How Threat Modeling Can Improve Your IAM Solution

*NSTAC Report to the President on the Internet of Things.

Threat Modeling OWASP. The OWASP Foundation Martin Knobloch OWASP NL Chapter Board

Software Architectural Risk Analysis (SARA): SSAI Roadmap

Overview of Information Security

Safety & Cybersecurity of embedded softwares in product and process

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

Cyberspace : Privacy and Security Issues

Threat Modeling Using STRIDE

Security Policies and Procedures Principles and Practices

Security Standardization and Regulation An Industry Perspective

Objectives of the Security Policy Project for the University of Cyprus

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

SANS Institute , Author retains full rights.

Practical Guide to Securing the SDLC

Information technology Security techniques Information security controls for the energy utility industry

_isms_27001_fnd_en_sample_set01_v2, Group A

Information Technology Branch Organization of Cyber Security Technical Standard

The Common Controls Framework BY ADOBE

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Threat Modeling For Secure Software Design

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

IANS Pragmatic Threat Modeling. Michael Pinch, IANS Faculty

LEXICON. An introduction to basic cybersecurity terminology and concepts THE (ISC) 2 CYBERSECURITY LEXICON 1

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Business continuity management and cyber resiliency

Secure Product Design Lifecycle for Connected Vehicles

NW NATURAL CYBER SECURITY 2016.JUNE.16

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

INTEGRATING AUTOMOTIVE HAZARD AND THREAT ANALYSIS METHODS: HOW DOES THIS FIT WITH ASSUMPTIONS OF THE SAE J3061

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Code of practice for information security management

Information Security Management System

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

The NIST Cybersecurity Framework

Medical Device Vulnerability Management

ISO/IEC Information technology Security techniques Code of practice for information security management

IoT & SCADA Cyber Security Services

Information Security Policy

Forensics and Active Protection

Security analysis and assessment of threats in European signalling systems?

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Information Assurance 101

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

NOSAC. Phase I and Phase II FINAL REPORT

Software Security Initiatives for Information Security Officers Marco Morana OWASP Cincinnati Chapter OWASP ISSA Cincinnati Chapter Meeting

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Must Have Items for Your Cybersecurity or IT Budget in 2018

ISO/IEC INTERNATIONAL STANDARD. Information technology Code of practice for information security management

ADIENT VENDOR SECURITY STANDARD

Juniper Vendor Security Requirements

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Procurement Language for Supply Chain Cyber Assurance

CYBER SECURITY AND MITIGATING RISKS

Development*Process*for*Secure* So2ware

Early Life Cycle Risk Analysis: Planning for Software Assurance

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Internet of Things Toolkit for Small and Medium Businesses

Cybersecurity requirements for financial services companies

Education Network Security

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

Embedding GDPR into the SDLC. Sebastien Deleersnyder Siebe De Roovere

Unit Compliance to the HIPAA Security Rule

Protecting your data. EY s approach to data privacy and information security

Towards Trustworthy Internet of Things for Mission-Critical Applications. Arjmand Samuel, Ph.D. Microsoft Azure - Internet of Things

Cyber Risks in the Boardroom Conference

InterCall Virtual Environments and Webcasting

Strategy is Key: How to Successfully Defend and Protect. Session # CS1, February 19, 2017 Karl West, CISO, Intermountain Healthcare

Catalog of Control Systems Security: Recommendations for Standards Developers. September 2009

Secure Access & SWIFT Customer Security Controls Framework

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Cybersecurity in Government

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

IT risks and controls

Security Management Seminar

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

LBI Public Information. Please consider the impact to the environment before printing this.

Cybersecurity Auditing in an Unsecure World

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Express Monitoring 2019

THE POWER OF TECH-SAVVY BOARDS:

Cyber Criminal Methods & Prevention Techniques. By

DEFINITIONS AND REFERENCES

Transcription:

German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer

Daimler Business Units German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 2

Daimler 284,000 employees worldwide German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 3

Daimler IT: 24x7x365 Present on 6 continents EMEA & Germany More than 500 sites cross linked NAFTA APAC IT services for 284.000 employees 15 1 Germany 9.136 locations in focus 41 Daimler group branches, 61 production locations, 9.034 distribution locations 19 6 LATAM German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 4

The Connected Car "Doc, I'm gonna keep eating cheeseburgers until I have a heart attack. Then we'll deal with it." - Wendy Nather 4. Now we know how we should have done it. 1. What is Information Security? 3. We must finish now and deal with the consequences. 2. We don t have time for Information Security. German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 5

The relationship of objects in a security chain Threat Exploits (Risk scenario) Security vulnerability Occurrence of Exposes Security event Classified as Security incident Implications on security (and safety) Asset German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 6

Self-improvement for security leaders https://securityintelligence.com/self-improvement-agenda-for-cisos-what-is-top-of-mind-for-2015/ German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 7

STRIDE Threat Model S Spoofing T Tampering R Repudiation I Information disclosure Authentication Integrity Non-Repudiation Confidentiality D Denial of service Availability E Elevation of privilege Authorization German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 8

HEAVENS Security Model Security Attributes Confidentiality Integrity Availability Authenticity Authorization Non-repudiation Privacy Freshness Impact Security Objectives Operational Safety Privacy Financial Legislations https://www.sp.se/en/index/research/dependable_systems/heavens/sidor/default.aspx German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 9

STRIDE Threat Model + HEAVENS Security Model S Spoofing T Tampering R Repudiation I Information disclosure Authentication, Freshness Integrity Non-Repudiation, Freshness Confidentiality, Privacy D Denial of service Availability E Elevation of privilege Authorization https://www.sp.se/en/index/research/dependable_systems/heavens/sidor/default.aspx German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 10

Vehicle Cybersecurity Protective/preventive measures and techniques These measures, such as isolation of safety-critical control systems networks or encryption, implement hardware and software solutions that lower the likelihood of a successful hack and diminish the potential impact of a successful hack. Real-time intrusion (hacking) detection measures These measures continually monitor signatures of potential intrusions in the electronic system architecture. Real-time response methods These measures mitigate the potential adverse effects of a successful hack, preserving the driver's ability to control the vehicle. Assessment of solutions This involves methods such as information sharing and analysis of a hack by affected parties, development of a fix, and dissemination of the fix to all relevant stakeholders. German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 11

Cybersecurity Best Practices for Modern Vehicles Vehicle Development Process With Explicit Cybersecurity Considerations Vulnerability Reporting/Disclosure Policy Vulnerability / Exploit / Incident Response Process Self-Auditing (Risk Assessments, Penetration Tests, Organizational Decisions) Fundamental Vehicle Cybersecurity Protections (see Details) Leadership Priority on Product Cybersecurity German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 12

E-Safety Vehicle Intrusion Protected Applications Security threat severity class Safety Aspects of security threats Privacy Financial Operational 0 No injuries. No authorized access to data. No financial loss. No impact on operational performance. 1 Light or moderate injuries. Anonymous data only (no specific driver of vehicle data) Low-level loss. Impact not discernible to driver. 2 Severe injuries. / Light/moderate injuries for multiple vehicles Identification of vehicle or driver. / Anonymous data for multiple vehicles. Moderate loss. / Low losses for multiple vehicles. Driver aware of performance degradation. / Indiscernible impacts for multiple vehicles. 3 Life threatening or fatal injuries. / Serve injuries for multiple vehicles. Driver or vehicle tracking. Identification of driver or vehicle, for multiple vehicles. Heavy loss. / Moderate losses for multiple vehicles. Significant impact on performance. / Noticeable impact for multiple vehicles. 4 Life threatening or fatal injuries for multiple vehicles. Driver or vehicle tracking for multiple vehicles. Heavy losses for multiple vehicles Significant impact for multiple vehicles. http://www.evita-project.org/ German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 13

Information Security Risk Management Treatment Strategy https://www.owasp.org/images/9/96/threatmatrix_medium.png German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 14

CC0 Public Domain Information Security Risk Management "Doc, I'm gonna keep eating cheeseburgers until I have a heart attack. Then we'll deal with it." - Wendy Nather German OWASP Day 2016 CarIT Security: Facing Information Security Threats Tobias Millauer 29.11.2016 Page 15

Tobias Millauer Information Security Architect CarIT

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback