Current Threat Environment


Current Threat Environment
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Mark S. Sherman, PhD, Technical Director, CERT
mssherman@sei.cmu.edu
29-Aug-2014

Report Documentation Page (Standard Form 298, Rev. 8-98; Form Approved OMB No. 0704-0188)
- Report date: 29 AUG 2014
- Report type: N/A
- Title and subtitle: Current Threat Environment
- Author(s): Sherman, Mark S.
- Performing organization: Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
- Distribution/availability statement: Approved for public release, distribution unlimited.
- Supplementary notes: The original document contains color images.
- Security classification: report unclassified; abstract unclassified; this page unclassified
- Limitation of abstract: SAR
- Number of pages: 16

Copyright 2014 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution. This material was prepared for the exclusive use of Participants of C3E Workshop and may not be used for any other purpose without the written consent of permission@sei.cmu.edu.

Carnegie Mellon and CERT are registered marks of Carnegie Mellon University.

DM-0001785

Current Threat Environment
- Usual view of threat environment
- Looking backwards from today's threats
- Looking forwards to future threats
- The need for prevention is pressing

Usual view of threat environment
- 90% of US businesses report being hacked
- 59% report being hacked more than once
- Target Earnings Slide 46% After Data Breach
Sources: Ponemon Institute, CNNMoney study, May 28, 2014; McAfee Quarterly Threat Report, June 2014; Wall Street Journal, Feb 26, 2014; retailcustomerexperience.com, 5_lessons_learned_from_recent_retail_data_breaches.pdf

Looking backwards from today's threats
92% of the 100,000 incidents from the last 10 years can be described by 9 basic patterns:
- Insider misuse
- DOS attacks
- Cyber-espionage
- Crimeware
- Web app attacks
- Physical theft and loss
- Payment card skimmers
- Point-of-sale intrusions
- Miscellaneous errors

Looking forward to future threats
- Technology
- Evolving role of people in cyber security
- Learning from data: measurements, metrics, analysis

Cyber threats track evolution of technology
- Software is the new hardware
- Covering the next last mile
- Expanding endpoints

Software is the new hardware
- IT moving from specialized hardware to software, virtualized as
  - Memory
  - Storage
  - Servers
  - Switches
  - Networks
- Cyber-physical systems (CPS) evolving to a computer with interesting peripherals
  - Airplane function in software moved from 8% to 80% since 1960
  - Software defined radios drive communication
  - Television evolved to digital signal processors
- Hardware security needs software analogs
  - New programming models need secure coding guidelines
  - Guard against side channel attacks enabled by virtualization

Covering the next last mile: securing the border and end points
The last mile has expanded to
- Cellular
  - Main processor
  - Base band processor
  - Secure element (SIM)
- Industrial and home automation
  - SCADA
  - Bluetooth
  - Zigbee
- Automotive
  - Intravehicular: more than 50 networked processors
  - Vehicle to infrastructure (V2I): congestion management, emergency services, law enforcement
  - Vehicle to vehicle (V2V): safety, efficiency
- Aviation
  - Fly by wire
  - Next Gen air traffic control
- Smart grid
- Embedded medical devices

Evolving role of people in cyber security
- Analysts: Soaring need for cyber analysts
  - Bureau of Labor Statistics projects information security analyst jobs to increase by 20% or more through 2018
  - Need validated measurement and testing of needed skills, at individual and team level
  - Optimizing analyst effectiveness: Automation assists analysts
    - What can be automated and what left to the analyst
    - Trade off between training and application
- Developers: Development becoming assembly over creation
  - At least 75% of organizations rely on open source as the foundation of their applications
  - Weak or absent security tracking in the software supply chain
- Adversaries: Culture role in cyber security
  - Cultural influences on development and attack behavior

Learning from data: measurements, metrics, analysis
- Biggest challenges
  - Determining leading indicators
  - Reducing false positives
- Need to extract information from data from across the software lifecycle
- Applying techniques across disciplines including
  - Metric and model definition
  - Social and psychological experimentation
  - Machine learning
  - Statistical modeling
- Applications to
  - Real-time analysis
  - Retrospective insight

An ounce of prevention is worth a pound of cure
"We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security."
Bruce Schneier in Viega and McGraw, Building Secure Software, 2001

The need for prevention is pressing
- 19% fail to carry out security requirement definition
- 27% do not practice secure design
- 30% do not use static analysis or manual code review during development
- 47% do not perform acceptance tests for third-party code
- More than 81% do not coordinate their security practices in various stages of the development life cycle.
[Figure label: Mission thread (Business process)]
Source: Forrester Consulting, State of Application Security, January 2011

Security by default

Contact Information
- Phone: (412) 268-9223
- Email: mssherman@sei.cmu.edu
Web Resources (CERT/SEI)
- http://www.cert.org/
- http://www.sei.cmu.edu/
