Transcript of Homeland Security Advanced Research Projects Agency The Threat Landscape – A U.S. Perspective...
- Slide 1
- Homeland Security Advanced Research Projects Agency: The Threat Landscape, A U.S. Perspective. March 13, 2014, CSIT 2014, Belfast, Northern Ireland. Douglas Maughan, Division Director. http://www.dhs.gov/cyber-research
- Slide 2
- Presenters Name June 17, 2003 Presentation Outline
- Threat Space
- The Human Challenge
- Top Technical / Policy Challenges: Critical Infrastructure Security; Software Assurance; Mobile Device (and App) Security; Distributed Denial of Service Defenses; Cyber-Physical Systems; Cybersecurity Workforce; Legal and Ethical R&D
- Summary
- Slide 3
- Environment: Greater Use of Technology, More Threats, Less Resources
- More threats: Globalization & Transportation; Natural Disasters & Pushing Beyond Design Limits; Misuse of Technology; Border Security & Immigration; Cyber Domain; Violent Extremism; Insider Threat
- Less resources
- Nature of Innovation: both sides get to innovate; predictive & reactive
- Aviation as an example: low cost of entry; strategic potential; anywhere in the world in 24 hours; historical perspective; tenuous balance
- Slide 4
- Cyber Threats and Sources
- Malware: malicious software to disrupt computers (viruses, worms); theft of intellectual property or data
- Hacktivism: cyber protests that are socially or politically motivated
- Mobile devices and applications and their associated cyber attacks
- Social engineering: enticing users to click on malicious links
- Spear phishing: deceptive communications (e-mails, texts, tweets)
- Domain Name System (DNS) hijacking
- Router security; Border Gateway Protocol (BGP) hijacking
- Denial of Service (DoS): blocking access to web sites
- Others
- Sources: nation states, cyber criminals, hackers/hacktivists, insider threats, terrorists, DTOs, etc.
- Slide 5
- Cyberspace Definitions
- "Cyberspace is [our nation's critical infrastructures'] nervous system - the control system of our country. Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow our critical infrastructures to work." (National Strategy to Secure Cyberspace, 2003)
- "Cyberspace means the interdependent network of IT infrastructures, and includes the internet, telecomms networks, computer systems, and embedded processors and controllers in critical industries." (NSPD 54, 8 Jan 2008)
- "A cyber environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks." (International Telecommunications Union X.1205, Overview of Cybersecurity, Oct 2008)
- "The terms cyber security and information assurance refer to measures for protecting computer systems, networks, and information from disruption or unauthorized access, use, disclosure, modification, or destruction." (Federal Plan for Cyber Security and Information Assurance Research and Development, Apr 2006)
- "The interdependent network of information and communications technology infrastructures, including the Internet, telecommunications networks, computer systems and networks, and embedded processors and controllers in facilities and industries." (White House Cyberspace Policy Review, May 2009)
- AND PEOPLE!!!
- Slide 6
- Example of a Cyber Intrusion: Determined Attacker
- 1. Targeted phishing email
- 2. User clicks on link to hostile website or opens attachment
- 3. Infected computer beacons to attacker and waits for commands
- 4. Attacker takes direct control of remote machine inside encrypted session; all traffic over common ports (25, 80, 443)
- 5. Attacker compromises administrator credentials
- 6. Attacker moves laterally through the network, compromising additional machines, and searches for desired information
- 7. Targeted information is packaged and exfiltrated
- 8. Infected machines sit idle and wait for further instructions, or remove evidence of intrusion
- Unique IPs used for each attack phase
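Step 3 of the walkthrough above (the infected host beaconing out over ports 25, 80 and 443 and waiting for commands) is the phase a defender can catch by timing rather than by content, since the traffic itself blends in with ordinary mail and web traffic. The following is an added example, not part of the original slides: it parses constructed connection records (the log format, host addresses and thresholds are assumptions) and flags flows whose inter-arrival times are regular enough to look like polling.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: "<ISO time> <src_ip> <dst_ip> <dst_port> <bytes>".
# 10.1.2.50 polls one host every ~5 min (a beacon); 10.1.2.51 browses irregularly.
SAMPLE_LOG = """\
2014-03-13T09:00:00 10.1.2.50 203.0.113.9 443 512
2014-03-13T09:05:01 10.1.2.50 203.0.113.9 443 498
2014-03-13T09:10:00 10.1.2.50 203.0.113.9 443 520
2014-03-13T09:14:59 10.1.2.50 203.0.113.9 443 505
2014-03-13T09:20:00 10.1.2.50 203.0.113.9 443 511
2014-03-13T09:25:01 10.1.2.50 203.0.113.9 443 499
2014-03-13T09:00:30 10.1.2.51 198.51.100.20 80 8120
2014-03-13T09:02:10 10.1.2.51 198.51.100.20 80 1200
2014-03-13T09:11:45 10.1.2.51 198.51.100.20 80 4040
2014-03-13T09:30:05 10.1.2.51 198.51.100.20 80 250
2014-03-13T09:31:00 10.1.2.51 198.51.100.20 80 640
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) per record; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            port = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], port


def find_beacons(text, min_hits=5, max_jitter=0.1, watch_ports=(25, 80, 443)):
    """Return {(src, dst, port): mean gap in seconds} for flows that look periodic:
    at least min_hits connections on a watched port, with the inter-arrival
    gaps' coefficient of variation <= max_jitter. Regular timing is the tell;
    byte counts are ignored on purpose, since beacons are small."""
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port in watch_ports:
            flows[(src, dst, port)].append(ts)
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons
```

Running `find_beacons(SAMPLE_LOG)` reports only the 10.1.2.50 flow (about every 300 s); raising `max_jitter` shows how quickly the irregular browsing flow becomes a false positive, which is why the threshold needs tuning against a site's own baseline.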
- Slide 7
- Presentation Outline (repeated from Slide 2 as a section divider)
- Slide 8
- Cybersecurity for the 16 Critical Infrastructure Sectors
- Business / Personal: shopping & banking; point of sale (in store / on line), see Target, for example; personal social media
- DHS provides advice and alerts to the 16 critical infrastructure areas
- DHS collaborates with sectors through Sector Coordinating Councils (SCC)
- Slide 9
- Homeland Security Office of Cybersecurity and Communications: Executive Order (EO) on Improving Critical Infrastructure Cybersecurity / Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience
- Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to: develop a technology-neutral voluntary cybersecurity framework; promote/incentivize adoption of cybersecurity practices; increase the volume, timeliness and quality of cyber threat information sharing; incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure; explore existing regulation to promote cyber security
- Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to: develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time; understand cascading consequences of infrastructure failures; evaluate and mature the public-private partnership; update the National Infrastructure Protection Plan; develop a comprehensive research and development plan
- "America must also face the rapidly growing threat from cyber attacks. That's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy." President Barack Obama, 2013 State of the Union. Credit: White House / Pete Souza
- Slide 10
- Software Assurance
- Software is everywhere, and WE ALL ARE VULNERABLE.
- Market pressures are forcing early release of untested software.
- According to Trustwave's 2013 Global Security Report, SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.
- Slide 11
- More Software Numbers
- Poor software quality has become one of the most expensive topics: $150+ billion/yr. and $500+ billion/yr. worldwide. Source: Capers Jones
- Software failures account for 24% of all medical device recalls. Source: Threatpost via FDA study
- NIST study suggests that software errors cost the US economy an estimated $59.5 billion annually, of which 1/3 of costs, or $22.2 billion, could be removed with improved software quality testing and tools.
- Slide 12
- Software Evolution
- Codebases are HUMONGOUS: common software applications, some apps scale near 60 MLOC
- Software assurance tools typically can't scale to this amount of code
- Codebase size contributes to code complexity; more features usually means more code
- Spaghetti code typically results in poor quality of code
- Slide 13
- Software Evolution - 2
- CodeEval: "Every year we release data on the 'Most Popular Programming Languages' based on thousands of data points we've collected by processing over 100,000+ coding tests and challenges by over 2,000+ employers. For the third year in a row, Python retains its #1 dominance followed by Java, C++, and Javascript. This year's most noticeable changes were a 300% increase in Objective-C submissions, a 100% surge in C#, as well as a 33% increase in Javascript submissions while PHP lost -55%, Perl dropped -16%, and Java shrank -14%."
- Slide 14
- SWAMP Vision Document: http://continuousassurance.org/wp-content/uploads/2013/10/SWAMP-VISION-10.28.13.pdf
- "The Software Assurance Marketplace has been carefully constructed, developed and implemented with community feedback. It is with this approach we expect the SWAMP to be a revolutionizing force in the software assurance community for years to come. A software assurance marketplace is a great place for the community to meet for research collaboration and technical exchange. The concept of the marketplace has influenced and shaped the vision outlined in this document; ideally the vision is to provide a unique set of services and capabilities that can be leveraged by the community, creating a collaborative marketplace for continuous assurance." Kevin E. Greene, DHS S&T Software Assurance Program Manager
- Slide 15
- Mobile Device Growth (chart: # units shipped, in millions, by Desktop PC, Portable PC, Tablet and Smartphone). 2012 total: 1,201.1. 2017 (projected) total: 2,250.3.
- Slide 16
- 2013 Mobile Threats / Vulns. Source: http://www.symantec.com/security_response/publications/threatreport.jsp?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Apr_worldwide_ISTR18
- Slide 17
- 2013 Mobile App Testing (chart: testing results for 50 popular mobile apps, iOS/Android, % with issues in each category: Stored Username, Stored Password, Medium or High Risk, Other Risks, Failed MITM; values shown range from ~15% to 100%)
- Slide 18
- DDoS Attacks 101
- Command and Control: nation state, criminal organization, hacktivist groups, etc.
- Control over a vast number of compromised devices: desktops, laptops, and even refrigerators! http://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html
- Attack traffic originated from multiple locations throughout the Internet
- Victim is overwhelmed. Examples include: 400 Gbps of traffic to a 10 Gbps access link; millions of requests to a server designed for thousands; 1000s of 911 calls to a system designed for hundreds
- Both brute force and clever ways to overwhelm the target
- Slide 19
- Threat: DDoS Volume
- Challenge: shift advantage in DDoS events toward defense
- Distributed Denial of Service attacks render key systems and resources unavailable, effectively denying users access to the service
- Current advantage favors attackers: attack resources are cheap (compromised machines) while defense requires provisioning; attackers easily cross boundaries while defense requires cross-organization collaboration
- NY Times: "Attacks used the internet against itself to clog traffic"; attack traffic exceeds 400 Gbps!
- USA Today: "Why DDoS attacks continue to bedevil financial firms"; adversaries may potentially be nation states
- eWeek: "DHS, FBI Warn of Denial-of-Service Attacks on Emergency Telephone Systems"
- Slide 20
- Cyber-Physical Systems
- Cyber physical systems are becoming ubiquitous: smart cars, smart grids, smart medical devices, smart manufacturing, smart homes, and so on
- You will bet your life on many of these systems
- Fast moving field focusing on functionality now, and will bolt on security later
- "Drones Could Help Tulsa Firefighters During Search, Rescue"
- PPD 21 identifies critical infrastructure as interdependent functions and systems in both the physical space and cyberspace and aims to strengthen security and resilience against both physical and cyber attacks
- "Just like the Internet in its early days, car networks don't employ very much security"
- Opportunity now to build security into emerging cyber physical designs: transportation (auto, UAVs, aeronautical, rail), manufacturing, healthcare, energy, agriculture, emergency response
- Slide 21
- Recent Solicitation: http://www.nsf.gov/pubs/2014/nsf14542/nsf14542.htm
- II.C.1 U.S. DHS S&T Homeland Security Advanced Research Project Agency (HSARPA): "DHS S&T encourages R&D in cybersecurity to enhance the resilience of critical information infrastructure. HSARPA has particular interests in security technologies relevant to cyber-physical systems. The NITRD CPS Senior Steering Group's 2012 CPS Vision Statement, which notes CPS research gaps, identifies drivers and technologies for CPS related to transportation, emergency response, energy, and healthcare are considered especially relevant for HSARPA. Relevant technologies include cybersecurity approaches for guarding against malicious attacks on CPS as well as diagnostics and prognostics that aim to identify, predict, and prevent or recover from faults."
- CPS Vision Statement
- Slide 22
- Workforce Shortage
- (Reuters) - "For the governments and corporations facing increasing computer attacks, the biggest challenge is finding the right cyber warriors to fight back. Hostile computer activity from spies, saboteurs, competitors and criminals has spawned a growing industry of corporate defenders who can attract the best talent from government cyber units. The U.S. military's Cyber Command is due to quadruple in size by 2015 with 4,000 new personnel while Britain announced a new Joint Cyber Reserve last month. From Brazil to Indonesia, similar forces have been set up. But demand for specialists has far outpaced the number of those qualified to do the job, leading to a staffing crunch as talent is poached by competitors offering big salaries."
- Slide 23
- A National Problem
- Enhance public awareness: (1) augment current messaging to promote policies and practices that support Administration priorities, such as EO 13636 and PPD-21, and (2) develop messaging that targets senior executives of critical infrastructure companies (e.g., CEOs, Boards of Directors).
- Expand the pipeline: (1) expand formal education at the post-secondary level, including both four-year and two-year institutions, and (2) establish new National Academic Consortiums for Cybersecurity Education (government, colleges/universities, high schools, middle schools, technical academies, industry, professional organizations).
- Evolve the profession: (1) identify critical cybersecurity workforce skills through a national cybersecurity Workforce Inventory and Gap Analysis and continued development of Cybersecurity Workforce Forecasting Tools, and (2) provide access to free or low-cost training for the identified critical skills.
- NICE was established in support of the Comprehensive National Cybersecurity Initiative (CNCI) Initiative 8: Expand Cyber Education Interim Way Forward, and is comprised of over 20 federal departments and agencies.
- Slide 24
- Cybersecurity Education
- Cyber security competitions (http://nationalccdc.org): NCCDC (collegiate); U.S. Cyber Challenge (high school)
- National Initiative for Cybersecurity Education (NICE)
- Competitions provide a controlled, competitive environment to assess a student's depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems.
- WHY competitions? Hands-on approach is better than book learning, and provides opportunities to perform real world defense. Measurable: can determine if participants are getting better/smarter. Easier than internships, etc. for younger and minority students. Private sector companies can more easily provide supporting funding.
- Slide 25
- Who else is supporting these activities? NATIONAL CHAMPIONSHIP
April 25-27, 2014 in San Antonio, TX
- Slide 26
- Legal and Ethical R&D
- Menlo Report: Ethical Principles Guiding Information and Communications Technology Research (ICTR); something similar to the Belmont Report for human subject research (from the 1970s)
- Principles: Respect for Persons; Beneficence; Justice; Respect for Law and Public Interest
- Companion Report: 21 case studies examined
- Slide 27
- Summary
- Cybersecurity research is a key area of innovation to support our global economic and national security futures
- Must focus on the human aspect of cyberspace: education, training, and awareness aspects of our current and future cybersecurity workforce
- No shortage of technical challenges; everyone gets to innovate in their own way
- Collaboration is essential; no single government / university / company is going to solve this problem alone
- Look at future technical agendas with the most impact for the global community
- Need to continue strong emphasis on technology transfer and experimental deployments
- Slide 28
- For more information, visit http://www.dhs.gov/cyber-research and http://www.dhs.gov/st-csd
- Douglas Maughan, Ph.D., Division Director, Cyber Security Division, Homeland Security Advanced Research Projects Agency (HSARPA), douglas.maughan@dhs.gov, 202-254-6145 / 202-360-3170
- Slide 29
- Slide 30
- Transition To Practice (TTP) Program
- R&D sources: DOE National Labs; FFRDCs (Federally Funded R&D Centers); Academia; Small Business
- Transition processes: testing & evaluation; red teaming; pilot deployments
- Utilization: open sourcing; licensing; new companies; adoption by cyber operations analysts; direct private-sector adoption; government use
- Implements the Presidential Memorandum "Accelerating Technology Transfer and Commercialization of Federal Research in Support of High-Growth Businesses" (Oct 28, 2011)