Computer Security Innovation
IMHO
Presented for your consideration by: Fred Seigneur

2014 Cybersecurity Innovation Forum – Background and Vision
In spite of this insightful and accurate assessment that our current approach to Cybersecurity is unsustainable, and non-scalable, rather little innovation to “define and embrace a fundamentally different approach to enterprise architecture security – one that builds security in from the beginning as a robust and solid foundation upon which to conduct our transactions” was presented.

Foundational Weaknesses
Helm's Deep

Foundational Weaknesses
Such weaknesses exist, but are poorly understood and generally ignored

Computer Security - Defense in Depth
Helm's Deep had Defense in Depth

Computer Security - Defense in Depth
But, the fatal flaw was in the foundation

The Root(s) of the Problem
- Today’s Operating Systems are not secure and are too complex to secure by retrofit.
- Few Operating Systems or Applications are rugged.
  - Don’t verify inputs.
  - Crash leaving attack vectors for malicious code.
- Most current security “solutions” are “Band-Aid” approaches.

Operating Systems and Applications Lack a Basic Immune System
Like someone who must be protected by an external bubble
What’s wrong with this picture?
David Vetter, a young boy from Texas, lived his life - in a plastic bubble. Nicknamed "Bubble Boy," David was born in 1971 with severe combined immunodeficiency, and was forced to live in a specially constructed sterile plastic bubble from birth until he died at age 12.

Foundational Immune System Deficiencies
Two very serious foundational software problems
- Operating Systems
- Applications Software
Both of these have the same root cause
Software Developers do not write robust code. Why?
- They don’t know how
- They don’t know why it’s important
- They did not learn how, or why it’s so critical

Foundational Immune Deficiencies (Cont.)
Two very serious foundational educational problems
- Software developers have NOT been taught why or how to write robust and defensive code.
- Many CS Professors don’t know how to write robust and defensive code, or why it is necessary to teach it.

Long Term Solutions
- Better Education
  - Better Computer Security Education
  - Better CS and Engineering Education
  - Include Basic Computer Security Education Thread in Virtually All University/College Departments
- Create Demand for Foundational Security Solutions
  - IT Procurement Authorities & Staff
  - Users
  - University/College Accreditation Authorities

How Can This be Done?
- Some Universities understand these issues
- A few Educational Institutions have realized that they can differentiate themselves in the educational market by implementing steps such as those above.

The Current State of Cyber Security Practice
- Patch known holes
- Hope we fixed ALL the holes
- Small leaks can get bigger and some still remain undetected
But, then …
It is not IF your dam will break, it’s WHEN

Plan Ahead
- Your dam WILL break
- Start planning a downstream dam ASAP
- Existing components, available today, can be integrated to create a Secure Computing InFrastructure (SCIF*)
* SCIF – A compartmentalized infrastructure for processing sensitive information

Secure Computing Infrastructure
Preliminary Block Diagram
[Block diagram; labels recovered from the slide:]
- User Mode Partitions: User 1 Erlang Program, User n Erlang Program, Erlang Virtual Machine, Trusted Network Drivers, Encryption Services
- Kernel Mode: Separation Kernel (seL4)
- Hardware w/Trusted Platform Module (TPM)

Secure Computing Infrastructure
The block diagram in the previous slide is for the basic SCIF. It can be used in an embedded system and executes Erlang functions as transactions. One envisioned application is as a Secure Network Interface (SNIF), which can be used to verify and authenticate inputs to and outputs from a secure enclave. With two or more SCIF boards in a system, fault tolerance is supported using Erlang fault tolerance.
Development of SCIF applications and Administration of the SCIF and SNIF are supported via a virtualized instance of Linux, running atop seL4. This SCIF Management System (SMS) will also be fault tolerant, using Erlang's inherent fault tolerant capabilities.
The same architecture can be used to host other Linux applications in a more trusted and fault tolerant environment than with off the shelf Linux.

Phased Integration Plan
- Phase I – Feasibility Study
- Phase II - Proof of Concept/Demonstration
- Phase III – Field Trials