Keynote : CODE BLUE in the ICU! by Jeff Moss

Thinking about network safety in a public health light.

Explains network safety by analogy to public health.



  1. Code Blue in the ICU! Thinking about network safety in a public health light. © Jeff Moss – jm@defcon.org
  2. http://chrisharrison.net/
  3. 1. Nation States want SECRETS
  4. 1. Nation States want SECRETS
     2. Organized Criminals want MONEY
  5. 1. Nation States want SECRETS
     2. Organized Criminals want MONEY
     3. Protesters want ATTENTION
  6. 1. Nation States want SECRETS
     2. Organized Criminals want MONEY
     3. Protesters want ATTENTION
     4. Hackers & researchers want KNOWLEDGE
  7. 1. Nation States want SECRETS
     2. Organized Criminals want MONEY
     3. Protesters want ATTENTION
     4. Hackers & researchers want KNOWLEDGE
     That’s you guys!
  8. Hackers & Researchers point the way!
     - Discover new classes of vulnerabilities
     - Expose poor product security
     - Spur public debate
  9. Hackers & Researchers point the way!
     - Discover new classes of vulnerabilities
     - Expose poor product security
     - Spur public debate
     Criminals and Governments don’t do this. It’s not in their interests.
  10. All these groups need the net to work
  11. Q: What if there is a 5th group that doesn’t?
  12. Denial of service is increasing
      [Chart: DDoS in Gigabits per second, plotted for 2010, 2011, Mar-12, Oct-12, Apr-13, Feb-14 and Sept-14 ?; labelled points: NTP RAMP, CloudFlare, DNS RAMP, SpamHaus]
  13. When investing: Specialize for larger risk / returns
  14. When investing: Specialize for larger risk / returns. Diversify to reduce risk / returns
  15. We now have clouds of complexity
  16. We have virtual clouds of complexity
  17. The failure modes of Complex systems are impossible to predict
  18. I like the Code Blue press release: “Code Blue is a hospital emergency code that indicates a patient in need of immediate medical attention, or that calls for relevant teams to respond immediately. We named the conference after the code because we hope to save the world by combining people’s knowledge” http://japandailypress.com/white-hat-hackers-to-gather-at-code-blue-cybersecurity-conference-in-tokyo-1043926/
  19. Public health analogy
      • No one thinks they are going to cure cancer
      • Diseases are “managed”, very few are ever eliminated
      • It is possible to be re-infected
  20. Public health analogy
      • No one thinks they are going to cure cancer
      • No administrator thinks they can ever be perfectly secure
      • Diseases are “managed”, very few are ever eliminated
      • Very few classes of vulnerabilities are ever eliminated
      • It is possible to be re-infected
      • A new variant of an old vulnerability can re-infect your systems
  21. This is a healthy way of thinking
  22. Perimeter security. Involves: Security department, IT department, Application teams
  23. an artist Babis Cloud has made 'hedonIsM(y) trojaner', an installation of the ancient greek trojan horse from computer keyboard bu
  24. They are already inside your perimeter. Involves: Security department, Legal department, IT department, Communications, Application teams, Risk Management, Public Relations, Finance, R&D
  25. The year is 2014
      • You still can’t send secure email easily
      • You can’t have a secure mobile phone call
      • Web browsing securely is essentially impossible
      • Name resolution is insecure, but getting better
      Why? What has failed us?
  26. We are running out of options
      1990s • Consumer Selection
  27. We are running out of options
      1990s • Consumer Selection: Consumers can’t make informed security product decisions
  28. We are running out of options
      1990s • Consumer Selection: Consumers can’t make informed security product decisions
      2000s • Insurance Pressure
  29. We are running out of options
      1990s • Consumer Selection: Consumers can’t make informed security product decisions
      2000s • Insurance Pressure: Lack of data prevents the creation of actuarial tables
  30. We are running out of options
      1990s • Consumer Selection: Consumers can’t make informed security product decisions
      2000s • Insurance Pressure: Lack of data prevents the creation of actuarial tables
      2010s • Regulations
  31. We are running out of options
      1990s • Consumer Selection: Consumers can’t make informed security product decisions
      2000s • Insurance Pressure: Lack of data prevents the creation of actuarial tables
      2010s • Regulations: Governments are reluctant to regulate the fast moving inte
  32. That leaves us. We must provide leadership and direction where and when we can. We need to help companies do the right thing through education and configuration.
  33. “First, Do No Harm” – Auguste François Chomel, 1847. Primum non nocere. “Sometimes it may be better to not do something, or even better to do nothing, than to risk causing more harm than good.”
  34. “First, Do No Harm” – Auguste François Chomel, 1847. To me this can be applied to information security when thought of as a public safety issue:
      • Do no harm to the trust of users – be open about your policies
      • Be honest about the risks of using technology
      • Do not let wishful thinking influence your decisions
  35. Community Immunity (Also known as Herd Immunity Theory) “A form of immunity that occurs when the vaccination of a significant portion of a population provides a measure of protection for individuals who have not developed immunity.”
  36. Three Modes of Immunity
  39. Community Immunity only applies to diseases that are contagious
      Disease     Transmission       Immunity threshold
      Mumps       Airborne droplet   75 - 86%
      Pertussis   Airborne droplet   92 - 94%
      Rubella     Airborne droplet   80 - 85%
      Smallpox    Social contact     83 - 85%
  40. Three Modes of Immunity
      1. No one is immunized – Contagious disease spreads through the population
      2. Some of the population gets immunized – Contagious disease spreads through some of the population
      3. Most of the population is immunized – Spread of contagious disease is contained
  41. Three Modes of Immunity
      1. No one is immunized – Contagious disease spreads through the population
         Networks and systems are not maintained – Malware spreads through networks without notice and little to stop them
      2. Some of the population gets immunized – Contagious disease spreads through some of the population
      3. Most of the population is immunized – Spread of contagious disease is contained
  42. Three Modes of Immunity
      1. No one is immunized – Contagious disease spreads through the population
         Networks and systems are not maintained – Malware spreads through networks without notice and little to stop them
      2. Some of the population gets immunized – Contagious disease spreads through some of the population
         Some networks and systems are not maintained – Malware is sometimes noticed and removed, and spreads through some of the population
      3. Most of the population is immunized – Spread of contagious disease is contained
  43. Three Modes of Immunity
      1. No one is immunized – Contagious disease spreads through the population
         Networks and systems are not maintained – Malware spreads through networks without notice and little to stop them
      2. Some of the population gets immunized – Contagious disease spreads through some of the population
         Some networks and systems are not maintained – Malware is sometimes noticed and removed, and spreads through some of the population
      3. Most of the population is immunized – Spread of contagious disease is contained
         Most all networks and systems are maintained – Malware is noticed most of the time and removed, actions are taken to protect other systems besides your own.
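The immunity thresholds in the table on slide 39 and the three modes on slides 40 to 43 can be reproduced in a small model. The following is an added example, not part of the talk: it computes the classic herd-immunity threshold 1 - 1/R0 and simulates malware spreading over a constructed random contact network in which a chosen fraction of hosts is patched (immunized). The host count, contacts per host, transmission probability and seeds are assumed parameters.

```python
import random

def herd_immunity_threshold(r0):
    # Classic epidemiology result: containment needs 1 - 1/R0 of hosts immune,
    # where R0 is how many hosts one infected host compromises when nobody is immune.
    return 0.0 if r0 <= 1.0 else 1.0 - 1.0 / r0

def simulate_outbreak(n_hosts, contacts, p_transmit, immunized_fraction, seed):
    """Fraction of hosts ever infected in one run of a constructed contact model.

    Assumed model (not from the talk): each host talks to `contacts` random peers; an
    infected host compromises each unpatched peer with probability p_transmit, so R0 is
    roughly contacts * p_transmit. Immunized (maintained, patched) hosts are never infected.
    """
    rng = random.Random(seed)
    immune = set(rng.sample(range(n_hosts), int(n_hosts * immunized_fraction)))
    susceptible = [h for h in range(n_hosts) if h not in immune]
    if not susceptible:
        return 0.0
    peers = {}
    for h in range(n_hosts):
        chosen = set()
        while len(chosen) < contacts:
            p = rng.randrange(n_hosts)
            if p != h:
                chosen.add(p)
        peers[h] = chosen
    infected = {rng.choice(susceptible)}  # patient zero is an unpatched host
    ever_infected = set(infected)
    while infected:  # each loop is one generation of the outbreak
        nxt = set()
        for h in infected:
            for p in peers[h]:
                if p not in immune and p not in ever_infected and rng.random() < p_transmit:
                    nxt.add(p)
        ever_infected |= nxt
        infected = nxt
    return len(ever_infected) / n_hosts

def mean_outbreak(immunized_fraction, runs=10, n_hosts=1000, contacts=5, p_transmit=0.6):
    # Average over several seeds so one unlucky early die-out does not dominate.
    return sum(simulate_outbreak(n_hosts, contacts, p_transmit, immunized_fraction, s)
               for s in range(runs)) / runs

if __name__ == "__main__":
    r0 = 5 * 0.6  # contacts * p_transmit for the defaults above
    print(f"R0 ~ {r0:.1f}; containment needs ~{herd_immunity_threshold(r0):.0%} immunized")
    for frac in (0.0, 0.5, 0.9):
        print(f"{frac:.0%} immunized -> {mean_outbreak(frac):.1%} of hosts infected")
```

With the defaults R0 is about 3, so the model needs roughly two thirds of hosts patched before an outbreak stops reaching most of the population; below that, the unpatched hosts are the ones that keep the malware circulating, which is the talk's "partially immunized" mode.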
  45. Firewall as Vaccination?
  46. Vaccinate yourself and others. Can protecting your network and systems with a firewall or router act as a “virtual vaccine”? Can your network peers get a conferred benefit?
  47. Do Nothing or “Not Immunized”
      Don’t do anything additional on your network
      Don’t go out of your way to monitor your systems
      Don’t stay up to date on patches or application updates
  48. Do Nothing or “Not Immunized”
      PRO:
      • Least expensive option, no training or changes necessary
      • Requires no network or application modifications
      CON:
      • You are part of the problem and possibly causing harm
      • There might be legal consequences
  49. Protect only yourself or “Partially Immunized”
      Protect your systems and applications, but not those of others
  50. Protect only yourself or “Partially Immunized”
      Protect your systems and applications, but not those of others. Examples:
      • Secure your systems by patching, updating, selecting good software
      • Filter spoofed inbound traffic to your network, but not outbound
      • Enable DNSSEC validation on your DNS, but do not sign your zones
      • Limit spam by checking for SPF records and using DNS blackholes, but not publishing your own SPF records
  51. Protect only yourself or “Partially Immunized”
      PRO:
      • Lower cost than being fully immunized
      • You are better protecting your systems against misuse by others
      CON:
      • You only take actions that protect your systems – not those of others
      • Higher management and configuration overhead
  52. Protect yourself and others or “Fully Immunized”
      Same as “Partially Immunized” but you take additional actions to protect those around you.
  53. Protect yourself and others or “Fully Immunized”
      Same as “Partially Immunized” but you take additional actions to protect those around you. Examples:
      • Prevent source address spoofing from leaving your network
      • DNSSEC sign your zone files so others can rely on the data
      • Disable recursion on your name servers to limit amplification attacks
      • Publish an SPF record to reduce spam by telling other networks about your mail server
  54. Protect yourself and others or “Fully Immunized”
      PRO:
      • You are “conferring an immunity” to some degree to others
      • Most beneficial to all users of the internet
      • Best security stance for yourself and those around you
      CON:
      • Most expensive to maintain due to configuration maintenance
      • You need better trained staff to stay current on best practices
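Slides 50 and 53 separate measures that protect only your own network from measures that also protect your peers. As an added example, not from the talk, the following Python turns that distinction into a posture check over constructed inputs: a zone's TXT/DS/RRSIG records, a BIND-style options block and a Cisco-style egress ACL (all assumed, none describing real infrastructure) are graded with the talk's three labels. The SPF check is stricter than the slide: it also requires a terminating -all or ~all, since a record without one makes no statement about other senders.

```python
import re

# Constructed sample inputs (not real infrastructure): a zone's public records, the
# options block of a BIND-style name server, and a router-style egress ACL.
# 192.0.2.0/24 is documentation address space standing in for "our network".
ZONE_RECORDS = {"TXT": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
                "DS": ["12345 13 2 <digest-placeholder>"], "RRSIG": ["A 13 2 3600 <sig-placeholder>"]}
NAMED_OPTIONS = """
options {
    recursion yes;
    allow-recursion { 127.0.0.1; 192.0.2.0/24; };
    dnssec-validation auto;
};
"""
EGRESS_ACL = ["permit ip 192.0.2.0 0.0.0.255 any", "deny ip any any"]

def publishes_spf(txt_records):
    # Slide 53: publish SPF. Stricter here: exactly one record, terminated by -all or ~all.
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    return len(spf) == 1 and spf[0].split()[-1].lower() in ("-all", "~all")

def zone_is_signed(records):  # slide 53: DS at the parent plus RRSIGs over the data
    return bool(records.get("DS")) and bool(records.get("RRSIG"))

def validates_dnssec(options_text):  # slide 50: protects you, confers nothing on others
    return re.search(r"dnssec-validation\s+(auto|yes)\s*;", options_text) is not None

def recursion_restricted(options_text):
    # Slide 53: no open recursion for outsiders, which removes an amplification vector.
    if re.search(r"\brecursion\s+no\s*;", options_text):
        return True
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", options_text)
    if not m:
        return False  # recursion yes with no allow-recursion ACL: open to anyone
    entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return bool(entries) and all(e not in ("any", "0.0.0.0/0") for e in entries)

def egress_spoof_filtered(acl, own_prefix):  # slide 53: only our own source addresses may leave
    permits = [line for line in acl if line.startswith("permit")]
    return bool(permits) and all(own_prefix in line for line in permits) and "deny ip any any" in acl

def immunity_mode(records, options_text, acl, own_prefix="192.0.2.0 0.0.0.255"):
    # Map the checks onto the talk's three modes; own_prefix is a Cisco-style address/wildcard pair.
    others = [publishes_spf(records.get("TXT", [])), zone_is_signed(records),
              recursion_restricted(options_text), egress_spoof_filtered(acl, own_prefix)]
    if all(others):
        return "Fully immunized"
    return "Partially immunized" if validates_dnssec(options_text) or any(others) else "Not immunized"
```

Dropping the DS/RRSIG records from the sample zone moves it from "Fully immunized" to "Partially immunized": the resolver still validates for its own users, but nobody else can rely on the zone's data.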
  55. DNSSEC is available to the majority of internet users. https://www.dnssec-deployment.org/
  56. What if you don’t own or operate a network?
  57. Donate Resources
  58. Donate resources
  59. Donate resources: http://folding.stanford.edu/
  60. Different communities: Companies, Governments, Individuals
  61. Think of the Future
      Next Generation technologies are starting to be deployed. Can we use them to help protect ourselves and others?
      DNSSEC = You can trust the answers from DNS
      DANE = Risk of rogue SSL CAs virtually eliminated
      IPv6 = IPSEC support, less NAT, better attribution, future growth
  62. Has thinking about network health in a public safety light helped?
