© 2014 Carnegie Mellon University 
29-Oct-2014 
S5: New Threats to Cyber-Security 
Software Engineering Institute 
Carnegie Mellon University 
Pittsburgh, PA 15213 
Mark Sherman, PhD 
Technical Director 
Cyber Security Foundations, CERT 
mssherman@sei.cmu.edu
Copyright 2014 Carnegie Mellon University 
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. 
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. 
This material has been approved for public release and unlimited distribution. 
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. 
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University. 
DM-0001805
New Threats to Cyber-Security
• Usual view of threat environment
• Looking backwards from today’s threats
• Looking forwards to future threats
• The need for prevention is pressing
Usual view of threat environment
• 47% of US adults had their personal information exposed by hackers
• Nearly 250,000,000 malware artifacts by 1Q14
Sources: Ponemon Institute / CNNMoney study, May 28, 2014; McAfee Quarterly Threat Report, June 2014; Wall Street Journal, Feb 26, 2014; retailcustomerexperience.com, 5_lessons_learned_from_recent_retail_data_breaches.pdf
Looking backwards from today’s threats
92% of the 100,000 incidents from the last 10 years can be described by 9 basic patterns
• Insider misuse
• DoS attacks
• Cyber-espionage
• Crimeware
• Web app attacks
• Physical theft and loss
• Payment card skimmers
• Point-of-sale intrusions
• Miscellaneous errors
History will repeat itself, so future threats include today’s threats
Looking forwards to future threats
• Software is the new hardware
• Covering the next last mile
• Expanding endpoints
• Development is now assembly
Cyber threats track the evolution of technology
Software is the new hardware
IT is moving from specialized hardware to software, virtualized as
• Memory
• Storage
• Servers
• Switches
• Networks
Cyber-physical systems (CPS) are evolving into a computer with interesting peripherals
• Airplane function in software moved from 8% to 80% since 1960
• Software-defined radios drive communication
• Television evolved to digital signal processors

• Hardware security needs software analogs
• New programming models need secure coding guidelines
• Guard against side channel attacks enabled by virtualization
Covering the next last mile: securing the border and end points
The last mile has expanded to
• Cellular
  • Main processor
  • Baseband processor
  • Secure element (SIM)
• Automotive
  • Intravehicular: more than 50 networked processors
  • Vehicle to infrastructure (V2I): congestion management, emergency services, law enforcement
  • Vehicle to vehicle (V2V): safety, efficiency
• Industrial and home automation
  • SCADA
  • Bluetooth
  • Zigbee
• Aviation
  • Fly by wire
  • NextGen air traffic control
• Smart grid
• Embedded medical devices
Development is now assembly
Business application, built on:
• MongoDB
• Application server
• HTTP server
• XML parser
• MySQL database
• SIP servlet container
• GIF library
At least 75% of organizations rely on open source as the foundation of their applications
Open source is probably not secure
Heartbleed and Shellshock were found by exploitation
Other open source software illustrates vulnerabilities from cursory inspection
Source: Steve Christey (MITRE) & Brian Martin (OSF), “Buying Into the Bias: Why Vulnerability Statistics Suck,” https://media.blackhat.com/us-13/US-13-Martin-Buying-Into-The-Bias-Why-Vulnerability-Statistics-Suck-Slides.pdf
An ounce of prevention is worth a pound of cure
“We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security.”
Bruce Schneier, in Viega and McGraw, “Building Secure Software,” 2001
The need for prevention is pressing
Mission thread (business process)
• 19% fail to carry out security requirement definition
• 27% do not practice secure design
• 30% do not use static analysis or manual code review during development
• 47% do not perform acceptance tests for third-party code
• More than 81% do not coordinate their security practices across the stages of the development life cycle
Source: Forrester Consulting, “State of Application Security,” January 2011
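The "development is now assembly" slide and the 47% figure above point at the same gap: applications are built from third-party components, and many organizations never acceptance-test what they pull in. The script below is an added example, not material from the slides or from the SEI; it shows the smallest useful acceptance gate, an approved inventory of (component, version, pinned digest) that every build input must match. All component names, versions, digests and artifact bytes are constructed for the example; a real gate would read the reviewed SBOM or lockfile rather than a literal in code.

```python
"""Minimal acceptance gate for third-party components (added example).

Every component entering a build must (1) be in the reviewed inventory,
(2) be at an approved version, and (3) hash to the digest recorded when
that build was reviewed.  Names, versions, digests and bytes are constructed.
"""
import hashlib
from typing import Dict, List, Tuple

ComponentKey = Tuple[str, str]  # (name, version)


def artifact_digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


# Constructed approved inventory.  The digests are computed here from
# constructed bytes only so the example runs offline; in practice they are
# copied from the review record, never recomputed from the artifact under test.
APPROVED: Dict[ComponentKey, str] = {
    ("xml-parser", "2.1.0"): artifact_digest(b"xml-parser-2.1.0 reviewed build"),
    ("gif-lib", "5.0.1"): artifact_digest(b"gif-lib-5.0.1 reviewed build"),
}


def acceptance_check(name: str, version: str, data: bytes,
                     approved: Dict[ComponentKey, str] = APPROVED) -> List[str]:
    """Check one component.  Returns a list of findings; empty means it passes."""
    findings: List[str] = []
    key = (name, version)
    if key not in approved:
        # Distinguish an unreviewed version bump from a wholly unknown component.
        known_versions = sorted(v for (n, v) in approved if n == name)
        if known_versions:
            findings.append(f"{name} {version}: version not approved "
                            f"(approved: {', '.join(known_versions)})")
        else:
            findings.append(f"{name} {version}: component not in approved inventory")
        return findings
    if artifact_digest(data) != approved[key]:
        # Right name and version, wrong bytes: tampered, corrupted, or a different build.
        findings.append(f"{name} {version}: artifact digest does not match the reviewed build")
    return findings


def gate_build(build_inputs: List[Tuple[str, str, bytes]],
               approved: Dict[ComponentKey, str] = APPROVED) -> Tuple[bool, List[str]]:
    """Run the acceptance check over every build input.

    Returns (passed, findings).  The build passes only when no component
    produced a finding; findings are collected for all components so the
    report is complete rather than stopping at the first failure.
    """
    findings: List[str] = []
    for name, version, data in build_inputs:
        findings.extend(acceptance_check(name, version, data, approved))
    return (not findings, findings)


# Constructed build inputs: one matching component, one with different bytes,
# one unapproved version bump, and one component missing from the inventory.
SAMPLE_BUILD: List[Tuple[str, str, bytes]] = [
    ("xml-parser", "2.1.0", b"xml-parser-2.1.0 reviewed build"),
    ("gif-lib", "5.0.1", b"gif-lib-5.0.1 different bytes"),
    ("xml-parser", "2.2.0", b"xml-parser-2.2.0"),
    ("sip-servlet", "1.0.0", b"sip-servlet-1.0.0"),
]

if __name__ == "__main__":
    passed, report = gate_build(SAMPLE_BUILD)
    print("PASS" if passed else "FAIL")
    for line in report:
        print(" -", line)
```

Run on the constructed inputs, the gate fails with three findings (a digest mismatch, an unapproved version, and an unknown component); only the pinned, unmodified xml-parser passes. The useful design point is that the approved digest is a separate record from the artifact being tested: a check that hashes the artifact and compares it with itself proves nothing.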
Foresight leads to proactive defense 
Tracking evolution of technology arms developers for securing the next generation of applications
Contact Information 
Mark Sherman 
(412) 268-9223 
mssherman@sei.cmu.edu 
Web Resources (CERT/SEI) 
http://www.cert.org/ 
http://www.sei.cmu.edu/