National Defense University
Information Resources Management College
“The global hub for educating, informing, and connecting Information Age leaders.”
Cyber Security: “Defending Industry & 
Economic Prosperity”
Detroit, 27 September 2012
Dr. Robert D. Childs, 
Chancellor, National Defense University iCollege
Opinions and views expressed in this tutorial are those of the author and do not reflect the official policy or position of the Information Resources
Management College, the National Defense University, the Department of Defense, or the U.S. Government.
Agenda
• Cyber Shockwave: the threat is here & now.
• Four cyber threats to industry and U.S. 
economic prosperity.
1. “Securing the Cloud” – Cloud Computing 
security.
2. “The Insider Threat” – espionage, data 
exfiltration & loss of intellectual property.
3. “Attacks on Critical Infrastructure, Industrial 
Control Systems (ICS) and SCADA.”
4. “Social Media” – the cyber workforce & security
• Educating the Cyber Workforce 
The Cyber Security Epidemic*
* The trend continued in 2011
Growth of the Asymmetric Cyber Threat
[Figure: sophistication (low to high) plotted over time, 1980 through 2010 ~ 2015 and “…next?”. Two trends: sophistication of hacking tools & elite hackers increasing; sophistication required of common hackers declining. Labels on the chart include: cross site scripting, password guessing, self‐replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, graphic user interface, automated probes/scans, denial of service, www attacks, “stealth” / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, staging, sophisticated C2, espionage & data exfiltration.]
“Industry is getting hacked [and] government is getting hacked. What we need to do is come together and form best practices.”
‐Gen. Keith Alexander, U.S. Cyber Command, 27 July 2012
Threat #1 ‐ “Securing the Cloud”
• Cloud computing provides flexible, cost‐effective delivery of 
business or consumer IT services over the Internet. 
– Helps businesses improve service delivery, reduce  IT management costs 
and respond to dynamic business requirements. 
– Cloud resources can be rapidly deployed, easily scaled, and respond to 
increased demand, regardless of the user location. 
• Public and private cloud models, or a hybrid approach using 
both models, are now in use.
– Public clouds are acquired as a service and paid for on a per‐usage 
basis or by subscription. 
– Private clouds are owned and used by a single organization. 
– Private clouds offer many of the same benefits as public 
clouds, but give the owner greater flexibility and security.
IBM Global Technology Services
Thought Leadership White Paper
“Strategies for assessing cloud security,” Nov 2010
Risk Concerns with Cloud Computing
• Cloud computing  introduces risk because essential services are often 
outsourced to 3rd party service providers.
– Inside the cloud, it is difficult to physically locate where data is stored. 
– Business data is stored and processed externally in multiple unspecified locations 
[sometimes overseas].
• Security processes that were once visible on physical 
computer servers are now hidden behind layers of “virtual 
machine” servers. 
– Harder for users to maintain data integrity, privacy, security, service availability, and 
demonstrate compliance with federal & state regulations. 
– Users from different corporations and trust levels often share the same set of computing 
resources, but with different security requirements. 
• This lack of visibility can cause concerns about:
– Data exposure, compromise, and theft [exfiltration].
– Application services &  reliability.
– Regulatory compliance.
– Overall security management.
IBM Global Technology Services
Thought Leadership White Paper
“Strategies for assessing cloud security,” Nov 2010
Cloud  Computing Security – Promises & Disappointments
Threat #2 ‐ “The Insider Threat”
• "In March 2012, it was reported that Blue Cross Blue Shield of Tennessee paid out a settlement of 
$1.5 million to the U.S. Department of Health and Human Services arising from potential violations 
stemming from the theft of 57 unencrypted computer hard drives that contained protected health 
information of over 1 million individuals."
• "A retailer reported in May 2011 that it had suffered a breach of its customers’ card data. The 
company discovered tampering with the personal identification number (PIN) pads at its checkout 
lanes in stores across 20 states."
• "In mid‐2009 a research chemist with DuPont Corporation reportedly downloaded proprietary 
information to a personal e‐mail account and thumb drive with the intention of transferring this 
information to Peking University in China and also sought Chinese government funding to 
commercialize research related to the information he had stolen."
• "Between 2008 and 2009, a chemist with Valspar Corporation reportedly used access to an internal 
computer network to download secret formulas for paints and coatings, reportedly intending to 
take this proprietary information to a new job with a paint company in Shanghai, China."
• "In December 2006, a product engineer with Ford Motor Company reportedly copied 
approximately 4,000 Ford documents onto an external hard drive in order to acquire a job with a 
Chinese automotive company."
* "Cyber Threats Facilitate Ability to Commit Economic Espionage," U.S. 
government General Accountability Office (GAO) report # GAO‐12‐876T, 
dated 28 June 2012
The Ultimate “Insider Threat” – Wiki‐Leaks
Julian Assange, an Australian Internet activist
Bradley E. Manning, United States Army
Pvt. Manning, disgruntled over U.S. war efforts, allegedly stole, downloaded and smuggled 
electronic documents out of the headquarters he was assigned disguised as music CDs. 
In 2010, over 391,832 secret documents on the Iraqi war, 77,000 classified Pentagon documents on the Afghan 
conflict, and 250,000 individual cables — the daily traffic between the State Department and more than 270 
American diplomatic outposts around the world – were stolen and leaked to Internet activists.     
[http://topics.nytimes.com/top/reference/timestopics/organizations/w/wikileaks/index.html]
Fareed Khan/Associated Press
Data Protection Against Insider Threats 
Steps for Protecting Against the “Insider Threat”
• Designate a senior manager to oversee business 
sensitive information sharing and safeguarding efforts 
for the company.
– Have written policies acknowledged by all employees.
• Implement an insider threat detection and prevention 
program. 
– Establish standards for what constitutes normal use and 
authorized access to business information.
– Policies should also address the company’s right to 
monitor use of company network resources.
• Perform self‐assessments of employee compliance 
with business sensitive information sharing and use 
policies.
– Results reported annually to a senior managers’ steering 
group or Board of Directors.
Threat #3 – “Attacks on ICS & SCADA Systems”
• Information technology (IT) and software enable 
almost everything we do in the public & private 
sectors.
– Especially in our critical infrastructures (water, electricity, 
transportation, financial, public health, emergency 
response, etc.).
• Cyberspace interconnects this global network of 
Critical Infrastructure and Key Resources.
• What controls our Critical Infrastructures?
–Industrial control systems (ICS)
–Supervisory control and data acquisition (SCADA)
What Does an Attack on ICS/SCADA Look Like?
Suki Video
Real Life: Malware Takes Down Production Line
Case Profile: Daimler Chrysler
Summary
In August 2005, 13 US auto plants were shut down by a simple Internet 
worm. Despite professionally installed firewalls separating the Internet, 
the company network and the control network, the Zotob worm had made 
its way into the control system (probably via a laptop).
Once in the control system, it was able to travel from plant to plant in 
seconds. Approximately 50,000 assembly line workers ceased work during 
the outages.
Cause of incident
Introduction of malicious code via a secondary pathway into the control 
network.
Cost impact
$14 Million (estimated)
Source: http://www.tofinosecurity.com/why/Case‐Profile‐Daimler‐Chrysler
Compromising the Electrical Grid with a Smart Phone
Max Cornelisse – Electrical Grid Video (in Danish)
How easy is it to gain control of the electrical power running your business?
Attacking Critical Infrastructure
Computer worms. 
A computer worm can be designed to 
specifically target industrial software and equipment and 
cause physical destruction. 
The worm initially spreads indiscriminately, but includes 
a highly specialized malware payload that is designed to 
target only specific SCADA systems that are configured to 
control and monitor specific industrial processes.  For 
example, an electric power generator.
How to Secure the Nation’s Critical Infrastructure
• The Federal Energy Regulatory Commission (FERC)
– Established a division to mitigate cyber threats on the electric grid [19 
Sep 2012].
– Best practice & communications with private‐sector businesses.
– but, still lacks many of the enforcement capabilities  (cyber legislation) 
it needs from Congress.
• “Guide to Industrial Control Systems (ICS) Security”      
NIST Special Publication 800‐82
– Nat’l Institute of Standards & Technology (NIST) “Best Practices.”
• Supervisory Control and Data Acquisition (SCADA) systems.
• Distributed Control Systems (DCS).
• Control system configurations, Programmable Logic Controllers (PLC).
– Appendix C: lists approximately 30 national and  international 
organizations developing secure operating procedures for ICS.
Threat #4 ‐ Social Media “Pros & Cons”
Pros of social networking
• Valuable for marketing, consumer 
outreach,  releasing new product 
information, and personnel 
recruiting. 
• Communication between senior 
executives, employees, 
colleagues, and industry partners.  
• Often the primary means through 
which younger employees [“the 
Millennials”] communicate with 
friends and families. 
Potential security risks
• Possible source of violations of 
company information use 
policies.
• Proprietary information loss and 
exfiltration due to malware, social 
engineering, and phishing attacks.
• Network bandwidth drain. 
Social Media & the Cyber Workforce
• As part of educating the workforce, there needs 
to be written social media policies on:
– Video upload & download.
– Blogs  & online diary posts.
– Text messaging use.
– File sharing software use – e.g., Bit Torrent.
– Using certain cell phone applications (“apps”) – e.g., 
GPS tracking for cyber stalking.
– Lending corporate network access to 3rd parties using 
smart phone technology.
• Policies should also address the company’s right 
to monitor use of company resources.
Questions?
Dr. Robert D. Childs
Chancellor, National Defense University – iCollege
300 5th Avenue, Marshall Hall
Washington, DC 20319  USA
Office: 1 202 685 3886
Fax: 1 202 685 3974
e‐mail: ChildsRD@ndu.edu
iCollege website: www.ndu.edu/iCollege