Recommended
Recommended
More Related Content
Similar to Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
Similar to Where Bits & Bytes Meet Flesh and Blood - Joshua Corman (20)
More from SeniorStoryteller
More from SeniorStoryteller (20)
Recently uploaded
Recently uploaded (20)
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
- 1. November 15, 2016 Where Bits & Bytes Meet Flesh & Blood: DevOps, Cybersecurity, and the IoT Director | Cyber Statecraft Initiative Joshua Corman @joshcorman
- 2. www.iamthecavalry.org @iamthecavalry Safer | Sooner | Together @joshcorman @IamTheCavalry
- 3. Triggers…
- 14. CC : From: http://www.flickr.com/photos/maiabee/2760312781/
- 16. Disclosures
- 18. The Before Times Transition (5 years +/-) Better Times (2019 +/-) 2014 Pre-Market 1.0 2015 Hospira Precedent 2016 Post-Market 1.0 Manufacturer Disclosure
- 28. CC : From: http://www.flickr.com/photos/maiabee/2760312781/
- 29. X Axis: Time (Days) following initial HeartBleed disclosure and patch availability Y Axis: Number of products included in the vendor vulnerability disclosure Z Axis (circle size): Exposure as measured by the CVE CVSS score COMMERCIAL RESPONSES TO OPENSSL
- 31. https://www.usenix.org/system/files/login/articles/15_geer_0.pdf For the 41% 390 days CVSS 10s 224 days
- 32. 32
- 33. H.R. 5793 “Cyber Supply Chain Management and Transparency Act of 2014” • Elegant Procurement Trio 1) Ingredients: • Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd Party and Open Source Components (along with their Versions) 2) Hygiene & Avoidable Risk: • …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY) 3) Remediation: • …and must be patchable/updateable – as new vulnerabilities will inevitably be revealed
- 34. In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … Into XXX,XXX Applications… SEVEN YEARS after the vulnerability was fixed NATIONAL CYBER AWARENESS SYSTEM Original Notification Date: 03/30/2009 CVE-2007-6721 Bouncy Castle Java Cryptography API CVSS v2 Base Score: 10.0 HIGH Impact Subscore: 10.0 Exploitability Subscore: 10.0 PROCUREMENT TRIO + BOUNCY CASTLE
- 35. ACME Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech Enterprise Bank Retail Manufacturing BioPharma Education High Tech TRUE COSTS (& LEAST COST AVOIDERS)
- 36. AT WHICH POINT… SW LIABILITY?
- 37. HHS Task Force FDA Guidance DOJ Work Group DOD Policy EU Guidance DOC/NTIA Guidance Presidential Commissio n Report FTC Guidelines Congression al Letters DOT Principles NHTSA Guidance DHS Guidance
- 44. Triggers…
- 45. Uncomfortable Truths Require Uncomfortable Response Joshua Corman @joshcorman Director | Cyber Statecraft Initiative
Editor's Notes
- IMG SRC: http://circa71.files.wordpress.com/2010/08/cuy-river-fire1.jpg In 1969, the Cuyahoga River in Ohio caught on fire and stayed on fire…. ….it took this to finally get serious discussion about pollution. We believe a similar trigger will likely be required to cause SW Liability and/or significant criminalization of research changes.
- IMG SRC: https://www.pcrisk.com/images/stories/news/blackenergy-malware.jpg
- IMG SRC: http://www.healthcareitnews.com/sites/default/files/hollywoodpresbyterian2hitn.png
- Artists MAR Williams – commision artwork by Joshua Corman and Brian Martin "Building a Better Anonymous" Series by Joshua Corman and Brian Martin: http://blog.cognitivedissidents.com/2011/12/20/building-a-better-anonymous-series-part-0/ http://bit.ly/vhaaAP
- Hyperconnected, software-defined everything
- See also: http://media.vanityfair.com/photos/566f300dc70e5cef14686b91/master/pass/junaid-hussain-isis-anonymous-hacker-a.jpg
- http://www.sfexaminer.com/imager/deepwater-horizon-oil-spill/b/big/2593933/f8a3/Gulf_Oil_Spill_Trial_Cong.jpg BP Oil Spill – weeks of oil flow – nightly news – brand damage - cost
- IMG SRC: http://www.healthcareitnews.com/sites/default/files/hollywoodpresbyterian2hitn.png
- From: http://www.flickr.com/photos/maiabee/2760312781/ CC status: share with attribution Credit: Maia Valenzuela
- http://www.k9tec.com/wp-content/uploads/2011/10/beware-of-dog-shepherd.jpg Vs https://img1.etsystatic.com/046/0/8940891/il_214x170.676543507_88cr.jpg https://www.iamthecavalry.org/oath/ ★ Third Party Collaboration Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith? A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers. Researchers are invited to contribute to automotive safety as willing allies to help discover and address flaws before adversaries and accidents can impact vehicle safety. Such coordinated exchanges are more positive, productive, and impactful than other alternatives. Your attestation serves as a commitment and a protocol for teaming. Key Elements: Standard Based: Use of vetted ISO standards for vendor side disclosure practice and for internal vulnerability handling (ISO 29147 and ISO 30111) accelerate an organization’s maturity and ensure predictable, normalized interfaces to researchers and facilitators. Positive Incentives: Positive “Recognition & Reward” systems can further encourage and stimulate participation in bug reporting. Several prominent “Hackathon,” “Hall of Fame,” and “Bug Bounty” programs have proven successful and continue to drive iterative improvements. Exemplars can be provided. Known Interfaces: Independent vulnerability disclosure coordinators have normalized the interfaces between affected manufacturers and third-party researchers. These include non-profits organizations, bug bounty companies and government agencies. This too can support both greater efficiency and greater participation.
- From: http://www.flickr.com/photos/maiabee/2760312781/ CC status: share with attribution Credit: Maia Valenzuela
- Qualitative takeaways: Virtually all major (and not so major) software vendors are building on a stack of open source (including security vendors). The breadth of use across some vendors, IBM most notably is remarkably high (open source is not just in a few rogue products). New discoveries are getting more serious over time. New discoveries are getting less vendor attention (fewer vendor disclosures) despite their being more serious. Vendors are responding to new discoveries at a somewhat slower pace. The significant increase in product disclosures after the later OpenSSL disclosures, which affect all versions of OpenSSL not just versions 1.0.1 or later, implies that many vendors and products were using old libraries (version 0.9.8 was first released in July, 2005). Total disclosures: 227 Total product instances affected by disclosures: 2,513 Mean time to repair: 35.8 Median time to repair: 22.0
- Here are just a few examples so you can see that this risk is real… Bouncy Castle is a popular open source component… and even after critical security alerts were issued in 2009, 4000 companies still downloaded it 20,000 times. And that was five years after a better, safer replacement was issued. This is a level 10 critical security risk. Imagine the exposed applications out there… maybe some of them store your personal credit card data or other personal information.
- IMG SRC: http://circa71.files.wordpress.com/2010/08/cuy-river-fire1.jpg In 1969, the Cuyahoga River in Ohio caught on fire and stayed on fire…. ….it took this to finally get serious discussion about pollution. We believe a similar trigger will likely be required to cause SW Liability and/or significant criminalization of research changes.