NDIA INCOTE Introduction to the SEI November 12, 2015

1 NDIA INCOTE Introduction to the SEI November 12, 2015

2 Notices

Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA C with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at

Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.

DM

3 SEI Vision: Leading and advancing software and cybersecurity to solve the nation's toughest problems

4 Established as a DoD FFRDC at Carnegie Mellon University in 1984
Only DoD R&D center focused on software and cybersecurity
Offices in Pittsburgh, Arlington, and Los Angeles
About 600 staff (~400 tech staff)

5 Our Mission and Strategy
To support the Nation by advancing the science, technologies, and practices needed to acquire, develop, operate, and sustain software systems that are innovative, affordable, trustworthy, and enduring

We achieve our mission through Research, Collaboration, Development and Demonstration, and Transition:
Research: advancing the science and practice
Collaboration: bringing together and building on work found in industry, academia, and government
Development and Demonstration: maturing promising technologies and practices and demonstrating their utility through trial application and prototypes
Transition: propagating proven technologies and practices through publication, standards and other venues

7 We Serve a Broad Spectrum of Stakeholders
DoD and Federal customers
Commercial organizations
Researchers, developers, users, and acquirers—government, commercial, and academic
Key industries and organizations with the potential to advance software engineering and related disciplines

8 SEI Software Solutions Division
The Software Solutions Division produces, and transitions to practice, methods, solutions, and services that measurably improve software-reliant systems—ensuring that critical mission capabilities are achieved in a predictable, affordable, and sustainable way.

Focus areas include
Agility at Scale/Development Techniques
Cyber-Physical Systems, including autonomy
Edge Computing Issues
Lifecycle program support, from acquisition through sustainment, including independent program reviews
Empirical Research Office
Measurement and Estimation
Software Architecture

9 SEI CERT Division
The CERT Division produces and transitions technologies and practices that reduce the opportunity for—and limit the damage of—cyber attacks.

Focus areas include
Cyber Risk Management
Digital Intelligence & Investigations
Insider Threat
Incident Management
Vulnerability Analysis
Operational Resilience
Secure Coding
Cybersecurity Engineering
Situational Awareness
Workforce Development

10 Our Systems are Under Constant Attack

11 Attack Sophistication vs. Intruder Technical Knowledge
[Figure: Attack Sophistication vs. Intruder Technical Knowledge. Timeline 1990 to 2010; scale Low to High; curves labelled "Attack Sophistication" and "Average Intruder Knowledge"; a region labelled "Anticipated Attacks". © 2007 Carnegie Mellon University.]
Attack categories labelled on the chart (in the order they survive in the transcript; their position on the timeline is not recoverable here): malicious counterfeit hardware; persistent malware infiltration & persistent surveillance; propagation of malicious code; “stealth”/advanced scanning techniques; adaptive, high-impact, targeted attacks on critical infrastructures; sophisticated command & control; control systems targeted; widespread attacks using NNTP to distribute attack; supply-chain compromises; increase in worms; coordinated cyber-physical attacks; widespread attacks on DNS infrastructure; increase in targeted phishing & vishing; DDoS attacks; massive botnets; executable code attacks (against browsers); widespread attacks on client-side software; automated widespread attacks; anti-forensic techniques; home users targeted; GUI intruder tools; widespread attacks on web applications; distributed attack tools; hijacking sessions; increase in wide-scale Trojan horse distribution; Internet social engineering attacks; widespread denial-of-service attacks; techniques to analyze code for vulnerabilities without source code; Windows-based remote controllable Trojans (Back Orifice); automated probes/scans; packet spoofing.

12 Our Systems are Increasingly Complex
Biplane: 0 SLOC (No Code!)
Apollo Lunar Module: 2K SLOC
SR-71: 500K SLOC
F-35: 9.9M SLOC

Apollo Lunar Module: Programmed on IBM punch cards, mostly hardcoded (like ROM). A problem in the rendezvous radar interface stole approximately 13% of the computer's duty cycle, resulting in software restarts. Erroneous data caused the thrust of the LM's descent engine to fluctuate wildly because the throttle control algorithm was only marginally stable.
SR-71: Innovation in the Astro-Inertial Nav system. Recording systems gathered information from the SLR and ELINT systems for ground analysis. In the later years, a data-link system could send ASARS-1 and ELINT data from about 2,000 nmi (3,700 km).
F-35: In 2007/2008 LMC reported several TB of design data stolen; BAE reported cyber espionage of the F-35; possible interception of telemetry from test flights.

Pulleys and hydraulics could be physically tested, and the results of the test were more easily observable/measurable. With software, deep inspection is more difficult, so the actual step-by-step operation is not as easy to inspect through testing, and certainly not as easily measured. So, while software has enabled higher degrees of features and functions, it comes with the tradeoff that potential failures may not be observable until they actually occur.

Image credits: Biplane: encyclopediaofalabama.org; Lunar module: clipart.dk.co.uk; SR-71: fas.org; F-35: wpclipart.com

13 Software and System Complexity Increases Cyber Attack Surface
Critical infrastructures
Cloud/networked systems
Legacy system upgrades
Insider threats
Mobile devices
Complex software supply chain

14 Finding Exploits is a Matter of Time…
As of today, internet scans by MassScan reveal 300,000 of the original 600,000 remain unpatched or unpatchable.

From NIST’s NVD (National Vulnerability Database):
CVE /5/2014 CVSS Severity: 4.3 MEDIUM  Siemens *
CVE /5/2014 CVSS Severity: 6.8 MEDIUM  Siemens *
CVE /5/2014 CVSS Severity: 4.3 MEDIUM
CVE /5/2014 CVSS Severity: 6.8 MEDIUM
CVE /6/2014 CVSS Severity: 4.3 MEDIUM  Siemens *
CVE /29/2014 CVSS Severity: 7.5 HIGH
CVE /24/2014 CVSS Severity: 5.8 MEDIUM  ** DISPUTED **
CVE /15/2014 CVSS Severity: 5.8 MEDIUM
CVE /14/2014 CVSS Severity: 4.0 MEDIUM
CVE /7/2014 CVSS Severity: 5.0 MEDIUM  HeartBleed
CVE /25/2014 CVSS Severity: 4.3 MEDIUM
CVE /24/2014 CVSS Severity: 4.3 MEDIUM
CVE /14/2014 CVSS Severity: 1.9 LOW
CVE /5/2014 CVSS Severity: 6.4 MEDIUM
CVE /17/2014 CVSS Severity: 4.0 MEDIUM
CVE /8/2014 CVSS Severity: 4.3 MEDIUM
CVE /1/2014 CVSS Severity: 5.8 MEDIUM
…

* Siemens was affected by 4 OpenSSL flaws beyond HeartBleed, one from 2010.

“Several Siemens products used for process and network control and monitoring in critical infrastructure sectors are affected by four vulnerabilities in the company's OpenSSL cryptographic software library. The vulnerabilities – CVE , CVE , CVE , and CVE – can be exploited remotely, and fairly easily, to hijack a session as part of a man-in-the-middle attack or to crash the web server of the product, according to a Thursday ICS-CERT post. Siemens has already issued updates for APE versions prior to version and WinCC OA (PVSS), but has only issued temporary mitigations for CP1543-1, ROX 1, ROX 2, and S. The products are typically used in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors, according to the post.”

15 Mitigation Calls for Multi-Pronged Solution
Better software engineering practices
Improved security and resilience practices
Larger skilled workforce

16 Mitigation Calls for Multi-Pronged Solution
Better software engineering practices
Improved security and resilience practices
Larger skilled workforce

17 Get Software Right
“We wouldn't have to spend so much time, money, and effort on network security if we didn't have such bad software security.”
Bruce Schneier in Viega and McGraw, “Building Secure Software,” 2001

TSP folks already know that fixing software earlier in the lifecycle is cheaper. This slide applies the same idea to security: fixing security earlier is cheaper as well. If we have problems in the current threat environment and operations, let's look to see what can be done to solve them early in the software lifecycle.

18 Catching Faults Early Saves Money
Faults account for 30–50 percent of total software project costs
Sources: Critical Code; NIST, NASA, INCOSE, and Aircraft Industry Studies

19 Mitigation Calls for Multi-Pronged Solution
Better software engineering practices
Improved security and resilience practices
Larger skilled workforce

20 Assets That Impact Operational Resilience
Facilities
Information
People
Supply Chain / Raw Material
Technology

21 Mitigation Calls for Multi-Pronged Solution
Better software engineering practices
Improved security and resilience practices
Larger skilled workforce

22 Develop Your Workforce: Recruit, Train, Educate, Retain
The development of engineering and cyber professionals is not keeping pace with the exponential growth of challenges faced by the USG and all critical infrastructure sectors.
Because software is pervasive, cybersecurity experts are needed in all industries and sectors.
Cybersecurity education requires development of many competencies: both technical (ranging across software, systems, and network engineering disciplines) and managerial (governance, policy, regulation, practices).
Matriculation in computer science programs is decreasing.
Focusing on national security problems is hindered by the number of available cybersecurity professionals who are US citizens.
Non-technical personnel who are decision makers and users also require training and education.
Retention is tough: lots of competition for a very limited pool.

Computer science is the only one of the STEM (science, technology, engineering and mathematics) fields that has actually seen a decrease in student participation over the last 20 years, from 25% of high school students to only 19%, according to a 2011 study by the National Center for Education Statistics. In recent years more than half of U.S. engineering doctorates are earned by temporary visa holders. (“Science and Engineering Indicators 2012,” National Science Foundation,

23 Get Some Help
https://fedvte.usalearning.gov/
Training builds skills and capabilities
Certifications test for baseline knowledge acquisition
Both can be necessary but not sufficient – may not prove effectiveness or competency

24 Engage with Us… www.cert.org/engage
Use our tools
Report a vulnerability
Request an assessment
Sponsor our research
Read our blogs: DevOps Blog, CERT/CC Blog
Contribute to the Secure Coding Wiki
Stay informed via podcasts, webinars
Attend an upcoming event: Secure DevOps Symposium – Nov. 5 (Arlington, VA); Software Solutions Conference – Nov (Crystal City, VA)
Learn from our training
Collaborate with us

25 Contact Information
Greg Such
Mike Gagliardi
Dr. Carol Woody
Web Resources:
© 2007 Carnegie Mellon University

