Presentation is loading. Please wait.

Presentation is loading. Please wait.

CYBERCRIME & VULNERABILITY ISSUES: WHAT EMERGENCY MANAGERS NEED TO KNOW Jim Duncan, Security Engineer Juniper Networks, Secure Development Lifecycle Initiative.

Published byMelody Jerkins Modified over 9 years ago

Similar presentations

Presentation on theme: "CYBERCRIME & VULNERABILITY ISSUES: WHAT EMERGENCY MANAGERS NEED TO KNOW Jim Duncan, Security Engineer Juniper Networks, Secure Development Lifecycle Initiative."— Presentation transcript:

1 CYBERCRIME & VULNERABILITY ISSUES: WHAT EMERGENCY MANAGERS NEED TO KNOW Jim Duncan, Security Engineer Juniper Networks, Secure Development Lifecycle Initiative Tuesday, 2014-10-14 North Carolina Emergency Management Association Fall Conference

2 2 Copyright © 2014 Juniper Networks, Inc. www.juniper.net BRIEF BIOGRAPHY Subject-Matter Expert on software vulnerabilities Currently working on prevention of flaws (Juniper SDL program) Previously, product-security and cyber-security incident responder  Juniper, BB&T, Cisco, Penn State University, Old Dominion University  TRANSITS Instructor – helping National CSIRTs in emerging economies  Participant in multiple IRT and cybercrime-fighting forums (FIRST, ICASI)  Critical Infrastructure Protection evangelist (NIAC VDF, CVSS, ISACs)  Ideal candidate for the exit row! (Also soccer referee, parliamentarian, piano technician, pistolsmith, etc., can’t keep a job!)

3 3 Copyright © 2014 Juniper Networks, Inc. www.juniper.net WHY AM I HERE TODAY? Cybercrime and vulnerabilities are here to stay  You know that already; this will not be yet another trend report Technology Complexity – the Internet of Things – growing without bound  Implications for interactions with other disciplines both exciting and scary  Security, if any, is frequently low priority, or omitted from consideration entirely  Definitely no security in Version 0.1, which is what is deployed to first responders!  Technology is just a tool, you should not need to be an expert in it  How many of you are well-versed in internal combustion? My goal is impart observations, rules, etc., for thinking about cyber systems and understanding the larger threats and countermeasures

4 4 Copyright © 2014 Juniper Networks, Inc. www.juniper.net PROBLEMS

5 5 Copyright © 2014 Juniper Networks, Inc. www.juniper.net NATURE OF CYBERCRIME “Cybercriminals are business people, too.”  Amazing parallels to counterfeiting of old: front office, back office, etc.  Well-financed, distributed, smart, not greedy (mostly)  Misalignment of cultural expectations is a complicating factor  Definitions of “crimes” vary from place to place, hard to get support sometimes  Resourceful: example of CAPTCHA workaround  Well-researched: example of bank phishing aimed at small church officials  Follow the money and/or spirit: motivations explain a lot  All of the above apply to nation-state and populist activities, too

6 6 Copyright © 2014 Juniper Networks, Inc. www.juniper.net CONFIDENTIALITY/PRIVACY/REPUTATIONAL THREATS SWATting and EAS hijacks; not much help here except the obvious D0Xing of staff and officials – Internet-based embarrassment is deadly  Teach staff how to protect themselves online if you expect them to protect other people’s stuff online.  Consider reputation-monitoring services Monitor and prevent exfiltration of data in your stewardship  Don’t assume data was erased – it can never be completely erased  Use full-disk encryption and test it  Consider reputation-monitoring services for this as well

7 7 Copyright © 2014 Juniper Networks, Inc. www.juniper.net TELECOMMUNICATIONS THREATS DoS can’t be prevented, but often it can be managed  Various services for ensuring against DoS or mitigating once underway  Work with your ISP (maybe more than one ISP)  Make sure you have experts involved Telephony DoS is old, but new again  Multiple efforts in multiple countries to improve technological response  “Honeypots” deployed to look for TDoS, do-not-call violations, other errors  VoIP is exciting, isn’t it? Yeehaw!  Fundamental flaw: circuit-switched v. packet-switched security models

8 8 Copyright © 2014 Juniper Networks, Inc. www.juniper.net TRANSPORTATION THREATS GPS spoofing and jamming  Documented that thieves are using spoofing to hide stolen vehicles  Florida(?) motorist operated a cellphone jammer from his car during his daily commutes to force other motorists to put down their cellphones  Easy to imagine similar stunts to fraudulently redirect consumers away from competitors’ gas pumps or (pick a retail industry) How do you know your GPS is receiving correct data? Anyone? Highway sign hijacks are clever, but what if they are subtle?  Instead of “zombie” alerts, consider believable “Detour via…” instructions

9 9 Copyright © 2014 Juniper Networks, Inc. www.juniper.net ENVIRONMENTAL THREATS EMP and solar flares  Really naïve in this area, despite decades of study  Recent work very revealing and alarming, but seems to be ignored Structural HVAC, building & power controls, SCADA systems  Never underestimate the potential for someone to inadvertently connect these systems to something they shouldn’t be connected to  And never underestimate the ability of criminals to find them (e.g., Target)  What do you do when your EOC gets too hot? Too cold? Too wet? Dry?  Example of first World Trade Center attack in the early 1990s

10 10 Copyright © 2014 Juniper Networks, Inc. www.juniper.net CASE STUDY NOT YET PUBLISHED Analysis of pre-hospital information system used by EMTs  It was in another state, not North Carolina. Relax! Resume breathing… Criminals’ delight:  No AUP, no password policies  Ruggedized laptop running unpatched XP, plans to upgrade to Win7  No full-disk encryption  Brand-name software vendor truly did not keep PII on device, but…  Helpful cache was uncovered, unencrypted, with PII for 13,500 patients! THIS HAPPENED IN 2014!!! This is all too believable, unfortunately

11 11 Copyright © 2014 Juniper Networks, Inc. www.juniper.net SOLUTIONS

12 12 Copyright © 2014 Juniper Networks, Inc. www.juniper.net OCCAM’S RAZOR, HANLON’S RAZOR, ETC. Occam’s Razor: “When considering multiple possible causes, select the cause requiring the least complexity”  Not guaranteed to be correct, but likely Hanlon’s Razor: “Never attribute to malice that which is adequately explained by stupidity.” Duncan’s Corollary: “Never attribute to an attack that which is adequately explained by negligence.”  “Negligence” can be misconfiguration, software flaw, or user error  Example of inadvertent internally-sourced “attack”

13 13 Copyright © 2014 Juniper Networks, Inc. www.juniper.net AVOID BYSTANDER EFFECT/DIFFUSION OF DUTY First responders would never do this in the real world, but they fall prey to it in the cyber world: Don’t assume someone else will respond! Ask questions. Lots of questions.  Recipients of questions: be professional and answer appropriately  Consider documenting individual findings in “security observation reports” Advocate for proper brainstorming practices  In the first round, get the ideas out there; no vetting whatsoever  Second round, go back and evaluate the first-round responses  Disciplined facilitator is sometimes needed for this to be effective

14 14 Copyright © 2014 Juniper Networks, Inc. www.juniper.net REPLACE BLACKLISTING WITH WHITELISTING Blacklisting: “That, which is not expressly denied, is permitted.”  Far too many systems start out this way  Painful to go back and close up unnecessary ports/services/features Whitelisting: “That, which is not expressly permitted, is denied.”  Much safer  Start with all services disabled, then enable only those that are needed Example: Instead of allowing browsing everywhere, and then blocking access to a few pages, block all pages except for a selected few.

15 15 Copyright © 2014 Juniper Networks, Inc. www.juniper.net GET SMART AND STAY SMART ON CRYPTO “Gosh, crypto is hard!” Doesn’t have to be difficult to understand the basics  Key length is important: long, but not too long (time is an issue, too)  Key space should be as large as possible (or reasonably pragmatic)  Don’t keep plaintext and encrypted text around, close by  Repetition means something failed; algorithm selection is important  Watch out for so-called “security improvement trade-offs”  Example of password-typing alternate-left-right scheme (“key space”, above) Full-disk encryption is worth mentioning again, at this point

16 16 Copyright © 2014 Juniper Networks, Inc. www.juniper.net UNDERSTAND SPHERE OF ACTION Expectations and assumptions creep into our thought processes, distort our reasoning, and cause us to produce incorrect results Cyber threats are global but not the typical disasters most of you handle  Example of NRP and Lori Bush, “There’s the hurricane/forest fire/flood!” Cultural & linguistic differences affect results  Example of CAPTCHA workaround, earlier  Mismatch of importance regarding Asia/Pacific “loss of face”  Example of encipher/decipher v. encrypt/decrypt  Time and date formats (ISO-8601), ICS phonetic alphabet

17 17 Copyright © 2014 Juniper Networks, Inc. www.juniper.net POLICIES AND PROCEDURES No excuses for not having Acceptable Use Policies, Password Policies, Data Retention Policies, and so forth; write’em down, publicize them Don’t expect staff to pick good password management schemes; research apps, make recommendations (working group for NCEMA?) Consider implementing two-factor access schemes Remember that policies and guidelines should be viewed primarily as tools for education; enforcement comes only when education fails

18 18 Copyright © 2014 Juniper Networks, Inc. www.juniper.net FIGURE OUT WHAT HAPPENED LATER “Accountability is the price of openness.” [Daniel E. Geer, Sc.D.] No one builds a perfect system, so institute appropriate logging and auditing mechanisms so that after something goes wrong, you can backtrack to figure out what happened Study Ken Thompson’s “Reflections on Trusting Trust”  1984 ACM Turing Award lecture  Brilliant, short (3 pages) explanation on how all systems are flawed because humans are involved, and cannot be separated  Completely destroys the “Many eyes makes good security” argument

19 19 Copyright © 2014 Juniper Networks, Inc. www.juniper.net DON’T ATTEMPT TO BUILD PERFECT SYSTEMS “The perfect is the enemy of the good enough” (or something like that) Lots of unnecessary effort is expended on lofty conceptions of the really cool and awesomely beautiful solution to a basic problem Don’t build seamless systems, especially in an emergency “Make them seamful, but with beautiful seams.” [Mark Weiser]  Example from ruggedized telecom-in-a-box in Hurricane Katrina

20 20 Copyright © 2014 Juniper Networks, Inc. www.juniper.net BE PART OF THE SOLUTION, NOT THE PRECIPITATE Encourage proper brainstorming  Need sector-specific experts like you to think up interesting problems  We don’t know the stuff that you don’t even know you already know Roll up the results into tabletop exercises Collaborate with cybersecurity incident responders  We both learn from each other  We can help with cross-sector exercises  We’ll know who to call when we find something important

21 21 Copyright © 2014 Juniper Networks, Inc. www.juniper.net ANYTHING ELSE? Q&A Contact Information: Jim Duncan, jduncan@juniper.net, +1 919-608-0748jduncan@juniper.net

22

Download ppt "CYBERCRIME & VULNERABILITY ISSUES: WHAT EMERGENCY MANAGERS NEED TO KNOW Jim Duncan, Security Engineer Juniper Networks, Secure Development Lifecycle Initiative."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Chapter 1  Introduction 1 Chapter 1: Introduction.

Chapter 1  Introduction 1 Chapter 1: Introduction.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?

Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Technology in Education Issues we need to know. Social, Ethical, and Legal. By: Kara Bushey ECED 201.

Technology in Education Issues we need to know. Social, Ethical, and Legal. By: Kara Bushey ECED 201.
Chapter 10 Schedule Your Schedule. Copyright 2004 by Pearson Education, Inc. Identifying And Scheduling Tasks The schedule from the Software Development.

Chapter 10 Schedule Your Schedule. Copyright 2004 by Pearson Education, Inc. Identifying And Scheduling Tasks The schedule from the Software Development.
Copyright © 2015 Juniper Networks, Inc. 1 Cybercrime & Vulnerability Issues: What Emergency Managers Need to Know North Carolina Emergency Management Association.

Copyright © 2015 Juniper Networks, Inc. 1 Cybercrime & Vulnerability Issues: What Emergency Managers Need to Know North Carolina Emergency Management Association.
Infotex Awareness Training Tools. m.infotex.com/tools Information Security Tools.

Infotex Awareness Training Tools. m.infotex.com/tools Information Security Tools.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.

Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.

Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.

Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.

Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 

BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
1 Group-IB: Digital investigations and forensic Ilya Sachkov Group-IB

1 Group-IB: Digital investigations and forensic Ilya Sachkov Group-IB
Reducing Crime in Cyberspace: A Privacy Industry View Stephanie Perrin Adam Shostack Zero-Knowledge Systems, Inc.

Reducing Crime in Cyberspace: A Privacy Industry View Stephanie Perrin Adam Shostack Zero-Knowledge Systems, Inc.
PART THREE E-commerce in Action Norton University E-commerce in Action.

PART THREE E-commerce in Action Norton University E-commerce in Action.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Similar presentations

Ads by Google