Presentation on theme: "Demythifying Cybersecurity* A glimpse of a secure cyber future"— Presentation transcript:
1Demythifying Cybersecurity* A glimpse of a secure cyber future Edward B. TalbotTom M. KroegerLivermore, CASandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.SAND Number : C* -
2Sandia has been dedicated to national security since 1949 A Mission-Driven Laboratory:Design and development of nonnuclear portions of US nuclear weaponsProduction of advanced componentsSafety, security, use controlTreaty verification, nonproliferation, and counterproliferationAdvanced military technologies and applicationsEnergy and environmentHomeland security and countering weapons of mass destructionI’m here to give you a bit of background on who we are and why we’re talking about cyber securitycame out of manhattan projectSandia has a long (but quiet) history of dealing with the nation’s thorniest but most important issues.Among other things we hold the fundamental responsibility for designing the technologies our nationsuses for nuclear weapons security & command and controlBut these days that is just part of what we do.In the last years we have used our expertise from our original work totake a more holistic approach to national security
3On the Internet nobody knows you’re a dog… Or it there is a man in the middle or who else is listening or if you are a bot.…or an adversary!
4The problem: we can’t trust our machines and we can’t live without them. Information systems have become too complex and too interconnected at all scales to ensure that they do not contain vulnerabilities.Multi-scale: micro (3 lines of code) -> human -> macro (Internet)Multi-discipline: device physics -> electronics -> computer architecture > software -> human factorsMulti-medium: photons -> electrons -> RFServersRoutersSwitchesFiberFirewallsDesktopsUsersWaferMaskProgrammingDieExample: push the power button 10 times to invoke tech support mode.…we are behind and falling further behind.
5Cybersecurity Manifesto The SituationCurrent cyber security approaches are fundamentally broken.Current cyber security strategies are reactive and asymmetric.Vulnerabilities in current implementations are virtually limitless.Threats are exploiting these vulnerabilities faster than we can detect and counter them.Current cyber security implementations compound the problem by creating the illusion of security.“We cannot solve our problems with the same thinking we used when we created them.” - Albert Einstein
6“The great enemy of the truth is very often not the lie, deliberate, contrived and dishonest, but the myth, persistent, persuasive and unrealistic.” John F. KennedySome MythsMyth 1: More layers of defense are better.Myth 2: Burdensome security is good security.Myth 3: Running my executables on my data on my system is secure because I control my system.Myth 4-…: ???Examples: We understand our adversaryMyth 5: We have to trust someone or something
7Modeling and Simulation Qualitative Assertions Quantitative Assertions We need to move cyber security from a craft/lore/myth to a scientific discipline.Craft/Lore/MythScienceTrial-and-errorTheoryReactiveRules of ThumbExperimentPredictiveModeling and SimulationSkill- / luck-basedAn exampleAlchemyChemistryOr biology or physics or mathematicsAmerican Engineers' Council for Professional Developmentdefines Engineering as “the creative application of scientific principles to design or develop structures, machines, apparatus, or manufacturing processes, or works utilizing them singly or in combination; or to construct or operate the same with full cognizance of their design; or to forecast their behavior under specific operating conditions; all as respects an intended function, economics of operation and safety to life and property.”Earth, Air, Fire, WaterPeriodic TableQualitative AssertionsQuantitative Assertions“The highest priority should be assigned to establishing research protocols to enable reproducible experiments…There is a science of cyber-security.”- Science of Cyber-Security, JASONs report dtd November 2010.
8Myth 1: More layers of defense are better. Layered defense is great for physical assets
9Myth 1: More layers of defense are better. Layered defense creates the illusion of impenetrability
10A common perception of the threat Microelectronics and SoftwarePCTargetsDefenses:FirewallsAnti-SpywareVirus DetectorsIntrusion Detection SystemsOffensive MethodsCyber
11Many threats are not obvious Myth 1: More layers of defense are better.Many threats are not obvious
12Response 1: Science-Based Cyber Security Myth 1: More layers of defense are better.Response 1: Science-Based Cyber SecurityC compilerVHDLFPGA – 500k logic elementsLots of states, lots of flexibility, lots of trouble.RefrigeratorControllerFew states, testable, provable.“Direct-to-gates” compiler
13Myth 1: More layers of defense are better. Response 1: Science-Based Cyber Security
14Myth 2: Burdensome security is good security. Increasing security burdenUser-selected passwords to constrained passwords2 factor: constrained passwords plus HSPD-12 badge3 factor: constrained passwords plus HSPD-12 badge plus fingerprintAre we more secure?Can we PROVE that we are more secure?Looking forward:Identity 2.0: Human-BadgeΞMachine-EnvironmentIdentity 3.0: HumanΞEnvironmente.g. Strong Kerberos++
15Rethinking our security approach. Myth 2: Burdensome security is good security.Rethinking our security approach.
16Continuous, adaptive identity authentication Myth 2: Burdensome security is good security.Continuous, adaptive identity authenticationEvent-based identity authentication is momentary (event-based)ConfidenceLogin (password)TimeContinuous, adaptive identity authentication is a continuous processProbabilistic (not deterministic)Approach: Multi-sensor fusion (example: Kalman filter using GPS, IMU, control laws, galvanic skin response, real-time DNA analysis, etc.)ConfidenceLogin (password)Predictable behaviorTimeEffective authentication requires unambiguous identity.
17Myth 2: Burdensome security is good security. Continuous, adaptive authentication provides unambiguous identity regardless of dynamics.If a control system can be built that enables this aircraft to return to base……a control system should be able to authenticate me despite changes in my dynamics
18“Cell phones show human movement predictable 93% of the time”* Myth 2: Burdensome security is good security.“Cell phones show human movement predictable 93% of the time”*INTEGRATION of existing sensorsEyesGait (feet, waist)GPS locationVoiceto provideContinuousReal-timeAdaptiveUnambiguousidentity authentication* -
19Myth 2: Burdensome security is good security. Response 2: Unambiguous identity as certain and intuitive as in the physical world.
20Myth 3: Running my executables on my data on my system is secure because I control my system. Woo-Hoo!!My ExecutableMy MachineMy JobMy ResultMy Data
21Cyber-attackers exploit complexity Myth 3: Running my executables on my data on my system is secure because I control my system.Cyber-attackers exploit complexityThe asymmetry:Defense: protect against every possible exploit (hard).Attack: find one unprotected vulnerability (easy).Linux kernel: 25 year old bug in the kernel was found two years ago.Vista rewrite: 6 major vulnerabilities identified in the first 3 months.Response 3: Reverse the asymmetryDefense: easy.Attack: hardApproach: tailor complexity for defense.Woo-Hoo!!??!!??“We cannot solve our problems with the same thinking we used when we created them.” - Albert Einstein
22Response 3: Reversing the asymmetry Myth 3: Running my executables on my data on my system is secure because I control my system.Response 3: Reversing the asymmetry??!!??Woo-Hoo!!Data Encryption:Data Obscuration:(“Concealment”)Robust, computationally hardFragile, Incomplete, easy to detect, crackThe Myth:“First, there are three general types of secrecy system:(1) concealment systems,…(2) privacy systems,…(3) cipher, code…”- From Communication Theory of Secrecy Systems, 1949, C. ShannonRandomization within the stack, library…The Reality:
23Monoclonal implementations share security holes. Myth 3: Running my executables on my data on my system is secure because I control my system.Monoclonal implementations share security holes.Woo-Hoo!!
24Multiple implementations randomize security holes. Myth 3: Running my executables on my data on my system is secure because I control my system.Multiple implementations randomize security holes.X??!!??XXMultiple-version codes enable security improvement statistics.
25Multiple computing implementations can randomize security vulnerabilities.
26Multiple communication paths can randomize security vulnerabilities.
27Multiple storage locations can randomize security vulnerabilities.
28Response 3: Reverse the asymmetry Myth 3: Running my executables on my data on my system is secure because I control my system.Response 3: Reverse the asymmetry
29A Challenge From the “Einstein-Roosevelt” letter: “Some recent work by E. Fermi and L. Szilard, which has been communicated to me in manuscript, leads me to expect that the element uranium may be turned into a new and important source of energy in the immediate future. Certain aspects of the situation which has arisen seem to call for watchfulness and if necessary, quick action on the part of the Administration. I believe therefore that it is my duty to bring to your attention the following facts and recommendations…”Feeling overwhelmed? Maybe even scared?
30Demythifying Cybersecurity MythsResponsesMyth 1: More layers of defense are better.Response 1: Provable, science-based cyber securityMove cyber security from a trade craft to scientific discipline. Limit complexity to enable provabilityMyth 2: Burdensome security is good security.Response 2: Unambiguous identity.Continuous, Adaptive AuthenticationMyth 3: Running my executables on my data on my system is secure because I control my system.Response 3: Reverse the asymmetryTurn complexity against the attackerAttacker faces a combinatorially hard problemFor further information:
31Sandia National Laboratories Edward B. TalbotManager, Information Assurance DepartmentSandia National LaboratoriesLivermore, CATom M. KroegerInformation Assurance Security DepartmentLivermore, CAAlbuquerque, NM“Exceptional service in the national interest”