Copyright © 2015 Juniper Networks, Inc. 1 Cybercrime & Vulnerability Issues: What Emergency Managers Need to Know North Carolina Emergency Management Association.

Slides:



Advertisements
Similar presentations
(nothing to see here). First thing you need to learn is that sysadmin is about people, not technology If youre a sysadmin so you dont have to deal with.
Advertisements

Chapter 1  Introduction 1 Chapter 1: Introduction.
CYBERCRIME & VULNERABILITY ISSUES: WHAT EMERGENCY MANAGERS NEED TO KNOW Jim Duncan, Security Engineer Juniper Networks, Secure Development Lifecycle Initiative.
Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Lecture 19 Page 1 CS 111 Online Protecting Operating Systems Resources How do we use these various tools to protect actual OS resources? Memory? Files?
Chapter 10 Schedule Your Schedule. Copyright 2004 by Pearson Education, Inc. Identifying And Scheduling Tasks The schedule from the Software Development.
The Philosophy of Exotischism Ignorance Is No Excuse 442 Most of us feel that we have a pretty good idea as to what is right and what is wrong, and we.
Infotex Awareness Training Tools. m.infotex.com/tools Information Security Tools.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Public Works and Government Services Canada Travaux publics et Services gouvernementaux Canada Password Management for Multiple Accounts Some Security.
Engineering Secure Software. Lottery Story A Threat We Can’t Ignore  Documented incidents are prevalent Carnegie Melon’s SEI has studied over 700 cybercrimes.
Training Math Tutors To Tutor Developmental Math Students
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
The Philosophy of Exotischism Ignorance Is No Excuse 1 Most of us have heard the old expression "ignorance is no excuse for breaking the law". If courts.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Reducing Crime in Cyberspace: A Privacy Industry View Stephanie Perrin Adam Shostack Zero-Knowledge Systems, Inc.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
Welcome to the wonderful world of……. . A Quick & Easy Guide.  What IS ?  A quick, easy and convenient way to send a letter to friends, family.
with Professor I. M. Smarter Jack Linton – Petal School District.
Student Forum March5, pm - Collaborate Students will share their thoughts on topics including: --experiences with online courses --ways instructors.
Being Audited – Life on the Other Side of the Fence.
Security Awareness Challenges of Securing Information No single simple solution to protecting computers and securing information Different types of attacks.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Software Engineering Experimentation Rules for Reviewing Papers Jeff Offutt See my editorials 17(3) and 17(4) in STVR
Lecture 17 Page 1 CS 236 Online Network Privacy Mostly issues of preserving privacy of data flowing through network Start with encryption –With good encryption,
Lecture 7 Page 1 CS 236 Online Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know The.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
BTT12OI.  Do you know someone who has been scammed online? What happened?  Been tricked into sending someone else money (not who they thought they were)
Lecture-3.
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.
Argumentative Writing. Elements of an Argumentative Essay  Introduction:  Attention-getter  Background Information  Thesis Statement  Supporting.
Lecture 12 Page 1 CS 236, Spring 2008 Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite.
THE IRISH SOFTWARE ENGINEERING RESEARCH CENTRE 1 Of Deadlocks and Peopleware - Collaborative Work Practices in Global Software Development Dr. Gabriela.
Securing Passwords Against Dictionary Attacks Presented By Chad Frommeyer.
By Liam Wright Manga comic group Japan SAFETY on your computer.
INTERNAL CONTROLS What are they? Why should I care?
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
Information Security In the Corporate World. About Me Graduated from Utica College with a degree in Economic Crime Investigation (ECI) in Spring 2005.
CHAPTER 2 Laws of Security. Introduction Laws of security enable user make the judgment about the security of a system. Some of the “laws” are not really.
Security Mindset Lesson Introduction Why is cyber security important?
© 2015 albert-learning.com How to talk to your boss How to talk to your boss!!
Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Protection of Transportation Infrastructure from Cyber Attacks EXECUTIVE BRIEFING.
Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
CURRENT STATUS OF CYBERCRIME  Security is the fastest growing service in IT  Cyber Crime Costs $750 Billion annually  70% of threats arrive via .
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
3 Do you monitor for unauthorized intrusion activity?
Information Security.
Password Management Limit login attempts Encrypt your passwords
Control system network security issues and recommendations
Cybersecurity Awareness
Determined Human Adversaries: Mitigations
How to Mitigate the Consequences What are the Countermeasures?
The Psychology of Security
The Issues with Technology in education
We know who they are and what they do, but how do we help them?
Topic 5: Communication and the Internet
Determined Human Adversaries: Mitigations
16. Account Monitoring and Control
3 Do you monitor for unauthorized intrusion activity?
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
6. Application Software Security
3 Do you monitor for unauthorized intrusion activity?
Presentation transcript:

Copyright © 2015 Juniper Networks, Inc. 1 Cybercrime & Vulnerability Issues: What Emergency Managers Need to Know North Carolina Emergency Management Association Spring Conference, Wednesday, Jim Duncan Security Engineer Juniper Networks Secure Development Lifecycle Program

Copyright © 2015 Juniper Networks, Inc. 2 Brief Biography Currently working on prevention of flaws (Juniper SDL program) Previously, product-security and cyber-security incident responder Juniper, BB&T, Cisco, Penn State University, Old Dominion University TRANSITS Instructor – helping National CSIRTs in emerging economies Participant in multiple IRT and cybercrime-fighting forums (FIRST, ICASI) Critical Infrastructure Protection evangelist (NIAC VDF, CVSS, ISACs) I’m the guy you want to have sitting in the exit row on your flight! (Also soccer referee, parliamentarian, piano technician, pistolsmith, etc.) Subject-Matter Expert on software vulnerabilities & incident response

Copyright © 2015 Juniper Networks, Inc. 3 Why Am I Here today? Cybercrime and vulnerabilities are here to stay This will not be yet another trend report Intended as a complement to what you already heard from Tim Brown Complexity – the Internet of Things – growing without bound Implications for interactions with other disciplines both exciting and scary Security, if any, is frequently low priority, or omitted from consideration entirely Definitely no security in “Version 0.1”, which is what first responders get to use! Technology is just a tool, you should not need to be an expert in it How many of you are well-versed in internal combustion? Impart a framework for thinking about cyber systems, threats, remedies

Copyright © 2015 Juniper Networks, Inc. 4 Problems

Copyright © 2015 Juniper Networks, Inc. 5 Nature of Cybercrime Amazing parallels to counterfeiting of old: front office, back office, etc. Well-financed, distributed, smart, not greedy (mostly) Misalignment of cultural expectations is a complicating factor Definitions of “crimes” vary from place to place, hard to get support Resourceful: example of CAPTCHA workaround Well-researched: example of bank phishing of local church officials Follow the money and/or spirit: motivations explain a lot All of the above apply to nation-state and populist activities, too! Cybercriminals think of themselves as legitimate business people

Copyright © 2015 Juniper Networks, Inc. 6 Confidentiality/Privacy/Reputational Threats SWATting and EAS hijacks: not much help here except the obvious D0Xing of staff and officials – Internet embarrassment is deadly Teach staff how to protect themselves and their property online if you expect them to protect other people’s stuff online. Consider reputation-monitoring services and purchasing extra domains Monitor and prevent exfiltration of data in your stewardship Don’t assume data was erased – it can never be completely erased Use full-disk encryption and test it Consider reputation-monitoring services for this as well Every misdeed I see online has an analog in the real world

Copyright © 2015 Juniper Networks, Inc. 7 Telecommunications Threats DoS can’t be prevented, but often it can be managed Various services for ensuring against a DoS, or mitigating it once underway Work with your ISP (maybe more than one ISP) Make sure you have experts involved Telephony DoS is old, but new again Multiple efforts in multiple countries to improve technological response “Honeypots” deployed to look for TDoS, do-not-call violations, other errors VoIP is exciting, isn’t it? Yeehaw! Fundamental flaw: circuit-switched v. packet-switched security models Abundant prior art proves that in-band signaling is a bad, bad idea

Copyright © 2015 Juniper Networks, Inc. 8 Transportation Threats GPS spoofing and jamming Documented that thieves are using spoofing to hide stolen vehicles Florida motorist operated a cellphone jammer from his car during his daily commutes to force other drivers to put down their cellphones Easy to imagine similar stunts to fraudulently redirect consumers away from competitors’ gas pumps or (pick a retail industry) How do you know your GPS is receiving correct data? Anyone? Highway sign hijacks are clever, but what if they are subtle? Instead of “zombie” alerts, consider believable “Detour via…” instructions We’re a long way away from carburetion and breaker points

Copyright © 2015 Juniper Networks, Inc. 9 Environmental Threats EMP and solar flares Really naïve in this area, despite decades of study Recent work very revealing and alarming, but seems to be ignored Structural HVAC, building & power controls, SCADA systems Never underestimate the potential for someone to inadvertently connect these systems to something they shouldn’t be connected to And never underestimate the ability of criminals to find them (e.g., Target) What do you do when your EOC gets too hot? Too cold? Too wet? Dry? Example of first World Trade Center attack in the early 1990s There’s a reason armored vehicles don’t have power windows

Copyright © 2015 Juniper Networks, Inc. 10 Solutions

Copyright © 2015 Juniper Networks, Inc. 11 Occam’s Razor, Hanlon’s Razor, etc. Occam’s Razor: “When considering multiple possible causes, select the cause requiring the least complexity” Not guaranteed to be correct, but likely Hanlon’s Razor: “Never attribute to malice that which is adequately explained by stupidity.” Duncan’s Corollary: “Never attribute to an attack that which is adequately explained by negligence.” “Negligence” can be misconfiguration, software flaw, or user error Example of inadvertent internally-sourced “attack” “Don’t quote other people; tell me what you know.” [Samuel Johnson]

Copyright © 2015 Juniper Networks, Inc. 12 Avoid Bystander Effect/Diffusion of Duty First responders would never do this in the real world, but they let it happen in the cyber world: Don’t assume someone else will respond! Ask questions. Lots of questions. Lots and lots and lots of questions. Recipients of questions: be professional and answer appropriately Consider documenting individual findings in “security observation reports” Advocate for proper brainstorming practices In the first round, get the ideas out there; no vetting whatsoever Second round, go back and evaluate the first-round responses Disciplined facilitator is sometimes needed for this to be effective “Why didn’t somebody do something?!”

Copyright © 2015 Juniper Networks, Inc. 13 Replace Blacklisting with Whitelisting Blacklisting: “That, which is not expressly denied, is permitted.” Far too many systems start out this way Painful to go back and close up unnecessary ports/services/features Whitelisting: “That, which is not expressly permitted, is denied.” Much safer Start with all services disabled, then enable only those that are needed Example: Instead of allowing browsing everywhere, and then blocking access to a few pages, block all pages except for a selected few.

Copyright © 2015 Juniper Networks, Inc. 14 Get Smart and Stay Smart on Crypto Doesn’t have to be difficult to understand the basics Key length is important: long, but not too long (time is an issue, too) Key space should be as large as possible (or reasonably pragmatic) Don’t keep plaintext and encrypted text around, close by Repetition means something failed; algorithm selection is important Watch out for so-called “security improvement trade-offs” Example of password-typing alternate-left-right scheme (“key space”, above) Full-disk encryption is worth mentioning again, at this point “Gosh, crypto is hard!”

Copyright © 2015 Juniper Networks, Inc. 15 Understand Sphere of Action Expectations and assumptions creep into our thought processes, distort our reasoning, and cause us to produce incorrect results Cyber threats are global but are not the typical disasters you handle Example of NRP and Lori Bush, “There’s the hurricane/forest fire/flood!” Cultural & linguistic differences affect results Example of CAPTCHA workaround, earlier Mismatch of importance regarding Asia/Pacific “loss of face” Example of encipher/decipher v. encrypt/decrypt Time and date formats (ISO-8601), ICS phonetic alphabet In both cyber and physical realms

Copyright © 2015 Juniper Networks, Inc. 16 Policies and Procedures No excuses for not having Acceptable Use Policies, Password Policies, Data Retention Policies, and so forth; write’em down, publicize them Don’t expect staff to pick good password management schemes; research apps, make recommendations (working group for NCEMA?) Consider implementing two-factor access schemes Remember that policies and guidelines should be viewed primarily as tools for education; enforcement comes only when education fails Valuable tools for increasing and maintaining awareness

Copyright © 2015 Juniper Networks, Inc. 17 Figure Out What Happened Later “Accountability is the price of openness.” [Daniel E. Geer, Sc.D.] No one builds a perfect system, so institute appropriate logging and auditing mechanisms so that after something goes wrong, you can backtrack to figure out what happened Study Ken Thompson’s “Reflections on Trusting Trust” 1984 ACM Turing Award lecture Brilliant, short (3 pages) explanation on how all systems are flawed because humans are involved, and cannot be separated Completely destroys the “Many eyes makes good security” argument Don’t worry about culpability in the midst of an incident

Copyright © 2015 Juniper Networks, Inc. 18 Don’t Attempt To Build Perfect Systems Lots of unnecessary effort is expended on lofty conceptions of the really cool and awesomely beautiful solution to a basic problem Don’t build seamless systems, especially in an emergency “Make them seamful, but with beautiful seams.” [Mark Weiser] Example from ruggedized telecom-in-a-box in Hurricane Katrina “The perfect is the enemy of the good enough” (or similar)

Copyright © 2015 Juniper Networks, Inc. 19 Be Part of the Solution, Not the Precipitate Encourage proper brainstorming Need sector-specific experts like you to think up interesting problems We don’t know the stuff that you don’t even know you already know Roll up the results into tabletop exercises Collaborate with cybersecurity incident responders We both learn from each other We can help with cross-sector exercises We’ll know who to call when we find something important

Copyright © 2015 Juniper Networks, Inc. 20 Anything Else? Q&A Contact Information: Jim Duncan, +1

Thank You!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.