The White House Cyberspace Policy Review - FSU Computer Science


Mike Burmester

Center for Security and Assurance in IT, Florida State University,

3rd Annual TechExpo, Tallahassee May 6th 2010

1. Background
   the White House Cyberspace Policy Review

2. Emerging network technologies
   Wireless, ubiquitous
   Cloud applications, intelligent networks
   What next!

3. The adversary
   We are behind the learning curve; the hackers are ahead
   Security threats

4. How can we defend our digital future?
   Near-term and midterm plans
   Methodology
   Technical aspects, technical analysis

TechExpo 2010

May 6th 2010


In Feb 2009 the President directed a 60-day “clean-slate” review to assess U.S. policies and structures for cybersecurity.

In March 2009 the Cyberspace Policy Review was published

The Cybersecurity Review recommends general guidelines, regarding the
   Strategy
   Policy, and
   Standards
for securing operations in cyberspace.

“… our approach over the past 15 years has failed to keep pace with the threat.”

What is Cyberspace?

“. . . the interdependent network of information technology infrastructures, including
   the Internet
   Telecommunications networks
   Computer systems
   Embedded processors and
   Controllers in critical industries

Common usage of the term also refers to the
   Virtual environment of information and interactions between people

What is Cyberspace? --- a historical perspective

1985 a system of mainframe computers (NSFNET)

1990 the Internet and Web applications

2000 + Wireless networks

2008 + Cloud applications

20?? The Internet of Things

20?? Virtual life?

How can we secure a structure that keeps morphing?


Wireless technology offers unparalleled opportunities

Some time ago …
   Telegraph
   Radio communication
   Amateur radio
   TV

Wireless technology offers unparalleled opportunities

Wireless technology

Cellular systems (3G and beyond)


Short range point-to-point
   Bluetooth Personal Area networks
   Wi-Fi technologies
   Wireless sensor networks
   RFID (Radio Frequency Identification) systems



Factory floor automation

Border fencing

Military applications



An RFID road pricing gantry in Singapore & an RFID tag

RFID tags used in libraries

Airports: checking luggage

U.S. (electronic) passports


Long range point-to-point
   WiMAX technologies


Network all applications! The Internet of Things

[Figure: network diagram with labels IP backbone, Server, Router]

Cloud applications ???

Delegate applications

Start with the Internet cloud

Delegate applications to the cloud



key words: France, threat, cyberspace

NATO chief calls attention to threats from cyberspace

Mar 4, 2010 . . . NATO is facing new threats in cyberspace that cannot be met by lining up soldiers and tanks, the alliance's secretary-general said Thursday in an apparent reference to terror groups and criminal networks

key words: International, threat, cyberspace

Threat of next world war may be in cyberspace

Oct 6, 2009 . . . The next world war could happen in cyberspace and that would be a catastrophe. We have to make sure that all countries understand that in that war . . .


Are we prepared for intelligent networks?

Who will manage them?

Do we want
   Centralized, or
   Decentralized management

Who will protect our resources?

What are the threats?


Confidentiality
   Eavesdropping (wiretapping)

Privacy
   Anonymity (Big Brother)

Integrity
   Data integrity: protection against unauthorized modifications, data corruption, deletion . . .
   Source or destination integrity: protections against spoofing attacks, man-in-the-middle attacks

Availability
   Coverage & deployment
   Information data accuracy: traffic control
   Dependable data transport: what about transmission/omission/congestion errors?
   What about malicious faults?

Security Threats Perceived or Real

Impersonation Attacks

Denial of Service Attacks

Session Tampering and Hijacking

Man-in-the-Middle Attacks


There are some very good cryptographic tools that can be used to protect digital resources

Many of these tools have proven security

The problem is usually bad implementations

The best cryptographic security is point-to-point security (such as VPN)

The source & destination
   are mutually authenticated (with public key cryptography)
   exchange privately a fresh secret key (with public key cryptography)
   use a symmetric key encryption scheme to encrypt exchanged data (with symmetric key cryptography)



1. Appoint cybersecurity coordinator

2. Prepare a national strategy

3. Designate cybersecurity as a priority . . .

4. Designate a privacy/civil liberties official

5. Formulate coherent unified policy guidance that clarifies roles, responsibilities . . . for cybersecurity activities across the Federal government

6. Initiate a public awareness and education campaign to promote cybersecurity

7. Develop government positions for an international cybersecurity policy framework

8. Prepare a cybersecurity incident response plan

9. Develop a framework for R&D strategies that focuses on game-changing technologies . . . to enhance the security, reliability, resilience, and trustworthiness . . .

10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests . . .


3. Support key education programs and R&D research to ensure the Nation’s continued ability to compete in the information age economy

4. Expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government.

9. Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict . . .

11. Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology innovations

Resiliency
   Against physical damage, unauthorized manipulation, and electronic assault. In addition to protection of the information itself,
   A risk mitigation strategy with focus on devices used to access the infrastructure, the services provided by the infrastructure, the means of moving, storing and processing information
   A strategy for prevention, mitigation and response against threats

Encouraging innovation
   Harness the benefits of innovation
   Not create policy and regulation that inhibits innovation

Maintain National Security/Emergency Preparedness Capabilities

The Comprehensive National Security Initiative (12 items)

1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections

2. Deploy an intrusion detection system of sensors across the Federal enterprise

3. Deploy intrusion prevention systems across the Federal enterprise

4. Coordinate and redirect R&D efforts

5. Connect current cyber ops centers to enhance situational awareness

6. Develop a government-wide cyber counter intelligence plan

The Comprehensive National Security Initiative (12 items)

7. Increase the security of our classified networks

8. Expand cyber education

9. Define and develop enduring "leap-ahead" technology, strategies, and programs

10. Develop enduring deterrence strategies and programs

11. Develop a multi-pronged approach for global supply chain risk management

12. Define the Federal role for extending cybersecurity into critical infrastructure domains

2. Deploy an ID (intrusion detection) system of sensors across the Federal enterprise

   Einstein 2 capability

   Signature-based sensors that analyze network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity

3. Deploy IP (intrusion prevention) systems across the Federal enterprise

   Einstein 3 capability

   Real-time full packet inspection and threat-based decision-making on network traffic entering or leaving these Executive Branch networks

   Identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness and security response

   Automatically detect and respond appropriately to cyber threats before harm is done, providing an intrusion prevention system supporting dynamic defense


Einstein 2 capability
   Signature-based sensors will only detect copycat attacks: one-off attacks will not be checked

Einstein 3 capability
   will not detect unpredictable attacks that mimic normal behavior
   Threat-based decision-making on network traffic however may deal with the consequences of such attacks
   Markovian profiling is a good approach for threat based decision making
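
Added example, not part of the original slides: a signature check beside a first-order Markov profile of normal traffic, to show the three cases named above (a copycat attack, a one-off attack with no signature, and an attack that mimics normal behavior). Reading "Markovian profiling" as a first-order Markov chain over event sequences is an assumption, as are the event names, the sample sessions, the signature and the threshold, all of which are constructed.

```python
import math
from collections import defaultdict

# Constructed sample data: each session is a sequence of coarse traffic events.
NORMAL = [
    ["dns", "http_get", "http_get", "http_post", "close"],
    ["dns", "http_get", "http_post", "close"],
    ["dns", "smtp", "close"],
    ["dns", "http_get", "close"],
] * 5
ALPHABET = {"dns", "http_get", "http_post", "smtp", "close",
            "login_fail", "shell", "ftp_put"}
# One known attack sequence, standing in for a signature database.
SIGNATURES = [("login_fail", "login_fail", "login_fail", "shell")]

def train(sessions):
    """Count first-order transitions; '^' is the start-of-session state."""
    counts = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        for prev, cur in zip(["^"] + s, s):
            counts[prev][cur] += 1
    return counts

def surprise(profile, session):
    """Mean negative log-probability per transition, Laplace-smoothed."""
    total = 0.0
    for prev, cur in zip(["^"] + session, session):
        row = profile.get(prev, {})
        p = (row.get(cur, 0) + 1) / (sum(row.values()) + len(ALPHABET))
        total -= math.log(p)
    return total / max(len(session), 1)

def signature_hit(session):
    """Signature sensor: an exact known subsequence anywhere in the session."""
    return any(tuple(session[i:i + len(sig)]) == sig
               for sig in SIGNATURES for i in range(len(session)))

def classify(profile, session, threshold=1.5):
    """Signature first, then the profile; threshold is an assumed cut-off."""
    if signature_hit(session):
        return "signature"
    return "anomalous" if surprise(profile, session) > threshold else "normal"

PROFILE = train(NORMAL)
COPYCAT = ["dns", "login_fail", "login_fail", "login_fail", "shell"]
ONE_OFF = ["dns", "ftp_put", "shell", "ftp_put", "close"]  # no signature exists
MIMIC = ["dns", "http_get", "http_post", "close"]          # follows normal use
```

The profile flags ONE_OFF although no signature matches it, while MIMIC is classified as normal, which is the limitation noted for attacks that mimic normal behavior.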



. . . the Universal-Composability Framework may ultimately prove to be just a first step toward a complete solution

   Joan Feigenbaum

. . . the main feature of the UC Framework is that the security of a composite system can be derived from the security of its components without need for holistic reassessment

   Mike Burmester



