homeland security advanced research projects agency
DESCRIPTION
Homeland Security Advanced Research Projects Agency. The Threat Landscape – A U.S. Perspective. March 13, 2014. CSIT 2014 Belfast, Northern Ireland Douglas Maughan Division Director. http:// www.dhs.gov/cyber-research. Threat Space The Human Challenge Top Technical / Policy Challenges - PowerPoint PPT PresentationTRANSCRIPT
Homeland Security Advanced Research Projects Agency
The Threat Landscape – A U.S. PerspectiveMarch 13, 2014
CSIT 2014Belfast, Northern Ireland
Douglas MaughanDivision Director
http://www.dhs.gov/cyber-research
Presenter’s Name June 17, 2003
Presentation Outline Threat Space
The Human Challenge
Top Technical / Policy Challenges Critical Infrastructure Security
Software Assurance
Mobile Device (and App) Security
Distributed Denial of Service Defenses
Cyber-Physical Systems
Cybersecurity Workforce
Legal and Ethical R&D
Summary
2
Environment: Greater Use of Technology, More Threats, Less Resources
Globalization & Transportation
Natural Disasters & Pushing
Beyond Design Limits
Misuse of Technology
Border Security & Immigration
Cyber Domain
LESS RESOURCES
MORE THREATS
Violent Extremism
Nature of Innovation
Both sides get to innovate
Predictive & Reactive
Aviation as an example …
Low cost of entry
Strategic potential
Anywhere in the world in 24 hours
Historical Perspective
Tenuous balance
Insider Threat
Presenter’s Name June 17, 2003
Malware – Malicious software to disrupt computers
Viruses, worms, … Theft of Intellectual Property or Data Hactivism – Cyber protests that are
socially or politically motivated Mobile Devices and Applications and their
associated Cyber Attacks Social Engineering – Entice users to click
on Malicious Links Spear Phishing – Deceptive
communications (E-Mails, Texts, Tweets) Domain Name System (DNS) Hijacking Router Security – Border Gateway
Protocol (BGP) Hijacking Denial of Service (DOS) – blocking
access to web sites Others …..
Cyber Threats and Sources
4
Nation States
Cyber Criminals
Hackers/Hacktivists
Insider Threats
Terrorists, DTOs, etc.
Presenter’s Name June 17, 2003
Cyberspace Definitions
“Cyberspace is [our nation’s critical infrastructures’]
nervous system—the control system of our country.
Cyberspace is composed of hundreds of thousands
of interconnected computers, servers, routers,
switches, and fiber optic cables that allow our critical
infrastructures to work.” National Strategy to
Secure Cyberspace, 2003
“Cyberspace means the interdependent
network of IT infrastructures, and
includes the internet, telecomms
networks, computer systems, and
embedded processors and controllers in
critical industries” NSPD 54, 8 Jan 2008
“A cyber environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. International Telecommunications Union X.1205, Overview of
Cybersecurity, Oct 2008
“The terms cyber security and information
assurance refer to measures for protecting
computer systems, networks, and information
from disruption or unauthorized access, use,
disclosure, modification, or destruction.”
Federal Plan for Cyber Security and
Information Assurance Research and
Development, Apr 2006
“The interdependent network of information and communications technology infrastructures, including the Internet, telecommunications networks, computer systems and networks, and embedded processors and controllers in facilities and industries.” White House Cyberspace Policy Review, May 2009
AND PEOPLE!!!
6
Example of a Cyber Intrusion
Determined Attacker
1. Targeted Phishing Email2. User clicks on link to hostile website or opens
attachment3. Infected computer beacons to attacker and waits
for commands4. Attacker takes direct control of remote machine
inside encrypted session
All traffic over common ports (25, 80, 443)
5. Attacker compromises administrator credentials6. Attacker move laterally through the network,
compromising additional machines and searches for desired information
7. Targeted information is packaged and exfiltrated8. Infected machines sit idle and wait for further
instructions or remove evidence of intrusion
Unique IPs used for each attack phase
81 2 3 4
5
7
6
6
66
6
7
Presenter’s Name June 17, 2003
Presentation Outline Threat Space
The Human Challenge
Top Technical / Policy Challenges Critical Infrastructure Security
Software Assurance
Mobile Device (and App) Security
Distributed Denial of Service Defenses
Cyber-Physical Systems
Cybersecurity Workforce
Legal and Ethical R&D
Summary
7
Cybersecurity for the 16 Critical Infrastructure Sectors
Business / Personal Shopping & Banking Point of Sale (in store/on line) – See “Target”, for example Personal Social Media …
DHS provides
advice and alerts to the 16 critical
infrastructure areas …
… DHS collaborates with sectors
through Sector Coordinating
Councils (SCC)
X X
8
HomelandSecurity Office of Cybersecurity and Communications
Executive Order (EO) on Improving Critical Infrastructure Cybersecurity/Policy Presidential Directive (PPD) on Critical Infrastructure Security and Resilience
Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to: Develop a technology-neutral voluntary cybersecurity
framework Promote/incentivize adoption of cybersecurity practices Increase the volume, timeliness and quality of cyber
threat information sharing Incorporate strong privacy and civil liberties protections
into every initiative to secure our critical infrastructure Explore existing regulation to promote cyber security
Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security
Presidential Directive-7 and directs the Executive Branch to:
– Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
– Understand cascading consequences of infrastructure failures
– Evaluate and mature the public-private partnership– Update the National Infrastructure Protection Plan– Develop comprehensive research and development plan 9
“America must also face the rapidly growing threat from cyber attacks… That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.”
President Barack Obama, 2013 State of the Union
Credit: White House / Pete Souza
Presenter’s Name June 17, 2003
Software Assurance
10
“Software is everywhere, and WE ALL ARE VULNERABLE. Market pressures are forcing early release of untested software.”According to Trustwave’s “2013 Global Security Report,” SQL injections accounted for 26% of the infiltration methods used by hackers in the data breaches it analyzed in 2012.
Presenter’s Name June 17, 2003
More Software Numbers
Poor software quality has become one of the most expensive topics -- $150 + billion/yr. and $500+ billon/yr. worldwideSource: Capers Jones
Software failures account for 24% of all medical device recalls Source: Threatpost via FDA Study
NIST study suggests that software errors cost US economy an estimated $59.5 billion annually, of which 1/3 of costs or $22.2 billion could be removed with improved software quality testing and tools
Presenter’s Name June 17, 2003
Software Evolution
12
Codebases are HUMONGOUS• Common software applications –
some apps scale near 60 MLOC• Software Assurance tools typically
can’t scale this amount of code• Codebase size contributes to code
complexity• More features, usually means more
code• Spaghetti code typically results in
poor quality of code
50 MLOC
Presenter’s Name June 17, 2003
Software Evolution - 2
13
DPL
DPL
DPL
DL
DPL
DPL
Every year we release data on the "Most Popular Programming Languages" based on thousands of data points we've collected by processing over 100,000+ coding tests and challenges by over 2,000+ employers – CodeEval
For the third year in a row, Python retains it's #1 dominance followed by Java, C++, and Javascript.This year's most noticeable changes were a 300% increase in Objective-C submissions, a 100% surge in C#, as well as a 33% increase in Javascript submissions while PHP lost -55%, Perl dropped -16%, and Java shrank -14%.
Presenter’s Name June 17, 2003
SWAMP Vision Document
http://continuousassurance.org/wp-content/uploads/2013/10/SWAMP-VISION-10.28.13.pdf
”The Software Assurance Marketplace has been carefully constructed, developed and implemented with community feedback. It is with this approach we expect the SWAMP to be a revolutionizing force in the software assurance community for years to come. A softwareassurance marketplace is a great place for the community to meet for research collaboration and technical exchange. The concept of the marketplace has influenced and shaped the vision outlined in this document – ideally the vision is to provide a unique set of services and capabilities that can be leveraged by the community, creating a collaborative marketplace for continuous assurance.” Kevin E. Greene, DHS S&TSoftware Assurance Program Manager
Presenter’s Name June 17, 2003
Mobile Device Growth
15
Desktop PCPortable PCTablet
Smartphone
# Un
its S
hipp
ed(m
illio
ns)
2012Total: 1,201.1
2017 (Projected) Total: 2,250.3
1600
1200
700
200
Presenter’s Name June 17, 2003
2013 Mobile Threats / Vuln’s
16
Source: http://www.symantec.com/security_response/publications/threatreport.jsp?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Apr_worldwide_ISTR18
Presenter’s Name June 17, 2003
2013 Mobile App Testing
17
TESTING RESULTS50 POPULAR MOBILE APPS, IOS/ANDROID
% With Issues
100%~80%
~30%
~50%
~15%
Stored UsernameStored Password
Medium or High RiskFailed MITM
StoredUsername
StoredPassword
OtherRisks
FailedMiTM
Presenter’s Name June 17, 200318
DDoS Attacks 101
Command and Control:Nation State, Criminal Organization,Hactivist groups, etc.
Victim is overwhelmed. Examples include: - 400 Gbps traffic to 10 Gbps access link - Millions of requests to server designed for thousands - 1000s of 911 calls to a system designed for hundreds
• Both brute force and clever ways to overwhelm the target
Control Over Vast Number of Compromised Devices:Desktops, laptops, and even refrigerators!http://thehackernews.com/2014/01/100000-refrigerators-and-other-home.html
Attack traffic originatedfrom multiple locations throughout the Internet
Presenter’s Name June 17, 2003
Threat: DDOS Volume
19
Challenge: shift advantage in DDoS events toward defense
Distributed Denial of Service attacks render key systems and resources unavailable, effectively denying users access to the service
Current Advantage Favors Attackers:• Attack resources are cheap compromised machines while defense requires provisioning• Attackers easily cross boundaries while defense requires cross-organization collaboration
NY Times: Attacks used the internet against itself to clog trafficAttack traffic exceeds 400 Gbps!
USA Today: Why DDoS attacks continue to bedevil financial firms … adversaries may potentially be nation states …
eWeek: DHS, FBI Warn of Denial-of-Service Attacks on Emergency Telephone Systems
Presenter’s Name June 17, 2003
Cyber-Physical Systems
20
Cyber Physical Systems Are Becoming Ubiquitous:• Smart cars, smart grids, smart medical devices,
smart manufacturing, smart homes, and so on • You will “bet your life” on many of these systems• Fast moving field focusing on functionality now
and will bolt on security later… Drones Could Help Tulsa Firefighters During Search, Rescue
PPD 21 Identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks”
Just like the Internet in its early days, car networks don’t employ very much security”
Opportunity Now To Build Security Into Emerging Cyber Physical Designs
Transportation Auto, UAVs, Aeronautical, Rail
Manufacturing Healthcare Energy Agriculture Emergency Response
Presenter’s Name June 17, 2003
http://www.nsf.gov/pubs/2014/nsf14542/nsf14542.htm
II.C.1 U.S. DHS S&T Homeland Security Advanced Research Project Agency (HSARPA)
DHS S&T encourages R&D in cybersecurity to enhance the resilience of critical information infrastructure.
HSARPA has particular interests in security technologies relevant to cyber-physical systems. The NITRD CPS Senior Steering Group's 2012 CPS Vision Statement, which notes CPS research gaps, identifies drivers and technologies for CPS related to transportation, emergency response, energy, and healthcare are considered especially relevant for HSARPA. Relevant technologies include cybersecurity approaches for guarding against malicious attacks on CPS as well as diagnostics and prognostics that aim to identify, predict, and prevent or recover from faults.
Recent Solicitation
21
Presenter’s Name June 17, 2003
Workforce Shortage
22
(Reuters) - For the governments and corporations facing increasing computer attacks, the biggest challenge is finding the right cyber warriors to fight back. Hostile computer activity from spies, saboteurs, competitors and criminals has spawned a growing industry of corporate defenders who can attract the best talent from government cyber units.
The U.S. military's Cyber Command is due to quadruple in size by 2015 with 4,000 new personnel while Britain announced a new Joint Cyber Reserve last month. From Brazil to Indonesia, similar forces have been set up. But demand for specialists has far outpaced the number of those qualified to do the job, leading to a staffing crunch as talent is poached by competitors offering big salaries.
A NATIONAL PROBLEM
23
• Enhance public awareness: (1) Augment current messaging to promote policies and practices that support Administration priorities, such as EO 13636 and PPD-21, and (2) develop messaging that targets senior executives of critical infrastructure companies (e.g., CEOs, Boards of Directors).
• Expand the Pipeline: (1) Expand formal education at the post-secondary level, including both four-year and two-year institutions and (2) establish new National Academic Consortiums for Cybersecurity Education (government, colleges/universities, high schools, middle schools, technical academies, industry, professional organizations)
• Evolve the profession: (1) Identify critical cybersecurity workforce skills through a national cybersecurity Workforce Inventory and Gap Analysis and continued development of Cybersecurity Workforce Forecasting Tools and (2) provide access to free or low-cost training for the identified critical skills.
NICE was established in support of the Comprehensive National Cybersecurity Initiative (CNCI) – Initiative 8: Expand Cyber Education – Interim Way Forward and is comprised of over 20 federal departments and agencies.
Presenter’s Name June 17, 2003
Cybersecurity Education Cyber Security Competitions (http://nationalccdc.org)
National Initiative for Cybersecurity Education (NICE) NCCDC (Collegiate); U.S. Cyber Challenge (High School)
Provide a controlled, competitive environment to assess a student’s depth of understanding and operational competency in managing the challenges inherent in protecting a corporate network infrastructure and business information systems.
WHY Competitions? Hands-on approach better than “book learned”; provides opportunities to
perform “real world” defense
Measurable – can determine if participants are getting better/smarter
Easier than internships, etc. for younger and minority students
Private sector companies can more easily provide supporting funding
24
Who else is supporting these activities?
NATIONAL CHAMPIONSHIPApril 25-27, 2014 in San Antonio, TX
Presenter’s Name June 17, 2003 26
Menlo Report Ethical Principles Guiding
Information and Communications Technology Research (ICTR)
Something similar to the Belmont Report for human subject research (from 1970s) Respect for Persons Beneficence Justice Respect for Law and Public Interest
Companion Report 21 Case Studies examined
Legal and Ethical R&D
Presenter’s Name June 17, 2003
Summary
Cybersecurity research is a key area of innovation to support our global economic and national security futures
Must focus on the human aspect of cyberspace - education, training, and awareness aspects of our current and future cybersecurity workforce
No shortage of technical challenges Everyone gets to innovate in their own way Collaboration is essential; no single government / university /
company is going to solve this problem alone Look at future technical agendas with the most impact for the
global community
Need to continue strong emphasis on technology transfer and experimental deployments
27
Presenter’s Name June 17, 2003
For more information, visithttp://www.dhs.gov/cyber-research
http://www.dhs.gov/st-csd
Douglas Maughan, Ph.D.Division DirectorCyber Security DivisionHomeland Security Advanced Research Projects Agency (HSARPA)[email protected] / 202-360-3170
28
Presenter’s Name June 17, 2003
Transition To Practice (TTP) Program
30
R&D Sources DOE National
Labs FFRDC’s (Federally
Funded R&D Centers)
Academia Small Business
Transition processes
Testing & evaluation
Red Teaming Pilot
deployments
Utilization Open Sourcing Licensing New Companies Adoption by
cyber operations analysts
Direct private-sector adoption
Government use
Implement Presidential Memorandum – “Accelerating Technology Transfer and Commercialization of Federal Research in Support of High-Growth Businesses” (Oct 28, 2011)