NCSRA Symposium | 2 November 2015 Cybersecurity & Privacy research, education & innovation
NCSRA Symposium 2015
#NCSRA15 Wifi code: nbmc2015
ELLY VAN DEN HEUVEL INTRODUCTION
CHRIS KRUEGEL Securing the Future
Securing the Future
Exploring Challenges and Opportunities for Research in Computer Security
Christopher Kruegel UC Santa Barbara and Lastline, Inc.
The Future
Disclaimer: My bias is that I am a systems security researcher.
Innovation and new technology
Advances in offensive technology
Hype Cycle: Emerging Technologies
Source: Gartner, August 2015
#1: INTERNET OF THINGS
• Embedded software is everywhere
  – captured through many buzzwords
    • pervasive, ubiquitous computing
    • Internet of Things (IoT)
  – sensors and actuators
Blend between real and virtual worlds
Massive Growth
Security Challenges
• Quantity has a quality all its own
• Vulnerability analysis
  – binary blobs (binary only, no OS or library abstractions)
  – software deeply connected with hardware
• Patch management
  – devices must be cheap
  – vendors might be long gone
Security Challenges
• Remote accessibility
  – device authentication
  – access control (pacemaker during emergency)
  – stepping stone into inside of perimeter
• Additional vulnerability surface
  – attacks launched from physical world
  – supply chain attacks
#2: INFORMATION MANIPULATION
Information Manipulation
• Control what a user can see on the Internet to influence the user’s mind and actions
  – Manipulate content and in turn, target the human mind, instead of machines or code
  – Affect the users’ decision-making processes
    • economic gain (buying)
    • influence (voting)
    • credibility (social world)
We “See” Only Some Information
Information Flow
Event → Publishers (Web sites/portals) → Internet Intermediaries (ISPs/CDNs) → Users
• Production
  – Fake reviews
  – Sock puppets
  – Astroturf
  – Misleading Wikipedia entries
• Dissemination
  – Search-related attacks and misuses
  – Performance degradation
• Consumption
  – Pollution of browsing history
  – Tracking of user activities
Taxonomy of Manipulation
• Changing the choice set
  – Production: News agencies may choose not to report a story
  – Dissemination: Social network may remove (or add) content (e.g., Weibo censorship)
  – Discovery: Search engine may change the set of results for different users (“filter bubbles”)
• Changing the presentation layout (ordering, etc.)
  – Production: Sites may move content to top/bottom of a page.
  – Dissemination: News outlets can use social networks to “broadcast” certain stories (e.g., NYTimes Twitter feed)
  – Discovery: User profile pollution and poisoning can change the ranking of results
• Changing the content
  – Production: Bogus reviews, “astroturfing”, false Wikipedia entries
  – Dissemination: “Sock puppets” can create/amplify false content
#3: HUMAN DATA
Human Data
• From personal data to data about a person
Quantifiable Self
• Initially, mostly fitness-related metrics
  – steps, sleep, heart rate, …
• Newer wearable sensors go further
  – blood pressure, sweat, glucose levels, …
• Non-wearable biosensors
  – typically take a drop of blood and run 100s of tests
One step further …
• DNA analysis services
Security Challenges
• Risks are underrated
  – attackers not yet targeting human data
    • everyone understands that a stolen credit card is bad
    • not clear why anyone would want your health data or DNA
  – everyone happy to upload and share their human data
  – impossible to change
    • changing your credit card number is trivial
    • what if attackers find a reason to access the information
• How can one provide services without revealing data?
#4: ADVANCED MALWARE
Isn’t malware solved already?
Fraction of malware-related publications in Top-4 security conferences (NDSS, Oakland, Usenix Sec., CCS) over last 10 years
[Chart: "Malware Publications", series "Malware (incl. Android)"; x-axis 2004 to 2015, y-axis 0% to 16%]
But the world has missed it …
Source: Google News Trends
Interest in Advanced Malware Protection
Lots of interesting things to do
• Mobile malware – difference to traditional malware implies opportunities and challenges
  – apps are much easier to analyze statically
    • use of Dalvik bytecode instead of x86
  – centralized control
    • vet applications before they enter store
    • can remotely remove installed applications
    • carriers might have more complete picture of users and traffic
  – interesting GUI issues
Summary
• Rapid technical progress and new attacks make increased (research) efforts necessary to protect critical systems and data
• Four challenges/opportunities for future research
  1) Secure the Internet of Things
  2) Defend against Information Manipulation
  3) Protect Human Data
  4) Detect Advanced Malware
Thank You!
MARTIN BORRETT Security - What matters?
RENÉ PENNING DE VRIES Chairman ICT in Topsectors
ICT KIA and Commit2Data: Open for Business!
02/11/2015 René Penning de Vries, Figurehead ICT Team
Top Sectors and ICT: ICT Innovation Contract signed
• The ICT Team aims to enhance ICT based innovation.
• The ICT Team creates usage inspired public-private R&D partnerships.
• The ICT Team works across Top Sectors.
• The ICT team develops a Human Capital agenda and develops a Branding approach.
• ICT One can Rely on
• ICT Systems for Monitoring and Control
• ICT for a connected World
• Data, Data, Data: Big Data
• Energy Transition
• Life Science and Health
• Smart Industry
• Cyber Security
1. We have two new instruments to close the gap between R&D and application
2. Alignment with NCSRA on program and HCA are logical next steps
ICT KIA and Commit2Data: Open for Business!
JAN PIET BARTHEL Program Manager Cybersecurity Research NWO
THIS CAP FITS ALL OF US
535 REGISTRATIONS SUBDIVISION
National & International Upcoming HIGHLIGHTS, EVENTS and CALLS for proposals
• CHIST-ERA call: deadline January 13, 2016 (EU 7 FP instrument)
• National Cybersecurity Best Research Paper Award contest: March 22, 2016
• NWO-NSF call (US-NL) privacy research (MoU we are about to sign): deadlines Q1, Q2 2016
• Scientist on the Job instrument (NWO-TNO): Q1 2016
• Joint STW-NWO Physical Sciences call on Smart Industry (including cybersecurity): Q2 2016
• Cybersecurity Matchmaking Event: Q3 2016
• National call on cybersecurity research with MaGW/SIA: Q4 2016, synchronized with SBIR tender: Q4 2016
• Joint call with DHS: Q1 2017 (Doug Maughan will explain)
• (Third) NCSRA-Symposium: Q2 2017
• Two AiO - Multidisciplinary research call, Computer Sciences (EW) together with Social Sciences (MaGW): 2017-2018
• SIA Taskforce for Applied Research will fund two HBO-lector positions, one at NSCR (cybersecurity) and one at CWI-Amsterdam (big data and cybersecurity)
DOUGLAS MAUGHAN Division Director at DHS (US)
DHS 2016 Events and Activities
• DETER – Research Testbed
  – See http://cybersecurityexperimentation.org for more information
• PREDICT – Data Repository
  – Available to Dutch researchers through NCSC
  – Incorporation of additional data
  – Advances in ICTR Ethics
• Joint research call with Netherlands: Q1 2017
• Opening of DHS Silicon Valley Office
  – Possible opportunities for young companies (age 6-24 months) to provide technologies for DHS operational applications
• Annual Principal Investigator Showcase and Technical Workshop: Feb 17-19, 2016 in WDC
Joint Research Call Process
• Notice of Intent
• Matchmaking Portal
• Solicitation Published
• Proposals Submitted
• Proposals Reviewed
• Notice of Award
• Procurement Actions
  – DHS – US Performers
  – NWO – NL Performers
Unofficially Today July 1, 2016 60 Days to Sept. 1 Sept 1, 2016 Nov 1, 2016 Completed Jan 1, 2017 Feb 1, 2017 Completed May 1, 2017
Joint Research Call Process - 2
• US Participants
  – Academic
  – Industry
  – Labs (e.g. DOE)
• NL Participants
  – Academic (main applicant)
  – Industry (co-applicant)
• Possible Teams
  – US Academic – NL Academic (with US and/or NL Industry)
  – US Industry – NL Academic
  – US Labs – NL Academic (with US and/or NL Industry)
Joint Research Call Process - 3
Topics under consideration
• Identity Management
• Data Analytics
• Mobile Security
• Cyber Physical Systems Security / IOT
• Cybersecurity and the human factor
For more information, visit http://www.dhs.gov/cyber-research
Douglas Maughan, Ph.D.
Division Director
Cyber Security Division
Homeland Security Advanced Research Projects Agency (HSARPA)
[email protected]
202-254-6145 / 202-360-3170
HANS DE VRIES Head of NCSC
ELLY VAN DEN HEUVEL CONCLUSIONS
IIP-VV Board: Dick Brandt, Eelco Stofbergen, Erik Poll, Herbert Bos, Jan Piet Barthel, Michel van Eeten, Paul de Jager, Pieter Hartel, Sandro Etalle, Wim Hafkamp
Project Team: Henk de Poot, Jeroen van den Ham, Joep van Wijk, Juul Brouwers, Karin van Es, Kas Clark, Mariska Warnars, Marit van Galen, Naomi Messing, Tobias Paulissen