Cybersecurity - The University of Texas at Dallas

Jonathan Shapiro
Director
Office of Research
Cybersecurity
Contact
Jonathan Shapiro
Director, Office of Research
Cyber Security Business Development
The University of Texas at Dallas
Direct
972-740-4339
Office
972-883-4501
Jon.Shapiro@UTDallas.edu
Personal Web Page
http://www.utdallas.edu/research/
Social Media
Blog - Cybersecurity at the University of Texas at Dallas
LinkedIn Group - Cybersecurity at the University of Texas at Dallas
Twitter - @CyberUTD
Cybersecurity
Cybersecurity is one of the most serious economic
and national security challenges we face as a
nation.
The Cyber Initiative at UTD is a critically important
public-private partnership to develop new
technologies and skills that will lead to secure
computing, communications and control systems.
Cybersecurity Research: The Cyber Initiative at UT Dallas
• University-wide initiative that involves faculty and students from six
different departments and schools.
• UT Dallas' Cyber Security Research and Education Center has been designated
an NSA/DHS National Center of Academic Excellence in Information Assurance Education.
• Eight areas of research and development have been designated,
encompassing a range of technologies, industries and users.
• Focus
– Perform research to enhance and strengthen the security of computer systems and
networks
– Share research results by publishing papers in premier journals and top conferences
– Foster interaction between government, industry and academia in the field of
cybersecurity
– Develop and teach a strong cyber security program, including courses in cybercrime
prevention, detection and analysis
– Initiate interdisciplinary programs integrating social sciences and information sciences
– Transfer technologies from the university to commercial development efforts
Cybersecurity Research Areas
The Cyber Initiative at UT Dallas
Technical Research
• Secure & Available Networks
• Secure Cloud Computing
• Security Of Control Systems
• Software Security
• Secure Silicon
Cross Functional Research
• Cyber Security Risk
Management
• Emergency Preparedness
• Information Assurance
• Business Risk Analysis &
Economic Implications
• Public Policy Implications
• Threat Analysis & Modeling
• Criminology
Participating schools and centers
• School of Management
– International Center for Decision and Risk Analysis
– Center for Information Technology and Management
– The Leadership Center
• School of Engineering and Computer Science
– Cyber Security Research Center
– Electrical, Mechanical and Computer Science
• School of Economic, Political & Policy Sciences
– Cybersecurity and Emergency Preparedness Institute
– Criminology
– Economics
• Arts and Technology
– Gaming and Simulation
Why Cybersecurity
Rapidly Expanding Market
• $55 billion cumulative federal spending on cybersecurity between
2010 and 2015, at about 6.2% CAGR
• $10.5 billion smart grid cyber security
• $7,455 million utility infrastructure security expenditure
• $2.3 billion 2012 federal DOE budget for cyber resources and
development
• $6,902.4 million SCADA security market in 2010, forecast to grow at 9.6%
through 2016, reaching $14 billion
• $936.48 million Homeland Security Department budget for
infrastructure protection and information security
• $500 million for Defense Advanced Research Projects Agency
research and development in cybersecurity
• $300 million SFS (Scholarship for Service) funding over five years to fund up to 1,000
cybersecurity scholarships per year
Great Career Opportunity
• 700,000 new information security professionals in the Americas by 2015
• Top 10 Best Jobs in America – US News and World Report
• Acquisitions were mega-deals in which public companies were taken private:
– Intel, for instance, bought McAfee for $7.68 billion
– HP bought ArcSight for $1.6 billion
– Symantec bought the security divisions of Verisign for $1.3 billion
– IDC expects the security technology market to grow at a 14 percent compound
annual growth rate to $82 billion in 2012
– Forrester says that security now accounts for 14 percent of information
technology spending, compared to 8.2 percent in 2007
• Venture capital takes notice
– "It's an area of huge interest to us," said Bill Maris, managing partner for
Google Ventures
– Venture investment in the information-technology security sector this year
looks set to exceed last year's $432.3 million
– "There is absolutely no question that this sector is going to be at the focal
point in the future in terms of investments and IPO," said Robert Francello,
head of equity trading at Apex Capital in San Francisco
• Data Security Analyst vs. Database Analyst, both with 2 years' experience in
Dallas, TX: the security role pays 28% more
Certifications
• International Information Systems Security Certification
Consortium, Inc., (ISC)²
– Certified Information Systems Security Professional (CISSP)
– Information Systems Security Architecture Professional (ISSAP)
– Information Systems Security Management Professional (ISSMP)
– Information Systems Security Engineering Professional (ISSEP)
– Certification and Accreditation Professional (CAP)
– Systems Security Certified Practitioner (SSCP)
• SANS Institute
– SANS Cyber Ranges Computer & Network Security Challenges
– SANS Cyber Guardian Program
– DoDD 8570 and GIAC Certification
A Declaration of Cyber-War
Stuxnet
• Last summer, the world's top software-security experts were
panicked by the discovery of a self-directed stealth drone radically
different from and far more sophisticated than any they had seen.
• A self-replicating computer virus, called a worm, was making its way
through thousands of computers around the world, searching for
small gray plastic boxes called programmable logic controllers
(PLCs): tiny computers about the size of a pack of crayons, which
regulate the machinery in factories, power plants, and construction
and engineering projects.
• Stuxnet is the Hiroshima of cyber-war. That is its true significance,
and all the speculation about its target and its source should not
blind us to that larger reality. We have crossed a threshold, and
there is no turning back.
What is Stuxnet
• Stuxnet is an advanced malware worm that was
discovered in July 2010. It has attacked Siemens
PCS 7, S7 PLC, and WinCC systems around the
world.
• The management of many industrial sites feels
"safe" because it believes the Industrial
Control Systems (ICS) network is not
connected to the Internet.
• Some even believe their system is "air-gapped"
from their corporate network.
• Part of the genius of Stuxnet is that it
demonstrated how easy it is for an advanced
cyber threat to move from a USB key, an external
hard drive, an infected laptop or an infected
project file onto a control system network.
Buy your test equipment on eBay
Operation Shady RAT
• Unprecedented cyber-espionage
campaign and intellectual-property
bonanza
• Infiltrated the computer systems of
national governments, global
corporations, nonprofits, and other
organizations, with more than 70 victims
in 14 countries.
• Lifted from these highly secure servers,
among other sensitive property: countless
government secrets, e-mail archives, legal
contracts, and design schematics.
Operation Shady RAT
• Malicious program: a remote-access tool,
or RAT
• The operation targeted a broad range of public- and
private-sector organizations in almost
every country in Southeast Asia, but none
in China
• Government agencies in the United States,
Taiwan, South Korea, Vietnam, Canada,
Japan, Switzerland, the United Kingdom,
Indonesia, Denmark, Singapore, Hong Kong,
Germany, and India
• The category most heavily targeted was
defense contractors: 13 in all
RSA Breach
• RSA is the security division of the high-tech company EMC
• Its products protect computer networks
at the White House, the Central
Intelligence Agency, the National Security
Agency, the Pentagon, the Department of
Homeland Security, most top defense
contractors, and a majority of Fortune
500 corporations.
• RSA's best-known product is the SecurID token, a key fob whose
screen shows strings of numbers generated by a microchip using the
SecurID algorithm and a unique cryptographic seed.
• The company's security system identified "an
extremely sophisticated cyber attack in progress,"
an attack that "resulted in certain information
being exported from RSA's systems," some of
which was "specifically related to RSA's SecurID
two-factor authentication products."
RSA Breach
• Dmitri Alperovitch, vice president of threat
research at McAfee, “today we see pretty much
any company that has valuable intellectual
property or trade secrets of any kind being
pilfered continually, all day long, every day,
relentlessly.”
• On May 21, the computer systems of America’s
largest military contractor, Lockheed Martin,
detected an intruder
• L-3 Communications, which provides
intelligence, surveillance, and reconnaissance
technology to the U.S. government, had also
been attacked
• The Finnish security company F-Secure believes an employee of
RSA or its parent firm, EMC, uploaded the malware to an
online virus scanning site.
• RSA had already revealed that it had been breached after
attackers sent two different targeted phishing e-mails to four
workers at its parent company EMC.
• The e-mails contained a malicious attachment that was
identified in the subject line as "2011 Recruitment plan.xls."
• The intruders succeeded in stealing information related to the
company's SecurID two-factor authentication products.
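The slides describe a SecurID code as a number computed by the token's chip from the SecurID algorithm and a per-token cryptographic seed, and then report that SecurID-related information was exfiltrated. What follows is an added example, not code from the slides or from RSA: it uses the open RFC 4226 HOTP construction (HMAC-SHA1 over a counter) as a stand-in for RSA's proprietary algorithm, the RFC's published test secret as a constructed seed, and a minimal hypothetical TokenServer, to show why a stolen seed database collapses the "something you have" factor.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a token's per-device seed. A real SecurID seed is
# provisioned by the vendor; RFC 4226's published test secret is used so the
# codes below can be checked against the RFC's own test vectors.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter) with dynamic truncation.
    Stand-in for the proprietary SecurID algorithm; the property that matters
    is the same: the code is a pure function of a secret seed and a moving value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class TokenServer:
    """Hypothetical authentication server: stores each user's seed and next
    expected counter, accepts a code that matches within a small look-ahead
    window (resynchronisation), and never accepts the same counter twice."""

    def __init__(self, window: int = 3):
        self.window = window
        self.users = {}  # user -> [seed, next_counter]

    def enroll(self, user: str, seed: bytes) -> None:
        self.users[user] = [seed, 0]

    def verify(self, user: str, code: str) -> bool:
        seed, counter = self.users[user]
        for c in range(counter, counter + self.window):
            if hmac.compare_digest(hotp(seed, c), code):
                self.users[user][1] = c + 1  # consume this counter: no replay
                return True
        return False


def legitimate_login(server: TokenServer, user: str,
                     token_seed: bytes, token_counter: int) -> bool:
    """The user reads the current code off the token and submits it."""
    return server.verify(user, hotp(token_seed, token_counter))


def attacker_with_stolen_seed(server: TokenServer, user: str,
                              stolen_seed: bytes, tries: int = 10) -> bool:
    """With the seed records exfiltrated, the attacker can compute every code
    the token will ever display. Only the counter is unknown, and the server's
    resync window lets a handful of guesses cover it, so the second factor
    is gone and the account is protected by the password alone."""
    for c in range(tries):
        if server.verify(user, hotp(stolen_seed, c)):
            return True
    return False


if __name__ == "__main__":
    server = TokenServer()
    server.enroll("alice", DEMO_SEED)
    print("token shows:", hotp(DEMO_SEED, 0))
    print("legitimate login:", legitimate_login(server, "alice", DEMO_SEED, 0))
    print("replay of the same code:", server.verify("alice", hotp(DEMO_SEED, 0)))
    print("attacker holding the seed:", attacker_with_stolen_seed(server, "alice", DEMO_SEED))
```

The server's replay check stops an attacker who only shoulder-surfed one code, but it does nothing against one who holds the seed, because that attacker generates fresh, never-used codes exactly as the token does. The only remedy once seeds are exposed is to re-seed or replace the tokens.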
Cyber Security and Critical Infrastructure
• Networks and control systems are under
repeated cyberattack, often from high-level
adversaries like foreign nation-states
"Security systems are overmatched by the threat and
very few companies are rising to the challenge posed
by state-sponsored or terrorist infiltration and
potential attack," said Jim Woolsey, former head of
the Central Intelligence Agency (CIA). “The real
answer is new technology, active cyber defense, and
distributed generation."
http://www.csmonitor.com/USA/2010/0128/Corporations-cyber-security-under-widespread-attack-survey-finds
Critical Infrastructure Sectors
IT Systems Vs Control Systems
• SCADA (supervisory control and data acquisition)
generally refers to industrial control systems (ICS):
computer systems that monitor and control
industrial, infrastructure, or facility-based processes
• Control systems include SCADA, programmable logic
controllers, motor controls, power electronics, and
embedded computing systems
• They are everywhere, in every industry
• Mostly ignored by IT security due to complexity,
proprietary nature, and different management teams
• Ripe for exploitation
• Intel, Microsoft, and security vendors have not paid
attention
• Many are NOT PCs
• Many can be infected, and the devices cannot be
cleaned: malware can embed itself in device firmware
and non-volatile memory
Components of a SCADA system:
• The central SCADA
master system.
• Communications
network.
• RTUs: Remote
Telemetry (or Terminal)
Units.
• Field instrumentation.
Inherent Vulnerabilities
• Two-way communications
• Distributed connectivity
• Customer usage data
• Weak authentication and access
control
• Lack of adequate training
• Lack of standards and
interoperability
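"Weak authentication and access control" is concrete on the master-to-RTU link: Modbus/TCP, one of the most widely used SCADA protocols, carries no credential, signature or integrity check in its frame, so any host that can reach TCP port 502 can write a register. The following is an added example, not from the slides: it builds and parses Modbus/TCP frames using the real wire layout (MBAP header plus PDU), then runs a simple passive monitor over constructed traffic. The HMI address 10.0.0.5, the unlisted host 10.0.0.77, the unit id and the register numbers are made up for the example.

```python
import struct

FC_READ_HOLDING = 0x03   # read holding registers: PDU = (start address, quantity)
FC_WRITE_SINGLE = 0x06   # write single register:  PDU = (address, value)
MODBUS_TCP_PORT = 502


def build_modbus_tcp(transaction_id: int, unit_id: int, function: int,
                     address: int, arg: int) -> bytes:
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
    The length field counts the unit id plus the PDU. There is no field for a
    credential, signature or MAC anywhere in the frame: the protocol has no
    authentication, so network reachability is the only "authorization".
    """
    pdu = struct.pack(">BHH", function, address, arg)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a request frame produced by build_modbus_tcp (or captured on the wire)."""
    if len(frame) < 12:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    function, address, arg = struct.unpack(">BHH", frame[7:12])
    return {"tid": tid, "unit": unit, "function": function,
            "address": address, "arg": arg}


def flag_unauthorized_writes(packets, allowed_writers):
    """Minimal passive monitor: given (source IP, frame) pairs captured on
    TCP/502, return the register writes that did not come from an allowlisted
    master. This is the compensating control the protocol itself lacks."""
    findings = []
    for src, frame in packets:
        msg = parse_modbus_tcp(frame)
        if msg["function"] == FC_WRITE_SINGLE and src not in allowed_writers:
            findings.append((src, msg["address"], msg["arg"]))
    return findings


# Constructed sample traffic (hypothetical addresses): the HMI at 10.0.0.5
# polls ten registers and then sets a setpoint; an unlisted host at 10.0.0.77
# writes the same register with a different value. The device accepts both.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_TRAFFIC = [
    ("10.0.0.5",  build_modbus_tcp(1, 1, FC_READ_HOLDING, 0x0000, 10)),
    ("10.0.0.5",  build_modbus_tcp(2, 1, FC_WRITE_SINGLE, 0x0010, 1500)),
    ("10.0.0.77", build_modbus_tcp(3, 1, FC_WRITE_SINGLE, 0x0010, 9000)),
]

if __name__ == "__main__":
    for src, frame in SAMPLE_TRAFFIC:
        print(src, frame.hex(), parse_modbus_tcp(frame))
    print("unauthorized writes:",
          flag_unauthorized_writes(SAMPLE_TRAFFIC, ALLOWED_WRITERS))
```

The monitor only sees the problem after the fact; the field device has already executed the write from 10.0.0.77. Network segmentation and an allowlist enforced in front of the device are the practical fix, because the protocol gives the device no way to tell the two masters apart.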
Critical Infrastructure Problem
• Vulnerability assessments have
not yet been completed
• Industry and government lack
guidance for conducting
vulnerability assessments
• Analysis of public works
infrastructure (including
electricity) has not been completed
• Assessments to date do not
consistently consider
vulnerabilities to longer-term
power disruptions
Summary: Critical Infrastructure
• Industrial Control Systems, SCADA
and PLCs are vulnerable to attack.
• We have no clear inventory of the
extent of the risk.
• Malware, infected silicon, and the
use of hacking skills against critical
infrastructure are growing.
• Weak spares inventory due to just-in-time manufacturing.
• Loss of critical infrastructure can
cause large residual economic
damage.
Von Neumann Machines
• A self-replicating machine is an artificial construct that is
theoretically capable of autonomously manufacturing a copy
of itself using raw materials taken from its environment.
• This year marks the 40th anniversary of Creeper, the world's first
computer virus. From Creeper to Stuxnet, the last four decades saw
the number of malware instances boom from 1,300 in 1990, to 50,000
in 2000, to over 200 million in 2010.
Future Issues
• Taboo subject
• Supply chain "purity"
• Skill shortages
• Ignorance of potential "design risk"
problems
• Cyber terrorism and extortion
• Polymorphic malware
• Defender versus attacker
• Constant growth in complexity and risk
• Government to the rescue?