Cybersecurity Panel
Managing Risk in the Aerospace and
Defense Industry
Peter S. Chiou – Principal Strategist and Business
Development Manager for Azure DoD, Microsoft
Isaac Potoczny-Jones – Research Lead, Computer
Security, Galois
Special Agent Joshua Michaels – FBI, Cyber Task
Force
Aerospace & Defense Symposium
Josh Michaels
UNCLASSIFIED 6/2/2015
Cyber as an FBI Priority
To protect the United States against:
• Terrorist attack
• Foreign intelligence operations and espionage
• Cyber-based attacks and high technology crimes
Unique role as the only US agency with the authority to investigate both criminal and national security cyber security threats.
Focus of Cyber Program
Criminal and National Security
Computer/Network Intrusions
Botnets, Malware, Spear-phishing, Viruses, Trojans, Spyware, Ransomware, Worms …
Differentiate intrusions from cyber-enabled crimes:
• Innocent Images National Initiative
• Intellectual Property Rights
• Internet Fraud
The Cyber Threats Landscape
• Hacktivist: Computer network exploitation or attack to advance a political or social cause
• Criminal: Financially-motivated criminal enterprises conducting computer intrusions
• Espionage: Nation-state actors conducting computer intrusions to illegally obtain information
• Terrorist: Use of computer network attack by terrorist groups to harm the U.S. critical infrastructure
• Warfare: Nation-state actors using computer network operations to commit sabotage or disrupt critical systems
Intended Targets
• Government
• Cleared Defense Contractors
• Universities
• High Tech/Research
• Financial Sector
• Natural resources
• Retail
• Litigation/Negotiation
Investigative Challenges
• Investigation vs. Mitigation
• Victim Incident Response Capabilities
• Volatility of Digital Evidence
• Volume of Digital Evidence
• Velocity of Legal Process
• Reliable cyber attack attribution
• Actors are usually overseas
• Web Proxies
• Onion Routers
• Botnets
• Compromised hosts
• VPS services
• Foreign ISPs
• Encryption
Personnel: Biggest Security Risk?
• Opening an unexpected e-mail attachment or link from a colleague
• Using personal Web email for work
• Posting job details on social networking sites
• New personal gadgets on the corp network
• Personal computer use habits:
– Don’t use Administrative User Account
• When Internet surfing or checking emails
– Always virus scan email attachments
– Don’t update software on untrusted wi-fi networks
• Social Media site habits:
– Be selective with what you share with whom
– Frequently review privacy settings
Private Sector Partnerships & Resources
• InfraGard (www.infragard.org)
• Domestic Security Alliance Council (www.dsac.gov)
• National Cyber-Forensics Training Alliance (www.ncfta.net)
  – Cyber Initiative and Resource Fusion Unit
• Information Sharing Analysis Centers (www.isaccouncil.org)
• Internet Crime Complaint Center (www.ic3.gov)
Questions?
Josh Michaels
Special Agent Bomb Technician
Seattle FBI Cyber Task Force
(206) 622-0460
Computer Science R&D
and Cybersecurity Consulting
• Leaders in high assurance research and development
• Creating trustworthiness in critical systems
• Solving your hardest computer science problems
Galois [gal-wah] Named after French mathematician Évariste Galois www.galois.com
• Galois, Inc. Overview
Outline
• Problems: Why the government is so involved in
cybersecurity
• Challenges: Interests and needs sometimes
conflict
• Policy: The government is making policy on
cybersecurity every day
© 2015 Galois, Inc Page 21
Critical Infrastructure is Vulnerable
Chris Roberts has been working on airplane hacking for years. The FBI says he sent commands to a plane in flight via the entertainment system. Supposedly his commands caused the plane to “fly sideways”.
The security community doesn’t believe him.
Boeing says it’s not possible.
No Serious Critical Infrastructure Attacks Yet
What’s the formula for a serious attack?
Motivation + Skill > Barrier to entry + Risk
• Motivation: There’s no money in it
• Skill: State-level / organized crime
• Barrier to entry: Systems are unusual
• Risk: Kinetic response
North Korea took out Sony Pictures
We know because we saw them do it.
Motivation + Skill > Barrier to entry + Risk
• Motivation: Politically motivated
• Skill: State-level attack
• Barrier to entry: Plain old Windows
• Risk: Economic sanctions
If it hasn’t happened, why are we worried?
• Incidents can be dangerous
  • Russia is accused of blowing up an oil pipeline in 2008
• Cybersecurity hurts the economy
  • The recent cyber attack cost Target $148 Million
• IP is stolen by industrial espionage
  • Unit 61398 from the Chinese People's Liberation Army (PLA)
• Incidents can have political / national security consequences
  • Whitehouse and State Department email hack
• Incidents can be embarrassing
  • Iran shut down a US casino because of its owner’s political views
Users
• Free sites, apps, content
• Personal info kept confidential
• Limited financial risk
• Protected from cyber attack, terrorists and illegal surveillance
• Access to legal security technology
• Industry held accountable
Industry
• Personal info: Marketing
• Mediocre security: Costs
• Limit liability: Risk
• Hide attacks: Brand
• Protect users with crypto
• Resist regulation: Costs
• Maintain access to PII
Government
• Protect industry with law (e.g. CFAA, CISA)
• Protect users with regulation (e.g. HIPAA)
• Encryption challenges
• Backdoors for lawful intercept
• Protect national security interests
• Protect users from attackers
• Protect national security
• Legal framework for intercept
• Reelection
Attackers
• Other nations’ interests
• Espionage
• Cyber war
• User PII
• Botnets
• Intellectual property
• Identity theft
• Financial theft
Tensions: Privacy vs. Profit; Security vs. Surveillance; Regulation vs. Growth
Federal Cybersecurity Priorities
• Administration Priorities
  • Protecting critical infrastructure and federal networks
  • Solving strategic long-term problems around workforce
• DoD Strategy
  • Build and maintain forces for cybersecurity operations
  • Defend the homeland from cyber attack and deter threats
Cybersecurity Bills
• COICA (2010) - Combating Online Infringement and Counterfeits Act
• PIPA (2011-2012) - PROTECT IP Act
• SECURE-IT (2012) - Strengthening and Enhancing Cybersecurity…
• SOPA (2011-2012) - Stop Online Piracy Act – Big protests
• CISPA (2011-2015) - Cyber Intelligence Sharing and Protection Act
• CISA (2014) - Cybersecurity Information Sharing Act
Cybersecurity Bills: Types of legislation
• Requirements to secure critical infrastructure
• Optional cyber threat information sharing
  • Government -> Companies
  • Companies -> Government
  • Immunity for companies sharing information
• Limiting surveillance / hacking tools (CFAA, Wassenaar)
• Surveillance laws – PATRIOT Act
• Requirements to inform customers of attacks
• Mandatory backdoors in consumer products
• Increased penalties for hacking
Cybersecurity Bills: Crystal Ball
• Increased requirements to secure “critical infrastructure”
  • Why? An administration priority; it’s already required for contractors
• Optional cyber threat information sharing with limited immunity
  • Why? Congress has been trying to pass this for years
• Limiting export and sale of 0-Days and Intrusion Software
  • Why? Draft rules already passed
• PATRIOT Act bulk data collection will expire May 31
  • Why? They’ve started to shut it down
Contractor Security Requirements
Based on NIST 800-53
Safeguarding Of Unclassified Controlled Technical Information
• It’s a relatively new contracting rule that will be in most contracts
• Report cybersecurity incidents within 72 hours
• Assist the DoD in damage control
• New cybersecurity requirements
• Applies to anyone with technical information carrying this label: “Distribution authorized to U.S. Government Agencies and their contractors... Other requests for this document shall be referred to …”
Contractor Security Requirements
• AC-2 ACCOUNT MANAGEMENT
• AC-3 (4) DISCRETIONARY ACCESS CONTROL
• AC-4 INFORMATION FLOW ENFORCEMENT
• AC-6 LEAST PRIVILEGE
• AC-7 UNSUCCESSFUL LOGON ATTEMPTS
• AC-11 (1) PATTERN-HIDING DISPLAYS
• AC-17 (2) PROTECTION OF CONFIDENTIALITY / INTEGRITY USING ENCRYPTION
• AC-18 (1) AUTHENTICATION AND ENCRYPTION
• AC-19 ACCESS CONTROL FOR MOBILE DEVICES
• AC-20 (1) LIMITS ON AUTHORIZED USE
• AC-20 (2) PORTABLE STORAGE DEVICES
• AC-22 PUBLICLY ACCESSIBLE CONTENT
• AT-2 SECURITY AWARENESS TRAINING
• AU-2 AUDIT EVENTS
• AU-3 CONTENT OF AUDIT RECORDS
• AU-6 (1) PROCESS INTEGRATION
• AU-7 AUDIT REDUCTION AND REPORT GENERATION
• AU-8 TIME STAMPS
• AU-9 PROTECTION OF AUDIT INFORMATION
• CM-2 BASELINE CONFIGURATION
• CM-6 CONFIGURATION SETTINGS
• CM-7 LEAST FUNCTIONALITY
• CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
• CP-9 INFORMATION SYSTEM BACKUP
• IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
• IA-4 IDENTIFIER MANAGEMENT
• IA-5 (1) PASSWORD-BASED AUTHENTICATION
• IR-2 INCIDENT RESPONSE TRAINING
• IR-4 INCIDENT HANDLING
• IR-5 INCIDENT MONITORING
• IR-6 INCIDENT REPORTING
• MA-4 (6) CRYPTOGRAPHIC PROTECTION
• MA-5 MAINTENANCE PERSONNEL
• MA-6 TIMELY MAINTENANCE
• MP-4 MEDIA STORAGE
• MP-6 MEDIA SANITIZATION
• PE-2 PHYSICAL ACCESS AUTHORIZATIONS
• PE-3 PHYSICAL ACCESS CONTROL
• PE-5 ACCESS CONTROL FOR OUTPUT DEVICES
• PM-10 SECURITY AUTHORIZATION PROCESS
• RA-5 VULNERABILITY SCANNING
• SC-2 APPLICATION PARTITIONING
• SC-4 INFORMATION IN SHARED RESOURCES
• SC-7 BOUNDARY PROTECTION
• SC-8 (1) CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION
• SC-13 CRYPTOGRAPHIC PROTECTION
• SC-15 COLLABORATIVE COMPUTING DEVICES
• SC-28 PROTECTION OF INFORMATION AT REST
• SI-2 FLAW REMEDIATION
• SI-3 MALICIOUS CODE PROTECTION
• SI-4 INFORMATION SYSTEM MONITORING
Example: AC-6: Principle of Least Privilege
Users get only the authorized accesses that are necessary to accomplish their assigned tasks, and nothing more.
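The slide states the principle; as an added worked example (not part of the panel slides and not Galois code), the following Python module shows one way to enforce it in an application. Access is granted only for the (action, resource) pairs that a user's assigned tasks require, everything else is denied by default, every decision is written as an audit record with AU-3-style fields (time, user, action, resource, outcome), and a review helper lists granted permissions that were never exercised. The task names, resources and users are constructed sample data.

```python
"""Least-privilege (AC-6) authorization: deny by default, grant per assigned task.

Added example; the tasks, resources and users below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data: each assigned task maps to the minimal set of
# (action, resource) pairs required to carry it out.
TASK_PERMISSIONS = {
    "review_drawings": {("read", "cti/drawings")},
    "publish_drawings": {("read", "cti/drawings"), ("write", "cti/drawings")},
    "manage_accounts": {("create", "accounts"), ("disable", "accounts")},
}


@dataclass(frozen=True)
class User:
    name: str
    tasks: frozenset  # tasks assigned to this user, nothing more


@dataclass(frozen=True)
class AuditRecord:
    # Fields in the spirit of AU-3 "content of audit records":
    # when, who, what, on which resource, and the outcome.
    timestamp: str
    user: str
    action: str
    resource: str
    outcome: str


class LeastPrivilegeAuthorizer:
    """A request succeeds only if some assigned task of the user explicitly
    needs that exact (action, resource); there is no implicit allow."""

    def __init__(self, task_permissions):
        self.task_permissions = task_permissions
        self.audit_log = []

    def effective_permissions(self, user):
        """Union of the permissions required by the user's assigned tasks."""
        perms = set()
        for task in user.tasks:
            # An unknown task contributes nothing rather than raising, so a
            # typo in an assignment can only reduce access, never widen it.
            perms |= self.task_permissions.get(task, set())
        return perms

    def authorize(self, user, action, resource):
        """Deny-by-default decision; every decision is audited."""
        allowed = (action, resource) in self.effective_permissions(user)
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user.name,
            action=action,
            resource=resource,
            outcome="ALLOW" if allowed else "DENY",
        ))
        return allowed

    def unused_permissions(self, user, observed_use):
        """Privilege review: permissions granted to the user that never appear
        in the observed (action, resource) usage. These are candidates for
        removal when the user's assigned tasks are re-scoped."""
        return self.effective_permissions(user) - set(observed_use)


def demo():
    """Run the sample scenario and return the decisions for inspection."""
    auth = LeastPrivilegeAuthorizer(TASK_PERMISSIONS)
    reviewer = User("alice", frozenset({"review_drawings"}))
    publisher = User("bob", frozenset({"publish_drawings"}))

    results = {
        "alice_read": auth.authorize(reviewer, "read", "cti/drawings"),
        "alice_write": auth.authorize(reviewer, "write", "cti/drawings"),
        "bob_write": auth.authorize(publisher, "write", "cti/drawings"),
        "bob_accounts": auth.authorize(publisher, "disable", "accounts"),
    }
    # Bob has only ever read the drawings, so his write grant is a review candidate.
    results["bob_unused"] = auth.unused_permissions(publisher, {("read", "cti/drawings")})
    results["denials"] = sum(1 for r in auth.audit_log if r.outcome == "DENY")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two design choices that matter here are that permissions are derived from tasks rather than attached to users directly, so removing a task removes every access it brought with it, and that the audit trail records denials as well as allows, since repeated denials for the same user are exactly the signal a reviewer wants when deciding whether an assignment is wrong.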
NIST Risk Management in Practice
It’s required across the federal government
• Categorize: Determine the level of “Impact” – Low, Medium, High
• Select security controls: From NIST 800-53
  • New rules basically create a minimum standard
• Implement security controls: According to the plan
• Assess security controls: Are they sufficient?
• Authorize information system: Take accountability
What You Can Do
• Prepare for coming legislation with a good security plan
  • Incident response plans, disclosure policies, threat sharing plans
• Implement “Controlled Unclassified Technical Information” rules
  • These are now required for contractors
• Go beyond these to use the NIST Security Frameworks:
  • “Framework for Improving Critical Infrastructure Cybersecurity”
  • “Risk Management Framework” – 800-53
Opportunities
• Obama’s 2016 budget has $16 Billion for defensive cybersecurity
  • 10% increase over 2015
  • $5.5 Billion of that is DoD
• Align with Federal priorities
  • Protect your parts of Federal networks and data
• Align with DoD priorities
  • Help the DoD maintain dominance in the cyber domain
• Build cybersecurity into your products as a differentiator