• No results found

The Cyber Security Crisis

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "The Cyber Security Crisis"

Copied!
39
0
0

Loading.... (view fulltext now)

Download now ( 39 Page )

Full text

(1)

The Cyber Security Crisis

Eugene H. Spafford

Professor & Executive Director

CERIAS

(2)

The State of Cybersecurity

• Overwhelming vulnerabilities

– About 4000 in each of 2003, 2004 – Almost 4600 in 2005

– New ones reported @ 20 per day – 3/4 were simple design flaws

• Well over 120,000 known viruses & worms

– New ones reported at a rate of 50 per day

(3)

The Problem is Growing

• Damages “hidden” but mounting

– Viruses alone projected at over $60B damage per year

– Worldwide losses from all causes in excess of $105 Billion

– Spam is 90% of email at some ISPs

• Organized cyber crime is increasing

• Identity theft is #1 growth crime in US • 1 Billion online users; 2 billion by 2015

(4)

Recent Trends

Attacks Reported by CERT Reported Viruses 0 20000 40000 60000 80000 100000 120000 140000 160000 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003

(5)

Why?

Why is our information security

bad, and getting worse?

(6)

Design is unsound

• Increasing features & size of platforms

• Not based on secure design principles

• Coded by untrained personnel

• Confusing & unnecessary options • Inconsistent configurations

(7)

Where We Currently

Assure

Policy Development Deployment

Requirements &

Specifications V & V Operation & Maintenance Design

Disposal Current business practice

(8)

Operation is Unsafe

• Culture of patching

• Overly homogenous

• Acceptance of failures

• Myth of general

purpose

(9)

Insufficient Expertise

• Infosec requires more than CS

• Too few educational programs

• Insufficient support of R&D training

• Mistaking hacking for expertise

(10)

Major Failing #1

Failing to understand the problem

It’s the information, not the computer!

Original had

copyrighted cartoon. Reproduction would

(11)

Major Failing #2

Failing to understand the threat. Related to not understanding the motives and methods of the attackers.

(12)

Major Failing #3

Failing to

include the

people

Original had

copyrighted cartoon. Reproduction would

(13)

Major Failing #4

Failure to build to a sound design.

Too much

accommodation of bad legacy code.

(14)

Major Failing #5

Placing too much trust in market pressure to

provide

highly-trustable systems … and then not

using the market to good effect!

(15)

Major Failing #6

Relying on patching instead of on

getting it right the first time.

(16)

Major Failure #7

A failure to protect holistically.

Point protection is necessary but not sufficient.

(17)

Major Failing #8

• Failure to provide any adequate deterrence in addition to protection – lack of tools – lack of funding – lack of priority – international Original had copyrighted cartoon. Reproduction would

(18)

Major Failing #9

Too much

information is kept out of the hands of people who can

use it – Company reticence – Over-classification Original had copyrighted cartoon. Reproduction would

(19)

Who Can We Depend

On?

(20)
(21)

Law Enforcement?

• Limited tools

• Limited personnel

• Overemphasis on anti-terrorism

• International issues

• Limited prosecution

(22)
(23)

Other 99% Cyber 1%

For example: DHS

Attention

More is likely being spent to prevent you from taking nail clippers onboard airplanes than is being spent on Cyber Security.

Research

(24)

How about the Dept. of

Defense?

(25)
(26)

Don’t They Know?

• Reported to President Bush in 2/05 • Results: – Committee dissolved – Most of the recommendations ignored

(27)

Need Balance in Research

• What are the systems after next? • Need to grow the talent pool

• Need significant investment in R&D with longer focus

• Need investment in law enforcement

(28)

Current research

Mostly focused on fixing the past, on MilSec or on IP rights

• Fixes for Windows, Linux, TCP/IP v4 ... There is far more needed:

Malware, program flaws, privacy mechanisms, authentication, forensics, protocols, MLS

design, intrusion detection and prevention, covert channels, crypto, digital cash,

datamining, cyber terrorism, security

architecture, residues, data pedigree, self-checking code, DRM, ...

(29)

Federal Research Funding Share of GDP: 1970-2004 (obligations; ratio x 1000) 0 0.5 1.0 1.5 2.0 2.5 3.0 3.5 1970 1971 1972 1973 1974 1975 1976 1977 1978 1979 1980 1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 Sources: AAAS, NSF Federal Funds for Research and Development

FY2001-4

* Other includes research not classified (excludes development and R&D facilities)

Life Scis. Engineering Physical Scis. Env.Scis. Math/Comp. Scis. Social Sciences Psychology Other*

(30)
(31)

John Sargent, Senior Policy Analyst, U.S. Department of Commerce, presented to the Computing Research Association, 2/2004

IT, Science and Engineering Occupational Projections, 2002-2012 0 200000 400000 600000 800000 1000000 1200000 1400000 1600000 1800000

(32)

Funding out-of-balance

0 9,000 18,000 27,000 36,000 45,000 54,000 63,000 72,000 81,000 90,000 Likely US Losses US Market Funded Research

(33)
(34)

Not to Mention Things

Such as the DMCA….

Original had

copyrighted cartoon. Reproduction would

(35)

Dire, but not Hopeless

• Small, but growing number of dedicated researchers

• Active, concerned professional & commercial associations

– E.g. CSIA

• Increasing public awareness that there is a problem

(36)

Perhaps, most of all…

Original had

copyrighted cartoon. Reproduction would

(37)

The Future Does

Not

Need

to Look Like the Present

• Change requires

– Will

– Investment – People

• Need a total approach

• Build trust

(38)
(39)

For more information

• PITAC www.nitrd.gov/pitac/reports • CERIAS www.cerias.purdue.edu/ • USACM www.acm.org/usacm/

• CRA Grand Challenges

References

Download now ( PDF - 39 Page - 3.53 MB )

Related documents

Associations between abuse/neglect and ADHD from childhood to young adulthood:A prospective nationally-representative twin study

As in childhood, the association between abuse/neglect in adolescence and young adult ADHD extended to other forms of vic- timization: participants who reported being

Usability Requirements for the Framework for Self-Service Environments

 In case of incorrect data input, when saving the form, the user is displayed a conspicuously coloured error message at the upper part of a screen, with reference to the data

FAIR PARK. Report of the Mayor s Fair Park Task Force 3 September 2014 A PARK FOR ALL PEOPLE 2014 REPORT OF THE MAYOR S FAIR PARK TASK FORCE

This entity would also be expected to work collaboratively with the Park and Recreation Department, as well as the city to obtain the necessary permits and adequate security,

ISACA CyberSecurity Nexus

Because the study’s purpose was to measure information security characteristics such as knowledge of advanced persistent threats (APTs), internal controls, internal incidents, policy

Commercial Banks and Consumer Instalment Credit

If you are financing sales finance companies, personal finance companies, industrial banking companies or other instalment consumer credit financing. organizations, please

General Chemistry

The calculated dependence of the bonding energy of one atom with others (the dependence of the bonding energy on the first ionization energy of the second atom)

Annual Report on the Dodd-Frank Whistleblower Program. Fiscal Year 2011

Section 922 of the Dodd-Frank Act established the Securities and Exchange Commission Investor Protection Fund (“Fund”) to provide funding for the Commission's whistleblower award

BANKA SOCIETE GENERALE ALBANIA

14 Appendix II – Service Level Agreement & Warranty period for Maintenance works of Bank's network premises. All the bidders must indicate by fulfilling the table below