Slides from the LMTE Cyber Security Spring Summit held on 20th May 2015 at 99 Bishopsgate. Presenters included Adrian Rands of Quantemplate, Prof Roy Isbell from Warwick University, Daniel Beazer of Peer1 and Rashmi Knowles of RSA.
12. Professor Roy Isbell – Principal Fellow of the University of Warwick, WMG Cyber Security Centre
Rashmi Knowles – Chief Security Architect at RSA, The Security Division of EMC
Daniel Beazer – Senior Consulting Analyst, Peer1 Hosting
14. “Cyber Hardening & the Future Enterprise”
(Exploring the Current & Future Limits of the Cyber
Environment)
Roy Isbell (Prof.) FIET FBCS CITP
LMTE
Cyber Security Special Spring Summit
16. Industry Sectors Breached (Guide to Who is Under Threat)
Cyber Hardening & the Future Enterprise
(Exploring the Current & Future Limits of the Cyber
Environment)
• Healthcare, retail, and education were ranked
highest for the number of data breach incidents
in 2014; the top three accounted for 58 percent
of all data breaches.
• The retail, computer software, and financial
sectors accounted for 92 percent of all the
identities exposed in 2014.
• This highlights that sectors involved in the
majority of data breaches don’t necessarily
result in the largest caches of stolen
identities, with the exception of retail.
20. Unusual Cyber (Modulated Water)
Figure: process chain Modulated Water → Electrical Pulses → Data → Network Data → Processing → Satellite Communications → Network Data → Processing, with link rates labelled 140 bps, 100 Gb/s, 1 Mb/s, 1 Mb/s and 100 Gb/s (data rates 35 bps to 140 bps).
21. Secondary Sector (Manufacturing or Goods Production)
• Food Supply & Demand Chain
• Automated Manufacturing
• Water Management
• Utility Supply Management
• Automated Food Processing/Production
• Retail Management
(Image sources: unknown)
26. Cyber–Physical Engineered Systems (Adding Sensing & Actuation)
(Image source: unknown)
Cyber–Physical Engineered Systems:
1. Effectively command and control systems that are networked or distributed (i.e. employ networking and/or communications).
2. Incorporate a degree of intelligence (adaptive or predictive).
3. Work in real time to influence or actuate outcomes in the physical world.
4. Found in transportation, utilities, buildings, infrastructure & health care.
5. Use sensors to detect and measure physical parameters and actuators to control physical processes.
6. Utilise feedback loops for monitoring, allowing degrees of autonomy.
27. Integrated Transport (Autonomous Vehicles)
Autonomous Shipping (Source: Rolls Royce Holdings)
Autonomous Road Trains (Source: Volvo)
Autonomous Planes (Source: Northrop Grumman)
Autonomous Trains – Transport for London is considering plans to roll out driverless tube trains across the Underground network by 2020 (Source: Transport for London)
The first commercially available semi-autonomous cars will be available in 2014 (E&Y Report)
28. Complex System of Systems (WHAT? – Complex Cyber Physical Engineered System)
List of Technologies to Create a Self-driving Vehicle:
• Collision Avoidance (Steering)
• Vehicle-to-Vehicle Communication
• Vehicle-to-Infrastructure Communication
• Steer-by-Wire
• Lane Keeping
• Forward Collision Avoidance (Braking)
• Driver Performance Monitor
• Lane Sensing/Warning
• Active Roll Control
• Forward Collision Warning
• Adaptive Cruise Control
• Vision Enhancement
• Near Obstacle Detection
• Electronic Stability Control
• Adaptive Variable-Effort Steering
• Semi-Active Suspension
• Traction Control
• Anti-Lock Braking Systems
Source: Byron Shaw, GM MD of Advanced Technology
29. Complex System of Systems (HOW? – External Remote Access)
Sensor Systems – Constantly monitor the external environment to build a 360° picture that provides information to the command and control environment of the vehicle. (Influence, Jamming & Spoofing)
Connecting Systems:
Infotainment – a combination of information and entertainment. (Access to vehicle subsystems for information, disruption, modification & control).
Telematics – the integrated use of telecommunications and informatics for control of vehicles on the move. (Access for information, disruption, modification & control).
30. Network Based Connectivity (HOW? – Expansion of the Attack Vectors)
• Mobile Phone App – Sync with Head Unit. Head Unit OS – Windows, Android or Linux Variants
• Laptop Access – Through Vehicle WiFi Hotspot
• 4G Access – Via Mobile Device
• New Vehicle Apps – Access via Head Unit & Mobile Device
• 5G Access – Via Mobile Device
• The Cloud – Dedicated Cloud Services or Generic Web Access
• Bluetooth – Device Connect
All the Security Issues Associated With Information Systems Now Apply to Connected Vehicles.
31. Vehicle Lifecycle (HOW? – The Insider Threat)
Lifecycle stages: Design & Manufacture; Sales & Distribution; Consumer / Owner; Disposal; Maintenance – (Maintainer / Valet); Fuel – (Fossil / Gas / Bio / Electrical)
Analysis of the vehicle lifecycle provides for identification of those who are permitted to come into contact with the vehicle and the level of access. These individuals provide identification of the ‘Insiders’ for consideration of the ‘Insider Threat’.
Maintainers – Have physical access to the vehicle via technical equipment. Both the equipment and the personnel may be an attack vector.
In addition, the vehicle software updating process needs to be considered as an attack vector.
Power Line Carrier – the use of Power Line Carrier technology to communicate between the vehicle, off-board charger, and smart grid.
Access Control: (As a function of)
• Role – Role based access control is not
enough.
• Function – Consider adding function as an
additional factor.
• Time – Consider using time to achieve
removal of legacy access.
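One way to turn the three factors above (role, function, time) into a single policy decision, as an added example that is not part of the slides; the "maintainer" role, the garage subject and the two-hour service window are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed vehicle-maintenance policy (illustration only, not from the slides).
# Role-only view: everything a holder of the role is ever allowed to do.
ROLE_PERMISSIONS = {
    "maintainer": {"read_diagnostics", "clear_fault_codes", "update_software"},
    "valet": {"read_diagnostics"},
}

@dataclass(frozen=True)
class Grant:
    """One time-bounded grant: subject, role, the specific function, validity window."""
    subject: str
    role: str
    function: str       # the single operation this grant covers (the 'function' factor)
    valid_from: datetime
    valid_to: datetime  # expiry drops legacy access without anyone having to revoke it

def rbac_allows(role: str, function: str) -> bool:
    """Role-only decision: holding the role grants every function mapped to it."""
    return function in ROLE_PERMISSIONS.get(role, set())

def allows(grants, subject: str, role: str, function: str, now: datetime) -> bool:
    """Role + function + time: the role must permit the function AND a grant for
    exactly this subject, role and function must be live at 'now'."""
    if not rbac_allows(role, function):
        return False
    return any(
        g.subject == subject and g.role == role and g.function == function
        and g.valid_from <= now < g.valid_to
        for g in grants
    )

# Constructed two-hour service appointment: the garage only needs diagnostic access.
T0 = datetime(2015, 5, 20, 9, 0)
SERVICE_GRANTS = [
    Grant("garage-42", "maintainer", "read_diagnostics", T0, T0 + timedelta(hours=2)),
    Grant("garage-42", "maintainer", "clear_fault_codes", T0, T0 + timedelta(hours=2)),
]

def demo() -> dict:
    """Compare the role-only answer with the role+function+time answer."""
    during = T0 + timedelta(minutes=30)
    after = T0 + timedelta(hours=3)
    return {
        # role alone would let any maintainer push software at any time
        "rbac_update_software": rbac_allows("maintainer", "update_software"),   # True
        "diag_during_window": allows(SERVICE_GRANTS, "garage-42", "maintainer",
                                     "read_diagnostics", during),              # True
        "update_during_window": allows(SERVICE_GRANTS, "garage-42", "maintainer",
                                       "update_software", during),             # False
        "diag_after_window": allows(SERVICE_GRANTS, "garage-42", "maintainer",
                                    "read_diagnostics", after),                # False
    }
```

The last two results are the point: the software-update path is closed even though the role permits it, and the diagnostic grant dies on its own once the appointment window passes.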
33. Urbanisation (The Move to the City)
1950 – 2050 Rise in Urban Population (Source: WHO)
Statistics
1. 60% of world population urbanised by 2030
2. Urban population in developing countries will more than double
3. New development often on coastal plains, increasing risk from severe weather & global warming.
Challenges
1. Developed countries' existing infrastructures already stretched.
2. Proactive management required for costly and scarce resources.
3. Technological advances allowing development of SMARTer cities.
4. Evolving systems of systems of systems(n) with complex and/or cascading failure.
5. Greater automation and system autonomy for cost reduction and improved productivity.
Research:
• The City as a Platform
• Understanding Cyber–Physical Engineered Systems
• Data & Systems Context
• Resilience of Systems & Services
• Deriving Cyber Security Needs
36. The Cyber Attack Triangle (WHEN? – Understanding the Pre-requisites for an Attack)
CIA – Cyber Attack Triangle: Access, Information, Capability
Access – In order for any attack to even be contemplated some form of access to the target is required. Access may be physical or remote.
Capability – To effect a successful attack the attacker requires the correct tools and techniques to interact with the target and influence or affect the changes required to achieve the desired outcome.
Information – Before either access or capability may be achieved or determined, information (intelligence) on the target is required. The level of detailed information will determine the risk associated with any attack scenario being considered.
Like any three legged stool, absence of any leg renders the stool useless.
Attack Anatomy – Each attack follows a sequence of activities, with each activity, once completed, providing either information, access or a capability related to the target system.
37. Attack Motivators (Examples Related to Autonomous/Connected Vehicles)
Motivator categories: Crime (Including Financial), (H)Acktivism, Warfare, Terrorism (Including Corporate Blackmail), Espionage (Including Industrial Espionage)
Espionage – seeking unauthorised access to sensitive information
(intellectual property, commercial information, corporate strategies, personal
data, pattern of life) or using the vehicle as a reconnaissance tool:
• State
• Commercial
(H)Acktivism – seeking publicity or creating pressure on behalf of a specific
objective or cause:
• Disruption of specific businesses/organisations (supplier or end
user)
• Disruption of specific geographic areas (cities, routes)
Criminal – largely driven by financial gain, but may include gang related
violence:
• Theft of a vehicle
• Theft from a vehicle
• Hijack of a vehicle
• Kidnap of a vehicle’s occupant(s)
• Criminal damage
Terrorism:
• Use of vehicle as a weapon
• Attacks on vehicle and/or vehicle’s occupants
• Disruption of transport systems/infrastructure
Warfare – conflict between nation states:
• Disruption of transport systems/infrastructure to deny operational
use
• Disable specific modes of transport or vehicle types
• Destruction of vehicles
38. New Models for Evaluating Cyber Security & Safety
CIA Triad (Bishop M. 2004): Confidentiality, Integrity, Availability
Parkerian Hexad (Parker DB, 2002): Confidentiality, Possession/Control, Integrity, Authenticity, Availability, Utility
Cyber Security for Autonomous Systems (Boyes H. 2014): Confidentiality, Possession/Control, Integrity, Authenticity, Availability, Utility, Safety
Element – Relevance to CPES
Confidentiality – Protection of personal & other sensitive data
Possession/Control – Prevent unauthorised manipulation or control of systems
Integrity – Prevent unauthorised changes to or deletion of data & maintenance of system configuration
Authenticity – Prevention of fraud or tampering with data
Availability – Autonomous infrastructure able to operate without disruption or impairment
Utility – Maintaining data & systems in a useful state throughout their lifecycle
Safety – Prevention of harm to individuals, assets and the environment
39. Autonomous Systems Defence Capability Strategies (Prevent, Protect, Detect, Deny, Respond)
Prevent – the prevention of unauthorised users gaining access to subsystems, prevention of unauthorised modifications or changes to a system's configuration, prevention of a system going into an unsafe and insecure mode of operation.
Protect – the protection of any data or information at rest, in transit or in operation using strong cryptographic and hashing techniques, the protection of the access portals from unauthorised connection through strong authentication.
Detect – the detection of hardware or software modification outside of operating parameters, the detection of unauthorised activity within the system, the detection of anomalous activity within operating parameters.
Deny – the denial of access either physical or remote, the denial of code or hardware modification without approval, the denial of an attack using active defence measures.
Respond – the ability to respond (automatically or otherwise) to events before safety or security countermeasures are activated, the ability to respond after safety or security countermeasures have been activated.
42. Thank You for Listening
Questions?
LMTE
Cyber Security Special Spring Summit
43. Where every interaction matters.
Risks and new technology
Presented by
Daniel Beazer
Senior Consulting Analyst
20th May 2015
44. Today’s Agenda
▪ Introduction to Peer1
▪ Changing face of risk in IT
▪ Traditional IT vs Agile
▪ A closer look at risk in two areas, one over exaggerated the other under exaggerated
▪ Conclusions for the market
▪ A takeaway slide and Q&A
45. We are not good at assessing risk
“If you both own a gun and a swimming pool in your backyard, the swimming pool is about 100 times more likely to kill a child than the gun is.”
46. Us in a nutshell
We are a global web infrastructure and cloud
hosting company specializing in customized
solutions for eCommerce, SaaS applications and
content publishing.
We use innovative technology to deliver
exceptionally responsive, reliable and secure
hosting experiences – we are obsessed with
customer experience.
Most importantly, we care.
51. IT spend is no longer exclusively with IT
▪ 21% of spend is now outside IT (Gartner CIO Survey Feb 2015)
▪ Mostly in marketing, where predictive analytics and other digital
tools can give enterprises competitive advantage
▪ All C-levels now make IT decisions (eg to buy iPads for sales)
▪ IT struggles to meet this demand
▪ AWS’s Stephen Schmidt ‘we don’t talk to IT’
▪ Many private (and public) clouds have been built and are unused
52. Traditional IT
• Top down command and control, everyone has to live with their
decisions
• Black box: no one outside the function can understand (even less
criticise) what they do
• Not aligned with any positive business objectives, only negative ones
(keeping the lights on, stopping security breaches)
• The customers, ie groups within the business have no choice but
to use what IT offers
• Uses monolithic proprietary applications hosted in house with
strategic vendor, lead times, SLA, all below market
53. Traditional IT project
• Instructions received from another department
• Scope and specifications issued via RFP to vendors
• Plans are for maximum capacity
• Lengthy procurement process
• Monolithic hardware and software
• Long contract periods
• Testing staging and then live
• Up to a year for a new project
54. An agile IT project (On Demand)
• Lead times < 1 hour, no procurement
• Usage based, automated, no contracts
• Open source software (no time to negotiate)
• No longer in house, distributed
• Continuous live development
• Tied to business outcomes
55. Use cases… from a cost of $20mn to $5m and a lead time of a year to three months
58. The security industry
• Generate most of the data in the
industry and create most of the noise
• True 3rd party advice hard to find:
industry analysts and consultants
have no incentive to doubt the
prevailing ethos
• Traditional ‘cleverest man in the room’
and FUD sales tactics
• MO consists of finding more problems
and defects so customers have to
spend more
• $76bn industry (Gartner 2015
estimate) vs Microsoft $86bn, IBM
$92bn
60. The security group in enterprise
Perverse incentives
• Rain dance argument
• The group in the business where
failure is rewarded
• More breaches = more budget if
politics are handled correctly
• Infosec/CISO group has little influence
• Buying a wall and a guard is enough
61. From the Annual Fraud Indicator
▪ 67% of fraud is insider fraud
▪ Of the companies polled not one was able to recover the funds
▪ Online banking fraud £40mn
▪ Plastic card fraud £338mn
▪ Identity fraud £3.3bn
▪ Private sector fraud £15.5bn (40% of total)
62. Risks in the cloud
63. Where we think the risks lie
▪ 27% lack of visibility into who
can access data
▪ 18% lack of confidence in the
cloud providers security abilities
▪ 12% unclear liability if there is
an attack/loss of data
Source: Gartner Survey, December 2014
64. Where the risks really lie
▪ Cloud collapse
- Brittle businesses often go bust (Nirvanix)
- Outages common
- No cover for outages/business risk in contracts
▪ But… many back-up/security advantages (see next slide)
▪ Complacency: security incidents mostly caused by customer usage, eg sloppy code, old OSS, allowing ghost accounts from ex-employees to proliferate
▪ Regulatory breaches: rogue cloud usage, uncontrolled SaaS is universal
Source: Gartner Survey, December 2014
65. ‘Cloud may be more secure than client server’ – Gus Hunt, CTO, CIA
▪ Ability to reimage/remove software and transfer it to another makes it harder to carry out attacks
▪ Organisations can secure end to end using encryption
▪ IT depts find it hard to compete with cloud providers’ scale
▪ Thousands of customers versus one, 100 Gbps vs 100 Mbps of traffic
▪ Benefits of pooled resources, scaled security, DDoS
▪ The more physical the more insecure: paper, USBs (60% are lost containing corporate data)
▪ Poorly maintained legacy equipment proliferates in enterprise
66. Conclusion
▪ Opportunity for the market to drive best practices through genuine third
party advice / consulting
▪ Lower premiums for organisations with lower risk
▪ Test and monitor! … and use the cloud to analyse all that big data
67. Ten questions your cloud provider doesn’t want you to ask
▪ Can you give us your three year availability history?
▪ Can you prove to us you will be in business in three years time?
▪ Can we audit your data centre? Can our auditors?
▪ If your cloud node goes down just before Xmas how much will you pay me?
▪ Can you guarantee performance? How?
▪ Can you walk me through what happens if I suffer a security breach?
▪ Or I decide to leave?
▪ Can you guarantee my data will not remain on your platform once I am gone?