Cybersecurity for Research Software
Angelica Harris | Manager, Cybersecurity | CANARIE
We are witnesses to evolution…
…advancements in software and networking
…and developers of research software. (You, not me.)
Overcoming Cognitive Biases
Cognitive biases are limitations in our brain's ability to process information, which can cause illogical decision making and poor judgment.
canarie.ca | @canarie_inc
What does this have to do with cybersecurity?
> A successful cybersecurity program requires all employees to be on the same page and requires support and acceptance.
> Preventing breaches requires changing behaviour and reducing the number of opportunities for people to make mistakes.
It's a human problem.
When bad things happen…
Confidentiality, Integrity, Availability
> NRC Chinese hack (CNE) costing Canadians 100s of millions of dollars
• http://www.theglobeandmail.com/news/national/federal-documents-say-2014-china-hack-cost-hundreds-of-millions-of-dollars/article34485219/
> Other documented cases
• https://github.com/trustedci/OSCRP/blob/master/OSCRP.md
• Embargoed data released
• Research grants and academic prizes lost to stolen results
• Science instrument impairment and opportunities forever lost
Cyber Kill Chain
Source: darkreading.com; the "kill chain" was first articulated by Lockheed Martin
"…the only real way to achieve sound defensive security is through an offensive mindset and approach."
– Kali Linux Blog, Offensive Security
Why not become an ethical hacker?
Hacking tools:
https://kali.org
https://www.offensive-security.com/
https://codingsec.net/category/ethical-hacking-tutorials/
https://github.com/secfigo/Awesome-Fuzzing
https://github.com/dloss/python-pentest-tools
https://www.metasploit.com/
https://www.hex-rays.com/index.shtml
Monster Mitigation
Top 25 Most Dangerous Software Errors
Source: Common Weakness Enumeration (http://cwe.mitre.org/index.html)
Canada and Cybersecurity
> Canada's Cyber Security Strategy
• https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-scrt-strtgy/index-en.aspx
> Canadian Cyber Incident Response Centre
• https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/ccirc-ccric-en.aspx
> Canadian Cyber Threat Exchange
• https://cctx.ca
> Communications Security Establishment ITS Advice and Guidance
• https://www.cse-cst.gc.ca/en/group-groupe/its-advice-and-guidance
[Chart: attack sophistication over time, 2010 to 2013]
2010 | Duration: 3 days | 4 attack vectors | Attack target: Visa, Mastercard
2011 | Duration: 3 days | 5 attack vectors | Attack target: HKEX
2012 | Duration: 20 days | 7+ attack vectors | Attack target: Vatican
2013 | Duration: 7 months | Multiple attack vectors | Attack target: US banks
Appendix
> Monster Mitigation List
• http://cwe.mitre.org/top25
> Open Web Application Security Project (OWASP)
• https://www.owasp.org/index.php/Main_Page
> Microsoft
• https://www.microsoft.com/en-us/SDL
> Static and Dynamic Analysis Tools
• https://www.owasp.org/index.php/Source_Code_Analysis_Tools
• https://en.wikipedia.org/wiki/Dynamic_program_analysis
> Other Links
• http://www.itsecurityguru.org/2016/06/23/10-steps-to-addressing-the-human-vulnerability-in-cybersecurity/
• https://dsimg.ubm-us.net/envelope/385633/510213/DR16_1611055__EditReport_Dec13_SecAppDev_Sponsored-CloudPassage_FINAL.pdf
Thank you! Questions?