I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015


Post on 13-Apr-2017


The Cavalry Isn't Coming

I am The Cavalry
http://iamthecavalry.org
@iamthecavalry

Shouldn't you be also?

Claus Cramon Houmann
Infosec Community Manager @ Peerlyst (a start-up Infosec community/social platform that wants to turn the tables on cyber security)
Infosec Consultant
The Analogies contributor
Twitter: @claushoumann

Idea: Our dependence on technology is growing faster than our ability to secure it

Quote: Josh Corman

Idea: Our society has evolved faster than our laws

Quote: Josh Corman

Idea

But why wait.......

Quote: Josh Corman

Where do we see connectivity now?

In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars

Heartbleed + (UnPatchable) Internet of Things == ___ ?

In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars

Say baby monitors again?

In Our Homes

Source: Rapid7 research/Mark Stanislav: Baby monitors https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf

Vulnerable baby monitors. Baby monitors: Sure, but who's monitoring? Who do we want monitoring?

Then

Source: Wired, http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

But also

Source: FDA.gov, http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm

All Systems Fail*

* Yes; all

Nearly all merchants have been breached.
Nearly all F100 have lost intellectual property and trade secrets.
Acceptable fraud rates
With consequences including flesh & blood, what IS an acceptable failure rate for cars?

Past versus Future

Bolt-On Vs Built-In

www.iamthecavalry.org @iamthecavalry

http://images.sodahead.com/polls/003737595/0f94b51deb8e40f8ba4ffa92da742877_xlarge.jpeg


Everything connected is vulnerable and can/will be hacked

Ouch!

Cars have computers
Computers have security issues
Security issues in cars are safety issues

Safety issues can cost or imperil lives

But they wouldn't hurt you!

Public Infra

I'd prefer that they couldn't hurt me

MURPHY'S LAW PHOTO: http://www.localwineandspirits.com/labels/murphyslaw_front.jpg
BOMB photo: http://tribune.com.pk/story/607940/casualties-four-li-militants-die-in-ied-explosion-in-khyber-agency/

Someone will fix it for us
Chapter 2

A superhero to the rescue! We all love superheroes, right?

Or not..
Chapter 3

Let's create ripples

A DO-ocracy of doers. Where doing starts with empathy.

And by ripples I mean

Ripples interact

Ripples can cause abnormally large waves

Or a tsunami, but tsunamis can change/break a lot of things and are a safety risk, and they create fear

The Point?

Never Doubt that a Small group of thoughtful, committed citizens can change the world; It's the Only thing that ever has.

- Margaret Mead (an American cultural anthropologist)

The Cavalry isn't coming
It falls to us

Problem Statement: Our society is adopting connected technology faster than we are able to secure it.

Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.

Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own

Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass roots initiative
What: Long-term vision for cyber safety

Medical
Automotive
Connected Home
Public Infrastructure

I Am The Cavalry

Connections and Ongoing Collaborations

5-Star Framework

5-Star Capabilities
Safety by Design: Anticipate failure and plan mitigation
Third-Party Collaboration: Engage willing allies
Evidence Capture: Observe and learn from failure
Security Updates: Respond quickly to issues discovered
Segmentation & Isolation: Prevent cascading failure

Addressing Automotive Cyber Systems

Automotive Engineers
Security Researchers
Policy Makers
Insurance Analysts
Accident Investigators
Standards Organizations

https://www.iamthecavalry.org/auto/5star/

Security researchers are also working on the issue, in our shared domain.
Goal: More informed decision-making, not supplant their judgment with ours

5-Star Cyber Safety

Formal Capacities | Plain Speak
Safety By Design | Avoid Failure
Third Party Collaboration | Engage Allies To Avoid Failure
Evidence Capture | Learn From Failure
Security Updates | Respond to Failure
Segmentation and Isolation | Isolate Failure

https://www.iamthecavalry.org/domains/automotive/5star/

Safety by Design

1) Safety By Design

Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?

The public is informed and assured of your commitment to safety when you publish the extent to which you ensure that software is reasonably free of flaws. The goal is to convey confidence to the general public and to allow consumers to make informed choices among market alternatives. Software manufacturers, such as Microsoft and others, make this attestation and could serve as a model for automakers.

Key Elements:

Standard Based: Use of vetted ISO, NIST, or Industry standards would both accelerate an organization's maturity and ensure more predictable, normalized, comprehensive practices.

Supply Chain Rigor: Well-governed, traceable hardware & software supply chains enable more defensible products and more agile remediation times, especially amidst variable quality, security, and provenance.

Reduction of Elective Attack Surface & Complexity: There are relationships between security and: complexity, interfaces, attack surfaces, code flaws per thousand lines of code, etc. As such, more secure designs seek to minimize these types of exposure.

Independent, Adversarial Resilience Testing: Adversarial testing should be carried out by qualified individuals, independent of those who designed and implemented the code. These individuals can be internal resources under a different organizational branch or third-parties.

1) Safety By Design


http://www.microsoft.com/en-us/sdl/video/default.aspx


2) Third Party Collaboration

Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?

A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers. Researchers are invited to contribute to automotive safety as willing allies to help discover and address flaws before adversaries and accidents can impact vehicle safety. Such coordinated exchanges are more positive, productive, and impactful than other alternatives. Your attestation serves as a commitment and a protocol for teaming.

Key Elements:

Standard Based: Use of vetted ISO standards for vendor side disclosure practice and for internal vulnerability handling (ISO 29147 and ISO 30111) accelerates an organization's maturity and ensures predictable, normalized interfaces to researchers and facilitators.

Positive Incentives: Positive Recognition & Reward systems can further encourage and stimulate participation in bug reporting. Several prominent Hackathon, Hall of Fame, and Bug Bounty programs have proven successful and continue to drive iterative improvements. Exemplars can be provided.

Known Interfaces: Independent vulnerability disclosure coordinators have normalized the interfaces between affected manufacturers and third-party researchers. These include non-profit organizations, bug bounty companies and government agencies. This too can support both greater efficiency and greater participation.

2) Third Party Collaboration

http://www.k9tec.com/wp-content/uploads/2011/10/beware-of-dog-shepherd.jpg Vs https://img1.etsystatic.com/046/0/8940891/il_214x170.676543507_88cr.jpg


3) Evidence Capture

Do your vehicle systems provide tamper evident, forensically-sound logging and evidence capture to facilitate safety investigations?

Safety investigations drive substantial improvements, and records of electronic systems operations give visibility into root causes that may otherwise be opaque. These records can plainly show sources of error, be they malfunctions, design defects, human error or deliberate attack. Those waiting for proof of hacking or electronic sabotage will not find evidence without such logging and evidence collection in place. This capability will require more effort, over time, than others on this list, but it is foundational for improving safety in the long-term, so starting now will help us achieve this goal.

Key Elements:

Logging and Legal Standards: Lowest Common denominator syntax and verbosity would increase the value within a manufacturer and across the industry. Also, conforming to existing legal standards of care around cyber forensics would be prudent (e.g. for chain of evidence).

Improve effectiveness of NHTSA: The National Highway Transportation Safety Administration (NHTSA) investigates automobile safety issues. In the absence of a black box capability as in airplanes, these investigations lack full visibility into potential causes of safety issues. Collecting and retaining data as recommended will facilitate their investigations and improve their ability to perform causal analyses.

Privacy Sensitivity: The universal benefits/subset of features of a black box as outlined here can meet its intended functions without requiring privacy and surveillance infractions of citizens across the complexities of various states/countries/jurisdictions. Debates over the capture of data like GPS movement tracking or other recordings of citizens can be decoupled from safety to avoid unnecessary entanglement.
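One way to make an event log tamper evident while leaving privacy-sensitive fields out is an HMAC hash chain. This is an added example, not part of the original slides or the 5-Star Framework; the record layout, the privacy field list, the key and the sample events are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: fields treated as privacy-sensitive and kept out of the safety log.
PRIVACY_FIELDS = {"gps", "cabin_audio"}
GENESIS = b"\x00" * 32
KEY = b"constructed-demo-key"  # constructed; a real unit would protect this key
EVENTS = [  # constructed sample events
    {"t": 1000, "ecu": "brake", "event": "abs_engaged"},
    {"t": 1001, "ecu": "telematics", "event": "fw_update_start", "gps": "0,0"},
    {"t": 1002, "ecu": "gateway", "event": "diag_session_open"},
]

def _mac(key, prev_mac, body):
    # Canonical JSON so the same record always serialises to the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac + data, hashlib.sha256).digest()

def append(log, key, event):
    """Append an event, chaining its MAC to the previous record's MAC."""
    body = {k: v for k, v in event.items() if k not in PRIVACY_FIELDS}
    body["seq"] = len(log)
    prev = bytes.fromhex(log[-1]["mac"]) if log else GENESIS
    log.append({"body": body, "mac": _mac(key, prev, body).hex()})
    return log[-1]["mac"]  # head value, to be anchored outside the logging unit

def verify(log, key, head=None):
    """Return None if intact, else the index of the first bad or missing record."""
    prev = GENESIS
    for i, rec in enumerate(log):
        expected = _mac(key, prev, rec["body"])
        if rec["body"].get("seq") != i or not hmac.compare_digest(
            expected, bytes.fromhex(rec["mac"])
        ):
            return i
        prev = expected
    if head is not None and prev.hex() != head:
        return len(log)  # tail was truncated relative to the anchored head
    return None

def build_demo_log():
    log, head = [], None
    for e in EVENTS:
        head = append(log, KEY, e)
    return log, head
```

Without the externally stored head value, removal of the most recent records leaves a chain that still verifies, so the head has to live somewhere the logging unit cannot rewrite.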

3) Evidence Capture


https://anthrograph.files.wordpress.com/2012/04/blackbox1.jpg
