ACM Club Cyber Security Workshop

Source Presentation

This keynote was delivered at the Saint Paul College ACM Club Cyber Security Workshop on Wednesday, April 9, 2014, in the First Floor Auditorium. The workshop ran from 0800 to 1500 CT and framed the modern cybersecurity landscape as a high-stakes arena where well-funded adversaries need only find a single exploitable vulnerability, while defenders must protect everything.

About the Presenter

Matthew J. Harmon served as President of (ISC)2 Twin Cities MN (isc2tc.org), Owner & Security Researcher at IT Risk Limited (itriskltd.com), SANS Instructor and Mentor for Cyber Aces, Organizer of Security B-Sides MSP 2014 (BSidesMSP.org), and United States National Body Liaison Officer & Subject Matter Expert. Certifications: CISSP, GSEC, GCIH, GCIA. Website: matthewjharmon.com.

What Does Cyber War Look Like?

The presentation opened with a series of visualizations of cyber conflict, including live attack maps from map.ipviking.com and cybermap.kaspersky.com. But the reality, Harmon argued, is less cinematic and more mundane – it looks like people at keyboards, quietly exploiting systems.

Adversary Advantage

Our adversaries are massively overcapitalized and have many more resources than we do. They don’t fight for a “security budget” – they have research and development budgets. They have all the time in the world. They only have to find one exploitable vulnerability to pivot from.

State of the Union: The Largest Breaches

The largest breaches at the time of the presentation told a stark story:

  • Adobe (2013): 152 million records
  • Heartland (2008): 130 million payment records
  • Target (2013): 110 million records
  • TJ Maxx (2007): 94 million transactions
  • TRW (1984): 90 million credit reports
  • Sony (2011): 77 million records
  • Card Systems Inc (2005): 40 million
  • Rock You Media (2009): 32 million
  • US Dept of Veterans Affairs: 26 million

They all had anti-virus, firewalls, intrusion detection systems, certifications, multi-million dollar security programs, and security staff – but were still compromised.

The Information Security Community

That’s why Harmon was there representing the information security community. “We are the force multiplier. We learn, we do, we teach. We are changing the state of the industry.”

The Defender’s Advantage

We (should) know our networks and systems better than our adversaries. We set up traps. We set up fake devices. We go on the offensive. The Active Defense Harbinger Distribution (ADHD) was highlighted as one such tool: http://sourceforge.net/projects/adhd/.

Computer Security Careers: Then and Now

The old path into security careers ran through Mac User Groups, Linux User Groups, Windows User Groups, Usenet, Internet Relay Chat, and mailing lists. You started as a Systems Administrator or Network Administrator, then specialized in “security” – which meant configuration management, incident response, policy, or IT Audit. Organizations like ISACA (CISA), (ISC)2 (CISSP), and 2600 Magazine meet-ups were the community anchors.

Now the landscape has expanded dramatically:

  • Degree tracks like those at St Paul College
  • ACM taking on Cyber Security Workshops
  • SANS Institute certification programs
  • International standards through SC 27 “IT Security Techniques”
  • NIST Cyber Security Framework and NIST SP800 Series
  • Very flexible industry with negative 4% unemployment
  • Cross training and cross over in job roles
  • Greater Twin Cities Metro as an innovation sector

Where Do We Go Tomorrow? Resilient Computing & Businesses

  • Degree tracks plus apprenticeships for new professionals – must be nimble in a constantly changing industry and environment
  • Cyber Security Center of Excellence for businesses with locally applicable technical controls
  • Scripted systems administration (hands-off for humans) using Ansible, Puppet, Chef
  • Private Security Intelligence Officers?
  • Silicon Plains? Silicon Lakes?

Community Groups and Specialties

Many groups and specialties exist and must work together: MN-ISSA, (ISC)2 Twin Cities, DC612, ISACA, BCPA, Cloud Security Alliance, HTCIA, HI TECH. Cooperation instead of competition.

Beyond 1’s and 0’s

“You have the most important job in the world… and that job is protecting 1’s and 0’s on the Internet. Or is it?”

The Internet of Things

The scope extends far beyond traditional IT. The presentation highlighted threats to heart pacemakers, insulin pumps, and Bluetooth-based attacks including Bluesnarfing, Bluejacking, and Bluebugging.

Critical Infrastructure

The talk covered threats to critical infrastructure including Zippe-type gas centrifuges with U-238 and U-235 (running TCP/IP over Serial), attacked by Stuxnet, and SCADA systems using 900 MHz backhaul with weak encryption. The sobering conclusion: organizations can be hacked out of business.

Resources

This work is licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License (http://creativecommons.org/licenses/by-nc/3.0/).