I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
•Download as PPTX, PDF•
0 likes•448 views
I gave this I am the Cavalry intro in Dublin at SourceConf Reboot 2015
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (17)
Similar to I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
Similar to I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015 (20)
More from Claus Cramon Houmann
Recently uploaded
Recently uploaded (20)
I am the Cavalry (The Cavalry Is Us) Sourceconf September 2015
- 1. I AM THE CAVALRY http://iamthecavalry.org @iamthecavalry SHOULDN’T YOU BE ALSO?
- 2. CLAUS CRAMON HOUMANN Infosec Community Manager @ Peerlyst (A start-up Infosec community/Social platform that wants to turn the tables on cyber security) Infosec Consultant The Analogies contributor Twitter: @claushoumann
- 3. IDEA “Our dependence on technology is growing faster than our ability to secure it”
- 4. IDEA “Our society has evolved faster than our laws”
- 6. WHERE DO WE SEE CONNECTIVITY NOW? In Our Bodies In Our Homes In Our InfrastructureIn Our Cars
- 7. HEARTBLEED + (UNPATCHABLE) INTERNET OF THINGS == ___ ? In Our Bodies In Our Homes In Our InfrastructureIn Our Cars
- 8. SAY BABY MONITORS AGAIN? In Our Homes Source: Rapid7 research/Mark Stanislav: Baby monitors https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-
- 9. THEN
- 10. BUT ALSO
- 11. ALL SYSTEMS FAIL* * Yes; all
- 12. www.iamthecavalry.org @iamthecavalry Past versus Future Bolt-On Vs Built-In
- 13. EVERYTHING CONNECTED IS VULNERABLE AND CAN/WILL BE HACKED Ouch!
- 14. Cars have computers Computers have security issues Security issues in cars are safety issues Safety issues can cost or imperil lives
- 15. “BUT THEY WOULDN’T HURT YOU!” Public Infra “I’d prefer that they couldn’t hurt me…”
- 16. SOMEONE WILL FIX IT FOR US Chapter 2
- 20. A DO-OCRACY OF DO’ERS. W H ER E D OIN G STARTS W ITH EMPATHY And by ripples I mean
- 24. The Point?
- 25. NEVER DOUBT THAT A SMALL GROUP OF THOUGHTFUL, COMMITTED CITIZENS CAN CHANGE THE WORLD; IT’S THE ONLY THING THAT EVER HAS. - MAR GAR ET MEAD ( A N A M E R I C A N C U LT U R A L A N T H R O P O L O G I S T )
- 26. •The The Cavalry isn’t coming… It falls to us Problem Statement Our society is adopting connected technology faster than we are able to secure it. Mission Statement To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust. Collecting existing research, researchers, and resources Connecting researchers with each other, industry, media, policy, and legal Collaborating across a broad range of backgrounds, interests, and skillsets Catalyzing positive action sooner than it would have happened on its own Why Trust, public safety, human life How Education, outreach, research Who Infosec research community Who Global, grass roots initiative WhatLong-term vision for cyber safety Medical Automotive Connected Home Public Infrastructure I Am The Cavalry
- 27. Connections and Ongoing Collaborations 5-Star Framework 5-Star Capabilities Safety by Design – Anticipate failure and plan mitigation Third-Party Collaboration – Engage willing allies Evidence Capture – Observe and learn from failure Security Updates – Respond quickly to issues discovered Segmentation & Isolation – Prevent cascading failure Addressing Automotive Cyber Systems Automotive Engineers Security Researchers Policy Makers Insurance Analysts Accident Investigators Standards Organizations https://www.iamthecavalry.org/auto/5star/
- 28. www.iamthecavalry.org @iamthecavalry 5-Star Cyber Safety Formal Capacities 1. Safety By Design 2. Third Party Collaboration 3. Evidence Capture 4. Security Updates 5. Segmentation and Isolation Plain Speak 1. Avoid Failure 2. Engage Allies To Avoid Failure 3. Learn From Failure 4. Respond to Failure 5. Isolate Failure
- 29. www.iamthecavalry.org @iamthecavalry Highlights from the past year • Atlantic Council workshop and paper1 • FDA Pre-Market Guidance and Workshop2 • IEEE Workshop • Embraced by healthcare community conferences • Atlantic Council Cyber Wednesday3 • Vulnerability Disclosure Policies • Vulnerability Disclosure Brainstorming and Education with FDA • Safety Communications BEFORE evidence of harm 1http://www.atlanticcouncil.org/publications/reports/the-healthcare-internet-of-things-rewards-and-risks 2http://www.fda.gov/MedicalDevices/NewsEvents/WorkshopsConferences/ucm412979.htm 3http://www.atlanticcouncil.org/events/webcasts/cyber-risk-wednesday-the-healthcare-internet-of-things-rewards-and-risks With FDA as a key partner
- 30. www.iamthecavalry.org @iamthecavalry And! • Dräger on board with I am the Cavalry as first medical device producer working directly in sync with us • Their Product Security Manager is even directly involved now
- 31. 5 STARS 5 star ICS 5 star IoT 5 star medical devices
- 32. AND MORE IN OTHER AREAS COMING We try to connect researchers to 1. Lawmakers to inform of meaningful changes to laws to enforce secure by default 2. Vendors/producers to inform of secure ways to build securely by design and of identified vulnerabilities 3. Purchasers of devices (example: Pacemakers, car distributors) to explain to them why they need to contractually demand security – if there is demand vendors will supply
- 33. WHAT YOU CAN DO Chapter 5
- 34. CONNECTIONS/CONNECTORS WANTED Breakers and Builders Legal and Policy Citizens, Connectors Parents/Guardians Community Leaders/Bloggers/Podcasters/etc.
- 35. MOUNT UP AND BE THE CAVALRY YOU DON’T ACTUALY NEED A HORSE
Editor's Notes
- Quote: Josh Corman
- Quote: Josh Corman
- Quote: Josh Corman
- https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf –vulnerable baby monitors Baby monitors: Sure, but who’s monitoring? Who do we want monitoring?
- Source Wired: http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
- Source FDA.gov http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
- Nearly all merchants have been breached. Nearly all F100 have lost intellectual property and trade secrets. Acceptable fraud rates… With consequences including flesh & blood… what IS an acceptable failure rate for cars?
- http://images.sodahead.com/polls/003737595/0f94b51deb8e40f8ba4ffa92da742877_xlarge.jpeg
- MURPHY’S LAW PHOTO: http://www.localwineandspirits.com/labels/murphyslaw_front.jpg BOMB photo: http://tribune.com.pk/story/607940/casualties-four-li-militants-die-in-ied-explosion-in-khyber-agency/
- A superhero to the rescue! We all love superheroes, right?
- Ripples interact
- Ripples can cause abnormally large waves
- Or a tsunami – but tsunami’s can change/break a lot of things and are a safety risk, and they create fear
- Security researchers are also working on the issue, in our shared domain. Goal: More informed decision-making, not supplant their judgment with ours
- https://www.iamthecavalry.org/domains/automotive/5star/ ★ Safety by Design
- https://www.iamthecavalry.org/domains/automotive/5star/ ★ Safety by Design Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain? The public is informed and assured of your commitment to safety when you publish the extent to which you ensure that software is reasonably free of flaws. The goal is to convey confidence to the general public and to allow consumers to make informed choices among market alternatives. Software manufacturers, such as Microsoft and others, make this attestation and could serve as a model for automakers. Key Elements: Standard Based: Use of vetted ISO, NIST, or Industry standards would both accelerate an organization’s maturity and ensure more predictable, normalized, comprehensive practices. Supply Chain Rigor: Well-governed, traceable hardware & software supply chains enable more defensible products and more agile remediation times – especially amidst variable quality, security, and provenance. Reduction of Elective Attack Surface & Complexity: There are relationships between security and: complexity, interfaces, attack surfaces, code flaws per thousand lines of code, etc. As such, more secure designs seek to minimize these types of exposure. Independent, Adversarial Resilience Testing: Adversarial testing should be carried out by qualified individuals, independent of those who designed and implemented the code. These individuals can be internal resources under a different organizational branch or third-parties.
- http://www.microsoft.com/en-us/sdl/video/default.aspx https://www.iamthecavalry.org/domains/automotive/5star/ ★ Safety by Design Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain? The public is informed and assured of your commitment to safety when you publish the extent to which you ensure that software is reasonably free of flaws. The goal is to convey confidence to the general public and to allow consumers to make informed choices among market alternatives. Software manufacturers, such as Microsoft and others, make this attestation and could serve as a model for automakers. Key Elements: Standard Based: Use of vetted ISO, NIST, or Industry standards would both accelerate an organization’s maturity and ensure more predictable, normalized, comprehensive practices. Supply Chain Rigor: Well-governed, traceable hardware & software supply chains enable more defensible products and more agile remediation times – especially amidst variable quality, security, and provenance. Reduction of Elective Attack Surface & Complexity: There are relationships between security and: complexity, interfaces, attack surfaces, code flaws per thousand lines of code, etc. As such, more secure designs seek to minimize these types of exposure. Independent, Adversarial Resilience Testing: Adversarial testing should be carried out by qualified individuals, independent of those who designed and implemented the code. These individuals can be internal resources under a different organizational branch or third-parties.
- https://www.iamthecavalry.org/domains/automotive/5star/ ★ Third Party Collaboration Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith? A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers. Researchers are invited to contribute to automotive safety as willing allies to help discover and address flaws before adversaries and accidents can impact vehicle safety. Such coordinated exchanges are more positive, productive, and impactful than other alternatives. Your attestation serves as a commitment and a protocol for teaming. Key Elements: Standard Based: Use of vetted ISO standards for vendor side disclosure practice and for internal vulnerability handling (ISO 29147 and ISO 30111) accelerate an organization’s maturity and ensure predictable, normalized interfaces to researchers and facilitators. Positive Incentives: Positive “Recognition & Reward” systems can further encourage and stimulate participation in bug reporting. Several prominent “Hackathon,” “Hall of Fame,” and “Bug Bounty” programs have proven successful and continue to drive iterative improvements. Exemplars can be provided. Known Interfaces: Independent vulnerability disclosure coordinators have normalized the interfaces between affected manufacturers and third-party researchers. These include non-profits organizations, bug bounty companies and government agencies. This too can support both greater efficiency and greater participation.
- http://www.k9tec.com/wp-content/uploads/2011/10/beware-of-dog-shepherd.jpg Vs https://img1.etsystatic.com/046/0/8940891/il_214x170.676543507_88cr.jpg https://www.iamthecavalry.org/domains/automotive/5star/ ★ Third Party Collaboration Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith? A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers. Researchers are invited to contribute to automotive safety as willing allies to help discover and address flaws before adversaries and accidents can impact vehicle safety. Such coordinated exchanges are more positive, productive, and impactful than other alternatives. Your attestation serves as a commitment and a protocol for teaming. Key Elements: Standard Based: Use of vetted ISO standards for vendor side disclosure practice and for internal vulnerability handling (ISO 29147 and ISO 30111) accelerate an organization’s maturity and ensure predictable, normalized interfaces to researchers and facilitators. Positive Incentives: Positive “Recognition & Reward” systems can further encourage and stimulate participation in bug reporting. Several prominent “Hackathon,” “Hall of Fame,” and “Bug Bounty” programs have proven successful and continue to drive iterative improvements. Exemplars can be provided. Known Interfaces: Independent vulnerability disclosure coordinators have normalized the interfaces between affected manufacturers and third-party researchers. These include non-profits organizations, bug bounty companies and government agencies. This too can support both greater efficiency and greater participation.
- https://www.iamthecavalry.org/domains/automotive/5star/ ★ Evidence Capture Do your vehicle systems provide tamper evident, forensically-sound logging and evidence capture to facilitate safety investigations? Safety investigations drive substantial improvements, and records of electronic systems operations give visibility into root causes that may otherwise be opaque. These records can plainly show sources of error, be they malfunctions, design defects, human error or deliberate attack. Those waiting for proof of hacking or electronic sabotage will not find evidence without such logging and evidence collection in place. This capability will require more effort, over time, than others on this list, but it is foundational for improving safety in the long-term so starting now will help us achieve this goal. Key Elements: Logging and Legal Standards: Lowest Common denominator syntax and verbosity would increase the value within a manufacturer and across the industry. Also, conforming to existing legal standards of care around cyber forensics would be prudent (e.g. for chain of evidence). Improve effectiveness of NHTSA: The National Highway Transportation Safety Administration (NHTSA) investigates automobile safety issues. In the absence of a “black box” capability as in airplanes, these investigations lack full visibility into potential causes of safety issues. Collecting and retaining data as recommended will facilitate their investigations and improve their ability to perform causal analyses. Privacy Sensitivity: The universal benefits/subset of features of a “black box” as outlined here can meet its intended functions without requiring privacy and surveillance infractions of citizens across the complexities of various states/countries/jurisdictions. Debates over the capture of data like GPS movement tracking or other recordings of citizens can be decoupled from safety to avoid unnecessary entanglement.
- https://anthrograph.files.wordpress.com/2012/04/blackbox1.jpg https://www.iamthecavalry.org/domains/automotive/5star/ ★ Evidence Capture Do your vehicle systems provide tamper evident, forensically-sound logging and evidence capture to facilitate safety investigations? Safety investigations drive substantial improvements, and records of electronic systems operations give visibility into root causes that may otherwise be opaque. These records can plainly show sources of error, be they malfunctions, design defects, human error or deliberate attack. Those waiting for proof of hacking or electronic sabotage will not find evidence without such logging and evidence collection in place. This capability will require more effort, over time, than others on this list, but it is foundational for improving safety in the long-term so starting now will help us achieve this goal. Key Elements: Logging and Legal Standards: Lowest Common denominator syntax and verbosity would increase the value within a manufacturer and across the industry. Also, conforming to existing legal standards of care around cyber forensics would be prudent (e.g. for chain of evidence). Improve effectiveness of NHTSA: The National Highway Transportation Safety Administration (NHTSA) investigates automobile safety issues. In the absence of a “black box” capability as in airplanes, these investigations lack full visibility into potential causes of safety issues. Collecting and retaining data as recommended will facilitate their investigations and improve their ability to perform causal analyses. Privacy Sensitivity: The universal benefits/subset of features of a “black box” as outlined here can meet its intended functions without requiring privacy and surveillance infractions of citizens across the complexities of various states/countries/jurisdictions. Debates over the capture of data like GPS movement tracking or other recordings of citizens can be decoupled from safety to avoid unnecessary entanglement.
- https://www.iamthecavalry.org/domains/automotive/5star/ ★ Security Updates Can your vehicles be securely updated in a prompt and agile manner? Security and functionality flaws require the ability to be remediated in a prompt, reliable, secure manner. If emergent security issues cannot be remediated quickly and easily, the window of exposure is increased and the cost of recall, repair, and restitution will grow significantly. The recent HeartBleed flaw put hundreds of thousands of devices at risk. Without the ability to update software in the field, similar flaws in automobiles would require carmakers to undertake a costly factory recall or accept the associated consequences of perpetual, critical security issues. Key Elements: Secure Updating System: While updating is a necessary capability, an insecure update design could facilitate adversaries or trigger accidents. Authenticity and quality verification preserves the integrity of the updates and leads to a safer mechanism that can prevent digital tampering or unexpected failures. Service Level Agreements (SLA): While it is critical to be able to update a vulnerable system, valuable aspects like Mean Time To Repair (MTTR) will vary amongst manufacturers. Those who commit to a faster delivery and/or a higher standard of quality will better ensure safety. Robust Notification/Communication: Public communication should be transparent and forthright. Decades of experience in the software industry have taught that the best way to ensure security and safety are: notification of when and where flaws exist, their severity, contents of the update, and clear instructions.
- https://www.iamthecavalry.org/domains/automotive/5star/ ★ Security Updates Can your vehicles be securely updated in a prompt and agile manner? Security and functionality flaws require the ability to be remediated in a prompt, reliable, secure manner. If emergent security issues cannot be remediated quickly and easily, the window of exposure is increased and the cost of recall, repair, and restitution will grow significantly. The recent HeartBleed flaw put hundreds of thousands of devices at risk. Without the ability to update software in the field, similar flaws in automobiles would require carmakers to undertake a costly factory recall or accept the associated consequences of perpetual, critical security issues. Key Elements: Secure Updating System: While updating is a necessary capability, an insecure update design could facilitate adversaries or trigger accidents. Authenticity and quality verification preserves the integrity of the updates and leads to a safer mechanism that can prevent digital tampering or unexpected failures. Service Level Agreements (SLA): While it is critical to be able to update a vulnerable system, valuable aspects like Mean Time To Repair (MTTR) will vary amongst manufacturers. Those who commit to a faster delivery and/or a higher standard of quality will better ensure safety. Robust Notification/Communication: Public communication should be transparent and forthright. Decades of experience in the software industry have taught that the best way to ensure security and safety are: notification of when and where flaws exist, their severity, contents of the update, and clear instructions.
- https://www.iamthecavalry.org/domains/automotive/5star/ ★ Segmentation and Isolation Do you have a published attestation of the physical and logical isolation measures you have implemented to separate critical systems from non-critical systems? If systems share the same memory, computing, and/or circuitry (as most current generation cars do), these systems allow for loss of life and limb. Such risks are entirely avoidable and merit a higher standard of care. For instance, a malicious InfoTainment application or a compromise over Bluetooth or wireless should never have the ability to take control over critical functions such as disabling the brakes, deploying airbags, or turning the steering wheel. Hacking the InfoTainment system should never cause an accident. Key Elements: “Air Gaps”: Physical separation is the only way to ensure that non-critical systems can not adversely impact primary, operational, and safety systems (e.g. Hacking the stereo can never cause a crash). While some manufacturers are planning, discussing, or implementing logical isolation techniques, methods to circumvent these measures are routinely discovered and demonstrated. System Integrity/Recovery: Techniques exist to indicate when a system has been compromised. Earlier detection can reduce the total duration and extent of the compromise as well as catalyze remediation. In some cases, a “fail safe” or “safe mode” can be an automatic fallback safety mechanism. Any choices should be scrutinized with experienced adversary/threat analysis as they may introduce new attack or denial of service opportunities. Enhanced Assurance: Given the potential for harm, a higher rigor and level of assurance is merited. Third-party review and validation of architecture, implementation, and adversary resilience testing can raise confidence. Similarly, Operating System choices such as Mandatory Access Control (MAC) architectures reduce risk. “Formal Methods” of engineering and more secure protocols merit consideration. Evaluation examples may be instructive (e.g. “Common Criteria EAL 5+”).
- http://www.bluebird-electric.net/submarines/submarine_pictures/skipjack_class_submarine_drawing_scorpion.gif https://www.iamthecavalry.org/domains/automotive/5star/ ★ Segmentation and Isolation Do you have a published attestation of the physical and logical isolation measures you have implemented to separate critical systems from non-critical systems? If systems share the same memory, computing, and/or circuitry (as most current generation cars do), these systems allow for loss of life and limb. Such risks are entirely avoidable and merit a higher standard of care. For instance, a malicious InfoTainment application or a compromise over Bluetooth or wireless should never have the ability to take control over critical functions such as disabling the brakes, deploying airbags, or turning the steering wheel. Hacking the InfoTainment system should never cause an accident. Key Elements: “Air Gaps”: Physical separation is the only way to ensure that non-critical systems can not adversely impact primary, operational, and safety systems (e.g. Hacking the stereo can never cause a crash). While some manufacturers are planning, discussing, or implementing logical isolation techniques, methods to circumvent these measures are routinely discovered and demonstrated. System Integrity/Recovery: Techniques exist to indicate when a system has been compromised. Earlier detection can reduce the total duration and extent of the compromise as well as catalyze remediation. In some cases, a “fail safe” or “safe mode” can be an automatic fallback safety mechanism. Any choices should be scrutinized with experienced adversary/threat analysis as they may introduce new attack or denial of service opportunities. Enhanced Assurance: Given the potential for harm, a higher rigor and level of assurance is merited. Third-party review and validation of architecture, implementation, and adversary resilience testing can raise confidence. Similarly, Operating System choices such as Mandatory Access Control (MAC) architectures reduce risk. “Formal Methods” of engineering and more secure protocols merit consideration. Evaluation examples may be instructive (e.g. “Common Criteria EAL 5+”).
- Conferences HIMSS Conference HIMSS Events Poland gov’t NH-ISAC/SANS in May FDA issued Safety Comm about Hospira pump PCA3 and PCA 5 as well, and we also issued a more generic one back in June 2013 that was not product specific. The key difference with this one is that this is the first time we strongly encouraged discontinued use of the device due to the cyber concerns.