Transcript of Keynote: CODE BLUE in the ICU! by Jeff Moss
Code Blue in the ICU! Thinking about network safety in a public health light
© Jeff Moss – [email protected]
http://chrisharrison.net/
1. Nation States want SECRETS
2. Organized Criminals want MONEY
3. Protesters want ATTENTION
4. Hackers & researchers want KNOWLEDGE
That’s you guys!
Hackers & Researchers point the way!
- Discover new classes of vulnerabilities
- Expose poor product security
- Spur public debate
Criminals and Governments don’t do this. It’s not in their interests.
All these groups need the net to work
Q: What if there is a 5th group that doesn’t?
Denial of service is increasing
[Chart: DDoS in Gigabits per second, 2010 through Sept-14 and beyond (0 to 700 Gbps); labelled points: DNS RAMP SpamHaus, NTP RAMP CloudFlare]
When investing:
Specialize for larger risk / returns
Diversify to reduce risk / returns
We now have clouds of complexity
We have virtual clouds of complexity
The failure modes of Complex systems are impossible to predict
I like the Code Blue press release
“Code Blue is a hospital emergency code that indicates a patient in need of immediate medical attention, or that calls for relevant teams to respond immediately. We named the conference after the code because we hope to save the world by combining people’s knowledge”
http://japandailypress.com/white-hat-hackers-to-gather-at-code-blue-cybersecurity-conference-in-tokyo-1043926/
Public health analogy
• No one thinks they are going to cure cancer
• No administrator thinks they can ever be perfectly secure
• Diseases are “managed”, very few are ever eliminated
• Very few classes of vulnerabilities are ever eliminated
• It is possible to be re-infected
• A new variant of an old vulnerability can re-infect your systems
This is a healthy way of thinking
Perimeter security
Involves: Security department, IT department, Application teams
German artist Babis Cloud has made 'hedonIsM(y) trojaner', an installation of the ancient Greek Trojan horse from computer keyboard buttons.
They are already inside your perimeter
Involves: Security department, Legal department, IT department, Communications, Application teams, Risk Management, Public Relations, Finance, R&D
The year is 2014
• You still can’t send secure email easily
• You can’t have a secure mobile phone call
• Web browsing securely is essentially impossible
• Name resolution is insecure, but getting better
Why? What has failed us?
We are running out of options
1990s
• Consumer Selection
Consumers can’t make informed security product decisions
2000s
• Insurance Pressure
Lack of data prevents the creation of actuarial tables
2010s
• Regulations
Governments are reluctant to regulate the fast moving internet
That leaves us
We must provide leadership and direction where and when we can
We need to help companies do the right thing through education and configuration
“First, Do No Harm” - Auguste François Chomel, 1847
Primum non nocere: “Sometimes it may be better to not do something, or even better to do nothing, than to risk causing more harm than good.”
To me this can be applied to information security when thought of as a public safety issue:
• Do no harm to the trust of users – be open about your policies
• Be honest about the risks of using technology
• Do not let wishful thinking influence your decisions
Community Immunity (Also known as Herd Immunity Theory)
“A form of immunity that occurs when the vaccination of a significant portion of a population provides a measure of protection for individuals who have not developed immunity.”
Three Modes of Immunity
Community Immunity only applies to diseases that are contagious
Disease     Transmission       Immunity threshold
Mumps       Airborne droplet   75 - 86%
Pertussis   Airborne droplet   92 - 94%
Rubella     Airborne droplet   80 - 85%
Smallpox    Social contact     83 - 85%
1. No one is immunized – Contagious disease spreads through the population
   Networks and systems are not maintained – Malware spreads through networks without notice and little to stop them
2. Some of the population gets immunized – Contagious disease spreads through some of the population
   Some networks and systems are not maintained – Malware is sometimes noticed and removed, and spreads through some of the population
3. Most of the population is immunized – Spread of contagious disease is contained
   Most all networks and systems are maintained – Malware is noticed most of the time and removed, actions are taken to protect other systems besides your own.
Firewall as Vaccination?
Vaccinate yourself and others
Can protecting your network and systems with a firewall or router act as a “virtual vaccine”?
Can your network peers get a conferred benefit?
Don’t do anything additional on your network
Don’t go out of your way to monitor your systems
Don’t stay up to date on patches or application updates
Do Nothing or “Not Immunized”
PRO:
• Least expensive option, no training or changes necessary
• Requires no network or application modifications
CON:
• You are part of the problem and possibly causing harm
• There might be legal consequences
Protect your systems and applications, but not those of others
Protect only yourself or “Partially Immunized”
Examples:
• Secure your systems by patching, updating, selecting good software
• Filter spoofed inbound traffic to your network, but not outbound
• Enable DNSSEC validation on your DNS, but do not sign your zones
• Limit spam by checking for SPF records and using DNS blackholes, but not publishing your own SPF records
PRO:
• Lower cost than being fully immunized
• You are better protecting your systems against misuse by others
CON:
• You only take actions that protect your systems – not those of others
• Higher management and configuration overhead
Same as “Partially Immunized” but you take additional actions to protect those around you.
Protect yourself and others or “Fully Immunized”
Examples:
• Prevent source address spoofing from leaving your network
• DNSSEC sign your zone files so others can rely on the data
• Disable recursion on your name servers to limit AMP attacks
• Publish an SPF record to reduce spam by telling other networks about your mail server
PRO:
• You are “conferring an immunity” to some degree to others
• Most beneficial to all users of the internet
• Best security stance for yourself and those around you
CON:
• Most expensive to maintain due to configuration maintenance
• You need better trained staff to stay current on best practices
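As an added illustration (not from the talk) of the spoofing items on the “Partially Immunized” and “Fully Immunized” example lists above, the following Python models a BCP38-style anti-spoofing filter at a network edge: the partial stance drops only inbound packets forging our own prefixes, while the full stance also drops outbound packets forging someone else’s address. The prefixes and packets are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: the prefixes this network announces and is responsible for.
OUR_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("2001:db8:1::/48")]

@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving from the internet) or "out" (leaving our network)
    src: str        # source address as written in the packet header

def is_ours(addr: str) -> bool:
    """True if addr lies inside a prefix we own (cross-family checks are False)."""
    ip = ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)

def filter_packet(pkt: Packet, stance: str) -> str:
    """Return "pass" or "drop" for one packet under a given immunization stance.
    "none":    no filtering at all ("Not Immunized")
    "partial": drop inbound packets that claim one of our own addresses;
               this protects only us ("Partially Immunized")
    "full":    additionally drop outbound packets whose source is not ours,
               so spoofed floods cannot leave our network ("Fully Immunized")
    """
    if stance == "none":
        return "pass"
    if pkt.direction == "in" and is_ours(pkt.src):
        return "drop"  # nothing outside can legitimately carry our address
    if stance == "full" and pkt.direction == "out" and not is_ours(pkt.src):
        return "drop"  # egress filter: forged source leaving the network
    return "pass"

def dropped(packets, stance: str) -> list:
    """Source addresses the stance would drop, in packet order."""
    return [p.src for p in packets if filter_packet(p, stance) == "drop"]

# Constructed sample traffic mixing legitimate and spoofed packets.
SAMPLE = [
    Packet("out", "198.51.100.7"),    # our host sending normally
    Packet("in", "198.51.100.200"),   # inbound packet pretending to be us
    Packet("out", "203.0.113.9"),     # outbound packet forging someone else's address
    Packet("in", "192.0.2.44"),       # ordinary inbound traffic
    Packet("out", "2001:db8:1::10"),  # our IPv6 host sending normally
]

if __name__ == "__main__":
    for stance in ("none", "partial", "full"):
        print(stance, "drops:", dropped(SAMPLE, stance))
```

Only the full stance stops the third packet, which is the one that would harm a victim elsewhere on the internet rather than us.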
DNSSEC is available to the majority of internet users
https://www.dnssec-deployment.org/
What if you don’t own or operate a network?
Donate resources
http://folding.stanford.edu/
Different communities: Companies, Governments, Individuals
Think of the Future
Next Generation technologies are starting to be deployed
Can we use them to help protect ourselves and others?
DNSSEC = You can trust the answers from DNS
DANE = Risk of rogue SSL CAs virtually eliminated
IPv6 = IPSEC support, less NAT, better attribution, future growth
Has thinking about network health in a public safety light helped?