Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cybersecurity Research Challenges

Published byFriedrich Heintze Modified over 6 years ago

Similar presentations

Presentation on theme: "Cybersecurity Research Challenges"— Presentation transcript:

1 Cybersecurity Research Challenges
Jeannette M. Wing Assistant Director Computer and Information Science and Engineering Directorate National Science Foundation and President’s Professor of Computer Science Carnegie Mellon University Cybersecurity Summit, Crystal City, VA May 8, 2008

2 Outline The Setting: Then and Now What’s Missing Long-term outlook
Big picture 5 new research areas Cybersecurity Jeannette M. Wing

3 The Setting: Then and Now
We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable—to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb. 1991 Computers at Risk, National Academies CSTB Study, p. 7. 8 networked systems 1999 Trust in Cyberspace, CSTB Study. 8 ubiquity 2001 September 11 everywhere, everyone, all the time, embedded, invisible, visible, mobile, wearable, handheld, remote, peta, tera, giga, mini, micro, nano, good guys, bad guys 2007 Improving Cybersecurity for the 21st Century, CSTB Study. Cybersecurity Jeannette M. Wing

4 Cybersecurity Jeannette M. Wing Credit: NCO/NITRD
Credit: U.S. Department of Homeland Security Credit: NCO/NITRD Cybersecurity Jeannette M. Wing

5 What’s Missing in Our Thinking
Be proactive, not reactive. We are using yesterday’s solutions to address today’s threats. We should be ready today for tomorrow’s threats. We are not. Anticipate the future. Long-term outlook Big picture view Foundational research Cybersecurity Jeannette M. Wing

6 Long-Term Outlook: Who and Why
Threats Today: hackers, criminals Tomorrow: organized crime, terrorists, nation-state, enemy state Motivation Today: fame, money Tomorrow: power, control Attacks Use cyberattack as an amplifier of a physical attack Cyberspace is an enabler Attack the Internet More likely as we put more key functionality on-line Use cyberspace to hide Today (2008) Cybersecurity Jeannette M. Wing

7 Long-Term Outlook: How
Today: code-level vulnerabilities Flaws in the code Tomorrow: component-level vulnerabilities Flaws in the design module, system, application, service, … aka interface mismatch, composition flaws, feature interaction, … Simple examples of design-level flaws - Netscape browser and Domain Name Server spoofing attack, Princeton [DFW96] - Google Desktop Search and Java applets, Rice [NFW04] - Microsoft Outlook and IE settings, Microsoft Research and Carnegie Mellon [PW05] Cybersecurity Jeannette M. Wing

8 Big Picture: It’s not just security
Cyber Security and Information Assurance Big Picture: It’s not just security Trustworthy systems Security Reliability Privacy Usability people hardware program prog. lang. O/S compiler system arch. application service High Confidence Systems Holistic view Technical: The whole stack  Non-Technical Psychology and human behavior - Usable security - Social engineering attacks - Privacy - Insider threat - Attacker’s motivation Economics, risk management, law, politics Cybersecurity Jeannette M. Wing

9 Cybersecurity Jeannette M. Wing Credit: NCO/NITRD

10 What’s Missing? 5. Usability 1.Foundations 2. Software security
4. Privacy 3. Metrics 2. Software security 2. Composability 5. Usability What’s Missing? Cybersecurity Jeannette M. Wing Credit: NCO/NITRD

11 1. Foundations New models, logics, and theories for analyzing and reasoning about Security Reliability Privacy Usability Crypto for quantum Cybersecurity Jeannette M. Wing

12 Foundations: Security Models
Yesterday: Security Perimeter - Bell-LaPadula model, Orange Book - Lampson’s access rights matrix - Secure O/S kernel Egeskov Slot, Denmark (1554) Today: “Security Without Borders” Spread of Code Red Worm 2001 drawbridge moat Where’s the perimeter? What do you try to protect? Cybersecurity Jeannette M. Wing

13 Foundations: Logics for Reasoning About Privacy
Do you read these? What are they saying? Can you trust them? This privacy statement goes on for seven screenfuls! Cybersecurity Credit: Microsoft Jeannette M. Wing

14 Foundations: Cryptography
Quantum/traditional cryptography immune to quantum-based attacks Traditional cryptography based on RSA is breakable by Shor’s quantum algorithm Credit: Oxford University Cybersecurity Jeannette M. Wing

15 2. Security Architectures
What we have Point solutions to point problems, e.g., Code-level solutions buffer overruns Firewalls for intrusion detection What we need Integration of solutions Up and down the vertical stack, from hardware to appl’ns. At each layer, e.g., routers and links at the network layer Compositionality of components and services Cybersecurity Jeannette M. Wing

16 Composition of Components and of Security Policies
Global Security Policy (GSP) Consider more simply, SPA  SPB: SPA  SPB  GSP SPA  SPB  SPA and SPA  SPB  SPB ? Local Security Policy (SPA) Local Security Policy (SPB) || Consider the composition A || B: A || B GSP A || B SPA and A || B SPB ? Component A Component B Cybersecurity Jeannette M. Wing

17 Google Desktop Search Google Desktop Search results
results Cybersecurity Jeannette M. Wing Credit: Google

18 Netscape and Domain Name Server
Give me an IP address for user.foo.com browser DNS server Here is one: Names to IP addresses mapping user.foo.com [ , , ] user.bar.com [ , ] Cybersecurity Jeannette M. Wing

19 3. Security Metrics Challenge #3:
Computing Research Associates Grand Challenges on Trustworthy Computing, November 16-18, Challenge #3: Within 10 years, develop quantitative information-systems risk management that is at least as good as quantitative financial risk management. Cybersecurity Jeannette M. Wing

20 Measuring the Relative Attack Surface
Windows NT 4 Windows 2000 Windows Server 2003 RASQ RASQ with IIS enabled RASQ with IIS Lockdown 100 200 300 400 500 600 700 3. Windows in “lockdown” mode for NT4.0 and 2000 are each more secure than raw mode. 1. Windows Server 2003 is “more secure” than previous versions. 2. Windows w/IIS enabled is only slightly worse for Windows Server 2003, in contrast to its predecessors. Cybersecurity Jeannette M. Wing

21 Attack Surface Attacks
system surface 1. Methods 2. Channels 3. Data Attacks Entry/Exit Points The attack surface of a system is the ways in which an adversary can enter the system and potentially cause damage. Reduce the attack surface  Increase system’s security Cybersecurity Jeannette M. Wing

22 4. Privacy Today: Threats to citizens’ privacy in many sectors of daily life Health, financial, e-commerce, social networks, e-voting Fundamental challenge: Once someone learns a secret about you, you cannot take away that knowledge Different from security (e.g., revoking access to a file, changing a lock on a door) Cybersecurity Jeannette M. Wing

23 Privacy: A Few Questions to Ponder
What does privacy mean? How do you state a privacy policy? How can you prove your system satisfies it? How do you reason about privacy? How do you resolve conflicts among different privacy policies? Are there things that are impossible to achieve wrt some definition of privacy? How do you implement practical mechanisms to enforce different privacy policies? As they change over time? How do you measure privacy? (Is that a meaningful question?) Cybersecurity Jeannette M. Wing

24 Privacy and Confidentiality
Doctor Billing bill X-ray Patient Database Only the doctor may see the privacy policy What other privacy policies does the database enforce? Unfortunately, such confidentiality policies are embedded in source code. Cybersecurity Jeannette M. Wing

25 Privacy and Software Analysis
extraction tool application code policy Cybersecurity Jeannette M. Wing

26 5. Usability The user is the weakest link in security. Challenges
Striking a balance between control and convenience Users are human. Targets of social engineering attacks Sources of insider threats Cybersecurity Jeannette M. Wing

27 Usable Security (IE) Clicking Your Way Through Security Cybersecurity
Jeannette M. Wing

28 Usable Privacy (Firefox)
Clicking Your Way Through Privacy Cybersecurity Jeannette M. Wing

29 Summary of Research Challenges
New research foci Theoretical foundations: models, logics, crypto Software architecture Metrics Privacy Usability Enhanced investments in existing research foci: Software security engineering Networking Testbeds Cybersecurity Jeannette M. Wing

30 Summary of What’s Missing
Anticipate tomorrow’s threat. Take a broad view. Long-term Holistic Research Basic research in new areas Enhanced investments in existing areas Education Cybersecurity Jeannette M. Wing

31 Good guys and bad guys are in a never-ending race!
Trustworthy Security Axiom Good guys and bad guys are in a never-ending race! The Good Guys try to ensure the Security Properties. The Bad Guys launch the Security Attacks. Cybersecurity Jeannette M. Wing

32 Thank you.

33 Academia-Industry Relations
Old Model Go it alone Individual work Slow, serial Focus on ideas Basic research Less focus on specific ideas Simpler regulations Funding sufficiency Companies had money Indirect benefits New Model Partnered Joint work Fast, parallel Focus on IP Bayh-Dole (1985) Applied research More focus on specific ideas Complex regulations Tax rules, export rules, COI Funding challenges Research $ at program manager level Direct benefits Cybersecurity Jeannette M. Wing

34 Credits Copyrighted material used under Fair Use. If you are the copyright holder and believe your material has been used unfairly, or if you have any suggestions, feedback, or support, please contact: Except where otherwise indicated, permission is granted to copy, distribute, and/or modify all images in this document under the terms of the GNU Free Documentation license, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation license” ( Cybersecurity Jeannette M. Wing

Download ppt "Cybersecurity Research Challenges"

Similar presentations

Cyber Crime and Technology

Cyber Crime and Technology
Operating System Security

Operating System Security
Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security.

Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security.
VM: Chapter 5 Guiding Principles for Software Security.

VM: Chapter 5 Guiding Principles for Software Security.
Bruce Schneier Lanette Dowell November 25, 2009. Introduction  “It is insufficient to protect ourselves with laws; we need to protect ourselves with.

Bruce Schneier Lanette Dowell November 25, Introduction  “It is insufficient to protect ourselves with laws; we need to protect ourselves with.
Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.

Copyright © 2002 Pearson Education, Inc. Slide 5-1 PERTEMUAN 8.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
A First Course in Information Security

A First Course in Information Security
Whitacre College of Engineering Panel Interdisciplinary Cybersecurity Education Texas Tech University NSF-SFS Workshop on Educational Initiatives in Cybersecurity.

Whitacre College of Engineering Panel Interdisciplinary Cybersecurity Education Texas Tech University NSF-SFS Workshop on Educational Initiatives in Cybersecurity.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Adam Leidigh Brandon Pyle Bernardo Ruiz Daniel Nakamura Arianna Campos.

Adam Leidigh Brandon Pyle Bernardo Ruiz Daniel Nakamura Arianna Campos.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Design Extensions to Google+ CS6204 Privacy and Security.
BRAIN: Brain Research through Advancing Innovative Neurotechnologies Announced by President Obama in February 2013 as part of FY 2014 Budget Request to.

BRAIN: Brain Research through Advancing Innovative Neurotechnologies Announced by President Obama in February 2013 as part of FY 2014 Budget Request to.
Operating Systems AOIT Principles of Information Technology.

Operating Systems AOIT Principles of Information Technology.
4/2/03I-1 © 2001 T. Horton CS 494 Object-Oriented Analysis & Design Software Architecture and Design Readings: Ambler, Chap. 7 (Sections 7.1-7.3 to start.

4/2/03I-1 © 2001 T. Horton CS 494 Object-Oriented Analysis & Design Software Architecture and Design Readings: Ambler, Chap. 7 (Sections to start.
Security in Computer System 491 CS-G(172) By Manesh T

Security in Computer System 491 CS-G(172) By Manesh T
Information Ethics Prof. Madya Dr. Rozinah Jamaludin 11 March 2010.

Information Ethics Prof. Madya Dr. Rozinah Jamaludin 11 March 2010.
Computing and Communications and Biology Molecular Communication; Biological Communications Technology Workshop Arlington, VA 20 February 2008 Jeannette.

Computing and Communications and Biology Molecular Communication; Biological Communications Technology Workshop Arlington, VA 20 February 2008 Jeannette.

Similar presentations

Ads by Google