I Am The Cavalry (The Cavalry Is Us), SOURCEConf, September 2015
Post on 13-Apr-2017
The Cavalry Isn't Coming
I am The Cavalry
http://iamthecavalry.org
@iamthecavalry
Shouldn't you be also?
Claus Cramon Houmann
Infosec Community Manager @ Peerlyst (a start-up infosec community/social platform that wants to turn the tables on cyber security)
Infosec Consultant
The Analogies contributor
Twitter: @claushoumann
Idea: Our dependence on technology is growing faster than our ability to secure it.
Quote: Josh Corman
Idea: Our society has evolved faster than our laws.
Quote: Josh Corman
Idea: But why wait...
Quote: Josh Corman
Where do we see connectivity now?
In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars
Heartbleed + (Unpatchable) Internet of Things == ___ ?
In Our Bodies
In Our Homes
In Our Infrastructure
In Our Cars
Say baby monitors again?
In Our Homes
Source: Rapid7 research / Mark Stanislav, "Hacking IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities": https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf
Vulnerable baby monitors. Baby monitors: sure, but who's monitoring? Who do we want monitoring?
Then...
Source: Wired, http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
But also...
Source: FDA.gov, http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
All Systems Fail* (*Yes; all)
Nearly all merchants have been breached.
Nearly all F100 have lost intellectual property and trade secrets.
"Acceptable fraud rates": with consequences including flesh and blood, what IS an acceptable failure rate for cars?
Past versus Future
Bolt-On vs Built-In
www.iamthecavalry.org @iamthecavalry
Image: http://images.sodahead.com/polls/003737595/0f94b51deb8e40f8ba4ffa92da742877_xlarge.jpeg
Everything connected is vulnerable and can/will be hacked.
Ouch!
Cars have computers. Computers have security issues. Security issues in cars are safety issues.
Safety issues can cost or imperil lives.
"But they wouldn't hurt you!"
Public Infra
I'd prefer that they couldn't hurt me.
Murphy's Law photo: http://www.localwineandspirits.com/labels/murphyslaw_front.jpg
Bomb photo: http://tribune.com.pk/story/607940/casualties-four-li-militants-die-in-ied-explosion-in-khyber-agency/
Chapter 2: Someone will fix it for us
A superhero to the rescue! We all love superheroes, right?
Chapter 3: Or not...
Let's create ripples
A DO-ocracy of doers, where doing starts with empathy. And by ripples I mean...
Ripples interact.
Ripples can cause abnormally large waves.
Or a tsunami, but tsunamis can change/break a lot of things, are a safety risk, and create fear.
The Point?
"Never doubt that a small group of thoughtful, committed citizens can change the world; it's the only thing that ever has."
- Margaret Mead (an American cultural anthropologist)
The Cavalry isn't coming. It falls to us.
Problem Statement: Our society is adopting connected technology faster than we are able to secure it.
Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.
Collecting existing research, researchers, and resources
Connecting researchers with each other, industry, media, policy, and legal
Collaborating across a broad range of backgrounds, interests, and skillsets
Catalyzing positive action sooner than it would have happened on its own
Why: Trust, public safety, human life
How: Education, outreach, research
Who: Infosec research community
Who: Global, grass-roots initiative
What: Long-term vision for cyber safety
Medical / Automotive / Connected Home / Public Infrastructure
I Am The Cavalry
Connections and Ongoing Collaborations
5-Star Framework / 5-Star Capabilities
Safety by Design: Anticipate failure and plan mitigation
Third-Party Collaboration: Engage willing allies
Evidence Capture: Observe and learn from failure
Security Updates: Respond quickly to issues discovered
Segmentation & Isolation: Prevent cascading failure
Addressing Automotive Cyber Systems
Automotive Engineers
Security Researchers
Policy Makers
Insurance Analysts
Accident Investigators
Standards Organizations
https://www.iamthecavalry.org/auto/5star/
Security researchers are also working on the issue, in our shared domain. Goal: more informed decision-making, not supplanting their judgment with ours.
5-Star Cyber Safety
Formal Capacity / Plain Speak
Safety By Design: Avoid Failure
Third Party Collaboration: Engage Allies To Avoid Failure
Evidence Capture: Learn From Failure
Security Updates: Respond to Failure
Segmentation and Isolation: Isolate Failure
https://www.iamthecavalry.org/domains/automotive/5star/
Safety by Design
1) Safety By Design: Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?
Safety by Design
Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?
The public is informed and assured of your commitment to safety when you publish the extent to which you ensure that software is reasonably free of flaws. The goal is to convey confidence to the general public and to allow consumers to make informed choices among market alternatives. Software manufacturers, such as Microsoft and others, make this attestation and could serve as a model for automakers.
Key Elements:
Standards Based: Use of vetted ISO, NIST, or industry standards would both accelerate an organization's maturity and ensure more predictable, normalized, comprehensive practices.
Supply Chain Rigor: Well-governed, traceable hardware and software supply chains enable more defensible products and more agile remediation times, especially amidst variable quality, security, and provenance.
Reduction of Elective Attack Surface and Complexity: There are relationships between security and complexity, interfaces, attack surfaces, code flaws per thousand lines of code, etc. As such, more secure designs seek to minimize these types of exposure.
Independent, Adversarial Resilience Testing: Adversarial testing should be carried out by qualified individuals, independent of those who designed and implemented the code. These individuals can be internal resources under a different organizational branch or third parties.
1) Safety By Design
http://www.microsoft.com/en-us/sdl/video/default.aspx
2) Third Party Collaboration: Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
Third Party Collaboration
Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
A collaboration policy supports a positive, productive collaboration between the automotive industry and security researchers. Researchers are invited to contribute to automotive safety as willing allies, to help discover and address flaws before adversaries and accidents can impact vehicle safety. Such coordinated exchanges are more positive, productive, and impactful than other alternatives. Your attestation serves as a commitment and a protocol for teaming.
Key Elements:
Standards Based: Use of vetted ISO standards for vendor-side disclosure practice and for internal vulnerability handling (ISO 29147 and ISO 30111) accelerates an organization's maturity and ensures predictable, normalized interfaces to researchers and facilitators.
P