
Vision for Future & Emerging Risk Work (EFR Forum)

June 23, 2010, Claire Vishik

Agenda
Security Environment, new technology security penalty, anticipating emerging risks
Looking at the big picture
EFR Vision:
Expanding Topics
Building Community of Stakeholders
Addressing new problems

Next Steps

BACKGROUND & RATIONALE



Innovation Penalty
Technology innovation/security
Technology innovations bring new security threats
Smart phones, energy management, ubiquitous connectivity
New behaviors and new technologies
Creating additional vulnerabilities (e.g., social networks)
New business models open new vulnerabilities
E.g. medical home monitoring, online college classes
Unintended consequences
Cannot be anticipated in a reliable fashion


Today's Complex Environment


New threats from:
Social networking
Web mash-ups
Drive-by downloads
Mobile devices
Hardware and firmware attacks
Virtualization attacks
Even power management tools

Tools to perform security attacks are readily available and increasingly more efficient
The tools are increasingly adapted to the intended environments

"Cybercrime has been so profitable for organized crime that the mob is using it to fund its other underground exploits. And U.S. law enforcement is reaching around the world to reel it in." [2]

Cybercrime is Funding Organized Crime

"We see many signs that criminals are mimicking the practices embraced by successful, legitimate businesses to reap revenue and grow their enterprises." [3]

Tom Gillis, Vice President and General Manager, Cisco Security Products

Threats are more sophisticated and professional



Security Environment: Layers


[Figure: layers of the security environment. Client Devices: limited physical protections and more human interaction. Edge Systems: changing perimeters and increased access. Back End Systems: strongest physical isolation and lowest accessibility. Attack targets/risk areas are labelled Traditional, Growing and Emerging. Protections shown across the layers: encryption, antitheft, IPS/IDS, measured launch, biometrics, antivirus, antispam, domain isolation, content inspection, access control.]

New security threats accompany the emergence of new technologies; protecting one component is not enough

Technology Users: Continuum of Activities


At work: Tools, behaviors, requirements, hours, interactions change

At home: Activities change; boundary with work dissolved

Other environments: Users continue to be connected to work and home as they pursue other interests

New security threats accompany the development of new behaviors as society changes

Because fragmented solutions are not sufficient

LOOK AT THE BIG PICTURE

General Approach Recommended


Look at the big picture
Not islands of new technologies
Not only well studied and popular areas of activities

Look beyond the emergence of new ideas
To their adoption and deployment
To how they are used

Look at complex, composite problems
Introducing broadly applicable technology approaches
Analyzing how they interact with societal and economic issues

Look beyond technology
Business models, economic incentives, users' attitudes, participation, and awareness, availability of infrastructure


Environments, processes, and business models are very complex and diverse

WHY COMPOSITE PICTURE IS DIFFICULT



Diverse Ecosystem: All Components Need to Be Considered

[Figure: ecosystem diagram with the labels Wirelessly Connected Devices, External Constituencies (Organizations, Users), Cloud, Internet, Intranet, Private Networks, Protected Connections, and Better protection.]


Varying Levels of Protection in Components of Complex Processes


[Figure: numbered components of a process and their protection levels: motion sensor (no protection), sensor network (minimal protection), capture device (fair protection), LAN (fair protection), PCs in security office, WAN, security event server.]

We need to evaluate the technology space as a whole to change the game



Varying Levels of Privacy and Anonymity: Example


1 User accesses Charity Web site from a smart phone
2 User sets up Anonymous donation
3 User pays by credit card using the phone
4 Credit card delivers payment to charity
5 Charity publishes anonymous donation

[Figure labels: Device & User Information, Payment Information, Heterogeneous Networks]

We need to evaluate many aspects beyond technology to design acceptable solutions



How can we anticipate emerging risks in a holistic way?


1 Accumulate information on interdependencies to inform new models
2 Develop methodologies to address comprehensive risks for complex processes
3 Build a community of experts
4 Build validation practices
5 Ensure sufficient agility

How this program could progress

EFR FORUM VISION


EFR Forum
Multidisciplinary group of experts
Tasked with the overall high level advisory role in the program


EFR Vision Summary


1 Evolution of the focus from in-depth vertical scenarios to cross cutting topics and broader technology assessment
2 Fine-tuning/packaging of methodology
3 Unaided use of methodology to build an inventory of cases
4 Developing greater interest in data-related issues
5 Evaluation of feasibility of studying cutting edge technologies (in addition to advanced environments)


New topics
1 Cross cutting issues (not driven by technologies)
2 Broad areas of security technologies and their potential effects
3 Longer term innovation (10 years out)
4 Innovative usages of technologies
5 New methodologies


Building Communities of Experts


Model necessary skills and define the community
Attract key participants
Develop working models of dissemination and collaboration
Develop a value model to encourage participation from community members


Potential Uses of Methodology


Comprehensive, technical and societal approach to the analysis of the technology innovation

Preliminary multi-faceted assessment of longer term technology innovations, e.g. effect of quantum or molecular computing or new types of information transmission

Analysis of unexpected applications of emerging and mature technologies, e.g. a gadget that is a computer, a wireless phone, a garage door opener and a TV remote control, among many other applications

Analysis of the data side of matters and its evolution

Crystallization of the innovative methodology to outsource it to the expert community as a recognized risk analysis tool

Detection of the effects of the technology innovation on the civic fabric of our society (our life, property, liberty, privacy, fair play, due process etc.), and on how we relate to each other


NEXT STEPS


We are in a better position now


1 We understand the issues, and what we do not know, better
2 We have a technology foundation, access to growing computing power, ubiquitous connectivity
3 We have a growing experience of collaboration among diverse technology community
4 Lessons learned from the earlier generations of technologies can be used to improve vision
5 We have helpful methodologies that we can build upon


THANK YOU!


BACKUP


Example Situations Requiring Trust


1 Access to mission critical systems
2 Social networking
3 Online banking and e-commerce
4 Using an ATM in a foreign country
5 Using medical services, accessing health records
6 Updating/synchronising your devices via your computer
7 Accessing premium content in a mobile setting
8 Setting up and updating PCs for enterprise employees


Research Challenges
The research subject is very complex
Requires skills and input from diverse groups of stakeholders
We don't have good models to work together in this fashion yet

We don't yet know the rules of the game
A broader analysis is necessary to consider game change
New approaches to analysis are required

Defining operative trust parameters, trust information, and trust tools, from system and device architecture to behaviors and economic incentives, is the type of scientific problem we need to learn to solve

Societal and economic components are crucial parts of the game
We need to learn to analyse these elements together with technology

Significant infrastructure investment is likely to be required


What We Need
1 New game changing ideas
2 Multidisciplinary innovative approaches
3 Early concern about adoption and deployment
4 Broadly applicable standards
5 Economic incentives and business models to support deployment of new technologies
6 Efficient use of diverse expertise of all stakeholders
7 Focus on hard problems

