Presentation Transcript
Slide1: KIRK BAILEY
CISO, UNIVERSITY OF WASHINGTON
Information Security at the UW
Slide2: BRIEFING AGENDA
THE STATE OF THE CYBER-SECURITY WORLD
IMPLICATIONS FOR ALL OF US AT UW
GOOD IDEAS // BAD IDEAS?
CONCLUSIONS (FOR NOW)
Slide3: “In the world of networked computers every sociopath is your neighbor.”
- Dan Geer, Chief Scientist, Verdasys
THE STATE OF THE CYBER-SECURITY WORLD
41,000,000 of ‘em out there!
Slide4: In the cyber-security world…
the threat spectrum has
changed dramatically during
the last 18 months.
Greed
Business Mission Marketing
Convenience Addiction
Criminals
Nation States’ Interests
…have stunned the Security Industry and challenged
all notions of privacy protection.
Slide5: RESISTANCE IS FUTILE.
PREPARE TO BE ASSIMILATED?
Species 8472
Slide6: LAW ENFORCEMENT AND “CULTIVATED” CONTACTS
Slide7: THE MOTIVE AND THREATS
DATA HAS BECOME A VALUABLE COMMODITY.
THE CASE CAN BE MADE THAT CYBER-CROOKS
NOW VALUE YOUR DATA MORE THAN YOU
AND THE ORGANIZATIONS THAT
HAVE YOUR INFORMATION.
$
Slide8: BIG MONEY
LESS RISK
MORE POWER FOR CRIMINALS… OBVIOUS MOTIVES
Slide9: RAPIDLY GROWING THREAT SPECTRUM
CRIMINAL ELEMENTS ARE ACTIVELY FINANCING AND WORKING TO CONTROL MALWARE DEVELOPMENT
AND DELIVERY SYSTEMS.
SERIOUS CRIMINALS ARE NOW SEEKING CONTROL OF BOTNETS AND IMPROVING HOW THEY COVER THEIR TRACKS AND FOIL INVESTIGATIONS.
THE NEW CRIMINAL ACTIVITIES AND INVESTMENTS ARE PRODUCING “CRIMEWARE” WITH BETTER TARGETING,
PAYLOAD AND DELIVERY SYSTEMS.
IT ALL MEANS THAT “ZERO DAY” EVENTS ARE MORE LIKELY WITH EVEN WORSE IMPLICATIONS THAN
IMAGINED BEFORE.
Slide10: WHO ARE THEY – HOW BIG IS IT?
THE INTELLIGENCE GATHERING HAS NOT HAD
A LONG HISTORY OF COORDINATED EFFORTS
BETWEEN PLAYERS THAT HAVE BEEN
COMBATING CYBERCRIME.
IT IS NOT A CLEAR PICTURE.
WHAT IS KNOWN PROVIDES STRONG
INDICATIONS OF HOW QUICKLY IT IS
EVOLVING AND EXPANDING.
Slide11: A VIEW OF A SMALL PORTION OF
ORGANIZED CYBER-CRIME
AND GEOGRAPHY OF
EVOLVING “CRIMEWARE” CYBER-CRIME
GANGS
PHISHING GROUPS (PGs)
PROFILED AND TRACKED
BY ANTI-PHISHING WORK GROUP
CODERS FOR HIRE
SOME CODERS ARE
FLAMBOYANT IN
THE ONLINE UNDERGROUND
AND THEIR ONLINE COMMENTS
ARE MONITORED.
Slide12: WHAT ARE THEY DOING?
HEROIN, COCAINE, METH, MARIJUANA, PRESCRIPTION DRUGS, PORN, HUMAN TRAFFICKING, CHILD PORN, SLAVERY, PROSTITUTION, ILLEGAL DRUGS, ILLEGAL WEAPONS, INDUSTRIAL ESPIONAGE, SOFTWARE PIRACY, MONEY LAUNDERING & MOVEMENT
= TRADITIONAL INTERNATIONAL CRIME
TERRORISM?
Slide13: IT’S HARD TO FIND GOOD HELP.
“BAD GUY” CODERS ARE NOW SELLING
CODE TO CYBER-CROOKS WITH BACK
DOORS AND HIDDEN TRICKS TO SKIM A
SHARE OF THE DATA PLUNDERING.
THESE CREEPS ARE CALLED “RIPPERS.”
NOW HIRING!
EASTERN EUROPEAN CRIMINAL-TYPES TURN UP
IN LAS VEGAS AT DEFCON THIS YEAR LOOKING
TO RECRUIT WITH BIG WADS OF CASH AND
FANCY ROOMS AT THE BELLAGIO RESORT.
IT’S A WAR…BAD BOTS VS REALLY UGLY BOTS.
FOR THE SERIOUS CYBER-CRIMINALS IT’S ABOUT
SERIOUS MONEY AND THEY WANT ALL THE
ADVANTAGES THEY CAN GET...INCLUDING
CONTROL OF THE BOTNETS. IS IT THE END OF
SCRIPT KIDDIES AND SMALL-TIME CROOKS?
Slide14: BOT WAR
Farid Essebar - “diabl0” writes
and Atilla Ekici - “coder”
releases Zotob code and
a few variants.
Unknown bad actors code and
release a series of variants that
attack and delete diabl0’s and
coder’s bots.
There are suspicions about
a clutch of coders called
“m00p”.
F-SECURE MONITORS
AND BLOGS ABOUT
BOT WAR.
Slide15: “www.ox90-team/~diablo”
VERY SOON AFTER diabl0 & coder’s ARRESTS THE
OX90 WEBSITE WAS DEFACED WITH THE MESSAGE:
“IF YOU CONTINUE TO HOLD THIS PLACE TO TRAIN
SCRIPT-KIDDIES – WE’LL BE BACK.”
Slide16: FUTURE?… IF CYBER-GANGS ARE FIGHTING FOR
CONTROL OF TECHNICAL RESOURCES AND PROFITS:
IT DOES NOT BODE WELL
FOR FOLKS WHO ARE ACCOUNTABLE FOR PROTECTING
INSTITUTIONAL INFORMATION SYSTEMS AND DATA.
IT LIKELY MEANS THAT WHEN WE HAVE
FUTURE “MALWARE” OR “CRIMEWARE” ATTACKS
WE CAN EXPECT MULTIPLE, MORE HARMFUL VARIANTS TO BE INTRODUCED FASTER WITH MORE PRECISION.
IT MEANS THAT CYBER-CRIMINALS WILL CONTINUE TO
LEAD THE ARMS RACE WITH THE SECURITY INDUSTRY.
THEIR REFINED STRATEGIES AND TECHNICAL CAPABILITIES WILL MAKE IT NEARLY IMPOSSIBLE TO TRACK THEM DOWN (e.g. THE BRAZILIANS).
Slide17: THE MOST IMMEDIATE AND DANGEROUS THING
HIGHLY MOTIVATED AND WELL FINANCED ATTACKS ARE
COMING YOUR WAY.
THEY ARE GOING TO PUMMEL YOUR INTERNET-FACING
WEB-BASED APPLICATIONS FOR ALL THE DATA THEY CAN GET.
THEY WILL TEST FOR EVERY SECURITY HOLE AND CODE
VULNERABILITY TO BE FOUND. THEY WILL TRY TO DO IT
QUIETLY, BUT IF THEY NEED TO BREAK THINGS THEY WILL.
THEY WILL ALSO COME AT YOU IN THE FORM OF SOPHISTICATED
“CRIMEWARE” THAT WILL COMPROMISE AS MANY MACHINES
AS POSSIBLE AND SUCK THEM DRY OF DATA.
OH YAH…THEY WILL ALSO WANT TO KEEP CONTROL OF
SEVERAL OF THE MACHINES. IT WON’T BE EASY TO TAKE
THEM BACK EITHER. IT WILL BE EXPENSIVE.
Slide18: WHERE’S THE DATA?
IS IT PROTECTED?
IS IT GOOD ANYMORE?
The impact of Business Mission Marketing and Convenience Addiction
Slide19: Data Sharing
Information current as of 12/2001
Slides used with credit to D. Pierce and PrivacyActivism.org
Slide20: Macy’s
Slide21: Federated
Slide22: Federated
Slide23: Federated
Slide24: Federated
Slide25: Amazon
Slide26: Amazon
Slide27: Amazon
Slide28: Amazon
Slide29: In the cyber-security world:
The bad guys have the advantage and are seriously motivated.
Protecting data from compromise is a very difficult challenge because of usage.
Consequences and liabilities for not protecting data are growing.
Disclosure laws throw a very bright spotlight on failures (new WA State law).
Higher education is beginning to look incompetent.
Slide30: IMPLICATIONS FOR ALL OF US AT UW
http://www.privacyrights.org/ar/ChronDataBreaches.htm
Out of the 120 security breaches listed in the
Chronology of Data Breaches reported since the
ChoicePoint Incident (February 15, 2005),
55 of them
involved institutions of higher education.
Univ. of CA, Berkeley; Boston College; Northwestern Univ.; Univ. of NV., Las Vegas; Calif. State Univ., Chico; Univ. of CA, San Francisco; Univ. of Chicago; Tufts University; Carnegie Mellon Univ.; Mich. State Univ's Wharton Center; Georgia Southern Univ.; Oklahoma State Univ.; Purdue Univ.; Stanford Univ.; Duke Univ.; Kent State Univ.; Univ. of Hawaii; Univ. of Southern Calif. (USC); Mich. State Univ.; Univ. of Colorado-Boulder; Univ. of Washington (Med Center)
Slide31: What I’m always thinking about (good and bad ideas):
Strategic and tactical security actions
that make sense?
Awareness program and targeted training?
Incident response practices?
Security policies and standards?
Funding and support?
Slide32: University of Washington Information Systems Security Program Governance
(Organization chart; labels and boxes as they appear on the slide.)
Chart labels: SECURITY ACCOUNTABILITY ADVISEMENT PROVOST OVERSIGHT & ADVISEMENT
VP C&C
I-TAC (Information Technology Advisory Committee)
PASS Council (Privacy Assurance and Systems Security Council)
UW CISO (Chief Information Security Officer)
UW Privacy Officer
A-TAC (Academic Technology Advisory Committee)
U-TAC (University Technology Advisory Committee)
UW Med IT Services Security
SecOps@C&C
Campus Computing Directors And System Administrators
C&C Security Solutions
UW Medicine CIO/ISO
UW MEDICINE Security Implementation Oversight Group
UW MEDICINE ICR Compliance Work Group
UW MEDICINE Security Work Group
UW MEDICINE Confidentiality & Access Steering Committee
HIPAA Compliance Officer
Slide33: CONCLUSIONS?