Cyber Vulnerabilities in the Intangible World

Transcription:

Slide 1: Cyber Vulnerabilities in the Intangible World
MACPA 2014 Government and Not-for-Profit Conference
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Robert Behler, Deputy Director and COO, USAF Major General (ret.)
April 25, 2014

Slide 2: [Photo: Pittsburgh, 1910]

Slide 3: [Photo: Pittsburgh, 2010]

Slide 4: The DoD is in the software business
"The B-52 lived and died on the quality of its sheet metal. Today our aircraft will live or die on the quality of our software."
Quote: Delivering Military Software Affordably, Defense AT&L, March-April 2013

Slide 5: Increasing Complexity and Functionality Increase Attack Surface
[Chart: complexity (lines of code) plotted against functionality; data points 0 SLOC, 2K lines of machine code, 500K SLOC, 9.9M SLOC]
Sourced from Washington Times and Atlantic Wire

Slide 6: Crown Jewels / Vulnerabilities
- Critical infrastructures
- Insider threats
- Cloud/networked systems
- Mobile devices
- Legacy system upgrades
- Complex software supply chain
- Emerging threats

Slide 7: Daunting Challenges
- Technology
- People
- Continuously emerging threat
- Making cyber resilience part of the business case

Slide 8: Cyber Attack Can Steal the Perception of Reality

Slide 9: 2014 Super Bowl Wi-Fi Password Credentials Broadcast in Pre-Game Security Gaffe
http://www.zdnet.com/super-bowl-wi-fi-password-credentials-broadcast-in-pre-game-security-gaffe-7000025865/

Slide 10: Fake Netflix App Redirects Data to Attacker
- Targeted software supply chain for mobile devices
- New phones and tablets shipped with a pre-installed fake Netflix app
- Phony app sends passwords and credit card information to Russia
- Phony Netflix apps were found on newly shipped mobile devices from four manufacturers (reported in March 2014)
"In the supply chain for new mobile devices, bundles of third-party applications are rarely run through anti-malware or privacy leak detection software." (Security Analyst)

Slide 11: Watering Hole Attack Uses VFW Website
- Used a vulnerability in IE10
- Served from the VFW website during 2014 winter storm Pax and the President's Day weekend
- Gave the attacker access to site visitors' important information
- In a watering hole strategy, an attacker plants malware on a website popular with the targeted group.
- Possible objective: targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website. (FireEye researchers)

Slide 12: Make Cyber Resilience Part of the Business Case
[Image: Astroinertial navigation system]

Slide 13: The Ultimate Computer
- Technology
- Continuously emerging threat
- People
- Cyber resilience in the business case

Slide 14: Contact Information
Robert Behler, Deputy Director and COO, Software Engineering Institute
Telephone: +1 412-268-5800
Email: info@sei.cmu.edu
Web: www.sei.cmu.edu, www.sei.cmu.edu/contact.cfm
U.S. Mail: Software Engineering Institute, Customer Relations, 4500 Fifth Avenue, Pittsburgh, PA 15213-2612, USA
Customer Relations Email: info@sei.cmu.edu
Customer Relations Telephone: +1 412-268-5800
SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257

Slide 15: Copyright 2014 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM-0001174