Cyber Vulnerabilities in the Intangible World
MACPA 2014 Government and Not-for-Profit Conference
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Robert Behler, Deputy Director and COO, USAF Major General (ret.)
April 25, 2014

[Slide: Pittsburgh, 1910 (photograph)]
[Slide: Pittsburgh, 2010 (photograph)]

The DoD is in the software business
"The B-52 lived and died on the quality of its sheet metal. Today our aircraft will live or die on the quality of our software."
Quote: Delivering Military Software Affordably, Defense AT&L, March-April 2013
Increasing Complexity and Functionality Increase Attack Surface
[Chart: software size plotted against complexity and functionality; data points range from 2K lines of machine code and 0 SLOC up to 500K SLOC and 9.9M SLOC]
Sourced from Washington Times and Atlantic Wire

Crown Jewels Vulnerabilities
- Critical infrastructures
- Insider threats
- Cloud/networked systems
- Mobile devices
- Legacy system upgrades
- Complex software supply chain
- Emerging threats
Daunting Challenges
- Technology
- People
- Continuously emerging threat
- Making cyber resilience part of the business case

Cyber Attack Can Steal the Perception of Reality
2014 Super Bowl Wi-Fi Password Credentials Broadcast in Pre-Game Security Gaffe
http://www.zdnet.com/super-bowl-wi-fi-password-credentials-broadcast-in-pre-game-security-gaffe-7000025865/

Fake Netflix App Redirects Data to Attacker
- Targeted software supply chain for mobile devices
- New phones and tablets shipped with pre-installed fake Netflix app
- Phony app sends passwords and credit card information to Russia
- Phony Netflix apps were found on newly shipped mobile devices from four manufacturers (reported in March 2014)
"In the supply chain for new mobile devices, bundles of third-party applications are rarely run through anti-malware or privacy leak detection software." (security analyst)
Watering Hole Attack Uses VFW Website
- Used vulnerability in IE10
- Served from VFW website during 2014 winter storm Pax and Presidents' Day weekend
- Gave attacker access to site visitors' important information
In a watering hole strategy, an attacker plants malware on a website popular with the targeted group.
"Possible object: targeting military service members to steal military intelligence. In addition to retirees, active military personnel use the VFW website." (FireEye researchers)

Make Cyber Resilience Part of the Business Case
[Slide: Astroinertial navigation system (image)]
The Ultimate Computer
- Technology
- Continuously emerging threat
- People
- Cyber resilience in the business case

Contact Information
Robert Behler, Deputy Director and COO, Software Engineering Institute
Telephone: +1 412-268-5800
Email: info@sei.cmu.edu
Web: www.sei.cmu.edu, www.sei.cmu.edu/contact.cfm
U.S. Mail: Software Engineering Institute, Customer Relations, 4500 Fifth Avenue, Pittsburgh, PA 15213-2612, USA
Customer Relations Email: info@sei.cmu.edu
Customer Relations Telephone: +1 412-268-5800
SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257
Copyright 2014 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM-0001174