
Cyber Security & e-Commerce






Presentation Transcript


  1. Cyber Security & e-Commerce
     NCMA – December Meeting, December 14, 2000 (Updated 12/18/03)
     Robert E. Mahan, Chief Information Officer, Pacific Northwest National Laboratory
     Cyber

  2. Definitions
     • Cyber Security
       • Cyber – automatic control, usually through some form of computing, network, electronics
       • Security – a state characterized by freedom from danger, fear, anxiety

  3. More Definitions
     • E-commerce
       • Business transactions in a cyber environment
       • Buy, sell, contract, bill, pay, etc.
       • Business-to-Business (B2B), Business-to-Consumer (B2C)

  4. E-Commerce – How Big (U.S.)?
     • Business (B2B), from U.S. Dept. of Commerce
       • 1999 – $913B
       • 2000 – $997B
       • 2001 – $995B
     • Consumer (B2C), from U.S. Dept. of Commerce
       • 1999 – $15B
       • 2000 – $29B
       • 2001 – $34B
       • About 40M buyers
     • Point? It is big business

  5. What is the worry? (Requirements)
     • Confidentiality (secrecy, privacy) of the transaction
     • Integrity of the system and information associated with the transaction
     • Availability of the system and information so transactions can be completed
     • Authentication of the parties
     • Evidence that the transaction occurred as agreed to by both parties (non-repudiation)

  6. What are the Solutions?
     • Confidentiality – Encryption in transit and at rest
     • Integrity – Message and file authentication codes
     • Availability – Systems secured against intrusion and denial of service
     • Authentication – From one-time passwords to tokens to biometric authenticators
     • Non-repudiation – Digital signatures
     • Basis for all of these is cryptography – elegant, mathematically provable – magical security dust!
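The integrity and non-repudiation rows of slides 5 and 6, and the functionality-versus-security testing point of slide 7, worked through in code. This is an added example, not material from the presentation or from PNNL: a constructed e-commerce order is protected with HMAC-SHA256 under a key shared by buyer and merchant (the key, the order fields and the party names are all invented). The "functional" test checks that a valid tag verifies; the "security" tests check that tampered, truncated and wrong-key tags are rejected. The last case shows why a message authentication code gives integrity but not non-repudiation: the merchant holds the same key, so it can produce a tag on an order the buyer never sent, and that tag verifies. Closing that gap is exactly what the digital signatures on slide 6 are for.

```python
"""Integrity with a MAC, and why a MAC alone is not non-repudiation.

Constructed example: an e-commerce order is protected with HMAC-SHA256
under a key shared by customer and merchant. The key, the order and the
party names are all made up for this demonstration.
"""
import hashlib
import hmac
import json

# Constructed shared secret; in practice it is derived from a key exchange
# or provisioned out of band, never hard-coded in source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(order: dict) -> bytes:
    """Serialize an order deterministically so both parties MAC the same bytes."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def mac_order(order: dict, key: bytes = SHARED_KEY) -> str:
    """Integrity tag for the order (HMAC-SHA256, hex-encoded)."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def verify_order(order: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time; any change to the
    order, the tag or the key makes this return False."""
    expected = mac_order(order, key)
    return hmac.compare_digest(expected, tag)


def run_demo() -> dict:
    """Functional test (valid tag verifies) and security tests (tampered,
    truncated, wrong-key and forged-by-the-other-party cases).
    Every entry in the returned dict is True when the MAC behaves as described."""
    order = {"buyer": "alice", "merchant": "shop", "item": "widget",
             "qty": 2, "price_cents": 1999}
    tag = mac_order(order)

    results = {}
    # Functional test: does it do what it was designed to do?
    results["valid_accepted"] = verify_order(order, tag)

    # Security tests: does it stop what it was not designed to allow?
    tampered = dict(order, price_cents=1)
    results["tampered_rejected"] = not verify_order(tampered, tag)
    results["wrong_key_rejected"] = not verify_order(order, tag, key=b"other-key")
    results["truncated_rejected"] = not verify_order(order, tag[:-2])

    # Non-repudiation gap: the merchant holds the same key, so it can tag an
    # order the buyer never sent, and a verifier cannot tell the two apart.
    forged = dict(order, qty=200)
    forged_tag = mac_order(forged)  # merchant computes the tag "as" the buyer
    results["forgery_by_merchant_verifies"] = verify_order(forged, forged_tag)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The canonical serialization matters: if the two parties serialize the same order differently (key order, whitespace), a correct tag fails to verify and the system fails closed rather than open, which is the safe direction but a common source of "integrity check broke in production" bugs.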

  7. So… What is the Problem?
     • There is no magical security dust
     • Mathematics is perfect, logical, and well-defined, but will only stay that way if perfectly implemented and used
     • Mathematics is hard to implement correctly and harder to test
       • Easy to test functionality (does it do what it is designed to do?)
       • Hard to test security (does it stop what it is not designed to do?)
     • Yogi Berra: “In theory there is no difference between theory and practice. In practice there is.”

  8. More problems!
     • Vendors create code with vulnerabilities
     • Users don’t install firewalls, intrusion detection, or virus detection
     • System administrators don’t patch known holes
     • Users share passwords, use lousy passwords, store them on their computers
     • Plenty of problems everywhere in the chain!
     • Biggest one is the carbon-based system!

  9. Problems – the bottom line
     • Computers/networks are complex systems (the Internet is a system composed of millions of computers connected in a complex structure)
     • Every operating system, network system, and software application has bugs
     • Even if we do it well, we typically only secure the parts, not the whole
     • Security is only as strong as the weakest link!

  10. For example – 7 days in March 2000
     • 5,000 credit card numbers disclosed on the Internet
     • Taiwan reported 7,000 attempts by Chinese to enter Taiwanese security systems
     • Pretty Park e-mail worm released
     • 13 new vulnerabilities reported
     • 65 web sites defaced
     • 2 hackers arrested, 2 sentenced, 1 admitted hacking the RSA security site
     • Plus many more – not an unusual period of time!

  11. Updated – 7 days in November 2001
     • Playboy magazine credit cards stolen (since 1998)
     • Arab sites continue to be defaced, attacked
     • Nimda virus/worm still persists (since 9/18)
     • 4 vulnerabilities reported
     • 1M attacks on port 138 (NetBIOS), 700K on port 80
     • 2 hackers arrested, 1 indicted, 1 trial began, 1 pled guilty

  12. Costs – Virus Infections
     • SirCam – $1.15B
     • Code Red – $2.62B
     • Love Bug – $8.75B
     • Nimda – $2.6B
     • Slammer – $1B
     • Lost productivity – unusable systems/cleanup
     • Bottom Line – The costs are huge!

  13. What Can We Do?
     • Prevent
       • Past focus, especially by auditors
       • Trouble is… impossible to prevent
     • Detect
       • Emerging focus
       • Trouble is… detection is difficult
     • Respond
       • When all else fails
       • Investigate, remediate

  14. What to Do – Extended by DoD
     • Protect – Lock it down up front
     • Detect – Watch for nefarious activity
     • React – When detected, observe in detail
     • Defend – From tracking to cutting off access
     • Reconstitute – Re-build breached system
     • Recover – Restore pre-attack state
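The "Detect – Watch for nefarious activity" step of slides 13 and 14, made concrete: one source sweeping many hosts on a blocked port, the kind of traffic behind the port 138 and port 80 counts on slide 11. This is an added example and not part of the presentation or any DoD material. The firewall log format, the addresses (RFC 5737 documentation ranges) and the timestamps are all constructed; a real firewall writes a different format, so the regular expression is the part a practitioner adapts. The detector keeps only DENY events per source, slides a 60-second window over them, and flags any source whose window holds at least five denies, reporting how many distinct hosts and which ports it touched.

```python
"""Detection step: flag sources that hammer many hosts with blocked connections.

Constructed example for the Protect / Detect / React loop. The log format
and all addresses are made up for this demonstration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: one source sweeping NetBIOS (138) and HTTP (80)
# across six hosts in a few seconds, plus background traffic that must NOT
# be flagged (one allowed HTTPS session, one isolated SSH deny).
SAMPLE_LOG = """\
2001-11-10T03:12:01Z DENY src=203.0.113.5 dst=192.0.2.10 dport=138 proto=udp
2001-11-10T03:12:01Z DENY src=203.0.113.5 dst=192.0.2.11 dport=138 proto=udp
2001-11-10T03:12:02Z DENY src=203.0.113.5 dst=192.0.2.12 dport=138 proto=udp
2001-11-10T03:12:02Z DENY src=203.0.113.5 dst=192.0.2.13 dport=138 proto=udp
2001-11-10T03:12:03Z DENY src=203.0.113.5 dst=192.0.2.14 dport=80 proto=tcp
2001-11-10T03:12:03Z DENY src=203.0.113.5 dst=192.0.2.15 dport=80 proto=tcp
2001-11-10T03:12:04Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2001-11-10T03:12:09Z DENY src=198.51.100.8 dst=192.0.2.10 dport=22 proto=tcp
2001-11-10T03:45:00Z DENY src=203.0.113.5 dst=192.0.2.10 dport=138 proto=udp
"""

# Matches the constructed format above; adapt to the real firewall's syntax.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(log: str) -> list:
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def detect_sweeps(events, window=timedelta(seconds=60), threshold=5) -> dict:
    """Flag each source whose DENY count inside some sliding window of length
    `window` reaches `threshold`. For a flagged source, report the busiest
    window: {src: {"count": n, "hosts": distinct targets, "ports": Counter}}."""
    denies = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "DENY":
            denies[ev["src"]].append(ev)

    findings = {}
    for src, evs in denies.items():
        best = None  # (window start index, deny count)
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window start until the oldest event still fits.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[1]):
                best = (start, n)
        if best is not None:
            hit = evs[best[0]:best[0] + best[1]]
            findings[src] = {
                "count": best[1],
                "hosts": len({e["dst"] for e in hit}),
                "ports": Counter(e["dport"] for e in hit),
            }
    return findings


if __name__ == "__main__":
    for src, info in detect_sweeps(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['count']} denies across {info['hosts']} hosts, "
              f"ports {dict(info['ports'])}")
```

The isolated deny at 03:45:00 from the same source falls outside the window and does not inflate the count, and the single SSH deny from 198.51.100.8 stays below threshold; both are the "detection is difficult" side of slide 13, where the threshold and window are what separate an alert from noise.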

  15. OK…, but how well must we do it?
     • Conventional approach – risk reduction
     • But… risk reduction means reducing the event probability
       • Cannot explicitly identify the adversary or event
       • Adversary skill, resources, and motive are unknown
       • Loss is unknown, may be large or small
       • Positive benefit is the absence of the unknown loss
     • New approach – due care or due diligence, best business practices
     • Reality is BOTH – protection and risk management

  16. No Brainers
     • Don’t share, disclose, or store passwords
     • Turn off unneeded services, disable file sharing
     • Apply patches for known vulnerabilities
     • Regularly scan systems for vulnerabilities
     • Use anti-virus software
     • Don’t open e-mail attachments without questioning the source and potential content
     • Don’t leave laptops unattended on travel

  17. Slightly Brainier
     • Use a firewall – at home a Linksys router will do this very well – or use the XP firewall – or use a freebie like Zone Alarm on older systems
     • Don’t use free peer-to-peer, like KaZaA (music sharing) or Skype (IP telephone) – they come with built-in Trojan Horses
     • Don’t store passwords unencrypted; use something like Password Safe – or store them off-line
     • Backup, Backup, Backup

  18. Summarizing
     • Bad news is:
       • There is no perfect security – no magic bullets
       • Even good security is hard
       • Security will negatively impact productivity
     • Good news:
       • 90% of the problems are avoidable with a little effort
       • Cryptography can help a lot
       • Working on better ways to track down the bad guys
       • Problem is now more widely recognized
