“Cybersecurity Frontiers”

Dr. Daniel “Rags” Ragsdale, Director, Texas A&M Cybersecurity Center

The Texas A&M University System Technology Summit, FEBRUARY 21, 2017, MOODY GARDENS, GALVESTON, TEXAS

The Texas A&M University System Technology Summit FEBRUARY ...schd.ws/hosted_files/techsummit2017/1a/Cybersecurity Frontiers.pdf · The Texas A&M University System Technology Summit

Apr 23, 2018


Bottom Line Up Front (BLUF)

• No greater threat to our national and economic security

• But all is not lost!

• The A&M System is poised to lead


Texas A&M Cybersecurity Center (TAMC2) Vision

• TAMC2 will make outsized contributions to social good by advancing the knowledge and the practice of cybersecurity, and by developing transformational cybersecurity capabilities.

• Texas A&M, in collaboration with strategic partners, will move to the international forefront of cybersecurity research and education.


TAMC2 Mission

• Facilitate the conduct of ground-breaking, basic and applied cybersecurity research

• Develop novel and innovative methods for cybersecurity education, training, and workforce development

• Build mutually beneficial and fruitful partnerships with commercial, governmental, military, and academic partners


NSA/DHS National Center of Academic Excellence

Texas A&M Re-designated in 2016

– One of only 40 universities with two designations

– Active application for CAE in Cyber Operations in 2017


Cybersecurity Center Highlights

• Re-acquired NSA/DHS National Center of Academic Excellence Designations for Cyber Defense Education and Research

• Sponsored Research and Grants

– Acquired ~$950K in Educational Grants and Gifts

• Scholarships for 21 Students

– Proposed and Justified the $250K Cybersecurity Seed Grant Program

– Provided Grant Proposal Support

• Faculty

– Proposed and justified the COE Cybersecurity Faculty Recruiting Initiative

– Formed the Cybersecurity Research Interest Group (RIG) – 50+ Faculty

• Students

– Cybersecurity Undergraduate Minor

– Cybersecurity Club

– Graduate Initiatives


Trends…


Smart “*”? IoT?

http://www.business2community.com/cybersecurity/challenges-securing-internet-things-iot-technology-01456342

http://www.genco.com/insights/wp-content/uploads/2015/02/internet-OT.jpg


Shodan: Discover the Internet…


What we are hearing…

“IoT botnet bogs down college campus network” ~CSO, 2/14/17

5,000 devices, including refrigerators, vending machines, and lights, overwhelmed its network with DNS requests for seafood sites…

“This was a mess. Short of replacing every soda machine and lamp post, I was at a loss for how to remediate the situation.”

Reported in Verizon's 2017 Data Breach Digest


What we are hearing…

“Krebs Calls Out Rutgers University Student As Author Of Mirai DDoS Botnet” ~ The Daily Targum, 1/23/17

Dates back to botnets that were used to attack Minecraft servers

The student was laughing and bragging about how he was going to get a security guy at the school fired, and how they raised school fees because of him

He didn’t really say why he did it, but I think he was just sort of experimenting with how far he could go with these attacks


What we are hearing…

“How to minimize infection from Xagent, the latest malware threat to OS X” ~TechRepublic, 2/20/17

• Don't let your guard down regarding emails and PDF attachments

• Install software only from authorized developers

• Keep macOS and applications up-to-date

• Protect your iOS backups

https://danielsaidi.files.wordpress.com/2011/05/imac.jpg


What we are hearing…

“IoT devices drive DDoS attack traffic in Q4” ~Telcom.asia.net, 2/20/17

• 40% increase in mega attacks (greater than 100 Gbps)

• 58% of mega attacks directly attributed to the Mirai IoT botnet.


What We’re Reading…

“How your DVR was hijacked to help epic cyberattack” ~ USA Today 10/23/16

I am GUESSING that Twitter's DNS is under attack

The massive siege on Dyn caused outages on Amazon, Twitter, Netflix, Etsy

Mirai botnet built “using malware from phishing emails to first infect a computer, then spreads to everything [it can connect to], taking over DVRs, cable set-top boxes, routers, and cameras”


What We’re Reading…

“5 Russian Banks Hit By IoT DDoS Attack” ~ Dark Reading, 11/11/16

“…attackers used a variety of Internet of Things devices like DVRs and webcams to launch the DDoSes…”

“…24,000 hijacked devices located in 30 countries”

“Russian banks floored by withering DDoS attacks” ~ The Register 11/11/15

“If the default [manufacturer's] password had been changed, many of the webcams and CCTV devices that formed the botnet army would not have been successfully hijacked.”


What we are reading…

LastPass, Defender of Our Passwords, Just Got Hacked ~ GIZMODO, 6/16/2016

• “No evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed…”

• Enable two-factor authentication

https://ytimg.googleusercontent.com/vi/_du1R45ErJo/hqdefault.jpg


What we are hearing…

“Report a Grim Reminder of State Of Critical Infrastructure Security” ~ Kaspersky Labs Threat Posts 9/30/2016

The NCCIC/ICS-CERT Annual Vulnerability Coordination Report points out that nagging issues continue to plague industrial control systems (ICS) and SCADA systems, notably:

• Lack of access controls

• Poor software code quality

• [Weak or absent] cryptographic security


What We’re Reading…

How America’s 911 emergency response system can be hacked ~ Washington Post, 9/9/16

• “…effectively disable the 911 emergency system across an entire state for an extended period of time”

• A 911 “TDoS” attack against call centers involving [a botnet of infected] phones

• A simulated cellular network based on the 911 network in North Carolina.


What We’re Reading…

Arizona Teen Arrested For Disrupting iPhone 911 Emergency Service ~ E Hacking News Post, 10/31/16

• “Created a JavaScript exploit, which he shared with his friends on Twitter and other websites…”

• “Users who clicked on it had their iPhones automatically and repeatedly dial 911.”

• Allegedly put the responders and authorities ‘in immediate danger of losing services to their switches’


What We’re Reading…

“Massive Friend Finder Network Breach” ~Tech Target, 11/15/16

Of the more than 400 million Friend Finder Network (FFN) user accounts exposed,

- 125.6 million had passwords stored in plain text and

- 282 million passwords stored using the obsolete SHA-1 algorithm

http://fortune.com/2016/05/18/linkedin-data-breach-email-password/


The 25 Most Popular Passwords:

1. 123456

2. password

3. 12345

4. 12345678

5. qwerty

6. 123456789

7. 1234

8. baseball

9. dragon

10. football

11. 1234567

12. monkey

13. letmein

14. abc123

15. 111111

16. mustang

17. access

18. shadow

19. master

20. michael

21. superman

22. 696969

23. 123123

24. batman

25. trustno1

http://gizmodo.com/the-25-most-popular-passwords-of-2014-were-all-doomed-1680596951

We're All Doomed!


What We’re Reading…

Crypto-ransomware Attacks Rise 5-fold to Hit 718K Users in One Year ~ Kaspersky Lab, June 23, 2016

“…one of the most dangerous types of malware ever created”

This ransomware is now one of the three most common malware threats ~ZDNet 10/20/16

“The total cost of damages related to these attacks is set to top $1 billion this year”


Most Commonly Used Vectors to Gain Access

• Spear Phishing

– Email that appears to be from someone you know

– Often highly personalized

• Watering Hole Attacks

– Attacker guesses or observes websites a group often uses and infects one or more of them with malware

• Less common: Pharming, XSS, SQL Injection, CSRF


How did we get here?

• Willie Sutton - Arms Race

• Market Forces

– Demand for new features/functionality

– Time to Market (TTM)

• Ever-increasing

– Complexity

– Interconnectivity

• The “Unholy Alliances”

• Research and Educational Practices


So, is there hope?


Cyber R&D and Industry Practices

• Mitigations

– ASLR, DEP, Stack Cookies, Heap Protections, etc.

• Secure Coding and Design

– Microsoft Security Development Lifecycle

• Bug Bounties / Cyber Competitions

• IoC Sharing

• DARPA Cyber Grand Challenge

• Policy

• More informed workforce


But what can “responsible” citizens do?


Suffer

• Accept Inconvenience

– Most restrictive security settings

• Browsers

• Java

• JavaScript?

• Routers

• IoT devices

– No default passwords!


Use 2-Factor Authentication (2FA)

• A type of multi-factor authentication

– Know

– Have

– Are

• What do we all have?


Use Password Managers

• Password Guidelines

– Change passwords frequently

– Don’t share passwords

– Use “hard to guess,” i.e., hard to remember passwords

– Use unique passwords for every site

– Never save passwords locally

• Therefore: USE A PASSWORD MANAGER

• Typically installs as a browser plug-in to “handle capture and replay” of passwords

• Syncs passwords across multiple devices

• Often includes a built-in “hard password” generator

http://www.techiewhizkid.com/wp-content/uploads/2016/02/password-manager-windows-top.png


Other Best Practices

• Use “modern” operating systems

• Keep all software up-to-date

– Opt in to automatic updates

• Never click email links

– Or, better yet, “disable” all email links

• Beware all attachments

• No thumb drives

• Don’t blindly click through warnings

– Certs

– App permissions

• Demand better!


Additional Recommendations

• Encrypt and store sensitive data (and backups) in the cloud and/or on removable drives

• Use one mail address only for sensitive transactions - never posted anywhere else

• Use one credit card for online “card not present” transactions


Surviving on a Diet of Poisoned Fruit: Report Recommendations

• Articulate a national security standard defining what it is imperative to protect in cyberspace

• Pursue a strategy that self-consciously sacrifices some cyber benefits in order to ensure greater security for key systems on which security depends

• Establish a federally funded research and development center focused on providing an elite cyber workforce for the federal government



• Demos

– SQL Injection

– Cross Site Scripting

– Sticky Keys (password reset)

– Password collector

– Kon-boot (Windows password bypass)


Bottom Line

• No greater threat to our national and economic security

• But all is not lost!

• The A&M System is poised to lead


Questions / Discussion