Cyber Security: Current Trends, Challenges

1
Cyber SecurityCurrent Trends, Challenges
Solutions

• Rajeev Shorey (Ph.D)
• Fellow Indian National Academy of Engineering
• Fellow IETE
• Founding President Advisor
• NIIT University, India
• Formerly GM IBM Research
• www.niituniversity.in
• RACS, Bangalore
• 6 June 2013

2
Structure of the Talk

• Cyber Security
• Interesting Statistics
• ICT Cyber Security Scenario in India
• Challenges in Cyber Security
• Growth of Smart Services
• Smart Cars on Roads
• Vehicular Networks
• Emerging Paradigms in an ever Pervasive World
• Trends in Cyber Security
• Key Recommendations Conclusion

3
News this Morning !

• Hacking into the Indian Education System
• Indian student in Cornell University Debarghya
  Das hacks into ICSE, ISC database

4
Cyber Security

• Cyber Security is the body of technologies,
  processes and practices designed to protect
  networks, computers, programs and data from
  attack, damage or unauthorized access

5
Elements of Cyber Security

• Ensuring Cyber Security requires coordinated
  efforts throughout an information system
• Application security
• Information security
• Network security
• Disaster recovery / business continuity planning
• End-user education

6
Aspects of Cyber Security

• Research Development
• Security Policy, Compliance Assurance
• Enabling Legal Framework
• Security Incidents Early Warning Response
• Security Training
• Cooperation at the National Level
• International Cooperation

7
ICT Cyber Security Scenario in India
8
Interesting Statistics

• Internet Users in India
• 150 million
• 3rd largest Internet population after China US
• Mobile Phones in India
• Greater than 950 million
• Close to 50 million (6 of these mobile
  subscribers) access Internet via mobile handsets
• Ref http//techcircle.vccircle.com/2013/02/01/201
  3-india-internet-outlook/

9
Interesting Statistics

• Broadband Internet Users
• Current 20 Million users
• Target 600 Million by 2020
• Over 1 million websites operational under the
  .in domain

10
Critical Information Infrastructure of India

• 150 Internet and Telecom Service Providers
  offering the Internet, Mobile and Wireless
  connectivity to the large user base

11
Recent Alarming Reports

• India topped the list for malware source and
  destination !

12
Security Related Statistics

• India accounted for nearly 15 of the total
  malware email sightings in December12
• Russia 14
• Vietnam 5
• USA
• Ten times the computers that India has
• Accounted for only 3.8
• China
• 3

13
Transfer of botnet networks to India

• India emerged as the top generator of harmful
  emails
• Accounting for 10 of the total spam created in
  December12 the world over
• In comparison, India has just 2 of the total PCs
  in the world !

14
Cyber Security Incidents Reported to CERT-In
2004 - 2011
15
Broad Categories of Attacks Handled by CERT-in

• Identity theft-Spoofing, Phishing
• Malicious Code-Virus, Trojans, Root Kits, Bots
• Spam Open Proxy Servers
• Defacement of websites
• Malware Propagation through compromised websites
• Network Scanning/Probing
• DoS attacks
• Exploitation of H/W and S/W vulnerabilities
• Social Engineering
• Spyware and Adware
• Emerging threats RFID threats, VoIP threats,
  Embedded OS vulnerabilities

16
Challenges in Cyber Security
17
Next Generation of Real Time Control,
Communication and Computation
Communication
Computation
Internet
Added Dimension
Control
Sensors and Actuators
RFID Technology
18
Challenges in Cyber Security

• Fast and constantly evolving nature of security
  risks
• Ever evolving standards, technologies, services,
  applications
• Increasing complexity of systems
• Cyber Physical Systems (CPS)
• M2M
• Power Grids
• Automotive
• Aerospace,

19
Mobile Wireless Everywhere Heterogeneous
SystemsDistributed Complex SoftwareMultiple
InterfacesBring Your Own Devices (BYOD) Trend
20
Mobile Wireless Everywhere Heterogeneous
SystemsDistributed Complex SoftwareMultiple
Interfaces
SECURITY IS A HUGE CHALLENGE !
21
Why is Security a Challenge?

• Vulnerabilities
• Increasing number of sub-systems
• Increasing number of interfaces
• Huge Complex code
• Challenging to realize Symmetric Key Cryptography
  or Asymmetric Key Cryptography in an all
  pervasive/wireless setting
• M2M
• VANET

22
Mobile Applications Interfaces

• Mobile-centric applications and interfaces are
  one of the top strategic technology trends that
  enterprises have begin addressing
• Personal Cloud

23
Contextual Social Experience

• Context-aware computing is creating new user
  experiences and shaping their ecosystems
• Social media is providing key ingredients
  enabling context vendors to support these
  experiences

24
The Advent of Mobile Cloud Computing
25
The Internet of Things (IoT or M2M)

• Sensors, Appliances and Vehicles are joining the
  Internet
• Powerful concept
• You take a device that can be monitored and or
  controlled in the physical world and connect it
  to the 'Net such that it has a virtual
  doppelganger online
• This not only allows for things in the real world
  to be controlled by computers, it also allows for
  optimization of how, where, and when they are
  used

26

• The rise of the Internet of Things will be aided
  by the low cost of components
• Examples
• Electric Meters
• Household devices
• Monitoring Metering Devices

27
Internet of Things
IoT
28
The Growth of Smart ServicesSmart Cars
on Roads
29
Electronics, Controls Software
30
Electronics, Controls Software in Automotive
Sector

• Increasing role of Electronics and Software in
  the automotive sector
• From 15 in 1990s to 37 in the current decade,
  an exponential increase of 146
• Automotive electronics and control systems
• Key properties
• High-integrity
• Real-time
• Distributed
• Hybrid systems
• High end cars have more than 100 Million lines of
  code !

31
Progressive Auto Insurance
32
Snapshot Usage Based Insurance Program

• How Snapshot Works?
• The better we drive, the more we save with
  Snapshot
• The Snapshot device plugs easily into our car's
  diagnostic port and automatically keeps track of
  our good driving
• how often do we slam on the brakes?
• how many miles we drive?
• how often do we drive between midnight and 4 a.m.?

33
(No Transcript)
34
The OnStar System
Enterprise
Telematics Platform
Backend
OnStar Channel
Cellular Communication
35
OnStar Services

• Emergency
• Navigation
• Diagnostics
• Security
• Connections

36
Smart Cars on RoadsThe Growth of Vehicular
Networks
37
Driverless Car by Google
38
Smart Cars
39
Vehicular Networks Vehicle Safety Scenarios
40
Security Threats in Vehicular Systems
Figure Source http//ivc.epfl.ch/
41
Example Security Attributes for V2X Safety
Applications

• Message Integrity and Entity Authentication
• Message has been transmitted by a genuine
  vehicle, and has not been tampered with in
  transit
• Non-repudiation
• The receiver of a message is able to prove
  afterwards that the sender in fact did transmit
  this message.
• Privacy Multiple notions of privacy
• Anonymity Not possible to determine the identity
  of the vehicle from a message transmitted by the
  vehicle.
• Unlinkability Not possible to deduce that
  multiple transmissions were from the same
  vehicle.
• Correctness based on non-cryptographic techniques
• For detecting compromised/malfunctioning units

Design Objective Satisfy above attributes
without affecting performance of V2X Safety Apps
42
Securing Vehicular Communications
43
SECURITY ENGINEERING
Communications (Non Secure)
Rx
DSRC Radio
WME
V2V Plain msg
Tx
CM
V2V Plain msg
V2V Plain msg
CM
Data Plane
Management Plane
Safety Apps
General Apps
Other Apps
Communications (Secure)
IEEE 1609.2
UDP
WSMLME
Rx
IPLME
WSMP IEEE 1609.3
IP
DSRC Radio
WME
WME
V2V secure msg
Tx
LLC (IEEE 802.2)
LLCME
SCM
MAC (IEEE 1609.4)
MLME
V2V Secure msg
SCM
PHY (IEEE 802.11p)
V2V Plain msg
PLME
WAVE Wireless Access in Vehicular Environments
44
Research Challenges

• Emergence of Lightweight Protocols
• Lightweight Broadcast Authentication
• Lightweight Anonymity and Privacy
• Need for Performance Modeling and Analysis with
  Security

45
System with Signing and Verification
Application Layer
Application Layer
Security Layer
Security Layer
Crypto Server
Crypto Server
MAC Layer
MAC Layer
Wireless Medium

• tp Inter-arrival time between periodic
  broadcasts
• Pc Probability of collision in the wireless
  medium
• n total number of vehicles in the cell
• 1/ts service rate of the crypto server

46
Emerging Paradigms in Pervasive/Wireless Systems
47
A New WorldAll Pervasive World !
48
Pervasive Devices for Challenged People
Haptic Belt
Electric Wheel Chair Controlled by Eye Movements
49
Pervasive Healthcare
50
Mobile/Wireless Networks End-to-End Picture
IP Based Backbone
4G/LTE Base Station
GPRS/EDGE
Router
Body Area Networks
Cellular Network (Voice/Data/Video)
Relay Nodes
WLAN Access Point
Sink Node
Multihop Wireless Ad Hoc Network
RFID Reader
Cyber Physical Systems
51
Complex End-to-End Systems
Satellite Networks
Transportation Networks
52
Emerging Services Applications

• Intelligent Transportation Systems
• Healthcare
• Industrial Automation
• e Governance
• ...

53
Trends in Cybersecurity
54
Top Security Predictions

• Bring Your Own Device (BYOD) is here to stay !
• Mobile Adware (Madware) adds to the intensity
• Malware mutation and education
• Monetization of Social Networks introduces new
  dangers

55
Top Security Predictions

• Enterprise Mobility
• Mobile Enterprise
• Ransomware is the new scareware
• Cyber conflict becomes the norm

56
Security Big Data

• Need to practice Big Security with Big Data !

57
Mobile Analytics
Understanding the mobile sites, apps and ads and
how they drive business is becoming more
important every day
58
Next Gen Analytics for Security

• Advanced Analytics
• Predictive
• Collaborative
• Pervasive
• Organizations that deliver next generation
  advanced analytics will realize significant value
  in terms of innovation, productivity and growth

59
Mobile Crowdsourcing

• Jobs offered by this service are small bits of
  larger jobs which have been divided into many
  small parts and offered to many people
• Using crowdsourcing to get the job done

60
Security Predictions

• As users shift to mobile and cloud, so will the
  attackers
• Rapid rise of Android Malware !
• Emergence of new cloud-based services
• Dropbox

61
Mobile Malware
62
Threat Families and Variants by Platforms
Android Accounted For 79 Of All Mobile Malware
In 2012
Source http//techcrunch.com/2013/03/07/f-secure-
android-accounted-for-79-of-all-mobile-malware-in-
2012-96-in-q4-alone/
63
(No Transcript)
64
Mobile Threats by Type
65
ConclusionKey Recommendations
66
Challenges

• Major Security Challenges in the ever changing
  Seamless/Pervasive/Mobile/Wireless World !
• Cyber-Physical Systems will play an increasing
  role in all aspects of our life
• Increasing deployment of Server farms and Data
  Centres

67
Challenges

• Dire need for Security Engineering
• Need to improve our skills in Cyber Security
  round the clock
• Will give rise to a new generation of Learners
• Need for strong encryption protocols for any and
  all information stored online
• Data Anywhere, Anytime would require Security
  Anywhere, Anytime
• Dynamic policies and solutions would be the Key

68

• Managing increasingly complex systems will be a
  nightmare
• Nuclear Plants, Power Grids, CPS,

69
Thank YouWishing you Cybersecure Times Ahead
!

• rajeevshorey_at_gmail.com

70
Backup Slides
71
RD in Cyber Security

• Cryptography
• Cryptanalysis
• Steganography
• Network Monitoring
• Cyber Forensics
• Capacity development in the area of Cyber Security

72
Select Institutions in India Active in Cyber
Security Research

• IISc, Bangalore
• IIT Delhi
• IIT Kharagpur
• ISI Kolkata
• Defence Research Development Organization
  (DRDO)
• Private Organizations AirTight Networks,

73
CERT-In Statistics

• Year 2012
• Over 17,400 incidents have been handled
• 23,832 websites defacements have been tracked
• Frequent mock drills with key information
  infrastructure organizations
• CERT-In and US-CERT have jointly conducted a
  Cyber Security exercise in September 2012

74
The Role of CERT-in

• Indian Computer Emergency Response Team
• CERT-In is tracking the cyber security incidents
  in the country
• Provides proactive advice and timely response for
  mitigation of cyber security incidents

75
Cyber Security Training

• Training centres have been set up at CBI academy
  in several cities in India
• 21 Workshops have been conducted on specialized
  Cyber Security topics during 2012
• Over 740 people have been trained
• Cyber Appellate Tribunal (CAT)
• http//catindia.gov.in/Default.aspx

76
http//www.cert-in.org.in/
77
IDSA Task Force ReportInstitute for Defence
Studies Analysis
78
Key Recommendations

• Need to place special emphasis on building
  adequate technical capabilities in the following
• Cryptology
• Digital signatures
• Testing for malware in embedded systems
• Operating systems
• Fabrication of specialized chips for defence and
  intelligence functions
• Search engines
• Artificial intelligence
• Routers
• SCADA systems, etc

79
Recommendations

• Cyber security should be mandatory in CS/ECE
  curriculum and even separate programmes on cyber
  security should be contemplated
• Emphasis should be placed on developing and
  implementing standards and best practices in
  government functioning as well as in the private
  sector

80
Recommendations

• The impact of the emergence of new social
  networking media, and convergence of technologies
  on society including business, economy, national
  security should be studied with the help of
  relevant experts
• Include political scientists, sociologists,
  anthropologists, psychologists, and law
  enforcement experts
• Need for a strong International Cooperation

81
Recommendations

• Examine the impact of cloud computing and
  wireless technologies and formulate appropriate
  policies
• Make it a mandatory requirement for all
  government organizations and private enterprises
  to have a designated Chief Information
  Security Officer (CISO)
• Responsible for cyber security

82
References

• http//www.cert-in.org.in/

83
Networks in Space
84
(No Transcript)
85
Challenges

• Local regulations
• Data privacy restrictions

86
(No Transcript)
87
The Future is Mobile !

• 2008
• Tablets and Mobile PCs 0.04 bn
• Smartphones 0.2 bn
• 2017
• Tablets and Mobile PCs 0.7 bn
• Smartphones 3.1 bn
• Mobile Broadband Subscriptions
• 2008
• 0.1 bn
• 2017
• 5.0 bn

88
Reference SolutionPublic Key Infrastructure
(PKI)
CA
Message payload (m)
Node
Node
Digital signature on m
Digital certificate
Node
Node
Message Structure
PKI High-level Architecture

• How PKI enables nodes to talk to one another
• Asymmetric Key Cryptography A message is signed
  using the Private key of the sender and verified
  using the Public key of the sender.
• Certificate A message signed by a trusted entity
  called the Certificate Authority (CA) that binds
  a principal and its public key
• How PKI evicts compromised/malfunctioning nodes
  from system
• Certificate Revocation List (CRL) A message
  signed by the CA that lists all the revoked
  principals
• Freshness Certificate A message signed by the CA
  that a certificate is valid as of the time of
  signing (proposed alternative mechanism)