Motivation: recognizing the magnitude of the problem.
Anton Dahbura, Director of the Information Security Institute at the Johns Hopkins University's Whiting School of Engineering, set the day's agenda with a rehearsal of some recent incidents and developments, what he called his "Unlucky Top 13" list.
The Unlucky Top 13 of cyber threats and vulnerabilities.
A way of bringing out the nature of the threats we face in cyberspace by reviewing recent misfortunes, his list ran, in avowedly Lettermanesque reverse order, as follows:
13. The announcement in March of the Apache Struts bug's discovery.
12. Scams and thefts plague new cryptocurrencies.
11. Kaspersky security software is booted from US Government systems.
10. Discovery of Apple's questionable use of "differential privacy."
9. Apple's iPhone X with FaceID (researchers will test its robustness).
8. The US Navy investigated possible cyber causes of the USS McCain collision—nothing found, but it's interesting to see that cyber forensics are now a routine part of major accident investigations.
7. Ultrasonic hijacking of Siri and Alexa devices was demonstrated.
6. BlueBorne, a Bluetooth vulnerability, is discovered.
5. New flaws were found in DLink routers.
4. ExpensiveWall Android malware charges users for fake in-app purchases (without their knowledge).
3. Bugs are found in German voting software.
2. Symantec finds that hackers have gained direct access to at least twenty power companies.
1. And, of course. Equifax was breached.
We see, still, Social Security Numbers used as passwords, and that, Dahbura said, is "just awful." A combination of technical and policy solutions are necessary for identification. And he called for the credit card industry to complete EMV (Europay, Mastercard, and Visa, the relatively new chipped card standard) and to secure both online and telephone transactions.
The central lesson he drew from these observations, and which he commended to the conference, is that we need a serious national conversation about a national identity system.
The cyber risk landscape as seen from the perspective of the healthcare sector.
Stephanie Reel (CIO, the Johns Hopkins University Health Systems) brought the perspective of a healthcare organization (and a "hybrid organziation") to the discussion. She claimed that healthcare has surpassed financial services as the most-targeted sector. In some ways the sector's modernization has increased its vulnerabilities. Unification and aggregation of data have exposed the sector to "unintentional negligence among the players." That unification is striking: about 60% of patient data in the United States is currently held by a single vendor.
With greater risk has come more spending on security, and Reel pointed out that this is not only a direct expense, but it imposes opportunity costs as well. "Money spent on security is not being spent to cure disease," she said, nor is it being used to improve public health. But the reality of the threat requires that security be addressed. Ransomware has been a particular problem for healthcare, Reel said as she reviewed their own experience with the Medstar incident of 2016. Medical care and patient safety require that digitized records and networked devices have high availability, and it's that availability that ransomware attacks. Direct manipulation of medical devices themselves ("still sort of science fiction; we haven't seen it at Johns Hopkins") also remains a very real threat, although not yet a common one.
Reel seconded Dahbura's call for a national conversation about an identification system, and, although she feared that people were too ready to concede defeat on identity management, still closed on a hopeful note. She thought the tensions a hybrid organization like hers faces among the competing claims of security, operations, healthcare, research, and education could ultimately be resolved.
The Internet-of-things and its burgeoning contribution to attack surfaces.
Kevin Komegay, IoT Security Chaired Professor at Morgan State University's Center for Reverse Engineering and Assured Microelectronics, described the Internet-of-things (IoT) in the course of demonstrating how expansive this family of technologies has made attack surfaces.
IoT devices, he said, fundamentally do three things: they sense (that is, they interact with their environment), they process data, and they transmit data across networks. The vulnerabilities they bring with them are typically unintended channels for monitoring or interacting with a device. These side channels may be either passive or active.
The IoT has become pervasive, practically impossible for any enterprise to escape. Its very pervasiveness makes it difficult to manage, difficult to keep track off, sometimes even difficult to recognize as part of your enterprise.