Reiber-How to build resilience to cyberattacks中国第八届云计算大会

HowtobuildresiliencetocyberattacksJonathanReiberSeniorFellowUCBerkeleyCenterforLong-termCybersecurityHighconsequencerisksLION4.谢永江-网络漏洞的法律属性SonyPicturesEntertainment...Pervasivedestructiveattacks...Pervasivedestructiveattacks...or...culturesofcybersecurityandresiliencethattakerootStakeholdersTechnologyisnotthecenterofthestory……thatisusFourrecommendations•EveryorganizationneedsacyberstrategyFourrecommendations•Everyorganizationneedsacyberstrategy•GetthebasicsrightFourrecommendations•Everyorganizationneedsacyberstrategy•Getthebasicsright•Governmentandprivatesectortogether1.TheSharingofCyberThreatIndicatorsandDefensiveMeasuresbytheFederalGovernmentUnderCybersecurityInformationSharingActofSomeorganizationshavesecurityclearances;somedon’tesshareinformationaboutthreatsandbestpracticesiveMeasuresCybersecurityInformationSharingActnfederalentitiestoreportAutomatedIndicatorSharingAISsystemDHSwSAOsandISACssRelatedtotheReceiptofCyberThreatIndicatorsandDefensivealGovernmentormationsharingtheinformationnsthatarisefromviolationsoftherequirementswhichinclude“remedialtraining;lossofaccesstoinformation;lossofasecurityclearance;andterminationofemployment”4.ThePrivacyandCivilLibertiesFinalGuidelines:CybersecurityInformationSharingActof•ProtectingprivacyandcivillibertiesinCISA-compliantsharingofCTIsandDMssNotesthatDMsshouldincludenoinfothatcanidentifyspecificindividualsGuidanceonwhatinfonoticesthatdealwithnoncyberthreatindicatorsshouldunderwhichinformationaboutCTIsandDMsHowdoInternetandprivatecompaniesenterprisessharecyberthreatindicatorsanddefensivemeasureswithgovernment?•Adhoc:betweencompaniesandgovviesthattrusteachother•AutomatedIndicatorSharing(AIS),throughDHS•Standardizedfieldsforinputofrelevantinfo•Infoonlysharesonceanalyzed•DHSalsoprovidesanonlineformthatbusinessescanfillout•EmailtoNationalCybersecurityandCommunicationsIntegrationCenter(NCCIC)withinformationaboutCTIsandDMs.•InformationSharingandAnalysisCenters(ISACs)andInformationSharingandAnalysisOrganizations(ISAOs)whocommunicatewiththefederalgovernmentontheirbehalf•ISAOsandISACs•ISACs:fundedandoperatedbyprivateenterprises•Connectedtocriticalinfrastructuresectors(ITISAC,healthISAC)•ISAOs:shareinfoamongsmallbusiness,consulting,accounting,legalfirms•Internetcompanies:encouragedtojoinISAOsthroughworkshopsandpublicmeetingsthatareheldaroundthecountry.•Publicforums:expertsshareinformation•WhiteHouseCybersecurityCommission;Congress•CyberinformationSharingandCollaborationProgram•CompaniesgainaccesstoNCCICflooratDHS;classifiedclearances•DHS’sEnhancedCybersecurityServices(ECS)sharesinfowithcommercialISPs;opentoallpublicandprivateentitiesintheUnitedStates.•InfoandcollaborationwithUS-CERT•EnduringSecurityFramework•Adhocinformationsharingandcollaboration:vital!Trust!Penetrationtesting•Penetrationtestingroles•Alsoknownas“red-teaming”or“tigerteaming”•Purpose:emulate&breakintonetstofindvulnerabilities•Keydifferencebetweenattacker/pen-tester:permission•Haveauditorprotectedbylegalcounsel•Contractsshouldprotect;bespecific•Diversewaysofmanagingpentesters:•Internal;externalfirms;bugbounties•Governance:CertifiedPenetrationTester(CPT).•Certifications:CISSP;CEH.•WassanaarAgreements:legalregimescouldimposelimitsonondual-useexportcontrolstodobasicmonitoring•NeedtobecarefulabouthowwecontrolpentestingFourrecommendations•Everyo