Cyber Legislation is upon us...but are we ready?
Transcript of Cyber Legislation is upon us...but are we ready?
![Page 1: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/1.jpg)
#RSAC
SESSION ID: FRM-R03
CyberLegislation Is Upon Us… But Are We Ready?
Joshua Corman
CTO, Sonatype; Founder, I Am The Cavalry
@joshcorman @iamthecavalry
![Page 2: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/2.jpg)
“It’s not enough to do your best; you must know what to do, and then do your best” (W. Edwards Deming)
![Page 3: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/3.jpg)
![Page 4: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/4.jpg)
![Page 5: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/5.jpg)
~ Marc Andreessen, 2011
![Page 6: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/6.jpg)
![Page 7: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/7.jpg)
Trade-offs: Costs & Benefits
![Page 8: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/8.jpg)
Industrial Evolution
![Page 9: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/9.jpg)
THE REAL IMPLICATIONS OF HEARTBLEED
![Page 10: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/10.jpg)
BEYOND HEARTBLEED: OPENSSL IN 2014 (31 IN NIST’S NVD THRU DECEMBER)

| CVE | Published | CVSS v2 Severity | Note |
|---|---|---|---|
| CVE-2014-3470 | 6/5/2014 | 4.3 MEDIUM | Siemens * |
| CVE-2014-0224 | 6/5/2014 | 6.8 MEDIUM | Siemens * |
| CVE-2014-0221 | 6/5/2014 | 4.3 MEDIUM | |
| CVE-2014-0195 | 6/5/2014 | 6.8 MEDIUM | |
| CVE-2014-0198 | 5/6/2014 | 4.3 MEDIUM | Siemens * |
| CVE-2013-7373 | 4/29/2014 | 7.5 HIGH | |
| CVE-2014-2734 | 4/24/2014 | 5.8 MEDIUM | ** DISPUTED ** |
| CVE-2014-0139 | 4/15/2014 | 5.8 MEDIUM | |
| CVE-2010-5298 | 4/14/2014 | 4.0 MEDIUM | |
| CVE-2014-0160 | 4/7/2014 | 5.0 MEDIUM | Heartbleed |
| CVE-2014-0076 | 3/25/2014 | 4.3 MEDIUM | |
| CVE-2014-0016 | 3/24/2014 | 4.3 MEDIUM | |
| CVE-2014-0017 | 3/14/2014 | 1.9 LOW | |
| CVE-2014-2234 | 3/5/2014 | 6.4 MEDIUM | |
| CVE-2013-7295 | 1/17/2014 | 4.0 MEDIUM | |
| CVE-2013-4353 | 1/8/2014 | 4.3 MEDIUM | |
| CVE-2013-6450 | 1/1/2014 | 5.8 MEDIUM | |
| … | | | |

As of today, internet scans by masscan reveal that 300,000 of the original 600,000 Heartbleed-exposed hosts remain unpatched or unpatchable.
![Page 11: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/11.jpg)
Heartbleed + (Unpatchable) Internet of Things == ___ ?
In Our Bodies. In Our Homes. In Our Infrastructure. In Our Cars.
![Page 12: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/12.jpg)
Sarcasm: I’m shocked!
![Page 13: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/13.jpg)
![Page 14: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/14.jpg)
The Rugged Manifesto

I am rugged... and more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
![Page 15: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/15.jpg)
The Rugged Manifesto (continued; same text as the previous slide)
![Page 16: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/16.jpg)
![Page 17: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/17.jpg)
MOST IMPACT: DEFENSIBLE INFRASTRUCTURE

Defensible Infrastructure: the software & hardware we build, buy, and deploy. Only ~10% of it is written in-house; ~90% of software is assembled from 3rd-party & open source components.
Operational Excellence
Situational Awareness
Counter-measures
![Page 18: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/18.jpg)
Defensible Infrastructure
Operational Excellence
Situational Awareness
Counter-measures
![Page 19: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/19.jpg)
Defensible Infrastructure
Operational Excellence
Situational Awareness
Counter-measures
(The slide tags three of these layers with “DevOps”.)
![Page 20: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/20.jpg)
I Am The Cavalry

The Cavalry isn’t coming… It falls to us.

Problem Statement: Our society is adopting connected technology faster than we are able to secure it.

Mission Statement: To ensure connected technologies with the potential to impact public safety and human life are worthy of our trust.

Collecting existing research, researchers, and resources. Connecting researchers with each other, industry, media, policy, and legal. Collaborating across a broad range of backgrounds, interests, and skillsets. Catalyzing positive action sooner than it would have happened on its own.

Why: Trust, public safety, human life. How: Education, outreach, research. Who: Infosec research community; a global, grass-roots initiative. What: Long-term vision for cyber safety.

Focus areas: Medical, Automotive, Connected Home, Public Infrastructure.
![Page 21: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/21.jpg)
5-Star Framework: Addressing Automotive Cyber Systems

5-Star Capabilities:
« Safety by Design: Anticipate failure and plan mitigation
« Third-Party Collaboration: Engage willing allies
« Evidence Capture: Observe and learn from failure
« Security Updates: Respond quickly to issues discovered
« Segmentation & Isolation: Prevent cascading failure

Connections and Ongoing Collaborations: Automotive Engineers, Security Researchers, Policy Makers, Insurance Analysts, Accident Investigators, Standards Organizations

https://www.iamthecavalry.org/auto/5star/
![Page 22: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/22.jpg)
SW Status Quo: Most attacked; least spend

Security spending versus attack risk (Source: normalized COBIT spending categories across IDC, Gartner, The 451 Group; groupings vary):
- Network Security ~$20B
- Host Security ~$10B
- Data Security ~$5B
- People Security ~$4B
- Software Security ~$0.5B

Worse, within software, the existing dollars go to scanning the <=10% of code that is written in-house; the assembled 3rd-party & open source components (~90% of most applications) get almost no spending.
![Page 23: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/23.jpg)
Insanity
![Page 24: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/24.jpg)
Open source usage is EXPLODING. Yesterday’s source code is now replaced with OPEN SOURCE components.

(Chart: annual component requests to the (Maven) Central Repository, 2007 through 2014, rising from roughly 500M to 17B per year. Source: Sonatype, Inc. analysis of Central Repository component requests.)
![Page 25: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/25.jpg)
Now that software is ASSEMBLED… our shared value becomes our shared attack surface.
THINK LIKE AN ATTACKER
![Page 26: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/26.jpg)
ONE EASY TARGET: One risky component now affects thousands of victims.
THINK LIKE AN ATTACKER
![Page 27: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/27.jpg)
STRUTS (affected parties shown on the slide): Global Bank; Software Provider; Software Provider’s Customer; State University; Three-Letter Agency; Large Financial Exchange; Hundreds of Other Sites
![Page 28: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/28.jpg)
With many eyeballs, all bugs are SHALLOW? Struts

(Chart: Struts CVEs plotted by year, 2005 through 2014, against CVSS score 1.0 to 10.0; some bugs were latent 7 to 11 years before disclosure.)
CVEs shown: CVE-2005-3745, CVE-2006-1546, CVE-2006-1547, CVE-2006-1548, CVE-2007-6726, CVE-2008-2025, CVE-2008-6504, CVE-2008-6505, CVE-2008-6682, CVE-2010-1870, CVE-2011-1772, CVE-2011-2087, CVE-2011-2088, CVE-2011-5057, CVE-2012-0391, CVE-2012-0392, CVE-2012-0393, CVE-2012-0394, CVE-2012-0838, CVE-2012-1006, CVE-2012-1007, CVE-2012-4386, CVE-2012-4387, CVE-2013-1965, CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-2248, CVE-2013-2251, CVE-2013-4310, CVE-2013-4316, CVE-2013-6348, CVE-2014-0094
![Page 29: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/29.jpg)
BOUNCY CASTLE

In 2013, 4,000 organizations downloaded a version of Bouncy Castle with a level 10 vulnerability 20,000 TIMES … into XXX,XXX applications … SEVEN YEARS after the vulnerability was fixed.

NATIONAL CYBER AWARENESS SYSTEM, Original Notification Date: 03/30/2009. CVE-2007-6721, Bouncy Castle Java Cryptography API. CVSS v2 Base Score: 10.0 HIGH; Impact Subscore: 10.0; Exploitability Subscore: 10.0.
![Page 30: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/30.jpg)
HTTPCLIENT 3.X

In December 2013, 6,916 DIFFERENT organizations downloaded a version of HttpClient with broken SSL validation (CVE-2012-5783) 66,824 TIMES … more than ONE YEAR AFTER THE ALERT.

NATIONAL CYBER AWARENESS SYSTEM, Original Release Date: 11/04/2012. CVE-2012-5783, Apache Commons HttpClient 3.x. CVSS v2 Base Score: 5.8 MEDIUM; Impact Subscore: 4.9; Exploitability Subscore: 8.6.
![Page 31: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/31.jpg)
Current approaches AREN’T WORKING: TAKE COSTS OUT OF YOUR SUPPLY CHAIN

Pipeline stages: Component Selection → Development → Build and Deploy → Production

- 228K unique components downloaded per company
- 75% lack meaningful controls over components in apps
- X average number of suppliers per company
- 48 different versions of the same component downloaded
![Page 32: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/32.jpg)
IS IT TIME FOR A SOFTWARE SUPPLY CHAIN?
![Page 33: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/33.jpg)
![Page 34: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/34.jpg)
H.R. 5793 “CYBER SUPPLY CHAIN MANAGEMENT AND TRANSPARENCY ACT OF 2014”

Elegant Procurement Trio
1) Ingredients: Anything sold to $PROCURING_ENTITY must provide a Bill of Materials of 3rd-party and open source components (along with their versions).
2) Hygiene & Avoidable Risk: …and cannot use known vulnerable components for which a less vulnerable component is available (without a written and compelling justification accepted by $PROCURING_ENTITY).
3) Remediation: …and must be patchable/updateable, as new vulnerabilities will inevitably be revealed.
![Page 35: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/35.jpg)
PROCUREMENT TRIO + BOUNCY CASTLE

(Revisits the CVE-2007-6721 figures from slide 29: in 2013, 4,000 organizations downloaded the CVSS 10.0 Bouncy Castle version 20,000 times, seven years after the fix. Under the trio, the bill of materials would have exposed it, and the known-vulnerable component would have been rejected because a fixed version was available.)
![Page 36: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/36.jpg)
TRUE COSTS & LEAST COST AVOIDERS: DOWNSTREAM

(Diagram: a single supplier, ACME, feeds downstream customers across Enterprise, Bank, Retail, Manufacturing, BioPharma, Education, and High Tech, repeated across multiple tiers.)
![Page 37: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/37.jpg)
COMMERCIAL RESPONSES TO OPENSSL (4/23/15)

Product Vulnerability Disclosures Following the HeartBleed Announcement (circle size indicates CVSS severity score)
X axis: time in days following the initial HeartBleed disclosure and patch availability (0 to 120). Y axis: number of products included in the vendor vulnerability disclosure (0 to 120). Z axis (circle size): exposure as measured by the CVE CVSS score.
Marked on the chart: the initial HeartBleed OpenSSL disclosure (CVSS 5, underscored); two new OpenSSL disclosures (both CVSS 10); vendor disclosures from F5, IBM, Cisco, IBM, and McAfee.
![Page 38: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/38.jpg)
Source: https://www.usenix.org/system/files/login/articles/15_geer_0.pdf
For the 41%: 390 days (median 265 days). CVSS 10s: 224 days.
![Page 39: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/39.jpg)
SW Supply Chains

Deming drove Toyota supply chains. We can EXTEND DevOps with his quality/safety patterns.
![Page 40: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/40.jpg)
SW Supply Chain; DevOps / CD; Agile / CI

ON TIME. Faster builds. Fewer interruptions. More innovation.
ON BUDGET. More efficient. More profitable. More competitive.
ACCEPTABLE QUALITY/RISK. Easier compliance. Higher quality. Built-in audit protection.
![Page 41: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/41.jpg)
SW Supply Chains
![Page 42: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/42.jpg)
Toyota Advantage: Comparing the Prius and the Volt

| | Toyota advantage | Toyota Prius | Chevy Volt |
|---|---|---|---|
| Unit Cost | 61% | $24,200 | $39,900 |
| Units Sold | 13x | 23,294 | 1,788 |
| In-House Production | 50% | 27% | 54% |
| Plant Suppliers | 16% (10x per) | 125 | 800 |
| Firm-Wide Suppliers | 4% | 224 | 5,500 |
![Page 43: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/43.jpg)
TWO LITTLE WORDS
![Page 44: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/44.jpg)
KNOWN VULNERABILITIES
![Page 45: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/45.jpg)
Bonus: Hot off the presses, the 2015 Verizon DBIR
![Page 46: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/46.jpg)
Proves HD Moore’s Law (Metasploit)
![Page 47: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/47.jpg)
Order of operations (known vulnerabilities first, then the unknown):
1) Got logo?
2) HD Moore’s Law
3) CVSS + …
4) Other
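The Elegant Procurement Trio (slide 34) and this order of operations are the two policy rules a procuring entity could actually automate: check a supplier’s bill of materials against known vulnerabilities, reject components for which a less vulnerable alternative exists, and rank what is left by branded bug, then public exploit (HD Moore’s Law), then CVSS. The following is an added example written for this page; it is not code from the talk, from Sonatype, or from I Am The Cavalry. It reads a constructed CycloneDX-style JSON SBOM; the advisory table is constructed sample data whose CVE numbers come from the slides but whose fixed versions, replacement artifact and exploit flags are assumptions for illustration, to be checked against NVD before any real use.

```python
"""Policy-as-code sketch of the "Elegant Procurement Trio" from the deck:
(1) the supplier hands over a bill of materials,
(2) known-vulnerable components with a less vulnerable alternative are rejected,
(3) what remains is ranked in the deck's order of operations:
    branded bug first, then public exploit (HD Moore's Law), then CVSS.

Added example for this page, not the talk's or Sonatype's code. The SBOM and the
advisory feed are constructed sample data; fixed versions, replacement artifact
and exploit flags are assumptions for illustration."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    fixed_in: Optional[str]     # first non-vulnerable version in the same line, None if none
    replacement: Optional[str]  # different artifact to migrate to when the line has no fix
    cvss: float
    branded: bool               # "Got logo?": a named, press-covered bug
    public_exploit: bool        # "HD Moore's Law": a Metasploit module exists


@dataclass(frozen=True)
class Finding:
    component: str   # group:artifact:version from the SBOM
    cve: str
    cvss: float
    remediation: str
    rank_key: tuple  # (branded, public_exploit, cvss); higher sorts first


# Constructed advisory feed (assumed values; the CVE ids are the ones on the slides).
ADVISORIES = [
    Advisory("CVE-2007-6721", "org.bouncycastle", "bcprov-jdk15", "1.38", None, 10.0, False, False),
    Advisory("CVE-2012-5783", "commons-httpclient", "commons-httpclient", None,
             "org.apache.httpcomponents:httpclient", 5.8, False, False),
    Advisory("CVE-2013-2251", "org.apache.struts", "struts2-core", "2.3.15.1", None, 9.3, False, True),
]


def version_key(version: str) -> tuple:
    """Segment-wise numeric key: 1.37 < 1.38 < 1.38.1, and 3.1.0 == 3.1.
    Qualifiers such as -beta or -SNAPSHOT are ignored; a production tool
    should use Maven's own version ordering."""
    nums = [int(t) for t in re.findall(r"\d+", version)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(version: str, adv: Advisory) -> bool:
    """Rule 2: a component is affected if it predates the fixed version, or if
    the whole line is vulnerable and only a different artifact is available."""
    if adv.fixed_in is None:
        return True
    return version_key(version) < version_key(adv.fixed_in)


def evaluate_bom(sbom_json: str, advisories: List[Advisory] = ADVISORIES) -> List[Finding]:
    """Rules 1 and 2: walk a CycloneDX-style JSON SBOM and flag every component
    that matches an advisory and has a less vulnerable alternative."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        coordinate = f'{comp["group"]}:{comp["name"]}:{comp["version"]}'
        for adv in advisories:
            if (adv.group, adv.artifact) != (comp["group"], comp["name"]):
                continue
            if not is_affected(comp["version"], adv):
                continue
            if adv.fixed_in:
                remediation = f"upgrade to {adv.fixed_in} or later"
            else:
                remediation = f"no fixed release in this line; migrate to {adv.replacement}"
            key = (adv.branded, adv.public_exploit, adv.cvss)
            findings.append(Finding(coordinate, adv.cve, adv.cvss, remediation, key))
    return findings


def rank(findings: List[Finding]) -> List[Finding]:
    """Rule 3: the slide's order of operations, most urgent first."""
    return sorted(findings, key=lambda f: f.rank_key, reverse=True)


# Constructed SBOM standing in for a supplier's bill of materials.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.bouncycastle", "name": "bcprov-jdk15", "version": "1.37"},
        {"type": "library", "group": "org.bouncycastle", "name": "bcprov-jdk15", "version": "1.50"},
        {"type": "library", "group": "commons-httpclient", "name": "commons-httpclient", "version": "3.1"},
        {"type": "library", "group": "org.apache.struts", "name": "struts2-core", "version": "2.3.15"},
        {"type": "library", "group": "org.slf4j", "name": "slf4j-api", "version": "1.7.7"},
    ],
})

if __name__ == "__main__":
    for f in rank(evaluate_bom(SAMPLE_SBOM)):
        print(f"{f.cve}  CVSS {f.cvss:>4}  {f.component}: {f.remediation}")
```

Two design points worth noting. The HttpClient 3.x entry carries no fixed version, only a replacement artifact, which is exactly the case rule 2 of the trio is written for: the component is still rejected because a less vulnerable component exists, even though no upgrade within the same line does. And the second bcprov entry (1.50) passes the boundary check, so the same artifact appears once as a finding and once as clean, which is what a supplier shipping 48 versions of one component looks like in practice.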
![Page 48: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/48.jpg)
Heartbleed + (Unpatchable) Internet of Things == ___ ? (repeats slide 11: in our bodies, homes, infrastructure, and cars)
![Page 49: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/49.jpg)
H.R. 5793 “CYBER SUPPLY CHAIN MANAGEMENT AND TRANSPARENCY ACT OF 2014” (repeats the Elegant Procurement Trio from slide 34: ingredients, hygiene & avoidable risk, remediation)
![Page 50: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/50.jpg)
![Page 51: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/51.jpg)
www.iamthecavalry.org @iamthecavalry

Automotive Cyber Safety: Facts, Fiction, and a ‘Vehicle’ for Collaboration
![Page 52: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/52.jpg)
! $4f3 @ * $p33d
![Page 53: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/53.jpg)
All Systems Fail* (* Yes; all)
![Page 54: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/54.jpg)
Poll: Does anyone think vehicles will not be hacked?
![Page 55: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/55.jpg)
![Page 56: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/56.jpg)
![Page 57: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/57.jpg)
“But they wouldn’t hurt you!”
Public Infra
“I’d prefer that they couldn’t hurt me…”
![Page 58: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/58.jpg)
![Page 59: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/59.jpg)
![Page 60: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/60.jpg)
5-Star Cyber Safety

Formal Capacities: 1. Safety By Design; 2. Third Party Collaboration; 3. Evidence Capture; 4. Security Updates; 5. Segmentation and Isolation
Plain Speak: 1. Avoid Failure; 2. Engage Allies To Avoid Failure; 3. Learn From Failure; 4. Respond to Failure; 5. Isolate Failure
![Page 61: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/61.jpg)
1) Safety By Design: Do you have a published attestation of your Secure Software Development Lifecycle, summarizing your design, development, and adversarial resilience testing programs for your products and your supply chain?
![Page 62: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/62.jpg)
1) Safety By Design
![Page 63: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/63.jpg)
2) Third Party Collaboration: Do you have a published Coordinated Disclosure policy inviting the assistance of third-party researchers acting in good faith?
![Page 64: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/64.jpg)
2) Third Party Collaboration (Vs)
![Page 65: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/65.jpg)
3) Evidence Capture: Do your vehicle systems provide tamper-evident, forensically sound logging and evidence capture to facilitate safety investigations?
![Page 66: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/66.jpg)
3) Evidence Capture
![Page 67: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/67.jpg)
4) Security Updates: Can your vehicles be securely updated in a prompt and agile manner?
![Page 68: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/68.jpg)
4) Security Updates
![Page 69: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/69.jpg)
5) Segmentation and Isolation: Do you have a published attestation of the physical and logical isolation measures you have implemented to separate critical systems from non-critical systems?
![Page 70: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/70.jpg)
5) Segmentation and Isolation
![Page 71: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/71.jpg)
![Page 72: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/72.jpg)
Microsoft (Then & Now)
![Page 73: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/73.jpg)
Past versus Future
Bolt-On Vs Built-In
![Page 74: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/74.jpg)
![Page 75: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/75.jpg)
![Page 76: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/76.jpg)
![Page 77: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/77.jpg)
THANK YOU
@joshcorman @iamthecavalry @OpenGarages
![Page 78: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/78.jpg)
GOOD, BAD, & UGLY! LAWS & E.O.s

Defensible Infrastructure (10% written)
Operational Excellence
Situational Awareness
Counter-measures
![Page 79: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/79.jpg)
Defensible Infrastructure
Operational Excellence
Situational Awareness
Counter-measures
![Page 80: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/80.jpg)
Triggers…
![Page 81: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/81.jpg)
Apply! “We get the CyberGov we deserve!”
- Choose: Lead, Follow, or Get Out Of The Way
- Review pending/coming cyber legislation: to act in your own self-interest, one must know it
- “Table top” with your executive stakeholders (BC/DR)
- YOU are the Cavalry: look into ways to help with public safety & human life, www.iamthecavalry.org
![Page 82: Cyber Legislation is upon us...but are we ready?](https://reader031.fdocuments.us/reader031/viewer/2022020218/55a779441a28ab530a8b4942/html5/thumbnails/82.jpg)
We Get The Government We Deserve…