Vector Cybersecurity Symposium 2019 Cybersecurity Best

  • Date:12 Jan 2020
  • Pages:20
  • Size:1.44 MB

Transcription:

1 Challenge Cybersecurity
2 Security Engineering Across the Life Cycle
3 Case Study Vector Grey Box PenTesting
4 Conclusions and Outlook

2019 Vector Consulting Services GmbH. All rights reserved. Any distribution or copying is subject to prior written approval by Vector. V1.0, 2019-04-03.

1 Challenge Cybersecurity

Vector Client Survey 2019: The Fight of the Two Forces

[Figure: Vector Client Survey 2019. Horizontal axis shows short-term challenges, vertical axis shows mid-term challenges. Plotted challenges: Competitiveness, Quality, Security, Innovation, Efficiency, Distributed teams, Connectivity, Digital transformation, Competences, Complexity, Flexibility, Compliance, Others. Sum 300 due to 5 answers per question. Details: www.vector.com/trends]

Strong validity with 4% response rate of 2000 recipients from different industries worldwide.

Safety and Security are Biggest Challenge Today and Tomorrow.

ACES (Autonomy, Connectivity, e-Mobility, Services): Cyberattacks, Hazards

[Figure labels: OEM, Suppliers, ITS, Public Clouds, Service Provider, 4/5G. Threats shown: Eavesdropping, Data leakage, Command injection, data corruption, back doors, Man-in-the-middle attacks, Trojans, Physical attacks, Ransomware, Password attacks, Sensor confusion, Rogue clients, malware, Application vulnerabilities.]

Automotive cybersecurity will be the major liability risk in the future. Average security gap is detected in 70% of cases by a third party and will be exploited.

2 Security Engineering Across the Life Cycle

Risk-Based Security Engineering Covers the Entire Life Cycle

[Figure labels: Assets, Threats and Risk Assessment; Security Goals and Requirements; Technical Security Concept; Security Implementation; Security Verification; Security Validation; Security Case, Assessment, Compliance; Security Mgmt in Production, Operation, Service.]

Systematic risk-oriented security engineering across the life cycle:
  • 1 Threat and risk analysis drive risk-oriented hardening.
  • 2 Verification and validation with grey-box approach.

From TARA to Requirements and Traceability

[Figure: three columns, Requirements, Architecture and Test. Assets and TARA trace to the Grey Box Penetration Test; Security Goals trace to Robustness Tests and Fuzzing; Functional security requirements trace via the high-level architecture to Functional Tests; Technical security requirements trace via SW/HW to Security Testing, Unit Test and Static Code Analysis. Architecture components shown: Task Handling, Diagnostics, Memory Handling Library, Watchdog Timer, Communication Stack, Data Processing, Delta Download Library, Multiple Memory I/O Manager, Seed/Key, Security Module, Decryption, Decompression, Interprocessor Communication, Memory Drivers.]

Security by Design and Security by Lifecycle: Hardware Security Module (HSM)

HSM design objectives:
  • Harden ECUs against SW and selected HW attacks
  • Provide HW acceleration for crypto functions
  • Support ECU-to-ECU communication protection

HSM profiles, e.g. EVITA:
  • HSM full: Support strong authentication (e.g. via RSA); support complex block ciphers; high performance
  • HSM medium: Secure ECU-2-ECU communication
  • Secure critical sensors / actuators; simple block ciphers; low-cost modules

[Figure labels: Microcontroller, SW, CPU, Crypto, internal connection, Secure Zone, HW Crypto, Secure Memory, Network Interface, vehicle network.]

Safety and Security by Design: MICROSAR 4.3 upwards

  • HW-based security, secure boot and HSM
  • Key management and crypto handling
  • Secure On-Board Communication
  • Firewall, Intrusion Detection
  • ASIL A-D hardened

[Figure labels: Application, Boot, vHSM, DIAG, MEM, COM, Dcm, Dem, Nvm, Secure Update, Addon, Dpm, Sem, Enc NVM blocks, SecOC, PduR, Asymmetric Crypto, CRYPTO, ETH, V2G, vECUAuth, KeyM, vSecMod OEM X, Updater, Tls, CertM, vKeyM, vFVM, IPSec, vEthFw, vXMLSecurity, Crypto SW, Crypto vHSM, Microcontroller.]

Security Implementation, Verification and Validation

Design:
  • Defensive coding, e.g. memory allocation, avoid injectable code, least privileges
  • Programming rules such as MISRA-C, SEI CERT
  • High cryptographic strength in line with performance needs
  • Key management and HW-based security
  • Awareness and governance towards social engineering

V&V Methods and Tools:
  • Static / dynamic code analyzer
  • Unit test with focused coverage, e.g. MCDC
  • Interface scanner, layered fuzzing tester, encryption cracker, vulnerability scanner
  • Risk-based penetration testing

Classic coverage test is not sufficient anymore: test for the known and for the unknown. Ensure automatic regression tests are running with each delivery.

Vector SecurityCheck with COMPASS for TARA and Continuous Documentation

COMPASS information: www.vector.com/compass

Vector SecurityCheck facilitates:
  • Systematic risk assessment and mitigation
  • Traceability and governance with auditable risk and measure list
  • Heuristic checklists with continuously updated threats and mitigation

3 Case Study Vector Grey Box PenTesting

Vector Grey Box PenTesting

At Vector we have developed a grey-box security testing method for more efficiency and effectiveness. We follow the black-box security testing approach while considering specific risks due to attacks and implementation.

Case study: Gateway ECU
  • Assets and TARA with COMPASS
  • Test focus: PenTesting based on identified assets and risks
  • Quality results and findings
  • Cost and time effective

Rather than brute-force PenTest, we deploy with clients the grey-box PenTesting based on TARA, abuse / misuse cases and architecture know-how.

On this basis we conduct a mini-TARA and identify the attack vectors and scenarios for each asset. We refine these security goals into negative requirements (e.g. misuse, abuse and confuse cases), functional and technical security requirements which help to achieve them. This allows setting priorities for subsequent PenTesting steps to connect with security risk, i.e. window of opportunity and attack consequences.

By taking our TARA as input, we put our focus on the Flash asset, and with physical access to the board we initiate an attack to read the contents of the flash during runtime. After analyzing the data dump we got from the flash, we can read in clear text:
  • The root certificate at address 0x06F2A0, i.e. while it is OK to read it, it must be ensured that it is not replaced
  • ECU-specific key at address 0x06F6A0

Grey-box PenTest yields higher detection effectiveness with much lower effort and time.
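
Added example, not part of the original slides and not Vector's tooling: a release-gate check on a flash image for the two findings of the case study, namely that a readable root certificate has not been replaced and that a known key is not stored in clear text. The image, the certificate-shaped blob, the dummy key and all function names are constructed for illustration; only the two addresses come from the slide.

```python
import hashlib
import hmac
ROOT_CERT_ADDR = 0x06F2A0  # flash address of the root certificate, from the slide
ECU_KEY_ADDR = 0x06F6A0    # flash address of the ECU-specific key, from the slide

def build_sample_image():
    """Constructed data: erased flash (0xFF) holding a DER-shaped blob and a dummy key."""
    tbs = b"\x30\x82\x02\x58" + b"\xa0\x03\x02\x01\x02" + b"\x5a" * 595
    cert = b"\x30\x82" + len(tbs).to_bytes(2, "big") + tbs  # not a real certificate
    key = bytes(range(0x10, 0x20))                           # dummy 128-bit key
    image = bytearray(b"\xff" * 0x70000)
    image[ROOT_CERT_ADDR:ROOT_CERT_ADDR + len(cert)] = cert
    image[ECU_KEY_ADDR:ECU_KEY_ADDR + len(key)] = key
    return bytes(image), cert, key

def find_der_certs(image, min_len=256):
    """Return (offset, length) of each DER SEQUENCE whose first element is a
    SEQUENCE (the outer shape of an X.509 certificate) and that fits the image."""
    hits, i = [], image.find(b"\x30\x82")
    while i != -1:
        total = 4 + int.from_bytes(image[i + 2:i + 4], "big")
        if total >= min_len and i + total <= len(image) and image[i + 4] == 0x30:
            hits.append((i, total))
            i = image.find(b"\x30\x82", i + total)
        else:
            i = image.find(b"\x30\x82", i + 1)
    return hits

def root_cert_intact(image, offset, pinned_sha256_hex):
    """True only if the DER object at offset hashes to the pinned value."""
    if image[offset:offset + 2] != b"\x30\x82":
        return False
    total = 4 + int.from_bytes(image[offset + 2:offset + 4], "big")
    digest = hashlib.sha256(image[offset:offset + total]).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex)

def cleartext_offsets(image, secret):
    """Offsets at which a known secret appears unencrypted in the image."""
    hits, i = [], image.find(secret)
    while i != -1:
        hits.append(i)
        i = image.find(secret, i + 1)
    return hits

if __name__ == "__main__":
    image, cert, key = build_sample_image()
    pin = hashlib.sha256(cert).hexdigest()  # assumed to be anchored outside rewritable flash
    print("certificate-like objects:", [(hex(o), n) for o, n in find_der_certs(image)])
    print("root certificate intact:", root_cert_intact(image, ROOT_CERT_ADDR, pin))
    print("key in clear text at:", [hex(o) for o in cleartext_offsets(image, key)])
```

The pinned hash only protects the certificate if it is stored where a flash write cannot reach it, for example in the HSM or one-time-programmable memory.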