Explore
For Enterprise
Join for Free
Log In

Arts and Humanities
Business
Computer Science
Data Science
Information Technology
Health
Math and Logic
Personal Development
Physical Science and Engineering
Social Sciences
Language Learning
Degrees and Certificates

Explore all of Coursera

Browse
Search
For Enterprise
Log In
Join for Free

Welcome Franscis Cianfrocca

Loading...

Cyber Attack Countermeasures

New York University Tandon School of Engineering

4.8 (223 ratings) | 4.1K Students Enrolled

Course 2 of 4 in the Introduction to Cyber Security Specialization

This course introduces the basics of cyber defense starting with foundational models such as Bell-LaPadula and information flow frameworks. These underlying policy enforcements mechanisms help introduce basic functional protections, starting with authentication methods. Learners will be introduced to a series of different authentication solutions and protocols, including RSA SecureID and Kerberos, in the context of a canonical schema. The basics of cryptography are also introduced with attention to conventional block ciphers as well as public key cryptography. Important cryptographic techniques such as cipher block chaining and triple-DES are explained. Modern certification authority-based cryptographic support is also discussed and shown to provide basis for secure e-commerce using Secure Sockets Layer (SSL) schemes.

Skills You'll Learn

Cybersecurity, Cryptography, Public-Key Cryptography

Reviews

4.8 (223 ratings)

5 stars
180 ratings
4 stars
40 ratings
3 stars
2 ratings
2 stars
1 ratings

JM

Jan 09, 2019

Good course. Very well though out approach towards teaching the subject. Engaging and informative. And it made learning a pleasure.

AA

Mar 28, 2018

Fantastic job by Dr. Amoroso as always. SImple, lucid and succinct explanation of complex subject matter with a personal touch.

From the lesson

Overview of Public Key Cryptographic Methods

This module introduces the basics of public key cryptography including an overview of SSL and CA applications.

Assignments and Reading2:56

CBC Mode Block Cryptography4:53

Conventional Cryptography Scaling Issues4:47

Public Key Crypto (Basics)5:10

Public Key – Secrecy4:31

Public Key – Digital Signature3:28

Cryptographic Message Exchange5:39

Diffie-Hellman Key Exchange7:32

Key Distribution and Certification Authority10:04

Secure Sockets Layer6:56

The Story of James Ellis and Clifford Cox10:06

Welcome Franscis Cianfrocca16:46

Taught By

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC

Hi, everyone.

I'm Ned Amaroso, and this week I'm sitting with a very good friend of mine,

Francis Cianfrocca, who is the chairman and CTO of Bayshore Networks.

>> That's great.

>> Francis, welcome.

>> Always great to see you, Ed.

>> How do you like sitting out here in the park?

>> I think it's fantastic.

It's like a couple of old guys here just sitting and

we're going to break out the cards next and start playing cards here.

>> Well, talk about cyber security and we'll play cards.

>> Playing cards and cyber security are very tightly linked.

We know this.

There's literature on this.

>> [LAUGH] Why don't you share with our community a little bit about yourself,

tell us about your background.

>> Yeah, thank you.

So I'm a software engineer, software developer by profession and temperament.

But I came at it in an unusual way.

I've got an eclectic background.

I've always felt and observed that the most creative and

productive and effective software people tend to be a little bit different.

So I went to music school.

I've got a conservatory background.

It's kind of interesting, we're here at NYU at the Tandon School of Engineering

and I'm thinking it's a professional schools with a lot of young people

who made a career choice early and they're here to learn a pretty esoteric craft.

And that's what going to music school was like for me.

>> [LAUGH] >> So i'm feeling pretty comfortable here.

And of course great energy from these young people and

they're going to be producing our next generation of great things.

So it's wonderful stuff.

But I started, I had a fascination with electronics and

what I later understood to be electrical engineering.

Okay, from a very young age I started at that.

And I learned how to build digital logic back in the day.

Now you and I are old enough.

You had an Arpanet drop in your kitchen.

>> [LAUGH] >> Okay, and

I programmed Deck Elevens with an acoustic coupler and time share.

Im sure all of your listeners are young people listening to us,

are tired of hearing about old guys.

At least Im not old enough that I programmed on batch cards on an IBM 360,

I'm a little younger than that.

What I found is learning electronics was great because you get a physical sense,

a feel, for if you understand electrons and how charges move.

Then when you go to computers,

the way that we programs computers is that's the physical reality of it.

All right, and so I first learned assembly language at a certain point when I was

a very young person.

After that when you've done all this hobbyist electronic work

that kids can do very easily now.

You've got the Raspberry Pis and the Arduinos.

Build all that stuff, very good work to do, all right?

And when I first learned assembly language I said, okay, that's a shift register.

I can see how that works.

Every little construct in the center language for

a CPU maps directly to some pretty discrete piece of hardware.

If you understand the hardware, programing makes perfect sense.

And then, at a certain point I learned, you know,

you´re good friends with Ryan Curnahan, who wrote the C language.

I learned off the KNR book,

which I think is one of the jewels >> It is.

>> Of programming.

Of any kind of computer science literature.

And I learned off of their book.

And when I first learned CS, I thought, wow, what a high level language

>> [LAUGH]

>> This is going to be so easy.

[LAUGH] >> And so

that background really came in very handy.

>> Let's dive right into kind of the Bayshore Networks kind of value prop.

>> Sure. >> What you guys do is

where those electronics and electro-mechanical things touch computers,

there could be some real significant security threats that pop up.

Tell us about that.

That interface is pretty important, isn't it?

>> Yeah and its actually novel, its relatively new in the world.

I mean of course, we're talking about.

Industrial production like making cars, making gasoline, making electricity,

moving things, running an airline and moving airplanes, okay.

All these industrial things that require change in the physical world,

moving energy around.

>> Right. >> Right?

Moving atoms around well people know how to do this.

We're on, I think now, our third industrial revolution.

People will say that cyber is another industrial revolution, I believe that.

>> Right.

>> But there were a couple of people before it.

We know how to do all this stuff and if you go to people are in charge of

auto assembly plants right, they'll tell you.

We know how to do this.

Security has never been an issue for us, why?

Because we've always isolated our networks.

The automation that they use in those networks,

very much like computer networks.

Same technology.

Essentially the same stuff.

It's different optimizations.

Some stuff is different but it's still ease in that.

>> RIght. >> It's still network cables.

>> Right. >> Same voltages,

the same packet switching, same technologies but they've always

keep them isolated, strictly isolated and they've never had to think about security.

They think about safety.

That's top of mind for those guys.

>> They being, industrial engineers, operational.

>> Yeah what we call OT, operational technology, plant managers.

People who are responsible for delivering that value as a business, right?

Okay, great, so as with everything else, okay?

There's been a revolution over the last ten years.

Mostly because of small computing devices and real distribution of computing.

And this whole thing we call data science-

>> Right- >> Right?

Producing business value, and business insights, and process improvements, and

cost savings by processing information.

It's worked tremendously well for people like Amazon, and

for your old company AT&T.

And we all know and believe and

can see that if you could take the data that comes out of industrial

production environments, you could save a few pennies of fuel, etc., etc.

So what I call convergence between IT and

OT is when you take production environments that have hither to always

been isolated, because the connectivity is the same, the same networks.

You connect them right to computer networks either in the IT side or

in the Internet or customers and partners tremendously valuable,

tremendously worth doing, now you got that security problem right through that wire.

>> What are the threats?

I mean is it kind of across the board.

Like the usual kinds of hacking and access and denial of service,

do they all apply in that IT interface?

>> They do all apply but I think when, again and

you've been, I love talking to you because you're literally

one of the foremost security practitioners in America.

And you've been at this for years and years and years at Bell Labs and

then CSO at the great AT&T.

Yes, all the stuff you've been thinking about and your colleagues for

the last 20 years apply.

But there's more to it.

Specifically, the guys that run the industrial equipment,

first off, that stuff is never hardened, never made resistant.

It's highly functional.

People who make robots and pressure vessels and industrial equipment,

turbines and this stuff, jet engines, they compete with each other on features,

the features are available electronically, and therefore,

they present an enormous attack surface for attackers.

>> More features means less hardened, typically.

>> No. >> No?

>> No, more features typically what'd you

do and this is interesting.

I think there's interesting economics here.

We all use the computers that have a lot of hardening,

security hardening in the OS and even in the hardware.

When you make industrial hardware, you're so concerned about incredible reliability.

Computer, you reboot it if it hiccups.

And industrial machine like a PLC, you put it in and

you expect it to run flawlessly for 20 years regardless of the environment.

So tremendous amount of physical engineering goes into those devices to

make them highly reliable and

that precludes because you don't have the economics.

You don't have the dollars and

you don't have the compute power to put any hardening on them.

>> Yeah, makes sense.

>> Now you will hear expert people in cyber security say,

The way to solve the industrial security problem is to harden the devices.

It's a lot of good reasons, and that's one that's not going to happen.

>> You know one thing I've heard people say and

tell me what you think about this, they say.

It's like aphorism and security that people are the real problem.

>> Yeah. >> And

then if that were true then you'd say,

my gosh, industrial should be easy- >> Yeah.

>> User devices, there's no people- >> Yeah.

>> What do you think about that?

>> Here's what I think, and you're right.

The biggest vulnerabilities in cyber and

you know this as well as anybody in the world All right?

Come from people who, variety of reasons are.

>> Yeah. >> You know, they click on the wrong

link in the email.

>> Yeah. >> That's your aperture,

that's the way in for a bad guy.

>> Wow. >> Once he's in,

he can do all kinds of incredible things.

And the convergence boundary between the IT space and

the OT space is generally unprotected.

It`s not a perimeter.

You will usually not find firewalls there, although people are thinking this through.

What you really need to do,

to your point directly, because that was an insightful session, I thought,

you can harden yourself against the vulnerabilities that people present.

With machines, it's a lot more straightforward.

And what we've found in our work is approaches like statistical baselining,

anomaly detection, not useful.

And this is counterintuitive to a lot of people.

And we spent [LAUGH] a lot of time working on this prep and

I got the patents to prove it, all right.

>> Interesting.

>> But they are not that useful.

There's a much simpler way to do it.

If you think about industrial machines, right,

they're quite segregated in their functionality.

So it's not like you take two pieces of software, put them in one computer,

and they'll start interacting in ways that produce problems.

They're pretty segregated.

What we like to is think about transaction white listing Okay.

So across the boundary between IT world carpeted space,

I call it, and the cement floor space where the machines are.

I just want to inspect that traffic in a high level way,

protocol semantics and transactions.

And allow or

white list certain sets of transactions that are required for that process to run.

And basically block everything else.

If you think about that it's a technology akin to or analogous to a firewall.

But it requires more semantical awareness and

more domain knowledge is baked into it.

The same basic principle though.

And that's not that hard to do, and it's not a It's not that big a job for

someone with the requisite domain knowledge.

I can make a transactional white list for an auto assembly plant that's going to

protect them against 85 or 95% of the threats that they face.

The rest of it I don't worry about.

>> Let me ask you, part of the learning community here.

We've spent time looking at threats.

And applying them to different types of assets.

>> Yeah, yeah.

>> And I tried to make clear to the whole community that there are some threats that

are pretty frightening.

>> Yeah. >> Let me ask you.

You're an expert in Syria.

Do you think it's reasonable to imagine that hackers, nation states,

criminals, could do something truly awful to electromechanical systems,

like to rring down an airplane or to turn the power off in a city.

Or like these kind of really scary things.

I know you and I would both point to problems in the small.

>> Yes. >> But the question is.

[CROSSTALK] Do you ever sit and wonder and think, gosh, you know,

will these catastrophic things potentially happen and

will they affect cities, societies, people?

>> It's interesting we're having this conversation right after the want to

cry attack just a few days ago.

>> Yeah, ransomware attack.

>> A ransomware attack that went through an aperture that

turned out to have a tremendous surface underneath it.

>> Right. >> Okay, so I think.

>> Warm delivery.

>> Well, yes.

>> Microsoft vulnerability.

>> Yes, thank you, exactly, and the thing

that makes it industrial infrastructure what we call critical infrastructure,

as well as industrial production system is the difference between them.

And cyberspace is that the apertures for lateral attack are very restricted.

Something like WannaCry, in one weekend, can impact 100,000 organizations

because the lateral links, once you have an infiltration, are wide open.

That doesn't exist in the industrial world because, again,

the legacy of isolation and network segmentation.

>> So, that would throttle cascading.

>> Yeah. >> Where that explosion of cascade.

>> Yes. >> Would be more limited.

>> That's one part of the answer.

The other part of the answer is,

once you're in to a particular cyber physical space.

Your availability of really nasty attacks I would say is far

higher that it is with ordinary computers.

>> So it's a more laser focused problem, but once you're in-

>> You can do a lot of things.

>> It can be life critical things versus breaking into an office and

knocking out their computers.

>> Don't worry about, you may have heard this in the news, city of Dallas,

apparently, I'm not going to say any more about this, but the news stories will tell

you that somebody was able to infiltrate the tornado alarm system.

>> Yeah.

>> That affected the whole city of Dallas.

>> 2:00 in the morning everything blurring off.

>> So that is scary because that show you that is a lateral

attack potential that wasn't blocked and that's scary but that's the exception.

>> Yeah, you're right.

>> The real thing I worry about it is that industrial machines

never having been designed for remote access now can be exploited.

If they're exploits, they can

produce massive effects on safety and on public health and on the environment.

And so It's really just a matter of time.

And I'll tell you where, just to fill that in a little bit.

There was a famous exploited black hat at Defcon a couple years ago.

Chrysler, okay?

And this is in the news too, so I'm not- >> Right.

>> Not spilling anything.

And not saying that Chrysler is particularly vulnerable,

because they all are, okay?

But a couple of really smart guys figured out I can shut off

the vehicle systems and cause at highway speed cause this vehicle to stop running.

Catastrophic, okay.

What was really interesting because being dedicated white hat guys,

really smart hackers, okay?

The aperture that they exploited take them about a day to find.

The real exploit, the real damage, took them months of effort.

>> That's so interesting.

>> Okay,

because cyber physical systems are opaque in terms of the way they function.

But it's, you know, you mentioned Asian state earlier,

the entities with the biggest motivation, okay.

To figure out where those damage points potentially are, our nation states.

And it's a huge surface and it's very much a cause for concern.

>> I could listen to you all day long.

>> I could listen to you all day long.

>> Our time is limited.

Next time you come back, \will you sing for everyone next time?

>> I can sing for you right now.

>> Some italian opera.

Why don't you give a couple of bars like sing something that would be

a arrivederci, a thank you, a good luck.

>> No here's what it is.

There's a gentleman named Figaro who says [FOREIGN].

And he's talking to his friend who's just a young girl, who was crazy for

all the girls and the Count that they both work for, well she doesn't work for

the Count, he does okay, is going to ship her off to command an army regiment

to get her out of the neighborhood, okay So that's what that's all about.

>> That's fantastic.

Why don't you close us?

Why don't you say thanks to everybody in a nice, Italian song.

>> [FOREIGN] >> And thank you as well.

Thanks, we'll see you all next time.

Explore our Catalog

Join for free and get personalized recommendations, updates and offers.

Coursera provides universal access to the world’s best education, partnering with top universities and organizations to offer courses online.

© 2019 Coursera Inc. All rights reserved.

Download on the App Store

Get it on Google Play

Coursera
About
Leadership
Careers
Catalog
Certificates
MasterTrack™ Certificates
Degrees
For Enterprise
For Government

Community
Learners
Partners
Developers
Beta Testers
Translators

Connect
Blog
Facebook
LinkedIn
Twitter
Instagram
YouTube
Tech Blog

More
Terms
Privacy
Help
Accessibility
Press
Contact
Directory
Affiliates