A Cyber Security Review Simon Moffatt CISSP CISA MBCS November 2012

Upload: simon-moffatt

Post on 08-May-2015


DESCRIPTION

A review of cyber security covering enterprise, consumer and critical infrastructure protection.


A Cyber Security Review

Simon Moffatt CISSP CISA MBCS

November 2012


Table of Contents

Synopsis
(Cyber) War On Terror
    Motives
    Targets
    Government-Led Defence
From Lone Wolves to Botnets, APTs to AETs
    Lone Wolves & Botnets
    APTs to AETs
Enterprise Protection
    Attack Vectors and Entry Points
    Basic Defence in Depth
    Offense and Response
    Enterprise Protection Conclusion
Consumer Protection
    Everything's Online
    Vulnerabilities - Learning and Spotting
    Protection Steps
Critical Infrastructure
    Difference of Priorities: CIA to AIC
    Vulnerabilities - Nature or Nurture?
    Basic Security Erosion
    Recent Attacks and a Change in Culture

Infosecprofessional.com


Synopsis

The following paper covers a range of cyber security topics that were initially published as separate articles on the Infosec Professional blog between October and November 2012.


(Cyber) War On Terror

Any device that connects to the internet is now a potential target, and the motives are increasingly political, as control of the information highway becomes paramount.

US government security expert Richard A. Clarke, in his book Cyber War (May 2010), defines "cyberwarfare" as "actions by a nation-state to penetrate another nation's computers or networks for the purposes of causing damage or disruption". This opening sentence is paraphrased straight from Wikipedia, but could just as well have come from a sci-fi movie of the mid 1980s. Cyber war is no longer an imaginary concept, cocooned in the realms of laser-gun protection and x-ray vision. It is an everyday occurrence, impacting governments, corporate enterprises and individuals.

Motives

Internet security in the past has mainly been focused on protecting privately held assets (namely web, FTP and email servers) from being hacked. Hackers came in various guises, from script kiddies trying out ideas they had learnt that day at college, right through to 'hacktivists' aiming to make a mark for themselves by defacing a newspaper or corporate website. Today, attacks cover a range of motives. Cash is a main driver, especially behind many of the sophisticated consumer-focused malware attacks. Ransomware has recently hit the headlines, holding individuals' laptops and files hostage until a payment is made. Online banking and financial services customers have long been hit by email phishing and other attempts to trick them out of their username and password details. The main goal? Cash. Whether through fraud or direct transfer, money has been the aim of the armies of complex botnet operators.


The motive has advanced, however, to the nation-state level and is now comfortably embedded in the toolbox of military weapons. US Defence Secretary Leon Panetta said that the cyber attack capability of countries like Iran was growing, and that US authorities believed Iran was behind several attacks on oil and gas companies in the Persian Gulf. The main motive is to cause disruption.

Disruption causes panic and destabilisation, and ultimately acts as a propaganda tool to show who really is in control of a particular asset or environment.

Targets

In early October 2012, the Pentagon confirmed that it had itself been on the receiving end of a cyber attack. The White House would not confirm reports that the attack originated in China, but did describe the incident as a 'spear-phishing' attempt.

The ongoing political isolation between the United States and Iran has left many arguing that the recent attacks on US government assets are a direct retaliation for the monetary sanctions currently imposed on Iran.

Conversely, the powerful Stuxnet worm found in 2010, which primarily targeted the Siemens SCADA infrastructure within Iran's nuclear enrichment plants, was originally developed with nation-state support, with many speculating Israeli backing.

The subtlety and remote nature of cyber warfare make its development seem natural at a time when political tensions are rising, due either to economic change or to the push for democracy.


The main targets generally seem to be the major infrastructure installations. As disruption and denial of service seem to be the name of the game, water, electricity and communications infrastructure would seem to offer the biggest impact on a nation's general well-being.

From a communications perspective, the threat can be more subtle. Again in 2012, a US House of Representatives Intelligence Committee report recommended that dealings with Chinese telecoms supplier Huawei be banned. The UK, Australia and Canada are looking to produce similar intelligence reports on a network provider that has invested over £150m in the UK telecoms backbone in the last 10 years. Whilst a direct attack has not been acknowledged, the gathering of intellectual property and clandestine scanning of network traffic would be a major concern.

Government-Led Defence

The last three years have seen some significant strategic steps being taken by several governments when it comes to cyber security defence and offence.

In 2009, the US formed USCYBERCOM, a Department of Defense initiative to protect the military's information networks. Also in 2009, Howard Schmidt took the role of cyber security co-ordinator and advisor to the Obama administration. Although he retired from the role this year, his appointment marked a new beginning in cyber security management, research and defence.

From a UK perspective, GCHQ performs in a similar vein to the US National Security Agency, and has recently announced a new research capability in partnership with several top UK universities. The partnerships aim to make it easier for businesses, individuals and government to take informed decisions about how to implement better cyber protection measures.


China too has recently released a new policy outlining its approach to IT in general and to countering and defending against online attacks.

Whilst the cost of attacks (and indeed the readiness of organisations and governments to acknowledge being the victim of one) is largely unknown, many institutions are putting in place the infrastructure, personnel and policies needed to conduct both attack and defence over internet resources.


From Lone Wolves to Botnets, APTs to AETs

Cyber attacks in 2012 draw on several different, highly optimised and professional techniques for building and distributing malware. These range from individual 'lone wolf' style attacks right through to complex networks of robots ('botnets'), capable of distributing malware on a vast scale. I will briefly examine the components of an Advanced Persistent Threat and the increasing rise of Advanced Evasion Techniques, used by malware to avoid detection.

Lone Wolves & Botnets

The Lone Wolf - In any walk of life the lone wolf is seen as independent, agile and potentially unpredictable. Whilst these characteristics are often seen as difficult to defend against in a cyber security landscape, being an individual has its limitations.

In the new dawn of the internet era (yes I know, what was that like?) in the early 90s, the individual hacker was often portrayed as glamorous and cool. The script-kiddy style attacker was generally male, 18-23 years old and a self-badged nerd/geek/social outsider. Their main motive for attacking online systems was simply prestige and credibility, a drive for acceptance of their technical aptitude.

Today there has been a significant movement to a more targeted and explicitly aggressive type of lone wolf attacker. The evolution from script kiddy to lamer, to cracker and fully fledged hacker has been swift, with tooling, training and support easily available online. Their main motives tend to be political (hacktivist) or automated income, aiming to harvest and sell identity or banking data from individuals. If income is the driver, the relative safety, anonymity and low investment costs often make online crime more effective than 'street' style criminality.


Botnets - Robot networks are large-scale and complex attack systems. Often controlled by organised criminals, a botnet contains several different components. The network itself is controlled by a 'bot-herder', who in turn manages several command and control (C&C) servers. These C&C servers then remotely manage the bots.

The bots are simply infected machines on the internet, belonging to everyday users who are unaware their machine is infected. These bots then combine to perform an attack, generally either of a denial-of-service style, utilising the large aggregate bandwidth and processing power available to them, or a data harvesting exercise, often collecting personal information such as identity or social security data.

The botnet owners often have the ability to create their own bespoke malware, which can be distributed online via email attachments, infected URLs (masked via phishing attacks or, more recently, altered QR codes) or USB drops. Botnets are becoming increasingly 'professionalised' and sophisticated, adapting to new technologies (Twitter has been used as a command channel, with encoded tweets carrying C&C messages). The main driver is cash. Automated income streams are often the end goal, which again, compared to street crime, is often less risky and more rewarding.

APTs to AETs

Advanced Persistent Threats - APTs, as the name suggests, are advanced, targeted and sustained attacks, often developed by large-scale organisations or even nation states; the term covers both the campaign and the tooling behind it. The tooling generally consists of several highly optimised components, joined together to perform denial of service or data harvesting attacks. A botnet could be involved in helping to execute the components. APTs usually have a specific target, with recent attacks focused on SCADA-style industrial control systems and critical infrastructure (Stuxnet, Duqu). The APT will contain an initial payload distributed via social engineering techniques, USB drops, email and infected URLs. Once the initial stage is in place, secondary components such as privilege escalation tools, data harvesters and propagators are used to complete the attack.


Code is often self-replicating and self-modifying, making detection and removal difficult. As a result, the true impact of some of the more complex APTs is unknown.

Advanced Evasion Techniques - AETs are not themselves malware or specific attack tools. The term is relatively new, and describes how malware payloads now use new approaches to avoid detection by next-generation firewalls (NGFWs) and intrusion detection systems (IDSs). Rather than changing the malware itself, an AET manipulates how the payload is delivered on the wire (for example by splitting it across fragments or segments, or by using rarely exercised protocol options) so that the signature-based inspection applied to inbound network traffic never sees the pattern it is looking for, even though the receiving host reassembles the payload intact. There are several new tools on the market that can test network security devices for weaknesses in their ability to prevent malware bypassing perimeter security. Whilst not all traffic using an AET will be malware, it is another tool being used in the pursuit of malware distribution.

Research by the security firm Stonesoft identified 147 possible atomic evasion techniques. Given that techniques can be combined, that is a staggering array of new vectors that could be exploited. Many of the techniques involve unusual or rarely used protocol properties, or design flaws in how devices handle memory or configuration.
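The segment-splitting case is the simplest of these evasions to reason about, so here it is in working code. This is an added example, not code from the original paper or from Stonesoft: the signature, the HTTP request and the segment sizes are constructed for the demonstration, and the reassembly policy (first copy wins on overlap, stop at the first gap) is one assumed host behaviour rather than a claim about any particular TCP stack.

```python
"""Why per-packet signature matching misses a payload split across TCP segments.

Added example, not from the original paper. It models one of the
evasion classes the text describes (splitting an attack across
segments, possibly out of order) and contrasts a sensor that matches a
signature against each segment on its own with one that reassembles
the stream the way the receiving host will before matching. The
signature, request and segment sizes are constructed for the demonstration.
"""
from dataclasses import dataclass

# A byte-pattern rule of the kind a signature-based IDS would carry.
SIGNATURE = b"/etc/passwd"


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number: offset of data[0] in the stream
    data: bytes


def split_payload(payload, chunk, start_seq=0):
    """Attacker side: cut a request into pieces smaller than the signature."""
    return [Segment(start_seq + i, payload[i:i + chunk])
            for i in range(0, len(payload), chunk)]


def naive_match(segments, signature=SIGNATURE):
    """Per-packet inspection: fires only if the whole pattern sits inside one segment."""
    return any(signature in seg.data for seg in segments)


def reassemble(segments):
    """Rebuild the stream a host would deliver to the application.

    Segments may arrive out of order or overlap. For overlapping bytes this
    keeps the first copy received (an assumed policy); evasion tools exploit
    the fact that sensors and hosts can disagree on that policy, so a sensor
    should use the policy of the host it protects. Reassembly stops at the
    first gap, since bytes beyond a hole are not deliverable yet.
    """
    offsets = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            offsets.setdefault(seg.seq + i, b)
    out = bytearray()
    pos = 0
    while pos in offsets:
        out.append(offsets[pos])
        pos += 1
    return bytes(out)


def reassembled_match(segments, signature=SIGNATURE):
    """Stream inspection: match against the reassembled bytes."""
    return signature in reassemble(segments)


# Constructed request carrying the pattern in a directory-traversal parameter.
REQUEST = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    small = split_payload(REQUEST, 4)          # every segment shorter than the signature
    print("per-segment match:", naive_match(small))              # False
    print("after reassembly :", reassembled_match(small))        # True
    print("out of order     :", reassembled_match(small[::-1]))  # True
```

With four-byte segments no single packet ever contains the eleven-byte pattern, so the per-packet sensor stays silent while the host, and the reassembling sensor, see the full request. The same structure applies at the IP layer with fragments, and the overlap policy is where sensor and host most often disagree.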

As the number of services, users and online ecommerce transactions increase, so too will

the sophistication and professionalism of attackers and the software and techniques they

use.


Enterprise Protection

Any device connected to the internet is open to attack, from highly complex botnets right through to an individual port-scanning for online FTP or database servers. Corporate networks are no stranger to being specifically targeted, or to being infected with malware delivered via the public network.

Attack Vectors and Entry Points

Firewall & Network Perimeter - Historically, enterprise security was often viewed with an 'us and them' mentality. Everything on the internal LAN was safe; anything beyond the DMZ and on the internet was potentially bad. The main attack vector in was through the corporate firewall and any other perimeter network entry points. The firewall was seen as the ultimate protection mechanism, and as long as desktops had anti-virus software installed, that was as much as many organisations needed to do.

Desktops & USB - Desktop PCs were the end goal, and they were attacked either through HTTP payloads from websites of dubious origin or via malware distributed by email, in attachments such as Excel spreadsheets or files containing macros. The proliferation of USB devices also assisted in the distribution of malware, as large files were often easier to copy offline.

BYOD - Whilst those issues still exist in many organisations, cyber threats have evolved significantly. Smartphones are omnipresent in the enterprise, whether via Bring Your Own Device (BYOD) or internally managed hardware. This brings another dimension. Not only is malware common across a variety of smartphone operating systems, but smartphones also alter the perimeter of the 'safe' internal network. A smartphone will have its own data network access, either via 3G/4G or wifi, on networks that are unsecured (or at least unmanaged from the corporation's perspective).


Add to that the fact that they can also act as network 'hotspots', and bringing a smartphone to work could easily mean an un-firewalled, unmanaged router on every desk.

Social Media & Social Engineering - The onset of social media has also brought different angles. Not only are the numerous social media sites used for malware distribution and botnet control, they also give an attacker a new level of information when it comes to spear phishing or targeted attacks. Publicly held information about senior individuals within an organisation makes social engineering attacks more sophisticated and more likely to succeed.

Basic Defence in Depth

Cyber protection (like any information security protection) is best applied in depth. A single layer of protection, no matter how complex, will be breached at some time in the future. When it is, it is imperative to have several independent layers underneath it.

Network Security - The network perimeter needs protecting. No doubt about that. Next-generation firewalls inspect traffic at several layers of the OSI stack, from the network layer up to the application layer. Gone are the days of simple port-blocking rules. Intrusion detection systems are also a default for many larger organisations. The recent concept of advanced evasion techniques brings into question the ability of the current batch of network perimeter devices to detect the complex delivery configurations that help to distribute malware payloads.

General network asset management and scanning is also important, not only to help identify smartphone hotspots and 'leaks' out to the internet, but also to find unauthorised devices, especially those configured to use IPv6 on IPv4-only networks.


Access Management - A long-standing problem for larger organisations is the constant provisioning and de-provisioning of user accounts. The use of least privilege is a must, as is regular certification (the checking of existing users and their access levels). Role-based access control can also be a major benefit, especially when it comes to the user on-boarding process, although it can be complex to implement. Device-level access should also be well managed. Root or administrator-equivalent access should be restricted, along with file system access, with device management and configuration changes not permitted unless required for the individual's role. Policies should be restrictive but not inhibitive.
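The certification step described above is mechanical enough to script. The following is an added example, not from the original paper: it runs an access review over a constructed identity extract, with an invented role model, user records and dormancy threshold, flagging leavers who still hold access, entitlements outside what the user's roles allow, and dormant accounts.

```python
"""Access certification pass over a constructed identity extract.

Added example, not from the original paper. It checks the points the
text raises: accounts of leavers not de-provisioned, entitlements that
exceed what the user's roles grant (least privilege), and dormant
accounts. The role model, user records and thresholds are invented.
"""
from datetime import date, timedelta

# Role model (assumed): the entitlements each business role is allowed to carry.
ROLE_MODEL = {
    "finance-analyst": {"erp-read", "erp-post-journal", "vpn"},
    "helpdesk":        {"ad-reset-password", "vpn", "workstation-admin"},
    "developer":       {"git-write", "ci-trigger", "vpn"},
}
DORMANT_AFTER = timedelta(days=90)   # assumed review threshold

# Constructed HR plus directory extract, already joined on user id.
USERS = [
    {"uid": "asmith", "status": "active", "roles": ["finance-analyst"],
     "entitlements": {"erp-read", "erp-post-journal", "vpn"},
     "last_login": date(2012, 11, 20)},
    {"uid": "bjones", "status": "leaver", "roles": ["developer"],
     "entitlements": {"git-write", "vpn"},
     "last_login": date(2012, 7, 1)},
    {"uid": "cwu", "status": "active", "roles": ["developer"],
     "entitlements": {"git-write", "ci-trigger", "vpn",
                      "erp-post-journal", "workstation-admin"},
     "last_login": date(2012, 11, 25)},
    {"uid": "dlee", "status": "active", "roles": ["helpdesk"],
     "entitlements": {"ad-reset-password", "vpn", "workstation-admin"},
     "last_login": date(2012, 5, 2)},
]


def allowed_entitlements(roles):
    """Union of what the user's roles permit; an unknown role grants nothing."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_MODEL.get(role, set())
    return allowed


def certify(users, today):
    """Return (uid, finding) tuples for a reviewer to act on."""
    findings = []
    for u in users:
        uid = u["uid"]
        # 1. De-provisioning gap: a leaver whose account still carries access.
        if u["status"] != "active" and u["entitlements"]:
            findings.append((uid, "leaver-with-access: account not de-provisioned"))
            continue   # everything else is moot until the account is disabled
        # 2. Least privilege: anything the role model does not justify.
        excess = u["entitlements"] - allowed_entitlements(u["roles"])
        if excess:
            findings.append((uid, "excess-entitlements: " + ", ".join(sorted(excess))))
        # 3. Dormancy: accounts nobody has used for longer than the threshold.
        idle = today - u["last_login"]
        if idle > DORMANT_AFTER:
            findings.append((uid, "dormant: no login for %d days" % idle.days))
    return findings


if __name__ == "__main__":
    for uid, finding in certify(USERS, date(2012, 11, 30)):
        print(uid, "-", finding)
```

The interesting output is the developer who has accumulated an ERP posting right and local admin through job moves: neither is wrong for the person who granted it, but the role model shows that no current role justifies it, which is exactly what a certification campaign is meant to surface.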

Patching - The age-old issue of patching. Software should of course be updated to the level recommended by the vendor. The simple reason is that, from a management perspective, the best support will be received from the vendor or partner if the most recent patches and service packs are installed. Zero-day attacks are now common practice, with vulnerabilities being exploited before a patch has been provided. Here there is a counter-argument, that newer software could well be more 'buggy' and vulnerable to attack, as it has had less time in real-world environments. From a simple risk management perspective, however, applying patches as soon as possible both closes known holes and can help get the vendor to accept some of the recovery process if a breach or issue has occurred.

Anti-virus and URL Scanning - Anti-virus is again an age-old issue from a management perspective. From the initial anti-virus installation and build, to the distribution of new definitions and then the scanning of machines and recording of infections, anti-virus is key but also a major headache. You are only as strong as the weakest link, and it takes only one machine not to be covered to cause an issue. Virus protection must now cover a range of devices, from laptops, smartphones and print devices to routers, firewalls and switches, if they are sophisticated enough to have a basic operating system.


Metrics for coverage rates and infection rates are important, as they not only help with issue detection but can also provide return-on-security-investment data, which helps fund projects and build business cases.

URL scanners are also popular. This is more about the newer concept of reputation-based analysis. By using data from other infected parties, databases can be built that check a given URL to see whether it has been involved in malicious activity or malware distribution. The same concept can also be applied to public subnets.
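A reputation lookup of the kind described above, as an added example (not from the original paper or any vendor's product). The blocklists and the hostname-to-address table are constructed stand-ins for shared reputation feeds and for DNS; the checks on parent domains, IP-literal hosts and subnets are the parts worth noting, since a lookup that only compares the exact string is trivially dodged.

```python
"""Reputation lookup for a URL against domain and subnet blocklists.

Added example, not from the original paper. BAD_DOMAINS, BAD_SUBNETS and
RESOLVE are constructed stand-ins for shared reputation feeds and DNS.
The lookup walks parent domains (so a listed domain covers its
subdomains), handles IP-literal hosts (dotted, bracketed IPv6 and the
plain-decimal form used to dodge string matching) and checks the
resolved address against the subnet list.
"""
import ipaddress
from urllib.parse import urlsplit

BAD_DOMAINS = {"malware-drop.example", "phish.example.net"}
BAD_SUBNETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:bad::/48")]

# Constructed resolver table (stand-in for DNS); documentation addresses only.
RESOLVE = {
    "update.cdn.example": "198.51.100.7",
    "login.phish.example.net": "203.0.113.45",
    "files.partner.example": "203.0.113.9",
}


def host_of(url):
    """Host part of a URL: lower-cased, without scheme, userinfo, port or IPv6 brackets."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def parse_ip(host):
    """ip_address for literal hosts (dotted, IPv6, or plain decimal), else None."""
    try:
        if host.isdigit():                       # e.g. http://3405803821/ is 203.0.113.45
            return ipaddress.ip_address(int(host))
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def domain_listed(host):
    """True if the host or any parent domain is on the domain blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def subnet_listed(ip):
    return any(ip in net for net in BAD_SUBNETS)


def check_url(url, resolve=RESOLVE):
    """Return (verdict, reason); verdict is 'block' or 'allow'."""
    host = host_of(url)
    if not host:
        return ("block", "no host in URL")
    ip = parse_ip(host)
    if ip is None:                               # a name: check it, then what it resolves to
        if domain_listed(host):
            return ("block", "domain listed: " + host)
        addr = resolve.get(host)
        ip = ipaddress.ip_address(addr) if addr else None
    if ip is not None and subnet_listed(ip):
        return ("block", "address %s in listed subnet" % ip)
    return ("allow", "no match for " + host)


if __name__ == "__main__":
    for u in ("http://login.phish.example.net/x", "https://files.partner.example/dl",
              "http://update.cdn.example/patch.exe", "http://3405803821/",
              "http://[2001:db8:bad::1]:8080/"):
        print(u, "->", check_url(u))
```

The partner host is the case that shows why the subnet list matters: the domain itself is clean, but the address it resolves to sits in a range already associated with malicious activity.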

Offense and Response

A key message from any CISO to the management board of an organisation is that they will be attacked and breached at some point. There is no such thing as total protection. The same can be said of risk management. Risks of great scale can never be removed entirely, only reduced or transferred.

Incident Response - With that said, a strong process and control centre for data breach and cyber attack recovery and incident response is important. That should include both technical forensic tools and the right people and processes to make them effective. An incident should be properly assessed, with an understanding of the impacted parties and the scope of the attack. Once the attack is understood, 'stop the bleeding' style actions should be taken to limit the impact and exposure; these could include tactical short-term fixes or changes. This should be followed by a detailed root cause analysis phase, with more strategic remediation steps.

SIEM, Logging and Forensics - For an incident response to take place, the incident must be detected in the first place. Detecting an attack requires several interlinked and correlated pieces of security data.


Security Information and Event Management (SIEM) tools should be used to centrally store and manage logs from multiple devices. Signature-based analysis can certainly help with the detection of known attacks, with behaviour profiling technologies helping with the unknown. Forensic-style analysis for post-incident management is also popular, with logs and files duplicated securely and hashed at the time of capture so that the snapshot can later be shown to be unaltered.
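To make the signature/behaviour/forensics split concrete, the following added example (not from the original paper) runs both kinds of analysis over a constructed batch of syslog-style lines and hashes the batch so a later copy can be verified. The log lines, rules, addresses and baseline figures are all invented for the demonstration.

```python
"""Signature and behaviour detection over log lines, plus a forensic hash.

Added example, not from the original paper. It runs two analyses over a
constructed batch of syslog-style lines: signature rules for known attack
patterns, and a behaviour check comparing each source's failed-login count
against a baseline taken from earlier, quiet traffic. It then hashes the
exact bytes retained for forensics. Log lines, rules, addresses and the
baseline are all constructed.
"""
import hashlib
import re
from collections import Counter
from urllib.parse import unquote

# Signature rules. Matching runs on a %-decoded copy of each line so that URL
# encoding does not hide the pattern (a simple evasion against string rules).
SIGNATURES = [
    ("sql-injection-union", re.compile(r"union\s+select", re.IGNORECASE)),
    ("scanner-user-agent", re.compile(r"\b(sqlmap|nikto|nmap)\b", re.IGNORECASE)),
]
FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

# Constructed log batch (one collection window); documentation address ranges.
LOGS = [
    "Nov 28 09:00:02 vpn1 sshd[1990]: Accepted password for jsmith from 198.51.100.20 port 51022 ssh2",
    "Nov 28 09:00:40 vpn1 sshd[1991]: Failed password for jsmith from 198.51.100.20 port 51030 ssh2",
    "Nov 28 09:00:44 vpn1 sshd[1991]: Failed password for jsmith from 198.51.100.20 port 51030 ssh2",
    "Nov 28 09:01:12 vpn1 sshd[2031]: Failed password for invalid user admin from 203.0.113.9 port 4021 ssh2",
    "Nov 28 09:01:13 vpn1 sshd[2032]: Failed password for invalid user root from 203.0.113.9 port 4022 ssh2",
    "Nov 28 09:01:14 vpn1 sshd[2033]: Failed password for invalid user oracle from 203.0.113.9 port 4023 ssh2",
    "Nov 28 09:01:15 vpn1 sshd[2034]: Failed password for invalid user test from 203.0.113.9 port 4024 ssh2",
    "Nov 28 09:01:16 vpn1 sshd[2035]: Failed password for invalid user guest from 203.0.113.9 port 4025 ssh2",
    "Nov 28 09:01:17 vpn1 sshd[2036]: Failed password for invalid user admin from 203.0.113.9 port 4026 ssh2",
    'Nov 28 09:02:30 web1 httpd: 203.0.113.9 - - "GET /item.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 512 "-" "sqlmap/1.0"',
]
# Constructed baseline: failed logins per source seen in a normal window.
BASELINE = {"198.51.100.20": 1}


def signature_hits(lines):
    """(line index, rule name) for every rule matching the decoded line."""
    hits = []
    for i, line in enumerate(lines):
        decoded = unquote(line)
        hits.extend((i, name) for name, rx in SIGNATURES if rx.search(decoded))
    return hits


def failed_logins_by_source(lines):
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def behaviour_alerts(lines, baseline=BASELINE, factor=5, floor=3):
    """Sources whose failed-login count is at least `floor` and more than
    `factor` times their baseline. An address with no baseline gets 0, so any
    burst above the floor from an unseen source is reported."""
    alerts = []
    for src, n in sorted(failed_logins_by_source(lines).items()):
        expected = baseline.get(src, 0)
        if n >= floor and n > factor * expected:
            alerts.append((src, n, expected))
    return alerts


def snapshot_digest(lines):
    """SHA-256 over the exact bytes retained for forensics (one record per line)."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()


def verify_snapshot(lines, digest):
    """Compare a later copy against the digest recorded at collection time."""
    return snapshot_digest(lines) == digest


if __name__ == "__main__":
    print("signature hits :", signature_hits(LOGS))
    print("behaviour alerts:", behaviour_alerts(LOGS))
    print("snapshot sha256 :", snapshot_digest(LOGS))
```

Note what each layer catches: the signature rules only fire on the last line, and only because the line is decoded first; the behaviour check fires on the six failed logins from an address with no history, which no signature describes; and the digest lets the same lines be produced later with proof they are the ones that were collected.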

Enterprise Protection Conclusion

I think the main overriding point for enterprise cyber protection is that, as a large-scale organisation, you will be attacked at some point. That may be a virus infection, data theft or a defaced website, but both proactive and reactive measures must be in place to make risk management of the situation effective. Those measures must be both technical and personnel related.


Consumer Protection

Cyber attacks have been well documented in their ability to damage large organisations, government websites and critical infrastructure. However, there is still a large volume of non-technical home and mobile users who end up as the victims of online attacks and identity theft.

Everything's Online

Well, not quite everything, but most things. You can certainly do all your shopping online. Banking? Yep. Store your music, photos and apps? Yep. Watch movies and TV? Yep. Interact with other people? Yep. So practical, everyday tasks can generally be automated and placed online. The main consumers of online products and services are obviously the 'digital natives': Generation Y and younger, who were born not with a silver spoon but with a smartphone hanging out of their mouth.

Laptops can obviously do everything a desktop could do, but faster and cheaper, with the added option of being portable and using wireless networking. A laptop itself would be pretty useless without an internet connection. In reality, not many people would use a laptop with its wifi or ethernet LAN connection disabled.

Vulnerabilities - Learning and Spotting

The use of more portable devices, including smartphones, has increased user convenience, but also opened up a can of worms when it comes to security. Smartphones are not really phones. They are computers that happen to make calls. The phone itself will contain considerable personal and potentially work-related data: contacts, emails, attachments, internet browsing history, cookies, bookmarks, saved and cached passwords and so on.

However, the main vulnerability with respect to consumers is often not the technology they use, but how they use it.


If you went to a new town or city and someone totally unknown came up to you and tried to sell you a second-hand car, you would probably walk away. You don't know the person's history or credibility, and if you wanted to buy a car you would want to see it, read a review, test drive it and so on. Your basic inner suspicions would take hold and you would walk away.

Those same instincts should be applied to online browsing, but many users are blinded by the technology and the unfamiliar intermediate steps involved in buying products and services online. Phishing is popular, as is social engineering; we've all heard the stories of the prince of Nigeria requiring urgent funds to allow safe passage for his daughter, who happens to be in your local town.

Protection Steps

Basic instincts count for a lot. If you receive an email from someone unknown, don't expect it to contain winning lottery information or a link to photos from your past. How could it? If an online deal seems too cheap to be true, it probably is. Use sites that you are familiar with. Reviews of products and services are now available for nearly everything, and are available free.

From a technical perspective, treat your online tooling the same as you would your physical devices, like cars and cookers. Make sure they are up to date and well serviced. If your laptop, operating system or browser is running an old version, get it updated with patches and service packs. Anti-virus, anti-malware and firewall tools should be installed as a minimum default and kept up to date too.

Don't use public wifi for things like online banking, or if you absolutely have to, put a local SSH tunnel in place to add some protection against sniffing. SSL/TLS is an absolute must for any website that requires authentication, and equally for remote email access over IMAP (and sending over SMTP); check that the certificate belongs to the site you think you are talking to, rather than just looking for the padlock.


From a smartphone perspective, make sure the OS is up to date, use a passcode of at least six characters rather than a short numeric PIN, encrypt the local phone contents, and set up insurance and remote-wipe features in case of theft.

As more and more of our daily lives involve online transactions of some sort, the unfamiliarity of the tooling should fade, allowing our instincts to provide some protection against social engineering and leaving technology to start the fight against APTs.


Critical Infrastructure

Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) are two of the standard environments that can constitute a critical environment. Whilst many financial services environments can be described as critical, critical infrastructure is more focused on the key assets described by a government as being essential to the standard functioning of society and the economy. This would include key utilities such as electricity and water supply, public health institutions and national security groups such as the police and the military.

In recent years they have been subject to specific and prolonged attacks, exposing long-standing vulnerabilities.

Difference of Priorities: CIA to AIC

The standard information security triad consists of confidentiality, integrity and availability. The priorities of many business information systems follow the CIA approach in that order. Confidentiality is still the number one priority, with things like access management, network perimeter security and data loss prevention strategies still the number one budget grabber. The main driver behind such decisions is often the protection of intellectual property, client records or monetary transactions. The output of many service-related organisations obviously takes on a more intangible nature, placing a greater reliance on the digital management, storage and delivery of the processes and components that make that organisation work.

From a critical infrastructure perspective, I would argue that the priorities with regard to the security triad alter, to focus more on availability, with integrity and confidentiality being less important. An electrical generation plant has one main focus: generate and distribute electricity. A hospital has one priority: keep people alive and improve their health.


These types of priorities, whilst relying substantially on information systems, are often managed in a way that makes their delivery more important than the component systems involved.

This difference in attitude towards how security policies are implemented can have a significant impact on vulnerability and exploit management.

Vulnerabilities - Nature or Nurture?

Vulnerability management from a consumer or enterprise perspective is usually applied via a mixture of preventative and detective controls. Preventative controls come in the form of patching and updates, in an attempt to limit the window of opportunity from things like zero-day attacks. Detective controls come in the form of anti-virus and log management systems, which help to minimise impact and identify where and when a vulnerability was exploited. These basic steps, often taken for granted in enterprise protection, are frequently not available within critical infrastructure environments.

Critical infrastructure is often built on top of legacy systems using outdated operating systems and applications. These environments often fail to be patched due to the lack of downtime or permitted out-of-hours work. ICS and energy generation systems generally don't have a 'downtime' period, as they work 24 x 7 x 365. Outages are for essential maintenance only, and preventative patching won't necessarily qualify as an essential outage. Due to the age and heterogeneity of such systems, a greater focus on patch management would seem natural. Many critical infrastructure environments are also relatively mature in comparison to modern digital businesses.

Mechanisation of industrial and energy-related tasks is well over a century old, with computerisation coming only in the last 35 years. This maturity has often resulted in cultural and personnel gaps when it comes to information security.


Basic Security Erosion

Some of the security-related policies that have been implemented in critical infrastructure environments are now starting to erode. The basic but quite powerful preventative measure of using air-gapped networks to separate key systems from the administrative side of the organisation is being eroded. The need for greater management information, reporting and analytical systems has led to cross-network contamination. The low-level programmable logic controllers (PLCs), used for single-purpose automation of electromechanical tasks, are now being exposed to the public network. Connecting desktop and laptop devices to previously isolated networks has greatly raised the risk of infection by internet-borne malware.

Recent Attacks and a Change in Culture

The two major exploits focused specifically on critical infrastructure environments in the last couple of years have probably been the Stuxnet and Duqu attacks. Whilst the motives for these attacks may differ from the standard monetary or credibility drivers for malware, they illuminated the potential for mass disruption. As with any security attack, post-incident awareness and increased focus often result, and several new attempts at securing critical infrastructure are now gaining ground. Several government-led and not-for-profit organisations have contributed security frameworks for critical environments.

Kaspersky Lab also recently announced plans to develop a new, built-from-the-ground-up secure operating system, with a focus on critical environments.


Whilst previously focused only on the availability and delivery of key services and products, critical infrastructure environments now also have to manage the increasing threat posed by cyber attacks and malware exposure.
