Information Security Implications for Emergency Response Teams
Mark Lachniet (mlachniet@analysts.com), Analysts International

Uploaded by nicholas-french on 25-Dec-2015

Page 1

Information Security Implications for Emergency Response Teams

Mark Lachniet
mlachniet@analysts.com
Analysts International

Page 2

Introductions
• Mark Lachniet (mlachniet@analysts.com)
• Senior Security Engineer at Analysts International – Sequoia Services Group
• Technical lead for the AIC Security Group
• Certified Information Systems Security Professional (CISSP)
• Member of the High Tech Crime Investigation Association (HTCIA)
• Technical certifications from Novell, Microsoft, Linux Professional Institute, etc.
• Formerly the I.S. Director at a K-12 school district

Page 3

A Show of Hands
• How many are technical people? Are you in Information Security?
• How many are in law enforcement?
• How many work for a utility or local government?
• How many work for a university or college?
• How many work for a company?
• How many are their organization’s primary ER coordinator?

Page 4

Disclaimer
• I work in information security, not in law enforcement, so my opinions about terrorism and emergency response are based on research and not on first-hand experience
• I will not pretend to understand the intricacies of emergency management – you are the experts, so please tell me where I am wrong
• If you can think of an implication or issue, *please* raise your hand and speak up!
• All of the scenarios and information I will be talking about are very well documented in libraries and on the Internet – if I can come up with it, anyone can

Page 5

Purpose of Today’s Presentation
• Discuss *some* of the aspects of information security that are relevant to emergency response personnel:
– The idea of “Cyber-Terrorism”
– “Coordinated cyber attacks”
– Interaction between the “virtual” and “real” worlds (e.g. attacks that are actually possible)
– Protection of support resources (e.g. communication systems, databases such as RamSafe, etc.)
• Provide an overview of some information security procedures and services that you should be using

Page 6

Purpose of Today’s Presentation
• Provide links, works cited and references for continued research and investigation
• Provide time for discussion (in person, via e-mail or some other areas) about specific issues of concern
• Most importantly – to raise awareness. Things are bad in computer security, and we don’t want Michigan to be a casualty!
• My assumption is that this audience is primarily interested in hearing about those things that affect emergency response, so we will limit our scope to this

Page 7

The CIA Triangle

Confidentiality
Integrity
Availability

Page 8

The CIA Triangle
• Confidentiality
– Lost through the unintended or unauthorized disclosure of computer data or information
• Integrity
– Lost through the unintended or unauthorized modification of computer data or information
• Availability
– Lost through the loss of service of critical applications, systems, data, networks or computer services
• We need to worry about all three!

Page 9

The Goal of Information Security
• Simply put: “To be more annoying to break into than your neighbor”
• The house and neighborhood metaphor
• Increase the “work factor” of attacking you by erecting as many barriers as possible (defense in depth)
• Ultimately, network security is all about preserving the functionality of the organization. Technology is just the tool.
• For this audience, information security could mean the difference between a rapid response and lost lives, so the stakes are higher

Page 10

Security, ER and the Internet
• Thanks to the Internet, information about how to break into computer systems is trivially easy to find
• The level of sophistication required to attack systems has been reduced greatly, leading to an army of “script kiddies”
• Information about Emergency Response, military tactics, bomb making, and a variety of other “intelligence” topics is also readily available to anyone who wants it
• *All* of the good guys are scrambling to keep up, but the genie is out of the bottle

Page 11

“Cyber-Terrorism”
• Is somewhat misunderstood and over-hyped in the media
• Can be defined as “Use of information technology and means by terrorist groups and agents”
• A recent simulation of a so-called “Electronic Pearl Harbor” by a variety of law enforcement and computer types found that the threat was greatly over-hyped
• However, this is because the simulation focused primarily on an ALL-electronic attack on infrastructure, trying to burn up nuclear plants, etc.

Page 12

“Cyber-Terrorism”
• The analogy is made that a cyber attack is similar to a military bombing campaign
• It is focused on destroying supporting infrastructure, with the intent to cause chaos, reduce efficiency, and reduce morale
• Since military bombing campaigns (e.g. in WWII in the Pacific and in Germany) were not nearly as effective as hoped, it is assumed that a cyber attack would also not be very successful at disrupting infrastructure
• However, I believe this is a misunderstanding because of the way that a coordinated cyber attack / real-world attack could occur

Page 13

“Cyber-Terrorism”
• People also rightly point out that the point of terrorism is to instill terror in the populace to achieve a political goal
• While an attack just on technology might not do this, a cyber attack used in coordination with a real attack could cause a great deal of terror
• Take for example a bombing or bio-terrorist incident that was coordinated with an attack that hindered the “real world” response of emergency response crews
• Not only would people be worried about the direct terrorist threat, but also worried that the emergency response system was vulnerable

Page 14

Factors Favoring the Attacker
• Attackers can pick and choose their targets
• A physical attack in one city may be more or less the same as in another city to a terrorist
• However, the information security habits of one company versus another, one school versus another, and of ER organizations may vary greatly
• The attacker can take their time to find the one place that has poor information security, and leverage this in their attack
• Most organizations are so far behind in security that they would never know they were probed in the first place

Page 15

Historical Attacks
• In November 2001 a man was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to one million liters of sewage from a treatment facility in Australia
• The scary part is that it was only on the 45th attempt at compromising the system that he succeeded. The first 44 attempts were never noticed
• This was only sewage, but it could have been any other type of SCADA (Supervisory Control And Data Acquisition) system – the same kind used by some power companies, water facilities, etc.

Page 16

Recent History
• After the outbreak of the “Slammer” worm on the Internet this weekend, a number of fire department and 911 dispatch systems outside of Seattle, Washington reported that they had to resort to paper and pencil to conduct business for several hours
• This was from a simple worm (virus), and not even from a targeted attack
• In another example, in 1997 a juvenile disabled an FAA radar tower by disrupting the telephone communication system it relied on
• There are many other examples…

Page 17

Scenario #1: Disrupt Communications
• Disable the fire/police department phone systems (including 911)
• PBX and telephone hacking (called “phreaking”) has been around for years and is well documented
• A hacker could also use previously-compromised machines with modems on them as “slaves” to attack communications, such as:
– Have several computers constantly dial each of the ER response cell phones and pagers (rendering them useless)
– Fill up the 911 and ER phone queues, as well as those of adjoining municipalities

Page 18

Scenario #1: Disrupt Communications
• Techniques also exist to jam cell towers and phones using interference-generating equipment
• Other wireless technologies are just as susceptible, even peer-to-peer radio networks without repeaters, etc.
• MDTs (Mobile Data Terminals) in police cruisers could certainly be disrupted (especially at the transmitter)
• The latest version of Phrack (see links) contains detailed information about how to make a device to jam civilian GPS devices

Page 19

Scenario #2 – Traffic Lights
• Another way to inhibit ER efforts would be to create a traffic situation that stopped emergency response personnel from easily reaching their destination
• What if all of the traffic lights were red or otherwise manipulated to cause large-scale traffic jams all around the city? All lanes of traffic would be clogged, and nobody could get out of the way for ambulances, police, etc.
• Even an emergency vehicle override wouldn’t work in this situation
• The latest version of Phrack has DETAILED information on how to hack into traffic light control systems

Page 20

Scenario #3 – Misdirection
• Although likely non-technical, misdirection could also be a problem
• Creating a less critical emergency (such as one or more bomb scares) in other locations that the ER folks must respond to, and then hitting with a real attack elsewhere
• Releasing sewage, spreading talcum powder, lighting trashcans on fire, etc.

Page 21

Scenario #4 – Attack Computer Systems
• This is more of a “conventional” computer security issue
• Any computer, application or database that is going to be counted upon as a tool for ER can be a point of attack
• This could include email and paging systems, databases such as RamSafe, 911 call tracking systems, etc.
• If any computer technology is required to adequately do your job, it needs to be appropriately protected through appropriate information security practices and technologies

Page 22

Common Security Practices
• There are a lot of facets to information security. We won’t have time to talk about them all, but here are a few things that are bare minimums to consider
• Security is a nascent field in many respects
• Terminology, procedures and skill levels vary drastically between people and organizations
• Some disagreement over what best practices actually are (e.g. the best placement of an IDS)
• Few objective benchmarks to allow “apples to apples” comparisons for HW, SW, services
• There is a big technical curve for security – you must first be an expert in the technology, and then learn security on top of it
• Whether you do it internally or get external help, it needs to be done

Page 23

What We Have to Work With

Page 24

Common Security Services
• A firewall and Internet border security is simply not enough! This gives rise to the “candy” network – hard on the outside, soft on the inside (and tasty for attackers, too)
• Embrace the concept of “defense in depth.” In other words, have security at multiple layers and in many places to make attacks as difficult as possible.
• SEGREGATE YOUR CRITICAL DATA from everything else – Internet, phones, everything
• The Michigan State Police are making a reasonably good attempt at protecting LEIN data in this way through the CJIS policy council

Page 25

Vulnerability Assessments
• Sometimes called “penetration testing”
• Uses “human logic” and hacking tools
• Companies such as mine make a business of this because interpreting results and applying knowledge of the technologies involved is essential.
• The deliverable of a vulnerability assessment should include a list of all hosts, vulnerabilities, and some dialog on how to start fixing them
• Vulnerability assessments should be done regularly – new vulnerabilities come out all the time – so you must stay up to date
• Be warned – other people are assessing your network. Are you?

Page 26

Security Assessment Services
• Sometimes called an audit
• Sometimes performed in a very limited capacity by financial auditors (mainly backup systems)
• Can be used to audit an actual environment against a set of criteria, for example to determine compliance
• Should be performed by one or more individuals with backgrounds in both network systems and organizational administration
• Takes a macroscopic view of the organization
• Analyzes technology as well as policies and procedures, configurations, and other items that a tool cannot assess

Page 27

Security Assessment Services
• Uses interviews, inspection of documentation, and manual analysis (depending upon the focus)
• Should make recommendations on a wide variety of things to improve security
• Should provide a description of the current situation, what best practices are, and what the recommended changes are
• Should provide an estimate of pricing and priority, so that it can be used as a planning document for department priorities and budgets

Page 28

Operations Security
• Concerned with ways to mitigate security risks through administration – policies, procedures and practices
• The weakest link in the security chain is individual humans (or as Dilbert calls them, “in-duh-viduals”)
• Part of “defense in depth”
• Administration support is critical to any security initiative
• Helps to minimize risk, respond to incidents, and establish standards for how things should be done

Page 29

Formal I.S. Staff Security Responsibilities
• Security takes time! If nobody is given sufficient time to keep up with security, it will never happen
• The buck must stop somewhere. Who is responsible for it?
• Define explicit security responsibilities for one or more staff members such as firewall maintenance, log review, server patching, etc. (good on a resume)
• Document these responsibilities and how they are done – this will help in the case of a vacation or staff change (hit by a bus or wins the lotto, you choose)
• Provide tools and training opportunities (such as SANS, or Microsoft for K-12 security training)
• Put it in the budget!

Page 30

Formal Employee Security Responsibilities
• Every computer user has responsibilities they must live up to (or not use the computers)
• For example – don’t share passwords, don’t write passwords on sticky notes, don’t use your last name as your password, etc.
• Information privacy – don’t store important information in an inappropriate place
• Be aware of what is thrown into the trash – classify your data and protect it

Page 31

Security Awareness
• Staying abreast of the latest issues and solutions in security is critical
• Administrators must budget for and offer training opportunities to technical staff
• Administrators should require that technical staff be signed up for security listservs such as:
– BugTraq / NT BugTraq (www.securityfocus.com)
– Microsoft Bulletins (security.microsoft.com)
• Consider conducting regular internal trainings on security topics
• Consider ways to keep staff up to speed

Page 32

Physical Security
• It is critical to maintain a physical “zone of control” around important assets. Police departments do a good job of this; many others do not
• Without physical security, all other measures can be circumvented
• There are many types of physical attacks
• Access to critical areas such as wiring closets can provide unrestricted access to the network or allow damage to equipment (“oooh, look at the blinky lights”)
• Physical security is needed to prevent the loss of equipment

Page 33

Logging and Reporting
• In order to know how your systems are being used, you need to log all activity
• Use reporting tools to summarize and make sense of it!
• It’s too hard and time consuming to scan through raw logs by hand to find suspicious information
• Instead, use a log reporting tool to make sense of it
• These tools should summarize information such as host and protocol activity, usage trends, most popular hosts, etc.
• The “Cheap Man’s Intrusion Detection”
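The kind of log report the slide describes, as an added example in Python that is not part of the presentation: it summarizes host, protocol and action activity and flags sources with repeated failed attempts, which is where the 44 unnoticed attempts from the Historical Attacks slide would have surfaced before the 45th succeeded. The log format, device names, sample lines and the failure threshold of 3 are all constructed for this example.

```python
"""Log summarizer in the spirit of the "Cheap Man's Intrusion Detection" slide.
Added example, not from the presentation: parse syslog-style lines (format and
sample lines constructed here), summarize per host/protocol/action, and flag
sources whose failed attempts reach a threshold (3 is an assumed default).
"""
import re
from collections import Counter

# Constructed sample: <timestamp> <device> <proto> src= dst= action=<allow|deny|login-ok|login-fail>
SAMPLE_LOG = """\
2003-01-25T02:14:05 fw1 tcp src=10.0.5.21 dst=10.0.1.8 action=allow
2003-01-25T02:14:09 dialin1 ppp src=203.0.113.7 dst=10.0.9.2 action=login-fail
2003-01-25T02:15:11 dialin1 ppp src=203.0.113.7 dst=10.0.9.2 action=login-fail
2003-01-25T02:16:40 dialin1 ppp src=203.0.113.7 dst=10.0.9.2 action=login-fail
2003-01-25T02:19:30 dialin1 ppp src=203.0.113.7 dst=10.0.9.2 action=login-ok
2003-01-25T03:02:45 fw1 tcp src=198.51.100.4 dst=10.0.1.8 action=deny
2003-01-25T03:02:46 fw1 tcp src=198.51.100.4 dst=10.0.1.9 action=deny
2003-01-25T03:02:47 fw1 tcp src=198.51.100.4 dst=10.0.1.10 action=deny
2003-01-25T08:30:00 dialin1 ppp src=10.0.7.3 dst=10.0.9.2 action=login-fail
2003-01-25T08:30:20 dialin1 ppp src=10.0.7.3 dst=10.0.9.2 action=login-ok
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<proto>\S+) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$")

def parse(text):
    """Return (records, malformed_count); bad lines are counted, never dropped silently."""
    records, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
        elif line.strip():
            bad += 1
    return records, bad

def summarize(records):
    """Per-host, per-protocol and per-action counts: the usage trends a report should show."""
    return {"by_src": Counter(r["src"] for r in records),
            "by_proto": Counter(r["proto"] for r in records),
            "by_action": Counter(r["action"] for r in records)}

def suspicious_sources(records, fail_threshold=3):
    """Flag sources with at least fail_threshold denies or login failures.
    Records are assumed to be in time order; a later successful login from a
    flagged source is the case that matters most (the probing finally worked)."""
    failures, succeeded_later = Counter(), set()
    for r in records:
        if r["action"] in ("deny", "login-fail"):
            failures[r["src"]] += 1
        elif r["action"] == "login-ok" and failures[r["src"]] > 0:
            succeeded_later.add(r["src"])
    return {src: {"failures": n, "succeeded_later": src in succeeded_later}
            for src, n in failures.items() if n >= fail_threshold}

if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    print(f"{len(recs)} records, {bad} malformed")
    for key, counter in summarize(recs).items():
        print(key, dict(counter.most_common(3)))
    for src, info in suspicious_sources(recs).items():
        print("SUSPICIOUS", src, info)
```

Run daily against the previous day's logs, a report like this gives a small department a summary to glance at rather than raw logs to read, and the "succeeded_later" flag is the line to act on first.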

Page 34

Business Continuity Planning
• In the event of a disaster (to the organization, not externally) there needs to be a plan to keep working
• Of those organizations that experience a major disaster, two out of five will go out of business within five years. Although “the show must go on” for government, the cost in lost productivity and salary can be huge
• This means creating detailed plans for prevention, response and recovery of critical systems (both computer and otherwise)
• BCP is a detailed and time-consuming process, but it must be done, and it must be maintained in perpetuity

Page 35

General Information Security Web Sites
• http://www.securityfocus.com (sign up for BugTraq and read the articles)
• http://www.packetstormsecurity.org (seems to change a lot, but lots of dirt)
• http://www.microsoft.com/security
• http://www.sans.org (check out the student papers)
• http://www.cert.org
• http://www.gocsi.com
• http://www.securityportal.com
• http://www.isc2.org

Page 36

Works Cited
• PHRACK magazine: http://www.phrack.org/show.php?p=60
• United States Strategic Bombing Survey: http://www.anesi.com/ussbs01.htm
• Juvenile Hacker and FAA tower: http://www.cybercrime.gov/juvenilepld.htm
• 911 systems disrupted by Slammer Worm: http://www.msnbc.com/news/864184.asp?0cv=CB10
• CyberTerrorism – the Real Risks: http://news.zdnet.co.uk/story/0,,t269-s2121358,00.html
• CyberTerrorism and Computer Technology: http://www.counterterrorismtraining.gov/pubs/02.html

Page 37

Discussion

Thank You!