managing security of the grid in the cloud - sans briefing...managing security of the grid in the...
TRANSCRIPT
Managing Security of the Grid in the CloudRaoul Chiesa, Senior Advisor on Cybercrime
ECU – Emerging Crimes Unit, UNICRI
United Nations Interregional Crime and Justice Research Institute (UNICRI)United Nations Interregional Crime and Justice Research Institute (UNICRI)
Disclaimer
The information contained in this presentation does not breakany intellectual property, nor does it provide detailedinformation that may be in conflict with actual known lawsinformation that may be in conflict with actual known laws.
Registered brands and logos belong to their legitimateRegistered brands and logos belong to their legitimateowners.
The opinion here represented are our personal ones and donot necessary reflect the United Nations nor UNICRI views.
Agenda
# whoisWhat’s all aboutA look insideSCADA & ICS
The SOVEMA case studyThe Cloud and SCADA: shared issuesThe BAD newsBe SECURE!To zoom in….C t t Q&AContacts, Q&A
#whois
Raoul “Nobody” Chiesa
• Old-school Hacker from 1986 to 1995
• Founder, @ Mediaservice.net (Est. 1997)@ ( )
• Supporting UNICRI since 2004; Cybercrime Advisor since 2005
• ENISA PSG, Advisor• Italian MoD OSN/CASD “CyberWorld” WG: Group Leader
• OSSTMM Key Contributor; HPP Project Manager; ISECOM International Trainerte at o a a e
• Member of CLUSIT, AIP/OPSI, TSTF.net (Telecom Security Task Force), APWG, ICANN, CyberDefcon, HostExploit, WINS, etc;
• I work worldwide (so I don’t get bored ;)
• My areas of interest: Pentesting, SCADA/DCS/PLC, National C iti l I f t t S it R&D E l iti i d t ffCritical Infrastructures, Security R&D+Exploiting weird stuff, , Security People, X.25, PSTN/ISDN, Hackers Profiling, Cybercrime, Information Warfare & “CyberWar”, Security methodologies vertical “hard-core” Trainingsmethodologies, vertical hard-core Trainings.
UNICRI
• UNICRI was created in 1968 to assistintergovernmental, governmental and non-governmental organizations in formulating andgovernmental organizations in formulating andimplementing improved policies in the field of crimeprevention and criminal justice. WHQ is in Turin,Italy, inside the United Nations InternationalT i i C (ITC/ILO)Training Campus (ITC/ILO).
• In a rapidly changing world, UNICRI’s major goalstoday are advancing security serving justice andtoday are advancing security, serving justice andbuilding peace.
• Our key areas of focus:Applied ResearchApplied ResearchCapacity BuildingTechnical Co-operation
Emerging Crimes Unit (ECU): deals with cyber• Emerging Crimes Unit (ECU): deals with cyber crimes, counterfeiting, environmental crimes, trafficking in stolen works of art…
Fake Bvlgari &Rolex, but also Viagra & Cialis (aka SPAM)Water systems with “sensors”…Guess how they update each others?
Email, chat&IM, Skype…
Cybercrime turnover?
“2011 Cybercrime financial turnover apparently scored up more thanappa e t y sco ed up o e t a
Drugs dealing, Human Trafficking and Weapons Trafficking turnovers”
Various sources (UN, USDOJ, INTERPOL -2010/2011)
Financial Turnover, estimation: 6-12 BLN USD$/year
Source: Group IB Report 2011Source: Group IB Report 2011
IEEE “Hacking Matrix”
http://spectrum.ieee.org/static/hacker-matrix
NCIs and Nation State attacks…
"In the very near future many conflicts will not take place on theopen field of battle, but rather in spaces on the Internet, fought
with the aid of information soldiers, that is hackers.Thi th t ll f f h k i t th thThis means that a small force of hackers is stronger than the
multi-thousand force of the current armed forces.“
Former D ma speaker Nikolai K r ano ich 2007Former Duma speaker Nikolai Kuryanovich, 2007
What’s all about
What’s all about
• We’ve got 3 different worlds here (just to make things “easier” ;)
• Logical Security
Cl d• Cloud
• SCADA/Industrial Automation
What’s all about /2
• Logical SecuritySince our today’s society is (nearly) totally depending on IT, Security become a mandatoryand strategic issueand strategic issueThus, we’re not able to rule it yet -> New challenges everyday, new “trends” (technologies)
Public vulns (both Full or Responsible disclosure ones)0-Days -> Black Market -> Underground EconomyCybercrime, Information Warfare, CyberWar (?)y , , y ( )GOVs & MILs entering in the game
Overall, already on its own it’s a very complex world…• Cloud
A really “fresh” brand new technologyA really fresh , brand new technology.The InfoSec community & Industry is missing:
Its backgrounds, history and field use -> InfoSec experts need time to learn from mistakesIncidents are already happeningIt calls for answers: best practices and security standards (CSA will help out here)It calls for answers: best practices and security standards (CSA will help out here)
• SCADA/Industrial AutomationOld technology Different views, needs and priorities when compared to InfoSec (i.e.: CIA vs AIC)Sec rit aspects ere not a prioritSecurity aspects were not a priorityA security bugs’ tsunami (i.e. 100 SCADA bugs in 100 days)
Increasing attention from Bug Hunters (Security Researchers) and Hackers (crackers?)Much more will come
Strategical asset > Interest from the Information Warfare perspectiveStrategical asset -> Interest from the Information Warfare perspective
A look inside
What’s this Cloud?
The very official, “serious” term: CloudComputing
• Wikipedia:Cloud computing is the delivery of computing as a service rather than acomputing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).
• Henry J Sienkiewicz – DISA (DefenseHenry J. Sienkiewicz DISA (DefenseInformation Systems Agency)
A style of computing where massively scalable (and elastic) IT-related capabilities are provided “as a service” to external customers using Internet technologies.
“Cloud” /2
IaaS: Infrastructure As-a-ServiceProcessing, networking, storage,
virtualizationvirtualization
PaaS: Platform-As-a-Service• Applications development, pp p ,
platforms to develop and test and study SaaS applications. Intended for sw developerscommunitiescommunities.
SaaS: Software-As-a-Service• Pay-per-Use your applicationy p y pp
through the Web
XaaS: Whatever-As-a-Service:• Data As a Service (on line• Data-As-a-Service (on-line
storage or DaaS)• Cracking-As-a-Service?• DDoS-aaS?
History played back
Cloud’s fans and opponents (PROs/CONs)( / )
☺
Cloud sucks because...
It doesn’t have security
Cloud is cool because...
IDC/Gartner/whoever said it’s the
I want to manage my stuff on my own
I don’t go for cloud ‘cause I don’t have
future
It’s SO trendyI save moneyany stuff on cloud and I never will
I don’t cloud ‘cause I already have my
cloud: it’s my datacenter close to my
I save moneyThe son of a friend of mine runs a Facebook page with +1000 friends
d t ld th t l d i “ tcloud: it’s my datacenter, close to my
town
If it’s gonna rain, I’ll lose my data
and told me that cloud is a “must-have”
Because “everything is on the I t t”If it s gonna rain, I ll lose my data
On cloud they would steal my data and
the USA would read my emails
Internet”
SCADA & ICS
The Cloud and SCADA: shared issues
Known issues /1
Recording• Logging?
Whi h t f l ?• Which type of logs? • And what about the data-retention and privacy laws? • Where’s my data, in which country?
Access• Who can access my data?• What if I CAN’T access my own data??• What if I CAN T access my own data??
Backups and safeties• What is backuped?• What is backuped?• When?• How long (data retention, again)
Compliance• Which kind of Security Audits are allowed to be run?• What about Penetration Tests? Who will legally authorise the pentesters?g y p
Known issues /2
Lawful Interception• TLC Service providers must be compliance with LIS laws
L tt i il b th i t UE d t EU t i• Laws are pretty similar, both into UE and extra-EU countries
Legal• Where is the datacenter located?e e s t e datace te ocated• Local laws (i.e. Privacy)• Cloud Provider VS data management (privacy, once again)• Transferring this data abroad….?g
DLP (Data Loss Prevention)• How can I monitor what is happening to my boxes/applications/services?• what about Digital Forensics ?!? Insurance’s aspect (break ins)??• …what about Digital Forensics ?!? Insurance s aspect (break-ins)??
Hidden costs• Is there anything billed in an “hidden” way?• CPU?• Data Traffic?• Disk space & Backups quotas?
The bad news
First, “fresh” problems
September 8th, 2001
Google Docs stopped working….
30 minutes “black-out”30 minutes black out
Those data people was working on, got lost
And, people wasn’t able to work btw!!
While this news is from 2001, in the last 10 years a lot of similar incidents have happened
Unknown issues
DDoS attacks• Running on cloud can be extremely helpful when
mitigating DDoS attacksmitigating DDoS attacks • These attacks would not be “as much easy” to mitigate
within your standard infrastructure• On the other hand from an attacker’s point of viewOn the other hand, from an attacker s point of view,
the cloud infrastructure itself would represent a very powerful “shotgun”
Unknown issues /2
Password cracking• Attackers already have abused Cloud’s ISPs resourcesin order to run password cracking software:in order to run password cracking software:https://www.infosecisland.com/blogview/11018-Cracking-WPA-Protected-WiFi-in-Six-Minutes.html
• “Roth was able to crack 400000 passwords perRoth was able to crack 400000 passwords persecond”
http://www.darkreading.com/authentication/167901072/security/client-security/229301362/researcher-overcomes-legal-setback-over-y gcloud-cracking-suite.html
• “Apparent mis-translation by a German newspaper of English-speaking reports on researcher's Amazon EC2-
fbased password-cracking tool led to raid, frozen bank account”
• 11 Jan 2011 – Researcher cracks Wi-Fi passwords with A l d t il bl f 28 tAmazon cloud ... computers available for 28 cents perminute, the cost of the crack came to just $1.68.
http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/g/
Be SECURE!
Be SECURE!
A good start from the folks at NIST & ENISA• NIST Releases Secure Cloud Computing Guidelines (September 15, 2011)2011)• Read the article on Infosec Island! (http://www.infosecisland.com)• NIST Cloud Computing Standards Roadmap
(NIST SP-500-291): http://www.nist.gov/manuscript-publication-f ?search.cfm?pub_id=909024
• The full document: http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/StandardsRoadmap/NIST_SP_500-291 Jul5A pdf291_Jul5A.pdf• ENISA, Cloud Computing - Benefits, risks and recommendations for information security, November 2009
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-i k trisk-assessment
• ENISA, Cloud Computing - SME Survey, November 2009http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-
sme-surveysme survey• ENISA, Cloud Computing Information Assurance Framework, November 2009
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-i f ti f kinformation-assuranceframework
To zoom in…
A gift for you all here! ☺
Get your own, FREE copy of “F3” (Freedom from Fear, the United Nations magazine) issue #7, totally focused on Cybercrimes!totally focused on Cybercrimes!
DOWNLOADDOWNLOAD:
www.FreedomFromFearMagazine.org
Or, email me and I will send you the full PDF (10MB)
Know your Enemy
Profiling Hackers: the Science of Criminal Profiling as applied to the World of Hacking
ISBN: 978-1-4200-8693-5-90000
Questions?
Contacts, Q&A
Raoul Chiesa
Thanks folks!
E-mail: [email protected]
Thanks folks!
http://www.unicri.it
UNICRI Cybercrime Home Page:y ghttp://www.unicri.it/emerging_crimes/cybercrime/
UNICRI Cybercrime Initiatives:htt // i i it/ i i / b i /i iti ti /http://www.unicri.it/emerging_crimes/cybercrime/initiatives/