Summer 2004 – Information Security Carl Forde

Post on 21-Dec-2015


Page 1: Summer 2004 – Information Security Carl Forde. Introduction Purpose: To present an outline of my projects and learnings for the summer. Process: Present

Summer 2004 – Information Security

Carl Forde


Introduction

Purpose: To present an outline of my projects and learnings for the summer.

Process: Present projects and learnings. Open the floor for questions.

Payoff: You will have an understanding of what I’ve worked on, how I proceeded, the customers, the value to the customers, and what I’ve learned.


Project Overview

SCADA Security

ASAT Reporting (ongoing project)

Performance Metrics (summer project plan) in compliance with IT 1.5 of ASAT

Adware/Malware Removal Tools

Oracle Discoverer user manual

Other activities


Project 1: SCADA Security

Scope: Provide fast, safe solution to secure SCADA systems

Customers: All BUs (business units) using a SCADA system

Value to Customer: Safe and secure system that will allow a BU to continue processes easily


Research: What is SCADA?

Supervisory Control and Data Acquisition (SCADA) networks contain computers and applications that perform key functions in providing essential services and commodities (e.g., electricity, natural gas, gasoline, water, waste treatment, transportation) to all Americans. As such, they are part of the nation’s critical infrastructure and require protection from a variety of threats that exist in cyber space today. SCADA networks were initially designed to maximize functionality, with little attention paid to security. As a result, the performance, reliability, flexibility and safety of distributed control/SCADA systems are robust, while the security of these systems is often weak.


Analyze: The Problem At Hand

How much can we tighten security without impeding the system’s ability to perform its primary function?


Inventory: Identify Where SCADA Is Used

We must identify SCADA systems in use.

We must determine what security controls are already in place:

- Process Owner
- Site/Location
- Anti-virus
- Regular Security Audits
- Current Security Patches
- Network Access Restrictions (by device, by port)
- How many users have access to the SCADA system (either directly or over the network)


SCADA Risks

Risks we must control:

- Authorized internal users performing unauthorized tasks.
- Email access by devices on the Process network.
- Internet access from the Process network.
- Wireless connectivity.

Risks we cannot control:

- Hackers have targeted SCADA systems in the past and will do so more in the future.
- The number of hacking attacks continues to increase dramatically.


Solutions to SCADA Security

Strong network access controls, much like a firewall, help.

Intrusion Detection Systems (IDS) help. However, monitoring is very expensive, and an IDS is detective rather than preventive: it reports an intrusion after it has started instead of blocking it.

Most Effective Solution

A personal hardware firewall in front of each SCADA device, allowing traffic only from specific devices and only on specific ports, with everything else denied.

A SCADA network is only as secure as its weakest connecting point. It is essential to implement firewalls.


What is a Firewall?

A firewall is the first line of defense for your network. Its basic purpose is to keep uninvited guests from reaching the systems on your network. A firewall can be a hardware device or a software application and is generally placed at the perimeter of the network, where it acts as the gatekeeper for all incoming and outgoing traffic.
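The device-and-port allowlist described for the per-device SCADA firewall, worked through as an added example (this is not code from the presentation or from Alcoa; the device inventory, the 10.10.0.0/24 process network, the corporate address ranges and the connection records are all constructed, and the only real-world fact used is that Modbus/TCP listens on port 502). The checker takes a default-deny stance and names which of the slide's risks a denied connection corresponds to: email or internet access from the Process network, or an uninventoried host such as a wireless device.

```python
"""Default-deny allowlist check for a process (SCADA) network segment.

Added example, not part of the original presentation. Inventory, networks
and connection records are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed addressing: the process segment and the wider corporate ranges.
PROCESS_NET = ipaddress.ip_network("10.10.0.0/24")
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]

# Constructed inventory: the only devices the firewall should ever see.
INVENTORY = {
    "10.10.0.10": "hmi-01",         # operator HMI
    "10.10.0.20": "plc-01",         # PLC, Modbus/TCP listener
    "10.10.0.30": "historian-01",   # data historian
}

# Allowlist: (source device, destination device, protocol, port).
# Port 502 is the registered Modbus/TCP port. Anything not listed is denied.
ALLOW = {
    ("hmi-01", "plc-01", "tcp", 502),
    ("historian-01", "plc-01", "tcp", 502),
}

MAIL_PORTS = {25, 110, 143}   # SMTP, POP3, IMAP


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def classify(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one connection attempt."""
    src_ip = ipaddress.ip_address(flow.src)
    dst_ip = ipaddress.ip_address(flow.dst)

    # Nothing outside the process segment may initiate into it.
    if src_ip not in PROCESS_NET:
        return "deny", "source outside the process network"

    # Process devices reaching off-segment: the email/internet risks.
    if dst_ip not in PROCESS_NET:
        if not any(dst_ip in net for net in CORPORATE_NETS):
            return "deny", "internet access from the process network"
        if flow.proto == "tcp" and flow.dport in MAIL_PORTS:
            return "deny", "email access from the process network"
        return "deny", "off-segment destination not allowlisted"

    # Inside the segment: only inventoried devices, only listed ports.
    src_name = INVENTORY.get(flow.src)
    dst_name = INVENTORY.get(flow.dst)
    if src_name is None:
        return "deny", "source device not in inventory (rogue or wireless host?)"
    if dst_name is None:
        return "deny", "destination device not in inventory"
    key = (src_name, dst_name, flow.proto, flow.dport)
    if key in ALLOW:
        return "allow", f"{src_name} -> {dst_name} {flow.proto}/{flow.dport} allowlisted"
    return "deny", f"{src_name} -> {dst_name} {flow.proto}/{flow.dport} not allowlisted"


def audit(flows):
    """Evaluate a batch of flows; returns a list of (flow, verdict, reason)."""
    return [(f, *classify(f)) for f in flows]


# Constructed sample of connection attempts seen at the device firewall.
# 198.51.100.7 is a documentation address standing in for an internet host.
SAMPLE_FLOWS = [
    Flow("10.10.0.10", "10.10.0.20", "tcp", 502),    # HMI polling the PLC
    Flow("10.10.0.30", "10.10.0.20", "tcp", 502),    # historian polling the PLC
    Flow("10.10.0.10", "10.10.0.20", "tcp", 23),     # telnet to the PLC
    Flow("10.10.0.99", "10.10.0.20", "tcp", 502),    # unknown host on the segment
    Flow("10.10.0.10", "10.20.0.5", "tcp", 25),      # HMI talking to a mail server
    Flow("10.10.0.20", "198.51.100.7", "tcp", 443),  # PLC calling out to the internet
    Flow("192.168.5.4", "10.10.0.20", "tcp", 502),   # office host into the PLC
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Only the two inventoried HMI-to-PLC and historian-to-PLC Modbus flows pass; everything else is denied with a reason that maps back to the inventory and risk lists above, which is the same information a real device firewall's log would need to carry to be useful during an audit.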


Project 2: ASAT Reporting (ongoing project)

Scope: ASATs bring value to Alcoa as it drives better processes and controls while helping us to manage our environment. Reports help keep track of Alcoa’s ASAT progress.

Customers: Shareholders, Investors, Customers, Suppliers, Co-workers, Internal/External Audit, and everyone who does business with Alcoa.

Value to Customer: Peace of mind to know that Alcoa is in compliance with all laws, is living our values (Integrity, EHS, Customer, Excellence, People, Profitability, and Accountability), and is in control.


Research: What is an ASAT?

The Alcoa Self Assessment Tool, or ASAT, introduced as a multi-discipline tool in June 1998, is a set of Management Control Objectives available to self assessors and auditors who need to assure that management, administrative departments, and processes are meeting the expectations of good control standards and practices at Alcoa.

The ASAT provides objective feedback and identifies weaknesses in internal controls and processes. This process of identifying weaknesses and addressing them allows locations to ensure that their control environments are strong and that they remain strong.


Sarbanes – Oxley Legislation

On July 30, 2002, President Bush signed into law the Sarbanes-Oxley Act of 2002, in response to incidents of accounting irregularities.

The Act established the Public Company Accounting Oversight Board (PCAOB) to oversee corporate governance, disclosure, and auditor standards.

Section 404 requires management to assess and report on the effectiveness of the company’s internal control over financial reporting (certified by the CEO and CFO in the annual report), and requires the external auditors to attest to that assessment.


Section 404 of the Act


Status of Section 404

Original deadline of 12/31/03 was changed to 12/31/04 to allow appropriate time for compliance with new guidance

Alcoa is moving forward in the assessment of our internal control system while the PCAOB (Public Company Accounting Oversight Board) prepares to publish further guidance on the certification process


What Other Companies Are Doing…

Article from CIOInsight.com, August 8, 2003: According to a survey conducted in April by AMR Research Inc., about 85 percent of all public companies intend to change their IT systems as part of their efforts to comply with the law. And those companies are planning to spend $2.5 billion in 2003 alone on projects related to compliance.


To Ensure SOX 404 Compliance…

I assisted with reviews of ASAT work, specifically of testing documentation.

I looked for the name or initials of the person who did the test, the date of completion, a summary of results, how the test was produced, and any special sampling methods.

This is the minimum information that must be in the TrendTracker ASAT test text area, with a hyperlink to supporting details.

I went through over 40 ASAT sections and found that most of this information was present.

I informed Bill Yurkovich if the documentation present was weak.


Scoring: Self Assessment Levels

Each level is scored on four criteria: Minimum Expectations, Testing, Action Plans, and Frequency.

Level 5
- Minimum Expectations: All applicable Minimum Expectations answered and thoroughly explained, giving the reader enough information to draw a clear conclusion.
- Testing: Performed for all applicable Testing Suggestions for each objective.
- Action Plans: Detailed action plans are developed, including an identified SPA and completion date. Progress is tracked on a regular basis. The action plans address the risk.
- Frequency: All applicable minimum expectations and testing suggestions are completed in full at least every 18 months. The ASAT is part of an on-going management system.

Level 4
- Minimum Expectations: All applicable Minimum Expectations are answered and thoroughly explained, giving the reader enough information to draw a clear conclusion.
- Testing: The majority of applicable testing suggestions for each objective are completed in all applicable major areas.
- Action Plans: Detailed action plans are developed, including an identified SPA and completion date. Progress is tracked on a regular basis. The action plans address the risk.
- Frequency: No specific frequency stated. Most likely completed only in preparation for an audit.

Level 3
- Minimum Expectations: All applicable Minimum Expectations are answered. Explanations are limited so that a clear conclusion cannot be made.
- Testing: The majority of applicable testing suggestions for all objectives in at least one major area are completed. At least limited testing in the other applicable major areas.
- Action Plans: Action plans are limited and may or may not include SPAs or completion dates.
- Frequency: No specific frequency stated. Most likely completed only in preparation for an audit.

Level 2
- Minimum Expectations: Minimum Expectations are answered with little explanation. All minimum expectations may not be complete.
- Testing: No testing or limited testing.
- Action Plans: Action plans are insufficient or are not developed. Control deficiencies are not addressed in a timely manner.
- Frequency: No specific frequency stated. Most likely completed only in preparation for an audit.

Level 1
- Minimum Expectations: No Minimum Expectations are answered.
- Testing: No testing.
- Action Plans: No action plans.


What Audit???

In Alcoa’s August 7 press release certifying our financial statements, Alain Belda said, “Alcoa has long had in place systems, procedures and controls to ensure the accuracy of our results, and we continually refine and improve upon these measures.”

Here at Alcoa an audit is not an event! Performing ASAT for the purpose of an upcoming audit is not a cost-effective use of resources and does not meet the requirements of ASAT Penetration Level 5. In fact, using this process is in violation of ABS principles because it results in the performance of two audits (a self-assessment and an internal audit). ASAT should not be done “for Audit,” but for the improvement of the process environment at each location.


How To Score Big: Obtain Level 5

To obtain a Level 5 in the ASAT process, a location is expected to have developed a “management system.” This entails performing a regular update of each location’s self-assessment. Audit has defined a regular update as at least once every 18 months. The update can be done all at one time, or it can be done in sections on an ongoing basis so that over an 18-month period, all of the objectives applicable to the location have been addressed and tested. Best practice is a 12-month schedule. Sustainability must be demonstrated in order to perform at an ASAT Level 5. This requires the completion of at least two ASAT cycles. The extent of testing completed in the ASAT should be based on the underlying risk of the process.


Good Idea: Performance Metrics!

IT 1.5: A program of on-going measurement of management and administrative processes reflects performance against business objectives and customer requirements and is used to drive improvement.


Tools: Marsh TrendTracker

The TrendTracker software is a suite of applications designed to automate and consolidate the Alcoa Self-Assessment and Audit Processes. This solution is intended to make the ASAT and Audit processes more efficient and helps to ensure that Alcoa’s facilities operate in accordance with the appropriate corporate and governmental standards, recommendations and best practices.


Tools: Oracle Discoverer

With Discoverer, you can get and analyze data that you know is in Alcoa’s databases, without having to understand difficult database concepts.

Using Wizard windows and menus, Discoverer guides you through the steps to get and analyze data that supports your decisions. Discoverer does most of the hard work for you by going directly to the Oracle tables and pulling out the exact information you need without returning redundant and unnecessary information.


Good Idea: Oracle Discoverer Instructions!

Write up some detailed instructions on how to run a pre-made report in Oracle Discoverer


Oracle Discoverer Instructions

Part I – Running A Report

1) Open Internet Explorer
2) Go to the Alcoa Audit homepage (http://intranet.alcoa.com/audit/default.asp?Level=1)
3) Click on “TrendTracker Web ASAT” at the top right
4) Click on “Launch TrendTracker” on the left menu
5) Click on the magnifying glass under iDiscoverer for the P650 instance
6) A new window will open
7) Click on the large image of a magnifying glass to launch Discoverer
8) When Discoverer launches, enter your username in the field provided
9) Enter your password in the field provided
10) Leave the Database as P650. Important: Uncheck the “Oracle Applications User” box
11) Click Connect or hit Enter
12) Click the “Open an existing workbook” button
13) Click the “Database” button


Project 3: Adware/Malware Removal Tools

Scope: Research and test removal tools that will satisfy the needs of Alcoa at an Enterprise level

Customers: All Alcoa computer users

Value to Customer: Fixes these problems:

- Loss of bandwidth due to advertising traffic
- Loss of personal productivity due to users trying to cope with annoying pop-up ads
- Increased costs and workload as the help desk personnel manually clean workstations
- Loss of personal privacy due to cookies that track web surfing patterns
- Degraded stability and usability of the workstation


Research: What is Adware/Malware?

Adware: Software that runs targeted advertisements on a PC and uses web-surfing patterns to target ads to users.

Malware: Malware, or malicious code, is a catch-all term for the various types of software that can cause problems for, or damage, your computer. The more common classes of malicious code are viruses, worms, Trojan horses, macro viruses, and backdoors.


Research: Who is the BEST?


The BEST for Alcoa

What is needed for an Enterprise Solution:

- Central management
- A management console that can manage thousands of clients
- Web interface for remote monitoring
- Exception reporting and drill-down reporting
- Alerting (SMS, pager, email)
- Delegated access control to the management interface (i.e., reports only)
- User, group, and enterprise policies
- Integration with AD for users and group structure
- Extended actions (ignore, selective ignore, fence, delete, repair, quarantine)


The BEST for Alcoa, continued

- Minimum systems and network overhead
- Software distribution tools for agents and updates
- Hierarchical signature distribution
- Scheduled and push signature distribution
- Policy and update procedures that are location-dependent (i.e., remote laptops)
- Remotely deployable repair/cleanup tools with rollback capability
- Proactive software action filters/warnings (i.e., “Warning, this software is… continue or abort?”)
- List of spyware filtered
- Around-the-clock lab to monitor threats, find new malware, and distribute signatures
- Minimal end user controls (locked local client)
- Scalable signature distribution facilities to meet the demands of clients


Solution: The Sad Truth…

At this time there are no silver bullets. A combination of standards, procedures, and products will be required to reduce the different types of extended threats, including adware and malware. Although Microsoft’s Windows XP Service Pack 2 will reduce the number of existing threats, additional software will always be necessary to protect users. These attacks will remain a threat because many of them need no flaw in the operating system at all: they trick the user into installing the software, and with it compromising security.


Solutions: There is hope!

Some of the options that can be implemented to reduce the extended threats are:

- Tighten browser security settings, i.e. disable Install On Demand (Internet Explorer) and Install On Demand (Other) in the browser’s advanced settings.
- Tighten the web gateway: create a block list on the X-Stop box with the sites of known advertisers, marketers, and junkware distributors.
- Deploy enterprise anti-spyware tools as they become available.
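The gateway block list option above, as an added example of the matching logic such a list needs (this is not code from the presentation, and it is not how the X-Stop appliance works internally; the block list entries and the request log are constructed, and the domains are reserved example names). The point it makes is that a block list entry must match on label boundaries: blocking ads.example.net has to catch cdn.ads.example.net but not notads.example.net, and a junkware host named junkware.example.com.example.com must not slip through just because a listed name appears inside it.

```python
"""Suffix-matching domain block list for a web gateway.

Added example, not part of the original presentation. Block list and
request log are constructed; all domains are reserved example names.
"""
from urllib.parse import urlsplit

# Constructed block list of advertiser / tracker / junkware hosts.
# A bare domain blocks itself and every subdomain beneath it.
BLOCKLIST = {
    "ads.example.net",
    "tracker.example.org",
    "junkware.example.com",
}


def normalize_host(url_or_host: str) -> str:
    """Lower-case the host part of a URL or bare hostname, dropping
    userinfo, port and any trailing dot, so lookups are canonical."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s          # let urlsplit parse a bare hostname
    host = urlsplit(s).hostname or ""
    return host.rstrip(".").lower()


def is_blocked(url_or_host: str, blocklist=BLOCKLIST) -> bool:
    """True if the host equals a block list entry or is a subdomain of one.
    Walking up the label hierarchy (a.b.c -> b.c -> c) matches only on
    label boundaries, so 'notads.example.net' is not caught by the
    'ads.example.net' entry."""
    labels = normalize_host(url_or_host).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def filter_log(lines, blocklist=BLOCKLIST):
    """Apply the block list to gateway log lines of the form
    '<client-ip> <url>'; returns (allowed, blocked) lists of URLs."""
    allowed, blocked = [], []
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue               # skip malformed lines
        url = parts[1]
        (blocked if is_blocked(url, blocklist) else allowed).append(url)
    return allowed, blocked


# Constructed gateway request log.
SAMPLE_LOG = """\
10.1.2.3 http://www.example.com/news
10.1.2.3 http://ads.example.net/banner.gif
10.1.2.4 https://cdn.ads.example.net:443/pixel.js
10.1.2.4 http://notads.example.net/index.html
10.1.2.5 http://user:pw@Tracker.Example.ORG./beacon
10.1.2.5 http://junkware.example.com.example.com/free-toolbar
""".splitlines()

if __name__ == "__main__":
    allowed, blocked = filter_log(SAMPLE_LOG)
    print("blocked:", *blocked, sep="\n  ")
    print("allowed:", *allowed, sep="\n  ")
```

The last log line is the instructive one: the listed name appears as a prefix of the host, not as its suffix, so the host is a different domain and is correctly left alone; a naive substring match would have blocked it, and, worse, a substring match would also block legitimate names that merely contain a listed string.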


Other Activities

- Intern Conference
- The famous NADC (tour)
- ABS Training: Make to use; Eliminate waste; People linchpin the system
- Teambuilding Exercise


Thank You Alcoa!