16th GCC e-Gov. & e-Serv. Forum, GCC eGov 2010 Conference
Cyber-war, Cyber-crime: Risks and Defences
[email protected]

Scope of Security: the Internet

BGP (Border Gateway Protocol): http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/bgp.htm

Spread of the Code Red Worm, July 19 2001, 01:05:00

Spread of the Code Red Worm, July 19 2001, 20:15:00

Financial cost of the Code Red worm: $2.6 billion

SQL Slammer worm: 30 minutes
- Infections doubled every 8.5 seconds
- Spread 100x faster than Code Red
- At peak, scanned 55 million hosts per second
- Cost: $1.2 billion
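The doubling time quoted above is enough to reconstruct the whole growth curve of a random-scanning worm. The Python model below is an added illustration, not part of the original slides: it takes the 8.5-second doubling time from the slide, assumes a vulnerable population of 75,000 hosts (an input chosen for the example, of the order reported for Slammer, not a figure from this page), derives the contact rate of the random constant spread model, and shows both the closed-form logistic curve and a step-by-step simulation of how fast a single infected host saturates the population. The model, the population size and the IPv4 scan-space assumption are all stated in the code.

```python
"""Random-scanning worm growth reconstructed from a measured doubling time.

Model: the random constant spread (RCS) model of Staniford, Paxson and
Weaver,
    da/dt = K * a * (1 - a)
where a(t) is the infected fraction of the N vulnerable hosts and
K = r * N / 2**32 is the contact rate for a worm sending r scans per second
per infected host to uniformly random IPv4 addresses.

Inputs are assumptions for illustration: the 8.5 s doubling time is the
figure on the slide; N = 75,000 is an assumed vulnerable population of the
order reported for Slammer, not a number taken from this page.
"""
import math

DOUBLING_TIME_S = 8.5               # from the slide: infections doubled every 8.5 s
ASSUMED_VULNERABLE_HOSTS = 75_000   # assumption (see module docstring)
IPV4_SPACE = 2 ** 32                # a random scanner draws from the full IPv4 space


def contact_rate(doubling_time_s):
    """K such that the early, exponential phase doubles every doubling_time_s.

    While a << 1 the model reduces to da/dt ~= K*a, so a(t) ~= a0*exp(K*t)
    and the doubling time is ln(2)/K.
    """
    return math.log(2) / doubling_time_s


def implied_scans_per_host(k, n_vulnerable):
    """Per-host scan rate r that produces contact rate k against n_vulnerable targets."""
    return k * IPV4_SPACE / n_vulnerable


def infected_fraction(t, k, a0):
    """Closed-form solution of the logistic equation with a(0) = a0."""
    e = math.exp(k * t)
    return a0 * e / (1.0 - a0 + a0 * e)


def time_to_fraction(target, k, a0):
    """Invert the closed form: seconds until the infected fraction reaches target."""
    return math.log(target / (1.0 - target) * (1.0 - a0) / a0) / k


def simulate(k, n_vulnerable, dt=0.1, target=0.9):
    """Euler-integrate the model from one infected host until the target
    fraction is reached and return the elapsed seconds.

    Agrees with the closed form to within a second or two at dt=0.1 and is
    the place to add effects that have no closed form (per-host bandwidth
    limits, patching), which is what flattened the real Slammer curve.
    """
    a = 1.0 / n_vulnerable
    t = 0.0
    while a < target:
        a += k * a * (1.0 - a) * dt
        t += dt
    return t


if __name__ == "__main__":
    k = contact_rate(DOUBLING_TIME_S)
    a0 = 1.0 / ASSUMED_VULNERABLE_HOSTS
    print(f"contact rate K = {k:.4f} /s")
    print(f"implied scans per infected host = "
          f"{implied_scans_per_host(k, ASSUMED_VULNERABLE_HOSTS):.0f} /s")
    print(f"time to 90% infected (closed form) = {time_to_fraction(0.9, k, a0):.0f} s")
    print(f"time to 90% infected (simulation)  = {simulate(k, ASSUMED_VULNERABLE_HOSTS):.0f} s")
    for t in (30, 60, 120, 180):
        hosts = infected_fraction(t, k, a0) * ASSUMED_VULNERABLE_HOSTS
        print(f"t = {t:3d} s  infected hosts = {hosts:8.0f}")
```

With these inputs the model reaches 90% of the population in under three minutes from a single host, and the implied per-host rate of a few thousand scans per second is what makes a small UDP worm bandwidth-bound rather than code-bound; the lesson for defenders is that any response that takes minutes (signature push, manual blocking) is already too late against this class of worm, and that the only effective controls are the ones in place before the first packet (patching, ingress filtering of the service port, rate limiting of outbound scans).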

This information is from the Cooperative Association for Internet Data Analysis (CAIDA) and the University of California at San Diego.

Largest Botnet Busted: Netherlands botnet, Oct 2005
Dutch authorities arrested three individuals accused of running one of the largest ever hacker botnets of zombie PCs. The botnet consisted of over 100,000 systems that were commandeered using the W32.Toxbot Internet worm.

Storm worm strikes back at security, Oct 2007
Researcher says those discovered trying to defeat the worm suffer DDoS attacks. The Storm worm is fighting back against security researchers who seek to destroy it and has them running scared, Interop New York show attendees heard Tuesday. The worm can figure out which users are trying to probe its command-and-control servers, and it retaliates by launching DDoS attacks against them.

2007: Estonia vs Russia
- Escalation from a political incident
- One of the most advanced Internet infrastructures in the EU
- Over two weeks of complete shutdown
- 1st: massive external DDoS
- 2nd: massive internal DDoS
- No eGov: 0%
- No eBanking: 0%
- Severe economic cost

Estonia

Middle East: cyber-war
- Core hackers: fewer than 100; they provide the ideas and the tools
- Volunteers and conscripts: 10,000+, from all over the world; they provide brute-force scanning and DoS power
- Cyber attack intensity has mirrored the intensity of fighting on the ground

Other Examples (source: Computer Associates International, Inc., ca.com, January 29, 2001)
- Melissa virus: estimated $80M damages
- Hackers for hire pleaded guilty to breaking into AT&T, GTE and Sprint; credit card numbers sold to organised crime in Italy; $2M damages
- Chinese hackers attacked US targets after the bombing of the embassy in Belgrade; the spy plane incident resulted in the largest attack in history

The most powerful cyber attack: propaganda
- Old fashioned
- Some faked in English papers
- The Internet dissemination of the Abu Ghraib photos did more to damage the political interests of the U.S. than all of the cyber attacks since the beginning of the Internet age!

Photo: antiwar.com ("60 Minutes" logo copyright CBS News; reprinted for fair use)

Old-fashioned, but it can beat denial of service and web defacements by a mile. Abu Ghraib is the best example: digital cameras and e-mail.

eGovernment Impact

Why Does This Happen?

Infosec - Traditional View (firewall, IDS, anti-virus against the attack)
- The net is insecure because of a lack of features: crypto, authentication, filtering
- Solution: better filtering, AES, PKI
- IT time-to-market is critical: the Microsoft philosophy, "ship it Tuesday, get it right by version 3"
- Until 1999
- DDoS and viruses now don't attack the infected machine; they use it to attack others

Infosec - New Views (after 2000)
- Systems mostly insecure because the people
- Bank customers suffer when poorly-designed bank systems make fraud and phishing easier
- Casino websites suffer when infected PCs run DDoS attacks on them
- Websites with a TRUSTe certification are 2x as likely to be malicious
- The top Google ad is 2x as likely as the top free search result to be malicious

Report Govcert (NL) 2009: the Internet has serious security flaws. Increase in:
- The number of contaminated computers
- Criminal takeover of home computers
- On-line activities, and with them vulnerabilities
- Careless management of personal information: social engineering attacks
- New weaknesses found in fundamental infrastructure
- Encryption becoming out of date
- The need for international co-operation and effective enforcement
- More sophisticated attacks

Security Threats
- Environmental
- Natural disasters
- Unexpected (the OOPS factor)
- Cyber terrorism
- Viruses
- Industrial espionage

Business Risks
- Employee and customer privacy
- Legislative violations
- Financial loss
- Intellectual capital
- Litigation
- Public image / trust

Infrastructure Best Practices: why should you care?
- Avoiding complete loss of e-Gov and e-Serv
- Avoiding revenue loss, damage to reputation, and loss of productivity, performance and governance

A complex problem to solve:
- Protect critical business processes
- Protect critical supporting infrastructure
- Protect company data and intellectual property
- Meet compliance regulations
- Manage the people in the process

Impact of Disaster
- Productivity: number of employees x % impacted x hours out x burdened hourly cost = $ impact (downtime measured in minutes to days; $ millions)
- Revenue: direct loss, compensatory payments, lost future revenues, billing losses and investment losses (direct financial / customer impact; $ billions)
- Damaged reputation: customers, competitors gain advantage, suppliers, financial markets, business partners
- Governance and performance: revenue recognition, cash flow, credit rating, stock price, regulatory fines

The direct impact of downtime increases at a constant rate over time; the indirect impact can be far more severe and unpredictable, and increases exponentially.

eGov: Importance of Infrastructure

Critical Infrastructure: cable cuts
Recent Middle East incident: a dragging anchor cut two critical cables, with 85+ million users impacted across eight countries. The incident highlights potential terrorist opportunities. Resiliency is ABSOLUTELY CRITICAL.

Users affected: India 60m, Pakistan 12m, Egypt 6m, Saudi Arabia 4.7m, UAE 1.7m, Kuwait 0.8m, Qatar 0.3m, Bahrain 0.2m

Third undersea cable cut in Middle East - Sat Feb 2, 2008 3:10pm IST (Reuters)
A third undersea cable was cut on Friday, just two days after two breaks near Egypt disrupted Web access in parts of the Middle East and Asia, Indian-owned cable network operator FLAG Telecom said.

Egypt lost more than half its Internet capacity because of Wednesday's breaks and intends to seek compensation, its ministry of communications said in a news release.

India's booming outsourcing industry, which provides a range of back-office services, like insurance claims processing and customer support, to overseas clients over the Internet, played down Wednesday's disruption, saying they had used back-up plans.

Egyptian telecom authorities said about 55 percent of the country's Internet capacity had been restored by Friday, thanks to rerouting of traffic.

The International Cable Protection Committee, an association of 86 submarine cable operators dedicated to safeguarding undersea cables, has declined to speculate on the cause of the breaches, saying investigations were underway.

More than 95 percent of transoceanic telecoms and data traffic is carried by undersea cables, the rest by satellite.

Electrical Control System Attacks (SCADA)

Nuclear Bomb - the EMP Issue
The most devastating sort of cyber attack on the U.S. would involve a decidedly kinetic weapon: a nuclear bomb, detonated high over the Earth. Such an explosion would shut down all but the most hardened networks and computers within range; the Pentagon has hardened its most critical structures and weapons systems, such as nuclear-capable B-52 bombers, for such an eventuality.

Military needs hackers, StratCom chief says, October 2nd, 2008

New Complexity & Conflict
Does the defence of a country or a system depend on:
- least effort?
- best effort?
- sum of efforts?
The last is optimal; the first is awful. Software is a mix: it depends on the worst effort of the least careful programmer, the best effort of the security architect, and the sum of efforts of the testers.
Solution: hire fewer, better programmers, more testers and top architects; keep it simple.
Complexity adds risk (figure: system calls in IIS).

Implementation, Quality, Peer Issues
What does this code do?

```perl
# Forks a tree of 32 processes joined by pipes; each prints one character of
# "Just another Perl / Unix hacker", the pipes enforcing the output order.
# (The readline <$_> in the last line was dropped when the slide was extracted
# and is restored here.)
@P=split//,".URRUU\c8R";@d=split//,"\nrekcah xinU / lreP rehtona tsuJ";sub p{
@p{"r$p","u$p"}=(P,P);pipe"r$p","u$p";++$p;($q*=2)+=$f=!fork;map{$P=$P[$f|ord
($p{$_})&6];$p{$_}=/^$P/ix?$P:close$_}keys%p}p;p;p;p;p;map{$p{$_}=~/^[P.]/&&
close$_}%p;wait until$?;map{/^r/&&<$_>}%p;$_=$d[$q];sleep rand(2)if/\S/;print
```

Nobody can tell from the text what this program does, which is the point: code whose behaviour cannot be reviewed cannot be assured, whatever the skill of the peer reviewer.

Successful implementation requires

Technology, Process, People: are people the biggest problem?

But security is also not just about technology; it is much more about people. As this example from Canada illustrates, users will always find a way around the barriers and controls which are put in place by the business to prevent disasters or security breaches.

Identity Theft and Phishing
'The Hacker' arrested for phishing scheme (Stephen Tidwell, Assistant Director in Charge of the FBI's Los Angeles Field Office). Goodin, who was known as 'The Hacker', was originally arrested in January 2006 on charges that he operated an identity theft scheme known as phishing.

Identity Theft brokers

User Awareness Problem

AFP published this untouched photograph of a Hurricane Katrina evacuee and her debit card. What happened next was no surprise.

Phishing, Hijacked

Phishing only started in 2004, but in 2006 it cost the UK £35m and the USA perhaps $200m. ID theft: exponential growth.

Phishing: Target Sites (http://www.antiphishing.org/)
- Target customers of banks and online payment services
- Obtain sensitive data from U.S. taxpayers by pretended IRS e-mails
- Identity theft for social network sites, e.g. myspace.com
- Recently more non-financial brands were attacked, including social networking, VoIP, and numerous large web-based e-mail providers

Phishing: Techniques
- Upward trend in the number of phishing mails sent
- Massive increase in the number of phishing sites
- Increasing sophistication: link manipulation, URL spelling, website address manipulation
- Evolution of phishing methods from shotgun-style e-mail to: image phishing; spear phishing (targeted); Voice over IP phishing; whaling (high-profile people)

Source: http://www.antiphishing.org/
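The link-manipulation tricks in the list above (a misspelled or look-alike domain, a brand name stuffed into a subdomain or path of an unrelated domain, an '@' that hides the real host behind what looks like a bank address, a raw or hex-encoded IP address) can be checked mechanically before a user ever clicks. The Python checker below is an added example and is not code from the slides or from the APWG. The brand allow-list, the confusable-character table and the "registrable domain = last two or three labels" rule are constructed simplifications for the example (a production tool would use the Public Suffix List and a maintained confusables table), and the URLs in the usage are constructed test cases.

```python
"""Heuristic checks for manipulated phishing URLs (added example).

Each finding is a string that starts with a code (USERINFO, IP_HOST,
CONFUSABLE, LOOKALIKE, BRAND_MISPLACED, TYPOSQUAT) so callers can score or
filter on it. A legitimate URL for a known brand yields an empty list.
"""
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Assumed allow-list: legitimate registrable domains per brand (example data).
BRANDS = {
    "paypal": {"paypal.com"},
    "hsbc": {"hsbc.co.uk", "hsbc.com"},
    "irs": {"irs.gov"},
}

# A few Cyrillic look-alikes for Latin letters; real confusables tables are far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0501": "d",
}

# Dotted-decimal, dotted-hex, single-integer or single-hex hosts (0x7f000001 etc.).
NUMERIC_HOST = re.compile(r"^(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+))*$")


def normalise_host(host):
    """Lower-case, NFKC-normalise and map known confusables back to ASCII."""
    host = unicodedata.normalize("NFKC", host.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def registrable_domain(host):
    """Simplified registrable domain: last two labels, or last three for
    second-level suffixes such as co.uk (assumption; use the Public Suffix
    List for real traffic)."""
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "gov", "ac"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url):
    """Return a list of findings for one URL; empty means nothing suspicious."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return ["SCHEME: unexpected scheme %r" % parts.scheme]

    # 'http://www.bank.example@evil.example/': browsers use the part after '@' as the host.
    if "@" in parts.netloc:
        findings.append("USERINFO: text before '@' is not the host; real host is %r" % parts.hostname)

    raw_host = parts.hostname or ""          # urlsplit already lower-cases this
    host = normalise_host(raw_host)
    if host != raw_host:
        findings.append("CONFUSABLE: host %r looks like %r" % (raw_host, host))

    try:
        ipaddress.ip_address(raw_host)
        is_ip = True
    except ValueError:
        is_ip = bool(NUMERIC_HOST.match(host))  # ipaddress rejects hex/integer forms
    if is_ip:
        findings.append("IP_HOST: numeric host %r instead of a domain name" % raw_host)

    domain = registrable_domain(host)
    haystack = normalise_host(parts.netloc + parts.path)
    for brand, allowed in BRANDS.items():
        if domain in allowed:
            if host != raw_host:             # confusable spelling of a real brand domain
                findings.append("LOOKALIKE: %r imitates %s" % (raw_host, domain))
            continue
        # Brand as a whole label or word anywhere in authority or path, but not the real domain.
        if re.search(r"(?<![a-z0-9])%s(?![a-z0-9])" % re.escape(brand), haystack):
            findings.append("BRAND_MISPLACED: '%s' appears in the URL but the registrable domain is %r" % (brand, domain))
        label = domain.split(".")[0]
        d = edit_distance(label, brand)
        if 0 < d <= 2 and len(label) >= 4:
            findings.append("TYPOSQUAT: %r is within %d edit(s) of '%s'" % (domain, d, brand))
    return findings


if __name__ == "__main__":
    # Constructed test URLs, not observed phishing links.
    for u in ("https://www.paypal.com/signin",
              "http://www.paypal.com@203.0.113.5/login",
              "http://paypal.com.secure-login.example/",
              "http://paypa1.com/",
              "http://0x7f000001/",
              "http://www.p\u0430ypal.com/"):
        print(u, "->", analyse_url(u) or "ok")
```

The checker works on the URL as it appears in the message, which is what the victim sees; a mail gateway would also resolve any redirector and apply the same checks to the final landing page, since the list above shows attackers moving from obvious misspellings to image-based mail and targeted (spear and whaling) lures precisely to get past string checks like these.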

What causes most incidents?
Many incidents are due to a lack of security awareness. Attackers use tricks:
- Web links and pop-ups
- Installing software

Avoid installing additional software
- Free versions of software may contain Trojan horses, spyware or other malicious software that could infect a PC
- Plug-ins may also contain malicious software
- Some quick online research can often help identify malicious software
- If a website requires a plug-in to view it, try to avoid using it

New Applications, New Risks: SOA, social networks, mobility, wireless, many devices

Mobiles are the new biggest risk and target

"Social Networking is like the Hotel California. You can check out, but you can never leave." - Nipon Das, to the New York Times

Risk Analysis provides focus for Security

Managing Risk: a matrix of likelihood (low, medium, high) against severity of consequence (low, medium, high); the high-likelihood, high-severity corner is the area of major concern.

Risk model (relationships between the elements):
- Threats exploit Vulnerabilities
- Vulnerabilities expose Assets
- Threats, Vulnerabilities and Assets increase Risks
- Assets have Business Impact
- Controls protect against Threats
- Risks indicate Security Requirements
- Security Requirements are met by Controls
- Controls reduce Risks

Assessment and effective measurement of security: measuring assets, risks and controls; dynamic measurement across all dimensions. Managing risk?

Summary
Everyone likes an equation: control is key. So how do you implement security controls?
- Technical controls: the site implements a firewall to stop external attackers but allow academic collaboration.
- Education: explain to users why there is a firewall (to stop attackers) and how to ask for exceptions (to allow collaboration).
- Administrative controls: the Security Policy states that Internet services must be used safely.

New Solutions: Reputation Management
- Seller reputation
- Peer-to-peer
- Key management
- Anti-spam / IP reputation
- Content filtering
- Avatar reputation
- Social network peer reputation
- Unified Communications (IM, SPIT/SPIM etc.)

Standardisation bodies
- ISO/IEC: wide scope of standardisation; 27xxx and 13335
- IETF: focuses on Internet-related technical security requirements
- NIST-CSRC (http://www.nist.gov/): wide scope of coverage for both government and enterprise needs
- OASIS (http://www.oasis-open.org/): Application Vulnerability Description Language
- OGSF (Open Group Security Forum, http://www.opengroup.org/security/): started the Intrusion Attack and Response Workshop

Best practices and recommendations
- CERT/CC (http://www.cert.org/)
- SANS (System Administration, Networking, and Security) Institute, http://www.sans.org/
- ISACA (http://www.isaca.org/): most noted for the COBIT framework for IT governance
- ISSA (http://www.issa.org/): GAISP (Generally Accepted Information Security Principles)

Standards, Guidelines: the ISMS family of standards (ISO/IEC 27xxx)
- ISO/IEC 27001: ISMS requirements (BS 7799-2)
- ISO/IEC 27002: code of practice, formerly ISO/IEC 17799 (BS 7799-1)
- ISO/IEC 27003: ISMS implementation guide
- ISO/IEC 27004: infosec metrics
- ISO/IEC 27005: infosec risk management
- ISO/IEC 27006: guide to the ISMS certification process
- ISO/IEC 27007: guideline for ISMS auditing
- ISO/IEC 27011: ISMS implementation guideline for the telecommunications industry
- ISO/IEC 27034: guideline for application security

Standards, Guidelines: COBIT (Control Objectives for Information and related Technology)
- De-facto standard IT governance framework and supporting toolset
- Bridges the gap between business and IT
- Enhances delivery of value by IT (business enabler)
- Emphasises regulatory compliance and risk management
- Performance measurement -> effective resource utilisation
- Umbrella framework, aligned with other frameworks, e.g. COSO, ISO/IEC 27001
- Promoted by numerous regulations and regulatory bodies

Security Metrics

Incident Response Components (from RFC 2350)
- CSIRTs: the organisational form depends on the type of organisation and the required level of support to the community
- Security Policy: defines what is required / allowed / acceptable
- Incident Response Policy: what is provided, who receives it and who provides support
- Incident Response Plan: which incidents will be responded to, and how

Response and Risk approach: Risk Management and Business Controls (increasing impact from events to incidents to crises)
- Events: assess the impact of events and implement appropriate controls
- Incidents: monitor and resolve at the appropriate level using processes (Incident Management Process)
- Crises: monitor and resolve the critical few with the crisis management team (Crisis Management Process)

Incident Handling Life Cycle

Inputs arrive by e-mail, hotline/phone, IDS or other channels as incident reports, vulnerability reports or information requests; they are triaged, then analysed; the team coordinates information and response, obtains contact information and provides technical assistance.

Roles and Responsibilities: eGov Security
- CERT: prevention of security incidents
- Government body: advice and security policies; co-operation with law enforcement; awareness (informing the public about risks); initiating legislation
- Law enforcement
- Intelligence

Range of CSIRT Services
- Mandatory service: incident handling
- Common CSIRT services: alerts and announcements; vulnerability analysis and response; artifact analysis; education and training; incident tracing; intrusion detection; auditing and penetration testing; security consulting; risk analysis; security product development; collaboration; coordination

EU CERTs Action Plan 1: build resilience / harden the infrastructure
- Server and link redundancy
- Security of routing protocols / traffic exchange
- Security of the DNS service
- Profiling attackers and understanding their objectives (know your enemies)
- Response preparedness: a national contingency plan for the Internet
- Cyber exercises at national/international level are crucial
- Strengthen multinational cooperation for rapid response (formal rather than informal)
- Importance of CERTs/CSIRTs and their role in national and international cooperation
- Measurement: monitoring of traffic to understand what is going on

Action Plan 2: technology will not be sufficient
- Study the economics of security and cyber crime
- Set up Public Private Partnerships (PPP); example: www.antiphishing.org
- Develop cross-sector and cross-organisational cooperation at national, EU and international levels
- Agree on the allocation of responsibilities
- Information and best-practice sharing: the importance of trust
- Raising awareness and education of individuals, public bodies, corporate users and service providers

Action Plan 3: Policy, Regulatory and Institutional Framework

Conclusions
- The complexity of risks to global cybersecurity demands a global framework of response!
- The magnitude of the problem needs a coordinated global response
- Standards organisations and CERTs can act as a catalyst and facilitator for a global response to cybercrime
- This will create a cyberspace safe for e-Government, corporations and people to service, trade, learn and enjoy
- We cannot solve this alone

Questions

[email protected]