
The contents of this unclassified report, compiled from various open sources, in no way represent the policies, views, or attitudes of the United States Department of State, or the U.S. Government, except as otherwise noted (e.g. travel advisories, public statements). All OSAC products are for internal U.S. private sector security purposes only. Publishing or distributing OSAC-derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.

Blu3

Product of the Research & Information Support Center (RISC)

The following report is based on open-source reporting.

November 18, 2014

Introduction

As the lives of individuals and the daily operations of organizations increasingly use and depend upon online networks and resources, the line between security incidents in the cyber and physical worlds has become blurred. Traditional security definitions and boundaries no longer apply uniformly. While many security professionals may still consider cyber security a technical problem, today’s reality is an intertwined cyber-physical world wherein cyber security issues often affect and cross over into the physical realm (and vice versa) with direct, tangible impact. Billions of people worldwide are now online; it has become another, if not the primary, domain that individuals and organizations depend upon to communicate, increase efficiency, engage in commerce, store and publish information, and reduce costs. Criminals, spies, terrorists, and hacktivists (hacker activists) also take advantage of these same benefits.

The proliferation of intersections between cyber and physical is increasing as a function of computing device connectivity. People use numerous communications protocols to connect multiple devices to various networks at work, at home, and on the go. An organization’s sensitive and proprietary systems, once closed-off networks, are now accessible or controllable via remote or Internet access. Furthermore, low-cost “smart” technology has been introduced into departments not traditionally overseen by technical staff. According to Gartner, 26 billion devices will be part of the “Internet of Things” (IoT) by 2020. IoT is the interconnection of atypical, non-computing devices – everything from smart thermostats and alarm systems to medical monitoring devices and automobiles – to the Internet using a myriad of wireless technologies. This wave of ubiquitous automation will likely create a surge of security implications in both the cyber and physical realms, especially considering security has historically lagged behind technology.

Defenders must cover all points of attack, while attackers only have to identify the weakest point. An increasing number of traditional security incidents have occurred because of weak links that existed in the cyber realm; the converse is also true. Through the examination of security incidents, including the highlighted examples in Table 1, this white paper will demonstrate the interwoven nature of the two realms, reveal who has been affected, and provide best practices and countermeasures.

Table 1: Examples of examined security incidents with a cyber-traditional security nexus

• Chinese military hackers compromise facility access systems (Facility Security)
• Online information sharing facilitates kidnapping of billionaire's son (Personal Protection)
• Syrian spy cameras and microphones surveil activists and journalists (Information Security)
• Credit card breaches will continue after chip and PIN adoption (Financial Security)
• Terrorist-linked software developers hired for critical infrastructure work (Personnel Security)
• Hackers can cause traffic jams and misdirection (Public Safety)
• Cyber warfare becomes a component of international conflict (National Security)

Cyber Case Studies: The Traditional Security Nexus


Agreement on the categorization of traditional security disciplines is difficult because there is much overlap among them; cyber security is no different. Several other security sub-categories could fall under one or more security disciplines in Table 1, such as operations security (OPSEC). Facility security, personal protection, and information security are all common sub-categories of physical security.

Physical Security Case Studies

Physical security (defined as the physical protection of sensitive or proprietary information, people, facilities, installations, or other sensitive materials, resources, or processes) is broad and multi-faceted. Its key areas involve the physical protection of facilities, people, and information.

Facility Security

U.S. Steel

In May, a federal grand jury indicted five military officers in China’s People’s Liberation Army (PLA) Unit 61398 for computer hacking, economic espionage, identity theft, and other related offenses directed at six U.S. private-sector organizations in the nuclear power, metals, and solar energy industries. This was the first time the U.S. Government successfully brought criminal charges against nation-state actors for this type of computer hacking. Most of the alleged criminal conduct involved information that was stolen while the companies were in negotiations, partnerships, or trade litigations with Chinese state-owned enterprises (SOEs).

One of the affected organizations, United States Steel Corporation (U.S. Steel), was involved in trade cases with Chinese steel companies between 2009 and 2012. Shortly before the anticipated decision in one of the cases, an indicted military hacker allegedly sent spear-phishing emails to U.S. Steel employees – including those associated with the litigation. Some of the emails, which appeared to come from the CEO, successfully tricked employees into clicking on malicious links, resulting in the installation of malware and backdoor access on corporate computers. The hackers used more spear-phishing emails, with the subject line “US Steel Industry Outlook,” to steal a list of about 1,700 company computers, including servers that controlled physical access to the company’s facilities and emergency response.

Although the indictment stated that vulnerable servers on that list were identified and exploited, it does not confirm which ones were hacked or detail the extent of exploitation. Compromised facility access systems could have enabled a Chinese competitor to target U.S. Steel’s business operations from a physical security angle. However, most of the alleged activity conducted by the PLA 61398 hackers resulted in intellectual property (IP) and trade secret theft.

Countermeasures

• The U.S. Steel case study underscores the need for segmentation or compartmentalization of critical systems from public-facing networks via physical and/or logical (software) means.
• The case study also stresses the importance of cyber security education, especially to protect against spear-phishing tactics.
  o Spear-phishing is used in over 90 percent of advanced economic espionage attacks by nation-state or nation-state-sponsored actors.
  o Spear-phishing was the predominant method allegedly used by the PLA 61398 hackers.
• Segmentation and compartmentalization will likely become more important as the Internet of Things expands, where thermostats, refrigerators, alarm systems, and security cameras could all exist on the same network.
  o A vulnerability in just one device could disclose the credentials to the entire network.
  o Not only could an attacker turn off an alarm or security camera, but a threat actor could use the cameras or smart meter readings to determine when a building is vacant in order to break in.
  o Manipulation of a thermostat to prompt a building evacuation could be the first step in a plot to attack an organization’s physical security.
  o In addition, networks that communicate without encryption, or with IoT devices that lack physical protection, are exposed and vulnerable to attack.
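As an added illustration of the spear-phishing countermeasures above (this code is not part of the OSAC report), the following Python checks inbound mail headers for the pattern used against U.S. Steel: a message carrying an executive's display name but an external sender domain, a Reply-To that points elsewhere, or an internal sender domain that the gateway could not authenticate. The organization domain, the executive name and the three sample messages are constructed for the example.

```python
"""Flag executive-impersonation (spear-phishing) candidates from mail headers.

Added example; the domain, the protected name and the sample messages below
are constructed, not taken from the U.S. Steel indictment. Standard library only.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Assumed organisation data: domains mail legitimately originates from, and
# the executives whose names a spear-phisher is most likely to borrow.
TRUSTED_DOMAINS = {"example-steel.com"}
PROTECTED_NAMES = {"jane doe": "CEO"}


def _norm(name: str) -> str:
    """Normalise a display name so 'Jane  DOE' and '"jane doe"' compare equal."""
    return " ".join(name.replace('"', "").lower().split())


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; '' when there is no address."""
    return addr.rpartition("@")[2].lower()


def analyse_headers(raw: str) -> Dict[str, object]:
    """Examine one RFC 5322 message and list the impersonation indicators found."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    auth = msg.get("Authentication-Results", "").lower()

    findings: List[str] = []
    role = PROTECTED_NAMES.get(_norm(display))
    if role and from_domain not in TRUSTED_DOMAINS:
        # The classic lookalike: right name, wrong (external or typo-squatted) domain.
        findings.append(f"{role} display name with external sender domain '{from_domain}'")
    if reply_domain and reply_domain != from_domain:
        # Replies would leave the organisation even though From looks internal.
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    if from_domain in TRUSTED_DOMAINS and ("spf=fail" in auth or "dkim=fail" in auth):
        # Internal domain that the receiving gateway could not authenticate.
        findings.append("internal sender domain but SPF/DKIM failed")
    return {
        "from": addr,
        "subject": msg.get("Subject", ""),
        "findings": findings,
        "suspicious": bool(findings),
    }


def triage(messages: List[str]) -> List[Dict[str, object]]:
    """Analyse a batch and return only the suspicious messages, most indicators first."""
    results = [analyse_headers(m) for m in messages]
    return sorted((r for r in results if r["suspicious"]),
                  key=lambda r: len(r["findings"]), reverse=True)


# Constructed samples: one genuine internal message and two impersonation attempts.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example-steel.com>
To: staff@example-steel.com
Subject: Board meeting moved to Thursday
Authentication-Results: mx.example-steel.com; spf=pass smtp.mailfrom=example-steel.com; dkim=pass

(body omitted)
"""

SAMPLE_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@example-stee1.com>
To: litigation-team@example-steel.com
Subject: Industry outlook, please review the attached link
Authentication-Results: mx.example-steel.com; spf=pass smtp.mailfrom=example-stee1.com

(body omitted)
"""

SAMPLE_SPOOFED = """\
From: Jane Doe <jane.doe@example-steel.com>
Reply-To: <jane.doe.ceo@webmail.example>
To: finance@example-steel.com
Subject: Urgent: updated wire instructions
Authentication-Results: mx.example-steel.com; spf=fail smtp.mailfrom=example-steel.com

(body omitted)
"""

if __name__ == "__main__":
    for hit in triage([SAMPLE_LEGIT, SAMPLE_LOOKALIKE, SAMPLE_SPOOFED]):
        print(hit["from"], "->", "; ".join(hit["findings"]))
```

The check is deliberately header-only so it can run at the mail gateway before any link or attachment is opened; a real deployment would load TRUSTED_DOMAINS and PROTECTED_NAMES from the directory rather than hard-coding them.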

Personal Protection

Social networking sites and social media sites have made collecting information on people and organizations for social engineering, blackmail, and conducting traditional, economic, or industrial espionage – in both the cyber and physical domains – much easier. However, information published on these sites can also affect the physical security of people in an organization.

Mexican Drug Cartels and a Diverted Flight

Mexican drug cartels and organized crime groups (OCG) often glean personally identifiable information (PII) from social networking and media sites to add legitimacy to extortion and kidnapping threats. They regularly monitor social media to target individuals, such as journalists disseminating “unfavorable” information about illicit OCG activities. OCGs may also search for secure communication channels to avoid detection by government and security authorities, and they are likely trying to diversify revenue streams through hacking, counterfeiting, and ATM skimming activities. As such, there have been media reports of kidnappings, enslavements, bribes, and coercions of computer programmers, engineers, and telecommunications experts since at least 2009.

A hacking group called the Lizard Squad attacked Sony Online Entertainment in August 2014, causing denial-of-service disruptions to Sony’s PlayStation Network servers and tweeting a hoax to American Airlines about “receiving reports that [Sony Online Entertainment CEO]’s plane #362 from DFW to SAN has explosives on-board.” The hackers were a previously-unknown group who claimed links to terrorism to add credence to the hoax; therefore, American Airlines diverted the flight and security authorities checked for explosives. The Lizard Squad had obtained the CEO’s flight information from cross-referencing flight schedules with travel information he had posted on Twitter (see Figure 2).


Figure 2: Hacking group Lizard Squad devised a hoax using information gleaned from Sony Online Entertainment CEO’s tweets

Private Celebrity Photos

Information found on social networking and media sites can be used to defeat security questions used to reset passwords on online sites and services. This, in addition to the use of weak passwords, use of repeated passwords across multiple sites, a lack of two-factor authentication, and the allowance of unlimited password guesses on a cloud back-up service, contributed to the highly-publicized leaks of private celebrity photos in 2014. Using information on the Internet to humiliate, blackmail, bully, stalk, surveil, and/or kidnap a person may be among the most frightening ways someone’s personal safety can be compromised by cyber-related means.
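The unlimited-guess weakness mentioned above, shown beside its fix as an added example (not code from the OSAC report): a password-reset security-question check that, with no limiter, accepts a harvested answer after any number of tries, and with a sliding-window lockout stops answering after a few failures. The account, stored answer, guess stream and policy values are constructed for the example.

```python
"""Password-reset security-question check with and without guess limiting.

Added example; the account data, guess stream and policy values are
constructed. Passing limiter=None reproduces the unlimited-guess weakness.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional


class GuessLimiter:
    """Lock an account after max_failures wrong answers inside a sliding window."""

    def __init__(self, max_failures: int = 5, window_s: int = 900,
                 lockout_s: int = 3600) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def allowed(self, account: str, now: float) -> bool:
        """False while the account is still inside its lockout period."""
        return now >= self._locked_until.get(account, 0.0)

    def record_failure(self, account: str, now: float) -> None:
        window = self._failures[account]
        window.append(now)
        while window and now - window[0] > self.window_s:   # forget old failures
            window.popleft()
        if len(window) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            window.clear()

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


class ResetService:
    """Verifies a security-question answer; answers are salted and hashed at rest."""

    def __init__(self, answers: Dict[str, str], limiter: Optional[GuessLimiter]) -> None:
        self._salt = {acct: os.urandom(16) for acct in answers}
        self._digest = {acct: self._hash(ans, self._salt[acct]) for acct, ans in answers.items()}
        self._limiter = limiter

    @staticmethod
    def _hash(answer: str, salt: bytes) -> bytes:
        # Case and spacing are normalised so 'rex' and 'Rex ' match the stored answer.
        normalised = " ".join(answer.lower().split())
        return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 20_000)

    def verify(self, account: str, guess: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'locked'; a reset is issued only on 'ok'."""
        if account not in self._digest:
            return "wrong"           # same reply as a bad guess: do not reveal valid accounts
        if self._limiter and not self._limiter.allowed(account, now):
            return "locked"          # refuse even a correct answer during lockout
        if hmac.compare_digest(self._hash(guess, self._salt[account]), self._digest[account]):
            if self._limiter:
                self._limiter.record_success(account)
            return "ok"
        if self._limiter:
            self._limiter.record_failure(account, now)
        return "wrong"


def run_guesses(service: ResetService, account: str, guesses: List[str],
                start: float = 0.0, step: float = 1.0) -> List[str]:
    """Submit each guess `step` seconds apart and return the per-attempt outcomes."""
    return [service.verify(account, g, start + i * step) for i, g in enumerate(guesses)]


# Constructed test data: the stored answer is a pet's name, the kind of detail a
# public profile tends to leak, and the guess stream holds it in seventh place.
ANSWERS = {"alice": "Rex"}
GUESS_STREAM = ["Max", "Buddy", "Charlie", "Bella", "Lucy", "Rocky", "Rex"]

if __name__ == "__main__":
    print("no limiter:  ", run_guesses(ResetService(ANSWERS, None), "alice", GUESS_STREAM))
    print("with limiter:", run_guesses(ResetService(ANSWERS, GuessLimiter()), "alice", GUESS_STREAM))
```

Without the limiter the seventh attempt succeeds; with it the account locks after the fifth failure and the correct answer is refused until the lockout expires, which is the behaviour the cloud service in the 2014 case lacked.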

Kaspersky Kidnapping

The highest-profile cyber surveillance, stalking, and abduction case involved Ivan Kaspersky, son of the chairman and CEO of Russia-based Kaspersky Lab, one of the most prominent cyber security firms in the world. Ivan Kaspersky was kidnapped for ransom in 2011 while walking to work from his Moscow apartment. According to Russian media sources, amateurs – an older indebted couple – orchestrated the plot and enlisted their son and two of his friends as “muscle.” The abductors stalked Kaspersky and his girlfriend for several months prior to the kidnapping, determining his behavioral patterns and discovering that he did not have a protective security detail. The kidnappers reportedly obtained all the needed information from Kaspersky’s user profile on Vkontakte, a popular Russian social networking site. His profile contained publicly-posted personal information, such as his real name, photo, current school and area of study, girlfriend, work location, and the addresses of his last two apartments. With this information, even amateurs could track and abduct the son of a prominent billionaire.


Kaspersky was forced to call his father to relay the ransom demands. Fortunately, the cellphone he used was tracked within six days, although there is conflicting reporting as to whether its location was tracked by Russian security authorities or someone working directly for Kaspersky. The Russian System for Operative Investigative Activities (SORM) lawfully enables authorities to monitor, record, analyze, and retain all data that traverses Russian telephone and Internet networks, including all emails, telephone calls, Internet browsing sessions, text messages, and fax transmissions. The abductors may have used the same cellphone to order food deliveries, or had geolocation services enabled.

Countermeasures

• The common thread in these personal safety attacks is the lack of operations security (OPSEC) used in online interactions.
  o Limiting the amount of publicly-available personal information online and turning off geolocation services on social networking and media sites can go a long way in preventing targeted attacks.
  o Even in cases where permissions are set to limit the audience to online “friends,” it is easy for the Internet savvy to use fake social networking site accounts to socially engineer their way in.
  o Potential targets should be made aware of what information about them is publicly available online (or for a few dollars), to understand the ways they could be targeted.
  o Posting information from wearable IoT devices with geolocation capabilities (GPS), like fitness activity-monitoring devices, could also reveal regular routes or residential addresses.
• Only trusted third-party sites and services with stringent security measures should be used for any off-site or cloud storage of sensitive files.
• Other best practices to help counter attacks include separating work and personal accounts and using fabricated information in password reset security questions.

Information Security

In addition to facilities and people, physical security protects sensitive or proprietary information from sabotage or theft. Using cyber methods to destroy or steal information stored electronically is obvious, but using cyber methods to obtain information that is not located on computer networks or electronic media is less so. Stringent physical security measures and systems used in facilities to prevent adversaries from overhearing information, gaining access to printed information, or discovering what physical security systems or methods are in place, can be defeated by one compromised cellphone or computer. Computers and cellphones contain cameras, microphones, and often tracking devices – the same components that make up high-tech eavesdropping devices.

Syria: Non-Governmental Organizations, Journalists, and Activists

Violence from Syria’s civil war continues both on the ground and in the cyber realm. Pro-government forces are circulating spyware to infiltrate, track, and gather intelligence against the opposition, which often winds up in the hands of the Assad regime and results in arrests, raids, and attacks. In some cases, suspected rebels have been rounded up and interrogated about activities they conducted on their computers, without the interrogators needing to have physical access to the machines.


Pro-Assad hackers deploy malware that is usually in the form of a remote access toolkit (RAT), which grants nearly full access to victim computers. Not only do the attackers have access to computer files, but they can record everything that is typed or displayed on the screen, such as online communications, emails, video calls, and chats on social networking sites. The spyware is able to obtain information not normally in the cyber domain – it can turn on cameras to collect intelligence on locations, record sensitive information posted within view, attribute online activities to specific users’ faces, and turn on microphones to eavesdrop on conversations in the room.

The attackers use well-informed social engineering that is tailored to the interests, needs, and fears of the opposition. For example, they have hidden malware in fake security tools, fake versions of privacy or encryption software [such as virtual private network (VPN) clients and Skype encryption tools], bait documents, and malicious links. One email promised documents and maps showing the movements of fighting groups. Further, they compromised legitimate Facebook accounts, such as one belonging to the head of the Transnational Syrian Opposition, to recommend the installation of malicious software.

When diplomatic efforts appeared to replace the possibility of U.S. military action in Syria, NGOs and journalists working on the conflict were included as targets in the attackers’ phishing, social media, and spear-phishing campaigns. In one instance, an NGO administrator received an email purporting to contain video evidence of Syrian military abuses. The file played a video of a graphic execution while it installed RAT malware.

Pro-government hacking campaigns followed similar methods until late last year, when security researchers began to see attacks that they believed were “false flags.” The new campaigns seemed to implicate pro-Assad hackers deliberately, but did not fit their techniques and tactics. For example, new malware of unknown origin claimed to be from the Syrian Electronic Army, but specifically attacked Mac computers, which are uncommon in the region. Mac computers are more popular with activists and journalists covering Syrian issues from outside the country. Kaspersky Lab has attributed the locations of attackers in recent Syria-related cyber attack campaigns to operations coming from Syria, Lebanon, and Russia. This may indicate that Syrian government allies with significant hacking capabilities, such as Hizballah, are secretly assisting in the attacks. Figure 3 shows the geographical distribution of those targeted by recent cyber attacks.

Activists, journalists, and NGOs working on the Syrian conflict have become more knowledgeable of the risks posed by these kinds of attacks. However, the attackers’ malware campaigns have become increasingly innovative and sophisticated in 2014, with higher levels of social engineering. Analysis of the cyber attacks, especially correlating new or resurging attack campaigns with current events, is difficult.


Figure 3: Recent Syria-related cyber attacks mostly affected victims in Syria and nearby countries (Source: Kaspersky Lab)

Countermeasures

• In addition to education on spear-phishing techniques and social networking/media site compromise methods, organizations can prevent malware installation by keeping all software up to date with upgrades and patches, and only downloading or obtaining trusted software from authorized, authentic websites and stores.
• Organizations should also be aware that there is a risk of surveillance or eavesdropping when using computers and mobile electronic devices.
  o Microphones can be physically switched off (not using software) or disconnected from systems in sensitive areas.
  o Covers or removable tape can be used to cover camera lenses when not in use.
  o Cellphones can be left outside, or batteries can be temporarily removed, during sensitive conversations in secure areas.
  o Other best practices for safely using electronic devices abroad can be found in the OSAC report on economic espionage trends.

Reverse Case: Physical Security Affecting Cyber Security

An exploited vulnerability in cyber security does not always defeat physical security, but physical access to computing devices nearly always defeats cyber security. Lack of access control, locks, temperature control, and backup power for high-value networks or server rooms could easily result in data loss or compromise.

Additionally, most attacks against cellphones and mobile electronic devices require one or more of the following:

• An unencrypted connection to an unsecured network or Wi-Fi network;
• Falling prey to a malicious link or attachment in an email, social networking or media site, or text message;
• Software that is unpatched or out of date; or
• Having physical access to the device.

Physical access is the easiest way to compromise laptops and mobile electronic devices. Abroad, especially in locations with aggressive technical collectors, most security experts assume devices that are out of direct physical control are compromised.

Financial Security Case Studies

Perhaps the greatest confluence of traditional and cyber security occurs in the finance industry, where international commerce and financial services operate largely on a cashless framework. “Cyber” is losing its place as a term in the finance industry vernacular. Excluding cash-only economies, monetary exchanges and transactions are done electronically. Brazil was a pioneer in the adoption of electronic and online financial systems 30 years ago and today has a large, robust banking community and e-commerce sector. Even in several African countries, such as Kenya, mobile network penetration preceded that of broadband Internet, and financial transactions by phone have become commonplace. With rapid technological growth comes a general lag in implementing and enforcing cyber security legislation and practices, usually creating lucrative environments for cyber criminals. As such, Brazil is a worldwide hotspot for cyber crime, and in Africa, fraud conducted over mobile networks is prolific.

Major Credit Card Breaches of 2014

Especially in the United States, major data breaches seem to make the news headlines regularly, contributing to the “Age of the Data Breach.” In 2014 alone, hackers have stolen over 500 million financial records from the U.S. private sector. Of these, point-of-sale (POS) terminal malware exposed the financial information of over 100 million credit cardholders, stealing the information while it was unencrypted in memory or elsewhere in the transaction chain. EMV “chip and PIN” credit cards, wherein cards contain an embedded microchip and are authenticated to bank servers using a personal identification number (PIN), may be an answer. However, without end-to-end encryption of credit card data in a financial transaction (including memory and storage), these breaches could still occur. Furthermore, stolen card information still can be used fraudulently in online transactions, which cannot access the chip.

Credit card skimming, when criminals insert a rogue device into an ATM or POS terminal that copies information stored on the magnetic stripe, will likely decrease in countries that migrate fully to EMV chip technology. However, chip and PIN cards are not immune to software flaws, incorrect implementation, or more advanced skimming attacks that clone the chip or harvest the PIN.

As countries migrate to the EMV standard, payment networks have implemented liability shifts. In the U.S., the card issuer is liable for fraudulent transactions, but in countries that have adopted EMV, liability for fraudulent transactions has shifted to retailers and ATM owners who do not support it.

Countermeasures

Large credit card breaches will likely continue to occur because of the time required for a country to

completely adopt EMV technology, and as long as there are end-to-end encryption issues. However,

examination of the major credit card breaches in 2014 reveals other vulnerabilities that were involved in

the attacks.

The contents of this unclassified report, compiled from various open sources, in no way represent the policies, views, or attitudes

of the United States Department of State, or the U.S. Government, except as otherwise noted (e.g. travel advisories, public

statements). All OSAC products are for internal U.S. private sector security purposes only. Publishing or distributing OSAC-

derived information in a manner inconsistent with this policy may result in the discontinuation of OSAC support.

Computers on the same network as those in the POS transaction chain (without physical or

logical separation):

o Were open to Internet access;

o Had remote administration software installed;

o Had user accounts with access to email and Internet browsing (susceptible to spear-phishing

and drive-by downloads that install malware); and/or

o Were connected to third-party vendors or services, such as payment processor companies or

HVAC companies, that employ less stringent security measures.

Even organizations that employed stringent security software and response teams missed alerts and warnings. This can happen when multiple offices are responsible for an organization’s overall security, but there is no standard operating procedure to delineate individual responsibilities, and when no formal breach response plan exists.

Compliance with the new PCI-DSS 3.0 security standards will help address some of the vulnerabilities affecting credit card transactions.

Personnel Security Case Studies

Personnel security assures the loyalty, reliability, suitability, and trustworthiness of employees and others who work with or have access to sensitive information and material. It is often concerned with the insider threat. Economic (nation state) and industrial (corporate) espionage threat actors use social engineering techniques, both cyber and traditional, to specifically target employees who have any access to sensitive or IP-related information. Some insiders may be state-sponsored threat actors already embedded in U.S. private-sector organizations, but many are recruited with promises of financial reward. Both economic and industrial espionage actors lure employees with lucrative job opportunities at either state-owned enterprises or competitors. Employees can also be coerced by nation-state governments to help their home countries out of patriotism or loyalty.

Disgruntled employees are prime targets for economic and industrial espionage actors; as many as 75 percent of departing employees are disgruntled. According to client statistics compiled by cyber security firm Websense, 65 percent of malicious insiders have already accepted a new job, and 25 percent of them hand over proprietary information to a foreign company or government (see Figure 4).

Figure 4: Threat profile of malicious insiders (Source: Websense)


Jerome Kerviel and Societe Generale

For Jerome Kerviel, no encouragement or lure was needed in what became the biggest rogue trading scandal in history. Kerviel, a trader for French multinational banking and financial services company Societe Generale, was convicted in 2008 for breach of trust, forgery, and unauthorized use of the bank’s computers. As an insider, he subverted controls and used an accumulation of privilege to go on a gambling spree that resulted in a $7 billion loss for his employer. After his release from prison in September 2014, he was hired as an information systems and computer security consultant by Lemaire Consultants and Associates.

Aum Shinrikyo

Aum Shinrikyo, a Japanese doomsday terrorist group, was responsible for many assassinations and the 1995 sarin nerve agent attack on the Tokyo subway system that killed 12 people. Five years later, security authorities realized that more than 80 Japanese companies and government organizations had contracted computer companies affiliated with Aum Shinrikyo for software development. The affected Japanese companies were major players in the electronics, food, banking, transportation, and metal manufacturing fields, while some of the affected government agencies were responsible for construction, education, postal services, and telecommunications.

Computer software development was a major source of revenue for Aum Shinrikyo. Many affected organizations did not know they had ordered software from firms affiliated with the terrorist group because their main suppliers had subcontracted the work. Additionally, most affiliates concealed their relationship with Aum Shinrikyo. They developed about 100 different types of software, including customer management, airline route management, and mainframe computer systems. The most prominent customers were Nippon Telegraph and Telephone (NTT), Japan’s main telephone and Internet service provider, and the Defense Ministry of Japan. The concern that the terrorist group had inside access to sensitive government and corporate computer systems became a widespread fear, as many worried about acts of cyber terrorism and sabotage of vital communications and networks. Many affected government agencies and companies were forced to suspend the use of purchased systems until they could verify that they were secure.

Countermeasures

The most effective countermeasure for insider threat is user education, especially as part of a formalized insider threat program.

o The average employee is not aware that foreign governments, in addition to competitors, attempt to recruit insiders.

o Coworkers have the best chance at identifying insider threat behavior in an organization.

o The CERT Insider Threat Center has published best practices for mitigating IP theft, information systems sabotage, and fraud. Additionally, the FBI Counterintelligence Division’s Insider Threat Program offers an extensive list of possible insider behavior and risk indicators.

A great number of insiders are also unintentional.

o Although usually not as costly, many losses occur from negligent or uninformed employees who do not realize that they are not complying with cyber security best practices.


o It often requires only one instance of human error, such as falling for a spear-phishing scheme, for a major data breach or loss to occur in an organization.

The Aum Shinrikyo case stresses the importance of personnel security measures not only for employees in the workplace, but also for all those who work with or have access to sensitive information or systems in the entire supply chain.

Public Safety Case Studies

Public safety involves the prevention of and protection from events that could endanger or cause injury, harm, or damage to the general public. The Aum Shinrikyo case highlights a cyber-related incident that overlaps multiple security disciplines; it could have had far-reaching effects on public safety in Japan. Other examples of cyber incidents that could impact public safety involve event security and terrorism.

Major Event Disruption

Hacktivists (hacker activists) have threatened mass disruptions at major events to publicize or bring attention to their causes. Days before the opening ceremony at the London 2012 Summer Olympic Games, British security services warned Olympics authorities about the threat of a cyber attack on the stadium’s power supply. According to government investigations, the threat came from hacktivists and was not credible. However, the threat led to checks on a backup power system, including tests to ensure functionality despite the strain from the stadium’s lighting and communications networks.

Traffic Light Hacks

Hacktivists have also threatened to hack into traffic control systems at major events, such as the 2014 FIFA World Cup, using vulnerabilities in traffic control systems that were recently published in two separate studies. The studies revealed that traffic control systems could be disrupted or rendered inoperable. One researcher used a remote-control drone and cheap programmable hardware to launch an attack on a traffic system and sent fake data to sensors – small wireless vehicle detection devices embedded in the ground that transmit information about automobile location and movement. Traffic could be impacted if the sensors were wirelessly linked to traffic lights. The other research team showed that it was possible to break into the wireless communications of another system’s traffic controllers because no passwords were in use and the transmissions were unencrypted.

Terrorists could exploit traffic control system vulnerabilities to direct traffic toward (or restrict it to) a planned attack location. While the products detailed in the studies are deployed primarily in the U.S., about 200,000 of the sensors in one system are in use worldwide, in countries such as the UK, France, and Australia. Experts believe that many traffic infrastructure devices created by various vendors have similar security properties due to a lack of security consciousness in the traffic control systems field.

Countermeasures

There are several practical ways that transportation departments, traffic light operators, and equipment manufacturers can increase the security of their infrastructure:

o Enabling encryption on wireless networks,

o Blocking non-essential traffic from being sent on the network, and

o Updating device firmware regularly.


The simplest solutions with the greatest impact are to enable passwords and not rely on default login credentials.

The vulnerabilities in the traffic sensor system have been patched, with upgrades planned for older models. However, the identity of the other vendor has not been disclosed, and its vulnerabilities are still exploitable.

National Security Case Studies

National security refers to the protection of a nation through the use of economic power, political power, military might, and diplomacy to ensure its survival. Accordingly, national security is dependent upon military as well as non-military facets such as economic security, energy security, and environmental security.

One of the most concerning national security issues, with or without a cyber security nexus, is the scale of trade secret theft conducted against U.S. economic interests, especially those with foreign operations. In addition, host country national security can affect the operations and welfare of U.S. private sector organizations abroad. There are many possible attack vectors that could impact a country’s critical infrastructure and therefore the operations of OSAC constituents. Furthermore, international and intranational conflicts more frequently include cyber components.

Economic Damage by Espionage

Intellectual property theft, especially in the cyber domain, has been one of the most serious economic and national security challenges the U.S. has faced over the past several years. The Commission on the Theft of American Intellectual Property, in its 2013 IP Commission Report, estimated that the U.S. economy is experiencing annual losses of over $300 billion to international trade secret theft. The report concluded that better protection for IP, especially overseas, would add millions of jobs to the U.S. economy, significantly bolster economic growth, encourage investment in research and development, and improve innovation.

Critical Infrastructure Attacks

Threats to a host nation’s critical infrastructure include those against the financial services industry, energy sector, water supply, transportation systems, public health services, and telecommunications networks. Nation states have infiltrated or attacked critical infrastructures, often controlled and monitored by industrial control systems (ICS), since at least 2003. Patching and updating ICS equipment can be difficult because the equipment is often old, sensitive, or proprietary, or no longer supports software upgrades. Many systems require continuous operation and cannot be rebooted after an update, especially if it takes several hours to do so or there is a risk that the system may not work properly afterward.

Critical infrastructures that are accessible via the Internet are most vulnerable to attack. However, those that isolate, or “air gap,” their systems from the Internet are not impenetrable. Advanced nation-state attacks on air-gapped systems have succeeded, e.g., the Stuxnet and Agent.btz campaigns, where employees may have inserted malicious USB flash drives – planted outside targeted facilities – into computers that were connected (or later connected) to the sensitive, isolated networks. The Stuxnet virus destroyed nuclear centrifuges in Iran, and Agent.btz infiltrated both classified and unclassified U.S. military networks. Other research suggests that the Stuxnet virus may have entered via hacked suppliers of nuclear facility components. Additionally, the Shamoon virus, introduced by a disgruntled insider with full systems access, destroyed 75 percent of the corporate data at Saudi Arabia’s national oil and natural gas company.


Actors based in China, Russia, and Iran have allegedly conducted cyber probes of U.S. grid systems; cyber attacks have occurred against critical infrastructure in several other countries as well. In 2013, a senior Israeli official revealed a foiled hacking attempt to break into the computers of the water system in Haifa and stated that critical infrastructures in Israel undergo hundreds of cyber attacks every minute. In 2013 and 2014, private security researchers set up fake industrial control systems (“honeypots”) on the Internet that emulated water pumping stations. Analysis of one decoy system revealed intrusion and system modification attempts originating from several countries, as shown in Figure 5. Further, targeted attacks to obtain statistics, diagnostics, and protocol information included a spear-phishing attack from China, a commonly known malware attack from Vietnam, and an unknown malware attack from Russia.

Figure 5: Water pumping station “honeypot” attacks by originating country with highlighted exploitation methods (Source: Trend Micro)

Despite the vulnerabilities and reported intrusions of industrial control systems, it is rare for threat actors to carry out significantly damaging or full-scale attacks. Many critical infrastructure operators in technologically advanced countries are air-gapping their most important systems from the Internet. Some experts argue that a mass takeover of critical infrastructure is not likely because it is sufficiently segmented, so that only one component, area, or section could be affected at one time. Regardless, the pervasiveness of cyber attacks on critical infrastructures and “cold war” tactics indicate that the definition of national security has expanded to include a nation’s offensive and defensive cyber capabilities.

Cyber Component in International Conflicts

National governments use cyber tactics to help fight rebellions, oppositions, and terrorists internally (see the previous section on the Syrian civil war). However, they have also used cyber tactics as a component in international conflicts. Cyber researchers have noted major spikes in malware traffic on corporate and government networks preceding the Russia-Ukraine and Israel-Gaza conflicts, suggesting that conflict occurring in the cyber realm could be used as a threat indicator or even a tripwire for kinetic attacks. Over an 18-month period, as tensions rose between each pair of countries, so did the frequency of cyber attacks between them. Attribution of the attacks becomes crucial, however, as a false flag or the misidentification of a state-led cyber attack could lead to physical, armed conflict.


Russian Conflicts

Open-source reporting and private industry security research have accused Russia of conducting attacks on telecommunications networks in its engagements with Estonia in 2007, Georgia in 2008, and Ukraine in 2014. In a dispute that erupted over the Estonian removal of a Soviet war memorial in Tallinn, Russia allegedly conducted a three-week cyber attack that took down Estonian systems that relied on Internet technology – disabling voting, security, telephony, and 95 percent of banking operations. US-CERT attributed the takedowns to distributed denial-of-service (DDoS) attacks. In 2008, the Russian invasion of Georgia included disruption attacks that blocked Georgia’s banking, media, and government websites. Internet connectivity within Georgia and to the outside world was impacted, and there were widespread propaganda and website defacement campaigns against Georgian websites.

In 2014, armed men raided Ukrainian telecommunications facilities in Crimea, severing Internet and telephone services between the region and the rest of Ukraine. However, this was accomplished by physically cutting telecommunications lines, a military tactic that predates the Internet by decades. Russia also allegedly installed equipment that blocked the mobile phones of Ukrainian members of parliament. Some Ukrainian government agencies, including the Prime Minister’s office and at least 10 Ukrainian embassies abroad, were infected with a Russian-linked cyber espionage campaign called the Snake malware, also referred to as “Uroboros.” At least nine other countries’ embassies in Eastern Europe were also infected with the malware, resulting in leaks of sensitive diplomatic information. And in September, the broadband network of a major telecommunications provider in New Zealand ground to a halt for 36 hours when user connections were co-opted to conduct a DDoS attack against websites in Ukraine and several large international banks enforcing sanctions against Russia.

Predictably, the Russian government has denied state involvement in these attacks. Nonetheless, investigations by private cyber security firms have determined that these attacks originated inside Russia's borders. State-sponsored or Russian nationalist hackers could have been responsible for at least some of the cyber campaigns. Cyber Berkut, a nationalist hacking group that emerged after the dissolution of the “Berkut” Ukrainian special police force, took credit for the hacking of Ukraine’s electronic election system prior to the 2014 presidential election. They took down the system via DDoS, manipulated and destroyed data, and defaced the website to display fake election results.

Israel-Gaza Conflict

While Israel likely included a cyber component in its conflict with Gaza, media reporting focused more on attacks that pro-Gaza hackers conducted against Israel. Pro-Gaza hackers took control of an Israeli satellite TV station to display propaganda, hacked into emergency messaging systems to send false and threatening SMS text messages to millions of Israeli civilians, and hacked the Israeli Defense Forces’ Twitter account to report falsely that two rockets from Gaza had hit the Dimona nuclear reactor and caused a leak. While media reporting attributed the cyber attacks to Hamas, Israeli security officials revealed that Iran may have also been involved.

One of the false emergency SMS text messages was an alert that the airport in Tel Aviv had been hit by a rocket. Later that evening, an OSAC constituent called the OSAC emergency duty phone to confirm the attack after receiving a report from their security vendor on the ground. However, the vendor was likely one of the many who had received the hoax on their smartphones.



Terrorist Groups

The Islamic State of Iraq and the Levant (ISIL or ISIS) and Al-Qa’ida have not exhibited the ability to conduct sophisticated cyber attacks, thus far only using social media networks and other online resources to communicate, post propaganda, and recruit. Just as governments, militant groups, and terrorists may receive physical assistance and arms support from their allies, they may also receive offensive cyber training. Based on open-source reporting and past attack attribution, Iran, Syria, Hamas, Hizballah, and to a lesser extent, pro-Islamic hacktivists, are the only adversaries in the Middle East and North Africa region that have exhibited offensive cyber capabilities.

Countermeasures

Critical infrastructures should isolate their most important systems from public networks. Many ICS devices are not only Internet-facing but also lack security mechanisms to prevent unauthorized access.

o Web-based ICS equipment that cannot be isolated from the Internet should use encrypted communications.

o System administrators should set appropriately secure and non-default log-in credentials, implement two-factor authentication, and disable insecure or unnecessary remote access communications protocols.

o Organizations with aging, fragile, or sensitive industrial control systems can employ real-time network monitoring and incident response. Where systems can tolerate updates, administrators should keep ICS equipment up to date with software patches and fixes.

o Physical and logical (software-based) access control can prevent unauthorized employees or contractors from accessing important equipment.

Air-gapped systems may still be vulnerable to attack by advanced nation-state threat actors.

o Education and training are the best way to protect against both insider threat and the connection of unauthorized devices or external electronic media.

o Disabling or restricting computer ports that accept external electronic devices or media can prevent the introduction of malware.

o Suppliers are usually much easier for hackers to exploit than the corporations or government agencies using them.

Shodan is an online search engine that allows users to search for publicly-accessible devices and computer systems that are connected to the Internet.

o Shodan users can locate systems including security cameras; heating and security control systems for banks, universities, and large corporations; medical devices; and industrial control systems (see Figure 6) for water plants, power grids, and nuclear power facilities.

o Users are primarily cyber security professionals, researchers, and law enforcement agencies, and it is a useful tool for conducting penetration tests on, or “red teaming,” network resources and systems.

o While cyber criminals can use the website, they have other effective methods to accomplish the same task without detection. One recent honeypot study revealed intrusion attempts from China-based attackers within two hours of connecting the decoy ICS equipment to the Internet, before the system appeared on Shodan.


Figure 6: A map of industrial control systems that are directly connected to the Internet (Source: Shodan)

Outlook and Conclusion

Out of convenience, people and organizations have adopted technology into nearly every aspect of their daily lives and operations. Physical devices are linking or connecting to the cyber realm at an exponential rate. As atypical devices with “smart” functionalities and Internet capabilities become connected to the Internet of Things, they also become hackable. Sharing or storing information on external networks also relinquishes control of the data to third-party vendors and services. Even worse, technology adoption is surpassing the ability to secure it. This is especially concerning as cyber security has become a component of an organization’s overall security posture.

Supply chains today are large, complex, and often networked. It is increasingly difficult to map all the systems, devices, and services that support an organization’s operations, especially how they link together. Security breaches occur when attackers probe and map targeted networks before an organization can, seeking to exploit the weakest spots and leveraging trusted third-party connections. For example, hackers often compromise the email accounts of third parties to send spear-phishing emails to higher-value targets with stronger security postures. Suppliers – or even suppliers of suppliers – are usually much easier to break into than the corporations using them.

The convergence of traditional and cyber threats has created the need for integration of the security disciplines. Adversaries have become more sophisticated in their exploits, often involving both traditional and cyber attack vectors. Traditional security organizations and roles increasingly include cyber security responsibilities as the line between cyber and real-world security incidents becomes indistinct.



Information security – traditionally the protection of sensitive or proprietary information – and financial security have almost become synonymous with cyber security because most information and financial data is now transmitted and stored on computer networks.

According to former DHS Secretary Michael Chertoff, “one of the biggest misconceptions is that cyber security is a hardware or software problem; the reality is that it is a people problem.” Understanding adversaries and addressing both technical and human vulnerabilities is critical. A strong security posture depends upon a culture where security is everyone’s responsibility, especially when the actions of one person, or one weak link, can compromise the entire enterprise.

Examination of the case studies presented in this white paper reveals countermeasures that OSAC constituents could incorporate into their security strategies to prevent or lessen the impact of security incidents with a cyber nexus:

Segmenting, compartmentalizing, or isolating sensitive information and systems from public-facing networks and unauthorized access;

Separating work and personal accounts and/or information;

Enforcing separation of duties and least privilege for employee, contractor, and vendor user accounts;

Educating and training employees and third parties, including on social engineering techniques used by threat actors, and holding third parties accountable with service-level agreements;

Keeping software, including anti-virus and anti-malware software, up to date with security patches and upgrades;

Incorporating security into technology development, maintenance, and the overall system development life cycle process;

Only downloading or obtaining trusted software from authorized, authentic websites and stores;

Practicing good operations security (OPSEC) in online interactions;

Encrypting sensitive information in transit and storage whenever possible;

Employing two-factor authentication, especially for remote access to internal networks and external storage of sensitive files;

Employing and enforcing strong password strategies;

Disabling microphones and cameras in sensitive areas to prevent surveillance or eavesdropping;

Remembering that physical access to unencrypted computing devices nearly always defeats cyber security; and

Integrating cyber security into crisis management, disaster recovery, and incident response plans and exercises.

Contact Information

For further information or inquiries, please contact OSAC’s Coordinator for Information Security & Cyber Threats.


OSAC constituents can confidentially report traditional or cyber security incidents abroad on the OSAC website at https://www.osac.gov/Pages/IncidentSubmission.aspx or by directly contacting the OSAC Research and Analysis Unit (RAU).

Referenced OSAC Reports:

Trade Secret Theft: Trends in State-Sponsored Economic Espionage

OSAC Assessment: Sochi 2014 Winter Olympics (Information Security and Cyber Threats section)

OSAC Assessment: 2014 FIFA World Cup (Information Security and Cyber Threats section)