D2-02_09
Construction of Next-generation Security Infrastructure to Cope with Next Types of Cyber Attacks
Takehiro Sueta, Kyushu Electric Power Co., Inc., Japan
Haruki Terakura, NEC Corporation, Japan
CIGRE SC D2 Colloquium, November 2013
Mysore - KARNATAKA – INDIA
p2
Table of Contents
■ Overview of Security Measures and Current Issues in Japan
■ Background and Purpose
■ Construction of Next-generation Security Infrastructure
■ Overview of Outbound Content Security System Functions
■ Operational Status and Evaluation of Outbound Content Security System
■ Summary and Future Issues
■ Special Report Q&A
p3
Overview of Security Measures and Current Issues in Japan
■ Transition of server attacks (earlier to later, read left to right)
Aims of attacks:  Mischievous intent, showing off technical skills  →  Financial gain intent, obstructive behavior  →  Industrial spy activities, confidential information
Attackers:        Individual action  →  Small groups, criminals  →  Organized groups, spies
Attack methods:   Hacking, Web falsification  →  DoS attacks, spam e-mails, etc.  →  Targeted attacks
Attack methods are becoming more sophisticated. This makes it difficult to prevent damage from such attacks using conventional security measures, and therefore construction of a next-generation security infrastructure is required.
p4
Background and Purpose
■ Security measures in Kyushu Electric Power Company (KEPCO)
[Figure: Inbound communications from the external network (Internet), i.e. from companies, public offices and customers, to the servers and PCs inside the company (access to KEPCO's website, e-mail reception, etc.). Security functions at the boundary block illegal access such as attacks against servers; a malware check on each PC uses pattern matching based on comparison with virus definition files.]
However, since these security measures present the risk of allowing unknown malware not identified by virus definition files to infiltrate the company, security measures need to be strengthened.
p5
Construction of Next-generation Security Infrastructure
■ KEPCO has introduced an outbound content security system.
[Figure: The same network as on the previous slide, with the outbound content security system added to the security functions at the boundary, so that outbound communications from PCs and information processing equipment to the external network (Internet) are monitored in addition to inbound communications (access to KEPCO's website, e-mail reception, etc.).]
This system detects the activities of a PC infected with a bot by constantly monitoring and analyzing communication packets.
p6
Overview of Outbound Content Security System Functions
[Figure: Timeline of bot activities on a PC infected with a bot. The first stage is communication with the command-issuing server; the later stage is frequent communication, probably by the bot, and transmission of internal information. The corresponding row for detection by the outbound content security system reads "not detected", then "communication detected", then "frequent communication detected".]
■ A bot-infected PC invariably communicates with the command-issuing server before transmission of internal information.
Breaches of confidential information can be prevented by identifying and investigating the PC that may be infected with a bot at the point at which communication was first detected.
p7
Operational Status and Evaluation of Outbound Content Security System
[Figure: Detection of illegal communication. A PC inside the company sends the following request towards the external network (Internet):
  GET / HTTP/1.1
  USER-AGENT: mozilla/4.0 sbot2.0
  http://xxx.fjdiso.com/ss/cc/cc?v=3&i=f2a3eac8&r=e382d820391ddbcaddefa873802
The system flags it both as access to a registered command-issuing server and as a registered communication pattern of a bot, and the system administrator proceeds to identification of the PC and investigation.]
■ KEPCO launched operation of the outbound content security system in August 2012.
■ So far, a number of incidents have been detected. Since the results of investigations of the PCs concerned showed that they were infected with malware, the malware was eliminated.
The introduction of the outbound content security system has made it possible to discover malware infections from the content of communications, even if the malware is unknown.
p8
Summary and Future Issues
■ Summary
The introduction of the outbound content security system has enabled the detection of malware infections even if the malware concerned is unknown and not identified by virus definition files.
As a result, it is now possible to discover the fact of malware infection at an early stage and prevent breaches of confidential information.
■ Future Issues
The outbound content security system overreacts, detecting even normal communications as communications carried out by malware, which increases the system operation workload.
=> We will determine optimum detection criteria to reduce incorrect detections caused by overreaction of the system.
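As an added illustration (not code from KEPCO's or NEC's system), the following Python applies the three detection criteria the slides describe, access to a registered command-issuing server, a registered bot communication pattern and frequent communication (slides 6 and 7), to a constructed proxy-log excerpt; the third PC trips only the frequency rule, which is the kind of overreaction the Future Issues slide refers to. Apart from the slide-7 host and user agent, the PC names, intranet host, log format and frequency threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy-log excerpt (not real KEPCO data): timestamp, source PC,
# destination host, request line, user agent. pc-0417 reproduces the
# request shown on slide 7; pc-0420 is a normal PC polling an intranet host.
SAMPLE_LOG = """\
2013-06-03T09:00:01 pc-0412 intranet.example.com "GET /portal HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1)"
2013-06-03T09:00:05 pc-0417 xxx.fjdiso.com "GET /ss/cc/cc?v=3&i=f2a3eac8&r=e382d820391ddbcaddefa873802 HTTP/1.1" "mozilla/4.0 sbot2.0"
2013-06-03T09:00:10 pc-0420 intranet.example.com "GET /portal/status HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1)"
2013-06-03T09:00:20 pc-0420 intranet.example.com "GET /portal/status HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1)"
2013-06-03T09:00:30 pc-0420 intranet.example.com "GET /portal/status HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1)"
2013-06-03T09:01:05 pc-0417 xxx.fjdiso.com "GET /ss/cc/cc?v=3&i=f2a3eac8&r=0c1d2e3f HTTP/1.1" "mozilla/4.0 sbot2.0"
2013-06-03T09:02:05 pc-0417 xxx.fjdiso.com "GET /ss/cc/cc?v=3&i=f2a3eac8&r=4a5b6c7d HTTP/1.1" "mozilla/4.0 sbot2.0"
"""

# Registered indicators as on slide 7 (host and user-agent string taken from the slide).
REGISTERED_C2_HOSTS = {"xxx.fjdiso.com"}
REGISTERED_BOT_PATTERNS = [re.compile(r"sbot2\.0", re.IGNORECASE)]
# Frequency criterion (assumed values): N requests to one host inside the window.
BEACON_THRESHOLD = 3
BEACON_WINDOW = timedelta(minutes=5)
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

def parse_line(line):
    """Split one constructed log line into (timestamp, src PC, host, request, user agent)."""
    ts, src, host, req, ua = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), src, host, req, ua

def detect(log_text):
    """Return {source PC: sorted reasons} for PCs whose outbound traffic matches
    a registered C2 host, a registered bot pattern, or the frequency criterion."""
    alerts = defaultdict(set)
    recent = defaultdict(list)  # (src, host) -> timestamps still inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, req, ua = parse_line(line)
        if host in REGISTERED_C2_HOSTS:
            alerts[src].add("registered command-issuing server")
        if any(p.search(ua) or p.search(req) for p in REGISTERED_BOT_PATTERNS):
            alerts[src].add("registered bot communication pattern")
        window = [t for t in recent[(src, host)] if ts - t <= BEACON_WINDOW] + [ts]
        recent[(src, host)] = window
        if len(window) >= BEACON_THRESHOLD:
            alerts[src].add("frequent communication (possible beaconing)")
    return {src: sorted(reasons) for src, reasons in alerts.items()}
```

Exempting intranet.example.com from the frequency criterion alone would remove the pc-0420 alert while the two indicator-based criteria still identify pc-0417.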
p9
Special Report Q & A
■ Q2-1: Will standardising communication protocols to support constant exchange of information and control commands between external consumers, their appliances and utilities, help prevent security incidents?
=> (Answer) No, we don't think so. We think it will increase the possibility of security incidents, because:
- Acquisition of technical skills related to standardised communication protocols is easier than for unique protocols.
- Exploitation techniques will also become common knowledge.
- Presently, attackers use common communication protocols such as HTTP and FTP to issue commands to, or exploit confidential information from, PCs they have successfully hacked.
- In the future, if communication protocols are standardised, the possibility of exploitation by attackers will increase, as we see nowadays.