
ecrisponsor.org/PPlibrary/ECRI-EP-005 Cyber Security.pdf

Document number: ECRI-EP-005

Cyber Security

Page 1 of 18

Revised: 19 November 2015

DISCLAIMER

Engineering & Construction Risk Institute, Inc., a nonprofit corporation incorporated under the laws of the District of Columbia (“ECRI”), and its directors, officers, employees and advisers make no representations or warranties (express, implied or statutory) with respect to the accuracy or completeness of any information disseminated thereby or its suitability for any purpose and assume no responsibility for the content of such information or the consequences of use thereof, which shall be at the sole risk of the user thereof. References by ECRI to other organizations or individuals or their publications, programs, information or services does not imply any ECRI endorsement thereof or of any policies or positions advocated thereby or therein.

ENGINEERING & CONSTRUCTION RISK INSTITUTE

PURPOSE:

This paper outlines basic cyber security issues and notes measures for addressing them.

INTRODUCTION:

This is an update of the paper of the same title posted on the ECRI Website in November 2013 which drew substantially upon the presentation by Tom Roell, Group Executive, Parsons, entitled “Cyber Security – An Emergent Area of Risk,” delivered at the ECRI Sponsors’ Meeting in Cape Town 5 December 2012. Since the posting of this initial Cyber Security paper, cyber threats have continued to grow exponentially (averaging 66% annually in 2009 through 2014). As recently noted by James Clapper, US Director of National Security Intelligence: “Cyber threats to US national and economic security are increasing in frequency, scale, sophistication and severity of impact.” As stated by the Verizon 2014 Data Breach Investigations Report: “[T]he bad news ..is that the cybercriminals and other attackers are getting better at what they do, while the security community is not improving its game quickly enough to keep pace….After analysing 10 years of data, we realize that most organizations cannot keep up with cybercrime – and that the bad guys are winning.” Cyber attackers have not changed their previously known methodologies (the most common of which are noted alphabetically in the Glossary at Appendix 1) but are becoming ever more sophisticated in circumventing organizations’ new cyber security mechanisms and now are more dangerous and pose more risk to organizations than ever. Notably, sophisticated APT attacks (explained in the Glossary at Appendix 1), previously only a nation-state espionage methodology, are becoming commonplace among cyber criminals to collect useable and saleable information such as retail customer profiles and credit card data.


DISCUSSION:

Trends

There is general agreement among cyber security experts that the top cyber threats and issues emerging in 2014-2015 are the following1:

• Technology Outpacing Security Mechanisms. Unmanaged deployment of cloud solutions within organizations is creating duplicated, security-deficient and incomplete repositories of information and gaps in the knowledge of the location of the information. This is enabling cyber criminals to use reputable services to bypass conventional digital defenses and even create cloud services of their own which attract unsuspecting users whose compromised data is then marketed by the cybercriminals. This problem will increase as the volume of information surges in the next two years. A significant emerging example is the fact that, notwithstanding the extent to which BYOD trends (Bring Your Own Device to the workplace, as discussed below) may be beneficial to collaboration, productivity and talent retention, they also present significant information security risks as malware residing on the BYOD migrates to an organization’s systems. Organizations must improve their management of the integration of BYOD into their systems or face disastrous consequences.

• Exploitation of Vulnerabilities. The discovery and exploitation of systemic vulnerabilities will continue to increase along with the malware by which nation state attackers or cybercriminals exploit them. There are now on-line international markets for these vulnerabilities as well as guidelines on how to exploit them. One example is the so-called “BERserk Vulnerability” which enables cyber criminals to circumvent RSA signature verification methodologies and insert cyber criminals as a man-in-the-middle between a banking website and a customer notwithstanding the bank’s confirmation to the customer of the confidentiality of the session. Another even more serious example is the so-called “Shellshock Vulnerability” enabling an attacker to issue arbitrary commands to UNIX and LINUX systems which are instrumental in running many flight systems, industrial controls and critical infrastructure (numerous systems of which are now connected to the internet and easily searchable). The full scope of this vulnerability is not yet fully understood but the US National Vulnerability Database rates its severity as 10 out of 10. By the date of the posting of this paper, most companies with sophisticated cyber defense capabilities have remediated the “Shellshock Vulnerability,” but this vulnerability, which can result in the complete compromise of an organization, underlines how important it is for organizations to have in place response plans which they can execute to respond to challenges like Shellshock.

• Attacks on Reputation. The Information Security Forum’s Threat Horizon 2015 Report predicts that “business practices will be scrutinized, not only by watchdog bodies, but also by employees, contractors and customers. More insiders will emerge as more people place their own ethics and perspectives above those of their employees. Criticism will go viral … and will attract hacktivists who will initiate sympathetic cyber attacks….Whether something actually happened is secondary; organizations will be guilty until proven innocent. And the impact will be independent of whether the false claims are intentionally malicious … or the result of honest mistakes.” An example of the above is reflected in the Minutes of the presentation at the 3 June 2015 Sponsors Meeting by Fluor and CH2M entitled “Worker Welfare: Human Rights Considerations for Treatment of Foreign Workers.”

• Increased Targeting of Mobile Devices. The targeting of the exponentially-increasing number of mobile devices is not yet a serious issue (except for Android devices) but is anticipated by all experts to become one commensurate with the expansion of new mobile technologies and the monetary transactions which they facilitate, such as point of sale digital payments. Open and commercially-available malware source codes are now available which will enable cyber criminals, with no programming experience, to create and modify threats. Vulnerabilities in the digital payment functionality of some mobile devices have already been publicized. Recommended responses to this coming threat emphasize the importance of visibility (to facilitate awareness of the devices) and controls (to be exercised if necessary to defend against an attack).

• “BYOD” (Bring Your Own Device (to your workplace)). The trend of employees bringing mobile devices into the workplace exacerbates external and internal cyber threats. These stem from mismanagement of the device, external manipulation of software vulnerabilities and the deployment of untested/unreliable business applications, resulting in disclosures due to the loss of boundaries between work and personal data and more business information being held in an unprotected manner and, thus, devices becoming launch pads for attacks into corporate networks. Securing every employee-owned mobile device may not be practical or desirable because these devices have proliferated so widely and yield cost savings and productivity gains, and management of employee devices raises privacy issues. An alternative mitigation is controlling where data is being sent and stored, thereby protecting sensitive data from being leaked or stolen.

• Data Privacy and Security Dynamics. Governmental efforts to address data privacy are reflected in the ever-expanding scope of data privacy rules replete with breach definitions and security specifications. The EU will lead this process with its 2016 Data Protection Regulations and other jurisdictions will follow with their own data protection laws imposing an increasingly costly and complex compliance burden on the private sector. One such complexity arises from the trend toward cloud computing services. Since Personally Identifiable Information protected by laws is often transferred across national borders and the referenced regulations vary among jurisdictions, companies need to resolve with their cloud provider where the information will be stored. In addition, the security controls applicable to unclassified information under US Defense Department Acquisition Regulation DFAR 204.3 are substantially more stringent than those applicable to the government agency itself and are likely to expand as agencies implement the guidelines issued in June 2015 by the National Institute of Standards and Technology entitled Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (NIST Special Publication 800-171). Recent EU data privacy decisions have created compliance uncertainties for companies which have not filed with the EU “Binding Corporate Rules” governing their data privacy regime.

• “The Internet of Things” (“IOT”). In recent years, personal computers and servers have been supplanted by mobile devices connected to the internet. The current trend reflects the surge in sensors, consumer devices, industrial control sensors and other “things” being connected to the internet to enhance the monitoring of businesses and personal matters. The IOT is estimated to encompass between 15 and 25 billion connections in 2016. Unfortunately, there is an automaticity to connecting “things” to the internet without assessing whether they were ever intended to be so connected, e.g., industrial control systems which were never intended to be on the internet in the first place and now, as a result, are open to cyber attacks. Particularly vulnerable are security updates, managed remotely by device manufacturers, which can risk compromising devices. Most “things” will not be sufficiently complex to run sophisticated software; thus, companies will need to use network-level monitoring to detect these devices and the security compromises which are affecting them.

• Ransomware will increase in infecting end points using cloud-based storage solutions and then exploiting the user’s cloud-based access credentials to encrypt data backed up in the cloud, rendering it inaccessible to the data owner until ransom is paid. Mobile devices will be a particular focus for this type of ransomware attack in light of the fact that mobile users increasingly depend on their devices for immediate access to critical information such as contacts, schedules, etc. Ransomware attacks are also being experienced in the internal systems of ECRI Sponsors which have a large amount of unstructured data, because cyber attackers are targeting mapped drives on file servers. If backups are not available, the business imperative to pay the ransom may be overwhelming.

• Failings of Defenders. Verizon analysis of actual cyberattack incidents disclosed that, in 2014, 99.9% of exploited vulnerabilities were compromised more than a year after publication of a CVE (Common Vulnerabilities and Exposures2) identifying the vulnerability and a patch to cure it. The continued exploitation of long-publicized vulnerabilities reflects the lag in schedules for patching myriad vulnerabilities rather than daunting technological challenges. The solution starts with the incorporation of CVE Identifiers into an organization’s security tools, which alerts the organization to the applicable CVE and enables it to prioritize the remediation of its vulnerabilities. At least two ECRI Sponsors now have rigorous time limits on the number of hours within which a patch must be installed.

• Defender Detection Deficit. Recent analysis by Verizon of nearly 80,000 incidents and over 2,000 breaches in 2014 disclosed that attackers are far quicker at finding and exploiting vulnerabilities than defenders are in discovering and cutting them off. In 80% of the incidents analyzed, attackers’ time to compromise was days or hours, while only 35% of breaches were detected by defenders in the same time frame. Even more concerning was data showing that this detection deficit between defenders and attackers has been increasing steadily over the past decade, a development which Verizon rates as one of the primary challenges of the security industry. A banner example of the latter was the recently-disclosed cyber espionage theft, likely by the Chinese government, of the personal data of 22 million persons including 5.6M sets of fingerprints from the US Government and the exfiltration of this data over a period of a year and a half before the breach was discovered.

• Cyber Security Staffing Challenges. Skilled cyber security managerial and technical positions will become harder to staff until the education system produces sufficient specialists and they acquire the necessary experience. Efforts to outsource the cyber security function will lead to loss by organizations of the capability to build and drive their own information strategy in order to meet the needs of the business and respond to emerging threats. As a result of these dynamics, companies now find their capable cyber security staffs inundated with job offers.

• Rogue Insider Concerns. Data analysis indicates that companies require, on average, 260 days to respond to insider attacks versus 170 days for other attacks and that resolution costs related to the former are far higher. Some previously-touted defenses have been shown, in practice, to be highly problematic, e.g., efforts to detect anomalies in employee conduct have been shown to produce too many false positives, and over-classification of data has been shown to swamp data-protection systems. More promising has been the modeling of user behavior based upon factors such as sick leave, reduced productivity or excessive spending for identifying personnel outside normal parameters.

• Exploitation of Trust. Legitimate internet use is based upon the trust which a user places in the bona fides of the addressees with which it is communicating. Cyber attackers continue to increase their cyber attacks to exploit this trust by camouflaging malware to make it appear to be legitimate, e.g., 5 million such malware incidents in Q3-2012 vs 40 million in Q3-2014. Users can no longer rely upon the trustworthiness of a single brand but must determine whether the trusted brand trusts other brands represented through the trusted brand’s on-line presence. For example, malicious advertisements appearing on popular websites such as YouTube and amazon.com implant Trojanware variants. Cyber attackers have also been successful in piggybacking malware onto legitimate communications from software providers, as occurred with the so-called “Flame Espionage Malware” which hijacked Microsoft’s Windows update mechanism for distributing security patches. In combatting this rampant trend, security products will need to allow customers to define what should and should not be trusted and provide flexible controls that give trusted actors greater permissions while limiting those of others.

• Secondary Attacks. Increasing in frequency are attacks upon one victim solely for the purpose of advancing a different attack on another victim. A prevalent example is the exploitation of the vulnerabilities of third party contractors and vendors as a means for accessing the main target’s data. This reality makes it incumbent upon companies to ensure, through due diligence and contractual arrangements, that their contractors and vendors have satisfactory cyber security regimes. Another widespread example is the hacking of a website in order to infect visitors to that website with malware.

• Sharing Threat Indicators. A growing trend is the sharing of cyber threat intelligence across business and other communities with a view towards alerting the community to the spread of an attack. This is potentially valuable as, based upon RiskAnalytics research, 75% of attacks spread from victim A to victim B within 24 hours and 40% of these attacks hit victim B within less than an hour. Obviously, the continuing challenge for such intelligence sharing schemes is the speed of these secondary attacks.

• Counterproductive Cyber Defense Measures. As previously noted under the subheading Rogue Insider Concerns, recent analysis indicates the over-classification of data and anomaly detection efforts have complicated rather than enhanced cyber defense. Another counterproductive measure has been Undifferentiated Cyber Alerts using “big data” analytic tools which sound alarms whenever something unusual occurs in the organization’s cyber space. This can easily overwhelm cyber defense resources, as is evident when it is noted that the average organization receives 16,937 alerts a week. Without sophisticated threat intelligence, most are forced to play “Russian Roulette” in guessing which alert to investigate. The retail outlet, Target, guessed wrong on one of its alerts, and information from 70 million of its customers was scraped at points of sale.

1 The discussion of Trends is drawn substantially from the following invaluable resources, all of which are accessible on the Internet: Verizon Data Breach Investigations Reports for 2014 and 2015; Georgia Tech Information Security Center and Georgia Tech Research Emerging Cyber Threats Reports for 2014 and 2015; Information Security Center Threat Horizon Reports for 2014 and 2015; McAfee Labs Threat Predictions for 2014 and 2015; and Security Watch. There are numerous other authoritative cyber security resources accessible on the Internet as the cyber security industry continues its meteoric growth.

2 The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly-known information security vulnerabilities. The system is maintained with funding from the US Department of Homeland Security National Cyber Security Division. See: https://en.wikipedia.org/wiki/Common-Vulnerabilities-and-Exposures.

Cyber Defense3

3 The discussion of Cyber Defense is drawn substantially from the presentation by Tom Roell, Group Executive, Parsons, at the December 2012 Sponsors Meeting as supplemented by the resources cited.


Cyber attacks cannot be stopped but can be reduced significantly by a cyber security culture and prudent cyber defense processes. Any meaningful cybersecurity program is subject to the following prerequisites:

• Senior Management Commitment. As is often said, “culture trumps process,” and without senior managerial buy-in to cyber defense, the program will be deficient in content and/or implementation. Leadership must understand that cybersecurity risk management is not merely an IT issue but a fundamental requirement critical to a company’s performance of its mission and business function. Leadership should establish an organizational risk tolerance and communicate it throughout the organization, including guidance on how risk tolerance impacts ongoing decision making, and hold senior company leaders accountable for their risk management decisions and for the implementation of effective, organization-wide risk management programs.

• Cybersecurity Expertise. Cyber threats may seem innumerable, infinitely varied and ever changing, but Verizon’s analysis of thousands of incidents over the last 10 years indicates that 96% of attacks fall into nine broad categories: miscellaneous errors; crimeware; insider misuse; physical theft/loss; web app attacks; denial of service; cyber espionage; point of sale intrusions; and payment card skimmers. The incidence of types of attacks varies widely across industries and across sectors within industries. The employment and/or retention of experienced professional expertise is critical in enabling a target to refine its defense strategies in order to optimize their effectiveness and cost efficiency. Cyber security expertise is also critical in providing guidance with respect to the software and hardware market and the daunting and exponentially growing cyber security risks and plethora of arcane terminology, guidelines, standards, organizations, publications and cyber security service providers in the marketplace. This is particularly true in light of the fact that each company’s cyber security program will need to be bespoke because there is no one-size-fits-all solution. Each company will need to design and implement controls to reflect its unique situation and cyber threat priorities.

• Defense in Depth. Over the past decade, companies have moved from deploying a firewall, anti-virus software and patch deployment systems to adopting a variety of other technologies: Security Information and Event Management (SIEM), data loss prevention, identity and access management, application firewalls and mobile device management. This technology-oriented focus drives cyber security costs ever higher. Cost reductions and enhanced and simplified data and network protection, however, are available through a more data-driven approach which focusses upon gathering more information on a business’s specific security situation and current threats. Attack vectors may be addressed by a company mapping its network and assets, then prioritizing defenses by value, vulnerability and criticality. These also may be addressed by kill-chain analysis to determine the steps necessary to target a company’s valuable intellectual property, with the goal of determining the current state of the network and assets, what an attacker may be targeting and the business impact if the attack is successful. For example, although 30% of artful phishing emails gain entry in approximately three minutes, “a successful phishing campaign requires a series of ‘and’ statements for every step in a campaign. With each added step, the probability of a system compromise goes down. For example, a user needs to take action AND there needs to be a vulnerability in the system AND software has to be quietly installed AND there has to be a communication path back to the attacker, and this is why…[a company needs a] ‘defense in depth’…[in order,] at each phase of the attack, [to]… increase the probability of detection and decrease the probability of success.”4
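The quoted chain of “AND” statements can be made precise as a product of per-step probabilities. The derivation below is added here and is not from the paper; the events $A_i$, the step probabilities $p_i$ and the detection probabilities $d_i$ are assumed notation, and every numerical value other than the paper’s 30% phishing entry rate is illustrative.

Let $A_1,\dots,A_4$ be the four events of the quoted chain (a user takes action; a vulnerability exists; software is quietly installed; a communication path back to the attacker exists), with $p_i = P(A_i \mid A_1,\dots,A_{i-1})$. A compromise requires every step, so

$$P(\text{compromise}) = P(A_1 \wedge A_2 \wedge A_3 \wedge A_4) = \prod_{i=1}^{4} p_i \;\le\; \min_i p_i ,$$

and each added step multiplies by a factor of at most one, which is why the probability of compromise goes down. With $p_1 = 0.30$ (the paper’s phishing entry rate) and illustrative $p_2 = 0.5$, $p_3 = 0.4$, $p_4 = 0.8$:

$$P(\text{compromise}) = 0.30 \times 0.5 \times 0.4 \times 0.8 = 0.048 .$$

Defense in depth places a detection control at each phase. If control $i$ catches step $i$ with probability $d_i$, independently of the other controls (an assumption), the attack evades all of them only with probability $\prod_i (1-d_i)$, so

$$P(\text{detected}) = 1 - \prod_{i=1}^{4}(1 - d_i), \qquad P(\text{undetected compromise}) = \prod_{i=1}^{4} p_i\,(1 - d_i) .$$

Four modest controls with $d_i = 0.5$ give $P(\text{detected}) = 1 - 0.5^4 = 0.9375$ and $P(\text{undetected compromise}) = 0.048 \times 0.0625 = 0.003$, against $0.048$ with no controls: each layer raises the probability of detection and lowers the probability of success, as the quotation states.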
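One way to turn “prioritizing defenses by value, vulnerability and criticality” into a repeatable ranking, which also applies the earlier Failings of Defenders point about feeding CVE identifiers into security tools and enforcing an hours-based patch deadline. This is an added example, not ECRI’s or any sponsor’s code; the inventory, advisories, severity weights and the 72-hour deadline are constructed, and the CVE identifiers are placeholders of the form CVE-0000-000N.

```python
"""Asset-risk ranking from an asset inventory and a list of CVE advisories.

Added example (not ECRI's code). All inventory, advisory, severity and
deadline values are constructed; CVE ids use the placeholder form CVE-0000-000N.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Advisory:
    cve_id: str            # placeholder identifier (constructed)
    product: str           # affected product name as it appears in the inventory
    fixed_version: str     # first version that is no longer vulnerable
    severity: float        # CVSS-style base score, 0-10
    published: datetime    # date the CVE was published


@dataclass
class Asset:
    name: str
    value: int             # business value of the asset, 1 (low) to 5 (high)
    criticality: int       # operational criticality, 1 (low) to 5 (high)
    software: dict         # product name -> installed version string


def version_tuple(version: str) -> tuple:
    """Turn '4.3.25' into (4, 3, 25) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def open_advisories(asset: Asset, advisories: list) -> list:
    """CVEs that apply to an asset: product installed and version below the fix."""
    return [
        adv for adv in advisories
        if adv.product in asset.software
        and version_tuple(asset.software[adv.product]) < version_tuple(adv.fixed_version)
    ]


def overdue(advisory: Advisory, now: datetime, deadline_hours: int) -> bool:
    """True when the patch deadline (hours after CVE publication) has passed."""
    return now - advisory.published > timedelta(hours=deadline_hours)


def risk_score(asset: Asset, advisories: list, now: datetime, deadline_hours: int) -> float:
    """value x criticality x vulnerability, where vulnerability sums the severities
    of open CVEs and doubles those already past the patch deadline."""
    vulnerability = 0.0
    for adv in open_advisories(asset, advisories):
        weight = 2.0 if overdue(adv, now, deadline_hours) else 1.0
        vulnerability += adv.severity * weight
    return asset.value * asset.criticality * vulnerability


def prioritise(assets: list, advisories: list, now: datetime, deadline_hours: int = 72) -> list:
    """Return (asset name, score, overdue CVE ids) rows, highest score first."""
    rows = []
    for asset in assets:
        score = risk_score(asset, advisories, now, deadline_hours)
        late = [adv.cve_id for adv in open_advisories(asset, advisories)
                if overdue(adv, now, deadline_hours)]
        rows.append((asset.name, score, late))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample data: a three-asset inventory and three advisories.
NOW = datetime(2015, 11, 19)
ADVISORIES = [
    # Over a year old and rated 10 of 10: the long-unpatched case behind the 99.9% figure.
    Advisory("CVE-0000-0001", "ShellPkg", "4.3.30", 10.0, datetime(2014, 9, 24)),
    # Published yesterday: still inside a 72-hour patch window, so not yet overdue.
    Advisory("CVE-0000-0002", "WebApp", "2.2.0", 7.5, datetime(2015, 11, 18)),
    # Already fixed on the only asset that runs the product.
    Advisory("CVE-0000-0003", "VPNClient", "1.0.3", 8.0, datetime(2015, 10, 1)),
]
ASSETS = [
    Asset("file-server-01", value=5, criticality=5,
          software={"ShellPkg": "4.3.25", "WebApp": "2.1.0"}),
    Asset("hr-laptop-17", value=3, criticality=2, software={"VPNClient": "1.0.3"}),
    Asset("kiosk-03", value=1, criticality=1, software={"ShellPkg": "4.3.25"}),
]

if __name__ == "__main__":
    for name, score, late in prioritise(ASSETS, ADVISORIES, NOW):
        print(f"{name:15s} score={score:7.1f} overdue={late}")
```

The kiosk and the file server carry the same year-old CVE, but the ranking puts the file server first because value and criticality multiply the vulnerability term.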

• Essential Cyber Defense Measures.

-- Prevention by implementation of the preventative measures listed in the NIST Standard5 or other authoritative standard, enhanced by the latest intelligence, to prevent a cyber attacker from gaining a foothold in a company’s network.

-- Detection by application of people, processes and technology to correlate vast quantities of data to alert cyber security specialists rapidly to malicious activity taking place.

-- Remediation by implementation of measures to overcome and recover from a successful intrusion.

-- Monitoring and Reporting through application of technology (hardware and software) and analysts to sift through vast amounts of data to ascertain the current security status of the network and report, continuously, any malicious activity detected to personnel responsible for incident handling and response procedures to isolate, eliminate and recover from an attack.

-- Incident Handling and Response through application of processes and procedures by the incident response team to identify the who, what, when, where and why of the incident and isolate and contain the attack, followed by execution of eradication procedures to recover from the attack while maintaining network availability for business purposes.

-- Collection, analysis and sharing of incident data to create a rich information source that can drive security program effectiveness.

4 Verizon, 2013 Data Breach Investigations Report, p. 38.

5 U.S. National Institute of Standards and Technology, Managing Information Security Risk (March 2011), NIST Special Publication 800-39 (accessible at http://nvrpubs.nistpubs/ir2013NIST.IR7298r2.pdf); and Federal Information Processing Standards (FIPS), description accessible at http://en.wikipedia.org/wiki/FIPS_140-2.


-- Regular measurement of the number of compromised systems and mean time to

detection to drive better practices.

-- Reporting, as appropriate, of significant cyber attacks to applicable national law

enforcement bodies.

-- Network Analysis via monitoring network traffic to detect what is happening or may have

happened previously.

-- Host Forensic Analysis of possibly compromised hardware devices in order to preserve

evidence for analysis in determining impacts upon the device.

-- Code Forensic / Malware Analysis of captured specimens of malware using special tools to

detect the code used in writing the malware, its operational characteristics and clues to its origin.

-- Vulnerability Assessment and Management through defining, identifying and classifying the

vulnerabilities of computers/networks to enhance the ability to manage risk associated with

vulnerabilities.

-- Cyber security Training for Personnel to incorporate security awareness training into personnel.

-- Countering Insider Attacks through conventional vetting of employee integrity, encouragement

of employees to report suspicious conduct, limitation of employees’ privileges to those necessary to

perform their job, efforts to control use of unapproved hardware and cancellation of network access as

part of standard employee termination processes.6

-- Cyber Threat Intelligence involving, for example, learning what known attackers are likely to do

and how far they are willing to go.”7 Potentially useful to cyber threat intelligence are cyber threat

information exchanges through participation in a group that shares information relating to cyber threats

while maintaining company confidentiality. Such a group might be privately coordinated, such as the

Information Security Forum, or government–sponsored as are the ten such US organizations noted

below.8 In addition, the annual reports of authoritative organizations on recent and likely imminent cyber

attacks are also potentially valuable intelligence resources.9 The “AEC Council” has been established

to share cyber security challenges and is comprised, to date, of: Parsons, Jacobs, CH2M, Parsons

6 See: Common Sense Guide to Mitigate Insider Threats,CERT Insider threat center, Carnegie Mellon University Software Engineering Institute. 7 Verizon, 2013 Data Breach Investigations Report, p.48. 8 Defense Intelligence Base (DIB); DIB Collaborative Information Sharing Environment (DCISE); DIB Cyber Pilot; DHS-Computer Emergency Response Team (CERT); Industrial Controls Systems Joint Working Group (ICSJWG); Information Sharing and Analysis centers (ISAC); Cyber Threat Intelligence Coordinating Group (CTICG); National Cybersecurity and Communications Integration center; and DOD Joint Cybersecurity Services Pilot (JCSP). 9 See Footnote 1 in this paper.

Page 10: ENGINEERING & CONSTRUCTION RISK INSTITUTEecrisponsor.org/PPlibrary/ECRI-EP-005 Cyber Security.pdf · Document number: ECRI-EP-005 Cyber Security Page 1 of 18 Revised: : 19 November

Document number:

ECRI-EP-005

Cyber Security

Page 10 of 18

Revised: 19 November 2015

ENGINEERING & CONSTRUCTION RISK INSTITUTE

Brinckerhoff, Fluor, CB&I, Arkadis, and Bechtel, but other companies are welcome to participate. The

CSO’s in these companies are meeting regularly to discuss common concerns.

-- Security Information and Event Management (SIEM) through the use of automated SIEM tools to enhance data aggregation, correlation, alerting, dashboards, compliance and retention.10

-- Cyber Defense Mantras:

   -- Offense Informs Defense: Use knowledge of actual attacks which have compromised systems to provide the foundation for an effective defense;

   -- Metrics11: Establish common metrics to provide a shared language for executives, IT specialists, auditors and security officials to measure the effectiveness of security measures and adjust them promptly as necessary.

   -- Continuous Monitoring: Conduct continuous monitoring/auditing to test and validate whether security measures are proactively and timely remediating vulnerabilities.

   -- Automation: Automate defenses so that the organization can achieve reliable, scalable and continuous measurement of adherence to the controls and related metrics.
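The measurement, SIEM and mantra points above (counting affected systems, measuring mean time to detection, and correlating aggregated logs into alerts) can be shown concretely in a few lines. The following is an added example written for this page, not code from the ECRI paper or from any SIEM product; the log line format, hostnames, addresses, the five-failure threshold and the one-minute window are all constructed assumptions, and the "time to detection" computed here is the gap between the first suspicious event and the alert that a correlation rule raises on it.

```python
"""Added example (not from the ECRI paper): a minimal SIEM-style correlation
rule over constructed log lines, plus the two metrics the paper names,
number of systems flagged and mean time to detection (MTTD)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (not real data).
SAMPLE_LOGS = """\
2015-11-19T08:00:01 ws-017 sshd FAILED_LOGIN user=admin src=10.0.5.23
2015-11-19T08:00:03 ws-017 sshd FAILED_LOGIN user=admin src=10.0.5.23
2015-11-19T08:00:05 ws-017 sshd FAILED_LOGIN user=admin src=10.0.5.23
2015-11-19T08:00:06 ws-017 sshd FAILED_LOGIN user=admin src=10.0.5.23
2015-11-19T08:00:08 ws-017 sshd FAILED_LOGIN user=admin src=10.0.5.23
2015-11-19T08:00:09 ws-017 sshd LOGIN_OK user=admin src=10.0.5.23
2015-11-19T08:15:00 srv-db1 sshd FAILED_LOGIN user=backup src=10.0.9.9
2015-11-19T09:30:00 srv-db1 sshd LOGIN_OK user=backup src=10.0.9.9
"""


def parse_line(line):
    """Split one constructed log line into a dict (aggregation step)."""
    ts, host, proc, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "event": event, **fields}


def correlate_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Correlation rule: raise an alert when at least `threshold` failed
    logins from one source to one host fall inside `window` and are then
    followed by a successful login from the same source.  Threshold and
    window are assumed values for illustration."""
    events = [parse_line(l) for l in lines.splitlines() if l.strip()]
    failures = defaultdict(list)  # (host, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        key = (e["host"], e["src"])
        if e["event"] == "FAILED_LOGIN":
            failures[key].append(e["ts"])
            # Keep only failures still inside the sliding window.
            failures[key] = [t for t in failures[key] if e["ts"] - t <= window]
        elif e["event"] == "LOGIN_OK" and len(failures[key]) >= threshold:
            alerts.append({"host": e["host"], "src": e["src"], "user": e["user"],
                           "first_failure": failures[key][0],
                           "detected_at": e["ts"]})
            failures[key].clear()
    return alerts


def mean_time_to_detection(alerts):
    """MTTD in seconds: average gap between first suspicious event and alert."""
    if not alerts:
        return 0.0
    gaps = [(a["detected_at"] - a["first_failure"]).total_seconds() for a in alerts]
    return sum(gaps) / len(gaps)


def metrics(lines):
    """The dashboard numbers: alert count, distinct hosts flagged, MTTD."""
    alerts = correlate_brute_force(lines)
    return {"alerts": len(alerts),
            "hosts_with_alerts": len({a["host"] for a in alerts}),
            "mttd_seconds": mean_time_to_detection(alerts)}


if __name__ == "__main__":
    for a in correlate_brute_force(SAMPLE_LOGS):
        print(f"ALERT {a['host']} user={a['user']} src={a['src']} "
              f"first_failure={a['first_failure']} detected={a['detected_at']}")
    print(metrics(SAMPLE_LOGS))
```

On the constructed sample the rule fires once (ws-017) and not for srv-db1, whose single failure followed by a success stays below the threshold; tracking MTTD over time is what turns the rule from a one-off alert into the measurement the paper asks for.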

Standards and Controls

As noted above, there is a daunting array of recommended standards and controls for cyber defense tools and processes, navigation through which calls for professional cyber security guidance in selection and implementation. Examples are:

-- The highly authoritative but encyclopedic standards contained in the (US) National Institute for Standards Special Publication Series 800-39 entitled Managing Information Security Risk (NIST Standards), the US Federal Information Processing Standards (FIPS)12 and the US Defense Department Acquisition Regulation DFAR 204.3 applicable to US Government contractors.

-- The information security management system standard issued by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) entitled ISO/IEC 27001, Information Technology – Security Techniques – Information Security Management Systems – Requirements and ISO/IEC 27005, Information Technology – Security Techniques – Information Security Risk Management Systems. These are formal specifications mandating specific requirements, and certifications of compliance may be obtained from accredited certification and auditing organizations such as SRI (see: http://www.sriregistrar.com). Numerous related ISO/IEC standards addressing specific cyber security applications are listed at http://iso27001security.com/.

10 See: Enumeration of SIEM capabilities in Wikipedia at http://en.wikipedia.org/wiki/Security_information_and_event_management
11 Internet-accessible examples of metrics include Verizon’s Vocabulary for Event Recording and Incident Sharing (VERIS).
12 See Note 9.

-- The Standard of Good Practice issued and updated annually by the Information Security Forum (ISF), a London-based membership organization with a staff resident in several cities around the world which coordinates programs for its members, who are organized into regional chapters. This Standard also covers requirements from other standards such as the “Critical Security Controls” (discussed below), the UK Government’s “10 Steps to Cyber Security,” the British Standards Institution’s PAS 555 and the Australian Government’s “Strategies to Mitigate Targeted Cyber Intrusions.” ISF maintains that its Standard of Good Practice is “the most business-focused all-in-one source of information security controls available, enabling organizations to adopt good practice in response to evolving threats [such as those arising from the introduction of mobile devices in the workplace and the development of cloud infrastructure] and changing business requirements.”

-- Industry-specific cyber security standards such as the North American Electric Reliability Corporation (NERC) Cyber Security Standards and the PCI Data Security Standard (PCI DSS), which provides guidance for establishing a payment card data security process, the British Standards Institution’s PAS 555 and the Australian Government’s “Strategies to Mitigate Targeted Cyber Intrusions.”

“Critical Security Controls” (“CSC”)

In implementing the Cyber Defense Measures noted above, a company may wish to refer to the “Critical Security Controls” (formerly known as the “SANS Top 20 Critical Security Controls” and now in their fifth iteration) which reflect a distillation by a broad consensus of public and private sector experts of those controls encompassed in the comprehensive NIST Standards referenced above which have been proven to have high payoff and to support large-scale, standards-based security automation for the management of cyber defense. They provide a prioritized, risk-based approach to security based upon actual threats with focus upon automation to provide cost efficiency, measurable results, scalability and reliability.

The Critical Security Controls are listed below along with an explanation of their rationale. The CSC website is a model of clarity and contains a detailed explanation of the reasons for the criticality of each control, how to implement it, procedures and tools for implementation, effectiveness metrics, automation metrics, effectiveness tests and a system entity relationship diagram. Implementation of at least the first five has been shown to prevent 85% of successful cyber attacks. Cyber security service providers, such as McAfee, offer proprietary programs to facilitate the implementation of each of the Critical Security Controls, and Verizon monitors their proven effectiveness annually.

CSC 1. Inventory of Authorized and Unauthorized Devices – Actively manage (inventory, track and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized devices are found and prevented from gaining access.

CSC 2. Inventory of Authorized and Unauthorized Software – Actively manage (inventory, track and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

CSC 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers – Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers and workstations using a rigorous configuration management and control process in order to prevent attackers from exploiting vulnerable services and settings.

CSC 4. Continuous Vulnerability Assessment and Remediation – Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. Potentially useful to cyber threat intelligence are cyber threat information exchanges through participation in a group that shares information relating to cyber threats while maintaining company confidentiality, such as the “AEC Council” described on page 8 of this paper, or the Information Security Forum, or government-sponsored groups such as the ten noted below.13 In addition, as previously noted, the annual reports of authoritative organizations on recent and likely imminent cyber attacks are also potentially valuable intelligence resources.

CSC 5. Malware Defenses – Control the installation, spread and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

CSC 6. Application Software Security – Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect and correct security weaknesses.

CSC 7. Wireless Device Control – Use processes and tools to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.

CSC 8. Data Recovery Capability – Use processes and tools to properly back up critical information with a proven methodology for timely recovery of it.

13 Defense Intelligence Base (DIB); DIB Collaborative Information Sharing Environment (DCISE); DIB Cyber Pilot; DHS Computer Emergency Response Team (CERT); Industrial Control Systems Joint Working Group (ICSJWG); Information Sharing and Analysis Centers (ISAC); Cyber Threat Intelligence Coordinating Group (CTICG); National Cybersecurity and Communications Integration Center; and DOD Joint Cybersecurity Services Pilot (JCSP).

CSC 9. Security Skills Assessment and Appropriate Training to Fill Gaps – For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training and awareness programs.

CSC 10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches – Establish, implement and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

CSC 11. Limitation and Control of Network Ports, Protocols, and Services – Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

CSC 12. Controlled Use of Administrative Privileges – Use processes and tools to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks and applications. These processes include conventional vetting of employee integrity, encouragement of employees to report suspicious conduct, limitation of employees’ privileges to those necessary to perform their job, efforts to control use of unapproved hardware and cancellation of network access as part of standard employee termination processes.14

CSC 13. Boundary Defense – Detect/prevent/correct the flow of information transferring between networks of different trust levels with a focus on security-damaging data.

CSC 14. Maintenance, Monitoring, and Analysis of Security Audit Logs – Collect, manage and analyse audit logs of events that could help detect, understand or recover from an attack.

CSC 15. Controlled Access Based on the Need to Know – Use processes and tools to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers and applications have a need and right to access these critical assets based on an approved classification.

CSC 16. Account Monitoring and Control – Actively manage the life-cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.

CSC 17. Data Loss Prevention – Use processes and tools to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.

CSC 18. Incident Response and Management – Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

14 See: Common Sense Guide to Mitigate Insider Threats, CERT Insider Threat Center, Carnegie Mellon University Software Engineering Institute. http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=34017

CSC 19. Secure Network Engineering – Make security an inherent attribute of the enterprise by specifying, designing, and building-in features that allow high confidence systems operations while denying or minimizing opportunities for attackers.

CSC 20. Penetration Tests and Red Team Exercises – Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
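Two of the controls listed above reduce to a check that can be automated and measured, which is the point of the CSC emphasis on automation: CSC 1 (compare what is actually seen on the network against the authorized hardware inventory) and CSC 16 (find enabled accounts that have gone dormant). The following is an added example written for this page, not code from the ECRI paper or from the Critical Security Controls project; the inventory entries, MAC addresses, lease records, account names, the 90-day dormancy threshold and the report date are all constructed assumptions.

```python
"""Added example (not from the ECRI paper or the CSC project): two control
checks over constructed data -- CSC 1 (unauthorized devices on the network)
and CSC 16 (dormant but still enabled accounts)."""
from datetime import datetime, timedelta

# Constructed authorized hardware inventory: MAC address -> asset record.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "ASSET-1001 laptop",
    "00:11:22:33:44:02": "ASSET-1002 workstation",
    "00:11:22:33:44:03": "ASSET-1003 printer",
}

# Constructed observations, as one might export from a DHCP server or a
# switch MAC table: (MAC, IP).  One entry is deliberately not in inventory.
OBSERVED_LEASES = [
    ("00:11:22:33:44:01", "10.0.1.10"),
    ("00:11:22:33:44:03", "10.0.1.12"),
    ("AA:BB:CC:DD:EE:FF", "10.0.1.77"),
]

# Constructed account records: name -> (last successful login, enabled flag).
ACCOUNTS = {
    "alice":   (datetime(2015, 11, 10), True),
    "bob":     (datetime(2015, 6, 1), True),    # no login for months
    "svc-bkp": (datetime(2015, 2, 14), True),   # stale service account
    "carol":   (datetime(2015, 5, 1), False),   # already disabled, not a finding
}

# Constructed report date (the paper's revision date).
NOW = datetime(2015, 11, 19)


def unauthorized_devices(observed, inventory):
    """CSC 1: every observed MAC that is not in the authorized inventory."""
    return sorted({mac.lower() for mac, _ip in observed
                   if mac.lower() not in inventory})


def missing_devices(observed, inventory):
    """Inventory entries never seen on the network: either offline assets or
    a stale inventory, both worth reconciling before the next review."""
    seen = {mac.lower() for mac, _ip in observed}
    return sorted(mac for mac in inventory if mac not in seen)


def dormant_accounts(accounts, now=NOW, max_idle=timedelta(days=90)):
    """CSC 16: enabled accounts with no successful login within max_idle.
    Disabled accounts are skipped; they are already handled."""
    return sorted(name for name, (last_login, enabled) in accounts.items()
                  if enabled and now - last_login > max_idle)


def control_report(observed, inventory, accounts, now=NOW):
    """Bundle the three findings so they can be trended as metrics."""
    return {
        "unauthorized_devices": unauthorized_devices(observed, inventory),
        "missing_devices": missing_devices(observed, inventory),
        "dormant_accounts": dormant_accounts(accounts, now),
    }


if __name__ == "__main__":
    for finding, items in control_report(OBSERVED_LEASES, AUTHORIZED_DEVICES,
                                         ACCOUNTS).items():
        print(f"{finding}: {items if items else 'none'}")
```

Run on a schedule, the three lists become the kind of metric the Continuous Monitoring mantra calls for: the counts should trend toward zero, and any unauthorized device or dormant enabled account that persists across runs is a tracked exception rather than an unknown.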

Cyber Security Insurance?

Cyber security insurance coverage is available in quantity at modest premiums and was useful to one ECRI Sponsor in covering the costs of recovery from a successful data breach which was corroborated by the FBI. The Georgia Tech Emerging Cyber Threats Report 2014, however, notes that “a lack of actuarial data on cyber attacks, the difficulty in quantifying damages, and disagreement on which security measures actually reduce the risk of a breach all make cyber insurance hard for many companies to justify as an expense.” Despite these reservations, this market appears to be maturing rapidly as a potentially significant future mitigator of cyber security risk.


APPENDIX 1 GLOSSARY OF SOME COMMONLY USED CYBER SECURITY TERMS

Advanced Persistent Threats (APT).1 APT comprises a process employing a full menu of malware to gain and maintain access to cyber networks in order to steal data for an indefinite period and/or control a network including shutting it down. Previously, APT attacks were associated with governmental espionage programs but in 2014-2015, they have also become common tools for criminal enterprises. APT generally starts with a phishing campaign. Once backdoor access to a target’s network systems is established, the cyber attacker can send commands to the systems from outside the network which initiate outbound connections to the intruder’s command and control server thereby circumventing the target’s firewalls against external intrusions and essentially enabling the intruder to run wild in the target’s system.

These activities are a predicate to the next phase in which the intruder seeks to expand the intrusion into more resources in the network by obtaining usernames and passwords; gaining access to PKI certificates, VPN client software, privileged computers and other resources required to access data or systems with a preference for the privileged accounts, such as those of domain administrators, service accounts with domain privileges, local administrator accounts and privileged user accounts. In this phase, the intruder inundates the target system with algorithms aimed at discovering the “password hash” (mathematically generated from users’ passwords). This occurs simultaneously with the targeting of file servers, email servers and domain servers to obtain information on the target environment, i.e., internal networks, computers, trust relationships, users and groups. Techniques may include the performance of directory or network share listings, data search by file extension, key words and last-modified data. Some APT groups have developed custom scripts which automatically conduct the reconnaissance and data retrieval. The attacker then moves to other computers containing desired data or facilitating access to it in order to assure continuation of access to key systems from outside the network via the installation of new backdoors, varieties of malware on multiple computers and alternative command and control addresses and the use of valid VPN and PKI credentials, all in the interest of promoting survivability and redundancy and countering the target’s cyber security measures. In the final phase, the APT intruder typically compresses and packs the data into archive files (which the intruder may also password protect) and transfers these out of the network using existing backdoors, FTP and custom file transfer tools.

BotNet – A collection of internet-connected computers whose security defenses have been breached and control ceded to a malicious party. Each computer (a “bot”) is compromised through penetration by software from a malicious distribution. The controller of a botnet is then able to direct the activities of these computers through communication channels formed by standards-based network protocols.

Hacktivism – Attacks by a large variety of politically and ideologically-driven attackers on prominent organizations, such as ECRI Sponsors, for the purpose of disrupting their operations or otherwise injuring them.

Keystroke Logging – The recordation and transmission to a cyber attacker of every key pressed on a computer.

Phishing – “Phishing” is a so-called “social engineering” cyber attack technique which seeks to exploit the trust of an email recipient in order to gain access to valuable information, often by inducing the recipient to click on an attachment which implants malware in the target’s system. Objectives may be bank account data or, as is increasingly prevalent, the establishment of a persistent presence inside a target’s network facilitating undetected roaming therein by the attacker. Phishing accounts for more than two-thirds of all cyber attacks and more than 95% of those sponsored by governments. Security awareness training for employees can reduce but not eliminate phishing vulnerabilities. Research indicates that 23% of recipients now open phishing messages and 11% click on attachments. Phishing vulnerabilities will be exacerbated by the massive growth in the so-called “Internet of Things” in which machines (an estimated 50 billion by 2020), rather than persons, will be communicating with each other and assessing a sender’s trustworthiness. Although phishing cannot be completely prevented, post-phishing defenses provide opportunities to neutralize the attack as previously noted in this paper.

RAM-scrapers – A type of malware which targets information stored in memory as opposed to information saved on a hard drive or being transmitted over a network, which is generally encrypted and hence inaccessible to attackers. RAM-scraper attacks have surged in the past three years as reflected in the 2013 RAM-scraper attack on Target in which the personal information of 70 million people was stolen. RAM-scraper attacks occur in the brief interval during which POS software temporarily decrypts data in order to enter the transaction information. These attacks can stem from exploitation of unpatched vulnerabilities or malware imported into the system via other attack techniques.

Ransomware – Software that holds a computer system captive by encrypting files on the hard drive or locking down the system while displaying a notice that the system owner can pay a ransom to the cyber attacker to regain access to its computer system.

Rootkit – A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means and take full charge of the computer in order to, among other things, remotely execute files, access/steal information, modify system configurations, alter software including software that might detect the rootkit, install other concealed malware or control the computer as part of a botnet.

Spyware – Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge.

Spoofing – “IP spoofing” refers to sending a network packet that appears to come from a source other than its actual source. Various forms of spoofing include impersonating, masquerading, piggybacking, and mimicking. Its purpose is to gain illegal entry into a secure system and induce a user to take incorrect action.

Trojan Horse – A computer program that appears to have a useful or innocuous function, but contains hidden code to exploit or damage a computer system. It neither replicates nor copies itself but is intended to stay in the system damaging or exploiting it by, for example, allowing a cyber attacker from a remote site to install a rootkit to take control of the system or infect a system with a virus.
Virus – A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use email programs to spread itself to other computers, or even erase everything on a hard disk.

Watering Hole Attacks – An attack intended to compromise a host or organization solely as a stepping stone into another more secure organization, which is the ultimate target. This may involve implanting malware in a website which the ultimate target is known to frequent, such as an energy research forum. The malware can then be delivered via SSL to the ultimate target inside valid content such as a research PDF, thereby bypassing two or more layers of the ultimate target’s defence. A common services vendor may also be targeted to perform the same attack.

Worm – A self-contained program (or set of programs) that uses networking mechanisms to spread copies of itself to other computer systems. Unlike viruses, worms are not dependent upon actions by the computer user. In addition to spreading itself, a worm can consume network or local system services, cause a denial of service attack and deliver other malware.

Zero-day Vulnerability – An undisclosed or uncorrected computer application vulnerability that can be exploited to adversely affect the computer programs, data, additional computers or a network through the insertion of malware. The term is derived from the fact that once a flaw becomes known, the programmer or developer has zero days to fix it. Such attacks may occur before the author of the code is aware of the vulnerability or in the interval between the time when a vulnerability is disclosed to users of the code and the availability of a patch for it.