AGCS Expert Days 2013

IT Security – The Industry in the Focus of Cyber Attacks

Lars Kroll, Dipl.-Ing. (FH), Cyber Security Strategist

Symantec Deutschland GmbH

Why Targeted Attacks are the PRIMARY threat


MAY 2012


Attackers have evolved

From the hacker to professional attackers


Hidden Lynx: Attackers for hire


Well resourced: 50-100 people

Diverse range of targets

Concurrent campaigns

Can penetrate tough targets

Hidden Lynx: Different teams


Team Naid: Elite, Precise, Surgical
Uses: Trojan.Naid
Scope: Special operations (small team)
Targets: Information of national interest
Examples: Bit9 attack, Operation Aurora

Team Moudoor: Skilled, Prolific, Indiscriminate
Uses: Backdoor.Moudoor (custom "Gh0st RAT")
Scope: Wide-scope attacks (large team)
Targets: Financial sector, all levels of government, healthcare, education and legal

Targeted Attacks up 42% (year over year)

Targeted Attacks by Company Size

Share of targeted attacks by number of employees:

  2,501+             50%
  1,501 to 2,500      9%
  1,001 to 1,500      2%
  501 to 1,000        3%
  251 to 500          5%
  1 to 250           31%  (up from 18%)

In other words: 50% of targeted attacks hit companies with 2,501+ employees and 50% hit companies with 1 to 2,500 employees.

Targeted Attacks by Industry (most-targeted first)

  • Manufacturing
  • Finance, Insurance & Real Estate
  • Services – Non-Traditional
  • Government
  • Energy
  • Services – Professional
  • Wholesale
  • Retail
  • Aerospace
  • Transportation, Communications

Anatomy of a Targeted Attack

Reconnaissance → Incursion → Discovery → Capture → Exfiltration

Industrial IT: What is so special?


Change of Industrial Systems ...


Source: Koramis AG

... has a Direct Impact on the Automation System

• Integration of business and technical processes

• Overlap with classical IT techniques and methods

Two Worlds – Main Differences


Business Network: Confidentiality > Integrity > Availability

Production Network: Availability > Integrity > Confidentiality

Two Worlds – Main Differences

                       Business IT               Industrial IT
Latency                Limited relevance         Highly critical
Patch management       Often, up to daily        Rarely; often needs additional approval from the 3rd-party vendor
Management             Centralized               Often standalone
Life time              3-5 years                 5-20 years (unsupported OS like NT and older)
System changes         Often                     Rarely
Availability           Reboot is acceptable      24 x 7 x 365
Virus protection       Standard                  Complex, often not possible
Awareness              Good                      Poor
Vulnerability checks   Standard                  Rarely and complex (availability)

Searching for Vulnerabilities

Attack surface of an industrial system: both the control system and the actuator consist of software, an operating system and hardware, and the communication between them is a further layer that can be attacked.

Vulnerabilities on SCADA Systems

  • Unauthorised modification
  • Malicious software
  • Code injection
  • Privilege escalation
  • Inject commands
  • Man-in-the-middle
  • Denial of service

How hard is it to hack an industrial facility ?


Shodan – Search Engine of ‘Things’

Green = ICS system connected to the Internet.
Red = ICS system with a known vulnerability.

Source: Quantitatively Assessing and Visualising Industrial System Attack Surfaces, E. P. Leverett, http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf

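Leverett's map classifies Internet-reachable control systems by whether a known vulnerability applies to the identified product and firmware version. As an added example (not code from the slides or from the paper), the script below performs the same green/red classification over Shodan-style host records: the protocol/port table is real, while the host records, the banner fingerprints (`SIGNATURES`) and the advisory table (`KNOWN_VULNERABLE`) are constructed for this example.

```python
"""Classify Shodan-style host records as on the Leverett map: green for an
ICS service reachable from the Internet, red for one that also matches a
known-vulnerable product version.

Added example, not code from the slides or from Leverett's paper. The host
records, the banner fingerprints and the known-vulnerable table are all
constructed for this example; only the protocol/port assignments are real.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Real port assignments of common ICS protocols: the first hint that a
# reachable service belongs to an industrial device rather than an office host.
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "S7comm (ISO-TSAP)",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed banner fingerprints: (regex, product key). Group 1 is the
# firmware version. The strings are shaped like real banners but are not
# vendor-exact; a real survey fingerprints each product family.
SIGNATURES = [
    (re.compile(r"SIMATIC S7-300.*?Firmware:\s*V?(\d+\.\d+\.\d+)", re.I), "siemens-s7-300"),
    (re.compile(r"Modicon M340.*?\bv(\d+\.\d+)", re.I), "schneider-m340"),
    (re.compile(r"Allen-Bradley.*?ControlLogix.*?\bv?(\d+\.\d+)", re.I), "rockwell-controllogix"),
]

# Constructed advisory table: product -> highest firmware version affected by
# a published vulnerability (inclusive). Stand-in for a real advisory feed.
KNOWN_VULNERABLE = {
    "siemens-s7-300": (3, 2, 11),
    "schneider-m340": (2, 40),
}


def parse_version(text: str) -> tuple:
    """'3.2.6' -> (3, 2, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Finding:
    ip: str
    port: int
    protocol: str
    product: Optional[str]
    version: Optional[tuple]
    status: str  # "green" = exposed ICS service, "red" = exposed and known-vulnerable


def classify(record: dict) -> Optional[Finding]:
    """Return a Finding for an ICS service, or None for a non-ICS port."""
    protocol = ICS_PORTS.get(record["port"])
    if protocol is None:
        return None
    product = version = None
    for pattern, key in SIGNATURES:
        match = pattern.search(record.get("banner", ""))
        if match:
            product, version = key, parse_version(match.group(1))
            break
    status = "green"
    if product in KNOWN_VULNERABLE and version is not None \
            and version <= KNOWN_VULNERABLE[product]:
        status = "red"
    return Finding(record["ip"], record["port"], protocol, product, version, status)


def survey(records: list) -> tuple:
    """Classify every record; return (findings, {"green": n, "red": n})."""
    findings = [f for f in (classify(r) for r in records) if f is not None]
    counts = {"green": 0, "red": 0}
    for finding in findings:
        counts[finding.status] += 1
    return findings, counts


# Constructed sample records in the shape of Shodan search results
# (documentation addresses, invented banners).
SAMPLE_RECORDS = [
    {"ip": "198.51.100.10", "port": 102,
     "banner": "SIMATIC S7-300 CPU 315-2 PN/DP, Firmware: V3.2.6"},
    {"ip": "198.51.100.11", "port": 502,
     "banner": "Modicon M340 BMX P34 2020 v2.30"},
    {"ip": "198.51.100.12", "port": 44818,
     "banner": "Allen-Bradley 1756-L61/B ControlLogix v20.11"},
    {"ip": "198.51.100.13", "port": 502, "banner": ""},
    {"ip": "198.51.100.14", "port": 80, "banner": "HTTP/1.1 200 OK\r\nServer: Apache"},
]

if __name__ == "__main__":
    found, totals = survey(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.status:5} {f.ip}:{f.port} {f.protocol} {f.product or '-'} {f.version or ''}")
    print(totals)
```

Versions are compared as integer tuples, so a device reporting V3.2.12 is correctly treated as newer than the affected V3.2.11; a plain string comparison would rank it older and mark a patched device red. A service on an ICS port with no recognisable banner stays green: it is exposed, but nothing on the page supports calling it vulnerable.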
Ready Made Exploit Kits

Exploit packs for sale.

Increase in the number of publicly reported SCADA vulnerabilities: from 15 in 2010 to >129 in 2013!

Some parts of the story are funny…


How to handle this issue?


Strategy - Industrial Security

The strategy covers four areas: Physical Security, IT Security, People and Organisational Security.

(RSA Europe 2013)

The accepted approach (VDI/VDE 2182)

  1. Identify assets
  2. Analyse threats
  3. Determine relevant security objectives
  4. Analyse and assess risk
  5. Identify measures and assess effectiveness
  6. Select countermeasures
  7. Implement countermeasures
  8. Perform process audit

A cyclic and triggered process.

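The cycle carried through in code, as an added example that is not part of the slides or of the VDI/VDE 2182 guideline: a constructed plant with three assets, four threats and five candidate measures. The 5x5 likelihood x impact scoring, the acceptance threshold `accept_below` and the greedy measure selection are choices made for this example, not something the guideline prescribes. The `__main__` section shows what "cyclic and triggered" means in practice: the audit of the first cycle leaves the unpatched workstation as an open finding, and the next cycle, triggered by a maintenance window that permits downtime, picks up the patch.

```python
"""The VDI/VDE 2182 cycle carried through over a constructed plant.

Added example, not part of the slides or of the guideline. Plant, threats,
scores and measures are constructed; the 5x5 likelihood x impact scoring and
the greedy selection are this example's choice, not the guideline's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:                 # step 1 (and step 3: objectives in priority order)
    name: str
    objectives: tuple


@dataclass(frozen=True)
class Threat:                # step 2
    name: str
    asset: str
    objective: str           # the objective of the asset that it violates
    likelihood: int          # 1 (rare) .. 5 (expected)
    impact: int              # 1 (negligible) .. 5 (plant-wide outage / safety)


@dataclass(frozen=True)
class Measure:               # step 5
    name: str
    mitigates: frozenset     # threat names it applies to
    reduction: int           # likelihood points it removes from each of them
    cost: int                # relative effort
    needs_downtime: bool     # requires a production stop to implement


@dataclass
class Plan:
    initial: dict            # threat -> risk score before measures (step 4)
    selected: list           # measure names in selection order (step 6)
    residual: dict           # threat -> risk score after measures
    open_findings: list      # threats still above the threshold (step 8)


ASSETS = [
    Asset("PLC line 1", ("availability", "integrity", "confidentiality")),
    Asset("Engineering workstation (Windows XP)", ("availability", "integrity", "confidentiality")),
    Asset("Historian", ("integrity", "availability", "confidentiality")),
]
USB = "Malware via USB on engineering workstation"
UNPATCHED = "Exploit of unpatched OS on engineering workstation"
MODBUS = "Unauthenticated Modbus write to PLC"
HISTORIAN = "Office user reads historian data"
THREATS = [
    Threat(USB, "Engineering workstation (Windows XP)", "integrity", 4, 5),
    Threat(UNPATCHED, "Engineering workstation (Windows XP)", "integrity", 4, 4),
    Threat(MODBUS, "PLC line 1", "integrity", 3, 5),
    Threat(HISTORIAN, "Historian", "confidentiality", 3, 2),
]
MEASURES = [
    Measure("Block removable media on hosts", frozenset({USB}), 3, 1, False),
    Measure("Patch Windows XP", frozenset({UNPATCHED}), 3, 2, True),
    Measure("Application allowlisting on engineering workstation", frozenset({USB, UNPATCHED}), 2, 2, False),
    Measure("Firewall: only the HMI may reach PLC port 502", frozenset({MODBUS}), 2, 1, False),
    Measure("Segment office and production networks", frozenset({MODBUS, HISTORIAN}), 2, 3, False),
]


def validate(assets, threats):
    """Steps 1-3 consistency: each threat names a known asset and one of its objectives."""
    known = {a.name: a for a in assets}
    problems = []
    for t in threats:
        asset = known.get(t.asset)
        if asset is None:
            problems.append(f"{t.name}: unknown asset {t.asset}")
        elif t.objective not in asset.objectives:
            problems.append(f"{t.name}: objective {t.objective} not defined for {t.asset}")
    return problems


def risk(threat, reduction=0):
    """Step 4: residual likelihood x impact; likelihood never drops below 1."""
    return max(1, threat.likelihood - reduction) * threat.impact


def run_cycle(assets, threats, measures, accept_below=8, allow_downtime=False):
    """One pass through steps 4-8: assess, select greedily, recompute, audit."""
    problems = validate(assets, threats)
    if problems:
        raise ValueError("; ".join(problems))
    initial = {t.name: risk(t) for t in threats}
    selected, applied = [], {t.name: 0 for t in threats}
    for threat in sorted(threats, key=risk, reverse=True):
        while risk(threat, applied[threat.name]) >= accept_below:
            candidates = [m for m in measures if threat.name in m.mitigates
                          and m.name not in selected
                          and (allow_downtime or not m.needs_downtime)]
            if not candidates:
                break                       # policy leaves nothing: stays an open finding
            best = max(candidates, key=lambda m: m.reduction / m.cost)
            selected.append(best.name)
            for name in best.mitigates:     # a measure helps every threat it covers
                if name in applied:
                    applied[name] += best.reduction
    residual = {t.name: risk(t, applied[t.name]) for t in threats}
    open_findings = [n for n, score in residual.items() if score >= accept_below]
    return Plan(initial, selected, residual, open_findings)


if __name__ == "__main__":
    first = run_cycle(ASSETS, THREATS, MEASURES)
    print("cycle 1:", first.selected, "open:", first.open_findings)
    # Trigger for the next cycle: a maintenance window now permits downtime.
    second = run_cycle(ASSETS, THREATS, MEASURES, allow_downtime=True)
    print("cycle 2:", second.selected, "open:", second.open_findings)
```

In the first cycle the patch is excluded because it needs a reboot, allowlisting only brings the unpatched workstation down to a score of 8, and the audit reports it as still open; that is the situation of the "no option to deploy patches" use case later in the deck, and the open finding is exactly what the next cycle has to be triggered by.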
How to implement countermeasures?


Symantec Critical System Protection (CSP)

Intrusion Detection System (IDS): Auditing & Alerting

  • Monitor logs & security events
  • Consolidate & forward logs for archives and reporting
  • Smart event response for quick action

Intrusion Prevention System (IPS): Network Protection

  • Limit network connectivity by application
  • Restrict traffic flow inbound and outbound
  • Close back doors (block ports)

Intrusion Prevention System (IPS): System Controls

  • Lock down configuration & settings
  • Enforce security policy
  • De-escalate user privileges
  • Prevent removable media use

Intrusion Prevention System (IPS): Exploit Prevention

  • Restrict application & O/S behaviours
  • Protect systems from buffer overflow
  • Intrusion prevention for zero-day attacks
  • Application control

Least Privilege Application Control (LPAC) of processes, also known as sandboxing

Industry examples:

  • Windows UAC
  • Google Chrome
  • Adobe Reader X
  • Android OS
  • Apple
  • SELinux & others

  • Based on fundamental security principles
  • Highly effective against malware (known & unknown)
  • Containment model limits the potential for exploitation
  • Proactive, policy-based security complements AV solutions
  • Applicable to all environments and applications
  • Dramatically improves security posture & reduces IA costs

USE CASE: Targeted Attacks

Issue

• Traditional AV-type technologies have limited options to prevent malicious-insider or targeted-attack scenarios.

• Most of the features that would help require Internet connectivity and are therefore disabled on isolated systems.

Solution

• CSP does not require Internet connectivity.

• CSP can address the most complex set of risks, including targeted attacks and APTs.

• CSP can also secure the system against malicious administrators or root users.

USE CASE: End-of-life operating system security

Issue

• Windows XP is the de-facto operating system in the ICS world; Windows XP reaches end of life in 2014.

• Windows NT and 2000 are still common on production lines today.

• No AV is available for them, and/or it cannot handle today's risk scenarios.

Solution

• CSP fully supports these EOL systems.

• CSP can protect the system against targeted attacks and malicious insiders.

USE CASE: No option to deploy patches even though they are available

Issue

• The cost of production downtime is considered too high, or patches cannot be installed because they may break the ICS application.

Solution

• CSP sandboxing technology with behaviour controls can secure the system even though it has unpatched vulnerabilities.

• CSP also secures the applications on top of the operating system.

USE CASE: Disabled features of AV

Issue

• ICS networks are kept isolated as far as possible, which is a challenge for newer AV technologies that rely on online connectivity, e.g. the use of reputation data.

• These newer features are crucial from a security point of view, but are usually disabled on ICS systems.

Solution

• CSP needs neither Internet access nor definitions.

• CSP operates with static, low-maintenance policies on production lines to secure the system.

USE CASE: Performance overhead

Issue

• Most ICS systems are sensitive to delays caused by additional software.

• Applications that introduce performance overhead frequently cause failures in ICS logic and hardware.

Solution

• CSP does not use file-scanning technologies; it filters system calls at kernel level.

• Because of this, CSP has an extremely low performance overhead.

USE CASE: All users share an admin account with no password

Issue

• Traditional security rules do not apply: all users are administrators and the password is blank, for various ICS-related reasons.

Solution

• CSP can still secure and lock down the system even though everyone is an administrator or root.

• CSP can limit the usage of applications and make sure that applications cannot be used for malicious purposes.

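How a host lockdown policy of this kind decides, as an added example that is not Symantec CSP code or any other product's: a policy keyed on the process image, with default deny for anything unlisted, evaluated over constructed events from an HMI host. It illustrates both the sandboxing slide above and the shared-administrator use case: the `user` field of each event is read and deliberately ignored, so a blank-password administrator gets no more than the process they are running is allowed. Paths, networks and events are constructed; a real product enforces this in a kernel driver, and the script only models the decision logic.

```python
"""A least-privilege application-control policy evaluated against constructed
host events: which process may write where, connect where and spawn what,
decided without reference to the user account.

Added example, not code from Symantec CSP or any product. The policy, the
paths and the events are constructed; real enforcement happens in a kernel
driver, this only models the decision logic.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProcessRule:
    image: str                                       # glob on the executable path
    file_write: list = field(default_factory=list)   # writable path globs
    connect: list = field(default_factory=list)      # (network CIDR, port) pairs
    spawn: list = field(default_factory=list)        # child image globs


# Locations no confined process may write, whoever is logged on.
PROTECTED_PATHS = [r"C:\Windows\System32\*", r"C:\HMI\bin\*"]

# Constructed lockdown policy for an HMI host: one rule per known image,
# everything not listed is denied.
POLICY = [
    ProcessRule(image=r"C:\HMI\bin\hmi.exe",
                file_write=[r"C:\HMI\data\*"],
                connect=[("10.0.0.0/24", 502)],     # Modbus to the PLC subnet only
                spawn=[]),                           # the HMI never launches children
    ProcessRule(image=r"C:\Windows\explorer.exe",
                file_write=[r"C:\Users\*\Documents\*"],
                spawn=[r"C:\Program Files\*"]),
]


def _match_any(value, globs):
    return any(fnmatch.fnmatchcase(value, g) for g in globs)


def evaluate(event, policy=POLICY):
    """Return ("allow"|"deny", reason). event["user"] is deliberately ignored."""
    op, target, image = event["op"], event["target"], event["process"]
    if op == "removable_write":
        return "deny", "removable media is blocked for every process"
    rule = next((r for r in policy if fnmatch.fnmatchcase(image, r.image)), None)
    if rule is None:
        return "deny", f"no policy for {image}: default deny"
    if op == "file_write":
        if _match_any(target, PROTECTED_PATHS):
            return "deny", "protected location"
        if _match_any(target, rule.file_write):
            return "allow", "path in the process's write list"
        return "deny", "path not in the process's write list"
    if op == "connect":
        host, port = target.rsplit(":", 1)
        ip = ipaddress.ip_address(host)
        for network, allowed_port in rule.connect:
            if ip in ipaddress.ip_network(network) and int(port) == allowed_port:
                return "allow", f"{network} port {allowed_port} permitted"
        return "deny", "destination not permitted for this process"
    if op == "spawn":
        if _match_any(target, rule.spawn):
            return "allow", "child image permitted"
        return "deny", "process may not spawn this child"
    return "deny", f"unknown operation {op}"


# Constructed events; every one runs as an administrator, which the policy ignores.
HMI, EXPLORER = r"C:\HMI\bin\hmi.exe", r"C:\Windows\explorer.exe"
EVENTS = [
    {"process": HMI, "user": "Administrator", "op": "file_write", "target": r"C:\HMI\data\trend.log"},
    {"process": HMI, "user": "Administrator", "op": "spawn", "target": r"C:\Windows\System32\cmd.exe"},
    {"process": HMI, "user": "Administrator", "op": "connect", "target": "10.0.0.5:502"},
    {"process": HMI, "user": "Administrator", "op": "connect", "target": "203.0.113.7:443"},
    {"process": EXPLORER, "user": "Administrator", "op": "file_write", "target": r"C:\Windows\System32\drivers\evil.sys"},
    {"process": r"C:\Users\Administrator\Downloads\update.exe", "user": "Administrator", "op": "file_write", "target": r"C:\HMI\data\x.csv"},
    {"process": EXPLORER, "user": "Administrator", "op": "removable_write", "target": r"E:\tools.zip"},
    {"process": EXPLORER, "user": "Administrator", "op": "file_write", "target": r"C:\Users\operator\Documents\shift.txt"},
]


def audit(events, policy=POLICY):
    """Evaluate all events; return a list of (event, decision, reason)."""
    return [(e, *evaluate(e, policy)) for e in events]


if __name__ == "__main__":
    for event, decision, reason in audit(EVENTS):
        print(f"{decision:5} {event['op']:15} {event['target']}  ({reason})")
```

The second event is the one that matters for the unpatched-application use case: even if the HMI process is exploited through a vulnerability nobody can patch, the policy denies it a shell, a write to its own binaries and any connection beyond the PLC subnet, so the exploit has nothing to do. Nothing in the policy needs signatures or a connection to the outside; it is the static, low-maintenance kind of rule set the deck describes.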

Summary

• Industrial Security is complex

• Industrial Security is a process - not a single product

• The compliance approach should be the preferred method

You won't succeed with just technology

People + Technology

Check our Internet Security Threat Report

Show your peers a Targeted Attack

LK_Security

[email protected]