AGCS Expert Days 2013 1
IT Security – The Industry in the Focus of Cyber Attacks
Lars Kroll, Dipl.-Ing. (FH), Cyber Security Strategist
Symantec Deutschland GmbH
Hidden Lynx: Attackers for hire
Well resourced: 50-100 people
Diverse range of targets
Concurrent campaigns
Can penetrate tough targets
Hidden Lynx: Different teams
Team Naid: elite, precise, surgical
Uses: Trojan.Naid
Scope: Special operations (small team)
Targets: Information of national interest
Examples: Bit9 attack, Operation Aurora
Team Moudoor: skilled, prolific, indiscriminate
Uses: Backdoor.Moudoor (custom “Gh0st RAT”)
Scope: Wide-scope attacks (large team)
Targets: Financial sector, all levels of government, healthcare, education and legal
Targeted Attacks by Company Size
[Pie chart: targeted attacks by company size (employees). Recoverable values: 50% of targeted attacks hit organisations with 2,501+ employees and 50% hit organisations with 1 to 2,500 employees; the latter half is split into the bands 1 to 250, 251 to 500, 501 to 1,000, 1,001 to 1,500 and 1,501 to 2,500, with slice labels of 31%, 9%, 5%, 2% and 3%; a further 18% label also appears on the slide.]
Targeted Attacks by Industry
[Bar chart, industries in the order shown: Manufacturing; Finance, Insurance & Real Estate; Services – Non-Traditional; Government; Energy; Services – Professional; Wholesale; Retail; Aerospace; Transportation, Communications.]
Anatomy of a Targeted Attack
• Reconnaissance
• Incursion
• Discovery
• Capture
• Exfiltration
... has a Direct Impact on the Automation System
• Integration of business and technical processes
• Overlapping of classical IT techniques and methods
Two Worlds – Main Differences
Business Network (in order of priority): Confidentiality, Integrity, Availability
Production Network (in order of priority): Availability, Integrity, Confidentiality
Two Worlds – Main Differences
Aspect | Business IT | Industrial IT
Latency | Limited relevance | Highly critical
Patch management | Often, up to daily | Rarely; often needs additional approval from the 3rd-party vendor
Management | Centralized | Often standalone
Lifetime | 3 - 5 years | 5 - 20 years (unsupported OS such as NT and older)
System changes | Often | Rarely
Availability | Reboot is acceptable | 24 x 7 x 365
Virus protection | Standard | Complex, often not possible
Awareness | Good | Poor
Vulnerability checks | Standard | Rarely and complex (availability)
Searching for Vulnerabilities
[Diagram: actuator and control system, each layered as software, operating system and hardware, connected by communication links.]
Searching for Vulnerabilities
• Unauthorised modification
• Malicious software
• Code injection
• Privilege escalation
• Inject commands
• Man-in-the-middle
• Denial of service
Shodan – Search Engine of ‘Things’
Green = ICS system connected to the internet.
Red = ICS system with known vulnerability.
Source: Quantitatively Assessing and Visualising Industrial System Attack Surfaces, E. P. Leverett, http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf
Ready Made Exploit Kits
Exploit packs for sale.
Increase in the number of publicly reported SCADA vulnerabilities from 15 in 2010 to >129 in 2013!
Strategy - Industrial Security
Physical Security
IT Security
People
Organisational Security
RSA Europe 2013
The accepted approach (VDI, VDE 2182)
• Identify assets
• Analyse threats
• Determine relevant security objectives
• Analyse and assess risk
• Identify measures and assess effectiveness
• Select countermeasures
• Implement countermeasures
• Perform process audit
Cyclic and triggered process
Symantec Critical System Protection (CSP)
Auditing & Alerting
• Monitor logs & security events
• Consolidate & forward logs for archives and reporting
• Smart event response for quick action
Network Protection
• Limit network connectivity by application
• Restrict traffic flow inbound and outbound
• Close back doors (blocks ports)
System Controls
• Locks down configuration & settings
• Enforces security policy
• De-escalates user privileges
• Prevents removable media use
Exploit Prevention
• Restrict application & O/S behaviors
• Protect systems from buffer overflow
• Intrusion prevention for day-zero attacks
• Application control
Intrusion Detection System (IDS) | Intrusion Prevention System (IPS)
Least Privilege Application Control (LPAC) … also known as Sandboxing … Processes
Industry Examples
• Windows UAC
• Google Chrome
• Adobe Reader X
• Android OS
• Apple
• SELinux & Others
• Based on Fundamental Security Principles
• Highly effective against malware (known & unknown)
• Containment model limits the potential for exploitation
• Proactive, policy-based security complements AV solutions
• Applicable to all environments and applications
• Dramatically improves security posture & reduces IA costs
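The CSP feature list (network protection by application, system controls, removable-media blocking) and the LPAC slide both describe the same containment model: a per-application allow-list with everything else denied, needing no signatures or Internet access. The following is an added illustration, not Symantec CSP code; the application names, PLC address and drive letters are constructed for a hypothetical ICS workstation.

```python
# Added example (not Symantec CSP code): a default-deny, per-application
# behaviour policy in the spirit of the CSP / LPAC slides, run over constructed
# host events. No signatures: anything outside an application's allow-list alerts.
from fnmatch import fnmatch

# Constructed policy for a hypothetical ICS workstation (assumed names/addresses).
POLICY = {
    "scada_hmi.exe": {
        "net": {("10.10.1.5", 502)},       # the PLC, Modbus/TCP only
        "write": ["C:\\SCADA\\log\\*"],     # the only writable location
        "spawn": [],                        # the HMI never starts child processes
    },
}
REMOVABLE = ("E:\\", "F:\\")   # assumed removable-media drive letters

def check(event):
    """Return None if the event is allowed by POLICY, else an alert string."""
    app, kind = event["app"], event["kind"]
    rules = POLICY.get(app)
    if rules is None:                       # default deny: application unknown
        return f"BLOCK {app}: unknown application ({kind})"
    if kind == "net":
        dst = (event["ip"], event["port"])
        if dst not in rules["net"]:
            return f"BLOCK {app}: connection to {dst[0]}:{dst[1]} not permitted"
    elif kind == "write":
        path = event["path"]
        if path.upper().startswith(REMOVABLE):
            return f"BLOCK {app}: write to removable media {path}"
        if not any(fnmatch(path, pat) for pat in rules["write"]):
            return f"BLOCK {app}: write outside sandbox: {path}"
    elif kind == "spawn" and event["child"] not in rules["spawn"]:
        return f"BLOCK {app}: spawning {event['child']} not permitted"
    return None

def evaluate(events):
    """Run every event through the policy and return the list of alerts."""
    return [a for a in map(check, events) if a]

# Constructed events: normal HMI activity, then behaviour typical of a compromise.
SAMPLE_EVENTS = [
    {"app": "scada_hmi.exe", "kind": "net", "ip": "10.10.1.5", "port": 502},
    {"app": "scada_hmi.exe", "kind": "write", "path": "C:\\SCADA\\log\\run.log"},
    {"app": "scada_hmi.exe", "kind": "spawn", "child": "cmd.exe"},
    {"app": "scada_hmi.exe", "kind": "net", "ip": "203.0.113.9", "port": 443},
    {"app": "scada_hmi.exe", "kind": "write", "path": "E:\\dump.bin"},
    {"app": "updater.exe", "kind": "net", "ip": "10.10.1.5", "port": 502},
]

ALERTS = evaluate(SAMPLE_EVENTS)   # four alerts for the last four events
```

The first two events pass silently; the remaining four are blocked purely because they fall outside the HMI's declared behaviour, which is why an unpatched or EOL host with a blank admin password can still be contained by such a policy.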
USE CASE: Targeted Attacks
Issue
• Traditional AV-type technologies have limited options to prevent malicious-insider or targeted-attack scenarios.
• Most of these features are disabled because they need Internet connectivity.
Solution
• CSP does not require Internet connectivity.
• CSP can address the most complex set of risks, including targeted attacks and APTs.
• CSP can also secure the system against malicious administrators or root users.
USE CASE: End-of-life operating system security
Issue
• Windows XP is the de-facto operating system in the ICS world. Windows XP will be EOL in 2014.
• Windows NT and 2000 are also still popular today in production lines.
• No AV is available and/or it cannot handle today's risk scenarios.
Solution
• CSP fully supports these EOL systems.
• CSP can protect the system against targeted attacks and malicious insiders.
USE CASE: No option to deploy patches even when they are available
Issue
• The cost of production downtime is considered too high, or patches cannot be installed because they may break the ICS application.
Solution
• CSP sandboxing technology with behaviour controls can secure the system even though it has unpatched vulnerabilities.
• CSP also secures the applications on top of the operating system.
USE CASE: Disabled features of AV
Issue
• While most ICS networks try to be isolated, this poses challenges for new AV product technologies that rely on online connectivity, e.g. the use of reputation data.
• These new features are crucial from a security point of view but are usually disabled in ICS systems.
Solution
• CSP does not need Internet access or definitions.
• CSP operates with static, low-maintenance policies in production lines to secure the system.
USE CASE: Performance overhead
Issue
• Most ICS systems are sensitive to delays caused by additional software.
• Applications that introduce performance overhead usually cause failures in ICS logic and hardware.
Solution
• CSP does not use file-scanning technologies; it filters system calls at kernel level.
• Because of this, CSP has extremely low performance overhead.
USE CASE: All users use a shared admin account with no password
Issue
• Traditional security rules do not apply: all users are administrators and the password is set to blank, for various ICS-related reasons.
Solution
• CSP can still secure and lock down the system even though all users are administrators or root.
• CSP can limit the usage of applications and make sure that applications cannot be used for malicious purposes.
Summary
• Industrial Security is complex
• Industrial Security is a process - not a single product
• The Compliance Approach should be the preferred method
Check our Internet Security Threat Report
Show your peers a Targeted Attack
LK_Security