Confidential - Data Driven Solutions
Plant Cyber Security: The Rise of Security Analytics
Purpose of presentation
• In a nutshell, we are going to challenge you to rethink your plant cyber security strategy and make adjustments to protect your plant against future attacks.
• We will give you ideas to secure your plant, and to know, rather than merely feel, that it is secure.
• We will stress to you the value of detecting and acting on intrusions instead of trying only to prevent them.
• And yes, we will challenge you to remove virus protection software and malware protection software from your plant computers.
Us vs. Them
US: ISO 27001, ISO 27002, SOX, PCI, firewalls, ACLs. All employees, vendors, contractors, supplementary staff, past and present workers. IT Manager, Director, CIO.
THEM: espionage, sabotage, hacking, DDoS, fraud, theft. Anonymous persons, foreign-government-sponsored employees and... all employees, vendors, contractors, supplementary staff, past and present workers. Hackers, cyber terrorists.
(The same list of insiders appears on both sides on purpose.)
Presentation Flow
• First we are going to get our bearings with some definitions and discuss the pros and cons of typical plant cyber security practices.
• Next we will discuss why these methods are always behind the curve and in fact provide a false sense of security.
• Don't you think that every time you hear about a breach in the news, the company affected most likely had security measures in place?
• Don't you think that their security measures are probably similar to yours?
• Don't you think they felt they were prepared? Compliant?
What is plant cyber security?
In general, regardless of industry, the basic definition of plant cyber security is:
"To protect critical digital assets and the information they contain from sabotage or malicious use."
We are going to break this down into its basic parts.
Parts of Plant Cyber Security
• Digital assets: computers, network devices, media.
• Sabotage: steal industrial secrets, disrupt a competitor.
• Malicious use: identity theft, fraud, extortion.
What are digital assets?
Digital assets include, but are not limited to:
• Computers: any computer, control room console, laptop, server, hand-held or portable device, personal computer, vendor computer, engineering station, or any other computing device that can access your control system network.
• Network devices: any router, switch, hub, or network analysis device that can access your control system network.
• Storage devices: any disk, floppy, DVD, CD, USB stick, internal or external hard drive, flash drive, optical drive, or other storage medium that can be connected to a device on your control system network.
What is Sabotage?
Sabotage has a few different forms:
• Deliberate action aimed at weakening a corporation through subversion, disruption, or destruction.
• Stealing commercial secrets that have real commercial value.
• Conscious withdrawal of efficiency to cause some change in the workplace.
What is Malicious Use?
• The most common types of malicious use of cyber data are identity theft and fraud. These are primarily associated with personal accounts, retail websites, and back-office systems.
• For a manufacturer, what are the types of malicious use?
  • Making public corporate secrets, recipes, formulas, or manufacturing methodologies.
  • Exposing corporate fraud or wrongdoing; flaws in hiring and firing practices, for example.
  • Negative media exposure.
Typical Methods of Protection
• Separation of business systems and manufacturing systems
• Firewalls to keep intruders out
• Network isolation
• Access Control Lists (ACLs)
• Anti-virus, spyware, and malware software protection
• Compliance to security standards for IT and manufacturing
• Password management
• Encryption
Separation of Business and Manufacturing
• Although there is almost always a link between a business network and a manufacturing network, keeping that link to a minimum and tightly controlled is a necessity.
• The goal is that unauthorized access to the production network does not give an attacker a path to the business systems, and, conversely, unauthorized access to a business system does not give a path to the production system, engineering stations, and so on.
Firewalls
• A firewall is a hardware or software appliance that uses rules to allow or deny network traffic based on address, protocol, port, or application. Example rules:
  • Allow TCP ports 135, 443, etc. (be careful with 135: it is the Windows RPC endpoint mapper and should be allowed only between the specific hosts that need it, never from an untrusted zone)
  • Deny HTTP port 80
  • Deny Facebook, YouTube, etc. (requires an application-aware "next-generation" firewall)
  • Allow *.oracle.com, *.microsoft.com
  • Deny *.somebadsite.com
• On most firewalls the rules are evaluated in order and the first match wins, so rule order matters as much as the individual entries, and the list should always end with an explicit rule that denies everything not allowed above it.
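The rule model from the bullets above, as an added example (not code from the presentation): an ordered rule list with first-match semantics and an explicit default deny. The plant address range (10.20.0.0/16), the rule order and the sample packets are assumptions constructed for the example.

```python
"""First-match firewall rule evaluation with an explicit default-deny rule.

Added example, not code from the presentation. The plant address range,
the rule order and the sample packets are assumptions built from the
slide's bullets so the block runs offline.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional

PLANT_NET = "10.20.0.0/16"   # assumed plant address range


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    dst_name: str = ""  # destination hostname, if the firewall resolved one


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    dport: Optional[int] = None  # None matches every port
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_name: str = "*"          # shell-style glob on the hostname

    def matches(self, p: Packet) -> bool:
        return (
            self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and fnmatch(p.dst_name.lower(), self.dst_name.lower())
        )


# Rule order matters: first match wins, so the specific deny for the bad
# site comes first and the catch-all deny comes last.
OUTBOUND_RULES = [
    Rule("deny", dst_name="*.somebadsite.com"),
    Rule("allow", proto="tcp", dport=443, src=PLANT_NET, dst_name="*.oracle.com"),
    Rule("allow", proto="tcp", dport=443, src=PLANT_NET, dst_name="*.microsoft.com"),
    Rule("deny", proto="tcp", dport=80),
    Rule("deny"),  # explicit default deny: anything not listed above
]


def evaluate(rules, packet: Packet):
    """Return (action, index of the rule that decided); first match wins."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return "deny", -1  # only reached when a rule set has no catch-all


def decide(packet: Packet) -> str:
    return evaluate(OUTBOUND_RULES, packet)[0]


if __name__ == "__main__":
    samples = [
        Packet("10.20.5.7", "23.1.1.1", "tcp", 443, "update.microsoft.com"),
        Packet("10.20.5.7", "23.1.1.1", "tcp", 80, "update.microsoft.com"),
        Packet("10.20.5.7", "198.51.100.9", "tcp", 443, "cdn.somebadsite.com"),
        Packet("203.0.113.4", "10.20.5.7", "tcp", 135),  # inbound RPC from the internet
    ]
    for s in samples:
        print(f"{s.proto}/{s.dport} {s.src} -> {s.dst_name or s.dst}: {decide(s)}")
```

The inbound TCP 135 packet is refused by the catch-all rule, not by anything specific: the safety of the set comes from the final deny, and dropping that last rule leaves the decision to whatever the firewall's implicit policy happens to be.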
Network Isolation
• Limit traffic through router and switch configurations to ensure unwanted traffic cannot reach specific networks.
• Ensure that a wireless connection cannot access certain systems that a wired connection can.
• Disable interfaces that link networks together and are not used on a routine basis.
Access Control Lists
• Using groups, roles, and individual permissions, files and data can be protected.
• Most ACLs are ordered lists of allow/deny entries, each naming a principal (group, role, or account) and the permissions it is granted or refused.
Anti-Virus, Spyware, and Malware Software
• These packages run on individual systems and compare executables and their execution signatures against a database of known threats, viruses, spyware, and malware.
• Many offer real-time protection, in which they constantly analyze signatures and perform what is referred to as heuristic checking to look for known bad behavior (port scanning, e-mail blasts, password cracking, etc.).
Compliance to Security Standards
Password Management
Password management includes:
• Who has access, and to what?
• Password expiration
• Password complexity rules
• Keyword rules
• Clear-text or secure transmission
• Storage
Encryption
Encryption can be applied at numerous levels:
• Secure communication protocols when accessing entities outside your plant (HTTPS vs. HTTP, for example)
• Passwords
• Applications passing secure tokens vs. clear-text passwords
• File systems, directories, files
• Code
Atypical Methods of Cyber Protection
• Enhanced password management:
  • The ability to list all users with access to specific digital assets.
  • Who has the enable password to the router?
  • Which users have been given root-level access?
  • Password complexity
  • Aggressive password aging
• Complete access maps (VPN → Firewall → Network Devices → Servers → Applications)
• Media lockdown (USB, etc.)
Do These Methods Work?
• Ask Google: hacked several times, including roughly 5 million Gmail credentials leaked in 2014.
• Ask Yahoo: 2013, over 1 billion accounts; 2014, over 500 million accounts.
• Ask eBay: 2014, about 145 million accounts.
• Ask Spotify: 2016, Spotify denied a breach, but users confirmed their credentials had been posted online.
• Ask Target: 2013, over 40 million credit cards compromised.
• Ask Schnucks: 2013, over 2.4 million credit cards compromised.
• Ask Iran: Stuxnet, discovered in 2010, attacked their uranium enrichment program.
• Ask Debbie Wasserman Schultz and the DNC!
• According to IBM's 2016 Cyber Security Intelligence report, there was a 66% rise in the number of manufacturing cyber security incidents, with 30% of those directed at the automotive industry.
So, do these methods work? Yes and no.
Excerpts from McAfee Article, June 2014
• ...In the US, for example, the government notified 3,000 companies in 2013 that they had been hacked...
• ...Two banks in the Persian Gulf lost $45 million in a few hours...
• ...A British company reported that it lost $1.3 billion from a single attack...
• ...Brazilian banks say their customers lose millions annually to cyber fraud...
• ...India's CERT reported that 308,371 websites were hacked between 2011 and June 2013...
https://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
Article Continued
Most cyber crime incidents go unreported.
Few companies come forward with information on losses.
When Google was hacked in 2010, another 34 Fortune 500 companies in sectors as diverse as information technology and chemicals also lost intellectual property. Some of the information on the incident only came to light from documents made public by WikiLeaks. Only one other company reported that it had been hacked along with Google, and it supplied no details on the effect.
https://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
Article Continued
Similarly, when a major US bank lost several million dollars in a cyber incident it publicly denied any loss, even when law enforcement and intelligence officials confirmed it in private. Few of the biggest cyber criminals have been caught or, in many cases, even identified.
https://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
Forbes Article, January 2016
• 'Crime wave' is an understatement when you consider the costs that businesses are suffering as a result of cyber crime. 'Epidemic' is more like it. IBM Corp.'s Chairman, CEO and President, Ginni Rometty, recently said that cyber crime may be the greatest threat to every company in the world.
• Three years ago, The Wall Street Journal estimated that the cost of cyber crime in the U.S. was approximately $100 billion. The estimate disputed other reports which pegged the number as much as ten times higher.
• In 2015, the British insurance company Lloyd's estimated that cyber attacks cost businesses as much as $400 billion a year, which includes direct damage plus post-attack disruption to the normal course of business. Some vendor and media forecasts over the past year put the cyber crime figure as high as $500 billion and more.
https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#1a127b6b3a91
Forbes Article, January 2016 (cont.)
• From 2013 to 2015 the cyber crime costs quadrupled, and it looks like there will be another quadrupling from 2015 to 2019. Juniper Research recently predicted that the rapid digitization of consumers' lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019, increasing to almost four times the estimated cost of breaches in 2015.
• The World Economic Forum (WEF) says a significant portion of cyber crime goes undetected, particularly industrial espionage where access to confidential documents and data is difficult to spot. Those crimes would arguably move the needle on the cyber crime numbers much higher.
• Large banks, retailers, and federal agencies make the headlines when they are hacked, but all businesses are at risk. According to Microsoft, 20% of small to mid-sized businesses have been cyber crime targets.
https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#1a127b6b3a91
2013: $100 billion. 2015: $400 billion. 2019: $2.1 trillion (estimated).
This is staggering.
Look at the numbers from the previous slide: a significant portion of cyber crime goes undetected (particularly industrial espionage, where access to confidential documents is difficult to spot), so the real figures are arguably much higher, and 20% of small to mid-sized businesses have already been targets.
Re-ask the Question: Do they work?
• Earlier we said yes and no.
• Yes, they stop some attacks, but no, there is no guarantee with any system to avoid all cyber crime.
• From the numbers it is clear that even though we have firewalls, compliance, anti-virus software, and have adequately analyzed our risks, the attacks still succeed.
• This is partly due to the nature of the prevention software.
Why is it such a staggering rise?
There are several reasons:
• More and more businesses have online presences.
• Within businesses, the desire to connect the business side to manufacturing for scheduling systems, analytics, and cost-of-production data means that more and more devices and systems are interconnected.
• Social interaction and phishing
• Uninformed employees
• Poor management of resources and digital assets
• Blacklisting vs. whitelisting
Interconnection and Data Sharing
(Map: offices in Casablanca, New York, Sydney and Stockholm, all linked to HQ in Tokyo.)
Cross-Platform
The idea of data everywhere and data on any device is great conceptually; however, it is a nightmare for the security analyst.
Multiple platforms (Windows OS, Apple OS, Android OS), multiple code streams.
Social Interaction
We are so interconnected today that just a whiff of news is instantaneously spread around the globe.
Imagine unfounded rumors and brand damage. "I heard there was a massive data breach at Acme, Inc." Whether true or not is irrelevant. If you were going to purchase from Acme, Inc., you are now thinking twice.
Phishing
• A Bing search for "phishing" shows the following definition: Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using bait in an attempt to catch a victim.
• Sometimes it is subtle:
  • "I am doing a survey for a paper; which accounting system do you use? A, B, or C?"
  • "Do you use Siemens or Rockwell to control your...?"
Uninformed Employees
• How many of your employees would pick up a USB drive next to their car and plug it into their work computer?
• Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school's Urbana-Champaign campus last year.
• As it turns out, it really works. In a new study, the researchers estimate that at least 48 percent of people will pick up a random USB stick, plug it into their computers, and open files contained on them. Moreover, practically all of the drives (98 percent) were picked up or moved from their original drop location.
Poor Management of Digital Assets
• When was the last time you had a penetration test done on your plant?
• Do you really feel you have a grasp of which users have access to what? Not just employees, but contractor resources.
• User account passwords are changed regularly, but what about system passwords, router enable passwords, network switch passwords, database passwords, FTP passwords? These are rarely changed on a regular basis.
• Do you change all passwords when someone leaves?
• Do you notify all employees that a user is no longer employed?
• How often do you patch your systems and update virus definitions? Best case is usually every 30 days.
• Do you do compliance testing and quickly follow up on deficient items?
Blacklisting vs. Whitelisting
• Blacklisting is the way most anti-virus, spyware, and malware software works: it scans for "known" offenders. Some products also look for bad behavior, but in the best case they are still looking for already-known signatures, so a sample that has been repacked or has never been seen before passes.
• Whitelisting software gives total control over which software and executables are allowed to run on a system. A hacker can't just execute software, since anything not on the list is halted before it runs. The list has to cover everything that can execute code, including script interpreters and other tools already installed on the host, or an attacker will simply use those.
Blacklisting is OK, but whitelisting is the only way to go for production manufacturing systems.
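The difference in the two bullets above, as an added example that is not code from the presentation or from any anti-virus product: the same four binaries are judged once by a signature blacklist and once by a hash allowlist. The "executables" are byte strings constructed here to stand in for files, the signature list and the allowlist are toy data, and the XOR "packer" is the crudest possible stand-in for what an attacker does to a known sample.

```python
"""Signature blacklist versus hash allowlist on the same set of binaries.

Added example, not the presentation's code. The "executables" are byte
strings constructed here to stand in for files, and the signature list and
allowlist are toy data, so the block runs offline.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def xor_pack(data: bytes, key: int) -> bytes:
    """Trivial 'packer': what an attacker does to a known sample to dodge signatures."""
    return bytes(b ^ key for b in data)


# Constructed sample binaries.
HMI_APP = b"MZ\x90\x00 hmi_runtime v4.2"
HISTORIAN = b"MZ\x90\x00 historian_svc v1.9"
KNOWN_WORM = b"MZ\x90\x00 known_worm payload"
PACKED_WORM = xor_pack(KNOWN_WORM, 0x5A)  # same malware, different bytes
NEW_DROPPER = b"MZ\x90\x00 dropper nobody has analysed yet"

# Blacklist: byte patterns the AV vendor has already extracted from samples.
SIGNATURES = [b"known_worm payload"]

# Allowlist: hashes of everything commissioned on the production host.
ALLOWED_HASHES = {sha256(HMI_APP), sha256(HISTORIAN)}


def blacklist_decision(image: bytes) -> str:
    """Run unless a known-bad signature is found (anti-virus model)."""
    return "block" if any(sig in image for sig in SIGNATURES) else "run"


def allowlist_decision(image: bytes) -> str:
    """Block unless the exact binary was commissioned (whitelist model)."""
    return "run" if sha256(image) in ALLOWED_HASHES else "block"


def compare(images: dict) -> dict:
    """Map each binary name to (blacklist verdict, allowlist verdict)."""
    return {name: (blacklist_decision(img), allowlist_decision(img))
            for name, img in images.items()}


SAMPLES = {
    "hmi_runtime": HMI_APP,
    "known_worm": KNOWN_WORM,
    "packed_worm": PACKED_WORM,
    "new_dropper": NEW_DROPPER,
}

if __name__ == "__main__":
    for name, (bl, wl) in compare(SAMPLES).items():
        print(f"{name:12s} blacklist={bl:5s} allowlist={wl}")
```

The blacklist catches only the sample it already has a pattern for; the packed copy and the never-seen dropper both run. The allowlist blocks both without needing to know anything about them, at the price of having to list every legitimate binary up front.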
Would You Blacklist Access to Your Home?
• In other words, as people entered, you would run a background check looking for criminal activity or other bad activity. You might also implement some heuristic methods and kick someone out who was rummaging through your desk drawer. No, you would not do this.
• You whitelist access to your home. You have absolute authority to control who comes in and who is allowed to stay. There is no unauthorized access.
• In the event of an intrusion, you don't sit by and wait for an anti-virus update (i.e., the police). No, you pick up a bat or other weapon and defend your home.
Anti-Virus, Spyware, and Malware Under Attack
We get these e-mails all the time from notable anti-virus companies:
Symantec has recently become aware of a medium vulnerability in older versions of the server agent. The latest version addresses this vulnerability in new installations and was released February 15th, 2017. Server agents that are not already upgraded will be identified in the SEP SBE cloud management console starting on March 8th. A manual upgrade will be required to ensure you have the latest protection.
You can take immediate action to manually update to the latest version of the server agent for the Symantec Endpoint Protection Small Business Edition. For more information please see: https://support.symantec.com/en_US/article.HOWTO124395.html
If you do not take action, we will be releasing a LiveUpdate for server agents beginning in April. Another notice will be sent closer to the LU date.
More information about this vulnerability can be found here: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170306_00
Note: Existing redistributable packages will be deprecated on March 8th and you will need to generate new ones.
The Symantec Customer Communications Team
Article from Microsoft
• An article from the Microsoft Security Team says that "...industry reports show advanced cyber-attacks can go undetected for approximately 200 days...".
• It is hard to fathom that for 6.5 months a cyber criminal might be lurking within your systems, extracting data, stealing secrets, etc., all while you feel your systems are protected because you have done everything right.
https://info.microsoft.com/rs/157-GQE-382/images/EN-MSFT-SCRTY-CNTNT-Intelligent%20Security%20e-book%20-%20Lockheed%20Martin.pdf
What does 200 days look like?
• Day 0: infected today.
• Day 60: the virus has been running, gathering data, capturing passwords, and transmitting data for 60 days!
• Day 200: according to Microsoft's security experts, this is typically the first time your anti-virus software will detect, notify, and protect against the virus. This is the end of the 200-day window.
Sounds Like You Have No Control
Quite the contrary. You always have control if you just take it.
We will present you with two different options.
• Option 1: Stay the course and be part of the $2.1 trillion in cyber crime statistics that are predicted by 2019.
• Option 2: Take control of your production systems and lock them down totally, start using security analytics to be proactive instead of reactive... and yes, remove your anti-virus, spyware, and malware software after you implement whitelist software and Change Management.
Be Realistic: This situation is not yours
Hollywood's Hacker: Probably Not Your Hacker Either
A Dose of Reality
• Part of any cyber security strategy has to involve a comprehensive risk assessment.
• Although we are all proud of our products and businesses, let's examine the risk.
• If you make twist-ties for bread, you are probably at a much lower level of risk than a financial institution or large retailer, but if you make military-grade chemicals you are at a higher risk.
• HP and IBM both provide network management services to other organizations; they are at a higher risk than your average local IT organization that does the same thing.
...But Everyone is At Risk
At ForensicIT, on our first day in a new office, a user plugged a server into the internet connection to finish configuring it remotely (note: the firewall was delayed, but the user wanted to configure software). Within 12 hours the Administrator password was hacked. We determined it was an automated hack from China. A simple fix is to install the firewall and configure security appropriately, but still... a little scary. There were no goods to obtain; it was just a BOT/script running and trying to plant seeds for later. Luckily we had the skills to fix and remove all traces.
Roadmap to Cyber Security
Start
• Step 1: Assess your risk. Identify all vulnerabilities.
• Step 2: Document all systems, security mechanisms, backup schemes, disaster recovery plans, etc.
• Step 3: Consult security professionals; hire a person or a firm. Take it seriously. Get PEN tested. Keep deadlines.
• Step 4: Change Management and total system access control. Implement whitelist software (in parallel, or as a replacement). Implement mechanisms to gather and use security analytics.
Finish
Roadmap Step 1: Assess Your Risk
• Not every organization is at risk from direct attack.
• Understanding risk is key to how to build your roadmap to cyber security success.
• Most are at risk from indirect attacks: BOTs, script-kiddies, etc.
• Example: CryptoLocker is nasty ransomware that many companies were caught by before their anti-virus had a signature for it, and they were forced to pay to have their files unlocked.
• Have serious discussions with your key stakeholders and try to identify risks. Put yourself in a hacker's shoes. What do they think?
What does a hacker think?
• Compromise individuals; look at contractors' systems.
• Penetration attempts, port scanning, password cracking.
• Social engineering, phishing.
• Embed scripts and other programs to do reconnaissance.
• Look at new flaws in firewalls, systems, and anti-virus/spyware software.
Roadmap Step 2: Evaluate Your Systems
Leave no stone unturned in your systems analysis. Hackers, BOTs, and script kiddies won't.
Areas to evaluate (the slide shows a completion percentage next to each):
• Hardware/software inventory
• Firmware versions
• System patches
• Anti-virus updates
• Passwords identified
• Contractor access
• Backups
• Disaster plans
Secure Your Passwords
• There are many programs to help you create very secure passwords.
• We use KeePass, which allows you to reveal the password or cut/paste it. It gets rid of simple passwords like Password!
Roadmap Step 3: PEN Testing
• One of the best initial steps is to have a qualified organization do proactive white-hat hacking, in which the good guys analyze your systems and try to find holes in your security plan.
• There are three steps to this:
  • 3.1 Test prep. In this step, do your best to find and fix what you can.
  • 3.2 Contract a PEN testing company and execute a detailed SOW.
  • 3.3 Work to fix any vulnerabilities uncovered.
Plan Your Work and Work Your Plan
• November 30: 3.1 PEN testing prep. Set realistic but aggressive goals for this. Just think, a script-kiddie might be on your system "right now" doing this.
• December 15: 3.2 PEN testing. In a few weeks you should be able to understand how at risk you are and what gaping holes exist.
• January 21: 3.3 Remediation. With your consultants, create an aggressive strategy to fix what is broken.
Roadmap Step 4: Whitelist Software and Change Management
• Step 4 is crucial to your success.
• 4.1 Install a whitelist software application.
• Remember our discussion on whitelist software? On a production system that is commissioned, unchanging, just running and making your widgets, your security team can map out:
  • Every executable that runs (EXEs, DLLs, OCXs, COM components)
  • Every network protocol, address, and port in use
  • Every network-aware application and who it talks to (system, address, protocol, port, target application)
  • Every user account
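The mapping described in 4.1 is the baseline that security analytics works from. As an added example, not code from the presentation or from any whitelist product, the block below builds that map per host from a commissioning log (executables run, and which program talked to which address and port) and then reports everything in a later day's log that was never commissioned, rating new executables and flows to addresses outside the plant as high severity. The log format, both logs and the plant address range (10.20.0.0/16) are constructed for the example.

```python
"""Build a commissioned baseline of executables and network flows per host,
then flag anything later observed that is not in it.

Added example, not the presentation's code. The log format (host, kind,
details), every line in the two logs and the plant address range are
constructed for this example.
"""
from ipaddress import ip_address, ip_network

PLANT_NETS = [ip_network("10.20.0.0/16")]  # assumed plant address range

# Constructed commissioning log: what each host did while known-good.
BASELINE_LOG = """\
HMI-01 exec C:\\HMI\\hmi.exe
HMI-01 exec C:\\Windows\\System32\\svchost.exe
HMI-01 flow hmi.exe tcp 10.20.1.5:502
HMI-01 flow hmi.exe tcp 10.20.1.6:502
HIST-01 exec C:\\Historian\\hist.exe
HIST-01 flow hist.exe tcp 10.20.0.10:1433
"""

# Constructed log from a later day, with two events that were never commissioned.
TODAY_LOG = """\
HMI-01 exec C:\\HMI\\hmi.exe
HMI-01 flow hmi.exe tcp 10.20.1.5:502
HMI-01 exec C:\\Users\\Public\\update.exe
HMI-01 flow update.exe tcp 198.51.100.23:443
HIST-01 flow hist.exe tcp 10.20.0.10:1433
"""


def parse(log: str):
    """Yield (host, kind, detail) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        host, kind, detail = line.split(maxsplit=2)
        yield host, kind, detail


def build_baseline(log: str) -> dict:
    """Per host: the set of (kind, detail) pairs seen during commissioning."""
    baseline: dict = {}
    for host, kind, detail in parse(log):
        baseline.setdefault(host, set()).add((kind, detail))
    return baseline


def is_external(flow_detail: str) -> bool:
    """True when a flow's destination address is outside the plant ranges."""
    dst = flow_detail.split()[-1].rsplit(":", 1)[0]
    return not any(ip_address(dst) in net for net in PLANT_NETS)


def deviations(baseline: dict, log: str) -> list:
    """Events not in the baseline, in log order, each tagged with a severity."""
    found, seen = [], set()
    for host, kind, detail in parse(log):
        key = (host, kind, detail)
        if key in seen or (kind, detail) in baseline.get(host, set()):
            continue
        seen.add(key)
        # A new executable, or a flow leaving the plant, is the signal an
        # anti-virus signature would not give you for 200 days.
        high = kind == "exec" or (kind == "flow" and is_external(detail))
        found.append((host, kind, detail, "high" if high else "medium"))
    return found


if __name__ == "__main__":
    for host, kind, detail, sev in deviations(build_baseline(BASELINE_LOG), TODAY_LOG):
        print(f"[{sev}] {host} {kind} {detail}")
```

With whitelist software enforcing the executable part of this map, the `exec` deviation would already have been blocked; the flow deviation is what the analytics side catches, and an unknown program reaching out of the plant on 443 is exactly the beaconing the 200-day slide describes.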
Roadmap Step 4: Whitelist Software and Change Management (cont.)
• With blacklist software like Norton or McAfee, unknown applications are able to run, and your 200-day window to catch most attacks is in effect. Will your anti-virus really catch it?
• Whitelist software inverts this: anything not on the list is halted before it executes, so a hacker/BOT/script-kiddie that lands a new binary on the host gets nothing. Pair it with the rest of the lockdown, which whitelisting does not do by itself: disable every access account that is not needed, so there is not even an Admin account exposed to try and hack, and disable the remote access ports that are not needed.
• For novelty, assume they get past this and try to kick off a script or program: with the whitelist enforced they would have to tamper with the whitelist's protected configuration, which would inevitably involve trying to load more software that is not on the list.
Everything is shut down.
Roadmap Step 4: Whitelist Software and Change Management (cont.)
• 4.2 Implement Change Management software.
• With Change-Management-aware whitelist software, nothing can be done, altered, or adjusted unless an approved CMR (Change Management Request) is completed.
• This is total access control. This is total protection.
• It does not matter when or if your anti-virus software gets updated; in fact, after a parallel installation for several months, we would encourage you to first disable, and eventually delete, your blacklist software. Why tax your production with software that consumes resources but doesn't really do its job?
• This is true cyber "security".
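What "nothing changes without an approved CMR" looks like in code, as an added example that is not the presentation's code and does not describe any vendor's product: an allowlist for one host that only accepts a new binary hash when the CMR is approved by someone on the authorised approver list, who is not the requester, inside the change window, and that records every accepted and rejected request in an audit trail. The CMR fields, the approver names, the self-approval rule, the expiry window and the sample patch binary are all assumptions constructed for the example.

```python
"""Allowlist changes gated by an approved Change Management Request (CMR).

Added example, not the presentation's or any vendor's code. The CMR fields,
the approver list, the "requester may not approve their own CMR" rule and
the expiry window are assumptions for this example.
"""
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class CMR:
    cmr_id: str
    requester: str
    approver: Optional[str]
    approved: bool
    target_host: str
    file_hash: str          # sha256 of the binary being added to the allowlist
    valid_until: date       # change window; applying after this is rejected


class AllowlistStore:
    """Allowlist for one production host; changes require a valid CMR."""

    def __init__(self, host: str, approvers, allowed=(), today: Optional[date] = None):
        self.host = host
        self.approvers = set(approvers)
        self.allowed = set(allowed)
        self.today = today or date.today()
        self.audit = []          # (cmr_id, outcome, reason), in order

    def reject_reason(self, cmr: CMR) -> Optional[str]:
        if cmr.target_host != self.host:
            return "CMR is for a different host"
        if not cmr.approved or not cmr.approver:
            return "CMR not approved"
        if cmr.approver not in self.approvers:
            return "approver is not an authorised approver"
        if cmr.approver == cmr.requester:
            return "requester may not approve their own CMR"
        if self.today > cmr.valid_until:
            return "change window expired"
        if len(cmr.file_hash) != 64 or set(cmr.file_hash) - set("0123456789abcdef"):
            return "malformed sha256"
        return None

    def apply(self, cmr: CMR) -> bool:
        reason = self.reject_reason(cmr)
        if reason:
            self.audit.append((cmr.cmr_id, "rejected", reason))
            return False
        self.allowed.add(cmr.file_hash)
        self.audit.append((cmr.cmr_id, "applied", f"approved by {cmr.approver}"))
        return True

    def may_run(self, image: bytes) -> bool:
        return hashlib.sha256(image).hexdigest() in self.allowed


# Constructed data: a new HMI patch binary and three CMRs that try to allow it.
NEW_PATCH = b"MZ\x90\x00 hmi_runtime v4.3"
PATCH_HASH = hashlib.sha256(NEW_PATCH).hexdigest()
TODAY = date(2017, 3, 20)
WINDOW_END = date(2017, 3, 31)   # inside the change window
EXPIRED = date(2017, 3, 1)       # window already closed


def run_scenario():
    store = AllowlistStore("HMI-01", approvers={"plant.manager", "ot.lead"}, today=TODAY)
    before = store.may_run(NEW_PATCH)
    results = [
        # 1. Engineer pushes the change with no approval at all.
        store.apply(CMR("CMR-101", "engineer", None, False, "HMI-01", PATCH_HASH, WINDOW_END)),
        # 2. Engineer marks it approved themselves (not on the approver list).
        store.apply(CMR("CMR-102", "engineer", "engineer", True, "HMI-01", PATCH_HASH, WINDOW_END)),
        # 3. Approved by an authorised approver inside the window.
        store.apply(CMR("CMR-103", "engineer", "ot.lead", True, "HMI-01", PATCH_HASH, WINDOW_END)),
    ]
    return before, results, store.may_run(NEW_PATCH), store.audit


if __name__ == "__main__":
    before, results, after, audit = run_scenario()
    print("patch runs before CMR:", before, "| after:", after)
    for entry in audit:
        print(*entry)
```

The self-approval and expiry checks are what the "disgruntled insider on the ACL" slide later worries about: one person should not be able to both request and approve a change, and an approval should not stay usable indefinitely.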
Sounds Too Good To Be True
• What are the drawbacks? This sounds too good to be true.
• Remember, we said you are never 100%. Part of your security analytics effort is to be arm in arm with your whitelist software vendor. Their software will be under constant attack. Even so, the layers of access (ports, accounts, whitelisted applications, etc.) make it very difficult to compromise.
• Internal disgruntled employees can sabotage your system if they are on the ACL and can get your qualified managers to approve CMRs.
• Education is key here. Blind CMR approvals are a no-no, and having backups and disaster recovery plans in place is crucial against this internal attack.
Still Sounds Too Good To Be True
• One other drawback is the speed of access. It takes time to approve CMRs; it takes time to deal with the whitelist software.
• "If I have an emergency and have to deal with overriding CMRs, it will hurt my production!"
• We will concede that this may be true, but with the use of mobile devices and easy CMR approvals this is an acceptable delay; we are talking minutes, not hours.
How do I start?
Hire an Expert Person/Firm
A security expert analyzes risk, researches threats, keeps you compliant, monitors systems, and is not distracted by management duties.
• A security expert is a person who specializes in the field of cyber security.
• How many of you have your system engineer or similar try doing their normal job... and... doing tasks for cyber security?
• They are up to date on breaches, constantly analyzing your systems, and building a database of your business' security analytics (users, systems, ACLs, protocols, ports, software, outside connections, etc.).
Proactive Response
(Map of sites: Russia, China, Australia, Egypt, France, USA, Brazil.)
A breach hits the news and it affects Wonderware software. Your security professional can immediately put monitoring into place to assess risk in the offices or plants that have the affected software.
Invest In a Security Expert or Firm
One focused security expert is easily worth their weight in gold.
What are the ballpark costs?
Expect Cyber Security Costs to Rise with Factory Size
  Plant size     Estimated cost
  50 people      $60k
  150 people     $162k
  300 people     $324k
  500 people     $540k
Estimate $60k for a 50-person factory; for larger plants, roughly 90% of that ($54k) for every 50 persons. This is of course dependent on the number of systems, types of platforms, etc.
Summary
• There is always risk.
• Balancing risk with production needs can be difficult to map out; however, your efforts will not be wasted. It is not difficult, just detailed.
• Hackers are ahead of blacklist software vendors, and you just cannot afford to be unprotected.
• The statistics and research are undeniable. Just ask Google... Yahoo...
• Implementing Change Management and a whitelist software methodology can provide a cyber security model that does not wait to react; it is a proactive protection methodology that will keep your production secure.