
Page 1: Supply Chain Risk Management - fbcinc.com · firmware components without verification that the component has been digitally signed. • Employs automated mechanisms no less than weekly

FEI Systems, Inc., ©2018

Supply Chain Risk Management
The call is NOT coming from inside the house!
Prepared by: Jason Taule, Chief Security Officer / Chief Privacy Officer

Version 1.1, June 1, 2018

Page 2

But first, the legal mumbo jumbo…

Disclaimer / Warning

• This presentation is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

• These opinions are not meant to defame, purge, humiliate, or injure anyone should you decide to act upon or reuse any information provided.

• All trademarks, service marks, collective marks, design rights, personality rights, copyrights, registered names, mottos, logos, avatars,  insignias and marks used are the property of their respective owners.

• I the author of the content found herein assure you that any of the opinions expressed are my own and are the result of the way in which a mind uniquely wired as my own singularly interprets things.

• Do not listen to anything said if you are young, elderly, have a history of heart attack, stroke, or blood clot, are feeling dizzy, lightheaded or nauseated.

• Objects in the mirror may be closer than they appear

• Those of you with the home version, please feel free to follow along.

• As Dennis Miller used to say, this is just my opinion, I could be mistaken

• As always, no wagering

• Stay alert as this performance may feature loud noises, pyrotechnics, strobe lights, or indiscriminately thrown air-borne projectiles.


Page 3

Why are we here?

Introduction

• Briefing Purpose:
  • Share experiences so that we may learn from one another
  • Reduce the likelihood that any of us will be in the hot seat
  • Promote awareness of capabilities in support of increased partnership
  • Satisfy a few control requirements while we’re at it.

• Objectives:
  • Review security and privacy implications of recent and anticipated changes
  • Identify the hot button issues to be overcome
  • Share responses of high performing organizations
  • Discuss implementation time permitting.

Page 4

Why should I listen to you?

Qualifications

• FEi:
  • IT-Build-to-Suit
  • Design, Build, Host, & Maintain Systems for Leading HIT players
  • Support 18+ US Federal Agencies
  • Integrated part of National Healthcare Eco System
  • 98% Developers & O&M
  • 10x Servers to People
  • More PHI/PII than typical Fortune 500.

• Security and Privacy:
  • Direct and Indirect Target
  • Subject to every security regulation and mandate in existence
  • Subject to 47 state & territory privacy rules
  • Small team of engineers, analysts, threat hunters, and specialists whose job is to ensure these systems earn their ATO and don’t get compromised.

19 Years of Success

Page 5

Jason B. Taule C|CISO, CDPS, CGEIT, CHSIII, CISM, CRISC, CMC, CPCM, HCISPP, NSA‐IAM

• Reasoned:
  • Industry Luminary and 25+ year career information security and privacy specialist
  • Extensive experience and accomplishments at the nexus of public sector healthcare and cyber
  • Numerous certifications, published, and oft cited by media
  • Graduate of the FBI Citizen’s Academy
  • BBA College of William & Mary; MS Johns Hopkins University.

• Industry Contributor:
  • Health IT Standards Committee Transport & Security Workgroup Member
  • White House Invitee to President’s Precision Medicine Initiative Security Policy Roundtable
  • Member HITRUST Common Security Framework (CSF) Advisory Council
  • Member of the DHHS/CMS Information Security and Privacy Working Group
  • Member CISO Executive Network National Advisory Council
  • Board Member Howard County Economic Development Authority (HCEDA) Technology Council
  • Member of the Loyola Sellinger School ISOM Advisory Board
  • Leader of the HTC HACKIT Cyber Affinity Group and driving force behind the HoCo CISO “CISO-In-Residence℠” program
  • Member of MD Governor's Internet Privacy Committee; contributed to MD Data Security & Privacy Law
  • Member Colorado State Privacy Committee
  • DOJ invitee to annual economic crimes & new technology offenses symposium
  • Member of the Homeland Security Preparation and Response Team
  • Author and lead developer of the Security Maturity Model©
  • (ISC)2 HCISPP Task Force helping create the industry's premiere security/privacy certification
  • Member of ISACA’s National Information Security Metrics Subcommittee
  • Field Editor of the IT Unified Compliance Framework

• Seasoned:
  • Currently serve as Chief Security and Privacy Officer at FEi Systems
  • Former CISO and CPO, Civil and Health Services Group, Computer Sciences Corporation (CSC)
  • Former CISO, CRO, and CPO, Health IT Solutions Division, General Dynamics Information Technology (GDIT)
  • Former Chief Information Security Officer for State Government
  • Former Principal in charge of information security practice of a large international IT consulting firm.

Page 6

Introduction

“Go for a walk; cultivate hunches; write everything down, but keep your folders messy; embrace serendipity; make generative mistakes; take on multiple hobbies; frequent coffeehouses and other liquid networks; follow the links; let others build on your ideas; borrow, recycle; reinvent. Build a tangled bank.” 

Steven Johnson, Where Good Ideas Come From: The Natural History of Innovation 

Page 7

Where do you get your ideas from?

The NSA Wish List

• The Infamous Leak:
  • Documents leaked by Edward Snowden referenced a “wish list” of future spy capabilities they hoped to develop.
  • Among other things, spy agencies like NSA have a keen interest in hacking the firmware of systems.
  • We should presume that the peer agencies of our adversaries have similar desires and capabilities.

• The Equation Group:
  • Advanced NSA tactical group and/or collection of tools.
  • Developed modules (EquationDrug and GrayFish) to re-flash firmware on several dozen hard drive brands and steal data without crashing systems.
  • Created invisible and unencrypted storage space on hard drives.

Page 8

Never let a trusted colleague’s misfortunes go to waste!

First Hand Experience

• Errant Analog Modems
• HVAC Compromise
• Errant Cellular Modems
• Partner Servers / POS Devices

Page 9

For those who’ve been paying attention…

Abstract

• Premise:
  • We’ve achieved full compliance
  • We know compliance and security are not the same
  • The better we are at threat protection the more difficult our job becomes
  • They’re still getting in and data is still getting out.

• Conclusion?
  • Our proximity to full protection fosters a false sense of security
  • We missed something.

• Hypotheses:
  • It’s not a new avenue
  • It’s been there the entire time
  • We just weren’t paying attention.

Page 10

What are we going to talk about today?

Agenda

• What we’ve been doing (i.e., a visit back to the controls):
  • FISMA / NIST / ISO / CoBIT
  • Other Authoritative Sources.

• What we need to be doing:
  • A few insightful stories
  • Some horrifying examples
  • Recommended solutions
  • References and tools.

• Issues and Answers.

Page 11

Supply Chain Controls

The problems of the world cannot possibly be solved by skeptics or cynics whose horizons are limited by the obvious realities. We need men who can dream of things that never were.

John F. Kennedy

Page 12

What fresh hell do you have to brief us about now?

Context

Source: Venafi

Diagram (labels only survive): Wareware, Netware, Software, Wetware, Hardware

Page 13

What does this have to do with anything?

Controls Mapping

• SA-4:
  • The organization includes requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for information system components.

• SA-8:
  • Require the developer of information systems/components to enable integrity verification of software and firmware.

• SA-11:
  • The organization requires the developer of the information system/component to create and produce evidence of security assessment and correct identified flaws.

• SA-12:
  • The organization protects against supply chain threats to the information system, component, or service by employing best practices and methodologies.
  • Wherever possible, selecting components that have been previously reviewed by other government entities (e.g., National Information Assurance Partnership [NIAP]) as part of a comprehensive, defense-in-breadth information security strategy.
  • Protection of organizational information systems is accomplished through threat awareness, by the identification, management, and reduction of vulnerabilities at each phase of the life cycle and the use of complementary, mutually reinforcing strategies to respond to risk.

Page 14

What does this have to do with anything?

Controls Mapping

• AC-6:
  • Explicitly authorize access to the control-specified list of security functions at a minimum (deployed in hardware, software, and firmware).

• AT-3:
  • Provide the training necessary for individuals to carry out their responsibilities related to operations and supply chain security within the context of CMS’s information security and privacy programs.

• CA-8:
  • Penetration testing can be conducted on the hardware, software, or firmware components.

• CM-3, 5, & 8:
  • Prior to implementation, the organization tests, validates, and documents changes to the information system including modifications to hardware, software, or firmware components.
  • The information system prevents the installation of network and server software and firmware components without verification that the component has been digitally signed.
  • Employs automated mechanisms no less than weekly to detect the presence of unauthorized hardware, software, and firmware components.

• MA-2:
  • Organizations consider supply chain issues associated with replacement components for information systems.

• SI-7:
  • Employ integrity verification tools to detect unauthorized changes to software, firmware, and information.
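The CM-5, CM-8 and SI-7 language above, as an added Go example that is not part of the deck: an installation gate that accepts a firmware image only when the vendor's ed25519 signature verifies and the component matches an approved baseline digest, plus the scheduled inventory comparison that reports unauthorized, drifted or missing components. The function names, the `Baseline` map and the `edge-router` / `rogue-camera` entries are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Baseline is the authorized-component inventory (CM-8):
// component name -> hex SHA-256 of the firmware image approved for it.
type Baseline map[string]string

var (
	ErrBadSignature  = errors.New("firmware signature does not verify against the vendor key")
	ErrNotAuthorized = errors.New("component is not in the authorized baseline")
	ErrDigestDrift   = errors.New("image digest differs from the approved baseline entry")
)

// digestHex returns the hex-encoded SHA-256 of a firmware image.
func digestHex(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// AdmitFirmware is the installation gate (CM-5): an image is accepted only if
// the vendor's ed25519 signature over it verifies AND the component is in the
// baseline with a matching digest. The signature is checked first so an
// unsigned or tampered image never reaches the inventory logic.
func AdmitFirmware(vendorKey ed25519.PublicKey, name string, image, sig []byte, base Baseline) error {
	if !ed25519.Verify(vendorKey, image, sig) {
		return ErrBadSignature
	}
	approved, ok := base[name]
	if !ok {
		return ErrNotAuthorized
	}
	if approved != digestHex(image) {
		return ErrDigestDrift
	}
	return nil
}

// Observed is what the periodic collector reports for one deployed component.
type Observed struct {
	Name   string
	Digest string
}

// Finding is one deviation from the baseline found by the scheduled
// (CM-8: no less than weekly) inventory comparison.
type Finding struct {
	Name   string
	Reason string
}

// DetectUnauthorized compares an observed inventory with the baseline and
// reports unknown components, digest drift, and baseline components that
// have disappeared (SI-7 integrity verification applied fleet-wide).
func DetectUnauthorized(base Baseline, observed []Observed) []Finding {
	var findings []Finding
	seen := make(map[string]bool)
	for _, o := range observed {
		seen[o.Name] = true
		approved, ok := base[o.Name]
		switch {
		case !ok:
			findings = append(findings, Finding{o.Name, "unauthorized component present"})
		case approved != o.Digest:
			findings = append(findings, Finding{o.Name, "firmware digest drifted from baseline"})
		}
	}
	var missing []string
	for name := range base {
		if !seen[name] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing) // map order is random; keep the report deterministic
	for _, name := range missing {
		findings = append(findings, Finding{name, "baseline component missing"})
	}
	return findings
}

func main() {
	// Constructed sample: a throwaway vendor signing key and a fake image.
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed-firmware-image-v1.2")
	base := Baseline{"edge-router": digestHex(image)}
	fmt.Println("approved image:", AdmitFirmware(pub, "edge-router", image, ed25519.Sign(priv, image), base))
	// A drifted digest on a known device and an unknown device on the network.
	observed := []Observed{{"edge-router", digestHex(append(image, 'X'))}, {"rogue-camera", "deadbeef"}}
	for _, f := range DetectUnauthorized(base, observed) {
		fmt.Printf("finding: %s: %s\n", f.Name, f.Reason)
	}
}
```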

Page 15

Are you serious?

Other Authoritative Guidance

• NIST IR 7622:
  • FIPS 199/200 & SP 800-53
  • SA Controls specify requirements, request information, and attest
  • Organizational (CIO, Contracts, Legal, Risk, CISO, BO, Finance).

Page 16

Anything else?

SCRM

• NIST SP 800-161; OMB Memo M-16-04:
  • Practices (in no particular order) that cover the full SDLC:
    • 4.1 Uniquely Identify Supply Chain Elements, Processes, and Actors
    • 4.2 Limit Access and Exposure within the Supply Chain
    • 4.3 Establish and Maintain Provenance of Elements, Processes, Tools, and Data
    • 4.4 Share Information within Strict Limits
    • 4.5 Perform SCRM Awareness and Training
    • 4.6 Use Defensive Design for Systems, Elements, and Processes
    • 4.7 Perform Continuous Integrator Review
    • 4.8 Strengthen Delivery Mechanisms
    • 4.9 Assure Sustainment Activities and Processes
    • 4.10 Manage Disposal & Disposition Activities throughout the Life Cycle

• Perform Technical and Procedural audits (4.2.7)
• Employ Red Team approaches.

Page 17

Anyone here support FIPS 199 High Systems?

Controls Mapping – The Big Hammer

• SI-7(14) -- Binary or Machine Executable Code:
  • The organization:
    • Prohibits the use of binary or machine executable code from sources with limited or no warranty and without the provision of source code; and
    • Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official.

• Supplemental Guidance (revised in 3.1):
  • This applies to all sources of binary or machine-executable code including, for example, commercial software/firmware and open source software.
  • Organizations assess software products without accompanying source code from sources with limited or no warranty for potential security impacts.
  • Assessments recognize that these types of products may be difficult to review, repair, or extend, given that organizations, in most cases, do not have access to the original source code, and there may be no owners who could make such repairs on behalf of organizations.

Page 18

So why isn’t this happening?

Challenges

• Customer and Business Pressures:
  • Just In Time Manufacturing and Ordering
  • Virtual Organization with outsourced data centers and cloud providers
  • Intentional or unintentional compromise.

• Limited Deployments:
  • Paper-based
  • Lack of tools and training
  • Misplaced Trust
  • Limited awareness
  • Limited identification as true root cause.

Page 19

It’s called a chain for a reason…

The Case for Cyber in the Chain

• Business Dependency on Others:
  • Cyber security of any one organization within the chain is potentially only as strong as that of the weakest member of the supply chain.
  • APTs work by identifying the organization with the weakest security within the supply chain, and leveraging the vulnerabilities present in their systems to gain access to other members of the supply chain.
  • Although not always the case, it is often the smaller organizations within a supply chain who, due to more limited resources, have the weakest security.

• Risk Exists at all Phases:
  • An organization cannot be sure from where a risk will emerge.
  • Will it come from hardware, software, middleware or firmware?
  • Will it come from our personnel, our partners, or our suppliers?
  • What about the partners and suppliers of our partners and suppliers?
  • And for software, who wrote it? Who had access to it? Who has access to it? Where is it stored? How can tampering in the code be detected?

Page 20

How big is the problem?

Scope ‐‐ Human

• Employee Home Internet:
  • Resiliency
  • Security.

• Vendors:
  • SI (inventory, manage scope, by data and risk).

• Others:
  • Supplemental Staffing
  • Subcontractors
  • Contractors
  • Customers
  • Property Management
  • Building Engineers
  • Custodial Staff
  • Facility Security
  • Building Ownership
  • Other tenants (shared access).

Page 21

How are bad actors taking advantage of the situation?

Types of Compromise

• Hardware – Network or computer hardware that is delivered with malware installed on it already:
  • February 2015: Superfish was pre-installed on Lenovo notebooks
  • Intent was to help customers discover similar products to what they were viewing
  • Intercepted HTTP(S) traffic using a self-signed root certificate stored in the local certificate store – effectively a Man-in-the-Middle attack.

• Software – Malware that is inserted into software or hardware:
  • Vulnerabilities in software applications and networks within the supply chain that are discovered by malicious hackers.
  • Dragonfly cyber group infected ICS equipment providers with a Trojan.
  • This caused companies to install the malware when downloading software updates for computers running ICS equipment.
  • https://www.esecurityplanet.com/network-security/dragonfly-attackers-breach-western-energy-companies.html

Page 22

So how might this affect us?

Third Party Interdependencies

• Open Source Software:
  • Cost pressures driving increased usage
  • Often the only alternative to customer development.

• Third Party Indemnification:
  • Questions abound regarding who is liable for what
  • Vendors still not regularly taking these issues seriously.

• Vulnerability Disclosures:
  • Vendors not disclosing to us
  • Vendors stop support
  • We use and deliver “solutions” to our customers.

Page 23

Interrogation

“Tiny details imperceptible to us decide everything.”

W.G. Sebald

Page 24

So where do you want to take this conversation?

Firmware

• Dictionary Definition:
  • (Noun) Permanent software programmed into read-only memory.

• In Use:
  • In electronic systems and computing, a type of software that provides control, monitoring & data manipulation.
  • Often found embedded in systems such as traffic lights, consumer appliances, digital watches, computers, computer peripherals, mobile phones, and digital cameras.

• In Reality:
  • The part of the system IT folks are afraid to touch for fear of breaking things.
  • The part of a system wily hackers have relied upon for decades to obtain undetected and unauthorized access.
  • The part of a system that many security folks never thought or never knew to examine.

Page 25

Tell me more…

Firmware

• The emerging threat:
  • Usually written with size and speed constraints in mind, almost never security.
  • Often assembled from unverified, third-party components.
  • Billions of devices deployed worldwide, with minimal attention to security.
  • Vendors either completely ignore or vastly underrate risk exposure.
  • Vendors stop updating legacy devices or go out of business.
  • Users are unaware of security updates or how to apply them.

Page 26

Is anyone besides you concerned about this?

Industry Statistics

Page 27

How big is this problem?

IoT Market Growth

• 8.4B existing devices, with 5.5M devices coming online every day.

• All have embedded firmware.

• Who is protecting them?

• Who is protecting you from them?

Page 28

Can you be more specific?

Representative Examples

• Devices found to have firmware issues and/or known to be at risk:
  • IP Cameras
  • Routers
  • Mobile Phones
  • IoT Devices (including Medical Devices)
  • Wi-Fi Dongles
  • USB Keyboards
  • Computer Batteries.

• Scope of Contagion:
  • We have a 2319!!
  • We’re all most assuredly infected.

Page 29

Example #1

Private Key

• Major US Auto Manufacturer:
  • Wi-Fi-enabled OBD-II dongle used by service bay
  • Identified private code signing keys in firmware
  • Able to generate “malicious” firmware and upload to vehicle
  • Similar devices are available from numerous manufacturers for end user market.

Page 30

Example #2

Backdoored Cameras

• Issues Identified with Camera Firmware:
  • Unauthorized access to video feeds
  • Unauthenticated remote backdoors
  • Stack based buffer overflows
  • Hardcoded backdoor credentials
  • Undocumented SSH with hard coded credentials
  • Backdoor access via Guest Wi-Fi
  • Command injection via WLAN/LAN/WAN.

Page 31

Example #3

Unauthenticated Root Shells

• Other Camera Related Issues:
  • The telnet server does require authentication, but unauthorized users can simply log in with the username of root and no password:
    • Provides root access
    • Ability to pivot to other systems
    • Brick the camera
    • Replace feeds.

Page 32

Example #4

Router Backdoor

• Guest Wi-Fi Network:
  • Created by default
  • Not encrypted
  • Initially segregated from local wired or Wi-Fi
  • Requires password to access the internet.

• Internal Wi-Fi Network:
  • Some router services are accessible by users on guest
  • Developer backdoor with flawed authentication
  • Specifically formatted requests allow:
    • Unauthenticated users to retrieve guest PWs
    • Retrieval of all other Wi-Fi PWs
    • Retrieval of admin password to router.

• Once rooted then …

Page 33

Example #5

Vulnerable Command Interface

• Command Injection:
  • IoT devices come with web-based admin consoles
  • Ship with unique admin PW and disabled WAN access
  • Underlying code flaws allow unauthorized attacker complete control:
    • Only requires HTML support (no Java, Flash, etc.)
    • Injected command output is returned to the browser providing a shell to execute arbitrary commands
    • Any malicious website visited can execute any command on the router with root
    • Pivot to entire network
    • Greater privileges than legitimate admin
    • Presence is not reflected in device admin interface.

Page 34

Best and Final Example

Hard Coded Credentials

• IoT Device Maintenance / Remote Support:
  • Not unusual to find custom services
  • Not unusual to find services listening on specified ports
  • Authentication is required to upgrade firmware.

• Issue:
  • Hard-coded credentials allow unauthorized use
  • Develop matching exploits based on reverse engineering.

Page 35

What is wrong with current solutions?

State of Play

• Current controls are not up to the task:
  • AV tools weren’t designed to and therefore do not scan firmware.
  • Source code analysis tools require source code. Vendors typically do not offer or are reluctant to share.
  • Existing tools don’t support embedded architectures.
  • Monitoring solutions are reactionary, designed to report vulnerabilities after an attack.
  • Latest methods ignore existing devices that make up the Internet today and focus on hardening future firmware.

Page 36

So what do you recommend we do about this?

Program Resolution

• Same as all other threats:
  • Assess your risk exposure
  • Make it a program not a project
  • Build on existing supply chain management.

• Same as vendor management:
  • List/Inventory
  • Primary and secondary contacts
  • Selection Criteria
  • Guidelines and controls and trust models
  • Recurring reviews/oversight
  • Distribution of labor
  • Trust but verify
  • Remediation Process
  • Firmware updates.

Page 37

What have you done?

Lessons Learned

• Vendor Selection:
  • Prefer manufacturers who allow independent validation
  • Vet against anti-counterfeiting laws
  • Source only from Trade Agreements Act (TAA) designated countries.

• Product Evaluation:
  • You get what you inspect not what you expect
  • Scan firmware
  • Engage vendors for resolution
  • Rescan
  • Monitor for change.

• Architectural Considerations:
  • Device Placement / Segmentation
  • Port Control
  • Disable unused interfaces
  • Disable consoles or password protect them
  • Remote Maintenance Controls
  • Firmware Update Policy
  • Insist on Code Signing (as a consumer)
  • Advocate for a write-protect switch on the device side.
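An added Go example, not from the presentation, for the “Scan firmware” step of Product Evaluation above: a first-pass triage scanner for the artifact classes behind Example #1 (a private signing key inside the image), Example #3 (a root account with no password) and the Hard Coded Credentials slide (baked-in credential strings). It runs directly over the raw bytes of a dump, so it needs no filesystem extraction; the function names, the regular expressions and the constructed sample image are assumptions, and a real evaluation would tune the patterns per product.

```go
package main

import (
	"fmt"
	"regexp"
)

// SecretFinding is one artifact inside a firmware image that a product
// evaluation should flag before the device is accepted.
type SecretFinding struct {
	Kind   string // "pem-private-key", "root-no-password", "root-password-hash", "credential-string"
	Offset int    // byte offset in the image, for follow-up with a tool such as binwalk
	Note   string // reviewer-facing description; secret values are never echoed
}

var (
	// PEM private-key headers embedded in the image (the artifact class behind
	// the code-signing key found in the OBD-II dongle firmware).
	pemKeyRe = regexp.MustCompile(`-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----`)
	// /etc/passwd or /etc/shadow style root entries; group 1 is the password field.
	rootEntryRe = regexp.MustCompile(`(?m)^root:([^:\n]*):`)
	// key=value credential strings in embedded config files or scripts;
	// group 1 is the key name, group 2 the value (redacted in the report).
	credRe = regexp.MustCompile(`(?i)\b(admin_?pass(?:word)?|passwd|password|api_?key|secret)\s*[=:]\s*["']?([^\s"'&]{1,64})`)
)

// ScanFirmware walks a raw image and reports embedded private keys, root
// accounts with empty or hard-coded passwords, and plaintext credential
// strings. Locked root entries ("*", "!", "!!") and passwd entries that
// defer to the shadow file ("x") are not findings and are skipped.
func ScanFirmware(image []byte) []SecretFinding {
	var out []SecretFinding
	for _, m := range pemKeyRe.FindAllIndex(image, -1) {
		out = append(out, SecretFinding{"pem-private-key", m[0], string(image[m[0]:m[1]])})
	}
	for _, m := range rootEntryRe.FindAllSubmatchIndex(image, -1) {
		field := string(image[m[2]:m[3]])
		switch field {
		case "":
			out = append(out, SecretFinding{"root-no-password", m[0], "root entry with empty password field"})
		case "*", "!", "!!", "x":
			// locked, or password lives in the shadow file: nothing to report here
		default:
			out = append(out, SecretFinding{"root-password-hash", m[0],
				fmt.Sprintf("root entry with hard-coded password hash (%d chars)", len(field))})
		}
	}
	for _, m := range credRe.FindAllSubmatchIndex(image, -1) {
		key := string(image[m[2]:m[3]])
		out = append(out, SecretFinding{"credential-string", m[0],
			fmt.Sprintf("%s=<redacted, %d chars>", key, m[5]-m[4])})
	}
	return out
}

// SampleImage is a constructed stand-in for a firmware dump: a few header
// bytes and zero padding around the kinds of strings the scanner looks for.
func SampleImage() []byte {
	var b []byte
	b = append(b, 0x7f, 'E', 'L', 'F', 0x01, 0x01, 0x01, 0x00)
	b = append(b, make([]byte, 64)...) // zero padding, as in a real image
	b = append(b, "\nroot::0:0:root:/root:/bin/sh\n"...)                    // passwd: root, empty password
	b = append(b, "root:$1$constructed$notarealhash:17000:0:99999:7:::\n"...) // shadow: hard-coded hash
	b = append(b, 0xff, 0xfe, 0x00)
	b = append(b, "admin_password=Constructed123\n"...)
	b = append(b, "-----BEGIN RSA PRIVATE KEY-----\nMIIconstructed\n-----END RSA PRIVATE KEY-----\n"...)
	return b
}

func main() {
	for _, f := range ScanFirmware(SampleImage()) {
		fmt.Printf("%-20s offset=%-5d %s\n", f.Kind, f.Offset, f.Note)
	}
}
```

The offsets are what a reviewer would hand to binwalk (listed under Resources below) to locate the surrounding file in the image.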

Page 38

Resources

“Knowledge is of two kinds. We know a subject ourselves, or we know where we can find information on it.”

Samuel Johnson

Page 39

So what tools are out there to help with this?

Marketscope

Marketscope diagram (labels only survive):
• Categories: Firmware Tools, Partial Solutions, Peripheral Solutions
• Capabilities: Binary Analysis, Source Code Analysis, Trusted Code, Firmware Patching, Image Analysis, Asset Discovery

Page 40

Where can I get more information?

Resources

• NIST IR 7622
  • http://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7622.pdf

• NIST SP 800-193, Platform Firmware Resiliency Guidelines
  • https://csrc.nist.gov/CSRC/media/Publications/sp/800-193/draft/documents/sp800-193-draft.pdf

• Managing Cyber Supply Chain Risks
  • http://www.advisenltd.com/wp-content/uploads/2013_OBPI_SupplyChainCyberRM_Whitepaper.pdf

• New Jersey Cybersecurity & Communications Integration Cell
  • https://www.cyber.nj.gov/threat-analysis/supply-chain-compromise-of-third-parties-poses-increasing-risk

• CERT-UK: Cyber-security Risks In The Supply Chain
  • https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Cyber-security-risks-in-the-supply-chain.pdf

• Binwalk (tool for analyzing, reverse engineering, & extracting firmware images)
  • https://github.com/ReFirmLabs/binwalk

Page 41

Thank you for your time!

Conclusion

• Summary:
  • Firmware is every bit as vulnerable as hardware and software
  • Your controls must extend to all system components
  • Leverage an emerging crop of products and vendors
  • Expand your supply chain program accordingly.

• Who has the first question?

Page 42

Want to continue the conversation?

Contact Information

• Thank you for your time!

Jason B. Taule, C|CISO, CDPS, CGEIT, CHSIII, CISM, CRISC, CMC, CPCM, HCISPP, NSA-IAM
Chief Security Officer / Chief Privacy Officer

9755 Patuxent Wood Drive
p: +1-443.393.2686 | m: +1-410.340.5385 | f: +1-410.715.6538
[email protected] | www.feisystems.com