
Bradford Willke, CISSP Cyber Security Advisor, Mid-Atlantic Region

Homeland Security Perspectives: Security Scenarios and Their Impact 19 September 2012 – InfraGard Special Event Columbus, Ohio. Bradford Willke, CISSP Cyber Security Advisor, Mid-Atlantic Region Office of Cyber Security & Communications National Protection and Programs Directorate





Presentation Transcript


  1. Homeland Security Perspectives: Security Scenarios and Their Impact
     19 September 2012 – InfraGard Special Event, Columbus, Ohio
     Bradford Willke, CISSP, Cyber Security Advisor, Mid-Atlantic Region
     Office of Cyber Security & Communications, National Protection and Programs Directorate
     bradford.willke@dhs.gov

  2. Cyber Security: Trends and Issues

  3. Growth of Cyber Threats
     [Chart: a 1980–2012 timeline plotting attack techniques against the skill needed to use them. The sophistication of available tools is growing (low to high) while the sophistication required of actors is declining; a "convergence" band marks the recent end. Technique labels on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, network management diagnostics, GUI, automated probes/scans, packet spoofing, www attacks, distributed attack tools, denial of service, "stealth"/advanced scanning techniques, cross site scripting / phishing, sophisticated C2, staging, Stuxnet, Duqu, Flame.]

  4. 2011 – The Year of the Hack (1 of 2)

  5. 2011 – The Year of the Hack (2 of 2)

  6. Malware will continue to be a significant problem in 2012
     • Because more security features are being installed into operating systems, hackers are increasingly likely to target hardware
     • Malware authors will reuse past code and improve existing malware
       • Similar to the ZeuS source code leak that led to a proliferation of ZeuS malware in 2011, a similar phenomenon is expected in 2012
     • Hackers will use legitimate, but compromised, websites and target unpatched web plugins to spread malware
     • Experts predict that malware delivered by spam will arrive mainly as zipped malware attachments or as links to malicious websites and drive-by downloads

  7. Attacks on mobile devices will continue to grow significantly
     • While other operating systems will not be entirely overlooked, many researchers expect mobile malware to heavily target the Android platform
     • Many researchers expect malicious actors to focus on financial applications for mobile devices, as they represent the greatest potential for profit
     • The increasing use of employee-owned devices in the workplace has led some security experts to predict several significant organizational data breaches due to a lack of security oversight on personal devices

  8. Hacktivism will continue to expand beyond denial of service attacks
     • Hacktivists will increasingly steal and release data on political targets, especially private personal information
     • It is likely that larger hacktivist groups, like Anonymous, will spin off smaller elements based on more specific goals
     • Among several likely goals for Anonymous-style groups will be greater cooperation and coordination between hacktivists and physical protest demonstrators
     • Some security experts expect an off-shoot group to attempt more hardline attacks, possibly against financial institutions and critical infrastructure
     www.familysecuritymatters.org

  9. Experts predict that country-sponsored advanced persistent threats (APT) will be more numerous
     • With the funding and resources that a country can offer, these attacks are likely to be sophisticated and very difficult to detect and stop
     • Experts predict that these attacks will target critical infrastructure systems
     • Some experts do not predict outright cyber war in 2012. Instead, they predict that countries will continue to develop and carry out Stuxnet-style proof of concept attacks
     Stuxnet, Duqu, Flame… what’s next?

  10. Attacks on cloud-based services are inevitable
     • Because of increasing usage and lower costs, more individuals and organizations are moving data to the cloud
     • Some experts even predict that the cloud will begin to take over traditional infrastructure and become the primary computing environment
     • As a result, the cloud will continue to be an attractive target for cybercriminals, who will continue to attack and may succeed in penetrating cloud security defenses; some experts predict a major breach in 2012
     • As users continue to migrate data to the cloud, cloud providers will begin to provide service management strategies

  11. Social media accounts are major targets for hackers
     • Hijacked social media accounts will become valuable commodities on the online black market
     • A stolen account gives the thief access to personal information and to a group of friends who grant that account a higher level of trust than e-mail from unknown persons
     • A higher level of trust from a known contact will be increasingly leveraged to create sophisticated targeted attacks
     • Traditional attacks on social networks will still continue, such as “like-jacking,” where scammers trick users into posting malicious links to their social networking profiles using attention-catching headlines

  12. Web and Client Side Attacks
     • Web and client side attacks are increasing
     • Organizations tend to focus patching and vulnerability scanning on the operating systems rather than web applications
     • Over half of the total number of attacks occur on Web applications
     • Capabilities of client side attacks are increasing (drag and drop)
     • The three main types of web vulnerabilities
       • SQL Injection: a vulnerability that allows a hacker to alter backend SQL database statements by manipulating user input. Web applications accept user input which is placed into a SQL statement.
       • Cross Site Scripting: allows an attacker to send malicious code to another user. Browsers don’t know which code is trusted, so they execute the script, allowing the attacker to compromise the browser.
       • Buffer Overflows: occur when a program writes data to a buffer, which overwrites adjacent memory. They result in erratic program behavior.
     UNCLASSIFIED // FOR OFFICIAL USE ONLY

  13. Other Cyber Security Trends
     • Existing Threats Expanding into New Problems
       • Malware, worms, and Trojan horses will continue to spread
       • Botnets and zombies will piggyback on legitimate network communications and continue to proliferate
       • Scareware (fake/rogue security software)
       • Attacks on client-side software
     • Changing Technical Environments
       • Attacks on social networking sites
       • Virtual environment cross pollination
       • Risks and vulnerabilities in cloud computing

  14. Attribution Challenges
     [Diagram: attacker → intermediaries → victim, with these intermediaries listed between the two:]
     • Web Proxy Services
     • Onion Routers
     • Botnets
     • Compromised hosts/computers
     • Foreign ISPs
     • Encryption
     Highlights collaboration with Intelligence Community

  15. DHS Cyber Initiatives and Capabilities

  16. CS&C Structure
     CS&C discharges its responsibilities through four components of the Office of Cybersecurity and Communications:
     • National Communications System (NCS), including the National Coordinating Center for Telecommunications (NCC)
     • National Cyber Security Division (NCSD), including US-CERT and ICS-CERT
     • National Cybersecurity and Communications Integration Center (NCCIC)
     • Office of Emergency Communications (OEC)
     Together, these components:
     • Provide a national common operational picture for cybersecurity and communications across Federal, State, local government, intelligence and law enforcement, and private sector communities
     • Support the ability of emergency responders and government officials to continue to communicate during natural or man-made disasters
     • Ensure viable national security and emergency preparedness communications services and infrastructure during crises
     • Collaborate with public and private sector and international entities to secure cyberspace and America’s cyber and communications assets

  17. OEC in Brief
     The mission of the Office of Emergency Communications (OEC) is to unify and lead the nationwide effort to improve emergency communications capabilities across all levels of government.
     • Responsibilities include:
       • Accelerate and attain interoperable and operable emergency communications nationwide through grants programs for funding and interoperability/operability public safety standards development.
       • Support interoperability assistance projects by identifying available spectrum, collecting requirements, procuring equipment, addressing policy issues, and collaborating on agreements among Federal, State, and local agencies.

  18. NCS in Brief
     The mission of the National Communications System (NCS) is to enable national security and emergency preparedness (NS/EP) telecommunications during crisis. NCS works through a consortium of 24 Federal departments that lease or own significant telecommunications assets, facilities, and services.
     • Responsibilities include:
       • Provide and coordinate Federal Government NS/EP communications at all times – natural emergency, attack, recovery, and reconstitution.
       • Lead emergency support communications preparedness and response.
       • Manage the NS/EP communications services.
       • Lead Communications Sector risk assessment and steady-state planning.
       • Operate the National Coordinating Center for Telecommunications (NCC), a joint industry/Government-staffed center that assesses damage, identifies NS/EP requirements, and prioritizes restoration efforts.

  19. Select NCS Initiatives
     • Government Emergency Telecommunications Service (GETS): Provides emergency access and priority processing of telephone calls on the public telephone network during emergencies and network congestion.
     • Telecommunications Service Priority (TSP): Authorizes NS/EP organizations for priority treatment for new or restoration of voice and data circuits lost due to disasters to help with recovery.
     • Wireless Priority Service (WPS): Enables priority transmission for emergency calls from cellular telephones by command and control personnel who manage and respond to NS/EP situations.
     • SHAred RESources (SHARES) High Frequency Radio: Enables NS/EP communications through a single Federal interagency emergency message handling and frequency radio spectrum management system. Participating radio stations accept and relay messages until a receiving station is able to deliver the message to the intended addressee.
     • National Security Telecommunications Advisory Council (NSTAC): Gives industry-based advice to the President of the United States on the reliability and security of the information and communications infrastructure critical to national security and commercial interests.

  20. NCSD in Brief
     The mission of the National Cyber Security Division (NCSD) is to work collaboratively with public, private, and international entities to secure America’s information technology (IT) assets.
     • Responsibilities include:
       • Provide cyber threat and vulnerability analysis, early warning, and incident response assistance for public and private sector constituents.
       • Conduct risk assessments of, and mitigate vulnerabilities and threats to, IT assets and activities affecting operation of Federal civilian government and private sector critical IT infrastructure, in collaboration with the private sector, all levels of government, military, and intelligence stakeholders.

  21. ICS-CERT
     • The Industrial Control System – Computer Emergency Readiness Team (ICS-CERT) provides a control system security focus, in collaboration with US-CERT, to:
       • Respond to and analyze control systems related incidents
       • Conduct vulnerability & malware analysis
       • Provide onsite support for incident response and forensic analysis
       • Provide situational awareness in the form of actionable intelligence
       • Coordinate the responsible disclosure of vulnerabilities/mitigations
       • Share and coordinate vulnerability information & threat analysis through information products and alerts
     • ICS-CERT resources:
       • Control Systems Advisories and Reports
       • Monthly Monitor Newsletters
       • Incident Reporting System
     • Reference: http://www.us-cert.gov/control_systems/ics-cert/

  22. NCCIC in Brief
     The mission of the National Cybersecurity and Communications Center (NCCIC) is to serve as a national center for reporting of and mitigating communications and cybersecurity incidents. Sponsored by NCS and NCSD, NCCIC integrates communications and cybersecurity operations.
     • Responsibilities include:
       • Provide alerts, warnings, and a common operating picture on cyber and communications incidents in real time to virtual and on-site partners.
       • Work 24x7 with partners to mitigate incidents.
       • On-site partners include the Department of Defense, Federal Bureau of Investigation, Secret Service, Information Sharing and Analysis Centers (ISACs), and DHS components such as the Office of Industry and Analysis.
       • Public and private sector partners share and receive information subject to information sharing protocols.

  23. Select NCCIC Initiatives
     • Common Operational Picture: Provides a national common operating picture on cyber and communications incidents to virtual and on-site partners, enabling all information to be known as it becomes known.
     • 24 x 7 Integrated Operations and Assistance: Operates 24 x 7 and works with all levels of government and private sector partners to diagnose, analyze, and mitigate incidents. Integrates communications and IT operations of US-CERT, ICS-CERT, and NCC, resulting in more effective and efficient responses to the convergence of those two sectors to mitigate and thwart malicious activity.
     • Initial Alerts, Warnings, Analysis, and Reports: Shares initial operational and intelligence analysis, guidance and mitigation strategies, fused analysis of reporting, and the latest developments and status of incidents and threats.

  24. CS&C Partnerships
     Partnerships are a force multiplier, facilitating more efficient and effective use of resources for all. CS&C partnerships and collaborative initiatives include but are not limited to:
     • Cross-Sector Cybersecurity Working Group: Brings government and all CI sectors together to address risk across sectors. Shares protective measures, common vulnerabilities, and expertise in a comprehensive forum.
     • Cybersecurity Partners Local Access Plan: Provides security-cleared CI owners and operators, State technology and law enforcement officials access to secret-level cybersecurity information via local fusion centers.
     • Communications ISAC: Facilitates collaboration and information sharing among government and industry on vulnerabilities, threats, and intrusions, and performs analysis with the goal of averting or mitigating impact on the telecommunications infrastructure.
     • Industrial Controls Systems Joint Working Group: Provides a vehicle for communicating and partnering across all CI Sectors between Federal agencies and private sector owners/operators of industrial control systems.

  25. Cyber Partnership Examples
     • AMSC Cyber Sub-Committee (Pittsburgh)
     • MS-ISAC (Multi-State Information Sharing and Analysis Center)
     • Philadelphia FBI Field Office – Computer Intrusion Threat Analysis System (CITAS) Project
     • VALGITE (Virginia Local Government IT Executives)
     • VOICCE (Virginia’s Operational Integration Cyber Center of Excellence)

  26. Area Maritime Security Committee: Cyber Sub-Committee
     • DHS, USCG, CIKR, and Business Partnership
     • Committee Premises:
       • Incident response and continuity of operations still need work
       • Partners need credible planning templates and testable scenarios
       • A SME database for cyber responders is useful and needed
       • Organizations need a “411” system for information on where to voluntarily report cyber incidents, request technical assistance, request non-technical incident handling, and request law enforcement responses
       • Organizations would benefit from a local emergency management, “911-like,” function that mobilizes regional and local cyber responses – and creates a regional common operating picture

  27. CITAS Overview
     • FBI, InfraGard, and DCIS Project (Philadelphia-Area)
     • Project Premises:
       • Create a honeynet/honeypot environment in the corporate DMZ
       • Create “look and feel” but non-referencing system(s) as targets
       • Take “what you know” and use it as a filter
       • Find the intermediary victims and unique signatures of adversaries (not just attacking systems)
     • Project Successes:
       • Notification to those already compromised
       • Active investigations of real adversaries
       • Improved signatures of known attacks

  28. MS-ISAC Overview
     • State, Local, Territorial, and Tribal Partnership
     • Operated by NY-based Center for Internet Security
     • Operational Services:
       • Incident coordination, handling, and response
       • “Albert” services for threat monitoring, detection, and prevention
       • Fee-for-Service model for vulnerability and “PEN” testing
       • Low cost ($.75/student) for annual cyber security awareness & training
       • FREE post-incident vulnerability and mitigation service
       • Broad assistance with state and local incidents, much beyond cyber

  29. Building Cyber Resilience

  30. Characteristics of Resilience
     • Survivability (e.g., the capability of a system to fulfill its purpose in the presence of attacks or failures)
     • Disruption Tolerance (e.g., the ability for functions to continue to operate when the supporting infrastructure is not operating at an optimum level)
     • Being resilient may mean:
       • Remaining accessible whenever possible
       • Degrading gracefully when necessary
       • Ensuring correctness of operation, even if performance is degraded
       • Rapidly and automatically recovering from degradation
       • Ensuring that everyone knows the plan of action and what to do, and can respond beyond their designated roles if necessary
     • Resilience is much more than fault-tolerance, although it does encompass fault tolerance

  31. Resilience Requirements
     • A resilience requirement is a constraint that the organization places on the productive capability of an asset to ensure that it remains viable and sustainable when placed into production to support a service
     • Three levels of resilience requirements:
       • Enterprise (reflects enterprise-level needs, expectations, and constraints)
       • Service (reflects resilience needs of a service in pursuit of its mission)
       • Asset (set by the asset owners to establish the asset’s protection and sustainment needs)
     • Resilience requirements must reflect the organization’s risk tolerances and appetite, and form the basis for asset protection and sustainment strategies
     • Protection and sustainment strategies determine the type and level of controls needed to satisfy resilience requirements (and thus ensure operational resilience)

  32. Cyber Resilience Barriers
     • Organizations may find it challenging to maintain cyber security operations in times of stress
       • Practices are not easily repeatable across the organization
       • Performance requirements are likely to fail
       • Key stakeholders are likely to lack situational awareness
     • Organizations may not be resilient if key personnel…
       • …are absent
       • …fail to understand the cause, scope, and scale of the threat, event, or incident
       • …fail to apply the appropriate tools, knowledge, and skills as to how to best prepare, respond, and recover
     • During times of stress, organizations are likely to:
       • Rely upon a high amount of interpersonal, yet informal, communication
       • Depend on skills, expertise, experience, and abilities of one or few people
     • As employees vary over time, organizations may find it challenging to maintain fidelity and institutional knowledge

  33. Improving Resilience
     • Define, standardize, document, and stabilize processes to manage cyber security through consistent, repeatable practices organization-wide
       • This enables personnel to behave in a manner that leads to uniformity in practices and effectiveness in decision-making over time and during times of stress, regardless of which personnel are charged with performing the activity
     • Process integration across cyber security domains (i.e., activities in one domain align with, inform, feed, and use output from other domains)
       • This enables personnel to leverage integrated standards, processes, and procedures to maintain performance over time and during times of stress
     • Define communication & notification channels to enable a common understanding to facilitate an effective response
       • This enables personnel & key stakeholders to have better situational awareness
     • Examine security evaluation results to determine the best course of action based on risk information specific to the operating environment
       • However, the organization may find that given time, budget, and resource constraints, existing activities and capabilities are performing at a level commensurate with its current needs

  34. Evaluating Cyber Resilience

  35. Example #1: Cyber Resilience Review

  36. Service-orientation Illustration
     [Diagram: the Organization Mission is carried out through Business Processes, which rely on Critical Services (each with its own Service Mission); each Critical Service relies on Assets in Production (people, technology, facilities, information), and each asset must be protected and sustained. Caption: Operational risk can disrupt an asset, and lead to organizational disruption.]

  37. CRR Domains

  38. CRR Domain Goals
     • The 10 CRR domains represent key areas that typically contribute to an organization’s cyber security resilience
     • The domains focus on practices an organization should have in place to ensure the protection & sustainment of its critical service(s)
     • Each domain seeks to discover the current state of cyber security management practices by focusing on:
       • Documentation in place, and periodically reviewed & updated
         • Typically found in strategies, standards, policies, plans, processes, procedures, etc.
       • Communication & notification to all those who need to know
       • Execution/Implementation & analysis in a consistent, repeatable manner
       • Alignment of goals and practices within & across CRR domains
     • Participants will be asked to identify capacities & capabilities in performing, planning, managing, measuring, and defining cyber security practices and behaviors in each domain

  39. Number of Assessments

  40. CRR Architecture
     [Diagram of the CRR structure:]
     • Focused Activity – Process Activities (What to Do):
       • 10 Domains
       • Domain Goals – Required (what to do to achieve the capability)
       • Domain Practice Questions – Expected (how to accomplish the goal)
     • Making it Stick – Process Institutionalization Elements:
       • 4 MIL Levels [per Domain]
       • 13 MIL Questions [per Domain]

  41. Objectives and Controls

  42. Vulnerability Management
     Purpose of Vulnerability Management: To identify, analyze, and manage vulnerabilities in a critical service’s operating environment
     • Goal 1 – Conduct preparation for vulnerability analysis and resolution activities
     • Goal 2 – Establish and maintain a process for identifying and analyzing vulnerabilities
     • Goal 3 – Manage exposure to identified vulnerabilities
     • Goal 4 – Address the root causes of vulnerabilities
     [Diagram: Vulnerability Lifecycle – Identify → Evaluate → Reduce/Mitigate → Document → Monitor. A timeline contrasts information the organization pulls with information pushed to it, with the milestones Vulnerability Discovered, Exploit Published, Workaround, Monitor, Vendor Alert, Vendor Patch, Apply Patch.]

  43. Incident Management
     Purpose of Incident Management: To establish processes to identify and analyze IT events, detect cyber security incidents, and determine an organizational response
     • Goal 1 – Establish a process for identifying, analyzing, responding to, and learning from incidents
     • Goal 2 – Establish a process for detecting, reporting, triaging, and analyzing events
     • Goal 3 – Declare and analyze incidents
     • Goal 4 – Establish a process for responding to and recovering from incidents
     • Goal 5 – Translate post-incident lessons learned into improvement strategies
     [Diagram: Security Event(s) → Evaluation Criteria → Security Incident Declared → Execute Incident Management Plan, with the stages Detected/Notified; Analyze (root cause); Respond (personnel, tools/training, authority); Recover; Monitor (post-mortem review, lessons learned).]

  44. Examples of External Dependencies
     • Identify & assess risks due to external dependencies
       • What would happen if one of your dependencies “went away”?
       • Are there agreements/contracts in place with all dependencies?
       • Do they require facility access, remote access, administrator rights?
     • Managing your dependencies
       • Vendor contact list, perhaps in the DR/BCP?

  45. Maturity Not Just Capability
     • A MIL (Maturity Indicator Level) measures process institutionalization, and describes attributes indicative of mature capabilities.
     • MIL Level 0 – Incomplete: Practices are not being performed, or incompletely performed.
     • MIL Level 1 – Performed: All practices are performed, and there is sufficient and substantial support for the existence of the practices.
     • MIL Level 2 – Planned: All practices are performed (MIL-1); and established, planned, supported by stakeholders, standards and guidelines.
     • MIL Level 3 – Managed: All practices are performed (MIL-1); planned (MIL-2); and governed by the organization, appropriately staffed/funded, assigned to staff who are responsible/accountable & adequately trained, produce expected work products, placed under appropriate configuration control, and managed for risk.
     • MIL Level 4 – Measured: All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); and periodically evaluated for effectiveness, monitored & controlled, evaluated against their practice description & plan, and reviewed with higher-level management.
     • MIL Level 5 – Defined: All practices are performed (MIL-1); planned (MIL-2); managed (MIL-3); measured (MIL-4); and consistent across all internal constituencies who have a vested interest: processes/practices are defined by the organization and tailored by organizational units for their use, and supported by improvement information shared amongst organizational units.
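How the cumulative MIL rule on this slide can be scored from practice responses, as an added example (not code from the presentation or from the CRR tool itself); the domain names come from the slides, while the practice labels and answers are constructed sample data:

```python
"""Score a Cyber Resilience Review (CRR) domain's Maturity Indicator Level (MIL).

Added example, not code from the presentation or from the CRR tool. It encodes
the cumulative rule on the MIL slide: a domain reaches MIL-k only when every
practice at levels 1..k is in place. Domain names come from the slides; the
practice labels and answers below are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

MIL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Planned",
             3: "Managed", 4: "Measured", 5: "Defined"}

# level -> {practice label -> "yes" | "incomplete" | "no"}
LevelAnswers = Dict[int, Dict[str, str]]


def level_satisfied(answers: Dict[str, str]) -> bool:
    """A level counts only when it has practices and every one is answered 'yes'."""
    return bool(answers) and all(a == "yes" for a in answers.values())


def domain_mil(levels: LevelAnswers) -> Tuple[int, Optional[int], List[str]]:
    """Return (mil, blocking_level, practices missing at that level).

    Levels are cumulative, so scoring stops at the first level that is not
    fully satisfied; 'yes' answers above that level do not raise the MIL.
    blocking_level is None when MIL-5 is reached.
    """
    mil = 0
    for level in range(1, 6):
        answers = levels.get(level, {})
        if level_satisfied(answers):
            mil = level
            continue
        missing = sorted(p for p, a in answers.items() if a != "yes")
        return mil, level, missing
    return mil, None, []


def is_incomplete(levels: LevelAnswers) -> bool:
    """MIL-0 covers practices not performed as well as only partially performed."""
    return not level_satisfied(levels.get(1, {}))


def organization_summary(domains: Dict[str, LevelAnswers]) -> Dict[str, object]:
    """Per-domain MILs plus the lowest one, which bounds the organization's maturity."""
    per_domain = {name: domain_mil(lv)[0] for name, lv in domains.items()}
    lowest = min(per_domain.values()) if per_domain else 0
    return {"per_domain": per_domain, "lowest_mil": lowest,
            "lowest_name": MIL_NAMES[lowest]}


# Constructed sample responses for three of the ten CRR domains.
SAMPLE: Dict[str, LevelAnswers] = {
    "Vulnerability Management": {
        1: {"identify vulnerabilities": "yes", "analyze vulnerabilities": "yes",
            "manage exposure": "yes", "address root causes": "yes"},
        2: {"process planned": "yes", "stakeholders support it": "yes"},
        # one MIL-3 practice fails, so the MIL-4 'yes' answer does not count
        3: {"governed and funded": "yes", "staff trained": "no",
            "under configuration control": "yes"},
        4: {"effectiveness measured": "yes"},
    },
    "Incident Management": {
        1: {"events detected and triaged": "yes", "incidents declared": "yes"},
        2: {"plan documented": "yes"},
        3: {"governed and staffed": "yes", "managed for risk": "yes"},
        4: {"evaluated for effectiveness": "yes", "reviewed with management": "yes"},
        5: {"defined by organization": "yes", "tailored by units": "yes"},
    },
    "External Dependencies": {
        # a partially performed MIL-1 practice leaves the domain at MIL-0
        1: {"dependencies identified": "yes", "agreements in place": "incomplete"},
    },
}

if __name__ == "__main__":
    for name, levels in SAMPLE.items():
        mil, block, missing = domain_mil(levels)
        print(f"{name}: MIL-{mil} {MIL_NAMES[mil]}",
              f"(blocked at MIL-{block}: {missing})" if block else "")
    print(organization_summary(SAMPLE))
```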

  46. Example #2: Nationwide Cyber Security Review

  47. Methodology: Overview
     The 2011 NCSR utilized a Control Maturity Model (CMM) to measure how effective the State and Local government’s risk management programs are at deploying a given cyber security control based on risk management processes. This system uses key milestones and benchmarks for measuring the effectiveness of control placement based on risk management processes. At the top levels of the State or local governments, this is important since:
     • Controls are certain to be both "in place" and "not in place" depending on entity risk, adoption, security governance, and many other factors;
     • Centralized control and security management processes may not be supported by State or local government security governance models. Consequently, measuring the effectiveness or maturity of "process" may not be possible.

  48. NCSR Maturity Model
