Cyber Security Exercises A Useful Tool for Business Continuity Managers. Gregory B. White, Ph.D. Director, UTSA/CIAS 2 March 2015

Transcription

1 Cyber Security Exercises A Useful Tool for Business Continuity Managers Gregory B. White, Ph.D. Director, UTSA/CIAS 2 March 2015

2 The University of Texas at San Antonio (UTSA) 2014 Ranked #1 Cybersecurity Program by Ponemon Inst. First Texas school designated an NSA / DHS Center of Academic Excellence in Information Assurance Education (re-designated as a CAE IA/CD with a focus area of Digital Forensics in 2014) UTSA has also received the COAE-Research designation Security programs and 3 centers in multiple departments BS in IA and concentrations in IA at the BS, MS, and PhD levels in Information Systems & Cyber Security (COB) Concentrations in Computer Security at the BS, MS, and PhD levels in Computer Science (COS) Research in various security topics at the PhD level in Electrical and Computer Engineering (COE) World-class Education and Research Outreach Programs with a National Impact

3 A sampling of security related courses Introduction to IA Intrusion Detection Digital Forensics Incident Response Secure Network Design Secure E-Commerce IA Policy SCADA Risk Assessment Cryptography Unix and Network Security Principles of Computer and Information Security Developing Secure Systems and Software Advanced topics in Computer Security Computer Security Practices 3

4 A sampling of security research areas Cyber Physical Systems Digital Forensics Data Mining Steganography Authentication Intrusion Detection/ Prevention Encryption Intelligent Agents Wireless Network Security Development of a Honey Community Botnet Detection, Analysis and Elimination Secure Information Sharing Trustworthy Cloud Computing Data Privacy Software Reliability and Security Community Computer Incident Response Malware Analysis 4

5 The Institute for Cyber Security (ICS) ICS performs Cyber security research in four major areas Foundations: Core principles, models and theories for Cyber security and their translation to practice Application-Centric: Theory and practice for new /emerging application areas: Technology-Centric: Theory and practice in new technologies that present new challenges: Attack-Centric: Malware analysis and detection Emphasis: Research, Development, Education

6 Center for Education and Research in Information and Infrastructure Security (CERI 2 S) Research in information assurance and security Cybersecurity workforce education Advanced Laboratory for Infrastructure Assurance and Security (ALIAS) Supports faculty research in broad spectrum of security-centric activities within the College of Business Laboratory for Advanced Information Security Education and Research (LAISER) Highly-secure environment to study cybersecurity phenomena CyberRange: study of advanced information assurance issues Behavioral Lab: research social science issues in cybersecurity Emphasis: Cybersecurity Research, Development, and Education in the Business Environment

7 Center for Infrastructure Assurance and Security (CIAS) The CIAS was founded in the summer of 2001 The operational security center at UTSA Having a significant impact on the nation! Three focus areas Cyber Defense Competition Program Collegiate, High School, Industry Middle School Program in development Lead on the development of a collegiate championship cup Cyber Security Training & Awareness Infrastructure Assurance Programs States, communities and other entities Emphasis: Competitions, State and Local Government Cyber Security, Training, Awareness, & Infrastructure Protection

8 Business Continuity, Disaster Recovery Some definitions so we are all on the same page Business Continuity: At its most simplistic level, business continuity is the ability to maintain operations/services in the face of a disruptive event. Disaster Recovery is a broad concept that can include recovery of people, facilities, and the like the coordinated activity of recovering IT systems following the complete or partial loss of a site due to a natural disaster or a security event. IDC-Best_Practices_in_Business_Continuity Disaster_Recovery.pdf

9 A common question How do I get senior management s attention or buy-in? Unfortunately, there is no single trick or silver bullet that will work for all organizations. FUD factor Regulations (especially with penalties) You have an incident Or maybe your chief competitor has an incident Conduct an exercise

10 Obtaining Interest in IT Continuity Best Practices in Business Continuity and Disaster Recovery An Incident Regulations Regulations Planning ahead? Planning ahead? An Incident

11 Some Basic Best Practices Create your plans (and obtain management buy-in)! Prioritize applications and determine SLAs for each based on the needs of the business. What is the cost of downtime for each application? Ensure you have the appropriate tools. Test your plans! Review your plans for adequacy (annually). (Also today you should examine use of the cloud )

12 Some advice The three most important things to implement for security/bc/dr: Backup! Backup!! Backup!!!

13 Business Continuity Management Another definition Business Continuity Management (BCM) is a management process that identifies risk, threats and vulnerabilities that could impact an entity's continued operations and provides a framework for building organizational resilience and the capability for an effective response. As opposed to Risk Avoidance or Prevention We can t avoid all risks and incidents, what we need to do is our best to manage them

14 5-step BCM Process Step 1: Program Management Obtain Executive support and commitment of resources, Step 2: Risk and Business Impact Analysis Determine and prioritize business activities that are critical Step 3: Identify Response Options Determine response options to meet overall objectives Step 4: Develop Response Plans Based on list of response options, develop best response plan Step 5: Train, Exercise and Maintain Used to ensure that what has been developed is appropriate, understood, and will actually work

15 Testing/Exercises Exercises provide an inexpensive (depending on the level of detail) way to build incident response skills and to identify potential discrepancies in your plans, processes, and training programs. Can be anything from a desk-top exercise to a fully-functional exercise.

16 Some Help NIST SP Computer Security Incident Handling Guide Appendix B Incident Handling Scenarios Includes scenario questions and sample scenarios NIST SP Guide to Malware incident Prevention and Handling Appendix B Malware Incident Handling Scenarios Includes scenario questions and sample scenarios NIST SP Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities Discusses tests, tabletop and functional exercises

17 SP sample questions What indications of the incident might the organization detect? Which indications would cause someone to think that an incident might have occurred? (Sections 3.2.2, 3.2.3) What strategy should the organization take to contain the incident? Why is this strategy preferable to others? (Section 3.3.1) What could happen if the incident were not contained? (Section 3.3.1)

18 SP sample scenario Scenario 5: Compromised Database Server On a Tuesday night, a database administrator performs some offhours maintenance on several production database servers. The administrator notices some unfamiliar and unusual directory names on one of the servers. After reviewing the directory listings and viewing some of the files, the administrator concludes that the server has been attacked and calls the incident response team for assistance. The team s investigation determines that the attacker successfully gained root access to the server 6 weeks ago. The following are additional questions for this scenario: 1. What sources might the team use to determine when the compromise had occurred? 2. How would the handling of this incident change if the team found that the database server had been running a packet sniffer and capturing passwords from the network? 3. How would the handling of this incident change if the team found that the server was running a process that would copy a database containing sensitive customer information each night and it to an external address?

19 SP sample scenario Scenario 5: Application Crashes On a Monday morning, the organization s help desk receives calls from three users who are having problems with their spreadsheet applications crashing repeatedly during use. As the day progresses, additional users call with similar problems. Most of the users are on the same team or related teams. 1. What types of malware could be causing the spreadsheet application crashes? What are the most likely non-malware causes? 2. What steps should be taken to determine if the crashes are caused by malware?

20 Beyond the NIST Pubs The NIST special pubs mentioned provide some useful scenarios that can be used for short training sessions of mostly IT and response personnel. Can also put several together for a more extensive exercise What is also needed, and may help in obtaining Executive-level support is a more extensive exercise that involves more than just IT staff.

21 What is your responsibility to the larger community? At the recent President s Cyber Security Summit an executive order signed to encourage sharing of information within industry and with the government. Government to serve as a broker of information Many in industry skeptical of this approach At the same time, there is a valid argument that can be made for the sharing of information and the benefit of doing so. An example would be the various industry ISACs

22 What about communities from a geographical perspective? Is there a possibility that a community (e.g. city) might be targeted for a cyber attack? (Yes! It has happened) Is it useful for the various entities (public and private sectors) to share information at some level? (again Yes!) Are communities ready for this sort of activity? (for the most part, No!) Is there a plan to help states and communities prepare? (Yes, it is called the Community Cyber Security Maturity Model CCSMM) Like a BCM for an organization, it needs to obtain executive level support. Exercises have proven useful to obtain this support.

23 Incidents Impacting States and Communities 2009 State of Virginia, extortion attempt In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password. You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I ll go ahead and put this baby out on the market and accept the highest bid.

24

25 Incidents Impacting States and Communities Anonymous attack on the City of Orlando (June 2011) The computer hacker group Anonymous credited with crashing the websites of Visa and MasterCard in support of Wikileaks launched what it called "Operation Orlando" on Tuesday, disabling a tourism website and the mayor's own campaign site. In news releases and s to the Orlando Sentinel, the loose-knit group issued a "declaration of war" and promised to bring down a different Orlando-related website every day. One hacker told the Orlando Sentinel the group may target Orlando police officers, state lawmakers and the Florida Democratic Party _1_hackers-attack-website-lake-eola-park

26 Incidents Impacting States and Communities 2012 Data Breach in South Carolina Data breach at the South Carolina Department of Revenue exposed millions of state taxpayers to identity theft. 3.8 million Social Security numbers, 3.3 million bank account numbers and information for nearly 700,000 businesses stolen Occurred after a Department of Revenue employee opened a phishing giving the hacker access to the department's data system During a period of weeks hacker scoured the department's system by remote access then, over a two-day period zipped 74.7 gigabytes of data which was then downloaded. State officials learned of the breach Oct. 10, 2012 from the U.S. Secret Service Cost so far is $25 million, including $12 million going to Experian to cover a year of state-paid credit monitoring.

27 Incidents Impacting States and Communities City of Detroit Addresses Security Breach 9/4/ The City of Detroit Department of Information Technology Services has determined that accounts created to order pre-home sale inspections through the City of Detroit Buildings, Safety Engineering and Environmental Department (BSEED) were the target of a recent low-level computer security breach. The compromised database, containing approximately 5,110 records, included only non-sensitive information such as addresses of properties and estimated home values. No personally identifying information was included in the database, nor was any credit card or other payment information. As a precaution, individuals who had an online account with BSEED will be receiving s about the data breach and what steps the City has taken to secure their information.

28 Community Cyber Security Exercises Lessons learned in communities applicable to organizations First community exercise was Dark Screen in Dozens of exercises have been conducted since then. As discussed in NIST SP , can be anywhere from a tabletop to a functional exercise. Most communities are at the beginning stages of establishing their programs and need top-level buy-in. The exercises have almost exclusively been tabletop events. Have been successful in getting mayors, city managers, chiefs of police or fire departments, heads of EOCs, etc. Note that these are NOT IT personnel! Exercises have been successful at making leaders aware of issues

29 Sample Dark Screen Event Friday, September 13, :01 AM (COSA, Bexar County, Infrastructure tables) The San Antonio Police Department, Bexar County Sheriff s office, and CPS receive an threatening to shut down San Antonio s power system. The anonymous sender claims to have inside knowledge of the CPS SCADA systems. The demands that San Antonio police stop its harassment of fighters for world justice. Question 1: (Infrastructure, COSA, Bexar tables) What actions would this report prompt? Who, if anybody, would your organization contact? How could this be adapted for industry?

30 Would Local LE Forward this to Anyone? Friday, 14 April 2006, 2:40 p.m. (Tyler Police Department) Possible War Driving During a routine stop for speeding, a police officer notices the occupants of a truck that was stopped have laptops and what appears to be oversized antennas mounted on the vehicle and connected to the laptops. When questioned about the equipment, the occupants (two males in their mid 20s) reply that the equipment is just computer stuff. The occupants agree to let the officer search the vehicle, but the officer does not find anything illegal just handheld global positioning systems and maps of the community and surrounding area. They were driving around facilities owned by the local power company. Would the State EOC want to know about this?

31 What about now? Saturday, 15 April 2006, 1:40 p.m. (Dallas Police Department) Possible War Driving During a routine stop for speeding, a police officer notices the occupants of a truck that was stopped have laptops and what appears to be oversized antennas mounted on the vehicle and connected to the laptops. When questioned about the equipment, the occupants (two males in their mid 20s) reply that the equipment is just computer stuff. The occupants agree to let the officer search the vehicle, but the officer does not find anything illegal just handheld global positioning systems and maps of the community and surrounding area. They were driving around facilities owned by the local power company. Would the State EOC want to know about this?

32 Or now? Saturday, 15 April 2006, 1:40 p.m. (Plano Police Department) Possible War Driving During a routine stop for speeding, a police officer notices the occupants of a truck that was stopped have laptops and what appears to be oversized antennas mounted on the vehicle and connected to the laptops. When questioned about the equipment, the occupants (two males in their mid 20s) reply that the equipment is just computer stuff. The occupants agree to let the officer search the vehicle, but the officer does not find anything illegal just handheld global positioning systems and maps of the community and surrounding area. They were driving around facilities owned by the local power company. Would the State EOC want to know about this?

33 El Paso Hudspeth Dallam Hartley Oldham Deaf Smith Sherman HansfordOchiltreeLipscomb Moore Roberts Hemphill Hutchinson Potter Does this now paint a picture that you d be interested in seeing? Gray Parmer Castro Swisher Briscoe Hall Childress Bailey Lamb Hale Carson 5B Wheeler RandallArmstrong Donley Collingsworth Hardeman Floyd Motley Cottle Wilbarger Foard Wichita Clay Cochran Hockley Archer Montague Lamar Lubbock CrosbyDickens King Knox Baylor Cooke Grayson Fannin Red Sub Sub River Delta Bowie 5A 5A Young 1A 1A Titus Yoakum Terry Lynn Garza Kent Stonewall Haskell Jack Wise Denton Collin Hunt Hopkins Throckmorton Cass Camp Rockwall Rains Scurry Wood Upshur Marion Gaines Dawson Jones Shackelford Palo Parker Borden Fisher Tarrant Stephens Pinto Dallas Kaufman Van 1B Zandt Harrison Gregg 4B Hood Johnson Ellis Smith Andrews Martin Howard Mitchell Nolan Taylor CallahanEastland ErathSomervell Henderson Panola Rusk Navarro Hill Glasscock Loving Winkler Ector Coke Coleman Comanche Bosque Cherokee Midland Sterling Runnels Brown Anderson Shelby Hamilton 6A Freestone Nacogdoches Culberson Ward McLennan Limestone San Augustine Crane Mills Tom Upton Reagan Green Concho Coryell 6C Leon Houston Sub Sabine Reeves Irion Falls Angelina Sub McCulloch San 2B Lampasas Saba Bell Trinity Robertson Jasper 4B Madison Newton Pecos Schleicher Menard Burnet Milam Polk Tyler Jeff 4A Crockett Mason Williamson Walker Llano Brazos San Davis 6B Grimes Sutton Jacinto Kimble Burleson 2C Blanco Montgomery Hardin Travis Lee Terrell Gillespie Washington 2B Liberty Orange Bastrop Presidio Kerr Hays Val Edwards Waller Kendall Austin Jefferson Brewster Verde Real Fayette Harris Comal Caldwell Bandera Chambers Colorado 2A Guadalupe Sub Fort Bend Kinney Uvalde Medina Bexar Gonzales Lavaca 2C Galveston Sub 3B Wilson Wharton Brazoria DeWitt 8A Atascosa Karnes Jackson Maverick Zavala Frio Victoria Goliad Matagorda Calhoun Dimmit La Salle Bee Refugio McMullen Live 3A Oak San Aransas Patricio Webb Jim Wells Nueces Duval Sub 4A The State s View Sub 8A Zapata Jim Hogg Kleberg Brooks Kenedy Franklin Morris If you could step back and view what is occurring around the state would you be interested if you suddenly could plot all of these and similar occurrences? Friday, 14 April Saturday, 15 April Monday, 17 April Starr 8A Hidalgo Willacy Cameron

34 Results Leaders came away from these exercises with an understanding that cyber infrastructures are important to the operation of a community. In many instances IT and DRP personnel had been trying to obtain support but had made little to no headway. The need to share information was more clearly understood. Still issues with implementation of info sharing programs. The lessons learned from these state and community exercises are directly applicable to industry as well. Industry ALSO has a role in the communities.

35 The goal is of course to avoid security events, and we should do all we can to protect our systems. But, what do we do about this?

36 And what about these? We ve all seen things like the following:

37 SECURITY CONTEST ANNOUNCEMENT You know Smokey is relying on you And McGruff has a job for you as well We are looking for ideas for a character and a slogan to energize the nation and help every citizen realize that they have a similar responsibility when it comes to cyber security and cyber crime. We will be awarding 2 prizes for this contest. A winner will be chosen for both the best slogan and best idea for a character. Winners can select their prize from the following list: Xbox One - Kindle Fire DHX 8.9 Playstation 4 - Microsoft Surface 2 64GB Nintendo Wii U - Asus Transformer T200 2-in-1 Nvidia Shield tablet (WiFi) - Dell Inspiron series laptop NVIDIA SHIELD Portable - Samsung Galaxy Tab ipad Air - ipad Mini

38 Creating a CULTURE OF SECURITY The same entry can win both prizes if the judges like both the character and its associated slogan. Otherwise, separate winners for each part will be selected. The contest is open to all citizens with a focus on students in grades K-12. Entries should include: Your name Your Grade and School, college/university, or organization/company Contact information for you or if you are under 18 for your parent/legal guardian A statement from your parent or legal guardian giving permission for you to enter the contest (if under 18) Your idea and/or drawing for either (or both) the slogan and/or the character Your choice of prize from the list above, should your entry be chosen as the winning entry A statement attesting to the fact that any slogan, image, or artwork is your own and that you give permission for the CIAS to use it in a national campaign on cyber security/crime. Entries must be received by midnight April 13, 2015 and should be either ed to cias@utsa.edu or mailed to UTSA/CIAS, attn: Culture of Security Contest, One UTSA Circle, San Antonio, TX Winners will be announced at the NCCDC banquet on April 26, 2015

39 Questions? Gregory B. White, Ph.D. Director, UTSA/CIAS