Security Essentials Start Here

Transcription

1 Security Essentials Start Here 5 best practices to secure your organization and prevent business injuring incidents Teodor Cimpoesu, Technical Director, UTI-CERT

2 certsign Clear legal requirements and compliance Disaster recovery and business continuity Trusted Introducer member ISO & 9001 compliance Regular internal pen testing and security audit Structure enhanced to cover variety of customers Oil and gas Utilities providers Banks Telecom Al around cyber security services and solutions Flexibility for special projects customized according to client needs Customizable services Adaptable SLA Training, Knowledge transfer and technical support

3 UTI-CERT SOC Consulting Vulnerability Assessment Security validation (Pen testing) Security consulting Managed Services Monitoring (SIEM) Network Security Communication Security Data Security Endpoint Security CSIRT Alerting Services Incident Handling Vulnerability Handling Forensics Malware Analysis Vulnerability Analysis Special Services Cyber Investigation Threat Intelligence Advanced Monitoring Special Projects Research & Development

4 1. Cybercrime & Risk

5 Cyber risks in global context Word Economic Forum study on global risks (2014) findings position Cyber attacks in high likelihood / high impact. Systemic risk is the risk of breakdowns in an entire system, as opposed to breakdowns in individual parts and components Systemic risks are characterized by: modest tipping points combining indirectly to produce large failures risk-sharing or contagion, as one loss triggers a chain of others hysteresis, or systems being unable to recover equilibrium after a shock Cyber risks in key areas (e.g. financial) and attacks on critical infrastructure pose a systemic risk Source: World Economic Forum, Global Risks 2014 Ninth Edition

6 Cyber risks in global context On the The Global Risks Interconnection Map we can see the links and potential influences of the systemic risks. The Technological Risks are strongly linked with geopolitical and economic risks. Organized crime risk has a direct link to them. Mitigating one area involves taking into consideration other indirect risk propagations as well. Source: World Economic Forum, Global Risks 2014 Ninth Edition

7 Global Cybercrime The Comprehensive study by United Nations Office on Drugs and Crime (2013) gives a perspective from GOV, COM, EDU view. Findings: - Laws are fragmented, lack procedural powers and hinder intl cooperation. - Law enforcement and criminal justice have limitations in their capacity to react and combat - Preventions activities are lacking / require strengthening Source: Comprehensive Study on Cybercrime, UN ODC

8 Global Cybercrime The Comprehensive study by United Nations Office on Drugs and Crime (2013) gives a perspective from GOV, COM, EDU view. Findings: - Laws are fragmented, lack procedural powers and hinder intl cooperation. - Law enforcement and criminal justice have limitations in their capacity to react and combat - Preventions activities are lacking / require strengthening Source: Comprehensive Study on Cybercrime, UN ODC

9 Accelerators: business ecosystem The increasing frequency, variety, and complexity of attacks are the product of an emerging cybercrimeas-a-service provider market. This market allows malicious parties to execute attacks at considerably lower cost, with considerably lower levels of technical savvy. Research-as-a-Service Vulnerabilities, Exploits, IDs Crimware-as-a-Service Development, Malware Services Infrastructure-as-a-Service Botnets, Hosting, Exploitpacks Hacking-as-a-service DoS, Password Cracking, Financials Source: Cybercrime Exposed. Cybercrime-as-a-Service, McAfee

10 Accelerators: Cheap & easy Source: Cybercrime Exposed. Cybercrime-as-a-Service, McAfee

11 Botnet business Global/Local Source: Anubis Networks

12 EU response to cybercrime Policies and directives The Cybersecurity Strategy of the EU (2013) Directive 2013/40/EU on attacks against information systems Directive 2011/92/EU on combating the sexual exploitation of children online and child abuse eprivacy Directive 2009/136/EC Framework Decision on combating fraud and counterfeit /413/JHA Institutions & Initiatives European Cybercrime Centre EUROPOL European Network and Information Security Agency (ENISA) Cybersecurity Strategy Strategic Priorities Achieving cyber resilience Drastically reducing cybercrime Developing cyberdefence policy and capabilities Develop the industrial and technological resources for cybersec Establish a coherent international cyberspace policy for EU Directive 2013/40/EU Deadline for transposition in the Member States Guidelines and best practices EU countries must: have an operational national point of contact, use the existing network of 24/7 contact points, respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided, collect statistical data on cybercrime.

13 2. Defence Fundamentals

14 Step 1: Know - what is a best practice and why SANS Top20 Critical Security Controls 1 Inventory of Authorized and Unauthorized Devices 2 Inventory of Authorized and Unauthorized Software 3 Secure Configurations (HW/SW/Mobile/Stations/Servers) 4 Continuous Vulnerability Assessment and Remediation 5 Malware Defenses 6 Application Software Security 7 Wireless Access Control 8 Data Recovery Capability 9 Security Skills Assessment and Appropriate Training 10 Secure Configurations for Network Devices 11 Limitation and Control of Network Ports, Protocols&Services 12 Controlled Use of Administrative Privileges 13 Boundary Defense 14 Maintenance, Monitoring, and Analysis of Audit Logs 15 Controlled Access Based on the Need to Know 16 Account Monitoring and Control 17 Data Protection 18 Incident Response and Management 19 Secure Network Engineering 20 Penetration Tests and Red Team Exercises How to implement: Update structured information on your inventory & classification. Continue with Threat Modeling, that will give the focus areas. Evaluate written and technical policies. Test them in real life, daily operations. Segregate, separate, define roles and limit access. Understand & adopt Zero Trust Model. Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling. Assign job titles and duties for handling IR Define management personnel who will support the incident handling process by acting in key decision-making roles. Org standards for time to report anomalous events Publish information regarding reporting anomalies and incidents to the incident handling team. Run awareness training. Source: SANS Institute Critical Security Controls

15 Step 1: Know - what is a best practice and why Modern Security Practices Intelligence driven defense Threat vector analysis Data exfiltration analysis Detection dominant design Zero trust model Intrusion kill chain Attack hunting Visibility analysis Data visualization Lateral movement analysis Data ingress/egress mapping Internal segmentation Network security monitoring Continuous monitoring

16 Step 1: Know - what is a best practice and why IDS & IPS with multiple deployment models DPI of IP & Serial SCADA protocols - DNP3, IEC 101/104/61850, ModBus. Each protocol packet is validated up to its function code and the command content. Model-based analytics for M2M sessions Self-learning of application behavioral model Signature Based for detect known vulnerability Task-based validation of H2M sessions Integration with physical security Authentication Proxy for access to end-devices o Encrypted VPN tunnels for inter-site connectivity

17 Step 2: Discover - Assets and configuration audit

18 Step 2: Discover Software Asset Management Microsoft SAM Control costs & risks Tackle complexity Optimize use of SW assets Grow/optimize the infrastructure Risk coverage Non-compliance Security Business down-time Legal & licensing Overspending on licensing Software conflicts

19 Step 3: Assess - the Threat (do Modeling) Methodologies, e.g. IDDIL/ATC : Covers critical security controls (SANS / ISO27001) I. Discovery Identify ASSETS Define the ATTACK SURFACE Decompose the SYSTEM Identify ATTACK VECTORS List THREAT ACTORS II. Implementation Analysis & assessment Triage Control Source: A Threat-Driven Approach to Cyber Security - Methodologies, Practices and Tools to Enable a Functionally Integrated Cyber Security Organization, Lockheed Martin Corp.

20 Step 3: Assess - The actual vulnerabilities (do Scan/Pentest)

21 Step 4: Monitor integrate, correlate, enrich Source: HP Security

22 Step 4: Monitor integrate, correlate, enrich Threat Intelligence The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization. Data collected and warehoused by Security Intelligence solutions includes logs, events, network flows, user identities and activity, asset profiles and locations, vulnerabilities, asset configurations, and external threat data. Security Intelligence provides analytics to answer fundamental questions that cover the before/during/after timeline of risk and threat management. Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management. Threat Intelligence. Compliance Management. Reporting and Scorecards. SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention. Source: IBM

23 Step 4: Monitor integrate, correlate, enrich Threat Intel (TI) Frameworks MAEC CAPEC OVAL CVE MMDEF IODEF YARA Indicators STIX Structured Threat Information expression (MITRE/OASIS) TAXII Trusted Automated exchange of Indicator Information (MITRE/OASIS) CYBOX Cyber Observable expression (MITRE/OASIS) OpenIOC Open Indicators of Compromise (FireEYE/Mandiant) IODEF Incident Object Description Exchange Format (IETF RFC5070). YARA - Yet Another Regex Analyzer binary pattern scanning (OSS) SNORT - real-time analysis of network traffic (CISCO). TAXII PCAP PCAPNG CYBOX STIX NetFlow S-Flow OpenIOC CEF Syslog Enumerations MMDEF - Malware Metadata Exchange Format (IEEE) MAEC - Malware Attribute Enumeration and Characterization (MITRE). CAPEC Common Attack Pattern Enumeration and Classification (MITRE). CVE - Common Vulnerabilities and Exposures (MITRE) CVSS - Common Vulnerability Scoring System (NIST) CPE Common Platform Enumeration (NIST) OVAL - Open Vulnerability and Assessment Language (MITRE) OSVDB - Open Sourced Vulnerability Database (OSF) JSON YAML XML MITRE Not-for-profit org that operates US federally funded research centers.

24 TI Case Study Anubis Network Cyberfeed Helping an energy company and its customers stopping cyber threats Challenge Availability and reliability of networks and infrastructure, which can be compromised by malware designed to impact network and employee productivity. Solution the company is now able to detect devices and machines related to information stealing Trojans using real-time security data feeds via API access, a live dashboard and plugins to its SIEM system (SPLUNK): Detect networks and devices compromised with persistent or new malware families; Understand malware landscape at the company, network, local, country level; Track botnet behavior, growth, dispersion and lifetime; Intercept and monitor communications between malware and C&C server; Ability to define business rules to query communication data details between compromised devices and C&C. Business benefits Amongst other client detected an infected internal machine that only appeared on weekend days. Used Cyberfeed to pinpoint the compromised machine finding it was a person accessing the network through an infected personal device.

25 Step 5: React timely & well-informed. Hunt for it. In reality, companies and organizations struggle with: Threat detection, investigation and incident response is immature Determining the root cause of incidents and then containing and remediating them is the tough nut Making use of security intelligence Evaluating assets risk state SIEM tools also require advanced skills and knowledge Many SIEM are verbose give too many FPs Many attacks spread over larger period of time and context may be lost / lacking

26 Step 5: React timely & well-informed. Hunt for it. Ideal SOC / IR Team Duty officer / Tier 1 Analyst takes care of all incoming requests. Ensure that all incidents have owners. Triage officer / Tier 1 Analyst deal with the reported incidents, decides whether it is an incident and is to be be handled, and by whom Incident handler / Tier 2 Incident Responder works on the incident: analyze data, create solutions, resolve the technical details and communicates about the progress to the manager and the constituents. Incident handler / Tier 3 Subject Matter Expert advanced analyst that deals with complex cases that involve a cross-filed investigation. Incident manager responsible for the coordination of all incident handling activities. Represents the team in communicating to the outside 3 rd parties. Services staffing: to deliver two core services of the distribution of advisory bulletins as well as incident handling: a minimum of 4 FTE. For a full service CSIRT during office hours, and maintaining systems: a minimum of 6 to 8 FTE. For a fully staffed 24x7 shift (2 shifts during out-of-office hours), the minimum is about 12 FTE. Source: Ten Strategies of a World-Class Cybersecurity Operations Center (MITRE)

27 Step 5: React timely & well-informed. Hunt for it. Investigative Lifecycle: Initial Evidence Create IOCs for Host&Network Deploy IOCs in the Enterprise e.g. IDS/SIEM Identify Additional Suspect Systems Collect Evidence Analyze Evidence Refine & Create new IOCs Source: An Introduction to OpenIOC, Mandiant

28 Step 5: React timely & well-informed. Hunt for it. Actually a Russian proverb, Доверяй но проверяй, Suzanne Massie, a writer on Russia, taught Pr. Ronald Raegan "The old mantra of trust but verify just isn t working. Never trust and verify is how we must apply security in this era of sophisticated breaches. Quote:

29 Questions? Thoughts? UTI-CERT Team contacts:

30 3. Research

31 clicksign Online Function as a service Private Key in Cloud Local Component: Web Browser Sign and Verify Web Service architecture Files Stored in Office 365 File always in the cloud, never on the local machine Native signatures, PDF signatures, CMS-RFC5652 signatures

32

33 WhatYouSeeIsNotWhatYouGet - WebRole1: web service interface - Share Point Worker: files manager - Signature Worker: signature manager

34 disksafe for the Cloud User interface and the driver were adapted to work with data in chunks Sync module ensures that data chunks are synchronized between local and cloud storage

35 Classic work patterns Pattern 1: 1. PC1 a virtual encrypted disk is created for sync with cloud storage 2. PC2 in the second PC, virtual encrypted disk is imported from the configured cloud storage folder 3. PC1 a secondary user is added for the second PC the entire file containing encrypted disk is synced to cloud storage by the client 4. PC2 the secondary user will be able to access the encrypted disk after he gets the entire file. On a large disk, any small modification triggers entire content synchronization Pattern 2: 1. PC1 a virtual encrypted disk is created. It is copied on a usb stick 2. PC2 in the second PC, virtual encrypted disk is imported from the usb stick 3. PC1 a file is created and stored in the virtual encrypted disk. The entire disk must be copied to usb stick 4. PC2 the disk is mounted from the usb stick

36 Cloud based work patterns Pattern 1: 1. PC1 a virtual encrypted disk is created for sync with Dropbox 2. PC2 in the second PC, virtual encrypted disk is imported 3. PC1 a secondary user is added for the second PC 4. PC2 the secondary user is able to access the encrypted disk Different from typical usage, when a user is added, instead of replicating all the data with the cloud only one chunk is synchronized Pattern 2: 1. PC1 a virtual encrypted disk is created for sync with Dropbox 2. PC2 in the second PC, virtual encrypted disk is imported 3. PC1 a file is created and stored in the virtual encrypted disk 4. PC2 the disk is mounted and the file is present Dependant on the size, when the file is stored on the disk, just the affected chunks are synced. Some real-life performance figures: * 4MB - 1Mb/s - 32s; 4MB - 10Mb/s - 3.2s; 4MB - 100Mb/s - 0.3s * 10MB - 1Mb/s- 80s; 10MB - 10Mb/s - 8s; 10MB - 100Mb/s - 0.8s

37 Computing on encrypted data

38 Experimental facts The practical implementation for determining X>Y and X=Y (followed by the corresponding experimental results) was built on top of HElib library. It consists in coding the corresponding compute recursive functions (C/C++ code). In this manner, we used the leveled version of the BGV FHE scheme (embedded in the 2014 version of HElib). The reported time for the comparison of two 8-bit integers, X > Y, is 12 seconds (for 128 bits of the claimed security and using one core of an Intel(R) Xeon(R) E at 3.6 GHz).

39 Experimental facts Finding the maximum number working with an encrypted array: Security bits Time sec Memory GB No of elements in the array - 16 The conducted tests involved an workstation with an x64 of opensuse 12.1 distribution (Intel i7-4710hq processor running at 3.5 GHz, one core and 8GB RAM). This is the needed time costs for the homomorphic evaluation of the GETMAX function for an array of integer values (of n = 8 bits length).

40 TTP The approach is straightforward, we use a webcrawler for the site and a browser extension for the user experience Cryptography comes into place with digital signatures and timestamping

41 TTP Firefox add-on works with our server sending captured images, Heritrix is used for crawling and storing data Signature service is used to sign and timestamp captured images and sites. Advanced signatures are used to be validated at a later point in time All signatures are stored for presentation to interested users.