13 Ways Through A Firewall What you don t know will hurt you

Transcription

1 13 Ways Through A Firewall What you don t know will hurt you Andrew Ginter VP Industrial Security Waterfall Security Solutions CIPS ICE: The Tech Day 2013 (Calgary) Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 2013

2 Firewalls Firewalls separate networks and subnetworks with different security / connectivity needs Often first investment any site makes when starting down the road to an ICS cyber security program Unified Threat Managers firewalls with stateful inspection, VPNs, in-line anti-virus scanning, intrusion detection, intrusion prevention, anti-spam, web filtering, and much more but are they secure? DNP3 DMZ in-between network(s) ICS best practice: layers of firewalls, layers of host and network-based defenses Photo: Red Tiger Security Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 2

3 Setup for Demo Scenarios Industrial firewall / UTM Business network my laptop + hacked host virtual machine Control network ICS server to attack / take over + one other ICS host virtual machine 2x virtual switches one for each network, each connected to firewall Consider only one-hop compromise into DMZ, or into ICS from DMZ Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 3

4 Compensating Measures Abbrev Graphic Compensating Measure 2-Factor authentication Encryption Better firewall rules Host intrusion detection / prevention system / SIEM Network intrusion detection / prevention system / SIEM Security updates / patch program Unidirectional security gateway Impact Would have prevented / detected the attack Would prevent / detect some variants of the attack Would not have prevented / detected the attack Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 4

5 #1 Phishing / Spam / Drive-By-Download Single most common way through (enterprise) firewalls Client on business network pulls malware from internet, or activates malware in attachment Spear-phishing carefully crafted to fool even security experts into opening attachment Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 5

6 #2 Social Engineering Steal a Password VPN password on sticky note on monitor, or under keyboard Call up administrator, weave a convincing tale of woe, and ask for the password Ask the administrator to give you a VPN account Shoulder-surf while administrator enters firewall password Guess Install a keystroke logger Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 6

7 #3 Compromise Domain Controller Create Account More generally abuse trust of external system Create account / change password of exposed ICS server, or firewall itself Other external trust abuse compromise external HMI, ERP, DCS vendor with remote access, WSUS server, DNS server, etc. Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 7

8 #4 Attack Exposed Servers Every exposed port is vulnerable: SQL injection buffer overflow default passwords hard-coded password denial of service / SYN-flood Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 8

9 #5 Attack ICS Clients via Compromised Servers Best practice: originate all cross-firewall TCP connections on ICS / trusted side Once established, all TCP connections are bi-directional attacks can flow back to clients: compromised web servers compromised files on file servers buffer overflows Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 9

10 #6 Session Hijacking / Man-in-the-Middle Requires access to communications stream between authorized endpoints eg: ARPSpoof (LAN), fake Wi-Fi access point, hacked DNS server Insert new commands into existing communications session Sniff / fake session ID / cookie and re-use Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 10

11 #7 Piggy-Back on VPN You may trust the person you have granted remote access, but should you trust their computer? Broad VPN access rules I trust this user to connect to any machine, on any port makes it easy for worms and viruses to jump Split-tunneling allows interactive remote control Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 11

12 #8 Firewall Vulnerabilities Firewalls are software. All large software artifacts have bugs, and some of those bugs are security vulnerabilities and zero-days Vendor back-doors / hard-coded passwords Supply chain issues do you trust the manufacturer? The manufacturer s suppliers? Occasional design vulnerabilities Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 12

13 #9 Errors and Omissions Modern firewalls require 6-8 weeks full-time training to cover all features and all configurations The smallest errors expose protected servers to attack Over time, poorly-managed firewalls increasingly resemble routers Well-meaning corporate IT personnel often control firewall configurations and can reach through to fix ICS hosts Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 13

14 #10 Forge an IP Address Most firewall rules are expressed in terms of IP addresses Any administrator can change the IP address on a laptop or workstation Works only if attacker is on same LAN segment as true IP address or WAN routers route response traffic to a different LAN May need ARPSpoof to block machine with real IP Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 14

15 #11 Bypass Network Security Perimeter Complex network architectures path from business network to ICS network through only routers exists, but is not obvious Rogue wireless access points Rogue cables well meaning technicians eliminate single point of failure in firewall ICS network extends outside of physical security perimeter Dial-up port Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 15

16 #12 Physical Access to Firewall If you can touch it, you can compromise it Reset to factory defaults Log in to local serial port, change settings with CLI Re-arrange wiring Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 16

17 #13 Sneakernet Removable media, especially USB sticks, carried past physical / cyber security perimeter Entire laptops, workstations and servers carried past physical / cyber security perimeter Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 17

18 Demo Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 18

19 Firewall Vulnerability Cross-Site Request Forgery Uses web browser credentials for logged-in sites Blind technique script cannot read from foreign web page Can however, push changed data to web server, as if user had pressed send Lesson: Cross-site scripting vulnerabilities are rampant in web applications of all kinds, including ICS applications. CSRF has been public knowledge for over a decade Mitigation: Modify web application to use hidden fields to echo random data back to web site on pages that change application state. Browsers prevent each site s scripts from seeing data coming from another site, so foreign scripts cannot echo random data back to protected website Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 19

20 Errors and Omissions andrews-machine address was really for an entire subnet See this only when you go to the screen which defines andrewsmachine address Correcting this problem is not sufficient the address was in the DHCP range See this only when you go to the DHCP server definition screen Andrew s machine needs to be given a static IP address Lesson: Full-featured firewalls are complex. Reviewing configurations to ensure they are safe is not straightforward. Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 20

21 Firewall Design Vulnerability Browsers enforce can t touch other site s web pages rule when scripts and web pages come from different sites Within a site, scripts can touch web pages at will this is how complex web applications work Hiding many web sites behind a single proxy address is very convenient web browser is your SSL client Web browsers cannot enforce can t touch other site s web pages rules when scripts and web pages all appear to originate at the same site Lesson: Clientless/browser SSL clients are designed to hide many sites behind one address. Unless browser designs or clientless SSL designs change, hosts behind such proxy-site web servers will always be vulnerable to each other s scripted attacks. Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 21

22 Hacking ICS Servers 100,000 Vulnerabilities A major vendor recently reported counting over 50,000 bufferoverflow-capable C library calls in one 2,000,000 LOC product All such calls are currently being replaced Do the math: Assume 2% of all overflow-capable calls are vulnerabilities 10 major vendors world-wide, in at least 5 verticals Assume at least 3 2MLOC products unique to each vertical Assume at least 75% of these products still written in C/C++ The math: 2% x 50,000 calls x 10 vendors x 5 verticals x 3 products x 75% = at least 100,000 vulnerabilities waiting to be found Lesson: Attacking firewall-exposed ICS servers with zero-day exploits will be straightforward for the foreseeable future Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 22

23 Keeping Score Graphic Score Impact 2 Would have prevented / detected the attack 1 Would prevent / detect some variants of the attack 0 Would not have prevented / detected the attack Score Abbrev Compensating Measure 7 2-Factor authentication 7 Encryption 11 Better firewall rules 8 Host intrusion detection / prevention system / SIEM 9 Network intrusion detection / prevention system / SIEM 9 Security updates / patch program 20 Unidirectional security gateway Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 23

24 Unidirectional Example: Historian Replication TX agent is conventional historian client request copy of new data as it arrives in historian RX agent is conventional historian collector drops new data into replica as it arrives from TX TX agent sends historical data and metadata to RX using nonroutable, point-to-point protocol Complete replica, tracks all changes, new tags, alerts in replica Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd. 24

25 Unidirectional Security Gateways Stronger Than Firewalls Firewalls are porous Given the elephants in the room, perimeter protection will always be disproportionately important: 100,000 vulnerabilities Plain-text device communications Dissonance between ECC and IT s constant change patch programs Long life-cycles for physical equipment If this topic was useful, a detailed whitepaper in the same theme is coming andrew. waterfall-security. com Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.

26 Waterfall Security Solutions Headquarters in Israel, sales and operations office in the USA Hundreds of sites deployed in all critical infrastructure sectors Frost & Sullivan: Entrepreneurial Company of the Year Award for ICS network security Pike Research: Waterfall is key player in the cyber security market Gartner: IT and OT security architects should consider Waterfall for their operations networks Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors Market leader for server replication in industrial environments Proprietary Information -- Copyright 2013 by Waterfall Security Solutions Ltd.