Cyber Espionage “ The Internet is God’s gift to spies” Plus: The New Security Heroes Alan...
Cyber Espionage: “The Internet is God’s gift to spies”
Plus: The New Security Heroes
Alan Paller, SANS, [email protected]
Topics for today
The Public Is Awakening: editorial on Jan 26, “Why the 'China virus' hack at US energy companies is worrisome” by John Yemma, Editor
“The stakes in the global cyber-war are at least as high as those in the global war on terror.”
Four years building to public outrage
August 29, 2005: Titan Rain
August 17, 2006: Gen. Lord Confirms Titan Rain
“They hit hundreds of computers that night and morning alone.”
“At 10:23 p.m. PST, they found vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona.”
“At 1:19 am PST, they found the same hole in computers at the military's Defense Information Systems Agency in Arlington, Virginia.”
“At 3:25 am, the Naval Ocean Systems Center, a defense department installation in San Diego, CA.”
“At 4:46 am PST, the United States Army Space and Strategic Defense installation in Huntsville, AL.”
What kind of data did they take?
“a huge collection of files had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.”
Major General William Lord
“China has downloaded 10 to 20 terabytes of data from the NIPRNet”
“They’re looking for your identity so they can get into the network as you,”
“There is a nation-state threat by the Chinese.”
Maj. Gen. William Lord, director of information, services and integration in the Air Force’s Office of Warfighting Integration and Chief Information Officer
August 21, 2006, Government Computer News, “Red Storm Rising”
October 6, 2006: Commerce BIS Division
The federal government's Commerce Department admitted Friday that heavy attacks on its computers by hackers working through Chinese servers have forced the bureau responsible for granting export licenses to lock down Internet access for more than a month.
Four years building to public outrage
Dec 1, 2007: 300 British Companies
Apr 8, 2009: The Grid
January 15, 2010: Google & more
January 25, 2010: Oil Companies
Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology
April 17, 2007. Chairman: Jim Langevin (RI)
"We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
State Dept witness: Don Reid, Senior Coordinator for Security Infrastructure
Commerce Dept witness: Dave Jarrell, Manager, Critical Infrastructure Protection Program
Setting the stage
Two responses
Commerce:
1. No idea when it got in, how it got in, or where it spread
2. Took 8 days to filter (ineffective)
3. Unable to clean the systems; forced to replace them
4. Do not know whether they have found or gotten rid of the infections
State:
1. Detected it immediately
2. Put effective filter in place within 24 hours; shared filter with other agencies
3. Found two zero-days
4. Helped Microsoft and AV companies create patches and signatures
5. Cleaned infected systems, confident all had been found
What was the difference?
Was it tools? No
◦ Almost the same commercial tools – Commerce had more commercial IPS/IDS
Was it skills? Yes
◦ Commerce – only experience was firewall operations, not even firewall engineering. No training other than prep for Security+ and later for CISSP
◦ State – experience and training in forensics, vulnerabilities and exploits, deep packet inspection, log analysis, script development, secure coding, reverse engineering. Plus counterintelligence. And managers with strong technical security skills.
How critical is the shortage of technical security skills?
Jim Gosler (first director of CIA’s CITO – Clandestine Information Technology Office) in a meeting in the Pentagon (10/08) with Bill Studeman, Lin Wells, Bob Lentz, Melissa Hathaway and several others:
“The US has no more than 1,000 people with the advanced security skills to compete in cyberspace at world class levels – we need 20-30,000!”
No one disagreed.
Other evidence of the shortage: “fratricide” among the integrators serving the Intelligence Community
Why these skills matter: Wicked Rose
Key weapons in the next war will be people with advanced, technical cyber security skills
Emerging Consensus in Military Cyber Skills Development
Offense and defense need the same deep technical skills but may diverge in late stages of development
Training should be phased with significant on the job experience between training elements
Team composition is equally important: different people will be better at some tasks than others; the model is special forces teams
The New Security Heroes
Alan Paller, [email protected]
Bringing about broad based change when no one works for you
The problem: CISOs are accountable for IT security, BUT they directly supervise only a small part of the systems actually in use.
What makes a security hero?
• Radically improves security in ways that can be measured reliably, and replicated
• Ensures operational people are not asked to do the impossible. Ends the security wars with IT operations and with the audit staff.
• Teaches other organizations how to do the same thing or provides the catalyst to allow others to do even more
Results in 12 Months
[Chart: Domestic Sites and Foreign Sites plotted from 6/1/2008 to 8/25/2009, y-axis 0.0 to 1,200.0; annotations: 89% Reduction and 90% Reduction]
Proof: Federal Aurora Response
Google Hack IE Vulnerability – zero day IAVA and government notices
What percent of systems were reported patched at DoD in four months?
What percent were actually patched at State in the first 9 days?
Google - Aurora Attack
[Chart: MS10-018 Patch Coverage; x-axis Date, 2-Apr to 16-Apr; y-axis % of applicable hosts both reporting and patched, 0% to 100%; annotation: 40 points: April 3 – 9, 2010]
Risk scoring escalation from 40, 80, 120, 160 and then 320 points
Quantify Special Threats
MS10-012 Patch, Feb – March 2010
He never visited any of the 200+ foreign sites
So how did he do it?
Continuous monitoring and high level data reporting
Also known as: Continuous C&A and Continuous FISMA Compliance
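As an added example (not the State Department's tooling and not code from the slides), this Python sketch applies the escalation ladder described above (40, 80, 120, 160, then 320 points) to a constructed fleet and computes the two figures the charts plot: per-site risk totals and the percentage of applicable hosts that are both reporting and patched. The weekly escalation cadence, the seven-day staleness cutoff, and the host list are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
# Escalation ladder from the slides: 40, 80, 120, 160, then 320 points. Stepping
# once per week a patch stays missing is this example's assumption, not the slides'.
ESCALATION = (40, 80, 120, 160, 320)
STALE_DAYS = 7  # assumed: no check-in for a week means the host is "not reporting"
@dataclass
class Host:
    site: str
    applicable: bool          # does the vulnerability apply to this host?
    reported: Optional[date]  # last scanner check-in, None if it never reported
    patched: bool

def risk_points(first_seen: date, today: date) -> int:
    """Points one unpatched finding carries, escalating weekly and capped at 320."""
    weeks = max(0, (today - first_seen).days // 7)
    return ESCALATION[min(weeks, len(ESCALATION) - 1)]

def is_reporting(h: Host, today: date) -> bool:
    return h.reported is not None and (today - h.reported).days <= STALE_DAYS

def host_score(h: Host, first_seen: date, today: date) -> int:
    """0 if not applicable or verifiably patched; a silent host counts as unpatched."""
    if not h.applicable or (h.patched and is_reporting(h, today)):
        return 0
    return risk_points(first_seen, today)

def site_scores(hosts: List[Host], first_seen: date, today: date) -> Dict[str, int]:
    """Per-site totals: the figure the Domestic/Foreign Sites chart tracks over time."""
    totals: Dict[str, int] = {}
    for h in hosts:
        totals[h.site] = totals.get(h.site, 0) + host_score(h, first_seen, today)
    return totals

def coverage(hosts: List[Host], today: date) -> float:
    """Percent of applicable hosts both reporting and patched (the MS10-018 chart's y-axis)."""
    applicable = [h for h in hosts if h.applicable]
    good = [h for h in applicable if h.patched and is_reporting(h, today)]
    return 100.0 * len(good) / len(applicable) if applicable else 0.0

# Constructed sample fleet; the finding is first scored on April 3, 2010 as on the slide.
FIRST_SEEN, TODAY = date(2010, 4, 3), date(2010, 4, 16)
FLEET = [
    Host("HQ", True, date(2010, 4, 16), True),            # patched and reporting: 0 points
    Host("HQ", True, date(2010, 4, 15), False),           # unpatched: escalated points
    Host("Embassy-1", True, None, True),                  # claims patched but never reported
    Host("Embassy-1", False, date(2010, 4, 16), False),   # patch not applicable: 0 points
    Host("Embassy-1", True, date(2010, 4, 1), True),      # patched, but report 15 days stale
]
```

Silent or stale hosts are scored as unpatched on purpose: a dashboard that credits a host for a patch it cannot verify rewards broken agents rather than remediation.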
What allows continuous monitoring to work? It combines:
• Reliability and fairness in the metrics
• Authoritative consensus on what is important enough to need to be measured
• But where did the consensus come from?
• And what else makes metrics effective?
Authoritative and Important
How can you prove you meet those criteria?
The big idea:
“Offense informs defense!”
Who understands offense?
• NSA Red Teams
• NSA Blue Teams
• DoD Cyber Crime Center (DC3)
• US-CERT (plus 3 agencies that were hit hard)
• Top Commercial Pen Testers
• Top Commercial Forensics Teams
• JTF-GNO
• AFOSI
• Army Research Laboratory
• DoE National Laboratories
• State Dept.
Would they be willing to combine their knowledge of attacks and offense to define the most important defensive investments CIOs must make?
Result: Twenty Critical Controls
Consensus Audit Guidelines (CAG)
The twenty key controls
1. 15 subject to automation: examples
   1. Vulnerabilities
   2. Inventory
   3. Wireless
   4. Configuration
2. 5 that are important but cannot be easily automated
15 critical controls can be automated
CAG ID | Consensus Audit Guidelines | NIST 800-53 | CIRT Events, 11 mo
1 | Inventory of authorized and unauthorized hardware | CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9 | Multiple Tools; < 6%
2 | Inventory of authorized and unauthorized software | CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7 | < 22%
3 | Secure configurations for HW and SW, if available | CM-6, CM-7, CP-10, IA-5, SC-7 | Nominal
4 | Secure configurations for network devices such as firewalls and routers | AC-4, CM-6, CM-7, CP-10, IA-5, RA-5, SC-7 | Nominal
5 | Boundary Defense | AC-17, RA-5, SC-7, SI-4 | < 7%
6 | Maintenance/Analysis of complete security audit logs | AU-1, AU-2, AU-3, AU-4, AU-6, AU-7, AU-9, AU-11, AU-12, CM-3, CM-5, CM-6, SI-4 | Nominal
7 | Application software security | AC-4, CM-4, CM-7, RA-5, SA-3, SA-4, SA-8, SA-11, SI-3 | Decentralized
8 | Controlled use of Administrative Privileges | AC-6, AC-17, AT-2, AU-2 | Nominal
9 | Controlled access based on need to know | AC-1, AC-2, AC-3, AC-6, AC-13 | < 1%
10 | Continuous vulnerability testing and remediation | CA-2, CA-6, CA-7, RA-5, SI-2 | Nominal
11 | Dormant account monitoring and control | AC-2, PS-4, PS-5 | Nominal
12 | Anti-malware defenses | AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8 | < 60%
13 | Limitation and control of ports, protocols and services | AC-4, CM-6, CM-7, SC-7 | Not yet graded
14 | Wireless device control | AC-17 | Nominal
15 | Data leakage protection | AC-2, AC-4, PL-4, SC-7, SC-31, SI-4 | Pending
But: “We don’t have a lot of money; how can we get started doing what State did?”
John Gilligan’s answer: You already have most (70%) of the tools you need to automate security risk measurement. The State Dept. will give you the software they use to measure and display risk. This isn’t a money issue or a technology issue. It’s a leadership issue. You don’t have to wait for someone to tell you to do it.
There is no other path available to CIOs and security managers to escape from the “compliance morass” and make a measurable difference in security.
A relevant story...
Dog chases truck. Truck stops. Dog thinks: “Now what do I do?”
Now What Do We Do?
• We measure risk continuously and radically reduce the vulnerabilities (following the State Dept. model)
• We build a cadre of skilled security architects
• We buy products/systems with security baked in
• We increase the rewards for security people with key technical skills (licensing)
• We train system administrators to become the human sensor network
• We support colleges only if they teach programmers how to code securely
• We find and nurture young (and not-so-young) people with extraordinary technical skills to become the cyber guardians/warriors for the future
How Automated Continuous Monitoring Works
[Chart repeated: Results in 12 Months, Domestic Sites and Foreign Sites, 6/1/2008 to 8/25/2009; 89% Reduction and 90% Reduction]
State Used the “20 Critical Controls”
[The CAG to NIST 800-53 mapping table is repeated on this slide.]
Portrait of a security hero!
[Chart repeated: Results in 12 Months, Domestic Sites and Foreign Sites, 6/1/2008 to 8/25/2009; 89% Reduction and 90% Reduction]