Great Lakes Business Recovery Group Managing Risk at the Borders of the Physical and I.T. Worlds...
Great Lakes Business Recovery Group
Managing Risk at the Borders of the Physical and I.T. Worlds
Mark Lachniet
Analysts International
Introductions
• Mark Lachniet ([email protected])
• Technical Director, Security Services Group
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Member of the High Tech Crime Investigation Association (HTCIA)
• Technical certifications from Novell, Microsoft, Linux Professional Institute, etc.
• Formerly the I.S. Director at a K-12 school district
Agenda
• I.T. and “real world” convergence
• I.T. and the military
• “Cyber terrorism” defined, and its history
• Real-world threats & crime
• Physical security in prevention
• Human resource security in prevention
• Physical security during a disaster
• Human resource security during a disaster
• Discussion
A Show of Hands
• How many are technical people?
• Are you in Information Security?
• Are you responsible for physical security?
• Are you responsible for DR / BCP?
• How many work for a utility or local government?
• How many work for a university or college?
• How many work for a healthcare organization?
Disclaimer
• I work in information security, not in law enforcement or the military, so many of my opinions are based on research and commonly available information
• So-called “cyber terrorism” hasn’t really become a big issue yet, and is a big unknown
• All of the scenarios and information I will be talking about are very well documented in libraries and on the Internet – if I can come up with it, anyone can
• Better information is probably available, but the folks who have it aren’t talking
I.T. and Real World Convergence
• It seems obvious, but I.T. is increasingly a critical part of everyday life
• In the physical sense, I.T. runs healthcare, airplanes, electrical systems, lock systems, even 911 services and traffic lights
• In the economic data sense, I.T. is critical to the financial well-being of our country
• This convergence will only continue – for example: IP Telephony, RFID, automation
• Even a simple disruption (let alone an intentional compromise) could potentially mean lives or large amounts of money
The CIA Triangle
(diagram: a triangle with Confidentiality, Integrity and Availability at its corners)
The CIA Triangle
• Confidentiality
– The unintended or unauthorized disclosure of computer data or information
• Integrity
– The unintended or unauthorized modification of computer data or information
• Availability
– The loss of service of critical applications, systems, data, networks or computer services
• We need to worry about all three, especially in regulated industries!
The CIA Triangle – DR examples
• Confidentiality (regulation: HIPAA, SB1386)
– Disclosure of passwords from a “crash kit”
– Disclosure of protected information (PII, financial) during the rush of system recovery
• Integrity (regulation example: Sarbanes-Oxley)
– Compromise of systems during build
– Failure to implement correct internal controls (user authentication and access) on rebuilt systems
• Availability (regulated by your desire to be paid)
– The main point of DR efforts – should be pretty well covered by your plans (recovery order based on criticality of servers, dependencies, etc.)
The Cost of Downtime
• Many of you have probably analyzed how much it costs your organization to have systems down
• Even if you cannot quantify the cost of lost business, you no doubt have 70% to 80% of your costs in labor
• If people can’t work, at least after a while, you are losing that money
• This is a problem at the organization level, but a REALLY big problem at the national level
• Due to this dependency, I.T. can be a target both for economic and real-world attacks by nation states and terrorists
I.T. and the Military / Intelligence
• The military (and non-military intelligence gathering organizations) use I.T. extensively
• Many field-deployed systems are based on I.T. systems (communication networks, GPS, targeting systems, NT4 e-mail systems, etc.)
• Have been used extensively for Information Operations (IO) – to craft perception or mislead
• For example – the Zapatista movement in Mexico has used the Internet to great success for cheap propaganda
• Also a big “leak” problem for the military, thanks to e-mail and blogs in the field
• Satellite video of surveillance drones in Afghanistan could be picked up by tuning home satellite dishes!
Military I.T. capabilities
• People aren’t really talking about it too much, but most big governments now have hacker “red teams” designed to break into networks and respond to intrusions (e.g. USA, China*)
• I.T. operations are inexpensive (both in terms of time and capital) and can be anonymous (and therefore less politically dangerous)
• I.T. is also a “soft target” even in governments, due to growth, small budgets, lack of expertise, etc.
• Therefore, I.T. operations are perfect for conducting asymmetrical conflicts, where direct conflict would not be successful
• See http://www.iwar.org.uk
“Cyber Terrorism”
• Terrorism can be thought of as asymmetrical military action, with the goal of low-cost, high-impact action
• “Cyber Terrorism” is therefore the embodiment of asymmetrical warfare through I.T.
• Instead of nation-states, the bigger fear is from smaller players with a political agenda (e.g. Al Qaeda) that have little to lose
• “Cyberterrorism can be defined as the use of information technology by terrorist groups and individuals to further their agenda”
• Some folks will only refer to terrorism as something that has a violence component
• Others include economic impact, and perpetuating fear in society, as being terrorist goals
How Real a Threat is “Cyber Terrorism”?
• In my personal opinion it’s a big future problem!
• Osama Bin Laden recently stated that he hopes to “bleed” the US economically dry, like the USSR in Afghanistan (will they try I.T.??)
• Affecting the economy through I.T. on a large scale would probably be difficult – people are too adaptable
• See the WWII strategic bombing study for problems with disrupting infrastructure
• However, there are a lot of SCADA-connected systems that are Internet accessible, hopefully with physical fail-safes (e.g. nuclear plants)
• There are also a lot of emergency support systems that are I.T. based – these are what I worry about
• The most likely scenario is a coordinated real-world and I.T. attack to act as a “force multiplier”
“Eligible Receiver”
• http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/index.html#mountainview
• "Eligible Receiver is the code name of a 1997 internal exercise initiated by the Department of Defense. A "red team" of hackers from the National Security Agency (NSA) was organized to infiltrate the Pentagon systems. The red team was only allowed to use publicly available computer equipment and hacking software. Although many details about Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities."
Direct Real-World Attacks
• In November 2001, a man was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to one million liters of sewage from a treatment facility in Australia
• The scary part is that it was only on the 45th attempt at compromising the system that he succeeded. The first 44 attempts were never noticed
• This was only sewage, but it could have been any other type of SCADA (Supervisory Control And Data Acquisition) system – the same used by some power companies, water facilities, etc.
• No humans died, but a lot of fish did!
Direct Real-World Attacks
• After the outbreak of the “Slammer” worm, a number of fire department and 911 dispatch systems outside of Seattle, Washington reported that they had to resort to paper and pencil to conduct business for several hours
• This was from a simple worm (virus), and not even from a targeted attack
• In another example, in 1997 a juvenile disabled an FAA radar tower by disrupting the telephone communication system it relied on
• In the big power failure of “the grid” a few years ago, I.T. was suspected (but not proven?)
• The same problems that can affect infrastructure can affect your DR plan!
I.T. Systems and Phones
• There are several worms and viruses that will dial 911 once contracted (2), as well as a hack on WebTV to make it call 911
• Fortunately, these haven’t been coded into “zero day” exploits, such as an unknown flaw in Windows released to the Internet (a dedicated group could do this!)
• If this were to have happened, it could have crippled 911 systems around the country
• From a DR perspective, analyze your plan’s reliance on telephone systems and pagers
• What if you can’t dial 911? Or the fire department? Or your PC supplier?
Phones and DR Plans
• Do you rely on your PBX system for team communication? Do you have land lines?
• Do you have IP Telephony systems? If so, make sure you secure them well!
• Do you rely on cellular phones? In the event of the disaster they may be too busy to use
• Do you publish your emergency phone / pager number? On the one hand, you probably need to, but on the other hand, a single jerk with an auto-dialing modem could tie it up!
• Do you have a backup plan in case all phones are down? (e.g. a place to physically meet?)
• Do you know where to drive to get more fuel for the generator? Alternate site provisions?
Traffic Flow Attacks
• Simply working in Detroit might expose you to traffic flow risks in your DR plan
• If your plan calls on you to drive for hardware, software, or to an alternate site, what happens if the roads are blocked?
• In the event of a major disaster, everyone might be trying to leave at the same time
• Also, it is possible for malicious individuals to manipulate traffic systems to intentionally mess up traffic lights
• http://www.themirt.com/ sells mobile infrared transmitters for emergency vehicles
Free Advertising for “The MIRT”
Traffic Flow Attacks
• These can be used to turn a traffic light green so traffic can clear and the emergency vehicle can go through
• These can be purchased by the public without a license (and they even have handy “stealth mounting” options)
• They are not universally used but…..
• According to the Detroit News, there are “about 85 such intersections in Troy, along Big Beaver and Rochester Road and other main corridors. Farmington and Novi also have invested in the receivers, which can run $15,000 to $20,000 per intersection, including wiring and installation.”
Traffic Flow Attacks
• What if all of the traffic lights were red or otherwise manipulated to cause large-scale traffic jams all around the city? All lanes of traffic would be clogged, and nobody could get out of the way for ambulances, police, etc.
• Even an emergency vehicle override wouldn’t work in this situation (traffic backed up all ways)
• On the other hand, maybe you should get one to help ensure the success of your DR plan
• In addition, the computer control systems are vulnerable to hacking
• A recent version of Phrack has DETAILED information on how to hack into traffic light control systems, above
Hacking Attacks
• There are a lot of obvious ways that hacking could lead to a disaster, or a failure of a critical DR support system
• Hacking into SCADA systems is one way
• In healthcare, tampering with medical records could lead to deadly prescriptions
• A physical security system (badge system) could be circumvented
• A crafty compromise of a backup system could lead to undiscovered data corruption, leading to an inability to recover
• UPS systems could be shut down or disabled
• How likely is it? I use the Lachniet litmus test – if I can do it… someone else can too.
Data Security in a Disaster
• There is always the risk of being hacked during your recovery efforts
• For example, building up machines with direct Internet access is very dangerous
• Many incidents of hacking have occurred while a machine was being built – after the OS went on, but before it was patched and hardened
• Use a cheap NAT firewall for this purpose – don’t allow any incoming traffic
• Make sure security is particularly strong in build routines for mission-critical Internet-facing servers
• Be wary of “temporary” passwords
The Criminal Element
• Manipulation from a criminal is probably a more likely scenario than anything else
• To deal with this, consider ways to minimize the opportunity for criminals to either cause disruptions, or take advantage of disasters
• This includes taking steps to secure your information resources (I.T. security)
• It also means physical security, both during regular operations and during an incident
• Should also consider employee screening practices to keep them out of the door
Securing I.T.
• Technical vulnerability assessments:
– Internet-facing devices
– Internal servers and hosts
– Web application and database security
• Comprehensive security audits
• Secure border design
• Extensive auditing and logging
• Intrusion detection and prevention
• Anti-virus
• Strong authentication
• Etc. etc. etc.
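The “auditing and logging” and “intrusion detection” items above are only useful if someone actually reviews the logs: in the Australian sewage case described earlier, 44 failed attempts went unnoticed before the 45th succeeded. The following is an added example, not code from the presentation or from Analysts International, of the kind of simple review a defender can run over access logs from a control-system gateway. The log format, host name, user names and addresses are all constructed for this example; a real deployment would adapt the regular expression to its own logging.

```python
"""Flag repeated failed access attempts and a later success from the same source.

Added example; the syslog-like line format below is an assumption, not a real
product's format. Two patterns are reported:
  * repeated_failures      - N or more failures from one source inside a time window
  * success_after_failures - a successful login from a source that failed earlier
The second pattern is the "45th attempt" case: the alert that would have fired
when the previous 44 attempts had gone unnoticed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data)
SAMPLE_LOG = """\
2001-03-01T02:10:11 scada-gw auth: user=operator src=10.9.8.7 result=FAIL
2001-03-01T02:11:40 scada-gw auth: user=operator src=10.9.8.7 result=FAIL
2001-03-01T02:13:05 scada-gw auth: user=maint src=10.9.8.7 result=FAIL
2001-03-01T08:30:00 scada-gw auth: user=operator src=192.168.1.20 result=OK
this line is not an auth record and is skipped
2001-03-01T23:55:00 scada-gw auth: user=operator src=10.9.8.7 result=OK
"""

# Assumed line layout: "<ISO timestamp> <host> auth: user=<u> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict for a well-formed auth record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review(log_text, threshold=3, window=timedelta(hours=1)):
    """Scan log_text in order and return a list of alert dicts."""
    alerts = []
    recent_failures = defaultdict(list)  # src -> timestamps of failures inside the window
    total_failures = defaultdict(int)    # src -> all failures seen so far
    already_reported = set()             # sources with an open repeated_failures alert

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than crashing the review
        src, ts = rec["src"], rec["ts"]

        if rec["result"] == "FAIL":
            total_failures[src] += 1
            # keep only failures that still fall inside the sliding window
            recent_failures[src] = [t for t in recent_failures[src] if ts - t <= window]
            recent_failures[src].append(ts)
            if len(recent_failures[src]) >= threshold and src not in already_reported:
                alerts.append({
                    "kind": "repeated_failures",
                    "src": src,
                    "count": len(recent_failures[src]),
                    "first": recent_failures[src][0],
                    "last": ts,
                })
                already_reported.add(src)
        elif total_failures[src] > 0:
            # a success from a source that failed before deserves a human look
            alerts.append({
                "kind": "success_after_failures",
                "src": src,
                "user": rec["user"],
                "ts": ts,
                "prior_failures": total_failures[src],
            })
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the review raises one repeated_failures alert for 10.9.8.7 (three failures in three minutes) and one success_after_failures alert when that same address later logs in as “operator”. The threshold and window are the knobs to tune against your own baseline; the point is that a burst of failures, and especially a success that follows it, is reviewed rather than left to accumulate unnoticed.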
Physical Security
• It is critical to maintain a physical “zone of control” around important assets.
• This should be done both before and after an incident!
• Without physical security, all other measures can be circumvented
• There are many types of physical attacks
• Access to critical areas such as wiring closets can provide unrestricted access to the network or damage of equipment (“oooh, look at the blinky lights”)
• Physical security is needed to prevent the loss of equipment
Physical Security
• Is there a badge / access control system with logging? Can it be easily circumvented? (e.g. barcodes, numeric keypads)
• Do badges have picture IDs? Can you readily identify a visitor and the date of their visit?
• Are master keys all accounted for? Are there many of them?
• Are locks and codes changed when people leave the organization?
• Is there a physical security staff? Dogs? Receptionists who question visitors?
• Are staff members trained (and empowered) to recognize social engineering? To question unknown people?
Physical Security
• Are external areas well lit?
• Are all wiring closets secure?
• Are all hinges on the inside of doors?
• Are doors frequently propped open by smokers? For delivery people?
• Do walls go all the way to the ceiling (and not just stop at the drop ceiling)?
• Are there insecure wireless networks?
• Are there live data jacks in public areas?
• Is there an outsourced cleaning staff? Have they had background checks?
• Are vendors and service people accompanied when on the premises?
Physical Security in DR
• Are your “crash kits” secure? Are they in a car? Under someone’s bed?
• Can tapes and media be stolen? (and restored!)
• Most importantly, how will you protect your people? Are there procedures for workplace violence?
• How will you protect your disaster location from looting? (note: the fire department and police might not let you!)
• How secure is your alternate location? Is it a hotel, or a true offsite location with formalized procedures?
• What is the security of both locations at night? During the day?
• Should you have provisions to hire a security guard to keep an eye on things?
Background Checks
• On the prevention side, background checks could go a long way to identify malevolent people
• Benefits of performing background checks:
– Protect your employees, clients and property from possible harm
– Protect your organization from possible fraud
– Minimize risk to your organization through legal or civil liability
– Promote the hiring of employees with good character, work habits and proficiency at their job
Background Checks
• Include state and federal criminal history checks
• Consider credit history checks (a bad economic situation may indicate a possible future problem)
• Include verification with non-regulated certification issuers such as vendor-specific and technical certifications (CISSPs, MCSEs, etc.)
• Include verification of all listed employment and salary history
• Include verification of all higher education (college level)
• Include verbal verification of all character and employment references. For past employers, consider reaching the listed contact by calling the main organizational phone number, and verifying that the name, position, and phone number you were provided is correct prior to calling them.
Discussion
Mark Lachniet, CISSP, CISA
Technical Director, Security Group
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
mailto: [email protected]
http://lachniet.com/powerpoint
References
• http://www.securityfocus.com (sign up for bugtraq and read the articles)
• http://www.packetstormsecurity.org (seems to change a lot, but lots of dirt)
• http://www.microsoft.com/security
• http://www.sans.org (check out the student papers)
• http://www.cert.org
• http://www.gocsi.com
• http://www.securityportal.com
• http://www.isc2.org
References
• PHRACK magazine: http://www.phrack.org/show.php?p=60
• United States Strategic Bombing Survey: http://www.anesi.com/ussbs01.htm
• Juvenile Hacker and FAA tower: http://www.cybercrime.gov/juvenilepld.htm
• 911 systems disrupted by Slammer Worm: http://www.msnbc.com/news/864184.asp?0cv=CB10
• CyberTerrorism – the Real Risks: http://news.zdnet.co.uk/story/0,,t269-s2121358,00.html
• CyberTerrorism and Computer Technology: http://www.counterterrorismtraining.gov/pubs/02.html
References
• http://www.911dispatch.com/911_file/history/hacking911.html
• http://www.ncsl.org/programs/lis/CIP/cyberterrorism.htm
• http://www.sophos.com/virusinfo/analyses/bat911b.html
• http://www.automationworld.com/articles/Departments/924.html
• http://lachniet.com/securitydocs/2004-10-26-Pre-Employment-Screening-Best-Practices.pdf
• http://www.iwar.org.uk