Transcript of "Managing Risk at the Borders of the Physical and I.T. Worlds", a presentation to the Great Lakes Business Recovery Group by Mark Lachniet (mlachniet@analysts.com), Analysts International.

Page 1

Great Lakes Business Recovery Group

Managing Risk at the Borders of the Physical and I.T. Worlds

Mark Lachniet

mlachniet@analysts.com

Analysts International

Page 2

Introductions
• Mark Lachniet (mlachniet@analysts.com)
• Technical Director, Security Services Group
• Certified Information Systems Auditor (CISA)
• Certified Information Systems Security Professional (CISSP)
• Member of the High Tech Crime Investigation Association (HTCIA)
• Technical certifications from Novell, Microsoft, Linux Professional Institute, etc.
• Formerly the I.S. Director at a K-12 school district

Page 3

Agenda
• I.T. and “real world” convergence
• I.T. and the military
• “Cyber terrorism” defined and history
• Real-world threats & crime
• Physical security in prevention
• Human resource security in prevention
• Physical security during a disaster
• Human resource security during a disaster
• Discussion

Page 4

A Show of Hands
• How many are technical people?
• Are you in Information Security?
• Are you responsible for physical security?
• Are you responsible for DR / BCP?
• How many work for a utility or local government?
• How many work for a university or college?
• How many work for a healthcare organization?

Page 5

Disclaimer
• I work in information security, not in law enforcement or the military, so many of my opinions are based on research and commonly available information
• So-called “cyber terrorism” hasn’t really become a big issue yet, and is a big unknown
• All of the scenarios and information I will be talking about are very well documented in libraries and on the Internet – if I can come up with it, anyone can
• Better information is probably available, but the folks who have it aren’t talking

Page 6

I.T. and Real World Convergence
• It seems obvious, but I.T. is increasingly a critical part of everyday life
• In the physical sense, I.T. runs healthcare, airplanes, electrical systems, lock systems, even 911 services and traffic lights
• In the economic data sense, I.T. is critical to the financial well-being of our country
• This convergence will only continue – for example: IP Telephony, RFID, automation
• Even a simple disruption (let alone an intentional compromise) could potentially mean lives or large amounts of money

Page 7

The CIA Triangle
(Diagram: a triangle with Confidentiality at the top and Integrity and Availability at the base corners)

Page 8

The CIA Triangle
• Confidentiality
  – The unintended or unauthorized disclosure of computer data or information
• Integrity
  – The unintended or unauthorized modification of computer data or information
• Availability
  – The loss of service of critical applications, systems, data, networks or computer services
• We need to worry about all three, especially in regulated industries!

Page 9

The CIA Triangle – DR examples
• Confidentiality (regulation: HIPAA, SB1386)
  – Disclosure of passwords from a “crash kit”
  – Disclosure of protected information (PII, financial) during the rush of system recovery
• Integrity (regulation example: Sarbanes-Oxley)
  – Compromise of systems during build
  – Failure to implement correct internal controls (user authentication and access) on rebuilt systems
• Availability (regulated by your desire to be paid)
  – The main point of DR efforts – should be pretty well covered by your plans (recovery order based on criticality of servers, dependencies, etc.)

Page 10

The Cost of Downtime
• Many of you have probably analyzed how much it costs your organization to have systems down
• Even if you cannot quantify the cost of lost business, you no doubt have 70% to 80% of your costs in labor
• If people can’t work, at least after a while, you are losing that money
• This is a problem at the organization level, but a REALLY big problem at the national level
• Due to this dependency, I.T. can be a target both for economic and real-world attacks by nation states and terrorists

Page 11

I.T. and the Military / Intelligence
• The military (and non-military intelligence gathering organizations) use I.T. extensively
• Many field-deployed systems are based on I.T. systems (communication networks, GPS, targeting systems, NT4 e-mail systems, etc.)
• These have been used extensively for Information Operations (IO) – to craft perception or mislead
• For example – the Zapatista movement in Mexico has used the Internet to great success for cheap propaganda
• Also a big “leak” problem for the military, thanks to e-mail and blogs in the field
• Satellite video of surveillance drones in Afghanistan could be picked up by tuning home satellite dishes!

Page 12

Military I.T. capabilities
• People aren’t really talking about it too much, but most big governments now have hacker “red teams” designed to break into networks and respond to intrusions (e.g. USA, China*)
• I.T. operations are inexpensive (both in terms of time and capital) and can be anonymous (and therefore less politically dangerous)
• I.T. is also a “soft target” even in governments, due to growth, small budgets, lack of expertise, etc.
• Therefore, I.T. operations are perfect for conducting asymmetrical conflicts, where direct conflict would not be successful
• See http://www.iwar.org.uk

Page 13

“Cyber Terrorism”
• Terrorism can be thought of as asymmetrical military action, with the goal of low-cost, high-impact action
• “Cyber Terrorism” is therefore the embodiment of asymmetrical warfare through I.T.
• Instead of nation-states, the bigger fear is from smaller players with a political agenda (e.g. Al Qaeda) that have little to lose
• “Cyberterrorism can be defined as the use of information technology by terrorist groups and individuals to further their agenda”
• Some folks will only refer to terrorism as something that has a violence component
• Others include economic impact, and perpetuating fear in society, as being terrorist goals

Page 14

How Real a Threat is “Cyber Terrorism”?
• In my personal opinion it’s a big future problem!
• Osama Bin Laden recently stated that he hopes to “bleed” the US economically dry, like the USSR in Afghanistan (will they try I.T.?)
• Affecting the economy through I.T. on a large scale would probably be difficult – people are too adaptable
• See the WWII strategic bombing study for problems with disrupting infrastructure
• However, there are a lot of SCADA-connected systems that are Internet accessible, hopefully with physical fail-safes (e.g. nuclear plants)
• There are also a lot of emergency support systems that are I.T. based – these are what I worry about
• The most likely scenario is a coordinated real-world and I.T. attack to act as a “force multiplier”

Page 15

“Eligible Receiver”
• http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/warnings/index.html#mountainview
• "Eligible Receiver is the code name of a 1997 internal exercise initiated by the Department of Defense. A "red team" of hackers from the National Security Agency (NSA) was organized to infiltrate the Pentagon systems. The red team was only allowed to use publicly available computer equipment and hacking software. Although many details about Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities."

Page 16

Direct Real-World Attacks
• In November 2001 a man was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to one million liters of sewage from a treatment facility in Australia
• The scary part is that it was only on the 45th attempt at compromising the system that he succeeded. The first 44 attempts were never noticed
• This was only sewage, but it could have been any other type of SCADA (Supervisory Control And Data Acquisition) system – the same used by some power companies, water facilities, etc.
• No humans died, but a lot of fish did!
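The lesson of the sewage case is that 44 failed attempts went unnoticed. The script below is an added example, not part of the presentation: it runs over constructed sample access-log lines in a hypothetical format and flags a run of failed logins from one source, and a success that follows such a run.

```python
"""Flag repeated failed access attempts against a control-system gateway.

Added example (not from the original presentation). The log format below is
hypothetical and the sample lines are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log: "date time src=<addr> result=OK|FAIL user=<name>"
SAMPLE_LOG = """\
2000-03-01 09:15:00 src=10.0.0.5 result=OK user=operator
2000-03-01 09:20:12 src=10.0.0.5 result=FAIL user=operator
2000-03-01 09:20:30 src=10.0.0.5 result=OK user=operator
this line is deliberately malformed and should be skipped
2000-03-01 22:01:10 src=10.9.8.7 result=FAIL user=operator
2000-03-01 22:01:25 src=10.9.8.7 result=FAIL user=operator
2000-03-01 22:02:03 src=10.9.8.7 result=FAIL user=admin
2000-03-01 22:03:44 src=10.9.8.7 result=FAIL user=admin
2000-03-01 22:04:50 src=10.9.8.7 result=OK user=admin
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) result=(OK|FAIL) user=(\S+)$")


def parse_log(text):
    """Yield (timestamp, source, success, user); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, result, user = m.groups()
            yield ts, src, result == "OK", user


def analyze(text, fail_threshold=3, success_after=2):
    """Return alert strings for the two patterns the sewage case illustrates.

    Per source, in log order:
      * `fail_threshold` consecutive failures (reported once per run)
      * a success that follows at least `success_after` consecutive failures,
        i.e. the attempt that finally got in, with the failure count attached
    A single typo followed by a correct login (below `success_after`) is not flagged.
    """
    streak = defaultdict(int)  # consecutive failures per source
    alerts = []
    for ts, src, ok, user in parse_log(text):
        if not ok:
            streak[src] += 1
            if streak[src] == fail_threshold:
                alerts.append(f"{ts} {src}: {fail_threshold} consecutive failed logins")
        else:
            if streak[src] >= success_after:
                alerts.append(f"{ts} {src}: success as user {user} after {streak[src]} failures")
            streak[src] = 0
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```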

Page 17

Direct Real-World Attacks
• After the outbreak of the “Slammer” worm, a number of fire department and 911 dispatch systems outside of Seattle, Washington reported that they had to resort to paper and pencil to conduct business for several hours
• This was from a simple worm (virus), and not even from a targeted attack
• In another example, in 1997 a juvenile disabled an FAA radar tower by disrupting the telephone communication system it relied on
• In the big power failure of “the grid” a few years ago, I.T. was suspected (but not proven?)
• The same problems that can affect infrastructure can affect your DR plan!

Page 18

I.T. Systems and Phones
• There are several worms and viruses that will dial 911 once contracted (2), as well as a hack on WebTV to make it call 911
• Fortunately, these haven’t been coded into “zero day” exploits, such as an unknown flaw in Windows, and released to the Internet (a dedicated group could do this!)
• If this were to have happened, it could have crippled 911 systems around the country
• From a DR perspective, analyze your plan’s reliance on telephone systems and pagers
• What if you can’t dial 911? Or the fire department? Or your PC supplier?

Page 19

Phones and DR Plans
• Do you rely on your PBX system for team communication? Do you have land lines?
• Do you have IP Telephony systems? If so, make sure you secure them well!
• Do you rely on cellular phones? In the event of a disaster they may be too busy to use
• Do you publish your emergency phone / pager number? On the one hand, you probably need to, but on the other hand, a single jerk with an auto-dialing modem could tie it up!
• Do you have a backup plan in case all phones are down? (e.g. a place to physically meet?)
• Do you know where to drive to get more fuel for the generator? Alternate site provisions?

Page 20

Traffic Flow Attacks
• Simply working in Detroit might expose you to traffic flow risks in your DR plan
• If your plan calls on you to drive for hardware, software, or to an alternate site, what happens if the roads are blocked?
• In the event of a major disaster, everyone might be trying to leave at the same time
• Also, it is possible for malicious individuals to manipulate traffic systems to intentionally mess up traffic lights
• http://www.themirt.com/ sells mobile infrared transmitters for emergency vehicles

Page 21

Free Advertising for “The MIRT”
(Slide shows a product image of the mobile infrared transmitter)

Page 22

Traffic Flow Attacks
• These can be used to turn a traffic light green so traffic can clear and the emergency vehicle can go through
• These can be purchased by the public without a license (and they even have handy “stealth mounting” options)
• They are not universally used but…
• According to the Detroit News, there are “about 85 such intersections in Troy, along Big Beaver and Rochester Road and other main corridors. Farmington and Novi also have invested in the receivers, which can run $15,000 to $20,000 per intersection, including wiring and installation.”

Page 23

Traffic Flow Attacks
• What if all of the traffic lights were red or otherwise manipulated to cause large-scale traffic jams all around the city? All lanes of traffic would be clogged, and nobody could get out of the way for ambulances, police, etc.
• Even an emergency vehicle override wouldn’t work in this situation (traffic backed up all ways)
• On the other hand, maybe you should get one to help ensure the success of your DR plan
• In addition, the computer control systems are vulnerable to hacking
• A recent issue of Phrack has DETAILED information on how to hack into traffic light control systems (see above)

Page 24

Hacking Attacks
• There are a lot of obvious ways that hacking could lead to a disaster, or a failure of a critical DR support system
• Hacking into SCADA systems is one way
• In healthcare, tampering with medical records could lead to deadly prescriptions
• A physical security system (badge system) could be circumvented
• A crafty compromise of a backup system could lead to undiscovered data corruption, leading to an inability to recover
• UPS systems could be shut down or disabled
• How likely is it? I use the Lachniet litmus test – if I can do it… someone else can too.

Page 25

Data Security in a Disaster
• There is always the risk of being hacked during your recovery efforts
• For example, building up machines with direct Internet access is very dangerous
• Many incidents of hacking have occurred while a machine was being built – after the OS went on, but before it was patched and hardened
• Use a cheap NAT firewall for this purpose – don’t allow any incoming traffic
• Make sure security is particularly strong in build routines for mission-critical Internet-facing servers
• Be wary of “temporary” passwords

Page 26

The Criminal Element
• Manipulation from a criminal is probably a more likely scenario than anything else
• To deal with this, consider ways to minimize the opportunity for criminals to either cause disruptions, or take advantage of disasters
• This includes taking steps to secure your information resources (I.T. security)
• It also means physical security, both during regular operations and during an incident
• You should also consider employee screening practices to keep criminals out of the door

Page 27

Securing I.T.
• Technical vulnerability assessments:
  – Internet-facing devices
  – Internal servers and hosts
  – Web application and database security
• Comprehensive security audits
• Secure border design
• Extensive auditing and logging
• Intrusion detection and prevention
• Anti-virus
• Strong authentication
• Etc. etc. etc.

Page 28

Physical Security
• It is critical to maintain a physical “zone of control” around important assets.
• This should be done both before and after an incident!
• Without physical security, all other measures can be circumvented
• There are many types of physical attacks
• Access to critical areas such as wiring closets can provide unrestricted access to the network or damage of equipment (“oooh, look at the blinky lights”)
• Physical security is needed to prevent the loss of equipment

Page 29

Physical Security
• Is there a badge / access control system with logging? Can it be easily circumvented? (e.g. barcodes, numeric keypads)
• Do badges have picture IDs? Can you readily identify a visitor and the date of their visit?
• Are master keys all accounted for? Are there many of them?
• Are locks and codes changed when people leave the organization?
• Is there a physical security staff? Dogs? Receptionists who question visitors?
• Are staff members trained (and empowered) to recognize social engineering and to question unknown people?
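A badge system with logging is only useful if someone reviews the log. The script below is an added example, not part of the presentation: it works over constructed badge events in a hypothetical CSV format and a constructed staff roster, and flags badges still granting access after their holder has left, after-hours entry to restricted rooms, and bursts of denied swipes.

```python
"""Review badge / access-control logs for the problems the slide asks about.

Added example (not from the original presentation). The event format, the
roster and the door names are hypothetical and constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed roster: badge id -> (holder, still active?)
ROSTER = {
    "B1001": ("alice", True),
    "B1002": ("bob", False),    # left the organization; badge never revoked
    "B1003": ("carol", True),
}
RESTRICTED = {"wiring-closet-2", "server-room"}
BUSINESS_HOURS = (7, 19)        # 07:00 to 19:00 counts as normal working time

# Constructed sample events: timestamp,badge,door,result
SAMPLE_EVENTS = """\
2004-10-26 08:02:11,B1001,front-door,GRANTED
2004-10-26 08:05:40,B1003,server-room,GRANTED
2004-10-26 12:30:05,B1002,front-door,GRANTED
2004-10-26 23:41:09,B1001,wiring-closet-2,GRANTED
2004-10-26 23:42:00,B9999,server-room,DENIED
2004-10-26 23:42:20,B9999,server-room,DENIED
2004-10-26 23:42:45,B9999,server-room,DENIED
2004-10-27 09:00:00,B1003,front-door,GRANTED
"""


def parse_events(text):
    """Yield (timestamp, badge, door, granted); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[1], parts[2], parts[3] == "GRANTED"


def review(text, roster=ROSTER, restricted=RESTRICTED, denied_burst=3):
    """Return findings, in log order, for three review questions:
    a granted swipe by a badge whose holder is no longer active (or is unknown),
    a granted swipe into a restricted room outside business hours, and
    `denied_burst` denied swipes from the same badge (reported once)."""
    findings = []
    denied = defaultdict(int)
    for ts, badge, door, granted in parse_events(text):
        name, active = roster.get(badge, ("unknown", False))
        after_hours = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
        if granted and not active:
            findings.append(f"{ts} {badge} ({name}): granted at {door} but badge is not active")
        if granted and door in restricted and after_hours:
            findings.append(f"{ts} {badge} ({name}): after-hours entry to {door}")
        if not granted:
            denied[badge] += 1
            if denied[badge] == denied_burst:
                findings.append(f"{ts} {badge}: {denied_burst} denied attempts at {door}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```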

Page 30

Physical Security
• Are external areas well lit?
• Are all wiring closets secure?
• Are all hinges on the inside of doors?
• Are doors frequently propped open by smokers? For delivery people?
• Do walls go all the way to the ceiling (and not just stop at the drop ceiling)?
• Are there insecure wireless networks?
• Are there live data jacks in public areas?
• Is there an outsourced cleaning staff? Have they had background checks?
• Are vendors and service people accompanied when on the premises?

Page 31

Physical Security in DR
• Are your “crash kits” secure? Are they in a car? Under someone’s bed?
• Can tapes and media be stolen? (and restored!)
• Most importantly, how will you protect your people? Are there procedures for workplace violence?
• How will you protect your disaster location from looting? (note: the fire department and police might not let you!)
• How secure is your alternate location? Is it a hotel, or a true offsite location with formalized procedures?
• What is the security of both locations at night? During the day?
• Should you have provisions to hire a security guard to keep an eye on things?

Page 32

Background Checks
• On the prevention side, background checks could go a long way to identify malevolent people
• Benefits of performing background checks:
  – Protect your employees, clients and property from possible harm
  – Protect your organization from possible fraud
  – Minimize risk to your organization through legal or civil liability
  – Promote the hiring of employees with good character, work habits and proficiency at their job

Page 33

Background Checks
• Include state and federal criminal history checks
• Consider credit history checks (a bad economic situation may indicate a possible future problem)
• Include verification with non-regulated certification issuers such as vendor-specific and technical certifications (CISSPs, MCSEs, etc.)
• Include verification of all listed employment and salary history
• Include verification of all higher education (college level)
• Include verbal verification of all character and employment references. For past employers, consider reaching the listed contact by calling the main organizational phone number, and verifying that the name, position, and phone number you were provided is correct prior to calling them.

Page 34

Discussion

Mark Lachniet, CISSP, CISA
Technical Director, Security Group
Analysts International
(517) 336-1004 (voice)
(517) 336-1100 (fax)
mailto:mlachniet@analysts.com
http://lachniet.com/powerpoint

Page 35

References
• http://www.securityfocus.com (sign up for bugtraq and read the articles)
• http://www.packetstormsecurity.org (seems to change a lot, but lots of dirt)
• http://www.microsoft.com/security
• http://www.sans.org (check out the student papers)
• http://www.cert.org
• http://www.gocsi.com
• http://www.securityportal.com
• http://www.isc2.org

Page 36

References
• PHRACK magazine: http://www.phrack.org/show.php?p=60
• United States Strategic Bombing Survey: http://www.anesi.com/ussbs01.htm
• Juvenile Hacker and FAA tower: http://www.cybercrime.gov/juvenilepld.htm
• 911 systems disrupted by Slammer Worm: http://www.msnbc.com/news/864184.asp?0cv=CB10
• CyberTerrorism – the Real Risks: http://news.zdnet.co.uk/story/0,,t269-s2121358,00.html
• CyberTerrorism and Computer Technology: http://www.counterterrorismtraining.gov/pubs/02.html

Page 37

References
• http://www.911dispatch.com/911_file/history/hacking911.html
• http://www.ncsl.org/programs/lis/CIP/cyberterrorism.htm
• http://www.sophos.com/virusinfo/analyses/bat911b.html
• http://www.automationworld.com/articles/Departments/924.html
• http://lachniet.com/securitydocs/2004-10-26-Pre-Employment-Screening-Best-Practices.pdf
• http://www.iwar.org.uk