national university information resources management college

National Defense UniversityInformation Resources Management College

“The global hub for educating, informing, and connecting Information Age leaders.”

Cyber Security: “Defending Industry & Economic Prosperity”Detroit, 27 September 2012

Dr. Robert D. Childs, Chancellor, National Defense University iCollege

1

Opinions and views expressed in this tutorial are those of the author and do not reflect the official policy or position of the Information Resources Management College, the National Defense University, the Department of Defense, or the U.S. Government.

22“The global hub for educating, informing, and connecting Information Age leaders.”

Agenda

• Cyber Shockwave: the threat is here & now.• Four cyber threats to industry and U.S. economic prosperity.1. “Securing the Cloud” – Cloud Computing

security.2. “The Insider Threat” – espionage, data

exfiltration & lost of intellectual property.3. “Attacks on Critical Infrastructure, Industrial

Control Systems (ICS) and SCADA.”4. “Social Media” – the cyber workforce & security

• Educating the Cyber Workforce

29/27/2012


The Cyber Security Epidemic*

9/27/2012 3

*

The trend continued in 2011

http://www.gartner.com/technology/core/home.jsp


Growth of the Asymmetric Cyber Threat

4

High

Low

Soph

istication

Sophistication ofHacking Tools & Elite Hackers

Increasing

1980 1985 1990 1995 2000

Sophistication Required of Common Hackers Declining

cross site scripting

password guessing

self‐replicating code

password cracking

exploiting known vulnerabilities

disabling audits

back doors

hijacking sessions

sweepers

sniffers

packet spoofing

graphic user interface

automated probes/scans

denial of service

www attacks

“stealth” / advanced scanning techniques

burglaries

network mgmt. diagnostics

distributedattack tools

Staging

sophisticated C2

2010 ~ 2015

…next?

“Industry is getting hacked [and] government is getting hacked. What we need to do is come

together and form best practices.”‐Gen. Keith Alexander,U.S. Cyber Command

27 July 2012

Espionage & Data Exfiltration

Tools

EliteHackers

12/2/2011


Threat #1 ‐ “Securing the Cloud”

• Cloud computing provides flexible, cost‐effective delivery of business or consumer IT services over the Internet. – Helps businesses improve service delivery, reduce IT management costs

and respond to dynamic business requirements.

– Cloud resources can be rapidly deployed, easily scaled, and respond to increased demand, regardless of the user location.

• Public and private cloud models, or a hybrid approach using both models, are now in use.– Public clouds are acquired as a service and paid for on a per‐usage

basis or by subscription.

– Private clouds are owned and used by a single organization.

– Private clouds offer many of the same benefits as public clouds, but give the owner greater flexibility and security.

5

IBM Global Technology ServicesThought Leadership White Paper“Strategies for assessing cloud security,” Nov 2010


Risk Concerns with Cloud Computing• Cloud computing introduces risk because essential services are often

outsourced to 3rd party service providers.– Inside the cloud, it is difficult to physically locate where data is stored.

– Business data is stored and processed externally in multiple unspecified locations [sometimes overseas].

• Security processes that were once visible on physical computer servers are now hidden behind layers of “virtual machine” servers. – Harder for users to maintain data integrity, privacy, security, service availability, and

demonstrate compliance with federal & state regulations.

– Users from different corporations and trust levels often share the same set of computing resources, but with different security requirements.

• This lack of visibility can cause concerns about:– Data exposure, compromise, and theft [exfiltration].

– Application services & reliability.

– Regulatory compliance.

– Overall security management.

6

IBM Global Technology ServicesThought Leadership White Paper“Strategies for assessing cloud security,” Nov 2010


Cloud Computing Security – Promises & Disappointments

79/27/2012


Threat #2 ‐ “The Insider Threat”• "In March 2012, it was reported that Blue Cross Blue Shield of Tennessee paid out a settlement of

$1.5 million to the U.S. Department of Health and Human Services arising from potential violations stemming from the theft of 57 unencrypted computer hard drives that contained protected health information of over 1 million individuals."

• "A retailer reported in May 2011 that it had suffered a breach of its customers’ card data. The company discovered tampering with the personal identification number (PIN) pads at its checkout lanes in stores across 20 states."

• "In mid‐2009 a research chemist with DuPont Corporation reportedly downloaded proprietary information to a personal e‐mail account and thumb drive with the intention of transferring this information to Peking University in China and also sought Chinese government funding to commercialize research related to the information he had stolen."

• "Between 2008 and 2009, a chemist with Valspar Corporation reportedly used access to an internal computer network to download secret formulas for paints and coatings, reportedly intending to take this proprietary information to a new job with a paint company in Shanghai, China."

• "In December 2006, a product engineer with Ford Motor Company reportedly copied approximately 4,000 Ford documents onto an external hard drive in order to acquire a job with a Chinese automotive company."

89/27/2012

* "Cyber Threats Facilitate Ability to Commit Economic Espionage," U.S. government General Accountability Office (GAO) report # GAO‐12‐876T, dated 28 June 2012


The Ultimate “Insider Threat” – Wiki‐Leaks

9/27/2012 9

Julian Assange, an Australian Internet activist,Bradley E. Manning, United States Army

Pvt. Manning, disgruntled over U.S. war efforts, allegedly stole, downloaded and smuggled electronic documents out of the headquarters he was assigned disguised as music CDs.

In 2010, over 391,832 secret documents on the Iraqi war, 77,000 classified Pentagon documents on the Afghan conflict, and 250,000 individual cables — the daily traffic between the State Department and more than 270

American diplomatic outposts around the world – were stolen and leaked to Internet activists. [http://topics.nytimes.com/top/reference/timestopics/organizations/w/wikileaks/index.html]

Fareed Khan/Associated Press

http://en.wikipedia.org/wiki/Julian_Assange

http://en.wikipedia.org/wiki/Internet_activism

http://en.wikipedia.org/wiki/United_States_Army


Data Protection Against Insider Threats

10


Steps for Protecting Against the “Insider Threat”• Designate a senior manager to overseeing business sensitive information sharing and safeguarding efforts for the company.– Have written policies acknowledged by all employees.

• Implement an insider threat detection and prevention program. – Establish standards for what constitutes normal use and authorized access to business information.

– Policies should also address the company’s right to monitor use of company network resources.

• Perform self‐assessments of employee compliance with business sensitive information sharing and use policiess.– Results reported annually to a senior managers’ steering group or Board of Directors.

119/27/2012


Threat #3 – “Attacks of ICS & SCADA Systems”

• Information technology (IT) and software enable almost everything we do in the public & private sectors.– Especially in our critical infrastructures (water, electricity, transportation, financial, public health, emergency response, etc.).

• Cyberspace interconnects this global network of Critical Infrastructure and Key Resources.

• What controls our Critical Infrastructures?– Industrial control systems (ICS)

–Supervisory control and data acquisition (SCADA)

9/27/2012 12


What Does an Attack on ICS/SCADA Look Like?

Suki Video

139/27/2012


Real Life: Malware Takes Down Production Line

Case Profile: Daimler Chrysler

Summary

In August 2005, 13 US auto plants were shut down by a simple Internet worm. Despite professionally installed firewalls separating the Internet, the company network and the control network, the Zotob worm had made its way into the control system (probably via a laptop).

Once in the control system, it was able to travel from plant to plant in seconds. Approximately 50,000 assembly line workers ceased work during the outages.

Cause of incident

Introduction of malicious code via a secondary pathway into the control network.

Cost impact

$14 Million (estimated)

14

Source: http://www.tofinosecurity.com/why/Case‐Profile‐Daimler‐Chrysler


Compromising the Electrical Grid with a Smart Phone

9/27/2012 15

Max Cornelisse – Electrical Grid Video (in Danish)

How easy is it to gain control of the electrical power running your business?


Attacking Critical Infrastructure

9/27/2012 16

Computer worms. A computer worm discovered can be designed to

specifically targets industrial software and equipment and cause physical destruction.

The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only specific SCADA systems that are configured to control and monitor specific industrial processes. For example, an electric power generator.


How to Secure the Nation’s Critical Infrastructure

• The Federal Energy Regulatory Commission (FERC)– Established a division to mitigate cyber threats to the electric grid ‐

[19 Sep 2012].

– Best practice & communications with private‐section businesses.

– but, still lacks many of the enforcement capabilities (cyber legislation) it needs from Congress.

• “Guide to Industrial Control Systems (ICS) Security” NIST Special Publication 800‐82

– Nat’l Institute of Standards & Technology (NIST) “Best Practices.”• Supervisory Control and Data Acquisition (SCADA) systems.

• Distributed Control Systems (DCS).

• Control system configurations, Programmable Logic Controllers (PLC).

– Appendix C: lists approximately 30 national and international organizations developing secure operating procedures for ICS.

179/27/2012


Threat #4 ‐ Social Media ‘Pros & Cons”

Pros of social networking

• Valuable for marketing, consumer outreach, releasing new product information, and personnel recruiting.

• Communication between senior executives, employees, colleagues, and industry partners.

• Often the primary means through which younger employees [“the Millennials”] communicate with friends and families.

Potential security risks

• Possible source of violations of company information use policies.

• Proprietary information loss and exfiltration due to malware, social engineering, and phishing attacks.

• Network bandwidth drain.

9/27/2012 18


Social Media & the Cyber Workforce

• As part of educating the workforce, there needs to be written social media policies on:– Video upload & download.– Blogs & online diary posts.– Text messaging use.– File sharing software use – e.g., Bit Torrent.– Using certain cell phone applications (“apps”) – e.g., GPS tracking for cyber stalking.

– Lending corporate network access to 3rd parties using smart phone technology.

• Policies should also address the company’s right to monitor use of company resources.

19


Questions?

Dr. Robert D. Childs

Chancellor, National Defense University – iCollege

300 5th Avenue, Marshall Hall

Washington, DC 20319 USA

Office: 1 202 685 3886

Fax: 1 202 685 3974

e‐mail: [email protected]

iCollege website: www.ndu.edu/iCollege

9/27/201220

Opinions and views expressed in this tutorial are those of the author and do not reflect the official policy or position of the Information Resources Management College, the National Defense University, the Department of Defense, or the U.S. Government.

mailto:[email protected]

http://www.ndu.edu/iCollege

national university information resources management college

Documents