Cyber Terrorism:
Strategic Problem Solving and Fresh
Insights
Yu Chien Siang
Ministry of Home Affairs
Singapore
Agenda
• Introduction
• Cyber-terrorism – why be concerned?
• Some Attack Scenarios
• Singapore Experience Sharing and Insights
• Conclusion
Cyber-terrorism: Why be concerned?

The 2007 attacks on Estonia. The main targets were the websites of:
– the Estonian presidency and its parliament
– almost all of the country's government ministries
– political parties
– three of the country's six big news organisations
– two of the biggest banks; and firms specialising in communications
• DDoS attack involved systems:
– More than 300 systems worldwide
– One system coordinating the DDoS attacks, 65.19.154.94, known as a US spam server
– Russian systems seem to be involved as command servers
• Impact assessment
– The cyber attack on Estonia was significant: the first time that a country's Internet system had been attacked over a period of time, with users unable to access the Internet across a range of functions and services.
– Impact on the real world: simultaneous disruption to various parts of society, causing some inconvenience and probably financial costs. However, there have been no known direct fatalities or permanent loss of information or data so far.
SCADA
Supervisory Control And Data Acquisition systems
• Or Industrial Control System (ICS)
• Critical Infrastructure
– Traffic control systems (air, land, sea)
– The MRT
– The water in your country
– The energy generators and distribution
– …
SCADA Incidents
• Incident Worcester Air Traffic Communications
– In March 1997, a teenager in Worcester,
Massachusetts disabled part of the public
switching network using a dial-up modem
connected to the system. This knocked out phone
service at the control tower, airport security, the
airport fire department, the weather service, and
carriers that use the airport.
SCADA Incidents
• Incident Davis-Besse
– In August 2003, the Nuclear Regulatory
Commission confirmed that in January
2003, the Microsoft SQL Server worm
known as Slammer infected a private
computer network at the idled Davis-Besse
nuclear power plant in Oak Harbor, Ohio,
disabling a safety monitoring system for
nearly five hours.
– In addition, the plant’s process computer
failed, and it took about six hours for it to
become available again. Slammer
reportedly also affected communications
on the control networks of at least five
other utilities by propagating so quickly
that control system traffic was blocked.
SCADA Incidents
• Incident: CSX train signaling system
– In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the east coast of the U.S. The virus infected the computer system at CSX Corp.'s Jacksonville, Florida headquarters, shutting down signaling, dispatching, and other systems.
SCADA Threat Simulation Report
[slide shows the report; no text transcribed]
It's a Digital Lifestyle!
[figure: Social Networks]
Cyber security – Why be concerned?
• Mobile devices – lost and stolen notebooks, PDAs, storage devices (e.g. USB devices)
• VoIP – eavesdropping on communications, backdoor into our network
• Spam/Phishing – never-ending emails!
• Wireless networks – unauthenticated devices, spoofed APs, MITM attacks, theft of credentials
• USB devices – proxy for data theft and propagation of malware
Example of Trojan
• Poison Ivy
– 'Remote Administration' software (Trojan?)
– Free for download
• Capabilities
– Bypass of anti-virus & firewall
– Monitoring of user's screen
– Key logging
– File transfer
– Killing of processes
– Cleaning of traces
Demo …
Mpack – New
Generation of Malware
• Malware kit produced by
Russians, DTC (Dream Coders’
Team), and sold as commercial
software
– First released in December 2006,
currently version 0.94
– Approximately US$500-1000
– Technical support & regular
updates of exploit codes.
– Customised exploits, e.g. evade
AV software (US$50-150)
• Built-in intelligence
– Selective attacks, based on the targeted country's domain
– Highly efficient: no brute force, exploits chosen by browser type
– Systematic: keeps track of its victims (e.g. compromised websites)
Layered Attack (Demo)
[diagram: Victim and MPack server, with the six steps below numbered on the arrows]
1. The victim visits a YouTube video recommended by an unknown person.
2. He finds the video interesting and clicks one of the links to a blog site that has more to say about the video.
3. The blog turns out to have been injected with an iframe that points to an MPack server.
4. Without his knowledge, the iframe requests a page from the MPack server.
5. A downloader file is pushed to the victim's web browser.
6. The downloader then fetches a malicious payload from the MPack server.
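Step 3 is the part a site owner can check for. The following is an example added to this transcript, not code from the slides or from MPack: it parses a page's HTML and reports iframes that are both hidden (display:none, visibility:hidden, or a 0/1-pixel box) and point to a host other than the page's own, which is the shape of the injected redirector. The sample page, the hostnames in it and the function names are constructed for illustration.

```python
# Example added for this transcript (not from the slides): scan a page's HTML for
# hidden iframes whose src points off-site, the injection pattern step 3 describes.
# The sample page and the hostnames in it are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension_px(attrs, name):
    """Pixel size from the width/height attribute or inline style, else None."""
    raw = attrs.get(name, "").strip().lower().rstrip("px")
    if raw.isdigit():
        return int(raw)
    style = attrs.get("style", "").replace(" ", "").lower()
    m = re.search(rf"(?:^|;){name}:(\d+)px", style)
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """Hidden = display:none / visibility:hidden, or a 0- or 1-pixel box."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return any(
        size is not None and size <= 1
        for size in (_dimension_px(attrs, "width"), _dimension_px(attrs, "height"))
    )


def find_suspicious_iframes(html, page_host):
    """Return the src of every iframe that is both hidden and off-site.
    Same-site hidden frames (relative src) are deliberately not reported."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or page_host).lower()
        if host != page_host.lower() and is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed sample: a legitimate video embed, an injected 1x1 hidden frame
# pointing off-site, and a hidden but same-site frame that should not be flagged.
SAMPLE_PAGE = """<html><body>
<h1>Video blog</h1>
<p>More about the clip.</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://exploit-host.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/comments" style="width:0px;height:0px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE, "videoblog.example"):
        print("suspicious hidden off-site iframe:", src)
```

Run it against a saved copy of the page, passing the site's own hostname; anything it reports deserves a look at the server for how the markup got there. The check is deliberately narrow (hidden plus off-site) so that ordinary embeds such as the video player are not flagged.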
Attacks on Legitimate Websites
MITM Attack
• New phishing attacks using the "Man in the Middle (MITM)" technique
– WSNPOEM is a new-generation worm
– Successful attacks against banks such as ABN Amro
– All these banks used two-factor authentication with hardware tokens
[diagram. Original flow: Victim <-> Bank Server. Redirected network traffic: Victim <-> Attacker <-> Bank Server]
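The point of the diagram is that a hardware token does not help when the attacker sits on the path: the victim reads a one-time code off the token and types it into the attacker's page, and the attacker forwards it to the real bank with a transaction of his own choosing. The simulation below is an example added to this transcript, not code from the slides or from any bank. It implements an RFC 4226 HOTP token, shows the relay succeeding against it, and then shows the same relay failing when the code is bound to the payee and amount the user typed (transaction signing). The secret (the RFC 4226 test-vector key), the counter, the payees and amounts, and the function names are all constructed for illustration.

```python
# Example added for this transcript (not from the slides or any bank): why a
# relayed one-time password survives a man-in-the-middle proxy, and why a code
# bound to the transaction details does not. Secret, counter, payees and
# amounts are constructed for illustration.
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit value taken at a MAC-chosen offset."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the token output depends only on the shared secret and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount: int,
                     digits: int = 6) -> str:
    """Transaction-signing variant: payee and amount enter the MAC, so the
    token signs what the user actually typed ('what you see is what you sign')."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def bank_verify_otp(secret, counter, payee, amount, code):
    """Plain OTP check: only the code is authenticated; payee and amount come
    from the submitted form, which the attacker controls."""
    return hmac.compare_digest(hotp(secret, counter), code)


def bank_verify_signed(secret, counter, payee, amount, code):
    """Bank recomputes the code over the transaction it is about to execute."""
    return hmac.compare_digest(transaction_code(secret, counter, payee, amount), code)


def mitm_relay(secret, counter, scheme):
    """Simulate the WSNPOEM-style proxy: the victim fills in a transfer to
    Alice for 100 on the attacker's page and copies the code from the hardware
    token; the attacker forwards that code with a different payee and amount to
    the real bank. Returns whether the bank accepts the forged transaction."""
    intended_payee, intended_amount = "Alice", 100
    forged_payee, forged_amount = "Mule", 5000
    if scheme == "otp":
        code = hotp(secret, counter)  # token output carries no transaction context
        return bank_verify_otp(secret, counter, forged_payee, forged_amount, code)
    code = transaction_code(secret, counter, intended_payee, intended_amount)
    return bank_verify_signed(secret, counter, forged_payee, forged_amount, code)


SECRET = b"12345678901234567890"  # RFC 4226 test-vector key, used here as the token seed

if __name__ == "__main__":
    print("OTP relayed through MITM accepted:", mitm_relay(SECRET, 7, "otp"))
    print("Signed code relayed through MITM accepted:", mitm_relay(SECRET, 7, "signed"))
```

A time-based code (TOTP) fares no better than HOTP here, since the proxy forwards it within its validity window; what defeats the relay is that the signed code cannot be reused for a transaction the user did not see. In practice the token must display the payee and amount it is signing, otherwise the attacker's page can simply ask the user to enter the forged details.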
Implications
• Can terrorist groups make use of malware to their
advantage?
– Gather funds
– Build up botnets (cyber-army?) for DDoS against critical
networks
– Hack into critical systems
• SCADA
• Financial systems
• Etc
– Many other unthinkable possibilities
• Underground economy making it easy to acquire
capabilities
– Hackers for hire
– Malware toolkits for sale
Singapore Experience
• IT Security Masterplan
– Formulated to combat cyber-threats
• Hacking,
• Virus attacks,
• Cyber-terrorism
– Some Key Initiatives
• National Cyberthreat Monitoring Centre (NCMC)
• National Authentication Framework (NAF)
• National Infocomm Security Awareness Programme
• Critical Infocomm Infrastructure Surety Assessment (CII-SA)
• Business Continuity Readiness Assessment Framework
• http://www.ida.gov.sg/Programmes/infrastructure.aspx
Innovative Problem Solving
• Economics of Security
• Post Regulatory State
• Personal Security System and
Responsive Regulation
• Training and Security Awareness
Economics of Security
• People have realized that security failure is caused
at least as often by bad incentives as by bad
design. Systems are particularly prone to failure
when the person guarding them is not the person
who suffers when they fail.
• Is this like the Global Warming problem?
http://www.cl.cam.ac.uk/~twm29/science-econ.pdf
• Government cannot micromanage the information
security business, most of which is in any case
outside the UK. What it can do, and should do, is to
ensure that people and companies have the
necessary incentives to take responsibility for the
consequences of their actions, online as well as
offline. Ross Anderson, Cambridge, 23 2006
Lose-lose
• As the network is interdependent, a
successful attack on one system is then
likely to succeed on other systems as well
since they typically share the same
vulnerabilities via a common platform. This
means that one organization’s security is
negatively affected by the poor security
behaviour of another member of the network.
• Companies could never achieve 100%
security on their own because their risks are
often created by the behaviors of others who
also lack the incentive to heighten security.
Theoretically, it follows that an organization’s
“perverse incentives” not to invest drive
others to underinvest as well.
Perverse Incentives
• An incentive that has an unintended and undesirable effect.
E.g.
– In Hanoi, under French colonial rule, a program paying
people a bounty for each rat pelt handed in was intended to
exterminate rats. Instead it led to the farming of rats.
– Internet airline tickets sale via credit card promotes air travel,
but allows a Sep 11 attack to be executed quasi-free.
• Users are encouraged to use long passwords that are difficult
for an attacker to guess. However, such strong passwords are
hard to remember, leading users to write them down rather
than memorizing them.
• Digital Rights Management schemes are often used to
discourage illegal piracy by preventing copying of content,
which also has the effect of reducing its utility to paying
customers who want to play their purchased material on
multiple machines, or make backups. Since pirated content usually does not contain DRM, users who do not want DRM restrictions on their content will pirate it instead.
Post Regulatory State
• Law’s capacity is limited. Control based on
law is marginal. State law is only effective if
linked to other processes.
• People do what they do, not because of the
law but because of : education, training, habit
and incentive etc. Regulations can’t work if
against economic benefits.
• Form: variety in norms, control mechanisms,
controller, controllees.
Colin Scott, Regulation in the Age of Governance: The Rise of the Post-Regulatory State, June 2003, http://www.anu.edu.au/NEC/NEC%20EVENTS/Events%202003/scott1.pdf
Personal Security System
• Digital Online Registration and Identification
System (DORIS)
– Our first vision of a Personal Security
Device in hardware.
– The core of DORIS is a smart chip that
supports tri-interface, meaning contact,
contactless and USB.
– Multi form factor: plastic cards, watches, key fobs, flash drives, SIM overlay and other handheld devices such as mobile phones.
– Provides
• Authentication
• Digital Signature
• Stores personal records (eg. Medical)
• etc
Personal Security System
• Dynamic Isolation of Virtualised
Applications (DIVA)
– The enhanced vision of a Personal
Security System that can support
soft or hard tokens like DORIS
– Trusted applications auto run from
any storage media under a ‘sandbox’
environment
– No requirements for administrator
privileges
– Compatible with any flash storage
Responsive Regulation
• The Personal Security strategy is a clever way of
exercising Responsive Regulation by bringing in
a new key actor, namely the citizen user.
• When the citizen becomes a principal part of the
regulatory community, it creates
– the opportunity of contractual agreements with
negotiated but enforceable conditions, and
– his need for diverse public services like e-government would create the possibility of a hierarchy of sanctions, matched to the degree of infringement, which could be cost-effectively monitored using electronic means based on government standard protocols.
Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate, Oxford University Press.
Training & Security Awareness
• Training
– Annual Governmentware Seminar
• Into its 16th year
• Brings together professionals from
government, academia and
industry
• Raises awareness of latest security
threats
– CXO Training
• Instil within senior management the
need for security
• First-hand experience of cyberthreats
Conclusion
• Issues of Cyber-terrorism are related to:
– Infocomm convergence, hence dependency increases
– Transnational cybercrime, new forms e.g. cyber attacks
leading to cyber-extortion, cyber espionage which could
be the prelude to discovering infrastructure weaknesses
and social engineering, credit card attacks which could
lead to a massive financial system assault, money
laundering via electronic payments etc.
• Signals a need for greater cooperation and knowledge
sharing between countries
• A good way to network would be Governmentware 2008
– Theme: Positive Security: Empowering Business Models
for the Future
– Venue: Singapore
– See you there!