CSIRS Transport Security, September 2011, v3.6

Posted on 25-Jun-2015

Cyber Security in Real-Time Systems

Transport Security Event, Olympia: “Advanced Persistent and Insider Threats”

David Spinks – Chairman CSIRS

September 2011

CSIRS

Introduction

LinkedIn CSIRS: http://www.linkedin.com/groupRegistration?gid=3623430

Why me?

1970/75 – World's First Large Scale Automation

1990 - 2000

Railtrack Safety Critical Software

Sizewell B Software Emergency Shut Down code validation

UK Government assessment of Embedded Software Aviation

Current Business Environments & Drivers

Smart Grid

Cost Reduction by Private Utilities

Emerging / Changing Threat Profile

Integration Real Time <> Commercial IT

Real Time (SCADA) based on Windows

Use of wireless to effect remote management

Real Time designed by “engineers”

Threats: Current Trends

Stuxnet Changed Everything

Expertise

Gather Intelligence

Social Engineering

Focused

The first advanced persistent threat (APT)

Why is APT different?

Multiple entry points across supplier chain

Focus on social engineering and use of insiders.

Gathering of intelligence across a range of suppliers.

Attack has a complex event sequence across multiple technologies.

Malware is sophisticated and likely developed and proved on test beds.

Do not place designs of Nuclear Plant in the public domain!

http://www.prleap.com/pr/167858/

eXtremeDB Embedded In-Memory Database Adds Safety and Efficiency In Nuclear Waste Processing Control System

So have there been any other APTs since Stuxnet?

Many successful security attacks have been designated as APT by the company that has been breached.

Closest to this model is the RSA breach: entry via EMC, staff being exposed to phishing attacks, lack of RSA CSO ......

Farthest away is repeated breaches suffered by Sony ....

Many organisations have a history of under investment in Information Security ....

Insider Threats

What is an insider threat?

A breach or part of an attack executed from within the existing trust domain(s) by an individual who has some kind of existing authentication.

The breach event may be deliberate or accidental. The individual may be a current or past employee, contractor, customer, partner or supplier.

The individual will have a “motive” which may or may not be logical.

Many insider threats will be trivial actions that form an intelligence gathering exercise

Why is an insider threat so dangerous?

Immediate compromise of traditional security perimeter!

Traditional baseline security measures are ineffective

Traditional concepts of “trust” are invalid - many frauds and thefts are executed with the assistance of employees and executives! No-one is immune to potential compromise.

Pilot studies using DLP software and tools show a staggeringly high number of deliberate security breaches executed by a high % of all staff. Ignorance of policy ... finding ways around the rules. Stupidity!

Possible defence and detection

Security training and awareness

Communication and Implementation of penalties.

Concept of “you will be caught” and an example will be made.

Security culture

Evaluation of suppliers and partners (supply chain!)

Use of DLP and Log Analysis

Good HR policies and procedures, monitoring behaviours

What actions do we need to consider?

Understanding

Design Solution

Implement

Manage & Improve

Possible Cyber Security Solution

Implementation of baseline security

Implementation of APT detection and response

ISO 27001 CobiT 4.1/5.0

Implementation of baseline security examples

Robust Identity Management solutions (RBAC)

Basic log collection, analysis and reporting

Intrusion detection and prevention

Penetration testing of external facing firewalls

Security training and awareness (defending social engineering and phishing)

Encryption of critical and sensitive data

Mandatory, no exceptions, executive led; on its own will not detect or mitigate APT.

Advanced security measures:

PKI/Digital signatures and key management

Data loss prevention, proactive and reactive.

Integrated approach to log analysis (applications and IdM) with real-time alerts to SOC

Applications and web hosting code analysis

Governance, Risk and Compliance in real-time

Security incident and near miss reporting.

Mandatory, no exceptions, executive led.

Conclusions:
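The “Use of DLP and Log Analysis” defence and the “integrated approach to log analysis (applications and IdM)” measure above are the same idea: join the identity feed to the application feed and alert the SOC when a leaver's or de-privileged account is still active, or when a large volume of data moves. The following is an added example, not code from the deck or from CSIRS; the log formats, field names, user names, thresholds and all sample lines are constructed for illustration.

```python
# Added example (not from the deck): correlate IdM lifecycle events with
# application logs and raise SOC alerts. Log formats, field names, users
# and sample lines are all constructed for illustration.
from datetime import datetime, timedelta

# Constructed IdM feed: leavers and privilege removals.
IDM_LOG = """\
2011-09-05T09:00:00 idm event=ACCOUNT_DISABLED user=jsmith reason=leaver
2011-09-06T14:30:00 idm event=ROLE_REMOVED user=ahall role=scada_operator
"""
# Constructed application log: who did what, and how much data moved.
APP_LOG = """\
2011-09-05T09:12:41 app user=jsmith action=login src=10.0.3.7
2011-09-05T09:13:05 app user=jsmith action=export records=5400 object=plant_drawings
2011-09-06T15:02:10 app user=ahall action=login src=10.0.3.9
2011-09-06T08:00:00 app user=bwong action=export records=12 object=shift_report
"""
EXPORT_THRESHOLD = 1000        # DLP-style volume trigger, records per export
POST_REMOVAL_WINDOW = timedelta(hours=1)

def parse(text):
    """Turn 'timestamp source key=value ...' lines into (datetime, dict)."""
    events = []
    for line in text.splitlines():
        ts, _src, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((datetime.fromisoformat(ts), fields))
    return sorted(events, key=lambda e: e[0])

def correlate(idm_text, app_text):
    """Alert on: activity by a disabled account, activity shortly after a
    role removal (access that should already be gone), and bulk exports."""
    disabled, removed, alerts = {}, {}, []
    for ts, f in parse(idm_text):
        if f["event"] == "ACCOUNT_DISABLED":
            disabled[f["user"]] = ts
        elif f["event"] == "ROLE_REMOVED":
            removed[f["user"]] = ts
    for ts, f in parse(app_text):
        u = f["user"]
        if u in disabled and ts >= disabled[u]:
            alerts.append(("DISABLED_ACCOUNT_ACTIVE", u, ts))
        if u in removed and timedelta(0) <= ts - removed[u] <= POST_REMOVAL_WINDOW:
            alerts.append(("ACTIVITY_AFTER_ROLE_REMOVAL", u, ts))
        if f.get("action") == "export" and int(f.get("records", 0)) >= EXPORT_THRESHOLD:
            alerts.append(("BULK_EXPORT", u, ts))
    return alerts
```

On the constructed data this yields four alerts: two for the disabled leaver account still logging in and exporting, one bulk-export alert for the same export, and one for the de-privileged operator logging in 32 minutes after the role removal; the small routine export by the third user stays silent.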

APTs are very difficult to detect and, once detected, to defend against

Expenditure on security processes and tools needs to be increased

Security should be implemented top down with executive sponsorship.

All employees are part of the defence; silver bullets will not work.
Thank you

Q&A

david.spinks@hp.com

dspinks41@gmail.com