CSIRS Transport Security September 2011 v3.6
Cyber Security in Real-Time Systems
Transport Security Event – Olympia: “Advanced Persistent and Insider Threats”
David Spinks – Chairman CSIRS
September 2011
CSIRS – Cyber Security in Real-Time Systems
Introduction
LinkedIn CSIRS: http://www.linkedin.com/groupRegistration?gid=3623430
Why me?
1970/75 – World's First Large Scale Automation
1990 - 2000
Railtrack Safety Critical Software
Sizewell B Software Emergency Shut Down code validation
UK Government assessment of Embedded Software Aviation
Current Business Environments & Drivers
Smart Grid
Cost Reduction by Private Utilities
Emerging / Changing Threat Profile
Integration Real Time <> Commercial IT
Real Time (SCADA) based on Windows
Use of wireless to effect remote management
Real Time designed by “engineers”
Threats – Current Trends
Stuxnet Changed Everything
Expertise
Gather Intelligence
Social Engineering
Focused
The first advanced persistent threat (APT)
Why is APT different?
Multiple entry points across supplier chain
Focus on social engineering and use of insiders.
Gathering of intelligence across a range of suppliers.
Attack has a complex event sequence across multiple technologies.
Malware is sophisticated and likely developed and proved on test beds.
Do not place designs of Nuclear Plant in the public domain!
http://www.prleap.com/pr/167858/
eXtremeDB Embedded In-Memory Database Adds Safety and Efficiency In Nuclear Waste Processing Control System
So have there been any other APTs since Stuxnet?
Many successful security attacks have been designated as APT by the company that has been breached.
Closest to this model is the RSA breach: entry via EMC, staff being exposed to phishing attacks, lack of an RSA CSO ......
Farthest away are the repeated breaches suffered by Sony ....
Many organisations have a history of under-investment in Information Security ....
Insider Threats
What is an insider threat?
A breach, or part of an attack, executed from within the existing trust domain(s) by an individual who has some kind of existing authentication.
The breach event may be deliberate or accidental. The individual may be a current or past employee, contractor, customer, partner or supplier.
The individual will have a “motive” which may or may not be logical.
Many insider threats will be trivial actions that form an intelligence gathering exercise.
Why is an insider threat so dangerous?
Immediate compromise of traditional security perimeter!
Traditional baseline security measures are ineffective
Traditional concepts of “trust” are invalid - many frauds and thefts are executed with the assistance of employees and executives! No-one is immune to potential compromise.
Pilot studies using DLP software and tools show a staggeringly high number of deliberate security breaches executed by a high % of all staff. Ignorance of policy ... Finding ways around the rules. Stupidity!
Possible defence and detection
Security training and awareness
Communication and Implementation of penalties.
Concept of “you will be caught” and example will be made.
Security culture
Evaluation of suppliers and partners (supply chain!)
Use of DLP and Log Analysis
Good HR policies and procedures monitoring behaviours
What actions do we need to consider?
Understanding
Design Solution
Implement
Manage & Improve
Possible Cyber Security Solution
Implementation of baseline security
Implementation of APT detection and response
ISO 27001, CobiT 4.1/5.0
Implementation of baseline security examples
Robust Identity Management solutions (RBAC)
Basic log collection, analysis and reporting
Intrusion detection and prevention
Penetration testing of external facing firewalls
Security training and awareness (defending social engineering and phishing)
Encryption of critical and sensitive data
Mandatory, no exceptions, executive led. Baseline security will not detect or mitigate APT.
Advanced security measures:
PKI/Digital signatures and key management
Data loss prevention, proactive and reactive.
Integrated approach to log analysis (applications and IdM) with real-time alerts to SOC
Applications and web hosting code analysis
Governance, Risk and Compliance in real-time
Security incident and near miss reporting.
Mandatory, no exceptions, executive led.
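As an added example (not part of the talk), a small Python check that implements the integrated IdM and application log analysis recommended above for insider detection: it correlates a constructed IdM export and RBAC policy with constructed application log lines and raises an alert whenever an account that is unknown to IdM, no longer active, or acting outside its role appears in the logs. The user names, roles, resources and the log line format are all assumptions.

```python
# Added example: correlate an IdM export with application access logs to flag
# insider-risk events (terminated accounts, unknown accounts, RBAC violations).
# Constructed IdM export with hypothetical users: role and account status.
IDM_RECORDS = {
    "jsmith": {"role": "operator", "status": "active"},
    "acontr": {"role": "contractor", "status": "terminated"},
    "mpatel": {"role": "engineer", "status": "active"},
}

# Constructed RBAC policy: application resources each role may use.
RBAC_POLICY = {
    "operator": {"hmi-view"},
    "engineer": {"hmi-view", "plc-config"},
    "contractor": {"vpn"},
}

# Constructed application log, one event per line: timestamp user resource action.
APP_LOG = """\
2011-09-05T08:01:12 jsmith hmi-view read
2011-09-05T08:03:44 acontr vpn connect
2011-09-05T08:05:09 mpatel plc-config write
2011-09-05T08:07:30 jsmith plc-config write
2011-09-05T08:09:51 svc_old hmi-view read
"""

def parse_log(text):
    """Turn whitespace-delimited log lines into event dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, resource, action = line.split()
            events.append({"ts": ts, "user": user, "resource": resource, "action": action})
    return events

def assess(events, idm, rbac):
    """Return (timestamp, user, reason) for each event the IdM view does not justify."""
    alerts = []
    for ev in events:
        rec = idm.get(ev["user"])
        if rec is None:  # account unknown to IdM: orphaned or rogue
            alerts.append((ev["ts"], ev["user"], "no IdM record for account"))
        elif rec["status"] != "active":  # past employee/contractor still authenticating
            alerts.append((ev["ts"], ev["user"], f"access by {rec['status']} account"))
        elif ev["resource"] not in rbac.get(rec["role"], set()):  # outside role
            alerts.append((ev["ts"], ev["user"], f"role {rec['role']} not permitted {ev['resource']}"))
    return alerts

def alerts_for_sample():
    return assess(parse_log(APP_LOG), IDM_RECORDS, RBAC_POLICY)
```

In a real deployment the IdM export and RBAC policy would be pulled from the identity system rather than embedded, and each alert would be forwarded to the SOC as the slide proposes.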
Conclusions:
APTs are very difficult to detect and, once detected, to defend against.
Expenditure on security processes and tools needs to be increased
Security should be implemented top down with executive sponsorship.
All employees are part of the defence; silver bullets will not work.