CYBER SECURITY:
BUILDING DEFENSE, STAYING AHEAD
WHITE PAPER
Page i © 2014 LATA GIST & LATA LATA GIST Cyber Security White Paper
TABLE OF CONTENTS
PREFACE ........................................................ ii
INTRODUCTION ................................................... 1
KEY CHALLENGES ................................................. 1
TYPES OF CYBER THREATS ......................................... 2
CYBER SECURITY EVOLVING THREATS ................................ 4
CRITICAL PRIORITIES FOR CYBERSPACE SECURITY .................... 6
MANAGING CYBER RISK ............................................ 6
CYBER SECURITY FRAMEWORK ....................................... 8
LATA GIST CYBER SECURITY DELIVERY FRAMEWORK .................... 9
CONCLUSION ..................................................... 11
REFERENCES ..................................................... 11
PREFACE
Protecting Critical Infrastructure from cyber attacks has emerged as one of the most significant challenges of the 21st century. Cyber crime and cyber terrorism are unseen vulnerabilities that affect nearly all of us in a myriad of ways—from personal information protection to national security concerns.
Because there are, at present, no fully established and effective solutions to the ever-increasing number and severity of cyber attacks, societies everywhere are grappling to find the most appropriate proactive remedies for mitigating, preparing for, responding to and recovering from the debilitating destruction that hackers and cyber criminals can wreak on corporations and governments.
With no assurance furthermore that such fixed cyber security solutions can be easily and quickly found, the dilemma of protecting the free flow of information worldwide is a cyber risk that the world will likely have to live with for a long time to come.
The LATA GIST Cyber Security Team is thus pleased to offer this White Paper in the hope that our collective thinking will contribute to greater awareness regarding all aspects of cyber security. Our team will continue to develop ways and means to assist our worldwide clients on cyber security. Our structured engineering approach to enhanced cyber security, combined with an up-to-date training program, shall contribute to protecting national and corporate key infrastructure.
This White Paper is the result of efforts made by LATA GIST’s Cyber Security Team and so I wish to thank the outstanding cyber security professionals who contributed their vast expertise to this report. These include the following individuals:
From Los Alamos Technical Associates: Dr. Michael Oehler, Charles Floyd, Martin Johnson, Robert Hull, Jeanne Woodfin, Ray Bloch and Tom O’Brien.
Jeff Alvich, Strategic Management Associates Managing Director, and his Cyber Security Team including: Andrea Hoy (also Vice President, ISSA International Board of Directors); Jean Pawluk, Shannon Parks, and Kemal Piskin.
Finally, we greatly appreciate the efforts of Vik Chauhan, Vice Chairman, Cyber IPT, Network Centric Operations Industry Consortium (NCOIC).
Dr. Indu Singh, Executive Director Los Alamos Technical Associates
Global Institute for Security & Training February 2014
INTRODUCTION
The internet was designed to share information, not protect it. Commerce and life are now shared on the net. As organizations exploit their digital assets, they create risks which must be managed. Initially, most organizations took a defensive posture focused solely on securing information technology and digital assets. Organizations soon learned it is not practical to protect everything, every time.
The Nation’s critical infrastructures are composed of public and private networks in sectors such as agriculture, food, water, public health, emergency services, government, defense industrial base, information and telecommunications, energy, transportation, banking and finance, chemicals, and postal and shipping. Cyberspace is their central nervous system.
Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow national critical infrastructures to work. Thus, the healthy functioning of cyberspace is essential to the nation’s economy and security.
The speed and anonymity of cyber-attacks make distinguishing among the actions of terrorists, criminals, and nation states difficult, a task which often occurs only after the fact, if at all.
We are facing the most serious economic and national security challenge of the 21st Century:
We are being exploited at unprecedented scale by a growing array of state and non-state actors
Adversaries are trying to maintain a persistent, pervasive presence across our networks
Corporations see the world differently than the state, with intellectual property across all sectors being stolen
Government networks are being targeted to steal sensitive information and gain understanding of mission critical dependencies and vulnerabilities
The Government must take action to protect the critical components upon which the economy, government, and national security are based from potential exploitation, disruption or destruction.
KEY CHALLENGES
Our economy and national security are fully dependent upon information technology and the information infrastructure. At the core of the information infrastructure upon which we depend is the Internet, a system originally designed to share unclassified research among scientists who were assumed to be uninterested in abusing the network. It is that same Internet that today connects millions of other computer networks making most of the nation’s essential services and infrastructures work. These computer networks also control physical objects such as electrical transformers, trains, pipeline pumps, chemical vats, radars, and stock markets, all of which exist beyond cyberspace.
“Cyber is the risk intelligent exploitation of digital assets for a strategic advantage in achieving mission success and business operations through security of information, vigilance to emerging threats and resilience of operations.”
Federal Cyber Council
The required technical sophistication to carry out such an attack is high—and partially explains the lack of a debilitating attack to date.
In the past, there was a single entity or one key player to be concerned about. Today’s threat may mean contending with a whole chain of actors: one hacker writes the code; another person gathers the code and sells it on a digital storefront; another person buys the code and uses it; others find vulnerabilities and keep their takeover secret until they need to use their botnets; and still others use the code to phish or pharm for identities, which they turn around and sell.
Challenges that are impacting the Cyber Security program for corporations and government institutions are:
Speed of the attacks
Sophistication of attacks
Faster detection of weakness
Distributed attacks
Paucity of Human Capital/Talent
Senior Level Support within an organization
Communications of Risk
Move from protecting the perimeter to protecting data
Cyber Security strategies and governance to address threats
Ineffective sharing of threats and mitigation information
Management oversight of 3rd Party Providers/ Supply Chain
Organizations’ understanding of risk
Preparation, Prevention, Mitigation, Response, Recovery
Training of personnel
Now more than ever, protecting technology assets and customer data from malicious damage and inappropriate use requires intelligent constraints on how employees, customers, and partners access the applications and data.
TYPES OF CYBER THREATS
We identify three broad classes of cyber-threats based on their objectives and targets:
1. CYBER-CRIME affects individuals in the form of identity theft, phishing or cyber vandalism. It usually exploits weaknesses in personal networks and affects individuals performing regular tasks while being inter-connected.
2. ESPIONAGE consists of actors ranging from individuals with monetary interests, groups with political agendas, to state sponsored groups that target intellectual property and military secrets.
3. CYBER-WARFARE attempts to impair the functioning of critical systems, including state versus state and terrorism.
CRITICAL LESSONS LEARNED: SAUDI ARAMCO CYBER ATTACK
Sophisticated and determined cyber attackers are difficult to stop. Organizations should therefore anticipate being under constant attack.
Avoidable non-compliance to current information security standards leads to security weaknesses.
Sound cybersecurity protection must use up-to-date asset defense (protecting people, information, and technology assets), and include training, comprehensive detection, and response/recovery tactics.
Alert security staff are able to rapidly detect attacks in progress, then fend off or mitigate those attacks – minimizing damage.
Practice security response and use hands-on drills to prove how strategic communication and decisions will be done.
Execute daily backups of all critical systems.
A combination of cyber-warfare along with a physical (kinetic) terror attack can amplify the effect of terrorism (e.g., disabling a 911 emergency system before a public bomb attack). Due to their wide use for global commerce and daily communication, the computer and information networks of any organization are under attack from various potential actors, as shown in Figure 1 below, ranging from poorly trained or careless employees to nation states.
Figure 1: Attack Vectors From Various Actors
The diverse nature of attackers makes it very difficult to implement a single technology solution that would then drive a direct cyber security regulation or analytical risk-based insurance market.
CRITICAL LESSONS LEARNED: TARGET RETAIL STORES CYBER ATTACK
Corporate “hard” on the outside, “soft” on the inside system defenses must be supplemented by additional security or else hackers can enter core systems and steal large amounts of data.
Security staff must be well-trained and experienced in detecting, responding to and mitigating cyber attacks. Failure to do so can lead to maximum losses. Target unfortunately was unaware of their breach until notified by the US Secret Service – maximizing losses incurred.
Adherence to current IT security standards is critical. The Payment Card Industry Security Standards Council, NIST, ISO, ISACA, and other groups recommend stringent approaches to cyber protection and security.
Retailers should not collect and retain unnecessary amounts of data about consumers and purchases. Unused data should always be safely disposed of.
Customer data needs to be encrypted from retail points of sale through credit card processors to the banks and back again, as well as within databases.
CYBER SECURITY EVOLVING THREATS
MOBILE DEVICES (NEW PLATFORM)
With the rapid increase in the use of mobile devices and the improved functionality of smartphones and tablets, the use of these new platforms to execute malware will grow as well. Executable applications on mobile devices that are infected with malware could use the phone as a surveillance tool to gather more information. Governments and businesses are allowing bring your own device (BYOD) into the workplace. Mobile devices are a direct link to personal and company information.
THE CLOUD
Cloud networks allow users to access data from almost anywhere. Attackers may exploit this to steal data, hijack connections, cause Denial of Service (DoS) attacks that prevent use, or redirect connections to a malicious site.
SOCIAL MEDIA
Social media sites allow complete strangers to gain access to information about others, which makes fraud more credible. With the speed of information and access to an individual’s entire social network, fraudsters can gain valuable information about the individual. A common way a fraudster may mislead a user on Facebook is by posting a message saying “did you see this photo”, with a link that the user clicks and that leads to malicious content. Many of us use LinkedIn, which contains our work history, the schools we attended and our professional organizations, making conversations credible when fraudsters claim they are from our alumni association or professional organizations in order to gather further information.
EXPLOIT KITS
Exploit kits are readily available, often found in underground or black-market channels. These kits can be purchased by anyone and require no knowledge of how an exploit works; they are the equivalent of the “For Dummies” book series for the cyber assault world. The kits are pre-written code that targets applications with a history of known security exploits or software that is not up to date, and they are used by less technically sophisticated hackers. Nearly 70% of exploit kits originate from Russia.
TARGETED ATTACKS
Targeted and sophisticated attacks are capturing headlines and gaining popularity, since there is a higher payoff for cyber attacks at the enterprise level. Groups of cyber criminals and/or protestors target government and business websites to bring awareness to their cause; these hacktivists are likely here to stay. Nation-state sponsored cyber attacks, called “cyber warfare” or Advanced Persistent Threat (APT) attacks, are difficult to defend against.
Governments and businesses need to protect their networks by staying current on the latest exploits and trends on cyber security to defend against these attacks.
TOP COMPUTER HACKERS
1. Amorphous Group: Eastern European group that used malware to snatch 40M Target point-of-sale customers’ credit and debit card data directly off the cards’ magnetic stripe, along with encrypted PIN numbers, and 70M records containing customers’ information. The US Secret Service alerted Target officials in mid-December 2013. Estimated total damage to banks and retailers could exceed $18B. The malware, known as a memory scraper, has been coined “Kaptoxa” after a word in its code – Kaptoxa is Russian slang for “potato” and is often used by underground criminals to refer to credit cards.
2. Albert “segvec” Gonzalez: Part of the TJX & Marshalls identity theft ring that stole 36M credit card numbers. The cost of the hack is thought to exceed $400M USD.
3. ASTRA (Real Identity Classified): Greek mathematician who stole and sold weapons technology data. Jailed for causing damages of over $360M.
4. Anonymous: Hacktivist group that campaigns for internet freedom. The Chinese government, the Vatican, the FBI and the CIA are just some of its many targets.
5. Kevin Mitnick: Hacked the Pentagon, Nokia and Motorola. Hunted by the FBI and served five (5) years in jail. Once banned from using the internet and touching a keyboard for three (3) years.
6. Kevin Poulsen: Rigged a radio station call-in contest to win a Porsche. Jailed after breaking into federal databases and obtaining classified US Air Force information.
7. Jonathan James: Forced NASA to shut down its network after stealing software that controlled the living environment on the International Space Station.
8. Mathew Bevan and Richard Pryce: Hacked US military computers and used them to infiltrate foreign systems. Nearly sparked an international incident between the USA and North Korea.
9. Adrian Lamo: Hacked Yahoo, Microsoft, Google and the New York Times. He went into hiding after turning WikiLeaks suspect Bradley Manning over to the FBI.
10. LulzSec: Group that has attacked Sony, News International, the CIA, the FBI and Scotland Yard. Several high-profile members have been arrested.
11. Gary McKinnon: Infiltrated 97 US military and NASA computers, installed hacking software and deleted files. McKinnon was looking for evidence of UFOs.
QUANTIFIED BUSINESS IMPACT ANALYSES
Identifying impacts and results of all potential threats. Depicts time-critical functions, recovery priorities, and inter-dependencies to aid decision makers in:
setting the most effective time objectives for restoration
assigning priorities for resource allocation.
CRITICAL PRIORITIES FOR CYBERSPACE SECURITY
We recommend the following priorities in devising the National Cyber Defense:
1. A National Cyberspace Security Response System
2. A National Cyberspace Security Threat and Vulnerability Reduction Program
3. A National Cyberspace Security Awareness and Training Program
4. Securing Governments’ Cyberspace
5. National Security and International Cyberspace
6. Cyber Security Global Cooperation Framework
The first priority focuses on improving our response to cyber incidents and reducing the potential damage from such events. The second, third, and fourth priorities aim to reduce threats from, and our vulnerabilities to, cyber attacks. The fifth priority is to prevent cyber attacks that could impact national security assets and to improve the international management of and response to such attacks. Finally, the sixth priority will be essential since Cyber Security is a global challenge, not just a national issue.
MANAGING CYBER RISK
With the increasing cost and volume of data breaches, cyber security is quickly moving from being considered by business leaders as a purely technical issue to a larger business risk.
A comprehensive cyber security risk management program should engage the organization at all levels. The board of directors governs cyber security risks and threats by working with executive management to establish Key Performance Indicators (KPIs), which should be used to evaluate and monitor cyber security risk and threats. Senior leadership should assume responsibility for implementing and maintaining the risk infrastructure (people, process, and technology) needed to manage and monitor cyber threats effectively. Business units and function owners should conduct risk management and monitoring activities.
The key methods for managing cyber security risks include:
1. Effective use of resources
2. Internal controls
3. Information sharing
4. Technical improvements
5. Aligning risks in classifications
6. Behavioral/organizational improvements
7. Continuous monitoring and mitigation
8. Due diligence and risk management
9. Testing and vulnerability assessments
10. Refreshing cyber security strategies to address business needs and threats
11. Cyber security insurance
Cyber security is a concern for governance and part of an adequate risk management program. Whether an organization has a Risk Committee or relies on an Audit Committee or other committees, there are two questions to ask to assess cyber security preparations: are the mitigation measures in place, and does the organization continuously monitor their performance? The goal is to combine constant automated diagnostic network monitoring with straightforward mitigation strategies that address the most frequently exploited vulnerabilities.
Below is a sample scale with estimates of probabilities for the threats considered in a Cyber Security Risk Assessment.
ESTIMATE OF PROBABILITIES
LEVEL            PROBABILITY                                         RISK DESCRIPTION
Rare             Less than once every 2 years                        Low likelihood of significant negative impact
Possible         Less than once a year                               Moderate likelihood of significant negative impact
Unlikely         Once or twice a year                                Limited likelihood of significant negative impact
Likely           More than twice but less than ten times per year    Considerable likelihood of significant negative impact
Almost Certain   Ten times a year or greater                         High likelihood of significant negative impact
Figure 2: Cyber Security Risk Assessment Estimate of Probabilities
CYBER SECURITY FRAMEWORK
NIST CYBER SECURITY FRAMEWORK
U.S. President Obama issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” on February 12, 2013, which established that, “it is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In enacting this policy, the Executive Order calls for the development of a voluntary, risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cyber security risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cyber security risk in a cost-effective way based on business needs, without placing additional regulatory requirements on businesses.
The Framework focuses on using business drivers to guide cyber security activities and on considering cyber security risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cyber security activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework helps the organization align its cyber security activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cyber security risk.
The Framework Core provides a set of activities to achieve specific cyber security outcomes, and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cyber security outcomes identified by industry as helpful in managing cyber security risk. The Core comprises four elements: Functions, Categories, Subcategories, and Informative References, depicted below.
Figure 3: The NIST Cyber Security Framework Core elements
The Framework is designed to complement existing business and cyber security operations. It can serve as the foundation for a new cyber security program or a mechanism for improving an existing program. The following sections present different ways in which organizations can use the Framework.
LATA GIST CYBER SECURITY DELIVERY FRAMEWORK
There are three critical concerns common to all levels of cyber attacks. First, networking creates vulnerability: everyone from individuals to corporations to nations must be ever-vigilant to protect networked information that could be used against them. Second, protection keeps getting harder because there are more hackers, more sophisticated hackers, and more seamlessly interconnected networks to defend. Finally, hackers only have to find the weakest link in the network, and they are often aided by artificially intelligent tools that can identify and break that link. For example, a growing number of so-called black hat providers offer hacker tools cheaply on the Internet.
We can draw three key lessons from recent cyber security incidents:
1. There is an urgent need to establish a clear set of cyber security guidelines and specific goals and objectives for corporations and governments with critical infrastructure.
2. Governments must be alert to protect their national networks through a variety of methods that include security codes, surveillance systems and eventually the employment of artificially intelligent “smart ware” to track down cyber terrorists and cyber criminals. These initiatives by governments must also address corporate data protection as well.
3. While promoting free global trade in information services and ease of access to key networks by private, corporate and governmental users, nations must strike a proper balance between national security and individual liberties.
LATA GIST uses an established Cyber Security Delivery Framework to assist its global clients in securing cyber space as shown below:
Figure 4: LATA GIST Cyber Security Delivery Framework
Cyber Security Assessment: by quantifying enterprise-wide risk through LATA’s design-based threat methodology, we are able to map specific component vulnerabilities categorically to specified threats. This affords the most comprehensive mitigation strategy development and cost estimating, culminating in a detailed cost-benefit analysis summary.
Cyber Security Strategy and Policy: it is vital to counter and mitigate the determined risks (environment) that have the most adverse effect on your business, resources and reputation through potential interruption. Our team helps develop cyber security governance, including new strategy and policy to prevent, protect and mitigate.
Cyber Security Roadmap: GIST conducts full-spectrum business continuity planning, beginning with program initiation and management that includes resilience strategy, recovery objectives, production and operation continuity, operational risk management and crisis management plans. Also included in the Roadmap are the cyber architecture and technical plan.
Cyber Security Pilot and Implementation: delivery through an expert, vendor-agnostic third party maximizes return on investment. Quality control and cost benefit are measured in terms of tangible risk reduction for each mitigation strategy. Transparent and smooth integration of all component and ancillary systems combats potential loss of production and operating efficiency. A cyber security pilot program is a way to ensure that new strategy and plans are validated to meet organizational needs.
CONCLUSION
We are rushing toward tomorrow at incredible speed. The advent of the Internet, social media and new electronic technologies promises change at an incredible pace. These technologies and the ways we use them can offer promise or peril, sometimes both at the same time. Cyberspace has offered mankind direct pathways to rapidly building a knowledge-based society, and cyber criminals and cyber terrorists are bent on hijacking such enormous benefits to our societies. Creating cyber defenses and staying ahead of these criminal minds seems to be the only option left for us to control and secure the information highway.
REFERENCES
1. The Safe City: Living Free in a Dangerous World. Dr. Joseph N. Pelton and Dr. Indu B. Singh, 2013.
2. Joint Security Awareness Report (JSAR-12-241-01B) Shamoon/DistTrack Malware (Update B). ICS-CERT, Industrial Controls Computer Emergency Response Team, October 16, 2012; last revised January 03, 2014.
3. ITP “Hack or Attack? Shamoon and the Evolution of Cyber Conflict” working paper. Christopher Bronk and Eneken Tikk-Ringas, February 1, 2013.
4. In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back. New York Times, October 23, 2012.
5. Targeted Attacks Against the Energy Sector. Symantec, January 2014.
6. Fact Sheet: Quick Facts About Target | Target Corporate. Target press release, December 19, 2013.
7. Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores. Target press release, December 19, 2013.
8. Target Provides Update on Data Breach and Financial Performance. Target press release, January 10, 2014.
9. Payment Card Issue: Response & Resources Related to Target’s Data Breach. Target customer response, December 2013 – present.
10. Target Struck in the Cat-and-Mouse Game of Credit Theft. The New York Times, December 20, 2013.
11. A Sneaky Path into Target Customers’ Wallets. The New York Times, January 18, 2014.
12. Neiman Marcus Data Breach Worse Than First Said. The New York Times, January 23, 2014.
13. Cards Stolen in Target Breach Flood Underground Markets. Krebs on Security, January 27, 2014.
14. Teenager Is Author of Blackbox/Kaptoxa Malware. IntelCrawler, January 17, 2014.
15. Data Breaches: What the Underground World of Carding Reveals. Kimberly Perritti.
Cybersecurity standards enable organizations to use security techniques to minimize the number of successful cybersecurity attacks. These guides provide general outlines as well as specific techniques for implementing cybersecurity in both general enterprise and in the energy sector.
1. API Standard 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries. American Petroleum Institute, May 2013.
2. COBIT 5, Business Framework for the Governance and Management of Enterprise IT. ISACA, November 2013.
3. ISO/IEC 27000 series collection: Information Security Management Systems. International Organization for Standardization.
4. ICS-CERT, Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT, October 2009.
5. NIST Guide to Industrial Control Systems (ICS) Security. NIST, April 2013.
6. NIST Information Security Handbook: A Guide for Managers. NIST, March 2007.
7. NIST Security and Privacy Controls for Federal Information Systems and Organizations. NIST, April 2013.
Global Institute for Security & Training (GIST) 45240 Business Court Sterling, VA 20166-6703 USA
Phone: 1 (703) 709-9430 Fax: 1 (703) 709-9450 www.latagist.com