
Page 1: Protecting critical activities from cybercrime and cyber ... · Organized crime\ Cyber-warriors and cyber-terrorists ... Investigation and digital forensics ... GELBSTEIN infosec

Beyond hackers, viruses and worms

Protecting critical activities from cybercrime and cyber-terrorism

Page 2

Information workshop at OECD, Paris, October 2004

The infosec theatre of war

External attacks: virus, worm and trojan horse writers; script kiddies and other hackers; zombies in DDoS mode; hacktivists and spoof sites; organized crime; cyber-warriors and cyber-terrorists; and more.

Internal headaches: unaware users; malicious insiders; weak identity management; back doors; logic bombs; undocumented functions; and more.

General vulnerabilities

Attack and response dynamics

Page 3

Types of attack

Physical attacks

Syntactic attacks: make computers perform unexpected functions

Semantic attacks: corrupt data in "trusted" systems

Page 4

Protection against insider threats

Stage 1: Policies, monitoring and compliance

Stage 2: Building protection features into systems

Stage 3: Operational administration and monitoring

Stage 4: Investigations and digital forensics

Page 5

Malicious insider: the three ingredients are motivation, opportunity and knowledge.

Just one example: Queensland (AUS), Sunshine Coast, April 2001

A disgruntled employee hacked into a computerised sewage control system and released one million litres of raw sewage.

Found guilty on 46 counts of computer hacking.

Sentenced to two years in jail.

What if he, and others like him, had been suborned by terrorists or a foreign government?

Page 6

Stage 1: Policies and compliance

Appropriate use of ICT resources
Authentication and identity management
Access rights: "need to know" or unrestricted
Irresponsibility, impropriety and fraud
Computer crime and audit strategies
Monitoring
Worker* references and credentials

* employee, temporary staff, contractors, consultants, interns, visitors, maintenance personnel, cleaners, etc.

Page 7

Stage 2: Building features

System design safeguards and controls
Back doors and logic bombs
Partition of data in support of "need to know"
Authentication systems
Storage safeguards
Controls: quis custodiet ipsos custodes? (who guards the guards?)
Review and validation (no Easter eggs, no undocumented functionality, no unknown superusers, etc.)

Page 8

Stage 3: Operational matters

Identity management and MACs
Superuser rights management
Data rights (C, U, R)
Disclosures and social engineering
Monitoring tools, privacy and ethics
Controls: quis custodiet ipsos custodes? (here: who watches the sys admin?)

MAC = moves, additions and changes
CUR = create, update, read only
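Two items on these slides, "no unknown superusers" under Stage 2 and "Superuser rights management" under Stage 3, reduce to a check that can be automated and repeated. The following is an added example, not code from the slides or the OECD workshop: it audits a Unix-style passwd file for accounts holding UID 0 outside an allowlist, and for UIDs shared between accounts (a second UID-0 entry is the classic hidden superuser; shared ordinary UIDs defeat accountability). The sample passwd content is constructed, and the allowlist is an assumption to be replaced with the organisation's own.

```python
"""Audit a Unix-style passwd file for unexpected superusers.

Added example, not from the OECD slides. Assumes the classic seven-field
passwd layout (name:passwd:uid:gid:gecos:home:shell); the sample below is
constructed, and ALLOWED_SUPERUSERS is an assumption a reviewer would
replace with the organisation's own list.
"""
from typing import Dict, List, Set

# Constructed sample: root, a service account hiding behind UID 0, and two
# ordinary users that accidentally share a UID.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:x:0:0:backup service:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
"""

ALLOWED_SUPERUSERS: Set[str] = {"root"}  # assumption: only root may hold UID 0


def parse_passwd(text: str) -> List[dict]:
    """Parse passwd text into entries. Malformed lines raise rather than
    being skipped: a line that does not parse is itself an audit finding."""
    entries: List[dict] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, _home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "shell": shell, "line": lineno})
    return entries


def find_unexpected_superusers(text: str, allowed: Set[str]) -> List[str]:
    """Names of UID-0 accounts that are not on the allowlist, sorted."""
    return sorted(e["name"] for e in parse_passwd(text)
                  if e["uid"] == 0 and e["name"] not in allowed)


def find_shared_uids(text: str) -> Dict[int, List[str]]:
    """UIDs held by more than one account, in file order within each UID."""
    by_uid: Dict[int, List[str]] = {}
    for e in parse_passwd(text):
        by_uid.setdefault(e["uid"], []).append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def audit(text: str, allowed: Set[str] = ALLOWED_SUPERUSERS) -> List[str]:
    """Human-readable findings; an empty list means nothing unexpected."""
    findings = [f"unexpected superuser: {name}"
                for name in find_unexpected_superusers(text, allowed)]
    for uid, names in sorted(find_shared_uids(text).items()):
        findings.append(f"uid {uid} shared by: {', '.join(names)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD):
        print(finding)
```

Run against a real host by passing the contents of /etc/passwd to `audit`; the same check belongs in a scheduled job so that a superuser added between reviews is caught before the next audit, not at it.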

Page 9

Investigation and digital forensics

Determining point of access and containment
Setting up traps
Evidence preservation and custody chain
Evidence analysis and forensic tools
Collaboration between HR, Internal Audit and I.T.
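"Evidence preservation and custody chain" is the step on this slide that an investigator has to get right before any analysis is admissible or even trustworthy internally. The following is an added example, not code from the slides or the OECD workshop: a hash-chained custody log in which every record carries the SHA-256 of the evidence and the hash of the previous record, so that a changed evidence file, an edited record, or a re-written earlier record is detected at verification time. The evidence bytes, handlers and timestamps are constructed; the record layout is an assumption.

```python
"""Evidence preservation with a hash-chained custody log.

Added example, not from the OECD slides. Each custody record carries the
SHA-256 of the evidence and the hash of the previous record. The evidence
bytes and handlers below are constructed; timestamps are passed in
explicitly so that results are repeatable.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first record in a chain

# Constructed sample evidence (stands in for a disk image or a log export).
EVIDENCE = b"SCADA historian export 2004-10-01: pump P3 manual override x12\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _record_hash(record: Dict[str, object]) -> str:
    """Hash every field except entry_hash itself, in a canonical encoding."""
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_record(log: List[Dict[str, object]], evidence: bytes,
                  handler: str, action: str, when: str) -> List[Dict[str, object]]:
    """Return a new log with one more custody record chained to the last one."""
    record: Dict[str, object] = {
        "seq": len(log),
        "when": when,
        "handler": handler,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    record["entry_hash"] = _record_hash(record)
    return log + [record]


def verify_chain(log: List[Dict[str, object]], evidence: bytes) -> List[str]:
    """Return a list of problems; an empty list means custody is intact."""
    problems: List[str] = []
    expected_prev = GENESIS
    evidence_hash = sha256_hex(evidence)
    for i, rec in enumerate(log):
        if rec.get("seq") != i:
            problems.append(f"record {i}: sequence number mismatch (record dropped or inserted)")
        if rec.get("prev_hash") != expected_prev:
            problems.append(f"record {i}: chain broken (an earlier record was re-written or removed)")
        if _record_hash(rec) != rec.get("entry_hash"):
            problems.append(f"record {i}: record altered after it was hashed")
        if rec.get("evidence_sha256") != evidence_hash:
            problems.append(f"record {i}: evidence no longer matches the hash taken at that step")
        expected_prev = rec.get("entry_hash")
    return problems


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


if __name__ == "__main__":
    # Hand-over sequence matching the slide's HR / Internal Audit / I.T. collaboration.
    log = append_record([], EVIDENCE, "A. Analyst (I.T.)", "acquired and hashed", now_iso())
    log = append_record(log, EVIDENCE, "B. Auditor (Internal Audit)", "received for review", now_iso())
    log = append_record(log, EVIDENCE, "C. Counsel (HR)", "received for disciplinary case", now_iso())
    print(json.dumps(log, indent=2))
    print("problems:", verify_chain(log, EVIDENCE) or "none")
```

The chain detects tampering with any single record or with the evidence, but an insider who controls the whole log can rebuild it from scratch; the practical counter is to copy the latest `entry_hash` somewhere the log's custodian cannot rewrite (the paper custody form, a ticket, a timestamping service) at each hand-over.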

Page 10

Organization's metabolic rate: slow or fast?

Ability to recruit and train
Career progress criteria
Background vetting/clearances
Flexible remuneration
Fast procurement processes
Budgetary room to breathe
Culture of openness

(Chart on the slide: each item is scored NO for a slow metabolic rate and YES for a fast one.)

Assumption: many critical infrastructures are managed with a slow metabolic rate.

Page 11

From cybercrime to cyberterrorism: same skills, same tools, different intent

Achieve media coverage
Impact economic systems
Destabilise civilian life
Asymmetric warfare against law enforcement
Hurt trust in governments' ability to protect citizens
Use "successes" to gain more support for their cause

AND/OR: guns, explosives, chemical weapons, bacteriological weapons

Page 12

Planning for defensive success

Are traditional infrastructure operations, audits, etc. still good enough?

How do we learn how the bad guys think and operate?

What can we learn from the "bad guys"?

How do we incorporate this culture into our defences?

How many of us have attended DEFCON or similar?