Copyright © 2009 AWWA 2
Agenda – Day 2
Welcome Back & Review
Interfaces Between Systems & Applications
Networks & Network Components
In-house vs. Hosted Solutions
Web Site and Portal Functions and Features
Security Issues
Course Conclusion
Welcome Back
This is day 2 of the third course in a series of three that leads to a High-Tech Operator Certificate.
Today we’ll look at interfaces between systems & applications, networks & their components, in-house vs. hosted solutions, web site & portal functions & features, and security issues.
Introductions and Review
Before we begin, let’s review.
What did you learn yesterday?
Introduce yourself
Your name
Where you are from
Share one thing from yesterday that really stuck out for you
Goals
By the end of today, you will be able to:
Identify 4 common information silos
Describe functions of common network components
Identify benefits of client-server and ASP solutions
Distinguish between web sites and portals
Identify 3 of the common system security weaknesses
Why is this a problem?
Inconsistent data
No cross-functional reports
Miss the big picture
Significant time spent collecting & analyzing data from multiple systems
Dependence on system owners to produce information
Inability to make timely decisions
Example Cross-Functional Processes and Systems
Process                  Related Systems
Purchasing               CMMS, FIS
Work Orders              CMMS, FIN, HR, GIS, SCADA
Customer Service         CMMS, GIS
Customer Web Access      CIS, GIS, CMMS
Budgeting                FIS, HR, CMMS
Operations Management    CMMS, FIN, HR, GIS, SCADA, CIS
Example Cross-Functional Business Process: Purchasing
• Inventory Request
• Inventory Confirmation
• Purchase Order
• Payment
• Purchase Requisition
• Shipment Confirmation
Why Integrate?
Improved Customer Service
Improved Operational Efficiency
Cost Savings
Improved Management
Alignment with Strategic Goals
What if it works?
Better oversight
Improved analytics/decision support
Cross-application data analysis
Assess customer demand for services
Plan for resources to match demand
More accountability
React to changes efficiently/effectively
Allows for proactivity
Less Cost/More Revenue
More efficient work staff
Increased productivity
Cost/unit reductions with better accuracy for planning and analysis
Lower transactional & service cost with the Web
Potential to eliminate maintenance on redundant systems
Operational Efficiency
Eliminate dual entry/redundancy
Improved data quality
Improved analytics
Improved decision making
Improved business processes
Ability to plan to meet demands
Streamline/unify approaches
Ability to take advantage of best practices
Improved Customer Service
Customers:
Greater information availability
Better response time
Fewer, more-effective interactions
Employees:
Real-time data
Better access to information
More information to answer questions
Increased visibility of the whole business process
Alignment with Strategic Goals
Improve customer service level
More-effective policymaking
Leverage technology investment
Expand Web-based functionality
Summary
Disparate systems have negative effects on business
Integration leverages staffing and technology investments
Integration efforts must be planned
Integration can enable your workforce to make better decisions and be more efficient
What is a Network?
A group of interconnected computers
Can be defined by scale
Personal Area Network (PAN)
Local Area Network (LAN)
Campus Area Network (CAN)
Metropolitan Area Network (MAN)
Wide Area Network (WAN)
Can be defined by communication protocol
Networks
Personal Area Network
Communicates among devices close to one person, typically within 20-30 feet.
May be hardwired or wireless.
Local Area Network
Covers a small geographic area (home, office, or building).
Most likely uses Ethernet technology.
Operate at speeds up to 10 Gbit/s.
Networks (cont.)
Campus Area Network
Connects two or more LANs
Limited to a specific & contiguous area
Metropolitan Area Network
Connects two or more LANs or CANs
Does not extend beyond the boundaries of the town, city, or metropolitan area
Networks (cont.)
Wide Area Network
Covers a relatively broad geographic area (e.g., from one city to another or from one country to another)
Often uses transmission facilities provided by common carriers, such as telephone companies
Intranet
Set of interconnected networks
Uses the Internet Protocol and Web browsers
Under the control of a single administrative entity, allowing only specific users
Closed to the rest of the world
Extranet
Limited in scope to a single organization
Has limited connections outside the organization to the networks of one or more other organizations or entities
Network Hardware
All networks are made up of basic hardware building blocks to interconnect network nodes, such as Network Interface Cards (NICs), Bridges, Hubs, Switches, and Routers. In addition, some method of connecting these building blocks is required, usually in the form of galvanic cable (most commonly Category 5 cable). Less common are microwave links (as in IEEE 802.11) or optical cable ("optical fiber").
Network Card
A network card, network adapter or NIC (network interface card) allows computers to communicate over a network.
It provides physical access to a networking medium.
It connects to the network either by using cables or wirelessly.
Repeater
A repeater is an electronic device that receives a signal, removes noise, and re-transmits it at a higher level or higher power, or onto the other side of an obstruction, so that the signal can cover longer distances without degradation.
Available for all network communication media (T1, Ethernet, fiber optic, wireless, etc.)
Hubs & Switches
A hub contains multiple ports. When a packet arrives at one port, it is copied to all the ports of the hub.
Switches are like hubs, but associate addresses to ports and send traffic for a specific address only to the associated port.
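To make the hub/switch difference concrete, here is an added simulation (not part of the AWWA course material) of a hub and a learning switch: it replays a short, constructed frame sequence and reports which ports receive each frame. Device names, MAC addresses and port numbers are invented for the demo.

```python
# Added example (not from the AWWA course material): a minimal simulation of
# a hub and a learning switch, to show which ports see each frame.
# MAC addresses, port numbers and the frame sequence are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub repeats every frame to every port except the one it arrived on."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        return sorted(p for p in self.ports if p != in_port)


class Switch:
    """A learning switch records the port each source MAC was seen on and
    sends unicast traffic only to the port learned for the destination.
    Unknown destinations and broadcasts are flooded, exactly like a hub."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> port (the forwarding table)

    def forward(self, in_port, src, dst):
        self.table[src] = in_port  # learn: the sender lives behind in_port
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]  # same port: nothing to send
        return sorted(p for p in self.ports if p != in_port)  # flood


def run_trace(device, frames):
    """Replay (in_port, src, dst) frames; return one output-port list per frame."""
    return [device.forward(*frame) for frame in frames]


# Constructed sequence: A on port 1 talks to B on port 2; C sits on port 3.
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
FRAMES = [
    (1, A, B),          # A -> B: B not yet learned, so the switch floods
    (2, B, A),          # B -> A: switch already learned A on port 1
    (1, A, B),          # A -> B: switch now knows B is on port 2
    (3, C, BROADCAST),  # broadcast from C reaches everyone either way
]

if __name__ == "__main__":
    for name, dev in (("hub", Hub([1, 2, 3])), ("switch", Switch([1, 2, 3]))):
        print(name, run_trace(dev, FRAMES))
```

On the hub, port 3 receives every A-to-B frame even though none is addressed to it; on the switch only the first, flooded frame reaches port 3, which is why shared hubs expose traffic that switches keep to the intended ports.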
Routers
Routers are networking devices that forward data packets between networks using headers and forwarding tables to determine the best path to forward the packets.
Routers work at the network layer (Layer 3 of the OSI model; the Internet layer of the TCP/IP model). Routers also provide interconnectivity between like and unlike media.
A router is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP's network.
In-House or ASP?
Where do you want your software hosted?
If you run it in-house, the solution is usually referred to as a client-server system
Vendor-run applications are referred to as application service provider (ASP) solutions
Both options provide distinct advantages: consider which are more important to you
Client-Server Solutions
Most software is locally hosted - the application and data reside on your in-house server. This gives you the greatest control over every aspect of your applications.
Having this total control comes at a cost, though.
It takes considerable expertise and effort to maintain the document database and keep it secure.
It often requires significant expense for consultants and hardware.
It gives you the responsibility of making regular backups in case of a system crash.
ASP Solutions
ASP solutions are gaining popularity.
The application and data reside on the supplier's servers, and your staff gets access through a Web browser or client software.
The database is maintained by the vendor’s IT staff.
Multiple layers of firewalls and security, UPSs, fail-over and reliable backups are all part of the package.
The biggest risk of on-line solutions is that they require an active Internet connection.
Costs
With a client-server system, you pay a lump sum upfront to buy and set up the system, including software and servers.
With on-line providers, you pay a smaller setup fee and then ongoing monthly payments based on usage.
Consider In-house IT Capabilities
If you have in-house IT staff, a client-server solution may be your best option.
Smaller organizations with little to no computer expertise are probably better off choosing an on-line solution.
Consider Level of Customization
ASPs can easily make basic changes in appearance and functionality, giving you some control over the application.
If you need extensive customization and integration, client-server solutions provide more flexibility (but at a premium price).
Consider Security
If you have documents that you are legally required to protect, an in-house solution gives you direct responsibility for them.
In many cases, though, ASPs can provide better security than you could in your own data center, through more layers of security and larger IT staffs.
Consider the Potential Problems
Being unable to access your documents through an ASP while your Internet connection is down
or
Losing data and time because your in-house server crashes
Why Use the Web?
Accessible from anywhere Internet access is available
Ability to set different permission levels
Can be made secure
Web Site
A web site is a collection of Web pages, images, videos or other digital assets that is hosted on one or more Web servers, usually accessible via the Internet.
A Web page is a document, typically written in HTML, that is almost always accessible via HTTP, a protocol that transfers information from the Web server for display in a Web browser.
Web Pages
The pages of a web site are usually reached from a common root URL (a URL is one kind of URI), the homepage, and usually reside on the same physical server.
The URLs of the pages organize them into a hierarchy, although the hyperlinks between them control how the reader perceives the overall structure and how the traffic flows between the different parts of the sites.
Web Server
A web site is hosted on a computer system known as a web server (a.k.a. HTTP server).
That system runs software that retrieves and delivers the Web pages in response to requests from the web site's users.
Apache and Microsoft’s Internet Information Server (IIS) are commonly used Web server applications.
Accessing Web Pages
Web sites are written in, or dynamically converted to, HTML and are accessed using a software interface called a user agent.
Web pages can be viewed or otherwise accessed from a range of computer-based and Internet-enabled devices, including desktop computers, laptop computers, PDAs and cell phones.
<html>
<head><title>Title goes here</title></head>
<body>
<h1 align="right">Body goes here</h1>
<hr>
<h3 align="center">Headings are cool!</h3>
<p><b>I can use text links... Visit <a href="http://www.davesite.com/">Dave's Site</a>!</b>
<hr width="50">
and Image Links... <a href="http://www.davesite.com/"><img src="http://www.davesite.com/graphx/davesmll.gif"></a></p>
</body>
</html>
Accessing Web Pages (cont.)
A static web site is one that has Web pages stored on the server in the same form as the user will view them. They are edited using three broad categories of software:
Text editors such as Notepad or TextEdit, where the HTML is manipulated directly within the editor program
WYSIWYG editors such as Microsoft FrontPage and Adobe Dreamweaver, where the site is edited through a graphical interface and the underlying HTML is generated automatically by the editor software
Template-based editors, such as Rapidweaver and iWeb, which allow users to quickly create web sites by just picking a suitable template from a palette and adding pictures and text to it without ever having to see any HTML code
Why a Portal?
It provides a centralized application that serves as a gateway to the other applications within the same enterprise:
To share the information across applications.
To have a single access point to all applications over the Internet.
To personalize the applications and have the coupled applications coordinated.
To have administrative tools all in a single place to administer all the applications.
Advantages of Using Portals
Intelligent integration and access to enterprise content, applications and processes.
Improved communication and collaboration among customers, partners, and employees.
Unified, real-time access to information held in disparate systems.
Consistent headers, footers, color schemes, icons & logos, which give the user a sense of consistency, uniformity, and ease of navigation
Personalized user modification and maintenance of the web site presentation.
Portal Tools
Web portals have tools to:
Manage data
Manage applications
Manage information
Personalize views
Integrate legacy applications
Handle thousands of user requests
Corporate Portals Capabilities
Managing workflows
Increasing collaboration between work groups
Allowing content creators to self-publish their information
Allowing internal and external access to specific information using secure authentication
What’s Hot
Microsoft's SharePoint Portal Server line of products has been gaining popularity among corporations for building their portals, partly due to its tight integration with the rest of the Microsoft Office products.
Portals and databases are offered as ASP solutions.
IT Security Fundamentals
IT Security affects and is integrated into many areas:
Security Management Practices
Access Control
Security Models and Architecture
Physical Security
Telecommunications and Networking Security
Cryptography
Disaster Recovery and Business Continuity
Law, Investigation, and Ethics
Application and System Development
Operations Security
What do you want to protect?
Sensitive Data:
Employee payroll and other personal information
SCADA point lists
CCTV locations
Network diagrams
Spread-spectrum radio hopping patterns
Passwords, PIN codes
Org charts, vacation schedules
Sensitive Systems:
Finance and billing systems
Physical security system
SCADA / process control systems
Routers and network equipment
System administrator workstations, laptops
Anything else you need to run your business…
1. Inadequate security policies and procedures
Clash between operational culture & modern IT security methods.
Lack of appreciation of the risk involved with networking control systems.
Lack of adequate risk assessment.
No control system information security policy.
No auditing or enforcing of control system information security policy.
2. Inadequately designed defense-in-depth mechanisms
Emphasis on system availability and reliability, with security being an afterthought.
Insufficient investment to reengineer systems’ Web-based technology in accordance with appropriate risk assessment criteria.
3. Remote system access without appropriate access control
Inappropriate use of dial-up modems.
Use of commonly known passwords or no use of passwords.
Use of nonsecure control system connectivity to the corporate Local Area Network (LAN).
Allowing unauditable and nonsecured access by vendors for support.
4. Inadequate system admin mechanisms & software maintenance
Inadequate patch management.
Lack of appropriately applied real-time virus protection.
Inadequate account management.
Inadequate change control.
Inadequate software inventory.
5. Use of inadequately secured WiFi communication for control
Use of commercial off-the-shelf (COTS) consumer-grade wireless devices for control network data.
Use of outdated or deprecated security/encryption methods (e.g., WEP).
6. Use of nondedicated comm channels for command & control
Internet-based SCADA
Inappropriate use of control channels for noncontrol data:
Asset management
Power quality data files
Metering
Maintenance
Internet/Intranet connectivity initiated from control system networks:
E-mail
Web browsing
File sharing
Instant messaging
7. Lack of tools to detect and report inappropriate activity
Underutilized Intrusion Detection Systems (IDS)
Undermanaged network system
Implementation of immature Intrusion Prevention Systems (IPS)
8. Unauthorized apps or devices on control system networks
Unauthorized installation of additional software to control system devices (games, “weatherbug”, spyware).
Peripherals with noncontrol system interfaces (multi-function or multinetwork printers).
Nonsecure Web interfaces for control system devices.
Laptops.
USB memory.
Other portable devices (personal digital assistants [PDAs]).
9. Control systems command and control data not authenticated
Authentication for LAN-based control commands not implemented.
Immature technology for authenticated serial communications to field devices.
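What "authenticated control commands" looks like in practice, as an added example that is not part of the course material: each LAN command frame carries an HMAC tag computed with a key shared between the sender and the field device, plus a sequence counter, so the receiver can reject forged, altered and replayed commands. The frame layout, the shared key and the point/value numbers are constructed for the demo.

```python
# Added example (not from the AWWA course material): HMAC-authenticated
# control commands with a sequence counter. Frame layout, key and command
# values are constructed; a real product would define its own format.
import hashlib
import hmac
import struct

KEY = b"demo-shared-key-32-bytes-long!!!"  # constructed; provision per device
HEADER_FMT = "!IHi"  # seq (uint32), point_id (uint16), value (int32)


def build_frame(key, seq, point_id, value):
    """Frame = header(seq, point_id, value) || HMAC-SHA256(key, header)."""
    header = struct.pack(HEADER_FMT, seq, point_id, value)
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


class Receiver:
    """Acts only on frames with a valid tag and a strictly increasing seq."""

    HEADER_LEN = struct.calcsize(HEADER_FMT)
    TAG_LEN = hashlib.sha256().digest_size

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.applied = []  # (point_id, value) pairs that were acted on

    def handle(self, frame):
        """Return an outcome string; the command is applied only on 'ok'."""
        if len(frame) != self.HEADER_LEN + self.TAG_LEN:
            return "reject: bad length"
        header, tag = frame[:self.HEADER_LEN], frame[self.HEADER_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return "reject: bad tag"
        seq, point_id, value = struct.unpack(HEADER_FMT, header)
        if seq <= self.last_seq:  # a captured frame sent again is refused
            return "reject: replay"
        self.last_seq = seq
        self.applied.append((point_id, value))
        return "ok"


def demo():
    """Run one genuine, one replayed, one forged, one altered and one more
    genuine command through a receiver; return the outcomes and what it applied."""
    rx = Receiver(KEY)
    good = build_frame(KEY, 1, 7, 100)            # set point 7 to 100
    results = [rx.handle(good)]                   # ok
    results.append(rx.handle(good))               # same seq again: replay
    forged = build_frame(b"wrong-key", 2, 7, 0)   # sender without the key
    results.append(rx.handle(forged))             # bad tag
    altered = bytearray(build_frame(KEY, 2, 7, 0))
    altered[9] ^= 0x01                            # flip a bit in 'value'
    results.append(rx.handle(bytes(altered)))     # bad tag
    results.append(rx.handle(build_frame(KEY, 2, 7, 0)))  # ok
    return results, rx.applied


if __name__ == "__main__":
    print(demo())
```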
10. Inadequate critical support infrastructure
Inadequate uninterruptible power supply (UPS) or other power supply systems.
Inadequate or malfunctioning heating / ventilation / air conditioning (HVAC) systems.
Poorly defined “6-wall” boundary infrastructure (foam ceilings).
Insufficiently protected telecommunications infrastructure.
Inadequate or malfunctioning fire suppression systems.
Lack of recovery plan.
Insufficient testing or maintenance of redundant infrastructure.
Threats – Outsiders
Groups: Organized Crime, “Hacktivists”, Hacker Groups, Foreign Intelligence, Terrorists
Individuals: Fraud / Scam Artists, Curious Hackers, Vandals
Threats – Insiders
Disgruntled:
Employees and Ex-Employees
Vendors and Ex-Vendors
“Gruntled” but overly curious:
Employees and Ex-Employees
Vendors and Ex-Vendors
Malware
Virus
Self-replicating
Trojan Horse
A “bad” program disguised as a “good” program
Spyware
From usage monitors to keyloggers and password-grabbers
Adware
You searched for product A and got pop-ups for competitor product B
“How did THAT get on MY computer?”
Weather monitors, custom cursors, screensavers, games, etc.
Once you have one, many more will follow…
Malware
Spam – Not the tasty Hormel kind…
“Legitimate” Unsolicited Commercial E-mail
“Adult” Web sites or services
Shady Sales Pitches from Forged IP addresses
“Rolex watches”, “Can you last 36 Hours”, “Hot stock tips”
Fraud and Phishing (more on this later)
You won the lottery!!!
Nigerian Oil Scam (aka 4-1-9 scam)
Pirated Software Products or Movies
Hidden Web “Bugs” in the Spam let the sender know you got it ok…
Not all spam will be caught by the spam filter (false negatives)
DON’T EVER, EVER, EVER REPLY TO SPAM OR CLICK ON ANYTHING IN THE MESSAGE
Recommend disabling “auto-preview” and “Preview Pane” in Outlook
Malware
EULA – End-User License Agreement
The 30-page document that you didn’t read, but which is legally binding and that you agreed to when you clicked “OK” (Kazaa, Gator / GAIN, Weatherbug, Screensavers)
You might have agreed to:
Limit liability to the company for damages directly or indirectly caused by the software
Allow collection of data, including configuration information and files
Allow monitoring of activity, including Web surfing, e-mails, user names, passwords, credit card numbers
Allow installation of additional software without further permission or notification
Malware
Symptoms
Computer running slow
Frequent crashes
Extra pop-ups
Slow network response time
Unfamiliar “Search Toolbars”
Detection and Removal
Antivirus software detects viruses but not spyware (see EULA, above)
Free Spyware Detection such as Ad-Aware, Spybot Search & Destroy, Microsoft Anti-Spyware Beta
Commercial Spyware Detection
Social Engineering
Someone trying to get you to do something you shouldn’t do, or give them information you shouldn’t give out
Attacker will play on emotions with various tactics: Persuasion, Intimidation, Trust, Guilt, etc…
As technical controls are improved (firewalls, antivirus, etc.), social engineering becomes a more effective route
Social Engineering
“Hi, this is Mark over here at SCADA Masters. We’re consolidating your O&M documentation into a new format and I just wanted to verify that you guys are still using 142 for your hopping pattern…”
“This is Alan from Fruitdale Water District. We’re thinking about putting in a SCADA system and I was just wondering what you guys were using and how well it’s working out for you…”
“Hey, I’m sorry to bother you on a Friday – this will only take a second. I’m doing a survey for my Environmental Studies class and I wanted to ask you a few questions…”
“Could you fax me your org chart…?”
Social Engineering
From: Bob Stevens <[email protected]>
To: All Employees
Subject: Mandatory System Update
This is a mandatory system update to protect our employees from the recent Buster worm. Please click the following link to install this mandatory update:
https://intranetserver%40101%2e5%2e87%2e52/update05276.exe
Thanks,
Bob Stevens, System Administrator
(%40101%2e5%2e87%2e52 translates to @101.5.87.52)
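The check a help desk or mail filter would want for links like the one above, as an added example that is not part of the course material: decode the authority part of the URL, split off anything before an "@", and report the host the browser would really connect to. The suspicious URL is the one from the message above; the harmless comparison URL, `intranet.example.com`, is constructed.

```python
# Added example (not from the AWWA course material): reveal the real host
# behind a percent-encoded "user@host" URL and list the warning signs.
# The harmless comparison URL is constructed; IPv6 literals are not handled.
import ipaddress
from urllib.parse import unquote, urlsplit

SAMPLE = "https://intranetserver%40101%2e5%2e87%2e52/update05276.exe"  # from the message
SAFE = "https://intranet.example.com/update.html"  # constructed comparison


def real_host(url):
    """Decode the authority and split off any 'userinfo@' prefix.
    Returns (userinfo, host); userinfo is '' when there is no '@'."""
    netloc = unquote(urlsplit(url).netloc)  # %40 -> '@', %2e -> '.'
    userinfo, sep, hostport = netloc.rpartition("@")
    host = hostport.split(":")[0].lower()   # drop an explicit port
    return (userinfo if sep else ""), host


def check_link(url):
    """Return (host, findings); an empty findings list means nothing looked off."""
    userinfo, host = real_host(url)
    findings = []
    if userinfo:
        findings.append(f"text before '@' ({userinfo!r}) is not the host; "
                        f"the link really goes to {host!r}")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address rather than a DNS name")
    except ValueError:
        pass  # a DNS name, which is what an internal server should have
    if urlsplit(url).path.lower().endswith((".exe", ".scr", ".bat", ".msi")):
        findings.append("link points directly at an executable file")
    return host, findings


if __name__ == "__main__":
    for url in (SAMPLE, SAFE):
        host, findings = check_link(url)
        print(url, "->", host)
        for f in findings:
            print("  !", f)
```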
Phishing
A type of social engineering that plays on fear
Almost always tries to get personal information
When in doubt, contact the supposed source directly (via phone or e-mail)
Never respond to or click on any part of the message
E-mail is like a postcard, anyone can easily forge the “from” address and make the message look real
Linked with virus spreaders and even organized crime
BE CAREFUL!!! Ask your system administrator!
Fake lotteries
How to spot…
Did you enter in a lottery?
Do they tell you not to tell anyone?
Ar thier a lot of mispllled words or phrases uncommon?
Do they ask you to send them a copy of your passport or other identification, important documents, etc.
Is there a “processing fee”? Often this is the scam itself.
Do you think they would really just e-mail you about it?
If it sounds too good to be true…
If all else… Entering in foreign lotteries is illegal!!!
Fake lotteries
FROM: THE DESK OF THE E-MAIL PROMOTIONS MANAGER, INTERNATIONAL PROMOTIONS/PRIZE AWARD DEPARTMENT, MICROSOFT LOTTERY, UNITED KINGDOM. 61-70 Southampton Row, Bloomsbury, London, United Kingdom, WC1B 4AR
MR. GABRIEL MARTINS
PHONE #: +44 703-194-3199
REF NO: MSW-L/200-26937
BATCH: 2005MJL-01
ELECTRONIC MAIL AWARD WINNING NOTIFICATION. AWARD PRESENTATION CENTER: UNITED KINGDOM
We are pleased to inform you of the announcement today of winners of the MSW MEGA JACKPOT LOTTO WINNINGS PROGRAMS held on 2nd SEPTEMBER 2005.Your company or your personal e-mail address, is attached to winning number 20-12DEC-2004-02MSW, With serial number S/N-00168 drew the lucky numbers 887-13-865-37-10-83, and consequently won in the first lottery category.
You have therefore been approved for lump sums pay out of GBP5,500,000.00 POUNDS in cash Credited to file REF NO:MSW-L/200-26937 this is from total prize money of GBP 27,500,000.00 POUNDS, shared among the Twenty (5) international winners in this category….
Fraudulent or Illegal Offers
“Rolex” Watches: just like the street peddlers in New York sell…
Low-cost prescription drugs: it is currently illegal to purchase prescription drugs without a prescription and/or from overseas sources
Low-cost Adobe Photoshop / Microsoft Office: illegal pirate / bootleg copies
Low-cost DVD movies: same thing…
University “diploma” based on “experience” (and your $): this won’t be from an accredited university
4-1-9 / Nigerian Oil Scam
From: JAMES ZUPP [[email protected]]
Subject: YOUR UTMOST ASSISTANCE AND HUMBLE COOPERATION REQUIRED
Dearest one,
This letter might come to you as a surprise as we have not met before,but I believe that you would be compelled to help me after going through the contents of this letter. My name is Mr James Zupp,a divorcee, I am a Zimbabwean of German Origin.I am a farmer,or rather I was a farmer in Zimbabwe.Basically, I was involved in Agricultural production,until August 2002, when the government of Robert Mugabe decided to seize all farm-land(s) owned by whites in Zimbabwe (without compensation). He (Robert Mugabe) did not stop at that; he also went on to expel all White farmers in Zimbabwe.He employed the services of his war veterans to undertake this seizure. I used the services of a Diplomatic Courier Company to move this money (registered as official documents) out of Zimbabwe to Europe.At present, my money totalling US$15,750,000. (Fifteen million, seven Hundred and fifty thousand United States Dollars) is in Europe and hopefully, it would be paid into an offshore account. Can you help me? Are you trustworthy? Can you handle this money? Are you capable of handling this money? If you can, please contact me on:[email protected]
….
Types of Tests
Vulnerability (or Security) Assessment
Looking for all weaknesses
Audit
Assessing to specific and predefined standards
Penetration Test (or Penetration Study)
Looking to exploit at least one specific vulnerability to gain access to restricted resources or systems for demonstration purposes (“prove it!”)
RAM-W Methodology
AWWA RAM-W Methodology
Originally developed by Sandia National Labs
Expansion on RAM (Risk Assessment Methodology). The W stands for Water.
Now run by American Water Works Association
Process of identifying and prioritizing assets by pair-wise comparison and spreadsheets
Little focus on SCADA
Only focused on “loss” of assets, not misuse
Why do a Penetration Test?
Moving from the Theoretical to the Real World
Simulates a real “Hacker Attack”
If successful, provides unquestionable evidence that specific vulnerabilities exist
If unsuccessful, provides a reasonable level of assurance that networks and systems are secure at that time
Very powerful in its form and presentation
Can find weaknesses and design flaws that nobody ever thought about
What does a Penetration Test Entail?
Black Box (Blind Test) vs. White Box (Engineering Study)
Customer knows in advance vs. customer response is being evaluated
Architecture Review
External Pen-Test vs. Internal Pen-Test
Background Research and Document Grinding
Social Engineering
IP-based Network Vulnerability Scanning
Identification of misconfigured items
Exploitation of found vulnerabilities (usually scripting and C code!)
Password guessing and cracking
Dial-up Telephone Audit (wardialing)
802.11x Wireless Ethernet audit (wardriving)
Goal achieved, time limit reached, or testing halted
Final Report and Presentation to Upper Management
Plan for Ongoing Remediation Activities and Follow-on Testing