Cyber as WMD- April 2015- GFSU

© 2014 All Rights Reserved

@codenomicon

Mohit Rampal

CYBER AS WMD

2015 NEWS

• Indian power companies want ban on Chinese equipment on security fears

• Power transmission infrastructure in the country’s 18 major cities could be potentially hacked leading to national security threats and major disruption of power if the concerns of a prominent trade body are to be believed.

• These cities are spread across Rajasthan, Madhya Pradesh and Tamil Nadu and they are currently implementing smart grid projects. They could be exposing themselves to the threat of monitoring systems deployed by foreign firms, it is being feared.

2015 NEWS

• Cisco CEO John Chambers has warned that 2015 will be a worse year for hack attacks on businesses in a world where an increasing number of devices are connected to the internet.

• “The average attack, you get 90 percent of the data you want in like nine hours, and yet most of the companies don't find out for three to four months,” he said. The warning comes after a year of high-profile cyber-security breaches that were a disaster for many businesses.

• Investment bank JPMorgan was hit with two attacks last year, while a number of flaws in internet security and mobile software were found.

LANDSCAPE TODAY

Today’s world is filled with complexity

New threats are waiting for cracks to appear

See the cracks

Know the threats

Build a more resilient world

HEARTBLEED, SHELLSHOCK, POODLE

Year 2014: …

INDIA PERSPECTIVE

• Lack of Cyber Security Professionals

• Cyber Security is more reactive than proactive

• Spending on creating COEs is missing

• Highly Vulnerable Verticals:

  • Power & Utilities

  • Internal Security

  • Financial Organizations

  • Telecom

  • Defense & Paramilitary Forces

  • Manufacturing

  • Smart Cities

THE KNOWN AND THE UNKNOWN

Total Vulnerability Management

• Known Vulnerability Management (Reactive)

  • 1995-2000 Satan/Saint

  • 1999- Nessus, ISS

  • 2000- Qualys, HP, IBM, Symantec ...

  • 2013: Codenomicon AppCheck

• Unknown Vulnerability Management (UVM) (Proactive)

  • SAST Approach 1980-: PC Lint, OSS, Coverity, Fortify, IBM, Microsoft ... (Whitebox testing)

  • DAST Approach 2000-: Fuzzing: Codenomicon Defensics, Peach, Sulley (Blackbox testing)

Bottom line: All systems have vulnerabilities. Both complementary categories need to be covered.

WHY ATTACK

• Gain access to control and compromise the smart network

• A terrorist may want to damage chemical plant processes, oil and gas pipelines, power generation and transmission equipment, or contaminate the water supply, etc.

• Someone might set up an attack for espionage (industrial) purposes or to generate “false” information

• Enemy countries, so as to be able to cripple infrastructure, thereby affecting the economy

CYBER AS A WMD

• How does it work?

  • State-sponsored cyber terrorists acquire devices / applications

  • Use fuzzing tools to find vulnerabilities, both known and unknown

  • Use known vulnerabilities to create diversion attacks

  • Exploit the unknown vulnerability by writing malware around it

  • Use tools to monitor end points which are unsecured

  • Explore vulnerable end points etc. for creating botnets and insert the unknown vulnerability

  • These unknown attacks go undiscovered, as perimeter security cannot detect them

CYBER AS A WMD

• How does it work?

  • Compromise the Power Network – denial of service or unavailability of power to critical networks etc.

  • Compromise the Telecom Network

  • Contaminate the Water Supply

  • Unavailability of Banking Networks and Stock Market

  • Transport system collapse

  • Collapse of Defense Machinery and equipment

CYBER AS A WMD- WHAT CAN BE COMPROMISED

Smart City

Telecom

Utilities

Public Services

Building

Transport

INTERNET OF THINGS = FUTURE CHALLENGE FOR SECURITY TESTING

[Figure: timeline 1875 to 2025 with series PLACES (~0.5 B), PEOPLE (5.0 B) and THINGS (50 B); inflection points: Global Connectivity, Personal Mobile, Digital Society, Sustainable World. Source: Ericsson]

CYBER AS A WMD - OUTCOME

• Nation in a state of disaster, resulting in inflation and unavailability of all resources, leading indirectly to death, with no discovery of where the attack came from

• NEWS 2015 – India-Bangladesh World Cup match: Bangladeshi hackers were trying to attack NSE

HOW IS IT “SECURITY” COMPROMISED?

• Confidentiality : A zero day attack is used to compromise a specific computer program, which often crashes as a result… Hacker can spawn new processes

• Integrity : Hacker controlled processes can now change anything in the system

• Availability : Hacker controlled processes can now eavesdrop on all data and communications

CYBER THREATS : MORE PROFESSIONAL & SOPHISTICATED

• Cyber Attacks: Internet-based incidents involving politically or financially motivated attacks on information and information systems.

• Zero-day Vulnerabilities, Or Unknown Vulnerabilities: Software flaws that make exploitation and other illegal activities towards information systems possible

• Proactive Cyber Defense: acting in anticipation to oppose an attack against computers and networks.

CYBER AS A WMD – RISK MITIGATION

• Being proactive rather than reactive

• Having a security process in place

• Processes for known and unknown vulnerability management & security testing before deployment

• Understanding code decay and its impact

• Real time monitoring and analysis of data to be proactive

• Identifying unknown vulnerabilities and drawing a map towards remediation

• Secure the Supply Chain to ensure “WE KNOW WHAT WE BUY”

• Use of tools to automate the process to ensure no human bypass is done

• Security of all devices by proactive security testing for Known and Unknown Vulnerabilities

BUT I WAS TOLD/PROMISED/CERTIFIED/ … THAT I AM SECURE!

Did you actually test and validate that you are?

Or were you just happy that, because it is certified, you are safe?

We call this faith-based security

ABOUT CODENOMICON

• Started as a Research Project in 1996 & Commercially started operations in 2001

• Global Offices in Finland, Germany, US, Singapore, India

• DEFENSICS™ security test platform

• CLARIFIED™ advanced cyber security monitoring solution

• Market segments

  • Carrier, Defense, Government, networking equipment, software developers

• Any customer concerned about security of protocols deployed in products, services or internal IT infrastructure

SAMPLE CUSTOMER LIST

Few selected Asia-Pacific reference customers:

Bharat Electronics

Strength in visibility

THANK YOU! QUESTIONS?

MOHIT RAMPAL : [email protected]