Page 1: Cyber Security for Critical Infrastructure-ppt

@codenomicon

CYBER SECURITY FOR CRITICAL INFRASTRUCTURE

Mohit Rampal - Regional Manager South Asia

Page 2: Cyber Security for Critical Infrastructure-ppt

10/9/2015 © 2014 All Rights Reserved

2

CYBER THREATS: MORE PROFESSIONAL & SOPHISTICATED

• Cyber Attacks: Internet-based incidents involving politically or financially motivated attacks on information and information systems.

• Zero-day Vulnerabilities, or Unknown Vulnerabilities: software flaws that make exploitation and other illegal activities against information systems possible.

• Proactive Cyber Defense: acting in anticipation to oppose an attack against computers and networks.

Page 3: Cyber Security for Critical Infrastructure-ppt

WHY CYBER DEFENSE

• Zero-day exploits are the biggest threat to security, as there are no defenses against them and the attacks can go unnoticed.

• The security landscape is changing: governments, critical infrastructure providers and defense organizations increasingly rely on the Internet to perform mission-critical operations.

• India, a soft state, with 7,500 km of coastline running through 9 states and 4 union territories.

• Proactive Cyber Defence, or active cyber defence (ACD), is the key way forward.

• The US, China etc. are spending on cyber security for homeland defense and increasing their cyber units and cyber warriors.

• Cybercrime costs the United States approximately $100 billion annually.

• Vulnerable verticals: Energy & Utilities, Financial Organizations, Telecom, Defense & Paramilitary Forces, Manufacturing etc.

Page 4: Cyber Security for Critical Infrastructure-ppt

LESSONS FROM PAST CYBER ATTACKS

• Cyber attacks accompany physical attacks

• Cyber attacks are increasing in volume, sophistication, and coordination

• Cyber attacks are attracted to high-value targets

Page 5: Cyber Security for Critical Infrastructure-ppt

CHANGING LANDSCAPE IN ICS THREATS…

Page 6: Cyber Security for Critical Infrastructure-ppt

BRAVE NEW WORLD

WHAT WE HAD THEN vs. WHAT WE HAVE NOW

Then: Corporate private servers and data storage
Now: Distributed data processing and storage

Then: Controlled access: corporate-issued laptops, closed-ecosystem handsets…
Now: Ubiquitous access: BYOD, open platforms

Then: Isolated domains: Industrial Control Systems, healthcare devices, Mil/Gov networks
Now: Previously isolated domains getting interconnected: remote connections to ICS systems, robots for remote surgery

Then: Proprietary protocols for communication and custom-made HW/SW
Now: IP protocols, COTS HW, open source and commercial libraries for SW

What about our defenses? Antivirus, Firewall, IPS ???

Page 7: Cyber Security for Critical Infrastructure-ppt

INDIA AND APAC ABUSE

Page 8: Cyber Security for Critical Infrastructure-ppt

SECURITY IN ICS

• Designed to be isolated

• Connectivity over serial analogue circuits = attacker needed to gain physical access to carry out an attack

• Protocols designed for communication between trusted devices

• Protocols contain very few security features, such as encryption

Page 9: Cyber Security for Critical Infrastructure-ppt

SECURITY IN ICS

• ICS systems interconnected with the outside world using IP-based communications, and control networks integrated into larger corporate networks…

– Reducing costs

– Improving efficiency

• Exposure to external attacks

– Almost all ICS devices are either directly or indirectly connected to the internet

– New attack surfaces

• The need to separate the corporate and production network is well known

– Often leads to ignorance of other equally critical interfaces

• Trusted third parties still having access to the ICS network…

– Vendors? System integrators? Control engineers?

• Not forgetting WebHMI and wireless connection exposure

• Compromising security through end points

Page 10: Cyber Security for Critical Infrastructure-ppt

THE KNOWN AND THE UNKNOWN

Total Vulnerability Management = Known Vulnerability Management + Unknown Vulnerability Management (UVM)

Known Vulnerability Management (reactive):

– 1995-2000: Satan/Saint

– 1999-: Nessus, ISS

– 2000-: Qualys, HP, IBM, Symantec ...

– 2013: Codenomicon AppCheck

Unknown Vulnerability Management (proactive):

– SAST approach, 1980-: PC Lint, OSS, Coverity, Fortify, IBM, Microsoft ... (whitebox testing)

– DAST approach, 2000-: Fuzzing: Codenomicon Defensics, Peach, Sulley (blackbox testing)

Bottom line: All systems have vulnerabilities. Both complementary categories need to be covered.

Page 11: Cyber Security for Critical Infrastructure-ppt

UNKNOWN VULNERABILITY MANAGEMENT (UVM)

• Another name: Zero-Day Vulnerability Management

• Process of:

– Detecting attack vectors

– Finding zero-day vulnerabilities

– Building defenses

– Performing patch verification

– Deployment in one big security push

Page 12: Cyber Security for Critical Infrastructure-ppt

WHAT IS FUZZING & TYPES OF FUZZING TECHNOLOGIES

• A testing technique where purposefully unexpected and/or invalid input data is fed to the system under test in the hope of finding robustness and security problems

• Mutation/Template-Based Fuzzing

– Quality of tests depends on the template (seed) used and on the mutation technique

– Slow to execute, fewest bugs found

• Generational/Specification-Based Fuzzing

– Full test coverage, as the model is built from the specification

– Fast to execute, most bugs found
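To make the contrast between the two fuzzing types concrete, here is an added example written for this page; it is not Codenomicon's code and has nothing to do with Defensics, Peach or Sulley. It fuzzes a small, constructed frame parser (1-byte type, 2-byte big-endian length, payload, 1-byte checksum); the frame layout, the parser, the seed message and the boundary values are all assumptions made for the example. The mutation-based fuzzer blindly perturbs one valid seed, while the generational fuzzer walks the frame model and puts boundary values into each field. The weak parser trusts the length field and indexes past the buffer (an IndexError here, an out-of-bounds read in a C implementation); the hardened parser rejects the same inputs cleanly.

```python
"""Constructed example: mutation-based vs. generational fuzzing of a tiny parser.

Frame layout (assumed for this example, not a real ICS protocol):
    [type:1][length:2, big-endian][payload:length][checksum:1]
checksum = sum(payload) & 0xFF
"""
import random
import struct


class FrameError(ValueError):
    """Raised when a frame is malformed and rejected cleanly."""


def parse_frame_weak(data: bytes):
    """Naive parser: trusts the length field and indexes past the buffer.
    This is the robustness defect the fuzzers are meant to find."""
    if len(data) < 4:
        raise FrameError("frame too short")
    ftype = data[0]
    length = struct.unpack(">H", data[1:3])[0]
    payload = data[3:3 + length]
    checksum = data[3 + length]          # IndexError when the length field lies
    if checksum != (sum(payload) & 0xFF):
        raise FrameError("bad checksum")
    return ftype, payload


def parse_frame_hardened(data: bytes):
    """Same format, but the declared length is checked against the frame size."""
    if len(data) < 4:
        raise FrameError("frame too short")
    ftype = data[0]
    length = struct.unpack(">H", data[1:3])[0]
    if len(data) != 3 + length + 1:
        raise FrameError("length field does not match frame size")
    payload = data[3:3 + length]
    checksum = data[3 + length]
    if checksum != (sum(payload) & 0xFF):
        raise FrameError("bad checksum")
    return ftype, payload


def build_frame(ftype: int, payload: bytes, length_override=None) -> bytes:
    """Encode a frame; length_override lets the generational fuzzer lie in the header."""
    length = len(payload) if length_override is None else length_override
    return bytes([ftype]) + struct.pack(">H", length) + payload + bytes([sum(payload) & 0xFF])


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Template/mutation-based test case: perturb a valid seed without knowing the format."""
    data = bytearray(seed)
    op = rng.choice(("bitflip", "bytereplace", "truncate", "insert"))
    if op == "bitflip":
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == "bytereplace":
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "truncate":
        data = data[:rng.randint(1, len(data) - 1)]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def generate_cases():
    """Generational/specification-based test cases: walk the frame model and put
    boundary values into each field, so coverage follows the spec, not the seed."""
    payload = b"\x10\x20\x30\x40"
    for ftype in (0x00, 0x01, 0x7F, 0x80, 0xFF):
        for length in (0, 1, len(payload) - 1, len(payload), len(payload) + 1, 0x7FFF, 0xFFFF):
            yield build_frame(ftype, payload, length_override=length)
        yield build_frame(ftype, b"")              # empty payload
        yield build_frame(ftype, bytes(0xFFFF))    # maximal payload


def run_campaign(parser, cases):
    """A FrameError is a clean rejection; any other exception is a robustness failure."""
    crashes = []
    for case in cases:
        try:
            parser(case)
        except FrameError:
            continue
        except Exception as exc:  # the fuzzer deliberately catches everything else
            crashes.append((case, type(exc).__name__))
    return crashes


def mutation_campaign(parser, iterations=2000, rng_seed=1):
    rng = random.Random(rng_seed)
    base = build_frame(0x01, b"\x10\x20\x30\x40")   # the single seed message
    return run_campaign(parser, (mutate(base, rng) for _ in range(iterations)))


def generational_campaign(parser):
    return run_campaign(parser, generate_cases())


if __name__ == "__main__":
    for name, parser in (("weak", parse_frame_weak), ("hardened", parse_frame_hardened)):
        m = mutation_campaign(parser)
        g = generational_campaign(parser)
        print(f"{name}: mutation found {len(m)} failures, generational found {len(g)}")
```

Every finding in the generational run comes from the length-field boundary values, and the run is the same size every time because the cases are derived from the model; the mutation run only finds the same defect when the random perturbation happens to land on the two length bytes or truncates the frame, which is the slide's point that template-based test quality depends on the seed and the mutation technique. Running the hardened parser through both campaigns with zero findings is the patch-verification step from the UVM slide.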

Page 13: Cyber Security for Critical Infrastructure-ppt

FUZZ TESTING MATURITY MODEL (FTMM)

• Based on the ISO/IEC 15504 framework

• Has 5 maturity levels (+ a zero level for immature)

• Created to help in understanding the fuzz testing maturity of a computer system or software

• Differentiates system and interface level

• Does NOT address organizational or process maturity (BSIMM, Microsoft SDLC, Cisco SDLC, etc. should be used for this)

• Each level defines

– Types of fuzzing that need to be performed

– Time that has to be spent fuzzing

– Amount of fuzz tests needed

– Additional metrics required to reach the level

Page 14: Cyber Security for Critical Infrastructure-ppt

FTMM MATURITY LEVELS

Levels: 0 – Immature, 1 – Initial, 2 – Defined, 3 – Integrated, 4 – Managed, 5 – Optimized

Criteria (the rows of the original table) with the cell values recovered for each; the per-level placement of the values did not survive extraction:

– Types of fuzzing required: T or G; G (T); G and T; G, T, R

– Fuzz tests required: 100000; 1000000; 1000000 (G) 5000000 (T); Infinite (2)

– Fuzz time required: 1 hour; 8 hours; 7 days; 30 days

– Attack surface analysis required: none; M

– Types of instrumentation required: O; A; O, A, D; C

– Types of failures allowed to remain: AS, TR; TR; none

– Fuzzing needs to be part of the organization's SDLC: X

– Test harness integration: X

– Manual execution: Y

– Other requirements: B; B, U

– Test report must be generated: X

Legend:

G) Generational, model-based fuzzer T) Template/mutational fuzzer R) Random fuzzer 1) Must use two different fuzzers 2) For each type of fuzzing

AS) non-DoS assertions, must be noted M) Must be mandatorily done Y) It is required that tests are also manually executed U) Must use two different fuzzers for each type B) Baseline test configuration must be documented

O) Human observation A) Automated instrumentation required D) Debugger-integrated monitoring X) Required C) Code coverage/binary analysis required TR) Transient errors allowed, must be noted

Page 15: Cyber Security for Critical Infrastructure-ppt

THANK YOU – QUESTIONS?