Cyber Security: Threats and Needed Actions
1. Cyber Security: Threats and Needed Actions
John M. Gilligan
www.gilligangroupinc.com
Research Board
September 17, 2009
2. Topics
• Historical Perspectives
• Cyber Security Threats--A National Crisis
• White House Cyber Security Policy Review
• Near Term Opportunities
• Ongoing Efforts
• Longer term Needs
• Closing Thoughts
3. Historical Perspectives
• Internet, software industry, (personal) computers—rooted in creativity not engineering
• Security in the Cold War Era
– Security “Gurus”—Keepers of the Kingdom
• The World Wide Web changes the security landscape--forever
• Post Cold War: The Age of Information Sharing
Legacy of the past is now our “Achilles Heel”
4. Cyber Security Threats Today--A New “Ball Game”
• Our way of life depends on a reliable cyberspace
• Intellectual property is being downloaded at an alarming rate
• Cyberspace is now a warfare domain
• Attacks increasing at an exponential rate (e.g. Conficker)
• Fundamental network and system vulnerabilities cannot be fixed quickly
• Entire industries exist to “Band Aid” over engineering and operational weaknesses
• Industry impacts can be profound (e.g., Heartland)
Cyber Security is a National Security Crisis!
6. Obama Cyberspace Policy Review—“60 Day Review”
• The Nation is at a crossroads
• Cyberspace risks pose some of the most serious challenges to economic and national security
• Need to begin national dialogue on cybersecurity
• Solutions must involve partnership with private sector and international engagement
• White House must lead the way
7. Recommended Near-Term Actions
• Appoint White House Cybersecurity official and supporting organization
• Prepare updated national strategy
• Designate cybersecurity as Presidential priority
• Initiate public awareness campaign and strengthen international partnerships
• New policies regarding roles/responsibilities
• Prepare cyber incident response plan
• Develop research plan and vision for identity management
On hold pending appointment of White House Cyber Czar
8. Government Actions
• Comprehensive National Cyber Initiative (CNCI)
• Department of Homeland Security Reorganization
• Smart Grid Cyber Security Initiative
• (Some) Public-Private Partnerships
– Defense Industrial Base (DIB)
– Other special relationships
• (Many) Legislative Proposals
9. An Effective Public-Private Partnership: 20 Critical Controls for Effective Cyber Defense*
• Underlying Rationale
– Let “Offense drive Defense”
– Focus on most critical areas
• CAG: Twenty security controls based on attack patterns
• Government and Private Sector consensus
• Emphasis on auditable controls and automated implementation/enforcement
• Pilots and standards for tools ongoing
* Also called the “Consensus Audit Guidelines” or “CAG” (http://www.sans.org/cag/)
10. Longer-Term Actions: IT Reliably Enabling Business
• Change the dialogue: Reliable, resilient IT is fundamental to future National Security and Economic Growth
• New business model for software industry
– First step—self certified, locked-down configurations
– Longer term—software with reliability warranties
• Redesign the Internet to provide reliable attribution, increased security
• Get the “man out of the loop”—use automated tools (e.g., SCAP)
• Foster new IT services models
– Assume insecure environment
– Increased use of virtualization
– Secure “cloud”
• Develop professional cyberspace workforce
Need to Fundamentally “Change the Game” to Make Progress
11. Closing Thoughts
• Government and Industry need to treat cyber security as an urgent priority
• Near-term actions important but need to fundamentally change the game to get ahead of the growing threat
• IT community needs to reorient the dialogue on cyber security—the objective is reliable and resilient information
• As an example, Cyber Security in DoD is more mature—but still woefully inadequate
Cyber Security is Fundamentally a Leadership Issue!
13. Security Content Automation Protocol (SCAP)
• What is it: A set of open standards that allows for the monitoring, positive control, and reporting of security posture of every device in a network.
• How is it implemented: Commercial products implement SCAP protocols to exchange and enforce configuration, security policy, and vulnerability information.
• Where is it going: Extensions in development to address software design weaknesses, attack patterns, and malware attributes.
SCAP Enables Automated Tools To Implement And Enforce Secure Operations
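The "reporting of security posture" part of SCAP is carried by XCCDF result documents, which a scanner emits after checking a host against a benchmark. The following is an added example (not from the presentation or any SCAP product) that parses a constructed XCCDF 1.2 TestResult and turns it into a compliance summary; the rule identifiers, host name and results are all made up for illustration.

```python
"""Summarize security posture from an XCCDF 1.2 TestResult document.

Element and attribute names (TestResult, rule-result/@idref, result) follow
the XCCDF 1.2 schema, one of the SCAP component standards. The sample input
below is constructed for this example and does not come from a real scanner.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: three rules checked on one host, one of them failing.
SAMPLE_RESULT = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.example_testresult_host1" start-time="2009-09-17T10:00:00">
  <target>host1.example.internal</target>
  <rule-result idref="xccdf_org.example_rule_password_min_len" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_telnet_disabled" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_enabled" severity="high">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# Only these XCCDF result values count toward the compliance denominator;
# notapplicable, notchecked, error etc. are reported but not scored.
SCORED = {"pass", "fail"}


def parse_rule_results(xml_text):
    """Return a list of (rule id, severity, result) tuples from a TestResult."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    rows = []
    for rr in root.findall("x:rule-result", ns):
        result = rr.findtext("x:result", default="unknown", namespaces=ns).strip()
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(rows):
    """Compute compliance percentage and list failing rules, highest severity first."""
    scored = [r for r in rows if r[2] in SCORED]
    passed = sum(1 for r in scored if r[2] == "pass")
    pct = round(100.0 * passed / len(scored), 1) if scored else 0.0
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    failing = sorted((r for r in rows if r[2] == "fail"), key=lambda r: order.get(r[1], 9))
    return {"checked": len(scored), "passed": passed, "percent": pct,
            "failing": [(r[0], r[1]) for r in failing]}


if __name__ == "__main__":
    print(summarize(parse_rule_results(SAMPLE_RESULT)))
```

Feeding real scanner output (an XCCDF results file) to `parse_rule_results` gives the per-host view that an automated enforcement pipeline would act on, for example by ticketing every high-severity failure.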
14. Top 20 Cyber Attacks and Related Control
(not in priority order)
Attack | Control Summary | Comments
1. Scan for unprotected systems on networks | Maintain inventory of authorized and unauthorized devices on networks | Find devices that can be exploited to gain access to other interconnected systems.
2. Scan for vulnerable versions of software | Maintain inventory of authorized and unauthorized software | Find software versions that are able to be exploited remotely to gain entry to other systems.
3. Scan for software with weak configurations | Implement secure configurations for HW/SW computer devices | Original configurations from vendors often have inadequate security controls enabled.
4. Scan for network devices with exploitable vulnerabilities | Implement secure configurations for network devices (routers, switches, firewalls, etc.) | Network devices often become less securely configured over time unless they are diligently maintained.
5. Attack boundary devices | Implement multi-layered boundary defenses | Attackers attempt to exploit boundary systems (e.g., DMZ or network perimeter) to gain access to network or interrelated networks
15. Top 20 Cyber Attacks and Related Control (Continued)
(not in priority order)
Attack | Control Summary | Comments
6. Attack without being detected and maintain long-term access due to weak audit logs | Maintain and monitor audit logs | Weak protection of or inadequate logging and monitoring permits attackers to hide actions
7. Attack web-based or other application software | Robust security controls and testing of application software | Longstanding code weaknesses (e.g., SQL injection, buffer overflows) can be exploited
8. Gain administrator privileges to control target machines | Implement controlled use of administrator privileges | Attacks exploit weak protection or control over administrator privileges
9. Gain access to sensitive data that is not adequately protected | Implement controlled access based on need to know | Once inside a system, attackers exploit weak access controls
10. Exploit newly discovered and unpatched vulnerabilities | Continuous vulnerability assessment and remediation | Attackers exploit the time between vulnerability discovery and patching
16. Top 20 Cyber Attacks and Related Control (Continued)
(not in priority order)
Attack | Control Summary | Comments
11. Exploit inactive user accounts | Monitor and control user accounts | Legitimate but inactive accounts, or accounts of former employees, are exploited
12. Implement malware attacks | Implement up-to-date anti-virus, anti-spyware, and Intrusion Prevention System controls | Malware attacks continue to evolve, leaving non-updated systems exposed
13. Exploit poorly configured network services | Limit and control network ports, protocols and services | Attackers focus on unprotected or unneeded ports and protocols
14. Exploit weak security of wireless devices | Implement controls for wireless devices | Example attacks include unauthorized access from parking lots, exploiting traveling employees, etc.
15. Steal sensitive data | Implement controls to detect and prevent unauthorized exfiltration | Includes both electronic and physical (i.e., stolen laptops) attacks
17. Top 20 Cyber Attacks and Related Control (Continued)
(not in priority order)
Attack | Control Summary | Comments
16. Map networks looking for vulnerabilities | Implement secure network engineering | Look for unprotected (i.e., weak) links or weak filtering/controls in network
17. Attack networks and systems by exploiting vulnerabilities undiscovered by target system personnel | Conduct penetration tests to evaluate and exercise defenses | Attack exploits social engineering and inability of system to respond to automated attacks
18. Attack systems or organizations that have no or poor attack response | Implement effective cyber incident response capabilities | True magnitude and impact of attack can be masked by inadequate response
19. Change system configurations and/or data so that organization cannot restore it properly | Implement data and system recovery procedures | Leave backdoors or data errors that permit future attacks or disrupt operations
20. Exploit poorly trained or poorly skilled employees | Conduct skills assessment and ensure adequate training across the enterprise | Attacks focus on manipulating end users, administrators, security operators, programmers, or even system owners