Module 11 Trends.


Lesson Objectives

- Identify emerging trends and demonstrate an understanding of emerging technologies.
- Understand the Internet of Things (IoT) and how it expands the cyber “attack surface.”
- Be able to make educated predictions of what the future might look like for the cybersecurity critical infrastructure framework.
- Discuss ethical issues that can arise in relation to new technology and new defense strategies.

Critical Infrastructure Threat Trends

Attacks on critical infrastructure systems continue to evolve and multiply. These include:

- Increased number of data integrity attacks
- Multiple Advanced Persistent Threat (APT) actors on the system
- Compromised infrastructure
  - Many are covertly communicating data to embargoed countries
- Increased use of social engineering
- Growing attack surface with the Internet of Things (IoT)

Data Integrity Attacks

"If you take a controlled system like the power grid or water system that involves machinery that's operated by computers and make some change in the operational instructions for that equipment, that can lead to some catastrophic results — power outages or changes in chemical balance."
—Eddie Schwartz, international vice president, ISACA

Rather than be satisfied with denial-of-service attacks that make the system unavailable, attackers will increasingly launch attacks that include modification of machine instructions or data sets that cause equipment to act on skewed data.

From the NSTAC IoT Report to the President: “These systems also include any adaptive behaviors exhibited by the objects, either through pre-programmed or machine learning algorithms. Although these are automated behaviors, the fact that their functions can be reconfigured based on machine learning algorithms introduces a certain level of unpredictability.”

Citation: President’s National Security Telecommunications Advisory Committee. (2014). “Report to the President on the Internet of Things – Draft.” Retrieved from: https://www.dhs.gov/sites/default/files/publications/IoT%20Final%20Draft%20Report%2011-2014.pdf

Multiple Advanced Persistent Threats

An advanced persistent threat (APT) is a network attack in which an attacker gains unauthorized access and remains for a long period of time, undetected.

Agencies are seeing multiple attackers on networks, sometimes warring with each other for dominance over the compromised system. This has given rise to research efforts to develop operating systems that can securely continue to operate, even with the presence of APTs on the network.

Compromised Infrastructure

Critical infrastructure systems will be compromised and used to launch attacks against other systems. This is facilitated, in part, by the lack of security hardening on sensors and devices. In many cases, these devices and systems have been found to have default passwords or vulnerable legacy software in use. In some cases, systems are covertly communicating data, some of which is even encrypted, to embargoed countries.

- Increased use of social engineering
- Growing attack surface with the Internet of Things – Machine-to-Machine devices present a large attack surface for exploitation.

Increased Use of Social Engineering

People will continue to be “the weak link” in the security chain. Historically, as systems become hardened, making them more difficult to hack into through system vulnerabilities, attacks against personnel in the workforce increase.

Spear-phishing attacks contributed to a significant number of attacks against the manufacturing sector in 2015, according to ICS-CERT.

Growing Attack Surface with the “Internet of Things”

IoT expands the attack surface and diversifies threat types with billions of connected devices.

- Billions of connected devices – The IoT contains billions of devices and sensors that collect and distribute information. Most of these are in public and other insecure locations. Gartner forecasts that more than 20 billion devices will be in use worldwide by 2020. (http://www.gartner.com/newsroom/id/3165317) However, others estimate that as many as 50 billion IoT devices will be in use by 2020. (NSTAC Report to the President). The scale of deployment is larger than any seen before.
- Secure and insecure locations – Many of these sensors are located on oil pipelines, on railroad tracks, and in other publicly accessible or remote locations, making them vulnerable to physical attacks (close-in attacks where the attacker has physical access to the device), as well as to cyber attacks if they are connected to a network to send data.
- Security may or may not be built in – Manufacturers and implementers of these devices are not as familiar with network threats as those who have worked within traditional cyber fields. As a result, security is sometimes not “baked” into the product when it is designed.
- Not IT, but usually connected to the network – Again, as with other cyber physical systems (such as HVAC systems), IoT implementers may lack sufficient experience with networking technologies and attacks to understand the threats to the network that the sensors present. As an example, a former student once told an instructor that his father installed pipeline sensors, placing a password of an “!” on the sensors.
- New bleeding-edge protocols and technologies in use – Many new protocols specific to this industry are on the rise. Additionally, these devices often use other vulnerable wireless protocols to communicate data to the controllers.
- The small nature of the devices leaves many vulnerable to attack – Due to the size of the device, these sensors may be unable to support remote firmware updates or encryption for their communications across the network, or to support digitally signed (authenticated) pushes of updates. As a result, many systems, even those in smart cars, accept changes to firmware and programmatic code without validating the source.

Case Study: IoT Attacks

On October 21, 2016, a Mirai botnet hacked into connected home devices and launched a distributed denial-of-service attack against Dyn, a large domain name server. The attack took down Twitter, Spotify, Reddit, the NY Times, Pinterest, PayPal, and other major websites, with attacks coming from millions of IP addresses at the same time.

Source and image source: Conditt, Jessica. (Oct 21 2016). Engadget. “Blame the Internet of Things for today’s web blackout.” Retrieved from https://www.engadget.com/2016/10/21/mirai-botnet-hacked-cameras-routers-internet-outage/ © 2017 AOL Inc. All rights reserved.

Case Study 2: IoT Attacks

Mirai is a malicious worm that spreads to connected Internet devices, such as cameras, insecure routers, digital video recorders, etc., by continuously scanning the Internet for these systems, looking for devices that have not changed their factory default passwords. Once compromised, these devices are turned into “bots” that allow an attacker to control them to attack other systems.

In September 2016, a massive Mirai attack took down security site KrebsOnSecurity, peaking at nearly 620 Gbps. In that case, more than 145,000 devices were compromised and used in the attack.
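
A device conscripted this way begins probing many other hosts itself, which is visible from the defender's side of the network. The following is an added example, not part of the original presentation: it flags internal hosts whose flow records show connection attempts to many distinct Telnet destinations within a short window. The flow tuple layout, addresses, thresholds and the choice of TCP ports 23 and 2323 are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: Telnet ports widely reported as the targets of Mirai's scanning.
TELNET_PORTS = {23, 2323}


def build_sample_flows():
    """Constructed flow records: (time_s, src_ip, dst_ip, dst_port, tcp_flags)."""
    flows = []
    for i in range(40):   # camera: 40 distinct hosts probed in 40 seconds
        port = 2323 if i % 10 == 0 else 23
        flows.append((1000 + i, "10.0.5.17", f"198.51.100.{i + 1}", port, "S"))
    for i in range(3):    # admin workstation: same switch, three sessions
        flows.append((1000 + i * 1200, "10.0.1.8", "10.0.0.2", 23, "S"))
    for i in range(25):   # DVR: 25 hosts, but only one every 30 seconds
        flows.append((1000 + i * 30, "10.0.5.23", f"203.0.113.{i + 1}", 23, "S"))
    flows.append((1005, "10.0.5.17", "192.0.2.10", 443, "S"))  # not Telnet
    return flows


def find_scanning_devices(flows, window_s=60, min_targets=20):
    """Return {src_ip: peak count of distinct Telnet targets in one window}."""
    per_src = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        if port in TELNET_PORTS and flags == "S":   # connection attempts only
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> attempts inside current window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window: drop attempts older than window_s seconds.
            while ts - events[start][0] >= window_s:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_scanning_devices(build_sample_flows()).items():
        print(f"{ip}: {peak} distinct Telnet targets within 60 s")
```

The slow-probing DVR in the sample stays under the default threshold, which shows why a single fixed window needs a second, longer-horizon rule alongside it.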

Move to “Active Defense”

Traditional incident response processes, while a significant part of an organization’s security program, are reactive in nature.

In response to the increase of highly sophisticated attacks and vulnerable attack surfaces, and the rapidity of attacks, organizations and agencies are adopting more proactive measures, known as “active defense.”

Active defense takes into consideration threat intelligence information (information about threats that is collected, analyzed, and shared among communities) to rapidly act on threat information.

Active Defense Components

An active defense relies on the following components:

- Identification of mission-critical assets and systems that will be targets of attack
- Identification of “threat actors,” or those who would be most likely to attack these assets
- Knowledge of attacker tactics, techniques, and procedures (TTPs), identifying the methods that would be used by the attacker to attack the asset

Using this knowledge, the organization can take steps to fortify (harden) the assets: increasing monitoring for anomalous events at vulnerable assets and installing additional security devices, such as firewalls, Intrusion Prevention Systems, or honeypots (the installation of fake servers designed to deceive or redirect attacker activities).

While not entirely in scope of this introduction to the active defense concept, a good reference to use is Lockheed-Martin’s “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” Focused principally on how to target and engage adversaries by understanding how they will attack, this paper describes the approaches that can be taken to defend the assets. The document is available for download from the National CyberWatch Center website, URL https://www.nationalcyberwatch.org/resource/intelligence-driven-computer-network-defense-informed-by-analysis-of-adversary-campaigns-and-intrusion-kill-chains-2/.

Ethical Issues

Ethical and privacy issues are arising on a daily basis with critical infrastructure protection. Some of these issues include:

- The use of unmanned aerial vehicles (UAVs, or drones) to monitor critical infrastructure assets, such as oil pipelines, bridges, or power lines. This technology could be abused to spy on individuals, collecting unauthorized data. (Infosec Institute, 2014)
- Existing data privacy standards do not translate well into IoT. A Hewlett-Packard study performed in 2014 found that “more than 90 percent of all IoT devices examined collected at least one piece of personal information.” Of these devices, over 70% lacked sufficient authentication to the data on the device, as well as lacked encryption. (NSTAC, 2014)

Can you think of other ethical issues associated with different sectors, such as the Financial Services Sector or the Healthcare and Public Health Sector?

Sources:

- Infosec Institute. “Privacy and Security Issues for the Usage of Civil Drones.” April 25, 2014. Retrieved from http://resources.infosecinstitute.com/privacy-security-issues-usage-civil-drones/. Have students review the source document.
- President’s National Security Telecommunications Advisory Committee. (2014). “Report to the President on the Internet of Things.” Draft. Retrieved from: https://www.dhs.gov/sites/default/files/publications/IoT%20Final%20Draft%20Report%2011-2014.pdf.

Additional issues might concern the identifiable patient health information collected, or the potential manipulation of financial information.

Privacy-by-Design

Implement privacy-by-design at project initiation. Privacy-by-design provides standards for:

- Privatizing, or anonymizing, data at collection so that it is collected anonymously but data can still be aggregated for analysis.

NIST has begun a privacy engineering initiative, integrating the Fair Information Practice Principles (FIPPs) to risk management frameworks. This provides an excellent example of government and private sector collaboration to arrive at a solution. (NSTAC, 2014)

Citation: President’s National Security Telecommunications Advisory Committee. (2014). “Report to the President on the Internet of Things – Draft.” Retrieved from: https://www.dhs.gov/sites/default/files/publications/IoT%20Final%20Draft%20Report%2011-2014.pdf