Cyber Espionage: “The Internet is God’s gift to spies”
Plus: The New Security Heroes
Alan Paller, The SANS Institute, apaller@sans.org
Topics for today
The Public Is Awakening
Editorial, January 26: “Why the 'China virus' hack at US energy companies is worrisome,” by John Yemma, Editor: “The stakes in the global cyber-war are at least as high as those in the global war on terror.”
Four years building to public outrage
August 29, 2005: Titan Rain
August 17, 2006: Gen. Lord confirms

Titan Rain
“They hit hundreds of computers that night and morning alone.
“At 10:23 p.m. PST, they found vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona.
“At 1:19 am PST, they found the same hole in computers at the military's Defense Information Systems Agency in Arlington, Virginia.
“At 3:25 am, the Naval Ocean Systems Center, a defense department installation in San Diego, CA.
“At 4:46 am PST, the United States Army Space and Strategic Defense installation in Huntsville, AL.”
What kind of data did they take?
“a huge collection of files had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.”
Major General William Lord
“China has downloaded 10 to 20 terabytes of data from the NIPRNet.”
“They’re looking for your identity so they can get into the network as you.”
“There is a nation-state threat by the Chinese.”
Maj. Gen. William Lord, director of information, services and integration in the Air Force’s Office of Warfighting Integration and Chief Information Officer. August 21, 2006, Government Computer News, “Red Storm Rising”.

October 6, 2006: Commerce BIS Division. The federal government's Commerce Department admitted Friday that heavy attacks on its computers by hackers working through Chinese servers have forced the bureau responsible for granting export licenses to lock down Internet access for more than a month.
Four years building to public outrage
Dec 1, 2007: 300 British companies
Apr 8, 2009: The Grid
Four years building to public outrage
January 15, 2010: Google and more
January 25, 2010: Oil companies
Setting the stage
Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, April 17, 2007. Chairman: Jim Langevin (RI): "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security."
State Dept witness: Don Reid, Senior Coordinator for Security Infrastructure
Commerce Dept witness: Dave Jarrell, Manager, Critical Infrastructure Protection Program
Two responses: Commerce and State

Commerce:
- No idea when it got in, how it got in, or where it spread
- Took 8 days to filter (ineffective)
- Unable to clean the systems; forced to replace them
- Do not know whether they have found or gotten rid of the infections

State:
- Detected it immediately
- Put an effective filter in place within 24 hours; shared the filter with other agencies
- Found two zero-days
- Helped Microsoft and AV companies create patches and signatures
- Cleaned infected systems, confident all had been found
What was the difference?
Was it tools? No. Almost the same commercial tools; Commerce had more commercial IPS/IDS.
Was it skills? Yes.
Commerce: the only experience was firewall operations, not even firewall engineering. No training other than prep for Security+ and later for CISSP.
State: experience and training in forensics, vulnerabilities and exploits, deep packet inspection, log analysis, script development, secure coding, reverse engineering. Plus counter-intelligence. And managers with strong technical security skills.
How critical is the shortage of technical security skills?
Jim Gosler (first director of CIA’s CITO, the Clandestine Information Technology Office) in a meeting in the Pentagon (10/08) with Bill Studeman, Lin Wells, Bob Lentz, Melissa Hathaway and several others: “The US has no more than 1,000 people with the advanced security skills to compete in cyberspace at world class levels – we need 20-30,000!” No one disagreed.
Other evidence of the shortage: “fratricide” among the integrators serving the Intelligence Community.
Why these skills matter
Wicked Rose
Key weapons in the next war will be people with advanced, technical cyber security skills.
Emerging Consensus in Military Cyber Skills Development
- Offense and defense need the same deep technical skills but may diverge in late stages of development
- Training should be phased, with significant on-the-job experience between training elements
- Team composition is equally important: different people will be better at some tasks than others; the model is special forces teams
The New Security Heroes
Alan Paller
Bringing about broad based change when no one works for you
The problem: CISOs are accountable for IT security, BUT they directly supervise only a small part of the systems actually in use.
What makes a security hero?
- Radically improves security in ways that can be measured reliably and replicated
- Ensures operational people are not asked to do the impossible
- Ends the security wars with IT operations and with the audit staff
- Teaches other organizations how to do the same thing, or provides the catalyst to allow others to do even more
Results in 12 Months
Proof: Federal Aurora Response
Google hack: IE vulnerability, zero day
IAVA and government notices
What percent of systems were reported patched at DoD in four months?
What percent were actually patched at State in the first 9 days?
Quantify Special Threats
Chart: Google Aurora attack, MS patch, February to March 2010
He never visited any of the 200+ foreign sites. So how did he do it?
Continuous monitoring and high-level data reporting. Also known as: Continuous C&A and Continuous FISMA Compliance.
What allows continuous monitoring to work?
It combines:
- Reliability and fairness in the metrics
- Authoritative consensus on what is important enough to need to be measured
But where did the consensus come from? And what else makes metrics effective?
Authoritative and important: how can you prove you meet those criteria?
The big idea: “Offense informs defense!”
Who understands offense?
- NSA Red Teams
- Top commercial forensics teams
- NSA Blue Teams
- DoD Cyber Crime Center (DC3)
- JTF-GNO
- AFOSI
- US-CERT (plus 3 agencies that were hit hard)
- Army Research Laboratory
- DoE National Laboratories
- Top commercial pen testers
- State Dept.
Would they be willing to combine their knowledge of attacks and offense to define the most important defensive investments CIOs must make?
Result: Twenty Critical Controls, Consensus Audit Guidelines (CAG)
The twenty key controls:
- 15 subject to automation; examples: vulnerabilities, inventory, wireless, configuration
- 5 that are important but cannot be easily automated
15 critical controls can be automated (CAG ID, Consensus Audit Guidelines control, NIST mapping, CIRT events over 11 months)
1. Inventory of authorized and unauthorized hardware. NIST: CM-1, CM-2, CM-3, CM-4, CM-5, CM-8, CM-9. CIRT events (11 mo): Multiple Tools; < 6%; < 22%
2. Inventory of authorized and unauthorized software. NIST: CM-1, CM-2, CM-3, CM-5, CM-7, CM-8, CM-9, SA-7
3. Secure configurations for HW and SW, if available. NIST: CM-6, CM-7, CP-10, IA-5, SC-7. CIRT events (11 mo): Nominal
4. Secure configurations for network devices such as firewalls and routers. NIST: AC-4, CM-6, CM-7, CP-10, IA-5, RA-5, SC-7
5. Boundary defense. NIST: AC-17, RA-5, SC-7, SI-4. CIRT events (11 mo): < 7%
6. Maintenance/analysis of complete security audit logs. NIST: AU-1, AU-2, AU-3, AU-4, AU-6, AU-7, AU-9, AU-11, AU-12, CM-3, CM-5, CM-6, SI-4
7. Application software security. NIST: AC-4, CM-4, CM-7, RA-5, SA-3, SA-4, SA-8, SA-11, SI-3. CIRT events (11 mo): Decentralized
8. Controlled use of administrative privileges. NIST: AC-6, AC-17, AT-2, AU-2
9. Controlled access based on need to know. NIST: AC-1, AC-2, AC-3, AC-6, AC-13. CIRT events (11 mo): < 1%
10. Continuous vulnerability testing and remediation. NIST: CA-2, CA-6, CA-7, RA-5, SI-2
11. Dormant account monitoring and control. NIST: AC-2, PS-4, PS-5
12. Anti-malware defenses. NIST: AC-3, AC-4, AC-6, AC-17, AC-19, AC-20, AT-2, AT-3, CM-5, MA-3, MA-4, MA-5, MP-2, MP-4, PE-3, PE-4, PL-4, PS-6, RA-5, SA-7, SA-12, SA-13, SC-3, SC-7, SC-11, SC-20, SC-21, SC-22, SC-23, SC-25, SC-26, SC-27, SC-29, SC-30, SC-31, SI-3, SI-8. CIRT events (11 mo): < 60%
13. Limitation and control of ports, protocols and services. NIST: AC-4, CM-6, CM-7, SC-7. CIRT events (11 mo): Not yet graded
14. Wireless device control. NIST: AC-17
15. Data leakage protection. NIST: AC-2, AC-4, PL-4, SC-7, SC-31, SI-4. CIRT events (11 mo): Pending
But: “We don’t have a lot of money; how can we get started doing what State did?”
John Gilligan’s answer:
- You already have most (70%) of the tools you need to automate security risk measurement.
- The State Dept. will give you the software they use to measure and display risk.
- This isn’t a money issue or a technology issue. It’s a leadership issue.
- You don’t have to wait for someone to tell you to do it.
- There is no other path available to CIOs and security managers to escape from the “compliance morass” and make a measurable difference in security.
A relevant story: Dog chases truck. Truck stops. Dog thinks: “Now what do I do?”
Now What Do We Do?
- We measure risk continuously and radically reduce the vulnerabilities (following the State Dept. model)
- We build a cadre of skilled security architects
- We buy products/systems with security baked in
- We increase the rewards for security people with key technical skills (licensing)
- We train system administrators to become the human sensor network
- We support colleges only if they teach programmers how to code securely
- We find and nurture young (and not-so-young) people with extraordinary technical skills to become the cyber guardians/warriors for the future
How Automated Continuous Monitoring Works
Results in 12 Months
State used the “20 Critical Controls”
Portrait of a security hero!