Securing Defence Networks: A Practical Approach by Arif Shoqui,

Cisco Public 1 © 2011 Cisco and/or its affiliates. All rights reserved. Securing Defence Networks : A Practical Approach Sqn Ldr Shouqi (Retd) Chief Defence Architect, APAC

Description:

DEFCOM, India’s most important Defense event covering all three Sister Services – Army, Navy and Air Force – lived up to its expectations in 2011. Cisco participated in a major way and ensured its sessions and demos all aligned to the event’s theme: “Enabling Information and Communication Technologies (ICT) for Info Age Warfare”. Cisco expert Suhas Mansingh, Senior Director, presented a paper on ‘Emerging Optical Transport Technologies & Architectures’ and Arif Shouqi spoke on ‘Strategic Approaches to security of Defense Networks: A Practical Blueprint’. Cisco showcased two LIVE demos at our booth: WSON (Wavelength Switched Optical Network) and a Security Encryption Demo supported by SRE-N

Transcript of Securing Defence Networks: A Practical Approach by Arif Shoqui,

Page 1:

Securing Defence Networks: A Practical Approach. Sqn Ldr Shouqi (Retd), Chief Defence Architect, APAC

Page 2:

• Identify leading vulnerabilities

• Analyze them

• Suggest some practical steps to mitigate the risk

Page 3:

• Technical Vulnerabilities

• Human Vulnerabilities

• Process Vulnerabilities

Page 4:

Source: HP TippingPoint

Page 5:

Source: HP TippingPoint

Page 6:

• Defence networks are air-gapped - Jumping the air gap is not easy

• Follow the KISS principle (Keep It Simple, Stupid)

  • Web 1.0 vs Web 2.0

  • Choose a browser, then disable all plug-ins and ‘cute’ extras

  • Move towards a simple Operating System with basic capabilities

  • Simple databases with simple queries; sacrifice performance for security

  • Configure or compile out unused applications and infrastructure; have only what you need and use

• Data Transfer Controls – no movable storage, or use custom adaptors and drivers to prevent commercial storage being used

So what remains, then...?

Page 7:

Page 8:

• Apple, HP, Sony have (inadvertently) shipped pre-owned hardware with malware in them*

• Compromised ICs are the ultimate sleeper cells – Gen Wesley Clark

• DARPA has a three-year programme where:

  • MIT engineers create chips with hardwired malware, and

  • Three private companies are given a load of compromised and uncompromised chips, and devise tests to catch them

• In 2008 the FBI announced a multi-year inquiry into counterfeit Cisco routers

Supply chain penetration is a serious threat... armies guard their installed hardware with their lives, but who guards the warehouse from where it was sourced?

*Source : Verizon executive Marcus Sachs, 2007 at Internet Security Alliance

Page 9:

[Supply-chain diagram; labels recoverable from the slide: Military, SI, Distributor, Reseller, OEM, OEM (“Fake? eBay?”), Fake: $235, Orig: $1375]

Page 10:

400 fake devices were supplied to the US military by authorized suppliers. There is an FBI investigation in progress... though the intent was mercenary, it is an eminently exploitable channel.

HP, Nortel, Cisco and 3Com have all been hit by counterfeit equipment

Together, they formed AGMA (Alliance for Gray Market and Counterfeit Abatement)

Page 11:

Page 12:

• Social engineering – People are the biggest vulnerability

  • With hardware and software becoming increasingly secure, people have become the preferred target.

  • Endeavour to trigger strong human emotions that make someone more susceptible to bypass technical protections

• Human vulnerabilities – ‘the seven weaknesses’ that are exploited

  • Greed

  • Sexuality

  • Trust

  • Vanity

  • Curiosity

  • Compassion

  • Anxiety

Kiddies attack technology, pros attack people...

Page 13:

• As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.

• Greeting card:

• hxxp://xtremedefenceforce.com/[omitted] hxxp://elvis.com.au/[omitted]

• Merry Christmas!

  Executive Office of the President of the United States
  The White House
  1600 Pennsylvania Avenue NW
  Washington, DC 20500

2 gigabytes of PDFs, Microsoft Word and Excel documents from dozens of victims were uploaded to a server in Belarus

Page 14:

Tickles people’s vanity... WOW, I am invited!

Page 15:

• Compromised employees

• Go no further than WikiLeaks – allegedly kick-started the Tunisian revolution and the Arab Spring

• DARPA has an ongoing project CINDER – Cyber INsiDER threat, whose purpose is to detect hostile behaviour, not ferret out people.

Dealing with the insider threat is very complex and difficult, with measures ranging from robust legislation to a very intelligent security operations centre

Page 16:

• Omega Corporation, leader in precision instrumentation and measurement devices

• Computerized their design and manufacture, sales took off and they beat competition hollow

• 25,000 different products, customizable to 500,000 distinct designs

• Software and databases controlled the entire process

Page 17:

• Tim Lloyd was a star employee, who got sidetracked as the organization grew.

• At some point he was fired for misbehavior.

• A few days later a logic bomb destroyed every bit of the software used to run the company.

• Omega never recovered their prime position.

Page 18:

Page 19:

• Baseline the network behaviour: traffic patterns, load patterns, resource utilization, port utilization, flow patterns

If you don’t know what is normal, how will you recognize the abnormal?

• Inventory your applications

If you don’t know what should be running, how will you identify what should not be running?

• Define access control and privilege levels

If you don’t know who should be there, how will you know who should not?

A Security Operations Centre is the first practical step towards building security into people, policy and procedure – it can start small and scale up. Anomalous behaviour detection is the most effective way of dealing with insider threats AND compromised hardware
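The three questions above (what is normal, what should be running, who should be there) can be turned into a mechanical check. The following is an added illustration, not code from the presentation: it learns a per-source, per-port baseline from constructed flow records, holds an approved-service inventory, and reports flows that fall outside either. All addresses, ports and byte counts are constructed sample data.

```python
from collections import defaultdict

# Constructed baseline flows from a known-good period: (src, dst, dst_port, bytes)
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 443, 12000),
    ("10.1.1.10", "10.1.2.5", 443, 9800),
    ("10.1.1.11", "10.1.2.6", 1433, 45000),
    ("10.1.1.11", "10.1.2.6", 1433, 52000),
    ("10.1.1.12", "10.1.2.7", 22, 3100),
]

# Constructed application inventory: (host, port) pairs approved to be listening.
APPROVED_SERVICES = {("10.1.2.5", 443), ("10.1.2.6", 1433), ("10.1.2.7", 22)}

def build_baseline(flows):
    """Learn, per (src, dst_port), the peers seen and the byte-count range."""
    peers = defaultdict(set)
    volume = defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[(src, port)].add(dst)
        volume[(src, port)].append(nbytes)
    return {key: (peers[key], min(v), max(v)) for key, v in volume.items()}

def check_flows(flows, baseline, approved, tolerance=2.0):
    """Return (flow, reason) pairs for flows that deviate from what is known."""
    findings = []
    for flow in flows:
        src, dst, port, nbytes = flow
        if (dst, port) not in approved:
            findings.append((flow, "service not in approved inventory"))
        elif (src, port) not in baseline:
            findings.append((flow, "source never used this port in baseline"))
        else:
            seen_dsts, _lo, hi = baseline[(src, port)]
            if dst not in seen_dsts:
                findings.append((flow, "new peer for this source/port"))
            elif nbytes > hi * tolerance:
                findings.append((flow, "volume above baseline maximum"))
    return findings

# Constructed observation window evaluated against the baseline.
NEW_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 443, 11000),    # within baseline: no finding
    ("10.1.1.12", "10.1.2.6", 1433, 800),     # host never used the DB port
    ("10.1.1.11", "10.1.2.6", 1433, 400000),  # far above the usual volume
    ("10.1.1.10", "10.1.2.9", 4444, 500),     # service absent from inventory
]

if __name__ == "__main__":
    for flow, reason in check_flows(NEW_FLOWS, build_baseline(BASELINE_FLOWS), APPROVED_SERVICES):
        print(f"{flow}: {reason}")
```

The volume tolerance and the choice of (source, port) as the baseline key are deliberately simple; a real SOC would baseline over longer windows and more dimensions (time of day, resource utilization) as the slide lists.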

Page 20:

Page 21:

• Sensors are your eyes and ears on the network; they should be like Caesar's wife – above suspicion

• The more the merrier – a large sensor base makes for early detection and good quality decisions (example – IronPort vs Sophos vs McAfee vs Symantec)

• A mix of network based sensors and host based sensors

• Always available, incorruptible, low overhead, flexible and configurable, scalable, fail gracefully

• Eventually all autonomous network sensors should be completely indigenous, but a start has to be made somewhere

Page 22:

• Air Force Act, 1950 Part 1, Section 34(L)

“(l) knowingly does any act calculated to imperil the success of the military, naval or air forces of India or any forces co-operating therewith or any part of such forces;”

... shall, on conviction by court-martial, be liable to suffer death or such less punishment as is in this Act mentioned.

This is applicable only during active service, but here is a question:

If someone, in gross violation of policy, uses a USB drive on an operational network, thereby infecting the network, which takes radars offline during active service five years thence, would he or she be subject to section 34(l)?

Robust legislation, from which strong and clear rules and regulations are derived, which are then relentlessly enforced and monitored, is essential in tackling human vulnerabilities

Page 23:

Thank you.