Securing Defence Networks: A Practical Approach by Arif Shoqui
Cisco Public 1 © 2011 Cisco and/or its affiliates. All rights reserved.
Securing Defence Networks: A Practical Approach
Sqn Ldr Shouqi (Retd), Chief Defence Architect, APAC
• Identify leading vulnerabilities
• Analyze them
• Suggest some practical steps to mitigate the risk
• Technical Vulnerabilities
• Human Vulnerabilities
• Process Vulnerabilities
(Vulnerability statistics charts; source: HP TippingPoint)
• Defence networks are air-gapped: jumping the air gap is not easy
• Follow the KISS principle (Keep It Simple, Stupid)
  • Web 1.0 vs Web 2.0
  • Choose a browser, then disable all plug-ins and "cute" extras
  • Move towards a simple operating system with basic capabilities
  • Simple databases with simple queries; sacrifice performance for security
  • Configure or compile out unused applications and infrastructure; have only what you need and use
• Data transfer controls: no movable storage, or use custom adaptors and drivers to prevent commercial storage being used
So what remains, then?
• Apple, HP, Sony have (inadvertently) shipped pre-owned hardware with malware in them*
• Compromised ICs are the ultimate sleeper cells – Gen Wesley Clark
• DARPA has a three-year programme where:
  • MIT engineers create chips with hardwired malware, and
  • three private companies are given a load of compromised and uncompromised chips and devise tests to catch them
• In 2008 the FBI announced a multi-year inquiry into counterfeit Cisco routers
Supply chain penetration is a serious threat. Armies guard their installed hardware with their lives, but who guards the warehouse from which it was sourced?
*Source: Verizon executive Marcus Sachs, 2007, at the Internet Security Alliance
(Supply chain diagram: Military, SI, Distributor/Reseller, OEM, OEM; "Fake? eBay?"; Fake: $235, Orig: $1375)
400 fake devices were supplied to the US military by authorized suppliers. An FBI investigation is in progress. Though the intent was mercenary, it is an eminently exploitable channel.
HP, Nortel, Cisco and 3Com have all been hit by counterfeit equipment
Together, they formed AGMA (Alliance for Gray Market and Counterfeit Abatement)
• Social engineering: people are the biggest vulnerability
  • With hardware and software becoming increasingly secure, people have become the preferred target
  • Endeavour to trigger strong human emotions that make someone more susceptible to bypassing technical protections
• Human vulnerabilities: "the seven weaknesses" that are exploited
  • Greed
  • Sexuality
  • Trust
  • Vanity
  • Curiosity
  • Compassion
  • Anxiety
Kiddies attack technology, pros attack people.
• As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we're profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.
• Greeting card:
  • hxxp://xtremedefenceforce.com/[omitted]
  • hxxp://elvis.com.au/[omitted]
• Merry Christmas!
  Executive Office of the President of the United States, The White House, 1600 Pennsylvania Avenue NW, Washington, DC 20500
2 gigabytes of PDFs, Microsoft Word and Excel documents were taken from dozens of victims and uploaded to a server in Belarus.
Tickles people's vanity: WOW, I am invited!
• Compromised employees
• Look no further than WikiLeaks, which allegedly kick-started the Tunisian revolution and the Arab Spring
• DARPA has an ongoing project, CINDER (Cyber INsiDER threat), whose purpose is to detect hostile behaviour, not to ferret out people
Dealing with the insider threat is very complex and difficult, with measures ranging from robust legislation to a very intelligent security operations centre
• Omega Corporation, a leader in precision instrumentation and measurement devices
• Computerized their design and manufacture; sales took off and they beat the competition hollow
• 25,000 different products, customizable to 500,000 distinct designs
• Software and databases controlled the entire process
• Tim Lloyd was a star employee, who got sidetracked as the organization grew.
• At some point he was fired for misbehavior.
• A few days later a logic bomb destroyed every bit of the software used to run the company.
• Omega never recovered their prime position.
• Baseline the network behaviour: traffic patterns, load patterns, resource utilization, port utilization, flow patterns
If you don't know what is normal, how will you recognize the abnormal?
• Inventory your applications
If you don't know what should be running, how will you identify what should not be running?
• Define access control and privilege levels
If you don't know who should be there, how will you know who should not?
A Security Operations Centre is the first practical step towards building security into people, policy and procedure; it can start small and scale up. Anomalous behaviour detection is the most effective way of dealing with insider threats AND compromised hardware.
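An added example (not from the presentation) of the baselining and inventory steps above, in Python: it learns each host's normal destination ports and bytes-per-flow from constructed flow records, then flags flows in a later window that go to a port the host never used, move a volume far outside its norm, or come from a host never seen before, and it checks running processes against an application inventory. Host names, ports, byte counts and process names are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (host, destination port, bytes); not real traffic.
BASELINE = [
    ("radar-ws1", 443, 1200), ("radar-ws1", 443, 1500), ("radar-ws1", 53, 80),
    ("radar-ws1", 443, 1300), ("radar-ws1", 53, 90), ("radar-ws1", 443, 1400),
    ("ops-db1", 1521, 9000), ("ops-db1", 1521, 9500), ("ops-db1", 1521, 8800),
    ("ops-db1", 1521, 9100), ("ops-db1", 1521, 9300), ("ops-db1", 1521, 9200),
]
# Constructed observation window: one host talks to a port it never used,
# another moves far more data than its baseline, a third was never seen.
OBSERVED = [
    ("radar-ws1", 443, 1250), ("radar-ws1", 6667, 400),
    ("ops-db1", 1521, 9000), ("ops-db1", 1521, 250000),
    ("unknown-pc", 80, 500),
]
# Constructed application inventory versus what is actually running.
EXPECTED_APPS = {"radar-ws1": {"radarctl", "sshd"}, "ops-db1": {"oracle", "sshd"}}
RUNNING_APPS = {"radar-ws1": {"radarctl", "sshd", "updater-x"}, "ops-db1": {"oracle", "sshd"}}

def build_baseline(flows):
    """Per host: the destination ports seen and mean/stddev of bytes per flow."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for host, port, nbytes in flows:
        ports[host].add(port)
        sizes[host].append(nbytes)
    return {h: {"ports": ports[h], "mean": mean(sizes[h]), "sd": pstdev(sizes[h])}
            for h in ports}

def detect_anomalies(baseline, flows, z_limit=3.0):
    """Flag unknown hosts, new destination ports, and byte counts beyond z_limit sigma."""
    findings = []
    for host, port, nbytes in flows:
        base = baseline.get(host)
        if base is None:
            findings.append((host, "host not in baseline"))
            continue
        if port not in base["ports"]:
            findings.append((host, f"new destination port {port}"))
        sd = base["sd"] or 1.0  # constant baseline: treat any deviation as notable
        if abs(nbytes - base["mean"]) / sd > z_limit:
            findings.append((host, f"byte volume {nbytes} outside baseline"))
    return findings

def unexpected_apps(expected, running):
    """Processes observed on a host that the application inventory does not list."""
    extra = {h: procs - expected.get(h, set()) for h, procs in running.items()}
    return {h: p for h, p in extra.items() if p}
```

A real deployment would feed NetFlow or sensor exports into `build_baseline` over a training period and run `detect_anomalies` on each new window; the findings are what a SOC analyst triages.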
• Sensors are your eyes and ears on the network; they should be like Caesar's wife: above suspicion
• The more the merrier: a large sensor base makes for early detection and good-quality decisions (example: IronPort vs Sophos vs McAfee vs Symantec)
• A mix of network based sensors and host based sensors
• Always available, incorruptible, low overhead, flexible and configurable, scalable, fail gracefully
• Eventually all autonomous network sensors should be completely indigenous, but a start has to be made somewhere
• Air Force Act, 1950 Part 1, Section 34(L)
“(l) knowingly does any act calculated to imperil the success of the military, naval or air forces of India or any forces co-operating therewith or any part of such forces;”
... shall, on conviction by court-martial, be liable to suffer death or such less punishment as is in this Act mentioned.
This is applicable only during active service, but here is a question:
If someone, in gross violation of policy, uses a USB drive on an operational network, thereby infecting the network, which takes radars offline during active service five years thence, would he or she be subject to section 34(l)?
Robust legislation, from which strong and clear rules and regulations are derived, which are then relentlessly enforced and monitored, is essential in tackling human vulnerabilities
Thank you.