Cyber Espionage: “The Internet is God’s gift to spies” • Plus: The New Security Heroes • Alan Paller, The SANS Institute, apaller@sans.org
The Public Is Awakening • Editorial, Jan 26: “Why the 'China virus' hack at US energy companies is worrisome,” by John Yemma, Editor: “The stakes in the global cyber-war are at least as high as those in the global war on terror.”
Four years building to public outrage • August 29, 2005: Titan Rain • August 17, 2006: Gen. Lord Confirms
Titan Rain • “They hit hundreds of computers that night and morning alone.” • “At 10:23 p.m. PST, they found vulnerabilities at the U.S. Army Information Systems Engineering Command at Fort Huachuca, Arizona.” • “At 1:19 am PST, they found the same hole in computers at the military's Defense Information Systems Agency in Arlington, Virginia.” • “At 3:25 am, the Naval Ocean Systems Center, a defense department installation in San Diego, CA.” • “At 4:46 am PST, the United States Army Space and Strategic Defense installation in Huntsville, AL.”
What kind of data did they take? • “a huge collection of files had been stolen from Redstone Arsenal, home to the Army Aviation and Missile Command. The attackers had grabbed specs for the aviation-mission-planning system for Army helicopters, as well as Falconview 3.2, the flight-planning software used by the Army and Air Force.”
Major General William Lord • “China has downloaded 10 to 20 terabytes of data from the NIPRNet.” • “They’re looking for your identity so they can get into the network as you.” • “There is a nation-state threat by the Chinese.” (Maj. Gen. William Lord, director of information, services and integration in the Air Force’s Office of Warfighting Integration and Chief Information Officer; Government Computer News, August 21, 2006)
“Red Storm Rising” • October 6, 2006: Commerce BIS Division: “The federal government's Commerce Department admitted Friday that heavy attacks on its computers by hackers working through Chinese servers have forced the bureau responsible for granting export licenses to lock down Internet access for more than a month.”
Four years building to public outrage (continued) • Dec 1, 2007: 300 British companies • Apr 8, 2009: The Grid • January 15, 2010: Google & more • January 25, 2010: Oil companies
Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, April 17, 2007 • Chairman Jim Langevin (RI): "We don't know who's inside our networks. We don't know what information has been stolen. We need to get serious about this threat to our national security." • Setting the stage • State Dept witness: Don Reid, Senior Coordinator for Security Infrastructure • Commerce Dept witness: Dave Jarrell, Manager, Critical Infrastructure Protection Program
Two responses • Commerce: No idea when it got in, how it got in, or where it spread; took 8 days to put a filter in place (ineffective); unable to clean the systems, forced to replace them; do not know whether they have found or gotten rid of the infections • State: Detected it immediately; put an effective filter in place within 24 hours and shared it with other agencies; found two zero-days; helped Microsoft and the AV companies create patches and signatures; cleaned the infected systems, confident all had been found
What was the difference? • Was it tools? No. Almost the same commercial tools; Commerce actually had more commercial IPS/IDS. • Was it skills? Yes. • Commerce: the only experience was firewall operations, not even firewall engineering; no training other than prep for Security+ and later for the CISSP. • State: experience and training in forensics, vulnerabilities and exploits, deep packet inspection, log analysis, script development, secure coding and reverse engineering, plus counterintelligence, and managers with strong technical security skills.
How critical is the shortage of technical security skills? • Jim Gosler (first director of the CIA’s CITO, the Clandestine Information Technology Office), in a meeting in the Pentagon (10/08) with Bill Studeman, Lin Wells, Bob Lentz, Melissa Hathaway and several others: “The US has no more than 1,000 people with the advanced security skills to compete in cyberspace at world class levels – we need 20-30,000!” • No one disagreed • Other evidence of the shortage: “fratricide” among the integrators serving the Intelligence Community
Why these skills matter (Wicked Rose) • Key weapons in the next war will be people with advanced, technical cyber security skills
Emerging Consensus in Military Cyber Skills Development • Offense and defense need the same deep technical skills but may diverge in late stages of development • Training should be phased with significant on the job experience between training elements • Team composition is equally important: different people will be better at some tasks than others; Model is special forces teams
The New Security Heroes • Alan Paller, apaller@sans.org
Bringing about broad-based change when no one works for you • The problem: CISOs are accountable for IT security, but they directly supervise only a small part of the systems actually in use.
What makes a security hero? • Radically improves security in ways that can be measured reliably and replicated • Ensures operational people are not asked to do the impossible; ends the security wars with IT operations and with the audit staff • Teaches other organizations how to do the same thing, or provides the catalyst that allows others to do even more
Proof: Federal Aurora Response • Google Hack • IE Vulnerability – zero day • IAVA and government notices • What percent of systems were reported patched at DoD in four months? • What percent were actually patched at State in the first 9 days?
Google – Aurora Attack: “Quantify Special Threats” (chart: MS10-012 patch status, Feb to March 2010)
Continuous monitoring and high-level data reporting • He never visited any of the 200+ foreign sites. So how did he do it? • Also known as: Continuous C&A and Continuous FISMA Compliance
What allows continuous monitoring to work? It combines: • Reliability and fairness in the metrics • Authoritative consensus on what is important enough to need to be measured • But where did the consensus come from? • And what else makes metrics effective?
Authoritative and ImportantHow can you prove you meet those criteria? The big idea: “Offense informs defense!”
Who understands offense? • NSA Red Teams • NSA Blue Teams • DoD Cyber Crime Center (DC3) • US-CERT (plus 3 agencies that were hit hard) • Top Commercial Pen Testers • Top Commercial Forensics Teams • JTF-GNO • AFOSI • Army Research Laboratory • DoE National Laboratories • State Dept. Would they be willing to combine their knowledge of attacks and offense to define the most important defensive investments CIOs must make?
Result: Twenty Critical Controls / Consensus Audit Guidelines (CAG) • The twenty key controls • 15 subject to automation, for example: Vulnerabilities, Inventory, Wireless, Configuration • 5 that are important but cannot be easily automated
But: “We don’t have a lot of money; how can we get started doing what State did?” John Gilligan’s answer: • You already have most (70%) of the tools you need to automate security risk measurement. • The State Dept. will give you the software they use to measure and display risk. • This isn’t a money issue or a technology issue. It’s a leadership issue. You don’t have to wait for someone to tell you to do it. • There is no other path available to CIOs and security managers to escape from the “compliance morass” and make a measurable difference in security.
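The automatable controls listed above (vulnerabilities, inventory, configuration) are the raw material for the risk measurement Gilligan refers to. The Python below is an added illustration of how such a continuous-monitoring score can be rolled up from per-host findings to a per-site ranking; it is not code from this deck, from SANS or from the State Department, and the severity weights, the age multiplier, the grade thresholds and the sample findings are all assumptions constructed for the example. It concentrates on the point the deck puts under “reliability and fairness in the metrics”: findings that stay open keep gaining weight, and sites are ranked per authorised host rather than by raw total, so a large site is not ranked worst simply because it has more machines.

```python
"""Continuous-monitoring risk scoring (added illustration, not the State
Department's actual formula, which the deck does not reproduce).

Per-host findings from three automatable control areas (vulnerabilities,
inventory, configuration) are scored, escalated by how long they have been
open, rolled up per site, and normalised by authorised host count so sites
can be ranked fairly. All weights, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed sample findings (not real scan output):
# (site, host, control area, severity, ISO date first observed)
FINDINGS = [
    ("Embassy-A", "wks-01",  "vuln",      "critical", "2010-01-22"),  # browser zero-day patch still missing
    ("Embassy-A", "wks-01",  "config",    "medium",   "2010-02-10"),
    ("Embassy-A", "wks-02",  "vuln",      "high",     "2010-02-20"),
    ("Embassy-A", "srv-01",  "config",    "low",      "2010-03-01"),
    ("Embassy-B", "wks-11",  "vuln",      "high",     "2010-02-25"),
    ("Embassy-B", "rogue-7", "inventory", "high",     "2010-02-28"),  # host absent from authorised inventory
    ("Embassy-C", "wks-21",  "vuln",      "medium",   "2010-03-02"),
    ("Embassy-C", "wks-22",  "vuln",      "low",      "2010-03-03"),
    ("Embassy-C", "wks-23",  "config",    "low",      "2010-03-03"),
]

# Constructed authorised host counts per site, used to normalise by size.
HOST_COUNT = {"Embassy-A": 40, "Embassy-B": 10, "Embassy-C": 300}

# Assumed weights and thresholds; the deck gives no numbers.
BASE_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
CONTROL_WEIGHT = {"vuln": 1.0, "config": 1.0, "inventory": 1.5}  # unknown hosts weigh extra
GRADE_THRESHOLDS = [(0.1, "A"), (0.5, "B"), (1.0, "C"), (2.0, "D")]  # per-host score upper bounds
TODAY = "2010-03-10"  # report date for the sample run


def finding_score(control, severity, first_seen, today=TODAY):
    """Score one finding; the longer it stays open, the more it counts.

    Assumption: +50% for every 30 days open, capped at 4x, so a stale
    critical outweighs a fresh one and nobody can wait a finding out.
    """
    age_days = (date.fromisoformat(today) - date.fromisoformat(first_seen)).days
    if age_days < 0:
        raise ValueError(f"first_seen {first_seen} is after report date {today}")
    age_multiplier = min(1.0 + 0.5 * (age_days // 30), 4.0)
    return BASE_WEIGHT[severity] * CONTROL_WEIGHT[control] * age_multiplier


def site_scores(findings=FINDINGS, host_count=HOST_COUNT, today=TODAY):
    """Return {site: {'raw': total, 'per_host': total / authorised hosts}}.

    Every site in host_count appears, so a site with no findings scores 0
    instead of silently disappearing from the report.
    """
    totals = defaultdict(float)
    for site, _host, control, severity, first_seen in findings:
        if site not in host_count:
            raise KeyError(f"finding for unknown site {site}")  # no unowned findings
        totals[site] += finding_score(control, severity, first_seen, today)
    return {
        site: {"raw": round(totals[site], 2),
               "per_host": round(totals[site] / host_count[site], 3)}
        for site in host_count
    }


def rank_sites(scores):
    """Worst site first, by per-host score (the size normalisation)."""
    return sorted(scores, key=lambda s: scores[s]["per_host"], reverse=True)


def letter_grade(per_host):
    """Map a per-host score to the letter grade a CIO dashboard would show."""
    for upper, grade in GRADE_THRESHOLDS:
        if per_host < upper:
            return grade
    return "F"


def report(scores):
    """Dashboard rows: (site, raw, per_host, grade), worst first."""
    return [(s, scores[s]["raw"], scores[s]["per_host"], letter_grade(scores[s]["per_host"]))
            for s in rank_sites(scores)]


if __name__ == "__main__":
    for site, raw, per_host, grade in report(site_scores()):
        print(f"{site:10} raw={raw:7.2f} per_host={per_host:6.3f} grade={grade}")
```

On the constructed data the raw totals would put Embassy-A (40 hosts, one critical open for 47 days) at the top, while the per-host view ranks the 10-host Embassy-B worst because of the unauthorised host and an unpatched high; the 300-host Embassy-C with three minor findings lands at the bottom on both views. Publishing the per-host figure and its grade, with the same weights applied to every site, is what lets a small security office rank hundreds of sites it will never visit without the site managers being able to argue the numbers are unfair.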
A relevant story.. • Dog chases truck • Truck stops • Dog thinks: “Now what do I do?”
Now What Do We Do? • We measure risk continuously and radically reduce the vulnerabilities (following the State Dept. model) • We build a cadre of skilled security architects • We buy products/systems with security baked in • We increase the rewards for security people with key technical skills (licensing) • We train system administrators to become the human sensor network • We support colleges only if they teach programmers how to code securely • We find and nurture young (and not-so-young) people with extraordinary technical skills to become the cyber guardians/warriors for the future