260 likes | 376 Views
The Potential Impact of Recent Changes to the Texas Administrative Code on Cyber Threats. ISF, 2011 April 20, 2011 Dr. Robert Jamieson General Manager, LSS, Underwriters Laboratories. Agenda. A Brief Background on Cyber Threats The Cyber Security Issues we face
E N D
The Potential Impact of Recent Changes to the Texas Administrative Code on Cyber Threats ISF, 2011 April 20, 2011 Dr. Robert Jamieson General Manager, LSS, Underwriters Laboratories
Agenda • A Brief Background on Cyber Threats • The Cyber Security Issues we face • Our approach to these threats & issues • Changes on how we communicate • Changes to the Texas Administrative Code • Conclusions
Background • Birth of the Internet • ARPANET, Security, and the design of the Internet • The Internet as a Teenager • Demise of POTS • It’s Software not Hardware • How can I make a Buck at this???
Luckiest Person Alive Central Bank NigeriaCentral Business District,Abujah,Federal Capital Territory,P.M.B. 0187,Garki Abuja.Nigeria.Phone:++ 2347084835254Contract/Inheritance Payment File Approval:Didn’t you receive the mail I sent to you yesterday? Due to the urgency of the meeting held today and from the records of Outstanding contractors due for payment with the Federal Government Of Nigeria (FGN) your name and your email address was discovered as next on the list of the outstanding contractors who have not received their payments. I wish to inform you that your part payment is being processed and will be released to you as soon as you respond to this letter. Also note that from my record in my file your part payment outstanding is US$10M (Ten Million United States Dollars).Consequently, we received a directive from the office below to urgently release your inheritance fund to you with out further delay;UNITED NATIONS OFFICE801 Second Avenue , 2nd FloorNew York , NY 10017 USAMr. Anthony Walton,UN Vice ChairmanPlease re-confirm to me if this is Online with what you have in your record and also re-confirm to me the followings;(*) Your full name: (*) Your full address: (*) Your direct phone/mobile line: As soon as this information’s are received, the part payment will be transfer to you through your nominated Bank Account or through a certified Bank Draft by the Central Bank of Nigeria NOTE: You most identify this code Number (350CBN)Please reply to my alternative email address sanusilamido254@gmail.comYou can call my direct line +2347084835254 Take this very serious and stop any contact with those imposter's that are working against your fund.Best RegardsDr.LamidoSanusiC.B.N Governor
Payloads View Your Delivery Content (Urgent) From: SanusiLamaidosanders@mail.mn Message From Sanusi.rtf (6KB) I am MR.SANUSI LAMIDO AMINU the new appointed Governor of Central Bank Of Nigeria (CBN).Please view message for full details and reply me immediately. Thanks
Why is this important? • IT networks now support building systems, SCADA & PLC Systems, as well as telecommunications but are unprotected • These systems are highly vulnerable to attack • They operate our critical infrastructure
What can be done about Cyber Attacks? • Take Managerial Measures – Procurement, Design, Access Control, End-User Education, Compliance with standards • Take Technical Measures – Firewalls, IPS, Load Balancing, Software Updates • Conduct Penetration Testing • Procure equipment that have been tested to withstand vulnerabilities (ex. UL-2825)
What can be done about Cyber Attacks? • Design critical systems useing encryption (i.e. FIPS-140; ISO/IEC-19790) • Constantly deep scan systems to insure that it is “malware” free • Use physical separation of networks when possible for critical systems (air-gap) • Educate, educate, educate users on Social Engineering Cyber attacks
Cyber Security Focus Areas • Social Engineering related attacks (spam, phishing, etc.) • Malware (Trojans, Botnets, Key loggers, etc.) • Attacks on operating systems software (vulnerabilities & resiliencies)
Industry/Technology Transformation Short Product Development Life Cycles Large Product Selection Industry Rate of Product Innovation Interoperability Issues Security Issues Technology Requirements for Performance Standards Audit/Test/Certify Government
How are Governments Approaching the issues? • International examples – China, India, Russia, EU • US Examples – Texas, USG
Texas Administrative Code (H.B. 1830) SECTION 7. Subchapter B, Chapter 2059, Government Code Sec. 2059.060.VULNERABILITY TESTING OF NETWORK HARDWARE AND SOFTWARE (a) The department shall adopt rules requiring, in state agency contracts for network hardware and software, a statement by the vendor certifying that the network hardware or software, as applicable, has undergone independent certification testing for known and relevant vulnerabilities. (c) Unless otherwise provided by rule, the required certification testing must be conducted under maximum load conditions in accordance with published performance claims of a hardware or software manufacturer, as applicable.
UL 2825Outline of Investigation for Resiliency of Network Infrastructure Components
Scope of UL 2825 • This network device resiliency outline applies to the performance of individual network infrastructure equipment. • It is intended to determine the ability of such equipment to continue to operate as intended per the manufacturer’s claims of performance under specific network traffic while being subjected to exploits of published known vulnerabilities. • Main tests performed using BreakingPoint CTM • Traffic throughput • Traffic exception handling • Resiliency • 33 network application protocols
Applicable Products • Switches • Routers • Proxy Servers • Firewalls • Intrusion Prevention Systems • Load Balancers • Universal Threat Management • Converged Network Server Equipment
Product Certification Process • Manufacturer engages with a lab to assess products • Assessment performed under UL 2825 • If requirements met, the product is listed in an online certification directory • If product fails to meet all requirements, the lab should work with the manufacturer to address issues • Product is re-certified upon significant product changes or when new vulnerabilities that can possibly affect the product are published
UL 2825 ANSI Standard Process • Standards Technical Panel (STP) Consensus Formation • Manufacturers • End users • Academia, Subject Matter Experts • Government • Other SDOs • Next Edition of UL 2825 • Formation of STP for 2nd Edition UL 2825 • STP develops 2nd Edition • 2nd Edition is published with scope expansion
Conclusions • Technological change is accelerating and will continue to do so • Our communications paradigm has shifted • With this shift we have become highly vulnerable to cyber attacks (hacking, social network exploits, or worse) • We can do something about this but must develop and awareness in our community of the issue and solutions
Thank you for your kind attention Dr. Robert Jamieson General Manager Life Safety & Security Underwriters Laboratories e-mail: robert.jamieson@us.ul.com
Sources/Additional Reading • Clarke, R. & Kanake, R., (2010), Cyber War; The next threat to national security and what to do about it. New York, NY: Harper Books • Sommer, P., & Brown, I., (14 Jan, 2011), Reducing Systemic Cybersecurity Risk. OECD Report, Oxford University, UK