Gerald Fralick, CSO − October 16, 2014
How Secure is Our Nation’s Infrastructure: A Year in Review and What Lies Ahead
PRESIDENTIAL POLICY DIRECTIVE/PPD-21
The Nation's critical infrastructure provides the essential services that underpin American society. The PPD-21 Directive establishes national policy on critical infrastructure security and resilience, and is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure.
The PPD-21 Directive refines / clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, and enhances overall coordination and collaboration.
Strategic Imperatives to Strengthen Critical Infrastructure
- Refine and clarify functional relationships across the Federal Government
- Enable effective information exchange
- Implement an integration and analysis function
Critical Infrastructure
What Is Critical Infrastructure?
Critical infrastructure is comprised of 16 major sectors, and is the backbone of our nation's economy, security and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.
Critical infrastructure is the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Critical Infrastructure Sectors – Overview
Chemical Sector: Composed of 5 main segments: Basic Chemicals * Specialty Chemicals * Agricultural Chemicals * Pharmaceuticals * Consumer Products
Commercial Facilities: Composed of 8 subsectors: Public Assembly * Sports Leagues * Gaming * Lodging * Outdoor Events * Entertainment / Media * Real Estate * Retail
Critical Manufacturing: Comprised of 4 core manufacturing industries: Machinery * Primary Metal * Electrical Equipment / Appliance / Component * Transportation Equipment
Dams
Defense Industrial Base: Components are: Companies – Domestic Entities * Companies – Foreign Entities * Production Assets in Various Countries
Emergency Services: The nation’s first line of defense against: Natural Threats * Cyber Related Threats * Workforce Threats * Manmade Threats
Energy Sector: Uniquely critical, providing an enabling function across all critical infrastructure sectors: Natural Gas * Petroleum * Electricity
Financial Services: Because cyber threats are a significant concern to this sector, the Treasury Department works closely with US-CERT to identify the latest threats to cyber infrastructure and disseminates threat information within the sector.
Critical Infrastructure Sectors – Overview (continued)
Food and Agriculture: Critical dependencies with many sectors, but particularly with: Water / Wastewater Systems * Transportation Systems * Energy * Pharmaceuticals * Financial Services, Chemical, and Dams
Government Facilities: Includes buildings located in the US and overseas owned / leased by federal, state, local and tribal governments: Buildings * Education Facilities * National Monuments
Healthcare / Public Health: Protects all sectors of the economy from hazards such as terrorism, infectious diseases, etc. Symbiotic sectors: Communications * Emergency * Energy * Food / Ag * Info Technology * Transportation * Water / Wastewater
Information Technology: The heart of the nation’s security, economy, public health and safety sectors
Nuclear Reactors, Materials and Waste: Components are: Nuclear Fuel Cycle Facilities * Nuclear Power Plants * Radioactive Materials * Non-Power Reactors * Decommissioned Nuclear Power Reactors * Manufacturers of Nuclear Reactors / Components * Transportation, Storage, and Disposal of Nuclear / Radioactive Waste
Transportation System: Seven key subsectors: Aviation * Highway Infrastructure * Motor Carrier * Maritime * Mass Transit * Passenger Rail * Pipeline Systems * Freight Rail * Postal / Shipping
Water / Wastewater: Vulnerabilities are contamination with deadly agents and physical attacks (cyber / chemical)
Communications: Underlies all operations of all businesses, public safety organizations, and government.
Critical Infrastructure - Summary
All 16 sectors are interdependent and interconnected, tied together.
A successful attack on any one of them would be severely detrimental to the well-being and fabric of the United States.
In the world of Information Technology, where are the holes, the vulnerabilities?
How do we, as CISOs, CSOs and IT security specialists, detect and prevent security compromises, and prove that our networks, end point products, and infrastructure are really secure?
The Year In Review: What Has Changed
Trusted Sources – how do we decide who / what is a trusted source? How do we quantify / qualify “trusted”?
Supply Chain Security – closer scrutiny of components and of how / where our products are developed and manufactured.
Public perception and awareness of vulnerabilities, and demand for reassurance that products / services / online websites are safe and secured.
Cost of Doing Business has increased:
- The CIO and Compliance Offices: No longer a luxury, but the cost of doing business in a global economy. * Key Skills: SIRT, Auditor, Software Security Architects, Ethical Hacker * Small businesses not able to fund such an office can outsource to 3rd parties
- Cybersecurity Programs are critical
- Costs to compromised businesses of fixing the infrastructure issues, plus lost revenue from reduced consumer spending after breaches. These costs are eventually passed on to consumers.
Border Security in the US is highly vulnerable to infiltration, and breaches are at an all-time high, which in turn places our critical infrastructures at increased risk of terrorist and cyber attacks. One attack can cripple our entire nation and its economy with a domino effect.
Health and medical records are the new “hot commodity” of cyber attacks, even more valuable than credit card information. Once health care information is stolen, it is used to obtain pharmaceuticals, commit Medicare fraud and other crimes.
Increased use of ‘cloud’ services for business and personal use, which are very vulnerable to cyber crime. Businesses often focus on the convenience and low cost of cloud services, but not enough on the potential for security compromise and data breaches.
What Has Changed: The risk of cyber and terrorist attacks against our critical infrastructures has never been higher.
Security Landscape (Customer Concerns):
PAST: 12 MONTHS AGO / FUTURE: 12 – 18 MONTHS OUT
Malware; Back Doors; Spyware; Holes in BIOS
Trustworthy Personnel Screening; Critical Infrastructure Cyber Security Framework
PRESENT: 2014
Supply Chain (Touch Points) – Manufacturing / Assembly / Delivery; Product Security (SIRT) – Security Incident Response Team; Software Development – Where? Design / Dev / Test / Authenticate & Validate; Internet of Things
Liability Shift
Merchants that accept credit cards for payment, but do not have Chip and PIN available to consumers by October 2015, will be held completely liable for breaches.
Reference: http://blogs.wsj.com/corporate-intelligence/2014/02/06/october-2015-the-end-of-the-swipe-and-sign-credit-card/
On June 10th, 2014 the Securities and Exchange Commissioner noted that a "…cyber attack may not have a direct material adverse impact on the company itself, but that a loss of customers", and suggested considering updates to the SEC Cyber Security Guidance for breach disclosure and fines to businesses that suffer breaches. He strongly encouraged companies’ boards of directors to take active roles in their risk management programs and to apply frameworks like the NIST Cyber Security Framework.
Reference: http://www.sec.gov/News/Speech/Detail/Speech/1370542057946
Reference: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
James Comey, Director of the Federal Bureau of Investigation (FBI), said last November that “resources devoted to cyber-based threats will equal or even eclipse the resources devoted to non-cyber based terrorist threats.”
Reference: http://www.hsgac.senate.gov/hearings/threats-to-the-homeland
The current cybersecurity attacks and breaches have highlighted the need for corporate responsibility for compliance and security within their cybersecurity networks and IT infrastructures. The legal books are being “rewritten” with new laws and new cases resulting from these attacks.
Failure of CISOs, CIOs and CEOs to address these pressing cyber security issues will result in the liability falling back on them as corporate executives.
Not if, but WHEN….
- Target Breach: malicious software in point-of-sale systems; > 40 million credit cards stolen; Cost = 148 million
- Home Depot Breach: malicious software in point-of-sale systems; 5 months & > 60 million credit cards stolen; Cost = Unknown
- State of South Carolina, Department of Revenue: 16 million records stolen; Cost = ~36.6 million
- JP Morgan Chase: breach penetrated internal working systems in the bank; 76 million households and 7 million businesses affected; Cost = Unknown
- Fidelity Investments: attacked by the same group as JP Morgan Chase, but hackers were unable to penetrate any of the security on their network systems
The U.S. per record cost for a data breach averages $194.
Business and banks are not the only targets of cyber crime. Health care records are rapidly becoming the new “hot commodity” and target of hackers. Between April – June 2014, hackers penetrated Community Health Systems, resulting in 4.5 million health care records stolen.
Network Infrastructure and Security
Over the course of the year, network infrastructure and security has become even more important as cyber criminals become more aggressive and specific in their targets and attacks. Hardening network infrastructure is key to building immunity and resistance to those attacks.
Weakness in network infrastructure results in a high risk of cyber exploitation. Our nation’s critical infrastructures depend on the ‘wellness’ of their associated IT networks.
The perception was that any cyber attacks were / would be from external sources breaking through firewalls, etc. The Target security breach showed that the focus must also be on hardening network infrastructure internally, to avoid compromise from within.
- Device Integrity
- Secure Management
- Secure Protocol Standards / Strong Cryptography
- Secure Logging
- Stringent regulations on BYOD programs (and use of thumb drives)
What’s on the CIO’s (CISO) Mind
- Mobility
- Business Enablement
- Compliance
- Data Theft
- Spear Phishing
- Advanced Malware
- Hacktivists
- Cloud (Vendor Management)
- Threat Intelligence / Vetting
- Insider Threat
- Targeted Attackers / APT
- Attack Preparation and Response (Incident Response Plans)
With all the lapses in people, process, and technology, how do I not become the next victim or the next headline?
Secure Supply Chain Management: Key Questions for IT Industry Vendors:
- Do you have a secure supply chain management program? (e.g. What is it based on?)
- Does your program address hardware, firmware, and software that is packaged on the system?
- What embedded software do you have on your devices?
- How do you ensure that the firmware and software on your device have not been altered?
- Does your code get reviewed externally for security vulnerabilities?
- How do you ensure that unauthorized code is not inserted?
- How do you ensure that counterfeit parts are not in your products?
Supply Chain Management – System(s) Root of Trust
Hardware
• Baseboard
• CPU
• Memory
• Hard Drive
• HSM
• Storage
Firmware
• BIOS
• UEFI
• BMC
• TMM
• Drivers (e.g. Audio, Video)
Bundled Software
• Operating System (e.g. Windows 7, Windows 8)
• Internally Developed Software
• 3rd Party
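One concrete way to answer the vendor question "how do you ensure that the firmware and software on your device have not been altered" is a measured-integrity check that anchors a component manifest to a single root-of-trust value. The block below is an added example, not Lenovo's or the deck's own code; the component names, image bytes and the anchor hash are all constructed, and the anchor stands in for a value a real platform would hold in hardware.

```python
import hashlib

def sha256(data: bytes) -> str:
    """Measurement function: one digest per component image."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample images standing in for the firmware and bundled-software
# layers from the slide (hypothetical bytes, not real firmware).
GOLDEN_IMAGES = {
    "firmware/BIOS": b"BIOS v1.02 build 2014-09-30 (constructed sample)",
    "firmware/BMC": b"BMC v3.1 (constructed sample)",
    "software/OS": b"Windows 8 base image (constructed sample)",
    "software/3rd-party": b"bundled agent 2.0 (constructed sample)",
}

def canonical_manifest(entries: dict) -> bytes:
    """Fixed ordering so vendor and device hash the manifest identically."""
    return "\n".join(f"{n}={h}" for n, h in sorted(entries.items())).encode()

def build_manifest(images: dict):
    """Vendor side: per-component digests plus one root hash over the manifest.
    The root hash is what a hardware root of trust would anchor (a fused value
    or a TPM policy); in this example it is simply returned as a constant."""
    entries = {name: sha256(data) for name, data in images.items()}
    return entries, sha256(canonical_manifest(entries))

def verify_platform(images: dict, manifest: dict, trusted_root_hash: str):
    """Device side: walk the chain from the anchor down to each component.
    Returns (ok, findings); findings lists every mismatch, so an operator
    sees all altered, missing or unlisted components, not just the first."""
    findings = []
    # Step 1: the manifest itself must hash to the anchored root value;
    # if it does not, nothing it says about the components can be trusted.
    if sha256(canonical_manifest(manifest)) != trusted_root_hash:
        return False, ["manifest does not match root of trust"]
    # Step 2: each listed component must be present and measure as recorded.
    for name, expected in manifest.items():
        data = images.get(name)
        if data is None:
            findings.append(f"{name}: missing")
        elif sha256(data) != expected:
            findings.append(f"{name}: measurement mismatch")
    # Step 3: anything present that the manifest never listed is unauthorized code.
    for name in images:
        if name not in manifest:
            findings.append(f"{name}: not in manifest (unauthorized component)")
    return not findings, findings

MANIFEST, ROOT_HASH = build_manifest(GOLDEN_IMAGES)

if __name__ == "__main__":
    print("pristine platform:", verify_platform(GOLDEN_IMAGES, MANIFEST, ROOT_HASH))
    altered = dict(GOLDEN_IMAGES, **{"firmware/BIOS": b"BIOS v1.02 (modified)"})
    print("altered BIOS:", verify_platform(altered, MANIFEST, ROOT_HASH))
```

The same three steps apply to the hardware layer when components expose a measurable identity (for example a TPM endorsement value), which is where the "root of trust" on the slide is meant to sit.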
Attacks Targeting Supply Chain
“Bad BIOS” and “Bad USB”: highly publicized issues in firmware that allow a malicious attacker to gain low-level access to systems.
July 7th, 2014 – ZombieZero hit hardware scanners of large shipping and logistics companies. The hardware supply chain was the suspected avenue of attack.
July 22nd, 2010 – Dell PowerEdge motherboards shipped with malware (Spybot worm)
Source: http://www.zdnet.com/dell-poweredge-motherboards-ship-with-malware-3040089615/
June 16th, 2014 – Android smartphone shipped with spyware
Source: https://blog.gdatasoftware.com/blog/article/android-smartphone-shipped-with-spyware.html
A U.S. power plant was taken offline for three weeks when a computer virus attacked a turbine control system. The virus was introduced when a technician unknowingly inserted an infected USB drive into the network.
Source: http://www.theage.com.au/it-pro/government-it/malicious-virus-shuttered-power-plant-us-government-20130116-2cuox.html
Analysis of End Point – Laptop Component Sourcing
Component            | Lenovo TP T440   | HP E840           | Dell Latitude 7440
CPU / Chipset / vPro | Intel            | Intel             | Intel
LCD                  | Multiple; Asia   | LG; China         | LG; China
FPR Sensor           | Validity; China  | Validity; China   | Broadcom / China
Smart Card Reader    | Alcor; China     | Alcor; China      | O2Micro; China
Touchpad             | Synaptics; China | Synaptics; China  | Alps; China
Memory               | Multiple; Asia   | Ramaxel; China    | Micron; Korea
HDD                  | Multiple; Asia   | Hitachi; Thailand | Seagate; Korea
WLAN Card            | Intel; China     | Intel; China      | Atheros; China
Ethernet             | Intel; China     | Intel; China      | Intel; China
TPM                  | ST Micro; China  | Infineon; Asia    | Atmel; Asia
Super I/O            | Toshiba; China   | SMSC; Taiwan      | SMSC; Taiwan
Embedded Controller  | Microchip; Taiwan | N/A              | SMSC; Taiwan
Assumption: HP and Dell, like Lenovo, have multiple sources
What Lies Ahead: A Call to Action
- Assess and communicate security risks – adopt a uniform framework such as the NIST standards, and perform regular compliance assessments.
- Better articulate risks and audit findings with business stakeholders – perform routine reporting of cybersecurity threats to build support for security initiatives.
- Explore creative paths to improve cybersecurity effectiveness within your organizations using the current federated governance models – create cybersecurity competency centers or pursue a shared services model.
- Focus on audit and continuous monitoring of third party compliance – focus on communicating cybersecurity policies and practices to partners.
- More thorough vetting and screening processes for vendors and employees who have access to sensitive information or technology. Closer scrutiny of internal “IT hygiene” practices.
- Validation of supply chain “touchpoints”
- Location of software code development
- Independent validation and verification of software code development / root of trust
Framework Introduction
Presidential Executive Order 13636 – “Improving Critical Infrastructure Cybersecurity”
- Calls for development of a voluntary cybersecurity Framework that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.
- Developed in collaboration with industry
- Provides guidance to an organization on managing cybersecurity risk.
2014 LENOVO INTERNAL. ALL RIGHTS RESERVED.
Framework Overview
The Framework is a risk-based approach to managing cybersecurity risk.
Composed of three parts:
- Framework Core: A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure.
- Framework Implementation Tiers: Provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.
- Framework Profile: Represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.
Framework Core – Four Elements
Functions – organize basic cybersecurity activities at their highest level:
1. Identify – Develop organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
2. Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
3. Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
4. Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
5. Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Categories – subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.
Subcategories – further divide a Category into specific outcomes of technical and/or management activities.
Informative References – specific sections of standards, guidelines and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory.
What Lies Ahead: A Call to Action
Critical Infrastructure – Time to Comply
Supply Chain: How secure is your end product from point A (origination) to the point of delivery (Z)?
Unified Capabilities Approved Products List (UC APL): a consolidated list of products that have completed Interoperability (IO) and Information Assurance (IA) certification; it is used by the US military and managed by the Defense Information Systems Agency.
NIST FIPS 140-2 (Cryptography): Federal Information Processing Standards (FIPS) 140-2 is the standard for equipment used in US government IT applications and environments. This is a US standard, but for civilian agencies.
Common Criteria: The civilian-focused international standards, adopted by 26 member countries, for security requirements for information technology products in both government and private sector use. This is a globally applicable standard.
Use of government-approved NIST & NSA test labs (7 outside Ft. Meade, MD, and the NSA).
Critical Infrastructure – Proof of Security
- Products
- Networks
- Infrastructure
- Cloud
- Data
Use of external cybersecurity standards, regulations, frameworks, and guidance.
Questions?
Jerry Fralick – Chief Security Officer
Think Business Group
Lenovo USA
1009 Think Place
Morrisville, NC 27560
919-257-6172