Information Security Implications for Emergency Response Teams
Mark Lachniet
Analysts International

Introductions
• Mark Lachniet ([email protected])
• Senior Security Engineer at Analysts International – Sequoia Services Group
• Technical lead for the AIC Security Group
• Certified Information Systems Security Professional (CISSP)
• Member of the High Tech Crime Investigation Association (HTCIA)
• Technical certifications from Novell, Microsoft, Linux Professional Institute, etc.
• Formerly the I.S. Director at a K-12 school district

A Show of Hands
• How many are technical people? Are you in information security?
• How many are in law enforcement?
• How many work for a utility or local government?
• How many work for a university or college?
• How many work for a company?
• How many are their organization’s primary ER coordinator?

Disclaimer
• I work in information security, not in law enforcement, so my opinions about terrorism and emergency response are based on research and not on first-hand experience
• I will not pretend to understand the intricacies of emergency management – you are the experts, so please tell me where I’m wrong
• If you can think of an implication or issue, *please* raise your hand and speak up!
• All of the scenarios and information I will be talking about are very well documented in libraries and on the Internet – if I can come up with it, anyone can

Purpose of Today’s Presentation
• Discuss *some* of the aspects of information security that are relevant to emergency response personnel:
– The idea of “Cyber-Terrorism”
– “Coordinated cyber attacks”
– Interaction between the “virtual” and “real” worlds (e.g. attacks that are actually possible)
– Protection of support resources (i.e. communication systems, databases such as RamSafe, etc.)
• Provide an overview of some information security procedures and services that you should be using
• Provide links, works cited and references for continued research and investigation
• Provide time for discussion (in person, via e-mail or some other avenue) about specific issues of concern
• Most importantly – to raise awareness. Things are bad in computer security, and we don’t want Michigan to be a casualty!
• My assumption is that this audience is primarily interested in hearing about those things that affect emergency response, so we will limit our scope to this

The CIA Triangle
(Diagram: a triangle with Confidentiality, Integrity and Availability at its three corners)
• Confidentiality
– Protecting against the unintended or unauthorized disclosure of computer data or information
• Integrity
– Protecting against the unintended or unauthorized modification of computer data or information
• Availability
– Protecting against the loss of service of critical applications, systems, data, networks or computer services
• We need to worry about all three!

The Goal of Information Security
• Simply put: “To be more annoying to break into than your neighbor”
• The house and neighborhood metaphor
• Increase the “work factor” of attacking you by erecting as many barriers as possible (defense in depth)
• Ultimately, network security is all about preserving the functionality of the organization. Technology is just the tool.
• For this audience, information security could mean the difference between a rapid response and lost lives, so the stakes are higher

Security, ER and the Internet
• Thanks to the Internet, information about how to break into computer systems is trivially easy to find
• The level of sophistication required to attack systems has been reduced greatly, leading to an army of “script kiddies”
• Information about emergency response, military tactics, bomb making, and a variety of other “intelligence” topics is also readily available to anyone who wants it
• *All* of the good guys are scrambling to keep up, but the genie is out of the bottle

“Cyber-Terrorism”
• Is somewhat misunderstood and over-hyped in the media
• Can be defined as “Use of information technology and means by terrorist groups and agents”
• A recent simulation of a so-called “Electronic Pearl Harbor” by a variety of law enforcement and computer types found that the threat was greatly over-hyped
• However, this is because the simulation focused primarily on an ALL-electronic attack on infrastructure, trying to burn up nuclear plants, etc.
• The analogy is made that a cyber attack is similar to a military bombing campaign
• It is focused on destroying supporting infrastructure, with the intent to cause chaos, reduce efficiency, and reduce morale
• Since military bombing campaigns (e.g. in WWII in the Pacific and in Germany) were not nearly as effective as hoped, it is assumed that a cyber attack would also not be very successful at disrupting infrastructure
• However, I believe this is a misunderstanding because of the way that a coordinated cyber attack / real-world attack could occur
• People also rightly point out that the point of terrorism is to instill terror in the populace to achieve a political goal
• While an attack just on technology might not do this, a cyber attack used in coordination with a real attack could cause a great deal of terror
• Take for example a bombing or bio-terrorist incident that was coordinated with an attack that hindered the “real world” response of emergency response crews
• Not only would people be worried about the direct terrorist threat, but also worried that the emergency response system was vulnerable

Factors Favoring the Attacker
• Attackers can pick and choose their targets
• A physical attack in one city may be more or less the same as another city to a terrorist
• However, the information security habits of one company versus another, one school versus another, and ER organizations may vary greatly
• The attacker can take their time to find the one place that has poor information security, and leverage this in their attack
• Most organizations are so far behind in security that they would never know they were probed in the first place

Historical Attacks
• In November 2001 a man was sentenced to two years in prison for using the Internet, a wireless radio and stolen control software to release up to one million liters of sewage from a treatment facility in Australia
• The scary part is that it was only on the 45th attempt at compromising the system that he succeeded. The first 44 attempts were never noticed
• This was only sewage, but it could have been any other type of SCADA (Supervisory Control And Data Acquisition) system – the same used by some power companies, water facilities, etc.

Recent History
• After the outbreak of the “Slammer” worm on the Internet this weekend, a number of fire department and 911 dispatch systems outside of Seattle, Washington reported that they had to resort to paper and pencil to conduct business for several hours
• This was from a simple worm (virus), and not even from a targeted attack
• In another example, in 1997 a juvenile disabled an FAA radar tower by disrupting the telephone communication system it relied on
• There are many other examples…

Scenario #1: Disrupt Communications
• Disable the fire/police department phone systems (including 911)
• PBX and telephone hacking (called “phreaking”) has been around for years and is well documented
• A hacker could also use previously-compromised machines with modems on them as “slaves” to attack communications such as:
– Have several computers constantly dial each of the ER response cell phones and pagers (rendering them useless)
– Fill up the 911 and ER phone queues, as well as those of adjoining municipalities
• Techniques also exist to jam up cell towers and phones using interference-generating equipment
• Other wireless technologies are just as susceptible, even peer-to-peer radio networks without repeaters, etc.
• MDTs (Mobile Data Terminals) in police cruisers could certainly be disrupted (especially at the transmitter)
• The latest version of Phrack (see links) contains detailed information about how to make a device to jam civilian GPS devices

Scenario #2 – Traffic Lights
• Another way to inhibit ER efforts would be to create a traffic situation that stopped emergency response personnel from easily reaching their destination
• What if all of the traffic lights were red or otherwise manipulated to cause large-scale traffic jams all around the city? All lanes of traffic would be clogged, and nobody could get out of the way for ambulances, police, etc.
• Even an emergency vehicle override wouldn’t work in this situation
• The latest version of Phrack has DETAILED information on how to hack into traffic light control systems

Scenario #3 – Misdirection
• Although likely non-technical, misdirection could also be a problem
• Creating a less critical emergency (such as one or more bomb scares) in other locations that the ER folks must respond to, and then hitting with a real attack elsewhere
• Releasing sewage, spreading talcum powder, lighting trashcans on fire, etc.

Scenario #4 – Attack Computer Systems
• This is more of a “conventional” computer security issue
• Any computer, application or database that is going to be counted upon as a tool for ER can be a point of attack
• This could include email and paging systems, databases such as RamSafe, 911 call tracking systems, etc.
• If any computer technology is required to adequately do your job, it needs to be appropriately protected through appropriate information security practices and technologies

Common Security Practices
• There are a lot of facets to information security. We won’t have time to talk about them all, but here are a few things that are bare minimums to consider
• Security is a nascent field in many respects
• Terminology, procedures and skill levels vary drastically between people and organizations
• Some disagreement over what best practices actually are (i.e. the best placement of an IDS)
• Few objective benchmarks to allow “apples to apples” comparisons for HW, SW, Services
• There is a big technical curve for security – you must first be an expert in the technology, and then learn security on top of it
• Whether you do it internally or get external help, it needs to be done

What We Have to Work With

Common Security Services
• A firewall and Internet border security is simply not enough! This gives rise to the “candy” network – hard on the outside, soft on the inside (and tasty for attackers, too)
• Embrace the concept of “defense in depth.” In other words, have security at multiple layers and in many places to make attacks as difficult as possible.
• SEGREGATE YOUR CRITICAL DATA from everything else – internet, phones, everything
• The Michigan State Police are making a reasonably good attempt at protecting LEIN data in this way through the CJIS policy council

Vulnerability Assessments
• Sometimes called “penetration testing”
• Uses “human logic” and hacking tools
• Companies such as mine make a business of this because interpreting results and applying knowledge of the technologies involved is essential.
• The deliverable of a vulnerability assessment should include a list of all hosts, vulnerabilities, and some dialog on how to start fixing them
• Vulnerability assessments should be done regularly – new vulnerabilities come out all the time – so you must stay up to date
• Be warned – other people are assessing your network. Are you?

Security Assessment Services
• Sometimes called an audit
• Sometimes performed in a very limited capacity by financial auditors (mainly backup systems)
• Can be used to audit an actual environment against set criteria, for example to determine compliance
• Should be performed by one or more individuals with backgrounds in both network systems and organizational administration
• Takes a macroscopic view of the organization
• Analyzes technology as well as policies and procedures, configurations, and other items that a tool cannot assess
• Uses interviews, inspection of documentation, and manual analysis (depending upon the focus)
• Should make recommendations on a wide variety of things to improve security
• Should provide a description of the current situation, what best practices are, and what the recommended changes are
• Should provide an estimate of pricing and priority, so that it can be used as a planning document for department priorities and budgets

Operations Security
• Concerned with ways to mitigate security risks through administration – policies, procedures and practices
• The weakest link in the security chain is individual humans (or as Dilbert calls them, “in-duh-viduals”)
• Part of “defense in depth”
• Administration support is critical to any security initiative
• Helps to minimize risk, respond to incidents, and establish standards for how things should be done

Formal I.S. Staff Security Responsibilities
• Security takes time! If nobody is given sufficient time to keep up with security, it will never happen
• The buck must stop somewhere. Who is responsible for it?
• Define explicit security responsibilities for one or more staff members such as firewall maintenance, log review, server patching, etc. (good on a resume)
• Document these responsibilities and how they are done – this will help in the case of a vacation or staff change (hit by a bus or wins the lotto, you choose)
• Provide tools and training opportunities (such as SANS, or Microsoft for K-12 security training)
• Put it in the budget!

Formal Employee Security Responsibilities
• Every computer user has responsibilities they must live up to (or not use the computers)
• For example – don’t share passwords, don’t write passwords on sticky notes, don’t use your last name as your password, etc.
• Information privacy – don’t store important information in an inappropriate place
• Be aware of what is thrown into the trash – classify your data and protect it

Security Awareness
• Staying abreast of the latest issues and solutions in security is critical
• Administrators must budget for and offer training opportunities to technical staff
• Administrators should require that technical staff be signed up for security listservs such as:
– BugTraq / NT BugTraq (www.securityfocus.com)
– Microsoft Bulletins (security.microsoft.com)
• Consider conducting regular internal trainings on security topics
• Consider ways to keep staff up to speed

Physical Security
• It is critical to maintain a physical “zone of control” around important assets. Police departments do a good job of this; many others do not
• Without physical security, all other measures can be circumvented
• There are many types of physical attacks
• Access to critical areas such as wiring closets can provide unrestricted access to the network or allow damage to equipment (“oooh, look at the blinky lights”)
• Physical security is needed to prevent the loss of equipment

Logging and Reporting
• In order to know how your systems are being used, you need to log all activity
• Use reporting tools to summarize and make sense of it!
• It’s too hard and time consuming to scan through logs by hand to find suspicious information
• Instead, use a log reporting tool to make sense of it
• These tools should summarize information such as host and protocol activity, usage trends, most popular hosts, etc.
• The “Cheap Man’s Intrusion Detection”
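
The “cheap man’s intrusion detection” idea above, and the Australian sewage case earlier in the talk (44 unnoticed attempts before the one that succeeded), can be illustrated with a small log summarizer. The following is an added example, not the presenter’s tool or any product mentioned in the talk. The log lines, host names (fw1, scada1) and addresses are constructed (RFC 5737 documentation ranges), the log formats are assumed to be iptables-style firewall lines and OpenSSH-style auth lines, and the alert thresholds are arbitrary assumptions to be tuned against your own baseline.

```python
"""Added example: a minimal 'cheap man's intrusion detection' log summarizer.

Not from the presentation. Log lines, hosts and addresses are constructed.
It counts activity per host, protocol and source, then flags repeated
failures and drops so that 44 quiet attempts do not go unnoticed.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a firewall (fw1) and a control-system host (scada1).
# Addresses come from the RFC 5737 documentation ranges, not real systems.
SAMPLE_LOG = """\
Jan 25 02:14:01 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 25 02:14:03 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 25 02:14:05 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP DPT=23
Jan 25 02:14:06 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP DPT=23
Jan 25 02:14:08 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.20 PROTO=TCP DPT=502
Jan 25 02:15:00 scada1 sshd[411]: Failed password for operator from 203.0.113.9 port 50122 ssh2
Jan 25 02:15:04 scada1 sshd[411]: Failed password for operator from 203.0.113.9 port 50123 ssh2
Jan 25 02:15:09 scada1 sshd[411]: Failed password for operator from 203.0.113.9 port 50124 ssh2
Jan 25 02:16:00 scada1 sshd[412]: Accepted password for operator from 203.0.113.9 port 50130 ssh2
Jan 25 02:16:10 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.30 DST=192.0.2.10 PROTO=UDP DPT=53
Jan 25 02:16:11 fw1 CRON[99]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Assumed formats: iptables-style kernel log lines and OpenSSH auth lines.
TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
FW_RE = re.compile(
    TS + r" (?P<host>\S+) kernel: (?P<action>ACCEPT|DROP) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)")
SSH_RE = re.compile(
    TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)")


class Event(NamedTuple):
    ts: str
    host: str      # logging host
    src: str       # remote address
    dst: str       # destination (the logging host itself for SSH)
    proto: str     # TCP / UDP / SSH
    outcome: str   # ACCEPT, DROP, Failed or Accepted


def parse_line(line: str) -> Optional[Event]:
    """Normalize one log line into an Event, or None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        return Event(m["ts"], m["host"], m["src"], m["dst"], m["proto"], m["action"])
    m = SSH_RE.match(line)
    if m:
        return Event(m["ts"], m["host"], m["src"], m["host"], "SSH", m["result"])
    return None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Roll the raw lines up into the per-host / per-protocol / per-source
    counts the slide asks for, plus the failure patterns worth a second look."""
    parsed = [parse_line(l) for l in lines if l.strip()]
    events = [e for e in parsed if e is not None]
    failed_by_src = Counter(e.src for e in events if e.outcome == "Failed")
    return {
        "by_host": Counter(e.host for e in events),
        "by_proto": Counter(e.proto for e in events),
        "top_sources": Counter(e.src for e in events),
        "drops_by_src": Counter(e.src for e in events if e.outcome == "DROP"),
        "failed_by_src": failed_by_src,
        # A success from an address that was failing just before it is the
        # pattern the sewage case describes: the 45th attempt after 44 misses.
        "succeeded_after_failures": sorted(
            {e.src for e in events
             if e.outcome == "Accepted" and failed_by_src[e.src] > 0}),
        "unparsed": len(parsed) - len(events),
    }


def flag_suspicious(summary: Dict[str, object],
                    fail_threshold: int = 3, drop_threshold: int = 3) -> List[str]:
    """Reduce the summary to a short list a human should actually read.
    Thresholds are arbitrary assumptions; tune them to your own baseline."""
    findings = []
    for src, n in summary["failed_by_src"].items():
        if n >= fail_threshold:
            findings.append(f"{src}: {n} failed SSH logins")
    for src in summary["succeeded_after_failures"]:
        findings.append(f"{src}: successful SSH login after repeated failures")
    for src, n in summary["drops_by_src"].items():
        if n >= drop_threshold:
            findings.append(f"{src}: {n} dropped connections at the firewall")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("Events per host:", dict(s["by_host"]))
    print("Events per protocol:", dict(s["by_proto"]))
    print("Top sources:", s["top_sources"].most_common(3))
    print("Unparsed lines:", s["unparsed"])
    for finding in flag_suspicious(s):
        print("FLAG:", finding)
```

Run against a real syslog file by replacing SAMPLE_LOG with the file contents; lines in other formats are counted as unparsed rather than silently dropped, so a rising unparsed count is itself a sign that a new log source needs a parser.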

Business Continuity Planning
• In the event of a disaster (to the organization, not externally) there needs to be a plan to keep working
• Of those organizations that experience a major disaster, two out of five will go out of business within five years. Although “the show must go on” for government, the cost in lost productivity and salary can be huge
• This means creating detailed plans for prevention, response and recovery of critical systems (both computer and otherwise)
• BCP is a detailed and time consuming process, but it must be done, and it must be maintained in perpetuity

General Information Security Web Sites
• http://www.securityfocus.com (sign up for BugTraq and read the articles)
• http://www.packetstormsecurity.org (seems to change a lot, but lots of dirt)
• http://www.microsoft.com/security
• http://www.sans.org (check out the student papers)
• http://www.cert.org
• http://www.gocsi.com
• http://www.securityportal.com
• http://www.isc2.org

Works Cited
• PHRACK magazine: http://www.phrack.org/show.php?p=60
• United States Strategic Bombing Survey: http://www.anesi.com/ussbs01.htm
• Juvenile Hacker and FAA tower: http://www.cybercrime.gov/juvenilepld.htm
• 911 systems disrupted by Slammer Worm: http://www.msnbc.com/news/864184.asp?0cv=CB10
• CyberTerrorism – the Real Risks: http://news.zdnet.co.uk/story/0,,t269-s2121358,00.html
• CyberTerrorism and Computer Technology: http://www.counterterrorismtraining.gov/pubs/02.html

Discussion
Thank You!