FEATURE
Jason Brvenik, Sourcefire.
1. A network identity context layer that monitors, prioritises and filters traffic at the edge.
2. Packet filtering and firewalling up to layer 7 to differentiate between packets carrying malicious and benign payloads – also at the edge and between network segments.
3. Visibility and access – a layer at the centre of the network that can monitor flows, detect anomalies, and react and report when suspicious items are detected.
4. A central rules enforcement engine enabling consistent traffic management based on business and security policies, rather than device-centric technologies.

A key issue here is that all these layers need to talk to each other, both within and outside the organisation, in order to co-ordinate responses, according to Jason Brvenik, Sourcefire’s security strategy VP. He says that information sharing and trust models are needed for organisations in the same sectors. “Technologies to support that kind of anonymous correlation and real-time dissemination of the threats exist so that we can stop an attack,” he says. “In the old days, threat vectors would have been one zero-day attack used against five financial institutions before somebody discovered it and by then it’s no longer useful. Now we can stop it the first time we see it and the other institutions will get immediate coverage. I think that will be the larger challenge in building a trust model for those things to occur.”
Conclusion

Attacks are more varied and greater in intensity than ever before, they are more financially motivated than ever, and so trust must be established before access is granted. The right security model is of course a vague term, as the right approach depends on circumstances and the usual balance of risk versus costs versus convenience – a decision that can only be made in the boardroom. What’s clear is that security is an issue for the whole organisation and shouldn’t ignore end-user education as a core component of a security strategy. What’s also clear is that yesterday’s methods no longer work and need a complete rethink.
About the author

Manek Dubash is a journalist with over 25 years’ experience. Focused on business and technology, he currently blogs on enterprise infrastructure for ZDNet UK, and contributes regularly to The Register, eWeek and other outlets. His work has appeared in national newspapers as well as specialist technology journals and websites. In the past, he has held senior posts on major newsstand magazines, including PC Magazine UK, Practical Computing and Personal Computer World.
Resources

• Friedman, Jeanne. ‘RSA Conference Survey Reveals Disparity between Security Needs and Technology Purchases’. RSA Conference. Accessed Feb 2011.
• Peterson, Gunnar. ‘Security Architecture Blueprint’. Artec Group, 2007. Accessed Feb 2011.
• Pavone, John. ‘Enterprise Security Architecture: managing security across the lifecycle’. Aspect Security, October 2007. Accessed Feb 2011.
Cyber-terrorism in the process industry

Eddy Willems, G Data Software
Computer Fraud & Security, March 2011

Cyber-terrorism is an intimidating issue that often provokes fear. But while the public at large will often identify the process industry as a possible target for terrorists, the industry itself largely regards the threat as an unlikely scenario.

It is true that many heavy security measures are in place to keep unauthorised people at bay, preventing them from potentially harming large parts of the UK’s population. These extend beyond physical security measures to protection for the computers and networks of enterprises in the process sector. Due to these measures, a virus will have a difficult time infecting these networks. The question that arises is: how secure are those computers that aren’t part of the regular network? Some security experts say that all devices with an IP address are a potential hazard to security. In the future, this may very well be the case. For now, however, we should be primarily concerned about machines that can be described as actual computers, even if their only function is to arrange the programming of an installation.
Aurora

In December 2009 and January 2010 it became apparent that even large global enterprises can fall victim to malware attacks. That’s when the networks of several companies from the Fortune 100 were hacked in what were later named the Aurora attacks. The best-known victim of Aurora was Google China. Google itself alerted the media to the fact that its network had been invaded and a ferocious discussion about political matters of privacy and censorship in China followed. The controversy about this topic of principle completely sidelined the most important issue raised by Aurora: besides Google, over 30 other large enterprises – most, if not all, of whom had their networks protected by security or intrusion prevention software – were also successfully hacked, thanks to the high level of sophistication of the attack. Aurora succeeded in intruding into the networks of these companies by using an – until then – undiscovered and therefore unpatched security vulnerability – a so-called zero-day flaw – in Internet Explorer. This vulnerability provided the malware with access to the system. In addition, the malware, which consisted of no fewer than 12 different programs, was encrypted several times to stay undetected for as long as possible while on the system.

“The attack employed the shrewd tactic of exploiting the immense popularity of social networks”

To make sure the full potential of Aurora was reached, the writers wanted the program installed by the right people, with sufficient rights and authorisation on the system. The virus would be considered ‘successful’ only when it was able to gain control over user accounts with access to business-critical information. To achieve this, email links to an infected website were sent to carefully chosen employees of the targeted companies. However, unsolicited email often gets caught in spam filters and, if not, gets dismissed by the receiver more often than not. So the attack employed the shrewd tactic of exploiting the immense popularity of social networks. The attackers did not try to hack the social network accounts of the key figures in the company, but those of their online friends. Where this succeeded, status updates and messages were sent by these ‘friends’ to the actual target, including links to the infected website. This was a masterstroke, because a link posted by a friend is usually trusted and clicked on. And a visit to an infected site is enough to install the malware on the computer, fully automated and invisibly. The writers of Aurora seem to have thought of everything. By the time the malware was finally detected by security software, the targeted corporate information was already stolen. Aurora was described by experts as ‘the most sophisticated malware ever’ right after its discovery. The consequences for the attacked enterprises (and their customers) were more inconvenient than devastating, as the goal was corporate espionage. The attacks may have placed enormous stress on the IT managers of the targeted companies, but there was no potential risk to the overall population.

Stuxnet

Occurring later that year, Stuxnet was the other big digital attack of 2010. Just like Aurora, Stuxnet was a piece of malware that consisted of multiple parts. But the developers of Stuxnet far exceeded the Aurora developers in one key aspect. Unlike Aurora, Stuxnet did not rely on one zero-day vulnerability, but used no fewer than four. Furthermore, an old zero-day flaw was used, dating from 2008. Microsoft patched the flaw in the same year, but there were many systems, including many process control systems, that never had this patch installed. Due to this gap in security many of these process control systems were wide open to the attack. In order to be categorised as legitimate software by Windows, the writers of Stuxnet did not opt for multilayer encryption like Aurora. Instead, the developers stole legitimate Windows certificates from the still active enterprises Realtek Semiconductors and JMicron.

“The attackers not only have an insight into all company-critical information on the system but, more importantly, they have complete control over the production”

The malware was not meant to infect many computers, but rather to attack a target group of computers. To achieve this goal, the malware exploited infection vectors that required physical contact with infected devices. For instance, Stuxnet was able to spread via USB sticks and devices that support them, such as scanners and shared printers. In order to remain unnoticed, the malware took a slow approach and infected only three other PCs after the initial infection occurred. This shows a focus and discipline on the part of the malware writers that is completely uncharacteristic of the typical cyber-criminal. Once installed on a system, Stuxnet is intelligent enough to conduct a system scan to see if the newly infected host is up to date and capable of quickly discovering malware activity. It also checks whether the computer has Siemens Supervisory Control and Data Acquisition (SCADA) software installed. SCADA systems are widely used in the process industry as part of the process control system. Only if it finds the specific SCADA system will the malware engage in its main task – reprogramming the Programmable Logic Controller (PLC). When this is executed, the attackers not only have an insight into all company-critical information on the system but, more importantly, they have complete control over the production.

Despite its self-imposed limitations when it comes to spreading, Stuxnet succeeded in infecting dozens of industrial enterprises all over the world. There are indications that the main target was the Iranian nuclear industry. Even though the malware was detected just in time, it is worrying that Stuxnet was able to get close to achieving its ultimate goal. The Iranian Government has admitted publicly that its operations were harmed by Stuxnet.

Implications

The Aurora and Stuxnet attacks lead us to various conclusions. First of all, the creation and use of malware is increasingly becoming a professional undertaking. Writing malware is not just a hobby of small-time crooks: it involves highly intelligent developers, financially supported by huge investors, possibly even by the governments of certain countries. A second conclusion is that cyber-attacks are getting more and more sophisticated. Every time a new attack is discovered, experts are left wondering how this malware could have been developed in such a short space of time. Even as one piece of malware is being developed, somewhere another group of developers is working on a new project that will put today’s attack to shame. It is very possible that the next ‘most sophisticated piece of malware’ is installing itself – completely under the radar – onto systems all over the world.

“Blackmail, extortion, total control over industrial processes, destruction and, especially in the case of process industry, damage to the health of the population seem to be the next goals”

Third, the goals seem to be escalating. A few years back, the ultimate goal of malware was to steal money from a bank account. Now, it has moved on to stealing data and corporate secrets. Blackmail, extortion, total control over industrial processes, destruction and – especially in the case of the process industry – damage to the health of the population seem to be the next goals. The latter may come across as a frightening future scenario. Malware has not yet been able to disrupt a society to that extent, but Stuxnet shows that it is a plausible scenario – not just in Iran, where the patching policy might not be as strict as we would like it to be, but also in the UK process industry, where process control systems are regarded as less important when it comes to security. These machines are detached from the corporate network and people do not work directly with them, as they do on computers in the corporate network. The chance of infection is far from zero. The process control system may be an island, but it does have infrastructural connections to the ‘mainland’, even if it is only through people who have direct access to the systems. It is not impossible for the UK process industry to be hit by a cyber-attack; process systems are susceptible to attack and there is the potential for control over the processes to be lost. The implications of this are eye-opening, as few cyber-security experts make proper allowance for this vulnerability.

“Executing software updates and installing patches should not be done in haste, but the process of testing them should be as swift as possible”
Countermeasures

There is a dilemma from an IT perspective: patches can be harmful to process equipment and are therefore tested extensively before they are rolled out. The same applies to security software. Unfortunately, the long lead time this creates results in a shift in precedence: the security of the isolated systems loses priority and years can go by before a critical vulnerability in an operating system is patched, as Stuxnet painfully showed. To combat the threat of these types of attacks, it is crucial to recognise the urgency of securing process control systems – finding the perfect security solution for these systems should be the most important priority. Executing software updates and installing patches should not be done in haste, but the process of testing them should be as swift as possible, in order to fix vulnerabilities in the system quickly, securely and permanently. Another important point to consider is the awareness of employees who are potential targets of cyber-criminals, regardless of whether they are involved with process control. This means that they should be extremely careful about clicking on links in emails and on social networking sites, especially when they are at work. Furthermore, for safety reasons, USB flash drives should be banned from the workplace. These measures can be partially enforced by security policies, which will help employees understand why they have to deal with these limitations at work. Once educated, they are more accepting and will be more likely to try to avoid using devices and applications that expose the company network to danger.
International co-operation

With the measures described above, the risks to individual concerns are decreased. Yet this does not solve the problem of this new branch of organised crime. Fully addressing the issue would have to occur on an international level. It would require governments to come to an agreement, the same way they did over nuclear programmes, and commit to disassociating themselves from the development or financing of these types of cyber-attacks. In addition, governments should commit to procedures to disable future participation while pledging to investigate and punish responsible parties. Of course, these parties do everything in their power to remain anonymous, including using obfuscation tactics. It often happens that Chinese or Russian servers are used in cyber-attacks, but this does not mean the perpetrators are actually located in those countries. Research into cyber-criminals can become public very quickly: it’s important, then, that governments and law enforcement organisations actively co-operate with foreign investigators, or give investigators freedom to conduct their work in their jurisdictions, especially if they do not have the capabilities to do so themselves. Legal repercussions should be heavy and equal in all countries regardless of global status, thereby discouraging cyber-criminals from choosing countries with meagre punishments for cybercrime as their home base.
“For better prevention and investigation of cyber-attacks, international co-operation at political, police and judicial levels is essential”
Besides political, police and judicial organisations, the whole international industrial sector should co-operate to minimise the risks of cyber-attacks. Understandably, enterprises are not keen on openly admitting that their systems have been hacked. However, other organisations will benefit from the knowledge and therefore this practice should be encouraged. When information about a cyber-attack is shared at an early stage, other companies can take measures against it. The industrial sector could also agree to fully co-operate in investigations of cyber-attacks, even if this means that production has to suffer temporarily, or that certain corporate secrets need to be disclosed to investigators. The last condition seems like a bitter pill to swallow, but the alternative is far worse. If serious malware gets its way, no production is possible at all and all corporate secrets will be out in the open.
Conclusion

The threat of cyber-terrorism is no longer a problem of the future – Stuxnet has clearly shown it is a thing of the present. A targeted attack may cost companies dearly, both in terms of financial and productivity losses, and the potential proceeds – for instance from extortion – are huge. Cyber-criminals do not hesitate to steal and use legitimate certificates for their malware in order to appear legitimate, so that the software can achieve its tasks. The masterminds behind these attacks keep on finding new ways to penetrate normally isolated process control systems, and are becoming increasingly successful at it.

Through a combination of technical measures and the education of employees, industrial companies can decrease the risks of cyber-attacks on their organisations. For better prevention and investigation of cyber-attacks, international co-operation at political, police and judicial levels is essential. It would also help if the industrial sector were more open in communicating about these types of attacks and worked together more closely to fight cybercrime.
About the author

Eddy Willems is security evangelist at G Data Software. He studied computer science at IHB and Vrije Universiteit Brussel. In 1989 he became interested in viruses because of an incident with the famous AIDS diskette. From that time on he started to gather information about computer viruses and anti-virus software. In 1991 he became a founding member of EICAR, a European security organisation. Since 1995, he has been a participant in the Wildlist, the world’s premier source of information on which viruses are spreading in the wild. He also has his own WAVCI website dedicated to indexing all anti-malware-related pages and websites. He was responsible for writing the virus article for the international version of the Microsoft Encarta encyclopedia. Since the end of 1996, he has been working as an anti-malware technology expert in the security industry. In May 2000, he acted as adviser to the Belgian Government in the creation of an e-security platform that provides quick anti-virus and security information to the Belgian people. In March 2001, he became the director of press and information for EICAR. He has also worked as security evangelist for Kaspersky Lab.