Cyber Security Threats

abdomendebonairSecurity

Nov 2, 2013

Property of Argo Pacific Pty Ltd

Cyber Security Threats


Dr Paul Twomey

The Lowy Institute for International Policy


8 September 2010


What is the Internet?


Three layers



All have vulnerabilities



The Transit Layer



The Application Layer



Source: Olaf Kolkman, Internet Architecture Board


And while we have been going from this…



Spectrum of Risk

Degree of Data Digitization, from lowest to highest:
1. Messaging
2. Storing Information
3. Transactional systems
4. Technology Integration
5. Fully Integrated information based Business

Business has been aggregating data and risk at an unprecedented rate…

And our physical infrastructure has become
intertwined and reliant on our cyber infrastructure

Source: DHS, "Securing the Nation’s Critical Cyber Infrastructure"

We have developed the myth that technology can be an effective fortress, and that therefore we can have security

Traditional focus on:
- Better Firewalls
- Boundary Intrusion Detection
- Critical Offsite Capacity
- Compliance Certification

False myths:
- IT staff = security staff
- Compliance failure is the main source of risk
- Being compliant = being safe

But this concept of security is false: the Internet is fundamentally open

Facts:
- We don’t know what’s on our own nets
- What’s on our nets is bad, and existing practices aren’t finding everything
- Threat is in the “interior”
- Threat is faster than the response
- “Boundaries” are irrelevant
- We don’t know what is on our partner’s nets nor on the points of intersection
- Compromises occur despite defenses
- Depending on the motivation behind any particular threat, it can be a nuisance, costly or mission threatening

[Diagram: Global Internet]

The critical capability is to develop real time response and resiliency

Some types of Cyber Threats

Type | Motivation | Target | Method
Information Warfare | Military or political dominance | Critical infrastructure, political and military assets | Attack, corrupt, exploit, deny, conjoint with physical attack
Cyber Espionage | Gain of intellectual property and secrets | Governments, companies, individuals | Advanced Persistent Threats
Cyber Crime | Economic gain | Individuals, companies, governments | Fraud, ID theft, extortion, attack, exploit
Cracking | Ego, personal enmity | Individuals, companies, governments | Attack, exploit
Hacktivism | Political change | Governments, companies | Attack, defacing
Cyber Terror | Political change | Innocent victims, recruiting | Marketing, command and control, computer based violence

Source: analysis, Dr Irv Lachov

Cyber crime and cyber espionage are having real impacts

- Estimated $1 Trillion of intellectual property stolen each year (Gartner & McAfee, Jan 2009)
- Cybercrime up 53% in 2008 (McAfee)
- Topped $20 Billion at financial institutions
- Reported cyber attacks on U.S. government computer networks climbed 40% in 2008
- Sensitive records of 45,000 FAA workers breached (Feb 09)
- Chinese stole design secrets of all U.S. nuclear weapons (Michelle Van Cleave)
- U.S. nuclear weapons lab is missing 69 computers (Feb 09)
- Cost to repair average 2008 data breach = $6.6 Million

Source: Report of the CSIS Commission on Cybersecurity for the 44th Presidency

Critical infrastructure and cyber attack

- Infrastructure vulnerable to cyber attack:
  - Power grid
  - Water
  - Communications
  - Banking, etc.
- Little barrier to skilled attackers
- Software protections not current with today’s threats
- Coordinated physical and cyber attack strategies could cripple critical infrastructure

Source: Brenton Greene, Northrop Grumman

Corporate Brands Under Attack

- U.S. companies have lost billions in intellectual property to cyber
- A third of companies surveyed said a major security breach could put them out of business
- Terrorists finance their operations
- Heartland Payment Systems (HPY) suffered an intrusion that compromised at least 130 million consumer cards

Source: Brenton Greene, Northrop Grumman

The total cost of a data breach continues to rise.

[Chart: Direct and Indirect data breach costs, US$ costs per record]

Source: The Ponemon Institute

Direct Cost: e.g. engaging forensic experts, outsourced hotline support, free credit monitoring subscriptions, and discounts for future products and services.

Indirect Costs: e.g. in-house investigations and communication, and the value of customer loss resulting from churn or diminished acquisition rates.

The biggest cost growth is the churn of customers affected or influenced by the breach

- Over the past four years lost business costs, created by abnormal churn or turnover of customers, grew by more than $64 on a per victim basis, or a 38% overall percentage increase.
- Organizations in highly trusted industries such as banking, pharmaceuticals and healthcare are more likely to experience high abnormal churn rates following a data breach compared to retailers and companies with less direct consumer contact.

[Chart: Component of Cost of data breach on a per victim basis, US$]

This is an international problem


Cyber risks are an increasing threat to sources of enterprise capability and brand competitiveness

Risk | Timing | Examples
Extortion | Now | Phishing and pharming driving increased customer costs, especially for the financial services sector; DDOS extortion attacks
Loss of intellectual property/data | Now | National security information/export controlled information; sensitive competitive data; sensitive personal/customer data
Potential for disruption (as part of cyber conflict, i.e. Estonia; as target of cyber protest, i.e. anti-globalization) | Emerging | eBusiness and internal administration; connections with partners; ability to operate and deliver core services
Potential accountability for misuse (i.e. botnets) | Now | Reputational hits; legal accountability
Potential for data corruption | Future | Impact operations or customers through data
Terrorism | Emerging | DDOS and poisoning attacks; focused attacks coordinated with physical attacks

Attacks are increasingly easy to conduct

[Chart, 1990 to 2008: attack sophistication versus skill level needed by attackers. Source: SE/CERT CC]

Milestones plotted on the chart (order as extracted, not chronological):
- Email propagation of malicious code
- “Stealth”/advanced scanning techniques
- Widespread attacks using NNTP to distribute attack
- Widespread attacks on DNS infrastructure
- Executable code attacks (against browsers)
- Automated widespread attacks
- GUI intruder tools
- Hijacking sessions
- Internet social engineering attacks
- Packet spoofing
- Automated probes/scans
- Widespread denial-of-service attacks
- Techniques to analyze code for vulnerabilities without source code
- DDoS attacks
- Increase in worms
- Sophisticated command and control
- Anti-forensic techniques
- Home users targeted
- Distributed attack tools
- Increase in wide-scale Trojan horse distribution
- Windows-based remote controllable Trojans (Back Orifice)

Drivers: fear and impact

Recent Incidents: Rise of the Professionals


Recent Incidents: Rise of the Professionals


- F-35: WSJ article: “Computer spies have broken into the Pentagon's $300 billion Joint Strike Fighter project -- the Defense Department's costliest weapons program ever -- according to current and former government officials familiar with the attacks” ... China suspected
- Google: Internet search company reveals existence of large-scale computer intrusions, apparently coming from China with some support from the state
- US Electrical System: WSJ article: “Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system” … Russia and China suspected
- Optus: In April 2010, customers of Optus, its partner internet service providers, and a number of major corporate customers suffered traffic degradation as a result of a distributed denial of service attack sourced from China and aimed at a large, unnamed Optus financial services customer.

Recent Incidents: Rise of the Professionals


- Estonia: As part of unrest and pro-Russian riots in Tallinn, the Internet-embracing nation undergoes massive online attacks from ethnic Russians
- Zeus Trojan: Zeus Trojan, capable of defeating the one-time password systems used in the finance sector, targets commercial bank accounts and has gained control of more than 3 million computers, just in the US
- Mariposa: "botnet" of infected computers included PCs inside more than half of the Fortune 1,000 companies and more than 40 major banks

Mass-scale hacking

- It's ROI focused.
- It's not personal. Automated attacks against mass targets, not specific individuals.
- It's multilayer. Each party involved in the hacking process has a unique role and uses a different financial model.
- It's automated. Botnets exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware and manipulate search engine results.
- Common attack types include:
  - Data theft or SQL injections.
  - Business logic attacks.
  - Denial of service attacks.

Source: Amichai Shulman

Advanced Persistent Threats

- It's very personal. The attacking party carefully selects targets based on political, commercial and security interests. Social engineering is often employed.
- It's persistent. If the target shows resistance, the attacker will not leave, but rather change strategy and deploy a new type of attack against the same target.
- Control focused. APTs are focused on gaining control of crucial infrastructure, such as power grids and communication systems. APTs also target data comprised of intellectual property and sensitive national security information.
- It's automated, but on a small scale. Automation is used to enhance the power of an attack against a single target, not to launch broader multi-target attacks.
- It's one layer. One party owns and controls all hacking roles and responsibilities.

Source: Amichai Shulman



Cyber warfare?: Estonia cyber attacks

- Started on April 27, 2007, and the attacks lasted about 3 weeks.
- Series of attacks targeting government portals, the parliament portal, banks, ministries, newspapers and broadcasters of Estonia.
- Estonians claimed these attacks were a political attack, or revenge from Russians for the moving of a WWII memorial.

Source: Presentation to Africa Asia Forum on Network Research & Engineering workshop, Dakar, Senegal, 23 November 2009


How the attacks took place

- Weeks of cyber attacks followed, targeting the Web sites of Estonia's government, banks, ministries, newspapers and broadcasters.
- Some attacks took the form of distributed denial of service (DDoS) attacks (ranging from ping floods to expensive rentals of botnets).
- 128 unique DDOS attacks (115 ICMP floods, 4 TCP SYN floods and 9 generic traffic floods).
- Used hundreds or thousands of "zombie" computers and pelted Estonian Web sites with thousands of requests a second, boosting traffic far beyond normal levels.
- Attacker commanding other computers to bombard a web site with requests for data, causing the site to stop working.

Source: Presentation to Africa Asia Forum on Network Research & Engineering workshop, Dakar, Senegal, 23 November 2009


How the attack took place …

- The attack heavily affected the infrastructure of the whole network:
  - Routers damaged.
  - Routing tables changed.
  - DNS servers overloaded.
  - Email server and mainframe failures, etc.

Source: Presentation to Africa Asia Forum on Network Research & Engineering workshop, Dakar, Senegal, 23 November 2009


Impact

- Inoperability of the following state and commercial bodies:
  - The Estonian presidency and its parliament.
  - Almost all of the country’s government ministries.
  - Political parties.
  - Three news organizations.
  - The two biggest banks and communications firms.
  - Governmental ISP.
  - Telecom companies.

Source: Presentation to Africa Asia Forum on Network Research & Engineering workshop, Dakar, Senegal, 23 November 2009


How did Estonia respond?

- Estonia's Computer Emergency Response Team (CERT) acted as a coordinating unit, concentrating its efforts on protecting the most vital resources.
- Closing down the sites under attack to foreign internet addresses and keeping the sites accessible only to domestic users.
- Cutting 99% of the bogus traffic, which originated outside Estonia.
- Implemented an online "diversion" strategy that made attackers hack sites that had already been destroyed.
- Implemented advanced traffic filters, then Cisco Guard was installed to lower malicious traffic.

Source: Presentation to Africa Asia Forum on Network Research & Engineering workshop, Dakar, Senegal, 23 November 2009
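The flood categories named in the Estonia slides (ICMP floods, TCP SYN floods, generic traffic floods) and the domestic-only restriction used in the response, worked as detection and triage logic in an added Python example that is not part of the presentation; the flow records, the 192.0.2.0/24 "domestic" prefix and the packet-rate thresholds are constructed.

```python
"""Added example (not from the presentation): classify flood traffic from flow
records into the ICMP / SYN / generic flood categories the Estonia slides name,
and measure how much of it a domestic-only restriction would shed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DOMESTIC = ip_network("192.0.2.0/24")  # constructed: the country's own address space
PPS_THRESHOLD = 5000  # constructed: packets/second to one destination that count as a flood
DOMINANCE = 0.8       # share of packets one profile needs before the flood is named after it


@dataclass(frozen=True)
class Flow:
    ts: int         # whole-second timestamp of the flow record
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address (the attacked site)
    proto: str      # "icmp", "tcp" or "udp"
    syn_only: bool  # TCP SYN set without ACK, i.e. a bare connection attempt
    packets: int    # packets carried by this record


def profile(f):
    """Collapse a flow to the traffic profile the classifier counts."""
    if f.proto == "icmp":
        return "icmp"
    return "syn" if f.proto == "tcp" and f.syn_only else "other"


def classify_windows(flows):
    """Return {(dst, ts): kind} for each one-second window above PPS_THRESHOLD;
    kind is "icmp_flood", "syn_flood" or "generic_flood". Quiet windows are omitted."""
    buckets = defaultdict(Counter)
    for f in flows:
        buckets[(f.dst, f.ts)][profile(f)] += f.packets
    verdicts = {}
    for key, counts in buckets.items():
        total = sum(counts.values())
        if total < PPS_THRESHOLD:
            continue
        top, top_count = counts.most_common(1)[0]
        if top in ("icmp", "syn") and top_count / total >= DOMINANCE:
            verdicts[key] = f"{top}_flood"
        else:
            verdicts[key] = "generic_flood"  # mixed or UDP/other volume
    return verdicts


def foreign_share(flows, dst):
    """Fraction of packets to dst sourced outside DOMESTIC; near 1.0 means a
    domestic-only restriction sheds nearly the whole flood yet keeps local access."""
    foreign = total = 0
    for f in flows:
        if f.dst == dst:
            total += f.packets
            if ip_address(f.src) not in DOMESTIC:
                foreign += f.packets
    return foreign / total if total else 0.0


# Constructed sample: a SYN flood on one site, an ICMP flood on another, and
# ordinary domestic browsing in a later second that must not be flagged.
SAMPLE = [
    Flow(0, "203.0.113.5", "192.0.2.10", "tcp", True, 4000),
    Flow(0, "198.51.100.7", "192.0.2.10", "tcp", True, 3000),
    Flow(0, "192.0.2.77", "192.0.2.10", "tcp", False, 50),
    Flow(0, "203.0.113.9", "192.0.2.20", "icmp", False, 9000),
    Flow(0, "192.0.2.88", "192.0.2.20", "tcp", False, 200),
    Flow(1, "192.0.2.88", "192.0.2.30", "tcp", False, 120),
]
```

On the sample, both attacked sites are flagged with their flood type while the quiet window is ignored, and more than 99% of the SYN flood's packets come from outside the domestic prefix, which is the situation in which the domestic-only restriction described above pays off.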



Response included much help from others

- Identification and further blockade of bots from root DNS servers.
- CERT persuaded ISPs around the world to blacklist attacking computers which overwhelmed Estonia’s bandwidth.
- Germany, Slovakia, Latvia, Lithuania, Italy and Spain supported and funded the CERT hub in the Estonian capital Tallinn to protect the security.
- Blocked all .ru domains.
- The president gave up his own website and let them continue to attack it so that they would not be able to destroy more critical things.

Source: Presentation to Africa Asia Forum on Network Research & Engineering workshop, Dakar, Senegal, 23 November 2009




International impact

- The Estonian CERT analysed server logs and data to find out who was behind the attacks.
- NATO assisted Estonia in combating the cyber attacks and has voted to work with member governments to improve cyber security.
- NATO's new cyber-warfare center will be based in Tallinn.
- Estonia called in July 2008 for an international convention on combating computer-based attacks.

Source: Presentation to Africa Asia Forum on Network Research & Engineering workshop, Dakar, Senegal, 23 November 2009

So who can do this?

State Actors

Definition: Nation States who engage in one or more types of cyber operations

Russian Federation, Kyrgyzstan, Ukraine, Estonia, Georgia, Ingushetia, Peoples Republic of China, Taiwan, Israel, Iran, Palestinian National Authority (Hamas), Myanmar (Burma), U.S., Turkey, Pakistan, Germany, Zimbabwe, Australia

Source: Jeffrey Carr, GreyLogic

State-Sponsored Actors

Definition: Non-state actors who are engaged by States to perform one or more types of cyber operations.

Partial list of States known to or suspected of sponsoring Actors: Russian Federation, Peoples Republic of China, Turkey, Iran, United States, Myanmar, Israel

Source: Jeffrey Carr, GreyLogic

Non-State Actors

Definition: Non-state actors who engage in cyber crime and/or patriotic hacking (aka hacktivists)

Too numerous to list

Source: Jeffrey Carr, GreyLogic

War by proxy?

Kremlin Kids: We Launched the Estonian Cyber War
By Noah Shachtman, March 11, 2009 | Wired.com

Like the online strikes against Georgia, the origins of the 2007 cyber attacks on Estonia remain hazy. Everybody suspects the Russian government was somehow behind the assaults; no one has been able to prove it. At least so far. A pro-Kremlin youth group has taken responsibility for the network attacks. And that group has a track record of conducting operations on Moscow’s behalf.

Nashi ("Ours") is the "largest of a handful of youth movements created by Mr. Putin’s Kremlin to fight for the hearts and minds of Russia’s young people in schools, on the airwaves and, if necessary, on the streets," according to the New York Times.

Yesterday, one of the group’s "commissars," Konstantin Goloskokov (pictured), told the Financial Times that he and some associates had launched the strikes. "I wouldn’t have called it a cyber attack; it was cyber defense," he said. "We taught the Estonian regime the lesson that if they act illegally, we will respond in an adequate way." He made similar claims, in 2007.

If true, it would be only one in a long string of propaganda drives the group has waged in support of the Kremlin. Not only has Nashi waged intimidation campaigns against the British and Estonian ambassadors to Moscow, and staged big pro-Putin protests. Not only has it been accused of launching denial-of-service attacks against unfriendly newspapers. Last month, Nashi activist Anna Bukovskaya acknowledged that the group was paid by Moscow to spy on other youth movements. The project, for which she was paid about $1100 per month, included obtaining "videos and photos to compromise the opposition, data from their computers; and, as a separate track, the dispatch of provocateurs," she told a Russian television channel.

The proliferation of capability into the hacker/criminal world has enabled a blurring of actors and motivations: a major challenge for any future international regime for controlling national state cyber competition

[Diagram: Cyber Warfare, Cyber Crime, Cyber Espionage]

Strategic implications

- Nation-states lose some control over conflict
- Geopolitical analysis required
- Cyber conflict mirrors fighting on ground
- Attribution and the false flag
- Concept: People’s War
- Is national security at risk?
- As with WMD, defense strategies unclear
- As with terrorism, success in media hype

Source: Cyberspace and the Changing Nature of Warfare, Kenneth Geers, NATO Cooperative Cyber Defence Centre of Excellence

The old rules collide with cyber reality


Foreign Relations Law (U.S.): “It is universally recognized, as a corollary of state sovereignty, that officials in one state may not exercise their functions in the territory of another state without the latter's consent.”

Source: Cyberspace and the Changing Nature of Warfare, Kenneth Geers, NATO Cooperative Cyber Defence Centre of Excellence

Australian Federal government response since 2009

Defence Signals Directorate (DSD): “Reveal Their Secrets / Protect Our Own”

Cyber Security Operations Centre (CSOC):
- DSD capability that serves all government agencies.
- Provides government with a comprehensive understanding of cyber threats against Australian interests;
- coordinates operational responses to cyber events of national importance across government and critical infrastructure.
- Embedded representation from a number of other agencies involved in assessing the threat to, and the protection of, Australian interests from sophisticated threat actors.
- The CSOC will also assist CERT Australia.

ASIO

Attorney General’s Department

CERT Australia:
- Works with the private sector in identifying critical infrastructure and systems that are important to Australia’s national interest, based on an assessment of risk, and provides these organisations with information and assistance to help them protect their information and communication technology infrastructure from cyber threats and vulnerabilities.
- Sector Programs: banking and finance, control systems, telecommunications.

Up to the early 1990s in Australia

- Government ran government networks. The government ran military networks. The government owned Telecom Australia and OTC.
- To expect DSD and/or ASIO to play the primary protection role was quite valid.

But today

- Every business is connected to the Internet. Every business’s network is part of the internet.
- The capacity to interact with each other is a key part of their risk environment. Telcos, businesses, universities, and households are all connected in different ways.
- The government now owns a tiny minority of these networks.
- If there were negligence causing damage, who would be liable? In the 1970s, 80s and even the early 1990s you could make a case that somehow or other the government would end up being the defendant. Today it would be the companies.
- The big change for boards in Australia is that if somebody wants to bring a negligence action for something that went bad on the network they are more likely to be liable.

Cyber crime and cyber espionage pose increasing risk to

- Operations
- Reputation
- Financial performance
- Competitive position in the market

And managing risk is a Board responsibility

THANK YOU
