Cybersecurity
ARPA
"Advanced Research Projects Agency" Set task force to study & recommend hardware and software safeguards to protect classified info.
Internet browsing access
- 90% of the information is on the deep web. - We only use 0.03% or 1/30000 of the pages available, we only use the surface web.
Smart Grid vs Internet
- Aims to : Ensure reliable and secure operation. - Real-time message delivery and non-real time monitoring (not data services). - Large amount of traffic flows are periodic for consistent monitoring . - Faster timing - Two-way communication bottle (top down and bottom up) - IPv6 as major network- layer protocol.
Summary of main activities after cyber attack
- Create a war room/ situation room with clear procedures - Engage stakeholders of the organization, notify whoever needs to be notified - Contain the Breach- do everything you can as fast as possible to stop it. Takes between 2- 3 days. - Measure losses - data leakage, malwares that need to be replaced. - Lessons learned. - Prepare for the next one.
Confidentiality Foundation
- Data that must be protected from UNAUTHORIZED ACCESS in storage, process or transit. - Roughly equivalent to privacy, but anything that is linked or linkable is private not confidential. - It prevents sensitive info from reaching wrong people, and allows right people to access it. Ex of confidentiality break: - failing to properly encrypt transmission - failing to authenticate remote system before transferring data - leaving secured access points open - Accessing malicious code which opens back door - documents left on printers - walking away from access terminal while data is on monitor
Availability Foundation
- Its reachable - Authorized entities granted timely and uninterrupted (high level) access to data/objects/resources. - Implies that the supporting infrastructure (including network services, communications & access control mechanism) is functional and accessible to users.
Integrity Foundation
- Maintaining consistency, accuracy and trustworthiness of data over its life cycle (storage, transit or process). - Ensures what I see is the real info and no one tweaked it. Takes measures to stop that from happening. - Integrity is offered when there is a high level of assurance that the data/objects/resources are in their original protected form. Can be examined from 3 perspectives: 1. Prevent unauthorized subject from making modifications 2.Prevent authorized person from making unauthorized modifications/mistakes. 3.Maintain internal and external consistency of objects so data is correct/true reflection of the real world. *integrity violations can be caused by any user including admins.
Pro-Activeness
- Operating system is updated with the latest security patches - Antivirus is installed and updated - Daily Backups - Awareness - Threat Intelligence - Threat hunting - Drills - Penetration tests
Vulnerabilities & considerations
- Physical security - Hardware Leakage - Software Leakage - Communications & Network Leakage - Organizational Leakage *Internal security threats are biggest problem. It only takes 1 employee to break the system.
Evolution of Tech
- Prior info securtity was mostly physical - 1970s: Tech is for academics - 1980's Tech enters homes - 1990s Tech connects us (e-commerce) -2000s Explosive growth (social media) - 2013s Third industrial revolution. AI dominated.
Awarness
- The importance of passwords and change - Not to allow any strangers to enter the premise - Not to leave the laptop unattended - Not to open any unknown emails/attachments - Make sure to Backup your data
Encryption
-encoding a message so only authorized parties can access it. - scrambling of info - Passwords are the basic form of encryption. - Can take many forms and be applied to any electronic communication (text, audio, video) - important element in security controls and transmission of data between systems. *most effective way to achieve data security
5 reasons for Information Security Incident:
1)External attacks 2)Malicious insiders 3)Natural disaster 4)Accidents 5)Equipment failure Loss/degradation of CIA.
Cyber Security Centers
1)Security Operations Center (SOC) 2)Cyber Fusion Center (CFC) -SOC of the future
4 Cyber case goals
1. Analyze cyber threats 2. Specify indicator patterns for cyber threats 3. Manage cyber response threat activities 4. Sharing of cyber-threat information.
Two essential security layers for Smart Grid
1. Authentication and encryption layer above the IP layer. 2.Authentication layer between the MAC and IP layers
Main Cyber problems to handle
1. Awareness 2. Legal perspective 3. Thinking of cyber-crime on the global level. 4.Sharing of info/collaboration. *Responding timely enough to influence outcome.
3 Root causes of Security Breaches
1. Intended attack 2.Human error 3. System vulnerabilities *attacks are only partly due to attacker's skills but due to faulty programs, human errors, insufficient controls.
3 Identified stages of situational awarness
1. Perception. 2. Comprehension. 3. Projection. Informed by expectations that are informed by long term memory stores.
The year of Cyber-attacks
2014
Internet Networks
APANET: first architecture of internet & info security, connecting between Unis. 2nd APANET: 1970s, expanded farther locations. NIST: Protection of info and systems from unauthorized access/user/disclosure/modification to provide Confidentiality, Integrity and Availability.
Types of Information Security Threats
Accidental disclosure: Failure of components/equipment/software resulting in exposure of info or violation of elements of system. Deliberate penetration: Manipulate system to operate to advantage of threatening party or render it unreliable/unusable to legitimate operator. Active infiltration: Penetrate portions of system that he has no authorization for. Passive subversion: Monitor info within the system or being transmitted without attempts to interfere or manipulate. Physical attack:
Phishing Attack
Aims to steal info from users through masquerading as a trustful source.
Cyber War and Hacktivism targets
All business sectors.
Insider and Privilege Misuse
Any kind of unapproved or malicious use of organizational resources using example if your boss gave you his system and password, and you misuse his credentials. Or if you lost your keycard and someone finds it and uses it. Can be from an insider or external attacker using inside credentials, or both.
Security Control Types
Application Layer: input parameter validation, user authentication, session management, auditing and logging. Unauthorized Access: Identification, authentication & authorization, multi-factor authentication. Network Security: blocks unauthorized access to network, spyware, anti-virus, firewall, intrusion prevention systems, virtual private networks.
Passive Attacks
Attack that does not disrupt proper operation of network. Will be very difficult to understand the eavesdropping. Such as tapping into someone else's computer in a café. Attackers snoop data exchanged in network itself does not get affected.
Man in the Middle Attack
Attacker interferes between the two communication ends and risks compromise unauthorized access to sensitive info or altering of info/messages that reach destination (by attacker)
Attack vectors
Blackhole attack, wormhole attack, replay attack, rushing attacks, byzantine attack... and many more. Eavesdropping, traffic monitoring, jamming, sinkhole..
7 Logical Domains of Smart Grid
Bulk generation Transmission Distribution Customer Markets Service provider Operations.
Cyber Incidents
Cases which are not a CRISIS. Not every case requires a complete operation to support.
DDoS (Distributed Denial of Service)
Compromises the availability of data by flooding the victim with commands, making system inoperable.
3 Foundations of Cyber Security
Confidentiality Integrity Availability (within them is information security)
Four categories of most common attacks
Cyber-crime Cyber Espionage Cyber War Hacktivism Most common: DDoS, malicious code, viruses, worms, trojans, malware, stolen devices, phishing, social engineering and web-based attacks.
Laws & regulations
Developed to prevent/ limit cyber-crime but limited because each set of laws are limited to a certain state/region.
Dynamic Cyber-Incident Response model
Enables those responsible and key decision-makers to develop a more dynamic response within legal and organizational constraints (local and collaborative intelligence sharing)
Incident Response Teams
Forensics team, security operations center, security mitigation team, company management, PR & Marketing Team, Legal team.
Main security challenges to Smart Grid.
From malicious cyber attacks via communication networks. By: selfish misbehaving users or malicious users. Others: Dos by channel jamming (availability). Detection and defense depends on network countermeasures such and monitoring and filtering. modifying/disrupting data exchange (integrity), acquiring unauthorized info from network resource (confidentiality)
Cyber Espionage targets
Government, Media, Law Enforcement sectors. Unlikely targeting other business sectors.
Security Controls
How they address the response (countermeasures). Firewall or anti-virus is a security control. The border control is the safeguard.
Company Steps for Security Controls
IT: Make sure hardware, software, antivirus are up to date. Authentication: Combine something you know (password), something you have (PIN generator), something you are (biometric). Internal commitment: Company wide awareness. Set of policies/procedures. Access to info: Restricted and timely terminated. Data retention: Remove all data no longer required for daily business purposes. Other: Preventive, detective and corrective controls. Independent security reviews (for internet banking, audit, penetration tests): Helps detect security breaches and supports implementation/improvement.
AAA Services:
Identification: Verifying the indetity of subject. username, swiping a smart card Authentication: verifies the identity of the subject by comparing one or more factors against database. Authorization: Ensures that the requested activity or access to an object is possible given the rights & privileges assigned. Auditing: Subjects actions are tracked & recorded to hold him accountable. Accountability: By linking human to the activities of an online identify through security services & mechanism. You are accountable to all of the actions here (repudiation). ATM example: Credit card - pin code - amount - withdrawal - receipt (auditing) - Bank statement
Information Security in the Smart Grid
Imposes much more strict security requirements than the internet. Has: - attack detection and resilience operations - Strict identification, authentication and access control. - Secure and efficient communication protocols.
Information vs Cyber Security
Info Security: guarantees the security of analog and digital. Cyber Security: guarantees that the computers, data and network of the organization is defended from the unauthorized digital attack. ONLY of the digital realm.
Information Security Assessment Methodologies (Whitebox vs Blackbox)
Information provided vs not provided. Black Box: - you don't know what is going on inside - The attackers receive partial information on the targeted system - The boundaries are well defined. - A very good simulation, but the information and intelligence gathering may be a long process and may miss the main objectives, while focusing on secondary ones. White Box: - You see everything in the box. - The attacker receives all relevant information on the target system. - An efficient simulation that saves a lot of time on the information gathering process, but does not simulate a real attack.
Point of Sale Intrusions (POS)
Like a cash sale. Try to obtain credit card data.
Main impacts of Cyber-attacks
Loss of info, business disruption, revenue loss, equipment damage. Info accessed: full names, birth dates, IDs, addresses, medical records, phones, financial data, e-mails, credentials, insurance.
Potential impacts of cyber attacks
Loss of money, reputation, inability to work, lawsuits, unhappy customers, decrease in shares, company shutdown/bankruptcy.
Malware Attack
Malicious software. Compromises CIA. Most common types: viruses, worms, trojans, spyware, ransomware, adware and scareware.
Crime ware
Malware. The overwhelming attack vector in this category is ransomware. Representing nearly half of crimeware incidents.
2 ways to Asses Information Security
Map vulnerabilities and asses risk. Defensive: - Security review process. - Risk and vulnerabilities assessment. - Secured code management and review. Offensive: - Penetration Testing/Ethical Hacking, - Periodical reviews by a Red Team (try to provide a different mode of operating).
Smart Grid
Next generation power system. Integrates high-speed and two-way communication technologies into millions of power equipments to establish a dynamic and interactive infra-structure with new energy management capabilities such as advanced metering infrastructure (AMI). AMI - connect customers' homes, the utility center and the electricity market.
Denial of Service
Overwhelming an application, system, or network is one of the easiest ways for attackers to shut you down, even if only temporarily.
Information Security Phases
Plan, Do, Check and Act.
Cyber attacks on the public
Political - elections Financial - banks Health
CFC
Pro activeness. Threat hunting : checking before there is an attack. Threat intelligence : Subscribing to a service that sends you info on potential threats. Once there is one you can act or have a company act for you. Automation: Once you receive a threat will automatically solve it. Avoids false positives and is faster.
SOC
Provides centralized and consolidated cybersecurity incident prevention, detection and response capabilities. Does monitoring (ex waiting for alerts from the network on different part of the company) and Incident response process (ex CFO says he got an e-mail to transfer funds that is fake and asks for it to be investigated)
Mitigating Dos
Rate limiting: Imposing a rate limit on a set of packets that have been characterized as possibly malicious. Filtering: Compares source address of packets with blacklist provided by attack detectors. Reconfiguration: Changing the topology of victim or intermediate network.
Brute Force Attack
Repeated attempts to gain access to protected info (passwords, encryption) until correct key is found and info can be reached.
If there is an Incident/crisis:
SOC War Room is opened to handle it. 1. Managed by SOC Manager or T3 2. Initiate the incident 3. Center of information 4. Respond to the IR Manager 5. Communicate with Internal IS 6.Manage the event log
SIEM
Security Information and Event Management. Centralized platform that collects all the info from all the tools spread worldwide. The heart of the alerts.
SOAR
Security orchestration automation and response. An enterprise tool that allows organizations to use one platform.
Active Attack
Someone that sends a software or a malware. External: anything outside of the organization Internal:Anything inside the organization. These attacks are really sever because they are from within and already have all the information needed.
Cyber Attacks
Strike against a computer system, network or internet-enabled application or device. Hackers use a variety of tools to launch attacks like malware, ransomware, exploit kits... The US is #1 for cyber attacks.
Social Engineering Attacks
Techniques used to gain unauthorized access to info through human interaction.
Inform
The ability to collect, analyze, manage and exploit info and intelligence to enable info and decision superiority.
All cyber attack definitions have in common
The aim to compromise the confidentiality, integrity and availability.
By 2020
There will be 10.8 billion things to secure, 5billion personal data records stolen, $8 trillion lost to cybercrime, organizations using too many tools from too many vendors.
Paths of exploits
Threat agents --> Attack --> Weakness --> Control --> Function --> Impact.
SOC structure
Tier 1 - people receiving alerts. Tier 2 - more experienced cyber security ppl and responsible for forensics. Usually team leaders of tier 1. Tier 3 - Ppl with a lot of cyber experience. Most are hunters dealing with networks, malware, endpoint and threat intel. SOC Manager - managing the entire room.
Cyber Response Building Blocks
Tier1: Receive info from customers, cyber security members, intelligence (tier 3), SIEM, and hotline. If there is an escalation goes to Tier2 who can work with SIEM Admin, forensics and security experts. Tier 3 - receives info if Tier 2 cant handle it, and works with SIEM Admin, Forensics and Intelligence. SOC Manager - involved following Tier 3 who will then check if it is an incident. A CTO, Architect and Expert may sit in on that meeting to check if that is a real incident.
Non-profit organizations
Try fighting against cyber-attacks, making the public aware of risks, how they can be exposed and how they can defend themselves.
Most common attack sources
USA, Russia, Netherlands, Germnay, UK, Ukraine, France, Vietnam, Canada, Romania
Most frequent victims of attacks
USA, Russia, UK, Germany, Italy, Netherlands, France.
Types of Cyber Attacks
Virus - Slow PC Malware - Ransomware Phishing - Money Transfer Data leakage - selling information. Fake calls - service desk. Denial of service - website overload (slowing down the website) Hacking - Internet Cafe. Trojan Horse - Back door.
Predicting Cyber-incident progress
With further monitoring for more targeted incident response measures.
Cyber Security
the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access To protect the entire network from people who shouldn't access it or can cause some kind of damage. Connected devices have flaws and those flaws can be exploited.