Security Essentials – Start Here
5 best practices to secure your organization and prevent business-injuring incidents
Teodor Cimpoesu, Technical Director, UTI-CERT

UTI-CERT @ certSIGN
- Clear legal requirements and compliance
- Disaster recovery and business continuity
- “Trusted Introducer” member
- ISO 27001 & 9001 compliance
- Regular internal pen testing and security audit
- Structure enhanced to cover a variety of customers: oil and gas, utilities providers, banks, telecom
- All-around cyber security services and solutions
- Flexibility for special projects customized according to client needs: customizable services, adaptable SLA, training, knowledge transfer and technical support

Services (diagram): security validation (pen testing), security analysis, vulnerability analysis, special projects, research & development

1. Cybercrime & Risk

Cyber risks in global context
The World Economic Forum study on global risks (2014) positions cyber attacks in the high-likelihood / high-impact area.
Systemic risk is the risk of “breakdowns in an entire system, as opposed to breakdowns in individual parts and components”. Systemic risks are characterized by:
- modest tipping points combining indirectly to produce large failures
- risk-sharing or contagion, as one loss triggers a chain of others
- “hysteresis”, or systems being unable to recover equilibrium after a shock
Cyber risks in key areas (e.g. financial) and attacks on critical infrastructure pose a systemic risk.
Source: World Economic Forum, “Global Risks 2014” Ninth Edition

Cyber risks in global context
On the Global Risks Interconnection Map we can see the links and potential influences of the systemic risks. The technological risks are strongly linked with geopolitical and economic risks, and organized crime risk has a direct link to them. Mitigating one area involves taking into consideration other indirect risk propagations as well.
Source: World Economic Forum, “Global Risks 2014” Ninth Edition

Global Cybercrime
The Comprehensive Study on Cybercrime by the United Nations Office on Drugs and Crime (2013) gives a perspective from the GOV, COM and EDU view. Findings:
- Laws are fragmented, lack procedural powers and hinder international cooperation.
- Law enforcement and criminal justice have limitations in their capacity to react and combat cybercrime.
- Prevention activities are lacking / require strengthening.
Source: “Comprehensive Study on Cybercrime”, UNODC


Accelerators: business ecosystem
“The increasing frequency, variety, and complexity of attacks are the product of an emerging cybercrime-as-a-service provider market. This market allows malicious parties to execute attacks at considerably lower cost, with considerably lower levels of technical savvy.”
- Research-as-a-Service – vulnerabilities, exploits, IDs
- Crimeware-as-a-Service – development, malware services
- Infrastructure-as-a-Service – botnets, hosting, exploit packs
- Hacking-as-a-Service – DoS, password cracking, financials
Source: “Cybercrime Exposed. Cybercrime-as-a-Service”, McAfee

Accelerators: Cheap & easy
Source: “Cybercrime Exposed. Cybercrime-as-a-Service”, McAfee

Botnet business – Global/Local
Source: Anubis Networks

EU response to cybercrime
The Cybersecurity Strategy of the EU (2013) – strategic priorities:
- Achieving cyber resilience
- Drastically reducing cybercrime
- Developing cyberdefence policy and capabilities
- Developing the industrial and technological resources for cybersecurity
- Establishing a coherent international cyberspace policy for the EU
Policies and directives:
- Directive 2013/40/EU on attacks against information systems
- Directive 2011/92/EU on combating the sexual exploitation of children online and child abuse
- ePrivacy Directive 2009/136/EC
- Framework Decision on combating fraud and counterfeit – 2001/413/JHA
Institutions & initiatives:
- 2013 – European Cybercrime Centre (EC3) @ EUROPOL
- 2004 – European Network and Information Security Agency (ENISA)
Directive 2013/40/EU: deadline for transposition in the Member States 4.9.2015. Guidelines and best practices – EU countries must:
- have an operational national point of contact,
- use the existing network of 24/7 contact points,
- respond to urgent requests for help within 8 hours to indicate whether and when a response may be provided,
- collect statistical data on cybercrime.

2. Defence Fundamentals

Step 1: Know – what is a best practice and why
SANS Top 20 Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations (HW/SW/Mobile/Stations/Servers)
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training
10. Secure Configurations for Network Devices
11. Limitation and Control of Network Ports, Protocols & Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
How to implement:
- Update structured information on your inventory & classification. Continue with threat modeling, which will give the focus areas.
- Evaluate written and technical policies. Test them in real life, daily operations.
- Segregate, separate, define roles and limit access. Understand & adopt the Zero Trust Model.
- Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.
- Assign job titles and duties for handling IR.
- Define management personnel who will support the incident handling process by acting in key decision-making roles. Set organizational standards for time to report anomalous events.
- Publish information regarding reporting anomalies and incidents to the incident handling team. Run awareness training.
Source: SANS Institute – Critical Security Controls

Step 1: Know – what is a best practice and why
Modern Security Practices
- Intelligence-driven defense
- Threat vector analysis
- Data exfiltration analysis
- Detection-dominant design
- Zero trust model
- Intrusion kill chain
- Attack hunting
- Visibility analysis
- Data visualization
- Lateral movement analysis
- Data ingress/egress mapping
- Internal segmentation
- Network security monitoring
- Continuous monitoring

Step 1: Know – what is a best practice and why
- IDS & IPS with multiple deployment models
- DPI of IP & serial SCADA protocols – DNP3, IEC 101/104/61850, Modbus. Each protocol packet is validated up to its function code and the command content.
- Model-based analytics for M2M sessions
- Self-learning of the application behavioral model
- Signature-based detection of known vulnerabilities
- Task-based validation of H2M sessions
- Integration with physical security
- Authentication proxy for access to end-devices
- Encrypted VPN tunnels for inter-site connectivity
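As an added example (not code from the slides or from any vendor's IDS), a minimal Modbus/TCP deep-packet check of the kind the slide describes: each frame is parsed up to its function code, and the content of a write command is validated against a per-unit policy. The frame layout is the standard MBAP header plus PDU; the policy, the setpoint range and the sample frames are constructed.

```python
import struct

READ_HOLDING_REGISTERS = 0x03   # standard Modbus function codes
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10

# Constructed policy (assumed for the example): function codes each unit
# (slave id) may receive, and the value range accepted for register writes.
POLICY = {
    1: {READ_HOLDING_REGISTERS},                         # read-only sensor
    2: {READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER},  # controllable actuator
}
SETPOINT_RANGE = (0, 1000)

def build_frame(tid, unit, func, data):
    """Assemble a Modbus/TCP frame: MBAP header (transaction id, protocol id 0,
    length, unit id) followed by the PDU (function code + data)."""
    return struct.pack(">HHHBB", tid, 0, len(data) + 2, unit, func) + data

def parse_frame(frame):
    """Return (transaction id, unit id, function code, data); ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:   # length counts unit id, function code and data
        raise ValueError("length field %d disagrees with frame size" % length)
    return tid, unit, func, frame[8:]

def validate(frame, policy=POLICY):
    """Classify one frame as 'allow', 'deny' or 'malformed', with a reason."""
    try:
        tid, unit, func, data = parse_frame(frame)
    except ValueError as err:
        return "malformed", str(err)
    if unit not in policy:
        return "deny", "unit %d not in policy" % unit
    if func not in policy[unit]:
        return "deny", "function 0x%02x not allowed for unit %d" % (func, unit)
    if func == WRITE_SINGLE_REGISTER:          # command content check
        if len(data) != 4:
            return "malformed", "write single register needs 4 data bytes"
        addr, value = struct.unpack(">HH", data)
        lo, hi = SETPOINT_RANGE
        if not lo <= value <= hi:
            return "deny", "register %d value %d outside %d..%d" % (addr, value, lo, hi)
    return "allow", "transaction %d: function 0x%02x for unit %d" % (tid, func, unit)

if __name__ == "__main__":
    for frame in (build_frame(1, 1, READ_HOLDING_REGISTERS, b"\x00\x00\x00\x0a"),
                  build_frame(2, 1, WRITE_SINGLE_REGISTER, b"\x00\x01\x01\xf4"),
                  build_frame(3, 2, WRITE_SINGLE_REGISTER, b"\x00\x01\x13\x88")):
        print(validate(frame))
```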

Step 2: Discover - Assets and configuration audit

Step 2: Discover – Software Asset Management
Microsoft SAM
- Control costs & risks
- Tackle complexity
- Optimize use of SW assets
- Grow/optimize the infrastructure
Risk coverage
- Non-compliance
- Security
- Business down-time
- Legal & licensing
- Overspending on licensing
- Software conflicts

Step 3: Assess – the Threat (do Modeling)
Methodologies, e.g. IDDIL/ATC, cover critical security controls (SANS / ISO 27001):
I. Discovery
- Identify ASSETS
- Define the ATTACK SURFACE
- Decompose the SYSTEM
- Identify ATTACK VECTORS
- List THREAT ACTORS
II. Implementation
- Analysis & assessment
- Triage
- Control
Source: “A Threat-Driven Approach to Cyber Security – Methodologies, Practices and Tools to Enable a Functionally Integrated Cyber Security Organization”, Lockheed Martin Corp.

Step 3: Assess - The actual vulnerabilities (do Scan/Pentest)

Step 4: Monitor – integrate, correlate, enrich
Source: HP Security

Step 4: Monitor – integrate, correlate, enrich
Threat Intelligence
The real-time collection, normalization, and analysis of the data generated by users, applications, and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.
Data collected and warehoused by Security Intelligence solutions includes logs, events, network flows, user identities and activity, asset profiles and locations, vulnerabilities, asset configurations, and external threat data. Security Intelligence provides analytics to the …/after timeline of risk and threat management.
Risk Management. Vulnerability Management. Configuration Monitoring. Patch Management. Threat Intelligence. Compliance Management. Reporting and Scorecards.
SIEM. Log Management. Incident Response. Network and Host Intrusion Prevention. Network Anomaly Detection. Packet Forensics. Database Activity Monitoring. Data Loss Prevention.
Source: IBM

Step 4: Monitor – integrate, correlate, enrich
Threat Intel (TI) formats
- STIX – Structured Threat Information eXpression (MITRE/OASIS)
- TAXII – Trusted Automated eXchange of Indicator Information (MITRE/OASIS)
- CybOX – Cyber Observable eXpression (MITRE/OASIS)
- OpenIOC – Open Indicators of Compromise (FireEye/Mandiant)
- IODEF – Incident Object Description Exchange Format (IETF – RFC 5070)
- YARA – Yet Another Regex Analyzer – binary pattern scanning (OSS)
- SNORT – real-time analysis of network traffic (Cisco)
Enumerations
- MMDEF – Malware Metadata Exchange Format (IEEE)
- MAEC – Malware Attribute Enumeration and Characterization (MITRE)
- CAPEC – Common Attack Pattern Enumeration and Classification (MITRE)
- CVE – Common Vulnerabilities and Exposures (MITRE)
- CVSS – Common Vulnerability Scoring System (NIST)
- CPE – Common Platform Enumeration (NIST)
- OVAL – Open Vulnerability and Assessment Language (MITRE)
- OSVDB – Open Sourced Vulnerability Database (OSF)
MITRE – not-for-profit org that operates US federally funded research centers.
Serializations: JSON, YAML, XML

TI Case Study
Anubis Networks Cyberfeed – helping an energy company and its customers stop cyber threats
Challenge: availability and reliability of networks and infrastructure, which can be compromised by malware designed to impact network and employee productivity.
Solution: the company is now able to detect devices and machines related to information-stealing Trojans using real-time security data feeds via API access, a live dashboard and plugins to its SIEM system (Splunk):
- Detect networks and devices compromised with persistent or new malware families;
- Understand the malware landscape at the company, network, local, country level;
- Track botnet behavior, growth, dispersion and lifetime;
- Intercept and monitor communications between malware and C&C server;
- Ability to define business rules to query communication data details between compromised devices and C&C.
Business benefits: amongst others, the client detected an infected internal machine that only appeared on weekend days. It used Cyberfeed to pinpoint the compromised machine, finding it was a person accessing the network through an infected personal device.

Step 5: React – timely & well-informed. Hunt for it.
In reality, companies and organizations struggle with:
- Threat detection, investigation and incident response are immature
- Determining the root cause of incidents and then containing and remediating them is the tough nut
- Making use of security intelligence
- Evaluating the assets' risk state
- SIEM tools also require advanced skills and knowledge
- Many SIEMs are verbose – give too many FPs
- Many attacks spread over a larger period of time and context may be lost / lacking

Step 5: React – timely & well-informed. Hunt for it.
Ideal SOC / IR Team
- Duty officer / Tier 1 Analyst – takes care of all incoming requests. Ensures that all incidents have owners.
- Triage officer / Tier 1 Analyst – deals with the reported incidents, decides whether it is an incident and is to be handled, and by whom.
- Incident handler / Tier 2 Incident Responder – works on the incident: analyzes data, creates solutions, resolves the technical details and communicates about the progress to the manager and the constituents.
- Incident handler / Tier 3 Subject Matter Expert – advanced analyst that deals with complex cases that involve a cross-field investigation.
- Incident manager – responsible for the coordination of all incident handling activities. Represents the team in communicating to outside 3rd parties.
Services staffing:
- To deliver the two core services of distributing advisory bulletins and incident handling: a minimum of 4 FTE.
- For a full-service CSIRT during office hours, also maintaining systems: a minimum of 6 to 8 FTE.
- For a fully staffed 24x7 shift (2 shifts during out-of-office hours), the minimum is about 12 FTE.
Source: “Ten Strategies of a World-Class Cybersecurity Operations Center” (MITRE)

Step 5: React – timely & well-informed. Hunt for it.
Investigative Lifecycle:
1. Initial Evidence
2. Create IOCs for Host & Network
3. Deploy IOCs in the Enterprise – e.g. IDS/SIEM
4. Identify Additional Suspect Systems
5. Collect Evidence
6. Analyze Evidence
7. Refine & Create new IOCs
Source: “An Introduction to OpenIOC”, Mandiant
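One turn of the investigative lifecycle above, as an added example (not code from the slides, Mandiant or Anubis Networks), run over constructed flow records: a C&C address from a feed is the initial evidence, deploying it finds the hosts that beacon to it, their other destinations are refined into candidate IOCs, and re-deploying finds an additional suspect system. The weekday profile at the end reproduces the weekend-only device from the TI case study. All addresses (TEST-NET ranges), host names and flow records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# All indicators, hosts and flow records below are constructed (TEST-NET ranges).
SEED_IOCS = {"203.0.113.10"}               # C&C address from the feed: initial evidence
ALLOWLIST = {"192.0.2.53", "192.0.2.80"}   # known-good destinations, never promoted

# Flow records: (timestamp, source host, destination IP).
FLOWS = [
    ("2015-03-02 09:15", "ws-012", "192.0.2.80"),      # Monday, benign
    ("2015-03-02 09:20", "ws-012", "203.0.113.10"),    # Monday, C&C beacon
    ("2015-03-02 09:21", "ws-012", "198.51.100.77"),   # Monday, unknown peer
    ("2015-03-03 14:00", "srv-db1", "198.51.100.77"),  # Tuesday, same unknown peer
    ("2015-03-04 08:00", "ws-044", "192.0.2.80"),      # Wednesday, benign
    ("2015-03-07 11:02", "byod-77", "203.0.113.10"),   # Saturday, C&C beacon
    ("2015-03-08 10:45", "byod-77", "192.0.2.53"),     # Sunday, benign
    ("2015-03-14 12:30", "byod-77", "203.0.113.10"),   # Saturday, C&C beacon
]

def deploy(flows, iocs):
    """Match network IOCs against flows: {host: [(timestamp, destination), ...]}."""
    hits = defaultdict(list)
    for ts, src, dst in flows:
        if dst in iocs:
            hits[src].append((ts, dst))
    return dict(hits)

def refine(flows, hits, iocs, allowlist):
    """Candidate IOCs: destinations of confirmed hosts that are neither known
    IOCs nor allowlisted. An analyst vets these before the next deployment."""
    return {dst for _, src, dst in flows
            if src in hits and dst not in iocs and dst not in allowlist}

def hunt(flows, seed, allowlist, max_rounds=5):
    """Deploy -> refine until the IOC set stops growing; returns (iocs, hits)."""
    iocs = set(seed)
    for _ in range(max_rounds):
        hits = deploy(flows, iocs)
        new = refine(flows, hits, iocs, allowlist)
        if not new:
            return iocs, hits
        iocs |= new
    return iocs, deploy(flows, iocs)

def weekend_only(hits):
    """Hosts whose every IOC hit fell on a Saturday or Sunday."""
    weekday = lambda ts: datetime.strptime(ts, "%Y-%m-%d %H:%M").weekday()
    return sorted(h for h, ev in hits.items() if all(weekday(ts) >= 5 for ts, _ in ev))

if __name__ == "__main__":
    iocs, hits = hunt(FLOWS, SEED_IOCS, ALLOWLIST)
    print("IOCs after refinement:", sorted(iocs))
    print("suspect hosts:", sorted(hits))
    print("weekend-only hosts:", weekend_only(hits))
```

The refine step is deliberately greedy: in practice every candidate it promotes is vetted by an analyst before the next deployment, otherwise a single shared destination would mark every host in the enterprise as suspect.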

Step 5: React – timely & well-informed. Hunt for it.
"The old mantra of “trust but verify” just isn’t working. “Never trust and verify” is how we must apply security in this era of sophisticated breaches."
Quote: st-security-architecture
Actually a Russian proverb, “Доверяй, но проверяй”, that Suzanne Massie, a writer on Russia, taught President Ronald Reagan.

[email protected], 40722.754.319, @cteodor
UTI-CERT Team contacts: [email protected]

3. Research

clickSIGN Online
- Function as a service
- Private key in the cloud
- Local component: web browser
- Sign and Verify web service architecture
- Files stored in Office 365
- File always in the cloud, never on the local machine
- Native signatures, PDF signatures, CMS (RFC 5652) signatures

WhatYouSeeIsNotWhatYouGet
- WebRole1: web service interface
- SharePoint Worker: files manager
- Signature Worker: signature manager

diskSAFE for the Cloud
- The user interface and the driver were adapted to work with data in chunks
- The sync module ensures that data chunks are synchronized between local and cloud storage

Classic work patterns
Pattern 1:
1. PC1 – a virtual encrypted disk is created for sync with cloud storage
2. PC2 – in the second PC, the virtual encrypted disk is imported from the configured cloud storage folder
3. PC1 – a secondary user is added for the second PC – the entire file containing the encrypted disk is synced to cloud storage by the client
4. PC2 – the secondary user will be able to access the encrypted disk after he gets the entire file
On a large disk, any small modification triggers entire content synchronization.
Pattern 2:
1. PC1 – a virtual encrypted disk is created. It is copied on a USB stick
2. PC2 – in the second PC, the virtual encrypted disk is imported from the USB stick
3. PC1 – a file is created and stored in the virtual encrypted disk. The entire disk must be copied to the USB stick
4. PC2 – the disk is mounted from the USB stick

Cloud based work patterns
Pattern 1:
1. PC1 – a virtual encrypted disk is created for sync with Dropbox
2. PC2 – in the second PC, the virtual encrypted disk is imported
3. PC1 – a secondary user is added for the second PC
4. PC2 – the secondary user is able to access the encrypted disk
Different from typical usage, when a user is added, instead of replicating all the data with the cloud only one chunk is synchronized.
Pattern 2:
1. PC1 – a virtual encrypted disk is created for sync with Dropbox
2. PC2 – in the second PC, the virtual encrypted disk is imported
3. PC1 – a file is created and stored in the virtual encrypted disk
4. PC2 – the disk is mounted and the file is present
Depending on its size, when the file is stored on the disk, just the affected chunks are synced.
Some real-life performance figures (file size – link speed – sync time):
- 4 MB – 1 Mb/s – 32 s; 4 MB – 10 Mb/s – 3.2 s; 4 MB – 100 Mb/s – 0.3 s
- 10 MB – 1 Mb/s – 80 s; 10 MB – 10 Mb/s – 8 s; 10 MB – 100 Mb/s – 0.8 s
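The difference between the classic and the cloud patterns, as an added simulation (not diskSAFE code): the sync module keeps a digest per chunk and re-uploads only the chunks whose digest changed, so a small write into a 4 MB disk image costs one chunk instead of the whole file; the transfer-time helper reproduces the figures quoted above. The chunk size is an assumption, MB is taken as 10^6 bytes, and each chunk is assumed to be encrypted independently so that a plaintext change only touches its own chunk.

```python
import hashlib

# Added simulation; chunk size is assumed. Each chunk stands for an independently
# encrypted block, so a change to the plaintext touches only its own chunk.
CHUNK = 64 * 1024

def chunk_digests(image, chunk=CHUNK):
    """Digest per chunk; the sync module compares these to find changed chunks."""
    return [hashlib.sha256(image[i:i + chunk]).hexdigest()
            for i in range(0, len(image), chunk)]

def changed_chunks(old_digests, new_digests):
    """Indices of chunks whose digest differs or that did not exist before."""
    return [i for i, d in enumerate(new_digests)
            if i >= len(old_digests) or d != old_digests[i]]

def bytes_to_sync(old_image, new_image, chunk=CHUNK):
    """Bytes uploaded by chunked sync after old_image changed into new_image."""
    idx = changed_chunks(chunk_digests(old_image, chunk), chunk_digests(new_image, chunk))
    return sum(len(new_image[i * chunk:(i + 1) * chunk]) for i in idx)

def transfer_seconds(nbytes, mbit_per_s):
    """Seconds to push nbytes over a link of mbit_per_s megabits per second
    (MB taken as 10^6 bytes, which reproduces the slide's figures)."""
    return nbytes * 8 / (mbit_per_s * 1_000_000)

def compare_patterns(disk_size=4_000_000, write_at=1_000_000, write_len=100, chunk=CHUNK):
    """Classic pattern (whole file re-synced) versus cloud pattern (changed chunks
    only) after one small write into a constructed disk image."""
    old = bytes(disk_size)
    new = old[:write_at] + b"\x01" * write_len + old[write_at + write_len:]
    return {"whole_file": len(new), "chunked": bytes_to_sync(old, new, chunk)}

if __name__ == "__main__":
    print(compare_patterns())
    for size in (4_000_000, 10_000_000):
        print(size, [round(transfer_seconds(size, bw), 1) for bw in (1, 10, 100)])
```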

Computing on encrypted data

Experimental facts
The practical implementation for determining X Y and X Y (followed by the corresponding experimental results) was built on top of the HElib library. It consists in coding the corresponding compute-recursive functions (C/C++ code). In this manner, we used the leveled version of the BGV FHE scheme (embedded in the 2014 version of HElib). The reported time for the comparison of two 8-bit integers, X Y, is 12 seconds (for 128 bits of claimed security and using one core of an Intel(R) Xeon(R) E5-1620 at 3.6 GHz).

Experimental facts
Finding the maximum number working with an encrypted array:
- Security – 140 bits
- Time – 1295 sec
- Memory – 3.8 GB
- No. of elements in the array – 16
The conducted tests involved a workstation with an x64 openSUSE 12.1 distribution (Intel i7-4710HQ processor running at 3.5 GHz, one core and 8 GB RAM). This is the time cost needed for the homomorphic evaluation of the GETMAX function for an array of integer values (of n 8 bits length).
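An added illustration (not HElib or the authors' code) of what the two experiments above evaluate: the recursive comparator, assumed here to be X < Y, and GETMAX over an array, written as circuits of XOR and AND gates, the two operations a BGV scheme over GF(2) performs on ciphertexts. The bits are evaluated in the clear; the Circuit class accounts the cost that matters for a leveled scheme, the number of AND gates (ciphertext multiplications) and the multiplicative depth, which dictates how many levels the HElib instance must be set up with. The gate counts and the tree-shaped GETMAX are this example's own modelling, not figures from the slides.

```python
# Added illustration: bits are evaluated in the clear, while Circuit accounts the
# cost a leveled BGV instance pays: AND gates (ciphertext multiplications) and
# multiplicative depth (levels); XOR is a ciphertext addition and costs no level.
class Circuit:
    def __init__(self):
        self.ands = 0
    def const(self, b):
        return (b, 0)                           # wire = (bit value, depth)
    def xor(self, a, b):
        return (a[0] ^ b[0], max(a[1], b[1]))
    def not_(self, a):
        return (a[0] ^ 1, a[1])
    def and_(self, a, b):
        self.ands += 1
        return (a[0] & b[0], max(a[1], b[1]) + 1)

def encode(x, c, n=8):
    return [c.const((x >> i) & 1) for i in range(n)]   # LSB first

def decode(wires):
    return sum(w[0] << i for i, w in enumerate(wires))

def less_than(xs, ys, c):
    """Recursive comparator from the LSB up: x[:i+1] < y[:i+1] iff x_i < y_i, or
    x_i == y_i and x[:i] < y[:i]. The two cases exclude each other, so their OR
    is a plain XOR and only XOR/AND gates are needed."""
    lt = c.const(0)
    for xi, yi in zip(xs, ys):
        below = c.and_(c.not_(xi), yi)
        same = c.not_(c.xor(xi, yi))
        lt = c.xor(below, c.and_(same, lt))
    return lt

def maximum(xs, ys, c):
    """Bitwise multiplexer: y_i where x < y, else x_i, without branching."""
    lt = less_than(xs, ys, c)
    return [c.xor(xi, c.and_(lt, c.xor(xi, yi))) for xi, yi in zip(xs, ys)]

def compare(x, y, n=8):
    """(x < y as 0/1, AND count, multiplicative depth) for n-bit inputs."""
    c = Circuit()
    lt = less_than(encode(x, c, n), encode(y, c, n), c)
    return lt[0], c.ands, lt[1]

def getmax(values, n=8):
    """GETMAX over an array as a balanced tree of maximum() calls: the depth grows
    by n + 1 per tree level, i.e. 9 * ceil(log2(len)) for 8-bit values, against
    9 * (len - 1) for a linear fold. Returns (max, AND count, depth)."""
    c = Circuit()
    layer = [encode(v, c, n) for v in values]
    while len(layer) > 1:
        pairs = [maximum(layer[i], layer[i + 1], c) for i in range(0, len(layer) - 1, 2)]
        layer = pairs + layer[len(layer) - len(layer) % 2:]   # carry an odd tail over
    return decode(layer[0]), c.ands, max(w[1] for w in layer[0])
```

For the 16-element array from the slide the tree needs 360 ciphertext multiplications at depth 36, whereas folding the array linearly would push the depth to 135 and force a far larger parameter set.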

TTP
The approach is straightforward: we use a web crawler for the site and a browser extension for the user experience. Cryptography comes into place with digital signatures and timestamping.

TTP
- The Firefox add-on works with our server, sending captured images; Heritrix is used for crawling and storing data.
- The signature service is used to sign and timestamp captured images and sites. Advanced signatures are used so that they can be validated at a later point in time.
- All signatures are stored for presentation to interested users.
