This post was provided to us courtesy of Mr. Robert Former, an information security professional and energy industry information security expert. We’d like to thank both Robert and his employer, Itron, Inc., for their time and co-operation.
Will Gragido
Smart Meters – An introduction
INTRODUCTION
Like any commodity, energy, gas, water and sewage disposal must be measured to be sold. Over time a number of technologies have evolved to accomplish this goal. Naturally, as long as there has been a way to meter a service, there have been people trying to figure out how to get around the metering systems and get those services for free. This paper will examine some of the new metering technologies and compare them to the older traditional methods in the light of a secure implementation.
TRADITIONAL METERING (Electro Mechanical)
The way services and utilities have traditionally been monitored has been with a mechanical system. Gas or water runs past some sort of vane which spins, driving gears and turning dials. Similarly, a mechanical electric meter uses induction loops to spin an aluminum disk which then turns gears that spin dials. Of course this data needs to be collected to be billed. With this type of metering, a utility will typically get an actual read through a meter reader and use sophisticated statistical modeling to estimate the rest of the time. How often the actual read occurs is really a function of state regulation and utility policy. Now an interesting thing that you can do (among many) is that if you understand the cycle that your utility uses, you can invert the meter. That’s right, pull it out of the socket, turn it over, put it back in and you still get electricity, but the meter runs BACKWARDS! Cool, free electricity as long as you don’t let the meter reader see the meter installed upside down. Some meters had mechanisms to prevent them from running backwards, but not all. One way the utilities have come up with to combat this and other methods of fraud goes back to the sophisticated statistical modeling. If the system sees a significant change in your usage pattern, you get flagged for a live read.
AUTOMATIC METER READING (AMR)
Automated Meter Reading was introduced to accomplish two primary goals: improve the accuracy of metering by getting more live reads, and reduce the work force required to gather meter data. AMR is set up to send the data back to the billing system via some communication method, be it fixed service radio, data over power line, a meter reader with a handheld device, or a truck driving around and gathering the data over a low power radio link to the meter. AMR introduced another interesting feature: the ability to detect if someone had tampered with the meter. As the technology has advanced, and traditional mechanical meters are replaced, AMR systems have become increasingly prevalent. The major downside to an AMR system is that it is mostly a one way communication system. The meters “bubble up” the data on a periodic basis to the utility. Newer Advanced AMR systems have integrated some limited two way functionality, adding features like reading meter data on demand and remote disconnect switches. “Demand Reset” is also a function sometimes provided in two-way AMR. When you track a customer’s peak demand, the meter records the maximum peak instantaneous usage over a period. At the end of that period, you need to reset the demand back to zero so you can record during the next period. In earlier days, there was a locked button or lever the meter reader would press (they had the key) when they did the readings. More modern devices can do it based on a clock. In two-way AMR you can send a demand reset command after you’ve successfully retrieved the demand value. This inevitable march of progress has led us to the latest in service metering technology, AMI.
ADVANCED METER INFRASTRUCTURE (AMI)
Advanced Meter Infrastructure is where it gets cool (and spooky to some). AMI is the natural evolution of AMR technology: a full two way communication system that allows on demand reading, Time of Use (TOU) billing, remote disconnect operation, load limiting, demand response, and more. Where things get really interesting is when a Home Area Network (HAN) is integrated into the meter. Now the meter can talk to properly equipped furnaces, air conditioners, water heaters, micro generation systems, thermostats and In Home Display (IHD) devices that tell you just how much running the dishwasher will cost you at 3 in the afternoon vs. 3 in the morning. Beyond that, it enables portable billing and usage of Personal Electric Vehicles (PEV), which can also be leveraged as local storage devices to help manage load spikes on the distribution system. Another interesting feature is the ability to subscribe to a service from the utility that allows them to reduce your power consumption by managing large appliances in return for a lower billing rate. Notice I said SUBSCRIBE. You have to sign up for it. This is important because for all the really interesting things AMI can do, it has also stirred up some serious political debate. While the technical concerns around security are addressed further on, let us examine the paranoia that AMI has raised. The first fear is that The Government (you know who I mean, the socialist/fascist (sic) fat cats in and around DC) is going to take control of your appliances and dictate when you can use them, and how much. This is followed rapidly by the fear that The Government will collect your usage information and somehow use it against you. None of this is helped by political pundits and demagogues who have decided to whip the masses into a frenzy using this as one of the egg beaters. Politics aside, there ARE some genuine security concerns to look at, and that is one of the things we will look at starting with the next installment, “The Risks”.
There are some intermediate steps in the evolution from electro-mechanical metering to AMI, but they are outside the scope of this discussion. If you would like more information about the details, Wikipedia has some good articles.
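As an added illustration (not from the original post and not Itron’s code), here is a simplified version of the statistical flagging described under traditional metering: it turns monthly register reads into consumption per period and flags an account for a live read when the register runs backwards (the inverted-meter case) or when usage drops far below that account’s own baseline. All reads, thresholds and function names are constructed for the example.

```python
"""Flag an account for a live read from its register history.

Constructed example: a minimal stand-in for the statistical modeling a
utility runs over estimated-vs-actual reads. Two conditions are flagged:
  * the cumulative register went backwards between two reads, and
  * consumption in a period fell far below the account's own baseline.
"""
from statistics import mean, pstdev


def consumption(reads):
    """Turn cumulative register reads (kWh) into per-period consumption."""
    return [later - earlier for earlier, later in zip(reads, reads[1:])]


def flag_account(reads, min_history=6, z_threshold=2.5):
    """Return [(period_index, reason), ...] for periods that need a live read.

    period_index counts consumption periods (0 = first delta).  The baseline
    is built only from earlier, unflagged periods, so one anomalous month
    does not poison the model for the months that follow.
    """
    flags = []
    baseline = []
    for i, used in enumerate(consumption(reads)):
        if used < 0:
            # A register can only count up; a negative delta means the
            # meter ran backwards or was swapped.  Never add it to baseline.
            flags.append((i, "register_went_backwards"))
            continue
        if len(baseline) >= min_history:
            mu = mean(baseline)
            # Floor sigma at 5% of the mean (and 1 kWh) so a very flat
            # history does not make the check hypersensitive.
            sigma = max(pstdev(baseline), 0.05 * mu, 1.0)
            if (used - mu) / sigma < -z_threshold:
                flags.append((i, "usage_drop"))
                continue
        baseline.append(used)
    return flags


# Constructed sample data: monthly cumulative reads for two accounts.
# Roughly 800 kWh/month, as a household might draw.
NORMAL_READS = [10000, 10810, 11600, 12420, 13225, 14020, 14835,
                15635, 16445, 17235, 18040, 18840, 19635]
# Same profile for eight months, then usage collapses and the register
# actually decreases once: the pattern an inverted meter would produce.
TAMPERED_READS = [10000, 10810, 11600, 12420, 13225, 14020, 14835,
                  15635, 16445, 16595, 15995, 16155]


if __name__ == "__main__":
    for name, reads in (("normal", NORMAL_READS), ("tampered", TAMPERED_READS)):
        print(name, flag_account(reads))
```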
About Our Guest Author:
Robert Former: Robert is a security engineer with 20 years’ experience in the IT field. Throughout his career, Robert has worked in many aspects of Information Technology and has experience in the design, implementation, and operation of cabling, LAN, WAN, MAN, both traditional and IP telephony, data centers, server systems, and, for the last 7 years, Information Security and Compliance. Robert currently holds the ISC(2) CISSP™, ISACA CISA™, and NSA IAM/IEM certifications. He is employed by Itron, Inc., a leading manufacturer of energy measurement systems, as the Principal Security Engineer in the R&D department. In his spare time, Robert enjoys spending time with his family as well as pursuing photography and amateur radio as an enthusiast.
Want To Play A Game?: Preparedness and Cyber Event Games
Any Given Tuesday
On February 16, 2010 the Bipartisan Policy Center’s national security preparedness group (led by Thomas Kean and Lee Hamilton), in co-ordination with former CIA Director General Michael Hayden and others, ran a mock cyber attack scenario. I watched as the participants worked their way through the mock scenario and, like many in my field, remained quiet with respect to the matter, preferring to hear the comments of others prior to offering up any ideas of my own about the exercise itself. The role playing game took place in an alternate 2011. In this alternate reality 2011, hackers distribute a free phone application containing a virus, which lets them do the following:
- Sniff and capture passwords
- Capture keystrokes
The scenario combines a series of quite serious events that individually pose major problems and collectively represent a disastrous situation:
- Malicious code & content is propagated via an infected mobile phone application, thus propagating the code and establishing command & control (C&C) (EVENT OF INTEREST)
- Worsening conditions due to the spread of the malicious code & content lead to confusion in the financial markets (FINANCIAL CRISIS #1), resulting in the abandonment of smart phones as they are now viewed with grave suspicion
- Consumer confidence plummets in the market specifically with respect to the mobile communication & smart phone manufacturers resulting in a $3 Billion USD loss in two weeks (FINANCIAL CRISIS #2)
- Data servers and alternate communications systems components (servers), experience excessive traffic conditions leading to worsening communications availability, quality, integrity (COMMUNICATIONS NETWORK CRISIS #1)
- Alternate universe 2011 experiencing climate issues (ENVIRONMENTAL CRISIS #1 & #2)
  - Summer 2011 is one of the hottest in recorded history
    - Impacts cooling stations within the power grid
  - Hurricane hits Gulf Coast
    - Damages the natural gas infrastructure of the United States
- Sub-national terrorist attack (bombing) at a power station takes place
  - Renders key elements of the national power grid inoperable
  - Millions left without power
Conclusions Made By The Participants: The U.S. Is Not Prepared For a Large Scale Cyber Event
Concerns and Comments on The Outcome
I struggled greatly with this for many reasons, not the least of which is that I am a citizen of the United States, was born and bred here and make my residence here as well, along with hundreds of millions of other Americans. Former Director General Hayden, along with others, concluded that should an event such as this occur, the outcome would be disastrous. Though I understood the rationale being employed to conduct the test (it is hardly new; role playing scenarios have been used for decades to test preparedness), I was, and to a degree remain, torn with respect to broadcasting a message such as this one to the world at large, regardless of whether or not it reflected true, current statistics. My fear is that in sharing this type of information with the masses the result could very well be pandemonium and panic as opposed to curiosity leading to inquiries to congressmen and women or senators.
Warfare, after all, is a behavioral activity demonstrated by human beings toward one another; it is as old as time. Archeologists have substantial evidence that suggests in no uncertain terms the realities of warfare long before history recorded the rise of the State as Westerners define it. In his 1996 book War Before Civilization (Oxford Press, 1996), Lawrence H. Keeley, a professor in the Anthropology Department of the University of Illinois Circle Campus, Chicago, stated that “approximately 90–95% of known societies throughout history engaged in at least occasional warfare and many fought constantly.” Cyber warfare is a logical extension of this mindset; a modern addition to a longstanding tradition replete with customs, courtesies, weapons and protocols. I’ve written previously on the activity and attitudes held by certain nation states with respect to cyber warfare; some friendly, others not so friendly, to the United States. The fact of the matter is that cyber warfare is real. Debates suggesting anything to the contrary are simply the product of the uninformed or of those who wish to believe that things in the world are different from how they are.
Final Thoughts
Will we see acts of war or wars fought in cyber space? I believe we’ll see a continuation of that which we’ve already seen and noted over the last two decades, if not longer. To assert otherwise would be foolish. Will they manifest the way in which they did in the continuity / disaster recovery exercises described in ‘Operation Shockwave’ (or, for those who recall them, operations ‘Black Ice’ and ‘Blue Cascade’, which took natural disasters or disasters introduced by sub-national entities and married them with cyber attacks)? I wouldn’t want to speculate; however, I believe that though there is much conjecture with respect to this subject, and much debate amongst industry pundits (some fluent, experienced and familiar with warfare and its cyber derivative, and some not), it is not beyond the realm of possibility. A great deal of work has been done in the study of traditional warfare:
- The Art
- The Science
- The Nature
- The Humanity or lack of Humanity
- Tactics
- Strategy
The same is true of the integration of defensive and offensive tactics, strategy and solutions, and this I believe will continue, as our need to address threats which exist on a logically driven front yet have the potential to impact the physical world will only continue to grow. We have an obligation to do what we can, however we can, to protect our nation and our allies. I still believe we should be more discreet with sharing information (I can’t unlearn that which the Marine Corps taught me), and hope that via proper educational channels (many of the participants within the Bipartisan Policy Center’s panel suggested and commented on the need to work with industry in order to ensure the safeguarding of the nation) we will arrive at a point where exercises such as this, and the feelings of angst they produce, are no longer needed nor angst generating.
Why PCI and APTs are NOTHING alike
Today I read a blog entry which both amused and troubled me. The entry in question can be found here and was written by Anton Chuvakin, a smart cat who is obviously trying to draw parallels where they simply do not exist. In this case, he asserts that there are at least 9 reasons which describe how (and why) the PCI-DSS standard and Advanced Persistent Threats (APTs) are alike. Not being new to either, I thought I would read Anton’s entry and see where he was going with this… apparently to la la land… Let’s take a look at what he asserts.
First and foremost, he asserts that they are similar. I find that humorous at best and borderline irresponsible at worst. PCI, as you, dear reader, are well aware, is a governance standard created by the payment card industry (the PCI in PCI-DSS) in order to ensure a homeostatic baseline from which all vendors, merchants, and processors conducting business with the big 6 in payment cards exist and can be measured against. It has nothing to do with threat modeling or mitigation, nor does it ensure (as we are painfully aware due to the unfortunate events which took place at Heartland, Hannaford and a host of others who were either certified PCI Compliant or in the process of being certified) that anything beyond the scope of those systems which comprise the environment that processes credit card information is secured (this is accomplished via vulnerability scanning and auditing against the standard), leaving the remainder of the enterprise to sway in the wind like yesterday’s laundry. For the record, I don’t think PCI is good or bad, but rather like climbing the rope in gym class: if you want to make the grade, you’ll get up that rope; otherwise you’ll receive the consequences. It doesn’t really speak to one’s athletic capabilities or aptitude; however, it does impact your grade… PCI is more akin to this than to APTs.
Anton asserts the following (whether in jest or in all seriousness is debatable):
- “P” in “APT” stands for “persistent”, “P” in PCI stands for … well … PCI is pretty darn persistent
  - Ok… this is cute but hardly relevant or helpful to anyone combating, or faced with the prospect of combating and defending against, the realities associated with APTs.
- Both are absolutely a threat, whether of non-compliance or of severe 0wnage…
  - Both are not threats. The penalties associated with the failure to comply with the PCI-DSS standard, if one’s organization hopes to continue doing business processing credit card transactions, are a promise, whereas the threats associated with ‘APTs’ are wildcards and cannot be guaranteed, as no two ‘APTs’ are alike.
- “Nobody would ever find that we lied on our SAQ” is said sometimes in PCI, and “no APT will want to hack us” is often said about APT.
  - I have no issue with this, only because it is generally true that in making assumptions which eliminate the possibility of risk one does oneself no favors.
- People under PCI sometimes do not want to update their anti-malware defenses, because they say “it is too hard.” People under APT often also do not update their anti-malware because… hey… what’s the point?
  - In all my years in consulting, working in research, and for two different information security vendors, I have never met an organization who said updating was too hard. I have, however, met several who have asserted that the politics which governed their environments were prohibitive and that their management teams were, for better or worse, comfortable with the assumed level of risk under which they labored and operated. Fair enough, it’s your environment, do as thou wilt. However, in working with those who have been victimized by ‘APTs’ I can tell you that none have ever (let me reiterate: EVER) said “what’s the point” in updating their malware defenses. The reality is that 99.999% of the time, they were completely unaware that their environments were at risk; they were updating their defenses and assumed their vendors were maintaining congruency and continuity with respect to the content they were delivering. In most of these cases, the advanced analytic tools which were necessary (above and beyond logging and monitoring, by the way) were not present within these environments, and as a result the ability to track the activity associated with these threats was absent.
- “A” in APT stands for “advanced,” PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station)
  - True; however, there are restrictions and guidelines associated with transaction levels (minimum activity and dollar amounts etc.). ‘APTs’ are not always terribly advanced. Ghost Net is a phenomenal example of this. The vulnerability which was exploited was quite old, the tool which was used was not sophisticated (Ghost RAT), and the rest is history.
- With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
  - PCI is well documented and the domains clearly articulate what is required in order to meet compliance in terms of operational controls (manual & programmable), in addition to internal and externally related controls. I already addressed the nature of ‘APTs’ two bullet points ago; however, I will reiterate that by the time you are aware one is in your environment (provided you are not in possession of the types of technologies which would provide you the view necessary to capture and identify associated ‘APT’ activity), it is too late. At this point you’d need to take immediate steps to stop the bleeding (exfiltration of data) from your organization.
- Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
  - Agreed, but again this is true of all things within information security.
- PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
  - PCI does require logging and monitoring. However, APTs require (as I mentioned previously) much more than simple logging and monitoring. Session based analysis, for example, must be present; if it is not, you will likely never see an ‘APT’ coming, going or just hanging about collecting data.
- People refuse to deal with PCI because they do not believe that anything bad will happen to them, similarly people refuse to deal with APT since they don’t know that APT has already happened to them.
  - This is an oversimplification of the challenges associated with both PCI and ‘APTs’ (and part of the reason I stated earlier that Anton’s original post was borderline irresponsible). PCI has teeth, unlike many other regulatory and / or compliance acts. This is true for several reasons, not the least of which is that it is not being pushed by the federal government but rather originates with privatized business, thus placing stringent conditions upon those who must meet its criteria in order to remain in business. People do not refuse to address ‘APTs’. This is both preposterous and asinine. Most people, specifically those outside the financial services, defense industrial base, or research & development environments (pharmaceutical, high technology, low technology etc.), are unaware of the existence of ‘APTs’. Being unaware of the existence of something does not in any way imply that under other circumstances one would refuse to acknowledge the existence of that thing should proof be brought forth. This is an underdeveloped line of logic, and it is logic such as this, being espoused within the industry today, that is allowing ‘APTs’ to become the hot topic amongst any and all vendors who may or may not have any experience or expertise with these threats.
I hope this comparison and contrast was helpful to those who read it as well as Anton’s blog. My goal in writing this is threefold:
- To ensure that the dialogue pertaining to APTs and other advanced families of threats remains pure and unadulterated.
- To ensure that inaccuracies and underdeveloped concepts are prevented from permeating the cultural zeitgeist.
- To ensure certain parties avoid liberating graphics from entries posted here at Cassandra Security.
German Government and Internet Explorer
The German government has warned against the use of Internet Explorer citing that Microsoft’s recommendations to increase the security zone setting to High would not make the browser safe.
It’s an interesting statement in what sure is going to continue to be a tough time for Microsoft. You’ll see that in the article from BBC that I linked above, Mr. Thomas Baumgartner of Microsoft states, among other things, “These were not attacks against general users or consumers.” That’s where Microsoft has proven to me their short sightedness in their issues surrounding flaws in Internet Explorer.
In this specific case, Mr. Baumgartner is absolutely correct in stating that the attacks against Google, Adobe, Juniper and unnamed others weren’t attacks against consumers. However, I think he’s missing a key point: with IE installed on over 60% of computers worldwide there is a better than average chance that consumers WILL SOON be targeted, and this is why I take issue with Microsoft’s defense against the German government warning.
My comments in this post are not intended to be an indictment against Microsoft. The fact is that Microsoft has huge market share at both the OS and application level, thus it follows that their applications are more likely to be targeted for attacks. But, it’s all in how the situation is handled and how the vendor shows they understand the long term implications of this problem. As I stated above, based on the comments reported in the press, they don’t fully understand the potential depth of the problem.
Personally, if I were responsible for IT in an organization, starting tomorrow I would think very, very seriously about taking the following actions:
- First, on all systems running IE, implement Microsoft’s recommendations in the security advisory for this issue.
- Second, have my IT administrators develop a plan to install Firefox on all systems which require a web browser and do so as the default web browser.
- Third, remove Internet Explorer from all systems unless there is a specific internal application or other 3rd business application which only supports IE. Then I would have it only installed on systems requiring access to that app, would have the security settings tuned to high and would disable as much scripting as possible.
I’m not naive, I know there are vulnerabilities in Firefox; in fact, when looking at Secunia this morning I found there to be more vulns in Firefox than there are in IE (versions 5.0.1 through 8). However, the one thing I noticed as well is that Firefox vulns were more likely to be patched in a quicker fashion than IE, and that the vulns reported in Firefox collectively were not as severe as the vulns reported in IE. My recommendations are based on the fact that this isn’t the first time a critical vulnerability in IE has been exploited and the only defense was to wait for the patch. This recommendation is purely defensive against a future IE zero day that goes unpatched for a significant length of time after discovery.
Granted, zero day is generally defined as an attack that occurs against a vulnerability that was previously unknown. In defense of Microsoft, it’s pretty tough to patch a zero day vulnerability before an attack occurs. However, this series of attacks occurred last week and the recommendations against exploitation are browser settings, not a patch. This isn’t going to work for the consumer or casual user and, very likely, won’t work effectively for the large enterprise either.
The reasons are simple:
- Consumers and casual users (non-IT SMBs, etc) don’t understand what these settings really mean and will be very likely to “tune them back down” once their favorite website doesn’t display correctly.
- Large enterprises with thousands of employees can’t absorb the costs of taking calls from the help desk asking “how do I make these changes again?” or trying to explain why some website isn’t working.
It’s quite simple for me to make these changes on the two computers I have in my house and to manage them appropriately. But in actuality, it’s easier for me to have my wife and son run Firefox rather than risk the “next IE zero day.”
I realize that it very well may be Firefox tomorrow if everyone jumps to that browser, but we’ve been here before with IE and we’ll probably experience it again.
Anyhow, I see no issue with the German government advising against the use of Internet Explorer and would not be surprised to see other organizations follow suit.
Again, this is not an indictment against Microsoft, rather this is about taking the necessary steps to protect your critical information and systems. Finally, let me ask you a question. Do you rely on your builder or landlord to tell you how to protect your personal information in your house or do you trust the safe manufacturer instead? For information security, rely on the security professionals.
As a final disclaimer, these views are mine alone and do not reflect the views of my employer.
There is A LOT of press regarding Google and the Chinese exfiltrating data from many corporations. The Wall Street Journal has a pretty good write up; if you have not had a chance to read it, I would encourage it: http://bit.ly/92Q1CI . Honestly, it does not matter if the attack vector was going through Google or any other medium for that matter. It’s important to understand that any open Internet connection, combined with the financial backing of a State or Non-State Sponsored cyber hit, has been and will continue to be used to exploit any target of value. First, APTs have been around for a long time. Furthermore, the technologies required to uncover these “Subversive Multi-Vector Threats (SMT)”, as my close colleague and friend Will Gragido describes in a recent blog posting (http://bit.ly/8TlP6d), are typically not core infrastructure security devices. What are core infrastructure security devices? FW/UTM/NGFW, IPS, Web & Mail security, A/V, HIPS and some form of DLP, to name a few. Those that I listed are great for detecting, stopping and mitigating about 80 – 90% of the attack surface, according to an article in which the NSA was quoted. Keep in mind that people, process and a select few technologies and vendors bridge that 10 – 20% gap.
APTs, or SMTs as we here at Cassandra refer to them, are typically a topic that not a lot of security professionals are qualified to speak about, and because the threats are so stealthy it’s not talked about. Will and I recently gave a talk on APTs at ToorCon this past fall. Our ToorCon presentation can be found here: http://bit.ly/73tuYA . We are passionate and very experienced in dealing with this subject matter, as we’ve had to deal with this specific attack vector for the past 15 years. It’s not surprising that it’s starting to get coverage and, unfortunately, it’s probably the best vector for obtaining any type of data almost undetected. Now with that said, the sky is not falling, but corporations are going to have to make investments in key technologies and people if they really want to know what’s going on within their network. Correlated event data from multiple threat feeds is a great thing, but it’s not as powerful as having full session based data. SMTs are like bread crumbs that fall through the cracks, and the types of technologies that can catch the breadcrumbs are those developed by Netwitness and Palantir, to name a few. Not plugging them, but these types of technologies are needed in uncovering the stealthy threats that go bump in the night and in broad daylight. Additionally, the time to protection is constantly shrinking, and reactive point products that provide retroactive assurance can’t scale with the current threat landscape. The paradigm of a siloed data feed model needs to change. A vendor that’s leading this model is McAfee. Again, at Cassandra we remain technology vendor agnostic; however, when it comes to the severity of the threats, the industry needs to change and follow the example of the vendors that are leading the battle in combating SMTs, formerly referred to as APTs. More to come on this topic.
What is Security Research Worth?
Recently I’ve been giving thought to the value of security research and what a customer might pay for access to information collected by an organization with an expertise in assessing technical threats and vulnerabilities, government mandates and geo-political climates and then applying this knowledge to information security programs and practices. There are very likely two knee-jerk responses to this with one being, “Why would I pay for something my people can research on the internet?” and the other might be “Well, if I can get true value to increase the security posture of my organization, sure I’d pay for it.”
In either case, we still don’t know how much we should be paying for this research. I would say that we must first start with figuring out what it would cost an employer to hire an experienced security analyst or engineer, who is then dedicated to this function. According to Payscale.com security specialty pay ranges from $63,000 on the low end to nearly $100,000 per year on the high end. Add to this another 35% for benefits and you have a $135,000 per year experienced employee to spend their entire day collecting information from various websites and other resources. But remember that this person will only work about 40 to 50 hours per week, so what about the rest of that time?
So let’s assume that you have a relief factor of 0.7 (standardized for the private sector), so the number of persons needed for a single position is 1.7 to take into account weekends, vacation and sick time. That said, if you’re going to staff 3 positions to achieve 24x7x365 security research and analysis capabilities, the number of people needed for that team is 5.1 (we’ll round it down to 5), so the total employee cost for a year is $675,000 plus training and education costs.
Ok, I know that I’m making some assumptions here and the actual salaries could be higher or lower depending on market, candidate, etc. Also, I’m making the assumption that an organization would require 24x7x365 staff to perform full security research, analysis and monitoring of the threats, vulnerabilities, market factors and geo-political factors that could impact their critical systems and networks. By the way, security research here does not refer to the need to manage their security infrastructure for specific, targeted events against their infrastructure.
This brings me back to my initial question. Is there value in holistic, independent security research? Would you pay to have access to this information?
I’m certain there is and I would urge you to consider the following as you consider the value of this information or type of service to your organization.
At a minimum the following information needs to be available to the customer:
• Daily reports on the latest trends, threats, vulnerabilities and other issues that are relevant to the customer’s business or market
• Access to up to the minute threat and vulnerability data that allows an organization to customize and select security information relevant to their infrastructure
• Relevant information that covers not only technical threats and vulnerabilities but also anything specific to markets, geographies or political situations, which an organization can use to understand the full impact of technical and geo-political events on its operations
If a research organization can provide this type of information to a customer in a manner that doesn’t compromise their intellectual property or competitive advantage in a marketplace, there is certainly significant value to the customer. I just don’t know how much they would pay for this data. What would you?
Botnets, Malware and the Fortune 100
After a much too long hiatus and sabbatical of sorts, I’m back to contributing to the efforts here at Cassandra.
Anyhow, I came across this article very recently and, while it was published in September, it is a very timely topic given some of the conversations I’ve had with my colleagues here at Cassandra. What follows is my philosophical post. But first I have to give the folks at Defence Intelligence the proper credit and recognition, as the Fox News article referenced above comes from their work.
The first line, stating that at least 50 of the companies in the Fortune 100 are compromised by an information-stealing botnet, was not surprising to me at all. But it did get me thinking about the state of security programs, processes and technology in these organizations, among others. While it might be easy to blame specific industries and their focus on regulatory compliance rather than security (yes, they’re different, and we’ll discuss that in another article), or to lay blame at the feet of a lack of budget and resources, a lack of technology savvy or some other excuse, we must first understand that the Fortune 100 are the largest companies in the U.S.
Let’s start with a few assumptions:
1 – The Fortune 100 are likely to be among the most savvy companies in the world when it comes to adopting and using people, processes and technology to enable their business.
2 – They are more likely to have the resources to enable effective information security programs than smaller companies.
3 – They are likely to have established a CISO or equivalent position.
4 – They are likely to be considered very coveted accounts by technology and security vendors. Therefore, we can expect that they are at least made aware of the latest innovations in technology and security and should certainly be made aware of those vendors’ research efforts into current threats.
Now that I’ve made a few assumptions, I want to dive in to the thoughts that I had on this article.
As I read the article and made these assumptions in my mind, I asked myself: “If over 50% of the Fortune 100 have been compromised, what does that say about the rest of the companies in the US?” The reality is that there is no way to know what it means for the rest of the companies; however, we can probably very safely assume that over 50% of them are compromised as well.
What is not made clear in the article or in the research details I’ve been able to review thus far is how deep the compromise goes into these organizations. Are we talking hundreds or thousands of systems or are we talking a few to tens? That would help put some of this into a better context for this article, but lacking that information I’m going to do my best to illustrate what this could mean from an information security perspective.
Maybe the question to ask is, “What did the other 47% do right?” or were they not tested? There is much to be learned from the research and this report but one thing is very clear to me, these companies have plenty with which to be concerned when it comes to the state of their information security programs.
More later…
Critical Infrastructure Part I Trains and Transit Systems Revised Edition 120509 ready for download!!!
Critical Infrastructure Part I Trains and Transit Systems Revised Edition 120509
We at Cassandra Security are pleased to release a new and revised version of the first installment of a seventeen-part series of papers dedicated to critical infrastructure and key resources. Look for Critical Infrastructure Part II: Drinking Water and Water Treatment to be released in the very near future, in addition to other publications from Cassandra Security.
Seeing Tomorrow Today,
Cassandra Security
Today’s blog entry was inspired by something my friend and colleague, John Pirc, shared with me over the weekend. It was interesting from both a timing and a content perspective, as we had released (the previous Friday, November 21, 2009) the first of a series of seventeen white papers focusing on the seventeen domains identified as being “critical” to the United States by the FBI, DHS and the Intelligence community. That first paper, titled Critical Infrastructure Part 1: Trains and Transit Systems, is germane both to this blog entry and to our collective concern with respect to critical infrastructure, regardless of where it might be, the world over. The white paper dealt with the potential hazards facing trains and transit systems, physical and logical, because of attack or tampering. For those of you who downloaded and read it, you know that we discussed in detail several examples and scenarios (some fictitious, others all too factual), carefully articulating the means by which these aspects of critical infrastructure can be and are being exploited, in addition to how to defend them.
Our mission and reasoning for writing them is and remains simple and pure: educate those who would otherwise remain blind, lost, uninformed or misled, while providing salient detail with respect to the potential for and realities associated with exploitation of these environments, and how best to prevent it. Ultimately, our desire in doing so is to prevent tragedies, via education and awareness, if possible. Sadly, this is not always possible; however, it is a part of the mission, the goal we have set for ourselves. Much of our writing, individual or collective, deals with malicious code and content, threat vectors, reverse engineering and advanced persistent threats, amongst other things; however, an equally vast amount deals with those third parties driven by an agenda either to profit from that which we study in labs or from the sale and execution of these tools to achieve an end.
These third parties may include traditional criminal entities and organizations, cyber-criminal entities and organizations, state sponsored cyber-warfare initiatives, and sub-nationally sponsored cyber-warfare initiatives (aka cyber-terrorism).
Terrorism can be defined as the systematic use of terror to achieve a goal. As there is no universally accepted definition of terrorism, I will use this as a base from which to build and expand, as I believe that most conventional approaches eventually unite around it. Often these systematic approaches involve coercion in addition to violence; psychological impact (which can manifest in and affect the targets differently even when the victims share the same root experience of terror) and fear; political motivation; the deliberate targeting of non-combatants; and unlawfulness. I realize that is a rather generic definition; however, if you would like more information, I suggest looking here, here or here at Dr. Dorothy Denning’s collected works.
Terrorism is a major concern the world over, and Russia is not unique in this case. Since 1991 and the collapse of the Soviet Union, Russia has incurred terrorist activity as it clashed with Chechen rebels in two wars. As a result, Islamist separatists continue to target non-combatants in order to push forward their agenda. On Friday November 28, 2009, an act of terror took place within Russia’s borders. 249 miles northwest of Moscow, in an area noted for its beauty and remoteness, a high-explosive device derailed a high-speed train (favored by Russian executives and government officials) traveling between Moscow and St. Petersburg. The attack left 26 dead with another 100 injured. The explosion derailed the last three cars of the 14-car high-speed train, which carried 652 passengers and approximately 30 crew members according to Russian authorities. Russian authorities have concluded that this was a terrorist act similar to those carried out on the same line in 2007.
In 2007, the Nevsky Express was derailed, causing no deaths. The derailment was attributed to two men with ties to Chechen terrorist organizations. Reports are surging throughout Russia claiming that the party responsible for the attack on the 27th is the same one responsible for an almost identical attack on the same track in 2007, which injured dozens as the train passed over the explosive device. Though two suspects were detained, a third suspect, Pavel Kosolapov, a former military officer believed to have links to Chechen separatists, remains a fugitive. Russian officials released a composite sketch on Monday November 30, 2009 of a man thought to have been involved in the bombing. Russian railroad officials have suggested that this attack had all the hallmarks of attacks used by insurgents from the volatile North Caucasus. The explosive device in question was comprised of approximately 15 pounds of TNT (trinitrotoluene). The blast left a five-foot (1.5 meter) crater near the Nevsky Express train No. 166. Rescue crews worked throughout the night in order to move victims from the debris. A second, smaller blast came Saturday afternoon from a second bomb that authorities believe had malfunctioned. No one was injured in the second blast; however, it delayed rescue and repair work for several hours. When quoted with respect to this event, Russian President Dmitry Medvedev stated that the event had everyone at their wits’ end or, as he put it, “Everyone’s nerves are at the limit.” It is not hard to understand why he, law enforcement and the people of Russia feel that way. According to Russian sources, this was the worst attack they had suffered since 2005.
What struck me about this event was not only its timing, so close to the release of our paper, but also the fact that it affected the same train line within a two-year period. This last fact troubled me greatly: though no one was killed in the 2007 attack, the line was clearly considered unworthy of additional monitoring, perhaps even deemed an unlikely target for re-attack by Russian intelligence and law enforcement. This same type of thinking was applied in 1993 after the initial bombing of the World Trade Center in New York City. The buildings were not considered a likely target of attack again, at least via the same means. Terrorists rely on the unconventional becoming the conventional; it aids their ability to maintain surprise and to accomplish their mission of using fear and terror to reap either a physical or a psychological reward. Therefore, what can we learn from this recent tragedy in Russia? What can we do to avoid similar threats here in the United States and around the world with respect to trains and transit systems? We discussed mechanisms for mitigating the risks associated with these critical infrastructure assets in the paper we released on November 21. However, my challenge to you (and to myself), in the wake of this tragedy, is that we ask ourselves what we can do to ensure that events such as this are not ignored. We need to ensure that they are brought to the attention of policy and legislation makers, that they are defused before they occur via collaboration with local, state and federal law enforcement, or that the opportunities for exploitation leading to such an attack are lessened greatly by virtue of greater vigilance.