Threat & Vulnerability Management: Where do you rank?
Ryan Wakeham, Sr. Director, Strategic Solutions
AGENDA
The Threat Landscape
Case Study
Top 5 Questions to Ask Yourself
Threat & Vulnerability Management (TVM) Program Approach
Get Started
THE THREAT LANDSCAPE
STUXNET – A CASE STUDY
Malware, discovered in 2010, that specifically targeted Programmable Logic Controllers (PLCs)
Smart cyberweapon targeting industrial infrastructure
Infected Windows hosts using four 0-day vulnerabilities
Sought out Siemens Step 7 software in order to propagate to Siemens PLCs
Payload only targeted very specific SCADA configurations
Periodically modified the attached variable frequency drives, changing motor speed
Contained a PLC rootkit that masked the changes it made by falsifying status information
STUXNET – A CASE STUDY
Probably developed by nation-state actors (highly likely Israel & USA)
In-depth knowledge of industrial processes
Burning four 0-days indicates a high desire for success
Development estimates up to 30k hours (30 people over 6 months) – reported as the largest malware effort in history
Self-destruct and other safeguards in code
Results
Appeared to target an air-gapped uranium enrichment facility in Iran
Physically damaged up to 1,000 centrifuges
Set Iran's nuclear program back several years
MORE RECENT ICS ATTACKS
2014 – Havex: ICS malware designed to harvest data, likely for future attacks; targeted companies in Europe and the USA
2015 – BlackEnergy: malware used to attack Ukrainian power distribution companies
2016 – Industroyer: ICS malware specifically designed to attack the Ukrainian electric grid
2017 – TRITON: malware framework targeting ICS / safety systems in order to disrupt, degrade, or destroy industrial processes
WHAT IS AT RISK FROM ICS ATTACKS? Power grids Conventional and nuclear power plants Healthcare Water, sewage, and other utilities HVAC Processing and refining Oil and gas Public transportation Airports and seaports
HOW THIS IMPACTS YOU
ICS/SCADA targeted attacks are representative of other malicious activity
Regardless of your industry, the threats are real
Unlike state-sponsored cyberwarfare, cybercriminals are typically opportunistic
Cybercriminals are becoming more productive
Proliferation of known vulnerabilities & exploits
Improved attacker skills
Increased effectiveness of automated toolsets
Security is still often an afterthought in system development
How can your TVM program protect your organization?
HOW PREPARED ARE YOU TO RESPOND TO THESE THREATS?
TOP 5 QUESTIONS TO ASK YOURSELF
1. Do you have methods defined for reviewing and determining the actions needed for technical vulnerabilities when they become known? And do you have capabilities to ensure these processes are working as designed?
2. Do you have infrastructure and application vulnerability risk acceptance and tracking capabilities? And do you ensure the "right" people within the organization are handling risk decisions?
3. Do you have established Threat Intelligence and Incident Response capabilities? And are they aligned with a comprehensive Threat and Vulnerability Management program?
4. Do you have an established SDLC process inclusive of security requirements, checkpoints, and testing?
5. Do you conduct Business Impact Analyses to evaluate the criticality of applications and infrastructure, with well-defined ownership of and accountability for all information assets?
MEASURE YOUR MATURITY
(Chart: number of organizations plotted against Threat & Vulnerability Management maturity level, from Low to High)
Low maturity:
× Lack of asset / configuration management processes
× No threat intel integration with vulnerability / patch management
× No defined processes for evaluating technical vulnerabilities
× Inability to effectively react to incidents
High maturity:
Clear picture of the organization's most critical assets
Well-defined (repeatable) process to respond to threats
Mature capabilities for evaluating technology risks and plans for action
Formal risk management processes in place – right stakeholders involved
COMMON CHALLENGES
Time
Disconnected security tools
Partnership amongst teams
Senior-level awareness
Resources
Tools & maturity
WHERE DO YOU GO FROM HERE?
RECOMMENDED TVM PROGRAM COMPONENTS
Asset management
Configuration management
Incident response
Threat intelligence
Software / development security
Technical testing
Vulnerability / patch management
Each component spans People, Process, and Technology
MEASURE THE RESULTS
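The questions and components above describe a program, not a mechanism. As an added example (not code from the original deck or from NetSPI), the block below shows the decision logic a minimal vulnerability-triage step in such a program would encode: asset criticality from the Business Impact Analysis, scanner severity, a threat-intelligence feed of findings known to be exploited, and risk-acceptance records that are only honoured when signed off by an allowed role and not yet expired. All assets, finding identifiers, scores, weights, SLA days and the approver list are constructed for the example and are not real CVEs or a published standard.

```python
"""Vulnerability triage for a TVM program (added example; constructed data).

Combines BIA asset criticality, CVSS, exposure and threat intelligence into a
priority tier with a remediation due date, and validates risk acceptances.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: str  # "high" | "medium" | "low", from the Business Impact Analysis
    owner: str        # accountable owner; every asset must have one


@dataclass(frozen=True)
class Finding:
    finding_id: str   # tracker identifier (constructed; not a real CVE)
    asset: str
    cvss: float       # base score 0.0-10.0 as reported by the scanner
    internet_facing: bool


@dataclass(frozen=True)
class RiskAcceptance:
    finding_id: str
    approver_role: str  # only roles in ALLOWED_APPROVERS may accept risk
    expires: date       # acceptances are time-boxed and must be renewed


# Assumed policy values for this example; tune to your own program.
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}
ALLOWED_APPROVERS = {"business_owner", "ciso"}


def risk_score(finding, asset, exploited_ids):
    """CVSS weighted by BIA criticality, plus threat-intel and exposure bumps (0-45)."""
    score = finding.cvss * CRITICALITY_WEIGHT[asset.criticality]
    if finding.finding_id in exploited_ids:  # threat intel: exploitation observed
        score += 10
    if finding.internet_facing:
        score += 5
    return score


def priority(score):
    """Map the score onto the SLA tiers defined in SLA_DAYS."""
    if score >= 30:
        return "P1"
    if score >= 20:
        return "P2"
    if score >= 10:
        return "P3"
    return "P4"


def triage(findings, assets, exploited_ids, acceptances, today):
    """Return the remediation queue, highest risk first, with acceptance status."""
    by_asset = {a.name: a for a in assets}
    by_finding = {ra.finding_id: ra for ra in acceptances}
    queue = []
    for f in findings:
        notes = []
        asset = by_asset.get(f.asset)
        if asset is None:
            # Inventory gap: an unowned asset cannot be risk-assessed, so it is
            # escalated as high criticality until someone takes ownership.
            asset = Asset(f.asset, "high", "UNASSIGNED")
            notes.append("asset not in inventory")
        score = risk_score(f, asset, exploited_ids)
        tier = priority(score)
        status = "open"
        ra = by_finding.get(f.finding_id)
        if ra is not None:
            if tier == "P1":
                notes.append("risk acceptance not permitted for P1")
            elif ra.approver_role not in ALLOWED_APPROVERS:
                notes.append(f"acceptance by {ra.approver_role} is not valid")
            elif ra.expires < today:
                notes.append("risk acceptance expired")
            else:
                status = "accepted"
        queue.append({
            "finding_id": f.finding_id, "asset": asset.name, "owner": asset.owner,
            "score": score, "priority": tier, "status": status,
            "due": today + timedelta(days=SLA_DAYS[tier]), "notes": notes,
        })
    queue.sort(key=lambda r: (-r["score"], r["finding_id"]))
    return queue


# Constructed sample data (not real systems, findings or approvals).
ASSETS = [
    Asset("payments-api", "high", "payments-team"),
    Asset("wiki", "low", "it-ops"),
    Asset("hr-portal", "medium", "hr-apps"),
]
FINDINGS = [
    Finding("F-1001", "payments-api", 9.8, True),
    Finding("F-1002", "wiki", 7.5, False),
    Finding("F-1003", "hr-portal", 6.5, True),
    Finding("F-1004", "legacy-ftp", 5.0, True),   # asset missing from inventory
]
EXPLOITED = {"F-1001", "F-1002"}                  # constructed threat-intel feed
ACCEPTANCES = [
    RiskAcceptance("F-1003", "business_owner", date(2018, 12, 31)),
    RiskAcceptance("F-1002", "developer", date(2019, 1, 1)),  # wrong approver
]
TODAY = date(2018, 4, 9)

if __name__ == "__main__":
    for row in triage(FINDINGS, ASSETS, EXPLOITED, ACCEPTANCES, TODAY):
        print(f"{row['priority']} {row['finding_id']:7} {row['asset']:13} "
              f"score={row['score']:5.1f} status={row['status']:8} "
              f"due={row['due']} {'; '.join(row['notes'])}")
```

Run as a script it prints the queue with the exploited, internet-facing payments finding at P1 and the unknown `legacy-ftp` host escalated ahead of the accepted HR finding; the `developer` acceptance on the wiki finding is rejected, which is exactly the "right people handling risk decisions" check from question 2.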
BONUS CASE STUDY: PANERA BREAD
First reported April 2, 2018 by Brian Krebs; story still developing
In August 2017, security researcher Dylan Houlihan found a vulnerability on panerabread.com
Exposed millions of customer loyalty records (name, email & physical address, DOB, last four digits of credit card)
Reported to Panera Bread's director of information security
Panera claimed to be working on a fix
Eight months later, the records were still available and could be crawled and indexed
Asked whether he saw any indication that Panera ever addressed the issue he reported in August 2017 until today, Houlihan said no. "No, the flaw never disappeared," he said. "I checked on it every month or so because I was pissed."
Further investigation showed that there may have been close to 40 million customer records exposed
https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
GET STARTED
Review your responses to our initial 5 questions
Compare your TVM program to the framework
Do you have these elements in place?
How well do you think they are working?
What are you missing?
Based on the framework
Identify immediate needs / quick wins
Assign responsibility for the overall TVM program
If your program is at a high level of maturity:
Conduct more thorough analysis using the framework
Determine how effectively components are really working
TVM CHECKLIST
Resources
Plan
Time allocated
Measurement
Budget
Executive sponsorship
Thank you!
Ryan Wakeham, Sr. Director, Strategic Solutions
612-455-6977
RYAN@NETSPI.COM
WWW.NETSPI.COM