Multi-vendor Penetration Testing in the Advanced Metering Infrastructure: Future Challenges
|
|
- Evelyn Shaw
- 8 years ago
- Views:
Transcription
1 Multi-vendor Penetration Testing in the Advanced ing Infrastructure: Future Challenges DIMACS Workshop on Algorithmic Decision Theory for the Smart Grid Stephen McLaughlin - Penn State University 1
2 Data Management (for the last 100 years) 2
3 Data Management (now and in the near future) One Day :00 04:00 08:00 12:00 16:00 20:00 00: One Hour Kw :00:00 18:10:00 18:20:00 18:30:00 18:40:00 18:50:00 19:00:00 3
4 Data Management (now and in the near future) Peak TransientOne Day Hourly Average Peak Usage Peak Usage Outages Time of Use 0 6 Repetitive Features 00:00 04:00 08:00 12:00 16:00 20:00 00: Kw Power Quality over time 2 18:00:00 18:10:00 18:20:00 18:30:00 18:40:00 18:50:00 19:00:00 One Hour Types of appliances Tampering 4
5 AMI - the justification Automated Reading Pre-smart meter automated reading and outage notification Now expanding to Internet-connected SCADA systems Dynamic pricing schemes Time Of Use (peak load management) Maximum demand Demand response Flexible energy generation Enable consumer generation Alternate energy sources 5
6 AMI - the concerns What should we be concerned about? Accuracy/Fraud Consumer privacy National security 6
7 Penetration Testing AMI The organization assesses the security requirements in the Smart Grid information system on an organization-defined frequency to determine the extent the requirements are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the Smart Grid information system. -p 117 7
8 Vulnerability Assessment Penetration testing: the art and science of breaking systems by applying attacker tools against live systems. Destructive research attempts to illuminate the exploitable flaws and effectiveness of security infrastructure. Bottom line Q/A Q: why are we doing this? A: part of Lockheed-Martin grant to aid energy industry in identifying problems before they are found in the wild. Q: what are we doing? A: evaluating a number of vendor products in the lab that are used in neighborhood-level deployments, i.e., we only look at the meters and collectors. 8
9 AMI Architectures Collectors Repeaters Cellular Internet PSTN LAN 1: Power Line Communication Utility Server Backhaul Network... Collector Repeater LAN 2: RF Mesh 9
10 Attack Trees A means for pen-testing planning Tamper Measurement Tamper Usage Data Tamper Stored Demand (a) (b) (c) Bypass Reverse Reset Net Usage Physically Tamper Storage A2.3 Tamper in Network Intercept Communications A3.1 Inject Usage Data A1.1 Clear Logged Events Inversion A1.2 Log In and Reset Net Usage A2.2 Man in the Middle A3.2 Spoof A3.3 Log In and Clear Event History A1.3 Recover Passwords A2.1 10
11 Archetypal Trees Idea: can we separate the issues that are vendor independent from those that are specific to the vendor/ device, e.g., access media? Adversarial Goal A B Attack Grafting... then reuse an archetypal tree as a base for each vendor specific concrete tree. A S1 A S2 B Archetypal Tree Concrete Trees Archetypal Tree Concrete Trees 11
12 Pen Testing via Archetypal Trees 1. capture architectural description 2. construct archetypal trees (for each attacker goal) 3. capture vendor-specific description (for SUT) 4. construct concrete tree 5. perform penetration testing and graft leaves toward goals This paper: 3 Attack trees: fraud, DOS, disconnect, 2 "systems under test" (SUT) 12
13 Construction of Archetypal Trees Forge Demand 13
14 Construction of Archetypal Trees Forge Demand Interrupt Measurement 14
15 Construction of Archetypal Trees Forge Demand Interrupt Measurement Inversion Erase Logged Events 15
16 Construction of Archetypal Trees Forge Demand Interrupt Measurement Inversion Erase Logged Events Extract Passwords Tamper in Flight 16
17 Construction of Archetypal Trees Forge Demand Interrupt Measurement Inversion A1.1 A1.2 Erase Logged Events Extract Passwords Tamper in Flight 17
18 Construction of Archetypal Trees Forge Demand Interrupt Measurement Inversion A1.1 A1.2 Erase Logged Events Two rules for termination: 1. Attack is on a vendor-specific component 2. Target may be guarded by a protection mechanism Extract Passwords Tamper in Flight A2.1 A2.2 18
19 System Under Test PSTN connected collector ANSI C12.21 intrusion detection PBX Rcvr " " " " " Radio 120V AC Modem " " " " Collector Repeater Load Infrared Load Repeater Attacker Machine Utility Machine 900 MHz wireless mesh collector/meter network Infrared near-field security for configuration port 19
20 Fraud Concrete Tamper Usage Data Tamper Tamper (a) Measurement (b) Stored (c) Demand Bypass Reverse Reset Net Usage Physically Tamper Storage A2.3 Tamper in Network Intercept Communications A3.1 Inject Usage Data A1.1 Clear Logged Events Inversion A1.2 Log In and Reset Net Usage A2.2 Man in the Middle A3.2 Spoof A3.3 Log In and Clear Event History A1.3 Recover Passwords A2.1 () Splice Into I/O Bus a1.1 A3.1 A3.3 Intercept Communications Via Telephone Via Wireless Mesh a3.1 Initiate Session with Utility Spoof Run Diagnostic up to Usage Data Transmit Forged Usage Data a5.1 a6.1 Interpose on Collector PSTN Link Circumvent Intrusion Detection a2.1 a2.2 Identify Self as Complete Authentication Round a4.1 a4.2 20
21 Enabling Attacks (Fraud) Defeating modem intrusion detection off hook events on the line are detected by sensing presence Foreign Exchange Office (FXO) of dial-tone voltage on the line. current calls are dropped if off hook is detected such events can simply be suppress easily by preventing voltage from arriving at the FXO 21
22 Enabling Attacks (Fraud) Valid Authentication Session Identify Nonce Hash(Password,Nonce) Utility Hash(Password,Nonce') 22
23 Enabling Attacks (Fraud) Valid Authentication Session Valid Authentication Session Utility Utility Identify Identify Nonce Nonce Hash(Password,Nonce) Hash(Password,Nonce) Hash(Password,Nonce') 22
24 Enabling Attacks (Fraud) Valid Authentication Session Valid Authentication Session Utility Utility Identify Identify Nonce Nonce Hash(Password,Nonce) Hash(Password,Nonce) Hash(Password,Nonce') Replay attack: I can replay the nonce from a previous session to impersonate the meter. 22
25 Enabling Attacks (Fraud) Valid Authentication Session Valid Authentication Session Utility Utility Identify Identify Nonce Nonce Hash(Password,Nonce) Hash(Password,Nonce) Hash(Password,Nonce') Replay attack: I can replay the nonce from a previous session to impersonate the meter. Replay Attack Utility Identify Nonce Hash(Password,Nonce) Hash(Password,Nonce') Replay Nonce from valid session All subsequent messages are the same Attacker need not know password 22
26 Targeted AT Targeted Issue from Network Issue via Optical Port Directly Issue Remove Cover Tamper with Switch Manipulate Switch to Replace Tamper Seal R2.1 R2.2 R2.3 Determine Target ID or Address R1.1 Issue Remote R1.2 Recover Passwords Issue Local R1.3 R1.4 23
27 Enabling Attacks () Physical tamper evidence Limited tamper seals, which enables... Passwords are stored in EEPROM Physical access to the device can yield all of the data held in non-volatile memory, which enables... Authentication secrets derived from passwords Bypass the authentication system, which enables... Issue disconnect command. Note: if you can break the dependency chain, you can prevent the attack, i.e., simple measures can often prevent complex attacks. 24
28 Concrete Targeted Issue from Network Issue via Optical Port Directly Issue Remove Cover Tamper with Switch Manipulate Switch to Replace Tamper Seal R2.1 R2.2 R2.3 Determine Target ID or Address R1.1 Issue Remote R1.2 Recover Passwords Issue Local R1.3 R1.4 () Trojan Optical Port r1.1 R1.3 / A2.1 Recover Passwords Physically Extract from r1.2 Mutually Authenticate with r2.1 R1.2 Issue Remote Issue Command r2.2 25
29 Attacks Summary 26
30 Challenges: Logistical Uncooperative meter vendors Establishing standards for pen-testing, e.g. collections of attack trees Pen testing products, not deployments 27
31 Challenges: Methodological Enumerating adversarial goals (security is largely reactive) Being comprehensive in attack tree construction Automation of the process using existing modeling techniques such as threat modeling 28
32 Summary Horizontal penetration is now essential Transitions of major infrastructure and critical systems mandates external review of by-sector vulnerabilities. Archetypal trees are a way to get there Focus energies on adversarial efforts leading to goals Approaches goals of certifications like Common Criteria Smart grid: Deployments outstripping our ability to understand and manage vulnerabilities Society must get ahead of problems before they lead to potentially devastating events Needs more back-pressure to improve deployed solutions. 29
33 Questions? Patrick McDaniel Stephen McLaughlin Project : Papers Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Multi-vendor Penetration Testing in the Advanced ing Infrastructure. Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC), December Austin, TX. Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel. Embedded Firmware Diversity for Smart Electric s. Proceedings of the 5th Workshop on Hot Topics in Security (HotSec '10), August Washington, DC. Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel. Energy Theft in the Advanced ing Infrastructure. In the 4th International Workshop on Critical Information Infrastructure Security, September Bonn, Germany. 30
Why we Need Standards for Breaking the Smart Grid
Why we Need Standards for Breaking the Smart Grid Stephen McLaughlin 2012 Western Energy Policy Research Conference 1 NISTIR 7628 The organization assesses the security requirements in the Smart Grid information
More informationMulti-vendor Penetration Testing in the Advanced Metering Infrastructure
Multi-vendor Penetration Testing in the Advanced ing Infrastructure Stephen McLaughlin, Dmitry Podkuiko, Sergei Miadzvezhanka, Adam Delozier, and Patrick McDaniel Department of Computer Science and Engineering
More informationEnergy Theft in the Advanced Metering Infrastructure
Energy Theft in the Advanced Metering Infrastructure Stephen McLaughlin, Dmitry Podkuiko, and Patrick McDaniel Systems and Internet Infrastructure Security Laboratory (SIIS) Pennsylvania State University,
More informationAMI security considerations
AMI security considerations Jeff McCullough Introduction Many electric utilities are deploying or planning to deploy smart grid technologies. For smart grid deployments, advanced metering infrastructure
More informationAMI Threats, Intrusion Detection Requirements and Deployment Recommendations
AMI Threats, Intrusion Detection Requirements and Deployment Recommendations David Grochocki, Jun Ho Huh, Robin Berthier, Rakesh Bobba, and William H. Sanders Information Trust Institute, Coordinated Science
More informationWELCOME. Landis+Gyr Technical Training Catalog
WELCOME Training is essential to ensure the customer s success in implementing the Smart Grid Solution. Our goal at Landis+Gyr is to provide a foundation of knowledge that will allow personnel to quickly
More informationWhat is Really Needed to Secure the Internet of Things?
What is Really Needed to Secure the Internet of Things? By Alan Grau, Icon Labs alan.grau@iconlabs.com The Internet of Things (IoT) has become a ubiquitous term to describe the tens of billions of devices
More informationMobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus
Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques
More informationSECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014
SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz 08.05.2014, ICSG 2014 Table of Contents Introduction AMI Communication Architecture Security Threats Security
More informationEmbedded Firmware Diversity for Smart Electric Meters
Embedded Firmware Diversity for Smart Electric Meters Stephen McLaughlin, Dmitry Podkuiko, Adam Delozier, Sergei Miadzvezhanka, and Patrick McDaniel 1 Smart Meters Electromechanical Smart Meter 2 3 Concerns
More informationMobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus
Mobile Application Hacking for ios 3-Day Hands-On Course Syllabus Course description ios Mobile Application Hacking 3-Day Hands-On Course This course will focus on the techniques and tools for testing
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationSecurity Implications Associated with Mass Notification Systems
Security Implications Associated with Mass Notification Systems Overview Cyber infrastructure: Includes electronic information and communications systems and services and the information contained in these
More informationTechAdvantage. Steps to Reducing Power Theft Overview: State of the Industry. Rick Schmidt Power System Engineering, Inc. www.powersystem.
TechAdvantage Steps to Reducing Power Theft Overview: State of the Industry Rick Schmidt Power System Engineering, Inc. www.powersystem.org February 21, 2013 Rick A. Schmidt Vice President Utility Automation
More informationGoals. Understanding security testing
Getting The Most Value From Your Next Network Penetration Test Jerald Dawkins, Ph.D. True Digital Security p. o. b o x 3 5 6 2 3 t u l s a, O K 7 4 1 5 3 p. 8 6 6. 4 3 0. 2 5 9 5 f. 8 7 7. 7 2 0. 4 0 3
More informationJim Sheppard, Director of Business Processes CenterPoint Energy, Texas, USA
Jim Sheppard, Director of Business Processes CenterPoint Energy, Texas, USA About Us... Public company traded on the New York Stock Exchange (CNP) Headquartered in Houston, TX Operating 3 business segments
More informationSecurity Issues with Integrated Smart Buildings
Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern
More informationDefense in Cyber Space Beating Cyber Threats that Target Mesh Networks
Beating Cyber Threats that Target Mesh Networks Trent Nelson, Cyber Security Assessment Lead, Idaho National Laboratory Jeff Becker, Global Wireless Business Director, Honeywell Process Solutions Table
More informationCyber Security Risk Mitigation Checklist
Cyber Security Risk Mitigation Checklist Contents Building a Risk Management AMI Program MDM Cyber Security Policy Communication Systems Personnel and Training Scada Operational Risks In Home Displays
More informationProfessional Penetration Testing Techniques and Vulnerability Assessment ...
Course Introduction Today Hackers are everywhere, if your corporate system connects to internet that means your system might be facing with hacker. This five days course Professional Vulnerability Assessment
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More informationPlain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75
Plain English Guide To Common Criteria Requirements In The Field Device Protection Profile Version 0.75 Prepared For: Process Control Security Requirements Forum (PCSRF) Prepared By: Digital Bond, Inc.
More informationEnergyAxis System: Security for the Smart Grid
Security for the Smart Grid 2010 by Elster All rights reserved. No part of this document may be reproduced, transmitted, processed or recorded by any means or form, electronic, mechanical, photographic
More informationConvergence of Advanced Information and Control Technology in Advanced Metering Infrastructure (AMI) Solution
Convergence of Advanced Information and Control Technology in Advanced Metering Infrastructure (AMI) Solution 138 Convergence of Advanced Information and Control Technology in Advanced Metering Infrastructure
More informationLessons Learned from AMI Pioneers Follow the Path to Success
welcome Lessons Learned from AMI Pioneers Follow the Path to Success Joe Cummins, PCIP UTC TELECOM May 2010 394 Simcoe Street South Oshawa, ON L1H 4J4 (905) 404-2009 2 outline security risks in smart grid
More informationSecurity Threats in Demo Steinkjer
Security Threats in Demo Steinkjer Report from the Telenor-SINTEF collaboration project on Smart Grids Author(s) Inger Anne Tøndel, SINTEF Martin Gilje Jaatun, SINTEF Maria Bartnes Line, SINTEF/NTNU SINTEF
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationFORBIDDEN - Ethical Hacking Workshop Duration
Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once
More informationOPTIGUARD: A SMART METER ASSESSMENT TOOLKIT
OPTIGUARD: A SMART METER ASSESSMENT TOOLKIT Presented by: INGUARDIANS, INC. Don C. Weber, Senior Security Analyst don@inguardians.com White Paper TABLE OF CONTENTS 1.0 Role of Smart Meters 3 2.0 Risk Presented
More informationNetwork Security 101 Multiple Tactics for Multi-layered Security
Security and Resilience for Utility Network Communications White Paper Communications networks represent a partial paradox. The very openness and ubiquity that make them powerful can also present a weakness.
More informationInformation System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls
Information System Audit Arkansas Administrative Statewide Information System (AASIS) General Controls ARKANSAS DIVISION OF LEGISLATIVE AUDIT April 12, 2002 April 12, 2002 Members of the Legislative Joint
More informationDetailed Description about course module wise:
Detailed Description about course module wise: Module 1: Basics of Networking and Major Protocols 1.1 Networks and its Types. 1.2 Network Topologies 1.3 Major Protocols and their Functions 1.4 OSI Reference
More informationPrivacy and Security in library RFID Issues, Practices and Architecture
Privacy and Security in library RFID Issues, Practices and Architecture David Molnar and David Wagner University of California, Berkeley CCS '04 October 2004 Overview Motivation RFID Background Library
More informationFundamentals of Network Security - Theory and Practice-
Fundamentals of Network Security - Theory and Practice- Program: Day 1... 1 1. General Security Concepts... 1 2. Identifying Potential Risks... 1 Day 2... 2 3. Infrastructure and Connectivity... 2 4. Monitoring
More informationDeterrent and detection of smart grid meter tampering and theft of electricity, water, or gas
Deterrent and detection of smart grid meter tampering and theft of electricity, water, or gas Jeff McCullough Introduction This white paper was inspired by real concerns regarding smart grid electric meters
More informationNetwork Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion
Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann
More informationADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3
ADDENDUM 12 TO APPENDIX 8 TO SCHEDULE 3.3 TO THE Overview EXHIBIT T to Amendment No. 60 Secure Wireless Network Services are based on the IEEE 802.11 set of standards and meet the Commonwealth of Virginia
More informationUpdate On Smart Grid Cyber Security
Update On Smart Grid Cyber Security Kshamit Dixit Manager IT Security, Toronto Hydro, Ontario, Canada 1 Agenda Cyber Security Overview Security Framework Securing Smart Grid 2 Smart Grid Attack Threats
More information1. Cyber Security. White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network
WP 1004HE Part 5 1. Cyber Security White Paper Data Communication in Substation Automation System (SAS) Cyber security in substation communication network Table of Contents 1. Cyber Security... 1 1.1 What
More informationSECURITY RISK ANALYSIS AND EVALUATION OF INTEGRATING CUSTOMER ENERGY MANAGEMENT SYSTEMS INTO SMART DISTRIBUTION GRIDS
SECURITY RISK ANALYSIS AND EVALUATION OF INTEGRATING CUSTOMER ENERGY MANAGEMENT SYSTEMS INTO SMART DISTRIBUTION GRIDS Christian HÄGERLING Fabian M. KURTZ Christian WIETFELD TU Dortmund University Germany
More informationPotential Targets - Field Devices
Potential Targets - Field Devices Motorola Field Devices: Remote Terminal Units ACE 3600 Front End Devices ACE IP Gateway ACE Field Interface Unit (ACE FIU) 2 Credential Cracking Repeated attempts to
More information642 552 Securing Cisco Network Devices (SND)
642 552 Securing Cisco Network Devices (SND) Course Number: 642 552 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional, Cisco Firewall Specialist,
More informationDATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0
DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS
More informationADM:49 DPS POLICY MANUAL Page 1 of 5
DEPARTMENT OF PUBLIC SAFETY POLICIES & PROCEDURES SUBJECT: IT OPERATIONS MANAGEMENT POLICY NUMBER EFFECTIVE DATE: 09/09/2008 ADM: 49 REVISION NO: ORIGINAL ORIGINAL ISSUED ON: 09/09/2008 1.0 PURPOSE The
More informationDale Pennington, Managing Director, Utiliworks Consulting LLC, New York, USA
Dale Pennington, Managing Director, Utiliworks Consulting LLC, New York, USA Meter Data from Cradle to Grave, do you know where your Data is? Getting Started Create your project team such that all critical
More informationImproving SCADA Control Systems Security with Software Vulnerability Analysis
Improving SCADA Control Systems Security with Software Vulnerability Analysis GIOVANNI CAGALABAN, TAIHOON KIM, SEOKSOO KIM Department of Multimedia Hannam University Ojeong-dong, Daedeok-gu, Daejeon 306-791
More informationDefense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks
Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff
More informationDirected Circuits Meet Today s Security Challenges in Enterprise Remote Monitoring. A White Paper from the Experts in Business-Critical Continuity TM
Directed Circuits Meet Today s Security Challenges in Enterprise Remote Monitoring A White Paper from the Experts in Business-Critical Continuity TM Executive Summary With continued efforts to reduce overhead,
More informationCOMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING
COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING INFORMATION TECHNOLOGY STANDARD Name Of Standard: Mobile Device Standard Domain: Security Date Issued: 09/07/2012 Date Revised:
More informationNSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense
NSA/DHS Centers of Academic Excellence for Information Assurance/Cyber Defense Cyber Investigations Data Management Systems Security Data Security Analysis Digital Forensics Health Care Security Industrial
More informationExecutive Summary. AUGUST 2002 Secure Use of VLANs: An @stake Security Assessment
R e s e a r c h R e p o r t @stake consultants David Pollino and Mike Schiffman, CISSP, conducted the testing and analysis. Mr. Pollino is the Director of the Wireless Center of Excellence at @stake. He
More informationLoophole+ with Ethical Hacking and Penetration Testing
Loophole+ with Ethical Hacking and Penetration Testing Duration Lecture and Demonstration: 15 Hours Security Challenge: 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once said,
More informationEnterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003
Enterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003 Executive Summary The threat to network security from improperly secured WLANs is a real and present danger for today s enterprises.
More informationPenetration Testing. Presented by
Penetration Testing Presented by Roadmap Introduction to Pen Testing Types of Pen Testing Approach and Methodology Side Effects Demonstration Questions Introduction and Fundamentals Penetration Testing
More informationMoving Towards the Smart Grid. Southern California Edison s Advanced Metering Infrastructure (AMI) Program
Moving Towards the Smart Grid Southern California Edison s Advanced Metering Infrastructure (AMI) Program 1 Copyright 2006, Southern California Edison www.sce.com/ami Select SCE Projects using Smart Grid
More informationCOUNSEL S CHAMBERS LIMITED
COUNSEL S CHAMBERS LIMITED CCL s Acceptable Use Policy Policy for the use of CCL Network A. APPLICATION 1. This policy sets out terms and conditions on which Users may access and use CCL s Network. Please
More informationWhite Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act
A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,
More informationInternet of Things (IoT): Security Awareness. Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com
Internet of Things (IoT): Security Awareness Sandra Liepkalns, CRISC sandra.liepkalns@netrus.com So What is the Internet of Things Network of physical objects embedded with: Electronics, software, sensors
More informationU.S. SECURITIES & EXCHANGE COMMISSION
PBX and Analog Lines Security Assessment U.S. SECURITIES & EXCHANGE COMMISSION March 31, 2000 Prepared by Deloitte & Touche LLP Enterprise Risk Services - 1 - 1 Executive Summary 1.1 Overview Deloitte
More informationAccess Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL
AU7087_C013.fm Page 173 Friday, April 28, 2006 9:45 AM 13 Access Control The Access Control clause is the second largest clause, containing 25 controls and 7 control objectives. This clause contains critical
More informationThe NES Smart Metering System. The World s Most Advanced Metering System Solution for the Smart Grid
The NES Smart Metering System The World s Most Advanced Metering System Solution for the Smart Grid Making the Grid Smarter At Echelon, we believe the smart grid is an energy network. It includes not only
More informationCOURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM
COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM Course Description This is the Information Security Training program. The Training provides you Penetration Testing in the various field of cyber world.
More informationThe Trivial Cisco IP Phones Compromise
Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002
More informationPCI Solution for Retail: Addressing Compliance and Security Best Practices
PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationAchieving PCI Compliance Using F5 Products
Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity
More informationSecurity Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those
More informationRFID Security. April 10, 2006. Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark
April 10, 2006 Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark 1 Outline What is RFID RFID usage Security threats Threat examples Protection Schemes for
More informationSPARKS Cybersecurity Technology and the NESCOR Failure Scenarios
SPARKS Cybersecurity Technology and the NESCOR Failure Scenarios Lucie Langer and Paul Smith firstname.lastname@ait.ac.at AIT Austrian Institute of Technology ComForEn Workshop Monday 29 th September,
More informationUnderstanding Security Testing
Understanding Security Testing Choosing between vulnerability assessments and penetration testing need not be confusing or onerous. Arian Eigen Heald, M.A., Ms.IA., CNE, CISA, CISSP I. Introduction Many
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationData Security Concerns for the Electric Grid
Data Security Concerns for the Electric Grid Data Security Concerns for the Electric Grid The U.S. power grid infrastructure is a vital component of modern society and commerce, and represents a critical
More informationStephen E. McLaughlin
Education Stephen E. McLaughlin Computer Science and Engineering Pennsylvania State University Office : 344 IST Building University Park, PA 16802 (814) 867-1773 email: smclaugh@cse.psu.edu The Pennsylvania
More informationCEH Version8 Course Outline
CEH Version8 Course Outline Module 01: Introduction to Ethical Hacking Information Security Overview Information Security Threats and Attack Vectors Hacking Concepts Hacking Phases Types of Attacks Information
More informationAMI Use Case: B3 - Utility detects tampering or theft at customer site 03/16/06
AMI Use Case: 03/16/06 Author: James McGrath Author: James Mcgrath Page 1 of 23 Document History Revision History Revision Number Revision Date Revision / Reviewed By Summary of Changes Changes marked
More informationClosing Wireless Loopholes for PCI Compliance and Security
Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop
More informationPenetration Testing: Lessons from the Field
Penetration Testing: Lessons from the Field CORE SECURITY TECHNOLOGIES SCS SERVICES May 2009 1 Agenda: About me: Alberto Soliño Director of Security Consulting Services at Core Security One of first five
More informationTechnical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium 2012-01-18, Miami Beach FL / USA
Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium 2012-01-18, Miami Beach FL / USA Dr. Stephan Beirer s.beirer@gai-netconsult.de Sichere ebusiness
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationSmart Metering and RF Mesh Networks for Communities
Smart Metering and RF Mesh Networks for Communities AMI RF Mesh Networks Wireless neighborhood networks (typical) Attractive bandwidth/cost trade off Signal penetration Path diversity (reliability) Self
More informationChapter 4 Managing Your Network
Chapter 4 Managing Your Network This chapter describes how to perform network management tasks with your ADSL2+ Modem Wireless Router. Backing Up, Restoring, or Erasing Your Settings The configuration
More informationHow Cisco Tracks RFID with Active RFID and Wireless LANs
How Tracks RFID with Active RFID and Wireless LANs Active RFID tags and WLANs ensure compliance with corporate finance and government regulations. IT Case Study / Wireless / RFID Solutions: Maintaining
More informationSCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005
SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More informationRight-Sizing M2M Security: The Best Security is Security Tailored to Your Application
Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application Introduction Security continues to be a hot topic in all areas of technology, including machine-tomachine (M2M) applications.
More informationWho is Watching You? Video Conferencing Security
Who is Watching You? Video Conferencing Security Navid Jam Member of Technical Staff March 1, 2007 SAND# 2007-1115C Computer and Network Security Security Systems and Technology Video Conference and Collaborative
More informationCertified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison
CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation
More informationICANWK406A Install, configure and test network security
ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with
More informationAvaya TM G700 Media Gateway Security. White Paper
Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional
More informationAvaya G700 Media Gateway Security - Issue 1.0
Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationEmerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP
Emerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP July 25, 2014 Topics Improved 4G Communications Mobile Devices Cyber Security Threats Cyber Security Guidance
More informationPension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing 2001 - An Update
Pension Benefit Guaranty Corporation Office of Inspector General Evaluation Report Penetration Testing 2001 - An Update August 28, 2001 2001-18/23148-2 Penetration Testing 2001 An Update Evaluation Report
More informationCRYPTUS DIPLOMA IN IT SECURITY
CRYPTUS DIPLOMA IN IT SECURITY 6 MONTHS OF TRAINING ON ETHICAL HACKING & INFORMATION SECURITY COURSE NAME: CRYPTUS 6 MONTHS DIPLOMA IN IT SECURITY Course Description This is the Ethical hacking & Information
More informationInformation Security Assessment and Testing Services RFQ # 28873 Questions and Answers September 8, 2014
QUESTIONS ANSWERS Q1 How many locations and can all locations be tested from a A1 5 locations and not all tests can be performed from a central location? central location. Q2 Connection type between location
More information12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust
Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or
More informationLecture Embedded System Security A. R. Sadeghi, @TU Darmstadt, 2011 2012 Introduction Mobile Security
Smartphones and their applications have become an integral part of information society Security and privacy protection technology is an enabler for innovative business models Recent research on mobile
More informationCyber Security Implications of SIS Integration with Control Networks
Cyber Security Implications of SIS Integration with Control Networks The LOGIIC SIS Project Standards Certification Education & Training Publishing Conferences & Exhibits Presenter Zach Tudor is a Program
More informationSmart Grid Security: A Look to the Future
Smart Grid Security: A Look to the Future SESSION ID: TECH-W03A Gib Sorebo Chief Cybersecurity Technologist Leidos @gibsorebo Overview Distributed Energy Plug-in Vehicles Evolving Threats: Market Manipulation,
More information