HACKING RELOADED. Hacken IS simple! Christian H. Gresser

Transcription

1 HACKING RELOADED Hacken IS simple! Christian H. Gresser

2 Agenda About NESEC IT-Security and control Systems Hacking is easy A short example where we currently are Possible solutions IT-security in 2008 hacking trends Lessons learned NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 2

3 About NESEC Founded 2002 in Freising near Munich/Germany Specialized in IT security and penetration testing Strong Focus on process automation Working concepts and solutions to implement IT security in process automation Interesting penetration tests steel mill, airport, chemical plant, energy plant Close relationship with manufacturer ABB, Honeywell NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 3

4 Layers of Incidents Public Infrastructure Internet Corporate Infrastructure VPN Branch Office Infrastructure Workplace Infrastructure NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 4

5 IT-Security is new to automation NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 5

6 Risks in Production Plants Viruses, Trojans, malicious mobile code 42% of all attacks! Social engineering Denial of service attacks Deficient physical infrastructure Vulnerabilities in the OS and in applications Use of protected/illegal material, private use Hacking and cracking Disasters NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 6

7 IT Security will become an important requirement Control networks are no longer isolated networks Connection to corporate LANs, remote access (this is often not known or denied by management) Automation systems are no longer specialized platforms They will suffer the same threats as PCs and servers do They are new targets Security controls are often not (yet) implemented Password protection and Antivirus not widely used They are interesting targets Shutting down plants will make you famous (at least in the hacker community, we have seen that already) NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 7

8 Hacking Cycle Cleanup Footprinting Pillage Scanning Escalation Enumeration Penetration Analysis/Research NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 8

9 Hacking is easy High Low Intruder Knowledge back doors trojans packet spoofing sweepers disabling audits network mgmt. diagnostics Attack Sophistication session burglaries hijacking exploiting known vulnerabilities password cracking self-replicating code password guessing sniffers Cross site scripting stealth / advanced scanning techniques Staged denial of service attack distributed attack tools www attacks automated probes/scans GUI Attackers Tools NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 9

10 Hacking is easy High Low Intruder Knowledge back doors trojans packet spoofing sweepers disabling audits network mgmt. diagnostics Attack Sophistication session burglaries hijacking exploiting known vulnerabilities password cracking self-replicating code password guessing sniffers Cross site scripting stealth / advanced scanning techniques Staged denial of service attack distributed attack tools www attacks automated probes/scans GUI Attackers Tools NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 10

11 Some tools are fully automated NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 11

12 Example Hack This example break-in uses only publicly available free software and information Nmap port scanner to identify the target OS (see: http// Nessus vulnerability scanner to identify the missing patches (see: http// Symantec SecurityFocus Vulnerability Database (see: or: Metasploit Exploit Framework (see: Everyone can use these tools! NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 12

13 Free Vulnerability Databases NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 13

14 133t hacker sites NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 14

15 Free Download of all Tools NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 15

16 What s in the future Microsoft currently does a good job securing their systems There already is a trend to attack different parts in the operating system backup software and anti-virus because agents are installed on all systems completely new environments production plants It is only a matter of time before automation systems will be attacked A good indicator are the SANS Top 20 Internet Security Vulnerabilities see: NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 16

17 What s in the future 2006 will be the year of application break-ins widespread automated exploits for media players but also backup software, anti-virus and personal firewalls new and automated attacks against web applications 2007 will be the year of network components exploits for router, switches and all the networking gear Critical infrastructure like DNS will be targeted again 2008 will be the year of embedded and automation systems many issues are fixed, new targets are required these systems are finally connected to the networks NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 17

18 More attacks! Infection Attempts 900M 800M 700M 600M 500M 400M 300M 200M 100M 0 Polymorphic Viruses (Tequila) Mass Mailer Viruses (Love Letter/Melissa) Zombies Denial of Service (Yahoo!, ebay) Blended Threats (Code Red, Nimda, Slammer) Malicious Code Infection Attempts Network Intrusion Attempts , , ,000 75,000 50,000 25,000 0 Network Intrusion Attempts 2004 CERT NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 18

19 More viruses! NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 19

20 New attack vectors! NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 20

21 Control System security is different Risk Impact Risk Management Reliability Performance Security Information Technology Loss of data Recover by reboot Safety is a non-issue Occasional Failures tolerated Beta test in field acceptable High throughput demanded High delay and jitter accepted Most sites insecure Little separation among intranets on same site Focus is central server security Control Networks Loss of production, equipment, life Fault tolerance essential Explicit hazard analysis expected Outages intolerable Thorough quality assurance testing expected Modest throughput acceptable High delay a serious concern Tight physical security Information systems network isolated from plant network Focus is edge control device stability NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 21

22 IT-Security is difficult Aspect of IT Anti-virus Lifetime Outsourcing Patching Change Time criticality Availability Security skills and awareness Security testing Physical security Corporate IT widely used 3-5 years widely used frequent (often daily) frequent delays OK outages OK (overnight) fairly good widely used usually secure and manned Process Control IT often difficult / impossible to deploy 5-20 years rarely used for operations slow (required vendor approval) rare critical, often safety dependent 24 / 7 / 365 poor must be used with care often remote and unmanned NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 22

23 Timeframe from official patch to released exploits is shrinking Today a patch is decoded in less than 7 days (reverse engineering) Customers have less time to test and verify patches in their environment Exploits get more sophisticated 331 Nimda Days between patch release and exploit Welchia/ SQL Slammer 25 Blaster Nachi No simple solution available. Security, incl. patch management and anti virus, has to become a standard procedures as well NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 23

24 Some vendors still don t understand Response Time for MS Security Update Test vendor A vendor B vendor C vendor D vendor E vendor F vendor G Presented by Ian Henderson, BP at Industrial Cyber Security Conference 15 March 2005, London NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 24

25 Awareness is Rising Finally ISS gave a presentation on SCADA Security at the Black Hat Federal Conference in January 2006 They found lot s of problems in widely used software OPC has many buffer overflows OPC over DCOM is often very insecure and while analyzing SCADA systems SCADA systems usually have no authentication SCADA systems are usually not patched SCADA systems are much more often connected to the Internet as anyone believes You can go to the store and buy a book on pen-testing that will give you all the knowledge you need to cause a widespread power blackout! NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 25

26 Shift in awareness necessary Control systems have become very similar to office environments They need to be treated similar Control systems are interconnected to corporate networks or even the internet They need the same (or even better) protection Shift in security awareness: IT security should be part of the initial design process not an add-on later IT security should be part of the standard maintenance procedures not only after an incident Every employee is responsible for IT security NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 26

27 Multilayered approach necessary Protecting the infrastructure Block access to sensitive parts of the infrastructure (e.g. rooms, buildings), often referred to as physical security Protecting IT-systems Use anti-virus software and install patches to protect systems from viruses, worms and exploits Protecting networks Use firewalls and filters for network segmentation Protecting applications and data Use encryption and VPNs to protect data from unauthorized access User education Train your employees to use and adopt IT security NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 27

28 Lessons learned I IT security is becoming very important Control networks are no longer isolated networks Automation systems are no longer specialized platforms They are new targets They are interesting targets Hacking Tools are easy to use Everybody can attack and break into systems The tools are readily available If you are not protected, you will be hacked NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 28

29 Lessons learned II As a customer of process automation systems, ask your vendor these questions: Does my vendor have a coherent policy how vendor patches are tested and verified in combination with your process automation software? Where is this documented? Does my vendor test and verify anti-virus software together with your process automation software? Can my vendor provide guidance to implement security including firewalls, remote access and VPN? What will be the additional costs, if you have to cover the shortcomings of your vendor? Is your vendor prepared for the future? NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 29

30 Lessons learned III As a vendor of process automation systems, ask yourself these questions: Can you provide your customers a coherent IT security concept, covering all aspects including Security policy Secure connection to corporate network / internet Secure remote access Patch management and anti virus What is your reaction time to customers regarding patch approval and security inquiries? Are you prepared for the future? NESEC Gesellschaft für angewandte Netzwerksicherheit mbh Seite 30

31 Thank you very much for your attendance Your questions please Christian H. Gresser NESEC GmbH Lichtenbergstrasse 8 D Garching Tel.: Fax: cgresser@nesec.de Web: