Team Members: Jared Romano, Rachael Dinger, Chris Jones, Miles Kelly Supervising Professor: Dr. George Collins Industry Advisor: Dr.

Transcription

1 Cyber Security 2014 Team Members: Jared Romano, Rachael Dinger, Chris Jones, Miles Kelly Supervising Professor: Dr. George Collins Industry Advisor: Dr. Joel Dubow

2 Hacking Incidents Reported to the Cyber Emergency Response Team (CERT) in 2013, by Industry Sector Energy 53% Energy Critical Manufacturing Communications Water Nuclear Transportation Commercial Facilities Other ICS-CERT. "ICS-CERT Monitor", June 2013, [Online],

3 The Nature of the Energy Industry: Pinpointing the Problem The Evidence: This year alone, over 79 hacking incidents have occurred at energy companies in the U.S. The Cause: Prevalent use of SCADA (Supervisory Control & Data Acquisition) Systems Usually protected through physical isolation of the network. Repurposing leads to embedded systems being exposed to the Internet with no protection measures in place What should be the network security focus? Protecting the reliability of data without affecting productivity "Who s Really Attacking Your ICS Equipment?", TrendMicro, [Online],

4 Embedded Systems Currently Exposed to the Internet...

5

6 A Two-Fold Problem: What to do? In a study comprised of over 200 IT Security Professionals in the energy industry: 52% said their company s top network security priority was to train IT staff on new cyber security strategies 19% said hiring new specially trained cyber security staff was their company s top network security priority Almost all surveyed recognized that their current network security model was dated The wide depth of knowledge available for ethical hacking and forensic analysis can be daunting for many network security specialists Source: ThreatTrack Security White Paper Energy Companies and Financial Services Firms Remain Vulnerable to Data-Breaching Malware

7 The Cyber Security Team s Fall Mission: To introduce a beginner s level of knowledge on current security techniques used to protect networks using Kali Linux & Honeypots Our Intended Audience: Rookie network security specialists -- employed in the energy industry Future students studying cybersecurity How We Accomplished our Goal: an Instruction Manual Creating a virtual network penetration testing environment Performing reconnaissance on a network Exploiting and compromise a targeted system Collecting and analyzing evidence of an attack

8 Honeypots: Network Scarecrows Intrusion Detection System (IDS) A honeypot is a trap set to detect, deflect, or monitor unauthorized access attempts of information systems by a blackhat hacker Capture & analyze attacks Improve defenses Track attackers to their source Typically a Demilitarized Zone Two Types of Implementations for Honeypots Production Research Can implement a bait domain, open ports, and simulate services to attract hackers

9 Intrusion Detection Systems Monitors ports on a network for malicious activity Sends alerts to the network administrator Helps quickly Identify attacks to minimize losses What we have tried: Honeybot KfSensor Wireshark

10 Why are Honeypots Necessary? 21 occurrences in a 17 second time interval!

11 Kali Linux Linux distribution loaded with software for performing penetration testing and attack analysis. Metasploit - framework for performing exploits Msfconsole - console interface for running exploits and interacting with shells Nmap - tool for scanning ports of a system to find vulnerabilities Comes pre-loaded with hundreds of exploits Capable of doing forensic analysis of a compromised disk dcfldd - tool to create a bit-by-bit copy of a hard drive with a hash Autopsy - analysis tool that detects changes in the file system Source:

12 Post-Attack Analysis: Autopsy Digital forensics platform and graphical interface for Sleuth Kit Timeline Analysis - displays system events in graphical interface Keyword search - find files that match specific keywords Hashset filtering - filter out known good/bad files Many more features Create reports detailing the attack Provides case management tools organize case for multiple investigators provides logging, notes, plus much more Is able to see the most recent access time of the files that may have been compromised Source:

13 Next Steps: Improving the Cyber Security Team's Test Environment Acquiring a computer that can handle more virtual machines running in parallel. Implementation of a new intrusion detection system Low Interaction Honeypots vs High Interaction Honeypots

14 Next Steps: Cyber Security and Smart Grids Smart grids are critical to the nation s energy infrastructure Smart grids will replace outdated infrastructure Introduces new security threats, attacks venues Current deployment status: Austin, Texas - replaced analog meters with smart meters that communicate via a wireless network Boulder, Colorado - uses a smart meter as a gateway to a residence's home automation U.S. Dept. of Energy ARRA Smart Grid Project - national deployment of a smart grid complete with smart meters, advanced distribution management systems, and more "smart" features

15 U.S. Department of Energy ARRA Deployment Status Click to add text Click to add text

16 Conclusion Setting up the best penetration-testing environment is a very important step in learning more about potential threats Many cyber security related tools are currently available We've created an instructable detailing the basic exploit and forensic analysis process Most energy companies are unsure of how to best tackle the cyber security problem It is very hard to identify hackers

17 Questions?