13 Ways Through A Firewall What you don t know will hurt you

Similar documents
13 Ways Through A Firewall

How To Protect Your Network From Attack From A Hacker (For A Fee)

An Analysis of the Capabilities Of Cybersecurity Defense

Safe Network Integration

Strong Security in NERC CIP Version 5: Unidirectional Security Gateways

New Technologies for Substation Cyber Hardening

Stronger than Firewalls And Cheaper Too

Cyber Security Summit Milano, IT

Industrial Security for Process Automation

Stronger Than Firewalls: Unidirectional Security Gateways

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Chapter 9 Firewalls and Intrusion Prevention Systems

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Remote Access Considered Dangerous. Andrew Ginter, VP Industrial Security Waterfall Security Solutions

Detailed Description about course module wise:

Lesson 5: Network perimeter security

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Course Content: Session 1. Ethics & Hacking

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

BUILDING A SECURITY OPERATION CENTER (SOC) ACI-BIT Vancouver, BC. Los Angeles World Airports

Next Gen Firewall and UTM Buyers Guide

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

BlackRidge Technology Transport Access Control: Overview

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

What would you like to protect?

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Unified Threat Management, Managed Security, and the Cloud Services Model

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

CYBERTRON NETWORK SOLUTIONS

Section 12 MUST BE COMPLETED BY: 4/22

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Top tips for improved network security

A Systems Engineering Approach to Developing Cyber Security Professionals

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Critical Controls for Cyber Security.

Unified Threat Management

Security Awareness. Wireless Network Security

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

Innovative Defense Strategies for Securing SCADA & Control Systems

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Networking for Caribbean Development

Chapter 1 The Principles of Auditing 1

CRYPTUS DIPLOMA IN IT SECURITY

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

By David G. Holmberg, Ph.D., Member ASHRAE

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Network/Cyber Security

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Network Access Security. Lesson 10

Firewalls. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Firewalls. Characteristics.

Firewalls. Contents. ITS335: IT Security. Firewall Characteristics. Types of Firewalls. Firewall Locations. Summary

Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 22 Firewalls.

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Windows Remote Access

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

Scott Lucas: I m Scott Lucas. I m the Director of Product Marketing for the Branch Solutions Business Unit.

Security Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

Game changing Technology für Ihre Kunden. Thomas Bürgis System Engineering Manager CEE

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Cybersecurity considerations for electrical distribution systems

Network Security Guidelines. e-governance

The Protection Mission a constant endeavor

CYBER SECURITY Is your Industrial Control System prepared? Presenter: Warwick Black Security Architect SCADA & MES Schneider-Electric

SCADA SYSTEMS AND SECURITY WHITEPAPER

Firewall and UTM Solutions Guide

2012 Data Breach Investigations Report

An International Perspective on Security and Compliance

Simple security is better security Or: How complexity became the biggest security threat

CompTIA Security+ (Exam SY0-410)

Host/Platform Security. Module 11

UNIDIRECTIONAL SECURITY GATEWAYS. Utilizing Unidirectional Security Gateways to Achieve Cyber Security for Industrial Environments

Developing Network Security Strategies

Cyber Security for NERC CIP Version 5 Compliance

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Deploying Firewalls Throughout Your Organization

CUTTING THROUGH THE HYPE: WHAT IS TRUE NEXT GENERATION SECURITY?

Industrial Firewalls Endpoint Security

Transcription:

Scientech 2013 Symposium: Managing Fleet Assets and Performance 13 Ways Through A Firewall What you don t know will hurt you Andrew Ginter VP Industrial Security Waterfall Security Solutions andrew. ginter @ waterfall - security. com Mike Firstenberg Director of Industrial Security Waterfall Security Solutions michaelf @ waterfall - security. com Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 2013

Firewalls Firewalls separate networks and subnetworks with different security / connectivity needs Often first investment any site makes when starting down the road to an ICS cyber security program Unified Threat Managers firewalls with stateful inspection, VPNs, in-line anti-virus scanning, intrusion detection, intrusion prevention, anti-spam, web filtering, and much more but are they secure? DMZ in-between network(s) ICS best practice: layers of firewalls, layers of host and network-based defenses Photo: Red Tiger Security Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 2

Setup for Demo Scenarios Industrial firewall / UTM Business network my laptop + hacked host Control network ICS server to attack / take over + one other ICS host Consider only one-hop compromise into DMZ, or into ICS from DMZ Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 3

Compensating Measures Abbrev Graphic Compensating Measure 2-Factor authentication Encryption Better firewall rules Host intrusion detection / prevention system / SIEM Network intrusion detection / prevention system / SIEM Security updates / patch program Unidirectional security gateway Impact Would have prevented / detected the attack Would prevent / detect some variants of the attack Would not have prevented / detected the attack Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 4

#1 Phishing / Spam / Drive-By-Download Single most common way through (enterprise) firewalls Client on business network pulls malware from internet, or activates malware in email attachment Spear-phishing carefully crafted email to fool even security experts into opening attachment Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 5

#2 Social Engineering Steal a Password VPN password on sticky note on monitor, or under keyboard Call up administrator, weave a convincing tale of woe, and ask for the password Ask the administrator to give you a VPN account Shoulder-surf while administrator enters firewall password Guess Install a keystroke logger Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 6

#3 Compromise Domain Controller Create Account More generally abuse trust of external system Create account / change password of exposed ICS server, or firewall itself Other external trust abuse compromise external HMI, ERP, DCS vendor with remote access, WSUS server, DNS server, etc. Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 7

#4 Attack Exposed Servers Every exposed port is vulnerable: SQL injection buffer overflow default passwords hard-coded password denial of service / SYN-flood Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 8

#5 Attack ICS Clients via Compromised Servers Best practice: originate all cross-firewall TCP connections on ICS / trusted side Once established, all TCP connections are bi-directional attacks can flow back to clients: compromised web servers compromised files on file servers buffer overflows Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 9

#6 Session Hijacking / Man-in-the-Middle Requires access to communications stream between authorized endpoints eg: ARPSpoof (LAN), fake Wi-Fi access point, hacked DNS server Insert new commands into existing communications session Sniff / fake session ID / cookie and re-use Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 10

#7 Piggy-Back on VPN You may trust the person you have granted remote access, but should you trust their computer? Broad VPN access rules I trust this user to connect to any machine, on any port makes it easy for worms and viruses to jump Split-tunneling allows interactive remote control Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 11

#8 Firewall Vulnerabilities Firewalls are software. All large software artifacts have bugs, and some of those bugs are security vulnerabilities and zero-days Vendor back-doors / hard-coded passwords Supply chain issues do you trust the manufacturer? The manufacturer s suppliers? Occasional design vulnerabilities Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 12

#9 Errors and Omissions Modern firewalls require 6-8 weeks full-time training to cover all features and all configurations The smallest errors expose protected servers to attack Over time, poorly-managed firewalls increasingly resemble routers Well-meaning corporate IT personnel often control firewall configurations and can reach through to fix ICS hosts Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 13

#10 Forge an IP Address Most firewall rules are expressed in terms of IP addresses Any administrator can change the IP address on a laptop or workstation Works only if attacker is on same LAN segment as true IP address or WAN routers route response traffic to a different LAN May need ARPSpoof to block machine with real IP Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 14

#11 Bypass Network Security Perimeter Complex network architectures path from business network to ICS network through only routers exists, but is not obvious Rogue wireless access points Rogue cables well meaning technicians eliminate single point of failure in firewall ICS network extends outside of physical security perimeter Dial-up port Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 15

#12 Physical Access to Firewall If you can touch it, you can compromise it Reset to factory defaults Log in to local serial port, change settings with CLI Re-arrange wiring Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 16

#13 Sneakernet Removable media, especially USB sticks, carried past physical / cyber security perimeter Entire laptops, workstations and servers carried past physical / cyber security perimeter Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 17

Keeping Score Graphic Score Impact 2 Would have prevented / detected the attack 1 Would prevent / detect some variants of the attack 0 Would not have prevented / detected the attack Score Abbrev Compensating Measure 7 2-Factor authentication 7 Encryption 11 Better firewall rules 8 Host intrusion detection / prevention system / SIEM 9 Network intrusion detection / prevention system / SIEM 9 Security updates / patch program 20 Unidirectional security gateway Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 18

Waterfall Security Solutions Headquarters in Israel, sales and operations office in the USA Hundreds of sites deployed in all critical infrastructure sectors Best Practice Award 2012, Industrial Network Security IT and OT security architects should consider Waterfall for their operations networks Waterfall is key player in the cyber security market 2010, 2011, & 2012 Strategic partnership agreements / cooperation with: OSIsoft, GE, Siemens, and many other major industrial vendors Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 19

Stronger Than Firewalls Firewalls are porous Given the elephants in the room, perimeter protection will always be disproportionately important: 100,000 vulnerabilities Plain-text device communications Dissonance between ECC and IT s constant change patch programs Long life-cycles for physical equipment andrew. ginter @ waterfall - security. com www.waterfall-security.com michaelf @ waterfall - security. com Proprietary Information Copyright 2013 by Waterfall Security Solutions Ltd. 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information