Lessons from the DHS Cyber Test Bed Project
Theresa Payton, President/CEO, Fortalice, LLC
Presented by: Kemal O. Piskin, Senior Cyber Security Engineer, Applied Research Associates, Inc.
What We'll Discuss
- DHS Cyber Test Bed (CTB) overview
- Discuss the CTB methodology
- Highlight the CTB team and participants
- Share CTB activities
- Summarize findings from the CTB network vulnerability assessments and threat presentation interactions
- Key observations
- Project impact
- Cover best practices validated from the project
ARA Cyber Test Bed (CTB)
- The Cyber Test Bed was a project of the Institute of Homeland Security Solutions (Research Triangle Institute, Duke, the University of North Carolina and the NC Military Foundation) and Applied Research Associates.
- ARA was the principal subcontractor and architect of the CTB methodology and conceptual framework.
- The CTB was carried out by the Department of Homeland Security - Partners of IHSS Cyber Division.
CTB Project
- The Test Bed was a demonstration project to identify, deploy, and evaluate best practices for cyber security in small and mid-size companies.
- The project was carried out in a real-world environment and is supported by an evaluation and research framework that can illuminate multi-dimensional aspects of the project's impact on the security of the participating companies.
CTB Project
- The Test Bed approach led to a better understanding of threats, the development of models to predict potential impacts, and the deployment of tactical deterrents.
- By identifying and testing best practices using existing cyber security technologies for the private sector, the Test Bed will contribute to DHS's mission to improve cyber security while also mitigating the loss of intellectual property critical to economic and national security.
Cyber Test Bed Overview
- CTB employed an asset protection methodology focused on:
  - People Security
  - Physical Security
  - Cyber Security
  - Intellectual Property Protection
  - Contingency Planning
- Four-stage process comprising:
  - Briefings
  - Assessments
  - Hardware/Software Training
  - Policy framework development
- Designed to be executed over a 12-18 month period
CTB Participant Company Demographics
- Nine companies participated
- Participants are located throughout North Carolina
- Company statistics
  - Employees: 1 to 160 per company, 467 total (60% overall attended the first threat brief), 50 average
  - Annual revenues range from $20K to $20M (~$12M average)
- Businesses fall within the following market sectors:
  - Construction / Commercial Property Management
  - IT Services
  - Legal
  - Technology
  - Telecommunications
  - Manufacturing
  - Venture Capital
  - Research and STEM
Initial Security Assessment
Network Assessments: Tools Used
- Mandiant
  - Used to detect and characterize any potential Advanced Persistent Threat on participant networks
  - Required on-site visits to install server- and client-based hardware and software
  - ARA performed the installs and coordinated with Mandiant to ensure the configuration was correct
  - Mandiant generated a findings report in each instance and forwarded it to ARA for inclusion in our overall network findings document
- Snort
  - Free, open-source Intrusion Detection System software that allowed the CTB team to view and log ingress/egress traffic
  - Used the same IDS signature base for all scans performed, for consistency
  - Fairly easy to deploy; required leaving behind an ARA-configured laptop
  - Retained logs in case participant system administrators requested to review raw traffic (3 of 7 did)
- GFI LanGuard
  - A fairly low-cost network security and vulnerability scanner that provides a security overview, mainly for Microsoft OS based systems
  - Typically a LanGuard scan would be run during the Mandiant and Snort installation visit
  - Provided a snapshot in time of missing patches or service packs, open share drives on workstations, security audit and password policies, open firewall ports, and checks that no port hijacking is in force
- Results were compiled into the CTB Network Assessment Report
General Threat Findings
- General Findings
  - All companies had compromises
  - Companies that outsource assume security is rolled into the service they are buying (it is not)
  - Largely, very little to no formal security policies or IT policies exist
  - No application or understanding of defense in depth
  - Lack of security-trained personnel on-site
  - No active patch management performed
- Network Scan Results
  - All companies had some sort of nefarious activity, even ones with industrial-grade enterprise security suites
  - The most common threat appears to originate from Russian Business Network actors
  - All companies had what appeared to be fully compromised computers (remote desktop connections, backdoors, etc.)
  - No APT found over 4 week-long scans (scanned 7 of 9 participants)
  - Most/all vulnerabilities could have been avoided through common security practices
Specific Threats Found
Specifically, CTB analysts discovered the following vulnerabilities:
- Numerous servers across all participants appeared to be compromised with:
  - Domain Name Server (DNS) exploits
  - Direct connections to known Russian Business Network (RBN) IP addresses
  - Connections to questionable domains such as www.h-r-connect.co.cc, as well as other co.cc domains
- Observed backdoors, Trojans and rootkits on two Unix-based servers
- About 20 percent of one CTB participant's network computers were observed communicating with questionable IPs within the co.kr, com.cn, com.ru, and co.cc domains
- DropBox, a cloud storage service which has many associated vulnerabilities, was being used extensively to store company-related data by two of the nine CTB participants
Specific Threats Found
But wait, there's more!
- GFI LanGuard results rated all seven companies as high, meaning they had significant vulnerabilities. The number of patches missing ranged between 112 and 742
- Large amounts of BitTorrent data were being exchanged at one site
- As high as 40% of computers at one site were observed communicating with known RBN IPs
- BotNet-related activity was noted on one-third of the computers on one particular network
- Unauthorized Remote Desktop Connections were observed at three of the seven participants' sites
Vulnerability Assessment Statistics

Metric                                 | Beeswax   | Coral  | Curacao | Honeysuckle | Lavender | Peony | Phlox | Silver  | Avg
Number of Computers                    | 184       | 97     | 33      | 79          | 36       | 1     | 112   | 50      | 74
Number of Days Scanned                 | 51        | 54     | 54      | 32          | 43       | 1     | 42    | 88      | 46
Number of Events                       | 1,024,100 | 67,483 | 104,000 | 296,418     | 463      | NDC*  | 1,481 | 136,207 | 232,879
Patches Missing                        | 927       | 390    | 112     | NDC         | 742      | 16    | 130   | NDC     | 386
Number of Vulnerabilities              | 1,436     | 1,864  | 1,343   | 382         | 1,907    | 148   | 1,041 | NDC     | 1,160
Events Per Day                         | 20,080    | 1,250  | 1,926   | 9,263       | 11       | NDC   | 35    | 1,548   | 4,873
Patches Missing Per Computer           | 5.04      | 4.02   | 3.39    | NDC         | 20.61    | 16    | 1.16  | NDC     | 8
Number of Vulnerabilities Per Computer | 7.80      | 19.22  | 40.70   | 4.84        | 52.97    | 148   | 9.30  | NDC     | 40

*NDC = No data collected. The Avg column is the mean over the participants with data in that row (NDC entries excluded).
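As an added illustration (not part of the original deck or of ARA's tooling), the Python script below parses Snort fast-format alert lines of the kind the leave-behind IDS laptop would have logged and rolls them up into the metrics the table above reports (days scanned, events per day) plus the per-host findings the assessments flagged: Remote Desktop reachable from outside the LAN, and the share of computers raising priority-1 outbound alerts. The alert lines, rule SIDs, addresses and the 192.168.0.0/16 internal range are all constructed for the example.

```python
import re
from collections import Counter
# Constructed Snort "fast" alert lines (not CTB data); SIDs, hosts and messages are made up.
SAMPLE_ALERTS = """\
03/14-09:12:01.000000  [**] [1:1000001:1] CTB inbound RDP [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:50123 -> 192.168.1.20:3389
03/14-09:40:17.000000  [**] [1:1000002:1] CTB DNS query for co.cc domain [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 192.168.1.31:53211 -> 192.168.1.2:53
03/14-10:05:44.000000  [**] [1:1000003:1] CTB BitTorrent handshake [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 192.168.1.44:6881 -> 198.51.100.9:6881
03/15-08:01:09.000000  [**] [1:1000001:1] CTB inbound RDP [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:50201 -> 192.168.1.20:3389
03/15-11:30:00.000000  [**] [1:1000004:1] CTB outbound to watchlist IP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.31:49152 -> 198.51.100.77:443
this line is not a Snort alert and is skipped by the parser
"""
# Snort fast format: timestamp, [**] [gid:sid:rev] msg [**], optional classification,
# priority, protocol, then src:port -> dst:port.
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>[\d:.]+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            a = m.groupdict()
            a["prio"], a["dport"] = int(a["prio"]), int(a["dport"])
            alerts.append(a)
    return alerts

def is_internal(ip):
    # Assumption for this example: the participant LAN is 192.168.0.0/16.
    return ip.startswith("192.168.")

def summarize(alerts, num_computers):
    """Roll alerts up like the CTB statistics table (days scanned, events per day) and
    list internal hosts with RDP reachable from outside or priority-1 outbound alerts."""
    per_day = Counter(a["date"] for a in alerts)
    rdp_exposed = {a["dst"] for a in alerts
                   if a["dport"] == 3389 and is_internal(a["dst"]) and not is_internal(a["src"])}
    prio1_out = {a["src"] for a in alerts
                 if a["prio"] == 1 and is_internal(a["src"]) and not is_internal(a["dst"])}
    return {
        "days_scanned": len(per_day),
        "events_per_day": round(sum(per_day.values()) / max(len(per_day), 1), 1),
        "rdp_exposed_hosts": sorted(rdp_exposed),
        "hosts_with_prio1_outbound": sorted(prio1_out),
        "pct_hosts_with_prio1_outbound": round(100 * len(prio1_out) / num_computers, 1),
    }

if __name__ == "__main__":
    print(summarize(parse_alerts(SAMPLE_ALERTS), num_computers=10))
```

On the constructed sample this reports 2 days scanned at 2.5 events per day, one host with RDP exposed to the outside and 10% of the ten assumed computers with priority-1 outbound alerts.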
CTB Project Findings: Policy
- 100% of the companies do not have a written information security policy
- 100% of the companies do not have a written password policy
- 88% of the companies do not have reporting procedures in place for data breaches and / or suspicious activity
- 75% of companies do not have a documented intellectual property policy
CTB Project Findings: Software / Hardware
- All companies allowed the installation of personal IT hardware / software assets to be used with enterprise resources
- Limited capability, if any, is in place to automate hardware / software updates and patches
- None of the participating companies evaluate their assets for risk and/or conduct risk assessments
- 75% of companies allowed personal IT assets to be connected to company resources
- 75% of companies allowed all users to install software on enterprise resources for personal use
- 63% of companies allowed all users to have administrative privileges
- 25% of companies were able to determine if the latest firmware update has been installed
CTB Project Findings: Software / Hardware (cont'd)
- 50% of companies were able to determine if the appropriate drivers were installed for all IT assets
- 87% of the companies do not implement an automated process to patch or update application software, although the capability exists
- 87% of companies stated that most software installed on personal/enterprise IT assets did not serve an operational purpose
- 63% of companies perform an asset inventory
- In addition, the companies surveyed do not maintain records of utilized countermeasures
CTB Project Findings: Network
- All companies employed a network-based firewall
- 50% of the deployed network firewalls were not configured appropriately to secure the corporate infrastructure
- 75% of companies use wireless technologies on their network
- 40% do not employ any wireless security on their network
- 90% of companies do not have a network map showing the layout of the enterprise network and the location of network resources (i.e., e-mail, file servers)
- 90% of companies do not employ an Intrusion Detection System/Intrusion Prevention System to actively monitor their network
CTB Project Findings: Intellectual Property Protection
- Company employees have not been provided training on formal / informal processes for protecting Intellectual Property
- 38% of companies have an informal process that identifies organizational intellectual property
- 75% of companies do not have a documented intellectual property policy
- 25% of companies handle their intellectual property differently than other types of data
- 63% of companies do not arrange intellectual property agreements with their employees (and possibly contractors and vendors)
- 50% of companies take legal action to protect their intellectual property by employing patents, trademarks, copyrights, and/or trade secrets
- 50% of companies strictly control access to their intellectual property
CTB Project Findings: Physical Security
- Companies do not have any means to determine if their investments in information security save the organization money by reducing loss
- 63% of companies do not employ a Security Manager or a centralized resource that manages organizational / enterprise security
- 87% of companies estimate the amount of revenue spent on security
- None of the companies can determine if the money spent on security saves the organization money by reducing losses
CTB Project Findings: Training and Awareness
- Minimal or no information security training is being provided to company employees
- Company participants do not implement a security awareness and training program for their employees
- 100% of companies do not implement or maintain a security awareness and training program for their personnel
- 100% of companies do not provide information security training for their employees annually or as part of the new hire orientation process
CTB Project Findings: Contingency Planning
- Companies that have a formally documented contingency plan are not familiar enough with the processes to implement it in the event of an outage
- Companies that have a formally documented contingency plan are not testing their plans to ensure feasibility
- Companies may not have adequate protection against IT outages since contingency plans are not being tested for feasibility
- 38% of companies have a contingency plan in place that addresses IT outages
- 25% of companies employ a hot / cold site for continuity of network operations
Key Observations
- Leadership engagement is critical
- Threat briefings create the awareness and environment for change
- Network assessments are pivotal and provide the nexus for change
- Policy frameworks are the missing link once change begins
- Asset protection combined with a human-factors approach is comprehensive
- Individuals begin to think differently about security
- Training makes a difference
- Some elements are low cost or marginal cost (time) and effective
Key Observations (2)
- CTB recruits did not see themselves as potential targets or at risk of cyber attack
- CTB recruits are intrigued by our credentials and the team we have pulled together to execute the program
- CTB companies are sophisticated, well traveled, global and aware that cyber security is a growing risk
- CTB companies view this experience as a chance to learn and benefit, possibly gaining market advantage
- Financial institutions have regulatory hurdles/concerns that make them risk averse about participating
Project Impact
- The project changed attitudes and behaviors toward security
- Changed technical behaviors (network and individual)
- More awareness and understanding of risks and threats
- Ability to make more informed decisions about security
- Participants began including security in all facets of business and strategic planning
- Policies provide a great foundational framework to bring structure to cyber security efforts
- Ability to ask the right questions to make the right hiring decisions when interviewing potential candidates
- Asset Cards stimulated discussions and questions about all facets of security
Examples of Changed Behaviors
- Implementing a recurring security awareness program: Lavender, Phlox, Coral
- Made changes (increased or added responsibilities) to staff to address security requirements: Phlox, Curacao, Honeysuckle, Coral, Silver, Lavender
- Reserved computers strictly for travel that did not have corporate information or access: Curacao, Silver, Lavender
- Decision to completely re-architect their network: Honeysuckle, Curacao
- Integrating risk and security elements into operational and strategic business management decision-making: Peony
- Made changes to how they conducted financial transactions: Silver, Curacao, Peony
- Implementation of encryption where possible, elimination of remote log-in and remote desktop capabilities, update of policies and continuity of operations plan: Lavender
Best Practices
- Corporate leadership and buy-in are critical to engaging participants and encouraging change
- Policy, training and awareness significantly reduce organizational security risk
- Have been applying ISO 27001/2 methodologies and checklists (Information Security Framework)
- Threat understanding is pivotal; network analysis changes behavior
- Leveraged existing reference materials from Operations Security practices, open source literature and in-house expertise
- The human factors portion is a critical aspect of security. All security measures can be defeated through ignorance, insider threat (malicious or not) or human vulnerability
FOR ADDITIONAL INFORMATION PLEASE CONTACT
Theresa Payton, 980.226.8932, tp@fortalicesolutions.com
Kemal O. Piskin, 757.510.0456, kemal.piskin@ara.com