presentation given at bio-it world 2016 as a senior member of the ieee on the limitations of big...

Considerations and Evaluations for IT Security Policies
Possession is 9/10ths of the Law

Brian Bissett
Senior Member, Institute of Electrical and Electronics Engineers (IEEE)
Bio-IT World 2016

1

BioIT World 2016 © Brian Bissett [email protected]

Upload: brian-bissett

Post on 18-Jan-2017



Overview

Data Requirements (Secure and Useful)
Limitations of DiD (Defense in Depth)
Multi-Factor Authentication (MFA)
Entropy
Types of Attacks
Risk
IT Operational Analytics (ITOA)
Summary

2


Requirements for Useful Data

Available – Data must be available to authorized users without interference or obstruction.
Accurate – Data is free from errors.
Authentic – Genuine or original and free from reproduction, fabrication, or alteration.
Confidential – Protected from unauthorized entities.
Utility – The data has value.

3


The CIA Triangle

Confidentiality – Integrity – Availability

4


The Fundamental Problem

Information that is not accessible by a network is of limited usefulness.
– Metcalfe’s Law: the value of a communications network is proportional to the square of the number of its users.
– Sarnoff's Law: the value of a broadcast network is proportional to the number of viewers.

Information that is accessible by means of a network can never be guaranteed to be secure.
To have information that can be utilized effectively, we are forced to operate in a paradigm where trade-offs must be made between usefulness and security.

5


OSI Vulnerabilities Up & Down Stack

6


Common Attacks by Layer

1. Physical – Cutting, Keystroke Logging
2. Data Link – Packet Sniffing, MAC Spoofing, MITM
3. Network – Ping Flood, Port Knocking, IPSec Attack
4. Transport – TCP and UDP Flooding
5. Session – Session Hijacking, L2TP, DNS Poisoning
6. Presentation – SSL MITM, SSL DoS
7. Application – Viruses, Trojans, Ransomware, Data Theft, Cross Site Scripting, SQL Injection, Buffer Overflow, HTTP DoS, Brute Force (Most Vulnerable)

7


Defense in Depth (DiD)

Defense in Depth is still necessary but requires supplementation for effective network security.
Defense in Depth relies on barriers, and barriers do not scale with the enterprise.
SQL injection attacks can compromise an entire enterprise database without triggering any alerts.
Defense in Depth must be supplemented by dynamic protection of users, data, and workloads.

8


NetSPA – NETwork Security and Planning Architecture

Supplements Defense in Depth for Large Enterprises.
1. Vulnerability Scans: list network vulnerabilities and provide information on individual hosts and open ports.
2. Vulnerability Databases: describe prerequisites for and the effects of exploiting vulnerabilities.
3. Firewall Rules: describe how traffic may or may not flow through a filtering device.
4. Topology Information: how firewalls and hosts from vulnerability scans are connected together.
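The four inputs above are what a NetSPA-style planner combines to answer "which vulnerable services can actually be reached from where, given the firewall rules?" The following is an added example, not NetSPA's code or anything from this deck: a toy exposure walk over constructed demo data. The host names, zones, rule tuples and the `VULN_DB` flags are all hypothetical (no real advisories), and the model is deliberately simple: a host is exposed when a permitted rule lets an already-reached zone hit a port whose service is flagged, and reaching a host makes its zone a new vantage point. The `exposure_without` helper shows the planning use: test which single rule removal cuts the exposure chain.

```python
from collections import deque
from typing import Dict, Tuple

# NetSPA-style inputs as constructed demo data. Hosts, zones, rules and
# the "vulnerable" flags are hypothetical and refer to no real network.

# 1. Vulnerability scan: host -> zone it sits in, and the service on each open port.
SCAN = {
    "web01": {"zone": "dmz",      "ports": {443: "httpd", 22: "sshd"}},
    "app01": {"zone": "internal", "ports": {8080: "appsrv", 22: "sshd"}},
    "db01":  {"zone": "internal", "ports": {5432: "dbsrv"}},
    "jump":  {"zone": "mgmt",     "ports": {22: "sshd"}},
}

# 2. Vulnerability database: does the scanned version of a service carry a
#    remotely reachable weakness? (demo flags, not real advisories)
VULN_DB = {"httpd": True, "appsrv": True, "dbsrv": True, "sshd": False}

# 3. Firewall rules: permitted (source zone, destination zone, destination port).
RULES = {
    ("internet", "dmz", 443),
    ("dmz", "internal", 8080),
    ("internal", "internal", 5432),
    ("mgmt", "dmz", 22),
    ("mgmt", "internal", 22),
}

# 4. Topology: here expressed by each host's zone plus the zone-to-zone rules.


def exposure(start_zone: str = "internet", rules=RULES) -> Dict[str, int]:
    """Breadth-first exposure walk from a starting vantage zone.

    A host counts as exposed when some already-reached zone is permitted by the
    rules to reach one of its ports and the service there is flagged in VULN_DB.
    Reaching a host makes its zone a new vantage point. Returns {host: port}.
    """
    reached_zones = {start_zone}
    exposed: Dict[str, int] = {}
    queue = deque([start_zone])
    while queue:
        src = queue.popleft()
        for host, info in SCAN.items():
            if host in exposed:
                continue
            for port, service in info["ports"].items():
                if (src, info["zone"], port) in rules and VULN_DB.get(service, False):
                    exposed[host] = port
                    if info["zone"] not in reached_zones:
                        reached_zones.add(info["zone"])
                        queue.append(info["zone"])
                    break
    return exposed


def exposure_without(rule: Tuple[str, str, int], start_zone: str = "internet") -> Dict[str, int]:
    """What-if analysis: exposure after removing a single firewall rule."""
    return exposure(start_zone, rules=RULES - {rule})


if __name__ == "__main__":
    print("exposed from internet:", exposure())
    print("without dmz->internal:8080:", exposure_without(("dmz", "internal", 8080)))
    print("exposed from mgmt:", exposure("mgmt"))
```

In the demo data the chain runs internet → web01 → app01 → db01; dropping the single dmz-to-internal rule leaves only the web tier exposed, which is the kind of barrier-placement decision a flat "scan everything" report cannot make on its own. Note that the toy treats "vulnerable service reachable" as "host reachable", which overstates exposure compared with a real planner that also models exploit prerequisites.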

9


Tracers and Tethers (TnT)

Utilizes the strength of user authentication, encrypted connections, and continuous monitoring to secure resources (especially cloud based).
Tracers – trace through gateways and trust zones.
– track contextual information.
Tethers – tethers to provide root of trust guarantees.
– leverage cryptography.

Behavioral analysis of “Trusted” insiders.

10


Example: Tracers and Tethers

11


Access Attacks

Backdoors – using a known or newly discovered mechanism to access a system.
Brute Force – trying every possible combination of options for a password (time consuming).
Dictionary – automated guessing of passwords using individual or groups of known words.
Spoofing – contacting the system as a trusted host by modifying the IP packet's source address.
Social Engineering – You trick an idiot who has access to allow you into the system.

12


Data Pilfering and Corruption

Sniffer – program and/or device that can monitor data over a network. Can be used for legitimate purposes (network management and troubleshooting) or nefarious purposes (theft).
– Aircrack-ng
– Kismet
– Wireshark
– Etc.

Man in the Middle (TCP Hijacking) – grab packets from the network, modify them, and reinsert them back into the network.

13


Multi-Factor Authentication (MFA)

The most secure networks require a three-tier system of authentication for user access:
1. Something you know (e.g. a password).
2. Something you have (e.g. a smart card).
3. Something you are (e.g. a fingerprint).

Very few enterprises incorporate all 3 authentication factors; most utilize 2. Refer to NIST Special Publication 800-63-2.

14


Password Entropy

Entropy is a measure of the uncertainty associated with a random variable.
WolframAlpha will calculate the entropy of a password: http://www.wolframalpha.com/
Entropy of “password” = 36.19 bits (very weak)
Entropy of “P@s$w0Rd” = 51 bits (fair)
Entropy of “H@rd2Gue$sP@s$w0Rd” = 114.8 bits (very strong)

15


Increasing Entropy

Within User Control
– Length
– Randomness

Enterprise Controlled
– Character set
– Salt – a random number that is associated with a user and is added to that user's password.
– Pepper – a single value unique for a site.
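The two slides above split entropy into what the user controls (length, randomness) and what the enterprise controls (character set, salt, pepper). This added example, written for this page and not taken from the deck or from WolframAlpha, makes both halves concrete. `entropy_bits` is the crude brute-force estimate length × log2(charset size); it ranks the three slide passwords the same way WolframAlpha does but its figures differ from the slide's values, because WolframAlpha applies a different model. `hash_password` then shows how a per-user salt and a site-wide pepper enter password storage: the salt is stored beside the hash, the pepper (a constructed demo value here) is kept out of the database, and PBKDF2 is used as the slow hash. Function names and the round count are this example's choices.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional, Tuple

# Character classes for the length x charset estimate.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: log2(charset_size ** length).
    Ignores dictionary words and leetspeak, so it overstates real strength."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


# Site-wide pepper: constructed demo value. In production it lives in a
# secrets store or HSM, never in the database beside the salted hashes.
PEPPER = b"demo-pepper-not-for-production"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The salt is per-user and stored with the digest;
    the pepper is applied via HMAC before the slow hash and is not stored."""
    if salt is None:
        salt = os.urandom(16)
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


if __name__ == "__main__":
    for pw in ("password", "P@s$w0Rd", "H@rd2Gue$sP@s$w0Rd"):
        print(f"{pw!r}: charset {charset_size(pw)}, ~{entropy_bits(pw):.1f} bits")
    salt, digest = hash_password("P@s$w0Rd")
    print("verify correct:", verify_password("P@s$w0Rd", salt, digest))
    print("verify wrong:  ", verify_password("password", salt, digest))
```

The salt defeats precomputed tables because two users with the same password get different digests; the pepper means a dumped database alone is not enough to mount an offline guessing attack, which is why it must be stored somewhere the database compromise does not reach.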

16


Risk Drivers

Add Users
Low Entropy Passwords and Tokens
Open TCP/IP Ports
Add Applications, Services, or Systems
Add Administrators
Lower levels of Multi-Factor Authentication
Vulnerabilities are Disclosed
New Architectures Increase Attack Surfaces

17


User Experience vs. Security

Does this Annoy You Too??

18


Why Traditional Security is Failing

The BYOD culture and the rise of the Internet of Things (IoT) mean Enterprise IT departments will no longer own the devices connected to their infrastructure. In the case of cloud services, administrators may no longer have control over the network itself, the servers, OS, or applications being employed by the end users.

Enterprise IT systems will constantly be open to compromise, unable to adequately prevent advanced targeted attacks from finding their way into the infrastructure.

19


IDS Intrusion Detection System

Device or software application that monitors network or system activities for malicious activities or policy violations.
Network Intrusion Detection Systems (NIDS)
Host Intrusion Detection Systems (HIDS)
Statistical anomaly-based IDS – monitor network traffic and compare it against an established baseline.
Signature-based IDS – compare against a database of signatures or attributes from known malicious threats.
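The slide's two detection styles are complementary, and a small run over sample data shows why. The following is an added example written for this page (not from the deck or from any IDS product): a signature matcher and a baseline-based rate anomaly detector applied to the same constructed web access log. The log lines, the two signatures, the baseline sample and the z-score threshold are all hypothetical demo values. The injection attempt is caught only by the signature side (one request is never a rate anomaly), while the request flood from 10.0.0.42 is caught only by the anomaly side (it matches no signature).

```python
import re
import statistics
from collections import Counter
from typing import List, Tuple

# Constructed access-log lines (source IP, minute bucket, request); no real traffic.
LOG_LINES = [
    "10.0.0.5   12:00  GET /index.html",
    "10.0.0.5   12:00  GET /about.html",
    "10.0.0.7   12:00  GET /login",
    "10.0.0.7   12:01  POST /login user=admin' OR '1'='1",
    "10.0.0.9   12:01  GET /search?q=<script>alert(1)</script>",
    "10.0.0.5   12:01  GET /contact.html",
] + [f"10.0.0.42  12:01  GET /page{i}.html" for i in range(8)]

# Constructed baseline: requests per source per minute observed during normal operation.
BASELINE_PER_MINUTE = [2, 3, 2, 4, 3, 2, 3, 2]

# Illustrative signatures; a real ruleset is far larger and tuned per application.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+|union\s+select", re.I),
    "xss": re.compile(r"<script\b", re.I),
}

LINE_RE = re.compile(r"^(\S+)\s+(\d\d:\d\d)\s+(.*)$")


def parse(line: str):
    """Split a log line into (source, minute, request); None if malformed."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Signature-based IDS: known-bad patterns in the request field."""
    alerts = []
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        src, _minute, request = parsed
        for name, pattern in SIGNATURES.items():
            if pattern.search(request):
                alerts.append((src, name))
    return alerts


def anomaly_alerts(lines: List[str], baseline: List[float], z_threshold: float = 3.0) -> List[str]:
    """Statistical anomaly IDS: flag sources whose requests-per-minute sit more than
    z_threshold standard deviations above the learned baseline mean."""
    counts = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed:
            counts[(parsed[0], parsed[1])] += 1
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline) or 1.0
    flagged = {src for (src, _m), n in counts.items() if (n - mean) / stdev > z_threshold}
    return sorted(flagged)


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(LOG_LINES))
    print("anomaly alerts:  ", anomaly_alerts(LOG_LINES, BASELINE_PER_MINUTE))
```

The anomaly detector's weakness is visible in the code: its quality is entirely a function of the baseline, so a baseline learned while an attacker was already active will treat that activity as normal, which is the usual caveat for the ITOA approach discussed later in the deck.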

20


The Ultimate Nightmare: Ransomware

21


Ransomware Overview

Malware that encrypts all your files and then extorts money to unlock them.
Infection via social engineering using email attachments or webpage executables.
Not self-replicating; cannot spread across the network on its own.
– But it WILL encrypt every file it can access on your network. Every accessible network file and even cloud storage is vulnerable.
Common variants: CryptoLocker, CryptoWall.
Encryption is too strong to break.

22


Ransomware Infection

The ransomware infection can be removed from the machine easily enough, but . . . .
The files will remain encrypted until decrypted with the key.
Once infected, there are only two options:

1. Pay the ransom and hope you get sent a key.
2. Wipe the drive and recover from a backup.

Most users opt for option number 2.
Usually when the ransom is paid, a key is sent.

23


Protecting from Ransomware

Best protection: the virtual sandbox, products like Sandboxie.
Sandboxes are virtual environments running a duplicate of your OS and files.
If ransomware executes in a sandbox, it is deleted with the sandbox.
HitmanPro will catch and neutralize ransomware before it can encrypt your files.
Firewall blocking has shown limited success.

24


Firewall Blocks to Stop Ransomware

Ransomware must contact a live command and control (C&C) server to generate keys for encryption.
Only allow outbound traffic on the ports actually used.
Do not allow direct connections to IP addresses lacking a DNS name.
Block known-malicious Tor IP addresses.
Employ a Malicious Traffic Detection (MTD) mechanism.
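The first three firewall points above amount to an egress policy that can be written down and tested before it is pushed to the firewall or proxy. This added example (written for this page, not from the deck or any firewall product) encodes them as a decision function: a port allowlist, a refusal of literal-IP destinations that never went through DNS, and a blocklist check on the resolved address. Everything in it is a constructed demo value: the allowed ports, the documentation-range addresses standing in for a known-malicious feed, and the `DEMO_RESOLVER` table that replaces a live DNS lookup so the code runs offline.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed policy values (examples only, not a recommended production policy).
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}

# Placeholder block list standing in for a known-malicious address feed
# (RFC 5737 documentation addresses, chosen so they are never real hosts).
BLOCKED_IPS = {ipaddress.ip_address("203.0.113.10"), ipaddress.ip_address("198.51.100.77")}

# Stand-in for DNS so the example runs offline; a real implementation resolves.
DEMO_RESOLVER: Dict[str, str] = {
    "updates.example.com": "192.0.2.10",
    "cdn.example.org": "192.0.2.20",
    "bad.example.net": "203.0.113.10",
}


def evaluate_egress(destination: str, port: int, resolver: Dict[str, str] = DEMO_RESOLVER) -> Tuple[bool, str]:
    """Apply the slide's three rules in order and return (allowed, reason)."""
    # Rule 1: only ports the organisation actually uses outbound.
    if port not in ALLOWED_OUTBOUND_PORTS:
        return False, f"port {port} not in outbound allowlist"
    # Rule 2: a destination written as a bare IP never went through DNS; deny it.
    try:
        ipaddress.ip_address(destination)
        return False, "literal IP destination without DNS name"
    except ValueError:
        pass  # it is a host name, continue
    # Rule 3: the name must resolve, and the answer must not be on the block list.
    resolved = resolver.get(destination)
    if resolved is None:
        return False, "name does not resolve"
    if ipaddress.ip_address(resolved) in BLOCKED_IPS:
        return False, "resolved address is on the blocklist"
    return True, "permitted"


def denied_attempts(attempts: List[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Batch review of connection attempts: return only the denied ones with reasons,
    the list a defender would feed to an MTD mechanism or a SIEM."""
    out = []
    for dest, port in attempts:
        allowed, reason = evaluate_egress(dest, port)
        if not allowed:
            out.append((dest, port, reason))
    return out


if __name__ == "__main__":
    sample = [("updates.example.com", 443), ("203.0.113.10", 443),
              ("bad.example.net", 443), ("cdn.example.org", 4444)]
    for item in denied_attempts(sample):
        print("DENY", item)
```

Two practitioner caveats apply to the slide's premise. Egress filtering only helps against families that really do need a live C&C exchange before encrypting; some carry or generate keys offline, which is consistent with the earlier slide's remark that firewall blocking has shown limited success. And the "no literal IPs" rule needs an exception list in practice, since a few legitimate services connect by address.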

25


Ransomware the $$$ Cost

CryptoWall in 2015: 406,887 infections, $325M.
– Includes indirect costs: lost revenue, down time, recovery time.

CryptoLocker attacks doubled in 2015.
– More than 50,000 corporate machine infections.

Kyrus Technologies reverse engineered CryptoLocker. Infected users can obtain keys here: decryptcryptolocker.com
Many variants remain unbroken.
29 federal agencies reported 321 ransomware infections to DHS in just 9 months.

26


ITOA - IT Operations Analytics

A form of real-time advanced analytics that harnesses and processes vast volumes of highly diverse data from applications and endpoints across an organization’s IT infrastructure.
“Advanced targeted attacks are set to render such prevention-centric security strategies obsolete over the next five to six years.” – Gartner
ITOA can detect sophisticated threats by recognizing anomalies in the behavior of users and devices, and identifying deviations from normal behavior as potentially malicious activity.

27


Internet of Things (IoT)

Problem: IoT solutions are being deployed and retrofitted with security after the fact.
IoT opens up the number of networks one could access quite dramatically.
Derbycon Security Conference found "thousands" of medical devices that were vulnerable to remote attacks via the public internet.
Def Con 23 Hacking Conference: researchers at Protiviti discussed over 20 vulnerabilities uncovered in medical devices and support systems.

28


IoT: Some of Today’s Threats

Hospira drug pumps contain security flaws that could allow hackers to give patients a deadly overdose.
Doctors disabled the wireless features on Vice President Dick Cheney's heart pump.
U.S. GAO: Boeing 787 Dreamliner, Airbus A350, and Airbus A380 are all at risk of hacking, because cockpits use the same Wi-Fi network as passengers.
Samsung revealed that the mics built into its smart TVs were continuously recording and transmitting data to the company.

29


Cloud Computing

Cloud computing changes the equation of responsibility for information security.
Any business that holds information about its customers is the “controller” of that data under the Data Protection Directive (DPD).
If personal data is stored in a cloud, it remains the responsibility of the controller.
The controller cannot offload its data protection responsibilities just by putting data into the cloud.

30


Cloud Computing Security Models

Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Colocation
– Colocation is your hardware in someone else’s data center.
– Only real estate and utilities are outsourced.
– Colocation was the first “Cloud” service.

(Figure: Provider Responsibility – Shared Responsibility – Customer Responsibility)

31


Summary

Usefulness vs. Security paradigm is here to stay.
DiD offers limited protection.
Risk increases with utility.
The rise in advanced persistent threats (APTs) requires ITOA to detect nefarious activity.
The diversity of appliances being connected to the Internet is opening more security holes than conventional strategies are capable of dealing with.

32


Selected Publications

Automated Data Analysis with Excel
– Softcover: 442 pages
– Chapman & Hall (June 2007)
– Second Edition coming in 2016/2017
– ISBN: 1-58488-885-7

Practical Pharmaceutical Laboratory Automation
– Hardcover: 464 pages
– Publisher: CRC Press (May 2003)
– ISBN: 0849318149

33