Sunday, April 28, 2013

Detecting Cyber Intrusion in SCADA System

How to recognize intrusion?

One of the axioms of cyber security is that although it is extremely important to try to prevent intrusions into one’s systems and databases, it is essential that intrusions be detected if they do occur.

An intruder who gains control of a substation computer can modify the computer code or insert a new program. The new software can be programmed to quietly gather data (possibly including the log-on passwords of legitimate users) and send the data to the intruder at a later time.

It can be programmed to operate power system devices at some future time or upon the recognition of a future event. It can set up a mechanism (sometimes called a ‘‘backdoor’’) that will allow the intruder to easily gain access at a future time.

For example, if the goal of the intrusion was to gain unauthorized access to utility data, the fact that another party is reading confidential data may never be noticed. Even when the intrusion does result in damage (e.g., intentionally opening a circuit breaker on a critical circuit), it may not be at all obvious that the false operation was due to a security breach rather than some other failure (e.g., a voltage transient, a relay failure, or a software bug).

For these reasons, it is important to strive to detect intrusions when they occur. To this end, a number of IT security system manufacturers have developed intrusion detection systems (IDS).

These systems are designed to recognize intrusions based on a variety of factors, including primarily:

  • Communications attempted from unauthorized or unusual addresses and
  • An unusual pattern of activity.

They generate logs of suspicious events. The owners of the systems then have to inspect the logs manually and determine which represent true intrusions and which are false alarms.

To make the situation more difficult, hackers have learned to disguise their network probes so they do not arouse suspicion. In addition, it should be recognized that there is as much a danger of having too many events flagged as suspicious as having too few.

Users will soon learn to ignore the output of an IDS that announces too many spurious events. There are outside organizations however that offer the service of studying the output of IDSs and reporting the results to the owner. They will also help the system owner to tune the parameters of the IDS and to incorporate stronger protective features in the network to be safeguarded.

Making matters more difficult, most IDSs have been developed for corporate networks with publicly accessible internet services. More research is necessary to investigate what would constitute unusual activity in a SCADA/SA environment.

In general, SA and other control systems do not have logging functions to identify who is attempting to obtain access to these systems. Efforts are underway in the commercial arena and with the National Laboratories to develop intrusion detection capabilities for control systems.

In summary, the art of detecting intrusions into substation control and diagnostic systems is still in its infancy.

Until dependable automatic tools are developed, system owners will have to place their major efforts in two areas:

  • Preventing intrusions from occurring, and
  • Recovering from them when they occur.
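As an added illustration of the two detection factors listed above (example code, not part of the original post), here is a toy pass over constructed substation gateway log lines: it flags requests from addresses not on a hypothetical authorised-master list, control writes from hosts whose baseline is read-only polling, and request bursts, and it suppresses repeat alerts so one noisy host does not bury the log. The log format, addresses and Modbus function-code baseline are all assumptions.

```python
"""Toy detection pass over constructed substation gateway log lines: flag
traffic from addresses not authorised to reach the RTU, and activity that
breaks the normal polling pattern (control writes, request bursts)."""
from collections import Counter
import re

# Constructed log format: "<epoch> <src_ip> -> <dst_ip>:<port> FC=<Modbus function code>"
LOG = """\
1000 10.1.1.5 -> 10.1.2.10:502 FC=3
1001 10.1.1.5 -> 10.1.2.10:502 FC=4
1002 10.1.1.5 -> 10.1.2.10:502 FC=3
1003 192.168.77.9 -> 10.1.2.10:502 FC=3
1004 192.168.77.9 -> 10.1.2.10:502 FC=6
1005 10.1.1.5 -> 10.1.2.10:502 FC=3
1006 10.1.1.5 -> 10.1.2.10:502 FC=5
1008 192.168.77.9 -> 10.1.2.10:502 FC=3
1008 192.168.77.9 -> 10.1.2.10:502 FC=3
1008 192.168.77.9 -> 10.1.2.10:502 FC=3
1008 192.168.77.9 -> 10.1.2.10:502 FC=3
"""
AUTHORISED_MASTERS = {"10.1.1.5"}   # hypothetical SCADA master allowed to poll the RTU
READ_ONLY_FCS = {1, 2, 3, 4}        # normal polling; 5/6/15/16 write coils or registers
BURST_LIMIT = 3                     # more requests than this from one host in one second
LINE = re.compile(r"(\d+) (\S+) -> (\S+):(\d+) FC=(\d+)")

def detect(log_text):
    """Return (src, reason) alerts, deduplicated per host and reason so that
    one chatty host produces one line per finding rather than a flood."""
    alerts, seen, per_second = [], set(), Counter()

    def alert(src, reason):
        if (src, reason) not in seen:   # too many alerts gets the IDS ignored
            seen.add((src, reason))
            alerts.append((src, reason))

    for m in LINE.finditer(log_text):
        ts, src, _dst, _port, fc = m.groups()
        fc = int(fc)
        per_second[(ts, src)] += 1
        if src not in AUTHORISED_MASTERS:
            alert(src, "unauthorised address")
        if fc not in READ_ONLY_FCS:
            alert(src, "write function code %d outside polling baseline" % fc)
        if per_second[(ts, src)] > BURST_LIMIT:
            alert(src, "request burst")
    return alerts
```

Calling `detect(LOG)` yields four alerts: the unknown host, its write, a write from the authorised master (the case the post warns may look like an ordinary relay or software fault), and the burst.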

Sunday, April 21, 2013

Industrial Control Systems (ICS) Security Awareness Poster

Control Systems Are A Target, Need Some Awareness?

One of the challenges we face in the Industrial Control System (ICS) community is awareness. People maintaining our critical infrastructure do not realize how fragile and targeted the supporting cyber systems are, including PLCs, Relays, RTUs and entire SCADA networks.

This poster was developed by a community team of industry ICS experts to help ICS Engineers and Operators understand just how much they are a target and why. As always, the first step to changing behaviors is engagement, and the first step to engagement is ensuring people know they are a target. 

Feel free to download, print and distribute this poster amongst your organization and peers. This poster is just the first in a series of resources and training to be released by SANS's new ICS group.

Download a high-resolution version now from our Security Awareness Posters section.

Friday, April 19, 2013

Australian Government is getting serious about Information Security?

DSD's top 4 infosec strategies now mandatory for Australian government

The Australian Defence Signals Directorate has made its top four information security mitigation strategies mandatory for all Australian government agencies. Its top 35 strategies were updated in October last year, seeing very little change among the top four that it had marked as "essential".

These four strategies are employing application whitelisting, patching applications, patching operating system vulnerabilities, and minimising the number of users that have administrative rights. At the time of the last update to the strategies list, DSD stated that 85 percent of all intrusions it dealt with in 2011 could have been mitigated had the top four strategies been followed.

The choice to make the top four mandatory stems from an update to the Australian government's Protective Security Policy Framework (PSPF). The PSPF has three core mandatory tenets covering the confidentiality, integrity, and availability of data. To achieve these requirements, it has set out seven "Infosec" requirements. 

In particular, Infosec 4 requires that all agencies document and implement procedures and measures to protect their systems and networks, and specifically notes that it "includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian government Information Security Manual [ISM]".

This means that the ISM will also need to be updated to reflect the changes to the PSPF. DSD expects to make these changes this month. As a mandatory measure, there will also be changes to government agencies' compliance and reporting procedures.

From August 1, agencies must provide annual PSPF compliance reports, including their status in implementing Infosec 4, to the relevant minister.

Wednesday, April 17, 2013

Can Enterprise rely on MDM to achieve Mobile Security?

mRAT spyware bypasses mobile enterprise controls
Mobile remote access Trojan (mRAT) infections are increasing and bypassing mobile enterprise security controls, putting businesses at risk of cyber espionage, research has revealed.
mRATs are capable of intercepting third-party applications such as WhatsApp, despite guarantees of encrypted communications, the study of 2 million smartphone users by Lacoon Mobile Security found.
The research also showed that mRATs are similarly able to bypass security controls in mobile device management (MDM) systems, which a growing number of businesses rely on for mobile security.
mRATs are designed to carry out cyber espionage and typically enable eavesdropping on calls and meetings, extracting information from email and text messages and location tracking of executives.
The spyware requires a backdoor for installation, through the rooting of Google Android or the jailbreaking of Apple iOS devices.
The research found that mRATs can bypass rooting and jailbreaking detection mechanisms installed on handsets, with 52% of infected devices found running iOS and 35% running Android.
The attacks undermine the basic notion of a secure container on which most MDM systems are based, according to Lacoon Mobile Security.
MDM systems create secure containers that separate business and personal data on the mobile, in an attempt to prevent business-critical data from leaking.
However, the research team demonstrated that mRATs do not need to directly attack the encryption mechanism of the secure container, but can grab it at the point where the user pulls up the data to read it.

Mobile best practices and technologies include:
  • Remotely analyse the risk involved with each device, including behavioural analysis of the downloaded applications;
  • Calculate the risk associated with the device's operating system vulnerabilities and usage;
  • Conduct event analysis to uncover new, emerging and targeted attacks by identifying anomalies in outbound communications to C&C servers;
  • Enable a network protection layer to block exploits and drive-by attacks, and contain the device from accessing enterprise resources when the risk is high.

Monday, April 15, 2013

Australian Feds charge 17 year-old 'Anon' with four crimes

17-year-old suspected member of ‘Anonymous’ charged with unauthorised access to computer data

A 17-year-old youth appeared in Parramatta Children's Court on Friday (5 April 2013) to face charges relating to unauthorised access to computer data. The juvenile is suspected to be a member of the online issue-motivated group "Anonymous" and allegedly committed serious offences on their behalf.

Commander Glen McEwen, Manager Cybercrime Operations, said the AFP takes any computer intrusion offences very seriously and remains committed to investigating offences that occur in cyberspace. "Protesting through computer intrusions and website defacements is not an appropriate method to raise public awareness about any issue," Commander McEwen said. "The AFP investigates various types of cybercrime and will continue to take a strong stance against these perpetrators."

Refer here to read more details.

Monday, April 8, 2013

Think someone may be reading your emails?

Encrypt them, and they can't

Are you sending confidential information in your email, text and instant messages? If so, you could be exposing it to a lot of peeping eyes... and they may decide to do bad things with it!

Here are some ways to encrypt your digital messages:

  • In Outlook, within your message, go to File, Properties, Security Settings, and click the box for "Encrypt message contents and attachments."
  • If you use some type of webmail, most good ones offer SSL as a security option; use it. It encrypts the messages *while they are traveling through the Internet.*

    However, it is not the same as encrypting the message itself. Your messages are still in clear text within the mail box storage, and when forwarded elsewhere not using an SSL-encrypted transmission method.
  • For webmail, consider getting an add-on tool, such as Armacrypt.
  • Another email option is Hushmail.
  • Consider using an up-to-date version of PGP.
  • Here's a pretty good discussion of encrypting text messages on Android devices.
  • Here are some smartphone encryption apps to consider.

Useful TIP! Don't send any sensitive or confidential information using social network messaging systems, such as Facebook mail. While you can have the *connection* (meaning while it is traveling from you to your recipient) encrypted using SSL, it does not encrypt the message itself, leaving it in clear text within the many Facebook repositories.

Wednesday, April 3, 2013

What's your personal Disaster Recovery Strategy?

After the Storm Comes a Rainbow

If you've ever had a computer device unexpectedly fail on you, you know how it feels - like a flash flood, taking you by surprise and washing away everything you need.

Let's say you have an external hard drive that stopped. Completely. Unexpectedly.

Did you have backups of that data? Do you make backups of your data regularly?

Here are some recommendations to help you avoid the pain of a failed hard drive:

  • Invest in an external backup drive for storing your backups. You can see some good guidance here.
  • For data that is especially valuable (income tax data, photos, business data), make another copy on a different external drive and store it at a different, secure location, such as a bank safety deposit box.
  • Back up your email at least once a week; more often if you depend on it for business and would be lost without it.
  • Most external hard drives can be configured to automatically make backups at specified intervals; look for external hard drives with these capabilities.
  • If personal information is on your backup drive, encrypt it!
  • If you want to use a cloud service to store your backups, make sure they will encrypt your data, and that they have terms of service that will allow you ample time to remove your data, completely, if there is ever the need.
  • Regularly test backups to ensure the backup data is actually good.
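The last recommendation is the one most often skipped, so here is an added example (not from the original post) of what "test the backup" means in practice: a backup of a folder is written to a tar.gz with a SHA-256 manifest, then every file is read back out of the archive and compared to the manifest, both for a good archive and for one damaged by truncation. The directory layout, file names and contents are constructed inside a temporary directory; encryption of the archive, which the post also recommends, is left out.

```python
"""Back up a directory to a tar.gz with a SHA-256 manifest, then test the
backup by reading every file back out and comparing digests. Constructed demo."""
import hashlib, json, os, tarfile, tempfile
from pathlib import Path

def make_backup(src_dir, archive_path):
    """Archive src_dir; write {relative path: sha256} beside it and return it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = hashlib.sha256(Path(full).read_bytes()).hexdigest()
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest

def verify_backup(archive_path):
    """Restore each file from the archive (in memory) and compare it to the
    manifest. Returns (ok, problems); a backup nobody restored is untested."""
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    problems = []
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            names = set(tar.getnames())
            for rel, digest in manifest.items():
                if rel not in names:
                    problems.append("missing: " + rel)
                elif hashlib.sha256(tar.extractfile(rel).read()).hexdigest() != digest:
                    problems.append("corrupt: " + rel)
    except (tarfile.TarError, OSError, EOFError) as e:   # truncated or damaged archive
        problems.append("archive unreadable: %s" % e)
    return (not problems, problems)

def demo():
    """Constructed scenario: back up two files, verify, damage the archive, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "docs")
        os.makedirs(src)
        Path(src, "tax2012.txt").write_text("income tax data\n")
        Path(src, "photo.bin").write_bytes(os.urandom(4096))   # incompressible, like a photo
        archive = os.path.join(tmp, "backup.tar.gz")
        make_backup(src, archive)
        good = verify_backup(archive)
        os.truncate(archive, 100)      # simulate a backup damaged on a failing drive
        return good, verify_backup(archive)
```

`demo()` returns `(True, [])` for the intact archive and a failed result naming the problem for the truncated one; a scheduled job that runs the verify step and alerts on `ok == False` turns "I think I have backups" into "I know I can restore".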