Introduction to INFOSEC Professional
1. Introduction
Infosec Professional
Presented at
King Mongkut’s University of Technology Thonburi (KMUTT)
by Chaiyakorn Apiwathanokul
CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd.
A Company of PTT Group
Sep. 2010
2. • Advisor of Department of Special Investigation (DSI)
3. Guest lecturer
• Royal Thai Armed Forces Headquarters
• Office of the Permanent Secretary, Ministry of Defence
• Regular course of the Command and General Staff College, Army Higher Academic Institute
• Bank of Thailand
• Office of the Permanent Secretary, Ministry of Commerce
• State Enterprise Information Technology Club of Thailand
• Thai Medical Informatics Association
• Strategic IT Governance course, Software Park 2007-2009
• Mini-MBA Program, Thammasat University
• Micro-MBA Program, Thammasat University
• MIS Program, Thammasat University
• King Mongkut's University of Technology Thonburi
• ITU ASP COE : Training Workshop on Information Management Framework for CIOs
• CIO Conference 2007
• Information Security Asia 2007
• 2nd Annual ASIA IT Congress 2007
• Cyber Defence Initiative Conference (CDIC) 2008, 2009 and 2010
• SCADA Asia Summit 2009 and 2010
5. CIA Admits Cyber attacks Blacked Out Cities
In the real world
• The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers.
• The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.
By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM
6. Maroochy Waste Water
Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds
Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs
Specifics:
• SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water
• Used OPC ActiveX controls, DNP3, and ModBus protocols
• Used packet radio communications to RTUs
• Used commercially available radios and stolen SCADA software to make laptop appear as a pumping station
• Caused as many as 46 different incidents over a 3-month period (Feb 9 to April 23)
Lessons learned:
• Suspend all access after terminations
• Investigate anomalous system behavior
• Secure radio and wireless transmissions
7. Browns Ferry Power Plant
Event: Aug, 2006 Two circulation pumps at Unit 3 of the nuclear power plant failed
Impact: The unit had to be shut down manually
Specifics: The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device
Recovery time:
• SPDS – 4 hours 50 minutes
• PPC – 6 hours 9 minutes
Lessons learned:
• Provide adequate network segmentation
• Place controls on multiple segments to limit congestion and cascading effects
• Provide active network monitoring tools
8. Hatch Nuclear Power Plant
Event: A software update caused control system to initiate plant shutdown.
Impact: The plant was shut down for 48 hours
Specifics: An engineer installed a software update on a computer operating on the plant's business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in coolant water reservoirs
Recovery time: 48 Hours
Lessons learned:
• Patch management policy must address testing requirements before integration in production environment
• IT and ICS must be aware of connectivity
"…there was full two-way communication between certain computers on the plant's corporate and control networks."
9. Davis Besse Nuclear Power Plant
Event: Aug 20, 2003 Slammer worm infects plant
Impact: Complete shutdown of digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC)
Specifics:
• Worm started at contractor's site
• Worm jumped from corporate to plant network and found an unpatched server
• Patch had been available for 6 months
Recovery time:
• SPDS – 4 hours 50 minutes
• PPC – 6 hours 9 minutes
Lessons learned:
• Secure remote (trusted) access channels
• Ensure defense-in-depth strategies with appropriate procurement requirements
• Critical patches need to be applied
10. Olympic Pipeline Explosion
Event: 16-inch gasoline pipeline explosion and fire, exacerbated by inability of SCADA system to perform control and monitoring functions.
Impact: 3 fatalities, property damage >$45M, matching fines of $7.86M against two companies.
Specifics:
• Erroneous changes to live historical database caused critical slowdown in system responsiveness (evidenced by sensor scan rate changing from 3 second poll to over 6 minutes!)
• Communication link between main computer, field sensors, and controllers was a combination of leased phone lines and frame relay.
[Photo by David Willoughby, copyright Bellingham Herald]
Lessons learned:
• Identify controls to Critical Assets
• Do not use administrative controls to solve system anomalies
• Do not perform database updates on live systems
• Apply appropriate security to remote access
11. Big Bang Experiment is Hacked
Event: Sept, 2008 - Computer hackers broke into the Large Hadron Collider and defaced one of the project websites.
Impact: “There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable," said James Gillies, spokesman for the European Organization for Nuclear Research (also known as CERN)
Specifics:
• Hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang
• CERN expressed concern over what the hackers could do, as they were “one step away” from the computer control system
Lessons learned:
• Provide adequate network segmentation
• Place controls on another segment with no direct outside access
• Provide active network monitoring tools
• Ensure defense-in-depth strategies, firewalls & Intrusion Detection Systems
12. Space Station – Air Gap Bridged
Event: Aug. 2008, Viruses intended to steal passwords and send them to a remote server infected laptops in the International Space Station (again).
Impact: Created a “nuisance” to non-critical space station laptops
Specifics: The virus did make it onto more than one laptop -- suggesting that it spread via some sort of intranet on the space station or via a thumb drive.
Lessons learned:
• Due to the human factor – there is no true airgap, for example, thumb drives, laptop connection, modems, VPN, CD/DVD, etc.
13. Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009
In the real world
• "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.
• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."
14. TISA in Bangkok Post : When Hacking risks health
In the real world
TISA web site : http://www.tisa.or.th
15. [Diagram: threats, targets and governance around National Critical Infrastructure]
• Adversary: Hacker / Terrorist / Disgruntled employee
• Malicious code / Virus / Worm
• Vulnerabilities / Weaknesses
• National Critical Infrastructure – has Plant Control Systems; Manufacture Operation
• Law / Government
• Industry-specific Standard / Guideline
• Compliance / Regulator
18. The Implication
• Only a small number of professionals have the right competency to help you out
• Collaboration and support from the professional community is highly needed
30. 3 Pillars of ICT / 3 Pillars of Security
• 3 Pillars of ICT: People, Process, Technology (Tool)
• 3 Pillars of Security: Confidentiality, Integrity, Availability
• Corresponding threats: Disclosure, Alteration, Destruction
31. Areas of Expertise
• Access Control Systems and Methodology (how people enter and leave the system)
• Administration (planning, implementing and evaluating information security programs)
• Application and Systems Development Security (creating new computer programs to protect an organization)
• Auditing and Monitoring (collecting information for identification and response to security breaches)
• Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) (uninterrupted access to critical data systems)
• Cryptography (the coding and decoding of data and messages)
• Law, Investigation and Ethics (computer crime laws and regulations and ethics)
• Malicious Code (counter measures and prevention techniques for dealing with viruses, worms and other forms of deviant code)
• Operations Security (setting identity controls; auditing and monitoring the mechanisms and tools)
• Physical Security (giving physical systems access solely to those who need it)
• Risk, Response and Recovery (processes to identify, measure and control loss)
• Security Architecture and Models (building the security infrastructure for a complex organization)
• Security Management Practices (identification of information assets and development of policies and procedures)
• Telecommunications and Network Security (ensuring security through remote access management, network availability, firewall architectures, VPNs, data networking, LAN devices, etc.)
36. Information Technology (IT) Security
Essential Body of Knowledge (EBK)
A Competency and Functional Framework
for IT Security Workforce Development
United States Department of Homeland Security
September 2008
39. Competency Areas (MDIE in each)
1. Data Security
2. Digital Forensics
3. Enterprise Continuity
4. Incident Management
5. IT Security Training and Awareness
6. IT System Operations and Maintenance
7. Network and Telecommunication Security
8. Personnel Security
9. Physical and Environmental Security
10. Procurement
11. Regulatory and Standards Compliance
12. Security Risk Management
13. Strategic Security Management
14. System and Application Security
40. Roles of Information Security
1. Chief Information Officer
2. Digital Forensics Professional
3. Information Security Officer
4. IT Security Compliance Officer
5. IT Security Engineer
6. IT Security Professional
7. IT Systems Operations and
Maintenance Professional
8. Physical Security Professional
9. Privacy Professional
10. Procurement Professional
43. The Example of TISA TISET Exam
Information Security Competency Score Card
44. Enterprise Infosec Competency Profile
Enterprise / Personnel Capability:
* Organization assesses Infosec competency requirement against EBK
* Assess current competency within the enterprise
* Identify competency gap: training requirement, recruitment
EBK
Training Provider: Infosec training provider maps training courses to EBK
46. Competency Profile
[Chart: Max Score, Min Score and Avg Score per competency area]
1. Data Security
2. Digital Forensics
3. Enterprise Continuity
4. Incident Management
5. IT Security Training and Awareness
6. IT System Operations and Maintenance
7. Network and Telecommunication Security
8. Personnel Security
9. Physical and Environmental Security
10. Procurement
11. Regulatory and Standards Compliance
12. Security Risk Management
13. Strategic Security Management
14. System and Application Security
47. Functional Perspective
[Chart: Max Score, Min Score and Avg Score per function]
M – Manage
D – Design
I – Implement
E – Evaluate
54. TISA Pilot Exam Summary: Certification Roadmap
[Diagram: tracks Audit, Management and Technical; levels EXPERT, ADVANCE and FOUNDATION (Localized)]
• EXPERT / ADVANCE: International Certified IT & Information Security Professional – step to CISSP, SSCP, CISA, CISM
• FOUNDATION (Localized): TISA TISET Certification on IT / Information Security Competencies Test – TISA TISET Exam