CYBER SECURITY – A SOCIETAL CHALLENGE
Helmut LEOPOLD
Head of Center for Digital Safety & Security
AIT Austrian Institute of Technology
Regensburg, 21 June 2018 (v1.0pub)
IT-Sicherheit am Donaustrand Conference 2018
The reliability and availability, i.e. the resilience, of our digital and interconnected infrastructure is no longer guaranteed
Connected Cars, Industry 4.0, Smart grid, eHealth, Smart City, Digital Transport, Social media, Digital twins, Bots, Digital currency, Digital wallet
Cyber Security – a multi-stakeholder issue
citizen, business, society, economy, government
privacy, business value, national security, global competitiveness, stability, democracy
Government, critical infrastructure providers (network/service), manufacturers & system integrators, private users
Connected Cars, Industry 4.0, Smart grid, eHealth, Smart City, Digital Transport, Social media, Digital twins, Bots, Digital currency, Digital wallet
cyber scam, cyber crime, cyber espionage, cyber terrorism, cyber sabotage, cyber war
Cyber Security threat landscape – 5 market drivers
Cyber crime, Cyber espionage, Cyber terrorism, Cyber sabotage, Cyber war
▪ Inherent vulnerability of technology: system design & development methodology; usability – capability
▪ Crime as a service (CaaS): search engines, botnets, vulnerabilities
▪ Skills in system development, operation, security: lack of skilled cyber security workers in 2022
▪ Technology innovation: digitalisation, networking, cloud; complexity, system of systems
▪ Quantum computer: computing the keys of asymmetric encryption systems
VULNERABILITIES ARE PART OF OUR SYSTEM DESIGNS AND OPERATION PROCESSES
Inherent vulnerability of technology
System Vulnerabilities
SW development process and technology usability
IoT device vulnerabilities – "10k in 2k"
"The Internet of Hackable Things" (N. Dragoni et al., TU Denmark)
▪ 80%: passwords are too simple ("default", "1234")
▪ 70%: easy identification of user accounts by simple trial and error
▪ 70%: unencrypted services
▪ 60%: user interfaces (web applications) have built-in vulnerabilities
5-15% of all web pages are infected with malware
87% of all Android phones operate with SW with known vulnerabilities – due to missing patch management
Sources:
Dragoni, N., Giaretta, A., & Mazzara, M. (2017). The Internet of Hackable Things. ArXiv, 2017, University Denmark
Uni Cambridge, http://androidvulnerabilities.org/press/2015-10-18
Presentation, Nimbusec, IDC conference, Vienna, September 2017, www.zone-H.org
System Vulnerabilities
Side Channel Attacks - CPU - Spectre & Meltdown & Micro-code
CPU performance optimization side channel attacks: "predictions", "parallelization – out of order processing"
Diagram labels: sys-calls, applications, cache, meltdown, micro-code
Micro-code remote maintenance
System Vulnerabilities
Side Channel Attacks - IoT Networks
"Mirai IoT Botnet"
900 Gbit/s
passwords: 12345, password
Google Project Shield
Sources:
http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforscher-krebs-vom-netz-1609-123419.html
http://www.golem.de/news/hilfe-von-google-brian-krebs-blog-ist-nach-ddos-angriff-wieder-erreichbar-1609-123453.html
System Vulnerabilities
Operation & Maintenance
"Britain's newest warship running Swiss Cheese OS (Windows XP)", The Register, June 27th, 2017
On average 176 days for organisations to close known vulnerabilities
Names, home addresses, photos of air force pilots, SEAL teams, military vehicles, capacity of roads and bridges, …, Falkvinge, The Hacker News, July 24th, 2017
Vulnerabilities in maintenance processes
System design, business model, operation processes
How do we deal with the system weaknesses?
Cyber Crime example - ransomware
▪ Ransomware has become an essential cybercrime threat (Locky, WannaCry, Cryptolocker, etc.)
▪ Ransom payments almost exclusively in Bitcoin
▪ Over 500 families
Bitcoin Reality – easy to use cyber crime payment
China stops the exchange of Bitcoins
Ransomware WannaCry cyber attack
Cyber Security - APT Advanced Persistent Threats
I. Get Access – Understand the target
▪ Social engineering
▪ Get access (public information, etc.)
II. Initial Intrusion – exploit weaknesses
▪ Phishing, SW vulnerabilities, configuration errors, stolen login information, weak passwords, etc.
III. Strengthen foothold – lateral movement
▪ Stays invisible in the system, command & control capabilities, be immune to security responses, access control from within the trusted environment
IV. Expand access
▪ Search directories, e-mail boxes, admin workspaces, etc.
▪ Map the internal network structure and find login credentials for further services
V. Gain Control
▪ Discover machines/devices which hold the most valuable information
▪ Send fabricated control messages
Attacks span weeks or months and are developed for a dedicated purpose
25.3.2015: e-mail attack
23.12.2015: "shut down"
2016
INNOVATION BRINGS SYSTEM COMPLEXITY
Technology innovation: digitalisation, networking, cloud, IoT
BLOCKCHAIN – CYBER SECURITY ISSUES
Diagram labels: miners, user, SW developer, digital currency exchanges, wallet providers
Private key of the Bitcoin user
Key management
The owner of the password is the owner of a transaction
LACK OF SKILLED CYBER SECURITY WORKERS IN 2022
Skills in system development, operation, security
Cyber Security – lack of Skills & Workforce
350 k
1,8 Mio
lack of skilled cyber security workers in 2022
Market drivers:
• Digitalisation in all segments
• OT meets IT
• Implementation of the NIS recommendation and GDPR
• New security solutions
• Local service offers have to improve their portfolio (SOCs) to be able to compete against "fully managed security services"
"IT security hub Austria"
2017 (ISC2) Global Information Security Workforce Study, Benchmarking Workforce Capacity and Response to Cyber Risk, Frost & Sullivan, Booz Allen Hamilton, https://iamcybersafe.org/wp-content/uploads/2017/06/Europe-GISWS-Report.pdf
Crime as a service (CaaS)
CYBER CRIME AS A SERVICE
CIA hack – March 2017
CIA hacking tool arsenal
8.761 files leaked from the CIA high security network (100+ mio lines of code)
Malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation are now available in the darknet.
Darknet
▪ Marketplaces
▪ Cloud service
▪ Special tools
▪ Botnets
▪ Vulnerabilities
Snake/Uroburos
Search engine: Shodan
Easy-to-use tools: Router KeyGen, Password Cracker
WE NEED NEW TOOLS AND NEW CONCEPTS TO BUILD RESILIENT DIGITAL SYSTEMS
TECHNOLOGIES @ AIT
We have to increase the cyber security resilience
▪ Technology & Operation: innovative solutions
▪ Capacity Building: awareness & training, cyber ranges
▪ Resources, skills, capabilities: IT Security hub
▪ New tools and capabilities: financial crime forensic
▪ European standards, certification of products, processes & tools
▪ Building secure systems: model based development
▪ International dimension
Safe & Secure Systems – Tool Support @ AIT
Model based Engineering
Privacy & Safety & Security Development
• CISO, CEO, CIO, CERT, ISO 2700x, …
• Compliance
• Scenario validation
• Test-Data Generation
• Training of employees + Stakeholders – Cyber Range
• System Architect
• System Developer
Training and System Validation: "digital twins" (AIT Cyber Range)
Standards: EN 50128, ISO 27001, ISO 26262, ISO 21434, IEC 62443, …
Diagram labels: AIT Threat Libraries, FMVEA, S&S Architecture Design, MORETO, Safety & Security Requirements, S&S automatic test case generation (MoMuT), code analysis & verification, A/D signal monitoring, anomaly detection (AI), Legacy System Architecture, Safety & Security Monitors, Capacity skills, Requ. Structured Arguments (auto gen.)
Artificial Intelligence (AI) - self-learning systems for defending against cyber attacks
Distributed Anomaly Detection Engine
Self-learning and flexible anomaly detection using data collected across different machines, systems and organizational units.
Data sources: firewall logs, IDS/IPS logs, application server logs, performance logs
▪ Unknown attack anatomy: signature-based detection does not work; no specification; self-learning of "normal behavior"
▪ Multiple attack vectors: looking at isolated systems or single points in a network is not sufficient
▪ Possibility to see stealthy attacks: looking for "related" events
…
CAIS Cyber Attack Information System @ AIT
Privacy & Security by design by Agile cryptographic solutions
End-User Data ownership & Access control
▪ Securing data at rest: secure distributed information sharing, long-term security
▪ Privacy enhancing technologies: data minimization technologies, data anonymization
▪ Verifiability of data and processing: protect the results of computation (maintain authenticity, enable verifiability)
▪ Secure implementations: high-quality software and hardware implementations of primitives
http://www.seccrit.eu https://credential.eu https://prismacoud.eu
Preventive protection & end-to-end security
Privacy by data minimization
AIT technology inside
BLOCKCHAIN FORENSIC – INT. LEADING SCIENTIFIC & TECH COMPETENCE IN AUSTRIA @ AIT
Blockchain Digital Insight platform @ AIT
"…virtual currencies such as Bitcoin establish themselves as single common currency for cybercriminals"
"Bitcoin is […] accounting for over 40% of all identified criminal-to-criminal payments."
(Source: Europol 2015 Internet Organized Crime Threat Assessment Report)
BitCrime, EU LEAs
NATIONAL CYBER EXERCISE CRITICAL INFRASTRUCTURES, 6-7 NOVEMBER 2017 AT AIT
Connected Cars, Industry 4.0, Energy, Smart City, Digital Transport
• 200 participants
• 10 teams of 6-8 persons, 24 critical infrastructure operators
• Governmental strategy for cyber security (ÖSCS)
• Game moderation
• 120 virtual machines + ICS
• 17 terminals
National cyber security laws
IT operation processes within firms
Security processes within public organisations
Austria as a center of the Cyber Security world
Vienna Cyber Security Week 2018
Multi-stakeholder conference, training & exhibition
Cyber crime, Cyber espionage, Cyber terrorism, Cyber sabotage, Cyber war
diplomacy, technology
training, conference, exhibition
41 countries
WE HAVE TO CHANGE OUR WAY OF SYSTEM DEVELOPMENT AND OPERATION FOR A SAFE & SECURE DIGITAL WORLD
THANK YOU FOR YOUR ATTENTION!
DI Helmut Leopold, PhD
Head of Center for Digital Safety & Security
AIT Austrian Institute of Technology GmbH
Giefinggasse, 1210 Wien, Austria
helmut.leopold@ait.ac.at | www.ait.ac.at