THE SECURITY OF OUR DIGITAL INFRASTRUCTURES NEEDS NEW FORMS OF INTERACTION AND COOPERATION

Helmut Leopold, Head of Center for Digital Safety & Security, AIT Austrian Institute of Technology

Graz, 27 February 2018 (v1.0)

53rd Digitaldialog “Cyber Security & Unknown Threats”


The availability and function, i.e. the resilience, of our digital and networked infrastructures is no longer guaranteed.

https://kurier.at/sport/wintersport/olympia-2018/olympia-cyberattacke-waehrend-eroeffnungsfeier/310.492.923

“Many foresaw the PyeongChang Winter Olympics being a prime target for cyberattacks, now a very successful one has been revealed.”

https://www.cbronline.com/news/pyeongchang-winter-olympics-cyberattack

“Olympics: cyberattack during opening ceremony”

Source: Kurier, 11.2.2018

Cyber Security - Status Quo & Predictions

2017: 30% increase in cyber crime in Austria, and Advanced attacks (APTs) increase in scope and in frequency


Source: Austrian Security Report 2017, Gridling, BVT, BMI, Vienna Cyber Security Week 2018, 29.1-2.2, Wien, Austria

£71 million lost by European firms due to ransomware downtime between 2016 and 2017 - businesses of all sizes

less than 33% of attacks are reported to the authorities

Microsoft: 1500 people focusing on security, 1 billion investment in cyber security - without change of concept no cyber security is possible

Source: N. Malisevic, Microsoft, Vienna Cyber Security Week 2018, 29.1-2.2, Wien, Austria

Source: Data Inc. Study 2018, https://www.cbronline.com/news/ransomware-costs-smbs-71-million

The biggest security crises since WW II

30 nations develop cyber war capabilities

Source: Adi Shamir, Financial Crypto Conference 2016, https://www.linkedin.com/pulse/adi-shamir-makes-15-predictions-next-years-andreas-sfakianakis/

The Internet of Things (IoT) will be a security disaster.

Cyber warfare will be the norm rather than the exception in conflicts

Source: OSCE, Vienna Cyber Security Week 2018, 29.1-2.2, Wien, Austria

The fundamental cyber security industry problem

Units not properly staffed or lack of qualified/trained personnel on information security topics

Missing awareness

Security is not a business priority

A false sense of security on outsourcing (cloud)

CIO problem

Today’s competence vs. IT technologies of tomorrow

Product units develop IT functions based on virtual IT services (outsourcing)

As part of the CFO Domain not linked to strategic product/business objectives

IT-OT problem

SW which should stay unchanged

Automatic SW updates

Missing methods and tools to measure incidents

Different culture & skills

Against which threat are we protected, and how? Are we secure?

Cyber Security – a multi-stakeholder issue

cyber crime, cyber espionage, cyber sabotage, cyber war, cyber terrorism

citizen, business, society, economy, government

privacy, business value, national security, global competitiveness, stability, democracy

Government, critical infrastructure providers (network/service), manufacturers/system integrators, private users

Status of Cyber Security - Threat - Consequences: Equifax Case 2017

Largest US credit bureau

New website: https://www.equifaxsecurity2017.com/

“Vulnerability in the website of a supplier”

Source: https://www.heise.de/newsticker/meldung/Hacker-Jackpot-Credit-Bureau-Equifax-gehackt-3824607.html

Status of Cyber Security: APT (Advanced Persistent Threat)

I. Get Access – Understand the target
• I. Social engineering, get access (public information, etc.)

II. Initial Intrusion – exploit weaknesses
• II. Phishing, SW vulnerabilities, configuration errors, stolen login information, weak passwords, etc.

III. Strengthen foothold – lateral mov.
• III. Stays invisible in the system, command & control capabilities, be immune to security responses, access control from within the trusted environment

IV. Expand access
• IV. Search directories, e-mail boxes, admin workspaces, etc.
• V. Map the internal network structure and find login credentials for further services

V. Gain Control
• V. Discover machines/devices which hold the most valuable information
• VI. Send fabricated control messages

Attacks span weeks or months and are developed for a dedicated purpose

25.3.2015: e-mail attack

23.12.2015: “shut down”

2016

Study, 2017: 3300 German companies
• 1/3 reported damage caused by espionage
• 1/4 did not even know that they had been spied on

Google Translate turned “Russia” into “Mordor”, January 2016

Source: http://www.spiegel.de/netzwelt/web/google-translate-macht-aus-russland-mordor-a-1070756.html

“Russia Today', Moscow based Russia's biggest news channel website (RT.com) …. Hackers have replaced “Russia” or “Russians” with “Nazi” or “Nazis” word from the headlines…. March 2014

Source: https://www.grahamcluley.com/russia-today-website-defaced/

Media – Propaganda – Fake news

60,000 reported web page defacements per month in the DACH region

Source: nimbusec, zone-h.org

Study, 2017: 3300 German companies
• 1/3 stated that they were affected by deliberately orchestrated false reports about their company presence (fake news)

Cyber Security Market Driver

technology: IoT, IT & OT, Industry 4.0, Automated driving, AI, Blockchain, Smart grid, Smart city

digitalisation, global networking

innovation

technology's vulnerability

CaaS (Crime as a Service)

complexity

System of Systems, CPS (Cyber Physical Systems), Safety & Security, Mono cultures, New payment methods (Bitcoins)

Cyber crime, Cyber espionage, Cyber terrorism, Cyber sabotage, Cyber war

international dimension

Laws, conventions, cooperations

diplomacy

IT dev., operation, & users

security experts

skills

Status of Cyber Security - Basic

IoT device vulnerabilities

• 80%: passwords are too simple (default, “1234”)
• 70%: user accounts can be identified by trial and error
• 70%: unencrypted network services
• 60%: user interfaces (web applications) have built-in vulnerabilities (such as XSS)

“10k in 2k”, “The Internet of Hackable Things” (N. Dragoni et al, TU Denmark)

5-15% of all web pages are infected with malware

87% of all Android phones operate with SW with known vulnerabilities, due to missing patch management

Sources:
• Dragoni, N., Giaretta, A., & Mazzara, M. (2017). The Internet of Hackable Things. arXiv:1707.08380, University Denmark
• Uni Cambridge, http://androidvulnerabilities.org/press/2015-10-18
• Presentation, Nimbusec, IDC conference, Vienna, September 201, www.zone-H.org

System Vulnerability …

CIA hack – March 2017: CIA hacking tool arsenal

8,761 files leaked from the CIA high security network (100+ million lines of code)

“Britain´s newest warship running Swiss Cheese OS (Windows XP)”, The Register, June 27th, 2017

Vulnerabilities, Crime as a Service

Names, home addresses, photos of air force pilots, SEAL teams, military vehicles, capacity of roads and bridges, … , Falkvinge, The Hacker News, July 24th, 2017

Supply chain

CPU Vulnerabilities – „Side Channel Attacks“ Spectre & Meltdown & Micro-code

CPU performance optimization, side channel attacks

[Diagram labels: “predictions”, “parallelization – out of order processing”, sys-calls, applications, cache, meltdown, micro-code, micro-code remote maintenance]

System Vulnerabilities: October 2016, “Mirai IoT Botnet”

900 Gbit/s

Sources:
http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforscher-krebs-vom-netz-1609-123419.html
http://www.golem.de/news/hilfe-von-google-brian-krebs-blog-ist-nach-ddos-angriff-wieder-erreichbar-1609-123453.html

Passwords: 12345, password

Journalist Krebs

Google Project Shield

Vulnerabilities - Resilience: system monocultures …

WannaCry, May 2017
• 300,000 computers in 150 countries
• hospitals in UK, railway systems
• But not only computers were infected: 90 k appointments of medical services had to be cancelled

BITCOIN – PRICE DEVELOPMENT – MARKET DRIVERS

China halts the exchange of Bitcoins

WannaCry cyber attack

Increasing resilience through three key measures

Technology & Operation

Austrian Cyber Security Cluster

Leading edge solutions

Capacity Building, Awareness & Training

Cyber Ranges

New training methods

Data sovereignty for the user

“made in Austria” certification

New development methods: Privacy & Security by Design

Resources, Skills, Capabilities

IT Security Hub Austria

New education methods

CAIS: Cyber Attack Information System

CIIS: Cyber Incident Information Sharing

Cyber Range: capacity building, training

Threat Analysis, Risk Management

Privacy & Security by Design, Encryption

• Information exchange – machine and human readable
• privacy, secret information, laws
• Cyber Situational Awareness
• Threat catalogues
• System understanding
• Basis for specs of min. standards

IT-Systems (log files), Network Traffic

• Detection of the unknown unknown by machine learning & AI
• Cyber Attack Information Systems (CAIS)

Cyber Security Range

• Scenario validation, Compliance
• Test-Data Generation
• Training of employees + Stakeholders
• Austrian Cyber Security Cluster
• Austrian Security Hub
• Safety&Security Co-Development
• Smart encryption (IoT, Cloud) - new privacy – user control of data
• Post-quantum encryption

IoT

Cyber Security Resilience

Internationally leading: virtual currencies forensics

Run-time verification, analog/digital CPS

AIT´S LEADING EDGE SOLUTION PORTFOLIO

Blockchain Digital Insight platform @ AIT

“…virtual currencies such as Bitcoin establish themselves as single common currency for cybercriminals”

“Bitcoin is […] accounting for over 40% of all identified criminal-to-criminal payments.”

(Source: Europol 2015 Internet Organized Crime Threat Assessment Report)

BLOCKCHAIN FORENSIC – INT. LEADING TECHNOLOGY FROM AUSTRIA @ AIT

VirtCrime BitCrime

SYSTEM PROTECTION BY EXERCISE & TRAINING – CYBER RANGE @ AIT

Enterprise ICT Environments

Simulation specific systems

Physical environment

Connected Cars, Industry 4.0, Smart grid, eHealth, Smart City, Digital Transport, Social media

Virtual and Simulated Physical

Cyber Security R&D

Security Technology Validation

Training Ethical Hacking

Modelling & Simulation

Test Data Generation

Architecture Scenario Planning

Threat Emulation

Cyber Exercises

Cyber Training

Connected Cars, Industry 4.0, Energy, Smart City, Digital Transport

• 200 participants
• 10 teams of 6-8 people each, 24 critical infrastructure companies
• Government bodies - Austrian Cyber Security Strategy (ÖSCS)
• Exercise control
• 120 virtual machines + ICS
• 17 terminals

NATIONAL CYBER EXERCISE ON CRITICAL INFRASTRUCTURE, 6-7 NOVEMBER 2017 AT AIT

National Cyber Security Act 2018

IT operation, security processes of companies

Security processes of public bodies

Austria as the centre of the cyber security world: Vienna Cyber Security Week 2018, multi-stakeholder conference, training & exhibition

Cyber crime, Cyber espionage, Cyber terrorism, Cyber sabotage, Cyber war

diplomacy, technology

training, conference, exhibition

41 countries

CYBER SECURITY CLUSTER AUSTRIA VIENNA CYBER SECURITY WEEK, FEBRUARY 2018

Cyber Security – lack of Skills & Workforce


2017 (ISC2) Global Information Security Workforce Study Benchmarking Workforce Capacity and Response to Cyber Risk Frost & Sullivan, Booz Allen Hamilton https://iamcybersafe.org/wp-content/uploads/2017/06/Europe-GISWS-Report.pdf

Market drivers:
• Digitalisation in all segments
• OT meets IT
• Implementation of the NIS Directive
• New security solutions
• Local service providers must offer security services in order to secure local value creation (SOCs) - international competitors offer “fully managed security services”.

350 k

1.8 million lack of skilled cyber security workers in 2022

Cyber security as a core competence for every young citizen – “IT Security Hub Austria”

Safety in traffic

Safety in public spaces

Security in the cyber world?

Resilient infrastructures through cooperation to shape our digital future: NGI, Society 4.0

Human-machine cooperation - Cognitive psychology

Entities (SW+HW) as proxies of humans

Privacy

Self-determination – control of data by the user

Crowd – everyone owns part of the data

Micro-economics, Trust

Security of critical infrastructures, “digital twins”

National security

Smart cyber security solutions R&D

Industry OT-IT

Network/service operators

Public sector as an innovative user

“made in Austria” certification

Data Protection Act, Cyber Security Act

Public framework conditions

Cyber Attack 2018


“Coincheck representatives looked numb when they faced journalists”

“One of Japan's largest digital currency exchanges says it has lost some $534m (£380m) worth of virtual assets in a hacking attack on its network.”

Source: BBC News, 27 January 2018, http://www.bbc.com/news/world-asia-42845505

THANK YOU FOR YOUR ATTENTION!

WE MUST RETHINK THE WAY WE WORK FOR A SECURE DIGITAL FUTURE AND COOPERATE IN A GLOBAL CONTEXT

DI Helmut Leopold, PhD, Head of Center for Digital Safety & Security, AIT Austrian Institute of Technology GmbH, Giefinggasse, 1220 Wien, Austria | www.ait.ac.at