CYBER SECURITY: A SOCIETAL CHALLENGE

Helmut LEOPOLD, Head of Center for Digital Safety & Security, AIT Austrian Institute of Technology

Regensburg, 21 June 2018 (v1.0pub)

IT-Sicherheit am Donaustrand Konferenz 2018


Page 2

The reliability and availability, i.e. the resilience, of our digital and interconnected infrastructure is no longer guaranteed

[Figure labels: Digital twins, Connected Cars, Industry 4.0, Smart grid, eHealth, Smart City, Digital Transport, Social media, Bots, Digital currency, Digital wallet]

Page 3

Cyber Security – a multi-stakeholder issue

[Figure labels:

▪ citizen, business, society, economy, government
▪ privacy, business value, national security, global competitiveness, stability, democracy
▪ Government, critical infrastructure providers (network/service), manufacturers & system integrators, private users
▪ Connected Cars, Industry 4.0, Smart grid, eHealth, Smart City, Digital Transport, Social media, Digital twins, Bots, Digital currency, Digital wallet
▪ cyber scam, cyber terrorism, cyber espionage, cyber crime, cyber sabotage, cyber war]

Page 4

Cyber Security threat landscape – 5 Market Drivers

Cyber crime, Cyber espionage, Cyber terrorism, Cyber sabotage, Cyber war

[Figure labels:

▪ Inherent vulnerability of technology
▪ Crime as a service (CaaS)
▪ Skills in system development, operation, security
▪ Technology innovation: digitalisation, networking, cloud
▪ Complexity, System of systems
▪ Quantum Computer
▪ System design & development methodology
▪ Usability – capability
▪ lack of skilled cyber security workers in 2022
▪ Search engines, botnets, vulnerabilities
▪ Computing the keys of asymmetric encryption systems]

Page 5

VULNERABILITIES ARE PART OF OUR SYSTEM DESIGNS AND OPERATION PROCESSES

Inherent vulnerability of technology

Page 6

System Vulnerabilities

SW development process and technology usability

IoT devices vulnerabilities: „10k in 2k“, „The Internet of Hackable Things“ (N. Dragoni et al., TU Denmark)

▪ 80%: passwords are too simple (“default”, “1234”)
▪ 70%: easy identification of user accounts by simple “trial and error”
▪ 70%: unencrypted services
▪ 60%: user interfaces (Web applications) have built-in vulnerabilities

5-15% of all web pages are infected with malware

87% of all Android phones operate with SW with known vulnerabilities, due to missing patch management

Sources:

▪ Dragoni, N., Giaretta, A., & Mazzara, M. (2017). The Internet of Hackable Things. ArXiv, 2017, University Denmark
▪ Uni Cambridge, http://androidvulnerabilities.org/press/2015-10-18
▪ Presentation, Nimbusec, IDC conference, Vienna, September 2017, www.zone-H.org

Page 7

System Vulnerabilities

Side Channel Attacks - CPU - Spectre & Meltdown & Micro-code

CPU performance optimization side channel attacks

[Figure labels: “predictions”; “parallelization – out of order processing”; sys-calls; applications; cache; meltdown; micro-code; Micro-code remote maintenance]

Page 8

System Vulnerabilities

Side Channel Attacks - IoT Networks

„Mirai IoT Botnet“

▪ 900 Gbit/s
▪ passwords: 12345, password
▪ Google Project Shield

Sources:

▪ http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforscher-krebs-vom-netz-1609-123419.html
▪ http://www.golem.de/news/hilfe-von-google-brian-krebs-blog-ist-nach-ddos-angriff-wieder-erreichbar-1609-123453.html

Page 9

System Vulnerabilities

Operation & Maintenance

▪ System design: “Britain´s newest warship running Swiss Cheese OS (Windows XP)”, The Register, June 27th, 2017
▪ Operation processes: On average 176 days for organisations to close known vulnerabilities
▪ Business model: Names, home addresses, photos of air force pilots, SEAL teams, military vehicles, capacity of roads and bridges, … , Falkvinge, The Hacker News, July 24th, 2017

Vulnerabilities in maintenance processes

Page 10

Cyber Crime example - ransomware

How do we deal with the system weaknesses?

▪ Ransomware has become an essential cybercrime threat (Locky, WannaCry, Cryptolocker, etc.)
▪ Ransom payments almost exclusively in Bitcoin
▪ Over 500 families

Page 11

Bitcoin Reality – easy to use cyber crime payment

[Figure labels: China stops the exchange of Bitcoins; Ransomware WannaCry cyber attack]

Page 12

Cyber Security - APT Advanced Persistent Threats

I. Get Access – Understand the target

▪ Social engineering
▪ Get access (public information, etc.)

II. Initial Intrusion – exploit weaknesses

▪ Phishing, SW vulnerabilities, configuration errors, stolen login information, weak passwords, etc.

III. Strengthen foothold – lateral movement

▪ Stays invisible in the system, command & control capabilities, be immune to security responses, access control from within the trusted environment

IV. Expand access

▪ Search directories, e-mail boxes, admin workspaces, etc.
▪ Map the internal network structure and find login credentials for further services

V. Gain Control

▪ Discover machines/devices which hold the most valuable information
▪ Send fabricated control messages

Attacks span weeks or months and are developed for a dedicated purpose

[Timeline labels: 25.3.2015: e-mail attack; 23.12.2015: „shut down“; 2016]

Page 13

INNOVATION BRINGS SYSTEM COMPLEXITY

Technology innovation: digitalisation, networking, cloud, IoT

Page 14

BLOCKCHAIN – CYBER SECURITY ISSUES

[Figure labels: miners; user; Private key of the Bitcoin user; Key management; SW developer; digital currency exchanges; wallet providers]

The owner of the password is the owner of a transaction

Page 15

LACK OF SKILLED CYBER SECURITY WORKERS IN 2022

Skills in system development, operation, security

Page 16

Cyber Security – lack of Skills & Workforce

Source: 2017 (ISC2) Global Information Security Workforce Study, Benchmarking Workforce Capacity and Response to Cyber Risk, Frost & Sullivan, Booz Allen Hamilton, https://iamcybersafe.org/wp-content/uploads/2017/06/Europe-GISWS-Report.pdf

Market driver:

• Digitalisation in all segments
• OT meets IT
• Implementation of the NIS recommendation and GDPR
• New security solutions
• Local service offers have to improve their portfolio (SOCs) to be able to compete against „fully managed security services“

[Figure labels: lack of skilled cyber security workers in 2022; 350 k; 1,8 Mio; „IT security hub Austria“]

Page 17

Cyber Crime as a Service (CaaS)

Page 18

CYBER CRIME AS A SERVICE

CIA hack – March 2017

CIA hacking tool arsenal: 8.761 files leaked from the CIA high security network (100+ mio lines of code). Malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation are now available in the darknet.

Darknet

▪ Marketplaces
▪ Cloud Service
▪ Special tools
▪ Botnets
▪ Vulnerabilities

[Figure labels: Snake/Uroburos; Search engine Shodan; Router KeyGen; Easy-to-use tools; Password Cracker]

Page 19

WE NEED NEW TOOLS AND NEW CONCEPTS TO BUILD RESILIENT DIGITAL SYSTEMS

TECHNOLOGIES @ AIT

Page 20

We have to increase the cyber security resilience

[Figure labels:

▪ Technology & Operation; Innovative solutions
▪ Capacity Building; Awareness & Training; Cyber Ranges
▪ Resources, Skills, Capabilities; IT Security hub
▪ New tools and capabilities; Financial Crime Forensic
▪ Building secure systems; Model based development
▪ European standards, certification of products, processes & tools
▪ International dimension]

Page 21

Safe & Secure Systems – Tool Support @ AIT

Model based Engineering

Privacy & Safety & Security Development

• CISO, CEO, CIO, CERT, ISO 2700x, …
• Compliance
• Scenario validation
• Test-Data Generation
• Training of employees + Stakeholders – Cyber Range

Training and System Validation: “digital twins” (AIT Cyber Range)

• System Architect
• System Developer

[Figure labels:

▪ EN 50128, ISO 27001, ISO 26262, ISO 21434, IEC 62443…
▪ AIT Threat Libraries
▪ FMVEA
▪ S&S Architecture Design
▪ MORETO
▪ Safety & Security Requirements
▪ S&S automatic test case generation (MoMuT)
▪ Code Analysis & Verification
▪ A/D Signal Monitoring
▪ Anomaly detection (AI)
▪ Legacy System Architecture
▪ Safety & Security Monitors
▪ Capacity; skills; Requ.
▪ Structured Arguments (auto gen.)]

Page 22

Artificial Intelligence (AI) - self-learning systems for defending against cyber attacks

CAIS Cyber Attack Information System @ AIT

Distributed Anomaly Detection Engine: self-learning and flexible anomaly detection using data collected across different machines, systems and organizational units.

Inputs: Firewall Logs, IDS/IPS Logs, Application Server Logs, Performance Logs

▪ Unknown attack anatomy: signature-based detection does not work; no specification; self-learning of “normal behavior”
▪ Multiple attack vectors: looking at isolated systems or single points in a network is not sufficient
▪ Possibility to see stealthy attacks: looking for “related” events

Page 23

Privacy & Security by design by Agile cryptographic solutions

End-User Data ownership & Access control

▪ Securing data at rest: secure distributed information sharing, long-term security
▪ Privacy enhancing technologies: data minimization technologies, data anonymization
▪ Verifiability of data and processing: protect the results of computation (maintain authenticity, enable verifiability)
▪ Secure implementations: high-quality software and hardware implementations of primitives

http://www.seccrit.eu | https://credential.eu | https://prismacoud.eu

[Figure labels: Preventive protection & end-to-end security; Privacy by data minimization; AIT technology inside]

Page 24

BLOCKCHAIN FORENSIC – INT. LEADING SCIENTIFIC & TECH COMPETENCE IN AUSTRIA @ AIT

Blockchain Digital Insight platform @ AIT

“…virtual currencies such as Bitcoin establish themselves as single common currency for cybercriminals”

“Bitcoin is […] accounting for over 40% of all identified criminal-to-criminal payments.”

(Source: Europol 2015 Internet Organized Crime Threat Assessment Report)

[Figure labels: BitCrime; EU LEAs]

Page 25

NATIONAL CYBER EXERCISE CRITICAL INFRASTRUCTURES, 6-7 NOVEMBER 2017 AT AIT

• 200 participants
• 10 teams of 6-8 persons each, 24 critical infrastructure operators
• Governmental strategy for cyber security (ÖSCS)
• Game moderation
• 120 virtual machines + ICS
• 17 terminals

[Figure labels:

▪ Connected Cars, Industry 4.0, Energy, Smart City, Digital Transport
▪ National Cyber Security laws
▪ IT operation processes within firms
▪ Security processes within public organisations]

Page 26

Austria as a center of the Cyber Security world

Vienna Cyber Security Week 2018

Multi stake-holder conference, training & exhibition

Cyber crime, Cyber espionage, Cyber terrorism, Cyber sabotage, Cyber war

[Figure labels: diplomacy; technology; training; conference; exhibition; 41 countries]

Page 27

WE HAVE TO CHANGE OUR WAY OF SYSTEM DEVELOPMENT AND OPERATION FOR A SAFE & SECURE DIGITAL WORLD

THANK YOU FOR YOUR ATTENTION!

MANY THANKS!

DI Helmut Leopold, PhD

Head of Center for Digital Safety & Security

AIT Austrian Institute of Technology GmbH

Giefinggasse, 1210 Wien, Austria

[email protected] | www.ait.ac.at