IT-Sicherheit am Donaustrand Conference 2018 – CYBER SECURITY – A SOCIETAL CHALLENGE
Helmut Leopold, Head of Center for Digital Safety & Security, AIT Austrian Institute of Technology
Regensburg, 21 June 2018 (v1.0pub)

The reliability and availability, i.e. the resilience, of our digital and interconnected infrastructure is no longer guaranteed.
[Slide figure – application areas: Industry 4.0, Smart City, Connected Cars, Smart Transport, Digital grid, Social media, eHealth, Digital wallet, Digital currency, Digital twins, Bots]
Cyber Security – a multi-stakeholder issue
[Slide figure – stakeholders and their concerns: citizen (privacy), business (business value), government (national security), economy (global competitiveness, stability), society (democracy). Actors: manufacturers & system integrators, critical infrastructure providers (network/service), private users, government. Threats: cyber war, cyber sabotage, cyber terrorism, cyber espionage, cyber scam, cyber crime]
Cyber Security threat landscape – 5 market drivers
▪ Inherent system vulnerability – design & development technology and methodology
▪ Technology innovation and complexity – digitalisation, networking, system of systems, cloud
▪ Skills in system development, operation and security – usability; lack of skilled cyber security workers in 2022
▪ Crime as a service (CaaS) – search engines, botnets, vulnerabilities
▪ Quantum computers – computing the keys of asymmetric encryption systems
[Threat categories: cyber crime, cyber espionage, cyber terrorism, cyber sabotage, cyber war]

Inherent vulnerability of technology
VULNERABILITIES ARE PART OF OUR SYSTEM DESIGNS AND OPERATION PROCESSES

System Vulnerabilities – SW development process and technology usability
„The Internet of Hackable Things“ (N. Dragoni et al., TU Denmark): „10k in 2k“ IoT device vulnerabilities
▪ 80% of passwords are too simple (“default”, “1234”)
▪ 70% allow easy identification of user accounts by simple trial and error
▪ 70% unencrypted services
▪ 60% of user interfaces (web applications) have built-in vulnerabilities

87% of all Android phones operate with software with known vulnerabilities – due to missing patch management.

5-15% of all web sites are infected with malware.

Sources: Dragoni, N., Giaretta, A., & Mazzara, M. (2017). The Internet of Hackable Things. ArXiv, 2017, University Denmark; Uni Cambridge, http://androidvulnerabilities.org/press/2015-10-18; Presentation, Nimbusec, IDC conference, Vienna, September 2017; www.zone-H.org

System Vulnerabilities – Side Channel Attacks - CPU - Spectre & Meltdown & Micro-code
[Slide figure – Spectre & Meltdown: CPU performance optimization via micro-code (“parallelization – out of order processing”, “predictions”), sys-calls, cache; side channel attacks; remote maintenance applications]
System Vulnerabilities – Side Channel Attacks - IoT Networks
„Mirai IoT Botnet“ – 900 Gbit/s; passwords: 12345, password; Google Project Shield

Sources: http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforscher-krebs-vom-netz-1609-123419.html, http://www.golem.de/news/hilfe-von-google-brian-krebs-blog-ist-nach-ddos-angriff-wieder-erreichbar-1609-123453.html

System Vulnerabilities – Operation & Maintenance
Vulnerabilities in system design and maintenance processes: on average it takes organisations 176 days to close known vulnerabilities.
Examples: names, home addresses, photos of air force pilots, SEAL teams, military vehicles, capacity of roads and bridges, … (The Hacker News, July 24th, 2017); “Britain´s newest warship running Swiss Cheese OS (Windows XP)” (Falkvinge, The Register, June 27th, 2017). Slide labels: business model, operation processes.

How do we deal with the system weaknesses?

Cyber Crime example - ransomware
▪ Ransomware has become an essential cybercrime threat (Locky, WannaCry, Cryptolocker, etc.)
▪ Ransom payments almost exclusively in Bitcoin
▪ Over 500 families

Bitcoin reality – easy-to-use cyber crime payment; China stops the exchange of Bitcoins

[Slide figure: ransomware WannaCry cyber attack]

Cyber Security - APT Advanced Persistent Threats
I. Get Access – understand the target: social engineering, get access (public information, etc.)
II. Initial Intrusion – exploit weaknesses: phishing, SW vulnerabilities, configuration errors, stolen login information, weak passwords, etc.
III. Strengthen foothold – lateral movement: stays invisible in the system, command & control capabilities, be immune to security responses, access control from within the trusted environment
IV. Expand access: search directories, e-mail boxes, admin workspaces, etc.
V. Gain Control: map the internal network structure and find login credentials for further services; discover machines/devices which hold the most valuable information
VI. Send fabricated control messages

Example timeline: 25.3.2015: e-mail attack; 23.12.2015: „shut down“; 2016. Attacks span weeks or months and are developed for a dedicated purpose.

Technology innovation – digitalisation, networking, cloud, IoT
INNOVATION BRINGS SYSTEM COMPLEXITY

BLOCKCHAIN – CYBER SECURITY ISSUES
[Slide figure – Bitcoin ecosystem: user (private key of the Bitcoin user; key management: the owner of the password is the owner of a transaction), digital currency exchanges, wallet providers, miners, SW developer]

Skills in system development, operation, security
LACK OF SKILLED CYBER SECURITY WORKERS IN 2022

Cyber Security – lack of Skills & Workforce: 1.8 million lack of skilled cyber security workers in 2022; 350 k

Source: 2017 (ISC)² Global Information Security Workforce Study – Benchmarking Workforce Capacity and Response to Cyber Risk, Frost & Sullivan, Booz Allen Hamilton, https://iamcybersafe.org/wp-content/uploads/2017/06/Europe-GISWS-Report.pdf
Market drivers („IT security hub Austria“):
• Digitalisation in all segments
• OT meets IT
• Implementation of the NIS recommendation and GDPR
• New security solutions
• Local service offers have to improve their portfolio (SOCs) to be able to compete against „fully managed security services“
Cyber Crime as a Service (CaaS)
Easy-to-use tools: Router KeyGen, Password Cracker, search engine (Shodan)
▪ Marketplaces
▪ Cloud service
▪ Special tools
▪ Botnets
▪ Vulnerabilities
Darknet

CIA hack – March 2017: the CIA hacking tool arsenal – 8,761 files leaked from the CIA high-security network (100+ million lines of code): malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation is now available in the darknet. Snake/Uroburos.
WE NEED NEW TOOLS AND NEW CONCEPTS TO BUILD RESILIENT DIGITAL SYSTEMS

TECHNOLOGIES @ AIT – We have to increase the cyber security resilience
▪ Technology & Capacity Building – building secure systems; resources, skills, awareness & training; financial crime forensic capabilities; operation
▪ Innovative model-based development; Cyber Ranges; IT Security hub capabilities; new tools and solutions
▪ European standards, certification of products, processes & tools
▪ International dimension
Safe & Secure Systems – Tool Support @ AIT

[Slide figure – tool chain along the development life cycle: AIT Threat Libraries; standards EN 50128, ISO 27001, ISO 26262, ISO 21434, IEC 62443; Safety & Security (S&S) requirements; S&S architecture design (FMVEA, MORETO); automatic code analysis & test case generation (MoMuT); Safety & Security verification; legacy system A/D signal monitors; model-based engineering; architecture monitoring; anomaly detection (AI); system validation; training and capacity development (AIT Cyber Range, “digital twins”); privacy & safety & security skills. Roles: System Architect, System Developer, CISO, CEO, CIO, CERT, ISO 2700x, …; compliance requirements, scenario validation, test-data generation, structured arguments (auto gen.), training of employees + stakeholders]

Cyber Range

Artificial Intelligence (AI) - self-learning systems to defend against cyber attacks
CAIS Cyber Attack Information System @ AIT
▪ Unknown attack anatomy – signature-based detection does not work; no specification, self-learning of “normal behavior”
▪ Multiple attack vectors – looking at isolated systems or single points in a network is not sufficient
▪ Possibility to see stealthy attacks by looking for “related” events
[Data sources: firewall logs, IDS/IPS logs, application logs, performance logs, server logs, …]
Distributed Anomaly Detection Engine
Self-learning and flexible anomaly detection using data collected across different machines, systems and organizational units.

Privacy & Security by design by Agile cryptographic solutions – End-User Data ownership & Access control
Preventive protection & end-to-end security
Privacy by data minimization
▪ Securing data at rest – secure distributed information sharing, long-term security
▪ Privacy enhancing technologies – data minimization technologies, data anonymization
▪ Verifiability of data and processing – protect the results of computation (maintain authenticity, enable verifiability)
▪ Secure implementations – high-quality software and hardware implementations of primitives
AIT technology inside: https://credential.eu, http://www.seccrit.eu, https://prismacoud.eu

BLOCKCHAIN FORENSIC – INT. LEADING SCIENTIFIC & TECH COMPETENCE IN AUSTRIA @ AIT
Blockchain Digital Insight platform @ AIT
“…virtual currencies such as Bitcoin establish themselves as single common currency for cybercriminals”; “Bitcoin is […] accounting for over 40% of all identified criminal-to-criminal payments.” (Source: Europol 2015 Internet Organized Crime Threat Assessment Report) – EU LEAs, BitCrime

NATIONAL CYBER EXERCISE CRITICAL INFRASTRUCTURES, 6-7 NOVEMBER 2017 AT AIT
• 200 participants
• 10 teams of 6-8 persons; 24 security operation processes within firms (critical infrastructure operators) and IT processes within public organisations
• Governmental Strategy for Cyber Security (ÖSCS), national cyber security laws
• Game moderation
• 120 virtual machines + ICS
• 17 terminals
Austria as a center of the Cyber Security world – Vienna Cyber Security Week 2018: multi-stakeholder conference, training & exhibition; diplomacy, technology; 41 countries

[Slide figure: application areas (Industry 4.0, Smart City, Connected Cars, Digital Transport, Energy); threat categories (cyber crime, cyber espionage, cyber terrorism, cyber sabotage, cyber war)]

WE HAVE TO CHANGE OUR WAY OF SYSTEM DEVELOPMENT AND OPERATION FOR A SAFE & SECURE DIGITAL WORLD
THANK YOU FOR YOUR ATTENTION!
MANY THANKS!

DI Helmut Leopold, PhD, Head of Center for Digital Safety & Security, AIT Austrian Institute of Technology GmbH, Giefinggasse, 1210 Wien, Austria, [email protected] | www.ait.ac.at