IT-Sicherheit am Donaustrand Conference 2018

CYBER SECURITY – A SOCIETAL CHALLENGE

Helmut LEOPOLD Head of Center for Digital Safety & Security AIT Austrian Institute of Technology

Regensburg, 21 June 2018 (v1.0pub)

The reliability and availability, i.e. the resilience, of our digital and interconnected infrastructure is no longer guaranteed

Industry 4.0, Smart City, Connected Cars, Digital Transport, Smart grid, Social media, Digital wallet, Digital currency, eHealth, Digital twins, Bots

Cyber Security – a multi-stakeholder issue

privacy business value global national security stability competitiveness democracy

citizen, business, government, economy, society

Manufacturers & system integrators, critical infrastructure providers (network/service), private users, Government

cyber war, cyber sabotage, cyber terrorism, cyber espionage, cyber scam, cyber crime

Industry 4.0, Smart City, Connected Cars, Digital Transport, Smart grid, Social media, Digital wallet, Digital currency, eHealth, Digital twins, Bots

Cyber Security threat landscape – 5 Market Drivers

▪ Inherent vulnerability of technology: system design & development methodology
▪ Technology innovation (digitalisation, networking, cloud): complexity, system of systems
▪ Skills in system development, operation, security: usability – capability, lack of skilled cyber security workers in 2022
▪ Crime as a service (CaaS): search engines, botnets, vulnerabilities
▪ Quantum computer: computing the keys of asymmetric encryption systems

Cyber crime, Cyber espionage, Cyber terrorism, Cyber sabotage, Cyber war

Inherent vulnerability of technology

VULNERABILITIES ARE PART OF OUR SYSTEM DESIGNS AND OPERATION PROCESSES

System Vulnerabilities

SW development process and technology usability

„The Internet of Hackable Things“ (N. Dragoni et al., TU Denmark)

87% of all Android phones operate with SW with known vulnerabilities – due to missing patch management

„10k in 2k“

5-15% of all web pages are infected with malware

IoT devices vulnerabilities

▪ 80% → passwords are too simple (“default”, “1234”)
▪ 70% → easy identification of user accounts by simple “trial and error”
▪ 70% → not encrypted services
▪ 60% → user interfaces (Web applications) have built-in vulnerabilities

Sources: Dragoni, N., Giaretta, A., & Mazzara, M. (2017). The Internet of Hackable Things. ArXiv, 2017, University Denmark; Uni Cambridge, http://androidvulnerabilities.org/press/2015-10-18; Presentation, Nimbusec, IDC conference, September 2017; www.zone-H.org

System Vulnerabilities

Side Channel Attacks - CPU - Spectre & Meltdown & Micro-code

CPU performance optimization (“parallelization – out of order processing”) → side channel attacks

Micro-code: remote maintenance

[Diagram labels: applications, meltdown, “predictions”, sys-calls, micro-code, cache]

System Vulnerabilities

Side Channel Attacks - IoT Networks

„Mirai IoT

900 Gbit/s

passwords: 12345, password

Project Shield

Sources: http://www.golem.de/news/nach-ddos-attacken-akamai-nimmt-sicherheitsforscher-krebs-vom-netz-1609-123419.html, http://www.golem.de/news/hilfe-von-google-brian-krebs--ist-nach-ddos-angriff-wieder-erreichbar-1609-123453.html

System Vulnerabilities

Operation & Maintenance

On average 176 days for organisations to close known vulnerabilities

Vulnerabilities in: system design, maintenance processes, business model, operation processes

“Britain´s newest warship running Swiss Cheese OS (Windows XP)”, The Register, June 27th, 2017

Names, home addresses, photos of air force pilots, SEAL teams, military vehicles, capacity of roads and bridges, …, Falkvinge, The Hacker News, July 24th, 2017

How do we deal with the system weaknesses?

Cyber Crime example - ransomware

▪ Ransomware has become an essential threat (Locky, WannaCry, Cryptolocker, etc.)

▪ Ransom payments almost exclusively in Bitcoin

▪ Over 500 families

Bitcoin Reality – easy to use cyber crime payment

China stops the exchange of Bitcoins

Ransomware WannaCry cyber attack

Cyber Security - APT Advanced Persistent Threats

I. Social engineering / Get Access – Understand the target
▪ Get access (public information, etc.)

II. Initial Intrusion - exploit weaknesses
▪ Phishing, SW vulnerabilities, configuration errors, stolen login information, weak passwords, etc.

III. Strengthen foothold – lateral mov.
▪ Stays invisible in the system, command & control capabilities, be immune to security responses, access control from within the trusted environment

IV. Expand access
▪ Search directories, e-mail boxes, admin workspaces, etc.

V. Gain Control
▪ Map the internal network structure and find login credentials for further services
▪ Discover machines/devices which hold the most valuable information

VI. Send fabricated control messages

[Timeline labels: 2016; 25.3.2015: e-mail attack; 23.12.2015: „shut down“]

Attacks span weeks or months and are developed for a dedicated purpose

Technology innovation: digitalisation, networking, cloud, IoT

INNOVATION BRINGS SYSTEM COMPLEXITY

BLOCKCHAIN – CYBER SECURITY ISSUES

[Diagram labels: user, digital currency exchanges, wallet providers, miners, SW developer]

Key management: private key of the Bitcoin user. The owner of the password is the owner of a transaction.

Skills in system development, operation, security

LACK OF SKILLED CYBER SECURITY WORKERS IN 2022

Cyber Security – lack of Skills & Workforce

1.8 million: lack of skilled cyber security workers in 2022

350 k

2017 (ISC2) Global Information Security Workforce Study Benchmarking Workforce Capacity and Response to Cyber Risk Frost & Sullivan, Booz Allen Hamilton https://iamcybersafe.org/wp-content/uploads/2017/06/Europe-GISWS-Report.pdf

Market driver:
• Digitalisation in all segments
• OT meets IT
• Implementation of the NIS recommendation and GDPR
• New security solutions
• Local service offers have to improve their portfolio (SOCs) to be able to compete against „fully managed security services“

„IT security hub“

Crime as a service CaaS

CYBER CRIME AS A SERVICE

Cyber Crime as a Service (CaaS)

Easy-to-use tools

Router KeyGen

Password Cracker

Search engine: Shodan

Darknet
▪ Marketplaces
▪ Cloud service
▪ Special tools
▪ Botnets
▪ Vulnerabilities

Snake/Uroburos

CIA hack – March 2017: CIA hacking tool arsenal

8,761 files leaked from the CIA high security network (100+ million lines of code): malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation are now available in the darknet.

WE NEED NEW TOOLS AND NEW CONCEPTS TO BUILD RESILIENT DIGITAL SYSTEMS

TECHNOLOGIES @ AIT

We have to increase the cyber security resilience

▪ Technology & Operation: innovative solutions
▪ Building secure systems: model based development
▪ Capacity Building, Awareness & Training: Cyber Ranges
▪ Resources, Skills, Capabilities: IT Security hub
▪ Financial Crime Forensic: new tools and capabilities

European standards, certification of products, processes & tools

International dimension

Safe & Secure Systems – Tool Support @ AIT

AIT Threat Libraries: EN 50128, ISO 27001, ISO 26262, ISO 21434, IEC 62443, …

[Diagram labels: Safety & Security Requirements; S&S Architecture Design; FMVEA; MORETO; S&S Verification: automatic code analysis & test case generation (MoMuT); Model based Engineering; Safety & Security Monitors; Legacy System Architecture Monitoring; A/D signal anomaly detection (AI); Training and Capacity Development; System Validation with “digital twins” (AIT Cyber Range); Privacy; Privacy & Safety & Security skills]

• System Architect
• System Developer
• CISO, CEO, CIO, CERT, ISO 2700x, …
• Compliance Requ. – Structured Arguments (auto gen.)
• Scenario validation
• Test-Data Generation
• Training of employees + Stakeholders

Cyber Range

Artificial Intelligence (AI) - self-learning systems for defending against cyber attacks

CAIS Cyber Attack Information System @ AIT

▪ unknown attack anatomy → signature-based detection does not work → no specification → self-learning of “normal behavior”
▪ multiple attack vectors → looking at isolated systems or single points in a network is not sufficient
▪ Possibility to see stealthy attacks → looking for “related” events

Firewall Logs, IDS/IPS Logs, Application Server Logs, Performance Logs, …

Distributed Anomaly Detection Engine

Self-learning and flexible anomaly detection using data collected across different machines, systems and organizational units.

Privacy & Security by design by Agile cryptographic solutions

End-User Data ownership & Access control

Preventive protection & end-to-end security

Privacy by data minimization

▪ Securing data at rest: secure distributed information sharing, long-term security
▪ Privacy enhancing technologies: data minimization technologies, data anonymization
▪ Verifiability of data and processing: protect the results of computation (maintain authenticity, enable verifiability)
▪ Secure implementations: high-quality software and hardware implementations of primitives

AIT technology inside: https://credential.eu http://www.seccrit.eu https://prismacoud.eu

BLOCKCHAIN FORENSIC – INT. LEADING SCIENTIFIC & TECH COMPETENCE IN AUSTRIA @ AIT

Blockchain Digital Insight platform @ AIT

“…virtual currencies such as Bitcoin establish themselves as single common currency for cybercriminals”

“Bitcoin is […] accounting for over 40% of all identified criminal-to-criminal payments.”

(Source: Europol 2015 Internet Organized Crime Threat Assessment Report)

EU LEAs, BitCrime

NATIONAL CYBER EXERCISE CRITICAL INFRASTRUCTURES, 6-7 NOVEMBER 2017 AT AIT

• 200 participants
• 10 teams of 6-8 persons, 24 critical infrastructure operators
• Game moderation

[Diagram labels: National Cyber Security laws; Governmental Strategy for Cyber Security (ÖSCS); Security operation processes within public organisations; IT processes within firms]

• 120 virtual machines + ICS • 17 Terminals

Industry 4.0, Smart City, Connected Cars, Digital Transport, Energy

Austria as a center of the Cyber Security world

Vienna Cyber Security Week 2018

Multi-stakeholder conference, training & exhibition

conference exhibition training

Cyber crime Cyber espionage Cyber terrorism Cyber sabotage Cyber war

diplomacy technology

41 countries

WE HAVE TO CHANGE OUR WAY OF SYSTEM DEVELOPMENT AND OPERATION FOR A SAFE & SECURE DIGITAL WORLD

THANK YOU FOR YOUR ATTENTION!

MANY THANKS!

DI Helmut Leopold, PhD
Head of Center for Digital Safety & Security
AIT Austrian Institute of Technology GmbH
Giefinggasse, 1210 Wien, Austria
[email protected] | www.ait.ac.at