There are many network traffic analysis tools out there but how many of them understand industrial protocols like Modbus, Profibus or DNP3? More importantly, how effective are these solutions in the industrial control systems environment?
In this post I would like to share a quick summary of security vendors in this domain.
Please note that this space moves quickly so the list may not be up-to-date by the time you are reading this. That being said, I hope it provides a high-level overview of vendors and capabilities in this space.
Web applications are a common attack vector and many companies are keen to address this threat. Due to their nature, web applications are located in the extranet and can be exploited by malicious attackers from outside of your corporate network. I managed a project which reduced the risk of the company’s systems being compromised through application level flaws. It improved the security of internet facing applications by:
- Fixed over 30,000 application level flaws (e.g. cross-site scripting, SQL injection, etc) across 100+ applications.
- Introduced a new testing approach to build secure coding practices into the software development life cycle and to use static and dynamic scanning tools.
- Embedded continuous application testing capabilities.
- Helped raise awareness of application security issues within internal development teams and third parties.
- Prompted the decommissioning of legacy applications.
Image courtesy Danilo Rizzuti / FreeDigitalPhotos.net
I was invited to deliver a lecture on ethical hacking to the graduate students at the University of Bradford. We started off by discussing basic principles and approaches and concluded covering specific tools and techniques.
The students, with various backgrounds ranging from mobile application development, to communications and networks actively participated in the discussion. I was also very happy to share some case studies and real-world examples around vulnerability, threat and risk management.
Interview with Konrads Smelkovs – Incident Response
Could you please tell us a little bit about your background?
I work at KPMG as a manager, and I started working with security when I was around thirteen years old. I used to go to my mother’s work, because there was nobody to look after me. There used to be an admin there who used to run early versions of Linux, which I found to be rather exciting. I begged him to give me an account on his Linux box, but I didn’t know much about that, so I started searching for information in Altavista. The only things you could find there was how to hack into Unix, and there were no books at the time I could buy. I downloaded some scripts off the internet and started running them. Some university then complained that my scripts were hacking them, though I didn’t really understand much of what I was doing. So my account got suspended for about half a year, but I got hooked and found it rather interesting and exciting, and developed an aspiration in this direction. I then did all sorts of jobs, but I wanted a job in this field. So I saw an add in the newspaper and applied for a job at KPMG back in Latvia, 6 or 7 years ago. I was asked what it is I could do, and I explained to them the sort of things I had done in terms of programming: “a little bit of this, a little bit of that…”, I did some reading about security before the interview, and they then asked me if I could do penetration testing. I had a vague idea of what it entailed, because I understood web applications quite well. So I said, “yeah, sure. I can go ahead and do that because I understand these things quite well.”
What are you working on at the moment?
In the past I used to focus mainly on break-ins. Now people resort to me for advice on how to detect on-going intrusions, which takes up a large portion of my time at the moment, but more at a senior level. I do threat modelling for a corporation. I have to know how to break-in in order to give them reasonable advice, but it’s mainly in the form of PowerPoint presentations and meetings.
When you develop threat models for corporations, how do you factor in insider threats as well as the human aspect of security?
I believe the industry oscillates from one extreme to the other. People spoke a lot about “risk” but they understood very little about what this risk entailed. They then spoke about IT risks, but it was more of a blank message. Then it all became very entangled, and there was talk about vulnerability thinking: “you have to patch everything.” But then people realised that there is no way to patch everything, and then started talking about defence strategies, which pretty much everybody misunderstands, and so they started ignoring vulnerabilities. This especially happened because we all had firewalls, but we know that those don’t help either. So what we are trying to do here is to spread common sense in one go. When we talk about threat models, we have to talk about who is attacking, what they are after, and how they will do it. So the “who” will obviously have a lot of different industry properties, why they are doing it, what their restrictions and their actions are and so on. Despite the popular belief in the press, in The Financial Times, CNN, and so on, everybody talks about the APT, these amazing hackers hacking everything. They don’t realise that the day-to-day reality is quite different. There are two main things people are concerned about. One of them is insider threats, because insiders have legitimate access, and just want to elevate that access by copying or destroying information. The second is malware, which is such a prevalent thing. Most malware is uploaded by criminals who are not specifically after you, but are after some of your resources: you are not special to them. There are very few industries where there is nation-state hacking or where competitive hacking is current. So when we talk about threat models, we mainly talk about insider threats within specific business units and how they work. This is what I think people are most afraid of: the exploitation of trust.
How do you normally advice executives in organisations about proper information security? Do you focus on building a proper security culture, on awareness training, technological/architectural means, or what do you consider is the most important thing they should keep in mind?
We need to implement lots of things. I believe that a lot of the information security awareness training is misguided. It is not about teaching people how to recognise phishing or these sort of things. It is about explaining to them why security is important and how they play a part in it.
Very few insiders develop overnight and I believe that there is a pattern, and even then, insiders are rare. Most of the time you have admins who are trying to make themselves important, or, who out of vengeance, try to destroy things. So whenever you have destruction of information, you have to look at what kind of privileged access there is. Sometimes people copy things in bulk when they leave the company, to distribute it to the company’s competitors.
So lets say you develop a threat model and present it to the company, who’s executives accepted and use to develop a policy which they then implement and enforce. Sometimes, these policies my clash with the end-users’ performance and affect the way business within the company is done. Sometimes they might resist new controls because privileges get taken away. How would you factor in this human aspect, in order to avoid this unwanted result?
Many companies impose new restrictions on their employees without analysing the unwanted result it may lead to. So for example, if companies don’t facilitate a method for sharing large files, the employees might resort to Dropbox which could represent a potential threat. Smart companies learn that it is important to offer alternatives to the privileges they remove from their employees.
How do you go by identifying what the users need?
They will often tell you what it is they need and they might even have a solution in mind. It’s really about offering their solutions securely. Rarely is the case when you have to tell them that what they want is very stupid and that they simply should not do it.
Finally, apart from sharp technical skills, what other skills would you say security professionals need in order to qualify for a job?
You have to know the difference between imposing security and learning how to make others collaborate with security. Having good interpersonal skills is very important: you need to know how to convince people to change their behaviour.
Thank you Konrads.
In order to ensure the security of a system sometimes it is not enough to follow the general advice outlined in the Overview of Protection Strategies and one may chose to perform a penetration test.
Security assessments of this highly sensitive environment should be conducted with extreme care. It requires not only basic network security skills but also knowledge of the equipment, SCADA-specific protocols and vulnerabilities.
On the photo you can see different types of PLC and RTU devices, discussed in the Overview of Industrial Control Systems:
- Modicon Momentum PLC
- Rockwell Automation MicroLogix 1100 PLC
- Siemens S7 1200 PLC
- Small embedded RTU device
The original SCADA protocols (vendor-specific protocols include ModbusRTU, DF1, Conitel, and Profibus) were serial-based, meaning that the master station initiated the communication with the controllers. Nowadays, almost all SCADA protocols are encapsulated in TCP/IP and can be operated over Ethernet.
To get a better understanding, one can use Modscan32 to connect to the PLC and view register data by entering the IP address and TCP port number in the tool.
If there is no live PLC available to work with, one can always use the ModbusTCP simulator to practice capturing traffic with Wireshark, configuring the OPC server and building human-machine interfaces.
Conducting an awareness training or explaining complex information security concepts can be simplified and made fun through gamification. It is possible to learn more about information security simply by playing card games. Please see below for the three games you can download for free, print and start playing today.
1. Playing with application vulnerabilities
OWASP Cornucopia is a mechanism in the form of a card game to assist software development teams identify security requirements in Agile, conventional and formal development processes. It is language, platform and technology agnostic.
2. Playing with threat modelling
Elevation of Privilege (EoP) is the easy way to get started threat modelling, which is a core component of the design phase in the Microsoft Security Development Lifecycle (SDL).
The EoP card game helps clarify the details of threat modelling and examines possible threats to software and computer systems.
The EoP game focuses on the following threats:
- Information Disclosure
- Denial of Service
- Elevation of Privilege
An academic-style paper explains the rules motivation and lessons learned in creating the game
The VOME project created a card game to support the discussion and teaching of issues of online privacy and consent. Players make decisions about what information characters might reveal to others and what they keep to themselves.
According to the authors, the main idea behind the game is to use the rules to model the way that information flows around the online environment. In real life, these flows are complex and often hidden. In the game it is possible simplify the relationships and decisions, and provide immediate feedback on the effects of those decisions
1. Why perform penetration testing?
Penetration testing is an instrument for getting additional information about the systems’ state of security. A penetration test shows where hackers may breach your system; hence, this information can be used to support the decision-making process when implementing protection mechanisms.
In a nutshell, penetration testing would help with:
- Vulnerability analysis for the target system,
- Assessment of the loses due to a potential breach,
- Gaining an unbiased view on the state of the system and protection mechanisms,
- Gaining insight on the qualification of the internal security staff.
2. Who should perform penetration testing?
To get unbiased view, penetration testing should be performed by third party independent professionals.
You should also consider the ethical aspect, and only hire teams with a proven reputation in the field. Otherwise, information about companies’ critical vulnerabilities may be leaked to competitors.
3. When is the best time to perform penetration testing?
The best time to perform penetration testing is after the implementation and configuration of a new system. You should apply all the security mechanisms according to the good practices and legal and regulatory requirements before undergoing a penetration test; otherwise the necessity of such an exercise would be questionable.
4. Who would benefit from penetration testing?
Organizations that realise the importance of information security and protection of information assets would highly benefit from penetration testing.
Banks and insurance companies are not the only ones on this list. There is nothing more valuable that human life, which is why penetration testing could be valuable for transport and energy companies.
But what if a company is not large enough for the system breach to cause a crisis or substantial financial losses? Even in these cases, penetration testing may prove to be useful. Small and medium-sized enterprise are likely to have a website which helps to sell goods or services. Losses due to a system breach could substantially harm their reputation and competitive advantage.
5. What penetration testing approaches are there?
White box: where the penetration testing team already has some initial information on the system, including the range of IP addresses, ports, source code, hardware and software components, etc.
Black box: where the penetration testing team has no information on the system at all. The team has to model a potential hacker’s actions from the ground up. In doing so, they might, for example, use social networks to find victims of social engineering. This approach is usually more expensive and requires more time.
6. Penetration testing: only a set of tools?
One may think that penetration testing is limited to running several vulnerability scanners, password cracking utilities, traffic sniffing tools, etc., which are, no doubt, the main tools that are used by penetration testing professionals. These are, however, only limited to aiding the expert in finding weaknesses. A comprehensive and robust penetration test mainly relies on the expert’s skills and experience..
7. Can a penetration test be performed to discover vulnerabilities, which don’t lead to significant financial losses?
An attacker might not be motivated by the financial gain, but still can cause some harm. For example, a company might use network printers. Each printer would have it’s own IP address with the open 9100 port. An attacker might:
- discover the printers’ addresses by scanning the network
- remotely connect to a printer using the ‘telnet <printer’s IP address> 9100′ command
- print messages at his / her own choice.
8. What should one expect as a result of the penetration test?
The company that commissions penetration testing normally receives the following full descriptions on:
- penetration testing activity and its stages.
- tools used
- vulnerabilities discovered
- exploited vulnerabilities
- likelihood and risk of the identified vulnerabilities and their potential impact
- recommendations on how to mitigate the outlined risks
Image courtesy of hywards/ FreeDigitalPhotos.net