Er der hackere på linien?

Transkript

1 Er der hackere på linien? Christian Helmundt Bermann Consulting Systems Engineer Marts 2015

2 Agenda Hvordan ser trusselsbilledet ud idag og hvilke udfordringer giver mobilitet og cloud. Hvordan kan Cisco s sikkerhedsløsninger hjælpe? Cisco Confidential 2

3 Hvordan ser trusselsbilledet ud idag og hvilke udfordringer giver mobiliet og cloud? Cisco Confidential 3

4 Cisco annual security report 2015 Samarbejde med multinationale selskaber og sektorer. Java falder 34%, Silverlight stigning 228% Snowshoe spam stigning Spam er stadig et stort problem Er kryptering sikkerhed? Strategien er på plads, men det operationelle halter. 56% OpenSSL (eks. Heartbleed) Under 50% anvender pentest, administration af identitet, applikationsstyring Cisco Confidential 4

5 Udfordringer generelt Brugervenlighed <-> sikkerhed Produktivitet Always-on, adgang til alt Patching Angrebsfladen er stor Cisco Confidential 5

6 Udfordringer i produktionsnet Det handler mere om sikkerhedspolitikker end om teknologi. Man bør tænke over: Findes der en IT sikkerhedspolitik Hvis ja, er der remote access til produktionen. Produkter/teknologi? Er der styr på partneradgangen? Er der kryptering og anden sikring fra IT til produktionsnetværket? Cisco Confidential 6

7 Seneste trusler PNG filer Cryptowall 3.0 Phishing Watering hole Cisco Confidential 7

8 A Watering Hole Looks Safe? Cisco Confidential 8

9 A Watering Hole There Could Be Danger.. Cisco Confidential 9

10 Watering Hole Attacks Cisco Confidential 10

11 Watering Hole Attacks Stage 1: Compromise Cisco Confidential 11 11

12 Watering Hole Attacks Stage 2: Visits Stage 1: Compromise Cisco Confidential 12 12

13 Watering Hole Attacks Specific Website Compromises Installs Malware Profiles Users Controls Cisco Confidential 13 13

14 Watering Hole Attacks Specific Website Compromises Installs Malware Profiles Users Controls Cisco Confidential 14 14

15 Watering Hole Attacks Specific Website Compromises Installs Malware Profiles Users Controls Cisco Confidential 15 15

16 Watering Hole Attacks Specific Website Compromises Installs Malware Profiles Users Controls Cisco Confidential 16 16

17 Energisektor angreb Olie og gas i Afrika, Marokko, og Brasilien; Et firma med flere elkraftværker i Tjekkiet og Bulgarien; Naturgas selskab i UK; Gas distribution i Frankrig; Industriel forsyning indenfor energi, atom og fly industri; Forskellige investerings og kapital firmaer specialiseret I energisektoren. Cisco Confidential 17

18 Hvordan kan Cisco s sikkerhedsløsninger hjælpe Cisco Confidential 18

19 Cisco s sikkerhedsmodel Attack Continuum BEFORE Control Enforce Harden DURING Detect Block Defend AFTER Scope Contain Remediate Firewall / VPN Granular App Control Modern Threat Control NGIPS Security Intelligence Web Security Advanced Malware Protection Retrospective Security IoCs / Incident Response Visibility and Automation Cisco Confidential 19

20 Cisco sikkerhed i produktionsnet Level 5 Level 4 Level 3 Level 2 Level 1 , Intranet, etc. Terminal Services FactoryTalk Application Server Application Mirror FactoryTalk Client Batch Control FactoryTalk Directory Operator Interface Discrete Control Patch Management Web Services Operations Enterprise Network Site Business Planning and Logistics Network Engineering Workstation FactoryTalk Client Drive Control Domain Controller AV Server Application Server Engineering Workstation Continuous Process Control Control Operator Interface Safety Control Firewall Firewall Site Manufacturing Operations and Control Web CIP Area Supervisory Basic Control Enterprise Zone DMZ Manufacturing Zone Cell/Area Zone Stigende bekymring omkring sikkerhed I produktionsnet og end-to-end kommunikation. Cisco sikkerhedsarkitektur, bygger sikkerhed ind i designet og giver den dybde der skal til for at sikre produktionsnetværket. Level 0 Sensors Drives Actuators Robots Process Cisco Industriel sikkerhed: Information, beskyttelse og alarmering Netværks sikkerhed Adgangs kontrol Mobil adgang Indhold Cisco Confidential 20

21 Secure remote access Remote access til medarbejdere og partnere. Imødekommer sikkerhedskrav fra IT men giver samtidig produktionen mulighed for at bruge delte og distribuerede ressourcer og trusted partners Asset management monitorering, konfiguration og audit. Styring af applikations versioner og change management Simplificeret overvågning af remote access. Cisco Confidential 21

22 Security technologies applied Defense in Depth Secure Remote Access teknologi Remote Engineers and Partners Authentication, Authorization and Accounting Access Control Lists (ACLs) Secure Browsing (HTTPS) Intrusion Protection and Detection Remote Terminal Session Application Security VLANs Plant Floor Applications and Data Cisco Confidential 22

23 Indications of Compromise Malware Backdoors Exploit Kits IPS Events CnC Connections Admin Privilege Escalations Security Intelligence Events Connections to Known CnC IPs Malware Detections Office/PDF/Jav a Compromises Malware Events Malware Executions Dropper Infections IOC: tag on a host that indicates that an event indicating likely host infection has occurred IOCs are tallied against each host Web App Attacks Cisco Confidential 23

24 Retrospective Security Point-in-time Detection Antivirus Sandboxing Initial Disposition = Clean Analysis Stops Not 100% Sleep Techniques Unknown Protocols Encryption Polymorphism Actual Disposition = Bad = Too Late!! Blind to scope of compromise Cisco AMP Retrospective Detection, Analysis Continues Turns back time Initial Disposition = Clean Actual Disposition = Bad = Blocked Visibility and Control are Key Cisco Confidential 24

25 Advanced malware protection AMP for Networks Detection Services & Big Data analytics AMP for Endpoints FireSIGHT Management Center SaaS Manager Sourcefire Sensor # # AMP Malware license

26 Beskyttelse af produktionsnet Classic Sourcefire Office Automation Solution Network TCP/IP Human FireSIGHT Machine Interfaces NGIPS (IDS+IPS) Windows + Linux rules (MS-Windows, AMP embedded Linux) Process Servers (MS-Windows/ Linux) FireSIGHT NGIPS (IDS) + Windows + Linux rules SCADA rules AMP Historians Proprietary protocols TCP/IP RTU PLC FireSIGHT RTU PLC NGIPS (IDS)+ SCADA rules RTU Controlled Process Controlled Process Sensors + actuators Controlled Process Cisco Confidential 26

27 Afslutning Udfordringer med brugere og applikationer. Avancerede angreb Sikkerhedspolitik operationel Styring af identitet, flere lag, tunneler og applikationer Cisco Confidential 27

28 Thank you.