
Cyber Security Research
Challenges & Approaches
[email protected]
6-7th June 2013
National Symposium on
Recent Advances in Cyber security (RACS- 2013)
Agenda
• Cyber Security Challenges
• Need of indigenous R&D efforts in e-security
• Classification of security solutions
• C-DAC's role - Focus Areas
• Research Labs & Thrust Areas
• e-Security Products / Solutions / Services
• Education, Awareness and Training
• Future Emphasis & On-going Research
Cyber Security Challenges
Typical Security Solution Deployment Scenario (figure)
Attack Sophistication vs. Intruder Technical Knowledge (figure)
Attack Scenario (figure; stages shown): Gaining Access, Reconnaissance, Cyber Attack, Covering traces, Taking Control
Types of cyber malware and attack modes
Malware: A collective term for all types of malicious code and software
• Exploit – Taking advantage of a computer vulnerability to cause unintended or unanticipated behaviour. This includes gaining control of a computer system.
• Virus/worm – Computer programmes that replicate functional copies of themselves with varying effects ranging from mere annoyance and inconvenience to compromise of the confidentiality or integrity of information. Viruses need to attach themselves to an existing program; worms do not.
• Spyware – Malware that collects information about users without their knowledge.
• Trojan horse – Malicious program that acts in an automatic manner. Trojan horses can make copies of themselves, steal information, harm their host computer systems, or allow a hacker remote access to a target computer system.
• DDoS attack – Attempt to make a computer or network resource unavailable to its intended users, mostly by saturating the target machine with external communications requests so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
• Advanced persistent threats – A cyber-attack category which connotes an attack with a high degree of sophistication and stealthiness over a prolonged duration of time. The attack objectives typically extend beyond immediate financial gain.
• Botnets (or bots) – A collection of compromised computers connected to the Internet. They run hidden and can be exploited for further use by the person controlling them remotely.
Vulnerability Exploit Cycle (figure; stages shown): Novice intruders use crude exploit tools; crude exploit tools distributed; advanced intruders discover new vulnerability; automated scanning/exploit tools developed; widespread use of automated scanning/exploit tools; intruders begin using new types of exploits
Network Security Issues (figure): Normal Flow; Interruption; Modification; Fabrication; Interception; Repudiation ("Sent it?" – "No!"; "Get it?" – "No!")
Network Security Services (requirements)
• Availability
• Integrity
• Confidentiality
• Authenticity
• Non Repudiation
Attacks on the Protocol Stack (figure)
Specific Challenges
• High Speed Content Analysis
• Intrusion Detection, Analysis & Prevention
• Malware Research
• Efficient Behavior Modeling
• Datamining for Security
• Attack Analysis & Modeling
• Vulnerability & Threat Analysis
• End System Security
• Cyber Forensics Analysis
Cyber Security Goals and Technologies
Security Tools – More Than Just a Firewall
Management, Audit, Measurement, Monitoring, and Detection Tools
• Log Auditing Utilities
• Virus and Malicious Code Detection Systems
• Intrusion Detection Systems
• Vulnerability Scanners
• Forensics and Analysis Tools (FAT)
• Host Configuration Management Tools
• Automated Software Management Tools
Filtering/Blocking/Access Control Technologies
• Network Firewalls
• Host-based Firewalls
• Virtual Networks
Physical Security Controls
• Physical Protection
• Personnel Security
Authentication and Authorization Technologies
• Role-Based Authorization Tools
• Password Authentication
• Challenge/Response Authentication
• Physical/Token Authentication
• Smart Card Authentication
• Biometric Authentication
• Location-Based Authentication
• Password Distribution and Management Technologies
• Device-to-Device Authentication
Encryption Technologies and Data Validation
• Symmetric (Secret) Key Encryption
• Public Key Encryption and Key Distribution
• Virtual Private Networks (VPNs)
Industrial Automation and Control Systems Computer Software
Server and Workstation Operating Systems
Real-time and Embedded Operating Systems
Web Technologies
Need of indigenous R&D efforts
e-Security Ecosystem
Classification of Security solutions
•Collection
•Detection
•Prevention
•Protection
•Response (Analysis)
e-Security Products / Solutions of C-DAC
Collection
• Client-Server architecture based Dynamically Configurable Honeynet
Detection
• Malware Resist
• Malware Nivarak
Protection
• The BharatiyaAFIS™ Suite
• ENSAFE – End System Suraksha Framework
• STARS – Secure Two factor based Authentication for Remote Systems
• NAYAN – Network Abhigam niYantrAN
• USB Pratirodh
Prevention
• Guard Your Network – N/W Intrusion Prevention System Appliance
• Malware Prevention System
Response
• StegoCheck
• Face Recognition Software
• CyberCheck Suite
• MobileCheck
• NeSA – Network Session Analyzer
• Enterprise Forensics System
• Win-Lift Suite
• TrueImager
• TrueLock
• TrueBack Bridge
• TrueTraveller
Focus Areas
Centre: Bangalore
- Network Security (IDS/IPS)
- PKI and Key Management Systems
- Insider Attack Detection
- Grid and cloud Security
- SCADA Security
- Securing hardware systems
Centre: Chennai
- Cloud Security
Centre: Hyderabad
- End Point Security
- Malware Analysis and Prevention
- Security and Privacy for Ubiquitous Computing
- Device Control
- Web Application Security
- Mobile Security
- Cloud and Virtualization Security
Centre: Kolkata
- Face Recognition
- Network & Information Security
- Cyber Forensics
- Multimodal Biometrics
Focus Areas (continued)
Centre: Mohali
- Honeypots / Honeynets
- Bot detection
Centre: Mumbai
- Biometrics (Fingerprint, voice, Periocular and Iris, Vascular)
Centre: Noida
- Capacity building through Awareness Generation and Content Creation
Centre: Thiruvananthapuram
- Cyber Forensic for Hardware and Software tools
- Disk Forensics
- Network Forensics
- Mobiles and Handheld device Forensics
- Live Forensics and Enterprise Forensics
Research Labs
Title – Centre
• Industrial Control System Security Research & Cryptology Lab – Bangalore
• Cyber Forensic Research Lab – Thiruvananthapuram
• Cyber Threat Research Lab – Mohali
• Malware Research Lab – Hyderabad
• Public Key Infrastructure (PKI) Lab – Bangalore
• Facial Detection Resource Lab – Kolkata
Services
Service – Offered @
• Cyber Forensic Analysis – Thiruvananthapuram
• Malware Analysis – Hyderabad & Mohali
• Penetration Testing & Security Audits – Bangalore, Hyderabad & Mohali
• Web Application Security Testing – Hyderabad
• Wireless Security Assessment – Hyderabad
Network Abhigam niYantrAN (NAYAN)
Protects internal network from rapidly propagating threats and network misuse
NAYAN addresses the access control and authentication requirements of end systems
Salient Features
• User and End System Authentication
• End System authentication is based on a signature generated from hardware and software configuration
• Desktop Firewall
• Centralized Policy Management
• Automatic Policy Updating
• Role and Time Based Network Access Control
• Activity and Network Log
Malware Resist
Simplifying and Strengthening Security
• Detection Based on Runtime Behaviour. All running programs are monitored for a set of critical behaviors that could affect the normal functioning
Salient Features & Benefits
• Detection Based on Runtime Behaviour
• Capability to detect unknown malware based on heuristic technology
• Small memory footprint and high detection rate
• Co-exists with Anti Virus Solutions
• Low False Positive Rate
• Easy to Deploy and Use
USB Pratirodh
Regulating removable storage device access
USB Pratirodh is a software solution which controls unauthorized usage of portable USB storage devices
Salient Features:
• It provides the facility for an end user to control USB usage on his/her end system
• User authentication
• Device Control
• Blocks Autorun.inf Malware
• Password Protected uninstaller
• Co-exists with Antivirus solutions
Guard Your Network (GYN) IPS Features
Performance – 1 Gbps throughput
Attack Detection Methods: Signature Based, Anomaly Based
• Signature based Detection
– Buffer overflow
– SQL Injection
– Cross site scripting
– Directory Traversal
– Authentication bypass attempt
– Command Execution Attempt
– Backdoor detection
– OS and Protocol based Attacks
– Server attacks
• Anomaly detection
– Scan
– Flood
– DoS
– DDoS
• Security Analysis
– Flow analysis
– Threat analysis
– Incident analysis
– Event Correlation
• Management
– Bridge mode operation
– Alert generation
– Web based GUI
Intrusion Detection / Prevention Techniques - Overview
Intrusion Detection / Prevention System
Signature Based System: uses predefined attack patterns (signatures)
• Known attacks can be detected reliably with a low false positive rate
• No learning required
• Unable to detect new attacks
• Unable to process encrypted packets
Anomaly Based System: creates a baseline profile of normal activities. Thereafter, any activity that deviates from the baseline is treated as a possible intrusion
• Capable of detecting new attacks
• Suitable for detecting attacks which create variation in traffic patterns
• Setting a baseline for normal activity is challenging
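The two detection models above, worked as an added example in Go (this is not C-DAC's GYN or EDGE code): a signature engine over constructed access-log lines, and a per-source request-rate anomaly engine trained on a constructed baseline window. The log format, the three signatures and the mean + k·stddev threshold are assumptions made for the example. It shows the complementarity the slide describes: the injected SQL injection request is caught only by the signature engine, while the flood from 10.0.0.9 (benign-looking requests, no signature) is caught only by the anomaly engine.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"sort"
	"strings"
)

// LogEntry is one parsed line of a constructed access log: "<source-ip> <request-line>".
type LogEntry struct {
	Source  string
	Request string
}

// Alert records which engine fired, on which source, and why.
type Alert struct {
	Engine string // "signature" or "anomaly"
	Source string
	Reason string
}

// Signature is a named pattern for a known attack class (constructed for this example).
type Signature struct {
	Name    string
	Pattern *regexp.Regexp
}

// Signatures cover three of the attack classes named on the GYN slide.
var Signatures = []Signature{
	{"SQL Injection", regexp.MustCompile(`(?i)'\s*or\s*'1'\s*=\s*'1|union\s+select`)},
	{"Cross site scripting", regexp.MustCompile(`(?i)<script[\s>]`)},
	{"Directory Traversal", regexp.MustCompile(`(\.\./){2,}`)},
}

// ParseLog turns raw lines into entries, skipping malformed ones.
func ParseLog(lines []string) []LogEntry {
	var out []LogEntry
	for _, l := range lines {
		if parts := strings.SplitN(strings.TrimSpace(l), " ", 2); len(parts) == 2 {
			out = append(out, LogEntry{Source: parts[0], Request: parts[1]})
		}
	}
	return out
}

// SignatureDetect flags every request matching a known pattern: no training
// needed, but it can only see what it has a signature for.
func SignatureDetect(entries []LogEntry) []Alert {
	var alerts []Alert
	for _, e := range entries {
		for _, s := range Signatures {
			if s.Pattern.MatchString(e.Request) {
				alerts = append(alerts, Alert{"signature", e.Source, s.Name})
				break
			}
		}
	}
	return alerts
}

// AnomalyDetect learns requests-per-source from a baseline window and flags any
// source in the observed window above mean + k*stddev (never below mean+1, so a
// perfectly uniform baseline does not flag every small fluctuation).
func AnomalyDetect(baseline, observed []LogEntry, k float64) []Alert {
	counts := func(es []LogEntry) map[string]float64 {
		m := map[string]float64{}
		for _, e := range es {
			m[e.Source]++
		}
		return m
	}
	base := counts(baseline)
	if len(base) == 0 {
		return nil // no baseline, no judgement
	}
	var mean, sq float64
	for _, c := range base {
		mean += c
	}
	mean /= float64(len(base))
	for _, c := range base {
		sq += (c - mean) * (c - mean)
	}
	threshold := math.Max(mean+k*math.Sqrt(sq/float64(len(base))), mean+1)

	obs := counts(observed)
	sources := make([]string, 0, len(obs))
	for s := range obs {
		sources = append(sources, s)
	}
	sort.Strings(sources) // deterministic alert order
	var alerts []Alert
	for _, s := range sources {
		if obs[s] > threshold {
			alerts = append(alerts, Alert{"anomaly", s, fmt.Sprintf("%.0f requests vs threshold %.1f", obs[s], threshold)})
		}
	}
	return alerts
}

// SampleLogs builds constructed traffic: a quiet baseline, then a window holding
// one SQL injection request and a 40-request flood from a single new source.
func SampleLogs() (baseline, observed []string) {
	for i, n := range []int{4, 5, 3, 4} {
		for j := 0; j < n; j++ {
			baseline = append(baseline, fmt.Sprintf("10.0.0.%d GET /index.html HTTP/1.1", i+1))
		}
	}
	observed = append(observed, "10.0.0.1 GET /index.html HTTP/1.1", "10.0.0.5 GET /login?user=admin' OR '1'='1 HTTP/1.1")
	for j := 0; j < 40; j++ {
		observed = append(observed, "10.0.0.9 GET /index.html HTTP/1.1")
	}
	return baseline, observed
}

func main() {
	b, o := SampleLogs()
	for _, a := range append(SignatureDetect(ParseLog(o)), AnomalyDetect(ParseLog(b), ParseLog(o), 3)...) {
		fmt.Printf("%-9s %s: %s\n", a.Engine, a.Source, a.Reason)
	}
}
```

The baseline here (4, 5, 3, 4 requests per host) gives a threshold of about 6.1 with k = 3; what "normal" looks like, and therefore where the threshold sits, is exactly the baseline-setting difficulty the slide lists as the anomaly model's weakness.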
EDGE Features
• Network Management: Wide Area Network, Local Area Network
• Network Discovery: Active Discovery, Passive Discovery
• Network Monitoring: Performance, Security
• Traffic Profiling: Host based, Application based
• Anomaly Detection
– Statistical based
– Protocol based
• Attack Detection
– Scan
– Flood
– DoS
– DDoS
• Fast and light weight
• Customized Report Generation
Security Assessment System (SAS)
• Vulnerability and threat assessment system for grid.
• Conducts network audit
• Performs vulnerability and threat assessment.
• Visualization of threats and vulnerabilities
• Can be customized for generic computer networks
• Keeping track of network, cluster, OS and applications
• Provides the details of services and vulnerabilities
• Health analysis of the nodes.
• Provides various security assessment functions
• Facilitates system administrators to be aware of vulnerabilities
• Provides alerts for applying patches for identified vulnerabilities
• Report generation
Cyber Forensics
• Cyber Forensics activities were started at CDAC Thiruvananthapuram in 2002 by establishing a Resource Centre for Cyber Forensics under the initiatives on cyber security by DIT
• Research objectives are
– Development of cyber forensics tools
– Provide state-of-the-art training to User Agencies
– Provide technical support to User Agencies by analyzing cyber crimes
Resource Centre for Cyber Forensics
Major Research Areas
• Disk Forensics
– FAT, NTFS, Ex2fs, UFS, MAC, etc
• Network Forensics
– Email, Log Analysis, Packet Analysis
• Device Forensics
– GSM/CDMA phones, PDA, Smart Phones
• Software / Financial Fraud Forensics
– IPR, Database, etc
• Enterprise Forensics
Details on ready to use solutions / Products and user agencies identified
• Ready to use Solutions / Products:
1. CyberCheck Suite
• TrueBack – Tool for Disk Imaging
• CyberCheck – Tool for Data Recovery, Evidence Analysis and Reporting
2. NetForce Suite
• CyberInvestigator – Tool for Log Analysis
• NeSA – Tool for Network Session Re-construction and Analysis
3. Enterprise Forensics System
4. MobileCheck – Tool for Device Forensics
5. TrueImager – H/W based high-speed disk imaging tool
6. TrueLock – H/W based drive lock for IDE devices
7. TrueTraveller – Portable CF Analysis workstation
E-Security in the Industrial Control Systems (ICS)
• Cryptography and key management
– Research into uniquely secure and diverse escrow schemes and supporting key-management & cryptography in smartgrid.
• Advanced topics in cryptography
– Research in privacy-enhancing cryptographic algorithms (homomorphic encryption), cryptographic in-network aggregation schemes, identity-based encryption, access control without a mediated, trusted third party, etc.
• Advanced attack analysis
– Model to measure & identify the scope of cyber attack and dynamic cyber threat.
• Resiliency management and decision support
– Research in advanced tools to provide deep analysis of cyber-physical systems.
• Architecting real-time security
– Research in this area should provide strategies for minimizing and making predictable the timing impacts of security protections.
• Architecting for bounded recovery & reaction
– Research in different elasticity, tolerance and recovery mechanisms to study the timeliness of the steady state of the system.
• Internet usage in smartgrid (DoS/DDoS Resiliency)
– Research into the methods to deal with denial of service using the internet for specific types of smartgrid applications.
• Security Design & Verification Tools (SD&VT)
– Modeling of smart grid cyber & power systems using formal languages. Data analytics and intelligent methods verification tools.
Stuxnet
• A worm that is believed to have been created by the US and Israel to target Iran's nuclear facilities in 2010
• Spreads via MS-Windows and targets Siemens SCADA (Supervisory Control and Data Acquisition) equipment
• Contains a specialized malware payload that re-programs PLCs (Programmable Logic Controllers)
SCADA Topology Representation ISA 99 Standard (figure)
SCADA Vulnerabilities & Attacks
Architectural vulnerabilities
• Weak separation between process network & field network
• Lack of authentication among the active components
Security Policy vulnerabilities
• Patch management policies
• Anti virus update policies
• Access policies
Software Vulnerabilities
• Buffer overflows
• SQL-injection
• Format string
• Web-application vulnerabilities
Vulnerabilities in Communication Protocols
• DNP 3.0 (IP based)
• IEC 870-5-101 profile
• IEC 870-5-104 profile (IP based)
• Inter Control Centre Protocol (ICCP, IP based)
• ELCOM 90 (IP based, LAN protocol)
SCADA Attack Scenarios
SCADA protocol oriented attacks
• Malware DoS scenario (email infection, infection through phishing, DoS worm)
• Unauthorized command execution scenario (normal commands, maintenance commands)
• System data poisoning
• Replay attacks
• Compromised masters
Process network attacks
• SCADA Server Denial-of-Service (DoS)
• SCADA Server Corruption
– Unauthorized command execution
– Data poisoning
– System stop
• SCADA Server data flow corruption
• HMI corruption
Exchange network attacks
• Real Time Databases attacks
– Data poisoning attacks
– RT-database shutdown attacks
• Diagnostic Server attacks
Multi Agent Based SIEM – Test bed Setup (figure)
Multi Agent Based Security Information Event Management (SIEM)
SCADA Protocol Hardening mechanism for RTUs Compatible with IEC 870-5-101 (figure): MTU → Front End Processor → Protocol Hardener (based on IEC 62351 standards) → Communication Medium → Protocol Hardener (based on IEC 62351 standards) → RTU 1 (IEC 870-5-101); a second hardener pair serves a further RTU (also labelled RTU 1, IEC 870-5-101) in the same way
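An added example in Go (not C-DAC's protocol hardener, and not the IEC 62351 wire format) of the minimum a hardener pair between MTU and RTU has to do to address the "lack of authentication among the active components" and "replay attacks" points above: a shared-key HMAC tag over a sequence-number-prefixed frame, verified in constant time, with strictly increasing sequence numbers enforced on the receiving side. The key, the frame contents and the wire layout are constructed for the example; the IEC 870-5-101 frame itself passes through untouched, which is what lets the RTU behind the far hardener stay unmodified.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed wire format (not IEC 62351): seq(4 bytes, big-endian) || frame || tag(16 bytes),
// where tag = HMAC-SHA256(key, seq || frame) truncated to 16 bytes.
const (
	seqLen = 4
	tagLen = 16
)

var (
	ErrShort  = errors.New("frame too short")
	ErrBadTag = errors.New("authentication tag mismatch")
	ErrReplay = errors.New("sequence number not newer than last accepted")
)

// Hardener sits in front of an MTU or RTU and shares a pre-provisioned key with its peer.
type Hardener struct {
	key     []byte
	nextSeq uint32 // sender side: next sequence number to emit
	lastSeq uint32 // receiver side: highest sequence number accepted so far
	seen    bool   // receiver side: whether any frame has been accepted yet
}

func NewHardener(key []byte) *Hardener {
	return &Hardener{key: append([]byte(nil), key...), nextSeq: 1}
}

func (h *Hardener) tag(seqAndFrame []byte) []byte {
	m := hmac.New(sha256.New, h.key)
	m.Write(seqAndFrame)
	return m.Sum(nil)[:tagLen]
}

// Wrap prefixes a fresh sequence number and appends the tag; the plaintext frame is untouched.
func (h *Hardener) Wrap(frame []byte) []byte {
	out := make([]byte, seqLen, seqLen+len(frame)+tagLen)
	binary.BigEndian.PutUint32(out, h.nextSeq)
	h.nextSeq++
	out = append(out, frame...)
	return append(out, h.tag(out)...)
}

// Unwrap verifies the tag first (constant-time compare), then rejects any sequence
// number that is not newer than the last accepted one, so a captured frame cannot be replayed.
func (h *Hardener) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < seqLen+tagLen {
		return nil, ErrShort
	}
	body, tag := wrapped[:len(wrapped)-tagLen], wrapped[len(wrapped)-tagLen:]
	if !hmac.Equal(tag, h.tag(body)) {
		return nil, ErrBadTag
	}
	seq := binary.BigEndian.Uint32(body[:seqLen])
	if h.seen && seq <= h.lastSeq {
		return nil, ErrReplay
	}
	h.lastSeq, h.seen = seq, true
	return append([]byte(nil), body[seqLen:]...), nil
}

func main() {
	key := []byte("constructed-demo-key-not-for-production")
	mtuSide, rtuSide := NewHardener(key), NewHardener(key)

	cmd := []byte("CONSTRUCTED-101-FRAME: single command ON, IOA 100")
	w := mtuSide.Wrap(cmd)
	if f, err := rtuSide.Unwrap(w); err == nil {
		fmt.Printf("accepted: %s\n", f)
	}
	_, err := rtuSide.Unwrap(w) // same bytes delivered again
	fmt.Println("replayed frame:", err)

	w2 := mtuSide.Wrap(cmd)
	w2[seqLen+len(cmd)-1] ^= 0x01 // one byte of the command altered in transit
	_, err = rtuSide.Unwrap(w2)
	fmt.Println("tampered frame:", err)
}
```

Order matters in Unwrap: the tag is checked before the sequence number, so an unauthenticated frame can never move the receiver's replay window. Key provisioning, key rotation and the 32-bit sequence wrap are left out here and are the parts a real deployment has to get right.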
Face Recognition System
In the context of Machine Vision, a Face Recognition System is a computerized system to identify human faces.
(figure: Query Face → ? → Facial Database)
CENTRE FOR DEVELOPMENT OF ADVANCED COMPUTING
TECHNOLOGY CONCLAVE - 2013
Systems Developed by CDAC
1. Face Verification System: 1:1 match
Application areas:
• Visitor management system
• Attendance recording system
• Access control system
• Authentication of facial images in electoral roll
2. Face Identification System for Watch-list
Application areas (for reduction of search space out of a large database):
• Sieving duplicate entries in a large database (passport, electoral roll etc.)
• Missing person enquiry
• Identification of a suspect in disguise
A human investigator has to recognize the matched face from the short-listed set of faces.
Sub-disciplines of Information Hiding (figure): Information Hiding – Cryptography; Covered writing / Steganography (Linguistic Steganography, Technical Steganography); Anonymous communication; Robust copyright marking (Fingerprinting; Watermarking: Imperceptible, Visible)
Message Surveillance - Steganography
• Cover Media Types (Still image, Audio, Video, Printed Text and Fax)
• Message ~ text or image, to ensure precise and accurate communication
Research Areas
• Cyber Attack Capturing and Monitoring Technologies
– Passive technologies
• Web Application Honeypot
• Hybrid Honeynet system
• Distributed Honeynet system
– Active technologies
• Active Honeypot system for Drive-By-download attacks
• Analysis
– Bot detection and Botnet tracking
– Malicious website detection
– Cyber Attack profiling & attack trend establishment
– Attack Mitigation by development of attack signatures
ISEA Material Developed (www.infosecawareness.in): Posters for Parents; Parents/Teachers Handbooks; Children Comic Book; Posters for Children
Why PKI
• Assurance of the following properties is essential for safe, secure and reliable communication
– Confidentiality: preventing disclosure of information to unauthorized individuals or systems
– Integrity: data cannot be modified without authorization
– Availability: the information must be available when it is needed
– Authenticity: ensuring that the user, data, transactions, communications or documents are genuine
– Non-Repudiability: one party to a transaction cannot deny having sent/received it
Digital Signature
• A digital signature of a message depends on
– the signer (in fact the keys of the signer) and
– the content of the message being signed
• Digital signatures are verifiable
• To digitally sign an electronic document the signer uses his/her private key
• To verify a digital signature the verifier uses the signer's public key
Signature & Verification (figure)
Sender (labelled Alice / Veeru): Message → Hash Function → Message Digest → Encrypt (private key) → Signature; the message and the signature are transmitted together.
Receiver (labelled Jai): Transmitted Message → Hash Function → Expected Digest; Signature → Decrypt (public key) → Message Digest. If these are the same, then the message has not changed.
Hashing + Encryption (Private Key) = Signature Creation
Signature + Decryption (Public Key) = Signature Verification (Hashing)
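The signing and verification paths in the figure, as an added example in Go using only the standard library (not C-DAC's PKI code). The slide's "encrypt with private key / decrypt with public key" wording is the textbook picture; a real scheme such as RSA PKCS#1 v1.5, used here, signs a padded digest rather than literally encrypting it, so the code calls the signing and verification primitives directly. The names and message are constructed. Demo shows a genuine signature verifying, the same signature failing once the message changes (the Modification case from the Network Security Issues figure), and a signature made with someone else's key failing (Fabrication).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign follows the sender's path: hash the message, then apply the signer's
// private key to the digest (RSA PKCS#1 v1.5 with SHA-256).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify follows the receiver's path: recompute the digest from the received
// message and check it against the signature with the signer's public key.
// A false result means the message, the signature or the claimed signer is wrong.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome collects the three verification results the demo produces.
type Outcome struct {
	Genuine  bool // correct message, correct key
	Modified bool // message altered after signing
	Forged   bool // signature made with someone else's key
}

// Demo signs a constructed message with a freshly generated key and checks it three ways.
func Demo() (Outcome, error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048) // the legitimate signer
	if err != nil {
		return Outcome{}, err
	}
	mallory, err := rsa.GenerateKey(rand.Reader, 2048) // someone without Alice's private key
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Pay Veeru 100 rupees") // constructed message
	sig, err := Sign(alice, msg)
	if err != nil {
		return Outcome{}, err
	}
	forgedSig, err := Sign(mallory, msg)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		Genuine:  Verify(&alice.PublicKey, msg, sig),
		Modified: Verify(&alice.PublicKey, []byte("Pay Veeru 1000 rupees"), sig),
		Forged:   Verify(&alice.PublicKey, msg, forgedSig),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v modified=%v forged=%v\n", o.Genuine, o.Modified, o.Forged)
}
```

The verifier only ever handles the public key, which is what makes the signature checkable by anyone while still binding the message to the single holder of the private key; what a PKI adds on top is the certificate that says whose public key this is.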
PKI Activities
• Conduct awareness programs for end users of PKI
• Conduct training programs for PKI developers of
various platforms
• Conduct specialized programs for PKI Administrators
• Contribute to the adoption of PKI in mobile and
ubiquitous environments
• Assist in setup of PKI Resource Centre
• Evolve and Compose the PKI Body of Knowledge
e-Security Products / Solutions of C-DAC
Collection
• Client-Server architecture based Dynamically Configurable Honeynet
Detection
• Enterprise Network Management Solution (EDGE)
• Adrisya – Flow Based Anomaly Detection System
• Malware Resist
Protection
• The BharatiyaAFIS™ Suite
• ENSAFE – End System Suraksha Framework
• STARS – Secure Two factor based Authentication for Remote Systems
• NAYAN – Network Abhigam niYantrAN
• USB Pratirodh
Prevention
• Guard Your Network – N/W Intrusion Prevention System Appliance
• Malware Nivarak
• AppSamvid
Response
• StegoCheck
• Face Recognition Software
• CyberCheck Suite
• MobileCheck
• NeSA – Network Session Analyzer
• Enterprise Forensics System
• Win-Lift Suite
• TrueImager
• TrueLock
• TrueBack Bridge
• TrueTraveller
Research Labs
Title – Centre
• Cryptanalysis Research Lab – Bangalore (KP)
• Cyber Forensic Research Lab – Thiruvananthapuram
• Cyber Threat Research Lab – Mohali
• Industrial Control System Security Research Lab – Bangalore (KP)
• Malware Research Lab – Hyderabad
• Public Key Infrastructure (PKI) Lab – Bangalore (EC)
• Steganography Resource Lab – Kolkata
Thrust Research Areas
• Advanced Cyber Forensics
• Auditing and Security Quality Assurance
• Biometrics
• Cryptography and Cryptanalysis
• Disaster Recovery Solutions
• Digital Provenance
• Distributed Honeynets
• Dynamic Firewall & Network Management
• Grid, Cloud and Virtualization Security
• Hardware Security Modules
• Insider Attack Detection
• Intrusion Detection, Prevention & Analysis
• Large scale test beds for realistic experimentation
• Large scale Identity management & device control solutions
• Malware and Botnets (analysis, detection and prevention)
• PKI Evaluation Lab & Development
• Securing Time Critical Systems (SCADA, Smart Grid etc)
• Security Visualization
• Security Evaluation in SDLC
• Security Metrics and Tools
• Securing Cyber Physical Systems (ATMs, EVMs etc)
• Self Adaptive and Self Healing Software Systems
• Software Security and Formal Methods
• Steganography and Steganalysis
• Survivable Systems
• Threat Modeling
• Trusted Platform (Hardware and Software)
• Unified Threat Management
• Usable Security & Privacy
• Vulnerability Discovery
• Web Security
• Whitelisting and Modeling correct software behavior
• Wireless & Mobile Security
Services
Service – Offered @
• Cyber Forensic Analysis – Thiruvananthapuram
• Malware Analysis – Hyderabad & Mohali
• Penetration Testing & Security Audits – Bangalore (EC), Hyderabad & Mohali
• Web Application Security Testing – Hyderabad
• Wireless Security Assessment – Hyderabad
Online Courses
Name – Duration – Offered @
• PKI Training Programme – Self Paced – Bangalore (EC)
• C-DAC Certified Cyber Security Professional (CCCSP) – Self Paced (3 – 6 Months) – Hyderabad
• e-Learning courses on e-Security – 4 to 12 weeks – Noida
Education and Training Programmes
Offered @ Bangalore (EC) & Mumbai
Training Program – Duration
• Full Time Post-Graduate Diploma in Information Security – 6 Months
• NESEC (Network Security) – 1 Week
• Database Security – 1 Week
• C-HAT (Ethical Hacking) – 2 Days
• C-NET (Network Administration) – 3 Days
• C-PET (PKI Application Development) – 2 Days
• C-SEC (Perimeter Security) – 3 Days
• Database Security and Auditing – 3 Days
Education and Training Programmes
Offered @ Hyderabad
Training Program – Duration
• CNSS - Certificate Course on Networking and System Security – 22 Weeks
• Network Programming and Security Engineering – 2 Weeks
• e-Suraksha – A Practical Approach in Network Security – 1 Week
• Internetworking Devices Security – 1 Week
• Malware Reverse Engineering Techniques – 1 Week
• Web Application Security – 1 Week
• Wireless Security – 2 Days
• Information Security Awareness for Master Trainers – 1 Day
Education and Training Programmes
Offered @ Mohali
Training Program – Duration
• Advanced Diploma in Networking & System Security – 26 Weeks
• Training Program on Network Security Assessment and Proactive Defense – 8 Weeks
• Training program on Information and Network Security – 8 Weeks
• Ethical Hacking & Network Defense – 6 Weeks
• Network Security Engineering – 6 Weeks
• Perimeter Security Solutions – 2 Weeks
• Information Security Threat Assessment – 2 Weeks
• Information Security A Practical Approach – 2 Weeks
• Security Administration Linux – 2 Weeks
Education and Training Programmes
Training Program – Duration – Offered @
• Post Graduate Diploma Programme in Information Security – 2 Semesters (1 Year) – Noida
• Certificate course in Information Security (Noida) – 1 Semester (6 Months) – Noida
• Basic Cyber Forensics – 3 – 5 Days – Thiruvananthapuram
• Advanced Cyber Forensics – 2 Weeks – Thiruvananthapuram
Future Emphasis
• Scalable, Robust and Standard compliant security
solutions
• Securing Hardware Systems
• Common Criteria Certification
• Secure Software engineering & coding practices
• End to End Enterprise Security Suite
• Gear up for Global Competition
• Standardizing the training programmes across centres
Ongoing Research
• Cyber Forensics
– Enhancements in Enterprise Forensics System
– Development of Advanced Cyber Forensics Tools
– Tools for Cloud Forensics; Multimedia Forensics; Financial Fraud Analysis; Satellite phones & GPS devices Forensics; Malware Forensics; Data Mining & Visualization
– Embedded & Critical Systems Forensics
– Data Recovery from Damaged & Magnetically erased media
– Setting up of CF training centre
• Cloud Security
• Mobile Security
• SCADA Security
Ongoing Research
UTM (Unified Threat Management) Appliance
• Stateful Analysis
• Intrusion detection and Prevention
• Gateway antivirus
• Gateway anti-spyware
• Content filtering
• IPSEC & VPN
• Network and Bandwidth Management
Dynamic Firewall
• Behaviour model for evolving new firewall rules dynamically
• Methods to validate and verify the rules against conflicts, errors and inconsistency.
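One way to do the rule validation the second bullet asks for, as an added example in Go (this is not C-DAC's Dynamic Firewall): a checker for ordered first-match rule sets that reports a later rule fully covered by an earlier one as "shadowing" when the actions differ (the later rule silently never applies, which is the dangerous case when a rule engine evolves rules on its own) or "redundancy" when they agree. The rule schema and the sample policy are constructed for the example; containment uses net/netip, so prefixes of different address families never cover each other, and a protocol of "any" covers tcp and udp.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one ordered, first-match firewall rule (constructed schema).
type Rule struct {
	Name           string
	Src, Dst       netip.Prefix
	Proto          string // "tcp", "udp" or "any"
	PortLo, PortHi uint16 // destination port range, inclusive
	Action         string // "allow" or "deny"
}

// Conflict pairs an earlier rule with a later one it makes dead.
type Conflict struct {
	Kind    string // "shadowing" (different action) or "redundancy" (same action)
	Earlier string
	Later   string
}

// prefixCovers reports whether every address in b is also in a.
func prefixCovers(a, b netip.Prefix) bool {
	return a.Bits() <= b.Bits() && a.Contains(b.Addr())
}

// covers reports whether every packet matched by b is also matched by a.
func covers(a, b Rule) bool {
	return prefixCovers(a.Src, b.Src) && prefixCovers(a.Dst, b.Dst) &&
		(a.Proto == "any" || a.Proto == b.Proto) &&
		a.PortLo <= b.PortLo && b.PortHi <= a.PortHi
}

// FindConflicts walks the ordered rule set; a later rule fully covered by an
// earlier one can never match under first-match evaluation.
func FindConflicts(rules []Rule) []Conflict {
	var out []Conflict
	for j := 1; j < len(rules); j++ {
		for i := 0; i < j; i++ {
			if !covers(rules[i], rules[j]) {
				continue
			}
			kind := "redundancy"
			if rules[i].Action != rules[j].Action {
				kind = "shadowing"
			}
			out = append(out, Conflict{kind, rules[i].Name, rules[j].Name})
			break // the first covering rule is the one that actually fires
		}
	}
	return out
}

func mustRule(name, src, dst, proto string, lo, hi uint16, action string) Rule {
	return Rule{name, netip.MustParsePrefix(src), netip.MustParsePrefix(dst), proto, lo, hi, action}
}

// SampleRules is a constructed policy containing one redundant and one shadowed rule.
func SampleRules() []Rule {
	return []Rule{
		mustRule("r1", "10.0.0.0/8", "192.168.1.10/32", "tcp", 443, 443, "allow"),
		mustRule("r2", "10.1.0.0/16", "192.168.1.10/32", "tcp", 443, 443, "allow"), // inside r1, same action
		mustRule("r3", "0.0.0.0/0", "192.168.1.0/24", "any", 0, 65535, "deny"),
		mustRule("r4", "10.0.0.0/8", "192.168.1.20/32", "tcp", 22, 22, "allow"), // inside r3, opposite action
	}
}

func main() {
	for _, c := range FindConflicts(SampleRules()) {
		fmt.Printf("%-10s %s never matches because of %s\n", c.Kind, c.Later, c.Earlier)
	}
}
```

Partial overlaps (two rules that each match packets the other does not, with different actions) are a further class worth reporting in a real validator; they are not dead rules, but their relative order decides the outcome for the overlap, which is exactly the kind of inconsistency a dynamically evolving rule set can introduce.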
Insider Attack Detection
• Data collection
– Extensive Logging (Network and Host)
– Traffic capture, decode application specific protocols (like HTTP, DNS..)
– Collect Vulnerability Assessment information of all hosts
• Behavior Based model
• Event Correlation
Moving Towards Trustworthy Systems: R&D Essentials
• “If you are playing a game you can’t win, Change the
Game”
• Three game Changing Concepts:
– Moving Target (MT) – systems that move in multiple dimensions to the
attacker’s disadvantage and to increase resiliency
– Tailored Trustworthy Spaces (TTS) – Security tailored to the needs of
a particular transaction rather than the reverse
– Cybereconomic Incentives – a landscape of incentives that reward good cyber security and ensure that crime does not pay