HTO 3: PPT Presentation Day 2 - Illinois Section American Water
High-Tech Operator Certificate Program
Course 3: Data Management
Course 3-Day 2
Agenda – Day 2
Welcome Back & Review
Interfaces Between Systems & Applications
Networks & Network Components
In-house vs. Hosted Solutions
Web Site and Portal Functions and Features
Security Issues
Course Conclusion
Copyright © 2009 AWWA
2
Welcome Back
This is day 2 of the third course in a series of three that leads to a High-Tech Operator Certificate.
Today we’ll look at interfaces between systems & applications, networks & their components, in-house vs. hosted solutions, web site & portal functions & features, and security issues.
Introductions and Review
Before we begin, let’s review.
What did you learn yesterday?
Introduce yourself
Your name
Where you are from
Share one thing from yesterday that really stuck
out for you
Goals
By the end of today, you will be able to:
Identify 4 common information silos
Describe functions of common network components
Identify benefits of client-server and ASP solutions
Distinguish between web sites and portals
Identify 3 of the common system security weaknesses
Agenda – Day 2
Welcome Back & Review
Interfaces Between Systems & Applications
Networks & Network Components
In-house vs. Hosted Solutions
Web Site and Portal Functions and Features
Security Issues
Course Conclusion
Currently: Disparate systems
Why is this a problem?
Inconsistent data
No cross-functional reports
Miss the big picture
Significant time spent
collecting & analyzing data
from multiple systems
Dependence on system
owners to produce information
Inability to make timely
decisions
What is the Solution?
Integrated Systems
Integrated Processes
Example Cross-Functional Processes and Systems
Process: Related Systems
Purchasing: CMMS, FIS
Work Orders: CMMS, FIN, HR, GIS, SCADA
Customer Service: CMMS, GIS
Customer Web Access: CIS, GIS, CMMS
Budgeting: FIS, HR, CMMS
Operations Management: CMMS, FIN, HR, GIS, SCADA, CIS
Example Cross-Functional Business Process: Purchasing
Diagram of the purchasing process; the steps shown are Inventory Request, Purchase Requisition, Purchase Order, Shipment Confirmation, Inventory Confirmation, and Payment.
Example Cross-Functional Business
Process
Why Integrate?
Improved Customer
Service
Improved Operational
Efficiency
Cost Savings
Improved Management
Alignment with Strategic
Goals
How do you get there?
What if it works?
Better oversight
Improved analytics/decision support
Cross-application data analysis
Assess customer demand for services
Plan for resources to match demand
More accountability
React to changes efficiently/effectively
Allows for proactivity
Less Cost/More Revenue
More efficient work staff
Increased productivity
Cost/unit reductions with better accuracy for
planning and analysis
Lower transactional & service cost with the Web
Potential to eliminate maintenance on redundant
systems
Operational Efficiency
Eliminate dual entry/redundancy
Improved data quality
Improved analytics
Improved decision making
Improved business processes
Ability to plan to meet demands
Streamline/unify approaches
Ability to take advantage of best practices
Improved Customer Service
Customers
Greater information availability
Better response time
Fewer, more-effective interactions
Employees
Real-time data
Better access to information
More information to answer questions
Increased visibility of the whole business process
Alignment with Strategic Goals
Improve customer service level
More-effective policymaking
Leverage technology investment
Expand Web-based functionality
Summary
Disparate systems have negative effects on
business
Integration leverages staffing and technology
investments
Integration efforts must be planned
Integration can enable your workforce to make
better decisions and be more efficient
Agenda – Day 2
Welcome Back & Review
Interfaces Between Systems & Applications
Networks & Network Components
In-house vs. Hosted Solutions
Web Site and Portal Functions and Features
Security Issues
Course Conclusion
What is a Network?
A group of interconnected computers
Can be defined by scale
Personal Area Network (PAN)
Local Area Network (LAN)
Campus Area Network (CAN)
Metropolitan Area Network (MAN)
Wide Area Network (WAN)
Can be defined by communication protocol
Networks
Personal Area Network
Communicates among devices close to one
person, typically within 20-30 feet.
May be hardwired or wireless.
Local Area Network
Covers a small geographic area (home, office, or
building).
Most likely uses Ethernet technology.
Operate at speeds up to 10 Gbit/s.
Networks (cont.)
Campus Area Network
Connects two or more LANs
Limited to a specific & contiguous area
Metropolitan Area Network
Connects two or more LANs or CANs
Does not extend beyond the boundaries of the
town, city, or metropolitan area
Networks (cont.)
Wide Area Network
Covers a relatively broad geographic area (e.g., from one city to another, or from one country to another)
Often uses transmission facilities provided by
common carriers, such as telephone companies
Intranet
Intranet
Set of interconnected networks
Uses the Internet Protocol and Web browsers
Under the control of a single administrative
entity, allowing only specific users
Closed to the rest of the world
Extranet
Extranet
Limited in scope to a single organization
Has limited connections outside the organization to the
networks of one or more other organizations or entities
Network Hardware
All networks are made up of basic hardware
building blocks to interconnect network nodes,
such as Network Interface Cards (NICs),
Bridges, Hubs, Switches, and Routers. In
addition, some method of connecting these
building blocks is required, usually in the form of
galvanic cable (most commonly Category 5
cable). Less common are microwave links (as in
IEEE 802.11) or optical cable ("optical fiber").
Network Card
A network card, network
adapter or NIC (network
interface card) allows
computers to communicate
over a network.
It provides physical access to
a networking medium.
It connects to the network
either by using cables or
wirelessly.
Repeater
A repeater is an electronic device that
receives a signal, removes noise, and retransmits it at a higher level or higher
power, or onto the other side of an
obstruction, so that the signal can cover
longer distances without degradation.
Available for all network communication
media (T1, Ethernet, fiber optic, wireless,
etc.)
Hubs & Switches
A hub contains multiple ports. When a packet arrives at
one port, it is copied to all the ports of the hub.
Switches are like hubs, but associate addresses to ports
and send traffic for a specific address only to the
associated port.
Routers
Routers are networking devices that forward
data packets between networks using headers
and forwarding tables to determine the best path
to forward the packets.
Routers work at the network layer of the TCP/IP
model. Routers also provide interconnectivity
between like and unlike media.
A router is connected to at least two networks,
commonly two LANs or WANs or a LAN and its
ISP's network.
Agenda – Day 2
Welcome Back & Review
Interfaces Between Systems & Applications
Networks & Network Components
In-house vs. Hosted Solutions
Web Site and Portal Functions and Features
Security Issues
Course Conclusion
In-House or ASP?
Where do you want your software hosted?
If you run it in-house, the solution is usually
referred to as a client-server system
Vendor-run applications are referred to as
application service provider (ASP) solutions
Both options provide distinct advantages:
consider which are more important to you
Client-Server Solutions
Most software is locally hosted - the application and data
reside on your in-house server. This gives you the
greatest control over every aspect of your applications.
Having this total control comes at a cost, though.
It takes considerable expertise and effort to maintain the
document database and keep it secure.
It often requires significant expense for consultants and
hardware.
It gives you the responsibility of making regular backups in
case of a system crash.
ASP Solutions
ASP solutions are gaining popularity.
The application and data reside on the supplier's
servers, and your staff gets access through a Web
browser or client software.
The database is maintained by the vendor’s IT staff.
Multiple layers of firewalls and security, UPSs, fail-over
and reliable backups are all part of the package.
The biggest risk of on-line solutions is that they require
an active Internet connection.
Costs
With a client-server system, you pay a lump sum
upfront to buy and set up the system, including
software and servers.
With on-line providers, you pay a smaller setup
fee and then ongoing monthly payments based
on usage.
Consider In-house IT Capabilities
If you have in-house IT staff, a client-server
solution may be your best option.
Smaller organizations with little to no computer
expertise are probably better off choosing an online solution.
Consider Level of Customization
ASPs can easily make basic changes in
appearance and functionality, giving you some
control over the application.
If you need extensive customization and
integration, client-server solutions provide more
flexibility (but at a premium price).
Consider Security
If you have documents that you are legally required to protect, an in-house solution gives you direct responsibility for them.
In many cases, though, ASPs can
provide better security than you could
in your own data center, through more
layers of security and larger IT staffs.
Consider the Potential Problems
Being unable to access your documents through an ASP while your Internet connection is down,
or
losing data and time because your in-house server crashes.
Agenda – Day 2
Welcome Back & Review
Interfaces Between Systems & Applications
Networks & Network Components
In-house vs. Hosted Solutions
Web Site and Portal Functions and Features
Security Issues
Course Conclusion
Why Use the Web?
Accessible from anywhere Internet access
is available
Ability to set different permission levels
Can be made secure
Web Site
A web site is a collection of Web
pages, images, videos or other digital
assets that is hosted on one or more
Web servers, usually accessible via
the Internet.
A Web page is a document, typically
written in HTML, that is almost always
accessible via HTTP, a protocol that
transfers information from the Web
server for display in a Web browser.
Web Pages
The pages of web sites are usually
accessed from a common root URL
(a.k.a. URI): the homepage, and
usually reside on the same physical
server.
The URLs of the pages organize them
into a hierarchy, although the
hyperlinks between them control how
the reader perceives the overall
structure and how the traffic flows
between the different parts of the sites.
Web Server
A web site is hosted on a computer
system known as a web server (a.k.a.
HTTP server).
A system runs software that retrieves
and delivers the Web pages in
response to requests from the web site
users.
Apache and Microsoft’s Internet
Information Server (IIS) are commonly
used Web server applications.
Accessing Web Pages
Web sites are written in, or
dynamically converted to,
HTML and are accessed
using a software interface
called a user agent.
Web pages can be viewed or
otherwise accessed from a
range of computer-based and
Internet-enabled devices,
including desktop computers,
laptop computers, PDAs and
cell phones.
<html>
<head><title>Title goes here</title></head>
<body>
<h1 align=right>Body goes here</h1>
<hr>
<h3 align=center>Headings are cool!</h3>
<p><b>I can use text links... Visit <a href="http://www.davesite.com/">Dave's Site</a>!</b><hr width="50">
and Image Links... <a href="http://www.davesite.com/"><img src="http://www.davesite.com/graphx/davesmll.gif" alt="Dave's Site"></a></p>
</body>
</html>
Accessing Web Pages (cont.)
A static web site is one that has Web pages stored on
the server in the same form as the user will view them.
They are edited using three broad categories of
software:
Text editors such as Notepad or TextEdit, where the HTML
is manipulated directly within the editor program
WYSIWYG editors such as Microsoft FrontPage and
Adobe Dreamweaver, where the site is edited using a GUI
interface and the underlying HTML is generated
automatically by the editor software
Template-based editors, such as Rapidweaver and iWeb,
which allow users to quickly create web sites by just
picking a suitable template from a palette and adding
pictures and text to it without ever having to see any HTML
code.
Why a Portal?
It provides a centralized application that
serves as a gateway to the other
applications within the same enterprise:
To share the information across
applications.
To have a single access point to all
applications over the Internet.
To personalize the applications and have
the coupled applications coordinated.
To have administrative tools all in a single
place to administer all the applications.
Advantages of Using Portals
Intelligent integration and access to enterprise content,
applications and processes.
Improved communication and collaboration among
customers, partners, and employees.
Unified, real-time access to information held in disparate
systems.
Consistent headers, footers, color schemes, icons &
logos, which give the user a sense of consistency,
uniformity, and ease of navigation
Personalized user modification and maintenance of the
web site presentation.
Portal Tools
Web portals have tools to:
Manage data
Manage applications
Manage information
Personalize views
Integrate legacy applications
Handle thousands of user requests
Corporate Portals Capabilities
Managing workflows
Increasing collaboration between work groups
Allowing content creators to self-publish their
information
Allowing internal and external access to specific
information using secure authentication
What’s Hot
Microsoft's SharePoint Portal Server line of products has been gaining popularity among corporations for building their portals, partly due to its tight integration with the rest of the Microsoft Office products.
Portals and databases are offered as ASP
solutions.
Agenda – Day 2
Welcome Back & Review
Interfaces Between Systems & Applications
Networks & Network Components
In-house vs. Hosted Solutions
Web Site and Portal Functions and Features
Security Issues
Course Conclusion
IT Security Fundamentals
IT Security affects and is integrated into many areas:
Security Management Practices
Access Control
Security Models and Architecture
Physical Security
Telecommunications and Networking Security
Cryptography
Disaster Recovery and Business Continuity
Law, Investigation, and Ethics
Application and System Development
Operations Security
What do you want to protect?
Sensitive Data
Employee Payroll and other personal information
SCADA point lists
CCTV locations
Network Diagrams
Spread-Spectrum Radio Hopping Patterns
Passwords, PIN Codes
Org Charts, Vacation Schedules
Sensitive Systems
Finance and Billing Systems
Physical Security System
SCADA / Process Control Systems
Routers and Network Equipment
System Administrator Workstations, Laptops
Anything else you need to run your business…
System Vulnerabilities
Top 10 Control System Vulnerabilities
1. Inadequate security policies and
procedures
Clash between operational culture & modern IT
security methods.
Lack of appreciation of the risk involved with
networking control systems.
Lack of adequate risk assessment.
No control system information security policy.
No auditing or enforcing of control system
information security policy.
2. Inadequately designed defense-in-depth
mechanisms
Emphasis on system availability and reliability,
with security being an afterthought.
Insufficient investment to reengineer systems’
Web-based technology in accordance with
appropriate risk assessment criteria.
3. Remote system access without
appropriate access control
Inappropriate use of dial-up modems.
Use of commonly known passwords or no use of
passwords.
Use of nonsecure control system connectivity to
the corporate Local Area Network (LAN).
Allowing unauditable and nonsecured access by
vendors for support.
4. Inadequate system admin mechanisms &
software maintenance
Inadequate patch management.
Lack of appropriately applied real-time virus
protection.
Inadequate account management.
Inadequate change control.
Inadequate software inventory.
5. Use of inadequately secured WiFi
communication for control
Use of commercial off-the-shelf (COTS)
consumer-grade wireless devices for control
network data.
Use of outdated or deprecated
security/encryption methods (e.g., WEP).
6. Use of nondedicated comm channels
for command & control
Internet-based SCADA
Inappropriate use of control channels for noncontrol
data.
Asset management
Power quality data files
Metering
Maintenance
Internet/Intranet connectivity initiated from control
system networks.
E-mail
Web browsing
File Sharing
Instant Messaging
7. Lack of tools to detect and report
inappropriate activity
Underutilized Intrusion Detection Systems (IDS)
Undermanaged network system
Implementation of immature Intrusion Prevention
Systems (IPS)
8. Unauthorized apps or devices on
control system networks
Unauthorized installation of additional software to control
system devices (games, “weatherbug”, spyware).
Peripherals with noncontrol system interfaces (multifunction or multinetwork printers).
Nonsecure Web interfaces for control system devices.
Laptops.
USB memory.
Other portable devices (personal digital assistants
[PDAs]).
9. Control systems command and control
data not authenticated
Authentication for LAN-based control commands
not implemented.
Immature technology for authenticated serial
communications to field devices.
10. Inadequate critical support
infrastructure
Inadequate uninterruptible power supply (UPS) or other
power supply systems.
Inadequate or malfunctioning heating / ventilation / air
conditioning (HVAC) systems.
Poorly defined “6-wall” boundary infrastructure (foam
ceilings).
Insufficiently protected telecommunications
infrastructure.
Inadequate or malfunctioning fire suppression systems.
Lack of recovery plan.
Insufficient testing or maintenance of redundant
infrastructure.
Threats – Outsiders
Groups
Organized Crime
“Hacktivists”
Hacker Groups
Foreign Intelligence
Terrorists
Individuals
Fraud / Scam Artists
Curious Hackers
Vandals
Threats – Insiders
Disgruntled:
Employees and Ex-Employees
Vendors and Ex-Vendors
“Gruntled” but overly curious:
Employees and Ex-Employees
Vendors and Ex-Vendors
Malware
Virus
Self-replicating
Trojan Horse
A “bad” program disguised as a “good” program
Adware
You searched for product A and got pop-ups for competitor product B
“How did THAT get on MY computer?”
Spyware
From usage monitors to keyloggers and password-grabbers
Weather monitors, custom cursors, screensavers, games, etc.
Once you have one, many more will follow…
Malware
Spam – Not the tasty Hormel kind…
“Legitimate” Unsolicited Commercial E-mail
“Adult” Web sites or services
Shady Sales Pitches from Forged IP addresses
“Rolex watches”, “Can you last 36 Hours”, “Hot stock tips”
Fraud and Phishing (more on this later)
You won the lottery!!!
Nigerian Oil Scam (aka 4-1-9 scam)
Pirated Software Products or Movies
Hidden Web “Bugs” in the Spam let the sender know you got it ok…
Not all spam will be caught by the spam filter (false negatives)
DON’T EVER, EVER, EVER REPLY TO SPAM OR CLICK ON ANYTHING IN THE MESSAGE
Recommend disabling “auto-preview” and “Preview Pane” in Outlook
Malware
EULA – End-User License Agreement
The 30-page document that you didn’t read, but which
is legally binding and that you agreed to when you
clicked “OK” (Kazaa, Gator / GAIN, Weatherbug,
Screensavers)
You might have agreed to:
Limit liability to company due to damages directly or indirectly
caused by the software
Allow collection of data, including configuration information
and files
Allow monitoring of activity, including Web surfing, e-mails,
user names, passwords, credit card numbers
Allow installation of additional software without further
permission or notification
Malware
Symptoms
Computer running slow
Frequent crashes
Extra pop-ups
Slow network response time
Unfamiliar “Search Toolbars”
Detection and Removal
Antivirus software for viruses but not spyware (EULA)
Free Spyware Detection such as Ad-Aware, Spybot
Search & Destroy, Microsoft Anti-Spyware Beta
Commercial Spyware Detection
Social Engineering
Someone trying to get you to do something you
shouldn’t do, or give them information you
shouldn’t give out
Attacker will play on emotions with various
tactics: Persuasion, Intimidation, Trust, Guilt,
etc…
As technical controls are improved (firewalls,
antivirus, etc.), social engineering becomes a
more effective route
Social Engineering
“Hi, this is Mark over here at SCADA Masters. We’re
consolidating your O&M documentation into a new
format and I just wanted to verify that you guys are still
using 142 for your hopping pattern…”
“This is Alan from Fruitdale Water District. We’re
thinking about putting in a SCADA system and I was just
wondering what you guys were using and how well it’s
working out for you…”
“Hey, I’m sorry to bother you on a Friday – this will only
take a second. I’m doing a survey for my Environmental
Studies class and I wanted to ask you a few
questions…”
“Could you fax me your org chart…?”
Social Engineering
From: Bob Stevens <[email protected]>
To: All Employees
Subject: Mandatory System Update
This is a mandatory system update to protect our employees from the recent Buster worm. Please click the following link to install this mandatory update:
https://intranetserver%40101%2e5%2e87%2e52/update05276.exe
Thanks,
Bob Stevens, System Administrator
(%40101%2e5%2e87%2e52 translates to @101.5.87.52)
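As an added example (not part of the course slides), the following Python checker unpacks the link above the way the slide's footnote does and reports why the connection would not go to the server named in the link. The link is the one shown on the slide; the function name and the list of risky file extensions are assumptions made for the example.

```python
"""Spot the userinfo ('@') trick in a phishing link.

Added example; not part of the AWWA course material.  PHISH_URL is the link
from the slide.  The function name analyze_link and RISKY_EXTENSIONS are
assumed for illustration.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# The obfuscated link from the slide: "%40" hides an '@', "%2e" hides dots.
PHISH_URL = "https://intranetserver%40101%2e5%2e87%2e52/update05276.exe"

# Assumed list of extensions a mail gateway would treat as executable content.
RISKY_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi")


def analyze_link(url):
    """Return the host a browser would really connect to, plus warning reasons.

    The authority part is percent-decoded first, because an encoded '@'
    (%40) only becomes visible after decoding.  Everything before '@' in
    the authority is userinfo (a user name), not the host of the connection.
    """
    raw = urlsplit(url)
    decoded = urlsplit(unquote(url))
    reasons = []

    # 1. Userinfo present: the text before '@' is bait, the host comes after it.
    displayed = None
    if decoded.username is not None:
        displayed = decoded.netloc.rsplit("@", 1)[0]
        reasons.append(
            f"userinfo trick: '{displayed}' is not the host, "
            f"the connection goes to '{decoded.hostname}'"
        )

    # 2. Percent-encoding inside the authority has no legitimate use in a
    #    host name; it only hides the structure of the URL from the reader.
    if "%" in raw.netloc:
        reasons.append("percent-encoded characters in the host part")

    # 3. A bare IP address instead of a name (an intranet server would
    #    normally be reached by its name).
    real_host = decoded.hostname or ""
    try:
        ipaddress.ip_address(real_host)
        reasons.append("destination is a bare IP address")
    except ValueError:
        pass

    # 4. The link downloads an executable rather than opening a page.
    if decoded.path.lower().endswith(RISKY_EXTENSIONS):
        filename = decoded.path.rsplit("/", 1)[-1]
        reasons.append(f"link points at an executable ({filename})")

    return {
        "decoded": unquote(url),
        "displayed_host": displayed,
        "real_host": real_host,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    # Second link is a constructed benign one for comparison.
    for link in (PHISH_URL, "https://intranetserver/updates/notes.html"):
        result = analyze_link(link)
        print(link)
        print("  decodes to:", result["decoded"])
        print("  real host: ", result["real_host"])
        for reason in result["reasons"]:
            print("  WARNING:", reason)
```

The same check catches the trick when the '@' is written out unencoded (http://user@host/...), since it works on the decoded authority either way.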
Phishing
A type of social engineering that plays on fear
Almost always tries to get personal information
When in doubt, contact the supposed source directly (via
phone or e-mail)
Never respond to or click on any part of the message
E-mail is like a postcard, anyone can easily forge the
“from” address and make the message look real
Linked with virus spreaders and even organized crime
BE CAREFUL!!! Ask your system administrator!
Fake lotteries
How to spot…
Did you enter in a lottery?
Do they tell you not to tell anyone?
Ar thier a lot of mispllled words or phrases uncommon?
Do they ask you to send them a copy of your passport or
other identification, important documents, etc.
Is there a “processing fee”? Often this is the scam itself.
Do you think they would really just e-mail you about it?
If it sounds too good to be true…
If all else… Entering in foreign lotteries is illegal!!!
Fake lotteries
FROM: THE DESK OF THE E-MAIL PROMOTIONS
MANAGER,INTERNATIONAL PROMOTIONS/PRIZE
AWARD DEPARTMENT MICROSOFT LOTTERY,
UNITED KINGDOM. 61-70 Southampton Row,
Bloomsbury, London, United Kingdom, WC1B 4AR
MR. GABRIEL MARTINS
PHONE #:+44 703-194-3199
REF NO: MSW-L/200-26937
BATCH: 2005MJL-01
ELECTRONIC MAIL AWARD WINNING NOTIFICATION. AWARD PRESENTATION CENTER:
UNITED KINGDOM
We are pleased to inform you of the announcement today of winners of the MSW MEGA
JACKPOT LOTTO WINNINGS PROGRAMS held on 2nd SEPTEMBER 2005.Your company or
your personal e-mail address, is attached to winning number 20-12DEC-2004-02MSW, With
serial number S/N-00168 drew the lucky numbers 887-13-865-37-10-83, and consequently won
in the first lottery category.
You have therefore been approved for lump sums pay out of GBP5,500,000.00 POUNDS in cash
Credited to file REF NO:MSW-L/200-26937 this is from total prize money of GBP 27,500,000.00
POUNDS, shared among the Twenty (5) international winners in this category….
Fraudulent or Illegal Offers
“Rolex” Watches
Low-cost prescription drugs
Illegal pirate / bootleg copies
Low-cost DVD movies
It is currently illegal to purchase prescription drugs without
a prescription and/or from overseas sources
Low-cost Adobe Photoshop / Microsoft Office
Just like the street peddlers in New York sell…
Same thing…
University “diploma” based on “experience” (and your $)
This won’t be from an accredited university
4-1-9 / Nigerian Oil Scam
From: JAMES ZUPP [[email protected]]
Subject: YOUR UTMOST ASSISTANCE AND HUMBLE COOPERATION REQUIRED
Dearest one,
This letter might come to you as a surprise as we have not met before,but I believe that
you would be compelled to help me after going through the contents of this letter.
My name is Mr James Zupp,a divorcee, I am a Zimbabwean of German Origin.I am
a farmer,or rather I was a farmer in Zimbabwe.Basically, I was involved in
Agricultural production,until August 2002, when the government of Robert Mugabe
decided to seize all farm-land(s) owned by whites in Zimbabwe (without
compensation). He (Robert Mugabe) did not stop at that; he also went on to expel all
White farmers in Zimbabwe.He employed the services of his war veterans to
undertake this seizure. I used the services of a Diplomatic Courier Company to
move this money (registered as official documents) out of Zimbabwe to Europe.At
present, my money totalling US$15,750,000. (Fifteen million, seven Hundred and
fifty thousand United States Dollars) is in Europe and hopefully, it would be paid
into an offshore account. Can you help me? Are you trustworthy? Can you
handle this money? Are you capable of handling this money? If you can, please
contact me on:[email protected]
….
Types of Tests
Vulnerability (or Security) Assessment
Audit
Assessing to specific and predefined standards
Penetration Test (or Penetration Study)
Looking for all weaknesses
Looking to exploit at least one specific
vulnerability to gain access to restricted
resources or systems for demonstration purposes
(“prove it!”)
RAM-W Methodology
AWWA RAM-W Methodology
Originally developed by Sandia National Labs
Expansion on RAM (Risk Assessment
Methodology). The W stands for Water.
Now run by American Water Works Association
Process of identifying and prioritizing assets by
pair-wise comparison and spreadsheets
Little focus on SCADA
Only focused on “loss” of assets, not misuse
Why do a Penetration Test?
Moving from the Theoretical to the Real World
Simulates a real “Hacker Attack”
If successful, provides unquestionable evidence
that specific vulnerabilities exist
If unsuccessful, provides a reasonable level of
assurance that networks and systems are
secure at that time
Very powerful in its form and presentation
Can find weaknesses and design flaws that
nobody ever thought about
What does a Penetration Test Entail?
Black Box (Blind Test) vs. White Box (Engineering Study)
Customer knows in advance vs. Customer response is being evaluated
Architecture Review
External Pen-Test vs. Internal Pen-Test
Background Research and Document Grinding
Social Engineering
IP-based Network Vulnerability Scanning
Identification of misconfigured Items
Exploitation of found vulnerabilities (usually scripting and C code!)
Password guessing and cracking
Dial-up Telephone Audit (wardialing)
802.11x Wireless Ethernet audit (wardriving)
Goal achieved, time limit reached, or testing halted
Final Report and Presentation to Upper Management
Plan for Ongoing Remediation Activities and Follow-on Testing
Resources
Sans.org (Reading Room, Storm Center)
SecurityFocus.com (E-mail discussion lists)
US-CERT.gov (Alerts)
CERT.org (Alerts)
WaterISAC.org (Information Sharing)
ARIN.net WHOIS (Look up IP addresses)
Your System / Network Administrator