Industrial Control Systems The Next Twin Towers?
Eugene Kaspersky a few days ago wrote a hair-raising blog post about the reality of our Industrial Control Systems, which are way more vulnerable than the network in your office. Industrial Control Systems (ICS) are the software that controls our nuclear power stations, transportation control and, among many others, oil refineries. He started out with a bit of background on vulnerable industrial systems and my mouth fell open.
I'm quoting Kaspersky here: “Though industrial IT systems and, say, typical office computer networks might seem similar in many ways, they are actually completely different beasts – mostly in terms of their priorities between security and usability. In your average company, one of the most important things is confidentiality of data, and IT administrators are encouraged to isolate infected systems from non-infected systems to that end, among others.
Thus, for example, if on the corporate file server a Trojan is detected, the simplest thing to do is disconnect the infected system from the network and then later start to tackle the problem.
In industrial systems that can’t be done, since here the highest priority for them is maintaining constant operation come hell or high water. Uninterrupted continuity of production is of paramount importance at any industrial object in the world; security is relegated to second place.
Another challenge to securing an “always on” environment arises due to software at an industrial/infrastructural installation only being updated after a thorough check for fault-tolerance – so as to make sure not to interrupt the working processes. And because such a check requires loads of effort (yet still doesn’t provide a guarantee of non-failure) many companies often simply don’t bother to update ICS at all – leaving it unchanged for decades.(!) (emphasis added)
Updating software might even be expressly forbidden by an industrial/infrastructural organization’s safety policy. Just recently I read a nice piece about this, which listed 11 ICS security rules; rule #2 is “Do not touch. Ever.” What more of an illustration do you need?! [end quote]
Even if an ICS is disconnected from the Internet, it can still be penetrated by social engineering, as was shown in the Stuxnet attack in Iran, where the ICS of their nuclear enrichment facility was corrupted with a simple thumb drive attack. All employees of these industrial facilities should be stepped through some high quality security awareness training.
It was one of the comments that caused me some thought and was the inspiration for the title of this blog post. Prof. Larry Constantine remarked: “I was talking with ICS security expert Ralph Langner yesterday. We agreed that the biggest barriers to enhancing industrial cyber-security are not so much technical–formidable though those may be–as financial. In the absence of government mandates there are no economic incentives for operators to improve ICS security. The large investment has no near-term payoff; it is costly and it complicates already complex systems. Until the industrial equivalent of the Twin Towers, we are not likely to see great strides forward in terms of protecting critical infrastructure from cyber-attacks. Even then, it would not be too surprising if most of the effort went into initiatives analogous to airport security–showplace charades more about public reassurance through the illusion of security than about the reality.” The full Kaspersky blog post.
Cybergeddon – New Web Series Sponsored By Symantec
Not sure how I missed this, but on Sept 25th a new web series was released via Yahoo Screen. The creator is CSI's Anthony E. Zuiker, and this new series indeed has Hollywood production values we have not seen on the web yet. The 9 (mini) episode story is about an FBI agent (easy-on-the-eyes star Missy Peregrym) who is framed for a massive zero-day virus attack that threatens to shut down most of the Internet.
This is by far the most expensive Web series up to now at a cost of $6 million, triple the $2 million spent on Tom Hanks' Electric City. They translated it into 10 different languages and it was released in 25 countries. The producers hope to get 20 million hits over time, as this thing has a long shelf life. It has not gone viral yet, but for techies like us it's fun to watch, and you will recognize a lot of security terms that for a change are correctly used. Must be that Symantec's malware warriors had a hand in the script. I spent a pleasant Sunday morning watching this. Here are the trailer and links to the episodes.
Quotes Of The Month
"The defender needs to be perfect all the time. The attacker only needs to succeed once." -- Securosis Blog
"Hence that general is skillful in attack whose opponent does not know what to defend; and he is skillful in defense whose opponent does not know what to attack." -- Sun Tzu
Editor, WindowSecurity.com Newsletter
Email me at email@example.com
Released: Kevin Mitnick Security Awareness Training
Traditional once-a-year Security Awareness Training doesn't hack it anymore. Today, employees are frequently exposed to sophisticated phishing attacks, and your users are now the weak link in your network security. They need to be trained by an expert, and after the training stay on their toes, keeping security top of mind. Click on the orange "Get A Quote" button and find out how affordable this is! More info here.
Busy? Just take 90 seconds and watch this brand new video about the new Kevin Mitnick Security Awareness Training. You'll be glad you did.
Endpoint Security: Isn’t It Obvious!?
WindowSecurity blogger Derek Melber wrote: "I know we all deal with computers on a daily basis. With so much computer use, why is security so complex? Well, I have an answer, which might not ring a perfect tone in your ear. My perception is that people are lazy! Of course not everyone! However, enough for security to take a backseat to productivity and making money. If your local bank, where you keep your retirement funds, were to say to you "our employees keep losing their keys to the vault and can't remember the vault passcode, so we are going to just keep a zip-tie on the vault from now on", how would you feel about keeping your money there? Well, why do corporations continue to use zip-ties to secure intellectual property (IP), social security numbers, credit card numbers, etc.? I feel that security needs to start at the endpoint and then continue to be more secure all the way back to the file where the data is stored. Here, we are going to discuss endpoint security."
Researcher Demos Browser Extension Malware
Lucian Constantin reported that "Security researcher Zoltan Balazs has developed a remote-controlled piece of malware that functions as a browser extension and is capable of modifying Web pages, downloading and executing files, hijacking accounts, bypassing two-factor authentication security features enforced by some websites, and much more.
Balazs, who works as an IT security consultant for professional services firm Deloitte in Hungary, created the proof-of-concept malware in order to raise awareness about the security risks associated with browser extensions and as a call to the antivirus industry to take this type of threat more seriously.
The researcher plans to release the malware's source code on GitHub during a presentation at the Hacker Halted security conference in Miami, after having shared the code in advance with antivirus vendors." More.
Global Infosec Survey Finds More Talk - But Not More Action
The Chief Security Officer (CSO) site had it first. People 'talk the talk' but don't 'walk the walk' of security.
Anyone you care to ask will likely--and reasonably--agree that the threats against IT systems and data are serious and organizations need to take appropriate steps to protect their infrastructure and information. But if you look at the practices actually in use at many organizations, it becomes painfully apparent that there's still a wide gulf between ideals and reality.
That's no shock to anyone paying attention. But the reasons for the continuing gap between what needs to be done and what's actually done have remained unchanged for years. Business executives and security managers just can't get in sync. That is, CEOs and executives talk a good game about the seriousness of protecting their data, but when it comes time to put resources and capital into it, they're not willing.
That's just one of the findings of the Tenth Annual Global Information Security Survey conducted by CSO and CIO magazines and PricewaterhouseCoopers.
ViewPoint - Your Take
Write me! This is the spot for your take on things. Let me know what you think about Security, tools, and things that need to be improved. Email me at firstname.lastname@example.org
SecOps: What You Need To Know
Security Manager's Journal
Computerworld has a great story about a security manager whose company sells software, and why he can't afford to ignore the potential vulnerabilities in those products.
"No business wants a customer complaining about security weaknesses in its products. If that had been the extent of what happened to my company last week, it would have been bad enough. But it was worse, because in this case, a customer skipped the normal means of reporting a problem and brought a concern about one of our software products directly to one of our senior vice presidents. Instant escalation." Ouch. More.
Infographic: Top Password Mistakes
Some common mistakes when creating passwords, courtesy of an infographic from SecurityCoverage, makers of Password Genie. Click on the link below and then click on the "Enlarge" button at the top left to see a larger version.
Adobe Patches Six Critical Flaws In Shockwave Player
Adobe has fixed six critical vulnerabilities in Shockwave Player that could potentially be exploited by attackers to execute malicious code, via a new release of the software.
Fresh Twitter Attack
A few days ago I received this attack, supposedly from a business contact of 14 years whom I know well. It is a typical social engineering attack and exactly the thing we have been warning against for a few years now. Note that the email address is spoofed as "postmaster.twitter.com", and that they are pulling an old trick about me being in a video that might be embarrassing. Wrong mark, guys! Warn your users that Twitter accounts are being hacked and used to send attacks. Here is the attack screenshot.
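As an added example that is not part of this newsletter, here is a small Python triage script for the two tells described above: a visible From: address that does not match where the mail actually came from, and the "video of you" lure. It uses only the standard library and reads the Authentication-Results header (RFC 8601) that a receiving mail server adds. Both messages inside it are constructed for the example; the header values, domains, bounce addresses and lure phrases are assumptions, not data from the actual attack mail.

```python
"""Triage an e-mail for the sender-spoofing pattern described above.

Added example, not code from the newsletter. It compares the From: domain
with the envelope sender (Return-Path) and the SPF/DKIM verdicts, then looks
for the lure wording and for links that point outside the claimed sender.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the described attack: a From: claiming to be
# Twitter's postmaster, delivered via an unrelated server, with the lure.
# Domains and addresses are assumptions, not the real message.
SAMPLE_ATTACK = """Return-Path: <bounce-4711@mail.example-bulk.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example-bulk.net; dkim=none
From: Twitter <postmaster@twitter.com>
To: victim@example.org
Subject: Did you see this video of you?
Content-Type: text/plain

hey, someone posted a video of you, it looks embarrassing lol
http://t.example-bulk.net/x/video
"""

# Constructed benign counterpart: envelope, From: and links all agree.
SAMPLE_LEGIT = """Return-Path: <bounce@bounce.twitter.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce.twitter.com; dkim=pass header.d=twitter.com
From: Twitter <info@twitter.com>
To: victim@example.org
Subject: Your weekly notifications
Content-Type: text/plain

You have 3 new followers this week.
https://twitter.com/i/notifications
"""

# Lure phrases (assumed list) from the "embarrassing video" social-engineering trick.
LURE_PATTERNS = [r"\bvideo of you\b", r"\bembarrass", r"\bis this you\b"]


def header_domain(value):
    """Lower-cased domain of the first address in a From:/Return-Path: header."""
    _, addr = parseaddr(value or "")
    return addr.rpartition("@")[2].lower()


def same_or_subdomain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def parse_auth_results(value):
    """Extract spf=/dkim=/dmarc= verdicts from an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = re.search(r"\b%s=(\w+)" % method, value or "", re.I)
        if match:
            verdicts[method] = match.group(1).lower()
    return verdicts


def triage(raw):
    """Return sender and content findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_domain = header_domain(msg.get("From"))
    envelope_domain = header_domain(msg.get("Return-Path"))
    auth = parse_auth_results(msg.get("Authentication-Results"))

    sender_findings = []
    if envelope_domain and not same_or_subdomain(envelope_domain, from_domain):
        sender_findings.append("envelope sender %s does not match From: domain %s"
                               % (envelope_domain, from_domain))
    if auth.get("spf", "none") != "pass":
        sender_findings.append("SPF verdict: %s" % auth.get("spf", "none"))
    if auth.get("dkim", "none") != "pass":
        sender_findings.append("DKIM verdict: %s" % auth.get("dkim", "none"))

    # Single-part text body only; a multipart message would need walking.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + "\n" + body)
    content_findings = [
        "lure phrase matched: %s" % pattern
        for pattern in LURE_PATTERNS if re.search(pattern, text, re.I)
    ]
    for host in re.findall(r"https?://([^/\s]+)", body, re.I):
        if not same_or_subdomain(host.lower(), from_domain):
            content_findings.append("link host %s is outside %s" % (host.lower(), from_domain))

    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "sender_findings": sender_findings,
        "content_findings": content_findings,
        # Authenticity failures alone are enough to hold the mail for review.
        "suspicious": bool(sender_findings),
    }


if __name__ == "__main__":
    for label, raw in (("attack", SAMPLE_ATTACK), ("legit", SAMPLE_LEGIT)):
        result = triage(raw)
        print(label, "suspicious" if result["suspicious"] else "clean")
        for finding in result["sender_findings"] + result["content_findings"]:
            print("  -", finding)
```

One caveat for anyone running this against real mail: an Authentication-Results header is only meaningful when your own receiving server added it, so strip any copy that arrives from outside before trusting its verdicts, as RFC 8601 recommends.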
8 Facts About Banks Being Hacked
InformationWeek has a good story about the background of the hacks on banks, and whether Iran is actually behind these attacks. This is a great background article with lots of detail.
Humans: The Weakest Link In Cyber Security? You Betcha!
Microsoft's blog hit the mark this week. Rik Ferguson, Security Director, said: "People are always the weakest link in Information Security, you can deploy all the technology you want, but people simply cannot be programmed and can't be anticipated. As long as an attacker makes their delivery vehicle credible enough a target is likely to click the link or open the file". More.
The fix for this of course is security awareness training.
Fave links & Cool Sites