This whitepaper discusses how cyber ranges can be used to assess Industrial Control Systems (ICS) in a way that traditional security assessments cannot. It argues that cyber ranges allow thorough testing and evaluation of ICS without risking real-world impacts. Cyber ranges mimic actual ICS networks, enabling security testing, functionality testing, and integration testing in a safe, virtual environment. This is important because directly assessing or patching live ICS carries risks of disruptions that could endanger infrastructure, operations, or human life. The document concludes that cyber ranges provide a secure, risk-based approach to enhancing ICS security.
Building a Cyber Range for training Cyber Defense Situation Awareness - Thibault Debatty
The document discusses building a cyber range for training cyber defense situation awareness. It outlines that cyber defense training requires simulating complex networks and situations while training more than just technical skills. It recommends training using the Boyd and Endsley decision making model, which involves three levels - perception, comprehension, and projection. The cyber range implementation involves text scenarios, variable trainee numbers, vagrant images to configure virtual machines, and examples of individual and team cyber situation awareness training.
Mobile Security Training, Mobile Device Security Training - Tonex
This 3-day mobile security training course costs $2,199 and teaches attendees how to secure mobile devices and applications. The training covers mobile threats, vulnerabilities, and security features of platforms like iOS and Android. Attendees will learn techniques for securing mobile networks, applications, and data through encryption, authentication, and mobile device management best practices. The course is intended for security professionals and developers seeking to protect mobile assets within their organizations.
This document is a resume for Dhishant Abrol summarizing his professional experience and qualifications. He has over 6 years of experience in information and network security, currently working as a Security Researcher. Previous roles include managing security operations centers and security architectures for clients. He has various technical certifications and skills in areas like vulnerability assessment, malware analysis, compliance, and security tools.
Safety, trust and security are core to customer retention, growth, and the long-term success of every company. While companies must continually look for new ways to increase efficiency and productivity, security of accounts and sensitive customer information is a top priority. For more info: www.nafcu.org/cyveillance
Building a Product Security Practice in a DevOps World - Arun Prabhakar
This document discusses building a product security practice in a DevOps world. It outlines key product security capabilities that enterprises should establish throughout the product lifecycle, including threat modeling, secure coding, software composition analysis, penetration testing, and continuous monitoring. It also discusses the importance of establishing governance around product security through defining roles, processes, and controls for different functions like business, operations, and security. The goal is to integrate software and product lifecycles in a coherent manner so that final products are secure without slowing down development.
Stefan Zarinschi in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Security assessment for financial institutions - Zsolt Nemeth
Group-IB is a cybersecurity company founded in 2003 in Russia that provides services such as security analysis, penetration testing, computer forensics, incident response, and malware intelligence. It has expanded internationally and now has over 60 employees. The company operates the first 24/7 cybersecurity response team in Eastern Europe called CERT-GIB. Group-IB works with many financial institutions and has expertise in vulnerabilities specific to the banking/e-commerce sector.
This document provides an overview of the Information Security Governance and Risk Management domain covered by the CISSP certification. It discusses key topics in this domain including information security concepts, risk management, policies, standards, procedures, data classification, risk assessment, and security controls. The document is divided into sections that define learning objectives, reference materials, and describe topics covered within the domain such as information security management, governance, classification, and the role of planning, policies, guidelines, standards, procedures, security training, and risk management practices and tools.
Santoskumaar S is a security professional with over 4 years of experience in vulnerability and risk assessment. He has expertise in using tools like Qualys Guard, Nessus, Kali Linux, and Metasploit to perform security assessments and identify vulnerabilities. Currently he works as a Risk Specialist at Infosys BPO where he is responsible for PCI compliance, vulnerability testing, security implementation, and audits. Previously he worked as a Security Analyst and Transmission Engineer at Tata Communications handling tasks like network security reviews, penetration testing, and optical network maintenance.
This document provides an introduction to the concepts of software security. It discusses how security vulnerabilities in software can enable attacks. The goals of the course are explained as helping students understand the nature of software security vulnerabilities, principles of secure software development, and techniques for security testing, analysis, and prevention of vulnerabilities. The lecture topics are outlined and assignments are described, including threat modeling, security policy design, and analyzing buffer overflow attacks and web application vulnerabilities.
The variety and complexity of cyber attacks is increasing. The attackers have a strong economic and political motivation thus leading to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified, because the current reactive approaches cannot keep up with the rapidly increasing new threats.
The document discusses the need for organizations to adopt a strategy of cyber resilience in response to the growing threats posed by the digital environment. It emphasizes that while complete risk elimination is impossible, cyber resilience involves managing security through a multi-layered approach across people, processes, and technology. This can help organizations better prepare for, detect, respond to, and recover from cyber attacks in order to minimize potential damage and disruption. Symantec is presented as uniquely qualified to help organizations achieve cyber resilience through its security solutions, intelligence capabilities, scale, expertise and infrastructure.
SCIT-MTD is a patented technique that provides continuous rotation of virtual machines to a pristine state in order to remove malware and limit the time intruders have to exploit systems. It uses virtualization and fast VM rotation times of less than a minute to dynamically change systems into moving targets. This makes it difficult for attackers to gain access and plan attacks before being removed from the system. SCIT-MTD can be implemented without changes to existing systems and improves security even without knowing the details of vulnerabilities or malware.
Using Hackers' Own Methods and Tools to Defeat Persistent Adversaries - EC-Council
This document discusses using hackers' methods and tools to defeat persistent adversaries. It summarizes Michael Davis's background in cybersecurity and agenda for the presentation, which includes why attackers are winning, why defenders aren't keeping up, and new approaches that can solve this problem. The presentation will cover compromising users, enterprise security concerns, complexity challenges, how companies make decisions, and tools like Failure Mode and Effects Analysis (FMEA) that can help manage risk and prioritize security issues.
NIST stands for National Institute of Standards and Technology and this federal agency develops and promotes measurements, standards, and technology to improve system productivity. NIST has a robust Cybersecurity Framework and is one of the most popular topics in the MedTech industry. It is the encapsulation and security of user data and their electronic documents against cyber-attacks. Being in the medical device industry, I wanted to know what cybersecurity framework or tools I should utilize to protect patients and their data. That is when I found the NIST-based Cybersecurity framework...
Assessing Risk: Developing a Client/Server Security Architecture, MIT - DaveMillaar
The document discusses the formation of a task force at the University of Pennsylvania to address security risks posed by new financial and data warehouse systems utilizing client/server technologies. The task force was charged with identifying threats, validating them, and developing solutions. They surveyed peer institutions, identified trends in security technologies, and outlined a methodology that included identifying assets, identifying threats, validating threats, and developing solutions. The scope of the task force's work initially focused on the new systems but was expanded to consider some mainframe security issues as well.
This document discusses the potential threat of a "Superworm", a theoretical worm that could incorporate successful propagation techniques from past worms to spread rapidly and cause widespread damage. It describes the features such a worm may have, including exploiting multiple vulnerabilities across many operating systems and using various proliferation methods. The document also examines a past university network security incident and two security technologies that could help detect and limit the spread of such a worm: an early worm detection system and a modified reverse proxy server.
SentinelOne was founded in 2013 by an elite group of cybersecurity and defense experts who share a strong passion for disruption, and a clear vision for a path forward in a post-antivirus era. Building on their experiences learned at Check Point Software Technologies, IBM, Intel Security, Palo Alto Networks, and White Hat Security, the team is committed to the mission of defeating advanced cyber threats and instilling confidence in our digital way of life.
Find out more at https://sentinelone.com
CompTIA CySA+ certification changes: Everything you need to know - Infosec
Join Patrick Lane, Director of Products at CompTIA, to learn everything you need to know about the latest CySA+ certification and exam (CS0-002) updates, including:
Evolving security analyst job skills
Common job roles for CySA+ holders
Tips to pass the updated CySA+ exam
Plus CySA+ questions from live viewers
Multi-vocal Review of security orchestration - Chadni Islam
The document summarizes a literature review on security orchestration. The review analyzed papers from various sources to understand different aspects of security orchestration such as definitions, challenges it addresses, proposed solutions, adoption practices, and architectural considerations. Key findings include that security orchestration aims to integrate disparate security tools, automate incident response workflows, and bridge the gap between detection and response. It addresses issues like lack of interoperability, skills shortage and inefficient manual processes. Taxonomies of proposed solutions and open challenges in technology, people and processes are also discussed.
Adversary Emulation and Its Importance for Improving Security Posture in Orga... - Digit Oktavianto
The document discusses adversary emulation and its importance for improving security posture. It begins with an introduction to adversary emulation, comparing it to simulation. Adversary emulation involves closely mimicking the actual tactics, techniques, and procedures of a known adversary based on threat intelligence. The document outlines the benefits of adversary emulation, such as helping organizations test their defenses against the latest real-world threats. It also provides guidance on developing an adversary emulation plan, including researching a specific adversary and modeling their behaviors to design scenario-based tests that are executed sequentially.
The presentation discusses how auditors can conduct cybersecurity skills audits to improve organizational cybersecurity. It outlines challenges with current controls and the need to audit skills in addition to technology and processes. Various cybersecurity skills frameworks are presented, including NIST NICE, the EU e-CF, and SFIA models. Methods for implementing a skills audit through questionnaires and skills assessments are described. The output of a skills audit would be a list of existing skills coverage and identification of skills gaps to guide remediation actions.
Architecture centric support for security orchestration and automation - Chadni Islam
The presentation was prepared for the University of Adelaide School of Computer Science Research Seminar Series. See the slides to know
- what is security orchestration?
- what are the key challenges in this domain?
- how software architecture can play a role in improving the design decision of security orchestration and automation platform?
The document summarizes IBM's Application Security Assessment service which identifies security vulnerabilities in applications and network infrastructure. The service performs comprehensive testing of applications, identifies specific risks, and provides detailed recommendations to mitigate issues. It uses proven methodologies including technical testing, code review, and delivers a report on an application's security posture with remediation steps. IBM experts leverage specialized skills and tools to provide a cost-effective security evaluation.
Senior cyber security engineer with over 30 years of experience in technical management, hardware engineering, system and network engineering. Experience monitoring, analyzing, migrating, designing, consulting, deploying, troubleshooting and project/technical management of large network systems. Skilled in evaluating system vulnerabilities, compiling analysis, reporting threats, and recommending security improvements.
I will outline the process and steps to create your own layered network architecture and build your own range that can be used for practicing your defensive techniques, offensive skills or even to build your own Capture The Flag (CTF) environment. The process you will learn has been used to create CTFs for DEFCON, Hacker Halted and Showmecon; furthermore, the presentation is an introduction to the process in the instructor's book Building Virtual Pentesting Labs for Advanced Penetration Testing.
1) The National Cyber Range (NCR) was created by DARPA to allow for secure and timely testing of cyber technologies by rapidly emulating complex networks.
2) The NCR has completed technical design and tool development and demonstrated its architecture on an operational prototype located in Orlando, FL.
3) During a one-year beta phase, the NCR prototype will grow to emulate a 3000-node network and transition to USCYBERCOM to be available for use by government agencies.
Cybersecurity: Arm and Train US Warriors to Win Cyber War - Ixia
Quickly & easily recreate Internet scale cyber war, interpret the results, and rapidly act upon cyber threats to:
- Train cyber warriors to defend against threats or neutralize the enemy.
- Harden targets – networks, data centers, individual devices.
How to Test High-Performance Next-Generation Firewalls - Ixia
Testing next-generation firewalls necessitates simulating realistic network conditions to help you validate your enterprise firewall performance, attack detection and blocking while increasing stability and reliability under extended attack.
This document outlines a methodology for thoroughly testing firewalls under realistic conditions to evaluate their performance, security, and stability. The methodology includes baseline tests of maximum connections, throughput, and attack mitigation against SYN floods and malicious traffic. It then tests application traffic combined with SYN floods and malicious traffic to evaluate how firewalls perform under blended realistic workloads. The goal is to more accurately reflect real-world performance compared to traditional testing methods.
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...Schneider Electric
Federal agencies are moving their industrial control systems (ICS) from operational business networks to separate, dedicated networks in order to enhance security. However, without a system to test the new equipment and software coming into these separate networks, security risks will persist. This paper explores the impact on security of instituting a sanctioned ICS test lab and recommends best practices for setting up and operating these labs.
This document provides an overview of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), including fundamentals, evolution over time, vulnerabilities, security frameworks, good practices, and resources. It defines SCADA/ICS, describes how they have become more interconnected, lists vulnerabilities like outdated systems and remote access, outlines security standards like NIST and NERC, recommends practices like segmentation and patching, and provides example frameworks and resources.
Intrusion Detection System using Data MiningIRJET Journal
This document presents a proposed intrusion detection system using data mining techniques. It begins with an abstract that describes how internal intrusions are difficult to detect as internal users know the organization's information. It then discusses how anomaly detection can be used to create behavior profiles for each user and detect anomalous activities. The introduction provides background on intrusion detection systems and the need for more efficient and effective detection methods. It describes the proposed system which will use data mining techniques like k-means clustering to separate normal and abnormal network activities in order to detect internal attacks. It discusses the hardware and software requirements and specifications. Finally, it concludes that the proposed system can better detect anomalies in the network compared to other machine learning approaches.
13421ijmit03Engineering Life Cycle Enables Penetration Testing and Cyber Oper...IJMIT JOURNAL
This document discusses how proper engineering processes and life cycle management are important for cybersecurity operations and penetration testing. Rushing innovation undermines security foundations. Effective engineering adds security even after implementation. Current computer systems fail to manage risks properly by focusing on reactive tasks over preventative planning and maintenance. Proper risk management, personnel training, and system design are needed to avoid systemic failure. Behavioral monitoring and integrity checks can help address issues if given resources. Legacy systems may be outdated but have long usage histories that aid detection. Management must adapt approaches to succeed in securing systems.
ENGINEERING LIFE CYCLE ENABLES PENETRATION TESTING AND CYBER OPERATIONSIJMIT JOURNAL
This document discusses how proper engineering processes and life cycle management are important for cybersecurity operations and penetration testing. Rushing innovation undermines security foundations. Effective engineering adds security even after implementation. Current computer systems fail to manage risks properly and focus too much on reactive responses instead of addressing root causes like lack of planning. Proper system design, monitoring, and maintenance over the full life cycle are needed to build secure and stable systems. Personnel issues around training and risk management priorities also undermine security. Adopting full engineering practices and addressing organizational and human factors are necessary to improve current fragile security postures.
Augment Method for Intrusion Detection around KDD Cup 99 DatasetIRJET Journal
This document discusses augmenting methods for intrusion detection using the KDD Cup 99 dataset. It aims to improve detection accuracy and reduce false positives. The key points are:
- It analyzes detection precision and true positive rate (recall) for different attack classes in the KDD Cup 99 dataset to help improve dataset accuracy.
- Experimental results show the contribution of each attack class to recall and precision, which can help optimize the dataset to achieve highest accuracy with lowest false positives.
- The goal is to enhance testing of detection models and improve data quality to advance offline intrusion detection capabilities.
This document discusses how applying process safety best practices can improve operational technology (OT) cybersecurity. It outlines the five independent protection layers (IPLs) for process safety - inventory and configuration management, automatic process controls, human intervention, safety instrumented systems, and physical protection. Applying best practices to each IPL layer improves OT cybersecurity by making any operational changes from cyber attacks more apparent so they can be addressed quicker. Effective configuration management and change control are especially important, as the Stuxnet attack showed how undetected changes could damage equipment over time. Overall, following process safety practices enhances control performance, alarms, interfaces, and system resilience while countering modern cyber threats.
This document discusses the development of a cross-platform penetration testing suite that compiles standard penetration testing tools into a single mobile application. The suite aims to provide easy access to penetration testing tools on any Android device, improving portability for ethical hackers. It does not require root access of the user's phone. The suite is designed to perform tasks like port scanning, vulnerability scanning, payload generation, and more. It consolidates typical tools used for information gathering, vulnerability assessment, exploitation, and covering tracks into a single interface. This allows ethical hackers to conduct basic penetration tests using only their mobile device.
This paper deals with the risk assessment of different types of electronics and mobile payment systems as well as the countermeasures to mitigate the identified risk in various electronics and mobile payment synthesis.
Information security management guidance for discrete automationjohnnywess
This document summarizes guidance for establishing an information security management program for industrial automation departments. It finds that while standards and guidance are now readily available, implementing a comprehensive security program requires extensive cross-functional collaboration. None of the publications can be implemented alone by automation departments due to their complexity and need for interdepartmental expertise in areas like risk assessment and network segmentation. Effectively addressing vulnerabilities will require integrating security practices with existing organizational processes and acquiring new technical knowledge across roles.
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan
The document analyzes vulnerabilities in industrial control systems (ICS) from 2005 to 2012. Some key findings include:
1. The number of detected vulnerabilities has increased 20-fold since 2010, with more found in the first 10 months of 2012 than in all previous years combined.
2. Most common vulnerabilities allow remote code execution and authentication/authorization bypass. Approximately 65% are considered high or critical severity.
3. While most vendors fix the majority of issues, some vulnerabilities remain unpatched for over 30 days. Over 40% of internet-accessible ICS systems have known vulnerabilities.
Comparative study of Cyber Security Assessment ToolsIRJET Journal
This document provides a comparative study of cyber security assessment tools. It begins with an introduction that outlines how organizations face constant cyber threats and the need for routine cyber security audits. It then discusses best practices for cyber security audits, including performing security assessments, having incident response plans, prioritizing risks, integrating security into monitoring, and automating threat detection. The document also outlines the classification of security audit tools and provides examples like network mapping tools, perimeter security tools, and vulnerability scanning tools. It provides details on specific network mapping tools and their features.
This document describes a proposed vulnerability management system (VMS) that aims to automate the process of scanning software applications to identify vulnerabilities. The proposed system uses a hybrid algorithm approach that incorporates features from existing vulnerability detection tools and algorithms. The algorithm involves five main phases: inspection, scanning, attack detection, analysis, and reporting. The algorithm is intended to increase the accuracy of vulnerability detection compared to existing systems. The proposed VMS system and hybrid algorithm were tested using various vulnerability scanning tools on virtual machines, and results demonstrated that the VMS could automate the vulnerability assessment process and generate reports on detected vulnerabilities with severity levels. The main limitation is that scans using the VMS may take more time than some existing tools.
IRJET-Managing Security of Systems by Data CollectionIRJET Journal
This document discusses managing system security through data collection. It proposes creating an application that collects security-related data from client systems on a network and stores it in a database server. This would allow monitoring the systems for intrusions or issues. The application would run in the background of each client system and collect configuration, software and activity data periodically to send to the database server. The collected data could then be analyzed to detect any unauthorized changes or suspicious activity on the client systems.
Standards based security for energy utilitiesNirmal Thaliyil
The document discusses standards for cybersecurity in the energy sector. It notes that threats are increasing as energy infrastructure becomes more connected and data-driven. The document outlines some key cybersecurity standards for the energy industry including NERC CIP, IEEE1686, and IEC 62351. It maps these standards based on their level of technical detail and completeness. The document also discusses best practices for cybersecurity including technological and operational controls and how standards relate to controls for protection, detection and response.
Secure Your Medical Devices From the Ground Up ICS
The Food and Drug Administration (FDA) has recently released new guidance on cybersecurity for medical devices. This presentation will provide an overview of this guidance and review what is required for 510(k) submissions. We will also discuss the upcoming European Union (EU) cybersecurity regulations and how they compare to the FDA guidance.
This webinar with ICS and partner RTI, the largest software framework company for autonomous systems, will focus on threat modeling and cybersecurity risk assessments in light of the new guidance, and how these activities impact design requirements for medical devices. You will learn common pitfalls and mistakes to avoid when establishing organizational best practices in cybersecurity.
We will also discuss the challenges to securing data in motion for connected medical devices and describe how a data-centric software framework based on open standards, addresses the design requirements for highly reliable, scalable and secure systems.
Attendees will gain an understanding of the current regulatory expectations, best practices for cybersecurity risk assessments, and standards-based solutions for secure data connectivity.
The document discusses cyber security challenges for industrial control systems (ICS) and SCADA networks. As ICS were connected to networks and the internet, it increased opportunities for remote hacking and destruction. The disconnect between traditional IT security practices and operational needs of ICS led to vulnerabilities. Common security strategies like network isolation are no longer effective due to widespread connectivity. Recent attacks have shown that hackers can compromise ICS equipment directly and cause physical damage. The document argues industry must adopt new security technologies and policies tailored for ICS in order to address growing threats.
Generic Security Framework for Multiple Heterogeneous Virtual InfrastructuresIJRES Journal
Virtualization continues to take center stage at IT industry, yet many organizations are finding it difficult to secure virtualized environments. Security is a critical component in the growing IT system surrounding virtualization. Many organizations find the security challenges associated with virtualization to be a major hurdle, companies of all kinds across all industries are looking towards addressing business and security needs in the virtual infrastructure. There are many research work done before about how to check the compliance status of the cloud platform, not of the virtual machines running on the platform. This paper proposes the security framework for multiple heterogeneous virtual machines which assess the compliance security of the virtual machines. In this paper we make use of REST APIs, using which we create remote session on the virtual machines and fetch the machine values which will be parsed to get the required values for assessment.
The document provides guidance on securing industrial control systems through a defense-in-depth approach. It summarizes the Purdue Model for Control Hierarchy, which defines five zones and six levels of operations for industrial control systems. It then presents a reference architecture based on this model, with multiple zones and security controls between the enterprise, manufacturing and process zones. Specifically, it identifies security patterns and controls for access control, log management, network security and remote access that are critical for industrial control system security.
• ERP security
• ICS security assessment
• Protection of payment applications, remote banking systems, ATMs • Cloud technologies and virtualization systems
• Detection of zero-day vulnerabilities and prevention of APT attacks • Use of Big Data in information security
• Analysis of source code and the SAST/DAST/IAST technologies
• Complex protection of web applications and portals
• Mobile platform and application security
Similar to Cyber_range_whitepaper_cbr_070716_FINAL_DRAFT (20)
SECURING OUR FUTURE
WHY TODAY'S SOLUTIONS CANNOT SOLVE TOMORROW'S PROBLEMS
This whitepaper assesses how modern security assessments fail as a means to assess Information Technology (IT)/Industrial Control Systems (ICS), how cyber ranges work, and how the future of ICS cybersecurity depends on the use of cyber ranges as a means of assessment.
INTRODUCTION
Industrial control systems (ICS) are control systems including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other configurations using programmable logic controllers (PLC) to provide a desired function, often in unauthenticated network environments. ICS are a critical component of national infrastructure, yet they are often left out of an organization's security plan and represent one of its biggest cyber risks. ICS have a history of making the news when compromised, and a successful penetration and exploitation has real-world consequences. The attack on Ukrainian power utilities in December 2015, which left about 225,000 people without power, proves the threat ICS attacks pose[1]. At the Risk Management Summit, Applied Control Systems estimated that the roughly 750 ICS incidents reported have cost $30 billion[2]. ICS-CERT responded to 295 ICS incidents across a wide variety of industries in 2015, as indicated in Figure 1[3]. A
IT/ICS. A cyber range includes hardware and software that simulate and emulate a system for operational and security testing and training. An IT/ICS cyber range for testing is crucial to ensure information assurance, safety, and correct functionality. As the Centre for the Protection of National Infrastructure (CPNI) stated, "Another significant advantage of a laboratory assessment is the ICS will be separate from the production version. This fact means the team will have a green light to non-destructively test any and all parts of the ICS without the possibility of causing a real-world impact."[4] Cyber ranges allow for a more thorough and accurate assessment of ICS without the fear of compromising the ICS. An IT/ICS cyber range allows cyber analysts to test devices beyond what they were designed for and determine what functions they are actually capable of performing.
KEY POINTS
Industrial Control Systems (ICS) impact almost every aspect of life in America, and ICS security is one of the Department of Homeland Security's leading initiatives. Every effort must be taken to ensure its security. Cyber ranges represent the next step in securing our nation's critical infrastructure against tomorrow's threats.
FIGURE 1 INCIDENTS RESPONDED TO BY ICS-CERT IN 2015 (pie chart: Critical Infrastructure 44%, Critical Manufacturing 35%, Unknown 10%, Government Facilities 6%, Communications 5%)
AUDITS ARE NOT ENOUGH
An IT/ICS cyber range should be part of an information security program because audits are inadequate to ensure systems are secure. Audits indicate whether a security mechanism is in place and configured according to an industry standard, without saying whether the mechanism is effective. A router Security Technical Implementation Guide (STIG) may tell a tester whether administrators locked down a router according to Defense Information Systems Agency (DISA) standards. The STIG does not tell the tester whether that lockdown improves the security posture of the system, so the result is a system locked to an arbitrary standard but no more secure for it. STIGs and audit processes such as the DoD Information Assurance Certification and Accreditation Process (DIACAP) and the Risk Management Framework (RMF) fail to account for traffic and integration. CPNI states, "A secure ICS does not exist, which means that hidden vulnerabilities are still possible in an ICS, even after a clean report from a cybersecurity assessment"[4]. A penetration test, by contrast, exploits the vulnerabilities in a system as it actually exists, rather than applying an all-purpose checklist such as DIACAP or RMF. Running a penetration test against your ICS equipment in a cyber range gives a more accurate assessment of how secure the system is than an audit, which only determines the status of security settings. Using a cyber range for security assessments addresses these issues, allows additional testing such as penetration tests without fear of compromising the production system, and can save millions by preventing significant loss of data or personally identifiable information (PII).
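The gap between a settings audit and an effectiveness test, as an added example that is not part of the whitepaper or Honeywell's tooling: a constructed, simplified first-match ACL on an enterprise-to-control-network boundary. The audit-style check finds the required Modbus/TCP deny and would report the setting as compliant; first-match evaluation of an actual packet, which is what the device does, shows that a broader permit added above it makes the deny unreachable. The rule syntax, addresses and the port-502 policy are assumptions for illustration.

```python
"""Configuration audit versus behavioural test of a boundary ACL.

Added example, not code from the whitepaper or from Honeywell.  The
ruleset, addresses and packets are constructed for illustration; the
rule syntax is a simplified first-match ACL, not any vendor's format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (any protocol)
    src: str                      # source CIDR
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # destination port, None = any

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        proto_ok = self.proto == "ip" or self.proto == other.proto
        src_ok = ip_network(other.src).subnet_of(ip_network(self.src))
        dst_ok = ip_network(other.dst).subnet_of(ip_network(self.dst))
        port_ok = self.dport is None or self.dport == other.dport
        return proto_ok and src_ok and dst_ok and port_ok


# Constructed ruleset on the enterprise-to-control-network boundary.
# The intended control, and what a STIG-style check looks for, is the
# explicit deny of Modbus/TCP (port 502) from the enterprise LAN.  Rule 0
# is a broad "management" permit that someone added later, above it.
RULESET = [
    Rule("permit", "tcp", "10.1.0.0/16", "10.20.0.0/24"),
    Rule("deny",   "tcp", "10.1.0.0/16", "10.20.0.0/24", 502),
    Rule("permit", "udp", "10.1.0.0/16", "10.20.0.0/24", 123),
    Rule("deny",   "ip",  "0.0.0.0/0",   "0.0.0.0/0"),
]


def audit_modbus_deny_present(rules) -> bool:
    """Audit-style check: is a deny for TCP/502 present in the config?
    This is the evidence a settings audit records as 'compliant'."""
    return any(r.action == "deny" and r.proto == "tcp" and r.dport == 502
               for r in rules)


def evaluate(rules, proto, src, dst, dport):
    """Behavioural test: apply the rules first-match, as the device does.
    Returns (index of the matching rule or None, resulting action)."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, src, dst, dport):
            return i, rule.action
    return None, "deny"          # implicit deny at the end of the list


def shadowed_rules(rules):
    """Return (shadowed_index, shadowing_index) pairs: rules that can never
    fire because an earlier rule already covers everything they match."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            if rules[i].covers(later):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    print("audit says Modbus deny present:", audit_modbus_deny_present(RULESET))
    print("Modbus from enterprise host:",
          evaluate(RULESET, "tcp", "10.1.5.7", "10.20.0.9", 502))
    print("shadowed rules:", shadowed_rules(RULESET))
```

The shadow analysis is a static check that can be run on the exported configuration, but only sending the packet (here simulated by `evaluate`, in a range by sending real Modbus traffic across the boundary) confirms the control's effect; the audit passes either way.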
Auditors use tools that test components of a system in isolation, but those tools fail to test how the system behaves while it is running. Auditors conducting an assessment use tools such as the Assured Compliance Assessment Solution (ACAS) to test security settings while disregarding the effectiveness of those settings. This is a flawed but accepted approach to security testing, because it lacks empirical evidence to support the assertion that the system is secure. Imagine you go to a mechanic with an error code on your car's console and smoke coming from the car when you accelerate. You describe the issue, show the mechanic the error code, and are told to come back in two days. When you return, the mechanic says the error code is resolved; you pay and leave. Two miles down the road the error code returns and the car still smokes. Back at the shop, the mechanic admits to clearing the error code but never starting the car to see whether the actual issue was resolved. That does not make sense, does it? Only by testing the car's performance can you get an accurate idea of its performance. Modern tools are likewise limited in their assessment of security because they do not account for the system operating. By using a cyber range and simulating the traffic a system will experience, your testing tools give a more accurate assessment of the system. Testing the system in an IT/ICS cyber range allows an integrated assessment reflecting how the system will function when operational, where other methods only verify implemented settings without addressing how the system works while it is operating.
FIGURE 2 SECURITY GOALS OF TRADITIONAL IT VS ICS (in increasing order of importance, traditional IT ranks availability, integrity, confidentiality; ICS ranks confidentiality, integrity, availability)
Audits fail to address the effect traffic will have on the system, such as bottlenecks or capacity issues. Winter states, "A good example of such tests is investigating shifts in traffic workload patterns. Adding new components such as workstations in an office or new sensors or reporting thresholds in an industrial control system can cause unexpected critical traffic flow changes in parts of the system quite remote from the location where the new components were added. This, in turn, can make a single router in yet another part of the system a critical component."[10] While security has been the focus of cyber ranges, ranges also have tremendous value for engineers observing traffic in an operational system. Engineers can plan and design for capacity, but until a system is operational they cannot be sure the design has met the actual bandwidth requirement. Cyber ranges allow engineers to model and test systems using realistic traffic and identify where problems may occur once a system is running.
ICS TOO CRITICAL TO SECURE
As ICS adopt the Internet Protocol (IP) or similar protocols, the risk of hacking increases. Dell reported, "Dell SonicWALL saw global SCADA attacks increase against its customer base from 91,676 in January 2012 to 163,228 in January 2013, and 675,186 in January 2014."[6] This warrants security reviews, which themselves pose a risk to the system, because an auditor may break the system during testing. As NIST reported, "The nature of ICS means that when an organization does a risk assessment, there may be additional considerations that do not exist when doing a risk assessment of a traditional IT system. Because the impact of a cyber incident in an ICS may include both physical and digital effects, risk assessments need to incorporate those potential effects."[7] A security auditor may break a system by accident in various ways. Tools have design flaws with unintended operational consequences. One now-defunct security testing application had a "Mitigate All" button, which fixed identified security issues; the unintended consequence of locking down those features was a computer that would no longer function. An ICS broken by a security test has the potential to cause serious injury. Mimicking an ICS in a cyber range and testing it there mitigates the risk of such harm.
ICS attacks have seen a sharp increase over the last few years due to the ease of conducting ICS cyber attacks and the growing number of attackers with the tools and internet access to conduct them.
FIGURE 3 GLOBAL SCADA ATTACKS (bar chart of Dell SonicWALL SCADA attack counts for January 2012, 2013 and 2014: 91,676; 163,228; 675,186)
Testers cannot test many ICS implementations because ICS functions are essential and testing risks shutting the system down. As the Centre for the Protection of National Infrastructure states, "For example, several tools employed in such a test could have a serious impact on the ICS itself. Various ICS' will malfunction or halt completely when security tools, such as scanners, are run on the network. Therefore, the asset owner and assessment team must understand the potential implications of testing on a production system. Whenever possible, cyber security tests should be performed on a backup or offline ICS."[4] At a scientific research station in the Arctic, testing would be life-threatening if it broke the HVAC system. Leaving the HVAC system untested, however, poses a security risk of its own, like the 2013 breach of Target's payment system, which began with access obtained through the HVAC contractor, shown in Figure 5. The inability to test ICS with traditional tools leaves auditors few options for maintaining security. Creating a virtualized version and testing security issues in a cyber range delivers higher assurance of the system's resilience to hacking.
When loss of human life is not a factor, unlike the Arctic example above, a company's bottom line may be the issue preventing accurate security assessment of an ICS. As Ashford reports, "This means almost 100% availability is required, which in turn means it is difficult and expensive to interrupt these systems for things like security updates."[8] Ashford maintains that when malware is detected there is little that can be done because of the fear of breaking a system: "It is not uncommon for organisations responsible for critical infrastructure to continue running control systems even though a malware infection has been detected."[8] In one example an engineer shut down a bottling plant's systems after changing a timer on a maintenance controller, resulting in a $100,000 loss for the company. Using a cyber range to test the strength of an ICS's security avoids the cost of a shutdown caused by a hack and reduces the risk of a shutdown caused by testing.
BUT DOES IT WORK?
Cyber ranges are built for security purposes but have tremendous potential for other forms of testing. OS updates, configuration changes and patching remain an issue in ICS because of the difficulty of determining how patches or upgrades will affect a particular ICS. The Department of Homeland Security states, "As mentioned earlier, patch testing is of special importance in control systems because of the requirement for very high uptime. The following recommendations should be included in patch testing: Test bed/simulation hardware should be dedicated for testing purposes"[9]. A little common sense supports the idea: we have all received a patch or upgrade to the operating system on our computer that had unforeseen consequences. Cyber ranges address this by allowing developers to determine how changes affect functionality without applying the patch to production systems. Developers could also test new security devices, determining whether they will damage system functionality without risking a system shutdown. This includes testing new hardware and software against a model of a specific ICS environment to assess how they would function there. One important illustration of a cyber range's use to test new security hardware is found in Winter's work (Figure 6), where he notes, "A recent example of such testing in the FCR found an intrusion prevention device deployed in a system model that could be made to fail open when subjected to the right kind of overloading. It would simply give up and pass all traffic through, good or bad. This is not something you would want to find out in a real system under attack."[5] This illustrates the need for additional scrutiny of products before adding them to an ICS. In this case a simple flood attack resulted in a complete breach of the ICS, although the intrusion prevention device was meant to keep intruders out of the network. Security testing could also include unintended use of ICS devices. Consider the Nest Thermostat, which has an application programming interface (API) allowing third-party developers to create new applications for the thermostat. What would happen if malicious manipulation occurred through the API?
FIGURE 4 CAPTION TO BE ADDED
FIGURE 5 2013 TARGET POS BREACH
FIGURE 6 FAILED IPS DEVICE
Without simulating traffic, functional testing offers a limited assessment of a system and misses issues created by unanticipated traffic. Cyber ranges allow new hardware to be tested and integrated for a specific environment and identify unknown hardware issues before installation. Functional testing follows a script, as indicated in Figure 7. These scripts list the steps and procedures to verify that the system functions as expected, and can be automated or manual. The problem with testing this way is that it fails to account for traffic and therefore for how the system will function when operational. For example, what if 100 users on a network attempt to access the same resource at the same time, but the system is integrated in a way that allows only one user access at any given moment? A cyber range that emulates that concurrent load is the practical way to discover this type of bottleneck before the system is in production.
FIGURE 7 RANGE BASED FUNCTIONAL TESTING
MAKING IT ALL WORK
Cyber ranges go through five phases of development. In the first phase, enumeration, the target system is documented so the cyber range can approximate the actual network. The details captured resemble the documentation in a system accreditation package: the number of laptops and printers, and the versions of software and hardware. One important aspect of the system captured during enumeration is traffic analysis. This is accomplished with a mix of passive and active network traffic analysis tools, striking a balance between collecting detailed traffic patterns and preserving operational network performance. If the system is still in development and traffic patterns are unavailable, network subject matter experts make assumptions during enumeration. In the second phase, reconstruction, we rebuild the system in a virtual environment, replicating the details gathered during enumeration in virtual machines (VMs) of the target system. If replicating a system that is not yet operational, VMs can be produced that mirror the clients you intend to integrate. In the third phase, testing, the settings are verified through a functional test that ensures the virtualized system works. In the fourth phase, modeling, we add traffic to the virtualized network by configuring traffic emulators with the data gathered during enumeration. The fifth and final phase, use, is where the real value of the cyber range comes in. Sample uses of a cyber range include:
Red/Blue Exercises
Testing Hardware
Testing Software
Modeling and Simulation
Independent Validation and Verification
Research and Development
Tabletop Exercises
Comparative Solution Analysis
Integration Environment
Patch Testing
Load Testing
Configuration Testing
Functional Testing
Penetration Testing
Certification
Training
Hypotheses Testing
Team Assessment
FIGURE 8 CYBER RANGE DEVELOPMENT PHASES
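The enumeration, modeling and use phases above, and the single-access-resource bottleneck raised under "BUT DOES IT WORK?", carried through in code as an added example that is not the whitepaper's or Honeywell's tooling. Constructed flow records (a simplified stand-in for what a passive tap or flow export yields during enumeration) are summarised into a per-conversation profile; the profile drives a time-ordered request schedule, optionally with extra copies of every client, which is Winter's "new workstations or sensors" what-if; and the schedule is replayed against a capacity model of the PLC to count requests that miss a latency deadline. The addresses, the single-session PLC model, the 100 ms service time and the 250 ms deadline are assumptions, and the schedule starts every conversation at time zero (observed phase is not preserved).

```python
"""Enumerate, model, then replay: a traffic profile from captured flow
records drives an emulation schedule that is replayed against a capacity
model of the control device.

Added example, not the whitepaper's or Honeywell's tooling.  The flow
records are constructed (a simplified version of what a passive tap or
flow export would give); the single-session PLC model and the timing
parameters are assumptions for illustration.
"""
from collections import defaultdict

# Constructed flow records from the enumeration phase:
# (seconds since capture start, src, dst, proto, dst port, bytes)
FLOWS = [
    (0.0, "10.20.0.5", "10.20.0.9", "tcp", 502, 120),   # HMI polls PLC every 1 s
    (1.0, "10.20.0.5", "10.20.0.9", "tcp", 502, 120),
    (2.0, "10.20.0.5", "10.20.0.9", "tcp", 502, 120),
    (3.0, "10.20.0.5", "10.20.0.9", "tcp", 502, 120),
    (4.0, "10.20.0.5", "10.20.0.9", "tcp", 502, 120),
    (0.5, "10.20.0.7", "10.20.0.9", "tcp", 502, 300),   # historian polls every 2 s
    (2.5, "10.20.0.7", "10.20.0.9", "tcp", 502, 300),
    (4.5, "10.20.0.7", "10.20.0.9", "tcp", 502, 300),
    (0.0, "10.20.0.5", "10.20.0.1", "udp", 123, 76),    # HMI NTP every 4 s
    (4.0, "10.20.0.5", "10.20.0.1", "udp", 123, 76),
]


def build_profile(flows):
    """Enumeration: summarise each conversation as a mean inter-arrival
    interval and mean size.  A conversation with one record has no interval."""
    by_conv = defaultdict(list)
    for t, src, dst, proto, dport, nbytes in flows:
        by_conv[(src, dst, proto, dport)].append((t, nbytes))
    profile = {}
    for conv, recs in by_conv.items():
        recs.sort()
        times = [t for t, _ in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        profile[conv] = {
            "count": len(recs),
            "mean_interval": sum(gaps) / len(gaps) if gaps else None,
            "mean_bytes": sum(n for _, n in recs) / len(recs),
        }
    return profile


def make_schedule(profile, duration, replicas=1):
    """Modelling: turn the profile into a time-ordered list of requests
    (t, src, dst, proto, dport, bytes) covering `duration` seconds.
    `replicas` > 1 adds copies of every client (the "new workstations or
    sensors" what-if); copy k > 1 gets a suffixed source name.  Every
    conversation is started at t = 0; the observed phase is not kept."""
    events = []
    for (src, dst, proto, dport), stats in profile.items():
        for k in range(replicas):
            name = src if k == 0 else f"{src}#{k + 1}"
            interval = stats["mean_interval"]
            t = 0.0
            while t < duration:
                events.append((t, name, dst, proto, dport, stats["mean_bytes"]))
                if interval is None:      # one-shot conversation
                    break
                t += interval
    events.sort(key=lambda e: (e[0], e[1], e[2]))
    return events


def peak_rps(events):
    """Highest number of requests falling in any one-second bucket."""
    buckets = defaultdict(int)
    for e in events:
        buckets[int(e[0])] += 1
    return max(buckets.values(), default=0)


def replay(events, target, service_ms, deadline_ms):
    """Use phase: replay the schedule against `target`, modelled (assumed)
    as a device that serves one request at a time in `service_ms`, and
    report how many requests complete later than `deadline_ms` after issue."""
    free_at = 0               # ms at which the device is idle again
    requests = late = worst = 0
    for t, _src, dst, _proto, _dport, _nbytes in events:
        if dst != target:
            continue
        arrival = round(t * 1000)
        start = max(arrival, free_at)
        free_at = start + service_ms
        latency = free_at - arrival
        requests += 1
        worst = max(worst, latency)
        if latency > deadline_ms:
            late += 1
    return {"requests": requests, "late": late, "worst_ms": worst}


if __name__ == "__main__":
    prof = build_profile(FLOWS)
    for replicas in (1, 3):
        sched = make_schedule(prof, duration=10, replicas=replicas)
        print(replicas, "x clients:", peak_rps(sched), "req/s peak,",
              replay(sched, "10.20.0.9", service_ms=100, deadline_ms=250))
```

With the observed client population the PLC model meets the deadline on every request; tripling the clients that poll it (a change a functional test script would never exercise) pushes worst-case latency to six times the service time and more than half the requests past the deadline, which is the kind of result the range is meant to surface before the extra workstations are wired into production.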
At Honeywell's Cyber Solutions Lab, we have developed a cyber range for traditional IT systems and ICS solutions. With Honeywell's background in various markets and deep engineering experience, we are able to provide a cyber range that meets the challenges of today's cyber threats and the threats of tomorrow. With minimal time from enumeration to emulation, Honeywell's cyber range allows system owners to stop making assumptions about security and secure their systems with a higher level of confidence than ever before.
CONCLUSION
ICS are important to the nation's infrastructure, yet they are among the most neglected systems because of their availability requirements. These systems have become essential to our way of life, and examining a production system to ensure its stability and security presents too much risk to the system itself. IT/ICS cyber ranges offer an affordable, risk-based approach to securing IT/ICS, enhancing the overall security posture of a system in a way that other testing methodologies cannot. Honeywell's Cyber Range meets the demands of today's customers and addresses tomorrow's challenges.
Courtney “Brock” Rabon is Honeywell Technology Solutions Inc. (HTSI)’s Cyber Evangelist and has 11
years of experience helping Commercial and Federal clients meet their cyber security goals. He manages
their Cyber Security Technologies Lab in Charleston, SC and can be reached at
courtney.rabon@honeywell.com.
HTSI is a diverse professional and technical services leader offering world-class managed solutions to federal, commercial and
international clients. HTSI’s core capabilities include engineering and space operations, physical and cyber security, engineering
and development services, logistics, facility and equipment planning, and testing and calibration.