June 23rd, 2008
The U.S. isn’t the only country victimized by cyber espionage that is blaming China. IndiaPost yesterday reported unnamed Indian government officials alleging China has orchestrated a series of attacks on sensitive networks of Indian agencies, including an April 2008 break-in to the computer network of the Ministry of External Affairs.
Although Beijing vehemently denies all allegations of state-controlled cyber snooping and hacking, the Chinese government as well as its society hails the practice of hacking for the national cause.
Posted in Cyber Policy, Cyber Security | No Comments »
June 9th, 2008
Just last week it was reported by the Washington Post that a Georgia power plant had an emergency shutdown as a result of a software update which was made on the plant’s business network, which happened to be in two-way communication with the plant’s SCADA network. The Washington Post reports:
The computer in question was used to monitor chemical and diagnostic data from one of the facility’s primary control systems, and the software update was designed to synchronize data on both systems. According to a report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant’s radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown.
As Washington Post reporter Brian Krebs points out, this event came shortly after a report issued by the Government Accountability Office (GAO) late last month called for the Tennessee Valley Authority (TVA) to address similar weaknesses between its control systems and networks.
Supervisory Control and Data Acquisition (SCADA) systems which were once isolated and disconnected from the Internet have been modernized with TCP/IP network connectivity in response to demand for cost effectiveness and greater access. This development, however, has exposed SCADA networks to the significant security risks that accompany today’s TCP/IP networks.
The good news in the case of the March 7th incident at the Georgia Power plant is that the plant’s emergency systems performed properly, and there was never any danger to the public, as reported in the Washington Post article.
However, it’s clear that the potential implications resulting from this kind of exposure are high, especially since many of these systems control much of the world’s critical infrastructure. In this case a spokesperson for the company that runs the plant in question indicated that the issue arose when they discovered the corporate network was communicating with the SCADA network, and that corrective action wasn’t taken prior to the software update. The article then goes on to quote her as saying that “plant engineers have since physically removed all network connections between the affected servers.”
There is an unfortunate belief among many who operate SCADA networks that those networks are secure because they are physically secure. It seems apparent that operators require an objective way to identify all connections to their SCADA networks, which is the first of the “21 Steps to Improve the Cyber Security of SCADA Networks” recommended by the Department of Energy and the President’s Critical Infrastructure Protection Board. It also seems critical that all SCADA network managers perform regular assessments of that connectivity to ensure that any connections between the SCADA network and the corporate network are in line with policy and do not expose critical infrastructure to unforeseen security risks such as network leaks.
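One objective way to find the kind of SCADA-to-corporate link described above is to take an interface inventory (router ARP and interface tables, or a discovery scan) and flag any host that holds an address in the control zone and an address anywhere else. The script below is an added example, not Lumeta’s code or anything from the Washington Post article; the zone CIDRs, host names and addresses are all constructed RFC 1918 samples, and the “host address” inventory format is an assumption.

```python
"""Flag hosts that bridge a SCADA zone and the corporate network.

Added example, not Lumeta's code. It assumes an interface inventory of
"host address" lines, as one might assemble from router ARP and interface
tables or a discovery scan, plus a map of which CIDRs make up each zone.
Every host name and address below is constructed (RFC 1918 space).
"""
import ipaddress

# Constructed zone map: the control network and the business network.
ZONES = {
    "scada": [ipaddress.ip_network("10.50.0.0/16")],
    "corporate": [
        ipaddress.ip_network("10.10.0.0/16"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
}

# Constructed inventory: one line per interface, "host address".
INVENTORY = """\
# historian-style server with a leg in each network
hist-srv01  10.50.3.12
hist-srv01  10.10.7.33
plc-gw-02   10.50.1.5
eng-ws-17   10.10.44.9
eng-ws-17   172.16.9.2
bizapp-04   192.168.3.20
"""


def classify(address):
    """Return the zone name an address belongs to, or "unknown"."""
    addr = ipaddress.ip_address(address)
    for zone, networks in ZONES.items():
        if any(addr in net for net in networks):
            return zone
    return "unknown"


def parse_inventory(text):
    """Group interface addresses by host, skipping blanks and comments."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, address = line.split()
        hosts.setdefault(host, []).append(address)
    return hosts


def audit(text, protected="scada"):
    """Report hosts that join the protected zone to anything else.

    "bridges" maps each offending host to {address: zone}; "unclassified"
    lists addresses that fall outside every known zone, since a leak can
    just as easily live in a subnet nobody has documented.
    """
    bridges, unclassified = {}, {}
    for host, addresses in parse_inventory(text).items():
        zones = {a: classify(a) for a in addresses}
        seen = set(zones.values())
        if protected in seen and seen - {protected}:
            bridges[host] = zones
        unknown = [a for a, z in zones.items() if z == "unknown"]
        if unknown:
            unclassified[host] = unknown
    return {"bridges": bridges, "unclassified": unclassified}


if __name__ == "__main__":
    report = audit(INVENTORY)
    for host, zones in report["bridges"].items():
        print(f"BRIDGE {host}: {zones}")
    for host, addrs in report["unclassified"].items():
        print(f"UNCLASSIFIED {host}: {addrs}")
```

Run against the sample, the historian is reported as a bridge between the SCADA and corporate zones, and the engineering workstation is reported for an address in a subnet the zone map does not cover; the second finding is the one that tends to get missed when a review only compares against documented subnets.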
Tags: Critical Infrastructure, Network Leaks, Network Mapping, SCADA
Posted in Cyber Policy, Cyber Security, Lumeta, SCADA Networks | No Comments »
May 30th, 2008
Earlier this month the Department of Homeland Security announced increased funding to improve the security of our nation’s critical infrastructure. Port and airline security continue to be hot-button issues among political candidates, particularly on the heels of the latest GAO report on port security, which finds that although the state of port security has improved, there are still serious issues remaining.
Conversely, it would almost seem that this year’s FISMA report card garnered little interest from the Presidential Candidates and only a modest amount of press coverage. This year’s eighth FISMA report card shows a slight improvement in the average for the Federal government, from last year’s C- to a C.
This slight improvement seems far outshadowed by one of the most troubling aspects of this year’s scores — many of the departments and agencies that are responsible for our nation’s critical physical infrastructure are the ones performing the worst. How can we talk about improving the security of our nation’s infrastructure without making the cyber infrastructure part of that discussion?
Posted in Cyber Policy, FISMA | No Comments »
May 16th, 2008
Alright this may be a stretch, but here goes. With the NCAA lacrosse quarterfinals getting underway this weekend, I would like to attempt to make the comparison between network security best practices and a hybrid lacrosse defense. Here goes:
Today anyone who bases a security strategy on just perimeter controls is headed for trouble. Most large organizations are taking an information protection strategy known as “defense-in-depth” that’s more comprehensive than previous approaches. To create an effective defense-in-depth strategy, IT executives need an architecture that intelligently grants permission to applications, data and resources. Typically this means deploying identity management systems that recognize the identity of a device or individual and map it against the policy for that type of access. That, in turn, requires a highly detailed understanding of what is being protected and from whom.
As in basketball, there are two basic defensive styles in lacrosse, man-to-man and zone. Think of a zone defense as a perimeter-only security methodology and man-to-man as an endpoint hardening security solution. As we are well aware, these two extremes of the network security continuum have their positives and negatives; the same is true on the lacrosse field. Only through a hybrid solution, zone defense on the perimeter and man coverage underneath (known as a “slide” system), can a coach achieve defense in depth.
Okay, maybe it was a stretch, but it’s Friday afternoon and my Blue Devils are favored over the Buckeyes. GO DUKE !!!

Posted in Lumeta | No Comments »
May 13th, 2008
Just 6 weeks away - June 30, 2008 marks the deadline for the Trusted Internet Connections (TIC) initiative.
The TIC initiative seeks to consolidate the external connections across the Federal government to a total of 50 - in order to allow for centralized monitoring and incident response. By reducing the number of points of presence the Federal government has on the Internet, it will be easier to manage and secure those connections on an ongoing basis.
The Trusted Internet Connections initiative is not just a one-time network consolidation effort. In order to reap the benefits of consolidating to fewer connections, connectivity will need to be consistently verified and monitored. It’s simply a reality in modern network environments that, given the low cost of connectivity and ease of deployment, agencies will need to internally monitor and audit their connectivity and network perimeter to ensure they maintain compliance with the regulation while supporting demands for the network to be flexible in support of the agency mission.
In a service environment, IT continually faces demands for change. The TIC initiative seeks to protect our nation’s most critical “cyber borders.” As the federal government adopts TIC, it’s critical that at the agency level - as well as for the service providers who have oversight of the resulting enterprise architecture - there’s a continuous method to monitor the new connectivity that inevitably crops up outside of the agreed-upon scope of trusted connections, and to bring that connectivity back into the fold or eliminate it before it poses a threat.
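The continuous check the previous paragraphs call for amounts to comparing each discovery run against two things: the approved set of TIC access points, and the previous run. The script below is an added example written for this post, not part of the TIC program or any Lumeta product. It assumes a discovery tool can emit the external next-hop addresses reachable from inside the agency, one “address label” per line, and that the approved TIC access points are known as CIDR blocks; every address and label is constructed from the RFC 5737 documentation ranges.

```python
"""Audit discovered Internet egress points against an approved TIC set.

Added example, not part of the original post or any Lumeta product. It
assumes a discovery run yields the external next-hop addresses reachable
from inside the agency, one "address label" per line, and that the
approved TIC access points are known as CIDR blocks. Addresses are
constructed from the RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed: the two approved TIC access-point blocks for this agency.
APPROVED_TIC = [
    ipaddress.ip_network("198.51.100.0/28"),
    ipaddress.ip_network("203.0.113.64/28"),
]

# Constructed discovery output at consolidation time (the baseline).
BASELINE_RUN = """\
198.51.100.3   tic-east-fw
203.0.113.66   tic-west-fw
203.0.113.70   tic-west-fw-2
"""

# Constructed discovery output from a later run: one approved path has
# gone away and a new, undocumented egress has appeared.
CURRENT_RUN = """\
198.51.100.3   tic-east-fw
203.0.113.66   tic-west-fw
192.0.2.45     unknown-dsl-modem
"""


def parse_run(text):
    """Map each discovered egress address to its label."""
    egress = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, label = line.split(maxsplit=1)
        egress[address] = label
    return egress


def is_approved(address):
    """True if the address sits inside an approved TIC block."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in APPROVED_TIC)


def audit_egress(baseline_text, current_text):
    """Compare the current run with the baseline and the approved set."""
    baseline = parse_run(baseline_text)
    current = parse_run(current_text)
    key = ipaddress.ip_address  # sort numerically, not lexically
    return {
        # connectivity outside the agreed TIC scope: bring it into the fold or cut it
        "unapproved": sorted((a for a in current if not is_approved(a)), key=key),
        # anything that appeared since consolidation, approved or not
        "new_since_baseline": sorted(set(current) - set(baseline), key=key),
        # approved paths that vanished: a monitoring gap, or a change nobody recorded
        "disappeared": sorted(set(baseline) - set(current), key=key),
    }


if __name__ == "__main__":
    for finding, addresses in audit_egress(BASELINE_RUN, CURRENT_RUN).items():
        print(f"{finding:>18}: {addresses or '-'}")
```

Reporting the disappeared paths alongside the unapproved ones matters: a TIC gateway that drops out of the discovery data is either a real outage or a sign the discovery itself has lost coverage, and either way the agency no longer knows its perimeter.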
Posted in Cyber Policy, Trusted Internet Connections | No Comments »
May 8th, 2008
The growth and innovation of our economy is becoming more and more dependent on our communications infrastructure. The main component of that information infrastructure is the Internet, which depends on the continued availability of IP address space. The remaining pool of unallocated IPv4 address space is likely to be fully allocated within the next few years. IPv6 provides the necessary address space for future growth; therefore we need to facilitate the wider deployment of IPv6 addresses.
The network map below shows 6,132 routers on the IPv6 Internet (scanned to a /48) as of May 1st, 2008.

Tags: Internet Mapping, IPv6
Posted in Internet Mapping, Lumeta | No Comments »
May 5th, 2008
Two items on the newswire this morning raise the question “Who Owns the Internet?” And what the hell is “The Office of Global Internet Freedom?”
First, Senator Sam Brownback (R-KS) has alleged that the Chinese government is demanding that U.S.-owned hotels in that country filter Internet service during the upcoming Olympic Games in Beijing (http://www.computerworld.com.au/index.php/id;1747783510;fp;2;fpid;1). “The Chinese government is requiring U.S.-owned hotels to install Internet filters to “monitor and restrict information coming in and out of China,” Brownback said last week.” Brownback made the allegation during a press conference on China’s human rights record, citing “two different reliable but confidential sources.”
Secondly, the Global Online Freedom Act was introduced by Representative Chris Smith (R-NJ); the bill would penalize companies who facilitate other countries censoring the Internet (http://government.zdnet.com/?p=3787). Among other things, the bill creates a private right of action for individuals; prohibits US internet service providers from blocking online content of US government or US-government financed sites; establishes a new agency within the State Department – the Office of Global Internet Freedom; and requires the President to define as “Internet Restricting Countries” those nations that “systematically restrict” Internet access.
In theory, service providers can lower the quality of the data transferred across the network, they can charge companies such as Google or eBay a higher price for letting them use their network, or they can simply block the data altogether. Unsurprisingly, content providers such as Amazon, Microsoft, Google, and others have been lobbying Congress to prevent this from occurring. Without dredging up all of the “Net Neutrality” arguments, I’m not sure the United States should be in the business of policing Internet access in other countries. It is a slippery slope that starts with pressuring a country to provide un-filtered access and could go as far as starting a trade war over access to Facebook.
Posted in Country Scans, Cyber Policy, Net Neutrality | No Comments »
April 17th, 2008
The winner in the category for “Most Open Internet Access in a Totalitarian State” is Iran. Yes, Iran. The .ir address space is very well connected, with little to no filtering. While we can make no assumptions about access into or out of individual homes (or Starbucks), we can clearly see a policy difference from that of Cuba. Below is an Internet map of the .ir address space, and several very interesting facts can be found in the scanning data:
· 90,260 active IP devices discovered in .ir address space (2,048 routers, 35,901 devices running web services, 15,126 devices running FTP on TCP 21)
· Less than 10% of registered IP address space is unreachable or filtered from Lumeta’s US headquarters
· 23 unsecured wireless access points found via HTTP
o 79.132.208.11 (Aironet) – Morva ISP, Tehran
o 81.31.177.240 (Linksys) – Sharif University of Technology, Tehran
· The router providing most of the connection to the .ir address space is 195.146.63.74 - Data Communication Affairs (Russian Federation)

Posted in Country Scans, Internet Mapping | No Comments »
April 15th, 2008
I’ve always been interested in how things work and the Internet is no exception. We can talk about TCP/IP, BGP routing tables, DNS servers, and other technical aspects of the Internet. But as the old saying goes a picture is worth a thousand words. Just a little background; before Lumeta was mapping some of the most secure and complex intranets in the world, we began a long-term research project to collect routing data on the Internet. Below is an Internet map of the .cu address space (Cuba). Several very interesting facts can be found in the scanning data:
* 7,266 active IP devices discovered in .cu address space (49 routers, 1,447 devices running web services, 652 devices running FTP on TCP 21)
* Approximately 50% of registered IP address space is unreachable or filtered from Lumeta’s US headquarters
* Government-owned ISP CubaData filters all ICMP traffic, though inbound TCP 80 and TCP 443 traffic are not being blocked
* Unreachable assigned CIDRs include: 196.1.112.0/24 (Cuba Office - Pan American Health Organization) and 196.1.135.0/24 (Center For Genetic Engineering and Biotechnology)
* Intelsat, a global satellite operator based in Washington, D.C., provides Internet connectivity from the US to Cuba via two main routers:
* 80.255.62.74 - ns1.globalconnex.net
* 80.255.62.78 - ns1.globalconnex.net

Clearly the .cu address space is being actively blocked from my scanning server located in Somerset, NJ. Later this week I will post scan results for an address space that I consider more open. Any guesses?
Posted in Country Scans, Internet Mapping | No Comments »
April 10th, 2008
From RSA: Secretary Michael Chertoff delivered a keynote speech at RSA Wednesday, where he talked about the current phase of US cyber security efforts as a sort of “Manhattan Project.”
Chertoff highlighted a few elements of that program, including the EINSTEIN initiative (monitoring/intrusion detection) and the Trusted Internet Connections initiative. The Trusted Internet Connections initiative requires agencies to reduce their Internet Points of Presence (POPs) from 4,000 to just 50.
Network consolidation, particularly when it deals with Internet POPs, should not be viewed as a single exercise but rather as an ongoing policy compliance requirement. The low cost of network connectivity and the ease of deployment make it difficult to stay consistently on top of what external connectivity exists within an agency’s enterprise. Today’s IT organizations face increasing demands to deliver flexibility and mobility in support of agency missions.
As the threat landscape and the network itself continue to constantly evolve, it’s necessary for agencies, as well as commercial organizations that hold similarly sensitive data, to maintain critical oversight of the operational state of their network in order to properly guide their detection and monitoring efforts.
By starting with a clear understanding of the physical infrastructure, which the feds are seeking with TIC, the true network perimeter can be defined, and re-defined, to allow agencies to better concentrate intrusion detection and access management tools. This ongoing need to define the network edge is further evidence that the need for perimeter security is anything but dead…
Posted in Cyber Policy, Trusted Internet Connections | No Comments »