
Securing Humanitarian Connectivity


Information security for disaster relief and emergency response field operations. Presentation delivered at the 2015 NetHope Global Summit

Published in: Technology

  1. Securing Humanitarian Connectivity. Rakesh Bharania, Cisco Tactical Operations. www.cisco.com/go/tacops, @CiscoTACOPS. November 2015. Cybersecurity for Disaster Relief and Emergency Response Field Operations.
  2. Agenda: Introductions; Recent Humanitarian Security Incidents; Managing Cybersecurity in Humanitarian Field Operations.
  3. Introductions. (Cisco Public © 2013-2014 Cisco and/or its affiliates. All rights reserved.)
  4. Emergency Response – Cisco TACOPS. Dedicated crisis response team that establishes emergency networks after a disaster. TacOps personnel skills include: technical expertise; planning, logistics and operations; trained first responders (Fire, EMS); military service.
  5. Cisco Tactical Operations: Emergency Responses
     • 2005 – Hurricane Katrina (LA)
     • 2007 – Harris Fire (San Diego, CA) *
     • 2008 – Evans Road Fire (NC) *
     • 2008 – Cedar Rapids Floods (IA) *
     • 2008 – Hurricane Gustav (LA) *
     • 2008 – Hurricane Ike (TX) *
     • 2009 – Morgan Hill Fiber Cut (CA) *
     • 2010 – Earthquake (Haiti)
     • 2010 – Plane Crash (Palo Alto, CA) *
     • 2010 – Four Mile Canyon Fire (CO)
     • 2010 – Operation Verdict (Oakland, CA) *
     • 2010 – Earthquake (Christchurch, NZ)
     • 2010 – Gas Pipeline Explosion (San Bruno, CA) *
     • 2011 – Flooding (Queensland, AU)
     • 2011 – Tornados (Raleigh, NC) *
     • 2011 – Tornados (AL) *
     • 2011 – Tornado (Joplin, MO)
     • 2011 – Tornado (Goderich, Ontario)
     • 2011 – Flooding (Brazil)
     • 2011 – Earthquake and Tsunami (Japan)
     • 2012 – Dadaab Refugee Camp (Kenya)
     • 2012 – Waldo Canyon Fire (CO) *
     • 2012 – Hurricane Sandy (NY / NJ) *
     • 2013 – Boston Marathon Explosion (MA)
     • 2013 – Fertilizer Plant Explosion (West, TX) *
     • 2013 – Tornado (Moore, OK) *
     • 2013 – St. Mary’s College Fire (Leyland, UK)
     • 2013 – Navy Yard Shooting (Washington, DC)
     • 2013 – Typhoon Haiyan / Yolanda (Philippines)
     • 2014 – Carlton Complex Fire (WA) *
     • 2014 – King Fire (CA)
     • 2014 – Ebola virus crisis (West Africa)
     • 2015 – Cyclone Pam (Vanuatu)
     • 2015 – Earthquake (Nepal)
     * = NERV / ECU deployed
  6. Recent Humanitarian Security Incidents
  7. Example 1: Carlton Complex Fire, United States, 2014. Record-breaking fire in Washington State, USA. Deployed emergency networks with security management to protect firefighters and other emergency workers. Across our networks, we supported over 673 unique devices and transferred 60+ GB of data. This was the first time we deployed active cyber protections for responders. We were able to detect and mitigate 30+ “high risk attacks” against first responders over the course of one week.
  8. Cyberattacks against responders: practical realities. Carlton Complex Fire, WA, 2014. FEMA: “This was the first documented cyberattack against a first responder attack surface.” Supported 673 devices on a mesh network supporting fire operations.
  9. Example 2: Ebola Virus Crisis, West Africa, 2014-15. Cisco participated in the ERCI partnership, but also provided direct cybersecurity support to a NetHope VSAT network providing connectivity to 20 ETUs etc. in Sierra Leone and Liberia. The primary concern was inappropriate use of the network by workers in the field: BitTorrent and other high-bandwidth apps consuming donated VSAT bandwidth, resulting in high cost to NetHope and members. Malware and other sites also of concern.
  10. Example: 2014-2015 Ebola Crisis. Deploying cloud-managed security at the satellite hub in Europe created effective security without having local infosec in remote areas! Hundreds of unmanaged, poorly patched hosts; risks mitigated (BYODD). (Diagram labels: 20x remote locations in Sierra Leone and Liberia (ETUs, clinics, etc.); primary and secondary Meraki MX80; HSRP; upstream Juniper FW; Internet.)
  11. Cybersecurity Implementation: NetHope Ebola Response Network
  12. Example 3: Gorkha Earthquake, Nepal, 2015. NetHope deployed Cisco RRK at the Humanitarian Staging Area in Kathmandu. Detected & isolated compromised responder laptops (confirmed malware); disrupted botnet C2 channels. Attacks included: Win32/Mudrop, Win32/Dyre, several Adobe Flash buffer overflows, DNS-based attacks.
  13. Example: Nepal Earthquake (Humanitarian Staging Area, Kathmandu)
  14. TeamSpy in Nepal: targeted cyberattack against humanitarians? Evidence of TeamSpy malware detected by Cisco RRK at the HSA in Nepal. Low infection rate; targeted victims based on geopolitical motive. In our case, C2 hosts were in Germany (but that doesn’t mean the attackers are in or from Germany). Reinforces the immediate need for advanced malware protection for field responders.
  15. Right Now: Syrian Refugee Crisis, Middle East / Europe, 2011-2015. Since the outbreak of the conflict, humanitarian organizations have been one of the primary victims of a complex cyberwarfare campaign. Fatalities resulting from cyber incidents have been documented by FireEye / CitizenLab / University of Toronto. The ongoing threat is advanced, persistent and unlike anything most NH members have dealt with to date.
  16. Security and Humanitarians. “Just because you’re doing good for the world doesn’t mean the bad guys are going to leave you alone.” Consider: humanitarian organizations may have security functions and processes that work back in the home office, but rarely work in the field. Obvious weak point for attack.
  17. Cybersecurity In Humanitarian Field Operations
  18. Typical ICT Challenges in Disaster/Humanitarian Ops. Information and Computing Technologies (ICT) are needed but overwhelmed: lack of power; degraded telephony infrastructure; degraded push-to-talk radio, lack of interoperability; oversubscribed services; limited Internet access; few IT resources; lack of trained staff; lack of information security & management.
  19. Security: What Are We Really Trying to Do? Protect the mission. Protect the vulnerable. Keep bad things out. Keep critical services running. Know what’s happening on the network and devices. Balance security and access. Get it right every time. (Diagram labels: Inside / Outside.)
  20. Myth Busting: Information Security in a Crisis. Assumption: “In a crisis network, I need to get deployed quickly. I don’t have time or the resources to secure the network!” Reality: all field networks should be pre-planned! Plan and build your security and process into your infrastructure!
  21. Dumb Pipes. Most field ICT deployments have a VSAT or other ISP connected to a network. The network is typically unmanaged at that point: firewall logs not reviewed; software updates not managed; QoS/traffic shaping not applied; “I have a firewall, so I’m secure, right?”
  22. Cybersecurity is a lifecycle problem. Challenge: how can this work in the field, where you are most vulnerable?
  23. HFNs Use the Same Basic Infosec Assumptions. Least-privilege access: users, devices and systems are given minimal access given the crisis environment (advanced AAA solutions, etc. may not be available!). Threats may come from anywhere in the network. Simplicity: once initially configured, the security architecture should establish itself without requiring any additional work from personnel who already have too much to do. Defense-in-depth: no single security feature or technology can mitigate the range of possible threats. On-scene staff may have little/no security background. Acceptable use policies and incident response may be undefined.
  24. HFN Security Starts With the Physical. You’re going into a disaster zone! “Force Protection”: physical security of equipment; logistics; intelligence; health and safety.
  25. Managing Infosec in Emergencies. Hastily formed networks (HFN) often overlook security – there is no such thing as a CSO in a disaster. A huge risk for first responders. TACOPS capabilities have integrated security at multiple levels to protect supported orgs: firewall, VPN, IDS/IPS, etc. Important to have buy-in from agency support! First steps: assess risks, determine policy and posture.
  26. Layer 7 Inspection / Deep Packet Inspection for Granular Control. Ironport or Meraki for Layer 7 inspection, blacklisting/whitelisting, QoS and bandwidth management. Enhances BYODD security, preserves satellite bandwidth. “Enable Facebook (because social media is important in a disaster!) but not P2P.” Throttle software updates!
  27. Satellite Cybersecurity – Underappreciated Vulnerability. Satellite is often the only way to get broadband data in a disaster. Protect your satellite bandwidth at all costs! Numerous reports of vulnerabilities in satellite HW/SW. Malicious traffic: botnets, zombies, proxies, DDoS flooding traffic. Inappropriate use…? YouTube; BitTorrent / P2P; adult content. GVF Security Baselines released in 2014–2015: demand compliance by your vendors.
  28. A Real World Security Incident… Once upon a time… the NERV had a flat, open network. Evans Road Fire in North Carolina. A firefighter’s laptop came onto the NERV pre-infected – a DDoS zombie with a spoofed source IP. Created a DoS condition on the satellite uplink.
  29. …Had Us Reevaluate Access. Designed for differentiated access in an easy-to-deploy fashion. “Untrusted” VLANs: open WiFi, certain networks such as those external to the NERV or kits (patch panel) – access to the Internet only. “Trusted” VLANs have open access to servers, vehicle-based resources, etc. Requires you to have physical access to the vehicle/kit. Optical & copper patch panels allow only limited access.
  30. (Diagram slide; no transcript text.)
  31. Our HFN Firewall Strategy – One Policy, Everywhere. Each “unit” is responsible for its own firewall. Each policy is the same: inbound IOS firewall, BOGON filters; egress Internet-only from “untrusted” networks; egress “sanity checking” filters for spoofed outbound traffic; Layer 7 inspection + Layer 3. (Diagram labels: Internet; ASA Firewall; ASA Firewall; Field Units; San Jose, CA; Raleigh, NC.)
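The "one policy, everywhere" ruleset on this slide, together with the spoofed-source DDoS zombie from the Evans Road incident and the trusted/untrusted VLAN split, is shown below as a small packet classifier. This is an added example, not Cisco's or TacOps' configuration; the VLAN ranges, public prefix and sample flows are constructed placeholders, and stateful handling of return traffic is assumed to live elsewhere in the firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for a hypothetical field unit (not a real NERV plan).
UNIT_PUBLIC = ipaddress.ip_network("203.0.113.0/24")  # unit's assigned public range
TRUSTED = ipaddress.ip_network("10.10.0.0/24")        # "trusted" VLAN: vehicle servers
UNTRUSTED = ipaddress.ip_network("10.20.0.0/24")      # "untrusted" VLAN: open WiFi, patch panel
INTERNAL = (TRUSTED, UNTRUSTED, UNIT_PUBLIC)
# Bogons: source ranges that must never arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


@dataclass
class Packet:
    ingress: str  # interface the packet arrived on: "internet", "trusted" or "untrusted"
    src: str
    dst: str


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason) for one packet under the unit-wide policy."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.ingress == "internet":
        # Inbound: BOGON filter first, then no new connections into either VLAN.
        if any(src in b for b in BOGONS):
            return "deny", "bogon source"
        if dst in TRUSTED or dst in UNTRUSTED:
            return "deny", "inbound to internal VLAN"
        return "allow", "inbound to unit public range"
    # Egress "sanity check": the source must belong to the VLAN it came from.
    # A pre-infected laptop spraying spoofed sources is dropped here, before the uplink.
    expected = TRUSTED if pkt.ingress == "trusted" else UNTRUSTED
    if src not in expected:
        return "deny", "spoofed source on egress"
    # Untrusted VLANs get the Internet only; trusted VLANs have open access.
    if pkt.ingress == "untrusted" and any(dst in n for n in INTERNAL):
        return "deny", "untrusted may reach Internet only"
    return "allow", "permitted"


def deny_reasons(packets) -> dict[str, int]:
    """Count denials by reason, the kind of summary a firewall log review would show."""
    counts: dict[str, int] = {}
    for pkt in packets:
        verdict, reason = decide(pkt)
        if verdict == "deny":
            counts[reason] = counts.get(reason, 0) + 1
    return counts
```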
  32. Security Needs to Exist Throughout the Stack. ICT and network security is only one part of the problem. Data collection and dissemination: scrutinize data collected to ensure only minimal data for operations is taken into systems. How is that data protected at rest and in use? Operational security controls (OPSEC): protect information related to logistics, personnel, planning and other critical activities. Consider the impact of social media and communicating to donors. Connecting With Communities (CwC): CwC (ETC 2020) requires “outside the compound connectivity” – absolutely need to consider security impacts not just to humanitarians, but to beneficiary populations (exploitation, trafficking, etc.?). Mass deployment of open WiFi for refugees without due consideration for protecting them sets a bad precedent.
  33. Wrapping up…
  34. “A humanitarian crisis can create a justification for waiving concerns about how information is collected and used, even as cyber-warfare, digital crime and government surveillance rises, particularly in unstable contexts.” – Humanitarianism in the Age of Cyber-warfare (UN OCHA, 2014)
  35. You will be (or already have been!) attacked. (Not a surprise to security people, but to responders.) We’ve documented evidence of targeted cyberattacks against crisis responders, not just random infections. Infosec in disaster relief and humanitarian operations is underappreciated. Who establishes infosec policies, investigates incidents, etc. in the field? Do we need a Humanitarian CERT? What about mutual aid scenarios where you have multiple agencies sharing the same network? This is a responder safety issue. Failing to secure crisis ICT leaves already vulnerable people exposed. This is your reality. Right now.
  36. Connect With Us! On Cisco.com: www.cisco.com/go/tacops. Cisco CSR Reporting: csr.cisco.com -> “Critical human needs”. Facebook: facebook.com/cisco.tacops. Slideshare: slideshare.net/CiscoTACOPS. Twitter: @CiscoTACOPS.
  37. Thank you.
