The document discusses addressing critical infrastructure protection (CIP) in Thailand and challenges associated with CIP where it is not regulated, including limited security professionals and low awareness among stakeholders. It provides examples of how Thailand has worked to raise CIP awareness through training and introducing ISO 27001, and notes that more remains to be done to address the challenges. The speaker is the chief security officer of a Thai company who has contributed to cybersecurity efforts in Thailand.
Franklin downloaded free software that infected his system with malware. After installing the software, Franklin's system rebooted and started malfunctioning. The document discusses computer security risks for home users, including risks from computer attacks like malware infections and accidents that can cause physical damage. It also covers essential computer security topics like threats, vulnerabilities, security elements, and defenses that can help secure systems and information.
The document discusses actual cases of insider threats involving sabotage, theft of intellectual property, and fraud to highlight critical issues organizations should address. It provides mitigation strategies to prevent insider threats such as controlling access to critical systems, monitoring file sharing utilities, and establishing security agreements with business partners. The presentation aims to better prepare attendees to understand and mitigate the risks posed by insider threats.
The document provides a preliminary report on analyzing the Stuxnet malware from a cyber warfare perspective. A team of 26 security experts collaborated on the report. The report aims to understand how Stuxnet works, find signs of attribution, develop countermeasures, and examine its potential use in cyber warfare. The report analyzes the Stuxnet source code and variants, explains how it infiltrates systems and targets industrial control systems, and proposes a multi-layered defense-in-depth strategy as a countermeasure.
Protecting legitimate software users’ interest in designing a piracy preventi... (Alexander Decker)
This document discusses a proposed technique called TUSRUC (Time Usage of Software in Respect of Unforeseen Contingencies) to address software piracy by allowing legitimate users a grace period for software reinstallation due to issues like hardware failure or virus attacks. The technique uses a mobile agent that checks software activation codes against a database and stores user system information to determine if reinstallation falls within the grace period or constitutes piracy. A survey found most students, staff, and faculty agreed not having a grace period could encourage piracy among legitimate users. The TUSRUC aims to protect legitimate users' interests while still preventing unauthorized multi-system installations.
IT Security Presentation - IIMC 2014 Conference (Jeff Lemmermann)
This document discusses information technology security and fraud prevention. It begins by outlining the top IT security concerns, including data security, network security, and managing risk. It then examines specific threats like data breaches, hacking, and internal fraud. The document provides examples of major data incidents and their impacts. It emphasizes the importance of physical security, access controls, encryption, and policies/procedures to mitigate risks. Throughout, it stresses planning, governance, training, and incident response to help organizations strengthen their security posture.
This document discusses computer security policies and recommendations. It covers the history of computer security policies since the early 1990s. It also discusses the risks posed by lack of effective security policies, and the need for a holistic approach. The document provides recommendations for developing an effective computer security policy, including identifying assets, risks, access controls, backups, and education. It stresses the importance of well-trained security professionals with integrity.
The document discusses modern network security threats and organizations. It identifies common threats like worms, spam, DoS attacks and viruses. It then lists three major network security organizations that help address these threats: Computer Emergency Response Team (CERT), SysAdmin, Audit, Network, Security (SANS) Institute, and International Information Systems Security Certification Consortium ((ISC)2).
Balancing Your Internet Cyber-Life with Privacy and Security (evolutionaryit)
A quick yet expansive overview of internet security and privacy basics in plain English. The digital world can be a dangerous place; this presentation will give you the practical knowledge to protect yourself.
Security Testing for Testing Professionals (TechWell)
Today’s software applications are often security-critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.
IT Security for the Physical Security Professional (ciso_insights)
This document provides an overview of an IT security presentation for physical security professionals. The agenda includes introductions, an overview of IT security concepts and terminology, technical topics, and ways physical security professionals can help with IT security. Some key points covered include changing threats like identity theft and phishing, common attacks like man-in-the-middle and denial of service, and risks from things like laptop theft, wireless networks, and spyware. The presentation aims to help physical security professionals understand basic IT security principles and how they can support efforts to protect electronic information and networks.
Cyber Security for Critical Infrastructure - ppt (Mohit Rampal)
The document discusses cyber security threats to critical infrastructure and the need for proactive cyber defense. It notes that cyber attacks are becoming more sophisticated and professional. Zero-day vulnerabilities pose one of the biggest threats since there are no existing defenses. It also discusses how security of industrial control systems is changing as these systems become more interconnected and integrated with other networks. Fuzz testing and maturity models for fuzz testing are introduced as important methods for detecting unknown vulnerabilities. Maintaining security will require managing both known and unknown vulnerabilities through approaches like fuzz testing.
This document discusses the personal and social impacts of computers, including computer waste and mistakes, computer crime, and privacy issues. It outlines how policies and procedures need to be established to prevent computer waste and mistakes caused by human error. It also describes the different types of computer crimes like illegal access, data theft and alteration, and software piracy. Finally, it addresses privacy concerns regarding the collection and use of personal data in the workplace and via email.
ISACA SLOVENIA CHAPTER October 2016 - Lubiana (Luca Moroni)
Talk Luca Moroni - Via Virtuosa
Cyber security awareness of critical infrastructures in N/E of Italy: scenarios and guidelines for self-assessment (Slovenian title: Awareness of online security and critical infrastructure in northern Italy: scenarios and guidelines for conducting a self-assessment)
The document provides an overview of Peter Wood, an expert in ethical hacking and cybersecurity. It discusses the concept of "consumerisation" where employees want to use their personal devices for work purposes. While this raises security concerns for IT departments, the document argues that tightly controlling devices is ineffective and employee expectations around mobility and flexibility will result in loosened corporate control over tools. It outlines some of the mobile security risks at different layers of devices and examples of malware targeting smartphones.
Is your data at risk? Why physical security is insufficient for laptop computers (FindWhitePapers)
The document discusses why physical security alone is insufficient to protect data on laptop computers. Passwords provide access to operating systems but not protection of data. Without encryption, data is vulnerable if a laptop is lost, stolen, or its hard drive is accessed on another machine. The document evaluates options in Microsoft Windows for encryption and recommends third-party full disk encryption software for strong protection of data on laptops.
The document summarizes mobile threat data from January to June 2018. It finds that every customer saw mobile OS threats, MITM attacks increased over the last half of 2017, and one in three devices detected a mobile threat. Specific threats discussed include Meltdown and Spectre CPU vulnerabilities, vulnerabilities in Apple's Bluetooth daemon, the ZipperDown app vulnerability affecting 100 million iOS users, cryptojacking malware, and threats from unpatched vulnerabilities, malicious apps, and network attacks like MITM and rogue access points.
2018 Year in Review - ICS Threat Activity Groups (Dragos, Inc.)
Intelligence Analyst Selena Larson, Sr. Adversary Hunter Joe Slowik, and Sr. Adversary Hunter Amy Bejtlich give an overview of the 2018 Year in Review report, detailing the eight ICS threat activity groups Dragos' Intelligence team tracks and the changing threat landscape.
Buyers Guide to Endpoint Protection Platforms (FindWhitePapers)
Traditional markets for dedicated endpoint security products have been eclipsed by endpoint protection platforms. The Evolution of Endpoint Security featuring the Buyers Guide to Endpoint Protection Platforms explores how the traditional methods for endpoint security should evolve. In it, you'll learn how the lack of data protection can affect your bottom line and gain insight into the true costs involved in migrating and managing an endpoint security product. Finally, learn how Sophos's acquisition of Utimaco affects the security and data protection market.
The document discusses the need for information security professionals and provides an overview of information security. It describes how connecting to the internet exposes computers to risks from malicious actors. It then covers key topics in information security including identity theft, malware, patch management failures, and distributed denial of service attacks. The document concludes by recommending best practices for protecting digital assets such as using antivirus software, firewalls, and keeping systems updated with the latest patches.
Learn How to Detect, Prevent, and Replace the Use of USB Drives (SolarWinds)
Stop Data Walking Out the Door: Learn how to detect, prevent and replace the use of USB drives
This webinar addresses the issue of rising internal data breaches, and the risk of USB thumb drives. IT professionals have an obligation to protect their companies from damage, whether it’s lost IP, lawsuits or fines. This webinar demonstrates how using SolarWinds LEM and SolarWinds Serv-U® safely detects, prevents, and replaces the use of USB thumb drives.
Other information found in this webinar:
o Insider abuse, data loss, and the ramifications
o Best practices for protecting sensitive data
o How SolarWinds technology (SolarWinds LEM and SolarWinds Serv-U®) can help protect against USB devices and ensure secure file sharing and collaboration
Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S... (Security B-Sides)
The document provides an agenda for a talk on advanced persistent threats (APTs). It introduces APTs and discusses how they have evolved over time from targeting military and intelligence to also targeting private companies. It notes APTs can be opportunistic attacks that utilize social engineering and technical vulnerabilities. The document contrasts APTs with more sophisticated threats known as subversive multi-vector threats that are willing to exploit people, processes, and technologies to achieve their goals. It provides examples of analyzing suspicious foreign network traffic and discusses challenges with identifying and addressing multi-vector threats.
The document discusses a technology and security class. It provides an agenda that covers IT news, an exam follow-up, and a focus on security. Under security news, it lists several recent computer virus and hacking incidents. It then discusses common security myths and holds a quick security assessment activity. The rest of the document outlines various security topics like definitions of security concepts, security risks, protection methods, and ways to assess security risks. It emphasizes the importance of backups, strong passwords, and keeping systems updated with patches.
This chapter discusses fundamental computer security. It defines security threats like viruses, worms, Trojan horses, adware, and spyware, and outlines security procedures. The key threats are physical damage to or theft of equipment, and corruption of, unauthorized access to, or theft of data. Attacks can come from internal employees or external hackers. The chapter recommends antivirus software and web security, and outlines best practices for protection against social engineering.
Security Testing for Testing Professionals (TechWell)
Today’s software applications are often security critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications, and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.
At RSA Europe 2010, Ron Lapedis and Michael F. Angelo gave a presentation on Consumerization, titled "Bring Your Own Computer to Work – What Now?". The presentation covered Consumerization issues as embodied in the use of non-corporate-owned computers in the corporate environment. With this in mind, they discussed the potential bleed-out of intellectual property and mitigation techniques. You can read Michael's blogs on the subject here: http://bit.ly/11BhzC
The document discusses several challenges posed by digital technology, including issues of truth manipulation, database limitations, security threats, and quality of life concerns. Regarding security threats, it notes that errors, accidents, and computer crimes all pose risks. Computer crimes include theft of hardware, software, information, and illegal acts using computers. Safeguarding computers requires deterrence, identification, encryption, software and data protection, and disaster recovery plans. Quality of life concerns include environmental issues from manufacturing and disposal, mental health impacts of isolation and gambling, and risks to children from pornography, predators, and cyberbullying.
Cyber Security Awareness of Critical Infrastructures in North East of Italy S... (Luca Moroni)
Critical Infrastructures (IC) are essential elements in our economic and social life. Cyber incidents in such organizations could create a “domino effect”. This must be an important concern in a National Cyber Security Policy. Now: the EU Cybersecurity Act.
View on-demand recording: http://securityintelligence.com/events/x-force-threat-intelligence-protect-sensitive-data/
Malicious or inadvertent, an insider threat to your enterprise “crown jewels” can cause significant damage. In this webcast, learn which attack trends you need to be prepared to address, explore options to protect against these threats and how you can combat this area of risk. We will also share best practices and recommendations for implementing an end-to-end data protection strategy including data encryption, monitoring, dynamic data masking and vulnerability assessment for all data sources and repositories.
In this presentation, you will learn:
- The latest findings from the X-Force Threat Intelligence Report
- How various threats and vulnerabilities are evolving
- How companies can mitigate this exposure
We are an instructor-led online training hub. Get access to the world’s best learning experience at our online learning community, where millions of learners learn cutting-edge skills to advance their careers, improve their lives, and pursue the work they love. We provide a diverse range of courses, tutorials, resume formats, projects based on real business challenges, and job support to help individuals get started with their professional career.
The Consensus Audit Guidelines is a collaborative effort between industry and government to identify the most critical security controls for defending our Nation’s cyber systems from attacks.
In this presentation, you will learn:
- The latest findings from the X-Force Threat Intelligence Report
- How various threats and vulnerabilities are evolving
- How companies can mitigate this exposure
We Are Instructor Led Online Training Hub.Get access to the world’s best learning experience at our online learning community where millions of learners learn cutting-edge skills to advance their careers, improve their lives, and pursue the work they love. We provide a diverse range of courses, tutorials, resume formats, projects based on real business challenges, and job support to help individuals get started with their professional career.
The Consensus Audit Guidelines is a collaborative effort between industry and government to identify the most critical security controls to defending our Nation’s cyber systems from attacks.
State of Cyber: Views from an Industry InsiderBen Johnson
In order to understand how we might improve our defenses and our contributions to cyber safety, we must understand the power of the dark side. We look at some headline making hacks and call it some interesting aspects of those, then we shift to what can we all do for better cybersecurity and digital presence.
Slides from Simson Garfinkel's "Cybersecurity Mess" talk, explaining why we won't make progress on computer security until we solve several other important items.
Presented April 25, 2012 to the MIT Industrial Liaison Program.
The document outlines an information security workshop presentation on the scope and importance of information security. It discusses 10 key domains of information security knowledge including access control, application security, risk management, cryptography, operations security, physical security, security architecture, telecommunications, and networks. The presenter has 10 years of IT consulting experience and various security certifications. The goals are to raise awareness of information security and the need for regional cooperation such as a Pacific Computer Emergency Response Team.
Brian Krebs provides five security insights: 1) Organizations should regularly pen test users as attackers already are; 2) Connected devices with IP addresses will eventually be hacked; 3) Organizations need to drill breach response in advance; 4) People need to actively work to secure and maintain privacy or they do not have privacy; 5) IoT is a national security priority given the firepower available to attackers. Brett Kelsey of Intel Security discussed cybersecurity numbers including average costs of breaches and time to detect breaches.
December ISSA Meeting Executive Security Presentationwhmillerjr
The document summarizes a presentation given by William H. Miller Jr. on enterprise security from a C-level perspective to the Information Systems Security Association Space Coast Florida Chapter. Some key points discussed include the inevitability of cyber attacks, the need for public-private partnerships in cybersecurity, guidelines for effective security policies, and components of a comprehensive security framework for organizations.
This document discusses strategies for achieving bulletproof IT security. It recommends establishing strong security policies, frequent employee training, ongoing self-assessments, encryption, asset management, and testing business continuity plans. It also stresses the importance of system hardening through vulnerability management and addressing issues like BYOD. The document provides numerous free tools and resources organizations can use to identify vulnerabilities, harden systems, and prevent malware.
The Breach at Limetree Updated November 18, 2017 Bac.docxmehek4
The Breach at Limetree
Updated November 18, 2017
Background: Limetree Inc. is a research and development firm that engages in multiple
research projects with the federal government and private corporations in the areas of
healthcare, biotechnology, and other cutting-edge industries
Limetree recently lost a DOD contract worth millions of dollars, because another competitor
claimed to have “superior chemical process that brought about the desired results in half the
time, with over seventy-five percent more yield than conventional technologies.” This contract
loss troubled Limetree Inc. management because Limetree has been working on that exact
same technology for years and they suspect that it’s no mere coincidence that a competitor has
claimed their proprietary process for their own.
The management then asked Jack Sterling, Limetree’s security manager, to investigate if there
were any IT related security problems that could shed some light on the possibility of an insider
threat. Jack performed an unannounced sweep of the office area and found serious problems.
There were poor security practices with every workstation, such as unauthorized external hard-
drives & USBs, passwords under mouse pads, unlocked displays, unauthorized software,
obvious phone PINs, wireless passwords on bulletin boards, and improper destruction of
sensitive documents.
Jacks’ investigation lead him to three suspects: Jamie Kim at workstation #14 because her
external hard-drive had the same proprietary processes files as was leaked to the competitor;
Duncan Harris at workstation #11 because he had a USB with deleted files that also had the
proprietary processes leaked; Steve Kim at workstation #4 because he had passwords and
usernames of Jamie Kim on a partially shredded paper in the trash. No other employees had
any file or potential access to the files that contained the proprietary processes.
Jack also conducted a review of the access logs on the server to rule out any unwarranted
wireless access from in or outside the facility. There were several unauthorized users using the
wireless resource, but no access to the servers. Logs on the servers themselves revealed
unauthorized directory traversals and DNS poisoning but these attacks were not in the narrow
timeframe that the insider sold the proprietary process. Jack then navigated to the folder that
the proprietary process was kept and observed there was no encryption; nor was it isolated on
the network. Jack looked up the default password for the CISCO switch and sure enough, it had
not been changed on the routers and switches. Jack also ran a root-kit detector and although it
didn’t find one, it did show that a backdoor had been planted in the distant past but wasn’t
active now. After finding the backdoor, Jack then examined the public-facing webpage and
noticed that many of the input fields did not do any data integrity checks. Since that is a poor
security pract ...
Cybersecurity and continuous intelligenceNISIInstituut
Welcome to the cybersecurity & continuous intelligence knowledge slidedeck of NISI (Nederlands Instituut voor de Software Industrie).
Cybersecurity & Continuous Intelligence is a broad topic, covering rules & regulation, internet, cyberwar, software, machine learning and society & trust.
This slidedeck offers you a more in-depth view of this exciting area.
Please contact us directly for more information via email info@nisi.nl or the contact on form on nisi.nl.
Nederlands Instituut voor de Software Industrie
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxchristiandean12115
ISE 510 Final Project Scenario Background Limetree Inc. is a research and development firm that engages in multiple research projects with the federal government and private corporations in the areas of healthcare, biotechnology, and other cutting-edge industries. It has been experiencing major growth in recent years, but there is also a concern that information security lapses are becoming rampant as the company grows. Limetree Inc. is working to establish a strong reputation in the industry, and it views a robust information security program as part of the means to achieving its goal. The company looks to monitor and remain compliant to any regulation impacting its operations.
Limetree Inc. recently experienced a security breach; it believes confidential company data has been stolen, including personal health information (PHI) used in a research study. Limetree Inc. believes the breach may have occurred because of some security vulnerabilities within its system and processes.
Limetree Inc.’s virtual environment is presented in the Agent Surefire: InfoSec educational video game. The rest of the environment is presented via an interview with the security manager, Jack Sterling.
Highlight of Interview with Jack Sterling
Interview with Jack Sterling revealed the following about Limetree Inc.’s system and processes:
Hardware/Software:
Desktop Apps: Internet Explorer, Firefox, Google Chrome, MS Office, Adobe Flash, Adobe Acrobat
Applications/Databases:
Browser – Browser in use is Internet Explorer and browser security setting was set to low. Browsers allow remote installation of applets, and there is no standard browser for the environment.
Virus Software – MacAfee is deployed locally on each user's machine and users are mandated to update their virus policy every month.
SQL Database – Ordinary users can escalate privilege via SQL Agent. Disk space for SQL database log is small and is overwritten with new information when it is full. Limetree Inc. is not using any encryption for sensitive data at rest within the SQL server environment.
Network:
The network comprises the following: three web/applications servers, three email servers, five file and printer servers, two proxy servers, seven remotely manageable Cisco switches, 250 desktops, three firewall devices, one gateway (router) device to the internet, and three wireless access points.
Configuration Highlights:
Wireless – Wireless network is available with clearly advertised SSID, and it is part of the local area network (LAN). There is no segmentation or authentication between the wireless and wired LAN. Visitors are provided access code to the wireless network at the front desk to use the internet while they wait to be attended to.
Managed switches – There is no logging of network activities on any of the switches.
Web server – Public-facing web server is part of the LAN. This is where internet users get needed information on the company. The web servers are running the f.
Lesson2.9 o u2l6 who cares about encryptionLexume1
This document outlines a lesson plan on encryption that involves students exploring who cares about encryption through readings and a debate activity. Students will represent different groups (government, civil liberties, business) in the debate about the availability of encryption software. The lesson aims to help students identify cybersecurity concerns and evaluate online sources, as well as understand that cybersecurity involves tradeoffs and that the trust model of the internet has limitations. Homework involves reading more about the evolution of encryption methods.
Risk Mitigation Plan Based On Inputs ProvidedTiffany Graham
1. The access control policy outlines how access control methodologies will secure information systems through authorization and access restriction. A reference monitor will enforce access controls based on authorizations in an administrator-managed database.
2. Discretionary access control allows flexible user-defined access permissions but increases security risks if data is made too accessible. Mandatory access control uses a hierarchy approach where the system administrator centrally controls all resource access settings.
3. The policy will employ both discretionary and mandatory access control. Discretionary control allows flexibility while mandatory control provides centralized administration of access to increase security overall. Together these methods balance usability with strict
AI: The New Player in Cybersecurity (Nov. 08, 2023)Takeshi Takahashi
These slides outline how AI is influencing cybersecurity.
Note that they were used in the keynote speech at the event "Defense and Security 2023" held in Thailand on November 8, 2023.
Security Considerations in Process Control and SCADA Environmentsamiable_indian
The document discusses security considerations for process control and SCADA environments. It outlines that security risks increase with technological advances and connectivity. The Department of Homeland Security believes critical infrastructure could be targeted. The document provides guidance on establishing security programs, including risk assessment, policies and procedures, secure network architectures, and recommendations for encryption and secure communications.
CCNA Security 02- fundamentals of network securityAhmed Habib
This document provides an overview of network security. It discusses what network security is, the rationale for it including increases in cybercrime and threats. It covers types of attacks, vulnerabilities, and countermeasures. It also discusses security policies, standards, risk assessment, and careers in network security such as network security administrator and chief information security officer.
The Threats Posed by Portable Storage DevicesGFI Software
In a society where the use of portable storage devices is commonplace, there is a real risk to business. The threat that these devices pose to corporations and organizations is often ignored. This white paper examines the nature of the threat that devices such as iPods, USB sticks, flash drives and PDAs present and the counter-measures that organizations can adopt to eliminate them.
The document summarizes the creation of a penetration testing laboratory by Thomas Butler for his master's degree project. It describes setting up three virtual machines - an "attack machine" running Backtrack5R3, and two "victim machines", one running Metasploitable and another running Badstore.net. Appendices cover the penetration testing methodology, reconnaissance, scanning, exploitation with Metasploit, and post-exploitation activities. The goal was to create a hands-on environment for practicing penetration testing skills.
Public services such as electricity, water, hospital management and transport are important for the smooth functioning of our daily lives. The critical nature of these services make these systems a key target for cyber threats. This is why the public sector experiences more incidents than any other industry.
Hence why the public sector needs to focus more on strengthening their cybersecurity strategies to address critical gaps – especially the devices used and policies governing their use.
In this session, Asela addressed some of our critical services and how the lack of security focus has affected their use.
This document discusses cloud security concerns and risks. It provides a list of the top threats to cloud computing which include abuse and nefarious use of cloud computing, insecure interfaces and APIs, and malicious insiders. The document also summarizes key security and privacy issues from NIST publications including governance, compliance, trust, and data protection. It promotes certification in cloud security knowledge and outlines 13 domains of cloud security.
The document is an agenda for the Cyber Defense Initiative Conference 2011 being held from March 20-21, 2012 in Bangkok, Thailand. The conference theme is "Is Your Privacy at Risk? Security and Privacy Challenges in the Digital Modernity." The agenda includes discussions on mobile challenges for enterprises, what to look for in mobile device management (MDM) solutions, advanced threats over networks, and advanced network analysis tools. It also provides questions to consider when evaluating MDM solutions and discusses the need for intelligence-driven security and best-of-breed solutions to address evolving cyber threats.
This document discusses current and emerging cyber threats. It notes that the physical and digital worlds are converging through devices like CCTVs and medical devices. In 2010, common threats included botnets, exploits, and identity theft. For 2011, the document predicts tighter budgets, more sophisticated technology, and more innocent users coming online leading to more targets and accessibility for criminals. It emphasizes the need for security awareness programs and cautions that internal threats may be as significant as external ones.
The document provides information about various cybersecurity incidents involving critical infrastructure systems. It summarizes past events where control systems for wastewater treatment plants, nuclear power plants, oil pipelines, and more were compromised in various ways. Each event summary includes details about the specific impacts and lessons learned about how to better secure these types of industrial control systems.
The document discusses the importance of developing an information security workforce framework for Thailand. It notes challenges like the small number of qualified professionals and lack of clear career paths. It introduces the Thailand Information Security Association (TISA) and its first competency profiling test. International frameworks for workforce development from the US Department of Defense and Department of Homeland Security are also summarized that emphasize common competencies and certifications. The document argues a framework is needed to address Thailand's challenges and properly develop the information security workforce.
The document discusses improving control system security. It examines current security trends and their impact on SCADA systems. It discusses increasing the security and usability of SCADA systems through understanding tools and techniques to mitigate risks. The document also provides an overview of the speaker and their relevant experience and qualifications.
Cyber attacks on industrial control systems pose a serious threat. Several incidents around the world have shown that critical infrastructure systems controlling functions like power grids and water treatment have been hacked, in some cases shutting down safety monitoring systems. These control systems were not designed with security in mind and connecting them to corporate networks and the internet has increased vulnerabilities. Stronger security measures are needed to protect against growing cyber threats.
This document discusses aligning IT security solutions with business justification. It emphasizes performing risk assessments to quantify risks in monetary figures in order to justify security investments based on requirements rather than just technology. It also stresses the importance of investing in human resources like user awareness, IT staff education, and management understanding. Finally, it provides an overview of the Enterprise Information Security Body of Knowledge which establishes competencies and roles to help develop the IT security workforce.
The document summarizes the establishment and purpose of the Information Technology (IT) Security Essential Body of Knowledge (EBK). The EBK was established to provide a common framework and baseline of competencies for the IT security workforce in both public and private sectors. It defines key functional areas, competencies, and roles to help standardize training, certification, and professional development in the field of IT security. The EBK was developed through collaboration between government, academia, and industry subject matter experts.
1. Addressing CIP: A Thailand Case Study
by Chaiyakorn Apiwathanokul
CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd.
A Company of PTT Group
Note: CIP = Critical Infrastructure Protection
2. Addressing CIP: A Thailand Case Study
by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
Synopsis:
In many countries where Critical Infrastructure Protection is not yet a regulatory requirement, or is not taken seriously by the government, perception, understanding, collaboration and a qualified workforce are big challenges. Many misperceptions about securing these systems make it hard to convince management and stakeholders to support activities and investments. However, legislation is not the only way to go; there are many other factors that can be brought into the picture, e.g. BCM and risk management, to help attract management's attention. As security professionals, how can we make things better? How can we use the other mechanisms available to help address this challenge?
In Thailand, even though we have not explicitly issued a law specifically for CIP, we have done something to address CIP to some extent. We help raise awareness and understanding through training and seminars that demonstrate the vulnerability and exploitability of such systems. We introduce ISO27001 as a basic security management framework. Of course, there are many other things that still need to be done to address this challenge.
3. About Speaker
Name: Chaiyakorn Apiwathanokul
ไชยกร อภิวัฒโนกุล
Title: Chief Security Officer (CSO)
Company: PTT ICT Solutions Company Limited
A Company of PTT Group
Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
• Contributed to Thailand Cyber Crime Act B.E.2550
• Security Sub-commission under Thailand Electronic Transaction Commission
(ET Act B.E. 2544)
• Workgroup for CA service standard development
• Committee of national standard adoption of ISO27001/ISO27002
• Committee of Thailand Information Security Association (TISA)
• Committee of Cybersecurity taskforce development, Division of Skill
Development, Ministry of Labour
4. Disclaimer
• I am not a representative of the Thailand government or of any commission I have been involved in.
• I am not a spokesperson for my company.
• I am here as an infosec professional working and contributing in Thailand, and would like to share some experience and Thailand's circumstances for the sake of global professional community collaboration and contribution.
7. Italian Traffic Lights (In the real world)
Event: Feb 2009, Italian authorities investigating unauthorized changes to traffic enforcement system
Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in two month period
Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have shorter yellow light causing spike in camera enforced traffic tickets
Lessons learned:
• Do not underestimate the insider threat
• Ensure separation of duties and auditing
8. Transportation – Road Signs (In the real world)
Event: Jan 2009, Texas road signs compromised
Impact: Motorists distracted and provided false information
Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
Lessons learned:
• Use robust physical access controls
• Change all default passwords
• Work with manufacturers to identify and protect password reset procedures
10. Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009 (In the real world)
• "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.
• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with hospital, which specializes in orthopedics and sports medicine."
11. In the real world
CIA Admits Cyber attacks Blacked Out Cities
• The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers.
• The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.
By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM
13. In the real world
TISA in Bangkok Post : When Hacking risks health
TISA web site : http://www.tisa.or.th
14. Common claim: "The system is isolated" (In the real world)
Virus Found On Computer In Space Station
NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. …
The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection.
InformationWeek August 27, 2008
15. [Diagram: relationships among the CIP actors. Node labels recovered from the slide: Adversary / Terrorist / Hacker / Disgruntled employee; Malicious code / Virus / Worm; Vulnerabilities / Weaknesses; National Critical Infrastructure; Plant Control Systems (Manufacture, Operation); Government / Regulator; Law / Compliance / Standard / Guideline; Industry-specific]
16. Simplification
[Diagram; recoverable labels: "Someone hate someone"; "Someone develop a weapon"; "Not only someone but someone else got trouble"; "Someone (and someone else) has to do something"]
18. What Big Brothers do?
• US, 1996, Critical Infrastructure Protection (PCCIP)
• US, 1998, FBI National Infrastructure Protection Center (NIPC) and
the Critical Infrastructure Assurance Office (CIAO)
• Communications and Information Sector Working Group (CISWG)
• Partnership for Critical Infrastructure Security (PCIS)
9/11
• US, 2001, President’s Critical Infrastructure Board (PCIB)
• US, 2003, National Infrastructure Advisory Council (NIAC)
• Control Systems Security Program, National Cyber Security Division,
US-DHS
• United States Computer Emergency Readiness Team (US-CERT)
Control Systems Security Center (CSSC)
19. Obama elevates the priority of Cybersecurity concerns
May 29, 2009
U.S. President Barack Obama will appoint a government-wide cybersecurity coordinator and elevate cybersecurity concerns to a top management priority for the U.S. government, he announced Friday.
The White House will also develop a new, comprehensive national cybersecurity strategy, with help from private experts, and it will invest in "cutting edge" cybersecurity research and development, Obama said in a short speech.
20. Common Characteristics
• Tone from the top
• Accountability
• Across government agencies
• Government and industries collaboration
• Industry specific best practices vs. common best
practices (share and collaborate)
• Short/Mid/Long term plan
• Review, Plan, Deploy, Monitor, Report (cycle)
21. Challenges
• Small number of security professionals in the market
• Misperceptions about control system security
– Security by obscurity
– Separated network
– Not an IT business
– We have no secrets
• Low awareness among stakeholders
23. The Implication
• Only a small number of professionals with the right competency to help you out
• Collaboration and support from the professional community is highly needed
24. InfoSec Professional Involvement
• Law
– ETC: Electronic Transaction Commission
– Security Sub-commission
– Electronic Transaction Act:2001
• Performance Appraisal Program (for State Enterprise)
• National Standard Adoption (ISO27001/ISO27002)
• Educate top management in healthcare industry
• Annual conference: Cyber Defence Initiative Conference
(CDIC)
• Educate top management, mid-management and the technical personnel involved
25. Key Influencer
• Electronic Transaction Commission (ETC)
• Thailand Information Security Association (TISA)
• State Enterprise Policy Office (SEPO)
• Ministry of ICT
• NECTEC, Ministry of Science and Technology
• ACIS Professional Center
26. Guideline on Securing the Electronic Transaction
(Derived from the ISMS Implementation Guideline)
32. TISA Pilot Exam Summary: Certification Roadmap
[Table: rows are levels, columns are the Audit / Management / Technical tracks]
EXPERT and ADVANCE: International Certified IT & Information Security Professional; step to CISSP, SSCP, CISA, CISM
FOUNDATION (Localized): TISA TISET Certification on IT / Information Security; Competencies Test: TISA TISET Exam
27-Jul-10
33. State Enterprise Policy Office (SEPO)
• Incentive-based Performance Appraisal Program conducted annually
• 50+ State Enterprises under this program, which include:
– Electricity generation and distribution
– Gas pipeline and energy
– Waterworks
– Telecommunication
• IT Management
– ISO27001
• Business Risk Management
– Business Continuity Management (BCM)
35. The growth of ISO27001 in Thailand
Japan 3572 Philippines 15 Peru 3
India 490 Pakistan 14 Portugal 3
UK 448 Iceland 13 Argentina 2
Taiwan 373 Saudi Arabia 13 Belgium 2
China 373 Netherlands 12 Bosnia Herzegovina 2
Germany 138 Singapore 12 Cyprus 2
Korea 106 Indonesia 11 Isle of Man 2
USA 96 Bulgaria 10 Kazakhstan 2
Czech Republic 85 Norway 10 Morocco 2
Hungary 71 Russian Federation 10 Ukraine 2
Italy 61 Kuwait 9 Armenia 1
Poland 56 Sweden 9 Bangladesh 1
Spain 43 Colombia 8 Belarus 1
Malaysia 39 Iran 8 Denmark 1
Ireland 37 Bahrain 7 Dominican Republic 1
Austria 35 Switzerland 7 Kyrgyzstan 1
Thailand 34 Croatia 6 Lebanon 1
Hong Kong 32 Canada 5 Luxembourg 1
Romania 30 South Africa 5 Macedonia 1
Australia 29 Sri Lanka 5 Mauritius 1
Greece 28 Vietnam 5 Moldova 1
Mexico 24 Lithuania 4 New Zealand 1
Brazil 23 Oman 4 Sudan 1
Turkey 21 Qatar 4 Uruguay 1
UAE 20 Chile 3 Yemen 1
Slovakia 19 Egypt 3
France 18 Gibraltar 3
Slovenia 16 Macau 3 Total 6573
Number of Certificates Per Country @July 2010 http://www.iso27001certificates.com/Register%20Search.htm
36. Start with Awareness
• Annual security event, CDIC (public and
private sector)
• Top management
• Involve engineers and technicians
38. Normal Operation
[Diagram: PLC <-> HMI Web & DB Server <-> Operator Workstation <-> Operator, the normal control path]
39. Hacking on Operator workstation
Scenario #1.1 Known local admin password
[Diagram: the attacker knows the local admin password, connects by Remote Desktop to the GUI's server (Operator Workstation), remotely controls the GUI, adds a new user and opens a shared folder. Path: PLC <-> HMI Web & DB Server <-> Operator Workstation <-> Operator]
40. Hacking on Operator workstation
Summary Scenario #1.1 Known local admin password
Required conditions:
Local admin password is known (default password)
Remote Desktop is enabled
Consequences:
Attacker can take over the system
Attacker can take over the GUI
Attacker can add a new user
Attacker can open a shared folder
Remediation:
Change the default password
Restrict access to Remote Desktop
41. Hacking on Operator workstation
Scenario #1.2 Unpatched
[Diagram: the attacker exploits a vulnerability on the unpatched GUI's server (Operator Workstation), then remotely controls the GUI, adds a new user and opens a shared folder. Path: PLC <-> HMI Web & DB Server <-> Operator Workstation <-> Operator]
42. Hacking on Operator workstation
Summary Scenario #1.2 Unpatched
Required condition:
Operator workstation is not patched
Consequences:
Attacker can take over the system
Attacker can take over the GUI
Attacker can add a new user
Attacker can open a shared folder
Remediation:
Regularly patch the workstation
Monitor system integrity
Consider an intrusion detection system
Consider a security perimeter
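The "monitor system integrity" remediation above is the one that catches a compromise after the fact, whether the attacker came in through an unpatched service or a known password. The following is an added example, not the presenter's tool: a minimal file-integrity baseline for an operator workstation or HMI server. Hash every file once the system is in a known-good, patched state, then compare later and alert on anything added, removed or modified. The directory layout and file names in demo() are constructed for the example.

```python
# Added example (not from the presentation): a minimal file-integrity monitor for an
# operator workstation or HMI server. Take a baseline of hashes once the system is in a
# known-good, patched state; compare later and alert on added, removed or modified files.
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): _sha256(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def compare_with_baseline(root: str, baseline: dict) -> dict:
    """Return the files that appeared, disappeared or changed since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
    }


def demo() -> dict:
    """Self-contained run on a constructed HMI directory (file names are made up)."""
    with tempfile.TemporaryDirectory() as root:
        hmi = Path(root, "hmi")
        hmi.mkdir()
        (hmi / "config.ini").write_text("[plc]\naddress=10.0.0.5\n")
        (hmi / "hmi.exe").write_bytes(b"\x4d\x5a original binary")
        (hmi / "readme.txt").write_text("operator notes\n")
        baseline = build_baseline(root)

        # Simulate tampering after the baseline: one file patched, one dropped, one planted.
        (hmi / "hmi.exe").write_bytes(b"\x4d\x5a trojanised binary")
        (hmi / "readme.txt").unlink()
        (hmi / "evil.dll").write_bytes(b"\x4d\x5a implant")
        return compare_with_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production the baseline must be stored where the monitored host cannot rewrite it (a read-only share or a separate logging host), and it has to be refreshed after every approved patch cycle, otherwise legitimate updates drown the alerts.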
43. Hacking on Operator workstation
Scenario #1.3 Password Sniffing
[Diagram: the attacker sniffs the operator's password on the network between the Operator Workstation and the HMI Web & DB Server. Path: PLC <-> HMI Web & DB Server <-> Operator Workstation <-> Operator]
44. Hacking on Operator workstation
Summary Scenario #1.3 Password Sniffing
Required conditions:
Web-based HMI
Operator sends the login password over HTTP
Consequences:
Password is known to the attacker
Attacker can log in to the web-based HMI
Remediation:
Use HTTPS instead of HTTP
Consider a detection measure
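To make the "detection measure" concrete, here is an added example (not from the presentation) of what a sniffer on the control network actually recovers from a plain-HTTP HMI login, written as a small detector you could run over captured request payloads. The two captured requests are constructed for the example; the host name, URL paths and form field names are assumptions.

```python
# Added example (not the presentation's code): extract cleartext credentials from raw
# HTTP requests, as a sniffer on the control network would. The captures below are
# constructed; host, paths and field names are assumptions.
import base64
from urllib.parse import parse_qs

# Field names commonly used by login forms (assumption; extend for your HMI product).
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}
USER_FIELDS = {"username", "user", "login", "uid"}

# Constructed capture 1: operator logs in to the web HMI through an HTML form over HTTP.
SAMPLE_FORM_LOGIN = (
    b"POST /hmi/login HTTP/1.1\r\n"
    b"Host: hmi.plant.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 35\r\n"
    b"\r\n"
    b"username=operator&password=Welcome1"
)

# Constructed capture 2: the same credential sent as HTTP Basic auth (base64, not encryption).
SAMPLE_BASIC_AUTH = (
    b"GET /hmi/status HTTP/1.1\r\n"
    b"Host: hmi.plant.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"operator:Welcome1") + b"\r\n"
    b"\r\n"
)

# Constructed capture 3: an ordinary request with nothing sensitive in it.
SAMPLE_NO_CREDS = b"GET /hmi/ HTTP/1.1\r\nHost: hmi.plant.example\r\n\r\n"


def extract_cleartext_credentials(raw: bytes) -> list:
    """Return one finding per credential visible in a raw HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    findings = []

    # Basic auth: the password is only base64-encoded, so it is as good as cleartext.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
            findings.append({"kind": "basic-auth", "username": user, "password": pw})
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header, not a credential

    # Form login: look for a password-like field in a URL-encoded body.
    ctype = headers.get("content-type", "").lower()
    if ctype.startswith("application/x-www-form-urlencoded") and body:
        form = parse_qs(body.decode("latin-1"))
        user = next((form[k][0] for k in form if k.lower() in USER_FIELDS), None)
        for k in form:
            if k.lower() in PASSWORD_FIELDS:
                findings.append({"kind": "form", "username": user, "password": form[k][0]})

    return findings


if __name__ == "__main__":
    for capture in (SAMPLE_FORM_LOGIN, SAMPLE_BASIC_AUTH, SAMPLE_NO_CREDS):
        print(extract_cleartext_credentials(capture))
```

Run this against the same login over HTTPS and the parser sees only a TLS record, which is the whole point of the remediation. As a detection measure, feeding it the payloads a network tap collects on port 80 of the HMI server and alerting on any non-empty result tells you which operators are still logging in over HTTP, without storing the recovered passwords.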
45. Hacking on Operator workstation
Scenario #1.4 Remember password
[Diagram: the attacker plugs a U3 USB thumb drive into the Operator Workstation and dumps the "remember password" credentials. Path: PLC <-> HMI Web & DB Server <-> Operator Workstation <-> Operator]
46. Hacking on Operator workstation
Summary Scenario #1.4 Remember password
Required conditions:
Physical access to the system
Autorun enabled
Consequence:
Password is stolen
Remediation:
Limit physical access to the system
Disable Autorun (all drives)
Don't use the remember-password feature
47. Hacking on HMI Web & DB server
Scenario #2 SQL Injection
[Diagram: injection flaw on the HMI Web & DB Server; through SQL injection the attacker can insert, update and delete rows, modify data in a table or delete the table. Path: PLC <-> HMI Web & DB Server <-> Operator Workstation <-> Operator]
48. Hacking on HMI Web & DB Server
Summary Scenario #2 SQL Injection
Required conditions:
Web-based HMI
SQL injection flaw
Consequence:
Direct database manipulation
Remediation:
Input validation (and parameterized queries)
Web application security assessment
Web Application Firewall (WAF)
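The injection flaw of Scenario #2, shown in working code as an added example that is not the presentation's: a toy web-HMI "tags" table where the operator screen updates a setpoint by tag name. The vulnerable path pastes the tag name into the WHERE clause, so a crafted name rewrites every setpoint in the table; the fixed paths bind it as a parameter and validate it first. The table, tag names and the in-memory SQLite database are constructed for the example.

```python
# Added example (not the presentation's code): the injection flaw from Scenario #2 on a
# toy web-HMI "tags" table, beside the parameterized and validated versions. Table and
# tag names are made up; the database is in-memory SQLite so it runs anywhere.
import re
import sqlite3

# Allowlist for tag names: what a PLC tag is allowed to look like in this toy HMI (assumption).
TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")


def make_hmi_db() -> sqlite3.Connection:
    """Constructed sample data: three setpoints the operator screen can edit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, setpoint REAL NOT NULL)")
    conn.executemany(
        "INSERT INTO tags VALUES (?, ?)",
        [("pump1_speed", 50.0), ("valve3_open", 1.0), ("tank_level_hi", 80.0)],
    )
    conn.commit()
    return conn


def set_setpoint_vulnerable(conn, tag: str, value: float) -> int:
    """The flaw: the tag name is pasted into the WHERE clause as a string."""
    sql = f"UPDATE tags SET setpoint = {float(value)} WHERE name = '{tag}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows changed; a correct update touches 0 or 1


def set_setpoint_parameterized(conn, tag: str, value: float) -> int:
    """Fix 1: bind the tag as a parameter, so quotes inside it are data, not SQL."""
    cur = conn.execute("UPDATE tags SET setpoint = ? WHERE name = ?", (float(value), tag))
    conn.commit()
    return cur.rowcount


def set_setpoint_hardened(conn, tag: str, value: float) -> int:
    """Fix 2: input validation in front of the parameterized query (defense in depth)."""
    if not TAG_NAME.fullmatch(tag):
        raise ValueError(f"rejected tag name: {tag!r}")
    return set_setpoint_parameterized(conn, tag, value)


def setpoints(conn) -> dict:
    """Current table contents, for checking what the update actually did."""
    return dict(conn.execute("SELECT name, setpoint FROM tags ORDER BY name"))


def demo() -> dict:
    """Run the same injected tag name through all three paths and report rows changed."""
    injected = "x' OR '1'='1"  # closes the quote and makes the WHERE clause always true

    vuln = make_hmi_db()
    vuln_rows = set_setpoint_vulnerable(vuln, injected, 0)  # zeroes every setpoint

    param = make_hmi_db()
    param_rows = set_setpoint_parameterized(param, injected, 0)  # no tag has that name

    hardened = make_hmi_db()
    try:
        set_setpoint_hardened(hardened, injected, 0)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_rows_changed": vuln_rows,
        "vulnerable_setpoints": setpoints(vuln),
        "parameterized_rows_changed": param_rows,
        "hardened_rejected": rejected,
        "hardened_setpoints": setpoints(hardened),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Parameterized queries are the fix; the allowlist in front of them is the "input validation" on the slide and also gives you a clean place to log rejected input, which is the signal a WAF or assessment would otherwise have to infer from traffic.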
49. Hacking on PLC
Scenario #3 Direct PLC Manipulation
[Diagram: port 2222/TCP open on the PLC; the attacker takes control of the PLC, modifies PLC data, controls valves/pumps, changes PLC mode (system halt) and disrupts PLC operation. Path: PLC <-> HMI Web & DB Server <-> Operator Workstation <-> Operator]
50. Hacking on PLC
Summary Scenario #3 Direct PLC Manipulation
Required conditions:
Port 2222/TCP is open (Allen-Bradley)
No authentication
PLC is network-routable from the attacker's segment
Consequence:
Access to the PLC's data table
Remediation:
Enable authentication where possible
Routing control / network isolation (verify that it actually blocks the port)
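"Verify" is the operative word in the last remediation: a firewall rule or VLAN that is believed to isolate the PLC is only as good as a test from the wrong side of it. The following is an added example, not the presentation's code, of that check: probe 2222/TCP on each PLC address from the office LAN or DMZ and report which ones complete a TCP handshake. Any host that answers is reachable by exactly the unauthenticated path the scenario describes. The PLC addresses are placeholders; demo() uses a local listener as a stand-in for a PLC so the block runs offline.

```python
# Added example (not the presentation's code): verify from a given network segment whether
# a PLC's unauthenticated service port is reachable. Run it from the office LAN or DMZ; if
# 2222/TCP answers, the routing control / network isolation is not doing its job.
# PLC addresses are placeholders; demo() uses a local listener as a stand-in for a PLC.
import socket
from concurrent.futures import ThreadPoolExecutor

PLC_PORT = 2222  # Allen-Bradley port named on the slide; other vendors use other ports


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; refused, filtered and timed out all count as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(targets, port: int = PLC_PORT, timeout: float = 2.0) -> dict:
    """Probe each host in parallel; returns {host: reachable}."""
    targets = list(targets)
    with ThreadPoolExecutor(max_workers=16) as pool:
        flags = list(pool.map(lambda h: tcp_reachable(h, port, timeout), targets))
    return dict(zip(targets, flags))


def demo() -> dict:
    """Constructed stand-in: one listening local port (a 'PLC') and one closed local port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more, so connects are refused

    try:
        return {
            "listening_port_reachable": check_isolation(["127.0.0.1"], port=open_port, timeout=1.0)["127.0.0.1"],
            "closed_port_reachable": tcp_reachable("127.0.0.1", closed_port, timeout=1.0),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    # Placeholder PLC addresses; replace with the real inventory and run from outside
    # the control network. Every True line is a finding.
    for host, reachable in check_isolation(["10.0.0.5", "10.0.0.6"]).items():
        print(f"{host}:{PLC_PORT} reachable={reachable}")
```

Keep the timeout short and the worker count modest: a full TCP connect is enough to prove reachability, and nothing should be sent after the handshake, because some PLC firmware handles unexpected traffic on this port poorly.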
51. Summary
• Done so far
– Helped raise awareness
– Informal gathering of industry leaders
– Some laws and regulations issued
• Future
– Many things are lined up
– Government is to work closely with industry
– Collaboration and community across countries shall be considered
– It will be a long journey