Friday 26 September 2014

SecureSingapore - an (ISC)2 event

I was privileged to be invited to speak at SecureSingapore yesterday, an event held right after GovWare. This was my first time giving a full presentation at a Singapore-based conference. Previously, when I presented at ABS-FITA and WebSense (both in Singapore), I was doing the technical demo, but this time I had a whole hour to speak. My speaking experience from conferences in India, the UAE and the US gave me the confidence to speak at this one.

The topic of my talk. Unlike at Defcon Kerala and The Hackers Conference in India and BSidesLV in Vegas, I needed to make sure that my talk covered more of a holistic view of SCADA and Critical Infrastructure and less of the low-level technical side.

I had a great time presenting to a room full of CISSP-certified professionals and security practitioners. I was also delighted to get some laughs and responses from the crowd. One of the things I did was to demonstrate the way Stuxnet works, and I got three volunteers from the crowd to assist me in illustrating it.

At the end of my talk, I had a chance to meet and greet people from industries such as banking and product vendors. One of them was the President of ISC2 Singapore himself! This was a new experience for me and I certainly thank BT and ISC2 for giving me the privilege of sharing my knowledge with the industry experts.

And what better way to be given the thumbs up than to receive such honest feedback from one of the audience.

Singapore Governmentware 2014

I attended Govware recently, which was held at the Suntec City Convention Center on 23-25 September.

There were a lot of great talks, but of course don't expect the kind of technical talks you get at Defcon or BSides, as these were focused more on decision makers as well as C- and S-level people, covering the latest emerging technologies that would assist them in protecting their organizations.

And since I have this interest in Critical Infrastructure and SCADA, I attended the following tracks, which provided a holistic view of the Critical Infrastructure issues and how the vendors' products or services can assist organizations.

One of the things I liked about Govware was the Cyber Challenge CTF event, which allows students and hacking enthusiasts to participate and test their hacking skills. As a past CTF participant myself, I know the pressure and the fun involved in such events. Whoever the winner is will definitely have something to brag about!

And of course, the many vendor and product booths. Some showed awesome demonstrations, some provided free T-shirts, stickers and USB sticks!

And yeah, that's me taking a selfie at Govware! ;)

Saturday 20 September 2014

Vulnerability Assessment on SCADA Networks - A Guide

Recently, I wrote an article on how to perform a Vulnerability Assessment on SCADA networks, which was published on Hakin9.org. This time I am taking the opportunity to describe the methodology and processes in detail.

Tools Used:
1) Ping Utility
2) Nmap
3) Wireshark
4) Nessus
5) Metasploit

The tools listed above are recommended by several credible sources that deal with SCADA systems and infrastructure, including:

1) SCADA Hacker: http://scadahacker.com/tools.html
2) Idaho National Laboratory: http://www.inl.gov/scada/publications/d/cyber_assessment_methods_for_scada_security.pdf
3) Tenable Security: http://www.tenable.com/sites/drupal.dmz.tenablesecurity.com/files/uploads/documents/whitepapers/SCADA%20Network%20Security%20Monitoring.pdf
4) Digital Bond: http://www.digitalbond.com/tools/the-rack/nessus/
5) US Department of Energy: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/Introduction_to_SCADA_Security_for_Managers_and_Operators.pdf

Compliance - The Need for Vulnerability Assessment
NERC CIP 005-3 (Requirement R4) specifically states the following:
Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. 
The vulnerability assessment shall include, at a minimum, the following:
R4.1. A document identifying the vulnerability assessment process;
R4.2. A review to verify that only ports and services required for operations at these access points are enabled;
R4.3. The discovery of all access points to the Electronic Security Perimeter;
R4.4. A review of controls for default accounts, passwords, and network management community strings;
R4.5. Documentation of the results of the assessment, the action plan to remediate or mitigate vulnerabilities identified in the assessment, and the execution status of that action plan.

NERC CIP 007-3 (Requirement R8) specifically states the following:
Cyber Vulnerability Assessment — The Responsible Entity shall perform a cyber vulnerability
assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. The
vulnerability assessment shall include, at a minimum, the following:
R8.1. A document identifying the vulnerability assessment process;
R8.2. A review to verify that only ports and services required for operation of the Cyber
Assets within the Electronic Security Perimeter are enabled;
R8.3. A review of controls for default accounts; and,
R8.4. Documentation of the results of the assessment, the action plan to remediate or
mitigate vulnerabilities identified in the assessment, and the execution status of that
action plan.

NERC CIP 005-3: http://www.nerc.com/files/cip-005-3.pdf
NERC CIP 007-3: http://www.nerc.com/files/cip-007-3.pdf


The Methodology
From the experience I gathered doing assessments on SCADA networks and systems, I came up with the methodology below.


Information Gathering stage
The information gathering stage is the first and the most important stage in this methodology. Failing to perform it and collect the necessary information will cause problems in the later stages. In this stage, we need to collect the following information:

1) The network device information, such as the IP addresses of routers, switches, firewalls, IPS/IDS, honeypots, printers and any other device connected to the SCADA network.

2) The computer systems: IP addresses, hostnames, operating system type, the services running on the systems and the hardware specifications.

Challenge experienced
As SCADA has been around since the 60s, one of the problems I faced was the fact that there was little or no documentation of what the system owners had. And when they did have it, it was vague, such as only the hostnames with no IP addresses tied to them. And since servers and workstations were all connected to a single network, it was hard to determine which was which.

How I did it
Being provided only the IP ranges, I had to use Nmap to scan them. Take note that at this stage only the Nmap ping sweep option is run, not the service/OS scans, since we do not yet know what systems are there or what the consequences of running a service/OS scan would be.

Once I had the IP addresses found by the ping sweep, I checked with the system owners to see if they could determine which were workstations, servers, network devices, etc. In my case, the system owners could not identify which was which, hence I had to perform an OS scan to determine the OS of the devices on the network.

Once I had collected the OS information, the next step was to put it into a spreadsheet and categorise it as IP | Hostname | OS. With this, I could safely determine which were servers, workstations and network devices.

Take Note
Always, always remember to save all this information in a spreadsheet.

Grouping stage
This is where my Excel spreadsheet came into play. After determining IP | Hostname | OS, I placed all systems with the same OS into their own tab or column: all the Windows XP systems in one column, the Windows NT 4.0 systems in another, then Windows Server 2000, 2003, Cisco switches, etc., each in its own column.

Once separated, I showed this to the system owners to determine which were the active servers and which were the passive (standby) ones. This is needed later in the scanning phase. After determining these, I started to use Nessus to scan for open ports and services, beginning with a handful of workstations first, followed by the rest of the workstations, then the passive servers and finally the active servers. Remember, at this stage the vulnerability scans have not started yet; I only performed scans for open ports and services.

Once again, remember to save all this information.
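As an added example (not code from the original post), here is a small Python script that turns Nmap's XML output into the IP | Hostname | OS sheet and groups the hosts into the per-OS tabs described above, which later become the per-OS Nessus policies. The workflow it assumes is `nmap -sn <range> -oX sweep.xml` for the ping sweep (`-sn` is Nmap's ping-sweep option, formerly `-sP`) and then, only after the owners have signed off, `nmap -O --osscan-limit -iL alive.txt -oX os.xml` for OS detection (`-O` sends unusual probes, so it is never part of the first pass). The XML embedded in the script is constructed, and the group names and the 'UNKNOWN' convention for unfingerprinted hosts are my choices, not the author's.

```python
"""Build the IP | Hostname | OS inventory from Nmap XML and group it by OS.

Workflow this parses (against the ranges the system owners give you):
    nmap -sn 10.0.0.0/24 -oX sweep.xml                 # ping sweep only, first pass
    nmap -O --osscan-limit -iL alive.txt -oX os.xml    # OS detection, after sign-off
"""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed Nmap XML standing in for os.xml; the addresses, hostnames and OS
# matches are made up for this example.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -O -oX os.xml -iL alive.txt">
  <host><status state="up"/><address addr="10.0.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="HMI-01" type="PTR"/></hostnames>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="98"/></os></host>
  <host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
    <hostnames><hostname name="HMI-02" type="PTR"/></hostnames>
    <os><osmatch name="Microsoft Windows XP SP3" accuracy="96"/></os></host>
  <host><status state="up"/><address addr="10.0.0.20" addrtype="ipv4"/>
    <hostnames><hostname name="HIST-01" type="PTR"/></hostnames>
    <os><osmatch name="Microsoft Windows NT 4.0 SP6a" accuracy="90"/></os></host>
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames/>
    <os><osmatch name="Cisco IOS 12.X" accuracy="95"/></os></host>
  <host><status state="up"/><address addr="10.0.0.30" addrtype="ipv4"/>
    <hostnames/>
    <os/></host>
  <host><status state="down"/><address addr="10.0.0.31" addrtype="ipv4"/></host>
</nmaprun>
"""

# Substring to look for in Nmap's OS match -> spreadsheet tab / Nessus policy name
# (the SCADA-<OS> naming the guide uses). Order matters: the first hit wins.
OS_GROUPS = [
    ("Windows NT 4", "SCADA-WinNT"),
    ("Windows 2000", "SCADA-Win2K"),
    ("Windows XP", "SCADA-WinXP"),
    ("Windows Server 2003", "SCADA-Win2K3"),
    ("Windows 7", "SCADA-Win7"),
    ("Cisco", "SCADA-CiscoSwitches"),
]
UNCLASSIFIED = "SCADA-Unclassified"   # goes back to the owners for a manual decision


def parse_inventory(xml_text):
    """Return [(ip, hostname, os)] for every host Nmap reports as up.

    Keeps only the highest-accuracy <osmatch>; hosts with no fingerprint get
    'UNKNOWN' rather than a guess, so nothing is scanned under the wrong policy.
    """
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                       # -sn already dropped these, but be safe
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        matches = list(host.iter("osmatch"))
        if matches:
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            os_name = best.get("name", "UNKNOWN")
        else:
            os_name = "UNKNOWN"
        rows.append((addr.get("addr"), hostname, os_name))
    return rows


def group_by_os(rows):
    """Map policy/tab name -> list of (ip, hostname, os) rows."""
    groups = defaultdict(list)
    for ip, hostname, os_name in rows:
        tab = UNCLASSIFIED
        for needle, name in OS_GROUPS:
            if needle.lower() in os_name.lower():
                tab = name
                break
        groups[tab].append((ip, hostname, os_name))
    return dict(groups)


def to_csv(rows):
    """The 'IP | Hostname | OS' sheet as CSV text (open it in Excel/LibreOffice)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["IP", "Hostname", "OS"])
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_NMAP_XML)
    print(to_csv(inventory))
    for tab, members in sorted(group_by_os(inventory).items()):
        print(tab, [ip for ip, _, _ in members])
```

Run it against your own os.xml by reading the file into `parse_inventory`; anything that lands in the unclassified tab (no fingerprint, or an OS not in the table) is exactly the list to take back to the system owners before any service or vulnerability scan touches it.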

Policy and Plugins stage
Now that we have determined IP | Hostname | OS | Open Ports | Services, it is time to sit down with the system owners and find out more about the systems/servers. Take a couple of minutes at each workstation to go through Add/Remove Programs and determine what software/applications are installed. This is needed in order to customise the Nessus policy and plugin selection. For example, check whether a database is installed and, if so, which product and which version. The aim is to eliminate the unwanted plugins and retain only the necessary ones.

Take Note
Never ever use the Nessus default settings when performing a VA scan. By default, Nessus will use a lot of bandwidth and an unlimited number of simultaneous TCP connections to a host, and on fragile hosts this can cause denial-of-service conditions such as system reboots, blue screens and application hangs.

The Nessus scan default settings: note the 'Unlimited' connections, which need to be throttled. In my case, the following settings were used:
Max Hosts per Scan: 5
Max Simultaneous TCP Sessions Per Host: 15
Max Simultaneous TCP Sessions Per Scan: 5

*The above settings were used for Windows XP and Windows 7 hosts. For anything older, such as Windows NT 4.0, the following settings were used:
Max Simultaneous TCP Sessions Per Host: 5
Max Simultaneous TCP Sessions Per Scan: 1


Now that the default performance settings have been edited, I also need to change the plugins. Again, by default all plugins are selected. This may cause an old system like Windows NT 4.0 to crash, as it cannot handle the load from the scanner. Hence, in the plugin section, select only what is necessary. For example, if it is a Windows host, uncheck the Linux-related plugin families, and if the Windows system is using an MS SQL database, uncheck the Oracle and MySQL plugins.

Also, create an individual customised scanning policy for each group of devices. If they are Windows XP workstations, place them in a policy, which I called 'SCADA-WinXP', followed by 'SCADA-WinNT', 'SCADA-Win2K-Passive' and 'SCADA-CiscoSwitches'; you get the point.

Take Note
The fewer and more specific the plugins you select, the smoother and less intrusive the scans will be.

The Scanning stage
Now that we have customised the policies, it is time to scan. Always scan the backup or passive systems first to see what the outcome is. A good approach is to scan hosts individually (provided you have the time). What is important is to ensure there is little or no downtime during the scan. This is where the ping utility and Wireshark come in. By continuously pinging what you scan, you can monitor whether the system is still alive and responding. And in the unfortunate case that a system goes down, you can quickly pause the scan and use Wireshark to analyse which traffic caused the issue.


Take Note
Certain systems, no matter how much I throttled the settings, would still hang the application when I scanned them. I realised that this happened on Windows NT 4 and older systems running on old, unsupported hardware; in my case, they were running on a 5 GB hard disk with 64-256 MB of RAM. So what I did at the time was to determine how many NT 4 and older systems there were. I then informed the system owners that these systems would definitely hang during scanning. Once acknowledged, scan one system at a time. When the scan is completed, physically check whether the application has hung; if it has, reboot, log in and ensure that the system is operational before moving on to the next system.
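The ping-and-pause loop described in this stage, as an added example that is not part of the original post. It pings every host in the current Nessus target list and raises an alarm after three consecutive missed replies, which is the cue to pause the scan and open Wireshark; a single reply resets the counter, so one dropped packet on a busy link is not mistaken for a crashed HMI. The `ping` flags assume Linux iputils or Windows ping, the scripted probe and the demo addresses are constructed so the script can be run without a network, and the alarm callback is where you would hook the pause (the Nessus pause button or its API; the script deliberately does not assume a particular API).

```python
"""Ping watchdog for a running scan: raise the alarm the moment a target stops
answering, so the scan can be paused and Wireshark consulted before the next host."""
import platform
import subprocess
import time


def icmp_probe(ip, timeout_s=1):
    """One ICMP echo via the system ping; True if the host answered.

    Assumes iputils ping on Linux (-c count, -W seconds) or Windows ping
    (-n count, -w milliseconds); adjust the flags for other platforms.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), ip]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), ip]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
    except (subprocess.TimeoutExpired, OSError):
        return False
    return done.returncode == 0


class ScanWatchdog:
    """Counts consecutive missed replies per host and fires on_host_down once the
    threshold is reached. One reply resets the count, so a single lost packet on a
    busy link is not mistaken for a crashed HMI."""

    def __init__(self, hosts, probe=icmp_probe, misses_before_alarm=3, on_host_down=None):
        self.hosts = list(hosts)
        self.probe = probe
        self.threshold = misses_before_alarm
        self.on_host_down = on_host_down or (lambda ip: None)
        self.misses = {ip: 0 for ip in self.hosts}
        self.down = []          # hosts already reported, in the order they failed
        self.rounds = 0

    def poll(self):
        """One probe round; returns the hosts newly declared down in this round."""
        self.rounds += 1
        newly_down = []
        for ip in self.hosts:
            if ip in self.down:
                continue
            if self.probe(ip):
                self.misses[ip] = 0
                continue
            self.misses[ip] += 1
            if self.misses[ip] >= self.threshold:
                self.down.append(ip)
                newly_down.append(ip)
                self.on_host_down(ip)
        return newly_down

    def run(self, interval_s=2.0, max_rounds=None):
        """Poll until a host goes down (or max_rounds is hit); returns the down list.
        Stopping on the first failure is deliberate: pause Nessus, capture, then decide."""
        while max_rounds is None or self.rounds < max_rounds:
            if self.poll():
                break
            time.sleep(interval_s)
        return list(self.down)


def scripted_probe(script):
    """Dry-run probe: script maps ip -> list of replies per round (last value repeats).
    Lets the watchdog be exercised without touching the network."""
    calls = {ip: 0 for ip in script}

    def probe(ip):
        seq = script[ip]
        i = calls[ip]
        calls[ip] += 1
        return seq[min(i, len(seq) - 1)]
    return probe


if __name__ == "__main__":
    # Real use: ScanWatchdog(targets).run() with the hosts from the Nessus target list.
    # Here a scripted probe stands in for ICMP so the run is reproducible offline.
    demo = {"10.0.0.10": [True], "10.0.0.20": [True, False, True, False, False, False]}
    wd = ScanWatchdog(demo, probe=scripted_probe(demo),
                      on_host_down=lambda ip: print(f"ALERT {ip}: 3 missed replies, pause the scan"))
    print("down:", wd.run(interval_s=0, max_rounds=20))
```

Start it in a second terminal before you press Scan, with the same target list, and keep the probe interval shorter than the time a hung host takes to miss its next poll from the control system; the watchdog stops on the first alarm on purpose, so that the next host is not touched until the one that went quiet has been looked at and, where needed, rebooted.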

The Validation stage
When the vulnerability scans are done, it is time to validate the findings. My recommendation is to validate those that can be validated WITHOUT exploitation. This is very important, as we do not know the consequences of exploiting a vulnerability on live production systems. Even where we cannot validate a finding, it is still our ethical duty to report it. For certain critical vulnerabilities like MS08-067, we can use the Metasploit module's 'check' command to determine whether the vulnerability really exists without exploiting it. However, certain vulnerabilities like MS09-050 cannot be validated without exploitation, and while exploiting MS09-050 can succeed, some have experienced the system rebooting; hence be extra careful when validating a vulnerability through exploitation.
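An added example (not from the original post) of the triage rule in this stage: read the Nessus CSV export, keep the High and Critical findings, and split them into those that can be confirmed with a Metasploit module's `check` (MS08-067 via `exploit/windows/smb/ms08_067_netapi`, whose `check` fingerprints the host without sending the exploit) and those that go into the report unvalidated because confirming them means exploiting (MS09-050). The output is an msfconsole resource script that only ever issues `check`, never `exploit`. The CSV content, hosts and plugin IDs are constructed; the header row is the default column layout of the Nessus CSV report, and the rule table is my encoding of the author's advice, to be extended per engagement.

```python
"""Triage Nessus findings into what can be validated safely on a live SCADA host.

Reads the CSV export Nessus produces, keeps the High/Critical findings and sorts
them into: validate with a Metasploit `check` (no exploitation), or report
unvalidated because the only way to confirm is to exploit."""
import csv
import io

# Constructed Nessus CSV export in the default report column layout; hosts,
# plugin IDs and texts are made up for this example.
SAMPLE_NESSUS_CSV = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution,See Also,Plugin Output
34477,CVE-2008-4250,10.0,Critical,10.0.0.10,tcp,445,MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check),syn,desc,sol,,
42106,CVE-2009-3103,10.0,Critical,10.0.0.11,tcp,445,MS09-050: Microsoft Windows SMB2 _Smb2ValidateProviderCallback() Vulnerability (975517) (uncredentialed check),syn,desc,sol,,
10114,CVE-1999-0524,0.0,None,10.0.0.20,icmp,0,ICMP Timestamp Request Remote Date Disclosure,syn,desc,sol,,
"""

# Finding-name prefix -> (validation method, Metasploit module). The policy is the
# guide's: MS08-067 has a `check`, MS09-050 cannot be confirmed without exploitation
# and has been seen to reboot targets, so it is reported as found and left alone.
VALIDATION_RULES = {
    "MS08-067": ("msf_check", "exploit/windows/smb/ms08_067_netapi"),
    "MS09-050": ("report_only", None),
}
RISKS_TO_VALIDATE = ("Critical", "High")


def triage(csv_text):
    """Return {"msf_check": [...], "report_only": [...], "no_rule": [...]}; each entry
    is a dict with host, port, name and module. Findings without a rule are also
    reported unvalidated; they are listed separately so the tester decides."""
    plan = {"msf_check": [], "report_only": [], "no_rule": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Risk"] not in RISKS_TO_VALIDATE:
            continue
        method, module = "no_rule", None
        for prefix, (m, mod) in VALIDATION_RULES.items():
            if row["Name"].startswith(prefix):
                method, module = m, mod
                break
        plan[method].append({"host": row["Host"], "port": row["Port"],
                             "name": row["Name"], "module": module})
    return plan


def msf_check_script(entries):
    """msfconsole resource script that runs each module's `check` and nothing else
    (run with: msfconsole -q -r validate.rc). No `exploit`/`run` line is ever emitted."""
    lines = []
    for e in entries:
        lines += [f"use {e['module']}", f"set RHOST {e['host']}",
                  f"set RPORT {e['port']}", "check"]
    lines.append("exit")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = triage(SAMPLE_NESSUS_CSV)
    print(msf_check_script(plan["msf_check"]))
    for e in plan["report_only"]:
        print("report unvalidated:", e["host"], e["name"].split(":")[0])
```

Only add a module to the `msf_check` side of the table after reading its `check` method: some modules answer `check` by fingerprinting a banner, which is harmless, while others send the first stage of the exploit, which on a fragile HMI is no different from exploiting it.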


Manual Assessment
So far I have shown how to use automated tools like Nmap and Nessus to perform the assessment. However, during the course of this, downtime occurred at times because ancient hardware and unsupported operating systems could not handle the scans. Hence, there are ways to perform the information gathering manually.

Below is the document by NIST that provides suggestions on how you can get it done manually. I recommend this approach only for environments where the systems and hardware are more than 10 years old.

Risks, Risks, Risks!!!!
So what are the risks involved in performing vulnerability assessments and/or penetration testing? As SCADA systems are sensitive, unexpected consequences can sometimes occur. Take for example the 'Unintentional Internal Security Consequences' below, taken from the NIST SP 800-82 document.


Hence, to prevent such accidents from happening, always gather as much information as you can before deciding which approach to use (manual or automated).

TIPS
Digital Bond has a project (Bandolier) that greatly helps to perform a Nessus scan that checks compliance against NERC CIP 007-3. You can refer to the following links:
1) https://www.digitalbond.com/tools/bandolier/downloads/
2) https://www.digitalbond.com/wp-content/uploads/2012/04/cip007r8v1.2.zip

You can read more about how it assists in complying with NERC CIP 007-3 here:
1) http://www.digitalbond.com/tools/bandolier/nerc-cip-scan-policies/

Take Note
However, do review the plugins selected by this customised policy. This scanning policy is written specifically for NERC CIP 007-3 compliance and is good, but I need to mention that it is a baseline that checks only what is necessary to comply with CIP 007-3; it does not include the additional plugins that check for other application and OS vulnerabilities. You may need to select additional plugins to fulfil your VA requirements, and Digital Bond's NERC CIP 007 Nessus policy is a good baseline to start from.

Tuesday 2 September 2014

The Hackers Conference - Where Professionals and Hackers Meet

I had the privilege of having my paper accepted and being invited to speak at The Hackers Conference in New Delhi, India. This is my second time speaking at a security conference in Incredible India. The first time was at Kerala.

What I found fascinating was how professionally the conference was organised and conducted. The keynote speakers were interesting, especially when politicians were involved and spoke about how the Indian government is making an effort to work together with the brilliant security enthusiasts of India on developing the country's cyber security framework. Personally, I feel that with the increasing number of Indians in cyber security, and with the nation's bright students and education shifting gear from just programming and application development into creating cyber security applications, tools, policies and frameworks, India will be one of the top leading nations in cyber security in 10-20 years' time.

The Banner from its website

I also had the privilege of meeting security professionals who have been on the security community scene globally. One of them was Rahul Sasi, a speaker and hacker who has spoken at most of the top-notch conferences worldwide, and the other was Mohit Kumar, the author and webmaster of The Hacker News website.

Me with Mohit Kumar

Me with Rahul Sasi

The topics were interesting, ranging from general security to deeply technical talks. I enjoyed most of the talks, and it was great to see students showcasing their research into 'breaking' stuff. Despite not being able to catch some of the speakers' words, as English was not their primary language, I still had a great time listening and viewing the content of their slides. Some were too wordy and some were simply filled with pictures.

The Topics

Ultimately, it was the talks that made the conference come alive. Due to time constraints, I had to shorten my talk, hence I was not able to elaborate on and articulate some of the key slides in my presentation. Despite that, I managed to share the key points of my talk, something the audience should be able to take away.

And of course, what better way to end the day than to receive the goodies/souvenirs from the conference!

A file folder, a brochure, a cup and, for the speakers, a plaque of appreciation.

I even got myself a certificate of appreciation for attending the conference! How cool is that?! 

Everyone that made this a successful conference!