Proceedings Of The Marine

WIN 2015

Proceedings magazine is a communication tool for the Coast Guard's Marine Safety & Security Council. Each quarterly magazine focuses on a specific theme of interest to the marine industry.

Issue link: https://uscgproceedings.epubxp.com/i/436751


Page 31 of 94

29 Winter 2014 – 2015 Proceedings www.uscg.mil/proceedings

Nation-states, criminal organizations, terrorists, or other malicious actors could target seaports for smuggling, espionage, sabotage, or to cause great human and economic harm for political reasons. For example, ports often manage containers through a computerized logistics system. A hacker could disrupt the container routing and storage process, causing chaos and certainly delaying transport.

Another scenario involves a port's automated ship routing from the sea buoy to its assigned berth at the port. In this process, the shipping agent fills out a berthing request online, and the ship is assigned an arrival time and berth. This serves as a contract between the ship and port that facilitates expeditious cargo offloading and loading. If this online routing system were hacked, the port might receive hundreds of berthing requests each minute, triggering an override in the berth assignment system and bringing routing to a standstill.

Vulnerability Assessment, Penetration Testing

To mitigate these types of cyber attacks, computer analysts seek to identify vulnerabilities in the seaport's critical computer network infrastructure. For example, analysts will conduct a vulnerability assessment to identify, quantify, and prioritize security weaknesses. The assessment process involves reviewing system characteristics like assets, settings, specifications, code, and traffic. Another method is to conduct penetration testing and attempt to attack the system as a hacker would, using discovered vulnerabilities to "break" the system. Analysts gauge the significance of such breaks by the impact on three security objectives:

• confidentiality,
• integrity,
• availability.

Confidentiality is traditionally treated as the most important security goal. However, for most critical infrastructures, guaranteed availability is also essential to monitor and control sensors and equipment.[2]

The goal of each method (vulnerability assessment, penetration testing) is to find vulnerabilities hackers could exploit to gain unauthorized system access and fix them before hackers find them. The level of assessment rigor is determined by the associated risks, so it is typically combined with systematic risk analysis.

Black, White, Gray

In a penetration test, the information disclosed to the testers about the infrastructure can range from nothing about the system structure, known as black-box testing, to full disclosure (network diagrams, source code, IP addresses, and such), known as white-box testing. Any disclosure between the two extremes is gray-box testing.

Prevention and Mitigation

Zero-day exploits have thus far only been used in targeted attacks, and that will likely remain the case.[3] For websites that are not an initial attack target, the best mitigation practice is to consult publicly disclosed vulnerability lists in a timely manner, as once a vulnerability is disclosed, an invisible race between malicious hackers and security teams is on. All vulnerable components should be patched immediately; if patches are not available, security teams must analyze the exploits and explicitly block them.

Ideally, one would like to prevent zero-day exploits completely; however, this is easier said than done. Traditionally, antivirus software relies on signatures to identify malware, but zero-day exploits have no specific signatures prior to discovery. That means antivirus and other signature-based security products cannot detect them. However, malicious activities are intrinsically different from normal activities in terms of networking patterns, data packet patterns, and command usage. Analysts can use these characteristics to detect zero-day exploits via network pattern analysis. In addition, exploits typically involve a number of stages to be successful; breaking any one of those stages will stop the exploit. Therefore, it is essential that organizations take a holistic approach, carefully examining all aspects of their network infrastructure and network activities to minimize the exposed attack surface.

There are three general approaches to prevent and mitigate zero-day exploits:

• Network-centered approaches: Zero-day vulnerability exploits require distinctive patterns that are very different from normal patterns in network packets. More general rules to detect suspicious packets could detect packets trying to exploit vulnerabilities. Unfortunately, due to the unknown nature of zero-day exploits, these approaches have a higher chance of rejecting valid requests (more false positives) than methods detecting known threats via unique signatures.

• Host-centered approaches: Monitoring activities on individual servers and desktops can also identify zero-day attacks. Via application whitelisting, system
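The berthing-request flood scenario and the network-centered detection approach on this page rest on the same observation: an attacker's traffic pattern differs from the baseline, but a rule general enough to catch unknown attacks also rejects some legitimate traffic. The following Python script is an added example written for this page; it is not code from Proceedings or from any port system. It constructs a hypothetical access log for a berthing-request form (the log format, the agent addresses taken from the RFC 5737 documentation ranges, the request rates, and the thresholds are all assumptions), then compares a fixed per-minute rate rule against a per-source baseline rule and counts how many legitimate sources each rule rejects.

```python
"""Rate-pattern anomaly detection over a constructed berthing-portal access log.

Added example for this page; not code from Proceedings or from any real port.
Log format, addresses, request rates, and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

BASE = datetime(2015, 1, 12, 8, 0, 0)          # start of the constructed window
ATTACK_START = BASE + timedelta(minutes=4)     # attacker begins flooding here
ATTACKER = "203.0.113.7"                        # RFC 5737 documentation address
BULK_AGENT = "198.51.100.20"                    # legitimate but high-volume agent
ORDINARY_AGENTS = ("198.51.100.10", "198.51.100.11", "198.51.100.12")


def make_log():
    """Build constructed log lines: '<ISO timestamp> <source IP> POST /berthing/request'."""
    lines = []
    # Ordinary agents: 2 requests per minute for 10 minutes.
    for src in ORDINARY_AGENTS:
        for minute in range(10):
            for k in range(2):
                ts = BASE + timedelta(minutes=minute, seconds=20 * k)
                lines.append(f"{ts.isoformat()} {src} POST /berthing/request")
    # Bulk agent: 20 requests per minute, every minute (its normal behaviour).
    for minute in range(10):
        for k in range(20):
            ts = BASE + timedelta(minutes=minute, seconds=3 * k)
            lines.append(f"{ts.isoformat()} {BULK_AGENT} POST /berthing/request")
    # Attacker: 300 requests per minute from minute 4 to the end of the window.
    for minute in range(4, 10):
        for k in range(300):
            ts = BASE + timedelta(minutes=minute, milliseconds=200 * k)
            lines.append(f"{ts.isoformat()} {ATTACKER} POST /berthing/request")
    return lines


def parse(lines):
    """Parse log lines into (timestamp, source, method, path) tuples."""
    records = []
    for line in lines:
        ts, src, method, path = line.split()
        records.append((datetime.fromisoformat(ts), src, method, path))
    return records


def per_minute_counts(records):
    """Count requests per (source, minute bucket)."""
    counts = Counter()
    for ts, src, _method, _path in records:
        counts[(src, ts.replace(second=0, microsecond=0))] += 1
    return counts


def fixed_rule(counts, threshold):
    """Generic rule: flag any source exceeding `threshold` requests in one minute."""
    return sorted({src for (src, _m), n in counts.items() if n > threshold})


def baseline_rule(counts, learn_until, factor):
    """Pattern rule: learn each source's peak per-minute rate before `learn_until`,
    then flag a source whose later rate exceeds `factor` times its own baseline.
    A source with no learned baseline (baseline 0) is flagged on any activity."""
    baseline = {}
    for (src, minute), n in counts.items():
        if minute < learn_until:
            baseline[src] = max(baseline.get(src, 0), n)
    flagged = set()
    for (src, minute), n in counts.items():
        if minute >= learn_until and n > factor * baseline.get(src, 0):
            flagged.add(src)
    return sorted(flagged)


def evaluate(flagged, known_bad):
    """Return (true positives, false positives) for a list of flagged sources."""
    flagged = set(flagged)
    return len(flagged & known_bad), len(flagged - known_bad)


if __name__ == "__main__":
    counts = per_minute_counts(parse(make_log()))
    for threshold in (10, 50, 500):
        tp, fp = evaluate(fixed_rule(counts, threshold), {ATTACKER})
        print(f"fixed rule > {threshold}/min: {tp} true positive(s), {fp} false positive(s)")
    tp, fp = evaluate(baseline_rule(counts, ATTACK_START, 3), {ATTACKER})
    print(f"baseline rule x3: {tp} true positive(s), {fp} false positive(s)")
```

The fixed rule at a low threshold flags the high-volume but legitimate bulk agent alongside the attacker (a false positive); raising the threshold removes the false positive, and raising it far enough misses the attack altogether (a false negative). The per-source baseline rule tolerates the bulk agent because its rate is normal for that source, but it would flag any genuinely new agent that first appears after the learning window, which is the inherent cost of detecting the unknown without a signature.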
