Protecting the CNI
BCS ELITE
9 June 2005
Mick Morgan
Head of Response
Overview
• What is NISCC?
• What is the CNI?
• What is the threat?
• How does NISCC work?
• NISCC products and services
What is NISCC?
NISCC is an inter-departmental centre which
co-ordinates activity across a range of
organisations. Each organisation contributes
resources and expertise to NISCC’s programme
of work according to what value it can add.
NISCC’s aim is to minimise the risk to the
Critical National Infrastructure (CNI) from
electronic attack (eA).
An Interdepartmental Centre
Security and Civil Government organisations contributing to NISCC:
~ Police
~ MI5
~ CESG
~ Home Office
~ Trade & Industry
~ Cabinet Office
Defence:
~ MOD
~ DSTL
What is the CNI?
Those parts of the United Kingdom’s infrastructure
for which continuity is so important to national life
that loss, significant interruption or degradation of
service would have life-threatening, serious
economic or other grave social consequences for
the community, or would otherwise be of immediate
concern to the Government.
The CNI Sectors
• Telecommunications
• Energy
• Finance
• Government & Public Services
• Water and Sewerage
• Health Services
• Emergency Services
• Transport
• Hazards
• Food
The Threat
Threat actors shown on the chart: Script Kiddies, Hackers, Criminals, Activists, Terrorists, Foreign States
Chart axes: NISCC Interest; Visible Activity
Electronic attack (eA) : What is it?
“The use of computers to gain
unauthorised access to the data or
control software of computer-based
systems in order to acquire or corrupt
data or disrupt the functioning of
systems.”
January 2002
Two types of eA
Untargeted attacks: Indiscriminate attacks affecting availability & many targets
  - Examples: Worms, viruses
  - Profile: High
  - Impact: Short term high
Targeted attacks: These focus on a particular target address
  - Examples: Hacking attacks, e-mail Trojan attacks
  - Profile: Generally low
  - Impact: Can be high & long term
2005+: Emerging threat themes
1. Greater exploitation of richness of
software & speed of wired/wireless
networks
2. Growing online markets in malicious
software & stolen information
3. Impact of globalisation, e.g. data
‘offshoring’ & outsourcing of system
procurement, services & maintenance
4. Developing eA capabilities of terrorists
5. Concerns about sophisticated eAs:
Difficult to detect; may be impossible to
mitigate
Exploiting a rich environment
• Malicious code seeks to infect ‘fast & furiously’; attackers take control; victims become future ‘seeders’ …
• More data available on-line … more stealing … exploiting opportunities in feature-rich software
• Attack infrastructure development: Networks of ‘botnets’ can be easily controlled for DDoS, spam, data egress etc … 1000s of ‘zombies’ out there!
• Underpinned by growth & increased speed of broadband & mobile networks
Exploiting Broadband - Botnets
• A roBOT NETwork or ‘botnet’ is a network of compromised computers controlled by a client, a ‘botherder’, that issues commands via control or master servers
• Command & control was Internet Relay Chat (IRC) but now can be any real time protocol inc Instant Messaging (IM)
• The nodes of the ‘botnet’ (compromised PCs often called drones or zombies) are used to:
  - Compromise other computers
  - Flood targets (DDoS)
  - Propagate spam email
  - Sniffing, keylogging, mass id theft
  - Egress data …
• DIY: Much bot source code is available on the Internet
• Rent: Nets of 10-50,000+ attack zombies available …
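A defender-side illustration of the footprint this architecture leaves, added here as an example and not part of the original slides: many drones all reporting to one control server means many internal hosts opening connections to the same external address and port. The script below parses constructed flow records (timestamp, source, destination, destination port, protocol), keeps only outbound connections from private address space to IRC or IM ports, and reports any external server contacted by three or more distinct internal hosts. The sample records, the port-to-protocol table and the threshold of three hosts are assumptions made for the example; real C&C can sit on any port, so in practice the port filter would be one signal among several.

```python
"""Flag possible botnet command-and-control fan-in in connection logs.

Added example (not from the NISCC slides). Detects the 'many drones, one
master' pattern: several internal hosts connecting to the same external
server on a port associated with a real-time protocol (IRC or IM).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges treated as "inside the organisation" (assumption).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports of the real-time protocols the slides name as C&C channels.
# The mapping is an assumption for this example; real C&C may use any port.
C2_PORTS = {6667: "irc", 6697: "irc-tls", 5222: "xmpp"}

# Constructed sample flow records: timestamp src_ip dst_ip dst_port proto.
# Five internal hosts talk to 203.0.113.7:6667 (IRC); two talk to an XMPP
# server; ordinary web traffic and one inbound flow are mixed in as noise.
SAMPLE_FLOWS = """\
2005-06-09T10:00:01 10.1.2.11 203.0.113.7 6667 tcp
2005-06-09T10:00:04 10.1.2.12 203.0.113.7 6667 tcp
2005-06-09T10:00:09 10.1.2.13 203.0.113.7 6667 tcp
2005-06-09T10:00:15 10.1.2.14 203.0.113.7 6667 tcp
2005-06-09T10:00:20 10.1.2.11 198.51.100.3 80 tcp
2005-06-09T10:00:22 10.1.2.12 198.51.100.3 443 tcp
2005-06-09T10:00:30 10.1.2.15 203.0.113.7 6667 tcp
2005-06-09T10:00:31 10.1.2.16 198.51.100.9 5222 tcp
2005-06-09T10:00:35 10.1.2.17 198.51.100.9 5222 tcp
2005-06-09T10:00:40 203.0.113.7 10.1.2.11 6667 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records, skipping malformed lines."""
    flows: list[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # blank or truncated record: skip rather than abort
        ts, src, dst, dport, proto = parts
        try:
            ip_address(src)
            ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        flows.append(Flow(ts, src, dst, port, proto.lower()))
    return flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_fan_in(flows: list[Flow], min_hosts: int = 3) -> list[dict]:
    """Return external (server, port) pairs on C&C-style ports that at least
    `min_hosts` distinct internal hosts connected to, largest cluster first."""
    sources: dict[tuple[str, int], set[str]] = defaultdict(set)
    for f in flows:
        if f.dport not in C2_PORTS:
            continue
        # Only outbound connections: internal source, external destination.
        if not is_internal(f.src) or is_internal(f.dst):
            continue
        sources[(f.dst, f.dport)].add(f.src)

    hits = []
    for (dst, port), srcs in sources.items():
        if len(srcs) >= min_hosts:
            hits.append({"server": dst, "port": port, "protocol": C2_PORTS[port],
                         "hosts": len(srcs), "sources": sorted(srcs)})
    hits.sort(key=lambda h: (-h["hosts"], h["server"]))
    return hits


if __name__ == "__main__":
    for hit in find_fan_in(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['hosts']} internal hosts -> {hit['server']}:{hit['port']} "
              f"({hit['protocol']}): {', '.join(hit['sources'])}")
```

On the sample data the IRC cluster of five hosts is reported and the two-host XMPP cluster stays under the threshold; lowering `min_hosts` to 2 surfaces it as well. The inbound flow from 203.0.113.7 is ignored because its source is not internal, which is the check that keeps a busy external server from being counted against itself.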
The growing online marketplace
• ‘Goodbye kudos, hello $$££ … roubles?!’
• Exploits for £££ … not for fun!
• Markets for:
  - botnets: Just name your price & target!
  - malware: ‘zero-day’ exploits for purchase by all!
  - harvested info: CC nos, bank details, ids, passwords
  - processing time: on other people’s PCs!
• Researchers motivated to discover more vulnerabilities
• Faster ‘flash to bang’ times
Impact of globalisation
• Global market brings advantages … & risks
• Profits linked to globalisation BUT …
• Equipment purchased overseas might have additional vulnerabilities; manufacturers might be subject to political pressure
• Installation, maintenance & upgrade services provided from overseas are exploitable
• Outsourcing services & offshoring data to foreign companies brings hard to manage risks: monitoring contracts is very difficult
How NISCC works
Diagram: the Critical National Infrastructure at the centre, surrounded by NISCC’s functions: Threat Assessment (Investigation and Assessment), Outreach, Response, Research and Development, and Policy
Investigating and Assessing the Threat
• Making best use of technical, human and open
sources to investigate.
• Analysis and assessment.
• Reports and specific threat assessments.
• Disruptions.
Outreach
Promoting Protection and Assurance:
• Dialogue with all CNI sectors
• Facilitating information exchanges
• Tailored reports
Response
• Briefings and alerts via UNIRAS
• Responsible disclosure of vulnerabilities
• Assistance with recovery from direct attacks
NISCC Products
• NISCC Monthly Bulletin of significant eA activity
• NISCC Quarterly Review has broader articles on CIP issues
• NISCC Briefings address topics of current concern
• UNIRAS Alerts highlight vulnerabilities to be fixed now!
• UNIRAS Briefings inform on emerging technical issues
• UNIRAS Technical Notes provide detailed advice
• Details at www.niscc.gov.uk or www.uniras.gov.uk or e-mail enquiries@niscc.gov.uk
Outreach products
NISCC reporting:
• Threat assessments for specific CNI companies;
• UNIRAS (UK CERT) distribution to the CNI;
• Presentations to Seminars, Forums & Associations;
• WARPs, Information Exchanges;
• CNI Assurance Reports.
Illustration: cover of a sample ‘NISCC Assurance Report for National Infrastructure plc’, September 2003