ENISA Cyber Security Exercise

The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security.

Every two years, they hold a large-scale exercise called Cyber Europe.

The executive summary of the Exercise Report is reproduced below:

Cyber Europe offers to 32 different countries, Member States of the European Union (EU) and the European Free Trade Association, hereafter collectively referred to as the Member States (MS), the possibility to engage in cooperation activities at various levels with the shared objective to mitigate jointly large-scale cybersecurity incidents. The EU Standard Operational Procedures (EU-SOPs), used to support these cooperation activities, provide Member States with guidelines which they can use in the face of large-scale cybersecurity incidents.

The main goal of Cyber Europe 2014 was to train Member States to cooperate during a cyber crisis.

The exercise also aimed at providing an opportunity to Member States to test national capabilities, including the level of cybersecurity expertise and national contingency plans, involving both public and private sector organisations. In order to address the different layers of cyber crisis management, Cyber Europe 2014 was divided in three escalating phases, spread over 2014 and early 2015.

The exercise was a success, for it allowed ENISA to draw numerous lessons, recommendations and concrete actions, which will help to enhance cyber crisis preparedness in Europe. The common ability to mitigate large scale cybersecurity incidents in Europe has progressed significantly since 2010 when the first Cyber Europe exercise was organised. In particular, Cyber Europe 2014 has shown how valuable it is to share information from many different countries in real-time in order to facilitate high-level situation awareness and swift decision-making.

Nevertheless, such processes are unprecedented in real-life and hence require primarily capability development and possibly also policy guidance from both the Member States as well as the EU Institutions and Agencies. It is crucial that Member States continue to rely upon and improve multilateral cooperation mechanisms, which complement the bilateral and regional relations they have with trusted partners. The EU-SOPs, which are meant to support the former, will be further improved to better take into account the evolving cybersecurity policy context in Europe.

In addition, experience gathered throughout this exercise and the previous ones will strongly guide the development of future EU cyber cooperation instruments and exercises.

Read the full report:

https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cyber-crisis-cooperation/cce/cyber-europe/ce2014/ce2014-after-action-report

National Cyber Security Strategy Update

The Cabinet Office and National Security Secretariat released the UK National Cyber Security Strategy in 2011:

https://www.gov.uk/government/publications/cyber-security-strategy

2 years on, the Cabinet Office has published an update on the Government’s plans:

https://www.gov.uk/government/publications/national-cyber-security-strategy-2-years-on

Lockheed Martin Hackers Uncovered

Lockheed Martin have confirmed they have been the subject of yet another network intrusion attempt.

As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure. No customer, program or employee personal data has been compromised. Lockheed’s information security personnel are working around the clock to restore employee access to the “information systems network” targeted in the May 21 attack.

I have a theory about who is responsible for the network intrusion attempt on Lockheed Martin.

It’s the launch customers, press, blogosphere and almost everyone else on the planet, trying to get an accurate assessment of how much an F35 will cost!

Sorry, couldn’t resist 🙂

Have a couple of Sunday morning vids to compensate

Cyber Defence – Boots or Sandals, Sidies or Beards

The National Security Strategy categorised Cyber Attacks as being one of the most direct and likely threats the UK will face in the coming years, a Tier 1 Threat.

A recent speech from the Director General of GCHQ was notable because it was given at all; cyber defence is coming out of the shadows. However, reading the speech, there is no mention of war, battles, defences or anything remotely military.

Also notable was the Chief of the General Staff discussing the issue, calling for the setup of a UK Cyber Command:

We must learn to defend, delay, attack and manoeuvre in cyberspace, just as we might on the land, sea or air and all together at the same time. Future war will always include a cyber dimension and it could become the dominant form

Is this difference in approach, GCHQ and the military taking understandably different positions, a sign of a coming turf war for funding and control, or is it entirely natural that we should approach the issue at many levels?

When it comes to actually creating a capability to defend against cyber attack and possibly use it in our own offensive operations where should the priorities lie?

I tend to think it should be concentrated away from the military; funding is tight enough as it is, and diluting our already sparse resources to chase after cyber capabilities and follow the US fashion is a bad idea. It also fails to take into account the connectedness of modern systems; to defend in depth, one needs cooperation from a range of nations and organisations.

NATO and the EU joint capability areas would be a good place to invest, and where military expertise needs to form part of the mix, as surely it will, it should be on a secondment or joint basis.

Let’s not reduce the UK’s military capability by diverting precious funding to an area best served by those with beards and sandals (sorry about the wholly out of touch stereotype!)

Intelligence and the civilian security sector are far better placed, supported by the military, but certainly not commanded by them.

That Cyber Thing – Royal Navy Hacked

It’s bad enough for the Royal Navy that memories of matelots and their iPods are still fresh, accidentally invading Spain, the Astute being pranged by the very tug that came to rescue her, an aircraft carrier with no aircraft and the indignity of sharing ships with the bloody Frenchies, it seems the bad luck keeps stacking up.

A Romanian network security enthusiast has claimed to have compromised the Royal Navy website at http://www.royalnavy.mod.uk/

The site is currently down for maintenance with nothing but a screenshot being displayed:

http://www.flickr.com/photos/73614187@N03/6998357434/

The alleged compromise has been carried out by someone who goes by the online handle of ‘TinKode’ and claims to have used SQL injection techniques to gain access. TinKode’s blog offers this information and the Twitter feed simply links back to the original post.

==[ Author  : TinKode
==[ WebSite : InSecurity.Ro
==[ Date    : 05.11.2010
==[ Hour    : 22:55 PM
==[ Target  : www.royalnavy.mod.uk
==[ Document: Minister_Of_Defence_UK.txt
==[ Method  : SQL Injection
==[ HackTXT : http://pastebin.com/raw.php?i=M2MUEdv4

The vulnerable URL is not disclosed but the hack text link shows a list of technical information including web server type, operating system and IP address.

It also shows a list of tables, administration usernames and passwords for the Global Ops and JackSpeak sections. The JackSpeak section is a blog (highlighted in our recent post on MoD websites) that would appear to use WordPress. Lazy arse bloggers like me sometimes leave the default admin user name active, but a professionally run site would normally remove this as a day 1 page 1 security activity. Incredibly, it seems to have still been active.

The JackSpeak blog would also appear to have a user called jonathonband; wonder who that might be?

If it is Admiral Sir Jonathon Band then that would be another golden rule broken, the rule that says when the user leaves, so do their login credentials.

We shouldn’t get overheated about this; it’s most unlikely that there is a route to the launch system for Trident from the public facing website, but it’s more than a touch embarrassing!

It is also worth noting how much money we spend on MoD websites, some answers here and here

No doubt there will be much behind the scenes activity to harden every single MoD website and one must expect there to be several ‘interviews sans coffee’ on Monday morning!

H/T Galrahn at Information Dissemination

F35 Hacked! (and other creative headlines)

Last March the US Inspector General of the Department of Defence issued a report on the Security Controls in the Joint Strike Fighter programme that raised concerns on information security. The report highlighted specific concerns about the lack of visibility of records from BAE Systems, and that information may therefore have been compromised. Is the F35 hacked?

It is somewhat of a leap to say that just because you can’t see the records that security may have been breached.

Protests from BAE followed, resulting in the withdrawal of the report in October 2008, the withdrawal note stating “we determined that we did not have sufficient evidence to support the report conclusion”.

The Wall Street Journal reports today, however, that a significant amount of data has been obtained by Chinese hackers, several terabytes in fact, related to design and electronics.

Oh dear, that can’t be good.

Cue rebuttals, denials and press statements galore from officials, former officials and all manner of interested stakeholders, some playing down the issue, stating that the data was low level and the ‘good stuff’ is held on systems not connected to the internet, whilst others worry that the world is about to end because of it.

No doubt stable doors are firmly being shut as we speak but what value is the data and whodunnit?

There is no doubt that Chinese hacking is on the increase and much of it directed by the People’s Liberation Army (despite strenuous denials) and the US is not alone in feeling the heat, a breach reportedly occurring in Turkey.

In September 2007 the Guardian reported on how Chinese hackers had attacked Whitehall computer networks, successfully in some cases. Responsibility for advising government departments on how to protect their networks rests with MI5, GCHQ, and the Centre for the Protection of the National Infrastructure in the Cabinet Office.

The several recent and highly embarrassing data breaches from the UK government and its agencies (although most of them caused by bungling) have resulted in a much greater focus on information security, and the newly released Government Security Policy Framework will likely go a long way to tightening up security across the public sector, although as can be imagined the MoD uses a much higher standard than a lesser department.

Whilst the data obtained from the JSF programme might not be as valuable as that held on private networks not connected to the Internet, it still has value; it can be used to validate other information or form pieces of a wider jigsaw. Whichever way you look at it, it is a bad thing.

Over at the Worldwide War Pigs blog the author makes the excellent point that the JSF programme is one of the largest collaborative industrial programmes ever, with a myriad of sites, managed by main contractors, subcontractors and suppliers in at least 9 countries. All of these will have networks connected to the Internet.

How is it possible to maintain information security in the light of sophisticated, evolving and persistent threats in the context of a widely distributed network?

WITH A GREAT DEAL OF DIFFICULTY, THAT’S HOW

Each of these countries and suppliers will have different information security standards and capabilities. The only sensible strategy is that of a combination of perimeter and depth protection using equally sophisticated protection and detection systems, separation and vulnerability scanning. It’s a complex game of cat and mouse, each playing their own game of 3D chess.

There must be lots of overtime available in the security functions at LM, BAE, MI5, DoD and the various other interested bodies around the world.

The real question is, looking forward, is the JSF/JCA going to be compromised by information security breaches as a result of the distributed nature of the programme?