Antigoni Kruti,Usman Butt,Rejwan Bin Sulaiman

2023-09-05

Abstract:This paper of work examines the SolarWinds attack, designed on Orion Platform security incident. It analyses the persistent threats agents and potential technical attack techniques to gain unauthorized access. In 2020 SolarWinds attack indicates an initial breach disclosure on Orion Platform software by malware distribution on IT and government organizations such as Homeland Security, Microsoft and Intel associated with supply chains leaks consequences from small loopholes in security systems. Hackers increased the number of infected company and businesses networks during the supply-chain attack, hackers were capable to propagate the attack by using a VMware exploit. On the special way they started to target command injections, privilege escalations, and use after free platforms of VMware. In this way, they gained access to Virtual Machines and in the east way pivot other servers. This literature review aim to analyze the security gap regarding to SolarWinds incident on Orion Platform, the impact on industry and financial sectors involving the elements of incident response plan. Therefore, this research paper ensures specifications of proper solutions for possible defense security systems by analyzing a SolarWinds attack case study via system evaluation and monitoring. It concludes with necessary remediation actions on cyber hygiene countermeasures, common vulnerabilities and exposure analysis and solutions.

Computational Engineering, Finance, and Science,Cryptography and Security

Jeong Yang,Young Lee,Arlen P. McDonald

DOI: https://doi.org/10.1007/978-3-030-92317-4_4

2022-01-01

Abstract:A recent cybersecurity attack took place on US governments and companies utilizing a popular network performance monitoring tool, SolarWinds. The attack appears to be not only extensive but also comprehensive in the scope of the common security tools that have been breached. This attack targeted the complex software supply chain. The wave of those attacks was mainly focused on the critical departments of the U.S. government and of many other leading corporations. Even if the attackers did not actively exploit their systems, the comprehensive nature of these breaches seems to indicate that there are fundamental flaws with existing security infrastructure. This paper investigates what caused this significant attack and what solutions we might have to prevent similar attacks in the future. The paper concludes that a combined set of actions of the government and industries on better policies and technologies is needed to develop a unified strategy in each organization.

Jeferson Martínez,Javier M. Durán

DOI: https://doi.org/10.18280/ijsse.110505

2021-10-31

International Journal of Safety and Security Engineering

Abstract:Exploitation of a vulnerability that compromised the source code of the Solar Winds’ Orion system, a software that is used widely by different government and industry actors in the world for the administration and monitoring of networks; brought to the fore a type of stealth attack that has been gaining momentum: supply chain attacks. The main problem in the violation of the software supply chain is that, from 85% to 97% of the code currently used in the software development industry comes from the reuse of open source code frameworks, repositories of third-party software and APIs, creating potential vulnerabilities in the development cycle of a software product. This research analyzes the SolarWinds case study from an exploratory review of academic literature, government information, but also from the articles and reports that are published by different cybersecurity consulting firms and software providers. Then, a set of good practices is proposed such as: Zero trust, Multi-Factor authentication mechanisms (MFA), strategies such as SBOM and the recommendations of the CISA guide to defend against this type of attack. Finally, the research discusses about how to improve response times and prevention against this type of attacks, also future research related to the subject is suggested, such as the application of Machine Learning and Blockchain technologies. Additionally for risk reduction, in addition to the management and articulation of IT teams that participate in all the actors that are part of the software life cycle under a DevSecOps approach.

F. Massacci,S. Peisert,T. Jaeger

DOI: https://doi.org/10.1109/MSEC.2021.3050433

Abstract:Fabio Massacci T he SolarWinds hack is an eye-opener to the current practices of the software industry. In the “Perspectives” department in this issue, the article “The SolarWinds Incident: Perspectives From IEEE Security & Privacy’s Editorial Board Members” discusses the issue of software supply chain security. Here, I would like to discuss a point that seems to be missing, including the following observations and question:

Computer Science

Guerrino Mazzarolo,Anca Delia Jurcut

DOI: https://doi.org/10.48550/arXiv.1911.09575

2019-11-22

Abstract:Insider threats have become reality for civilian firms such as Tesla, which experienced sabotage and intellectual property theft, and Capital One, which suffered from fraud. Even greater social impact was caused by the data breach at the US Department of Defense, perpetrated by well-known attackers Chelsea Manning and Edward Snowden, whose espionage and hacktivist activities are widely known. The dramatic increase of such incidents in recent years and the incalculable damage committed by insiders must serve as a warning for all members of the cyber security community. It is no longer acceptable to continue to underestimate the problem of insider threats. Firms, organizations, institutions and governments need to lead and embrace a cultural change in their security posture. Through the adoption of an Insider Threat Program that engages all the strategic branches (including HR, Legal, Information Assurance, Cyber Security and Intelligence), coordinated by the chief information security officer and supported by c-level executive, it is possible to implement a framework that can prevent, detect, and respond to disloyal and/or unintentional insider threats. Hence, defending your enterprise from insider threats is a vital part of information security best practices. It is essential that your company highly valuable classified data and assets are protected from its greatest threat: the enemy within the gates.

Cryptography and Security,Computers and Society

Partha Das Chowdhury,Mohammad Tahaei,Awais Rashid

DOI: https://doi.org/10.48550/arXiv.2211.02341

2022-11-04

Abstract:Saltzer \& Schroeder's principles aim to bring security to the design of computer systems. We investigate SolarWinds Orion update and Log4j to unpack the intersections where observance of these principles could have mitigated the embedded vulnerabilities. The common principles that were not observed include \emph{fail safe defaults}, \emph{economy of mechanism}, \emph{complete mediation} and \emph{least privilege}. Then we explore the literature on secure software development interventions for developers to identify usable analysis tools and frameworks that can contribute towards improved observance of these principles. We focus on a system wide view of access of codes, checking access paths and aiding application developers with safe libraries along with an appropriate security task list for functionalities.

Software Engineering

Rajiv Thummala,Gregory Falco

DOI: https://doi.org/10.2514/6.2024-0268

2024-02-16

Abstract:In March of 2022, Network battalion 65 (NB65), a hacktivist affiliate of Anonymous, publicly asserted its successful breach of ROSCOSMOS's satellite imaging capabilities in response to Russia's invasion of Ukraine. NB65 disseminated a series of primary sources as substantiation, proclaiming the incapacitation of ROSCOSMOS's space-based vehicle monitoring system and doxing of related proprietary documentation. Despite the profound implications of hacktivist incursions into the space sector, the event has garnered limited attention due to the obscurity of technical attack vectors and ROCOSMOS's denial of NB65's allegations. Through analysis of NB65's released primary sources of evidence, this paper uncovers the probable vulnerabilities and exploits that enabled the alleged breach into ROSCOSMOS's ground and space segment. Additionally, we highlight lessons learned and the consequences this event has for the global aerospace community.

Cryptography and Security,Systems and Control

Sumanth Rao

2024-06-13

Abstract:Enterprises are constantly under attack from sophisticated adversaries. These adversaries use a variety of techniques to first gain access to the enterprise, then spread laterally inside its networks, establish persistence, and finally exfiltrate sensitive data, or hold it for ransom. While historically, enterprises have used different Incident Response systems that monitor hosts, servers, or network devices to detect and report threats, these systems often need many analysts to triage and respond to alerts. However, the immense quantity of alerts to sift through, combined with the potential risk of missing a valid threat makes the task of the analyst challenging. To ease this manual and laborious process, researchers have proposed a variety of systems that perform automated attack investigations. These systems collect data, track causally related events, and present the analyst with an interpretable summary of the attack. In this paper, we present a survey of systems that perform automated attack investigation, and compare them based on their designs, goals, and heuristics. We discuss the challenges faced by these systems, and present a comparison in terms of their effectiveness, practicality, and ability to address these challenges. We conclude by discussing the future of these systems, and the open problems in this area.

Cryptography and Security,Systems and Control

Mounesh Marali,Sithu D Sudarsan,Ashok Gogioneni

DOI: https://doi.org/10.1109/icacce46606.2019.9079981

2019-04-01

Abstract:Industrial automation and control systems are increasingly based on open communication protocols and platforms that are also commonly used in corporate IT environments and interconnected to enable integration with business applications, they become increasingly exposed to the internet. As seen in the past with WannaCry and NotPetya, it's more likely common malware will cause the most damage in the long run. These threats are expected to increase simply since the fundamental gaps in protecting the operational technology (OT) over information technology (IT) widening. As OT becomes increasingly exposed to internet, it tends to become weak spot to cyber threats as any other connected systems. This is basically because of OT components aligned on the same hardware, software, communication protocols including operating systems that run IT components, such as networks, client, server machines & other connected devices. At the same time, reusable development and deployment of interconnected systems and their communication networks become vulnerable to cyber-attacks. This paper explores cyber security issues in industrial control systems that are built on open communication platforms and networks. Specially emphasized on attacker's objectives, electronics methods and possible countermeasures for IT systems. The paper also describes various OT security-relevant characteristics distinct from the office IT systems and relevant implementation approaches at multiple system layers to protect from cyber-attacks. Finally, paper illustrates few application level security concepts with case studies focusing configuration and operation of industrial process control system.

Puya Pakshad

DOI: https://doi.org/10.4018/979-8-3373-0588-2.ch013

2024-12-10

Abstract:Nation-sponsored cyberattacks pose a significant threat to national security by targeting critical infrastructure and disrupting essential services. One of the most impactful cyber threats affecting South Korea's banking sector and infrastructure was the DarkSeoul cyberattack, which occurred several years ago. Believed to have been orchestrated by North Korean state-sponsored hackers, the attack employed spear phishing, DNS poisoning, and malware to compromise systems, causing widespread disruption. In this paper, we conduct an in-depth analysis of the DarkSeoul attack, examining the techniques used and providing insights and defense recommendations for the global cybersecurity community. The motivations behind the attack are explored, along with an assessment of South Korea's response and the broader implications for cybersecurity policy. Our analysis highlights the vulnerabilities exploited and underscores the need for more proactive defenses against state-sponsored cyber threats. This paper emphasizes the critical need for stronger national cybersecurity defenses in the face of such threats.

Cryptography and Security,Software Engineering

Jos Wetzels,Daniel dos Santos,Mohammad Ghafari

DOI: https://doi.org/10.1145/3576914.3587485

2023-03-22

Abstract:We inspected 45 actively deployed Operational Technology (OT) product families from ten major vendors and found that every system suffers from at least one trivial vulnerability. We reported a total of 53 weaknesses, stemming from insecure by design practices or basic security design failures. They enable attackers to take a device offline, manipulate its operational parameters, and execute arbitrary code without any constraint. We discuss why vulnerable products are often security certified and appear to be more secure than they actually are, and we explain complicating factors of OT risk management.

Cryptography and Security

Can Ozkan,Xinhai Zhou,Dave Singelee

2024-12-06

Abstract:The SolarWinds attack that exploited weaknesses in the software update mechanism highlights the critical need for organizations to have better visibility into their software dependencies and potential vulnerabilities associated with them, and the Software Bill of Materials (SBOM) is paramount in ensuring software supply chain security. Under the Executive Order issued by President Biden, the adoption of the SBOM has become obligatory within the United States. The executive order mandates that an SBOM should be provided for all software purchased by federal agencies. The main applications of SBOMs are vulnerability management and license management. This work presents an in-depth and systematic investigation into the integrity of SBOMs. We explore different attack vectors that can be exploited to manipulate SBOM data, including flaws in the SBOM generation and consumption phases in the SBOM life cycle. We thoroughly investigated four SBOM consumption tools and the generation process of SBOMs for seven prominent programming languages. Our systematic investigation reveals that the tools used for consumption lack integrity control mechanisms for dependencies. Similarly, the generation process is susceptible to integrity attacks as well, by manipulating dependency version numbers in package managers and additional files, resulting in incorrect SBOM data. This could lead to incorrect views on software dependencies and vulnerabilities being overlooked during SBOM consumption. To mitigate these issues, we propose a solution incorporating the decentralized storage of hash values of software libraries.

Cryptography and Security

Svitlana Lehominova,Halyna Haidur

DOI: https://doi.org/10.28925/2663-4023.2023.22.5467

2023-01-01

Abstract:Taking into account the process of complication of the geopolitical and geoeconomic landscape space, the development of information technologies and the formation of new security challenges associated with the emergence of new cyber threats, there is a need for constant monitoring and forecasting of them in order to prevent consequences in the form of damage and leakage of valuable and confidential information. The authors analyzed the new predictable cyber security threats to organizations, with special attention paid to the protection of endpoints. Threats identified in the field of artificial intelligence development (underground development of malicious Large Language Models (LLM); “Script Kiddies” update; voice fraud for social engineering, which is created by artificial intelligence); changing trends in the behavior of threat actors (attacks on supply chains against managed file transfer solutions, malware threats that are becoming multilingual); as new emerging threats and attack methods (growing QR code rivalry; stealth attacks on peripheral devices; Python implementation in Excel creating a potentially new vector for attacks; LOL drivers changing action algorithms). The resulting detection of future threats emphasizes the need for strategic planning for the adoption of new technologies and platforms: such as Endpoint Detection and Response (EDR) capabilities, as well as the use of EDR as part of a multi-instrumented enhanced detection and response (XDR) architecture. Gartner’s research has been proven to have a tremendous impact on improving organizations’ threat detection capabilities by providing valuable insight into the strengths and weaknesses of each cybersecurity service provider with respect to emerging threat intelligence, by focusing organizations’ attention on opportunities to identify gaps in their existing security infrastructure and adopt sound decisions to invest in additional solutions or services that effectively address these gaps. The spheres of activity of the world’s leading companies were analyzed, their connection with Ukrainian companies was found, and further cooperation was proposed for the effective protection of national cyberspace.

Thomas Miller,Alexander Staves,Sam Maesschalck,Miriam Sturdee,Benjamin Green

DOI: https://doi.org/10.1016/j.ijcip.2021.100464

IF: 3.683

2021-12-01

International Journal of Critical Infrastructure Protection

Abstract:<p>Since the 1980s, we have observed a range of cyberattacks targeting Industrial Control Systems (ICS), some of which have impacted elements of critical national infrastructure (CNI). While there are access limitations on information surrounding ICS focused cyberattacks, particularly within a CNI context, this paper provides an extensive summary of those publicly reported. By identifying and analysing previous ICS focused cyberattacks, we document their evolution, affording cyber-security practitioners with a greater understanding of attack vectors, threat actors, impact, and targeted sectors and locations, critical to the continued development of holistic risk management strategies.</p>

engineering, multidisciplinary,computer science, information systems

Stephanie Ness,Tushar Khinvasara

DOI: https://doi.org/10.9734/jerr/2024/v26i21075

2024-01-29

Journal of Engineering Research and Reports

Abstract:Currently, the majority of economic, commercial, cultural, social, and governmental activity and contacts between countries, encompassing individuals, non-governmental organizations, and government institutions, occur in the virtual realm known as cyberspace. In recent times, numerous private enterprises and governmental institutions worldwide have encountered the issue of cyber- attacks and the peril associated with wireless communication technology. The modern society heavily relies on electronic technology, and safeguarding this data from cyber-attacks poses a formidable challenge. Cyber-attacks are intended to inflict financial harm onto companies. Cyber- attacks may serve military or political objectives in certain instances. Some examples of these damages include PC infections, knowledge breaches, data distribution service (DDS), and other attack routes. For this purpose, different companies employ diverse strategies to mitigate the harm caused by cyber-attacks. Cybersecurity monitors up-to-date information on the most recent IT data. Researchers worldwide have proposed several techniques to prevent cyber-attacks or mitigate their impact. Several approaches are currently in the operational phase, while others are still in the study phase. The objective of this study is to conduct a thorough examination and evaluation of the latest advancements in the field of cyber security, with the purpose of identifying and analyzing the problems, vulnerabilities, and strengths of the proposed methodologies. A comprehensive analysis is conducted on several forms of novel descendant attacks. The discussion revolves around conventional security frameworks, encompassing their historical context and early-generation approaches to cyber-security. Furthermore, this report presents the latest advancements and developing patterns in the field of cyber security, as well as the current problems and risks to security. The comprehensive review study offered for IT and cyber security researchers is anticipated to be beneficial.

Amin Hassanzadeh,Amin Rasekh,Stefano Galelli,Mohsen Aghashahi,Riccardo Taormina,Avi Ostfeld,Katherine Banks

DOI: https://doi.org/10.1061/%28ASCE%29EE.1943-7870.0001686

2020-07-25

Abstract:This study presents a critical review of disclosed, documented, and malicious cybersecurity incidents in the water sector to inform safeguarding efforts against cybersecurity threats. The review is presented within a technical context of industrial control system architectures, attack-defense models, and security solutions. Fifteen incidents were selected and analyzed through a search strategy that included a variety of public information sources ranging from federal investigation reports to scientific papers. For each individual incident, the situation, response, remediation, and lessons learned were compiled and described. The findings of this review indicate an increase in the frequency, diversity, and complexity of cyberthreats to the water sector. Although the emergence of new threats, such as ransomware or cryptojacking, was found, a recurrence of similar vulnerabilities and threats, such as insider threats, was also evident, emphasizing the need for an adaptive, cooperative, and comprehensive approach to water cyberdefense.

Cryptography and Security

George Grispos,William Bradley Glisson,David Bourrie,Tim Storer,Stacy Miller

DOI: https://doi.org/10.48550/arXiv.1706.06818

2017-06-21

Cryptography and Security

Abstract:Reports and press releases highlight that security incidents continue to plague organizations. While researchers and practitioners' alike endeavor to identify and implement realistic security solutions to prevent incidents from occurring, the ability to initially identify a security incident is paramount when researching a security incident lifecycle. Hence, this research investigates the ability of employees in a Global Fortune 500 financial organization, through internal electronic surveys, to recognize and report security incidents to pursue a more holistic security posture. The research contribution is an initial insight into security incident perceptions by employees in the financial sector as well as serving as an initial guide for future security incident recognition and reporting initiatives.

Nusrat Zahan,Yasemin Acar,Michel Cukier,William Enck,Christian Kästner,Alexandros Kapravelos,Dominik Wermke,Laurie Williams

2024-08-29

Abstract:Cyber attacks leveraging or targeting the software supply chain, such as the SolarWinds and the Log4j incidents, affected thousands of businesses and their customers, drawing attention from both industry and government stakeholders. To foster open dialogue, facilitate mutual sharing, and discuss shared challenges encountered by stakeholders in securing their software supply chain, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) organize Secure Supply Chain Summits with stakeholders. This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023, which consisted of \panels{} panel discussions with a diverse set of \participants{} practitioners from the industry. The individual panels were framed with open-ended questions and included the topics of Software Bills of Materials (SBOMs), vulnerable dependencies, malicious commits, build and deploy infrastructure, reducing entire classes of vulnerabilities at scale, and supporting a company culture conductive to securing the software supply chain. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.

Cryptography and Security

Yong-Woon Hwang,Im-Yeong Lee,Hwankuk Kim,Hyejung Lee,Donghyun Kim

DOI: https://doi.org/10.1155/2022/1290129

2022-02-18

Wireless Communications and Mobile Computing

Abstract:Recently, users have used open-source intelligence (OSINT) to gather and obtain information regarding the data of interest. The advantage of using data gathered by OSINT is that security threats arising in cyberspace can be addressed. However, if a user uses data collected by OSINT for malicious purposes, information regarding the target of an attack can be gathered, which may lead to various cybercrimes, such as hacking, malware, and a denial-of-service attack. Therefore, from a cybersecurity point of view, it is important to positively use the data gathered by OSINT in a positive manner. If exploited in a negative manner, it is important to prepare countermeasures that can minimize the damage caused by cybercrimes. In this paper, the current status and security trends of OSINT will be explained. Specifically, we present security threats and cybercrimes that may occur if data gathered by OSINT are exploited by malicious users. Furthermore, to solve this problem, we propose security requirements that can be applied to the OSINT environment. The proposed security requirements are necessary for securely gathering and storing data in the OSINT environment and for securely accessing and using the data collected by OSINT. The goal of the proposed security requirements is to minimize the damage when cybercrimes occur in the OSINT environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Svetlana Abramova,Rainer Böhme

2023-08-01

Abstract:Media reports show an alarming increase of data breaches at providers of cybersecurity products and services. Since the exposed records may reveal security-relevant data, such incidents cause undue burden and create the risk of re-victimization to individuals whose personal data gets exposed. In pursuit of examining a broad spectrum of the downstream effects on victims, we surveyed 104 persons who purchased specialized devices for the secure storage of crypto-assets and later fell victim to a breach of customer data. Our case study reveals common nuisances (i.e., spam, scams, phishing e-mails) as well as previously unseen attack vectors (e.g., involving tampered devices), which are possibly tied to the breach. A few victims report losses of digital assets as a form of the harm. We find that our participants exhibit heightened safety concerns, appear skeptical about litigation efforts, and demonstrate the ability to differentiate between the quality of the security product and the circumstances of the breach. We derive implications for the cybersecurity industry at large, and point out methodological challenges in data breach research.

Cryptography and Security