This afternoon the DHS ICS-CERT updated their Elipse EC advisory
(published yesterday) and published the latest
Monitor, which describes ICS-CERT response activities during the last five months
(September 2014 through February 2015).
Elipse Update
This update
provides a link to a Carnegie Mellon CERT (CERT-CC) vulnerability note on the base vulnerability found in the Telerik
Analytics Monitor Library. That note provides more details about how the
vulnerability functions.
It looks like the CERT-CC note will be updated as other vendors
are identified as having vulnerable systems based upon the same Telerik DLLs (csunsapi.dll,
swift.dll, nfhwcrhk.dll, and surewarehook.dll), probably listed only after they are
fixed. It will be interesting to see whether ICS-CERT will provide new advisories
for each vendor’s fix of the problem or whether it will just depend on CERT-CC
updating their note.
ICS-CERT Monitor
The latest
Monitor provides some additional information about the fairly extensive
ICS-CERT response activity that we have been hearing a lot of second-hand
information about over the last year or so. This Monitor provides a summary of
response data for FY 2014 (which ended on September 30th). As we
should have been able to guess from news reports, the largest category of
affected industries was the Energy Sector.
We still don’t have any real description of the kinds of
effects seen as a result of the attacks, and we don’t know how many of the
attacks were successful. There is a list of the generic attack vectors; not
much new here. The second largest was network scanning/probing at 22% and the third
was spear phishing attacks at 17% (you can’t tell this relative size from the
poor graphics). What is kind of scary, though, is that ICS-CERT could not find
the source of the attack in 38% of the cases. I hope (and believe) this is a
reflection of poor forensics and abysmal system logs and not of ICS-CERT’s
capability to analyze control system attacks.
There is also a brief section here about the ICS-CERT
outreach activity to industry. It mentions the two-hour Secret level briefing
that was given 15 times across the country in December. I would have liked to
have been able to see one of these (unlikely as my Secret clearance expired
decades ago and forget about ‘need to know’), but I really doubt the efficacy
of the briefings. I would expect that these were given to C-Level managers who
could not then take them back to their ICS folks because of the lack of security
clearances at the operational level. And forget about notes or handouts since
very few organizations outside of the Defense Industrial Base have facilities
cleared to store Secret documents.
There is a brief discussion about the ICS-CERT Cybersecurity
Evaluation Tool (CSET). It does mention that version 6.2 was released in
January. Unfortunately there is nothing about that on the ICS-CERT CSET web site or the CSET
Fact Sheet (for some reason both are only accessible from the ICS-CERT page via the ‘Assessments’
link; the direct links do not work), and neither mentions version numbers at all.
There is, however, a series of YouTube® video
tutorials about version 6.2, but they are not mentioned on the ICS-CERT
site. The Monitor staff did promise to have more information about v6.2 in the
next issue.
Lots of other interesting stuff, but nothing worth
discussing here. Read it for yourself; it’s free.