DHS Alerts Critical Infrastructure Operators on Recent Cyber Attacks (2/8/12)
Wednesday, February 08, 2012

The Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released an alert to inform critical infrastructure and key resource (CIKR) asset owners and operators of recent and ongoing secure shell (SSH) scanning and login attempts against Internet-facing control systems.

ICS-CERT is aware that many organizations have experienced a large number of access attempts by remote attackers. Systems that expose SSH command line access are common targets for "brute force" attacks. This week, ICS-CERT received a report from an electric utility that observed unsuccessful brute force activity against its networks. A brute force authentication attack attempts to obtain a user's logon credentials by guessing user names and passwords. Brute force login tools exist for most services that allow remote access, and attackers use such tools and scripts to automate the guessing. These applications typically draw on databases of vendor default credentials and dictionaries of commonly used passwords, or they simply try every combination of a character set. (Rainbow tables, by contrast, are used to recover passwords from captured hashes offline; they play no part in online guessing against a live SSH service, where each attempt is a visible failed login.)

ICS-CERT strongly encourages CIKR asset owners and operators to examine their control network configurations and establish a baseline configuration and traffic pattern, so that new listening services or unexpected inbound connections stand out. The agency also recommends that asset owners and operators audit their control systems, whether or not they believe those systems are connected to the Internet, to discover and verify removal of any default user names and passwords. Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance with locating and eliminating default accounts.

Control system owners and operators are encouraged to take the following defensive measures to minimize the risk of exploitation:

• Minimize network exposure for all control system networks and devices. Control system devices should not directly face the Internet.

• Locate control system networks and devices behind firewalls and isolate them from the business network. Stay actively aware of what is on the network by performing periodic port scans.

• If remote access is required, employ secure methods, such as virtual private networks (VPNs), recognizing that a VPN is only as secure as the devices connected to it.

• Remove, disable or rename any default system accounts wherever possible.

• Implement account lockout policies to reduce the risk from brute forcing attempts, balancing the lockout threshold against the possibility that an attacker deliberately locks out legitimate operator accounts.

• Implement policies requiring strong passwords: long passphrases that combine letters, numbers and special characters.

• Monitor the creation of administrator level accounts by third-party vendors.

The following SSH-specific mitigations are encouraged:

• Configure SSH servers to use nonstandard ports. This reduces the noise from opportunistic scanners that only try port 22; it does not stop a targeted attacker and is not a substitute for restricting access.

• Restrict access to SSH servers, for example by allowing only specific source addresses and named accounts, and by disabling direct root login.

• Use intrusion detection/intrusion prevention, and review SSH authentication logs for repeated failures from a single source.
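The brute force pattern described above (many failed logins in a short span, often against default account names) is straightforward to pick out of sshd logs. The following script is an added example, not part of the ICS-CERT alert: it parses OpenSSH "Failed password" lines, keeps a sliding-window count per source address, and reports any source that exceeds a threshold, together with which usernames it tried. The log lines, the `DEFAULT_ACCOUNTS` list, the threshold and the window size are all constructed for the example and should be tuned to the site.

```python
"""Flag SSH brute-force activity in OpenSSH auth-log lines.

Added example (not from the ICS-CERT alert): a sliding-window counter over
failed-login records, plus a tally of the usernames tried so that guessing
against default/vendor accounts stands out. All input below is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenSSH syslog format (syslog timestamps carry no year).
SAMPLE_LOG = """\
Feb  8 02:14:01 hmi01 sshd[2231]: Failed password for root from 203.0.113.45 port 51022 ssh2
Feb  8 02:14:03 hmi01 sshd[2233]: Failed password for root from 203.0.113.45 port 51024 ssh2
Feb  8 02:14:04 hmi01 sshd[2235]: Failed password for invalid user admin from 203.0.113.45 port 51026 ssh2
Feb  8 02:14:06 hmi01 sshd[2237]: Failed password for invalid user operator from 203.0.113.45 port 51028 ssh2
Feb  8 02:14:07 hmi01 sshd[2239]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Feb  8 02:14:09 hmi01 sshd[2241]: Failed password for root from 203.0.113.45 port 51032 ssh2
Feb  8 02:30:11 hmi01 sshd[2301]: Failed password for engineer from 192.0.2.10 port 40012 ssh2
Feb  8 02:30:40 hmi01 sshd[2303]: Accepted publickey for engineer from 192.0.2.10 port 40014 ssh2
Feb  8 03:05:00 hmi01 sshd[2400]: Failed password for invalid user support from 198.51.100.7 port 33001 ssh2
Feb  8 03:45:00 hmi01 sshd[2402]: Failed password for invalid user support from 198.51.100.7 port 33002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Hypothetical list of default/vendor account names the alert says to remove
# or rename; guesses against these are the strongest signal. Extend per vendor.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "operator", "support", "guest"}


def parse_failures(log_text, year=2012):
    """Yield (timestamp, user, ip) for each failed-password line, in log order."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and other sshd messages are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window_s=300):
    """Return {ip: summary} for every source whose failed logins reached
    `threshold` within any `window_s`-second span. The log is assumed to be
    time-ordered, as a single sshd log file is."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    total = defaultdict(int)
    users = defaultdict(set)
    peak = defaultdict(int)        # ip -> highest count seen in one window
    for ts, user, ip in parse_failures(log_text):
        total[ip] += 1
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # expire old failures
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {
        ip: {
            "failures": total[ip],
            "peak_in_window": peak[ip],
            "users": sorted(users[ip]),
            "default_targets": sorted(users[ip] & DEFAULT_ACCOUNTS),
        }
        for ip in total
        if peak[ip] >= threshold
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, peak {info['peak_in_window']} "
              f"in window, default accounts tried: {info['default_targets']}")
```

Against the sample, only 203.0.113.45 is flagged: six failures in eight seconds, all against default account names. The single typo by `engineer` from 192.0.2.10 and the two widely spaced guesses from 198.51.100.7 fall below the default threshold, which also illustrates the limit of any rate-based rule: a slow, distributed guesser stays under it, so the detection belongs alongside the other mitigations on this list (source restrictions, key-based authentication, removal of default accounts) rather than in place of them. On an OpenSSH host the corresponding sshd_config directives are `PermitRootLogin no`, `PasswordAuthentication no` and an `AllowUsers` list.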

The full alert is available from ICS-CERT.
