Logical Ports and Services David Sopata 4/14/2016 Agenda High - - PowerPoint PPT Presentation

Logical Ports and Services

David Sopata 4/14/2016

Forward Together • ReliabilityFirst

Agenda

2

• High level methodology and tips from a

recovering CIP Auditor on how to:

• Identify Ports and Services for BES Cyber Systems and/or

Assets CIP-007-6

• Justifying the use of Ports and Services CIP-007-6
• Incorporating the information into a baseline CIP-010-2
• Monitoring the Baseline CIP-010-2, CIP-008-5

Forward Together • ReliabilityFirst

A little bit about me…

• I am a recovering CIP Auditor
• I love technology
• I enjoy helping others
• I’m not afraid of a terminal
• I enjoy learning from others
• I consider myself a process improvement hacker
• I also enjoy memes!

3

Forward Together • ReliabilityFirst

WARNING!!!!

• I might just get silly and talk about things
• utside of the standards. However, these would

be the next maturity step towards good practice.

• Also…

4

Forward Together • ReliabilityFirst

CIP-007-6 Part 1.1

5

Asset Level Requirement, High and Medium Impact

Forward Together • ReliabilityFirst

CIP-007-6 R1.1

6

• CIP-007-6 R1.1: Protecting Logical

Ports

• This is similar to CIP-007-3 R2
• This includes:

‒ All enabled logical ports that are generally associated with “layer 4” of the OSI Network model

• n BES Cyber Assets/other cyber assets.

‒ “windows services” for Windows environments or PID for the “*nix” type environments.

• Other appliances/devices may call this

something different.

Forward Together • ReliabilityFirst

CIP-007-6 R1.2

7

• CIP-007-7-6 R1.2: Protecting Physical Ports
• Additional documentation in the key Lessons Learned

and FAQs

• This includes

‒ Disabling all unnecessary input/output ports on BES Cyber Assets i.e. (Ethernet, Serial, USB, and/or other common/proprietary ports) ‒ This is to try to prevent plugging in unauthorized removable storage, and/or transient devices

• This can be accomplished through logical and

physical means of disabling the ports and through signage.

Forward Together • ReliabilityFirst

8

Forward Together • ReliabilityFirst

CIP-007-6 R1.1 Evidence/Audit Approach

9

• Need to provide one or more documented processes for

disabling or restricting ports

• Need a complete list of EACMS, PACS, and PCA that are

included in your High and Medium BES Cyber Systems.

• Need to provide a list/document of what is needed and/or

a baseline of ports that are used and what services they are tied to for ALL Cyber Assets included in your High and Medium BES Cyber Systems.

• This can be shown through:

‒ Command Line output such as “netstat –boan” for Windows or “netstat – pault” for *nix ‒ Configuration files ‒ Vendor/third-party device configuration/policy management tools and reports

• Bottom Line, need to see ports and protocols tied to a

program/PID that are listening/active, and justified!

Forward Together • ReliabilityFirst

CIP-007-6 R1.1 Evidence/Audit Approach

10

• Need to provide how these baselines are being

enforced for ALL BES Cyber Assets.

• This can be shown through:

‒ Vendor/third-party device configuration/policy management tools ‒ Device-level/host-based firewalls systems/tools

• “Where technically feasible,” indicates that if a BES Cyber

Asset can not enforce/restricts these ports and services, TFEs may be required.

• As always… go to the vendor documentation and/or

vendor for guidance.

Forward Together • ReliabilityFirst

11

Forward Together • ReliabilityFirst

Need to start at our foundation!!!

12

• This all starts at CIP-002-5
• Need to start with how BES Cyber assets make up the

BES Cyber Systems

‒ It may be found that there could be some better logical grouping of assets.

• Remember, Entities have the ability to slice and dice BES Cyber

System assets however they see fit. It can even be different between standards and requirements. *

* In order to survive CIP-010-2 baselines, it has to get down to the Cyber Asset Level.

• Now that we have our foundation, we can now

start digging around and start poking cyber assets right?...

Forward Together • ReliabilityFirst

13

We Research!

Forward Together • ReliabilityFirst

Sources to start the search

14

• Vendor Documentation
• The best place to start is with the vendor

documentation for your BES Cyber System and specific BES Cyber Assets i.e. EMS, DCS, ICS, SCADA systems

• Some vendors realize this need, and are providing a list
• f needed ports and services required to run the
• system. Some don’t…
• Other outside sources might be needed or we

may need to do some technical device

• interrogation. (I hope in a lab!)

Forward Together • ReliabilityFirst

Sources to start the search cont.

15

• Other Vendor documentation
• Hardware/Software vendors generally have marketing

and/or technical manuals that show capabilities, what ports and protocols are available, and even example configurations and/or configuration options.

• Third-party baselines
• In addition to vendor documentation, there are also some

suggested best practice baselines such as

‒ NIST Special Publications (NIST-SP-800-XXX) (some are device specific, but most are more general best practice) ‒ SANS Institute (some are device specific, but most are more general best practice) ‒ Center for Internet Security (CIS)* baselines and benchmarks (device specific, line-by- line configuration)

• * Caution!…. There will be a need to modify these

baselines to meet your environment!!!!

Forward Together • ReliabilityFirst

Sources to start the search cont.

16

• What if I have Cyber Assets or programs that

can’t be found in these sources or the vendor site is not easy to navigate?

Forward Together • ReliabilityFirst

Search Engine Hacking

17

• Known as “Google Hacking” or “Google Dorking”
• These are general terms. You can use your favorite search
• engine. 
• These techniques are used to search hard to find documents

and information, and even vulnerabilities! Aka... Open- source Intelligence (OSTIN)

• This is using the built-in operators of the search engine
• Example: Google operator search:

site:www.url.com –ext:pdf

• Google will only search the specific site containing all files

ending in .pdf. https://www.ethicalhacker.net/features/book-reviews/google- hacking-ten-simple-security-searches-that-work Google Hacking for Pentesters 3rd Addition, by Johnny Long

Forward Together • ReliabilityFirst

Search Engine Hacking cont.

18

• WayBack machine
• http://archive.org/web/
• It’s an internet archive site that allows you to search

previously cached webpages from back in the past

• User forums…
• User forums can be a wealth of information where

someone can find problem and/or answers to issues found with different devices.

• A word of caution!!!…
• Be Careful what you post to these sites!!! People

with malicious intent search these sites too!

Forward Together • ReliabilityFirst

How do I find Ports and Protocols?

19

• IANA Service Name and Transport Protocol Port Number

Registry

• http://www.iana.org/assignments/service-names-port-

numbers/service-names-port-numbers.xhtml

• It’s a great reference of

‒ System Ports (0-1023) assigned by IETF ‒ User Ports (1024-49151) assigned by IETF ‒ Dynamic and/or Private Ports (49152 – 65535) assigned by IANA using the IETF review process ‒ Transport Protocol used (udp/tcp) ‒ RFCXXXX reference of known protocols

• This information can be downloaded in many formats. (CVS, XML,

HTML, Plain Text)

• Millage will very… Some software/OS vendors take liberties with

protocols and do not follow protocols as they were defined in the RFCs.

• On that note.. If you want some “light” reading it’s a good to read

through some of the RFCs (Don’t operate heavy machinery while reading.)

Forward Together • ReliabilityFirst

Quiz Time…

20

• What are the common port numbers of these

protocols commonly found in ESPs?

• DNP/DNP3
• MODBUS
• HTTP
• HTTPS
• DNS
• NTP
• SSH

Forward Together • ReliabilityFirst

I found it, now what do I do with it?

21

• STORE THE INFORMATION!!!!
• This can help in building a good knowledge base

system of your BES Cyber System Assets and

• ther cyber assets
• If it took this much time and effort to find it, why

would you want to go hunting for it again? Why make someone else hunt for it?

• This information can be used in helping to

develop your baselines for CIP-010-2, monitoring rules for the SIEM, help new hires understand your systems. etc.

Forward Together • ReliabilityFirst

Who’s talking to whom? Why?

22

• What should we know by now?
• A list BES Cyber Assets and other associated cyber

assets/devices/appliances

• The additional programs and services that are running
• n the assets/devices
• Hopefully at this point we only have a subset of

assets/devices that are unknown where we would need to do additional technical interrogation.

• We should have some rules from CIP-005-5 as a

starting point telling us some port ranges.

Forward Together • ReliabilityFirst

Who’s talking to whom? Why? Cont.

23

• What are some tools we can use to start digging?
• For OS/System Level

‒ Vulnerability Tools (OpenVAS, Nessus, etc.) Authenticated Scans generally are better if possible ‒ End-Point-Protection system (HIPS/HIDS systems) ‒ Netstat ‒ Process Hacker (third-party application shows the same info as NetStat and more, in real-time)

• From outside the Device

‒ Vulnerability Tools (OpenVAS, NMAP, Nessus, etc.) unauthenticated scans ‒ Network Analyzers (Wireshark, etc.) ‒ Software Information Event Managers (SIEM) (SecurityOnion, Logrhythm, NetIQ, Qradar, McAfee, AlienVault, Secure IQ, Splunk etc… )

• * Caution… Some of these tools can bring down devices!

Ensure to use these types of tools in the Lab environment before ever using them in production!

Forward Together • ReliabilityFirst

Large Range of Dynamic Ports

24

• What happens when we find a program/applications that uses a

wide range of ports?

• DOCUMENT IT!!!!

‒ Even though it might be a wide range of ports, if we identify

• What assets use that program/application and who they talk too
• Justification of why it is needed

‒ It’s better than not documenting it!

• Having a limited range of IP addresses and IP ports can be used to help with logging and

monitoring and building alerts.

• 254 (1 IPv4 class C range network) X 65536 (ports) x2 (TCP/UDP)

=

• 33,292,288 potential ports open on the network.
• 131,072 potential ports open per device. That’s a large environment to track

and monitor.

• Some applications and services may overlap some of these port ranges and

will complete for ranges in the Dynamic Ports. (i.e. another increase factor)

• What happens if/when we start turning on IPv6?
• We need to limit and shrink this footprint down as much as we

can and automate monitoring as much as we to keep up with threats within the environment!

Forward Together • ReliabilityFirst

CIP 010-2, R1

• R1: Develop Baseline Configurations

25

Forward Together • ReliabilityFirst

Baselines by “individual or by group”

• Having baselines by a group can save time and energy in having to

develop less baselines

• The key to justifying a group of cyber assets as one baseline is

showing that they are configured the same and are managed the

• same. Examples…
• They are used for the same function (i.e. such as Operator Workstations)
• They are running the same hardware, Operating System, and software
• They have the same security controls across all the cyber assets

‒ i.e. malware detection/prevention, group policy settings, same ports and services are enabled/disabled same system accounts… etc.

• When we start to deviate from some of the examples above, it will be

harder to show an audit team that a group of Cyber Assets should be treated as one baseline.

• Audit teams will likely be sampling a group baseline to ensure that

there is consistency

26

Forward Together • ReliabilityFirst

Baselining Best Practices

• Establish a Configuration Management program
• Develop Organizational Configuration Management

Policy

• Establish inventory management and configuration

control systems

• Document processes, procedures and templates for the

development and maintenance of baseline configurations

• Utilize common secure Configurations / IT standards
• Baseline Management and Storage

27

Forward Together • ReliabilityFirst

CIP 010-2, R1.2

• Authorize and document changes that deviate

from the existing baseline configuration

28

Forward Together • ReliabilityFirst

CIP 010-2, R1.2 – Best Practices

• Establish Configuration Change Control processes
• Who can authorize baseline changes, and to what
• When authorization(s) needs to occur
• How the authorization will be documented, stored, and

tracked

• How authorizations are communicated
• Segregation of duties

29

Forward Together • ReliabilityFirst

CIP 010-2, R1.2 – Best Practices

• Clearly document (what changed and when)
• The identification of the asset (s) and/or system(s)
• The attribute(s) that changed
• The type of change (add/change/replacement)
• The date, time and location of change
• The source, cause or reason for the change
• The person(s) or org/bus unit that authorized the change
• Derivative changes to other assets or configuration items resulting from

the change

• These changes should also be monitored by log

and monitoring processes (as defined in CIP- 007-6, CIP-008-5, and CIP-010-6) and going beyond for monitoring changes to baselines.

30

Forward Together • ReliabilityFirst

CIP 010-2, R1.2 – Best Practices Cont.

• What are some additional things that would be best

practice for log and monitoring?

• Configuration files/system files using some form of File Integrity

Monitoring (FIM) logs (to detect unauthorized changes to systems)

• Stopping and starting of anti-malware services logs (can be an

indication of someone/something trying to evade anti-malware detection)

• Automated Software Restriction Policy logs
• Network communication session outside of the defined baseline ports

and services and cyber assets. (NetFlow, rule hits stats on the firewall)

• Application Logs
• Database logs
• Web Application Logs

…etc…

31

Forward Together • ReliabilityFirst

CIP 010-2, R1.2 – Best Practices Cont.

32

Forward Together • ReliabilityFirst

CIP 010-2, R1.2 – Best Practices Cont.

• Short answer….YES
• However, why would

we not talk and coordinate with Network Operations/Security Operations/ NOC/SOC/ISOC team and let them know?

• It’s time to knock on

the NOC and see who answers.

33

Forward Together • ReliabilityFirst

CIP 010-2, R1.3

• Must update baselines within 30 days of change

34

Forward Together • ReliabilityFirst

CIP 010-2, R1.3 – Best Practices

• Document processes and procedures for controlling

changes to configuration baselines

• Who is responsible for updating
• When are baselines updated
• Who can authorize baseline changes, to what and
• How the authorization documented, stored, and tracked
• How authorizations (R.2) are communicated, to who and when
• Maintain Configuration/Change Records
• Maintain Version histories
• Version number and date
• What was changed, who performed the update
• Who authorized the change
• Cross-reference to change records, as appropriate

35

Forward Together • ReliabilityFirst

CIP 010-2, R1.4

• Deviation from baselines must consider impact

to security controls in CIP-005 and CIP-007

36

Forward Together • ReliabilityFirst

CIP 010-2, R1.4

• R1.4.1, Prior to a change, determine required

cyber security controls that could be impacted by the change

• R1.4.2, Following the change, verify controls are

not adversely affected

• R1.4.3, Document verification results

37

Forward Together • ReliabilityFirst

CIP 010-2, R1.4 – Best Practice

• Document Test Plans and Procedures
• When testing will occur and where
• Identify steps taken to determine potentially impacted cyber security controls
• Why some/certain controls not included
• How the controls are tested
• How will adverse impacts be detected
• How Test Results (expected vs. actual) are documented
• Account for different environments or changes for when determining

what controls could be impacted

• Coordinate testing processes across departments, business units,

etc., to ensure consistency

• Why not implement log and monitoring tools in your test

environment to watch for changes? Could be used to also help improve log and monitoring tools in production.

38

Forward Together • ReliabilityFirst

CIP 010-2, R1.5

• Test Environment Requirements

39

Forward Together • ReliabilityFirst

CIP 010-2, R1.5

• Applicable to High Impact BES Cyber Systems only
• Specific to security controls that must be tested (CIP-

005-5 and CIP-007-6)

• Documentation Requirements for Testing
• Was test environment used
• Identify differences between test and production

environment

• Describe measures take to account for differences in

environment

• What security controls were tested
• How and when security controls were tested
• Document results

40

Forward Together • ReliabilityFirst

CIP 010-2, R1.5 – Best Practices

• Document test procedures for all cyber assets or group
• f assets
• Use checklists or other tools to reduce likelihood of not

testing all controls

• Maintain documentation that describes test environment

and procedures

• How does the test environment reflect production
• When is the test environment used vs production environment
• Test all PCAs, Medium, and Low-impacting BES Cyber

Systems, not just High

41

Forward Together • ReliabilityFirst

Conclusion…..

42

Forward Together • ReliabilityFirst

Reference

• https://www.ethicalhacker.net/features/book-

reviews/google-hacking-ten-simple-security- searches-that-work

• https://www.exploit-db.com/google-hacking-

database/

• Google Hacking for Pentesters, 3rd Addition by

Johnny Long

43

Forward Together • ReliabilityFirst

Questions & Answers

Forward Together ReliabilityFirst

44