
INTL 580: Writing for Intelligence

Cyber Attack Methods

Project Mission: Investigate and analyze the cyberattack outlook for the next 12 months on cyber security as it pertains to the United States.
Leslie Guelcher, Laura Suprock, and Joseph Sweeney

Prepared for: USA Director of Cyber Security

Mercyhurst University Professor William Welch 21 February 2012

Table of Contents

About This Document
Key Findings
Outlook
Attack Methods: Threats Against Business
Attack Methods: Cyber Identity Theft
Attack Methods: Infrastructure
Annex 1: Malicious Activity by Source Origin
Annex 2: ACH Threats Against Business
Annex 3: ACH Cyber Identity Theft
Annex 4: ACH Attacks Against Infrastructure
Endnotes

Cover image source: http://tinyurl.com/3b8bxbz

About This Document

From 28 November 2011 through 21 February 2012, the Cyber Attack Team developed an intelligence estimate* for the United States Director of Cyber Security based on the following question: What is the outlook in the next 12 months on issues of cyber security as they pertain to cyber-attacks within the United States?

Team members then produced intelligence estimates based upon the threats and incidents of cyber-attacks both within and outside the United States. International attacks were taken into account when estimating the outlook for the United States. This document outlines the consensual estimate of events that might affect the US in the coming year. Furthermore, team members' individual estimates are included to provide discussion and support for the overall estimate. Following each estimate is the analyst's determination of analytic confidence (on a five-level scale: not reliable, low, medium, high, very high). Each analyst has also provided contact information for any feedback or questions.

*This estimate is the result of a research project undertaken as a requirement by graduate students at the Mercyhurst College Institute for Intelligence Studies. Its content and resulting estimate is based solely upon open source information and is purely academic in nature.

US Cyber Security: Cyber Attacks

Key Findings

Summary: It is likely that phishing, malware and DDoS attacks will remain the three largest threats to individuals and businesses over the next 12 months. While attacks against businesses and individuals are likely to succeed, any cyber-attacks against United States infrastructure are unlikely to succeed.

o Cyber Attacks Against Businesses: It is likely that malware, in the form of Trojan horses, and DDoS attacks will be the major contributors to continuing assaults against US businesses within the next 12 months. Hackers develop sophisticated malware, especially Trojan horses, to bypass anti-virus programs and deliver malicious files to victims' computers for the purpose of accessing data. DDoS attacks are on the rise and are easy to initiate given the availability of toolkits and methodology instructions.

o Cyber Identity Theft: Phishing is highly likely to remain the most common method of conducting cyber identity theft over the next 12 months. Refined phishing techniques allow access to secure networks without advanced technology. Victims are easily fooled by phishing emails and posts. Spam on social networking sites and bad apps are increasing.

o Cyber Attacks: Infrastructure: It is unlikely that a cyber-attack will exploit a SCADA (supervisory control and data acquisition) vulnerability to damage US utilities in the next 12 months. Despite recent media attention to SCADA vulnerabilities, the sheer complexity of the system, coupled with fail-safes and redundancies in these systems' engineering, would prevent most attacks from reaching a widespread, catastrophic impact. Chances are better than even that a state-sponsored cyber-attack team could gain access to an area of U.S. infrastructure through the weaknesses in the SCADA system.

Analytic Confidence: Medium

L. Guelcher

L. Suprock

J. Sweeney

Outlook

It is likely that phishing, malware and DDoS attacks will remain the three largest threats to individuals and businesses over the next 12 months. While attacks against businesses and individuals are likely to succeed, any cyber-attacks against United States infrastructure are unlikely to succeed.

It is likely that malware, in the form of Trojan horses, and DDoS attacks will be the major contributors to continuing assaults against US businesses within the next 12 months. Hackers develop sophisticated Trojan horses to attack networks, including multi-layered threats. They deliver malware using phishing techniques to entice victims to either open a malicious file or visit an infected website. Hackers can then use remote access Trojans to access victims' computer files and data. Additional threats to business come from DDoS attacks, which are on the rise given the availability of toolkits and methodology instructions.

Phishing is highly likely to remain the most common method of conducting cyber identity theft over the next 12 months. Phishing techniques are constantly evolving; spear-phishing (targeted phishing) is on the rise. Even experts are vulnerable to phishing scams, which allows attackers to infiltrate even secured networks. Scammers are increasingly making use of social networking sites such as Facebook and Twitter to spread phishes, relying on the viral effect these sites generate. Owners of Android mobile devices can expect to see more bad apps on the Android Market, Android's app store, in the next year. Disguise-type malware in particular will highly likely increase. Android's large market share combines with its lax app review policy to make it a prime target for hackers.

It is unlikely that a cyber-attack will exploit a SCADA (supervisory control and data acquisition) vulnerability to damage U.S. utilities in the next 12 months. Despite recent media attention to SCADA vulnerabilities, the sheer complexity of the system, coupled with fail-safes and redundancies in these systems' engineering, would prevent most attacks from reaching a widespread, catastrophic impact. Likewise, multiple government agencies and corporations have started programs dealing with awareness of vulnerabilities and programs for preventing threats. Estimates from several researchers state that any attack on U.S. infrastructure would highly likely take copious resources not readily available to most lay-people. However, chances are better than even that a state-sponsored cyber-attack team could gain access to an area of U.S. infrastructure through the weaknesses in the SCADA system.

Attack Methods: Threats Against Business

Executive Summary

Over the next 12 months, major contributors to continuing assaults against US businesses will likely be malware attacks in the form of Trojan horses and DDoS attacks. Hackers develop sophisticated Trojan horses to attack networks, including multi-layered threats. They deliver malware using phishing techniques to entice victims to either open a malicious file or visit an infected website. Hackers can then use remote access Trojans to access victims' computer files and data. Additional threats to business come from DDoS attacks, which are on the rise given the availability of toolkits and methodology instructions.

Discussion

Identity and data theft are likely to remain major contributing factors in attacks against US businesses. While large-scale data breaches1 and business identity thefts decreased2 from 2009 to the present, the sophistication of malicious attacks increased dramatically.3 Verizon's Data Breach Investigation Report of 2010 breaches found a total of 760 incidents, the highest number the company has recorded.4 A Trustwave Global Security Report for 2011 found an increase in breach investigations of 42 percent in 2011 over 2010.5 As of September 2011, the FBI was investigating over 400 cases of corporate banking account takeovers. These takeovers resulted in the theft of over USD 255 million.6 A PriceWaterhouseCoopers study shows 23 percent of companies reported incidents of computer or Internet crime.7

Malware

Cyber criminals use two main hack methods against businesses: malware and DDoS attacks. Malware is a factor in about half the hacking cases and responsible for nearly 80 percent of data loss.8 A 2011 report by PandaLabs indicates malware is rising;9 the report cites malware as a common reason for security breaches.10 Trojan horses are the primary type of malware hackers use to attack businesses.

An Arbor Networks survey shows 44 percent of businesses experience 10 or more attacks every month.

Malware: Malware is a tool for intercepting passwords, infecting computers, or doing any other unsolicited action. Malware includes viruses, worms, Trojan horses, and spyware.
Exploit Toolkit: Toolkits, usually using PHP with a MySQL base, allow hackers to set up rules to direct traffic to specific command and control servers and to deliver malicious files or payloads. Toolkits allow hackers to develop methods to trick victims into downloading Trojans from infected websites. The exploit kit gives hackers an easy-to-use method of disguising their identity along with attempting to subvert traditional antivirus screenings.
Source: http://tinyurl.com/7dk46wa

Recently, hackers have developed HTML emails that contain JavaScript and do not require an email attachment to launch the embedded Trojan.11 Another new development that will likely lead to additional, sophisticated attacks is the development of malware as open-source programs. Users create the open-source programs in social networks where they can suggest new features, report on errors, and receive customer support.12 Because of the community aspect, cyber criminals are able to access the collective knowledge of hackers to build more complex attacks.13

In addition to offering group-developed malware, hackers now offer Software-as-a-Service (SaaS) methods for developing attacks.14 Beyond utilizing SaaS, perpetrators can also purchase exploit kits, which allow them to create more sophisticated attacks.15 Experts believe attackers used the Black Hole exploit kit in nearly half of all exploits in 2011. Hackers use the Black Hole Trojan to create 95.1 percent of malicious URLs.16 Hackers can purchase an annual license for the Black Hole exploit kit for USD 1,500, which includes free software updates for the duration of the contract.17 A new type of malware is the TROJ_DOFOIL.exe Trojan, which downloads and executes a malicious file that allows a hacker to access and send stolen data from the victim's computer to a cloud-based file service.18 Web pages are not immune from tampering, either. SophosLabs found an average of 30,000 newly infected web pages daily throughout 2011.19 Other recent malware incidents include the Gameover, SpyEye, and Citadel Trojans. Gameover is a variant of the Zeus Trojan that allows a hacker to collect banking information for the purpose of removing funds from accounts. Similarly, hackers use SpyEye to pilfer funds from bank accounts, only this Trojan uses a man-in-the-middle attack to conceal what it is doing from the victim.20 Citadel is a remote administrative tool Trojan that not only allows the hacker access to a victim's computer, but also makes the infected computer unable to access or receive updates from antivirus vendors.21 Trojan horses, viruses disguised as a useful piece of software, can accomplish a variety of tasks including allowing remote access, logging keystrokes, erasing programs, opening ports, or overriding antivirus programs on a victim's computer.22 Trojans make up 89 percent of the 1,000 malware samples recently detected by McAfee Labs.23 Even China, usually blamed for cyberattacks, is not immune to Trojans. China's National Computer Network Emergency Response Technical Team (CNCERT) reported nearly 480,000 Trojan horse attacks in 2010. According to the report, 221,000 of those attacks originated from outside China, with 14.7 percent of the attacks originating from IP addresses in the United States.24 In fact, PandaLabs found some type of malicious code, virus, worm or Trojan infected 50 percent of all computers worldwide in 2011.25

PandaLabs data indicates that in January 2012, Trojans caused the most incidents of worldwide threats. Source: http://tinyurl.com/7mzxpyj

Further adding to the sophistication of newly developed malware, hackers are hiding the infected files in a second or third layer. For example, the Internet Explorer (IE) Duqu embedded a zero-day attack in a font file in a Microsoft Word document.26 A final method for attacking businesses with malware is to purchase services from vendors; potential hackers need not understand coding or development, they only need to pay for another individual or group to perform the attack.27

Frankenmalware: When an executable virus reaches a worm-infected PC, the virus not only infects the machine, but also the worm. The worm-virus combination can then spread to other computers.
Source: http://tinyurl.com/73kx3rw

Hybrid malware is a newer method for attacking systems. Frankenmalware infects approximately 0.004 percent of the computers researchers from Bitdefender analyzed.28 Security experts report one of the biggest problems resulting from hybrid malware is replication to other computers. Anti-virus software may not be able to defend against hybrids because the hash, or fingerprint, may change when the two combine.29 Bitdefender posits that of the sixty-five million threats worldwide, potentially 260,000 computers could presently be infected with hybrid malware.30

Malware attacks are not limited to organizational data. The Vulnerability Assessment Team (VAT) at Argonne National Laboratory demonstrated a method to hack the Diebold Accuvote touch screen voting machines using a man-in-the-middle attack. The method is able to alter votes while leaving no evidence of the tampering on the machines.31 Embedded malware is an additional method for illegally accessing data. Greg Schaffer, acting deputy undersecretary of the DHS National Protection and Programs Directorate, said in a speech that foreign parties are preloading spyware, malware and other security-compromising items in electronics to be sold in the US.32

Phishing and Malware

Traditional phishing techniques remain the dominant method for delivering malware. Operation Shady RAT targeted over 70 organizations, including 20 percent of the Fortune 100.33 This ongoing remote administrative tool attack lasted over a year in some cases, targeting governments and defense contractors. The governments of the United States, Canada and South Korea were among the victims. According to McAfee, total data taken from the attacks amounts to petabytes. The command and control server running the attacks is still operational.34 The attack seems to begin with a legitimate-looking email, a spear-phishing technique. The attachment contains malicious code designed to compromise the employee's computer and then monitor, collect and extract data from the entire network.35 In fact, 71 percent of all network attacks start with remote access.36 Outsiders, not disgruntled employees, are usually the perpetrators of these attacks.37 Food and beverage, hospitality, and financial services are the industries hackers most frequently attack. Trustwave issued a report that found that industries comprising franchises and chain stores were leading targets of malware attacks in 2011.38 Kaspersky Labs noted that new malicious programs that target financial data make up 1.1 percent of the malware detected daily by the company.39 Trojan bankers steal victims' bank account details. Kaspersky has detected the Trojan on an average of 2,000 unique users' computers daily since December 2011.40

DDoS Attacks

Both Death DDoS Service and Totoro offer outsourced DDoS attacks so that hackers can initiate an attack on any website without doing the coding themselves.41 Hackers with coding knowledge can easily implement DDoS attacks through the use of online tools. Arbor Networks claims that anyone with a basic understanding of the Internet could launch an attack.42 Analysts have identified more than 55 primary tools used to create DDoS attacks.43 Some of the more dangerous DDoS and botnet toolkits available are Darkness/Optima, DeDal, Dirt Jumper, G-Bot, and Russian Armageddon.44 CERT Australia identified Dirt Jumper as the culprit of a 6 February 2012 attack on Money Management. That DDoS attack consisted of over 4,500 different computers from 50 different countries.45 The scale of DDoS attacks is also on the rise. This increase is likely the result of the availability of free versions of toolkits, such as v.6m of Darkness in January 2011.46 Not only are some of the toolkits free, there are a number of forums that detail the process for using the toolkit to launch a DDoS attack. A Prolexic study found that while DDoS attacks are tending to be shorter in duration, they are bigger in packet-per-second volume.47 In fact, 13 percent of companies surveyed by Arbor Networks in a study reported attacks over 10 gigabytes.48 Hackers are increasingly attacking organizations because of differing political or ideological stances.49 This is a change in motivation from the goal of extorting or influencing businesses.50 The shift in motivation will also likely lead to an increase in the use of DDoS attacks, as opposed to traditional attack methods.51

90 percent of sampled businesses claimed to have experienced one DDoS attack per month, up 15% from 2010, according to Arbor Networks.

Organizational Security

Malware and DDoS attacks are effective partly because of poor corporate security practices. In particular, the use of the same passwords across both personal and corporate accounts, or of weak passwords, enables hackers to breach corporate networks easily.52 Cyber criminals purchase log-in credentials in bulk. Anyone can purchase Facebook and Twitter account credentials with personal email addresses for USD 30 per log-in.53 A hacker can further use stolen social network credentials to log in as the individual to send emails or links with embedded malware.54 Weak passwords are a major factor in corporate network breaches, with the most common business password being Password1 because it meets all of the criteria for the default complexity settings in Microsoft Active Directory.55 Sharing personal and business passwords compromises the security of an organization's network.56 In fact, an analysis of the passwords stolen from Stratfor in December 2011 shows that one in every ten accounts had a trivial password.57 A sample of the identities and passwords stolen from Sony showed that users reused two-thirds of the passwords for other applications.58

Criminals also use software vulnerabilities to target business networks. The top three pieces of software that hackers target all have patches available, according to a study by M86 Security.59 The study revealed that the most common vulnerability criminals tapped into during the last half of 2011 was on IE6, boasting 17.7 percent of all web exploits. A patch for IE6 has been available since 2006.60

According to Secunia's Yearly Vulnerability Research Report, patched vulnerabilities remain the primary exploitation method. Source: http://tinyurl.com/7oeg2ef

Organizational security is also vulnerable to social engineering and phishing attacks. Both attacks target individuals in a company for the purpose of gaining access to data networks. An Australian Federal Police report cited social engineering as one of the largest cyber security threats to IT infrastructure.61 Criminals use innocent-looking emails or notices to lure victims into opening an infected file. A GFI report shows that legitimate-looking customer complaint notices from the Better Business Bureau accounted for many attacks on small business owners. The email contained a link to the complaint that actually routed to malware sites.62 Another email phishing campaign included an attached invitation to an upcoming conference.63

Small businesses are particularly at risk. A Javelin report suggests that small businesses face a 15 percent higher rate of identity theft than consumers.64 Despite being at increased risk, 13 percent of small businesses employ no security measures on their networks.65 A study by Panda Security also found that 36 percent of small businesses rely on free antivirus software, 31 percent have no anti-spam program installed, 23 percent do not use anti-spyware software, and 15 percent have no firewall.66 While small businesses are at increased risk, vendors correct critical vulnerabilities more rapidly. Symantec found a 30 percent decrease in the total number of software vulnerabilities and a 10 percent decrease in critical vulnerabilities in 2011.67

Analytic Confidence

Analytic confidence for this assessment is medium. Source reliability ranges from medium to very high and sources were corroborated. The analyst's expertise is medium. The analyst worked alone but consulted with group members. The analyst used the Analysis of Competing Hypotheses methodology to corroborate this conclusion (refer to Annex 2). Subject complexity is medium and the time available for the task was adequate.

For questions or comments, please contact the author: Leslie Guelcher Email: lguelc84@lakers.mercyhurst.edu Tel. #: 814-450-2450


Attack Methods: Cyber Identity Theft

Executive Summary

Phishing is highly likely to remain the most common method of conducting cyber identity theft over the next 12 months. Key factors are the refinement of phishing techniques, allowing access to secure networks without advanced technology, and the relative ease of fooling victims. Spam on social networking sites and bad apps are also increasing.

Discussion

Phishing To Remain Biggest Threat To Identity

Phishing is the tactic of sending an innocuous-looking email, usually disguising it to look as though it is from a legitimate source, and tricking a victim into giving personal information.68 Some phishing emails direct the victim to a website and prompt him to enter personal information directly, while others contain file attachments which can compromise a computer or an entire network.69 A scammer may attack individuals, or use individuals as a tool to infiltrate an organization or company. An average of one in every 302 emails worldwide was a phish in November 2011, but the public sector remained the chief target, with a phish comprising one in every 120 emails.70 Hackers strike individuals and businesses of all sizes. Phishing techniques are growing more sophisticated. Although phishing scams with generic and vague language are still common,71 spear-phishing attacks (targeted phishing attacks) are becoming more prominent.72 Whether targeting an individual or an organization, a hacker tailors his scam to make it more likely that the victim will take the bait. Scammers may use Facebook to tailor spear-phishing schemes. Attackers take advantage of information that many users share on their profiles, which enables them to target a potential victim more effectively. Targeted attacks are increasing in frequency worldwide.73

In November 2011, automated toolkits distributed over half of all phishes. Image source: http://tinyurl.com/7h5rbst


The use of toolkits allows even unskilled hackers to carry out phishing scams and compromise systems they might otherwise be unable to infiltrate. In November 2011, the total number of phishing sites increased by 66 percent.74 Experts say that the use of exploit kits drastically increases each year,75 and this past year was no exception: in November, automated hacking toolkits created over half of all phishes, more than 300 percent of their previous share. Phishing is becoming more lucrative for scammers without significant technical skills or equipment. Even experts are vulnerable to phishing. The hack of RSA's SecurID system is one high-profile example of spear-phishing, and a wonderful example of people who should know better than to open that suspicious file. This was a case of spear-phishing because the attackers specifically tailored the email and file names to maximize their appeal to RSA employees. Even experts such as those at RSA are vulnerable to phishing attacks: nobody is immune. Timing is key to the success of some scams. Domain typo scams, or scams that set a URL to something very close to a brand and then spoof that brand, pop up when a particular brand receives attention. Notably, Megaupload spoofs recently flourished after the January 2012 shutdown of Megaupload and exploited netizens curious to see what the FBI had done to the website.76

The 2011 RSA hack began with this spear-phishing email. Image source: http://tinyurl.com/7euu5rb
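The domain typo scams described above (a URL set to something very close to a brand name, registered when that brand is in the news) are detectable from the defender's side by comparing newly observed registrations against a list of protected brand names. The following is an added example, not code from this report: it computes edit distance between the registrable label of each domain and a constructed brand list, and separately flags labels that embed a brand inside extra words. The brand list and the observed-domain feed are constructed samples, not real registrations.

```python
# Constructed list of brands a defender wants to watch; not from the report.
BRANDS = ("facebook", "megaupload", "youtube")


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a domain ('megaupload' from 'www.megaupload.com').
    Simplification: assumes a single-label TLD; a real tool would consult the
    public suffix list so that 'example.co.uk' yields 'example'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain, brands=BRANDS, max_distance=2):
    """Return 'exact', 'typo:<brand>', 'combo:<brand>' or 'unrelated'."""
    label = registrable_label(domain)
    for brand in brands:
        if label == brand:
            return "exact"
        if levenshtein(label, brand) <= max_distance:
            return f"typo:{brand}"        # one or two edits away: megaup1oad
        if brand in label:
            return f"combo:{brand}"       # brand plus extra words: megaupload-fbi
    return "unrelated"


def flag_lookalikes(observed, brands=BRANDS):
    """Map each suspicious domain in a feed to its classification; exact
    matches (the brand's own domain) and unrelated names are dropped."""
    flagged = {}
    for domain in observed:
        verdict = classify(domain, brands)
        if verdict not in ("exact", "unrelated"):
            flagged[domain] = verdict
    return flagged


# Constructed sample of newly observed domains, as a certificate-transparency
# or passive-DNS feed might deliver them; none are real observations.
OBSERVED = [
    "www.megaupload.com", "megaup1oad.net", "megaupload-fbi.com",
    "facebok.com", "example.org", "youtube.com",
]

if __name__ == "__main__":
    for domain, verdict in flag_lookalikes(OBSERVED).items():
        print(f"{domain:24} {verdict}")
```

The distance threshold is a tuning knob: two edits is sensible for ten-letter brands like "megaupload" but produces false positives for short names, so a production monitor would scale the threshold with label length and feed hits into a review queue rather than blocking automatically.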


Scammers still most commonly spoof financial brands.77 However, scammers increasingly make use of brands with growing clout in pop culture, such as Facebook78 and YouTube.79 As the consumer base of those brands increases, so does the number of potential victims. Furthermore, the nature of social networking sites such as Facebook and Twitter allows scams to spread virally, reducing the necessary time and effort on the part of the scammer. Common phishing scams include scams using natural disasters as opportunities to make money, employment scams, and phony debt relief settlement services. Scams taking advantage of people's desire to help victims of disasters in 2011 were widespread.80 2011 was the costliest year in history for natural disasters worldwide,81 with 14 in the United States topping USD 1 billion in damage.82 Experts expect current climate trends causing disasters to continue,83 so identity thieves will almost certainly continue to strike with fake donation scams. It is important to note, however, that even if natural disasters do not increase in the next year, scammers will almost certainly find other ways to dupe victims. Among other widespread phishing scams in recent years are those which take advantage of the poor economy: the most common were employment scams84 in 2011 and debt settlement scams in 2010.85 In employment scams, the scammers post phony job ads on job search sites, posing as an employer, and attempt to elicit information from the employment-seeking victim.86 The debt relief scam often involves upfront fees in addition to personal information, and naturally does nothing to ameliorate the victim's debt.87

Social Spam Rising

Also notable is the rise of social spam, or unwanted content that users experience on social networking sites.88 Many social networking communities cannot stem the growth of social spam on their sites. Internet culture further hinders efforts to stem it.

How malware spreads over social networking sites. Image source: http://tinyurl.com/86g8apf

Much of Facebook's fight against social spam is passive, not proactive, in nature.89 Site integrity teams check for spikes in spam reports and unusual activity. By the time a team destroys the spam, many people may have already become victims. Although sites such as Facebook include basic automatic content filtering,90 these functions are rudimentary at best and may block legitimate messages91 simply for including links.92 Internet culture is a key factor in the increase of social spam. Users invest a great deal of trust in their contacts on social networking sites. People are more likely to select a link if someone they know has (or appears to have) recommended it. Many users' desire to receive constant updates leads them to read and respond to things without first considering consequences.93 This trust is key to the propagation of malware links.94 Likejacking, or clickjacking, scams on social networking sites take advantage of that sense of trust. A scammer need only post a poisoned link, and when a curious victim investigates the link, Facebook posts that link to the victim's profile page, thereby spreading the link virally.95 Some scams trick users into thinking that they are going to get an extra level of a popular game such as Angry Birds, but instead post the poisoned links to the users' walls.96 Just a few bad links can affect many users. Facebook claims that less than 4 percent of the content on its site is spam and Twitter places its bad content at 1.5 percent.97 Assuming these numbers are accurate, they seem acceptably low. However, if even one bad link gets past screening it can affect a great number of people before the site removes it. Conflicting reports of the number of affected users complicate the issue. In 2010 a Facebook spokesman claimed that a vast majority of users had never had a security issue on the site.98 However, anti-virus firm Sophos found the same year that 40 percent of social network users had encountered cyber attacks.99 Impermium, a subscription-based anti-spam service, found that 90 percent of social network users encountered social spam in 2011.100 While the experiences of encountering a cyberattack and having a security issue are not necessarily identical, the enormous discrepancies among the cited statistics raise skepticism as to whether Facebook is being completely truthful about its spam incidence.

Disguise-Type Malware Becoming Greater Risk For Mobile Devices

Disguise-type malware is malware posing as some other product, such as a popular game. Its incidence is rapidly rising on mobile devices, particularly Android devices. Key reasons for this are Android's huge market share, Android Market's relaxed review policy, vulnerabilities on Android devices, and the enormous popularity of casual games. With its large user base and device vulnerabilities, Android is an obvious target for hackers. Android now possesses over 50 percent of the global smartphone market share.101 Furthermore, almost every Android device retains vulnerabilities that allow most malware to gain root access.102 The combination of those two factors alone makes Android devices attractive to hackers. Google's relatively cursory review policy makes it much more likely that malware apps will make it to the Android Market, the Android app store. Fortinet experts say that hackers primarily spread mobile malware through app stores.103 Hackers can easily get apps onto the Android Market and spread them. While it might take up to 4 days to get a mobile app onto the Apple App Store, it can take under 10 minutes to get the same app onto the Android Market.104 The number of malicious apps posing as levels or cheats for games like Angry Birds is very high on the Android Market, but is very low on the Apple Store.105 AhnLab predicts an increase in 2012 in the number of disguise-type malware for smartphones.106 In January 2012, security firm Avast reported a new batch of disguised malware apps, which upon installation begin downloading packages from remote servers and sending premium-rate SMS.107 Malware masquerading as levels from popular games is rewarding for hackers because casual games currently enjoy huge popularity: Angry Birds boasts more than 200 million downloads.108 By March 2011, the game had generated USD 70 million, making it one of the most profitable games in history.109 Experts predict that by 2013, revenue from casual games such as Angry Birds will exceed USD 1 billion.110 It is a very lucrative market, and by taking advantage of it disguise-type malware is on the rise.

Disguise-type malware on the Android Market. Image source: http://tinyurl.com/7jjamsb
Ransomware is a form of disguise-type malware that renders a system unusable, with promises to return functionality in return for a monetary sum from the victim.111 It has existed in some form for decades but more recently has become a threat to mobile devices as well as PCs.112 Ransomware scams in late 2011 impersonating various worldwide law enforcement agencies demonstrated that ransomware is becoming more sophisticated, both in scamming techniques and in coding.113 This growing sophistication is not limited to


PCs. Because mobile ransomware is so new, hackers are experimenting with it and exploring possibilities, which make ransomware a threat to watch for in 2012.114

Analytic Confidence

Analytic confidence for this assessment is medium. Source reliability ranges from medium to very high and sources were corroborated. The analyst's expertise is low-medium. The analyst worked alone but consulted with group members. The analyst used the Analysis of Competing Hypotheses methodology to corroborate this conclusion (refer to Annex 3). Subject complexity is medium and the time available for the task was adequate.

For questions or comments, please contact the author: Laura Suprock Email: lsupro04@lakers.mercyhurst.edu Tel. #: (814) 520-6261


Attack Methods: Infrastructure

Executive Summary

It is unlikely that a cyber-attack will exploit a SCADA (supervisory control and data acquisition) vulnerability to damage U.S. utilities in the next 12 months. Despite recent media attention to SCADA vulnerabilities, the sheer complexity of the system coupled with fail-safes and redundancies in these systems' engineering would prevent most attacks from reaching a widespread, catastrophic impact. However, chances are better than even that a state-sponsored cyber-attack team could gain access to an area of U.S. infrastructure through the weaknesses in the SCADA system.

Discussion

SCADA Systems Security

Recent media and press attention has generated a lot of concern over the security of the critical infrastructure and, moreover, the ease and ability of hackers to cause catastrophic failure of important utility services. Given all the documented breaches of security on public and private networks, it is very possible for such intrusions and attacks to also occur on critical control systems, such as SCADA networks, which compose a large part of the critical infrastructure. It is unlikely that a non-sponsored hacker or team of hackers could exploit the weaknesses in SCADA systems. In order for a hacker to use SCADA to take control of a utility's component they must: 1. be a highly skilled coder with detailed insider knowledge, 2. maintain the resources for the significantly long amount of time necessary for such a project, and 3. be confident enough to implement the attack on the first try without detection. Without these three conditions, any type of cyber-attack on an area of infrastructure would be highly likely to fail.115

SCADA system screenshot of BOC Edwards EM Pump Test Overview demonstrates the redundancies that safeguard the entire system. Image source: http://tinyurl.com/84l6scd


Current Efforts to Secure SCADA Networks

Until recently, efforts on protecting control systems have focused on reliability of the actual system. Threats of major cyber-attacks and sabotage have shifted this focus to a more external scope. Several industry- and government-led efforts to improve the security of SCADA and similar systems show strong indications of fortifying infrastructure integrity.

Government

President Bush created the President's Critical Infrastructure Protection Board in October 2001 to coordinate all Federal activities related to the protection of information systems and networks supporting critical infrastructures, including: federal departments and agencies, private sector companies that operate critical infrastructures, and state and local governments' critical infrastructures.116 The Department of Energy has also led security efforts by establishing the national SCADA test bed program, and by developing a 5-year outline for securing control systems in the energy sector. The report identifies four main goals: (1) measure current security, (2) develop and integrate protective measures, (3) detect intrusion and implement response strategies, and (4) sustain security improvements.

The American Gas Association (AGA) has developed a series of documents which recommends practices to protect SCADA communications against cyber incidents. The recommended practices focus on ensuring the confidentiality of SCADA communications.117

The American Petroleum Institutes (API) standard provides guidelines to the operators of oil and natural gas pipeline systems for managing SCADA system integrity and security. The intent is to provide operators with a description of industry practices in SCADA security, and to provide the framework necessary for developing sound security practices within the operators individual organizations.119

The Department of Energy also published 21 Steps to Improve Cyber Security of SCADA Networks, a document that outlines specific actions to improve implementation of security and actions to establish management processes and policies.

The North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection program coordinates efforts to improve cyber security for the power system in North America, especially with SCADA integrated systems.121

SCADA systems are structurally and internally complex, a factor that inevitably results in more vulnerabilities that may go unchecked. However, gaining access to these vulnerabilities and discovering supposed weaknesses requires a detailed understanding of this intricate system. It is likely that reverse-engineering a single SCADA control center network might take several highly skilled coders at least 6 months.122 Koyo Electronics, a Japanese firm, is working on finding and removing many weaknesses in the SCADA system through a recently revealed tool that cracks passwords.123 This program will eventually make it easier to identify and fix these design flaws. Every SCADA control center is configured differently,124 with different devices running different software and protocols; performing an attack on multiple SCADA facilities would require a new attack plan for each facility.125 Also, the likelihood of successfully damaging even a single utility's component is low. Without a real-world practice run, hackers would rely on achieving their goal on the first try. Any failure would leave the hacking team with few to no answers as to why it failed, and with the prospect of a much more sophisticated and complex future attack.

Nation-States Are Biggest Threats To U.S. Infrastructure

Critical infrastructures are highly interconnected and mutually dependent in complex ways, both physically and through a host of information and communications technologies. An incident in one infrastructure can directly and indirectly affect other infrastructures through cascading and escalating failures. Exploiting these weaknesses and vulnerabilities in infrastructure control systems becomes easier as SCADA systems become more complex, digitalized, and reliant on the Internet. However, although some SCADA computers have weak external security, controlling them takes significant computer engineering and control systems engineering expertise. Taking control of these systems from the outside requires a great deal of specialized knowledge, and a hacker must also overcome non-computerized fail-safe measures. Access to this specialized knowledge and the funding to carry out a large-scale attack are necessary in order to cause a significant amount of damage to U.S. infrastructure. The most likely source with the resources to supply the funding and expertise necessary for such an attack on infrastructure controls is a nation-state or a nation-state-funded selective group.

The percentage of utility companies that interact with their government is much higher in China than in the U.S., allowing government officials to implement cyber-security programs more quickly. Image source: http://tinyurl.com/3vgp5us

According to reports from the National Security Agency (NSA), cyber spies have penetrated the U.S. infrastructure system (i.e., the electrical grid) and left behind programs that could potentially disrupt it. According to intelligence officials and cyber security specialists, the sophistication of the U.S. intrusions, which extend beyond electric to other key infrastructure systems, suggests that China and Russia are mainly responsible. U.S. officials said investigators have followed electronic trails of stolen data to China and Russia, though officials from both countries have denied any such attempts at infiltrating infrastructure systems. It is highly unlikely that a group of independent hackers could cause irreparable damage to any utility through its control systems. Many skilled hackers with intimate knowledge of the control system would need to be present to even begin planning such an attack. The supervised mock cyber-attack on an unnamed Southern California utility company gave its team of experienced hackers some information on the company's general security system.126 The threat that terrorist organizations such as Al-Qaeda or the Taliban pose to U.S. infrastructure is minimal to non-existent. Both groups have sustained major losses to their groups as a whole, especially to their Internet experts. Officials apprehended Khalid Sheikh Mohammed, Al-Qaeda's leading Internet expert, in 2003 and currently have him detained in Guantanamo Bay detention camp.127 The lull in cyber activity from both groups since 2008 indicates that they are not actively seeking experts in hacking.
Although it is possible that they are using existing members to plan a cyberattack, it is highly unlikely that they could inflict major damage without communicating with more experienced hackers.

SCADA Vulnerabilities Will Pose Risks If Unchecked

It is unlikely that conventional and less resourceful hackers will exploit vulnerabilities in a SCADA system to cause damage to U.S. infrastructure. However, chances are better than even that state-sponsored hackers could currently take advantage of weaknesses within the system. Such flaws include a highly interconnected critical infrastructure system and the pronounced number of bugs discovered across several infrastructures. The U.S. critical infrastructure is often referred to as a "system of systems" because of the interdependencies that exist between its various industrial sectors as well as interconnections between business partners.128 SCADA systems interconnect both physically and through their information sharing network with most of the U.S. infrastructure in some way.129 These connections are such that damage to one sector may cause a domino effect with far-reaching consequences, as demonstrated in the figure below.

Chain reaction across industries and sectors if electric power supply were to get disconnected. Image source: http://tinyurl.com/7jzq3pq

As of 3 February 2012, Terry McCorkle, an industry researcher, and his partner had discovered 1,035 bugs in industrial control system SCADA software. They reported that, of the bugs found that cause systems to crash, someone who could spend some time to find a way to exploit the vulnerability could easily exploit 95 of them.130 According to the study, many of the systems that are now Internet accessible were never designed for that. Some have embedded Web services and mobile interfaces that make it even easier to connect remotely. To make matters worse, many SCADA systems are available online with weak passwords such as "100".131 In the past, SCADA and industrial control systems in general have been responsible for monitoring and controlling critical infrastructures and manufacturing processes operated in isolated environments. These control systems and devices communicated with each other within an isolated network, and rarely shared information with systems outside their environment.132 But over time, as more components of control systems have interconnected with the outside world using Internet-based standards, and as control networks have integrated into larger corporate networks in order to share valuable data, the probability and impact of cyber-attacks have increased.133


However, companies such as Rapid7134 and Tenable Network Security135 are planning to release testing modules for the Metasploit and Nessus vulnerability scanning suites, programs that organizations can use to find disclosed vulnerabilities within their environments. The increasing number of methods of detecting vulnerabilities throughout a system that designers intended for isolation, not interconnection, is promising. Although SCADA systems retain design flaws in security, increasing awareness and repair methods are likely to protect them against most malicious hackers. However, unless more action is taken to ensure the safety of the system, state-sponsored hackers will remain the biggest threat to U.S. infrastructure in the next 12 months.

Analytic Confidence

Analytic confidence for this assessment is medium. Source reliability is high and sources could be efficiently corroborated. The analyst's expertise is low-medium and the analyst worked alone. The analyst used the Analysis of Competing Hypotheses methodology to corroborate this conclusion; however, ACH concluded that a more likely estimate would be that chances are less than even that a cyber-attack will exploit a SCADA vulnerability to damage U.S. utilities in the next 12 months (refer to Annex 4). Subject complexity is medium and the time available for the task was adequate.

For questions or comments, please contact the author: Joseph R. Sweeney Email: jsween67@lakers.mercyhurst.edu Tel. #: 516-352-1128


Annex 1: Malicious Activity by Source Origin

Source: http://tinyurl.com/7qdayjg.

In 2010, the United States and China were once again the top sources for overall malicious activity. The United States saw an increase in botnet-related spam zombies, phishing hosts, and bot-infected computers during this reporting period. The United States is the main source of bot-infected computers for Rustock, one of the largest and most dominant botnets in 2010, and for the Tidserv Trojan botnet. At the end of 2010, experts estimated Rustock had 1.1 million to 1.7 million bots and accounted for 48 percent of all botnet spam during that year. The Tidserv Trojan uses an advanced rootkit to hide itself on a computer, and over half of all infected computers in this botnet in 2010 were in the United States. As such, these factors would have contributed to the increases in United States spam zombie and bot-infection percentages. China's rise as a source of malicious activity is due to a spike in Web-based attacks originating from compromised computers and Web servers within that country. ZeuS accounted for much of this activity. Symantec will monitor this activity and provide more detail in future reports if the activity continues.


Annex 2: ACH Threats Against Business

Malware will likely affect US business cyber security within the next 12 months.



Annex 3: ACH Cyber Identity Theft

Phishing will likely remain the most common method of conducting cyber identity theft over the next 12 months.



Annex 4: ACH Attacks Against Infrastructure

It is a little less than even that United States SCADA will not be the target of a cyber-attack in the next 12 months.


Endnotes

1 http://gocsi.com/public/dbir (Source Reliability: Very High)
2 https://www.javelinstrategy.com/uploads/1103.R_ 2011%20Identity%20Fraud%20Survey%20Report%20Brochure.pdf (Source Reliability: Very High)
3 http://www.infosecisland.com/blogview/16536-FBI-Investigating-Over-400-Corporate-Account-Takeovers.html (Source Reliability: Medium)
4 http://www.networkcomputing.com/security/232600665 (Source Reliability: Very High)
5 http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232600620/when-and-howattackers-are-owning-businesses.html (Source Reliability: High)
6 http://www.networkcomputing.com/security/232600665 (Source Reliability: Very High)
7 http://blog.highbeambusiness.com/2011/12/computer-crime-statistics-2011-increase-in-cybercrime-phishing-andmalware-attacks/ (Source Reliability: Medium)
8 http://gocsi.com/public/dir (Source Reliability: Very High)
9 http://www.infosecurity-magazine.com/view/23558/75-of-all-new-malware-are-Trojans (Source Reliability: Very High)
10 http://www.networkcomputing.com/security/232600665 (Source Reliability: Very High)
11 http://www.darkreading.com/smb-security/167901073/security/attacks-breaches/232500660/new-drive-by-spaminfects-those-who-open-email-no-attachment-needed.html (Source Reliability: Very High)
12 http://www.computing.co.uk/ctg/news/2145226/malware-authors-social-improve-cyber-attacks (Source Reliability: Very High)
13 Ibid
14 Ibid
15 http://searchsecurity.techtarget.co.uk/news/2240115060/Study-finds-attacks-slip-past-spotty-management-policies (Source Reliability: Very High)
16 Ibid
17 http://www.airdemon.net/blackhole.html (Source Reliability: Medium)
18 http://www.gmanetwork.com/news/story/246819/scitech/technology/new-kind-of-malware-steals-uploads-docsto-cloud (Source Reliability: High)
19 http://www.csoonline.com/article/699732/increasing-malware-and-lax-security-biggest-fears-for-users-sophos (Source Reliability: Very High)
20 http://www.net-security.org/malware_news.php?id=1954 (Source Reliability: Very High)
21 http://www.computing.co.uk/ctg/news/2145226/malware-authors-social-improve-cyber-attacks (Source Reliability: Very High)
22 http://www.websitedefender.com/malware/protect-from-website-virus/ (Source Reliability: Very High)
23 http://www.mcafee.com/threat-intelligence/malware/latest.aspx (Source Reliability: Very High)
24 http://www.msnbc.msn.com/id/44093850/ns/technology_and_science-security/t/china-hit-nearly-Trojan-horseattacks/ (Source Reliability: High)
25 http://www.zdnet.com/blog/security/report-av-users-still-get-infected-with-malware/8108 (Source Reliability: Very High)
26 http://searchsecurity.techtarget.co.uk/news/2240115060/Study-finds-attacks-slip-past-spotty-management-policies (Source Reliability: Very High)
27 http://www.informationweek.com/news/security/attacks/232600497 (Source Reliability: Very High)
28 http://www.net-security.org/malware_news.php?id=1972 (Source Reliability: Very High)
29 http://www.Trojanremovalsoftware.org/are-viruses-breeding-in-the-wild (Source Reliability: High)
30 http://www.net-security.org/malware_news.php?id=1972 (Source Reliability: Very High)
31 http://www.infosecisland.com/blogview/16960-Researchers-Demonstrate-Diebold-Voting-Machine-Hack.html (Source Reliability: Medium)
32 http://www.eweek.com/c/a/Mobile-and-Wireless/DHS-Claimes-Foreign-Suppliers-Have-Embedded-Malware-inUSElectronics-832422/ (Source Reliability: Very High)
33 http://www.forbes.com/sites/ciocentral/2011/11/18/cyber-spies-are-winning-time-to-reinvent-online-security/ (Source Reliability: Very High)
34 http://arstechnica.com/security/news/2011/08/operation-shady-rat-five-year-hack-attack-hit-14-countries.ars (Source Reliability: Very High)
35 Ibid
36 http://www.networkcomputing.com/security/232600665 (Source Reliability: Very High)
37 Ibid
38 Ibid
39 http://www.itp.net/587904-Trojan-banker-attacks-escalate (Source Reliability: High)
40 Ibid
41 http://www.informationweek.com/news/security/attacks/232600497 (Source Reliability: Very High)
42 http://www.eweek.com/c/a/Security/DDoS-Attack-Tools-Service-Help-Target-Organizations-Arbor-Networks763864/ (Source Reliability: Very High)
43 http://www.informationweek.com/news/security/attacks/232600497 (Source Reliability: Very High)
44 Ibid
45 http://www.cobarage.com.au/news/national/national/general/when-a-garbled-message-strikes-fear-into-apublishers-heart/2450646.aspx (Source Reliability: High)
46 http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20110123 (Source Reliability: High)
47 http://news.cnet.com/8301-13846_3-57374218-62/making-ddos-prevention-a-priority/ (Source Reliability: Very High)
48 http://smarthouse.com.au/Content_And_Downloads/Industry/C5W2X7J5 (Source Reliability: Very High)
49 http://www.informationweek.com/news/security/attacks/232600497 (Source Reliability: Very High)
50 http://smarthouse.com.au/Content_And_Downloads/Industry/C5W2X7J5 (Source Reliability: Very High)
51 Ibid
52 http://www.networkcomputing.com/security/232600665 (Source Reliability: Very High)
53 http://www.computing.co.uk/ctg/news/2144901/stolen-facebook-twitter-log-ins-sale-usd30 (Source Reliability: Very High)
54 Ibid
55 http://www.networkcomputing.com/security/232600665?pgno=2 (Source Reliability: Very High)
56 http://gocsi.com/public/dbir (Source Reliability: Very High)
57 http://www.darkreading.com/insider-threat/167801100/security/security-management/232600431/have-yourusers-passwords-already-been-hacked.html (Source Reliability: Very High)
58 Ibid
59 http://searchsecurity.techtarget.co.uk/news/2240115060/Study-finds-attacks-slip-past-spotty-patch-managementpolicies (Source Reliability: Very High)
60 Ibid
61 http://www.computerworld.com.au/article/380867/social_engineering_remains_biggest_cyber_threat/ (Source Reliability: Very High)
62 http://www.computing.co.uk/ctg/news/2144901/stolen-facebook-twitter-log-ins-sale-usd30 (Source Reliability: Very High)
63 http://www.gmanetwork.com/news/story/246819/scitech/technology/new-kind-of-malware-uploads-docs-to-cloud (Source Reliability: High)
64 http://blog.intuit.com/money/identity-theft-hitting-small-business-harder-than-consumers/ (Source Reliability: Medium)
65 http://technorati.com/business/small-business/article/cyberattacks-are-targeting-small-business-and/ (Source Reliability: High)
66 Ibid
67 http://www.darkreading.com/vulnerability-management/167901026/security/client-security/232300878/securityholes-in-software-decreased-this-year-early-data-shows.html (Source Reliability: Very High)
68 http://www.phishtank.com/what_is_phishing.php (Source Reliability: Medium)
69 http://computer.howstuffworks.com/phishing.htm (Source Reliability: Medium)
70 http://www.symantec.com/connect/blogs/symantec-intelligence-report-november-2011 (Source Reliability: Very High)
71 http://www.winferno.com/guides/antiphishing/common-questions-about-phishing.asp (Source Reliability: High)
72 http://www.informationweek.com/news/security/vulnerabilities/232400392 (Source Reliability: Very High)
73 http://www.symantec.com/connect/blogs/symantec-intelligence-report-november-2011 (Source Reliability: Very High)
74 http://www.symantec.com/connect/sites/default/files/SYMCINT_2011_11_November_FINAL-en.pdf (Source Reliability: Very High)
75 http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_report_2h2011.pdf (Source Reliability: High)
76 http://www.businessnewsdaily.com/2011-small-business-cyber-attacks.html (Source Reliability: High)
77 http://www.symantec.com/connect/blogs/symantec-intelligence-report-november-2011 (Source Reliability: Very High)
78 http://www.pcworld.com/article/249300/new_digital_spam_how_bad_guys_try_to_trick_you_ how_to_avoid_the_traps.html (Source Reliability: High)
79 http://www.m86security.com/documents/pdfs/security_labs/m86_security_labs_report_2h2011.pdf (Source Reliability: High)
80 http://www.symantec.com/content/en/us/enterprise/white_papers/b-symc_intelligence_qtrly_jul_to_sep_WP.enus.pdf (Source Reliability: Very High)
81 http://www.newsinsurances.co.uk/blog/2011-expensive-natural-catastrophe-year/0169484949 (Source Reliability: Medium)
82 http://www.noaa.gov/extreme2011/ (Source Reliability: Very High)
83 http://www.climate.gov/#climateWatch/videos (Source Reliability: High)
84 http://www.sacbee.com/2012/01/20/4201542/public-eye-better-business-bureau.html (Source Reliability: Medium)
85 http://techblog.cosmobc.com/2011/08/07/top-online-scams-infographic/ (Source Reliability: High)
86 http://online.wsj.com/article/C61121MATTIOLI.html (Source Reliability: High)
87 http://www.bbb.org/us/post/top-10-scams-and-rip-offs-of-2010-according-to-bbb-9055 (Source Reliability: Very High)
88 http://impermium.com/social-spam.php (Source Reliability: High)
89 http://online.wsj.com/article/SB10001424052970203686204577112942734977800.html (Source Reliability: High)
90 http://www.facebook.com/help/?faq=217878638230461 (Source Reliability: Medium)
91 http://consumerist.com/2012/01/how-facebooks-message-spam-filter-lost-me-a-free-tv-and-blu-ray-player.html (Source Reliability: Medium)
92 http://www.facebook.com/note.php?note_id=492192160843 (Source Reliability: Medium)
93 http://content.usatoday.com/communities/technologylive/post/2011/03/how-criminals-are-spreading-poisonedlinks-on-facebook/1 (Source Reliability: High)
94 http://www.computerworld.com.au/article/410782/feature_social_networking_security/?pp=2 (Pg. 2) (Source Reliability: Medium)
95 http://www.pcworld.com/article/249300/new_digital_spam_how_bad_guys_try_to_trick_you_ how_to_avoid_the_traps.html (Source Reliability: High)
96 http://www.computerworld.com.au/article/410782/feature_social_networking_security/ (Source Reliability: High)
97 http://online.wsj.com/article/SB10001424052970203686204577112942734977800.html (Source Reliability: High)
98 http://www.usatoday.com/tech/news/2011-03-22-facebook-phishing.htm (Source Reliability: High)
99 http://techland.time.com/2011/03/23/40-of-social-network-users-attacked-by-malware/ (Source Reliability: Medium)
100 http://impermium.com/social-spam.php (Source Reliability: High)
101 http://www.networkworld.com/podcasts/secthreat/2012/010312securitylandscape.html (Source Reliability: Medium)
102 http://www.pcmag.com/article2/0,2817,2396558,00.asp (Source Reliability: High)
103 http://www.networkworld.com/podcasts/secthreat/2012/010312securitylandscape.html (Source Reliability: Medium)
104 http://mobiledevices.about.com/od/mobileappbasics/tp/Can-Android-Really-Compete-With-The-Apple-AppStores.htm (Source Reliability: Medium)
105 http://blog.gadgethelpline.com/gadgets-safe-free-public-wifi/ (Source Reliability: Medium)
106 http://www.marketwatch.com/story/ahnlab-announces-mobile-security-threat-trends-for-2012-2012-01-11-7020 (Source Reliability: High)
107 http://www.gmanetwork.com/news/story/244908/scitech/gaming/fake-angry-birds-games-threaten-android-users (Source Reliability: Medium)
108 http://arabnews.com/lifestyle/science_technology/article565114.ece (Source Reliability: Medium)
109 http://www.industrygamers.com/news/angry-birds-one-of-the-most-profitable-games-in-history/ (Source Reliability: Medium)
110 http://arabnews.com/lifestyle/science_technology/article565114.ece (Source Reliability: Medium)
111 http://www.fortinet.com/press_releases/121213.html (Source Reliability: Very High)
112 http://www.theinfoboom.com/articles/new-ransomware-attacks-show-growing-sophistication/ (Source Reliability: High)
113 http://blogs.technet.com/b/mmpc/archive/2011/12/19/disorderly-conduct-localized-malware-impersonates-thepolice.aspx (Source Reliability: High)
114 http://www.scmagazineuk.com/2012-security-predictions-for-the-future-of-mobile-cloud-attacks-data-loss-andbig-data/article/220301/ (Source Reliability: High)
115 http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf (Source Reliability: High)
116 http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf (Source Reliability: High)
117 http://media.godashboard.com/gti/1ResearchCap/1_1GasOps/AGASCADANews.pdf (Source Reliability: Medium)
118 http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/DOE_OE_NSTB_Multi-Year_Plan.pdf (Source Reliability: High)
119 http://new.api.org/policy/otherissues/upload/Security.pdf (Source Reliability: High)
120 http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf (Source Reliability: High)
121 http://www.nerc.com/page.php?cid=6%7C69 (Source Reliability: High)
122 Ibid
123 http://threatpost.com/en_us/blogs/new-tool-will-automate-password-cracks-common-scada-product-020812 (Source Reliability: Low)
124 http://defensetech.org/2011/09/26/the-increased-threat-of-attacks-on-scada-systems/ (Source Reliability: Medium)
125 http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf (Source Reliability: High)
126 http://www.greentechmedia.com/articles/read/smart-grid-cybersecurity-vulnerabilities-revealed/ (Source Reliability: Medium)
127 http://www.globalsecurity.org/security/profiles/khalid_shaikh_mohammed.htm (Source Reliability: Medium)
128 http://www.ce.cmu.edu/~hsm/im2004/readings/CII-Rinaldi.pdf (Source Reliability: High)
129 Tenable Network Security, Protecting Critical Infrastructure: SCADA Network Security Monitoring, whitepaper, August 1, 2008. (Source Reliability: High)
130 http://www.eweek.com/c/a/Security/State-of-SCADA-Security-Worry-Researchers-234517/ (Source Reliability: Medium)
131 Ibid
132 http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf (Source Reliability: High)
133 Ibid
134 http://www.rapid7.com/ (Source Reliability: High)
135 http://www.tenable.com/ (Source Reliability: High)