
Security: New Trends, New Issues Internet2 Fall Member Meeting 2004

Doug Pearson, Indiana University, Research and Education Networking ISAC, http://www.ren-isac.net


Presentation Transcript


  1. Security: New Trends, New Issues
     Internet2 Fall Member Meeting 2004
     Doug Pearson, Indiana University, Research and Education Networking ISAC
     http://www.ren-isac.net

  2. 2004 CSI/FBI Computer Crime and Security Survey
     http://www.gocsi.com/

  3. ? (!)

  4. 2004 CSI/FBI Survey: Percent Conducting Security Audits – Up

  5. 2004 CSI/FBI Survey: Technologies Employed – Up

  6. 2004 CSI/FBI Survey: Training – Up

  7. 2004 CSI/FBI Survey: Dollar Losses – Down

  8. Factors
     • Poll of the CSI membership
     • Doesn’t represent the global picture
     • Small business is not well represented
     • Doesn’t account for the rising number of always-on home systems on broadband networks

  9. Maybe it means…
     • Poll of CSI members; “They have joined CSI because they want to find ways to reduce economic losses.” [2]
     • The reductions don’t seem to represent the world at large, but
     • Maybe the survey simply affirms that organizations that are taking an active security posture will recognize substantial results.

  10. CERT/CC & US-CERT Advisories

  11. Trends and Landscape
     • Rate of discovery of vulnerabilities is up – statistically relevant increases since 2002.
     • Time to exploit is down; in 2002 the average time was generalized as 14 days, in 2003 7-10 days, now at times less than a week
     • AV strategies and deployments are getting better
     • Patch response is getting better (vendors and users)

  12. Trends and Landscape
     • Sites are employing quarantine zones with scan/patch requirements
     • More administrative control of end-system configurations at non-traditionally centralized organizations, e.g. MS auto-update turned on, AV installed and active
     • Some large-scale enterprises have difficulty with rapid patch/version deployment due to internal testing requirements – as seen with XP SP2 adoption.

  13. Trends and Landscape
     • Increased use of firewalls and/or ACLs
     • Med-large business, higher education, and government sectors are all getting much more serious about security; still need much more awareness and upper-management commitment
     • Small business isn't as prepared – lacks the technical proficiency and resources
     • Home systems always-on threat base is large. Lack of due care is a critical issue.

  14. Trends and Landscape
     • Overseas threat base is very large (and active), particularly Asia Pacific and Eastern Europe – borne out in traffic patterns from worm scanning, botted systems, etc.
     • Pre-fab tools make it easy for unsophisticated attackers to launch sophisticated attacks; move from disruptive behavior to for-profit motive, e.g. identity theft and extortion; increasing the risk to average end-users.

  15. Trends and Landscape
     • Sophisticated multi-purpose, multi-attack vectors (e.g. phatbot) are on the rise
     • The botnet problem is very serious; move from disruptive behavior to for-profit motives.
     • The phishing problem is very serious; overwhelming increase from a few in 2003 to several per week. FTC estimates 5% success.
     • Intrusion attacks can expand very rapidly, e.g. the Spring 2004 *nix compromises proceeded with astonishing rapidity

  16. Trends and Landscape
     • Organized crime is becoming more engaged, particularly with extortion based on theft of information and DDoS threat, and identity theft
     • There's much more successful extortion (e.g. at financial institutions) than gets reported, which has interested organized crime, particularly in Eastern Europe
     • Information sharing for effective practice is increasing; EDUCAUSE Effective Practices Guide

  17. Trends and Landscape
     • Information sharing for response is increasing; regional (gigaPoP), REN-ISAC, and industry operational forums
     • Cross-organization response activities are working, but the active threat is large
     • Use of blacklist route servers by internet service providers is increasing

  18. Acknowledgements
     • 2004 CSI/FBI Survey
       • http://www.gocsi.com/
     • Internet Security Systems
       • http://www.iss.net
     • Carter Schoenberg
     • US-CERT & CERT/CC
       • http://www.us-cert.gov
       • http://www.cert.org

  19. References
     • [1] http://www.enterpriseitplanet.com/security/features/article.php/11321_3385371_1
     • [2] Robert Richardson, editorial director of CSI

  20. REN-ISAC Information Sharing
     • Opportunity:
       • Extensive sharing within a trusted circle of operational security professionals of actionable information regarding active sources of cyber threat, in a manner permitting expedient action upon the shared information, will facilitate a reduction of threat scale, protection of resources, and resolution of specific infections.

  21. REN-ISAC Information Sharing
     • Sharing needs to occur within a closed/vetted trust circle of operational security professionals
       • don't want to tip off the bad guys
       • don't want operational personnel or processes to publicly expose compromise information
       • don't want to hamper law enforcement or other investigations
       • at times may be operating in gray areas

  22. REN-ISAC Information Sharing
     • There's a lot of information to share
       • analysis from netflow
       • analysis from darknets
       • analysis from IDS and firewalls
       • information sources include the activities of various groups formed around Internet service providers, research activities, loose associations, individual institutions, ISACs, etc.

  23. REN-ISAC Information Sharing
     • Examples of information
       • worm scanning [show example data]
       • SSH scanners [show example data]
       • Bot C&C and botted systems [show example data]
       • DDoS

  24. REN-ISAC Information Sharing
     • Types of useful sharing
       • simple formatted lists via e-mail
       • automated action methods, e.g. blacklist route server
         • what policy and management methods are necessary for institutions to trust and employ auto methods?
         • what administrative and descriptive metadata needs to be associated with blacklist entries?
       • other types?

  25. REN-ISAC Information Sharing
     • Requirements for information sharing
       • a structured method to establish and maintain a trust circle
         • How large can a trusted circle be and still be effective for free-flowing information sharing?
         • Would different levels of trust circles, e.g. regional and national, be more effective? How then to make sure that useful information gets shared broadly?
       • standard formats to represent the information
       • an organized body to facilitate process, management, and flow
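Slides 24 and 25 ask what metadata a shared blacklist entry needs and what policy an institution must apply before an automated method (such as a blacklist route server) may act on it. The following is an added example, not code from the talk or from REN-ISAC: a minimal pipe-delimited entry format carrying reporter, evidence type, timestamps and confidence, plus the local acceptance check that separates entries safe to push automatically from ones that need a human. The field names, the trust-circle members, the address blocks and the /24 limit are all assumptions.

```python
import ipaddress
from collections import namedtuple
from datetime import datetime

# Constructed sample feed (documentation address ranges, not real indicators).
# Columns: prefix|reporter|evidence|first_seen|expires|confidence
SAMPLE_FEED = """\
198.51.100.7/32|example-gigapop|ssh-scanner|2004-10-01T12:00:00Z|2004-10-03T12:00:00Z|high
203.0.113.0/24|example-univ|worm-scan|2004-10-01T08:00:00Z|2004-10-02T08:00:00Z|medium
192.0.2.9/32|example-gigapop|botnet-cc|2004-10-01T00:00:00Z|2004-10-05T00:00:00Z|high
198.51.0.0/16|example-univ|worm-scan|2004-10-01T00:00:00Z|2004-10-05T00:00:00Z|high
198.51.100.8/32|unknown-list|ssh-scanner|2004-10-01T00:00:00Z||low
"""
# Local policy (assumed values): the vetted trust circle, the institution's
# own address space, and the broadest prefix an automated action may touch.
VETTED_REPORTERS = {"example-gigapop", "example-univ"}
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
MIN_PREFIXLEN = 24
Entry = namedtuple("Entry", "prefix reporter evidence first_seen expires confidence")

def _ts(s):
    """Parse an ISO-8601 UTC timestamp; an empty field means no value."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")) if s else None
AS_OF = _ts("2004-10-02T00:00:00Z")  # evaluation time used in the example

def parse_feed(text):
    """Parse the pipe-delimited list, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        p, rep, ev, fs, exp, conf = line.split("|")
        entries.append(Entry(ipaddress.ip_network(p), rep, ev, _ts(fs), _ts(exp), conf))
    return entries

def check(e, now):
    """Decide whether an entry may be handed to an automated blocking action."""
    if e.reporter not in VETTED_REPORTERS:
        return False, "reporter outside trust circle"
    if e.expires is None or e.expires <= now:
        return False, "missing or past expiry"
    if e.prefix.prefixlen < MIN_PREFIXLEN:
        return False, "prefix too broad for automated action"
    if any(e.prefix.overlaps(own) for own in OWN_PREFIXES):
        return False, "overlaps our own address space"
    return True, "ok"

def triage(text, now):
    """Return (prefixes safe to push automatically, {prefix: reason} held for review)."""
    results = [(str(e.prefix),) + check(e, now) for e in parse_feed(text)]
    pushed = [p for p, ok, _ in results if ok]
    held = {p: why for p, ok, why in results if not ok}
    return pushed, held
```

Expiry on every entry is what keeps an automated block from outliving the evidence; an entry without one is held rather than pushed.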

  26. REN-ISAC Information Sharing
     • REN-ISAC is working on two items
       • Cyber Security Registry for Research and Education
       • preliminary to the Registry, active now: closed/vetted mailing list RENISAC-SEC-L

  27. REN-ISAC Cyber Security Registry
     • To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for all US colleges and universities.
     • The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior.
     • All registrations will be vetted for authenticity.
     • Primary registrant assigns delegates. Delegates can be functional accounts.
     • Currency of the information will be aggressively maintained.

  28. REN-ISAC Cyber Security Registry
     • Aiming for 24 x 7 contact, with deep reach – a decision maker, primary actor, with clearance for sensitive information.
     • Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution – reports may identify specific machines.
     • Related Registry information to serve network security management and response:
       • address blocks
       • routing registry
       • network connections (e.g. Abilene, NLR)

  29. REN-ISAC Cyber Security Registry
     • Registry information will be:
       • utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow,
       • utilized by the REN-ISAC for early warning,
       • open to the members of the trusted circle established by the Registry, and
       • with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISPs and law enforcement.

  30. REN-ISAC Cyber Security Registry
     • The Registry will enable:
       • Appropriate communications by the REN-ISAC
       • Sharing of sensitive information derived from the various information sources:
         • Network instrumentation, including netflow, ACL counters, and operational monitoring systems
         • Daily security status calls with ISACs and US-CERT
         • Vetted/closed network security collaborations
         • Backbone and member security and network engineers
         • Vendors, e.g. monthly ISAC calls with vendors
         • Members – related to incidents on local networks

  31. REN-ISAC Cyber Security Registry
     • The Registry will enable:
       • Sharing among the trusted circle members
       • Establishment of a vetted/trusted mailing list for members to share sensitive information
       • Access to the REN-ISAC / US-CERT secure portal
       • Access to segmented data and tools:
         • Segmented views of netflow information
         • Per-interface ACLs
       • Other potentials that can be served by a federated trust environment

  32. REN-ISAC Information Sharing
     • RENISAC-SEC-L mailing list
       • for individuals who would meet the Registry criteria, i.e. primary registrant as CIO/ITSO and delegates
       • http://www.ren-isac.net/renisac-sec-l.html
