REN-ISAC: Community for Cyber Security Protection and Response
EDUCAUSE Live, November 10, 2008
Presentation Outline
• List the focus areas of a HE institution's security office / team
• List community-based organizations in HE security space
• Map the focus areas to the community-based organizations
• Describe the REN-ISAC organization
• Describe how to join REN-ISAC
Focus areas of a HE institution's security office / team
+ outreach awareness and training
+ policy development and enforcement
+ situational awareness
+ monitor for threat and infected systems
+ protect systems & users from active threat
+ vulnerability scanning
+ incident response
+ data and privacy protection
+ security reviews and consulting
+ risk assessment
+ report to management
+ interface with law enforcement
+ continuing education of staff
+ evaluate security products and services
+ compliance monitoring

Mapping the focus areas to community-based organizations: Regional and State Communities
+ promote awareness
+ policy development and enforcement
+ monitor for threat and infected systems
+ protect systems and users from active threat
+ vulnerability scanning
+ incident response
+ data and privacy protection
+ consult on secure dev and admin
+ risk assessment
+ report to management
+ interface with law enforcement
+ security office staff education
The EDUCAUSE and Internet2 Security Task Force focuses on strategy and planning, serving to coordinate collaboration across people, processes, and technologies.
REN-ISAC addresses real-time operational protection and response matters, within the context of a private information sharing trust community.
REN-ISAC Goal
The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through:
• the exchange of sensitive actionable information within a private trust community,
• the provision of direct security services, and
• serving as the R&E trusted partner within the formal ISAC community.
Information Sharing
• REN-ISAC is a private trust community for sharing sensitive information.
• The private and trusted character of the membership:
  • provides a safe zone for the sharing of organizational incident experience, information which otherwise would not be shared,
  • protects information about our methods and sources, and
  • protects information which if publicly disclosed would abet our adversaries.
REN-ISAC is a Cooperative Effort
• Member participation is a cornerstone of REN-ISAC
• Advisory Groups
  • Executive Advisory Group: IU, LSU, Oakland U, Reed College, U Mass, UMBC, Internet2, and EDUCAUSE
  • Technical Advisory Group: Cornell, IU, MOREnet, Team Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI
• Analysis Teams
  • Microsoft Analysis Team: IU, NYU, U Washington
• Service development teams
• Numerous contributors
  • Dedicated resource contributors: IU, LSU, Internet2
  • Other major contributions (systems, tools, coordination, etc.): Buffalo, Brandeis, WPI, MOREnet, and EDUCAUSE
Benefits of Membership
• Receive and share actionable defense information
• Receive protection and response information products, e.g. Daily Watch Report, Alerts, Advisories, etc.
• Establish relationships with known and trusted peers
• Benefit from information sharing relationships constructed in the broad security community
• Benefit from vendor relationships (e.g. Microsoft SCP)
• Participate in technical security webinars
• Participate in REN-ISAC meetings, workshops, & training
• Have access to the 24x7 REN-ISAC Watch Desk
• Have access to active threat and other sensitive data feeds, e.g. for local IP and DNS block lists, sensor signatures, etc.
Receive and share actionable defense information
• Information resources include:
  • REN-ISAC members
  • External information sharing relationships
  • Results of direct reconnaissance
  • Other sector ISACs
  • Global Research NOC at IU (R&E backbone networks)
  • Vendor relationships
  • Network instrumentation and sensors operated by REN-ISAC
Receive and share actionable defense information. Example: REN-ISAC members sharing

Subject: Dear Iu.edu Subscriber
Date: Mon, 31 Mar 2008 08:46:09 +1300
From: IU.EDU SUPPORT TEAM <support@iu.edu>
Reply-To: supportc@instructor.net
To: undisclosed-recipients: ;

IMPORTANT NOTICE FROM THE IU.EDU SUPPORT TEAM
Dear Iu.edu Subscriber,
To complete your Iu.edu account and enable us upgrade our system so as to serve you better, you must reply to this email immediately and enter your password here (*********) Failure to do this will immediately render your email address deactivated from our database.
You can also confirm your email address by logging into your Iu account at https://webmail.iu.edu/horde/imp/login.php
Thank you for using IU.EDU!!
THE IU.EDU TEAM
Web mail account credential phishing: poll of REN-ISAC member experience
• Conducted April 7 & 8, 2008
• Limitations of the poll:
  • <~ 50% of the community responded (a short response window).
  • Motivations to respond may be different between those who received the phish and those who didn't.
  • Membership is moderately skewed to large and advanced degree institutions.
• 107 institutions responded to the poll,
  • 86 sites reported receiving the phish,
  • 61 reported that someone at the institution fell for the attack, and
  • 42 reported that compromised credentials were used by the attacker
• The distribution of the last time the phish was observed is: Dec: 3, Jan: 1, Feb: 6, Mar: 37, Apr: 34 (by Apr 8)
Web mail account credential phishing: information sharing among members
Fields in the shared record, one row per member report:
• Date
• Institution
• Message Count
• From Address
• Reply-to address
• Email Source IP
• Stolen Login IP
• Subject line
Web mail account credential phishing: protection and response
• Members used the shared information in protection and response actions
• Overall collected data, with permissions of each contributing member, was taken to law enforcement
Information Products
• Daily Watch Report provides situational awareness.
• Alerts provide critical and timely information concerning new or increasing threat.
• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites.
• Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.
• Advisories inform regarding specific practices or approaches that can improve security posture.
• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.
• Monitoring views provide summary views from sensor systems, useful for situational awareness.
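The web mail phishing case above and the feeds described here follow the same path: each member reports a message, the reports are collected into the shared record (the fields listed on the information-sharing slide), and the aggregate becomes a block list that sites apply locally. The example below is added here and is not REN-ISAC code or a description of its systems. It parses constructed member reports into that record, flags the From/Reply-To domain mismatch visible in the sample phish, aggregates the reports into reply-to, sender IP and stolen-login IP sets, and checks a constructed mail log against them. It assumes, for the example only, that a reporting site copies the sender IP into an X-Originating-IP header; every site name, address, IP and log line is constructed and none is an indicator from the presentation.

```python
# Added example, not REN-ISAC code: parse member-reported phishing messages into the
# shared record from the slides, aggregate them into a block list, and check a mail
# log against it. Every site, address, IP and log line below is constructed.
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional, Set


@dataclass
class PhishRecord:  # one row of the shared record: the fields named on the slide
    date: str
    institution: str
    message_count: int
    from_address: str
    reply_to: str
    source_ip: str
    stolen_login_ip: Optional[str]
    subject: str


def record_from_report(institution: str, raw_message: str, message_count: int,
                       stolen_login_ip: Optional[str]) -> PhishRecord:
    """Parse one reported message into the shared record. Assumption for this example:
    the reporting site copies the sender IP into an X-Originating-IP header (a real
    report would take it from the Received: chain)."""
    msg = message_from_string(raw_message)
    return PhishRecord(
        date=msg.get("Date", ""), institution=institution, message_count=message_count,
        from_address=parseaddr(msg.get("From", ""))[1].lower(),
        reply_to=parseaddr(msg.get("Reply-To", ""))[1].lower(),
        source_ip=msg.get("X-Originating-IP", "").strip(),
        stolen_login_ip=stolen_login_ip, subject=msg.get("Subject", ""))


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1] if "@" in address else ""


def reply_to_mismatch(record: PhishRecord) -> bool:
    """The tell in the sample phish: From claims the institution, Reply-To goes elsewhere."""
    return bool(record.reply_to) and domain_of(record.reply_to) != domain_of(record.from_address)


def build_blocklist(records: List[PhishRecord]) -> Dict[str, Set[str]]:
    """Aggregate member records into the indicator sets a feed would carry."""
    return {"reply_to": {r.reply_to for r in records if r.reply_to},
            "source_ip": {r.source_ip for r in records if r.source_ip},
            "login_ip": {r.stolen_login_ip for r in records if r.stolen_login_ip}}


def summarize(records: List[PhishRecord]) -> Dict[str, int]:
    """Poll-style tallies: sites reporting, sites whose credentials were abused, messages."""
    return {"sites_reporting": len({r.institution for r in records}),
            "sites_with_stolen_logins": len({r.institution for r in records if r.stolen_login_ip}),
            "messages": sum(r.message_count for r in records)}


# Constructed mail-log format: one line per delivered message with its Reply-To and sender IP.
LOG_RE = re.compile(r"replyto=<(?P<replyto>[^>]*)> src=(?P<src>\S+)")


def scan_mail_log(lines: List[str], blocklist: Dict[str, Set[str]]) -> List[str]:
    """Return the log lines whose Reply-To address or sender IP is on the shared list."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (m["replyto"].lower() in blocklist["reply_to"]
                  or m["src"] in blocklist["source_ip"]):
            hits.append(line)
    return hits


# Constructed reports from three member sites: two hit by the same campaign, one by another.
REPORT_A = """From: Example.edu Support <support@example.edu>
Reply-To: supportdesk@mailer.example.net
X-Originating-IP: 203.0.113.45
Subject: Dear Example.edu Subscriber
Date: Mon, 31 Mar 2008 08:46:09 +1300

reply to this email with your password
"""
REPORT_B = REPORT_A.replace("support@example.edu", "helpdesk@campus.example.org")
REPORT_C = """From: IT Services <it@college.example>
Reply-To: it-support@webmail-reset.example.net
X-Originating-IP: 198.51.100.200
Subject: Your webmail account
Date: Tue, 01 Apr 2008 10:12:00 -0500

confirm your password
"""
SAMPLE_RECORDS = [
    record_from_report("Example U", REPORT_A, 14, "198.51.100.7"),
    record_from_report("Campus U", REPORT_B, 3, None),
    record_from_report("Example College", REPORT_C, 9, "198.51.100.7"),
]
MAIL_LOG = [  # constructed; only the first line matches the shared indicators
    "2008-04-02T08:01:10 from=<support@example.edu> replyto=<supportdesk@mailer.example.net> src=203.0.113.45 to=<alice@example.edu>",
    "2008-04-02T08:03:44 from=<registrar@example.edu> replyto=<registrar@example.edu> src=192.0.2.10 to=<bob@example.edu>",
    "2008-04-02T08:09:02 from=<helpdesk@example.edu> replyto=<accounts@example.net> src=203.0.113.46 to=<carol@example.edu>",
]
```

Running `scan_mail_log(MAIL_LOG, build_blocklist(SAMPLE_RECORDS))` returns only the first log line: the third line has a mismatched Reply-To and a neighbouring sender address, but neither value was reported by a member, which is the point of applying a shared list rather than a local heuristic. The `login_ip` set is kept separate because it is checked against authentication logs, not mail logs, and `reply_to_mismatch` is what a site would run on a fresh message before it has any shared indicator for it.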
Alert Sample: Storm Worm DDoS Threat to EDU, Aug 2007
Sections of the alert: Issue, Don'ts, Prevention, Mitigation, References
Information Products: Notifications. Sample: REN-ISAC EDU Storm Worm Daily Notifications
TechBurst Webcasts
• DNSSEC
• RENOIR
• Routing: Protocols, Operation and Security for the R&E Community
• Teredo (IPv6)
• FBI and Cybercrime reporting
• REN-ISAC Online Communities
• Bro-IDS == IDS++
• Attacking Embedded Devices
• Determining "Reasonable Belief" during incident response
• DNS Intel
• Snort
• Forensic Computer Investigations, Part II
• Forensic Computer Investigations, Part I
• Nepenthes
• Reverse Engineering Malware
• Spam zombies dissected
• Shared Darknet Project
• DNS: Protocols, Operation and Security for the R&E Community, Part II of II
• DNS: Protocols, Operation and Security for the R&E Community, Part I of II
• NetFlow Advanced Topics
• Introduction to NetFlow
• Botnet Detection Using DNS Methods
Membership
• Membership is open to:
  • institutions of higher education,
  • teaching hospitals,
  • research and education network providers, and
  • government-funded research organizations;
  • international, although focused on U.S.
• Membership is currently free, but at no cost the growth and value the community needs are not sustainable.
• Beginning July 1, 2009 a nominal membership fee will be instituted. The fee is not finalized, but the yearly per-institution cost will be kept very low.
• The fee will be per-institution, irrespective of the number of REN-ISAC member representatives from the institution.
Membership (chart): people and organizations
How to Join (in the past and currently)
• Paraphrased, the individual:
  • must have organization-wide responsibilities for cyber security protection and response,
  • at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization,
  • must be permanent staff, and
  • must be vouched-for (personal trust) by 2 existing members.
• http://www.ren-isac.net/membership.html
Revised Membership Model
• In November 2008, REN-ISAC will implement a revised membership model. Objectives of the new model are to:
  • Retain a strongly trusted information sharing environment
  • Extend the reach of REN-ISAC more broadly in the R&E community
  • Align "membership" directly with the institution
  • Set a base for a long-term sustainable business model
Revised Membership Model
• Vastly oversimplified descriptions of the current and revised membership models are:
  • Current model: Individuals join. The individual must meet a specific work profile and receive two vouches of personal trust from existing REN-ISAC members. The individual joins to "represent [his or her] institution".
  • Revised model: Institutions and organizations join. A CIO or designee joins on behalf of the institution. That person assumes the ongoing responsibility of "management representative", and nominates one or more "member representatives" who participate in the operational information sharing. Two tiers of participation are differentiated in the degree of vetting of the prospective member and the classification of sensitive information shared in the tier.
Revised Membership Model: Two-Tiered
• "General" membership = the entry-level tier
  • A CIO (or equivalent/designee) appoints General members: one or more full-time staff who meet eligibility requirements. Personal trust vouches are not required, but nominations are open to dispute by existing members
• "XSec" membership = the e(X)tra (Sec)ure tier
  • Additional membership criteria, and two vouches of personal trust are required from existing XSec members
  • XSec has its own community-plumbing for sharing extra-sensitive information, and additional services available.
• Two tiers = extend reach of REN-ISAC benefits in the R&E sector, while still retaining a strong-trust core
Revised Membership Model
• Two important aspects of the revised model are:
  • it appropriately aligns membership with the institution rather than the individual, and
  • it creates an entry-level membership tier that doesn't have the hurdle of two vouches of personal trust from current members.
• Details regarding the current and revised membership models are at:
  • Current: http://www.ren-isac.net/membership.html
  • Revised: http://www.indiana.edu/~ishare/membership.shtml
How to Join (Revised Membership Model)
• Process:
  • Institutional membership is applied for by the CIO, local equivalent, or a designee of the same.
  • Requiring CIO or eq. involvement gives us a tractable point of reference for confirming identity, and identifies institutional commitment
  • The person identified above becomes the 'management representative' and nominates one or more 'member representatives' who participate in the operational information sharing.
• The 'process' will come online in November. In the meantime, we suggest that you (CIOs or local equivalents) register your intent to join, and we'll contact you when the revised model is implemented.
• Register intent at: http://www.ren-isac.net/join
In the works: Development Projects
Not in priority order:
• Scanning Service
• Sensor projects in conjunction with commercial and non-commercial partners
• Security Event System (SES) in cooperation with Internet2 and Argonne National Laboratory
• Incident Information Sharing System (RENOIR), in cooperation with Internet2 and Worcester Polytechnic Institute