
US-CERT: Get Plugged in!


Presentation Transcript


  1. US-CERT: Get Plugged in! United States Computer Emergency Readiness Team HTTP://WWW.US-CERT.GOV/ For more detail on slides go to “notes” view

  2. US-CERT Mission
     • Protect critical infrastructure in cyberspace – both public and private sector.
     • Analyze and reduce cyber threats and vulnerabilities.
     • Disseminate cyber threat information.
     • Coordinate incident response activities.
     US-CERT is the Nation’s Security Center to protect the nation’s Internet infrastructure.

  3. The National Strategy to Secure Cyberspace provides a framework articulating priorities to secure cyberspace:
     • National Cyberspace Security Response System
     • National Cyberspace Threat and Vulnerability Reduction Program
     • National Cyberspace Security Awareness and Training Program
     • Securing Governments’ Cyberspace
     • International Cyberspace Security Cooperation

  4. US-CERT Operations Branch
     Watch
     • Provides 24x7x365 triage support to federal, public, and private sectors
     • Monitors cyber security events available from various sources
     • Compiles and coordinates US-CERT reports for dissemination
     • Follows up with appropriate sources to ensure proper mitigation
     Analysis
     • Provides fused current and predictive cyber analysis based on reporting
     • Correlates incident data from a myriad of disparate reporting sources
     • Provides on-site incident response capabilities to federal and state entities
     • Supports ongoing federal law enforcement investigations
     Malware Lab
     • Provides behavioral techniques for dynamic and static analysis
     • Reviews malicious code for “novel” attacks; i.e., do we already know this one?
     • Supports forensic investigations with cursory analysis of artifacts
     • Provides on-site malware analytic and recovery support
     • Runs the malicious code submission and collection program
     Focused OPS
     • Einstein Program
     • Government Forum of Incident Response Teams
     • Regional efforts in support of the National Response Plan
     • Develops and participates in national and international level exercises
     • Interacts with and provides operational support to international partners

  5. Vulnerabilities Handled by US-CERT FY-06
     • Over 3,872 vulnerabilities reported since October 05
     • 1,293 of the 3,872 were rated as high severity utilizing the Common Vulnerability Scoring System or other factors:
       • http://www.us-cert.gov/nvd.html
       • http://nvd.nist.gov/cvss.cfm
     • These are just the ones we know about; they cover a wide range of technologies, from operating systems and devices to SCADA control systems
     • There is no shortage of opportunities for exploitation, depending on your security posture and how well you know your own network environment

  6. Vulnerability Handling (2)
     • Impact
       • What incremental benefit does the attacker gain?
         • Root compromise
         • User compromise (which user?)
         • Denial of service (which service?)
       • There’s a distinction between:
         • Execute arbitrary code
         • Execute arbitrary commands

  7. DHS Press Release MS040
     Press Releases: DHS Recommends Security Patch to Protect Against a Vulnerability Found In Windows Operating Systems
     For Immediate Release
     Office of the Press Secretary
     Contact: 202-282-8010
     August 9, 2006

     The Department of Homeland Security (DHS) is recommending that Windows Operating Systems users apply Microsoft security patch MS06-040 as quickly as possible. This security patch is designed to protect against a vulnerability that, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights. Windows Operating Systems users are encouraged to avoid delay in applying this security patch. Attempts to exploit vulnerabilities in operating systems routinely occur within 24 hours of the release of a security patch. This vulnerability could impact government systems, private industry and critical infrastructure, as well as individual and home users.

     Users can apply the Microsoft MS06-040 security patch at http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx. Home users may prefer to go to Windows Update at http://update.microsoft.com and select “express” to install critical security updates, including the MS06-040 security patch.

     The Department’s U.S. Computer Emergency Readiness Team (US-CERT) continues to work closely with Microsoft to minimize any impact from this vulnerability. US-CERT has issued an alert through the National Cyber Alert System and conducted a series of briefings with federal Chief Information Officers and Chief Information Security Officers, and critical infrastructure sectors through Information Sharing and Analysis Centers. Additionally, all federal agencies are required to provide US-CERT with regular updates on their patching status.

     DHS recommends that computer users and administrators implement the following preparedness measures to protect themselves against this vulnerability, and also from future vulnerabilities, worms, and viruses:
     • Keep up-to-date on security patches and fixes for your operating system. The easiest way to do this is to set your system to receive automatic updates, which will ensure you automatically receive security updates issued by Microsoft. If your system does not allow automatic updates, we recommend that you manually install the Microsoft security patch today through Microsoft Update at http://update.microsoft.com/microsoftupdate
     • Install anti-virus and anti-spyware software and keep them up-to-date
     • Enable a firewall, which will help block attacks before they can get into your computer
     • Do not open emails from unknown sources and do not open or execute email attachments that you are not expecting, even if they come from a known and trusted source.

     To access the alerts for this vulnerability and for additional information on cyber security tips and practices, please visit www.us-cert.gov.

  8. Evolving Threats
     • New threats/attacks increasing in intensity and sophistication
     • Federal government and private organizations experiencing targeted attacks
     • Disruptions affect essential services, government operations (availability)
     • Loss of data critical to some agencies (confidentiality)
     Need new ways to share information and protect essential cyber systems

  9. Einstein Program Overview
     • EINSTEIN collects summary network traffic information at agency gateways and provides a high level view of the federal government network connections.
     • US-CERT analysts use EINSTEIN data to correlate cross agency network events.
     • Agency data available through a secure portal to augment CSIRT capability.

  10. EINSTEIN Deployments
     • Currently 7 active agency deployments
       • DHS/NCSD
       • Department of Transportation
       • Department of State
       • Treasury
       • SEC
       • FTC
       • USAID
     • Additional 6 agencies in the planning phases of deployment

  11. Benefits of Deployment
     • Improved situational awareness
       • Cross agency view
       • Is my agency the only one being affected?
       • Signatures used to detect unpublished attacks
       • Reports from intelligence community used to identify network attacks
     • No cost to agency
       • Hardware, software and support provided by US-CERT
     • Experienced Cyber Security analysts available to work with and augment your CSIRT
     • One day training for CSIRT/analysts on SiLK (coming soon!)

  12. Benefits of EINSTEIN - continued
     • Complementary approach to existing security technologies
       • Signature based Intrusion Detection (NIDS)
       • Perimeter technologies (firewall, IPS)
     • Helps agencies meet compliance requirements:
       • FISMA
       • FIPS 200 Minimum Security Requirements for Federal Information and Information Systems
       • NIST 800-53 Recommended Security Controls for Federal Information Systems

  13. EINSTEIN Success Stories
     • EINSTEIN analysts uncovered anomalous traffic between agencies and identified a security breach. From the Washington Post: "US-CERT … spotted an unusual pattern of traffic” from Agriculture computers and notified USDA officials.
     • Note: US-CERT does not contact the media (information kept confidential)
     http://www.washingtonpost.com/wp-dyn/content/article/2006/06/22/AR2006062201549.html
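Slides 9, 11 and 13 describe what EINSTEIN gives an analyst: summary flow records from each agency gateway, the cross-agency view ("is my agency the only one being affected?"), and the detection of an unusual traffic pattern that a single agency might not have noticed on its own. The following is an added example, not EINSTEIN or SiLK code and not US-CERT data: it runs a simple correlation over constructed, SiLK-style summary records from three hypothetical agencies. One agency's off-hours outbound volume to an external host crosses a threshold; the cross-agency step then surfaces a second agency whose traffic to the same host is below threshold and would have been invisible in isolation. The field names, the 10.0.0.0/8 internal range, the off-hours window and the byte threshold are all assumptions chosen for the example.

```python
"""Cross-agency flow correlation (added example; constructed data, not EINSTEIN output)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from ipaddress import ip_address, ip_network

# Constructed sample: SiLK-style summary records from three hypothetical agencies.
# 203.0.113.9, 198.51.100.4 and 192.0.2.77 are documentation addresses, not real hosts.
SAMPLE_FLOWS = """\
agency,start_time,sip,dip,dport,proto,bytes
AgencyA,2006-06-22T01:05:00,10.1.0.15,203.0.113.9,443,6,512000
AgencyA,2006-06-22T01:06:00,10.1.0.15,203.0.113.9,443,6,498000
AgencyA,2006-06-22T09:00:00,10.1.0.22,198.51.100.4,80,6,15000
AgencyB,2006-06-22T01:40:00,10.2.5.7,203.0.113.9,443,6,620000
AgencyB,2006-06-22T10:15:00,10.2.5.8,198.51.100.4,80,6,12000
AgencyC,2006-06-22T02:00:00,192.0.2.77,10.3.9.1,445,6,2000000
AgencyC,2006-06-22T11:00:00,10.3.9.1,192.0.2.77,25,6,8000
"""

# Assumed internal address space shared by the sample agencies (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV summary records into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(StringIO(text)):
        flows.append({
            "agency": row["agency"],
            "start": datetime.fromisoformat(row["start_time"]),
            "sip": row["sip"],
            "dip": row["dip"],
            "dport": int(row["dport"]),
            "proto": int(row["proto"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def in_off_hours(ts, window=(22, 6)):
    """True if ts falls in the [start, end) hour window; the window may wrap midnight."""
    start, end = window
    h = ts.hour
    return (h >= start or h < end) if start > end else (start <= h < end)


def off_hours_outbound(flows, window=(22, 6)):
    """Sum outbound bytes per (agency, external destination) during off-hours.
    Inbound flows (external source) are ignored, so the AgencyC record from
    192.0.2.77 does not count even though it is large and off-hours."""
    totals = defaultdict(int)
    for f in flows:
        if not (is_internal(f["sip"]) and not is_internal(f["dip"])):
            continue  # only internal -> external flows
        if in_off_hours(f["start"], window):
            totals[(f["agency"], f["dip"])] += f["bytes"]
    return dict(totals)


def correlate_across_agencies(flows, window=(22, 6), min_bytes=1_000_000):
    """Destinations where at least one agency exceeds min_bytes off-hours.
    The result lists every agency with any off-hours traffic to that destination,
    so a peer below the threshold is still surfaced by the cross-agency view."""
    totals = off_hours_outbound(flows, window)
    flagged = {dip for (_, dip), b in totals.items() if b >= min_bytes}
    findings = defaultdict(dict)
    for (agency, dip), b in totals.items():
        if dip in flagged:
            findings[dip][agency] = b
    return dict(findings)


if __name__ == "__main__":
    for dip, per_agency in correlate_across_agencies(parse_flows(SAMPLE_FLOWS)).items():
        print(dip, per_agency)
```

Run stand-alone, the script reports 203.0.113.9 with AgencyA at 1,010,000 bytes and AgencyB at 620,000 bytes; the daytime web traffic to 198.51.100.4, although seen from two agencies, is never a candidate because it is not off-hours. Real analysis on summary flow data would use a per-agency baseline rather than a fixed byte count, but the structure is the same: aggregate per gateway first, then join on the shared external endpoint.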

  14. Data Breach Identified by EINSTEIN Analysts

  15. Summary
     • Agency receives at no charge:
       • Einstein hardware and software
       • Technical support
       • Cyber Security Analyst access to their respective flow data
       • DHS provides all data storage
       • Data is segregated (protected) from other agencies
       • Operational user training
       • Analysis provided by US-CERT
     • Goal is to improve the security posture of the agency
       • Based on data sharing with US-CERT, the agency will gain better insight into cross-agency network anomalies
     • Compliant with Federal Standards

  16. What can you do?
     • Get your security teams plugged into the Government Forum of Incident Response Teams
     • Deploy Einstein & gain insight into your agency and USG views
     • Subscribe to the National Cyber Alert System

  17. Contact
     Technical comments or questions
     US-CERT Security Operations Center
     Email: soc@us-cert.gov
     PGP/GPG key: 0xADC4BCED
     Fingerprint: 02FD 5294 A076 0ACE BEB1 929B 3730 09F3 ADC4 BCED
     Phone: +1 888-282-0870

     Media inquiries
     US-CERT Public Affairs
     PGP/GPG key: 0x10A97BAC
     Fingerprint: 2762 28CF AFF6 EADB 95F4 6797 857D 91C1 10A9 7BAC
     Phone: +1 202-282-8010

     General questions or suggestions
     US-CERT Information Request
     Email: info@us-cert.gov
     PGP/GPG key: 0x0A1E0DF7
     Fingerprint: CFE4 9D1D 6897 44B3 9B85 B25A F575 177B 0A1E 0DF7
     Phone: +1 703-235-5110

     * Information available at http://www.us-cert.gov/contact.html
