Singapore Computer Emergency Response Team (SingCERT)
Martin Khoo
Assistant Director, Incident Management, IDA
Programme Manager, SingCERT
markhoo@singcert.org.sg
Formation of SingCERT
• SingCERT is a programme of the Infocomm Development Authority (IDA) of Singapore in collaboration with the National University of Singapore (NUS)
• Launched in October 1997 during Comdex 97
SingCERT 2000 - BlackHat Briefing
Missions of SingCERT
• One point of contact
  • Provide a reliable, trusted, single point of contact for the prevention, detection and resolution of security incidents on public/private networks such as the Internet and Singapore ONE
• Increase security competency
  • Education and awareness promotion
• Provide value-added security services
  • Security consultancy programme
Programmes of SingCERT (1)
• Technical Programme
  * Drives the security incident response function of SingCERT
  * Undertakes the R&D function of SingCERT
  * Issues security advisories, newsletters and alerts
  * Ensures the operational readiness of SingCERT's incident response infrastructure
Programmes of SingCERT (2)
• Services Programme
  * Promotes security awareness through the organisation of security seminars and workshops
  * Responsible for international and industry liaison
  * Manages the security consultancy services of SingCERT
Operational Framework (diagram; only the node and arrow labels survived extraction): Constituency; Education, Consultancy, Awareness; SECAP; Advise / Consult; Incident Report; Incident Response; L.E.A/Reg.Bod.; Collaboration; ISAPs; SIR; Incident Handling; R&D; International CERTs/FIRST; Knowledge Sharing
Local & International Collaboration
• SingCERT works closely with FIRST and international CERT efforts in the course of its incident response work
• Collaboration in the areas of training and knowledge sharing with foreign CERTs
International Contacts (1)
• CERT/CC (US CERT)
  • Visited them in August 1997
• AUSCERT (Australian CERT)
  • SingCERT's sponsor for FIRST membership
• DFN-CERT (German CERT)
  • Visited them in August 1997
• JPCERT/CC (Japan CERT)
  • Visited them in June 1998
International Contacts (2)
• KRCERT/CC (Korean CERT)
• MyCERT (Malaysian CERT)
• Forum of Incident Response & Security Teams (FIRST)
  • SingCERT was presented at the 10th FIRST conference in Monterrey, Mexico (June 1998)
  • SingCERT was voted in as a full member of FIRST in November 1998
International Contacts (3)
• Asia Pacific Security Incident Response Co-ordination (APSIRC)
  • Charter is to create the AP regional forum to facilitate the exchange of ideas and expertise on Internet security incident handling
  • SingCERT is a founding member and the official host of the APSIRC website
SingCERT Security Services
• Incident resolution over the phone (office hours) and through email
• Security consultation over the phone
• Security advisories and alerts online at the SingCERT website
• Security resource archive online at the SingCERT website
SingCERT Security Services
• Repository on Internet hoaxes, fraud and viruses
• Checklists and papers on security topics
• Online security discussion forum *
• PGP keyserver service *
SingCERT Security Services
• (A) Unix
  • Sun Solaris 2.x, SunOS 4.x
  • Linux (RedHat, Slackware)
  • FreeBSD
• (B) Windows
  • Windows NT Server 4.0 and above
Reporting an incident
• Hotline - 8746666
• Email - cert@singcert.org.sg
• Incident Report Form
• The system/network/security administrator should be the one reporting the incident
• Have information on the platform and how you discovered the intrusion or break-in
• System log files are to be made available
Incident Resolution
• A solution may be available immediately if it is a known exploit
• If it is something new, a workaround may be proposed as an interim solution
• Confidentiality is maintained at all times
• Escalation to law enforcement is the decision of the victim
Sampling of Cases
• Typical categories of incidents
  • Probing
  • Spamming
  • Virus/Trojan attacks
  • Email abuse
  • Hoaxes
  • Unauthorised system access
  • Root compromise
Unauthorised Probing
• Common infringement
• Volume tends to go up with the release of new scanning tools
• Easy to detect if sites have some logging mechanism in place (e.g. firewall, wrapper)
• Newer scanning techniques are making it more difficult to detect such activities
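The slide's point that probing is easy to spot once a firewall or wrapper logs refused connections, and harder once scans are spread out, can be shown with a small detector. This is an added example, not SingCERT's code: the deny-log format, the sample lines (documentation IP ranges) and the function names are all constructed for it; a real firewall or tcp_wrappers log needs its own regex.

```python
"""Toy port-scan detector over constructed firewall deny-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The "<ts> DENY <src> -> <dst>:<port>" layout is an
# assumption made for this example; real products log differently.
SAMPLE_LOG = """\
2000-07-20T09:00:01 DENY 192.0.2.7 -> 198.51.100.10:21
2000-07-20T09:00:01 DENY 192.0.2.7 -> 198.51.100.10:23
2000-07-20T09:00:02 DENY 192.0.2.7 -> 198.51.100.10:25
2000-07-20T09:00:02 DENY 192.0.2.7 -> 198.51.100.10:79
2000-07-20T09:00:03 DENY 192.0.2.7 -> 198.51.100.10:110
2000-07-20T09:00:03 DENY 192.0.2.7 -> 198.51.100.10:111
2000-07-20T09:00:04 DENY 192.0.2.7 -> 198.51.100.10:143
2000-07-20T09:00:05 DENY 192.0.2.7 -> 198.51.100.10:513
2000-07-20T09:00:05 DENY 192.0.2.7 -> 198.51.100.10:514
2000-07-20T09:00:06 DENY 192.0.2.7 -> 198.51.100.10:6000
2000-07-20T09:15:00 DENY 203.0.113.5 -> 198.51.100.10:25
2000-07-20T09:30:00 DENY 203.0.113.5 -> 198.51.100.10:25
2000-07-20T10:45:00 DENY 192.0.2.9 -> 198.51.100.10:23
2000-07-20T11:45:00 DENY 192.0.2.9 -> 198.51.100.10:21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, port) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # tolerate unrelated or malformed lines
        yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])


def detect_scans(text, min_ports=5, window_minutes=1):
    """Flag (src, dst) pairs where one source was refused on at least
    `min_ports` distinct ports of one host within any sliding window."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for ts, src, dst, port in parse_log(text):
        hits[(src, dst)].append((ts, port))

    alerts = {}
    for key, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start:end+1] fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.setdefault(key, set()).update(ports)
    return {key: sorted(ports) for key, ports in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

With the defaults only 192.0.2.7 is flagged; the host that probes one port an hour apart (192.0.2.9) slips under a one-minute window, which is the "newer scanning techniques" problem the slide mentions. Widening the window catches it but also raises the chance of flagging legitimate, repeated connection failures, so the threshold and window need tuning per site.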
Unsolicited Commercial Email
• Few cases
• Complaints about some local organisation spamming foreign users
• One-off problem, as the offending site normally backs off after the initial complaint
• SingCERT advisory on how to protect against being spammed
Virus/Trojan Attacks
• Chernobyl/CIH - malicious, destructive in nature - 350++ cases reported to SingCERT - Apr. 26 - 28
• Happy99, Melissa - harmless
• Netbus, Back Orifice (BO) - trojan programs that can steal info. from your system (spread through email attachments)
Email Abuse
• Subscribing someone to pornographic or product marketing mailing lists
• Email server used as a relay by others
• Advice is to use a newer version of the email server or to configure the mail server correctly
• Be careful who you give your email account out to, especially online web sites
Hoaxes
• Fear, Uncertainty & Doubt (FUD)
• Harmless pranks to create FUD
• SingCERT asked to verify whether some virus/trojan warning is a hoax
• E.g. Celcom Screensaver, Happy New Year
Unauthorised System Access
• Exploiting system bugs to gain access to the system
• Common schemes exploit bugs in application programs (buffer overflow) or unnecessary privileges given to certain system programs
• Keep up with the system patches and tune in to the hacker/underground lists
System Compromise
• Your worst nightmare
• Intruder has full control of your systems
• Case where a company's IT infrastructure was taken over by a foreign intruder
• Intruder used the site to hack other places, leading to a spate of complaints about the company hacking other people
Good Practices (1)
• Have a security policy for your site
• If you need to connect to the Internet you need security protection; otherwise do other people a favour and stay off the Net
• Security should be taken seriously, and time and money need to be spent putting it in place and also actively monitoring it
Good Practices (2)
• Stay in the loop on the latest security happenings and issues
• Keep up to date with security patches and security enhancements
Detection of Intrusions (1)
• How to detect intrusion?
  • You may have implemented security protection mechanisms
  • No mechanism is perfect
  • Need to watch closely for signs of intrusion
• Deploy some form of IDS
  • Free or commercial
  • Needs customisation before use
Detection of Intrusions (2)
• Integrity of ID software
  • Ensure that the software used to examine systems has not been compromised
• Integrity of file systems and sensitive data
  • Look for unexpected changes to directories and files
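The "unexpected changes to directories and files" check is usually done by recording a baseline of hashes and permissions and comparing against it later. The checker below is an added example written for this page, not SingCERT's tool or any product it mentions; the file tree it builds and tampers with is constructed in a temporary directory, and the function names are its own.

```python
"""Toy file-integrity checker (added example): take a baseline, then compare."""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and permission bits of every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Return added, removed and modified paths (content or mode changed)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Build a constructed tree, baseline it, alter it, and return the report."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "root")
        files = {  # constructed sample files, not real system files
            "bin/login": b"#!/bin/sh\nexec /usr/bin/real-login \"$@\"\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/motd": b"Authorised users only.\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, 0o755 if rel.startswith("bin/") else 0o644)
        # Keep the baseline outside the tree it describes (ideally on
        # read-only media), so a compromised host cannot silently update it.
        baseline_path = os.path.join(work, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Simulated changes (constructed): a same-size content swap, a loosened
        # permission, a removed file and a dropped file. A size- or
        # timestamp-only check would miss the first one; the hash catches it.
        login = os.path.join(root, "bin", "login")
        with open(login, "r+b") as f:
            data = f.read()
            f.seek(0)
            f.write(data.replace(b"real-login", b"fake-login"))
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)
        os.remove(os.path.join(root, "etc", "motd"))
        hidden = os.path.join(root, "var", ".hidden")
        os.makedirs(os.path.dirname(hidden))
        with open(hidden, "wb") as f:
            f.write(b"dropped file\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The slide's first bullet applies to this checker too: the report is only as trustworthy as the checker and its baseline, so both belong on media the monitored host cannot write to, and the comparison should be run from a known-good copy of the interpreter and libraries.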
Detection of Intrusions (3)
• System and network activities
  • Inspect your system and network logs
  • Review notifications from system and network monitoring mechanisms
  • Inspect processes for unexpected behaviour
• Physical forms of intrusion
  • Investigate unauthorised hardware attached to your organisation's network
Detection of Intrusions (4)
  • Look for signs of unauthorised access to physical resources
• Other sources of information
  • Review reports by users and external contacts about suspicious system and network events and behaviour
Handling Intrusions (1)
• Prepare
  • Establish policies and procedures for responding to intrusions
• Handle
  • Analyse all available information to characterise an intrusion
  • Communicate with all parties that need to be made aware of an intrusion and its progress, e.g. SingCERT
Handling Intrusions (2)
  • Collect and protect information associated with an intrusion
  • Apply short-term solutions to contain an intrusion
  • Eliminate all means of intruder access
  • Return systems to normal operation with the help of the incident response team
• Follow up
  • Identify and implement security lessons learned
SingCERT Essential Information
• Incident Reporting Hotline: (65) 8746666, (65) 8726198 [Fax]
• Operating hours (GMT + 8)
  • Mon - Fri (0830 - 1700)
  • Sat. (0830 - 1300)
• Web Site: http://www.singcert.org.sg
• Incident Reporting Form: http://singcert.org.sg/incident_report_form.txt
Thank You
http://www.singcert.org.sg