Security: New Trends, New Issues
Internet2 Fall Member Meeting 2004
Doug Pearson
Indiana University
Research and Education Networking ISAC
http://www.ren-isac.net
2004 CSI/FBI Computer Crime and Security Survey
http://www.gocsi.com/
? (!)
2004 CSI/FBI Survey
Percent Conducting Security Audits – Up
2004 CSI/FBI Survey
Technologies Employed – Up
2004 CSI/FBI Survey
Training – Up
2004 CSI/FBI Survey
Dollar Losses – Down
Factors
• Poll of the CSI membership
• Doesn’t represent global picture
• Small business is not well represented
• Doesn’t account for rising number of always-on home systems on broadband networks
Maybe it means…
• Poll of CSI members; “They have joined CSI because they want to find ways to reduce economic losses.” [2]
• The reductions don’t seem to represent the world at large, but
• Maybe the survey simply affirms that organizations that are taking an active security posture will recognize substantial results.
CERT/CC & US-CERT Advisories
Trends and Landscape
• Rate of discovery of vulnerabilities is up – statistically relevant increases since 2002.
• Time to exploit is down; in 2002 the average time was generalized as 14 days, in 2003 7-10 days, now at times less than a week
• AV strategies and deployments are getting better
• Patch response is getting better (vendors and users)
Trends and Landscape
• Sites are employing quarantine zones with scan/patch requirements
• More administrative control of end-system configurations at non-traditionally centralized organizations, e.g. MS auto-update turned on, AV installed and active;
• Some large-scale enterprises have difficulty with rapid patch/version deployment due to internal testing requirements – as seen with XP SP2 adoption.
Trends and Landscape
• Increased use of firewalls and/or ACL
• Med-large business, higher education, and government sectors are all getting much more serious about security; still need much more awareness and upper-management commitment
• Small business isn't as prepared – lack the technical proficiency and resources
• Home systems always-on threat base is large. Lack of due care is a critical issue.
Trends and Landscape
• Overseas threat base is very large (and active), particularly Asia Pacific and Eastern Europe – borne out in traffic patterns from worm scanning, botted systems, etc.
• Pre-fab tools make it easy for unsophisticated attackers to launch sophisticated attacks; move from disruptive behavior to for-profit motive, e.g. identity theft and extortion; increasing the risk to average end-users.
Trends and Landscape
• Sophisticated multi-purpose, multi-attack vectors (e.g. phatbot) are on the rise
• The botnet problem is very serious; move from disruptive behavior to for-profit motives.
• The phishing problem is very serious; overwhelming increase from a few in 2003 to several per week. FTC estimates 5% success.
• Intrusion attacks can expand very rapidly, e.g. the Spring 2004 *nix compromises proceeded with astonishing rapidity
Trends and Landscape
• Organized crime is becoming more engaged, particularly with extortion based on theft of information and DDoS threat, and identity theft
• There's much more successful extortion (e.g. at financial institutions) than gets reported; which has interested organized crime, particularly in Eastern Europe
• Information sharing for effective practice is increasing; EDUCAUSE Effective Practices Guide
Trends and Landscape
• Information sharing for response is increasing; regional (gigaPoP), REN-ISAC, and industry operational forums
• Cross-organization response activities are working, but the active threat is large
• Use of blacklist route servers by internet service providers increasing
Acknowledgements
• 2004 CSI/FBI Survey
  – http://www.gocsi.com/
• Internet Security Systems
  – http://www.iss.net
  – Carter Schoenberg
• US-CERT & CERT/CC
  – http://www.us-cert.gov
  – http://www.cert.org
References
• [1] http://www.enterpriseitplanet.com/security/features/article.php/11321_3385371_1
• [2] Robert Richardson, editorial director of CSI
REN-ISAC Information Sharing
• Opportunity:
  – Extensive sharing within a trusted circle of operational security professionals of actionable information regarding active sources of cyber threat, in a manner permitting expedient action upon the shared information, will facilitate a reduction of threat scale, protection of resources, and resolution of specific infections.
REN-ISAC Information Sharing
• Sharing needs to occur within a closed/vetted trust circle of operational security professionals
  – don't want to tip off the bad guys
  – don't want operational personnel or processes to publicly expose compromise information
  – don't want to hamper law enforcement or other investigations
  – at times may be operating in gray areas
REN-ISAC Information Sharing
• There's a lot of information to share
  – analysis from netflow
  – analysis from darknets
  – analysis from IDS and firewalls
  – information sources include the activities of various groups formed around Internet service providers, research activities, loose associations, individuals, institutions, ISACs, etc.
REN-ISAC Information Sharing
• Examples of information
  – worm scanning [show example data]
  – SSH scanners [show example data]
  – Bots C&C and botted systems [show example data]
  – DDoS
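As an added illustration of the "analysis from netflow" that produces such scanner lists (example code written for this page, not REN-ISAC's tooling): a fan-out check over constructed, unidirectional flow records that flags sources sweeping one port across many hosts with tiny flows, while leaving real SSH sessions and ordinary web browsing alone. The record layout and the thresholds are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """One unidirectional flow record (constructed layout, not real NetFlow fields)."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


# Constructed sample data in the spirit of the "show example data" slides.
SAMPLE_FLOWS = [
    # 192.0.2.10 sweeps tcp/22 across a /24: one packet per target, no session ever forms
    *[Flow("192.0.2.10", f"198.51.100.{i}", 22, 1, 60) for i in range(1, 41)],
    # 192.0.2.77 sweeps tcp/445, the classic worm-propagation pattern
    *[Flow("192.0.2.77", f"203.0.113.{i}", 445, 2, 120) for i in range(1, 31)],
    # legitimate admin: a few long SSH sessions to a handful of hosts
    Flow("192.0.2.5", "198.51.100.7", 22, 812, 96000),
    Flow("192.0.2.5", "198.51.100.9", 22, 455, 52000),
    # web browsing: many destinations, but every flow carries a real exchange
    *[Flow("192.0.2.20", f"203.0.113.{i}", 80, 40, 30000) for i in range(50, 70)],
]


def find_scanners(flows, fanout=20, max_packets=3):
    """Return (src, dport, distinct_targets) for sources that touch at least
    `fanout` distinct destinations on one port using flows of `max_packets`
    or fewer packets (a SYN with no completed handshake looks like this).
    Result is sorted with the widest sweep first."""
    targets = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[(f.src, f.dport)].add(f.dst)
    hits = [(src, dport, len(dsts))
            for (src, dport), dsts in targets.items() if len(dsts) >= fanout]
    return sorted(hits, key=lambda h: -h[2])
```

A real deployment would window the records by time and exclude known scanners of its own (e.g. a campus vulnerability scanner) before sharing the result.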
REN-ISAC Information Sharing
• Types of useful sharing
  – simple formatted lists via e-mail
  – automated action methods, e.g. blacklist route server
    • what policy and management methods are necessary for institutions to trust and employ auto methods?
    • what administrative and descriptive metadata needs to be associated to blacklist entries?
  – other types?
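An added example (not REN-ISAC's code) of what per-entry metadata and a local acceptance policy could look like before an automated method such as a blacklist route server acts on a shared list: who reported it, when, for how long, and how confident they are, checked against the receiving site's own rules. The list format, field names, thresholds and address blocks are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed shared list (assumed format). Fields:
# prefix | category | reporter | first_seen (UTC) | ttl_hours | confidence
SHARED_LIST = """\
192.0.2.10/32    | ssh-scan  | site-a  | 2004-10-01T12:00Z | 48 | high
192.0.2.77/32    | worm-scan | site-b  | 2004-10-01T13:30Z | 48 | high
203.0.113.0/24   | botnet-cc | site-c  | 2004-10-01T08:00Z | 24 | high
198.51.100.0/24  | ddos      | site-a  | 2004-10-01T14:00Z | 48 | high
10.0.0.0/8       | worm-scan | site-a  | 2004-10-01T14:00Z | 48 | high
192.0.2.200/32   | botnet-cc | site-b  | 2004-09-20T08:00Z | 24 | high
203.0.113.9/32   | botnet-cc | site-b  | 2004-10-01T09:00Z | 48 | medium
"""

# The receiving institution's own address space (assumed).
LOCAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/22")]


def parse_list(text):
    """Parse the pipe-separated list into dicts with typed fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        prefix, cat, reporter, seen, ttl, conf = [f.strip() for f in line.split("|")]
        entries.append({
            "prefix": ipaddress.ip_network(prefix),
            "category": cat,
            "reporter": reporter,
            "first_seen": datetime.strptime(seen, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc),
            "ttl": timedelta(hours=int(ttl)),
            "confidence": conf,
        })
    return entries


def select_for_auto_action(entries, now, vetted_reporters, max_prefixlen=24):
    """Local policy gate: returns (accepted, rejected) as (prefix, category-or-reason) pairs.
    Only entries that pass every check would be pushed to the route server unattended."""
    accepted, rejected = [], []
    for e in entries:
        p, reason = e["prefix"], None
        if e["reporter"] not in vetted_reporters:
            reason = "unvetted reporter"
        elif e["confidence"] != "high":
            reason = "confidence below threshold"
        elif now > e["first_seen"] + e["ttl"]:
            reason = "entry expired"  # entries must age out, or the blacklist only grows
        elif any(p.subnet_of(loc) or loc.subnet_of(p) for loc in LOCAL_PREFIXES):
            reason = "overlaps own address space"  # never blackhole yourself automatically
        elif p.prefixlen < max_prefixlen:
            reason = "prefix too broad (shorter than /24)"
        (rejected if reason else accepted).append((str(p), reason or e["category"]))
    return accepted, rejected
```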
REN-ISAC Information Sharing
• Requirements for information sharing
  – a structured method to establish and maintain trust circle
  – How large can a trusted circle be and still be effective for free-flowing information sharing?
  – Would different levels of trust circles, e.g. regional and national, be more effective? How then to make sure that useful information gets shared broadly?
  – standard formats to represent the information
  – an organized body to facilitate process, management, and flow
REN-ISAC Information Sharing
• REN-ISAC is working on two items
  – Cyber Security Registry for Research and Education
  – preliminary to Registry, active now, closed/vetted mailing list RENISAC-SEC-L
REN-ISAC Cyber Security Registry
• To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for all US colleges and universities.
• The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior.
• All registrations will be vetted for authenticity.
• Primary registrant assigns delegates. Delegates can be functional accounts.
• Currency of the information will be aggressively maintained.
REN-ISAC Cyber Security Registry
• Aiming for 24 x 7 contact, with deep reach – a decision maker, primary actor, with clearance for sensitive information.
• Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution – reports may identify specific machines.
• Related Registry information to serve network security management and response:
  – address blocks
  – routing registry
  – network connections (e.g. Abilene, NLR)
REN-ISAC Cyber Security Registry
• Registry information will be:
  – utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow,
  – utilized by the REN-ISAC for early warning,
  – open to the members of the trusted circle established by the Registry, and
  – with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISPs and law enforcement.
REN-ISAC Cyber Security Registry
• The Registry will enable:
  – Appropriate communications by the REN-ISAC
  – Sharing of sensitive information derived from the various information sources:
    • Network instrumentation, including netflow, ACL counters, and operational monitoring systems
    • Daily security status calls with ISACs and US-CERT
    • Vetted/closed network security collaborations
    • Backbone and member security and network engineers
    • Vendors, e.g. monthly ISAC calls with vendors
    • Members – related to incidents on local networks
REN-ISAC Cyber Security Registry
• The Registry will enable:
  – Sharing among the trusted circle members
  – Establishment of a vetted/trusted mailing list for members to share sensitive information
  – Access to the REN-ISAC / US-CERT secure portal
  – Access to segmented data and tools:
    • Segmented views of netflow information
    • Per-interface ACLs
    • Other potentials that can be served by a federated trust environment
REN-ISAC Information Sharing
• RENISAC-SEC-L mailing list
  – for individuals who would meet the Registry criteria, i.e. primary registrant as CIO/ITSO and delegates
  – http://www.ren-isac.net/renisac-sec-l.html