
Security Incident Handlings How can we work together to provide confidence for Internet users?


Presentation Transcript


  1. Security Incident Handlings: How can we work together to provide confidence for Internet users?
     Suguru Yamaguchi, Ph.D., JPCERT/CC (WIDE Project/NAIST)

  2. Overview
     • "Security Incidents" in the Internet
       • Security incidents are widely spread across the Internet, and the number observed keeps increasing. Because the Internet is now used for so many areas of activity, security incidents can have serious impacts on our society.
     • Fighting against these security incidents
       • Technical approaches
         • Network operations, software development (OS, applications)
       • Non-technical approaches
         • Law enforcement
         • Regulations and law
         • Insurance
     APNIC OPM - August 2001

  3. Current Situation

  4. Def. Security Incidents
     • Any kind of activity that directly interferes with our communication infrastructure
       • Intentional / malicious
         • Intrusion from outside, information leakage, password theft, malicious code implanted from outside, denial of service attacks, ....
       • Non-intentional
         • Misuse by customers, system down, power failure, ....
     • Network operators have to handle both kinds of activity and protect their systems from any trouble.

  5. Security Incidents observed recently
     • Port scanning & probes
       • These happen every day in any environment.
       • Recognized as a prologue to more significant incidents
     • Intrusion, break-in
       • Using weak and/or cracked passwords to log in directly to the system.
         • But this is quite rare these days because One Time Password systems (challenge-response type) are widely used.
       • Using a "buffer overflow" security hole to implant and execute "shell-code" on the targeted system.
         • Almost all attack tools use this method.
     • Amplifiers and open relays
       • SPAM, packet smurfing, ...
     • Denial of Service (DoS)
       • Generating excessive load on the targeted system
       • Distributed DoS
         • Targeting major WWW servers, IRC servers, and other services

  6. Statistics@JPCERT/CC (1)

  7. Statistics@JPCERT/CC (2)

  8. Statistics@CERT/CC

  9. Common Scenario
     • Scanning ports to find out which ports are open for remote access.
     • Finding application servers that have buffer overflow security holes (sendmail, INN, phf, imap, pop, statd, named, ...).
     • Trying to implant "shell-code" and invoke a shell or another program on the target. If this succeeds, the intruder(s) obtain a way to break in to the system without any evidence being logged by the system.
     • Once they have broken in, the intruder(s) can get /etc/passwd for password cracking, and other configuration files, to learn more details of the system's setup.
     • Sometimes they try to obtain more access privileges, especially "root" access, by means of "Trojan horse" and other exploit codes.
     • Modifying system log files to erase their "footprint", and replacing some programs on the system to hide their malicious activities, e.g. ps, ls, who, ....
     • They are quite likely to install a packet monitoring program to conduct wire-tapping and capture passwords exchanged in plain text over the local network.
     • Trying to spread their activities to other systems.

  10. Sophisticated Port Scan
     • More sophisticated "port scanning" techniques
       • IDS (Intrusion Detection Systems) are widely installed
       • Random access to the system
         • Attackers have to access a specific port multiple times to learn whether that port can be used for their break-in. The fundamental idea of an IDS is to catch this phenomenon.
         • Random access is a great help for attackers
           • Because an IDS does not have enough memory to record all the events it senses.
           • It is hard for the IDS to detect the port scan.
       • A "slow scan" can disguise malicious accesses to the system as a series of "mistakes"
         • It is also hard for an IDS to determine whether scans are intentional or not.
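The memory limit the slide describes can be shown directly. The detector below is an added example, not code from the presentation or from JPCERT/CC: it keeps a per-source sliding window of (time, port) events and flags a source once it has touched enough distinct ports inside that window. With a short window (little state, as in the IDS the slide describes) the fast scanner is caught but the slow one, which touches one new port every ten minutes, is never seen; with a long window both are caught. The events, the documentation-range addresses and the parameter names `window_seconds` and `port_threshold` are all constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample firewall events: (time in seconds, source IP, destination port).
# Documentation-range addresses; none of this is real traffic.
FAST_SCANNER = "198.51.100.7"   # touches 10 ports within 10 seconds
SLOW_SCANNER = "203.0.113.5"    # touches one new port every 600 seconds
WEB_CLIENT = "192.0.2.10"       # legitimate client hitting port 80 repeatedly

EVENTS = (
    [(1000 + i, FAST_SCANNER, 20 + i) for i in range(10)]
    + [(2000 + 600 * i, SLOW_SCANNER, 100 + i) for i in range(8)]
    + [(1500 + 30 * i, WEB_CLIENT, 80) for i in range(20)]
)


def detect_scans(events, window_seconds, port_threshold):
    """Flag a source that touches >= port_threshold distinct ports within
    window_seconds. State per source is a sliding window, so the memory the
    detector keeps is bounded by the window length, which is exactly the
    limit the slide describes for an IDS. Returns the set of flagged sources."""
    recent = defaultdict(deque)   # src -> deque of (time, port) still inside the window
    flagged = set()
    for ts, src, port in sorted(events):
        q = recent[src]
        q.append((ts, port))
        while ts - q[0][0] > window_seconds:   # evict events that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= port_threshold:
            flagged.add(src)
    return flagged


def compare_windows(events, port_threshold=5):
    """Run the same detector with a short and a long window to show the difference."""
    return {
        "short_window_60s": detect_scans(events, 60, port_threshold),
        "long_window_2h": detect_scans(events, 7200, port_threshold),
    }


if __name__ == "__main__":
    for name, hits in compare_windows(EVENTS).items():
        print(f"{name}: {sorted(hits) or 'nothing flagged'}")
```

The repeated hits on port 80 never raise the distinct-port count, so the legitimate client is not flagged under either window; only the window length decides whether the slow scanner is seen.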

  11. Last 3 months
     • Buffer overflow is the main route used to break in.
     • Microsoft IIS is causing major trouble.
       • HUC attacks in 2001 Q1 and Q2
       • CodeRed and CodeRed II
       • Since Windows NT/2kp/2k-as are installed on a huge number of systems, it is fairly easy for attackers to make their attacks "pandemic".
     • Dedicated Internet circuits cause more trouble
       • xDSL and FTTH services are becoming more popular in many countries.
       • At home or in small offices there are many "non-protected" systems
         • Attackers are now using them as DoS handlers
         • Scanning ports 137 and 139
       • Promoting the use of "personal firewalls" is required, but ....
     • Worms on UNIX
       • A very classic break-in method, e.g. the RTM worm in 1988
       • Ramen, Lion, CodeRed
       • The break-in method uses "buffer overflow"

  12. Sadmind: traversing various operating systems (Solaris, Windows)
     ① Using a "buffer overflow" security hole in sadmind on Solaris OS, then implanting the worm program on the system
     ② Scanning IIS on the local networks, then putting special code into IIS in order to replace WWW pages and crash them
     ③ Making its own copy on other systems on which sadmind on Solaris OS is running. This is its activity as a worm.

  13. DDoS (1)
     • Distributed DoS attack
       • Preparing multiple DoS handlers (agents) in the Internet, then simultaneously generating traffic from them.
       • Even if each DoS handler generates only a small amount of traffic, the aggregated traffic can be 100 Mbps or more in many cases
       • Automatic DDoS tools are now widely available on the Internet
         • Trinoo, TFN, TFN2K
     • Making serious impact on commercial Web sites
       • Yahoo!, CNN, eBay, Amazon, etc. were attacked by this method in Feb. 2000.
       • Many governments recognize that DDoS is a "top priority" threat we have to consider.
     • There is no major solution for this attack....

  14. DDoS (2)
     Diagram: Attacker → Agents → Target (stop services)
     1. Implant DoS code from outside
     2. Get the trigger to start generating the traffic

  15. Protect Your System
     • Set up your "security policy" and operational rules for all the people involved in network / system operations
     • Continuously apply the security patches issued by software vendors
       • Audit and update the system in a proper manner
       • It is quite rare to face attacks by an unknown method.
     • Make it "business as usual"
       • Clearly defined procedures for all of us.
     • Use technology
       • IDS, firewalls, audit tools, ....

  16. CSIRT: Computer Security Incident Response Team

  17. Background
     • Problem solution requires working together with
       • various organizations (universities, industries, government, law enforcement [detectives], ....)
       • Technical analysis is always required
       • Organizations / persons in other countries, because security incidents may be caused by someone in another country.
     • An information switchboard is a good idea
       • For smooth communication and collaboration
       • For wide-range analysis of information
       • As an information repository

  18. CSIRT
     • Computer Security Incident Response Team
       • Organization focused on computer security incidents
       • Technical professionals for analysis, assistance with problem solution, and accelerating information exchange among the organizations involved in a specific security incident
     • CERT/CC in the US, 1988
       • Funded by DoD, but not fully involved with law enforcement
     • Currently, many countries have their own IRT as a national contact point
       • Sometimes a government subsidiary, an independent group, a university, ....
       • "There is" is much better than "there isn't"
       • A stable contact point is the key idea

  19. Ex. Activities in JPCERT/CC
     • Incident response
       • Gathering reports from users on the Internet
       • Analyzing attack methods observed in our constituency
       • Exchanging information with other IRTs in the world
       • Encouraging vendors to develop countermeasures for attacks.
     • Promoting development and deployment of security technologies
       • Gathering information on Internet technologies
       • Publishing warnings and security alerts
       • Organizing symposiums, workshops, and conferences on security technologies and engineering
       • Providing information on the Internet through WWW and e-mail lists

  20. Coordination (1)
     Diagram: JPCERT/CC coordinating between the involved sites, technical advisors, vendors and corporations
     • Providing help on problem solutions
       • Information
       • Coordination
       • Confidentiality
     • Analysis on attacks

  21. Coordination (2)
     • Providing information
       • Technical information
       • Warnings
       • Periodical circulation of information
     • Analysis to know the current situation

  22. Function of National IRT
     • Information repository for everybody
     Diagram: JPCERT/CC (neutral, compact, focused on analysis) as the information repository; industries and users send reports and requests for help and receive information, technology transfer and human resource development (mutual benefits)

  23. FIRST
     • Forum of Incident Response and Security Teams
       • International forum of CSIRTs
       • Membership based
       • Mutual trust infrastructure for exchanging information among CSIRTs in the world
       • Membership requires an annual fee, but it is not too much
     • Annual conference
       • In Hawaii in 2002
     • Technical colloquia
     • http://www.first.org/

  24. Teams in AP region
     • Australia: AusCERT, www.auscert.org.au
     • China: CERCERT, www.edu.cn
     • Indonesia: ID-CERT, www.paume.itb.ac.id/rahard/id-cert
     • Japan: JPCERT/CC, www.jpcert.or.jp
     • Korea: CERTCC-KR, www.certcc.or.kr
     • Malaysia: MyCERT, www.mycert.mimos.my
     • Philippines: PH-CERT, www.phcert.org.ph
     • Singapore: SingCERT, www.singcert.org.sg
     • Taiwan: TWCERT, www.cert.org.tw
     • These teams are considered the national IRT contacts. You may have other contacts for incident response, such as the security team in your organization or law enforcement, depending on your situation.
     • If you know of other IRTs not listed here, please give me information on them. Thanks!

  25. APSIRC
     • Asia-Pacific Security Incident Response Centers
       • Virtual forum for exchanging information / ideas
       • Mailing list managed by the APNG group
         • Major persons working in this area are registered.
         • Mail to apsirc-request@apng.org if you want to subscribe
         • There is little traffic on the list
     • Promoting the establishment of IRTs in countries where there is no national contact.
       • An organization or person as a stable contact point is highly required.
       • The IRT does not have to be funded by the government.

  26. IRT requires various information
     • Information we need...
       • Address allocation and domain allocation
       • Contact points for vendors, ISPs, victims, suspects, ....
         • Ask about the situation
         • Ask for collaboration and cooperation to solve the specific incident
       • Address smurfing is our headache
         • A reliable WHOIS database
         • Special access permission to the WHOIS database
         • At national and international level
       • Contact point to law enforcement
         • Security incidents are banned in many countries.
         • Sometimes contacting law enforcement is mandatory
     • APNIC has a quite important role in maintaining the databases that help IRTs in the AP region

  27. Government Activities (1)
     • Inter-governmental network for law enforcement teams
       • 24/7
       • ICPO, G8 Lyon Group
     • Interaction between industries and governments is still under discussion
       • G8 subgroup on high-tech crime / professional workshop
       • Held in Oct. 2000 in Berlin and May 2001 in Tokyo

  28. Government Activities (2)
     • European treaty for the fight against high-tech crimes
       • Discussed since 2000, public comment requested in March 2001, finalized in July 2001.
       • Will become effective through the ratification process in each country
       • This treaty requires a country to maintain / create / modify laws to prepare consistent action against high-tech crimes
         • E.g. all the countries that ratify it should have a law banning computer virus development as well as circulation.

  29. Government Activities (3)
     • CSIRTs have to work with the government in some cases
       • Dialogue with government is very important, because we should not be isolated from government.
     • Law enforcement is now the major group working on computer / network security issues in many countries
     • Collaborations ....

  30. Summary
     • Security incidents: growing rapidly
     • CSIRT: always busy
     • APNIC and country registries: please work with the CSIRT in each member state to provide reliable information on who is using the address and domain.
     • Countries that do not have a CSIRT: make one!
