Security: New Trends, New Issues
Internet2 Fall Member Meeting 2004

Doug Pearson

Indiana University

Research and Education Networking ISAC

2004 CSI/FBI Computer Crime and Security Survey (http://www.gocsi.com)
  • Poll of the CSI membership
  • Doesn't represent the global picture
  • Small business is not well represented
  • Doesn’t account for rising number of always-on home systems on broadband networks
Maybe it means…
  • Poll of CSI members; “They have joined CSI because they want to find ways to reduce economic losses.” [2]
  • The reductions don’t seem to represent the world at large, but
  • Maybe the survey simply affirms that organizations that are taking an active security posture will recognize substantial results.
Trends and Landscape
  • Rate of discovery of vulnerabilities is up – statistically relevant increases since 2002.
  • Time to exploit is down; in 2002 the average time was generalized as 14 days, in 2003 7-10 days, now at times less than a week
  • AV strategies and deployments are getting better
  • Patch response is getting better (vendors and users)
  • Sites are employing quarantine zones with scan/patch requirements
  • More administrative control of end-system configurations at organizations that have not traditionally been centralized, e.g. MS auto-update turned on, AV installed and active
  • Some large-scale enterprises have difficulty with rapid patch/version deployment due to internal testing requirements – as seen with XP SP2 adoption.
  • Increased use of firewalls and/or ACL
  • Med-large business, higher education, and government sectors are all getting much more serious about security; still need much more awareness and upper-management commitment
  • Small business isn't as prepared; it lacks the technical proficiency and resources
  • The always-on home-system threat base is large. Lack of due care is a critical issue.
  • Overseas threat base is very large (and active), particularly Asia Pacific and Eastern Europe – borne out in traffic patterns from worm scanning, botted systems, etc.
  • Pre-fab tools make it easy for unsophisticated attackers to launch sophisticated attacks; move from disruptive behavior to for-profit motive, e.g. identity theft and extortion; increasing the risk to average end-users.
  • Sophisticated multi-purpose, multi-attack vectors (e.g. phatbot) are on the rise
  • The botnet problem is very serious; move from disruptive behavior to for-profit motives.
  • The phishing problem is very serious; overwhelming increase from a few in 2003 to several per week. FTC estimates 5% success.
  • Intrusion attacks can expand very rapidly, e.g. the Spring 2004 *nix compromises proceeded with astonishing rapidity
  • Organized crime is becoming more engaged, particularly with extortion based on theft of information and DDoS threat, and identity theft
  • There's much more successful extortion (e.g. at financial institutions) than gets reported, which has drawn the interest of organized crime, particularly in Eastern Europe
  • Information sharing for effective practice is increasing; EDUCAUSE Effective Practices Guide
  • Information sharing for response is increasing; regional (gigaPoP), REN-ISAC, and industry operational forums
  • Cross-organization response activities are working, but the active threat is large
  • Use of blacklist route servers by internet service providers increasing
  • 2004 CSI/FBI Survey
  • Internet Security Systems (Carter Schoenberg)
  • [1]
  • [2] Robert Richardson, editorial director of CSI
REN-ISAC Information Sharing
  • Opportunity:
    • Extensive sharing, within a trusted circle of operational security professionals, of actionable information about active sources of cyber threat, done in a manner that permits expedient action on the shared information, will reduce threat scale, protect resources, and resolve specific infections.
  • Sharing needs to occur within a closed/vetted trust circle of operational security professionals
    • don't want to tip off the bad guys
    • don't want operational personnel or processes to publicly expose compromise information
    • don't want to hamper law enforcement or other investigations
    • at times may be operating in gray areas
  • There's a lot of information to share
    • analysis from netflow
    • analysis from darknets
    • analysis from IDS and firewalls
    • information sources include the activities of various groups formed around Internet service providers, research activities, loose associations, individuals, institutions, ISACs, etc.
  • Examples of information
    • worm scanning [show example data]
    • SSH scanners [show example data]
    • Bots C&C and botted systems [show example data]
    • DDoS
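The slides list netflow and darknet analysis as sources and worm scanning and SSH scanners as the kind of information shared, but the example data was shown live and is not in the transcript. The following is an added example, not the REN-ISAC's code or data: it parses a constructed flow export, flags sources that touch many distinct destinations on one TCP port with tiny flows (the pattern of a worm sweep or an SSH scanner), counts sources that hit a darknet prefix, and renders the findings as lines of the sort that would go into a shared list. The record format, the darknet prefix 198.51.100.0/24, the thresholds and all addresses are assumptions.

```python
"""Flag scanning sources in flow records (added example, not from the slides).

Assumptions: flow records arrive as one whitespace-separated line each,
    <start_epoch> <src_ip> <dst_ip> <proto> <dst_port> <packets> <bytes>
and the site has a darknet prefix (unused address space) that should
receive no legitimate traffic at all. Format and prefix are assumed here.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    start: int
    src: str
    dst: str
    proto: int
    dport: int
    packets: int
    octets: int


# Constructed sample export: 10.1.2.3 sweeps tcp/445 (worm-like), 10.1.2.9
# probes SSH on many hosts, 10.1.5.5 is ordinary web traffic, and an outside
# host pokes a darknet address. 198.51.100.0/24 plays the darknet.
SAMPLE_FLOWS = """\
1097000000 10.1.2.3 192.0.2.10 6 445 1 48
1097000000 10.1.2.3 192.0.2.11 6 445 1 48
1097000001 10.1.2.3 192.0.2.12 6 445 1 48
1097000001 10.1.2.3 192.0.2.13 6 445 1 48
1097000002 10.1.2.3 192.0.2.14 6 445 1 48
1097000002 10.1.2.3 198.51.100.7 6 445 1 48
1097000003 10.1.2.3 198.51.100.9 6 445 1 48
1097000000 10.1.2.9 192.0.2.20 6 22 2 120
1097000001 10.1.2.9 192.0.2.21 6 22 2 120
1097000002 10.1.2.9 192.0.2.22 6 22 2 120
1097000003 10.1.2.9 192.0.2.23 6 22 2 120
1097000004 10.1.2.9 192.0.2.24 6 22 2 120
1097000000 10.1.5.5 192.0.2.10 6 80 40 12000
1097000005 10.1.5.5 192.0.2.11 6 80 35 9800
1097000006 203.0.113.7 198.51.100.20 6 1433 1 48
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed export format; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 7:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                          int(f[5]), int(f[6])))
    return flows


def find_scanners(flows: List[Flow], min_targets: int = 5,
                  max_packets: int = 3) -> Dict[Tuple[str, int], int]:
    """Sources that touch many distinct destinations on one TCP port with
    tiny flows: the signature of worm sweeps and SSH scanners.
    Returns {(src, dport): number_of_distinct_targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == 6 and f.packets <= max_packets:
            targets[(f.src, f.dport)].add(f.dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def darknet_sources(flows: List[Flow], darknet: str) -> Dict[str, int]:
    """Any flow into the darknet is unsolicited; count them per source."""
    net = ip_network(darknet)
    hits = defaultdict(int)
    for f in flows:
        if ip_address(f.dst) in net:
            hits[f.src] += 1
    return dict(hits)


def report(flows: List[Flow], darknet: str = "198.51.100.0/24") -> List[str]:
    """Human-readable lines of the kind that would go into a shared list."""
    lines = []
    for (src, dport), n in sorted(find_scanners(flows).items()):
        kind = "SSH scanner" if dport == 22 else f"scan of tcp/{dport}"
        lines.append(f"{src}: {kind}, {n} distinct targets")
    for src, n in sorted(darknet_sources(flows, darknet).items()):
        lines.append(f"{src}: {n} flow(s) into darknet {darknet}")
    return lines


if __name__ == "__main__":
    for line in report(parse_flows(SAMPLE_FLOWS)):
        print(line)
```

The web client 10.1.5.5 is not flagged because its flows carry many packets, which is why the packet ceiling matters: a threshold on distinct destinations alone would also catch busy legitimate hosts. The darknet check needs no threshold at all, since nothing should be talking to unused space.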
  • Types of useful sharing
    • simple formatted lists via e-mail
    • automated action methods, e.g. blacklist route server
      • what policy and management methods are necessary for institutions to trust and employ auto methods?
      • what administrative and descriptive metadata needs to be associated with blacklist entries?
    • other types?
  • Requirements for information sharing
    • a structured method to establish and maintain a trust circle
    • How large can a trusted circle be and still be effective for free-flowing information sharing?
    • Would different levels of trust circles, e.g. regional and national, be more effective? How then to make sure that useful information gets shared broadly?
    • standard formats to represent the information
    • an organized body to facilitate process, management, and flow
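The two preceding lists raise the questions of what metadata a blacklist entry needs, what policy lets an institution trust an automated method such as a blacklist route server, and what a standard format would look like. The following is an added example, not a REN-ISAC format or tool: it defines one possible line format for a shared list, applies a local acceptance policy (vetted reporter, not expired, enough confidence, host route only, never our own space) to each entry, keeps the reason for every rejection, and renders the accepted entries as announcements for a blackhole route server. The pipe-separated format, the reporter names, the policy values, the addresses and the community value 65535:666 are all assumptions.

```python
"""Apply a local acceptance policy to a shared blacklist (added example).

Assumed wire format for the shared list (the slides define none):
one entry per line, pipe-separated,
    prefix|reporter|category|expires_epoch|confidence|note
The policy values, reporter names and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Entry:
    prefix: IPv4Network
    reporter: str
    category: str
    expires: int       # epoch seconds after which the entry must be withdrawn
    confidence: int    # 0..100, asserted by the reporter
    note: str


@dataclass(frozen=True)
class Policy:
    trusted_reporters: frozenset   # the vetted trust circle
    min_confidence: int
    min_prefixlen: int             # only host routes get auto-blackholed
    own_space: tuple               # never blackhole our own addresses


# Constructed sample of a list distributed to the trust circle.
SHARED_LIST = """\
203.0.113.45/32|REN-ISAC|bot-cc|1097500000|90|IRC C&C seen in netflow
198.51.100.0/24|REN-ISAC|worm-scan|1097500000|85|whole /24 sweeping tcp/445
203.0.113.99/32|unknown-list|ssh-scan|1097500000|95|not a vetted source
203.0.113.7/32|Peer-Univ|ssh-scan|1096000000|80|entry already expired
10.0.0.5/32|REN-ISAC|bot|1097500000|99|inside our own address space
203.0.113.200/32|Peer-Univ|ssh-scan|1097500000|40|low confidence
"""

LOCAL_POLICY = Policy(
    trusted_reporters=frozenset({"REN-ISAC", "Peer-Univ"}),
    min_confidence=70,
    min_prefixlen=32,
    own_space=(ip_network("10.0.0.0/8"),),
)


def parse_entries(text: str) -> List[Entry]:
    """Parse the assumed format; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"malformed entry: {line!r}")
        prefix, reporter, category, expires, confidence, note = fields
        entries.append(Entry(ip_network(prefix), reporter, category,
                             int(expires), int(confidence), note))
    return entries


def evaluate(entries: List[Entry], policy: Policy,
             now: int) -> Tuple[List[Entry], List[Tuple[str, str]]]:
    """Split entries into those safe to act on automatically and those
    rejected, each rejection carrying its reason for the audit trail."""
    accepted, rejected = [], []
    for e in entries:
        p = str(e.prefix)
        if e.reporter not in policy.trusted_reporters:
            rejected.append((p, "reporter not in trust circle"))
        elif e.expires <= now:
            rejected.append((p, "entry expired"))
        elif e.confidence < policy.min_confidence:
            rejected.append((p, "confidence below local threshold"))
        elif e.prefix.prefixlen < policy.min_prefixlen:
            rejected.append((p, "prefix too broad for automatic action"))
        elif any(e.prefix.subnet_of(n) for n in policy.own_space):
            rejected.append((p, "inside our own address space"))
        else:
            accepted.append(e)
    return accepted, rejected


def blackhole_announcements(accepted: List[Entry],
                            community: str = "65535:666") -> List[str]:
    """Render accepted entries as announcements for a blacklist route
    server; the community value is a local convention, assumed here."""
    return [f"{e.prefix} community {community} expires {e.expires}"
            f" # {e.category} via {e.reporter}: {e.note}" for e in accepted]


if __name__ == "__main__":
    ok, bad = evaluate(parse_entries(SHARED_LIST), LOCAL_POLICY, now=1097000000)
    print("\n".join(blackhole_announcements(ok)))
    for prefix, reason in bad:
        print(f"rejected {prefix}: {reason}")
```

The expiry field is what makes automated action reversible: a route server fed from this list can withdraw each announcement at its expiry time without waiting for a second message, and the reporter and note fields give the responder on the receiving end something to show when a blackholed host's owner asks why.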
  • REN-ISAC is working on two items
    • Cyber Security Registry for Research and Education
    • preliminary to Registry, active now, closed/vetted mailing list RENISAC-SEC-L
REN-ISAC Cyber Security Registry
  • To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for all US colleges and universities.
  • The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior.
  • All registrations will be vetted for authenticity.
  • Primary registrant assigns delegates. Delegates can be functional accounts.
  • Currency of the information will be aggressively maintained.
  • Aiming for 24 x 7 contact, with deep reach – a decision maker, primary actor, with clearance for sensitive information.
  • Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution – reports may identify specific machines.
  • Related Registry information to serve network security management and response:
    • address blocks
    • routing registry
    • network connections (e.g. Abilene, NLR)
  • Registry information will be:
    • utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow,
    • utilized by the REN-ISAC for early warning,
    • open to the members of the trusted circle established by the Registry, and
    • with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISPs and law enforcement.
  • The Registry will enable:
    • Appropriate communications by the REN-ISAC
    • Sharing of sensitive information derived from the various information sources:
      • Network instrumentation, including netflow, ACL counters, and operational monitoring systems
      • Daily security status calls with ISACs and US-CERT
      • Vetted/closed network security collaborations
      • Backbone and member security and network engineers
      • Vendors, e.g. monthly ISAC calls with vendors
      • Members – related to incidents on local networks
    • Sharing among the trusted circle members
    • Establishment of a vetted/trusted mailing list for members to share sensitive information
    • Access to the REN-ISAC / US-CERT secure portal
    • Access to segmented data and tools:
      • Segmented views of netflow information
      • Per-interface ACLs
      • Other potentials that can be served by a federated trust environment
REN-ISAC Information Sharing
  • RENISAC-SEC-L mailing list
    • for individuals who would meet the Registry criteria, i.e. primary registrant as CIO/ITSO and delegates