Security: New Trends, New Issues Internet2 Fall Member Meeting 2004


Doug Pearson

Indiana University

Research and Education Networking ISAC

http://www.ren-isac.net

2004 CSI/FBI Computer Crime and Security Survey
http://www.gocsi.com/
Factors
  • Poll of the CSI membership
  • Doesn’t represent global picture
  • Small business is not well represented
  • Doesn’t account for rising number of always-on home systems on broadband networks
Maybe it means…
  • Poll of CSI members; “They have joined CSI because they want to find ways to reduce economic losses.” [2]
  • The reductions don’t seem to represent the world at large, but
  • Maybe the survey simply affirms that organizations that are taking an active security posture will recognize substantial results.
Trends and Landscape
  • Rate of discovery of vulnerabilities is up – statistically relevant increases since 2002.
  • Time to exploit is down; in 2002 the average time was generalized as 14 days, in 2003 7-10 days, now at times less than a week
  • AV strategies and deployments are getting better
  • Patch response is getting better (vendors and users)
Trends and Landscape
  • Sites are employing quarantine zones with scan/patch requirements
  • More administrative control of end-system configurations at non-traditionally centralized organizations, e.g. MS auto-update turned on, AV installed and active
  • Some large-scale enterprises have difficulty with rapid patch/version deployment due to internal testing requirements – as seen with XP SP2 adoption.
Trends and Landscape
  • Increased use of firewalls and/or ACL
  • Med-large business, higher education, and government sectors are all getting much more serious about security; still need much more awareness and upper-management commitment
  • Small business isn't as prepared – lacks the technical proficiency and resources
  • Home systems always-on threat base is large. Lack of due care is a critical issue.
Trends and Landscape
  • Overseas threat base is very large (and active), particularly Asia Pacific and Eastern Europe – borne out in traffic patterns from worm scanning, botted systems, etc.
  • Pre-fab tools make it easy for unsophisticated attackers to launch sophisticated attacks; move from disruptive behavior to for-profit motive, e.g. identity theft and extortion; increasing the risk to average end-users.
Trends and Landscape
  • Sophisticated multi-purpose, multi-attack vectors (e.g. phatbot) are on the rise
  • The botnet problem is very serious; move from disruptive behavior to for-profit motives.
  • The phishing problem is very serious; overwhelming increase from a few in 2003 to several per week. FTC estimates 5% success.
  • Intrusion attacks can expand very rapidly, e.g. the Spring 2004 *nix compromises proceeded with astonishing rapidity
Trends and Landscape
  • Organized crime is becoming more engaged, particularly with extortion based on theft of information and DDoS threat, and identity theft
  • There's much more successful extortion (e.g. at financial institutions) than gets reported, which has interested organized crime, particularly in Eastern Europe
  • Information sharing for effective practice is increasing; EDUCAUSE Effective Practices Guide
Trends and Landscape
  • Information sharing for response is increasing; regional (gigaPoP), REN-ISAC, and industry operational forums
  • Cross-organization response activities are working, but the active threat is large
  • Use of blacklist route servers by internet service providers increasing
Acknowledgements
  • 2004 CSI/FBI Survey
    • http://www.gocsi.com/
  • Internet Security Systems
    • http://www.iss.net
    • Carter Schoenberg
  • US-CERT & CERT/CC
    • http://www.us-cert.gov
    • http://www.cert.org
References
  • [1] http://www.enterpriseitplanet.com/security/features/article.php/11321_3385371_1
  • [2] Robert Richardson, editorial director of CSI
REN-ISAC Information Sharing
  • Opportunity:
    • Extensive sharing within a trusted circle of operational security professionals of actionable information regarding active sources of cyber threat in a manner permitting expedient action upon the shared information will facilitate a reduction of threat scale, protection of resources, and resolution of specific infections.
REN-ISAC Information Sharing
  • Sharing needs to occur within a closed/vetted trust circle of operational security professionals
    • don't want to tip off the bad guys
    • don't want operational personnel or processes to publicly expose compromise information
    • don't want to hamper law enforcement or other investigations
    • at times may be operating in gray areas
REN-ISAC Information Sharing
  • There's a lot of information to share
    • analysis from netflow
    • analysis from darknets
    • analysis from IDS and firewalls
    • information sources include the activities of various groups formed around Internet service providers, research activities, loose associations, individual institutions, ISACs, etc.
REN-ISAC Information Sharing
  • Examples of information
    • worm scanning [show example data]
    • SSH scanners [show example data]
    • Bots C&C and botted systems [show example data]
    • DDoS
REN-ISAC Information Sharing
  • Types of useful sharing
    • simple formatted lists via e-mail
    • automated action methods, e.g. blacklist route server
      • what policy and management methods are necessary for institutions to trust and employ auto methods?
      • what administrative and descriptive metadata needs to be associated to blacklist entries?
    • other types?
REN-ISAC Information Sharing
  • Requirements for information sharing
    • a structured method to establish and maintain trust circle
    • How large can a trusted circle be and still be effective for free-flowing information sharing?
    • Would different levels of trust circles, e.g. regional and national, be more effective? How then to make sure that useful information gets shared broadly?
    • standard formats to represent the information
    • an organized body to facilitate process, management, and flow
REN-ISAC Information Sharing
  • REN-ISAC is working on two items
    • Cyber Security Registry for Research and Education
    • preliminary to Registry, active now, closed/vetted mailing list RENISAC-SEC-L
REN-ISAC Cyber Security Registry
  • To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for all US colleges and universities.
  • The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior.
  • All registrations will be vetted for authenticity.
  • Primary registrant assigns delegates. Delegates can be functional accounts.
  • Currency of the information will be aggressively maintained.
REN-ISAC Cyber Security Registry
  • Aiming for 24 x 7 contact, with deep reach – a decision maker, primary actor, with clearance for sensitive information.
  • Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution – reports may identify specific machines.
  • Related Registry information to serve network security management and response:
    • address blocks
    • routing registry
    • network connections (e.g. Abilene, NLR)
REN-ISAC Cyber Security Registry
  • Registry information will be:
    • utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow,
    • utilized by the REN-ISAC for early warning,
    • open to the members of the trusted circle established by the Registry, and
    • with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISPs and law enforcement.
REN-ISAC Cyber Security Registry
  • The Registry will enable:
    • Appropriate communications by the REN-ISAC
    • Sharing of sensitive information derived from the various information sources:
      • Network instrumentation, including netflow, ACL counters, and operational monitoring systems
      • Daily security status calls with ISACs and US-CERT
      • Vetted/closed network security collaborations
      • Backbone and member security and network engineers
      • Vendors, e.g. monthly ISAC calls with vendors
      • Members – related to incidents on local networks
REN-ISAC Cyber Security Registry
  • The Registry will enable:
    • Sharing among the trusted circle members
    • Establishment of a vetted/trusted mailing list for members to share sensitive information
    • Access to the REN-ISAC / US-CERT secure portal
    • Access to segmented data and tools:
      • Segmented views of netflow information
      • Per-interface ACLs
      • Other potentials that can be served by a federated trust environment
REN-ISAC Information Sharing
  • RENISAC-SEC-L mailing list
    • for individuals who would meet the Registry criteria, i.e. primary registrant as CIO/ITSO and delegates
    • http://www.ren-isac.net/renisac-sec-l.html