Security: New Trends, New Issues Internet2 Fall Member Meeting 2004 - PowerPoint PPT Presentation

1
Security: New Trends, New Issues
Internet2 Fall Member Meeting 2004
  • Doug Pearson
  • Indiana University
  • Research and Education Networking ISAC
  • http://www.ren-isac.net

2
2004 CSI/FBI Computer Crime and Security Survey
http://www.gocsi.com/
3
(No Transcript)
4
  • ? (!)

5
2004 CSI/FBI Survey: Percent Conducting Security Audits Up
6
2004 CSI/FBI Survey: Technologies Employed Up
7
2004 CSI/FBI Survey: Training Up
8
2004 CSI/FBI Survey: Dollar Losses Down
9
Factors
  • Poll of the CSI membership
  • Doesn't represent the global picture
  • Small business is not well represented
  • Doesn't account for the rising number of always-on
    home systems on broadband networks

10
Maybe it means
  • Poll of CSI members: "They have joined CSI
    because they want to find ways to reduce economic
    losses." [2]
  • The reductions don't seem to represent the world
    at large, but...
  • Maybe the survey simply affirms that
    organizations that are taking an active security
    posture will recognize substantial results.

11
CERT/CC US-CERT Advisories
12
Trends and Landscape
  • Rate of discovery of vulnerabilities is up:
    statistically relevant increases since 2002.
  • Time to exploit is down: in 2002 the average time
    was generalized as 14 days, in 2003 7-10 days,
    now at times less than a week
  • AV strategies and deployments are getting better
  • Patch response is getting better (vendors and
    users)

13
Trends and Landscape
  • Sites are employing quarantine zones with
    scan/patch requirements
  • More administrative control of end-system
    configurations at non-traditionally centralized
    organizations, e.g. MS auto-update turned on, AV
    installed and active
  • Some large-scale enterprises have difficulty with
    rapid patch/version deployment due to internal
    testing requirements as seen with XP SP2
    adoption.

14
Trends and Landscape
  • Increased use of firewalls and/or ACLs
  • Med-large business, higher education, and
    government sectors are all getting much more
    serious about security; still need much more
    awareness and upper-management commitment
  • Small business isn't as prepared: lacks the
    technical proficiency and resources
  • Home systems: the always-on threat base is large. Lack
    of due care is a critical issue.

15
Trends and Landscape
  • Overseas threat base is very large (and active),
    particularly Asia Pacific and Eastern Europe;
    borne out in traffic patterns from worm scanning,
    botted systems, etc.
  • Pre-fab tools make it easy for unsophisticated
    attackers to launch sophisticated attacks; the move
    from disruptive behavior to for-profit motive,
    e.g. identity theft and extortion, is increasing the
    risk to average end-users.

16
Trends and Landscape
  • Sophisticated multi-purpose, multi-attack vectors
    (e.g. phatbot) are on the rise
  • The botnet problem is very serious: move from
    disruptive behavior to for-profit motives.
  • The phishing problem is very serious:
    overwhelming increase from a few in 2003 to
    several per week. FTC estimates 5% success.
  • Intrusion attacks can expand very rapidly, e.g.
    the Spring 2004 *nix compromises proceeded with
    astonishing rapidity

17
Trends and Landscape
  • Organized crime is becoming more engaged,
    particularly with extortion based on theft of
    information and DDoS threat, and identity theft
  • There's much more successful extortion (e.g. at
    financial institutions) than gets reported, which
    has interested organized crime, particularly in
    Eastern Europe
  • Information sharing for effective practice is
    increasing: EDUCAUSE Effective Practices Guide

18
Trends and Landscape
  • Information sharing for response is increasing:
    regional (gigaPoP), REN-ISAC, and industry
    operational forums
  • Cross-organization response activities are
    working, but the active threat is large
  • Use of blacklist route servers by internet
    service providers is increasing

19
Acknowledgements
  • 2004 CSI/FBI Survey
  • http://www.gocsi.com/
  • Internet Security Systems
  • http://www.iss.net
  • Carter Schoenberg
  • US-CERT / CERT/CC
  • http://www.us-cert.gov
  • http://www.cert.org

20
References
  • [1] http://www.enterpriseitplanet.com/security/features/article.php/11321_3385371_1
  • [2] Robert Richardson, editorial director of CSI

21
REN-ISAC Information Sharing
  • Opportunity
  • Extensive sharing within a trusted circle of
    operational security professionals of actionable
    information regarding active sources of cyber
    threat in a manner permitting expedient action
    upon the shared information will facilitate a
    reduction of threat scale, protection of
    resources, and resolution of specific infections.

22
REN-ISAC Information Sharing
  • Sharing needs to occur within a closed/vetted
    trust circle of operational security
    professionals
  • don't want to tip off the bad guys
  • don't want operational personnel or processes to
    publicly expose compromise information
  • don't want to hamper law enforcement or other
    investigations
  • at times may be operating in gray areas

23
REN-ISAC Information Sharing
  • There's a lot of information to share
  • analysis from netflow
  • analysis from darknets
  • analysis from IDS and firewalls
  • information sources include the activities of
    various groups formed around Internet service
    providers, research activities, loose
    associations, individuals, institutions, ISACs,
    etc.

24
REN-ISAC Information Sharing
  • Examples of information
  • worm scanning (show example data)
  • SSH scanners (show example data)
  • Bot C&C and botted systems (show example data)
  • DDoS
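
The two slides above (analysis from netflow, and worm / SSH scanner examples) describe the kind of fan-out scanning that NetFlow analysis surfaces. The following added example, which is not part of the presentation or REN-ISAC's tooling, runs a simple fan-out detector over constructed NetFlow-style records: a source that touches many distinct destinations on one port using only tiny flows is flagged as a scanner, while a real SSH session (hundreds of packets) is not. Record layout, thresholds and the "simple formatted list" output shape are all assumptions made for the example.

```python
"""Fan-out scan detection over NetFlow-style records (added example).

The flow records below are constructed for illustration; they are not
Abilene NetFlow or any REN-ISAC data.
"""
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port
    packets: int  # packets in the flow
    octets: int   # bytes in the flow


# Constructed sample: 10.9.9.9 probes port 22 on 40 hosts with 2-packet flows
# (SSH scanner); 10.8.8.8 sweeps port 445 on 60 hosts (worm-style scanning);
# 10.1.1.5 is an admin host with two genuine, long-lived SSH sessions.
SAMPLE_FLOWS: List[Flow] = (
    [Flow("10.9.9.9", f"192.0.2.{i}", 22, 2, 120) for i in range(1, 41)]
    + [Flow("10.8.8.8", f"198.51.100.{i}", 445, 3, 180) for i in range(1, 61)]
    + [Flow("10.1.1.5", "192.0.2.10", 22, 850, 91000),
       Flow("10.1.1.5", "192.0.2.11", 22, 1200, 143000)]
)


def fan_out_scanners(flows: Iterable[Flow], port: int, min_targets: int = 20,
                     max_packets: int = 5) -> Dict[str, int]:
    """Return {source: distinct_targets} for every source that reached at
    least `min_targets` distinct destinations on `port` using only short
    flows (<= max_packets packets).

    The packet ceiling is what separates a probe from a real session: a
    completed SSH login exchanges far more than a handful of packets, so
    the admin host in the sample never accumulates "targets".
    """
    targets = defaultdict(set)
    for f in flows:
        if f.dport == port and f.packets <= max_packets:
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def scanner_report(flows: Iterable[Flow]) -> List[str]:
    """Render a 'simple formatted list' of the kind one might share by e-mail:
    one tab-separated line per offending source with the evidence behind it."""
    flows = list(flows)  # the detector is run once per port, so materialise
    lines = []
    for label, port in (("ssh-scan", 22), ("smb-worm-scan", 445)):
        for src, n in sorted(fan_out_scanners(flows, port).items()):
            ip_address(src)  # refuse to publish a malformed address
            lines.append(f"{src}\t{label}\ttargets={n}\tport={port}")
    return lines


if __name__ == "__main__":
    for line in scanner_report(SAMPLE_FLOWS):
        print(line)
```

In practice the thresholds depend on the vantage point: a darknet sensor sees no legitimate traffic at all, so a single probe is already significant there, whereas on a production backbone the distinct-target count and the packet ceiling are what keep the admin host out of the list.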

25
REN-ISAC Information Sharing
  • Types of useful sharing
  • simple formatted lists via e-mail
  • automated action methods, e.g. blacklist route
    server
  • what policy and management methods are necessary
    for institutions to trust and employ auto
    methods?
  • what administrative and descriptive metadata
    needs to be associated to blacklist entries?
  • other types?
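
The slide above asks what administrative and descriptive metadata a blacklist entry needs before an institution can trust an automated action method such as a blacklist route server. The following added example (not REN-ISAC's format or code) sketches one answer: each entry carries its reason, source, first-seen time, a TTL and a confidence score; a local policy step drops expired, low-confidence or overly broad prefixes before anything is turned into a discard route; and the rendered routes keep the metadata as comments so the change stays auditable. The list format, field names, policy thresholds and the IOS-style `ip route ... Null0` rendering are assumptions for the example.

```python
"""Blacklist entries with administrative metadata (added example).

The list text, field layout and policy values are constructed for
illustration; they are not a REN-ISAC or any ISP format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

# Constructed sample list. Fields:
#   prefix|reason|source|first_seen (UTC, ISO 8601)|ttl_hours|confidence (0-100)
# The /8 line imitates a typo that must never reach a route server, and the
# last line is deliberately malformed.
SAMPLE_LIST = """\
# prefix|reason|source|first_seen|ttl_hours|confidence
203.0.113.7/32|bot-c2|ren-isac-netflow|2004-10-01T14:00:00|72|90
203.0.113.0/24|ssh-scan|darknet-sensor|2004-09-01T08:00:00|24|60
198.51.100.23/32|ddos-source|member-report|2004-10-02T09:30:00|48|40
10.0.0.0/8|worm-scan|typo|2004-10-02T10:00:00|48|95
not-an-ip|junk|bad-line|2004-10-02T10:00:00|1|1
"""

# Constructed "current time" used when evaluating expiry in the example.
SAMPLE_NOW = datetime(2004, 10, 2, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Entry:
    prefix: IPv4Network
    reason: str
    source: str
    first_seen: datetime
    expires: datetime
    confidence: int


def parse_entries(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse the list. Malformed lines are reported back, not silently
    dropped, so the publisher can be told what was rejected."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 6:
            errors.append(f"line {lineno}: expected 6 fields, got {len(fields)}")
            continue
        try:
            net = ip_network(fields[0], strict=True)   # rejects host bits set
            first = datetime.fromisoformat(fields[3]).replace(tzinfo=timezone.utc)
            ttl, conf = int(fields[4]), int(fields[5])
            if not isinstance(net, IPv4Network) or ttl <= 0 or not 0 <= conf <= 100:
                raise ValueError("field out of range")
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        entries.append(Entry(net, fields[1], fields[2], first,
                             first + timedelta(hours=ttl), conf))
    return entries, errors


def actionable(entries: List[Entry], now: datetime, min_confidence: int = 50,
               min_prefixlen: int = 24) -> List[Entry]:
    """Local policy applied before automated action: drop expired entries,
    entries below the confidence floor, and prefixes broader than
    /min_prefixlen (a mistyped /8 would blackhole a large part of the net)."""
    return [e for e in entries
            if e.expires > now
            and e.confidence >= min_confidence
            and e.prefix.prefixlen >= min_prefixlen]


def null_routes(entries: List[Entry]) -> List[str]:
    """Render static discard routes (IOS-style syntax, an assumption here),
    preceded by a comment carrying the metadata that justified each one."""
    out = []
    for e in entries:
        out.append(f"! {e.reason} via {e.source}, expires {e.expires.isoformat()}")
        out.append(f"ip route {e.prefix.network_address} {e.prefix.netmask} Null0")
    return out


def demo() -> List[str]:
    """Run the whole pipeline over the constructed list at SAMPLE_NOW."""
    entries, _errors = parse_entries(SAMPLE_LIST)
    return null_routes(actionable(entries, SAMPLE_NOW))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Of the five sample lines only the bot C&C host survives: the scanner entry has expired, the DDoS report is below the confidence floor, the /8 is wider than policy allows, and the malformed line is returned as an error rather than discarded unnoticed. Expiry is the piece most often missing from ad hoc e-mailed lists, and without it an automated blackhole never gets withdrawn.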

26
REN-ISAC Information Sharing
  • Requirements for information sharing
  • a structured method to establish and maintain
    trust circle
  • How large can a trusted circle be and still be
    effective for free-flowing information sharing?
  • Would different levels of trust circles, e.g.
    regional and national, be more effective? How
    then to make sure that useful information gets
    shared broadly?
  • standard formats to represent the information
  • an organized body to facilitate process,
    management, and flow

27
REN-ISAC Information Sharing
  • REN-ISAC is working on two items
  • Cyber Security Registry for Research and
    Education
  • preliminary to the Registry, active now: the
    closed/vetted mailing list RENISAC-SEC-L

28
REN-ISAC Cyber Security Registry
  • To provide contact information for cyber security
    matters in US higher education, the REN-ISAC is
    developing a cyber security registry. The goal is
    to have deep and rich contact information for all
    US colleges and universities.
  • The primary registrant is the CIO, IT Security
    Officer, organizational equivalent, or superior.
  • All registrations will be vetted for
    authenticity.
  • Primary registrant assigns delegates. Delegates
    can be functional accounts.
  • Currency of the information will be aggressively
    maintained.

29
REN-ISAC Cyber Security Registry
  • Aiming for 24 x 7 contact, with deep reach: a
    decision maker, primary actor, with clearance for
    sensitive information.
  • Optional permissions for REN-ISAC to send reports
    regarding threat activity seen sourced from or
    directed at the institution; reports may
    identify specific machines.
  • Related Registry information to serve network
    security management and response
  • address blocks
  • routing registry
  • network connections (e.g. Abilene, NLR)

30
REN-ISAC Cyber Security Registry
  • Registry information will be
  • utilized by the REN-ISAC for response, such as
    response to threat activity identified in Abilene
    NetFlow,
  • utilized by the REN-ISAC for early warning,
  • open to the members of the trusted circle
    established by the Registry, and
  • with permission, proxied by the REN-ISAC to
    outside trusted entities, e.g. ISPs and law
    enforcement.

31
REN-ISAC Cyber Security Registry
  • The Registry will enable
  • Appropriate communications by the REN-ISAC
  • Sharing of sensitive information derived from the
    various information sources
  • Network instrumentation including netflow, ACL
    counters, and operational monitoring systems
  • Daily security status calls with ISACs and
    US-CERT
  • Vetted/closed network security collaborations
  • Backbone and member security and network
    engineers
  • Vendors, e.g. monthly ISAC calls with vendors
  • Members related to incidents on local networks

32
REN-ISAC Cyber Security Registry
  • The Registry will enable
  • Sharing among the trusted circle members
  • Establishment of a vetted/trusted mailing list
    for members to share sensitive information
  • Access to the REN-ISAC / US-CERT secure portal
  • Access to segmented data and tools
  • Segmented views of netflow information
  • Per-interface ACLs
  • Other potentials that can be served by a
    federated trust environment

33
REN-ISAC Information Sharing
  • RENISAC-SEC-L mailing list
  • for individuals who would meet the Registry
    criteria, i.e. primary registrant as CIO/ITSO and
    delegates
  • http://www.ren-isac.net/renisac-sec-l.html