Title: Security: New Trends, New Issues Internet2 Fall Member Meeting 2004
1 Security: New Trends, New Issues
Internet2 Fall Member Meeting 2004
- Doug Pearson
- Indiana University
- Research and Education Networking ISAC
- http://www.ren-isac.net
2 2004 CSI/FBI Computer Crime and Security Survey
http://www.gocsi.com/
5 2004 CSI/FBI Survey: Percent Conducting Security Audits Up
6 2004 CSI/FBI Survey: Technologies Employed Up
7 2004 CSI/FBI Survey: Training Up
8 2004 CSI/FBI Survey: Dollar Losses Down
9 Factors
- Poll of the CSI membership
- Doesn't represent the global picture
- Small business is not well represented
- Doesn't account for the rising number of always-on home systems on broadband networks
10 Maybe it means
- Poll of CSI members: they have joined CSI because they want to find ways to reduce economic losses. [2]
- The reductions don't seem to represent the world at large, but
- Maybe the survey simply affirms that organizations taking an active security posture will see substantial results.
11 CERT/CC and US-CERT Advisories
12 Trends and Landscape
- Rate of discovery of vulnerabilities is up: statistically relevant increases since 2002.
- Time to exploit is down: in 2002 the average time was generalized as 14 days, in 2003 as 7-10 days, and now it is at times less than a week.
- AV strategies and deployments are getting better.
- Patch response is getting better (vendors and users).
13 Trends and Landscape
- Sites are employing quarantine zones with scan/patch requirements.
- More administrative control of end-system configurations at non-traditionally centralized organizations, e.g. MS auto-update turned on, AV installed and active.
- Some large-scale enterprises have difficulty with rapid patch/version deployment due to internal testing requirements, as seen with XP SP2 adoption.
14 Trends and Landscape
- Increased use of firewalls and/or ACLs.
- Med-large business, higher education, and government sectors are all getting much more serious about security; they still need much more awareness and upper-management commitment.
- Small business isn't as prepared: it lacks the technical proficiency and resources.
- Home systems: the always-on threat base is large. Lack of due care is a critical issue.
15 Trends and Landscape
- Overseas threat base is very large (and active), particularly Asia Pacific and Eastern Europe; borne out in traffic patterns from worm scanning, botted systems, etc.
- Pre-fab tools make it easy for unsophisticated attackers to launch sophisticated attacks; the move from disruptive behavior to for-profit motives, e.g. identity theft and extortion, is increasing the risk to average end-users.
16 Trends and Landscape
- Sophisticated multi-purpose, multi-attack-vector bots (e.g. Phatbot) are on the rise.
- The botnet problem is very serious: move from disruptive behavior to for-profit motives.
- The phishing problem is very serious: an overwhelming increase from a few in 2003 to several per week. FTC estimates 5% success.
- Intrusion attacks can expand very rapidly, e.g. the Spring 2004 *nix compromises proceeded with astonishing rapidity.
17 Trends and Landscape
- Organized crime is becoming more engaged, particularly with extortion based on theft of information and DDoS threats, and with identity theft.
- There's much more successful extortion (e.g. at financial institutions) than gets reported, which has interested organized crime, particularly in Eastern Europe.
- Information sharing for effective practice is increasing: EDUCAUSE Effective Practices Guide.
18 Trends and Landscape
- Information sharing for response is increasing: regional (gigaPoP), REN-ISAC, and industry operational forums.
- Cross-organization response activities are working, but the active threat is large.
- Use of blacklist route servers by internet service providers is increasing.
19 Acknowledgements
- 2004 CSI/FBI Survey
- http://www.gocsi.com/
- Internet Security Systems
- http://www.iss.net
- Carter Schoenberg
- US-CERT and CERT/CC
- http://www.us-cert.gov
- http://www.cert.org
20 References
- [1] http://www.enterpriseitplanet.com/security/features/article.php/11321_3385371_1
- [2] Robert Richardson, editorial director of CSI
21 REN-ISAC Information Sharing
- Opportunity
- Extensive sharing, within a trusted circle of operational security professionals, of actionable information regarding active sources of cyber threat, in a manner permitting expedient action upon the shared information, will facilitate a reduction of threat scale, protection of resources, and resolution of specific infections.
22 REN-ISAC Information Sharing
- Sharing needs to occur within a closed/vetted trust circle of operational security professionals
- don't want to tip off the bad guys
- don't want operational personnel or processes to publicly expose compromise information
- don't want to hamper law enforcement or other investigations
- at times may be operating in gray areas
23 REN-ISAC Information Sharing
- There's a lot of information to share
- analysis from netflow
- analysis from darknets
- analysis from IDS and firewalls
- information sources include the activities of various groups formed around Internet service providers, research activities, loose associations, individuals, institutions, ISACs, etc.
24 REN-ISAC Information Sharing
- Examples of information
- worm scanning (show example data)
- SSH scanners (show example data)
- Bot C&C and botted systems (show example data)
- DDoS
25 REN-ISAC Information Sharing
- Types of useful sharing
- simple formatted lists via e-mail
- automated action methods, e.g. blacklist route server
- what policy and management methods are necessary for institutions to trust and employ auto methods?
- what administrative and descriptive metadata needs to be associated to blacklist entries?
- other types?
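The two slides above list the kinds of data worth sharing (worm and SSH scanning, botted systems, drawn from netflow and darknet analysis) and the forms sharing can take (formatted lists by e-mail, automated feeds to a blacklist route server), and ask what metadata a blacklist entry needs. As an added example, not code or data from this presentation or from REN-ISAC, the following Python flags scanning sources in constructed NetFlow-style records using two of the signals named on slide 23 (fan-out in flow data and hits on unused darknet space) and renders them as a formatted blacklist carrying the evidence, time span, expiry, confidence and reporter a recipient needs before acting on an entry automatically. The darknet prefix, thresholds, window, TTL, reporter tag and record layout are all assumptions chosen for illustration.

```python
"""Flag scanning sources in flow records and build a shareable blacklist.

Added example, not REN-ISAC's own code or data. Flow records are constructed
to resemble NetFlow-style tuples; the darknet prefix, thresholds, window,
TTL, reporter tag and entry fields are assumptions for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumptions: an unused (darknet) block that should never see traffic,
# and fan-out thresholds for calling a source a scanner.
DARKNET = ipaddress.ip_network("10.0.9.0/24")
FANOUT_THRESHOLD = 32       # distinct destinations on one port inside WINDOW
DARKNET_THRESHOLD = 3       # distinct darknet hosts touched, at any rate
WINDOW = timedelta(minutes=5)
TTL = timedelta(hours=24)   # how long a shared entry stays actionable


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class Entry:
    """A blacklist record with the metadata a recipient needs to judge and
    age it: evidence, time span, expiry, confidence and who reported it."""
    src: str
    reason: str            # "scan" (fan-out) or "darknet" (unused space)
    dport: Optional[int]
    count: int             # distinct destinations backing the verdict
    first_seen: datetime
    last_seen: datetime
    reporter: str
    confidence: str        # "high" or "medium"

    def expires(self) -> datetime:
        return self.last_seen + TTL

    def line(self) -> str:
        """One pipe-separated record for an e-mailed list or a feed."""
        iso = lambda t: t.isoformat(timespec="seconds")
        return "|".join([self.src, self.reason,
                         "-" if self.dport is None else str(self.dport),
                         str(self.count), iso(self.first_seen),
                         iso(self.last_seen), iso(self.expires()),
                         self.confidence, self.reporter])


def find_scanners(flows: List[Flow], reporter: str = "example-site") -> List[Entry]:
    """Fan-out per (src, dport) inside a sliding WINDOW, plus darknet hits."""
    by_key = defaultdict(list)       # (src, dport) -> [(ts, dst)] in time order
    darknet_hits = defaultdict(set)  # src -> {darknet dst}
    span = {}                        # src -> (first_seen, last_seen)
    for f in sorted(flows, key=lambda x: x.ts):
        by_key[(f.src, f.dport)].append((f.ts, f.dst))
        if ipaddress.ip_address(f.dst) in DARKNET:
            darknet_hits[f.src].add(f.dst)
        first, last = span.get(f.src, (f.ts, f.ts))
        span[f.src] = (min(first, f.ts), max(last, f.ts))

    entries = {}
    for (src, dport), hits in by_key.items():
        best, lo = 0, 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > WINDOW:   # slide the window start
                lo += 1
            best = max(best, len({dst for _, dst in hits[lo:hi + 1]}))
        if best >= FANOUT_THRESHOLD and src not in entries:
            entries[src] = Entry(src, "scan", dport, best, *span[src], reporter, "high")
    for src, hosts in darknet_hits.items():
        # Darknet traffic is suspicious at any rate, but carries less evidence.
        if src not in entries and len(hosts) >= DARKNET_THRESHOLD:
            entries[src] = Entry(src, "darknet", None, len(hosts), *span[src], reporter, "medium")
    return sorted(entries.values(), key=lambda e: e.src)


def render_list(entries: List[Entry]) -> str:
    header = "src|reason|dport|count|first_seen|last_seen|expires|confidence|reporter"
    return "\n".join([header] + [e.line() for e in entries])


def sample_flows() -> List[Flow]:
    """Constructed records: a fast SSH sweep, a worm-style port-445 sweep that
    also lands in the darknet, a slow darknet prober, a slow SSH scanner that
    stays under the window threshold, and an ordinary SSH client."""
    t0 = datetime(2004, 10, 1, 12, 0, tzinfo=timezone.utc)
    at = lambda sec: t0 + timedelta(seconds=sec)
    flows = [Flow(at(i), "198.51.100.7", f"10.0.5.{i}", 22) for i in range(1, 41)]
    flows += [Flow(at(100 + i), "203.0.113.9", f"10.0.{8 + i % 2}.{i}", 445)
              for i in range(1, 61)]
    flows += [Flow(at(1000 + 200 * i), "192.0.2.44", f"10.0.9.{i}", 80) for i in range(1, 4)]
    flows += [Flow(at(2000 + 60 * i), "198.51.100.99", f"10.0.6.{i}", 22) for i in range(1, 41)]
    flows += [Flow(at(3000 + i), "192.0.2.10", "10.0.5.1", 22) for i in range(20)]
    return flows


if __name__ == "__main__":
    print(render_list(find_scanners(sample_flows())))
```

Running it lists the fast SSH sweep and the port-445 sweep as high-confidence scans and the darknet prober as a medium-confidence entry, while the slow scanner at one probe a minute never reaches the fan-out threshold inside the window: a single site's flow data misses it, which is the case for pooling darknet hits and sightings across institutions. The expiry and confidence fields are what let an automated consumer such as a route server act on an entry without a human in the loop and drop it when the evidence ages out.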
26 REN-ISAC Information Sharing
- Requirements for information sharing
- a structured method to establish and maintain the trust circle
- How large can a trusted circle be and still be effective for free-flowing information sharing?
- Would different levels of trust circles, e.g. regional and national, be more effective? How then to make sure that useful information gets shared broadly?
- standard formats to represent the information
- an organized body to facilitate process, management, and flow
27 REN-ISAC Information Sharing
- REN-ISAC is working on two items
- Cyber Security Registry for Research and Education
- preliminary to the Registry, active now: closed/vetted mailing list RENISAC-SEC-L
28 REN-ISAC Cyber Security Registry
- To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for all US colleges and universities.
- The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior.
- All registrations will be vetted for authenticity.
- Primary registrant assigns delegates. Delegates can be functional accounts.
- Currency of the information will be aggressively maintained.
29 REN-ISAC Cyber Security Registry
- Aiming for 24 x 7 contact, with deep reach: a decision maker or primary actor, with clearance for sensitive information.
- Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution; reports may identify specific machines.
- Related Registry information to serve network security management and response
- address blocks
- routing registry
- network connections (e.g. Abilene, NLR)
30 REN-ISAC Cyber Security Registry
- Registry information will be
- utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow,
- utilized by the REN-ISAC for early warning,
- open to the members of the trusted circle established by the Registry, and
- with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISPs and law enforcement.
31 REN-ISAC Cyber Security Registry
- The Registry will enable
- Appropriate communications by the REN-ISAC
- Sharing of sensitive information derived from the various information sources
- Network instrumentation including netflow, ACL counters, and operational monitoring systems
- Daily security status calls with ISACs and US-CERT
- Vetted/closed network security collaborations
- Backbone and member security and network engineers
- Vendors, e.g. monthly ISAC calls with vendors
- Members related to incidents on local networks
32 REN-ISAC Cyber Security Registry
- The Registry will enable
- Sharing among the trusted circle members
- Establishment of a vetted/trusted mailing list for members to share sensitive information
- Access to the REN-ISAC / US-CERT secure portal
- Access to segmented data and tools
- Segmented views of netflow information
- Per-interface ACLs
- Other potentials that can be served by a federated trust environment
33 REN-ISAC Information Sharing
- RENISAC-SEC-L mailing list
- for individuals who would meet the Registry criteria, i.e. the primary registrant as CIO/ITSO and delegates
- http://www.ren-isac.net/renisac-sec-l.html