
SL-CERT

Presented
by
T J Pathirage

Computer Emergency
Response Team- Sri Lanka
(SL-CERT)

CERT Concept

 First Internet Worm incident in 1988
 The concept of a Computer Emergency Response Team (CERT) was born
 CERT was meant to be a single point of contact for Internet security problems
 The CERT Coordination Center (CERT/CC) was established as the mother CERT at CMU in the USA

Definition

 What is a CERT?
An organization or team that provides
services and support for responding to
computer security incidents to a defined
constituency.

 The CERT will protect the computer-related infrastructure by coordinating defense against, and responding to, cyber attacks.
 It will reduce the number of incidents targeted at and perpetrated from Sri Lanka, and will provide an effective response to cyber security incidents.

Why Do I Need a CERT?

– Even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen.
– When computer security incidents occur, it is critical for an organization to have an effective means of responding.
– The ability of an organization to protect, detect, analyze, and respond to an incident limits the damage done and lowers the cost of recovery.

Why Do I Need a CERT?

 Internet systems are a vulnerable target for attack
– Systems not securely configured
– Computer security incidents
 In recent years attack techniques have become more sophisticated
 Rapid proliferation of viruses and worms
 Critical infrastructure such as telecommunications, transportation, energy etc. can be affected by attacks on information infrastructures

Recent Attacks
 Code Red : July, 2001
 Nimda : September, 2001
 SQL Slammer : January, 2003
 Blaster : August, 2003
 Sobig : August, 2003
 Sophistication has grown
 Fast growing phishing threat
 Speed of attacks results in widespread damage in a short time

World Wide Costs of Viruses

 US $ 45 billion in 2002
 US $ 38 billion in August, 2003 alone
 US $ 119 – 145 billion estimated for the year 2003
 “Next Wave” of worms and viruses could carry far more damaging payloads
 Threat of “zero-day attack” is increasing
 Hackers can exploit vulnerabilities in just 6 hours

Incidents Reported to CERT/CC
[Chart: number of incidents reported to CERT/CC per year]

Vulnerability Exploit Cycle
[Diagram: advanced intruders discover a vulnerability → crude exploit tools are distributed → novice intruders use the crude exploit tools → automated scanning/exploit tools are developed → widespread use of automated scanning/exploit tools → intruders begin using new types of exploits]

Properly configured and patched systems are less vulnerable, leading to fewer security incidents

Typical Network Attack

[Diagram: locate a system to attack → gain user access → gain privileged access → then install backdoors, cover tracks, take or alter information, attack other hosts, or engage in other unauthorized activity]

More Sophisticated Intruders

 Intruders are
– Building technical knowledge and skills
– Gaining leverage through automation
– Exploiting network interconnections and moving easily through the infrastructure
– Becoming more skilled at masking their behavior

Security and the evolving Threats

[Chart: sophistication of hacker tools (low to high) plotted against time from 1980 to 2000, with the technical knowledge required of the hacker falling over the same period. Techniques in order of appearance: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, stealth diagnostics, packet forging/spoofing, Internet worms]

Computer Security Incidents

 Any real or suspected adverse event in relation to the security of computer systems or networks
 The act of violating explicit or implied security policy
– Unauthorized access
– Denial of service, disruption
– Unauthorized use of a system for processing or storage of data
– Changes to system software, hardware, firmware or characteristics without the owner’s knowledge
– Computer security incident (CSI) activity is also defined as any network or host activity that potentially threatens the security of computer systems

Effects of an Attack
 Denial-of-service
 Unauthorized use/misuse of computing systems, defacement of websites
 Loss/alteration/compromise of data or software
 Monetary/financial loss
– FBI/CSI survey: estimated cost $141,496,560
– Australian Computer Crime and Security Survey: $2,223,900
– Estimated cost of clean up and lost productivity for the Love Bug worm: $2.62 billion worldwide
 Loss or endangerment of human life
– Attack on infrastructure control systems
 The W32.Blaster worm may have contributed to the cascading effect of the blackout on the US East Coast, where many control systems are based on Windows 2000 or Windows XP (Computer World)
 Loss of trust in computer/network systems
 Loss of public confidence

Amount of Loss

 Trends in 2004
– Virus attacks
– DoS attacks
– Mostly not reported!

FBI/CSI Survey, 2004

CERT in each country

 The challenge of security incidents has led to hundreds of CERTs being created around the world
– For a country as a whole
– For a specific user segment, e.g. a Finance Sector CERT

SL-CERT

 To enhance cyber security and provide support in the protection of critical ICT infrastructure, the Sri Lankan Computer Emergency Response Team (CERT-SL) was established by ICTA.

Strategic Objectives of SL-CERT

 Vision
“Be the nation’s most
trusted security agency
responding to all types
of Information Security
incidents”

Strategic Objectives of SL-CERT

 Mission
 To enhance the security of the Nation’s information and infrastructure through proactive actions and effective collaboration.
 Provide the focal point for reporting security vulnerabilities, serve as a model to help others establish incident response teams, and raise awareness of security issues

Objectives

 Provide cyber-security related incident handling (analysis, response on site, response support)
 Vulnerability handling and management services (analysis, response)
 Review emerging security threats and technologies.
 Awareness and training programs on cyber-security.
 Cyber-security related information dissemination and announcements.
 Formulate and advise on risk assessment methodology
 Assessments on cyber-security
 Intrusion detection.

National structure

[Diagram: Sri Lanka CERT at the top, with the University of Colombo, University of Peradeniya, University of Moratuwa, industry vertical CERTs and other entities beneath it; the constituency includes industry, SL Police, home users, academia and Internet security experts]
 Participation in Organizations and Communities

Security Approaches
 Vulnerability Management (Reactive)
– Identify and fix vulnerabilities
 Risk Management (Proactive)
– Identify and manage risks
 Security Quality Management Services

Risk management is more strategic in nature

Reactive Services
 These are initiated by members (requests for assistance), by a threat, report or attack in the country, or by activity identified by an intrusion detection system;
 Provides a single point of contact for reporting local problems
– Warnings and dissemination of info on the attack
– Alerts on attacks, vulnerabilities etc
– Incident handling (analysis, response on site, support)
– Vulnerability Handling (analysis, response)
– Virus, worm handling (analysis, response on site
support, incident coordination),
– Guidance on protecting systems and for recovery.
– Shares information and lessons learned with other
CERTs, with the CERT/CC, other response teams and
other appropriate organizations and sites

Computer Security
Incidents Handling
 Reporting
– Central repository for reported incidents
– Database of incidents
 Analysis
– Analysis for trends and patterns of intruder activity
– Develop preventive strategies for the whole constituency
– In-depth look at an incident report or incident activity to determine the scope, priority and threat of the incident
 Response
– Send out recommendations for recovery, containment and prevention to system administrators

Incident Response (IR)


 IR is a process devoted to restoring a network or
computer system to operation
 IR Handling by CERT
– Preparation
– Identification
– Containment
– Eradication
– Recovery
– Follow up

 Standard Operating Procedures (SOPs) shall be prepared to help the CERT discharge its functions to its constituency
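The reporting, analysis and response steps above, together with the six IR phases, as an added Python example that is not part of this presentation or of SL-CERT's own tooling: a central repository of reports, a priority derived from impact and scope, a per-month trend count for the analysis step, and a phase tracker that refuses to skip a phase. The priority thresholds, category names and the sample reports are assumptions made for illustration.

```python
"""Incident repository, triage and lifecycle tracking for a small CERT.

Added example, not SL-CERT code. Priority thresholds, category names and
the sample reports below are assumptions made for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Incident handling phases in the order the deck lists them.
PHASES = ["Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Follow up"]

# Assumed impact x scope scoring used to rank incidents; not an SL-CERT scheme.
IMPACT = {"low": 1, "medium": 2, "high": 3}
SCOPE = {"single host": 1, "organization": 2, "constituency": 3}


def priority(impact: str, scope: str) -> str:
    """Map impact and scope to P1 (handle first) .. P3."""
    score = IMPACT[impact] * SCOPE[scope]
    if score >= 6:
        return "P1"
    if score >= 3:
        return "P2"
    return "P3"


@dataclass
class Incident:
    incident_id: str
    reported: str        # ISO date of the report, YYYY-MM-DD
    category: str        # e.g. worm, phishing, defacement, dos
    impact: str
    scope: str
    phase: str = "Identification"   # Preparation happens before any report
    history: List[str] = field(default_factory=list)

    def advance(self, new_phase: str) -> None:
        """Move to the next phase only; skipping a phase is rejected so the
        record shows containment before eradication, and so on."""
        current = PHASES.index(self.phase)
        if PHASES.index(new_phase) != current + 1:
            raise ValueError(
                f"{self.incident_id}: cannot move from {self.phase} to {new_phase}")
        self.history.append(self.phase)
        self.phase = new_phase


class IncidentRepository:
    """Central repository for reports from the whole constituency."""

    def __init__(self) -> None:
        self._incidents: Dict[str, Incident] = {}

    def report(self, inc: Incident) -> None:
        if inc.incident_id in self._incidents:
            raise ValueError(f"duplicate incident id {inc.incident_id}")
        self._incidents[inc.incident_id] = inc

    def get(self, incident_id: str) -> Incident:
        return self._incidents[incident_id]

    def queue(self) -> List[Incident]:
        """Open incidents, highest priority first, oldest first within a priority."""
        open_incidents = [i for i in self._incidents.values() if i.phase != "Follow up"]
        return sorted(open_incidents,
                      key=lambda i: (priority(i.impact, i.scope), i.reported))

    def monthly_trend(self) -> Dict[str, Dict[str, int]]:
        """Incident counts per month and category, for trend analysis."""
        counts: Dict[str, Counter] = defaultdict(Counter)
        for inc in self._incidents.values():
            counts[inc.reported[:7]][inc.category] += 1
        return {month: dict(c) for month, c in sorted(counts.items())}


# Constructed sample reports; not real incidents.
SAMPLE_REPORTS = [
    Incident("SL-0001", "2004-08-02", "worm", "high", "constituency"),
    Incident("SL-0002", "2004-08-10", "phishing", "medium", "organization"),
    Incident("SL-0003", "2004-09-01", "worm", "high", "organization"),
    Incident("SL-0004", "2004-09-15", "defacement", "low", "single host"),
    Incident("SL-0005", "2004-09-20", "phishing", "medium", "single host"),
]


def build_repository() -> IncidentRepository:
    repo = IncidentRepository()
    for inc in SAMPLE_REPORTS:
        repo.report(inc)
    return repo


if __name__ == "__main__":
    repo = build_repository()
    for inc in repo.queue():
        print(priority(inc.impact, inc.scope), inc.incident_id, inc.category, inc.phase)
    print(repo.monthly_trend())
```

The queue puts the constituency-wide worm ahead of a single-host defacement regardless of report date, and the phase tracker gives the follow-up step an honest history to review: an incident cannot be marked recovered without a recorded containment and eradication.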

Computer Security - Incident Handling

[Diagram: reports reach CERT-SL by telephone, web, e-mail or fax; each incident passes through Preparation, Identification, Containment, Eradication, Recovery and Follow Up; responses go out via an HTTP virtual directory and message delivery; supporting data sources are a vulnerability database, OS-related data, application-related data and security-related web sites]

Proactive Services
 Pro-active services
– Security Guidelines
– Carry out a technology watch,
– Alerts and announcements
– Vulnerability analysis and response
– Artifact analysis
– Incident tracing
– Intrusion Detection
– Auditing and Penetration testing
– Security Consulting
– Risk Analysis
– Security Product Development
– Collaboration
– Coordination
– Security related information dissemination

Security Quality Management
Services

 To assist the nation, the Government and member organizations to improve overall security and identify threats, risks and weaknesses
– Conduct information security awareness programs
– Conduct education and training programs.
– Disaster recovery planning

Thank you
