Presented by
T J Pathirage
Computer Emergency Response Team - Sri Lanka (SL-CERT)
CERT Concept
Definition
What is a CERT?
An organization or team that provides services and support for responding to computer security incidents to a defined constituency.
Why Do I Need a CERT?
Recent Attacks
– Code Red: July 2001
– Nimda: September 2001
– SQL Slammer: January 2003
– Blaster: August 2003
– Sobig: August 2003
Sophistication has grown
– US $45 billion in 2002
– US $38 billion in August 2003 alone
– US $119–145 billion estimated for the year 2003
The “Next Wave” of worms and viruses could carry far more damaging payloads
The threat of “zero-day attack” is increasing
Hackers can exploit a vulnerability in just 6 hours
[Chart: Incidents Reported to CERT/CC; label: advanced intruders discover vulnerability]
Properly configured and patched systems are less vulnerable, leading to fewer security incidents.
Typical Network Attack
– Locate system to attack
– Gain user access
– Gain privileged access
– Take or alter information
– Install backdoors
– Cover tracks
– Attack other hosts / engage in other unauthorized activity
Intruders are
– Building technical knowledge and skills
– Gaining leverage through automation
– Exploiting network interconnections and moving easily through the infrastructure
– Becoming more skilled at masking their behavior
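The chain on this slide is what an intrusion detection capability (one of the SL-CERT objectives later in the deck) tries to recognise before the last stages are reached. As an added example that is not part of the original presentation and not SL-CERT's own tooling: a small Python correlator that maps syslog-style lines onto the stages of that chain, recognises a host that has started logging into other hosts as having moved to "attack other hosts", and ranks hosts by how far the intruder has progressed. The line format, the host inventory, the signature patterns and the sample log lines are all assumptions constructed for this example; the sshd, sudo and useradd lines follow their usual wording, the scan and audit lines are simplified stand-ins.

```python
import re
from collections import defaultdict

# The attack chain from the slide, in the order an intruder walks it.
STAGES = [
    "locate system to attack",
    "gain user access",
    "gain privileged access",
    "install backdoors / take or alter information",
    "cover tracks",
    "attack other hosts",
]

# Constructed inventory (assumption): hostname -> IP. A successful login whose
# source is one of our own hosts is lateral movement from that host.
INVENTORY = {"web01": "10.0.0.11", "db01": "10.0.0.23"}

# Message signature -> stage index. These patterns are assumptions for this
# example: sshd/sudo/useradd follow their usual syslog wording; the scan and
# audit lines are simplified stand-ins for IDS and audit events.
SIGNATURES = [
    (re.compile(r"portscan from (?P<src>[\d.]+)"), 0),
    (re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)"), 1),
    (re.compile(r"^sudo: .*USER=root ; COMMAND="), 2),
    (re.compile(r"new user: name=\S+, UID=0,"), 3),   # second uid-0 account
    (re.compile(r"unlink .*/var/log/"), 4),           # log file removed
]

# Assumed line format: "<host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Constructed sample log: one host walks the whole chain; a second host only
# sees a login from it (plus an unrelated failed login).
SAMPLE_LOG = [
    "web01 snort: [scan] TCP portscan from 198.51.100.7",
    "web01 sshd[812]: Accepted password for alice from 198.51.100.7 port 40112 ssh2",
    "web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "web01 useradd[2231]: new user: name=sysbackup, UID=0, GID=0, home=/, shell=/bin/sh",
    "web01 audit: op=unlink path=/var/log/wtmp uid=0",
    "db01 sshd[533]: Accepted publickey for root from 10.0.0.11 port 51820 ssh2",
    "db01 sshd[540]: Failed password for admin from 203.0.113.9 port 2222 ssh2",
]


def analyze(lines):
    """Return {host: sorted stage indices observed on that host}."""
    seen = defaultdict(set)
    ip_to_host = {ip: h for h, ip in INVENTORY.items()}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        host = m.group("host")
        msg = m.group("prog") + ": " + m.group("msg")  # keep program name for matching
        for pat, stage in SIGNATURES:
            hit = pat.search(msg)
            if not hit:
                continue
            seen[host].add(stage)
            src = hit.groupdict().get("src")
            peer = ip_to_host.get(src)
            if stage == 1 and peer and peer != host:
                seen[peer].add(5)  # one of our own hosts is now attacking others
    return {h: sorted(s) for h, s in seen.items()}


def triage(lines):
    """Hosts ranked by deepest stage reached; True marks privileged access or worse."""
    ranked = sorted(analyze(lines).items(), key=lambda kv: -max(kv[1]))
    return [(h, STAGES[max(s)], max(s) >= 2) for h, s in ranked]


if __name__ == "__main__":
    for host, stage, incident in triage(SAMPLE_LOG):
        print(f"{host:6} {'INCIDENT' if incident else 'alert   '} {stage}")
```

The useful property is the cross-host step: db01 on its own only shows a legitimate-looking root login, but because the source address belongs to web01, which has already reached privileged access, web01 is promoted to the last stage of the chain and db01 becomes a containment candidate. Real deployments would replace the signature list with the IDS and audit sources the constituency actually runs.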
Security and the Evolving Threats
[Chart: attack sophistication from low to high: Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Stealth Diagnostics, Packet Forging/Spoofing, Internet Worms]
Effects of an Attack
Denial-of-service
Monetary/financial loss
– FBI/CSI survey: estimated cost $141,496,560
– Australian Computer Crime and Security Survey: $2,223,900
– Estimated cost of clean-up and lost productivity for the Love Bug worm: $2.62 billion worldwide
Loss or endangerment of human life
– Attack on infrastructure control systems: the W32.Blaster worm may have contributed to the cascading effect of the blackout on the US East Coast, where many control systems are based on Windows 2000 or Windows XP (Computer World)
Loss of trust in computer/network systems
[Chart: Amount of Loss]
Trends in 2004
– Virus attacks
– DoS attacks
– Mostly not reported!
CERT in each country
SL-CERT
Strategic Objectives of SL-CERT
Vision
“Be the nation’s most trusted security agency responding to all types of Information Security incidents”
Mission
To enhance the security of the Nation’s information and infrastructure through proactive actions and effective collaboration.
Objectives
– Provide cyber-security related incident handling (analysis, response on site, response support)
– Vulnerability handling and management services (analysis, response)
– Review emerging security threats and technologies
– Awareness and training programs on cyber-security
– Cyber-security related information dissemination and announcements
– Formulate and advise on risk assessment methodology
– Assessments on cyber-security
– Intrusion detection
National structure (constituency and partners): Industry, SL Police, Home users, Academia, Internet security experts
Security Approaches
Vulnerability Management (Reactive)
– Identify and fix vulnerabilities
Risk Management (Proactive)
– Identify and manage risks
Reactive Services
These are initiated by requests for assistance from members, by a threat, report or attack in the country, or by activity identified by an intrusion detection system.
Provides a single point of contact for reporting local problems:
– Warnings and dissemination of information on the attack
– Alerts on attacks, vulnerabilities, etc.
– Incident handling (analysis, response on site, support)
– Vulnerability handling (analysis, response)
– Virus and worm handling (analysis, response on site, support, incident coordination)
– Guidance on protecting systems and on recovery
– Sharing information and lessons learned with other CERTs, the CERT/CC, other response teams and other appropriate organizations and sites
Computer Security Incident Handling
Reporting
– Central repository for incident reports
– Database of incidents
Analysis
– Analysis for trends and patterns of intruder activity
– Develop preventive strategies for the whole constituency
– In-depth look at an incident report or incident activity to determine the scope, priority and threat of the incident
Response
– Send out recommendations for recovery, containment and prevention to system administrators
Computer Security - Incident Handling
Incident handling steps: Preparation → Identification → Containment → Eradication → Recovery → Follow Up
Reporting channels to CERT-SL: Telephone, Web, E-mail, Fax
Flow: Reporting → CERT-SL → Response (message delivery)
Proactive Services
– Security guidelines
– Carry out a technology watch
– Alerts and announcements
– Vulnerability analysis and response
– Artifact analysis
– Incident tracing
– Intrusion detection
– Auditing and penetration testing
– Security consulting
– Risk analysis
– Security product development
– Collaboration
– Coordination
– Security related information dissemination
Security Quality Management
Services
Thank you