A few diverse yet somewhat tied together points and ... · The REN-ISAC mission is to aid and...


A few diverse yet somewhat tied together points and recommended actions about security

(aka loose change)

Doug Pearson

[email protected]

REN-ISAC

Fall 2010 Internet2 Member Meeting

1


REN-ISAC status and background

2


REN-ISAC Mission

The REN-ISAC mission is to aid and promote cyber security operational protection and response within the higher education

and research (R&E) communities. The mission is conducted within the context of a private community of trusted

representatives at member institutions, and in service to the R&E community at-large. REN-ISAC serves as the R&E trusted

partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security

information sharing relationships.

3


REN-ISAC Roles

• ISAC

– Community of trusted security staff at R&E institutions

– Sharing of sensitive protection and response information among the trusted R&E members, cross-sector, and with external trusted partners

– TLP Green level alert and advisory to all of US R&E regardless of membership status

• CSIRT

– Incident communications and notifications for remediation, supporting all of US R&E, regardless of membership status

– SOC for Internet2 network

4


Membership

• Membership is open to colleges and universities, teaching hospitals, R&E network providers, and government-funded research organizations.

• The institution is the “member”, and is represented by a management representative who nominates one or more member representatives.

• Very specific job responsibility requirements define who is eligible to become a member representative.

• Membership is tiered (General and XSec). The tiers differ in criteria for membership, the degree of trust vetting, types of information shared within the tier, services, and the commitment-level of the institution.

5


Membership and Reach

• Membership stats as of November 1 are:

– Number of member organizations: 309

• Representing over 400 institutions

– Number of member representatives: 744

• Service to R&E beyond just the membership

– Notifications to over 1400 EDU institutions, directly and privately, regarding compromised systems

– Episodic TLP Green alerts aimed at R&E security practitioners, CIOs, and business officers

6


REN-ISAC is a Cooperative Effort

• Member participation is a cornerstone of REN-ISAC

• Dedicated resource contributors: IU, LSU, and Internet2

• In-kind contributions from EDUCAUSE

• Member contributions through participation:

– Executive Advisory Group

• Bard, IU, LSU, Oakland, Reed, UMBC, Internet2, EDUCAUSE

– Technical Advisory Group

• Cornell, IU, UC Berkeley, UMass, UOregon, WPI, Arbor, Team Cymru

– Microsoft Analysis Team

• IU, NYU, UAB, UWashington

– Membership Committee

• Emory, Scranton, UIUC, UMN

– Services

• MOREnet

7


Relationships

• Internet2

• EDUCAUSE

• Higher Education Information Security Council

• Internet2 SALSA and CSI2 Working Groups

• Global Research NOC at IU

• Other sector ISACs

• National ISAC Council

• DHS/US-CERT and other national CERTs and CSIRTs

• Microsoft

• Team Cymru

• Dragon Research Group

• APWG

• Private threat analysis and mitigation efforts

8


Sustainability

• Hosted by Indiana University

• Financial contributions of Indiana University, Louisiana State University, and Internet2

• In-kind contributions from EDUCAUSE

• Member contributions in projects, services, and activities

• A nominal membership fee

9


Benefits of Membership

• Receive and share practical defense information in a private community of trusted members

• Establish relationships with known and trusted peers

• Have access to direct security services

• Benefit from information sharing relationships in the broad security community

• Benefit from vendor relationships, such as the REN-ISAC and Microsoft Security Cooperation Program relationship

• Participate in technical educational security webinars

• Participate in REN-ISAC meetings, workshops, & training

• Have access to the 24x7 REN-ISAC Watch Desk

• Have access to threat information resources ("data feeds") that can be used to identify local compromised machines, and to block known threats

10


Information Products

• Daily Watch Report provides situational awareness.

• Alerts provide critical and timely information concerning new or increasing threat.

• Notifications identify specific sources and targets of active threat or incident involving R&E. Sent directly to contacts at involved sites. ~8000 notifications sent per month.

• Feeds provide collective information regarding known sources of threat; useful for IP and DNS block lists, sensor signatures, etc.

• Advisories inform regarding specific practices or approaches that can improve security posture.

• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.

• Monitoring views provide summary views from sensor systems, e.g. traffic patterns on Internet2, useful for situational awareness.

11


Targeted attacks against online institutional banking

(how to lose a million dollars without even trying)

13


January 10 REN-ISAC Alert

14


Distribution of the REN-ISAC Alert

REN-ISAC private mailing list

EDUCAUSE security@

EDUCAUSE cio@

NACUBO newsletter

REN-ISAC public web page

15


Alert Summary

• Criminals are targeting commercial online banking activities, e.g. ACH and wire transfers.

• The persons who conduct banking transactions on behalf of your institutions and organizations are being specifically targeted by the criminals.

• In the attacks, the criminals get the banking credentials, and the capability to execute transfers from the infected machine.

• Standard antivirus, firewalls, and IDS are not sufficient defenses.

• Two-factor authentication is being defeated.

• Some of the most successful operations (and the respective malware) are known as Clampi, Zeus, and SpyEye.

17


In the simplest version of an attack:

– The targeted person receives a phishing e-mail. The e-mail can be highly tailored to the person being phished (spear phishing) so as to appear convincingly legitimate.

– The person opens an infected attachment that installs malware on the computer.

– The malware watches for web traffic with banking sites, captures account credentials, and passes those to the criminal.

– The criminal uses the captured credentials, possibly from the infected machine, to make fraudulent transfers.

18


In reality, the attacks and malware are much more sophisticated…

– record keystrokes (key logging)

– steal data submitted in HTTP forms

– steal credentials that are "securely" stored on your system

– steal and manipulate browser cookies

– modify the HTML of target web sites, including injecting additional data entry fields into targeted web pages

– redirect user from targeted web pages to attacker controlled pages

– take screen shots

– search for and steal files from your computer

– modify the local hosts file

– download and execute arbitrary programs

19


In reality, the attacks and malware are much more sophisticated (continued)…

– manipulate registry keys

– allow attacker to "back connect" to an infected computer and make financial transactions from it

– send Instant Messages to an attacker, permitting an attacker to receive stolen data in real time, and to be able to ride in on a user’s two-factor authenticated session

– allow an attacker to completely control the infected machine using a VNC backdoor

20


Attacks have been many, successful, difficult to stop, and damaging:

– PC Invader Costs Ky. County $415,000

http://voices.washingtonpost.com/securityfix/2009/07/an_odyssey_of_fraud_part_ii.html

– Cyber Crooks Target Public & Private Schools http://voices.washingtonpost.com/securityfix/2009/09/cyber_mob_targets_public_priva.html

– The Growing Threat to Business Banking Online (a public school district in PA lost $700,000 in a two-day attack) http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html

– Three million in district funds stolen; $2.5 million recovered http://duanesburg.org/district/news/0910/010510crime.cfm

– Cyber Thieves Steal Nearly $1,000,000 from University of Virginia College http://krebsonsecurity.com/2010/09/cyber-thieves-steal-nearly-1000000-from-university-of-virginia-college/

– Computer Crooks Steal $100,000 from Ill. Town http://krebsonsecurity.com/2010/04/computer-crooks-steal-100000-from-ill-town/

– Cyber Crooks Leave Traditional Bank Robbers in the Dust http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/

In many cases, some or all of the funds have been recovered, but at substantial cost.

21


In the Alert, we RECOMMEND

– Make sure that all of your officers are aware.

– Apply strict technical controls and periodic validation to all systems used in performing financial transactions.

– Require special awareness training for all personnel involved in performing online financial transactions.

– Make committed and purposeful use of banking transaction initiator/approver roles. Most banks offer sophisticated role-based controls, but it's up to the institution to put them to effective use.

– Have written policies defining the controlled environment in which online banking transactions can be conducted, e.g. what systems can be used, how they must be maintained, required personnel training, etc.

22


In the Alert, we RECOMMEND (continued)

– Routinely audit compliance with established technical controls and policies.

– WE STRONGLY RECOMMEND THAT all online banking operations should be conducted on special-use computers that are used SOLELY for banking transactions. No other use of the machine should be permitted - no e-mail, no web browsing, no general-purpose business use - nothing but institutional online banking transactions.

23


Fraud Advisory for Businesses: Corporate Account Take Over

– Created as part of a joint effort between the United States Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3) and the Financial Services Information Sharing and Analysis Center (FS-ISAC).

– http://www.fsisac.com/files/public/db/p265.pdf

– Protect, Detect, Respond

24


– Protect

• Educate

• Enhance the security of your computers and network

• Enhance the security of your corporate banking processes and protocols

• Understand your responsibilities and liabilities

– Detect

• Monitor and reconcile accounts at least once per day

• Discuss the options offered by your financial institution to help detect or prevent out-of-pattern activity

• Note any changes in the performance of your computer

• Pay attention to warnings

• Be on the alert for rogue e-mails

• Run regular virus and malware scans on your computer

25


– Respond

• If you detect suspicious activity, immediately cease all activity, and remove the computer system(s) from the network

• Make sure your employees know how, and to whom, to report suspicious activity within your company and at your financial institution

• Immediately contact your financial institution

• Maintain a written chronology of what happened

• File a police report

• Have contingency plans to recover systems suspected of compromise

• Consider whether company or personal data may have been compromised

• Report exposures to PCI DSS

26


Summing up:

Make sure your CIO, CISO, Treasurer, and Business Officers

– are each individually familiar with this threat, and

– have discussed it as a group, and taken appropriate steps

27


closing the feedback loop – IR to defenses

(lemonade from lemons)

28


not talking about SPAM filtering…

My next topic was going to be about spam – a plug for doing spam filtering really, really well. The rationale was as a follow-on to the "targeted attacks against online banking": most of the vector for that threat is phishing spam.

Good spam filtering can make a substantial dent into that. It won't eliminate it entirely, but it can make a dent.

I talked this idea over with Gabe Iovino, REN-ISAC staff, and as usual, Gabe made a very good point. If I was going to talk about doing Excellent Spam Filtering, I'd need to also discuss "How does one know if they're doing a good job?"

That became way too involved for my short time at the podium, so I ditched that idea... but it did lead to an interesting thought…

29


…using incident response (IR) as a measure of the performance of your defenses.

If you're doing good IR, then you’re responding, identifying causes, tracking, and reporting.

One step forward with that is to take IR measures, e.g. how many X incidents are caused by Y, to determine the effectiveness of your defenses around or against Y.

If you’re seeing a lot of infections resulting from spam, then maybe your spam defenses aren’t strong enough.

SUGGESTION: Close the feedback loop. Use IR metrics to drive targeted improvements in your defenses.

30
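As an added illustration of closing the feedback loop (not from the presentation): a script that tallies closed incidents by the entry vector a defense layer should have stopped, ranks the leaking defenses, and compares a vector's share of incidents before and after a defense change such as tightening spam filtering. The ticket records, vector names and 30% threshold are constructed for this example.

```python
from collections import Counter
from datetime import date

# Constructed sample of closed IR tickets (not real data):
# (closed_date, incident_class, initial_vector). initial_vector names the
# defense layer that should have stopped the entry path; that mapping is
# what turns an IR record into a measure of a defense.
INCIDENTS = [
    (date(2010, 8, 2), "malware", "spam-phish"),
    (date(2010, 8, 5), "malware", "spam-phish"),
    (date(2010, 8, 9), "malware", "drive-by-web"),
    (date(2010, 8, 14), "account-compromise", "spam-phish"),
    (date(2010, 8, 20), "malware", "removable-media"),
    (date(2010, 8, 27), "malware", "spam-phish"),
    (date(2010, 9, 1), "malware", "spam-phish"),
    (date(2010, 9, 6), "malware", "drive-by-web"),
    (date(2010, 9, 11), "malware", "spam-phish"),
    (date(2010, 9, 19), "malware", "unpatched-service"),
    (date(2010, 9, 24), "account-compromise", "spam-phish"),
    (date(2010, 10, 3), "malware", "drive-by-web"),
    (date(2010, 10, 8), "malware", "spam-phish"),
    (date(2010, 10, 15), "malware", "unpatched-service"),
    (date(2010, 10, 22), "malware", "drive-by-web"),
    (date(2010, 10, 29), "malware", "removable-media"),
]


def count_by_vector(records):
    """How many incidents entered through each defense layer."""
    return Counter(vector for _, _, vector in records)


def vector_share(records):
    """Fraction of all incidents attributable to each vector."""
    total = len(records)
    if not total:
        return {}
    return {v: n / total for v, n in count_by_vector(records).items()}


def weakest_defenses(records, threshold=0.30):
    """Vectors responsible for at least `threshold` of incidents, worst
    first: these are the defenses to improve next."""
    shares = vector_share(records)
    hits = [(v, s) for v, s in shares.items() if s >= threshold]
    return sorted(hits, key=lambda vs: (-vs[1], vs[0]))


def monthly_share(records, vector):
    """Month-by-month fraction of incidents caused by `vector`."""
    totals, hits = Counter(), Counter()
    for closed, _, v in records:
        month = closed.strftime("%Y-%m")
        totals[month] += 1
        if v == vector:
            hits[month] += 1
    return {m: hits[m] / totals[m] for m in sorted(totals)}


def defense_change_effect(records, vector, change_month):
    """Share of `vector` incidents before and from `change_month` ("YYYY-MM")
    onward, e.g. the month spam filtering was tightened. Returns
    (before, after); a period with no incidents yields None for that side."""
    def share(subset):
        if not subset:
            return None
        return sum(1 for _, _, v in subset if v == vector) / len(subset)

    before = [r for r in records if r[0].strftime("%Y-%m") < change_month]
    after = [r for r in records if r[0].strftime("%Y-%m") >= change_month]
    return share(before), share(after)


if __name__ == "__main__":
    print("incidents by vector:", dict(count_by_vector(INCIDENTS)))
    print("defenses to fix first:", weakest_defenses(INCIDENTS))
    print("spam-phish share per month:", monthly_share(INCIDENTS, "spam-phish"))
    print("spam-phish before/after Oct change:",
          defense_change_effect(INCIDENTS, "spam-phish", "2010-10"))
```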


References for Metrics:

Security Metrics: A Solution in Search of a Problem

Joel Rosenblatt, EDUCAUSE Quarterly, vol. 31, no. 3 (July-September 2008) http://www.educause.edu/EDUCAUSE+Quarterly/EDUCAUSEQuarterlyMagazineVolum/SecurityMetricsASolutioninSear/163096

Center for Internet Security: Consensus Information Security Metrics http://cisecurity.org/en-us/?route=downloads.metrics

31


multifunction peripherals

(it’s everywhere)

32


April 2010 CBS report: http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml

“Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine.

“In the process, it's turned an office staple into a digital time-bomb packed with highly-personal or sensitive data.

“If you're in the identity theft business it seems this would be a pot of gold.”

The story is legitimate, but somewhat exaggerated.

33


A more reasoned analysis is provided at TechRepublic:

The truth about copier hard drives: Tips for securing your data http://blogs.techrepublic.com.com/security/?p=3841

– don't just worry about copiers, but all "multi-function peripherals"

– most manufacturers offer *optional* data security kits

– whether a particular MFP saves every digitized document or not appears to depend on the brand and how it is configured

34


TechRepublic:

• concerns:

– physical access: who has access? employees, customers, service technicians (real and imposters)? if sensitive information is stored, it needs to be protected

– network access: if connected to the network, you should regularly check the National Vulnerability Database for any problems

– web-based configuration: default passwords?, address books, etc.

– public MFPs: if what you're copying has sensitive data, don't use a public MFP – you don't know how it's configured or maintained

35


TechRepublic:

• best practices

– acquire brands that meet industry security specifications, e.g. ISO 15408 Level 3 Certification, and IEEE-2600-2008

– make informed decisions about ease-of-use versus security, e.g. in regard to access controls, passwords, etc.

– consider optional data security kits

– have policy regarding end-of-life (what should happen to the hard drive, and/or other non-volatile memory?)

36


• see also:

– How To Protect your Photocopier Hard drive and Security http://www.prlog.org/10640424-how-to-protect-your-photocopier-hard-drive-and-security.html

– IU University Information Security Office Protecting Data in Copiers and Multifunction Devices http://informationsecurity.iu.edu/articles/Copiers_and_Multifunction_Devices

37



centralization versus decentralization

C?D

39


Can an institution with highly decentralized IT adequately protect itself from certain classes of threats?

• Success criteria:

– Policy, and manifestation in processes and practices

– Actual technical operational protections and responses

– Skilled and trained resources

• Looking at a couple of examples:

– the multifunction device hard drive issue

• Is every school and department on their own in regard to awareness, policy, and effectively executing on policy?

– vulnerabilities and exposures in DNS (eh?)

• If many schools and departments are managing that on their own, do they really have the capability, knowledge, and resources to do that well?

C?D

40


"the debate over whether to centralize or decentralize is not so much about which strategy is more effective but rather how both strategies work best in combination. Each strategy might be more or less appropriate in a given circumstance"

Lawrence W. Frederick, University of the Pacific, "Recasting the Centralization-Decentralization Debate: Advancing the Innovation Support Cycle", EDUCAUSE Center for Applied Research, Research Bulletin, Volume 2008, Issue 10 (May 2008): 2 http://www.educause.edu/ECAR/RecastingtheCentralizationDece/162931

"There is a deep literature that makes the case that on balance, decentralized approaches are best suited to organizations where innovation is the primary objective, whereas centralization is best where efficiency (capturing economies of scale and scope) is paramount."

Richard Katz, "IT Matters: Centralization or Decentralization May Not!" in "The Organization of the Organization: CIOs’ Views on the Role of Central IT", EDUCAUSE Review, vol. 42, no. 6 (November/December 2007): 24-53. http://www.educause.edu/EDUCAUSE+Review/EDUCAUSEReviewMagazineVolume42/TheOrganizationoftheOrganizati/162064

C?D

41


Factor risk into the considerations.

One could easily make the argument that things like DNS service provision and policy and process for technology disposal aren't important to innovation, represent substantial areas for risk mitigation, and are therefore appropriate for centralized approaches.

C?D

42


application whitelisting

43


Traditional antivirus, based on signatures, is only marginally effective. Malware and viruses constantly mutate in order to evade detection. AV using heuristic analysis can do a little bit better, but still falls short.

Application whitelisting is an emerging approach to combat viruses and malware. Whitelisting specifies exactly what programs can run on a computer and blocks all others – that is, deny all, with specific controlled exceptions.

Applications are allowed based on policies. Policies can be tied to groups, users, systems, etc.

Generally, to implement whitelisting at your institution, you'll need to be managing the desktops, that is, the IT department manages the software installations, configurations, updating, everything on the desktop. The user can't be administrator.

44


I'd encourage everyone to learn more about application whitelisting, and to consider trying it in a controlled environment at your institution.

Maybe the right thing to do would be to trial it in the Business Office, Treasurer's Office, or wherever it is that the persons who perform online institutional banking transactions work – i.e. those persons who are the targets that we talked about at the beginning of this presentation.

Application Whitelisting Gains New Urgency http://blogs.gartner.com/dan-blum/2010/06/10/application-whitelisting-gains-new-urgency/

SANS: Application Whitelisting: Explanation and Uses https://www.sans.org/webcasts/application-whitelisting-explanation-92873

SANS: Application Whitelisting: Stop Tomorrow's Malware Today https://www.sans.org/webcasts/application-whitelisting-stop-tomorrows-malware-today-93328

45


REN-ISAC SES

46


Objective

• Improve timely local protection against cyber security threat, by means of real-time sharing of security event information within a trusted federation, and among federations.

• At its root, not a new idea. Security event information is being shared now, in private and semi-private communities, and some public sources. But there are issues…

47


Discovery, Correlation, and Protection

48


SES – In Its Simplest

• In a security information sharing federation, such as REN-ISAC,

– guided by policy and information sharing agreements,

– machine (aggregated) and human generated security event data from participating sites, and

– data incorporated from various information sharing partners, and third-party data sources,

– is normalized to standards-based formats (IDMEF, IODEF, & ICSG), and

– through various secure interfaces,

– is submitted to the SES repository.

• Correlation is performed on the collected data, identifying “bad actors” and determining confidence.

• High confidence bad actor information is then made available to the participating sites for use in local protections

49
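The correlation step described above, as an added example that is not SES code: already-normalized events from several participating sites are grouped by source address and scored by how many independent sites and sensor types corroborate them, with a human-submitted incident adding weight, and only high-confidence actors are released for local protections. The event records, the scoring weights, the 7-day window and the threshold of 70 are assumptions for this illustration, not the SES schema, formats (IDMEF/IODEF/ICSG) or algorithm.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized event records (illustration only).
# "sensor" is the data source type at the submitting site; "manual" marks a
# human-submitted incident report rather than machine-generated data.
EVENTS = [
    {"site": "siteA", "sensor": "ssh-honeypot", "src": "198.51.100.7", "time": "2010-11-01T02:14:00"},
    {"site": "siteB", "sensor": "ssh-honeypot", "src": "198.51.100.7", "time": "2010-11-01T03:40:00"},
    {"site": "siteC", "sensor": "darknet", "src": "198.51.100.7", "time": "2010-11-02T11:05:00"},
    {"site": "siteA", "sensor": "manual", "src": "198.51.100.7", "time": "2010-11-02T15:00:00"},
    {"site": "siteA", "sensor": "vnc-honeypot", "src": "203.0.113.9", "time": "2010-11-02T09:12:00"},
    {"site": "siteB", "sensor": "darknet", "src": "203.0.113.9", "time": "2010-11-02T10:30:00"},
    {"site": "siteD", "sensor": "darknet", "src": "192.0.2.55", "time": "2010-11-02T12:00:00"},
    # Two stale reports: corroborated, but outside the correlation window.
    {"site": "siteB", "sensor": "ssh-honeypot", "src": "192.0.2.200", "time": "2010-09-15T08:00:00"},
    {"site": "siteC", "sensor": "ssh-honeypot", "src": "192.0.2.200", "time": "2010-09-16T08:00:00"},
]
# Reference "current time" for the constructed data.
NOW = datetime(2010, 11, 3)


def recent(events, now, window_days=7):
    """Keep only events observed within the correlation window, so that an
    address seen weeks ago does not stay on a block list indefinitely."""
    cutoff = now - timedelta(days=window_days)
    return [e for e in events if datetime.fromisoformat(e["time"]) >= cutoff]


def correlate(events):
    """Group events by source address across all submitting sites."""
    actors = defaultdict(lambda: {"sites": set(), "sensors": set(),
                                  "manual": False, "reports": 0})
    for e in events:
        actor = actors[e["src"]]
        actor["reports"] += 1
        actor["sites"].add(e["site"])
        if e["sensor"] == "manual":
            actor["manual"] = True          # human-confirmed incident
        else:
            actor["sensors"].add(e["sensor"])
    return dict(actors)


def confidence(actor):
    """Integer score 0-100 (weights are an assumption for this example):
    independent sites corroborating (25 each, max 50), distinct automated
    sensor types (10 each, max 20), and a human-confirmed incident (30).
    Integer points avoid float comparisons at the threshold."""
    score = min(50, 25 * len(actor["sites"]))
    score += min(20, 10 * len(actor["sensors"]))
    if actor["manual"]:
        score += 30
    return min(100, score)


def high_confidence(events, now, threshold=70, window_days=7):
    """Bad actors scored at or above `threshold` within the window, highest
    first: the set released to participating sites for local blocking."""
    actors = correlate(recent(events, now, window_days))
    scored = [(src, confidence(a)) for src, a in actors.items()]
    return sorted((s for s in scored if s[1] >= threshold),
                  key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    for src, score in high_confidence(EVENTS, NOW):
        print(f"{src}\tconfidence={score}")
```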


“Collected Intelligence Framework/Database” for Security Analyst Research

50


Additionally…

• The data in SES forms a “collected intelligence framework” useful for reputation and other security analyst research.

51


SES: Inside a Participating Site: Machine-to-Machine

Optional uses of SES data, and submissions to SES

52


SES: Implementation

• Development began Aug’08

• Phase I beta conducted Feb’09 – May’10

• Production deployment May’10

– 10 sites currently submitting machine-generated data, primarily scanner type data, e.g. ssh, vnc honeypot, darknet, etc.

– Incident manual submissions by REN-ISAC members and staff

• Phase II, anticipated year-end 2010

– Unify many data sources into a single repository under one API

– Redesign the database to support high volume and normalization of the many unified sources

– Additional API for query and submission

– Collected intelligence framework supporting reputation analysis

– API integration into applications

53


SES: Building a Framework

• A framework for

– Intra- and inter-federation cooperation

– Incorporation of additional correlation and analysis tools

– Interface with systems that notify abuse contacts regarding infected systems, e.g. the REN-ISAC notification system

– Interface with systems that treat higher-level collections of incident information in a federated context

• Extending the framework

– Long term intelligence storage

– Threat analysis platform

54