CyberSec Env Sol Case
-
Upload
don-baraka-daniel -
Category
Documents
-
view
9 -
download
0
description
Transcript of CyberSec Env Sol Case
Cyber Security. Cyber Security. Environment, Solutions and Environment, Solutions and
Case study.Case study.
Cyber Security. Cyber Security. Environment, Solutions and Environment, Solutions and
Case study.Case study.Case study.Case study.
Special Telecommunications ServiceSpecial Telecommunications ServiceDavid GabrielDavid Gabriel, , BuciuBuciu AdrianAdrianContact: [email protected]: [email protected]
[email protected]@sts.ro
Case study.Case study.
Special Telecommunications ServiceSpecial Telecommunications ServiceDavid GabrielDavid Gabriel, , BuciuBuciu AdrianAdrianContact: [email protected]: [email protected]
[email protected]@sts.ro
Environment
Network/services can be damaged due to :• Attacks against physical integrity that can modify or destroy the
information,
• Unauthorized use of information.
Types of attacks
I) Passive and active attacksa) passive attacks - the intruder observes the information passing through the
communication medium, without interfering with the flow and content of
messages
b) active attacks - the intruder can modify, circumvent or insert false messages
into the communication flow.
Environment
II) Denial-of-Service Attacks• Are typically carried out by overloading the system capacity, and by
preventing legitimate users from accessing and using the targeted resource.
III) Defacement Attacks• A defacement attack is carried out by replacing the victim’s web page with a
forged page whose content will depend on the criminal purpose.
IV) Malware attacks • A malicious code (or malware) is any program that can deliberately and
unexpectedly interfere with the normal operation of a computer.
Environment
V) Cyber intrusionMalevolent can attack a system by appropriating legitimate user identification and
connection parameters (e.g passwords) , or through deception and exploitation of
vulnerabilities.
The main methods used to obtain the connection parameters of legitimate users The main methods used to obtain the connection parameters of legitimate users
to gain access to systems are:
• Guessing;
• Deception (social engineering);
• Listening to traffic;
• Introducing a Trojan horse;
• Cracking encrypted passwords;
• Spying on users.
VI) Spam and Phishing •Spam is the bulk sending of unsolicited e-mail:
• for commercial or publicity purposes;
• for purposes of introducing malicious software, such as malware into the
system.
• Phishing refers to an attack using mail programs to trick or coax web users
Environment
• Phishing refers to an attack using mail programs to trick or coax web users
into revealing sensitive information that can then be exploited for criminal
purposes.
VII) Some communication protocols misuse
VIII) Cyberattack methodology•The process of committing a cyberattack consists of collecting and searching
for the vulnerabilities of the target systems and exploiting them.
Security criteria• The capability of a system to continuously deliver services. This depends on the
availability of hardware and software resources and as well as services.
• The capability of a system to prevent unauthorized individuals and processes
from accessing data. This concerns the preservation of data confidentiality and
integrity. These are ensured by:
Environment
integrity. These are ensured by:
•(i) access control procedures such as identification, authentication and
authorization with respect to certain permissions or access rights; and
•(ii) encryption mechanisms.
• The capability of a system to allow only authorized individuals and processes to
perform data modification. Here, an integrity criterion is necessary. This involves
access control, error control and coherency checking procedures.
• The capability of a system to ensure that specific actions and transactions have
actually taken place. This involves traceability, proof, administration, audit and
non-repudiation of actions and events.
• The capability of a system to carry out actions and provide the expected services
under appropriate conditions of usage and performance throughout its life span.
This involves continuity, reliability, user friendliness and operational soundness.
Environment
• CyberDefence - prevent hijacking of computers or computer networks and services;
• Proactive Cyber Defence - not to blame external conditions for the results obtained;
• Sun-Tzu or SunWu first introduced the notion of predictability analysis as part of a strategy to overcome (to win);
Environment
• Large networks generate a huge amount of logs and security events;
• Firewalls, IDS / IPS systems, web servers, authenticationsystems and other equipment contribute to the growing number of events that need to be analyzed in order to lead to of events that need to be analyzed in order to lead to countermeasures;
• SEM (Security Event Manager) - a centralized storage and logs interpretation , managing security events generated by network equipments and services;
• SIEM – Security Information and Event Management;
Environment
• SIEM Capabilities:
– Data Aggregation: aggregate data from many sources, including network,
security, servers, databases, applications, providing the ability to consolidate
monitored data and helping to avoid missing crucial events;
– Correlation: looks for common attributes and links events to each other into
meaningful bundles;meaningful bundles;
– Alerting: the automated analysis of correlated events and generation of alerts,
to notify recipients of immediate issues;
– Dashboards: tools that take event data and turn it into informational charts to
assist in discovering patterns, or identifying activity that is not forming a
standard pattern;
– Compliance: SIEM can be employed to automate the gathering of compliance
data, producing reports that adapt to existing security, governance and auditing
processes;
– Retention: SIEM/SIM solutions employ long-term storage of historical data to
facilitate correlation of data over time and to provide the retention necessary for
compliance requirements;
Solutions
Possible solutions for monitoring, analysis and prevention of attacks can be
divided into two main categories in terms of licensing:• Open source;
• Enterprise.
Open source solutions:Open source solutions:
OSSIM – Open Source Security Information Management. Integrates the following software components:
• arpwatch – aimed at detecting abnormalities in the OSI layer 2 (MAC);
• P0f – used for passive OS detection and analysis of transitions from one operating system to another;
• Pads – used to detect abnormalities of services;
• Nessus – vulnerability scanner;
• Tcptrack - Used to obtain information about sessions and to correlate them with other events;
Solutions
• Ntop – used to make a database of network information;
• Nagios – used to monitor resources (hardware and network services);
• Osiris – HIDS;
• Snort – detection system and intrusion prevention;
• Tcpdump – packet analyzer;
• Syslog – server used for collecting logs from network devices;
• Netflow – protocol used for collecting information about IP traffic;
• HoneyD – creates virtual hosts on the network, used as traps for detecting and preventing attacks;
Solutions
Enterprise solutions:
– ArcSight• It is a solution that combines traditional security event monitoring with
smart correlation and detection of anomalies, using analytical tools and auto repair;and auto repair;
– CheckPoint Eventia Suite • It is a solution for information and security events management;
• Has two components – an analysis component (Eventia Analyzer) and a reporting component (Eventia Reporter);
– Juniper Security Threat Response Manager • Stand alone unit, for integrated network monitoring to ensure detection
of threats, log management and compliance with security policy;
Case study
Case Study
Case StudyWeb servers Report
Case study
Type of event: flood
Traffic is totaled and recorded in interval 6:14 a.m. to 6:34 a.m. and 7:11 p.m. to 7:19 p.m. respectively
Case study
Type of event: flood
Case study
Traffic is totaled and recorded in the time slot 7:58 p.m. to 9:44 p.m.
Methods to overcome such attacks
• Alternative routing;
• Blackholing;
• Changing public IP address;
• Monitoring websites with custom scripts developed by internal teams in order to
satisfy specific needs;
Conclusion
satisfy specific needs;
• Monitor bidirectional traffic through the internal SIEM platforms;
• Whenever possible collecting of access and error logs on application servers;
• Demanding local Internet service providers to block unauthorized traffic;
• Cooperation with national and international CERTS teams in order to isolate the
incidents;
• Redundancy at the routing level ;
• At least one loop to be provided by a service provider in order to ensure
scrubbing;
Conclusion
Lessons to be learned by CERT teams in order to be proactive:
- Use methods to study attacks;
- Use methods to detect spam sources and to put them on blacklists;- Use methods to detect spam sources and to put them on blacklists;
- Use methods to detect networks botnets and to understand their behavior;
- Use of honeypots in order to study the behavior of the malware and spam;
- Exchange information between CERT teams quickly and in standard
manner;
- Transport information from sources that generate allerts to centralized
systems through standardized protocol and using a secure manner;
Conclusion
• Standardization of protocols for log transmission (syslog);
• Using of guidelines - NIST 800-92 - log Normalization;• Using of guidelines - NIST 800-92 - log Normalization;
• Integration of events generated by physical protection systems into the security event correlation;
• Assessment of compliance (e.g PCI, Sarbanes-Oxley, HIPPA);
Conclusion
• Standardization at the advisory level
• Standardization of incident and data exchange (including • Standardization of incident and data exchange (including statistics)
• Standardization of security event data
• Standardization for network abuse reporting
Conclusion
• Use of fast databases able to read and write very fast at the expense of relational type;
Examples:• Mongodb
If you need dynamic queries; if you prefer to define indexes, not If you need dynamic queries; if you prefer to define indexes, not
map/reduce functions; if you need good performance on a large DB;
• Cassandra
When DB writing processes is far more than reading processes
(logging). Writes are faster than reads, so one natural niche is real
time data analysis;
• Membase
Any application where low-latency data access, high concurrency
support and high availability is a requirement.
Referencies1.http://en.wikipedia.org/wiki/Security_information_and_event_management
2. itu_cybersudy_2009cgdc-2009-e.pdf
3. itu-understanding-cybercrime-guide.pdf
4. http://cassandra.apache.org/
5. http://www.mongodb.org/
6. http://www.apache.org
7. http://www.x-arf.org/specification.htm
8. http://www.arcsight.com/
9. http://www.checkpoint.com/9. http://www.checkpoint.com/
10. http://www.juniper.net
11. http://communities.alienvault.com/community
12. http://www.tcpdump.org/
13. http://www.balabit.com/ and http://http://www.syslog.org/
14. http://www.tenable.com
15. http://www.snort.org/
16. http://www.ntop.org/
17. http://www.nagios.org/
18. http://nfsen.sourceforge.net/ based on nfdump
19. http://www.virtuallyinformed.com
20. http://www.itu.int/ITU-D/cyb/publications/index.html
Questions
?
https://www.stsnet.ro
http://sks.stsisp.ro:11371https://ca.stsisp.rohttps://corisweb.stsisp.ro