Open Source Monitoring (OSM). Information Protection Around the Clock, Around the Globe! WHAT OSM IS...


Open Source Monitoring (OSM)

Information Protection Around the Clock, Around the Globe!

WHAT OSM IS and IS NOT

Proprietary Information – Not for further Distribution


What OSM is

Open Source Monitoring: searching and monitoring for specific information in any public media. Essential for:
– IT administration
– Human Resources
– Legal

Marketing and performance information


What OSM is not

E-mail monitoring

24 x 7 real time intrusion detection system

24 x 7 real time monitoring of employee activity

Sole source of information for critical actions and decisions


WHY


Business Case

Risk is a function of threat and vulnerability (conventionally written Risk = Threat x Vulnerability). No one has 100% protection.

Knowing the threats, and fixing the vulnerabilities they can exploit, reduces risk.

Saves money


Due Diligence Case

Gain an external view of yourself/company
– Public opinion
– Competitors
– Employees/Former employees
– Leaks/Threats


Common Sense Case

Help enforce company security policy

Receive customer feedback on products/services

Information consolidation
– Single source for multiple purposes


Types of Media Monitored

Web pages
– Search engines (dogpile, yahoo)
– Search tools (Web Seeker / Web Whacker)

News postings
– News clients
– News feed
– News server
– Dejanews


Types of Media to Monitor

Chat groups (IRC/ICQ) - High Interest Only
– Enter chat group and log
– Search through logs for key words

Message Boards
– yahoo
– raging bull
– cnn
– aol
– others


Types of Media to Monitor

FTP
– warez sites
– code
– proprietary information

Legacy/Bulletin Boards
– dial up and become involved
– connections through BBS world

Any form of public media
– news
– tv & radio


PROCESS


Methodologies

Systematic

Continuous

Keyword based

Filtered collection

Organized

Comprehensive

Analyze data

[Diagram: process cycle of Collect, Reduce, Analyze, Report]

Initial Meeting

Develop search criteria
– Keywords (hack, SunOS, etc)
– Identify key personnel (CEO, CFO, CIO, etc)
– Identify company domains
– Customer specific terms
– Boolean scripts
– Other issues relevant to company

Determine reporting contact

Determine Priority 1, 2, and 3 levels

[Timeline diagram: Pre-Meeting Prep, Initial Meeting, 1st Quarter, Review, Continuing effort]


Priority 1

Claims of break-ins against CUSTOMER

Passwords, dial-in numbers or other critical information which could allow access to the CUSTOMER network

Employees disclosing sensitive corporate information or trade secrets

Extremely malicious postings related to products or services

Threats of violence against CUSTOMER


Priority 1 Example

Analysis: In reply to a request for help with scripting remote access to a critical network device with no password, an external source suggests putting a "+" in the .rhosts file. That wildcard trusts every host on the network, so anyone on it could log in to the router with no password.

Re: script to log into router
Author: NAME
Email: ADDRESS@DOMAIN
Date: DATE
Forums: comp.unix.questions
Message-ID: <DOMAIN>
Organization: DOMAIN

I don't know about cisco routers, but...

$ rsh remotehostname who

"rsh" is "remsh" on some systems (those where rsh = restricted shell, you want remote shell).
You'll need to configure your .rhosts file on the remote host.
The simplest thing to do: echo "+" > ~/.rhosts

NAME wrote:

> We have SCO Internet FastStart 1.1.0 , ( release 3.2v5.0.2 ) , i want
> to make an automatic script that logs into a cisco router .. and
> performs the 'who' command .. and gets the output .. , the whole process
> should look like this :
> -------
> telnet router
> username :username
> password:password
> who
> ---------
> i tried to pass the data through a pipe .. but it does not work ... ,
> how can i perform the above by an automatic script !

-- NAME, LOCATION


Priority 2

Employee disclosing sensitive corporate information in a public forum

Information which could aid an attacker in gaining access to CUSTOMER IT resources

Malicious postings related to products or services that may potentially have a significant negative impact on public image

Employee involved in criminal activity


Priority 2 Example

Analysis: To resolve a network access problem, the suggestion is made to use an exploit tool to gain root access and configure the system as needed. If an employee of a corporation were either of the individuals involved in this exchange, it would present potential problems for the employer. In both cases the individuals are discussing how to break in to systems; this type of activity reflects poorly on the employer and exposes it to potential liability. The message also indicates that a system is potentially going to be broken into in the near future, or already has been.

Re: *BACKDOORS*
Author: NAME
Email: ADDRESS@DOMAIN
Date: DATE
Forums: alt.hacking, alt.hackers.malitious, alt.2600, alt.2600.archangel
Message-ID: <DOMAIN>
Organization: DOMAIN

> ADDRESS@DOMAIN writes:
>: i need some help. can someone tell me where to get a program that will
>: open up a port on a unix box, and allow you to telnet to that port
>: and type a word and shell out as root?
>: i need something that will be loaded into memory and act as a daemon,
>: so that you dont need to edit /etc/inetd.conf or /etc/services.
>: i tried to write one but i dont know enough about sockets and daemons
>: to write something like this.
>: surely some hacker must have this tool they can share with me.

Problem: Your program needs to be running with user-id root to give you a root shell. Otherwise, it must be a program that will initiate an exploit when triggered by an incoming connection on the port.

Solution: If you don't have an exploit, you don't have root, so the problem can't be solved like this. If you DO have an exploit, you don't need the server program you asked about. I assume you have a standard user account on this box (if not, you're looking at the situation from the wrong angle). READ about system logs. Telnet in as yourself, fire off your exploit, become root. Remove the presence from the logs. Make a backdoor so you can still get in after the exploit has been patched.

---=> NAME -=> LOCATION -=> ADDRESS@DOMAIN


Priority 3

Employee spending a large amount of time communicating in public forums from a corporate account

Information about protests, demonstrations, or boycotts involving the CUSTOMER name

Potential trademark or copyright violations of CUSTOMER assets


General Example

Analysis: An exchange between a person reporting alleged problems with a particular construction product, and a response from another person who provides information about a class action lawsuit involving the product. Information is also provided about two web sites acting as virtual clearing houses for problems related to this type of product.

Re: COMPANY Siding Problems
Author: NAME
Email: ADDRESS@DOMAIN
Date: DATE
Forums: alt.consumers.experiences
Message-ID: <DOMAIN>
Organization: DOMAIN

HEY! there is a class action suit against NAME! Come by my webpage at http://DOMAIN.net/ to see more information and a list of siding lawsuit sites.

http://DOMAIN.com/Default.htm is a clearing house for siding problems, especially COMPANY!

email me at ADDRESS@DOMAIN for more info.

In article <DOMAIN.com>, ADDRESS@DOMAIN (NAME) wrote:

> Bought a new house in June of 1993 with COMPANY oriented
> strandboard siding. Advertised as having a 25 year warranty.
> Started having problems with the siding within 3 months. Have
> been fighting a 5 year battle with COMPANY to have them stand
> behind their product. Currently getting bids to have the siding
> replaced at my expense because their 25 year warranty product is
> falling apart. For everyone's information, several products of
> this type have been marketed to many thousands of people with
> the same result. Does L.P. ring any bells. Stay away from
> oriented strandboard siding.


1st Quarter

Search on keywords and findings from initial meeting
– Report weekly
– Continuous contact with client for modifications to criteria
– Anything critical: report immediately and confirm receipt
– Review with customer to ensure they are receiving what they want and need, when they want and need it


Review

– Ensure keywords and key personnel have not changed
– Review and update keyword lists at end of 1st Quarter


Continuing effort

– Weekly reports
– Review


COLLECTING


Collection Examples

Set up a news server

Group of people collecting and reporting

Subscribe to email lists and filter data


News Feed

[Diagram: Internet news feed into the news server, broken out by hierarchy (alt, comp, bus, other) and passed to the reporting server]


Own News Feed continued

Bring in news feed

Break down the messages by groups

Program search for key words developed by customer

Flag suspect messages

Send messages to reporting server

Determine value of message

[Diagram: search loop, "find", then "next message number"]

CUSTOMER AND (kill or break or password or hack)

CUSTOMER AND (security or fire or bomb or boycott)


Collectors at Home

[Diagram: collectors at home connected via the Internet]

Each collector receives one client

Responsible for searching web, news, and message boards


Email Lists

Example list addresses (addresses obfuscated in the source are shown with …):
– …@firewall.sickkids.on.ca
– majordomo@starfury.services.soscorp.com
– owner-ascend-users@…
– …@sekure.org
– …@onelist.com
– cyberlist-watch-digest-help@…
– …@starfury.services.soscorp.com
– …@gmx.net

Filter criteria:
CUSTOMER AND (kill OR break OR password OR hack)
CUSTOMER AND (security OR fire OR bomb OR boycott)
CUSTOMER NAME
CUSTOMER PRODUCTS
CUSTOMER SERVICES
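The collection pipeline on the Own News Feed slide (bring in the feed, break messages down by group, run the customer's keyword scripts, flag suspects for the reporting server) and the keyword criteria repeated here under Email Lists come down to one filter. The following is an added example in Python, not code from the original deck or from Para-Protect: it parses NNTP-style articles, buckets them by top-level newsgroup hierarchy, compiles boolean scripts in the AND/OR/NOT form the slides use into whole-word predicates, and returns the flagged messages ordered by priority. The sample articles, the mapping of scripts to Priority 1/2/3, the set of named hierarchies (alt, comp, biz) and every function name are assumptions made for the illustration.

```python
"""Keyword filter for a collected news feed: parse NNTP-style articles, bucket
them by top-level hierarchy, evaluate boolean scripts such as
    CUSTOMER AND (kill OR break OR password OR hack)
and flag suspect messages with a priority.  Added example; the samples, the
priorities and the hierarchy names are constructed assumptions, not deck material."""
import re
from typing import Callable

KNOWN_HIERARCHIES = {"alt", "comp", "biz"}  # assumed: the slide's "bus" bucket read as biz.*


def parse_article(raw: str) -> tuple:
    """Split an RFC-1036-style article into (headers dict, body)."""
    head, _, body = raw.strip("\n").partition("\n\n")
    headers = {}
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def hierarchy_of(headers: dict) -> str:
    """Top-level hierarchy of the first Newsgroups entry, else 'other'."""
    top = headers.get("newsgroups", "").split(",")[0].strip().split(".")[0].lower()
    return top if top in KNOWN_HIERARCHIES else "other"


def compile_script(script: str) -> Callable[[str], bool]:
    """Compile a boolean keyword script into a predicate over message text.
    expr := term (OR term)*;  term := factor (AND factor)*;
    factor := NOT factor | '(' expr ')' | WORD  (whole word, case-insensitive).
    Operators are case-insensitive, so the deck's lowercase 'or' works too."""
    tokens = re.findall(r"\(|\)|[^\s()]+", script)
    pos = 0

    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of script: " + script)
        pos += 1
        return tokens[pos - 1]

    def expr():
        pred = term()
        while peek() == "OR":
            take()
            pred = (lambda l, r: lambda t: l(t) or r(t))(pred, term())
        return pred

    def term():
        pred = factor()
        while peek() == "AND":
            take()
            pred = (lambda l, r: lambda t: l(t) and r(t))(pred, factor())
        return pred

    def factor():
        tok = take()
        if tok.upper() == "NOT":
            return (lambda i: lambda t: not i(t))(factor())
        if tok == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in script: " + script)
            return inner
        word = re.compile(r"\b" + re.escape(tok) + r"\b", re.IGNORECASE)
        return lambda t: word.search(t) is not None

    predicate = expr()
    if peek() is not None:
        raise ValueError("trailing tokens in script: " + script)
    return predicate


def flag_suspects(raw_articles, rules):
    """rules: list of (script, priority).  Returns the hits, most urgent first,
    as (message-id, hierarchy, priority, matching script)."""
    compiled = [(script, prio, compile_script(script)) for script, prio in rules]
    hits = []
    for raw in raw_articles:
        headers, body = parse_article(raw)
        text = headers.get("subject", "") + "\n" + body   # scripts run over subject and body
        matched = [(prio, script) for script, prio, pred in compiled if pred(text)]
        if matched:
            prio, script = min(matched)                    # lowest number = most urgent
            hits.append((headers.get("message-id", "?"), hierarchy_of(headers), prio, script))
    return sorted(hits, key=lambda h: h[2])


SAMPLE_ARTICLES = [  # constructed, not real postings; CUSTOMER is the deck's placeholder
    "Newsgroups: alt.2600\nSubject: Re: CUSTOMER dial-in\nMessage-ID: <1@example.invalid>\n\n"
    "Anyone still have the CUSTOMER modem pool password? The old one changed.",
    "Newsgroups: comp.unix.questions\nSubject: rsh without a password\nMessage-ID: <2@example.invalid>\n\n"
    "echo \"+\" > ~/.rhosts and rsh lets you in without a password.",  # no CUSTOMER term: stays unflagged
    "Newsgroups: misc.consumers\nSubject: Boycott CUSTOMER products\nMessage-ID: <3@example.invalid>\n\n"
    "Organizing a boycott of CUSTOMER over the siding problems.",
    "Newsgroups: biz.marketplace\nSubject: CUSTOMER quarterly results\nMessage-ID: <4@example.invalid>\n\n"
    "CUSTOMER reported strong results; nothing to see here.",
]

RULES = [  # the deck's two scripts plus a catch-all; the priority mapping is assumed
    ("CUSTOMER AND (kill OR break OR password OR hack)", 1),
    ("CUSTOMER AND (security OR fire OR bomb OR boycott)", 2),
    ("CUSTOMER", 3),
]

if __name__ == "__main__":
    for msg_id, hier, prio, script in flag_suspects(SAMPLE_ARTICLES, RULES):
        print(f"P{prio} {hier:5} {msg_id}  <- {script}")
```

Matching on whole words rather than substrings keeps "hack" from firing on "shack", and NOT lets the quarterly criteria review add exclusions without rewriting a script. The second sample article carries the same .rhosts advice as the Priority 1 example but no customer term, so it is deliberately left unflagged: that is why every script on the slides is anchored on CUSTOMER.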


Reduction

Web page updates

Following news


Analysis

Time saving

Must have accompanying logic

Multi-layered
– First review
– Tech review
– Customer-centric review

Report

CollectCollect

Analyze

Reduce

Information Protection Around the Clock, Around the Globe!

Reports

Single source - multi layered

Tailorable

Timely (weekly & ad hoc)

Electronic based
– ease of redistribution

Feedback loop ESSENTIAL


PROS & CONS


Pros

Provide current and trend data on threats to company

Meet requirements for “due diligence”

Ensure employees comply with policy

Performance feedback


Cons

Competitive intelligence, potential for extortion and industrial espionage

Ambulance chasers

Conflict of interest


Conclusion

Intended to be one part of overall security posture

During an Incident, OSM is an essential partner to your IRT

Policies without enforcement are not worth the paper they are written on

Your competitors are using it

What you don't know can't hurt you, right?


Underestimating the impact can be costly...

"The biggest mistake people make is they underestimate the threat."

Jeff Moss, founder of Def Con(the largest annual hacker convention)


Contact Information

Rob Karas

PARA-PROTECTSERVICES, INC.

5600 General Washington Drive

Suite B-212

Alexandria, VA 22312


http://www.para-protect.com

Phone: 703-658-7746

Toll Free: 888-402-PARA
