Open Source Monitoring (OSM). Information Protection Around the Clock, Around the Globe! WHAT OSM IS...
Information Protection Around the Clock, Around the Globe!
WHAT OSM IS and IS NOT
Proprietary Information – Not for further Distribution
What OSM is
Open Source Monitoring: searching/monitoring for specific information in any public media
Essential for:
– IT administration
– Human Resources
– Legal
Marketing and performance information
What OSM is not
E-mail monitoring
24 x 7 real time intrusion detection system
24 x 7 real time monitoring of employee activity
Sole source of information for critical actions and decisions
WHY
Business Case
Risk = Threat + Vulnerabilities
No one has 100% protection
Knowing threats and fixing them reduces risk
Saves Money
Due Diligence Case
Gain an external view of yourself/company
– Public opinion
– Competitors
– Employees/Former employees
– Leaks/Threats
Common Sense Case
Help enforce company security policy
Receive customer feedback on products/services
Information consolidation
– Single source for multiple purposes
Types of Media Monitored
Web pages
– Search engines (dogpile, yahoo)
– Search tools (Web Seeker/ Web Whacker)
News postings
– News clients
– News feed
– News server
– Dejanews
Types of Media to Monitor
Chat groups (IRC/ICQ) - High Interest Only
– enter chat group and log
– search through logs for key words
Message Boards
– yahoo
– raging bull
– cnn
– aol
– others
Types of Media to Monitor
FTP
– warez sites
– code
– proprietary information
Legacy/Bulletin Boards
– dial up and become involved
– connections through BBS world
Any form of public media
– news
– tv & radio
PROCESS
Methodologies
Systematic
Continuous
Keyword based
Filtered collection
Organized
Comprehensive
Analyze data
(Process cycle diagram: Collect → Reduce → Analyze → Report)
Initial Meeting
Develop search criteria
– Keywords (hack, SunOS, etc)
– Identify key personnel (CEO, CFO, CIO, etc)
– Identify company domains
– Customer specific terms
– Boolean scripts
– Other issues relevant to company
Determine reporting contact
Determine Priority 1, 2, and 3 levels
Pre-Meeting Prep
Priority 1
Claims of break-ins against CUSTOMER
Passwords, dial-in numbers or other critical information which could allow access to CUSTOMER network
Employees disclosing sensitive corporate information or trade secrets
Extremely malicious postings related to products or services
Threats of violence against CUSTOMER
Priority 1 Example
Analysis: In reply to a request for help with how to implement remote access with no password to a critical network device, an external source suggests putting a “+” in the .rhosts file, which would allow anyone on the network to log in to the router with no password.
Re: script to log into router
Author: NAME
Email: ADDRESS@DOMAIN
Date: DATE
Forums: comp.unix.questions
Message-ID: <DOMAIN>
Organization: DOMAIN
I don't know about cisco routers, but...
$ rsh remotehostname who
"rsh" is "remsh" on some systems (those where rsh = restricted shell, you want remote shell). You'll need to configure your .rhosts file on the remote host. The simplest thing to do: echo "+" > ~/.rhosts
NAME wrote:
> We have SCO Internet FastStart 1.1.0 , ( release 3.2v5.0.2 ) , i want
> to make an automatic script that a log into a cisco router .. and
> perform 'who' command .. and get the output .. , the whole process
> should look like this :
> -------
> telnet router
> username :username
> password:password
> who
> ---------
> i tried to pass the data through a pipe .. but it does not work ... ,
> how can i perform the above by an automatic script !
-- NAME
LOCATION
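From the defender's side, the point of the analysis above is that a wildcard entry in .rhosts (or hosts.equiv) grants passwordless trust to any host. The following audit routine is an added example, not part of the presentation; the sample file contents are constructed, and the comment-handling and netgroup conventions reflect common rhosts syntax.

```python
# Constructed sample .rhosts contents (not taken from any real host).
RHOSTS_OPEN = "+\n"  # exactly what  echo "+" > ~/.rhosts  from the post produces
RHOSTS_SCOPED = "trusted.example.net ops\n# maintenance window\n-old.example.net\n+@netgroup\n"

def audit_rhosts(text):
    """Return (line_no, entry, reason) for each .rhosts/hosts.equiv entry that trusts too broadly.
    Entry format: host [user]; '+' alone is a wildcard, a '-' prefix denies, '+@name' is a netgroup."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host == "+":  # any host may log in without a password
            findings.append((n, entry, "any host trusted" + (", any user" if user == "+" else "")))
        elif user == "+":  # every account on that host is trusted
            findings.append((n, entry, f"any user on {host} trusted"))
        elif host.startswith("+@"):  # trust delegated to a netgroup; its membership needs review
            findings.append((n, entry, f"netgroup {host[2:]} trusted; review membership"))
    return findings
```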
Priority 2
Employee disclosing sensitive corporate information in a public forum
Information which could aid an attacker in gaining access to CUSTOMER IT resources
Malicious postings related to products or services that may potentially have a significant negative impact on public image
Employee involved in criminal activity
Priority 2 Example
Analysis: To resolve a network access problem, the suggestion is made to use an exploit tool to gain root access and configure the system as needed. If an employee of a corporation were either of the individuals involved in this exchange, it would present potential problems for the employer. In both cases the individuals are engaging in discussions of how to break in to systems; this type of activity reflects poorly on the employer and exposes it to potential liability. The message also indicates that a system is potentially going to be broken into at some point in the near future, or already has been.
Re: *BACKDOORS*
Author: NAME
Email: ADDRESS@DOMAIN
Date: DATE
Forums: alt.hacking, alt.hackers.malitious, alt.2600, alt.2600.archangel
Message-ID: <DOMAIN>
Organization: DOMAIN
> ADDRESS@DOMAIN writes:
>: i need some help. can someone tell me where to get a program that will
>: open up a port on a unix box, and allow you to telnet to that port
>: and type a word and shell out as root?
>: i need something that will be loaded into memory and act as a daemon,
>: so that you dont need to edit /etc/inetd.conf or /etc/services.
>: i tried to write one but i dont know enough about sockets and daemons
>: to write something like this.
>: surely some hacker must have this tool they can share with me.
Problem: Your program needs to be running with user-id root to give you a root shell. Otherwise, it must be a program that will initiate an exploit when triggered by an incoming connection on the port.
Solution: If you don't have an exploit, you don't have root, so the problem can't be solved like this. If you DO have an exploit, you don't need the server program you asked about. I assume you have a standard user account on this box (if not, you're looking at the situation from the wrong angle). READ about system logs. Telnet in as yourself, fire off your exploit, become root. Remove the presence from the logs. Make a backdoor so you can still get in after the exploit has been patched.
---=> NAME
-=> LOCATION
-=> ADDRESS@DOMAIN
Priority 3
Employee spending large amount of time communicating in public forums from corporate account
Information about protests, demonstrations, or boycotts involving customer name
Potential trademark or copyright violations of CUSTOMER assets
General Example
Analysis: An exchange between a person reporting alleged problems with a particular construction product, and a response from another person who provides information about a class action lawsuit involving the product. Information is also provided about two web sites acting as virtual clearing houses for problems related to this type of product.
Re: COMPANY Siding Problems
Author: NAME
Email: ADDRESS@DOMAIN
Date: DATE
Forums: alt.consumers.experiences
Message-ID: <DOMAIN>
Organization: DOMAIN
HEY! there is a class action suit against NAME! Come by my webpage at http://DOMAIN.net/ see more information and a list of siding lawsuit sites.
http://DOMAIN.com/Default.htm is a clearing house for siding problems especially COMPANY!
email me at ADDRESS@DOMAIN for more info.
In article <DOMAIN.com>, ADDRESS@DOMAIN (NAME) wrote:
> Bought a new house in June of 1993 with COMPANY oriented
> strandboard siding. Advertised as having a 25 year warranty.
> Started having problems with the siding within 3 months. Have
> been fighting a 5 year battle with COMPANY to have them stand
> behind their product. Currently getting bids to have the siding
> replaced at my expense because their 25 year warranty product is
> falling apart. For everyone's information, several products of
> this type have been marketed to many thousands of people with
> the same result. Does L.P. ring any bells. Stay away from
> oriented strandboard siding.
1st Quarter
(Timeline diagram: Initial Meeting → 1st Quarter)
Search on keywords and findings from initial meeting
– report weekly
– continuous contact with client for modifications to criteria
– anything critical: report immediately and confirm receipt
– review with customer to ensure they are receiving what they want and need when they want it and need it
Review
(Timeline diagram: Initial Meeting → Weekly reports → Review)
– Assure keywords and key personnel have not changed
– Review and update keyword lists at end of 1st Quarter
Continuing effort
(Timeline diagram: Initial Meeting → Weekly reports → Review)
COLLECTING
Collection Examples
Set up a news server
Group of people collecting and reporting
Subscribe to email lists and filter data
News Feed
(Diagram: Internet News feed into the news server, broken down by group (alt, comp, bus, other) and passed to the Reporting Server)
Own News Feed continued
Bring in news feed
Break down the messages by groups
Program search for key words developed by customer
Flag suspect messages
Send messages to reporting server
Determine value of message
(Loop: next message number → find)
CUSTOMER AND (kill or break or password or hack)
CUSTOMER AND (security or fire or bomb or boycott)
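The filtering step above is a small Boolean keyword matcher run over every message pulled from the feed. The code below is an added example, not the presentation's own tooling: it parses the two scripts exactly as written on the slide (case-insensitive, AND binding tighter than OR, parentheses honoured) and flags matching messages by group and message number. The sample messages and the mapping of each script to a priority level are constructed for the example.

```python
import re
# Constructed sample messages (not real postings): (message number, newsgroup, body).
SAMPLE_MESSAGES = [
    (101, "comp.unix.questions", "Anyone know the dial-in password for the CUSTOMER router?"),
    (102, "alt.consumers.experiences", "Time to boycott CUSTOMER over the siding mess."),
    (103, "bus.general", "CUSTOMER reports a strong quarter."),
    (104, "alt.2600", "how to hack a router with no password (unrelated company)"),
]
# The two Boolean scripts from the slide; which priority level each feeds is assumed here.
CRITERIA = [
    ("CUSTOMER AND (kill OR break OR password OR hack)", 1),
    ("CUSTOMER AND (security OR fire OR bomb OR boycott)", 2),
]
def parse(expr):
    """Parse an 'A AND (B OR C)' keyword script into a predicate over a set of lower-cased words."""
    tokens = re.findall(r"\(|\)|\w+", expr)
    pos = 0
    def peek():
        return tokens[pos].upper() if pos < len(tokens) else None
    def take():
        nonlocal pos; pos += 1; return tokens[pos - 1]
    def atom():  # a bare keyword or a parenthesised sub-expression
        if peek() == "(":
            take(); node = or_expr(); take()  # consume '(' ... ')'
            return node
        word = take().lower()
        return lambda words: word in words
    def and_expr():  # AND binds tighter than OR
        node = atom()
        while peek() == "AND":
            take()
            node = (lambda l, r: lambda w: l(w) and r(w))(node, atom())
        return node
    def or_expr():
        node = and_expr()
        while peek() == "OR":
            take()
            node = (lambda l, r: lambda w: l(w) or r(w))(node, and_expr())
        return node
    return or_expr()
def flag_messages(messages, criteria):
    """Return (number, group, priority) for each message that matches at least one criterion."""
    compiled = [(parse(expr), prio) for expr, prio in criteria]
    flagged = []
    for number, group, body in messages:
        words = set(re.findall(r"\w+", body.lower()))
        hits = [prio for pred, prio in compiled if pred(words)]
        if hits:  # several scripts may match; keep the most urgent (lowest) level
            flagged.append((number, group, min(hits)))
    return flagged
```

Message 104 is not flagged even though it contains "hack" and "password", because the CUSTOMER term is required by both scripts; that is the filter's noise reduction, and also its blind spot for postings that name the company indirectly.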
Collectors at Home
(Diagram: collectors at home connected via the Internet)
Each collector receives one client
Responsible for searching web, news, and message boards
Email Lists
CUSTOMER AND (kill OR break OR password OR hack)
CUSTOMER AND (security OR fire OR bomb OR boycott)
CUSTOMER NAME
CUSTOMER PRODUCTS
CUSTOMER SERVICES
Reduction
Web Page updates
Following news
Analysis
Time saving
Must have accompanying logic
Multi-layered
First Review
Tech Review
Customer centric Review
Reports
Single source - multi layered
Tailorable
Timely (weekly & ad hoc)
Electronic based
– ease of redistribution
Feedback loop ESSENTIAL
PROS & CONS
Pros
Provide current and trend data on threats to company
Meet requirements for “due diligence”
Ensure employees comply with policy
Performance feedback
Cons
Competitive intelligence, potential for extortion and industrial espionage
Ambulance chasers
Conflict of interest
Conclusion
Intended to be one part of overall security posture
During an Incident, OSM is an essential partner to your IRT
Policies without enforcement are not worth the paper they are written on
Your competitors are using it
What you don’t know can’t hurt you, right?
Underestimating the impact can be costly...
"The biggest mistake people make is they underestimate the threat."
Jeff Moss, founder of Def Con (the largest annual hacker convention)
Contact Information
Rob Karas
PARA-PROTECT SERVICES, INC.
5600 General Washington Drive
Suite B-212
Alexandria, VA 22312
http://www.para-protect.com
Phone: 703-658-7746
Toll Free: 888-402-PARA