Security: New Trends, New Issues Internet2 Fall Member Meeting 2004 Doug Pearson Indiana University Research and Education Networking ISAC http://www.ren-isac.net

Page 1

Security: New Trends, New Issues
Internet2 Fall Member Meeting 2004

Doug Pearson
Indiana University

Research and Education Networking ISAC
http://www.ren-isac.net

Page 2

2004 CSI/FBI Computer Crime and Security Survey
http://www.gocsi.com/


Page 5

2004 CSI/FBI Survey

Percent Conducting Security Audits – Up

Page 6

2004 CSI/FBI Survey

Technologies Employed – Up

Page 7

2004 CSI/FBI Survey

Training – Up

Page 8

2004 CSI/FBI Survey

Dollar Losses – Down

Page 9

Factors

• Poll of the CSI membership
• Doesn’t represent the global picture
• Small business is not well represented
• Doesn’t account for the rising number of always-on home systems on broadband networks

Page 10

Maybe it means…

• Poll of CSI members; “They have joined CSI because they want to find ways to reduce economic losses.” [2]

• The reductions don’t seem to represent the world at large, but

• Maybe the survey simply affirms that organizations that are taking an active security posture will recognize substantial results.

Page 11

CERT/CC & US-CERT Advisories

Page 12

Trends and Landscape

• Rate of discovery of vulnerabilities is up – statistically relevant increases since 2002.

• Time to exploit is down: in 2002 the average time was generalized as 14 days, in 2003 as 7-10 days, and now it is at times less than a week.

• AV strategies and deployments are getting better

• Patch response is getting better (vendors and users)

Page 13

Trends and Landscape

• Sites are employing quarantine zones with scan/patch requirements

• More administrative control of end-system configurations at non-traditionally centralized organizations, e.g. MS auto-update turned on, AV installed and active;

• Some large-scale enterprises have difficulty with rapid patch/version deployment due to internal testing requirements – as seen with XP SP2 adoption.

Page 14

Trends and Landscape

• Increased use of firewalls and/or ACLs

• Med-large business, higher education, and government sectors are all getting much more serious about security; still need much more awareness and upper-management commitment

• Small business isn't as prepared – lack the technical proficiency and resources

• Home systems always-on threat base is large. Lack of due care is a critical issue.

Page 15

Trends and Landscape

• Overseas threat base is very large (and active), particularly Asia Pacific and Eastern Europe – borne out in traffic patterns from worm scanning, botted systems, etc.

• Pre-fab tools make it easy for unsophisticated attackers to launch sophisticated attacks; move from disruptive behavior to for-profit motive, e.g. identity theft and extortion; increasing the risk to average end-users.

Page 16

Trends and Landscape

• Sophisticated multi-purpose, multi-attack vectors (e.g. phatbot) are on the rise

• The botnet problem is very serious; move from disruptive behavior to for-profit motives.

• The phishing problem is very serious; overwhelming increase from a few in 2003 to several per week. FTC estimates 5% success.

• Intrusion attacks can expand very rapidly, e.g. the Spring 2004 *nix compromises proceeded with astonishing rapidity

Page 17

Trends and Landscape

• Organized crime is becoming more engaged, particularly with extortion based on theft of information and DDoS threat, and identity theft

• There's much more successful extortion (e.g. at financial institutions) than gets reported; which has interested organized crime, particularly in Eastern Europe

• Information sharing for effective practice is increasing; EDUCAUSE Effective Practices Guide

Page 18

Trends and Landscape

• Information sharing for response is increasing; regional (gigaPoP), REN-ISAC, and industry operational forums

• Cross-organization response activities are working, but the active threat is large

• Use of blacklist route servers by internet service providers increasing

Page 19

Acknowledgements

• 2004 CSI/FBI Survey
  – http://www.gocsi.com/

• Internet Security Systems
  – http://www.iss.net
  – Carter Schoenberg

• US-CERT & CERT/CC
  – http://www.us-cert.gov
  – http://www.cert.org

Page 20

References

• [1] http://www.enterpriseitplanet.com/security/features/article.php/11321_3385371_1

• [2] Robert Richardson, editorial director of CSI

Page 21

REN-ISAC Information Sharing

• Opportunity:
  – Extensive sharing, within a trusted circle of operational security professionals, of actionable information regarding active sources of cyber threat, in a manner permitting expedient action upon the shared information, will facilitate a reduction of threat scale, protection of resources, and resolution of specific infections.

Page 22

REN-ISAC Information Sharing

• Sharing needs to occur within a closed/vetted trust circle of operational security professionals
  – don't want to tip off the bad guys
  – don't want operational personnel or processes to publicly expose compromise information
  – don't want to hamper law enforcement or other investigations
  – at times may be operating in gray areas

Page 23

REN-ISAC Information Sharing

• There's a lot of information to share
  – analysis from netflow
  – analysis from darknets
  – analysis from IDS and firewalls
  – information sources include the activities of various groups formed around Internet service providers, research activities, loose associations, individuals, institutions, ISACs, etc.

Page 24

REN-ISAC Information Sharing

• Examples of information
  – worm scanning [show example data]
  – SSH scanners [show example data]
  – Bot C&C and botted systems [show example data]
  – DDoS

Page 25

REN-ISAC Information Sharing

• Types of useful sharing
  – simple formatted lists via e-mail
  – automated action methods, e.g. blacklist route server
    • what policy and management methods are necessary for institutions to trust and employ automated methods?
    • what administrative and descriptive metadata needs to be associated with blacklist entries?
  – other types?

Page 26

REN-ISAC Information Sharing

• Requirements for information sharing
  – a structured method to establish and maintain a trust circle
  – How large can a trusted circle be and still be effective for free-flowing information sharing?
  – Would different levels of trust circles, e.g. regional and national, be more effective? How then to make sure that useful information gets shared broadly?
  – standard formats to represent the information
  – an organized body to facilitate process, management, and flow

Page 27

REN-ISAC Information Sharing

• REN-ISAC is working on two items
  – Cyber Security Registry for Research and Education
  – preliminary to the Registry, active now: the closed/vetted mailing list RENISAC-SEC-L

Page 28

REN-ISAC Cyber Security Registry

• To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for all US colleges and universities.

• The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior.

• All registrations will be vetted for authenticity.

• The primary registrant assigns delegates. Delegates can be functional accounts.

• Currency of the information will be aggressively maintained.

Page 29

REN-ISAC Cyber Security Registry

• Aiming for 24 x 7 contact, with deep reach – a decision maker, primary actor, with clearance for sensitive information.

• Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution – reports may identify specific machines.

• Related Registry information to serve network security management and response:
  – address blocks
  – routing registry
  – network connections (e.g. Abilene, NLR)

Page 30

REN-ISAC Cyber Security Registry

• Registry information will be:
  – utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow,
  – utilized by the REN-ISAC for early warning,
  – open to the members of the trusted circle established by the Registry, and
  – with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISPs and law enforcement.

Page 31

REN-ISAC Cyber Security Registry

• The Registry will enable:
  – Appropriate communications by the REN-ISAC
  – Sharing of sensitive information derived from the various information sources:
    • Network instrumentation, including netflow, ACL counters, and operational monitoring systems
    • Daily security status calls with ISACs and US-CERT
    • Vetted/closed network security collaborations
    • Backbone and member security and network engineers
    • Vendors, e.g. monthly ISAC calls with vendors
    • Members – related to incidents on local networks

Page 32

REN-ISAC Cyber Security Registry

• The Registry will enable:
  – Sharing among the trusted circle members
  – Establishment of a vetted/trusted mailing list for members to share sensitive information
  – Access to the REN-ISAC / US-CERT secure portal
  – Access to segmented data and tools:
    • Segmented views of netflow information
    • Per-interface ACLs
    • Other potentials that can be served by a federated trust environment

Page 33

REN-ISAC Information Sharing

• RENISAC-SEC-L mailing list
  – for individuals who would meet the Registry criteria, i.e. primary registrant as CIO/ITSO and delegates
  – http://www.ren-isac.net/renisac-sec-l.html