Office of Campus Information Security
Incident Response Briefing
Jeffrey Savoy, CISSP
Roadmap
• OCIS Incident Response Background
• Infringement Reports
• Situational Awareness Reports
• Information Incident Reporting Policy
• Nessus Self Service Scans
• AppScan Self Service Scans
OCIS Incident Response Background
• Reports: [email protected]
• Help Desk, NOC, www.cio.wisc.edu, etc.
• 2 FTE and 2 part-time students
• Handle some reports directly and forward others
• WiscNIC
• Statistics posted at www.cio.wisc.edu/security
• Wide range of reports
Infringement Reports
Volume:
Infringement Reports
Complainants:
Infringement Reports
Campus locations:
Situational awareness reports
• A wide variety of reports can be sent to [email protected]
• The following are specific reports that we either sign up for or implement locally
• Goal is to reduce exposure time
• Each source contains different raw evidence
• Each has the potential for false positives
• Based on experience, harder to track in a NAT environment
• We can tune local alerts
• In most cases, worth investigation
Situational awareness reports
Web-Spam Searches
OCIS has a process that queries Google daily (M-F) for signs of web spam on wisc.edu sites.
The spam may be indicative of a compromised web server or a site that allows public comments which is being abused.
Situational awareness reports
Example:
“OCIS has identified the below URLs recently found in Google to be consistent with providing or re-directing to web spam.”
Included (in part):
• Why you are getting this email (WiscNIC)
• Suspicious URL
• What it might indicate
• Google cache removal instructions
Statistics: 29 confirmed reports since January 2009 (about 4 a week)
Situational awareness reports
Sophos Alerts
OCIS receives alerts of spam originating from the University of Wisconsin - Madison from Sophos email honeypots installed worldwide. Often these alerts are indicative of a compromised personal computer that is being used to send out email spam. We have access to this service as a result of the WiscMail purchase of Sophos for filtering.
Situational awareness reports
Example:
“Our spam scanning software has detected the following spam was sent from your network <IP ADDR>. I have attached a part of the raw data below for your review.
• Please note that all dates and times are in -0700 unless otherwise noted.
• Could you please look into this possible spam, and let us know what actions you take to resolve.”
Statistics: 150 alerts in last 9 months (about 4 a week)
Situational awareness reports
Alerts from our campus border flow analysis
OCIS staff process alerts of suspicious activity daily (M-F). These alerts may be indicative of a compromised server or personal computer; however, they may sometimes be the result of end-user activity, e.g. P2P file sharing, Skype, etc.
The current alerts look for a variety of conditions, e.g. suspicious SMTP/DNS activity, connections to suspicious IP addresses as listed by REN-ISAC (Research and Education Network Info Sharing and Analysis Center), etc.
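A worked illustration of the two conditions this slide names, added here and not OCIS's own flow tool: it scores constructed flow records against a suspicious-IP list (seeded with the controller address quoted in the REN-ISAC example later in this deck) and flags outbound SMTP from hosts other than the assumed campus mail relays. The relay list and the distinct-destination threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of border flow records (src_ip, dst_ip, proto, dst_port, bytes).
# Addresses are from documentation ranges; 192.0.2.0/24 stands in for campus hosts.
FLOWS = [
    ("192.0.2.10", "198.51.100.25", "tcp", 25, 4200),
    ("192.0.2.10", "198.51.100.26", "tcp", 25, 3900),
    ("192.0.2.10", "198.51.100.27", "tcp", 25, 4100),
    ("192.0.2.11", "152.8.146.168", "tcp", 5190, 800),
    ("192.0.2.12", "203.0.113.5", "tcp", 443, 120000),
    ("192.0.2.20", "198.51.100.30", "tcp", 25, 5000),
]

# Destinations flagged by a feed such as REN-ISAC; the one entry is the
# controller address quoted in this deck's REN-ISAC alert example.
SUSPICIOUS_IPS = {"152.8.146.168"}

# Assumption: only the campus mail relays should originate SMTP to the Internet.
MAIL_RELAYS = {"192.0.2.20"}

# Assumption: a non-relay host talking SMTP to this many distinct hosts is worth a look.
SMTP_DISTINCT_DST_THRESHOLD = 3


def analyze_flows(flows, suspicious_ips=SUSPICIOUS_IPS, mail_relays=MAIL_RELAYS,
                  smtp_threshold=SMTP_DISTINCT_DST_THRESHOLD):
    """Return {internal_host: reason} for every host that matched a condition."""
    alerts = {}
    smtp_dsts = defaultdict(set)
    for src, dst, proto, dport, _nbytes in flows:
        # Condition 1: any connection to a listed suspicious address.
        if dst in suspicious_ips:
            alerts[src] = f"connection to suspicious IP {dst} {proto}/{dport}"
        # Condition 2: outbound SMTP from a host that is not a mail relay.
        if proto == "tcp" and dport == 25 and src not in mail_relays:
            smtp_dsts[src].add(dst)
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= smtp_threshold and src not in alerts:
            alerts[src] = f"outbound SMTP to {len(dsts)} distinct hosts from a non-relay host"
    return alerts


def format_alert(host, reason):
    """Render the notification text in the style of the deck's example."""
    return ("Our flow analysis tool is alerting on possible suspicious activity "
            f"originating from {host}. Why suspicious: {reason}.")


if __name__ == "__main__":
    for host, reason in sorted(analyze_flows(FLOWS).items()):
        print(format_alert(host, reason))
```

The relay whitelist is what keeps the legitimate mail server out of the alert list; the same idea applies to any known-good source (a campus DNS resolver for the DNS condition) that would otherwise generate daily false positives.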
Situational awareness reports
Example:
“Our flow analysis tool is alerting on a possible suspicious activity originating from <IP ADDR>. This may be a sign of a compromise, infection, or user activities, eg peer to peer applications, etc.”
Included (in part):
• Network flows
• Why suspicious, e.g. connecting to a known command-and-control (C&C) server, etc.
Statistics: 34 in last two months (about 4 a week)
Situational awareness reports
Project HoneyPot Alerts
OCIS staff receive alerts of email spam, dictionary web attacks, etc. for the UW System from the Project Honey Pot service (www.projecthoneypot.org). OCIS pays a small yearly amount for this subscription.
Situational awareness reports
Example:
144.92.X.X (SPAM)
- Sat, 26 Jan 2008 22:56:04 -0500
- DCC-MsgId: 426a2a78 5bfc2ebc e9c189b8 40c608fb
- Subject: Armchair Vegas
- From: "ClubVIP Casino." <[email protected]>
Statistics: 280 in last 20 months (about 3 a week)
Situational awareness reports
REN-ISAC
OCIS staff receive alerts of possible "bots" or otherwise compromised machines directly from REN-ISAC operations, which their system may identify.
Situational awareness reports
Example:
The host(s) listed at the bottom of this message have been identified as likely bot infected. The host(s) were observed attempting to connect to a known botnet controller at 152.8.146.168 tcp port 5190. Please examine this machine for signs of break-in.
IP Address      Timestamp
----------------------------------------
146.151.X.X     2006-02-12-17:54:47-UTC-5
Statistics: 125 in last 22 months (about 1 a week)
Situational awareness reports
Shadowserver Foundation
OCIS staff receive alerts for the University of Wisconsin-Madison from additional honeypots installed around the world and maintained by security volunteers running the Shadowserver Foundation (www.shadowserver.org).
The types of reports that we may receive are listed at this URL: http://www.shadowserver.org/wiki/pmwiki.php/Services/Reports
Situational awareness sources
Example:
Statistics: 118 reports in the last 10 months (about 3 a week)
Information Incident Reporting Policy
http://www.cio.wisc.edu/policies
UW-Madison employees, contractors and users of UW-Madison information resources must report incidents in which there is a reasonable belief that UW-Madison sensitive information may have been accessed by unauthorized persons. Reportable incidents include but are not limited to:
• intrusion by malware or other unauthorized access via the network into computer systems or devices, where it is reasonable to believe that sensitive information was accessed by unauthorized persons.
Information Incident Reporting Policy
Sensitive data defined:
• Institutional Data that could, by itself or in combination with other such Data, be used for identity theft, fraud, or other such crimes. It includes Data defined as Restricted Data. Restricted Data includes information with Personal Identifying Information (PII) as specified in Wisconsin’s data Breach Notification Law (statute Section 134.98)
• Institutional Data whose public disclosure is restricted by law, contract, University policy, professional code, or practice within the applicable unit, discipline, or profession
• Etc.
Information Incident Reporting Policy
Nessus self service scans
Purpose:
A convenient way to obtain a baseline scan of campus devices on the network without having to purchase and maintain Nessus software
Location: https://www.cio.wisc.edu/security/scanning
Statistics: Over 200 scans requested since January 2008
Nessus self service scans
Nessus self service scans
Limitations:
• Scans done without local credentials
• Firewalls (host and network) need to be open
• Limited effectiveness with those using NAT
• Verbose reports
IBM AppScan self service scans
Purpose:
A convenient way to obtain a baseline scan of web servers without having to purchase and maintain AppScan software.
Location: https://www.cio.wisc.edu/security/scanning
Statistics: Over 100 scans requested since January 2008
IBM AppScan self service scans
IBM AppScan self service scans
Limitations:
• Scans done without credentials to the web site, e.g. pubcookie, etc.
• Firewalls (host and network) need to be open
• Verbose reports
• Crawling large sites may result in long scan times
• Load on web server
• Default form values used by AppScan may result in false negatives
Lockdown 2009!
http://cio.wisc.edu/events/Lockdown
Questions?