martin-asia-00-singcert




Presentation Transcript

Singapore Computer Emergency Response Team (SingCERT) : 

Singapore Computer Emergency Response Team (SingCERT)
Martin Khoo, Assistant Director, Incident Management, IDA; Programme Manager, SingCERT
markhoo@singcert.org.sg

Formation of SingCERT : 

SingCERT 2000 - BlackHat Briefing 2 4/4/00
* SingCERT is a programme of the Infocomm Development Authority (IDA) of Singapore in collaboration with the National University of Singapore (NUS)
* Launched in October 1997 during Comdex 97

Missions of SingCERT : 

* One point of contact: provide a reliable, trusted, single point of contact for prevention, detection & resolution of security incidents on public/private networks such as the Internet & Singapore ONE
* Increase security competency: education & awareness promotion
* Provide value-added security services: security consultancy programme

Programmes of SingCERT (1) : 

Technical Programme
* Drives the security incident response function of SingCERT
* Undertakes the R&D function of SingCERT
* Issues security advisories, newsletters and alerts
* Ensures the operational readiness of SingCERT's incident response infrastructure

Programmes of SingCERT (2) : 

Services Programme
* Promote security awareness through the organisation of security seminars and workshops
* Responsible for international & industry liaison
* Manage the security consultancy services of SingCERT

Operational Framework : 

[Operational framework diagram; only its labels survive]
* Parties: Constituency, SECAP, L.E.A/Reg.Bod., SIR, ISAPs, International CERTs/FIRST
* Relationships shown: Collaboration, Incident Response, Incident Report, Advise, Consult, Incident Handling, Education, Consultancy, Awareness, R&D Collaboration, Knowledge Sharing

Local & International Collaboration : 

* SingCERT works closely with FIRST & international CERT efforts in the course of its incident response work
* Collaboration in the areas of training and knowledge sharing with foreign CERTs

International Contacts (1) : 

* CERT/CC (US CERT) - visited them in August 1997
* AUSCERT (Australian CERT) - SingCERT's sponsor for FIRST membership
* DFN-CERT (German CERT) - visited them in August 1997
* JPCERT/CC (Japan CERT) - visited them in June 1998

International Contacts (2) : 

* KRCERT/CC (Korean CERT)
* MyCERT (Malaysian CERT)
* Forum of Incident Response & Security Teams (FIRST)
  - SingCERT was presented at the 10th FIRST conference in Monterrey, Mexico (June 1998)
  - SingCERT was voted in as a full member of FIRST in November 1998

International Contacts (3) : 

Asia Pacific Security Incident Response Co-ordination (APSIRC)
* Charter is to create the AP regional forum to facilitate the exchange of ideas and expertise on Internet security incident handling
* SingCERT is a founding member and the official host of the APSIRC website

SingCERT Security Services : 

* Incident resolution over the phone (office hours) and through email
* Security consultation over the phone
* Security advisories and alerts online at the SingCERT website
* Security resource archive online at the SingCERT website

SingCERT Security Services : 

* Repository on Internet hoaxes, fraud and viruses
* Checklists and papers on security topics
* Online security discussion forum *
* PGP keyserver service *

SingCERT Security Services : 

Platforms covered:
(A) Unix
* Sun Solaris 2.x, SunOS 4.x
* Linux (RedHat, Slackware)
* FreeBSD
(B) Windows
* Windows NT Server 4.0 and above

Reporting an incident : 

* Hotline - 8746666
* Email - cert@singcert.org.sg
* Incident Report Form
* The system/network/security administrator should be the one reporting the incident
* Have information on the platform and on how you discovered the intrusion or break-in
* System log files to be made available

Incident Resolution : 

* A solution may be available immediately if it is a known exploit
* If it is something new, then a workaround may be proposed as an interim solution
* Confidentiality is maintained at all times
* Escalation to law enforcement is the decision of the victim

Sampling of Cases : 

Typical categories of incidents:
* Probing
* Spamming
* Virus/Trojan Attacks
* Email Abuse
* Hoaxes
* Unauthorised system access
* Root Compromise

Unauthorised Probing : 

* Common infringement
* Volume tends to go up with the release of new scanning tools
* Easy to detect if sites have some logging mechanism in place (e.g. firewall, wrapper)
* Newer scanning techniques are making it more difficult to detect such activities
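As an added example (not part of the briefing), the logging-based detection the slide refers to can be reduced to a simple rule over firewall or wrapper deny logs: a source that is refused on many distinct destination ports within a short window is a likely probe. The log format, addresses and thresholds below are constructed for this example and do not match any particular firewall's or tcpd's output; the rule deliberately ignores a host that keeps retrying one port, which is the usual misconfigured-client noise.

```python
"""Flag probing from deny logs: a source refused on many distinct ports in a short window.

Added example, not part of the SingCERT briefing. The log format below is
constructed for this example (not any real firewall's or tcpd's format).
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> DENY <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2000-04-04T10:00:01 DENY 192.0.2.10 -> 198.51.100.5:21
2000-04-04T10:00:01 DENY 192.0.2.10 -> 198.51.100.5:22
2000-04-04T10:00:02 DENY 192.0.2.10 -> 198.51.100.5:23
2000-04-04T10:00:02 DENY 192.0.2.10 -> 198.51.100.5:25
2000-04-04T10:00:03 DENY 192.0.2.10 -> 198.51.100.5:80
2000-04-04T10:00:03 DENY 192.0.2.10 -> 198.51.100.5:110
2000-04-04T10:00:04 DENY 192.0.2.10 -> 198.51.100.5:143
2000-04-04T10:05:00 DENY 192.0.2.20 -> 198.51.100.5:80
2000-04-04T10:05:30 DENY 192.0.2.20 -> 198.51.100.5:80
2000-04-04T10:06:00 DENY 192.0.2.20 -> 198.51.100.5:80
2000-04-04T10:00:00 DENY 203.0.113.7 -> 198.51.100.5:22
2000-04-04T10:30:00 DENY 203.0.113.7 -> 198.51.100.5:80
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) DENY (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Parse deny lines into (timestamp, src, dst, port); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def find_probes(events, min_ports=5, window_seconds=60):
    """Return {src: sorted distinct ports} for every source that touched at least
    min_ports distinct destination ports within some window_seconds-long window."""
    hits_by_src = defaultdict(list)
    for ts, src, _dst, port in events:
        hits_by_src[src].append((ts, port))

    flagged = {}
    for src, hits in hits_by_src.items():
        hits.sort()  # order by time; log lines from several sources are interleaved
        for start in range(len(hits)):
            t0 = hits[start][0]
            ports = set()
            for ts, port in hits[start:]:
                if (ts - t0).total_seconds() > window_seconds:
                    break
                ports.add(port)
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break  # one qualifying window is enough to flag this source
    return flagged


if __name__ == "__main__":
    for src, ports in find_probes(parse_log(SAMPLE_LOG)).items():
        print(f"possible probe from {src}: ports {ports}")
```

The window and port-count thresholds are the tuning knobs: slow scans that spread a handful of ports over hours (the third constructed source) pass under the 60-second default, which is the "newer scanning techniques" point of the slide; widening the window catches them at the cost of more false positives from ordinary clients.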

Unsolicited Commercial Email : 

* Few cases
* Complaints about some local organisation spamming foreign users
* Once-off problem, as the offending site normally backs off after the initial complaint
* SingCERT advisory on how to protect against being spammed

Virus/Trojan Attacks : 

* Chernobyl/CIH - malicious, destructive in nature; 350++ cases reported to SingCERT, Apr. 26 - 28
* Happy99, Melissa - harmless
* Netbus, Back Orifice (BO) - trojan programs that can steal info. from your system (spread through email attachments)

Email Abuse : 

* Subscribing someone to porno or product marketing mailing lists
* Email server used as a relay by others
* Advice is to use a newer version of the email server or to configure the mail server correctly
* Be careful who you give your email account out to, especially online web sites

Hoaxes : 

* Fear, Uncertainty & Doubt (FUD)
* Harmless pranks to create FUD
* SingCERT asked to verify whether some virus/trojan warning is a hoax
* E.g. Celcom Screensaver, Happy New Year

Unauthorised System Access : 

* Exploiting system bugs to gain access to the system
* Common schemes exploit bugs in application programs (buffer overflow) or unnecessary privileges given to certain system programs
* Keep up with the system patches and tune in to the hackers/underground lists

System Compromise : 

* Your worst nightmare
* Intruder has full control of your systems
* Case where a company's IT infrastructure was taken over by a foreign intruder
* Intruder used the site to hack other places, leading to a spate of complaints about the company hacking other people

Good Practices (1) : 

* Have a security policy for your site
* If you need to connect to the Internet you need security protection; otherwise do other people a favour and stay off the Net
* Security should be taken seriously, and time and money need to be spent putting it in place and also actively monitoring it

Good Practices (2) : 

* Stay in the loop of the latest security happenings and issues
* Keep up to date with security patches and security enhancements

Detection of Intrusions (1) : 

How to Detect Intrusion?
* You may have implemented security protection mechanisms
* No mechanism is perfect
* Need to watch closely for signs of intrusion
* Deploy some form of IDS
  - free or commercial
  - needs customisation before use

Detection of Intrusions (2) : 

* Integrity of ID software
  - Ensure that the software used to examine systems has not been compromised
* Integrity of file systems and sensitive data
  - Look for unexpected changes to directories and files
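An added example (not from the briefing) of the two checks above, together with the privilege point from the "Unauthorised System Access" slide: a baseline of every regular file's SHA-256 digest, size and permission bits is recorded, a later snapshot is compared against it to report added, removed and changed files, and the same snapshot is scanned for programs carrying setuid/setgid bits so that unnecessary privileges can be reviewed. The directory tree built in `demo()` is constructed for the example; the function and file names are this example's own. The baseline database, and the checker that reads it, should be kept on read-only or offline media, otherwise an intruder who controls the host can rewrite both (the slide's first point).

```python
"""File-system integrity baseline and privileged-file audit.

Added example, not from the SingCERT briefing. snapshot()/compare() record
every regular file's SHA-256 digest, size and permission bits and report
files that were added, removed or changed; privileged_files() lists entries
carrying setuid/setgid bits. The directory tree in demo() is constructed.
"""
import hashlib
import json
import os
import stat
import tempfile


def _sha256_of(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_posix_path: {"sha256", "size", "mode"}} for regular files under root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": _sha256_of(full), "size": st.st_size,
                            "mode": stat.S_IMODE(st.st_mode)}
    return entries


def compare(baseline, current):
    """Classify differences between two snapshots as added / removed / modified paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def privileged_files(entries):
    """Paths whose mode carries setuid or setgid; each should be on a known-good list."""
    return sorted(p for p, e in entries.items() if e["mode"] & (stat.S_ISUID | stat.S_ISGID))


def save_baseline(entries, path):
    # Store this on read-only or offline media; a baseline an intruder can
    # rewrite will simply be updated to match the tampered files.
    with open(path, "w") as f:
        json.dump(entries, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed tree: take a baseline, simulate tampering, return compare() result."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("bin/login", b"original login program\n")
        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("etc/motd", b"welcome\n")
        db = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), db)

        # Simulated changes an intruder leaves behind: a replaced program,
        # an unexpected new file, and a deleted file.
        write("bin/login", b"replaced login program\n")
        write("bin/.hidden", b"unexpected file\n")
        os.remove(os.path.join(root, "etc", "motd"))
        return compare(load_baseline(db), snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Comparing the whole entry rather than only the digest means a permission change alone (a program silently made setuid) is reported as modified, and `privileged_files()` over the fresh snapshot turns the slide's "unnecessary privileges" warning into a list that can be checked against the vendor's expected set.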

Detection of Intrusions (3) : 

* System and network activities
  - Inspect your system and network logs
  - Review notifications from system and network monitoring mechanisms
  - Inspect processes for unexpected behaviour
* Physical forms of intrusion
  - Investigate unauthorized hardware attached to your organization's network

Detection of Intrusions (4) : 

* Look for signs of unauthorized access to physical resources
* Other sources of information
  - Review reports by users and external contacts about suspicious system and network events and behaviour

Handling Intrusions (1) : 

* Prepare
  - Establish policies and procedures for responding to intrusions
* Handle
  - Analyse all available information to characterise an intrusion
  - Communicate with all parties that need to be made aware of an intrusion and its progress, e.g. SingCERT

Handling Intrusions (2) : 

* Handle (continued)
  - Collect and protect information associated with an intrusion
  - Apply short-term solutions to contain an intrusion
  - Eliminate all means of intruder access
  - Return systems to normal operation with the help of the incident response team
* Follow up
  - Identify and implement security lessons learned

SingCERT Essential Information : 

* Incident Reporting Hotline: (65) 8746666, (65) 8726198 [Fax]
* Operating hours (GMT + 8): Mon - Fri (0830 - 1700); Sat. (0830 - 1300)
* Web Site: http://www.singcert.org.sg
* Incident Reporting Form: http://singcert.org.sg/incident_report_form.txt

Slide 33: 

Thank You
http://www.singcert.org.sg
