Singapore Computer Emergency Response Team (SingCERT)
Martin Khoo
Assistant Director, Incident Management, IDA
Programme Manager, SingCERT
markhoo@singcert.org.sg
SingCERT 2000 - BlackHat Briefing, 4/4/00

Formation of SingCERT
* SingCERT is a programme of the Infocomm Development Authority (IDA) of Singapore in collaboration with the National University of Singapore (NUS)
* Launched in October 1997 during Comdex 97

Missions of SingCERT
* One point of contact: provide a reliable, trusted, single point of contact for prevention, detection & resolution of security incidents on public/private networks such as the Internet & Singapore ONE
* Increase security competency: education & awareness promotion
* Provide value-added security services: security consultancy programme

Programmes of SingCERT (1)
Technical Programme
* Drives the security incident response function of SingCERT
* Undertakes the R&D function of SingCERT
* Issues security advisories, newsletters and alerts
* Ensures the operational readiness of SingCERT's incident response infrastructure

Programmes of SingCERT (2)
Services Programme
* Promote security awareness through the organisation of security seminars and workshops
* Responsible for international & industry liaison
* Manage the security consultancy services of SingCERT

Operational Framework
(Diagram; only its labels survive.) Parties: Constituency, SECAP, L.E.A/Reg.Bod., SIR, ISAPs, International CERTs/FIRST. Flows between them and SingCERT: incident report, incident response, advise/consult, collaboration. SingCERT functions: incident handling; education, consultancy, awareness; R&D collaboration; knowledge sharing.

Local & International Collaboration
* SingCERT works closely with FIRST & international CERTs in the course of its incident response work
* Collaboration in the areas of training and knowledge sharing with foreign CERTs

International Contacts (1)
* CERT/CC (US CERT) - visited them in August 1997
* AUSCERT (Australian CERT) - SingCERT's sponsor for FIRST membership
* DFN-CERT (German CERT) - visited them in August 1997
* JPCERT/CC (Japan CERT) - visited them in June 1998

International Contacts (2)
* KRCERT/CC (Korean CERT)
* MyCERT (Malaysian CERT)
* Forum of Incident Response & Security Teams (FIRST): SingCERT was presented at the 10th FIRST conference in Monterrey, Mexico (June 1998); SingCERT was voted in as a full member of FIRST in November 1998

International Contacts (3)
* Asia Pacific Security Incident Response Co-ordination (APSIRC): its charter is to create the AP regional forum to facilitate the exchange of ideas and expertise on Internet security incident handling
* SingCERT is a founding member and the official host of the APSIRC website

SingCERT Security Services
* Incident resolution over the phone (office hours) and through email
* Security consultation over the phone
* Security advisories and alerts online at the SingCERT website
* Security resource archive online at the SingCERT website

SingCERT Security Services
* Repository on Internet hoaxes, fraud and viruses
* Checklists and papers on security topics
* Online security discussion forum
* PGP keyserver service

SingCERT Security Services
Platforms:
(A) Unix: Sun Solaris 2.x, SunOS 4.x; Linux (RedHat, Slackware); FreeBSD
(B) Windows: Windows NT Server 4.0 and above

Reporting an incident
* Hotline - 8746666
* Email - cert@singcert.org.sg
* Incident Report Form
* The system/network/security administrator should be the one reporting the incident
* Have information on the platform and how you discovered the intrusion or break-in
* System log files to be made available

Incident Resolution
* A solution may be available immediately if it is a known exploit
* If it is something new then a workaround may be proposed as an interim solution
* Confidentiality is maintained at all times
* Escalation to law enforcement is the decision of the victim

Sampling of Cases
Typical categories of incidents:
* Probing
* Spamming
* Virus/Trojan Attacks
* Email Abuse
* Hoaxes
* Unauthorised system access
* Root Compromise

Unauthorised Probing
* Common infringement
* Volume tends to go up with the release of new scanning tools
* Easy to detect if sites have some logging mechanism in place (eg. firewall, wrapper)
* Newer scanning techniques are making it more difficult to detect such activities

Unsolicited Commercial Email
* Few cases
* Complaints about some local organisation spamming foreign users
* Once-off problem, as the offending site normally backs off after the initial complaint
* SingCERT advisory on how to protect against being spammed

Virus/Trojan Attacks
* Chernobyl/CIH - malicious, destructive in nature - 350++ cases reported to SingCERT - Apr. 26 - 28
* Happy99, Melissa - harmless
* Netbus, Back Orifice (BO) - trojan programs that can steal info. from your system (spread through email attachments)

Email Abuse
* Subscribing someone to porno or product marketing mailing lists
* Email server used as a relay by others
* Advice is to use a newer version of the email server or to configure the mail server correctly
* Be careful who you give your email account to, especially online web sites

Hoaxes
* Fear, Uncertainty & Doubt (FUD)
* Harmless pranks to create FUD
* SingCERT asked to verify whether some virus/trojan warning is a hoax, e.g.
  Celcom Screensaver, Happy New Year

Unauthorised System Access
* Exploiting of system bugs to gain access to the system
* Common schemes exploit bugs in application programs (buffer overflow) or unnecessary privileges given to certain system programs
* Keep up with the system patches and tune in to the hackers/underground lists

System Compromise
* Your worst nightmare
* Intruder has full control of your systems
* Case where a company's IT infrastructure was taken over by a foreign intruder
* Intruder used the site to hack other places, leading to a spate of complaints about the company hacking other people

Good Practices (1)
* Have a security policy for your site
* If you need to connect to the Internet you need security protection; otherwise do other people a favour and stay off the Net
* Security should be taken seriously, and time and money need to be spent putting it in place and also actively monitoring it

Good Practices (2)
* Stay in the loop on the latest security happenings and issues
* Keep up to date with security patches and security enhancements

Detection of Intrusions (1)
How to detect intrusion?
* You may have implemented security protection mechanisms, but no mechanism is perfect
* Need to watch closely for signs of intrusion
* Deploy some form of IDS, free or commercial; it needs customisation before use

Detection of Intrusions (2)
* Integrity of ID software: ensure that the software used to examine systems has not been compromised
* Integrity of file systems and sensitive data: look for unexpected changes to directories and files

Detection of Intrusions (3)
* System and network activities: inspect your system and network logs; review notifications from system and network monitoring mechanisms; inspect processes for unexpected behaviour
* Physical forms of intrusion: investigate unauthorized hardware attached to your organization's network

Detection of Intrusions (4)
* Look for signs of unauthorized access to physical resources
* Other sources of information: review reports by users and external contacts about suspicious system and network events and behaviour

Handling Intrusions (1)
Prepare
* Establish policies and procedures for responding to intrusions
Handle
* Analyse all available information to characterise an intrusion
* Communicate with all parties that need to be made aware of an intrusion and its progress, e.g.
  SingCERT

Handling Intrusions (2)
* Collect and protect information associated with an intrusion
* Apply short-term solutions to contain an intrusion
* Eliminate all means of intruder access
* Return systems to normal operation with the help of the incident response team
Follow up
* Identify and implement security lessons learned

SingCERT Essential Information
Incident Reporting Hotline: (65) 8746666, (65) 8726198 [Fax]
Operating hours (GMT + 8): Mon - Fri (0830 - 1700); Sat. (0830 - 1300)
Web Site: http://www.singcert.org.sg
Incident Reporting Form: http://singcert.org.sg/incident_report_form.txt

Thank You
http://www.singcert.org.sg
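The "Unauthorised Probing" and "Detection of Intrusions (3)" slides make two points: probes are easy to spot when a firewall or wrapper logs connection attempts, and newer scanning techniques are harder to catch. The Python script below is an added example, not part of the briefing and not a SingCERT tool. It parses constructed iptables-style LOG lines (the log format, host name and addresses are assumptions) and flags any source that touches many distinct destination ports inside a sliding time window. Running the same rule with a short window and with a long one shows why a fast sweep is caught immediately while a slow, spread-out scan only shows up when the observation window is widened.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (not from the briefing): iptables-style firewall LOG
# lines. 203.0.113.7 sweeps six ports in three seconds (a fast scan),
# 203.0.113.200 retries one port twice (ordinary traffic), and 192.0.2.50
# touches one new port every twenty minutes (a slow scan).
SAMPLE_LOG = """\
Apr  4 09:12:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40122 DPT=21
Apr  4 09:12:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40123 DPT=23
Apr  4 09:12:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40124 DPT=25
Apr  4 09:12:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40125 DPT=79
Apr  4 09:12:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40126 DPT=110
Apr  4 09:12:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40127 DPT=111
Apr  4 09:12:05 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80
Apr  4 09:12:09 fw kernel: DROP IN=eth0 SRC=203.0.113.200 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=80
Apr  4 09:00:00 fw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=3000 DPT=21
Apr  4 09:20:00 fw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=3001 DPT=23
Apr  4 09:40:00 fw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=3002 DPT=25
Apr  4 10:00:00 fw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=3003 DPT=79
Apr  4 10:20:00 fw kernel: DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=3004 DPT=110
"""

# Only the timestamp, source address and destination port are needed.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"\bSRC=(?P<src>[\d.]+) .*?\bDPT=(?P<dpt>\d+)"
)


def parse_events(text, year=2000):
    """Return a time-sorted list of (timestamp, src, dport) from log text.
    Syslog lines carry no year, so one is supplied (assumed here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall LOG line; ignore it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    events.sort()
    return events


def detect_port_scans(events, window_seconds, min_ports):
    """Flag sources that hit at least `min_ports` distinct destination ports
    inside any sliding window of `window_seconds`. Returns {src: details}
    describing the first window that triggered for each source."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))

    alerts = {}
    for src, hits in by_src.items():
        recent = deque()
        for ts, dport in hits:
            recent.append((ts, dport))
            # Drop hits that have fallen out of the window ending at `ts`.
            while (ts - recent[0][0]).total_seconds() > window_seconds:
                recent.popleft()
            ports = sorted({p for _, p in recent})
            if len(ports) >= min_ports and src not in alerts:
                alerts[src] = {
                    "ports": ports,
                    "window_start": recent[0][0],
                    "window_end": ts,
                }
    return alerts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("fast-scan rule (5 ports / 10 s):", sorted(detect_port_scans(ev, 10, 5)))
    print("slow-scan rule (5 ports / 2 h): ", sorted(detect_port_scans(ev, 7200, 5)))
```

With the 10-second window only 203.0.113.7 is reported; with the two-hour window 192.0.2.50 is reported as well. The trade-off is the usual one: a longer window and a lower port threshold catch slower probes but raise the false-positive rate, so thresholds need tuning against the site's own logs, which is the "customisation before use" the IDS slide warns about.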
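For "Detection of Intrusions (2)", which asks for the integrity of file systems and of the detection software itself, here is an added example in Python; it is not SingCERT's code, and the briefing names no tool or hash algorithm, so SHA-256 and the file layout are this example's own choices. The script records a baseline of digests, sizes and permission bits for a directory tree, compares a later snapshot against it to list added, removed and modified files, and hashes the checker script itself so that digest can be kept off-host. The demo tree and the tampering applied to it are constructed.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """SHA-256 digest plus size and permission bits of one regular file.
    (SHA-256 is this example's choice; the briefing names no algorithm.)"""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root):
    """Fingerprint every regular file under `root`, keyed by relative path."""
    root = Path(root)
    table = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # links, sockets and devices need separate handling
            table[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return table


def compare(baseline, current):
    """Report paths that appeared, vanished, or changed content, size or mode."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def checker_digest():
    """Digest of this script itself. Record it, with the baseline, on
    read-only media so a tampered checker can be spotted before its verdict
    is trusted: the slide's 'integrity of ID software' point."""
    return file_fingerprint(__file__)["sha256"]


def demo():
    """Constructed scenario: baseline a small tree, tamper with it the way a
    break-in would, and diff. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts.allow").write_text("ALL: 198.51.100.0/24\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder binary")
        baseline = snapshot(root)

        # Tampering (constructed): replaced binary, extra uid-0 account,
        # deleted access-control file, and a new file that should not exist.
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder binary, altered")
        with open(root / "etc" / "passwd", "a") as f:
            f.write("backdoor:x:0:0::/:/bin/sh\n")
        (root / "etc" / "hosts.allow").unlink()
        (root / "etc" / "ld.so.preload").write_text("/usr/lib/unexpected.so\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Two caveats follow from the slides themselves: a baseline taken after a compromise only certifies the compromised state, so it must come from a known-good install, and a checker that lives on the monitored host can be replaced along with everything else, which is why both the baseline and the checker's own digest belong on read-only media.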