US-CERT Overview & Cyber Threats

Transcription

1 US-CERT Overview & Cyber Threats National Cyber Security Division United States Computer Emergency Readiness Team June 2006

2

3 Agenda Introduction to US-CERT Overview of why we depend on a secure cyberspace Vulnerabilities and cyber attack trends What can you do? Questions

4 NCSD/US-CERT Organization Chart Acting Director Andy Purdy Strategic Planning Milestones Progress Report Policy International Privacy Human Resources Budget/Contracts Office Management COOP PCII Office of Director US-CERT Jerry Dixon LE/Intelligence Michael Levin Awareness/Outreach Liesyl Franz Strategic Initiatives Cheri McGuire Security Operations Focused Operations Mission Support Intel Requirements LE Coordination NCRCG Outreach Awareness International Affairs and Public Policy CIP Cyber Security Control Systems Software Assurance Training & Education Exercise Planning & Coordination Standards & Best Practices R&D Coordination

5 US-CERT Organizational Chart Deputy Director Jerry Dixon Mission Support Chief of Staff Reggie McKinney Focused Operations Director Rob Pate Operations Director Mike Witt

6 The National Strategy to Secure Cyberspace provides a framework articulating priorities to secure cyberspace I. National Cyberspace Security Response System II. III. IV. National Cyberspace Threat and Vulnerability Reduction Program National Cyberspace Security Awareness and Training Program Securing Governments Cyberspace V. International Cyberspace Security Cooperation

7 Operations Branch Watch Analysis Malware Lab Information Services Provide 24x7x365 triage support to federal, public, and private sectors Monitors cyber security events available from various sources Compiles and coordinates US-CERT reports for dissemination Follow up with appropriate sources to ensure proper mitigation Provide fused current and predictive cyber analysis based on reporting Correlates incident data from a myriad of disparate reporting sources Provide on-site Incident Response capabilities to federal and state Support ongoing federal law enforcement investigations Provide behavior techniques for dynamic and static analysis Review malicious code for novel attacks; i.e. do we already know Support forensic investigations with cursive analysis on artifacts Provide on-site malware analytic and recovery support Malicious code submission and collection program Provides operational output content, design, and development Overall design and implementation of US-CERT public facing website Provides support to NCSD with distribution of divisional products Develop and participate in national and international level exercises Interacts and provides operational international support for US-CERT

8 Vulnerabilities Handled by US-CERT FY-06 Over 3,872 vulnerabilities reported since October 05 1,293 of the 3,872 were rated as high severity utilizing the Common Vulnerability Scoring System or other factors: These are just the ones we know about that cover a wide range of technologies from operating systems, devices, and SCADA control systems There is no shortage of opportunities for exploitation depending on your security posture and network environment

9 Vulnerability Handling Read and comprehend the reports Contact vendors Describe the report Add our comments and analysis Facilitate discussion about the vulnerability Publish documents describing the vulnerability

10 Vulnerability Handling (2) Impact What incremental benefit does the attacker gain? Root compromise User compromise (which user?) Denial of service (which service?)

11 We Depend on a Secure Cyberspace to: Maintain national security Promote economic well being Ensure public safety, health, and citizen welfare Preserve privacy

12 Companies & other organizations that use IT systems Corporations US Government US Gov t agencies, Law Enforcement, DOD, sr. leadership, Intelligence Community, state & local gov t International Govt & CSIRTs US-CERT Software & Hardware Producers International Govt s International CSIRTs FIRST Community General Public Manufacturers of IT hardware, process control systems & software (both COTS & open source) Critical Infrastructure Operators (i.e. Power, Oil, Gas, Transportation) & ISACS Critical Infrastructure Operators Media & Public Affairs Public media outlets & DHS Public Affairs office

13 Today s Business and Economy are Global Business depends on cyberspace for automation, communication, tracking, and daily operations Government, business, and individuals rely on the integrity, confidentiality, and availability of data Traditional borders are gone unprecedented global interdependencies exist Global supply chains (JIT) Global partners Global customers Global infrastructure industries

14

15 Why are we at risk: Vulnerabilities A vulnerability is something that: Violates an explicit or implicit security policy Usually caused by a software defect, but not always (social engineering, undocumented features, poor security practices) Often causes unexpected system behavior A vulnerability can be: Used for theft of information Used for Denial of Service attack Used for network intrusions

16 Changes in attack behaviour exploiting passwords 1988 exploiting passwords exploiting known vulnerabilities Today exploiting known vulnerabilities exploiting protocol flaws examining source files for new security flaws probing systems for know types of flaws abusing web servers, installing sniffer & spyware programs IP source address spoofing Distributed denial of service attacks - botnets widespread, automated scanning of the Internet

17 Surveyed Companies Identify Risks 53% (of 494 organizations responding) detected security breaches Detected breaches included: 78% viruses 59% insider abuse of net access 49% laptop theft 39% unauthorized access to information 17% denial of service 10% theft of proprietary information 5% financial fraud Source Computer Security Institute/FBI Survey

18 The chart below represents a snapshot of incident trends based on incident reporting to US-CERT

19 Growing Threats, Vulnerabilities and Risks Threats Disgruntled employees Hackers Organized crime Competitors Terrorists Governments Vulnerabilities OS Network Applications Databases PCs, PDA, phones Middleware E-communities (e-government, e-commerce, etc) Risks Disclosure of sensitive Information Sabotage of critical operations/service Extortion Theft of trade secrets EFT fraud Loss of client confidence Legal liability

20

21 The Scob Trojan Attacker Attackers exploits un-patched IIS web servers. Sites now deliver additional java script at the end of each page. Finally the attacker retrieves and uses the captured usernames, passwords Unknowing users casually browsers to these compromised sites. The java script executes downloading a key logger. This works because of an unknown/unpatched IE vulnerability. When users browse to web sites the key logger captures and forwards the strokes to other compromised systems.

22

23

24

25

26 Technology Based Mitigation Tools: Patch & Protect Firewall: A system designed to prevent unauthorized access to or from a private computer or network Content Filtering: Web and mail traffic for malicious or unapproved content Antivirus Software: A program that searches a hard disk and scans incoming data for known viruses and removes any that are found Remote Management Tools: Enterprise tools for installing patches, updating registry settings, and maintaining asset inventory Role Based Access Control Software: Software that manages access to critical services or applications Log Analysis & Event Correlation Tools: Automated tools to reduce the amount of manual work to analyze detected cyber events Patch: an actual piece of software inserted into a program to fix a particular problem or vulnerability Key word: UPDATE

27 Technical Defense in Depth Internet Firewall First Line of Defense Internet (SMTP) Gateway Internal Mail Servers Desktop Users Second Line of Defense Third Line of Defense

28 Non-Technical Risk Mitigation Tools Security awareness training for users & system administrators Security policies and guidelines for deploying new technologies or improving the security of existing IT infrastructure Establish a Security Operations team, either permanent or virtual with existing technical staff Report cyber incidents! Report cyber crime!

29 What More Can be Done? Changing the environment Security awareness to change your corporate culture Securing the system architecture Data integrity Increasing the risk to bad actors Legal action and international cooperation Strengthening the foundations Survivable systems Improving Software Security built-in

30

31

32 Technical comments or questions Contact US-CERT Security Operations Center PGP/GPG key: 0xADC4BCED Fingerprint: 02FD 5294 A076 0ACE BEB1 929B F3 ADC4 BCED Phone: Media inquiries US-CERT Public Affairs PGP/GPG key: 0x10A97BAC Fingerprint: CF AFF6 EADB 95F D 91C1 10A9 7BAC Phone: General questions or suggestions US-CERT Information Request PGP/GPG key: 0x0A1E0DF7 Fingerprint: CFE4 9D1D B3 9B85 B25A F B 0A1E 0DF7 Phone: * Information available at

33 QUESTIONS?