
Cyber Security: Environment, Solutions and Case Study
Special Telecommunications Service
David Gabriel, Buciu Adrian
Contact: gdavid13@sts.ro, adibuciu@sts.ro

Environment
Network/services can be damaged due to:
- attacks against physical integrity that can modify or destroy the information;
- unauthorized use of information.

Types of attacks
I) Passive and active attacks
a) Passive attacks: the intruder observes the information passing through the communication medium, without interfering with the flow and content of messages.
b) Active attacks: the intruder can modify, circumvent or insert false messages into the communication flow.

Environment
II) Denial-of-Service attacks
Typically carried out by overloading the system capacity, thereby preventing legitimate users from accessing and using the targeted resource.
III) Defacement attacks
A defacement attack is carried out by replacing the victim's web page with a forged page whose content depends on the criminal purpose.
IV) Malware attacks
Malicious code (or malware) is any program that can deliberately and unexpectedly interfere with the normal operation of a computer.

Environment
V) Cyber intrusion
Malevolent actors can attack a system by appropriating the identification and connection parameters of a legitimate user (e.g. passwords), or through deception and exploitation of vulnerabilities. The main methods used to obtain the connection parameters of legitimate users in order to gain access to systems are:
- guessing;
- deception (social engineering);
- listening to traffic;
- introducing a Trojan horse;
- cracking encrypted passwords;
- spying on users.

Environment
VI) Spam and phishing
Spam is the bulk sending of unsolicited e-mail:
- for commercial or publicity purposes;
- for the purpose of introducing malicious software (malware) into the system.
Phishing refers to an attack using mail programs to trick or coax web users into revealing sensitive information that can then be exploited for criminal purposes.
VII) Misuse of some communication protocols
VIII) Cyberattack methodology
The process of committing a cyberattack consists of collecting and searching for the vulnerabilities of the target systems and exploiting them.

Environment
Security criteria
- Availability: the capability of a system to continuously deliver services. This depends on the availability of hardware and software resources as well as services.
- Confidentiality: the capability of a system to prevent unauthorized individuals and processes from accessing data. This concerns the preservation of data confidentiality and integrity, which are ensured by (i) access control procedures such as identification, authentication and authorization with respect to certain permissions or access rights, and (ii) encryption mechanisms.
- Integrity: the capability of a system to allow only authorized individuals and processes to perform data modification. Here an integrity criterion is necessary; this involves access control, error control and coherency checking procedures.
- Non-repudiation: the capability of a system to ensure that specific actions and transactions have actually taken place. This involves traceability, proof, administration, audit and non-repudiation of actions and events.
- Reliability: the capability of a system to carry out actions and provide the expected services under appropriate conditions of usage and performance throughout its life span. This involves continuity, reliability, user friendliness and operational soundness.

Environment
- CyberDefence: prevent hijacking of computers, computer networks and services;
- Proactive Cyber Defence: do not blame external conditions for the results obtained;
- Sun Tzu (Sun Wu) first introduced the notion of predictability analysis as part of a strategy to overcome (to win).

Environment
- Large networks generate a huge amount of logs and security events;
- Firewalls, IDS/IPS systems, web servers, authentication systems and other equipment contribute to the growing number of events that need to be analyzed in order to decide on countermeasures;
- SEM (Security Event Manager): centralized storage and interpretation of logs, managing the security events generated by network equipment and services;
- SIEM: Security Information and Event Management.

Environment
SIEM capabilities:
- Data aggregation: aggregates data from many sources, including network, security, servers, databases and applications, providing the ability to consolidate monitored data and helping to avoid missing crucial events;
- Correlation: looks for common attributes and links events to each other into meaningful bundles;
- Alerting: automated analysis of correlated events and generation of alerts, to notify recipients of immediate issues;
- Dashboards: tools that take event data and turn it into informational charts to assist in discovering patterns, or in identifying activity that does not form a standard pattern;
- Compliance: SIEM can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes;
- Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time and to provide the retention necessary for compliance requirements.

Solutions
Possible solutions for monitoring, analysis and prevention of attacks can be divided into two main categories in terms of licensing:
- Open source;
- Enterprise.

Open source solutions:
OSSIM (Open Source Security Information Management) integrates the following software components:
- arpwatch: detects abnormalities at OSI layer 2 (MAC);
- P0f: passive OS detection and analysis of transitions from one operating system to another;
- Pads: detects abnormalities of services;
- Nessus: vulnerability scanner;
- Tcptrack: obtains information about sessions and correlates them with other events;
- Ntop: builds a database of network information;
- Nagios: monitors resources (hardware and network services);
- Osiris: HIDS;
- Snort: intrusion detection and prevention system;
- Tcpdump: packet analyzer;
- Syslog server: collects logs from network devices;
- NetFlow protocol: collects information about IP traffic;
- HoneyD: creates virtual hosts on the network, used as traps for detecting and preventing attacks.

Solutions
Enterprise solutions:
- ArcSight: a solution that combines traditional security event monitoring with smart correlation and anomaly detection, using analytical tools and auto-repair;
- CheckPoint Eventia Suite: a solution for security information and event management; it has two components, an analysis component (Eventia Analyzer) and a reporting component (Eventia Reporter);
- Juniper Security Threat Response Manager: a stand-alone unit for integrated network monitoring, to ensure threat detection, log management and compliance with security policy.

Case study
Case study: Web servers report
Case study: type of event: flood. Traffic is totaled and recorded in the intervals 6:14 a.m. to 6:34 a.m. and 7:11 p.m. to 7:19 p.m. respectively.
Case study: type of event: flood. Traffic is totaled and recorded in the time slot 7:58 p.m. to 9:44 p.m.

Conclusion
Methods to overcome such attacks:
- alternative routing;
- blackholing;
- changing the public IP address;
- monitoring websites with custom scripts developed by internal teams in order to satisfy specific needs;
- monitoring bidirectional traffic through the internal SIEM platforms;
- whenever possible, collecting access and error logs on application servers;
- requesting local Internet service providers to block unauthorized traffic;
- cooperation with national and international CERT teams in order to isolate the incidents;
- redundancy at the routing level;
- at least one loop to be provided by a service provider in order to ensure scrubbing.

Conclusion
Lessons to be learned by CERT teams in order to be proactive:
- use methods to study attacks;
- use methods to detect spam sources and put them on blacklists;
- use methods to detect botnets and understand their behavior;
- use honeypots in order to study the behavior of malware and spam;
- exchange information between CERT teams quickly and in a standard manner;
- transport information from the sources that generate alerts to centralized systems through a standardized protocol and in a secure manner.

Conclusion
- Standardization of protocols for log transmission (syslog);
- Use of guidelines: NIST 800-92, log normalization;
- Integration of events generated by physical protection systems into security event correlation;
- Assessment of compliance (e.g. PCI, Sarbanes-Oxley, HIPAA).
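The SIEM capabilities listed earlier (data aggregation, correlation and alerting) and the syslog transmission and log normalization points in this conclusion describe one pipeline: collect lines from several sources, normalize them into a common record schema, then correlate records by a shared attribute and alert. The script below is an added example written for this page; it is not code from the presentation or from any of the products it names. The syslog lines, host names, IP addresses, field names and alert thresholds are constructed for illustration (the addresses are documentation ranges), and the "hostile event" definition (firewall drops and failed logins) is an assumption of the example.

```python
"""Added example: normalize BSD-syslog style lines from several sources into one
record schema, then correlate them by source address and raise an alert.
All sample lines, hosts, addresses and thresholds are constructed (hypothetical)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines (RFC 3164 layout: "<PRI>MMM dd HH:MM:SS host tag[pid]: msg")
SAMPLE_LOGS = [
    "<34>Mar 10 06:14:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22",
    "<38>Mar 10 06:14:05 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "<38>Mar 10 06:14:09 web1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51030 ssh2",
    "<34>Mar 10 06:14:11 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=22",
    "<38>Mar 10 06:20:40 web1 sshd[2300]: Accepted password for deploy from 192.0.2.10 port 40110 ssh2",
    "<38>Mar 10 06:33:50 web1 sshd[2400]: Failed password for root from 203.0.113.7 port 51100 ssh2",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")


def normalize(line, year=2015):
    """Parse one syslog line into a flat record; return None if it does not parse.
    The year is assumed because RFC 3164 timestamps do not carry one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    rec = {"time": ts, "host": m.group("host"),
           "source": f"{m.group('host')}/{m.group('tag').strip()}",
           "facility": pri // 8, "severity": pri % 8,   # PRI = facility*8 + severity
           "event": "other", "src_ip": None}
    msg = m.group("msg")
    fw = re.search(r"\bDROP\b.*\bSRC=(\S+)", msg)                    # firewall drop line
    auth = re.search(r"(Failed|Accepted) password for (\S+) from (\S+)", msg)  # sshd line
    if fw:
        rec["event"], rec["src_ip"] = "fw_drop", fw.group(1)
    elif auth:
        rec["event"] = "auth_fail" if auth.group(1) == "Failed" else "auth_ok"
        rec["user"], rec["src_ip"] = auth.group(2), auth.group(3)
    return rec


def correlate(records, window_s=600, min_sources=2, min_events=3):
    """Bundle hostile events by src_ip; alert when one address produces at least
    min_events of them from at least min_sources distinct log sources within
    window_s seconds (thresholds are constructed for the example)."""
    by_ip = defaultdict(list)
    for r in records:
        if r and r["src_ip"] and r["event"] in ("fw_drop", "auth_fail"):
            by_ip[r["src_ip"]].append(r)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: r["time"])
        for i, start in enumerate(evs):
            bundle = [e for e in evs[i:]
                      if (e["time"] - start["time"]).total_seconds() <= window_s]
            sources = {e["source"] for e in bundle}
            if len(bundle) >= min_events and len(sources) >= min_sources:
                alerts.append({"src_ip": ip, "count": len(bundle),
                               "sources": sorted(sources),
                               "first": bundle[0]["time"], "last": bundle[-1]["time"]})
                break  # one alert per address is enough for this example
    return alerts


def run(lines=SAMPLE_LOGS):
    """Aggregate -> normalize -> correlate; returns the list of alerts."""
    return correlate([normalize(line) for line in lines])


if __name__ == "__main__":
    for a in run():
        print(f"ALERT {a['src_ip']}: {a['count']} events from {a['sources']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Run as a script, the example raises one alert for 203.0.113.7 (two firewall drops and two failed logins from two different sources inside the ten-minute window) and none for the successful login from 192.0.2.10; the lone failed login at 06:33 falls outside the window and stays unbundled. The value of the normalization step is that the correlation rule only needs the common fields (time, source, event, src_ip) and does not care whether a record came from a firewall or an SSH daemon, which is what lets a SIEM link events across equipment types.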

Conclusion
- Standardization at the advisory level;
- Standardization of incident and data exchange (including statistics);
- Standardization of security event data;
- Standardization for network abuse reporting.

Conclusion
Use of fast databases, able to read and write very fast at the expense of the relational model. Examples:
- MongoDB: if you need dynamic queries; if you prefer to define indexes rather than map/reduce functions; if you need good performance on a large DB;
- Cassandra: when database writes far outnumber reads (logging). Writes are faster than reads, so one natural niche is real-time data analysis;
- Membase: any application where low-latency data access, high concurrency support and high availability are requirements.

References
1. http://en.wikipedia.org/wiki/Security_information_and_event_management
2. itu_cybersudy_2009cgdc-2009-e.pdf
3. itu-understanding-cybercrime-guide.pdf
4. http://cassandra.apache.org/
5. http://www.mongodb.org/
6. http://www.apache.org
7. http://www.x-arf.org/specification.htm
8. http://www.arcsight.com/
9. http://www.checkpoint.com/
10. http://www.juniper.net
11. http://communities.alienvault.com/community
12. http://www.tcpdump.org/
13. http://www.balabit.com/ and http://www.syslog.org/
14. http://www.tenable.com
15. http://www.snort.org/
16. http://www.ntop.org/
17. http://www.nagios.org/
18. http://nfsen.sourceforge.net/ (based on nfdump)
19. http://www.virtuallyinformed.com
20. http://www.itu.int/itu-d/cyb/publications/index.html

Questions?
https://www.stsnet.ro
https://corisweb.stsisp.ro
https://ca.stsisp.ro
http://sks.stsisp.ro:11371