Open Source Monitoring (OSM)
Slides: 38

WHAT OSM IS and IS NOT
Information Protection Around the Clock, Around the Globe!

What OSM is
• Open Source Monitoring
• Searching/monitoring for specific information in any public medium
• Essential for:
  – IT administration
  – Human Resources
  – Legal
• Marketing and performance information

What OSM is not
• E-mail monitoring
• 24x7 real-time intrusion detection system
• 24x7 real-time monitoring of employee activity
• Sole source of information for critical actions and decisions

WHY

Business Case
• Risk = Threat + Vulnerabilities
• No one has 100% protection
• Knowing the threats, and fixing the vulnerabilities they target, reduces risk
• Saves money

Due Diligence Case
• Gain an external view of yourself/company:
  – Public opinion
  – Competitors
  – Employees/former employees
  – Leaks/threats

Common Sense Case
• Help enforce company security policy
• Receive customer feedback on products/services
• Information consolidation
  – Single source for multiple purposes

Types of Media Monitored
• Web pages
  – Search engines (Dogpile, Yahoo)
  – Search tools (WebSeeker, WebWhacker)
• News postings
  – News clients
  – News feed
  – News server
  – Dejanews

Types of Media to Monitor
• Chat groups (IRC/ICQ) - high interest only
  – Enter the chat group and log it
  – Search the logs for keywords
• Message boards
  – Yahoo
  – Raging Bull
  – CNN
  – AOL
  – Others

Types of Media to Monitor
• FTP
  – Warez sites
  – Code
  – Proprietary information
• Legacy/bulletin boards
  – Dial up and become involved
  – Connections through the BBS world
• Any form of public media
  – News
  – TV and radio

PROCESS

Methodologies
• Systematic
• Continuous
• Keyword based
• Filtered collection
• Organized
• Comprehensive
• Analyze data
Process cycle: Collect → Reduce → Analyze → Report

Initial Meeting (pre-meeting prep)
• Determine reporting contact
• Determine Priority 1, 2 and 3 levels
• Develop search criteria:
  – Keywords (hack, SunOS, etc.)
  – Key personnel (CEO, CFO, CIO, etc.)
  – Company domains
  – Customer-specific terms
  – Boolean scripts
  – Other issues relevant to the company

Priority 1
• Claims of break-ins against CUSTOMER
• Passwords, dial-in numbers or other critical information which could allow access to the CUSTOMER network
• Employees disclosing sensitive corporate information or trade secrets
• Extremely malicious postings related to products or services
• Threats of violence against CUSTOMER

Priority 1 Example

Analysis: In reply to a request for help automating a password-less login to a critical network device, an external source suggests putting a "+" in the .rhosts file. A lone "+" in ~/.rhosts trusts every user on every host, so anyone who can reach the rsh/rlogin service on the target host logs in to that account with no password. The reply speaks of a Unix host rather than the Cisco router the asker named, but it is still advice to switch off authentication on a host inside the CUSTOMER network.

Re: script to log into router
Author: NAME
Email: ADDRESS@DOMAIN.com
Date: DATE
Forums: comp.unix.questions
Message-ID: <DOMAIN>
Organization: DOMAIN

I don't know about cisco routers, but...

  $ rsh remotehostname who

"rsh" is "remsh" on some systems (those where rsh = restricted shell, you want remote shell). You'll need to configure your .rhosts file on the remote host. The simplest thing to do:

  echo "+" > ~/.rhosts

NAME wrote:
> We have SCO Internet FastStart 1.1.0, (release 3.2 v5.0.2), i want
> to make an automatic script that a log into a cisco router.. and
> perform 'who' command.. and get the output.., the whole process
> should look like this :
> ------>
> telnet router
> username : username
> password: password
> who
> ---->
> i tried to pass the data through a pipe.. but it does not work...,
> how can i perform the above by an automatic script !

--
NAME
LOCATION
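The "+" wildcard the analysis above describes is simple to audit for on hosts you administer. The following is an added example, not code from the presentation or from Para-Protect: it parses ~/.rhosts and /etc/hosts.equiv entries and rates every wildcard trust, treating "+" and "+ +" as equivalent because the remote username in the r-protocols is asserted by the client and cannot be relied on. The file contents in SAMPLE_FILES are constructed, the severity labels are my own choice, and load_trust_files() is the only part that touches the live system.

```python
from pathlib import Path

# Constructed sample file contents for the demonstration; not real hosts or accounts.
SAMPLE_FILES = {
    "/home/ops/.rhosts": "+\n",                       # any host, same username
    "/home/netadm/.rhosts": "+ +\nmgmt01 netadm\n",   # any host, any user
    "/home/dev/.rhosts": "build01 dev\n",             # one host, one user
    "/etc/hosts.equiv": "# site trust\nmgmt01\n+ root\n+@admins\n",
}

def parse_trust_file(text):
    """Yield (host, user) pairs from .rhosts / hosts.equiv content, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield fields[0], (fields[1] if len(fields) > 1 else None)

def classify_entry(host, user):
    """Return a severity for a trust entry, or None if it names a specific host and user.

    Any host wildcard is passwordless access for whoever can reach rshd/rlogind: the
    client supplies the remote username, so "+" (same user) and "+ +" (any user) are
    equally bad in practice.
    """
    if host.startswith("-") or (user and user.startswith("-")):
        return None                     # explicit deny entry
    if host == "+":
        return "CRITICAL"               # every host is trusted
    if user == "+":
        return "HIGH"                   # every user on one named host
    if host.startswith("+@") or (user and user.startswith("+@")):
        return "MEDIUM"                 # NIS netgroup wildcard; review the netgroup
    return None

def audit(files):
    """Return [(severity, path, host, user)] for every wildcard entry, worst first."""
    findings = []
    for path, text in files.items():
        for host, user in parse_trust_file(text):
            severity = classify_entry(host, user)
            if severity:
                findings.append((severity, path, host, user))
    findings.sort(key=lambda f: ("CRITICAL", "HIGH", "MEDIUM").index(f[0]))
    return findings

def load_trust_files(home_root="/home"):
    """Read /etc/hosts.equiv and every ~/.rhosts under home_root from the live system."""
    paths = [Path("/etc/hosts.equiv")] + list(Path(home_root).glob("*/.rhosts"))
    return {str(p): p.read_text(errors="replace") for p in paths if p.is_file()}

if __name__ == "__main__":
    # Run over the constructed samples; swap in load_trust_files() for a real host.
    for severity, path, host, user in audit(SAMPLE_FILES):
        print(f"{severity:8} {path}: host={host!r} user={user!r}")
```

A CRITICAL finding maps directly onto the deck's Priority 1 definition (information which could allow access to the CUSTOMER network); on a real host the fix is to delete the entry and, where possible, disable the r-services entirely.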

Priority 2
• Employee disclosing sensitive corporate information in a public forum
• Information which could aid an attacker in gaining access to CUSTOMER IT resources
• Malicious postings related to products or services that may have a significant negative impact on public image
• Employee involved in criminal activity

Priority 2 Example

Analysis: To resolve a network access problem, the suggestion is made to use an exploit tool to gain root access and configure the system as needed. If either of the individuals in this exchange were an employee of a corporation, it would present potential problems for the employer: both are discussing how to break in to systems, which reflects poorly on the employer and exposes it to potential liability. The message also indicates that a system is potentially going to be broken into in the near future, or already has been.

Re: *BACKDOORS*
Author: NAME
Email: ADDRESS@DOMAIN
Date: DATE
Forums: alt.hacking, alt.hackers.malitious, alt.2600.archangel
Message-ID: <DOMAIN>
Organization: DOMAIN

>ADDRESS@DOMAIN.com writes:
>: i need some help. can someone tell me where to get a program that will
>: open up a port on a unix box, and allow you to telnet to that port
>: and type a word and shell out as root?
>: i need something that will be loaded into memory and act as a daemon,
>: so that you dont need to edit /etc/inetd.conf or /etc/services.
>: i tried to write one but i dont know enough about sockets and daemons
>: to write something like this.
>: surely some hacker must have this tool they can share with me.

Problem: Your program needs to be running with user-id root to give you a root shell. Otherwise, it must be a program that will initiate an exploit when triggered by an incoming connection on the port.

Solution: If you don't have an exploit, you don't have root, so the problem can't be solved like this. If you DO have an exploit, you don't need the server program you asked about. I assume you have a standard user account on this box (if not, you're looking at the situation from the wrong angle). READ about system logs. Telnet in as yourself, fire off your exploit, become root. Remove the presence from the logs. Make a backdoor so you can still get in after the exploit has been patched.

--=> NAME -=> LOCATION -=> ADDRESS@DOMAIN

Priority 3
• Employee spending a large amount of time communicating in public forums from a corporate account
• Information about protests, demonstrations or boycotts involving the customer name
• Potential trademark or copyright violations of CUSTOMER assets

General Example

Analysis: An exchange between a person reporting alleged problems with a particular construction product and a response from another person who provides information about a class action lawsuit involving the product. Information is also provided about two web sites acting as virtual clearing houses for problems related to this type of product.

Re: COMPANY Siding Problems
Author: NAME
Email: ADDRESS@DOMAIN.net
Date: DATE
Forums: alt.consumers.experiences
Message-ID: <DOMAIN>
Organization: DOMAIN

HEY! there is a class action suit against NAME! Come by my webpage at http://DOMAIN.net/ see more information and a list of siding lawsuit sites. http://DOMAIN.com/Default.htm is a clearing house for siding problems especially COMPANY! email me at ADDRESS@DOMAIN.net for more info.

In article <DOMAIN.com>, ADDRESS@DOMAIN.com (NAME) wrote:
> Bought a new house in June of 1993 with COMPANY oriented
> strandboard siding. Advertised as having a 25 year warranty.
> Started having problems with the siding within 3 months. Have
> been fighting a 5 year battle with COMPANY to have them stand
> behind their product. Currently getting bids to have the siding
> replaced at my expense because their 25 year warranty product is
> falling apart. For everyone's information, several products of
> this type have been marketed to many thousands of people with
> the same result. Does L.P. ring any bells. Stay away from
> oriented strandboard siding.

1st Quarter
• Search on keywords and findings from the initial meeting
  – Report weekly
  – Continuous contact with the client for modifications to the criteria
• Report anything critical immediately and confirm receipt
• Review with the customer to ensure they are receiving what they want and need, when they want and need it

Review
• Weekly reports
• Ensure keywords and key personnel have not changed
• Review and update the keyword lists at the end of the 1st quarter

Continuing Effort (process diagram): the Initial Meeting feeds the Collect / Reduce / Analyze / Report cycle, which produces the weekly reports and periodic Review.

COLLECTING

Collection Examples
• Set up a news server
• A group of people collecting and reporting
• Subscribe to email lists and filter the data

News Feed (diagram): the Internet news feed is split by hierarchy (alt, comp, bus, other) and passed to the reporting server.

Own News Feed (continued)
• Bring in the news feed
• Break down the messages by group
• Program a search for the keywords developed with the customer
• Flag suspect messages
• Send flagged messages to the reporting server
• Determine the value of each message, then move on to the next message number

Example keyword scripts:
  find CUSTOMER AND (kill or break or password or hack)
  CUSTOMER AND (security or fire or bomb or boycott)

Collectors at Home
• Each collector receives one client
• Connected via the Internet
• Responsible for searching web, news and message boards

Email Lists
  listserv@rmsbus.com csr
  majordomo@greatcircle.com
  majordomo@unify.com
  majordomo@firewall.sickkids.on.ca
  majordomo@starfury.services.soscorp.com
  owner-ascend-users@max.bungi.com
  majordomo@connect.com.au
  bos-br-request@sekure.org
  subscribe@onelist.com
  cyberlist-watch-digest-help@ioshua.rivertown.net
  hchata@gmx.net

Filter rules applied to list traffic:
  CUSTOMER AND (kill OR break OR password OR hack)
  CUSTOMER AND (security OR fire OR bomb OR boycott)
  CUSTOMER NAME
  CUSTOMER PRODUCTS
  CUSTOMER SERVICES
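The Boolean keyword scripts on this and the previous slide, together with the search criteria from the initial meeting (keywords, key personnel, company domains) and the Priority 1/2/3 tiers, are what a small rule engine on the news or list server would evaluate. The following is an added example, not the presentation's or Para-Protect's own tooling: it parses constructed news articles in RFC 822 form, evaluates AND / OR / NOT queries with parentheses and quoted phrases, and assigns each flagged message the highest priority of the rules it matched, grouped by newsgroup hierarchy for the report. The customer name "Acme", the executive "Pat Smith", the domain acme.example, the sample articles and the priority assigned to each rule are all assumptions made for the demonstration.

```python
import re
from email import message_from_string, policy

# Assumed rule set: "acme" stands in for CUSTOMER, "Pat Smith" for a key executive and
# acme.example for a company domain. The priority of each rule is my own assignment.
RULES = [
    (1, "acme AND (kill OR break OR password OR hack OR bomb)"),
    (2, "acme AND (security OR exploit OR root OR fire)"),
    (3, "acme AND (boycott OR protest OR lawsuit)"),
    (1, '"pat smith" AND (password OR hack)'),   # key personnel: phrase match
    (2, '"acme.example"'),                       # company domain: substring match
]

TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')

class Query:
    """Recursive-descent parser/evaluator for AND / OR / NOT / ( ) / "quoted phrase"."""
    def __init__(self, text):
        self.tokens, self.pos = TOKEN_RE.findall(text), 0
        self.ast = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"trailing tokens in query: {text}")
    def _accept(self, keyword):
        if self.pos < len(self.tokens) and self.tokens[self.pos].upper() == keyword:
            self.pos += 1
            return True
        return False
    def _expr(self):                      # expr := term (OR term)*
        node = self._term()
        while self._accept("OR"):
            node = ("or", node, self._term())
        return node
    def _term(self):                      # term := factor (AND factor)*
        node = self._factor()
        while self._accept("AND"):
            node = ("and", node, self._factor())
        return node
    def _factor(self):                    # factor := NOT factor | ( expr ) | word | "phrase"
        if self._accept("NOT"):
            return ("not", self._factor())
        if self._accept("("):
            node = self._expr()
            if not self._accept(")"):
                raise ValueError("missing ')'")
            return node
        if self.pos >= len(self.tokens) or self.tokens[self.pos] == ")":
            raise ValueError("unexpected end of query")
        tok = self.tokens[self.pos]
        self.pos += 1
        if tok.startswith('"'):
            return ("phrase", tok.strip('"').lower())   # substring match in the text
        return ("word", tok.lower())                     # whole-word match
    def matches(self, words, text):
        return self._eval(self.ast, words, text)
    def _eval(self, node, words, text):
        kind = node[0]
        if kind == "word":
            return node[1] in words
        if kind == "phrase":
            return node[1] in text
        if kind == "not":
            return not self._eval(node[1], words, text)
        left, right = (self._eval(n, words, text) for n in node[1:])
        return (left and right) if kind == "and" else (left or right)

COMPILED = [(prio, text, Query(text)) for prio, text in RULES]

def word_set(text):
    """Lower-cased whole words plus dotted/hyphenated tokens such as ftp.acme.example."""
    return set(re.findall(r"[a-z0-9]+(?:[.-][a-z0-9]+)*", text)) | set(re.findall(r"[a-z0-9]+", text))

def classify(raw_article):
    """Return a report entry for a flagged article, or None if no rule matches."""
    msg = message_from_string(raw_article, policy=policy.default)
    text = f"{msg['Subject'] or ''}\n{msg.get_payload()}".lower()
    words = word_set(text)
    hits = [(prio, rule) for prio, rule, query in COMPILED if query.matches(words, text)]
    if not hits:
        return None
    groups = [g.strip() for g in (msg["Newsgroups"] or "").split(",") if g.strip()]
    return {"priority": min(prio for prio, _ in hits),             # highest tier wins
            "hierarchy": groups[0].split(".")[0] if groups else "other",
            "newsgroups": groups, "message_id": str(msg["Message-ID"]),
            "subject": str(msg["Subject"]), "rules": [rule for _, rule in hits]}

def report(articles):
    """Flag every matching article and order the report by priority, then hierarchy."""
    flagged = [entry for entry in map(classify, articles) if entry]
    return sorted(flagged, key=lambda e: (e["priority"], e["hierarchy"]))

def article(newsgroups, subject, msgid, body):
    """Build a minimal RFC 822 news article; the samples below are constructed, not real posts."""
    return f"From: poster@example.net\nNewsgroups: {newsgroups}\nSubject: {subject}\nMessage-ID: {msgid}\n\n{body}\n"

ARTICLES = [
    article("comp.unix.questions", "Re: script to log into router", "<1@example.net>", "We want a script at Acme that logs into the cisco router without typing the password."),
    article("alt.hacking", "Re: *BACKDOORS*", "<2@example.net>", "Anyone have a root exploit for the Acme ftp box (ftp.acme.example)? Security there is weak."),
    article("alt.consumers.experiences", "Acme siding problems", "<3@example.net>", "Boycott Acme: their 25 year warranty siding is falling apart."),
    article("comp.lang.c", "reading a password without echo", "<4@example.net>", "How do I turn off terminal echo while reading a password in C?"),
    article("misc.jobs.misc", "conference gossip", "<5@example.net>", "Overheard: Pat Smith uses the same password on every system."),
]
```

Running report(ARTICLES) flags four of the five samples: the router and "Pat Smith" articles at Priority 1, the exploit request at Priority 2 (it matches both the security rule and the domain rule), the boycott post at Priority 3, and the unrelated C question not at all. Whole-word matching on the subject and body keeps the newsgroup name itself (alt.hacking) from triggering the "hack" keyword; a real deployment would add the customer's product and service terms as further rules, as the slide lists.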

Reduction
• Web page updates
• Following news

Analysis
• Time saving
• Must have accompanying logic
• Multi-layered:
  – First review
  – Tech review
  – Customer-centric review

Reports
• Single source, multi-layered
• Tailorable
• Timely (weekly and ad hoc)
• Electronic, for ease of redistribution
• Feedback loop is ESSENTIAL

PROS & CONS

Pros
• Provide current and trend data on threats to the company
• Meet requirements for "due diligence"
• Ensure employees comply with policy
• Performance feedback

Cons
• Competitive intelligence, potential for extortion and industrial espionage
• Ambulance chasers
• Conflict of interest

Conclusion
• Intended to be one part of an overall security posture
• During an incident, OSM is an essential partner to your IRT
• Policies without enforcement are not worth the paper they are written on
• Your competitors are using it
• What you don't know can't hurt you, right?

Underestimating the impact can be costly...
"The biggest mistake people make is they underestimate threat." Jeff Moss, founder of Def Con (the largest annual hacker convention)

Contact Information
Rob Karas
PARA-PROTECT SERVICES, INC.
5600 General Washington Drive, Suite B-212
Alexandria, VA 22312
rob@para-protect.com
http://www.para-protect.com
Phone: 703-658-7746
Toll Free: 888-402-PARA