Singapore Computer Emergency Response Team (SingCERT)
Martin Khoo, Assistant Director, Incident Management, IDA; Programme Manager, SingCERT
markhoo@singcert.org.sg
4/4/00 SingCERT 2000 - BlackHat Briefing
Formation of SingCERT
- SingCERT is a programme of the Infocomm Development Authority (IDA) of Singapore in collaboration with the National University of Singapore (NUS)
- Launched in October 1997 during Comdex 97

Missions of SingCERT
- One point of contact: provide a reliable, trusted, single point of contact for prevention, detection and resolution of security incidents on public/private networks such as the Internet and Singapore ONE
- Increase security competency: education and awareness promotion
- Provide value-added security services: security consultancy programme

Programmes of SingCERT (1)
- Technical Programme
  - Drives the security incident response function of SingCERT
  - Undertakes the R&D function of SingCERT
  - Issues security advisories, newsletters and alerts
  - Ensures the operational readiness of SingCERT's incident response infrastructure

Programmes of SingCERT (2)
- Services Programme
  - Promotes security awareness through the organisation of security seminars and workshops
  - Responsible for international and industry liaison
  - Manages the security consultancy services of SingCERT

Operational Framework
[Diagram; only the node labels survived extraction] Constituency; Incident Response; Education, Consultancy, Awareness; Advise/Consult links to SECAP and L.E.A/Reg. Bod.; Incident Report; Collaboration with ISAPs and SIR; Incident Handling; R&D Collaboration; International CERTs/FIRST; Knowledge Sharing

Local and International Collaboration
- SingCERT works closely with FIRST and international CERTs in the course of its incident response work
- Collaboration in the areas of training and knowledge sharing with foreign CERTs

International Contacts (1)
- CERT/CC (US CERT): visited them in August 1997
- AUSCERT (Australian CERT): SingCERT's sponsor for FIRST membership
- DFN-CERT (German CERT): visited them in August 1997
- JPCERT/CC (Japan CERT): visited them in June 1998

International Contacts (2)
- KRCERT/CC (Korean CERT)
- MyCERT (Malaysian CERT)
- Forum of Incident Response and Security Teams (FIRST)
  - SingCERT was presented at the 10th FIRST conference in Monterrey, Mexico (June 1998)
  - SingCERT was voted in as a full member of FIRST in November 1998

International Contacts (3)
- Asia Pacific Security Incident Response Co-ordination (APSIRC)
- Charter is to create the AP regional forum to facilitate the exchange of ideas and expertise on Internet security incident handling
- SingCERT is a founding member and the official host of the APSIRC website

SingCERT Security Services (1)
- Incident resolution over the phone (office hours) and through email
- Security consultation over the phone
- Security advisories and alerts online at the SingCERT website
- Security resource archive online at the SingCERT website

SingCERT Security Services (2)
- Repository on Internet hoaxes, fraud and viruses
- Checklists and papers on security topics
- Online security discussion forum *
- PGP keyserver service *

SingCERT Security Services (3)
(A) Unix
  - Sun Solaris 2.x, SunOS 4.x
  - Linux (RedHat, Slackware)
  - FreeBSD
(B) Windows
  - Windows NT Server 4.0 and above

Reporting an Incident
- Hotline: 8746666
- Email: cert@singcert.org.sg
- Incident Report Form
- The system/network/security administrator should be the one reporting the incident
- Have information on the platform and on how you discovered the intrusion or break-in
- System log files to be made available

Incident Resolution
- A solution may be available immediately if it is a known exploit
- If it is something new then a workaround may be proposed as an interim solution
- Confidentiality is maintained at all times
- Escalation to law enforcement is the decision of the victim

Sampling of Cases
- Typical categories of incidents
  - Probing
  - Spamming
  - Virus/Trojan attacks
  - Email abuse
  - Hoaxes
  - Unauthorised system access
  - Root compromise

Unauthorised Probing
- Common infringement
- Volume tends to go up with the release of new scanning tools
- Easy to detect if sites have some logging mechanism in place (e.g. firewall, wrapper)
- Newer scanning techniques are making it more difficult to detect such activities
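The probing slide says scans are easy to spot when a wrapper or firewall logs refused connections. As an added example (not from the slides or from SingCERT), the Python below parses constructed tcp_wrappers-style syslog lines and flags any source that is refused by several different services within a short window, which is the pattern a simple log-based detector keys on. The log format, the 60-second window and the three-service threshold are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of tcp_wrappers-style syslog lines (not taken from the slides).
# One source hits five services in four seconds; another is refused twice, hours apart.
SAMPLE_LOG = """\
Apr  4 10:01:02 gw in.telnetd[201]: refused connect from 192.0.2.10
Apr  4 10:01:03 gw in.ftpd[202]: refused connect from 192.0.2.10
Apr  4 10:01:03 gw in.fingerd[203]: refused connect from 192.0.2.10
Apr  4 10:01:05 gw in.rshd[204]: refused connect from 192.0.2.10
Apr  4 10:01:06 gw in.rlogind[205]: refused connect from 192.0.2.10
Apr  4 10:20:00 gw in.ftpd[310]: refused connect from 198.51.100.7
Apr  4 11:45:00 gw in.ftpd[311]: refused connect from 198.51.100.7
Apr  4 12:00:00 gw in.telnetd[400]: connect from 10.0.0.5
"""

# Assumed line shape: "<Mon> <day> <hh:mm:ss> <host> <service>[<pid>]: refused connect from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>in\.\w+)\[\d+\]: "
    r"refused connect from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_refusals(text, year=2000):
    """Return (timestamp, source_ip, service) for every refused connection in the log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted connects and unrelated lines are not refusals
        # syslog omits the year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["svc"]))
    return events


def find_probes(events, window_s=60, min_services=3):
    """Flag sources refused by at least min_services distinct services within window_s.

    A host legitimately retrying one service will not trip this; a scanner walking
    the inetd services will. Returns {source_ip: sorted list of services touched}.
    """
    by_src = defaultdict(list)
    for ts, src, svc in sorted(events):
        by_src[src].append((ts, svc))

    findings = {}
    for src, items in by_src.items():
        # slide a window starting at each refusal from this source
        for i, (t0, _) in enumerate(items):
            services = {svc for ts, svc in items[i:] if (ts - t0).total_seconds() <= window_s}
            if len(services) >= min_services:
                findings[src] = sorted(services)
                break
    return findings


if __name__ == "__main__":
    for src, services in find_probes(parse_refusals(SAMPLE_LOG)).items():
        print(f"probable probe from {src}: {', '.join(services)}")
```

Thresholds should be tuned per site: a window that is too long or a service count that is too low will flag ordinary retries, and a slow scan spread over hours will slip under any short window, which is the slide's point about newer scanning techniques being harder to catch.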
Unsolicited Commercial Email
- Few cases
- Complaints about some local organisation spamming foreign users
- Once-off problem, as the offending site normally backs off after the initial complaint
- SingCERT advisory on how to protect against being spammed

Virus/Trojan Attacks
- Chernobyl/CIH: malicious, destructive in nature; 350++ cases reported to SingCERT, Apr. 26-28
- Happy99, Melissa: harmless
- Netbus, Back Orifice (BO): trojan programs that can steal information from your system (spread through email attachments)

Email Abuse
- Subscribing someone to porno or product marketing mailing lists
- Email server used as a relay by others
- Advice is to use a newer version of the email server or to configure the mail server correctly
- Be careful who you give out your email account to, especially online web sites

Hoaxes
- Fear, Uncertainty and Doubt (FUD)
- Harmless pranks to create FUD
- SingCERT is asked to verify whether some virus/trojan warning is a hoax
- E.g. Celcom Screensaver, Happy New Year

Unauthorised System Access
- Exploiting system bugs to gain access to the system
- Common schemes exploit bugs in application programs (buffer overflow) or unnecessary privileges given to certain system programs
- Keep up with the system patches and tune in to the hackers/underground lists

System Compromise
- Your worst nightmare
- Intruder has full control of your systems
- Case where a company's IT infrastructure was taken over by a foreign intruder
- Intruder used the site to hack other places, leading to a spate of complaints about the company hacking other people

Good Practices (1)
- Have a security policy for your site
- If you need to connect to the Internet you need security protection; otherwise do other people a favour and stay off the Net
- Security should be taken seriously; time and money need to be spent putting it in place and also actively monitoring it

Good Practices (2)
- Stay in the loop on the latest security happenings and issues
- Keep up to date with security patches and security enhancements

Detection of Intrusions (1)
- How to detect intrusion?
  - You may have implemented security protection mechanisms
  - No mechanism is perfect
  - Need to watch closely for signs of intrusion
  - Deploy some form of IDS, free or commercial; it needs customisation before use

Detection of Intrusions (2)
- Integrity of ID software
  - Ensure that the software used to examine systems has not been compromised
- Integrity of file systems and sensitive data
  - Look for unexpected changes to directories and files

Detection of Intrusions (3)
- System and network activities
  - Inspect your system and network logs
  - Review notifications from system and network monitoring mechanisms
  - Inspect processes for unexpected behaviour
- Physical forms of intrusion
  - Investigate unauthorised hardware attached to your organisation's network

Detection of Intrusions (4)
  - Look for signs of unauthorised access to physical resources
- Other sources of information
  - Review reports by users and external contacts about suspicious system and network events and behaviour
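Two of the detection points above, looking for unexpected changes to files and making sure the examining software itself has not been tampered with, can be demonstrated with a baseline-and-compare checker. The Python below is an added example, not SingCERT's tool or code from the slides: it hashes every regular file under a directory, diffs a later pass against the stored baseline, and checks a tool binary against a digest that would be kept on read-only media or another host. The directory layout, file contents and the tampering performed in demo() are constructed for the illustration.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative, '/'-separated path)
    to (sha256, size, permission bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope for this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (file_digest(full), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def compare(baseline, current):
    """Report paths that appeared, disappeared, or changed in hash, size or mode."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def verify_tool(path, expected_sha256):
    """Integrity of the ID software: compare the checker (or any tool it relies on)
    against a digest stored off the examined system, never against one read from it."""
    return file_digest(path) == expected_sha256


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed walkthrough: baseline a small tree, tamper with it, diff it."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "bin/ls", b"original binary")
        _write(root, "etc/inetd.conf", b"ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n")
        _write(root, "etc/motd", b"welcome\n")
        baseline = build_baseline(root)
        trusted_ls = baseline["bin/ls"][0]  # stands in for a digest kept on read-only media

        # Simulated tampering: a replaced tool of identical size (size checks alone would
        # miss it), a new hidden file, and a deleted file.
        _write(root, "bin/ls", b"trojaned binary")
        _write(root, "etc/.hidden", b"unexpected\n")
        os.remove(os.path.join(root, "etc", "motd"))

        report = compare(baseline, build_baseline(root))
        report["tool_trusted"] = verify_tool(os.path.join(root, "bin", "ls"), trusted_ls)
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the machine that stores it and the tool that computes it: if both live on the examined host, an intruder with full control can rewrite them together, which is why the slides list the integrity of the ID software as a separate check.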
Handling Intrusions (1)
- Prepare
  - Establish policies and procedures for responding to intrusions
- Handle
  - Analyse all available information to characterise an intrusion
  - Communicate with all parties that need to be made aware of an intrusion and its progress, e.g. SingCERT

Handling Intrusions (2)
  - Collect and protect information associated with an intrusion
  - Apply short-term solutions to contain an intrusion
  - Eliminate all means of intruder access
  - Return systems to normal operation with the help of the incident response team
- Follow up
  - Identify and implement security lessons learned

SingCERT Essential Information
- Incident Reporting Hotline: (65) 8746666; (65) 8726198 [Fax]
- Operating hours (GMT+8)
  - Mon-Fri: 0830-1700
  - Sat: 0830-1300
- Web site: http://www.singcert.org.sg
- Incident Reporting Form: http://singcert.org.sg/incident_report_form.txt

Thank You
http://www.singcert.org.sg