Singapore Computer Emergency Response Team (SingCERT)

Martin Khoo, Assistant Director Incident Management, IDA; Programme Manager, SingCERT
markhoo@singcert.org.sg
4/4/00, SingCERT 2000 - Black Hat Briefing

Formation of SingCERT
- SingCERT is a programme of the Infocomm Development Authority (IDA) of Singapore in collaboration with the National University of Singapore (NUS)
- Launched in October 1997 during Comdex 97

Missions of SingCERT
- One point of contact: provide a reliable, trusted, single point of contact for prevention, detection and resolution of security incidents on public/private networks such as the Internet and Singapore ONE
- Increase security competency: education and awareness promotion
- Provide value-added security services: security consultancy programme

Programmes of SingCERT (1)
- Technical Programme
  - Drives the security incident response function of SingCERT
  - Undertakes the R&D function of SingCERT
  - Issues security advisories, newsletters and alerts
  - Ensures the operational readiness of SingCERT's incident response infrastructure

Programmes of SingCERT (2)
- Services Programme
  - Promotes security awareness through the organisation of security seminars and workshops
  - Responsible for international and industry liaison
  - Manages the security consultancy services of SingCERT

Operational Framework (diagram; labels only): Constituency; Incident Response; Education, Consultancy, Awareness; SECAP (advise/consult); Incident Report; L.E.A./Reg. Bod. (advise/consult); ISAPs (collaboration); SIR (collaboration); Incident Handling; R&D collaboration; International CERTs/FIRST (knowledge sharing)

Local and International Collaboration
- SingCERT works closely with FIRST and international CERT efforts in the course of its incident response work
- Collaboration in the area of training and knowledge sharing with foreign CERTs

International Contacts (1)
- CERT/CC (US CERT): visited them in August 1997
- AUSCERT (Australian CERT): SingCERT's sponsor for FIRST membership
- DFN-CERT (German CERT): visited them in August 1997
- JPCERT/CC (Japan CERT): visited them in June 1998

International Contacts (2)
- KRCERT/CC (Korean CERT)
- MyCERT (Malaysian CERT)
- Forum of Incident Response and Security Teams (FIRST)
  - SingCERT was presented at the 10th FIRST conference in Monterrey, Mexico (June 1998)
  - SingCERT was voted in as a full member of FIRST in November 1998

International Contacts (3)
- Asia Pacific Security Incident Response Co-ordination (APSIRC)
- Charter is to create the AP regional forum to facilitate the exchange of ideas and expertise on Internet security incident handling
- SingCERT is a founding member and the official host of the APSIRC website

SingCERT Security Services
- Incident resolution over the phone (office hours) and through email
- Security consultation over the phone
- Security advisories and alerts online at the SingCERT website
- Security resource archive online at the SingCERT website

SingCERT Security Services
- Repository on Internet hoaxes, fraud and viruses
- Checklists and papers on security topics
- Online security discussion forum *
- PGP keyserver service *

SingCERT Security Services
- (A) Unix
  - Sun Solaris 2.x, SunOS 4.x
  - Linux (Red Hat, Slackware)
  - FreeBSD
- (B) Windows
  - Windows NT Server 4.0 and above

Reporting an incident
- Hotline: 8746666
- Email: cert@singcert.org.sg
- Incident Report Form
- The system/network/security administrator should be the one reporting the incident
- Have information on the platform and on how you discovered the intrusion or break-in
- System log files should be made available

Incident Resolution
- A solution may be available immediately if it is a known exploit
- If it is something new, then a workaround may be proposed as an interim solution
- Confidentiality is maintained at all times
- Escalation to law enforcement is the decision of the victim

Sampling of Cases
- Typical categories of incidents
  - Probing
  - Spamming
  - Virus/Trojan attacks
  - Email abuse
  - Hoaxes
  - Unauthorised system access
  - Root compromise

Unauthorised Probing
- Common infringement
- Volume tends to go up with the release of new scanning tools
- Easy to detect if sites have some logging mechanism in place (e.g. firewall, wrapper)
- Newer scanning techniques are making it more difficult to detect such activities
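As an added example (not from the original briefing), the kind of detection the slide has in mind: a small Python parser for tcp_wrappers-style "refused connect" syslog lines that flags a source touching several distinct services within a short window, which is how a service sweep shows up in wrapper or firewall logs. The log lines, hostname and addresses below are constructed sample data; `parse` and `find_probes` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed tcp_wrappers-style syslog lines (sample data, not a real log).
SAMPLE_LOG = """\
Apr  4 09:12:01 gw in.telnetd[4021]: refused connect from 192.0.2.77
Apr  4 09:12:01 gw in.ftpd[4022]: refused connect from 192.0.2.77
Apr  4 09:12:02 gw in.fingerd[4023]: refused connect from 192.0.2.77
Apr  4 09:12:02 gw sshd[4024]: refused connect from 192.0.2.77
Apr  4 09:12:03 gw in.rlogind[4025]: refused connect from 192.0.2.77
Apr  4 09:15:40 gw in.ftpd[4101]: refused connect from 198.51.100.9
Apr  4 10:30:11 gw in.telnetd[4300]: refused connect from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.\-]+)\[\d+\]: refused connect from (\S+)"
)


def parse(log_text, year=2000):
    """Return (timestamp, source, service) tuples; syslog omits the year, so supply it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        stamp = " ".join(m.group(1).split())  # collapse the space-padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(3), m.group(2)))
    return events


def find_probes(events, window_seconds=60, min_services=3):
    """Map source -> sorted service names for every source that was refused by
    at least min_services distinct services within any window_seconds span."""
    by_src = defaultdict(list)
    for ts, src, svc in events:
        by_src[src].append((ts, svc))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            seen = {svc for t, svc in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(seen) >= min_services:
                hits[src] = sorted(seen)
                break
    return hits
```

The second source hits two services 75 minutes apart and is not flagged; thresholds are the "customisation before use" the later IDS slide mentions.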

Unsolicited Commercial Email
- Few cases
- Complaints about some local organisation spamming foreign users
- One-off problem, as the offending site normally backs off after the initial complaint
- SingCERT advisory on how to protect against being spammed

Virus/Trojan Attacks
- Chernobyl/CIH: malicious, destructive in nature; 350++ cases reported to SingCERT, Apr 26-28
- Happy99, Melissa: harmless
- Netbus, Back Orifice (BO): trojan programs that can steal information from your system (spread through email attachments)

Email Abuse
- Subscribing someone to porn or product marketing mailing lists
- Email server used as a relay by others
- Advice is to use a newer version of the email server or to configure the mail server correctly
- Be careful who you give your email account to, especially online web sites

Hoaxes
- Fear, Uncertainty and Doubt (FUD)
- Harmless pranks to create FUD
- SingCERT asked to verify whether some virus/trojan warning is a hoax
- E.g. Celcom Screensaver, Happy New Year

Unauthorised System Access
- Exploiting system bugs to gain access to the system
- Common schemes exploit bugs in application programs (buffer overflow) or unnecessary privileges given to certain system programs
- Keep up with the system patches and tune in to the hacker/underground lists

System Compromise
- Your worst nightmare
- Intruder has full control of your systems
- Case where a company's IT infrastructure was taken over by a foreign intruder
- Intruder used the site to hack other places, leading to a spate of complaints about the company hacking other people

Good Practices (1)
- Have a security policy for your site
- If you need to connect to the Internet you need security protection; otherwise do other people a favour and stay off the Net
- Security should be taken seriously, and time and money need to be spent putting it in place and also actively monitoring it

Good Practices (2)
- Stay in the loop on the latest security happenings and issues
- Keep up to date with security patches and security enhancements

Detection of Intrusions (1)
- How to detect intrusion?
  - You may have implemented security protection mechanisms
  - No mechanism is perfect
  - Need to watch closely for signs of intrusion
  - Deploy some form of IDS, free or commercial
  - Needs customisation before use

Detection of Intrusions (2)
- Integrity of ID software
  - Ensure that the software used to examine systems has not been compromised
- Integrity of file systems and sensitive data
  - Look for unexpected changes to directories and files
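An added example (not part of the original briefing) of the file-system integrity check described above: a Python baseline-and-compare routine that hashes every regular file under a directory and reports additions, removals and content changes, including a replaced binary whose size did not change. The directory tree and file contents in `demo` are constructed; the function names are chosen here, and the slide's first point applies to this tool too: keep the checker and its baseline on read-only or offline media so an intruder cannot adjust them.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's content, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> (sha256, size, mode) for every regular file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # only regular files are hashed
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (hash_file(p), st.st_size, st.st_mode)
    return baseline


def compare(old, new):
    """Classify differences between two snapshots (hash, size or mode change = modified)."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then simulate post-intrusion changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "var" / "log").mkdir(parents=True)
        (root / "var" / "log" / "messages").write_text("Apr  4 09:12:01 gw login: ok\n")
        before = snapshot(root)
        # Same-length replacement: size alone would not catch it, the hash does.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (root / "var" / "log" / "messages").unlink()  # log file wiped
        (root / "tmp").mkdir()
        (root / "tmp" / ".hidden").write_bytes(b"dropped tool")
        return compare(before, snapshot(root))
```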

Detection of Intrusions (3)
- System and network activities
  - Inspect your system and network logs
  - Review notifications from system and network monitoring mechanisms
  - Inspect processes for unexpected behaviour
- Physical forms of intrusion
  - Investigate unauthorized hardware attached to your organization's network

Detection of Intrusions (4)
  - Look for signs of unauthorized access to physical resources
- Other sources of information
  - Review reports by users and external contacts about suspicious system and network events and behaviour

Handling Intrusions (1)
- Prepare
  - Establish policies and procedures for responding to intrusions
- Handle
  - Analyse all available information to characterise an intrusion
  - Communicate with all parties that need to be made aware of an intrusion and its progress, e.g. SingCERT

Handling Intrusions (2)
  - Collect and protect information associated with an intrusion
  - Apply short-term solutions to contain an intrusion
  - Eliminate all means of intruder access
  - Return systems to normal operation with the help of the incident response team
- Follow up
  - Identify and implement security lessons learned

SingCERT Essential Information
- Incident Reporting Hotline: (65) 8746666, (65) 8726198 [Fax]
- Operating hours (GMT+8)
  - Mon-Fri (0830-1700)
  - Sat (0830-1300)
- Web site: http://www.singcert.org.sg
- Incident Reporting Form: http://singcert.org.sg/incident_report_form.txt

Thank You
http://www.singcert.org.sg