Critical National Infrastructure What is attacking your network, and how do you know? By Frode Rein ICT Manager, The Norwegian Parliament – Stortinget.
Critical National Infrastructure: What is attacking your network, and how do you know?
By Frode Rein, ICT Manager, The Norwegian Parliament – Stortinget (Nigel Beighton, Symantec, Advance Threat Research)
ECPRD, Nicosia, 6th November 2003

What is CNI
- “CNI” is an initiative to prepare and protect a country’s critical organisations and infrastructure
- The “CNI project” is a community-based early warning and reporting capability, currently in development as a pilot by Symantec and selected organisations
- We need early warning to be prepared, and alerts for all our community

Events over last 7 days

Where did it come from? (CNI)
Governments need to protect:
- Experience: “…need time to be prepared”, “…interested in benchmarking”
- Trends: increasing speed and severity of hits; sector targeting (organisations, services)
- New research

Change in Exploitability of Vulnerabilities
“…it’s easy” – “…in theory” – “…it can be done”

Patch, patch, patch
- Averaging 90 serious/critical vulnerabilities a month!
- Organisations cannot constantly patch – emergency patches are only tested against the vulnerability itself
- Not all vulnerabilities lead to attacks
- Will this vulnerability become the next Blaster?
  – Watch them try it, build exploits, test it and start it
- Need to prioritise which patch to do, when and where
- You need time to be prepared

The Changing Threat Picture
Targeted: they try it, they test it

Blaster Milestones (timeline from July 16 through August; the slide’s date markers are “July 16”, “August”, “Aug 16” and “31”)
- July 16: Buffer overflow vulnerability discovered; Microsoft patch released
- Sample exploit code circulating in the hacking community
- Symantec sees increase in TCP port 135 scanning
- Exploit code captured & made public
- Automated tools observed; start of exploitation of the vulnerability on a large scale
- Symantec discovers the W32.Blaster worm; virus updates released
- Blaster hits the headlines, with reported spread affecting 188,000 systems worldwide
- Microsoft delists the windowsupdate.com website and averts the denial of service attack
- CNI members contacted directly about Blaster; CNI members advised
- Broadcast media comment on Blaster
- CNI CORe team begins specific monitoring

[Chart: Blaster worm – unique source IPs (0 to 30,000) over time, July 20 to August 10. Annotations: CNI customers advised of potential issue; CNI customers contacted directly re Blaster; broadcast media comment on Blaster.]

Less time to react: W32.Blaster Worm
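The Blaster slides track two early signals: rising TCP port 135 scanning and the daily count of unique source IPs. The following is an added example, not code from the presentation or from Symantec's DeepSight service: it runs over a few constructed firewall log lines (the format and addresses are assumptions), counts distinct sources hitting port 135 per day, and flags a day whose count jumps well above the median of the earlier days.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample firewall log (not from the presentation). Assumed format:
# "<date> <time> <action> TCP <src_ip>:<sport> -> <dst_ip>:<dport>"
SAMPLE_LOG = """\
2003-07-20 10:01:02 DENY TCP 198.51.100.7:4123 -> 203.0.113.5:135
2003-07-20 11:13:45 DENY TCP 198.51.100.9:4322 -> 203.0.113.5:80
2003-07-21 09:00:00 DENY TCP 198.51.100.8:4001 -> 203.0.113.5:135
2003-07-22 12:30:00 DENY TCP 198.51.100.7:4125 -> 203.0.113.5:135
2003-07-22 12:31:00 DENY TCP 198.51.100.7:4126 -> 203.0.113.5:135
2003-07-23 08:00:00 DENY TCP 198.51.100.3:4001 -> 203.0.113.5:135
2003-08-11 01:00:00 DENY TCP 192.0.2.1:1025 -> 203.0.113.5:135
2003-08-11 01:00:01 DENY TCP 192.0.2.2:1025 -> 203.0.113.5:135
2003-08-11 01:00:02 DENY TCP 192.0.2.3:1025 -> 203.0.113.5:135
2003-08-11 01:00:03 DENY TCP 192.0.2.4:1025 -> 203.0.113.5:135
2003-08-11 01:00:04 DENY TCP 192.0.2.5:1025 -> 203.0.113.5:135
2003-08-11 01:00:05 DENY TCP 192.0.2.6:1025 -> 203.0.113.5:135
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \S+ \w+ TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")

def unique_sources_per_day(log_text, dst_port=135):
    """Return {day: set(src_ip)} for connection attempts to dst_port."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        day, src, port = m.groups()
        if int(port) == dst_port:
            per_day[day].add(src)
    return per_day

def flag_scan_spikes(per_day, factor=3.0, floor=3):
    """Walk days in order; flag a day whose unique-source count is at least
    `floor` and exceeds `factor` times the median of all earlier days."""
    results, history = [], []
    for day in sorted(per_day):
        count = len(per_day[day])
        baseline = median(history) if history else 0
        flagged = count >= floor and count > factor * baseline
        results.append((day, count, flagged))
        history.append(count)
    return results

if __name__ == "__main__":
    for day, count, flagged in flag_scan_spikes(unique_sources_per_day(SAMPLE_LOG)):
        print(day, count, "SPIKE" if flagged else "")
```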

Timing (diagram, from months/weeks ahead down to days)
Sources: Deepsight TMS, Mgmt & Monitor, Deepsight Alert, CNI (community defence)
Warning stages: technology vulnerability warning; general threat alert; spotted threat on you; activity warning (“on the doorstep”); hit (“around the corner”)

Where does the data come from?
- Symantec’s 20,000 internet and private network sensors (180 countries)
- 200+ pop-up honey-pots
- Security Focus Bugtraq
- Virus response team (and their zoo!)
  – 100M submitting AV systems
- Internet community (black_hat & white_hat)
- External authorities
Directly monitored averages per day*:
- Logs/alerts imported: 400M
- Triggered events: 250,000
- Severe events: 300
Correlated with:
- 5.5B events
- 40M attacking IP addresses
*Ex. virus!

[Diagram: Community Monitor & Alert; Early Warning; Community Knowledge; Analysis & Reporting]

What do we get (under Community Monitor & Alert, Early Warning, Community Knowledge, and Analysis)
- Security device monitoring
- Community-specific alerting
- Online threat reporting
- Deep probe activity report (weekly)
- Online technology vulnerability alerting
- Analysis & trend tracking events (quarterly)
- Online community forum
- Online regulatory and standard industry benchmarking
- Custom reporting and analysis

Important notes
- CNI will provide “observations”, “probables”, “potentials” – this needs to be treated accordingly
- Do not have all data on all companies in all segments – it grows with the community
- (Public) Device data is initially processed in the US (Alexandria central SOC) – now moving to European-only processing
- It is a pilot (experimental) – development input is essential
Q. How accurate?

What is the Pilot?
- 6 months
- Up to 8 sensors
- Monitored Deepsight access
- Early warning
- Shared data (anonymised)
… and involvement: sensor data, workshops, feedback, ideas … and an understanding of the information basis.
Timeline: Pilot Customers (now) – Advance Release Customers (Feb 04) – Full Launch (April 04); Phase 1 and Phase 2.

Our experiences
A pilot is a pilot
– Pros
  - High attention from vendor
  - State of the art technology
– Cons
  - Deficient routines
  - Reports still in development
  - State of the art technology
  - Time-consuming for the customer
  - No community parliament warning (We are alone)

Options – data sensitivity
- Option 1 – multiple devices: NIDS and firewalls send secure log data over the Internet; multi-dimensional analyses, internal & external; comprehensive (not acceptable)
- Option 2 – outside IDS collector only: IDS collector sends secure log data over the Internet; external only; less comprehensive; acceptable

Pilot infrastructure (diagram): Internet, ManHunt IDS, Firewall, LAN Stortinget

Our Home page

Reports
- Weekly Event Digest
- Emerging Threat Notifications
- Community Watch Report
- DeepSight Alert Service

People – our greatest resource
- This technology/concept is very interesting, but without dedicated people within your organisation this concept will fail
- Heavy use of internal personnel resources
  – Incident handling, routines, reports, monitoring
- Well-educated personnel
  – High requirements for internal IT security and networking skills

Responsibility
- In the end, you cannot transfer responsibility to the vendor
  – You still have to keep up the high focus on IT security

Internal handling of CNI information
- Daily routines and procedures
- Incident management
  – Incident Response Team
- Who is doing what in a crisis
  – Who is pulling the plug
  – Who is handling the press
  – Who is responsible for handling forensic evidence

Controversial points
- You have to give something before you get something
- Collecting data from the parliament
  – IDSs and firewalls
  – Inside or outside the firewall?
  – What do the MPs say if we tell them that an American company is collecting data from IDSs and firewalls within their local network?

Why join this concept?
- Parliamentary community
  – European Parliamentary IRT
  – A large community gives high attention from the vendor
  – More reliable data from a large community
  – Benchmarking within the community
  – Community warning
  – A problem shared is a problem halved