Office of Campus Information Security: Incident Response Briefing
Jeffrey Savoy, CISSP

Presentation transcript:

Roadmap
- OCIS Incident Response Background
- Infringement Reports
- Situational Awareness Reports
- Information Incident Reporting Policy
- Nessus Self Service Scans
- AppScan Self Service Scans

OCIS Incident Response Background
- OCIS Incident Response
- Reports: Help Desk, NOC, etc.
- 2 FTE and 2 part-time students
- Handle some reports directly and forward others
- WiscNIC
- Statistics posted at
- Wide range of reports

Infringement Reports Volume:

Infringement Reports Complainants:

Infringement Reports Campus locations:

Situational awareness reports
- A wide variety of reports can be sent to
- The following are specific reports that we either sign up for or implement locally
- Goal is to reduce exposure time
- Each source contains different raw evidence
- Each has the potential for false positives
- Based on experience, harder to track in a NAT environment
- We can tune local alerts
- In most cases, worth investigating

Situational awareness reports: Web-Spam Searches
OCIS has a process that queries Google daily (M-F) for signs of web spam on wisc.edu sites. The spam may indicate a compromised web server, or a site that allows public comments and is being abused.

Situational awareness reports: Web-Spam Searches
Example: “OCIS has identified the below URLs recently found in Google to be consistent with providing or re-directing to web spam.”
Include (in part):
- Why you are getting this (WiscNic)
- Suspicious URL
- What it might indicate
- Google cache removal instructions
Statistics: 29 confirmed reports since January 2009 (about 4 a week)
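The search described above turns up candidate URLs; the slide lists what the resulting alert contains but not how a candidate is confirmed. The routine below is an added example, not OCIS's process or code: it verifies a candidate offline from its fetched HTML by looking for the usual signs of injected web spam (off-site links with spam vocabulary, links inside hidden markup, a meta-refresh redirect to another host). The spam terms, the `OWN_DOMAIN` value, the sample pages and the page URL are all constructed for the illustration.

```python
"""Check a fetched page for common signs of injected web spam.

Added example, not OCIS's search process: the daily search yields candidate
URLs; this routine is one way to verify a candidate offline from its HTML.
The spam vocabulary, trusted domain and sample pages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Terms that dominate injected spam links (constructed; tune per site).
SPAM_TERMS = ("casino", "pharmacy", "payday", "replica", "cheap pills")
# Links to this domain (and its subdomains) are never counted as off-site (constructed).
OWN_DOMAIN = "example.edu"
# Void elements never get an end tag, so they must not enter the nesting stack.
VOID_TAGS = {"meta", "br", "img", "link", "input", "hr"}


class SpamSignParser(HTMLParser):
    """Collect links and note whether each sits inside hidden markup."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0     # >0 while inside a display:none / visibility:hidden element
        self.links = []           # (href, anchor text, inside hidden markup?)
        self.meta_refresh = None  # target of a <meta http-equiv="refresh">, if any
        self._open_anchor = None
        self._stack = []          # one "is hidden" marker per open non-void element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                self.meta_refresh = content.split("=", 1)[1].strip()
        if tag in VOID_TAGS:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self._stack.append(hidden)
        if hidden:
            self.hidden_depth += 1
        if tag == "a" and a.get("href"):
            self._open_anchor = [a["href"], "", self.hidden_depth > 0]

    def handle_data(self, data):
        if self._open_anchor is not None:
            self._open_anchor[1] += data

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if tag == "a" and self._open_anchor is not None:
            self.links.append(tuple(self._open_anchor))
            self._open_anchor = None
        if self._stack and self._stack.pop():
            self.hidden_depth -= 1


def _offsite(host):
    return not (host == OWN_DOMAIN or host.endswith("." + OWN_DOMAIN))


def spam_signs(html, page_url):
    """Return a dict of findings for one page; an empty dict means no sign was found."""
    p = SpamSignParser()
    p.feed(html)
    p.close()
    page_host = urlparse(page_url).hostname or ""
    spammy, hidden = [], []
    for href, text, in_hidden in p.links:
        host = urlparse(href).hostname or page_host  # relative links stay on the page's host
        blob = (href + " " + text).lower()
        if _offsite(host) and any(term in blob for term in SPAM_TERMS):
            spammy.append(href)
        if in_hidden and _offsite(host):
            hidden.append(href)
    findings = {}
    if spammy:
        findings["spam_links"] = spammy
    if hidden:
        findings["hidden_offsite_links"] = hidden
    if p.meta_refresh:
        target = urlparse(p.meta_refresh).hostname
        if target and target != page_host and _offsite(target):
            findings["offsite_redirect"] = p.meta_refresh
    return findings


# Constructed sample pages: one clean department page and one carrying injected spam.
CLEAN_PAGE = """<html><head><title>Department news</title></head><body>
<p>The seminar schedule is <a href="/events">here</a>; see also
<a href="https://www.example.edu/library">the library</a> and <a href="https://arxiv.org/">arXiv</a>.</p>
</body></html>"""

SPAMMED_PAGE = """<html><head><title>Department news</title>
<meta http-equiv="refresh" content="0; url=http://spam-host.example/casino">
</head><body><p>The seminar schedule is <a href="/events">here</a>.</p>
<div style="display: none">
<a href="http://spam-host.example/casino">online casino bonus</a>
<a href="http://other-spam.example/pharmacy">cheap pharmacy</a>
<a href="http://third.example/">click</a>
</div></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("spammed", SPAMMED_PAGE)):
        print(name, spam_signs(page, "https://www.example.edu/news/"))
```

The clean page yields no findings; the spammed page reports two spam-vocabulary links, three off-site links hidden from visitors, and the off-site redirect, which together match the "providing or re-directing to web spam" wording of the alert.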

Situational awareness reports: Sophos Alerts
OCIS receives alerts of spam originating from the University of Wisconsin - Madison from Sophos honeypots installed worldwide. Often these alerts indicate a compromised personal computer that is being used to send out spam. We have access to this service as a result of the WiscMail purchase of Sophos for filtering.

Situational awareness reports: Sophos Alerts
Example: “Our spam scanning software has detected the following spam was sent from your network. I have attached a part of the raw data below for your review. Please note that all dates and times are in unless otherwise noted. Could you please look into this possible spam, and let us know what actions you take to resolve.”
Statistics: 150 alerts in last 9 months (about 4 a week)

Situational awareness reports: Alerts from our campus border flow analysis
OCIS staff process alerts of suspicious activity daily (M-F). These alerts may indicate a compromised server or personal computer; however, they may sometimes be the result of end-user activity, e.g. P2P file sharing, Skype, etc. The current alerts look for a variety of conditions, e.g. suspicious SMTP/DNS activity, connections to suspicious IP addresses as listed by REN-ISAC (Research and Education Network Info Sharing and Analysis Center), etc.

Situational awareness reports: Alerts from our campus border flow analysis
Example: “Our flow analysis tool is alerting on a possible suspicious activity originating from This may be a sign of a compromise, infection, or user activities, e.g. peer to peer applications, etc.”
Include (in part):
- Network flows
- Why suspicious, e.g. connecting to a known C&C server, etc.
Statistics: 34 in last two months (about 4 a week)
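The alert conditions the two flow-analysis slides name (suspicious SMTP and DNS activity, connections to addresses on a REN-ISAC-style watch list, and the raw flows attached as evidence) can be expressed as a small triage routine. The code below is an added example and not OCIS's flow tool: the campus prefix, watch list, resolvers, NAT gateway address and flow records are constructed from RFC 5737 documentation ranges, and the SMTP fan-out threshold is an assumed tuning knob of the kind the earlier slide calls "tuning local alerts". It also marks alerts whose source is a NAT gateway, because the slides note that such hosts are harder to track down.

```python
"""Triage of border flow records for the alert conditions named on the slide.

Constructed example: every address, port and record below is made up and uses
RFC 5737 documentation ranges; nothing here is OCIS's tool, list or data.
"""
from collections import defaultdict
import ipaddress

# Campus prefix (constructed; stands in for the institution's address space).
CAMPUS_NET = ipaddress.ip_network("203.0.113.0/24")

# Suspicious destinations as a REN-ISAC-style watch list would supply them
# (constructed placeholder entries, not a real list).
CC_WATCHLIST = {"198.51.100.7", "198.51.100.42"}

# Campus recursive resolvers; DNS sent anywhere else is worth a look (constructed).
CAMPUS_RESOLVERS = {"203.0.113.53", "203.0.113.54"}

# Addresses that are NAT gateways: an alert on them names a subnet, not a host.
NAT_GATEWAYS = {"203.0.113.254"}

# Distinct external mail servers one host may contact per window before it
# looks like a spam zombie rather than a mail client (assumed tuning knob).
SMTP_FANOUT_THRESHOLD = 3

# Constructed flow records: (src_ip, dst_ip, dst_port, flow_count)
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.7", 6667, 12),    # IRC to a watch-listed host
    ("203.0.113.10", "192.0.2.80", 80, 3),
    ("203.0.113.20", "192.0.2.25", 25, 40),        # outbound SMTP fan-out ...
    ("203.0.113.20", "192.0.2.26", 25, 35),
    ("203.0.113.20", "192.0.2.27", 25, 31),
    ("203.0.113.20", "192.0.2.28", 25, 29),
    ("203.0.113.30", "203.0.113.53", 53, 200),     # normal DNS to a campus resolver
    ("203.0.113.40", "192.0.2.53", 53, 150),       # DNS bypassing campus resolvers
    ("203.0.113.254", "198.51.100.42", 443, 2),    # watch-list hit from a NAT gateway
    ("203.0.113.50", "192.0.2.25", 25, 1),         # one mail server: a mail client
]


def is_campus(ip):
    return ipaddress.ip_address(ip) in CAMPUS_NET


def _alert(kind, src, evidence):
    return {
        "kind": kind,
        "src": src,
        "behind_nat": src in NAT_GATEWAYS,  # needs NAT logs to reach the real host
        "evidence": evidence,               # raw flows, as the alert e-mail attaches them
    }


def triage_flows(flows):
    """Return one alert dict per (condition, campus source host).

    Conditions mirror the slide: contact with a watch-listed address,
    suspicious SMTP (fan-out to many mail servers) and suspicious DNS
    (queries that bypass campus resolvers). Each alert carries the
    raw flows as evidence and flags sources that are NAT gateways.
    """
    alerts = []
    smtp_targets = defaultdict(set)
    smtp_evidence = defaultdict(list)
    for src, dst, dport, count in flows:
        if not is_campus(src):
            continue  # only outbound campus traffic is in scope here
        record = [(src, dst, dport, count)]
        if dst in CC_WATCHLIST:
            alerts.append(_alert("watchlist-contact", src, record))
        if dport == 25 and not is_campus(dst):
            smtp_targets[src].add(dst)
            smtp_evidence[src].extend(record)
        if dport == 53 and dst not in CAMPUS_RESOLVERS:
            alerts.append(_alert("dns-bypass", src, record))
    for src, targets in smtp_targets.items():
        if len(targets) >= SMTP_FANOUT_THRESHOLD:
            alerts.append(_alert("smtp-fanout", src, smtp_evidence[src]))
    return alerts


if __name__ == "__main__":
    for a in triage_flows(SAMPLE_FLOWS):
        nat = " (NAT gateway: identify the host via NAT logs)" if a["behind_nat"] else ""
        print(f'{a["kind"]:<17} {a["src"]}{nat}: {len(a["evidence"])} flow record(s)')
```

On the sample records this raises four alerts: two watch-list contacts (one from the NAT gateway address), one DNS bypass, and one SMTP fan-out backed by four flow records; the host that talked to a single mail server is left alone, which is where the threshold earns its keep against the P2P/Skype-style false positives the slide warns about.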

Situational awareness reports: Project HoneyPot Alerts
OCIS staff receive alerts of spam, dictionary web attacks, etc. for UW System from the Project Honey Pot service. OCIS pays a small amount yearly for this subscription.

Situational awareness reports: Project HoneyPot Alerts
Example:
X.X (SPAM) - Sat, 26 Jan :56:
DCC-MsgId: 426a2a78 5bfc2ebc e9c189b8 40c608fb
Subject: Armchair Vegas
From: "ClubVIP Casino."
Statistics: 280 in last 20 months (about 3 a week)

Situational awareness reports: REN-ISAC
OCIS staff receive alerts of possible "bots" or otherwise compromised machines directly from REN-ISAC operations, which their systems may identify.

Situational awareness reports: REN-ISAC
Example: “The host(s) listed at the bottom of this message have been identified as likely bot infected. The host(s) were observed attempting to connect to a known botnet controller at tcp port Please examine this machine for signs of break-in.”
IP Address / Timestamp
X.X / :54:47 -UTC-5
Statistics: 125 in last 22 months (about 1 a week)

Situational awareness reports: Shadowserver Foundation
OCIS staff receive alerts for the University of Wisconsin - Madison from additional honeypots installed around the world and maintained by security volunteers running the Shadowserver Foundation. The types of reports that we may receive are listed at this url:

Situational awareness sources: Shadowserver Foundation
Example:
Statistics: 118 reports in the last 10 months (about 3 a week)

Information Incident Reporting Policy
UW-Madison employees, contractors and users of UW-Madison information resources must report incidents in which there is a reasonable belief that UW-Madison sensitive information may have been accessed by unauthorized persons.
Reportable incidents include but are not limited to: intrusion by malware or other unauthorized access via the network into computer systems or devices, where it is reasonable to believe that sensitive information was accessed by unauthorized persons.

Information Incident Reporting Policy
Sensitive data defined: Institutional Data that could, by itself or in combination with other such Data, be used for identity theft, fraud, or other such crimes. It includes Data defined as Restricted Data. Restricted Data includes:
- Information with Personal Identifying Information (PII) as specified in Wisconsin’s data Breach Notification Law (statute Section )
- Institutional Data whose public disclosure is restricted by law, contract, University policy, professional code, or practice within the applicable unit, discipline, or profession
- Etc.

Information Incident Reporting Policy

Nessus self service scans
Purpose: A convenient way to obtain a baseline scan of campus devices on the network without having to purchase and maintain Nessus software
Location:
Statistics: Over 200 scans requested since January 2008

Nessus self service scans

Limitations:
- Scans done without local credentials
- Firewalls (host and network) need to be open
- Limited effectiveness with those using NAT
- Verbose reports

IBM AppScan self service scans
Purpose: A convenient way to obtain a baseline scan of web servers without having to purchase and maintain AppScan software.
Location:
Statistics: Over 100 scans requested since January 2008

IBM AppScan self service scans

Limitations:
- Scans done without credentials to the web site, e.g. pubcookie, etc.
- Firewalls (host and network) need to be open
- Verbose reports
- Crawling large sites may result in long scan times
- Load on the web server
- Default form values used by AppScan may result in false negatives

Lockdown 2009!

Questions?