Writing Security Alerts tbird Last modified 2/25/2016 8:55 PM.

Agenda
– Why?
– Where does this stuff come from?
– What's relevant to Stanford?
– What's important enough to bother with?
– How does it get written up?
– What do I do with it?

Why?
– Many computer intrusions happen because software is out of date.
– Sys admins and users can make more informed decisions about patches and threats.

Where does info come from?
Vulnerabilities & patches:
– Vendor bulletins & contacts: Microsoft, Sun, Cisco, Oracle, Apple, Linux
– Mailing lists: Full Disclosure
– Other reliable sources: CERT, ISS X-Force, iDefense, Last Stages of Delirium, Shmoo

Where? cont.
New exploits in the wild & other incidents:
– Mailing lists: FIRST, Shmoo
– Contacts around campus: island.stanford.edu, Expert Partners, LNAs
– Other reliable sources: DShield, ISS X-Force

How much information?
– A few hundred messages a day, depending on activity; much higher during major incidents, like the RPC attacks.
– Most aren't significant within the Stanford environment. "Significant" means in use by enough people to pose a major threat if the patch is not installed or the attack is not mitigated.
– What's enough?

What's relevant to Stanford?
– Operating systems: Microsoft Windows 2000 & XP, Macintosh OS X, Solaris 7-9, RedHat & Debian Linux, Cisco IOS
– Applications: Internet Explorer, Outlook, Office, MS SQL Server, IIS, sendmail, OpenSSH, Oracle, AFS, Kerberos, Apache, OpenSSL
– Others?

What gets written up?
My goal: to distribute information on the sorts of things I'd be willing to get paged at 3am about, i.e. only send an alert when something is an immediate threat or requires immediate action. This implies that alerts ought to include recommendations for action!

What gets written up? cont.
Vulnerabilities & patches:
– Issue exists in the default install of an OS or a widely used application (applies to lots of people)
– Issue allows remote exploitation, or local exploitation on systems with lots of local users (i.e. cluster machines)

What gets written up? cont.
– Vulnerability can be triggered with no action by the user, or little action
  – RPC attacks
  – vulns in Web browsers that can be triggered via pop-ups
– Vulnerabilities for which there are exploits in active circulation

What gets written up? cont.
Active attacks:
– Issues that are impacting Stanford and/or the rest of the Internet
– Issues about which the security team is getting lots of questions
– Issues that can be easily avoided by updating software or AV signatures
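As an added worked example (not part of the original slides, and not the Stanford security team's tooling), the following Python script turns the write-up criteria from the three "What gets written up?" slides and the inventory from "What's relevant to Stanford?" into a triage function that returns a decision, the reasons behind it, and the action the alert should recommend. The Report field names, the inventory strings, and the four sample reports are assumptions made for illustration; treating "default install", "remote or shared-host exploitation" and "little or no user action" as one combined condition, with public exploits, active attacks and a flood of questions as independent triggers, is one reading of the slides.

```python
"""Triage filter for incoming vulnerability and attack reports.

Encodes the "What gets written up?" criteria as a function that returns a
write-up decision, the reasons behind it and the action the alert should
recommend. Field names, inventory strings and sample reports are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Local software inventory (from the "What's relevant to Stanford?" slide).
# Lower-case strings; incoming product names are normalised before lookup.
RELEVANT_SOFTWARE = {
    "windows 2000", "windows xp", "mac os x", "solaris", "redhat linux",
    "debian linux", "cisco ios", "internet explorer", "outlook", "office",
    "ms sql server", "iis", "sendmail", "openssh", "oracle", "afs",
    "kerberos", "apache", "openssl",
}


@dataclass
class Report:
    """One consolidated item from the feeds (hypothetical schema)."""
    title: str
    products: List[str]              # affected software names
    default_install: bool = False    # present in a default OS/app install?
    remote: bool = False             # remotely exploitable?
    multiuser_local: bool = False    # local-only, but hits shared (cluster) hosts?
    user_action: str = "none"        # "none", "little" (e.g. a pop-up) or "much"
    exploit_public: bool = False     # exploit code in active circulation?
    active_attacks: bool = False     # attacks hitting Stanford and/or the Internet now?
    many_questions: bool = False     # security team fielding lots of questions?
    easy_fix: bool = False           # avoided by a software update or AV signatures?


def relevant(report: Report) -> bool:
    """True if the report touches anything in the local inventory."""
    return any(p.strip().lower() in RELEVANT_SOFTWARE for p in report.products)


def triage(report: Report) -> Tuple[bool, List[str], str]:
    """Apply the '3am test': (write_it_up, reasons, recommended_action)."""
    if not relevant(report):
        return False, ["no affected software in local inventory"], "log only"

    reasons = []
    exposure = report.remote or report.multiuser_local
    # Vulnerability path: widely deployed, reachable, needs little or no user action.
    if report.default_install and exposure and report.user_action != "much":
        reasons.append("default install, remote/shared-host exploitable, little or no user action")
    # Independent triggers from the slides.
    if report.exploit_public:
        reasons.append("exploit code in active circulation")
    if report.active_attacks:
        reasons.append("active attacks impacting Stanford and/or the Internet")
    if report.many_questions:
        reasons.append("security team fielding many questions")

    if not reasons:
        return False, ["no immediate threat or action required"], "log only"
    # Every alert carries a recommendation; the easy case is 'update'.
    action = "patch / update AV signatures" if report.easy_fix else "apply workaround (see Countermeasures)"
    return True, reasons, action


# Constructed sample reports, not real advisories.
SAMPLE_REPORTS = [
    Report("RPC service overflow, worm traffic observed", ["Windows XP", "Windows 2000"],
           default_install=True, remote=True, exploit_public=True,
           active_attacks=True, easy_fix=True),
    Report("Browser bug triggered from a pop-up", ["Internet Explorer"],
           default_install=True, remote=True, user_action="little"),
    Report("Overflow in a niche editor nobody on campus runs", ["foo-editor"],
           default_install=True, remote=True),
    Report("Local-only Solaris bug needing heavy user interaction", ["Solaris"],
           default_install=True, user_action="much"),
]


def run_triage(reports: List[Report] = SAMPLE_REPORTS) -> Dict[str, Tuple[bool, List[str], str]]:
    """Triage a batch and key the results by title."""
    return {r.title: triage(r) for r in reports}


if __name__ == "__main__":
    for title, (alert, reasons, action) in run_triage().items():
        print(f"{'ALERT' if alert else 'skip '}  {title}")
        for why in reasons:
            print(f"          - {why}")
        print(f"          action: {action}")
```

The first sample trips every trigger at once, which is the August/September RPC pattern the deck refers to; the third is relevant-looking but fails the inventory check, and the fourth is in the inventory but fails the immediacy criteria. The reasons list is what feeds the Summary and Technical Details sections of the alert, and the recommended action is the seed for Countermeasures, so the filter doubles as the first draft of the write-up.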

Ah, but…
– Almost all of this is based on information collected from other sources; very little is hands-on.
– The job is to consolidate data, reconcile conflicts between sources, simplify for action by system admins and end users, and tailor to the Stanford environment.

How does it get written up?
Consistent format between alerts:
– Summary
– Technical Details
– Countermeasures
– References

Summary
– "End user" language
– Who's affected: which operating system or application, which version
– What's the threat
– What do you do (including URLs if appropriate)
– Basis of distribution

Technical Details
– Where's the vulnerability
– Why does the problem exist
– How can it be exploited
– For an attack or exploit, what sort of damage does it do
– Any forensics: logs or other evidence of exploitation

Countermeasures
– Patches or software updates that mitigate the threat: direct links to downloads by version, etc.
– Workarounds, if available and practical, to reduce risk from the vulnerability or attack
– System recovery: if an attack happens, what do I do?

A Note on Patch Testing
– We're not set up to do much yet.
– Test Windows and OS X patches with the Leland and AFS applications.
– Working on getting more formalized testing in place as part of the host security management initiative.

References
– Vendor alerts
– Third-party confirmation: CERT advisories, reports from research firms like ISS and iDefense
– Enough information for a motivated reader to reconstruct everything in the alert

Where do they end up?
– Mailing lists: Expert Partners, LNAs, etc.
– Newsgroups

What do I do with it?
– Do you use the affected system in the summary?
– Are you responsible for your own machines? Other people's?

What's it look like so far?
– "Security alert process" in place since December 2002
– We've missed some!
– We'd like to think that the RPC attacks of August & September were not typical…
– Total: 61 in 13 months; so much for 1-2 per month!

For more information html guesswork.com/metaweather.html