Published by Barnard Townsend. Modified over 9 years ago.
Slide 1: Critical National Infrastructure
What is attacking your network, and how do you know?
By Frode Rein, ICT Manager, The Norwegian Parliament – Stortinget
(Nigel Beighton, Symantec, Advance Threat Research)
ECPRD, Nicosia, 6th November 2003
Slide 2: What is CNI
- “CNI” is an initiative to prepare and protect a country’s critical organisations and infrastructure
- The “CNI project” is a community-based early warning and reporting capability, currently in development as a pilot by Symantec and selected organisations
- We need early warning to be prepared, and alerts for all our community
Slide 4: Events over last 7 days
Slide 5: Governments need to protect
- Experience: “…need time to be prepared”; “…interested in benchmarking”
- Trends: increased speed and severity of hit; sector targeting (organisations, services)
- CNI: where did it come from? New research
Slide 6: Change in Exploitability of Vulnerabilities
[Chart labels: “..it’s easy”, “..in theory”, “..it can be done”]
Slide 7: Patch, patch, patch
- Averaging 90 serious/critical vulnerabilities a month!
- Organisations cannot constantly patch – emergency patches are only tested against the vulnerability
- Not all vulnerabilities lead to attacks
- Will this vulnerability become the next Blaster?
  - Watch them try it, build exploits, test it and start it
- Need to prioritise which patch to do, when and where
- You need time to be prepared
Slide 8: The Changing Threat Picture
[Chart labels: “targeted”; “they try it, they test it”]
Slide 9: Blaster Milestones
- July 16: Buffer overflow vulnerability discovered; Microsoft patch released
- July 22: Sample exploit code circulating in the hacking community
- July 23: Symantec sees increase in TCP port 135 scanning
- July 25: Exploit code captured and made public
- August 7: Automated tools observed; start of exploiting the vulnerability on a large scale
- August 11: Symantec discovers the W32.Blaster worm; virus updates released
- August 13: Blaster hits the headlines, with reported spread affecting 188,000 systems worldwide
- August 16: Microsoft delists the windowsupdate.com website and averts a denial of service attack
CNI actions marked on the timeline: CNI CORe team begin specific monitoring; CNI Members advised (July 31); CNI Members contacted directly about Blaster; broadcast media to comment on Blaster
Slide 10: Blaster worm
[Chart: unique source IPs (0 to 30,000) against time, July 20 to August 10, annotated with: CNI Customers advised of potential issue; CNI Customers contacted directly re Blaster; Broadcast media comment on Blaster]
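The early-warning signal on slides 9 and 10 is a rise in the number of distinct addresses probing TCP port 135 well before the worm itself appeared. The following is an added example (not code from the slides, the CNI project or Symantec) of how a defender could compute that same indicator from their own firewall deny logs: count unique source IPs per day that were denied on TCP/135 and flag a day whose count jumps well above the median of the preceding days. The log line format, the sample lines (documentation address ranges) and the threshold factor are constructed for this example.

```python
"""
Added example, not from the slides: a small early-warning check modelled on
slides 9 and 10 (the rise in TCP port 135 scanning and the chart of unique
source IPs over time). It counts distinct source addresses hitting TCP/135 per
day in firewall deny logs and flags days whose count jumps well above the
median of the preceding days. The log line format, the sample lines and the
thresholds are constructed for this example.
"""
from collections import defaultdict
import re
import statistics

# Constructed log format: "<YYYY-MM-DD> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) DENY (TCP|UDP) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \d{1,3}(?:\.\d{1,3}){3}:(\d+)$"
)

# Constructed sample: quiet background on July 20-22, then a burst of new
# sources probing TCP/135 on July 23.
SAMPLE_LOG = """\
2003-07-20 DENY TCP 198.51.100.7:3001 -> 203.0.113.10:135
2003-07-20 DENY TCP 198.51.100.9:3102 -> 203.0.113.10:135
2003-07-20 DENY TCP 198.51.100.9:3103 -> 203.0.113.10:80
2003-07-21 DENY TCP 198.51.100.7:3055 -> 203.0.113.10:135
2003-07-21 DENY UDP 198.51.100.22:53 -> 203.0.113.10:135
2003-07-22 DENY TCP 198.51.100.31:4011 -> 203.0.113.10:135
2003-07-22 DENY TCP 198.51.100.32:4012 -> 203.0.113.10:135
2003-07-23 DENY TCP 198.51.100.40:1040 -> 203.0.113.10:135
2003-07-23 DENY TCP 198.51.100.41:1041 -> 203.0.113.10:135
2003-07-23 DENY TCP 198.51.100.42:1042 -> 203.0.113.10:135
2003-07-23 DENY TCP 198.51.100.43:1043 -> 203.0.113.10:135
2003-07-23 DENY TCP 198.51.100.44:1044 -> 203.0.113.10:135
2003-07-23 DENY TCP 198.51.100.45:1045 -> 203.0.113.10:135
2003-07-23 DENY TCP 198.51.100.45:1046 -> 203.0.113.10:135
"""


def parse_line(line):
    """Return (day, proto, src_ip, dst_port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    day, proto, src, dport = m.groups()
    return day, proto, src, int(dport)


def unique_sources_per_day(log_text, proto="TCP", dport=135):
    """Count distinct source IPs per day that were denied on proto/dport.
    Days are ISO date strings, so they sort chronologically as text."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, p, src, d = rec
        if p == proto and d == dport:
            seen[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(seen.items())}


def flag_spikes(counts, factor=2.5, min_history=2):
    """Flag days whose unique-source count is at least `factor` times the
    median of all earlier days (only once `min_history` earlier days exist).
    Returns a list of (day, count, baseline)."""
    flagged, history = [], []
    for day in sorted(counts):
        n = counts[day]
        if len(history) >= min_history:
            baseline = max(statistics.median(history), 1)
            if n >= factor * baseline:
                flagged.append((day, n, baseline))
        history.append(n)
    return flagged


if __name__ == "__main__":
    counts = unique_sources_per_day(SAMPLE_LOG)
    for day, n in counts.items():
        print(f"{day}: {n} unique sources probing TCP/135")
    for day, n, baseline in flag_spikes(counts):
        print(f"ALERT {day}: {n} unique sources vs baseline {baseline:g}")
```

The median baseline is deliberately simple: it is robust to a single noisy day, but on a real perimeter the factor and the history window need tuning against normal scanning levels, and a count of distinct sources is only a lead indicator, not proof that a specific vulnerability is being exploited.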
Slide 11: Less time to react
[Chart: W32.Blaster Worm]
Slide 12: Timing
[Diagram: warning lead time from months/weeks down to days. Services: Deepsight Alert; CNI (community defence); Deepsight TMS Mgmt & Monitor. Warning stages: technology vulnerability warning; general threat alert; activity warning “on the doorstep”; spotted threat on you; hit “around the corner”]
Slide 13: Where does the data come from?
- Symantec’s 20,000 internet and private network sensors (180 countries)
- 200+ pop-up honey-pots
- Security Focus Bugtraq
- Virus response team (and their zoo!)
  - 100M submitting AV systems
- Internet community (black_hat & white_hat)
- External authorities
Directly monitored averages per day*:
- Logs/alerts imported: 400M
- Triggered events: 250,000
- Severe events: 300
- Correlated with 5.5B events
- 40M attacking IP addresses
*Ex. virus!
Slide 14
[Diagram: Community Monitor & Alert; Early Warning; Community Knowledge; Analysis & Reporting]
Slide 15: What do we get
Service areas: Community Monitor & Alert; Early Warning; Community Knowledge; Analysis
- Security device monitoring
- Community specific alerting
- Online threat reporting
- Deep probe activity report (weekly)
- Online technology vulnerability alerting
- Analysis & trend tracking events (quarterly)
- Online community forum
- Online regulatory and standard industry benchmarking
- Custom reporting and analysis
Slide 16: Important notes
- CNI will provide “observations”, “probables” and “potentials” – these need to be treated accordingly
- CNI does not have all data on all companies in all segments – it grows with the community
- (Public) Device data is initially processed in the US (Alexandria central SOC) – now moving to European-only processing
- It is a pilot (experimental) – development input is essential
Q. How accurate?
Slide 17: What is the Pilot?
- 6 months
- Up to 8 sensors
- Monitored Deepsight access
- Early warning
- Shared data (anonymised)
… and involvement:
- Sensor data
- Workshops
- Feedback
- Ideas
… and an understanding of the information basis
Timeline: Pilot Customers (now); Advance Release Customers (Feb 04); Full Launch (April 04), in two phases
Slide 18: Our experiences
A pilot is a pilot
- Pros
  - High attention from vendor
  - State of the art technology
- Cons
  - Deficient routines
  - Reports still in development
  - State of the art technology
  - Time-consuming for the customer
  - No community parliament warning (we are alone)
Slide 19: Options – data sensitivity
[Diagram components for both options: NIDS, Firewalls, Internet, secure log data, IDS Collector]
- Option 1 – multi devices: multi-dimensional analyses; internal & external; comprehensive (not acceptable)
- Option 2 – outside IDS collector only: external only; less comprehensive; acceptable
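Slide 17 lists “shared data (anonymised)” and slide 19 rejects the more comprehensive option because internal device data would leave the parliament. One technical middle ground, shown here as an added example that is not code from the slides, the CNI project or Symantec, is to pseudonymise internal addresses in the log lines before export: each internal host is replaced by a keyed HMAC token, so the external collector can still correlate events per host and per attacking (external) address, while the key, and with it the mapping back to real hosts, never leaves the organisation. The internal ranges, the demonstration key and the sample lines are constructed for this example.

```python
"""
Added example, not from the slides: pseudonymising internal addresses in
NIDS/firewall log lines before they leave the organisation for an external
collector. Internal hosts become keyed HMAC tokens; external (attacking)
addresses stay intact for community correlation. Ranges, key and sample lines
are constructed for this example.
"""
import hashlib
import hmac
import ipaddress
import re

# Matches dotted-quad tokens; anything that is not a valid address is left alone.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed: ranges treated as "internal". An organisation would also list
# its own public ranges here. Python's ip.is_private is deliberately not used,
# because it also covers the documentation ranges used in the sample below.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_internal(ip_text):
    """True if ip_text is a valid IPv4 address inside one of INTERNAL_NETWORKS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETWORKS)


def pseudonymize_ip(ip_text, key):
    """Deterministic keyed token: the same key and address always give the same
    token, so per-host correlation survives; without the key the token cannot be
    reversed (HMAC-SHA256, truncated to 12 hex digits for readability)."""
    digest = hmac.new(key, ip_text.encode("ascii"), hashlib.sha256).hexdigest()
    return "int-" + digest[:12]


def scrub_line(line, key):
    """Replace every internal IPv4 address in a log line with its token; external
    addresses are left intact."""
    def repl(m):
        ip = m.group(0)
        return pseudonymize_ip(ip, key) if is_internal(ip) else ip
    return IPV4_RE.sub(repl, line)


def scrub_log(text, key):
    """Scrub a whole log text line by line."""
    return "\n".join(scrub_line(line, key) for line in text.splitlines())


# Constructed sample: two external sources probing one internal host, plus one
# internal-to-internal line. The key is for this demonstration only.
DEMO_KEY = b"constructed-demo-key-keep-this-inside"
SAMPLE_LOG = """\
2003-07-23 DENY TCP 198.51.100.7:3001 -> 10.20.30.40:135
2003-07-23 DENY TCP 198.51.100.9:3102 -> 10.20.30.40:135
2003-07-23 ALLOW TCP 10.20.30.40:4455 -> 10.20.30.41:445
"""

if __name__ == "__main__":
    print(scrub_log(SAMPLE_LOG, DEMO_KEY))
```

Keyed pseudonymisation is weaker than true anonymisation: the IPv4 space is small, so anyone who obtains the key can enumerate it and recover every host, which is why the key must stay inside the organisation; rotating the key breaks correlation across periods, and other fields (timestamps, hostnames, payload fragments) can still identify hosts and need their own handling.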
Slide 20: Pilot infrastructure
[Diagram components: LAN Stortinget, Internet, ManHunt IDS, Firewall]
Slide 21: Our Home page
Slide 22: Reports
- Weekly Event Digest
- Emerging Threat Notifications
- Community Watch Report
- DeepSight Alert Service
Slide 23: People – our greatest resource
- This technology/concept is very interesting, but without dedicated people within your organisation this concept will fail
- Heavy use of internal personnel resources
  - Incident handling, routines, reports, monitoring
- Well-educated personnel
  - High requirements for internal IT security and networking skills
Slide 24: Responsibility
- In the end, you cannot transfer responsibility to the vendor
  - You still have to keep up the high focus on IT security
Slide 25: Internal handling of CNI information
- Daily routines and procedures
- Incident management
  - Incident Response Team
- Who is doing what in a crisis
  - Who is pulling the plug
  - Who is handling the press
  - Who is responsible for handling forensic evidence
Slide 26: Controversial issues
- You have to give something before you get something
- Collecting data from the parliament
  - IDSs and firewalls
  - Inside or outside the firewall?
  - What do the MPs say if we tell them that an American company is collecting data from IDSs and firewalls within their local network?
Slide 27: Why join this concept?
- Parliamentary community
  - European Parliamentary IRT
  - A large community gives high attention from the vendor
  - More reliable data from a large community
  - Benchmarking within the community
  - Community warning
  - A problem shared is a problem halved