Presentation is loading. Please wait.

Presentation is loading. Please wait.

Writing Security Alerts tbird Last modified 2/25/2016 8:55 PM.

Published byClare Stevens Modified over 9 years ago

Similar presentations

Presentation on theme: "Writing Security Alerts tbird Last modified 2/25/2016 8:55 PM."— Presentation transcript:

1 Writing Security Alerts tbird Last modified 2/25/2016 8:55 PM

2 Agenda Why? Where does this stuff come from? What’s relevant to Stanford? What’s important enough to bother with? How does it get written up? What do I do with it?

3 Why? Many computer intrusions happen because software is out of date Sys admins and users can make more informed decisions about patches and threats

4

5

6 Where does info come from? Vulnerabilities & Patches: –Vendor bulletins & contacts Microsoft, Sun, Cisco, Oracle, Apple, Linux –Mailing lists bugtraq@securityfocus.com, Full Disclosure –Other reliable sources CERT, ISS X-Force, iDefense, Last Stages of Delirium, Shmoo

7

8 Where? cont. New exploits in the wild & other incidents: –Mailing lists incidents@securityfocus.com, intrusions@incidents.org, FIRST, Shmoo –Contacts around campus island.stanford.edu, Expert Partners, LNAs –Other reliable sources DShield, ISS X-Force

9

10 How much information? A few hundred email messages a day, depending on activity – much higher during major incidents, like RPC attacks Most aren’t significant within Stanford environment – significant means “in use by enough people to merit a major threat if patch is not installed, or if attack is not mitigated” What’s enough?

11 What’s relevant to Stanford? Operating systems: Microsoft Windows 2000 & XP, Macintosh OS X, Solaris 7-9, RedHat & Debian Linux, Cisco IOS Applications: Internet Explorer, Outlook, Office, MS SQL Server, IIS, sendmail, OpenSSH, Oracle, AFS, Kerberos, Apache, OpenSSL Others?

12 What gets written up? My goal: to distribute information on the sorts of things I’d be willing to get paged at 3am about i.e.. only send an alert when something is an immediate threat, or requires immediate action implies that alerts ought to include recommendations for action!

13 What gets written up? cont. Vulnerabilities & patches: Issue exists in default install of OS or widely used application (applies to lots of people) Issue allows remote exploitation, or local exploitation for systems with lots of local users (ie. cluster machines)

14 What gets written up? cont. Vulnerability can be triggered with no action by user, or little action –RPC attacks –vulns in Web browsers that can be triggered via pop-ups Vulnerabilities for which there are exploits in active circulation

15

16 What gets written up? cont. Active attacks Issues that are impacting Stanford and/or the rest of the Internet Issues about which the security team is getting lots of questions Issues that can be easily avoided by updating software or AV signatures

17 Ah, but… Almost all based on information collected from other sources – very little hands-on Consolidate data, reconcile conflicts between sources, simplify for action by system admins and end users, tailor to Stanford environment

18 How does it get written up? Consistent format between alerts –Summary –Technical Details –Countermeasures –References

19

20 Summary “End user” language Who’s affected: which operating system or application, which version What’s the threat What do you do (including URLs if appropriate) Basis of email distribution

21 Technical Details Where’s the vulnerability Why does the problem exist How can it be exploited For an attack or exploit, what sort of damage does it do Any forensics: logs or other evidence of exploitation

22 Countermeasures Patches or software updates that mitigate threat – direct links to downloads by versions etc. Workarounds if available and practical, to reduce risk from vulnerability or attack System recovery – if an attack happens, what do I do?

23 A Note on Patch Testing We’re not set up to do much yet Test Windows and OS X patches with the Leland and AFS applications Working on getting more formalized testing in place as part of host security management initiative

24 References Vendor alerts Third-party confirmation CERT advisories, reports from research firms like ISS and iDefense Enough information for a motivated reader to reconstruct everything in the alert

25 Where do they end up? http://securecomputing.stanford.edu/alert.html Mailing lists: Expert Partners, LNAs, etc. Newsgroups

26 What do I do with it? Do you use the affected system in the summary? Are you responsible for your own machines? Other people’s?

27 What’s it look like so far? “Security alert process” in place since December 2002 We’ve missed some! We’d like to think that the RPC attacks of August & September were not typical… Total: 61 in 13 months – so much for 1-2 per month!

28

29 For more information http://securecomputing.stanford.edu/alert. html http://www.precision- guesswork.com/metaweather.html

Download ppt "Writing Security Alerts tbird Last modified 2/25/2016 8:55 PM."

Similar presentations

GHOST glibc gethostbyname() Vulnerability CVE-2015-0235 Johannes B. Ullrich, Ph.D. SANS Technology Institute https://isc.sans.edu.

GHOST glibc gethostbyname() Vulnerability CVE Johannes B. Ullrich, Ph.D. SANS Technology Institute
COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.

COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.
NetAcumen ActiveX Download Instructions

NetAcumen ActiveX Download Instructions
XP Browser and E-mail Basics1. XP Browser and E-mail Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.

XP Browser and Basics1. XP Browser and Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.
SLAC Vulnerability Scanning Cyber Security Working Group - LBL December 5, 2005 Teresa Downey - SLAC.

SLAC Vulnerability Scanning Cyber Security Working Group - LBL December 5, 2005 Teresa Downey - SLAC.
Web Server Administration

Web Server Administration
Windows Security Tech Talk 9/25/07. What is a virus?  A computer program designed to self replicate without permission from the end user  The program.

Windows Security Tech Talk 9/25/07. What is a virus?  A computer program designed to self replicate without permission from the end user  The program.
Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.

Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.
Distance Education Team 2 Security Architectures and Analysis.

Distance Education Team 2 Security Architectures and Analysis.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
How To Keep Up With Security Patches Eric Schultze Security Strategies Microsoft.

How To Keep Up With Security Patches Eric Schultze Security Strategies Microsoft.
Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.

Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.
Fermilab VPN Service What is a VPN ?.

Fermilab VPN Service What is a VPN ?.
Web Design Terms and Concepts Ms. Scales. Q. What is a Server? A. A server is a computer that stores information many people can access. It runs special.

Web Design Terms and Concepts Ms. Scales. Q. What is a Server? A. A server is a computer that stores information many people can access. It runs special.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Security Audit Tools Project. CT 395 IT Security I Professor Igbeare Summer Quarter 2009 August 25, 2009.

Security Audit Tools Project. CT 395 IT Security I Professor Igbeare Summer Quarter 2009 August 25, 2009.
First Community Bank www.fcbnm.com Prevx Safe Online Rollout & Best Practice Presentation.

First Community Bank Prevx Safe Online Rollout & Best Practice Presentation.
To receive our video stream in LiveMeeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in.

To receive our video stream in LiveMeeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in.

Similar presentations

Ads by Google