Cyber Security.
Cyber Security.
Environment, Solutions and
Environment, Solutions and
Case study.
Case study.
Cyber Security.
Cyber Security.
Environment, Solutions and
Environment, Solutions and
Case study.
Case study.
Case study.
Case study.
Special Telecommunications Service
Special Telecommunications Service
David Gabriel
David Gabriel,
, Buciu
Buciu Adrian
Adrian
Contact: [email protected]
Contact: [email protected]
[email protected]
[email protected]
Case study.
Case study.
Special Telecommunications Service
Special Telecommunications Service
David Gabriel
David Gabriel,
, Buciu
Buciu Adrian
Adrian
Contact: [email protected]
Contact: [email protected]
[email protected]
[email protected]
Environment
Network/services can be damaged due to :
• Attacks against physical integrity that can modify or destroy the information,
• Unauthorized use of information.
Types of attacks
I)
Passive and active attacks
a) passive attacks - the intruder observes the information passing through the communication medium, without interfering with the flow and content of messages
b) active attacks - the intruder can modify, circumvent or insert false messages into the communication flow.
Environment
II) Denial-of-Service Attacks
• Are typically carried out by overloading the system capacity, and by preventing legitimate users from accessing and using the targeted resource.
III) Defacement Attacks
• A defacement attack is carried out by replacing the victim’s web page with a forged page whose content will depend on the criminal purpose.
IV) Malware attacks
•
A malicious code (or malware) is any program that can deliberately and unexpectedly interfere with the normal operation of a computer.Environment
V) Cyber intrusion
Malevolent can attack a system by appropriating legitimate user identification and connection parameters (e.g passwords) , or through deception and exploitation of vulnerabilities.
The main methods used to obtain the connection parameters of legitimate users The main methods used to obtain the connection parameters of legitimate users to gain access to systems are:
• Guessing;
• Deception (social engineering); • Listening to traffic;
• Introducing a Trojan horse; • Cracking encrypted passwords; • Spying on users.
VI) Spam and Phishing
•Spam is the bulk sending of unsolicited e-mail: • for commercial or publicity purposes;
• for purposes of introducing malicious software, such as malware into the system.
• Phishing refers to an attack using mail programs to trick or coax web users
Environment
• Phishing refers to an attack using mail programs to trick or coax web users into revealing sensitive information that can then be exploited for criminal purposes.
VII) Some communication protocols misuse
VIII) Cyberattack methodology
•The process of committing a cyberattack consists of collecting and searching for the vulnerabilities of the target systems and exploiting them.
Security criteria
• The capability of a system to continuously deliver services. This depends on the
availability of hardware and software resources and as well as services.
• The capability of a system to prevent unauthorized individuals and processes from accessing data. This concerns the preservation of data confidentiality and
integrity. These are ensured by:
Environment
integrity. These are ensured by:
•(i) access control procedures such as identification, authentication and authorization with respect to certain permissions or access rights; and •(ii) encryption mechanisms.
• The capability of a system to allow only authorized individuals and processes to perform data modification. Here, an integrity criterion is necessary. This involves access control, error control and coherency checking procedures.
• The capability of a system to ensure that specific actions and transactions have actually taken place. This involves traceability, proof, administration, audit and
non-repudiation of actions and events.
• The capability of a system to carry out actions and provide the expected services under appropriate conditions of usage and performance throughout its life span. This involves continuity, reliability, user friendliness and operational soundness.
Environment
•
CyberDefence - prevent hijacking of computers or computer
networks and services;
•
Proactive Cyber Defence - not to blame external conditions for
the results obtained;
•
Sun-Tzu or SunWu first introduced the notion of predictability
analysis as part of a strategy to overcome (to win);
Environment
•
Large networks generate a huge amount of logs and security
events;
•
Firewalls, IDS / IPS systems, web servers, authentication
systems and other equipment contribute to the growing number
of events that need to be analyzed in order to lead to
of events that need to be analyzed in order to lead to
countermeasures;
•
SEM (Security Event Manager) - a centralized storage and logs
interpretation , managing security events generated by network
equipments and services;
Environment
•
SIEM Capabilities:
– Data Aggregation: aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data and helping to avoid missing crucial events;
– Correlation: looks for common attributes and links events to each other into meaningful bundles;
meaningful bundles;
– Alerting: the automated analysis of correlated events and generation of alerts, to notify recipients of immediate issues;
– Dashboards: tools that take event data and turn it into informational charts to assist in discovering patterns, or identifying activity that is not forming a
standard pattern;
– Compliance: SIEM can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes;
– Retention: SIEM/SIM solutions employ long-term storage of historical data to facilitate correlation of data over time and to provide the retention necessary for compliance requirements;
Solutions
Possible solutions for monitoring, analysis and prevention of attacks can be
divided into two main categories in terms of licensing:
• Open source;
•
Enterprise.
Open source solutions:
Open source solutions:
OSSIM – Open Source Security Information Management. Integrates the
following software components:
•
arpwatch – aimed at detecting abnormalities in the OSI layer 2
(MAC);
•
P0f – used for passive OS detection and analysis of transitions
from one operating system to another;
•
Pads – used to detect abnormalities of services;
•
Nessus – vulnerability scanner;
•
Tcptrack - Used to obtain information about sessions and to
correlate them with other events;
Solutions
• Ntop – used to make a database of network information;
• Nagios – used to monitor resources (hardware and
network services);
• Osiris – HIDS;
• Snort – detection system and intrusion prevention;
• Tcpdump – packet analyzer;
• Syslog – server used for collecting logs from network
devices;
• Netflow – protocol used for collecting information about IP
traffic;
• HoneyD – creates virtual hosts on the network, used as
traps for detecting and preventing attacks;
Solutions
Enterprise solutions:
–
ArcSight
• It is a solution that combines traditional security event monitoring with smart correlation and detection of anomalies, using analytical tools and auto repair;
and auto repair;
–
CheckPoint Eventia Suite
• It is a solution for information and security events management;
• Has two components – an analysis component (Eventia Analyzer) and a reporting component (Eventia Reporter);
–
Juniper Security Threat Response Manager
• Stand alone unit, for integrated network monitoring to ensure detection of threats, log management and compliance with security policy;
Case Study
Case study
Type of event: flood
Traffic is totaled and recorded in interval 6:14 a.m. to 6:34 a.m. and 7:11 p.m. to 7:19 p.m. respectively
Case study
Case study
Methods to overcome such attacks
•
Alternative routing;• Blackholing;
• Changing public IP address;
• Monitoring websites with custom scripts developed by internal teams in order to satisfy specific needs;
Conclusion
satisfy specific needs;
• Monitor bidirectional traffic through the internal SIEM platforms;
• Whenever possible collecting of access and error logs on application servers; • Demanding local Internet service providers to block unauthorized traffic;
• Cooperation with national and international CERTS teams in order to isolate the incidents;
• Redundancy at the routing level ;
• At least one loop to be provided by a service provider in order to ensure scrubbing;
Conclusion
Lessons to be learned by CERT teams in order to be proactive:
- Use methods to study attacks;
- Use methods to detect spam sources and to put them on blacklists; - Use methods to detect spam sources and to put them on blacklists;
- Use methods to detect networks botnets and to understand their behavior; - Use of honeypots in order to study the behavior of the malware and spam; - Exchange information between CERT teams quickly and in standard
manner;
- Transport information from sources that generate allerts to centralized systems through standardized protocol and using a secure manner;
Conclusion
•
Standardization of protocols for log transmission (syslog);
•
Using of guidelines - NIST 800-92 - log Normalization;
•
Using of guidelines - NIST 800-92 - log Normalization;
•
Integration of events generated by physical protection systems
into the security event correlation;
Conclusion
• Standardization at the advisory level
• Standardization of incident and data exchange (including
• Standardization of incident and data exchange (including
statistics)
• Standardization of security event data
Conclusion
•
Use of fast databases able to read and write very fast at
the expense of relational type;
Examples:
• Mongodb
If you need dynamic queries; if you prefer to define indexes, not If you need dynamic queries; if you prefer to define indexes, not map/reduce functions; if you need good performance on a large DB; • Cassandra
When DB writing processes is far more than reading processes (logging). Writes are faster than reads, so one natural niche is real time data analysis;
• Membase
Any application where low-latency data access, high concurrency support and high availability is a requirement.
