Singapore Computer Emergency Response Team
(SingCERT) Martin Khoo
Assistant Director
Incident Management, IDA
Programme Manager SingCERT
SingCERT 2000 - BlackHat Briefing, 4/4/00
Formation of SingCERT
* SingCERT is a programme of the Infocomm Development Authority (IDA) of Singapore in collaboration with the National University of Singapore (NUS)
* Launched in October 1997 during Comdex 97
Missions of SingCERT
* One Point of Contact
– provide a reliable, trusted, single point of contact for prevention, detection & resolution of security incidents on public/private networks such as the Internet & Singapore ONE
* Increase security competency
– education & awareness promotion
* Provide value-added security services
– security consultancy programme
Programmes of SingCERT (1)
Technical Programme
* Drives the security incident response function of SingCERT
* Undertakes the R&D function of SingCERT
* Issues security advisories, newsletters and alerts
* Ensures the operational readiness of SingCERT’s incident response infrastructure
Programmes of SingCERT (2)
Services Programme
* Promote security awareness through the organisation of security seminars and workshops
* Responsible for international & industry liaison
* Manage the security consultancy services of SingCERT
Operational Framework
[Diagram: Operational Framework. Parties shown: Constituency, SECAP, L.E.A/Reg.Bod., SIR, ISAPs, International CERTs/FIRST. Relationships shown between SingCERT and these parties: Collaboration, Incident Response, Incident Report, Advise, Consult. SingCERT functions shown: Incident Handling; Education, Consultancy, Awareness; R&D Collaboration; Knowledge Sharing.]
Local & International Collaboration
* SingCERT works closely with FIRST & international CERT efforts in the course of its incident response work
* Collaboration in the area of training and knowledge sharing with foreign CERTs
International Contacts (1)
* CERT/CC (US CERT) – visited them in August 1997
* AUSCERT (Australian CERT) – SingCERT’s sponsor for FIRST membership
* DFN-CERT (German CERT) – visited them in August 1997
* JPCERT/CC (Japan CERT) – visited them in June 1998
International Contacts (2)
* KRCERT/CC (Korean CERT)
* MyCERT (Malaysian CERT)
* Forum of Incident Response & Security Teams (FIRST)
– SingCERT was presented at the 10th FIRST conference in Monterrey, Mexico (June 1998)
– SingCERT was voted in as a full member of FIRST in November 1998
International Contacts (3)
* Asia Pacific Security Incident Response Co-ordination (APSIRC)
– Charter is to create the AP regional forum to facilitate the exchange of ideas and expertise on Internet security incident handling
– SingCERT is a founding member and the official host of the APSIRC website
SingCERT Security Services
* Incident resolution over the phone (office hours) and through email
* Security consultation over the phone
* Security advisories and alerts online at the SingCERT website
* Security resource archive online at the SingCERT website
SingCERT Security Services
* Repository on internet hoaxes, fraud and viruses
* Checklists and papers on security topics
* Online security discussion forum *
* PGP keyserver service *
SingCERT Security Services
(A) Unix
– Sun Solaris 2.x, SunOS 4.x
– Linux (RedHat, Slackware)
– FreeBSD
(B) Windows
– Windows NT Server 4.0 and above
Reporting an incident
* Hotline - 8746666
* Email - [email protected]
* Report Form
* System/Network/Security administrator should be the one reporting the incident
* Have information on the platform and how you discovered the intrusion or break-in
* System log files to be made available
Incident Resolution
* Solution may be available immediately if it is a known exploit
* If it is something new then a workaround may be proposed as an interim solution
* Confidentiality is maintained at all times
* Escalation to law enforcement is the decision of the victim
Sampling of Cases
* Typical categories of incidents
– Probing
– Spamming
– Virus/Trojan Attacks
– Email Abuse
– Hoaxes
– Unauthorised system access
– Root Compromise
Unauthorised Probing
* Common infringement
* Volume tends to go up with the release of new scanning tools
* Easy to detect if sites have some logging mechanism in place (e.g. firewall, wrapper)
* Newer scanning techniques make it more difficult to detect such activities
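The slide says probing is easy to spot when a firewall or wrapper logs connection attempts. The following added example (not SingCERT's code) shows the simplest form of that detection: it parses constructed firewall deny lines in an assumed syslog-like format and flags any source that touches several distinct ports within a short window. A probe spread out over hours stays under the threshold, which is the difficulty with newer, slower scanning techniques that the last bullet refers to.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines; the "src=... dpt=..." field layout is an assumption
# about the firewall's log format, not a SingCERT format.
SAMPLE_LOG = """\
Apr  4 02:11:05 fw kernel: DENY IN src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt=21
Apr  4 02:11:05 fw kernel: DENY IN src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt=23
Apr  4 02:11:06 fw kernel: DENY IN src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt=25
Apr  4 02:11:06 fw kernel: DENY IN src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt=80
Apr  4 02:11:07 fw kernel: DENY IN src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt=110
Apr  4 02:11:07 fw kernel: DENY IN src=203.0.113.7 dst=192.0.2.10 proto=TCP dpt=143
Apr  4 02:15:30 fw kernel: DENY IN src=198.51.100.4 dst=192.0.2.10 proto=TCP dpt=80
Apr  4 09:15:30 fw kernel: DENY IN src=198.51.100.4 dst=192.0.2.10 proto=TCP dpt=443
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?src=(\S+) .*?dpt=(\d+)")


def parse(log, year=2000):
    """Return (timestamp, source, destination port) for each parseable line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # syslog has no year; supply one so timestamps can be compared
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events


def find_scanners(events, min_ports=5, window_seconds=60):
    """Map each source that hit >= min_ports distinct ports inside one window to those ports."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    hits = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window forward from each event
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


if __name__ == "__main__":
    for src, ports in find_scanners(parse(SAMPLE_LOG)).items():
        print(f"possible probe from {src}: ports {ports}")
```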
Unsolicited Commercial Email
* Few cases
* Complaints about some local organisation spamming foreign users
* One-off problem, as the offending site normally backs off after the initial complaint
* SingCERT advisory on how to protect against being spammed
Virus/Trojan Attacks
* Chernobyl/CIH – malicious, destructive in nature; 350++ cases reported to SingCERT, Apr. 26 - 28
* Happy99, Melissa – harmless
* Netbus, Back Orifice (BO) – trojan programs that can steal info. from your system (spread through email attachments)
Email Abuse
* Subscribing someone to porno or product marketing mailing lists
* Email server used as a relay by others
– Advice is to use a newer version of the email server or to configure the mail server correctly
* Be careful who you give out your email account to, especially online web sites
Hoaxes
* Fear, Uncertainty & Doubt (FUD)
* Harmless pranks to create FUD
* SingCERT asked to verify whether some virus/trojan warning is a hoax
* E.g. Celcom Screensaver, Happy New Year
Unauthorised System Access
* Exploiting of system bugs to gain access to a system
* Common schemes exploit bugs in application programs (buffer overflow) or unnecessary privileges given to certain system programs
* Keep up with the system patches and tune in to the hackers/underground lists
System Compromise
* Your worst nightmare
* Intruder has full control of your systems
* Case where a company’s IT infrastructure was taken over by a foreign intruder
– Intruder used the site to hack other places, leading to a spate of complaints about the company hacking other people
Good Practices (1)
* Have a security policy for your site
* If you need to connect to the Internet you need security protection; otherwise do other people a favour and stay off the Net
* Security should be taken seriously, and time and money need to be spent putting it in place and actively monitoring it
Good Practices (2)
* Stay in the loop on the latest security happenings and issues
* Keep up to date with security patches and security enhancements
Detection of Intrusions (1)
* How to detect intrusion?
– you may have implemented security protection mechanisms
– no mechanism is perfect
– need to watch closely for signs of intrusion
– deploy some form of IDS
– free or commercial
– need customisation before use
Detection of Intrusions (2)
* Integrity of ID software
– Ensure that the software used to examine systems has not been compromised
* Integrity of file systems and sensitive data
– Look for unexpected changes to directories and files
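Both points on this slide come down to comparing what is on disk against a trusted record of what should be there. The following added example (not SingCERT's tool) builds a baseline of size, permission bits and SHA-256 for every regular file under a directory and reports files that were added, removed or changed; the demo constructs a small tree in a temporary directory and modifies it so the report has something to show. The baseline, and the checker itself, should be kept on read-only or offline media, which is the first bullet's point: a checker that reads its baseline from the system it is checking can be altered along with everything else.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to (size, permission bits, sha256)."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():  # symlinks are recorded by their target elsewhere
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (st.st_size, st.st_mode & 0o7777, file_digest(p))
    return baseline


def compare(baseline, current):
    """Report paths that appeared, disappeared, or whose size/mode/hash differs from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed tree: take a baseline, then alter it the way an unexpected change would look."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        before = build_baseline(root)
        # Same size is not enough to hide a change: the hash still differs.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$*\"\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        (root / "bin" / "new").write_bytes(b"\x7fELF")
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```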
Detection of Intrusions (3)
* System and network activities
– Inspect your system and network logs
– Review notifications from system and network monitoring mechanisms
– Inspect processes for unexpected behaviour
* Physical forms of intrusion
– Investigate unauthorized hardware attached to your organization's network
Detection of Intrusions (4)
– Look for signs of unauthorized access to physical resources
* Other sources of information
– Review reports by users and external contacts about suspicious system and network events and behaviour
Handling Intrusions (1)
* Prepare
– Establish policies and procedures for responding to intrusions
* Handle
– Analyse all available information to characterise an intrusion
– Communicate with all parties that need to be made aware of an intrusion and its progress, e.g. SingCERT
Handling Intrusions (2)
– Collect and protect information associated with an intrusion
– Apply short-term solutions to contain an intrusion
– Eliminate all means of intruder access
– Return systems to normal operation with the help of the incident response team
* Follow up
– Identify and implement security lessons learned
SingCERT Essential Information
* Incident Reporting Hotline: (65) 8746666, (65) 8726198 [Fax]
* Operating hours (GMT + 8): Mon - Fri (0830 - 1700); Sat. (0830 - 1300)
* Web Site: http://www.singcert.org.sg
* Incident Reporting Form: http://singcert.org.sg/incident_report_form.txt
Thank You
http://www.singcert.org.sg