Page 1: Singapore Computer Emergency Response Team (SingCERT) Martin Khoo Assistant Director Incident Management, IDA Programme Manager SingCERT markhoo@singcert.org.sg.

Singapore Computer Emergency Response Team (SingCERT)

Martin Khoo
Assistant Director, Incident Management, IDA
Programme Manager, SingCERT
markhoo@singcert.org.sg

Page 2

SingCERT 2000 - BlackHat Briefing, 4/4/00

Formation of SingCERT

SingCERT is a programme of the Infocomm Development Authority (IDA) of Singapore in collaboration with the National University of Singapore (NUS)

Launched in October 1997 during Comdex 97

Page 3

Missions of SingCERT

* One Point of Contact
  – provide a reliable, trusted, single point of contact for prevention, detection & resolution of security incidents on public/private networks such as the Internet & Singapore ONE
* Increase security competency
  – education & awareness promotion
* Provide value-added security services
  – security consultancy program

Page 4

Programmes of SingCERT (1): Technical Programme

* Drives the security incident response function of SingCERT

* Undertakes the R&D function of SingCERT

* Issues security advisories, newsletters and alerts

* Ensures the operational readiness of SingCERT’s incident response infrastructure

Page 5

Programmes of SingCERT (2): Services Programme

* Promote security awareness through the organisation of security seminars and workshops

* Responsible for international & industry liaison

* Manage the security consultancy services of SingCERT

Page 6

Operational Framework

[Diagram: SingCERT linked to its Constituency, SECAP, L.E.A/Reg.Bod., SIR, ISAPs and International CERTs/FIRST. Link labels: Collaboration, Incident Report, Incident Response, Advise, Consult. Activities shown: Incident Handling; Education, Consultancy, Awareness; R&D Collaboration; Knowledge Sharing.]

Page 7

Local & International Collaboration

SingCERT works closely with FIRST & international CERTs efforts in the course of its incident response work

Collaboration in area of training and knowledge sharing with foreign CERTs

Page 8

International Contacts (1)

* CERT/CC (US CERT)
  – visited them in August 1997
* AUSCERT (Australian CERT)
  – SingCERT’s sponsor for FIRST membership
* DFN-CERT (German CERT)
  – visited them in August 1997
* JPCERT/CC (Japan CERT)
  – visited them in June 1998

Page 9

International Contacts (2)

* KRCERT/CC (Korean CERT)
* MyCERT (Malaysian CERT)
* Forum of Incident Response & Security Teams (FIRST)
  – SingCERT was presented at the 10th FIRST conference in Monterrey, Mexico (June 1998)
  – SingCERT was voted in as full member of FIRST in November 1998

Page 10

International Contacts (3)

* Asia Pacific Security Incident Response Co-ordination (APSIRC)
  – Charter is to create the AP regional forum to facilitate the exchange of ideas and expertise on Internet security incident handling
  – SingCERT is a founding member and the official host of the APSIRC website

Page 11

SingCERT Security Services

* Incident resolution over the phone (office hours) and through email
* Security consultation over the phone
* Security advisories and alerts online at the SingCERT website
* Security resource archive online at the SingCERT website

Page 12

SingCERT Security Services

* Repository on internet hoaxes, fraud and viruses
* Checklists and papers on security topics
* Online security discussion forum *
* PGP keyserver service *

Page 13

SingCERT Security Services

(A) Unix: Sun Solaris 2.x, SunOS 4.x; Linux (RedHat, Slackware); FreeBSD
(B) Windows: Windows NT Server 4.0 and above

Page 14

Reporting an incident

* Hotline - 8746666
* Email - [email protected]
* Report Form
* The System/Network/Security administrator should be the one reporting the incident
* Have information on the platform and on how you discovered the intrusion or break-in
* System log files to be made available

Page 15

Incident Resolution

* A solution may be available immediately if it is a known exploit
* If it is something new, then a workaround may be proposed as an interim solution
* Confidentiality is maintained at all times
* Escalation to law enforcement is the decision of the victim

Page 16

Sampling of Cases

Typical categories of incidents
– Probing
– Spamming
– Virus/Trojan Attacks
– Email Abuse
– Hoaxes
– Unauthorised system access
– Root Compromise

Page 17

Unauthorised Probing

* Common infringement
* Volume tends to go up with the release of new scanning tools
* Easy to detect if sites have some logging mechanism in place (e.g. firewall, wrapper)
* Newer scanning techniques are making such activities more difficult to detect
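The "easy to detect if sites have some logging mechanism in place" point, as an added example (not SingCERT's code or any product's): a small Python script that reads firewall-style deny log lines and flags any source that touches many distinct destination ports within a short sliding window, which is what a probe with a scanning tool looks like in a firewall or TCP-wrapper log. The log format, timestamps and addresses are constructed for the example; real firewalls and wrappers each write their own format, so the regular expression is the part to adapt.

```python
"""Flag port-scan style probing in firewall deny logs.

Added example, not SingCERT's code. The log format is a constructed,
simplified one: "<timestamp> deny src=<ip> dport=<port>". Adapt LOG_RE to
whatever your own firewall or TCP wrapper actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"deny src=(?P<src>\d+\.\d+\.\d+\.\d+) dport=(?P<dport>\d+)$"
)

# Constructed sample: 192.0.2.10 sweeps ten ports in a few seconds,
# 198.51.100.7 merely retries one port, 203.0.113.9 touches two ports
# forty minutes apart. Only the first should be reported.
SAMPLE_LOG = """\
2000-04-04 10:15:01 deny src=192.0.2.10 dport=21
2000-04-04 10:15:01 deny src=192.0.2.10 dport=23
2000-04-04 10:15:02 deny src=192.0.2.10 dport=25
2000-04-04 10:15:02 deny src=192.0.2.10 dport=79
2000-04-04 10:15:03 deny src=192.0.2.10 dport=110
2000-04-04 10:15:03 deny src=192.0.2.10 dport=111
2000-04-04 10:15:04 deny src=192.0.2.10 dport=143
2000-04-04 10:15:04 deny src=192.0.2.10 dport=513
2000-04-04 10:15:05 deny src=192.0.2.10 dport=514
2000-04-04 10:15:05 deny src=192.0.2.10 dport=2049
2000-04-04 10:16:10 deny src=198.51.100.7 dport=25
2000-04-04 10:16:11 deny src=198.51.100.7 dport=25
2000-04-04 10:16:12 deny src=198.51.100.7 dport=25
2000-04-04 11:02:30 deny src=203.0.113.9 dport=80
2000-04-04 11:40:00 deny src=203.0.113.9 dport=443
"""


def parse(lines):
    """Yield (timestamp, source, destination port); lines that do not
    match the expected format (permits, noise) are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], int(m["dport"]))


def find_scanners(lines, window=timedelta(seconds=60), min_ports=8):
    """Return {source: sorted list of all distinct ports it probed} for each
    source that hit at least `min_ports` distinct ports inside any
    `window`-long sliding interval."""
    by_src = defaultdict(list)
    for ts, src, dport in parse(lines):
        by_src[src].append((ts, dport))

    scanners = {}
    for src, events in by_src.items():
        events.sort()  # chronological; log lines need not be ordered
        lo = 0
        for hi, (ts, _) in enumerate(events):
            # Slide the window start forward until it covers `window` seconds.
            while ts - events[lo][0] > window:
                lo += 1
            ports_in_window = {p for _, p in events[lo:hi + 1]}
            if len(ports_in_window) >= min_ports:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"probable scan from {src}: ports {ports}")
```

The thresholds (60 seconds, 8 ports) are deliberately simple; a scan spread over hours or across many source addresses stays under them, which is exactly the "newer scanning techniques" caveat on this slide. Lower thresholds catch more but also flag legitimate multi-service clients, so tune them against your own logs.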

Page 18

Unsolicited Commercial Email

* Few cases
* Complaints about some local organisation spamming foreign users
* One-off problem, as the offending site normally backs off after the initial complaint
* SingCERT advisory on how to protect against being spammed

Page 19

Virus/Trojan Attacks

* Chernobyl/CIH - malicious, destructive in nature - 350++ cases reported to SingCERT - Apr. 26 - 28
* Happy99, Melissa - harmless
* Netbus, Back Orifice (BO) - trojan programs that can steal info. from your system (spread through email attachments)

Page 20

Email Abuse

* Subscribing someone to porno or product marketing mailing lists
* Email server used as a relay by others
  – Advice is to use a newer version of the email server or to configure the mail server correctly
* Be careful who you give your email account to, especially online web sites

Page 21

Hoaxes

* Fear, Uncertainty & Doubt (FUD)
* Harmless pranks to create FUD
* SingCERT asked to verify whether some virus/trojan warning is a hoax
* E.g. - Celcom Screensaver, Happy New Year

Page 22

Unauthorised System Access

* Exploiting system bugs to gain access to a system
* Common schemes exploit bugs in application programs (buffer overflow) or unnecessary privileges given to certain system programs
* Keep up with the system patches and tune in to the hackers/underground lists

Page 23

System Compromise

* Your worst nightmare
* Intruder has full control of your systems
* Case where a company’s IT infrastructure was taken over by a foreign intruder
  – Intruder used the site to hack other places, leading to a spate of complaints about the company hacking other people

Page 24

Good Practices (1)

* Have a security policy for your site
* If you need to connect to the Internet you need security protection; otherwise do other people a favour and stay off the Net
* Security should be taken seriously, and time and money need to be spent putting it in place and also actively monitoring it

Page 25

Good Practices (2)

Stay in the loop of the latest security happenings and issues

Keep up to date with security patches and security enhancement

Page 26

Detection of Intrusions (1)

How to Detect Intrusion?
– you may have implemented security protection mechanisms
– no mechanism is perfect
– need to watch closely for signs of intrusion
– deploy some form of IDS
– free or commercial
– need customisation before use

Page 27

Detection of Intrusions (2)

Integrity of ID software
– Ensure that the software used to examine systems has not been compromised

Integrity of file systems and sensitive data
– Look for unexpected changes to directories and files
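"Look for unexpected changes to directories and files" and, from the Unauthorised System Access slide, "unnecessary privileges given to certain system programs", together as one added example (not SingCERT's code and not any particular integrity-checking product): a Python script that records a SHA-256 digest and the permission bits of every regular file under a root, then compares a later snapshot against that baseline and reports additions, removals, content or mode changes, and files that newly carry the setuid/setgid bits. The directory tree, file contents and the "tampering" are all constructed inside a temporary directory so the script runs offline.

```python
"""File-system integrity baseline and comparison.

Added example, not SingCERT's code. Stores (sha256, mode) per regular file
and diffs two snapshots; the sample tree and tampering are constructed in a
temporary directory purely to demonstrate what the comparison reports.
"""
import hashlib
import os
import stat
import tempfile

PRIV_BITS = stat.S_ISUID | stat.S_ISGID  # "unnecessary privileges" bits


def snapshot(root):
    """Map relative path -> (sha256 hex digest, permission bits) for every
    regular file under `root`. Symlinks, devices and sockets are skipped."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            base[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode))
    return base


def compare(baseline, current):
    """Diff two snapshots. Every list is sorted; all empty means no change."""
    findings = {"added": [], "removed": [], "modified": [], "new_privileged": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings["added"].append(rel)
            if current[rel][1] & PRIV_BITS:
                findings["new_privileged"].append(rel)
        elif rel not in current:
            findings["removed"].append(rel)
        else:
            old_hash, old_mode = baseline[rel]
            new_hash, new_mode = current[rel]
            if old_hash != new_hash or old_mode != new_mode:
                findings["modified"].append(rel)
            if (new_mode & PRIV_BITS) and not (old_mode & PRIV_BITS):
                findings["new_privileged"].append(rel)
    return findings


def write(root, rel, data, mode=0o755):
    """Helper for the constructed tree: write bytes and set the mode."""
    path = os.path.join(root, rel)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed tree, take a baseline, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        write(root, "bin/login", b"original login binary")
        write(root, "bin/ls", b"original ls binary")
        write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = snapshot(root)

        # Constructed tampering of the kind a compromise leaves behind:
        # a replaced system binary, an edited account file, and a new
        # file that nobody installed carrying the setuid bit.
        write(root, "bin/login", b"replaced login binary")
        write(root, "etc/passwd",
              b"root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        write(root, "bin/.hidden", b"unexpected file", mode=0o4755)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the baseline and the checker itself, which is the "Integrity of ID software" point above it: keep the baseline and the comparison tool on read-only or off-host storage, because an intruder with full control of the host can alter both. Mode bits are included in the digest comparison so that a file whose content is untouched but which has been made setuid still shows up as modified.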

Page 28

Detection of Intrusions (3)

System and network activities
– Inspect your system and network logs
– Review notifications from system and network monitoring mechanisms
– Inspect processes for unexpected behaviour

Physical forms of intrusion
– Investigate unauthorized hardware attached to your organization's network

Page 29

Detection of Intrusions (4)

– Look for signs of unauthorized access to physical resources

Other sources of information
– Review reports by users and external contacts about suspicious system and network events and behaviour

Page 30

Handling Intrusions (1)

Prepare
– Establish policies and procedures for responding to intrusions

Handle
– Analyse all available information to characterise an intrusion
– Communicate with all parties that need to be made aware of an intrusion and its progress, e.g. SingCERT

Page 31

Handling Intrusions (2)

– Collect and protect information associated with an intrusion
– Apply short-term solutions to contain an intrusion
– Eliminate all means of intruder access
– Return systems to normal operation with the help of the incident response team

Follow up
– Identify and implement security lessons learned

Page 32

SingCERT Essential Information

Incident Reporting Hotline: (65) 8746666, (65) 8726198 [Fax]
Operating hours (GMT + 8): Mon - Fri (0830 - 1700); Sat. (0830 - 1300)
Web Site: http://www.singcert.org.sg
Incident Reporting Form: http://singcert.org.sg/incident_report_form.txt

Page 33

Thank You

http://www.singcert.org.sg