Critical National Infrastructure - PowerPoint PPT Presentation

About This Presentation
Title:

Critical National Infrastructure

Description:

'CNI' is an initiative to prepare and protect a country's critical ... ManHunt IDS. Firewall. Pilot infrastructure. Our Home page. Reports. Weekly Event Digest ... – PowerPoint PPT presentation

Slides: 27
Provided by: frode9
Transcript and Presenter's Notes

1
Critical National Infrastructure
  • What is attacking your network, and how do you
    know?
  • By
  • Frode Rein
  • ICT Manager, The Norwegian Parliament
    Stortinget
  • (Nigel Beighton, Symantec, Advance Threat
    Research)

ECPRD Nicosia, 6th November 2003
2
What is CNI?
  • CNI is an initiative to prepare and protect a
    country's critical organisations and
    infrastructure
  • The CNI project is a community-based early
    warning and reporting capability currently in
    development as a pilot by Symantec and selected
    organisations
  • We need early warning, so that we can be prepared, and
    alerts for all of our community.

3
(No Transcript)
4
Events over last 7 days
5
Where did it come from?
[Diagram: Trends: governments need to protect; increase in speed and severity of hit; sector targeting. CNI: organisations need time to be prepared; services; new research; interested in benchmarking; experience]
6
Change in Exploitability of Vulnerabilities
[Chart labels: ..it's easy / ..in theory / ..it can be done]
7
Patch, patch, patch
  • Averaging 90 serious/critical vulnerabilities a
    month!
  • Organisations cannot constantly patch
  • Emergency patches are only tested against the
    vulnerability
  • Not all vulnerabilities lead to attacks
  • Will this vulnerability become the next Blaster?
  • Watch them try it, build exploits, test it and
    start it
  • Need to prioritise which patch to apply, when and
    where
  • You need time to be prepared

8
The Changing Threat Picture
9
Blaster Milestones
[Timeline slide; dates on the axis: July 16, 22, 23, 25; August 7, 11, 13, 16, 31. The milestones below are listed in the order they were extracted, not necessarily in date order.]
  • Buffer overflow vulnerability discovered
  • Microsoft patch released
  • Sample exploit code circulating in the hacking
    community
  • Exploit code captured and made public
  • CNI CORe team begin specific monitoring
  • CNI members advised
  • Symantec sees increase in TCP port 135 scanning
  • Automated tools observed starting to exploit the
    vulnerability on a large scale
  • CNI members contacted directly about Blaster
  • Symantec discover the W32.Blaster worm; virus
    updates released
  • Blaster hit the headlines with reported spread
    affecting 188,000 systems worldwide
  • Broadcast media comment on Blaster
  • Microsoft delisted the windowsupdate.com website and
    averted the denial of service attack
10
Blaster worm
[Chart: unique source IPs (y-axis, 0 to 30,000) against time (x-axis, July 20 to August 10)]
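The chart above plots unique source IPs over time, the signal the timeline slide calls "increase in TCP port 135 scanning". The following is an added example, not from the slides or from Symantec, that computes that count per day from constructed firewall log lines in an assumed "date time action proto src:port -> dst:port" format and flags a day whose count jumps well above the earlier days' average (an assumed baseline rule):

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (assumed format, documentation addresses).
SAMPLE_LOG = """\
2003-08-09 10:01:02 DENY TCP 203.0.113.5:3021 -> 192.0.2.10:135
2003-08-09 12:30:00 DENY TCP 198.51.100.7:1045 -> 192.0.2.10:80
2003-08-10 08:00:10 DENY TCP 203.0.113.9:4410 -> 192.0.2.10:135
2003-08-10 09:22:41 DENY TCP 203.0.113.17:2211 -> 192.0.2.12:135
2003-08-11 00:05:33 DENY TCP 203.0.113.21:1026 -> 192.0.2.10:135
2003-08-11 00:05:34 DENY TCP 203.0.113.22:1027 -> 192.0.2.10:135
2003-08-11 00:06:01 DENY TCP 203.0.113.23:1028 -> 192.0.2.11:135
2003-08-11 00:06:09 DENY TCP 203.0.113.24:1029 -> 192.0.2.13:135
2003-08-11 00:07:15 DENY TCP 203.0.113.25:1030 -> 192.0.2.10:135
2003-08-11 00:07:16 DENY TCP 203.0.113.25:1031 -> 192.0.2.14:135
2003-08-11 01:00:00 DENY TCP 198.51.100.8:2000 -> 192.0.2.10:443
"""

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \S+ (?P<proto>\w+) "
                     r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")

def unique_sources_per_day(log_text, proto="TCP", dport=135):
    """Return {date: number of distinct source IPs} for traffic to proto/dport."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip malformed lines instead of aborting the whole run
        if m["proto"] == proto and int(m["dport"]) == dport:
            seen[m["date"]].add(m["src"])
    return {day: len(ips) for day, ips in sorted(seen.items())}

def flag_spikes(counts, factor=3.0, min_sources=5):
    """Flag days with at least min_sources distinct sources and more than
    factor times the mean of all earlier days (assumed baseline rule)."""
    flagged, history = [], []
    for day, n in counts.items():
        if history and n >= min_sources and n > factor * sum(history) / len(history):
            flagged.append(day)
        history.append(n)
    return flagged

if __name__ == "__main__":
    daily = unique_sources_per_day(SAMPLE_LOG)
    print(daily, flag_spikes(daily))
```

The same functions work on a real firewall export once LINE_RE is adjusted to that product's line format.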
11
Less time to react
12
Timing
[Diagram comparing warning sources against time to the hit: CNI (community defence) activity warning and management monitor, "spotted threat on you" (months/weeks out); DeepSight TMS and DeepSight Alert, technology vulnerability warning and general threat alert ("around the corner", days); the hit itself ("on the doorstep")]
13
Where does the data come from?
  • Symantec's 20,000 internet and private network
    sensors (180 countries)
  • 200 pop-up honey-pots
  • Security Focus Bugtraq
  • Virus response team (and their zoo!)
  • 100M submitting AV systems
  • Internet community (black hat, white hat)
  • External authorities

Directly monitored averages per day:
  • Logs/alerts imported: 400M
  • Triggered events: 250,000
  • Severe events: 300
  • Correlated with 5.5B events and 40M attacking IP
    addresses

Ex. virus!
14
[Diagram: CNI at the centre, with Community Monitor Alert / Early Warning on one side and Community Knowledge / Analysis Reporting on the other]
15
What do we get?
Community Monitor Alert / Early Warning
  • Deep probe activity report (weekly)
  • Online technology vulnerability alerting
  • Security device monitoring
  • Community-specific alerting
  • Online threat reporting

CNI Community Knowledge / Analysis
  • Analysis and trend tracking of events (quarterly)
  • Online community forum
  • Online threat reporting
  • Online regulatory and standard industry
    benchmarking
  • Custom reporting and analysis

16
Important notes
  • CNI will provide observations, probables and
    potentials; these need to be treated
    accordingly.
  • It does not have all data on all companies in all
    segments; the data grows with the community
  • (Public) Device data is initially processed in
    the US (Alexandria central SOC), now moving to
    European-only processing.
  • It is a pilot (experimental) development; input
    is essential

Q. How accurate?
17
What is the Pilot?
  • 6 months
  • Up to 8 sensors monitored
  • DeepSight access
  • Early warning
  • Shared data (anonymised)
  • .. and involvement:
  • Sensor data
  • Workshops
  • Feedback
  • Ideas

and an understanding of the information basis..
18
Our experiences
  • A pilot is a pilot
  • Pros
  • High attention from vendor
  • State of the art technology
  • Cons
  • Deficient routines
  • Reports still in development
  • State of the art technology
  • Time-consuming for the customer
  • No community parliament warning (We are alone ? )

19
Options: data sensitivity
  • Option 1: multiple devices
  • Multi-dimensional analyses
  • Internal and external
  • Comprehensive
  • (Not acceptable)

[Diagram: NIDS, Internet, firewalls and secure log data all feeding the collector]

  • Option 2: outside IDS collector only
  • External only
  • Less comprehensive
  • Acceptable

[Diagram: NIDS, Internet, firewalls, secure log data; only the IDS collector outside the firewall feeds the vendor]
20
Pilot infrastructure
[Diagram: Internet, ManHunt IDS, firewall, LAN Stortinget]
21
Our Home page
22
Reports
  • Weekly Event Digest
  • Emerging Threat Notifications
  • Community Watch Report
  • Deep Sight Alert Service

23
People: our greatest resource
  • This technology/concept is very interesting, but
    without dedicated people within your organisation
    this concept will fail
  • Heavy use of internal personnel resources
  • Incident handling, routines, reports, monitoring
  • Well-educated personnel
  • High requirements for internal IT security and
    networking skills

24
Responsibility
  • In the end you cannot transfer responsibility to
    the vendor
  • Still you have to keep up the high focus on IT
    security

25
Internal handling of CNI information
  • Daily routines and procedures
  • Incident management
  • Incident Response Team
  • Who is doing what in a crisis
  • Who is pulling the plug
  • Who is handling the press
  • Who is responsible for handling forensic evidence

26
Controversial points
  • You have to give something before you get
    something
  • Collecting data from the parliament
  • IDS and firewalls
  • Inside or outside the firewall?
  • What do the MPs say if we tell them that an
    American company is collecting data from IDSs
    and firewalls within their local network?

27
Why join this concept?
  • Parliamentary community
  • European Parliamentary IRT
  • A large community gives high attention from the
    vendor
  • More reliable data from a large community
  • Benchmarking within the community
  • Community warning
  • A problem shared is a problem halved