Download How does it get written up?

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
Document related concepts

Trusted Computing wikipedia , lookup

Cyberwarfare wikipedia , lookup

Information security wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Unix security wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Outlook.com wikipedia , lookup

Cyberattack wikipedia , lookup

Microsoft Security Essentials wikipedia , lookup

Next-Generation Secure Computing Base wikipedia , lookup

Computer security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Mobile security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Cross-site scripting wikipedia , lookup

Transcript 
Writing Security Alerts
tbird
Last modified 5/23/2017 9:07 PM
Agenda
•
•
•
•
•
•
Why?
Where does this stuff come from?
What’s relevant to Stanford?
What’s important enough to bother with?
How does it get written up?
What do I do with it?
Why?
• Many computer intrusions happen
because software is out of date
• Sys admins and users can make more
informed decisions about patches and
threats
Where does info come from?
Vulnerabilities & Patches:
– Vendor bulletins & contacts
• Microsoft, Sun, Cisco, Oracle, Apple, Linux
– Mailing lists
• [email protected], Full Disclosure
– Other reliable sources
• CERT, ISS X-Force, iDefense, Last Stages of
Delirium, Shmoo
Where? cont.
New exploits in the wild & other incidents:
– Mailing lists
• [email protected],
[email protected], FIRST, Shmoo
– Contacts around campus
• island.stanford.edu, Expert Partners, LNAs
– Other reliable sources
• DShield, ISS X-Force
How much information?
• A few hundred email messages a day,
depending on activity – much higher
during major incidents, like RPC attacks
• Most aren’t significant within Stanford
environment – significant means “in use
by enough people to merit a major threat
if patch is not installed, or if attack is not
mitigated”
• What’s enough?
What’s relevant to Stanford?
• Operating systems: Microsoft Windows
2000 & XP, Macintosh OS X, Solaris 7-9,
RedHat & Debian Linux, Cisco IOS
• Applications: Internet Explorer, Outlook,
Office, MS SQL Server, IIS, sendmail,
OpenSSH, Oracle, AFS, Kerberos, Apache,
OpenSSL
• Others?
What gets written up?
• My goal: to distribute information on the
sorts of things I’d be willing to get paged
at 3am about
• i.e.. only send an alert when something is
an immediate threat, or requires
immediate action
• implies that alerts ought to include
recommendations for action!
What gets written up? cont.
Vulnerabilities & patches:
• Issue exists in default install of OS or
widely used application (applies to lots of
people)
• Issue allows remote exploitation, or local
exploitation for systems with lots of local
users (ie. cluster machines)
What gets written up? cont.
• Vulnerability can be triggered with no
action by user, or little action
– RPC attacks
– vulns in Web browsers that can be triggered
via pop-ups
• Vulnerabilities for which there are exploits
in active circulation
What gets written up? cont.
Active attacks
• Issues that are impacting Stanford and/or
the rest of the Internet
• Issues about which the security team is
getting lots of questions
• Issues that can be easily avoided by
updating software or AV signatures
Ah, but…
• Almost all based on information collected
from other sources – very little hands-on
• Consolidate data, reconcile conflicts
between sources, simplify for action by
system admins and end users, tailor to
Stanford environment
How does it get written up?
• Consistent format between alerts
– Summary
– Technical Details
– Countermeasures
– References
Summary
• “End user” language
• Who’s affected: which operating system or
application, which version
• What’s the threat
• What do you do (including URLs if
appropriate)
• Basis of email distribution
Technical Details
•
•
•
•
Where’s the vulnerability
Why does the problem exist
How can it be exploited
For an attack or exploit, what sort of
damage does it do
• Any forensics: logs or other evidence of
exploitation
Countermeasures
• Patches or software updates that mitigate
threat – direct links to downloads by
versions etc.
• Workarounds if available and practical, to
reduce risk from vulnerability or attack
• System recovery – if an attack happens,
what do I do?
A Note on Patch Testing
• We’re not set up to do much yet
• Test Windows and OS X patches with the
Leland and AFS applications
• Working on getting more formalized
testing in place as part of host security
management initiative
References
• Vendor alerts
• Third-party confirmation
• CERT advisories, reports from research
firms like ISS and iDefense
• Enough information for a motivated
reader to reconstruct everything in the
alert
Where do they end up?
• http://securecomputing.stanford.edu/alert.html
• Mailing lists: Expert Partners, LNAs, etc.
• Newsgroups
What do I do with it?
• Do you use the affected system in the
summary?
• Are you responsible for your own
machines? Other people’s?
What’s it look like so far?
• “Security alert process” in place since
December 2002
• We’ve missed some!
• We’d like to think that the RPC attacks of
August & September were not typical…
• Total: 61 in 13 months – so much for 1-2
per month!
40
35
30
25
# of
20
Alerts
15
10
5
Win
Solaris
Other
Oracle
Cisco
0
For more information
http://securecomputing.stanford.edu/alert.
html
http://www.precisionguesswork.com/metaweather.html
Related documents
Proposed System Architecture - BMI 205
Proposed System Architecture - BMI 205
Stanford + Connects 16 x 9 PowerPoint template
Stanford + Connects 16 x 9 PowerPoint template
Distributed Cognition
Distributed Cognition
STANFORD UNIVERSITY Department of Chemical Engineering
STANFORD UNIVERSITY Department of Chemical Engineering
Metabolomics Complexity in Forest Trees Expected from Inron
Metabolomics Complexity in Forest Trees Expected from Inron
Connectionism and Artificial Intelligence
Connectionism and Artificial Intelligence
LinkedIn Experience Sample - Stanford Graduate School of Business
LinkedIn Experience Sample - Stanford Graduate School of Business
Science Matters Posters
Science Matters Posters
Stanford University Physician Presents Effects of Tegreen 97® on
Stanford University Physician Presents Effects of Tegreen 97® on
1 Chapter Overview Defining Operators Creating Jobs Configuring
1 Chapter Overview Defining Operators Creating Jobs Configuring
Snort Intrusion Detection
Snort Intrusion Detection
Emergency Alerts for known Cancer Patients
Emergency Alerts for known Cancer Patients