Assessing cybersecurity_Anto Veldre
Transcript

  • 1. Assessing cybersecurity in a modern State of the digital era - Anto Veldre, Information Security Expert, CERT-EE, Estonian Information System Authority
  • 2. Tallinn, Estonia
  • 3. Milk & gasoline ... http://y.delfi.ee/norm/102149/4987007_FZJEkH.jpeg
  • 4. The lifestyle http://upload.wikimedia.org/wikipedia/commons/0/03/Kakerdaja_raba.jpg
  • 5. State Information System Authority (www.ria.ee)
  • 6. Abbreviations - CERT: Computer Emergency Response Team - CSIRT: Computer Security Incident Response Team
  • 7. CERT typology - Types: national, governmental, ISP or company, university. CERT-EE is nat/gov with a dual constituency (.EE, ASxxxx). Compare to our neighbours: www.ficora.fi. Keyword to remember: the constituency (whom do you work for?)
  • 8. State Information System Authority (1)
  • 9. State Information System Authority (2)
  • 10. State Information System Authority (3)
  • 11. http://liesma.deviantart.com/art/organized-chaos-160240663
  • 12. Basic categories for inventory (an analogy: phone numbers) - IP addresses (like 217.26.147.31) - Netblocks (like 217.26.147.0/24) - Autonomous Systems (AS28990) - Domain names (DNS), like www.xyz.md
  • 13. Estonian Autonomous Systems?
  • 14. Inventory - basics
  • 15. Our Lego - objects we care about: - Timestamp - Category (virus, break-in, DDoS, defacement, SSH doorknock) - IP - FQDN (fully qualified domain name) - URL (http://www.somewhat.md/infection.exe) - An executable (.exe) - MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
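Slides 12 and 15 describe the inventory categories (IP, netblock, AS, domain) and the per-incident "Lego" record a CERT keeps. The following is an added example, not code from the slides or from CERT-EE's tooling: it normalises a raw observation into such a record, derives the FQDN from the URL, hashes the sample, and checks whether the IP falls inside the constituency. The constituency list, the timestamp and the sample bytes are constructed for the example (the netblock, IP, URL and MD5 test string are the ones quoted on the slides).

```python
import hashlib
import ipaddress
from dataclasses import dataclass, asdict
from urllib.parse import urlparse

# Incident categories listed on slide 15; anything else is rejected so that
# tickets and statistics stay comparable across analysts.
CATEGORIES = {"virus", "break-in", "DDoS", "defacement", "SSH doorknock"}

# Netblocks that make up the constituency. Constructed sample using the
# netblock quoted on slide 12; a real CERT loads these from its AS inventory.
CONSTITUENCY = [ipaddress.ip_network("217.26.147.0/24")]


@dataclass
class Incident:
    """One 'Lego' record: the fields a CERT keeps per observed event."""
    timestamp: str
    category: str
    ip: str
    fqdn: str
    url: str
    md5: str
    in_constituency: bool


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a sample, used as the identifier of a downloaded executable."""
    return hashlib.md5(data).hexdigest()


def fqdn_from_url(url: str) -> str:
    """Host part of a URL, lower-cased; empty string if the URL has no host."""
    host = urlparse(url).hostname
    return host.lower() if host else ""


def in_constituency(ip: str) -> bool:
    """True if the address lies in one of our netblocks (ValueError if not an IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONSTITUENCY)


def build_incident(timestamp: str, category: str, ip: str, url: str, sample: bytes) -> Incident:
    """Normalise raw observations into an Incident; rejects unknown categories and bad IPs."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category: {category!r}")
    return Incident(
        timestamp=timestamp,
        category=category,
        ip=str(ipaddress.ip_address(ip)),  # canonical form; raises on garbage
        fqdn=fqdn_from_url(url),
        url=url,
        md5=md5_hex(sample),
        in_constituency=in_constituency(ip),
    )


if __name__ == "__main__":
    # Constructed observation assembled from the values quoted on the slides.
    inc = build_incident(
        "2011-05-20T10:15:00Z",  # constructed timestamp
        "virus",
        "217.26.147.31",
        "http://www.somewhat.md/infection.exe",
        b"The quick brown fox jumps over the lazy dog",  # stands in for the sample bytes
    )
    for key, value in asdict(inc).items():
        print(f"{key:16} {value}")
```

The constituency check is what turns an inbound feed item into work for this particular CERT: an address outside the netblocks is still recorded (a partner may own it) but is not ticketed as our incident.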
  • 16. Important considerations Main equations - technical control != content control - IP address as private data? == a trap
  • 17. Where to find information? - Passive DNS - Netflow statistics - Listening to the Ethernet directly - Web proxy logs, statistics, hostcount ... These are standard tools present in router OSs. - Intel exchange with partners - Honeypots
  • 18. Freedom on the Internet - Candidate information to be censored: - tax-motivated sites - "bad" information: abortion, pr0n, CP, violence - "extremism", incl. religious - device design blueprints, incl. (c)
  • 19. Freedom of information - methods of control: - surveillance - filtering out (DNS or action based) - redirection - intrusion - combined. It is extremely important to draw a clear line between: - Technical monitoring (for viruses, for C&C IPs) - Content monitoring (for the word „terrorist“)
  • 20. CERT: RFC2350 - Constituency - Clients - Authority, legal possibilities - Contacts, security level, pledges - Service library: assisting in ..., solving ..., publishing advisories, reports ...
  • 21. CERT vs LEO • CERT and the community: trusted communities, data feeds • CERT vs intel: technical (IP, FQDN, ASN) vs content. A nightman's job: plumbing and pipes (sewage work)
  • 22. Philosophy behind the CERT • Technical intelligence is the foundation for any CERT • Event vs incident. Ticketing. The 15-minute rule vs reporting & statistics needs • Reporting: earning our salary • People are the heart of a CERT
  • 23. Philosophy behind the CERT (2) • Standard secrecy on the input: takes time to declassify; enables LEO and military contacts • Mobile threats; cloud; automated authentication, joint IDs
  • 24. Incidents (1) * DDoS (2007 and onwards) * malware: - Zeus/SpyEye, Sinowal, etc. - drive-by infections - forum poisoning - false positive on svchost.exe - phishing letter "from eBay" - tax-related mail accounts
  • 25. Incidents (2) - e-mail offending the President - intrusion somewhere (a registrar, a web hoster) - authentication library on "a system" - an APT (Advanced Persistent Threat) - Tasmanian BGP → core network routers down - anchor-related incidents (Baltic Sea)
  • 26. Incidents (3) - domain related incidents - assessing technology incidents (RSA, DN, ID) - comments on public and PR incidents (firesheep) - testimonies at the court (Allaple) - lecturing (at universities, schools …) - i-voting tech support
  • 27. What we do not do (but sometimes we can mediate) - assisting private persons (but sometimes ...) - repairing somebody's installation - copyright enforcement - filtering - content intelligence - pr0n, CP handling
  • 28. People - Seven (7) • Qualifications: - HelpDesk capability - network admin - programmer, coder - teacher, lecturer - CIO or CISO or CISA - system analyst - technical writer
  • 29. Duties - contact point - consultancy - incident handling - input to legislators - advisories on threats - bringing people together - reporting - awareness raising (http://vimeo.com/22067817) - alerting
  • 30. Systems • Mostly free software • Linux/BSD • FireShark, tcpdump, ... • AbuseHelper (see bitbucket, ClarifiedNetworks) • S4A (Snort for all) • VSR - Virtual Situation Room (see bb, C)
  • 31. Trusted Introducer
  • 32. Back to CyberSec
  • 33. CIIP - Critical Information Infrastructure Protection • 2 whales: Communication & Energy • The Emergency Law: Vital Services, 43 fields - PVS: Provider of (a) Vital Service - IOCO: the Institution Organizing the Continuous Operation (of vital services) - CI: Co-ordinating Institution (in charge of containing and resolving the emergency) http://valitsus.ee/en/government-office/government-communication/handbook/crisis-communication http://ee.vlex.com/vid/emergency-act-siseministeeriumi-204964755
  • 34. CIIP workflow - Define vital (critical) areas - Analyze dependencies: - foundation: energy and communications - ICT - other, not directly related to ICT - Define or list vital providers - Communicate, analyze
  • 35. SCADA http://www.parijat.com/scadaproduct/images/MunicipalSCADA-2.jpg
  • 36. Telco • Vital providers in the telco field: - 420 of these in the entrepreneurs DB - 3-4-5 large ones - by definition: has an interchange point
  • 37. Supervision Dept - ISKE (based on IT-Grundschutz by BSI, .de): Information Systems Three-Level Security Baseline - Incident reports, CERT-EE incidents DB - Compliance: problems / deficiencies noted by CERT or CIIP https://www.bsi.bund.de/ContentBSI/Aktuelles/Veranstaltungen/gstag/gstag_201010.html
  • 38. Thank You! Anto Veldre - www.ria.ee | anto.veldre@cert.ee | +372 663 0200 - Estonian Information Systems Authority | Rävala 5, 10112 Tallinn, Estonia