Meletis Belsis - CSIRTs
1. A Computer Security Incident Response Team's Support System
Meletis A. Belsis, Anthony N. Godwin, Leon Smalov
Coventry University, 2002
2. Computer Crime and CSIRTs
Today computer crime is on the rise. Adversaries attack corporate systems daily.
To provide adequate security support, Computer Security Incident Response Teams (CSIRTs) have been assembled. Their job is to gather and organize information coming from security incidents.
Along with that, CSIRTs provide security advice and help to identify the perpetrators.
The security incident information is used to statistically analyze computer crime, to assist enterprises in protecting themselves against known security holes, and for educational purposes.
3. CSIRTs
Currently there are a number of CSIRT teams. Examples include CERT/CC, CIAC and the CERIAS Laboratory.
Each one of these uses its own techniques, tools and policies, and provides a number of different functions to its registered users.
Currently large-scale enterprises try to develop their own internal CSIRT to handle incidents that take place within the corporate IT infrastructure.
Building a CSIRT includes providing solutions to a number of managerial and technical problems. Two of the technical problems are:
the type and structure of the data that need to be stored
the way this data is going to be gathered and accessed
4. Current Incident Data Structures
Every CSIRT uses its own data structures to store details of the security breaches that have taken place.
Generally these concentrate on storing the technical details that an incident includes. The technical details of an attack are useful to technical experts but are far from useful to corporate managers.
In the last few years new trends in hacking have called for collaboration between the CSIRTs.
CSIRTs from around the world need to collaborate and compare their information in order to trace attacks that take place in a number of systems simultaneously.
5. Current Incident Data Structures
Based on the current incident data structures, automatic collaboration is impossible.
This collaboration is currently taking place using telephones or emails, which is a slow process.
A couple of solutions that proposed a common structure are still in a research stage.
Examples of such are the European proposal, Project S2003, and the Incident Object Description and Exchange Format (IODEF).
The authors of this paper have presented their own views in a paper presented at the IFIP/Sec 2002 conference in Cairo.
6. Reporting Security Incidents
The way that incidents are reported and accessed is essential.
Current CSIRTs use off-line media or the Web to allow new incidents to be stored and/or to allow individuals to access this data.
The off-line media are quite insufficient and make the technical experts uncomfortable.
Managing the security of the incident data (Confidentiality, Integrity and Availability (CIA)) when accessed with the previous method is difficult.
7. Limitations of the Web
The Web is insecure. CSIRTs can provide only a fraction of the actual information stored for every incident.
The queries used to search the DB are predetermined. There is no room for smart queries (e.g. show all incidents that had an Apache server as target).
Users, depending on their role, need to see different types of incident data. E.g. security experts need to know the protocols that were used to attack a system; managers need to know the time it took to recover from the attack.
Current interfaces do not allow the development of data views.
8. The CORBA approach
CORBA has been widely proposed and used to access databases.
CORBA allows access from both standalone applications and web-based ones.
CORBA provides a number of security objects that are adequate to fulfill the CIA model.
[Figure: CORBA architecture. Client Object and Server Object communicate through the Object Request Broker (ORB); on the client side the Dynamic Invocation Interface (DII) and the Interface Definition Language (IDL), on the server side the IDL Skeleton, the Dynamic Skeleton Interface and the Object Adapter (OA); CORBA Services (LifeCycle, Naming, Persistence, Security, etc.) and CORBA Facilities (User Interface, Health Care, Financial, etc.); arrows labelled "Operation + Arguments" and "Operation Result + Arguments".]
9. Our proposal
The new system allows access to the incident DB from both a Web-based interface and a standalone application.
Using this we can connect the main security management console that companies have to a security incident DB anywhere in the world.
The registration of incidents could be carried out using automated processes by the security software that detects them.
In addition, security experts can use the management console to access their company's private security incident records and perform statistical analysis.
10. Our Proposal
A Natural Language Interface to DB (NLIDB) is used.
This allows the creation of real-time complex queries using plain English statements.
This allows inexperienced users to perform dynamic searches of the DB.
The NLIDB formats the results depending on the user that is currently logged in, so we do not overflow managers with technical information or technical experts with management information.
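The dynamic search from slide 7 and the role-dependent result views from slide 10, as an added illustration that is not the authors' system: the record fields, the two roles, and the sample incidents are assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass, asdict


@dataclass
class Incident:
    """Assumed incident record mixing technical and management details."""
    incident_id: str
    target: str            # attacked service, e.g. "Apache Server"
    protocols: tuple       # protocols used in the attack (technical detail)
    recovery_hours: float  # time it took to recover (management detail)
    security_hole: str     # known weakness that was abused (both views)


# Fields each role is allowed to see; anything not listed is withheld,
# so managers never receive protocol details and experts never receive
# recovery-time figures.
ROLE_FIELDS = {
    "expert": ("incident_id", "target", "protocols", "security_hole"),
    "manager": ("incident_id", "target", "recovery_hours", "security_hole"),
}

# Constructed sample records standing in for a CSIRT incident DB.
SAMPLE_DB = [
    Incident("INC-001", "Apache Server", ("HTTP",), 6.0, "path traversal"),
    Incident("INC-002", "Mail Server", ("SMTP",), 24.0, "open relay"),
    Incident("INC-003", "Apache Server", ("HTTP", "TCP"), 2.5, "path traversal"),
]


def query_by_target(db, target):
    """Dynamic search such as 'show all incidents that targeted an Apache Server'."""
    return [inc for inc in db if inc.target.casefold() == target.casefold()]


def view_for_role(incidents, role):
    """Project records onto the fields the logged-in role may see."""
    if role not in ROLE_FIELDS:
        raise PermissionError(f"unknown role: {role}")
    allowed = set(ROLE_FIELDS[role])
    return [{k: v for k, v in asdict(inc).items() if k in allowed}
            for inc in incidents]


def incidents_per_hole(db):
    """Simple statistic for the management console: how often each known hole was abused."""
    return dict(Counter(inc.security_hole for inc in db))
```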
11. Our Proposal
Using CORBA security services we can protect incident data much more efficiently (e.g. create better authentication).
CSIRTs can provide new services on demand.
12. Our Proposal
By using CORBA, CSIRTs can interoperate more efficiently.
CSIRTs can exchange incident information much more easily.
The system can be programmed to automate exchanges of information when required.
13. Conclusions
CSIRTs are one of the best weapons against computer crime.
Providing more efficient ways to access incident DBs will allow incident response times to be cut to a minimum. This can be translated into millions of pounds worth of savings.
Interconnecting CSIRTs will create better statistical data, identifying new trends in hacking, and this information will also be used by the authorities for arresting the criminals.
Future plans for this system are to automate updates of security breaches into security tools like intrusion detection systems and firewalls that registered enterprises have.
14. In Correspondence:
Belsis A. Meletis
DKERG, Coventry University,
Belsis@Coventry.ac.uk
www.mis.cov.ac.uk/Research/DKERG/DKERG.html