USCERT: Get Plugged in

1
US-CERT Get Plugged in!
United States Computer Emergency Readiness
Team HTTP//WWW.US-CERT.GOV/
For more detail on slides go to notes view
2
US-CERT Mission

• Protect critical infrastructure in cyberspace
  both public and private sector.
• Analyze and reduce cyber threats and
  vulnerabilities.
• Disseminate Cyber threat information.
• Coordinate incident response activities.
• US-CERT is the
• Nations Security Center to protect the nations
  Internet infrastructure

3
The National Strategy to Secure Cyberspace
provides a framework articulating priorities to
secure cyberspace

• National Cyberspace Security Response System
• National Cyberspace Threat and Vulnerability
  Reduction Program
• National Cyberspace Security Awareness and
  Training Program
• Securing Governments Cyberspace
• International Cyberspace Security Cooperation

4
Operations Branch
5
Vulnerabilities Handled by US-CERT FY-06

• Over 3,872 vulnerabilities reported since October
  05
• 1,293 of the 3,872 were rated as high severity
  utilizing the Common Vulnerability Scoring System
  or other factors
• http//www.us-cert.gov/nvd.html
• http//nvd.nist.gov/cvss.cfm
• These are just the ones we know about that cover
  a wide range of technologies from operating
  systems, devices, and SCADA control systems
• There is no shortage of opportunities for
  exploitation depending on your security posture
  and network cognizance of your environment

6
Vulnerability Handling (2)

• Impact
• What Incremental Benefit Does The Attacker Gain?
• Root compromise
• User compromise (which user?)
• Denial of service (which service?)
• Theres a Distinction Between
• Execute arbitrary code
• Execute arbitrary commands

7
DHS Press Release MS040

• Press ReleasesDHS Recommends Security Patch to
  Protect Against a Vulnerability Found In Windows
  Operating Systems For Immediate Release Office
  of the Press Secretary Contact 202-282-8010
  August 9, 2006
• The Department of Homeland Security (DHS) is
  recommending that Windows Operating Systems users
  apply Microsoft security patch MS06-040 as
  quickly as possible. This security patch is
  designed to protect against a vulnerability that,
  if exploited, could enable an attacker to
  remotely take control of an affected system and
  install programs, view, change, or delete data,
  and create new accounts with full user rights.
• Windows Operating Systems users are encouraged to
  avoid delay in applying this security patch.
  Attempts to exploit vulnerabilities in operating
  systems routinely occur within 24 hours of the
  release of a security patch. This vulnerability
  could impact government systems, private industry
  and critical infrastructure, as well as
  individual and home users.
• Users can apply the Microsoft MS06-040 security
  patch at http//www.microsoft.com/technet/security
  /bulletin/ms06-040.mspx. Home user may prefer to
  go to Windows Update at http//update.microsoft.co
  m and select express to install critical
  security updates, including the MS06-040 security
  patch.
• The Departments U.S. Computer Emergency
  Readiness Team (US-CERT) continues to work
  closely with Microsoft to minimize any impact
  from this vulnerability. US-CERT has issued an
  alert through the National Cyber Alert System and
  conducted a series of briefings with federal
  Chief Information Officers and Chief Information
  Security Officers, and critical infrastructure
  sectors through Information Sharing and Analysis
  Centers. Additionally, all federal agencies are
  required to provide US-CERT with regular updates
  on their patching status.
• DHS recommends that computer users and
  administrators implement the following
  preparedness measures to protect themselves
  against this vulnerability, and also from future
  vulnerabilities, worms, and viruses
• Keep up-to-date on security patches and fixes for
  your operating system. The easiest way to do this
  is to set your system to receive automatic
  updates, which will ensure you automatically
  receive security updates issued by Microsoft. If
  your system does not allow automatic updates, we
  recommend that you manually install the Microsoft
  security patch today through Microsoft Update at
  http//update.microsoft.com/microsoftupdate
• Install anti-virus and anti-spy ware software and
  keep them up-to-date
• Enable a firewall which will help block attacks
  before they can get into your computer
• Do not open emails from unknown sources and do
  not open or execute email attachments that you
  are not expecting even if they come from a known
  and trusted source.
• To access the alerts for this vulnerability and
  for additional information on cyber security tips
  and practices please visit at www.us-cert.gov.

8
Evolving Threats

• New threats/attacks increasing in intensity and
  sophistication
• Federal government and private organizations
  experiencing targeted attacks
• Disruptions affect essential services, government
  operations (availability)
• Loss of data critical to some agencies
  (confidentiality)
• Need new ways to share information and protect
  essential cyber systems

9
Einstein Program Overview

• EINSTEIN collects summary network traffic
  information at agency gateways and provides a
  high level view of the federal government network
  connections.
• US-CERT analysts use EINSTEIN data to correlate
  cross agency network events.
• Agency data available through a secure portal to
  augment CSIRT capability.

10
EINSTEIN Deployments

• Currently 7 active agency deployments
• DHS/NCSD
• Department of Transportation
• Department of State
• Treasury
• SEC
• FTC
• USAID
• Additional 6 agencies in the planning phases of
  deployment

11
Benefits of Deployment

• Improved situational awareness
• Cross agency view
• Is my agency the only one being affected?
• Signatures used to detect unpublished attacks
• Reports from intelligence community used to
  identify network attacks
• No cost to agency
• Hardware, software and support provided by
  US-CERT
• Experienced Cyber Security analysts available to
  work with and augment your CSIRT
• One day training for CSIRT/analysts on SiLK
  (coming soon!)

12
Benefits of EINSTEIN - continued

• Complementary approach to existing security
  technologies
• Signature based Intrusion Detection (NIDS)
• Perimeter technologies (firewall, IPS)
• Helps agencies meet compliance requirements
• FISMA
• FIPS200 Minimum Security Requirements for Federal
  Information and Information Systems
• NIST 800-53 Recommended Security Controls for
  Federal Information Systems.

13
EINSTEIN Success Stories

• EINSTEIN analysts uncovered anomalous traffic
  between agencies identified a security breach.
• From the Washington Post
• "US-CERT spotted an unusual pattern of traffic
  from Agriculture computers and notified USDA
  officials.
• Note US-CERT does not contact the media
  (information kept confidential)
• http//www.washingtonpost.com/wp-dyn/content/artic
  le/2006/06/22/AR2006062201549.html

14
Data Breach Identified by EINSTEIN Analysts
15
(No Transcript)
16
(No Transcript)
17
(No Transcript)
18
(No Transcript)
19
(No Transcript)
20
Summary

• Agency receives at no charge
• Einstein hardware and software
• Technical support
• Cyber Security Analyst access to their respective
  flow data
• DHS provides all data storage
• Data is segregated (protected) from other
  agencies
• Operational user training
• Analysis provided by US-CERT
• Goal is to improve the security posture of the
  agency
• Based on data sharing with US-CERT, the agency
  will gain better insight into cross-agency
  network anomalies
• Compliant With Federal Standards

21
What can you do?

• Get your security teams plugged into the
  Government Forum of Incident Response Teams
• Deploy Einstein gain insight into your agency
  and USG views
• Subscribe to the National Cyber Alert System

22
(No Transcript)
23
Contact

• Technical comments or questions
• US-CERT Security Operations CenterEmail
  soc_at_us-cert.govPGP/GPG key 0xADC4BCEDFingerprin
  t 02FD 5294 A076 0ACE BEB1 929B 3730 09F3 ADC4
  BCEDPhone 1 888-282-0870
• Media inquiries
• US-CERT Public AffairsPGP/GPG key
  0x10A97BACFingerprint 2762 28CF AFF6 EADB 95F4
  6797 857D 91C1 10A9 7BACPhone 1 202-282-8010
• General questions or suggestions
• US-CERT Information RequestEmail
  info_at_us-cert.govPGP/GPG key 0x0A1E0DF7Fingerpri
  nt CFE4 9D1D 6897 44B3 9B85 B25A F575 177B 0A1E
  0DF7Phone 1 703-235-5110
• Information available at http//www.us-cert.gov/
  contact.html