
Cyber Security. Environment, Solutions and Case study.
Special Telecommunications Service
David Gabriel, Buciu Adrian
Contact: gdavid13@sts.ro, adibuciu@sts.ro

Environment
Network/services can be damaged due to:
- Attacks against physical integrity that can modify or destroy the information;
- Unauthorized use of information.

Types of attacks
I) Passive and active attacks
a) passive attacks - the intruder observes the information passing through the communication medium, without interfering with the flow and content of messages;
b) active attacks - the intruder can modify, circumvent or insert false messages into the communication flow.

Environment
II) Denial-of-Service Attacks
Are typically carried out by overloading the system capacity, thereby preventing legitimate users from accessing and using the targeted resource.

III) Defacement Attacks
A defacement attack is carried out by replacing the victim's web page with a forged page whose content depends on the criminal purpose.

IV) Malware attacks
Malicious code (or malware) is any program that can deliberately and unexpectedly interfere with the normal operation of a computer.

Environment
V) Cyber intrusion
Malevolent actors can attack a system by appropriating a legitimate user's identification and connection parameters (e.g. passwords), or through deception and exploitation of vulnerabilities.
The main methods used to obtain the connection parameters of legitimate users in order to gain access to systems are:
- Guessing;
- Deception (social engineering);
- Listening to traffic;
- Introducing a Trojan horse;
- Cracking encrypted passwords;
- Spying on users.

Environment
VI) Spam and Phishing
Spam is the bulk sending of unsolicited e-mail:
- for commercial or publicity purposes;
- for the purpose of introducing malicious software (malware) into the system.
Phishing refers to an attack that uses e-mail to trick or coax web users into revealing sensitive information, which can then be exploited for criminal purposes.

VII) Misuse of some communication protocols

VIII) Cyberattack methodology
The process of committing a cyberattack consists of collecting and searching for the vulnerabilities of the target systems and exploiting them.

Environment
Security criteria
- The capability of a system to continuously deliver services. This depends on the availability of hardware and software resources as well as of services.
- The capability of a system to prevent unauthorized individuals and processes from accessing data. This concerns the preservation of data confidentiality and integrity, which are ensured by: (i) access control procedures such as identification, authentication and authorization with respect to certain permissions or access rights; and (ii) encryption mechanisms.
- The capability of a system to allow only authorized individuals and processes to perform data modification. Here, an integrity criterion is necessary. This involves access control, error control and coherency checking procedures.
- The capability of a system to ensure that specific actions and transactions have actually taken place. This involves traceability, proof, administration, audit and non-repudiation of actions and events.
- The capability of a system to carry out actions and provide the expected services under appropriate conditions of usage and performance throughout its life span. This involves continuity, reliability, user friendliness and operational soundness.

Environment
- CyberDefence - prevent hijacking of computers or computer networks and services;
- Proactive Cyber Defence - not to blame external conditions for the results obtained;
- Sun-Tzu or SunWu first introduced the notion of predictability analysis as part of a strategy to overcome (to win);

Environment
- Large networks generate a huge amount of logs and security events;
- Firewalls, IDS/IPS systems, web servers, authentication systems and other equipment contribute to the growing number of events that need to be analyzed in order to lead to countermeasures;
- SEM (Security Event Manager) - centralized storage and interpretation of logs, managing security events generated by network equipment and services;
- SIEM - Security Information and Event Management;

Environment

SIEM Capabilities:
Data Aggregation: aggregate data from many sources, including network,
security, servers, databases, applications, providing the ability to consolidate
monitored data and helping to avoid missing crucial events;
Correlation: looks for common attributes and links events to each other into
meaningful bundles;
Alerting: the automated analysis of correlated events and generation of alerts,
to notify recipients of immediate issues;
Dashboards: tools that take event data and turn it into informational charts to
assist in discovering patterns, or identifying activity that is not forming a
standard pattern;
Compliance: SIEM can be employed to automate the gathering of compliance
data, producing reports that adapt to existing security, governance and auditing
processes;
Retention: SIEM/SIM solutions employ long-term storage of historical data to
facilitate correlation of data over time and to provide the retention necessary for
compliance requirements;
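As an added illustration of the aggregation, correlation and alerting capabilities listed above (example code written for this page, not part of the original presentation or of any SIEM product): a minimal pipeline that normalizes constructed firewall and web-server lines into one record format, bundles them by source IP and raises an alert when one address produces several denies or failed logins inside a time window. The log formats, field names, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines (not real logs) from two sources: a firewall and a
# web server's authentication log. The timestamp format is an assumption.
SAMPLE_EVENTS = """\
2009-05-01 06:14:02 fw01 DENY tcp 203.0.113.7:51234 -> 198.51.100.10:22
2009-05-01 06:14:05 fw01 DENY tcp 203.0.113.7:51235 -> 198.51.100.10:23
2009-05-01 06:14:40 web01 auth_fail user=admin src=203.0.113.7
2009-05-01 06:15:01 web01 auth_fail user=root src=203.0.113.7
2009-05-01 06:15:30 fw01 DENY udp 192.0.2.9:4000 -> 198.51.100.10:53
2009-05-01 06:20:10 web01 auth_ok user=alice src=192.0.2.9
"""
FW_RE = re.compile(r"^(\S+ \S+) (\S+) DENY (\w+) (\S+):\d+ -> (\S+):\d+$")
WEB_RE = re.compile(r"^(\S+ \S+) (\S+) (auth_\w+) user=(\S+) src=(\S+)$")

def normalize(line):
    """Aggregation step: map a raw line from either source onto one record."""
    m = FW_RE.match(line)
    if m:
        ts, host, proto, src, dst = m.groups()
        kind, detail = "fw_deny", f"{proto} to {dst}"
    else:
        m = WEB_RE.match(line)
        if not m:
            return None  # unknown format; a real SIEM would queue it for review
        ts, host, kind, user, src = m.groups()
        detail = f"user {user}"
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src_ip": src,
            "source": host, "kind": kind, "detail": detail}

def correlate(lines, window=timedelta(minutes=5), threshold=3):
    """Correlation + alerting: bundle by source IP, alert at >= threshold in window."""
    bundles = defaultdict(list)
    for line in lines.splitlines():
        ev = normalize(line)
        if ev and ev["kind"] in ("fw_deny", "auth_fail"):
            bundles[ev["src_ip"]].append(ev)
    alerts = []
    for ip, evs in bundles.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hits = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(hits) >= threshold:
                alerts.append({"src_ip": ip, "count": len(hits),
                               "sources": sorted({e["source"] for e in hits}),
                               "from": first["ts"], "to": hits[-1]["ts"]})
                break  # one alert per IP keeps the demonstration readable
    return alerts
```

Running correlate(SAMPLE_EVENTS) yields one alert for 203.0.113.7 that spans both sources (fw01 and web01), while the single deny from 192.0.2.9 stays below the threshold.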

Solutions
Possible solutions for monitoring, analysis and prevention of attacks can be divided into two main categories in terms of licensing:
- Open source;
- Enterprise.

Open source solutions:
OSSIM - Open Source Security Information Management. Integrates the following software components:
- arpwatch - aimed at detecting abnormalities in OSI layer 2 (MAC);
- P0f - used for passive OS detection and analysis of transitions from one operating system to another;
- Pads - used to detect abnormalities of services;
- Nessus - vulnerability scanner;
- Tcptrack - used to obtain information about sessions and to correlate them with other events;

Solutions
- Ntop - used to build a database of network information;
- Nagios - used to monitor resources (hardware and network services);
- Osiris - HIDS;
- Snort - intrusion detection and prevention system;
- Tcpdump - packet analyzer;
- Syslog server - used for collecting logs from network devices;
- Netflow protocol - used for collecting information about IP traffic;
- HoneyD - creates virtual hosts on the network, used as traps for detecting and preventing attacks;

Solutions
Enterprise solutions:
- ArcSight - a solution that combines traditional security event monitoring with smart correlation and detection of anomalies, using analytical tools and auto repair;
- CheckPoint Eventia Suite - a solution for information and security event management; it has two components, an analysis component (Eventia Analyzer) and a reporting component (Eventia Reporter);
- Juniper Security Threat Response Manager - stand-alone unit for integrated network monitoring to ensure detection of threats, log management and compliance with security policy;

Case study
Web servers report.

Type of event: flood
Traffic is totaled and recorded in the intervals 6:14 a.m. to 6:34 a.m. and 7:11 p.m. to 7:19 p.m. respectively.

Type of event: flood
Traffic is totaled and recorded in the time slot 7:58 p.m. to 9:44 p.m.
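As an added example (not from the original case study or its report), code showing how flood intervals of the kind reported above can be derived from per-minute traffic counts: the counts are constructed to contain two bursts, the baseline is the median minute, and contiguous minutes above a multiple of the baseline are reported as time slots with their totals. The sample figures and the threshold factor are assumptions.

```python
from datetime import datetime, timedelta

# Constructed per-minute request counts for one day (not the case study's real
# figures). Baseline is ~40 requests/minute; bursts are inserted at 06:14-06:34
# and 19:11-19:19 to mimic the first report.
def sample_counts():
    counts = {}
    start = datetime(2009, 5, 1)
    for minute in range(24 * 60):
        t = start + timedelta(minutes=minute)
        hm = t.hour * 60 + t.minute
        flood = (6 * 60 + 14 <= hm <= 6 * 60 + 34) or (19 * 60 + 11 <= hm <= 19 * 60 + 19)
        counts[t] = 4000 if flood else 40 + (minute % 7)
    return counts

def baseline(counts):
    """Median of the per-minute counts: robust against the flood minutes themselves."""
    vals = sorted(counts.values())
    return vals[len(vals) // 2]

def flood_intervals(counts, factor=10):
    """Return (start, end, total_requests) for each contiguous run of minutes
    whose count exceeds factor * baseline; the totals are what a flood report records."""
    limit = factor * baseline(counts)
    intervals, run = [], None
    for t in sorted(counts):
        if counts[t] > limit:
            if run is None:
                run = [t, t, 0]            # start a new run: [first, last, total]
            run[1], run[2] = t, run[2] + counts[t]
        elif run is not None:
            intervals.append(tuple(run))   # run ended: traffic fell back to normal
            run = None
    if run is not None:
        intervals.append(tuple(run))       # run still open at end of day
    return intervals

def fmt(t):
    """Format a timestamp the way the report does: 6:14 a.m., 7:11 p.m."""
    h = t.hour % 12 or 12
    return f"{h}:{t.minute:02d} {'a.m.' if t.hour < 12 else 'p.m.'}"

def report(counts):
    return [f"{fmt(s)} to {fmt(e)}: {total} requests"
            for s, e, total in flood_intervals(counts)]
```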

Conclusion
Methods to overcome such attacks:
- Alternative routing;
- Blackholing;
- Changing the public IP address;
- Monitoring websites with custom scripts developed by internal teams in order to satisfy specific needs;
- Monitoring bidirectional traffic through the internal SIEM platforms;
- Whenever possible, collecting access and error logs on application servers;
- Asking local Internet service providers to block unauthorized traffic;
- Cooperation with national and international CERT teams in order to isolate the incidents;
- Redundancy at the routing level;
- At least one loop to be provided by a service provider in order to ensure scrubbing;

Conclusion
Lessons to be learned by CERT teams in order to be proactive:
- Use methods to study attacks;
- Use methods to detect spam sources and to put them on blacklists;
- Use methods to detect botnet networks and to understand their behavior;
- Use honeypots in order to study the behavior of malware and spam;
- Exchange information between CERT teams quickly and in a standard manner;
- Transport information from the sources that generate alerts to centralized systems through a standardized protocol and in a secure manner;

Conclusion
- Standardization of protocols for log transmission (syslog);
- Use of guidelines such as NIST SP 800-92 for log normalization;
- Integration of events generated by physical protection systems into the security event correlation;
- Assessment of compliance (e.g. PCI, Sarbanes-Oxley, HIPAA);

Conclusion
- Standardization at the advisory level;
- Standardization of incident and data exchange (including statistics);
- Standardization of security event data;
- Standardization for network abuse reporting;

Conclusion
Use of fast databases able to read and write very quickly, at the expense of the relational model. Examples:

MongoDB
If you need dynamic queries; if you prefer to define indexes rather than map/reduce functions; if you need good performance on a large DB;

Cassandra
When writes far outnumber reads (e.g. logging). Writes are faster than reads, so one natural niche is real-time data analysis;

Membase
Any application where low-latency data access, high concurrency support and high availability are requirements.

References
1. http://en.wikipedia.org/wiki/Security_information_and_event_management
2. itu_cybersudy_2009cgdc-2009-e.pdf
3. itu-understanding-cybercrime-guide.pdf
4. http://cassandra.apache.org/
5. http://www.mongodb.org/
6. http://www.apache.org
7. http://www.x-arf.org/specification.htm
8. http://www.arcsight.com/
9. http://www.checkpoint.com/
10. http://www.juniper.net
11. http://communities.alienvault.com/community
12. http://www.tcpdump.org/
13. http://www.balabit.com/ and http://www.syslog.org/
14. http://www.tenable.com
15. http://www.snort.org/
16. http://www.ntop.org/
17. http://www.nagios.org/
18. http://nfsen.sourceforge.net/ (based on nfdump)
19. http://www.virtuallyinformed.com
20. http://www.itu.int/ITU-D/cyb/publications/index.html

Questions?
https://www.stsnet.ro
https://corisweb.stsisp.ro
https://ca.stsisp.ro
http://sks.stsisp.ro:11371
