Crowd-sourcing CyberSecurity through the REN-ISAC Community - Chris O’Donnell - PowerPoint PPT Presentation



SLIDE 1

Crowd-sourcing CyberSecurity through the REN-ISAC Community

Chris O’Donnell

SLIDE 2

REN-ISAC Background

SLIDE 3

MISSION

  • Overall – serve the Research and Higher Education space and promote operational security
  • CSIRT Role
  • Operate a trusted community
  • Work with other ISACs and other external parties

SLIDE 4

FACTS AND FIGURES

▪ Hosted at Indiana University
▪ Board of Directors
▪ Advisory groups
▪ Ad hoc special interest groups and projects
▪ Over 500 member institutions and over 1600 member representatives

SLIDE 5

Threat Landscape

SLIDE 6

INFOSEC IS #1 IT ISSUE IN HIGHER ED, 2016 *AND AGAIN IN 2017*

* Educause Top 10 IT Issues 2016 and 2017

SLIDE 7

THREAT TRENDS

§ Motive?
§ The threat actor is external to the organization
§ Time to compromise is < one hour
§ Time to discover a breach occurred > one day

SLIDE 8

DATA BREACHES IN HIGHER EDUCATION

[Bar chart: number of data breaches in higher education per year, 2005 through 2016; bar values as extracted: 62, 85, 82, 76, 51, 57, 47, 60, 33, 22, 16, 19]

Source: Privacy Rights Clearinghouse

SLIDE 9

WHERE IS EDUCATION ON THE LIST?

SLIDE 10

SENSITIVE DATA BREACHES

SLIDE 11

SLIDE 12

RANSOMWARE

SLIDE 13

RECENT SURVEY RESULTS

What Are You Doing to Mitigate the Risk of Ransomware? (N=27)

  • Increasing employee education and awareness efforts: 19 (70%)
  • Tightening spam filters on email systems: 11 (41%)
  • Accelerating the institution's move to cloud storage: 1 (4%)
  • Reminding system administrators to verify/test backups, check schedules: 9 (33%)
  • Updating institutional policies / standards: 2 (7%)

SLIDE 14

MOBILE

§ Mobile use is increasing
§ Lots of older unpatched OSes
§ 3rd party app stores
§ Malicious apps on primary app stores

SLIDE 15

INSIDER THREAT

SLIDE 16

PHISHING

§ Primary attack vector for online crime
§ Spear-phishing / Whaling

SLIDE 17

RECENT SURVEY RESULTS

SLIDE 18

DENIAL OF SERVICE ATTACKS

§ Amplification via vulnerable protocols, e.g. NTP
§ Increasing use of Internet connected devices (IoT)

SLIDE 19

DENIAL OF SERVICE ATTACKS

SLIDE 20

COMPROMISED CREDENTIALS

SLIDE 21

Crowdsourcing Cybersecurity Through the REN-ISAC Community

SLIDE 22

RELATIONSHIPS

§ Sector ISAC
§ Members
§ 3rd Parties

SLIDE 23

CONCERNS

SLIDE 24

How do we help?

SLIDE 25

CSIRT for EDU Space

SLIDE 26

SOC ACTIVITY – MOSTLY AUTOMATED

Notifications                   Q1         Q2           Q3         Q4
Compromised machines            23,943     16,911       13,589     12,661
Compromised credentials         13,162     1,037,881    5,094      1,141,653
Spam or Phish                   117        86           111        1,995
Vulnerable machines             1          39           2          11
Open recursive DNS resolvers    793        713          607        655
Open mail relays                52         25           37         34
Other                           1          3            5          1
Totals                          38,069     1,055,658    19,445     1,157,010

REN-ISAC CSIRT Activity, YTD 2016

SLIDE 27

SOC ACTIVITY - MANUAL

Notifications               Q1       Q2       Q3       Q4
Notification Questions      429      626      278      194
Password resets             105      100      75       60
Notifications               51       21       50       38
Other                       177      627      477      371
Totals                      762      1,374    880      663
Non-interactive tickets     2,060    2,611    3,302    3,026

REN-ISAC SOC Activity, YTD 2016

SLIDE 28

SHARING INTEL

SLIDE 29

ALERTS, ADVISORIES, AND REPORTS

§ Advisories on various threats
§ Daily Watch

SLIDE 30

COMMUNITY SHARING

§ Community of trusted cybersecurity staff at R&E member institutions
§ Confidentiality, Integrity and Availability
§ Sharing actionable intel for operational protection and response

SLIDE 31

CIF/SES AUTOMATED THREAT INTELLIGENCE

SLIDE 32

PASSIVE DNS – WHAT?

SLIDE 33

[Diagram: My University, the Global Internet and Global DNS; example.com’s authoritative DNS server hosts www.example.com. A user at My University visits www.my.edu, which sends a request to the university’s recursive caching DNS server to resolve www.example.com.]

SLIDE 34

[Diagram, same layout: the recursive caching DNS server asks Global DNS “where is the authoritative for example.com?”]

SLIDE 35

[Diagram, same layout: response from Global DNS to the recursive caching DNS server.]

SLIDE 36

[Diagram, same layout: query from the recursive caching DNS server to example.com’s authoritative DNS server.]

SLIDE 37

[Diagram, same layout: response from example.com’s authoritative DNS server to the recursive caching DNS server.]

SLIDE 38

[Diagram, same layout: response from the recursive caching DNS server back to the user at My University.]

SLIDE 39

[Diagram, same layout: the visit to www.my.edu completes. “Whee!”]
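The diagram sequence above shows the university’s recursive caching resolver fetching answers from Global DNS and from example.com’s authoritative server; passive DNS is the practice of recording those upstream answers (not individual client queries) so an analyst can later ask what a name resolved to and which names shared an address. The following is an added example, not code from the REN-ISAC deck: a minimal passive DNS store fed with constructed sample responses (names and addresses are made up, using RFC 5737 documentation ranges).

```python
"""Minimal passive DNS store (added example; not code from the presentation).

Passive DNS records the *answers* a recursive caching resolver receives from
authoritative servers, not the client queries, so it can later answer
"what has this name resolved to?" and "which names shared this address?"."""
from collections import defaultdict


class PassiveDNS:
    def __init__(self):
        # (qname, rrtype, rdata) -> [first_seen, last_seen, count]
        self.records = {}
        self.by_rdata = defaultdict(set)   # rdata -> set of qnames

    @staticmethod
    def _norm(name):
        # DNS names are case-insensitive; strip the trailing root dot.
        return name.rstrip(".").lower()

    def observe(self, ts, qname, rrtype, rdata):
        """Record one resource record seen in an upstream response."""
        key = (self._norm(qname), rrtype.upper(), rdata)
        obs = self.records.setdefault(key, [ts, ts, 0])
        obs[0], obs[1], obs[2] = min(obs[0], ts), max(obs[1], ts), obs[2] + 1
        self.by_rdata[rdata].add(key[0])

    def history(self, qname):
        """All (rrtype, rdata, first_seen, last_seen) ever seen for a name."""
        name = self._norm(qname)
        return sorted((k[1], k[2], v[0], v[1])
                      for k, v in self.records.items() if k[0] == name)

    def names_for(self, rdata):
        """Reverse pivot: every name that has resolved to this answer."""
        return sorted(self.by_rdata.get(rdata, ()))


# Constructed sample: A records seen between the university's recursive
# caching resolver and example.com's authoritative server (epoch seconds).
SAMPLE_RESPONSES = [
    (1700000000, "www.example.com.", "A", "192.0.2.10"),
    (1700000600, "WWW.example.com.", "A", "192.0.2.10"),   # same record, different case
    (1700003600, "www.example.com.", "A", "192.0.2.20"),   # the answer changed
    (1700003700, "mail.example.com.", "A", "192.0.2.20"),  # another name, same address
]


def build_sample():
    pdns = PassiveDNS()
    for ts, qname, rrtype, rdata in SAMPLE_RESPONSES:
        pdns.observe(ts, qname, rrtype, rdata)
    return pdns
```

Because only the resolver’s upstream answers are kept, the store holds no record of which user at My University asked for a name.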

SLIDE 40

PASSIVE DNS – WHY?

SLIDE 41

EDUCATION

▪ Techbursts
▪ Wikis

SLIDE 42

FUTURE (NOW) THREAT VECTORS

▪ Automated Access Controls
▪ Industrial Control Systems
▪ Internet of Things

SLIDE 43

Wrap up…

SLIDE 44

QUESTIONS?

SLIDE 45

▪ REN-ISAC
▪ http://ren-isac.net
▪ soc@ren-isac.net
▪ (317) 274-7228