1. Putting private and government CERTs to the test
Stefan Frei, Martin May
ETH Zurich: http://www.csg.ethz.ch
Paper download: http://www.techzoom.net/risk
ETH Zurich - Stefan Frei, Martin May - 20th Annual FIRST Conference 2008 - Vancouver - Canada

2. Outline
• We discuss the role of security information providers with respect to today's security ecosystem.
• We identify the best-known sources where security advisories can be found and present a methodology to measure the performance of these information providers.

3. Evolution of the Internet society
• Situation
  • Global Internet penetration and e-commerce have grown explosively over the past years.
  • Information technology has become a backbone of industry and everyday life.
  • The constant discovery, publication and exploitation of new vulnerabilities drives the security risks we are constantly exposed to.

4. Today's challenge
• Challenge
  • Businesses and enterprises need accurate and validated vulnerability information from a trusted source!
  • Many organizations publish information on new vulnerabilities, and even more organizations depend on such sources for security information.
  • What are viable security information sources? The vendor? Security mailing lists? Government CERTs? Private enterprises?

5. Sources of Security Information
• Requirements
  • We want trusted, unbiased and timely security vulnerability information in a standard format.
• Security Information Provider (SIP)
  • CERTs and private-sector services provide security information through the publication of vulnerability advisories.
  • SIPs monitor the (in)security scene, do research and collaborate with vendors to provide security information to the public.

6. Security Information Provider (SIP)
• Sources
  • The most referenced sources of security information:
    • US-CERT, USA, since 1988
    • IBM Internet Security Systems X-Force (XF), USA, since 1996
    • SecurityFocus (SF), USA, since 1996
    • Secunia, Denmark, since 2003
    • FrSIRT, France, since 2005
    • SecurityTracker, USA, since 2001
    • SecurityWatch, USA, since 2004

7. Other Sources
• Exploit archives
  • We also include three well-known exploit archives in our study, to shed light on the "other side" of the security industry:
    • Milw0rm
    • PacketStorm
    • SecurityVulns
• National Vulnerability Database (NVD)
  • Source for the risk rating of vulnerabilities
  • National Vulnerability Database (NVD): www.nvd.nist.gov

8. The role of Security Information Providers

9. Vulnerability Lifecycle
[Figure: timeline with the events Discovery, Exploit, Disclosure, Patch available and Patch installed; the phases between them are labelled Black Risk, Gray Risk and White Risk.]
• Processes & Timing
  • The exact sequence of events varies between vulnerabilities.
  • Different processes are involved in the discovery, exploitation, disclosure and patching of vulnerabilities.

10. Lifecycle Events
• Discovery: by whom?
  • the good > report responsibly
  • the bad > misuse, exploit
• Disclosure: by whom?
  • coordinated disclosure?
  • vendor/public taken by surprise?
• Exploitation: through the bad
• Patching: by the vendor (originator)
  • when is a patch available?
  • when is it installed?

11. Important Processes
• Vulnerability first
  • SIPs monitor the (in)security scene, conduct their own research and collaborate with vendors.
  • These activities result in security advisories.
• Patch first / coordinated disclosure
  • Patches released by vendors get analyzed by SIPs, resulting in a security advisory.
• Exploit first
  • An exploit in the wild gets analyzed by SIPs, resulting in a security advisory.
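The timing model of slides 9 to 11 is easier to reason about on concrete timelines. The following is an added example, not code or data from the study: it takes per-vulnerability event dates, measures the three risk windows of the lifecycle figure, and classifies each case by which of the three processes above produced the advisory. The reading of the figure (black = discovery to disclosure, gray = disclosure to patch available, white = patch available to patch installed) is an assumption, and all dates and names are constructed.

```python
"""Vulnerability lifecycle timing (slides 9-11): days spent in the black,
gray and white risk windows and which process produced the advisory.
Added example with constructed dates; not data from the study."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass
class VulnTimeline:
    name: str                             # constructed label, not a real CVE id
    discovery: date                       # vulnerability found (by the good or the bad)
    disclosure: date                      # first public advisory
    exploit: Optional[date] = None        # exploit publicly available, if ever
    patch_available: Optional[date] = None
    patch_installed: Optional[date] = None


def risk_windows(t: VulnTimeline, today: date) -> Tuple[int, int, int]:
    """Days in each phase of the lifecycle figure. Assumed reading of the
    figure: black = discovery..disclosure, gray = disclosure..patch
    available, white = patch available..patch installed. A phase that has
    not ended yet is measured up to `today`."""
    black = (t.disclosure - t.discovery).days
    gray = ((t.patch_available or today) - t.disclosure).days
    if t.patch_available is None:
        white = 0                         # still waiting for a patch
    else:
        white = ((t.patch_installed or today) - t.patch_available).days
    return black, gray, white


def disclosure_process(t: VulnTimeline) -> str:
    """Classify by what already existed when the advisory came out."""
    if t.exploit is not None and t.exploit < t.disclosure:
        return "exploit first"
    if t.patch_available is not None and t.patch_available <= t.disclosure:
        return "patch first"
    return "vulnerability first"


def exploit_before_patch(t: VulnTimeline) -> bool:
    """True if an exploit was public while no patch existed: the window in
    which an SIP advisory is the only defender-side information."""
    if t.exploit is None:
        return False
    return t.patch_available is None or t.exploit < t.patch_available


# Constructed timelines (dates are made up for illustration).
SAMPLE = [
    VulnTimeline("A", date(2007, 1, 2), date(2007, 1, 10),
                 exploit=date(2007, 1, 12),
                 patch_available=date(2007, 1, 20),
                 patch_installed=date(2007, 2, 1)),
    VulnTimeline("B", date(2007, 3, 1), date(2007, 3, 15),
                 patch_available=date(2007, 3, 15)),   # patch and advisory on the same day
    VulnTimeline("C", date(2007, 5, 5), date(2007, 5, 8),
                 exploit=date(2007, 5, 6)),            # exploit seen before the advisory
]
TODAY = date(2007, 6, 1)                               # end of the constructed observation period


def summarize(today: date = TODAY) -> Dict[str, dict]:
    return {
        t.name: {
            "windows": risk_windows(t, today),
            "process": disclosure_process(t),
            "exploit_before_patch": exploit_before_patch(t),
        }
        for t in SAMPLE
    }


if __name__ == "__main__":
    for name, s in summarize().items():
        print(name, s)
```

Case B has a gray window of zero days (coordinated disclosure), while case C is still open: no patch exists, so its gray window keeps growing and its exploit is usable the whole time. On real data the discovery date is usually unknown, so the black window can only be estimated; the gray window, measured from public disclosure, is the one an SIP can actually observe.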

12. Dynamics of (In)Security
• Very high dynamics at the disclosure date.
• Exploit (red) and patch (green) dynamics before/after disclosure.
[Figure callouts: "Exploits quickly result in security advisories by SIPs"; "Information is badly needed until a patch is available".]
Source: Speed of (In)Security - BlackHat 06 - www.techzoom.net/publications

13. Role of Security Information Providers
• Monitoring
  • SIPs effectively and efficiently monitor the (in)security scene. New security issues are quickly released as security advisories to the public.
• Watchdogs
  • Independent and trusted SIPs act like the free press in an open society: efficient watchdogs that expose important issues to the public!
  • This is an essential role for the well-being and functioning of the security ecosystem.

14. Methodology & Data Gathering

15. Methodology
• Methodology
  • Definition of "vulnerability" and identification of data sources.
• Process phases
  1. Monitor the appearance of new advisories/exploits at 30-minute intervals, since August 2006.
  2. Download and parse all known advisories from the monitored SIPs.
  3. Correlate the information gained in phases (1) and (2).

16. What is a vulnerability?
• Definition of a vulnerability
  • Counting or defining vulnerabilities is a delicate business that depends significantly on the parties involved.
  • Whether something is considered a bug, a feature or a vulnerability may differ depending on whether you talk to a researcher or to the vendor of the affected software.
  • Several different definitions exist ...

17. What is a vulnerability - CVE
• Common Vulnerabilities and Exposures (CVE)
  • A dictionary of common names (identifiers) for publicly known vulnerabilities.
  • A de facto industry standard that has achieved wide acceptance in the security industry, academia and government organizations.
  • CVE is run by MITRE, a non-profit organization working for the U.S. government and chartered to work in the public interest.
Source: www.cve.mitre.org

18. What is a vulnerability - CVE
• Flow of security information
  • A number of organizations in the security community provide CVE with vulnerability information.
  • Since CVE does not rely on one single source, it has a better chance of identifying all publicly known security problems.
  • This process provides a more comprehensive set of vulnerability information for everyone.
• Building the CVE list
  • Submission (analyze, research, process)
  • Candidate stage (submissions, reserved, out-of-band)
  • Entry stage (accepted)

19. What is a vulnerability - CVE
• CVE provides the security community with:
  • A comprehensive list of publicly known vulnerabilities.
  • An analysis of the authenticity of newly published vulnerabilities.
  • A unique identifier for each vulnerability.
• Given the high acceptance of CVE, we assume that any security issue of relevance will eventually get a CVE assigned.
• From the original 321 entries in 1999, the CVE list has grown to over 30,000 entries as of April 2008.

20. CVE Content / SIP Identification (January 1st, 2008)
• 29,797 CVE entries contained 158,779 external references to 77 different sources.
• Sources we cover in this study are marked by (*), covering >50% of the CVEs.

21. Correlation
• Correlation
  • Download and parse security advisories and exploit advisories in the observation period.
  • We used CVE identifiers to correlate security advisories among different sources.
  • We used references (= URLs) in security advisories, NVD and CVE documents to correlate advisories and/or exploits.

22. Measurements

23. Advisories by Source
• Number of unique CVEs covered by advisories of the different sources.
• 6,532 (= 100%) vulnerabilities were published in 2007 (based on the NVD publication date).
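The correlation step of slide 21 and the per-source coverage count of slide 23 can be shown together on a toy data set. The following is an added example, not the study's own tooling: it extracts CVE identifiers and reference URLs from advisory text, links advisories and exploits that carry no CVE to the CVE of other advisories citing the same URL, flags URLs that are ambiguous because they stand for several CVEs, and then counts unique covered CVEs per source against a fixed universe of published CVEs. All advisories, source names, CVE identifiers and URLs in the block are constructed placeholders.

```python
"""Correlating advisories across security information providers by CVE id
and by shared reference URLs, then counting per-source CVE coverage.
Added example; every advisory, CVE id and URL below is constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# CVE ids were CVE-YYYY-NNNN in 2008; \d{4,} also accepts the longer
# sequence numbers allowed since 2014.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
URL_RE = re.compile(r"https?://[^\s)>\]\"']+")

Advisory = Tuple[str, str, str]   # (source, advisory id, text)

# Constructed advisories; the CVE ids and vendor URLs are placeholders.
ADVISORIES: List[Advisory] = [
    ("us-cert", "TA-1", "Buffer overflow in ExampleHTTPd, CVE-2007-9991. See http://vendor.example/adv/1"),
    ("secunia", "SA-1", "ExampleHTTPd buffer overflow (CVE-2007-9991) http://vendor.example/adv/1"),
    ("secunia", "SA-2", "ExampleDB SQL injection, details at http://vendor.example/adv/2"),  # no CVE given
    ("secunia", "SA-3", "Multiple ExampleMail issues CVE-2007-9993 CVE-2007-9994 http://vendor.example/adv/3"),
    ("xforce",  "XF-1", "ExampleDB SQL injection CVE-2007-9992 http://vendor.example/adv/2"),
    ("xforce",  "XF-2", "ExampleMail format string CVE-2007-9993"),
    ("milw0rm", "EX-1", "exploit for ExampleHTTPd overflow, ref http://vendor.example/adv/1"),  # exploit, no CVE
]
# CVEs published in the (constructed) observation period, i.e. the 100% base.
PUBLISHED_CVES: Set[str] = {"CVE-2007-9991", "CVE-2007-9992", "CVE-2007-9993", "CVE-2007-9994"}


def extract(text: str) -> Tuple[Set[str], Set[str]]:
    return set(CVE_RE.findall(text)), set(URL_RE.findall(text))


def url_index(advisories: List[Advisory]) -> Dict[str, Set[str]]:
    """Reference URL -> CVEs named by any advisory citing that URL."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for _src, _aid, text in advisories:
        cves, urls = extract(text)
        for u in urls:
            index[u] |= cves
    return index


def correlate(advisories: List[Advisory]) -> Dict[Tuple[str, str], Set[str]]:
    """(source, id) -> CVEs. Direct CVE mentions win; an advisory or exploit
    without a CVE inherits the CVEs of advisories that cite the same URL
    (one hop only, so a URL-only chain does not propagate further)."""
    index = url_index(advisories)
    out: Dict[Tuple[str, str], Set[str]] = {}
    for src, aid, text in advisories:
        cves, urls = extract(text)
        if not cves:
            for u in urls:
                cves |= index[u]
        out[(src, aid)] = cves
    return out


def ambiguous_urls(advisories: List[Advisory]) -> Set[str]:
    """URLs cited for more than one CVE (e.g. a vendor bulletin fixing several
    issues): URL-based linking is fuzzy for these and should be checked by hand."""
    return {u for u, c in url_index(advisories).items() if len(c) > 1}


def coverage(advisories: List[Advisory], universe: Set[str]) -> Dict[str, Tuple[int, float]]:
    """Per source: number of unique published CVEs covered and the share of
    the universe, the quantity plotted on the 'Advisories by Source' slide."""
    per_source: Dict[str, Set[str]] = defaultdict(set)
    for (src, _aid), cves in correlate(advisories).items():
        per_source[src] |= cves & universe
    return {src: (len(c), round(100.0 * len(c) / len(universe), 1))
            for src, c in sorted(per_source.items())}


if __name__ == "__main__":
    for key, cves in correlate(ADVISORIES).items():
        print(key, sorted(cves))
    print("ambiguous:", ambiguous_urls(ADVISORIES))
    print("coverage:", coverage(ADVISORIES, PUBLISHED_CVES))
```

Two caveats carry over to real data. Coverage is counted in unique CVEs, so a source that publishes several advisories for one CVE is not credited twice, and a CVE outside the universe (published before or after the period) is ignored. URL linking is only as good as the vendor references: a single bulletin URL that fixes many issues maps to several CVEs, which is exactly what `ambiguous_urls` reports.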
