putting private and government cert s to the test
play

Putting private and government CERTs to the test Stefan Frei, - PowerPoint PPT Presentation

Sep 08, 2023 •369 likes •723 views

Putting private and government CERTs to the test Stefan Frei, Martin May ETH Zurich: http://www.csg.ethz.ch Paper download: http://www.techzoom.net/risk ETH Zurich - Stefan Frei, Martin May - 20 th Annual FIRST Conference 2008 - Vancouver -

  1. Putting private and government CERT’s to the test Stefan Frei, Martin May ETH Zurich: http://www.csg.ethz.ch Paper download: http://www.techzoom.net/risk ETH Zurich - Stefan Frei, Martin May - 20 th Annual FIRST Conference 2008 - Vancouver - Canada

  2. Outline � We discuss the role of security information providers with respect to todays security ecosystem. � We identify the most well known sources where security advisories can be found and present a methodology to measure the performance of these information providers. 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 2 NSHS07H8354726

  3. Evolution of the Internet society � Situation � Global Internet penetration and e-commerce growths have experienced an explosive increase over the past years. � Information technology has become a backbone of our industry and everyday life. � The constant discovery, publication and exploitation of new vulnerabilities drives the security risks we are constantly exposed to. 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 3 NSHS07H8354726

  4. Today's challenge � Challenge � Businesses and enterprises need accurate and validated vulnerability information from a trusted source! � Many organizations publish information on new vulnerabilities and even more organizations depend on such sources for security information. � What are viable security information sources? The vendor? Security mailing lists? Government CERTs? Private enterprises? 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 4 NSHS07H8354726

  5. Sources of Security Information � Requirements � We want trusted , unbiased and timely security vulnerability information in a standard format . � Security Information Provider (SIP) � CERT’s and private sector services provide security information through the publication of vulnerability advisories. � SIPs monitor the (in)security scene, do research and collaborate with vendors to provide security information to the public. 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 5 NSHS07H8354726

  6. Security Information Provider (SIP) � Sources � The most referenced sources of security information: � US-CERT , USA, since 1988 � IBM Internet Security Systems X-Force (XF), USA, since 1996 � SecurityFocus (SF), USA, since 1996 � Secunia , Denmark, since 2003 � FrSIRT , France, since 2005 � SecurityTracker , USA, since 2001 � SecurityWatch , USA, since 2004 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 6 NSHS07H8354726

  7. Other Sources � Exploit archives � We also include three well known exploit archives in our study .. to shed a light on the ”other side” of the security industry. � Milw0rm � PacketStorm � SecurityVulns � National Vulnerability Database (NVD) � Source for risk rating of vulnerabilities � National Vulnerability Database (NVD) www.nvd.nist.gov 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 7 NSHS07H8354726

  8. The role of Security Information Providers ETH Zurich - Stefan Frei, Martin May - 20 th Annual FIRST Conference 2008 - Vancouver - Canada

  9. Vulnerability Lifecycle Discovery Disclosure Patch installed Exploit Patch available time Black Risk Gray Risk White Risk � Processes & Timing � The exact sequence of events varies between vulnerabilities. � Different processes are involved in the discovery , exploitation , disclosure and patching of vulnerabilities. 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 9 NSHS07H8354726

  10. Lifecycle Events Process/Event Remarks � Discovery by whom? � the good > report responsibly � the bad > misuse, exploit � Disclosure by whom? � coordinated disclosure? � vendor/public taken by surprise? � Exploitation through the bad � Patching by vendor (originator) � when is a patch available? � when is it installed? 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 10 NSHS07H8354726

  11. Important Processes � Vulnerability first � SIPs monitor the (in)security scene, conduct own research, colaborate with vendors. � These activities result in security advisories. � Patch first/coordinated disclosure � Patches released by vendors get analyzed by SIPs, resulting in a security advisory. � Exploit first � An exploit in the wild gets analyzed by SIPs, resulting in a security advisory. 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 11 NSHS07H8354726

  12. Dynamics of (In)Security � Very high dynamics at the disclosure date. � Exploit (red), Patch (green) dynamics before/after disclosure Exploits quickly Information is result in security badly needed till advisory by SIPs patch is available Source: Speed of (In)Security - BlackHat 06 - www.techzoom.net/publications 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 12 NSHS07H8354726

  13. Role of Security Information Providers � Monitoring � SIPs effectively and efficiently monitor the (in)security scene. New security issues are quickly relesed as security advisories to the public. � Watchdogs � Independent and trusted SIPs act like the free press in an open society: efficient watchdogs to expose important issues to the public! � This is an essential role for the well-being and functioning of the security ecosystem. 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 13 NSHS07H8354726

  14. Methodology & Data Gathering ETH Zurich - Stefan Frei, Martin May - 20 th Annual FIRST Conference 2008 - Vancouver - Canada

  15. Methodology � Methodology � Definition of „vulnerability“ and identification of data sources. � Process phases � Monitor the appearance of new advisories/exploits with 30 min intervals since August 2006 � Download and parse all known advisories from monitored SIPs � Correlate the information gained in phases (1) and (2). 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 15 NSHS07H8354726

  16. What is a vulnerability? � Definition of a vulnerability � Counting or defining vulnerabilities is a delicate business that depends significantly on the parties involved. � If something is considered a bug , a feature , or a vulnerability may differ if you talk to a researcher or the vendor of the affected software. � Several different definitions exist ... 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 16 NSHS07H8354726

  17. What is a vulnerability - CVE � Common Vulnerabilities and Exposures (CVE) � A dictionary of common names (identifiers) for publicly known vulnerabilities. � A de facto industry standard that has achieved wide acceptance in the security industry, academia, and government organizations. � CVE is run by MITRE, a non-profit organization of the U.S government chartered to work in the public interest. Source: www.cve.mitre.org 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 17 NSHS07H8354726

  18. What is a vulnerability - CVE � Flow of security information � A number of organizations in the security community provide CVE with vulnerability information. � Since CVE does not rely on one single source, it has a better chance of identifying all publicly known security problems. � This process provides a more comprehensive set of vulnerability information for everyone. � Building the CVE list � Submission (analyze, research, process) � Candidate Stage (submissions, reserved, out-of-band) � Entry Stage (accepted) 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 18 NSHS07H8354726

  19. What is a vulnerability - CVE � CVE provides the security community: � A comprehensive list of publicly known vulnerabilities. � An analysis of the authenticity of newly published vulnerabilities. � A unique identifier for each vulnerability. � Given the high acceptance of CVE we assume that any security issue of relevance will eventually get an CVE assigned. � From the original 321 entries in 1999, the CVE list has grown to over 30,000 entries as of April 2008. 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 19 NSHS07H8354726

  20. CVE Content/SIP Identification (January 1st, 2008) � 29,797 CVE entries contained 158,779 external references to 77 different sources. � Sources we cover in this study are marked by (*), covering >50% of the CVEs 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 20 NSHS07H8354726

  21. Correlation � Correlation � Download and parse security advisories and exploits advisories in observation period. � We used CVE identifiers to correlate security advisories among different sources. � We used references ( =URLs ) in security advisories, NVD and CVE documents to correlate advisories and/or exploits. 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 21 NSHS07H8354726

  22. Measurements ETH Zurich - Stefan Frei, Martin May - 20 th Annual FIRST Conference 2008 - Vancouver - Canada

  23. Advisories by Source � Number of unique CVEs covered by advisories of different sources. � 6,532 (=100%) vulnerabilities were published in 2007 (based on the NVD publication date) 20 th Annual FIRST Conference - 2008 ETH Zurich, Stefan Frei, Martin May 23 NSHS07H8354726

Recommend

BC Government & BCTF Putting the Students First BC Government & BCTF Putting the

BC Government & BCTF Putting the Students First BC Government & BCTF Putting the

BC Government & BCTF Putting the Students First BC Government & BCTF Putting the Students First BC Publi lic c Schools ools have e 40,000 0 teache hers s and ov over er 500,000 00 stud uden ents s in 60 school ool distric

472 views • 13 slides
CCN-CERT Setting up a Governmental CERT: The CCN-CERT Case Study Sevilla, June 2007

CCN-CERT Setting up a Governmental CERT: The CCN-CERT Case Study Sevilla, June 2007

CCN-CERT Setting up a Governmental CERT: The CCN-CERT Case Study Sevilla, June 2007 Presentation FORUM: 19th Annual FIRST Conference SESSION: CCN Initiative of a Governmental CERT OBJECTIVE: Set the scope and goals of CCN

648 views • 28 slides
August 2019 As a government- enabled organisation, CERT NZs job is to advise everyday New

August 2019 As a government- enabled organisation, CERT NZs job is to advise everyday New

Wanaka Chamber of Commerce Cyber security risks to your business ( and what you can do about it) August 2019 As a government- enabled organisation, CERT NZs job is to advise everyday New Zealanders and organisations on how to avoid or manage

269 views • 22 slides
Kinesio Tape Workshop Richard Cohen, D.C., DABCO, RCRB, Cert MDT, Cert VGT, Cert KT1, KT2, KT3

Kinesio Tape Workshop Richard Cohen, D.C., DABCO, RCRB, Cert MDT, Cert VGT, Cert KT1, KT2, KT3

Kinesio Tape Workshop Richard Cohen, D.C., DABCO, RCRB, Cert MDT, Cert VGT, Cert KT1, KT2, KT3 Team Chiropractor Kings College, Wilkes-Barre, PA History Concept developed by Kenzo Kase in the 70s Introduced to NATA in USA 1995

740 views • 32 slides
(E (EG-CERT) Ahmed Tharwat | Sharm El Sheikh | December 2017 Outline EG-CERT EG-CERT

(E (EG-CERT) Ahmed Tharwat | Sharm El Sheikh | December 2017 Outline EG-CERT EG-CERT

Egyptian Computer Emergency Readiness Team (E (EG-CERT) Ahmed Tharwat | Sharm El Sheikh | December 2017 Outline EG-CERT EG-CERT Hierarchy Operational Framework Key Cybersecurity Threats Capacity Building International

293 views • 14 slides
Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55

Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55

Implementing the IODEF at the CERT/CC Roman Danyliw <rdd@cert.org> INCH IETF 55 Incident Reporting Forms CERT Coordination Center (CERT/CC) Federal Computer Incident Response Capability (FedCIRC) National

437 views • 9 slides
Domestic group Outline: Opportunities Government Private Challenges Government

Domestic group Outline: Opportunities Government Private Challenges Government

Domestic group Outline: Opportunities Government Private Challenges Government Private Reforms Opportunities: government Capital market as the option with Government intervention: Infrastructure bond, bond tied

86 views • 8 slides
(Putting) Teaching to the Test: How SENCERs Course Assessment Tool Protects Innovative

(Putting) Teaching to the Test: How SENCERs Course Assessment Tool Protects Innovative

(Putting) Teaching to the Test: How SENCERs Course Assessment Tool Protects Innovative Teaching SENCER Summer Institute 2017 Stephen Carroll Evaluation of Teaching/Learning At nearly 80% of US colleges and universities, SETs (Student

522 views • 19 slides
The DotGov Program Putting the US Government on the Internet Jessica Salmoiraghi, Associate

The DotGov Program Putting the US Government on the Internet Jessica Salmoiraghi, Associate

Office of Government-wide Policy The DotGov Program Putting the US Government on the Internet Jessica Salmoiraghi, Associate Administrator, Office of Government-wide Policy U.S. General Services Administration What is .GOV? The DotGov Program

288 views • 17 slides
Putting the first targets to the test An update Fraser Range: drilling in progress,

Putting the first targets to the test An update Fraser Range: drilling in progress,

ASX Code: ORN Putting the first targets to the test An update Fraser Range: drilling in progress, encouraging signs Victoria: drilling in progress targeting Cu-Ni-PGE Epithermal gold targets in Queensland: Negotiating access

388 views • 21 slides
Integrated Service Delivery Putting Citizens First In the Digital Age Inter-American Development

Integrated Service Delivery Putting Citizens First In the Digital Age Inter-American Development

Integrated Service Delivery Putting Citizens First In the Digital Age Inter-American Development Bank August 2019 Modernizing Government Context Environment Government Response Fiscal Pressures Retrenchment Changing Political Expectations

592 views • 38 slides
Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports

Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports

MAY 2016 Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports Upcoming opportunities Featured speaker Ben Koshy, Special Ops, MC-CERT Field Searches Outreach Outreach Items WHO: National Institute

599 views • 24 slides
Management and Prevention Debbie Hicks MSc , BA, RGN, NMP, DN Cert, PWT Cert Nurse Consultant

Management and Prevention Debbie Hicks MSc , BA, RGN, NMP, DN Cert, PWT Cert Nurse Consultant

Hypoglycaemia in in Adults in in the Community: Recognition, Management and Prevention Debbie Hicks MSc , BA, RGN, NMP, DN Cert, PWT Cert Nurse Consultant Diabetes Medicus Health Partners Presentation content Statistics relating to

605 views • 24 slides
CERT-SPC: role and mission Cap. G.di F. Gabriele Cicognani - CERT-SPC - Rome, 04.21.2009 Agenda

CERT-SPC: role and mission Cap. G.di F. Gabriele Cicognani - CERT-SPC - Rome, 04.21.2009 Agenda

A modern approach to ICT security in pubblic administration CERT-SPC: role and mission Cap. G.di F. Gabriele Cicognani - CERT-SPC - Rome, 04.21.2009 Agenda SPCs architetture Scenario: security threats The CERT-SPC: role and

562 views • 30 slides
Lecture 32/Chapter 27 Putting Skills to the Test Seven Guidelines Applied to Night Light

Lecture 32/Chapter 27 Putting Skills to the Test Seven Guidelines Applied to Night Light

Lecture 32/Chapter 27 Putting Skills to the Test Seven Guidelines Applied to Night Light Article Chi-Square Analysis of Night Light Data Seven Guidelines (Review) Step 1: Determine if study was sample survey, experiment, obs study,

559 views • 11 slides
Passive DNS @ CERT.at (pDNS) contact: L. Aaron Kaplan <kaplan@cert.at> Tel: +43 1

Passive DNS @ CERT.at (pDNS) contact: L. Aaron Kaplan <kaplan@cert.at> Tel: +43 1

Passive DNS @ CERT.at (pDNS) contact: L. Aaron Kaplan <kaplan@cert.at> Tel: +43 1 505 64 16 / 78 Idea & credits: Florian Weimer, BFK pDNS @ CERT.at passive DNS: Idea to capture the DNS answers and give them a timestamp.

336 views • 6 slides
1 1.Variation in the Wedge between Social and Private Returns 1. Economists Solutions to

1 1.Variation in the Wedge between Social and Private Returns 1. Economists Solutions to

1. Why do Governments Have R&D Outline and Innovation Policies? 1. Economic rationale for government support of Social return to R&D>Private return => private The Economics of R&D Tax private R&D. sector

495 views • 5 slides
Montgomery County CERT General Meeting Tonights Agenda CERT Business Upcoming Schedule

Montgomery County CERT General Meeting Tonights Agenda CERT Business Upcoming Schedule

JANUARY 2017 Montgomery County CERT General Meeting Tonights Agenda CERT Business Upcoming Schedule GoTeam in 2017 Reports Reports Teen CERT Instructors needed; Contact Kathee if available Sessions are Sunday and

762 views • 38 slides
Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports

Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports

JUNE 2016 Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports Upcoming opportunities Table toping an EVAC drill? Review protocol and technique Information needed; communications Stair chair;

402 views • 27 slides
Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports

Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports

JANUARY 2016 Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports Upcoming opportunities Winter Preparedness Outreach Operations Santa Run Report Response was fair to good Sat. easier to staff

685 views • 53 slides
Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports

Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports

SEPTEMBER 2016 Montgomery County CERT General Meeting Tonights Agenda CERT Business Reports Upcoming opportunities Calendar review Guest Speakers Beth Anne Nesselt, MCFRS Community Outreach Bat. Chief James Resnick,

439 views • 32 slides
April 17, 2018 Budget Management - Private Business vs Government Private Business works with an

April 17, 2018 Budget Management - Private Business vs Government Private Business works with an

PSFRD Stakeholders Task Force April 17, 2018 Budget Management - Private Business vs Government Private Business works with an annual budget used as a guideline for their business activities. This document is never changed subsequent to Board

269 views • 10 slides
Montgomery County CERT General Meeting Tonights Agenda General Meeting Recent CERT

Montgomery County CERT General Meeting Tonights Agenda General Meeting Recent CERT

JANUARY 2014 Montgomery County CERT General Meeting Tonights Agenda General Meeting Recent CERT Activity Outreach IT Training HR Social Media General announcements Recent CERT Activity Sunday Monday Tuesday

671 views • 31 slides
ROLE OF CERT-GOV-MD and cooperation at national level Na Natalia SPINU NU, Ch Chief, C ,

ROLE OF CERT-GOV-MD and cooperation at national level Na Natalia SPINU NU, Ch Chief, C ,

ROLE OF CERT-GOV-MD and cooperation at national level Na Natalia SPINU NU, Ch Chief, C , CERT-GO GOV-MD MD, S , S.E .E. C . CTS AGENDA 1. Introduction 2. CERT-GOV- MD: organization and operational capacities 3. CYBERSECURI TY

529 views • 32 slides

More recommend