Leif Nixon (European Grid Infrastructure), Sven Gabriel (EGI-CSIRT), Tobias Dussa
The European Grid Infrastructure (EGI, http://egi.eu/) is a distributed environment spanning roughly 150,000 cores and 200+ PB of storage at 348 sites in 57 countries. Approximately 14,000 users from all over the world are currently using this infrastructure.
This presentation will cover the challenging task of maintaining operational security within the EGI infrastructure, and how the incident response capability of sites is measured and exercised through large-scale security drills, closely simulating real incidents.
MD5: 92c30fe8ce7b76b06220b1d610fb6021
Format: application/zip
Last Update: June 7th, 2024
Size: 235.64 Mb
Richard Puckett
This session will cover advances and lessons learned from Cisco's internal and external implementations of Cloud Computing, ranging from SaaS to IaaS, and the common-sense security practices we're implementing as we pursue an expanding footprint in the Cloud space. Topics will include specifics of our overall Cloud security plan, the 15-point assessment model (inclusive of forensics, investigations and e-litigation support requirements) that Cisco has developed for assessing Cloud offerings, and steps we're taking to update the security policy and process components associated with Cloud integration in the Enterprise.
MD5: efed49a64d22818b8228bc04e15cdb94
Format: application/zip
Last Update: June 7th, 2024
Size: 7.26 Mb
Tillmann Werner (Kaspersky Lab)
**Presentation available to FIRST membership only**
Botnets are disposable products these days. It is usually only a matter of time until actions are taken to disrupt a botnet infrastructure, which is especially true for the successful ones. Interestingly enough, while peer-to-peer botnets are generally assumed to be extremely resistant to takedown attempts, they turn out to be relatively weak. In this presentation we will discuss a recent P2P bot, which is still active, and have a look at its inner workings. We will also touch on possible ways to counter this botnet and review the limitations that stop people from taking action against it. We reverse-engineered the custom communication protocol, which allows us to track the botnet in real time. This gives us some insight into how the botnet's machinery works, what it is used for and how it evolves. For example, the collected data reveals how spam campaigns are designed and how successful they are in terms of how many people visit the advertised URLs. With in-depth knowledge of the protocol we are able to create our own software that takes part in the collective and communicates with other infected machines. What's more, these insights also reveal architectural flaws in the botnet design which may be of interest when it comes to takedown efforts. This opens up a new angle for interactions with the botnet. However, current legal boundaries make it difficult to actually use this knowledge outside the laboratory. The presented case is especially interesting as it is an example where all technical means for a botnet takedown are available, but the legal and ethical questions remain unresolved. We believe that this is a nice case study in light of the ongoing discussion about the feasibility and effectiveness of botnet takedown attempts and that as such it can greatly inspire the discourse.
MD5: db365690887f9ff475299bee0c952062
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.7 Mb
Holly Stewart (Microsoft, US), Tom Cross (IBM Internet Security Systems)
Most of us in the industry either have a vulnerability disclosure process in place or at least understand the tenets of what one entails, but what about exploitation disclosure? Could there possibly be any benefits to working with an affected vendor when you discover exploitation in the wild?
Holly will walk through several scenarios and conditions where coordinating the disclosure of in-the-wild exploitation can provide better service to your organization and to the general public at large. Holly will also discuss the new model of exploitation disclosure that she has helped put in place at the Microsoft Malware Protection Center.
MD5: 565ff7241f48526910ee1774fe2f1713
Format: application/pdf
Last Update: June 7th, 2024
Size: 650.15 Kb
Joern Bratzke (Recurity Labs), Robert Tezli (Recurity Labs)
Rich Internet Applications that make use of browser plugins like the Adobe Flash player are often attacked in malicious ways, for instance to distribute malware to users or to exploit parser errors in the runtime itself. In order to defend against those threats, even those which are not yet known, a novel approach has been chosen and developed. The talk presents this simple but effective approach for securing Adobe Flash content before using it. The security threats presented by Flash movies are discussed, as well as the inner workings that allow such attacks to happen. Some of those details will make you laugh, some will make you wince. Based on the properties discussed, the idea behind the defense approach will be presented, as well as the code implementing it and the results of using it in the real world.
MD5: 653f10c80013bcaff9fbda149e66e51d
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.03 Mb
Jeff Williams
Rustock, Lethic, Cutwail, Bobax, Grum, Waledac, Rbot, Pushbot, Rimecud and others are all families of botnets which, collectively, have been removed from millions of computers. In spite of the capability of anti-malware software there are still millions of infected computers, because of detection gaps due to frequent malware updates as well as the hundreds of millions of computers running without up-to-date anti-virus software or with no AV at all. As the Conficker Working Group, Operation b49 and other collective efforts to respond more holistically to these threats have demonstrated, there are other actions which can be taken to protect the Internet as a whole. This talk will focus on notable botnet families and their prevalence, give an update on Project MARS, and cover how it is possible to measure, analyze, notify and protect our customers and constituents.
MD5: af792d35a45e56e53c06b522daa2f1ed
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.6 Mb
Eugene Kaspersky (Kaspersky Lab)
MD5: 908b6017fdd2fb61488ac1af55bfabcd
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.51 Mb
Jae Ho Ahn, Jin Myeong Chung
ECSC handles the individual incidents of more than 11,000 education organizations and consolidates them so that intrusion threats can be analyzed and responded to effectively. I am going to introduce the way we collect, analyze and integrate the information reported by this large number of education organizations. The presentation will show how we analyze the correlation between security information from disparate devices.
There are more than 11,000 education organizations (primary and secondary schools included) in Korea. The amount of information collected from these organizations is immense. ECSC developed its own data collection methodology and manages its incident response system using that information. This system consists of 6 core modules, and the presentation will describe these modules and an effective analysis method for handling them.
MD5: be9801332a7cc92cb08d599978c38ec1
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.27 Mb
You Nakatsuru
The Japanese Cyber Clean Center (CCC) project was launched in December 2006 with the aim of combating the threat of wide-spreading bots, as well as to promote countermeasures. The project ends in March 2011.
This presentation covers the overall CCC activities of five years, including the most recent updates, and introduces the achievements as well as the various findings obtained.
Furthermore, it explains the current situation in Japan after the completion of the CCC project.
MD5: d189c0ddfece3dd6c00d0295a8bca1d2
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.55 Mb
Mwende Njiraini (Former Chair ITU-T SG17 Regional Group for Africa, KE)
The mobile phone has become the standard means of communication in Kenya, providing basic voice and data services. Though the volume of voice traffic continues to grow, averaging 6.63 billion minutes as of September 2010, mobile data services including SMS, Internet, premium rate, mobile money and banking services hold a high growth potential.
With mobile penetration averaging 60% and 99% of the approximately 3.2 million internet/data subscriptions being through mobile phones, mobile telephony has changed the perception of cybersecurity in Kenya. Additionally, the range of critical services delivered over mobile networks continues to increase. Of particular concern is mobile money, which has gone beyond its initial role of providing financial services to the unbanked population to providing value-added services, including payment of utility bills such as water, electricity and pay-TV.
Each of the four mobile operators in Kenya has a variant of mobile money services: Safaricom offers M-pesa; Essar Telecom, Yu-cash; Telkom Kenya, Orange-money; and Airtel Networks, Airtel Money. However, the entry of network-agnostic mobile money providers, mobile number portability and the potential implementation of money mobility across networks will undoubtedly increase the complexity of cybersecurity threats.
Using relevant examples, this presentation will explore the changing landscape of cybersecurity in Kenya as influenced by mobile services.
MD5: 1c858908141a3ce3c236d4ce4aec7447
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.75 Mb
Iftach Amit (Security & Innovation)
The industry is saturated with penetration testing experience and has adapted itself to testing organizations using "best practice" methodologies over the past decade or so. With not a lot of change happening in the field, organizations find themselves on the defensive with not a lot to account for when data breaches happen.
In this presentation we will offer an alternative view of how a security test is done, with a strong focus on the data exfiltration techniques employed by advanced attackers and criminals. After an overview of the initial phases in which an attacker infiltrates a business (common knowledge), we will explore the targeting considerations when choosing what to look for, as well as advanced techniques for getting the data out without being detected.
Finally, some approaches to data monitoring and control will be proposed in order to mitigate the techniques that are already in use and have affected large organizations.
MD5: 84e4a83547eb7bbdd8fe00b8a6925894
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.93 Mb
Patrick Cain (Anti-Phishing Working Group, US)
The APWG publishes a large set of statistics. As General Motors CFO Chris Liddell says, "Anybody can produce data. It's harder to produce information. The real key is producing an insight." This presentation will correlate data from APWG statistical reports, including the URL Block List and the bad domain report, with others' data and our internal data to offer insight into the past year in eCrime and compare it with historical trends and countermeasures. This presentation will offer insight into the eCrime world as seen through the APWG's statistics. One challenge in mining our data is trying to use the same data model for data received from multiple reporting sources. As such, we also propose a way to measure eCrime based upon risk, to make the statistics more consistent across reporters.
MD5: 2c05793451ebc0d5e48b0e5d321f3967
Format: application/pdf
Last Update: June 7th, 2024
Size: 291.27 Kb
Patrick Gray
MD5: 24d323009a160e2ccf8e7e48e6d72dff
Format: application/pdf
Last Update: June 7th, 2024
Size: 3.74 Mb
Kenneth R. van Wyk (FIRST.Org, US)
Today's smart phone application environment closely resembles a "gold rush" environment, with hundreds of thousands of applications being developed, often by small-scale software developers with little or no security experience. As a result, many apps are being released before adequate security reviews have been done. Incident responders are well advised to learn about the underlying problems and technical issues faced in developing and deploying smart phone apps so that they can be best prepared to handle security incidents. This session provides an overview of the security hurdles, pitfalls, and mechanisms provided by Apple's iOS platform and application architectures. Additionally, techniques for testing the security of iOS apps, both statically and dynamically, are covered and demonstrated. The session will provide incident responders with a rapid immersion into the essential security issues faced in the iOS app world.
MD5: d45828650e004c8eaad7f5f98b87f363
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.4 Mb
Melissa Hathaway (Hathaway Global Strategies, LLC )
The Internet has co-mingled and connected every nation and nearly all essential services, and has blurred the lines between sovereign assets and commercial space. This digital entanglement of private and public infrastructure has occurred over time, since the dawn of the Internet. This presentation will describe the history of technology innovation around the Internet, describe the early adopters, and illustrate the economic benefits and security challenges.
MD5: da004e0a71fdd251f3cdc2a6755b2932
Format: application/pdf
Last Update: June 7th, 2024
Size: 6.28 Mb
Peter Kruse (CSIS Security Group, DK)
During the past four years the CSIS Security Group eCrime unit has been investigating a group of IT criminals known as "The Patcher Gang".
The Patcher attack is by far the largest targeted attack against Denmark ever seen, with more than 10,000 infected PCs registered during a period of 6 months. The attack was performed in two separate waves spanning over a year. This presentation will focus on the malware family known as BankPatch/Multibanker/Patcher/NadeBanker.
The aim of this technical presentation is to document how this specific banker circumvents eBanking solutions using a combination of MiTB (Man in The Browser) tricks and manipulation of certain Java applets. We will also show how operations are controlled through a frontend C&C server and a backend SQL-based database.
The Patcher gang usually buys "pay per installs" from people tied to the Mebroot/Torpig gang. During the past 4 years they have been performing attacks against Holland, Denmark and Greece, but for the past 6 months the Patcher gang has changed its geographical focus to the US, Germany and Switzerland.
The botnet used to control infected hosts consists of approximately 10,000 infected PCs.
The presentation will be divided into the following topics:
- Patcher malware in details
- Infection stats
- How does the group operate?
- Profiling the group
- Anti-virus detection stats
- How we mitigated this attack working with ISP's and Law Enforcement
- How to battle eCrime in the future - working together
The Patcher presentation will be done by Dennis Rand and Peter Kruse from CSIS Security Group A/S, eCrime Unit, http://www.csis.dk
MD5: be3fe3d8d3eb808bca49bcceaab8d057
Format: application/pdf
Last Update: June 7th, 2024
Size: 5.57 Mb
Rod Rasmussen (IID)
As businesses have moved most of their operations online, from payment transactions to email to content, they have turned to a web of partners, Software as a Service (SaaS) vendors, payment systems providers, Internet service providers (ISPs), etc. These organizations, collectively known as an extended enterprise, have quickly turned into an essential framework for conducting business online.
But with this extended enterprise, a dangerous new security threat has emerged. Just ask CheckFree, Comcast, Twitter, and even the international oversight body for domain names itself, ICANN. Their Domain Name System (DNS) infrastructure was hijacked through an extended enterprise partner, giving criminals sudden access to hundreds of transaction partners' web operations and therefore to millions of customers' vital personal information.
So how exactly are cyber criminals targeting organizations through the extended enterprise, and what needs to be done to mitigate such security threats? Rod Rasmussen, Internet Identity President/CTO and leading expert on DNS abuse, will address this growing problem.
MD5: 7894b7bb3321f7dd22316f1c67fd5795
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.92 Mb
Maarten Van Horenbeeck (Microsoft Corporation, US)
Maarten Van Horenbeeck is a Senior Program Manager in the Microsoft Security Response Center (MSRC). Maarten manages Microsoft's efforts to share information on security vulnerabilities with third-party security software providers, government agencies and national CERT teams. Prior to this work at Microsoft, Maarten was a security consultant to private industry and government on security investigations, during which he investigated several instances of persistent targeted attacks.
Vulnerability exploitation in the service of criminal behavior can generally be grouped into one of two classes. One group of actors aims for the masses, and exploits users in an opportunistic way. Their goal is generally to garner denial-of-service power, financial information or access credentials using the sheer size of the attack. Another group aims for very specific data that can be monetized, often only from a single organization or user. This latter group is often referred to as the "Advanced Persistent Threat". This presentation will cover the techniques used in persistent, targeted attacks over the last few years, and how they have evolved. Particular attention will be given to the exploitation of document file format vulnerabilities, as well as DNS-based tracking techniques. Investigative results will be shared from a number of actual, real-life attacks. In addition, the presentation will provide a basic framework that organizations can use to identify their maturity level in defending against and responding to persistent, targeted attacks.
van-horenbeeck-maarten-slides.pdf
MD5: 876f29d9530f6b46624e78a23e69ab30
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.65 Mb
Brian Krebs (Krebs on Security, LLC)
Last year, insiders stole the confidential customer and affiliate databases from two of the largest rogue Internet pharmacy programs: generic pill mills advertised via spam botnets and black-hat search engine trickery. Through routes both comical and creepy, the two databases wound up in Krebs's hands. He has been mining the data ever since for nuggets of insight into the structure and day-to-day operations of these online apothecaries, and has interviewed dozens of buyers to find out what motivated them to purchase and ingest pills ordered through spam. In his keynote, Krebs will explain how this misunderstood marketplace is evolving well beyond little blue pills, and how the growing demand for knockoff prescription drugs is driving much of the cybercrime economy today.
MD5: 49eb750d81894ad24984aae8465a64cc
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.05 Kb
Christopher Day (Terremark Worldwide)
Terremark designs its security systems, operations, and incident response capabilities around the concept of “intrusion suppression”. The central tenet of intrusion suppression is that while we strive to harden our information systems against attack and adhere to best practices for information security administration and compliance, we assume the systems we are trying to protect are always vulnerable to a sufficiently motivated and skilled attacker and can be compromised. Intrusion suppression relies on the capability to know when a system has been compromised and react to that compromise quickly enough to reduce or eliminate the damage caused. Fundamentally, an intrusion suppression model cannot rely on traditional signature-based systems and must utilize more advanced tools and techniques including integrating a comprehensive threat intelligence capability. This presentation will outline the processes we use as well as the tools and techniques that work for us in our environment.
MD5: 25845667538e115c89c9120c05c6f436
Format: application/pdf
Last Update: June 7th, 2024
Size: 94.92 Kb
Marc Feidt (European Commission)
Marc J. Feidt holds a degree in Computer Science from the University of Karlsruhe since 1979.
He started his career as a software developer in the field of compiler construction and simulation systems. Subsequently, he worked for several years as a consultant for relational database design, migration and operations.
Since he joined the European Commission in May 1989, he has continued working in the IT area, first at Eurostat, then the Informatics Directorate and finally at Directorate-General for Informatics (DIGIT).
In 2004 he was appointed Head of Unit for Planning and Resources in DIGIT and since 2008, he became responsible for the unit in charge of Corporate Infrastructure Services within DIGIT.
The unit "Corporate Infrastructure Services" provides the Commission with a secure, reliable and high-performance corporate Information Technology and Telecommunications infrastructure. The unit's service portfolio comprises the physical network infrastructure service, the data network services supporting internal and external data communications (including the sTESTA network) and the IT infrastructure services in the Commission's Data Centres.
Marc is a member of the “Gesellschaft für Informatik (GI)”.
MD5: 14de42edcb5d3384b7a972e98542da92
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.44 Mb
Andreas Schuster (Deutsche Telekom AG, DE)
Timestamps help an incident responder and forensic analyst to correlate events and artifacts. The presentation will explain methods to distill time stamps from a multitude of sources, like web browser history files, server log files, EXIF headers of digital images, recorded network traffic, and the remains of Windows processes in memory dumps. In addition, a simple method to locate potential time stamps in unstructured data will be discussed. The presentation will then explain means to filter and compact data, and explain how to correlate time stamps originating from different clocks and time zones. An important part of the presentation will be to explain the well-known open source tool "log2timeline" by Kristinn Gudjonsson and handling of its various import and export modules. Finally, free and commercial visualization tools for timelines will be discussed and demonstrated.
MD5: e2a0129b959ef3890aa50ecc7589b5a9
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.51 Mb
John Stewart (US)
**Presentation available to FIRST membership only**
Since well before the Internet's inception, security professionals have been fighting the good fight to protect information technology systems and infrastructure from those who would try to disrupt business, steal information, or do us harm. Today, we continue to grapple with new and varied electronic security threats: from nation-state attacks to the WikiLeaks exposure and SCADA vulnerabilities; from ID theft to phishing to unseen bots controlling our systems; from cyber-bullying to… the list goes on and on. What effect do these threats have on our confidence and assurance in information security? While security professionals have come a long way in developing and delivering on the technologies, processes, and behavioral changes that improve information security, there is still certainly far to go. We must learn from our past to ensure that we don't reenact the mistakes of yesterday, and are able to move the security needle forward effectively and with confidence. As computer scientist Alan Kay says, "the best way to predict the future is to invent it." It's time to invent a better future. Join Cisco Vice President and Chief Security Officer, John N. Stewart, as he shares his perspective on some of our past successes, discusses today's security challenges, and proposes new models and approaches to close the cybersecurity gap and improve our future security posture.
MD5: cf776709231080e6061593b5b6728252
Format: application/pdf
Last Update: June 7th, 2024
Size: 10.49 Mb
Anu Puhakainen (Ericsson), Mikko Karikytö (Ericsson)
**Full presentation available to FIRST membership only**
The presentation gives examples of past security incidents that occurred in mobile telecommunications networks, from a telecom vendor's perspective. The majority of the incidents are not product vulnerabilities but reflect, for example, a lack of security procedures. This presentation summarizes common denominators of security incidents and discusses what should be learnt from them.
karikyto-puhakainen-slides.pdf
MD5: 7dc33eb50f51e1beb30646fa3b38a474
Format: application/pdf
Last Update: June 7th, 2024
Size: 256.34 Kb
Multiple
MD5: 0ba3b4e5c505984b8382676ab64daff6
Format: application/pdf
Last Update: June 7th, 2024
Size: 511.54 Kb
MD5: e834e83d723e6857777ac78faa5af636
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.04 Mb
MD5: 090de3dfd03e8913596b7478d14be63d
Format: application/pdf
Last Update: June 7th, 2024
Size: 183.87 Kb
MD5: d01d8b9ac2d4901422663b7fda31523a
Format: application/pdf
Last Update: June 7th, 2024
Size: 544.4 Kb
MD5: 9c78735572fa58163440d8da7a1e3442
Format: application/pdf
Last Update: June 7th, 2024
Size: 371.63 Kb
MD5: d02fd7191dfc33c4a02fed1ad65db5ab
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.56 Mb
MD5: f19ce676c41f09389fc24933b0090aae
Format: application/pdf
Last Update: June 7th, 2024
Size: 172.55 Kb
MD5: ac4559c53a9a6d3008dd6000a28b0c0b
Format: application/pdf
Last Update: June 7th, 2024
Size: 52.86 Kb
MD5: f4b4ea00295b493a07ad056fb8f872fe
Format: application/pdf
Last Update: June 7th, 2024
Size: 986.12 Kb
MD5: aeed10b5e246f8fd4bcdb269b8cc123e
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.96 Mb
MD5: 46e72d92891b42f6838d5a41d37e6bc5
Format: application/pdf
Last Update: June 7th, 2024
Size: 9.84 Mb
Darren Anstee (Arbor Networks)
This presentation will cover the use of network flow telemetry exported from network infrastructure elements such as routers and layer-3 switches in real-time incident response, forensic investigations, and policy auditing/validation. Real-world examples of flow telemetry export from multiple vendors will be described, along with the use of both open-source and commercial flow collection and analysis systems in a security context. The utility of flow telemetry in security applications will be compared and contrasted with that of syslog analysis and packet-capture.
MD5: fb22935923799160805d42b6ca3f6d58
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.13 Mb
Koichiro Komiyama (JP)
"Insider threats", where staff members or persons inside an organization damage its IT systems or leak information, are a frequently discussed topic.
In order to prevent the serious monetary damage and reputational harm deriving from insider threats, a different approach from that used for external threats is required.
In our study, a group of police officers, psychologists and CSIRT engineers examined the police investigation records for 30 IT crime cases.
This presentation introduces the background characteristics and premonitory behaviors of malicious insiders, as well as prevention measures.
Furthermore, it presents technical countermeasures that can be employed by system administrators.
MD5: 64b650cc881f3afaa8c9a70e1f9e62b1
Format: application/pdf
Last Update: June 7th, 2024
Size: 712.34 Kb
Michael Moran (INTERPOL)
Child abuse material (child pornography) is a reality in the modern connected society and any corporate association with it can lead to prosecution and permanent brand damage. This talk will explain in detail the issues surrounding this phenomenon, the difficulties from a corporate point of view and give an understanding why risk management must also include the welfare of the children abused to produce it.
MD5: b31215d98028e404a52e6e3ea2491749
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.91 Mb
Scott Algeier (Information Technology - Information Sharing and Analysis Center , US)
MD5: fa227a3f38a1b97227656435649d640b
Format: application/pdf
Last Update: June 7th, 2024
Size: 430.52 Kb
Wendi Rafferty
During this presentation, Wendi will discuss in-depth case studies of two intrusion investigations conducted in 2010. Both of these intrusions were conducted by groups of sophisticated attackers attempting to establish a foothold in each organization as well as exfiltrate sensitive data.
The overall numbers and statistics of each investigation are presented along with details about how the compromises occurred, what type of malware was used, and the tactics leveraged by the attacker. Attendees will learn how each compromise differed and how, as a result, each organization implemented remediation tactics in a different manner.
The focus of the presentation is the remediation portion of the investigation and how two separate organizations implemented solutions very differently. We will look at a 100,000+ node network with a decentralized infrastructure versus a centralized network with fewer than 1,500 nodes and identify how their remediation needs and tactics varied.
We will review several of the tactics, including active directory configuration, data centralization, network monitoring solutions, password change management software, setting user service expectations, and project management of a large scale remediation effort.
Finally, we will present details about the products used, the challenges in implementation, effective project management, and the advantages and disadvantages of a centralized technical approach.
MD5: f97dc19e3bcc9524d38a9cd1c0444f4e
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.48 Mb
Kevin Hemsley
MD5: f22e017df8a274f60ffb280633170b59
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.31 Mb
Robert Pitcher (Public Safety Canada, CA)
The build-up and execution of an Olympic Games is a massive undertaking for any country. In addition to the incredible amount of physical security required to deliver the Games, the logical infrastructure is equally, if not more, important to the success of the events. During the lead-up to the delivery of the Vancouver 2010 Olympic and Paralympic Games, the Government of Canada undertook large-scale readiness planning to ensure that departments and organizations were prepared. This planning encompassed 3 large-scale exercises, the formation of multilateral working groups, technological surveys, and a robust incident response plan. As the federal lead for incident response in the planning and execution of the 2010 Vancouver Games, I will deliver a lessons-learned presentation from the perspective of a planner and handler who was involved from the initial stages to the passing of the Olympic torch at the conclusion of the ceremonies.
MD5: 1622180df3b5743349845cf679b67bac
Format: application/pdf
Last Update: June 7th, 2024
Size: 524.11 Kb
Steve Purser (European Network & Information Security Agency (ENISA))
This presentation will cover the issues that future developers of ICT systems need to resolve in order to ensure adequate security in real operational environments. The presentation will be structured as follows:
- Introduction to ENISA
- The Trends
- Scope & Requirements
- Design Considerations
- Deploying Secure Systems
The goal is to highlight the less obvious challenges in building secure systems in a highly distributed, global environment (such as scalability requirements, evolution of security SW into application-level and infrastructure-level solutions and the consequences, unrealistic assumptions on operational environments, evolving security models etc.). The talk will be based on practical, operational experience and definitely not theoretical.
MD5: 7a56ba06adfef6a6ea09244c98b95af2
Format: application/pdf
Last Update: June 7th, 2024
Size: 430 Kb
Mikko Hypponen (F-Secure)
25 years, and what have we got?
MD5: efbb7aa869c95a8c9d98524d454eb82c
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.92 Mb
Günter Ollmann (Damballa)
There's a general myth that botnet operators are opportunistic in their building strategy. In some older and sloppier cases they are, but things have moved on. The ecosystem that supports botnet building is increasingly indistinguishable from legitimate Internet businesses (countless shades of gray), and most aspects of that business are well planned and targeted with commercial precision. As such, the targeted and opportunistic attack nomenclature is increasingly outdated, particularly when the attackers operate within a federated business model. How are some of the more successful botnet building enterprises distinguishing themselves? We've heard plenty of things about the popular malware kits such as Zeus, SpyEye and TLD3, but how do these translate into the commercial botnet building industry? This talk will analyze the links between key malware construction tools, their authors' relationship with the botnet builders and how their malicious payloads are in fact distributed using common federated delivery campaigns. We'll look at distinguishing between targeted and opportunistic attacks and show that the differentiation is often just a matter of perspective if you're missing some of the middle-men operators that help facilitate a successful attack.
MD5: 3b688bfad7bcef8322555c6c902d325c
Format: application/pdf
Last Update: June 7th, 2024
Size: 7.33 Mb
IT-ISAC, IBM, CESICAT-CERT, ECSC, NTT-CERT
MD5: 1d1ced8462d252368651a47d1008bb82
Format: application/pdf
Last Update: June 7th, 2024
Size: 615.09 Kb
Japan Teams (JPCERT/CC, IIJ-SECT, NCSIRT, NTT-CERT, Rakuten-CERT, JP)
The day disaster struck the northeastern part of Japan
MD5: e0b3ab52a1b655aaf01a1f4658f78e72
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.67 Mb
Stefan Frei (Secunia)
In this talk we look at the evolution of the security threats and the complexity of keeping a typical end-user PC secure over the last five years. The study is based on data from more than 3 million users of the Secunia Personal Software Inspector (PSI), which provides unique insights into the distribution and dynamics of programs typically present on end-user PCs.
We find an alarming development: vulnerabilities affecting the portfolio of the Top-50 programs typically present on end-user PCs almost quadrupled in the last three years. Further analysis identifies third-party (non-Microsoft) programs to be almost exclusively responsible for this alarming trend.
We examine the complexity of keeping a typical software portfolio secure and identify the top programs most likely to be found secure/insecure. Our analysis reveals that the frequency and complexity of managing a large number of diverse update mechanisms required to keep end-point PCs secure leads to a large population of easy targets for cybercriminals.
MD5: 7b380efa38e4cb3215745d2aa899c4c2
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.49 Mb
Rob Thomas (Team Cymru, US)
Over a decade ago, when I founded Team Cymru with 3 friends, the Internet, and indeed the World, was a very different place. I've worked with FIRST members around the world as we've seen things evolve, sometimes for the better, often, despite our best efforts, to the detriment of people, businesses and our hopes for the future.
One thing that has remained constant is YOU. This presentation will touch on what I've discovered about our community and how that translates into lessons for the next generation of Security professionals. Hopefully it'll be a fun and entertaining trip for us all!
MD5: ef6a2fde67ad2832b070dffdcfce832b
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.4 Mb
Rudolph Pretorius (First National Bank)
The presentation will be on the setup of a CSIRT team in the banking sector in South Africa.
The challenges and benefits of the operational model that is operationally successful in the Southern African region.
The relationship with other role players in the local environment and the newest threats and incidents that are managed by the team in the region.
MD5: 687fe68a20254f309a854f2faffeb8e6
Format: application/pdf
Last Update: June 7th, 2024
Size: 147.3 Kb
Frank Breedijk, Ian Southam (Schuberg Philis)
Most of us in the industry either have a vulnerability disclosure process in place or at least understand the tenets of what one entails, but what about exploitation disclosure? Could there possibly be any benefits to working with an affected vendor when you discover exploitation in the wild?
Holly will walk through several scenarios and conditions where coordinating the disclosure of in-the-wild exploitation can provide better service to your organization and to the general public at large. Holly will also discuss the new model of exploitation disclosure that she has helped put in place at the Microsoft Malware Protection Center.
MD5: dc3fe9dce3c7376cbd4d767d8427ea87
Format: application/pdf
Last Update: June 7th, 2024
Size: 8.64 Mb
Denis Maslennikov (Kaspersky Lab)
It is obvious that for many years cybercriminals have 'worked' for money. Illegal profits are the main aim of the bad guys, and they use a lot of different ways and techniques: botnets, spam, DDoS, password stealing, phishing, etc. This list is not endless, but it is rather big. It is also well known that the bad guys are always on the lookout for new ways of making illegal profits. And in many cases they are quite successful in such searches. For more than 2 years now, cybercriminals in a number of specific countries (Russia and Ukraine especially) have prosperously exploited legislative loopholes which allow them to use SMS premium rate numbers anonymously. The growth of the different types of malicious software which use SMS premium rate numbers (ransomware and SMS Trojans mostly) started in 2008. In 2009 multiple groups of cybercriminals began creating web sites with various types of SMS scams. The aforementioned loopholes allowed the people behind these scams to stay safe, and it wasn't until late 2010 that the Russian police arrested a number of people for operating an SMS scam ring. This presentation will examine the most popular ways used by cybercriminals to maliciously exploit SMS premium rate numbers. We will also explain how it is possible that such criminal activity exists in the first place. Finally, we will describe the main pillar of the malicious SMS underground economy and ecosystem, and the possible solutions and legal and operational changes required to shut it down.
MD5: d12b33132075d527ac42ed89d7c22555
Format: application/pdf
Last Update: June 7th, 2024
Size: 2.97 Mb
John Kristoff (DePaul University)
The Internet routing system, and specifically the border gateway protocol (BGP), is a key component upon which much of the Internet infrastructure relies. Yet, after years of recurring events, whether they are intentional route hijacks or accidental route leaks, we have seen very little fundamental change that has helped raise the bar against these all-too-real security threats. Why? What can reasonably be done to protect ourselves today?
In this session, we first summarize the threat of traffic redirection by bogus or malicious routing announcements. We then present practical operational best practices and a new set of tools that can help minimize your reliance on otherwise untrusted routes and limit your network's exposure to traffic redirection risks.
MD5: b22ebb95b89789f54dceda1e1e969a4f
Format: application/pdf
Last Update: June 7th, 2024
Size: 507.71 Kb
Ireneusz Parafjanczuk, Mikhail Ganev
RU-CERT: 10 years of experience in incident response in the Russian Federation. For about 10 years RU-CERT has played the role of computer security incident response proxy for the whole RF address space. Although it has no authority to use any force against malicious resource owners, RU-CERT's efforts to counteract phishing/malware distribution and some cybercriminal activities are not in vain. RU-CERT's model of different incident types, its processing of information sources and their assessment rating, problems, statistics, and improvement ideas are going to be presented.
MD5: a23f462b37deba65e8a74da31949da4f
Format: application/pdf
Last Update: June 7th, 2024
Size: 1.5 Mb
Igor Nai Fovino (Global Cyber Security Center)
Security threats are one of the main problems of our digital society. Most of the systems that use information and communication technologies (ICT) are exposed to failures and vulnerabilities that can be exploited by malicious software and agents. There exists a plethora of examples of the use of these weaknesses by organized crime. Regulations, policies and technical solutions have already been put in place by governments to fight against the cyber crime threat. However, a relatively new trend has widened the cyber security problem, making it, literally speaking, a matter of citizen protection and safety. Critical infrastructures and systems (power plants, energy grids, oil pipelines etc.) have in the last few years started to make massive use of general-purpose ICT systems and telecommunication networks to operate. The direct implication is that today those critical systems are exposed not only to traditional safety and availability problems, but also to new kinds of security threats. The process control network of most Critical Installations is integrated with broader information and communication systems, including the company business network. Most maintenance services on process control equipment are performed remotely.
MD5: b74bb088432c6f43c1afb708c0a8b069
Format: application/pdf
Last Update: June 7th, 2024
Size: 4.09 Mb