National Webcast Initiative
Cyber Security:
The Three Things You Should Have Done Yesterday
and the Three Things You Should Do Today
June 22, 2004
Question and Answer Transcript
The following is a compilation of information exchanged during the written Q and A session of the webcast. The transcript has been edited for relevance.
Question: Are you familiar with the efforts of Secure
Florida in educating citizens and businesses in cyber-security issues?
The Secure Florida initiative has been active for over two years.
Answer: We work with Mike Russo from Florida,
thanks for sharing the information regarding Florida's efforts. If there
are other efforts/people that we should have as contacts please work with
us to share this information.
Question: What is an ISAC? What does US-CERT stand
for, the acronym?
Answer: ISAC - Information Sharing
and Analysis Center. US-CERT stands for US Computer Emergency Response
Team.
Question: What is a rootkit?
Answer: A program that an attacker will upload
to a compromised machine that is designed not only to give root access to
the system, but also to hide that access by modifying system logs.
Question: Has spam been used to propagate viruses or
worms? Is it a threat or just a nuisance?
Answer: Spam has been used to propagate viruses
and worms. Any unsolicited email should be treated with caution.
Question: How do we determine the difference between
basic infection and a compromised computer? Should we always rebuild
any infected computers?
Answer: Depends on your uses and policies. In
general, you cannot trust a computer that has been infected, as most malware
opens ports that are easily identified and used for malicious activity.
Question: How can we determine if the administrative
rights of a system have been compromised?
Answer: Key methods to determine this are if
your log files indicate admin access that you know was not during a time
that an authorized admin should have been on the system. If your logs are
corrupted, you should assume that your admin account is compromised.
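Added example (not from the webcast): a small log review in the spirit of the answer above. It flags admin logons that fall outside an authorized maintenance window and treats timestamps that run backwards as a sign the log itself may have been edited. The log format, account names, window hours and all log lines are constructed assumptions.

```python
"""Review admin logons against an authorized maintenance window, and flag
out-of-order timestamps as a sign the log itself may have been altered."""
from datetime import datetime, time

# Hypothetical auth log, constructed for this example; the layout
# "<date> <time> LOGON user=<name> from=<ip>" is an assumption, not a real format.
SAMPLE_AUTH_LOG = """\
2004-06-22 08:05:11 LOGON user=jsmith from=10.1.7.88
2004-06-22 09:30:42 LOGON user=administrator from=10.1.0.5
2004-06-22 12:15:09 LOGON user=jsmith from=10.1.7.88
2004-06-22 23:48:03 LOGON user=administrator from=10.1.5.23
2004-06-23 03:12:55 LOGON user=root from=10.1.5.23
"""

ADMIN_ACCOUNTS = {"administrator", "root"}          # assumed admin account names
WINDOW_START, WINDOW_END = time(8, 0), time(18, 0)  # assumed authorized admin hours

def parse_auth(line):
    """Return (timestamp, user, src_ip) for one line, or None if it does not match."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "LOGON":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    user = parts[3].split("=", 1)[1]
    src = parts[4].split("=", 1)[1]
    return ts, user, src

def in_window(ts, start=WINDOW_START, end=WINDOW_END):
    """True if the logon time falls inside the authorized window."""
    return start <= ts.time() <= end

def review_admin_logons(log_text):
    """Return (suspect, tampered): suspect lists (ts, user, src) admin logons
    outside the window; tampered is True if any timestamp goes backwards."""
    suspect, tampered, last_ts = [], False, None
    for line in log_text.splitlines():
        rec = parse_auth(line)
        if rec is None:
            continue
        ts, user, src = rec
        if last_ts is not None and ts < last_ts:
            tampered = True   # entries out of order: assume the log was edited
        last_ts = ts
        if user in ADMIN_ACCOUNTS and not in_window(ts):
            suspect.append((ts, user, src))
    return suspect, tampered

if __name__ == "__main__":
    hits, tampered = review_admin_logons(SAMPLE_AUTH_LOG)
    for ts, user, src in hits:
        print(f"{ts} {user} from {src}: admin logon outside authorized window")
    print("log order looks intact" if not tampered else "log order broken; treat as suspect")
```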
Question: Microsoft systems are attacked far more than
other systems. What are all the reasons for this imbalance?
Answer: Authors of malicious code are typically
aiming to infect as many systems as possible. Microsoft Windows is used by
the majority of computer users, so it is targeted more frequently.
Question: Malware is another whole bucket of worms
... What I would like to learn is how to find compromised computers ...
Answer: One of the easiest ways is by monitoring
your firewall logs. For example, if you see a bunch of systems that are not
your mail server trying to send email out your firewall, then you know that
they are infected with a mass mailing worm that uses its own SMTP engine.
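Added example (not from the webcast): the firewall-log check the answer describes, run over a few constructed log lines. It counts outbound SMTP connection attempts per internal source and reports every source that is not the sanctioned mail server. The log line layout, the mail server address and the sample lines are all assumptions made for this example.

```python
"""Flag internal hosts (other than the sanctioned mail server) that try to send
SMTP out through the firewall, the mass-mailing-worm symptom described above."""
import re
from collections import Counter

# Hypothetical firewall log, constructed for this example; the field layout
# "<date> <time> ACTION proto src:sport -> dst:dport" is an assumption.
SAMPLE_LOG = """\
2004-06-22 10:01:02 DENY tcp 10.1.5.23:3345 -> 203.0.113.9:25
2004-06-22 10:01:03 PERMIT tcp 10.1.0.10:4021 -> 198.51.100.7:25
2004-06-22 10:01:05 DENY tcp 10.1.5.23:3346 -> 203.0.113.44:25
2004-06-22 10:01:06 PERMIT tcp 10.1.7.88:1180 -> 198.51.100.20:80
2004-06-22 10:01:07 DENY tcp 10.1.9.4:2211 -> 192.0.2.15:25
2004-06-22 10:01:09 DENY tcp 10.1.5.23:3347 -> 203.0.113.51:25
"""

MAIL_SERVERS = {"10.1.0.10"}   # assumed: the only host allowed to relay mail outbound
SMTP_PORTS = {25, 465, 587}    # SMTP and submission ports

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def suspect_mailers(log_text, mail_servers=MAIL_SERVERS, min_hits=1):
    """Count outbound SMTP attempts per non-mail-server source (permitted or
    denied alike) and return {src: attempts} for sources at or above min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] in SMTP_PORTS and rec["src"] not in mail_servers:
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.most_common() if n >= min_hits}

if __name__ == "__main__":
    for host, n in suspect_mailers(SAMPLE_LOG).items():
        print(f"{host}: {n} outbound SMTP attempt(s); not a sanctioned mail server")
```

Raising min_hits filters out a single stray connection so that only hosts hammering port 25 are reported.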
Question: How long do you think it will take for spyware
writers to incorporate the maliciousness of viruses and worms
Answer: I am not sure that they do not already;
Spyware is a very major concern.
Question: What is a P2P network?
Answer: Peer to Peer, file sharing. Things like
Napster, etc. are P2P networks.
Question: Can you use ':'s and '@'s in passwords?
Answer: In Windows I know that you can use @;
not sure about :. The only characters that you cannot use are those that
are defined by the OS as reserved.
Question: What are hashes?
Answer: Hash values are produced for accessing
data for security purposes. Tables of hashes are used for fast look-up of
data-records. For a more detailed definition, please refer to the provided
list of security term definitions.
Question: Which is more susceptible to rootkits? Unix
or Windows? Will this be discussed in more detail?
Answer: Neither is more susceptible to rootkits.
Any machine that has an exploitable vulnerability is equally susceptible
to rootkits.
Question: What are your recommendations for SINGLE
SIGN-ON PASSWORDS?
Answer: In terms of password length/complexity,
I think 14 characters and using an automatic tool to generate random passwords
is the best way to go. If you mean should you use single sign-on, that is
a case by case decision.
Question: Are there any gateway appliances that will
block spyware like those that block worms, viruses and P2P?
Answer: Yes. Adaware is a program that can block
this type of malicious code. Spybot is another good utility.
Question: What tools do you recommend for cleaning
detected spyware without rebuilding machines?
Answer: Adaware and Spybot are both good tools
for defending against spyware.
Question: XP Service Pack 2 - any specific worries
there?
Answer: The policies and procedures that need
to be followed to keep a system secure do not change based on the OS. There
are no specific worries with this OS over another.
Question: ...For rootkit level attacks, can we see
activity in services for Microsoft based systems; example being running
daemons?
Answer: If a system is compromised by a rootkit,
the process will be hidden and will not be easily detected.
Question: I want to have the capability to block spyware
at the edge of the network much like an IPS can do with worms and viruses...before
it gets to the desktop
Answer: One way to do this would be to verify
correct firewall policies (blocking port 135, etc). Additionally, review
of firewall logs will uncover any spyware that does get on your network when
it tries to communicate outbound from your network.
Question: I have been to sans.org & I found
uscert.gov; I have found some sites such as packetstormsecurity.com,
I'm looking for a list from the experts to begin down the path to learn
how to become an expert
Answer: There is no one single list that works
for every industry. In addition to sans, uscert, packetstorm, and MS, I would
suggest bugtraq on security focus and NIST.
Question: What is "2-factor" security for
VPN?
Answer: 2-factor authentication is a method
whereby users are verified by traditional passwords but also by the use of
a physical device, such as a smart card or token. It requires both pieces
to authenticate.
Question: How effective is Network Address Translation
(NATing) at thwarting these types of attacks?
Answer: NAT is not effective at preventing any
types of attack per se. NAT combined with good ACLs is needed.
Question: ACL?
Answer: Access Control List
Question: What are 2-factor authentications for administrators?
Answer: 2-factor authentication refers to 2
factors for authorization, such as a password and a keyfob, or a password
and a biometric.
Question: What is the IPSec protocol?
Answer: IPSec is a protocol that encrypts traffic.
Question: What do you think about data encryption as
an additional layer of security for confidential information?
Answer: Absolutely a requirement to use encryption
for confidential information.
Question: Is there a reason that worms were listed
as part of inside threats?
Answer: Because once they are on a network they
are devastating inside a network and therefore it is necessary to be able
to segment and protect your network from its other hosts if they become compromised.
Question: How would you evaluate the risks of a new
patch versus the security hole assuming that the security hole is of
somewhat less than essential? Clearly an essential security update would
be applied immediately.
Answer: That really depends on the situation,
but you are correct in evaluating the risks of the patch as well as the risks
of the security hole.
Question: Can you suggest a tool or formula to assist
in showing public education institutions the TCO analyses for 'security'
or lack of 'security'?
Answer: We will take this away with us for a
future answer.
Question: I think a webcast on the severity of spyware
and what can be done to prevent it would also be helpful
Answer: Thank you. We will consider this as
a future webcast topic.
Question: Are the 3 things for yesterday supposed to
be more critical than 3 things for today? Specifically, is PW management
more critical than baseline security?
Answer: This is going to depend on your specific
situation; the title refers to issues that have been around for a while and
others that are emerging.
Question: Some of us are ready to do these steps today
... the webcast is a high level overview ... where can we get a lower
level "How To"
Answered Privately: We will take this away
with us for future webcast sessions geared to be more hands-on.
Question: Can non-government people access the webcast
- ie, security persons from critical infrastructure sites
Answer: Yes. The webcast will be made publicly
available.
Question: Is there a particular site where I can get
a checklist of specifics on how to properly implement security on various
operating systems? (ie, information understandable by intermediate computer
operator?)
Answer: Try sans.org to start. If this does
not help, try searching for the OS specifically.
Question: Do you know of any good 'how to' guides for
building an effective, comprehensive information security plan? Any other
advice for a new Information Security Officer?
Answer: I would start with the ISC2 website,
as well as do a Google search for best practice security policy development;
there are a number of orgs that have this type of info available.
Question: Are there any ROI figures or case studies
on the effectiveness of strong authentication and two-factor authentication
on breaches?
Answer: Not that we are aware of, but there
may be some that exist. We will take this away as an item.
Question: What software is recommended to determine
which PCs are NOT patched?
Answer: This is going to depend on your OS.
In general you want to look for the enterprise management solutions that
are available to you with your OS that are deployed.
Question: Is the webcast across the US or global?
Answer: Most of the attendees are from the US,
however there are registrants from Canada also.
Question: What is meant by 'social engineering' in
regard to security?
Answer: Social engineering is a method of gaining
personal information by using messages that cater to individual interests.
An example of this would be an email that claims to contain a critical patch,
but in reality contains malicious code. This is designed to trick the user
into opening the mail. There are many other examples.
Question: Someone said that a reading list will be
provided ... I would also like to suggest courses on IDS & IPS I
need to know more about those and how to read sniffer captures ... also
another area for us to know about is the legal aspects of monitoring
our own networks ... I just mentioned a sniffer ... I run one 24-7 ...
what legal liabilities does this give me?
Answer: This depends on your industry, but in
general as long as there is a notice to your users that the network can be
monitored then you are OK.
Question: Are there effective tools for detection and
eradication of worms?
Answer: In general you should refer to your
Anti-Virus vendor for detection and removal of any worm infection that you
have.
Question: It was mentioned that rootkits are difficult
to detect and that it takes a special type of Forensics person to find
them -- can you suggest training/resources for finding Rootkits?
Answer: There are many good security training
classes for forensics; personally I am aware of a good class done by a company
called BIA.
Question: Higher Education has a role in this, due
to fast network attachments typically as one factor. Will any of your
sessions deal with topics that help Higher Ed do a better job at Securing
information and systems ?
Answer: This will be taken as a request regarding
future sessions.
Question: Are there going to be different levels of
presentations? In other words, will some presentations be targeted for
high technical skills while others are targeted for lower skills?
Answer: A combination of technical and non-technical
presentations has been planned.
Question: When will DHS funding be made available to
local law enforcement for training, preparation, and response to cyber
incidents? In particular, #16 Cyber Security Enhancement equipment category,
referenced in the FY 2004 Authorized Equipment List.
Answer: We cannot comment on DHS funding. Please
contact DHS directly. It is our understanding that this is an eligible expense
under ODP grants and that these grants are coordinated by the individual
states' homeland security office.
Question: What role will DHS play in the future to
shape data traffic inbound to US from overseas, where much of the virus
traffic originates?
Answer: Please direct this to info@us-cert.gov
Question: Please give my thanks to all involved ...
I'm guessing by the number of seats still occupied that there are many
of us out there wanting to learn THANK YOU
Answer: You're welcome. Thank you for attending.
We'll notify you of future webcasts.
Question: What is the difference between InfraGard
and MS-ISAC? and will there be any interaction between the two?
Answer: The MS-ISAC comprises members from the
state government sector. We participate with InfraGard, but the MS-ISAC
is a sector-specific organization. Each sector has a similar ISAC, such as
telecom, energy, etc.
