USCERT: Get Plugged in - PowerPoint PPT Presentation

Slides: 24
Provided by: bobsp6


US-CERT Get Plugged in!
United States Computer Emergency Readiness Team
For more detail on slides go to notes view
US-CERT Mission
  • Protect critical infrastructure in cyberspace,
    both public and private sector.
  • Analyze and reduce cyber threats and
  • Disseminate cyber threat information.
  • Coordinate incident response activities.
  • US-CERT is the Nation's security center to
    protect the nation's Internet infrastructure.

The National Strategy to Secure Cyberspace
provides a framework articulating priorities to
secure cyberspace
  • National Cyberspace Security Response System
  • National Cyberspace Threat and Vulnerability
    Reduction Program
  • National Cyberspace Security Awareness and
    Training Program
  • Securing Governments' Cyberspace
  • International Cyberspace Security Cooperation

Operations Branch
Vulnerabilities Handled by US-CERT FY-06
  • Over 3,872 vulnerabilities reported since October
  • 1,293 of the 3,872 were rated as high severity
    utilizing the Common Vulnerability Scoring System
    or other factors
  • These are just the ones we know about; they cover
    a wide range of technologies, from operating
    systems and devices to SCADA control systems.
  • There is no shortage of opportunities for
    exploitation, depending on your security posture
    and how well you know your own network environment.

Vulnerability Handling (2)
  • Impact: what incremental benefit does the attacker gain?
    • Root compromise
    • User compromise (which user?)
    • Denial of service (which service?)
  • There's a distinction between:
    • Execute arbitrary code
    • Execute arbitrary commands

DHS Press Release: MS06-040
  • Press Releases: DHS Recommends Security Patch to
    Protect Against a Vulnerability Found In Windows
    Operating Systems. For Immediate Release, Office
    of the Press Secretary, Contact: 202-282-8010,
    August 9, 2006
  • The Department of Homeland Security (DHS) is
    recommending that Windows Operating Systems users
    apply Microsoft security patch MS06-040 as
    quickly as possible. This security patch is
    designed to protect against a vulnerability that,
    if exploited, could enable an attacker to
    remotely take control of an affected system and
    install programs, view, change, or delete data,
    and create new accounts with full user rights.
  • Windows Operating Systems users are encouraged to
    avoid delay in applying this security patch.
    Attempts to exploit vulnerabilities in operating
    systems routinely occur within 24 hours of the
    release of a security patch. This vulnerability
    could impact government systems, private industry
    and critical infrastructure, as well as
    individual and home users.
  • Users can apply the Microsoft MS06-040 security
    patch at http//
    /bulletin/ms06-040.mspx. Home users may prefer to
    go to Windows Update at http//
    m and select Express to install critical
    security updates, including the MS06-040 security
    patch.
  • The Department's U.S. Computer Emergency
    Readiness Team (US-CERT) continues to work
    closely with Microsoft to minimize any impact
    from this vulnerability. US-CERT has issued an
    alert through the National Cyber Alert System and
    conducted a series of briefings with federal
    Chief Information Officers and Chief Information
    Security Officers, and critical infrastructure
    sectors through Information Sharing and Analysis
    Centers. Additionally, all federal agencies are
    required to provide US-CERT with regular updates
    on their patching status.
  • DHS recommends that computer users and
    administrators implement the following
    preparedness measures to protect themselves
    against this vulnerability, and also from future
    vulnerabilities, worms, and viruses:
  • Keep up-to-date on security patches and fixes for
    your operating system. The easiest way to do this
    is to set your system to receive automatic
    updates, which will ensure you automatically
    receive security updates issued by Microsoft. If
    your system does not allow automatic updates, we
    recommend that you manually install the Microsoft
    security patch today through Microsoft Update at
  • Install anti-virus and anti-spyware software and
    keep them up-to-date.
  • Enable a firewall, which will help block attacks
    before they can get into your computer.
  • Do not open emails from unknown sources and do
    not open or execute email attachments that you
    are not expecting even if they come from a known
    and trusted source.
  • To access the alerts for this vulnerability and
    for additional information on cyber security tips
    and practices please visit at

Evolving Threats
  • New threats/attacks increasing in intensity and
  • Federal government and private organizations
    experiencing targeted attacks
  • Disruptions affect essential services, government
    operations (availability)
  • Loss of data critical to some agencies
  • Need new ways to share information and protect
    essential cyber systems

Einstein Program Overview
  • EINSTEIN collects summary network traffic
    information at agency gateways and provides a
    high level view of the federal government network
  • US-CERT analysts use EINSTEIN data to correlate
    cross-agency network events.
  • Agency data available through a secure portal to
    augment CSIRT capability.

EINSTEIN Deployments
  • Currently 7 active agency deployments
  • Department of Transportation
  • Department of State
  • Treasury
  • SEC
  • FTC
  • Additional 6 agencies in the planning phases of

Benefits of Deployment
  • Improved situational awareness
  • Cross agency view
  • Is my agency the only one being affected?
  • Signatures used to detect unpublished attacks
  • Reports from intelligence community used to
    identify network attacks
  • No cost to agency
  • Hardware, software and support provided by
  • Experienced Cyber Security analysts available to
    work with and augment your CSIRT
  • One day training for CSIRT/analysts on SiLK
    (coming soon!)
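As an added illustration of the cross-agency correlation described in the EINSTEIN overview and of the "Is my agency the only one being affected?" question above (example code written for this page, not EINSTEIN or SiLK code): it reads constructed summary flow records in an assumed SiLK-like pipe-separated layout, finds external sources seen at several agency gateways, and flags internal hosts that later connected back to one of those sources. The agency labels, addresses, and the 10.0.0.0/8 internal range are all constructed assumptions.

```python
from collections import defaultdict, namedtuple
import ipaddress

# Constructed sample flow records (assumed SiLK-like layout, not EINSTEIN's schema):
# agency|sIP|dIP|dPort|proto|packets|bytes|sTime (ISO-8601, so text order is time order)
SAMPLE_FLOWS = """\
DOT|198.51.100.7|10.1.4.22|445|6|5|1200|2006-08-10T02:11:05
STATE|198.51.100.7|10.2.8.9|445|6|6|1300|2006-08-10T02:13:40
STATE|10.2.8.9|198.51.100.7|4444|6|40|50000|2006-08-10T02:14:10
TREAS|198.51.100.7|10.3.0.15|445|6|4|1010|2006-08-10T02:15:02
SEC|203.0.113.50|10.4.1.2|80|6|20|8800|2006-08-10T02:20:00
STATE|203.0.113.50|10.2.8.40|80|6|22|9100|2006-08-10T02:21:00
FTC|192.0.2.200|10.5.5.5|22|6|3|240|2006-08-10T03:00:00
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed agency address space
Flow = namedtuple("Flow", "agency sip dip dport stime")  # proto/packets/bytes unused here

def parse_flows(text):
    return [Flow(f[0], f[1], f[2], int(f[3]), f[7])
            for f in (ln.split("|") for ln in text.splitlines() if ln.strip())]

def correlate_sources(flows, min_agencies=2):
    """Inbound flows grouped by external source; keep sources seen at >= min_agencies gateways."""
    seen = defaultdict(lambda: {"agencies": set(), "targets": set(), "ports": set()})
    for f in flows:
        if ipaddress.ip_address(f.sip) in INTERNAL:
            continue  # internal source means outbound; see outbound_callbacks
        seen[f.sip]["agencies"].add(f.agency)
        seen[f.sip]["targets"].add((f.agency, f.dip))
        seen[f.sip]["ports"].add(f.dport)
    return {sip: {"agencies": sorted(r["agencies"]), "targets": len(r["targets"]),
                  "ports": sorted(r["ports"])}
            for sip, r in seen.items() if len(r["agencies"]) >= min_agencies}

def only_my_agency(flows, agency, sip):
    """The slide's question: is my agency the only one this source is hitting?"""
    return {f.agency for f in flows if f.sip == sip} == {agency}

def outbound_callbacks(flows, suspects):
    """Internal hosts hit by a suspect source that later connected back to it."""
    first_hit = {}
    for f in flows:
        if f.sip in suspects:
            key = (f.agency, f.dip)
            first_hit[key] = min(f.stime, first_hit.get(key, f.stime))
    return sorted((f.agency, f.sip, f.dip) for f in flows
                  if f.dip in suspects and (f.agency, f.sip) in first_hit
                  and f.stime > first_hit[(f.agency, f.sip)])
```

On the sample data, 198.51.100.7 is seen at three gateways on port 445 and the STATE host it touched then connects back to it, which is the kind of cross-agency anomaly a single agency's own sensors cannot see.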

Benefits of EINSTEIN - continued
  • Complementary approach to existing security
  • Signature based Intrusion Detection (NIDS)
  • Perimeter technologies (firewall, IPS)
  • Helps agencies meet compliance requirements
  • FIPS 200 Minimum Security Requirements for Federal
    Information and Information Systems
  • NIST 800-53 Recommended Security Controls for
    Federal Information Systems.

EINSTEIN Success Stories
  • EINSTEIN analysts uncovered anomalous traffic
    between agencies that identified a security breach.
  • From the Washington Post:
  • "US-CERT spotted an unusual pattern of traffic
    from Agriculture computers and notified USDA."
  • Note: US-CERT does not contact the media
    (information kept confidential)

Data Breach Identified by EINSTEIN Analysts
  • Agency receives at no charge
  • Einstein hardware and software
  • Technical support
  • Cyber Security Analyst access to their respective
    flow data
  • DHS provides all data storage
  • Data is segregated (protected) from other
  • Operational user training
  • Analysis provided by US-CERT
  • Goal is to improve the security posture of the
  • Based on data sharing with US-CERT, the agency
    will gain better insight into cross-agency
    network anomalies
  • Compliant With Federal Standards

What can you do?
  • Get your security teams plugged into the
    Government Forum of Incident Response Teams
  • Deploy EINSTEIN to gain insight into your agency
    and USG views
  • Subscribe to the National Cyber Alert System

  • Technical comments or questions
    • US-CERT Security Operations Center
      Email: soc@us-cert.gov
      PGP/GPG key: 0xADC4BCED
      Fingerprint: 02FD 5294 A076 0ACE BEB1 929B 3730 09F3 ADC4 BCED
      Phone: +1 888-282-0870
  • Media inquiries
    • US-CERT Public Affairs
      PGP/GPG key: 0x10A97BAC
      Fingerprint: 2762 28CF AFF6 EADB 95F4 6797 857D 91C1 10A9 7BAC
      Phone: +1 202-282-8010
  • General questions or suggestions
    • US-CERT Information Request
      Email: info@us-cert.gov
      PGP/GPG key: 0x0A1E0DF7
      Fingerprint: CFE4 9D1D 6897 44B3 9B85 B25A F575 177B 0A1E 0DF7
      Phone: +1 703-235-5110
  • Information available at http//