Information Security News mailing list archives

CERT running security pilots


From: InfoSec News <isn () c4i org>
Date: Mon, 6 May 2002 02:27:38 -0500 (CDT)

http://www.fcw.com/fcw/articles/2002/0429/web-info-05-03-02.asp

By Dan Caterinicchia 
May 3, 2002

The CERT Coordination Center at Pennsylvania's Carnegie Mellon
University has developed two unique pilot programs designed to bolster
the information assurance capabilities of government agencies.

The number and sophistication of cyberattacks against U.S. government
systems have increased in recent years, but the skill of the
individuals launching them has decreased, which makes it even more
difficult for agencies to distinguish a high school hacker from an
extended, coordinated intrusion attempt, said John McHugh, senior
member of the technical staff at the CERT Coordination Center (CCC) at
Carnegie Mellon.

Speaking May 2 at an Armed Forces Communications and Electronics
Association information technology conference in Quantico, Va., McHugh
said the basic idea is to make sure that cyber intruders can't take
out all the systems all the time since "survivability is the
mission-centric notion of information assurance."

To help agencies improve their defenses, the CCC is working on the
Automated Incident Response (AirCERT) program, a data collection and
coordination exercise that uses statistical methods to detect emerging
threat patterns.

AirCERT uses an open source infrastructure to automatically gather and
report security incidents from CCC client Internet sites that agree to
have that information inspected, McHugh said. The goal is to "reduce
the burden on security analysts by automatically handling
well-understood attacks," he said.

The CCC has completed an AirCERT proof-of-concept prototype and is
testing the program with members of the Internet community.

The CCC also is working with a defense agency -- which McHugh would
not name because of security concerns -- on another program that uses
raw data to identify routing anomalies and back doors into a network.

The NetFlow system collects enormous amounts of unbiased data and
analyzes it in "chunks at a time" to help establish "traffic
baselines" and detects potentially nefarious activity as deviations
from the baselines, McHugh said.
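The baseline-and-deviation approach described above can be illustrated with a short script. This is an added example, not code from CERT, the defense agency or the article: it takes NetFlow-style records (here a constructed sample using documentation IP ranges), groups them into hour-long chunks, learns a per-source baseline from the first chunks, and flags later chunks whose byte volume, destination ports or destinations deviate from that baseline. The record layout, thresholds and alert categories are assumptions chosen for the demonstration.

```python
"""Baseline-and-deviation detection over NetFlow-style records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port
    bytes: int   # bytes carried by the flow


def build_sample_flows():
    """Constructed sample: five hours of steady traffic from two hosts,
    then in hour six one host starts pushing large volumes to an unseen
    destination on an unseen port (the 'back door' case from the text)."""
    flows = []
    for hour in range(6):
        base = hour * 3600
        for i in range(20):
            flows.append(Flow(base + i * 120, "10.0.0.5", "198.51.100.20", 443, 1500))
            flows.append(Flow(base + i * 120 + 30, "10.0.0.7", "198.51.100.20", 80, 900))
    for i in range(20):
        flows.append(Flow(5 * 3600 + i * 120 + 60, "10.0.0.7", "203.0.113.9", 31337, 40000))
    return flows


def chunk_flows(flows, chunk_seconds=3600):
    """Split flows into time-ordered chunks ('chunks at a time')."""
    chunks = defaultdict(list)
    for f in flows:
        chunks[f.ts // chunk_seconds].append(f)
    return [chunks[k] for k in sorted(chunks)]


def summarize(chunk):
    """Per-source totals for one chunk: bytes, ports and destinations seen."""
    per_src = defaultdict(lambda: {"bytes": 0, "dports": set(), "dsts": set()})
    for f in chunk:
        s = per_src[f.src]
        s["bytes"] += f.bytes
        s["dports"].add(f.dport)
        s["dsts"].add(f.dst)
    return per_src


def build_baseline(training_chunks):
    """Learn mean/stddev of bytes per chunk and the known ports/destinations per source."""
    history = defaultdict(list)
    known = defaultdict(lambda: {"dports": set(), "dsts": set()})
    for chunk in training_chunks:
        for src, s in summarize(chunk).items():
            history[src].append(s["bytes"])
            known[src]["dports"] |= s["dports"]
            known[src]["dsts"] |= s["dsts"]
    return {
        src: {"mean": mean(v), "std": pstdev(v),
              "dports": known[src]["dports"], "dsts": known[src]["dsts"]}
        for src, v in history.items()
    }


def score_chunk(chunk, baseline, z_threshold=3.0):
    """Return (src, kind, detail) alerts for deviations from the baseline."""
    alerts = []
    for src, s in summarize(chunk).items():
        b = baseline.get(src)
        if b is None:
            alerts.append((src, "new_source", s["bytes"]))
            continue
        # Floor the stddev at 10% of the mean so a perfectly flat baseline
        # does not alert on trivial changes (assumed tuning choice).
        std = max(b["std"], 0.1 * b["mean"])
        z = (s["bytes"] - b["mean"]) / std if std else 0.0
        if z > z_threshold:
            alerts.append((src, "volume", round(z, 1)))
        new_ports = s["dports"] - b["dports"]
        if new_ports:
            alerts.append((src, "new_dport", sorted(new_ports)))
        new_dsts = s["dsts"] - b["dsts"]
        if new_dsts:
            alerts.append((src, "new_dst", sorted(new_dsts)))
    return alerts


def run_detection(flows, training_chunks=5):
    """Baseline on the first chunks, score every later chunk against it."""
    chunks = chunk_flows(flows)
    baseline = build_baseline(chunks[:training_chunks])
    return {i: score_chunk(chunks[i], baseline) for i in range(training_chunks, len(chunks))}


if __name__ == "__main__":
    for idx, alerts in run_detection(build_sample_flows()).items():
        for src, kind, detail in alerts:
            print(f"chunk {idx}: {src} {kind} {detail}")
```

Run on the constructed sample, the sixth chunk produces a volume alert, a new-port alert and a new-destination alert for 10.0.0.7, while 10.0.0.5 stays quiet. On real exports the same structure applies, but the training window must be long enough to cover normal daily and weekly cycles, or ordinary busy periods will be reported as deviations.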

The CCC is working with the defense agency on a detailed analysis of
its daily traffic and hopes to use real-time data in the future, he
said, adding that agencies and companies that use Cisco Systems Inc.
routers can do this type of analysis.

"This is a capability in most Cisco routers, and anyone who wants to
can collect this data," McHugh told Federal Computer Week. "We're
working with a large government client to develop tools to [enable
them to] analyze it themselves."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.