Security Operations
Jim Barlow <[email protected]>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications (NCSA)
University of Illinois at Urbana-Champaign

Overview
• What I do at NCSA
• A typical day for a security engineer
• Typical incidents
• Other types of attacks

My job
• Head of Security Operations at NCSA
• Around 500 employees
• Over 5000 remote users
• 4000+ hosts on our network
• Open network environment (no firewalls)
• Variety of platforms
  – From Windows desktops to high-end supercomputers

Security engineer tasks
• Security monitoring
  – Monitoring IDS alerts (NIDS and HIDS)
  – Syslogs
  – Network flows
  – Keeping up with the latest vulnerabilities and attacks
• Risk assessment
  – Determining local risk from threats
  – Notifying users or admins
• Proactive measures
  – Probes and scans of systems
  – Network vulnerability scans
• Incident response
  – How, what, who and where?

Typical incidents
• MySQL exploits
  – Windows machines
  – Either a remote exploit or a weak admin password
  – Attacker sets up a warez site
• Awstats exploit
  – Linux box
  – Attacker installed psyBNC and joined an IRC network
• OpenSSL exploit
  – Linux box
  – Attacker installed the t0rn rootkit
  – Replaced a number of binaries
  – Set up a phishing site

Other types of incidents
• Remote exploits
  – Port scans (3306, 42, 135, 445, etc.)
  – Legacy exploits (Code Red, Nimda, IIS)
• SSH brute force attacks
• X server keystroke logging
• Bots (huge problem)
  – Scan & sploit
  – Spam
  – DDoS
  – Keystroke
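The t0rn rootkit incident above replaced a number of system binaries. The host-based check (HIDS) that catches this is a baseline-and-compare of file hashes: hash the binaries while the host is known-good, store the baseline off the box, and re-hash later. The following is an added example, not code from the presentation or from NCSA; the "binaries", the trojaned replacement and the deleted file are all constructed in a temporary directory so it runs offline. It keys on the SHA-256 of the contents rather than on size or mtime, because a rootkit can trivially preserve both.

```python
"""Baseline-and-compare file integrity check (added example, not NCSA code).

Demonstrates the HIDS-style check an operator runs when a rootkit such as
t0rn is suspected of replacing system binaries. All paths below are
constructed in a temporary directory; on a real host the baseline would be
taken from a known-good install and kept off-box so the intruder cannot
edit it along with the binaries.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to (sha256, size, permission bits) taken in a trusted state."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = (sha256_file(p), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare_to_baseline(baseline):
    """Return {path: reason} for every file that no longer matches the baseline."""
    findings = {}
    for p, (digest, size, mode) in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        st = os.stat(p)
        if sha256_file(p) != digest:
            findings[p] = "contents changed"   # caught even when size is unchanged
        elif (st.st_mode & 0o7777) != mode:
            findings[p] = "mode changed"       # e.g. a newly set-uid binary
    return findings


def demo():
    """Constructed scenario: baseline three 'binaries', trojan one, delete one."""
    tmp = tempfile.mkdtemp()
    paths = [os.path.join(tmp, n) for n in ("ls", "ps", "netstat")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
        os.chmod(p, 0o755)
    baseline = build_baseline(paths)

    # Simulated rootkit: replace ps with a same-sized trojan (11 bytes either
    # way, so a size-only check would miss it) and remove netstat entirely.
    with open(paths[1], "wb") as f:
        f.write(b"trojaned ps")
    os.remove(paths[2])

    findings = compare_to_baseline(baseline)
    return {os.path.basename(p): reason for p, reason in findings.items()}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

The same loop, pointed at /bin, /sbin and /usr/bin and run from a clean boot medium, is how a replaced-binary rootkit is confirmed; the baseline must be compared from outside the compromised host, since a rootkit that replaced ls and ps can just as easily replace the tool doing the comparison.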
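SSH brute force attacks, listed under other types of incidents, are the case where the syslog monitoring on the security engineer tasks slide pays off directly: a source trying many usernames against one host in a short time stands out in sshd's "Failed password" lines. The following is an added example, not code from the presentation or from NCSA. The log lines are constructed to look like OpenSSH messages as written to syslog; the host name, addresses (RFC 5737 documentation ranges), usernames and the threshold of five failures within five minutes are assumptions, not values from the talk.

```python
"""Flag SSH brute-force sources from sshd syslog lines (added example, not NCSA code).

The sample log is constructed; the threshold and window are assumed
operator settings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failure line as syslog records it. The optional "invalid user"
# marks names that do not exist on the host, typical of dictionary attacks.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one dictionary attack from 203.0.113.9 and one legitimate
# user fumbling a password three times over twenty minutes from 192.0.2.10.
SAMPLE_LOG = """\
Mar  3 02:14:01 login1 sshd[4311]: Failed password for invalid user oracle from 203.0.113.9 port 40012 ssh2
Mar  3 02:14:03 login1 sshd[4313]: Failed password for invalid user test from 203.0.113.9 port 40014 ssh2
Mar  3 02:14:04 login1 sshd[4315]: Failed password for root from 203.0.113.9 port 40016 ssh2
Mar  3 02:14:06 login1 sshd[4317]: Failed password for invalid user admin from 203.0.113.9 port 40018 ssh2
Mar  3 02:14:08 login1 sshd[4319]: Failed password for root from 203.0.113.9 port 40020 ssh2
Mar  3 02:14:09 login1 sshd[4321]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Mar  3 02:20:31 login1 sshd[4330]: Failed password for alice from 192.0.2.10 port 51030 ssh2
Mar  3 02:20:40 login1 sshd[4332]: Failed password for alice from 192.0.2.10 port 51031 ssh2
Mar  3 02:40:00 login1 sshd[4340]: Failed password for alice from 192.0.2.10 port 51040 ssh2
"""


def parse_failures(log_text, year=2005):
    """Return [(timestamp, ip, username)] for each failed-password line.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources with >= threshold failures inside any window.

    A sliding window over each source's sorted attempts, so a slow trickle
    of typos from one user does not trip the same rule as a dictionary run.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = {
                    "failures": count,
                    "users": sorted({u for _, u in attempts[start:end + 1]}),
                    "first": attempts[start][0],
                    "last": attempts[end][0],
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
```

The distinct-user list is the useful part of the alert: many different names from one source is a dictionary attack, while many failures for one real account is more likely a forgotten password, and in an open network with no perimeter firewall the response has to happen on the host (notify the admin, then block the source there) rather than at a border.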