More FYI on security issues--my apology if it is a duplicate of what you're already 
getting from SANS or elsewhere.

Dave Hardy
Systems Manager/DBA
Vermont Health Care Administration
89 Main Street
Drawer 20
Montpelier, VT 05620-3101
802-828-2914
FAX: 802-828-2949
[EMAIL PROTECTED]


SANS Training and GIAC Certification Update
Edition 3 March 27, 2001

Greetings, I'm Stephen Northcutt, and I am writing today to ask you to
play a role in turning the tide against the attacker community.  The
FBI's notice about widespread Russian and Ukrainian cyber-extortion,
as well as last week's Lion Worm breakout, clearly show that the
defensive security community is losing ground to the attackers. As a
community, it is time for us to stop and say, "This is where we draw
the line."

This is a long message, packed with information you may need to help
secure your systems and to work cooperatively to start turning the
situation around.  I hope that you will take the time to read it
through.

Table of Contents
- FBI Cyber-Extortion Notice and Lion Worm
- Security Heroes
- Government Help and Community Involvement 
- Happy Birthday GIAC
- Testing for Security Essentials Certification Without Taking The Courses
- Intrusion Detection Training Goes Live Online 
- Follow the Money
- Local Security Mentoring Project: An Update
- Late Breaking Conference Information
- Call for Instructors and Authors

****************************************
FBI Cyber-Extortion Notice and Lion Worm 

The problem is simple. Windows IIS servers and Linux and Solaris boxes
are falling prey to attackers at unprecedented rates.  Once compromised,
they are used to attack other systems with fast, automated, rapidly
evolving tools.

Who is to blame?  IIS, Linux, and Solaris administrators (and their
managers) must take a major part of the responsibility. If they do not
make even minimal efforts to secure their systems, they are making the
attackers' jobs easier and making the problem worse. If you are an IIS
Administrator and you aren't keeping service packs and hot fixes up to
date, please start today.  If you need guidance, invest ten minutes and
read www.sans.org/infosecFAQ/win2000/sec_IIS.htm and
www.sans.org/infosecFAQ/win2000/sec_win2k.htm

Microsoft estimates that 25% of the web servers in the world run IIS;
that makes IIS a big target, but also a huge opportunity to improve.
If you have brought a Linux box into the world, do run Bastille
(http://www.bastille-linux.org/). Solaris administrators, please run
YASSP (http://www.yassp.org/). These are just the minimum steps, but
if administrators followed them, the entire Internet would be in much
better shape.

If you are a manager of system administrators, please give them the
opportunity to get trained in security. Windows network administrators
have confirmed that the word security NEVER CAME UP in their training
or testing for the MCSE (Microsoft Certified Systems Engineer).  That
means that tens of thousands of people may be managing Windows systems
without much of a clue about security.  The same weakness exists in most
vendor-sponsored UNIX and Linux sysadmin courses.
 
Of course, if you are reading this note, it means that you are on the
SANS mailing list and you already care about security, so these
recommendations probably do not apply to you. Can you think of someone
else, a co-worker, relative, schoolmate that is an administrator and
might not know the basic fundamentals?  If so, please consider lending
them a hand.

***************
Security Heroes

System administrators cannot be expected to do the job all by
themselves. The community needs some heroes.  These are leaders who
bring fresh ideas to help us close the gap, to reduce the advantage the
attackers have over us.  They build the tools that will protect the rest
of us and get them out in time for the tools to be effective.

Thank goodness for people like Bill Stearns, author of Ramenfind and
Lionfind.  (http://www.sans.org/y2k/lion.htm)

He, Dave Dittrich, Greg Shipley, and Matt Fearnow all worked through
the night when the Lion worm was discovered. They reverse engineered
it. The fact there was more than one variant really complicated matters,
but Bill still had Lionfind working by morning.  Similar Herculean
efforts by Steve Gibson of Gibson Research (http://grc.com) provided
the entire Windows community with a collection of great tools that
include Patchwork, a free tool that detects whether your IIS servers
are vulnerable to the Russian extortionists.
(http://www.cisecurity.org/patchwork.html)

The SANS Institute vigorously applauds Bill, Steve, and Jay Beale for
Bastille, and Jean Chouanard for YASSP.

Another security hero is Mark Krause, security manager at UUNET, who
acted quickly to "black hole" traffic to the site to which the Lion worm
was sending password files.

There are many more of you out there who can be heroes.

*****************************************
Government Help and Community Involvement 

The FBI's National Infrastructure Protection Center (NIPC) has really
started to have an impact in the past year. They deserve the community's
thanks for sharing information far earlier than they ever have before.
Working through organizations like the Financial Services/ISAC, The
Center for Information Security, and SANS, the FBI got data out to the
defensive community in time to do a lot of good. The NIPC has come a
long way and now is widely regarded as the most effective
Government-funded organization for information security.  One fresh FBI
idea is InfraGard, through which regular people like you and me team up
with law enforcement. It's sort of a cyber-neighborhood watch.  The
program sponsors chapters in cities that have FBI field offices.  A list
of the active chapters is available at
http://www.infragard.net/chapter_main_pg.htm; the cities with active
chapters are marked with a diamond.  If your city doesn't have a
chapter, maybe you could consider starting one.  If an incentive would
help, we are happy to offer a 30% discount for any of our online courses
to InfraGard members.  Contact [EMAIL PROTECTED] for further information.

Another important step we need to take as a community is improving
incident handling. There will always be new vulnerabilities and systems
are going to get compromised, but we have a lot of room for improvement
in how we recover once we are attacked.  SANS already has an excellent
Incident Handling Step-by-Step booklet available,
(http://www.sansstore.org/), created by community consensus, but we as
a community really need to improve our ability to respond to compromises
on specific operating systems.  SANS began a project to develop a Unix
specific response to incidents and made a lot of progress, but that has
gotten stalled and is not up to date with the latest threats.  If you
are experienced with responding to compromised Unix systems and are
willing to help, please drop a note to John Green, [EMAIL PROTECTED].  By
the way, John teaches the popular Unix forensics class in the Unix
Security track and will be teaching the whole track in Honolulu, May 28
- June 1, 2001.  http://www.sans.org/aloha3/aloha3.htm

Obviously we need a similar book for Windows 2000, and we will probably
offer the opportunity to lead the project to one of the folks who
responded to the call for reviewers for the first draft of the Securing
Windows 2000 Step-by-Step guide by Jeff Shawgo, GCNT. (That's short for
GIAC certified in Windows NT/2000 Security.)  For those on the project,
we hope to have the second and final round ready to go out in April. As
always, we need a quick turnaround to make this work, within five days
if possible, and then we will make every effort to get this new booklet
into the field as quickly as possible. And thank you, but we do not need
new reviewers at this point.

Of course you don't know you have an incident until you detect something
has gone wrong.  One of the most popular detection systems is Snort.
Though it is easy to install and run, there are tips and tricks to get
the most out of it.  We are starting a community consensus Step-by-Step
guide for installing and using Snort.  What we need are people who are
willing to take sections of the outline and document every step they
took, so that someone else can follow those steps, get the system
hardened, get Snort installed, and begin to do effective intrusion
detection.  The lead on the project is Chris Kuethe. If you run Snort
and are willing to make significant contributions to the project,
contact [EMAIL PROTECTED].  Also, Loras Even did a writeup on using Snort
on Windows that I thought was really interesting and useful:
http://www.sans.org/newlook/resources/IDFAQ/snort.htm

Making it easier to understand these attacks is another important task
that we as a community need to face.  Have you ever read an advisory of
a new vulnerability and just had no clue what they were talking about?
It happens to me all the time.  For example, when I first heard about
Unicode (http://www.sans.org/infosecFAQ/threats/traversal.htm) I had
no clue what it was about. Then the attackers went on to build more
powerful tools to exploit this vulnerability, creating tools like Back
Gate.

So one of the things that the community needs to do is to make these
vulnerability announcements comprehensible. We also need to provide
accurate threat information detailing whether a threat needs to be dealt
with immediately or may be postponed.

And of course as we put resources in place to make it easier to
understand what these attacks are and how important they are, each of
us has a personal responsibility to use those new resources and
understand the attacks that are decimating our Internet connected
systems.

*******************
Happy Birthday GIAC

The Global Information Assurance Certification is now one year old.  In
March 2000, SANS graduated the first class in the SANS Security
Essentials Certification program.  At SANS 2000 in Orlando, we ran the
first class through the Intrusion Detection Immersion Curriculum.  That
was a six day, five night, monster course.  I still remember shaking
hands with the students as they left the room after the exam - those
were some tired eyes. More than one student wrote on their comment
sheets that we should have issued "I survived the IDIC" T-shirts.
Today, you expect that type of intensity from a SANS track.

Did you notice, we said Global Information Assurance Certification
instead of Global Incident Analysis Center?  Within the next six weeks
we expect to begin the transformation of the Incident Analysis Center
with a new look and a slightly modified mission.

SANS has established the domain ***incidents.org*** and we are moving
our new experimental Consensus Intrusion Database (CID) to this
platform.  This is an exciting development - like an Internet security
weather project.  It gathers and analyzes huge amounts of data from many
ID systems (Snort systems first, but others soon).  CID correlates
information that you send to [EMAIL PROTECTED] with information from
other security organizations that are willing to work together, including
Netsq.com, mynetwatchman.com and dshield.org.

Matt Fearnow was using CID (www.incidents.org/CID) when he noticed the
huge increase in probes to port 53.  He isolated the top IP addresses,
compared notes with other GIAC people, and concluded it had to be a
worm.  We had experienced a similar pattern with the ramen worm:
http://www.sans.org/infosecFAQ/malicious/ramen.htm
http://www.sans.org/infosecFAQ/malicious/ramen2.htm 
http://www.sans.org/infosecFAQ/malicious/ramen3.htm
So we went into incident handling mode to find and try to reduce the
threat from the Lion Worm.
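One way to spot the kind of port 53 probe spike described above and pull out the top source addresses, as an added example that is not code from the newsletter or from incidents.org/CID; the log format and the sample lines are constructed for the example:

```python
from collections import Counter

# Constructed sample firewall log, not real data.
# Format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2001-03-22T01:00 10.0.0.5 -> 192.0.2.10:80
2001-03-22T01:05 10.0.0.6 -> 192.0.2.10:53
2001-03-22T01:10 10.0.0.7 -> 192.0.2.11:25
2001-03-23T01:00 203.0.113.4 -> 192.0.2.10:53
2001-03-23T01:01 203.0.113.4 -> 192.0.2.11:53
2001-03-23T01:02 203.0.113.4 -> 192.0.2.12:53
2001-03-23T01:03 198.51.100.9 -> 192.0.2.10:53
2001-03-23T01:04 198.51.100.9 -> 192.0.2.13:53
2001-03-23T01:05 10.0.0.5 -> 192.0.2.10:80
"""


def parse_line(line):
    """Split one constructed log line into (day, source IP, destination port)."""
    timestamp, src, _arrow, dst = line.split()
    day = timestamp.split("T", 1)[0]
    port = int(dst.rsplit(":", 1)[1])
    return day, src, port


def probes_to_port(log, port):
    """Map each day to the list of source IPs that probed the given port on that day."""
    per_day = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        day, src, dst_port = parse_line(line)
        if dst_port == port:
            per_day.setdefault(day, []).append(src)
    return per_day


def detect_surge(log, port, baseline_day, current_day, factor=3, top_n=5):
    """Flag a surge when probes on current_day reach `factor` times the baseline day.

    Returns (surge_flag, baseline_count, current_count, top_sources), where
    top_sources is a list of (source IP, probe count) pairs for current_day.
    """
    per_day = probes_to_port(log, port)
    baseline = len(per_day.get(baseline_day, []))
    current = len(per_day.get(current_day, []))
    # A baseline of zero would make a single probe a surge; treat it as one probe.
    surge = current >= factor * max(baseline, 1)
    top_sources = Counter(per_day.get(current_day, [])).most_common(top_n)
    return surge, baseline, current, top_sources


if __name__ == "__main__":
    surge, base, cur, top = detect_surge(SAMPLE_LOG, 53, "2001-03-22", "2001-03-23")
    print(f"port 53 probes: baseline={base} current={cur} surge={surge}")
    for src, count in top:
        print(f"  {src}: {count} probes")
```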

Incidents.org, like the Global Incidents Analysis Center, hopes to never
charge anyone for assistance.  If your system has been attacked, we will
try to find a volunteer incident handler to help you and give you
support by email or possibly by phone as well.  Of course we have to
pay Matt and will probably need a bigger server for CID at some point...
Do you like the logo on the web page?  We plan to print some hospital
scrub shirts with the logo and sell them as a fund raiser for
Incidents.Org at SANS 2001, Baltimore.
(http://www.sans.org/SANS2001.htm)


*********************************************
Testing for Security Essentials Certification Without Taking The Courses
(The "Challenge" Tests)

Scott Sumner, GSEC, is the first person to successfully pass the new
"challenge" test for SANS Security Essentials Certification, having
earned the certification without taking the SANS Security Essentials
courses. We created the challenge test in response to your numerous
requests.  You may signup for the challenge test at
http://www.sans.org/giactc/GSEC_challenge.htm.

To earn GSEC certification, you must get a passing grade on the test
and also do a practical project to demonstrate mastery. The cost for
the GSEC is $425. If you successfully complete the practical and exam,
you will be eligible for recertification in a year, and that will
include full access to all online course material so you can quickly
update your knowledge.

We are working on challenge tests for the other certifications and will
let you know when they become available.

**********************************************
Intrusion Detection Training Goes Live Online 

We are really excited to announce that our Intrusion Detection Immersion
Curriculum is now available online.  Students that do not work with
packet decoding and hexadecimal math on a daily basis will benefit from
additional time to absorb and master the material. The online course is
taught an hour at a time, with reinforcement quizzes after each section.
We are currently offering an introductory discount of 25% off the full
price of $2,235.  Until April 27, 2001, IDIC online tuition is only
$1675.  http://www.sans.org/giactc/ID_info.htm.


****************
Follow the Money

Many people that I talk to simply do not understand exactly how cyber
attack activity is related to money. We need to change the image that
many people have of attackers as "just a bunch of kids having harmless
fun."  When you are investigating a crime, computer or otherwise, always
be sensitive to a single question: "Could money be involved?" If so,
follow the money! In an attack on an e-commerce system, crooks can
capture thousands of credit card numbers that can be sold. And they can
extort money to keep from disclosing the numbers. In addition, because
so many contracts are being signed on line, entire transactions are
subject to malicious transformations or theft. However, most of us have
no idea how money flows and is at risk in e-commerce, so we
commissioned a course that we are going to run in May at SANS 2001
called e-Money.
http://www.sans.org/SANS2001/sunday1.htm#SUN-1-7 
If you are in an e-business, or you are responsible for crime
investigation, consider adding this course to your program at SANS 2001.
Granted, this doesn't have the sizzle of a course on hacker exploits or
intrusion detection, but attackers will be going for money. Shouldn't
you be equipped to follow the money?


******************************
Local Security Mentor Programs

The first of these, in Omaha, is now underway.  If you are certified
and want to help others in your city or organization get security
training at a significant cost savings, then perhaps you would consider
becoming a mentor.  Other opportunities include:
- Calgary, Canada, KickStart beginning April 17, 2001
- Charleston, SC, KickStart begins May 1, 2001
- St. Louis, MO, KickStart begins May 25, 2001
- Edmonton, Canada, KickStart begins May 29, 2001

For more information about the program please contact [EMAIL PROTECTED]


************************************
Late Breaking Conference Information

Since I last wrote you, another conference sold out (eCoast II) and
Triangle Park will close registration next because it will be sold out
soon, as well.

Firewalls, SANS Security Essentials, Windows Security, and Advanced
Incident Handling are selling fast for SANS 2001, May 13 - 20 in
Baltimore as are several other classes. Please do not delay registering
if you are planning to attend SANS 2001.

SANS SpringBreak, April 18 - 22 in Orlando,
http://www.sans.org/springbreak.htm. There is a special class to look at
there; it is a two-day hands-on assessment course.  You keep asking for
hands-on; here it is!

Caribbean SANS will be held June 5 - 8, 2001 in the Caribe Hilton in
Puerto Rico. The course will be taught in English, but the instructor
can answer questions and explain concepts in Spanish.  If you know
someone who would benefit from a bilingual course offering, please let
them know about this.  http://www.sans.org/caribbean/caribbean.htm

Eric Cole, Jason Fossen, and I are coming to Malaysia (July 10 - 13,
2001).  The three-track conference will offer SANS Security Essentials,
Firewalls, and Windows 2000 Security.

http://www.sans.org/fareast/fareast.htm

********************************
Call For Instructors and Authors 

To be a SANS instructor or advisory board member you must be recognized
as an expert practitioner in the subject you wish to instruct.  We give
consideration to people who score a 90 or above on Level II exams.
Potential SANS instructors are asked to present during SANS At Night or
in a one-hour talk at a technical conference. That gives the community
a chance to assess the candidate's teaching skills.  If you are
interested in teaching in one of our conferences, please contact Deb
Tuttle.  [EMAIL PROTECTED]

Also, the Call for Papers has been released for our Network Security
Conference in San Diego, October 15 - 22, 2001. This will be the largest
network security conference ever held and will feature new programs on
useful security tools and other innovations.  If you have something that
is useful to share with the community, perhaps something they can put
to work immediately upon returning to the office, please check out the
Call for Papers.  http://www.sans.org/NS2001/cfp.htm


That's it for now.  Until next time, I hope your efforts to improve
security are fruitful, that your management is giving you the support
and time needed to learn and do the job effectively, and that the SANS
Information Security Reading Room and our other free updates are helping
you stay current with new threats and techniques.

Stephen Northcutt 
The SANS Institute

