A Practical Approach to Manage Phishing Incident with URL Filtering
   Kasom Koth-Arsa, Surachai Chitpinityon, Julllawadee Maneesilp
   Kasetsart University, Bangkok, Thailand.
Agenda

Introduction
Objective
Phishing Management System
Conclusion
Introduction
 What is phishing?
 Why is phishing important?
 Who are we concerned about with phishing?
What is phishing?

  Phishing is an online form of deception
  The attacker pretends to be someone else
  to obtain sensitive information from the victim
Why is phishing important?

  A serious threat to Internet usage
  Growing very fast
  Fraud that affects many websites and organizations
  More advanced and complex techniques that turn an organization's website
   into a seemingly trusted financial website to gain confidential user
   information
Who are we concerned about with phishing?
Educational institutions are among the most attacked organizations.
   They organize their network systems by dividing them into many
    sub-departments.
   This hierarchical structure makes effective management and
    network-security enforcement a challenge.
UniNet
 Largest university network provider in Thailand, run by the Ministry of Education
   1 Gbps and 10 Gbps links countrywide
 UniNet has 431 member institutes
   240 universities
   134 vocational schools
   57 primary schools
 100,000-plus users



Phishing becomes a serious problem!
Objective
Develop a phishing management solution that handles the whole
 anti-phishing process for UniNet
   Systematic procedure
   Fast response
   Tracking, monitoring and collecting phishing information
   Intelligent URL filtering system to enforce blocking of the
    specified URL
   Block only the phishing URL, not the whole site
Phishing Management System
System Module
  Account Management
  Ticket Management
  Web Filtering
Interaction Diagram
Use Case Diagram
System Configuration
System Module
 [Diagram: Account Management, Incident Management, Tracker & Reporter, Ticket Management, Account Database, Phishing Database, URL Filtering]
Account Management Module
Users must register with our system before reporting a phishing website,
using the following information:
     Full name
     Company
     E-mail
     Username
     Password

Identification procedure
Ticket management module
 Manage phishing events
 Easy to manage and track incidents using ticket status
 [Diagram: Ticket management, containing Incident management and Tracking & Reporting]
 Ticket statuses:
   Created
   Deleted
   Opened
   Verified
   Canceled
   Blocked
   Site Take Down
   Closed
URL Filtering (Web Screen)
Phishing system can block/unblock web access to
 the phishing site through the URL filtering
 system.

     URL Filtering

        TCP Session Hijacking Technique
        Intercept HTTP request
        Inject forged HTTP reply
        Block or redirect access of any given URL
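
The per-URL decision behind "block only the phishing URL, not the whole site", as an added example that is not part of the original slides or UniNet's implementation: it parses a captured HTTP request, normalizes host and path, and looks the result up in a blocklist. The host name, the blocklist entry, the function names and the choice to ignore the query string are assumptions.

```python
# Added example, not UniNet's code: per-URL block decision for a pass-by filter.
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed blocklist: one phishing page on a host that also serves normal pages.
BLOCKED_URLS = {"www.faculty.university.example/~user/bank/login.html"}

def normalize(host: str, target: str) -> str:
    """Canonical 'host/path' key: lowercase host, default port removed,
    percent-escapes decoded, duplicate slashes and dot-segments resolved.
    Assumption: the query string is ignored when matching."""
    if not target.startswith("/"):        # absolute-form target (proxy style)
        parts = urlsplit(target)
        host, target = parts.netloc or host, parts.path or "/"
    host = host.strip().lower()
    if host.endswith(":80"):
        host = host[:-3]
    host = host.rstrip(".")
    path = unquote(target.split("?", 1)[0])
    return host + posixpath.normpath("/" + path.lstrip("/"))

def parse_request(payload: bytes):
    """Return (method, target, host) from a captured HTTP/1.x request head,
    or None when the payload is not a parsable request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    fields = lines[0].split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/1."):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value
            break
    return fields[0], fields[1], host

def decide(payload: bytes) -> str:
    """'block' only for an exact blocklisted URL; everything else passes."""
    req = parse_request(payload)
    if req is None:
        return "pass"                     # unparsable traffic is never held
    _, target, host = req
    return "block" if normalize(host, target) in BLOCKED_URLS else "pass"
```

Without the normalization step, the same page requested with a different host case, an escaped `~`, a doubled slash or a `..` segment would miss the blocklist entry.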
Pass-by URL Filtering
 [Diagram: Client, Gateway, Internet and Filtering Engine, with steps numbered 1, 2 and 3]
 Ease of installation (no traffic interruption)
 Non-blocking traffic stream
 No single point of failure
 Scalable

 Traffic is captured and passed by without queuing
 Zero delay, independent of traffic volume
TCP Session Hijacking
 [Sequence diagram: columns Client, Filtering, Server; messages in order]
   SYN J
   SYN K, ACK J+1
   ACK K+1
   Data (HTTP request)
   FIN L: faked FIN by Filtering Engine
   Data (reply): packet will be ignored
Interaction Diagram
 [Sequence diagram: columns Company, UniNet Administrator, Web Filtering Engine, University Administrator]
   Report a phishing URL (open a ticket)
   Block URL
   Verify the phishing URL
   The ticket is set to canceled
   Inform the corresponding university administrator to investigate the incident
   Server investigation/cleaning
   Inform that the server is already clean
   Re-verify the URL
   Cancel the blocking of the URL
   Close the ticket, inform both parties
Use Case Diagram
 [Diagram: actors Company, University Administrator and UniNet Administrator; use cases Create ticket, View ticket, Create Account, Notify incident cleared, Change ticket status, Manage Account, Block/unblock URL]
System Configuration
 [Diagram: UniNet Network, Backbone, Gateway, Internet, Phishing Management and Phishing Filtering Engine, with links labeled 10G, 1G, SPAN and management]
User Ticket Tracking Screenshot
Conclusion
The Phishing Management System is now in initial deployment on the
 UniNet infrastructure
   Enables UniNet to respond more quickly to phishing incidents
   Enables statistical logging that helps UniNet anticipate future
    problems and improve network security
   Designed to handle a 10 Gbps network (needs some more hardware
    to complete)
Thank you.

				