COLLECTING EVIDENCE IN A CORPORATE INTRANET ENVIRONMENT
Design of a Network-Access Audit Log for Security Monitoring and Forensic Investigation

Atif Ahmad, Tobias Ruighaver
Department of Information Systems, University of Melbourne
atif@unimelb.edu.au, tobias@unimelb.edu.au

Abstract

An attempt at determining the source of anomalous network traffic may result in the identification of the networked system where it originated. From a forensic point of view, however, it is almost impossible to positively identify the application, or the user behind the application, that generated the traffic: many users may have been using the networked system, and there remains the possibility that the traffic was generated by a Trojan horse. We propose a network-access log that bridges the gap between system event logs and network monitoring by extending event logging on individual hosts with information pertaining to the generation of network traffic. The key contribution of the proposed network-access audit log is the establishment of a chain of evidence linking outgoing traffic to its source, thereby improving the network security of an intranet.

Keywords: Security Monitoring, Forensic Investigation, Network Monitoring, Event Log.

INTRODUCTION

Recent trends in Trojan horse deployment indicate an alarming increase in the use of deceptively modified scripts and programs to gain unauthorized access to computer systems (Gordon et al. 1998). Traditionally it has been the insider threat, both malicious and unintended, that has posed the most potent challenge to computer security. Today the Trojan horse has emerged as a new cause for concern and is expected to compete with the insider threat as the main source of security violations. Trojan horse detection is often integrated into anti-virus software. Detecting Trojan horses on a large scale using a template-based file-identification paradigm implicitly assumes that those Trojan horses are being employed to gain unauthorized access to more than one system at a time.
More hazardous Trojan horses are those that are tailored to a single target and hence may not appear elsewhere (Gordon et al. 1998). To counter unique or rare Trojan horses dedicated to particular targets we cannot continue to rely only on file-identification paradigms, whether template-based or generic; more sophisticated methods of detection must be employed. From a forensic point of view, it is currently difficult or even impossible to ascertain whether a malicious attack originates from a Trojan horse or from some other source. Although some Trojan horse behaviour can be detected by monitoring network traffic, most traffic patterns caused by Trojan horses and other malicious network applications cannot easily be differentiated from non-malicious traffic on the network. More importantly, even when the presence of a malicious program is known, it may still be impossible to identify from the network traffic alone which traffic originates from the malicious application and which has been produced by other network applications.

This paper first discusses the inadequacy of currently available auditing techniques. We then propose a model for a network-access audit log aimed at recording the network-related behaviour of applications. We show that logging this behaviour makes it much easier to identify malicious network traffic and that, by tracing network attacks back to the actual application that generated the traffic, these logs may also allow the forensic investigator to establish the exact involvement of the user in the attack.

COLLECTING EVIDENCE IN A CORPORATE INTRANET ENVIRONMENT

Traditionally, logging has been the primary source for documenting events happening in operating systems. Event logs aim to record significant events so that, when an incident takes place, the administrator has some idea of what transpired (Murray 1998).
Event logging has been based on the old centralized computing model, which is now largely obsolete.

1st Australian Computer, Network & Information Forensics Conference 2003 Page 1
In an intranet-type environment where resources are distributed, events on one computer are frequently related to those on another. In these scenarios centralized logging leads to extremely localized (and short) chains of evidence that are difficult to relate to other chains on other computers within the same intranet. Network traffic logging has helped to connect links of evidence that exist on different operating systems and are related through the use of network connectivity. In the case of malicious use of remote commands, if the network traffic is recorded it can typically be traced to a source address, thereby connecting it to the computer from which the attack originated. In general, however, there is not enough information in the event logs of the source system to identify which application initiated the network traffic and what caused it to be initiated in the first place. Specifically, intention is extremely difficult to establish in such an environment. Even if a user account can be linked to the use of privileges that led to the generation of malicious network traffic, the user may still claim that he/she didn't do it. It may then become necessary to provide a source of evidence that establishes the identity of the user and cannot easily be repudiated, such as physical access control logs or CCTV pictures.

Industry standards and expert advice in the area of incident handling have traditionally limited the scope of the crime scene to the computer system itself. In a corporate intranet, broadening the scope to include the immediate physical work environment around the computer system will significantly improve the context of computer-based evidence. It has been well documented that the vast majority of malicious incidents that aim at harming corporate interests originate from the work environment.
Including the immediate work environment surrounding computer systems will preserve the chain of evidence that has traditionally ended at the user terminal. A significant percentage of financial loss is also due to unintentional human error. In these cases evidence collection in the work environment will provide useful intelligence that may help explain the why and the how of the incident. In effect, such intelligence may assist in reducing the cost of human error in the long term.

Figure 1: Chain of evidence linking user to incident

THE RATIONALE FOR NETWORK ACCESS LOGGING

Event logging in a generalized sense is simply a process by which details regarding a significant event are recorded on a persistent medium for future reference. Traditionally event logging has focused on events happening in the operating system of individual computers. Event logging facilities aim to record significant events in case the system went down and the administrator wanted some idea of what had transpired (Murray 1998). Today the centralized computing model is largely irrelevant: the average workplace employs a distributed architecture in which users no longer generate traffic on a centralized system. Instead, dedicated workstations generate network traffic and access network resources (such as file servers) on demand. This distributed computing model has replaced the centralized model as the preferred computing architecture and has gained wide acceptance in workplaces today. Unfortunately, general event logging technology has not kept up with this development. Obviously, event logging too should become distributed. However, just collecting the event logs of every system in a centralized event database is not an adequate solution: without adapting the system's event logging mechanism to its new role, each system will only record events as if it were stand-alone.
Figure 2: Windows NT event log entry

To address the obvious deficiencies of current event logs, some system administrators are trying to gather data from the network itself (Mukherjee et al. 1994). However, there is a lack of guidelines on what data should be collected, while the collection itself has become difficult through the widespread use of LAN switches. Hence, system administrators often have to rely on commercial network monitoring tools designed to ensure the efficient running of the network. Better, but still relatively expensive, are commercial network intrusion detection tools. In both cases, the data collected will be limited by the original objectives of the collection tools.

Even when a systematic network monitoring approach is combined with the traditional logging of system events, a forensic investigator faces difficulties. The low level of abstraction of the information contained in network logs makes it difficult to get a detailed understanding of what is happening on the network (Sommer 1998). And when suspicious network patterns have finally been identified, it may only be possible to trace them back to the systems involved. If the attacker has not manipulated the internal timing of the identified systems, it may also be possible to find out which user account was involved. In general, there will not be enough information in the event logs to determine whether the traffic was directly initiated by the user, was generated by a specific application running without the user being aware, or perhaps resulted from some other event (Sommer 1998).
The following is a sample of tcpdump output showing network events; it illustrates the limited data available when recording network traffic (Loza 2000):

    # tcpdump
    tcpdump: listening on hme0
    11:17: > : udp 82
    11:17: pine.tree.com > birch.tree.com.telnet: =>S : (0) win 8760 <mss 1460> (DF)
    11:17: pine.tree.com > oak.tree.com: icmp: echo request (DF)
    11:17: oak.tree.com > pine.tree.com: icmp: echo reply (DF)
    11:17: arp who-has tell

Table 1: tcpdump entries

    Field                     Data
    Timestamp                 11:17:
    Source.Port > Dest.Port   > :
    Protocol                  udp
    Bytes of data             82

We are primarily concerned with the first line of this example, where host sends data to host through port. Tcpdump tells us that the protocol used is UDP and that 82 bytes were passed in this direction. Note the limited information we are able to obtain from such network logging.

To bridge the gap between system event logs and network monitoring, we need to extend event logging on each system with information on the source of network traffic. We can assume at this point that all host-based traffic
will be initiated by a network application or service and will have to pass through the network subsystem (or network stack) of the host before being placed on the network itself. Hence, in the next section we further develop the concept of a network-access log that records details regarding significant events that have occurred during the generation of network requests and during the processing of these requests by the network stack. By creating a log of events regarding the nature of all network requests, one that links the user to the program generating the requests and that program to the traffic it produces, we believe we are able to improve accountability for both user behaviour and program behaviour in a distributed computing environment.

OBJECTIVES OF NETWORK ACCESS LOGGING

As computing moved from stand-alone computers to a networked environment, it became obvious that the available audit logs were no longer sufficient as the only source of evidence. To improve the situation, system administrators currently have no choice but to fall back on whatever network monitoring or network intrusion detection tools they have available (Sommer 1998). They will be limited by the options these tools offer for generating network logs and other output. The proposed network-access log will offer a third source of evidence regarding the behaviour of any network application responsible for initiating network traffic. The types of events of interest to this log include the starting of these applications by the user as well as any action carried out by these applications that eventually results in the generation of network traffic. The behaviour of network applications can be both passive and active: passive behaviour includes listening for incoming data, and active behaviour includes sending data to an external entity.
Whereas both require the invocation of system calls, at the network driver level only the sending of data (active behaviour) is detectable. Logging events elsewhere in the network stack is therefore also needed to detect the passive behaviour of a network application. In many cases it is the passive behaviour of a network application that is indicative of the true nature of the application. For example, a web browser and a web server both send and receive data through the network subsystem on port 80. Differentiating the two at the network driver level based on whether they send or receive data is difficult. However, monitoring the network application's invocation of services from the network subsystem (e.g. listen()) will make the distinction stand out clearly.

The primary objective of the network-access log is to record any data a forensic investigator may need to prove the historical chain between the source of the traffic (user, application, etc.) and each component that takes part in shaping the resultant network packet sent onto the physical link, so as to maintain accountability for all network traffic outgoing from the system. The main trade-off in any event logging mechanism is to keep system overheads and use of disk space within acceptable limits while at the same time maximizing the amount of useful information in the event logs (Schaen et al. 1991). Hence, it is important to prevent excess redundancy in the event logs and to provide flexible options that allow the system administrator or security specialist to tailor the audit policy.

THE BRIDGE MODEL

It is important to establish that if collecting events at the network card level is not adequate, we no longer have a single point of collection for network-related events. In most operating systems, the network stack can be invoked at different levels depending on the intended functionality of the network application involved.
Further examination also shows that there is no obvious location at which monitoring would be able to achieve all of the above objectives of the audit log. Sufficient abstraction is required to minimize redundant data, together with one or more strategic locations that allow the capture of the most useful data about the network traffic while ensuring that no traffic circumvents these monitored locations. If we accept that we can no longer monitor at the network card level, we may also have to accept that we can no longer guarantee that a malicious user or program can never bypass our event logging mechanism. We can only make circumvention of our monitoring points as difficult as possible. Although in general network calls may use any installed transport protocol and any available path through the network stack, there is only a small, fixed number of entry points to the stack that are commonly used. Rather than monitoring the behaviour of outgoing traffic through the entire stack, we propose that simply monitoring the entry points, while ensuring that the path from each entry point to the lowest layer is protected from tampering, will be sufficient. If we can assume that system administrator privileges have not been compromised, such protection can easily be instituted through the use of change-detection software.
Logging every access point in the entire network stack may be possible, but such an approach introduces significant redundancy into the resulting logs. Hence, instead of monitoring all access points, we propose this bridge model, in which we endeavour to monitor a minimum number of points while ensuring that all traffic flows through them by protecting the stack from illegal entry or other attempts to circumvent those points. To confirm the viability of this bridge model we examined the flow of network requests through the network stack of Windows NT.

PRELIMINARY EXAMINATION OF NETWORK REQUESTS THROUGH THE NT NETWORK STACK

Network applications generate network traffic by sending outgoing data through one or more DLLs. These DLLs make up the various layers of the network stack and eventually pass the data to the network card, which deposits it onto the network. To demonstrate the difference between the passive and active behaviour of a network-aware application, we display the start-up sequence of a web browser at the top (Win32 API) and bottom (network card) of the network stack. The start-up sequence consists of the invocation of the web browser and ends with the completed loading of its default homepage. The following table lists the function calls made at the API layer (the first 30 calls are shown). Address resolution and network address conversion functions (inet_addr, ntohs, htonl, inet_ntoa, etc.) and socket address resolution (getsockname) have been omitted.

Table 2: Possible function calls used in the start-up sequence of a web browser

    Call  API call        Function
    1     WSAStartup      Initiates use of the Windows Sockets DLL by a process.
    2     gethostbyname   Gets host information corresponding to a hostname.
    4     socket          Creates a socket that is bound to a specific service provider.
    7     bind            Associates a local address with a socket.
    8     gethostbyname
    14    connect         Establishes a connection to a peer.
    15    socket
    17    ioctlsocket     Controls the mode of a socket.
    18    bind
    23    connect
    24    select          Determines the status of one or more sockets, waiting if necessary.
    25    send            Sends data on a connected socket.
    26    WSAFDIsSet
    27    recv            Receives data from a socket.
    28    select

The majority of the above Winsock API calls are passive. The only active calls visible from the network card are send() and recv(). Web browsers follow a fixed sequence of calls when establishing a socket connection (see Fig. 3); these calls form a recognizable pattern that can be used to identify anomalous Winsock activity by processes masquerading as web browsers. An interesting piece of information to a forensic investigator would be the existence of an unsuccessful socket() call made by the network application. Unsuccessful socket() calls can occur for a variety of reasons, including the failure of the network subsystem or the absence of a preceding WSAStartup() call. Any of these events provides a clear signal to investigators that unauthorized network calls were placed.

The main features of a network-access log would be the recording of the time a network application was invoked, the absolute path of the executable, the process id, and the active and passive behaviour of the executing process. The network-access log represents a continuing chain of evidence relating outgoing network traffic to its system-based origins.
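The chain of evidence set out under OBJECTIVES OF NETWORK ACCESS LOGGING (packet to application to user) and the call-sequence check described above for Table 2 can both be worked through against a small log. The following Python is an added example, not code from the paper or its authors; the record format (one JSON object per line with ts, pid, user, exe, event, status and endpoint fields), the hosts, ports and process ids, and the prerequisite ordering in CLIENT_ORDER are all assumptions constructed for this example.

```python
import json

# Calls whose effect is visible at the network card (the paper names send() and
# recv()); every other Winsock call in Table 2 is passive and only visible at the
# API entry point, which is why the log records calls there.
ACTIVE_CALLS = {"send", "recv"}
# Calls that only a server needs; a web browser has no reason to make them.
SERVER_ONLY_CALLS = {"listen", "accept"}
# Assumed prerequisite ordering of a Winsock client, taken from the browser
# start-up sequence in Table 2: each call must be preceded by all earlier ones.
CLIENT_ORDER = ["WSAStartup", "socket", "connect", "send"]

# Constructed sample log (assumed format: one JSON record per line). Process 412
# is a normal browser session, 577 is a binary named like a browser that listens
# on port 80, and 690 calls socket() without WSAStartup() and fails.
SAMPLE_LOG = r"""
{"ts": "11:17:01", "pid": 412, "user": "alice", "exe": "C:\\Program Files\\Browser\\browser.exe", "event": "start"}
{"ts": "11:17:01", "pid": 412, "event": "WSAStartup", "status": "ok"}
{"ts": "11:17:02", "pid": 412, "event": "gethostbyname", "status": "ok"}
{"ts": "11:17:02", "pid": 412, "event": "socket", "status": "ok", "sock": 7}
{"ts": "11:17:02", "pid": 412, "event": "bind", "status": "ok", "sock": 7, "local": "10.0.0.5:1033"}
{"ts": "11:17:02", "pid": 412, "event": "connect", "status": "ok", "sock": 7, "remote": "10.0.0.9:80"}
{"ts": "11:17:03", "pid": 412, "event": "send", "status": "ok", "sock": 7, "bytes": 312}
{"ts": "11:17:03", "pid": 412, "event": "recv", "status": "ok", "sock": 7, "bytes": 4096}
{"ts": "11:18:10", "pid": 577, "user": "bob", "exe": "C:\\Temp\\browser.exe", "event": "start"}
{"ts": "11:18:10", "pid": 577, "event": "WSAStartup", "status": "ok"}
{"ts": "11:18:10", "pid": 577, "event": "socket", "status": "ok", "sock": 3}
{"ts": "11:18:10", "pid": 577, "event": "bind", "status": "ok", "sock": 3, "local": "0.0.0.0:80"}
{"ts": "11:18:10", "pid": 577, "event": "listen", "status": "ok", "sock": 3}
{"ts": "11:19:00", "pid": 690, "user": "bob", "exe": "C:\\Temp\\update.exe", "event": "start"}
{"ts": "11:19:00", "pid": 690, "event": "socket", "status": "fail", "error": "WSANOTINITIALISED"}
"""


def parse_log(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def process_info(events, pid):
    """The invocation record of a process: who started it, which executable, when."""
    for e in events:
        if e["pid"] == pid and e["event"] == "start":
            return {"pid": pid, "user": e["user"], "exe": e["exe"], "started": e["ts"]}
    return None


def trace_packet(events, src_port, dst):
    """Link an outgoing packet seen on the wire (source port, destination
    address:port) back to the process and user behind it. The source port must
    match a logged bind() and the destination a logged connect() on the same
    socket of the same process; this is the link tcpdump alone cannot supply."""
    for b in events:
        if b["event"] != "bind" or not b.get("local", "").endswith(":%d" % src_port):
            continue
        for c in events:
            if (c["pid"] == b["pid"] and c["event"] == "connect"
                    and c.get("sock") == b.get("sock") and c.get("remote") == dst):
                return process_info(events, b["pid"])
    return None


def split_behaviour(events, pid):
    """Separate a process's calls into active (visible at the card) and passive."""
    calls = [e["event"] for e in events if e["pid"] == pid and e["event"] != "start"]
    active = [c for c in calls if c in ACTIVE_CALLS]
    passive = [c for c in calls if c not in ACTIVE_CALLS]
    return active, passive


def audit_process(events, pid, expected_role="client"):
    """Findings for one process: failed calls, calls made before their
    prerequisites in CLIENT_ORDER, and server-only calls from a supposed client."""
    findings, seen = [], []
    for e in events:
        if e["pid"] != pid or e["event"] == "start":
            continue
        call = e["event"]
        if e.get("status") == "fail":
            findings.append("%s() failed: %s" % (call, e.get("error", "unknown")))
        if call in CLIENT_ORDER:
            missing = [p for p in CLIENT_ORDER[:CLIENT_ORDER.index(call)] if p not in seen]
            if missing:
                findings.append("%s() called before %s()" % (call, ", ".join(missing)))
        if expected_role == "client" and call in SERVER_ONLY_CALLS:
            findings.append("%s() is server behaviour, unexpected for a client" % call)
        seen.append(call)
    return findings


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    # A packet from 10.0.0.5:1033 to 10.0.0.9:80, as tcpdump would report it,
    # resolves to the process and the user who started it.
    print(trace_packet(EVENTS, 1033, "10.0.0.9:80"))
    for pid in (412, 577, 690):
        print(pid, split_behaviour(EVENTS, pid)[0], audit_process(EVENTS, pid))
```

The listener in process 577 binds port 80 but never connects, so a packet with source port 80 cannot be attributed to it by this chain; only send()/recv() by 412 leave a trace at the card.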
Figure 3: Sequence of calls followed by web browsers when establishing a socket connection

CONCLUSION

The key contribution of the proposed network-access audit log is the establishment of the chain of evidence linking outgoing traffic to its source. Previously, detection of anomalous traffic would result in, at best, an indication of which system it came from. Currently, with many users using the system and with the possibility of network traffic generation by Trojan horses, it is almost impossible to determine the application, or the user behind the application, that generated the traffic. The network-access log, on the other hand, provides the facility by which any piece of network traffic can be traced to its source. The main advantage of the network-access log is the detection of masquerade attacks (web servers acting like browsers or sending mail files, TCP/IP applications using other protocols and ports to send or receive messages, or anomalous behaviour by legitimate applications); however, the log can also build an indirect profile of the network traffic generated by the host. Change detection applied to the log allows it to become part of a distributed intrusion detection mechanism that detects insider threats.

The primary weakness of this log is its inability to detect the use of unauthorized transport protocols. In order to generate network traffic, local system components must use all or part of the network subsystem to generate packets that will eventually be placed on the network. These packets are formed by transport protocols that consist of software installed by the system's administrator. It is assumed that the path(s) traversed by outgoing data destined for the network are inviolable, i.e. all outgoing data must enter the network subsystem using one or more of the approved paths before being placed on the network.
Installation of non-standard or unauthorized packages that allow local components to circumvent any or all of these paths will violate the integrity of the audit log. Hence it is assumed that administrator privileges on the system are secure and that the system administrator takes care when installing new network stacks to ensure that these are monitored as well. Finally, while the network-access log attempts to record the behaviour of local components of the system that generate network traffic, the outgoing data itself is not filtered or inspected for anomalous content. Therefore, detecting normal network applications that do not behave in a suspicious manner but send confidential data will not be possible via this log.

REFERENCES

Loza, Boris (2000). Sniff Your Own Networks with TCPDUMP.
Gordon, S. and D. M. Chess (1998). Where There's Smoke, There's Mirrors: The Truth about Trojan Horses on the Internet. Virus Bulletin Conference.
Murray, J. D. (1998). Windows NT Event Logging. O'Reilly & Associates.
Mukherjee, B., L. T. Heberlein, et al. (1994). Network Intrusion Detection. IEEE Network (May/June 1994).
Sommer, P. (1998). Intrusion Detection Systems as Evidence. RAID 98, Louvain-la-Neuve, Belgium.
Schaen, S. I. and B. W. McKenney (1991). Network Auditing: Issues and Recommendations. IEEE.
Bishop, M. (1995). A Standard Audit Trail Format. Proceedings of the 1995 National Information Systems Security Conference, Baltimore, MD.
Ranum, Marcus J. et al. Implementing A Generalized Tool For Network Monitoring. USENIX 11th Systems Administration Conference, San Diego, Oct

COPYRIGHT

[Atif Ahmad, Tobias Ruighaver] The author/s assign the We-B Centre & Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. The authors also grant a non-exclusive license to the We-B Centre & ECU to publish this document in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the authors.
More informationScrutinizer Flow Analytics
Scrutinizer Flow Analytics TM Scrutinizer Flow Analytics Scrutinizer Flow Analytics is an expert system that highlights characteristics about the network. It uses flow data across dozens or several hundred
More informationNetworking interview questions
Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected
More information10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS
10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS WHITE PAPER INTRODUCTION BANKS ARE A COMMON TARGET FOR CYBER CRIMINALS AND OVER THE LAST YEAR, FIREEYE HAS BEEN HELPING CUSTOMERS RESPOND
More informationCyber security tips and self-assessment for business
Cyber security tips and self-assessment for business Last year one in five New Zealand SMEs experienced a cyber-attack, so it s essential to be prepared. Our friends at Deloitte have put together this
More informationNetworking IP filtering and network address translation
System i Networking IP filtering and network address translation Version 6 Release 1 System i Networking IP filtering and network address translation Version 6 Release 1 Note Before using this information
More informationR (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.
R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting
More informationn Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test
Chapter Objectives n Explain penetration testing concepts n Explain vulnerability scanning concepts Chapter #4: Threats, Attacks, and Vulnerabilities Vulnerability Scanning and Penetration Testing 2 Penetration
More informationInternal Audit Report DATA CENTER LOGICAL SECURITY
Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory
More informationCYBER RESILIENCE & INCIDENT RESPONSE
CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable
More informationSpecialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com
Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE s3security.com Security Professional Services S3 offers security services through its Security Professional Services (SPS) group, the security-consulting
More informationChapter 7 Forensic Duplication
Chapter 7 Forensic Duplication Ed Crowley Spring 11 Topics Response Strategies Forensic Duplicates and Evidence Federal Rules of Evidence What is a Forensic Duplicate? Hard Drive Development Forensic Tool
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (9 th Week) 9. Firewalls and Intrusion Prevention Systems 9.Outline The Need for Firewalls Firewall Characterictics and Access Policy Type of Firewalls
More informationOverview. Computer Network Lab, SS Security. Type of attacks. Firewalls. Protocols. Packet filter
Computer Network Lab 2017 Fachgebiet Technische Informatik, Joachim Zumbrägel Overview Security Type of attacks Firewalls Protocols Packet filter 1 Security Security means, protect information (during
More informationINSIDE. Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server. Enhanced virus protection for Web and SMTP traffic
Virus Protection & Content Filtering TECHNOLOGY BRIEF Symantec AntiVirus for Microsoft Internet Security and Acceleration (ISA) Server Enhanced virus protection for Web and SMTP traffic INSIDE The need
More informationControls Electronic messaging Information involved in electronic messaging shall be appropriately protected.
I Use of computers This document is part of the UCISA Information Security Toolkit providing guidance on the policies and processes needed to implement an organisational information security policy. To
More informationIT ACCEPTABLE USE POLICY
CIO Signature Approval & Date: IT ACCEPTABLE USE POLICY 1.0 PURPOSE The purpose of this policy is to define the acceptable and appropriate use of ModusLink s computing resources. This policy exists to
More informationCryptography and Network Security Chapter 1
Cryptography and Network Security Chapter 1 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 1 Introduction The art of war teaches us to rely not on the likelihood of the enemy's
More informationCyberspace : Privacy and Security Issues
Cyberspace : Privacy and Security Issues Chandan Mazumdar Professor, Dept. of Computer Sc. & Engg Coordinator, Centre for Distributed Computing Jadavpur University November 4, 2017 Agenda Cyberspace Privacy
More informationTraining for the cyber professionals of tomorrow
Hands-On Labs Training for the cyber professionals of tomorrow CYBRScore is a demonstrated leader in professional cyber security training. Our unique training approach utilizes immersive hands-on lab environments
More informationHOW TO ANALYZE AND UNDERSTAND YOUR NETWORK
Handbook HOW TO ANALYZE AND UNDERSTAND YOUR NETWORK Part 3: Network Traffic Monitoring or Packet Analysis? by Pavel Minarik, Chief Technology Officer at Flowmon Networks www.flowmon.com In previous two
More informationTwitter Adaptation Layer Submitted for Drexel University s CS544
Twitter Adaptation Layer Submitted for Drexel University s CS544 Josh Datko www.datko.net 9 June 2012 1 Description of Service The Twitter Adaptation Layer (TWAL) provides connected, best-effort-end-to-end
More informationOverview of TCP/IP Overview of TCP/IP protocol: TCP/IP architectural models TCP protocol layers.
Overview of TCP/IP 3 Overview of TCP/IP protocol: TCP/IP architectural models TCP protocol layers. 4 2 5 6 3 7 8 4 9 10 5 11 12 6 13 14 7 15 16 8 17 18 9 19 20 10 21 Why TCP/IP? Packet based Provides decentralized
More informationNetwork Forensics and Privacy Enhancing Technologies living together in harmony
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2006 Network Forensics and Privacy Enhancing Technologies living together
More informationConfiguring IP Services
CHAPTER 8 Configuring IP Services This chapter describes how to configure optional IP services supported by the Cisco Optical Networking System (ONS) 15304. For a complete description of the commands in
More informationProtecting Against Modern Attacks. Protection Against Modern Attack Vectors
Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches
More informationMeans for Intrusion Detection. Intrusion Detection. INFO404 - Lecture 13. Content
Intrusion Detection INFO404 - Lecture 13 21.04.2009 nfoukia@infoscience.otago.ac.nz Content Definition Network vs. Host IDS Misuse vs. Behavior Based IDS Means for Intrusion Detection Definitions (1) Intrusion:
More informationAcceptable Use Policy
Acceptable Use Policy POLICY 07.01.01 Effective Date: 01/01/2015 The following are responsible for the accuracy of the information contained in this document Responsible Policy Administrator Information
More informationFlowMon ADS implementation case study
FlowMon ADS implementation case study Kamil Doležel Kamil.dolezel@advaict.com AdvaICT, a.s. Brno, Czech Republic Abstract FlowMon ADS implementation provides completely new insight into networks of all
More informationNETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS
NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS Scope and Applicability: These Network and Certificate System Security Requirements (Requirements) apply to all publicly trusted Certification Authorities
More informationBest practices with Snare Enterprise Agents
Best practices with Snare Enterprise Agents Snare Solutions About this document The Payment Card Industry Data Security Standard (PCI/DSS) documentation provides guidance on a set of baseline security
More informationSpoofing Attack Against an EPC Class One RFID System
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2009 Spoofing Attack Against an EPC Class One RFID System Christopher
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationn Learn about the Security+ exam n Learn basic terminology and the basic approaches n Implement security configuration parameters on network
Always Remember Chapter #1: Network Device Configuration There is no 100 percent secure system, and there is nothing that is foolproof! 2 Outline Learn about the Security+ exam Learn basic terminology
More information# ROLE DESCRIPTION / BENEFIT ISSUES / RISKS
As SharePoint has proliferated across the landscape there has been a phase shift in how organizational information is kept secure. In one aspect, business assets are more secure employing a formally built
More informationNetwork Security: Firewall, VPN, IDS/IPS, SIEM
Security: Firewall, VPN, IDS/IPS, SIEM Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr What is a Firewall? A firewall is hardware, software, or a combination of both that is used to prevent unauthorized
More informationFreeware Live Forensics tools evaluation and operation tips
Edith Cowan University Research Online Australian Digital Forensics Conference Security Research Centre Conferences 2006 Freeware Live Forensics tools evaluation and operation tips Ricci Ieong ewalker
More informationFirewalls 1. Firewalls. Alexander Khodenko
Firewalls 1 Firewalls Alexander Khodenko May 01, 2003 Firewalls 2 Firewalls Firewall is defined as a linkage in a network, which relays only those data packets that are clearly intended for and authorized
More informationWhite Paper February McAfee Network Protection Solutions. Encrypted Threat Protection Network IPS for SSL Encrypted Traffic.
White Paper February 2005 McAfee Network Protection Solutions Encrypted Threat Protection Network IPS for SSL Encrypted Traffic Network IPS for SSL Encrypted Traffic 2 Introduction SSL Encryption Overview
More informationIntrusion Detection System
Intrusion Detection System Time Machine Dynamic Application Detection 1 NIDS: Two generic problems Attack identified But what happened in the past??? Application identification Only by port number! Yet
More informationDONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY
DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an
More informationCS 356 Operating System Security. Fall 2013
CS 356 Operating System Security Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5 Database
More informationSecurity Guide SAP Supplier InfoNet
SAP Supplier InfoNet Table of Contents 1 About this document....3 2 Network and communication security....4 2.1 Network security....4 2.2 Communication channel security....4 2.3 Network resource security....4
More informationA Study of Cache-Based IP Flow Switching
University of Pennsylvania ScholarlyCommons Technical Reports (CIS) Department of Computer & Information Science November 2000 A Study of Cache-Based IP Flow Switching Osman Ertugay University of Pennsylvania
More informationInformation Technology Cyber Security Policy. Convergint Technologies, LLC
Information Technology Cyber Security Policy Convergint Technologies, LLC September 2015 Convergint Technologies, LLC POLICY MANUAL Subject: CYBER SECURITY POLICY Approved: Tom Schmitt Effective Date:
More informationMPEG Frame Types intrapicture predicted picture bidirectional predicted picture. I frames reference frames
MPEG o We now turn our attention to the MPEG format, named after the Moving Picture Experts Group that defined it. To a first approximation, a moving picture (i.e., video) is simply a succession of still
More informationEliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat
WHITE PAPER Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat Executive Summary Unfortunately, it s a foregone conclusion that no organisation is 100 percent safe
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationRSA INCIDENT RESPONSE SERVICES
RSA INCIDENT RESPONSE SERVICES Enabling early detection and rapid response EXECUTIVE SUMMARY Technical forensic analysis services RSA Incident Response services are for organizations that need rapid access
More informationETSI TS V6.1.0 ( )
TS 102 224 V6.1.0 (2004-12) Technical Specification Smart cards; Security mechanisms for UICC based Applications - Functional requirements (Release 6) 2 TS 102 224 V6.1.0 (2004-12) Reference RTS/SCP-R0282r1
More informationProcess System Security. Process System Security
Roel C. Mulder Business Consultant Emerson Process Management Sophistication of hacker tools, May 2006, Slide 2 Risk Assessment A system risk assessment is required to determine security level Security
More informationSECURING INFORMATION SYSTEMS
SECURING INFORMATION SYSTEMS (November 7, 2016) BUS3500 - Abdou Illia - Fall 2016 1 LEARNING GOALS Understand security attacks preps Discuss the major threats to information systems. Discuss protection
More informationProxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking
NETWORK MANAGEMENT II Proxy Servers Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking resources from the other
More informationTAN Jenny Partner PwC Singapore
1 Topic: Cybersecurity Risks An Essential Audit Consideration TAN Jenny Partner PwC Singapore PwC Singapore is honoured to be invited to contribute to the development of this guideline. Cybersecurity Risks
More informationfirewalls perimeter firewall systems firewalls security gateways secure Internet gateways
Firewalls 1 Overview In old days, brick walls (called firewalls ) built between buildings to prevent fire spreading from building to another Today, when private network (i.e., intranet) connected to public
More informationAcceptable Use Policy
Acceptable Use Policy 1. Purpose The purpose of this policy is to outline the acceptable use of computer equipment at Robotech CAD Solutions. These rules are in place to protect the employee and Robotech
More informationCOMPUTER FORENSICS (CFRS)
Computer Forensics (CFRS) 1 COMPUTER FORENSICS (CFRS) 500 Level Courses CFRS 500: Introduction to Forensic Technology and Analysis. 3 credits. Presents an overview of technologies of interest to forensics
More informationQuestion: 1 DES - Data Encryption standard has a 128 bit key and is very difficult to break.
1 ISC - SSCP System Security Certified Practitioner (SSCP) Question: 1 DES - Data Encryption standard has a 128 bit key and is very difficult to break. Question: 2 What is the main difference between computer
More informationThe Trustworthiness of Digital Records
The Trustworthiness of Digital Records International Congress on Digital Records Preservation Beijing, China 16 April 2010 1 The Concept of Record Record: any document made or received by a physical or
More informationManaged Endpoint Defense
DATA SHEET Managed Endpoint Defense Powered by CB Defense Next-gen endpoint threat detection and response DEPLOY AND HARDEN. Rapidly deploy and optimize endpoint prevention with dedicated security experts
More informationComputer Security Spring Firewalls. Aggelos Kiayias University of Connecticut
Computer Security Spring 2008 Firewalls Aggelos Kiayias University of Connecticut Idea: Monitor inbound/ outbound traffic at a communication point Firewall firewall Internet LAN A firewall can run on any
More informationStandard: Event Monitoring
October 24, 2016 Page 1 Contents Revision History... 4 Executive Summary... 4 Introduction and Purpose... 5 Scope... 5 Standard... 5 Audit Log Standard: Nature of Information and Retention Period... 5
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 20: Intrusion Prevention Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Firewalls purpose types locations Network perimeter
More information