Overview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks

Similar documents
SECURITY & PRIVACY DOCUMENTATION

Cybersecurity: Incident Response Short

Chapter 10: Security and Ethical Challenges of E-Business

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

Having learned basics of computer security and data security, in this section, you will learn how to develop secure systems.

Guide to Network Security First Edition. Chapter One Introduction to Information Security

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

2. INTRUDER DETECTION SYSTEMS

Access Controls. CISSP Guide to Security Essentials Chapter 2

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Chapter 4. Network Security. Part I

Security and Authentication

19.1. Security must consider external environment of the system, and protect it from:

ENDPOINT SECURITY WHITE PAPER. Endpoint Security and the Case For Automated Sandboxing

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

IT ACCEPTABLE USE POLICY

Standard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

Chapter 6 Network and Internet Security and Privacy

itexamdump 최고이자최신인 IT 인증시험덤프 일년무료업데이트서비스제공

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

Overview Intrusion Detection Systems and Practices

Securing Information Systems

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Glenwood Telecommunications, Inc. Acceptable Use Policy (AUP)

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

SANS Exam SEC504 Hacker Tools, Techniques, Exploits and Incident Handling Version: 7.1 [ Total Questions: 328 ]

SECURING INFORMATION SYSTEMS

II.C.4. Policy: Southeastern Technical College Computer Use

Unit 2 Assignment 2. Software Utilities?

The State of the Hack. Kevin Mandia MANDIANT

Management Information Systems (MMBA 6110-SP) Research Paper: Internet Security. Michael S. Pallos April 3, 2002

How Breaches Really Happen

NETWORK THREATS DEMAN

CSE 565 Computer Security Fall 2018

COUNTERING IMPROVISED EXPLOSIVE DEVICES

e-commerce Study Guide Test 2. Security Chapter 10

Cleveland State University General Policy for University Information and Technology Resources

A (sample) computerized system for publishing the daily currency exchange rates

Incident Response Services

Ethical Hacking and Countermeasures: Attack Phases, Second Edition. Chapter 1 Introduction to Ethical Hacking

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Ethical Hacking and Prevention

Introduction to Information Technology Turban, Rainer and Potter John Wiley & Sons, Inc. Copyright Chapter 12 1

CSE 565 Computer Security Fall 2018

Security Solutions. Overview. Business Needs

Security of Information Technology Resources IT-12

Chapter 12. Information Security Management

Acceptable Use Policy

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Intrusion Attempt Who's Knocking Your Door

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

Accounting Information Systems

HIPAA UPDATE. Michael L. Brody, DPM

Financial CISM. Certified Information Security Manager (CISM) Download Full Version :

1-7 Attacks on Cryptosystems

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

MU2a Authentication, Authorization & Accounting Questions and Answers with Explainations

ANATOMY OF AN ATTACK!

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Language-Based Protection

Corporate Policy. Revision Change Date Originator Description Rev Erick Edstrom Initial

Intruders. significant issue for networked systems is hostile or unwanted access either via network or local can identify classes of intruders:

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Distributed Systems. Lecture 14: Security. 5 March,

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Microsoft Exam Security fundamentals Version: 9.0 [ Total Questions: 123 ]

A practical guide to IT security

CompTIA Security+ (2008 Edition) Exam

Introduction. Controlling Information Systems. Threats to Computerised Information System. Why System are Vulnerable?

Cyber Security Program

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.

Acceptable Usage Policy

The GenCyber Program. By Chris Ralph

300 Lena Drive Aurora, Ohio P: F: Page 1 of 5

Analysis on computer network viruses and preventive measures

Acceptable Use Policy (AUP)

Information Security Controls Policy

Discovering Computers Living in a Digital World

Network Security. Course notes. Version

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope

A Security Model for Space Based Communication. Thom Stone Computer Sciences Corporation

Syllabus: The syllabus is broadly structured as follows:

Guest Wireless Policy

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Cyber Security. Our part of the journey

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Feasibility study of scenario based self training material for incident response

Cyber fraud and its impact on the NHS: How organisations can manage the risk

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Kevin Mandia MANDIANT. Carnegie Mellon University Incident Response Master of Information System Management

Q WEB APPLICATION ATTACK STATISTICS

Computer Security: Principles and Practice

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Security+ Practice Questions Exam Cram 2 (Exam SYO-101) Copyright 2004 by Que Publishing. International Standard Book Number:

5. Execute the attack and obtain unauthorized access to the system.

Transcription:

Overview Handling Security Incidents Chapter 7 Lecturer: Pei-yih Ting Attacks Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Standard Incident Handling Procedures Learn from Experience Malicious code Common Types of Attacks 1 2 Attack Terms and Concepts Types of Attacks An attack is any attempt to Gain unauthorized access to a system Deny authorized users from accessing a system The purpose of an attack is to Bring about data disclosure, alteration, or denial (DAD) An attacker is an individual (or group) who strives to violate a system s security When an attacker breaks a law or regulation, a computer crime occurs Military and Intelligence Attacks Attacks are attempts to acquire secret information from military or law enforcement agencies For example, defense strategies, sealed legal proceedings Cause serious damage or result in great expense to change and reformulate plans Business Attack Similar to a military attack, but the target is a commercial organization Purpose is to access sensitive data For example, trade secret information or important business decisions 3 4

Types of Attacks Types of Attacks Financial Attack Target is a commercial organization Purpose is to acquire goods, services, or money improperly For example, phone phreaking Terrorist Attacks Coordinates with a physical attack by disrupting communication and infrastructure control systems Purpose is to affect the ability of agencies to react to the physical attack Grudge Attacks Purpose is to inflict damage or seek revenge against an organization Former employees comprise a large number of these attackers Fun Attacks No real purpose except bragging rights for the hacker Can be very difficult to track down 5 6 Security Incidents Handling Security Incidents A security incident is defined as any violation of a security policy Every attack is an incident Not every incident is an attack, ex. accessing Internet auction sites during office hour or using dictionary word for a password Incident recognition starts with user education Users should know what the policies are so they will know when an incident has occurred Users should also be educated about what to do if they notice that an incident has occurred Many incidents go unresolved because they are First step: recognizing an incident has occurred The security policy should clearly state actions and behaviors that constitute a security incident. Some incidents are discovered after the fact through log analysis or system audit For example, unauthorized access to secure files discovered by scanning an access log Some incidents are identified and examined as they occur DOS attacks are usually apparent as they occur Second step: There are four general types of incidents. Each type of incidents presents its own challenges in detection and avoidance. unnoticed 7 8

Handling Security Incidents Four types of security incidents: Scanning The systematic probing of ports to find open ports and query them for information Not an attack, but may be a precursor to an attack Looking for packet traces in the log file of a firewall Compromise Any unauthorized access to a system Generally involves defeating or bypassing security controls Detecting compromise is difficult, usually by noticing Handling Security Incidents Malicious code Any program, procedure, or executable file that makes unauthorized modifications or triggers unauthorized activities Viruses, worms, Trojan horses fall into this category Noticing strange behaviors of your system Antivirus S/W catches these by signature matching Denial of Service (DoS) Violates the availability property of security Denies authorized users access to a system Highly disruptive to online retailers (business platform on the Internet) something unusual in system activities 9 10 Denies the attacker s IP Incident Management Methods Incident Management A security policy should have incident handling plans for all probable incidents General procedures Detect that an incident has occurred Contain the damage caused by the incident Assess the damage and report the incident Investigate the origin of the incident Collect evidences Analyze findings Take action to avoid another occurrence Recover from the damage 11 Often a standing incident response team is created with members from different departments within an organization IRT ensures that an incident is handled efficiently IRT collects information from an attack for analysis (promote any changes that will reduce the likelihood of a reoccurrence) and possible legal action IRT investigates an incident by collecting evidence that can be used to verify the identity or activity of an attacker 12

Incident Management The analysis of a system to find evidence of attack activity is called system forensics Tools used to collect evidence include Log file analyzers, disk search and scanning tools, network activity tracing tools When an incident occurs, a rule of thumb is to call law enforcement officials in immediately if you think there is any chance a violation of the law has occurred 13 Maintain Incident Preparedness An incident response team should be prepared for all viable incidents When forming an incident response team, take advantage of resources that provide additional information and guidance on how teams operate The incident response team should be trained to follow security policy procedures Each team member should know his/her own role and possibly other roles as well Establish a relationship with law enforcement officials who may be called in when incidents occur Users should know how to recognize common incidents and what to do if they notice one 14 Maintain Incident Preparedness Using Standard Incident Handling Procedures Resource Table 7.1 Incident Response Team Resources Handbook for Computer Security Incident Response Teams Computer Security Incident Response Team Responding to Intrusions Forming an Incident Response Team SANS IESEC Reading Room: Incident Handling FIRST: Forum of Incident Response and Security Teams URL http://www.sei.cmu.edu/pub/docu ments/98.reports/pdf/98hb001.pdf http://www.cert.org/csirts http://www.cert.org/securityimprovement/modules/m06.html http://www.auscert.org.au/render. html?it=2252&cid=1920 http://www.sans.org/rr/catindex.p hp?cat_id=27 http://www.first.org/ When an incident response team is mobilized, they should follow written procedures from the security policy Each team member should fill out a standard incident report It is important to maintain a document trail throughout Make sure that your procedures will meet any requirements for law enforcement 15 16

Postmortem: Learn from Experience After an incident, complete any research or documentation and review the handling process The response team should meet as quickly as possible to debrief Review the incident and consider why and how it happened, can it happen again, what changes might be good Review team performance and consider what went well, what did not, what changes might be useful to make the team more effective Encourage all team members to research what other organization have published on the topic of Malicious Code Best defense against malicious code is a good offense Use shields such as virus scanners Use intrusion detection system (IDS) Be careful about executable files that are introduced into your system Any data entry point into a system can be used to introduce malicious code including floppy disks, data ports, networks, and removable storage devices Viruses can be detected using several techniques including signature scans, changed size or time-date stamps, cryptographic hashes, and digital signatures Active-X controls or Java native code executed in a browser incident response 17 18 is dangerous Malicious Code About Malicious Code Viruses A program that embeds a copy of itself inside of an executable file and attempts to perform unauthorized data access or modification A virus needs a host software in order to run Worms A standalone program that tries to perform some type of unauthorized data access or modification Logic Bombs Executes a sequence of instructions when a specific system event occurs Usually hides itself as a virus in system executables 19 Trojan horses Similar to a worm Appears to have some useful or neutral purpose Performs some malicious act when run Active Content Issues The Internet is one of the most common entry points for malicious code Downloadable plug-ins perform many useful functions but make it easy to send malicious code Java sandbox model Active X control (digitally signed) 20

Back Doors Common Types of Attacks Programmers often leave an opening in software they write to allow them to gain entrance without going through normal security control Once discovered, these openings can be exploited by anyone Brute Force Attempts to guess a password by trying all possible character combinations To defend, you should require strong passwords, limit failed login attempts, and audit login attempts Common Types of Attacks Buffer Overflows Forces strings that are longer than the max buffer size to be written to the buffer Overflow can cause a program crash that leaves an unauthorized security level A popular attack because there are so many programs with this vulnerability Denial of Service Disrupts the ability of authorized users to access data Usually either involves flooding a target with too many requests or sending a particular type of packet 21 22 Common Types of Attacks Man-in-the-Middle An attacker listens between a user and a resource and intercepts data Social Engineering An attacker convinces an authorized user to disclose information or allow unauthorized access System Bugs Not an attack but offers vulnerabilities that can be exploited Be careful with program development and apply patches for externally developed software Unauthorized Access to Sensitive Information Final goal of many attacks is to gain access to sensitive information The attacker may wish to view, disclose, or modify information To avoid serious damage, protect data Use appropriate controls Be prepared to handle attacks that do occur 23 24

Summary Summary An attack is an attempt to gain unauthorized access or to deny authorized access to a system A security incident is any violation of a security policy An attacker is any individual or group who attempts to overcome a system s security controls A computer crime occurs when an attacker violates a law or regulation There are several broad categories of attacks Military and intelligence, business, financial, terrorist, grudge, and fun 25 To deal with security incidents, you must Understand the security policy and what activity would constitute an incident Recognize the occurrence of an incident Follow procedures to document and analyze the incident Possibly follow through with legal action if necessary There are several categories of incidents Scanning, compromise, malicious code, denial of service 26 Summary Assignments A good practice is to have a standing incident response team There are several types of malicious code Viruses, worms, logic bombs, Trojan horses, issues of active content Common types of attacks include Back doors, brute force, buffer overflows, denial of service, man-in-the-middle, social engineering, system bug exploitation Reading: Chapter 7 Practice 7.13 Challenge Questions Turn in Challenge Exercise 7.3 next week 27 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback