We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJaquan Berriman
Modified over 2 years ago
1 Copyright © 2014 M. E. Kabay. All rights reserved. CSIRTs CSH5 Chapter 56 “Computer Security Incident Response Teams” Michael Miora, M. E. Kabay and Bernie Cowens
2 Copyright © 2014 M. E. Kabay. All rights reserved. Topics Forming a Team Handling Computer Security Incidents Managing a Team
3 Copyright © 2014 M. E. Kabay. All rights reserved. Synonyms CERT: Computer Emergency Readiness Team (or also generically computer emergency response team) CSIRTs = Computer Security Incident Response Teams CIRTs (computer incident response teams) Computer emergency quick-response teams
4 Copyright © 2014 M. E. Kabay. All rights reserved. DISA CIRTM CD-ROM Assigned for individual study: Computer Incident Response Team Management* Topics Forming a Team Handling Computer Security Incidents Managing a Team Permission granted by DISA for free duplication May download entire CD-ROM in ZIP file: http://www.mekabay.com/infosecmgmt/disa_cirtm_cdrom.zip See also CSIRT Management monograph: http://www.mekabay.com/infosecmgmt/csirtm.pdf From Defense Information Systems Agency. Distributed at all possible opportunities to get rid of them!
5 Copyright © 2014 M. E. Kabay. All rights reserved. Forming & Constituting a CSIRT Overview Incident Response Arena Typical Network Attack Services Service Levels Policies and Procedures Staff
6 Copyright © 2014 M. E. Kabay. All rights reserved. Overview of this Section The incident-response arena: why do we need a CSIRT? Steps in typical network attack Reactive and proactive CSIRT services Factors to consider in determining services Policies and procedures for managing incident response team Knowledge, skills & abilities of personnel – considerations when hiring staff
7 Copyright © 2014 M. E. Kabay. All rights reserved. Incident Response Arena Internet a global network with hundreds of millions of potential attackers IPv4 has limited provisions for security Vulnerabilities & exploits change constantly Systematic vulnerability scanning Automated attack vectors Protocol flaws Buffer overflows….
8 Copyright © 2014 M. E. Kabay. All rights reserved. Typical Network Attack Motives vary; economic motivation growing Intruders often study system to obtain root Conceal evidence by tampering with log files Install rootkits to allow later access Add to botnets for spam or denial of service http://tinyurl.com/3dd2vq
9 Copyright © 2014 M. E. Kabay. All rights reserved. Services Computer Security Incident Response Teams (CSIRTs) Some organizations use “Computer Emergency Response Teams” (CERTs) CERT-CC® http://www.cert.org/http://www.cert.org/ Computer Emergency Response Team Coordination Center Software Engineering Institute (SEI) Carnegie-Mellon University (CMU) Created in Dec 1988 in response to problems in coping with Morris Worm disaster of Nov 2, 1988 Must define services clearly to avoid wrong expectations
10 Copyright © 2014 M. E. Kabay. All rights reserved. Service Levels Decide when CSIRT will be available Normal work hours Extended hours 24/7 coverage Don’t announce services until you can actually provide them Setting false expectations will lead to disaster
11 Copyright © 2014 M. E. Kabay. All rights reserved. Policies and Procedures Need written policies & procedures (P&P) Team can support CSIRT mission Set expectations for confidentiality Framework for normal operations Maintain consistent, reliable service Need leadership approval and visible support
12 Copyright © 2014 M. E. Kabay. All rights reserved. Staff Requirements People are central to success Good customer-service skills Strong desire to resolve problems Handle distraught persons calmly – get maximum info Communicate clearly Good oral/written communication skills Team work Technical knowledge Formal training in computer science Related work experience Coding skills
13 Copyright © 2014 M. E. Kabay. All rights reserved. Screening Job Candidates As discussed in Chapter 45 of CSH5 Interview Position overview Customer service orientation Character Pager, travel requirements Flexibility in scheduling Orientation and formal training Mission Policies & procedures Specific problem-tracking tools Diagnostic tools
14 Copyright © 2014 M. E. Kabay. All rights reserved. Topics Forming a Team Handling Computer Security Incidents Managing a Team
15 Copyright © 2014 M. E. Kabay. All rights reserved. Handling Computer Security Incidents Types of Attacks Computer Security Tools Triage Process Technical Requirements Tracking System Information & Response Needs Telephone Hotline
16 Copyright © 2014 M. E. Kabay. All rights reserved. Types of Attacks As discussed in CSH5 Chapter 8 Extent of damage can vary Annoying to life-threatening Evaluate costs of different types of incident Types of attack Penetration Denial of service Means Automated attack tools Trojans Viruses Not possible to have a rigid framework in advance
17 Copyright © 2014 M. E. Kabay. All rights reserved. Computer Security Tools Learn about specifics available to your CSIRT General classes I&A and related attack- tools (e.g., cracks…) Firewalls vs scanners for vulnerabilities Protocol-related attacks Diagnostic tools Debug Dump analysis Disk-editors Sniffers
18 Copyright © 2014 M. E. Kabay. All rights reserved. Triage Process Must be able to allocate limited resources wisely Triage name applied in medicine Means “sorting” in French Rapidly decide Where to send callers for help Which resources to assign to specific problems Identify critical-path relations Look for problems that potentially risk most severe consequences Functional analysis that must take into account characteristics of each organization
19 Copyright © 2014 M. E. Kabay. All rights reserved. Prioritizing Incidents Sensitivity and/or criticality of the data affected Amount of data affected Which host machines are involved Where and under what conditions the incident occurred Effects of the incident on mission accomplishment Whether the incident is likely to result in media coverage Number of stakeholders affected Possible relationships to other incidents currently being investigated The nature of the attack Economic impact and time lost Number of times the problem has recurred Who reports the incident Mission-critical
20 Copyright © 2014 M. E. Kabay. All rights reserved. Technical Requirements Assign least-skilled staff to triage stage – enough skill to Identify nature of problem Collect basic information Decide quickly to whom to send caller Let more experienced staff avoid clerical functions Information requests: low to medium skill levels Incident response: medium skill levels Vulnerability handling: high skill levels http://www.summum.us/images/jpg/pyramid3.jpg
21 Copyright © 2014 M. E. Kabay. All rights reserved. Tracking System (1) Critically important to track information Use formal tracking system (many products available) to ensure Easy notes Availability to entire group Keyword and full-text retrieval Status settings May play crucial role in solving problems For course notes on a course taught in the 1980s and 1990s about managing technical-support issues, see http://www.mekabay.com/courses/academic/jac/TS P/index.htm http://tinyurl.com/3xsued Used with permission of the photographer, Mike Robinson. See catalog at http://tinyurl.com/3dm33c http://tinyurl.com/3dm33c
22 Copyright © 2014 M. E. Kabay. All rights reserved. Tracking System (2) See http://www.mekabay.com/methodology/Todo_empty.mdb
23 Copyright © 2014 M. E. Kabay. All rights reserved. Information & Response Needs for Every Incident Report Who is the reporting organization? What other organizations are involved or need to know about the incident? What is the date and time of the incident? What type of incident is it? What is the name or ID of the information system or systems affected? What is the mission impact of the incident? What are the technical details or the who, what, when, where, why, and how of the incident? What actions have been taken? Has there been any coordination with other commands on the incident? Are there any other clues or is any information missing? ? ????????????
24 Copyright © 2014 M. E. Kabay. All rights reserved. Telephone Hotline Must handle phone calls at all times of day/night Call-forwarding to agent on duty Pagers Message service SMS to cell phones Answering machine / voicemail( ) Define rules for taking details and then transferring calls to right person MOST IMPORTANT: Never drop the caller! Always monitor the transfer and ensure there is a live person (not voicemail) on the other end of the line to take control of the situation Always provide direct-line phone # & case # for use in case of interruption Define procedures to handle cranks/pranks
25 Copyright © 2014 M. E. Kabay. All rights reserved. Topics Forming a Team Handling Computer Security Incidents Managing a Team
26 Copyright © 2014 M. E. Kabay. All rights reserved. Managing a Team Securing Your CSIRT Using a Code of Conduct Prioritizing Incidents Balancing Workload
27 Copyright © 2014 M. E. Kabay. All rights reserved. Securing Your CSIRT CSIRT itself an attractive target for attackers Operational and legal repercussions to compromise Must protect Incident reports, Electronic mail, Vulnerability reports, and even Briefing notes and slides. ENCRYPT ENCRYPT ENCRYPT… BACKUP BACKUP BACKUP… http://www.swehs.co.uk/docs/photos/bletchley03.jpg ENIGMA
28 Copyright © 2014 M. E. Kabay. All rights reserved. Using a Code of Conduct Code of Conduct can determine reputation of team Clear explanations Define technical terms Clarify work you plan to do Never emit bovine fecal material: instead, try “I don’t know but I’ll find out” – perfectly acceptable response to a question Establish continuous process improvement by welcoming constructive criticism and suggestions for improvement Maintain confidentiality Support ethical behavior at all times by all staff members
29 Copyright © 2014 M. E. Kabay. All rights reserved. Balancing Workload in Triage Handling new calls Periodic rotation: All new incidents are assigned to a designated triage coordinator At set intervals, incidents are rotated to new triage coordinators Equal distribution Team leader reviews all new reports Distributes them evenly to staff members Combination approach New reports distributed equitably during regular hours Outside regular hours rotate periodically among coordinators Primary Escalation Dispatch
30 Copyright © 2014 M. E. Kabay. All rights reserved. Balancing Workload (cont’d) Approaches to ongoing incidents Single coordinator for entire incident Develop stronger rapport with client No lag time for turnover to next coordinator Periodic hand off Open incidents handed off to a new lead person at regular intervals Lag time but fresh perspective with each hand-off Combination approach common Single coordinator takes lead for a given case Hand it off to another team member when necessary
31 Copyright © 2014 M. E. Kabay. All rights reserved. Review Questions (1) 1.What is a computer security incident? 2.Why do we need a CSIRT? 3.When was the CERT-CC® formed and in response to what incident? 4.Why should we define the working hours for our CSIRT unambiguously? 5.How do written policies and procedures support the functions of the CSIRT? 6.Why should we staff the CSIRT with people who are NOT classic stereotyped geeks?
32 Copyright © 2014 M. E. Kabay. All rights reserved. Review Questions (2) 7.Why (i.e., how) is triage a critically important element of incident response team planning? 8.Why (i.e., how) are tracking systems valuable for CSIRTs? 9.Why should the telephone hotline include instructions that no caller is to be sent to another resource without ascertaining that the transfer has actually taken place (e.g., “Sally, this is Joe. He will take over from this point. Here you go, Joe.”) 10.Explain how a clear code of conduct can support the functions of the CSIRT.
33 Copyright © 2014 M. E. Kabay. All rights reserved. DISCUSSION
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
Public Health Seattle & King County Incident Command System Overview May 2004.
IT Security Challenges In Higher Education Steve Schuster Cornell University Copyright Steve Schuster This work is the intellectual property of.
INDEX Ethical Hacking Terminology. What is Ethical hacking? Who are Ethical hacker? How many types of hackers? White Hats (Ethical hackers)
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
Network security policy: best practices
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Incident Response Christian Seifert IMT st October 2007.
Systems Analysis and Design 8 th Edition Chapter 2 Analyzing the Business Case.
Succession Planning Who will replace your leaders? Presented by Jacquelyn Thorp, MSHR/SPHR -CA.
An Introduction to System Administration Chapter 1.
Managing the Information Technology Resource Jerry N. Luftman
STAFF APPRAISAL PROGRAMS
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Chapter 5 IT Processes Paula Goulding ICT622.
Chapter 11: Policies and Procedures Security+ Guide to Network Security Fundamentals Second Edition.
Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Contingency Management Indiana University of Pennsylvania John P. Draganosky.
Data Breach ALICAP, the District Insurance Provider, is Now Offering Data Breach Coverage as Part of Our Blanket Coverage Package 1.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Systems Analysis and Design 9th Edition
Developing Plans and Procedures
Security in Practice Enterprise Security. Business Continuity Ability of an organization to maintain its operations and services in the face of a disruptive.
Session 3 – Information Security Policies
© Prentice Hall CHAPTER 15 Managing the IS Function.
Security Awareness: Applying Practical Security in Your World
PC Support & Repair Chapter 10 Communication Skills.
1 Secure Your Business PATCH MANAGEMENT STRATEGY.
Servers in the Wild… …and the threats that lurk about. DePaul University Information Security Team TLT Presentation 08 May 2002.
Introduction: Information security services. We adhere to the strictest and most respected standards in the industry, including: -The National Institute.
1MRO.PPT LAST REVISED: 9 JULY 2008 Citizens Serving Communities Mission Radio Operator Skills and Requirements Developed as part of the National Emergency.
APA of Isfahan University of Technology In the name of God.
1MRO.PPT Last Revised: 10 June 2003 Mission Radio Operator Skills and Requirements Developed as part of the National Emergency Services Curriculum Project.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
“Lines of Defense” against Malware.. Prevention: Keep Malware off your computer. Limit Damage: Stop Malware that gets onto your computer from doing any.
Software Project Management Lecture # 9. Outline Chapter 25 – Risk Management What is Risk Management Risk Management Strategies Software Risks.
Information Technology Acceptable Use An Overview CSTMC All Staff Meeting February 10, 2014.
Software Project Management Lecture # 8. Outline Chapter 25 – Risk Management What is Risk Management Risk Management Strategies Software Risks.
Preventing and Managing a Crisis. Overview This session will cover how to: Develop a crisis communications plan Prevent crises Prepare for crises Implement.
Is There a Security Problem in Computing? Network Security / G. Steffen1.
Unit Introduction and Overview
Information Systems Security
Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.
Basic Nursing: Foundations of Skills & Concepts Chapter 30 LEADERSHIP AND WORK TRANSITION.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Incident Response November 2015 Navigating a Cybersecurity Incident.
Project Management : Techniques and Tools (60-499) Fall 2014 / Winter 2015.
© 2017 SlidePlayer.com Inc. All rights reserved.