Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.


Module 12: Responding to Security Incidents

Overview
- Introduction to Auditing and Incident Response
- Designing an Audit Policy
- Designing an Incident Response Procedure

Lesson 1: Introduction to Auditing and Incident Response
- The Auditing Process
- Why Auditing Is Important
- What Is an Incident Response Procedure?

The Auditing Process
You can determine a user's actions by examining the following:
- ISA Server: the ISA Server packet filter log file
- IIS server: the security event log file and the IIS log file
- Domain controller: the security event log file from the domain controller
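The slide names three log sources but not how they are joined; the following added example (not part of the original course material) reconstructs one account's actions from all three. Every log record is a constructed sample in a simplified layout, and the domain names, IP addresses and URIs are assumptions.

```python
"""Added example: join the three log sources named on the slide to rebuild one
user's actions. All records are constructed samples, not real log output."""
from collections import namedtuple

# Constructed domain controller security log: (time, event kind, account, workstation IP)
DC_SECURITY_LOG = [
    ("2004-04-01 09:02:11", "Logon", "CONTOSO\\alice", "10.0.0.5"),
    ("2004-04-01 09:10:40", "Logon", "CONTOSO\\bob", "10.0.0.9"),
]
# Constructed IIS log: (time, client IP, user, URI, HTTP status)
IIS_LOG = [
    ("2004-04-01 09:03:02", "10.0.0.5", "alice", "/payroll/export.aspx", 200),
    ("2004-04-01 09:11:15", "10.0.0.9", "bob", "/index.htm", 200),
    ("2004-04-01 09:04:30", "10.0.0.5", "alice", "/admin/users.aspx", 403),
]
# Constructed ISA Server packet filter log: (time, client IP, destination, port, action)
ISA_PACKET_LOG = [
    ("2004-04-01 09:05:00", "10.0.0.5", "203.0.113.7", 443, "Allowed"),
    ("2004-04-01 09:12:10", "10.0.0.9", "203.0.113.8", 80, "Allowed"),
]

Event = namedtuple("Event", "time source detail")


def user_timeline(account):
    """Return the time-ordered actions of one account across all three logs.
    The DC logon event supplies the workstation IP; the IIS and ISA records
    key on client IP, so that IP is what links them back to the account."""
    short = account.split("\\")[-1].lower()
    ips = {ip for _, kind, user, ip in DC_SECURITY_LOG
           if kind == "Logon" and user.lower() == account.lower()}
    events = [Event(t, "DC", f"{kind} from {ip}")
              for t, kind, user, ip in DC_SECURITY_LOG
              if user.lower() == account.lower()]
    events += [Event(t, "IIS", f"{uri} -> {status}")
               for t, ip, user, uri, status in IIS_LOG
               if ip in ips or user.lower() == short]
    events += [Event(t, "ISA", f"{action} {dst}:{port}")
               for t, ip, dst, port, action in ISA_PACKET_LOG if ip in ips]
    return sorted(events)


if __name__ == "__main__":
    for e in user_timeline("CONTOSO\\alice"):
        print(e.time, e.source, e.detail)
```

The 403 on the admin page shows up in sequence with the logon and the outbound connection, which is the kind of ordering a reviewer needs when reconstructing what an account did.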

Why Auditing Is Important
You must dedicate time to review the logs. By enabling auditing, you can:
- Monitor events in your network
- Take action if there is any suspicious activity
(Diagram: external attacker and internal attacker)

What Is an Incident Response Procedure?
An incident response procedure includes steps such as:
- People to contact
- Actions for limiting damage
- Provisions for investigation

Lesson 2: Designing an Audit Policy
- Process for Planning an Audit Policy
- Guidelines for Creating a Framework for Auditing
- Common Auditing Tools and Sources
- Guidelines for Designing an Audit Review Process
- Activity: Risk and Response

Process for Planning an Audit Policy
When planning an audit policy, you must:
- Determine what types of events to audit
- Identify auditing tools to use
- Create a process for reviewing event logs
- Establish a retention policy for audit logs

Guidelines for Creating a Framework for Auditing
The following guidelines help to create a framework for auditing:
- Audit events and resources that you want to track
- Create audit statements that include:
  - The type of event
  - The event details
  - The audit point

Common Auditing Tools and Sources
Resource: tools and sources
- Operating systems: Event Viewer, EventComb, SCOM, custom scripts
- Web sites: IIS logs, URLScan
- Network perimeters: router logs, firewall logs, packet filtering logs, proxy logs
- Applications: application-specific logs, intrusion-detection software, antivirus software, SCOM

Guidelines for Designing an Audit Review Process
When designing an audit review process, define:
- Who is responsible for managing and analyzing events
- How often to analyze events
- How to report possible incidents to management
- How to preserve the chain of evidence
- Where to archive event logs

Activity: Risk and Response
For each scenario:
- Read the scenario
- Choose the best risk management strategy
- Determine an appropriate security response
- Discuss your answers as a class

Lesson 3: Designing an Incident Response Procedure
- Process for Planning an Incident Response Procedure
- Guidelines for Creating an Incident Response Team
- What to Include in a Communication Plan
- Common Indicators of Security Incidents
- Guidelines for Analyzing a Security Incident
- Methods for Limiting Damage from an Attack
- Guidelines for Documenting Security Incidents
- Activity: Risk and Response

Process for Planning an Incident Response Procedure
When planning an incident response procedure, you must:
- Create and train an incident response team
- Develop a communication plan
- Create a plan for identifying an attack
- Create policies to contain an attack
- Develop a process for reviewing incidents

Guidelines for Creating an Incident Response Team
Use these guidelines to ensure that the appropriate job roles are:
- In the team
- Available 24 hours a day
- Trained in responding to security incidents
- Competent in their areas of responsibility
- Able to analyze situations objectively under pressure
- Strong communicators

What to Include in a Communication Plan
Include in your communication plan:
- Triggers that define when to contact each member of the incident response team
- Contact information for all team members
- Substitute team members and their contact information
- Procedures for communicating securely among team members
- Incident details that each team member receives
- How team members communicate details of the incident to non-team members

Common Indicators of Security Incidents
Area: examples
- Network irregularities: network performance decreases; accounts are used at irregular times
- System irregularities: audited events increase significantly; system performance decreases; computers crash or reboot mysteriously
- Direct reporting of events: users report security incidents; a new virus is published; intrusion detection software detects an incident
- Physical indicators: hardware is missing; visible signs of physical compromise exist
- Business indicators: confidential information is published on the Internet or in print; a competitor appears to possess trade secrets
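Two of these indicators, accounts used at irregular times and a significant increase in audited events, can be checked by the kind of custom script the auditing-tools slide lists. The following is an added example, not course material; the event records are constructed, and the business-hours window, the allow list of accounts expected to run at night, and the spike factor are assumptions.

```python
"""Added example: check two indicators from the slide over constructed
Windows security event records (not real log data)."""
from collections import Counter
from datetime import datetime

# Constructed sample events: (timestamp, event kind, account). Day 2 carries an
# off-hours logon by "bob" followed by a burst of object-access events.
EVENTS = [
    ("2004-04-01 08:55:00", "Logon", "alice"),
    ("2004-04-01 09:10:00", "Logon", "bob"),
    ("2004-04-01 17:40:00", "Logoff", "alice"),
    ("2004-04-02 02:15:00", "Logon", "svc_backup"),
    ("2004-04-02 03:05:00", "Logon", "bob"),
] + [(f"2004-04-02 03:{m:02d}:00", "ObjectAccess", "bob") for m in range(6, 14)] + [
    ("2004-04-03 09:00:00", "Logon", "alice"),
    ("2004-04-03 09:30:00", "Logon", "bob"),
    ("2004-04-03 18:10:00", "Logoff", "bob"),
]

BUSINESS_HOURS = range(7, 20)          # assumption: 07:00-19:59 is normal use
EXPECTED_OFF_HOURS = {"svc_backup"}    # assumption: scheduled jobs that run at night


def off_hours_accounts(events, business=BUSINESS_HOURS, allow=EXPECTED_OFF_HOURS):
    """Accounts that log on outside business hours and are not on the allow list."""
    flagged = set()
    for ts, kind, account in events:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if kind == "Logon" and hour not in business and account not in allow:
            flagged.add(account)
    return sorted(flagged)


def audit_volume_spike(events, factor=3.0):
    """Days whose audited-event count exceeds `factor` times the mean of the other days."""
    per_day = Counter(ts[:10] for ts, _, _ in events)
    spikes = []
    for day, count in per_day.items():
        others = [c for d, c in per_day.items() if d != day]
        baseline = sum(others) / len(others) if others else 0
        if baseline and count > factor * baseline:
            spikes.append(day)
    return spikes


if __name__ == "__main__":
    print("off-hours accounts:", off_hours_accounts(EVENTS))
    print("audit volume spikes:", audit_volume_spike(EVENTS))
```

Both checks are only as good as their baselines: tune the hours window and allow list to the environment, or legitimate maintenance accounts will dominate the output.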

Guidelines for Analyzing a Security Incident
To identify: determine
- Symptoms: How is the event occurring? What are the symptoms of the attack?
- Origin: Where is the attack originating? Is the point of origin connected to the attacker?
- Entry point: How is the attack entering the network? Is the attacker exploiting a known vulnerability?
- Intent: What does the attacker appear to be trying to accomplish? Is there a pattern to the attack?
- Severity: What is at risk? How serious is the risk?
- Exposure: What systems have been compromised? In what way are the systems compromised?

Methods for Limiting Damage from an Attack
Resource: examples
- Networks: disconnect affected networks from the corporate network; disconnect the corporate network from the Internet; block TCP/IP ports
- Computers: remove infected computers from the network; remove computers that have sensitive information from the network; deploy security hotfixes and service packs
- Applications: change passwords on compromised and sensitive accounts; update antivirus scanning engines and signature files; update intrusion detection systems and inspect log files
- Physical security: replace locks and key codes; increase physical security

Guidelines for Documenting Security Incidents
Use these guidelines to gather any feedback and discover:
- The origin of the incident
- How the incident was detected and reported
- How the incident was responded to and resolved
- Recommended changes to policies and procedures
- Improvements to your incident response procedure
- Updates to your risk management plan
- The financial impact of the security incident

Activity: Risk and Response
For each scenario:
- Read the scenario
- Choose the best risk management strategy
- Determine an appropriate security response
- Discuss your answers as a class

Lab: Responding to Security Incidents
- Exercise 1: Identifying Potential Vulnerabilities
- Exercise 2: Implementing an Incident Response Team
- Exercise 3: Implementing an Incident Response Plan

Course Evaluation