1 Security Assurance in Design, Implementation and Operation
Information Networking Security and Assurance Lab, National Chung Cheng University
Bo Cheng
Source: NIST Special Publication 800-12 -- An Introduction to Computer Security: The NIST Handbook

2 Security Assurance - The Concept
- The degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes.
- Not a true measure of how secure the system actually is.
- It is extremely difficult -- and in many cases virtually impossible -- to know exactly how secure a system is.

3 Accreditation
- Accreditation is a management official's formal acceptance of the adequacy of a system's security.
- A process used primarily within the federal government.
- A form of quality control: it forces managers and technical staff to work together to find workable, cost-effective solutions given security needs, technical constraints, operational constraints, and mission or business requirements.

4 When to Do Accreditation
- A computer system should be accredited before the system becomes operational, with periodic re-accreditation after major system changes or when significant time has elapsed.
- Even if a system was not initially accredited, the accreditation process can be initiated at any time.

5 Who & What
- Who needs to be assured? The management official who is ultimately responsible for the security of the system.
- What types of assurance can be obtained?
  - Design assurance
  - Implementation assurance
  - Operational assurance

6 Design and Implementation Assurance
- Addresses the quality of security features built into systems:
  - whether the features of a system, application, or component meet security requirements and specifications;
  - whether they are well designed and well built.
- Examines system design, development, and installation.
- Associated with the development/acquisition and implementation phase of the system life cycle, and with the rest of the life cycle as the system is modified.

7 Testing and Certification
- Testing can address the quality of the system as built, as implemented, or as operated.
- Two common testing techniques: functional testing (to see if a given function works according to its requirements) and penetration testing (to see if security can be bypassed).
- Tests range from trying several test cases to in-depth studies using metrics, automated tools, or multiple detailed test cases.
- Certification is a formal process for testing components or systems against a specified set of security requirements; it is normally performed by an independent reviewer.

8 Operational Assurance
- Addresses whether the system's technical features are being bypassed or have vulnerabilities, and whether required procedures are being followed.
- Two basic methods to maintain operational assurance:
  - A system audit: a one-time or periodic event to evaluate security. It may examine an entire system for the purpose of reaccreditation, or investigate a single anomalous event.
  - Monitoring: an ongoing activity that checks on the system, its users, or the environment.

9 The Auditing Process
- Less formal audits are often called security reviews.
- Can be self-administered or independent (either internal or external).
- Two types of automated tools are used to help find a variety of threats and vulnerabilities:
  - Active tools: find vulnerabilities by trying to exploit them.
  - Passive tests: only examine the system and infer the existence of problems from the state of the system.
- Not taking advantage of these tools puts system administrators at a disadvantage.

10 The Monitoring Process
- Review of system logs.
- Automated tools:
  - Virus scanners: check for virus infections.
  - Checksumming: presumes that program files should not change between updates.
  - Password crackers: check passwords against a dictionary (either a "regular" dictionary or a specialized one with easy-to-guess passwords) and also check if passwords are common permutations of the user ID.
  - Integrity verification programs: can be used by applications to look for evidence of data tampering, errors, and omissions.
  - Intrusion detectors: analyze the system audit trail, especially log-ons, connections, operating system calls, and various command parameters, for activity that could represent unauthorized activity.
  - System performance monitoring: analyzes system performance logs in real time to look for availability problems, including active attacks (such as the 1988 Internet worm) and system and network slowdowns and crashes.
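Added illustration of the checksumming and integrity-verification tools listed above (example code written for this page, not from the NIST handbook or the slides): it builds a SHA-256 baseline of a file tree and reports modified, missing and new files. The file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Digest every regular file under root: the set that should not change between updates."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, baseline):
    """Compare the current tree with a trusted baseline and classify every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "new": sorted(f for f in current if f not in baseline),
    }

def demo():
    """Constructed scenario: baseline a small 'bin' tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        # The baseline must itself be protected (read-only media or an off-host store),
        # otherwise whoever alters the programs can also alter the digests.
        baseline = build_baseline(root)
        # Simulated tampering: ps replaced, ls removed, an unexpected file added
        (root / "bin" / "ps").write_bytes(b"replaced ps binary")
        (root / "bin" / "ls").unlink()
        (root / "bin" / "extra").write_bytes(b"unknown program")
        return verify(root, baseline)
```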

11 Incident Response
Bo Cheng
Sources:
- NIST Special Publication 800-61, Computer Security Incident Handling Guide
- Incident Response and Computer Forensics, Second Edition. Chris Prosise, Kevin Mandia, Matt Pepe. McGraw-Hill, paperback, 2nd edition, published July 2003, 507 pages, ISBN 007222696X

12 Incident Handling (Incident Response)
- Incident: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
- Incident handling: the mitigation of violations of security policies and recommended practices. It has become an important component of information technology (IT) programs.
- An incident response capability covers:
  - detecting incidents,
  - minimizing loss and destruction,
  - mitigating the weaknesses that were exploited, and
  - restoring computing services.

13 Seven Components of Incident Response
Pre-incident preparation precedes the incident; once an incident occurs (point-in-time or ongoing), the remaining components follow:
1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident (data collection, data analysis)
6. Reporting
7. Resolution (recovery, implement security measures)

14 Pre-incident Preparation (1/2)
Preparing the organization:
- Implement host-based security measures.
- Implement network-based security measures.
- Train end users.
- Employ an intrusion detection system (IDS).
- Create strong access control.
- Perform timely vulnerability assessments.
- Ensure backups are performed on a regular basis.

15 Pre-incident Preparation (2/2)
Preparing the CSIRT:
- The hardware needed to investigate computer security incidents.
- The software needed to investigate computer security incidents.
- The documentation needed to investigate computer security incidents.
- The appropriate policies and operating procedures to implement your response strategies.
- The training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation.

16 Detection of Incidents (1/2)
Incidents are detected and reported from several functional areas of the organization (Company X in the slide's diagram): IDS, end users, the help desk, system administrators, security, and human resources.
Indicators of an incident:
- IDS detection of a remote attack
- Numerous failed logon attempts
- Logins into dormant or default accounts
- Activity during nonworking hours
- Unfamiliar files or executable programs
- Altered pages on a web server
- Gaps in log files or erasure of log files
- Slower system performance
- System crash
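Added example, not part of the slides: a small Python check that looks for several of the indicators above (numerous failed logon attempts, logins into default or dormant accounts, activity during nonworking hours, gaps in the log) in constructed syslog-style authentication lines. The log format, account list, thresholds and working hours are assumptions made for the demonstration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not from the slides): syslog-like lines with ISO timestamps.
SAMPLE_LOG = """\
2003-07-14T09:00:01 host1 sshd: Accepted password for alice from 192.0.2.10
2003-07-14T09:05:12 host1 sshd: Failed password for root from 203.0.113.7
2003-07-14T09:05:13 host1 sshd: Failed password for root from 203.0.113.7
2003-07-14T09:05:14 host1 sshd: Failed password for root from 203.0.113.7
2003-07-14T09:05:15 host1 sshd: Failed password for root from 203.0.113.7
2003-07-14T09:05:16 host1 sshd: Failed password for root from 203.0.113.7
2003-07-14T13:00:40 host1 sshd: Accepted password for alice from 192.0.2.10
2003-07-14T17:30:00 host1 sshd: Accepted password for bob from 192.0.2.11
2003-07-15T02:13:07 host1 sshd: Accepted password for guest from 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")
DEFAULT_OR_DORMANT = {"guest", "test", "jsmith"}  # assumed list, maintained by the organization
FAILED_THRESHOLD = 5          # failures from one source against one account
WORK_HOURS = (8, 18)          # assumed local working hours, Monday to Friday
MAX_GAP = timedelta(hours=6)  # a longer silence in a busy log deserves a look

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, result, user, src))
    return events

def find_indicators(log_text):
    events = parse(log_text)
    findings = []
    # 1. Numerous failed logon attempts from one source against one account
    failed = Counter((u, s) for _, _, r, u, s in events if r == "Failed")
    for (user, src), n in failed.items():
        if n >= FAILED_THRESHOLD:
            findings.append(("failed_logons", f"{n} failures for {user} from {src}"))
    for ts, host, result, user, src in events:
        if result != "Accepted":
            continue
        # 2. Logins into dormant or default accounts
        if user in DEFAULT_OR_DORMANT:
            findings.append(("default_or_dormant_account", f"{user} from {src} at {ts}"))
        # 3. Activity during nonworking hours (weekend or outside WORK_HOURS)
        if ts.weekday() >= 5 or not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]:
            findings.append(("nonworking_hours", f"{user} from {src} at {ts}"))
    # 4. Gaps in the log: a long silence between consecutive entries
    for (t1, *_), (t2, *_) in zip(events, events[1:]):
        if t2 - t1 > MAX_GAP:
            findings.append(("log_gap", f"no entries between {t1} and {t2}"))
    return findings
```

Each finding is only an indicator: the critical details on the next slide (who reported it, when, which hosts) still have to be recorded and the event confirmed before it is treated as an incident.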

17 Detection of Incidents (2/2)
Some of the critical details to record include the following:
- Current time and date
- Who/what reported the incident
- Nature of the incident
- When the incident occurred
- Hardware/software involved
- Points of contact for involved personnel

18 Initial Response
- One of the first steps of any investigation is to obtain enough information to determine an appropriate response:
  - assembling the CSIRT,
  - collecting network-based and other data,
  - determining the type of incident that has occurred,
  - assessing the impact of the incident.
- The initial response will not involve touching the affected system(s).

19 Formulate Response Strategy (1/3)
Considering the totality of circumstances:
- How many resources are needed to investigate an incident?
- How critical are the affected systems?
- How sensitive is the compromised or stolen information?
- Who are the potential perpetrators?
- What is the apparent skill of the attacker?
- How much system and user downtime is involved?
- What is the overall dollar loss?

20 Formulate Response Strategy (2/3)
Considering appropriate responses (one row of the slide's table):
- Incident: DoS attack
- Example: TFN DDoS attack
- Response strategy: Reconfigure router to minimize effect of the flooding.
- Likely outcome: Effect of attack mitigated by router countermeasures. Establishment of perpetrator's identity may require too many resources to be a worthwhile investment.

21 Formulate Response Strategy (3/3)
- Response strategy options should be quantified with pros and cons related to the following:
  - Estimated dollar loss
  - Network downtime and its impact on operations
  - User downtime and its impact on operations
  - Whether or not your organization is legally compelled to take certain action
  - Public disclosure of the incident and its impact on the organization's reputation/business
- Taking action:
  - Legal action
  - Administrative action

22 Investigate the Incident
- The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident.
- A computer security investigation can be divided into two phases:
  - Data collection
  - Forensic analysis

23 Possible Investigation Phase Steps
Data collection:
- Network-based evidence: obtain IDS logs; obtain existing router logs; obtain relevant firewall logs; obtain remote logs from a centralized host (syslog); perform network monitoring; obtain backups.
- Host-based evidence: obtain the volatile data during a live response; obtain the system time; obtain the time/date stamps for every file on the victim system; obtain all relevant files that confirm or dispel the allegation; obtain backups.
- Other evidence: obtain oral testimony from witnesses.
Analysis:
1. Review the volatile data: review the network connections; identify any rogue processes (backdoors, sniffers).
2. Analyze the relevant time/date stamps: identify files uploaded to the system by an attacker; identify files downloaded or taken from the system.
3. Review the log files.
4. Identify unauthorized user accounts.
5. Look for unusual or hidden files.
6. Examine jobs run by the scheduler service.
7. Review the registry.
8. Perform keyword searches.

24 Performing Forensic Analysis
Preparation of data:
- Perform forensic duplication
- Create a working copy of all evidence media
- Create file lists
- Perform statistical data
- Partition table
- File system
- Extract email and attachments
- Recover deleted data
- Perform file signature analysis
- Recover unallocated space
- Identify known system files
Analysis of data:
- Review browser history files
- Review data collected during live response
- Search for relevant strings
- Perform software analysis
- Review all the network-based evidence
- Identify and decrypt encrypted files
- Perform file-by-file review
- Installed applications
- Perform specialized analysis

25 Reporting
Some guidelines to ensure that the reporting phase does not become your CSIRT's nemesis:
- Document immediately
- Write concisely and clearly
- Use a standard format
- Use an editor

26 Incident Response Organizations
- AusCERT, Australian Computer Emergency Response Team: http://www.auscert.org.au
- CCIPS, Computer Crime and Intellectual Property Section, U.S. Department of Justice: http://www.cybercrime.gov
- CERT/CC, CERT Coordination Center, Carnegie Mellon University: http://www.cert.org
- CERT/CC Incident Reporting System: https://irf.cc.cert.org
- CIAC, Computer Incident Advisory Capability, U.S. Department of Energy: http://www.ciac.org/ciac
- DOD-CERT, U.S. Department of Defense Computer Emergency Response Team: http://www.cert.mil
- FedCIRC, Federal Computer Incident Response Center: http://www.fedcirc.gov
- FedCIRC Incident Reporting System: https://incidentreport.fedcirc.gov
- FIRST, Forum of Incident Response and Security Teams: http://www.first.org
- HTCIA, High Technology Crime Investigation Association: http://www.htcia.org
- IAIP, Information Analysis Infrastructure Protection, U.S. Department of Homeland Security: http://www.nipc.gov
- IAIP Incident Report Form: http://www.nipc.gov/incident/cirr.htm
- IETF Extended Incident Handling (inch) Working Group: http://www.ietf.org/html.charters/inch-charter.html
- InfraGard: http://www.infragard.net
- ISC, Internet Storm Center: http://isc.incidents.org
- US-CERT, United States Computer Emergency Response Team: http://www.us-cert.gov

27 Incident Response-Related Mailing Lists
Mailing list name: archive location
- Bugtraq: http://www.securityfocus.com/archive/1
- DShield: http://www.dshield.org/pipermail/list
- Focus-IDS: http://www.securityfocus.com/archive/96
- Forensics: http://www.securityfocus.com/archive/104
- Incidents: http://www.securityfocus.com/archive/75
- Intrusions: http://cert.uni-stuttgart.de/archive/intrusions
- LogAnalysis: http://airsnarf.shmoo.com/pipermail/loganalysis

28 Technical Resource Sites
- CERIAS (Center for Education and Research in Information Assurance and Security) Intrusion Detection Pages: http://www.cerias.purdue.edu/coast/intrusion-detection/welcome.html
- CHIHT (Clearing House for Incident Handling Tools): http://chiht.dfn-cert.de
- CSIRT Development, CERT/CC: http://www.cert.org/csirts
- CSRC, Computer Security Resource Center, NIST: http://csrc.nist.gov
- DShield (Distributed Intrusion Detection System): http://www.dshield.org
- Incident Handling Links and Documents: http://www.honeypots.net/incidents/links
- Intrusion Detection FAQ, SANS Institute: http://www.sans.org/resources/idfaq
- Intrusion Detection Links and Documents: http://www.honeypots.net/ids/links
- Loganalysis.org: http://www.loganalysis.org
- NIJ (National Institute of Justice) Electronic Crime Program: http://www.ojp.usdoj.gov/nij/sciencetech/ecrime.htm
- NIST Internet Time Service: http://www.boulder.nist.gov/timefreq/service/its.htm
- SANS Institute Reading Room: http://www.sans.org/rr
- SecurityFocus: http://www.securityfocus.com
- The Electronic Evidence Information Center: http://www.e-evidence.info

29 Vulnerability and Exploit Information Resources
- CERT/CC Advisories: http://www.cert.org/advisories
- CERT/CC Incident Notes: http://www.cert.org/incident_notes
- CERT/CC Vulnerability Notes Database: http://www.kb.cert.org/vuls
- CIAC Bulletins and Advisories: http://www.ciac.org/cgi-bin/index/bulletins
- Common Vulnerabilities and Exposures (CVE): http://www.cve.mitre.org
- ICAT Vulnerability Metabase: http://icat.nist.gov
- Information Analysis Infrastructure Protection (IAIP): http://www.nipc.gov
- Packet Storm: http://www.packetstormsecurity.com
- SANS/FBI Top 20 List: http://www.sans.org/top20
- SecurityFocus Vulnerabilities Database: http://www.securityfocus.com/bid

30 Training Resources
Training resource name: types of training; URL
- CERT/CC: incident response; http://www.cert.org/training
- Computer Forensic Services: computer forensics; http://www.computer-forensic.com/training.html
- Foundstone: incident response, computer forensics; http://www.foundstone.com
- MIS Training Institute (MISTI): incident response, intrusion detection, computer forensics; http://www.misti.com
- SANS Institute: incident response, intrusion detection, computer forensics; http://www.sans.org
