
1 Chapter 9

2 Copyright Pearson Prentice-Hall 2010
 In previous chapters, we have looked at threats, planning, and response
 In Chapter 9, we complete the discussion of the plan-protect-respond cycle
 Response planning is necessary because defenses can never stop all attacks. Companies must respond appropriately when attacks happen or natural disasters occur

3  Plan (Chapter 2) → Protect (Chapters 3-8) → Respond (Chapter 9)

4  Incidents Happen
  ◦ Protections inevitably break down occasionally
  ◦ Successful attacks are called security incidents, breaches, or compromises
 Incident Severity
  ◦ False alarms
    Apparent compromises are not real compromises
    Also called false positives
    Handled by the on-duty staff
    Waste time and may dull vigilance

5  Incident Severity
  ◦ Minor incidents
    Breaches that on-duty staff can handle
    Little to no management or policy issues
  ◦ Major incidents
    Beyond the capabilities of the on-duty staff
    Must convene a Computer Security Incident Response Team (CSIRT)
    CSIRT needs participation beyond IT security

6  Incident Severity
  ◦ Disasters
    Fires, floods, hurricanes, major terrorist attacks
    Must assure business continuity
      Maintaining the day-to-day operations of the firm
    Need a business continuity group headed by a senior manager
      Core permanent staff will facilitate activities
    IT disaster response is restoring IT services
      May be a subset of business continuity
      May be a stand-alone IT disaster

7  Process for Major Incidents
  ◦ E.g., breach of a server holding sensitive customer information
 Detection, Analysis, and Escalation
  ◦ Must detect through technology or people
    Need good intrusion detection technology
    All employees must know how to report incidents
  ◦ Must analyze the incident enough to guide subsequent actions
    Confirm that the incident is real
    Determine its scope: who is attacking, what they are doing, how sophisticated they are, etc.
    Predominantly done via log file analysis

8  Detection, Analysis, and Escalation
  ◦ If deemed severe enough, escalate to a major incident
    Pass to the CSIRT, the disaster response team, or the business continuity team

9  Containment
  ◦ Disconnection of the system from the site network, or of the site network from the Internet (damaging)
    Harmful, so must be done only with proper authorization
    This is a business decision, not a technical decision

10  Containment
  ◦ Black-holing the attacker (only works for a short time)
    Blocking the IP address of the attacker
    What must be in place for this to be an efficient/effective option?
    What does black-holing tell the hacker?
  ◦ Continue to collect data (allows harm to continue) to understand the situation
    Especially necessary if prosecution is desired

11  Recovery
  ◦ Restore the site from backup
    But what if the backup files are compromised?
  ◦ Total software reinstallation
  ◦ Must leave the site more secure than before; the hackers may be back

12  Recovery
  ◦ Data
    Restoration from backup tapes
    Loses data since the last trusted backup

13  After initial restore
  ◦ Updated WordPress admin password
    It wasn’t “admin”
  ◦ Updated WordPress to latest version
  ◦ I updated my plugins

14  Remember I said I was hacked again
 I forgot to update my themes
  ◦ WordPress themes are usually PHP code
  ◦ Determines blog look and behavior
 Mine was not updated
 So I updated it…
 I had 69 out-of-date themes!!!!!!

15  Recovery
  ◦ Software
    Total software reinstallation of operating system and applications may be necessary for the system to be trustable
    Manual reinstallation of software
      Need installation media and product activation keys
      Must have good configuration documentation before the incident
    Reinstallation from a disk image
      Can greatly reduce time and effort
      Requires a recent disk image

16  Apology
  ◦ Acknowledge responsibility and harm without evasion or weasel words
  ◦ Explain potential inconvenience and harm in detail
  ◦ Explain what actions will be taken to compensate victims, if any

17  Punishment
  ◦ Punishing employees usually is fairly easy
    Most employees are at-will employees
    Companies usually have wide discretion in firing at-will employees
    This varies internationally
    Union agreements may limit sanctions or at least require more detailed processes

18  Punishment
  ◦ The decision to pursue criminal prosecution
    Must consider cost and effort
    Must consider probable success if pursued (often attackers are minors or foreign nationals)
    Loss of reputation because the incident becomes public

19  Punishment
  ◦ Collecting and managing evidence
    Forensics: courts have strict rules for admitting evidence
    Call the authorities and a forensics expert for help

20  Punishment
  ◦ Collecting and managing evidence
    Protecting evidence
      Pull the plug on a server if possible
      This is a business decision, not an IT decision
    Document the chain of custody
      Who held the evidence at all times
      What they did to protect it
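The chain-of-custody record the slide asks for can be kept in a form that is itself tamper-evident. The following is an added example, not code from the textbook or the slides: each custody entry names who held the item, what they did, and the SHA-256 of the item at that moment, and the entries are hash-chained so that a rewritten or dropped earlier entry is detectable. The evidence bytes, item id, names and timestamps are constructed for the demonstration; `EvidenceItem`, `transfer`, `verify_item` and `verify_chain` are this example's own names.

```python
import hashlib
import json

# Constructed stand-in for a seized artifact (e.g., a disk image); not real evidence.
EVIDENCE_BYTES = b"constructed sample: contents of a server disk image would go here\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceItem:
    """An evidence item with an append-only, hash-chained chain-of-custody log."""

    def __init__(self, item_id, description, data, collector, when_iso):
        self.item_id = item_id
        self.description = description
        self.original_hash = sha256_hex(data)   # fingerprint taken at collection
        self.records = []
        self._append(collector, "collected", self.original_hash, when_iso)

    def _append(self, custodian, action, item_hash, when_iso):
        prev = self.records[-1]["record_hash"] if self.records else "0" * 64
        record = {"item_id": self.item_id, "seq": len(self.records), "timestamp": when_iso,
                  "custodian": custodian, "action": action,
                  "item_sha256": item_hash, "prev_record_hash": prev}
        # Each record commits to its own content and to the previous record's hash,
        # so editing or removing an earlier entry breaks every later link.
        record["record_hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
        self.records.append(record)

    def transfer(self, new_custodian, data, when_iso, note="transferred"):
        """Hand the item over; re-hash it so a mismatch is written into the log, not hidden."""
        current = sha256_hex(data)
        intact = current == self.original_hash
        action = note if intact else note + " (INTEGRITY MISMATCH)"
        self._append(new_custodian, action, current, when_iso)
        return intact

    def verify_item(self, data):
        """True if the bytes still match the fingerprint taken at collection."""
        return sha256_hex(data) == self.original_hash

    def verify_chain(self):
        """Recompute every record hash and link; False if any entry was altered."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if rec["seq"] != i or rec["prev_record_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != rec["record_hash"]:
                return False
            prev = rec["record_hash"]
        return True


def demo():
    """Collection by on-duty staff, hand-off to an examiner, then sealing in storage."""
    item = EvidenceItem("EV-0001", "disk image of breached web server (constructed)",
                        EVIDENCE_BYTES, "on-duty administrator", "2010-03-01T08:45:00Z")
    item.transfer("forensics examiner", EVIDENCE_BYTES, "2010-03-01T10:00:00Z")
    item.transfer("evidence locker", EVIDENCE_BYTES, "2010-03-01T11:30:00Z",
                  note="sealed and stored")
    return item
```

The item hash answers "is this still the same evidence?" and the record chain answers "has the custody log itself been edited?"; a real deployment would also store the log somewhere the custodians cannot write to, which is the organizational part of the slide's advice.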

21  Postmortem Evaluation
  ◦ What should we do differently next time?
  ◦ I’ve set up my theme to update automatically and only have 1 theme to keep track of.
  ◦ I still need to check for updates of WordPress and plugins routinely

22  Organization of the CSIRT
  ◦ Should be led by a senior manager
  ◦ Should have members from affected line operations
  ◦ The IT security staff may manage the CSIRT’s operation on a day-to-day basis
  ◦ Might need to communicate with the media; only do so via public relations
  ◦ The corporate legal counsel must be involved to address legal issues
  ◦ Human resources is necessary, especially if there are to be sanctions against employees

23  Carnegie Mellon Computer Emergency Response Team (CERT)
  ◦ XNET

24  Criminal Law versus Civil Law
Dimension | Criminal Law | Civil Law
Deals with | Violations of criminal statutes | Interpretations of rights and duties that companies or individuals have relative to each other
Penalties | Jail time and fines | Monetary penalties and orders to parties to take or not take certain actions
Cases brought by | Prosecutors | Plaintiff is one of the two parties
Criterion for verdict | Beyond a reasonable doubt | Preponderance of the evidence (usually)
Requires mens rea (guilty mind) | Usually | Rarely, although it may affect the imposed penalty
Applicable to IT security | Yes. To prosecute attackers and to avoid breaking the law | Yes. To avoid or minimize civil trials and judgments

25  Cyberlaw
  ◦ Cyberlaw is any law dealing with information technology
 Jurisdictions
  ◦ Areas of responsibility within which government bodies can make and enforce law, but beyond which they cannot

26  Computer Forensics Experts
  ◦ Professionals trained to collect and evaluate computer evidence in ways that are likely to be admissible in court
  ◦ Meet with them before there is a need, because the initial moments of an intrusion require correct action

27  Expert Witnesses
  ◦ Normally, witnesses can only testify regarding facts, not interpretations
  ◦ Expert witnesses may interpret facts to make them comprehensible to the jury in situations where juries are likely to have a difficult time evaluating the evidence themselves

28  18 U.S.C. § 1030
  ◦ United States Code Title 18, Part I (Crimes), Section 1030
  ◦ Actions prohibited
    Hacking
    Malware
    Denial of service

29  18 U.S.C. § 1030
  ◦ Protected computers
    Applicability is limited to protected computers
    Include “government computers, financial institution computers, and any computer which is used in interstate or foreign commerce or communications”
  ◦ Often requires a damage threshold for prosecution
    The FBI may require even higher damages to prosecute

30  18 U.S.C. § 2511
  ◦ Prohibits the interception of electronic messages, both en route and after the message is received and stored
  ◦ Allows e-mail service providers to read the content of mail
    A company can read employee mail if it owns the mail system

31  Other Federal Laws
  ◦ Many traditional federal criminal laws may apply in individual cases
  ◦ For example, fraud, extortion, and the theft of trade secrets
  ◦ These laws often have far harsher consequences than cybercrime laws

32  Event logging for suspicious events
 Sometimes, send alarms
 A detective control, not a preventative or restorative control

33  Intrusion detection system components (figure)
  ◦ Management: configuration, tuning, etc.
  ◦ Actions: generate alarms; generate log summary reports; support interactive manual log analysis
  ◦ Automated analysis: attack signatures versus anomaly detection
  ◦ Event logging: individual events are time-stamped; the log is a flat file of events
  ◦ (Sometimes) data aggregation from multiple IDSs

34  Logging
  ◦ Captures discrete, time-stamped events
  ◦ Stored in a sequential file
 Automated Analysis
  ◦ Attack signatures (see my hack)
  ◦ Anomaly detection
    Deviations from past activity
 Actions
  ◦ Alarm
  ◦ Log summary reports should be reviewed
  ◦ Support interactive log analysis tools

35  Multiple IDSs allow a better overview of an attack
 Agents
  ◦ Each device collecting data/events
 Manager program
  ◦ Integrates log files from all sources
  ◦ Batch transfers
    Least expensive
    If a hacker disables event logging between batches, the hack may go undetected
  ◦ Real-time transfers
    More expensive
    Doesn’t suffer from this gap


37  Network IDSs (NIDSs)
  ◦ Stand-alone device or built into a switch or router
  ◦ NIDSs see and can filter all packets passing through them
  ◦ Switch or router NIDSs can collect data on all ports
  ◦ A NIDS collects data for only its portion of the network
    Blind spots in the network where no NIDS data is collected
  ◦ Cannot filter encrypted packets

38  Host IDSs (HIDSs)
  ◦ Attractions
    Provide highly detailed information for the specific host
  ◦ Weaknesses of host IDSs
    Limited viewpoint: only one host
    Host IDSs can be attacked and disabled

39  Host IDSs (HIDSs)
  ◦ Operating System Monitors
    Collect data on operating system events
    Multiple failed logins
    Creating new accounts
    Adding new executables (programs—may be attack programs)

40  Host IDSs (HIDSs)
  ◦ Operating System Monitors
    Modifying executables (installing Trojan horses does this)
    Adding registry keys (changes how the system works)
    Changing or deleting system logs and audit files
    Changing system audit policies
    User accessing critical system files
    User accessing unusual files
    Changing the OS monitor itself

41  Log Files
  ◦ Flat files of time-stamped events
  ◦ Individual logs for single NIDSs or HIDSs
  ◦ Integrated logs
    Aggregation of event logs from multiple IDS agents (Figure 9-12)
    Difficult to create because of format incompatibilities
    Time synchronization of IDS event logs is crucial (Network Time Protocol)

42  Event Correlation (Figure 9-15)
  ◦ Suspicious patterns in a series of events across multiple devices
  ◦ Difficult because the relevant events are buried in much larger event streams
  ◦ Usually requires many analyses of the integrated log file data

43  Sample Log File (many irrelevant log entries not shown)
  1. 8:45:05:47. Packet from 1.15.3.6 to 60.3.4.5 (NIDS log entry)
  2. 8:45:07:49. Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry)
  3. 8:45:07:50. Packet from 60.3.4.5 to 1.15.3.6 (NIDS)
  4. 8:45:50:15. Packet from 1.15.3.6 to 60.3.4.5 (NIDS)
  5. 8:45:50:18. Host 60.3.4.5. Failed login attempt for account Lee (HIDS)
  6. 8:45:50:19. Packet from 60.3.4.5 to 1.15.3.6 (NIDS)
  7. 8:49:07:44. Packet from 1.15.3.6 to 60.3.4.5 (NIDS)
  8. 8:49:07:47. Host 60.3.4.5. Successful login attempt for account Lee (HIDS)
  9. 8:49:07:48. Packet from 60.3.4.5 to 1.15.3.6 (NIDS)

44  Sample Log File
  10. 8:56:12:30. Packet from 60.3.4.5 to 123.28.5.210. TFTP request (NIDS)
  11. 8:56:28:07. Series of packets from 123.28.5.210 and 60.3.4.5. TFTP response (NIDS)
  12. No more host log entries
    ◦ (The log would not say this; it would merely stop sending events)

45  Sample Log File (many irrelevant log entries not shown)
  13. 9:03:17:33. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
  14. 9:05:55:89. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
  15. 9:11:22:22. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
  16. 9:15:17:47. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
  17. 9:20:12:05. Packet from 60.3.4.5 to 60.0.1.1. TCP SYN=1, Destination Port 80 (NIDS)
  18. 9:20:12:07. Packet from 60.0.1.1 to 60.3.4.5. TCP RST=1, Source Port 80 (NIDS)
  19. 9:20:12:08. Packet from 60.3.4.5 to 60.0.1.2. TCP SYN=1, Destination Port 80 (NIDS)
  20. 9:20:12:11. Packet from 60.3.4.5 to 60.0.1.3. TCP SYN=1, Destination Port 80 (NIDS)
  21. 9:20:12:12. Packet from 60.0.1.3 to 60.3.4.5. TCP SYN=1; ACK=1, Source Port 80 (NIDS)
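The integrated-log and event-correlation slides describe the analysis in words; the following added example (not from the textbook or the slides) runs it over the sample log. The log text is transcribed from slides 43 to 45 with one normalization, every line in the shape "N. h:mm:ss:cc. event (SENSOR)", and the parser merges NIDS and HIDS entries onto one time axis, which is why the slides insist on NTP synchronization. Three correlations are then applied: repeated failed logins followed by success on the same account, attributed to the NIDS source that was sending packets to the host at those moments; one source sending SYNs to several hosts on the same port in a short window; and a sensor that has gone silent while the others keep reporting (the slides' entry 12). The thresholds and the function names are this example's own choices, and the code generalizes beyond the slide's single case to any log in this line shape.

```python
import re
from collections import defaultdict

# Integrated NIDS/HIDS log transcribed from the slides (constructed sample), normalized
# to "N. h:mm:ss:cc. <event> (SENSOR)"; the last time field is hundredths of a second.
SAMPLE_LOG = """\
1. 8:45:05:47. Packet from 1.15.3.6 to 60.3.4.5 (NIDS)
2. 8:45:07:49. Host 60.3.4.5. Failed login attempt for account Lee (HIDS)
3. 8:45:07:50. Packet from 60.3.4.5 to 1.15.3.6 (NIDS)
4. 8:45:50:15. Packet from 1.15.3.6 to 60.3.4.5 (NIDS)
5. 8:45:50:18. Host 60.3.4.5. Failed login attempt for account Lee (HIDS)
6. 8:45:50:19. Packet from 60.3.4.5 to 1.15.3.6 (NIDS)
7. 8:49:07:44. Packet from 1.15.3.6 to 60.3.4.5 (NIDS)
8. 8:49:07:47. Host 60.3.4.5. Successful login attempt for account Lee (HIDS)
9. 8:49:07:48. Packet from 60.3.4.5 to 1.15.3.6 (NIDS)
10. 8:56:12:30. Packet from 60.3.4.5 to 123.28.5.210. TFTP request (NIDS)
11. 8:56:28:07. Series of packets from 123.28.5.210 and 60.3.4.5. TFTP response (NIDS)
13. 9:03:17:33. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
14. 9:05:55:89. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
15. 9:11:22:22. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
16. 9:15:17:47. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)
17. 9:20:12:05. Packet from 60.3.4.5 to 60.0.1.1. TCP SYN=1, Destination Port 80 (NIDS)
18. 9:20:12:07. Packet from 60.0.1.1 to 60.3.4.5. TCP RST=1, Source Port 80 (NIDS)
19. 9:20:12:08. Packet from 60.3.4.5 to 60.0.1.2. TCP SYN=1, Destination Port 80 (NIDS)
20. 9:20:12:11. Packet from 60.3.4.5 to 60.0.1.3. TCP SYN=1, Destination Port 80 (NIDS)
21. 9:20:12:12. Packet from 60.0.1.3 to 60.3.4.5. TCP SYN=1; ACK=1, Source Port 80 (NIDS)
"""

LINE_RE = re.compile(r"^(\d+)\.\s*(\d+):(\d+):(\d+):(\d+)\.?\s*(.*?)\s*\((NIDS|HIDS)\)$")
LOGIN_RE = re.compile(r"Host (\S+)\. (Failed|Successful) login attempt for account (\w+)")
PACKET_RE = re.compile(r"Packet from (\S+) to (\S+)$")
SYN_RE = re.compile(r"Packet from (\S+) to (\S+)\. TCP SYN=1, Destination Port (\d+)")


def parse_log(text):
    """Parse lines into dicts; time becomes seconds since midnight so sensors can be merged."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            num, h, mi, s, cs, body, sensor = m.groups()
            t = int(h) * 3600 + int(mi) * 60 + int(s) + int(cs) / 100
            events.append({"n": int(num), "t": t, "body": body, "sensor": sensor})
    return sorted(events, key=lambda e: e["t"])


def packet_sources(events, host, t, lookback=5.0):
    """NIDS sources that sent a packet to `host` within `lookback` seconds before `t`."""
    return {m.group(1) for e in events
            if (m := PACKET_RE.match(e["body"])) and m.group(2) == host
            and 0 <= t - e["t"] <= lookback}


def find_password_guessing(events, min_failures=2, window=600.0):
    """Several failed logins then a success on one account, with the NIDS-side source."""
    findings, failures = [], defaultdict(list)
    for e in events:
        m = LOGIN_RE.match(e["body"])
        if not m:
            continue
        host, outcome, account = m.groups()
        if outcome == "Failed":
            failures[(host, account)].append(e["t"])
            continue
        recent = [t for t in failures[(host, account)] if e["t"] - t <= window]
        if len(recent) >= min_failures:
            sources = set().union(*(packet_sources(events, host, t) for t in recent + [e["t"]]))
            findings.append({"host": host, "account": account, "failures": len(recent),
                             "sources": sources, "t": e["t"]})
        failures[(host, account)].clear()
    return findings


def find_syn_scans(events, min_targets=3, window=10.0):
    """One source sending SYNs to many hosts on the same port inside `window` seconds."""
    by_src, findings = defaultdict(list), []
    for e in events:
        m = SYN_RE.match(e["body"])
        if m:
            by_src[m.group(1)].append((e["t"], m.group(2), int(m.group(3))))
    for src, probes in by_src.items():
        for t0, _, port in probes:
            targets = {d for t, d, p in probes if p == port and t0 <= t <= t0 + window}
            if len(targets) >= min_targets:
                findings.append({"source": src, "port": port, "targets": sorted(targets)})
                break
    return findings


def find_silent_sensors(events, max_gap=900.0):
    """Sensors whose last event is far before the integrated log ends (slide entry 12)."""
    last = {}
    for e in events:
        last[e["sensor"]] = max(last.get(e["sensor"], 0.0), e["t"])
    end = max(last.values())
    return sorted(s for s, t in last.items() if end - t > max_gap)


def correlate(text):
    events = parse_log(text)
    return {"password_guessing": find_password_guessing(events),
            "syn_scans": find_syn_scans(events),
            "silent_sensors": find_silent_sensors(events)}
```

On the slide's log, `correlate(SAMPLE_LOG)` attributes the two failures and the success on account Lee to 1.15.3.6, flags 60.3.4.5 probing 60.0.1.1 through 60.0.1.3 on port 80, and reports the HIDS as silent, since its last entry is about half an hour before the NIDS stops. None of the three findings is visible from a single sensor's log, which is the slide's point about integrated logs.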

46  Tuning for Precision
  ◦ Too many false positives
    False alarms
    Can overwhelm administrators and dull vigilance
  ◦ False negatives allow attacks to proceed unseen

47  Tuning for Precision
  ◦ Tuning for false positives turns off unnecessary rules and reduces alarm levels of unlikely rules
    For instance, alarms for attacks against Solaris operating systems can be deleted if a firm has no Sun Microsystems servers
    Tuning requires a great deal of expensive labor
    Even after tuning, most alerts will be false positives
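The two tuning moves on the slide, disabling rules that cannot apply and lowering the alarm level of rules that keep crying wolf, can both be driven by data the security staff already has: an asset inventory and the outcome of past triage. The following is an added example, not code from the textbook or from any IDS product: the rule names, platforms, alert records and triage counts are constructed, and `build_tuning` and `apply_tuning` are this example's own names. A rule is disabled when its target platform is absent from the inventory (the slide's Solaris case) and downgraded when enough past alerts have been triaged and almost all were false positives.

```python
from collections import Counter

# Constructed inventory: the platforms actually present in this firm (no Sun/Solaris hosts).
ASSET_PLATFORMS = {"windows", "linux"}

# Constructed rule metadata: which platform each signature targets and its default severity.
RULES = {
    "SOLARIS-TELNET-EXPLOIT": {"platform": "solaris", "severity": "high"},
    "WIN-SMB-ANOMALY":        {"platform": "windows", "severity": "high"},
    "LINUX-SSH-BRUTE":        {"platform": "linux",   "severity": "medium"},
    "GENERIC-ICMP-SWEEP":     {"platform": "any",     "severity": "medium"},
}

# Constructed triage history per rule: (confirmed true positives, confirmed false positives).
TRIAGE_FEEDBACK = {
    "WIN-SMB-ANOMALY": (4, 6),
    "LINUX-SSH-BRUTE": (5, 5),
    "GENERIC-ICMP-SWEEP": (1, 19),
}

# Constructed batch of raw alerts as the IDS would emit them before tuning.
RAW_ALERTS = [
    {"rule": "SOLARIS-TELNET-EXPLOIT", "src": "198.51.100.7", "dst": "10.0.0.5"},
    {"rule": "GENERIC-ICMP-SWEEP", "src": "10.0.0.9", "dst": "10.0.0.0/24"},
    {"rule": "WIN-SMB-ANOMALY", "src": "10.0.0.21", "dst": "10.0.0.5"},
    {"rule": "GENERIC-ICMP-SWEEP", "src": "10.0.0.12", "dst": "10.0.0.0/24"},
    {"rule": "SOLARIS-TELNET-EXPLOIT", "src": "203.0.113.4", "dst": "10.0.0.6"},
    {"rule": "LINUX-SSH-BRUTE", "src": "203.0.113.9", "dst": "10.0.0.8"},
    {"rule": "GENERIC-ICMP-SWEEP", "src": "10.0.0.30", "dst": "10.0.0.0/24"},
]


def build_tuning(rules, platforms, feedback, max_fp_rate=0.9, min_samples=10):
    """Decide per rule: 'disabled' (no such asset), 'downgraded' (mostly noise) or 'active'."""
    decisions = {}
    for name, meta in rules.items():
        if meta["platform"] != "any" and meta["platform"] not in platforms:
            decisions[name] = "disabled"
            continue
        tp, fp = feedback.get(name, (0, 0))
        # Only downgrade on enough triaged samples; a rule with no history stays active.
        if tp + fp >= min_samples and fp / (tp + fp) > max_fp_rate:
            decisions[name] = "downgraded"
        else:
            decisions[name] = "active"
    return decisions


def apply_tuning(alerts, rules, decisions):
    """Drop alerts from disabled rules, lower severity for downgraded ones, count the effect."""
    kept, stats = [], Counter()
    for alert in alerts:
        decision = decisions.get(alert["rule"], "active")
        stats[decision] += 1
        if decision == "disabled":
            continue
        if decision == "downgraded":
            severity = "low"
        else:
            severity = rules.get(alert["rule"], {}).get("severity", "unknown")
        kept.append(dict(alert, severity=severity))
    return kept, stats
```

On the constructed batch, tuning discards the two Solaris alerts outright and keeps the three ICMP-sweep alerts at low severity rather than deleting them, so they still appear in log summary reports without paging anyone; five of the seven alerts survive, which matches the slide's warning that most alerts remain false positives even after tuning.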

48  Updates
  ◦ Program and attack signatures must be updated frequently
 Processing Performance
  ◦ If processing speed cannot keep up with network traffic, some packets will not be examined
  ◦ This can make some IDSs useless during attacks that increase the traffic load

49  Storage
  ◦ There will be limited disk storage for log files
  ◦ When log files reach storage limits, they must be archived
  ◦ Event correlation is difficult across multiple backup tapes
  ◦ Adding more disk capacity reduces the problem but never eliminates it

50  Business Continuity Planning
  ◦ A business continuity plan specifies how a company plans to restore or maintain core business operations when disasters occur
  ◦ IT disaster response is restoring IT services

51  Principles of Business Continuity Management
  ◦ Protect people first
    Evacuation plans and drills
    Never allow staff members back into unsafe environments
    Must have a systematic way to account for all employees and notify loved ones
    Counseling afterwards

52  Principles of Business Continuity Management
  ◦ People have reduced capacity in decision making during a crisis
    Planning and rehearsal are critical
  ◦ Avoid rigidity
    Unexpected situations will arise
    Communication will break down and information will be unreliable
    Decision makers must have the flexibility to act

53  Principles of Business Continuity Management
  ◦ Communication
    Try to compensate for inevitable breakdowns
    Have a backup communication system
    Communicate constantly to keep everybody “in the loop”

54  Business Continuity: keeping the entire firm operating, or restoring the firm to operation
 IT Disaster Response: keeping IT resources operating, or restoring them to operation

55  IT Disaster Recovery
  ◦ IT disaster recovery looks specifically at the technical aspects of how a company can get its IT back into operation using backup facilities
  ◦ A subset of business continuity, or stand-alone for disasters that only affect IT
  ◦ All decisions are business decisions and should not be made by mere IT or IT security staffs alone

56  Types of Backup Facilities
  ◦ Hot sites
    Ready to run (power, HVAC, computers): just add data
    Considerations: rapid readiness at high cost
    Must be careful to keep the software at the hot site up to date in terms of configuration

57  Types of Backup Facilities
  ◦ Cold sites
    Building facilities, power, HVAC, and communication to the outside world only
    No computer equipment
    Less expensive, but usually take too long to get operating

58  Types of Backup Facilities
  ◦ Site sharing
    Site sharing among a firm’s sites (problem of equipment compatibility and data synchronization)
    Continuous data protection needed to allow rapid recovery

59  Office Computers
  ◦ Hold much of a corporation’s data and analysis capability
  ◦ Will need new computers if old computers are destroyed or unavailable
    Will need new software
    Well-synchronized data backup is critical
  ◦ People will need a place to work

60  Restoration of Data and Programs
  ◦ Restoration from backup tapes: need backup tapes at the remote recovery site
  ◦ May be impossible during a disaster
 Testing the IT Disaster Recovery Plan
  ◦ Difficult and expensive
  ◦ Necessary

61  Or, as we say in Hawaii, “All pau”

62  All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America. Copyright © 2010 Pearson Education, Inc. Publishing as Prentice Hall

