
Overview: Attacks, Security Incidents, Handling Security Incidents - PowerPoint PPT Presentation



Slide 1: Overview
- Attacks
- Security Incidents
- Handling Security Incidents
- Incident Management Methods and Tools
- Maintaining Incident Preparedness
- Standard Incident Handling Procedures
- Learn from Experience
- Malicious Code
- Common Types of Attacks

Slide 2: Chapter 7, Handling Security Incidents
Lecturer: Pei-yih Ting

Slide 3: Attack Terms and Concepts
- An attack is any attempt to
  - Gain unauthorized access to a system
  - Deny authorized users access to a system
- The purpose of an attack is to
  - Cause serious damage or result in great expense
  - Bring about data disclosure, alteration, or denial (DAD)
- An attacker is an individual (or group) who strives to violate a system's security
- When an attacker breaks a law or regulation, a computer crime occurs

Slide 4: Types of Attacks
- Military and Intelligence Attacks
  - Attempts to acquire secret information from military or law enforcement agencies
  - For example, defense strategies, sealed legal proceedings
  - To change and reformulate plans
- Business Attacks
  - Similar to a military attack, but the target is a commercial organization
  - Purpose is to access sensitive data
  - For example, trade secret information or important business decisions

Slide 5: Types of Attacks (cont'd)
- Financial Attacks
  - Target is a commercial organization
  - Purpose is to acquire goods, services, or money improperly
  - For example, phone phreaking
- Fun Attacks
  - No real purpose except bragging rights for the hacker
  - Can be very difficult to track down

Slide 6: Types of Attacks (cont'd)
- Grudge Attacks
  - Purpose is to inflict damage or seek revenge against an organization
  - Former employees comprise a large number of these attackers
- Terrorist Attacks
  - Coordinated with a physical attack by disrupting communication and infrastructure control systems
  - Purpose is to affect the ability of agencies to react to the physical attack

Slide 7: Security Incidents
- A security incident is defined as any violation of a security policy
- Every attack is an incident
- Not every incident is an attack, e.g. accessing Internet auction sites during office hours or using a dictionary word for a password
- Some incidents are discovered after the fact through log analysis or system audit
  - For example, unauthorized access to secure files discovered by scanning an access log
- Some incidents are identified and examined as they occur
  - DoS attacks are usually apparent as they occur
- Many incidents go unresolved because they are unnoticed

Slide 8: Handling Security Incidents
- First step: recognizing that an incident has occurred
  - The security policy should clearly state the actions and behaviors that constitute a security incident
- Incident recognition starts with user education
  - Users should know what the policies are so they will know when an incident has occurred
  - Users should also be educated about what to do if they notice that an incident has occurred
- Second step: there are four general types of incidents; each type of incident presents its own challenges in detection and avoidance

Slide 9: Handling Security Incidents (cont'd)
Four types of security incidents:
- Scanning
  - The systematic probing of ports to find open ports and query them for information
  - Not an attack, but may be a precursor to an attack
  - Detected by looking for packet traces in the log file of a firewall
- Compromise
  - Any unauthorized access to a system
  - Generally involves defeating or bypassing security controls
  - Detecting a compromise is difficult; it is usually done by noticing something unusual in system activities

Slide 10: Handling Security Incidents (cont'd)
- Malicious code
  - Any program, procedure, or executable file that makes unauthorized modifications or triggers unauthorized activities
  - Viruses, worms, and Trojan horses fall into this category
  - Detected by noticing strange behaviors of your system
  - Antivirus software catches these by signature matching
- Denial of Service (DoS)
  - Violates the availability property of security
  - Denies authorized users access to a system
  - Highly disruptive to online retailers (business platform on the Internet)
  - Response: deny the attacker's IP

Slide 11: Incident Management Methods
- A security policy should have incident handling plans for all probable incidents
- General procedures
  - Detect that an incident has occurred
  - Contain the damage caused by the incident
  - Assess the damage and report the incident
  - Investigate the origin of the incident
  - Collect evidence
  - Analyze findings
  - Take action to avoid another occurrence
  - Recover from the damage

Slide 12: Incident Management (cont'd)
- Often a standing incident response team (IRT) is created with members from different departments within an organization
- The IRT ensures that an incident is handled efficiently
- The IRT collects information from an attack for analysis (to promote any changes that will reduce the likelihood of a reoccurrence) and for possible legal action
- The IRT investigates an incident by collecting evidence that can be used to verify the identity or activity of an attacker
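Slide 9 says scanning is usually recognized from packet traces in a firewall log. The following added example (not part of the lecture slides) shows what that recognition looks like in code: it parses a constructed, simplified firewall log format and reports any source that touches many distinct destination ports on one host inside a short time window. The log format, the IP addresses, the threshold and the window size are all assumptions chosen for the example.

```python
"""Port-scan recognition over firewall log lines (added example).

Assumed, constructed log format (not a real firewall's output):
  <epoch-seconds> <ACTION> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
A source that touches at least `min_ports` distinct destination ports on one
host within `window` seconds is reported as a probable scan.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes eleven ports on 192.168.1.10 within a few
# seconds; 10.0.0.7 is an ordinary client talking to two services.
SAMPLE_LOG = """\
1700000000 DROP src=10.0.0.5 dst=192.168.1.10 dport=21 proto=tcp
1700000001 DROP src=10.0.0.5 dst=192.168.1.10 dport=22 proto=tcp
1700000001 DROP src=10.0.0.5 dst=192.168.1.10 dport=23 proto=tcp
1700000002 DROP src=10.0.0.5 dst=192.168.1.10 dport=25 proto=tcp
1700000002 DROP src=10.0.0.5 dst=192.168.1.10 dport=53 proto=tcp
1700000003 ACCEPT src=10.0.0.5 dst=192.168.1.10 dport=80 proto=tcp
1700000003 DROP src=10.0.0.5 dst=192.168.1.10 dport=110 proto=tcp
1700000004 DROP src=10.0.0.5 dst=192.168.1.10 dport=135 proto=tcp
1700000004 DROP src=10.0.0.5 dst=192.168.1.10 dport=139 proto=tcp
1700000005 ACCEPT src=10.0.0.5 dst=192.168.1.10 dport=443 proto=tcp
1700000005 DROP src=10.0.0.5 dst=192.168.1.10 dport=445 proto=tcp
1700000010 ACCEPT src=10.0.0.7 dst=192.168.1.10 dport=443 proto=tcp
1700000011 ACCEPT src=10.0.0.7 dst=192.168.1.10 dport=443 proto=tcp
1700000012 ACCEPT src=10.0.0.7 dst=192.168.1.10 dport=80 proto=tcp
"""

# Constructed slow probe: 10.0.0.9 touches twelve ports, ten minutes apart.
# It stays under a 60-second window but shows up when the window is widened.
SLOW_SCAN = "\n".join(
    f"{1700000000 + 600 * i} DROP src=10.0.0.9 dst=192.168.1.10 dport={1000 + i} proto=tcp"
    for i in range(12)
)


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    fields = line.split()
    kv = dict(f.split("=", 1) for f in fields[2:])
    return {
        "ts": int(fields[0]),
        "action": fields[1],
        "src": kv["src"],
        "dst": kv["dst"],
        "dport": int(kv["dport"]),
        "proto": kv["proto"],
    }


def detect_scans(lines, window=60, min_ports=10):
    """Return {(src, dst): sorted ports} for every source/destination pair that
    hit at least `min_ports` distinct ports within any `window`-second span.
    Both dropped and accepted packets count: a scan probes open ports too."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        events[(e["src"], e["dst"])].append((e["ts"], e["dport"]))

    findings = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                findings.setdefault(key, set()).update(ports)
    return {key: sorted(ports) for key, ports in findings.items()}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines() + SLOW_SCAN.splitlines()
    for (src, dst), ports in detect_scans(lines).items():
        print(f"probable scan from {src} against {dst}: {len(ports)} ports {ports}")
```

The window matters: with the default 60 seconds only the fast probe from 10.0.0.5 is reported, and the slow probe from 10.0.0.9 is only caught once the window is widened to a few hours. Real detections should also correlate accepted connections with what the service logged afterwards, since a scan that finds an open port is the precursor the slide warns about.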

Slide 13: Incident Management (cont'd)
- The analysis of a system to find evidence of attack activity is called system forensics
- Tools used to collect evidence include
  - Log file analyzers, disk search and scanning tools, network activity tracing tools
- When an incident occurs, a rule of thumb is to call law enforcement officials in immediately if you think there is any chance a violation of the law has occurred

Slide 14: Maintain Incident Preparedness
- An incident response team should be prepared for all viable incidents
- When forming an incident response team, take advantage of resources that provide additional information and guidance on how teams operate
- The incident response team should be trained to follow security policy procedures
- Each team member should know his/her own role and possibly other roles as well
- Establish a relationship with law enforcement officials who may be called in when incidents occur
- Users should know how to recognize common incidents and what to do if they notice one

Slide 15: Maintain Incident Preparedness (cont'd)
Table 7.1 Incident Response Team Resources

Resource | URL
Handbook for Computer Security Incident Response Teams | http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf
Computer Security Incident Response Team | http://www.cert.org/csirts
Responding to Intrusions | http://www.cert.org/security-improvement/modules/m06.html
Forming an Incident Response Team | http://www.auscert.org.au/render.html?it=2252&cid=1920
SANS IESEC Reading Room: Incident Handling | http://www.sans.org/rr/catindex.php?cat_id=27
FIRST: Forum of Incident Response and Security Teams | http://www.first.org/

Slide 16: Using Standard Incident Handling Procedures
- When an incident response team is mobilized, it should follow the written procedures from the security policy
- Each team member should fill out a standard incident report
- It is important to maintain a document trail throughout
- Make sure that your procedures will meet any requirements for law enforcement

Slide 17: Postmortem: Learn from Experience
- After an incident, complete any research or documentation and review the handling process
- The response team should meet as quickly as possible to debrief
- Review the incident and consider why and how it happened, whether it can happen again, and what changes might be good
- Review team performance and consider what went well, what did not, and what changes might be useful to make the team more effective
- Encourage all team members to research what other organizations have published on the topic of incident response

Slide 18: Malicious Code
- The best defense against malicious code is a good offense
  - Use shields such as virus scanners
  - Use an intrusion detection system (IDS)
- Be careful about executable files that are introduced into your system
  - Any data entry point into a system can be used to introduce malicious code, including floppy disks, data ports, networks, and removable storage devices
- Viruses can be detected using several techniques, including signature scans, changed size or time-date stamps, cryptographic hashes, and digital signatures
- ActiveX controls or Java native code executed in a browser are dangerous

Slide 19: Malicious Code (cont'd)
- Viruses
  - A program that embeds a copy of itself inside an executable file and attempts to perform unauthorized data access or modification
  - A virus needs host software in order to run
- Worms
  - A standalone program that tries to perform some type of unauthorized data access or modification
- Logic Bombs
  - Execute a sequence of instructions when a specific system event occurs
  - Usually hide themselves like a virus in system executables

Slide 20: About Malicious Code (cont'd)
- Trojan horses
  - Similar to a worm
  - Appear to have some useful or neutral purpose
  - Perform some malicious act when run
- Active Content Issues
  - The Internet is one of the most common entry points for malicious code
  - Downloadable plug-ins perform many useful functions but make it easy to send malicious code
  - Java sandbox model
  - ActiveX controls (digitally signed)
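Slide 18 lists four ways to detect that an executable has been tampered with: signature scans, changed size, changed time-date stamps, and cryptographic hashes. The following added example (not from the lecture or its textbook) implements a small file-integrity baseline that applies all four checks, and shows why the hash is the check that matters: a modification that preserves size and restores the timestamp still changes the SHA-256 digest. The file names, file contents and the byte pattern used as a "signature" are constructed for the example; the pattern is a placeholder, not a real malware signature.

```python
"""File-integrity baseline using size, mtime, SHA-256 and a signature scan
(added example). Everything below is constructed for illustration."""
import hashlib
import os
import tempfile

# Constructed placeholder pattern standing in for an antivirus signature.
CONSTRUCTED_SIGNATURE = b"EXAMPLE-MALICIOUS-MARKER"

# Constructed fixed timestamp so the demo is deterministic across file systems.
OLD_MTIME_NS = 1_600_000_000 * 10**9


def fingerprint(path):
    """Record the three per-file attributes the slide names: size, mtime, hash."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def build_baseline(paths):
    """Snapshot known-good files; store this somewhere the attacker cannot edit."""
    return {p: fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Compare the current file state against the baseline.
    Returns {path: [reasons]} listing every check that fired."""
    report = {}
    for path, ref in baseline.items():
        if not os.path.exists(path):
            report[path] = ["missing"]
            continue
        reasons = []
        cur = fingerprint(path)
        for key in ("size", "mtime_ns", "sha256"):
            if cur[key] != ref[key]:
                reasons.append(f"{key} changed")
        with open(path, "rb") as f:
            if CONSTRUCTED_SIGNATURE in f.read():
                reasons.append("signature match")
        if reasons:
            report[path] = reasons
    return report


def demo():
    """Constructed scenario: baseline two files, then tamper with both.
    tool_a gets a marker appended (size, mtime, hash and signature all fire).
    tool_b is patched in place with its size unchanged and its mtime restored,
    so only the hash catches it."""
    with tempfile.TemporaryDirectory() as d:
        a = os.path.join(d, "tool_a.bin")
        b = os.path.join(d, "tool_b.bin")
        with open(a, "wb") as f:
            f.write(b"\x7fELF" + b"A" * 100)
        with open(b, "wb") as f:
            f.write(b"\x7fELF" + b"B" * 100)
        for p in (a, b):
            os.utime(p, ns=(OLD_MTIME_NS, OLD_MTIME_NS))
        baseline = build_baseline([a, b])

        # Noisy tampering: append the constructed marker.
        with open(a, "ab") as f:
            f.write(CONSTRUCTED_SIGNATURE)
        # Stealthy tampering: overwrite 4 bytes, then put the timestamp back.
        with open(b, "r+b") as f:
            f.seek(10)
            f.write(b"ZZZZ")
        os.utime(b, ns=(OLD_MTIME_NS, OLD_MTIME_NS))

        report = check_baseline(baseline)
        return {os.path.basename(p): reasons for p, reasons in report.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

Size and timestamp comparisons are cheap and catch careless changes, but both can be preserved by an attacker, as the second file shows; the digest cannot be preserved without a hash collision, which is why integrity tools rest on the hash and keep the baseline itself off the monitored host.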
