Course Notes Flashcards
Switch
An OSI layer 2 device • Hardware bridging ASICs (very fast!) • Forwards traffic based on MAC address • The core of an enterprise network • High bandwidth - Many simultaneous packets
Router
An OSI layer 3 device • Routes traffic between IP subnets • Routers inside of switches are sometimes called “layer 3 switches” • Layer 2 = Switch, Layer 3 = Router • Often connects diverse network types - LAN, WAN, copper, fiber
Firewall
OSI layer 4 (TCP/UDP), some firewalls filter
through OSI layer 7
• Filters traffic by port number
• Can encrypt traffic into/out of the network
and between sites
• Can proxy traffic - A common security technique
• Most firewalls can be layer 3 devices (routers)
Load balancer
Distributes the load over many physical servers
• Very common in large environments
• Load balanced evenly across servers or
based on specific content types
Proxy
Sits between the users and the external network
• Receives the user requests and sends
the request on their behalf (the proxy)
• Applications may need to know how to
use the proxy (explicit)
• Some proxies are invisible (transparent)
All-in-one security appliance
Unified Threat Management (UTM) /
Web security gateway
• URL filter / Content inspection, malware
inspection, spam filter, CSU/DSU, router, switch,
firewall, IDS/IPS, bandwidth shaper, VPN endpoint
VPN concentrator
The connection point for remote users • Traffic is encrypted across the Internet and decrypted on the internal private network
Intrusion detection/prevention system
Protects against OS and application exploits • Detection • Alerts but does not stop the attack • Prevention • Blocks the attack
Protocol analyzer
- Captures network packets
- Decodes each part of the communication
- Sees all of the network conversation
Spam Filters
Stop unsolicited email at the gateway
• Whitelist
• Only receive email from trusted senders
• SMTP standards checking
• Block anything that doesn’t follow RFC standards
• rDNS - Reverse DNS
• Block email where the sender’s domain
doesn’t match the IP address
• Tarpitting
• Intentionally slow down the server conversation
• Recipient filtering
• Block all email not addressed to a valid
recipient email address
Web Application Firewall
• Applies rules to HTTP conversations • Allow or deny based on expected input • Protects against exploits like SQL injections and buffer overflows • Focus of Payment Card Industry Data Security Standard (PCI DSS)
Application-aware Security Devices
• Network-based Firewalls
• Control traffic flows based on the application
• Microsoft SQL Server, Twitter, YouTube
• Intrusion Prevention Systems
• Identify the application
• Apply application-specific vulnerability signatures
to the traffic
• Host-based firewalls
• Work with the OS to determine the application
Configuring firewall rules
• Allow or disallow traffic based on security tuples
• Source IP, Destination IP, port number,
time of day, application, etc.
• Evaluated top-to-bottom
• There’s an implicit deny at the bottom
VLANs
Logically separate your switch ports into subnets
• VLANs cannot communicate to each
other without a router
• Group users together by function
Secure router configuration
- Always change the default login / password
- Protect configuration file transfers
- TFTP - in the clear
- SCP - encrypted
- HTTPS - encrypted
Access Control Lists (ACLs)
• Permissions associated with an object
• Used in file systems, network devices,
operating systems, and more
Switch port security
- IEEE 802.1X
- Port-based Network Access Control (PNAC)
- Makes extensive use of EAP and RADIUS
- Extensible Authentication Protocol
- Remote Authentication Dial In User Service
- Disable your unused ports
- Enable duplicate MAC address checking / spoofing
Flood Guards
Commonly seen on intrusion prevention systems • DoS / DDoS • Denial of Service • SYN floods • Overload a server • Ping floods / ping scans • Overwhelm the network • Identify what’s out there • Port floods / port scans • Identify open ports on a device
Spanning Tree Protocol (STP)
- IEEE standard 802.1D
- Prevents loops in bridged (switched) networks
- Built into the switch configuration options
Network Separation
Separate switches, separate routers, no overlap
• Used in sensitive environments
• Logical separation
• Virtualization of the network infrastructure
Log Analysis
- Good for post-event analysis
- Can provide useful real-time analysis
- Automation and consolidation is the key
Remote Access
An important requirement
• We are increasingly mobile
• Take advantage of encryption technologies
• Keep everything private
• Consider adding additional authentication
technologies (One-time passwords)
• Constantly audit your access logs
Telephony
One of the newest digital technologies
• And one of the most difficult to secure
• Firewalls generally don’t like VoIP technologies
• You’ll need protocol-specific application gateways
• Don’t forget your legacy telephony!
• Long distance still costs money
Network Access Control
A complex technology • But powerful when well engineered • Very useful in large open environments • Universities and large enterprises • Requires a large security infrastructure • Authentication is critical • Redundancy is required
Virtualization
- Huge cost savings
- Security must catch up to the speed of change
- The control of physical objects is gone
- Difficult to apply external security components
- Requires additional insight
- Harder to view intra-server communication
- Take advantage of your logs
- They’ll tell you much more than you can see
Defense in Depth
Good security has many layers
• Firewall, DMZ, authentication, intrusion detection,
VPN access, anti-virus and anti-malware software
DMZ (Demilitarized Zone)
• A layer of security between your internal network
and the Internet
• Protects external-facing services
• Usually less trusted than the Internal network connection
VLAN Additional info
Logically separate your switch ports into subnets
• VLANs cannot communicate to each other without a router
• The router/firewall becomes the gatekeeper
• Control your organization’s traffic from within
• Group users together by function
• Be careful not to separate users too far from their resources
• Is often integrated with the NAC
• Move people automatically into their VLAN based on credentials
Platform as a Service (PaaS)
- No servers, no software, no maintenance team
- No hardware of any kind
- Someone else handles the platform, you handle the product
- You don’t have control of the data, people, or infrastructure
- SalesForce.com is an example of PaaS
Software as a service (SaaS)
- On-demand software, no local installation
- Used for common business functions such as payroll services
- Data and applications are centrally managed
- Gmail and Google Docs are examples of SaaS
Infrastructure as a service (IaaS)
• Sometimes called Hardware as a Service (HaaS)
• Equipment is outsourced
• You are still responsible for the overall device and application
management
• You’re also responsible for the security
• Your data is out there, but more within your control
• Web hosting and email services would be an example of IaaS
Cloud Deployment Models
- Private - A virtualized data center
- Public - Available to everyone over the Internet
- Hybrid - A mix of public and private
- Community - Several organizations share the same resources
Network Attached Storage (NAS)
Connect to a shared storage device
across the network
• File-level access
Storage Area Network (SAN)
Looks and feels like a
local storage device
• Block-level access
Fibre Channel over Ethernet (FCoE)
• Run Fibre Channel over Ethernet, not routable
Fibre Channel over IP (FCIP)
• Encapsulate Fibre Channel frames into IP
• iSCSI - Internet Small Computer Systems Interface
Send SCSI commands over an IP network
FTP
tcp 20, tcp 21
File Transfer Protocol
Sends and receives files between systems
SSH
tcp 22
Secure Shell
Encrypted console login
SCP
tcp 22
Secure Copy
Relatively simple file copy over SSH
SFTP
Secure File Transfer Protocol
SSH File Transfer with file management
Telnet
tcp 23
Telecommunication network
Remote console login to network devices
SMTP
tcp 25
Simple mail transfer protocol
Transfer email between mail servers
DNS
udp 53, tcp 53
Domain Name System
Convert domain names to IP addresses
TFTP
udp 69
Trivial File Transfer Protocol
A very simple file transfer protocol
HTTP
tcp 80
Hypertext Transfer Protocol
Web server communication
POP3
tcp 110
Post Office Protocol version 3
Receive mail into a mail client
NetBIOS Name service
udp 137
NetBIOS Name service
Register, remove, and find services by name
NetBIOS datagram service
udp 138
Connectionless data transfer
NetBIOS Session Service
tcp 139
Connection-oriented data transfer
IMAP4
tcp 143
Internet Message Access Protocol v4
A newer mail client protocol
SNMP
udp 161
Simple Network Management Protocol
Gather statistics and manage network devices
HTTPS
tcp 443
Hypertext Transfer Protocol Secure
Web server communication with encryption
TLS/SSL
tcp 443
Transport Layer Security/Secure Sockets Layer
Secure protocols for web browsing
FTPS
tcp 990, 989
File transfer protocol over secure sockets layer
Adds security to FTP with TLS/SSL
RDP
tcp 3389
Remote Desktop Protocol
Graphical display of remote device
ICMP
Internet control message protocol
Send management messages between devices
IPsec
Various
Internet Protocol Security
Authentication, integrity, confidentiality, and encryption
OSI Layer 1
Physical
Signaling, cabling, connectors
(cables, NICs, hubs)
OSI Layer 2
Data Link - The switching layer
Frames, MAC addresses, EUI-48, EUI-64, switches
OSI Layer 3
Network - The routing Layer
IP addresses, routers, packets
OSI Layer 4
Transport - post office layer
TCP segments, UDP datagrams
OSI Layer 5
Session - communication between devices (control protocols, tunneling protocols)
OSI Layer 6
Presentation - encoding and encryption
SSL/TLS
OSI Layer 7
Application - The layer we see
Google Mail, Twitter, Facebook
Please do not throw sausage pizza away
Physical, Data link, network, transport, session, presentation, application
EAP
EAP (Extensible Authentication Protocol)
• An authentication framework
• WPA and WPA2 use five EAP types as
authentication mechanisms
LEAP
Lightweight Extensible Authentication Protocol
• Cisco proprietary
• Uses passwords only
• No detailed certificate management
• Based on MS-CHAP
(including MS-CHAP security shortcomings)
PEAP
(Protected Extensible Authentication Protocol)
• Created by Cisco, Microsoft, and RSA Security
• Encapsulates EAP in a TLS tunnel
• Only one certificate needed, on the server
WEP
- 64-bit or 128-bit key size
- Cryptographic vulnerabilities found
- WEP is no longer used
WPA
- Short-term workaround after WEP
- Used the RC4 cipher with TKIP (Temporal Key Integrity Protocol)
- TKIP has its own vulnerabilities
WPA2
• Replaced TKIP with CCMP (Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol)
• Replaced RC4 with AES (Advanced Encryption Standard)
• WPA2 is the latest and most secure wireless encryption method
WPA2-Enterprise
- WPA2-Enterprise adds 802.1X
* RADIUS server authentication
Captive Portal
Authentication to a network
• Common on wireless networks
• Access table recognizes a lack of authentication
• Redirects web access to a captive portal page
• Username / password
• And additional authentication factors
• Once proper authentication is provided,
the web session continues
• Until the captive portal removes your access
Omnidirectional Antennas
- One of the most common
- Included on most access points
- Signal is evenly distributed on all sides
- Omni=all
- Good choice for most environments
- You need coverage in all directions
- No ability to focus the signal
- A different antenna will be required
Directional Antennas
- Focus the signal - Increased distances
- Send and receive in a single direction
- Focused transmission and listening
- Antenna performance is measured in dB
- Double power every 3dB of gain
- Yagi antenna - Very directional and high gain
- Parabolic antenna
- Focus the signal to a single point
MAC (Media Access Control) filtering
Access is controlled through the physical hardware address • It’s easy to find a working MAC address with wireless LAN analysis • MAC addresses can be spoofed • Security through obscurity
SSID (Service Set Identifier) Management
• The SSID is the name of the wireless network
• i.e., LINKSYS, DEFAULT, NETGEAR
• Change the SSID to something appropriate for its use
• The SSID broadcasts can be disabled
• You can still determine the SSID
through wireless network analysis
• Security through obscurity
TKIP - Temporal Key Integrity Protocol
Temporal Key Integrity Protocol
• Created when WEP was broken - we needed a stopgap
• Mixed the keys - Combines the secret root key with the IV
• Adds sequence counter - Prevents replay attacks
• 64-bit Message Integrity Check - Protects against tampering
• Used in WPA (Wi-Fi Protected Access)
prior to the creation of WPA2
CCMP
• Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol
• Replaced TKIP when WPA2 was published
• Based on AES and uses a 128-bit key and a 128-bit block size
• Requires additional computing resources
• Data confidentiality - Only authorized parties can access info
• Authentication - Provides proof of genuineness of the user
• Access control - Allow or disallow access to the network
Site Surveys
Sample the existing wireless spectrum
• Identify existing access points
• Work around existing frequencies, plan for interference
• Plan for ongoing site surveys - things will certainly change
VPN over Wireless Networks
Wireless from your local coffee shop - no encryption
• Everyone around the coffee shop can see your traffic
• Exceptionally easy to capture your data
• Some of your data might be encrypted with HTTPS. Maybe.
• Protect all of your traffic with a VPN tunnel
Control types
Technical security controls, Management security controls, Operational security controls
Technical security controls
Access control, audit and accountability,
identification and authentication,
system and communications protection
Management security controls
Security assessment and authorization, planning,
risk assessment, system and services acquisition,
program management
Operational security controls
Awareness and training, configuration management,
contingency planning, incident response, maintenance,
media protection, physical and environmental
protection, personnel security, system and
information integrity
False Positives
A report that isn’t true - a false alarm or mistaken identity
• IDS/IPS information - only as good as the signatures
• Workstation anti-virus - False positives can remove legit files
• Consider a second opinion - http://www.VirusTotal.com
False Negatives
A report missed identifying something - no notification
• Malicious traffic got through your defenses
• It’s difficult to know when this happens - It’s completely silent
• Get catch/miss rates with industry tests - IPS, anti-virus
Security policies
A set of policies that covers many areas of security • Human resource policies • Business policies • Certificate policies • Incident-response policies
Risk Calculation
• Annualized Rate of Occurrence (ARO)
• How likely is it that a hurricane will hit?
In Montana? In Florida?
• SLE (Single Loss Expectancy)
• What is the monetary loss if a single event occurs?
• Laptop stolen = $1,000
• ALE (Annual Loss Expectancy)
• ARO x SLE
• 7 laptops stolen a year (ARO) x $1,000 (SLE) = $7,000
• The business impact can be more than monetary
• Quantitative vs. qualitative
Quantitative Risk Assessment
- Assign a dollar value to risk
- Single Loss Expectancy (SLE) - How much loss for one event?
- Annual Loss Expectancy
- SLE x Annual Rate of Occurrence (ARO)
- Often difficult to calculate without historical reference
- How risky is a buffalo stampede?
Qualitative Risk Assessment
• Identify significant risk factors
• Ask opinions about the significance
• Display visually with traffic light grid
or similar method
Threat Assessment
- Where are we vulnerable to threats?
- OS, applications, 3rd-party connections, Internet
- Constant vigilance
- New threats discovered all the time
- Old threats become popular again
Vulnerability Assessment
Actively scan a network in search of vulnerabilities • Known vulnerabilities • Automated process • For unknown vulnerabilities, consider input validation/fuzzing • Can identify obvious and not-so-obvious vulnerabilities • Lack of application/OS patches • No anti-virus/anti-spyware • Weak passwords
Vulnerabilities
• A flaw or weakness
• A door with a broken lock
• An operating system library that
grants administrative access
• This doesn’t mean your system has been breached
• Someone first has to know about the vulnerability
• Vulnerabilities were there, but previously unknown
• This is why we patch
• New vulnerabilities are identified all the time
Threat Vectors
The path that the threat takes to the target • Target: Your computer, mobile device, gaming system • Email: Embedded links, attached files • Web browser: Fake site, session hijack • Wireless hotspot: Rogue access point • Telephone: Social engineering • USB flash drive: Auto-executing malware • And many more…
Threat Probability
• Identify actual and potential threats
• Regardless of the probability
• Identify as many vulnerabilities as possible
• Check your OS, your services, and your applications
• Nobody said this would be easy
• Now you can calculate the likelihood
of a successful exploit
• There’s no official formula here
• Different organizations will have different priorities
Deflecting Risk
Risk avoidance, risk transference, risk acceptance, risk mitigation, risk deterrence.
Risk avoidance
Stop participating in high-risk activity
Risk transference
Buy some insurance
Risk acceptance
A business decision; we’ll take the risk!
Risk mitigation
Decrease the risk level
Risk deterrence
Big dogs, security fences, warning signs
Risks with Cloud Computing
Control of data • Data in the cloud can potentially be accessed by anyone • Security is managed elsewhere • Your control mechanisms are in the hands of others • Server unavailability / Account lockout • Cloud computing doesn’t guarantee availability
Risks associated with virtualization
- Compromising the virtualization layer puts all systems at risk
- There is little control over VM to VM communication
- Support for “virtual firewalls” is an emerging technology
- Single physical host contains VMs that have different security profiles
- Physical separation is no longer possible
- There is potential for loss of separation of duties
- System admin controls many servers on a single piece of hardware
Recovery Time Objectives
Mean time to restore (MTTR), Mean time to repair (MTTR), Mean time to failure (MTTF), Mean time between failures (MTBF), Recovery time objective (RTO), Recovery point objective (RPO)
MTTR
Mean time to restore (MTTR)
• Mean time to repair
MTTF
Mean time to failure (MTTF)
• The expected lifetime of a product or system
MTBF
- Mean time between failures (MTBF)
* Predict the time between failures
RTO
Recovery time objectives (RTO)
• Get up and running quickly
• Get back to a particular service level
RPO
- Recovery point objectives (RPO)
- How much data loss is acceptable?
- Bring the system back online; how far back does data go?
On-boarding
• Bring a new partner into the organization • This is more particular than hiring new staff • Many agreements will be in place • Legalities associated with business and security matters • Implement technical functions • Secure connections between partners • Usually as an IPsec tunnel or physical segmentation • Establish an authentication method • Provide access to shared resources • Audit all security controls • Properly share (and separate) data
Off-boarding
This process should be pre-planned • You don’t want to decide how to do things at this point • How will the systems be dissolved? • What happens to the data? • When will the final connections be terminated?
Social Media and Third-Party Concerns
Management of data
• Social media data includes privacy concerns
• Some of the data is extremely valuable
• Your social media reputation
• Someone else is tweeting for you
• The tone is as important as the message
• Account control is important
• Social media accounts are shared by a large group
• A mistake on one phone can be seen by many
Interoperability Agreements
Memorandum of Understanding (MOU), Service Level Agreement (SLA), Business Partners Agreement (BPA), Interconnection Security Agreement (ISA)
MOU
Memorandum of Understanding
• Informal letter of intent; not a signed contract
• Usually includes statements of confidentiality
SLA
- Service Level Agreement (SLA)
- Minimum terms for services provided
- Uptime, response time agreement, etc
BPA
Business Partners Agreement (BPA)
• Commonly seen between manufacturers and resellers
ISA
Interconnection Security Agreement (ISA)
• Used by US Federal Government to define security controls
Privacy Considerations
Privacy of the individual
• Both personal and professional
• Legally mandated privacy laws in many European countries
• An employer can’t track your personal computer use
• Customer data often contains an aspect of privacy
• Even benign data can be combined to violate privacy
• Third-party agreements must consider privacy
• The rules should be in place from the beginning
Data Ownership
Data is everything
• The most important asset in an organization
• Without the data, there’s no company
• The owner of the data has a responsibility
• Protection, privacy
• Technical / Logical controls
• Physical controls
• Who owns the data if the third-party agreement ends?
Risk Awareness with Third-Parties
Combine two systems • Hopefully get a seamless technical integration • Security must be designed into the project • Usually designed by teams from both organizations • Everyone must be aware of the risks • Security policies must be examined for additional risks • Resources, business requirements, and risk must be balanced • Agreements must be in place • For example: Who does backups? Who gets access to the backups? How are the backups stored?
Data Ownership
Who owns the data? • There’s more than one participant • Is there more than one owner? • What part of the data is owned by which partner? • Data ownership agreements can avoid some of the messy details • Where is the data stored? • Who owns the data when the relationship is over? • How is data destroyed?
Third-party Data Sharing
• Data shared between partners • Network connections may exist • Proper controls may not be in place • Data shared with others • Agreements are usually in place with the data owners • Data is sometimes shared with others without permission
Data Backups with Third-Parties
- Backups are often overlooked
- They contain everything
- Data backups are often kept off-site
- Yet-another third-party
- Losing data from a backup is a very bad thing
- Seems to happen more often than you might think
- Not all backups are the same
- Financial data, health care data, top secret data, etc.
Security Policy Considerations with Third-parties
The security policy is the weakest link
• A badly implemented security policy puts data at risk
• Protect information between vendors, partners, and
customers
• Avoid data modification, disclosure, damage, or destruction
• Most of this language is contractual
• Everybody understands their responsibilities
• Security policies are constantly updated
• The threat landscape is constantly changing
Third-Party Security Compliance
Third-party relationships add to the need for security
compliance
• Shared resources require additional oversight
• Compliance can be technically challenging
• Cloud-based services add additional complexity
• Some compliance requirements are legally mandated
• HIPAA - Health Insurance Portability and Accountability Act
• PCI DSS - Payment Card Industry Data Security Standard
• FISMA - Federal Information Security Management Act
• Perform a gap analysis
• Determine all gaps in security
• Resolve the issues
• Some issues can’t be easily resolved
• A decision must be made regarding cost vs. benefit
• Perform periodic audits
• These audits may be involved and far-reaching
• More coordination required with the third-party
Change Management
• Upgrade software, change firewall configuration,
modify switch ports
• Occurs very frequently
• The change management process is often
overlooked or ignored
• Clear policies are needed
• Frequency, duration, installation process, fallback procedures
Incident Management
- Series of events that negatively affects the organization
- Database hack, stolen laptop, water pipe burst
- Who will be contacted when an incident occurs?
- Who’s responsible for managing the incident response?
- Technical steps for handling systems and preserving evidence
- What goes on the report?
User Rights and Permissions
• Management sets the limits • Security team administers the limits • You must translate management requirements into technical access • Periodic audits are useful
Auditing
- Does everyone have the correct permissions?
- How are your resources used?
- Are your systems and applications secure?
- Are your disaster recovery plans going to work?
- Can you contact the right people at the right time?
- Document everything
Capturing system images
Copy the contents of a disk • Bit-for-bit, byte-for-byte • Software imaging tools • Use a bootable device • Remove the physical drive • Use a hardware write-blocker • Get the backup tapes • These may already be available
Preventing data loss or theft
- Involves process and procedure
- Some of the most difficult data policies to implement
- It’s very easy to carry large amounts of data around
- There are both internal and external threats
- You have to protect everywhere
- This is a bigger threat every day
Data Loss Prevention Systems
- On your computer - Data in use
- On your network - Data in motion
- On your server - Data at rest
Network traffic and logs
Traffic logs • Firewalls log a lot of information • Switches and routers don’t usually log user-level information • Intrusion Detection/Prevention Systems • Raw network traffic data • Rebuild images, email messages, browser sessions, file transfers
Capture video
• A moving record of the event • Gathers information external to the computer and network • Captures the status of the screen and other volatile information • Don’t forget security cameras • The video content must also be archived
Time Offsets
• Windows: 64-bit time stamp
• Number of 100-nanosecond intervals since
January 1, 1601 00:00:00 GMT
• This stops working in 58,000 years
• Unix: 32-bit time stamp
• Number of seconds since January 1, 1970 00:00:00 GMT
• This stops working on Tuesday, January 19, 2038 at
3:14:07 GMT
• Different file systems store timestamps differently
• FAT: Time is stored in local time
• NTFS: Time is stored in GMT
• Record the time offset from the operating system
• The Windows Registry
• Many different values (daylight saving time,
time change information, etc.)
Taking Hashes
MD5 (Message Digest 5), CRC (Cyclic Redundancy Check)
MD5
Hashing algorithm
128 bits, displayed as hexadecimal
CRC
Hashing algorithm
32 bits, displayed as hexadecimal
Screenshots
- Capture the state of the screen
- Difficult to reproduce, even with a disk image
- External capture
- Use digital camera
- Internal capture
- PrintScreen key
- Third-party utility
Witnesses
Who might have seen this?
• Interview and document
• Not all witness statements are 100% accurate
• Humans are fallible
Tracking man hours and expense
- Some incidents can use massive resources
- May have an impact on the bottom line
- May be required for restitution
- Be as accurate as possible
Chain of custody
Controlling and managing the evidence to maintain integrity • Document everyone who contacts the evidence • Use hashes with digital evidence • Label and catalog everything • Seal, sign, and store
Big Data Analysis
- Large amounts of data, stored without structure
- Incidents can create an enormous amount of data
- Diverse log formats and data types
- Collecting the data is only the first part
- You must also be able to view it
- Query the data
- A structured language that applies to large scale data
- Visualization tools can display the data in unique ways
- Graphs
- Statistical analysis
- Tag clouds
Preparing for an Incident
• Communication methods - phones and contact info
• Incident handling hardware and software
• Laptops, removable media,
forensic software, digital cameras
• Incident analysis resources
• Documentation, network diagrams, baselines,
critical file hash values
• Incident mitigation software
• Clean OS and application images
• Policies needed for incident handling
• Everyone knows what to do
Preventing an Incident
Risk assessments
• Periodic analysis, prioritization of risk, disposition of risk
• Host security
• Harden the operating system, patches, and
ongoing monitoring
• Network security
• Firewalls, VPNs, intrusion prevention systems
• Malware prevention
• Hosts, email and file servers, application clients
• User awareness and training
• Keep your users updated with the
latest security techniques
Incident Precursors
Web server log - Vulnerability scanner in use
• Exploit announcement
• Monthly Microsoft patch release, Adobe Flash update
• Direct threats - A hacking group doesn’t like you
Incident Indicators
An attack is underway or an exploit is successful
• Buffer overflow attempt
• Identified by an intrusion detection/prevention system
• Anti-virus software identifies malware
• Deletes from OS and notifies administrator
• Host-based monitor detects a configuration change
• Constantly monitors system files
• Network traffic flows deviate from the norm
• Requires constant monitoring
Incident Notification
• Corporate / Organization • CIO / Head of Information Security / Internal Response Teams • Internal non-IT • Human resources, public affairs, legal department • External contacts • System owner, law enforcement • US-CERT (for U.S. Government agencies)
Event Notification
Notification is ongoing during an event
• Status updates, wide-scale notifications
• Consider in-band and out-of-band methods
• Email, Web (intranet, external, etc.), Telephone calls,
In-person updates, Voice mail recordings,
Paper flyers, notices
Criteria for Mitigation Strategies
- Potential damage and theft - prevent the destruction
- Preserve the evidence
- Gather as many details as possible
- Maintain service availability
- The organization must continue
- Implementation resources and time
- Every task requires resources
- Effectiveness - amount of containment
- Duration of the mitigation - Let’s get this over quickly
Isolation and Containment
Generally a bad idea to let things run their course
• An incident can spread quickly
• Sandboxes
• The attacker thinks they’re on a real system,
but they’re not
• Isolation can sometimes be problematic
• Malware or infections can monitor connectivity
• When connectivity is lost, everything is
deleted/encrypted/damaged
Lessons Learned from Incidents
What happened, exactly?
• Timestamp of the events
• How did your incident plans work?
• Did the process operate successfully?
• What would you do differently next time?
• Retrospective views provide context
• Which indicators would you watch next time?
• Different precursors may give you better alerts
Incident Reporting
A lot of information is created during an incident
• Information should be objective and factual
• Logbook - a pencil and paper is remarkable technology
• Digital camera - a snapshot or movie of a device
• Audio recorder - easier to say it and transcribe later
• Laptop - capture terminal sessions and digital evidence
Tracking Issues
- Incident status
- Summary information
- Relationship between incidents
- Actions taken by all parties
- Chain of custody information
- Contact information
- Comments from incident handlers
- Next steps to be taken
Incident Recovery
Eradicate the bug
• Remove malware, disable breached user accounts,
fix vulnerabilities
• Recover the system
• Restore from backups, rebuild from scratch, replace
compromised files, tighten down the perimeter
Reconstitution
- A phased approach - it’s difficult to fix everything at once
- Recovery may take months
- Large-scale incidents require a large amount of work
- The plan should be efficient
- Start with quick, high-value security changes
- Patches, firewall policy changes
- Later phases involve much “heavier lifting”
- Infrastructure changes, large-scale security rollouts
First Responders
Very specific tasks for the first person on the scene
• Objective is to contain the damage
• Don’t disturb the environment
• Get the right people in place before poking around
• Follow the escalation policy
Handling a Data Breach
Try to determine the attacker
• Useful for law enforcement and to stop future breaches
• Security must be analyzed and secured
• Change passwords, update firewalls
• Even across systems that may not appear to be breached
• Notify all affected people - customers, partners, employees
• Personally Identifiable Information (PII) may require
additional notifications
• Credit monitoring requirements
Damage and Loss Control
Prevent the spread of damage
• Needs to be part of the incident response policy
• Virus infection may be handled differently than a DoS attack
• Device removal - pull a device from the network
• Disconnect the Internet
• Every case is a bit different
• What’s attacked or damaged?
• Can you gather additional details if you leave it in place?
Security policy training and procedures
- All of your policy information is on the Intranet
- Provide in-person mandatory training sessions
- Train people on general security best practices
- Define a company policy for visitors GUI configuration
Personally identifiable information (PII)
- Part of your privacy policy
- Not everyone realizes the importance of this data
- It should become a normal part of security management
Information classification examples
Unclassified (public) - no restrictions on viewing the data
• Classified (private / restricted / internal use only)
• Confidential (low) - highly sensitive,
must be approved to view
• Secret (medium) - viewing is severely restricted
• Top-Secret (high) - highest level of classification
Data labeling, handling and disposal
Data is usually saved for a very long time
• Document and label everything
• Some backups must be legally preserved
• Trash and recycling can be a security concern
Compliance, best practices and standards
• Non-compliance has serious repercussions
• Sarbanes-Oxley Act (SOX) - The Public Company
Accounting Reform and Investor Protection Act of 2002
• The Health Insurance Portability and
Accountability Act (HIPAA)
• Extensive standards for storage, use, and
transmission of health care information
• The Gramm-Leach-Bliley Act of 1999 (GLBA)
• Disclosure of privacy information from
financial institutions
User habits
Promote good password behaviors
• Document data handling processes
• Define clean desk policies
• Personally owned devices can be a challenge
• Tailgating can allow unauthorized people
to enter the building
Threat Awareness
• New viruses - thousands every week • Phishing attacks • Spyware • Learns personal info, captures keystrokes and browsing information • Zero-day exploits • Quick reaction is the only defense