Information Networking Security and Assurance Lab, National Chung Cheng University. Security Assurance in Design, Implementation and Operation. Bo Cheng.

Security Assurance in Design, Implementation and Operation (Bo Cheng)
Source: NIST Special Pub, An Introduction to Computer Security: The NIST Handbook

Security Assurance: The Concept
Assurance is the degree of confidence one has that the security measures, both technical and operational, work as intended to protect the system and the information it processes.
It is not a true measure of how secure the system actually is: it is extremely difficult, and in many cases virtually impossible, to know exactly how secure a system is.

Accreditation
Accreditation is a management official's formal acceptance of the adequacy of a system's security.
- A process used primarily within the federal government.
- A form of quality control: it forces managers and technical staff to work together to find workable, cost-effective solutions given security needs, technical constraints, operational constraints, and mission or business requirements.

When to Do Accreditation
A computer system should be accredited before it becomes operational, with periodic re-accreditation after major system changes or when significant time has elapsed. Even if a system was not initially accredited, the accreditation process can be initiated at any time.

Who and What
Who needs to be assured?
- The management official who is ultimately responsible for the security of the system.
What types of assurance can be obtained?
- Design assurance
- Implementation assurance
- Operational assurance

Design and Implementation Assurance
Addresses the quality of security features built into systems:
- Whether the features of a system, application, or component meet security requirements and specifications.
- Whether they are well designed and well built.
Examines system design, development, and installation. Associated with:
- The development/acquisition and implementation phases of the system life cycle.
- The whole life cycle, as the system is modified.

Testing and Certification
Testing can address the quality of the system as built, as implemented, or as operated.
- Two common testing techniques: functional testing (to see if a given function works according to its requirements) and penetration testing (to see if security can be bypassed).
- Tests range from trying several test cases to in-depth studies using metrics, automated tools, or multiple detailed test cases.
Certification is a formal process for testing components or systems against a specified set of security requirements.
- Normally performed by an independent reviewer.

Operational Assurance
Addresses:
- Whether the system's technical features are being bypassed or have vulnerabilities.
- Whether required procedures are being followed.
Two basic methods to maintain operational assurance:
- A system audit: a one-time or periodic event to evaluate security. It may examine an entire system for the purpose of reaccreditation, or investigate a single anomalous event.
- Monitoring: an ongoing activity that checks on the system, its users, or the environment.

The Auditing Process
Less formal audits are often called security reviews. Audits can be self-administered or independent (either internal or external).
Two types of automated tools are used to help find a variety of threats and vulnerabilities:
- Active tools: find vulnerabilities by trying to exploit them.
- Passive tools: only examine the system and infer the existence of problems from its state.
Not taking advantage of these tools puts system administrators at a disadvantage.

The Monitoring Process
Review of system logs.
Automated tools:
- Virus scanners: check for virus infections.
- Checksumming: presumes that program files should not change between updates.
- Password crackers: check passwords against a dictionary (either a "regular" dictionary or a specialized one with easy-to-guess passwords) and also check whether passwords are common permutations of the user ID.
- Integrity verification programs: can be used by applications to look for evidence of data tampering, errors, and omissions.
- Intrusion detectors: analyze the system audit trail, especially log-ons, connections, operating system calls, and various command parameters, for activity that could represent unauthorized activity.
- System performance monitoring: analyzes system performance logs in real time to look for availability problems, including active attacks (such as the 1988 Internet worm) and system and network slowdowns and crashes.

Incident Response (Bo Cheng)
Sources: Special Pub, Computer Security Incident Handling Guide; Incident Response and Computer Forensics, Second Edition, Chris Prosise, Kevin Mandia, Matt Pepe, McGraw-Hill, paperback, 2nd edition, published July 2003, 507 pages.

Incident Handling (Incident Response)
Incident: a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
Incident handling: the mitigation of violations of security policies and recommended practices. It has become an important component of information technology (IT) programs.
An incident response capability covers:
- Detecting incidents,
- Minimizing loss and destruction,
- Mitigating the weaknesses that were exploited, and
- Restoring computing services.

Seven Components of Incident Response
(The incident occurs either at a point in time or as an ongoing event.)
1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident: data collection, data analysis
6. Reporting
7. Resolution: recovery, implement security measures

Pre-incident Preparation (1/2)
Preparing the organization:
- Implement host-based security measures.
- Implement network-based security measures.
- Train end users.
- Employ an intrusion detection system (IDS).
- Create strong access control.
- Perform timely vulnerability assessments.
- Ensure backups are performed on a regular basis.

Pre-incident Preparation (2/2)
Preparing the CSIRT:
- The hardware needed to investigate computer security incidents.
- The software needed to investigate computer security incidents.
- The documentation needed to investigate computer security incidents.
- The appropriate policies and operating procedures to implement your response strategies.
- The training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation.

Detection of Incidents (1/2)
Reporting channels into Company X's incident response: IDS, end users, help desk, system administrators, security, human resources, and functional areas.
Indicators:
- IDS detection of a remote attack
- Numerous failed logon attempts
- Logins into dormant or default accounts
- Activity during nonworking hours
- Unfamiliar files or executable programs
- Altered pages on a web server
- Gaps in log files or erasure of log files
- Slower system performance
- System crash
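Four of the indicators above (numerous failed logons, logins into dormant or default accounts, activity during nonworking hours, gaps in log files) can be checked mechanically from an authentication log. This added example, not part of the slides, runs those four checks over constructed log lines; the line format, the account list, the work-hours window and the thresholds are all assumptions chosen for the demo.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO timestamp, event, user=, src=).
# 2004-04-12 is a Monday; the last line falls at 02:17 the next day.
SAMPLE_LOG = """\
2004-04-12T09:02:11 LOGIN_OK user=alice src=10.1.1.20
2004-04-12T09:05:40 LOGIN_FAIL user=admin src=203.0.113.9
2004-04-12T09:05:41 LOGIN_FAIL user=admin src=203.0.113.9
2004-04-12T09:05:42 LOGIN_FAIL user=admin src=203.0.113.9
2004-04-12T09:05:43 LOGIN_FAIL user=admin src=203.0.113.9
2004-04-12T09:05:44 LOGIN_FAIL user=admin src=203.0.113.9
2004-04-12T09:05:45 LOGIN_OK user=admin src=203.0.113.9
2004-04-12T11:30:00 LOGIN_OK user=bob src=10.1.1.21
2004-04-13T02:17:05 LOGIN_OK user=guest src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")
DORMANT_OR_DEFAULT = {"guest", "test", "admin"}   # assumed watch list
FAIL_THRESHOLD = 5                                # failures per (source, user)
WORK_HOURS = (8, 18)                              # 08:00-18:00, Monday-Friday
MAX_SILENCE = timedelta(hours=6)                  # longer silence: gap or erased log


def parse(log: str) -> list:
    """Return (timestamp, kind, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, kind, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), kind, user, src))
    return events


def detect(log: str) -> list:
    """Return (indicator, detail) pairs for each indicator present in the log."""
    events = parse(log)
    findings = []
    fails = Counter((src, user) for _, kind, user, src in events if kind == "LOGIN_FAIL")
    for (src, user), n in fails.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("failed_logons", f"{n} failures for {user} from {src}"))
    for ts, kind, user, src in events:
        if kind != "LOGIN_OK":
            continue
        if user in DORMANT_OR_DEFAULT:
            findings.append(("dormant_or_default_account", f"{user} from {src}"))
        off_hours = ts.weekday() >= 5 or not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1])
        if off_hours:
            findings.append(("nonworking_hours", f"{user} at {ts.isoformat()}"))
    # A silent stretch is only a hint: quiet nights are normal on some hosts,
    # so the analyst compares it with what the host usually logs overnight.
    for prev, cur in zip(events, events[1:]):
        if cur[0] - prev[0] > MAX_SILENCE:
            findings.append(("log_gap", f"no events between {prev[0]} and {cur[0]}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in detect(SAMPLE_LOG):
        print(f"{indicator:28} {detail}")
```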

Detection of Incidents (2/2)
Some of the critical details to record include the following:
- Current time and date
- Who/what reported the incident
- Nature of the incident
- When the incident occurred
- Hardware/software involved
- Points of contact for involved personnel

Initial Response
One of the first steps of any investigation is to obtain enough information to determine an appropriate response:
- Assembling the CSIRT
- Collecting network-based and other data
- Determining the type of incident that has occurred
- Assessing the impact of the incident
The initial response will not involve touching the affected system(s).

Formulate Response Strategy (1/3)
Considering the totality of circumstances:
- How many resources are needed to investigate the incident?
- How critical are the affected systems?
- How sensitive is the compromised or stolen information?
- Who are the potential perpetrators?
- What is the apparent skill of the attacker?
- How much system and user downtime is involved?
- What is the overall dollar loss?

Formulate Response Strategy (2/3)
Considering appropriate responses (the example row from the slide's table):
- Incident: DoS attack
- Example: TFN DDoS attack
- Response strategy: reconfigure the router to minimize the effect of the flooding.
- Likely outcome: the effect of the attack is mitigated by router countermeasures; establishing the perpetrator's identity may require too many resources to be a worthwhile investment.

Formulate Response Strategy (3/3)
Each response strategy option should be quantified with pros and cons related to the following:
- Estimated dollar loss.
- Network downtime and its impact on operations.
- User downtime and its impact on operations.
- Whether or not your organization is legally compelled to take certain actions.
- Public disclosure of the incident and its impact on the organization's reputation/business.
Taking action:
- Legal action
- Administrative action

Investigate the Incident
The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident. A computer security investigation can be divided into two phases:
- Data collection
- Forensic analysis

Possible Investigation Phase Steps
Data collection:
- Network-based evidence: obtain IDS logs; obtain existing router logs; obtain relevant firewall logs; obtain remote logs from a centralized host (syslog); perform network monitoring; obtain backups.
- Host-based evidence: obtain the volatile data during a live response; obtain the system time; obtain the time/date stamps for every file on the victim system; obtain all relevant files that confirm or dispel the allegation; obtain backups.
- Other evidence: obtain oral testimony from witnesses.
Analysis:
1. Review the volatile data: review the network connections; identify any rogue processes (backdoors, sniffers).
2. Analyze the relevant time/date stamps: identify files uploaded to the system by an attacker; identify files downloaded or taken from the system.
3. Review the log files.
4. Identify unauthorized user accounts.
5. Look for unusual or hidden files.
6. Examine jobs run by the scheduler service.
7. Review the registry.
8. Perform keyword searches.

Performing Forensic Analysis
The slide groups the steps into preparation of data and analysis of data:
- Perform forensic duplication
- Create a working copy of all evidence media
- Create file lists
- Perform statistical data (partition table, file system)
- Extract e-mail and attachments
- Recover deleted data
- Perform file signature analysis
- Recover unallocated space
- Identify known system files
- Review browser history files
- Review data collected during live response
- Search for relevant strings
- Perform software analysis
- Review all the network-based evidence
- Identify and decrypt encrypted files
- Perform file-by-file review
- Review installed applications
- Perform specialized analysis
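Two of the preparation steps above, file signature analysis and identifying known system files, reduce the file list before file-by-file review begins. This added example (not from the slides or the book) compares each file's leading bytes with what its extension claims, and marks files whose SHA-256 digest is in a known-system-file set so they can be set aside. The signature table is a small assumed subset, and all file contents and the "known" hash set are constructed.

```python
import hashlib
import os

# Assumed subset of common file signatures (magic numbers), enough for the demo.
SIGNATURES = {
    b"\x7fELF": "elf",
    b"MZ": "pe",
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
}
# What each extension claims to be; None means no signature is expected (plain text).
EXT_TO_TYPE = {".pdf": "pdf", ".png": "png", ".zip": "zip", ".jpg": "jpeg",
               ".jpeg": "jpeg", ".exe": "pe", ".dll": "pe", ".so": "elf", ".txt": None}


def identify(data: bytes) -> str:
    """Type implied by the leading bytes, or 'unknown' if no signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def analyze(files: dict, known_hashes: set) -> list:
    """files maps name -> content bytes (the file list taken from the working copy);
    known_hashes is a set of SHA-256 digests of known system files."""
    results = []
    for name, data in sorted(files.items()):
        actual = identify(data)
        claimed = EXT_TO_TYPE.get(os.path.splitext(name)[1].lower())
        digest = hashlib.sha256(data).hexdigest()
        results.append({
            "name": name,
            "type": actual,
            # Mismatch only when the extension claims a signed type the bytes contradict.
            "mismatch": claimed is not None and actual != claimed,
            "known_system_file": digest in known_hashes,
        })
    return results


def demo() -> list:
    """Constructed evidence set; no real files or real hash sets are involved."""
    ls_image = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"constructed ls image"
    known = {hashlib.sha256(ls_image).hexdigest()}      # stand-in for a known-good set
    files = {
        "bin/ls": ls_image,                                   # matches the known set
        "docs/invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,     # PE header under a .pdf name
        "pics/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # genuine JPEG header
        "notes/readme.txt": b"plain text, no signature",
        "tmp/backup.zip": b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"different image",
    }
    return analyze(files, known)


if __name__ == "__main__":
    for r in demo():
        flags = [k for k in ("mismatch", "known_system_file") if r[k]]
        print(f"{r['name']:18} {r['type']:8} {' '.join(flags)}")
```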

Reporting
Some guidelines to ensure that the reporting phase does not become your CSIRT's nemesis:
- Document immediately
- Write concisely and clearly
- Use a standard format
- Use editors

Incident Response Organizations
- AusCERT: Australian Computer Emergency Response Team
- CCIPS: Computer Crime and Intellectual Property Section, U.S. Department of Justice
- CERT/CC: CERT Coordination Center, Carnegie Mellon University
- CERT/CC Incident Reporting System
- CIAC: Computer Incident Advisory Capability, U.S. Department of Energy
- DOD-CERT: U.S. Department of Defense Computer Emergency Response Team
- FedCIRC: Federal Computer Incident Response Center
- FedCIRC Incident Reporting System
- FIRST: Forum of Incident Response and Security Teams
- HTCIA: High Technology Crime Investigation Association
- IAIP: Information Analysis Infrastructure Protection, U.S. Department of Homeland Security
- IAIP Incident Report Form
- IETF Extended Incident Handling (inch) Working Group
- InfraGard
- ISC: Internet Storm Center
- US-CERT: United States Computer Emergency Response Team

Incident Response-Related Mailing Lists
- Bugtraq
- DShield
- Focus-IDS
- Forensics
- Incidents
- Intrusions: http://cert.uni-stuttgart.de/archive/intrusions
- LogAnalysis: http://airsnarf.shmoo.com/pipermail/loganalysis

Technical Resource Sites
- (... Assurance and Security) Intrusion Detection Pages
- CHIHT (Clearing House for Incident Handling Tools)
- CSIRT Development, CERT/CC
- CSRC: Computer Security Resource Center, NIST: http://csrc.nist.gov
- DShield (Distributed Intrusion Detection System)
- Incident Handling Links and Documents
- Intrusion Detection FAQ, SANS Institute
- Intrusion Detection Links and Documents
- Loganalysis.org
- NIJ (National Institute of Justice) Electronic Crime Program
- NIST Internet Time Service
- SANS Institute Reading Room
- SecurityFocus
- The Electronic Evidence Information Center

Vulnerability and Exploit Information Resources
- CERT/CC Advisories
- CERT/CC Incident Notes
- CERT/CC Vulnerability Notes Database
- CIAC Bulletins and Advisories
- Common Vulnerabilities and Exposures (CVE)
- ICAT Vulnerability Metabase
- Information Analysis Infrastructure Protection (IAIP)
- Packet Storm
- SANS/FBI Top 20 List
- SecurityFocus Vulnerabilities Database

Training Resources
- CERT/CC: incident response
- Computer Forensic Services: computer forensics (forensic.com/training.html)
- Foundstone: incident response, computer forensics
- MIS Training Institute (MISTI): incident response, intrusion detection, computer forensics
- SANS Institute: incident response, intrusion detection, computer forensics