Incident Handling (slides, (c) 2003 Carnegie Mellon University)

Slide 2: Intruder Technology
Intruders use currently available technology to develop new technology.

Slide 3: Code Red
An automated worm with a variety of malicious behavior
– CR1 was built from a single-site DoS tool and a previous worm
– At least 7 versions exist that differ in target selection and payload
– All exploit the same buffer overflow in Microsoft IIS (the Index Server .ida ISAPI extension); IIS was installed by default on Windows 2000 Server and shipped as an optional component with Windows 2000 Professional and Windows XP Professional, so many hosts were running it without their owners knowing
– CR2 has a different payload and an improved propagation algorithm
– CR2 was almost certainly created by a different author than CR1, based on the original worm
(New versions are appearing)

Slide 4: Professional Threats
The new threat is not just simple hacking.
Sociology of today's threat vs. "hackers":
– Morale
– Organization
– Vigilance vs. assumed invulnerability
Motivation of today's threat:
– Accountability vs. anarchy
– Delayed vs. immediate gratification
– Internal vs. external gratification
Preparation of today's threat vs. "hackers":
– Training
– Intelligence / strategy

Slide 5: Handling Break-ins
– What to do
– How to catch the intruder
– How to find the damage
– How to repair the damage

Slide 6: Basic Rules (1): DON'T PANIC
Questions to answer before acting:
– Is it a real break-in?
– Was any damage really done?
– Is protecting evidence important?
– Is restoring normal operation quickly important?
– Are you willing to chance modification of files?
– Is avoiding publicity important?
– Can it happen again?

Slide 7: Basic Rules (2): DOCUMENT
– Start a notebook
– Collect printouts and backup media
– Use scripts
– Consult legal assistance on evidence gathering

Slide 8: Basic Rules (3): PLAN AHEAD
1. Identify/understand the problem
2. Contain/stop the damage
3. Confirm the diagnosis and determine the damage
4. Restore the system
5. Deal with the cause
6. Perform related recovery

Slide 9: Discovering an Intruder
– Catching them in the act
– Finding changes
– Receiving a message from another system administrator
– Strange activities
– User reports

Slide 10: Signs of Intrusions

Slide 11: Running Processes
What:
– Background programs running under user accounts
– New system processes
– Processes running for abnormal amounts of time
How to detect:
– Check the process list
– Watch system response time
– Watch total system load

Slide 12: Dealing with Running Processes
– Notify users that processes are checked
– Clarify ownership/identity of processes
– Look for files opened by the process (even if already removed from the file system)
– Look at network connections made by the process
– Check file system/network/configuration
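Worked example (added here; this is not code from the CMU slides): the checks on slides 11 and 12 applied to a process listing. It parses the text output of `lsof -nP`, a tool I chose because the slides name none, and reports per process an executable running from a scratch directory, open files that have been unlinked (lsof marks them "(deleted)"), and the network connections such a process holds. The sample output is constructed for illustration.

```python
"""Triage a process listing for the signs listed on slides 11 and 12.

Added example; not code from the CMU slides. It parses the text format of
`lsof -nP` (my choice of tool) and reports, per PID, executables running from
scratch directories, open files that have been unlinked ("(deleted)"), and the
network connections each such process holds. SAMPLE_LSOF is constructed.
"""
import subprocess
from collections import defaultdict

# Constructed sample in `lsof -nP` layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF = """\
COMMAND   PID   USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
sshd     1234   root cwd    DIR    8,1     4096      2 /
sshd     1234   root txt    REG    8,1   786432 131081 /usr/sbin/sshd
sshd     1234   root  3u   IPv4  20011      0t0    TCP 10.0.0.5:22->203.0.113.7:51234 (ESTABLISHED)
kswapd1  2345 nobody cwd    DIR    8,1     4096  65537 /tmp/.x
kswapd1  2345 nobody txt    REG    8,1    45120 131100 /tmp/.x/kswapd1 (deleted)
kswapd1  2345 nobody  4u   IPv4  20017      0t0    TCP 10.0.0.5:41122->198.51.100.9:6667 (ESTABLISHED)
kswapd1  2345 nobody  5r    REG    8,1    10240 131101 /tmp/.x/log (deleted)
cron     3456   root txt    REG    8,1    51200 131200 /usr/sbin/cron
"""

# Places a legitimate system daemon has no business executing from
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_lsof(text):
    """Group lsof rows by PID: command, user, executable, unlinked files, sockets."""
    procs = defaultdict(lambda: {"command": None, "user": None, "exe": None,
                                 "deleted": [], "net": []})
    for line in text.splitlines()[1:]:            # skip the header row
        parts = line.split(None, 8)               # NAME may contain spaces
        if len(parts) < 9:
            continue
        command, pid, user, fd, ftype, _dev, _size, _node, name = parts
        p = procs[int(pid)]
        p["command"], p["user"] = command, user
        if name.endswith("(deleted)"):            # still open, but gone from the directory tree
            name = name[: -len("(deleted)")].strip()
            p["deleted"].append(name)
        if fd == "txt":                           # the process's own executable
            p["exe"] = name
        if ftype in ("IPv4", "IPv6"):
            p["net"].append(name)
    return dict(procs)


def suspicious_processes(procs):
    """Apply the slide's heuristics; return {pid: [reasons]}."""
    findings = {}
    for pid, p in sorted(procs.items()):
        reasons = []
        if p["exe"] and p["exe"].startswith(SCRATCH_DIRS):
            reasons.append(f"executable lives in a scratch area: {p['exe']}")
        if p["exe"] in p["deleted"]:
            reasons.append("running binary has been deleted from disk (recover it from /proc/<pid>/exe)")
        if p["deleted"]:
            reasons.append("holds unlinked files: " + ", ".join(p["deleted"]))
        if reasons and p["net"]:                  # report sockets only for processes already of interest
            reasons.append("network connections: " + "; ".join(p["net"]))
        if reasons:
            findings[pid] = reasons
    return findings


def live_lsof():
    """Run lsof on this host (Linux/macOS with lsof installed); root is needed to see every process."""
    return subprocess.run(["lsof", "-nP"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    procs = parse_lsof(SAMPLE_LSOF)
    for pid, reasons in suspicious_processes(procs).items():
        print(f"PID {pid} ({procs[pid]['command']}, user {procs[pid]['user']})")
        for reason in reasons:
            print("  -", reason)
```

Run it on a live host with `suspicious_processes(parse_lsof(live_lsof()))`. Note that a trojaned `lsof` or `ps` will lie; on a suspect machine run the listing from a known-good copy of the tool on read-only media.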

Slide 13: Changed Configuration
What:
– Network cards in promiscuous mode
– Odd printer configuration
– Odd disk configuration/partitioning
How to detect:
– Configuration utilities
– Static checking tools
– Program failures
– Network/printing delays

Slide 14: Dealing with Changed Configurations
What to do:
– Report changes from the baseline
– Do a walkabout audit of equipment on the network
– Probe for modems
– Look for unexpected network routes
How to do it:
– Set priorities
– Establish a flexible schedule
– Automate as much as possible
– Vary checks over time
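Worked example (added here; not code from the CMU slides): the "report changes from the baseline" check of slides 13 and 14 for the network side. It parses the text output of iproute2's `ip -o link show` and `ip route show` (my choice; the slides name no tool), flags interfaces in promiscuous mode, interfaces or MAC addresses that differ from the baseline, and routes that are present on the host but not in the baseline or vice versa. The baseline and the sample output are constructed.

```python
"""Report network-configuration drift from a recorded baseline (slides 13 and 14).

Added example; not code from the CMU slides. Parses `ip -o link show` and
`ip route show` text (iproute2, my choice) and reports promiscuous interfaces,
interface/MAC changes, and route differences. BASELINE and SAMPLE_* are constructed.
"""
import re
import subprocess

# Constructed baseline, as recorded on a known-good host
BASELINE = {
    "links": {"lo": "00:00:00:00:00:00", "eth0": "02:42:ac:11:00:02"},
    "routes": {"default via 10.0.0.1 dev eth0", "10.0.0.0/24 dev eth0"},
}

# Constructed `ip -o link show` output: eth0 is in promiscuous mode, tun9 is new
SAMPLE_LINKS = r"""
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: tun9: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\    link/none
"""

# Constructed `ip route show` output: the 192.168.50.0/24 route is unexpected
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
192.168.50.0/24 dev tun9 scope link
"""

LINK_RE = re.compile(
    r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>"   # "2: eth0: <FLAGS>"
    r".*?link/\S+(?:\s+(?P<mac>[0-9a-f:]{17}))?"                # "link/ether 02:42:..."
)


def parse_links(text):
    """Return {ifname: {"flags": set, "mac": str or None}}."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m["name"]] = {"flags": set(m["flags"].split(",")), "mac": m["mac"]}
    return links


def parse_routes(text):
    """Reduce each route to 'dst [via gw] dev iface' so metric/proto noise does not trip the diff."""
    routes = set()
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        key = [toks[0]]
        for kw in ("via", "dev"):
            if kw in toks:
                key += [kw, toks[toks.index(kw) + 1]]
        routes.add(" ".join(key))
    return routes


def audit(links, routes, baseline=BASELINE):
    """Compare parsed live state with the baseline; return human-readable findings."""
    findings = []
    for name, info in sorted(links.items()):
        if "PROMISC" in info["flags"]:
            findings.append(f"{name}: promiscuous mode enabled (possible sniffer)")
        if name not in baseline["links"]:
            findings.append(f"{name}: interface not in baseline")
        elif info["mac"] != baseline["links"][name]:
            findings.append(f"{name}: MAC changed {baseline['links'][name]} -> {info['mac']}")
    for r in sorted(routes - baseline["routes"]):
        findings.append(f"route not in baseline: {r}")
    for r in sorted(baseline["routes"] - routes):
        findings.append(f"baseline route missing: {r}")
    return findings


def live_audit(baseline=BASELINE):
    """Run against this host (Linux with iproute2)."""
    links = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    routes = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
    return audit(parse_links(links), parse_routes(routes), baseline)


if __name__ == "__main__":
    for finding in audit(parse_links(SAMPLE_LINKS), parse_routes(SAMPLE_ROUTES)):
        print(finding)
```

The same pattern (record a baseline on a trusted host, normalize the live output, diff the two) extends to printer queues and partition tables; the per-host baseline has to live somewhere the intruder cannot edit, or the comparison only confirms the intruder's version.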

Slide 15: Added Accounts/Directories/Files
What:
– New files in system areas
– New programs in odd locations (temporary, guest, scratch)
– New directories with odd names (“.. ”, “...”, “//”, etc.)
– New accounts
How to detect:
– File listing utilities
– File system utilities
– Account management utilities

Slide 16: Dealing with Added Objects
– Establish procedures for program/account creation
– Verify ownership and content of suspect files/accounts
– Examine actions taken by suspect programs
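Worked example (added here; not code from the CMU slides): the account and odd-name checks from slides 15 and 16. `diff_passwd` compares a saved copy of /etc/passwd against the current file and reports new or removed accounts, changed UID/GID/home/shell, and any UID-0 account other than root. `odd_names` applies slide 15's naming heuristics (".. ", "...", whitespace padding) plus two I add (a leading "-", control characters) to a directory listing. The passwd snapshots and the listing are constructed.

```python
"""Check for added accounts and hidden-looking names (slides 15 and 16).

Added example; not code from the CMU slides. The passwd snapshots and the
directory listing below are constructed for illustration.
"""
import os

BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed "current" file: toor is a second UID-0 account, ftpx is new,
# and the www-data service account has been given a login shell
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:toor:/root:/bin/bash
ftpx:x:1001:1001::/tmp/.x:/bin/sh
"""

# Constructed directory listing (as os.listdir would return it, not `ls` output)
SAMPLE_LISTING = [".", "..", ".. ", "...", "bin", " ", "-rf", "log\x1b[2K", ".ssh"]


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def diff_passwd(baseline_text, current_text):
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name in sorted(set(cur) - set(base)):
        u = cur[name]
        findings.append(f"new account: {name} uid={u['uid']} home={u['home']} shell={u['shell']}")
    for name in sorted(set(base) - set(cur)):
        findings.append(f"account removed: {name}")
    for name in sorted(set(base) & set(cur)):
        for field in ("uid", "gid", "home", "shell"):
            if base[name][field] != cur[name][field]:
                findings.append(f"{name}: {field} changed {base[name][field]} -> {cur[name][field]}")
    for name, u in sorted(cur.items()):
        if u["uid"] == 0 and name != "root":      # classic backdoor: a second superuser
            findings.append(f"extra UID-0 account: {name}")
    return findings


def odd_names(names):
    """Return (name, reason) for entries chosen to hide in a casual `ls`."""
    odd = []
    for n in names:
        if n in (".", ".."):
            continue                                  # every directory has these
        if n != n.strip():
            odd.append((n, "leading/trailing whitespace"))
        elif set(n) <= set(". "):
            odd.append((n, "consists only of dots"))
        elif any(ord(c) < 32 for c in n):
            odd.append((n, "control character in name"))
        elif n.startswith("-"):
            odd.append((n, "starts with '-' (looks like a command option)"))
    return odd


def odd_names_under(path):
    """Live helper: walk `path` and report odd names with their full path."""
    out = []
    for root, dirs, files in os.walk(path):
        for n, why in odd_names(dirs + files):
            out.append((os.path.join(root, n), why))
    return out


if __name__ == "__main__":
    for finding in diff_passwd(BASELINE_PASSWD, CURRENT_PASSWD):
        print(finding)
    for n, why in odd_names(SAMPLE_LISTING):
        print(repr(n), why)
```

`odd_names_under("/tmp")` runs the same heuristics over a real tree; print names with `repr()` so trailing spaces and escape sequences are visible instead of rendering as blanks or terminal commands.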

Slide 17: Log Gaps
What:
– Deleted or abridged log files
How to detect:
– Lack of expected messages across a time span
– Mismatches between logs
– Mismatches with billed access/reported access

Slide 18: Dealing with Log Gaps
– Examine logs for typical events as well as atypical ones
– Establish overlapping logging
– Establish non-traditional logging
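Worked example (added here; not code from the CMU slides): the two detection methods from slides 17 and 18. `find_gaps` scans syslog-style lines for a message that should recur at a fixed interval (here the syslogd/rsyslog "-- MARK --" heartbeat, which I assume is configured every 20 minutes) and reports spans where it is missing. `cross_check_logins` compares sshd "Accepted" entries against the output of `last` (wtmp) and reports logins recorded in one but not the other, which is the trace left by an intruder who cleaned only one of the two overlapping logs. All sample lines are constructed; syslog lines carry no year, so the caller supplies one.

```python
"""Find log gaps and cross-log mismatches (slides 17 and 18).

Added example; not code from the CMU slides. SAMPLE_SYSLOG and SAMPLE_LAST are
constructed; the MARK interval of 20 minutes is an assumption about the host's
syslog configuration.
"""
import re
from datetime import datetime, timedelta

SYSLOG_TS = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
LAST_LINE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+")

# Constructed syslog: marks arrive every 20 minutes until 02:00, then nothing
# until 03:40 (the file was trimmed), and a login appears at 03:41
SAMPLE_SYSLOG = """\
Mar  8 01:00:00 web1 -- MARK --
Mar  8 01:20:00 web1 -- MARK --
Mar  8 01:40:00 web1 -- MARK --
Mar  8 01:43:12 web1 sshd[2211]: Accepted password for alice from 10.0.0.20 port 40122 ssh2
Mar  8 02:00:00 web1 -- MARK --
Mar  8 03:40:00 web1 -- MARK --
Mar  8 03:41:05 web1 sshd[2500]: Accepted password for www-data from 198.51.100.9 port 51000 ssh2
Mar  8 04:00:00 web1 -- MARK --
""".splitlines()

# Constructed `last` output: wtmp knows about alice but not about the www-data login
SAMPLE_LAST = """\
alice    pts/0        10.0.0.20        Sat Mar  8 01:43   still logged in
reboot   system boot  2.4.20           Fri Mar  7 22:10         (05:50)

wtmp begins Fri Mar  7 22:10:11 2003
""".splitlines()


def parse_syslog(lines, year):
    """Return a list of (timestamp, host, message) for each well-formed syslog line."""
    out = []
    for line in lines:
        m = SYSLOG_TS.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S")
        out.append((ts, m["host"], m["msg"]))
    return out


def find_gaps(lines, marker="-- MARK --", interval=timedelta(minutes=20), slack=1.5, year=2003):
    """Return (last_seen, next_seen, missing_count) for every run of absent marker messages."""
    marks = [ts for ts, _host, msg in parse_syslog(lines, year) if msg == marker]
    gaps = []
    for prev, cur in zip(marks, marks[1:]):
        delta = cur - prev
        if delta > interval * slack:                 # tolerate scheduling jitter
            gaps.append((prev, cur, round(delta / interval) - 1))
    return gaps


def cross_check_logins(syslog_lines, last_lines, year=2003):
    """(user, source) pairs seen by sshd but not in wtmp, and vice versa."""
    from_auth = set()
    for _ts, _host, msg in parse_syslog(syslog_lines, year):
        m = ACCEPTED.search(msg)
        if m:
            from_auth.add((m["user"], m["ip"]))
    from_wtmp = set()
    for line in last_lines:
        m = LAST_LINE.match(line)
        if m and m["user"] not in ("reboot", "shutdown", "wtmp"):
            from_wtmp.add((m["user"], m["host"]))     # assumes `last -i`, so hosts are IPs
    return {"in_syslog_only": sorted(from_auth - from_wtmp),
            "in_wtmp_only": sorted(from_wtmp - from_auth)}


if __name__ == "__main__":
    for start, end, missing in find_gaps(SAMPLE_SYSLOG):
        print(f"gap: no marks between {start:%b %d %H:%M} and {end:%b %d %H:%M} "
              f"({missing} expected messages missing)")
    print(cross_check_logins(SAMPLE_SYSLOG, SAMPLE_LAST))
```

The heartbeat check only works if the host emits one; the "overlapping logging" and "non-traditional logging" points on slide 18 are what make the cross-check possible, since a copy of syslog forwarded to a separate loghost cannot be trimmed from the compromised machine.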

Slide 19: Changed Programs/Files
What:
– Modified system programs or files
– Virus-infected programs or files
How to detect:
– Integrity checkers
– Virus scanners
How to deal: see the integrity lecture
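Worked example (added here; not code from the CMU slides, and not Tripwire itself, just a Tripwire-style design written for illustration): a minimal integrity checker of the kind slide 19 refers to. `snapshot` records SHA-256, size, mode bits, owner and inode for every regular file under the given roots; `compare` reports files added, removed, modified, re-owned or re-permissioned, and calls out a newly set setuid/setgid bit separately, since that is the change the cleanup on slide 24 most needs to find. `demo` builds a throwaway directory, takes a baseline, tampers with it and diffs, so it runs anywhere without touching the real system.

```python
"""A minimal file-integrity checker (slide 19).

Added example; not code from the CMU slides and not Tripwire. Keep the real
baseline off the host or on read-only media: a baseline the intruder can
rewrite proves nothing.
"""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots):
    """Return {path: record} for every regular file under `roots` (symlinks are not followed)."""
    db = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                st = os.lstat(p)
                if not stat.S_ISREG(st.st_mode):
                    continue
                db[p] = {"sha256": file_digest(p), "size": st.st_size, "mode": st.st_mode,
                         "uid": st.st_uid, "gid": st.st_gid, "inode": st.st_ino}
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return a list of (kind, path) findings."""
    findings = []
    for p in sorted(set(current) - set(baseline)):
        findings.append(("added", p))
    for p in sorted(set(baseline) - set(current)):
        findings.append(("removed", p))
    for p in sorted(set(baseline) & set(current)):
        b, c = baseline[p], current[p]
        if b["sha256"] != c["sha256"]:
            findings.append(("modified", p))
        if b["mode"] != c["mode"]:
            gained = c["mode"] & ~b["mode"]
            if gained & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid/setgid added", p))
            else:
                findings.append(("mode changed", p))
        if (b["uid"], b["gid"]) != (c["uid"], c["gid"]):
            findings.append(("owner changed", p))
    return findings


def demo():
    """Baseline a fake bin/, then simulate a rootkit: trojan ps, make ls setuid, drop a hidden file."""
    with tempfile.TemporaryDirectory() as d:
        bin_dir = os.path.join(d, "bin")
        os.mkdir(bin_dir)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(os.path.join(bin_dir, name), 0o755)
        baseline = snapshot([bin_dir])

        with open(os.path.join(bin_dir, "ps"), "ab") as f:
            f.write(b"# hide PID 2345\n")                  # trojaned ps
        os.chmod(os.path.join(bin_dir, "ls"), 0o4755)      # ls is now setuid
        with open(os.path.join(bin_dir, ".sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")                        # dropped backdoor shell
        return compare(baseline, snapshot([bin_dir]))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:20s} {path}")
```

For real use, run `save_baseline(snapshot(["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc"]), path)` right after installation and again after every legitimate patch, and run `compare(load_baseline(path), snapshot(...))` from a trusted environment, since a trojaned Python or kernel on the suspect host can hide its own changes.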

Slide 20: Communication
What:
– IRC communication
– E-mail
– Modem traffic
– Website chat
– Instant messaging
How to detect:
– Logs
– Sniffing/monitoring
– Caller ID

Slide 21: Dealing with Intruder Communication
– Set policy and publicize it
– Announce that e-mail/IRC/instant message/web traffic is examined
– Reconcile logs
– Look for added clients
– Watch for suspect sites

Slide 22: Dealing with the Intruder (1)
Ignore the intruder
– Dangerous
– Contrary to policy/law?
Communicate with the intruder
– Dangerous
– Low return
Trace/identify the intruder
– Watch for traps / assumptions
– Easiest if prepared ahead of time

Slide 23: Dealing with the Intruder (2)
Break the intruder's connection
– Physically
– Logically (log out, kill processes, lock the account)
Contact outside help
– Don't do it from the compromised system
– Avoid doing it from systems connected to the compromised one

Slide 24: Cleaning up after the Intruder
– Restore system programs / files
– Delete unauthorized accounts
– Restore authorized access to affected accounts
– Restore file / device protections
– Remove unauthorized setuid/setgid programs
– Remove unauthorized mail aliases
– Remove added files / directories
– Force new passwords

Slide 25: Resuming Operation
Options:
– Investigate until how and when is known, fix the holes, then resume
– Patch and repair the damage, enable further monitoring, then resume
– Quick scan and cleanup, then resume
– Call in law enforcement (delays resumption)
– Do nothing and keep using the corrupted system

Slide 26: Damage Control
Deal with the consequences of the break-in:
– Was sensitive information disclosed?
– Who do you need to notify formally?
– Who do you need to notify informally?
– What disciplinary action is needed?
– What vendor contacts do we need to make?
– What other system administrators should be notified?
– What updated employee training is needed?