APA of Isfahan University of Technology In the name of God
Computer Security Incident The term “security incident” is defined as the act of non- compliance with the security policy, procedure, or a core security requirement that impacts the confidentiality, integrity and availability of health information. 2
Containment,Eradication,Recovery Post-IncidentActivities DetectionAndAnalysis Preparation 3 The organization is ready to respond to incidents, and also prevents incidents by ensuring that systems, networks, and applications are sufficiently secure. networks, and applications are sufficiently secure. The organization get the incident report or sign of incident searching for type and cause of it. and cause of it. The organization can act to mitigate the impact of the incident by containing it and ultimately recovering from it. The organization members share “lessons learned” from the incident.
2)Preventing Incidents Recommended practices for securing networks : Patch Management Host Security Network Security Malicious Code Prevention 4
5
6
Definition : Denial of Service (DoS) A Denial of Service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources. 7
DDos DDos: Distributed Denial of Service 8
DDos Types Of DDos Attacks : 1)Reflector Attack 9
DDos Types Of DDos Attacks : 2)Amplifier Attack 10
DDos Types Of DDos Attacks : 3)Flood Attack 11
Step 1 :Preparation 1) Preparation I. ISP II. IDS Configuration III. Resource Monitoring IV. Maintain Paper Copy of Handling Documents 12
Step 1 :Preparation 1) Prevention I. Control Traffic II. On Internet-accessible hosts, disable all unneeded services III. Implement redundancy for key functions IV. Ensure that networks and systems are not running near maximum capacity 13
Step2: Detection and Analysis Precursors and Reactions : Low Volume of Traffic Caused by Reconnaissance Activities Block ways of attack A new DoS tool Investigate it and change configurations 14
Step2: Detection and Analysis Indication Of Each Type of DoS: Network Based DoS against a host Network Based DoS against network DoS against OS of A host DoS against an application on a particular host 15
Step2: Detection and Analys is IP address in most cases is spoofed Logs may be helpful to find the Attacker. When an outage occurs, no one may realize that a DoS attack caused it Outages are so common! Network-based DoS attacks are difficult for IDPS sensors to detect with a high degree of accuracy User Get False alerts so disable it. Attacker use zombies Agents are not sinful. 16
Step3: 1)Containment Strategies Simple Solution : Filtering All Traffic by IP Spoofed Ips Most of the time not possible Solution : Filtering based on Characteristics (port, Protocol,…) 17
Step3: 1)Containment Strategies Other Strategies : I. Correct vulnerability II. Relocate The Target III. Attack the Attacker ! 18
19
Definition : unauthorized access An unauthorized access incident occurs when a person gains access to resources that the person was not intended to have 20
Special Characteristic : These kinds of Attacks mostly occur in several steps. First The attacker gain limited access through a vulnerability then try to gain higher level of access. So : Tracking The Incident is Important. 21
Step 1 :Preparation 1) Preparation 1) Education 2) Configuration 3) Control 2) Prevention Network Security Host Security Authentication and Authorization Physical Security 22
Step2: Detection and Analysis Have many types of occurrence. Lots of Precursors and Indications Must be customized to environment-specific 23
Step2: Detection and Analysis Precursors: 24 Detecting reconnaissance activities through IDPS A failed physical access attempt to a system. A user report of a social engineering attempt. A new exploit for gaining unauthorized access is released publicly
Step2: Detection and Analysis Types of unauthorized access and possible Indications: Root compromise of a host Unauthorized data modification Unauthorized usage of standard user account Physical Intruder Unauthorized data access 25
Step2: Detection and Analysis Problem: It is difficult to distinguish malicious activity from benign one Solution: Change management process 26
Step2: Detection and Analysis Prioritization Problem: Calculating current and future impact is difficult Solution: The incident may need to be prioritized before the analysis is complete It Must be done based on an estimate of the current impact Considering the criticality of the resources Next Step: Considering the criticality of the resources 27
Step3: 1)Containment Strategies Problem: Response time is important. Analyzing step may take a long time Solution: Perform an initial analysis, then prioritize, response and another analysis stage 28
Step3: 1)Containment Strategies : Shutting down the system !!! Easy Solution : Shutting down the system !!! The Moderate one: A combination of: Isolate the affected systems Disable the affected service Eliminate the attacker’s route into the environment. Disable user accounts that may have been used in the attack Enhance physical security measures 29
Step3: 2)Eradication And Recovery Recovery is based on level of access In case of root access system restore Mitigate the vulnerability 30
31
Definition : Inappropriate Usage An Inappropriate Usage incident occurs when a user performs actions that violate acceptable computing use policies. 32
Examples: Download password cracking tools. Send spam promoting a personal business harassing messages to coworkers Set up an unauthorized Web site on one of the organization’s computers Use file sharing services to acquire or distribute pirated materials Transfer sensitive materials from the organization to external locations. 33
Examples: (Attack annoying outside entities from inside Organization) An internal user Defacing another organization’s public Web site. Purchasing items from online retailers with stolen credit card numbers. A third party Sending spam s with spoofed source addresses that appear to belong to the organization. Performing a DoS against an organization by generating packets with spoofed source IP addresses that belong to the organization. 34
Types of Inappropriate use : Personal Deliberate Disclosure of Sensitive information Inadvertent Misuse 35
Impacts of inappropriate Usage on Organization: Loss of productivity Increased risk of liability and legal action Reduction (or loss)of network bandwidth Increased risk of virus infection and other malicious code 36
Step 1 :Preparation 1) Preparation Coordinate with : representatives of the organization’s human resources Physical security team Set Proxy and Log users activities Configure IDPS Software 37
Step 1 :Preparation 2) Prevention Configure: Firewall Server Set: URL filtering Rule Limitation on use of Encrypted Protocols 38
Step2: Detection and Analysis Usually no precursor, Just users report Analyzing Reports(is a report real or no?) Problem: Incidents Reported from outside Solution: Accurate and complete Logging 39
Step2: Detection and Analysis Different activities and Indication: Attack against external party IDPS alerts and Logs Access to inappropriate materials Users report, IDPS alerts and Logs Users report, IDPS alerts and Logs Unauthorized Access Usage Unusual Traffic, New Process, New Files, Users report, IDPS alerts and Logs. 40
Step2: Detection and Analysis Prioritization: Business impact of these incidents is different It depends on: I. Whether the activity is criminal II. How much damage the organization’s reputation may sustain 41
Step2: Detection and Analysis Prioritization: Example of Response time table 42
Step3: Containment, Eradication And Recovery Generally no such step is needed May be just reinstalling uninstalled software Evidence gathering is Important 43