Chapter 1 Real World Incidents Spring 2016 - Incident Response & Computer Forensics.

Chapter 1 Real World Incidents Spring Incident Response & Computer Forensics

What is an Incident?
- Event: An observable occurrence in a system or network. (NIST)
- Incident: Violation or threat of violation of computer security policies, acceptable use policies, or standard security practices. (NIST)

What is Incident Response?
- Confirm whether or not an incident occurred
- Provide rapid detection
- Determine and document the scope
- Prevent a disjointed, non-cohesive response
- Minimize disruption
- Minimize damage
- Restore normal operations
- Allow for criminal or civil actions against perpetrators
- Educate
- Close loopholes

Case Study #1
- Used a SQL injection vulnerability
- The web server was located in a DMZ
- Executed commands on the backend database system
- Carried out extensive reconnaissance
- Implanted a backdoor
- Extracted and cracked the password hash for the local administrator account on the internal DB server
- Thus gained access to most systems
- Installed keystroke-logging malware
- Obtained password hashes from multiple systems belonging to administrators

Case Study #1
- Found passwords for all users on the domain in a domain controller
- Implanted more than 20 backdoors
- Modified the malware executables to avoid antivirus detection
- The malware family allowed the attacker full control over the victim system, file upload/download capabilities, etc.
- Stole data on many occasions
- Found where sensitive networking documentation was stored
- Found information on where financial data were stored

Case Study #1
- Established RDP connections
- Used FTP to download data
- Also installed backdoors to transfer data
- Used data compression techniques to avoid detection
- A few months later, discovered the jump server (the only system that could access sensitive resources)
- Carried out reconnaissance on the financial environment
- Detected 90 systems that processed or stored credit card information
- Proxied traffic from the jump server to the mail server (since the latter had direct internet access)

Case Study #1
- Executed pslist to find out which processes were running
- Dumped memory contents of multiple processes
- Found unencrypted cardholder information
- Over three months, downloaded millions of instances of cardholder data from all 90 systems
- About 10 months after the attacker breached the system, a sysadmin noticed that the mail server was communicating over TCP port 80 with an IP address in a foreign country
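The clue that finally surfaced this intrusion was a server behaving outside its role: a mail server talking to the internet on TCP/80. As an added example (not part of the slides), the Python below codifies that observation as a per-role egress check run over constructed flow-log lines; the host addresses, roles, internal ranges and log format are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed per-role egress policy (hypothetical; the slides only say the mail
# server's TCP/80 traffic to a foreign address looked wrong to an admin).
ROLE_POLICY = {
    "mail": {25, 465, 587},  # a mail relay should only speak SMTP to the internet
    "jump": set(),           # the jump server should never reach the internet directly
}
HOST_ROLES = {"10.0.1.25": "mail", "10.0.1.50": "jump"}  # constructed addresses
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal ranges
# Constructed flow-log lines (not real data): "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_LOG = """\
2016-03-01T02:14:07 10.0.1.25:53112 -> 203.0.113.77:80 tcp
2016-03-01T02:14:09 10.0.1.25:53113 -> 203.0.113.77:80 tcp
2016-03-01T02:15:00 10.0.1.25:40001 -> 198.51.100.10:25 tcp
2016-03-01T02:16:30 10.0.1.50:51000 -> 10.0.2.5:3389 tcp
2016-03-01T02:17:00 10.0.1.50:51001 -> 203.0.113.77:443 tcp
2016-03-01T02:18:00 10.0.2.5:44000 -> 10.0.1.25:25 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

def parse_line(line):
    """Parse one flow record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, _sport, dst, dport, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def find_egress_violations(log_text):
    """Sorted (src, role, dst, dport, count) tuples for role-bound servers that
    reach a non-internal address on a port their role does not allow."""
    counts = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp":
            continue
        role = HOST_ROLES.get(rec["src"])
        if role is None or is_internal(rec["dst"]):
            continue  # unknown hosts and internal-only traffic are out of scope here
        if rec["dport"] not in ROLE_POLICY[role]:
            counts[(rec["src"], role, rec["dst"], rec["dport"])] += 1
    return sorted(key + (n,) for key, n in counts.items())
```

On the sample data this flags the mail server's two TCP/80 flows and the jump server's single TCP/443 flow, while the mail server's legitimate SMTP and all internal traffic pass silently.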