Presentation is loading. Please wait.

Presentation is loading. Please wait.

L esson 1 Course Introduction. UTSA IS 6353 Incident Response Overview Course Administrivia Info Assurance Review Incident Response.

Published byLoraine Ford Modified over 9 years ago

Similar presentations

Presentation on theme: "L esson 1 Course Introduction. UTSA IS 6353 Incident Response Overview Course Administrivia Info Assurance Review Incident Response."— Presentation transcript:

1 L esson 1 Course Introduction

2 UTSA IS 6353 Incident Response Overview Course Administrivia Info Assurance Review Incident Response

3 UTSA IS 6353 Incident Response IS6353 Intrusion Detection and Incident Response 6:00-7:50 PM T/TH Robert Kaufman –Background –Contact information Syllabus and Class Schedule Student Background Information –Email to robert.kaufman@utsa.edu

4 UTSA IS 6353 Incident Response Student Information Name Reliable email address Email to robert.kaufman@utsa.edurobert.kaufman@utsa.edu

5 UTSA IS 6353 Incident Response Text Books Course Text: –Incident Response and Computer Forensics McGraw Hill Publishing, 2014. ISBN 978-0071798686 Additional References: –Principles of Computer Security, Conklin, White, Cothren, Williams, and Davis –Hacking Exposed, by McClure, Scambray, Kurtz –Cyber crime Investigator’s Field Guide, by Bruce Middleton

6 UTSA IS 6353 Incident Response Grading Grades –2 Tests –Final –1 Paper –4-5 Labs

7 A Sampling of Malicious Activity March 1999 - EBay gets hacked March 1999 - Melissa virus hits Internet April 1999 - Chernobyl Virus hits May 1999 - Hackers shut down web sites of FBI, Senate, and DOE June 1999 - Worm.Explore.Zip virus hits July 1999 - Cult of the Dead Cow (CDC) releases Back Orifice Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites Oct 1999 - Teenage hacker admits to breaking into AOL

8 A Sampling of Malicious Activity Nov 1999 - BubbleBoy virus hits Dec 1999 - Babylonia virus spreads Feb 2000 - Several sites experience DOS attacks Feb 2000 - Alaska Airlines site hacked May 2000 - Love Bug virus ravages net July 2001 – Code Red Runs RampantCode Red Runs Rampant Sept 2001 – Nimda Explodes

9 A Sampling of Malicious Activity Jan 2003 – Sapphire/Slammer Worm Aug 2003 – Blaster (LoveSan) Worm Jan 2004 – MyDoom Mar 2004 – Witty Worm May 2004 – Sasser Worm Dec 2006 – TJX Credit/Debit Card Theft Jan 2007 – Storm Worm Mar 2009 - Conficker June 2010 - Stuxnet http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms

10 UTSA IS 6353 Incident Response Spread of Slammer—25 Jan 05:29 UTC

11 UTSA IS 6353 Incident Response Spread of Slammer—25 Jan 06:00 UTC

12 UTSA IS 6353 Incident Response CSI Survey: Average Loss Ref: 2008 CSI Survey

13 UTSA IS 6353 Incident Response Internet Security Software Market 2002 - $7.4 Billion est. 1999 - $4.2 Billion 1998 - $3.1 Billion 1997 - $2 Billion ’97 & ’98 figures based on a study released by market research firm International Data Corp. in Framingham, Mass. ’99 & ’02 figures from IDC study based on a survey of 300 companies with more than $100 million in annual revenues

14 UTSA IS 6353 Incident Response DISA VAAP Results PROTECTIONPROTECTION DETECTIONDETECTION REACTIONREACTION 38,000 Attacks 24,700 Succeed 13,300 Blocked 988 Detected 23,712 Undetected 267 Reported 721 Not Reported

15 UTSA IS 6353 Incident Response Computer Security The Prevention and/or detection of unauthorized actions by users of a computer system. In the beginning, this meant ensuring privacy on shared systems. Today, interesting aspect of security is in enabling different access levels.

16 UTSA IS 6353 Incident Response What are our goals in Security? The “CIA” of security –Confidentiality –Integrity Data integrity Software Integrity –Availability Accessible and usable on demand –(authentication) –(nonrepudiation)

17 UTSA IS 6353 Incident Response The “root” of the problem Most security problems can be grouped into one of the following categories: –Network and host misconfigurations Lack of qualified people in the field –Operating system and application flaws Deficiencies in vendor quality assurance efforts Lack of qualified people in the field Lack of understanding of/concern for security

18 UTSA IS 6353 Incident Response Computer Security Operational Model Protection = Prevention+ (Detection + Response) Access Controls Encryption Firewalls Intrusion Detection Incident Handling

19 UTSA IS 6353 Incident Response Proactive –vs- Reactive Models “Most organizations only react to security threats, and, often times, those reactions come after the damage has already been done.” “The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you.”

20 UTSA IS 6353 Incident Response So What Happens When Computer Security Fails? Incident Response Methodology--7 Step Process –Preparation: Proactive Computer Security –Detection of Incidents –Initial Response –Formulate Response Strategy –Investigate the Incident –Reporting –Resolution

21 UTSA IS 6353 Incident Response 7 Components of Incident Response Pre-Incident Preparation Detection of Incidents Initial Response Formulate Response Strategy Data Collection Data Analysis Reporting Investigate the Incident Resolution Recovery Implement Security Measures Page 15, Fig 2-1, Mandia 2nd Edition

22 UTSA IS 6353 Incident Response Resources in the Fight SANS CERT CC FIRST CERIAS NIST CIAS

23 UTSA IS 6353 Incident Response SANS System Administration, Networking, and Security (SANS) Institute Global Incident Analysis Center Security Alerts, Updates, & Education NewsBites, Security Digest, Windows Digest Certification http://www.sans.org/

24 UTSA IS 6353 Incident Response Carnegie Mellon CERT CC Computer Emergency Response Team Coordination Center Started by DARPA Alerts & Response Services Training and CERT Standup Clearing House http://www.cert.org

25 UTSA IS 6353 Incident Response FIRST Forum of Incident Response and Security Teams Established 1988 Govt & Private Sector Membership Over 70 Members Coordinate Global Response http://www.first.org

26 UTSA IS 6353 Incident Response CERIAS Center for Education and Research in Information Assurance and Security Home of Gene Spafford A "University Center" InfoSec Research & Education Members: Academia, Govt, & Industry http://www.cerias.purdue.edu/coast/)

27 UTSA IS 6353 Incident Response NIST National Institute of Science and Technology (NIST) Operares Computer Security Resource Clearinghouse (CSRC) Raising Awarenss Multiple Disciplines Main Source of Fed Govt Standards http://csrc.ncsl.nist.gov/

28 UTSA IS 6353 Incident Response CIAS UTSA’s Center for Infrastructure Assurance and Security (CIAS) Multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security. National Cyber Exercises Cyber Security Training Cyber Competitions http://www.utsa.edu/cias/

29 UTSA IS 6353 Incident Response So How Many Vulnerabilties Are Out? Lets See What the CERT CC Says.

30 UTSA IS 6353 Incident Response

31

32

33

34

35 History Lesson The Art of War, Sun Tzu Lesson for you Know the enemy Know yourself…and in a 100 battles you will never be defeated If ignorant both of your enemy and of yourself you are certain in every battle to be in peril

36 UTSA IS 6353 Incident Response History Lesson The Art of War, Sun Tzu Lesson for the Hacker Probe him and learn where his strength is abundant and where deficient To subdue the enemy without fighting is the acme of skill One able to gain victory by modifying his tactics IAW with enemy situation may be said to be divine

37 UTSA IS 6353 Incident Response Hacker Attacks Intent is for you to know your enemy Not intended to make you a hacker Need to know defensive techniques Need to know where to start recovery process Need to assess extent of investigative environment

38 UTSA IS 6353 Incident Response Anatomy of a Hack FOOTPRINTINGSCANNINGENUMERATION GAINING ACCESS ESCALATING PRIVILEGE PILFERING COVERING TRACKS CREATING BACKDOORS DENIAL OF SERVICE Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

39 UTSA IS 6353 Incident Response Footprinting Objective Target Address Range Acquire Namespace Information Gathering Surgical Attack Don’t Miss Details Technique Open Source Search whois Web Interface to whois ARIN whois DNS Zone Transfer Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

40 UTSA IS 6353 Incident Response Scanning Objective Bulk target assessment Determine Listening Services Focus attack vector Technique Ping Sweep TCP/UDP Scan OS Detection Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

41 UTSA IS 6353 Incident Response Enumeration Objective Intrusive Probing Commences Identify valid accounts Identify poorly protected shares Technique List user accounts List file shares Identify applications Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

42 UTSA IS 6353 Incident Response Gaining Access Objective Informed attempt to access target Typically User level access Technique Password sniffing File share brute forcing Password file grab Buffer overflows Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

43 UTSA IS 6353 Incident Response Escalating Privilege Objective Gain Root level access Technique Password cracking Known exploits Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

44 UTSA IS 6353 Incident Response Pilfering Objective Info gathering to access trusted systems Technique Evaluate trusts Search for cleartext passwords Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

45 UTSA IS 6353 Incident Response Cover Tracks Objective Ensure highest access Hide access from system administrator or owner Technique Clear logs Hide tools Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

46 UTSA IS 6353 Incident Response Creating Back Doors Objective Deploy trap doors Ensure easy return access Technique Create rogue user accounts Schedule batch jobs Infect startup files Plant remote control services Install monitors Trojanize Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

47 UTSA IS 6353 Incident Response Denial of Service Objective If unable to escalate privilege then kill Build DDOS network Technique SYN Flood ICMP Attacks Identical src/dst SYN requests Out of bounds TCP options DDOS Source: Hacking Exposed, McClure, Sacmbray, and Kurtz

48 UTSA IS 6353 Incident Response Hacker Exploits per SANS RECONNAISSANCESCANNING EXPLOIT SYSTEMS KEEPING ACCESS COVER TRACKS Source: SANs Institute

49 UTSA IS 6353 Incident Response Hacking Summary Threat: Hacking on the rise Security posture usually reactive Losses increasing 7 Step Process Hacker Techniques

Download ppt "L esson 1 Course Introduction. UTSA IS 6353 Incident Response Overview Course Administrivia Info Assurance Review Incident Response."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.

Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.

1 Defining System Security Policies. 2 Module - Defining System Security Policies ♦ Overview An important aspect of Network management is to protect your.
Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.

Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? Tim McLaren Thursday, September 28, 2000 McMaster University.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
IS6303 Intro to Voice and Data Security

IS6303 Intro to Voice and Data Security
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Information Networking Security and Assurance Lab National Chung Cheng University Network Security (I) 授課老師 : 鄭伯炤 Office: Dept. of Communication Rm #112.

Information Networking Security and Assurance Lab National Chung Cheng University Network Security (I) 授課老師 : 鄭伯炤 Office: Dept. of Communication Rm #112.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Wardriving 7/29/2004 The “Bad Karma Gang”. Agenda Introduction to Wardriving The Tools of Wardriving Wardriving Green Lake.

Wardriving 7/29/2004 The “Bad Karma Gang”. Agenda Introduction to Wardriving The Tools of Wardriving Wardriving Green Lake.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Cyberspace and the Police Mamoru TAKAHASHI Head of Computer Forensic Center, Hi-tech Crime Technology Division National Police Agency, Japan.

Cyberspace and the Police Mamoru TAKAHASHI Head of Computer Forensic Center, Hi-tech Crime Technology Division National Police Agency, Japan.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Similar presentations

Ads by Google