APA of Isfahan University of Technology In the name of God.


Computer Security Incident

The term “security incident” is defined as the act of non-compliance with the security policy, procedure, or a core security requirement that impacts the confidentiality, integrity and availability of health information.

The four phases of incident handling: Preparation; Detection and Analysis; Containment, Eradication, Recovery; Post-Incident Activities.

Preparation: The organization is ready to respond to incidents, and also prevents incidents by ensuring that systems, networks, and applications are sufficiently secure.

Detection and Analysis: The organization gets the incident report or a sign of an incident and searches for its type and cause.

Containment, Eradication, Recovery: The organization can act to mitigate the impact of the incident by containing it and ultimately recovering from it.

Post-Incident Activities: The organization members share “lessons learned” from the incident.

2) Preventing Incidents

Recommended practices for securing networks:
Patch Management
Host Security
Network Security
Malicious Code Prevention

Definition: A Denial of Service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.

DDoS: Distributed Denial of Service

Types of DDoS Attacks:
1) Reflector Attack
2) Amplifier Attack
3) Flood Attack

Step 1: Preparation

1) Preparation
I. ISP
II. IDS Configuration
III. Resource Monitoring
IV. Maintain Paper Copy of Handling Documents

Step 1: Preparation

2) Prevention
I. Control traffic
II. On Internet-accessible hosts, disable all unneeded services
III. Implement redundancy for key functions
IV. Ensure that networks and systems are not running near maximum capacity

Step 2: Detection and Analysis

Precursors and Reactions:
Low volume of traffic caused by reconnaissance activities: block the ways of attack.
A new DoS tool: investigate it and change configurations.

Step 2: Detection and Analysis

Indication of each type of DoS:
Network-based DoS against a host
Network-based DoS against a network
DoS against the OS of a host
DoS against an application on a particular host

Step 2: Detection and Analysis

The IP address in most cases is spoofed; logs may be helpful to find the attacker.
When an outage occurs, no one may realize that a DoS attack caused it. Outages are so common!
Network-based DoS attacks are difficult for IDPS sensors to detect with a high degree of accuracy; users get false alerts, so they disable it.
Attackers use zombies; the agent hosts are not the culprits.

Step 3: Containment, Eradication and Recovery

1) Containment Strategies
Simple solution: filtering all traffic by IP.
Spoofed IPs: most of the time this is not possible.
Solution: filtering based on characteristics (port, protocol, …).
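The containment point above, as an added example that is not part of the original slides: constructed flow records for a host under a flood from forged source addresses show why a per-source-IP block list fails, and how a filter on traffic characteristics (protocol and destination port) is derived and scored instead. The address ranges, port numbers and packet counts are all constructed sample data.

```python
from collections import Counter
from ipaddress import IPv4Address

# Constructed flow records as a border sensor might summarise them:
# (src_ip, proto, dst_port, packets, label). The label exists only so the
# two containment options can be scored; a real sensor never supplies it.
def build_sample_flows():
    flows = []
    for i in range(40):                      # legitimate web clients (TEST-NET-1)
        flows.append((f"192.0.2.{i + 1}", "tcp", 443, 50, "legit"))
    for i in range(2):                       # legitimate NTP peers (TEST-NET-3)
        flows.append((f"203.0.113.{i + 1}", "udp", 123, 10, "legit"))
    base = int(IPv4Address("198.18.0.0"))    # benchmarking range stands in for forged sources
    for i in range(6000):                    # flood: one packet per distinct spoofed source
        flows.append((str(IPv4Address(base + i)), "udp", 80, 1, "attack"))
    return flows

def score(flows, blocked):
    """Fraction of attack packets and of legitimate packets dropped by predicate blocked(flow)."""
    total, dropped = Counter(), Counter()
    for flow in flows:
        total[flow[4]] += flow[3]
        if blocked(flow):
            dropped[flow[4]] += flow[3]
    return dropped["attack"] / total["attack"], dropped["legit"] / total["legit"]

def top_talker_blocklist(flows, n):
    """'Filter all traffic by IP': block the n busiest source addresses."""
    per_src = Counter()
    for src, _, _, pkts, _ in flows:
        per_src[src] += pkts
    return {src for src, _ in per_src.most_common(n)}

def characteristic_filter(flows, min_share):
    """'Filter by characteristics': (proto, dst_port) pairs carrying more than min_share of all packets."""
    per_key, total = Counter(), 0
    for _, proto, port, pkts, _ in flows:
        per_key[(proto, port)] += pkts
        total += pkts
    return {key for key, pkts in per_key.items() if pkts / total > min_share}

if __name__ == "__main__":
    flows = build_sample_flows()
    blocklist = top_talker_blocklist(flows, 100)
    print("block top-100 source IPs -> (attack dropped, legit dropped):",
          score(flows, lambda f: f[0] in blocklist))
    rule = characteristic_filter(flows, 0.5)
    print("block", rule, "->", score(flows, lambda f: (f[1], f[2]) in rule))
```

With one packet per forged source, the busiest addresses are the legitimate clients, so the IP block list drops all legitimate traffic and almost none of the flood, while the (udp, 80) rule drops the whole flood and nothing else.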

Step 3: Containment, Eradication and Recovery

1) Containment Strategies
Other strategies:
I. Correct the vulnerability
II. Relocate the target
III. Attack the attacker!

Definition: An unauthorized access incident occurs when a person gains access to resources that the person was not intended to have.

Special characteristic: these kinds of attacks mostly occur in several steps. First the attacker gains limited access through a vulnerability, then tries to gain a higher level of access. So tracking the incident is important.

Step 1: Preparation

1) Preparation
1) Education
2) Configuration
3) Control

2) Prevention
Network Security
Host Security
Authentication and Authorization
Physical Security

Step 2: Detection and Analysis

Unauthorized access has many types of occurrence and lots of precursors and indications; detection must be customized to the specific environment.

Step 2: Detection and Analysis

Precursors:
Detecting reconnaissance activities through IDPS
A failed physical access attempt to a system
A user report of a social engineering attempt
A new exploit for gaining unauthorized access is released publicly

Step 2: Detection and Analysis

Types of unauthorized access and possible indications:
Root compromise of a host
Unauthorized data modification
Unauthorized usage of a standard user account
Physical intruder
Unauthorized data access

Step 2: Detection and Analysis

Problem: it is difficult to distinguish malicious activity from benign activity.
Solution: a change management process.
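One way to put the change management process to work in detection, as an added example that is not part of the original slides: observed file changes (as a file-integrity monitor or audit log would report them) are matched against approved change tickets by host, path, actor and maintenance window, and anything without a covering ticket is handed to the analyst. The ticket id, hostnames, paths, accounts and times are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch

@dataclass(frozen=True)
class ApprovedChange:            # one record from the change management process
    ticket: str
    host: str
    path_glob: str               # files the ticket authorises touching
    actor: str                   # account approved to make the change
    start: datetime              # approved maintenance window
    end: datetime

@dataclass(frozen=True)
class ObservedChange:            # what a file-integrity monitor or audit log reports
    host: str
    path: str
    actor: str
    when: datetime

def covering_ticket(obs, approved):
    """Return the ticket that explains this observed change, or None if nothing authorises it."""
    for chg in approved:
        if (chg.host == obs.host and chg.actor == obs.actor
                and fnmatch(obs.path, chg.path_glob) and chg.start <= obs.when <= chg.end):
            return chg.ticket
    return None

def triage(observed, approved):
    """Split observed changes into explained [(change, ticket)] and unexplained [change]."""
    explained, unexplained = [], []
    for obs in observed:
        ticket = covering_ticket(obs, approved)
        if ticket:
            explained.append((obs, ticket))
        else:
            unexplained.append(obs)          # benign or malicious is unknown: investigate
    return explained, unexplained

# Constructed sample data: one approved ticket and four observed changes.
APPROVED = [ApprovedChange("CHG-1001", "web01", "/etc/nginx/*", "deploy",
                           datetime(2024, 5, 6, 2, 0), datetime(2024, 5, 6, 3, 0))]
OBSERVED = [
    ObservedChange("web01", "/etc/nginx/nginx.conf", "deploy", datetime(2024, 5, 6, 2, 15)),  # inside window
    ObservedChange("web01", "/etc/nginx/nginx.conf", "deploy", datetime(2024, 5, 6, 4, 10)),  # after window
    ObservedChange("web01", "/etc/sudoers", "root", datetime(2024, 5, 6, 2, 20)),            # outside ticket scope
    ObservedChange("db01", "/etc/ssh/sshd_config", "root", datetime(2024, 5, 6, 2, 30)),     # no ticket at all
]

if __name__ == "__main__":
    for obs, ticket in triage(OBSERVED, APPROVED)[0]:
        print("explained by", ticket, obs)
    for obs in triage(OBSERVED, APPROVED)[1]:
        print("investigate:", obs)
```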

Step 2: Detection and Analysis

Prioritization
Problem: calculating current and future impact is difficult.
Solution: the incident may need to be prioritized before the analysis is complete; this must be done based on an estimate of the current impact.
Next step: consider the criticality of the resources.

Step 3: Containment, Eradication and Recovery

1) Containment Strategies
Problem: response time is important, and the analysis step may take a long time.
Solution: perform an initial analysis, then prioritize, respond, and run another analysis stage.

Step 3: Containment, Eradication and Recovery

1) Containment Strategies
Easy solution: shutting down the system!!!
The moderate one: a combination of
Isolate the affected systems
Disable the affected service
Eliminate the attacker’s route into the environment
Disable user accounts that may have been used in the attack
Enhance physical security measures

Step 3: Containment, Eradication and Recovery

2) Eradication and Recovery
Recovery is based on the level of access.
In case of root access: system restore.
Mitigate the vulnerability.

Definition: An inappropriate usage incident occurs when a user performs actions that violate acceptable computing use policies.

Examples:
Download password cracking tools
Send spam promoting a personal business
Email harassing messages to coworkers
Set up an unauthorized Web site on one of the organization’s computers
Use file sharing services to acquire or distribute pirated materials
Transfer sensitive materials from the organization to external locations

Examples (attacks annoying outside entities from inside the organization):

An internal user:
Defacing another organization’s public Web site
Purchasing items from online retailers with stolen credit card numbers

A third party:
Sending spam emails with spoofed source email addresses that appear to belong to the organization
Performing a DoS against an organization by generating packets with spoofed source IP addresses that belong to the organization

Types of inappropriate use:
Personal e-mail
Deliberate disclosure of sensitive information
Inadvertent misuse

Impacts of inappropriate usage on the organization:
Loss of productivity
Increased risk of liability and legal action
Reduction (or loss) of network bandwidth
Increased risk of virus infection and other malicious code

Step 1: Preparation

1) Preparation
Coordinate with representatives of the organization’s human resources and the physical security team.
Set a proxy and log user activities.
Configure IDPS software.

Step 1: Preparation

2) Prevention
Configure: firewall, email server.
Set: URL filtering rule, limitation on use of encrypted protocols.

Step 2: Detection and Analysis

Usually there is no precursor; just user reports. Analyze the reports (is a report real or not?).
Problem: incidents reported from outside.
Solution: accurate and complete logging.

Step 2: Detection and Analysis

Different activities and their indications:
Attack against an external party: IDPS alerts and logs.
Access to inappropriate materials: user reports, IDPS alerts and logs.
Unauthorized access usage: unusual traffic, new processes, new files, user reports, IDPS alerts and logs.

Step 2: Detection and Analysis

Prioritization:
The business impact of these incidents is different. It depends on:
I. Whether the activity is criminal
II. How much damage the organization’s reputation may sustain

Step 2: Detection and Analysis

Prioritization: example of a response time table.

Step 3: Containment, Eradication and Recovery

Generally no such step is needed; it may be just reinstalling uninstalled software.
Evidence gathering is important.