APA of Isfahan University of Technology In the name of God.
In the name of God

Computer Security Incident
The term “security incident” is defined as the act of non-compliance with the security policy, procedure, or a core security requirement that impacts the confidentiality, integrity and availability of health information.
The four phases of incident handling:
1) Preparation
2) Detection and Analysis
3) Containment, Eradication, Recovery
4) Post-Incident Activities
1) Preparation: The organization is ready to respond to incidents, and also prevents incidents by ensuring that systems, networks, and applications are sufficiently secure.
2) Detection and Analysis: The organization receives the incident report or a sign of an incident and searches for its type and cause.
3) Containment, Eradication, Recovery: The organization can act to mitigate the impact of the incident by containing it and ultimately recovering from it.
4) Post-Incident Activities: The organization members share “lessons learned” from the incident.
2) Preventing Incidents
Recommended practices for securing networks:
Patch Management
Host Security
Network Security
Malicious Code Prevention
Definition: A Denial of Service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.
DDoS: Distributed Denial of Service
Types of DDoS attacks:
1) Reflector Attack
2) Amplifier Attack
3) Flood Attack
Step 1: Preparation
1) Preparation
I. ISP
II. IDS Configuration
III. Resource Monitoring
IV. Maintain Paper Copy of Handling Documents
2) Prevention
I. Control Traffic
II. On Internet-accessible hosts, disable all unneeded services
III. Implement redundancy for key functions
IV. Ensure that networks and systems are not running near maximum capacity
Step 2: Detection and Analysis
Precursors and reactions:
Low volume of traffic caused by reconnaissance activities → Block ways of attack
A new DoS tool → Investigate it and change configurations
Step 2: Detection and Analysis
Indication of each type of DoS:
Network-based DoS against a host
Network-based DoS against a network
DoS against the OS of a host
DoS against an application on a particular host
Step 2: Detection and Analysis
The IP address in most cases is spoofed → Logs may be helpful to find the attacker.
When an outage occurs, no one may realize that a DoS attack caused it → Outages are so common!
Network-based DoS attacks are difficult for IDPS sensors to detect with a high degree of accuracy → Users get false alerts and so disable it.
The attacker uses zombies → The agents are not the guilty party.
Step 3:
1) Containment Strategies
Simple solution: Filtering all traffic by IP
Spoofed IPs → Most of the time not possible
Solution:
Filtering based on characteristics (port, protocol, …)
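The detection and containment points above (a flood whose source addresses are spoofed, so per-IP filtering is not possible, and filtering on characteristics such as port and protocol instead) can be shown on flow records. The following is an added example written for this page, not code from the slides or from Isfahan University of Technology; the flow records, the rate threshold, the "source spread" heuristic and the iptables-style rule text are all constructed for illustration.

```python
from collections import Counter, defaultdict


# Constructed sample flow records for this example (not data from the slides):
# (timestamp_seconds, src_ip, dst_ip, protocol, dst_port, bytes)
def build_sample_flows():
    flows = []
    # Baseline: 20 normal HTTPS flows from five repeat clients over a 10 s window.
    for i in range(20):
        flows.append((i % 10, f"198.51.100.{i % 5}", "192.0.2.10", "tcp", 443, 1500))
    # Flood: 300 small UDP datagrams to port 53 from 250 distinct, rarely repeating
    # source addresses, the pattern a spoofed-source flood leaves in flow logs.
    for i in range(300):
        flows.append((i % 10, f"203.0.113.{i % 250}", "192.0.2.10", "udp", 53, 64))
    return flows


def summarize(flows, window_secs):
    """Group flows by (dst_ip, protocol, dst_port); compute packet rate and source spread."""
    counts = Counter()
    sources = defaultdict(set)
    for _ts, src, dst, proto, port, _nbytes in flows:
        key = (dst, proto, port)
        counts[key] += 1
        sources[key].add(src)
    return {
        key: {
            "packets": counts[key],
            "pps": counts[key] / window_secs,
            "distinct_sources": len(sources[key]),
        }
        for key in counts
    }


def detect_floods(flows, window_secs=10, pps_threshold=10.0, spoof_ratio=0.5):
    """Return one finding per (dst, proto, port) group whose rate exceeds the threshold.

    per_ip_filter_feasible is False when most packets come from distinct sources:
    that is the 'spoofed IPs' case on the slide, where blocking by source address
    cannot work and the filter has to key on traffic characteristics instead.
    """
    findings = []
    for key, stats in summarize(flows, window_secs).items():
        if stats["pps"] < pps_threshold:
            continue
        source_spread = stats["distinct_sources"] / stats["packets"]
        findings.append({
            "key": key,
            "pps": stats["pps"],
            "distinct_sources": stats["distinct_sources"],
            "per_ip_filter_feasible": source_spread < spoof_ratio,
        })
    return findings


def filter_rule(finding):
    """Render an illustrative iptables-style rule for a finding (constructed text).

    When per-source filtering is infeasible the rule matches on destination,
    protocol and port, i.e. the slide's 'filtering based on characteristics'.
    """
    dst, proto, port = finding["key"]
    if finding["per_ip_filter_feasible"]:
        return f"# few sources: block the offending source addresses for {dst}:{port}/{proto}"
    return f"iptables -A INPUT -d {dst} -p {proto} --dport {port} -j DROP"


if __name__ == "__main__":
    for f in detect_floods(build_sample_flows()):
        print(f["key"], f"{f['pps']:.0f} pps from", f["distinct_sources"], "sources")
        print("   ", filter_rule(f))
```

The baseline HTTPS group stays under the threshold; the UDP/53 group is flagged at 30 packets per second from 250 sources, so the example emits a port-and-protocol rule rather than a source-address list. A flat drop on a service port also discards legitimate traffic to that port, which is why in practice the characteristic-based filter is usually a rate limit or is applied upstream by the ISP named in the Preparation step.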
Step 3: 1) Containment Strategies
Other strategies:
I. Correct vulnerability
II. Relocate the target
III. Attack the attacker!
Definition: An unauthorized access incident occurs when a person gains access to resources that the person was not intended to have.
Special characteristic:
These kinds of attacks mostly occur in several steps. First the attacker gains limited access through a vulnerability, then tries to gain a higher level of access.
So: tracking the incident is important.
Step 1: Preparation
1) Preparation
I. Education
II. Configuration
III. Control
2) Prevention
Network Security
Host Security
Authentication and Authorization
Physical Security
Step 2: Detection and Analysis
Unauthorized access has many types of occurrence.
Lots of precursors and indications.
Detection must be customized to the specific environment.
Step 2: Detection and Analysis
Precursors:
Detecting reconnaissance activities through IDPS
A failed physical access attempt to a system
A user report of a social engineering attempt
A new exploit for gaining unauthorized access is released publicly
Step 2: Detection and Analysis
Types of unauthorized access and possible indications:
Root compromise of a host
Unauthorized data modification
Unauthorized usage of a standard user account
Physical intruder
Unauthorized data access
Step 2: Detection and Analysis
Problem: It is difficult to distinguish malicious activity from benign activity.
Solution: Change management process
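The "change management process" solution works by reconciling what the audit trail says changed against what was approved to change. The following added example (not code from the slides) does that reconciliation: it parses constructed file-integrity audit lines and marks each event as explained by an approved change ticket or as unexplained and therefore a candidate unauthorized data modification. The ticket format, the audit-line format, the host names and the paths are all hypothetical.

```python
import re
from datetime import datetime

# Constructed approved-change records (hypothetical tickets): who may change
# what, on which host, during which maintenance window.
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "host": "web01", "path_prefix": "/etc/nginx/",
     "actor": "ops-deploy", "window": ("2024-05-01T22:00:00", "2024-05-02T00:00:00")},
    {"ticket": "CHG-1002", "host": "db01", "path_prefix": "/etc/",
     "actor": "root", "window": ("2024-05-02T00:30:00", "2024-05-02T02:00:00")},
]

# Constructed file-integrity audit lines (hypothetical format, one event per line).
AUDIT_LINES = [
    "2024-05-01T22:15:03 host=web01 actor=ops-deploy action=modify path=/etc/nginx/nginx.conf",
    "2024-05-01T23:40:10 host=web01 actor=www-data action=create path=/var/www/html/uploads/new.php",
    "2024-05-02T01:05:00 host=db01 actor=root action=modify path=/etc/my.cnf",
    "2024-05-02T03:10:45 host=db01 actor=root action=modify path=/etc/sudoers",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) actor=(?P<actor>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)


def parse_event(line):
    """Turn one audit line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable audit line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def explaining_ticket(event, changes=APPROVED_CHANGES):
    """Return the ticket id of an approved change covering the event, else None.

    A change explains an event only if host, actor, path prefix and time window
    all match; a root edit outside its window is still unexplained.
    """
    for chg in changes:
        start, end = (datetime.fromisoformat(t) for t in chg["window"])
        if (event["host"] == chg["host"]
                and event["actor"] == chg["actor"]
                and event["path"].startswith(chg["path_prefix"])
                and start <= event["ts"] <= end):
            return chg["ticket"]
    return None


def reconcile(lines, changes=APPROVED_CHANGES):
    """Split audit events into explained (matching a ticket) and unexplained."""
    explained, unexplained = [], []
    for line in lines:
        ev = parse_event(line)
        ticket = explaining_ticket(ev, changes)
        (explained if ticket else unexplained).append((ev, ticket))
    return explained, unexplained


if __name__ == "__main__":
    explained, unexplained = reconcile(AUDIT_LINES)
    for ev, ticket in explained:
        print("OK  ", ticket, ev["host"], ev["path"])
    for ev, _ in unexplained:
        print("INVESTIGATE", ev["host"], ev["actor"], ev["action"], ev["path"])
```

Two of the four constructed events are covered by tickets; the file created by the web-server account under the document root and the root edit of /etc/sudoers outside the approved window are left for the handler to investigate. The value of the approach depends entirely on the change records being complete: an undocumented legitimate change shows up as a false positive, which is the slide's point about why the process has to exist.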
Step 2: Detection and Analysis
Prioritization
Problem: Calculating current and future impact is difficult.
Solution: The incident may need to be prioritized before the analysis is complete. It must be done based on an estimate of the current impact.
Next step: Considering the criticality of the resources.
Step 3:
1) Containment Strategies
Problem: Response time is important. The analysis step may take a long time.
Solution: Perform an initial analysis, then prioritize, respond, and run another analysis stage.
Step 3: 1) Containment Strategies
Easy solution: Shutting down the system!!!
The moderate one: A combination of:
Isolate the affected systems
Disable the affected service
Eliminate the attacker’s route into the environment
Disable user accounts that may have been used in the attack
Enhance physical security measures
Step 3:
2) Eradication and Recovery
Recovery is based on level of access
In case of root access → system restore
Mitigate the vulnerability
Definition: An Inappropriate Usage incident occurs when a user performs actions that violate acceptable computing use policies.
Examples:
Download password cracking tools
Send spam promoting a personal business
Email harassing messages to coworkers
Set up an unauthorized Web site on one of the organization’s computers
Use file sharing services to acquire or distribute pirated materials
Transfer sensitive materials from the organization to external locations
Examples (attacks annoying outside entities from inside the organization):
An internal user:
Defacing another organization’s public Web site
Purchasing items from online retailers with stolen credit card numbers
A third party:
Sending spam emails with spoofed source email addresses that appear to belong to the organization
Performing a DoS against an organization by generating packets with spoofed source IP addresses that belong to the organization
Types of inappropriate use:
Personal e-mail
Deliberate disclosure of sensitive information
Inadvertent misuse
Impacts of inappropriate usage on the organization:
Loss of productivity
Increased risk of liability and legal action
Reduction (or loss) of network bandwidth
Increased risk of virus infection and other malicious code
Step 1: Preparation
1) Preparation
Coordinate with:
Representatives of the organization’s human resources
Physical security team
Set a proxy and log users’ activities
Configure IDPS software
Step 1: Preparation
2) Prevention
Configure:
Firewall
Email server
Set:
URL filtering rule
Limitation on use of encrypted protocols
Step 2: Detection and Analysis
Usually no precursor, just user reports. Analyze the reports (is a report real or not?).
Problem: Incidents reported from outside
Solution: Accurate and complete logging
Step 2: Detection and Analysis
Different activities and indications:
Attack against external party → IDPS alerts and logs
Access to inappropriate materials → User reports, IDPS alerts and logs
Unauthorized access usage → Unusual traffic, new processes, new files, user reports, IDPS alerts and logs
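The prevention settings from Step 1 (a URL filtering rule and a limitation on encrypted protocols) and the detection source above (proxy logs that reveal access to inappropriate materials) fit together in one piece of code. The following added example, written for this page and not taken from the slides, evaluates constructed proxy log lines against a constructed URL-filtering policy: named domain categories are denied, and CONNECT tunnels (the encrypted-protocol case) are allowed only to the HTTPS port. The log format, the category names, the domains and the port list are all hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed URL-filtering policy: category -> domains (hypothetical).
BLOCKED_DOMAINS = {
    "file-sharing": {"torrent.example", "p2p.example"},
    "cracking-tools": {"crackers.example"},
}
# Limitation on encrypted protocols: opaque CONNECT tunnels only to HTTPS.
ALLOWED_TUNNEL_PORTS = {443}

# Constructed proxy access-log lines (hypothetical format).
PROXY_LOG = [
    "2024-05-06T09:01:12 user=alice method=GET target=http://intranet.example/news status=200",
    "2024-05-06T09:05:40 user=bob method=CONNECT target=p2p.example:6881 status=200",
    "2024-05-06T09:07:03 user=carol method=GET target=http://torrent.example/list status=200",
    "2024-05-06T09:09:30 user=alice method=CONNECT target=mail.example:443 status=200",
    "2024-05-06T09:12:15 user=dave method=GET target=http://crackers.example/tools status=200",
    "2024-05-06T09:14:50 user=erin method=CONNECT target=vpn.example:1194 status=200",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"target=(?P<target>\S+) status=(?P<status>\d+)$"
)


def host_and_port(method, target):
    """CONNECT targets are host:port; other requests carry a full URL."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port)
    parts = urlsplit(target)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def evaluate(method, target):
    """Apply the URL-filtering rule, then the encrypted-protocol limitation."""
    host, port = host_and_port(method, target)
    for category, domains in BLOCKED_DOMAINS.items():
        if host in domains:
            return ("deny", f"url-filter:{category}")
    if method == "CONNECT" and port not in ALLOWED_TUNNEL_PORTS:
        return ("deny", f"tunnel-port:{port}")
    return ("allow", "")


def violations_by_user(lines):
    """Detection side: count policy violations per user from the proxy log.

    Returns (Counter of user -> violations, list of (timestamp, user, reason)).
    """
    counts = Counter()
    details = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skipped here, worth alerting on in production
        rec = m.groupdict()
        decision, reason = evaluate(rec["method"], rec["target"])
        if decision == "deny":
            counts[rec["user"]] += 1
            details.append((rec["ts"], rec["user"], reason))
    return counts, details


if __name__ == "__main__":
    counts, details = violations_by_user(PROXY_LOG)
    for ts, user, reason in details:
        print(ts, user, reason)
    print(dict(counts))
```

Running the same policy at enforcement time (the proxy denies the request) and at analysis time (the log is replayed to see who tried what) is what makes a user report or an outside complaint checkable: the handler can confirm from the log whether the reported activity actually happened and from which account. The tunnel-port rule is deliberately coarse; a real deployment would also cover non-standard ports on plain GET requests and keep an allow list for legitimate services on other ports.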
Step 2: Detection and Analysis
Prioritization:
The business impact of these incidents is different.
It depends on:
I. Whether the activity is criminal
II. How much damage the organization’s reputation may sustain
Step 2: Detection and Analysis
Prioritization: Example of response time table
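The prioritization rules stated across the unauthorized access and inappropriate usage sections (rank on an estimate of current impact before analysis is complete, then weigh resource criticality, whether the activity is criminal and the reputation damage, and read a response time off a table) can be put into one small scheduler. The following added example, not code from the slides, does that and also re-ranks an incident when a later analysis stage revises its estimate. The level scale, the weights and the response-time table are constructed for illustration; the slide's own table is not reproduced on this page.

```python
from datetime import datetime, timedelta

# Constructed three-point scale shared by impact estimate, resource
# criticality and reputation risk.
LEVEL = {"low": 1, "medium": 2, "high": 3}

# Constructed response-time table: minimum score -> target delay to begin response.
RESPONSE_TARGETS = [
    (10, timedelta(minutes=15)),
    (6, timedelta(hours=1)),
    (3, timedelta(hours=4)),
    (0, timedelta(days=1)),
]


def priority_score(current_impact, resource_criticality, criminal=False, reputation_risk="low"):
    """Impact x criticality, plus a fixed weight for criminal activity and the reputation level."""
    score = LEVEL[current_impact] * LEVEL[resource_criticality]
    if criminal:
        score += 3
    score += LEVEL[reputation_risk]
    return score


def response_target(score):
    """Look up the target delay for a score in the (descending) table."""
    for threshold, delay in RESPONSE_TARGETS:
        if score >= threshold:
            return delay
    return RESPONSE_TARGETS[-1][1]


class IncidentQueue:
    """Incidents ranked on an initial estimate and re-ranked as analysis refines it."""

    def __init__(self):
        self._incidents = {}

    def add(self, incident_id, reported_at, **factors):
        self._incidents[incident_id] = {"reported_at": reported_at, "factors": factors}

    def update(self, incident_id, **factors):
        """A later analysis stage revises some factors; the ranking follows."""
        self._incidents[incident_id]["factors"].update(factors)

    def ranked(self):
        """Return [(id, score, response deadline)], highest score first, earliest deadline on ties."""
        rows = []
        for iid, inc in self._incidents.items():
            score = priority_score(**inc["factors"])
            rows.append((iid, score, inc["reported_at"] + response_target(score)))
        rows.sort(key=lambda r: (-r[1], r[2]))
        return rows


def run_demo():
    """Constructed scenario: two incidents, one re-estimated after initial analysis."""
    q = IncidentQueue()
    t0 = datetime(2024, 5, 1, 9, 0)
    q.add("INC-1", t0, current_impact="medium", resource_criticality="high")
    q.add("INC-2", t0, current_impact="low", resource_criticality="medium")
    before = q.ranked()
    # Initial analysis of INC-2 finds a higher impact and evidence of criminal activity.
    q.update("INC-2", current_impact="high", criminal=True)
    after = q.ranked()
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("initial ranking:", before)
    print("after re-estimate:", after)
```

INC-1 leads at first (medium impact on a highly critical resource scores 7, a one-hour target); once INC-2 is re-estimated as high impact and criminal it scores 10 and moves to the top with a fifteen-minute target. The queue keeps the reported time fixed, so a revised score shortens the remaining time rather than restarting the clock.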
Step 3: Containment, Eradication and Recovery
Generally no such step is needed
May be just reinstalling uninstalled software
Evidence gathering is important