Lesson 1 Course Introduction

Transcript of Lesson 1 Course Introduction. UTSA IS 3523 ID & Incident Response. Overview: Course Administrivia, Info Assurance Review, Incident Response. 48 pages.

Page 1:

Lesson 1 Course Introduction

Page 2:

UTSA IS 3523 ID & Incident Response

Overview

• Course Administrivia
• Info Assurance Review
• Incident Response

Page 3:

IS 3523 Intrusion Detection and Incident Response

• 5:30-6:45 PM M/W
• Robert Kaufman
  – Background
  – Contact information
• Syllabus and Class Schedule
• Student Background Information
  – Email

Page 4:

Student Information

• Name
• Reliable email address
• Email to [email protected]

Page 5:

Text Books

• Course Text:
  – Incident Response and Computer Forensics, Kevin Mandia and Chris Prosise, Osborne/McGraw-Hill Publishing, 2003. ISBN 0-07-222696-X
• Additional References:
  – Principles of Computer Security, Conklin, White, Cothren, Williams, and Davis
  – Hacking Exposed, McClure, Scambray, Kurtz
  – Cyber Crime Investigator's Field Guide, Bruce Middleton

Page 6:

Grading

• Grades
  – 2 Tests
  – Final
  – Many Projects/Labs

Page 7:

A Sampling of Malicious Activity

• March 1999 - eBay gets hacked
• March 1999 - Melissa virus hits Internet
• April 1999 - Chernobyl (CIH) virus hits
• May 1999 - Hackers shut down web sites of FBI, Senate, and DOE
• June 1999 - Worm.Explore.Zip virus hits
• July 1999 - Cult of the Dead Cow (cDc) releases Back Orifice 2000 (BO2K)
• Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
• Oct 1999 - Teenage hacker admits to breaking into AOL
• Nov 1999 - BubbleBoy virus hits
• Dec 1999 - Babylonia virus spreads
• Feb 2000 - Several major sites experience DDoS attacks
• Feb 2000 - Alaska Airlines site hacked
• May 2000 - Love Bug virus ravages net
• July 2001 - Code Red runs rampant
• Sept 2001 - Nimda explodes
• Jan 2003 - Slammer worm

Page 8:

You have to have security, or else…

• 2001 CSI/FBI Computer Crime and Security Survey
  – 538 security “practitioners” in the U.S.

• 91% reported computer security breaches within the previous 12 months

• 70% reported their Internet connection as a frequent point of attack (up from 59% in 2000)

• 64% suffered financial losses due to breaches, 35% could quantify this loss.

• Losses due to computer security breaches totaled (for the 186 respondents reporting a loss) $377,828,700

• Average loss $2,031,337

– Source: Computer Security Institute http://www.gocsi.com

Page 9:

And the hits just keep coming…

• 2002 CSI/FBI Computer Crime & Security Survey
  – 503 security “practitioners” in the U.S.
• 90% detected computer security breaches
• 40% detected penetrations from the outside
• 80% acknowledged financial losses due to breaches
• $455,848,000 in losses due to computer security breaches (for the 223 respondents reporting a loss)
• 26 reported theft of proprietary info ($170,827,000)
• 25 reported financial fraud ($115,753,000)
• 34% reported intrusions to law enforcement
• 78% detected employee abuse of internet access privileges, i.e. pornography and inappropriate email use

– Source: Computer Security Institute http://www.gocsi.com

Page 10:

And coming

• A 2003 FBI/CSI Computer Crime and Security Survey revealed the following:
  – 60% had a security breach in the last year
  – 78% detected employee abuse of internet privileges
  – 85% admitted to being infected by a computer virus
  – Average loss from insider access was $300,000
  – Average loss due to virus attack was $283,000
  – Average loss from telecom eavesdropping was $1,205,000
  – Average loss from outsider penetration was $226,000
  – Average reported loss from net abuse was $536,000
  – Source: Computer Security Institute http://www.gocsi.com

Page 11:

Internet Security Software Market

2002 - $7.4 Billion est.

1999 - $4.2 Billion

1998 - $3.1 Billion

1997 - $2 Billion

’97 & ’98 figures based on a study released by market research firm International Data Corp. in Framingham, Mass.

’99 & ’02 figures from IDC study based on a survey of 300 companies with more than $100 million in annual revenues

Page 12:

DISA VAAP Results

38,000 attacks
  PROTECTION: 13,300 blocked; 24,700 succeed (about 65% of attacks get through)
  DETECTION: of the 24,700 that succeed, 988 detected; 23,712 undetected (about 4% of successful attacks are noticed)
  REACTION: of the 988 detected, 267 reported; 721 not reported (about 27% of detected attacks are reported)

Net effect: 267 of 38,000 attacks, under 1%, were both detected and reported.

Page 13:

Computer Security

The prevention and/or detection of unauthorized actions by users of a computer system.

In the beginning, this meant ensuring privacy on shared systems. Today, the interesting aspect of security is enabling different levels of access.

Page 14:

What are our goals in Security?

• The “CIA” of security
  – Confidentiality
  – Integrity
    • Data integrity
    • Software integrity
  – Availability
    • Accessible and usable on demand
  – (Authentication)
  – (Nonrepudiation)

Page 15:

The “root” of the problem

• Most security problems can be grouped into one of the following categories:
  – Network and host misconfigurations
    • Lack of qualified people in the field
  – Operating system and application flaws
    • Deficiencies in vendor quality assurance efforts
    • Lack of qualified people in the field
    • Lack of understanding of/concern for security

Page 16:

Computer Security Operational Model

Protection = Prevention + (Detection + Response)

  Prevention: Access Controls, Encryption, Firewalls
  Detection + Response: Intrusion Detection, Incident Handling

Page 17:

Proactive vs. Reactive Models

• “Most organizations only react to security threats, and, often times, those reactions come after the damage has already been done.”

• “The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you.”

Page 18:

So What Happens When Computer Security Fails?

• Incident Response Methodology: 7-step process
  – Preparation: proactive computer security
  – Detection of incidents
  – Initial response
  – Formulate response strategy
  – Investigate the incident
  – Reporting
  – Resolution

Page 19:

7 Components of Incident Response (Page 15, Fig 2-1, Mandia 2nd Edition)

Pre-Incident Preparation
  → Detection of Incidents
  → Initial Response
  → Formulate Response Strategy
  → Investigate the Incident (Data Collection → Data Analysis)
  → Reporting
  → Resolution (Recovery; Implement Security Measures)

Page 20:

Incident response flowchart (Page 18, Fig 2-1, Mandia 1st Edition)

Pre-Incident Preparation
  → Detection of Incidents
  → Initial Response (Incident Response Team formed; Notification Checklist completed)
  → Is it really an Incident?
      No → Follow-Up
      Yes → Formulate Response Strategy
  → Pursue and accumulate evidence and/or secure system (can pursue both paths simultaneously)
      Secure System path: Isolate and Contain → Implement Security Measures
      Investigation path: Forensic duplication? (Yes → Forensic Duplication; No → Accumulate Evidence) → Perform Network Monitoring → Investigation
  → Reporting

Page 21:

Resources in the Fight

• SANS

• CERT CC

• FIRST

• DOE CIAC

• CERIAS

• NIST

Page 22:

SANS

• SysAdmin, Audit, Network, Security (SANS) Institute
• Global Incident Analysis Center (GIAC)
• Security alerts, updates, & education
• NewsBites, Security Digest, Windows Digest
• Certification
• http://www.sans.org/

Page 23:

Carnegie Mellon CERT CC

• Computer Emergency Response Team Coordination Center
• Started by DARPA
• Alerts & Response Services

• Training and CERT Standup

• Clearing House

• http://www.cert.org

Page 24:

FIRST

• Forum of Incident Response and Security Teams
• Established 1990, in response to the 1988 Internet worm

• Govt & Private Sector Membership

• Over 70 Members

• Coordinate Global Response

• http://www.first.org

Page 25:

DOE CIAC

• Computer Incident Advisory Capability
• Established 1989
• Part of Lawrence Livermore National Laboratory
• Awareness training and education
• Trend, threat, and vulnerability data collection and analysis

• http://ciac.llnl.gov/

Page 26:

CERIAS

• Center for Education and Research in Information Assurance and Security
• Home of Gene Spafford
• A "University Center"
• InfoSec Research & Education
• Members: Academia, Govt, & Industry
• http://www.cerias.purdue.edu/coast/

Page 27:

NIST

• National Institute of Standards and Technology (NIST)
• Operates the Computer Security Resource Clearinghouse (CSRC)
• Raising awareness
• Multiple disciplines
• Main source of Federal Government standards
• http://csrc.ncsl.nist.gov/

Page 28:

So How Many Vulnerabilities Are Out There?

Let's See What the CERT CC Says.

Pages 29-33: CERT CC vulnerability statistics charts (image-only slides, no text).

Page 34:

History Lesson: The Art of War, Sun Tzu

Lesson for you

• Know the enemy

• Know yourself… and in a hundred battles you will never be defeated

• If ignorant both of your enemy and of yourself you are certain in every battle to be in peril

Page 35:

History Lesson: The Art of War, Sun Tzu

Lesson for the Hacker

• Probe him and learn where his strength is abundant and where deficient

• To subdue the enemy without fighting is the acme of skill

• One able to gain victory by modifying his tactics in accordance with the enemy situation may be said to be divine

Page 36:

Hacker Attacks

• Intent is for you to know your enemy

• Not intended to make you a hacker

• Need to know defensive techniques

• Need to know where to start recovery process

• Need to assess extent of investigative environment

Page 37:

Anatomy of a Hack

FOOTPRINTING → SCANNING → ENUMERATION → GAINING ACCESS → ESCALATING PRIVILEGE → PILFERING → COVERING TRACKS → CREATING BACKDOORS

DENIAL OF SERVICE (the fallback when access cannot be gained or escalated)

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 38:

Footprinting

Objective
• Target address range
• Acquire namespace
• Information gathering
• Surgical attack
• Don't miss details

Technique
• Open source search
• whois
• Web interface to whois
• ARIN whois
• DNS zone transfer

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 39:

Scanning

Objective
• Bulk target assessment
• Determine listening services
• Focus attack vector

Technique
• Ping sweep
• TCP/UDP scan
• OS detection

Source: Hacking Exposed, McClure, Scambray, and Kurtz
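Worked example, added here and not taken from the slides or from Hacking Exposed: the attacker's side of the scanning step (a TCP connect() scan that classifies each port as open, closed or filtered) run against a throwaway listener on 127.0.0.1, and the defender's side, a sliding-window port-scan detector fed with firewall log lines. The listener, the attacker address 10.0.0.5 and the netfilter-style log line format are constructed for the example.

```python
import re
import socket
import threading
from collections import defaultdict, deque
from concurrent.futures import ThreadPoolExecutor


def start_listener(port=0):
    """Throwaway TCP service on loopback standing in for a target host
    (constructed for this example). Port 0 lets the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # socket closed, stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host, port, timeout=0.5):
    """TCP connect() probe. A completed handshake means a service is listening,
    an immediate RST means closed, and a timeout usually means a filter dropped it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"
        except ConnectionRefusedError:
            return port, "closed"
        except (socket.timeout, OSError):
            return port, "filtered"


def scan_ports(host, ports, workers=32):
    """Attacker side: bulk assessment of the given port list, probes in parallel."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: probe(host, p), ports))


def firewall_log_lines(src, dst, ports, t0=1000.0):
    """Constructed log lines, one per probe, in the style of a netfilter LOG target:
    what the target's firewall would have recorded while the scan above ran."""
    return [f"t={t0 + i * 0.01:.2f} IN=eth0 SRC={src} DST={dst} PROTO=TCP DPT={p} SYN"
            for i, p in enumerate(ports)]


LOG_RE = re.compile(r"t=(?P<t>[\d.]+) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+) .*SYN")


class PortScanDetector:
    """Defender side: a source touching >= threshold distinct ports within
    `window` seconds is flagged once. Per-source sliding window of SYNs."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)       # src -> deque of (ts, dport)
        self.alerts = {}                     # src -> (ts of alert, distinct ports)

    def observe(self, line):
        m = LOG_RE.search(line)
        if not m:
            return
        ts, src, dpt = float(m["t"]), m["src"], int(m["dpt"])
        q = self.seen[src]
        q.append((ts, dpt))
        while q and ts - q[0][0] > self.window:   # drop SYNs outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold and src not in self.alerts:
            self.alerts[src] = (ts, len(distinct))


def demo():
    """Scan 20 ports around the live listener, then replay the same probes as
    firewall log lines through the detector. Returns (scan results, live port, alerts)."""
    target = "127.0.0.1"
    live = start_listener()
    ports = list(range(live - 10, live + 10))
    results = scan_ports(target, ports)
    det = PortScanDetector()
    for line in firewall_log_lines("10.0.0.5", target, ports):  # constructed attacker IP
        det.observe(line)
    return results, live, det.alerts
```

The detector keys on distinct destination ports rather than raw SYN count, so a busy legitimate client hammering one service does not trip it, while a sweep of twenty ports does.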

Page 40:

Enumeration

Objective
• Intrusive probing commences
• Identify valid accounts
• Identify poorly protected shares

Technique
• List user accounts
• List file shares
• Identify applications

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 41:

Gaining Access

Objective
• Informed attempt to access target
• Typically user-level access

Technique
• Password sniffing
• File share brute forcing
• Password file grab
• Buffer overflows

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 42:

Escalating Privilege

Objective
• Gain root-level access

Technique
• Password cracking
• Known exploits

Source: Hacking Exposed, McClure, Scambray, and Kurtz
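Added example, not from the slides or the textbooks, of the password-cracking step that follows a password file grab: a dictionary attack against a constructed "grabbed password file" stored two ways, unsalted SHA-1 and salted PBKDF2-HMAC-SHA256. The account names, passwords, wordlist and the 1,000-iteration count are constructed for the example; the point is how many hash computations each storage scheme forces on the attacker.

```python
import hashlib

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2003", "admin", "s3cret!"]


def unsalted_sha1(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def salted_pbkdf2(pw, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def build_grabbed_files(iterations):
    """Two constructed password files holding the same accounts.
    legacy: user -> sha1hex (no salt).  modern: user -> (salt, pbkdf2hex)."""
    accounts = {"root": "s3cret!", "alice": "password", "bob": "letmein",
                "carol": "password", "dave": "Tr0ub4dor&3"}   # dave is not in the wordlist
    legacy = {u: unsalted_sha1(p) for u, p in accounts.items()}
    # Fixed per-user salts (derived from the name) so the example is deterministic;
    # a real system draws them from a CSPRNG.
    salts = {u: hashlib.sha256(u.encode()).digest()[:8] for u in accounts}
    modern = {u: (salts[u], salted_pbkdf2(p, salts[u], iterations)) for u, p in accounts.items()}
    return legacy, modern


def crack_unsalted(legacy, wordlist):
    """One lookup table, built once, is checked against every user at no extra cost.
    Identical passwords (alice and carol) even show up as identical hashes.
    Returns (user -> recovered password or None, hash computations performed)."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {u: table.get(h) for u, h in legacy.items()}, len(wordlist)


def crack_salted(modern, wordlist, iterations):
    """With per-user salts there is no shared table: each user costs a fresh pass
    over the wordlist, and each guess costs `iterations` HMAC rounds.
    Returns (user -> recovered password or None, guesses hashed)."""
    found, hashes = {}, 0
    for u, (salt, h) in modern.items():
        found[u] = None
        for w in wordlist:
            hashes += 1
            if salted_pbkdf2(w, salt, iterations) == h:
                found[u] = w
                break
    return found, hashes
```

Both schemes give up every password that is in the wordlist; the difference is that the unsalted file costs seven hashes for all five users, while the salted one costs a separate pass per user with each guess multiplied by the iteration count, which is the whole reason to store passwords with a salted, deliberately slow function (bcrypt, scrypt or Argon2 in practice, with far more than 1,000 iterations).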

Page 43:

Pilfering

Objective
• Info gathering to access trusted systems

Technique
• Evaluate trusts
• Search for cleartext passwords

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 44:

Cover Tracks

Objective
• Ensure highest access
• Hide access from system administrator or owner

Technique
• Clear logs
• Hide tools

Source: Hacking Exposed, McClure, Scambray, and Kurtz

Page 45:

Creating Back Doors

Objective
• Deploy trap doors
• Ensure easy return access

Technique
• Create rogue user accounts
• Schedule batch jobs
• Infect startup files
• Plant remote control services
• Install monitors
• Trojanize

Source: Hacking Exposed, McClure, Scambray, and Kurtz
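Added example, not from the slides, covering the last two slides together (Cover Tracks and Creating Back Doors) from the responder's side: a baseline comparison that flags rogue accounts, extra UID-0 entries, changed shells and new cron entries, plus a timestamp check over auth log lines that surfaces the silence or clock skew left behind when logs are cleared. All file contents, log lines, hostnames and addresses are constructed; the 1-hour gap threshold is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed passwd snapshots: baseline from pre-incident preparation, current from the box.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup:/tmp:/bin/bash
"""
# Constructed root crontabs (scheduled batch job planted under /dev/shm).
BASELINE_CRON = "0 2 * * * /usr/local/bin/backup.sh\n"
CURRENT_CRON = ("0 2 * * * /usr/local/bin/backup.sh\n"
                "*/5 * * * * /dev/shm/.x/rc >/dev/null 2>&1\n")
# Constructed auth log: a 3h silence, then a line stamped earlier than its predecessor.
AUTH_LOG = [
    "Jan 25 01:00:12 host sshd[411]: Accepted password for alice from 10.0.0.8 port 51022 ssh2",
    "Jan 25 01:05:40 host CRON[520]: (root) CMD (/usr/local/bin/backup.sh)",
    "Jan 25 01:06:01 host sshd[533]: Failed password for root from 10.0.0.5 port 40211 ssh2",
    "Jan 25 04:30:07 host sshd[702]: Accepted password for toor from 10.0.0.5 port 40300 ssh2",
    "Jan 25 01:10:00 host sshd[710]: pam_unix(sshd:session): session opened for user alice",
]


def parse_passwd(text):
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid, _gid, _gecos, home, shell = line.split(":")
        rows[name] = {"uid": int(uid), "home": home, "shell": shell}
    return rows


def audit_accounts(baseline_text, current_text):
    """Rogue-account check: new accounts, changed login shells, extra UID-0 users."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, row in cur.items():
        if name not in base:
            findings.append(f"new account {name} (uid {row['uid']}, shell {row['shell']})")
        elif base[name]["shell"] != row["shell"]:
            findings.append(f"shell changed for {name}: {base[name]['shell']} -> {row['shell']}")
    findings += [f"extra uid-0 account {n}" for n, r in cur.items() if r["uid"] == 0 and n != "root"]
    return findings


def audit_cron(baseline_text, current_text):
    """Scheduled-job check: any crontab line not present in the baseline."""
    base = set(baseline_text.splitlines())
    return [f"new cron entry: {ln}" for ln in current_text.splitlines() if ln and ln not in base]


LOG_TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")


def audit_log_gaps(lines, year=2003, max_gap=timedelta(hours=1)):
    """Cover-tracks check: a normally chatty log that goes silent, or whose
    timestamps run backwards, points at deleted lines or a reset clock."""
    findings, prev = [], None
    for ln in lines:
        m = LOG_TS.match(ln)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if prev and ts < prev:
            findings.append(f"timestamp went backwards at: {ln}")
        elif prev and ts - prev > max_gap:
            findings.append(f"gap of {ts - prev} before: {ln}")
        prev = ts
    return findings


def run_audit():
    return (audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD)
            + audit_cron(BASELINE_CRON, CURRENT_CRON)
            + audit_log_gaps(AUTH_LOG))
```

The baseline has to come from pre-incident preparation: without a trusted copy of passwd and the crontabs taken before the compromise, there is nothing to diff against, which is the practical meaning of "Preparation" in the 7-step process.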

Page 46:

Denial of Service

Objective
• If unable to escalate privilege, then kill
• Build DDoS network

Technique
• SYN flood
• ICMP attacks
• Identical src/dst SYN requests
• Out-of-bounds TCP options
• DDoS

Source: Hacking Exposed, McClure, Scambray, and Kurtz
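Added example, not from the slides: detection of two of the TCP attacks listed above over constructed packet records. A SYN flood shows up as a backlog of half-open connections per (destination, port) that the clients never complete; an identical src/dst SYN (the Land attack) is flagged on sight. The packet tuple format, the addresses, the 50-connection threshold and the 1-second window are all constructed for the example.

```python
from collections import defaultdict

# Constructed packet records: (time, src, sport, dst, dport, flags), flags as S / SA / A.
TARGET = "192.0.2.10"


def handshake(t, src, sport, dst, dport):
    """A normal three-way handshake: SYN, SYN-ACK, ACK."""
    return [(t, src, sport, dst, dport, "S"),
            (t + 0.001, dst, dport, src, sport, "SA"),
            (t + 0.002, src, sport, dst, dport, "A")]


def synflood(t, dst, dport, n):
    """n SYNs from spoofed sources, 0.5 ms apart, with no ACK ever following."""
    return [(t + i * 0.0005, f"198.51.100.{i % 254 + 1}", 1024 + i, dst, dport, "S")
            for i in range(n)]


def land(t, host, port):
    """Land attack: SYN whose source and destination address:port are identical."""
    return [(t, host, port, host, port, "S")]


def detect_dos(packets, halfopen_threshold=50, window=1.0):
    """Tracks half-open connections per (dst, dport): a SYN opens one, the
    client's ACK closes it, SYNs older than `window` seconds are forgotten.
    A backlog at or above the threshold is reported once as a SYN flood.
    Returns a list of (kind, dst, dport, time) alerts in time order."""
    pending = defaultdict(dict)      # (dst, dport) -> {(src, sport): t_syn}
    flooded = set()
    alerts = []
    for t, src, sport, dst, dport, flags in sorted(packets):
        if flags == "S" and src == dst and sport == dport:
            alerts.append(("land", dst, dport, t))
            continue
        key = (dst, dport)
        if flags == "S":
            pending[key][(src, sport)] = t
            for k, t0 in list(pending[key].items()):
                if t - t0 > window:
                    del pending[key][k]
            if len(pending[key]) >= halfopen_threshold and key not in flooded:
                flooded.add(key)
                alerts.append(("synflood", dst, dport, t))
        elif flags == "A":
            pending[key].pop((src, sport), None)
    return alerts


def demo():
    """Mixed capture: two clean handshakes, a Land packet, then an 80-SYN flood."""
    capture = (handshake(0.0, "10.0.0.8", 51000, TARGET, 80)
               + handshake(5.0, "10.0.0.9", 51001, TARGET, 80)
               + land(7.0, TARGET, 139)
               + synflood(10.0, TARGET, 80, 80))
    return detect_dos(capture)
```

The half-open count is the right signal because it is exactly the resource a SYN flood exhausts (the listen backlog); the same bookkeeping is what SYN cookies avoid keeping on the server side.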

Page 47:

Hacker Exploits per SANS

RECONNAISSANCE → SCANNING → EXPLOIT SYSTEMS → KEEPING ACCESS → COVER TRACKS

Source: SANS Institute

Page 48:

Hacking Summary

• Threat: Hacking on the rise

• Security posture usually reactive

• Losses increasing

• 7 Step Process

• Hacker Techniques