1 / 0

Computer Incident Response, BCP, DRP, Backups

Computer Incident Response, BCP, DRP, Backups. Lesson 16. An Incident is any event that disrupts normal operating procedure and precipitates some level of crisis. A Computer Intrusion. Denial of Service Attack. Theft of information. Computer Misuse. A power failure.

abia
Download Presentation

Computer Incident Response, BCP, DRP, Backups

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Incident Response,BCP, DRP, Backups

    Lesson 16
  2. An Incident is any event that disrupts normal operating procedure and precipitates some level of crisis. A Computer Intrusion. Denial of Service Attack. Theft of information. Computer Misuse. A power failure. Investigator(s) gather facts, analyze and resolve the incident. Incident Definitions From “Incident Response” by Mandia and Prosise
  3. Confirms or disproves an Incident. Accumulate accurate and timely information. The proper retrieval and handling of Evidence. The protection of privacy rights as established by law and policy. Minimal disruption of business and network operations. The legal or civil action against offenders. Accurate reports and useful recommendation. Incident Response Goals
  4. Define Roles. Establish Policies. Identify Tools. Network Preparation. Incident Preparation Firewall Logs. IDS Logs. Suspicious User. System Administrator. Suspicions of a user. Incident Detection Activate IR Team Initial Response Completed IR Checklist. Incident Response Process From “Incident Response” by Mandia and Prosise Complete IR Checklist Who/What/Where/When. Incident Description Hardware/Software. Personnel Involved. Network. Verify Incident. Affected Systems. Users Involved. Business Impact. Is it really an Incident?
  5. System Criticality. Information Sensitivity. Perpetrators. Publicity. Skill of Attacker. System Downtime. Dollar Loss. Response Strategy Accumulate Evidence & Secure System Best Evidence Rule. Chain of custody. Data Volatility. Forensic Duplication Management Approval Dollar Loss. Downtime. Legal Liability. Publicity. Intellectual Property. Incident Response Process (cont)
  6. Investigate Implement Security Measures Network Monitoring Incident Response Process (cont) Who, What, When, Where, How. People and Things. Isolate and Contain. Disconnect. Electronically isolate. Network Filtering. Monitor throughout the incident. Track the hacker. No incident recurrence. Monitor on subnet. Monitor at boundary.
  7. New Procedures. Reinstall files. Reinstall from CD-Rom. Secure System. Turnoff unneeded services. Apply patches. Strong Passwords. Strong Administration. Recovery Documentation Incident Response Process (cont) Document everything as it occurs. Support both criminal and civil prosecution. Produce the final report. Process improvement.
  8. Risk Management. Host preparation. Network Preparation. Network Policies and Procedures. A Response toolkit. The Incident Response Team. Incident Response Preparation
  9. Team Composition depends upon: Number and type of hosts involved. Number and type of networks involved. Number and type of Operating Systems involved. Attack sophistication. Incident Publicity. Internal Politics. Corporate Liability. Incident Response Team
  10. Team Manager. - Single Point of Contact - Leader/decision maker - Clear authority to act/decide. - Assess potential impact/loss - Upper management support - Spokesperson - Documents team actions. Computer Specialist - System Administrator - Systems Operator/Programmer - Technically Tracks intruder - Monitors on-going system activity. - Reconstructs crime. - Documents technical aspects of crime. Network Specialist Advisor - Advises computer specialist - Network protocol specialist - As Required Computer Crime Investigator - Investigator w/jurisdiction. - Collects/documents evidence. - Advises on investigative aspects. - This may be a team of investigators. Company Attorney - Legal advice - Case preparation - Adjunct to Team Public Affairs - Advise senior management on PR - Press Spokesperson - Adjunct to Team Security Auditor - Assists Computer specialist. - Audit trails/logs - Assess Economic impact - Adjunct to Team Computer Incident Response Team (CIRT)
  11. Respond to all security incidents with a formal investigative process based upon the Incident Response Plan and Corporate policies. Conduct a bias free investigation. Determine if a true incident did occur. Assess the damage and scope of the incident. Control and contain the incident. Document the incident and maintain a chain of custody. Protect Privacy Rights by law and corporate policy. Liaison to law Enforcement and Legal Authorities. Provide Expert Testimony. Provide recommendation to senior level management. Incident Response Team Mission
  12. Suggested Incident Goals and Priorities Incident Response Goals in order of importance. Assure the integrity of critical systems (life support, etc.) Maintain and restore the site data. Maintain and restore site services. Figure out what happened. Avoid escalation and further incidents. Avoid negative publicity. Find out who did it. Punish the attackers. Incident Response Priorities in order of importance P1 - Protect human life and safety. P2 - Protect classified and sensitive data. P3 - Protect proprietary, scientific and managerial data. P4 - Prevent damage to systems. P5 - Minimize service disruption of computing resources.
  13. Incident Detection – discovering an incident? Incident discovery Strange activities System crashes Unusual hard disk activity. Unexplained Reboots. Account discrepancies Sluggish response Strange login hours. Failed logins with bad passwords. Unusual activity with the su command. A message from a remote System Administrator
  14. Incident Detection (cont) System monitoring: Another superuser logs in. A user on vacation who is logged in. Deleted or corrupted log files. A user who is not a programmer but is running compilers. Network connections from unknown machines. Unauthorized changes to system programs. New account entries in /etc/passwd file. Analysis tools such as Tripwire. The System Administrator should investigate any strange activity. Various commands can be employed to explore who is doing what on the system.
  15. Sample Helpful UNIX Commands finger - a protocol to find out about an individual user or users logged onto a system. It accesses the /etc/passwd file Most System Administrators will disable finger. users - Checks the file /etc/utmp and displays the users logged onto the system. UNIX keeps track of who is logged onto the system in a file called /etc/utmp. A file called /var/adm/wtmp keeps track of all logins and logouts. w/who/whois/whodo - same as users. ps - Provides a snapshot of all processes running on the system at any given moment.
  16. More Helpful UNIX Commands netstat - Lists all the active and pending TCP/IP connections between your machine and other machines. lastcomm - Checks the file /var/adm/acct and prints out a list of commands executed by a user. ttywatch - A utility that allows the System Administrator to monitor every tty on their system and allows them to record the keystrokes for later playback (similar to a VCR). traceroute - A utility that allows the System Administrator to trace the route of an IP packet from their host to a particular foreign host. works by constructing special UDP packets to unused port The ttl fields start at 1 and continue to advance by 1 until it gets back a "service unavailable" ICMP message instead of a "time to live exceeded" message.
  17. Incident Detection (cont) Stopping the Intruder. Power Down? Interrupts users. Deletes evidence Damage the file systems. Ask him/her to leave? Intruder may damage the system to prevent being caught. Kill his/her processes? Use the ps command to list all his/her processes. Change all compromised account passwords. Use the kill command to terminate the processes. Check for backdoors/sniffers/undesired programs. Break the connection? Interrupts other users. What about kernel level activity? Changes to the kernel may negate ability to accomplish some of the checks we mentioned
  18. Disconnect? If the intruder stays connected your company and you may be liable for damages. If the intruder knows you detected him he may damage your system to cover his tracks. If you disconnect the intruder may go on to access other computers. Do you protect your information or try to catch the intruder? Stay Connected and Trace the intruder? Consult your log files for system, terminal and line information. Work with other system administrators to pool information. Set up an undetectable monitor to record his activity(make sure your legal advisor is involved and that you have proper authorization). Analyze your data for patterns, trends, key words, motivation, etc. Set a honey pot?. Track him across the network, across the continent, across national borders. Document everything. An Intruder has been detected!
  19. Incident Reporting Incident notification Guidelines. Contact CIRT quickly Use explicit language that is clear, concise and fully qualified. No smoke screens. No generalities Use factual language.. No false information No incomplete information. Use matter of fact language and tone. No emotion No inflammatory language
  20. Initial Response Freeze the Incident Scene. Verbally contain the scene with instructions such as: “Take your hands off the keyboard and step away from the computer.” “Physically disconnect the computer from the network.” “What is your name, office and telephone number.” “What is the hardware and operating system?” “I’m going to fax you a set of instruction. What is your Fax number?”
  21. Incident Response Checklist Version 1.0 Date: Time: Name: Telephone Number: Nature of Incident: Time of Incident: How was the incident detected: Current Impact of Incident; Future Impact of incident: Description of the incident: Hardware/OS/Software involved: IP and network addresses of compromised systems: Network Type: Modem: Criticality of Information: Physical location: System Administrator Name and Number: Current status of machine: Description of Intruder Actions Ongoing activity: Source Address: Malicious program involved: Denial of Service Vandalism: Indication of insider or outsider:
  22. Incident Response Checklist (cont) Version 1.0 Client Actions Network disconnected: Remote access available: Local Access available: Audit logs available and examined: Any changes to firewall: Any changes to ACL: Who has been notified: Other actins taken: Available Tools Third party host auditing: Network monitoring: Network Auditing: Additional Contacts Users: System Administrators: Network Administrators: Special Information Who should not know about this incident: Response Team Member Signature/Date:__________________________________
  23. Incident Response Team Fax Version 1.0 Date:_____________ Time:____________ Name:_______________________ Thank you for notifying the incident response team and agreeing to help. Please do not touch the affected computer(s) unless told to do so by a member of the Incident Response team. Please remain within sight of the computer until a member of the Incident Response Team arrives and assure that no one touches the computer. Please help us by detailing as much information about the incident as possible. Please complete the following items. If additional space is required use a separate sheet of paper. Witnesses: 1. 2. 3. What indicators lead you to notice and/or report the incident. Be as specific as possible. Incident Indicators: The next section is important so be as accurate as possible. From the time you noticed the incident to the time you took your hands from the computer, list every command you typed and any file you accessed. Commands typed and Files accessed: Response Team Member Signature:______________________________________-
  24. Initial Response (cont) Physically contain the scene.Two personnel, if possible, should immediately respond to the scene. Incident Scene Survey (1st Member) Use a portable tape recorder to: 1. Record the scene 2. Record who is present. Order everyone to leave the scene who is not directly involved in the incident or the investigation. 3. Interview the individual who reported the incident. 4. Assist the 2nd Member. Record, when possible, the actions of the second individual.
  25. Initial Response (cont) Contain the System (2nd Member). Ask the System Administrator to assist. Back up the system. Do this with forensic type tool that does bit-by-bit backup such as SafeBack Alternatively, remove the drive and seal it in a plastic bag with your notes and the notes of the individual who reported the incident. Attempt to identify the changed files: Tripwire http://www.tripwire.org/ or alternatively Expert Witness at http://www.asrdata.com.
  26. Incident Investigation & Assessment Conduct Personnel Interviews. System administrator. Selected questions include: Unusual Activity? Administrative Access to System?. Remote Access to Systems? Logging Capabilities? Current Security Precautions? Managers. selected questions include: On-going Security tests? Disgruntled employees? Recently fired employee? History of current employees? Sensitive data or applications on the systems? End users. Selected questions include: Anomalous Behavior or Suspicious activity?
  27. Incident Investigation & Assessment Assess the potential security Incident. What are the incident symptoms? Is it a security incident? A system problem? Power outage Faulty software Communication problems Procedures problem Training Problem
  28. Incident Investigation & Assessment Evaluate the severity and scope of the incident. What specifically happened? What was the entry point? What local computers/networks were affected? What remote computers/networks were affected? What information was affected? What was its value to the organization? What further can possibly occur? Who else knows about the incident? What are the estimated time/resources required to handle the incident.
  29. Incident Investigation & Assessment Indications of an incident. A new account. Passwords were changed on existing accounts The protection changed on selected files/devices. New SUID and SGID programs have been found. System programs have been added/modified.. An alias has been installed in the E-Mail system to run a program. New features have been added to your news or UUCP system. A password sniffer was found (Steal passwords to use Crack). File dates have been modified. Login files have been modified. The system has an unexplained crash. Accounting discrepancies. Denial of Service. Unexplained poor system performance. Suspicious probes/browsing.
  30. Incident Investigation & Assessment Indications of an incident (cont) Undocumented changes or upgrades to programs. Unexplained user account charges or changes. Security Access compromise (passwords, etc). Unauthorized use of computer facilities. Unexplained network/computer crashes. Unexplained corrupted files or services. Theft/missing computer/storage equipment. UnexplainedHigh utilization of equipment, storage or network resources. Unexplained loss of critical/sensitive data. Unexplained user account lockouts. Unexplained Network traps/alarms. Unexplained Firewall/IDS alerts/alarms.
  31. Incident Investigation & Assessment All systems/networks are suspect until the actual extent of the incident is known. Verify the integrity of all site computers. Verify the integrity of all site networks. Verify the integrity of all files/directories (checksums). Compare system files with backups or initial distributions. Compare software application with the baseline. Analyze the documentation, files and security logs.
  32. Computer Forensics Will eventually have to make a decision on whether to involve LE and push for prosecution. Computer Forensics Principles. P1: Preserve the evidence in an unchanged state. (think Forensic Image) P2: Thoroughly and completely document the Investigative Process. (chain-of-custody)
  33. System Restoration The System Administrator should be used in the recovery process. Don't trust anything that is on-line. Don't believe anything your system tells you. Reformat disks Restore operating system. Reload software. Assign new passwords. Scan the /etc/passwd for newly created files Check for changes to files that may affect security (trapdoors, logic bombs, etc.). The recovery should be planned to have minimal impact on the users. Keep the users informed. Engage in rumor control.
  34. Incident Evaluation Conduct an after action meeting. Prepare an after action report to document the incident, the response to the incident and the recovery from the incident. Lessons Learned? What other reports might you need to generate? Law Enforcement report? Regulatory agency report? Insurance claim? Disciplinary action? Dismissal action? Vendor report? Update disaster recovery plan? Update software to new versions? Update employee training? Public Affairs report? CEO report to employees?
  35. Do You Notify Law Enforcement? Brief/coordinate with upper management. In certain situations/environments, you may not have a choice If you do, remember LE agency will assume control. Computer crime investigation is complex, time consuming, and resource intensive. Allow time/resources for Investigation. Prosecution. Computer Crime Investigation
  36. Backup strategies Three most important things to do for security, BCP, and DRP – Backup, Backup, Backup Four different types of Backups Full: Backup everything every time Differential: only backup that which has changed since the last full backup (typically) Incremental: Only backup that which has changed since the last full or incremental backup. Delta: backup only the portions of files that have changed since the last delta or full backup Pros/cons of the different types?
  37. Backup considerations What do you backup? HW and SW as well as data Environmental Protection Magnetic and optical media can be damaged by dust, mold, heat, condensation,… Location of backups and backup facilities Onsite .vs. offsite, hot, warm, cold facilities Effect of time on media
  38. Business Continuity Plans (BCP) Goal is to protect the operations of the organization, not just the computing systems. May be invoked as a result of any type of disaster Three phases to the recovery process Continuation of activities: enable a very limited set of functions, the essentials for business to continue. Resumption of activities: provide for a full, or almost full, range of business functions. Restoration of activities: bring back a normal operating environment in a permanent facility.
  39. Losses during a disaster Cumulative Loss Summary With and Without a DRP
  40. Some final thoughts Business Continuity Plan (BCP): Similar to a DRP but focuses solely on business continuity. DRP should also take into account possible personnel safety and loss of life issues. Business Impact Assessment/Analysis (BIA): used to determine what is important for inclusion in the BCP/DRP. Will assess how unavailability of each system/process would affect the organization.
  41. Summary What is the Importance and Significance of this material? How does this topic fit into the subject of “Voice and Data Security”?
More Related