Cause 11 im final



Published in Education, Technology
  • Notes: Millions of probes; tens of thousands of attacks per day; firewalls drop ~3 million attacks per day


  • 1. Information Security Incident Management: One EDU's Approach
    – Johnny Nipper, EnCE
    – Kevin Lanning, MSIS GSEC CISSP
    – Benjamin Bressman, GSEC GCIH GCFA
  • 2. Information Security Level Set
    – Core principles of information security
      • Confidentiality – keeping information private
      • Integrity – keeping information accurate
      • Availability – keeping information available (even in disasters) to authorized parties
  • 3. Why Incident Response?
    – Legal and compliance obligations require notification when sensitive information is acquired by unauthorized parties
    – University policy requires a process for responding to incidents
    – Computing environments at large are under constant attack (we are no exception)
    – Attack stats
  • 4. What is an incident?
    – Acceptance criteria: how do we determine the difference between an incident and an event?
      • Could sensitive information or a critical system be at risk?
      • Was the event malicious?
    – Maintaining a publicly accessible definition of sensitive data helps bring clarity during events
    – Trust support personnel and the campus community, but maintain the ability to verify when validation is needed
  • 5. Incident Management Methodologies
    – One approach (see Course 504):
      • Planning
        – Your departmental contacts
        – Communication strategies
        – Failover systems and strategies, data archives/backups
      • Identification – is it an incident?
      • Containment – are intrusions contained?
      • Eradication – is the intrusion over?
      • Recovery – are your business functions back to normal?
      • Lessons learned – recommendations
  • 6. Incident Management
    – Incident environment?
      • Higher education institutions compared with business or military
      • Governance/culture
      • Mission
      • Technology types/infrastructure
  • 7. How are incidents discovered?
    – Intrusion detection/prevention systems
    – Centrally managed anti-virus
    – Complaints by attacked parties
    – Support personnel – often our first responders
      • Help contain the incident and preserve data
      • Help balance forensics with business continuity
  • 8. Response, Evidence Acquisition
    – Preserve evidence
      • Disconnect from the network?
      • How do we power down?
      • Preserve "last accessed" times (no AV scans)
      • Log access can overwrite valuable information
    – What evidence?
      • A forensic image, an exact copy of the disk(s)
      • Preserving timestamps is key
      • Network data, off-site logs, etc.
  • 9. Business Impact
    – Must be mindful of business impact: how will incident response/forensics impact...
      • The university mission – teaching, research, public service
      • The department/group – when will systems be back up and running? Will intruders have a way back into the systems?
      • The user
  • 10. Investigation and Analysis
    – Ask the question: "Was there unauthorized acquisition of sensitive information?"
  • 11. Investigation and Analysis
    – Provide context for decision makers
      • From the perspective of sensitive information: where did sensitive information exist, if at all?
      • From the technical perspective: create timelines that detail (for example)
        – File creation and access
        – When was malware introduced? What are its capabilities?
        – When was sensitive information last accessed?
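The timeline step on slide 11, as an added example that is not code from the slides or the presenters: a small Python script that takes records from three constructed sources (a hypothetical filesystem metadata export, an anti-virus log stamped in local time, and a web server access log in UTC), normalises every timestamp to UTC, merges them chronologically, and answers the two questions the slide lists: when the malware first shows up and when the sensitive file was last touched. The record formats, paths, hostnames and times are all constructed for illustration; log2timeline does the same normalise-and-merge across real artifact types at scale.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True, order=True)
class Event:
    when: datetime   # normalised to UTC so records from different sources interleave correctly
    source: str      # "fs", "av" or "web"
    action: str      # "created", "modified", "accessed", "detected", or the HTTP method
    target: str      # file path, detection name plus path, or requested URL


# Constructed sample records (not real case data), one list per evidence source.
# Hypothetical filesystem export: path|created|modified|accessed as epoch seconds (UTC).
FS_RECORDS = [
    "C:/Users/bob/Documents/students.csv|1362128400|1362128400|1362424355",
    "C:/Users/bob/AppData/Local/Temp/update.exe|1362423890|1362423890|1362423910",
]
# Hypothetical anti-virus log written in local time with a UTC offset.
AV_LOG = [
    "2013-03-04 14:05:22 -0500 Detected Trojan.Generic in C:/Users/bob/AppData/Local/Temp/update.exe",
]
# Web server access log (common log format), already in UTC.
WEB_LOG = [
    '10.1.2.3 - - [04/Mar/2013:19:12:40 +0000] "GET /files/students.csv HTTP/1.1" 200 51200',
]


def parse_fs(line: str) -> List[Event]:
    """One filesystem record yields three events (created, modified, accessed)."""
    path, created, modified, accessed = line.split("|")
    return [
        Event(datetime.fromtimestamp(int(ts), tz=timezone.utc), "fs", action, path)
        for action, ts in (("created", created), ("modified", modified), ("accessed", accessed))
    ]


AV_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) Detected (\S+) in (.+)$")


def parse_av(line: str) -> Event:
    m = AV_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised AV record: {line}")
    # The %z offset is what lets a local-time log line up with UTC sources.
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    return Event(when, "av", "detected", f"{m.group(2)} {m.group(3)}")


WEB_RE = re.compile(r'\[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_web(line: str) -> Event:
    m = WEB_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised web record: {line}")
    when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(when, "web", m.group(2), m.group(3))


def build_timeline(fs=FS_RECORDS, av=AV_LOG, web=WEB_LOG) -> List[Event]:
    """Merge all sources into one chronological list; ties break on source/action/target."""
    events: List[Event] = []
    for line in fs:
        events.extend(parse_fs(line))
    events.extend(parse_av(line) for line in av)
    events.extend(parse_web(line) for line in web)
    return sorted(events)


def first_detection(timeline: List[Event]) -> Optional[datetime]:
    """Earliest point the malware is known to be present (here, the AV hit)."""
    return next((e.when for e in timeline if e.action == "detected"), None)


def last_touch(timeline: List[Event], filename: str) -> Optional[datetime]:
    """Latest event, from any source, that involves the named sensitive file."""
    hits = [e.when for e in timeline if e.target.endswith(filename)]
    return max(hits) if hits else None


def events_after(timeline: List[Event], when: datetime) -> List[Event]:
    """Everything that happened once the malware was on the box."""
    return [e for e in timeline if e.when > when]


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.when.strftime("%Y-%m-%d %H:%M:%S"), e.source, e.action, e.target)
    print("malware first seen:", first_detection(tl))
    print("students.csv last touched:", last_touch(tl, "students.csv"))
```

Run stand-alone it prints the merged timeline; in the constructed data the file's creation timestamp on the filesystem precedes the AV detection by about 30 seconds, and the sensitive file is read and then served over HTTP a few minutes after the detection, which is exactly the sequence a decision maker needs to see laid out.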
  • 12. Forensic Processes and Tools
    – Integrity and confidentiality of evidence
      • Chain of custody forms
      • Cryptographic hash of hard drives and images
      • Storage of hard drives and hard drive images
    – Tools
      • Guidance Software EnCase, AccessData FTK
      • Open source tools like log2timeline
      • Anti-malware software (SEP)
      • Registry/log/browser/OS artifact data viewers
      • Identity Finder – finds sensitive information
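An added example (not the presenters' code) of the evidence-integrity practice on slide 12: hash the image at acquisition, record the digest together with the chain-of-custody entry, log each hand-off, and re-hash before analysis or presentation so that any write to the image is caught. The case id, evidence id, examiner names and the throwaway file standing in for a forensic image are all constructed; a real acquisition would hash the output of the imaging tool and store the form alongside the image.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-TB image never has to fit in memory


def sha256_file(path: str) -> str:
    """Hash a disk image in chunks; the digest is what the chain-of-custody form records."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def record_acquisition(path: str, case_id: str, evidence_id: str,
                       examiner: str, description: str) -> Dict:
    """Build the acquisition entry: who imaged what, when (UTC), and the hash to verify against."""
    return {
        "case_id": case_id,
        "evidence_id": evidence_id,
        "description": description,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "size_bytes": os.path.getsize(path),
        "algorithm": "sha256",
        "digest": sha256_file(path),
        "custody": [{"holder": examiner, "action": "acquired"}],
    }


def transfer_custody(record: Dict, from_holder: str, to_holder: str, when_utc: str) -> Dict:
    """Append a hand-off; the form only proves anything if every holder appears on it."""
    record["custody"].append(
        {"from": from_holder, "to": to_holder, "when_utc": when_utc, "action": "transferred"}
    )
    return record


def verify_image(path: str, record: Dict) -> bool:
    """Re-hash before analysis or presentation; a mismatch means the image cannot be relied on."""
    return os.path.getsize(path) == record["size_bytes"] and sha256_file(path) == record["digest"]


def run_demo() -> Dict:
    """Constructed walk-through on a temporary file that stands in for a forensic image."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence-001.dd")
    with open(image, "wb") as f:
        f.write(bytes(range(256)) * 4096)  # 1 MiB of constructed 'disk' content

    record = record_acquisition(image, "CASE-EXAMPLE", "EV-001",
                                "examiner-a", "constructed sample image")
    transfer_custody(record, "examiner-a", "evidence-locker", "2013-03-05T10:00:00+00:00")
    intact_before = verify_image(image, record)

    # Simulate an unintended write to the image (a mount without a write blocker,
    # a careless tool): a single changed byte is enough to break the digest.
    with open(image, "r+b") as f:
        f.seek(512)
        f.write(b"\xff")
    intact_after = verify_image(image, record)

    # Known-answer check so the hashing routine itself can be trusted.
    known = os.path.join(workdir, "abc.bin")
    with open(known, "wb") as f:
        f.write(b"abc")

    return {
        "intact_before": intact_before,
        "intact_after_write": intact_after,
        "custody_entries": len(record["custody"]),
        "sha256_abc": sha256_file(known),
        "form": json.dumps(record, indent=2),
    }


if __name__ == "__main__":
    result = run_demo()
    print(result["form"])
    print("verified at acquisition:", result["intact_before"])
    print("verified after stray write:", result["intact_after_write"])
```

The size check in `verify_image` is a cheap early exit, but only the digest proves the content is unchanged; the same re-verification belongs at every custody transfer and before any result is presented to counsel, audit or law enforcement.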
  • 13. Reporting Results
    – Cases can be presented to...
      • Information Security management
      • Office of University Counsel
      • Office of Research Compliance
      • Internal Audit
      • Law enforcement
    – Decision makers help determine next steps
      • Is a notification appropriate?
      • How can we prevent recurrence?
  • 14. Lessons Learned/Recommendations
    – Behavior modification
      • User learns best practices to prevent future incidents
      • Sys admin configures systems to resist similar attacks
    – Software modifications
      • Harden software if flaws are found during investigation
      • Introduce vulnerability management to be proactive
    – Process modifications
      • Business processes may be modified to reduce risk
  • 15. References
    – How to reach us?
    – Documents: NIST 800-61 – "Computer Security Incident Handling Guide"
    – Courses: SANS 504 – "Hacker Techniques, Exploits and Incident Handling"
    – Tools: Guidance Software / EnCase; AccessData / FTK; log2timeline; Identity Finder
    – Online resources: Forensics Wiki; Forensic Focus; Windows Incident Response