Cause 11 im final


Published in: Education, Technology
Slide notes (attack statistics): millions of probes and tens of thousands of attacks per day; firewalls drop ~3 million attacks per day.

    1. Information Security Incident Management: One EDU’s Approach
       Johnny Nipper, EnCE
       Kevin Lanning, MSIS GSEC CISSP
       Benjamin Bressman, GSEC GCIH GCFA
    2. Information Security Level Set
       • Core principles of information security
         – Confidentiality: keeping information private
         – Integrity: keeping information accurate
         – Availability: keeping information available (even in disasters) to authorized parties
    3. Why Incident Response?
       • Legal and compliance obligations require notification when sensitive information is acquired by unauthorized parties
       • University policy requires a process for responding to incidents
       • Computing environments at large are under constant attack (we are no exception)
       • Attack stats
    4. What Is an Incident?
       • Acceptance criteria
         – How do we tell the difference between an incident and an event?
           • Could sensitive information or a critical system be at risk?
           • Was the event malicious?
         – Maintaining a publicly accessible definition of sensitive data helps bring clarity during events
         – Trust support personnel and the campus community, but maintain the ability to verify when validation is needed
    5. Incident Management Methodologies
       • One approach (see SANS Course 504)
         – Planning
           • Your departmental contacts
           • Communication strategies
           • Failover systems and strategies, data archives/backups
         – Identification: is it an incident?
         – Containment: are intrusions contained?
         – Eradication: is the intrusion over?
         – Recovery: are your business functions back to normal?
         – Lessons learned: recommendations
    6. Incident Management
       • Incident environment
         – Higher education institutions compared with business or military
         – Governance/culture
         – Mission
         – Technology types/infrastructure
    7. How Are Incidents Discovered?
       • Intrusion detection/prevention systems
       • Centrally managed anti-virus
       • Complaints by attacked parties
       • Support personnel, often our first responders
         – Help contain the incident and preserve data
         – Help balance forensics with business continuity
    8. Response, Evidence Acquisition
       • Preserve evidence
         – Disconnect from the network?
         – How do we power down?
         – Preserve “last accessed” times (no AV scans)
         – Log access can overwrite valuable information
       • What evidence?
         – A forensic image, an exact copy of the disk(s)
         – Preserving timestamps is key
         – Network data, off-site logs, etc.
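The slide asks for an exact copy of the disk and for evidence whose integrity can be shown later. The script below is an added example (not from the presentation) of the part that comes after imaging: hash the source and the image with the same streaming SHA-256, refuse to accept an image whose hash differs, and append every acquisition and hand-off to an append-only custody log so the image can be re-verified against the hash recorded at acquisition. The examiner names, file names and the "disk" contents are constructed so the script runs offline; on a real case the source would be a write-blocked device and the image the output of dd, dc3dd, EnCase or FTK Imager.

```python
"""Hash-verify a forensic image and keep a chain-of-custody log.

Added example, not from the presentation. Assumes the image has already
been acquired (dd, dc3dd, EnCase, FTK Imager) to a file; here the
"source" and the "image" are small constructed files so it runs offline.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads so multi-hundred-GB images never load into RAM


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of a file (or a block device opened read-only)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _append(log_path: str, entry: dict) -> None:
    # JSON Lines, append-only: one custody event per line, never rewritten
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def record_acquisition(source: str, image: str, examiner: str, log_path: str) -> dict:
    """Hash source and image, insist they match, then log the acquisition.

    Raises ValueError if the image is not a bit-for-bit copy of the source.
    """
    src_hash = sha256_file(source)
    img_hash = sha256_file(image)
    if src_hash != img_hash:
        raise ValueError(f"image hash {img_hash} != source hash {src_hash}")
    entry = {
        "event": "acquisition",
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,                      # assumed field names
        "host": socket.gethostname(),
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(image),
        "sha256": img_hash,
    }
    _append(log_path, entry)
    return entry


def record_transfer(image: str, from_person: str, to_person: str, log_path: str) -> dict:
    """Re-hash at every hand-off so a later mismatch can be localised in time."""
    entry = {
        "event": "transfer",
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "from": from_person,
        "to": to_person,
        "image": image,
        "sha256": sha256_file(image),
    }
    _append(log_path, entry)
    return entry


def verify_image(image: str, log_path: str) -> bool:
    """True if the image still hashes to the value recorded at acquisition."""
    with open(log_path, "r", encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    acq = next(e for e in entries if e["event"] == "acquisition" and e["image"] == image)
    return sha256_file(image) == acq["sha256"]


def demo() -> tuple[bool, bool]:
    """Constructed run: acquire, verify, flip one byte, verify again."""
    d = tempfile.mkdtemp()
    source, image, log = (os.path.join(d, n) for n in ("disk.raw", "disk.img", "custody.jsonl"))
    data = os.urandom(3 * CHUNK + 17)              # constructed 'disk' contents
    for p in (source, image):
        with open(p, "wb") as f:
            f.write(data)
    record_acquisition(source, image, "J. Examiner", log)
    record_transfer(image, "J. Examiner", "Evidence locker", log)
    before = verify_image(image, log)              # True: untouched
    with open(image, "r+b") as f:                  # simulate one corrupted byte
        f.seek(CHUNK)
        original = f.read(1)
        f.seek(CHUNK)
        f.write(bytes([original[0] ^ 0xFF]))
    after = verify_image(image, log)               # False: integrity broken
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two practical points: hash the source only through a write blocker (or from a read-only mount), because the hashing read itself must not change what you are about to image, and keep the custody log on separate media from the image, since a log that travels with the evidence can be edited by whoever edits the evidence.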
    9. Business Impact
       • Must be mindful of business impact: how will incident response/forensics affect…
         – The university mission
           • Teaching
           • Research
           • Public service
         – The department/group
           • When will systems be back up and running?
           • Will intruders have a way back into the systems?
         – The user
    10. Investigation and Analysis
        Ask the question: “Was there unauthorized acquisition of sensitive information?”
    11. Investigation and Analysis
        • Provide context for decision makers
          – From the perspective of sensitive information:
            • Where did sensitive information exist, if at all?
          – From the technical perspective:
            • Create timelines that detail, for example:
              – File creation and access
              – When the malware was introduced
              – Capabilities of the malware
              – When sensitive information was last accessed
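The timeline the slide describes is, at its simplest, every file's four NTFS timestamps (M modified, A accessed, C metadata changed, B born/created) exploded into one event each and sorted, which is what a mactime bodyfile or log2timeline output gives you. The block below is an added example, not from the presentation and not log2timeline's code, that builds such a timeline from a handful of constructed stat records and then answers the slide's two questions directly: when was the malware introduced (earliest B event on a known-bad path) and which sensitive files show an access after that point. The file names, timestamps, the "sensitive" name patterns and the known-malware path are all assumptions for the demonstration.

```python
"""MACB timeline in miniature: was sensitive data accessed after the malware
arrived? Added example, not from the presentation; mimics the
mactime/bodyfile idea rather than calling log2timeline.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# Constructed stat() records: (path, mtime, atime, ctime, crtime), UTC ISO-8601.
CONSTRUCTED_FILES = [
    ("C:/Users/prof/Documents/grades_2011.xlsx",
     "2011-03-02T14:10:00", "2011-04-11T02:47:13", "2011-03-02T14:10:00", "2011-01-15T09:00:00"),
    ("C:/Windows/Temp/svch0st.exe",
     "2011-04-11T02:31:05", "2011-04-11T02:31:05", "2011-04-11T02:31:05", "2011-04-11T02:31:05"),
    ("C:/Users/prof/AppData/Local/Temp/~tmp.dat",
     "2011-04-11T02:46:50", "2011-04-11T02:46:50", "2011-04-11T02:46:50", "2011-04-11T02:46:50"),
    ("C:/Users/prof/Documents/syllabus.docx",
     "2011-02-01T10:00:00", "2011-02-01T10:00:00", "2011-02-01T10:00:00", "2011-02-01T10:00:00"),
]
SENSITIVE_PATTERNS = ("grades", "ssn", "payroll")   # assumed classification rule
MALWARE_PATHS = {"C:/Windows/Temp/svch0st.exe"}     # assumed AV / analyst finding


@dataclass(order=True)
class Event:
    time: datetime
    macb: str      # which timestamp this event represents: M, A, C or B
    path: str


def to_events(records: Iterable[tuple]) -> list[Event]:
    """Explode each file into up to four events and sort them: the timeline."""
    events = []
    for path, m, a, c, b in records:
        for flag, ts in zip("MACB", (m, a, c, b)):
            t = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
            events.append(Event(t, flag, path))
    return sorted(events)


def malware_introduced(events: list[Event]) -> datetime:
    """Earliest creation (B) time of any known-malicious path."""
    births = [e.time for e in events if e.path in MALWARE_PATHS and e.macb == "B"]
    if not births:
        raise ValueError("no known malware artifact in timeline")
    return min(births)


def sensitive_access_after(events: list[Event], t0: datetime) -> list[Event]:
    """Access (A) events on sensitive files at or after t0, oldest first.

    Absence of an A event is not proof of no access: last-access updates are
    disabled by default on many Windows versions, and an AV scan or a careless
    responder opening the file rewrites them (hence 'no AV scans' on slide 8).
    """
    return [e for e in events
            if e.macb == "A" and e.time >= t0
            and any(p in e.path.lower() for p in SENSITIVE_PATTERNS)]


def render(events: list[Event]) -> str:
    """mactime-style listing, one event per line."""
    return "\n".join(f"{e.time:%Y-%m-%d %H:%M:%S} {e.macb} {e.path}" for e in events)


def analyse(records=CONSTRUCTED_FILES):
    ev = to_events(records)
    t0 = malware_introduced(ev)
    hits = sensitive_access_after(ev, t0)
    return t0, [(e.time.isoformat(), e.path) for e in hits]


if __name__ == "__main__":
    print(render(to_events(CONSTRUCTED_FILES)))
    print(analyse())
```

On a real image the records would come from fls/mactime or log2timeline and would be merged with event logs, browser history and prefetch data; the analysis step stays the same, pivot on the earliest known-bad timestamp and read forward.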
    12. Forensic Processes and Tools
        • Integrity and confidentiality of evidence
          – Chain-of-custody forms
          – Cryptographic hashes of hard drives and images
          – Storage of hard drives and hard drive images
        • Tools
          – Guidance Software EnCase, AccessData FTK
          – Open-source tools like log2timeline
          – Anti-malware software (SEP)
          – Registry/log/browser/OS artifact data viewers
          – Identity Finder: finds sensitive information
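Identity Finder's job on this slide, locating where sensitive data exists on a compromised machine, boils down to pattern matching with a validity filter so that the report is not drowned in false positives. The scanner below is an added example, not from the presentation and not Identity Finder's code: it finds US SSNs (format rules only) and payment card numbers (13 to 19 digits that pass the Luhn mod-10 check), masks every hit so the report itself is not a new copy of the sensitive data, and walks a directory tree. The sample text, the "sensitive" definitions and the hit format are assumptions for the demonstration.

```python
"""Find SSNs and payment card numbers in text, Identity Finder style.

Added example, not from the presentation. The regexes and the Luhn check
are standard; the sample data below is constructed, not real.
"""
import os
import re
from dataclasses import dataclass

# SSN: 3-2-4 digits; area 000, 666 and 9xx and group 00 / serial 0000 are never issued
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

SAMPLE = """\
Student roster (constructed sample data, not real people)
Jane Doe, 219-09-9999, paid with 4111 1111 1111 1111
Order 4111111111111112 shipped; call 919-555-0100
Test ID 000-12-3456 should not match (invalid area number)
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10: doubles every second digit from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(s: str) -> str:
    """Keep only the last four digits so the report is safe to circulate."""
    digits = re.sub(r"\D", "", s)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Hit:
    kind: str    # "SSN" or "PAN"
    value: str   # masked
    line: int


def scan_text(text: str) -> list[Hit]:
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            hits.append(Hit("SSN", mask(m.group()), lineno))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):   # drop order/phone numbers
                hits.append(Hit("PAN", mask(digits), lineno))
    return hits


def scan_tree(root: str) -> dict:
    """Map each file under root to its hits; unreadable/binary bytes are skipped."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as f:
                    found = scan_text(f.read())
            except OSError:
                continue
            if found:
                report[path] = found
    return report


if __name__ == "__main__":
    for h in scan_text(SAMPLE):
        print(f"line {h.line}: {h.kind} {h.value}")
```

The Luhn filter rejects about nine in ten random digit runs, so a 16-digit order number still leaks through one time in ten; treat hits as leads to confirm by hand, and remember that this reads plain text only, whereas the data on a real host is mostly inside Office, PDF and mail containers that have to be unpacked first.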
    13. Reporting Results
        • Cases can be presented to…
          – Information Security management
          – Office of University Counsel
          – Office of Research Compliance
          – Internal Audit
          – Law enforcement
        • Decision makers help determine next steps
          – Is a notification appropriate?
          – How can we prevent recurrence?
    14. Lessons Learned/Recommendations
        • Behavior modification
          – User learns best practices to prevent future incidents
          – Sys admin configures systems to resist similar attacks
        • Software modifications
          – Harden software if flaws are found during the investigation
          – Introduce vulnerability management to be proactive
        • Process modifications
          – Business processes may be modified to reduce risk
    15. References
        • How to reach us?
        • Documents
          – NIST SP 800-61, “Computer Security Incident Handling Guide”
        • Courses
          – SANS 504, “Hacker Techniques, Exploits and Incident Handling”
        • Tools
          – Guidance Software / EnCase
          – AccessData / FTK
          – log2timeline
          – Identity Finder
        • Online resources
          – Forensics Wiki
          – Forensic Focus
          – Windows Incident Response