Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Introduction to Incident Response ManagementDon Caeiro
This document discusses incident response management and key concepts related to cybersecurity incidents. It defines an incident as an adverse event that compromises the confidentiality, integrity, or availability of computer systems. Common incident categories include compromise of confidentiality or integrity, denial of resources, intrusions, misuse, damage, and hoaxes. Cyber incidents are classified as low, moderate, or high severity based on factors such as the impact on services, data classification, legal issues, policy violations, public interest, threat potential, and business impact. Effective incident response is needed to address business impacts of incidents including protecting data, reputation, customer trust, and revenue.
The document discusses the components of an information security blueprint, including policies, standards, practices, and a security education program. It describes developing an enterprise security policy and issue-specific policies. The blueprint provides a plan for security controls, technologies, and training to ensure the organization's information is protected. It is the basis for designing and implementing all aspects of the security program.
This slide explains the design part as well as implementation part of the firewall. And also tells about the need of firewall and firewall capabilities.
The document provides an overview of access control systems and methodology. It covers topics such as types of access control including mandatory access control (MAC) and discretionary access control (DAC), authentication methods, implementation of access control through hardware, software and policies, and how access control protects systems from threats and prepares for minimal impact. It also discusses access control standards like the Orange Book and limitations of formal access control models.
Virtual private networks (VPNs) allow users to securely access an organization's intranet from remote locations using public networks like the internet. VPNs use encryption and tunneling protocols to securely transmit data and authenticate users, providing privacy and access similar to a private network. The main benefits of VPNs are reduced costs compared to dedicated private networks, as VPNs can leverage existing broadband internet connections instead of expensive leased lines. Common VPN protocols include PPTP, L2TP, and IPsec, with "tunneling" referring to the encapsulation of packets within other protocol packets to create and maintain virtual connections.
If you really want to understand what exactly Database Security is all about,this presentation is yours.
You will understand it just by having one look at the slides.
Presentation contains things which are really simple to understand.
Incident response methodology involves responding to and managing cyber attacks through investigation, containment, eradication, recovery and lessons learned. A well-developed incident response plan is needed to minimize damage from attacks and data breaches, and recover as quickly as possible. Key aspects of incident response include detecting incidents, formulating response strategies, investigating through data collection and forensic analysis, and reporting findings. The goal is to understand attack methods and prevent future incidents.
This document provides an overview of web services security. It discusses the main concerns of authentication, authorization, confidentiality and integrity. It presents a framework for web services security and describes how security can be implemented at the transport, message and application levels. Various usage scenarios for web services are explored, and the security implications of scenarios like enterprise application integration, reusing existing business logic, and business partner collaboration are examined. Emerging standards for web services security are also overviewed.
Introduction to Incident Response ManagementDon Caeiro
This document discusses incident response management and key concepts related to cybersecurity incidents. It defines an incident as an adverse event that compromises the confidentiality, integrity, or availability of computer systems. Common incident categories include compromise of confidentiality or integrity, denial of resources, intrusions, misuse, damage, and hoaxes. Cyber incidents are classified as low, moderate, or high severity based on factors such as the impact on services, data classification, legal issues, policy violations, public interest, threat potential, and business impact. Effective incident response is needed to address business impacts of incidents including protecting data, reputation, customer trust, and revenue.
The document discusses the components of an information security blueprint, including policies, standards, practices, and a security education program. It describes developing an enterprise security policy and issue-specific policies. The blueprint provides a plan for security controls, technologies, and training to ensure the organization's information is protected. It is the basis for designing and implementing all aspects of the security program.
This slide explains the design part as well as implementation part of the firewall. And also tells about the need of firewall and firewall capabilities.
The document provides an overview of access control systems and methodology. It covers topics such as types of access control including mandatory access control (MAC) and discretionary access control (DAC), authentication methods, implementation of access control through hardware, software and policies, and how access control protects systems from threats and prepares for minimal impact. It also discusses access control standards like the Orange Book and limitations of formal access control models.
Virtual private networks (VPNs) allow users to securely access an organization's intranet from remote locations using public networks like the internet. VPNs use encryption and tunneling protocols to securely transmit data and authenticate users, providing privacy and access similar to a private network. The main benefits of VPNs are reduced costs compared to dedicated private networks, as VPNs can leverage existing broadband internet connections instead of expensive leased lines. Common VPN protocols include PPTP, L2TP, and IPsec, with "tunneling" referring to the encapsulation of packets within other protocol packets to create and maintain virtual connections.
If you really want to understand what exactly Database Security is all about,this presentation is yours.
You will understand it just by having one look at the slides.
Presentation contains things which are really simple to understand.
Incident response methodology involves responding to and managing cyber attacks through investigation, containment, eradication, recovery and lessons learned. A well-developed incident response plan is needed to minimize damage from attacks and data breaches, and recover as quickly as possible. Key aspects of incident response include detecting incidents, formulating response strategies, investigating through data collection and forensic analysis, and reporting findings. The goal is to understand attack methods and prevent future incidents.
This document provides an overview of web services security. It discusses the main concerns of authentication, authorization, confidentiality and integrity. It presents a framework for web services security and describes how security can be implemented at the transport, message and application levels. Various usage scenarios for web services are explored, and the security implications of scenarios like enterprise application integration, reusing existing business logic, and business partner collaboration are examined. Emerging standards for web services security are also overviewed.
This document discusses access control systems and methodologies. It covers security clearances used by the federal government, multifactor authentication/biometrics, and passwords. Specific access control methods like fingerprints, voiceprints, retina scanning, iris scanning, and face recognition are explained. The document also discusses password cracking techniques and applications used to crack passwords like John the Ripper, Rainbow Crack, and Cain & Abel.
This document provides an overview of computer forensics. It defines computer forensics as the process of preserving, identifying, extracting, documenting and interpreting computer data for legal evidence. The document then outlines the history of computer forensics, the steps involved which include acquisition, identification, evaluation and presentation, certifications available, requirements to work in the field, how evidence is collected, uses of computer forensics in criminal and civil cases, advantages like ability to search large amounts of data quickly, and disadvantages such as costs and ensuring no evidence tampering. It also lists some computer forensics labs and centers in India.
This webinar describes how you can manage the risk of privileged accounts being compromised, creating a breach of sensitive data or other assets in your organization, through privileged access management, or PAM. PAM can reduce risks by hardening your environment in ways no other solution can, but is challenging to deploy. This webinar provides an unbiased perspective on PAM capabilities, lessons learned and deployment challenges, distilling the good practices you need to be successful. It covers:
- PAM definitions, core features and specific security and compliance drivers
- The PAM market landscape and major vendors
- How to integrate PAM with identity management, service ticketing and monitoring
- Avoiding availability and performance issues
1) Data breaches are a constant threat, with insiders posing a major risk.
2) Proactive database forensics is an emerging area that can help detect and respond to insider threats.
3) A proactive forensic architecture is needed to integrate auditing and forensics activities to reliably gather evidence from multiple sources and ensure its integrity.
The document discusses various aspects of network forensics and investigating logs. It covers analyzing log files as evidence, maintaining accurate timekeeping across systems, configuring extended logging in IIS servers, and the importance of log file accuracy and authenticity when using logs as evidence in an investigation.
This document outlines a security concept and risk management process. It discusses identifying risks and assets, assessing impact and probability, and determining appropriate risk responses such as acceptance, avoidance, mitigation, and transfer. It also describes common security controls around availability, confidentiality and integrity. Attack vectors like malware, denial of service attacks, social engineering and phishing are examined. Finally, it discusses security patterns for identity and access management, segregation of duties, layered security and cryptography.
Information Security Principles - Access Controlidingolay
The document discusses various concepts related to access controls and authentication methods in information security. It covers identification, authentication, authorization, accountability and different authentication factors like something you know, something you have, something you are. It also discusses access control models, biometrics, passwords and single sign-on systems.
Identity and Access Management (IAM) is a crucial part of living in a connected world. It involves managing multiple identities of an individual or entity, distributed across disparate portals. In an enterprise, IAM solutions serve as a mean to secure access, control user activities and manage authentication for an App or a group of software (infrastructure).
This detailed PowerPoint brings you the most fundamental concepts and ideas related to identity and access management. Plus, we have debunked some popular IAM myths, so do checkout!
1) Zero Trust is a security model that does not inherently trust anything inside or outside its perimeter and instead verifies anything and everything trying to connect to its systems before granting access.
2) Traditional security models rely on physical or logical network boundaries to define what is trusted, but this is ineffective as users and devices can no longer be trusted once inside these boundaries.
3) The core tenants of Zero Trust include secure all communication, grant least permission, grant access to single resources at a time, make access policies dynamic, collect and use data to improve security, monitor assets, and periodically re-evaluate trust.
Ch 4: Footprinting and Social EngineeringSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
A more in-depth analysis of cyber forensics; but explained eloquently for the beginner, by Chaitanya Dhareshwar - Cyber Crime Investigator, Technocrat and Entrepreneur.
Learn what cyber forensics is all about and how you can begin using the basic tools of forensics in your day to day life. Not only does it make the world a safer place, your data remains significantly more secure.
Every step you take towards cyber security in this lawless internet allows you to achieve greater knowledge unhindered.
The document discusses EnCase, a digital forensics software. It can recover various types of data from devices including pictures, documents, and entire disk drives. The software includes tools for acquisition, analysis, and reporting. It uses the .E01 file format to store evidence and allows users to search devices for keywords, artifacts, and other digital evidence. The document provides instructions for downloading, installing, and using EnCase to examine digital media and create case files.
Digital forensics is the application of science to solve legal problems involving digital evidence. It has emerged since the 1980s as computer crimes have grown. There are challenges to reliability such as standards, controls, and new technologies like cloud and solid state drives. Case studies demonstrate how digital evidence can solve old cases, as with the BTK killer through metadata on a word document. The field faces ongoing challenges but continued research supports its validity in courts of law.
This document provides an overview of computer forensics. It defines computer forensics as the process of identifying, collecting, and analyzing digital evidence in a way that is legally acceptable. The document then discusses the evolution of digital forensics over three phases: the ad-hoc phase from the 1970s-1980s when tools were lacking; the structured phase from the 1980s-1990s when basic tools and techniques were developed; and the enterprise phase from the 1990s onward as computer use increased exponentially. Finally, it notes that computer forensics is needed for criminal investigations, security investigations, domestic cases, and data/IP theft cases to produce legally acceptable evidence that can lead to punishment.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
This document discusses the roles and responsibilities involved in incident response (IR). It describes the incident manager who leads the investigation team, and the remediation team leader who coordinates remediation activities. It outlines the IR process including initial response, investigation, and remediation phases. It provides guidance on hiring IR talent, preserving evidence, analyzing data, developing indicators of compromise, and creating reports.
This document discusses access control systems and methodologies. It covers security clearances used by the federal government, multifactor authentication/biometrics, and passwords. Specific access control methods like fingerprints, voiceprints, retina scanning, iris scanning, and face recognition are explained. The document also discusses password cracking techniques and applications used to crack passwords like John the Ripper, Rainbow Crack, and Cain & Abel.
This document provides an overview of computer forensics. It defines computer forensics as the process of preserving, identifying, extracting, documenting and interpreting computer data for legal evidence. The document then outlines the history of computer forensics, the steps involved which include acquisition, identification, evaluation and presentation, certifications available, requirements to work in the field, how evidence is collected, uses of computer forensics in criminal and civil cases, advantages like ability to search large amounts of data quickly, and disadvantages such as costs and ensuring no evidence tampering. It also lists some computer forensics labs and centers in India.
This webinar describes how you can manage the risk of privileged accounts being compromised, creating a breach of sensitive data or other assets in your organization, through privileged access management, or PAM. PAM can reduce risks by hardening your environment in ways no other solution can, but is challenging to deploy. This webinar provides an unbiased perspective on PAM capabilities, lessons learned and deployment challenges, distilling the good practices you need to be successful. It covers:
- PAM definitions, core features and specific security and compliance drivers
- The PAM market landscape and major vendors
- How to integrate PAM with identity management, service ticketing and monitoring
- Avoiding availability and performance issues
1) Data breaches are a constant threat, with insiders posing a major risk.
2) Proactive database forensics is an emerging area that can help detect and respond to insider threats.
3) A proactive forensic architecture is needed to integrate auditing and forensics activities to reliably gather evidence from multiple sources and ensure its integrity.
The document discusses various aspects of network forensics and investigating logs. It covers analyzing log files as evidence, maintaining accurate timekeeping across systems, configuring extended logging in IIS servers, and the importance of log file accuracy and authenticity when using logs as evidence in an investigation.
This document outlines a security concept and risk management process. It discusses identifying risks and assets, assessing impact and probability, and determining appropriate risk responses such as acceptance, avoidance, mitigation, and transfer. It also describes common security controls around availability, confidentiality and integrity. Attack vectors like malware, denial of service attacks, social engineering and phishing are examined. Finally, it discusses security patterns for identity and access management, segregation of duties, layered security and cryptography.
Information Security Principles - Access Controlidingolay
The document discusses various concepts related to access controls and authentication methods in information security. It covers identification, authentication, authorization, accountability and different authentication factors like something you know, something you have, something you are. It also discusses access control models, biometrics, passwords and single sign-on systems.
Identity and Access Management (IAM) is a crucial part of living in a connected world. It involves managing multiple identities of an individual or entity, distributed across disparate portals. In an enterprise, IAM solutions serve as a mean to secure access, control user activities and manage authentication for an App or a group of software (infrastructure).
This detailed PowerPoint brings you the most fundamental concepts and ideas related to identity and access management. Plus, we have debunked some popular IAM myths, so do checkout!
1) Zero Trust is a security model that does not inherently trust anything inside or outside its perimeter and instead verifies anything and everything trying to connect to its systems before granting access.
2) Traditional security models rely on physical or logical network boundaries to define what is trusted, but this is ineffective as users and devices can no longer be trusted once inside these boundaries.
3) The core tenants of Zero Trust include secure all communication, grant least permission, grant access to single resources at a time, make access policies dynamic, collect and use data to improve security, monitor assets, and periodically re-evaluate trust.
Ch 4: Footprinting and Social EngineeringSam Bowne
Slides for a college course at City College San Francisco. Based on "Hands-On Ethical Hacking and Network Defense, Third Edition" by Michael T. Simpson, Kent Backman, and James Corley -- ISBN: 9781285454610.
Instructor: Sam Bowne
Class website: https://samsclass.info/123/123_S17.shtml
A more in-depth analysis of cyber forensics; but explained eloquently for the beginner, by Chaitanya Dhareshwar - Cyber Crime Investigator, Technocrat and Entrepreneur.
Learn what cyber forensics is all about and how you can begin using the basic tools of forensics in your day to day life. Not only does it make the world a safer place, your data remains significantly more secure.
Every step you take towards cyber security in this lawless internet allows you to achieve greater knowledge unhindered.
The document discusses EnCase, a digital forensics software. It can recover various types of data from devices including pictures, documents, and entire disk drives. The software includes tools for acquisition, analysis, and reporting. It uses the .E01 file format to store evidence and allows users to search devices for keywords, artifacts, and other digital evidence. The document provides instructions for downloading, installing, and using EnCase to examine digital media and create case files.
Digital forensics is the application of science to solve legal problems involving digital evidence. It has emerged since the 1980s as computer crimes have grown. There are challenges to reliability such as standards, controls, and new technologies like cloud and solid state drives. Case studies demonstrate how digital evidence can solve old cases, as with the BTK killer through metadata on a word document. The field faces ongoing challenges but continued research supports its validity in courts of law.
This document provides an overview of computer forensics. It defines computer forensics as the process of identifying, collecting, and analyzing digital evidence in a way that is legally acceptable. The document then discusses the evolution of digital forensics over three phases: the ad-hoc phase from the 1970s-1980s when tools were lacking; the structured phase from the 1980s-1990s when basic tools and techniques were developed; and the enterprise phase from the 1990s onward as computer use increased exponentially. Finally, it notes that computer forensics is needed for criminal investigations, security investigations, domestic cases, and data/IP theft cases to produce legally acceptable evidence that can lead to punishment.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
This document discusses the roles and responsibilities involved in incident response (IR). It describes the incident manager who leads the investigation team, and the remediation team leader who coordinates remediation activities. It outlines the IR process including initial response, investigation, and remediation phases. It provides guidance on hiring IR talent, preserving evidence, analyzing data, developing indicators of compromise, and creating reports.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
This document discusses common vulnerabilities in access controls for web applications and best practices for securing them. It covers different types of privilege escalation like vertical, horizontal, and context-dependent escalation. It also discusses vulnerabilities like unprotected functionality that can be accessed without authentication, identifier-based functions where access is based on predictable IDs, and multistage functions where access is not re-validated at each step. The document provides recommendations for testing access controls and securing them through measures like centralizing control checks and restricting access based on sessions rather than request parameters.
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
This document discusses securing web applications. It describes how modern web apps allow two-way information flow and user login/content submission, which introduces security risks if user input is not properly validated. It emphasizes that the core security problem is that users can submit arbitrary input, and outlines common attacks like modifying prices or session tokens. The document then covers core defense mechanisms like authentication, session management, access control, input validation at boundaries, and handling errors and attacks through logging, alerts and responses.
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
Request forgery techniques like on-site request forgery (OSRF) and cross-site request forgery (CSRF) allow attackers to trick a user's browser into making requests without the user's consent. OSRF uses stored XSS to inject links that trigger requests when clicked, while CSRF embeds requests directly on malicious sites. Defenses include anti-CSRF tokens and preventing sensitive actions via GET. The same-origin policy does not fully prevent cross-domain data theft using techniques like JavaScript hijacking, Flash, and relaxed HTML5 CORS policies.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This is a presentation I gave at DEF CON 23, in the Packet Hacking Village.
This document discusses three key areas of preparation for effective incident response: preparing the organization, preparing the incident response team, and preparing the infrastructure. It provides details on identifying risks, policies to promote successful IR, educating users, defining the IR team mission, training the team, equipping the team, asset management, hardening hosts, implementing centralized logging, network segmentation, access controls, and documentation. The overall goal is to outline steps organizations can take before an incident occurs to facilitate rapid identification, containment, eradication and recovery.
The document discusses post-exploitation techniques during hacking. It explains why post-exploitation is important to determine the value of compromised machines, maintain control, and identify sensitive data and system configurations. It provides an overview of steps like infrastructure analysis to gather network details, pillaging systems for sensitive files, collecting user information, ensuring persistence through backdoors or rootkits, and properly cleaning systems after. The goal is to show how vulnerabilities can be chained together to gain higher levels of access during real-world attacks.
The document discusses the basics of IT security including the CIA triad of confidentiality, integrity and availability. It also covers common security concepts such as assets, vulnerabilities, threats, countermeasures and risks. Additionally, it summarizes authentication, authorization and accounting (AAA) protocols, common attacks and how to implement secure network architecture.
CNIT 152: 4 Starting the Investigation & 5 LeadsSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml
Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
This document discusses administrative security controls and incident response management. It covers topics such as least privilege, separation of duties, privilege monitoring, forensic data collection and analysis, incident response phases including preparation, detection, response, and recovery, and continuity planning including backup strategies, fault tolerance, and disaster recovery processes. The goal of these controls and plans is to mitigate risks from both internal and external threats and ensure business continuity even during disruptive events.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
This document discusses administrative security controls, forensics, incident response management, and continuity of operations. Some key points:
- Administrative controls include least privilege, separation of duties, and job rotation to mitigate fraud. Privilege monitoring scrutinizes account access.
- Forensics aims to preserve evidence and analyze systems and networks for legal purposes. It includes identification, acquisition, analysis and reporting of potential evidence.
- Incident response includes preparation, detection, response, mitigation, recovery and lessons learned. The goal is to quickly contain incidents and restore normal operations.
- Continuity of operations focuses on fault tolerance, backups, disaster recovery and maintaining service levels. It ensures critical business functions can
Track 5 session 2 - st dev con 2016 - security iot best practicesST_World
This document summarizes a presentation on IoT security good practices. It discusses various types of invasive and non-invasive attacks on IoT devices, as well as solutions to improve security such as adding a secure element, using an MCU's security features, and risk management practices. Cryptography methods that can be used for authentication, encryption and integrity are explained. The document also covers topics like secure boot, secure storage, secure communications, and the importance of security over the entire product lifecycle. Recommendations are made to design fortified products, understand risks, use security features and tools, and work with trusted partners.
This document discusses techniques for hunting bad guys on networks, including identifying client-side attacks, malware command and control channels, post-exploitation activities, and hunting artifacts. It provides examples of using DNS logs, firewall logs, HTTP logs, registry keys, installed software inventories, and the AMCache registry hive to look for anomalous behaviors that could indicate security compromises. The goal is to actively hunt for threats rather than just detecting known bad behaviors.
PLNOG 8: Merike Kaeo - Guide to Building Secure InfrastructuresPROIDEA
This document provides a summary of techniques to secure network infrastructure. It discusses protecting devices through secure access controls, filtering infrastructure to permit only required protocols, securing routing protocols through authentication and prefix filtering, securing MPLS through design rules and ACLs, and securing DNS through techniques like DNSSEC to prevent cache poisoning and unauthorized updates. The document outlines common attacks like spoofing, hijacking, and denial of service and recommends mitigation strategies across the network, routing, and application layers.
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
This document provides an overview of topics related to information security program development and management, including security program operations, secure engineering and development, network protection, endpoint protection and management, and identity and access management. It discusses key concepts for each topic such as firewalls, intrusion prevention systems, malware prevention techniques, and centralized identity and access management. The document also outlines processes for managing access governance, conducting privileged account audits, and performing user behavior analytics.
The document discusses authentication, authorization, and accounting (AAA) as a model for access control. Authentication verifies a user's identity, usually with a username and password. Authorization determines the resources and actions a user can access. Accounting tracks user activity for auditing purposes. Nonrepudiation prevents users from denying actions. Common authentication methods include passwords, smart cards, and biometrics. Technologies like Active Directory, RADIUS, and Kerberos are used to centrally manage AAA. Permissions and access control lists determine what access users have to files, folders, and other objects. Encryption and digital certificates enhance security.
Distributed Sensor Data Contextualization for Threat Intelligence AnalysisJason Trost
As organizations operationalize diverse network sensors of various types, from passive sensors to DNS sinkholes to honeypots, there are many opportunities to combine this data for increased contextual awareness for network defense and threat intelligence analysis. In this presentation, we discuss our experiences by analyzing data collected from distributed honeypot sensors, p0f, snort/suricata, and botnet sinkholes as well as enrichments from PDNS and malware sandboxing. We talk through how we can answer the following questions in an automated fashion: What is the profile of the attacking system? Is the host scanning/attacking my network an infected workstation, an ephemeral scanning/exploitation box, or a compromised web server? If it is a compromised server, what are some possible vulnerabilities exploited by the attacker? What vulnerabilities (CVEs) has this attacker been seen exploiting in the wild and what tools do they drop? Is this attack part of a distributed campaign or is it limited to my network?
Remote forensics involves acquiring digital evidence from remote devices or locations without physical access. It includes applications like electronic discovery, incident response, network forensics, and cloud forensics. While often understood as live forensics, remote forensics also includes techniques like booting devices into forensic modes remotely or using forensic tools on remote systems to access local evidence. Enterprise-level remote forensic tools allow preventative forensics and faster incident response but are not widely used due to budget, knowledge, and legal barriers. As technology spreads and more data is stored remotely, remote forensics will become more important and perhaps even fully automated for Internet of Things devices in the future.
This document summarizes several security analysis tools, including CACLS for modifying access control lists in Windows, NSLOOKUP for resolving domain names to IP addresses, Traceroute/tracert for tracing the network path between hosts, Ping for checking network connectivity, and WS-Ping which combines tools like Ping, Traceroute, network scanning, and information gathering. It also discusses SATAN and Nessus, which are vulnerability scanners that detect potential security issues by analyzing network configurations and services without exploiting any vulnerabilities.
This document provides an overview of reviewing firewall, router, and switch configurations to ensure network infrastructure security. It discusses defining critical assets to protect, assessing firewall, router, and switch configurations to protect those assets with concentric security layers, and common security best practices for these devices such as controlling access, disabling unneeded services, and using secure management channels. Definitions of networking and security terms are also provided.
Similar to CNIT 121: 3 Pre-Incident Preparation (20)
The document discusses various topics related to cyberwar including Mastodon, Lockheed-Martin's kill chain model, and Mitre's ATT&CK framework. It notes that China, Russia, Iran, and North Korea pose major cyber threats according to the FBI and CISA. China is described as the broadest cyber espionage threat. Russia conducts destructive malware and ransomware operations. Iran's growing cyber expertise makes it a threat. North Korea's program poses an espionage, cybercrime, and attack threat and continues cryptocurrency heists.
- DNS vulnerabilities can arise from configuration errors, architecture mistakes, vulnerable software implementations, protocol weaknesses, and failure to use security extensions.
- Common mistakes include single points of failure, exposure of internal information, leakage of internal queries, unnecessary recursiveness, failure to restrict access, and unprotected zone transfers.
- Software vulnerabilities have included buffer overflows and flaws in randomization of source ports, transaction IDs, and domain name ordering that enable cache poisoning and man-in-the-middle attacks.
This chapter discusses software development security. It covers topics like programming concepts, compilers and interpreters, procedural vs object-oriented languages, application development methods like waterfall vs agile models, databases, object-oriented design, assessing software vulnerabilities, and artificial intelligence techniques. The key aspects are securing the entire software development lifecycle from initial planning through operation and disposal, using secure coding practices, testing for vulnerabilities, and continually improving processes.
This document discusses attacking iOS applications by exploiting vulnerabilities in the iOS runtime, interprocess communication, and through injection attacks. Specifically, it covers instrumenting the iOS runtime using method swizzling, attacking applications using interprocess communication techniques like application extensions, and exploiting entry points like UIWebViews, client-side data stores, and file handling routines to perform injection attacks on iOS apps.
This document provides an overview of elliptic curve cryptography including what an elliptic curve is, the elliptic curve discrete logarithm problem (ECDLP), Diffie-Hellman key agreement and digital signatures using elliptic curves. It discusses NIST standard curves like P-256 and Curve25519 as well as choosing appropriate curves and potential issues like attacks if randomness is not properly implemented or an invalid curve is used.
The document discusses the Diffie-Hellman key exchange protocol. It describes how Diffie-Hellman works by having two parties agree on a shared secret over an insecure channel without transmitting the secret itself. It also covers potential issues like using proper cryptographic techniques to derive keys from the shared secret and using safe prime numbers to prevent attacks.
This document provides an overview of analyzing iOS apps, including jailbreaking mobile devices. It discusses iOS security features like code signing and sandboxing. It explains how to set up a test environment for analyzing apps by jailbreaking a device and using Unix tools. Key files like property lists and databases that can be explored are also outlined.
This document discusses various techniques for writing secure Android apps, including minimizing unnecessary permissions and exposure, securing data storage and communication, and making apps difficult to reverse engineer. It provides examples of implementing essential security mechanisms like permission protection and securing activities, content providers, and web views. It also covers more advanced techniques such as protection level downgrades, obfuscation, and tamper detection.
12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
The document discusses investigating Windows systems by analyzing the Windows Registry. It describes the purpose and structure of the Registry, including the main hive files and user-specific hives. It provides an overview of important Registry keys that can contain forensic artifacts, such as system configuration keys, network information keys, user and security information keys, and auto-run keys that can indicate malware persistence. Specific Registry keys and values are highlighted that are most useful for analyzing evidence on a compromised system, including ShellBags, UserAssist, MRU lists, and Internet Explorer TypedURLs and TypedPaths. Tools for Registry analysis like RegRipper, AutoRuns, and Nirsoft utilities are also mentioned.
This document provides an overview of the RSA cryptosystem. It begins with the mathematical foundations of RSA, including the group ZN* and Euler's totient function. It then covers the RSA trapdoor permutation using modular exponentiation and key generation. The document discusses encrypting and signing with RSA, as well as implementations using libraries and algorithms like square-and-multiply. It concludes with topics like side-channel attacks, optimizations for speed, and ways implementations can fail like the Bellcore attack on RSA-CRT.
12 Investigating Windows Systems (Part 1 of 3Sam Bowne
This document provides an overview of analyzing the Windows file system, NTFS metadata, and logs to investigate security incidents and recover deleted files. It discusses the Master File Table (MFT) structure, timestamps, alternate data streams, prefetch files, event logs, and scheduled tasks. The MFT stores file metadata including attributes, timestamps, and data runs. File deletion only marks the MFT entry inactive, allowing recovery of deleted file contents and metadata. Event and security logs can reveal lateral movement and suspicious processes. Prefetch files indicate program execution history. Scheduled tasks configure automated programs through .job files logged by Task Scheduler.
This document discusses computational hardness and complexity classes related to cryptography. It covers the computational complexity of problems like factoring large numbers and the discrete logarithm problem. These problems are assumed to be hard, even for quantum computers, and form the basis for cryptographic techniques. The document also discusses how cryptography could be broken if faster algorithms were found for these problems or if the key sizes used were too small.
This document discusses exploiting vulnerabilities in Android devices. It covers identifying pre-installed apps that could provide access, techniques for remotely or locally exploiting devices, and the different privilege levels an attacker may obtain including non-system app access, installed package access, ADB shell access, system user access, and root user access. Specific exploitation techniques mentioned include exploiting update mechanisms, remote code loading, webviews, listening services, and messaging apps. Tools discussed include Drozer, Ettercap, and Burp.
This document provides an overview of the incident response analysis methodology process. It discusses defining objectives, understanding the situation and available resources, identifying leadership, avoiding impossible tasks like proving a negative, asking why to define scope, knowing where data is stored, accessing raw data, selecting analysis methods like searching for malware or using tools like VirusTotal, manual review, filtering data, statistical analysis using tools like Sawmill, string searching, analyzing unallocated space, and file carving. It stresses periodically evaluating results to ensure progress and only making definitive statements if supported by evidence.
This document discusses authenticated encryption, which both encrypts messages and authenticates them with a tag. It covers several authenticated encryption schemes:
1. Authenticated Encryption with Associated Data (AEAD) which encrypts a plaintext and authenticates additional associated data with a tag.
2. AES-GCM, the standard authenticated cipher, which uses AES in Galois/Counter Mode. It has two layers - encryption then authentication.
3. OCB, faster than GCM but limited by licensing. It blends encryption and authentication into one layer.
4. SIV, considered the safest as it is secure even if nonces are reused, but it is not streamable.
This document summarizes part 2 of a course on attacking Android applications. It discusses how application components like activities and services can be exploited if not properly protected. Specific vulnerabilities in the Sieve password manager application are demonstrated, including insecure content providers, SQL injection, and an insecure file-backed content provider. The document also covers how services and broadcast receivers can be abused if not protected correctly.
This document discusses attacking Android applications through their components. It covers exploiting vulnerabilities in an app's security model, intercepting communications, and compromising application containers or internet servers that apps rely on. Specific attacks examined include bypassing the lock screen, tapjacking, accessing private app data through recently used screenshots, and changing a PIN without knowing the old one using fragment injection. The document provides examples of how to interact with an app's activities, services, content providers and permissions through intents and other techniques.
The document discusses stream ciphers and how they can be implemented in either hardware or software. It describes how stream ciphers work by generating a pseudorandom bitstream from a key and nonce that is XOR'd with the plaintext. Hardware-oriented stream ciphers were initially more efficient to implement than block ciphers using dedicated circuits like LFSRs. However, LFSR-based designs are insecure and modern software-oriented stream ciphers like Salsa20 are more efficient on CPUs. The document cautions that stream ciphers can be broken if the key and nonce are reused or if there are flaws in the implementation.
Live data collection on Windows systems can be done using prebuilt kits like Mandiant Redline or Velociraptor, by creating your own scripted toolkit using built-in and free tools to collect processes, network connections, system logs and other volatile data, while following best practices like testing your methods first and being cautious of malware on investigated systems.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
Executive Directors Chat Leveraging AI for Diversity, Equity, and InclusionTechSoup
Let’s explore the intersection of technology and equity in the final session of our DEI series. Discover how AI tools, like ChatGPT, can be used to support and enhance your nonprofit's DEI initiatives. Participants will gain insights into practical AI applications and get tips for leveraging technology to advance their DEI goals.
Thinking of getting a dog? Be aware that breeds like Pit Bulls, Rottweilers, and German Shepherds can be loyal and dangerous. Proper training and socialization are crucial to preventing aggressive behaviors. Ensure safety by understanding their needs and always supervising interactions. Stay safe, and enjoy your furry friends!
How to Add Chatter in the odoo 17 ERP ModuleCeline George
In Odoo, the chatter is like a chat tool that helps you work together on records. You can leave notes and track things, making it easier to talk with your team and partners. Inside chatter, all communication history, activity, and changes will be displayed.
A Strategic Approach: GenAI in EducationPeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
Main Java[All of the Base Concepts}.docxadhitya5119
This is part 1 of my Java Learning Journey. This Contains Custom methods, classes, constructors, packages, multithreading , try- catch block, finally block and more.
Physiology and chemistry of skin and pigmentation, hairs, scalp, lips and nail, Cleansing cream, Lotions, Face powders, Face packs, Lipsticks, Bath products, soaps and baby product,
Preparation and standardization of the following : Tonic, Bleaches, Dentifrices and Mouth washes & Tooth Pastes, Cosmetics for Nails.
6. Identifying Risk: Assets
• Corporate reputation
• Confidential business information
• Personally identifiable information
• Payment account data
7. Identifying Risk: Exposures
• Unpatched web servers
• Internet-facing systems
• Disgruntled employees
• Untrained employees
8. Identifying Risk:
Threat Actors
• Who can actually exploit these
exposures
• Anyone from the Internet
• Physical access to building
• Physically within a secure area
10. Working with Outsourced IT
• Challenges may include
• Red tape delays requesting work
• Additional costs
• No vehicle to accomplish a task, such as
getting log files for analysis
• Service Level Agreements are required for
responsiveness to critical requests
11. Global Infrastructure Issues
• Large multinational organizations
• Privacy and labor regulations may limit
searches for indicators of compromise
• Team coordination across many time zones
• Data accessibility--large data sets such as
disk images are difficult to efficiently transfer
12. Educating Users on
Host-Based Security
• Common ways users are targeted
• Proper response to suspected incidents
• Specific contact person
• Don't attempt an amateur investigation, which
may destroy evidence
• Server software installed by users, such as FTP,
can jeopardize the organization's security
16. Internal Communications
• Attackers often monitor email to see if they have been
detected
• Encrypt email with S/MIME or PGP
• Label documents and communications as
recommended by your legal counsel
• Monitor conference call participation
• Use case numbers or project names to refer to an
investigation
• Adjust emails from IDS systems and other devices not
to disclose sensitive information
18. Communicating with
External Parties
• Often required by governance and legislation
• Incident disclosure language in contracts
• Use approved channels, such as public
relations or legal office
20. Training the IR Team
• Carnegie Mellon
• Purdue
• Johns Hopkins
• SANS
21. Hardware to Outfit
the IR Team
• Data protection with encryption
• Permanent, internal media (SSDs and hard disks)
• Full-disk encryption (FDE) like TrueCrypt or
Mcafee Endpoint Encryption
• Hardware-based FDE; Self-Encrypting Drive (SED)
• External media (thumb drives, USB hard disks or
SSDs, external SATA drives)
• TrueCrypt is a common solution
• TrueCrypt is dead, replaced by VeraCrypt (links Ch
3c, 3d)
22. Forensics in the Field
• Laptop computer with
• As much RAM as possible
• The fastest CPU possible
• I/O buses -- eSATA, Firewire 800, USB 3.0
• Screen: large and high resolution
• Large and fast internal storage drives
• Portable and under warranty
23. Forensics at the Office
• Dedicated forensics lab
• Systems with write-blockers
• Secure storage for original material with
written evidence-handling policies
• Fresh, clean virtual analysis machines with
forensic tools installed
• Analysts work on copies of the data, never
on original data
26. Network Monitoring
Platforms
• For ad-hoc monitoring, a laptop similar to the
one for on-site forensic work (with a built-in
UPS)
• Most often, use a 1U rack-mount system
• 12-16 GB of RAM, high-end CPU, storage with
enough speed and capacity to hold incoming
data at 80% of line speed
• Separate network port for management
28. Software for the IR Team
• "Forensically Sound" software
• Many people think a tool is approved by courts, such as
EnCase, but any software may be used if the court accepts it
• Daubert standard for admissibility of scientific evidence
30. Software Used by IR Teams
• Boot disks or USB sticks
• Such as Kali, CAINE, or Helix
• Operating Systems (all common types, virtualized)
• Disk imaging tools (approved by NIST, link Ch 3h)
• Memory Capture and Analysis
31. Software Used by IR Teams
• Live response capture and analysis
• Indicator creation and search utilities
• Forensic examination suites
• Like EnCase, FTK, or SleuthKit and Autopsy
• Log analysis tools
32. Documentation:
Evidence Handling
• Strict procedures to maintain integrity with positive
control
• Evidence must be always under direct
supervision, or secured in a controlled container,
such a safe
• Evidence must be shipped via a traceable carrier,
packaged in a tamper-evident manner, and
protected from the elements
• Cryptographic hash value such as MD5
35. Documentation:
Internal Knowledge Repository
• Ticketing or case management system holds
knowledge about a specific case
• Knowledge repository contains information
relevant to many cases
• Logically organized and searchable
38. Computing Device
Configuration
• Many organizations focus attention on the
systems they regard as important
• But attackers often use noncritical systems to
base their attacks
• Two steps:
• Understand what you have
• Improve and augment
• Log settings, antivirus, HIPS, etc.
40. Asset Management
• Need information about systems
• Date provisioned
• Ownership and Business Unit
• Physical location
• Contact information
• Role or services
• Network configuration
42. Passwords
• Attackers often obtain hundreds of
thousands of passwords, by hash dumps of
domain controllers
• Including service accounts
• Often hard-coded into back-office systems
and applications
• Same local administrator account on all
systems
43. Services
• Run in the background
• "Log on as" shows service accounts
44. Instrumentation
• Software metering
• Performance monitoring
• AV or host-based firewalls
• Event, error, and access logs
• Centralized system is very helpful
47. What to Log
on Windows
• Log-on and log-off events
• User and group management
• Process creation and termination
• Increase local storage for each event log to 100
MB or 500 MB
• Forward all events to centralized logging
system
48. What to Log
on Unix
• Enable process accounting
• increase local storage
• Forward all events to a centralized logging
system
49. What to Log
from Applications
• Web server, proxy, and firewall logs
• Database, email, DHCP, AV, IPS/IDS
• DNS query logging
• Custom applications
50. Antivirus and Host Intrusion
Prevention Systems
• Log events to a central server
• Don't delete malware on detection
• Quarantine it to a central location preserves
evidence
• Don't automatically transmit suspicious files to a
vendor
• It may contain sensitive data like proxy settings
or credentials
• It may alert the attacker that they've been caught
51. Investigative Tools
• Can search your environment for artifacts like
malware or attacker tools
• AccessData Enterprise
• Guidance Software EnCase Enterprise
• Mandiant Intelligent Response
• Homegrown solution using shell scripts and
Windows Management Instrumentation (WMI)
54. Controls
• Traffic filtering at the sub-organization level
• Web, chat, and file transfer proxies
• Two-factor authentication for connections
crossing significant borders
55. Microsoft RPC
(Remote Procedure Calls)
• Ports 135, 137, 138, 139, 445
• Once you allow access for file sharing, you get
remote administration (psexec) over those same
ports
56.
57. Access Control
• Traffic between zones is carefully controlled
• Personnel in the Finance group can get email, Active
Directory, and web traffic to proxies
• Connections to servers over HTTPS
• Servers are not allowed to send outbound traffic to the
Internet
• For system management, administrator uses two-
factor authentication to the specified administrative
workstation (jump-box)
59. Blackholes
• Remove default routes from internal routers and
switches
• Workstations and servers that require access to
external resources must go through the
authenticated proxy
• Proxy logs can detect unusual traffic patterns
• Traffic to external IP addresses sent to a blackhole
or a system for analysis
• Can act as a simple early-warning system
61. Documentation
• Network diagrams at various levels
• Placement of network monitoring devices
requires that information
• Device configurations (routers, firewalls,
switches)
• Change control can detect tampering
62. Logging and Monitoring
Devices
• Firewalls
• Intrusion Detection Systems
• Full-content capture systems
• Hardware network tap
• Netflow emitters (statistical traffic monitoring)
• Proxy servers
63. Network Services
• Configure DNS and DHCP services for extensive
logging
• Retain the logs for at least a year
• Configure a DNS blackhole to redirect malicious
traffic to a monitoring server
• Links Ch 3q, 3r