
Management of incident Preventing

In the name of God. APA of Isfahan University of Technology. Management of incident Preventing. Computer Security Incident





Presentation Transcript


  1. In the name of God APA of Isfahan University of Technology Management of incident Preventing

  2. Introduction: Computer Security Incident • The term “security incident” is defined as an act of non-compliance with a security policy, procedure, or core security requirement that impacts the confidentiality, integrity, or availability of health information.

  3. Steps: Preparation; Detection and Analysis; Containment, Eradication, Recovery; Post-Incident Activities • Preparation: the organization is ready to respond to incidents, and also prevents incidents by ensuring that systems, networks, and applications are sufficiently secure. • Detection and Analysis: the organization receives the incident report or a sign of an incident and searches for its type and cause. • Containment, Eradication, Recovery: the organization acts to mitigate the impact of the incident by containing it and ultimately recovering from it. • Post-Incident Activities: the organization’s members share “lessons learned” from the incident.

  4. Preparation: 2) Preventing Incidents • Recommended practices for securing networks: • Patch Management • Host Security • Network Security • Malicious Code Prevention

  5. Overview: Types of Incidents • Denial of Service • Unauthorized Access • Inappropriate Usage • Malicious Code • Multiple Component Incidents

  6. Denial of service

  7. Denial of Service Incidents – Definition: A Denial of Service (DoS) is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.

  8. Denial of Service Incidents – DDoS: Distributed Denial of Service

  9. Denial of Service Incidents – Types of DDoS Attacks: 1) Reflector Attack

  10. Denial of Service Incidents – Types of DDoS Attacks: 2) Amplifier Attack

  11. Denial of Service Incidents – Types of DDoS Attacks: 3) Flood Attack

  12. Denial of Service Incidents – Step 1: Preparation • Preparation • ISP • IDS configuration • Resource monitoring • Maintain a paper copy of the handling documents

  13. Denial of Service Incidents – Step 1: Preparation • Prevention • Control traffic • On Internet-accessible hosts, disable all unneeded services • Implement redundancy for key functions • Ensure that networks and systems are not running near maximum capacity

  14. Denial of Service Incidents – Step 2: Detection and Analysis – Precursors and Reactions: • Low volume of traffic caused by reconnaissance activities → block the ways of attack • A new DoS tool → investigate it and change configurations

  15. Denial of Service Incidents – Step 2: Detection and Analysis – Indications of each type of DoS: • Network-based DoS against a host • Network-based DoS against a network • DoS against the OS of a host • DoS against an application on a particular host

  16. Denial of Service Incidents – Step 2: Detection and Analysis – Notice! • The IP address is spoofed in most cases → logs may be helpful to find the attacker. • When an outage occurs, no one may realize that a DoS attack caused it → outages are so common! • Network-based DoS attacks are difficult for IDPS sensors to detect with a high degree of accuracy → users get false alerts, so they disable it. • Attackers use zombies → the agent hosts are not themselves the guilty party.

  17. Denial of Service Incidents – Step 3: 1) Containment Strategies • Simple solution: filtering all traffic by IP address • Spoofed IPs → most of the time this is not possible • Solution: filtering based on traffic characteristics (port, protocol, …)

  18. Denial of Service Incidents – Step 3: 1) Containment Strategies – Other strategies: • Correct the vulnerability • Relocate the target • Attack the attacker!

  19. Unauthorized Access Incidents

  20. Unauthorized Access Incidents – Definition: An unauthorized access incident occurs when a person gains access to resources that the person was not intended to have.

  21. Unauthorized Access Incidents – Special characteristic: • These kinds of attacks mostly occur in several steps. • First the attacker gains limited access through a vulnerability, then tries to gain a higher level of access. • So: tracking the incident is important.

  22. Unauthorized Access Incidents – Step 1: Preparation • Preparation • Education • Configuration • Control • Prevention • Network Security • Host Security • Authentication and Authorization • Physical Security

  23. Unauthorized Access Incidents – Step 2: Detection and Analysis • Has many types of occurrence • Lots of precursors and indications • Must be customized to the specific environment

  24. Unauthorized Access Incidents – Step 2: Detection and Analysis – Precursors: • Detecting reconnaissance activities through IDPS • A failed physical access attempt to a system • A user report of a social engineering attempt • A new exploit for gaining unauthorized access is released publicly

  25. Unauthorized Access Incidents – Step 2: Detection and Analysis – Types of unauthorized access and possible indications: • Root compromise of a host • Unauthorized data modification • Unauthorized usage of a standard user account • Physical intruder • Unauthorized data access

  26. Unauthorized Access Incidents – Step 2: Detection and Analysis – Problem: • It is difficult to distinguish malicious activity from benign activity. Solution: • A change management process

  27. Unauthorized Access Incidents – Step 2: Detection and Analysis – Prioritization – Problem: • Calculating current and future impact is difficult. Solution: • The incident may need to be prioritized before the analysis is complete • This must be done based on an estimate of the current impact. Next step: consider the criticality of the resources.

  28. Unauthorized Access Incidents – Step 3: 1) Containment Strategies – Problem: • Response time is important, but the analysis step may take a long time. Solution: • Perform an initial analysis, then prioritize, respond, and carry out another analysis stage.

  29. Unauthorized Access Incidents – Step 3: 1) Containment Strategies – Easy solution: shutting down the system!!! The moderate one: • A combination of: • Isolate the affected systems • Disable the affected service • Eliminate the attacker’s route into the environment • Disable user accounts that may have been used in the attack • Enhance physical security measures

  30. Unauthorized Access Incidents – Step 3: 2) Eradication and Recovery • Recovery is based on the level of access gained • In case of root access → system restore • Mitigate the vulnerability

  31. Inappropriate Usage Incidents

  32. Inappropriate Usage Incidents – Definition: An inappropriate usage incident occurs when a user performs actions that violate acceptable computing use policies.

  33. Inappropriate Usage Incidents – Examples: • Downloading password cracking tools • Sending spam promoting a personal business • Emailing harassing messages to coworkers • Setting up an unauthorized Web site on one of the organization’s computers • Using file sharing services to acquire or distribute pirated materials • Transferring sensitive materials from the organization to external locations

  34. Inappropriate Usage Incidents – Examples (attacks that harm outside entities from inside the organization): • An internal user: • defacing another organization’s public Web site • purchasing items from online retailers with stolen credit card numbers • A third party: • sending spam emails with spoofed source email addresses that appear to belong to the organization • performing a DoS against an organization by generating packets with spoofed source IP addresses that belong to the organization

  35. Inappropriate Usage Incidents – Types of inappropriate use: • Personal e-mail • Deliberate disclosure of sensitive information • Inadvertent misuse

  36. Inappropriate Usage Incidents – Impacts of inappropriate usage on the organization: • Loss of productivity • Increased risk of liability and legal action • Reduction (or loss) of network bandwidth • Increased risk of virus infection and other malicious code

  37. Inappropriate Usage Incidents – Step 1: Preparation • Preparation • Coordinate with: • representatives of the organization’s human resources • the physical security team • Set up a proxy and log users’ activities • Configure IDPS software

  38. Inappropriate Usage Incidents – Step 1: Preparation • Prevention • Configure: • Firewall • Email server • Set: • URL filtering rules • Limitations on the use of encrypted protocols

  39. Inappropriate Usage Incidents – Step 2: Detection and Analysis • Usually no precursor, just user reports • Analyzing reports (is a report real or not?) Problem: • Incidents reported from outside the organization. Solution: • Accurate and complete logging
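Slides 37 and 39 call for a logging proxy and for accurate, complete logs so that an incident reported from outside can be traced back to an internal host. This added example (not from the presentation) attributes a constructed external abuse report to an internal host through NAT translation records, and shows the failure mode the slides warn about: when the report or the log lacks the source port, several hosts match and the incident cannot be attributed to one user. Log format, addresses and the five-second window are assumptions.

```python
"""Added example: attribute an externally reported incident to an internal host
using NAT logs. The NAT log, the report and the time window are constructed."""
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed NAT translation log: time, internal src, translated public ip:port, destination.
NAT_LOG = """\
2024-03-01T10:14:58Z nat src=10.0.5.21:51422 xlat=192.0.2.10:40001 dst=198.51.100.7:80
2024-03-01T10:15:01Z nat src=10.0.5.33:49180 xlat=192.0.2.10:40002 dst=198.51.100.7:80
2024-03-01T10:15:02Z nat src=10.0.7.8:53311 xlat=192.0.2.10:40003 dst=203.0.113.44:443
"""

# Constructed complaint from the outside party: "your public address 192.0.2.10 hit us".
REPORT = {"time": "2024-03-01T10:15:00Z", "src_ip": "192.0.2.10", "src_port": 40002,
          "dst_ip": "198.51.100.7", "dst_port": 80}


def parse_nat(text):
    """Parse 'key=value' NAT records into dicts with a datetime and split fields."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[2:])
        pub_ip, pub_port = fields["xlat"].split(":")
        rows.append({"ts": datetime.strptime(parts[0], TS_FMT),
                     "internal": fields["src"].split(":")[0],
                     "pub_ip": pub_ip, "pub_port": int(pub_port),
                     "dst": fields["dst"]})
    return rows


def attribute(report, nat_rows, window=timedelta(seconds=5)):
    """Return the internal hosts whose translation matches the report within `window`.

    A complete report (with source port) pins down one host. Without the port,
    every host that reached the same destination in the window is a candidate,
    which is exactly why the slides insist on complete logging.
    """
    when = datetime.strptime(report["time"], TS_FMT)
    want_dst = f"{report['dst_ip']}:{report['dst_port']}"
    port = report.get("src_port")
    hits = {r["internal"] for r in nat_rows
            if abs(r["ts"] - when) <= window
            and r["dst"] == want_dst
            and r["pub_ip"] == report["src_ip"]
            and (port is None or r["pub_port"] == port)}
    return sorted(hits)


if __name__ == "__main__":
    rows = parse_nat(NAT_LOG)
    print("complete report:", attribute(REPORT, rows))
    print("no source port: ", attribute({**REPORT, "src_port": None}, rows))
```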

  40. Inappropriate Usage Incidents – Step 2: Detection and Analysis – Activities and their indications: • Attack against an external party → IDPS alerts and logs • Access to inappropriate materials → user reports, IDPS alerts and logs • Unauthorized access or usage → unusual traffic, new processes, new files, user reports, IDPS alerts and logs

  41. Inappropriate Usage Incidents – Step 2: Detection and Analysis – Prioritization: • The business impact of these incidents differs • It depends on: • Whether the activity is criminal • How much damage the organization’s reputation may sustain

  42. Inappropriate Usage Incidents – Step 2: Detection and Analysis – Prioritization: Example of a response time table

  43. Inappropriate Usage Incidents – Step 3: Containment, Eradication and Recovery • Generally no such step is needed • It may be just reinstalling uninstalled software • Evidence gathering is important
