cit 380 securing computer systems
Download
Skip this Video
Download Presentation
CIT 380: Securing Computer Systems

Loading in 2 Seconds...

play fullscreen
1 / 31

CIT 380: Securing Computer Systems - PowerPoint PPT Presentation


  • 160 Views
  • Uploaded on

CIT 380: Securing Computer Systems. Incident Response. Incident Response. What is an Incident? Phases of Incident Response Preparation Identification Containment Damage Assessment Preserve Evidence Eradication Recovery Follow-up. What is an Incident?. Violation of security policy:

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'CIT 380: Securing Computer Systems' - josiah


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
cit 380 securing computer systems

CIT 380: Securing Computer Systems

Incident Response

CIT 380: Securing Computer Systems

incident response
Incident Response

What is an Incident?

Phases of Incident Response

  • Preparation
  • Identification
  • Containment
  • Damage Assessment
  • Preserve Evidence
  • Eradication
  • Recovery
  • Follow-up

CIT 380: Securing Computer Systems

what is an incident
What is an Incident?

Violation of security policy:

  • Unauthorized access of information
  • Unauthorized access to machines
  • Embezzlement
  • Virus or worm attack
  • Denial of service attacks
  • Email spam or harassment

CIT 380: Securing Computer Systems

detecting an incident
Detecting an Incident
  • Catching perpetrator in the act
    • Unauthorized logins, NIDS alerts.
  • Noticing unauthorized system changes.
  • Receiving a message from another site, saying that your site was used to launch an attack on them.
  • Strange activities on system:
    • crashes, random reboots, slow performance.

CIT 380: Securing Computer Systems

incident response1
Incident Response

Restoring system to satisfy site security policy

Phases:

  • Preparation for attack (before attack detected)
  • Identification of attack
  • Containment of attack (confinement)
  • Damage assessment
  • Preserve evidence (if necessary)
  • Eradication of attack (stop attack)
  • Recovery from attack (restore system to secure state)
  • Follow-up to attack (analysis and other actions)

CIT 380: Securing Computer Systems

preparation
Preparation
  • Configure intrusion detection systems.
  • Determine your response goals.
  • Document incident response procedures.
    • Who to contact?
    • What to do?
  • Organizing a CSIRT
    • Finding and training personnel.
    • Hardware/software necessary for investigation.

CIT 380: Securing Computer Systems

incident response goals
Incident Response Goals
  • Determine if a security breach occurred.
  • Contain intrusion to prevent further damage.
  • Recover systems and data.
  • Prevent future intrusions of same kind.
  • Investigate and/or prosecute intrusion.
  • Prevent public knowledge of incident.

CIT 380: Securing Computer Systems

identification
Identification
  • Who/what reported incident.
  • Date and time of the incident.
  • Nature of the intrusion.
    • What level of unauthorized access was attained?
    • Is it known to the public?
  • Hardware/software involved
    • How critical are the affected systems?
  • Assemble CSIRT
    • Team membership may vary based on nature of incident

CIT 380: Securing Computer Systems

containment
Containment

Limit access of attacker to system resources.

Containment method depends on criticality of systems and extent of intrusion.

  • Monitoring intruder
  • Reducing intruder’s access
  • Deception
  • De-activating the affected account
    • Need to kill active processes too
  • Blocking access to system via firewall
  • Pulling network/phone cable
  • Powering down system

CIT 380: Securing Computer Systems

monitoring
Monitoring
  • Records attacker’s actions; does not interfere with attack:
    • Idea is to find out what the attacker is after and/or methods the attacker is using.
  • Problem: attacked system is vulnerable throughout
    • Attacker can also attack other systems.
  • Example: type of OS can be derived from settings of TCP and IP packets of incoming connections
    • Analyst draws conclusions about source of attack.

CIT 380: Securing Computer Systems

reducing access
Reducing Access
  • Reduce protection domain of attacker.
  • Problem: if defenders do not know what attacker is after, reduced protection domain may contain what the attacker is after.
    • Stoll created document that attacker d/led.
    • Download took several hours, during which the phone call was traced to Germany.

CIT 380: Securing Computer Systems

deception
Deception

Honeypot: system designed for intruders to attack, to waste their time and to allow safe monitoring

  • ex: The Honeynet Project, honeyd

Deception Tool Kit

  • Creates false network interface.
  • Can present any network configuration to attackers.
  • When probed, can return wide range of vulnerabilities.
  • Attacker wastes time attacking non-existent systems while analyst collects and analyzes attacks to determine goals and abilities of attacker.

CIT 380: Securing Computer Systems

deception1
Deception
  • Experiments show deception is effective response to keep attackers from targeting real systems.

CIT 380: Securing Computer Systems

honeynet project
Honeynet Project

Tool development

  • Environment simulation: virtual machines.
  • Data control: firewalling tools to limit attacker activities to avoid damaging other systems.
  • Data collection: network and keystroke loggers.
  • Data analysis: tools to extract relevant data from tcpdump logs and more.

Research and documentation

  • Analysis of attacker and honeypot techniques.
  • Analysis of particular attacks.

CIT 380: Securing Computer Systems

damage assessment data
Damage Assessment: Data
  • System date and time when assessment began.
  • List of users currently logged in.
  • Time/date stamps for filesystem.
  • List of processes
  • List of open network sockets
    • Associated applications
    • Associated systems

CIT 380: Securing Computer Systems

damage assessment data1
Damage Assessment: Data
  • System configuration files.
  • Log and accounting files.
  • System date and time when assessment complete.

CIT 380: Securing Computer Systems

data assessment procedure
Data Assessment: Procedure

Use trusted binaries from floppy/CDROM

  • Use a trusted shell.
  • Set PATH to only use floppy/CDROM tools.

System date and time:

> date

Mon Apr 26 13:33:08 EDT 2004

List of current users

> w

1:33pm up 30 day(s), 3:34, 3 users, load avg:0.26

User tty [email protected] idle JCPU PCPU what

root console 9:21am 4:13 -sh

wald pts/14 15Apr04 3:25 66:24 63:06 -bash

root pts/20 9:21am 4:12 -sh

novi pts/6 Sat 4pm 17 52 -bash

CIT 380: Securing Computer Systems

data assessment procedure1
Data Assessment: Procedure

File date/time stamps

ls –alRu / >/mnt/floppy/atime

ls –alRc / >/mnt/floppy/ctime

ls –alR / >/mnt/floppy/mtime

CIT 380: Securing Computer Systems

data assessment procedure2
Data Assessment: Procedure

Network ports

> netstat –anp

Active Internet connections (servers and established)

Proto Local Addr Foreign Addr State Program

tcp :::22 :::* LISTEN 26327/sshd

tcp 10.17.0.110:22 10.1.0.90:51327 ESTABLISHED 28644/sshd:

tcp 127.0.0.1:25 0.0.0.0:* LISTEN 1840/sendmail

udp 0.0.0.0:32768 0.0.0.0:* 1456/rpc.statd

udp 0.0.0.0:68 0.0.0.0:* 1363/dhclient

udp 0.0.0.0:111 0.0.0.0:* 1436/portmap

CIT 380: Securing Computer Systems

data assessment procedure3
Data Assessment: Procedure

Running Processes

> ps aux

USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND

root 1 0.0 0.0 1928 520 ? S Apr17 0:04 init [5]

root 1403 0.0 0.0 2128 580 ? S Apr17 0:01 syslogd -m 0

rpc 1436 0.0 0.0 2516 576 ? S Apr17 0:00 portmap

rpcuser 1456 0.0 0.0 2916 832 ? S Apr17 0:00 rpc.statd

smmsp 1849 0.0 0.2 7324 2520 ? S Apr17 0:00 sendmail: Queue [email protected]:00:00 for /var/spool/clientmqueue

root 1970 0.0 0.0 2992 348 tty3 S Apr17 0:00 /sbin/mingetty tty3

root 26327 0.0 0.1 4728 1504 ? S Apr21 0:00 /usr/sbin/sshd

waldenj 28646 0.0 0.2 8548 2560 ? S 11:12 0:00 sshd: [email protected]

/7

waldenj 28647 0.0 0.1 6800 1500 pts/7 S 11:12 0:00 -bash

root 28767 0.0 0.1 6572 1356 pts/7 S 13:44 0:00 bash

root 28789 0.0 0.0 3624 876 pts/7 R 13:49 0:00 ps aux

CIT 380: Securing Computer Systems

data assessment procedure4
Data Assessment: Procedure

Collect system configuration

  • Check for sniffers: ifconfig
  • /etc/passwd, /etc/shadow, /etc/group
  • Scheduled jobs: cron and at
  • System init files: /etc/inittab, /etc/rc.d

Collect system log files

  • Login logs in /etc/utmp, /etc/wtmp
  • Check /etc/syslog.conf
  • Log files in /var/adm, /var/log
  • Process accounting files in /var/acct
  • Shell history files, e.g., ~/.bash_history

CIT 380: Securing Computer Systems

preserve evidence
Preserve Evidence

In-depth live system investigation.

Construct a bit-level copy of entire hard disk or partition for forensic examination.

  • Create image in single-user mode

md5sum /dev/hda

dd if=/dev/hda conv=noerror,sync | ssh desthost “cat >disk.img”

desthost> md5sum disk.img

CIT 380: Securing Computer Systems

eradication
Eradication
  • Do nothing.
  • Kill attacker’s processes and/or accounts.
  • Block attacker’s network access to system.
  • Patch and repair what you think was changed, then resume operation.
  • Investigate until root cause discovered, then restore system from backups and patch security holes.
  • Call law enforcement before proceeding further.

CIT 380: Securing Computer Systems

follow up
Follow-Up
  • File reports with law enforcement, vendor, or regulatory agency.
  • File insurance claims if relevant.
  • Notify administrators of other affected systems.
  • Disciplinary actions against employees for internal attacks.
  • Update security of computer networks/systems.
  • Review handling of the incident.
  • Update incident handling policy/training.

CIT 380: Securing Computer Systems

follow up1
Follow-Up

Tracking/Counter-attacking

  • IP header marking: traceback at the packet level.
  • Counterattacking

CIT 380: Securing Computer Systems

ip header marking
IP Header Marking

Router inserts header data indicating path taken.

http://en.wikipedia.org/wiki/IP_traceback

When do you mark it?

Deterministic: always marked.

Probabilistic: marked with some probability.

How do you mark it?

Internal: marking placed in existing header.

Expansive: header expanded to include space for marking.

CIT 380: Securing Computer Systems

counterattacking
Counterattacking

Use legal procedures

  • Collect chain of evidence so legal authorities can establish attack was real.
  • Check with lawyers for this
    • Rules of evidence very specific and detailed.
    • If you don’t follow them, expect case to be dropped.

Technical attack

  • Goal is to damage attacker seriously enough to stop current attack and deter future attacks.

CIT 380: Securing Computer Systems

consequences
Consequences
  • Counterattack may harm innocent party.
    • Attacker may have broken into source of attack or may be impersonating innocent party.
  • Counterattack may have side effects.
    • If counterattack is flooding, may block legitimate use of network.
  • Counterattack antithetical to shared use of network.
    • Counterattack absorbs network resources and makes threats more immediate.
  • Counterattack may be legally actionable.

CIT 380: Securing Computer Systems

example counterworm
Example: Counterworm
  • Counterworm given signature of worm.
  • Counterworm spreads rapidly, deleting all occurrences of original worm.
    • ex: Welchia/Nachi hunts Blaster/MyDoom worms.
  • Issues
    • Can counterworm delete only targeted worm?
    • What if infected system gathering worms for research?
    • How do originators of counterworm know it will not cause problems for any system?
      • And are they legally liable if it does?

CIT 380: Securing Computer Systems

key points
Key Points
  • Security incidents come in many forms.
  • Prepare for an incident before one occurs.
  • Understand your response goals.
  • Don’t trust the affected system in any way.
  • Contain the problem, then prepare detailed response.
  • Save data offline for later analysis.
  • Legal issues of counterattacks.

CIT 380: Securing Computer Systems

references
References
  • Matt Bishop, Introduction to Computer Security, Addison-Wesley, 2005.
  • N. Brownlee and E. Guttman, , “RFC 2350 - Expectations for Computer Security Incident Response,” http://www.faqs.org/rfcs/rfc2350.html, 1998.
  • CERT, “Computer Security Incident Response Team (CSIRT) FAQ,” http://www.cert.org/csirts/csirt_faq.html
  • William Cheswick, Steven Bellovin, Steven, and Avriel Rubin, Firewalls and Internet Security, 2nd edition, Addison-Wesley, 2003.
  • Fraser (ed.), “RFC 2196 - Site Security Handbook,” http://www.faqs.org/rfcs/rfc2196.html, 1997.
  • Garfinkel, Simson, Spafford, Gene, and Schartz, Alan, Practical UNIX and Internet Security, 3rd edition, O’Reilly & Associates, 2003.
  • Kevin Mandia, Chris Prosise, and Matt Pepe, Incident Response & Computer Forensics, 2nd edition, McGraw-Hill, 2003.

CIT 380: Securing Computer Systems

ad