
Chapter 13: Advanced Security and Beyond




  1. Chapter 13: Advanced Security and Beyond Security+ Guide to Network Security Fundamentals Second Edition

  2. Objectives • Define computer forensics • Respond to a computer forensics incident • Harden security through new solutions • List information security jobs and skills

  3. Understanding Computer Forensics • Computer forensics attempts to retrieve information (even information that has been altered or erased) that can be used in the pursuit of a criminal • Interest in computer forensics is heightened by: • The large amount of digital evidence now available • Increased scrutiny by the legal profession • A higher level of computer skill among criminals

  4. Forensics Opportunities and Challenges • Computer forensics creates opportunities to uncover evidence that would be impossible to find using a manual process • One reason computer forensics specialists have this opportunity is the persistence of evidence • Electronic documents are more difficult to dispose of than paper documents • Deleting a data file does NOT actually remove the file from the computer's hard drive; it only marks that storage location as unused, and the content remains until it is overwritten (on SSDs with TRIM enabled the controller may erase freed blocks sooner, so this persistence is weaker)

  5. Responding to a Computer Forensics Incident • Generally involves four basic steps similar to those of standard forensics: • Secure the crime scene • Collect the evidence • Establish a chain of custody • Examine and preserve the evidence http://en.wikipedia.org/wiki/Computer_forensics

  6. Securing the Crime Scene • Physical surroundings of the computer should be clearly documented • Photographs of the area should be taken before anything is touched • Cables connected to the computer should be labeled to document the computer’s hardware components and how they are connected • Team takes custody of the entire computer along with the keyboard and any peripherals

  7. Preserving the Data • The computer forensics team first captures any volatile data that would be lost when the computer is turned off, most volatile items first (the "order of volatility"), and moves that data to a secure location • This includes any data not recorded in a file on the hard drive or an image backup: • Contents of RAM • Current network connections • Logon sessions • Network configuration • Open files • Every collection command run on the live system alters its state, so the tool used, the time, and a hash of what it produced should be recorded http://www.porcupine.org/forensics/forensic-discovery/ http://ntsecurity.nu/onmymind/2006/2006-06-01.html
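The volatile-data step described in this slide, as an added example that is not from the textbook: a small Python collector that runs each capture command in order of volatility, records who ran it and when, hashes the raw output, and keeps going when a tool is missing or hangs. The Linux tool list (ss, who, ip, lsof, ps) is an assumption for illustration; RAM contents need a dedicated memory-acquisition tool and are not captured here.

```python
import hashlib
import json
import shutil
import subprocess
from datetime import datetime, timezone

# Assumed Linux tool set, listed from most to least volatile (the order of
# volatility from RFC 3227). RAM itself needs a dedicated memory-acquisition
# tool and is not captured by this script.
VOLATILE_COMMANDS = [
    ("network_connections", ["ss", "-tanp"]),
    ("logon_sessions", ["who", "-a"]),
    ("network_config", ["ip", "addr"]),
    ("open_files", ["lsof", "-n"]),
    ("processes", ["ps", "aux"]),
]


def run_capture(name, argv, timeout=60):
    """Run one collection command and describe what happened. A missing tool
    or a hang is recorded instead of aborting, so later captures still run."""
    started = datetime.now(timezone.utc).isoformat()
    record = {"name": name, "argv": argv, "started": started}
    if shutil.which(argv[0]) is None:
        record["status"] = "tool not found"
        return record
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        record["status"] = "timeout"
        return record
    record.update({
        "status": "ok",
        "returncode": proc.returncode,
        # hash of the raw bytes lets the captured output be verified later
        "stdout_sha256": hashlib.sha256(proc.stdout).hexdigest(),
        "stdout": proc.stdout.decode("utf-8", "replace"),
        "stderr": proc.stderr.decode("utf-8", "replace"),
    })
    return record


def collect_volatile(commands=VOLATILE_COMMANDS, examiner="unknown"):
    """Run every command in order and return a manifest recording who ran
    what, when, and a hash over the whole result set."""
    manifest = {
        "examiner": examiner,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "records": [run_capture(name, argv) for name, argv in commands],
    }
    canonical = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(canonical).hexdigest()
    return manifest


if __name__ == "__main__":
    print(json.dumps(collect_volatile(examiner="A. Examiner"), indent=2))
```

Run it from trusted binaries carried on the examiner's own media rather than the suspect system's PATH, and write the manifest to removable storage, not to the drive that will later be imaged.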

  8. Preserving the Data (continued) • After retrieving volatile data, the team focuses on the hard drive • A mirror image backup (or bit-stream backup) is an evidence-grade backup because its accuracy meets evidence standards (an exact, sector-by-sector duplicate of the original) • Mirror image backups are considered a primary key to uncovering evidence; they create exact replicas of the computer contents at the crime scene • The image is verified by computing a cryptographic hash (for example SHA-256) of the image and recording it, so any later change to the copy can be detected http://www.forensics-intl.com/def2.html

  9. Mirror Image Backups • Mirror image backups must meet the following criteria: • Mirror image software should only be used by trained professionals • Those using the mirror image software must have evidence handling experience • The imaging tool must be able to detect bad sectors on the original drive, which would otherwise cause the imaging software to fail or silently skip data • Forensic imaging is done in a controlled manner (the original is attached through a write blocker so it cannot be altered) • Imaging personnel should be a disinterested third party http://www.syschat.com/how-create-mirror-image-your-hard-438.html
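To make the bad-sector criterion on this slide concrete, here is an added Python example (not from the textbook or any real imaging product) of a bit-stream imager: it copies a device sector by sector, zero-fills any sector the device refuses to read so that offsets in the image still line up with the original, records the bad sector list, and hashes the image for later verification. The `BadSectorDevice` class is a constructed stand-in for a failing drive; the 512-byte sector size is an assumption.

```python
import hashlib
import io
import os
import tempfile

SECTOR_SIZE = 512  # assumed; match the real device's logical sector size


class BadSectorDevice:
    """Constructed stand-in for a failing drive: a byte buffer that raises
    OSError whenever a sector listed in `bad` is read (simulated media error)."""

    def __init__(self, data, bad=()):
        self._buf = io.BytesIO(data)
        self._bad = set(bad)
        self.size = len(data)

    def read_sector(self, index):
        if index in self._bad:
            raise OSError(f"I/O error reading sector {index}")
        self._buf.seek(index * SECTOR_SIZE)
        return self._buf.read(SECTOR_SIZE)


def image_device(dev, out_path):
    """Bit-stream copy of `dev` into `out_path`. Unreadable sectors are replaced
    with zeros of the same length so every offset in the image still matches
    the original; their indices are returned with the SHA-256 of the image."""
    digest = hashlib.sha256()
    bad_sectors = []
    total = (dev.size + SECTOR_SIZE - 1) // SECTOR_SIZE
    with open(out_path, "wb") as out:
        for i in range(total):
            expected = min(SECTOR_SIZE, dev.size - i * SECTOR_SIZE)
            try:
                chunk = dev.read_sector(i)
            except OSError:
                bad_sectors.append(i)
                chunk = b"\x00" * expected
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest(), bad_sectors


def verify_image(path, expected_sha256):
    """Re-hash the image file and compare with the value recorded at acquisition."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def demo():
    """Constructed scenario: a ten-sector 'drive' whose sector 3 is unreadable."""
    source = b"".join(bytes([65 + i]) * SECTOR_SIZE for i in range(10))
    dev = BadSectorDevice(source, bad=[3])
    fd, path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        sha, bad = image_device(dev, path)
        verified = verify_image(path, sha)
        with open(path, "rb") as f:
            image = f.read()
    finally:
        os.unlink(path)
    return {"sha256": sha, "bad_sectors": bad, "verified": verified,
            "image": image, "source": source}


if __name__ == "__main__":
    r = demo()
    print(f"sha256={r['sha256']} bad_sectors={r['bad_sectors']} verified={r['verified']}")
```

Because a bad sector is zero-filled, the image hash cannot equal a hash of the original media; the bad sector list therefore belongs in the acquisition notes next to the image hash, so that an examiner can explain the discrepancy and knows which offsets carry no evidentiary weight.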

  10. Establishing the Chain of Custody • As soon as the team begins its work, it must start and maintain a strict chain of custody • The chain of custody documents that the evidence was under strict control at all times and that no unauthorized person had the opportunity to corrupt it • A chain of custody includes documenting: • All serial numbers of the systems and devices involved, and the hash values of every image made • Who handled the systems and for how long • How the systems were shipped and stored
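An added Python example of the chain-of-custody record this slide describes (not from the textbook): each handover entry stores the handler, action, time, serial numbers and the SHA-256 of the evidence as received, and is itself linked to the previous entry by hash, so that editing, removing or reordering any record after the fact is detectable. The case identifier and serial number in `demo()` are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


class CustodyLog:
    """Append-only custody record. Every entry stores the SHA-256 of the
    evidence as it was handed over plus the hash of the previous entry, so
    editing, deleting or reordering any entry breaks every later link."""

    GENESIS = "0" * 64

    def __init__(self, evidence_id, serial_numbers):
        self.evidence_id = evidence_id
        self.serial_numbers = serial_numbers   # e.g. drive and system serials
        self.entries = []

    @staticmethod
    def _entry_hash(body):
        # canonical JSON so the hash does not depend on key order
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, handler, action, evidence_sha256, when=None):
        """Append one handover. evidence_sha256 is the hash the handler
        computed on receipt, which must match what the previous handler logged."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "evidence_id": self.evidence_id,
            "serial_numbers": self.serial_numbers,
            "handler": handler,
            "action": action,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "evidence_sha256": evidence_sha256,
            "prev_hash": prev,
        }
        entry = dict(body, entry_hash=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or self._entry_hash(body) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

    def evidence_unchanged(self):
        """True when every handler reported the same evidence hash."""
        return len({e["evidence_sha256"] for e in self.entries}) <= 1


def demo():
    """Constructed case: three handovers of one image, then an after-the-fact edit."""
    image = b"constructed bit-stream image bytes"
    h = hashlib.sha256(image).hexdigest()
    log = CustodyLog("CASE-0001/HDD-1", {"drive": "SN-CONSTRUCTED-0001"})
    log.record("A. Examiner", "acquired bit-stream image at scene", h)
    log.record("B. Courier", "sealed in evidence bag, transported to lab", h)
    log.record("C. Analyst", "received, verified hash, began examination", h)
    intact, _ = log.verify()
    log.entries[1]["handler"] = "X. Unknown"     # tampering with the courier record
    still_valid, first_bad = log.verify()
    return intact, still_valid, first_bad


if __name__ == "__main__":
    print(demo())   # (True, False, 1)
```

The hash chain proves internal consistency, not authorship: in practice each entry is also signed by the handler (or countersigned on paper), and the log is stored separately from the evidence it describes.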

  11. Examining Data for Evidence • After a computer forensics expert creates a mirror image of the system, the original system is secured and the mirror image is examined to reveal evidence • All exposed application data should be examined for clues (documents, spreadsheets, email, digital photographs, cookies, cache, and so on) • Microsoft Windows operating systems use the Windows page file as a "scratch pad" to write memory contents to disk when sufficient RAM is not available http://www.porcupine.org/forensics/forensic-discovery/chapter8.html

  12. Windows Page File • Windows page files can range from 1 megabyte to over a gigabyte in size and can be temporary or permanent • By default, XP creates a page file that is 1.5 times the amount of installed RAM • pagefile.sys • These files can contain remnants of work done in the past (fragments of documents, passwords, URLs) even after the application that held them has exited • Special programs are needed to search through the page file quickly; because Windows stores text internally as UTF-16, a search that only looks for 8-bit ASCII strings misses much of what is there http://www.theeldergeek.com/paging_file.htm
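An added Python example of the kind of page file search this slide refers to (not from the textbook): it pulls printable runs out of a raw binary blob in both 8-bit ASCII and UTF-16LE, the encoding Windows uses for text internally, and reports each hit with its byte offset. The blob in `constructed_pagefile()` is constructed sample data standing in for a real pagefile.sys, and the path and credential inside it are invented.

```python
import random
import re


def extract_strings(blob, min_len=6):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in both 8-bit ASCII and UTF-16LE (Windows' internal
    text encoding, which a plain ASCII 'strings' scan misses entirely)."""
    hits = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE ASCII text looks like: printable byte, NUL, printable byte, NUL...
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(blob):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(blob):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    hits.sort()
    return hits


def find_keyword(blob, keyword, min_len=6):
    """Only the hits whose text contains keyword (e.g. a filename or username)."""
    return [hit for hit in extract_strings(blob, min_len) if keyword in hit[2]]


def constructed_pagefile():
    """Constructed sample: random bytes with a UTF-16LE path and an ASCII
    credential buried inside, standing in for a real pagefile.sys."""
    rnd = random.Random(1337)
    junk = lambda n: bytes(rnd.getrandbits(8) for _ in range(n))
    return (junk(1500)
            + "C:\\Users\\alice\\Documents\\payroll.xlsx".encode("utf-16-le")
            + junk(900)
            + b"password=hunter2"
            + junk(1200))


if __name__ == "__main__":
    blob = constructed_pagefile()
    for offset, encoding, text in find_keyword(blob, "payroll.xlsx") + find_keyword(blob, "hunter2"):
        print(f"{offset:#010x} {encoding:8s} {text}")
```

For a real multi-gigabyte page file, map the file with `mmap.mmap` and pass the mapping to the same functions; `re` accepts any bytes-like buffer, so the whole file need not be read into memory. Random data produces short false-positive runs, which is why `min_len` defaults to 6 rather than 4.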

  13. Examining Data for Evidence • Slack is another source of hidden data • Windows computers use two types of slack • RAM slack • File slack http://www.forensics-intl.com/def7.html http://www.forensics-intl.com/def6.html

  14. RAM Slack • Windows stores files on a hard drive or other media in sectors, typically 512 bytes each • Multiple sectors make up a cluster, the smallest unit the file system allocates to a file • When a file is not long enough to fill its last sector, the operating system must pad the remainder of that sector before writing it • On Windows 95/98 that padding was whatever happened to be in RAM; this padding creates "RAM slack" and pertains only to the last sector of a file • On NT-family Windows (2000/XP and later) the tail of the last sector is zero-filled, so RAM slack containing memory contents is mainly a Windows 9x artifact • The remaining sectors of the last cluster assigned to the file are not written at all, which creates a different type of slack…

  15. File Slack • File slack (drive slack): the unwritten sectors between the end of the last sector the file occupies and the end of its last cluster, which still contain whatever was previously stored on the disk at that location • Such data can contain remnants of previously deleted files, which survive until the whole cluster is rewritten
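An added Python example (not from the textbook) that works through slides 14 and 15 on a toy volume: it computes how many bytes of RAM slack and file slack a file of a given size leaves, then writes a full-cluster file, "deletes" it, writes a 700-byte file into the same cluster with a Windows 9x style RAM pad, and reads back both kinds of slack to show the old file's remnants still sitting there. The 512-byte sector, 4096-byte cluster, file contents and the "RAM snapshot" are all constructed assumptions.

```python
SECTOR = 512     # assumed logical sector size
CLUSTER = 4096   # assumed cluster size (8 sectors)


def slack_sizes(file_size, sector=SECTOR, cluster=CLUSTER):
    """Bytes of RAM slack (unused tail of the last sector written) and file
    slack (whole untouched sectors in the last cluster) for a file of file_size."""
    if file_size == 0:
        return 0, 0
    sectors_used = -(-file_size // sector)     # ceiling division
    clusters_used = -(-file_size // cluster)
    ram_slack = sectors_used * sector - file_size
    file_slack = clusters_used * cluster - sectors_used * sector
    return ram_slack, file_slack


class Volume:
    """Toy volume: clusters are fixed-size byte ranges, and 'deleting' a file
    merely leaves its bytes in place, as a real file system does."""

    def __init__(self, n_clusters, cluster=CLUSTER):
        self.cluster = cluster
        self.data = bytearray(n_clusters * cluster)

    def write_file(self, cluster_no, content, pad=b"\x00"):
        """Write a file that fits in one cluster. Only the tail of the last
        sector touched is padded (with `pad`: zeros on NT-family Windows, RAM
        contents on Windows 9x); the remaining sectors of the cluster are left
        exactly as they were, which is where file slack comes from."""
        assert len(content) <= self.cluster, "single-cluster files only"
        base = cluster_no * self.cluster
        self.data[base:base + len(content)] = content
        ram, _ = slack_sizes(len(content), cluster=self.cluster)
        start = base + len(content)
        self.data[start:start + ram] = (pad * ram)[:ram]

    def read_slack(self, cluster_no, file_size):
        """Return (ram_slack_bytes, file_slack_bytes) for the file in cluster_no."""
        ram, fslack = slack_sizes(file_size, cluster=self.cluster)
        start = cluster_no * self.cluster + file_size
        return (bytes(self.data[start:start + ram]),
                bytes(self.data[start + ram:start + ram + fslack]))


def demo():
    """Constructed scenario: a full-cluster file is deleted and a 700-byte file
    is written into the same cluster with a Windows 9x style RAM pad."""
    vol = Volume(n_clusters=4)
    old = (b"OLD-PAYROLL-RECORD;" * 300)[:CLUSTER]
    vol.write_file(2, old)                     # cluster 2 completely filled
    # the old file is deleted: only the allocation entry changes, the bytes stay
    new = (b"New memo, much shorter than the old file. " * 20)[:700]
    ram_snapshot = b"RAM:smtp user=alice pass=hunter2 "   # constructed RAM contents
    vol.write_file(2, new, pad=ram_snapshot)
    ram_slack, file_slack = vol.read_slack(2, len(new))
    return {"ram_slack": ram_slack, "file_slack": file_slack}


if __name__ == "__main__":
    r = demo()
    print("RAM slack :", len(r["ram_slack"]), "bytes, starts", r["ram_slack"][:32])
    print("file slack:", len(r["file_slack"]), "bytes, starts", r["file_slack"][:32])
```

On a real image the same arithmetic is applied per file using the file size from the directory entry or MFT record and the cluster map from the allocation structures; forensic suites do exactly this when they offer a "slack" view of a file.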

  16. Examining Data for Evidence

  17. Summary of Examining Data for Evidence

  18. Exploring Information Security Jobs and Skills • Need for information security workers will continue to grow for the foreseeable future • Information security personnel are in short supply; those in the field are being rewarded well • Security budgets have been spared the drastic cost-cutting that has plagued IT since 2001 • Companies recognize the high costs associated with weak security and have decided that prevention outweighs cleanup

  19. Exploring Information Security Jobs and Skills • Most industry experts agree security certifications continue to be important • Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses

  20. TCP/IP Protocol Suite • One of the most important skills is a strong knowledge of the foundation on which network communications rest, namely Transmission Control Protocol/Internet Protocol (TCP/IP) • Understanding TCP/IP concepts helps you troubleshoot computer network problems effectively and diagnose possible anomalous behavior on a network

  21. Packets • No matter how clever the attacker is, they still must send their attack to your computer with a packet • To recognize the abnormal, you must first understand what is normal

  22. Firewalls • Firewalls are essential tools on all networks and often provide a first layer of defense • Network security personnel should have a strong background of how firewalls work, how to create access control lists (ACLs) to mirror the organization’s security policy, and how to tweak ACLs to balance security with employee access

  23. Routers • Routers form the heart of a TCP/IP network • Configuring routers for both packet transfer and packet filtering can become very involved • As network connections become more complex (VPN, IPv6), understanding how to implement and configure routers becomes more important

  24. Intrusion-Detection Systems (IDS) • Security professionals should know how to administer and maintain an IDS • The capabilities of these systems have increased dramatically since they were first introduced, making them mandatory for today's networks • One problem is that an IDS can produce an enormous amount of data that requires checking • In addition, IDS/IPS systems can produce a number of false positives

  25. Other Skills • A programming background is another helpful tool for security workers • Security workers should also be familiar with penetration testing • Penetration testing, once known as "ethical hacking," probes for vulnerabilities in systems, networks, and applications

  26. Computer Forensic Skills • Computer forensic specialists require an additional level of training and skills: • Basic forensic examinations • Advanced forensic examinations • Incident responder skills • Managing computer investigations http://www.infosecinstitute.com/courses/computer_forensics_training.html?cf

  27. Summary • Forensic science is application of science to questions of interest to the legal profession • Several unique opportunities give computer forensics the ability to uncover evidence that would be extremely difficult to find using a manual process • Computer forensics also has a unique set of challenges that are not found in standard evidence gathering, including volume of electronic evidence, how it is scattered in numerous locations, and its dynamic content

  28. Summary (continued) • Searching for digital evidence includes looking at “obvious” files and e-mail messages • Need for information security workers will continue to grow, especially in computer forensics • Skills needed in these areas include knowledge of TCP/IP, packets, firewalls, routers, IDS, and penetration testing
