Computer Security - Discussion

profilegiggles.desmoin
Ch17-CISSP.pdf

502

Chap ter 17 Pre vent ing and Re spond ing to In ci dents

THE CISSP EXAM TOP ICS COV ERED IN THIS CHAP TER IN CLUDE:

Do main 7: Se cu rity Op er a tions 7.3 Con duct log ging and mon i tor ing ac tiv i ties

7.3.1 In tru sion de tec tion and pre ven tion

7.3.2 Se cu rity In for ma tion and Event Man age ment (SIEM)

7.3.3 Con tin u ous mon i tor ing

7.3.4 Egress mon i tor ing

7.7 Con duct in ci dent man age ment

7.7.1 De tec tion

7.7.2 Re sponse

7.7.3 Mit i ga tion

7.7.4 Re port ing

7.7.5 Re cov ery

7.7.6 Re me di a tion

7.7.7 Lessons learned

7.8 Op er ate and main tain de tec tive and pre ven ta tive mea sures

7.8.1 Fire walls

7.8.2 In tru sion de tec tion and pre ven tion sys tems

7.8.3 Whitelist ing/ black list ing

7.8.4 Third-party pro vided se cu rity ser vices

7.8.5 Sand box ing

7.8.6 Hon ey pots/ hon eynets

7.8.7 Anti-mal ware

The Se cu rity Op er a tions do main for the CISSP cer ti fi ca tion exam in cludes sev eral ob jec tives di rectly re lated to in ci dent man age ment. Ef fec tive in ci dent man age ment helps an or ga ni za tion re spond ap pro pri ately when at tacks oc cur to limit the scope of an at tack. Or ga ni za tions im ple ment pre ven tive mea sures to pro tect against, and de tect, at tacks, and this chap ter cov ers many of these con trols and coun ter mea sures. Log ging, mon i tor ing, and au dit ing pro vide as sur ances that the se cu rity con trols are in place and are pro vid ing the de sired pro tec tions.

Man ag ing In ci dent Re sponse One of the pri mary goals of any se cu rity pro gram is to pre vent se cu rity in ci dents. How ever, de spite best

ef forts of in for ma tion tech nol ogy (IT) and se cu rity pro fes sion als, in ci dents do oc cur. When they hap pen, an or ga ni za tion must be able to re spond to limit or con tain the in ci dent. The pri mary goal of in ci dent re sponse is to min i mize the im pact on the or ga ni za tion.

Defin ing an In ci dent

Be fore dig ging into in ci dent re sponse, it’s im por tant to un der stand the def i ni tion of an in ci dent. Al though that may seem sim ple, you’ll find that there are dif fer ent def i ni tions de pend ing on the con text.

503

An in ci dent is any event that has a neg a tive ef fect on the con fi den tial ity, in tegrity, or avail abil ity of an or ga ni za tion’s as sets. In for ma tion Tech nol ogy In fra struc ture Li brary ver sion 3 (ITILv3) de fines an in ci dent as “an un planned in ter rup tion to an IT Ser vice or a re duc tion in the qual ity of an IT Ser vice.” No tice that these def i ni tions en com pass events as di verse as di rect at tacks, nat u ral oc cur rences such as a hur ri cane or earth quake, and even ac ci dents, such as some one ac ci den tally cut ting ca bles for a live net work.

In con trast, a com puter se cu rity in ci dent (some times called just se cu rity in ci dent) com monly refers to an in ci dent that is the re sult of an at tack, or the re sult of ma li cious or in ten tional ac tions on the part of users. For ex am ple, re quest for com ments (RFC) 2350, “Ex pec ta tions for Com puter Se cu rity In ci dent Re sponse,” de fines both a se cu rity in ci dent and a com puter se cu rity in ci dent as “any ad verse event which com pro mises some as pect of com puter or net work se cu rity.” Na tional In sti tute of Stan dards and Tech nol ogy (NIST) spe cial pub li ca tion (SP) 800-61 “Com puter Se cu rity In ci dent Han dling Guide” de fines a com puter se cu rity in ci dent as “a vi o la tion or im mi nent threat of vi o la tion of com puter se cu rity poli cies, ac cept able use poli cies, or stan dard se cu rity prac tices.” (NIST doc u ments, in clud ing SP 800-61, can be ac cessed from the NIST pub li ca tions page: https://csrc.nist.gov/Pub li ca tions).

In the con text of in ci dent re sponse, an in ci dent is re fer ring to a com puter se cu rity in ci dent. How ever, you’ll of ten see it listed as just as in ci dent. For ex am ple, within the CISSP Se cu rity Op er a tions do main, the “Con duct in ci dent man age ment” ob jec tive is clearly re fer ring to com puter se cu rity in ci dents.

In this chap ter, any ref er ence to an in ci dent refers to a com puter se cu rity in ci dent.

Or ga ni za tions han dle some in ci dents such as weather events or nat u ral dis as ters us ing other meth ods such as with a busi ness con ti nu ity plan (cov ered in Chap ter 3, “Busi ness Con ti nu ity Plan ning”) or with a dis as ter re cov ery plan (cov ered in Chap ter 18, “Dis as ter Re cov ery Plan ning”).

Or ga ni za tions com monly de fine the mean ing of a com puter se cu rity in ci dent within their se cu rity pol icy or in ci dent re sponse plans. The def i ni tion is usu ally one or two sen tences long and in cludes ex am ples of com mon events that the or ga ni za tion clas si fies as se cu rity in ci dents, such as the fol low ing:

Any at tempted net work in tru sion

Any at tempted de nial-of-ser vice at tack

Any de tec tion of ma li cious soft ware

Any unau tho rized ac cess of data

Any vi o la tion of se cu rity poli cies

In ci dent Re sponse Steps Ef fec tive in ci dent re sponse man age ment is han dled in sev eral steps or phases. Fig ure 17.1 shows the seven

steps in volved in man ag ing in ci dent re sponse as out lined in the CISSP ob jec tives. It’s im por tant to re al ize that in ci dent re sponse is an on go ing ac tiv ity and the re sults of the lessons learned stage are used to im prove de tec tion meth ods or help pre vent a re peated in ci dent. The fol low ing sec tions de scribe these steps in more depth.

FIG URE 17.1 In ci dent re sponse

You may run across doc u men ta tion that lists these steps dif fer ently. For ex am ple, SP 800-

61 is an ex cel lent re source for learn ing more about in ci dent han dling, but it iden ti fies the fol low ing four steps in the in ci dent re sponse life cy cle: 1) prepa ra tion, 2) de tec tion and anal y sis, 3) con tain ment, erad i ca tion, and re cov ery, and 4) post-in ci dent re cov ery. Still, no mat ter how doc u men ta tion lists the steps, they con tain many of the same el e ments and have the same goal of man ag ing in ci dent re sponse ef fec tively.

It’s im por tant to stress that in ci dent re sponse does not in clude a coun ter at tack against the at tacker. Launch ing at tacks on oth ers is coun ter pro duc tive and of ten il le gal. If a tech ni cian can iden tify the at tacker and launch an at tack, it will very likely re sult in an es ca la tion of the at tack by the at tacker. In other words, the at tacker may now con sider it per sonal and reg u larly launch grudge at tacks. In ad di tion, it’s likely that the

504

at tacker is hid ing be hind one or more in no cent vic tims. At tack ers of ten use spoof ing meth ods to hide their iden tity, or launch at tacks by zom bies in a bot net. Coun ter at tacks may be against an in no cent vic tim rather than an at tacker.

De tec tion

IT en vi ron ments in clude mul ti ple meth ods of de tect ing po ten tial in ci dents. The fol low ing list iden ti fies many of the com mon meth ods used to de tect po ten tial in ci dents. It also in cludes notes on how these meth ods re port the in ci dents:

In tru sion de tec tion and pre ven tion sys tems (de scribed later in this chap ter) send alerts to ad min is tra tors when an item of in ter est oc curs.

Anti-mal ware soft ware will of ten dis play a pop-up win dow to in di cate when it de tects mal ware.

Many au to mated tools reg u larly scan au dit logs look ing for pre de fined events, such as the use of spe cial priv i leges. When they de tect spe cific events, they typ i cally send an alert to ad min is tra tors.

End users some times de tect ir reg u lar ac tiv ity and con tact tech ni cians or ad min is tra tors for help. When users re port events such as the in abil ity to ac cess a net work re source or up date a sys tem, it alerts IT per son nel about a po ten tial in ci dent.

 Cell Phone Can not Be Up dated

Many se cu rity in ci dents aren’t de tected un til months af ter they oc cur. Users of ten no tice things that aren’t quite right, such as the in abil ity to up date a cell phone, but don’t re port it right away. This al lows at tack ers to main tain a pres ence on in fected de vices or net works for an ex tended pe riod of time.

As an ex am ple, re tired United States (U.S.) Ma rine Corps gen eral John Kelly turned in his cell phone to White House tech ni cal sup port per son nel dur ing the sum mer of 2017. He was the White House chief of staff at the time. Kelly re port edly was un able to do soft ware up dates, and some other func tions on his phone weren’t work ing. Af ter some in ves ti ga tion, the White House IT de part ment re port edly de ter mined that his phone was com pro mised, and the com pro mise may have oc curred as early as De cem ber 2016, while Kelly was the Sec re tary of Home land Se cu rity.

No tice that just be cause an IT pro fes sional re ceives an alert from an au to mated tool or a com plaint from a user, this doesn’t al ways mean an in ci dent has oc curred. In tru sion de tec tion and pre ven tion sys tems of ten give false alarms, and end users are prone to sim ple user er rors. IT per son nel in ves ti gate these events to de ter mine whether they are in ci dents.

Many IT pro fes sion als are clas si fied as first re spon ders for in ci dents. They are the first ones on the scene and have knowl edge on how to dif fer en ti ate typ i cal IT prob lems from se cu rity in ci dents. They are sim i lar to med i cal first re spon ders who have out stand ing skills and abil i ties to pro vide med i cal as sis tance at ac ci dent scenes, and help get the pa tients to med i cal fa cil i ties when nec es sary. The med i cal first re spon ders have spe cific train ing to help them de ter mine the dif fer ence be tween mi nor and ma jor in juries. Fur ther, they know what to do when they come across a ma jor in jury. Sim i larly, IT pro fes sion als need spe cific train ing so that they can de ter mine the dif fer ence be tween a typ i cal prob lem that needs trou bleshoot ing and a se cu rity in ci dent that they need to es ca late.

Af ter in ves ti gat ing an event and de ter min ing it is a se cu rity in ci dent, IT per son nel move to the next step: re sponse. In many cases, the in di vid ual do ing the ini tial in ves ti ga tion will es ca late the in ci dent to bring in other IT pro fes sion als to re spond.

Re sponse

Af ter de tect ing and ver i fy ing an in ci dent, the next step is re sponse. The re sponse varies de pend ing on the sever ity of the in ci dent. Many or ga ni za tions have a des ig nated in ci dent re sponse team—some times called a com puter in ci dent re sponse team (CIRT), or com puter se cu rity in ci dent re sponse team (CSIRT). The or ga ni za tion ac ti vates the team dur ing a ma jor se cu rity in ci dent but does not typ i cally ac ti vate the team for mi nor in ci dents. A for mal in ci dent re sponse plan doc u ments who would ac ti vate the team and un der what con di tions.

Team mem bers are trained on in ci dent re sponse and the or ga ni za tion’s in ci dent re sponse plan. Typ i cally, team mem bers as sist with in ves ti gat ing the in ci dent, as sess ing the dam age, col lect ing ev i dence, re port ing the in ci dent, and re cov ery pro ce dures. They also par tic i pate in the re me di a tion and lessons learned stages, and help with root cause anal y sis.

505

The quicker an or ga ni za tion can re spond to an in ci dent, the bet ter chance they have at lim it ing the dam age. On the other hand, if an in ci dent con tin ues for hours or days, the dam age is likely to be greater. For ex am ple, an at tacker may be try ing to ac cess a cus tomer data base. A quick re sponse can pre vent the at tacker from ob tain ing any mean ing ful data. How ever, if given con tin ued un ob structed ac cess to the data base for sev eral hours or days, the at tacker may be able to get a copy of the en tire data base.

Af ter an in ves ti ga tion is over, man age ment may de cide to pros e cute re spon si ble in di vid u als. Be cause of this, it’s im por tant to pro tect all data as ev i dence dur ing the in ves ti ga tion. Chap ter 19, “In ves ti ga tions and Ethics,” cov ers in ci dent han dling and re sponse in the con text of sup port ing in ves ti ga tions. If there is any pos si bil ity of pros e cu tion, team mem bers take ex tra steps to pro tect the ev i dence. This en sures the ev i dence can be used in le gal pro ce dures.

Com put ers should not be turned off when con tain ing an in ci dent. Tem po rary files and

data in volatile ran dom ac cess mem ory (RAM) will be lost if the com puter is pow ered down. Foren sics ex perts have tools they can use to re trieve data in tem po rary files and volatile RAM as long as the sys tem is kept pow ered on. How ever, this ev i dence is lost if some one turns the com puter off or un plugs it.

Mit i ga tion

Mit i ga tion steps at tempt to con tain an in ci dent. One of the pri mary goals of an ef fec tive in ci dent re sponse is to limit the ef fect or scope of an in ci dent. For ex am ple, if an in fected com puter is send ing data out its net work in ter face card (NIC), a tech ni cian can dis able the NIC or dis con nect the ca ble to the NIC. Some times con tain ment in volves dis con nect ing a net work from other net works to con tain the prob lem within a sin gle net work. When the prob lem is iso lated, se cu rity per son nel can ad dress it with out wor ry ing about it spread ing to the rest of the net work.

In some cases, re spon ders take steps to mit i gate the in ci dent, but with out let ting the at tacker know that the at tack has been de tected. This al lows se cu rity per son nel to mon i tor the at tacker’s ac tiv i ties and de ter mine the scope of the at tack.

Re port ing

Re port ing refers to re port ing an in ci dent within the or ga ni za tion and to or ga ni za tions and in di vid u als out side the or ga ni za tion. Al though there’s no need to re port a mi nor mal ware in fec tion to a com pany’s chief ex ec u tive of fi cer (CEO), up per-level man age ment does need to know about se ri ous se cu rity breaches.

As an ex am ple, the Wan naCry ran somware at tack in 2017 in fected more than 230,000 com put ers in more than 150 coun tries within a sin gle day. The mal ware dis played a mes sage of “Ooops your files have been en crypted.” The at tack re port edly in fected parts of the United King dom’s Na tional Health Ser vice (NHS) forc ing some med i cal ser vices to run on an emer gency-only ba sis. As IT per son nel learned of the im pact of the at tack, they be gan re port ing it to su per vi sors, and this re port ing very likely reached ex ec u tives the same day the at tack oc curred.

Or ga ni za tions of ten have a le gal re quire ment to re port some in ci dents out side of the or ga ni za tion. Most coun tries (and many smaller ju ris dic tions, in clud ing states and cities) have en acted reg u la tory com pli ance laws to gov ern se cu rity breaches, par tic u larly as they ap ply to sen si tive data re tained within in for ma tion sys tems. These laws typ i cally in clude a re quire ment to re port the in ci dent, es pe cially if the se cu rity breach ex posed cus tomer data. Laws dif fer from lo cale to lo cale, but all seek to pro tect the pri vacy of in di vid ual records and in for ma tion, to pro tect con sumer iden ti ties, and to es tab lish stan dards for fi nan cial prac tice and cor po rate gov er nance. Ev ery or ga ni za tion has a re spon si bil ity to know what laws ap ply to it and to abide by these laws.

Many ju ris dic tions have spe cific laws gov ern ing the pro tec tion of per son ally iden ti fi able in for ma tion (PII). If a data breach ex poses PII, the or ga ni za tion must re port it. Dif fer ent laws have dif fer ent re port ing re quire ments, but most in clude a re quire ment to no tify in di vid u als af fected by the in ci dent. In other words, if an at tack on a sys tem re sulted in an at tacker gain ing PII about you, the own ers of the sys tem have a re spon si bil ity to in form you of the at tack and what data the at tack ers ac cessed.

In re sponse to se ri ous se cu rity in ci dents, the or ga ni za tion should con sider re port ing the in ci dent to of fi cial agen cies. In the United States, this may mean no ti fy ing the Fed eral Bu reau of In ves ti ga tions (FBI), dis trict at tor ney of fices, and/or state and lo cal law en force ment agen cies. In Eu rope, or ga ni za tions may re port the in ci dent to the In ter na tional Crim i nal Po lice Or ga ni za tion (IN TER POL) or some other en tity based on the in ci dent and their lo ca tion. These agen cies may be able to as sist in in ves ti ga tions, and the data they col lect may help them pre vent fu ture at tacks against other or ga ni za tions.

Many in ci dents are not re ported be cause they aren’t rec og nized as in ci dents. This is of ten the re sult of in ad e quate train ing. The ob vi ous so lu tion is to en sure that per son nel have rel e vant train ing. Train ing should teach in di vid u als how to rec og nize in ci dents, what to do in the ini tial re sponse, and how to re port an in ci dent.

506

Re cov ery

Af ter in ves ti ga tors col lect all ap pro pri ate ev i dence from a sys tem, the next step is to re cover the sys tem, or re turn it to a fully func tion ing state. This can be very sim ple for mi nor in ci dents and may only re quire a re boot. How ever, a ma jor in ci dent may re quire com pletely re build ing a sys tem. Re build ing the sys tem in cludes restor ing all data from the most re cent backup.

When a com pro mised sys tem is re built from scratch, it’s im por tant to en sure it is con fig ured prop erly and is at least as se cure as it was be fore the in ci dent. If an or ga ni za tion has ef fec tive con fig u ra tion man age ment and change man age ment pro grams, these pro grams will pro vide nec es sary doc u men ta tion to en sure the re built sys tems are con fig ured prop erly. Some things to dou ble-check in clude ac cess con trol lists (ACLs) and en sur ing that un needed ser vices and pro to cols are dis abled or re moved, that all up-to-date patches are in stalled, that user ac counts are mod i fied from the de faults, and any com pro mises have been re versed.

In some cases, an at tacker may have in stalled ma li cious code on a sys tem dur ing an at tack.

This may not be ap par ent with out a de tailed in spec tion of the sys tem. The most se cure method of restor ing a sys tem af ter an in ci dent is to com pletely re build the sys tem from scratch. If in ves ti ga tors sus pect that an at tacker may have mod i fied code on the sys tem, re build ing a sys tem may be a good op tion.

Re me di a tion

In the re me di a tion stage, per son nel look at the in ci dent and at tempt to iden tify what al lowed it to oc cur, and then im ple ment meth ods to pre vent it from hap pen ing again. This in cludes per form ing a root cause anal y sis.

A root cause anal y sis ex am ines the in ci dent to de ter mine what al lowed it to hap pen. For ex am ple, if at tack ers suc cess fully ac cessed a data base through a web site, per son nel would ex am ine all the el e ments of the sys tem to de ter mine what al lowed the at tack ers to suc ceed. If the root cause anal y sis iden ti fies a vul ner a bil ity that can be mit i gated, this stage will rec om mend a change.

It could be that the web server didn’t have up-to-date patches, al low ing the at tack ers to gain re mote con trol of the server. Re me di a tion steps might in clude im ple ment ing a patch man age ment pro gram. Per haps the web site ap pli ca tion wasn’t us ing ad e quate in put val i da tion tech niques, al low ing a suc cess ful Struc tured Query Lan guage (SQL) in jec tion at tack. Re me di a tion would in volve up dat ing the ap pli ca tion to in clude in put val i da tion. Maybe the data base is lo cated on the web server in stead of in a back end data base server. Re me di a tion might in clude mov ing the data base to a server be hind an ad di tional fire wall.

Lessons Learned

Dur ing the lessons learned stage, per son nel ex am ine the in ci dent and the re sponse to see if there are any lessons to be learned. The in ci dent re sponse team will be in volved in this stage, but other em ploy ees who are knowl edge able about the in ci dent will also par tic i pate.

While ex am in ing the re sponse to the in ci dent, per son nel look for any ar eas where they can im prove their re sponse. For ex am ple, if it took a long time for the re sponse team to con tain the in ci dent, the ex am i na tion tries to de ter mine why. It might be that per son nel don’t have ad e quate train ing and didn’t have the knowl edge and ex per tise to re spond ef fec tively. They may not have rec og nized the in ci dent when they re ceived the first no ti fi ca tion, al low ing an at tack to con tinue longer than nec es sary. First re spon ders may not have rec og nized the need to pro tect ev i dence and in ad ver tently cor rupted it dur ing the re sponse.

Re mem ber, the out put of this stage can be fed back to the de tec tion stage of in ci dent man age ment. For ex am ple, ad min is tra tors may re al ize that at tacks are get ting through un de tected and in crease their de tec tion ca pa bil i ties and rec om mend changes to their in tru sion de tec tion sys tems.

It is com mon for the in ci dent re sponse team to cre ate a re port when they com plete a lessons learned re view. Based on the find ings, the team may rec om mend changes to pro ce dures, the ad di tion of se cu rity con trols, or even changes to poli cies. Man age ment will de cide what rec om men da tions to im ple ment and is re spon si ble for the re main ing risk for any rec om men da tions they re ject.

507

 Del e gat ing In ci dent Re sponse to Users

In one or ga ni za tion, the re spon si bil ity to re spond to com puter in fec tions was ex tended to users. Close to each com puter was a check list that iden ti fied com mon symp toms of mal ware in fec tion. If users sus pected their com put ers were in fected, the check list in structed them to dis con nect the NIC and con tact the help desk to re port the is sue. By dis con nect ing the NIC, they helped con tain the mal ware to their sys tem and stopped it from spread ing any fur ther.

This isn’t pos si ble in all or ga ni za tions, but in this case, users were part of a very large net work op er a tions cen ter and they were all in volved in some form of com puter sup port. In other words, they weren’t typ i cal end users but in stead had a sub stan tial amount of tech ni cal ex per tise.

Im ple ment ing De tec tive and Pre ven tive Mea sures Ide ally, an or ga ni za tion can avoid in ci dents com pletely by im ple ment ing pre ven tive coun ter mea sures.

This sec tion cov ers sev eral pre ven tive se cu rity con trols that can pre vent many at tacks and de scribes many com mon well-known at tacks. When an in ci dent does oc cur, an or ga ni za tion will want to de tect it as soon as pos si ble. In tru sion de tec tion and pre ven tion sys tems are one of the ways that or ga ni za tions do de tect in ci dents and are also in cluded in this sec tion, along with some spe cific mea sures or ga ni za tions can take to de tect and pre vent suc cess ful at tacks.

You may no tice the use of both pre ven ta tive and pre ven tive. While most doc u men ta tion

cur rently uses only pre ven tive, the CISSP ob jec tives in clude both us ages. For ex am ple, Do main 1 in cludes ref er ences to pre ven tive con trols. This chap ter cov ers ob jec tives from Do main 7, and Do main 7 refers to pre ven ta tive mea sures. For sim plic ity, we are us ing pre ven tive in this chap ter, ex cept when quot ing the CISSP ob jec tives.

Ba sic Pre ven tive Mea sures While there is no sin gle step you can take to pro tect against all at tacks, there are some ba sic steps you can

take that go a long way to pro tect against many types of at tacks. Many of these steps are de scribed in more depth in other ar eas of the book but are listed here as an in tro duc tion to this sec tion.

Keep sys tems and ap pli ca tions up-to-date. Ven dors reg u larly re lease patches to cor rect bugs and se cu rity flaws, but these only help when they’re ap plied. Patch man age ment (cov ered in Chap ter 16, “Man ag ing Se cu rity Op er a tions”) en sures that sys tems and ap pli ca tions are kept up-to-date with rel e vant patches.

Re move or dis able un needed ser vices and pro to cols. If a sys tem doesn’t need a ser vice or pro to col, it should not be run ning. At tack ers can not ex ploit a vul ner a bil ity in a ser vice or pro to col that isn’t run ning on a sys tem. As an ex treme con trast, imag ine a web server is run ning ev ery avail able ser vice and pro to col. It is vul ner a ble to po ten tial at tacks on any of these ser vices and pro to cols.

Use in tru sion de tec tion and pre ven tion sys tems. In tru sion de tec tion and pre ven tion sys tems ob serve ac tiv ity, at tempt to de tect at tacks, and pro vide alerts. They can of ten block or stop at tacks. These sys tems are de scribed in more depth later in this chap ter.

Use up-to-date anti-mal ware soft ware. Chap ter 21, “Ma li cious Code and Ap pli ca tion At tacks,” cov ers var i ous types of ma li cious code such as viruses and worms. A pri mary coun ter mea sure is anti-mal ware soft ware, cov ered later in this chap ter.

Use fire walls. Fire walls can pre vent many dif fer ent types of at tacks. Net work-based fire walls pro tect en tire net works and host-based fire walls pro tect in di vid ual sys tems. Chap ter 11, “Se cure Net work Ar chi tec ture and Se cur ing Net work Com po nents,” in cludes in for ma tion on us ing fire walls within a net work, and this chap ter in cludes a sec tion de scrib ing how fire walls can pre vent at tacks.

Im ple ment con fig u ra tion and sys tem man age ment pro cesses. Con fig u ra tion and sys tem man age ment pro cesses help en sure that sys tems are de ployed in a se cure man ner and re main in a se cure state through out their life times. Chap ter 16 cov ers con fig u ra tion and change man age ment pro cesses.

508

Thwart ing an at tacker’s at tempts to breach your se cu rity re quires vig i lant ef forts to keep

sys tems patched and prop erly con fig ured. Fire walls and in tru sion de tec tion and pre ven tion sys tems of ten pro vide the means to de tect and gather ev i dence to pros e cute at tack ers that have breached your se cu rity.

Un der stand ing At tacks Se cu rity pro fes sion als need to be aware of com mon at tack meth ods so that they can take proac tive steps to

pre vent them, rec og nize them when they oc cur, and re spond ap pro pri ately in re sponse to an at tack. This sec tion pro vides an over view of many com mon at tacks. The fol low ing sec tions dis cuss many of the pre ven tive mea sures used to thwart these and other at tacks.

We’ve at tempted to avoid du pli ca tion of spe cific at tacks but also pro vide a com pre hen sive

cov er age of dif fer ent types of at tacks through out this book. In ad di tion to this chap ter, you’ll see dif fer ent types of at tacks in other chap ters. For ex am ple, Chap ter 14, “Con trol ling and Mon i tor ing Ac cess,” dis cusses some spe cific at tacks re lated to ac cess con trol; Chap ter 12, “Se cure Com mu ni ca tions and Net work At tacks,” cov ers dif fer ent types of net work-based at tacks; and Chap ter 21 cov ers var i ous types of at tacks re lated to ma li cious code and ap pli ca tions.

Bot nets

Bot nets are quite com mon to day. The com put ers in a bot net are like ro bots (re ferred to as bots and some times zom bies). Mul ti ple bots in a net work form a bot net and will do what ever at tack ers in struct them to do. A bot herder is typ i cally a crim i nal who con trols all the com put ers in the bot net via one or more com mand-and-con trol servers. The bot herder en ters com mands on the server, and the zom bies check in with the com mand-and-con trol server to re ceive in struc tions. Zom bies can be pro grammed to con tact the server pe ri od i cally or re main dor mant un til a spe cific pro grammed date and time, or in re sponse to an event, such as when spe cific traf fic is de tected. Bot herders com monly in struct the bots within a bot net to launch a wide range of at tacks, send spam and phish ing emails, or rent the bot nets out to other crim i nals.

Com put ers are typ i cally joined to a bot net af ter be ing in fected with some type of ma li cious code or ma li cious soft ware. Once the com puter is in fected, it of ten gives the bot herder re mote ac cess to the sys tem and ad di tional mal ware is in stalled. In some cases, the zom bies in stall mal ware that searches for files in clud ing pass words or other in for ma tion of in ter est to the at tacker or in clude key log gers to cap ture user key strokes. Bot herders of ten is sue com mands to the zom bies, caus ing them to launch at tacks.

Bot nets of more than 40,000 com put ers are rel a tively com mon, and bot nets con trol ling mil lions of sys tems have been ac tive in the past. Some bot herders con trol more than one bot net.

There are many meth ods of pro tect ing sys tems from be ing joined to a bot net, so it’s best to use a de fense- in-depth strat egy, im ple ment ing mul ti ple lay ers of se cu rity. Be cause sys tems are typ i cally joined to a bot net af ter be com ing in fected with mal ware, it’s im por tant to en sure that sys tems and net works are pro tected with up-to-date anti-mal ware soft ware. Some mal ware takes ad van tage of un patched flaws in op er at ing sys tems and ap pli ca tions, so keep ing a sys tem up-to-date with patches helps keep them pro tected. How ever, at tack ers are in creas ingly cre at ing new mal ware that by passes the anti-mal ware soft ware, at least tem po rar ily. They are also dis cov er ing vul ner a bil i ties that don’t have patches avail able yet.

Ed u cat ing users is ex tremely im por tant as a coun ter mea sure against bot net in fec tions. World wide, at tack ers are al most con stantly send ing out ma li cious phish ing emails. Some in clude ma li cious at tach ments that join sys tems to a bot net if the user opens it. Oth ers in clude links to ma li cious sites that at tempt to down load ma li cious soft ware or try to trick the user into down load ing the ma li cious soft ware. Oth ers try to trick users into giv ing up their pass words, and at tack ers then use these har vested pass words to in fil trate sys tems and net works. Train ing users about these at tacks and main tain ing a high level of se cu rity aware ness can of ten help pre vent many at tacks.

Many mal ware in fec tions are browser based, al low ing user sys tems to be come in fected when the user is surf ing the Web. Keep ing browsers and their plug-ins up-to-date is an im por tant se cu rity prac tice. Ad di tion ally, most browsers have strong se cu rity built in, and these fea tures shouldn’t be dis abled. For ex am ple, most browsers sup port sand box ing to iso late web ap pli ca tions, but some browsers in clude the abil ity to dis able sand box ing. This might im prove per for mance of the browser slightly, but the risk is sig nif i cant.

509

 Bot nets, IoT, and Em bed ded Sys tems

At tack ers have tra di tion ally in fected desk top and lap top com put ers with mal ware and joined them to bot nets. While this still oc curs, at tack ers have been ex pand ing their reach to the In ter net of Things (IoT).

As an ex am ple, at tack ers used the Mi rai mal ware in 2016 to launch a dis trib uted de nial-of-ser vice (DDoS) at tack on Do main Name Sys tem (DNS) servers hosted by Dyn. Most of the de vices in volved in this at tack were In ter net of Things (IoT) de vices such as in ter net-con nected cam eras, dig i tal video recorders, and home-based routers that were in fected and added to the Mi rai bot net. The at tack ef fec tively pre vented users from ac cess ing many pop u lar web sites such as Twit ter, Net flix, Ama zon, Red dit, Spo tify, and more.

Em bed ded sys tems in clude any de vice with a pro ces sor, an op er at ing sys tem, and one or more ded i cated apps. Some ex am ples in clude de vices that con trol traf fic lights, med i cal equip ment, au to matic teller ma chine (ATM), print ers, ther mostats, dig i tal watches, and dig i tal cam eras. Many au to mo biles in clude mul ti ple em bed ded sys tems such as those used for cruise con trol, backup sen sors, rain/wiper sen sors, dash board dis plays, en gine con trols and mon i tors, sus pen sion con trols, and more. When any of these de vices have con nec tiv ity to the in ter net, they be come part of the IoT.

This ex plo sion of em bed ded sys tems is cer tainly im prov ing many prod ucts. How ever, if they have in ter net ac cess, it’s just a mat ter of time be fore at tack ers fig ure out how to ex ploit them. Ide ally, man u fac tur ers will de sign and build them with se cu rity in mind and in clude meth ods to eas ily up date them. The Mi rai DNS at tack in di cates they haven’t done so, at least by 2016.

De nial-of-Ser vice At tacks

De nial-of-ser vice (DoS) at tacks are at tacks that pre vent a sys tem from pro cess ing or re spond ing to le git i mate traf fic or re quests for re sources and ob jects. A com mon form of a DoS at tack will trans mit so many data pack ets to a server that it can not process them all. Other forms of DoS at tacks fo cus on the ex ploita tion of a known fault or vul ner a bil ity in an op er at ing sys tem, ser vice, or ap pli ca tion. Ex ploit ing the fault of ten re sults in a sys tem crash or 100 per cent CPU uti liza tion. No mat ter what the ac tual at tack con sists of, any at tack that ren ders its vic tim un able to per form nor mal ac tiv i ties is a DoS at tack. DoS at tacks can re sult in sys tem crashes, sys tem re boots, data cor rup tion, block age of ser vices, and more.

An other form of DoS at tack is a dis trib uted de nial-of-ser vice (DDoS) at tack. A DDoS at tack oc curs when mul ti ple sys tems at tack a sin gle sys tem at the same time. For ex am ple, a group of at tack ers could launch co or di nated at tacks against a sin gle sys tem. More of ten to day, though, an at tacker will com pro mise sev eral sys tems and use them as launch ing plat forms against the vic tims. At tack ers com monly use bot nets to launch DDoS at tacks.

DoS at tacks are typ i cally aimed at in ter net-fac ing sys tem. In other words, if at tack ers can

ac cess a sys tem via the in ter net, it is highly sus cep ti ble to a DoS at tack. In con trast, DoS at tacks are not com mon for in ter nal sys tems that are not di rectly ac ces si ble via the in ter net. Sim i larly, many DDoS at tacks tar get in ter net-fac ing sys tems.

A dis trib uted re flec tive de nial-of-ser vice (DR DoS) at tack is a vari ant of a DoS. It uses a re flected ap proach to an at tack. In other words, it doesn’t at tack the vic tim di rectly, but in stead ma nip u lates traf fic or a net work ser vice so that the at tacks are re flected back to the vic tim from other sources. Do main Name Sys tem (DNS) poi son ing at tacks (cov ered in Chap ter 12) and smurf at tacks (cov ered later in this chap ter) are ex am ples.

SYN Flood At tack

The SYN flood at tack is a com mon DoS at tack. It dis rupts the stan dard three-way hand shake used by Trans mis sion Con trol Pro to col (TCP) to ini ti ate com mu ni ca tion ses sions. Nor mally, a client sends a SYN (syn chro nize) packet to a server, the server re sponds with a SYN/ACK (syn chro nize/ac knowl edge) packet to the client, and the client then re sponds with an ACK (ac knowl edge) packet back to the server. This three-way hand shake es tab lishes a com mu ni ca tion ses sion that the two sys tems use for data trans fer un til the ses sion is ter mi nated with FIN (fin ish) or RST (re set) pack ets.

How ever, in a SYN flood at tack, the at tack ers send mul ti ple SYN pack ets but never com plete the con nec tion with an ACK. This is sim i lar to a jokester stick ing his hand out to shake hands, but when the other per son sticks his hand out in re sponse, the jokester pulls his hand back, leav ing the other per son hang ing.

510

Fig ure 17.2 shows an ex am ple. In this ex am ple, a sin gle at tacker has sent three SYN pack ets and the server has re sponded to each. For each of these re quests, the server has re served sys tem re sources to wait for the ACK. Servers of ten wait for the ACK for as long as three min utes be fore abort ing the at tempted ses sion, though ad min is tra tors can ad just this time.

FIG URE 17.2 SYN flood at tack

Three in com plete ses sions won’t cause a prob lem. How ever, an at tacker will send hun dreds or thou sands of SYN pack ets to the vic tim. Each in com plete ses sion con sumes re sources, and at some point, the vic tim be comes over whelmed and is not able to re spond to le git i mate re quests. The at tack can con sume avail able mem ory and pro cess ing power, re sult ing in the vic tim slow ing to a crawl or ac tu ally crash ing.

It’s com mon for the at tacker to spoof the source ad dress, with each SYN packet hav ing a dif fer ent source ad dress. This makes it dif fi cult to block the at tacker us ing the source In ter net Pro to col (IP) ad dress. At tack ers have also co or di nated at tacks launch ing si mul ta ne ous at tacks against a sin gle vic tim as a DDoS at tack. Lim it ing the num ber of al low able open ses sions isn’t ef fec tive as a de fense be cause once the sys tem reaches the limit it blocks ses sion re quests from le git i mate users. In creas ing the num ber of al low able ses sions on a server re sults in the at tack con sum ing more sys tem re sources, and a server has a fi nite amount of RAM and pro cess ing power.

Us ing SYN cook ies is one method of block ing this at tack. These small records con sume very few sys tem re sources. When the sys tem re ceives an ACK, it checks the SYN cook ies and es tab lishes a ses sion. Fire walls of ten in clude mech a nisms to check for SYN at tacks, as do in tru sion de tec tion and in tru sion pre ven tion sys tems.

An other method of block ing this at tack is to re duce the amount of time a server will wait for an ACK. It is typ i cally three min utes by de fault, but in nor mal op er a tion it rarely takes a le git i mate sys tem three min utes to send the ACK packet. By re duc ing the time, half-open ses sions are flushed from the sys tem’s mem ory quicker.

TCP Re set At tack

An other type of at tack that ma nip u lates the TCP ses sion is the TCP re set at tack. Ses sions are nor mally ter mi nated with ei ther the FIN (fin ish) or the RST (re set) packet. At tack ers can spoof the source IP ad dress in a RST packet and dis con nect ac tive ses sions. The two sys tems then need to reestab lish the ses sion. This is pri mar ily a threat for sys tems that need per sis tent ses sions to main tain data with other sys tems. When the ses sion is reestab lished, they need to re-cre ate the data so it’s much more than just send ing three pack ets back and forth to es tab lish the ses sion.

Smurf and Frag gle At tacks

Smurf and frag gle at tacks are both DoS at tacks. A smurf at tack is an other type of flood at tack, but it floods the vic tim with In ter net Con trol Mes sage Pro to col (ICMP) echo pack ets in stead of with TCP SYN pack ets. More specif i cally, it is a spoofed broad cast ping re quest us ing the IP ad dress of the vic tim as the source IP ad dress.

Ping uses ICMP to check con nec tiv ity with re mote sys tems. Nor mally, ping sends an echo re quest to a sin gle sys tem, and the sys tem re sponds with an echo re ply. How ever, in a smurf at tack the at tacker sends the echo re quest out as a broad cast to all sys tems on the net work and spoofs the source IP ad dress. All these sys tems re spond with echo replies to the spoofed IP ad dress, flood ing the vic tim with traf fic.

Smurf at tacks take ad van tage of an am pli fy ing net work (also called a smurf am pli fier) by send ing a di rected broad cast through a router. All sys tems on the am pli fy ing net work then at tack the vic tim. How ever, RFC 2644, re leased in 1999, changed the stan dard de fault for routers so that they do not for ward di rected broad cast traf fic. When ad min is tra tors cor rectly con fig ure routers in com pli ance with RFC 2644, a net work can not be an am pli fy ing net work. This lim its smurf at tacks to a sin gle net work. Ad di tion ally, it is com mon to

511

dis able ICMP on fire walls, routers, and even many servers to pre vent any type of at tacks us ing ICMP. When stan dard se cu rity prac tices are used, smurf at tacks are rarely a prob lem to day.

Frag gle at tacks are sim i lar to smurf at tacks. How ever, in stead of us ing ICMP, a frag gle at tack uses UDP pack ets over UDP ports 7 and 19. The frag gle at tack will broad cast a UDP packet us ing the spoofed IP ad dress of the vic tim. All sys tems on the net work will then send traf fic to the vic tim, just as with a smurf at tack.

Ping Flood

A ping flood at tack floods a vic tim with ping re quests. This can be very ef fec tive when launched by zom bies within a bot net as a DDoS at tack. If tens of thou sands of sys tems si mul ta ne ously send ping re quests to a sys tem, the sys tem can be over whelmed try ing to an swer the ping re quests. The vic tim will not have time to re spond to le git i mate re quests. A com mon way that sys tems han dle this to day is by block ing ICMP traf fic. Ac tive in tru sion de tec tion sys tems can de tect a ping flood and mod ify the en vi ron ment to block ICMP traf fic dur ing the at tack.

Ping of Death

A ping-of-death at tack em ploys an over sized ping packet. Ping pack ets are nor mally 32 or 64 bytes, though dif fer ent op er at ing sys tems can use other sizes. The ping-of-death at tack changed the size of ping pack ets to over 64 KB, which was big ger than many sys tems could han dle. When a sys tem re ceived a ping packet larger than 64 KB, it re sulted in a prob lem. In some cases the sys tem crashed. In other cases, it re sulted in a buf fer over flow er ror. A ping-of-death at tack is rarely suc cess ful to day be cause patches and up dates re move the vul ner a bil ity.

Al though the ping of death isn’t a prob lem to day, many other types of at tacks cause buf fer

over flow er rors (dis cussed in Chap ter 21). When ven dors dis cover bugs that can cause a buf fer over flow, they re lease patches to fix them. One of the best pro tec tions against any buf fer over flow at tack is to keep a sys tem up-to-date with cur rent patches. Ad di tion ally, pro duc tion sys tems should not in clude untested code or al low the use of sys tem or root-level priv i leges from ap pli ca tions.

Teardrop

In a teardrop at tack, an at tacker frag ments traf fic in such a way that a sys tem is un able to put data pack ets back to gether. Large pack ets are nor mally di vided into smaller frag ments when they’re sent over a net work, and the re ceiv ing sys tem then puts the packet frag ments back to gether into their orig i nal state. How ever, a teardrop at tack man gles these pack ets in such a way that the sys tem can not put them back to gether. Older sys tems couldn’t han dle this sit u a tion and crashed, but patches re solved the prob lem. Al though cur rent sys tems aren’t sus cep ti ble to teardrop at tacks, this does em pha size the im por tance of keep ing sys tems up-to-date. Ad di tion ally, in tru sion de tec tion sys tems can check for mal formed pack ets.

Land At tacks

A land at tack oc curs when the at tacker sends spoofed SYN pack ets to a vic tim us ing the vic tim’s IP ad dress as both the source and des ti na tion IP ad dress. This tricks the sys tem into con stantly re ply ing to it self and can cause it to freeze, crash, or re boot. This at tack was first dis cov ered in 1997, and it has resur faced sev eral times at tack ing dif fer ent ports. Keep ing a sys tem up-to-date and fil ter ing traf fic to de tect traf fic with iden ti cal source and des ti na tion ad dresses helps to pro tect against LAND at tacks.

Zero-Day Ex ploit

A zero-day ex ploit refers to an at tack on a sys tem ex ploit ing a vul ner a bil ity that is un known to oth ers. How ever, se cu rity pro fes sion als use the term in dif fer ent con texts and it has some mi nor dif fer ences based on the con text. Here are some ex am ples:

At tacker First Dis cov ers a Vul ner a bil ity When an at tacker dis cov ers a vul ner a bil ity, the at tacker can eas ily ex ploit it be cause the at tacker is the only one aware of the vul ner a bil ity. At this point, the ven dor is un aware of the vul ner a bil ity and has not de vel oped or re leased a patch. This is the com mon def i ni tion of a zero-day ex ploit.

Ven dor Learns of Vul ner a bil ity When ven dors learn of a vul ner a bil ity, they eval u ate the se ri ous ness of the threat and pri or i tize the de vel op ment of a patch. Soft ware patches can be com plex and re quire ex ten sive test ing to en sure that the patch does not cause other prob lems. Ven dors may de velop and re lease patches within days for se ri ous threats, or they may take months to de velop and re lease a patch for a prob lem they do not con sider se ri ous. At tacks ex ploit ing the vul ner a bil ity dur ing this time are of ten called zero-day ex ploits be cause the pub lic does not know about the vul ner a bil ity.

512

Ven dor Re leases Patch Once a patch is de vel oped and re leased, patched sys tems are no longer vul ner a ble to the ex ploit. How ever, or ga ni za tions of ten take time to eval u ate and test a patch be fore ap ply ing it, re sult ing in a gap be tween when the ven dor re leases the patch and when ad min is tra tors ap ply it. Mi cro soft typ i cally re leases patches on the sec ond Tues day of ev ery month, com monly called “Patch Tues day.” At tack ers of ten try to re verse-en gi neer the patches to un der stand them, and then ex ploit them the next day, com monly called “Ex ploit Wednes day.” Some peo ple re fer to at tacks the day af ter the ven dor re leases a patch as a zero- day at tack. How ever, this us age isn’t as com mon. In stead, most se cu rity pro fes sion als con sider this as an at tack on an un patched sys tem.

If an or ga ni za tion doesn’t have an ef fec tive patch man age ment sys tem, they can have

sys tems that are vul ner a ble to known ex ploits. If an at tack oc curs weeks or months af ter a ven dor re leases a patch, this is not a zero-day ex ploit. In stead, it is an at tack on an un patched sys tem.

Meth ods used to pro tect sys tems against zero-day ex ploits in clude many of the ba sic pre ven tive mea sures. En sure that sys tems are not run ning un needed ser vices and pro to cols to re duce a sys tem’s at tack sur face, en able both net work-based and host-based fire walls to limit po ten tially ma li cious traf fic, and use in tru sion de tec tion and pre ven tion sys tems to help de tect and block po ten tial at tacks. Ad di tion ally, hon ey pots and padded cells give ad min is tra tors an op por tu nity to ob serve at tacks and may re veal an at tack us ing a zero-day ex ploit. Hon ey pots and padded cells are ex plained later in this chap ter.

Ma li cious Code

Ma li cious code is any script or pro gram that per forms an un wanted, unau tho rized, or un known ac tiv ity on a com puter sys tem. Ma li cious code can take many forms, in clud ing viruses, worms, Tro jan horses, doc u ments with de struc tive macros, and logic bombs. It is of ten called mal ware, short for ma li cious soft ware, and less com monly mal code, short for ma li cious code. At tack ers are con stantly writ ing and mod i fy ing ma li cious code for al most ev ery type of com put ing de vice or in ter net-con nected de vice. Chap ter 21 cov ers ma li cious code in de tail.

Meth ods of dis tribut ing viruses con tinue to evolve. Years ago, the most pop u lar method was via floppy disks, hand-car ried from sys tem to sys tem. Later, the most pop u lar method was via email as ei ther an at tach ment or an em bed ded script, and this method is still pop u lar to day. Many pro fes sion als con sider drive- by down loads to be one of the most pop u lar meth ods.

A drive-by down load is code down loaded and in stalled on a user’s sys tem with out the user’s knowl edge. At tack ers mod ify the code on a web page and when the user vis its, the code down loads and in stalls mal ware on the user’s sys tem with out the user’s knowl edge or con sent. At tack ers some times com pro mise le git i mate web sites and add ma li cious code to in clude drive-by down loads. They also host their own ma li cious web sites and use phish ing or re di rect ion meth ods to get users to the ma li cious web site. Most drive-by down loads take ad van tage of vul ner a bil i ties in un patched sys tems, so keep ing a sys tem up-to-date pro tects them.

At tack ers have some times used “malver tis ing” to spread mal ware. They pose as le git i mate com pa nies and pay to have their ads posted on le git i mate web sites. If users click the ad, they are redi rected to a ma li cious site that typ i cally at tempts a drive-by down load.

At tack ers fre quently use a drive-by down load to in fect a sin gle sys tem, with the goal of

gain ing a foothold in a net work. A com mon method is to send phish ing emails with links to ma li cious sites along with a short phrase such as “You’ll like this” or “You have to check this out.” If users click the link, they are taken to a site that at tempts to down load mal ware. If suc cess ful, at tack ers use this in fected com puter as a pivot point to in fect other com put ers in the net work.

An other pop u lar method of in stalling mal ware uses a pay-per-in stall ap proach. Crim i nals pay web site op er a tors to host their mal ware, which is of ten a fake anti-mal ware pro gram (also called rogue ware). The web site op er a tors are paid for ev ery in stal la tion ini ti ated from their web site. Pay ments vary, but in gen eral, pay ments for suc cess ful in stal la tions on com put ers in the United States pay more.

Al though the ma jor ity of mal ware ar rives from the in ter net, some is trans mit ted to sys tems via Uni ver sal Se rial Bus (USB) flash drives. Many viruses can de tect when a user in serts a USB flash drive into a sys tem. It then in fects the drive. When the user plugs it into an other sys tem, the mal ware in fects the other sys tem.

Man-in-the-Mid dle At tacks

A man-in-the-mid dle (MITM) at tack oc curs when a ma li cious user can gain a po si tion log i cally be tween the two end points of an on go ing com mu ni ca tion. There are two types of man-in-the-mid dle at tacks. One in volves copy ing or sniff ing the traf fic be tween two par ties, which is ba si cally a snif fer at tack as de scribed in

513

Chap ter 14. The other type in volves at tack ers po si tion ing them selves in the line of com mu ni ca tion where they act as a store-and-for ward or proxy mech a nism, as shown in Fig ure 17.3. The client and server think they are con nected di rectly to each other. How ever, the at tacker cap tures and for wards all data be tween the two sys tems. An at tacker can col lect lo gon cre den tials and other sen si tive data as well as change the con tent of mes sages ex changed be tween the two sys tems.

FIG URE 17.3 A man-in-the-mid dle at tack

Man-in-the-mid dle at tacks re quire more tech ni cal so phis ti ca tion than many other at tacks be cause the at tacker needs to suc cess fully im per son ate a server from the per spec tive of the client and im per son ate the client from the per spec tive of the server. A man-in-the-mid dle at tack will of ten re quire a com bi na tion of mul ti ple at tacks. For ex am ple, the at tacker may al ter rout ing in for ma tion and DNS val ues, ac quire and in stall en cryp tion cer tifi cates to break into an en crypted tun nel, or fal sify Ad dress Res o lu tion Pro to col (ARP) lookups as a part of the at tack.

Some man-in-the-mid dle at tacks are thwarted by keep ing sys tems up-to-date with patches. An in tru sion de tec tion sys tem can not usu ally de tect man-in-the-mid dle or hi jack at tacks, but it can de tect ab nor mal ac tiv i ties oc cur ring over com mu ni ca tion links and raise alerts on sus pi cious ac tiv ity. Many users of ten use vir tual pri vate net works (VPNs) to avoid these at tacks. Some VPNs are hosted by an em ployee’s or ga ni za tion, but there are also sev eral com mer cially avail able VPNs that any one can use, typ i cally at a cost.

Sab o tage

Em ployee sab o tage is a crim i nal act of de struc tion or dis rup tion com mit ted against an or ga ni za tion by an em ployee. It can be come a risk if an em ployee is knowl edge able enough about the as sets of an or ga ni za tion, has suf fi cient ac cess to ma nip u late crit i cal as pects of the en vi ron ment, and has be come dis grun tled. Em ployee sab o tage oc curs most of ten when em ploy ees sus pect they will be ter mi nated with out just cause or if em ploy ees re tain ac cess af ter be ing ter mi nated.

This is an other im por tant rea son em ployee ter mi na tions should be han dled swiftly and ac count ac cess should be dis abled as soon as pos si ble af ter the ter mi na tion. Other safe guards against em ployee sab o tage are in ten sive au dit ing, mon i tor ing for ab nor mal or unau tho rized ac tiv ity, keep ing lines of com mu ni ca tion open be tween em ploy ees and man agers, and prop erly com pen sat ing and rec og niz ing em ploy ees for their con tri bu tions.

Es pi onage

Es pi onage is the ma li cious act of gath er ing pro pri etary, se cret, pri vate, sen si tive, or con fi den tial in for ma tion about an or ga ni za tion. At tack ers of ten com mit es pi onage with the in tent of dis clos ing or sell ing the in for ma tion to a com peti tor or other in ter ested or ga ni za tion (such as a for eign gov ern ment). At tack ers can be dis sat is fied em ploy ees, and in some cases, em ploy ees who are be ing black mailed by some one out side the or ga ni za tion.

It can also be com mit ted by a mole or plant placed in the or ga ni za tion to steal in for ma tion for a pri mary se cret em ployer. In some cases, es pi onage oc curs far from the work place, such as at a con ven tion or an event, per pe trated by some one who specif i cally tar gets em ploy ees’ mo bile as sets.

Coun ter mea sures against es pi onage are to strictly con trol ac cess to all non pub lic data, thor oughly screen new em ployee can di dates, and ef fi ciently track all em ployee ac tiv i ties.

514

Many re ported cases of es pi onage are traced back to ad vanced per sis tent threats (APTs) spon sored by na tion-states. APTs are dis cussed in sev eral chap ters of this book, such as Chap ter 14. One of the ways these at tacks are de tected is with egress mon i tor ing, or mon i tor ing the flow of traf fic out of a net work.

In tru sion De tec tion and Pre ven tion Sys tems The pre vi ous sec tion de scribed many com mon at tacks. At tack ers are con stantly mod i fy ing their at tack

meth ods, so at tacks typ i cally morph over time. Sim i larly, de tec tion and pre ven tion meth ods change to adapt to new at tacks. In tru sion de tec tion sys tems (IDSs) and in tru sion pre ven tion sys tems (IPSs) are two meth ods or ga ni za tions typ i cally im ple ment to de tect and pre vent at tacks.

An in tru sion oc curs when an at tacker can by pass or thwart se cu rity mech a nisms and gain ac cess to an or ga ni za tion’s re sources. In tru sion de tec tion is a spe cific form of mon i tor ing that mon i tors recorded in for ma tion and real-time events to de tect ab nor mal ac tiv ity in di cat ing a po ten tial in ci dent or in tru sion. An in tru sion de tec tion sys tem (IDS) au to mates the in spec tion of logs and real-time sys tem events to de tect in tru sion at tempts and sys tem fail ures. Be cause an IPS in cludes de tec tion ca pa bil i ties, you’ll of ten see them re ferred to as in tru sion de tec tion and pre ven tion sys tems (IDPSs).

IDSs are an ef fec tive method of de tect ing many DoS and DDoS at tacks. They can rec og nize at tacks that come from ex ter nal con nec tions, such as an at tack from the in ter net, and at tacks that spread in ter nally such as a ma li cious worm. Once they de tect a sus pi cious event, they re spond by send ing alerts or rais ing alarms. In some cases, they can mod ify the en vi ron ment to stop an at tack. A pri mary goal of an IDS is to pro vide a means for a timely and ac cu rate re sponse to in tru sions.

An IDS is in tended as part of a de fense-in-depth se cu rity plan. It will work with, and

com ple ments, other se cu rity mech a nisms such as fire walls, but it does not re place other se cu rity mech a nisms.

An in tru sion pre ven tion sys tem (IPS) in cludes all the ca pa bil i ties of an IDS but can also take ad di tional steps to stop or pre vent in tru sions. If de sired, ad min is tra tors can dis able these ex tra fea tures of an IPS, es sen tially caus ing it to func tion as an IDS.

You’ll of ten see the two terms com bined as in tru sion de tec tion and pre ven tion sys tems (IDPSs). For ex am ple, NIST SP 800-94, “Guide to In tru sion De tec tion and Pre ven tion Sys tems,” pro vides com pre hen sive cov er age of both in tru sion de tec tion and in tru sion pre ven tion sys tems, but for brevity uses IDPS through out the doc u ment to re fer to both. In this chap ter, we are de scrib ing meth ods used by IDSs to de tect at tacks, how they can re spond to at tacks, and the types of IDSs avail able. We are then adding in for ma tion on IPSs where ap pro pri ate.

Knowl edge- and Be hav ior-Based De tec tion

An IDS ac tively watches for sus pi cious ac tiv ity by mon i tor ing net work traf fic and in spect ing logs. For ex am ple, an IDS can have sen sors or agents mon i tor ing key de vices such as routers and fire walls in a net work. These de vices have logs that can record ac tiv ity, and the sen sors can for ward these log en tries to the IDS for anal y sis. Some sen sors send all the data to the IDS, whereas other sen sors in spect the en tries and only send spe cific log en tries based on how ad min is tra tors con fig ure the sen sors.

The IDS eval u ates the data and can de tect ma li cious be hav ior us ing two com mon meth ods: knowl edge- based de tec tion and be hav ior-based de tec tion. In short, knowl edge-based de tec tion uses sig na tures sim i lar to the sig na ture def i ni tions used by anti-mal ware soft ware. Be hav ior-based de tec tion doesn’t use sig na tures but in stead com pares ac tiv ity against a base line of nor mal per for mance to de tect ab nor mal be hav ior. Many IDSs use a com bi na tion of both meth ods.

Knowl edge-Based De tec tion The most com mon method of de tec tion is knowl edge-based de tec tion (also called sig na ture-based de tec tion or pat tern-match ing de tec tion). It uses a data base of known at tacks de vel oped by the IDS ven dor. For ex am ple, some au to mated tools are avail able to launch SYN flood at tacks, and these tools have known pat terns and char ac ter is tics de fined in a sig na ture data base. Real-time traf fic is matched against the data base, and if the IDS finds a match, it raises an alert. The pri mary draw back for a knowl edge-based IDS is that it is ef fec tive only against known at tack meth ods. New at tacks, or slightly mod i fied ver sions of known at tacks, of ten go un rec og nized by the IDS.

Knowl edge-based de tec tion on an IDS is sim i lar to sig na ture-based de tec tion used by anti-mal ware ap pli ca tions. The anti-mal ware ap pli ca tion has a data base of known mal ware and checks files against the data base look ing for a match. Just as anti-mal ware soft ware must be reg u larly up dated with new sig na tures from the anti-mal ware ven dor, IDS data bases must be reg u larly up dated with new at tack sig na tures. Most IDS ven dors pro vide au to mated meth ods to up date the sig na tures.

515

Be hav ior-Based De tec tion The sec ond de tec tion type is be hav ior-based de tec tion (also called sta tis ti cal in tru sion de tec tion, anom aly de tec tion, and heuris tics-based de tec tion). Be hav ior-based de tec tion starts by cre at ing a base line of nor mal ac tiv i ties and events on the sys tem. Once it has ac cu mu lated enough base line data to de ter mine nor mal ac tiv ity, it can de tect ab nor mal ac tiv ity that may in di cate a ma li cious in tru sion or event.

This base line is of ten cre ated over a fi nite pe riod such as a week. If the net work is mod i fied, the base line needs to be up dated. Oth er wise, the IDS may alert you to nor mal be hav ior that it iden ti fies as ab nor mal. Some prod ucts con tinue to mon i tor the net work to learn more about nor mal ac tiv ity and will up date the base line based on the ob ser va tions.

Be hav ior-based IDSs use the base line, ac tiv ity sta tis tics, and heuris tic eval u a tion tech niques to com pare cur rent ac tiv ity against pre vi ous ac tiv ity to de tect po ten tially ma li cious events. Many can per form state ful packet anal y sis sim i lar to how state ful in spec tion fire walls (cov ered in Chap ter 11) ex am ine traf fic based on the state or con text of net work traf fic.

Anom aly anal y sis adds to an IDS’s ca pa bil i ties by al low ing it to rec og nize and re act to sud den in creases in traf fic vol ume or ac tiv ity, mul ti ple failed lo gin at tempts, lo gons or pro gram ac tiv ity out side nor mal work ing hours, or sud den in creases in er ror or fail ure mes sages. All of these could in di cate an at tack that a knowl edge- based de tec tion sys tem may not rec og nize.

A be hav ior-based IDS can be la beled an ex pert sys tem or a pseudo–ar ti fi cial in tel li gence sys tem be cause it can learn and make as sump tions about events. In other words, the IDS can act like a hu man ex pert by eval u at ing cur rent events against known events. The more in for ma tion pro vided to a be hav ior-based IDS about nor mal ac tiv i ties and events, the more ac cu rately it can de tect anom alies. A sig nif i cant ben e fit of a be hav ior-based IDS is that it can de tect newer at tacks that have no sig na tures and are not de tectable with the sig na ture-based method.

The pri mary draw back for a be hav ior-based IDS is that it of ten raises a high num ber of false alarms, also called false alerts or false pos i tives. Pat terns of user and sys tem ac tiv ity can vary widely dur ing nor mal op er a tions, mak ing it dif fi cult to ac cu rately de fine the bound aries of nor mal and ab nor mal ac tiv ity.

 False Alarms

A chal lenge that many IDS ad min is tra tors have is find ing a bal ance be tween the num ber of false alarms or alerts that an IDS sends and en sur ing that the IDS re ports ac tual at tacks. In one or ga ni za tion we know about, an IDS sent a se ries of alerts over a cou ple of days that were ag gres sively in ves ti gated but turned out to be false alarms. Ad min is tra tors be gan los ing faith in the sys tem and re gret ted wast ing time chas ing these false alarms.

Later, the IDS be gan send ing alerts on an ac tual at tack. How ever, ad min is tra tors were ac tively trou bleshoot ing an other is sue that they knew was real, and they didn’t have time to chase what they per ceived as more false alarms. They sim ply dis missed the alarms on the IDS and didn’t dis cover the at tack un til a few days later.

SIEM Sys tems

Many IDSs and IPSs send col lected data to a se cu rity in for ma tion and event man age ment (SIEM) sys tem. A SIEM sys tem also col lects data from many other sources within the net work. It pro vides real-time mon i tor ing of traf fic and anal y sis and no ti fi ca tion of po ten tial at tacks. Ad di tion ally, it pro vides long-term stor age of data, al low ing se cu rity pro fes sion als to an a lyze the data.

A SIEM typ i cally in cludes sev eral fea tures. Be cause it col lects data from dis sim i lar de vices, it in cludes a cor re la tion and ag gre ga tion fea ture con vert ing this data into use ful in for ma tion. Ad vanced an a lytic tools within the SIEM can an a lyze the data and raise alerts and/or trig ger re sponses based on pre con fig ured rules. These alerts and trig gers are typ i cally sep a rate from alerts sent by IDSs and IPSs, but some over lap is likely to oc cur.

IDS Re sponse

Al though knowl edge-based and be hav ior-based IDSs de tect in ci dents dif fer ently, they both use an alert sys tem. When the IDS de tects an event, it trig gers an alarm or alert. It can then re spond us ing a pas sive or ac tive method. A pas sive re sponse logs the event and sends a no ti fi ca tion. An ac tive re sponse changes the en vi ron ment to block the ac tiv ity in ad di tion to log ging and send ing a no ti fi ca tion.

516

In some cases, you can mea sure a fire wall’s ef fec tive ness by plac ing a pas sive IDS be fore

the fire wall and an other pas sive IDS af ter the fire wall. By ex am in ing the alerts in the two IDSs, you can de ter mine what at tacks the fire wall is block ing in ad di tion to de ter min ing what at tacks are get ting through.

Pas sive Re sponse No ti fi ca tions can be sent to ad min is tra tors via email, text or pager mes sages, or pop- up mes sages. In some cases, the alert can gen er ate a re port de tail ing the ac tiv ity lead ing up to the event, and logs are avail able for ad min is tra tors to get more in for ma tion if needed. Many 24-hour net work op er a tions cen ters (NOCs) have cen tral mon i tor ing screens view able by ev ery one in the main sup port cen ter. For ex am ple, a sin gle wall can have mul ti ple large-screen mon i tors pro vid ing data on dif fer ent el e ments of the NOC. The IDS alerts can be dis played on one of these screens to en sure that per son nel are aware of the event. These in stant no ti fi ca tions help ad min is tra tors re spond quickly and ef fec tively to un wanted be hav ior.

Ac tive Re sponse Ac tive re sponses can mod ify the en vi ron ment us ing sev eral dif fer ent meth ods. Typ i cal re sponses in clude mod i fy ing ACLs to block traf fic based on ports, pro to cols, and source ad dresses, and even dis abling all com mu ni ca tions over spe cific ca ble seg ments. For ex am ple, if an IDS de tects a SYN flood at tack from a sin gle IP ad dress, the IDS can change the ACL to block all traf fic from this IP ad dress. Sim i larly, if the IDS de tects a ping flood at tack from mul ti ple IP ad dresses, it can change the ACL to block all ICMP traf fic. An IDS can also block ac cess to re sources for sus pi cious or ill-be haved users. Se cu rity ad min is tra tors con fig ure these ac tive re sponses in ad vance and can tweak them based on chang ing needs in the en vi ron ment.

An IDS that uses an ac tive re sponse is some times re ferred to as an IPS (in tru sion

pre ven tion sys tem). This is ac cu rate in some sit u a tions. How ever, an IPS (de scribed later in this sec tion) is placed in line with the traf fic. If an ac tive IDS is placed in line with the traf fic, it is an IPS. If it is not placed in line with the traf fic, it isn’t a true IPS be cause it can only re spond to the at tack af ter it has de tected an at tack in progress. NIST SP 800-94 rec om mends plac ing all ac tive IDSs in line with the traf fic so that they func tion as IPSs.

Host- and Net work-Based IDSs

IDS types are com monly clas si fied as host based and net work based. A host-based IDS (HIDS) mon i tors a sin gle com puter or host. A net work-based IDS (NIDS) mon i tors a net work by ob serv ing net work traf fic pat terns.

A less-used clas si fi ca tion is an ap pli ca tion-based IDS, which is a spe cific type of net work-based IDS. It mon i tors spe cific ap pli ca tion traf fic be tween two or more servers. For ex am ple, an ap pli ca tion-based IDS can mon i tor traf fic be tween a web server and a data base server look ing for sus pi cious ac tiv ity.

Host-Based IDS An HIDS mon i tors ac tiv ity on a sin gle com puter, in clud ing process calls and in for ma tion recorded in sys tem, ap pli ca tion, se cu rity, and host-based fire wall logs. It can of ten ex am ine events in more de tail than a NIDS can, and it can pin point spe cific files com pro mised in an at tack. It can also track pro cesses em ployed by the at tacker.

A ben e fit of HIDSs over NIDSs is that HIDSs can de tect anom alies on the host sys tem that NIDSs can not de tect. For ex am ple, an HIDS can de tect in fec tions where an in truder has in fil trated a sys tem and is con trol ling it re motely. You may no tice that this sounds sim i lar to what anti-mal ware soft ware will do on a com puter. It is. Many HIDSs in clude anti- mal ware ca pa bil i ties.

Al though many ven dors rec om mend in stalling host-based IDSs on all sys tems, this isn’t com mon due to some of the dis ad van tages of HIDSs. In stead, many or ga ni za tions choose to in stall HIDSs only on key servers as an added level of pro tec tion. Some of the dis ad van tages to HIDSs are re lated to the cost and us abil ity. HIDSs are more costly to man age than NIDSs be cause they re quire ad min is tra tive at ten tion on each sys tem, whereas NIDSs usu ally sup port cen tral ized ad min is tra tion. An HIDS can not de tect net work at tacks on other sys tems. Ad di tion ally, it will of ten con sume a sig nif i cant amount of sys tem re sources, de grad ing the host sys tem per for mance. Al though it’s of ten pos si ble to re strict the sys tem re sources used by the HIDS, this can re sult in it miss ing an ac tive at tack. Ad di tion ally, HIDSs are eas ier for an in truder to dis cover and dis able, and their logs are main tained on the sys tem, mak ing the logs sus cep ti ble to mod i fi ca tion dur ing a suc cess ful at tack.

Net work-Based IDS A NIDS mon i tors and eval u ates net work ac tiv ity to de tect at tacks or event anom alies. A sin gle NIDS can mon i tor a large net work by us ing re mote sen sors to col lect data at key net work lo ca tions that send data to a cen tral man age ment con sole and/or a SIEM. These sen sors can mon i tor traf fic at routers, fire walls, net work switches that sup port port mir ror ing, and other types of net work taps.

517

Mon i tor ing En crypted Traf fic

As much as 75 per cent of in ter net traf fic is en crypted us ing Trans port Layer Se cu rity (TLS) with Hy per text Trans fer Pro to col Se cure (HTTPS), and that num ber con tin ues to climb ev ery year. While en cryp tion helps en sure pri vacy of data in tran sit as it trav els over the in ter net, it also presents chal lenges for IDPSs.

As an ex am ple, imag ine a user un wit tingly es tab lishes a se cure HTTPS ses sion with a ma li cious site. The ma li cious site then at tempts to down load ma li cious code to the user’s sys tem through this chan nel. Be cause the ma li cious code is en crypted, the IDPS can not ex am ine it, and the code gets through to the client.

Sim i larly, many bot nets have used en cryp tion to by pass in spec tion by an IDPS. When a zom bie con tacts a com mand-and-con trol server, it of ten es tab lishes an HTTPS ses sion first. It can use this en crypted ses sion to send har vested pass words and other data it has col lected and to re ceive com mands from the server for fu ture ac tiv ity.

One so lu tion that many or ga ni za tions have be gun im ple ment ing is the use of TLS de cryp tors, some times called SSL de cryp tors. A TLS de cryp tor de tects TLS traf fic, takes steps to de crypt it, and sends the de crypted traf fic to an IDPS for in spec tion. This can be very ex pen sive in terms of pro cess ing power, so a TLS de cryp tor is of ten a stand-alone hard ware ap pli ance ded i cated to this func tion, but it can be within an IDPS so lu tion, a next-gen er a tion fire wall, or some other ap pli ance. Ad di tion ally, it is typ i cally placed in line with the traf fic, en sur ing that all traf fic to and from the in ter net passes through it.

The TLS de cryp tor de tects and in ter cepts a TLS hand shake be tween an in ter nal client and an in ter net server. It then es tab lishes two HTTPS ses sions. One is be tween the in ter nal client and the TLS de cryp tor. The sec ond is be tween the TLS de cryp tor and the in ter net server. While the traf fic is trans mit ted us ing HTTPS, it is de crypted on the TLS de cryp tor.

There is a weak ness with TLS de cryp tors, though. APTs of ten en crypt traf fic be fore ex fil trat ing it out of a net work. The en cryp tion is typ i cally per formed on a host be fore es tab lish ing a con nec tion with a re mote sys tem and send ing it. Be cause the traf fic is en crypted on the client, and not within a TLS ses sion, the TLS de cryp tor can not de crypt it. Sim i larly, an IDPS may be able to de tect that this traf fic is en crypted, but it won’t be able to de crypt the traf fic so that it can in spect it.

Switches are of ten used as a pre ven tive mea sure against rogue snif fers. If the IDS is

con nected to a nor mal port on the switch, it will cap ture only a small por tion of the net work traf fic, which isn’t very use ful. In stead, the switch can be con fig ured to mir ror all traf fic to a spe cific port (com monly called port mir ror ing) used by the IDS. On Cisco switches, the port used for port mir ror ing is re ferred to as a Switched Port An a lyzer (SPAN) port.

The cen tral con sole is of ten in stalled on a sin gle-pur pose com puter that is hard ened against at tacks. This re duces vul ner a bil i ties in the NIDS and can al low it to op er ate al most in vis i bly, mak ing it much harder for at tack ers to dis cover and dis able it. A NIDS has very lit tle neg a tive ef fect on the over all net work per for mance, and when it is de ployed on a sin gle-pur pose sys tem, it doesn’t ad versely af fect per for mance on any other com puter. On net works with large vol umes of traf fic, a sin gle NIDS may be un able to keep up with the flow of data, but it is pos si ble to add ad di tional sys tems to bal ance the load.

Of ten, a NIDS can dis cover the source of an at tack by per form ing Re verse Ad dress Res o lu tion Pro to col (RARP) or re verse Do main Name Sys tem (DNS) lookups. How ever, be cause at tack ers of ten spoof IP ad dresses or launch at tacks by zom bies via a bot net, ad di tional in ves ti ga tion is re quired to de ter mine the ac tual source. This can be a la bo ri ous process and is be yond the scope of the IDS. How ever, it is pos si ble to dis cover the source of spoofed IPs with some in ves ti ga tion.

It is un eth i cal and risky to launch coun ter strikes against an in truder or to at tempt to

re verse-hack an in truder’s com puter sys tem. In stead, rely on your log ging ca pa bil i ties and sniff ing col lec tions to pro vide suf fi cient data to pros e cute crim i nals or to im prove the se cu rity of your en vi ron ment in re sponse.

A NIDS is usu ally able to de tect the ini ti a tion of an at tack or on go ing at tacks, but it can’t al ways pro vide in for ma tion about the suc cess of an at tack. It won’t know if an at tack af fected spe cific sys tems, user ac counts, files, or ap pli ca tions. For ex am ple, a NIDS may dis cover that a buf fer over flow ex ploit was sent through the net work, but it won’t nec es sar ily know whether the ex ploit suc cess fully in fil trated a sys tem. How ever, af ter

518

ad min is tra tors re ceive the alert they can check rel e vant sys tems. Ad di tion ally, in ves ti ga tors can use the NIDS logs as part of an au dit trail to learn what hap pened.

In tru sion Pre ven tion Sys tems

An in tru sion pre ven tion sys tem (IPS) is a spe cial type of ac tive IDS that at tempts to de tect and block at tacks be fore they reach tar get sys tems. It’s some times re ferred to as an in tru sion de tec tion and pre ven tion sys tem (IDPS). A dis tin guish ing dif fer ence be tween an IDS and an IPS is that the IPS is placed in line with the traf fic, as shown in Fig ure 17.4. In other words, all traf fic must pass through the IPS and the IPS can choose what traf fic to for ward and what traf fic to block af ter an a lyz ing it. This al lows the IPS to pre vent an at tack from reach ing a tar get.

FIG URE 17.4 In tru sion pre ven tion sys tem

In con trast, an ac tive IDS that is not placed in line can check the ac tiv ity only af ter it has reached the tar get. The ac tive IDS can take steps to block an at tack af ter it starts but can not pre vent it.

An IPS can use knowl edge-based de tec tion and/or be hav ior-based de tec tion, just as any other IDS. Ad di tion ally, it can log ac tiv ity and pro vide no ti fi ca tion to ad min is tra tors just as an IDS would.

A cur rent trend is the re place ment of IDSs with IPSs. Sim i larly, many ap pli ances that

in clude de tec tion and pre ven tion ca pa bil i ties fo cus their use on an IPS. Be cause an IPS is placed in line with the traf fic, it can in spect all traf fic as it oc curs.

Spe cific Pre ven tive Mea sures Al though in tru sion de tec tion and pre ven tion sys tems go a long way to ward pro tect ing net works,

ad min is tra tors typ i cally im ple ment ad di tional se cu rity con trols to pro tect their net works. The fol low ing sec tions de scribe sev eral of these as ad di tional pre ven tive mea sures.

Hon ey pots/Hon eynets

Hon ey pots are in di vid ual com put ers cre ated as a trap for in trud ers. A hon eynet is two or more net worked hon ey pots used to gether to sim u late a net work. They look and act like le git i mate sys tems, but they do not host data of any real value for an at tacker. Ad min is tra tors of ten con fig ure hon ey pots with vul ner a bil i ties to tempt in trud ers into at tack ing them. They may be un patched or have se cu rity vul ner a bil i ties that ad min is tra tors pur posely leave open. The goal is to grab the at ten tion of in trud ers and keep the in trud ers away from the le git i mate net work that is host ing valu able re sources. Le git i mate users wouldn’t ac cess the hon ey pot, so any ac cess to a hon ey pot is most likely an unau tho rized in truder.

In ad di tion to keep ing the at tacker away from a pro duc tion en vi ron ment, the hon ey pot gives ad min is tra tors an op por tu nity to ob serve an at tacker’s ac tiv ity with out com pro mis ing the live en vi ron ment. In some cases, the hon ey pot is de signed to de lay an in truder long enough for the au to mated IDS to de tect the in tru sion and gather as much in for ma tion about the in truder as pos si ble. The longer the at tacker spends with the hon ey pot, the more time an ad min is tra tor has to in ves ti gate the at tack and po ten tially iden tify the in truder. Some se cu rity pro fes sion als, such as those en gaged in se cu rity re search, con sider hon ey pots to be ef fec tive coun ter mea sures against zero-day ex ploits be cause they can ob serve the at tacker’s ac tions.

Of ten, ad min is tra tors host hon ey pots and hon eynets on vir tual sys tems. These are much sim pler to re- cre ate af ter an at tack. For ex am ple, ad min is tra tors can con fig ure the hon ey pot and then take a snap shot of a hon ey pot vir tual ma chine. If an at tacker mod i fies the en vi ron ment, ad min is tra tors can re vert the ma chine to the state it was in when they took the snap shot. When us ing vir tual ma chines (VMs), ad min is tra tors should mon i tor the hon ey pot or hon eynet closely. At tack ers can of ten de tect when they are within a VM and may at tempt a VM es cape at tack to break out of the VM.

The use of hon ey pots raises the is sue of en tice ment ver sus en trap ment. An or ga ni za tion can legally use a hon ey pot as an en tice ment de vice if the in truder dis cov ers it through no out ward ef forts of the hon ey pot owner. Plac ing a sys tem on the in ter net with open se cu rity vul ner a bil i ties and ac tive ser vices with known ex ploits is en tice ment. En ticed at tack ers make their own de ci sions to per form il le gal or unau tho rized ac tions. En trap ment, which is il le gal, oc curs when the hon ey pot owner ac tively so lic its vis i tors to ac cess the site and then charges them with unau tho rized in tru sion. In other words, it is en trap ment when you trick or en cour age some one into per form ing an il le gal or unau tho rized ac tion. Laws vary in dif fer ent coun tries so it’s im por tant to un der stand lo cal laws re lated to en tice ment and en trap ment.

519

Un der stand ing Pseudo Flaws

Pseudo flaws are false vul ner a bil i ties or ap par ent loop holes in ten tion ally im planted in a sys tem in an at tempt to tempt at tack ers. They are of ten used on hon ey pot sys tems to em u late well-known op er at ing sys tem vul ner a bil i ties. At tack ers seek ing to ex ploit a known flaw might stum ble across a pseudo flaw and think that they have suc cess fully pen e trated a sys tem. More so phis ti cated pseudo flaw mech a nisms ac tu ally sim u late the pen e tra tion and con vince the at tacker that they have gained ad di tional ac cess priv i leges to a sys tem. How ever, while the at tacker is ex plor ing the sys tem, mon i tor ing and alert ing mech a nisms trig ger and alert ad min is tra tors to the threat.

Un der stand ing Padded Cells

A padded cell sys tem is sim i lar to a hon ey pot, but it per forms in tru sion iso la tion us ing a dif fer ent ap proach. When an IDPS de tects an in truder, that in truder is au to mat i cally trans ferred to a padded cell. The padded cell has the look and feel of an ac tual net work, but the at tacker is un able to per form any ma li cious ac tiv i ties or ac cess any con fi den tial data from within the padded cell.

The padded cell is a sim u lated en vi ron ment that of fers fake data to re tain an in truder’s in ter est, sim i lar to a hon ey pot. How ever, the IDPS trans fers the in truder into a padded cell with out in form ing the in truder that the change has oc curred. In con trast, the at tacker chooses to at tack the hon ey pot di rectly, with out be ing trans ferred to the hon ey pot by the IDPS. Ad min is tra tors mon i tor padded cells closely and use them to de tect and ob serve at tacks. They can be used by se cu rity pro fes sion als to de tect meth ods and to gather ev i dence for pos si ble pros e cu tion of at tack ers. Padded cells are not com monly used to day but may still be on the exam.

Warn ing Ban ners

Warn ing ban ners in form users and in trud ers about ba sic se cu rity pol icy guide lines. They typ i cally men tion that on line ac tiv i ties are au dited and mon i tored, and of ten pro vide re minders of re stricted ac tiv i ties. In most sit u a tions, word ing in ban ners is im por tant from a le gal stand point be cause these ban ners can legally bind users to a per mis si ble set of ac tions, be hav iors, and pro cesses.

Unau tho rized per son nel who are some how able to log on to a sys tem also see the warn ing ban ner. In this case, you can think of a warn ing ban ner as an elec tronic equiv a lent of a “no tres pass ing” sign. Most in tru sions and at tacks can be pros e cuted when warn ings clearly state that unau tho rized ac cess is pro hib ited and that any ac tiv ity will be mon i tored and recorded.

Warn ing ban ners in form both au tho rized and unau tho rized users. These ban ners typ i cally

re mind au tho rized users of the con tent in ac cept able-use agree ments.

Anti-mal ware

The most im por tant pro tec tion against ma li cious code is the use of anti-mal ware soft ware with up-to-date sig na ture files and heuris tic ca pa bil i ties. At tack ers reg u larly re lease new mal ware and of ten mod ify ex ist ing mal ware to pre vent de tec tion by anti-mal ware soft ware. Anti-mal ware soft ware ven dors look for these changes and de velop new sig na ture files to de tect the new and mod i fied mal ware. Years ago, anti-mal ware ven dors rec om mended up dat ing sig na ture files once a week. How ever, most anti-mal ware soft ware to day in cludes the abil ity to check for up dates sev eral times a day with out user in ter ven tion.

Orig i nally, anti-mal ware soft ware fo cused on viruses. How ever, as mal ware ex panded to

in clude other ma li cious code such as Tro jans, worms, spy ware, and rootk its, ven dors ex panded the abil i ties of their anti-mal ware soft ware. To day, most anti-mal ware soft ware will de tect and block most mal ware, so tech ni cally it is anti-mal ware soft ware. How ever, most ven dors still mar ket their prod ucts as an tivirus soft ware. The CISSP ob jec tives use the term anti-mal ware.

Many or ga ni za tions use a mul ti pronged ap proach to block mal ware and de tect any mal ware that gets in. Fire walls with con tent-fil ter ing ca pa bil i ties (or spe cial ized con tent-fil ter ap pli ances) are com monly used at the bound ary be tween the in ter net and the in ter nal net work to fil ter out any type of ma li cious code. Spe cial ized anti-mal ware soft ware is in stalled on email servers to de tect and fil ter any type of mal ware passed via email. Ad di tion ally, anti-mal ware soft ware is in stalled on each sys tem to de tect and block mal ware. Or ga ni za tions of ten use a cen tral server to de ploy anti-mal ware soft ware, down load up dated def i ni tions, and push these def i ni tions out to the clients.

A mul ti pronged ap proach with anti-mal ware soft ware on each sys tem in ad di tion to fil ter ing in ter net con tent helps pro tect sys tems from in fec tions from any source. As an ex am ple, us ing up-to-date anti-mal ware soft ware on each sys tem will de tect and block a virus on an em ployee’s USB flash drive.

520

Anti-mal ware ven dors com monly rec om mend in stalling only one anti-mal ware ap pli ca tion on any sys tem. When a sys tem has more than one anti-mal ware ap pli ca tion in stalled, the ap pli ca tions can in ter fere with each other and can some times cause sys tem prob lems. Ad di tion ally, hav ing more than one scan ner can con sume ex ces sive sys tem re sources.

Fol low ing the prin ci ple of least priv i lege also helps. Users will not have ad min is tra tive per mis sions on sys tems and will not be able to in stall ap pli ca tions that may be ma li cious. If a virus does in fect a sys tem, it can of ten im per son ate the logged-in user. When this user has lim ited priv i leges, the virus is lim ited in its ca pa bil i ties. Ad di tion ally, vul ner a bil i ties re lated to mal ware in crease as ad di tional ap pli ca tions are added. Each ad di tional ap pli ca tion pro vides an other po ten tial at tack point for ma li cious code.

Ed u cat ing users about the dan gers of ma li cious code, how at tack ers try to trick users into in stalling it, and what they can do to limit their risks is an other pro tec tion method. Many times, a user can avoid an in fec tion sim ply by not click ing on a link or open ing an at tach ment sent via email.

Chap ter 14 cov ers so cial en gi neer ing tac tics, in clud ing phish ing, spear phish ing, and whal ing. When users are ed u cated about these types of at tacks, they are less likely to fall for them. Al though many users are ed u cated about these risks, phish ing emails con tinue to flood the in ter net and land in users’ in boxes. The only rea son at tack ers con tinue to send them is that they con tinue to fool some users.

Ed u ca tion, Pol icy, and Tools

Ma li cious soft ware is a con stant chal lenge within any or ga ni za tion us ing IT re sources. Con sider Kim, who for warded a seem ingly harm less in terof fice joke through email to Larry’s ac count. Larry opened the doc u ment, which ac tu ally con tained ac tive code seg ments that per formed harm ful ac tions on his sys tem. Larry then re ported a host of “per for mance is sues” and “sta bil ity prob lems” with his work sta tion, which he’d never com plained about be fore.

In this sce nario, Kim and Larry don’t rec og nize the harm caused by their ap par ently in nocu ous ac tiv i ties. Af ter all, shar ing anec dotes and jokes through com pany email is a com mon way to bond and so cial ize. What’s the harm in that, right? The real ques tion is how can you ed u cate Kim, Larry, and all your other users to be more dis creet and dis cern ing in han dling shared doc u ments and ex e cuta bles?

The key is a com bi na tion of ed u ca tion, pol icy, and tools. Ed u ca tion should in form Kim that for ward ing non work ma te ri als on the com pany net work is counter to pol icy and good be hav ior. Like wise, Larry should learn that open ing at tach ments un re lated to spe cific work tasks can lead to all kinds of prob lems (in clud ing those he fell prey to here). Poli cies should clearly iden tify ac cept able use of IT re sources and the dan gers of cir cu lat ing unau tho rized ma te ri als. Tools such as anti-mal ware soft ware should be em ployed to pre vent and de tect any type of mal ware within the en vi ron ment.

Whitelist ing and Black list ing

Whitelist ing and black list ing ap pli ca tions can be an ef fec tive pre ven tive mea sure that blocks users from run ning unau tho rized ap pli ca tions. They can also help pre vent mal ware in fec tions. Whitelist ing iden ti fies a list of ap pli ca tions au tho rized to run on a sys tem, and black list ing iden ti fies a list of ap pli ca tions that are not au tho rized to run on a sys tem.

A whitelist would not in clude mal ware ap pli ca tions and would block them from run ning. Some whitelists iden tify ap pli ca tions us ing a hash ing al go rithm to cre ate a hash. How ever, if an ap pli ca tion is in fected with a virus, the virus ef fec tively changes the hash, so this type of whitelist blocks in fected ap pli ca tions from run ning too. (Chap ter 6, “Cryp tog ra phy and Sym met ric Key Al go rithms,” cov ers hash ing al go rithms in more depth.)

The Ap ple iOS run ning on iPhones and iPads is an ex am ple of an ex treme ver sion of whitelist ing. Users are only able to in stall apps avail able from Ap ple’s App Store. Per son nel at Ap ple re view and ap prove all apps on the App Store and quickly re move mis be hav ing apps. Al though it is pos si ble for users to by pass se cu rity and jail break their iOS de vice, most users don’t do so partly be cause it voids the war ranty.

Jail break ing re moves re stric tions on iOS de vices and per mits root-level ac cess to the

un der ly ing op er at ing sys tem. It is sim i lar to root ing a de vice run ning the An droid op er at ing sys tem.

Black list ing is a good op tion if ad min is tra tors know which ap pli ca tions they want to block. For ex am ple, if man age ment wants to en sure that users are not run ning games on their sys tem, ad min is tra tors can en able tools to block these games.

Fire walls

521

Fire walls pro vide pro tec tion to a net work by fil ter ing traf fic. As dis cussed in Chap ter 11, fire walls have gone through a lot of changes over the years.

Ba sic fire walls fil ter traf fic based on IP ad dresses, ports, and some pro to cols us ing pro to col num bers. Fire walls in clude rules within an ACL to al low spe cific traf fic and end with an im plicit deny rule. The im plicit deny rule blocks all traf fic not al lowed by a pre vi ous rule. For ex am ple, a fire wall can al low HTTP and HTTPS traf fic by al low ing traf fic us ing TCP ports 80 and 443, re spec tively. (Chap ter 11 cov ers log i cal ports in more depth.)

ICMP uses a pro to col num ber of 1, so a fire wall can al low ping traf fic by al low ing traf fic with a pro to col num ber of 1. Sim i larly, a fire wall can al low IPsec En cap su lat ing Se cu rity Pro to col (ESP) traf fic and IPsec Au then ti ca tion Header (AH) traf fic by al low ing pro to col num bers 50 and 51, re spec tively.

The In ter net As signed Num bers Au thor ity (IANA) main tains a list of well-known ports

matched to pro to cols. IANA also main tains lists of as signed pro to col num bers for IPv4 and IPv6.

Sec ond-gen er a tion fire walls add ad di tional fil ter ing ca pa bil i ties. For ex am ple, an ap pli ca tion-level gate way fire wall fil ters traf fic based on spe cific ap pli ca tion re quire ments and cir cuit-level gate way fire walls fil ter traf fic based on the com mu ni ca tions cir cuit. Third-gen er a tion fire walls (also called state ful in spec tion fire walls and dy namic packet fil ter ing fire walls) fil ter traf fic based on its state within a stream of traf fic.

A next-gen er a tion fire wall func tions as a uni fied threat man age ment (UTM) de vice and com bines sev eral fil ter ing ca pa bil i ties. It in cludes tra di tional func tions of a fire wall such as packet fil ter ing and state ful in spec tion. How ever, it is able to per form packet in spec tion tech niques, al low ing it to iden tify and block ma li cious traf fic. It can fil ter mal ware us ing def i ni tion files and/or whitelists and black lists. It also in cludes in tru sion de tec tion and/or in tru sion pre ven tion ca pa bil i ties.

Sand box ing

Sand box ing pro vides a se cu rity bound ary for ap pli ca tions and pre vents the ap pli ca tion from in ter act ing with other ap pli ca tions. Anti-mal ware ap pli ca tions use sand box ing tech niques to test un known ap pli ca tions. If the ap pli ca tion dis plays sus pi cious char ac ter is tics, the sand box ing tech nique pre vents the ap pli ca tion from in fect ing other ap pli ca tions or the op er at ing sys tem.

Ap pli ca tion de vel op ers of ten use vir tu al iza tion tech niques to test ap pli ca tions. They cre ate a vir tual ma chine and then iso late it from the host ma chine and the net work. They are then able to test the ap pli ca tion within this sand box en vi ron ment with out af fect ing any thing out side the vir tual ma chine. Sim i larly, many anti-mal ware ven dors use vir tu al iza tion as a sand box ing tech nique to ob serve the be hav ior of mal ware.

Third-Party Se cu rity Ser vices

Some or ga ni za tions out source se cu rity ser vices to a third party, which is an in di vid ual or or ga ni za tion out side the or ga ni za tion. This can in clude many dif fer ent types of ser vices such as au dit ing and pen e tra tion test ing.

In some cases, an or ga ni za tion must pro vide as sur ances to an out side en tity that third-party ser vice providers com ply with spe cific se cu rity re quire ments. For ex am ple, or ga ni za tions pro cess ing trans ac tions with ma jor credit cards must com ply with the Pay ment Card In dus try Data Se cu rity Stan dard (PCI DSS). These or ga ni za tions of ten out source some of the ser vices, and PCI DSS re quires or ga ni za tions to en sure that ser vice providers also com ply with PCI DSS re quire ments. In other words, PCI DSS doesn’t al low or ga ni za tions to out source their re spon si bil i ties.

Some soft ware as a ser vice (SaaS) ven dors pro vide se cu rity ser vices via the cloud. For ex am ple, Bar racuda Net works in clude cloud-based so lu tions sim i lar to next-gen er a tion fire walls and UTM de vices. For ex am ple, their Web Se cu rity Ser vice acts as a proxy for web browsers. Ad min is tra tors con fig ure proxy set tings to ac cess a cloud-based sys tem, and it per forms web fil ter ing based on the needs of the or ga ni za tion. Sim i larly, they have a cloud-based Email Se cu rity Gate way that can per form in bound spam and mal ware fil ter ing. It can also in spect out go ing traf fic to en sure that it com plies with an or ga ni za tion’s data loss pre ven tion poli cies.

Pen e tra tion Test ing

Pen e tra tion test ing is an other pre ven tive mea sure an or ga ni za tion can use to counter at tacks. A pen e tra tion test (of ten short ened to pen test) mim ics an ac tual at tack in an at tempt to iden tify what tech niques at tack ers can use to cir cum vent se cu rity in an ap pli ca tion, sys tem, net work, or or ga ni za tion. It may in clude vul ner a bil ity scans, port scans, packet sniff ing, DoS at tacks, and so cial-en gi neer ing tech niques.

Se cu rity pro fes sion als try to avoid out ages when per form ing pen e tra tion test ing. How ever, pen e tra tion test ing is in tru sive and can af fect the avail abil ity of a sys tem. Be cause of this, it’s ex tremely im por tant for se cu rity pro fes sion als to get writ ten ap proval from se nior man age ment be fore per form ing any test ing.

522

NIST SP 800-115, “Tech ni cal Guide to In for ma tion Se cu rity Test ing and As sess ment,”

in cludes a sig nif i cant amount of in for ma tion about test ing, in clud ing pen e tra tion test ing.

Reg u larly staged pen e tra tion tests are a good way to eval u ate the ef fec tive ness of se cu rity con trols used within an or ga ni za tion. Pen e tra tion test ing may re veal ar eas where patches or se cu rity set tings are in suf fi cient, where new vul ner a bil i ties have de vel oped or be come ex posed, and where se cu rity poli cies are ei ther in ef fec tive or not be ing fol lowed. At tack ers can ex ploit any of these vul ner a bil i ties.

A pen e tra tion test will com monly in clude a vul ner a bil ity scan or vul ner a bil ity as sess ment to de tect weak nesses. How ever, the pen e tra tion test goes a step fur ther and at tempts to ex ploit the weak nesses. For ex am ple, a vul ner a bil ity scan ner may dis cover that a web site with a back end data base is not us ing in put val i da tion tech niques and is sus cep ti ble to a SQL in jec tion at tack. The pen e tra tion test may then use a SQL in jec tion at tack to ac cess the en tire data base. Sim i larly, a vul ner a bil ity as sess ment may dis cover that em ploy ees aren’t ed u cated about so cial-en gi neer ing at tacks, and a pen e tra tion test may use so cial- en gi neer ing meth ods to gain ac cess to a se cure area or ob tain sen si tive in for ma tion from em ploy ees.

Here are some of the goals of a pen e tra tion test:

De ter mine how well a sys tem can tol er ate an at tack

Iden tify em ploy ees’ abil ity to de tect and re spond to at tacks in real time

Iden tify ad di tional con trols that can be im ple mented to re duce risk

Pen e tra tion test ing typ i cally in cludes so cial-en gi neer ing at tacks, net work and sys tem

con fig u ra tion re views, and en vi ron ment vul ner a bil ity as sess ments. A pen e tra tion test takes vul ner a bil ity as sess ments and vul ner a bil ity scans a step fur ther by ver i fy ing that vul ner a bil i ties can be ex ploited.

Risks of Pen e tra tion Test ing

A sig nif i cant dan ger with pen e tra tion tests is that some meth ods can cause out ages. For ex am ple, if a vul ner a bil ity scan dis cov ers that an in ter net-based server is sus cep ti ble to a buf fer over flow at tack, a pen e tra tion test can ex ploit that vul ner a bil ity, which may re sult in the server shut ting down or re boot ing.

Ide ally, pen e tra tion tests should stop be fore they cause any ac tual dam age. Un for tu nately, testers of ten don’t know what step will cause the dam age un til they take that step. For ex am ple, fuzz testers send in valid or ran dom data to ap pli ca tions or sys tems to check for the re sponse. It is pos si ble for a fuzz tester to send a stream of data that causes a buf fer over flow and locks up an ap pli ca tion, but testers don’t know that will hap pen un til they run the fuzz tester. Ex pe ri enced pen e tra tion testers can min i mize the risk of a test caus ing dam age, but they can not elim i nate the risk.

When ever pos si ble, testers per form pen e tra tion tests on a test sys tem in stead of a live pro duc tion sys tem. For ex am ple, when test ing an ap pli ca tion, testers can run and test the ap pli ca tion in an iso lated en vi ron ment such as a sand box. If the test ing causes dam age, it only af fects the test sys tem and does not im pact the live net work. The chal lenge is that test sys tems of ten don’t pro vide a true view of a pro duc tion en vi ron ment. Testers may be able to test sim ple ap pli ca tions that don’t in ter act with other sys tems in a test en vi ron ment. How ever, most ap pli ca tions that need to be tested are not sim ple. When test sys tems are used, pen e tra tion testers will of ten qual ify their anal y sis with a state ment in di cat ing that the test was done on a test sys tem and so the re sults may not pro vide a valid anal y sis of the pro duc tion en vi ron ment.

Ob tain ing Per mis sion for Pen e tra tion Test ing

Pen e tra tion test ing should only be per formed af ter care ful con sid er a tion and ap proval of se nior man age ment. Many se cu rity pro fes sion als in sist on get ting this ap proval in writ ing with the risks spelled out. Per form ing un ap proved se cu rity test ing could cause pro duc tiv ity losses and trig ger emer gency re sponse teams.

Ma li cious em ploy ees in tent on vi o lat ing the se cu rity of an IT en vi ron ment can be pun ished based on ex ist ing laws. Sim i larly, if in ter nal em ploy ees per form in for mal unau tho rized tests against a sys tem with out au tho riza tion, an or ga ni za tion may view their ac tions as an il le gal at tack rather than as a pen e tra tion test. These em ploy ees will very likely lose their jobs and may even face le gal con se quences.

Pen e tra tion-Test ing Tech niques

523

It is com mon for or ga ni za tions to hire ex ter nal con sul tants to per form pen e tra tion test ing. The or ga ni za tion can con trol what in for ma tion they give to these testers, and the level of knowl edge they are given iden ti fies the type of tests they con duct.

Chap ter 20, “Soft ware De vel op ment Se cu rity,” cov ers white-box test ing, black-box test ing,

and gray-box test ing in the con text of soft ware test ing. These same terms are of ten as so ci ated with pen e tra tion test ing and mean the same thing.

Black-Box Test ing by Zero-Knowl edge Team A zero-knowl edge team knows noth ing about the tar get site ex cept for pub licly avail able in for ma tion, such as a do main name and com pany ad dress. It’s as if they are look ing at the tar get as a black box and have no idea what is within the box un til they start prob ing. An at tack by a zero-knowl edge team closely re sem bles a real ex ter nal at tack be cause all in for ma tion about the en vi ron ment must be ob tained from scratch.

White-Box Test ing by Full-Knowl edge Team A full-knowl edge team has full ac cess to all as pects of the tar get en vi ron ment. They know what patches and up grades are in stalled, and the ex act con fig u ra tion of all rel e vant de vices. If the tar get is an ap pli ca tion, they would have ac cess to the source code. Full-knowl edge teams per form white-box test ing (some times called crys tal-box or clear-box test ing). White-box test ing is com monly rec og nized as be ing more ef fi cient and cost ef fec tive in lo cat ing vul ner a bil i ties be cause less time is needed for dis cov ery.

Gray-Box Test ing by Par tial-Knowl edge Team A par tial-knowl edge team that has some knowl edge of the tar get per forms gray-box test ing, but they are not pro vided ac cess to all the in for ma tion. They may be given in for ma tion on the net work de sign and con fig u ra tion de tails so that they can fo cus on at tacks and vul ner a bil i ties for spe cific tar gets.

The reg u lar se cu rity ad min is tra tion staff pro tect ing the tar get of a pen e tra tion test can be con sid ered a full-knowl edge team. How ever, they aren’t the best choice to per form a pen e tra tion test. They of ten have blind spots or gaps in their un der stand ing, es ti ma tion, or ca pa bil i ties with cer tain se cu rity sub jects. If they knew about a vul ner a bil ity that could be ex ploited, they would likely al ready have rec om mended a con trol to min i mize it. A full-knowl edge team knows what has been se cured, so it may fail to prop erly test ev ery pos si bil ity by re ly ing on false as sump tions. Zero-knowl edge or par tial-knowl edge testers are less likely to make these mis takes.

Pen e tra tion test ing may em ploy au to mated at tack tools or suites, or be per formed man u ally us ing com mon net work util i ties. Au to mated at tack tools range from pro fes sional vul ner a bil ity scan ners and pen e tra tion testers to un der ground tools shared by at tack ers on the in ter net. Sev eral open-source and com mer cial tools (such as Metas ploit) are avail able, and both se cu rity pro fes sion als and at tack ers use these tools.

So cial-en gi neer ing tech niques are of ten used dur ing pen e tra tion tests. De pend ing on the goal of the test, the testers may use tech niques to breach the phys i cal perime ter of an or ga ni za tion or to get users to re veal in for ma tion. These tests help de ter mine how vul ner a ble em ploy ees are to skilled so cial en gi neers, and how fa mil iar they are with se cu rity poli cies de signed to thwart these types of at tacks.

 So cial En gi neer ing in Pen tests

The fol low ing ex am ple is from a pen e tra tion test con ducted at a bank, but the same re sults are of ten re peated at many dif fer ent or ga ni za tions. The testers were specif i cally asked if they could get ac cess to em ployee user ac counts or em ployee user sys tems.

Pen e tra tion testers crafted a forged email that looked like it was com ing from an ex ec u tive within the bank. It in di cated a prob lem with the net work and said that all em ploy ees needed to re spond with their user name and pass word as soon as pos si ble to en sure they didn’t lose their ac cess. Over 40 per cent of the em ploy ees re sponded with their cre den tials.

Ad di tion ally, the testers in stalled mal ware on sev eral USB drives and “dropped” them at dif fer ent lo ca tions in the park ing lot and within the bank. A well-mean ing em ployee saw one, picked it up, and in serted it into a com puter with the in tent of iden ti fy ing the owner. In stead, the USB drive in fected the user’s sys tem, grant ing the testers re mote ac cess.

Both testers and at tack ers of ten use sim i lar meth ods suc cess fully. Ed u ca tion is the most ef fec tive method at mit i gat ing these types of at tacks, and the pen test of ten re in forces the need for ed u ca tion.

Pro tect Re ports

524

Pen e tra tion testers will pro vide a re port doc u ment ing their re sults, and this re port should be pro tected as sen si tive in for ma tion. The re port will out line spe cific vul ner a bil i ties and how these vul ner a bil i ties can be ex ploited. It will of ten in clude rec om men da tions on how to mit i gate the vul ner a bil i ties. If these re sults fall into the hands of at tack ers be fore the or ga ni za tion im ple ments the rec om men da tions, at tack ers can use de tails in the re port to launch an at tack.

It’s also im por tant to re al ize that just be cause a pen e tra tion test ing team makes a rec om men da tion, it doesn’t mean the or ga ni za tion will im ple ment the rec om men da tion. Man age ment has the choice of im ple ment ing a rec om men da tion to mit i gate a risk or ac cept ing a risk if they de cide the cost of the rec om mended con trol is not jus ti fied. In other words, a one-year-old re port may out line a spe cific vul ner a bil ity that hasn’t been mit i gated. This year-old re port should be pro tected just as closely as a re port com pleted yes ter day.

Eth i cal Hack ing

Eth i cal hack ing is of ten used as an other name for pen e tra tion test ing. An eth i cal hacker is some one who un der stands net work se cu rity and meth ods to breach se cu rity but does not use this knowl edge for per sonal gain. In stead, an eth i cal hacker uses this knowl edge to help or ga ni za tions un der stand their vul ner a bil i ties and take ac tion to pre vent ma li cious at tacks. An eth i cal hacker will al ways stay within le gal lim its.

Chap ter 14 men tions the tech ni cal dif fer ence be tween crack ers, hack ers, and at tack ers. The orig i nal def i ni tion of a hacker is a tech nol ogy en thu si ast who does not have ma li cious in tent whereas a cracker or at tacker is ma li cious. The orig i nal mean ing of the term hacker has be come blurred be cause it is of ten used syn ony mously with at tacker. In other words, most peo ple view a hacker as an at tacker, giv ing the im pres sion that eth i cal hack ing is a con tra dic tion in terms. How ever, the term eth i cal hack ing uses the term hacker in its orig i nal sense.

Eth i cal hack ers will learn about and of ten use the same tools and tech niques used by at tack ers. How ever, they do not use them to at tack sys tems. In stead, they use them to test sys tems for vul ner a bil i ties and only af ter an or ga ni za tion has granted them ex plicit per mis sion to do so.

Log ging, Mon i tor ing, and Au dit ing Log ging, mon i tor ing, and au dit ing pro ce dures help an or ga ni za tion pre vent in ci dents and pro vide an

ef fec tive re sponse when they oc cur. The fol low ing sec tions cover log ging and mon i tor ing, as well as var i ous au dit ing meth ods used to as sess the ef fec tive ness of ac cess con trols.

Log ging and Mon i tor ing

Log ging records events into var i ous logs, and mon i tor ing re views these events. Com bined, log ging and mon i tor ing al low an or ga ni za tion to track, record, and re view ac tiv ity, pro vid ing over all ac count abil ity.

This helps an or ga ni za tion de tect un de sir able events that can neg a tively af fect con fi den tial ity, in tegrity, or avail abil ity of sys tems. It is also use ful in re con struct ing ac tiv ity af ter an event has oc curred to iden tify what hap pened and some times to pros e cute those re spon si ble for the ac tiv ity.

Log ging Tech niques

Log ging is the process of record ing in for ma tion about events to a log file or data base. Log ging cap tures events, changes, mes sages, and other data that de scribe ac tiv i ties that oc curred on a sys tem. Logs will com monly record de tails such as what hap pened, when it hap pened, where it hap pened, who did it, and some times how it hap pened. When you need to find in for ma tion about an in ci dent that oc curred in the re cent past, logs are a good place to start.

For ex am ple, Fig ure 17.5 shows Event Viewer on a Mi cro soft sys tem with a log en try se lected and ex panded. This log en try shows that a user named Dar ril Gib son ac cessed a file named Pay roll Data (Con fi den tial).xlsx lo cated in a folder named C:\Pay roll. It shows that the user ac cessed the file at 4:05 p.m. on No vem ber 10.

525

FIG URE 17.5 View ing a log en try

As long as the iden ti fi ca tion and au then ti ca tion pro cesses are se cure, this is enough to hold Dar ril ac count able for ac cess ing the file. On the other hand, if the or ga ni za tion doesn’t use se cure au then ti ca tion pro cesses and it’s easy for some one to im per son ate an other user, Dar ril may be wrongly ac cused. This re in forces the re quire ment for se cure iden ti fi ca tion and au then ti ca tion prac tices as a pre req ui site for ac count abil ity.

Logs are of ten re ferred to as au dit logs, and log ging is of ten called au dit log ging. How ever,

it’s im por tant to re al ize that au dit ing (de scribed later in this chap ter) is more than just log ging. Log ging will record events whereas au dit ing ex am ines or in spects an en vi ron ment for com pli ance.

Com mon Log Types

There are many dif fer ent types of logs. The fol low ing is a short list of com mon logs avail able within an IT en vi ron ment.

Se cu rity Logs Se cu rity logs record ac cess to re sources such as files, fold ers, print ers, and so on. For ex am ple, they can record when a user ac cessed, mod i fied, or deleted a file, as shown ear lier in Fig ure 17.5. Many sys tems au to mat i cally record ac cess to key sys tem files but re quire an ad min is tra tor to en able au dit ing on other re sources be fore log ging ac cess. For ex am ple, ad min is tra tors might con fig ure log ging for pro pri etary data, but not for pub lic data posted on a web site.

Sys tem Logs Sys tem logs record sys tem events such as when a sys tem starts or stops, or when ser vices start or stop. If at tack ers are able to shut down a sys tem and re boot it with a CD or USB flash drive, they can steal data from the sys tem with out any record of the data ac cess. Sim i larly, if at tack ers are able to stop a ser vice that is mon i tor ing the sys tem, they may be able to ac cess the sys tem with out the logs record ing their ac tions. Logs that de tect when sys tems re boot, or when ser vices stop, can help ad min is tra tors dis cover po ten tially ma li cious ac tiv ity.

Ap pli ca tion Logs These logs record in for ma tion for spe cific ap pli ca tions. Ap pli ca tion de vel op ers choose what to record in the ap pli ca tion logs. For ex am ple, a data base de vel oper can choose to record when any one ac cesses spe cific data ob jects such as ta bles or views.

Fire wall Logs Fire wall logs can record events re lated to any traf fic that reaches a fire wall. This in cludes traf fic that the fire wall al lows and traf fic that the fire wall blocks. These logs com monly log key packet in for ma tion such as source and des ti na tion IP ad dresses, and source and des ti na tion ports, but not the ac tual con tents of the pack ets.

Proxy Logs Proxy servers im prove in ter net ac cess per for mance for users and can con trol what web sites users can visit. Proxy logs in clude the abil ity to record de tails such as what sites spe cific users visit and how much time they spend on these sites. They can also record when users at tempt to visit known pro hib ited sites.

Change Logs Change logs record change re quests, ap provals, and ac tual changes to a sys tem as a part of an over all change man age ment process. A change log can be man u ally cre ated or cre ated from an in ter nal web page as per son nel record ac tiv ity re lated to a change. Change logs are use ful to track ap proved changes. They can also be help ful as part of a dis as ter re cov ery pro gram. For ex am ple, af ter a dis as ter ad min is tra tors and tech ni cians can use change logs to re turn a sys tem to its last known state, in clud ing all ap plied changes.

526

Log ging is usu ally a na tive fea ture in an op er at ing sys tem and for most ap pli ca tions and ser vices. This makes it rel a tively easy for ad min is tra tors and tech ni cians to con fig ure a sys tem to record spe cific types of events. Events from priv i leged ac counts, such as ad min is tra tor and root user ac counts, should be in cluded in any log ging plan. This helps pre vent at tacks from a ma li cious in sider and will doc u ment ac tiv ity for pros e cu tion if nec es sary.

Pro tect ing Log Data

Per son nel within the or ga ni za tion can use logs to re-cre ate events lead ing up to and dur ing an in ci dent, but only if the logs haven’t been mod i fied. If at tack ers can mod ify the logs, they can erase their ac tiv ity, ef fec tively nul li fy ing the value of the data. The files may no longer in clude ac cu rate in for ma tion and may not be ad mis si ble as ev i dence to pros e cute at tack ers. With this in mind, it’s im por tant to pro tect log files against unau tho rized ac cess and unau tho rized mod i fi ca tion.

It’s com mon to store copies of logs on a cen tral sys tem, such as a SIEM, to pro tect it. Even if an at tack mod i fies or cor rupts the orig i nal files, per son nel can still use the copy to view the events. One way to pro tect log files is by as sign ing per mis sions to limit their ac cess.

Or ga ni za tions of ten have strict poli cies man dat ing back ups of log files. Ad di tion ally, these poli cies de fine re ten tion times. For ex am ple, or ga ni za tions might keep archived log files for a year, three years, or any other length of time. Some gov ern ment reg u la tions re quire or ga ni za tions to keep archived logs in def i nitely. Se cu rity con trols such as set ting logs to read-only, as sign ing per mis sions, and im ple ment ing phys i cal se cu rity con trols pro tect archived logs from unau tho rized ac cess and mod i fi ca tions. It’s im por tant to de stroy logs when they are no longer needed.

Keep ing un nec es sary logs can cause ex ces sive la bor costs if the or ga ni za tion ex pe ri ences

le gal is sues. For ex am ple, if reg u la tions re quire an or ga ni za tion to keep logs for one year but the or ga ni za tion has 10 years of logs, a court or der can force per son nel to re trieve rel e vant data from these 10 years of logs. In con trast, if the or ga ni za tion keeps only one year of logs, per son nel need only search a year’s worth of logs, which will take sig nif i cantly less time and ef fort.

The Na tional In sti tute of Stan dards and Tech nol ogy (NIST) pub lishes a sig nif i cant amount of in for ma tion on IT se cu rity, in clud ing Fed eral In for ma tion Pro cess ing Stan dards (FIPS) pub li ca tions. The Min i mum Se cu rity Re quire ments for Fed eral In for ma tion and In for ma tion Sys tems (FIPS 200) spec i fies the fol low ing as the min i mum se cu rity re quire ments for au dit data:

Cre ate, pro tect, and re tain in for ma tion sys tem au dit records to the ex tent needed to en able the mon i tor ing, anal y sis, in ves ti ga tion, and re port ing of un law ful, unau tho rized, or in ap pro pri ate in for ma tion sys tem ac tiv ity.

En sure that the ac tions of in di vid ual in for ma tion sys tem users can be uniquely traced to those users so they can be held ac count able for their ac tions.

You’ll find it use ful to re view NIST doc u ments when pre par ing for the CISSP exam to give

you a broader idea of dif fer ent se cu rity con cepts. They are freely avail able, and you can ac cess them here: http://csrc.nist .gov. You can down load the FIPS 200 doc u ment here: http://csrc.nist .gov/pub li ca tions/fips/fips200/FIPS-200-fi nal-march.pdf.

The Role of Mon i tor ing

Mon i tor ing pro vides sev eral ben e fits for an or ga ni za tion, in clud ing in creas ing ac count abil ity, help ing with in ves ti ga tions, and ba sic trou bleshoot ing. The fol low ing sec tions de scribe these ben e fits in more depth.

Au dit Trails

Au dit trails are records cre ated when in for ma tion about events and oc cur rences is stored in one or more data bases or log files. They pro vide a record of sys tem ac tiv ity and can re con struct ac tiv ity lead ing up to and dur ing se cu rity events. Se cu rity pro fes sion als ex tract in for ma tion about an in ci dent from an au dit trail to prove or dis prove cul pa bil ity, and much more. Au dit trails al low se cu rity pro fes sion als to ex am ine and trace events in for ward or re verse or der. This flex i bil ity helps when track ing down prob lems, per for mance is sues, at tacks, in tru sions, se cu rity breaches, cod ing er rors, and other po ten tial pol icy vi o la tions.

527

Au dit trails pro vide a com pre hen sive record of sys tem ac tiv ity and can help de tect a wide

va ri ety of se cu rity vi o la tions, soft ware flaws, and per for mance prob lems.

Us ing au dit trails is a pas sive form of de tec tive se cu rity con trol. They serve as a de ter rent in the same man ner that closed cir cuit tele vi sion (CCTV) or se cu rity guards do. If per son nel know they are be ing watched and their ac tiv i ties are be ing recorded, they are less likely to en gage in il le gal, unau tho rized, or ma li cious ac tiv ity—at least in the ory. Some crim i nals are too care less or clue less for this to ap ply con sis tently. How ever, more and more ad vanced at tack ers take the time to lo cate and delete logs that might have recorded their ac tiv ity. This has be come a stan dard prac tice with many ad vanced per sis tent threats.

Au dit trails are also es sen tial as ev i dence in the pros e cu tion of crim i nals. They pro vide a be fore-and-af ter pic ture of the state of re sources, sys tems, and as sets. This in turn helps to de ter mine whether a change or al ter ation is the re sult of an ac tion by a user, the op er at ing sys tem (OS), or the soft ware, or whether it’s caused by some other source, such as hard ware fail ure. Be cause data in au dit trails can be so valu able, it is im por tant to en sure that the logs are pro tected to pre vent mod i fi ca tion or dele tion.

Mon i tor ing and Ac count abil ity

Mon i tor ing is a nec es sary func tion to en sure that sub jects (such as users and em ploy ees) can be held ac count able for their ac tions and ac tiv i ties. Users claim an iden tity (such as with a user name) and prove their iden tity (by au then ti cat ing), and au dit trails record their ac tiv ity while they are logged in. Mon i tor ing and re view ing the au dit trail logs pro vides ac count abil ity for these users.

This di rectly pro motes pos i tive user be hav ior and com pli ance with the or ga ni za tion’s se cu rity pol icy. Users who are aware that logs are record ing their IT ac tiv i ties are less likely to try to cir cum vent se cu rity con trols or to per form unau tho rized or re stricted ac tiv i ties.

Once a se cu rity pol icy vi o la tion or a breach oc curs, the source of that vi o la tion should be de ter mined. If it is pos si ble to iden tify the in di vid u als re spon si ble, they should be held ac count able based on the or ga ni za tion’s se cu rity pol icy. Se vere cases can re sult in ter mi nat ing em ploy ment or le gal pros e cu tion.

Leg is la tion of ten re quires spe cific mon i tor ing and ac count abil ity prac tices. This in cludes laws such as the Sar banes–Ox ley Act of 2002, the Health In sur ance Porta bil ity and Ac count abil ity Act (HIPAA), and Eu ro pean Union (EU) pri vacy laws that many or ga ni za tions must abide by.

 Mon i tor ing Ac tiv ity

Ac count abil ity is nec es sary at ev ery level of busi ness, from the front line in fantry to the high-level com man ders over see ing daily op er a tions. If you don’t mon i tor the ac tions and ac tiv i ties of users and their ap pli ca tions on a given sys tem, you aren’t able to hold them ac count able for mis takes or mis deeds they com mit.

Con sider Duane, a qual ity as sur ance su per vi sor for the data en try de part ment at an oil-drilling data min ing com pany. Dur ing his daily rou tine, he sees many highly sen si tive doc u ments that in clude the kind of valu able in for ma tion that can earn a heavy tip or bribe from in ter ested par ties. He also cor rects the kind of mis takes that could cause se ri ous back lash from his com pany’s clien tele be cause some times a mi nor cler i cal er ror can cause se ri ous is sues for a client’s en tire project.

When ever Duane touches or trans fers such in for ma tion on his work sta tion, his ac tions leave an elec tronic trail of ev i dence that his su per vi sor, Nicole, can ex am ine in the event that Duane’s ac tions should come un der scru tiny. She can ob serve where he ob tained or placed pieces of sen si tive in for ma tion, when he ac cessed and mod i fied such in for ma tion, and just about any thing else re lated to the han dling and pro cess ing of the data as it flows in from the source and out to the client.

This ac count abil ity pro vides pro tec tion to the com pany should Duane mis use this in for ma tion. It also pro vides Duane with pro tec tion against any one falsely ac cus ing him of mis us ing the data he han dles.

Mon i tor ing and In ves ti ga tions

Au dit trails give in ves ti ga tors the abil ity to re con struct events long af ter they have oc curred. They can record ac cess abuses, priv i lege vi o la tions, at tempted in tru sions, and many dif fer ent types of at tacks. Af ter de tect ing a se cu rity vi o la tion, se cu rity pro fes sion als can re con struct the con di tions and sys tem state lead ing up to the event, dur ing the event, and af ter the event through a close ex am i na tion of the au dit trail.

528

One im por tant con sid er a tion is en sur ing that logs have ac cu rate time stamps and that these time stamps re main con sis tent through out the en vi ron ment. A com mon method is to set up an in ter nal Net work Time Pro to col (NTP) server that is syn chro nized to a trusted time source such as a pub lic NTP server. Other sys tems can then syn chro nize with this in ter nal NTP server.

NIST op er ates sev eral time servers that sup port au then ti ca tion. Once an NTP server is prop erly con fig ured, the NIST servers will re spond with en crypted and au then ti cated time mes sages. The au then ti ca tion pro vides as sur ances that the re sponse came from a NIST server.

Sys tems should have their time syn chro nized against a cen tral ized or trusted pub lic time

server. This en sures that all au dit logs record ac cu rate and con sis tent times for recorded events.

Mon i tor ing and Prob lem Iden ti fi ca tion

Au dit trails of fer de tails about recorded events that are use ful for ad min is tra tors. They can record sys tem fail ures, OS bugs, and soft ware er rors in ad di tion to ma li cious at tacks. Some log files can even cap ture the con tents of mem ory when an ap pli ca tion or sys tem crashes. This in for ma tion can help pin point the cause of the event and elim i nate it as a pos si ble at tack. For ex am ple, if a sys tem keeps crash ing due to faulty mem ory, crash dump files can help di ag nose the prob lem.

Us ing log files for this pur pose is of ten la beled as prob lem iden ti fi ca tion. Once a prob lem is iden ti fied, per form ing prob lem res o lu tion in volves lit tle more than fol low ing up on the dis closed in for ma tion.

Mon i tor ing Tech niques

Mon i tor ing is the process of re view ing in for ma tion logs look ing for some thing spe cific. Per son nel can man u ally re view logs, or use tools to au to mate the process. Mon i tor ing is nec es sary to de tect ma li cious ac tions by sub jects as well as at tempted in tru sions and sys tem fail ures. It can help re con struct events, pro vide ev i dence for pros e cu tion, and cre ate re ports for anal y sis.

It’s im por tant to un der stand that mon i tor ing is a con tin u ous process. Con tin u ous mon i tor ing en sures that all events are recorded and can be in ves ti gated later if nec es sary. Many or ga ni za tions in crease log ging in re sponse to an in ci dent or a sus pected in ci dent to gather ad di tional in tel li gence on at tack ers.

Log anal y sis is a de tailed and sys tem atic form of mon i tor ing in which the logged in for ma tion is an a lyzed for trends and pat terns as well as ab nor mal, unau tho rized, il le gal, and pol icy-vi o lat ing ac tiv i ties. Log anal y sis isn’t nec es sar ily in re sponse to an in ci dent but in stead a pe ri odic task, which can de tect po ten tial is sues.

When man u ally an a lyz ing logs, ad min is tra tors sim ply open the log files and look for rel e vant data. This can be very te dious and time con sum ing. For ex am ple, search ing 10 dif fer ent archived logs for a spe cific event or ID code can take some time, even when us ing built-in search tools.

In many cases, logs can pro duce so much in for ma tion that im por tant de tails can get lost in the sheer vol ume of data, so ad min is tra tors of ten use au to mated tools to an a lyze the log data. For ex am ple, in tru sion de tec tion sys tems (IDSs) ac tively mon i tor mul ti ple logs to de tect and re spond to ma li cious in tru sions in real time. An IDS can help de tect and track at tacks from ex ter nal at tack ers, send alerts to ad min is tra tors, and record at tack ers’ ac cess to re sources.

Mul ti ple ven dors sell op er a tions man age ment soft ware that ac tively mon i tors the se cu rity, health, and per for mance of sys tems through out a net work. This soft ware au to mat i cally looks for sus pi cious or ab nor mal ac tiv i ties that in di cate prob lems such as an at tack or unau tho rized ac cess.

Se cu rity In for ma tion and Event Man age ment

Many or ga ni za tions use a cen tral ized ap pli ca tion to au to mate mon i tor ing of sys tems on a net work. Sev eral terms are used to de scribe these tools, in clud ing se cu rity in for ma tion and event man age ment (SIEM), se cu rity event man age ment (SEM), and se cu rity in for ma tion man age ment (SIM). These tools pro vide real- time anal y sis of events oc cur ring on sys tems through out an or ga ni za tion. They in clude agents in stalled on re mote sys tems that mon i tor for spe cific events known as alarm trig gers. When the trig ger oc curs, the agents re port the event back to the cen tral mon i tor ing soft ware.

For ex am ple, a SIEM can mon i tor a group of email servers. Each time one of the email servers logs an event, a SIEM agent ex am ines the event to de ter mine if it is an item of in ter est. If it is, the SIEM agent for wards the event to a cen tral SIEM server, and de pend ing on the event, it can raise an alarm for an ad min is tra tor. For ex am ple, if the send queue of an email server starts back ing up, a SIEM ap pli ca tion can de tect the is sue and alert ad min is tra tors be fore the prob lem is se ri ous.

Most SIEMs are con fig urable, al low ing per son nel within the or ga ni za tion to spec ify what items are of in ter est and need to be for warded to the SIEM server. SIEMs have agents for just about any type of server or net work de vice, and in some cases, they mon i tor net work flows for traf fic and trend anal y sis. The tools can

529

also col lect all the logs from tar get sys tems and use data-min ing tech niques to re trieve rel e vant data. Se cu rity pro fes sion als can then cre ate re ports and an a lyze the data.

SIEMs of ten in clude so phis ti cated cor re la tion en gines. These en gines are a soft ware com po nent that col lects the data and ag gre gates it look ing for com mon at tributes. It then uses ad vanced an a lytic tools to de tect ab nor mal i ties and sends alerts to se cu rity ad min is tra tors.

Some mon i tor ing tools are also used for in ven tory and sta tus pur poses. For ex am ple, tools can query all the avail able sys tems and doc u ment de tails, such as sys tem names, IP ad dresses, op er at ing sys tems, in stalled patches, up dates, and in stalled soft ware. These tools can then cre ate re ports of any sys tem based on the needs of the or ga ni za tion. For ex am ple, they can iden tify how many sys tems are ac tive, iden tify sys tems with miss ing patches, and flag sys tems that have unau tho rized soft ware in stalled.

Soft ware mon i tor ing watches for at tempted or suc cess ful in stal la tions of un ap proved soft ware, use of unau tho rized soft ware, or unau tho rized use of ap proved soft ware. This re duces the risk of users in ad ver tently in stalling a virus or Tro jan horse.

Sam pling

Sam pling, or data ex trac tion, is the process of ex tract ing spe cific el e ments from a large col lec tion of data to con struct a mean ing ful rep re sen ta tion or sum mary of the whole. In other words, sam pling is a form of data re duc tion that al lows some one to glean valu able in for ma tion by look ing at only a small sam ple of data in an au dit trail.

Sta tis ti cal sam pling uses pre cise math e mat i cal func tions to ex tract mean ing ful in for ma tion from a very large vol ume of data. This is sim i lar to the sci ence used by poll sters to learn the opin ions of large pop u la tions with out in ter view ing ev ery one in the pop u la tion. There is al ways a risk that sam pled data is not an ac cu rate rep re sen ta tion of the whole body of data, and sta tis ti cal sam pling can iden tify the mar gin of er ror.

Clip ping Lev els

Clip ping is a form of non sta tis ti cal sam pling. It se lects only events that ex ceed a clip ping level, which is a pre de fined thresh old for the event. The sys tem ig nores events un til they reach this thresh old.

As an ex am ple, failed lo gon at tempts are com mon in any sys tem as users can eas ily en ter the wrong pass word once or twice. In stead of rais ing an alarm for ev ery sin gle failed lo gon at tempt, a clip ping level can be set to raise an alarm only if it de tects five failed lo gon at tempts within a 30-minute pe riod. Many ac count lock out con trols use a sim i lar clip ping level. They don’t lock the ac count af ter a sin gle failed lo gon. In stead, they count the failed lo gons and lock the ac count only when the pre de fined thresh old is reached.

Clip ping lev els are widely used in the process of au dit ing events to es tab lish a base line of rou tine sys tem or user ac tiv ity. The mon i tor ing sys tem raises an alarm to sig nal ab nor mal events only if the base line is ex ceeded. In other words, the clip ping level causes the sys tem to ig nore rou tine events and only raise an alert when it de tects se ri ous in tru sion pat terns.

In gen eral, non sta tis ti cal sam pling is dis cre tionary sam pling, or sam pling at the au di tor’s dis cre tion. It doesn’t of fer an ac cu rate rep re sen ta tion of the whole body of data and will ig nore events that don’t reach the clip ping level thresh old. How ever, it is ef fec tive when used to fo cus on spe cific events. Ad di tion ally, non sta tis ti cal sam pling is less ex pen sive and eas ier to im ple ment than sta tis ti cal sam pling.

Both sta tis ti cal and non sta tis ti cal sam pling are valid mech a nisms to cre ate sum maries or

over views of large bod ies of au dit data. How ever, sta tis ti cal sam pling is more re li able and math e mat i cally de fen si ble.

Other Mon i tor ing Tools

Al though logs are the pri mary tools used with au dit ing, there are some ad di tional tools used within or ga ni za tions that are worth men tion ing. For ex am ple, a closed-cir cuit tele vi sion (CCTV) can au to mat i cally record events onto tape for later re view. Se cu rity per son nel can also watch a live CCTV sys tem for un wanted, unau tho rized, or il le gal ac tiv i ties in real time. This sys tem can work alone or in con junc tion with se cu rity guards, who them selves can be mon i tored by the CCTV and held ac count able for any il le gal or un eth i cal ac tiv ity. Other tools in clude key stroke mon i tor ing, traf fic anal y sis mon i tor ing, trend anal y sis mon i tor ing, and mon i tor ing to pre vent data loss.

Key stroke Mon i tor ing Key stroke mon i tor ing is the act of record ing the key strokes a user per forms on a phys i cal key board. The mon i tor ing is com monly done via tech ni cal means such as a hard ware de vice or a soft ware pro gram known as a key log ger. How ever, a video recorder can per form vis ual mon i tor ing. In most cases, at tack ers use key stroke mon i tor ing for ma li cious pur poses. In ex treme cir cum stances and highly

530

re stricted en vi ron ments, an or ga ni za tion might im ple ment key stroke mon i tor ing to au dit and an a lyze user ac tiv ity.

Key stroke mon i tor ing is of ten com pared to wire tap ping. There is some de bate about whether key stroke mon i tor ing should be re stricted and con trolled in the same man ner as tele phone wire taps. Many or ga ni za tions that em ploy key stroke mon i tor ing no tify both au tho rized and unau tho rized users of such mon i tor ing through em ploy ment agree ments, se cu rity poli cies, or warn ing ban ners at sign-on or lo gin ar eas.

Com pa nies can and do use key stroke mon i tor ing in some sit u a tions. How ever, in al most

all cases, they are re quired to in form em ploy ees of the mon i tor ing.

Traf fic Anal y sis and Trend Anal y sis Traf fic anal y sis and trend anal y sis are forms of mon i tor ing that ex am ine the flow of pack ets rather than ac tual packet con tents. This is some times re ferred to as net work flow mon i tor ing. It can in fer a lot of in for ma tion, such as pri mary and backup com mu ni ca tion routes, the lo ca tion of pri mary servers, sources of en crypted traf fic and the amount of traf fic sup ported by the net work, typ i cal di rec tion of traf fic flow, fre quency of com mu ni ca tions, and much more.

These tech niques can some times re veal ques tion able traf fic pat terns, such as when an em ployee’s ac count sends a mas sive amount of email to oth ers. This might in di cate the em ployee’s sys tem is part of a bot net con trolled by an at tacker at a re mote lo ca tion. Sim i larly, traf fic anal y sis might de tect if an un scrupu lous in sider for wards in ter nal in for ma tion to unau tho rized par ties via email. These types of events of ten leave de tectable sig na tures.

Egress Mon i tor ing Egress mon i tor ing refers to mon i tor ing out go ing traf fic to pre vent data ex fil tra tion, which is the

unau tho rized trans fer of data out side the or ga ni za tion. Some com mon meth ods used to pre vent data ex fil tra tion are us ing data loss pre ven tion tech niques, look ing for steganog ra phy at tempts, and us ing wa ter mark ing to de tect unau tho rized data go ing out.

Ad vanced at tack ers, such as ad vanced per sis tent threats spon sored by na tion-states, com monly en crypt data be fore send ing it out of the net work. This can thwart some com mon tools that at tempt to de tect data ex fil tra tion. How ever, it’s also pos si ble to in clude tools that mon i tor the amount of en crypted data sent out of the net work.

Data Loss Pre ven tion

Data loss pre ven tion (DLP) sys tems at tempt to de tect and block data ex fil tra tion at tempts. These sys tems have the ca pa bil ity of scan ning un en crypted data look ing for key words and data pat terns. For ex am ple, imag ine that an or ga ni za tion uses data clas si fi ca tions of Con fi den tial, Pro pri etary, Pri vate, and Sen si tive. A DLP sys tem can scan files for these words and de tect them.

Pat tern-match ing DLP sys tems look for spe cific pat terns. For ex am ple, U.S. so cial se cu rity num bers have a pat tern of nnn-nn-nnnn (three num bers, a dash, two num bers, a dash, and four num bers). The DLP can look for this pat tern and de tect it. Ad min is tra tors can set up a DLP sys tem to look for any pat terns based on their needs.

There are two pri mary types of DLP sys tems: net work-based and end point-based.

Net work-Based DLP A net work-based DLP scans all out go ing data look ing for spe cific data. Ad min is tra tors would place it on the edge of the neg a tive to scan all data leav ing the or ga ni za tion. If a user sends out a file con tain ing re stricted data, the DLP sys tem will de tect it and pre vent it from leav ing the or ga ni za tion. The DLP sys tem will send an alert, such as an email to an ad min is tra tor.

End point-Based DLP An end point-based DLP can scan files stored on a sys tem as well as files sent to ex ter nal de vices, such as print ers. For ex am ple, an or ga ni za tion’s end point-based DLP can pre vent users from copy ing sen si tive data to USB flash drives or send ing sen si tive data to a printer. Ad min is tra tors would con fig ure the DLP to scan the files with the ap pro pri ate key words, and if it de tects files with these key words, it will block the copy or print job. It’s also pos si ble to con fig ure an end point-based DLP sys tem to reg u larly scan files (such as on a file server) for files con tain ing spe cific key words or pat terns, or even for unau tho rized file types, such as MP3 files.

DLP sys tems typ i cally have the abil ity to per form deep-level ex am i na tions. For ex am ple, if users em bed the files in com pressed zip files, a DLP sys tem can still de tect the key words and pat terns. How ever, a DLP sys tem doesn’t have the abil ity to de crypt data.

A net work-based DLP sys tem might have stopped some ma jor breaches in the past. For ex am ple, in the Sony at tack of 2014, at tack ers ex fil trated more than 25 GB of sen si tive un en crypted data on Sony em ploy ees, in clud ing so cial se cu rity num bers, med i cal, and salary in for ma tion. If the at tack ers didn’t en crypt the data prior to re triev ing it, a DLP sys tem could have de tected at tempts to trans mit it out of the net work.

531

How ever, it’s worth men tion ing that ad vanced per sis tent threats (such as Fancy Bear and Cozy Bear dis cussed in Chap ter 14) com monly en crypt traf fic prior to trans mit ting it out of the net work.

The U.S. De part ment of Home land Se cu rity and the Fed eral Bu reau of In ves ti ga tion

re leased a joint anal y sis re port (JAR-16-20296A) in De cem ber 2016 out lin ing the ac tions of Fancy Bear (APT 28) and Cozy Bear (APT 29).

Steganog ra phy

Steganog ra phy is the prac tice of em bed ding a mes sage within a file. For ex am ple, in di vid u als can mod ify bits within a pic ture file to em bed a mes sage. The change is im per cep ti ble to some one look ing at the pic ture, but if other peo ple know to look for the mes sage, they can ex tract it.

It is pos si ble to de tect steganog ra phy at tempts if you have the orig i nal file and a file you sus pect has a hid den mes sage. If you use a hash ing al go rithm such as Se cure Hash Al go rithm 3 (SHA-3), you can cre ate a hash of both files. If the hashes are the same, the file does not have a hid den mes sage. How ever, if the hashes are dif fer ent, it in di cates the sec ond file has been mod i fied. Foren sic anal y sis tech niques might be able to re trieve the mes sage.

In the con text of egress mon i tor ing, an or ga ni za tion can pe ri od i cally cap ture hashes of in ter nal files that rarely change. For ex am ple, graph ics files such as JPEG and GIF files gen er ally stay the same. If se cu rity ex perts sus pect that a ma li cious in sider is em bed ding ad di tional data within these files and email ing them out side the or ga ni za tion, they can com pare the orig i nal hashes with the hashes of the files the ma li cious in sider sent out. If the hashes are dif fer ent, it in di cates the files are dif fer ent and may con tain hid den mes sages.

Wa ter mark ing

Wa ter mark ing is the prac tice of em bed ding an im age or pat tern in pa per that isn’t read ily per ceiv able. It is of ten used with cur rency to thwart coun ter feit ing at tempts. Sim i larly, or ga ni za tions of ten use wa ter mark ing in doc u ments. For ex am ple, au thors of sen si tive doc u ments can mark them with the ap pro pri ate clas si fi ca tion such as “Con fi den tial” or “Pro pri etary.” Any one work ing with the file or a printed copy of the file will eas ily see the clas si fi ca tion.

From the per spec tive of egress mon i tor ing, DLP sys tems can de tect the wa ter mark in un en crypted files. When a DLP sys tem iden ti fies sen si tive data from these wa ter marks, it can block the trans mis sion and raise an alert for se cu rity per son nel. This pre vents trans mis sion of the files out side the or ga ni za tion.

An ad vanced im ple men ta tion of wa ter mark ing is dig i tal wa ter mark ing. A dig i tal wa ter mark is a se cretly em bed ded marker in a dig i tal file. For ex am ple, some movie stu dios dig i tally mark copies of movies sent to dif fer ent dis trib u tors. Each copy has a dif fer ent mark and the stu dios track which dis trib u tor re ceived which copy. If any of the dis trib u tors re lease pi rated copies of the movie, the stu dio can iden tify which dis trib u tor did so.

Au dit ing to As sess Ef fec tive ness Many or ga ni za tions have strong ef fec tive se cu rity poli cies in place. How ever, just be cause the poli cies are

in place doesn’t mean that per son nel know about them or fol low them. Many times, an or ga ni za tion will want to as sess the ef fec tive ness of their se cu rity poli cies and re lated ac cess con trols by au dit ing the en vi ron ment.

Au dit ing is a me thod i cal ex am i na tion or re view of an en vi ron ment to en sure com pli ance with reg u la tions and to de tect ab nor mal i ties, unau tho rized oc cur rences, or crimes. It ver i fies that the se cu rity mech a nisms de ployed in an en vi ron ment are pro vid ing ad e quate se cu rity for the en vi ron ment. The test process en sures that per son nel are fol low ing the re quire ments dic tated by the se cu rity pol icy or other reg u la tions, and that no sig nif i cant holes or weak nesses ex ist in de ployed se cu rity so lu tions.

Au di tors are re spon si ble for test ing and ver i fy ing that pro cesses and pro ce dures are in place to im ple ment se cu rity poli cies or reg u la tions, and that they are ad e quate to meet the or ga ni za tion’s se cu rity re quire ments. They also ver ify that per son nel are fol low ing these pro cesses and pro ce dures. In other words, au di tors per form the au dit ing.

532

Au dit ing and Au dit ing

The term au dit ing has two dif fer ent dis tinct mean ings within the con text of IT se cu rity, so it’s im por tant to rec og nize the dif fer ences.

First, au dit ing refers to the use of au dit logs and mon i tor ing tools to track ac tiv ity. For ex am ple, au dit logs can record when any user ac cesses a file and doc u ment ex actly what the user did with the file and when.

Sec ond, au dit ing also refers to an in spec tion or eval u a tion. Specif i cally, an au dit is an in spec tion or eval u a tion of a spe cific process or re sult to de ter mine whether an or ga ni za tion is fol low ing spe cific rules or guide lines.

These rules may be from the or ga ni za tion’s se cu rity pol icy or a re sult of ex ter nal laws and reg u la tions. For ex am ple, a se cu rity pol icy may dic tate that in ac tive ac counts should be dis abled as soon as pos si ble af ter an em ployee is ter mi nated. An au dit can check for in ac tive ac counts and even ver ify the ex act time ac counts were dis abled and match this to the time of a ter mi nated em ployee’s exit in ter view. In spec tion au dits can be done in ter nally or by an ex ter nal au di tor, and they will of ten use the logs cre ated from au dit ing and mon i tor ing as part of the eval u a tion process.

In spec tion Au dits

Se cure IT en vi ron ments rely heav ily on au dit ing as a de tec tive se cu rity con trol to dis cover and cor rect vul ner a bil i ties. Two im por tant au dits within the con text of ac cess con trol are ac cess re view au dits and user en ti tle ment au dits.

It’s im por tant to clearly de fine and ad here to the fre quency of au dit re views. Or ga ni za tions typ i cally de ter mine the fre quency of a se cu rity au dit or se cu rity re view based on risk. Per son nel eval u ate vul ner a bil i ties and threats against the or ga ni za tion’s valu able as sets to de ter mine the over all level of risk. This helps the or ga ni za tion jus tify the ex pense of an au dit and de ter mine how fre quently they want to have an au dit.

Au dits cost time and money, and the fre quency of an au dit is based on the as so ci ated risk.

For ex am ple, po ten tial mis use or com pro mise of priv i leged ac counts rep re sents a much greater risk than mis use or com pro mise of reg u lar user ac counts. With this in mind, se cu rity per son nel would per form user en ti tle ment au dits for priv i leged ac counts much more of ten than user en ti tle ment au dits of reg u lar user ac counts.

As with many other as pects of de ploy ing and main tain ing se cu rity, se cu rity au dits are of ten viewed as key el e ments of due care. If se nior man age ment fails to en force com pli ance with reg u lar se cu rity re views, then stake hold ers can hold them ac count able and li able for any as set losses that oc cur be cause of se cu rity breaches or pol icy vi o la tions. When au dits aren’t per formed, it cre ates the per cep tion that man age ment is not ex er cis ing due care.

Ac cess Re view Au dits

Many or ga ni za tions per form pe ri odic ac cess re views and au dits to en sure that ob ject ac cess and ac count man age ment prac tices sup port the se cu rity pol icy. These au dits ver ify that users do not have ex ces sive priv i leges and that ac counts are man aged ap pro pri ately. They en sure that se cure pro cesses and pro ce dures are in place, that per son nel are fol low ing them, and that these pro cesses and pro ce dures are work ing as ex pected.

For ex am ple, ac cess to highly valu able data should be re stricted to only the users who need it. An ac cess re view au dit will ver ify that data has been clas si fied and that data clas si fi ca tions are clear to the users. Ad di tion ally, it will en sure that any one who has the au thor ity to grant ac cess to data un der stands what makes a user el i gi ble for the ac cess. For ex am ple, if a help desk pro fes sional can grant ac cess to highly clas si fied data, the help desk pro fes sional needs to know what makes a user el i gi ble for that level of ac cess.

When ex am in ing ac count man age ment prac tices, an ac cess re view au dit will en sure that ac counts are dis abled and deleted in ac cor dance with best prac tices and se cu rity poli cies. For ex am ple, ac counts should be dis abled as soon as pos si ble if an em ployee is ter mi nated. A typ i cal ter mi na tion pro ce dure pol icy of ten in cludes the fol low ing el e ments:

At least one wit ness is present dur ing the exit in ter view.

Ac count ac cess is dis abled dur ing the in ter view.

533

Em ployee iden ti fi ca tion badges and other phys i cal cre den tials such as smart cards are col lected dur ing or im me di ately af ter the in ter view.

The em ployee is es corted off the premises im me di ately af ter the in ter view.

The ac cess re view ver i fies that a pol icy ex ists and that per son nel are fol low ing it. When ter mi nated em ploy ees have con tin ued ac cess to the net work af ter an exit in ter view, they can eas ily cause dam age. For ex am ple, an ad min is tra tor can cre ate a sep a rate ad min is tra tor ac count and use it to ac cess the net work even if the ad min is tra tor’s orig i nal ac count is dis abled.

User En ti tle ment Au dits

User en ti tle ment refers to the priv i leges granted to users. Users need rights and per mis sions (priv i leges) to per form their job, but they only need a lim ited num ber of priv i leges. In the con text of user en ti tle ment, the prin ci ple of least priv i lege en sures that users have only the priv i leges they need to per form their job and no more.

Al though ac cess con trols at tempt to en force the prin ci ple of least priv i lege, there are times when users are granted ex ces sive priv i leges. User en ti tle ment re views can dis cover when users have ex ces sive priv i leges, which vi o late se cu rity poli cies re lated to user en ti tle ment.

Au dits of Priv i leged Groups

Many or ga ni za tions use groups as part of a Role Based Ac cess Con trol model. It’s im por tant to limit the mem ber ship of groups that have a high-level of priv i leges, such as ad min is tra tor groups. It’s also im por tant to make sure group mem bers are us ing their high-priv i lege ac counts only when nec es sary. Au dits can help de ter mine whether per son nel are fol low ing these poli cies.

Ac cess re view au dits, user en ti tle ment au dits, and au dits of priv i leged groups can be

per formed man u ally or au to mat i cally. Many iden tity and ac cess man age ment (IAM) sys tems in clude the abil ity to per form these au dits us ing au to ma tion tech niques.

High-Level Ad min is tra tor Groups

Many op er at ing sys tems have priv i leged groups such as an Ad min is tra tors group. The Ad min is tra tors group is typ i cally granted full priv i leges on a sys tem, and when a user ac count is placed in the Ad min is tra tors group, the user has these priv i leges. With this in mind, a user en ti tle ment re view will of ten re view mem ber ship in any priv i leged groups, in clud ing the dif fer ent ad min is tra tor groups.

Some groups have such high priv i leges that even in or ga ni za tions with tens of thou sands of users, their mem ber ship is lim ited to a very few peo ple. For ex am ple, Mi cro soft do mains in clude a group known as the En ter prise Ad mins group. Users in this group can do any thing on any do main within a Mi cro soft for est (a group of re lated do mains). This group has so much power that mem ber ship is of ten re stricted to only two or three high-level ad min is tra tors. Mon i tor ing and au dit ing mem ber ship in this group can un cover unau tho rized in di vid u als added to these groups.

It is pos si ble to use au to mated meth ods to mon i tor mem ber ship in priv i leged ac counts so that at tempts to add unau tho rized users au to mat i cally fail. Au dit logs will also record this ac tion, and an en ti tle ment re view can check for these events. Au di tors can ex am ine the au dit trail to de ter mine who at tempted to add the unau tho rized ac count.

Per son nel can also cre ate ad di tional groups with el e vated priv i leges. For ex am ple, ad min is tra tors might cre ate an ITAd mins group for some users in the IT de part ment. They would grant the group ap pro pri ate priv i leges based on the job re quire ments of these ad min is tra tors, and place the ac counts of the IT de part ment ad min is tra tors into the ITAd mins group. Only ad min is tra tors from the IT de part ment should be in the group, and a user en ti tle ment au dit can ver ify that users in other de part ments are not in the group. This is one way to de tect creep ing priv i leges.

A user en ti tle ment au dit can also de tect whether pro cesses are in place to re move

priv i leges when users no longer need them and if per son nel are fol low ing these pro cesses. For ex am ple, if an ad min is tra tor trans ferred to the Sales de part ment of an or ga ni za tion, this ad min is tra tor should no longer have ad min is tra tive priv i leges.

Dual Ad min is tra tor Ac counts

534

Many or ga ni za tions re quire ad min is tra tors to main tain two ac counts. They use one ac count for reg u lar day-to-day use. A sec ond ac count has ad di tional priv i leges and they use it for ad min is tra tive work. This re duces the risk as so ci ated with this priv i leged ac count.

For ex am ple, if mal ware in fects a sys tem while a user is logged on, the mal ware can of ten as sume the priv i leges of the user’s ac count. If the user is logged on with a priv i leged ac count, the mal ware starts with these el e vated priv i leges. How ever, if an ad min is tra tor uses the ad min is tra tor ac count only 10 per cent of the time to per form ad min is tra tive ac tions, this re duces the po ten tial risk of an in fec tion oc cur ring at the same time the ad min is tra tor is logged on with an ad min is tra tor ac count.

Au dit ing can ver ify that ad min is tra tors are us ing the priv i leged ac count ap pro pri ately. For ex am ple, an or ga ni za tion may es ti mate that ad min is tra tors will need to use a priv i leged ac count only about 10 per cent of the time dur ing a typ i cal day and should use their reg u lar ac count the rest of the time. An anal y sis of logs can show whether this is an ac cu rate es ti mate and whether ad min is tra tors are fol low ing the rule. If an ad min is tra tor is con stantly us ing the ad min is tra tor ac count and rarely us ing the reg u lar user ac count, an au dit can flag this as an ob vi ous pol icy vi o la tion.

Se cu rity Au dits and Re views Se cu rity au dits and re views help en sure that an or ga ni za tion has im ple mented se cu rity con trols prop erly.

Ac cess re view au dits (pre sented ear lier in this chap ter) as sess the ef fec tive ness of ac cess con trols. These re views en sure that ac counts are man aged ap pro pri ately, don’t have ex ces sive priv i leges, and are dis abled or deleted when re quired. In the con text of the Se cu rity Op er a tions do main, se cu rity au dits help en sure that man age ment con trols are in place. The fol low ing list in cludes some com mon items to check:

Patch Man age ment A patch man age ment re view en sures that patches are eval u ated as soon as pos si ble once they are avail able. It also en sures that the or ga ni za tion fol lows es tab lished pro ce dures to eval u ate, test, ap prove, de ploy, and ver ify the patches. Vul ner a bil ity scan re ports can be valu able in any patch man age ment re view or au dit.

Vul ner a bil ity Man age ment A vul ner a bil ity man age ment re view en sures that vul ner a bil ity scans and as sess ments are per formed reg u larly in com pli ance with es tab lished guide lines. For ex am ple, an or ga ni za tion may have a pol icy doc u ment stat ing that vul ner a bil ity scans are per formed at least weekly, and the re view ver i fies that this is done. Ad di tion ally, the re view will ver ify that the vul ner a bil i ties dis cov ered in the scans have been ad dressed and mit i gated.

Con fig u ra tion Man age ment Sys tems can be au dited pe ri od i cally to en sure that the orig i nal con fig u ra tions are not mod i fied. It is of ten pos si ble to use script ing tools to check spe cific con fig u ra tions of sys tems and iden tify when a change has oc curred. Ad di tion ally, log ging can be en abled for many con fig u ra tion set tings to record con fig u ra tion changes. A con fig u ra tion man age ment au dit can check the logs for any changes and ver ify that they are au tho rized.

Change Man age ment A change man age ment re view en sures that changes are im ple mented in ac cor dance with the or ga ni za tion’s change man age ment pol icy. This of ten in cludes a re view of out ages to de ter mine the cause. Out ages that re sult from unau tho rized changes are a clear in di ca tion that the change man age ment pro gram needs im prove ment.

Re port ing Au dit Re sults

The ac tual for mats used by an or ga ni za tion to pro duce re ports from au dits vary. How ever, re ports should ad dress a few ba sic or cen tral con cepts:

The pur pose of the au dit

The scope of the au dit

The re sults dis cov ered or re vealed by the au dit

In ad di tion to these ba sic con cepts, au dit re ports of ten in clude many de tails spe cific to the en vi ron ment, such as time, date, and a list of the au dited sys tems. They can also in clude a wide range of con tent that fo cuses on

Prob lems, events, and con di tions

Stan dards, cri te ria, and base lines

Causes, rea sons, im pact, and ef fect

Rec om mended so lu tions and safe guards

Au dit re ports should have a struc ture or de sign that is clear, con cise, and ob jec tive. Al though au di tors will of ten in clude opin ions or rec om men da tions, they should clearly iden tify them. The ac tual find ings should be

535

based on fact and ev i dence gath ered from au dit trails and other sources dur ing the au dit.

Pro tect ing Au dit Re sults

Au dit re ports in clude sen si tive in for ma tion. They should be as signed a clas si fi ca tion la bel and only those peo ple with suf fi cient priv i lege should have ac cess to au dit re ports. This in cludes high-level ex ec u tives and se cu rity per son nel in volved in the cre ation of the re ports or re spon si ble for the cor rec tion of items men tioned in the re ports.

Au di tors some times cre ate a sep a rate au dit re port with lim ited data for other per son nel. This mod i fied re port pro vides only the de tails rel e vant to the tar get au di ence. For ex am ple, se nior man age ment does not need to know all the minute de tails of an au dit re port. There fore, the au dit re port for se nior man age ment is much more con cise and of fers more of an over view or sum mary of find ings. An au dit re port for a se cu rity ad min is tra tor re spon si ble for cor rec tion of the prob lems should be very de tailed and in clude all avail able in for ma tion on the events it cov ers.

On the other hand, the fact that an au di tor is per form ing an au dit is of ten very pub lic. This lets per son nel know that se nior man age ment is ac tively tak ing steps to main tain se cu rity.

Dis tribut ing Au dit Re ports

Once an au dit re port is com pleted, au di tors sub mit it to its as signed re cip i ents, as de fined in se cu rity pol icy doc u men ta tion. It’s com mon to file a signed con fir ma tion of re ceipt. When an au dit re port con tains in for ma tion about se ri ous se cu rity vi o la tions or per for mance is sues, per son nel es ca late it to higher lev els of man age ment for re view, no ti fi ca tion, and as sign ment of a re sponse to re solve the is sues.

Us ing Ex ter nal Au di tors

Many or ga ni za tions choose to con duct in de pen dent au dits by hir ing ex ter nal se cu rity au di tors. Ad di tion ally, some laws and reg u la tions re quire ex ter nal au dits. Ex ter nal au dits pro vide a level of ob jec tiv ity that an in ter nal au dit can not pro vide, and they bring a fresh, out side per spec tive to in ter nal poli cies, prac tices, and pro ce dures.

Many or ga ni za tions hire ex ter nal se cu rity ex perts to per form pen e tra tion test ing against

their sys tem as a form of test ing. These pen e tra tion tests help an or ga ni za tion iden tify vul ner a bil i ties and the abil ity of at tack ers to ex ploit these vul ner a bil i ties.

An ex ter nal au di tor is given ac cess to the com pany’s se cu rity pol icy and the au tho riza tion to in spect ap pro pri ate as pects of the IT and phys i cal en vi ron ment. Thus, the au di tor must be a trusted en tity. The goal of the au dit ac tiv ity is to ob tain a fi nal re port that de tails find ings and sug gests coun ter mea sures when ap pro pri ate.

An ex ter nal au dit can take a con sid er able amount of time to com plete—weeks or months, in some cases. Dur ing the course of the au dit, the au di tor may is sue in terim re ports. An in terim re port is a writ ten or ver bal re port given to the or ga ni za tion about any ob served se cu rity weak nesses or pol icy/pro ce dure mis matches that de mand im me di ate at ten tion. Au di tors is sue in terim re ports when ever a prob lem or is sue is too im por tant to wait un til the fi nal au dit re port.

Once the au di tors com plete their in ves ti ga tions, they typ i cally hold an exit con fer ence. Dur ing this con fer ence, the au di tors present and dis cuss their find ings and dis cuss res o lu tion is sues with the af fected par ties. How ever, only af ter the exit con fer ence is over and the au di tors have left the premises do they write and sub mit their fi nal au dit re port to the or ga ni za tion. This al lows the fi nal au dit re port to re main un af fected by of fice pol i tics and co er cion.

Af ter the or ga ni za tion re ceives the fi nal au dit re port, in ter nal au di tors re view it and make rec om men da tions to se nior man age ment based on the re port. Se nior man age ment is re spon si ble for se lect ing which rec om men da tions to im ple ment and for del e gat ing im ple men ta tion re quire ments to in ter nal per son nel.

Sum mary The CISSP Se cu rity Op er a tions do main lists six spe cific in ci dence re sponse steps. De tec tion is the first

step and can come from au to mated tools or from em ployee ob ser va tions. Per son nel in ves ti gate alerts to de ter mine if an ac tual in ci dent has oc curred, and if so, the next step is re sponse. Con tain ment of the in ci dent is im por tant dur ing the mit i ga tion stage. It’s also im por tant to pro tect any ev i dence dur ing all stages of in ci dent re sponse. Re port ing may be re quired based on gov ern ing laws or an or ga ni za tion’s se cu rity pol icy. In the re cov ery stage, the sys tem is re stored to full op er a tion, and it’s im por tant to en sure that it is re stored to at least as se cure a state as it was in be fore the at tack. The re me di a tion stage in cludes a root cause anal y sis and

536

will of ten in clude rec om men da tions to pre vent a re oc cur rence. Last, the lessons learned stage ex am ines the in ci dent and the re sponse to de ter mine if there are any lessons to be learned.

Sev eral ba sic steps can pre vent many com mon at tacks. They in clude keep ing sys tems and ap pli ca tions up- to-date with cur rent patches, re mov ing or dis abling un needed ser vices and pro to cols, us ing in tru sion de tec tion and pre ven tion sys tems, us ing anti-mal ware soft ware with up-to-date sig na tures, and en abling both host-based and net work-based fire walls.

De nial-of-ser vice (DoS) at tacks pre vent a sys tem from pro cess ing or re spond ing to le git i mate re quests for ser vice and com monly at tack sys tems ac ces si ble via the in ter net. The SYN flood at tack dis rupts the TCP three- way hand shake, some times con sum ing re sources and band width. While the SYN flood at tack is still com mon to day, other at tacks are of ten vari a tions on older at tack meth ods. Bot nets are of ten used to launch dis trib uted DoS (DDoS) at tacks. Zero-day ex ploits are pre vi ously un known vul ner a bil i ties. Fol low ing ba sic pre ven tive mea sures helps to pre vent suc cess ful zero-day ex ploit at tacks.

Au to mated tools such as in tru sion de tec tion sys tems use logs to mon i tor the en vi ron ment and de tect at tacks as they are oc cur ring. Some can au to mat i cally block at tacks. There are two types of de tec tion meth ods em ployed by IDSs: knowl edge-based and be hav ior-based. A knowl edge-based IDS uses a data base of at tack sig na tures to de tect in tru sion at tempts but can not rec og nize new at tack meth ods. A be hav ior-based sys tem starts with a base line of nor mal ac tiv ity and then mea sures ac tiv ity against the base line to de tect ab nor mal ac tiv ity. A pas sive re sponse will log the ac tiv ity and pos si bly send an alert on items of in ter est. An ac tive re sponse will change the en vi ron ment to block an at tack in ac tion. Host-based sys tems are in stalled on and mon i tor in di vid ual hosts, whereas net work-based sys tems are in stalled on net work de vices and mon i tor over all net work ac tiv ity. In tru sion pre ven tion sys tems are placed in line with the traf fic and can block ma li cious traf fic be fore it reaches the tar get sys tem.

Hon ey pots, hon eynets, and padded cells can be use ful tools to pre vent ma li cious ac tiv ity from oc cur ring on a pro duc tion net work while en tic ing in trud ers to stick around. They of ten in clude pseudo flaws and fake data used to tempt at tack ers. Ad min is tra tors and se cu rity per son nel also use these to gather ev i dence against at tack ers for pos si ble pros e cu tion.

Up-to-date anti-mal ware soft ware pre vents many ma li cious code at tacks. Anti-mal ware soft ware is com monly in stalled at the bound ary be tween the in ter net and the in ter nal net work, on email servers, and on each sys tem. Lim it ing user priv i leges for soft ware in stal la tions helps pre vent ac ci den tal mal ware in stal la tion by users. Ad di tion ally, ed u cat ing users about dif fer ent types of mal ware, and how crim i nals try to trick users, helps them avoid risky be hav iors.

Pen e tra tion test ing is a use ful tool to check the strength and ef fec tive ness of de ployed se cu rity mea sures and an or ga ni za tion’s se cu rity poli cies. It starts with vul ner a bil ity as sess ments or scans and then at tempts to ex ploit vul ner a bil i ties. Pen e tra tion test ing should only be done with man age ment ap proval and should be done on test sys tems in stead of pro duc tion sys tems when ever pos si ble. Or ga ni za tions of ten hire ex ter nal con sul tants to per form pen e tra tion test ing and can con trol the amount of knowl edge these con sul tants have. Zero-knowl edge test ing is of ten called black-box test ing, full-knowl edge test ing is of ten called white-box or crys tal-box test ing, and par tial-knowl edge test ing is of ten called gray-box test ing.

Log ging and mon i tor ing pro vide over all ac count abil ity when com bined with ef fec tive iden ti fi ca tion and au then ti ca tion prac tices. Log ging in volves record ing events in logs and data base files. Se cu rity logs, sys tem logs, ap pli ca tion logs, fire wall logs, proxy logs, and change man age ment logs are all com mon log files. Log files in clude valu able data and should be pro tected to en sure that they aren’t mod i fied, deleted, or cor rupted. If they are not pro tected, at tack ers will of ten try to mod ify or delete them, and they will not be ad mis si ble as ev i dence to pros e cute an at tacker.

Mon i tor ing in volves re view ing logs in real time and also later as part of an au dit. Au dit trails are the records cre ated by record ing in for ma tion about events and oc cur rences into one or more data bases or log files, and they can be used to re con struct events, ex tract in for ma tion about in ci dents, and prove or dis prove cul pa bil ity. Au dit trails pro vide a pas sive form of de tec tive se cu rity con trol and serve as a de ter rent in the same man ner as CCTV or se cu rity guards do. In ad di tion, they can be es sen tial as ev i dence in the pros e cu tion of crim i nals. Logs can be quite large, so dif fer ent meth ods are used to an a lyze them or re duce their size. Sam pling is a sta tis ti cal method used to an a lyze logs, and us ing clip ping lev els is a non sta tis ti cal method in volv ing pre de fined thresh olds for items of in ter est.

The ef fec tive ness of ac cess con trols can be as sessed us ing dif fer ent types of au dits and re views. Au dit ing is a me thod i cal ex am i na tion or re view of an en vi ron ment to en sure com pli ance with reg u la tions and to de tect ab nor mal i ties, unau tho rized oc cur rences, or out right crimes. Ac cess re view au dits en sure that ob ject ac cess and ac count man age ment prac tices sup port an or ga ni za tion’s se cu rity pol icy. User en ti tle ment au dits en sure that per son nel fol low the prin ci ple of least priv i lege.

Au dit re ports doc u ment the re sults of an au dit. These re ports should be pro tected and dis tri bu tion should be lim ited to only spe cific peo ple in an or ga ni za tion. Se nior man age ment and se cu rity pro fes sion als have a need to ac cess the re sults of se cu rity au dits, but if at tack ers have ac cess to au dit re ports, they can use the in for ma tion to iden tify vul ner a bil i ties they can ex ploit.

537

Se cu rity au dits and re views are com monly done to guar an tee that con trols are im ple mented as di rected and work ing as de sired. It’s com mon to in clude au dits and re views to check patch man age ment, vul ner a bil ity man age ment, change man age ment, and con fig u ra tion man age ment pro grams.

Exam Es sen tials Know in ci dent re sponse steps. The CISSP Se cu rity Op er a tions do main lists in ci dent re sponse steps as

de tec tion, re sponse, mit i ga tion, re port ing, re cov ery, re me di a tion, and lessons learned. Af ter de tect ing and ver i fy ing an in ci dent, the first re sponse is to limit or con tain the scope of the in ci dent while pro tect ing ev i dence. Based on gov ern ing laws, an or ga ni za tion may need to re port an in ci dent to of fi cial au thor i ties, and if PII is af fected, in di vid u als need to be in formed. The re me di a tion and lessons learned stages in clude root cause anal y sis to de ter mine the cause and rec om mend so lu tions to pre vent a re oc cur rence.

Know ba sic pre ven tive mea sures. Ba sic pre ven tive mea sures can pre vent many in ci dents from oc cur ring. These in clude keep ing sys tems up-to-date, re mov ing or dis abling un needed pro to cols and ser vices, us ing in tru sion de tec tion and pre ven tion sys tems, us ing anti-mal ware soft ware with up-to-date sig na tures, and en abling both host-based and net work-based fire walls.

Know what de nial-of-ser vice (DoS) at tacks are. DoS at tacks pre vent a sys tem from re spond ing to le git i mate re quests for ser vice. A com mon DoS at tack is the SYN flood at tack, which dis rupts the TCP three- way hand shake. Even though older at tacks are not as com mon to day be cause ba sic pre cau tions block them, you may still be tested on them be cause many newer at tacks are of ten vari a tions on older meth ods. Smurf at tacks em ploy an am pli fi ca tion net work to send nu mer ous re sponse pack ets to a vic tim. Ping-of-death at tacks send nu mer ous over sized ping pack ets to the vic tim, caus ing the vic tim to freeze, crash, or re boot.

Un der stand bot nets, bot net con trollers, and bot herders. Bot nets rep re sent sig nif i cant threats due to the mas sive num ber of com put ers that can launch at tacks, so it’s im por tant to know what they are. A bot net is a col lec tion of com pro mised com put ing de vices (of ten called bots or zom bies) or ga nized in a net work con trolled by a crim i nal known as a bot herder. Bot herders use a com mand and con trol server to re motely con trol the zom bies and of ten use the bot net to launch at tacks on other sys tems, or to send spam or phish ing emails. Bot herders also rent bot net ac cess out to other crim i nals.

Un der stand zero-day ex ploits. A zero-day ex ploit is an at tack that uses a vul ner a bil ity that is ei ther un known to any one but the at tacker or known only to a lim ited group of peo ple. On the sur face, it sounds like you can’t pro tect against an un known vul ner a bil ity, but ba sic se cu rity prac tices go a long way to ward pre vent ing zero-day ex ploits. Re mov ing or dis abling un needed pro to cols and ser vices re duces the at tack sur face, en abling fire walls blocks many ac cess points, and us ing in tru sion de tec tion and pre ven tion sys tems helps de tect and block po ten tial at tacks. Ad di tion ally, us ing tools such as hon ey pots and padded cells helps pro tect live net works.

Un der stand man-in-the-mid dle at tacks. A man-in-the-mid dle at tack oc curs when a ma li cious user is able to gain a log i cal po si tion be tween the two end points of a com mu ni ca tions link. Al though it takes a sig nif i cant amount of so phis ti ca tion on the part of an at tacker to com plete a man-in-the mid dle at tack, the amount of data ob tained from the at tack can be sig nif i cant.

Un der stand sab o tage and es pi onage. Ma li cious in sid ers can per form sab o tage against an or ga ni za tion if they be come dis grun tled for some rea son. Es pi onage is when a com peti tor tries to steal in for ma tion, and they may use an in ter nal em ployee. Ba sic se cu rity prin ci ples, such as im ple ment ing the prin ci ple of least priv i lege and im me di ately dis abling ac counts for ter mi nated em ploy ees, limit the dam age from these at tacks.

Un der stand in tru sion de tec tion and in tru sion pre ven tion. IDSs and IPSs are im por tant de tec tive and pre ven tive mea sures against at tacks. Know the dif fer ence be tween knowl edge-based de tec tion (us ing a data base sim i lar to anti-mal ware sig na tures) and be hav ior-based de tec tion. Be hav ior-based de tec tion starts with a base line to rec og nize nor mal be hav ior and com pares ac tiv ity with the base line to de tect ab nor mal ac tiv ity. The base line can be out dated if the net work is mod i fied, so it must be up dated when the en vi ron ment changes.

Rec og nize IDS/IPS re sponses. An IDS can re spond pas sively by log ging and send ing no ti fi ca tions or ac tively by chang ing the en vi ron ment. Some peo ple re fer to an ac tive IDS as an IPS. How ever, it’s im por tant to rec og nize that an IPS is placed in line with the traf fic and in cludes the abil ity to block ma li cious traf fic be fore it reaches the tar get.

Un der stand the dif fer ences be tween HIDSs and NIDSs. Host-based IDSs (HIDSs) can mon i tor ac tiv ity on a sin gle sys tem only. A draw back is that at tack ers can dis cover and dis able them. A net work-based IDS (NIDS) can mon i tor ac tiv ity on a net work, and a NIDS isn’t as vis i ble to at tack ers.

Un der stand hon ey pots, padded cells, and pseudo flaws. A hon ey pot is a sys tem that of ten has pseudo flaws and fake data to lure in trud ers. Ad min is tra tors can ob serve the ac tiv ity of at tack ers while they are in the hon ey pot, and as long as at tack ers are in the hon ey pot, they are not in the live net work. Some IDSs

538

have the abil ity to trans fer at tack ers into a padded cell af ter de tec tion. Al though a hon ey pot and padded cell are sim i lar, note that a hon ey pot lures the at tacker but the at tacker is trans ferred into the padded cell.

Un der stand meth ods to block ma li cious code. Ma li cious code is thwarted with a com bi na tion of tools. The ob vi ous tool is anti-mal ware soft ware with up-to-date def i ni tions in stalled on each sys tem, at the bound ary of the net work, and on email servers. How ever, poli cies that en force ba sic se cu rity prin ci ples, such as the prin ci ple of least priv i lege, pre vent reg u lar users from in stalling po ten tially ma li cious soft ware. Ad di tion ally, ed u cat ing users about the risks and the meth ods at tack ers com monly use to spread viruses helps users un der stand and avoid dan ger ous be hav iors.

Un der stand pen e tra tion test ing. Pen e tra tion tests start by dis cov er ing vul ner a bil i ties and then mimic an at tack to iden tify what vul ner a bil i ties can be ex ploited. It’s im por tant to re mem ber that pen e tra tion tests should not be done with out ex press con sent and knowl edge from man age ment. Ad di tion ally, since pen e tra tion tests can re sult in dam age, they should be done on iso lated sys tems when ever pos si ble. You should also rec og nize the dif fer ences be tween black-box test ing (zero knowl edge), white-box test ing (full knowl edge), and gray-box test ing (par tial knowl edge).

Know the types of log files. Log data is recorded in data bases and dif fer ent types of log files. Com mon log files in clude se cu rity logs, sys tem logs, ap pli ca tion logs, fire wall logs, proxy logs, and change man age ment logs. Logs files should be pro tected by cen trally stor ing them and us ing per mis sions to re strict ac cess, and archived logs should be set to read-only to pre vent mod i fi ca tions.

Un der stand mon i tor ing and uses of mon i tor ing tools. Mon i tor ing is a form of au dit ing that fo cuses on ac tive re view of the log file data. Mon i tor ing is used to hold sub jects ac count able for their ac tions and to de tect ab nor mal or ma li cious ac tiv i ties. It is also used to mon i tor sys tem per for mance. Mon i tor ing tools such as IDSs or SIEMs au to mate mon i tor ing and pro vide real-time anal y sis of events.

Un der stand au dit trails. Au dit trails are the records cre ated by record ing in for ma tion about events and oc cur rences into one or more data bases or log files. They are used to re con struct an event, to ex tract in for ma tion about an in ci dent, and to prove or dis prove cul pa bil ity. Us ing au dit trails is a pas sive form of de tec tive se cu rity con trol, and au dit trails are es sen tial ev i dence in the pros e cu tion of crim i nals.

Un der stand sam pling. Sam pling, or data ex trac tion, is the process of ex tract ing el e ments from a large body of data to con struct a mean ing ful rep re sen ta tion or sum mary of the whole. Sta tis ti cal sam pling uses pre cise math e mat i cal func tions to ex tract mean ing ful in for ma tion from a large vol ume of data. Clip ping is a form of non sta tis ti cal sam pling that records only events that ex ceed a thresh old.

Un der stand how to main tain ac count abil ity. Ac count abil ity is main tained for in di vid ual sub jects through the use of au dit ing. Logs record user ac tiv i ties and users can be held ac count able for their logged ac tions. This di rectly pro motes good user be hav ior and com pli ance with the or ga ni za tion’s se cu rity pol icy.

Un der stand the im por tance of se cu rity au dits and re views. Se cu rity au dits and re views help en sure that man age ment pro grams are ef fec tive and be ing fol lowed. They are com monly as so ci ated with ac count man age ment prac tices to pre vent vi o la tions with least priv i lege or need-to-know prin ci ples. How ever, they can also be per formed to over see patch man age ment, vul ner a bil ity man age ment, change man age ment, and con fig u ra tion man age ment pro grams.

Un der stand au dit ing and the need for fre quent se cu rity au dits. Au dit ing is a me thod i cal ex am i na tion or re view of an en vi ron ment to en sure com pli ance with reg u la tions and to de tect ab nor mal i ties, unau tho rized oc cur rences, or out right crimes. Se cure IT en vi ron ments rely heav ily on au dit ing. Over all, au dit ing serves as a pri mary type of de tec tive con trol used within a se cure en vi ron ment. The fre quency of an IT in fra struc ture se cu rity au dit or se cu rity re view is based on risk. An or ga ni za tion de ter mines whether suf fi cient risk ex ists to war rant the ex pense and in ter rup tion of a se cu rity au dit. The de gree of risk also af fects how of ten an au dit is per formed. It is im por tant to clearly de fine and ad here to the fre quency of au dit re views.

Un der stand that au dit ing is an as pect of due care. Se cu rity au dits and ef fec tive ness re views are key el e ments in dis play ing due care. Se nior man age ment must en force com pli ance with reg u lar pe ri odic se cu rity re views, or they will likely be held ac count able and li able for any as set losses that oc cur.

Un der stand the need to con trol ac cess to au dit re ports. Au dit re ports typ i cally ad dress com mon con cepts such as the pur pose of the au dit, the scope of the au dit, and the re sults dis cov ered or re vealed by the au dit. They of ten in clude other de tails spe cific to the en vi ron ment and can in clude sen si tive in for ma tion such as prob lems, stan dards, causes, and rec om men da tions. Au dit re ports that in clude sen si tive in for ma tion should be as signed a clas si fi ca tion la bel and han dled ap pro pri ately. Only peo ple with suf fi cient priv i lege should have ac cess to them. An au dit re port can be pre pared in var i ous ver sions for dif fer ent tar get au di ences to in clude only the de tails needed by a spe cific au di ence. For ex am ple, se nior se cu rity ad min is tra tors might have a re port with all the rel e vant de tails, whereas a re port for ex ec u tives would pro vide only high-level in for ma tion.

Un der stand ac cess re view and user en ti tle ment au dits. An ac cess re view au dit en sures that ob ject ac cess and ac count man age ment prac tices sup port the se cu rity pol icy. User en ti tle ment au dits en sure that the prin ci ple of least priv i lege is fol lowed and of ten fo cus on priv i leged ac counts.