Discussion - Week 13

profileskollipara1028
ch17.pptx

Chapter 17 Preventing and Responding to Incidents

Managing Incident Response

Defining an Incident

Incident Response Steps

overview

Defining an Incident 1/2

Any negative effect on CIA

Unplanned interruption to IT

Computer security incident

RFC 2350 “Expectations for Computer Security Incident Response”

“Any adverse event which compromises some aspect of computer or network security.”

NIST SP 800-61

Computer Security Incident Handling Guide

Defining an Incident 2/2

Any attempted network intrusion

Any attempted denial-of-service attack

Any detection of malicious software

Any unauthorized access of data

Any violation of security policies

Incident Response Steps

Detection

Response

Mitigation

Reporting

Recovery

Remediation

Lessons Learned

overview

IR Step: Detection

Detecting actual or potential incidents

IDSes, AV, audits, automated tools, end users

First responders

IR Step: Response

Based on severity of incident

Computer incident response team (CIRT)/computer security incident response team (CSIRT)

Faster response limits damage

IR Step: Mitigation

Contain the incident

Limit the effect or scope

May involve disconnecting from the network

Actions in this step may be noticed by an attacker

IR Step: Reporting

Internal and external notification

May be mandated by regulation

PII violations are of critical concern in many jurisdictions

Relevant training is need to properly recognize and report incidents

IR Step: Recovery

Evidence collection should be completed before recovery efforts

Recovery is to return the environment to a normal state or condition

Security should be restored to an equal or greater level than before the incident

IR Step: Remediation

Analyze the incident to determine the cause

Implement countermeasures to prevent a recurrence

Root-cause analysis

IR Step: Lessons Learned

Determine what can be learned from the incident and the response

Focus on improving future reponse

May highlight need for additional training

May require adjustment of security infrastructure

CIRT submits analysis and recommendations report to management

Implementing Detective and Preventive Measures

Basic Preventive Measures

Understanding Attacks

Intrusion Detection and Prevention Systems

Specific Preventive Measures

overview

Basic Preventive Measures

Keep systems and applications up-to-date

Remove or disable unneeded services and protocols

Use intrusion detection and prevention systems

Use up-to-date anti-malware software

Use firewalls

Implement configuration and system management processes

Understanding Attacks 1/2

Botnets

Denial of service

Distributed denial-of-service (DDoS)

Distributed reflective denial-of-service (DRDoS)

SYN flood attack

Smurf and Fraggle attacks

Ping flood

Ping of Death

Teardrop

Understanding Attacks 2/2

Land attack

Zero-day exploit

Malicious code

Drive-by download

Malvertising

Man-in-the-middle

War dialing

Sabotage

Espionage

Intrusion Detection and Prevention Systems

IDS, IPS, IDPS

NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems

Knowledge and behavior-based detection

SIEM systems

IDS response

Active vs. passive

Host and network IDS

Intrusion prevention systems

Specific Preventive Measures

Honeypots/honeynets

Pseudo flaw

Padded cell

Warning banners

Anti-malware

Whitelisting and blacklisting

Firewalls

Sandboxing

Third-Party Security Services

Payment Card Industry Data Security Standard (PCI DSS)

SaaS cloud security

Penetration testing

Risks

Obtaining permission

Black box, white box, gray box

Reports

Ethical hacking

Logging, Monitoring, and Auditing

Logging and Monitoring

Monitoring Techniques

Egress Monitoring

Auditing to Assess Effectiveness

Security Audits and Reviews

Reporting Audit Results

overview

Logging and Monitoring

Security logs, system logs, application logs, firewall logs, proxy logs, change logs

Protecting log data

FIPS 200, audit log security requirements

Audit trails

Monitoring and accountability

Monitoring and investigations

Monitoring and problem identification

Monitoring Techniques

Log analysis

Security Information and Event Management (SIEM)

Security Event Management (SEM)

Security Information Management (SIM)

Sampling or data extration

Clipping levels

Keystroke monitoring

Traffic and trend analysis

Egress Monitoring

Data loss prevention (DLP)

Network-based DLP

Endpoint-based DLP

Steganography

Watermarking

Auditing to Assess Effectiveness

Auditing, auditors

Methodical examination

Compliance

Inspection audits

Access review audits

User entitlement audits

Audits of privileged groups

High-level administrators

Dual administrator accounts

Security Audits and Reviews

Patch management

Vulnerability management

Configuration management

Change management

Reporting Audit Results

Purpose, scope, results

Problems, events, and conditions

Standards, criteria, and baselines

Causes, reasons, impact, and effect

Recommended solutions and safeguards

Protecting audit results

Distributing audit reports

Using external auditors

Conclusion

Read the Exam Essentials

Review the chapter

Perform the Written Labs

Answer the Review Questions