Discussion - Week 13
Chapter 17 Preventing and Responding to Incidents
Managing Incident Response
Defining an Incident
Incident Response Steps
overview
Defining an Incident 1/2
Any negative effect on CIA
Unplanned interruption to IT
Computer security incident
RFC 2350 “Expectations for Computer Security Incident Response”
“Any adverse event which compromises some aspect of computer or network security.”
NIST SP 800-61
Computer Security Incident Handling Guide
Defining an Incident 2/2
Any attempted network intrusion
Any attempted denial-of-service attack
Any detection of malicious software
Any unauthorized access of data
Any violation of security policies
Incident Response Steps
Detection
Response
Mitigation
Reporting
Recovery
Remediation
Lessons Learned
overview
IR Step: Detection
Detecting actual or potential incidents
IDSes, AV, audits, automated tools, end users
First responders
IR Step: Response
Based on severity of incident
Computer incident response team (CIRT)/computer security incident response team (CSIRT)
Faster response limits damage
IR Step: Mitigation
Contain the incident
Limit the effect or scope
May involve disconnecting from the network
Actions in this step may be noticed by an attacker
IR Step: Reporting
Internal and external notification
May be mandated by regulation
PII violations are of critical concern in many jurisdictions
Relevant training is need to properly recognize and report incidents
IR Step: Recovery
Evidence collection should be completed before recovery efforts
Recovery is to return the environment to a normal state or condition
Security should be restored to an equal or greater level than before the incident
IR Step: Remediation
Analyze the incident to determine the cause
Implement countermeasures to prevent a recurrence
Root-cause analysis
IR Step: Lessons Learned
Determine what can be learned from the incident and the response
Focus on improving future reponse
May highlight need for additional training
May require adjustment of security infrastructure
CIRT submits analysis and recommendations report to management
Implementing Detective and Preventive Measures
Basic Preventive Measures
Understanding Attacks
Intrusion Detection and Prevention Systems
Specific Preventive Measures
overview
Basic Preventive Measures
Keep systems and applications up-to-date
Remove or disable unneeded services and protocols
Use intrusion detection and prevention systems
Use up-to-date anti-malware software
Use firewalls
Implement configuration and system management processes
Understanding Attacks 1/2
Botnets
Denial of service
Distributed denial-of-service (DDoS)
Distributed reflective denial-of-service (DRDoS)
SYN flood attack
Smurf and Fraggle attacks
Ping flood
Ping of Death
Teardrop
Understanding Attacks 2/2
Land attack
Zero-day exploit
Malicious code
Drive-by download
Malvertising
Man-in-the-middle
War dialing
Sabotage
Espionage
Intrusion Detection and Prevention Systems
IDS, IPS, IDPS
NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems
Knowledge and behavior-based detection
SIEM systems
IDS response
Active vs. passive
Host and network IDS
Intrusion prevention systems
Specific Preventive Measures
Honeypots/honeynets
Pseudo flaw
Padded cell
Warning banners
Anti-malware
Whitelisting and blacklisting
Firewalls
Sandboxing
Third-Party Security Services
Payment Card Industry Data Security Standard (PCI DSS)
SaaS cloud security
Penetration testing
Risks
Obtaining permission
Black box, white box, gray box
Reports
Ethical hacking
Logging, Monitoring, and Auditing
Logging and Monitoring
Monitoring Techniques
Egress Monitoring
Auditing to Assess Effectiveness
Security Audits and Reviews
Reporting Audit Results
overview
Logging and Monitoring
Security logs, system logs, application logs, firewall logs, proxy logs, change logs
Protecting log data
FIPS 200, audit log security requirements
Audit trails
Monitoring and accountability
Monitoring and investigations
Monitoring and problem identification
Monitoring Techniques
Log analysis
Security Information and Event Management (SIEM)
Security Event Management (SEM)
Security Information Management (SIM)
Sampling or data extration
Clipping levels
Keystroke monitoring
Traffic and trend analysis
Egress Monitoring
Data loss prevention (DLP)
Network-based DLP
Endpoint-based DLP
Steganography
Watermarking
Auditing to Assess Effectiveness
Auditing, auditors
Methodical examination
Compliance
Inspection audits
Access review audits
User entitlement audits
Audits of privileged groups
High-level administrators
Dual administrator accounts
Security Audits and Reviews
Patch management
Vulnerability management
Configuration management
Change management
Reporting Audit Results
Purpose, scope, results
Problems, events, and conditions
Standards, criteria, and baselines
Causes, reasons, impact, and effect
Recommended solutions and safeguards
Protecting audit results
Distributing audit reports
Using external auditors
Conclusion
Read the Exam Essentials
Review the chapter
Perform the Written Labs
Answer the Review Questions