Introduction to Cyber-Security
C4DLab
June 2016
Christopher K. Chepken (PhD)
CyberSecurity
Introduction to Cyber Security: Hacking

Hacking
• Is an attempt to circumvent or bypass the security mechanisms of an information system or network
• Ethical – identifies weaknesses and recommends solutions
• Hacker – exploits weaknesses
• It is the art of exploring various security breaches
• Has consequences
  – denial of service
Hacking: Reasons & Justification
• To steal services, data or files
• Thrill and excitement
• To promote some tools or skills
• Disease: feel like doing it!
• Believe that all info needs to be free
• Ethical hacking: show security problems
Hacking: Discussion
• How is your organization doing? How are staff responding to the tightening of security loopholes?
Hacking techniques
• Hacking techniques are the different ways which hackers use to exploit systems.
  – There can be as many hacking techniques as there are hackers.
• Some are known, others unknown (new ones are developing every day)
• IT security personnel's work is to keep track of upcoming and threatening hacking techniques.
Hacking techniques
• Vulnerability scanning: a tool used to quickly check computers on a network for known weaknesses, e.g. open ports
• Brute force attack, e.g. password guessing
• Dictionary attack
• Password cracking: the process of recovering passwords from data
• Packet sniffer
• Spoofing attack (phishing): masquerades as another by falsifying data
Hacking techniques
• Programmed threats, e.g. viruses, worms or trojans
• Social engineering: e.g. a hacker can contact the system administrator and pose as a user who cannot get access to his or her system; or a call may come in masquerading as the boss who is about to fire the IT security expert.
Hacking techniques
• Social engineering may be an act of
  – Intimidation
  – Helpfulness: opposite of intimidation
  – Name-dropping: using names of authorised users
  – Technical, e.g. sending an email to a legitimate user, seeking a response that contains vital information
Hacking Techniques
• Keystroke logging: a keylogger is a tool designed to record ("log") every keystroke on an affected machine for later retrieval
  – Key loggers can be
    • Legitimate: to detect evidence of employee fraud, Mac on iPhone, iPads??
    • Illegitimate: to steal info, viruses
Hacking techniques: Denial of service
• DoS: an attempt made by attackers to make a computer's resources inaccessible to its intended users
• Attackers may not use their own systems; they create botnets (a network of zombie computers)
• All computers in a botnet are instructed to act against a single computer, network or server
• Distributed Denial of Service (DDoS) is on a network or web service
Hacking: Information gathering
• Identity management is the process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services, as well as the use of emerging technologies to control access to company resources.
  – Identity theft
• Access management is the process of regulating access to information assets by providing a policy-based control of who can use a specific system based on an individual's role and the current role's permissions and restrictions.
  – Unauthorised access
Information gathering
• What do robbers do before they break into a bank or anything else? They gather information.
• You can gather information to
  – Protect yourself
  – Harm others (hackers)
  – Just to know or solve a problem
• Example: http://www.shortinfosec.net/2009/02/security-information-gathering-brief.html
Areas of interest to attackers
Source: http://resources.infosecinstitute.com/network-intelligence-gathering/
Hacking: Insider threats
• A malicious insider threat is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems. (http://www.cert.org/insider-threat/)
• Insiders are now the biggest threat compared to hackers
• It is a big threat: agree/disagree?
• Cases: an entire payroll being published; Edward Snowden (former CIA, disclosed to several media outlets thousands of classified documents from his former employers)!!
  – Example report for your reading
Hacking: Rogue wireless points
• Rogue wireless access points entice you to connect.
• Consequences can be very bad
  – Information gathering
  – Stealing data
  – Installing malware
Hacking: Spam and email threats
• Spam is unsolicited email
• Spamming is the single most frequent attack on firewalls
• Threats include
  – Information harvesting
  – Malware introduction
  – Denial of service
  – Identity theft
Hacking: Spam and email threats
• Phishing: emails that ask for your personal information
• "Spear-phishing": carefully crafted emails to fool even security experts
Hacking: Attack on devices
• These devices include PDAs, USB drives and other hand-held devices.
  – Theft – both data and hardware
  – Hijack, interception
  – Malware, viruses, trojans etc.
Hacking: Routers & firewalls
• Interception
• Firewall vulnerabilities
  – A firewall is software, hence it can have bugs
  – Vendor back door
• Session hijacking / man-in-the-middle
  – Sniffing
  – May insert commands in between communication sessions
• Attack on exposed servers, e.g. SQL injection, default passwords etc.
  – An exposed port is vulnerable
Hacking wireless networks
• Wireless networks, sometimes called WiFi, allow you to connect to the internet without relying on wires. They use radio waves which connect to a hotspot carrying identifying information called a service set identifier (SSID)
Hacking wireless networks
• Hijack or intercept an unprotected connection
• A practice known as wardriving involves individuals equipped with a computer, a wireless card, and a GPS device driving through areas in search of wireless networks and identifying the specific coordinates of a network location.
• Wardriving can be used to intercept the connection between your computers and the hotspot
• Download of unlawful or dangerous content
Introduction to Cyber Security: Prevention
Attack prevention: DDoS
• Increase bandwidth:
  – Problem: bandwidth is not unlimited
• DDoS mitigation service
  – Use a DDoS protection and mitigation network and automated tools
  – Use anti-DDoS technicians who respond in real time as the DDoS attack characteristics vary
• Restrict connections to your servers: install/configure your routers and firewall so as to limit the connectivity
Attack prevention
• Harden your systems / lockdown
• Patch all your systems
• Install a firewall on each system, or at least on the network
Securing routers and the network
• Assess network security and degree of exposure to the Internet
  – Portscan your own network from outside to see the exposed services (TCP/IP services that shouldn't be exposed, such as FTP)
  – Run a vulnerability scanner against your servers
  – Monitor your network traffic
  – Refer to your system log
  – Check your firewall logs
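The last three checks (traffic, system log, firewall logs) can be partly automated. The script below is an added example, not material from the slides: it parses constructed firewall log lines in a simplified iptables-style format, lists services on a "should not be exposed" list (FTP, telnet and similar) that the firewall accepted from outside the assumed internal address ranges, and flags external sources that hit the same port repeatedly, which is what password guessing looks like in a log.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simplified iptables/syslog style (not real logs).
SAMPLE_LOG = """\
Jun 14 09:01:02 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Jun 14 09:01:05 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Jun 14 09:01:09 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Jun 14 09:01:12 gw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Jun 14 09:02:00 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
Jun 14 09:02:31 gw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=23
Jun 14 09:03:10 gw kernel: ACCEPT IN=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jun 14 09:03:40 gw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
"""

# Assumed internal address space; any other source counts as "outside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Services the slide says should not be reachable from the Internet (FTP), plus other
# clear-text or administrative protocols in the same category.
SHOULD_NOT_BE_EXPOSED = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+IN=(?P<iface>\S+)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r"\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["dpt"] = int(e["dpt"])
            events.append(e)
    return events


def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def exposed_services(events):
    """(dst, port, name) for listed ports that the firewall ACCEPTED from an external source."""
    found = set()
    for e in events:
        if e["action"] == "ACCEPT" and is_external(e["src"]) and e["dpt"] in SHOULD_NOT_BE_EXPOSED:
            found.add((e["dst"], e["dpt"], SHOULD_NOT_BE_EXPOSED[e["dpt"]]))
    return sorted(found)


def repeated_sources(events, threshold=3):
    """External sources hitting one destination port at least `threshold` times.

    DROPped attempts are counted too: repeated blocked attempts are still probing.
    """
    counts = Counter((e["src"], e["dst"], e["dpt"]) for e in events if is_external(e["src"]))
    return {key: n for key, n in counts.items() if n >= threshold}


def audit(text):
    events = parse_log(text)
    return {"exposed": exposed_services(events), "repeated": repeated_sources(events)}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for dst, port, name in report["exposed"]:
        print(f"exposed: {name}/{port} on {dst} accepted from outside")
    for (src, dst, port), n in report["repeated"].items():
        print(f"repeated: {src} -> {dst}:{port} {n} attempts")
```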
Securing routers and the network
• Limit who has access to the router configuration
• Ensure that there is control over who can make changes to the router configuration
• Reduce the services running on the router
• Encrypt passwords
• Ensure that you understand security loopholes which have been identified
Attack prevention: Use passwords
• Do not use
  – real words or combinations thereof
  – numbers of significance (e.g. birthdates)
  – similar/same password for all your accounts
• Characteristics of a strong password include:
  – Length
  – Structure: should never be a single word found in a dictionary
  – Distinctness: do not use one password for all of your access codes
  – Frequency: change password frequently
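The characteristics listed above can be checked mechanically before a password is accepted. The Python below is an added example, not from the slides: it implements the slide's rules as a policy check (minimum length, no dictionary words even after common digit substitutions, no birth-date-like numbers, no reuse across accounts, and a maximum age). The small wordlist, the 12-character minimum and the 90-day maximum age are assumed values.

```python
import re
from datetime import date

# Constructed stand-in for a real wordlist; a real check loads a full dictionary file.
DICTIONARY = {"password", "summer", "nairobi", "welcome", "admin", "secret", "letmein"}

# Substitutions attackers try first, so "p4ssw0rd" still counts as the word "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12    # assumed policy value; the slide only says "Length"
MAX_AGE_DAYS = 90  # assumed policy value for "change password frequently"


def looks_like_date(digits):
    """True if a 6- or 8-digit run parses as a plausible birth date (ddmmyyyy, yyyymmdd or ddmmyy)."""
    if len(digits) == 8:
        candidates = [(digits[4:], digits[2:4], digits[:2]), (digits[:4], digits[4:6], digits[6:])]
    elif len(digits) == 6:
        candidates = [(c + digits[4:], digits[2:4], digits[:2]) for c in ("19", "20")]
    else:
        return False
    for y, m, d in candidates:
        try:
            when = date(int(y), int(m), int(d))
        except ValueError:
            continue
        if 1900 <= when.year <= date.today().year:
            return True
    return False


def dictionary_words_in(password):
    """Dictionary words contained in the password, after undoing common substitutions."""
    normalised = password.lower().translate(LEET)
    return sorted(w for w in DICTIONARY if w in normalised)


def check_password(password, other_passwords=(), last_changed=None, today=None):
    """Return the list of policy violations; an empty list means the password is accepted.

    last_changed and today are ISO date strings (YYYY-MM-DD); today defaults to the real date.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} < {MIN_LENGTH}")
    words = dictionary_words_in(password)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    for run in re.findall(r"\d{6,8}", password):
        if looks_like_date(run):
            problems.append(f"contains a date-like number: {run}")
            break
    if password in other_passwords:
        problems.append("reused on another account")
    if last_changed is not None:
        now = date.fromisoformat(today) if today else date.today()
        if (now - date.fromisoformat(last_changed)).days > MAX_AGE_DAYS:
            problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2016", "P4ssw0rd15061990", "kite-river-42-lamp!"):
        print(pw, "->", check_password(pw) or "ok")
```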
Passwords (very important)
• "A password should be like a toothbrush. Use it every day; change it regularly; and DON'T share it with friends." (USENET)
• Don'ts for passwords (http://oreilly.com/catalog/csb/chapter/ch03.html)
  – Allow any logins without passwords. If you're the system administrator, make sure every account has a password.
  – Keep passwords that may have come with your system
  – Write your password down
  – Type a password while anyone is watching
  – Record your password online or send it anywhere via electronic mail
  – Keep the same password indefinitely
Attack prevention: Routers & network
• Encrypt connections
• Do not install software from little-known sites
• Limit access to your server(s)
• Use anti-virus software
• Install secure certificates on web sites
• Purchase and deploy products according to identified needs
Attack prevention: General
• Monitor suspicious traffic patterns
• Control mobile devices
• Do not use public email systems like Gmail, Yahoo!... for official work
• Do not use professional credentials online
• Regularly conduct awareness trainings
• Do employee background checks
• Continuous training and learning of new technologies and methods
Attack prevention: General
• Attend conferences and events by professional industry groups in computer security.
• Don't use generic usernames
• Prevent illegal "farmers" from "harvesting" your lists
• Use a strong firewall
Protection against attacks in social media
• Awareness training
• Regular vulnerability scans and tests
• Monitoring of networks for suspicious activity
• Implementation of best practices
• Avoid unsolicited installation of scripts
• An organizational usage policy is recommended
Securing cables
• Mainly against physical attack
• Monitoring – manual or automatic
• Use reputable, experienced providers
• Make sure the wires are properly hidden against the wall to prevent anyone from tripping on them and causing damage.
Securing firewalls
• Tighten the routers at your border to the Internet in terms of packets that can be admitted or let out.
• Deploy strong packet-filtering firewalls
• Set up proxy servers for services you allow through your packet-filtering firewalls
• Develop special custom-made server or Internet services client and server software
Securing firewalls
• Install updated service packs and enable auto-updates for the firewall
• Tweak the settings to your usage
• Keep settings consistent across your network
• Hide your PC/internal network whenever possible
• Do not use weak passwords
Securing firewalls: Best practice
• Use an acceptable usage policy
• Limit the number of applications that run on the firewall; let the firewall do its work.
• Ensure that you're filtering or disabling all unnecessary ports
• Regularly perform vulnerability assessments on your firewall
• Constantly monitor (or subscribe to) your firewall vendor's security bulletins
• Perform ongoing audits, at least yearly, on the firewall
Securing Mobile handheld devices
• Mobile handheld devices:
  – Any device operating to hold, store, process, and access data, including smartphones, cellphones, tablets, or personal digital assistants (PDAs)
• The primary risk to any hand-held device is loss or theft of the device.
Securing mobile handheld devices
• Passcode lock
• Automatic sleep mode
• Remote wipe: enable the ability to remotely wipe the device
• Data encryption, or do not keep confidential data on the device
• Disable any short-range network, e.g. Bluetooth and Wi-Fi, when not needed
• Know what GPS and location-based services can do
Securing mobile handheld devices
• Avoid sharing mobile devices
• Back up your data, especially contacts
• Do not use rogue Wi-Fi networks; ensure the network has a password
• Install apps from trusted sources
• Delete any text you receive with passwords or other sensitive information
Securing mobile handheld devices
• Wipe each device thoroughly before disposing of it
• Install updates and anti-virus software if available
• Treat your mobile devices like your wallet or purse
• If you lose your mobile, change your login details such as email passwords immediately and contact the phone provider
Securing laptop computers
• Treat it like cash
• Get it out of the car… don't ever leave it behind
• Keep it locked… use a security cable
• Keep it off the floor… or at least between your feet
• Keep passwords separate… not near the laptop or case
• Don't leave it "for just a sec"… no matter where you are
• Pay attention in airports… especially at security
Securing laptop computers
• Use bells and whistles… if you've got an alarm, turn it on
• Avoid distraction
• Mind the bag: it may give away that you have a laptop
• Be vigilant in hotels
• Know where to turn for help
• No one thinks their laptop will be stolen: start thinking about it from today
Penetration testing
• Also called pen testing, it is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.
  – Sometimes called white hat: the good guys break in
  – Main objective is to identify weaknesses
  – Can be manual or automated
Penetration testing: process
• The generic process is
  – Information gathering about the target
  – Identifying possible entry points
  – Attempting to break in (either virtually or for real)
  – Reporting back the findings
Penetration testing: strategies
• Targeted testing: by the IT team and the pen test team together; a "lights-turned-on" pen test
• External testing: on externally visible servers
• Internal testing: mimics an inside attack by a user with standard privileges
• Blind testing: the team performing the attack has limited information, e.g. only the company name
• Double-blind testing: only a few people might be aware a test is being conducted
Penetration testing
• Various tools for pen tests exist.
• Class exercise:
  – Look for open source pen test tools
  – Try using simple open source pen test tools
Preventing Data Loss (PDL)
• Data can be: any data or sensitive data.
  – Identify: identify where you have stored data under your control.
  – Inventory what data you have stored in ALL of these places
  – Dispose: do not keep any sensitive data, e.g. credit card numbers, ID etc., in electronic form unless you absolutely must
  – Stop and think whenever handling sensitive data
Preventing Data Loss (PDL)
• Saving to the wrong locations
  – Do not save data in wrong locations
  – Do not save sensitive data on mobile or removable media
  – Do not save sensitive data in a shared environment; it should be in a private area on a secure server, and the data should be encrypted
• Not knowing where your sensitive data is
  – You may share a file with sensitive data without knowing
• Human error
  – If you know there has been an incident, do incident response
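The Identify/Inventory/Dispose steps on the previous slide and the "not knowing where your sensitive data is" point above both come down to finding sensitive values you did not know were stored. The scanner below is an added example, not material from the slides: it walks a directory tree, finds card-number-shaped digit runs, filters them with the Luhn check so phone numbers and ID numbers are not reported, and returns a masked inventory per file. The sample files are constructed inside a temporary directory; 4111 1111 1111 1111 is the widely published Visa test number.

```python
import os
import re
import tempfile

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test; rejects most arbitrary digit runs (phone numbers, ID numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit strings in `text` that look like card numbers and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits):
    """Keep only the last four digits so the inventory itself is not sensitive."""
    return "*" * (len(digits) - 4) + digits[-4:]


def inventory(root):
    """Map each file under `root` that contains card-like numbers to its masked matches."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_card_numbers(fh.read())
            except OSError:
                continue
            if hits:
                found[os.path.relpath(path, root)] = [mask(h) for h in hits]
    return found


# Constructed sample files: one with card numbers, one with number runs that are not cards.
SAMPLE_FILES = {
    "finance/orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,4242-4242-4242-4242\n",
    "hr/phones.txt": "Reception 0712345678901\nKiosk 1234567890123\n",
    "notes/readme.txt": "nothing sensitive here\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="dlp-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, hits in inventory(build_sample_tree()).items():
        print(path, hits)
```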
Securing wireless networks
• Change default passwords: most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup
• Restrict access: only allow authorized users to access your network (use the media access control (MAC) address of every device)
• Encrypt the data on your network
Securing wireless networks
• Protect your SSID: to avoid outsiders easily accessing your network, avoid publicizing your SSID; turn network name broadcasting off
• Use a firewall
• Use up-to-date anti-virus
• Change the default name of the network
Physical security
• Physical access: definition
  – Server room
  – Office with network computers
  – Other areas
• Measures
  – E.g. log book, biometrics
  – One controlling point, e.g. a soldier
• How do you trace back in case of a breach? Incident response
Physical security
• Computer physical security is a methodology for safeguarding computer systems, peripherals and all assets that form these systems. It is as important as other security.
• Any other computing security starts at the physical level
• Example of a physical access security policy: http://dii.vermont.gov/sites/dii/files/pdfs/Physical-Security-for-Computer-Protection.pdf
  – Use of secure areas to protect data and information
  – Physical access management to protect data and information
Physical access: Measures
• Restrict access: for servers and other important computing devices, out of sight, out of mind is the motto. Make sure the most vulnerable devices are in that locked room
• Set up surveillance: you need to know who goes in or out, authorised or unauthorised (CCTV, log book etc.)
• Protect the hard drives: lock them up using case locks
• Protect any workstations in the network, even the one at the reception!
Physical access: Measures
• Protect the portables: a laptop or hand-held device may be stolen with saved passwords or data; lock them up
• Pack up the backups: do not keep backups in the same place as the servers. Do not leave them anywhere!
• Disable the drives, e.g. USB, floppy or CD-ROM; they may be used to fraudulently copy data
• Printers and other output devices save a lot of information; protect them. Mostly ignored.
Incident handling
• What is an incident?
• Handling?
Incident handling
• What is an incident? Must be defined
• How to report, who to contact
• Plan your strategies and course of action
• Have a policy in place
• Have written procedures to follow
• Communications: notifying affected personnel
• Incident handling, e.g. what happened at JKIA?
Incident Response Plan
Documentation – of incident at all stages, needed forevidence and post-incident review Determination – determining an incident, admitting anincident has occurred Notification – advising appropriate parties i.e. management,police, legal counsel etc. Containment – minimising the impact of the incident Assessment – assess the scope of the damage Eradication – removal of the cause of the incident Recovery – return system back to normal with fixes in place
Incident detection
• Accidental or malicious source?
• Need to monitor to detect incidents and violations
• Must have profiles of vulnerability – list of known vulnerabilities
• Use Intrusion Detection Systems (IDS)
– Profiles of normal activity for computer networks, users, and attack patterns
• Physical access Intrusion Detection System
• In most cases, internal staff pick up suspected abnormal behavior and situations
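A small added example (not from the slides) of what a "profile of normal activity" for users looks like in practice: a baseline of source hosts and login hours is learned from a quiet window of constructed sshd-style log lines, and later logins are flagged when they leave that profile or follow a burst of failures. The log format, host names and addresses are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sshd/syslog-style lines (not from any real system): a quiet
# baseline window followed by a window to check against it.
BASELINE_LOG = """\
2016-06-01T08:05:12 srv1 sshd: Accepted password for alice from 10.0.1.20
2016-06-02T09:30:01 srv1 sshd: Accepted password for alice from 10.0.1.21
2016-06-02T17:45:33 srv1 sshd: Accepted password for bob from 10.0.2.5
2016-06-03T16:10:09 srv1 sshd: Accepted password for bob from 10.0.2.5
"""
NEW_LOG = """\
2016-06-10T08:15:00 srv1 sshd: Accepted password for alice from 10.0.1.20
2016-06-10T03:02:11 srv1 sshd: Failed password for bob from 198.51.100.7
2016-06-10T03:02:14 srv1 sshd: Failed password for bob from 198.51.100.7
2016-06-10T03:02:17 srv1 sshd: Failed password for bob from 198.51.100.7
2016-06-10T03:02:20 srv1 sshd: Accepted password for bob from 198.51.100.7
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) "
                     r"password for (?P<user>\S+) from (?P<src>\S+)$")

def parse(log):
    """Yield (timestamp, hour, result, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], int(m["ts"][11:13]), m["result"], m["user"], m["src"]

def build_profile(log):
    """Profile of normal activity per user: source hosts and login hours seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for _, hour, result, user, src in parse(log):
        if result == "Accepted":
            profile[user]["hosts"].add(src)
            profile[user]["hours"].add(hour)
    return dict(profile)

def detect(profile, log, fail_threshold=3):
    """Flag successful logins that deviate from the user's profile or that
    follow a burst of failures from the same source (a password-guessing pattern)."""
    alerts, failures = [], defaultdict(int)   # failures: (user, src) -> count
    for ts, hour, result, user, src in parse(log):
        if result == "Failed":
            failures[(user, src)] += 1
            continue
        reasons, p = [], profile.get(user)
        if p is None:
            reasons.append("unknown user")
        else:
            if src not in p["hosts"]:
                reasons.append("new source host")
            if hour not in p["hours"]:
                reasons.append("outside usual hours")
        if failures[(user, src)] >= fail_threshold:
            reasons.append("success after %d failures" % failures[(user, src)])
        failures[(user, src)] = 0
        if reasons:
            alerts.append((ts, user, src, reasons))
    return alerts
```

Every alert names the reasons it fired, so the person triaging it (often the internal staff the slide mentions) can judge whether the deviation is accidental or malicious.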
Reaction
• Reactive activities must reflect good business practices and support the organisation's objectives and/or missions
• Must provide protection of personnel and information assets
• The Security Incident Plan must be separate from the Disaster Recovery Plan
Incident response philosophies
• Watch and Warn – monitor and notify appropriate personnel on detection of an incident
• Repair and Report – identify the intrusion, repair the vulnerability or contain the situation, and close the incident as soon as possible
• Pursue and Prosecute – monitor the attack, collect and maintain evidence, prosecute via the legal system
Response
• Define roles for personnel, responsibilities and authority for each role
• Determine costs for establishing the response plan
• Define under what circumstances services can be disabled
• Define who has authority to shut down services
• Isolate affected segments/machines – both to limit further infection and to gather evidence
Incident notification
• Minimise surprises
• Notify in a timely manner, to the appropriate people, following written procedures
• Notify the response team, management and chief security manager (or equivalent)
• Contact
– Organisations offering advisory and assistance response e.g. CERT
– Affected parties and partners
– Law enforcement
– News media
Incident Containment
• Stop the spread of contamination or abuse
• Determine the affected systems
• Deny access, where possible
• Eliminate rogue processes
• Regain control
– Lock out the attacker/abuser
– Block the source
– Disable the service affected
– Disconnect from the network or Internet
• Clean the system
• Rebuild the system
Assessing the damage
• Determine the scope of damage
– Compromised data, systems, services, privileges, etc.
• Determine the length of the incident
• Determine the cause of the incident
– Vulnerability exploited
– Safeguard bypassed
– Detection avoided
• Determine the responsible party
– Source of attack
– Online identity
– Attack fingerprints
Incident recovery
• Set priorities based upon costs and criticality
• Repair the vulnerability – do not leave the hole for others to abuse
– Apply a patch
– Disable the service
– Change the procedure
– Redesign
• Improve the safeguard
• Update detection systems
• Restore data and services
• Monitor for additional signs of attack
Incident documentation
• Documentation is needed to provide evidence and for post-incident review
• Some sources of evidence/documentation come from video surveillance systems, electronic security monitoring systems, handwritten journals, service logs, telephone logs, interviews, etc.
• Develop an incident timeline
• Each event must be supported by the original documents – this is crucial
Sources of Information
• Help desk logs
• Network logs
• System logs
• Administration logs
• Physical access logs
• Accounting logs
• Audit logs
• Security logs
• Backups
• Staff clock logs
• Staff
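An added example (not from the slides) of the incident timeline the documentation slide calls for, built from three of the sources listed above: a help desk ticket, a firewall log and a system auth log. Each source uses its own timestamp convention, so every line is normalised to UTC before merging, and every event keeps a (source, line number) citation back to the original record. All extracts are constructed, and the assumption that help desk stamps are local time at UTC+3 is made only for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed extracts from three sources named on the slide (not real data).
# Each source keeps its own timestamp convention, which is the usual obstacle
# when building a timeline: local wall clock, epoch seconds, and ISO-8601 UTC.
SOURCES = {
    "helpdesk.csv": (
        "2016-06-10 06:20,ticket 4411,user bob reports being locked out",
    ),
    "firewall.log": (
        "1465527700 DENY 198.51.100.7 -> 10.0.0.15:22",
        "1465527710 ALLOW 198.51.100.7 -> 10.0.0.15:22",
    ),
    "srv1-auth.log": (
        "2016-06-10T03:02:17Z srv1 sshd: Failed password for bob from 198.51.100.7",
        "2016-06-10T03:02:20Z srv1 sshd: Accepted password for bob from 198.51.100.7",
    ),
}
# Help desk stamps are local time at UTC+3 (an assumption for this example).
LOCAL_TZ = timezone(timedelta(hours=3))

def parse_time(source, line):
    """Return the line's timestamp as an aware UTC datetime, per source format."""
    if source == "helpdesk.csv":
        stamp = line.split(",", 1)[0]
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL_TZ)
        return local.astimezone(timezone.utc)
    if source == "firewall.log":
        return datetime.fromtimestamp(int(line.split(" ", 1)[0]), tz=timezone.utc)
    if source == "srv1-auth.log":
        return datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("no parser for source %s" % source)

def build_timeline(sources):
    """Merge all source lines into one chronological list of events. Every
    event carries (source, line number) so it can be traced to the original
    record, as the documentation slide requires."""
    events = []
    for name, lines in sources.items():
        for n, line in enumerate(lines, start=1):
            events.append({"time": parse_time(name, line), "source": name,
                           "line": n, "event": line})
    return sorted(events, key=lambda e: e["time"])

def render(events):
    """One line per event, in UTC, with its citation to the source record."""
    return ["%s | %s:%d | %s" % (e["time"].strftime("%Y-%m-%d %H:%M:%SZ"),
                                 e["source"], e["line"], e["event"])
            for e in events]
```

Merged, the timeline shows the firewall and auth events eighteen minutes before the help desk ticket, which is the kind of gap a post-incident review should ask about.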
Computer forensics investigations
Computer forensics investigations
• Electronic record: any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
• Computer Forensics: Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
• Anti-forensics is the process of cybercriminals getting into a targeted environment and hacking the forensics tools themselves.
Computer forensics investigations & Incident handling
• Handling data under investigation
– For hand-held devices, mobile phones
– For computers, servers and laptops
– Any other computing devices
Computer forensics investigations: Some history
• Early in the 1970s students discovered how to gain unauthorized access to large timeshared computer systems.
• 1978: the Florida Computer Crime Act was the 1st law to help deal with computer fraud and intrusion. Employees at a dog track used a computer to print fraudulent winning tickets. The act also defined all unauthorized access as a crime.
• 1984: the US Federal Computer Fraud and Abuse Act was passed. (Morris Worm 1988)
Properties of digital evidence
• Digital evidence is any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as intent or alibi. (Casey, Eoghan. Digital Evidence and Computer Crime, p12)
• Extremely fragile, similar to a fingerprint.
Properties of digital evidence
• “Latent”: it cannot be seen in its natural state, much like DNA.
– Any actions that can alter, damage or destroy digital evidence will be scrutinized by the courts.
• Is often constantly changing and can be very time sensitive
• Can transcend borders with ease and speed
Recognizing Potential Evidence
There are many ways:
1. Contraband or fruits of a crime
– Stolen Computer Equipment
– Stolen Software
2. A tool of the offense
– Theft committed using computer
– Fraud committed using computer
– E-mail sent from a computer
– Sex offense committed after being arranged on computer
– Fraudulent money or ID’s made with computer
Recognizing Potential Evidence (cont.)
3. Only incidental to the offense
– Drug dealer maintaining records or ordering supplies
– Child molester keeping records on children
– Suicide notes or pictures of the crime stored online
– Victim keeping diary or electronic journal
– Suspect searching the web for info about crime
– Credit card fraud records being kept on computer
– Child pornography being stored on computer
Recognizing Potential Evidence (cont.)
4. Both instrumental to the offense and a storage device for evidence
– Hacker uses computer to attack another system and stores the information on their computer.
– Child pornographer uses computer to manufacture, distribute and store pornography
Types of crime that might involve digital evidence
– Online auction fraud
– Child exploitation/Abuse
– Computer Intrusion
– Homicide
– Domestic Violence
– Economic Fraud, Counterfeiting
– Threats, Harassment, Stalking
– Extortion
– Gambling
– Identity Theft
– Narcotics
– Prostitution
– Software Piracy
– Telecom Fraud
Types of investigations
• Internal: no search warrant or subpoena needed, quickest investigation
– Corporate investigation that involves an IT administrator reviewing documents that they should not be viewing.
• Civil: the other side may own the data, may need a subpoena
– One party sues another over ownership of intellectual property; must acquire and authenticate digital evidence so it can be submitted in court.
• Criminal: highest stakes, accuracy and documentation must be of the highest quality, slowest moving
– Child porn investigation that involves possession and distribution of contraband.
Qualities of a good investigator
• Highest level of ethics
• Unbiased
• States facts not opinions (unless requested to do so)
• Aware of when to call for help
• Has good documentation skills
• Good communication skills
• Follows the same process/methodology every time
Incident response and business continuity plans
• Business continuity (BC) is enabling your business to stay on course whatever storms it is forced to weather.
• BC is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)
Incident response and business continuity plans
• Three key elements for business continuity are: (wikipedia)
1. Resilience: critical business functions and the supporting infrastructure should not be materially affected by most disruptions.
2. Recovery: arrangements are made to recover or restore critical and less critical business functions that fail for some reason.
3. Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen.
Business Continuity Management
• Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (Source: ISO 22301:2012) - BCI.org
Maltego: for showing the connections you have
• Find out about Maltego