10-4
© 2015 Pearson Education Ltd.
10.1 Introduction
10.2 Incident Response Process
10.3 Intrusion Detection Systems
10.4 Business Continuity Planning
10.5 IT Disaster Recovery
The Situation
◦ Hurricane Katrina devastated New Orleans in 2005
Followed shortly by Hurricane Rita
◦ The U.S. Federal Emergency Management Agency
(FEMA) botched the relief effort
Walmart Is the Largest Retailer in the U.S.
◦ Supplied $20 million in cash
◦ Supplied 100,000 free meals
◦ 1,900 truckloads full of diapers, toothbrushes, other
emergency supplies
45 trucks were rolling before the hurricane hit
land
◦ Provided police and relief workers with flashlights,
batteries, ammunition, protective gear, and meals
What Was Walmart’s Process?
Walmart Business Continuity Center
◦ A permanent department with a small core staff
◦ Activated two days before Katrina hit
◦ Soon, 50 managers and specialists were at work in
the center
Walmart Business Continuity Center
◦ Before computer network went down, sent detailed
orders to its distribution center in Mississippi
◦ Recovery merchandise for stores: bleach, mops, etc.
◦ 40 power generators to supply stores with backup
power
◦ Sent loss-prevention employees to secure stores
Communication
◦ Network communication failed
◦ Relied on telephone to contact its stores and other
key constituencies
Response
◦ Stores came back to business within days
◦ Engaged local law enforcement to preserve order in
lines to get into stores
Preparation
◦ Full-time director of business continuity
◦ Detailed business continuity plans
◦ Clear lines of responsibility
Multitasking
◦ During all of this, also monitored a hurricane off
Japan
Incidents Happen
◦ Protections inevitably break down, occasionally
◦ Successful attacks are called security incidents,
breaches, or compromises
Incident Severity
◦ False alarms
Apparent compromises are not real compromises
Also called false positives
Handled by the on-duty staff
Wastes time and may dull vigilance
Incident Severity
◦ Major incidents
Beyond the capabilities of the on-duty staff
Must convene a Computer Security Incident
Response Team (CSIRT)
CSIRT needs participation beyond IT security
Incident Severity
◦ Disasters
Fires, floods, hurricanes, major terrorist attacks
Must assure business continuity
Maintaining the day-to-day operations of the firm
Requires a business continuity group headed by a
senior manager
Core permanent staff will facilitate activities
IT disaster response is restoring IT services
May be a subset of business continuity
May be a stand-alone IT disaster
Speed and Accuracy Are Essential
◦ Speed of response can reduce damage
Attacker will have less time to do damage
The attacker cannot burrow as deeply into the
system and become very difficult to detect
Speed is also necessary in recovery
Speed and Accuracy Are Essential
◦ Accuracy is equally important
Common mistake is to act on incorrect
assumptions
If problem is misdiagnosed or the wrong
approach is taken, can make things much worse
Take your time quickly
Planning Before an Incident or Disaster
◦ Decide what to do ahead of time
◦ Time to consider matters thoroughly and without
the time pressure of a crisis
◦ During an attack, human decision-making skills
degrade
◦ Incident response is reacting to incidents according
to plan
◦ Must have flexibility within the plan to adapt
◦ Best to adapt within a plan than to improvise
completely
Team Members Must Rehearse the Plan
◦ Rehearsals find mistakes in the plan
◦ Practice builds speed
Types of Rehearsals
◦ Walkthroughs (table-top exercises)
◦ Live tests (actually doing planned actions) can find
subtle problems, but are expensive
10.1 Introduction
10.2 Incident Response Process
10.3 Intrusion Detection Systems
10.4 Business Continuity Planning
10.5 IT Disaster Recovery
Process for Major Incidents
Detection, Analysis, and Escalation
◦ Must detect through technology or people
Need good intrusion detection technology
All employees must know how to report incidents
◦ Must analyze the incident enough to guide
subsequent actions
Confirm that the incident is real
Determine its scope: Who is attacking; what are
they doing; how sophisticated they are, etc.
Detection, Analysis, and Escalation
◦ If deemed severe enough, escalate to a major
incident
Pass to the CSIRT, the disaster response team, or
the business continuity team
Containment
◦ Disconnection of the system from the site network
or the site network from the Internet (damaging)
Harmful, so must be done only with proper
authorization
This is a business decision, not a technical
decision
Containment
◦ Black holing the attacker: dropping all traffic from the
attacker's addresses (only works for a short time; the
attacker can change addresses)
◦ Continue to collect data to understand the situation
(allows harm to continue)
Especially necessary if prosecution is desired
Recovery
◦ Repair during continuing server operation
Avoids loss of availability
No loss of data
Risk: a rootkit or other persistence the attacker
installed may survive the repair, so the system cannot
be fully trusted
Recovery
◦ Data
Restoration from backup tapes
Loses data since last trusted backup
Recovery
◦ Software
Total software reinstallation of operating system
and applications may be necessary for the system
to be trusted
Manual reinstallation of software
Need installation media and product activation keys
Must have good configuration documentation before the
incident
Reinstallation from a disk image
Can greatly reduce time and effort
Requires a recent disk image
Apology
◦ Acknowledge responsibility and harm without
evasion or weasel words
◦ Explain potential inconvenience and harm in detail
◦ Explain what actions will be taken to compensate
victims, if any
Punishment
◦ Punishing employees is usually fairly easy
Most employees are at-will employees
Companies usually have wide discretion in firing
at-will employees
This varies internationally
Union agreements may limit sanctions or at least
require more detailed processes
Punishment
◦ The decision to pursue criminal prosecution
Must consider cost and effort
Must consider probable success if pursued
(attackers are often minors or foreign nationals)
Loss of reputation because the incident becomes
public
Punishment
◦ Collecting and managing evidence
Forensics: Courts have strict rules for admitting
evidence in court
Call the authorities and a forensics expert for help
Punishment
◦ Collecting and managing evidence
Protecting evidence
Pull the plug on a server if possible
This is a business decision, not an IT decision
Post-mortem Evaluation
◦ What should we do differently next time?
Organization of the CSIRT
◦ Should be led by a senior manager
◦ Should have members from affected line operations
◦ IT security staff may manage the CSIRT’s operations on a
day-to-day basis
◦ Might need to communicate with the media; only do so
via public relations
◦ Corporate legal counsel must be involved to address
legal issues
◦ Human resources is necessary, especially if there will be
sanctions against employees
Criminal Law versus Civil Law
◦ Deals with
Criminal: violations of criminal statutes
Civil: interpretations of rights and duties that companies
or individuals have relative to each other
◦ Penalties
Criminal: jail time and fines
Civil: monetary penalties and orders to parties to take or
not take certain actions
◦ Cases brought by
Criminal: prosecutors
Civil: the plaintiff, who is one of the two parties
◦ Criterion for verdict
Criminal: beyond a reasonable doubt
Civil: preponderance of the evidence (usually)
◦ Requires mens rea (guilty mind)
Criminal: usually
Civil: rarely, although it may affect the imposed penalty
◦ Applicable to IT security
Criminal: yes, to prosecute attackers and to avoid
breaking the law
Civil: yes, to avoid or minimize civil trials and judgments
Cyberlaw
◦ Cyberlaw is any law dealing with information
technology
Jurisdictions
◦ Areas of responsibility within which government
bodies can make and enforce law, but beyond
which they cannot
The United States Federal Judicial System
◦ U.S. District Courts
94 in the United States
Trial decisions bind only the litigants; they do not set
precedent
The United States Federal Judicial System
◦ U.S. Circuit Courts of Appeal
13 in the United States
Do not conduct trials
Review district court decisions
Decisions are precedents only for the district
courts under the circuit court of appeals making a
decision
The United States Federal Judicial System
◦ U.S. Supreme Court
Final arbiter of U.S. Federal law
Only hears about 100 cases per year
Usually only reviews cases that involve conflicts
between appellate court precedents or important
constitutional issues
U.S. State and Local Law
◦ In the United States, many powers are reserved for
the states
◦ This typically includes the prosecution of crimes
taking place within a state or that do not affect
interstate commerce
◦ For most cybercrimes committed within a state,
state law applies
◦ State cybercrime laws vary widely
◦ Local police usually investigate crimes under both
local and state laws
International Law
◦ Differences are wide and rapidly changing
(generally improving)
◦ Important to multinational firms
◦ Also important to purely domestic firms
Suppliers and buyers may be in other countries
Attackers may be in other countries
◦ Several treaties exist to harmonize laws and
facilitate cross-border prosecution
Generally immature
Admissibility of Evidence
◦ Unreliable evidence may be kept from juries
◦ Belief that juries cannot evaluate unreliable
evidence properly
◦ Example: Hearsay evidence
Federal Rules of Evidence and Federal Rules of Civil Procedure
◦ Guide U.S. federal courts
◦ The Federal Rules of Evidence govern admissibility,
including authentication of electronic records
◦ The 2006 amendments to the Federal Rules of Civil
Procedure added explicit rules for preserving and
producing electronically stored information in discovery
Computer Forensics Experts
◦ Professionals trained to collect and evaluate
computer evidence in ways that are likely to be
admissible in court
◦ Meet with them before there is a need because the
initial moments of an intrusion require correct
action
Expert Witnesses
◦ Normally, witnesses can only testify regarding facts,
not interpretations
◦ Expert witnesses may interpret facts to make them
comprehensible to the jury in situations where
juries are likely to have a difficult time evaluating
the evidence themselves
18 U.S.C. § 1030 (Computer Fraud and Abuse Act)
◦ United States Code Title 18, Part I (Crimes), Section
1030
◦ Actions prohibited
Hacking
Malware
Denial of service
18 U.S.C. § 1030
◦ Protected computers
Applicability is limited to protected computers
Includes “government computers, financial
institution computers, and any computer which is
used in interstate or foreign commerce or
communications”
◦ Several provisions require a loss threshold ($5,000
aggregated over a one-year period) before a damage
offense under § 1030(a)(5) becomes a felony or a civil
action can be brought
The FBI may in practice require even higher damages
before it will take a case
18 U.S.C. § 2511 (Wiretap Act)
◦ Prohibits the interception of electronic communications
while they are en route
◦ Messages already received and stored are covered
separately by the Stored Communications Act
(18 U.S.C. § 2701 et seq.)
◦ Provider exception: the operator of an e-mail service may
intercept or read messages when necessary to provide
the service or to protect its rights and property
A company that owns and operates its e-mail system
therefore generally can read employee e-mail; confirm
the scope of the exception with legal counsel
Other Federal Laws
◦ Many traditional federal criminal laws may apply in
individual cases
◦ Examples include fraud, extortion, and the theft of
trade secrets
◦ These laws often have far harsher consequences
than cybercrime laws
10.1 Introduction
10.2 Incident Response Process
10.3 Intrusion Detection Systems
10.4 Business Continuity Planning
10.5 IT Disaster Recovery
Intrusion Detection Systems (IDSs)
◦ Event logging for suspicious events
◦ Sometimes send alarms
◦ A detective control, not a preventative or
restorative control
Network IDSs (NIDSs)
◦ Stand-alone device or built into a switch or router
◦ Can see all packets passing through them (and, if
deployed inline, filter them)
◦ Switch or router NIDSs can collect data on all ports
◦ Collects data for only its portion of the network
Blind spots in network where no NIDS data is
collected
◦ Cannot inspect the payloads of encrypted packets
Host IDSs (HIDSs)
◦ Attractions
Provide highly detailed information for the
specific host
◦ Weaknesses
Limited viewpoint; only one host
Can be attacked and disabled
Host IDSs (HIDSs)
◦ Operating System Monitors
Collect data on operating system events
Multiple failed logins
Creating new accounts
Adding new executables (programs—may be
attack programs)
Host IDSs (HIDSs)
◦ Operating System Monitors
Modifying executables (installing Trojan horses
does this)
Adding registry keys (changes how system works)
Changing or deleting system logs and audit files
Changing system audit policies
User accessing critical system files
User accessing unusual files
Changing the OS monitor itself
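Several of the events listed above (adding executables, modifying executables, deleting audit files) are caught in practice by a file-integrity check: hash every file once, then re-hash and diff. The following is an added example written for this page, not code from the textbook. It baselines the SHA-256 digest and permission bits of every regular file under a directory and reports additions, removals and modifications; the directory layout, file names and contents in demo() are constructed for the example.

```python
"""File-integrity monitor in the style of a host IDS operating-system monitor.
Added example for this page (not code from the textbook).  The directory
layout and file contents used in demo() are constructed."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to (sha256, permission bits).

    Symlinks are skipped so an attacker cannot point a monitored name at a
    file the monitor already trusts."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            mode = os.stat(full).st_mode & 0o7777
            baseline[os.path.relpath(full, root)] = (hash_file(full), mode)
    return baseline


def compare(baseline, current):
    """Diff two baselines; a changed digest or changed mode both count as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed tree, simulate an intrusion, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/ps": b"#!/bin/sh\n/usr/bin/ps \"$@\"\n",
            "bin/ls": b"#!/bin/sh\n/usr/bin/ls \"$@\"\n",
            "var/log/auth.log": b"Accepted password for admin\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)

        # Simulated attacker actions: trojan ps so it hides a process name,
        # drop a new executable, and delete the log that recorded the login.
        with open(os.path.join(root, "bin/ps"), "wb") as fh:
            fh.write(b"#!/bin/sh\n/usr/bin/ps \"$@\" | grep -v backdoor\n")
        with open(os.path.join(root, "bin/nc"), "wb") as fh:
            fh.write(b"\x7fELF constructed placeholder, not a real binary")
        os.remove(os.path.join(root, "var/log/auth.log"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline itself must be stored where the monitored host cannot rewrite it (read-only media or another machine), because the last event in the list above, changing the OS monitor itself, includes tampering with its baseline.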
Log Files
◦ Flat files of time-stamped events
◦ Individual logs for single NIDS or HIDS
◦ Integrated logs
Aggregation of event logs from multiple IDS
agents (next two slides)
Difficult to create because of format
incompatibilities
Time synchronization of IDS event logs is crucial
(Network Time Protocol)
Event Correlation (Figure 10-19)
◦ Suspicious patterns in a series of events across
multiple devices
◦ Difficult because the relevant events exist in much
larger event streams that are logged
◦ Usually requires many analyses of the integrated
log file data
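The points about integrated logs (format incompatibilities, time synchronization) and event correlation across devices are shown together in the added example below, which is not code from the textbook. Two constructed log excerpts are used: host web1 writes syslog-style sshd lines and host dc1 writes comma-separated Windows-style security events; the host names, addresses, user names and the two-hour clock error on dc1 are all assumptions made for the example. The correlation rule looks for repeated failed logins followed by a success for the same user and source, then an account created by that user on any host shortly afterwards.

```python
"""Integrated log plus event correlation across two hosts.  Added example for
this page (not code from the textbook).  Both log excerpts are constructed;
dc1's clock is assumed to run two hours fast because it is not NTP-synchronized."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WEB1_LOG = """\
2015-03-02T10:00:05 web1 sshd: Failed password for admin from 203.0.113.7
2015-03-02T10:00:09 web1 sshd: Failed password for admin from 203.0.113.7
2015-03-02T10:00:14 web1 sshd: Failed password for admin from 203.0.113.7
2015-03-02T10:00:21 web1 sshd: Accepted password for admin from 203.0.113.7
2015-03-02T10:03:40 web1 cron: backup job finished
"""
DC1_LOG = """\
2015-03-02 12:05:10,dc1,4720,A user account was created,TargetUser=svc_backup2,Subject=admin
2015-03-02 12:07:00,dc1,4624,An account was successfully logged on,TargetUser=jsmith,Subject=-
"""
# Correction that brings each host's clock to the reference time (constructed).
CLOCK_OFFSETS = {"web1": timedelta(0), "dc1": timedelta(hours=-2)}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$")


def parse_web1(text, offsets):
    """Normalize sshd lines into common event dicts; other daemons are ignored."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"]) + offsets[m["host"]]
        events.append({"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                       "type": "login_fail" if m["outcome"] == "Failed" else "login_ok"})
    return events


def parse_dc1(text, offsets):
    """Normalize Windows event 4720 (account created) into the common format."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 5 or parts[2] != "4720":
            continue
        fields = dict(p.split("=", 1) for p in parts[4:])
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S") + offsets[parts[1]]
        events.append({"ts": ts, "host": parts[1], "type": "account_created",
                       "user": fields["TargetUser"], "actor": fields["Subject"]})
    return events


def integrate(*event_lists):
    """Merge per-host event lists into one time-ordered integrated log."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, fail_window=timedelta(minutes=5),
              follow_window=timedelta(minutes=10)):
    """Flag: N+ failed logins, then success for the same user and source, then
    that user creating an account on any host within follow_window."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    for i, ev in enumerate(events):
        key = (ev.get("user"), ev.get("src"))
        if ev["type"] == "login_fail":
            failures[key].append(ev["ts"])
        elif ev["type"] == "login_ok":
            recent = [t for t in failures[key] if ev["ts"] - t <= fail_window]
            if len(recent) < fail_threshold:
                continue
            for later in events[i + 1:]:
                if later["ts"] - ev["ts"] > follow_window:
                    break
                if later["type"] == "account_created" and later["actor"] == ev["user"]:
                    alerts.append({"kind": "bruteforce_then_account_created",
                                   "user": ev["user"], "src": ev["src"],
                                   "login_host": ev["host"], "account_host": later["host"],
                                   "new_account": later["user"]})
    return alerts


def run(correct_clocks=True):
    """Alerts produced with, or without, the clock correction applied."""
    offsets = CLOCK_OFFSETS if correct_clocks else defaultdict(timedelta)
    log = integrate(parse_web1(WEB1_LOG, offsets), parse_dc1(DC1_LOG, offsets))
    return correlate(log)
```

With the clock correction applied, the account creation on dc1 lands under five minutes after the successful login on web1 and the pattern fires; with dc1's raw timestamps the same two events appear two hours apart and the correlation silently misses them, which is why the slide calls time synchronization crucial.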
Sample Log File
(Figure not reproduced; many irrelevant log entries not shown)
Tuning for Precision
◦ Too many false positives
False alarms
Can overwhelm administrators, dull vigilance
◦ False negatives allow attacks to proceed unseen
Tuning for Precision
◦ Tuning for false positives turns off unnecessary
rules, reduces alarm levels of unlikely rules
For instance, alarms for attacks against Solaris
operating systems can be deleted if a firm has no
Sun Microsystems servers
Tuning requires a great deal of expensive labor
Even after tuning, most alerts will be false
positives
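The Solaris example above is a rule-suppression decision driven by the asset inventory. The added example below (not code from the textbook) applies that kind of tuning to a constructed batch of alerts and measures precision before and after; the rule names, addresses, inventory and the analyst verdict on each alert are all assumptions made for the example. It also checks the cost of tuning: any alert that was suppressed but turned out to be real is a false negative the tuning created.

```python
"""IDS tuning for precision.  Added example for this page (not code from the
textbook).  Alerts, rule names, addresses, inventory and verdicts are constructed;
the verdict stands in for the ground truth learned only by investigating."""

# Each alert: the rule that fired, the platform the rule targets ("any" for
# platform-independent rules), the destination host, and whether investigation
# confirmed it as a real attack.
ALERTS = [
    {"rule": "SOLARIS_TELNET_AUTH_BYPASS", "platform": "solaris", "dest": "10.0.0.5", "confirmed": False},
    {"rule": "SOLARIS_TELNET_AUTH_BYPASS", "platform": "solaris", "dest": "10.0.0.6", "confirmed": False},
    {"rule": "SOLARIS_RPC_OVERFLOW", "platform": "solaris", "dest": "10.0.0.7", "confirmed": False},
    {"rule": "WINDOWS_SMB_EXPLOIT", "platform": "windows", "dest": "10.0.0.6", "confirmed": True},
    {"rule": "WINDOWS_SMB_EXPLOIT", "platform": "windows", "dest": "10.0.0.5", "confirmed": False},
    {"rule": "SSH_BRUTE_FORCE", "platform": "any", "dest": "10.0.0.5", "confirmed": True},
    {"rule": "LINUX_SUDO_ABUSE", "platform": "linux", "dest": "10.0.0.5", "confirmed": False},
    {"rule": "WEB_SQLI_GENERIC", "platform": "any", "dest": "10.0.0.7", "confirmed": False},
]
# Asset inventory: destination address -> operating system (constructed).
INVENTORY = {"10.0.0.5": "linux", "10.0.0.6": "windows", "10.0.0.7": "linux"}


def tune(alerts, inventory):
    """Suppress alerts whose rule cannot apply to the target.

    Two suppression reasons: the rule targets a platform the firm does not run
    at all (the Solaris case), or it targets a platform other than the one
    the inventory records for that host.  Hosts missing from the inventory
    are never suppressed on platform grounds."""
    platforms_in_use = set(inventory.values())
    kept, suppressed = [], []
    for alert in alerts:
        target_os = inventory.get(alert["dest"])
        if alert["platform"] == "any":
            kept.append(alert)
        elif alert["platform"] not in platforms_in_use:
            suppressed.append({**alert, "reason": "platform_not_deployed"})
        elif target_os is not None and target_os != alert["platform"]:
            suppressed.append({**alert, "reason": "wrong_platform_for_host"})
        else:
            kept.append(alert)
    return kept, suppressed


def precision(alerts):
    """Share of alerts that were real; 0.0 when there are none."""
    return sum(a["confirmed"] for a in alerts) / len(alerts) if alerts else 0.0


def missed_true_positives(suppressed):
    """Tuning creates false negatives when a suppressed alert was real; an
    inventory that is wrong about a host's OS is the usual cause."""
    return [a for a in suppressed if a["confirmed"]]


def report(alerts=ALERTS, inventory=INVENTORY):
    """Precision before and after tuning, plus what the tuning cost."""
    kept, suppressed = tune(alerts, inventory)
    return {
        "precision_before": precision(alerts),
        "precision_after": precision(kept),
        "suppressed": len(suppressed),
        "missed_true_positives": len(missed_true_positives(suppressed)),
    }
```

Even after halving the alert volume here, half of what remains is still a false positive, matching the slide's warning; and if the inventory wrongly lists the Windows host as Linux, the one confirmed SMB attack is suppressed along with the noise, which is the check to run before any tuning change is pushed to production.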
Updates
◦ Program, attack signatures must be updated
frequently
Processing Performance
◦ If processing speed cannot keep up with network
traffic, some packets will not be examined
◦ This can make some IDSs useless during attacks
that increase the traffic load
Storage
◦ Limited disk storage for log files
◦ When log files reach storage limits, they must be
archived
◦ Event correlation is difficult across multiple backup
tapes
◦ Adding more disk capacity reduces the problem but
never eliminates it
Honeypot
◦ A fake server or entire network segment with
multiple clients and servers
◦ Legitimate users should never try to reach
resources on the honeypot
◦ Primarily used by researchers studying attacker
behavior by recording everything a visitor does
10.1 Introduction
10.2 Incident Response Process
10.3 Intrusion Detection Systems
10.4 Business Continuity Planning
10.5 IT Disaster Recovery
Business Continuity Planning
◦ A business continuity plan specifies how a
company plans to restore or maintain core
business operations when disasters occur
◦ Disaster response is restoring IT services
Principles of Business Continuity Management
◦ Protect people first
Evacuation plans and drills
Never allow staff members back into unsafe
environments
Must have a systematic way to account for all
employees and notify loved ones
Counseling afterwards
Principles of Business Continuity Management
◦ People have reduced capacity in decision making
during a crisis
Planning and rehearsal are critical
◦ Avoid rigidity
Unexpected situations will arise
Communication will break down and information
will be unreliable
Decision makers must have the flexibility to act
Principles of Business Continuity Management
◦ Communication
Try to compensate for inevitable breakdowns
Have a backup communication system
Communicate constantly to keep everybody “in
the loop”
Business Process Analysis
◦ Identification of business processes and their
interrelationships
◦ Prioritization of business processes
Downtime tolerance (in the extreme, mean time to
belly-up)
Importance to the firm
Required by higher-importance processes
◦ Resource needs (must be shifted during crises)
Cannot restore all business processes
immediately
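The prioritization criteria above (downtime tolerance, importance to the firm, being required by higher-importance processes) can be turned into a recovery sequence mechanically once the interrelationships are written down. The added example below is not from the textbook; the process names, importance scores, downtime tolerances and dependencies are constructed. A supporting process inherits the importance and the downtime tolerance of everything built on it, and processes are then restored in dependency order, most important and least tolerant of downtime first.

```python
"""Business process prioritization for recovery sequencing.  Added example for
this page (not code from the textbook).  All process data is constructed."""

# name -> (importance 1..5, downtime tolerance in hours, processes it requires)
PROCESSES = {
    "order_entry":    (5, 4,  ["customer_db", "network"]),
    "customer_db":    (3, 8,  ["storage", "network"]),
    "payroll":        (4, 72, ["hr_db", "network"]),
    "hr_db":          (2, 72, ["storage", "network"]),
    "storage":        (2, 24, ["network"]),
    "network":        (1, 48, []),
    "marketing_site": (2, 48, ["network"]),
}


def propagate(processes, pick, combine):
    """Push a value from each process onto everything it requires, transitively,
    so a supporting process inherits the needs of the processes built on it.
    Repeats until nothing changes; max/min are monotone so this terminates."""
    values = {name: pick(spec) for name, spec in processes.items()}
    changed = True
    while changed:
        changed = False
        for name, (_, _, deps) in processes.items():
            for dep in deps:
                merged = combine(values[dep], values[name])
                if merged != values[dep]:
                    values[dep] = merged
                    changed = True
    return values


def effective_importance(processes):
    """A process is as important as the most important process that needs it."""
    return propagate(processes, lambda spec: spec[0], max)


def effective_tolerance(processes):
    """A process can be down no longer than the least tolerant process that needs it."""
    return propagate(processes, lambda spec: spec[1], min)


def recovery_order(processes):
    """Topological order over dependencies.  Among processes whose prerequisites
    are already restored, take the most important, then the least tolerant of
    downtime, then by name for a stable result.  Raises on a dependency cycle."""
    importance = effective_importance(processes)
    tolerance = effective_tolerance(processes)
    restored, order = set(), []
    remaining = set(processes)
    while remaining:
        ready = [p for p in remaining if all(d in restored for d in processes[p][2])]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        nxt = min(ready, key=lambda p: (-importance[p], tolerance[p], p))
        order.append(nxt)
        restored.add(nxt)
        remaining.remove(nxt)
    return order


if __name__ == "__main__":
    for step, name in enumerate(recovery_order(PROCESSES), 1):
        print(step, name)
```

Note what the inheritance does to the network process: on its own it scores lowest in importance and tolerates two days of downtime, but because order entry (importance 5, four hours of tolerance) cannot run without it, it is restored first. That is the practical meaning of "required by higher-importance processes".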
Testing the Plan
◦ Difficult because of the scope of disasters
◦ Difficult because of the number of people involved
Updating the Plan
◦ Must be updated frequently
◦ Business conditions change and businesses
reorganize constantly
◦ People who must execute the plan also change jobs
constantly
◦ Telephone numbers and other contact information
must be updated far more frequently than the plan
as a whole
◦ Should have a small, permanent staff
10.1 Introduction
10.2 Incident Response Process
10.3 Intrusion Detection Systems
10.4 Business Continuity Planning
10.5 IT Disaster Recovery
IT Disaster Recovery
◦ Looks specifically at the technical aspects of how a
company can get its IT back into operation using
backup facilities
◦ A subset of business continuity or for disasters that
only affect IT
◦ All decisions are business decisions and should not
be made by IT or IT security staff
Types of Backup Facilities
◦ Hot sites
Ready to run (e.g., power, HVAC, computers) -
just add data
Considerations: Rapid readiness at high cost
Must be careful to have the software at the hot
site up-to-date in terms of configuration
Types of Backup Facilities
◦ Cold sites
Building facilities, power, HVAC, communication
to outside world only
No computer equipment
Less expensive but usually take too long to get
operating
Types of Backup Facilities
◦ Site sharing
Site sharing among a firm’s sites (problem of
equipment compatibility and data
synchronization)
Continuous data protection needed to allow rapid
recovery
Office Computers
◦ Hold much of a corporation’s data and analysis
capability
◦ Will need new computers if old computers are
destroyed or unavailable
Will need new software
Well-synchronized data backup is critical
◦ People will need a place to work
Restoration of Data and Programs
◦ Restoration from backup tapes; need backup tapes
at the remote recovery site
◦ May be impossible during a disaster
All rights reserved. No part of this publication may be reproduced, stored in a
retrieval system, or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise without the prior written
permission of the publisher.