Wide Area Networks (WANs)

Chapter 9

2



In previous chapters, we have looked at threats, planning, and response



In Chapter 9, we complete the discussion of the plan-protect-respond cycle



Response planning is necessary because defenses can never stop all attacks.

Companies must respond appropriately when attacks happen or natural disasters occur

Copyright Pearson Prentice-Hall 2009

Plan

(Chapter 2)

3

Respond

(Chapter 9)

Protect

(Chapters 3-8)


4



The Situation

◦ Hurricane Katrina devastated New Orleans in 2005

 Followed shortly by Hurricane Rita

◦ The U.S. Federal Emergency Management

Administration (FEMA) botched the relief effort


5



Wal-Mart Is the Largest Retailer in the

United States

◦ Supplied $20 million in cash

◦ Supplied 100,000 free meals

◦ 1,900 truckloads full of diapers, toothbrushes, other emergency supplies



45 trucks were rolling before the hurricane hit land

◦ Provided police and relief workers with flashlight, batteries, ammunition, protective gear, and meals


6



What Was Wal-Mart’s Process?



Wall-Mart Business Continuity Center

◦ A permanent department with a small core staff

◦ Activated two days before Katrina hit

◦ Soon, 50 managers and specialists were at work in the center


7



Wall-Mart Business Continuity Center

◦ Before computer network went down, sent detailed orders to its distribution center in Mississippi

◦ Recovery merchandise for stores: bleach and mops, etc.

◦ 40 power generators to supply stores with backup power

◦ Sent loss-prevention employees to secure stores


8



Communication

◦ Network communication failed

◦ Relied on telephone to contact its stores and other key constituencies



Response

◦ Stores came back to business within days

◦ Engaged local law enforcement to preserve order in lines to get into stores


9



Preparation

◦ Full-time director of business continuity

◦ Detailed business continuity plans

◦ Clear lines of responsibility



Multitasking

◦ During all of this, were monitoring a hurricane off

Japan


10



Incidents Happen

◦ Protections inevitably break down occasionally

◦ Successful attacks are called security incidents, breaches, or compromises


11



Incidents Happen

◦ Protections inevitably break down occasionally

◦ Successful attacks are called security incidents, breaches, or compromises



Incident Severity

◦ False alarms



Apparent compromises are not real compromises

 Also called false positives



Handled by the on-duty staff

 Waste time and may dull vigilance


12



Incident Severity

◦ Major incidents

 Beyond the capabilities of the on-duty staff

 Must convene a Computer Security Incident

Response Team (CSIRT)

 CSIRT needs participation beyond IT security


13



Incident Severity

◦ Disasters

 Fires, floods, hurricanes, major terrorist attacks

 Must assure business continuity

 Maintaining the day-to-day operations of the firm

 Need a business continuity group headed by a senior manager

 Core permanent staff will facilitate activities

 IT disaster response is restoring IT services

 May be a subset of business continuity

 May be a stand-alone IT disaster


14



Speed and Accuracy Are of the Essence

◦ Speed of response can reduce damage

 Attacker will have less time to do damage

 The attacker cannot burrow as deeply into the system and become very difficult to detect

 Speed is also necessary in recovery


15



Speed and Accuracy Are of the Essence

◦ Accuracy is equally important

 Common mistake is to act on incorrect assumptions

 If misdiagnose the problem or take the wrong approach, can make things much worse



Take your time quickly


16



Planning Before an Incident or Disaster

◦ Decide what to do ahead of time

◦ Have time to consider matters thoroughly and without the time pressure of a crisis

◦ (During an attack, human decision-making skills degrade)

◦ Incident response is reacting to incidents according to plan

◦ Within the plan, need to have flexibility to adapt

◦ Best to adapt within a plan than to improvise completely


17



Team Members Must Rehearse the Plan

◦ Rehearsals find mistakes in the plan

◦ Practice builds speed



Types of Rehearsals

◦ Walkthroughs (table-top exercises)

◦ Live tests (actually doing planned actions) can find subtle problems but are expensive


18



Process for Major Incidents



Detection, Analysis, and Escalation

◦ Must detect through technology or people

 Need good intrusion detection technology

 All employees must know how to report incidents

◦ Must analyze the incident enough to guide subsequent actions

 Confirm that the incident is real



Determine its scope: Who is attacking; what are they doing; how sophisticated they are, etc.


19



Detection, Analysis, and Escalation

◦ If deemed severe enough, escalate to a major incident

 Pass to the CSIRT, the disaster response team, or the business continuity team


20



Containment

◦ Disconnection of the system from the site network or the site network from the Internet (damaging)

 Harmful, so must be done only with proper authorization

 This is a business decision, not a technical decision


21



Containment

◦ Black-holing the attacker (only works for a short time)

◦ Continue to collect data (allows harm to continue) to understand the situation

 Especially necessary if prosecution is desired


22



Recovery

◦ Repair during continuing server operation

 Avoids lack of availability

 No loss of data

 Possibility of a rootkit not having been removed, etc.


23



Recovery

◦ Data

 Restoration from backup tapes

 Loses data since last trusted backup


24



Recovery

◦ Software

 Total software reinstallation of operating system and applications may be necessary for the system to be trustable

 Manual reinstallation of software

 Need installation media and product activation keys

 Must have good configuration documentation before the incident

 Reinstallation from a disk image

 Can greatly reduce time and effort

 Requires a recent disk image


25



Apology

◦ Acknowledge responsibility and harm without evasion or weasel words

◦ Explain potential inconvenience and harm in detail

◦ Explain what actions will be taken to compensate victims, if any


26



Punishment

◦ Punishing employees usually is fairly easy

 Most employees are at-will employees

 Companies usually have wide discretion in firing at-will employees

 This varies internationally



Union agreements may limit sanctions or at least require more detailed processes


27



Punishment

◦ The decision to pursue criminal prosecution

 Must consider cost and effort

 Must consider probable success if pursue (often attackers are minors or foreign nationals)

 Loss of reputation because the incident becomes public


28



Punishment

◦ Collecting and managing evidence

 Forensics: Courts have strict rules for admitting evidence in court

 Call the authorities and a forensics expert for help


29



Punishment

◦ Collecting and managing evidence

 Protecting evidence

 Pull the plug on a server if possible

 This is a business decision, not an IT decision

 Document the chain of custody

 Who held the evidence at all times

 What they did to protect it

 Document the chain of custody


30



Postmortem Evaluation

◦ What should we do differently next time?


31



Organization of the CSIRT

◦ Should be led by a senior manager

◦ Should have members from affected line operations

◦ The IT security staff may manage the CSIRT’s operation on a day-to-day basis

◦ Might need to communicate with the media; only do so via public relations

◦ The corporate legal counsel must be involved to address legal issues

◦ Human resources is necessary, especially if there are to be sanctions against employees


Dimension

Deals with

Penalties

Cases brought by

Criminal Law

Violations of criminal statutes

Jail time and fines

Prosecutors

Criterion for verdict Beyond a reasonable doubt

Usually Requires mens rea (guilty mind)

Applicable to IT security Yes. To prosecute attackers and to avoid breaking the law

32

Civil Law

Interpretations of rights and duties that companies or individuals have relative to each other

Monetary penalties and orders to parties to take or not take certain actions

Plaintiff is one of the two parties

Preponderance of the evidence (usually)

Rarely, although may affect the imposed penalty

Yes. To avoid or minimize civil trials and judgments


33



Cyberlaw

◦ Cyberlaw is any law dealing with information technology



Jurisdictions

◦ Areas of responsibility within which government bodies can make and enforce law but beyond which they cannot


34



The United States Federal Judicial System

◦ U.S. District Courts

 94 in the United States

 Decisions in trials are only binding on the litigants


35




◦ U.S. Circuit Courts of Appeal

 13 in the United States

 Do not conduct trials



Review district court decisions

 Decisions are precedents only for the district courts under the circuit court of appeals making a decision


36




◦ U.S. Supreme Court

 Final arbiter of U.S. federal law

 Only hears about 100 cases per year



Usually only reviews cases that involve conflicts between appellate court precedents or important constitutional issues


37



U.S. State and Local Law

◦ In the United States, many powers are reserved for the states

◦ This typically includes the prosecution of crimes taking place within a state or that do not affect interstate commerce

◦ For most cybercrimes committed within a state, state law applies

◦ State cybercrime laws vary widely

◦ Local police usually investigate crimes under both local and state laws


38



International Law

◦ Differences are wide and rapidly changing

(generally improving)

◦ Important to multinational firms

◦ Also important to purely domestic firms

 Suppliers and buyers may be in other countries

 Attackers may be in other countries

◦ Several treaties exist to harmonize laws and facilitate cross-border prosecution

 Generally immature


39



Admissibility of Evidence

◦ Unreliable evidence may be kept from juries

◦ Belief that juries cannot evaluate unreliable evidence properly

◦ Example: hearsay evidence



Federal Rules of Civil Procedure

◦ Guide U.S. courts

◦ Now have strong rules for evaluating the admissibility of electronic evidence


40



Computer Forensics Experts

◦ Professionals trained to collect and evaluate computer evidence in ways that are likely to be admissible in court

◦ Meet with them before there is a need because the initial moments of an intrusion require correct action


41



Expert Witnesses

◦ Normally, witnesses can only testify regarding facts, not interpretations

◦ Expert witnesses may interpret facts to make them comprehensible to the jury in situations where juries are likely to have a difficult time evaluating the evidence themselves


42



18 U.S.C § 1030

◦ United States Code Title 18, Part I (Crimes) Section

1030

◦ Actions prohibited



Hacking

 Malware

 Denial of service


43



18 U.S.C § 1030

◦ Protected computers

 Applicability is limited to protected computers

 Include “government computers, financial institution computers, and any computer which is used in interstate or foreign commerce or communications”

◦ Often require damage threshold for prosecution

 The FBI may require even higher damages to prosecute


44



18 U.S.C § 2511

◦ Prohibits the interception of electronic messages, both en route and after the message is received and stored

◦ Allows e-mail service providers to read the content of mail

 A company can read employee mail if it owns the mail system


45



Other Federal Laws

◦ Many traditional federal criminal laws may apply in individual cases

◦ For example, fraud, extortion, and the theft of trade secrets

◦ These laws often have far harsher consequences than cybercrime laws


46



Event logging for suspicious events



Sometimes, send alarms



A detective control, not a preventative or restorative control


Management :

Configuration, Tuning, etc.

Actions :

Generate Alarms

Generate Log Summary Reports

Support Interactive Manual Log Analysis

Automated Analysis :

Attack Signatures versus Anomaly

Detection

Event Logging :

Individual Events are Time-Stamped

Log is Flat File of Events

(Sometimes) Data Aggregation from

Multiple IDSs

47


3.

Agent:

Host

48

IDS

4.

Agent:

Netw ork

IDS

5.

Encrypted

Communication

4.

Agent:

Netw ork IDS

1.

Manager

4.

Agent:

Netw ork

IDS

Sw itch

2.

Integrated

Log File

5.

Encrypted

Communication

IDS Vendor

Router Firew all


49



Network IDSs (NIDSs)

◦ Stand-alone device or built into a switch or router

◦ NIDSs see and can filter all packets passing through them

◦ Switch or router NIDSs can collect data on all ports

◦ A NIDS collects data for only its portion of the network

 Blind spots in network where no NIDS data is collected

◦ Cannot filter encrypted packets


50



Host IDSs (HIDSs)

◦ Attractions

 Provide highly detailed information for the specific host

◦ Weaknesses of Host IDSs

 Limited Viewpoint; Only one host



Host IDSs can be attacked and disabled


51



Host IDSs (HIDSs)

◦ Operating System Monitors

 Collects data on operating system events

 Multiple failed logins

 Creating new accounts

 Adding new executables (programs—may be attack programs)


52



Host IDSs (HIDSs)

◦ Operating System Monitors

 Modifying executables (installing Trojan horses does this)

 Adding registry keys (changes how system works)

 Changing or deleting system logs and audit files

 Changing system audit policies

 User accessing critical system files

 User accessing unusual files

 Changing the OS monitor itself


53



Log Files

◦ Flat files of time-stamped events

◦ Individual logs for single NIDs or HIDs

◦ Integrated logs



Aggregation of event logs from multiple IDS agents (Figure 9-12)

 Difficult to create because of format incompatibilities

 Time synchronization of IDS event logs is crucial

(Network Time Protocol)


54



Event Correlation (Figure 9-15)

◦ Suspicious patterns in a series of events across multiple devices

◦ Difficult because the relevant events exist in much larger event streams that are logged

◦ Usually requires many analysis of the integrated log file data


55



















Sample Log File

(many irrelevant log entries not shown)

1. 8:45:05:47. Packet from 1.15.3.6 to 60.3.4.5 (NIDS log entry)

2. 8:45:07:49. Host 60.3.4.5. Failed login attempt for account Lee (Host 60.3.4.5 log entry)

3. 8:45:07:50. Packet from 60.3.4.5 to 1.15.3.6 (NIDS)


5. 8:45:50:18. Host 60.3.4.5. Failed login attempt for account Lee (HIDS)



8. 8:49:07:47. Host 60.3.4.5. Successful login attempt for account Lee (HIDS)



56

Sample Log File



10.

8:56:12:30. Packet from 60.3.4.5 to 123.28.5.210.

TFTP request (NIDS)



11.

8:56:28:07. Series of packets from 123.28.5.210 and

60.3.4.5. TFTP response (NIDS)



12. No more host log entries

◦ (The log would not say this; it would merely stop sending events)


57



















Sample Log File

(many irrelevant log entries not shown)

13.

9:03.17:33. Series of packets between 60.3.4.5 and 1.17.8.40. SMTP (NIDS)

14.


15.


16.


17.

9:20:12:05. Packet from 60.3.4.5 to 60.0.1.1. TCP SYN=1, Destination Port 80 (NIDS)

18.

9:20:12:07: Packet from 60.0.1.1 to 60.3.4.5. TCP RST=1, Source Port 80 (NIDS)

19.

9:20:12:08. Packet from 60.3.4.5 to 60.0.1.2. TCP SYN=1, Destination Port 80 (NIDS)

20.

9:20:12:11 Packet from 60.3.4.5 to 60.0.1.3. TCP SYN=1, Destination Port 80 (NIDS)

21.

9:20:12:12. Packet from 60.0.1.3 to 60.3.4.5. TCP SYN=1; ACK=1, Source Port 80

(NIDS)


58



Tuning for Precision

◦ Too many false positives

 False alarms

 Can overwhelm administrators, dull vigilance

◦ False negatives allow attacks to proceed unseen


59



Tuning for Precision

◦ Tuning for false positives turns off unnecessary rules, reduces alarm levels of unlikely rules

 For instance, alarms for attacks against Solaris operating systems can be deleted if a firm has no

Sun Microsystems servers

 Tuning requires a great deal of expensive labor

 Even after tuning, most alerts will be false positives


60



Updates

◦ Program, attack signatures must be updated frequently



Processing Performance

◦ If processing speed cannot keep up with network traffic, some packets will not be examined

◦ This can make some IDSs useless during attacks that increase the traffic load


61



Storage

◦ There will be limited disk storage for log files

◦ When log files reach storage limits, they must be archived

◦ Event correlation is difficult across multiple backup tapes

◦ Adding more disk capacity reduces the problem but never eliminates it


62



Business Continuity Planning

◦ A business continuity plan specifies how a company plans to restore or maintain core business operations when disasters occur

◦ Disaster response is restoring IT services


63



Principles of Business Continuity Management

◦ Protect people first

 Evacuation plans and drills

 Never allow staff members back into unsafe environments

 Must have a systematic way to account for all employees and notify loved ones

 Counseling afterwards


64




◦ People have reduced capacity in decision making during a crisis

 Planning and rehearsal are critical

◦ Avoid rigidity

 Unexpected situations will arise



Communication will break down and information will be unreliable

 Decision makers must have the flexibility to act


65




◦ Communication

 Try to compensate for inevitable breakdowns

 Have a backup communication system

 Communicate constantly to keep everybody “in the loop”


66



Business Process Analysis

◦ Identification of business processes and their interrelationships

◦ Prioritization of business processes

 Downtime tolerance (in the extreme, mean time to belly-up)

 Importance to the firm



Required by higher-importance processes

◦ Resource needs (must be shifted during crises)

 Cannot restore all business processes immediately


67



Testing the Plan

◦ Difficult because of the scope of disasters

◦ Difficult because of the number of people involved


68



Updating the Plan

◦ Must be updated frequently

◦ Business conditions change and businesses reorganize constantly

◦ People who must execute the plan also change jobs constantly

◦ Telephone numbers and other contact information must be updated far more frequently than the plan as a whole

◦ Should have a small permanent staff


Business Continuity:

Keeping the entire firm operating or restoring the firm to operation

IT Disaster Response:

Keeping IT resources operating or restoring them to operation

69


70



IT Disaster Recovery

◦ IT disaster recovery looks specifically at the technical aspects of how a company can get its IT back into operation using backup facilities

◦ A subset of business continuity or for disasters the only affect IT

◦ All decisions are business decisions and should not be made by mere IT or IT security staffs


71



Types of Backup Facilities

◦ Hot sites

 Ready to run (power, HVAC, computers): Just add data



Considerations: Rapid readiness at high cost

 Must be careful to have the software at the hot site up-to-date in terms of configuration


72




◦ Cold sites

 Building facilities, power, HVAC, communication to outside world only



No computer equipment

 Less expensive but usually take too long to get operating


73




◦ Site sharing

 Site sharing among a firm’s sites (problem of equipment compatibility and data synchronization)

 Continuous data protection needed to allow rapid recovery


74



Office Computers

◦ Hold much of a corporation’s data and analysis capability

◦ Will need new computers if old computers are destroyed or unavailable

 Will need new software

 Well-synchronized data backup is critical

◦ People will need a place to work


75



Restoration of Data and Programs

◦ Restoration from backup tapes: Need backup tapes at the remote recovery site

◦ May be impossible during a disaster



Testing the IT Disaster Recovery Plan

◦ Difficult and expensive

◦ Necessary


Or, as we say in Hawaii, “All pau”

76


Wide Area Networks (WANs)

Wal-Mart Is the Largest Retailer in the

United States

Related documents

Products

Support

Wide Area Networks (WANs)

Wal-Mart Is the Largest Retailer in the

United States

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib