Computer Security Issues

Special Agent
Chris Buechner (cbuechner@fbi.gov)
Denver FBI
Computer Analysis Response Team (CART)
Computer Crime
Before and After the Attack
Cyber Investigations
• Computer Crimes
• Before you’re a Victim
• When You’re a Victim
Are you a victim?
• What type of victim are you?
• How do you know you’re a victim?
• How to protect the information
• Getting your system back up
• Who should you contact
• Who are the hackers/crackers
What type of Victim
• System hacked
– Gain information
– Gain bandwidth
– Revenge (insider)
• Silent host
– Capture additional sites
– Cover tracks
How do you know you’re a victim?
• Logs show unauthorized access
– Telnet
– Ftp
• Creation of new accounts
• Loss of computer resources
– DOS (denial of service)
• New files and directories appear
• Information on system, made public
– Grades, salaries, personnel information, credit card information
Protect the information
• Take computer off line
• Determine the location of the attack
– What if any information was taken
– The identity of the attackers
– Methods of intrusion used
Getting system back online
• Replace the computer if possible
• Make a copy of system files
• Restore the backups from trusted source
– Backups may have back doors installed
• Install all upgrades and patches
Who should you contact
• Local law enforcement vs. the feds
– Local law enforcement
• Can better handle juveniles
• Lower thresholds for prosecution
• Minimal resources
• Limited by boundaries
– The feds
• Unlimited resources
• National and international coverage
• No juvenile system
• Minimum threshold for prosecution
When you make contact
• Do not make contact from compromised system
• Have procedures in place to control the situation
• Select one individual to control and maintain evidence
• Maintain log of costs and steps taken in the process
THREATS
Hacker/Cracker Criminal Profiles
• Majority are white males
• THIS is changing...
• 16-40! Most likely 16-26
• Interview: most will go as far as they THINK you know. Often ask for counsel.
• Very loyal to friends - to a point
Hacker/Cracker Criminal Profiles
• Ego maniacs
• Socially withdrawn
• Generally still don’t understand Law Enforcement
Are WE catching the really GOOD ones?
METHODS OF ATTACKS
• Dumpster diving
• Brute force hacking
• Social engineering
• Data scope programs
• Sniffer programs
• IP spoofing
• DDOS
“To Watch” Sites/Lists
• Sites:
– antionline.com, wired.com, 2600.com, rootshell.com, csu.purdue.edu/coast/, etc.
• Newsgroups/Lists:
– Bugtraq, NTbugtraq, Best of Security (BoS)
– CERT.org
– alt.security, comp.security.misc, etc.
• Tools (www.network-tools.com)
Before you’re a Victim
DEVELOP A PLAN!
Preparation
• Post warning banners:
– Every system should display banner
• Display at every login – at every port accessed
– FTP, Telnet
• System is property of your organization
• System is subject to monitoring
• No expectation of privacy while using system
– Management and legal counsel should approve
– DO NOT reveal system purpose/OS/etc
Preparation
• Be Proactive to Prevent Incidents
– Establish Security Policy
– Monitor and Analyze Network Traffic
– Assess Vulnerabilities (System Scans)
– Configure Systems Wisely
• Limit Services (FTP/telnet)
• Patches
– Establish Training for Employees
Preparation
• Establish Policy on Employee Privacy
– Email: Owned by Corp. or Employee
– Data Files
– Encryption okay?
• Keys
• Disgruntled Employees
Preparation
• Establish Organizational Approach to Intrusions (2 ways)
– Contain, Clean and Deny
• STOP Intruder. Remove system from Net
• Repair System and block access
• IP Filtering, Firewalls, etc.
Preparation
• Establish Organizational Approach to Intrusions
– Monitor and Gather Information
• Fishbowl
• Proceed with Caution
Preparation
• Policy for Peer Notification
– DDOS
• Remote Computing
– Telecommuters
• Laptop Privacy (temps, contractors too)
– Acceptable Use Policy (Sign Yearly)
– Revoke Access when no longer required
– Log Remote Access (Radius/Caller ID/Remote Callback)
Preparation
• Develop Management Support
• Develop an Incident Response Team
– Assign Specific Duties
• Call - duty and phone list
• Legal Counsel
• PR/Law Enforcement Liaison
• Assign a Person to be Responsible for Incident
System Preparation
• System Backups
– Original O/S
– Log Files
– Admin Files/Applications
– Data
• When restoring systems, be careful not to re-introduce problem
System Preparation
• Acquire and install some level of intrusion detection and audit capability.
– Advanced Logging programs
– TCP Wrappers, Tripwire, etc.
• Install and configure a firewall
• Monitor industry information regarding intrusions/hacker techniques
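An added example, not from the slides and not Tripwire's own code: a minimal Tripwire-style baseline-and-verify script in POSIX shell, the same check that backs the later "look for trojan system files" analysis step. It assumes sha256sum, find and comm are available and that watched paths contain no whitespace.

```shell
#!/bin/sh
# Added example, not from the slides and not Tripwire itself: a minimal
# Tripwire-style integrity check. take_baseline records a SHA-256 per file
# under a watched tree; check_baseline later reports MODIFIED, MISSING and
# NEW files against that record. Paths are assumed to contain no whitespace.
set -eu

# take_baseline DIR MANIFEST : hash every regular file below DIR into MANIFEST.
take_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) >"$2"
}

# check_baseline DIR MANIFEST : one line per deviation; returns 0 only if none.
check_baseline() {
    dir=$1 manifest=$2 rc=0
    while read -r hash path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(sha256sum "$dir/$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done <"$manifest"
    # Files present now that the baseline never saw (e.g. a planted binary).
    known=$(mktemp); current=$(mktemp)
    sed 's/^[0-9a-f]* *//' "$manifest" | LC_ALL=C sort >"$known"
    (cd "$dir" && find . -type f | LC_ALL=C sort) >"$current"
    for f in $(comm -13 "$known" "$current"); do echo "NEW $f"; rc=1; done
    rm -f "$known" "$current"
    return $rc
}

# Constructed watched tree standing in for a system directory (not real binaries).
WORK=$(mktemp -d)
mkdir -p "$WORK/sys/bin"
printf 'ls program\n' >"$WORK/sys/bin/ls"
printf 'login program\n' >"$WORK/sys/bin/login"
take_baseline "$WORK/sys" "$WORK/baseline.sha256"   # taken while the system is known good
check_baseline "$WORK/sys" "$WORK/baseline.sha256" && echo "clean"
# Simulated intrusion: login replaced, ls deleted, a hidden file dropped in.
printf 'replaced login\n' >"$WORK/sys/bin/login"
rm "$WORK/sys/bin/ls"
printf 'dropped file\n' >"$WORK/sys/bin/.hidden"
check_baseline "$WORK/sys" "$WORK/baseline.sha256" || echo "deviations found"
```

Keep the manifest on read-only or offline media; a baseline stored on the monitored system can be edited by the same intruder who replaced the binaries.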
The Security Investment
• Recruit and hire security capable staff
• Keep current on system vulnerabilities
• Ensure networked systems are maintained and patched
• Train administrators and users in security and protection measures
• Adequate password security
When you’re a Victim
What the FBI can do
• Combine technical skills and investigative experience
• National and global coverage
• Apply more traditional investigative techniques
• Long-term commitment of resources
• Integration of law enforcement and national security concerns
• Pattern analysis
• Can provide deterrent effect . . . even if hacker not prosecuted
The FBI won’t:
• Take over your systems
• Repair your systems
• Share proprietary information with competitors
• Provide investigation-related information to the media or your shareholders
When You’re a Victim
• Stop and Think -- REMAIN CALM
– Take Notes (who, what, why, where, when and how)
– Notify appropriate persons
• Supervisor
• Security Coordinator
• Legal Counsel
• Etc
– Enforce a Need to Know Policy
When You’re a Victim
• Communicate Wisely
– Email/chat -- intruder may be listening
– Use telephone/voicemail/fax/etc.
– If email, use encryption or secure system
• Remove system from Net
When You’re a Victim
• Make a Bit by Bit copy of system
– Use NEW media & VERIFY the backup!!
– Initial and date backup…time too
– Secure in a locked limited access location
• Chain of Custody
• Collect other evidence in the same manner
– Always preserve originals!
When You’re a Victim
• Best Evidence Rule
– Original Drives
– Bit by Bit Copy
• Linux dd
• Safeback
– Copy of relevant files
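An added example, not from the slides, covering both the "make a bit by bit copy" slide above and the Linux dd entry under Best Evidence Rule: image with dd, verify the copy by hash, and write the dated, initialled custody line. The "drive" is a constructed file; sha256sum and a sector-aligned source are assumed.

```shell
#!/bin/sh
# Added example, not from the slides: bit-for-bit imaging with dd as the
# slides name it, hash verification of the copy, and a dated, initialled
# chain-of-custody line. The "drive" is a constructed 1 MiB file.
set -eu

# image_device SRC IMG : sector-by-sector copy of SRC into IMG.
# conv=noerror,sync reads past bad sectors and pads them so offsets are kept;
# bs=512 matches a sector, so a whole device is never padded at the end.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SRC IMG LOG INITIALS : compare SHA-256 of source and image,
# append one custody-log line, and return 0 only when the hashes match.
verify_image() {
    src=$1 img=$2 log=$3 who=$4
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$src_hash" = "$img_hash" ]; then status=VERIFIED; else status=MISMATCH; fi
    printf '%s %s %s -> %s sha256=%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$who" "$src" "$img" "$src_hash" "$status" >>"$log"
    [ "$status" = VERIFIED ]
}

# Constructed stand-in for a seized drive: 2048 sectors of filler, not real data.
WORK=$(mktemp -d)
yes 'constructed evidence sector' | head -c 1048576 >"$WORK/sda"
image_device "$WORK/sda" "$WORK/sda.dd"
verify_image "$WORK/sda" "$WORK/sda.dd" "$WORK/custody.log" examiner1 && echo "image verified"
# A copy altered after imaging (one byte appended) must fail verification.
cp "$WORK/sda.dd" "$WORK/sda.bad"; printf 'x' >>"$WORK/sda.bad"
verify_image "$WORK/sda" "$WORK/sda.bad" "$WORK/custody.log" examiner1 || echo "altered copy rejected"
cat "$WORK/custody.log"
```

On a real drive the source must be attached read-only (a write blocker) before imaging, or the source hash itself is no longer trustworthy.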
When You’re a Victim
• Begin analysis to determine what happened
– Work from copy
– Review system, firewall, router logs
– Look for trojan system files
– Look for new, suspicious users
– Contact ISP for additional logs and possible filtering
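An added example, not from the slides, for the log-review and new-user steps above and the telnet/ftp and new-account signs listed under "How do you know you're a victim": a POSIX shell triage over constructed syslog and passwd lines. The useradd and tcpd "connect from" line formats, the sample addresses and the allow-list host are all assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: first-pass log triage over constructed
# syslog and passwd lines (not real data). Assumes shadow-utils useradd
# entries and tcpd "connect from" entries for in.telnetd / in.ftpd.
set -eu

# new_accounts LOG : one "NEW_ACCOUNT <name> uid=<n>" per useradd entry.
new_accounts() {
    awk '/useradd\[[0-9]+\]: new user:/ { n = u = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) { n = $i; sub(/^name=/, "", n); sub(/,$/, "", n) }
            if ($i ~ /^UID=/)  { u = $i; sub(/^UID=/, "", u);  sub(/,$/, "", u) }
        }
        printf "NEW_ACCOUNT %s uid=%s%s\n", n, u, (u == "0" ? " (ROOT-EQUIVALENT)" : "")
    }' "$1"
}

# uid0_accounts PASSWD : every UID-0 account other than root, a classic back door.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "UID0_ACCOUNT " $1 }' "$1"
}

# remote_service_hits LOG ALLOWED : telnet/ftp connections per source address,
# flagging sources absent from the space-separated ALLOWED list.
remote_service_hits() {
    awk -v allowed=" $2 " '/in\.(telnetd|ftpd)\[[0-9]+\]: connect from/ {
        svc = $5; sub(/\[.*/, "", svc); count[svc " " $NF]++
    } END {
        for (k in count) {
            split(k, p, " ")
            flag = (index(allowed, " " p[2] " ") ? "allowed" : "NOT-ALLOWED")
            printf "REMOTE %s from %s x%d %s\n", p[1], p[2], count[k], flag
        }
    }' "$1" | sort
}

# Constructed sample input (not real log data).
WORK=$(mktemp -d)
cat >"$WORK/messages" <<'EOF'
Mar  3 02:14:07 host useradd[2231]: new user: name=svc_tmp, UID=0, GID=0, home=/, shell=/bin/sh
Mar  3 02:14:52 host in.telnetd[2240]: connect from 203.0.113.45
Mar  3 02:16:33 host in.ftpd[2250]: connect from 203.0.113.45
Mar  3 09:00:01 host CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:30:12 host in.ftpd[2310]: connect from 198.51.100.7
EOF
printf 'root:x:0:0:root:/root:/bin/sh\nsvc_tmp:x:0:0::/:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/sh\n' >"$WORK/passwd"
new_accounts "$WORK/messages"
uid0_accounts "$WORK/passwd"
remote_service_hits "$WORK/messages" "198.51.100.7"   # 198.51.100.7 is the approved admin host
```

Run it against the copies made in the previous step, never the live system, and treat the output as leads to confirm against firewall and router logs rather than as conclusions.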
When You’re a Victim
• Start to determine cost of attack
– Recovery costs
– Lost business
– Legal expenses
– Salaries
– Technical and Security Contractors
• Maintain incident log and chronology
When You’re a Victim
• Know When to Contact Law Enforcement
– Intrusions, theft, espionage, child pornography, hate crimes, and threats
– Dollar losses due to intrusions exceed $5K
• Law Enforcement Difficulties
– keystroke monitoring and wire taps
– legal restrictions (subpoenas/orders/warrants)
Final Thoughts
• 2001 CSI/FBI security survey revealed:
– 91% of respondents had detected security breach within last year
– 64% reported significant loss due to intrusion
• Any computer system is vulnerable
– Through Internet or by local user
Contact Us
Federal Bureau of Investigation
Computer Crime Squad
Denver Division
(303) 629-7171 (24 Hours)
(303) 628-3267 (Direct)
Cbuechner@FBI.gov