ECIH Compile

Sample EC-Council Certified Incident Handler Version 1

Mo d u le III

Batch PDF Merger

Incident Response and Handling Steps

News: A Delicate Balance is Required to Achieve Inform ation Security April 22, 20 0 9 D avid Ch ad w ick, Pro fe s s o r o f In fo rm atio n Sys te m s Se cu rity at th e U n ive rs ity o f Ke n t, calls fo r be tte r in cid e n t h an d lin g an d p ro ce d u re s to p ro te ct s e n s itive d ata It did not start with the loss of the personal details of 25 m illion people in receipt of Child Benefit in Novem ber 20 0 7.1 Neither did it end in J anuary 20 0 9 with the British Council losing a com puter disk containing the nam es, national insurance num bers, salary and bank account details of its 2,0 0 0 UK staff.2 Data loss has been happening ever since com puters were first invented, and it will continue to happen as long as we have them , regardless of any legislation that J ack Straw m ight wish to im pose, even legislation that recom m ends jail sentences for em ployees of organisations where data breaches occur. After all, crim es that incur the harshest of penalties still occur daily. Furtherm ore, data loss will continue to happen even if encryption is ubiquitously im plem ented. Why? Because data security depends m ore on people and processes than on raw encryption technologies. This is eloquently illustrated in the data loss last August when the personal details of the 84,0 0 0 prisoners in England and Wales went m issing. This data was held encrypted on the governm ent com puter system but was downloaded unencrypted onto a m em ory stick by an external contractor who then m isplaced the stick.

Source: http:/ / w w w .publicservice.co.uk/

EC-Council

Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module Objective

This m odule will fam iliarize you with:

• • • • • • • • • • EC-Council

Handling Incidents Need for Incident Response Goals of Incident Response Incident Response Plan Incident Response and Handling Steps Training and Awareness Incident Managem ent Incident Response Team Incident Response Best Practices Incident Response Plan Checklist Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module Flow

EC-Council

Handling Incidents

Need for Incident Response

Incident Response Plan

Goals of Incident Response

Incident Response and Handling Steps

Training and Awareness

Incident Response Team

Incident Managem en t

Incident Response Best Practices

Incident Response Plan Checklist Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

How to Identify an Incident Suspicious entries in network logs

Accounting gaps of several m inutes with n o accounting log

Other events such as unsuccessful login attem pts, attem pts to write, alter, or delete system files, system failure, or perform ance degradation Unusual usage patterns, such as program s being com piled in the account of users who are non-program m ers

EC-Council


Handling Incidents Incident handling involves :

• Incident reporting • Incident analysis • Incident response

Incident handling allows incident reports to be gathered in one location so that exact trends and patterns can be recognized and recom m ended strategies can be em ployed

It helps the corresponding staff to understand the process of responding and to tackle unexpected threats and security breaches

EC-Council


Need for Incident Response The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident

Incident response is required to identify the attacks that have com prom ised personal and business inform ation or data

Incident response is required to:

• • • • EC-Council

Protect system s Protect personnel Efficiently use the resources Deal with legal issues Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Goals of Incident Response Exam ining the incident Minim izing the im pact of incident Preventing future attacks or incidents Enhancing security of the com puter system Securing privacy rights established by law and policy Providing accurate reports and useful recom m endations Assisting the law enforcem ent in prosecuting digital crim inals Protecting the organization’s reputation and assets EC-Council


Incident Response Plan Incident response plan consists of a set of instructions to detect and respond to an incident

It defines the areas of responsibility and creates procedures for handing various com puter security incidents

The incident response plan covers: • • • • • EC-Council

How inform ation is passed to the appropriate personnel Assessm ent of the incident Minim izing dam age and response strategy Docum entation of the incident Preservation of the evidence Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Purpose of Incident Response Plan The incident response plan gathers required resources in an organized m anner to address incidents related to the security of a com puter system

It protects the organization’s resources against an attack

It protects the sensitive data on the system s

It supports legal investigations

EC-Council


Requirem ents of Incident Response Plan

The requirem ents of incident response planning are:

• Expert team s (Com puter Em ergency Response Team (CERT)) • Legal review and approved strategy • Com pany’s financial support • Executive/ upper m anagem ent support • A feasible and tested action plan • Physical resources, such as redundant storage, standby system s, and backup services

EC-Council


Preparation Preparation is the m ost im portant aspect that allows you to respond to an incident before it happens

The success of an incident response process depends on the pre-incident preparation

It includes:

EC-Council

• • • • • • • •

Exam ining security m easures for networks and system s Intrusion Detection System (IDS) Creating access control Vulnerability assessm ents Perform ing regular backups Baseline protection by updating patches and antivir us Com m unication plan Audit trail Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Preparation (cont’d) It consists of security m easures that an incident response team should begin to im plem ent in order to ensure protection of the organization’s assets and inform ation

Preparing incident response team includes:

The requirem ent of hardware and software com ponents to investigate the com puter security incidents The requirem ent of docum ents such as form s and reports to investigate the incident

Policies and operating procedures for backup and recovery

Training the staff and users on how to respond to incidents

EC-Council


Incident Response and Handling Steps Identification

Incident Recording

Initial Response

Form ulating a Response Strategy

Containm ent

Com m unicating the Incident

Incident Classification

Incident Investigation

Data Collection

Notifying External Agencies

Evidence Protection

Forensic Analysis

Eradication

System s Recovery

Incident Docum entation

Review and Update the Response Policies

Incident Dam age and Cost Assessm ent

EC-Council


Step 1: Identification Identification stage involves validating, identifying, and reporting the incident

This phase is necessary for categorizing and responding to incidents

Identify the incidents with the help of software packages such as antivirus software and in trusion detection tools

System and network audit logs m ay also provide sufficient inform ation to decide whether unauthorized activity has occurred or not EC-Council


Identification (cont’d) Audit log collection, exam ination, and analysis

Incident reporting and assessm ent

Collect and protect system inform ation

The actions taken in identification phase include: Assign event identity and severity level

Other system s analysis

Assign incident task force m em bers

EC-Council


Step 2: Incident Recording Incident recording is a process of accurately storing the details of occurrence of an incident

The inform ation gathered should include:

• • • •

The date and tim e the incident happened The date and tim e at which the incident was detecte d Who has reported the incident Details of the incident include: • Description of the incident • System s involved • Back up inform ation such as error m essages, log files, etc.

EC-Council


Step 3: Initial Response The first step in investigation process is to gather sufficient inform ation required to determ ine a proper incident response

It involves: • • • •

Initial investigation Details of the incident Creating incident response team Notifying individuals about the incident

The purpose of the initial response phase is to docum ent steps to be followed in responding an incident

EC-Council


Step 3: Initial Response (cont’d)

During initial response, you should:

• Check whether you are dealing with an actual incident or a false positive • Gather enough inform ation on the type and severityof attack or incident • Record your actions and docum ent the incident

EC-Council


Step 4: Com m unicating the Incident Com m unicate with the incident response team whenever you suspect the occurrence of any security breach

In order to handle the incident, the incident team lead will discuss the breach with their core team and other m em bers of the organization

While reducing the im pact of the incident, m aintain appropriate controls and coordination of the incident

Discuss the incident with legal representative to file a lawsuit against the perpetrators

EC-Council


Step 5: Containm ent Containm ent focuses on lim iting the scope and extent of an incident

Avoid conventional m ethods to trace back; this m ay alert the attackers

The com m on techniques in containm ent stage are: • • • • •

Disabling of specific system services Changing of passwords an d disabling accounts Com plete backups of the infected system Tem porary shutdown of the infected system Restoration of the infected system

EC-Council


Containm ent (cont’d) Reduce the potential effect or dam age of the incident, by quickly responding to it The response generally depends on the organization and nature of the incident occurred

The points to consider while m inim izing the risk are: • • • • • EC-Council

Providing security and safety to hum an life Protecting confidential and sensitive data Safeguarding business, scientific, and m anagerialinform ation Protecting hardware an d software against future att acks Lim iting the dam age of the com puter’s resources Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Step 6: Form ulating a Response Strategy The response strategy generally depends on the incident situation

Response strategies consider the following: • • • • • • • •

EC-Council

Are the system s seriously effected due to the incid ent? How sensitive is the com prom ised or stolen inform ation? Who are the attackers? Is the public aware of the incident? What is the unauthorized access level gain ed by atta ckers? What are the attacker skills? What is the total downtim e of the system and the user? What is the total cost of the loss ?


Step 7: Incident Classification

Classification of incidents is defined based on their severity and potential targets

Classify the incidents based on the num ber of factors such as: • • • •

EC-Council

Nature of the incident Criticality of the system s being im pacted Num ber of system s im pacted by the incident Legal and regulatory requirem ents


Step 8: Incident Investigation

Investigation is a process of gathering evidence related to an incident from system s and networks

Exam ine the investigation process to identify:

• • • •

The incident Tim e of the incident Perpetrator of the incident? Mitigation steps to prevent future occurrence

EC-Council


Step 9: Data Collection

Data collection is defined as gathering of the facts and evidence that are required for forensic analysis

Data collection involves several unique forensic challenges, such as:

• Gathering data that exceeds the com puter storage capacity • Proper collection of data to ensure integrity

EC-Council


Data Collection (cont’d)

Evidence Classification:

Host-based evidence

EC-Council

Network-based evidence

Other evidence


Data Collection (cont’d)

Host-based evidence:

• Host-based evidence consists of logs, records, docum ents, and any other inform ation available on the system

Network-based evidence:

• Network-based evidence con sists of inform ation gathered from IDS logs, pen-register/ trap and traces, router logs, firewall logs, and authentication servers

Other evidence:

EC-Council

• Other evidence consists of inform ation and evidence gathered from the people


Step 10 : Forensic Analysis

Data such as log files, system files, graphic files, web history files, em ails, installed applications etc. are gathered for analysis

Forensic analysis should attem pt to determ ine: • • • •

The victim s and attackers of the incident Nature of the incident Tim e and location of the incident What triggered the incident

EC-Council


Step 11: Evidence Protection Protect the evidence to take legal actions against the attackers

Take com plete backup of the affected system s with the help of new or never-before-used m edia devices

Store and protect the backup in either CD-R or DVD-R to prosecute the offender(s)

The stored backup can be used to recovery the data from the affected system s

Backups should be stored in a physically secure location EC-Council


Step 12: Notify External Agencies Once sufficient evidence is gathered, external agencies should be notified to file a case and prosecute the perpetrator

The external agencies include local and national law enforcem ent, external security agencies, and security experts

EC-Council


Step 13: Eradication The eradication stage rem oves or elim inates the root cause of the incident

Vulnerability analysis is perform ed in this stage

It lists counterm easures to thwart further dam age thereby securing the organization’s assets

EC-Council


Eradication (cont’d)

The possible counterm easures include:

• • • • • • • •

Using antivirus software Installing latest patches Policy com pliance checks Independent security audits Disabling unnecessary services Updating security policies and procedures Changing passwords of com prom ised system s Elim inating intruder’s access and identification of possible changes com pletely • Reinstalling com prom ised system s • Rebuilding system s EC-Council


Step 14: System s Recovery Recovering a system from an incident generally depends on the extent of the security breach

In recovery step, an affected system is restored to its norm al operations

The com puter system s and networks are m on itored and validated

Recovery stage determ ines the course of actions for an incident

Run vulnerability assessm ent and penetration testing tools to identify the possible vulnerabilities present in the system or network

EC-Council


System s Recovery (cont’d) Determ ine integrity of the backup file by m aking an attem pt to read its data Verify success of operation and norm al condition of the system Monitor the system by network loggers, system log files, and potential back doors

The actions to be perform ed in recovery stage are: • • • •

Rebuilding the system by installing new OS Restoring user data from trusted backups Exam ining the protection and detection m ethods Exam ining security patches and system logging inform ation

EC-Council


Step 15: Incident Docum entation The incident response team should docum ent various processes while handling and responding to an incident

Docum ent the steps and conclusion statem ents im m ediately after com pletion of the forensic process

The docum ent should be properly organized, exam ined, reviewed, and vetted from the m anagem ent and legal representative

The docum entation should provide: • Description of the security breach • Details of action takes place such as: • Who have handled the incident • When the incident was handled • Reasons behind the occurrence of an incident

EC-Council


Incident Docum entation (cont’d) The best way to prosecute the offender(s) is through proper docum entation

The docum ent prepared should be:

Concise and Clear:

• Prepare the reports in such a way that it is clearly understood by everyone

Standard Form at:

• Maintain a standard form at that m akes report writin g scalable, saves tim e, and enhances accuracy

Editors:

EC-Council

• Ensure that the forensic reports are edited properly


Step 16: Incident Dam age and Cost Assessm ent The two im portant evidence that are required for legal prosecution are incident dam age and cost

Costs include:

• • • • •

EC-Council

Costs due to loss of con fidential inform ation Legal costs Labor costs System downtim e cost Installation cost


Step 17: Review and Update the Response Policies Review the process after com pletion of both docum entation and recovery steps

Discuss with your team m em bers about the steps that are successfully im plem ented and the m istakes com m itted

Reviewing the response and updating policies will reduce the im pact of incident and helps you to handle future incidents

EC-Council


Training and Awareness Training and awareness provides skills required to im plem ent incident handling policies Practical training rem oves developm ental errors, im proves procedures, and reduces the occurrence of m iscom m unication

Well-trained m em bers can prevent an incident or lim it the resulting dam age

Security awareness and training should include: • • • • EC-Council

Design and planning of the awareness and trainingprogram Developm ent of the awareness and training m aterials Im plem entation of the awareness and training progra m s Measuring the effectiveness of the program an d updating it Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Training and Awareness (cont’d) Training should be conducted at specified intervals, and it should include:

• Incident handling location • Pre-assignm ent plans to handle the em ergency situation by all em ployees • Recognition and operation of utility shut-off devices

The awareness cam paign should be designed for several purposes such as:

• Knowledge and participation • Concerning plan's strategies • Contingency arrangem ents EC-Council


Security Awareness and Training Checklist Checklist for security awareness and training: • • • • • • • • •

Is the type and frequency of training noted? Are training classes for security personnel describ ed? Are training classes for basic end-users described? Are instructors for the training classes noted? Is it noted that security training is tracked andlogged? Is it noted that all courses are evaluated by theusers? Are roles and responsibilities for security awareness noted? Are roles and responsibilities for security trainin g noted? Does the plan indicate that a record of user training participation is kept? • Does the plan indicate that users are assessed fortheir security knowledge after they undergo training? EC-Council


Incident Managem ent Incident m anagem ent helps in not only responding to incident s but also helps in preventing future incidents by m in im izing the potential dam age caused by risks and threats

It consists of action plan developm ent, consistent processes that are repeatable, m easurable, and understood within the organization

Who perform s Incident Managem ent?

• • • •

EC-Council

Hum an resource personnel experienced in Incident Handling Legal council The Security Manager An outsourced service provider Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Incident Managem ent (cont’d) The objective of the incident m anagem ent is to quickly restore the services of the com puter system into norm al operations after an incident with little or no im pact on the business

It provides end-to-end m anagem ent support on how to handle security incidents or events

Incident m anagem ent involves:

• • • • EC-Council

Security policies and procedures for defining a pro cess Assigning roles and responsibilities to incident re sponse team Equipm ent, tools, and supporting m aterial Identifying and training qualified staff on handlin g security incidents Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Purpose of Incident Managem ent The incident m anagem ent is required to: • Prevent incidents and attacks by tightening the physical security of the system or infrastructure • Create awareness by conducting training program sfor em ployees and users on security issues and response plan s • Monitor and test the organization’s infrastructureto identify the weakness and vulnerabilities • Share the inform ation about the incident with other team s

EC-Council


Incident Managem ent Process Prepare:

• Plan and im plem ent an initial incident m anagem ent • Follow lessons learned and evaluate the assessm entactivities to enhance the security of the system s

Protect:

• Im plem ent security m easures to protect the com puter system from incidents • Im plem ent infrastructure protection im provem ents re sulting from postm ortem reviews or other process im provem ent m echanism s

Detect:

• Notice events and report those events • Receive the reports of events

Triage:

• Categorize, prioritize, and correlate events • Assign events for handling or response

Respond:

EC-Council

• Analyze the event • Plan a response strategy Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Incident Managem ent Process Figure : Five High-Level Incident Managem ent Processes

Source: http:/ / w w w .cert.org/

EC-Council


Incident Managem ent Team

The incident m anagem ent team provides support to all com puter system s that are affected by threats or attacks

The incident m anagem ent team consists of:

Executive m anagem ent

EC-Council

Staff support departm ent representatives

Departm ent heads whose departm ents have been directly affected by the incident


Incident Managem ent Team (cont’d)

The incident m anagem ent team is responsible for:

• • • •

EC-Council

Managing internal and external com m unications Directing response and recovery activities Monitoring the recovery progress Providing or reallocating recovery resources


Incident Response Team Incident response team is a group of security professionals within an organization who are trained and asked to respond to a security incident The response team should contain an authorized security personnel to take necessary actions against the security incidents The incident response team should: • Develop or review the processes and procedures that m ust be followed in response to an incident • Manage the response to an incident and ensure thatall procedures are followed correctly • Review changes in legal and regulatory requirem ents to ensure that all processes and procedures are valid • Review and recom m end technologies to m an age and counteract incidents • Establish relationship with local law enforcem entagency, governm ent agencies, key partners, and suppliers EC-Council


Incident Response Team (cont’d) An incident response team takes responsibility for dealing with potential or real tim e inform ation security incidents The team should be m ade of a num ber of people with knowledge and skills in different areas The representatives of incident response team are: • • • • • • • EC-Council

IT Security IT Operations Physical Security Hum an Resources Legal Departm ent Public Relations External Expertise Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Incident Response Team Mem bers Inform ation Security Officer (ISO)

Inform ation Technology Officer (ITOC)

Inform ation Privacy Officer (IPO)

Network Adm inistrator

System Adm inistrator

Business Applications and Online Sales Officer

Internal Auditor EC-Council


Incident Response Team Mem bers Roles and Responsibilities Inform ation Security Officer (ISO):

Inform ation Technology Officer:

• Provides incident handling training to m em bers • Prepares sum m ary on corrective actions taken to handle the incident

• Point of contact for various security incidents • Inform s the ISO to provide incident response team

Inform ation Privacy Officer:

• Organizes security activities with ISO • Develops com m unication with organizations that are affected by security incidents

Network Adm inistrator:

• Analyzes network traffic for signs of incidents • Perform s corrective actions against the suspected intruder by blocking the n etwork

EC-Council


Incident Response Team Mem bers Roles and Responsibilities (cont’d)

System Adm inistrator:

• Updates services packages and patches • Exam ines system logs to identify the m alicious activities

Business Applications and Online Sales Officer:

• Review business applications and services for signs of incident • Check the audit logs of critical servers that are vulnerable to attacks

Internal Auditor:

EC-Council

• Checks whether the inform ation system s are in com pliance with security policies and controls • Identify and report any security loopholes to the m anagem ent Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Developing Skills in Incident Response Personnel Appropriate books, m agazines, and other technical references should be available that help in im proving the technical knowledge of the subject

Prepare a training budget to m aintain, enhance, and increase the proficiency in technical areas and security disciplines, including the legal aspects of the incident response by the legal experts

Give opportunities to the team m em bers to perform other tasks associated with incident response

Consider the process of rotating staff m em bers who are in and out of the incident response team EC-Council


Developing Skills in Incident Response Personnel (cont’d) Maintain sufficient staff in the organization so that the team m em bers can have uninterrupted tim e of work Develop a m entoring program for senior technical staff to help less experienced staff to know about incident handling process

Hire external subject m atter experts for training

Develop various scenarios on incident handling and conduct group discussions on how they would handle them

Conduct incident handling m ock drills for the team s EC-Council


Incident Response Team Structure Incident response team should handle the incident whenever an incident is identified by any person in the organization

The incident response team should :

• Analyze the incident data • Exam ine the im pact of the incident • Minim ize the dam age and restore the system to thenorm al operations

The incident response team includes:

• Central incident response team • Distributed incident response team s • Coordinating team

EC-Council


Incident Response Team Structure (cont’d) Staffin g Mo d e ls 2 4 / 7 Availability

Em p lo ye e s

Partially Ou ts o u rce d

Fu lly Ou ts o u rce d

Te am m o d e l s e le ctio n :

Em p lo ye e Mo rale

Co s t

Staff Exp e rtis e

Organ izatio n al Stru ctu re

EC-Council


Incident Response Team Dependencies Managem ent Inform ation Security Telecom m unications IT Support Legal Departm ent Public Affairs and Media Relation s Hum an Resources Business Continuity Plann ing Physical Security and Facilities Managem ent EC-Council


Incident Response Team Services Advisory Distribution Vulnerability Assessm ent Intrusion Detection Education and Awareness Technology Watch Patch Managem ent

EC-Council


Defining the Relationship between Incident Response, Incident Handling, and Incident Managem ent


EC-Council


Incident Response Best Practices Stay calm

Assess the situation

Identify the people to handle the incident

Form a plan for resolution • Identify the problem • Do not cause any dam age • Resolve the problem

Docum ent everything

Analyze the evidence to confirm that an incident has occurred EC-Council


Incident Response Best Practices (cont’d) Notify the appropriate people Stop the incident if it is still in progress Identify the single m ost im portant and im m ediate problem Preserve evidence from the incident Wipe out all effects of the incident Identify and m itigate all vulnerabilities that were exploited Prevent reoccurrence of the incident Review the causes and resolution Confirm that operations have been restored to norm al Create a final report EC-Council


Incident Response Policy Im plem ent incident response policy supported by the m anagem ent

Decide an organizational approach

Determ ine the outside n otification procedures

Identify rem ote connections and include rem otely operating em ployees or contractors Identify the m em bers of the incident team and describe their roles, responsibilities, and functions Prepare a com m unication plan to contact the key personnel

Define and follow a m ethod for reporting and archiving the in cidents EC-Council


Incident Response Plan Checklist Does your plan accurately describe the system s it applies to? Does your plan include a contact list of key personnel? Does your plan include inform ation on roles and responsibilities? Does your plan include a diagram of the escalation fram ework? Does your plan include how to contact the agency CSIRC? Does your plan list the m em bers of the CSIRT team ? Does your plan list the m em bers of the CSIRC team ? Does your plan include a description of incident types? Does your plan include guidance on severity levels? Does your plan include inform ation on agency security policies? Does your plan include incident handling guidelines?

EC-Council


Incident Handling System : RTIR http:/ / bestpractical.com / rtir/

Re qu e s t Tracke r fo r In cid e n t Re s p o n s e ( RTIR) is an open source incident handling system It helps in handling incident reports It allows to tie m ultiple incident reports to specific incidents It m akes it easy to launch investigations to work with law enforcem ent, network providers and other partners to get to the bottom of each incident Features: • Incident response workflow • Easy and clickable m etadata lookups • Scripted action

EC-Council


Screenshot: RTIR

EC-Council


RPIER 1st Responder Fram ework http:/ / w w w .ohloh.net/ p/ rpier-infosec

Regim ented Potential Incident Exam ination Report (RPIER ) is a security tool built to facilitate 1st response procedures for incident handling It is designed to acquire com m only requested inform ation for incident handling Features: • • • • • • •

EC-Council

Fully configurable GUI Auto-update functionality with SHA1 verification Results are auto- zipped Results are auto- uploaded to central secured repository Em ail notification Pre/ post run integrity check Com m and line configuration/ execution Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

RPIER 1st Responder Fram ework: Screenshot

EC-Council


Sum m ary The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident

Incident response plan consists of a set of instructions to detect and respond to an incident

The incident response plan gathers required resources in an organized m anner to address incidents related to the security of a com puter system

Preparation is the m ost im portant aspect that allows you to respond to an incident before it occurs

Training and awareness provides skills required to im plem ent incident handling policies

Incident m anagem ent not only responds to an incident but also prevents the occurrence of future incidents by m inim izing the potential dam age caused by risks and threats

EC-Council


EC-Council


EC-Council


EC-Council Certified Incident Handler Version 1

Mo d u le IV CSIRT

News: Council of Europe and OAS Step up Efforts to Counter Terrorism and Strengthen Cyber Security

Source: http:/ / w w w .egov m onitor.com

EC-Council


Module Objective This m odule will fam iliarize you with: • • • • • • • • • • • • • •

EC-Council

CSIRT CSIRT Goals and Strategy CSIRT Vision CSIRT Mission Statem ent CSIRT Constituency Types of CSIRT Environm ents Best Practices for Creating a CSIRT Roles of CSIRTs CSIRT Services CSIRT Policies and Procedures CSIRT Incident Report Form CERT CERT(R) Coordination Center: Incident Reporting Form World CERTs Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Module Flow CSIRT

CSIRT Goals and Strategy

CSIRT Vision

Types of CSIRT Environm ents

CSIRT Constituency

CSIRT Mission Statem ent

Best Practices for Creating a CSIRT

Roles of CSIRTs

CSIRT Services

CERT

CSIRT Incident Report Form

CSIRT Policies and Procedures

CERT(R) Coordination Center: Incident Reporting Form

World CERTs

EC-Council


Introduction to CSIRT

EC-Council


What is CSIRT CSIRT stands for Com puter Security Incident Response Team

It is a service organization which provides 24x7 com puter security incident response services to any user, com pany, governm ent agency, or organization

It provides a reliable and trusted single point of contact for reporting com puter security incidents worldwide

It provides the m eans for reporting incidents and dissem inating im portant incident related inform ation

EC-Council


What is the Need of an Incident Response Team (IRT) Incident response team helps organizations to recover from com puter security breaches and threats

This team is dedicated to understand the incident response process and take necessary actions when n eeded

It is a form alized team with its m ajor job function as: ‘perform ing incident response’

The team consists of experts trained to respond an d handle incidents

EC-Council


CSIRT Goals and Strategy Goals of CSIRT: • To m anage security problem s by taking a proactiveapproach towards the custom ers’ security vulnerabilities and by responding effectively to potential inform ation security incidents • To m inim ize and control the dam age • To provide or assist with effective response and re covery • To prevent future security incidents

Strategy of CSIRT: • It provides a single point of contact for reporting local problem s • It identifies and analyzes what has happened duringan incident, including the im pact an d threat • It researches on solutions and m itigation strategie s EC-Council


CSIRT Vision

Identify the organization

Specify the m ission, goals, and objectives of an organization

Select the services to be offered by the CSIRT

Determ ine how the CSIRT should be structured for the organization

Plan the budget required by the organization to im plem ent an d m anage the CSIRT

Determ ine the resources (equipm ent, staff, infrastructure) to be used by CSIRT EC-Council


Com m on Nam es of CSIRT Com puter Incident Response Team (CIRT)

Incident Handling Team (IHT)

Incident Response Team (IRT)

Security Em ergency Response Team (SERT)

Security Incident Response Team (SIRT)

EC-Council


CSIRT Fram ework

EC-Council


CSIRT Mission Statem ent Mission Statem ent provides a basic understanding of what the team is trying to achieve

It provides a focus for the overall goals an d objectives of the CSIRT CSIRT should define, docum ent, adhere to, and widely distribute a con cise and clear m ission statem ent Mission Statem ent m ust be non-am biguous and con sist of m axim um three or four sentences It should specify the m ission with which the CSIRT is charged

EC-Council


CSIRT Constituency Constituency is the region where the CSIRT is bound to serve

It m ight be defined in the form of a statem ent an d m ay be supported by a list of dom ain nam es

CSIRT constituency m ay be bounded or unboun ded by som e constraints

CSIRT defines its constituency and its relationship to that constituency

EC-Council


CSIRT Constituency (cont’d) Typ e o f Co n s titu e n cy Se rve d

CSIRT Typ e

N atu re o f Mis s io n

International Coordination Center

Obtain a knowledge base with a global perspective of com puter security threats through coordination with other CSIRTs and building a “web of trust” am ong CSIRTs

Other CSIRTs around the world

Corporation

Im prove the security of the corporation’s inform ation infrastructure and m inim ize the threat of damage resulting from intrusions

System and network adm inistrators and system users within the corporation

Technical

Im prove the security of a given IT product

Users of the product

Table: CSIRT Types With Associated Missions and Constituencies; Source: w w w .cert.org

EC-Council


CSIRT Constituency (cont’d) The issues relating to the constituency that are to be addressed are: • • • •

EC-Council

Overlapping constituencies Relationship to constituency Prom oting the CSIRT to the constituency Gaining constituency’s trust


CSIRT’s Place in an Organization The place that a CSIRT holds in its parent organization is tightly coupled to its stated m ission

It fails when placed un der the system adm inistration departm ent of its parent organization

CSIRT m ay constitute of the entire security team for an organization, or, m ay be totally distinct from an organization’s security team

The activities of CSIRT can also be carried out by the organization’s security team

CSIRT m ust be well em bedded within the organization’s business structure

EC-Council


CSIRT’s Place in an Organization (cont’d) It com m only reside swithin, or has som e overlap, with the organization’s IT security departm ent as shown in the figure below:

Pare n t Organ izatio n

Source: w w w .cert.org

EC-Council


CSIRT’s Relationship with Peers

Figure: CSIRT Peer Relationships, Source: w w w .cert.org

EC-Council


CSIRT Types and Roles

EC-Council


Types of CSIRT Environm ents Internal CSIRT : • Provides services to their parent organization suchas bank, m anufacturing com pany, university, or any governm ent agencies

National CSIRT: • Provides services to the entire nation. For exam ple , J apan Com puter Em ergency Response Team Coordination Center (J PCERT/ CC)

Vendor CSIRT • Identifies vulnerabilities in software and hardware products

Governm ental sector CSIRT • Provides services to governm ent agencies and to the citizens in som e countries

Military sector CSIRT • Provides services to m ilitary organizations with responsibilities for IT infrastructure

Sm all & Medium Enterprises (SME) Sector CSIRT • Provides its services to its own business branch or sim ilar user group

EC-Council


Best Practices for creating a CSIRT 1 2 3 4 5 6 7 8

EC-Council

• Obtain m anagem ent support and buy-in • Determ ine the CSIRT strategic plan • Gather relevant inform ation • Design the CSIRT vision • Com m unicate the CSIRT vision and operational plan • Begin CSIRT im plem entation • Announce the operational CSIRT • Evaluate CSIRT effectiveness


Step 1: Obtain Managem ent Support and Buy-in Without m anagem ent approval and support, creating an effective incident response capability can be difficult and problem atic

Consider that the team is established: • How is it m aintained an d expanded with budget, pers onnel, an d equipm ent resources? • Will the role and authority of the CSIRT continueto be backed by m anagem ent across the various constituencies or parent organization?

EC-Council


Step 2: Determ ine the CSIRT Developm ent Strategic Plan Are there specific tim efram es to be m et? Are they realistic, and if not, can they be changed?

Is there a project group? Where do the group m em bers com e from ?

How do you let the organization know about the developm ent of the CSIRT?

If you have a project team , how do you record and com m unicate the inform ation you are collecting, especially if the team is geographically dispersed?

EC-Council


Step 3: Gather Relevant Inform ation Meet with the key stakeholders to discuss the expectations, strategic direction, definitions, and responsibilities of the CSIRT

The stakeholders can include:

• • • • • •

Business m anagers Representatives from IT Representatives from the legal departm ent Representatives from hum an resources Representatives from public relations Any existing security groups, including physical security • Audit and risk m anagem ent specialists

EC-Council


Step 4: Design your CSIRT Vision

In creating your vision, you should: • Id e n tify yo u r co n s titu e n cy: Who does the CSIRT support and give service to? • D e fin e yo ur CSIRT m is s io n , go als , an d o bje ctive s : What does the CSIRT do for the identified constituency? • Se le ct th e CSIRT s e rvice s to p ro vid e to th e co n s titu e n cy ( o r o th e rs ) : How does the CSIRT support its m ission? • D e te rm in e th e o rgan izatio n al m o d e l: How is the CSIRT structured and organized? • Id e n tify re qu ire d re s o u rce s : What staff, equipm ent, and infrastructure are needed to operate the CSIRT? • D e te rm in e yo u r CSIRT fu n d in g: How is the CSIRT funded for its initial startup and its long-term m aintenance and growth?

EC-Council


Step 5: Com m unicate the CSIRT Vision Com m unicate the CSIRT’s vision and operational plan to m anagem ent, constituency, and others who need to know and understand its operations

As appropriate, m ake adjustm ents to the plan based on their feedback

EC-Council


Step 6: Begin CSIRT Im plem entation Hire and train initial CSIRT staff

Buy equipm ent, and build any necessary network infrastructure to support the team

Develop the initial set of CSIRT policies an d procedures to support your services

Define and build an incident-tracking system

Develop incident-reporting guidelines and form s for your constituen cy

EC-Council


Step 7: Announce the CSIRT When the CSIRT is operational, announce it to the constituency or parent organization

It is best if this announcem ent is m ade by the sponsoring m anagem ent

Include the contact in form ation and hours of operation for the CSIRT in the announcem ent

This is an excellent tim e to m ake the CSIRT incidentreporting guidelines available EC-Council


Step 8: Evaluate CSIRT Effectiveness Once CSIRT is operational, the m anagem ent determ ines the effectiveness of the team and uses evaluation results to im prove CSIRT processes

It m ust ensure that the team is m eeting the needs of the constituency

The CSIRT, in conjunction with m anagem ent and the constituency, will need to develop a m echanism to perform such an evaluation

EC-Council


Role of CSIRTs CSIRTs provide IT security incident centered service to their constituency, such as: prevention, detection, correction, repression, or creating awareness building The CSIRTs services focus on attacks that are propagated via the Internet that tunnel their way to extranets, in tranets, and com puter system s The CSIRT reports preventive m easures along with the identified vulnerabilities to its constituency

The CSIRTs provide best kind of services like:

• Awareness building • Detection • Correction

EC-Council


Roles in an Incident Response Team Except for som e com m on roles, the roles in an IRT are distinct for every organization:

Incident Coordinator (IC) • The IC connects different groups • He/ she links the groups that are affected by the ni cidents, such as legal, hum an resources, different business areas, and m anagem ent

Incident Manager (IM) • The IM focuses on the incident and handles it from m anagem ent and technical point of view EC-Council


Roles in an Incident Response Team (cont’d) Incident Analyst (IA) • Incident analysts are the technical experts in their particular area • The IA applies the appropriate technology and tries to eradicate and recover from the incident Constituency • The constituency is not a part of the incident-resp onse team itself, but is a stakeholder in the incident Adm inistration • Ensures that the foundation ’s offices are returnedto norm al operations as quickly as possible • Assists in the developm ent of an alternate site asnecessary EC-Council


Roles in an Incident Response Team (cont’d) Hum an Resources • The HR is responsible for the “hum an” aspects of ht e disaster including post-event counseling and next-of-kin notification • It answers questions related to com pensation an d benefits

Public Relations • The PR is responsible for developing the m edia m ess ages regarding any event • It is responsible for all stakeholder com m unications including the board, foundation personnel, donors, grantees suppliers/ vendors, and the m edia

EC-Council


Roles in an Incident Response Team (cont’d) CSIRT

IC acts as a link between different groups (IC) Incident Coordinator

Handles an incident from m anagem ent and technical point of view

Eradicates and recovers from the incident

EC-Council

It is a stakeholder in the incident

Constituency

Ad m in is tratio n (IM) Incident Manager

Responsible for hum an aspects of disaster Hum an Resources

Ensures that the office operations return to a norm al situation (IA) Incident Analyst

Responsible for stakeholder Com m unications Public Relations


Roles in an Incident Response Team (cont’d) Other roles m ay include:

• • • • • • • • • • •

EC-Council

Support staff Technical writers Network or system adm inistrators, CSIRT infrastructure staff Program m ers or developers (to build CSIRT tools) Web developers and m aintain ers Media relations Legal or paralegal staff or liaison Law enforcem ent staff or liaison Auditors or quality assurance staff Marketing staff


CSIRT Services, Policies, and Procedures

EC-Council


CSIRT Services

CSIRT services are grouped into the following three categories: • Reactive services • Proactive services • Security quality m anagem ent services

EC-Council


Reactive Services The reactive services process the requests for assistance

They respond to incidents reports from the CSIRT constituency

They identify and rectify any threats or attacks against the CSIRT system s

The services provided include:

• • • •

EC-Council

Alerts and warnings Incident handling Vulnerability handling Artifact handling


Proactive Services The services im prove the infrastructure and security processes of the constituency before any incident occurs

The services provided include:

• • • •

Announcem ents Technology watch Security audit or assessm ent Configuration and m aintenance of security tools, applications, infrastructures, and services • Developm ent of security tools • Intrusion detection services • Security-related inform ation dissem ination

EC-Council


Security Quality Managem ent Services The security quality m anagem ent services are established services designed to im prove the overall security of an organization

These services incorporate feedback and lessons learned based on knowledge gained by responding to incidents, vulnerabilities, an d attacks

The services include:

• • • • • •

EC-Council

Risk analysis Business continuity and disaster recovery planning Security consulting Awareness building Education/ training Product evaluation or certification


CSIRT Policies and Procedures Policies are the governing principles adopted by the organizations or team s

• The policies of an organization need to be clearlystated

Policies and procedures are interrelated

Procedures detail how a team enacts activities within the boundaries of its policies • Procedures m ake a policy successful

Mem bers of an organization should clearly understand policies and procedures in order to im plem ent them

EC-Council


CSIRT Policies and Procedures (cont’d)

A policy can be defined with: • • • • • •

EC-Council

Attributes Content Validation Im plem entation Maintenance, and Enforcem ent


Attributes

A policy should be defined as a set of detailed procedures

It should outline essential characteristics for a specific topic area in the m anner that necessary inform ation is provided

EC-Council


Attributes (cont’d)

Source: w w w .sei.cm u.edu

EC-Council


Content The content of a policy is m ainly a definition of behavior in a certain topic area It defines the features that are the boun dary conditions for any policy definition The policy content features are listed in the following table:

EC-Council


Content (cont’d)

Source: w w w .sei.cm u.edu

EC-Council


Validity

After a policy has been defined, it is advisable to check its validity in practice before actually im plem enting it

Validity check finds out if all the ideas in the policy can actually be translated into real-life behavior

EC-Council


Im plem entation, Maintenance, and Enforcem ent After validating the policy, feedback should be given to the policy m akers so that they can m ake revisions

Once the policy is revised based on the feedback and it is ensured that the policy does not require further changes; the policy can be im plem ented

EC-Council


How CSIRT Handles a Case Keep a log book

Inform the appropriate people

Maintain a list of contacts

Release the inform ation

Follow up analysis

Report EC-Council


CSIRT Incident Report Form

EC-Council


Incident Tracking and Reporting System s

EC-Council


Application for Incident Response Team s (AIRT) http:/ / airt.leune.com /

AIRT is a web-based application designed and developed to support the day to day operations of a com puter security incident response team It supports highly autom ated processing of incident reports and facilitates coordination of m ultiple incidents by a security operations center

Features: • • • • EC-Council

Identify owners of networks Track incidents Autom atically im port incident reports Prepare outgoing em ails based on incident tem plates Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

AIRT: Screenshot 1

EC-Council


AIRT: Screenshot 2

EC-Council


BMC Rem edy Action Request System http:/ / w w w .bm c.com /

BMC Rem edy Action Request System provides a consolidated service process m anagem ent platform for autom ating and m anaging service m anagem ent business processes

Features: • Autom ates service m anagem ent business processes • Integrates processes with system s across the enterp rise • Adapts and evolves your processes to continually align with the needs of the business • Manages business process perform ance in real-tim e • Replaces outdated m anual system s with process autom ation that speeds the handling of unique processes • Rapidly prototypes, deploys, m aintains, and iterate s Service Managem ent applications • Captures and tracks critical business data EC-Council


BMC Rem edy Action Request System : Screenshot

EC-Council


PGP Desktop Em ail http:/ / w w w .pgp.com / PGP Desktop Em ail provides enterprises with an autom atic, transparent encryption solution for securing internal and external confidential em ail com m unications With PGP Desktop Em ail, organizations can m inim ize the risk of a data breach and com ply with partner and regulatory m andates for inform ation security and privacy Features: • Eas y, au to m atic o p e ratio n • Protects sensitive em ail without changing the userexperience

• En fo rce d s e cu rity p o licie s • Enforce data protection autom atically with centrally m anaged policies

• Acce le rate d d e p lo ym e n t • Achieves end-to-end em ail encryption using the exis ting infrastructure

• Re d u ce d o p e ratio n co s ts • Result from centralized autom ation of em ail encryption policies

EC-Council


PGP Desktop Em ail (cont’d)

EC-Council


The GNU Privacy Guard (GnuPG) http:/ / w w w .gnupg.org/

GnuPG is the GNU project's com plete and free im plem entation of the OpenPGP standard as defined by RFC4880

It allows to encrypt and sign your data and com m unication, features a versatile key m anagem ent system as well as access m odules for all kind of public key directories

Features: • • • •

Does not use any patented algorithm s Can be used as a filter program Decrypts and verifies PGP 5, 6 and 7 m essages Supports ElGam al, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER • Supports key and signature expiration dates EC-Council


Listserv http:/ / w w w .lsoft.com /

Listserv is em ail list m anagem ent software

It provides the power, reliability, and enterprise-level perform ance you need to m anage all your opt-in em ail lists

Its Web interface sim plifies em ail list and server m anagem ent, allowing you to control your lists and adm inister your server from anywhere on the Internet

EC-Council


Listserv (cont’d) Features and benefits • List owner features: • • • • • •

Supports all list types Autom atic subscriptions Autom atic bounce handling Personalization Searchable web archives RSS support

• Site adm inistrator features • • • • • • EC-Council

Multiple license sizes Virus protection Deliverability Spam control Database connectivity Custom izable web interface Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Listserv : Screenshot

EC-Council


CERT

EC-Council


CERT CERT stands for Com m unity Em ergency Response Team (CERT) CERT program helps to train people to be better prepared to respond to em ergency situations in their com m unities

CERT m em bers can provide critical support to first responders by: • Providing imm ediate assistance to victim s • Organizing spontaneous volunteers at a disaster site

EC-Council


CERT-CC


EC-Council


CERT(R) Coordination Center: Incident Reporting Form

Source: http:/ / w w w .cert.org/ reporting/ incident_ form .txt

EC-Council


CERT:OCTAVE OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation

It is a set of tools, techniques, and m ethods for risk-based inform ation security strategic assessm ent and plannin g

There are three octave m ethods:

• OCTAVE Method • OCTAVE-S • OCTAVE-Allegro

EC-Council


OCTAVE Method OCTAVE m ethod uses a three-phased approach to exam ine organization al and technology issues

It com prises of a series of workshops that are conducted by in terdisciplinary an alysis team of three to five persons of the organ ization

This m ethod focuses on:

• Identifying critical assets and the threats to those assets • Identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization • Developing a practice-based protection strategy and risk m itigation plans to support the organization's m ission and priorities

EC-Council


OCTAVE Method (cont’d)

EC-Council


OCTAVE-S OCTAVE-S uses a m ore stream lined process and different worksheets but produces the sam e result as the OCTAVE m ethod

It requires a team of 3-5 people having understanding on all the aspects of the com pany

This version does not start with gathering the inform ation regarding im portant assets, security requirem ents, threats, and security practices

The assum ption is that the analysis team is aware of this inform ation

OCTAVE-S includes only a lim ited exploration of the com puting infrastructure

EC-Council


OCTAVE Allegro OCTAVE Allegro is a stream lined variant of the OCTAVE m ethod that focuses on inform ation assets

It can be perform ed in a workshop-style, collaborative setting

It does not suit for individuals who want to perform risk assessm ent without extensive organizational involvem ent, expertise, or input

It focuses m ainly on the inform ation assets

The assets of the organization are identified and assessed based on the inform ation assets to which they are conn ected

EC-Council


OCTAVE Allegro (cont’d)

OCTAVE Allegro consists of eight steps organized into four phases: • Phase 1 - Assessm ent participants develop risk m easu rem ent criteria consistent with organizational drivers: the organization's m ission, goal objectives, and critical success factors • Phase 2 - Participants create a profile of each critical inform ation asset that establishes clear boundaries for the asset, identifies its security requirem ents, and identifies all of its containers • Phase 3 - Participants identify threats to each info rm ation asset in the context of its containers • Phase 4 - Participants identify and analyze risks toinform ation assets and begin to develop m itigation approaches

EC-Council


OCTAVE Allegro (cont’d)

EC-Council


World CERTs Asia Pacific CERTs • • • • • • • • • •

Australia CERT (AUSCERT) Hong Kong CERT (HKCERT/ CC) Indonesian CSIRT (ID-CERT) J apan CERT-CC (J PCERT/ CC) Korea CERT (CERT-KR) Malaysia CERT (MyCERT) Pakistan CERT(PakCERT) Singapore CERT (SingCERT) Taiwan CERT (TWCERT) China CERT (CNCERT/ CC)

North Am erican CERTs • • • • •

CERT-CC US-CERT Canadian Cert Cancert Forum of Incident Response and Security Team s • FIRST

EC-Council

South Am erican CERTs • CAIS • CAIS- Brazilian Research Network CSIRT • NIC BR Security Office Brazilian CERT • NBS

European CERTs • • • • • • • • •

EuroCERT FUNET CERT CERTA DFN-CERT J ANET-CERT CERT-NL UNINETT-CERT CERT-NASK Swiss Academ ic and Research Network CERT Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Australia CERT (AUSCERT)

Source: http:/ / w w w .auscert.org.au/ index.htm l

EC-Council


Hong Kong CERT (HKCERT/ CC)

Source: http:/ / w w w .hkcert.org

EC-Council


Indonesian CSIRT (ID-CERT)

Source: http:/ / w w w .cert.or.id/

EC-Council


J apan CERT-CC (J PCERT/ CC)

EC-Council

Source: http:/ / w w w .jpcert.or.jp/ english/


Malaysian CERT (MyCERT)

Source: http:/ / w w w .m y cert.org.m y / en/

EC-Council


Indian CERT

EC-Council


Pakistan CERT (PakCERT)

Source: http:/ / w w w .pakcert.org/

EC-Council


Singapore CERT (SingCERT)

Source: http:/ / w w w .singcert.org.sg/ index.php?option=com _ m jfrontpage&Item id=30

EC-Council


Taiwan CERT (TWCERT)

Source: http:/ / w w w .cert.org.tw / eng/

EC-Council


China CERT (CNCERT/ CC)

Source: http:/ / w w w .cert.org.cn/ english_ w eb/

EC-Council


US-CERT

Source: http:/ / w w w .us-cert.gov/

EC-Council


Governm ent Forum of Incident Response and Security Team s (GFIRST) GFIRST is a group of technical and tactical practitioners of security response team s responsible for securing governm ent inform ation technology system s GFIRST m em bers work together to understand and handle com puter security incidents and to encourage proactive and preventative security practices

EC-Council


Canadian Cert

EC-Council

Source: http:/ / w w w .ew a-canada.com / index.php


Forum of Incident Response and Security Team s

EC-Council

Source: http:/ / w w w .first.org/


CAIS/ RNP

Source: http:/ / w w w .rnp.br/ en/

EC-Council


NIC BR Security Office Brazilian CERT

Source: http:/ / w w w .nic.br/ im prensa/ clipping/ 20 0 8/ m idia412.htm

EC-Council


EuroCERT

Source: http:/ / w w w .eurocert.ie/

EC-Council


FUNET CERT

Source: http:/ / w w w .csc.fi

EC-Council


SURFnet-CERT

Source: http:/ / cert.surfnet.nl/ hom e-eng.htm l

EC-Council


DFN-CERT

Source: http:/ / www.dfn-cert.de/

EC-Council


J ANET-CERT

EC-Council

Source: http:/ / w w w .ja.net/ index.htm l


CERT POLSKA

EC-Council

Source: http:/ / w w w .cert.pl


Swiss Academ ic and Research Network CERT

Source: http:/ / w w w .sw itch.ch/ cert/

EC-Council


http:/ / www.first.org/ about/ orga nization/ team s/

EC-Council


http:/ / www.apcert.org/ about/ str ucture/ m em bers.htm l

EC-Council


IRTs Around the World

Copyrigh t 20 0 4 Carnegie Mellon University CERT® and CERT Coordination Cen ter ® are registered in the U.S. Patent and Tradem ark office.

EC-Council


Sum m ary CSIRT is a service organization which provides 24x7 com puter security incident response services to any user, com pany, governm ent agency, or organization CSIRT should define, docum ent, adhere to, and widely distribute a con cise and clear m ission statem ent

Constituency is the region over which the CSIRT is bound to serve

CSIRT m ay constitute the entire security team for an organization or m ay be totally distinct from an organization’s security team CERT program helps train people to be better prepared to respond to em ergency situations in their com m unities

Security accreditation refers to the acceptance an d m anagem ent of risk

EC-Council


EC-Council


EC-Council



Mo d u le I Introduction to Incident Response and Handling

Batch PDF Merger

News: Num ber of Reported Cyber Incidents J um ps Federal civilian agencies reported three tim es as m any cyber-related incidents in fiscal 20 0 8 as they did in fiscal 20 0 6 to the Hom eland Security Departm ent's office that coordinates defenses and responses to cyberattacks. Meanwhile, an official says the office suspects the actual num ber of cyber incidents is higher. Th e age n cie s re p o rte d to D H S’ U n ite d State s Co m p u te r Em e rge n cy Re ad in e s s Te am ( U S-CERT) a to tal o f 18 ,0 50 in cide n ts in fis cal 2 0 0 8 , co m p are d w ith 12 ,9 8 6 in fis cal 2 0 0 7 an d 5,14 4 in fis cal 2 0 0 6 , acco rd in g to D H S o fficials . Ove rall, th e to tal n u m be r o f in cid e n ts re p o rte d to U S-CERT fro m co m m e rcial, fo re ign , p rivate , an d fe de ral, s tate an d lo cal go ve rn m e n t s e cto rs ro s e fro m 2 4 ,0 9 7 in fis cal 2 0 0 6 to 72 ,0 6 5 in fis cal 2 0 0 8 . The Federal Inform ation Security Managem ent Act requires agencies to report cyber incidents, which are defined as acts that violate com puter security or acceptable-use policies. The types of incidents include unauthorized access, denial of service, m alicious code, im proper usage, and scans, probes and attem pted access. Mischel Kwon, US-CERT’s director, said that the num bers represent both an increase in m alware and improvem ents in the capabilities of US-CERT and agencies to detect and report cyber incidents. “As we m ature and becom e m ore robust, and we deploy m ore tools, incident num bers will go up,” she said. “Both parts of the story are true: There is an increase in m al events, and there is an increase in capabilities in order to detect those m al events.” Kwon added that the num bers were a bit deceiving because the reports are based on m anual reporting by agencies and that there are few security operations centers that m onitor federal agency networks. She said agencies don’t have the tools or analysts to review data to determ ine if incidents have occurred.

Source: http:/ / fcw .com /

EC-Council


Cyber Incident Statistics N u m be r o f cybe r in cid e n ts re p o rte d to D H S’ U n ite d State s Co m p u te r Em e rge n cy Re ad in e s s Te am 20 ,0 0 0

20 0 8

18,0 0 0 16,0 0 0 14,0 0 0

20 0 7

12,0 0 0 10 ,0 0 0 8,0 0 0 6,0 0 0

20 0 6

4,0 0 0 2,0 0 0 0

Source: http:/ / fcw .com /

EC-Council


Incidents and Events by Category 10%

4% 4% 5%

Unauthorized Access

10%

4%

7% 6%

Malicious Code Improper Usage Scans, Probes and Attempted Access 77%

FY0 8 Q4

Under Investigation

73%

FY0 9 Q1

Cyber Security Trends, QUARTERLY TRENDS AND ANALYSIS REPORT, http:/ / w w w .us-cert.gov/

EC-Council


Top Five Incidents Phishing

10% 4%

9% 4%

Malware

5%

4% 5%

Policy Violation

5%

5%

Non-Cyber

7%

72%

FY0 8 Q4

Suspicious Network Activity Others

70%

FY0 9 Q1

Cyber Security Trends, QUARTERLY TRENDS AND ANALYSIS REPORT, http:/ / w w w .us-cert.gov/

EC-Council


Case Study: Incident Handling and Response 





Th e Cas e : Xconsoft, a m ajor software developer located out of the New J ersey, realized that the sensitive inform ation from folders shared across its network is being accessed by unauthorized people and leaked to third parties. Th e Ch alle n ge s : Loss of the proprietary inform ation could result in huge financial losses. The com pany hired an established consultant for incident handling and response. The m ajor challenges in front of the consultants were to contain the dam age, assess the losses and identifying the perpetrators. Th e Re s u lt: After conducting a network-wide search for specific keywords and file nam es the consultant advised the com pany to isolate the system s that contained sensitive inform ation and took possession of suspected system s for further analysis. After going through a com plete incident handling and response cycle; and with the help of a com puter forensics investigator the com pany was able to trace the culprits. The consultant advised the com pany to develop and im plem ent effective network security policies an d deploy intrusion detection tools to defend itself from various inform ation security incidents.

Can risks involved in engaging third party consultants not effectively counter the apprehension about ROI in developing an in-house incident handling and response team ? EC-Council


Module Objective

This m odule will fam iliarize you with: • • • • • • • • •

EC-Council

Com puter Security Incident Data Classification Inform ation Warfare Key Concepts of Inform ation Security Types of Com puter Security Incidents Signs of an Incident Incident Response Incident Handling Incident Reporting Organizations


Module Flow Com puter Security Incident

Data Classification

Key Concepts of Inform ation Security

Inform ation Warfare

Types of Com puter Security Incidents

Signs of an Incident

Incident Handling

Incident Response

Incident Reporting Organizations EC-Council


Com puter Security Incident A com puter security incident m ight be any real or suspected adverse event in relation to the security of com puter system s or networks Source: w w w .cert.org

It is a violation or im m inent threat of violation of com puter security policies, acceptable use policies, or standard security practices

EC-Council


Statistics: Different Sources of Security Incidents

Source: Outlook J ournal, J anuary 20 0 8, w w w .accenture.com

EC-Council


Inform ation as Business Asset Inform ation asset is a piece of inform ation that is im portant for any business process

The loss of inform ation m ay affect the in vestm ent of organization in different business activities

Inform ation asset can be a trade secret, patent inform ation, em ployee/ personnel inform ation, or an idea to develop the business for an organization

Characteristics of Inform ation Assets: • It is recognized to be of value to the organization • It requires cost, skill, tim e, and resource • It is a part of the organization’s corporate identity

EC-Council


Data Classification Data classification is the process of classifying data based on the level of sensitivity as it is created, m odified, im proved, stored, or transm itted

Data classification helps in identifying the data for business operations

Data can be classified into five levels: • • • • • EC-Council

Top secret Confidential inform ation Proprietary inform ation Inform ation for internal use Public docum ents Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Com m on Term inologies Inform ation System : • Inform ation system processes data into useful information to achieve specified organizational or individual goals • It accepts, processes, and stores data in the formof records in a com puter system and autom ates som e of the inform ation processing activities of the organization

Inform ation Owner: • Inform ation owner is the initial owner who is capable of creating and storing inform ation

Inform ation Custodian: • Inform ation custodian is responsible for im plem enting and controlling the security m easures of an inform ation system

EC-Council


Inform ation Warfare The term Inform ation Warfare or Infowar refers to the use of inform ation and inform ation system s as weapons in a conflict in which the inform ation and inform ation system s them selves are the targets

Inform ation warfare is divided into two categories: • Offe n s ive in fo rm atio n w arfare , where an adversary attacks the inform ation resources to gain un due advantage • D e fe n s ive in fo rm atio n w arfare , is an attem pt to protect the inform ation assets against attacks

EC-Council


Key Concepts of Inform ation Security Confidentiality:

Integrity:

Availability:

EC-Council

• Refers to the prevention of the unauthorized access, disclosure, and use of inform ation, a part of the broader concept of privacy • Confidentiality is m aintain ed through user authentication and access control

• Refers to the reliability and trustworthiness of ht e inform ation • Prevention of the unauthorized changes to the data

• Guarantee of access to resources • Is a critical function for com panies that rely on electronic data and com m un ications


Vulnerability, Threat, and Attack

Vulnerability:

Threat:

Attack:

• Existence of a weakness in design or im plem entation that can lead to an unexpected, undesirable event com prom ising the security of the system

• A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data m odification, and/ or Denial of Service (DoS)

• An assault on system security that is derived from an intelligent threat

EC-Council


Types of Com puter Security Incidents Malicious code attacks: • It includes viruses, Trojan, worm s, and m aliciousscripts attacks by attackers to gain privileges, capture passwords, and m odify audit logs to perform unauthorized activity on the victim 's system s

Unauthorized access: • It includes various activities from im properly logging into a user's account to gaining unauthorized access to files and directories by obtaining adm inistrator privileges

Unauthorized use of services: • Users m ay attem pt to transfer files without authorization or use inter-dom ain access m echanism s to access files and directories belonging to another organization's dom ain

EC-Council


Types of Com puter Security Incidents (cont’d) Fraud and theft: • Inform ation system s can be exploited by autom atingtraditional m ethods of fraud

Em ployee sabotage an d abuse include: • • • • •

Destroying hardware or facilities Planting logic bom bs that destroy program s or data Intentionally entering incorrect data Crashing system s Intentionally deleting and changing data

Misuse: • It is a condition when som eone uses com puter resources for illegitim ate purpose such as storing personal inform ation in official com puter

EC-Council


Exam ples of Com puter Security Incidents

EC-Council


Verizon Data Breach Investigations Report - 20 0 8 Who is behind data breaches?

Source: Verizon’s Data Breach Investigations Report, 20 0 8. w w w .verizon.com

EC-Council


Verizon Data Breach Investigations Report - 20 0 8 (cont’d) How do breaches occur? 70

62 %

60

59 %

50 40 31 % 30

22 %

20

15 %

10 0 Were att ributed to a significant error

Resulted from hacking and intru sions

Incorporated m alicious code

Exploited a vulnerability

Were due to physical thr eats


EC-Council


Verizon Data Breach Investigations Report - 20 0 8 (cont’d) Sources of Data Breaches

External: • Intuitively, external threats originate from sources outside the organization

Internal • Internal threat sources are those originating from within the organization

Partner • Partners include any third party sharing a business relationship with the organization


EC-Council


Incidents That Required the Execution of Disaster Recovery Plans 70

% of Respondents 59 %

60

54 %

53 % 50

45 % 41 %

40

36 % 33 %

39 %

37 %

34 %

30

26 %

20

10

7%

0

Source: Sym antec Global Disaster Recovery Survey – J une 20 0 9. http:/ / w w w .sy m antec.com /

EC-Council


Signs of an Incident Accurately detecting and assessing incidents is the m ost challenging and essential part of the incident response process

Typical indications of the security incidents include:

• A system alarm , or sim ilar indication from an intru sion detection • Attem pt to logon to a n ew user account • DoS attack, or users not able to log into an account • System crashes, or poor system perform ance • Unauthorized operation of a program , or sniffer device to capture network traffic • Suspicious entries in system , or network accoun ting or other accounting inconsistencies

EC-Council


Signs of an Incident (cont’d) Signs of an incident fall into one of the two categories: • Aprecursor is a sign of incident that m ay happen in the future • Anindication is a sign of incident that have already occurred or m ay be in progress

The exam ples of precursor are: • Web server log entries that show the usage of a web vulnerability scanner • An announcem ent of a new exploit that targets a vulnerability of the organization’s m ail server • A threat from a hacktivist group stating that the group will attack the organization

The exam ples of in dication are: • The antivirus software alerts when it detects thata host is infected with a worm • The user calls the help desk to report a threatenin g em ail m essage • IDS and IPS system logs indicating an unusual devia tion from typical network traffic flows

EC-Council


Incident Categories There are 3 category of incidents:

Low level

Middle level

High level

EC-Council


Incident Categories: Low Level Low level incidents are the least severe kind of incidents

They should be handled within one day after the event occurs

Low level incidents include: • • • • • • •

EC-Council

Loss of personal password Unsuccessful scans and probes Request to review security logs Presence of any com puter virus or worm s Failure to download an ti-virus signatures Suspected sharing of the organization’s accoun ts Minor breaches of the organization’s acceptable usa ge policy Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Incident Categories: Middle Level The incidents at this level are com paratively m ore serious and thus, should be handled the sam e day the event occurs

Middle level incidents include: • • • • • • • • • • EC-Council

In-active external/ internal unauthorized access tosystem s Violation of special access to a com puter or com puting facility Unfriendly em ployee term ination Unauthorized storing and processing data Destruction of property related to a com puter incid ent Localized worm / virus outbreak Personal theft of data related to a com puter incident Com puter virus or worm s of com paratively larger intensity Illegal access to buildings Breach of the organization’s acceptable usage policy Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Incident Categories: High Level High level incidents should be handled im m ediately after the incident It poses an im m ediate threat to various system s that lead to crim inal charges, regulatory fines, or bad nam e to the organization

These include: • • • • • •

Denial of Service attacks Suspected com puter break-in Com puter virus or worm s of highest intensity; e.g.Trojan, back door Changes to system hardware, firm ware, or softwarewithout authentication Destruction of property exceeding $ 10 0 ,0 0 0 Personal theft exceeding $ 10 0 ,0 0 0 and illegal electronic fund transfer or download/ sale • Any kind of pornography, gam bling, or violation ofany law

EC-Council


Incident Prioritization Prioritizing handling of the incident is critical for the incident handling process

Incidents should not be handled on a first-com e, first-served basis

Prioritize the incidents based on two factors:

• Current and potentialte ch n ical e ffe ct of the incident • Criticality of the affected resources

EC-Council


Incident Response Incident response is a process of responding to incidents that m ay have occurred due to security breach in the system or network

It plays a m ajor role when the security of the system is com prom ised

The goal of the incident response is to handle the in cidents in a way that m inim izes the dam age and reduces recovery tim e and costs

It includes: • Responding to incidents system atically so that theappropriate steps are taken • Helping personnel to recover quickly and efficiently from security incidents, m inim izing loss or theft of inform ation and disruption of services • Using inform ation gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for system s and data • Dealing properly with legal issues that m ay ariseduring incidents

EC-Council


Incident Handling Incident handling involves all the processes, logistics, com m un ications, coordination, and planning to respond and overcom e an incident efficiently

Incident handling helps to find out trends and pattern of the intruder’s activity

Incident handling procedures help network adm inistrators in recovery, containm ent, and prevention of incidents

Incident handling policies help the corresponding staffs to understand the process of responding and tackling unexpected threats and security breaches

EC-Council


Use of Disaster Recovery Technologies Which of the following technology type do you have, and which are covered by DR Plan? Have in Organization

10 0

Covered by DR Plan

92 % 90 83 %

82 %

79 %

81 %

80

77 %

70

66 % 62 %

60

61 %

56 %

66 %

61 % 51 %

50 40

46 % 44 %

39 % 33 %

30 24 % 20 10 0


EC-Council


Im pact of Virtualization on Incident Response and Handling Do you test virtual servers as part of your disaster recovery plan?

No 27%

Ye s No

Ye s 73 %


EC-Council


Im pact of Virtualization on Incident Response and Handling (cont’d) How are your organization’s data and m ission critical applications protected in virtual environm ent? 70 % 59%

60 % 50 % 40 % 30 %

49% 43%

41%

42% 38% 27%

29%

20 % 10 % 0%


EC-Council


Estim ating Cost of an Incident Tangible Cost: • • • •

Lost productive hours Investigation and recovery cost Loss of business Loss or theft of resources

Intangible Cost: • Dam age to corporate reputation • Loss of goodwill • Psychological dam age • Those directly im pacted m ay feel victim ized • May im pact m orale or initiate fear

• Legal liability • Effect on shareholder value

EC-Council


Key Findings of Sym antec Global Disaster Recovery Survey - 20 0 9 The average cost of executing/ im plem enting disaster recovery plans for each downtim e incident worldwide according to respondents is US$ 287,60 0

The m edian cost of executing/ im plem enting disaster recovery plans for each downtim e incident worldwide ranges from approxim ately $ 10 0 ,0 0 0 to $ 50 0 ,0 0 0

In North Am erica, the m edian cost is as high as $ 90 0 ,0 0 0

Globally, the m edian disaster recovery cost is highest for healthcare and financial services organizations

In North Am erica, the m edian cost for financial institutions is $ 650 ,0 0 0


EC-Council


Incident Reporting Incident reporting is the process of reporting an encountered security breach in a proper form at The incident should be reported to receive technical assistance and raise security awareness that would m inim ize the losses Organizations m ay not report com puter crim es due to negative publicity and potential loss of custom ers

Incident reporting should include: • • • •

Intensity of the security breach Circum stances, which revealed the vulnerability Shortcom ings in the design and im pact or level ofweakness Entry logs related to the intruder’s activity

EC-Council


Incident Reporting Organizations

The organizations that deal with com puter security incidents are: • • • • • • • • • •

EC-Council

Com puter Em ergency Response Team (CERT) Com puter Security Incident Response Team (CSIRT) Forum for Incident Response and Security Team s (FIR ST) Com puter Incident Response Team (CIRT) Incident Response Center (IRC) Security Em ergency Response Team (SERT) Security Incident Response Team (SIRT) Inform ation Analysis In frastructure Protection (IAIP) CERT Coordination Center (CERT/ CC) Inform ation Sharing and An alysis Centers (ISAC)


Vulnerability Resources http:/ / w w w .kb.cert.org/ vuls/ US-CERT Vulnerability Notes Database: • Descriptions of these vulnerabilities are available from this web page in a searchable database form at, and are published as "US-CERT Vulnerability Notes".

EC-Council


Vulnerability Resources (cont’d) http:/ / w eb.nvd.nist.gov/ NVD (National Vulnerability Database): • Integrates all publicly available U.S. Governm entvulnerability resources and provides references to industry resources

EC-Council


Sum m ary Com puter security incident m ight be any real or suspected adverse event in relation to the security of com puter system s or networks

Inform ation system transform s data into useful in form ation that supports decision m aking

Incident response is an organized approach to address and m anage the afterm ath of a security breach or attack

Incident handling refers to the operational procedures used to actually m anipulate the incident and purge it from the system s

Incident reporting is the process of reporting the inform ation regarding the encountered security breach in a proper form at EC-Council


EC-Council


EC-Council



Mo d u le II Risk Assessm ent

News: Report Faults TSA Risk Assessm ent GAO fin d s age n cy d id n o t fo llo w D e p artm e n t o f H o m e lan d Se cu rity p ro ce s s The Transportation Security Adm inistration lacks the structure, policies and procedures to com plete an effective risk m anagem ent plan for freight and passenger transportation, according to a report by the Governm ent Accountability Office. Risk m anagem ent is the security watchword at the Departm ent of Hom eland Security as it attem pts to allocate m oney and other resources to the areas that are m ost vulnerable to a terrorist attack. The GAO, which audits Executive Branch program s for Congress, said that TSA did not com plete a sixstep process established by DHS to properly identify and prioritize risks to the transportation system . TSA collected threat, vulnerability and consequence inform ation, but did not perform risk assessm ent that would integrate the three com ponents for each m ode, or the transportation system as a whole, the GAO said. The GAO also said TSA set its security priorities based on intelligence, not risk assessm ent, and DHS did not review or validate TSA's m ethodology. In addition, the GAO said that TSA lacked an organizational structure to direct and control its riskm anagem ent efforts, a way of evaluating perform ance, and policies and procedures to integrate with the overall DHS risk m anagem ent plan.

Source: http:/ / w w w .joc.com /

EC-Council


Module Objective


• • • • • • • • •

EC-Council

Risk Risk Policy Risk Assessm ent NIST Risk Assessm ent Methodology Steps to Assess Risks at Workplace Risk Analysis Risk Mitigation Cost/ Benefit Analysis Residual Risk


Module Flow Risk

Risk Policy

NIST Risk Assessm ent Methodology

Risk Assessm ent

Steps to Assess Risks at Workplace

Risk Analysis

Cost/ Benefit Analysis

Risk Mitigation

Residual Risk

EC-Council


Risk

Risk is defined as the probability or threat of an incident

It is a m easure of possible inability to achieve a goal, objective, or target within a defined security, cost, plan, and technical lim itations

It adversely affects the organization’s operations and revenues

EC-Council


Risk Policy Risk policy is a set of ideas to be im plem ented to overcom e the risk

Risk policy includes:

• Rules of behavior while dealing with the com putersystem and the consequences for violating these rules • Personnel and technical controls for the com putersystem • Methods for identifying, properly lim iting, and controlling interconnections with other system s and particular m ethods to m onitor and m anage such lim its • Procedures for the on-going training of em ployeesauthorized to access the system • Procedures to m onitor the efficiency of the security controls • Provisions for continuing support if there is an ni terruption in the system or if the system crashes

EC-Council


Risk Assessm ent

EC-Council


Risk Assessm ent Risk assessm ent is the process of identifying threat sources that pose risk to the business or project environm ent

It determ ines the level of risk and the resulting security requirem ents for each system

Risk assessm ent for a new system is conducted at the beginning of the System Developm ent Life Cycle Risk assessm ent for an existing system is conducted when there are m odifications m ade to the system ’s environm ent

This process helps to identify the suitable controls to reduce risk in risk m itigation process

The organization should plan , im plem ent, an d m onitor a set of security m easures that need to be undertaken against the identified risk EC-Council


NIST’s Risk Assessm ent Methodology The NIST’s risk assessm ent m ethodology contains nine prim ary steps:

Sys te m Ch aracte rizatio n

Im p act An alys is

Ris k D e te rm in atio n

Th re ats Id e n tificatio n

Vu ln e rability Id e n tificatio n

Like lih o o d D e te rm in atio n

Co n tro l An alys is

Co n tro l Re co m m e n d atio n s

Re s u lts D o cu m e n tatio n

Source: http:/ / csrc.nist.gov/

EC-Council


Step 1: System Characterization Identify the boundaries of the IT system along with the resources and the inform ation that constitute the system

Characterize the IT system so as to establish the scope of the risk assessm ent effort

It describes the operational authorization boundaries such as hardware, software, system connectivity etc.

In p u t Hardware Software System interfaces Data and inform ation People System m ission

EC-Council

Ste p 1. Sys te m Ch aracte rizatio n

Ou tp u t System Boundary System Functions System and Data Criticality System and Data Sensitivity


System Characterization Tem plate System Nam e: Hardware Software System Interfaces Data & Inform ation Persons who support the IT system System m ission (e.g. processes perform ed by the system ) System & data criticality (system ’s value or im portance to the organization) Functional requirem ents of the IT system Users of the system System Security policies (organizational policies, federal requirem ents, industry practices, laws) System security architecture Current network topology (e.g. network diagram ) Current inform ation storage protection that safeguards system & data CIA Flow of inform ation relating to the IT system Managem ent controls used for the IT system (e.g. security planning, rules of behavior) Operational controls (e.g. back-up, contingency, and resum ption and recovery operations, personnel security…) Physical security environm ent (e.g. facility security, data center policies) Environm ental security (tem perature control, water, power)

EC-Council


Step 2: Threats Identification Threat refers to a probable im pact of a threat source exploiting the vulnerabilities in the system

To determ ine the likelihood of a threat, consider:

• Vulnerabilities of the system • Threat sources

In p u t History of system attack Data from intelligence agencies, NIPC, OIG, FedCIRC, m ass m edia

EC-Council

Ste p 2 . Th re at Id e n tificatio n

Ou tp u t Threat Statem ent


Step 2: Threats Identification (cont’d)

Hum an Threats

• • • • • • • •

EC-Council

Incorrect data entry or om issions Inadvertent acts Eavesdropping Im personation Shoulder surfing User abuse or fraud Theft, sabotage, vandalism , or physical intrusions Espionage


Step 2: Threats Identification (cont’d) Technical Threats

• • • • • • • • • • •

EC-Council

Breaking passwords for unauthorized access of the system resources Sniffing and scanning of network traffic Data/ system contam ination Malicious code infection Spam and m ail frauds Phishing that m ay result in loss of confidential private inform ation DDoS attacks Application coding errors Unauthorized m odification of a database Session hijacking System and application errors, failures


Step 3: Identify Vulnerabilities Identify the vulnerabilities associated with the system environm ent

Prepare a list of the system vulnerabilities that threat source can exploit

In p u t Reports from prior risk assessm ents Any audit com m ents Security requirem ents Security test results

EC-Council

Ste p 3 . Vu ln e rability Id e n tificatio n

Ou tp u t List of Potential Vulnerabilities


Vulnerability Report Tem plate In tro d u ctio n Date carried out: Testing Team details: Network Details: Scope of test: Exe cu tive Su m m ary OS Security issues discovered with appropriate criticality level specified: Application Security issues discovered with appropriate criticality level specified: Physical Security issues discovered with appropriate criticality level specified: Personnel Security issues discovered with appropriate criticality level specified: General Security issues discovered with appropriate criticality level specified: Te ch n ical Su m m ary

An n e xe s

EC-Council

OS Security issues discovered: Web Server Security: Database Server Security : General Application Security: Business Continuity Policy: 1: 2: 3: Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Step 4: Control Analysis Identify or plan the controls that are to be im plem ented to m inim ize the threats

Derive the probability to exercise a vulnerability in the threat environm ent

In p u t Current controls Planned controls

EC-Council

Ste p 4 . Co n tro l An alys is

Ou tp u t List of Current and Planned Controls


Step 5: Likelihood Determ ination Factors that help derive overall likelihood rating: • Threat-source m otivation and capability • Nature of the vulnerability • Existence and effectiveness of the current controls

In p u t Threat-source m otivation Threat capacity Nature of vulnerability Current controls

Ste p 5. Like lih o o d D e te rm in atio n


EC-Council

Ou tp u t Likelihood Rating


Step 6: Im pact Analysis Determ ine the im pact of a threat when a vuln erability is successfully exercised Consider the system m ission, system and data criticality, and system and data sensitivity to perform im pact analysis Prioritize the im pact levels that are associated with the com prom ise of an organization’s inform ation assets Use qualitative or quantitative assessm ent to determ ine the sensitivity and criticality of the inform ation assets

In p u t Mission im pact analysis Asset criticality assessm ent Data criticality Data sensitivity

EC-Council

Ste p 6 . Im p act An alys is Loss of Integrity Loss of Availability Loss of Confidentiality

Ou tp u t Im pact Rating


Step 7: Risk Determ ination Assess the level of risk to the IT system

The likelihood of a given threat-source’s attem pting to exercise a given vulnerability

The im pact of a threat-source when it successfully exercises the vulnerability

In p u t Likelihood of threat exploitation Magnitude of im pact Adequacy of planned or current controls

EC-Council

The adequacy of planned or existing security controls for reducing or elim inating risk

Ste p 7. Ris k D e te rm in atio n

Ou tp u t Risks and Associated Risk Levels


Step 8: Control Recom m endations Recom m end the controls to be im plem ented to reduce the level of risk

The im plem ented controls should reduce the risk to an acceptable level

Factors to be considered in recom m ending controls:

• • • • •

Effectiveness of recom m ended options Legislation and regulation Organizational policy Operational im pact Safety and reliability

EC-Council

In p u t Ste p 8 . Co n tro l Re co m m e n d atio n s

Ou tp u t Recom m ended Controls


Step 9: Results Docum entation Results of risk assessm ent should be presented in an official report or briefing

Result docum ent should be m ade available to the concerned staff, risk control developers, and risk auditors Risk assessm ent report should include: • • • • • • • •

List of the identified vulnerabilities and risks Risk sum m ary Risk likelihood rating Risk im pact rating Overall risk rating Analysis of the relevant controls List of the recom m ended controls Appendix section containing incident logs and reports of initial risk assessm ent phase

EC-Council

In p u t Ste p 9 . Re s u lts D o cu m e n tatio n

Ou tp u t Risk Assessm ent Report


Risk Assessm ent Report Tem plate Ris k No.

Vu ln e rability

EC-Council

Th re at

Ris k

Ris k Su m m ary

Ris k Like lih o o d Ratin g

Ris k Im p act Ratin g

Ove rall Ris k Ratin g

An alys is o f Re le van t Co n tro ls an d Oth e r Facto rs

Re co m m e n d atio n s


Steps to Assess Risks at Work Place The steps involved in risk assessm ent at work place are:

Hazards identification

Decide who will be harm ed and how

Analyze risks and check for precautions

Im plem ent results of the risk assessm ent

Review risk assessm ent

EC-Council

1

2

3

4

5 Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Step1: Identify Hazards A hazard is anything that m ay cause harm

Check out the hazards you com e across at a work place

Identify the things that cause harm at the work place

Take the em ployee’s opinion

Take the guidance of a trade association if you are a m em ber

EC-Council


Step 2: Determ ine Who Will be Harm ed and How For each hazard, identify who m ight be harm ed

Identify how they m ight be harm ed

Extra thought will be needed for som e hazards

Do not forget to think of anyone

Ask the staff if anyone is left

EC-Council


Step 3: Analyze Risks and Check for Precautions Analyze risks and check for precautions After spotting all the hazards, think about the precautions to be taken Try a less risky option Prevent access to the hazard Issue personal protective equipm ent Provide welfare facilities

EC-Council


Step 4: Im plem ent Results of Risk Assessm ent Risk assessm ent m ust be suitable and sufficient

Im plem ent a tem porary solution until m ore reliable controls are in place

Identify a long term solution to the risks that im pact m ore critical infrastructure

Train the em ployees on the identified risks and their control m easures

Frequently check whether the control m easures stay in place

EC-Council


Step 5: Review Risk Assessm ent

Revisit your risk assessm ent plan

Find out if any changes are to be m ade

Enquire if any workers have spotted a problem

Make sure the risk assessm ent is up to date

EC-Council


Risk Analysis

EC-Council


Risk Analysis Risk analysis involves the process of defining and evaluating the dangers

It is used to determ ine all possible and significant risks for your particular business

Risk analysis should be con ducted properly in order to put a proper response in place, based on the am ount of risk

Ris k An alys is = Ris k As s e s s m e n t + Ris k Man age m e n t + Ris k Co m m u n icatio n

EC-Council


Need for Risk Analysis Risk analysis identifies risks within the organization and the potential losses associated with these risks It is required to define procedures through which an organization can survive or reduce the probability of risks

It helps in analyzing five elem ents:

• • • • •

EC-Council

Assets (resources of an organization) Disruptive events ( threat to an organization) Vulnerabilities (weakness of an organization) Losses (due to occurrence of the adversity) Safeguards (preventive m easures against vulnerabilities)


Risk Analysis: Approach There are two approaches of risk analysis:

Quantitative risk analysis • It is num erical determ ination of the probability of an adverse event and the extent of the losses due to the event • It assigns num eric values to the com ponents of therisk assessm ent and potential loss • Ris k = Pro bability o f Lo s s X Lo s s

Qualitative risk analysis • It does not use num erical m ethods to determ ine the probability of an adverse event and the extent of the losses • Here, • Ris k = ( Attack Su cce s s + Criticality) – ( Co u n te rm e as u re s )

EC-Council


Risk Mitigation

EC-Council


Risk Mitigation Risk m itigation includes all possible solutions for reducing the probability of the risk and lim iting the im pact of the risk if it occurs

It involves the im plem entation of risk control m easures outlined in risk assessm ent process

Apply a least cost approach and im plem ent appropriate controls to reduce risks

EC-Council


Risk Mitigation Strategies Risk m itigation strategy determ ines the circum stances under which the action has to be taken to m inim ize and overcom e risks Risk m itigation strategies are selected according to discovered and exploited vulnerability, and the expected im pact of the risk Organization can use one or m ore of the following strategies:

Risk assum ption • It is a risk m itigation strategy where an organization absorbs m inor risks while preparing to respond to m ajor ones Risk avoidance • It is a strategy to avoid risks either by engagin gin alternate activities or preventing specific exposure from the risk sources

EC-Council


Risk Mitigation Strategies (cont’d) Risk lim itation • This strategy focuses on lim iting the exposure tothe risk

Risk planning • This strategy focuses on com prehensive plan developm ent for risk assessm ent and m itigation

Research and acknowledgm ent • This strategy focuses on m inim izing the probabilityof risks and losses by searching vulnerabilities in system and appropriate controls

Risk transference • It is a strategy where loss is m inim ized by transferring risks to other parties either in the form of insurance or contract EC-Council


Risk Mitigation Strategy (cont’d)

EC-Council



Cost/ Benefit Analysis Cost/ benefit analysis is done for each proposed control to find out which control is required and suitable under the given circum stances

It is the process of analyzing the business decisions

It can be qualitative or quantitative

A cost benefit analysis finds, quantifies, and adds all the positive factors and subtracts all the negative factors and produces the net result

It dem onstrates that the costs of im plem enting the controls can be justified by the reduction in the level of risk EC-Council


NIST Approach for Control Im plem entation Step 1

Step 2

Step 3

Step 4

Step 5

Step 6

Step 7

EC-Council

• Prioritize actions

• Evaluate recom m ended control options

• Conduct cost-beneficial analysis

• Select control

• Assign responsibility

• Develop a safeguard im plem entation plan

• Im plem ent selected controls Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Residual Risk Risk that rem ains after im plem entation of all the possible risk control m easures is called as residual risk

The im plem ented risk con trol m easure cann ot rem ove the risks com pletely

They are intended to reduce the risk level to zero

Re s id u al Ris k= ( In h e re n t Ris k) X ( Co n tro l Ris k)

• Wherein h e re n t ris k = ( th re ats x vu ln e rability)

EC-Council


Residual Risk (cont’d) The relationship between control im plem entation and residual risk is illustrated by a flowchart below:


EC-Council


Risk Managem ent Tools

CRAMM

Acuity STREAM

Callio Secura 17799

EAR / Pilar

EC-Council


CRAMM http:/ / w w w .cram m .com /

CRAMM helps in assessing, designing, and m anaging inform ation security strategy CRAMM is based on the UK Governm ent's preferred risk assessm ent m ethodology

Features: • A com prehensive risk assessm ent tool in com pliancewith ISO 270 0 1 • Supports inform ation security m anagers to plan andm anage security • Tool wizards create pro-form a inform ation securitypolicies and other related docum entation • Supports key processes in business contin uity m anagem ent • A database of over 30 0 0 security controls referenced to relevant risks and ranked by effectiveness and cost EC-Council


Working of CRAMM CRAMM provides a staged approach em bracing both technical (e.g. IT hardware an d software) and non-technical (e.g. physical an d hum an) aspects of security CRAMM follows a three stage approach: Asset identification an d valuation • CRAMM enables the reviewer to identify the physical (e.g. IT hardware), software (e.g.. application packages), data (e.g. the inform ation held on the IT system ) and location assets that m ake up the inform ation system • Data and software assets are valued in term s of the im pact that would result if the inform ation were to be unavailable, destroyed, disclosed or m odified

Threat and vulnerability assessm ent • CRAMM covers the full range of deliberate and accid ental threats that m ay affect inform ation system s including hacking, viruses, failures of equipm ent or software, willful dam age or terrorism and errors by people

Counterm easure selection and recom m endation • CRAMM contains a large counterm easure library consisting of over 30 0 0 detailed counterm easures organized into over 70 logical groupings

EC-Council


CRAMM: Screenshot

EC-Council


Acuity STREAM http:/ / w w w .acuity rm .com /

STREAM autom ates the com plex processes involved in m anaging com pliance with standards and delivering effective risk m anagem ent

It is a m ulti-concurrent user, role based software tool, with a central database, used in real-tim e by risk m anagers, risk analysts, business stakeholders, control owners, and internal auditors It provides inform ation for senior m anagers, on the status of com pliance across the business with key control standards, and on the level of residual risk m easured in relation to defined business appetites

EC-Council


Com ponents of STREAM

EC-Council


STREAM: Screenshot

EC-Council


Callio Secura 17799 http:/ / w w w .callio.com /

Callio Secura 17799 is software that enables com panies to com ply with the ISO 17799/ BS 7799 inform ation security m anagem ent standard It helps in: • Managing threats, vulnerabilities and controls • Managing various types of evaluation criteria, such as confidentiality, availability, integrity and legal com pliance • Custom izing the vuln erability, occurrence and criterion scales used during the asset evaluation and risk assessm ent processes • Verifying level of com pliance with ISO 17799 (gapanalysis) • Com piling an inventory of your com pany’s m ost im portant assets; • Defining the structures and processes within yourISMS • Mitigating the risks to each asset; • Defining scenarios for the im plem entation of contro ls • Drafting security policies • Managing policy docum ents • Making policies, standards and procedures electronically available • Verifying whether ISMS m eets the requirem ents forBS 7799-2 certification; • Docum enting and justifying the application of theISO 17799 standard’s 127 controls to m anagem ent fram ework

EC-Council


Screenshot: Callio Secura 17799

EC-Council


Screenshot: Callio Secura 17799

Define unlim ited num ber of team s that m anage access to docum ent m anagem ent

Define user roles within each team

Link team s with any ISMS

EC-Council


EAR / Pilar http:/ / w w w .ar-tools.com /

EAR / PILAR is designed to support the risk m anagem ent process along long periods, providing increm ental analysis as the safeguards im prove

Its functionalities include:

• Quantitative and qualitative risk analysis • Managem ent quantitative and qualitative business m i pact analysis & continuity of operations

EC-Council


Screenshot: Pilar

EC-Council


Screenshots: Pilar

EC-Council


Sum m ary Risk is defined as the probability or threat of an incident

Risk policy is a set of ideas to be im plem ented to overcom e the risk

Risk assessm ent is identifying the resources that pose a threat to the business or project environm ent

Risk analysis involves the process of defining and evaluating the dangers

Risk m itigation involves im plem enting the risk reducing controls that reduces the level of the risk EC-Council


EC-Council


EC-Council



Mo d u le V

Batch PDF Merger

Handling Network Security Incident

News: Microsoft Responds to Xbox Live Denial-of-service Attack

EC-Council

Source: w w w . arstechnica.com


Module Objective This m odule will fam iliarize you with: • • • •

EC-Council

Handling Denial-of-Service Incidents Handling Unauthorized Access Incidents Handling Inappropriate Usage Incidents Handling Multiple Com ponent Incidents


Module Flow Denial-of-Service Incidents

Detecting DoS Attacks

Incident Handling Preparation for DoS

Unauthorized Access Incident

Preventing DoS Incidents

DoS Response Strategies

Detecting Unauthorized Access Incident

Preventing Unauthorized Access Incident

Inappropriate Usage Incidents

Prevention of Inappropriate Usage Incidents

Handling and Prevention of Inappropriate Usage Incidents

Detecting Inappropriate Usage Incidents

Multiple Com ponent Incidents

Containm ent Strategy for Multiple Com ponent Incidents

EC-Council


Handling Denial-of-Service Incidents

EC-Council


Denial-of-Service Incidents Denial-of-Service (DoS) attack prevents the authorized users to access networks, system s, or applications by exhausting the network resources

DoS attack involves:

• Consum ing all available bandwidth by generating huge network traffic • Making m any processor-intensive requests so that ht e server’s processing resources are fully consum ed • Sending m alform ed TCP/ IP server requests that resu lts in server’s operating system crash • Sending illegal requests to an application • Establishing sim ultaneous login sessions to a server so that other users cannot start login sessions • Consum ing all available disk space by creating m any large files EC-Council


Distributed Denial-of-Service Attack Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large num ber of com prom ised system s, known as botnet, attack a single target to cause a Denial-of-Service for the users of the targeted system In a DDoS attack, attackers first infect s m ultiple system s called zom bies, which are then used to attack a particular target

Attacker infects handler system s Handler system s then infect num erous system s (zom bies)

Attacke d Zom bies then attack the target system together

EC-Council


Detecting DoS Attack

Indications for a network-based DoS attack : • Reports of the users regarding system and serviceunavailability • Undefined connection losses • Alert from network intrusion detection system • Alert from host intrusion detection system • Increase in utilization of the network’s bandwidth • A host having num ber of connections • Asym m etric network traffic pattern • Unusual Log entries of firewall and router and OS • Data Packets with unusual source addresses • Data Packets with unusual destination addresses

EC-Council


Incident Handling Preparation for DoS 1

• Contact Internet Service Providers (ISP) and theirsecond tier agents to determ ine how they can help in handling network based DoS attack

2

• Contact organizations such as CERT and Internet Crim e Com plaint Center (IC3) to for help in handling the DoS attack

3

• Configure and deploy IDS (Intrusion Detection Syste m ) and prevention software to detect DoS traffic

4

• Perform ongoing resource m onitoring to establish ht e network bandwidth utilization

5

• Check various web sites that provide statistics onlatency between various ISPs and between various physical locations which is referred to as Internet health m onitoring

6

• Discuss with network infrastructure adm inistratorsregarding the m ethod by which they can assist in analyzing and containing network-based DoS and DDoS attacks

7

• Create and m aintain updated docum entation of incident handling process

EC-Council


DoS Response Strategies Absorbing the attack • Using additional capacity to absorb attack; it requires preplanning and additional resources

Degrading services • Identifying critical services and stopping n on critical services

Shutting down the services • Shut down all the services until the attack has subsided

EC-Council


Preventing a DoS Incident The network perim eter should be configured in such a way that it denies all incom ing and outgoing traffic/ services that are not required

DoS attack can be prevented : • • • • • • •

By blocking Echo services; that is used for DoS att ack Through filtering and blocking the entrance and exit ports By blocking traffic from unassigned IP address ranges By following the firewall rules and router accesscontrol lists to block traffic properly Configuring the border routers so that directed broadcasts are n ot forwarded By lim iting the incom ing and outgoin g ICMP trafficfor the necessary types and codes By jam m ing outgoin g connections to com m on IRC, peer-to-peer service, and instant m essaging ports if the usage of such services is not perm itted

EC-Council


Preventing a DoS Incident (cont’d) Restricting certain protocols such as ICMP to consum e only a pre-determ ined percentage of the total bandwidth

Im plem ent redundancy for key functions

Make sure that networks or system s are n ot running at threshold capacity since it would be easy for a m inor DoS attack to take up the rem aining resources

EC-Council


Following the Containm ent Strategy to Stop DoS The exploited vulnerability or weakness should be corrected Im plem ent the filters after determ ining the m ethod of attack

Im plem ent the ISP filtering

Reposition the attack host

Attack the attackers

EC-Council


Following the Containm ent Strategy to Stop DoS (cont’d) Configure router and firewall rules Establish a well docum ented m ethod for seeking assistance from ISPs and second-tier providers in responding to network based DoS attacks Configure security software such as IPS and IDS to detect DoS attacks Monitor network traffic using tools such as EtherApe, SolarWinds and Nagios Restrict all incom ing and outgoing traffic that is not required Prepare a containm ent strategy which includes several solutions in sequence EC-Council


Handling Unauthorized Access Incidents

EC-Council


Unauthorized Access Incident Unauthorized access is a condition where a person gains access to system and network resources which he/ she was not authorized to have

Exam ples of unauthorized access incidents:

• • • • • • • • EC-Council

Perform ing the rem ote root com prom ise on the em ailserver Changing the web server contents By guessing or cracking passwords of application Copying sensitive data without authorization Installing and runnin g packet sniffer on the workstation Using the FTP server to distribute the pirated software and m usic files For gaining the internal network access by dialingthe unsecured m odem Accessing the workstation using a false ID Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Detecting Unauthorized Access Incident Indications of root com prom ise in a host: • Suspicious tools or exploits are found • Strange network traffic • System configuration changes, including: • • • • • •

EC-Council

Modifications or additions of services Unpredicted open ports Network interface card set to prom iscuous m ode Suddenly, system shuts down and restarts Changes in log and audit policies Creation of new adm inistrative level user account or group Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Detecting Unauthorized Access Incident (cont’d) Indications of root com prom ise in a host

• Change in significant files such as OS files, System library • Usage of secret account • Increase in the usage of resources • User reports of system unavailability • Alerts of network and host intrusion detection • Creation of new files or directories with unusual nam es • Log m essages of the operating system and application • Attackers inform ing of com prom ising a host EC-Council


Detecting Unauthorized Access Incident (cont’d) Unauthorized data m odification • • • • •

Alert of network and host IDS Increase in the usage of resource Reports of users regarding unexpected data m odifications Changes in critical files Creation of new files or directories with unusualnam es

Unauthorized usage of standard user account • Unauthorized access attem pts to the im portant files • Usage of secret account • Log entries of the web proxy which shows the downlo ading of the attacker’s tool EC-Council


Detecting Unauthorized Access Incident (cont’d) Physical intruder • Report of the user regarding network or system unavailability • System status changes • Misplaced hardware parts • Unauthorized hardware found

Unauthorized data access • IDS, IPS, and firewall alert for data access through FTP, HTTP, and other protocols • Logs entries showing access attem pts to the critical files EC-Council


Incident Handling Preparation 1 2 3 4

EC-Council

• Configure network based and host based IDPS to identify and alert any attem pt to gain unauthorized access • Use centralized log servers so that the im portant ni form ation from hosts across the organization is stored in a particular safe location • A well docum ented password policy should be created for all users of applications, system s, trust dom ains, or the organization • Make system adm inistrators aware of their responsib ilities in handling unauthorized access incidents


Incident Prevention

Network Security • Design the network in such a way that it blocks the suspicious traffic • Properly secure all rem ote access m ethods, including m odem s and VPNs • Move all publicly accessible system s and services to secured Dem ilitarized Zone (DMZ) • Use private IP addresses for all hosts located on internal networks

EC-Council


Incident Prevention Host Security • Perform regular vulnerability assessm ents to identify serious risks and m itigate the risks to an acceptable level • Disable all un wanted services on hosts • Run services with the least privileges possible toreduce the im m ediate im pact of successful exploits • Use host-based/ personal firewall software to lim itthe individual hosts’ exposure to attacks • Lim it unauthorized physical access to logged-in syst em s by requiring hosts to lock idle screens autom atically and asking users to log off before leaving the office • Regularly verify the perm ission settings for critical resources, including password files, sensitive databases, and public web pages

EC-Council


Incident Prevention (cont’d)

Authentication and Authorization

• Prepare the appropriate password policy • Strong authentication should be required for accessing critical resources • Create authentication and authorization standards of r em ployees and contractors to follow when evaluating or developing software • Establish procedures for provisioning and de-provis ioning user accounts

EC-Council


Incident Prevention (cont’d)

Physical Security • Restrict access to critical resources by im plem enting physical security m easures

EC-Council


Following the Containm ent Strategy to Stop Unauthorized Access Isolate the affected system s

Disable the affected service

Elim inate the attacker’s route into the network

Disable user accounts that m ay have been used in the attack

Enhance physical security m easures EC-Council


Eradication and Recovery Eradicate the incident • Identify and m itigate all vulnerabilities that were exploited • Patch the system s • Rem ove com ponents of the incident from system s

Recover from the incident • Return affected system s to an operations ready state • Confirm that the affected system s are function ing norm ally • Im plem ent additional m onitoring to look for related activity in future • Form ulate and regularly update security policies EC-Council


Recom m endations Install the IDS for alerting the attem pts regarding unauthorized access

Configure centralized logging for all users

Establish password security policy such that users change their passwords regularly

Design the network in such a way that it blocks the suspicious traffic

Secure all rem ote access m ethods including VPNs

Use DMZ to host publically accessed system s and services EC-Council


Recom m endations ( cont’d) Disable the unwanted services Install the host-based firewall software to lim it the individual hosts’ exposure to attacks Create and im plem ent a password policy

Provide the details of the m anagem ent change to the IRT Select m itigation strategies considering both short and long term business objectives Restore or reinstall system s that appear to have suffered a root com prom ise EC-Council


Handling Inappropriate Usage Incidents

EC-Council


Inappropriate Usage Incidents An inappropriate usage incident occurs when a user perform s actions that violate the acceptable com puting use policies

Exam ples :

• • • • • •

Installing password cracking tools Downloading pornography m aterial Sending spam m ails which prom ote the personal busin ess Sending em ails to colleagues which irritates them Hosting unauthorized websites on the com pany’s com puter Using sharing services to distribute or acquire pir ated m aterials • Sending critical data outside the com pany EC-Council


Inappropriate Usage Incidents (cont’d) Inappropriate usage incidents directed at outside parties m ay cause m ore loss to organizations in the form of dam age to reputation and legal liabilities

Exam ples :

• An internal user changing the content of another organization public website • An internal user purchasing item s from online retailers by using the stolen credit card num bers • Sending the em ail to the third party with the spoofed source em ail address from the com pany • Perform ing the DoS attack against any other organization using the com pany’s resources

EC-Council


Detecting the Inappropriate Usage Incidents Unauthorized service usage • • • • • • •

Alert from the intrusion detection system Unusual network traffic Installation of the new process and software runnin g on a host Creation of the new files or directories with abnorm al nam es Increase in the resource utilization Report of the user Log entries of application

Access to inappropriate m aterials • • • •

Alert from the intrusion detection system Report of the user Log entries of the application Inappropriate files on com puters, servers, and onthe rem ovable m edia

Attack against external party • Alert from the intrusion detection system • Reports of outside party • Log entries of network, host, and application

EC-Council


Incident Handling Preparation Form ulate security policies in coordination with the hum an resources and legal departm ent representatives to handle the inappropriate usage incidents

Discuss with the m em ber of the organization’s physical security team regarding internal users’ behavior

Meet with the concerned person of the legal departm ent regarding the liability issue particularly with those type of incidents that are targeted to outside parties

EC-Council


Incident Handling Preparation

Install IDS, em ail content filtering software, security controls tools to identify certain types of activity, including:

Anti-Virus

• Using the unauthorized services like peer-to-peerfile and m usic sharing • Spam • File with suspicious file extension • Reconnaissance activity • Outbound attack

Register the log of user activities such as FTP com m ands, web requests, and em ail headers

EC-Council


Incident Prevention Install firewall and intrusion detection an d prevention system s to block the use of service which violate the organ ization’s policy

Organize the Em ail server in such a way that they cannot be used for sending spam

Install the spam filter software

Filter the URL to prevent the access of inappropriate websites

Im plem ent the outboun d connection which use the encrypted protocols such as HTTP secure, secure shell, and IP security protocol EC-Council


Recom m endations Meet with the hum an resources and legal departm ents representative for discussing the handling of inappropriate usage incidents Meet with the representative of the organization’s legal departm ent to discuss liability issues Install IDS to detect certain types of inappropriate usage

Register the log of the user’s activity

Filter the em ail server to prevent relaying of the unauthorized m ail

Use the spam filter software to filter the spam on the em ail server

Install the URL filtering software EC-Council


Handling Multiple Com ponent Incidents

EC-Council


Multiple Com ponent Incidents The m ultiple com ponent incidents consist of com bination of two or m ore attacks in a system

Exam ples of m ultiple com ponent incident are:

• Malicious code attacks using em ails • The additional workstation and servers gets infecte d using that m alicious code by the attacker • These workstation can be used by the attacker as ahost to launch DDoS attack against another organization

EC-Council


Multiple Com ponent Incidents (cont’d)

EC-Council


Preparation for Multiple Com ponent Incidents It is difficult to analyze the m ultiple com pon ent incidents, since the incident handler m ay not be aware that the incident is com posed of several stages

Ask the incident handling team to review the scenarios involving m ultiple com ponent incidents

Centralized logging and IDS software should be used to analyze the incident

When all the precursors an d indications are accessible from a single point, then the incident handler m ust con sider that the in cident is of m ultiple com ponents EC-Council


Following the Containm ent Strategy to Stop Multiple Com ponent Incidents Any incident can turn out to be the m ultiple com ponent incident hence the incident handler should not stop after getting signs of a particular incident

Discovering and containing all com ponents of an incident require extra tim e and effort

Good and experienced handlers can guess whether an incident has other com ponents

EC-Council


Recom m endations Use the centralized logging and event correlation software

Search for the signs of other com ponents after controlling the incident

Separately prioritize the handling of each incident com ponent

EC-Council


Network Traffic Monitoring Tools

EC-Council


ntop http:/ / w w w .ntop.org/

ntop is a network traffic probe that shows the network usage, sim ilar to what the popular top Unix com m and does

Features: • • • • • • •

EC-Council

Sort network traffic according to m any protocols Show network traffic sorted according to various criteria Display traffic statistics Store on disk persistent traffic statistics in RRDform at Identify the identity (e.g. em ail address) of com puter users Passively (i.e. without sending probe packets) identify the host OS Show IP traffic distribution am ong the various protocols


ntop: Screenshot

EC-Council


EtherApe http:/ / etherape.sourceforge.net/

EtherApe is a graphical network m onitor for Unix m odel and displays network activity graphically It can filter traffic to be shown and can read traffic from a file as well as live from the network

Features: • • • • •

EC-Council

Data display can be refined using a network filter Nam e resolution is done using standard libc functio ns Protocol sum m ary dialog shows global traffic statis tics by protocol Live data can be read from Ethernet, FDDI, PPP andSLIP interfaces Clicking on a node/ link opens a detail dialog showin g protocol breakdown and other traffic statistics Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

EtherApe: Screenshot

EC-Council


Ngrep http:/ / ngrep.sourceforge.net/

ngrep is a pcap-aware tool that allows you to specify extended regular or hexadecim al expressions to m atch against data payloads of packets It is used to debug plaintext protocol interactions such as HTTP, SMTP, FTP, etc., to identify and analyze anom alous network com m unications It is used to do the m ore mundane plaintext credential collection as with HTTP Basic Authentication, FTP, or POP3 authentication

EC-Council


SolarWinds: Orion NetFlow Traffic Analyzer http:/ / w w w .solarw inds.com / Orion NetFlow Traffic Analyzer (NTA) analyzes NetFlow, J -Flow, and sFlow data and perform s CBQoS m onitoring to deliver a com plete picture of network traffic It enables you to quantify exactly how your network is being used, by whom , and for what purpose Features: • Quickly and easily identifies which users, applications, and protocols are consum ing the m ost network bandwidth • Monitors network traffic by capturing flow data fro m network devices • Perform s Class-Based Quality of Service (CBQoS) m onitoring to ensure that your traffic prioritization policies are effective • Enables you to quickly drill-down into traffic onspecific network elem ents • Generates network traffic reports EC-Council


SolarWinds: Orion NetFlow Traffic Analyzer: Screenshot 1

EC-Council


SolarWinds: Orion NetFlow Traffic Analyzer: Screenshot 2

EC-Council


Nagios: op5 Monitor http:/ / w w w .op5.com /

op5 Monitor is an easy to use network m onitoring system that finds and handles any problem s that m ay arise in your IT environm ent It creates a com prehensive, easy to understand overview that enables sim ple root cause analysis It helps you identify the prim ary cause of potential problem s in your network before m ajor dam age is done It com m unicates with devices on the network and collects data about their operational status EC-Council


Nagios: op5 Monitor (cont’d) Features: • Capable of m onitoring network devices, workstation, servers, services, and software applications • Autom atic back-up and restore of specific configura tion files • Enhanced security with SSL encryption and m ulti use r access capabilities • Monitor all layers of virtual environm ents from one tactical overview • Enables users to define exceptions in a given tim eperiod • Easy to use graphical user interface (GUI) for m anagem ent and configuration • Notifications and escalations sent via, Em ail, SMS,and Pager • Schedule functionality with autom atic weekly and monthly em ail distribution in PDF form at EC-Council


op5 Monitor: Screenshot 1

EC-Council


op5 Monitor: Screenshot 2

EC-Council


CyberCop Scanner http:/ / w w w .nss.co.uk/

CyberCop Scanner is the network security assessm ent com ponent that can scan devices on the network for m ore than 70 0 vulnerabilities

It can be configured to search for the vulnerabilities that are of particular concern in accordance with the corporate security policy

It is known as a s e n s o r com ponent because it is essentially concerned with m onitoring and collecting data

It can run on either a Windows (NT or 20 0 0 ) or Unix (Red Hat Linux) platform

EC-Council


CyberCop Scanner (cont’d) Reporting and analysis: • Allows com parison of results for two hosts specifie d by IP address • Allows com parison of results for two scan sessionsspecified by date and tim e • Provides a graphical sum m ary report with pie charts for different report categories (Com plexity, Ease of Fix, Im pact, Popularity, Risk Factor, Root Cause) • Displays results by the difficulty involved in exploiting a vulnerability (Low, Medium , High) • Displays results by the specific threat posed by avulnerability (System Integrity, Confidentiality, Accountability, Data Integrity, Authorization, Availability, Intelligence) • Displays results by the likelihood that a vulnerability will be exploited (Obscure, Widespread, Popular) EC-Council


CyberCop Scanner: Screenshot 1

EC-Council


CyberCop Scanner: Screenshot 2

EC-Council


Network Auditing Tools

EC-Council


Nessus http:/ / w w w .nessus.org/ The Nessus vulnerability scanner is active scanners featuring high speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of your security posture

It is distributed throughout an entire enterprise, inside DMZs, and across physically separate networks


EC-Council

Credentialed and un-credentialed port scanning Network based vulnerability scanning Credentialed based patch audits for Windows and m ost UNIX platform s Credentialed configuration auditing of m ost Windows and UNIX platform s Custom and em bedded web application vulnerabilitytesting Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Nessus: Screenshot

EC-Council


Security Adm inistrator's Integrated Network Tool (SAINT) http:/ / w w w .saintcorporation.com /

SAINT is a vulnerability scanner that scans network to detect anything that could allow an attacker to gain unauthorized access, create a denial-of-service, or gain sensitive inform ation about the network SAINT vulnerability scanner can: • Detect and fix possible weaknesses in your network’s security before they can be exploited by intruders • Anticipate and prevent com m on system vulnerabilitie s • Dem onstrate com pliance with current governm ent regulations such as FISMA, SOX, GLBA, HIPAA, and COPPA and with industry regulations such as PCI DSS

EC-Council


Security Adm inistrator's Integrated Network Tool (SAINT) Features • Lets you exploit vulnerabilities found by the scanner with the integrated penetration testing tool, SAINTexploit™ • Shows you how to fix the vulnerabilities, and where to begin rem ediation efforts —with the exploitable vulnerabilities • Lets you scan and exploit both IPv4 and IPv6 addresses • Shows you if the network is com pliant with PCI security standards • Allows you to design and generate vulnerability ass essm ent reports quickly and easily • Shows you if your network security is im proving over tim e by using the trend analysis report • Provides autom atic updates at least every two weeks, or sooner for a critical vulnerability announcem ent EC-Council


SAINT: Screenshot

EC-Council


Security Auditor's Research Assistant (SARA) http:/ / w w w -arc.com /

Security Auditor's Research Assistant (SARA) is a is a third generation network security analysis tool Features: • Operates under Unix, Linux, MAC OS/ X or Windows (th rough coLinux) OS‘ • Integrates the National Vulnerability Database (NVD) • Perform s SQL injection tests • Perform s exhaustive XSS tests • CVE standards support • Supports rem ote self scan and API facilities

EC-Council


SARA: Screenshot

EC-Council


Nm ap http:/ / nm ap.org/

Nm ap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing It rapidly scans large networks and runs on all m ajor com puter operating system s It uses raw IP packets in novel ways to determ ine: • • • •

EC-Council

What What What What

hosts are available on the network services (application nam e and version) thosehosts are offering operating system s (and OS versions) they arerunning type of packet filters/ firewalls are in use


Nm ap: Screenshot

EC-Council


Netcat http:/ / netcat.sourceforge.net/

Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/ IP protocol It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other program s and scripts

Features: • Outbound and inbound connections, TCP or UDP, to or from any ports • Featured tunneling m ode which allows also specialtunneling such as UDP to TCP, with the possibility of specifying all network param eters • Built-in port-scanning capabilities with random izer

EC-Council


Wireshark http:/ / w w w .w ireshark.org/

Wireshark is the network protocol analyzer, and is the de facto (and often de jure) standard across m any industries and educational institutions


Deep inspection of hundreds of protocols, with m ore being added all the tim e Live capture and offline an alysis Standard three-pane packet browser Multi-platform Captured network data can be browsed via a GUI, orvia the TTY-m ode TShark utility • Read/ write m any different capture file form ats • Capture files com pressed with gzip can be decom press ed on the fly • Decryption support for m any protocols, in cluding IP sec, ISAKMP, Kerberos, SNMPv3, SSL/ TLS, WEP, an d WPA/ WPA2

EC-Council


Wireshark: Screenshot

EC-Council


Argus - Audit Record Generation and Utilization System http:/ / w w w .qosient.com / argus/ Argus- network audit record generation and utilization system support network operations, perform ance and security m anagem ent

It processes packets (either capture files or live packet data) and generates detailed status reports of the 'flows' that it detects in the packet stream

For m any sites, it is used to establish network activity audits that are then used to supplem ent traditional IDS based network security

The Argus audit data is used for network forensics, non-repudiation, network asset, and service inventory

EC-Council


Snort http:/ / w w w .snort.org/

Snort is an open source network intrusion prevention and detection system (IDS/ IPS)

It uses a rule-driven language which com bines the benefits of signature, protocol and anom aly-based inspection m ethods

It is capable of perform ing real-tim e traffic analysis and packet logging on IP networks

It can perform protocol analysis, content searching/ m atching, and can be used to detect a variety of attacks and probes

EC-Council


Snort: Screenshot

EC-Council


Network Protection Tools

EC-Council


Iptables http:/ / w w w .netfilter.org/ ip table s is the userspace com m and line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset iptables package includes ip6tables which is used for configuring the IPv6 packet filter

It requires a kernel that features the ip_ tables packet filter

Features: • Listing the contents of the packet filter ruleset • Adding/ rem oving/ m odifying rules in the packet filte r ruleset • Listing/ zeroing per-rule counters of the packet filter ruleset

EC-Council


Proventia Network Intrusion Prevention System (IPS) http:/ / w w w .ibm .com /

IBM Proventia Network Intrusion Prevention System (IPS) stops Internet threats before they im pact your business and delivers protection to all three layers of the network: core, perim eter and rem ote segm ents

The IBM Proventia Network Intrusion Prevention System (IPS) delivers network protection that is designed to: • Stop threats before im pact without sacrificing high-speed n etwork perform ance • Provide a platform for security convergence that helps reduce the cost of deploying and m anaging point solution s • Protect networks, servers, desktops and revenue-gen erating applications from m alicious threats • Conserve network bandwidth and prevents network m si use/ abuse from in stant m essaging and peer-to-peer file sharing • Prevent data loss and aids com pliance efforts EC-Council


IPS: Screenshot

EC-Council


NetDetector http:/ / w w w .niksun.com /

NetDetector is a full-featured appliance for network security surveillance, signature-based anom aly detection, analytics and forensics It acts as a security cam era and m otion detector for your network by continuously capturing and warehousing network traffic (both packets and statistics)


EC-Council

Continuous, in-depth real-tim e surveillance Capture network events the first tim e and store events for post-event an alysis Signature and statistical an om aly detection Superior drill-down forensic analysis down to packet level Advanced reconstruction of web, em ail, instant m ess aging, FTP, Telnet, VoIP and other TCP/ IP applications Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

TigerGuard http:/ / w w w .tigertools.net/

TigerGuard is designed to centrally m anage events and logs, alerts from IDS devices, m onitor network and wireless traffic, and perform discovery, vulnerability assessm ents, event logging, and com pliancy reporting


EC-Council

Sensor console Firewall console Network console WiFi console Event console Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

TigerGuard: Screenshot 1

EC-Council


TigerGuard: Screenshot 2

EC-Council


Sum m ary Denial-of-Service (DoS) attack prevents the authorized users to access networks, system s, or applications by exhausting the network resources Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large num ber of com prom ised system s, known as botnet, attack a single target to cause a Denial-of-Service for the users of the targeted system Unauthorized Access is condition where a person gains access to system and network resources which he/ she was not authorized to have

An inappropriate usage in cident occurs when a user perform s actions that violate the acceptable com puting use policies

A m ultiple com ponent in cident is a single incident that en com passes two or m ore incidents EC-Council


EC-Council


EC-Council



Mo d u le VI Handling Malicious Code Incidents

News: Malicious Program Targets Macs ( CN N ) -- Mac com puters are known for their near-im m unity to m alicious com puter program s that plague PCs. But that m ay be changing som ewhat, according to com puter security researchers. It seem s that as sleek Mac com puters becom e m ore popular, they're also m ore sought-after targets for the authors of harmful program s. "The bad guys generally go toward the biggest target, what will get them the biggest bang for their buck," said Kevin Haley, a director of security response at Sym antec. Until recently, the big target always was Microsoft Windows, and Apple com puters were protected by "relative obscurity," he said. But blogs are buzzing this week about what two Sym antec researchers have called the first harm ful com puter program to strike specifically at Mac. This Trojan horse program, dubbed the "iBotnet," has infected only a few thousand Mac m achines, but it represents a step in the evolution of m alicious com puter software, Haley said. The iBotnet is a sign that harm ful programs are moving toward Mac, said Paul Henry, a forensics and security analyst at Lum ension Security in Arizona. "We all knew it was going to happen," he said. "It was just a m atter of tim e, and, personally, I think we're going to see a lot m ore of it." The m alicious software was first reported in J anuary. It didn't gain widespread attention until recently, when Mario Ballano Barcena and Alfredo Pesoli of Sym antec, m aker of the popular Norton antivirus products, detailed the software in a publication called "Virus Bulletin.”

EC-Council

Source: http:/ / w w w .cnn.com


News: Handling Malicious Hackers and Assessing Risk in Real Tim e Im agin e th is … A hacker creates a look-alike website of a well-known bank. He sends across e-m ails to custom ers requesting for confidential inform ation claim ing the bank’s website is undergoing a revam p or reconstruction. The inform ation sought is confidential custom er data. The e-m ail has a link em bedded in it, which, by default, directs the custom er to the fake site that the hacker has created. The custom er, thinking it to be a genuine com m unication from the bank, provides the details, which the hacker saves and later uses for fraudulent transactions such as m oney transfers or procuring critical passwords. N o t a Se cu re Situ atio n to be in The rapid growth of online com m erce has brought increasing sophistication to Internet fraud. Frauds are executed across m ultiple access channels. Threats from Phishing (crim inally fraudulent process of attem pting to acquire sensitive inform ation such as usernam es, passwords and credit card details, by m asquerading as a trustworthy entity in an electronic com m unication), Pharm ing (a hacker’s attack aim ing to redirect a website’s traffic to another bogus website), Trojans (a type of m alicious software), Key Logging (used to retrieve online password entries), and Proxy Attacks, com bined with regulations and m andates (HIPAA, PCI) governing online data piracy place online security at a prem ium . If you take a closer look at the illustration in the beginning of this article, you will realize that a sim ple login procedure m akes it easy for a hacker to access online accounts and transactions. To thwart hackers, banks are adopting stringent levels of login procedures, which are m ore personalized and secure. Som e of them include the introduction of additional levels of passwords, personalized background im age for login, virtual keyboards, or even a virtual mouse am ong others. Whatever you type on the physical keyboard can be tapped by hacking, through keylogging. Keylogging provides a m eans to obtain passwords or encryption keys by bypassing security m easures. To prevent this, financial transaction sites are installing virtual keypads and virtual mouse. Instead of typing the password on the keyboard the norm al way, as part of the login process the user will be able to use the cursor to select his or her password on the virtual keyboard. This process helps circum vent the key locking setup enforced by the hacker.

EC-Council

Source: http:/ / businessm irror.com .ph


Module Objective


• • • • • • • •

EC-Council

Virus Trojans and Spywares Incident Handling Preparation Incident Prevention Detection and Analysis Evidence Gathering and Handling Eradication and Recovery Recom m endations


Module Flow Virus

Trojans and Spyware

Incident Prevention

Incident Handling Preparation

Detection and Analysis

Evidence Gathering and Handling

Recom m endations

EC-Council


Count of Malware Sam ples

Source: http:/ / w w w .avertlabs.com

EC-Council


Virus Com puter viruses are m alicious software program s that infect com puters and corrupt or delete the data on them

Viruses spread through em ail attachm ents, instant m essages, downloads from the Internet, contam inated m edia etc.

Viruses are generally categorized as: • File infectors: Attach them selves to program files • System or boot-record in fectors: Infect executable code found in certain system areas on a disk • Macro viruses: Infect Microsoft Word application

EC-Council


Worm s A worm is a self-replicating virus that does not alter files but resides in active m em ory and duplicates itself

It takes advantage of file or inform ation transport features on the system to travel independently

A worm spreads through the infected network autom atically

EC-Council


Trojans and Spywares Trojans: • Trojan horse is a m alicious, security-breaking program that is disguised as any useful program • Trojans are executable program s that is installedwhen a file is opened • Trojans get activated without the intervention ofthe user • Sim ilar to viruses, Trojans do not distribute itself from one system to another • Trojans allow others to con trol a user’s system

Spyware: • Spywares are software in stalled on the com puter without the knowledge of the user • Spywares pretend to be program s that offer useful applications, but they actually acquire the inform ation of the com puter and send it to the attacker who can access it rem otely • Spywares are also known as adware EC-Council


Incident Handling Preparation 1

• Establish m alicious code security policy

2

• Install antivirus software

3

• Check all files and attachm ents from websites

4

• Check all the rem ovable m edia such as USB, diskette s etc.

5

• Users m ust be aware of m alicious code issues

6

• Study the antivirus vendor bulletins

7

• Install host based intrusion detection system s oncritical hosts

8

• Collect m alware incident analysis resources

9

• Acquire m alware incident m itigation software

10

• Establish the procedure for reporting m alicious code incident

EC-Council


Incident Prevention Use antivirus software Design a point of contact for reporting m alicious code Block the installation of spyware software Rem ove suspicious files Filter spam Lim it the use of unnecessary program s with FTP Alert users for handling em ail attachm ents Close the open windows shares Use the web browser’s security to edge m alicious code Prevent the open transm it of e-m ail Secure the e-m ail clients

EC-Council


Detection of Malicious Code Case 1. Host is infected by the virus which is delivered via e-m ail

Signs of the presence of m alicious code include: • • • • • • • • •

EC-Council

Antivirus software detects the infected files Increase in the num ber of e-m ails sent an d received Change in the Tem plate of word processing docum ent Deletion or corruption of files System files becom e inaccessible Old m essage and graphics will appear on screen Som e program s start and run slowly, or do not runat all System becom es instable or crashes Indication of root com prom ise of a host if the viru s achieves root level access Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Detection of Malicious Code (Cont’d) Case 2. Host is infected by worm s that propagates through a vulnerable service

Signs of the presence of m alicious code include:

• • • • •

EC-Council

Antivirus software detects the infected files Failure in connection attem pts targeted at the vuln erable services Increase in network usage Program s start and run slowly, or do not run at all System becom es instable or crashes


Detection of Malicious Code (Cont’d) Case 3. Trojan horse gets installed and runs on a host

Signs of the presence of m alicious code include:

• Antivirus software will detect the Trojan horse versions of files • Network IDS alerts the Trojan horse client-servercom m unications • Log entries of the firewall and router for Trojanhorse client-server com m unications • Host and unknown rem ote system s network connections • Unusual open ports • Unknown running processes • Program s start and run slowly, or do not run at all • System becom e instable or crashes • Indication of root com prom ise of a host if the Trojan achieves root level access

EC-Council


Detection of Malicious Code (Cont’d) Case 4. Host infected with virus, worm , or Trojan horse using m alicious m obile code on a website

• Strange dialog box will appear requesting for permission to run any program • Abnorm al graphics will appear such as overlappingand overlaid m essage boxes

Case 5. Malicious m obile code on a web site exploits vulnerabilities on a host

• • • • •

EC-Council

Strange dialog box will appear requesting for permission to run program s Abnorm al graphics will appear such as overlappingand overlaid m essage boxes Increase in the num ber of em ails being sent or received Host and unknown rem ote system s network connections Indication of root com prom ise of a host if the m obile code achieves root level access Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Detection of Malicious Code (Cont’d) Case 6. When the user receives the virus hoax m essage • The original source appears as from the governm entagency or as from an im portant official person • It does not link to outside sources • Message requires an urgent action • It prom pts to delete certain files or forwarded m assages

EC-Council


Containm ent Strategy Recognize and separate the infected hosts from the inform ation system

Register the unidentified m alicious code to antivirus vendors

Configure em ail servers and clients to block em ails

Block particular hosts

Shut down the em ail servers

Isolate networks from the Internet

Ensure the user’s participation

Disable services

Disable connectivity

EC-Council


Evidence Gathering and Handling

Forensic Identification

• It is the practice of identifying the infected system s by looking for the evidence of the latest infection

Active Identification

• This m ethod is used to identify the hosts which are currently infected

Manual Identification

• Labor intensive, but it is im portant as it provides appropriate identity of the infected hosts

EC-Council


Eradication and Recovery Antivirus and antispyware software can identify infected files but som e of the infected files cannot be recovered

If the m alicious code provides attackers with root-level access, then it becom es hard to determ ine what other actions the attackers have perform ed

In som e of the cases, infected files are restored from a previous uninfected backup or can be rebuilt from scratch

EC-Council


Recom m endations Establish m alicious code security policy Users m ust be aware of m alicious code issues Study antivirus bulletins Install host based intrusion detection system s on critical hosts Use antivirus software, an d keep it updated with the latest virus signatures Configure software to block suspicious files Close the open window share Deal with m alicious code incidents as quickly as possible EC-Council


Antivirus System s

EC-Council


Sym antec: Norton AntiVirus 20 0 9 http:/ / w w w .sy m antec.com /

Sym antec Norton AntiVirus 20 0 9 protects com puter system from m alicious program s such as virus, worm s, Trojan, spyware, etc.


Protects against viruses, spyware, Trojan horses,worm s, bots, and rootkits Pulse updates every 5 to 15 m inutes or faster Intelligence-driven technology for faster, fewer,shorter scans Blocks browser, OS, and application threats; protects against infected Web sites • Protects against the latest threats with proactivem ultilayered protection system • Real-tim e SONAR technology detects em erging spyware and viruses before traditional definitions are available

EC-Council


Norton AntiVirus 20 0 9: Screenshot

EC-Council


Kaspersky Anti-Virus 20 10 http:/ / w w w .kaspersky .com /

Kaspersky Anti-Virus 20 10 offers real-tim e autom ated protection from a range of IT threats Features: • • • • • • • • • •

Real-tim e scanning of files, web pages, and e-m essa ges Disabling of links to m alicious websites Blocking of suspicious program s based on their behavior Protection from hijacking of your PC Toolbar for Internet browsers to warn you about infected or unsafe websites Urgent Detection System to stop fast em erging threats Scan system and installed applications for vulnerabilities Enter logins and passwords using secure Virtual Keyboard Rem ove activity traces in your Internet browser (history, cookies, etc.) Identity theft by key loggers and screen capture malware

EC-Council


Kaspersky Anti-Virus 20 10 : Screenshot

EC-Council


AVG Anti-Virus http:/ / w w w .avg.com /

AVG anti-virus protects com puter system from m alicious program s such as virus, worm s, Trojan, spyware, etc.


EC-Council

An ti-Viru s : protection against viruses, worm s, and Trojans An ti-Sp yw are : protection against spyware, adware, and identity-theft An ti-Ro o tkit: protection against hidden threats (rootkits) W e b Sh ie ld an d Lin kScan n e r: protection against m alicious websites Real-tim e security while you surf and chat online


AVG Anti-virus: Screenshot

EC-Council


McAfee VirusScan Plus http:/ / hom e.m cafee.com /

McAfee VirusScan Plus offers essential PC security with accelerated perform ance

Features • Anti-virus, anti-spyware, and SiteAdvisor protectyou from m alicious software • Firewall blocks outsiders from hacking into your PC • SiteAdvisor rates web site safety before you clickwith red, yellow or green colors • Online account m anagem ent lets you easily add other PCs to your subscription • QuickClean safely rem oves junk files that slow your PC and take up space on your hard drive

EC-Council


McAfee VirusScan Plus: Screenshot

EC-Council


BitDefender Antivirus 20 0 9 http:/ / w w w .bitdefender.com /

BitDefender Antivirus 20 0 9 provides advanced proactive protection against viruses, spyware, phishing attacks and identity theft Features: • Scans all web, e-m ail, and instant m essaging traffic for viruses and spyware, in real-tim e • Protects against new virus outbreaks using advanced heuristics • Blocks attem pted identity theft (phishing) • Prevents personal inform ation from leaking via e-mail, web, or instant m essaging • Reduces the system load and avoids requesting userinteraction during gam es

EC-Council


BitDefender Antivirus 20 0 9: Screenshot

EC-Council


F-Secure Anti-Virus 20 0 9 http:/ / w w w .f-secure.com / F-Secure Anti-Virus 20 0 9 provides advanced and affordable protection against viruses, spyware intrusions, and infected e-m ail

Its autom atic updates and DeepGuard 2.0 cloud com puting technology provides protection against new threats


EC-Council

Protection against viruses, worm s, rootkits an d oth er m alware Real-tim e protection again st spyware Provides instant protection against new threats (DeepGuard 2.0 ) Scans e-m ail for viruses an d m alicious code Autom atic updates for both virus definitions and ht e software


F-Secure Anti-Virus 20 0 9: Screenshot

EC-Council


Trend Micro AntiVirus plus AntiSpyware 20 0 9 http:/ / w w w .trendm icro.com /

Trend Micro AntiVirus plus AntiSpyware 20 09 safeguards data and files from m alicious activities Features: • Protects against current and future viruses • Defends your personal inform ation with anti-spyware technology • Provides real-tim e protection with autom ated com puter scans • Prevents unauthorized changes • Cleans browser history, cookies and unnecessary files • Provides custom izable security warnings • Quarantines suspicious files

EC-Council


Trend Micro AntiVirus plus AntiSpyware 20 0 9: Screenshot

EC-Council


HijackThis http:/ / w w w .trendsecure.com /

HijackThis is a free utility which quickly scans System s running Windows OS to find settings that m ay have been changed by spyware, m alware, or other unwanted program s

It creates a report with the results of the scan

EC-Council


Tripwire Enterprise http:/ / w w w .tripw ire.com /

Tripwire Enterprise com bines configuration assessm ent and change auditing in a single infrastructure m anagem ent solution that delivers enterprise-wide control of physical and virtual configurations

It com es with policies that cover such diverse regulatory standards as Paym ent Card Industry (PCI) and Sarbanes-Oxley (SOX), as well as security standards like those form the National Institute of Standards and Technology (NIST)

Features: • Change auditing • Configuration assessm ent • Sam ple reports EC-Council


Tripwire Enterprise: Screenshot

EC-Council


Stinger http:/ / vil.nai.com /

Stinger is a stand-alone utility used to detect and rem ove specific viruses

It utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan perform ance optim izations

EC-Council


Sum m ary Com puter viruses are the software program s m eant to infect com puters, corrupt, or delete the data

A worm is a self-replicating virus that does not alter files but resides in active m em ory and duplicate itself

Forensic identification is the practice of identifying infected system s by looking for evidence of recent infections

Antivirus and antispyware software can identify the infected files but som e the infected files cannot be recovered

Deploy host-based intrusion detection an d prevention system s, including file integrity checkers, to critical hosts EC-Council


EC-Council


EC-Council



Mo d u le VIII Forensic Analysis and Incident Response

Batch PDF Merger

News: Microsoft Com puter Online Forensic Evidence Extractor Free for Interpol The Microsoft COFEE evidence extracting tool will be m ade available to Interpol for free, per an agreement between the Redm ond com pany and the International Crim inal Police Organization. The software giant announced that the Com puter Online Forensic Evidence Extractor would be distributed by Interpol internationally, in no less than 187 m arkets worldwide. The m ove is just one aspect of a broader Microsoft strategy designed to protect people both physically and virtually in collaboration with governm ents around the world. In this regard, the Redm ond com pany used the Worldwide Public Safety Sym posium to launch the Citizen Safety Architecture as well as to prom ise support for Interpol's Security Initiative (GSI). “Given the direct correlation between the declining econom y and the rise of public safety concerns, there is a pressing need for innovative, collaborative and integrated solutions, like Citizen Safety Architecture, that deliver to governm ents the tools they need to ensure the safety of their citizens,” explained Tim Bloechl, m anaging director for worldwide public safety and national security at Microsoft. The Citizen Safety Architecture has at its basis a variety of tools dedicated to not just cutting costs, but also boosting what Microsoft referred to as m ultiagency operational effectiveness, as well as stream line collaboration and inform ation sharing. The Redm ond com pany indicated that the Citizen Safety Architecture was based on Microsoft Single View Platform (SVP), Microsoft FusionX, “Eagle,” Microsoft Intelligence Fram ework, the Microsoft Incident Response Platform and Global Security Operations Centers (GSOCs). “Microsoft and INTERPOL recognize the strong synergies between Citizen Safety Architecture and GSI, and our pledge to develop a long-term relationship with organizations like INTERPOL supports the overall goal of Citizen Safety Architecture,” Bloechl added. In addition to the Citizen Safety Architecture fram ework, the software giant will also provide Interpol with COFEE, a tool designed to extract forensic evidence from live com puter activity. In this m anner, Interpol officers will be able to harvest and then use evidence that would otherwise not be available through traditional offline forensic analysis, Microsoft underlined. Source: http:/ / new s.softpedia.com /

EC-Council


Module Objective


• • • • • • • •

EC-Council

Com puter Forensics Forensic Readiness Types of Com puter Forensics Com puter Forensics Process Digital Evidence Collecting Electronic Evidence Forensic Policies Forensic Analysis Guidelines


Module Flow

EC-Council

Com puter Forensics

Forensics Preparedness

Com puter Forensics Process

Types of Com puter Forensics

Digital Evidence

Collecting Electronic Evidence

Forensic Analysis Guidelines

Forensic Policies


Com puter Forensics

“A m ethodical series of techniques and procedures for gathering evidence, from com puting equipm ent and various storage devices and digital m edia, that can be presented in a court of law in a coherent and - Dr. H.B. W olfe m eaningful form at”

EC-Council


Objectives of Forensic Analysis

To recover, analyze, and preserve com puter and related m aterials in such a way that it can be presented as evidence in a court of law

To identify the evidence in short tim e, estim ate the potential im pact of the m alicious activity on the victim , and assess the intent and identity of the perpetrator

EC-Council


Role of Forensic Analysis in Incident Response Forensic analysis helps in determ ining the exact cause of an incident It helps in generating a tim eline for the in cident which helps in correlating different incidents Forensic analysis of the affected system helps in determ ining the n ature of incidents and im pact of the incident It helps in tracking the perpetrators of the crim e or incident It extracts, processes, and interprets the factual evidence so that it proves the attacker’s actions in the court It saves the organization’s m oney and tim e by conducting a dam age assessm ent of the victim ized network It also saves organizations from legal liabilities and lawsuits EC-Council


Forensic Readiness Forensic readiness m ay be defined as a state of incident response preparedness that enables an organization to m axim ize its potential to use digital evidence while m inim izing the cost of an investigation

It also m inim izes the risk of internal threat and acts as a preem ptive m easure

Objectives:

• Maxim izing an environm ent’s ability to collect credible digital evidence • Minim izing the cost of forensics during an in cidentresponse EC-Council


Forensic Readiness And Business Continuity Forensic readiness allows businesses to: • Quickly determ ine the in cidents • Understand the relevant inform ation • Minim ize the required resources • Rem ove the threat of repeated incidents • Quickly recover from dam age with less down tim e

Lack of forensic readiness m ay result in: • Loss of clients thereby dam aging the organization ’sreputation • System downtim e • Data m anipulation, deletion, and theft EC-Council


Types of Com puter Forensics Disk Forensics • It is the process of acquiring and analyzing the data stored on physical storage m edia

Network Forensics • It can be defined as sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate a network security incident

E-m ail Forensics • It is the process of studying the source and content of an em ail

Internet (Web) Forensics • It is the application of scientific and legally sound m ethods for the investigation of Internet crim es

Source Code Forensics • It is the process of determ ining the software ownership and copyright issues

EC-Council


Com puter Forensic Investigator

Com puter forensic in vestigator m ust have knowledge of gen eral com puter skills such as hardware, software, O.S, applications, etc.

The investigator m ust perform a proper in vestigation to protect the digital evidence

The investigator m ust be certified from authorized organization s

EC-Council


People Involved in Com puter Forensics Attorney:

• Gives legal advise on collection, preservation and presentation of evidence

Photographer:

• Photographs the crim e scene and the evidence gathered

Incident Responder:

• Responsible for incident handling and response

Decision Maker:

EC-Council

• Responsible for authorization of a policy or procedure for the investigation process Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

People Involved in Com puter Forensics (cont’d) Incident Analyzer:

• Analyzes the incidents based on their occurrence

Evidence Exam iner/ Investigator:

• Exam ines the evidence acquired, and sorts useful evidence

Evidence Docum enter:

• Docum ents all the evidence and the phases present in the investigation process

EC-Council

Evidence Manager:

• Manages the evidence in such a way as to m ake a procedural way of evidence found

Expert Witness:

• Offers a form al opinion as a testim ony in the court of law Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Com puter Forensics Process Preparation It enables easy coordination am ong staff and provides baseline protection

Collection It is the process of identifying, labeling, recording, and acquiring data from all possible sources

Exam ination It involves processing of large am ount of collected data using a com bination of autom ated and m anual m ethods EC-Council


Com puter Forensics Process (cont’d) Analysis It is the process of analyzing the results of the investigation using legally justifiable m ethods and techniques

Reporting In this phase, the analysis results are reported and recom m endations are provided for im proving policies, guidelines, procedures, tools, and other aspects of the forensic process

EC-Council


Digital Evidence Digital evidence is defined as “any inform ation of probative value that is either stored or transm itted in a digital form ”

Digital evidence is found in the files, such as:

• • • • • • •

Graphics files Audio and video recording and files Web browser history Server logs Word processing and spreadsheet files E-m ails Log files

EC-Council


Characteristics of Digital Evidence Adm issible • Evidence m ust be related to the fact being proved

Authentic • Evidence m ust be real an d related to the incidentin a proper way

Com plete • Evidence m ust prove the attacker’s actions

Reliable • Evidence m ust not cast doubt on the authenticity and veracity of the evidence

Believable • Evidence m ust be clear and understandable by the uj dges

EC-Council


Collecting Electronic Evidence List the system s involved in the incident and from which system s evidence can be collected

For each system , obtain the relevant order of volatility

Record the extent of the system 's clock drift

Collect the evidence from all the people who affected by the incident EC-Council


Collecting Electronic Evidence (cont’d) Electronic evidence resides in: Data Files: • • • • • •

Office desktop com puter/ workstation Notebook com puter Hom e com puter Com puter of personal assistants/ secretary/ staff Palm top devices Network file servers/ m ainfram es/ m ini-com puters

Backup Tapes: • System -wide backups (m onthly/ weekly/ increm ental) • Disaster recovery backups (stored off site) • Personal or “ad hoc” backups (look for diskettes and other portable m edia) EC-Council


Collecting Electronic Evidence (cont’d) Other Media Sources: • Tape archives • Replaced/ rem oved drives • Floppy diskettes and other portable m edia (e.g., CDs, Zip cartridges)

EC-Council


Evidence Collection Form Tem plate Fo re n s ic An alys t Makin g Se izu re Full Nam e:

Title:

Phone:

Departm ent

Com m ents: Signature:

Date and tim e: W itn e s s Sign atu re

Full Nam e:

Title:

Phone:

Departm ent

Full Address:

Signature:

EC-Council

Room No Building Address Line 1 Address Line 2 Address Line 3 Address Line 4 Post code

Date and tim e:


Evidence Collection Form Tem plate (cont’d) S.No.

Evidences

Make

Details

1 2 3 4 5 6 7 8 9 10

EC-Council


Challenging Aspects of Digital Evidence Digital evidence are fragile in nature

During the investigation of the crim e scene, if the com puter is turned off, the data which is not saved can be lost perm anently

During the investigation, digital evidence can be altered m aliciously or unintentionally without leaving any clear signs of alteration

Digital evidence is circum stantial that m akes it difficult for the forensics investigator to differentiate the system ’s activity

After the incident, if a user writes som e data to the system , it m ay overwrite the crim e evidence EC-Council


Forensic Policy Forensic policy is a set of procedures describing the actions to be taken when an incident is observed

It defines the roles and responsibilities of all people perform ing or assisting the forensic activities

It should include all internal and external parties that m ay be involved and also indicates who should contact which parties

It explains what actions should and should not be perform ed under norm al and special conditions

EC-Council


Forensic Policy (cont’d) Organizations should ensure that their policies contain clear statem ents that address all m ajor forensic considerations

They should allow authorized personnel to m onitor system s and networks and perform investigations

Separate policies should be m aintained for incident handlers and others with predefined forensic roles

Organization’s forensic policy should be consistent with the other policies

EC-Council


Forensics in the Inform ation System Life Cycle Regular backups of system s should be perform ed For securing centralized log servers, audit reports should be forwarded by auditing the workstations, servers, and network devices For auditing, m ission critical applications should be configured Maintain a database of file hashes for the files of com m on OS and application deploym ents File integrity checking software should be used for protecting im portant assets

Network and system con figurations records should be m aintained Data retention policies supporting system and network activities should be im plem ented EC-Council


Forensic Analysis Guidelines

Organizations should: • Have a capability to perform com puter and networkforensics • Determ ine which parties should handle each aspectof forensics • Create and m aintain guidelines and procedures for perform ing forensic tasks • Perform forensics using a consistent process • Be proactive in collecting useful data • Adhere to standard operating procedure as specified by local laws and standard m aking bodies such as IOCE & SWGDE while collecting digital evidence Source: http:/ / csrc.nist.gov/

EC-Council


Forensics Analysis Tools

EC-Council


Helix http:/ / w w w .e-fense.com / Helix is a bootable com puter forensic tool kit providing incident response, com puter forensics and e-discovery in one interface Helix is a custom ized distribution of the Knoppix Live Linux CD You can boot into a custom ized Linux environm ent that includes custom ized Linux kernels, excellent hardware detection and m any applications dedicated to Incident Response and Forensics Helix has been m odified very carefully to NOT touch the host com puter in any way and it is forensically sound Helix has a special Windows autorun side for Incident Response and Forensics

Helix focuses on Incident Response & Forensics tools

EC-Council


Tools Present in Helix CD for Windows Forensics Windows Forensics Toolchest (WFT) Incident Response Collection Report (IRCR2)

Putty SSH Screen Capture Messenger Password

First Responder’s Evidence Disk (FRED) Mail Password Viewer First Responder Utility (FRU) Protected Storage Viewer Security Reports (SecReport) Network Password Viewer Md5 Generator Registry Viewer Com m and Shell Asterisk Logger File Recovery – recover deleted files IE History Viewer Rootkit Revealer VNC Server

EC-Council

IE Cookie Viewer Mozilla Cookie Viewer Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Helix: Screenshot 1

EC-Council


Helix: Screenshot 2

EC-Council


Helix: Screenshot 3

EC-Council


Windows Forensic Toolchest http:/ / w w w .foolm oon.net/

Windows Forensic Toolchest (WFT) is designed to provide a structured and repeatable autom ated Live Forensic Response, Incident Response, or Audit on a Windows system while collecting security-relevant inform ation from the system

It is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML based reports in a forensically sound m anner

It provides extensive logging of all its actions along with com puting the MD5/ SHA1 checksum s along the way to ensure that its output is verifiable

EC-Council


Windows Forensic Toolchest (cont’d) Features: • Provides structured and repeatable live forensic re sponse, incident response, or audit • Ability to run locally, via CD/ DVD, or thum b drive • Verification of all executed tools • Support for m d5 hash • Ability to verify WFT configuration files • Autom atic updating of WFT hash values for tools • User-editable configuration file controls execution • Generation of both raw text and htm l reports • Ability to run com m ands based on run-tim e OS

EC-Council


Windows Forensic Toolchest: Screenshot 1

EC-Council


Windows Forensic Toolchest: Screenshot 2

EC-Council


Knoppix Linux http:/ / w w w .knopper.net/

KNOPPIX is a bootable Live system on CD or DVD, consisting of a representative collection of

• GNU/ Linux software • Autom atic hardware detection • Support for m any graphics cards, sound cards, SCSIand USB devices and other peripherals

It can be used as a productive Linux system for the desktop, educational CD, rescue system , or adapted and used as a platform for com m ercial software product dem os

EC-Council


Knoppix Linux: Screenshot

EC-Council


The Coroner's Toolkit (TCT) http:/ / w w w .porcupine.org/

TCT is a collection of program s by Dan Farm er and Wietse Venem a for a post-m ortem analysis of a UNIX system after break-in

TCT com ponents are: • • • •

EC-Council

Grave-robber tool: This tool captures inform ation Ils and m actim e tools: These tools display accesspatterns of files dead or alive Unrm and lazarus tools: These tools recover deletedfiles Findkey tool: This tool recovers cryptographic keys from a runnin g process or from files


EnCase Forensic http:/ / w w w .guidancesoftw are.com / EnCase Forensic is an in vestigation platform that collects digital data, perform s analysis, reports on findings, and preserves them in a court validated, forensically sound form at It gives investigators the ability to im age a drive and preserve it in a forensic m anner using the EnCase evidence file form at (LEF or E0 1)

Features: • • • • • • • • • •

Advanced search options Internet and em ail investigation support Court validated logical evidence file form at Multiple viewers Instant m essage analysis EnScript® program m ing Bookm arking Reporting Support for the m ost system files Multiple acquisition options

EC-Council


EnCase Forensic: Screenshot 1

EC-Council


EnCase Forensic: Screenshot 2

EC-Council


THE FARMER'S BOOT CD (FBCD) http:/ / w w w .forensicbootcd.com / The FBCD provides with a forensic environm ent to safely and quickly preview data stored within various storage m edia (such as internal and external hard drives, USB thum b drives, digital m usic players, digital cam eras, SD and com pact flash cards, etc.) Using The FBCD, you can: • • • • • • • • • • • • • •

Mount file system s in a forensically sound m anner,using a GUI Preview data using a single, unified GUI (Delve) Authenticate, Acquire and Analyze storage m edia Decrypt EFS-encrypted files Access and parse the Windows Registry Generate thum bnails for graphics files Dum p file m eta-data (graphics files, PDF docum ents, etc.) Obtain the passwords for system users Undelete files from the ext2, FAT, and NTFS file system types Identify and reset Host Protected Areas (HPA) on IDE drives Dum p the system BIOS tables Parse the Windows pagefile.sys file for e-m ail addresses and URLs Dum p file system m eta-data (initialized date, lastm ount date, etc.) Read various Windows and Linux log files Parse web browser cache files for history and cookie inform ation

EC-Council


FBCD: Screenshot1

EC-Council


FBCD: Screenshot2

EC-Council


Dum pReg http:/ / w w w .sy stem tools.com / Dum pReg is a program for Windows that dum ps the registry, m aking it easy to find keys and values containing a string The registry entries can be sorted by reverse order of last m odified tim e, m aking it easy to see changes m ade by recently installed software

EC-Council


Dum pSec http:/ / w w w .sy stem tools.com /

Dum pSec is a security auditing program for Microsoft Windows® NT/ XP/ 20 0 x

It dum ps the perm issions (DACLs) and audit settings (SACLs) for the file system , registry, printers, and shares in a concise, readable form at, so that holes in system security are readily apparent

It also dum ps user, group and replication inform ation

EC-Council


Dum pEvt http:/ / w w w .sy stem tools.com /

Som arSoft's Dum pEvt is a Windows NT/ 20 0 x program to dum p the event log in a form at suitable for im porting into a database

It is sim ilar to the DUMPEL utility in the Microsoft Windows Resource Kit, but without som e of the lim itations

It allows dum ping of Windows 20 0 x event logs (DNS, File Replication, and Directory Service)

EC-Council


Foundstone Forensic ToolKit http:/ / w w w .foundstone.com /

Foundstone Forensic ToolKit contains several Win32 Com m and line tools that can help you exam ine the files on a NTFS disk partition for unauthorized activity


AFin d allows you to search for access tim es between certain tim e fram es H Fin d scans the disk for hidden files SFin d scans the disk for hidden data stream s an d lists the last access tim es File Stat is a quick dum p of all file and security attributes H u n t is a quick way to see if a server reveals too m uch info via NULL sessions

EC-Council


Sysinternals Suite http:/ / technet.m icrosoft.com / The Sysinternals suite is a bundle of som e of the following selected Sysinternals utilities: AccessChk

Gives specific users or groups access inform ation

AccessEnum

Gives a full view of your file system and Registry security settings

AdExplorer

Explore an AD database, define favorite locations, view object properties and attributes

AdRestore

Enum erates the deleted objects in a dom ain

Autologon

Enables you to easily configure Windows’ built-in autologon m echanism

Autoruns

Shows what program s are configured to run during system bootup or login

CacheSet

Allows to m anipulate the working-set param eters of the system file cache

LDMDum p

Shows the contents of the LDM database

ListDLLs

Show you the full path nam es of loaded m odules

PsLogList

Dum p the contents of an Event Log on the local or a rem ote com puter

PsPasswd

Allows changing of account passwords on the local or rem ote system s in batches

PsService

Service viewer and controller for Windows

NTFSInfo

Shows you inform ation about NTFS volum es

RegMon

It is a Registry m onitoring utility

RootkitRevealer

Advanced rootkit detection utility

EC-Council


NSLOOKUP http:/ / w w w .kloth.net/ NSLOOKUP is an online service to look up inform ation in the DNS (Dom ain Nam e System [RFC10 34, RFC10 35, and RFC10 33]) It is a program to query Internet dom ain nam e servers

It has two m odes: • In te ractive m o d e : This m ode allows the user to query n am e servers for inform ation about various hosts and dom ains • N o n -in te ractive m o d e : This m ode is used to print just the nam e and requested inform ation for a host

EC-Council


dig – DNS Lookup Utility http:/ / m em bers.shaw .ca/

dig (dom ain inform ation groper) is a flexible tool for interrogating DNS nam e servers It perform s DNS lookups and displays the answers that are returned from the nam e server(s) that were queried It is norm ally used with com m and-line argum ents

It also has a batch m ode of operation for reading lookup requests from a file

Dig Synopsis • d ig [ @s e rve r ] [ -b address ] [ -c class ] [ -f filenam e ] [ -k filenam e ] [ -p port# ] [ -t ty pe ] [ x addr ] [ -y nam e:key ] [ n am e ] [ typ e ] [ clas s ] [ qu e ryo p t... ] • d ig [ -h ] • d ig [ glo bal-qu e ryo p t... ] [ qu e ry... ]

A typical invocation of d ig looks like: • d ig @s e rve r n am e typ e

EC-Council


Whois http:/ / w w w .nsauditor.com /

Whois com m unicates with WHOIS servers located around the world to obtain dom ain registration inform ation

It supports IP address queries and autom atically selects the appropriate whois server for IP addresses

This tool looks up inform ation on a dom ain, IP address, or dom ain registration inform ation

EC-Council


Whois: Screenshot

EC-Council


VisualRoute http:/ / w w w .visualroute.com /

VisualRoute trace route software provides IPv4 and IPv6 traceroute, ping test, m ultiple route discovery and connectivity analysis reports

It also helps in determ ining actual cause of conn ectivity problem pinpoints in the network where a problem occurs

Features: • • • • • • •

EC-Council

Graphical view of traceroute, ping, reverse DNS connectivity analysis IP location reporting Whois lookups, network provider reporting Om nipath™ m ultiple path discovery Netvu™ multiple route topology graph Application port testing, port probing, DNS perform ance testing Continuous connection testing with report history


VisualRoute: Screenshot

EC-Council


Netstat Com m and http:/ / chiht.dfn-cert.de/

n e ts tat is a useful tool for checking network configuration and activity The netstat com m and provides inform ation from various data structures in the network stack This inform ation can include current network connections and listening servers, routing tables, ARP caches etc.

EC-Council


Linux: DD Com m and http:/ / chiht.dfn-cert.de/

The dd com m and is used to m ake binary copies of com puter m edia

It is used as a sim ple disk im aging tool if given a raw disk device as its input

Forensic Investigators use the built- in Linux com m and “dd” to copy data from a disk drive The “dd” com m and can copy data from any disk that Linux can m ount and access Other forensic tools such as AccessData FTK and Ilook can read dd im age files EC-Council


Linux: Find Com m and http:/ / chiht.dfn-cert.de/

The find com m and is built in to m any versions of Unix, but is also available as part of the GNU binutils package for both Unix and Windows Find can be used to search through a directory tree looking for files that have particular nam es, perm issions, or alm ost any other com bination of attributes

Syntax

• find [-H] [-L] [-P] [path...] [expression]

EC-Council


Linux: Arp Com m and http:/ / chiht.dfn-cert.de/

The Address Resolution Protocol is used by com puters to translate IP addresses for m achines on the local network segm ent into Ethernet addresses

It describes the standard for m apping Ethernet addresses in the local subnet to IP addresses

Most operating system s m aintain a cache of this inform ation, and the arp com m and can be used to print out the current contents of this cache

Syntax:

• C:\>arp -a

EC-Council


Linux: ps, ls, lsof, and ifconfig Com m ands http:/ / chiht.dfn-cert.de/

ps is a basic Unix com m and that report the status of processes

Unix ls com m and is used to list files and directories on a filesystem

Lsof is a com m and used to list files which are currently open on a Unix system s

ifconfig is a com m and is used to report the state of network interfaces on Unix system s

EC-Council


Linux: Top Com m and http:/ / chiht.dfn-cert.de/ The top com m and is a system m onitor tool that displays and updates inform ation about the top cpu processes on a Unix system It displays the top 15 processes on the system and periodically updates this inform ation

EC-Council


Linux: Grep Com m and http:/ / chiht.dfn-cert.de/

The Unix grep com m and searches text files for patterns m atching regular expressions It is used to extract interesting inform ation from log files

It is a built-in com m and on m any Unix system s, or an open source version is available as part of the GNU project

Syntax • grep [options] PATTERN [FILE...] • grep [options] [-e PATTERN | -f FILE] [FILE...]

EC-Council


Linux: Strings Com m and http:/ / chiht.dfn-cert.de/

Strings is a com m and which displays the strings contained in a binary file

It is used to search unknown binaries for any hints about its function

Syntax • strings [-afo] [-n number] [file ...]

EC-Council


Sum m ary Com puter forensic In vestigator m ust have knowledge of gen eral com puter skills such as hardware, software, O.S, application s, etc. Com puter forensics helps to recover, analyze, and preserve com puter and related m aterials in such a way that it can be presented as evidence in a court of law Forensic readiness is ability of an organization to m axim ize its potential to use digital evidence while m inim izing the cost of an investigation Digital evidence is defined as “any inform ation of probative value that is either stored or transm itted in a digital form ” Forensic policy defines the roles and responsibilities of all people perform ing or assisting the forensic activities Separate policies should be m aintained for incident handlers and others with forensic roles EC-Council


EC-Council


EC-Council



Mo d u le VII Handling Insider Threats

News: Malicious Insider Attacks to Rise

Source: http:/ / new svote.bbc.co.uk/

EC-Council


News: Experts Say Layoffs, Cost-Cutting Increase ‘Insider’ Cyber Threat

Source: http:/ / w w w .cqpolitics.com /

EC-Council


Module Objective

This m odule will fam iliarize you with: • • • • • •

EC-Council

Insider Threats Anatom y of an Insider Attack Insider Threats Detection Insider Threats Response Handling Insider Threats Guidelines for Detecting and Preventing Insider Threats


Module Flow

EC-Council

Insider Threats

Anatom y of an Insider Attack

Insiders Threat Response

Insider Threat Detection

Handling Insider Threats

Guidelines for Detecting and Preventing Insider Threats


Insider Threats Insiders with their authorized privileges can m isuse the resource that directly affects the confidentiality, integrity, and availability of the inform ation system

Insiders could be current em ployee, disgruntled system adm inistrators, hum an resources, contractors, business partners etc.

Insiders indulge in m alicious activities on the organization’s network, system , and database

These activities im pact business operations and dam ages the organization’s reputation and profit EC-Council


Anatom y of an Insider Attack Understand business process

Gain credentials and trust

Install logic bom bs, rootkits, key loggers

Activate logic bom bs and rootkits

Dam age, publicize and/ or pass inform ation to com petitors for financial gain or personal revenge

EC-Council


Insider Risk Matrix If an attacker has technical literacy with process knowledge, there is the highest risk of insider attack

Process Knowledge

Technical Literacy

High

Low

High

Greatest Threat

Dem onized But Insignificant

Low

Significant Threat

Insignificant

Source: GartnerGroup Report 560 5

EC-Council


Insider Threats Detection Insider threats can be detected by observing concerning behaviors exhibited by the insiders such as conflicts with supervisors an d coworkers, decline in perform ance, tardiness, or unexplained absenteeism Insider threats can be identified by exam ining the system event logs including database logs, em ail logs, application logs, file access logs, and rem ote access logs Applications such as firewalls, routers, and intrusion detection system s can be used to identify insider threats

The techniques used to detect insider threats are: • Correlation • Detecting anom aly • Discovering pattern

EC-Council


Insider Threats Response Response depends on the nature of insider threats and the organization’s policy

Response can be autom ated or needs hum an involvem ent

The techniques used to respond to an insider threat include: • • • •

Placing m alicious users in quarantine network, sothat attack cannot be spread Preventing m alicious users from accessing sensitive inform ation Disabling the com puter system s from network connection Blocking m alicious user accounts and physically restricting them from entering access control areas

EC-Council


Insider’s Incident Response Plan Insider’s incident response plan helps the organization to m inim ize or lim it the dam age caused due to m alicious insiders

Organizations should ensure that the in sider perpetrators are not included in response team or not aware of the progress

The organizations should consider the rights of every em ployee or user while developing incident response plan

The plan should depict the process to be followed and responsibilities of the m em bers involved in the response team

The organization should n ot share or provide the details of the insider’s incident response plan with all em ployees EC-Council


Guidelines for Detecting and Preventing Insider Threats: Hum an Resources Conduct background checks on all users and em ployees who are in sensitive positions Exam ine and respond to suspicious behavior of em ployees beginn ing with the hiring process

Anticipate and m anage negative workplace issues

Em ploym ent verification and credit checks

Prepare an inform ation security policy docum ent

Monitor and secure the organization’s physical environm ent EC-Council


Guidelines for Detecting and Preventing Insider Threats: Network Security Com puter networks should be secured by con figuring firewalls and m onitoring outbound traffic to HTTP and HTTPS services Create rules to reduce the outbound transfer of files to an authorized set of users and system s Prevent file sharing, instant m essaging, and other features am ong em ployees that allows unauthorized access to corporate networks

Scan all outgoing and incom in g m ails for sensitive inform ation and m alicious codes

Establish strict password policies

Im plem ent account m anagem ent policies and procedures

EC-Council


Guidelines for Detecting and Preventing Insider Threats: Access Controls Access privileges should be enabled to em ployees or users based on the routine perform ance of their job roles

The access requests granted to users should be docum ented an d vetted by a supervisor

Em ployees should take perm ission from data owners before accessing the sensitive system s

Establish change controls on the user’s system

When an em ployee is term inated from the job, the em ployers should disable all access rights to physical locations, networks, system s, applications, and data EC-Council


Guidelines for Detecting and Preventing Insider Threats: Security Awareness Program Identify and report the m alicious behavior of insiders

Exam ine the organization’s policies and controls

Im plem ent proper system adm inistration safeguards for critical servers

Provide consistency for defined security policies and controls

Enforce separation of duties in order to lim it the m isuse of resources Im plem ent secure backups and recovery m ethods to ensure data availability EC-Council


Guidelines for Detecting and Preventing Insider Threats: Adm inistrators and Privileged Users Disable the default adm inistrative accounts to provide accountability

Ensure that adm inistrators use unique account during installation process Im plem ent non-repudiation technique to view all the actions perform ed by adm inistrators and privileged users Monitor the activities of system adm inistrators and privileged users who have perm issions to access sensitive inform ation Use encryption m ethods to prevent adm inistrators and privileged users from accessing backup tapes and sensitive inform ation EC-Council


Guidelines for Detecting and Preventing Insider Threats: Backups Organizations should im plem ent secure backup and recovery processes to continue business operations when the system s are com prom ised

Regularly take backups and test it for integrity and availability

Secure the backup m edia and its content from alteration, theft, or destruction Im plem ent separation of duties and configuration m anagem ent procedures to perform backups on com puter system s, networks, and databases Im plem ent backup policies to secure the backup process and m edia EC-Council


Guidelines for Detecting and Preventing Insider Threats: Audit Trails and Log Monitoring Enforce account and password policies an d procedures to identify the onlin e actions perform ed by insiders Periodic logging, m on itoring, and auditing process helps organization to identify and investigate suspicious in sider actions Audit trails should be con figured for network devices, operating system s, com m ercial software, and custom applications Auditing should review and exam ine the changes perform ed on critical assets of any organization Protect the audit files through file perm issions and store the files in central host server to avoid alterations Im plem ent intrusion detection and file integrity software to detect and m onitor suspicious activity on sensitive data EC-Council


Em ployee Monitoring Tools

EC-Council


Activity Monitor http:/ / w w w .softactivity .com /

Activity Monitor is a com puter m onitoring software and key logger

It allows you to track any LAN, giving you the detailed inform ation on what, how, and when your network users perform ed


Live view of rem ote desktops Easy Internet usage m onitoring Monitor software usage Record activity log for all workplaces in one centr alized location on m ain com puter with Activity Monitor installed • Store com plete history of com m unications for everyuser • Track any user’s keystrokes on your screen in realtim e m ode

EC-Council


Activity Monitor: Screenshot 1

EC-Council


Activity Monitor: Screenshot 2

EC-Council


Net Spy Pro http:/ / w w w .net-m onitoring-softw are.com / Net Spy Pro is the em ployee and student network m onitoring software It allows you to m onitor all user activity on your network in real tim e from your own workstation Features: • Allows the adm inistrator to view an actual screensh ot of one, som e or all workstations instantly • Shows a list of the favorites on a user's InternetExplorer Browser to the adm inistrator • Shows you a list of all files in the tem porary hist ory (cache) of the Internet Explorer browser • Allows an adm inistrator to view all open ports ona workstation • Shows a full list of processes and services run ning on the rem ote m achine to the adm inistrator • Show a list of recent docum ents opened by a user ot the adm inistrator

EC-Council


Net Spy Pro: Screenshot 1

EC-Council


Net Spy Pro: Screenshot 2

EC-Council


Spector Pro http:/ / w w w .spectorsoft.com /

Spector Pro is m onitoring and recording software for every detail of PC and Internet activity - in your hom e or in your office

Features: • • • • • • • • • •

EC-Council

Keystrokes typed recording MySpace and Facebook recording Online searches recording Web sites visited recording Sum m ary reports Em ail activity recording Program activity recording Keywords detected recording Files transferred recording User activity recording Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Spector Pro: Screenshot 1

EC-Council


Spector Pro: Screenshot 2

EC-Council


SpyAgent http:/ / w w w .spy tech-w eb.com /

Spytech SpyAgent is com puter spy software that allows you to m onitor everything users do on your com puter

Features: • • • • • • • • • • • EC-Council

Keystroke logging Em ails sent and received m onitoring Events tim eline loggin g Internet chat conversations m onitoring Website activity m onitoring Application usage m onitoring Com puter usage loggin g Intelligent screenshot capturing Internet traffic data m on itoring Files uploaded and downloaded m onitoring Files/ docum ents accessed logging Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

SpyAgent: Screenshot 1

EC-Council


SpyAgent: Screenshot 2

EC-Council


Handy Keylogger http:/ / w w w .handy -key logger.com /

Handy Keylogger is a user-friendly spy key logger

It capture all key strokes, m onitor internet usage, enable screenshots grabbing by tim e and interval, m onitor clipboard, and send the logs to your e-m ail address invisibly

Features: • • • • • • • •

EC-Council

Monitor every key stroke on your keyboard Grab key strokes under all user accounts Log all clipboard events: text and graphics copiedto the clipboard Record Internet/ websites activity Log chats and e-m ails typed on your PC Record instant m essengers Capture all passwords Invisibly send logs to your m ailbox Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Handy Keylogger: Screenshot 1

EC-Council


Handy Keylogger: Screenshot 2

EC-Council


Anti Keylogger http:/ / w w w .anti-key loggers.com /

Anti-keylogger is a dedicated anti-keylogging product for Microsoft Windows

It protects com puters against inform ation-stealing program s and m odules

Features: • • • • • • • •

EC-Council

Prevents online identity theft Prevents Internet banking fraud Secures em ail com m unication, instant m essaging andchat Elim inates leakage of confidential or proprietaryinform ation Keeps usernam es, passwords, PINs, etc. safe Reduces security breaches Enforces com puter an d Internet Acceptable Use Policies (AUP) Disables espionage software of your com petitors


Anti Keylogger: Screenshot

EC-Council


Actual Spy http:/ / w w w .actualspy .com / Actual Spy is a keylogger which allows you to find out what other users do on your com puter in your absence It is capable of catching all keystrokes, capturing the screen, logging the program s being run and closed, m onitoring the clipboard contents

Features: • • • • • • • • EC-Council

Logs all keystrokes Makes screenshots within the specified tim e interval Saves the applications’ run ning and closing Watches clipboard conten ts Records all print activity Records disk changes Records internet connection s Records all websites visited Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Actual Spy: Screenshot 1

EC-Council


Actual Spy: Screenshot 2

EC-Council


Iam BigBrother http:/ / w w w .iam bigbrother.com /

Iam BigBrother is an internet m onitoring software for both hom es and business It runs in stealth m ode where it is not detected by the user of the com puter It records all of the internet activity for m any program s including Am erica Online, MSN, Outlook Express, etc. Features: • • • • • EC-Council

Chat and instant m essage recording Em ail recording Web site viewed Keystroke recording Screen capture Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Iam BigBrother: Screenshot 1

EC-Council


Iam BigBrother: Screenshot 2

EC-Council


0 0 7 Spy Software http:/ / w w w .e-spy -softw are.com /

0 0 7 Spy Software is com puter m onitoring software which allows you to secretly record all activities of com puter and takes screen snapshot at set intervals

Features: • • • • • • • • EC-Council

Capability of overriding Anti-Spy program s such asAd-aware View logs rem otely with your favorite browsers from anywhere at an ytim e Support user filter to spy on specific users View all user's Logs with a Single Login Capture screen at the highest speed Autom atically startup in active and stealth Mode Powerful keylogger engine to capture all passwords Built-in slide show for screen snapshot pictures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

0 0 7 Spy Software: Screenshot 1

EC-Council


0 0 7 Spy Software: Screenshot 2

EC-Council


SpyBuddy http:/ / w w w .exploreany w here.com /

SpyBuddy 20 0 9 is a com puter m onitoring software that reveals what your em ployee is really doing on the com puter It secretly records all internet and com puter related activities and present inform ation to you

Features: • • • • • • • EC-Council

Chat blocking Websites blocking Clipboard activity m onitoring Screenshot recording Keystrokes typed recording Online search recording Print activity m onitoring Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

SpyBuddy 20 0 9: Screenshot 1

EC-Council


SpyBuddy 20 0 9: Screenshot 2

EC-Council


SoftActivity Keylogger http:/ / w w w .softactivity .com /

SoftActivity Keylogger is a spying engine that runs in the background and secretly records URLs visited in browser, keystrokes in any program , chat conversations, received and sent em ail

It captures screenshots of the desktop at a preset period of tim e

Features: • • • • • • EC-Council

Logs everything Screenshots recording with advanced IntelliSnap™ et chnology Enhanced reporting features Works secretly Receive reports in em ail Com plete com patibility Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

SoftActivity Keylogger: Screenshot 1

EC-Council


SoftActivity Keylogger: Screenshot 2

EC-Council


Elite Keylogger http:/ / w w w .w idestep.com /

Elite Keystroke is keylogger for m onitoring and recording every detail of PC and Internet activity everywhere: at hom e or in the office

Features:

• • • • • • •

EC-Council

Keystroke recording Undetectable Chats, IMs, E-m ail recording Clipboard m onitoring Application activity recording Winlogon and passwords m onitoring Screenshots recording


Elite Keylogger: Screenshot 1

EC-Council


Elite Keylogger: Screenshot 2

EC-Council


Spy Sweeper http:/ / w w w .w ebroot.com /

Spy Sweeper is an antispyware software that blocks and rem oves spyware It delivers the advanced spyware detection available to beat dangerous spyware program s

Features: • • • • • • • EC-Council

Advanced detection and rem oval capabilities Real-tim e threat protection Enhanced rootkit discovery m ethods Minim al im pact on com puter perform ance Windows vista com patible Multiple user protection Up-to-date spyware news and inform ation Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Spy Sweeper: Screenshot

EC-Council


Sum m ary Insiders perform m alicious activities on the organization’s network, system , and database

Response depends on the nature of the insider threats and the organization’s policy

Insider threats can be detected by exam ining the system event logs including database logs, em ail logs, application logs, file access logs, and rem ote access logs

Access privileges should be enabled to em ployees or users based on the routine perform ance of their job roles

Organizations should im plem ent secure backup and recovery processes to continue business operations when the system s are com prom ised EC-Council


EC-Council


EC-Council


Sample Sample EC-Council Certified Incident Handler Version 1

Mo d u le IX Incident Reporting

Batch PDF Batch PDF Merger Merger

News: Infosec 20 0 9 Experts Discuss the Cyber Crim e Landscape 28 Apr 20 0 9 Every person who goes online has a part to play in helping to reduce e-crim e and better secure cyberspace, according to a panel of experts speaking at the Infosecurity Europe show in London. Philip Virgo, secretary general of Eurim , began the panel debate by highlighting the developm ent of today's real-world law enforcem ent agencies, which were originally created by businesses such as rail com panies and banks rather than by governm ents. Virgo believes that we cannot expect governm ents to shoulder all the responsibility for policing the internet. He believes that only by users, agencies, security firm s and organisations working together can the huge problem of cyber crim e begin to be addressed. His call was echoed by Charlie McMurdie, detective superintendent of the newly form ed Police Central e-Crim e Unit (PceU), who is pushing for greater interaction between the various stakeholders, both public and private, across various countries. "Currently, everyone is doing different things in different ways," she said. "We need to develop structure, standards and training, not only for the 43 police forces across the UK, but all the organisations involved in helping detect, prevent and track down illegal online behaviour." This will help to speed up investigations, and help elim inate duplication, thereby freeing up m ore of the lim ited resources, according to McMurdie. The PceU is pushing for end users to get involved as well by reporting even relatively m inor instances of e-crim e, as these can help to locate and identify the large organised crim inal gangs. Source: http:/ / w w w .vnunet.com /

EC-Council


Module Objective

This m odule will fam iliarize you with: • • • • • •

EC-Council

Incident Reporting Why to Report an Incident Whom to Report an Incident Federal Agency Incident Categories Organizations to Report Com puter Incident Incident Reporting Guidelines


Module Flow

EC-Council

Incident Reporting

Why to Report an Incident

Federal Agency Incident Categories

Whom to Report an Incident

Organizations to Report Com puter Incident

Incident Reporting Guidelines


Incident Reporting

Incident reporting is the process of reporting the inform ation regarding the encountered security breach in a proper form at

Incidents that should be reported include: • • • • •

Logs of unauthorized access showing failed or successful attem pts Unwanted disruption Denial of service Use of a system for processing or storage of data Changes m ade to the system ’s hardware or software

EC-Council


Why to Report an Incident

It is necessary to report an incident in order to:

• Receive technical assistance including guidance on detecting and handling the incidents • Im prove awareness on IT security issues and prevent other nuisance • Provide stronger protection for system s and data • Deal properly with legal issues • Know the inform ation regarding new threats and in cident trends • Be prepared for handling future incidents

EC-Council


Why Organizations do not Report Com puter Crim es Misunderstanding of the scope of the problem • Misconception that this does not happen to other organizations

Fear of negative publicity • Proactive reporting and handling of the incident will allow m any organizations to put their spin on the m edia reports

Potential loss of custom ers

Desire to handle things internally

Lack of awareness of the attack EC-Council


Whom to Report an Incident Head of inform ation security

?

Local inform ation security officer Incident response team s in the organization Hum an resources Public affairs officer Legal departm ent CERT EC-Council


How to Report an Incident

Incidents are reported using: • • • • • • •

EC-Council

Electronic Mail Online reporting form s Telephone calls Facsim ile (FAX) In person Voice m ailbox greeting Paper (e.g., post notices on bulletin boards and doors, hand out notices at all entrance points)


Details to be Reported

Details to be reported include: • • • • • • • • • • •

EC-Council

Date, tim e, and location of the incident Contact inform ation Intensity of the incident Circum stances that revealed the incident Sum m ary of hosts involved Description of the activity The nature of the violation Type of private data involved Other persons involved Any im m ediate harm known or observed Im m ediate corrective actions already taken


Prelim inary Inform ation Security Incident Reporting Form Sys te m In fo rm atio n Nam e of the Departm ent : _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Brief description on the affected system : _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Physical location of the affected system : _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ System adm inistration/ operation by: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Co n tact In fo rm atio n Nam e:_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Designation:_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Telephone Num ber: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Mobile Num ber: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Em ail Address: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Fax Num ber: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

In cid e n t D e tails Date/ Tim e (Detected):_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Sym ptom s of Incidents: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Im pacts: Defacem ent of web site Service interruption (denial of service attack / m ail bom b / system failure) Massive m alicious code attack Lost/ dam age/ unauthorized alternation of inform ation Com prom ise/ leakage of sensitive inform ation Intrusion/ unauthorized access Others, please specify: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Please provide details on the im pact and service interruption period, if any: Actions Taken: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Current System Status: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Other Inform ation: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

EC-Council


CERT Incident Reference Num bers CERT assigns reference num bers for every reported activity

These num bers help CERT to track correspondence and identify related activity

These num bers are unique and selected random ly

These num bers should be m entioned clearly in the subject line of any m ail m essages regarding the incident

e.g. CERT# XXXX, US CERT-0 6-0 0 0 1 reference num ber shows that it was the first case registered at US CERT in 20 0 6 EC-Council


Contact Inform ation Contact inform ation should include at least an em ail address and telephone num ber

If possible include fax num ber and a cellular telephone num ber

Tim e zone from where the reporting is m ade, should be m entioned

It is good to specify an alternate contact in case the victim is unavailable EC-Council


Sam ple Report Showing Contact Inform ation Contact Inform ation

Source: https:/ / form s.us-cert.gov/

EC-Council


Sum m ary of Hosts Involved Hosts involved in the incident or related activity is the m ost obvious inform ation to be noted

Som e tim es, hosts used in one incident m ay have been used earlier

Sum m ary of IP addresses and hostnam es involved in the incident should be included in the report

Hosts involved in the incident m ust be identified and the inform ation m ust be released as per the organization’s policies and procedures

EC-Council


Sam ple Report Showing Sum m ary of Hosts Involved

Sum m ary of Hosts


EC-Council


Description of the Activity

Activity description should include:

• • • • • • • •

EC-Council

Date Methods of intrusion Intruder tools involved Software versions and patch levels Intruder tool output Details of vulnerabilities exploited Source of attack And other relevant inform ation


Sam ple Report Showing Description of the Activity

Description of Activity

Source: http:/ / w w w .nitc.state.ne.us/

EC-Council


Log Extracts Showing the Activity Logs provide significantly m ore details than the description

Log entries showing the activity should be in cluded along with the report

To avoid confusion, rem ove the log entries that are not related with the incident

Ensure that the non disclosure policies are not violated while sending log entries to other sites

EC-Council


Exam ple Showing the Log Extracts of an Activity

Source: http:/ / w w w .kerio.co.uk/

EC-Council


Tim e Zone Dates, tim es, and tim e zones are confusing when used casually in international com m unications; hence clearly identify the date, tim e, an d location of the incident

A tim e zone reference relative to GMT (or UTC) such as GMT5 is preferred, since less form al tim e zone designations can be m isinterpreted

Inaccuracy in tim e should be m entioned in the report if it exceeds by a m inute or two

If the system was synchronized with a national tim e server via Network Tim e Protocol, the sam e should be m entioned in the report

EC-Council


Federal Agency Incident Categories Cate go ry

N am e

CAT 0

Exercise/ Network Defense Testing

This category is used during state, federal, national, international exercises and approved activity testing of internal/ external network defenses or responses.

Not Applicable; this category is for each agency's internal use during exercises.

CAT 1

Unauthorized Access

In this category an individual gains logical or physical access without perm ission to a federal agency network, system , application, data, or other resource

Within one (1) hour of discovery/ detection.

Denial of Service (DoS)

An attack that successfully prevents or im pairs the norm al authorized functionality of networks, system s or applications by exhausting resources. This activity includes being the victim or participating in the DoS.

Within two (2) hours of discovery/ detection if the successful attack is still ongoing and the agency is unable to successfully m itigate activity.

CAT 3

Malicious Code

Successful installation of m alicious software (e.g., virus, worm , Trojan horse, or other code-based m alicious entity) that infects an operating system or application. Agencies are NOT required to report m alicious logic that has been successfully quarantined by antivirus (AV) software.

Daily Note: Within one (1) hour of discovery/ detection if widespread across agency.

CAT 4

Im proper Usage

A person violates acceptable com puting use policies.

Weekly

CAT 5

Scans/ Probes/ Att em pted Access

This category includes any activity that seeks to access or identify a federal agency com puter, open ports, protocols, service, or any com bination for later exploit. This activity does not directly result in a com prom ise or denial of service.

Monthly Note: If system is classified, report within one (1) hour of discovery.

Investigation

Unconfirm ed incidents that are potentially m alicious or anom alous activity deem ed by the reporting entity to warrant further review.

Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.

CAT 2

CAT 6

EC-Council

D e s crip tio n

Source: http:/ / w w w .us-cert.gov/

Re p o rtin g Tim e fram e


Organizations to Report Com puter Incident United State Internet Crim e Task Force

Internet Crim e Com plaint Center (IC3)

Com puter Crim e and Intellectual Property Section (CCIPS)

Internet Watch Foundation (IWF)

EC-Council


United State Internet Crim e Task Force http:/ / w w w .usict.org/ services.asp

EC-Council


Internet Crim e Com plaint Center (IC3) http:/ / w w w .ic3.gov/

EC-Council


Com puter Crim e & Intellectual Property Section http:/ / w w w .usdoj.gov/ crim inal/ cy bercrim e/ reporting.htm

EC-Council


Internet Watch Foundation (IWF) http:/ / w w w .iw f.org.uk/

EC-Council


Incident Reporting Guidelines

Victim should attem pt to gather the following inform ation before reporting: • Nam e and address of the reporting agency • Nam e, address, e-m ail address, and phone n um ber(s)of the reporting person • Nam e, address, e-m ail address, and phone n um ber(s)of the victim • Nam e, address, e-m ail address, and phone n um ber(s)of the alternate contact (e.g., alternate inform ation security officer's, system adm inistrator, etc.) • Description of the incident • Date and tim e of the incident occurred • Date and tim e the incident was discovered • Any actions at, and following the tim e of discovery that were taken prior to calling CERT Source: http:/ / w w w .chp.ca.gov/

EC-Council


Incident Reporting Guidelines (cont’d) Additional inform ation that should be gathered by the victim :

• Make / m odel of the affected com puter(s) • Serial and state asset identification num bers of ht e affected devices • IP address of the affected com puter(s) • Assigned nam e of the affected com puter(s) • Operating system of the affected com puter(s) • Location of the affected com puter(s)

EC-Council


Sam ple Incident Reporting Form 1

EC-Council

Source: http:/ / w w w .nbt.nhs.uk/



EC-Council

Source: http:/ / w w w .neola.com /


Sam ple Incident Reporting Form 2 (cont’d)

EC-Council



Sam ple Incident Reporting Form 2 (cont’d)

EC-Council




Source: http:/ / w w w .occs.odu.edu/

EC-Council


Sam ple Post Incident Report Form

Source: http:/ / w w w .ogcio.gov.hk/

EC-Council


Post Incident Report (cont’d)

Source: http:/ / w w w .ogcio.gov.hk/

EC-Council


Sum m ary Incident reporting is the process of reporting the inform ation regarding the encountered security breach in a proper form at Incidents should be reported in order to receive technical assistance including guidance on detecting and handling the incidents CERT incident reference n um bers help CERT to track correspondence and identify related activity Contact inform ation should include at least an em ail address and telephone n um ber Hosts involved in the in cident or related activity is the m ost obvious inform ation to be noted Logs provide significantly m ore details than the description United State Internet Crim e Task Force is a n on-profit, governm ent assist, and victim advocate agency EC-Council


EC-Council


EC-Council



Mo d u le X Incident Recovery

Police Seek Grant for Com m unications and Com puter Equipm ent 0 5/ 0 7/ 20 0 9

In part of the 20 0 9 Am erican Recovery and Reinvestm ent Act, the J ustice Departm ent will be funding a num ber of grants for law enforcem ent. The Watertown Police Departm ent will be applying to receive $ 24,0 0 0 in funding from the Edward Byrne Mem orial J ustice Assistance Grant. According to Chief J ohn Gavallas, the Police Departm ent intends to use the funding to purchase equipm ent to operate a critical incident com m and center and briefing room . Purchases will include telephone system s, com puters, com puter m onitors, printers, upgrades to the IT system s, presentation equipm ent, m ultiple internet access points, audio-visual equipm ent including televisions, DVD and video players and projectors. "This will allow us to conduct roll call training in the briefing room and the equipm ent will provide incident com manders the equipm ent in managing a critical incident in town," said Chief Gavallas. The two principal requirem ents of the grant are public notice and that authorization to apply for the grant is given by the governing authority of the town. The Town Council gave approval for the grant application during its regular May 4 m eeting. The grant is nam ed in honor of New York City Police Officer Edwin Byrne, who was killed in the line of duty while conducting a stakeout to m onitor drug activity in 1988.

Source: http:/ / w w w .zw ire.com /

EC-Council


Module Objective

This m odule will fam iliarize you with: • • • • • • • •

EC-Council

Incident Recovery Principles of Incident Recovery Incident Recovery Steps Contingency/ Continuity of Operations Planning Business Continuity Planning Incident Recovery Plan Incident Recovery Planning Team Business Im pact Analysis


Module Flow

EC-Council

Incident Recovery

Principles of Incident Recovery

Contingency/ Continuity of Operations Planning

Incident Recovery Steps

Business Continuity Planning

Incident Recovery Plan

Business Im pact Analysis

Incident Recovery Planning Team


Incident Recovery Incident recovery is a process of rebuilding and restoring the com puter system s affected by an incident to norm al operational stage

System recovery involves all processes, policies, and tools that are used to restore norm al business functions Incident recovery m easures depend on the severity of incidents, criticality of the affected system s or processes, im pact on business revenues, and available resources

EC-Council


Principles of Incident Recovery Support and involvem ent of upper level m anagers lead to a robust incident recovery plan

Assess the organization on a regular basis

Policies and procedures adopted m ust be docum ented and m ade available to the intended staff to m eet the business operational needs Determ ine the m anagers responsible for declaring, responding, and recovering from an incident

Restrict com m unications am on g internal and external supporters of the organizations EC-Council


Principles of Incident Recovery (cont’d) Train em ployees against unforeseen crisis

Procedures m ust be tested and rehearsed to detect the vulnerabilities in the plan

Planners m ust identify new threats and update plans accordingly

Evaluate the effectiveness of the procedure and m onitor safety and hygienic issues of the em ployees

EC-Council


Incident Recovery Steps • System restoration

Step 1:

• System validation

Step2:

• System operations

Step3:

• System m onitoring

Step4:

EC-Council


Contingency/ Continuity of Operations Planning Contingency plan is a set of specific strategies, guidelines and processes to recover from an incident resulting due to a particular problem or em ergency It is necessary for a com pany or business to function norm ally Guidelines for contingency planning are as follows: Starting Point • Focuses on the developm ent and m aintenance of theplan

Im pact assessm ent • • • •

Problem s analysis Checks what sort of problem s/ incidents can occur Checks for the likelihood of the occurrence of theproblem Checks for the severity of the problem

Plan developm ent • Contingency plan is developed in this phase by considering the system threats and available resources • It regulates the business process by setting an ord er or priority of the organizational processes

EC-Council


Contingency/ Continuity of Operations Planning (cont’d) Testing the plan • In this phase, the developed plan is tested to determ ine whether the plan can actually work in real tim e environm ent • Testing results are docum ented for future reference

Personnel training • Personnel needs to undergo training to get fam iliar with the plan which helps them to perform their tasks and responsibilities effectively

Maintaining the plan • As processes are added or deleted by the organizatio n, the plans should be updated regularly

EC-Council


Contingency/ Continuity of Operations Planning (cont’d) Com ponents of contingency planning:

• Supporting Inform ation • Notification/ Activation ( supplies notification pro cedures and offers activation of the plan) • Recovery (recovers the data with the help of backups) • Reconstitution (restores original inform ation after the in cident) • Plan Appendices (provides records of further analysis)

EC-Council


Contingency/ Continuity of Operations Planning (cont’d) Continuity of operations provides an alternative site to the organization for a period of one m onth so as to recover from the incident and perform norm al organizational operations

EC-Council


Business Continuity Planning Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accom plished through the deploym ent of redundant hardware and software, the use of fault tolerant system s, as well as a solid backup and recovery strategy Source: http:/ / w w w .m icrosoft.com /

It provides a planning m ethodology that allows continuity in business operations before, during, and after an in cident or event

Som e other plans that are included in business continuity plan are:

• • • •

Incident/ disaster recovery plan Business recovery plan Business resum ption plan Contingency plan

EC-Council


Incident Recovery Plan An incident recovery plan is a statem ent of actions that should be taken before, during, or after an incident

Docum ent and test the plan in order to ensure the continuity of operations an d availability of resources during a incident

The planning process should ensure continuity of operations, som e level of organizational stability, and an orderly recovery from the incident occurred

The objectives of incident recovery plan are: • • • • •

EC-Council

Providing security to com puters Optim izing the risks Providing assurance to reliability of system s Providing a standard for testing the plan Reducing the decision m aking during an incident Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Incident Recovery Planning Process Establish the incident recovery planning team

Perform business im pact an alysis to assess risks

Delegate responsibilities across the organization

Develop policies and procedures

Docum ent the incident recovery procedures

Handle incidents

Train staff and test the plan EC-Council


Incident Recovery Planning Team The incident recovery plan ning team m ust have m em bers representing different departm ents within the organization

Mem bers of the incident recovery team s should have required skills, business process kn owledge, and experience

Each departm ent m ust m aintain its own recovery planning group to conduct research, assess, and im plem ent the plan

IT and network m anagers m ust address enterprise and specific departm ent and business issues

EC-Council


Business Im pact Analysis Business im pact analysis identifies the im pact of uncontrolled and nonspecific events on the business process

Steps in business im pact analysis are as follows:

• • • • •

Identify key business processes and functions Establish requirem ents for business recovery Determ ine resource interdependencies Determ ine impact on operations Develop priorities and classification of businessprocesses and functions • Develop recovery tim e requirem ents • Determ ine financial, operational, and legal im pactof disruption

EC-Council


Business Im pact Analysis (BIA) Tem plate Organization:

Date BIA Com pleted:

System Nam e:

BIA POC:

System Manager Point of Contact (POC): System Description: {Discussion of the system purpose and architecture, including system diagram s} A. Id e n tify Sys te m POCs

Ro le

Internal {Identify the individuals, positions, or offices within your organization that depend on or support the system ; also specify their relationship to the system } _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

External {Identify the individuals, positions, or offices outside your organization that depend on or support the system ; also specify their relationship to the system } _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

EC-Council

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _



Business Im pact Analysis (BIA) Tem plate (cont’d) B. Id e n tify Sys te m Re s o u rce s {Identify the specific hardware, software, and other resources that com prise the system ; include quantity and type} Hardware Software Other resources C. Id e n tify critical ro le s {List the roles identified in Section A that are deem ed critical} _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ D . Lin k critical ro le s to critical re s o u rce s {Identify the IT resources needed to accom plish the roles listed in Section C} Critical Ro le Critical Re s o u rce s _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

EC-Council

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Source: http:/ / csrc.nist.gov/


Business Im pact Analysis (BIA) Tem plate (cont’d) E. Id e n tify o u tage im p acts an d allo w able o u tage tim e s {Characterize the im pact on critical roles if a critical resource is unavailable; also, identify the m aximum acceptable period that the resource could be unavailable before unacceptable im pacts resulted} Re s o u rce

Ou tage Im p act

Allo w able Ou tage Tim e

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

F. Prio ritize re s o u rce re co ve ry {List the priority associated with recovering a specific resource, based on the outage im pacts and allowable outage tim es provided in Section E. Use quantitative or qualitative scale (e.g., high/ m edium / low, 15, A/ B/ C)} Re s o u rce Re co ve ry Prio rity

EC-Council



Incident Recovery Plan Im plem entation Allocate tasks for im plem entation

Create an im plem entation schedule

Allocate the incident recovery docum entation

Evaluate the worth and efficiency of m itigation steps

EC-Council


Incident Recovery Training

Train the staff to research on incident recovery issues

Organizations should identify the required skills and appoint suitable people in the planning process

Organizations should prepare an agenda for the team and set tasks for achieving goals

Highly centralized an d structured inform ation m anagem ent departm ent can process at a faster pace

EC-Council


Incident Recovery Testing Test determ ines the effectiveness of policies and procedures when im plem ented

Procedure audits:

Live walk-throughs of procedures:

Live walk-throughs of related process:

Scenario testing:

EC-Council

• Em ployees view the procedure to determ ine its authenticity and efficiency in executing procedures

• Determ ines the procedure’s effectiveness

• Related procedures are im plem ented to check their effectiveness

• Creates a m ock incident that inspects the workingprocess of the events Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Incident Recovery Testing (cont’d) Work group-level tests:

• Creates a m ock incident for a specific group of people

Departm ent-level tests:

• Creates a m ock incident for which the entire depart m ent m ust respond

Facility-level tests:

Enterprise-level tests:

EC-Council

• Creates a m ock incident for which an entire facility is liable

• Creates a m ock incident for which the entire organization m ust respond


Sum m ary Incident recovery is a process of restoring and rebuilding the com puter system into norm al operations that are affected by an incident

Contingency plan provides backup for docum ents to overcom e from an incident

Business continuity is the ability of an organization to continue to function even after a disastrous event

An incident recovery plan is a statem ent of actions that should be taken before, during, or after an incident EC-Council


EC-Council


EC-Council



Mo d u le XI Security Policies and Laws

Module Objective


• • • • • • • • •

EC-Council

Key elem ents of Security Policy Purpose of a Security Policy Design of Security Policy Exam ples of Security Policies Acceptable Use Policy Role of Law in Incident Handling Legal issues when dealing with an Incident Laws and Acts Intellectual Property Laws


Module Flow

Key Elem ents of Security Policy

Purpose of a Security Policy

Exam ples of Security Policies

Design of Security Policy

Acceptable Use Policy

Role of Law in Incident Handling

Laws and Acts

Legal Issues When Dealing With an Incident

Intellectual Property Laws

EC-Council


Security Policies

EC-Council


Security Policy A security policy is a docum ent that states in writing how a com pany plans to protect its physical and inform ation technology assets

It defines what business objectives and security goals are desired by the m anagem ent

It is a living docum ent as the docum ent is never finished, but is continuously updated depending upon technology and em ployee requirem ents

It depicts the basic architecture of the com pany’s security environm ent

EC-Council


Key Elem ents of Security Policy

Clear com m unication Brief and clear inform ation Defined scope and applicability Enforceable by law Recognizes areas of responsibility Sufficient guidance Top m anagem ent involvem ent

EC-Council


Goals of a Security Policy Security policies help in protecting the organization’s system and inform ation assets from abuse and inappropriate use

It sets the guidelines for responding to internal and external incidents

Security policies help in establishing m echanism s for the organization to satisfy its legal and ethical responsibilities

Security policies provide an outline for the m anagem ent and adm inistration of organization’s security

EC-Council


Characteristics of a Security Policy They m ust be im plem entable through system adm inistration procedures, publishing of acceptable use guidelines, or other appropriate m ethods

They m ust be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is n ot technically feasible

They m ust clearly define the areas of responsibility for the users, adm inistrators, and m anagem ent

They m ust be docum ented, distributed, and com m unicated

EC-Council


Design of Security Policy

Security policy structure should contain: • • • • •

EC-Council

A detailed description of the policy issues Description about the status of the policy Functionalities of those affected by the policy Com patibility level of the policy Applicability of the policy to the environm ent


Im plem enting Security Policies Im plem entation follows after building, revision, and updating of the security policy

Final version m ust be m ade available to all of the staff m em bers in the organization

For effective im plem entation, there m ust be rotation of the job so that data handling m ust not be restricted to a set of people

Proper security awareness program , cooperation, an d coordination am ong em ployees is required

EC-Council


Exam ples of Security Policies

EC-Council


Access Control Policy Access control policy authorizes perm ission for a user to perform a set of actions on a set of resources

It authorizes access on a ‘need to use’ basis, by an appropriate approval process

Access to resources is based on the necessity and if a particular person whose job role responsibilities require the use of those resources

Unauthorized access is prevented by im plem enting m anaged controls

EC-Council


Sam ple Access Control Policy

Source: http:/ / w w w .qgcio.qld.gov.au/

EC-Council


Sam ple Access Control Policy (cont’d)

EC-Council

Source: http:/ / w w w .qgcio.qld.gov.au/


Im portance of Access Control Policies Protects the system by im plem enting the personnel procedures set by the m anagem ent

Protects the system autom atically by im plem enting the software and hardware controls

Dictates the policies, procedures, and accountability to control the system ’s use

Acts as detective in in vestigation to find out the act that has already occurred

EC-Council


Acceptable Use Policy (AUP) An acceptable use policy is a set of rules applied by an organization, network, or Internet to restrict their usage

In som e cases, these docum ents are nam ed as Internet and E-m ail policy, Internet AUP, or Network AUP and also Acceptable IT Use Policy

The m ost im portant part of an AUP docum ent is the code of conduct governing the behavior of a user whilst con nected to the organization, network, or Internet

They are sim ilar to and often doing the sam e job as a docum ent labeled ‘Term s of Service’

EC-Council


Personal Com puter Acceptable Use Policy

EC-Council

Source: http:/ / w w w .w atchguard.com /


Adm inistrative Security Policy Adm inistrative security policy ensures that the organization’s resources are properly m anaged, used, protected, and controlled

It defines the security and protection requirem ents for inform ation and inform ation system s

It specifies the responsibility to m anage the inform ation security risk of the organization

EC-Council


Im portance of Adm inistrative Security Policies Safeguards valuable, confidential or proprietary inform ation from unauthorized access, or from revealing the data

Elim inates strong legal liability from em ployees or third parties

Ensures the data availability and processing resources

Ensures the integrity of the inform ation, and prevents it from unauthorized and undetected m odification, m anipulation, insertion, and deletion

EC-Council


Asset Control Policy Asset control policy is designed to protect the organizational resources on the network by establishing the policies and procedures

It enables organizational assets to be tracked concerning their location and who is using them

An asset tracking database is created to track assets which includes all inform ation on the Asset Transfer Checklist table and the date of the asset change

When an asset is acquired, an ID (Internal tracking num ber) is assigned for the asset and its inform ation is entered into the asset tracking database

EC-Council


Audit Trail Policy Audit trail policy m aintains a record of system activities such as records of com puter events, operating system , application, or user’s activities Maintains regular system operations by im plem enting m anagem ent, operational, and technical controls

Audit trail policies help in detecting security violations, perform ance problem s and flaws

It sets internal controls an d audit requirem ents such as:

• • • •

EC-Council

Individual accountability Reconstructing event Problem m onitoring Intrusion detection Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Sam ple Audit Trail Policy

EC-Council



Im portance of Audit Trail Policy Helps in various regulatory laws, rules, and guidelines Individual actions are tracked and renders users to be personally accountable for their actions Am ount of dam age occurred during the incident can be calculated

Helps in intrusion detection

Helps to reconstruct the events after a problem has occurred

Detects disk failures, network outages and over utilization of system resources

EC-Council


Logging Policy Logging policy defines which set of events needs to be logged

It captures and reviews the im portant data in a tim ely m anner

It includes • • • •

Notification procedures Guidelines for log review intervals Retention standards Response tim e expectations

Specific procedures to retrieve the logs and n ecessary logging are stated in the policy EC-Council


Im portance of Logging Policies Detects intrusions and com prom ises

Detects equipm ent failures and prevents down tim e

Maintains the proper levels of personnel

Provides qualitative data for capacity planning

Helpful in crim inal and civil investigations EC-Council


Docum entation Policy Docum entation policy determ ines the requirem ents and procedures for docum entation of organization’s operations and resources such as networks and servers

Network docum entation defines the docum entation of networking devices and operations

Server docum entation defines the docum entation of server configuration inform ation and running services

Both the server and network docum entation policies define: • Who has the authority to access, read, and changethe network or server docum entation • Defines the authorized person to be notified aboutthe changes m ade in the network or server

EC-Council


Docum entation Policy (cont’d) In server docum entation, the list of item s to be docum ented and reviewed are: • • • • • • • • • • •

EC-Council

Nam e, location, and fun ction of the server Hardware com ponents of the system List of software running on the server Configuration inform ation about the sever Types of data and the owners of the data stored onthe server Data on the server that is to be backed up Users or groups having the access to the data store d on the server and their authentication process and protocols Adm inistrators on the server and the authentication process and protocols Data and authentication encryption requirem ents User accessing data from rem ote locations Adm inistrators adm inistrating the server from rem ote locations


Docum entation Policy (cont’d)

Network docum entation includes:

• Locations and IP addresses of all hubs, switches,routers, and firewalls on the network • Various security zones on the network and devices ht at control access between them • Locations of every network drop and the associatedswitch and port on the switch supplying that connection • Interrelationship between all network devices showing lines runnin g between the network devices • All subnets on the network and their relationships • All Wide Area Network (WAN) or Metropolitan Area Network (MAN) • Network devices configuration inform ation • DHCP server settings

EC-Council


Evidence Collection Policy Evidence should be collected, preserved, accessed and transported properly in order to preserve its integrity Every steps, m ethods or tools used for handling the evidence should be thoroughly docum ented For each system , obtain the relevant order of volatility and persistent data

Maintain a precise chain of custody

Methods used to collect evidence should be transparent and reproducible

Docum ent all findings an d actions perform ed during the process EC-Council


Evidence Preservation Policy The evidence preservation policy should address the following requirem ents: • Evidence m ust be preserved in its original state • Evidence should be protected from m echanical or ele ctrom agnetic dam age • At least two copies of evidence should be m ade • Bit stream backups are to be m ade as they are thoro ugh than the standard backups • Collected hardware evidence should be sealed in polythene bags and properly labeled for identification • All the evidence should be item ized, with the following inform ation: • Evidence tag num ber • Tim e and date discovered • Nam e of the person • Evidence description • Storage notes

EC-Council


Inform ation Security Policy Inform ation security policies strengthens the security of inform ation resources

It allows the organization to satisfy its legal and ethical responsibilities

It incorporates the security practices like the m anagem ent of vulnerable points and system file security

Inform ation security policies set the fram ework for regular vulnerability and risk assessm ent

It provides guidelines for effective im plem entation of control m easures to respond to the security incidents EC-Council


Inform ation Security Policy: University of California

Source: http:/ / w w w .ucop.edu/

EC-Council


Inform ation Security Policy: Pearce & Pearce, Inc.

EC-Council

Source: https:/ / w w w .pearceandpearce.com /


Inform ation Security Policy: Pearce & Pearce, Inc. (cont’d)

EC-Council


Im portance of Inform ation Security Policy Inform ation security policies help in m inim izing wastage and m isuse of organization’s resources

It helps in safeguarding and protecting valuable, confidential, and proprietary inform ation from unauthorized access

Security policies help in ensuring availability of data and processing resources

It helps in protecting the confidentiality an d integrity of the inform ation

Inform ation security policies helps in im proving overall security posture of the organization

EC-Council


National Inform ation Assurance Certification & Accreditation Process (NIACAP) Policy NIACAP sets up a standard national process, set of activities, general tasks, and a m anagem ent structure It certifies and recognizes system s which m aintain inform ation assurance and security posture

The NIACAP process accom plishes the requirem ents of the docum ented security policy

Accredited security posture is m aintained all through the system life cycle

The process com prises of existing system certifications and product evaluations

Process users m ust arrange the process with their program strategies and incorporate the activities into their en terprise system life cycle EC-Council


National Inform ation Assurance Certification & Accreditation Process (NIACAP) Policy (cont’d) Agreem ent between the IS program m anager, Designated Approving Authority (DAA), certification agent (certifier), and user representative is the m ain aspect of NIACAP

Critical schedule, budget, security, functionality, and perform ance issues are determ ined by these individuals

System Security Authorization Agreem ent (SSAA) contains the docum entation of NIACAP agreem ents

The results of Certification and Accreditation (C&A) are docum ented using SSAA

The objective is to use the SSAA to establish an evolving yet binding agreem ent on the level of security required before the system developm ent begins or changes

EC-Council


Im portance of The National Inform ation Assurance (IA) Certification & Accreditation (C&A) Policy Describes the operating environm ent, system security architecture, and threat

Establishes the C&A boundary of the system to be accredited

Form s the baseline security configuration docum ent

Docum ents all requirem ents necessary for accreditation, test plan s and procedures, certification results, and residual risk Minim izes docum entation requirem ents by consolidating applicable inform ation into the SSAA (security policy, concept of operations, architecture description, test procedures, etc.) EC-Council


Physical Security Policy Physical security policy helps to control and m onitor the physical access to inform ation resource facilities

Physical access to all restricted facilities are docum ented and m anaged

Every individual who has physical access to inform ation resource facilities should sign the access and non-disclosure agreem ents

Access cards and/ or keys m ust not be shared or loaned to others

All access to the inform ation resources should be tracked with a sign in/ out log

EC-Council


Sam ple Physical Security Policy 1

EC-Council

Source: http:/ / trustedtoolkit.com /


Sam ple Physical Security Policy 1 (cont’d)

EC-Council

Source: http:/ / trustedtoolkit.com /


Sam ple Physical Security Policy 2

EC-Council

Source: http:/ / w w w .cnc.police.uk/


Im portance of Physical Security Policies Controls access to the facilities and com puters

Protects assets from in ternational abuse, m isuse, or destruction by em ployees, contractors, or consultants

Protects inform ation processing facilities by reducing risk of hum an error, fraud, and theft

Monitors how well personnel com ply with contractual security provisions

EC-Council


Physical Security Guidelines System s should be protected against environm ental factors such as fire, power, excessive heat, and hum idity

System s should have alternate power supply during power losses such as an UPS

Com puting devices should be placed in order to protect them from shoulder surfing

Monitoring system s should be installed to m onitor the work area and office prem ises

While in transit, laptops should be placed in secure storage

Workstations should be locked when left un attended

EC-Council


Personnel Security Policies & Guidance Personnel security policies include the safety m easures to be taken regarding com pany em ployees

Manager should im plem ent the personnel security policies to:

• Ensure trustworthiness of the people in the postswho require access to official inform ation • Protect the official inform ation before granting ht em access • Enforce term s and condition s to the em ployee access ing official inform ation

EC-Council


Personnel Security Policies & Guidance (cont’d) Elem ents of personnel security are:

Personal Screening: • It is a pre-em ploym ent check which involves the employees’ background check • This is done even as the em ployee is given accessto the official inform ation • While recruiting em ployee for a perm anent staff position, he m ust be checked for: • Satisfactory character referees • Accuracy of the curriculum vitae and qualifications

• Before appointing an em ployee after he/ she is recru ited, verify details of the em ployee such as: • Identity and character confirm ation through referees • Crim inal background check from police

• Sim ilarly, em ployee being recruited for a tem porary staff position can be checked through a verifying agency EC-Council


Personnel Security Policies & Guidance (cont’d) Granting access:

• Chief executives need to grant access the perm anent staff to access official inform ation after clearance from : • • • •

Pre-em ploym ent checks Periodic reviews Approval procedures Sound term s & conditions of the em ploym ent

• Avoid granting access to the m ost sensitive sitesas there are chances of indirect exposure by staff or visitors • Access granted individuals m ust be issued a pass or access or identity card • A "Basic Check" can be don e further after the pre-em ploym ent check, about staff or contractors who need a frequent access to sensitive sites

EC-Council


Law and Incident Handling

EC-Council


Role of Law in Incident Handling Federal law requires federal agencies to report incidents to the Federal Com puter Incident Response Center

It requires federal agen cies to establish incident response capabilities

Incident response team should be fam iliar with the reporting procedures for all relevant law enforcem ent agencies and well prepared to recom m end suitable agency and contact details

Several levels of law enforcem ent agencies are available to in vestigate incidents

EC-Council


Legal Issues When Dealing With an Incident Law enforcem ent should be contacted through designated individuals in a m anner consistent with the requirem ents of the law and the organization’s procedures

Organizations should not contact m ultiple agencies because it m ight result in jurisdictional conflicts

Consult lawyers if an illegal act has occurred

Reporting to law enforcem ent changes the character of the evidence handling process • Evidence can be subpoenaed by courts • Perpetrators and their lawyers can get access to ti in the trial • Evidence gathering process and all actions and docum entation of the investigations m ay also be accessible to the other party during litigation

EC-Council


Law Enforcem ent Agencies

Federal investigatory agencies (e.g., the FBI and the U.S. Secret Service)

District attorney offices

State law enforcem ent

Local law enforcem ent

EC-Council


U.S. Law Enforcem ent Agencies

EC-Council


Laws and Acts

EC-Council


Searching and Seizing Com puters without a Warrant The Fourth Am endm ent of USA PATRIOT Act of 20 0 1 lim its the ability of governm ent agents to search for evidence without a warrant

If the governm ent’s conduct does not violate a person’s “Reasonable Expectation Of Privacy,” then form ally it does not constitute a Fourth Am endm ent “search” and no warrant is required

EC-Council


§ A: Fourth Am endm ent’s “Reasonable Expectation of Privacy” in Cases Involving Com puters: General Principles

A search is constitutional if it does not violate a person’s “reasonable” or “legitim ate” expectation of privacy Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring). This inquiry em braces two discrete questions: •First, whether the individual’s conduct reflects “an actual (subjective) expectation of privacy,” •Second, whether the individual’s subjective expectation of privacy is “one that society is prepared to recognize as ‘reasonable.’”

EC-Council


§ A.4: Private Searches The Fourth Am endm ent does not apply to searches conducted by private parties who are not acting as agents of the governm ent

In United States v. J acobsen, 466 U.S. 10 9 (1984), the Suprem e Court presented the fram ework that should guide agents seeking to uncover evidence as a result of a private search

Even if courts follow the m ore restrictive approach, the inform ation gleaned from the private search will often be useful in providing the probable cause needed to obtain a warrant for a further search

The fact that the person conducting a search is not a governm ent em ployee does not always m ean that the search is “private” for Fourth Am endm ent purposes

EC-Council


The Privacy Protection Act When agents have reason to believe that a search m ay result in a seizure of m aterials relating to First Am endm ent activities such as publishing or posting materials on the World Wide Web, they m ust consider the effect of the Privacy Protection Act (“PPA”), 42 U.S.C. § 20 0 0 aa Brief History: •Before the Suprem e Court decided Warden v. Hayden, 387 U.S. 294, 30 9 (1967), law enforcem ent officers could not obtain search warrants to search for and seize “m ere evidence” of crim e. Warrants were perm itted only to seize contraband, instrum entalities, or fruits of crim e •This ruling set the stage for a collision between law enforcem ent and the press •By freeing the Fourth Am en dm ent from Boyd's restrictive regim e, Hayden created the possibility that law enforcem ent could use search warrants to target the press for evidence of crim e it had collected in the course of investigating an d reporting news stories EC-Council


Federal Inform ation Security Managem ent Act (FISMA) Title III of the E-Governm ent Act, entitled the Federal Inform ation Security Managem ent Act (FISMA), requires each Federal agency to develop, docum ent, and im plem ent an agency-wide inform ation security program to provide inform ation security for the inform ation and inform ation system s that support the operations and assets of the agency, including those provided or m anaged by another agency, contractor, or other source. The inform ation security program m ust include— •Periodic assessm ents of the risk and m agnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, m odification, or destruction of inform ation and inform ation system s that support the operations and assets of the agency;

Source: http:/ / csrc.nist.gov

EC-Council


Federal Inform ation Security Managem ent Act (FISMA) (cont’d) 







EC-Council

Policies and procedures that are based on risk assessm ents, cost-effectively reduce inform ation security risks to an acceptable level, and ensure that inform ation security is addressed throughout the life cycle of each agency inform ation system ; Subordinate plans for providing adequate inform ation security for networks, facilities, inform ation system s, or groups of inform ation system s, as appropriate; Security awareness training to inform personnel (including contractors and other users of inform ation system s that support the operations and assets of the agency) of the inform ation security risks associated with their activities and their responsibilities in com plying with agency policies and procedures designed to reduce these risks; Periodic testing and evaluation of the effectiveness of inform ation security policies, procedures, and practices (including the m anagem ent, operational, and technical controls of every agency inform ation system identified in their inventory) to be perform ed with a frequency depending on risk, but no less than annually; Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Federal Inform ation Security Managem ent Act (FISMA) (cont’d) 





EC-Council

A process for planning, im plem enting, evaluating, and docum enting rem edial action to address any deficiencies in the inform ation security policies, procedures and practices of the agency; Procedures for detecting, reporting, and responding to security incidents (including m itigating risks associated with such incidents before substantial dam age is done and notifying and consulting with the Federal inform ation security incident response center, and as appropriate, law enforcem ent agencies, relevant Offices of Inspector General, and any other agency or office, in accordance with law or as directed by the President; and Plans and procedures to ensure continuity of operations for inform ation system s that support the operations and assets of the agency. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Mexico Se ctio n 3 0 -4 5-5 — U n au th o rize d co m p u te r u s e A person who knowingly, willfully and without authorization, or having obtained authorization, uses the opportunity the authorization provides for purposes to which the authorization does not extend, directly or indirectly accesses, uses, takes, transfers, conceals, obtains, copies or retains possession of any com puter, com puter network, com puter property, com puter service, com puter system or any part thereof, when the • dam age to the com puter property or com puter service has a value of two hundred fifty dollars ($ 250 ) or less, is guilty of a petty m isdem eanor; • dam age to the com puter property or com puter service has a value of m ore than two hundred fifty dollars ($ 250 ) but not m ore than five hundred dollars ($ 50 0 ), is guilty of a m isdem eanor; EC-Council

Source: http:/ / law .justia.com /


Mexico (cont’d) • dam age to the com puter property or com puter service has a value of m ore than five hundred dollars ($ 50 0 ) but not m ore than two thousand five hundred dollars ($ 2,50 0 ), is guilty of a fourth degree felony; • dam age to the com puter property or com puter service has a value of m ore than two thousand five hundred dollars ($ 2,50 0 ) but not m ore than twenty thousand dollars ($ 20 ,0 0 0 ), is guilty of a third degree felony; • dam age to the com puter property or com puter service has a value of m ore than twenty thousand dollars ($ 20 ,0 0 0 ), is guilty of a second degree felony

EC-Council


Brazilian Laws 

ENTRY OF FALSE DATA INTO THE INFORMATION SYSTEM • Art. 313-A. Entry, or facilitation on the part of an authorized em ployee of the entry, of false data, im proper alteration or exclusion of correct data with respect to the inform ation system or the data bank of the Public Managem ent for purposes of achieving an im proper advantage for him self or for som e other person, or of causing dam ages

 

Penalty-im prisonm ent for 2 to 12 years, and fines UNAUTHORIZED MODIFICATION OR ALTERATION OF THE INFORMATION SYSTEM • Art. 313-B. Modification or alteration of the inform ation system or com puter program by an em ployee, without authorization by or at the request of a com petent authority



EC-Council

Penalty-detention for 3 m onths to 2 years, and fines

Source: http:/ / w w w .m osstingrett.no/


Canadian Laws  



Canadian Crim inal Code Section 342.1 states: (1) Every one who, fraudulently and without color of right, • (a) obtains, directly or indirectly, any com puter service, • (b) by m eans of an electro-m agnetic, acoustic, m echan ical or other device, intercepts or causes to be intercepted, directly or indirectly , any function of a com puter system • (c) uses or causes to be used, directly or indirectly, a com puter system with intent to com m it an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a com puter system

Person to com m it an offence under paragraph (a), (b) or (c) is guilty of an indictable offence and liable to im prisonm ent for a term not exceeding ten years


EC-Council


United Kingdom ’s Laws Co m p u te r Mis u s e Act 19 9 0 (1) A person is guilty of an offense if(a) he causes a com puter to perform any function with the intent to secure access to any program or data held in any com puter, (b) the access he intends to secure is unauthorized, and (c) he knows at the tim e when he causes the com puter to perform the function that that is the case

(2) The intent a person has to have to com m it an offense under this section need not to be directed at: (a) any particular program or data, (b) a program or data of any particular kind, or (c) a program or data held in any particular com puter

(3) A person guilty of an offense under this section shall be liable on sum m ary conviction to im prisonm ent for a term not exceeding six m onths or to a fine not exceeding level 5 on the standard scale or to both Source: http:/ / w w w .opsi.gov.uk

EC-Council


United Kingdom ’s Laws (cont’d) (4) A person is guilty of an offense under this section if he com m its an offense under section 1 above (" the unauthorized access offense") with intent (a) to com m it an offense to which this section applies; or (b) to facilitate the com m ission of such an offen se and the offense he intends to com m it or facilitate is referred to below in this section as the further offense

(5) This section applies to offences (a) for which the sentence is fixed by law; or (b) for which a person of twenty-one years of age or over (not previously convicted) m ay be sentenced to im prisonm en t for a term of five years

(6) It is im m aterial for the purposes of this section whether the further offense is to be com m itted on the sam e occasion as the unauthorized access offense or on any future occasion (7) A person m ay be guilty of an offense under this section even though the facts are such that the com m ission of the further offense is im possible

EC-Council


United Kingdom ’s Laws (cont’d) (8) A person guilty of an offense under this section shall be liable (a) on sum m ary conviction, to im prison m ent for a term n ot exceedin g the statutory m axim um or to both; and (b) on conviction on indictm ent, to im prisonm ent for a term not exceeding five years or to a fine or to both

(9) A person is guilty of an offense if (a) he does an y act which causes an unauthorized m odification of the contents of any com puter; and (b) at the tim e when he does the act he has the requisite in tent and the requisite knowledge.

(10 ) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a m odification of the contents of any and by so doing (a) to im pair the operation of any com puter; (b) to prevent or hinder access to any program or data held in any com puter; or (c) to im pair the operation of any such program or the reliability of any such data

EC-Council


Belgium Laws   

 

EC-Council

COMPUTER HACKING Article 550 (b) of the Crim inal Code: §1. Any person who, aware that he is not authorised, accesses or m aintains his access to a com puter system , m ay be sentenced to a term of im prisonm ent of 3 m onths to 1 year and to a fine of (Bfr 5,20 0 -5m ) or to one of these sentences If the offence specified in §1 above is com m itted with intention to defraud, the term of im prisonm ent m ay be from 6 m onths to 2 years §2. Any person who, with the intention to defraud or with the intention to cause harm , exceeds his power of access to a com puter system , m ay be sentenced to a term of im prisonm ent of 6 m onths to 2 years and to a fine of (BFr 5,20 0 -20 m ) or to one of these sentences



Germ an Laws 

Penal Code Section 20 2a. Data Espionage: • (1) Any person who obtains without authorization, for him self or for another, data which are not m eant for him and which are specially protected against unauthorized access, shall be liable to im prisonm ent for a term not exceeding three years or to a fine • (2) Data within the m eaning of subsection 1 are only such as are stored or transm itted electronically or m agnetically or in any form not directly visible



Penal Code Section 30 3a: Alteration of Data • (1) Any person who unlawfully erases, suppresses, renders useless, or alters data (section 20 2a(2)) shall be liable to im prisonm ent for a term not exceeding two years or to a fine • (2) The attem pt shall be punishable Source: http:/ / w w w .m osstingrett.no/

EC-Council


Italian Laws 

Penal Code Article 615 ter: Unauthorized access into a com puter or telecom m unication system s: • Anyone who enters unauthorized into a com puter or telecom m unication system protected by security m easures, or rem ains in it against the expressed or im plied will of the on e who has the right to exclude him , shall be sentenced to im prison m ent not exceeding three years • The im prisonm ent is from one until five years • if the crim e is com m itted by a public official or by an officer of a public service, through abuse of power or through violation of the duties concerning the function or the service, or by a person who practices even without a licen ce - the profession of a private investigator, or with abuse of the capacity of a system operator


EC-Council


Cybercrim e Act 20 0 1 The Cybercrim e Act 20 0 1 am ended the Crim inal Code Act 1995 to replace existing oudated com puter offences 478.1 Unauthorized access to, or m odification of, restricted data (1) A person is guilty of an offence if: (a) the person causes any unauthorized access to, or m odification of, restricted data; and (b) the person intends to cause the access or m odification; and (c) the person knows that the access or m odification is unauthorized; and (d) one or m ore of the following applies: (i) the restricted data is held in a Com m onwealth com puter; (ii) the restricted data is held on behalf of the Com m onwealth; (iii) the access to, or m odification of, the restricted data is caused by m eans of a telecom m unications service

EC-Council

Source: http:/ / w w w .cy bercrim elaw .net/


Cybercrim e Act 20 0 1 (cont’d) Penalty: 2 years im prisonm ent (2) Absolute liability applies to paragraph (1)(d) (3) In this section: restricted data m eans data (a) held in a com puter; an d (b) to which access is restricted by an access control system associated with a function of the com puter

EC-Council


Inform ation Technology Act THE INFORMATION TECHNOLOGY ACT, 20 0 0 (No. 21 of 20 0 0 ) CHAPTER XI OFFENCES 66.Hacking with com puter system (1) Whoever with the intent to cause or knowing that he is likely to wrongful loss or dam age to the public or any person destroys alters any inform ation residing in a com puter resource utility or affects it injuriously by any m eans,

cause

or deletes or

or dim ishes its value or

com m its hack

(2) Whoever com m its hacking shall be punished with im prisonm ent

up to

three years, or with fine which m ay extend upto two lakh rupees, or with both

Source: http:/ / law m in.nic.in/

EC-Council


Singapore Laws Chapter 50 A: Com puter m isuse Act Section 3 – (1) Any person who knowingly causes a com puter to perform any function for the purpose of securing access without authority, shall be liable on conviction to a fine n ot exceeding $ 5.0 0 0 or to im prisonm ent for a term n ot exceeding 2 years or to both. (2) If an y dam age is caused as a restut of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $ 50 .0 0 0 or to im prisonm ent for a term n ot exceeding 7 years or to both Section 4: Access with intent to com m it or facilitate com m ission of offence (1) This section shall apply to an offence involvin g property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with im prisonm ent for a term of n ot less than 2 years. (2) Any person guilty of an offence under this section shall be liable on conviction to a not exceeding $ 50 .0 0 0 or to im prisonm ent for a term n ot exceeding 10 years or to both EC-Council



Sarbanes-Oxley Act 





Title I Pu blic Co m p an y Acc o u n tin g Ove rs igh t Bo ard ( PCAOB) consists of nine sections an d establishes the Public Com pany Accounting Oversight Board, to provide independent oversight of public accoun ting firm s providing audit services ("auditors") Title II Au d ito r In d e p e n d e n ce consists of nin e sections and establishes standards for external auditor independence, to lim it conflicts of interest and addresses new auditor approval requirem ents, audit partner rotation, an d auditor reporting requirem ents Title III Co rp o rate Re s p o n s ibility consists of eight sections and m andates that senior executives take individual responsibility for the accuracy and com pleteness of corporate financial reports

EC-Council

Source: http:/ / frw ebgate.access.gpo.gov/


Sarbanes-Oxley Act (cont’d) 

 

Title IV En h an ce d Fin an cial D is clo s u re s consists of nine sections and describes enhanced reporting requirem ents for financial transactions, including off-balance-sheet transactions, pro-form a figures and stock transactions of corporate officers Title V An alys t Co n flicts o f In te re s t consists of only one section, which includes m easures designed to help restore investor confidence in the reporting of securities analysts Title VI Co m m is s io n Re s o u rce s an d Au th o rity consists of four sections and defines practices to restore investor confidence in securities analysts

EC-Council





EC-Council

Title VII Stu d ie s an d Re p o rts consists of five sections and it include the effects of consolidation of public accounting firm s, the role of credit rating agencies in the operation of securities markets, securities violations and enforcem ent actions, and whether investm ent banks assisted Enron, Global Crossing and others to m anipulate earnings and obfuscate true financial conditions Title VIII Co rp o rate an d Crim in al Frau d Acco u n tability consists of seven sections and is also referred to as the “Corporate and Crim inal Fraud Act of 20 0 2”. It describes specific crim inal penalties for fraud by m anipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited






EC-Council

Title IX W h ite Co llar Crim e Pe n alty En h an ce m e n t consists of two sections. This section is also called the “White Collar Crim e Penalty Enhancem ent Act of 20 0 2.” This section increases the crim inal penalties associated with white-collar crim es and conspiracies. It recom m ends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a crim inal offense. Title X Corporate Tax Returns consists of one section. Section 10 0 1 states that the Chief Executive Officer should sign the com pany tax return. Title XI Co rp o rate Frau d Acco u n tability consists of seven sections. Section 110 1 recom m ends a nam e for this title as “Corporate Fraud Accountability Act of 20 0 2”. It identifies corporate fraud and records tam pering as crim inal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to tem porarily freeze large or unusual paym ents. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Social Security Act Sec. 464. [42 U.S.C. 664] (a)(1) Upon receiving notice from a State agency adm inistering a plan approved under this part that a nam ed individual owes past-due support which has been assigned to such State pursuant to section 40 8(a)(3) or section 471(a)(17), the Secretary of the Treasury shall determ ine whether any am ounts, as refunds of Federal taxes paid, are payable to such individual (regardless of whether such individual filed a tax return as a m arried or unm arried individual). If the Secretary of the Treasury finds that any such am ount is payable, he shall withhold from such refunds an am ount equal to the past-due support, shall concurrently send notice to such individual that the withholding has been m ade (including in or with such notice a notification to any other person wh o m ay have filed a joint return with such individual of the steps which such other person m ay take in order to secure his or her proper share of the refund), and shall pay such am ount to the State agency (together with notice of the individual's hom e address) for distribution in accordance with section 457. This subsection m ay be executed by the disbursing official of the Departm ent of the Treasury.

EC-Council

Source: http:/ / w w w .ssa.gov/


Social Security Act (cont’d) Sec. 1137. [42 U.S.C. 1320 b– 7] (a) In order to m eet the requirem ents of this section, a State m ust have in effect an incom e and eligibility verification system which m eets the requirem ents of subsection (d) and un der which— (1) the State shall require, as a condition of eligibility for benefits under any program listed in subsection (b), that each applicant for or recipient of benefits under that program furnish to the State his social security account n um ber (or num bers, if he has m ore than on e such num ber), and the State shall utilize such account num bers in the adm inistration of that program so as to enable the association of the records pertaining to the applicant or recipient with his accoun t num ber; (2) wage inform ation from agencies adm inistering State unem ploym ent com pensation laws available pursuant to section 330 4(a)(16) of the In ternal Revenue Code of 1954[71], wage inform ation reported pursuant to paragraph (3) of this subsection, and wage, incom e, and other inform ation from the Social Security Adm inistration and the Internal Revenue Service available pursuant to section 610 3(l)(7) of such Code[72], shall be requested and utilized to the extent that such inform ation m ay be useful in verifying eligibility for, and the am ount of, benefits available under any program listed in subsection (b), as determ ined by the Secretary of Health and Hum an Services (or, in the case of the unem ploym ent com pensation program , by the Secretary of Labor, or, in the case of the supplem ental nutrition assistance program [73], by the Secretary of Agriculture); EC-Council


Social Security Act (cont’d) 

EC-Council

(3) em ployers (as defined in section 453A(a)(2)(B)) (including State and local governm ental entities and labor organizations) in such State are required, effective Septem ber 30 , 1988, to m ake quarterly wage reports to a State agency (which m ay be the agency adm inistering the State's unem ploym ent com pensation law) except that the Secretary of Labor (in consultation with the Secretary of Health and Hum an Services and the Secretary of Agriculture) m ay waive the provisions of this paragraph if he determ ines that the State has in effect an alternative system which is as effective and tim ely for purposes of providing em ploym ent related incom e and eligibility data for the purposes described in paragraph (2), and except that no report shall be filed with respect to an em ployee of a State or local agency perform ing intelligence or counterintelligence functions, if the head of such agency has determ ined that filing such a report could endanger the safety of the em ployee or com prom ise an ongoing investigation or intelligence m ission, and except that in the case of wage reports with respect to dom estic service em ploym ent, a State m ay perm it em ployers (as so defined) that m ake returns with respect to such em ploym ent on a calendar year basis pursuant to section 3510 of the Internal Revenue Code of 1986 to m ake such reports on an annual basis; Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Gram m -Leach-Bliley Act  

EC-Council

The GLB Act gives authority to eight federal agencies and the states to adm inister and enforce the Financial Privacy Rule and the Safeguards Rule Fin an cial Privacy Ru le requires financial institutions to provide each consum er with a privacy notice at the tim e the consum er relationship is established and annually thereafter. The privacy notice m ust explain the inform ation collected about the consum er, where that inform ation is shared, how that inform ation is used, and how that inform ation is protected. The notice m ust also identify the consum er’s right to opt-out of the inform ation being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in tim e, the consum er m ust be notified again for acceptance. Each tim e the privacy notice is reestablished, the consum er has the right to opt-out again. The unaffiliated parties receiving the nonpublic inform ation are held to the acceptance term s of the consum er under the original relationship agreem ent. In sum m ary, the financial privacy rule provides for a privacy policy agreem ent between the com pany and the consum er pertaining to the protection of the consum er’s personal nonpublic inform ation.

Source: http:/ / w w w .ftc.gov/


Gram m -Leach-Bliley Act (cont’d) 



EC-Council

Safe gu ard s Ru le requires financial institution s to develop a written inform ation security plan that describes how the com pany is prepared for, and plans to continue to protect clients’ nonpublic personal inform ation. (The Safeguards Rule also applies to inform ation of those no longer consum ers of the finan cial institution.) This plan m ust include: •

Denoting at least one em ployee to m anage the safeguards,

•

Constructing a thorough [risk m anagem ent] on each departm ent handling the nonpublic inform ation,

•

Develop, m onitor, and test a program to secure the inform ation, and

•

Change the safeguards as needed with the changes in how inform ation is collected, stored, and used.

This rule is intended to do what m ost businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they m anage private data and to do a risk analysis on their current processes. No process is perfect, so this has m eant that every financial institution has had to m ake som e effort to com ply with the GLBA. Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Health Insurance Portability and Accountability Act (HIPAA) Ensure integrity, confidentiality and availability of electronic protected health inform ation

Protect against reasonably anticipated threats or hazards, and im proper use or disclosure

Protect against any reasonably anticipated uses or disclosures of such inform ation that are not perm itted or required

Pe n alty: Fine up to $ 50 ,0 0 0 , im prisoned not m ore than 1 year, or both

Source: http:/ / w w w .hhs.gov/

EC-Council


Intellectual Property Laws

EC-Council


Intellectual Property Intellectual property is the product of intellect that has com m ercial value and includes copyrights and tradem arks

Com m on types of intellectual property include: • • • • •

Copyrights Tradem arks Patents Industrial design rights Trade secrets

Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets

EC-Council


US Laws for Tradem arks and Copyright The Digital Millennium Copyright Act (DMCA) of 1998 • This Act creates lim itations on the liability of online service providers for copyright infringem ent

The Lanham (Tradem ark) Act (15 USC §§ 10 51 - 1127) • This Act prohibits a n um ber of activities, includin g tradem ark infringem ent, tradem ark dilution , and false advertising

EC-Council


US Laws for Tradem arks and Copyright (cont’d) Doctrine of “Fair Use”

Section 10 7 of the Copyright Law m entions the doctrine of “ fair use”

The doctrine is a result of a num ber of court decisions over the years

Reproduction of a particular work for criticism , news reporting, com m ent, teaching, scholarship, and research is considered as fair according to Section 10 7 of the Copyright Law

EC-Council


US Laws for Tradem arks and Copyright (cont’d) Online Copyright Infringem ent Liability Lim itation Act: • Sec. 512. Lim itations on liability relating to m ate rial on-line • Lim itation- Notwithstanding the provisions of sectio n 10 6, a provider shall not be liable for: • Direct infringem ent • m onetary relief under section 50 4 or 50 5 for contributory infringem ent or vicarious liability based solely on conduct • m onetary relief under section 50 4 or 50 5 for contributory infringem ent or vicarious liability, based solely on providing access to m aterial over that provider's system or network

• Protection of privacy • Lim itation based upon rem oving or disabling accessto infringin g m aterial

EC-Council


Australia Laws For Tradem arks and Copyright The Trade Marks Act 1995 • This Act grants protection to a letter, word, phrase, sound, sm ell, shape, logo, picture, aspect of packaging or com bination of these, used by traders on their goods and services to indicate their origin

The Patents Act 1990 • This Act grants m onopoly rights to inventors of new inventions such as im proved products or devices and substances

The Copyright Act 1968 • This Act relates to copyright and the protection of certain perform ances and for other purposes

EC-Council


UK Laws for Tradem arks and Copyright The Copyright, Etc. And Trade Marks (Offences And Enforcem ent) Act 20 0 2 • This Act am ends the crim inal provisions in intellectual property law, law relating to copyright, rights in perform ances, fraudulent reception of conditional access transm issions by use of unauthorized decoders and trade m arks

Tradem arks Act 1994 (TMA) • This Act provides the honest use of ones own nam eor address is a defense

EC-Council


China Laws for Tradem arks and Copyright Copyright Law of People’s Republic of China (Am endm ents on October 27, 20 0 1) • Article 1: The purpose of protecting the copyrightof authors in their literary, artistic and scientific works and the copyright-related rights and interests • Article 2: Works of Chinese citizens, legal entities or other organizations, whether published or not, shall enjoy copyright in accordance with this Law

Tradem ark Law of the People's Republic of China (Am endm ents on October 27, 20 0 1) • This Law is enacted for the purposes of im provingthe adm inistration of tradem arks, protecting the exclusive right to use tradem arks, and of encouraging producers and operators to guarantee the quality of their goods and services and m aintaining the reputation of their tradem arks, with a view to protecting the interests of consum ers, producers and operators and to prom oting the developm ent of the socialist m arket econom y

EC-Council


Indian Laws for Tradem arks and Copyright The Patents (Am endm ent) Act, 1999 • This Act provides establishm ent of a m ail box syste m to file patents

Trade Marks Act, 1999 • This Act provides registration of tradem arks relating to goods and services

The Copyright Act, 1957 • This Act prescribes m andatory punishm ent for piracy of copyrighted m atter appropriate with the gravity of the offense with an effect to deter infringem ent

EC-Council


J apanese Laws for Tradem arks and Copyright The Tradem ark Law (Law No. 127 of 1957): • This Law applies only to registered tradem arks

The Tradem ark Law (N.S. 187 of 1999): • According to this law, tradem arks are distinguishable and are not indispensable to secure the function of the goods or their packaging

Copyright Managem ent Business Law (4.2.2.3 of 20 0 0 ): • This law facilitates the establishm ent of new copyright m anagem ent businesses, in order to "respond to the developm ent of digital technologies and com m unication networks"

EC-Council


Canada Laws for Tradem arks and Copyright Copyright Act ( R.S., 1985, c. C-42 ) • This Act grants protection to a architectural work, artistic work, Berne convention country, com m ission, book, broadcaster, choreographic work, cinem atographic work, collective society, work or com bination of these, used by traders on their goods and services to indicate their origin

Tradem ark Law • It states that if a m ark is used by a person as atrade-m ark for any of the purposes or in any of the m anners, it shall n ot be held invalid m erely on the ground that the person or a predecessor in title uses it or has used it for any other of those purposes or in any other of those m ann ers

EC-Council


South African Laws for Tradem arks and Copyright Tradem arks Act 194 of 1993 • It is the act to provide the registration of tradem arks, certification trade m arks and collective trade m arks and to provide for incidental m atters

Copyright Act of 1978 • It is the act to regulate copyright and to providefor m atters in cidental thereto

Patents Act No. 57 of 1978 • To provide for the registration and granting of letters patent for inventions and for m atters connected therewith

EC-Council


South Korean Laws for Tradem arks and Copyright Copyright law Act No. 3916 • The purpose of this Act is to protect the rights of authors an d the rights neighboring on them and to prom ote fair use of works in order to contribute to the im provem ent and developm ent of culture

Industrial Design Protection Act • The purpose of this act is to encourage the creatio n of designs by ensuring their protection and utilization so as to contribute to the developm ent of industry

EC-Council


Belgium Laws for Tradem arks and Copyright Copyright Law, 30 / 0 6/ 1994 • The purpose of the act is to protect the literaryor artistic work from unauthorized usage • The author of a work alone shall have the right toreproduce his work or to have it reproduced in any m anner or form whatsoever

Tradem ark Law, 30 / 0 6/ 1969 • It is the law approving the Benelux Convention Concerning Tradem arks and Annex, signed in Brussels on March 19, 1962 • The high contracting parties shall incorporate into their dom estic legislation, in one or both of the original texts, the Benelux Uniform Law on Trade Marks annexed to this Convention and shall establish an adm inistration com m on to their countries under the nam e "Benelux Trade Marks Bureau"

EC-Council


Hong Kong Laws for Intellectual Property Hong Kong’s IP laws are based on constitutional or Basic Law provisions

Article 139 of the Basic Law • Governm ent shall form ulate policies on science an dtechnology an d protect achievem ents in scientific research

Article 140 of the basic law • It protects the rights of authors in their literary and artistic creations

EC-Council


Sum m ary A security policy is a docum ent that states in writing how a com pany plans to protect its physical and inform ation technology assets Security policy ensures custom er’s integrity and prevents unauthorized m odifications of the data Federal law requires Federal agencies to report incidents to the Federal Com puter Incident Response Center Organizations should not contact m ultiple agencies because it m ight result in jurisdictional conflicts Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets An acceptable use policy is a set of rules applied by organization, network, or Internet to restrict their usage Evidence should be collected according to procedures that m eet all applicable laws and regulations, in order to be adm issible in court Chain of custody is a docum entation showing the seizure, custody, control, transfer, analysis, and disposition of evidence

EC-Council


EC-Council


EC-Council


ECIH Compile

Recommend Documents