Sample EC-Council Certified Incident Handler Version 1
Module III
Incident Response and Handling Steps
News: A Delicate Balance is Required to Achieve Information Security
April 22, 2009
David Chadwick, Professor of Information Systems Security at the University of Kent, calls for better incident handling and procedures to protect sensitive data
It did not start with the loss of the personal details of 25 million people in receipt of Child Benefit in November 2007.[1] Neither did it end in January 2009 with the British Council losing a computer disk containing the names, national insurance numbers, salary and bank account details of its 2,000 UK staff.[2] Data loss has been happening ever since computers were first invented, and it will continue to happen as long as we have them, regardless of any legislation that Jack Straw might wish to impose, even legislation that recommends jail sentences for employees of organisations where data breaches occur. After all, crimes that incur the harshest of penalties still occur daily. Furthermore, data loss will continue to happen even if encryption is ubiquitously implemented. Why? Because data security depends more on people and processes than on raw encryption technologies. This is eloquently illustrated in the data loss last August when the personal details of the 84,000 prisoners in England and Wales went missing. This data was held encrypted on the government computer system but was downloaded unencrypted onto a memory stick by an external contractor who then misplaced the stick.
Source: http://www.publicservice.co.uk/
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
This module will familiarize you with:
• Handling Incidents
• Need for Incident Response
• Goals of Incident Response
• Incident Response Plan
• Incident Response and Handling Steps
• Training and Awareness
• Incident Management
• Incident Response Team
• Incident Response Best Practices
• Incident Response Plan Checklist
Module Flow
Handling Incidents
Need for Incident Response
Incident Response Plan
Goals of Incident Response
Incident Response and Handling Steps
Training and Awareness
Incident Response Team
Incident Management
Incident Response Best Practices
Incident Response Plan Checklist
How to Identify an Incident
• Suspicious entries in network logs
• Accounting gaps of several minutes with no accounting log
• Other events such as unsuccessful login attempts, attempts to write, alter, or delete system files, system failure, or performance degradation
• Unusual usage patterns, such as programs being compiled in the account of users who are non-programmers
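The four indicator types on this slide can be checked mechanically against audit logs. The following is an added example, not part of the module: it runs over a constructed syslog-style sample (the "<timestamp> <host> <process>: <message>" layout, the audit record fields, the account names, and the 5-attempt / 5-minute thresholds are all assumptions for the example).

```python
"""Detection logic for the indicators listed under "How to Identify an Incident".

Added example, not part of the original module.  The log format
"<ISO timestamp> <host> <process>: <message>", the regexes, and the sample
log lines are constructed for illustration; the thresholds are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
# Constructed audit-style records: "user=<name> op=<write|chmod|unlink> path=<file>"
SYSFILE_RE = re.compile(r"user=(\S+) op=(write|chmod|unlink) path=((?:/etc|/bin|/sbin)/\S+)")
COMPILE_RE = re.compile(r"user=(\S+) exec=(gcc|cc|g\+\+|make)\b")

# Constructed sample log (documentation IP ranges, fictitious accounts).
SAMPLE_LOG = """\
2009-04-22T09:00:05 host1 sshd: Failed password for invalid user admin from 203.0.113.9 port 51211
2009-04-22T09:00:09 host1 sshd: Failed password for invalid user admin from 203.0.113.9 port 51212
2009-04-22T09:00:14 host1 sshd: Failed password for invalid user admin from 203.0.113.9 port 51213
2009-04-22T09:00:20 host1 sshd: Failed password for invalid user admin from 203.0.113.9 port 51214
2009-04-22T09:00:27 host1 sshd: Failed password for invalid user admin from 203.0.113.9 port 51215
2009-04-22T09:00:33 host1 sshd: Accepted password for admin from 203.0.113.9 port 51216
2009-04-22T09:01:10 host1 cron: (root) CMD (run-parts /etc/cron.hourly)
2009-04-22T09:01:45 host1 audit: user=admin op=write path=/etc/passwd
2009-04-22T09:02:00 host1 sshd: Failed password for bob from 198.51.100.7 port 40022
2009-04-22T09:09:30 host1 cron: (root) CMD (run-parts /etc/cron.hourly)
2009-04-22T09:10:02 host1 audit: user=jsmith exec=gcc args=-o /tmp/x /tmp/x.c
2009-04-22T09:10:40 host1 sshd: Accepted publickey for alice from 192.0.2.44 port 50100
"""

def parse(log_text):
    """Parse lines into (timestamp, host, process, message), oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events

def find_indicators(log_text, nonprogrammers, failed_threshold=5, gap_minutes=5):
    """Return a list of (indicator, detail) pairs for the slide's indicator types."""
    events = parse(log_text)
    findings = []

    # Unsuccessful login attempts: count per (account, source) and flag bursts.
    failures = Counter()
    for _, _, _, msg in events:
        m = FAILED_LOGIN_RE.search(msg)
        if m:
            failures[(m.group(1), m.group(2))] += 1
    for (user, src), n in sorted(failures.items()):
        if n >= failed_threshold:
            findings.append(("failed_logins", f"{n} failed logins for {user} from {src}"))

    # Accounting gaps: a normally continuous log falls silent for several minutes.
    gap = timedelta(minutes=gap_minutes)
    for (t1, *_), (t2, *_) in zip(events, events[1:]):
        if t2 - t1 >= gap:
            findings.append(("accounting_gap", f"no entries from {t1.isoformat()} to {t2.isoformat()}"))

    for _, host, _, msg in events:
        # Attempts to write, alter, or delete system files.
        m = SYSFILE_RE.search(msg)
        if m:
            findings.append(("system_file", f"{m.group(1)} {m.group(2)} {m.group(3)} on {host}"))
        # Programs compiled in the account of a non-programmer.
        m = COMPILE_RE.search(msg)
        if m and m.group(1) in nonprogrammers:
            findings.append(("nonprogrammer_compile", f"{m.group(1)} ran {m.group(2)} on {host}"))
    return findings

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_LOG, nonprogrammers={"jsmith"}):
        print(f"{kind:22} {detail}")
```

Each finding is only a candidate incident; Step 3 below still requires confirming it is not a false positive before escalation.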
Handling Incidents
Incident handling involves:
• Incident reporting
• Incident analysis
• Incident response
Incident handling allows incident reports to be gathered in one location so that exact trends and patterns can be recognized and recommended strategies can be employed
It helps the corresponding staff to understand the process of responding and to tackle unexpected threats and security breaches
Need for Incident Response
The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident
Incident response is required to identify the attacks that have compromised personal and business information or data
Incident response is required to:
• Protect systems
• Protect personnel
• Efficiently use the resources
• Deal with legal issues
Goals of Incident Response
• Examining the incident
• Minimizing the impact of incident
• Preventing future attacks or incidents
• Enhancing security of the computer system
• Securing privacy rights established by law and policy
• Providing accurate reports and useful recommendations
• Assisting the law enforcement in prosecuting digital criminals
• Protecting the organization's reputation and assets
Incident Response Plan
Incident response plan consists of a set of instructions to detect and respond to an incident
It defines the areas of responsibility and creates procedures for handling various computer security incidents
The incident response plan covers:
• How information is passed to the appropriate personnel
• Assessment of the incident
• Minimizing damage and response strategy
• Documentation of the incident
• Preservation of the evidence
Purpose of Incident Response Plan
The incident response plan gathers required resources in an organized manner to address incidents related to the security of a computer system
It protects the organization's resources against an attack
It protects the sensitive data on the systems
It supports legal investigations
Requirements of Incident Response Plan
The requirements of incident response planning are:
• Expert teams (Computer Emergency Response Team (CERT))
• Legal review and approved strategy
• Company's financial support
• Executive/upper management support
• A feasible and tested action plan
• Physical resources, such as redundant storage, standby systems, and backup services
Preparation
Preparation is the most important aspect that allows you to respond to an incident before it happens
The success of an incident response process depends on the pre-incident preparation
It includes:
• Examining security measures for networks and systems
• Intrusion Detection System (IDS)
• Creating access control
• Vulnerability assessments
• Performing regular backups
• Baseline protection by updating patches and antivirus
• Communication plan
• Audit trail
Preparation (cont'd)
It consists of security measures that an incident response team should begin to implement in order to ensure protection of the organization's assets and information
Preparing incident response team includes:
• The requirement of hardware and software components to investigate the computer security incidents
• The requirement of documents such as forms and reports to investigate the incident
• Policies and operating procedures for backup and recovery
• Training the staff and users on how to respond to incidents
Incident Response and Handling Steps
• Identification
• Incident Recording
• Initial Response
• Formulating a Response Strategy
• Containment
• Communicating the Incident
• Incident Classification
• Incident Investigation
• Data Collection
• Notifying External Agencies
• Evidence Protection
• Forensic Analysis
• Eradication
• Systems Recovery
• Incident Documentation
• Review and Update the Response Policies
• Incident Damage and Cost Assessment
Step 1: Identification
Identification stage involves validating, identifying, and reporting the incident
This phase is necessary for categorizing and responding to incidents
Identify the incidents with the help of software packages such as antivirus software and intrusion detection tools
System and network audit logs may also provide sufficient information to decide whether unauthorized activity has occurred or not
Identification (cont'd)
The actions taken in identification phase include:
• Audit log collection, examination, and analysis
• Incident reporting and assessment
• Collect and protect system information
• Assign event identity and severity level
• Other systems analysis
• Assign incident task force members
Step 2: Incident Recording
Incident recording is a process of accurately storing the details of occurrence of an incident
The information gathered should include:
• The date and time the incident happened
• The date and time at which the incident was detected
• Who has reported the incident
• Details of the incident include:
  • Description of the incident
  • Systems involved
  • Backup information such as error messages, log files, etc.
Step 3: Initial Response
The first step in investigation process is to gather sufficient information required to determine a proper incident response
It involves:
• Initial investigation
• Details of the incident
• Creating incident response team
• Notifying individuals about the incident
The purpose of the initial response phase is to document steps to be followed in responding to an incident
Step 3: Initial Response (cont’d)
During initial response, you should:
• Check whether you are dealing with an actual incident or a false positive
• Gather enough information on the type and severity of attack or incident
• Record your actions and document the incident
Step 4: Communicating the Incident
Communicate with the incident response team whenever you suspect the occurrence of any security breach
In order to handle the incident, the incident team lead will discuss the breach with their core team and other members of the organization
While reducing the impact of the incident, maintain appropriate controls and coordination of the incident
Discuss the incident with legal representative to file a lawsuit against the perpetrators
Step 5: Containment
Containment focuses on limiting the scope and extent of an incident
Avoid conventional methods to trace back; this may alert the attackers
The common techniques in containment stage are:
• Disabling of specific system services
• Changing of passwords and disabling accounts
• Complete backups of the infected system
• Temporary shutdown of the infected system
• Restoration of the infected system
Containment (cont'd)
Reduce the potential effect or damage of the incident by quickly responding to it
The response generally depends on the organization and nature of the incident occurred
The points to consider while minimizing the risk are:
• Providing security and safety to human life
• Protecting confidential and sensitive data
• Safeguarding business, scientific, and managerial information
• Protecting hardware and software against future attacks
• Limiting the damage of the computer's resources
Step 6: Formulating a Response Strategy
The response strategy generally depends on the incident situation
Response strategies consider the following:
• Are the systems seriously affected due to the incident?
• How sensitive is the compromised or stolen information?
• Who are the attackers?
• Is the public aware of the incident?
• What is the unauthorized access level gained by attackers?
• What are the attacker skills?
• What is the total downtime of the system and the user?
• What is the total cost of the loss?
Step 7: Incident Classification
Classification of incidents is defined based on their severity and potential targets
Classify the incidents based on a number of factors such as:
• Nature of the incident
• Criticality of the systems being impacted
• Number of systems impacted by the incident
• Legal and regulatory requirements
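The Step 2 record fields and the four Step 7 classification factors fit together as one data structure. The following is an added example, not part of the module: the record fields and factor names come from the two slides, while the weights, thresholds, severity level names, hostnames, and the sample incident are assumptions constructed for the example.

```python
"""Incident record (Step 2) and severity classification (Step 7).

Added example, not part of the original module.  The record fields follow the
Step 2 slide and the classification factors follow the Step 7 slide; the
weights, thresholds, and level names in classify() are assumptions, since the
module names the factors but gives no scoring scheme.  Hostnames and the
incident below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

@dataclass
class IncidentRecord:
    incident_id: str                     # event identity assigned in Step 1
    occurred_at: datetime                # date and time the incident happened
    detected_at: datetime                # date and time it was detected
    reported_by: str                     # who reported the incident
    description: str
    systems_involved: List[str]
    supporting_info: List[str] = field(default_factory=list)  # error messages, log files
    nature: str = "unknown"              # e.g. unauthorized_access, malware, data_loss, dos
    regulated_data: bool = False         # legal or regulatory requirements apply

    def validate(self) -> List[str]:
        """Return the Step 2 fields that are missing or inconsistent."""
        problems = []
        for name in ("incident_id", "reported_by", "description"):
            if not getattr(self, name).strip():
                problems.append(f"{name} is empty")
        if not self.systems_involved:
            problems.append("systems_involved is empty")
        if self.detected_at < self.occurred_at:
            problems.append("detected_at is earlier than occurred_at")
        return problems

# Assumed weight of each incident nature (illustrative, not from the module).
NATURE_WEIGHT = {"unauthorized_access": 3, "data_loss": 3, "malware": 2, "dos": 2, "unknown": 1}

def classify(record: IncidentRecord, criticality: Dict[str, int]) -> Tuple[int, str]:
    """Score the four Step 7 factors and map the total to a severity level.

    criticality maps hostname -> 1 (low) .. 3 (critical); unknown hosts count as 1.
    """
    nature_score = NATURE_WEIGHT.get(record.nature, 1)
    crit_score = max((criticality.get(h, 1) for h in record.systems_involved), default=1)
    n = len(record.systems_involved)
    spread_score = 1 if n <= 1 else 2 if n <= 5 else 3
    legal_score = 3 if record.regulated_data else 0
    score = nature_score + crit_score + spread_score + legal_score
    if score >= 10:
        level = "Critical"
    elif score >= 7:
        level = "High"
    elif score >= 4:
        level = "Medium"
    else:
        level = "Low"
    return score, level

# Constructed record: an account takeover followed by a write to /etc/passwd.
SAMPLE = IncidentRecord(
    incident_id="INC-2009-0001",
    occurred_at=datetime(2009, 4, 22, 9, 0, 33),
    detected_at=datetime(2009, 4, 22, 9, 45, 0),
    reported_by="SOC analyst on shift",
    description="Brute-forced admin login on host1, then a write to /etc/passwd; "
                "the same credentials are used on db01.",
    systems_involved=["host1", "db01"],
    supporting_info=["host1 /var/log/auth.log", "host1 audit record 09:01:45"],
    nature="unauthorized_access",
    regulated_data=True,             # db01 holds personal data
)
# Assumed criticality ratings for the constructed hosts.
CRITICALITY = {"host1": 2, "db01": 3}

if __name__ == "__main__":
    print(SAMPLE.validate())         # [] when the record is complete
    print(classify(SAMPLE, CRITICALITY))
```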
Step 8: Incident Investigation
Investigation is a process of gathering evidence related to an incident from systems and networks
Examine the investigation process to identify:
• The incident
• Time of the incident
• Perpetrator of the incident
• Mitigation steps to prevent future occurrence
Step 9: Data Collection
Data collection is defined as gathering of the facts and evidence that are required for forensic analysis
Data collection involves several unique forensic challenges, such as:
• Gathering data that exceeds the computer storage capacity
• Proper collection of data to ensure integrity
Data Collection (cont’d)
Evidence Classification:
• Host-based evidence
• Network-based evidence
• Other evidence
Data Collection (cont’d)
Host-based evidence:
• Host-based evidence consists of logs, records, documents, and any other information available on the system
Network-based evidence:
• Network-based evidence consists of information gathered from IDS logs, pen-register/trap and traces, router logs, firewall logs, and authentication servers
Other evidence:
• Other evidence consists of information and evidence gathered from the people
Step 10: Forensic Analysis
Data such as log files, system files, graphic files, web history files, emails, installed applications etc. are gathered for analysis
Forensic analysis should attempt to determine:
• The victims and attackers of the incident
• Nature of the incident
• Time and location of the incident
• What triggered the incident
Step 11: Evidence Protection
Protect the evidence to take legal actions against the attackers
Take complete backup of the affected systems with the help of new or never-before-used media devices
Store and protect the backup in either CD-R or DVD-R to prosecute the offender(s)
The stored backup can be used to recover the data from the affected systems
Backups should be stored in a physically secure location
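A backup only protects evidence if it can later be shown to be unchanged and readable, which is also the backup integrity check under Step 14 (Systems Recovery). The following is an added example, not the module's own procedure: it hashes every file in an evidence set, writes a manifest with a custody note, and re-verifies the set later; the directory layout, the MANIFEST.json name, the custody fields, and the files in demo() are assumptions constructed for the example.

```python
"""Evidence integrity manifest for Step 11 (Evidence Protection), also covering
the backup readability check in Step 14 (Systems Recovery).

Added example, not part of the original module.  It hashes every file in an
evidence/backup directory, writes a manifest with a custody note, and later
re-reads each file to confirm it is unchanged, still present, and readable.
The directory layout, the MANIFEST.json name, and the custody fields are
assumptions for the example; the files in demo() are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"

def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks; reading it end to end also proves it is readable."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def evidence_files(root: Path):
    """All regular files under root except the manifest itself, in stable order."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)

def make_manifest(root, collected_by: str) -> dict:
    """Hash every evidence file and record who collected it and when."""
    root = Path(root)
    manifest = {
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": {p.relative_to(root).as_posix(): sha256_file(p) for p in evidence_files(root)},
    }
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest

def verify_manifest(root) -> list:
    """Re-hash the evidence set; return (problem, relative_path) pairs, empty if intact."""
    root = Path(root)
    manifest = json.loads((root / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems.append(("missing", rel))
            continue
        try:
            actual = sha256_file(p)
        except OSError:
            problems.append(("unreadable", rel))
            continue
        if actual != expected:
            problems.append(("modified", rel))
    # Files present now but absent from the manifest were added after collection.
    for p in evidence_files(root):
        rel = p.relative_to(root).as_posix()
        if rel not in manifest["files"]:
            problems.append(("unexpected", rel))
    return problems

def demo():
    """Build a constructed evidence set, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "logs").mkdir()
        (root / "logs" / "auth.log").write_text("constructed sample log line\n")
        (root / "disk.img").write_bytes(b"\x00" * 4096)       # stand-in for an image
        make_manifest(root, collected_by="handler-01")
        clean = verify_manifest(root)
        (root / "logs" / "auth.log").write_text("altered\n")  # tampered
        (root / "disk.img").unlink()                          # lost
        (root / "notes.txt").write_text("added later\n")      # not part of the set
        tampered = verify_manifest(root)
        return clean, tampered

if __name__ == "__main__":
    print(demo())
```

Keep a copy of the manifest on separate write-once media, as the slide prescribes for the backup itself, so that the hashes cannot be rewritten along with the files.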
Step 12: Notify External Agencies
Once sufficient evidence is gathered, external agencies should be notified to file a case and prosecute the perpetrator
The external agencies include local and national law enforcement, external security agencies, and security experts
Step 13: Eradication
The eradication stage removes or eliminates the root cause of the incident
Vulnerability analysis is performed in this stage
It lists countermeasures to thwart further damage, thereby securing the organization's assets
Eradication (cont’d)
The possible countermeasures include:
• Using antivirus software
• Installing latest patches
• Policy compliance checks
• Independent security audits
• Disabling unnecessary services
• Updating security policies and procedures
• Changing passwords of compromised systems
• Eliminating intruder's access and identification of possible changes completely
• Reinstalling compromised systems
• Rebuilding systems
Step 14: Systems Recovery
Recovering a system from an incident generally depends on the extent of the security breach
In recovery step, an affected system is restored to its normal operations
The computer systems and networks are monitored and validated
Recovery stage determines the course of actions for an incident
Run vulnerability assessment and penetration testing tools to identify the possible vulnerabilities present in the system or network
Systems Recovery (cont'd)
Determine integrity of the backup file by making an attempt to read its data
Verify success of operation and normal condition of the system
Monitor the system by network loggers, system log files, and potential back doors
The actions to be performed in recovery stage are:
• Rebuilding the system by installing new OS
• Restoring user data from trusted backups
• Examining the protection and detection methods
• Examining security patches and system logging information
Step 15: Incident Documentation
The incident response team should document various processes while handling and responding to an incident
Document the steps and conclusion statements immediately after completion of the forensic process
The document should be properly organized, examined, reviewed, and vetted by the management and legal representative
The documentation should provide:
• Description of the security breach
• Details of actions taken, such as:
  • Who has handled the incident
  • When the incident was handled
  • Reasons behind the occurrence of an incident
Incident Documentation (cont'd)
The best way to prosecute the offender(s) is through proper documentation
The document prepared should be:
Concise and Clear:
• Prepare the reports in such a way that it is clearly understood by everyone
Standard Format:
• Maintain a standard format that makes report writing scalable, saves time, and enhances accuracy
Editors:
• Ensure that the forensic reports are edited properly
Step 16: Incident Damage and Cost Assessment
The two important pieces of evidence required for legal prosecution are incident damage and cost
Costs include:
• Costs due to loss of confidential information
• Legal costs
• Labor costs
• System downtime cost
• Installation cost
Step 17: Review and Update the Response Policies
Review the process after completion of both documentation and recovery steps
Discuss with your team members about the steps that are successfully implemented and the mistakes committed
Reviewing the response and updating policies will reduce the impact of incident and help you to handle future incidents
Training and Awareness
Training and awareness provides skills required to implement incident handling policies
Practical training removes developmental errors, improves procedures, and reduces the occurrence of miscommunication
Well-trained members can prevent an incident or limit the resulting damage
Security awareness and training should include:
• Design and planning of the awareness and training program
• Development of the awareness and training materials
• Implementation of the awareness and training programs
• Measuring the effectiveness of the program and updating it
Training and Awareness (cont'd)
Training should be conducted at specified intervals, and it should include:
• Incident handling location
• Pre-assignment plans to handle the emergency situation by all employees
• Recognition and operation of utility shut-off devices
The awareness campaign should be designed for several purposes such as:
• Knowledge and participation
• Concerning plan's strategies
• Contingency arrangements
Security Awareness and Training Checklist
Checklist for security awareness and training:
• Is the type and frequency of training noted?
• Are training classes for security personnel described?
• Are training classes for basic end-users described?
• Are instructors for the training classes noted?
• Is it noted that security training is tracked and logged?
• Is it noted that all courses are evaluated by the users?
• Are roles and responsibilities for security awareness noted?
• Are roles and responsibilities for security training noted?
• Does the plan indicate that a record of user training participation is kept?
• Does the plan indicate that users are assessed for their security knowledge after they undergo training?
Incident Management
Incident management helps in not only responding to incidents but also helps in preventing future incidents by minimizing the potential damage caused by risks and threats
It consists of action plan development, consistent processes that are repeatable, measurable, and understood within the organization
Who performs Incident Management?
• Human resource personnel experienced in Incident Handling
• Legal counsel
• The Security Manager
• An outsourced service provider
Incident Management (cont'd)
The objective of the incident management is to quickly restore the services of the computer system into normal operations after an incident with little or no impact on the business
It provides end-to-end management support on how to handle security incidents or events
Incident management involves:
• Security policies and procedures for defining a process
• Assigning roles and responsibilities to incident response team
• Equipment, tools, and supporting material
• Identifying and training qualified staff on handling security incidents
Purpose of Incident Management
The incident management is required to:
• Prevent incidents and attacks by tightening the physical security of the system or infrastructure
• Create awareness by conducting training programs for employees and users on security issues and response plans
• Monitor and test the organization's infrastructure to identify the weakness and vulnerabilities
• Share the information about the incident with other teams
Incident Management Process
Prepare:
• Plan and implement an initial incident management
• Follow lessons learned and evaluate the assessment activities to enhance the security of the systems
Protect:
• Implement security measures to protect the computer system from incidents
• Implement infrastructure protection improvements resulting from postmortem reviews or other process improvement mechanisms
Detect:
• Notice events and report those events
• Receive the reports of events
Triage:
• Categorize, prioritize, and correlate events
• Assign events for handling or response
Respond:
• Analyze the event
• Plan a response strategy
Incident Management Process
Figure: Five High-Level Incident Management Processes
Source: http://www.cert.org/
Incident Managem ent Team
The incident management team provides support to all computer systems that are affected by threats or attacks
The incident management team consists of:
• Executive management
• Staff support department representatives
• Department heads whose departments have been directly affected by the incident
Incident Managem ent Team (cont’d)
The incident management team is responsible for:
• Managing internal and external communications
• Directing response and recovery activities
• Monitoring the recovery progress
• Providing or reallocating recovery resources
Incident Response Team
Incident response team is a group of security professionals within an organization who are trained and asked to respond to a security incident
The response team should contain authorized security personnel to take necessary actions against the security incidents
The incident response team should:
• Develop or review the processes and procedures that must be followed in response to an incident
• Manage the response to an incident and ensure that all procedures are followed correctly
• Review changes in legal and regulatory requirements to ensure that all processes and procedures are valid
• Review and recommend technologies to manage and counteract incidents
• Establish relationship with local law enforcement agency, government agencies, key partners, and suppliers
Incident Response Team (cont'd)
An incident response team takes responsibility for dealing with potential or real-time information security incidents
The team should be made of a number of people with knowledge and skills in different areas
The representatives of incident response team are:
• IT Security
• IT Operations
• Physical Security
• Human Resources
• Legal Department
• Public Relations
• External Expertise
Incident Response Team Members
• Information Security Officer (ISO)
• Information Technology Officer (ITOC)
• Information Privacy Officer (IPO)
• Network Administrator
• System Administrator
• Business Applications and Online Sales Officer
• Internal Auditor
Incident Response Team Members Roles and Responsibilities
Information Security Officer (ISO):
• Provides incident handling training to members
• Prepares summary on corrective actions taken to handle the incident
Information Technology Officer:
• Point of contact for various security incidents
• Informs the ISO to provide incident response team
Information Privacy Officer:
• Organizes security activities with ISO
• Develops communication with organizations that are affected by security incidents
Network Administrator:
• Analyzes network traffic for signs of incidents
• Performs corrective actions against the suspected intruder by blocking the network
Incident Response Team Mem bers Roles and Responsibilities (cont’d)
System Administrator:
• Updates service packages and patches
• Examines system logs to identify the malicious activities
Business Applications and Online Sales Officer:
• Reviews business applications and services for signs of incident
• Checks the audit logs of critical servers that are vulnerable to attacks
Internal Auditor:
• Checks whether the information systems are in compliance with security policies and controls
• Identifies and reports any security loopholes to the management
Developing Skills in Incident Response Personnel
Appropriate books, magazines, and other technical references should be available that help in improving the technical knowledge of the subject
Prepare a training budget to maintain, enhance, and increase the proficiency in technical areas and security disciplines, including the legal aspects of the incident response by the legal experts
Give opportunities to the team members to perform other tasks associated with incident response
Consider the process of rotating staff members in and out of the incident response team
Developing Skills in Incident Response Personnel (cont'd)
Maintain sufficient staff in the organization so that the team members can have uninterrupted time of work
Develop a mentoring program for senior technical staff to help less experienced staff to know about incident handling process
Hire external subject matter experts for training
Develop various scenarios on incident handling and conduct group discussions on how they would handle them
Conduct incident handling mock drills for the teams
Incident Response Team Structure
Incident response team should handle the incident whenever an incident is identified by any person in the organization
The incident response team should:
• Analyze the incident data
• Examine the impact of the incident
• Minimize the damage and restore the system to the normal operations
The incident response team includes:
• Central incident response team
• Distributed incident response teams
• Coordinating team
Incident Response Team Structure (cont'd)
Staffing Models:
• Employees
• Partially Outsourced
• Fully Outsourced
Team model selection:
• 24/7 Availability
• Employee Morale
• Cost
• Staff Expertise
• Organizational Structure
Incident Response Team Dependencies
• Management
• Information Security
• Telecommunications
• IT Support
• Legal Department
• Public Affairs and Media Relations
• Human Resources
• Business Continuity Planning
• Physical Security and Facilities Management
Incident Response Team Services
• Advisory Distribution
• Vulnerability Assessment
• Intrusion Detection
• Education and Awareness
• Technology Watch
• Patch Management
Defining the Relationship between Incident Response, Incident Handling, and Incident Managem ent
Source: http://www.cert.org/
Incident Response Best Practices
Stay calm
Assess the situation
Identify the people to handle the incident
Form a plan for resolution
• Identify the problem
• Do not cause any damage
• Resolve the problem
Document everything
Analyze the evidence to confirm that an incident has occurred
Incident Response Best Practices (cont'd)
Notify the appropriate people
Stop the incident if it is still in progress
Identify the single most important and immediate problem
Preserve evidence from the incident
Wipe out all effects of the incident
Identify and mitigate all vulnerabilities that were exploited
Prevent reoccurrence of the incident
Review the causes and resolution
Confirm that operations have been restored to normal
Create a final report
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Incident Response Policy
Implement an incident response policy supported by management
Decide on an organizational approach
Determine the outside notification procedures
Identify remote connections and include remotely operating employees or contractors
Identify the members of the incident team and describe their roles, responsibilities, and functions
Prepare a communication plan to contact the key personnel
Define and follow a method for reporting and archiving the incidents
Incident Response Plan Checklist
Does your plan accurately describe the systems it applies to?
Does your plan include a contact list of key personnel?
Does your plan include information on roles and responsibilities?
Does your plan include a diagram of the escalation framework?
Does your plan include how to contact the agency CSIRC?
Does your plan list the members of the CSIRT team?
Does your plan list the members of the CSIRC team?
Does your plan include a description of incident types?
Does your plan include guidance on severity levels?
Does your plan include information on agency security policies?
Does your plan include incident handling guidelines?
Incident Handling System: RTIR
http://bestpractical.com/rtir/
Request Tracker for Incident Response (RTIR) is an open source incident handling system
It helps in handling incident reports
It allows you to tie multiple incident reports to specific incidents
It makes it easy to launch investigations and to work with law enforcement, network providers, and other partners to get to the bottom of each incident
Features:
• Incident response workflow
• Easy and clickable metadata lookups
• Scripted action
Screenshot: RTIR
RPIER 1st Responder Framework
http://www.ohloh.net/p/rpier-infosec
Regimented Potential Incident Examination Report (RPIER) is a security tool built to facilitate 1st response procedures for incident handling
It is designed to acquire commonly requested information for incident handling
Features:
• Fully configurable GUI
• Auto-update functionality with SHA1 verification
• Results are auto-zipped
• Results are auto-uploaded to a central secured repository
• Email notification
• Pre/post run integrity check
• Command line configuration/execution
RPIER 1st Responder Framework: Screenshot
Summary
The purpose of incident response is to help personnel recover quickly and efficiently from a security incident
An incident response plan consists of a set of instructions to detect and respond to an incident
The incident response plan gathers the required resources in an organized manner to address incidents related to the security of a computer system
Preparation, done before an incident occurs, is the most important aspect of being able to respond to it
Training and awareness provide the skills required to implement incident handling policies
Incident management not only responds to an incident but also prevents the occurrence of future incidents by minimizing the potential damage caused by risks and threats
EC-Council Certified Incident Handler Version 1
Module IV
CSIRT
News: Council of Europe and OAS Step up Efforts to Counter Terrorism and Strengthen Cyber Security
Source: http://www.egovmonitor.com
Module Objective
This module will familiarize you with:
• CSIRT
• CSIRT Goals and Strategy
• CSIRT Vision
• CSIRT Mission Statement
• CSIRT Constituency
• Types of CSIRT Environments
• Best Practices for Creating a CSIRT
• Roles of CSIRTs
• CSIRT Services
• CSIRT Policies and Procedures
• CSIRT Incident Report Form
• CERT
• CERT(R) Coordination Center: Incident Reporting Form
• World CERTs
Module Flow
CSIRT
CSIRT Goals and Strategy
CSIRT Vision
Types of CSIRT Environments
CSIRT Constituency
CSIRT Mission Statement
Best Practices for Creating a CSIRT
Roles of CSIRTs
CSIRT Services
CERT
CSIRT Incident Report Form
CSIRT Policies and Procedures
CERT(R) Coordination Center: Incident Reporting Form
World CERTs
Introduction to CSIRT
What is CSIRT
CSIRT stands for Computer Security Incident Response Team
It is a service organization that provides 24x7 computer security incident response services to any user, company, government agency, or organization
It provides a reliable and trusted single point of contact for reporting computer security incidents worldwide
It provides the means for reporting incidents and disseminating important incident-related information
What is the Need for an Incident Response Team (IRT)
An incident response team helps organizations recover from computer security breaches and threats
This team is dedicated to understanding the incident response process and taking the necessary actions when needed
It is a formalized team with its major job function being ‘performing incident response’
The team consists of experts trained to respond to and handle incidents
CSIRT Goals and Strategy
Goals of CSIRT:
• To manage security problems by taking a proactive approach towards the customers’ security vulnerabilities and by responding effectively to potential information security incidents
• To minimize and control the damage
• To provide or assist with effective response and recovery
• To prevent future security incidents
Strategy of CSIRT:
• It provides a single point of contact for reporting local problems
• It identifies and analyzes what has happened during an incident, including the impact and threat
• It researches solutions and mitigation strategies
CSIRT Vision
Identify the organization
Specify the mission, goals, and objectives of the organization
Select the services to be offered by the CSIRT
Determine how the CSIRT should be structured for the organization
Plan the budget required by the organization to implement and manage the CSIRT
Determine the resources (equipment, staff, infrastructure) to be used by the CSIRT
Common Names of CSIRT
Computer Incident Response Team (CIRT)
Incident Handling Team (IHT)
Incident Response Team (IRT)
Security Emergency Response Team (SERT)
Security Incident Response Team (SIRT)
CSIRT Framework
CSIRT Mission Statement
The mission statement provides a basic understanding of what the team is trying to achieve
It provides a focus for the overall goals and objectives of the CSIRT
The CSIRT should define, document, adhere to, and widely distribute a concise and clear mission statement
The mission statement must be unambiguous and consist of at most three or four sentences
It should specify the mission with which the CSIRT is charged
CSIRT Constituency
The constituency is the region that the CSIRT is bound to serve
It might be defined in the form of a statement and may be supported by a list of domain names
A CSIRT constituency may be bounded or unbounded by some constraints
The CSIRT defines its constituency and its relationship to that constituency
CSIRT Constituency (cont’d)
CSIRT Type: International Coordination Center
Nature of Mission: Obtain a knowledge base with a global perspective of computer security threats through coordination with other CSIRTs and building a “web of trust” among CSIRTs
Type of Constituency Served: Other CSIRTs around the world

CSIRT Type: Corporation
Nature of Mission: Improve the security of the corporation’s information infrastructure and minimize the threat of damage resulting from intrusions
Type of Constituency Served: System and network administrators and system users within the corporation

CSIRT Type: Technical
Nature of Mission: Improve the security of a given IT product
Type of Constituency Served: Users of the product

Table: CSIRT Types With Associated Missions and Constituencies; Source: www.cert.org
CSIRT Constituency (cont’d)
The issues relating to the constituency that are to be addressed are:
• Overlapping constituencies
• Relationship to the constituency
• Promoting the CSIRT to the constituency
• Gaining the constituency’s trust
CSIRT’s Place in an Organization
The place that a CSIRT holds in its parent organization is tightly coupled to its stated mission
It fails when placed under the system administration department of its parent organization
A CSIRT may constitute the entire security team for an organization, or may be totally distinct from the organization’s security team
The activities of the CSIRT can also be carried out by the organization’s security team
The CSIRT must be well embedded within the organization’s business structure
CSIRT’s Place in an Organization (cont’d)
It commonly resides within, or has some overlap with, the organization’s IT security department, as shown in the figure below:
Figure: Parent Organization
Source: www.cert.org
CSIRT’s Relationship with Peers
Figure: CSIRT Peer Relationships, Source: www.cert.org
CSIRT Types and Roles
Types of CSIRT Environments
Internal CSIRT:
• Provides services to its parent organization, such as a bank, manufacturing company, university, or government agency
National CSIRT:
• Provides services to the entire nation. For example, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
Vendor CSIRT:
• Identifies vulnerabilities in software and hardware products
Governmental sector CSIRT:
• Provides services to government agencies and, in some countries, to the citizens
Military sector CSIRT:
• Provides services to military organizations with responsibilities for IT infrastructure
Small & Medium Enterprises (SME) Sector CSIRT:
• Provides its services to its own business branch or a similar user group
Best Practices for Creating a CSIRT
1. Obtain management support and buy-in
2. Determine the CSIRT strategic plan
3. Gather relevant information
4. Design the CSIRT vision
5. Communicate the CSIRT vision and operational plan
6. Begin CSIRT implementation
7. Announce the operational CSIRT
8. Evaluate CSIRT effectiveness
Step 1: Obtain Management Support and Buy-in
Without management approval and support, creating an effective incident response capability can be difficult and problematic
Consider that the team is established:
• How is it maintained and expanded with budget, personnel, and equipment resources?
• Will the role and authority of the CSIRT continue to be backed by management across the various constituencies or the parent organization?
Step 2: Determine the CSIRT Development Strategic Plan
Are there specific timeframes to be met? Are they realistic, and if not, can they be changed?
Is there a project group? Where do the group members come from?
How do you let the organization know about the development of the CSIRT?
If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?
Step 3: Gather Relevant Information
Meet with the key stakeholders to discuss the expectations, strategic direction, definitions, and responsibilities of the CSIRT
The stakeholders can include:
• Business managers
• Representatives from IT
• Representatives from the legal department
• Representatives from human resources
• Representatives from public relations
• Any existing security groups, including physical security
• Audit and risk management specialists
Step 4: Design your CSIRT Vision
In creating your vision, you should:
• Identify your constituency: Who does the CSIRT support and give service to?
• Define your CSIRT mission, goals, and objectives: What does the CSIRT do for the identified constituency?
• Select the CSIRT services to provide to the constituency (or others): How does the CSIRT support its mission?
• Determine the organizational model: How is the CSIRT structured and organized?
• Identify required resources: What staff, equipment, and infrastructure are needed to operate the CSIRT?
• Determine your CSIRT funding: How is the CSIRT funded for its initial startup and its long-term maintenance and growth?
Step 5: Communicate the CSIRT Vision
Communicate the CSIRT’s vision and operational plan to management, the constituency, and others who need to know and understand its operations
As appropriate, make adjustments to the plan based on their feedback
Step 6: Begin CSIRT Implementation
Hire and train initial CSIRT staff
Buy equipment, and build any necessary network infrastructure to support the team
Develop the initial set of CSIRT policies and procedures to support your services
Define and build an incident-tracking system
Develop incident-reporting guidelines and forms for your constituency
Step 7: Announce the CSIRT
When the CSIRT is operational, announce it to the constituency or parent organization
It is best if this announcement is made by the sponsoring management
Include the contact information and hours of operation for the CSIRT in the announcement
This is an excellent time to make the CSIRT incident-reporting guidelines available
Step 8: Evaluate CSIRT Effectiveness
Once the CSIRT is operational, management determines the effectiveness of the team and uses the evaluation results to improve CSIRT processes
It must ensure that the team is meeting the needs of the constituency
The CSIRT, in conjunction with management and the constituency, will need to develop a mechanism to perform such an evaluation
Role of CSIRTs
CSIRTs provide IT security incident-centered services to their constituency, such as prevention, detection, correction, repression, or awareness building
The CSIRT’s services focus on attacks that are propagated via the Internet and tunnel their way into extranets, intranets, and computer systems
The CSIRT reports preventive measures along with the identified vulnerabilities to its constituency
The main services CSIRTs provide are:
• Awareness building
• Detection
• Correction
Roles in an Incident Response Team
Except for some common roles, the roles in an IRT are distinct for every organization:
Incident Coordinator (IC)
• The IC connects different groups
• He/she links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management
Incident Manager (IM)
• The IM focuses on the incident and handles it from both a management and a technical point of view
Roles in an Incident Response Team (cont’d)
Incident Analyst (IA)
• Incident analysts are the technical experts in their particular area
• The IA applies the appropriate technology and tries to eradicate and recover from the incident
Constituency
• The constituency is not a part of the incident response team itself, but is a stakeholder in the incident
Administration
• Ensures that the foundation’s offices are returned to normal operations as quickly as possible
• Assists in the development of an alternate site as necessary
Roles in an Incident Response Team (cont’d)
Human Resources
• HR is responsible for the “human” aspects of the disaster, including post-event counseling and next-of-kin notification
• It answers questions related to compensation and benefits
Public Relations
• PR is responsible for developing the media messages regarding any event
• It is responsible for all stakeholder communications, including the board, foundation personnel, donors, grantees, suppliers/vendors, and the media
Roles in an Incident Response Team (cont’d)
Figure: roles around the CSIRT
• Incident Coordinator (IC): acts as a link between different groups
• Incident Manager (IM): handles an incident from a management and technical point of view
• Incident Analyst (IA): eradicates and recovers from the incident
• Constituency: is a stakeholder in the incident
• Administration: ensures that the office operations return to a normal situation
• Human Resources: responsible for the human aspects of the disaster
• Public Relations: responsible for stakeholder communications
Roles in an Incident Response Team (cont’d)
Other roles may include:
• Support staff
• Technical writers
• Network or system administrators, CSIRT infrastructure staff
• Programmers or developers (to build CSIRT tools)
• Web developers and maintainers
• Media relations
• Legal or paralegal staff or liaison
• Law enforcement staff or liaison
• Auditors or quality assurance staff
• Marketing staff
CSIRT Services, Policies, and Procedures
CSIRT Services
CSIRT services are grouped into the following three categories:
• Reactive services
• Proactive services
• Security quality management services
Reactive Services
Reactive services process requests for assistance
They respond to incident reports from the CSIRT constituency
They identify and rectify any threats or attacks against the CSIRT systems
The services provided include:
• Alerts and warnings
• Incident handling
• Vulnerability handling
• Artifact handling
Proactive Services
These services improve the infrastructure and security processes of the constituency before any incident occurs
The services provided include:
• Announcements
• Technology watch
• Security audit or assessment
• Configuration and maintenance of security tools, applications, infrastructures, and services
• Development of security tools
• Intrusion detection services
• Security-related information dissemination
Security Quality Management Services
Security quality management services are established services designed to improve the overall security of an organization
These services incorporate feedback and lessons learned based on knowledge gained by responding to incidents, vulnerabilities, and attacks
The services include:
• Risk analysis
• Business continuity and disaster recovery planning
• Security consulting
• Awareness building
• Education/training
• Product evaluation or certification
CSIRT Policies and Procedures
Policies are the governing principles adopted by organizations or teams
• The policies of an organization need to be clearly stated
Policies and procedures are interrelated
Procedures detail how a team enacts activities within the boundaries of its policies
• Procedures make a policy successful
Members of an organization should clearly understand policies and procedures in order to implement them
CSIRT Policies and Procedures (cont’d)
A policy can be defined with:
• Attributes
• Content
• Validation
• Implementation
• Maintenance, and
• Enforcement
Attributes
A policy should be defined as a set of detailed procedures
It should outline the essential characteristics for a specific topic area so that the necessary information is provided
Attributes (cont’d)
Source: www.sei.cmu.edu
Content
The content of a policy is mainly a definition of behavior in a certain topic area
It defines the features that are the boundary conditions for any policy definition
The policy content features are listed in the following table:
Content (cont’d)
Source: www.sei.cmu.edu
Validity
After a policy has been defined, it is advisable to check its validity in practice before actually implementing it
The validity check finds out whether all the ideas in the policy can actually be translated into real-life behavior
Implementation, Maintenance, and Enforcement
After validating the policy, feedback should be given to the policy makers so that they can make revisions
Once the policy has been revised based on the feedback and it is ensured that the policy does not require further changes, the policy can be implemented
How CSIRT Handles a Case
Keep a log book
Inform the appropriate people
Maintain a list of contacts
Release the information
Follow-up analysis
Report
CSIRT Incident Report Form
Incident Tracking and Reporting Systems
Application for Incident Response Teams (AIRT)
http://airt.leune.com/
AIRT is a web-based application designed and developed to support the day-to-day operations of a computer security incident response team
It supports highly automated processing of incident reports and facilitates coordination of multiple incidents by a security operations center
Features:
• Identify owners of networks
• Track incidents
• Automatically import incident reports
• Prepare outgoing emails based on incident templates
AIRT: Screenshot 1
AIRT: Screenshot 2
BMC Remedy Action Request System
http://www.bmc.com/
BMC Remedy Action Request System provides a consolidated service process management platform for automating and managing service management business processes
Features:
• Automates service management business processes
• Integrates processes with systems across the enterprise
• Adapts and evolves your processes to continually align with the needs of the business
• Manages business process performance in real time
• Replaces outdated manual systems with process automation that speeds the handling of unique processes
• Rapidly prototypes, deploys, maintains, and iterates Service Management applications
• Captures and tracks critical business data
BMC Remedy Action Request System: Screenshot
PGP Desktop Email
http://www.pgp.com/
PGP Desktop Email provides enterprises with an automatic, transparent encryption solution for securing internal and external confidential email communications
With PGP Desktop Email, organizations can minimize the risk of a data breach and comply with partner and regulatory mandates for information security and privacy
Features:
• Easy, automatic operation: protects sensitive email without changing the user experience
• Enforced security policies: enforces data protection automatically with centrally managed policies
• Accelerated deployment: achieves end-to-end email encryption using the existing infrastructure
• Reduced operation costs: result from centralized automation of email encryption policies
PGP Desktop Email (cont’d)
The GNU Privacy Guard (GnuPG)
http://www.gnupg.org/
GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880
It allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories
Features:
• Does not use any patented algorithms
• Can be used as a filter program
• Decrypts and verifies PGP 5, 6 and 7 messages
• Supports ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER
• Supports key and signature expiration dates
Listserv
http://www.lsoft.com/
Listserv is email list management software
It provides the power, reliability, and enterprise-level performance you need to manage all your opt-in email lists
Its Web interface simplifies email list and server management, allowing you to control your lists and administer your server from anywhere on the Internet
Listserv (cont’d)
Features and benefits
• List owner features:
• Supports all list types
• Automatic subscriptions
• Automatic bounce handling
• Personalization
• Searchable web archives
• RSS support
• Site administrator features:
• Multiple license sizes
• Virus protection
• Deliverability
• Spam control
• Database connectivity
• Customizable web interface
Listserv: Screenshot
CERT
CERT stands for Community Emergency Response Team (CERT)
The CERT program helps train people to be better prepared to respond to emergency situations in their communities
CERT members can provide critical support to first responders by:
• Providing immediate assistance to victims
• Organizing spontaneous volunteers at a disaster site
CERT-CC
Source: http://www.cert.org/
CERT(R) Coordination Center: Incident Reporting Form
Source: http://www.cert.org/reporting/incident_form.txt
CERT: OCTAVE
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation
It is a set of tools, techniques, and methods for risk-based information security strategic assessment and planning
There are three OCTAVE methods:
• OCTAVE Method
• OCTAVE-S
• OCTAVE-Allegro
OCTAVE Method
The OCTAVE method uses a three-phased approach to examine organizational and technology issues
It comprises a series of workshops conducted by an interdisciplinary analysis team of three to five people from the organization
This method focuses on:
• Identifying critical assets and the threats to those assets
• Identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
• Developing a practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities
OCTAVE Method (cont’d)
OCTAVE-S
OCTAVE-S uses a more streamlined process and different worksheets but produces the same result as the OCTAVE method
It requires a team of 3-5 people with an understanding of all aspects of the company
This version does not start with gathering information about important assets, security requirements, threats, and security practices
The assumption is that the analysis team is already aware of this information
OCTAVE-S includes only a limited exploration of the computing infrastructure
OCTAVE Allegro
OCTAVE Allegro is a streamlined variant of the OCTAVE method that focuses on information assets
It can be performed in a workshop-style, collaborative setting
It is not suited to individuals who want to perform a risk assessment without extensive organizational involvement, expertise, or input
It focuses mainly on the information assets
The assets of the organization are identified and assessed based on the information assets to which they are connected
OCTAVE Allegro (cont’d)
OCTAVE Allegro consists of eight steps organized into four phases:
• Phase 1 - Assessment participants develop risk measurement criteria consistent with organizational drivers: the organization's mission, goal objectives, and critical success factors
• Phase 2 - Participants create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers
• Phase 3 - Participants identify threats to each information asset in the context of its containers
• Phase 4 - Participants identify and analyze risks to information assets and begin to develop mitigation approaches
OCTAVE Allegro (cont’d)
World CERTs
Asia Pacific CERTs
• Australia CERT (AUSCERT)
• Hong Kong CERT (HKCERT/CC)
• Indonesian CSIRT (ID-CERT)
• Japan CERT-CC (JPCERT/CC)
• Korea CERT (CERT-KR)
• Malaysia CERT (MyCERT)
• Pakistan CERT (PakCERT)
• Singapore CERT (SingCERT)
• Taiwan CERT (TWCERT)
• China CERT (CNCERT/CC)
North American CERTs
• CERT-CC
• US-CERT
• Canadian Cert
• Cancert
• Forum of Incident Response and Security Teams (FIRST)
South American CERTs
• CAIS - Brazilian Research Network CSIRT
• NIC BR Security Office Brazilian CERT (NBS)
European CERTs
• EuroCERT
• FUNET CERT
• CERTA
• DFN-CERT
• JANET-CERT
• CERT-NL
• UNINETT-CERT
• CERT-NASK
• Swiss Academic and Research Network CERT
Australia CERT (AUSCERT)
Source: http://www.auscert.org.au/index.html
Hong Kong CERT (HKCERT/CC)
Source: http://www.hkcert.org
Indonesian CSIRT (ID-CERT)
Source: http://www.cert.or.id/
Japan CERT-CC (JPCERT/CC)
Source: http://www.jpcert.or.jp/english/
Malaysian CERT (MyCERT)
Source: http://www.mycert.org.my/en/
Indian CERT
Pakistan CERT (PakCERT)
Source: http://www.pakcert.org/
Singapore CERT (SingCERT)
Source: http://www.singcert.org.sg/index.php?option=com_mjfrontpage&Itemid=30
Taiwan CERT (TWCERT)
Source: http://www.cert.org.tw/eng/
China CERT (CNCERT/CC)
Source: http://www.cert.org.cn/english_web/
US-CERT
Source: http://www.us-cert.gov/
Government Forum of Incident Response and Security Teams (GFIRST)
GFIRST is a group of technical and tactical practitioners of security response teams responsible for securing government information technology systems
GFIRST members work together to understand and handle computer security incidents and to encourage proactive and preventative security practices
Canadian Cert
Source: http://www.ewa-canada.com/index.php
Forum of Incident Response and Security Teams
Source: http://www.first.org/
CAIS/RNP
Source: http://www.rnp.br/en/
NIC BR Security Office Brazilian CERT
Source: http://www.nic.br/imprensa/clipping/2008/midia412.htm
EuroCERT
Source: http://www.eurocert.ie/
FUNET CERT
Source: http://www.csc.fi
SURFnet-CERT
Source: http://cert.surfnet.nl/home-eng.html
DFN-CERT
Source: http://www.dfn-cert.de/
JANET-CERT
Source: http://www.ja.net/index.html
CERT POLSKA
Source: http://www.cert.pl
Swiss Academic and Research Network CERT
Source: http://www.switch.ch/cert/
Source: http://www.first.org/about/organization/teams/
Source: http://www.apcert.org/about/structure/members.html
IRTs Around the World
Copyright 2004 Carnegie Mellon University. CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office.
Summary
A CSIRT is a service organization which provides 24x7 computer security incident response services to any user, company, government agency, or organization
A CSIRT should define, document, adhere to, and widely distribute a concise and clear mission statement
The constituency is the region over which the CSIRT is bound to serve
A CSIRT may constitute the entire security team for an organization or may be totally distinct from an organization's security team
The CERT program helps train people to be better prepared to respond to emergency situations in their communities
Security accreditation refers to the acceptance and management of risk
Sample EC-Council Certified Incident Handler Version 1
Module I
Introduction to Incident Response and Handling
News: Number of Reported Cyber Incidents Jumps
Federal civilian agencies reported three times as many cyber-related incidents in fiscal 2008 as they did in fiscal 2006 to the Homeland Security Department's office that coordinates defenses and responses to cyberattacks. Meanwhile, an official says the office suspects the actual number of cyber incidents is higher. The agencies reported to DHS' United States Computer Emergency Readiness Team (US-CERT) a total of 18,050 incidents in fiscal 2008, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006, according to DHS officials. Overall, the total number of incidents reported to US-CERT from commercial, foreign, private, and federal, state and local government sectors rose from 24,097 in fiscal 2006 to 72,065 in fiscal 2008. The Federal Information Security Management Act requires agencies to report cyber incidents, which are defined as acts that violate computer security or acceptable-use policies. The types of incidents include unauthorized access, denial of service, malicious code, improper usage, and scans, probes and attempted access. Mischel Kwon, US-CERT's director, said that the numbers represent both an increase in malware and improvements in the capabilities of US-CERT and agencies to detect and report cyber incidents. "As we mature and become more robust, and we deploy more tools, incident numbers will go up," she said. "Both parts of the story are true: There is an increase in mal events, and there is an increase in capabilities in order to detect those mal events." Kwon added that the numbers were a bit deceiving because the reports are based on manual reporting by agencies and that there are few security operations centers that monitor federal agency networks.
She said agencies don't have the tools or analysts to review data to determine if incidents have occurred.
Source: http://fcw.com/
Cyber Incident Statistics
[Chart: Number of cyber incidents reported to DHS' United States Computer Emergency Readiness Team, fiscal 2006, 2007 and 2008; y-axis 0 to 20,000 incidents]
Source: http://fcw.com/
Incidents and Events by Category
[Pie charts, FY08 Q4 and FY09 Q1: share of incidents by category: Unauthorized Access, Malicious Code, Improper Usage, Scans, Probes and Attempted Access, Under Investigation]
Source: Cyber Security Trends, Quarterly Trends and Analysis Report, http://www.us-cert.gov/
Top Five Incidents
[Pie charts, FY08 Q4 and FY09 Q1: share of incidents by type: Phishing, Malware, Policy Violation, Non-Cyber, Suspicious Network Activity, Others]
Source: Cyber Security Trends, Quarterly Trends and Analysis Report, http://www.us-cert.gov/
Case Study: Incident Handling and Response
The Case: Xconsoft, a major software developer located in New Jersey, realized that sensitive information from folders shared across its network was being accessed by unauthorized people and leaked to third parties.
The Challenges: Loss of the proprietary information could result in huge financial losses. The company hired an established consultant for incident handling and response. The major challenges in front of the consultants were to contain the damage, assess the losses, and identify the perpetrators.
The Result: After conducting a network-wide search for specific keywords and file names, the consultant advised the company to isolate the systems that contained sensitive information and took possession of suspected systems for further analysis. After going through a complete incident handling and response cycle, and with the help of a computer forensics investigator, the company was able to trace the culprits. The consultant advised the company to develop and implement effective network security policies and deploy intrusion detection tools to defend itself from various information security incidents.
Can the risks involved in engaging third-party consultants not effectively counter the apprehension about the ROI of developing an in-house incident handling and response team?
Module Objective
This module will familiarize you with:
• Computer Security Incident
• Data Classification
• Information Warfare
• Key Concepts of Information Security
• Types of Computer Security Incidents
• Signs of an Incident
• Incident Response
• Incident Handling
• Incident Reporting Organizations
Module Flow
Computer Security Incident
Data Classification
Key Concepts of Information Security
Information Warfare
Types of Computer Security Incidents
Signs of an Incident
Incident Handling
Incident Response
Incident Reporting Organizations
Computer Security Incident
A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks (Source: www.cert.org)
It is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
Statistics: Different Sources of Security Incidents
Source: Outlook Journal, January 2008, www.accenture.com
Information as a Business Asset
An information asset is a piece of information that is important for any business process
The loss of information may affect the organization's investment in different business activities
An information asset can be a trade secret, patent information, employee/personnel information, or an idea to develop the business for an organization
Characteristics of Information Assets:
• It is recognized to be of value to the organization
• It requires cost, skill, time, and resources
• It is a part of the organization's corporate identity
Data Classification
Data classification is the process of classifying data based on its level of sensitivity as it is created, modified, improved, stored, or transmitted
Data classification helps in identifying the data for business operations
Data can be classified into five levels:
• Top secret
• Confidential information
• Proprietary information
• Information for internal use
• Public documents
Common Terminologies
Information System:
• An information system processes data into useful information to achieve specified organizational or individual goals
• It accepts, processes, and stores data in the form of records in a computer system and automates some of the information processing activities of the organization
Information Owner:
• The information owner is the initial owner who is capable of creating and storing information
Information Custodian:
• The information custodian is responsible for implementing and controlling the security measures of an information system
Information Warfare
The term Information Warfare or Infowar refers to the use of information and information systems as weapons in a conflict in which the information and information systems themselves are the targets
Information warfare is divided into two categories:
• Offensive information warfare, where an adversary attacks the information resources to gain undue advantage
• Defensive information warfare, which is an attempt to protect the information assets against attacks
Key Concepts of Information Security
Confidentiality:
• Refers to the prevention of unauthorized access, disclosure, and use of information; it is a part of the broader concept of privacy
• Confidentiality is maintained through user authentication and access control
Integrity:
• Refers to the reliability and trustworthiness of the information
• Prevention of unauthorized changes to the data
Availability:
• Guarantee of access to resources
• It is a critical function for companies that rely on electronic data and communications
Vulnerability, Threat, and Attack
Vulnerability:
• Existence of a weakness in design or implementation that can lead to an unexpected, undesirable event compromising the security of the system
Threat:
• A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS)
Attack:
• An assault on system security that is derived from an intelligent threat
Types of Computer Security Incidents
Malicious code attacks:
• These include viruses, Trojans, worms, and malicious script attacks used by attackers to gain privileges, capture passwords, and modify audit logs to perform unauthorized activity on the victim's systems
Unauthorized access:
• This includes various activities, from improperly logging into a user's account to gaining unauthorized access to files and directories by obtaining administrator privileges
Unauthorized use of services:
• Users may attempt to transfer files without authorization or use inter-domain access mechanisms to access files and directories belonging to another organization's domain
Types of Computer Security Incidents (cont’d)
Fraud and theft:
• Information systems can be exploited by automating traditional methods of fraud
Employee sabotage and abuse include:
• Destroying hardware or facilities
• Planting logic bombs that destroy programs or data
• Intentionally entering incorrect data
• Crashing systems
• Intentionally deleting and changing data
Misuse:
• It is a condition when someone uses computer resources for an illegitimate purpose, such as storing personal information on an official computer
Exam ples of Com puter Security Incidents
Verizon Data Breach Investigations Report - 2008
Who is behind data breaches?
Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com
Verizon Data Breach Investigations Report - 2008 (cont’d)
How do breaches occur?
• 62% were attributed to a significant error
• 59% resulted from hacking and intrusions
• 31% incorporated malicious code
• 22% exploited a vulnerability
• 15% were due to physical threats
Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com
Verizon Data Breach Investigations Report - 2008 (cont’d)
Sources of Data Breaches
External:
• Intuitively, external threats originate from sources outside the organization
Internal:
• Internal threat sources are those originating from within the organization
Partner:
• Partners include any third party sharing a business relationship with the organization
Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com
Incidents That Required the Execution of Disaster Recovery Plans
[Bar chart: percentage of respondents by incident type, values from 7% to 59%]
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/
Signs of an Incident
Accurately detecting and assessing incidents is the most challenging and essential part of the incident response process
Typical indications of security incidents include:
• A system alarm, or a similar indication from an intrusion detection system
• An attempt to log on to a new user account
• A DoS attack, or users not being able to log into an account
• System crashes, or poor system performance
• Unauthorized operation of a program, or a sniffer device capturing network traffic
• Suspicious entries in system or network accounting, or other accounting inconsistencies
Signs of an Incident (cont’d)
Signs of an incident fall into one of two categories:
• A precursor is a sign that an incident may happen in the future
• An indication is a sign that an incident has already occurred or may be in progress
Examples of precursors are:
• Web server log entries that show the usage of a web vulnerability scanner
• An announcement of a new exploit that targets a vulnerability of the organization's mail server
• A threat from a hacktivist group stating that the group will attack the organization
Examples of indications are:
• The antivirus software alerts when it detects that a host is infected with a worm
• A user calls the help desk to report a threatening email message
• IDS and IPS logs indicating an unusual deviation from typical network traffic flows
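As an added example, not taken from the course material, the following Python script applies the precursor/indication split above to constructed log lines: scanner activity in web server logs is reported as a precursor, while antivirus, help desk and IDS alerts are reported as indications. The access log format, the scanner user-agent markers and the key=value alert format are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Placeholder substrings standing in for an organization's own list of web
# vulnerability scanner user-agents (constructed values, not a real signature set).
SCANNER_UA_MARKERS = ("vulnscanner", "webscan")

# Apache/nginx "combined" access log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Sources whose alerts mean something has happened or is in progress
# (indication) versus sources that warn something may happen (precursor).
INDICATION_SOURCES = {"antivirus", "ids", "ips", "helpdesk"}
PRECURSOR_SOURCES = {"threat-intel"}


@dataclass(frozen=True)
class Sign:
    kind: str    # "precursor" or "indication"
    source: str  # data source that produced the sign
    detail: str


def parse_access_line(line):
    """Fields of one combined-format access log line, or None if malformed."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def web_precursors(access_lines, min_missing=5):
    """Precursors in web server logs: a known scanner user-agent, or a single
    client requesting many distinct non-existent paths (a burst of 404s)."""
    scanner_clients = set()
    missing_paths = defaultdict(set)
    for line in access_lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # skip malformed lines rather than guess at their content
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            scanner_clients.add((rec["ip"], rec["ua"]))
        if rec["status"] == "404":
            parts = rec["req"].split(" ")  # "METHOD path HTTP/x.y"
            missing_paths[rec["ip"]].add(parts[1] if len(parts) > 1 else rec["req"])
    signs = [Sign("precursor", "web-server", f"scanner user-agent {ua!r} from {ip}")
             for ip, ua in sorted(scanner_clients)]
    signs += [Sign("precursor", "web-server",
                   f"{ip} requested {len(paths)} distinct missing paths")
              for ip, paths in sorted(missing_paths.items()) if len(paths) >= min_missing]
    return signs


def parse_alert_line(line):
    """Parse a constructed 'key=value ... msg=free text' alert line into a dict."""
    head, sep, msg = line.partition(" msg=")
    rec = dict(tok.split("=", 1) for tok in head.split() if "=" in tok)
    if sep:
        rec["msg"] = msg
    return rec


def alert_signs(alert_lines):
    """Classify alert and tip lines as precursor or indication by their source."""
    signs = []
    for line in alert_lines:
        rec = parse_alert_line(line)
        src = rec.get("source", "")
        if src in INDICATION_SOURCES:
            signs.append(Sign("indication", src, rec.get("msg", line)))
        elif src in PRECURSOR_SOURCES:
            signs.append(Sign("precursor", src, rec.get("msg", line)))
    return signs


def triage(access_lines, alert_lines):
    """All signs, bucketed so that indications (incidents already in progress)
    are reviewed before precursors (incidents that may still come)."""
    signs = web_precursors(access_lines) + alert_signs(alert_lines)
    return {"indications": [s for s in signs if s.kind == "indication"],
            "precursors": [s for s in signs if s.kind == "precursor"]}


# Constructed sample data using RFC 5737 documentation addresses (not real traffic).
SAMPLE_ACCESS = [
    '203.0.113.7 - - [10/Jun/2009:08:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2009:08:00:05 +0000] "GET /about HTTP/1.1" 200 780 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [10/Jun/2009:08:01:{i:02d} +0000] "GET /probe{i} HTTP/1.1" '
    f'404 0 "-" "ExampleVulnScanner/2.1"'
    for i in range(6)
]
SAMPLE_ALERTS = [
    "source=antivirus host=ws-17 msg=worm detected and quarantined on host",
    "source=helpdesk host=- msg=user reports a threatening email message",
    "source=threat-intel host=mail-1 msg=new exploit announced for our mail server version",
    "source=ids host=fw-1 msg=outbound traffic volume far above the typical baseline",
]

if __name__ == "__main__":
    for kind, signs in triage(SAMPLE_ACCESS, SAMPLE_ALERTS).items():
        print(kind)
        for s in signs:
            print(f"  [{s.source}] {s.detail}")
```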
Incident Categories
There are three categories of incidents:
• Low level
• Middle level
• High level
Incident Categories: Low Level
Low level incidents are the least severe kind of incidents
They should be handled within one day after the event occurs
Low level incidents include:
• Loss of personal password
• Unsuccessful scans and probes
• Request to review security logs
• Presence of any computer virus or worms
• Failure to download anti-virus signatures
• Suspected sharing of the organization's accounts
• Minor breaches of the organization's acceptable usage policy
Incident Categories: Middle Level
Incidents at this level are comparatively more serious and thus should be handled the same day the event occurs
Middle level incidents include:
• Inactive external/internal unauthorized access to systems
• Violation of special access to a computer or computing facility
• Unfriendly employee termination
• Unauthorized storing and processing of data
• Destruction of property related to a computer incident
• Localized worm/virus outbreak
• Personal theft of data related to a computer incident
• Computer virus or worms of comparatively larger intensity
• Illegal access to buildings
• Breach of the organization's acceptable usage policy
Incident Categories: High Level
High level incidents should be handled immediately after the incident
They pose an immediate threat to various systems and can lead to criminal charges, regulatory fines, or a bad name for the organization
These include:
• Denial of Service attacks
• Suspected computer break-in
• Computer virus or worms of highest intensity; e.g. Trojan, back door
• Changes to system hardware, firmware, or software without authentication
• Destruction of property exceeding $100,000
• Personal theft exceeding $100,000 and illegal electronic fund transfer or download/sale
• Any kind of pornography, gambling, or violation of any law
Incident Prioritization
Prioritizing the handling of incidents is critical for the incident handling process
Incidents should not be handled on a first-come, first-served basis
Prioritize incidents based on two factors:
• Current and potential technical effect of the incident
• Criticality of the affected resources
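The following Python triage queue is an added example and not part of the course material: it orders constructed incidents by the two factors above instead of first-come, first-served, and derives a handling deadline from the low, middle and high level categories. The ordinal scales, the scoring formula and the sample incidents are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed ordinal scales (not from the course material): technical effect of
# the incident and criticality of the affected resources.
EFFECT = {"none": 0, "low": 1, "medium": 2, "high": 3}
CRITICALITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Incident:
    ident: str
    reported: datetime
    category: str          # "low", "middle" or "high", as categorized above
    current_effect: str    # technical effect observed so far
    potential_effect: str  # technical effect if the incident runs its course
    criticality: str       # criticality of the affected resources


def priority_score(inc):
    """Worse of current and potential technical effect, weighted by resource
    criticality. Assumed formula; range 0 (ignore) to 9 (most urgent)."""
    effect = max(EFFECT[inc.current_effect], EFFECT[inc.potential_effect])
    return effect * CRITICALITY[inc.criticality]


def handling_deadline(inc):
    """Latest start of handling implied by the category: high level is handled
    immediately, middle level the same day, low level within one day."""
    if inc.category == "high":
        return inc.reported
    if inc.category == "middle":
        return inc.reported.replace(hour=23, minute=59, second=59)
    if inc.category == "low":
        return inc.reported + timedelta(days=1)
    raise ValueError(f"unknown incident category {inc.category!r}")


def fifo_queue(incidents):
    """First-come, first-served: the ordering the text says not to use."""
    return sorted(incidents, key=lambda i: i.reported)


def prioritized_queue(incidents):
    """Highest priority score first; ties broken by the earliest deadline,
    then by report time."""
    return sorted(incidents,
                  key=lambda i: (-priority_score(i), handling_deadline(i), i.reported))


def overdue(incidents, now):
    """Identifiers of incidents whose handling deadline has already passed."""
    return [i.ident for i in incidents if handling_deadline(i) < now]


# Constructed sample incidents drawn from the category lists above.
SAMPLE_INCIDENTS = [
    # lost personal password (low level)
    Incident("INC-1", datetime(2009, 6, 10, 8, 0), "low", "low", "low", "low"),
    # localized worm outbreak (middle level)
    Incident("INC-2", datetime(2009, 6, 10, 8, 30), "middle", "medium", "high", "medium"),
    # Denial of Service attack on a critical service (high level)
    Incident("INC-3", datetime(2009, 6, 10, 9, 0), "high", "high", "high", "high"),
    # unsuccessful scans and probes against a critical host (low level)
    Incident("INC-4", datetime(2009, 6, 10, 9, 15), "low", "none", "low", "high"),
]
NOW = datetime(2009, 6, 10, 10, 0)

if __name__ == "__main__":
    print("FIFO:       ", [i.ident for i in fifo_queue(SAMPLE_INCIDENTS)])
    print("Prioritized:", [i.ident for i in prioritized_queue(SAMPLE_INCIDENTS)])
    print("Overdue at", NOW.time(), overdue(SAMPLE_INCIDENTS, NOW))
```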
Incident Response
Incident response is the process of responding to incidents that may have occurred due to a security breach in the system or network
It plays a major role when the security of the system is compromised
The goal of incident response is to handle incidents in a way that minimizes the damage and reduces recovery time and costs
It includes:
• Responding to incidents systematically so that the appropriate steps are taken
• Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
• Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data
• Dealing properly with legal issues that may arise during incidents
Incident Handling
Incident handling involves all the processes, logistics, communications, coordination, and planning needed to respond to and overcome an incident efficiently
Incident handling helps to find out trends and patterns of the intruder's activity
Incident handling procedures help network administrators in the recovery, containment, and prevention of incidents
Incident handling policies help the corresponding staff to understand the process of responding to and tackling unexpected threats and security breaches
Use of Disaster Recovery Technologies
Which of the following technology types do you have, and which are covered by a DR plan?
[Bar chart with two series per technology type, "Have in Organization" and "Covered by DR Plan"; values from 24% to 92%]
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/
Impact of Virtualization on Incident Response and Handling
Do you test virtual servers as part of your disaster recovery plan?
• Yes: 73%
• No: 27%
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/
Impact of Virtualization on Incident Response and Handling (cont’d)
How are your organization's data and mission critical applications protected in a virtual environment?
[Bar chart: percentage of respondents per protection method, values from 27% to 59%]
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/
Estimating the Cost of an Incident
Tangible Cost:
• Lost productive hours
• Investigation and recovery cost
• Loss of business
• Loss or theft of resources
Intangible Cost:
• Damage to corporate reputation
• Loss of goodwill
• Psychological damage
• Those directly impacted may feel victimized
• May impact morale or initiate fear
• Legal liability
• Effect on shareholder value
Key Findings of Symantec Global Disaster Recovery Survey - 2009
The average cost of executing/implementing disaster recovery plans for each downtime incident worldwide, according to respondents, is US$287,600
The median cost of executing/implementing disaster recovery plans for each downtime incident worldwide ranges from approximately $100,000 to $500,000
In North America, the median cost is as high as $900,000
Globally, the median disaster recovery cost is highest for healthcare and financial services organizations
In North America, the median cost for financial institutions is $650,000
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/
Incident Reporting
Incident reporting is the process of reporting an encountered security breach in a proper format
The incident should be reported to receive technical assistance and raise security awareness that would minimize the losses
Organizations may not report computer crimes due to negative publicity and potential loss of customers
Incident reporting should include:
• Intensity of the security breach
• Circumstances which revealed the vulnerability
• Shortcomings in the design and impact or level of weakness
• Entry logs related to the intruder's activity
Incident Reporting Organizations
The organizations that deal with computer security incidents are:
• Computer Emergency Response Team (CERT)
• Computer Security Incident Response Team (CSIRT)
• Forum for Incident Response and Security Teams (FIRST)
• Computer Incident Response Team (CIRT)
• Incident Response Center (IRC)
• Security Emergency Response Team (SERT)
• Security Incident Response Team (SIRT)
• Information Analysis Infrastructure Protection (IAIP)
• CERT Coordination Center (CERT/CC)
• Information Sharing and Analysis Centers (ISAC)
Vulnerability Resources
US-CERT Vulnerability Notes Database: http://www.kb.cert.org/vuls/
• Descriptions of these vulnerabilities are available from this web page in a searchable database format, and are published as "US-CERT Vulnerability Notes"
Vulnerability Resources (cont’d)
NVD (National Vulnerability Database): http://web.nvd.nist.gov/
• Integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources
Summary
A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks
An information system transforms data into useful information that supports decision making
Incident response is an organized approach to address and manage the aftermath of a security breach or attack
Incident handling refers to the operational procedures used to actually manipulate the incident and purge it from the systems
Incident reporting is the process of reporting the information regarding an encountered security breach in a proper format
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
EC-Council Certified Incident Handler Version 1
Module II: Risk Assessment
News: Report Faults TSA Risk Assessment
GAO finds agency did not follow Department of Homeland Security process
The Transportation Security Administration lacks the structure, policies and procedures to complete an effective risk management plan for freight and passenger transportation, according to a report by the Government Accountability Office. Risk management is the security watchword at the Department of Homeland Security as it attempts to allocate money and other resources to the areas that are most vulnerable to a terrorist attack. The GAO, which audits Executive Branch programs for Congress, said that TSA did not complete a six-step process established by DHS to properly identify and prioritize risks to the transportation system. TSA collected threat, vulnerability and consequence information, but did not perform risk assessment that would integrate the three components for each mode, or the transportation system as a whole, the GAO said. The GAO also said TSA set its security priorities based on intelligence, not risk assessment, and DHS did not review or validate TSA's methodology. In addition, the GAO said that TSA lacked an organizational structure to direct and control its risk management efforts, a way of evaluating performance, and policies and procedures to integrate with the overall DHS risk management plan.
Source: http://www.joc.com/
Module Objective
This module will familiarize you with:
• Risk
• Risk Policy
• Risk Assessment
• NIST Risk Assessment Methodology
• Steps to Assess Risks at Workplace
• Risk Analysis
• Risk Mitigation
• Cost/Benefit Analysis
• Residual Risk
Module Flow
Risk
Risk Policy
NIST Risk Assessment Methodology
Risk Assessment
Steps to Assess Risks at Workplace
Risk Analysis
Cost/Benefit Analysis
Risk Mitigation
Residual Risk
Risk
Risk is defined as the probability or threat of an incident
It is a measure of the possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations
It adversely affects the organization's operations and revenues
Risk Policy
Risk policy is a set of ideas to be implemented to overcome the risk
Risk policy includes:
• Rules of behavior while dealing with the computer system and the consequences for violating these rules
• Personnel and technical controls for the computer system
• Methods for identifying, properly limiting, and controlling interconnections with other systems and particular methods to monitor and manage such limits
• Procedures for the on-going training of employees authorized to access the system
• Procedures to monitor the efficiency of the security controls
• Provisions for continuing support if there is an interruption in the system or if the system crashes
Risk Assessment
Risk assessment is the process of identifying threat sources that pose risk to the business or project environment
It determines the level of risk and the resulting security requirements for each system
Risk assessment for a new system is conducted at the beginning of the System Development Life Cycle
Risk assessment for an existing system is conducted when there are modifications made to the system's environment
This process helps to identify the suitable controls to reduce risk in the risk mitigation process
The organization should plan, implement, and monitor a set of security measures that need to be undertaken against the identified risk
NIST's Risk Assessment Methodology
NIST's risk assessment methodology contains nine primary steps:
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Source: http://csrc.nist.gov/
Step 1: System Characterization
Identify the boundaries of the IT system along with the resources and the information that constitute the system
Characterize the IT system so as to establish the scope of the risk assessment effort
It describes the operational authorization boundaries such as hardware, software, system connectivity, etc.
Input (Step 1. System Characterization): Hardware; Software; System interfaces; Data and information; People; System mission
Output: System Boundary; System Functions; System and Data Criticality; System and Data Sensitivity

System Characterization Template
System Name:
• Hardware
• Software
• System Interfaces
• Data & Information
• Persons who support the IT system
• System mission (e.g. processes performed by the system)
• System & data criticality (system's value or importance to the organization)
• Functional requirements of the IT system
• Users of the system
• System security policies (organizational policies, federal requirements, industry practices, laws)
• System security architecture
• Current network topology (e.g. network diagram)
• Current information storage protection that safeguards system & data CIA
• Flow of information relating to the IT system
• Management controls used for the IT system (e.g. security planning, rules of behavior)
• Operational controls (e.g. back-up, contingency, and resumption and recovery operations, personnel security…)
• Physical security environment (e.g. facility security, data center policies)
• Environmental security (temperature control, water, power)
Step 2: Threats Identification
Threat refers to the probable impact of a threat source exploiting the vulnerabilities in the system
To determine the likelihood of a threat, consider:
• Vulnerabilities of the system
• Threat sources
Input (Step 2. Threat Identification): History of system attack; Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
Output: Threat Statement
Step 2: Threats Identification (cont'd)
Human Threats
• Incorrect data entry or omissions
• Inadvertent acts
• Eavesdropping
• Impersonation
• Shoulder surfing
• User abuse or fraud
• Theft, sabotage, vandalism, or physical intrusions
• Espionage

Step 2: Threats Identification (cont'd)
Technical Threats
• Breaking passwords for unauthorized access of the system resources
• Sniffing and scanning of network traffic
• Data/system contamination
• Malicious code infection
• Spam and mail frauds
• Phishing that may result in loss of confidential private information
• DDoS attacks
• Application coding errors
• Unauthorized modification of a database
• Session hijacking
• System and application errors, failures
Step 3: Identify Vulnerabilities
Identify the vulnerabilities associated with the system environment
Prepare a list of the system vulnerabilities that a threat source can exploit
Input (Step 3. Vulnerability Identification): Reports from prior risk assessments; Any audit comments; Security requirements; Security test results
Output: List of Potential Vulnerabilities

Vulnerability Report Template
Introduction
• Date carried out:
• Testing Team details:
• Network Details:
• Scope of test:
Executive Summary
• OS Security issues discovered with appropriate criticality level specified:
• Application Security issues discovered with appropriate criticality level specified:
• Physical Security issues discovered with appropriate criticality level specified:
• Personnel Security issues discovered with appropriate criticality level specified:
• General Security issues discovered with appropriate criticality level specified:
Technical Summary
• OS Security issues discovered:
• Web Server Security:
• Database Server Security:
• General Application Security:
• Business Continuity Policy:
Annexes
• 1:
• 2:
• 3:
Step 4: Control Analysis
Identify or plan the controls that are to be implemented to minimize the threats
Derive the probability of a vulnerability being exercised in the threat environment
Input (Step 4. Control Analysis): Current controls; Planned controls
Output: List of Current and Planned Controls
Step 5: Likelihood Determination
Factors that help derive the overall likelihood rating:
• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of the current controls
Input (Step 5. Likelihood Determination): Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls
Output: Likelihood Rating
Source: http://csrc.nist.gov/
Step 6: Impact Analysis
Determine the impact of a threat when a vulnerability is successfully exercised
Consider the system mission, system and data criticality, and system and data sensitivity to perform impact analysis
Prioritize the impact levels that are associated with the compromise of an organization's information assets
Use qualitative or quantitative assessment to determine the sensitivity and criticality of the information assets
Input (Step 6. Impact Analysis): Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity
Impact is assessed as Loss of Integrity, Loss of Availability, and Loss of Confidentiality
Output: Impact Rating
Step 7: Risk Determination
Assess the level of risk to the IT system, considering:
• The likelihood of a given threat-source's attempting to exercise a given vulnerability
• The impact of a threat-source when it successfully exercises the vulnerability
• The adequacy of planned or existing security controls for reducing or eliminating risk
Input (Step 7. Risk Determination): Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
Output: Risks and Associated Risk Levels
Step 8: Control Recommendations
Recommend the controls to be implemented to reduce the level of risk
The implemented controls should reduce the risk to an acceptable level
Factors to be considered in recommending controls:
• Effectiveness of recommended options
• Legislation and regulation
• Organizational policy
• Operational impact
• Safety and reliability
Output (Step 8. Control Recommendations): Recommended Controls
Step 9: Results Documentation
Results of the risk assessment should be presented in an official report or briefing
The result document should be made available to the concerned staff, risk control developers, and risk auditors
The risk assessment report should include:
• List of the identified vulnerabilities and risks
• Risk summary
• Risk likelihood rating
• Risk impact rating
• Overall risk rating
• Analysis of the relevant controls
• List of the recommended controls
• Appendix section containing incident logs and reports of the initial risk assessment phase
Output (Step 9. Results Documentation): Risk Assessment Report
Risk Assessment Report Template
Columns of the template:
• Risk No.
• Vulnerability
• Threat
• Risk
• Risk Summary
• Risk Likelihood Rating
• Risk Impact Rating
• Overall Risk Rating
• Analysis of Relevant Controls and Other Factors
• Recommendations
Steps to Assess Risks at Work Place
The steps involved in risk assessment at the work place are:
1. Hazards identification
2. Decide who will be harmed and how
3. Analyze risks and check for precautions
4. Implement results of the risk assessment
5. Review risk assessment
Step 1: Identify Hazards
A hazard is anything that may cause harm
Check out the hazards you come across at a work place
Identify the things that cause harm at the work place
Take the employees' opinion
Take the guidance of a trade association if you are a member
Step 2: Determine Who Will be Harmed and How
For each hazard, identify who might be harmed
Identify how they might be harmed
Extra thought will be needed for some hazards
Do not forget to think of anyone
Ask the staff if anyone is left out
Step 3: Analyze Risks and Check for Precautions
After spotting all the hazards, think about the precautions to be taken
Try a less risky option
Prevent access to the hazard
Issue personal protective equipment
Provide welfare facilities
Step 4: Implement Results of Risk Assessment
Risk assessment must be suitable and sufficient
Implement a temporary solution until more reliable controls are in place
Identify a long term solution to the risks that impact more critical infrastructure
Train the employees on the identified risks and their control measures
Frequently check whether the control measures stay in place
Step 5: Review Risk Assessment
Revisit your risk assessment plan
Find out if any changes are to be made
Enquire if any workers have spotted a problem
Make sure the risk assessment is up to date
Risk Analysis
Risk analysis involves the process of defining and evaluating the dangers
It is used to determine all possible and significant risks for your particular business
Risk analysis should be conducted properly in order to put a proper response in place, based on the amount of risk
Risk Analysis = Risk Assessment + Risk Management + Risk Communication
Need for Risk Analysis
Risk analysis identifies risks within the organization and the potential losses associated with these risks
It is required to define procedures through which an organization can survive or reduce the probability of risks
It helps in analyzing five elements:
• Assets (resources of an organization)
• Disruptive events (threat to an organization)
• Vulnerabilities (weakness of an organization)
• Losses (due to occurrence of the adversity)
• Safeguards (preventive measures against vulnerabilities)
Risk Analysis: Approach
There are two approaches to risk analysis:
Quantitative risk analysis
• It is a numerical determination of the probability of an adverse event and the extent of the losses due to the event
• It assigns numeric values to the components of the risk assessment and potential loss
• Risk = Probability of Loss X Loss
Qualitative risk analysis
• It does not use numerical methods to determine the probability of an adverse event and the extent of the losses
• Here, Risk = (Attack Success + Criticality) – (Countermeasures)
Risk Mitigation
Risk mitigation includes all possible solutions for reducing the probability of the risk and limiting the impact of the risk if it occurs
It involves the implementation of the risk control measures outlined in the risk assessment process
Apply a least cost approach and implement appropriate controls to reduce risks
Risk Mitigation Strategies
A risk mitigation strategy determines the circumstances under which action has to be taken to minimize and overcome risks
Risk mitigation strategies are selected according to the discovered and exploited vulnerability, and the expected impact of the risk
An organization can use one or more of the following strategies:
Risk assumption
• It is a risk mitigation strategy where an organization absorbs minor risks while preparing to respond to major ones
Risk avoidance
• It is a strategy to avoid risks either by engaging in alternate activities or preventing specific exposure from the risk sources

Risk Mitigation Strategies (cont'd)
Risk limitation
• This strategy focuses on limiting the exposure to the risk
Risk planning
• This strategy focuses on comprehensive plan development for risk assessment and mitigation
Research and acknowledgment
• This strategy focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and appropriate controls
Risk transference
• It is a strategy where loss is minimized by transferring risks to other parties either in the form of insurance or contract
Risk Mitigation Strategy (cont'd)
(Flowchart of the risk mitigation strategy; not reproduced here)
Source: http://csrc.nist.gov/
Cost/Benefit Analysis
Cost/benefit analysis is done for each proposed control to find out which control is required and suitable under the given circumstances
It is the process of analyzing the business decisions
It can be qualitative or quantitative
A cost benefit analysis finds, quantifies, and adds all the positive factors and subtracts all the negative factors and produces the net result
It demonstrates that the costs of implementing the controls can be justified by the reduction in the level of risk
NIST Approach for Control Implementation
Step 1: Prioritize actions
Step 2: Evaluate recommended control options
Step 3: Conduct cost-benefit analysis
Step 4: Select control
Step 5: Assign responsibility
Step 6: Develop a safeguard implementation plan
Step 7: Implement selected controls
Residual Risk
Risk that remains after implementation of all the possible risk control measures is called residual risk
The implemented risk control measures cannot remove the risks completely
They are intended to reduce the risk level to zero
Residual Risk = (Inherent Risk) X (Control Risk)
• Where inherent risk = (threats x vulnerability)
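The formulas on the Risk Analysis: Approach and Residual Risk slides (Risk = Probability of Loss X Loss, Risk = (Attack Success + Criticality) – Countermeasures, inherent risk = threats x vulnerability, Residual Risk = Inherent Risk X Control Risk) applied to a constructed risk register and emitted in the columns of the Risk Assessment Report Template. This is an added example, not the deck's or NIST's material; the 1..3 ordinal scales, the Low/Medium/High thresholds, reading Control Risk as one minus control effectiveness, and the three register entries are all assumptions of the example.

```python
"""Added example (not from the EC-Council deck or NIST): the deck's risk
formulas applied to a constructed risk register, producing rows shaped
like the Risk Assessment Report Template."""
from dataclasses import dataclass

# Assumed ordinal scales; the deck names the ratings but gives no numbers.
# threat_level, vuln_severity, attack_success, criticality: 1..3
# countermeasures: 0..3 (strength of current plus planned controls)
RATING = {1: "Low", 2: "Medium", 3: "High"}


@dataclass(frozen=True)
class RiskEntry:
    risk_no: int
    vulnerability: str
    threat: str
    threat_level: int             # threat-source motivation and capability
    vuln_severity: int            # nature of the vulnerability
    attack_success: int           # Step 5 likelihood input
    criticality: int              # Step 6 impact input
    countermeasures: int          # Step 4 control analysis output
    control_effectiveness: float  # 0.0..1.0 share of inherent risk removed
    probability: float            # probability of the loss event (per year, assumed)
    loss: float                   # single-occurrence loss in currency units
    recommendation: str           # Step 8 output


def quantitative_risk(probability: float, loss: float) -> float:
    """Deck formula: Risk = Probability of Loss x Loss (an expected loss)."""
    if not 0.0 <= probability <= 1.0 or loss < 0:
        raise ValueError("probability must be within [0, 1] and loss >= 0")
    return probability * loss


def qualitative_risk(attack_success: int, criticality: int, countermeasures: int) -> int:
    """Deck formula: Risk = (Attack Success + Criticality) - Countermeasures.
    Clamped at 0 so strong countermeasures cannot produce a negative risk."""
    return max(0, attack_success + criticality - countermeasures)


def inherent_risk(threat_level: int, vuln_severity: int) -> int:
    """Deck formula: Inherent Risk = threats x vulnerability."""
    return threat_level * vuln_severity


def residual_risk(inherent: float, control_effectiveness: float) -> float:
    """Deck formula: Residual Risk = Inherent Risk x Control Risk. Control Risk
    is read here (assumption) as the share the controls fail to remove."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control_effectiveness must be within [0, 1]")
    return inherent * (1.0 - control_effectiveness)


def overall_rating(score: int) -> str:
    """Maps the qualitative score (0..6) to Low/Medium/High. The thresholds
    are an assumption of this example, not NIST's likelihood/impact matrix."""
    if score >= 4:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def build_report(entries):
    """One row per risk in the template's columns, highest overall risk first
    so the worst items lead the report."""
    rows = []
    for e in entries:
        score = qualitative_risk(e.attack_success, e.criticality, e.countermeasures)
        rows.append({
            "Risk No.": e.risk_no,
            "Vulnerability": e.vulnerability,
            "Threat": e.threat,
            "Risk Likelihood Rating": RATING[e.attack_success],
            "Risk Impact Rating": RATING[e.criticality],
            "Overall Risk Rating": overall_rating(score),
            "Qualitative Score": score,
            "Expected Loss": quantitative_risk(e.probability, e.loss),
            "Residual Risk": residual_risk(
                inherent_risk(e.threat_level, e.vuln_severity), e.control_effectiveness),
            "Recommendations": e.recommendation,
        })
    rows.sort(key=lambda r: (-r["Qualitative Score"], -r["Expected Loss"]))
    return rows


# Constructed sample register: illustrative values, not real findings
SAMPLE_REGISTER = [
    RiskEntry(1, "Weak password policy on remote-access gateway",
              "Password guessing for unauthorized access",
              3, 3, 3, 3, 1, 0.25, 0.30, 200_000.0,
              "Enforce strong passwords and lockout; alert on failed logins"),
    RiskEntry(2, "Border router forwards directed broadcasts",
              "DDoS traffic amplified through the site network",
              2, 2, 2, 2, 2, 0.75, 0.10, 50_000.0,
              "Disable directed-broadcast forwarding"),
    RiskEntry(3, "File server backups never restore-tested",
              "Equipment failure",
              1, 3, 1, 3, 3, 0.90, 0.05, 80_000.0,
              "Schedule quarterly restore tests"),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_REGISTER):
        print(row["Risk No."], row["Overall Risk Rating"], row["Expected Loss"],
              round(row["Residual Risk"], 2))
```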
Residual Risk (cont'd)
The relationship between control implementation and residual risk is illustrated by a flowchart (not reproduced here)
Source: http://csrc.nist.gov/
Risk Management Tools
• CRAMM
• Acuity STREAM
• Callio Secura 17799
• EAR / Pilar
CRAMM
http://www.cramm.com/
CRAMM helps in assessing, designing, and managing information security strategy
CRAMM is based on the UK Government's preferred risk assessment methodology
Features:
• A comprehensive risk assessment tool in compliance with ISO 27001
• Supports information security managers to plan and manage security
• Tool wizards create pro-forma information security policies and other related documentation
• Supports key processes in business continuity management
• A database of over 3000 security controls referenced to relevant risks and ranked by effectiveness and cost
Working of CRAMM
CRAMM provides a staged approach embracing both technical (e.g. IT hardware and software) and non-technical (e.g. physical and human) aspects of security
CRAMM follows a three stage approach:
Asset identification and valuation
• CRAMM enables the reviewer to identify the physical (e.g. IT hardware), software (e.g. application packages), data (e.g. the information held on the IT system) and location assets that make up the information system
• Data and software assets are valued in terms of the impact that would result if the information were to be unavailable, destroyed, disclosed or modified
Threat and vulnerability assessment
• CRAMM covers the full range of deliberate and accidental threats that may affect information systems including hacking, viruses, failures of equipment or software, willful damage or terrorism and errors by people
Countermeasure selection and recommendation
• CRAMM contains a large countermeasure library consisting of over 3000 detailed countermeasures organized into over 70 logical groupings
CRAMM: Screenshot (not reproduced here)
Acuity STREAM
http://www.acuityrm.com/
STREAM automates the complex processes involved in managing compliance with standards and delivering effective risk management
It is a multi-concurrent user, role based software tool, with a central database, used in real-time by risk managers, risk analysts, business stakeholders, control owners, and internal auditors
It provides information for senior managers on the status of compliance across the business with key control standards, and on the level of residual risk measured in relation to defined business appetites
Components of STREAM (diagram not reproduced here)
STREAM: Screenshot (not reproduced here)
Callio Secura 17799
http://www.callio.com/
Callio Secura 17799 is software that enables companies to comply with the ISO 17799/BS 7799 information security management standard
It helps in:
• Managing threats, vulnerabilities and controls
• Managing various types of evaluation criteria, such as confidentiality, availability, integrity and legal compliance
• Customizing the vulnerability, occurrence and criterion scales used during the asset evaluation and risk assessment processes
• Verifying level of compliance with ISO 17799 (gap analysis)
• Compiling an inventory of your company's most important assets
• Defining the structures and processes within your ISMS
• Mitigating the risks to each asset
• Defining scenarios for the implementation of controls
• Drafting security policies
• Managing policy documents
• Making policies, standards and procedures electronically available
• Verifying whether the ISMS meets the requirements for BS 7799-2 certification
• Documenting and justifying the application of the ISO 17799 standard's 127 controls to the management framework
Screenshot: Callio Secura 17799 (not reproduced here)
• Define an unlimited number of teams that manage access to document management
• Define user roles within each team
• Link teams with any ISMS
EAR / Pilar
http://www.ar-tools.com/
EAR / PILAR is designed to support the risk management process over long periods, providing incremental analysis as the safeguards improve
Its functionalities include:
• Quantitative and qualitative risk analysis
• Management of quantitative and qualitative business impact analysis & continuity of operations
Screenshots: Pilar (not reproduced here)
Summary
Risk is defined as the probability or threat of an incident
Risk policy is a set of ideas to be implemented to overcome the risk
Risk assessment is identifying the resources that pose a threat to the business or project environment
Risk analysis involves the process of defining and evaluating the dangers
Risk mitigation involves implementing the risk reducing controls that reduce the level of the risk
Sample EC-Council Certified Incident Handler Version 1
Module V: Handling Network Security Incident
News: Microsoft Responds to Xbox Live Denial-of-service Attack
Source: www.arstechnica.com
Module Objective
This module will familiarize you with:
• Handling Denial-of-Service Incidents
• Handling Unauthorized Access Incidents
• Handling Inappropriate Usage Incidents
• Handling Multiple Component Incidents
Module Flow
Denial-of-Service Incidents
Detecting DoS Attacks
Incident Handling Preparation for DoS
Preventing DoS Incidents
DoS Response Strategies
Unauthorized Access Incident
Detecting Unauthorized Access Incident
Preventing Unauthorized Access Incident
Inappropriate Usage Incidents
Detecting Inappropriate Usage Incidents
Prevention of Inappropriate Usage Incidents
Handling and Prevention of Inappropriate Usage Incidents
Multiple Component Incidents
Containment Strategy for Multiple Component Incidents
Handling Denial-of-Service Incidents
Denial-of-Service Incidents
A Denial-of-Service (DoS) attack prevents authorized users from accessing networks, systems, or applications by exhausting the network resources
A DoS attack involves:
• Consuming all available bandwidth by generating huge network traffic
• Making many processor-intensive requests so that the server's processing resources are fully consumed
• Sending malformed TCP/IP server requests that result in a server operating system crash
• Sending illegal requests to an application
• Establishing simultaneous login sessions to a server so that other users cannot start login sessions
• Consuming all available disk space by creating many large files
Distributed Denial-of-Service Attack
A Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems, known as a botnet, attack a single target to cause a Denial-of-Service for the users of the targeted system
In a DDoS attack, attackers first infect multiple systems called zombies, which are then used to attack a particular target
• Attacker infects handler systems
• Handler systems then infect numerous systems (zombies)
• Zombies then attack the target system together
Detecting DoS Attack
Indications of a network-based DoS attack:
• Reports from users regarding system and service unavailability
• Unexplained connection losses
• Alert from a network intrusion detection system
• Alert from a host intrusion detection system
• Increase in utilization of the network's bandwidth
• A host having a large number of connections
• Asymmetric network traffic pattern
• Unusual log entries of firewall, router, and OS
• Data packets with unusual source addresses
• Data packets with unusual destination addresses
Incident Handling Preparation for DoS
1. Contact Internet Service Providers (ISP) and their second tier agents to determine how they can help in handling a network based DoS attack
2. Contact organizations such as CERT and the Internet Crime Complaint Center (IC3) for help in handling the DoS attack
3. Configure and deploy IDS (Intrusion Detection System) and prevention software to detect DoS traffic
4. Perform ongoing resource monitoring to establish the network bandwidth utilization
5. Check various web sites that provide statistics on latency between various ISPs and between various physical locations, which is referred to as Internet health monitoring
6. Discuss with network infrastructure administrators the method by which they can assist in analyzing and containing network-based DoS and DDoS attacks
7. Create and maintain updated documentation of the incident handling process
DoS Response Strategies Absorbing the attack • Using additional capacity to absorb attack; it requires preplanning and additional resources
Degrading services • Identifying critical services and stopping n on critical services
Shutting down the services • Shut down all the services until the attack has subsided
Preventing a DoS Incident
The network perimeter should be configured so that it denies all incoming and outgoing traffic/services that are not required
A DoS attack can be prevented:
• By blocking the Echo service, which is used for DoS attacks
• Through filtering and blocking at the entrance and exit ports
• By blocking traffic from unassigned IP address ranges
• By following the firewall rules and router access control lists to block traffic properly
• By configuring the border routers so that directed broadcasts are not forwarded
• By limiting incoming and outgoing ICMP traffic to the necessary types and codes
• By blocking outgoing connections to common IRC, peer-to-peer service, and instant messaging ports if the usage of such services is not permitted
Preventing a DoS Incident (cont’d)
Restrict certain protocols, such as ICMP, to consume only a pre-determined percentage of the total bandwidth
Implement redundancy for key functions
Make sure that networks or systems are not running at threshold capacity, since it would then be easy for a minor DoS attack to take up the remaining resources
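The bandwidth cap on a single protocol described above is normally enforced by a token-bucket policer. The Python model below is an added example, not EC-Council material: it allows ICMP only a fixed share of an assumed 10 Mbit/s link and lets all other traffic through, then replays a constructed one-second stream containing an ICMP flood interleaved with ordinary TCP packets. The link rate, the 5% share, and the packet stream are assumptions.

```python
class ProtocolPolicer:
    """Token bucket that caps `protocol` at `share` of `link_bps`; other protocols pass unpoliced."""

    def __init__(self, link_bps, protocol, share, burst_bytes=None):
        self.protocol = protocol
        self.rate_bytes = link_bps * share / 8.0       # bytes per second granted to the protocol
        # Bucket depth defaults to one second of the allowed rate (assumed burst allowance)
        self.burst = burst_bytes if burst_bytes is not None else self.rate_bytes
        self.tokens = self.burst
        self.last_ts = 0.0
        self.accepted = {"policed": 0, "other": 0}
        self.dropped = 0

    def _refill(self, ts):
        elapsed = max(0.0, ts - self.last_ts)
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate_bytes)
        self.last_ts = ts

    def offer(self, ts, proto, size):
        """Return True if the packet is forwarded, False if the policer drops it."""
        if proto != self.protocol:
            self.accepted["other"] += 1
            return True
        self._refill(ts)
        if self.tokens >= size:
            self.tokens -= size
            self.accepted["policed"] += 1
            return True
        self.dropped += 1
        return False


def constructed_stream():
    """One second of constructed traffic: 2000 ICMP packets of 1000 bytes (a 16 Mbit/s flood)
    with a 1000-byte TCP packet inserted after every twentieth ICMP packet (100 in total)."""
    packets = []
    for i in range(2000):
        ts = i / 2000.0
        packets.append((ts, "icmp", 1000))
        if i % 20 == 0:
            packets.append((ts, "tcp", 1000))
    return packets


def run_policer(link_bps=10_000_000, share=0.05):
    """Replay the stream through the policer and report what was forwarded and dropped."""
    policer = ProtocolPolicer(link_bps, "icmp", share)
    for ts, proto, size in constructed_stream():
        policer.offer(ts, proto, size)
    return {"icmp_accepted": policer.accepted["policed"],
            "icmp_dropped": policer.dropped,
            "tcp_accepted": policer.accepted["other"]}


if __name__ == "__main__":
    print(run_policer())
```

With a 5% share the bucket holds 62,500 bytes and refills at 62,500 bytes per second, so over the second it forwards 124 of the 2000 ICMP packets and drops the rest, while every TCP packet passes. Raising the share to 100% lets the whole flood through, which is exactly the situation the slide warns against.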
Following the Containment Strategy to Stop DoS
The exploited vulnerability or weakness should be corrected
Implement the filters after determining the method of attack
Implement the ISP filtering
Reposition the attacked host
Attack the attackers
Following the Containment Strategy to Stop DoS (cont’d)
Configure router and firewall rules
Establish a well documented method for seeking assistance from ISPs and second-tier providers in responding to network-based DoS attacks
Configure security software such as IPS and IDS to detect DoS attacks
Monitor network traffic using tools such as EtherApe, SolarWinds, and Nagios
Restrict all incoming and outgoing traffic that is not required
Prepare a containment strategy that includes several solutions in sequence
Handling Unauthorized Access Incidents
Unauthorized Access Incident
Unauthorized access is a condition where a person gains access to system and network resources that he/she was not authorized to have
Examples of unauthorized access incidents:
• Performing a remote root compromise of the email server
• Changing the web server contents
• Guessing or cracking application passwords
• Copying sensitive data without authorization
• Installing and running a packet sniffer on a workstation
• Using the FTP server to distribute pirated software and music files
• Gaining internal network access by dialing into an unsecured modem
• Accessing a workstation using a false ID
Detecting Unauthorized Access Incident
Indications of root compromise in a host:
• Suspicious tools or exploits are found
• Strange network traffic
• System configuration changes, including:
  • Modifications or additions of services
  • Unexpected open ports
  • Network interface card set to promiscuous mode
  • Unexpected system shutdowns and restarts
  • Changes in log and audit policies
  • Creation of new administrative-level user accounts or groups
Detecting Unauthorized Access Incident (cont’d)
Indications of root compromise in a host:
• Changes in significant files such as OS files and system libraries
• Usage of a secret account
• Increase in resource usage
• User reports of system unavailability
• Alerts from network and host intrusion detection
• Creation of new files or directories with unusual names
• Log messages of the operating system and applications
• Attackers announcing that they have compromised a host
Detecting Unauthorized Access Incident (cont’d)
Unauthorized data modification:
• Alerts from network and host IDS
• Increase in resource usage
• User reports of unexpected data modifications
• Changes in critical files
• Creation of new files or directories with unusual names
Unauthorized usage of a standard user account:
• Unauthorized access attempts to important files
• Usage of a secret account
• Web proxy log entries showing the downloading of the attacker's tools
Detecting Unauthorized Access Incident (cont’d)
Physical intruder:
• User reports of network or system unavailability
• System status changes
• Misplaced hardware parts
• Unauthorized hardware found
Unauthorized data access:
• IDS, IPS, and firewall alerts for data access through FTP, HTTP, and other protocols
• Log entries showing access attempts to critical files
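Most of the root-compromise indications in the preceding slides (new administrative accounts, added services, unexpected open ports, a NIC in promiscuous mode, weakened audit policy, changed system files, unexplained restarts) are found by comparing a host's current state with a known-good baseline. The Python script below is an added example, not EC-Council material; the snapshot schema and both snapshots are constructed, and real snapshots would be collected from the host's account database, service list, socket table, interface flags, and file hashes.

```python
import hashlib


def content_hash(content):
    """Stand-in for hashing a file's bytes; in this example the 'file' is a constructed string."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed known-good snapshot of a host, taken before the incident
BASELINE = {
    "admin_members": {"root", "alice"},
    "services": {"sshd", "cron", "rsyslog"},
    "listening_ports": {22, 514},
    "promisc_ifaces": set(),
    "audit_policy": {"log_auth": True, "log_sudo": True},
    "file_hashes": {"/bin/ls": content_hash("ls-v1"), "/etc/passwd": content_hash("passwd-v1")},
    "boots": 1,
}

# Constructed snapshot of the same host after a suspected root compromise
CURRENT = {
    "admin_members": {"root", "alice", "svc_backup"},       # new admin-level account
    "services": {"sshd", "cron", "rsyslog", "rshd"},         # added service
    "listening_ports": {22, 514, 31337},                     # unexpected open port
    "promisc_ifaces": {"eth0"},                              # NIC in promiscuous mode
    "audit_policy": {"log_auth": True, "log_sudo": False},   # audit policy weakened
    "file_hashes": {"/bin/ls": content_hash("ls-trojaned"), "/etc/passwd": content_hash("passwd-v1")},
    "boots": 3,                                              # unexplained restarts
}


def compare(baseline, current):
    """Return (indicator, detail) tuples for every drift from the baseline; empty list means none."""
    findings = []
    for user in sorted(current["admin_members"] - baseline["admin_members"]):
        findings.append(("new_admin_account", user))
    for svc in sorted(current["services"] - baseline["services"]):
        findings.append(("service_added", svc))
    for port in sorted(current["listening_ports"] - baseline["listening_ports"]):
        findings.append(("unexpected_open_port", port))
    for iface in sorted(current["promisc_ifaces"] - baseline["promisc_ifaces"]):
        findings.append(("promiscuous_mode", iface))
    for key, value in baseline["audit_policy"].items():
        if current["audit_policy"].get(key) != value:
            findings.append(("audit_policy_changed", key))
    for path, digest in baseline["file_hashes"].items():
        if current["file_hashes"].get(path) != digest:
            findings.append(("critical_file_changed", path))
    if current["boots"] > baseline["boots"]:
        findings.append(("unexpected_restarts", current["boots"] - baseline["boots"]))
    return findings


if __name__ == "__main__":
    for finding in compare(BASELINE, CURRENT):
        print(finding)
```

The comparison is only as trustworthy as the baseline: it must be captured while the host is known clean and stored away from the host, since a root-level attacker can rewrite anything kept locally. The same logic applies to the centralized-logging preparation step that follows.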
Incident Handling Preparation
1. Configure network-based and host-based IDPS to identify and alert on any attempt to gain unauthorized access
2. Use centralized log servers so that the important information from hosts across the organization is stored in a single safe location
3. A well documented password policy should be created for all users of applications, systems, trust domains, or the organization
4. Make system administrators aware of their responsibilities in handling unauthorized access incidents
Incident Prevention
Network Security
• Design the network in such a way that it blocks suspicious traffic
• Properly secure all remote access methods, including modems and VPNs
• Move all publicly accessible systems and services to a secured Demilitarized Zone (DMZ)
• Use private IP addresses for all hosts located on internal networks
Incident Prevention (cont’d)
Host Security
• Perform regular vulnerability assessments to identify serious risks and mitigate them to an acceptable level
• Disable all unwanted services on hosts
• Run services with the least privileges possible to reduce the immediate impact of successful exploits
• Use host-based/personal firewall software to limit the individual hosts' exposure to attacks
• Limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens automatically and asking users to log off before leaving the office
• Regularly verify the permission settings for critical resources, including password files, sensitive databases, and public web pages
Incident Prevention (cont’d)
Authentication and Authorization
• Prepare an appropriate password policy
• Strong authentication should be required for accessing critical resources
• Create authentication and authorization standards for employees and contractors to follow when evaluating or developing software
• Establish procedures for provisioning and de-provisioning user accounts
Incident Prevention (cont’d)
Physical Security
• Restrict access to critical resources by implementing physical security measures
Following the Containment Strategy to Stop Unauthorized Access
Isolate the affected systems
Disable the affected service
Eliminate the attacker's route into the network
Disable user accounts that may have been used in the attack
Enhance physical security measures
Eradication and Recovery
Eradicate the incident:
• Identify and mitigate all vulnerabilities that were exploited
• Patch the systems
• Remove components of the incident from systems
Recover from the incident:
• Return affected systems to an operations-ready state
• Confirm that the affected systems are functioning normally
• Implement additional monitoring to look for related activity in the future
• Formulate and regularly update security policies
Recommendations
Install an IDS to alert on unauthorized access attempts
Configure centralized logging for all users
Establish a password security policy such that users change their passwords regularly
Design the network in such a way that it blocks suspicious traffic
Secure all remote access methods, including VPNs
Use a DMZ to host publicly accessed systems and services
Recommendations (cont’d)
Disable unwanted services
Install host-based firewall software to limit the individual hosts' exposure to attacks
Create and implement a password policy
Provide the details of management changes to the IRT
Select mitigation strategies considering both short- and long-term business objectives
Restore or reinstall systems that appear to have suffered a root compromise
Handling Inappropriate Usage Incidents
Inappropriate Usage Incidents
An inappropriate usage incident occurs when a user performs actions that violate the acceptable computing use policies
Examples:
• Installing password cracking tools
• Downloading pornographic material
• Sending spam mails which promote a personal business
• Sending emails to colleagues which irritate them
• Hosting unauthorized websites on the company's computer
• Using sharing services to distribute or acquire pirated materials
• Sending critical data outside the company
Inappropriate Usage Incidents (cont’d)
Inappropriate usage incidents directed at outside parties may cause more loss to organizations in the form of damage to reputation and legal liabilities
Examples:
• An internal user changing the content of another organization's public website
• An internal user purchasing items from online retailers using stolen credit card numbers
• Sending email to a third party with a spoofed source email address from the company
• Performing a DoS attack against another organization using the company's resources
Detecting Inappropriate Usage Incidents
Unauthorized service usage:
• Alert from the intrusion detection system
• Unusual network traffic
• Installation of new processes and software running on a host
• Creation of new files or directories with abnormal names
• Increase in resource utilization
• User reports
• Application log entries
Access to inappropriate materials:
• Alert from the intrusion detection system
• User reports
• Application log entries
• Inappropriate files on computers, servers, and removable media
Attack against an external party:
• Alert from the intrusion detection system
• Reports from the outside party
• Network, host, and application log entries
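Three of the indications above (use of an unauthorized service, a suspicious file download, and an outbound attack or reconnaissance from an internal host) can be picked out of ordinary firewall and web-proxy logs. The Python script below is an added example, not EC-Council material: it reads constructed key=value log lines, flags connections to IRC, BitTorrent, and AIM/ICQ ports on the assumption that the policy does not permit them, flags proxy downloads of executable file types, and flags one internal source reaching many external hosts on the same port. The log format, port table, extension list, and fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S+)")

# Ports of services assumed to be prohibited by the acceptable use policy
BLOCKED_SERVICES = {6667: "IRC", 5190: "AIM/ICQ", **{p: "BitTorrent" for p in range(6881, 6890)}}
# Downloaded file types treated as suspicious (assumed list)
SUSPICIOUS_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".vbs")
# Distinct external hosts one internal source may touch on a single port before it is flagged
SCAN_FANOUT = 20


def constructed_log():
    """Constructed firewall (FW) and web-proxy (PROXY) lines in a key=value layout."""
    lines = [
        "10:00:05 FW src=192.168.1.10 dst=203.0.113.7 dport=443 action=allow",
        "10:00:06 PROXY user=alice src=192.168.1.10 url=http://www.example.com/index.html status=200",
        "10:01:00 FW src=192.168.1.20 dst=203.0.113.5 dport=6667 action=allow",
        "10:01:30 FW src=192.168.1.20 dst=203.0.113.6 dport=6881 action=allow",
        "10:02:00 PROXY user=bob src=192.168.1.20 url=http://files.example.net/tools/cracker.exe status=200",
    ]
    # one workstation probing port 445 on 25 consecutive external addresses
    for i in range(1, 26):
        lines.append(f"10:03:{i:02d} FW src=192.168.1.30 dst=198.51.100.{i} dport=445 action=allow")
    return lines


def parse(line):
    """Split 'timestamp SOURCE key=value ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields.update(ts=ts, kind=kind)
    return fields


def detect(lines):
    """Return (indicator, who, detail) tuples for policy violations found in the lines."""
    findings = []
    fanout = defaultdict(set)          # (src, dport) -> distinct destinations
    for rec in map(parse, lines):
        if rec["kind"] == "FW":
            port = int(rec["dport"])
            if port in BLOCKED_SERVICES:
                findings.append(("unauthorized_service", rec["src"], BLOCKED_SERVICES[port]))
            fanout[(rec["src"], port)].add(rec["dst"])
        elif rec["kind"] == "PROXY":
            path = rec["url"].split("?", 1)[0].lower()
            if path.endswith(SUSPICIOUS_EXTENSIONS):
                findings.append(("suspicious_download", rec["user"], rec["url"]))
    for (src, port), dsts in fanout.items():
        if len(dsts) >= SCAN_FANOUT:
            findings.append(("outbound_scan", src, f"{len(dsts)} hosts on port {port}"))
    return findings


if __name__ == "__main__":
    for finding in detect(constructed_log()):
        print(finding)
```

The proxy check uses the URL path only, so a query string cannot hide the extension, and the fan-out check is computed per source and port so that a host legitimately talking to many web servers on 443 is not confused with one sweeping 445 across a range. Hits from the unauthorized-service and download checks should be handled with the HR and legal coordination the next slides describe, since they concern individual users.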
Incident Handling Preparation
Formulate security policies in coordination with the human resources and legal department representatives to handle inappropriate usage incidents
Discuss internal users' behavior with members of the organization's physical security team
Meet with the concerned person in the legal department regarding liability issues, particularly for those types of incidents that are targeted at outside parties
Incident Handling Preparation (cont’d)
Install IDS, email content filtering software, anti-virus, and other security control tools to identify certain types of activity, including:
• Using unauthorized services like peer-to-peer file and music sharing
• Spam
• Files with suspicious file extensions
• Reconnaissance activity
• Outbound attacks
Log user activities such as FTP commands, web requests, and email headers
Incident Prevention
Install firewall and intrusion detection and prevention systems to block the use of services which violate the organization's policy
Configure the email servers in such a way that they cannot be used for sending spam
Install spam filter software
Filter URLs to prevent access to inappropriate websites
Implement outbound connections that use encrypted protocols such as HTTP Secure, Secure Shell, and IP Security
Recommendations
Meet with the human resources and legal department representatives to discuss the handling of inappropriate usage incidents
Meet with the representative of the organization's legal department to discuss liability issues
Install an IDS to detect certain types of inappropriate usage
Log user activity
Filter the email server to prevent relaying of unauthorized mail
Use spam filter software to filter spam on the email server
Install URL filtering software
Handling Multiple Com ponent Incidents
Multiple Component Incidents
Multiple component incidents consist of a combination of two or more attacks on a system
Example of a multiple component incident:
• A malicious code attack using email
• Additional workstations and servers get infected with that malicious code by the attacker
• These workstations can be used by the attacker as hosts to launch a DDoS attack against another organization
Multiple Com ponent Incidents (cont’d)
Preparation for Multiple Component Incidents
It is difficult to analyze multiple component incidents, since the incident handler may not be aware that the incident is composed of several stages
Ask the incident handling team to review scenarios involving multiple component incidents
Centralized logging and IDS software should be used to analyze the incident
When all the precursors and indications are accessible from a single point, the incident handler must consider whether the incident has multiple components
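Having all indications in one place only helps if they are correlated across sources. The Python script below is an added example, not EC-Council material, that walks the three-stage scenario from the earlier slide (malicious email, spread of the same artifact to other hosts, outbound DDoS from the infected hosts) over a constructed, centralized event list from a mail gateway, a host IDS, and a network IDS. The event schema, host names, artifact name, and the two-hour correlation window are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # assumed: how long after the first infection spread is still linked

# Constructed events: (time, source, host, category, detail)
EVENTS = [
    ("2009-04-22 09:00", "mailgw", "ws-17", "malware_email", "Trojan.Agent attachment delivered"),
    ("2009-04-22 09:05", "hids", "ws-17", "new_process", "c:\\temp\\svch0st.exe"),
    ("2009-04-22 09:20", "hids", "ws-22", "new_process", "c:\\temp\\svch0st.exe"),
    ("2009-04-22 09:25", "hids", "srv-03", "new_process", "c:\\temp\\svch0st.exe"),
    ("2009-04-22 10:10", "nids", "ws-17", "outbound_flood", "SYN flood to 203.0.113.9"),
    ("2009-04-22 10:11", "nids", "ws-22", "outbound_flood", "SYN flood to 203.0.113.9"),
    ("2009-04-22 15:00", "hids", "ws-40", "new_process", "setup.exe"),   # unrelated install
]


def correlate(events):
    """Group events into the components of one incident; returns a dict of components."""
    parsed = sorted(
        ((datetime.strptime(t, "%Y-%m-%d %H:%M"), src, host, cat, detail)
         for t, src, host, cat, detail in events),
        key=lambda e: e[0])
    components = {"initial_vector": [], "spread": [], "outbound_attack": []}
    infected = {}         # host -> time of first evidence of infection
    artifacts = set()     # process names first seen on hosts that received the malicious email

    # Stage 1: hosts that received malicious code by email
    for t, _src, host, cat, _detail in parsed:
        if cat == "malware_email":
            infected.setdefault(host, t)
            components["initial_vector"].append(host)
    # Artifacts dropped on those hosts become the fingerprint for stage 2
    for _t, _src, host, cat, detail in parsed:
        if cat == "new_process" and host in components["initial_vector"]:
            artifacts.add(detail)
    # Stage 2: the same artifact appearing on other hosts within the window
    for t, _src, host, cat, detail in parsed:
        if (cat == "new_process" and detail in artifacts and host not in infected
                and t - min(infected.values()) <= WINDOW):
            infected[host] = t
            components["spread"].append(host)
    # Stage 3: infected hosts attacking an outside party
    for _t, _src, host, cat, detail in parsed:
        if cat == "outbound_flood" and host in infected:
            components["outbound_attack"].append((host, detail))

    stages_seen = sum(1 for k in ("initial_vector", "spread", "outbound_attack") if components[k])
    components["is_multiple_component"] = stages_seen >= 2
    return components


if __name__ == "__main__":
    for key, value in correlate(EVENTS).items():
        print(key, value)
```

Run on its own the network IDS alert at 10:10 looks like a single DoS incident; the correlation ties it back to the email on ws-17 an hour earlier and to two further hosts carrying the same artifact, which is the multiple-component picture the slide says the handler must look for. The unrelated installer on ws-40 is left out because its process name never appeared on an infected host.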
Following the Containment Strategy to Stop Multiple Component Incidents
Any incident can turn out to be a multiple component incident; hence the incident handler should not stop after finding signs of a particular incident
Discovering and containing all components of an incident requires extra time and effort
Good and experienced handlers can judge whether an incident has other components
Recommendations
Use centralized logging and event correlation software
Search for signs of other components after controlling the incident
Prioritize the handling of each incident component separately
Network Traffic Monitoring Tools
ntop http://www.ntop.org/
ntop is a network traffic probe that shows network usage, similar to what the popular top Unix command does
Features:
• Sort network traffic according to many protocols
• Show network traffic sorted according to various criteria
• Display traffic statistics
• Store persistent traffic statistics on disk in RRD format
• Identify the identity (e.g., email address) of computer users
• Passively (i.e., without sending probe packets) identify the host OS
• Show IP traffic distribution among the various protocols
ntop: Screenshot
EtherApe http://etherape.sourceforge.net/
EtherApe is a graphical network monitor for Unix that displays network activity graphically
It can filter the traffic to be shown and can read traffic from a file as well as live from the network
Features:
• Data display can be refined using a network filter
• Name resolution is done using standard libc functions
• Protocol summary dialog shows global traffic statistics by protocol
• Live data can be read from Ethernet, FDDI, PPP, and SLIP interfaces
• Clicking on a node/link opens a detail dialog showing protocol breakdown and other traffic statistics
EtherApe: Screenshot
Ngrep http://ngrep.sourceforge.net/
ngrep is a pcap-aware tool that allows you to specify extended regular or hexadecimal expressions to match against the data payloads of packets
It is used to debug plaintext protocol interactions such as HTTP, SMTP, FTP, etc., and to identify and analyze anomalous network communications
It can also be used for the more mundane plaintext credential collection, as with HTTP Basic Authentication, FTP, or POP3 authentication
SolarWinds: Orion NetFlow Traffic Analyzer http://www.solarwinds.com/
Orion NetFlow Traffic Analyzer (NTA) analyzes NetFlow, J-Flow, and sFlow data and performs CBQoS monitoring to deliver a complete picture of network traffic
It enables you to quantify exactly how your network is being used, by whom, and for what purpose
Features:
• Quickly and easily identifies which users, applications, and protocols are consuming the most network bandwidth
• Monitors network traffic by capturing flow data from network devices
• Performs Class-Based Quality of Service (CBQoS) monitoring to ensure that your traffic prioritization policies are effective
• Enables you to quickly drill down into traffic on specific network elements
• Generates network traffic reports
SolarWinds: Orion NetFlow Traffic Analyzer: Screenshot 1
SolarWinds: Orion NetFlow Traffic Analyzer: Screenshot 2
Nagios: op5 Monitor http://www.op5.com/
op5 Monitor is an easy-to-use network monitoring system that finds and handles any problems that may arise in your IT environment
It creates a comprehensive, easy-to-understand overview that enables simple root cause analysis
It helps you identify the primary cause of potential problems in your network before major damage is done
It communicates with devices on the network and collects data about their operational status
Nagios: op5 Monitor (cont’d)
Features:
• Capable of monitoring network devices, workstations, servers, services, and software applications
• Automatic back-up and restore of specific configuration files
• Enhanced security with SSL encryption and multi-user access capabilities
• Monitor all layers of virtual environments from one tactical overview
• Enables users to define exceptions in a given time period
• Easy-to-use graphical user interface (GUI) for management and configuration
• Notifications and escalations sent via email, SMS, and pager
• Schedule functionality with automatic weekly and monthly email distribution in PDF format
op5 Monitor: Screenshot 1
op5 Monitor: Screenshot 2
CyberCop Scanner http://www.nss.co.uk/
CyberCop Scanner is a network security assessment component that can scan devices on the network for more than 700 vulnerabilities
It can be configured to search for the vulnerabilities that are of particular concern according to the corporate security policy
It is known as a sensor component because it is essentially concerned with monitoring and collecting data
It can run on either a Windows (NT or 2000) or Unix (Red Hat Linux) platform
CyberCop Scanner (cont’d)
Reporting and analysis:
• Allows comparison of results for two hosts specified by IP address
• Allows comparison of results for two scan sessions specified by date and time
• Provides a graphical summary report with pie charts for different report categories (Complexity, Ease of Fix, Impact, Popularity, Risk Factor, Root Cause)
• Displays results by the difficulty involved in exploiting a vulnerability (Low, Medium, High)
• Displays results by the specific threat posed by a vulnerability (System Integrity, Confidentiality, Accountability, Data Integrity, Authorization, Availability, Intelligence)
• Displays results by the likelihood that a vulnerability will be exploited (Obscure, Widespread, Popular)
CyberCop Scanner: Screenshot 1
CyberCop Scanner: Screenshot 2
Network Auditing Tools
Nessus http://www.nessus.org/
The Nessus vulnerability scanner is an active scanner featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of your security posture
It can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks
Features:
• Credentialed and un-credentialed port scanning
• Network-based vulnerability scanning
• Credential-based patch audits for Windows and most UNIX platforms
• Credentialed configuration auditing of most Windows and UNIX platforms
• Custom and embedded web application vulnerability testing
Nessus: Screenshot
Security Administrator's Integrated Network Tool (SAINT) http://www.saintcorporation.com/
SAINT is a vulnerability scanner that scans the network to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network
The SAINT vulnerability scanner can:
• Detect and fix possible weaknesses in your network's security before they can be exploited by intruders
• Anticipate and prevent common system vulnerabilities
• Demonstrate compliance with current government regulations such as FISMA, SOX, GLBA, HIPAA, and COPPA, and with industry regulations such as PCI DSS
Security Administrator's Integrated Network Tool (SAINT) (cont’d)
Features:
• Lets you exploit vulnerabilities found by the scanner with the integrated penetration testing tool, SAINTexploit™
• Shows you how to fix the vulnerabilities, and where to begin remediation efforts: with the exploitable vulnerabilities
• Lets you scan and exploit both IPv4 and IPv6 addresses
• Shows you if the network is compliant with PCI security standards
• Allows you to design and generate vulnerability assessment reports quickly and easily
• Shows you if your network security is improving over time by using the trend analysis report
• Provides automatic updates at least every two weeks, or sooner for a critical vulnerability announcement
SAINT: Screenshot
Security Auditor's Research Assistant (SARA) http://www-arc.com/
Security Auditor's Research Assistant (SARA) is a third-generation network security analysis tool
Features:
• Operates under Unix, Linux, Mac OS X, or Windows (through coLinux)
• Integrates the National Vulnerability Database (NVD)
• Performs SQL injection tests
• Performs exhaustive XSS tests
• CVE standards support
• Supports remote self scan and API facilities
SARA: Screenshot
Nmap http://nmap.org/
Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing
It rapidly scans large networks and runs on all major computer operating systems
It uses raw IP packets in novel ways to determine:
• What hosts are available on the network
• What services (application name and version) those hosts are offering
• What operating systems (and OS versions) they are running
• What type of packet filters/firewalls are in use
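For an incident handler the useful output of those four determinations is an asset inventory that can be compared with the previous scan. The Python script below is an added example, not Nmap's or EC-Council's code: it parses an excerpt written in the layout of Nmap's XML output (`nmap -oX`) into a per-host inventory of open and filtered ports, service banners and OS match, and diffs it against an earlier inventory to surface new hosts and newly open ports. The XML excerpt, its addresses and the earlier inventory are all constructed.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the layout of `nmap -oX` output; every value is invented.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/>
        <service name="telnet" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="90"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {hostname, os, open_ports, filtered_ports}} for every host that is up.
    Port records are (port, protocol, service name, 'product version') tuples."""
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next(a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        entry = {"hostname": hostname.get("name") if hostname is not None else None,
                 "os": osmatch.get("name") if osmatch is not None else None,
                 "open_ports": [], "filtered_ports": []}
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name") if svc is not None else None
            banner = " ".join(x for x in (svc.get("product"), svc.get("version")) if x) if svc is not None else ""
            record = (int(port.get("portid")), port.get("protocol"), name, banner)
            if state == "open":
                entry["open_ports"].append(record)
            elif state == "filtered":
                entry["filtered_ports"].append(record)
        inventory[addr] = entry
    return inventory


def constructed_baseline():
    """Inventory from an earlier (constructed) scan: only web01 with SSH open, no second host."""
    return {"192.0.2.10": {"hostname": "web01.example.test", "os": "Linux 4.15 - 5.6",
                           "open_ports": [(22, "tcp", "ssh", "OpenSSH 7.4")], "filtered_ports": []}}


def diff_inventory(baseline, current):
    """List hosts and open ports present now that were absent from the baseline scan."""
    changes = []
    for ip, entry in current.items():
        if ip not in baseline:
            changes.append(("new_host", ip))
            continue
        before = {(p, proto) for p, proto, _, _ in baseline[ip]["open_ports"]}
        for p, proto, name, _ in entry["open_ports"]:
            if (p, proto) not in before:
                changes.append(("new_open_port", f"{ip}:{p}/{proto} {name}"))
    return changes


if __name__ == "__main__":
    for change in diff_inventory(constructed_baseline(), parse_nmap_xml(SAMPLE_XML)):
        print(change)
```

Against the constructed baseline the diff reports a new HTTP listener on web01 and a previously unseen host on 192.0.2.11; the filtered telnet port is kept in the inventory but not treated as a change, since "filtered" only says that a packet filter is in the way. Scanning must stay within the scope the organization has authorized, and a scan run from inside a DoS-affected network should be scheduled so that it does not add to the load.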
Nm ap: Screenshot
Netcat http://netcat.sourceforge.net/
Netcat is a featured networking utility which reads and writes data across network connections using the TCP/IP protocol
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts
Features:
• Outbound and inbound connections, TCP or UDP, to or from any port
• Featured tunneling mode which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters
• Built-in port-scanning capabilities with randomizer
Wireshark http://www.wireshark.org/
Wireshark is a network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions
Features:
• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• Read/write many different capture file formats
• Capture files compressed with gzip can be decompressed on the fly
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Wireshark: Screenshot
Argus - Audit Record Generation and Utilization System http://www.qosient.com/argus/
Argus, the network audit record generation and utilization system, supports network operations, performance, and security management
It processes packets (either capture files or live packet data) and generates detailed status reports of the 'flows' that it detects in the packet stream
For many sites, it is used to establish network activity audits that are then used to supplement traditional IDS-based network security
The Argus audit data is used for network forensics, non-repudiation, and network asset and service inventory
Snort http://www.snort.org/
Snort is an open source network intrusion prevention and detection system (IDS/IPS)
It uses a rule-driven language which combines the benefits of signature, protocol, and anomaly-based inspection methods
It is capable of performing real-time traffic analysis and packet logging on IP networks
It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes
Snort: Screenshot
Network Protection Tools
Iptables http://www.netfilter.org/
iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset
The iptables package includes ip6tables, which is used for configuring the IPv6 packet filter
It requires a kernel that features the ip_tables packet filter
Features:
• Listing the contents of the packet filter ruleset
• Adding/removing/modifying rules in the packet filter ruleset
• Listing/zeroing per-rule counters of the packet filter ruleset
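The Python script below is an added example (not netfilter project code and not EC-Council material) that ties the iptables description here to the DoS prevention slides earlier in the module: it generates a deny-by-default ruleset for a border host that drops traffic from unassigned and reserved source ranges, admits only the required inbound services, rate-limits the necessary ICMP types and drops the rest, and permits only the required outbound services so that IRC, peer-to-peer and instant-messaging ports are blocked by the default policy. A second function audits an arbitrary list of rules for the weak settings those slides warn about (Echo service reachable, unrestricted ICMP, ACCEPT default policies, no bogon filter). The interface name, service lists, bogon list and ICMP limit are assumptions; the script only produces and inspects command strings and executes nothing.

```python
# Unassigned/reserved source ranges to drop at the WAN interface (assumed list)
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]
# ICMP types a border host needs; everything else is dropped (assumed choice)
ALLOWED_ICMP = ["echo-request", "echo-reply", "destination-unreachable", "time-exceeded"]


def build_rules(wan_if="eth0", inbound_tcp=(22, 443), outbound_tcp=(53, 80, 443), icmp_limit="10/second"):
    """Return iptables commands for a deny-by-default border host (strings only, nothing is executed)."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    # Traffic claiming to come from unassigned/reserved ranges is dropped first
    rules += [f"iptables -A INPUT -i {wan_if} -s {net} -j DROP" for net in BOGONS]
    # Only the required services accept new inbound connections
    rules += [f"iptables -A INPUT -i {wan_if} -p tcp --dport {p} --syn -j ACCEPT" for p in inbound_tcp]
    # ICMP: only the necessary types, and rate-limited; all other ICMP is dropped
    rules += [f"iptables -A INPUT -i {wan_if} -p icmp --icmp-type {t} -m limit --limit {icmp_limit} -j ACCEPT"
              for t in ALLOWED_ICMP]
    rules.append(f"iptables -A INPUT -i {wan_if} -p icmp -j DROP")
    # Outbound: required services only; IRC, peer-to-peer and IM ports fall through to the DROP policy
    rules += [f"iptables -A OUTPUT -o {wan_if} -p tcp --dport {p} -j ACCEPT" for p in outbound_tcp]
    rules.append(f"iptables -A OUTPUT -o {wan_if} -p udp --dport 53 -j ACCEPT")
    return rules


# A constructed weak ruleset showing the settings the prevention slides warn about
WEAK_RULES = [
    "iptables -P INPUT ACCEPT",
    "iptables -P FORWARD ACCEPT",
    "iptables -A INPUT -p tcp --dport 7 -j ACCEPT",   # Echo service reachable from anywhere
    "iptables -A INPUT -p icmp -j ACCEPT",            # every ICMP type, no rate limit
]


def _arg(parts, flag):
    """Value following `flag` in a tokenized rule, or None if the flag is absent."""
    return parts[parts.index(flag) + 1] if flag in parts else None


def audit_rules(rules):
    """Flag DoS-relevant weaknesses in a list of iptables command strings."""
    problems, policies, bogon_filter = [], {}, False
    for rule in rules:
        parts = rule.split()
        if _arg(parts, "-P"):
            policies[_arg(parts, "-P")] = parts[parts.index("-P") + 2]
        if _arg(parts, "-s") in BOGONS and _arg(parts, "-j") == "DROP":
            bogon_filter = True
        if _arg(parts, "-j") == "ACCEPT":
            if _arg(parts, "--dport") == "7":
                problems.append(("echo_service_allowed", rule))
            if _arg(parts, "-p") == "icmp" and ("--icmp-type" not in parts or "--limit" not in parts):
                problems.append(("unrestricted_icmp", rule))
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            problems.append(("default_policy_not_drop", chain))
    if not bogon_filter:
        problems.append(("no_bogon_filter", None))
    return problems


if __name__ == "__main__":
    print("\n".join(build_rules()))
    print(audit_rules(WEAK_RULES))
```

The directed-broadcast setting from the prevention slide is a router configuration rather than a host filter, so it does not appear here. Because rules are evaluated in order, the bogon drops are placed before any ACCEPT rule; a ruleset that lists them after an accept-all rule would pass the audit's presence check but not achieve the filtering, so the order of `build_rules` output should be preserved when it is applied.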
Proventia Network Intrusion Prevention System (IPS) http://www.ibm.com/
IBM Proventia Network Intrusion Prevention System (IPS) stops Internet threats before they impact your business and delivers protection to all three layers of the network: core, perimeter, and remote segments
The IBM Proventia Network Intrusion Prevention System (IPS) delivers network protection that is designed to:
• Stop threats before impact without sacrificing high-speed network performance
• Provide a platform for security convergence that helps reduce the cost of deploying and managing point solutions
• Protect networks, servers, desktops, and revenue-generating applications from malicious threats
• Conserve network bandwidth and prevent network misuse/abuse from instant messaging and peer-to-peer file sharing
• Prevent data loss and aid compliance efforts
IPS: Screenshot
NetDetector
http://www.niksun.com/
NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics
It acts as a security camera and motion detector for your network by continuously capturing and warehousing network traffic (both packets and statistics)
Features:
• Continuous, in-depth real-time surveillance
• Capture network events the first time and store events for post-event analysis
• Signature and statistical anomaly detection
• Superior drill-down forensic analysis down to packet level
• Advanced reconstruction of web, email, instant messaging, FTP, Telnet, VoIP and other TCP/IP applications
TigerGuard
http://www.tigertools.net/
TigerGuard is designed to centrally manage events and logs, alerts from IDS devices, monitor network and wireless traffic, and perform discovery, vulnerability assessments, event logging, and compliance reporting
Features:
• Sensor console
• Firewall console
• Network console
• WiFi console
• Event console
TigerGuard: Screenshot 1
TigerGuard: Screenshot 2
Summary
• A Denial-of-Service (DoS) attack prevents authorized users from accessing networks, systems, or applications by exhausting the network resources
• A Distributed Denial-of-Service (DDoS) attack is a DoS attack in which a large number of compromised systems, known as a botnet, attack a single target to cause a denial of service for the users of the targeted system
• Unauthorized access is a condition where a person gains access to system and network resources which he/she was not authorized to have
• An inappropriate usage incident occurs when a user performs actions that violate the acceptable computing use policies
• A multiple component incident is a single incident that encompasses two or more incidents
EC-Council Certified Incident Handler Version 1
Module VI
Handling Malicious Code Incidents
News: Malicious Program Targets Macs
(CNN) -- Mac computers are known for their near-immunity to malicious computer programs that plague PCs. But that may be changing somewhat, according to computer security researchers. It seems that as sleek Mac computers become more popular, they're also more sought-after targets for the authors of harmful programs. "The bad guys generally go toward the biggest target, what will get them the biggest bang for their buck," said Kevin Haley, a director of security response at Symantec. Until recently, the big target always was Microsoft Windows, and Apple computers were protected by "relative obscurity," he said. But blogs are buzzing this week about what two Symantec researchers have called the first harmful computer program to strike specifically at Mac. This Trojan horse program, dubbed the "iBotnet," has infected only a few thousand Mac machines, but it represents a step in the evolution of malicious computer software, Haley said. The iBotnet is a sign that harmful programs are moving toward Mac, said Paul Henry, a forensics and security analyst at Lumension Security in Arizona. "We all knew it was going to happen," he said. "It was just a matter of time, and, personally, I think we're going to see a lot more of it." The malicious software was first reported in January. It didn't gain widespread attention until recently, when Mario Ballano Barcena and Alfredo Pesoli of Symantec, maker of the popular Norton antivirus products, detailed the software in a publication called "Virus Bulletin."
Source: http://www.cnn.com
News: Handling Malicious Hackers and Assessing Risk in Real Time
Imagine this…
A hacker creates a look-alike website of a well-known bank. He sends across e-mails to customers requesting for confidential information claiming the bank's website is undergoing a revamp or reconstruction. The information sought is confidential customer data. The e-mail has a link embedded in it, which, by default, directs the customer to the fake site that the hacker has created. The customer, thinking it to be a genuine communication from the bank, provides the details, which the hacker saves and later uses for fraudulent transactions such as money transfers or procuring critical passwords.
Not a Secure Situation to be in
The rapid growth of online commerce has brought increasing sophistication to Internet fraud. Frauds are executed across multiple access channels. Threats from Phishing (criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication), Pharming (a hacker's attack aiming to redirect a website's traffic to another bogus website), Trojans (a type of malicious software), Key Logging (used to retrieve online password entries), and Proxy Attacks, combined with regulations and mandates (HIPAA, PCI) governing online data piracy place online security at a premium. If you take a closer look at the illustration in the beginning of this article, you will realize that a simple login procedure makes it easy for a hacker to access online accounts and transactions. To thwart hackers, banks are adopting stringent levels of login procedures, which are more personalized and secure. Some of them include the introduction of additional levels of passwords, personalized background image for login, virtual keyboards, or even a virtual mouse among others.
Whatever you type on the physical keyboard can be tapped by hacking, through keylogging. Keylogging provides a means to obtain passwords or encryption keys by bypassing security measures. To prevent this, financial transaction sites are installing virtual keypads and virtual mouse. Instead of typing the password on the keyboard the normal way, as part of the login process the user will be able to use the cursor to select his or her password on the virtual keyboard. This process helps circumvent the key locking setup enforced by the hacker.
Source: http://businessmirror.com.ph
Module Objective
This module will familiarize you with:
• Virus
• Trojans and Spywares
• Incident Handling Preparation
• Incident Prevention
• Detection and Analysis
• Evidence Gathering and Handling
• Eradication and Recovery
• Recommendations
Module Flow
• Virus
• Trojans and Spyware
• Incident Prevention
• Incident Handling Preparation
• Detection and Analysis
• Evidence Gathering and Handling
• Recommendations
Count of Malware Samples
Source: http://www.avertlabs.com
Virus
Computer viruses are malicious software programs that infect computers and corrupt or delete the data on them
Viruses spread through email attachments, instant messages, downloads from the Internet, contaminated media, etc.
Viruses are generally categorized as:
• File infectors: Attach themselves to program files
• System or boot-record infectors: Infect executable code found in certain system areas on a disk
• Macro viruses: Infect the Microsoft Word application
Worms
A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself
It takes advantage of file or information transport features on the system to travel independently
A worm spreads through the infected network automatically
Trojans and Spywares
Trojans:
• A Trojan horse is a malicious, security-breaking program that is disguised as a useful program
• Trojans are executable programs that are installed when a file is opened
• Trojans get activated without the intervention of the user
• Similar to viruses, Trojans do not distribute themselves from one system to another
• Trojans allow others to control a user's system
Spyware:
• Spyware is software installed on the computer without the knowledge of the user
• Spyware pretends to be a program that offers useful applications, but it actually acquires information from the computer and sends it to the attacker, who can access it remotely
• Spyware is also known as adware
Incident Handling Preparation
1. Establish a malicious code security policy
2. Install antivirus software
3. Check all files and attachments from websites
4. Check all removable media such as USB drives, diskettes, etc.
5. Users must be aware of malicious code issues
6. Study the antivirus vendor bulletins
7. Install host-based intrusion detection systems on critical hosts
8. Collect malware incident analysis resources
9. Acquire malware incident mitigation software
10. Establish the procedure for reporting malicious code incidents
Incident Prevention
• Use antivirus software
• Designate a point of contact for reporting malicious code
• Block the installation of spyware software
• Remove suspicious files
• Filter spam
• Limit the use of unnecessary programs with FTP
• Alert users on handling email attachments
• Close the open Windows shares
• Use the web browser's security settings to block malicious code
• Prevent the open transmission of e-mail
• Secure the e-mail clients
Detection of Malicious Code
Case 1. Host is infected by a virus which is delivered via e-mail
Signs of the presence of malicious code include:
• Antivirus software detects the infected files
• Increase in the number of e-mails sent and received
• Change in the template of word processing documents
• Deletion or corruption of files
• System files become inaccessible
• Old messages and graphics appear on screen
• Some programs start and run slowly, or do not run at all
• System becomes unstable or crashes
• Indication of root compromise of a host if the virus achieves root-level access
Detection of Malicious Code (Cont'd)
Case 2. Host is infected by a worm that propagates through a vulnerable service
Signs of the presence of malicious code include:
• Antivirus software detects the infected files
• Failure in connection attempts targeted at the vulnerable services
• Increase in network usage
• Programs start and run slowly, or do not run at all
• System becomes unstable or crashes
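The Case 2 indicators (connection attempts aimed at a vulnerable service, rising network usage) can be checked mechanically against firewall logs. The Python below is an added example, not part of the course material; it assumes iptables LOG-format lines (constructed here) and flags any source that reaches many distinct hosts on a watched service port within a short window, while a host that repeatedly talks to one server is left alone.

```python
"""Worm-propagation indicator for Case 2: a single source sending SYNs to the
same vulnerable service port on many distinct hosts in a short time.
Added example; the log lines are constructed in iptables LOG format."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Fields of an iptables LOG entry that matter here; other fields are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict with ts/src/dst/proto/dpt, or None for a non-matching line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; differences between them are still valid.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt"))}


def worm_fanout_alerts(lines, watched_ports=(445, 139), window_s=60, threshold=10):
    """Map (src, dpt) -> max distinct destinations seen inside any window_s
    window, for every source that reached `threshold` distinct hosts on a
    watched port. Repeated hits on one server never count as fan-out."""
    watched = set(watched_ports)
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["proto"] == "TCP" and e["dpt"] in watched:
            events[(e["src"], e["dpt"])].append((e["ts"], e["dst"]))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        window = deque()            # (ts, dst) pairs inside the sliding window
        per_dst = defaultdict(int)  # dst -> hits inside the window
        for ts, dst in evs:
            window.append((ts, dst))
            per_dst[dst] += 1
            # Expire events older than window_s relative to the newest event.
            while (ts - window[0][0]).total_seconds() > window_s:
                _, old_dst = window.popleft()
                per_dst[old_dst] -= 1
                if per_dst[old_dst] == 0:
                    del per_dst[old_dst]
            if len(per_dst) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(per_dst))
    return alerts


def make_sample_log():
    """Constructed firewall log: one worm-like host, three benign ones."""
    fmt = ("Jan 14 09:{mm:02d}:{ss:02d} fw kernel: DROP IN=eth1 OUT= "
           "SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt} SYN")
    lines = []
    # 10.0.2.15 sweeps 12 hosts on TCP/445 within 12 seconds (worm-like).
    for i in range(12):
        lines.append(fmt.format(mm=0, ss=i, src="10.0.2.15", dst=f"10.0.3.{i + 1}",
                                spt=50000 + i, dpt=445))
    # 10.0.2.20 talks to one file server on 445 repeatedly (benign).
    for i in range(15):
        lines.append(fmt.format(mm=1, ss=i, src="10.0.2.20", dst="10.0.3.10",
                                spt=51000 + i, dpt=445))
    # 10.0.2.40 touches 12 hosts on 445, but only one per minute (below rate).
    for i in range(12):
        lines.append(fmt.format(mm=i + 2, ss=0, src="10.0.2.40", dst=f"10.0.3.{i + 1}",
                                spt=52000 + i, dpt=445))
    # 10.0.2.30 browses 12 web servers on 80 (port not watched).
    for i in range(12):
        lines.append(fmt.format(mm=20, ss=i, src="10.0.2.30", dst=f"10.0.4.{i + 1}",
                                spt=53000 + i, dpt=80))
    lines.append("Jan 14 09:30:00 fw sshd[1]: Accepted publickey for admin")  # unrelated
    return lines


if __name__ == "__main__":
    for (src, dpt), n in worm_fanout_alerts(make_sample_log()).items():
        print(f"possible worm propagation: {src} reached {n} hosts on tcp/{dpt} within 60s")
```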
Detection of Malicious Code (Cont'd)
Case 3. Trojan horse gets installed and runs on a host
Signs of the presence of malicious code include:
• Antivirus software will detect the Trojan horse versions of files
• Network IDS alerts on the Trojan horse client-server communications
• Log entries of the firewall and router for Trojan horse client-server communications
• Network connections between the host and unknown remote systems
• Unusual open ports
• Unknown running processes
• Programs start and run slowly, or do not run at all
• System becomes unstable or crashes
• Indication of root compromise of a host if the Trojan achieves root-level access
Detection of Malicious Code (Cont'd)
Case 4. Host infected with a virus, worm, or Trojan horse using malicious mobile code on a website
• A strange dialog box appears requesting permission to run a program
• Abnormal graphics appear, such as overlapping and overlaid message boxes
Case 5. Malicious mobile code on a website exploits vulnerabilities on a host
• A strange dialog box appears requesting permission to run programs
• Abnormal graphics appear, such as overlapping and overlaid message boxes
• Increase in the number of emails being sent or received
• Network connections between the host and unknown remote systems
• Indication of root compromise of a host if the mobile code achieves root-level access
Detection of Malicious Code (Cont'd)
Case 6. When the user receives a virus hoax message
• The original source appears to be a government agency or an important official person
• It does not link to outside sources
• The message requires urgent action
• It prompts the user to delete certain files or forward messages
Containment Strategy
• Recognize and separate the infected hosts from the information system
• Register the unidentified malicious code with antivirus vendors
• Configure email servers and clients to block emails
• Block particular hosts
• Shut down the email servers
• Isolate networks from the Internet
• Ensure the users' participation
• Disable services
• Disable connectivity
Evidence Gathering and Handling
Forensic Identification
• It is the practice of identifying the infected systems by looking for the evidence of the latest infection
Active Identification
• This method is used to identify the hosts which are currently infected
Manual Identification
• Labor intensive, but it is important as it provides the appropriate identity of the infected hosts
Eradication and Recovery
Antivirus and antispyware software can identify infected files, but some of the infected files cannot be recovered
If the malicious code provides attackers with root-level access, then it becomes hard to determine what other actions the attackers have performed
In some cases, infected files are restored from a previous uninfected backup or can be rebuilt from scratch
Recommendations
• Establish a malicious code security policy
• Users must be aware of malicious code issues
• Study antivirus bulletins
• Install host-based intrusion detection systems on critical hosts
• Use antivirus software, and keep it updated with the latest virus signatures
• Configure software to block suspicious files
• Close the open Windows shares
• Deal with malicious code incidents as quickly as possible
Antivirus Systems
Symantec: Norton AntiVirus 2009
http://www.symantec.com/
Symantec Norton AntiVirus 2009 protects the computer system from malicious programs such as viruses, worms, Trojans, spyware, etc.
Features:
• Protects against viruses, spyware, Trojan horses, worms, bots, and rootkits
• Pulse updates every 5 to 15 minutes or faster
• Intelligence-driven technology for faster, fewer, shorter scans
• Blocks browser, OS, and application threats; protects against infected Web sites
• Protects against the latest threats with a proactive multilayered protection system
• Real-time SONAR technology detects emerging spyware and viruses before traditional definitions are available
Norton AntiVirus 2009: Screenshot
Kaspersky Anti-Virus 2010
http://www.kaspersky.com/
Kaspersky Anti-Virus 2010 offers real-time automated protection from a range of IT threats
Features:
• Real-time scanning of files, web pages, and e-messages
• Disabling of links to malicious websites
• Blocking of suspicious programs based on their behavior
• Protection from hijacking of your PC
• Toolbar for Internet browsers to warn you about infected or unsafe websites
• Urgent Detection System to stop fast emerging threats
• Scan system and installed applications for vulnerabilities
• Enter logins and passwords using secure Virtual Keyboard
• Remove activity traces in your Internet browser (history, cookies, etc.)
• Protection against identity theft by key loggers and screen capture malware
Kaspersky Anti-Virus 2010: Screenshot
AVG Anti-Virus
http://www.avg.com/
AVG Anti-Virus protects the computer system from malicious programs such as viruses, worms, Trojans, spyware, etc.
Features:
• Anti-Virus: protection against viruses, worms, and Trojans
• Anti-Spyware: protection against spyware, adware, and identity theft
• Anti-Rootkit: protection against hidden threats (rootkits)
• Web Shield and LinkScanner: protection against malicious websites
• Real-time security while you surf and chat online
AVG Anti-virus: Screenshot
McAfee VirusScan Plus
http://home.mcafee.com/
McAfee VirusScan Plus offers essential PC security with accelerated performance
Features:
• Anti-virus, anti-spyware, and SiteAdvisor protect you from malicious software
• Firewall blocks outsiders from hacking into your PC
• SiteAdvisor rates web site safety before you click with red, yellow or green colors
• Online account management lets you easily add other PCs to your subscription
• QuickClean safely removes junk files that slow your PC and take up space on your hard drive
McAfee VirusScan Plus: Screenshot
BitDefender Antivirus 2009
http://www.bitdefender.com/
BitDefender Antivirus 2009 provides advanced proactive protection against viruses, spyware, phishing attacks and identity theft
Features:
• Scans all web, e-mail, and instant messaging traffic for viruses and spyware, in real-time
• Protects against new virus outbreaks using advanced heuristics
• Blocks attempted identity theft (phishing)
• Prevents personal information from leaking via e-mail, web, or instant messaging
• Reduces the system load and avoids requesting user interaction during games
BitDefender Antivirus 2009: Screenshot
F-Secure Anti-Virus 2009
http://www.f-secure.com/
F-Secure Anti-Virus 2009 provides advanced and affordable protection against viruses, spyware intrusions, and infected e-mail
Its automatic updates and DeepGuard 2.0 cloud computing technology provide protection against new threats
Features:
• Protection against viruses, worms, rootkits and other malware
• Real-time protection against spyware
• Provides instant protection against new threats (DeepGuard 2.0)
• Scans e-mail for viruses and malicious code
• Automatic updates for both virus definitions and the software
F-Secure Anti-Virus 2009: Screenshot
Trend Micro AntiVirus plus AntiSpyware 2009
http://www.trendmicro.com/
Trend Micro AntiVirus plus AntiSpyware 2009 safeguards data and files from malicious activities
Features:
• Protects against current and future viruses
• Defends your personal information with anti-spyware technology
• Provides real-time protection with automated computer scans
• Prevents unauthorized changes
• Cleans browser history, cookies and unnecessary files
• Provides customizable security warnings
• Quarantines suspicious files
Trend Micro AntiVirus plus AntiSpyware 2009: Screenshot
HijackThis
http://www.trendsecure.com/
HijackThis is a free utility which quickly scans systems running Windows OS to find settings that may have been changed by spyware, malware, or other unwanted programs
It creates a report with the results of the scan
Tripwire Enterprise
http://www.tripwire.com/
Tripwire Enterprise combines configuration assessment and change auditing in a single infrastructure management solution that delivers enterprise-wide control of physical and virtual configurations
It comes with policies that cover such diverse regulatory standards as Payment Card Industry (PCI) and Sarbanes-Oxley (SOX), as well as security standards like those from the National Institute of Standards and Technology (NIST)
Features:
• Change auditing
• Configuration assessment
• Sample reports
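A hash-based file-integrity baseline is the simplest form of the change auditing described on this slide, of the forensic identification step earlier in this module (finding infected hosts from evidence of infection), and of the file integrity checking the module recommends for critical hosts. The Python below is an added example, not Tripwire's or any vendor's code; it assumes a constructed directory tree and a constructed known-bad hash, both built inside the demo.

```python
"""File-integrity baseline, change audit and known-bad hash lookup.
Added example written for this module; not Tripwire's or any vendor's code."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Relative path -> {sha256, size, mode} for every regular file under root.
    Symlinks are skipped so a planted link cannot pull in files outside root."""
    root = Path(root)
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snapshot[p.relative_to(root).as_posix()] = {
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return snapshot


def save_baseline(snapshot, path):
    # Keep the baseline off the audited host in practice: an attacker with
    # root can otherwise rewrite it to match the tampered files.
    Path(path).write_text(json.dumps(snapshot, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def audit(baseline, current):
    """Change audit: files added, removed, or whose content/permissions changed."""
    base, cur = set(baseline), set(current)
    modified = [p for p in sorted(base & cur)
                if baseline[p]["sha256"] != current[p]["sha256"]
                or baseline[p]["mode"] != current[p]["mode"]]
    return {"added": sorted(cur - base), "removed": sorted(base - cur),
            "modified": modified}


def match_known_bad(current, bad_hashes):
    """Forensic identification: files whose SHA-256 is in a known-bad set."""
    return {p: bad_hashes[meta["sha256"]] for p, meta in current.items()
            if meta["sha256"] in bad_hashes}


def demo():
    """Constructed scenario: baseline a small tree, then simulate an infection."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "service").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "etc" / "app.conf").write_text("debug=0\n")
        save_baseline(build_baseline(root), Path(store) / "baseline.json")
        baseline = load_baseline(Path(store) / "baseline.json")

        # Simulated changes: service binary replaced, dropper added, config deleted.
        (root / "bin" / "service").write_bytes(b"CONSTRUCTED TROJANISED SERVICE\n")
        (root / "bin" / "dropper").write_bytes(b"CONSTRUCTED DROPPER SAMPLE\n")
        (root / "etc" / "app.conf").unlink()
        current = build_baseline(root)

        # Constructed indicator: the hash of the planted file, not a real IoC.
        known_bad = {hashlib.sha256(b"CONSTRUCTED DROPPER SAMPLE\n").hexdigest():
                     "Constructed.Dropper.A"}
        return audit(baseline, current), match_known_bad(current, known_bad)


if __name__ == "__main__":
    report, hits = demo()
    print(json.dumps(report, indent=2))
    print("known-bad matches:", hits)
```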
Tripwire Enterprise: Screenshot
Stinger
http://vil.nai.com/
Stinger is a stand-alone utility used to detect and remove specific viruses
It utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations
Summary
• Computer viruses are software programs meant to infect computers and corrupt or delete the data
• A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself
• Forensic identification is the practice of identifying infected systems by looking for evidence of recent infections
• Antivirus and antispyware software can identify the infected files, but some of the infected files cannot be recovered
• Deploy host-based intrusion detection and prevention systems, including file integrity checkers, to critical hosts
Sample EC-Council Certified Incident Handler Version 1
Module VIII
Forensic Analysis and Incident Response
News: Microsoft Computer Online Forensic Evidence Extractor Free for Interpol
The Microsoft COFEE evidence extracting tool will be made available to Interpol for free, per an agreement between the Redmond company and the International Criminal Police Organization. The software giant announced that the Computer Online Forensic Evidence Extractor would be distributed by Interpol internationally, in no less than 187 markets worldwide. The move is just one aspect of a broader Microsoft strategy designed to protect people both physically and virtually in collaboration with governments around the world. In this regard, the Redmond company used the Worldwide Public Safety Symposium to launch the Citizen Safety Architecture as well as to promise support for Interpol's Security Initiative (GSI). "Given the direct correlation between the declining economy and the rise of public safety concerns, there is a pressing need for innovative, collaborative and integrated solutions, like Citizen Safety Architecture, that deliver to governments the tools they need to ensure the safety of their citizens," explained Tim Bloechl, managing director for worldwide public safety and national security at Microsoft. The Citizen Safety Architecture has at its basis a variety of tools dedicated to not just cutting costs, but also boosting what Microsoft referred to as multiagency operational effectiveness, as well as streamlining collaboration and information sharing. The Redmond company indicated that the Citizen Safety Architecture was based on Microsoft Single View Platform (SVP), Microsoft FusionX, "Eagle," Microsoft Intelligence Framework, the Microsoft Incident Response Platform and Global Security Operations Centers (GSOCs).
"Microsoft and INTERPOL recognize the strong synergies between Citizen Safety Architecture and GSI, and our pledge to develop a long-term relationship with organizations like INTERPOL supports the overall goal of Citizen Safety Architecture," Bloechl added. In addition to the Citizen Safety Architecture framework, the software giant will also provide Interpol with COFEE, a tool designed to extract forensic evidence from live computer activity. In this manner, Interpol officers will be able to harvest and then use evidence that would otherwise not be available through traditional offline forensic analysis, Microsoft underlined.
Source: http://news.softpedia.com/
Module Objective
This module will familiarize you with:
• Computer Forensics
• Forensic Readiness
• Types of Computer Forensics
• Computer Forensics Process
• Digital Evidence
• Collecting Electronic Evidence
• Forensic Policies
• Forensic Analysis Guidelines
Module Flow
• Computer Forensics
• Forensics Preparedness
• Computer Forensics Process
• Types of Computer Forensics
• Digital Evidence
• Collecting Electronic Evidence
• Forensic Analysis Guidelines
• Forensic Policies
Computer Forensics
"A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format"
- Dr. H.B. Wolfe
Objectives of Forensic Analysis
• To recover, analyze, and preserve computer and related materials in such a way that they can be presented as evidence in a court of law
• To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator
Role of Forensic Analysis in Incident Response
• Forensic analysis helps in determining the exact cause of an incident
• It helps in generating a timeline for the incident, which helps in correlating different incidents
• Forensic analysis of the affected system helps in determining the nature of the incident and its impact
• It helps in tracking the perpetrators of the crime or incident
• It extracts, processes, and interprets the factual evidence so that it proves the attacker's actions in court
• It saves the organization's money and time by conducting a damage assessment of the victimized network
• It also saves organizations from legal liabilities and lawsuits
Forensic Readiness
Forensic readiness may be defined as a state of incident response preparedness that enables an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation
It also minimizes the risk of internal threat and acts as a preemptive measure
Objectives:
• Maximizing an environment's ability to collect credible digital evidence
• Minimizing the cost of forensics during an incident response
Forensic Readiness and Business Continuity
Forensic readiness allows businesses to:
• Quickly determine the incidents
• Understand the relevant information
• Minimize the required resources
• Remove the threat of repeated incidents
• Quickly recover from damage with less downtime
Lack of forensic readiness may result in:
• Loss of clients, thereby damaging the organization's reputation
• System downtime
• Data manipulation, deletion, and theft
Types of Computer Forensics
Disk Forensics
• It is the process of acquiring and analyzing the data stored on physical storage media
Network Forensics
• It can be defined as the sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate a network security incident
E-mail Forensics
• It is the process of studying the source and content of an email
Internet (Web) Forensics
• It is the application of scientific and legally sound methods for the investigation of Internet crimes
Source Code Forensics
• It is the process of determining software ownership and copyright issues
Computer Forensic Investigator
A computer forensic investigator must have knowledge of general computer skills such as hardware, software, OS, applications, etc.
The investigator must perform a proper investigation to protect the digital evidence
The investigator must be certified by authorized organizations
People Involved in Computer Forensics
Attorney:
• Gives legal advice on collection, preservation and presentation of evidence
Photographer:
• Photographs the crime scene and the evidence gathered
Incident Responder:
• Responsible for incident handling and response
Decision Maker:
• Responsible for authorization of a policy or procedure for the investigation process
People Involved in Computer Forensics (cont'd)
Incident Analyzer:
• Analyzes the incidents based on their occurrence
Evidence Examiner/Investigator:
• Examines the evidence acquired, and sorts useful evidence
Evidence Documenter:
• Documents all the evidence and the phases present in the investigation process
Evidence Manager:
• Manages the evidence found so that it is handled in a procedurally sound way
Expert Witness:
• Offers a formal opinion as testimony in the court of law
Computer Forensics Process
Preparation
• Enables easy coordination among staff and provides baseline protection
Collection
• The process of identifying, labeling, recording and acquiring data from all possible sources
Examination
• Processing large amounts of collected data using a combination of automated and manual methods
Computer Forensics Process (cont’d)
Analysis
• Analyzing the results of the examination using legally justifiable methods and techniques
Reporting
• Reporting the analysis results and providing recommendations for improving policies, guidelines, procedures, tools and other aspects of the forensic process
Digital Evidence
Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”
Digital evidence is found in files such as:
• Graphics files
• Audio and video recordings and files
• Web browser history
• Server logs
• Word processing and spreadsheet files
• E-mails
• Log files
Characteristics of Digital Evidence
Admissible
• Evidence must conform to the legal rules for admission in court and relate to the fact being proved
Authentic
• Evidence must be genuine and demonstrably tied to the incident
Complete
• Evidence must tell the whole story: it must cover the attacker’s actions and also anything that points to a different explanation
Reliable
• Nothing about how the evidence was collected and handled may cast doubt on its authenticity and veracity
Believable
• Evidence must be clear and understandable to judges and juries
Collecting Electronic Evidence
• List the systems involved in the incident and identify from which systems evidence can be collected
• For each system, determine the relevant order of volatility and collect the most volatile data (memory, network state, running processes) before anything on disk
• Record the extent of the system’s clock drift against a trusted time source, so that timestamps in the evidence can later be corrected
• Collect evidence from all systems and people affected by the incident
Collecting Electronic Evidence (cont’d)
Electronic evidence resides in:
Data Files:
• Office desktop computer/workstation
• Notebook computer
• Home computer
• Computers of personal assistants/secretaries/staff
• Palmtop devices
• Network file servers/mainframes/mini-computers
Backup Tapes:
• System-wide backups (monthly/weekly/incremental)
• Disaster recovery backups (stored off site)
• Personal or “ad hoc” backups (look for diskettes and other portable media)
Other Media Sources:
• Tape archives
• Replaced/removed drives
• Floppy diskettes and other portable media (e.g., CDs, Zip cartridges)
Evidence Collection Form Template
Forensic Analyst Making Seizure
Full Name:
Title:
Phone:
Department:
Comments:
Signature:
Date and time:
Witness Signature
Full Name:
Title:
Phone:
Department:
Full Address: Room No / Building / Address Line 1 / Address Line 2 / Address Line 3 / Address Line 4 / Post code
Signature:
Date and time:
Evidence Collection Form Template (cont’d)
S.No. | Evidence | Make | Details
(ten numbered rows, 1 to 10, one per item seized)
Challenging Aspects of Digital Evidence
• Digital evidence is fragile in nature
• If the computer is turned off during the investigation of the crime scene, data that exists only in memory or has not been saved (running processes, network connections, unsaved documents) is lost permanently
• During the investigation, digital evidence can be altered maliciously or unintentionally without leaving any clear sign of alteration
• Digital evidence is often circumstantial, which makes it difficult for the investigator to distinguish the attacker’s actions from normal system activity
• If a user writes data to the system after the incident, it may overwrite the evidence of the crime
Forensic Policy
• A forensic policy is a set of procedures describing the actions to be taken when an incident is observed
• It defines the roles and responsibilities of all people performing or assisting with forensic activities
• It should cover all internal and external parties that may be involved and indicate who should contact which parties
• It explains what actions should and should not be performed under normal and special conditions
Forensic Policy (cont’d)
• Organizations should ensure that their policies contain clear statements addressing all major forensic considerations
• Policies should allow authorized personnel to monitor systems and networks and perform investigations
• Separate policies should be maintained for incident handlers and others with predefined forensic roles
• The organization’s forensic policy should be consistent with its other policies
Forensics in the Information System Life Cycle
• Perform regular backups of systems
• Forward audit logs from workstations, servers and network devices to secured centralized log servers
• Configure mission-critical applications to perform auditing
• Maintain a database of file hashes for the files of common OS and application deployments
• Use file integrity checking software to protect important assets
• Maintain records of network and system configurations
• Implement data retention policies that support the use of system and network activity records
Forensic Analysis Guidelines
Organizations should:
• Have a capability to perform computer and network forensics
• Determine which parties should handle each aspect of forensics
• Create and maintain guidelines and procedures for performing forensic tasks
• Perform forensics using a consistent process
• Be proactive in collecting useful data
• Adhere to the standard operating procedures specified by local laws and by standards bodies such as IOCE and SWGDE when collecting digital evidence
Source: http://csrc.nist.gov/
Forensic Analysis Tools
Helix
http://www.e-fense.com/
• Helix is a bootable computer forensic toolkit providing incident response, computer forensics and e-discovery in one interface
• Helix is a customized distribution of the Knoppix Live Linux CD
• You can boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection and many applications dedicated to incident response and forensics
• Helix has been modified very carefully so that it does not touch the host computer in any way (no automatic mounting of local disks or swap), which keeps it forensically sound
• Helix also has a Windows autorun side for incident response and forensics on a live system
• Helix focuses on incident response and forensics tools
Tools Present in Helix CD for Windows Forensics
• Windows Forensics Toolchest (WFT)
• Incident Response Collection Report (IRCR2)
• First Responder’s Evidence Disk (FRED)
• First Responder Utility (FRU)
• Security Reports (SecReport)
• Md5 Generator
• Command Shell
• File Recovery (recover deleted files)
• Rootkit Revealer
• VNC Server
• Putty SSH
• Screen Capture
• Messenger Password
• Mail Password Viewer
• Protected Storage Viewer
• Network Password Viewer
• Registry Viewer
• Asterisk Logger
• IE History Viewer
• IE Cookie Viewer
• Mozilla Cookie Viewer
Helix: Screenshots 1, 2 and 3 (images not reproduced in this text)
Windows Forensic Toolchest
http://www.foolmoon.net/
• Windows Forensic Toolchest (WFT) is designed to provide a structured and repeatable automated live forensic response, incident response or audit on a Windows system while collecting security-relevant information from it
• It is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML-based reports in a forensically sound manner
• It logs all of its actions extensively and computes MD5/SHA1 checksums of the tools it runs and of the output it produces, so that the output is verifiable
Windows Forensic Toolchest (cont’d)
Features:
• Structured and repeatable live forensic response, incident response or audit
• Ability to run locally, from CD/DVD or from a thumb drive
• Verification of all executed tools
• Support for MD5 hashes
• Ability to verify WFT configuration files
• Automatic updating of WFT hash values for tools
• User-editable configuration file that controls execution
• Generation of both raw text and HTML reports
• Ability to run commands based on the run-time OS
Windows Forensic Toolchest: Screenshots 1 and 2 (images not reproduced in this text)
Knoppix Linux
http://www.knopper.net/
KNOPPIX is a bootable Live system on CD or DVD, consisting of a representative collection of:
• GNU/Linux software
• Automatic hardware detection
• Support for many graphics cards, sound cards, SCSI and USB devices and other peripherals
It can be used as a productive Linux system for the desktop, as an educational CD, as a rescue system, or adapted and used as a platform for commercial software product demos
Knoppix Linux: Screenshot (image not reproduced in this text)
The Coroner's Toolkit (TCT)
http://www.porcupine.org/
TCT is a collection of programs by Dan Farmer and Wietse Venema for post-mortem analysis of a UNIX system after a break-in
TCT components are:
• grave-robber: captures information from the system
• ils and mactime: display access patterns of files, dead or alive (inode listing and a MAC-time timeline)
• unrm and lazarus: recover deleted files
• findkey: recovers cryptographic keys from a running process or from files
EnCase Forensic
http://www.guidancesoftware.com/
• EnCase Forensic is an investigation platform that collects digital data, performs analysis, reports on findings and preserves them in a court-validated, forensically sound format
• It gives investigators the ability to image a drive and preserve it in a forensic manner using the EnCase evidence file formats (E01 for physical images; LEF/L01 logical evidence files for selected files and folders)
Features:
• Advanced search options
• Internet and e-mail investigation support
• Court-validated logical evidence file format
• Multiple viewers
• Instant message analysis
• EnScript® programming
• Bookmarking
• Reporting
• Support for most file systems
• Multiple acquisition options
EnCase Forensic: Screenshots 1 and 2 (images not reproduced in this text)
The Farmer's Boot CD (FBCD)
http://www.forensicbootcd.com/
The FBCD provides a forensic environment to safely and quickly preview data stored on various storage media (internal and external hard drives, USB thumb drives, digital music players, digital cameras, SD and CompactFlash cards, etc.)
Using the FBCD, you can:
• Mount file systems in a forensically sound manner, using a GUI
• Preview data using a single, unified GUI (Delve)
• Authenticate, acquire and analyze storage media
• Decrypt EFS-encrypted files
• Access and parse the Windows Registry
• Generate thumbnails for graphics files
• Dump file metadata (graphics files, PDF documents, etc.)
• Obtain the passwords for system users
• Undelete files from ext2, FAT and NTFS file systems
• Identify and reset Host Protected Areas (HPA) on IDE drives
• Dump the system BIOS tables
• Parse the Windows pagefile.sys file for e-mail addresses and URLs
• Dump file system metadata (initialized date, last mount date, etc.)
• Read various Windows and Linux log files
• Parse web browser cache files for history and cookie information
FBCD: Screenshots 1 and 2 (images not reproduced in this text)
DumpReg
http://www.systemtools.com/
• DumpReg is a program for Windows that dumps the registry, making it easy to find keys and values containing a given string
• Registry entries can be sorted in reverse order of last-modified time, making it easy to see changes made by recently installed software
DumpSec
http://www.systemtools.com/
• DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x
• It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent
• It also dumps user, group and replication information
DumpEvt
http://www.systemtools.com/
• SomarSoft's DumpEvt is a Windows NT/200x program that dumps the event log in a format suitable for importing into a database
• It is similar to the DUMPEL utility in the Microsoft Windows Resource Kit, but without some of its limitations
• It also dumps the additional Windows 200x event logs (DNS, File Replication and Directory Service)
Foundstone Forensic ToolKit
http://www.foundstone.com/
Foundstone Forensic ToolKit contains several Win32 command-line tools that help you examine the files on an NTFS disk partition for unauthorized activity
Features:
• AFind: searches for files by access time within a given time frame
• HFind: scans the disk for hidden files
• SFind: scans the disk for hidden (alternate) data streams and lists their last access times
• FileStat: a quick dump of all file and security attributes
• Hunt: a quick way to see whether a server reveals too much information via NULL sessions
Sysinternals Suite
http://technet.microsoft.com/
The Sysinternals Suite is a bundle of utilities that includes the following:
• AccessChk: shows what access specific users or groups have to files, registry keys and other objects
• AccessEnum: gives a full view of your file system and Registry security settings
• AdExplorer: explores an Active Directory database, defines favorite locations, views object properties and attributes
• AdRestore: enumerates the deleted objects in a domain
• Autologon: lets you easily configure Windows’ built-in autologon mechanism
• Autoruns: shows what programs are configured to run during system bootup or login
• CacheSet: lets you manipulate the working-set parameters of the system file cache
• LDMDump: shows the contents of the Logical Disk Manager (LDM) database
• ListDLLs: shows the full path names of loaded modules
• PsLogList: dumps the contents of an event log on the local or a remote computer
• PsPasswd: changes account passwords on local or remote systems in batches
• PsService: service viewer and controller for Windows
• NTFSInfo: shows information about NTFS volumes
• RegMon: Registry monitoring utility
• RootkitRevealer: advanced rootkit detection utility
NSLOOKUP
http://www.kloth.net/
• nslookup is a program to query Internet domain name servers for information held in the DNS (Domain Name System, RFC 1033, RFC 1034 and RFC 1035); kloth.net offers it as an online service
• It has two modes:
• Interactive mode: allows the user to query name servers for information about various hosts and domains
• Non-interactive mode: prints just the name and the requested information for a host
dig – DNS Lookup Utility
http://members.shaw.ca/
• dig (domain information groper) is a flexible tool for interrogating DNS name servers
• It performs DNS lookups and displays the answers returned from the name server(s) that were queried
• It is normally used with command-line arguments, but also has a batch mode of operation for reading lookup requests from a file
Dig Synopsis
• dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [name] [type] [class] [queryopt...]
• dig [-h]
• dig [global-queryopt...] [query...]
A typical invocation of dig looks like:
• dig @server name type
Whois
http://www.nsauditor.com/
• Whois communicates with WHOIS servers located around the world to obtain domain registration information
• It supports IP address queries and automatically selects the appropriate whois server for IP addresses
• This tool looks up information on a domain name, an IP address or a domain registration
Whois: Screenshot (image not reproduced in this text)
VisualRoute
http://www.visualroute.com/
• VisualRoute trace route software provides IPv4 and IPv6 traceroute, ping tests, multiple route discovery and connectivity analysis reports
• It helps determine the actual cause of a connectivity problem and pinpoints where in the network the problem occurs
Features:
• Graphical view of traceroute, ping and reverse DNS connectivity analysis
• IP location reporting
• Whois lookups and network provider reporting
• Omnipath™ multiple path discovery
• Netvu™ multiple route topology graph
• Application port testing, port probing and DNS performance testing
• Continuous connection testing with report history
VisualRoute: Screenshot (image not reproduced in this text)
Netstat Command
http://chiht.dfn-cert.de/
• netstat is a useful tool for checking network configuration and activity
• The netstat command reports information from various data structures in the network stack
• This information can include current network connections and listening servers, routing tables, ARP caches, etc.
Linux: DD Command
http://chiht.dfn-cert.de/
• The dd command makes bit-for-bit binary copies of computer media
• Given a raw disk device as its input, it serves as a simple disk imaging tool
• Forensic investigators use the built-in Linux command dd to copy data from a disk drive
• dd can copy data from any disk for which Linux exposes a block device, whether or not the file system on it can be mounted
• Other forensic tools such as AccessData FTK and ILook can read dd image files
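The following script is an added example and is not part of the ECIH slides or of any of the vendor tools named above. It acquires a raw image with dd and ties the image to the original with MD5 and SHA-1 hashes recorded in an acquisition log, which is the same idea WFT and EnCase implement when they hash what they collect. A regular file filled from /dev/urandom stands in for the block device so the script runs without root; the paths, log format and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the ECIH slides, e-fense or Guidance Software): acquire a
# raw image with dd and tie it to the original with MD5 and SHA-1, the way WFT and
# EnCase record hashes alongside what they collect. A regular file stands in for the
# block device so this runs without root; on a real system SOURCE would be e.g. /dev/sdb.

# image_and_verify SOURCE IMAGE LOGFILE
# Copies SOURCE to IMAGE with dd, hashes both and records them in LOGFILE.
# Returns 0 only if the source and image hashes agree.
image_and_verify() {
    src=$1; img=$2; log=$3
    # conv=noerror,sync: keep going past unreadable sectors and zero-fill them so
    # every offset in the image still corresponds to the same offset on the media.
    # Caveat: sync also pads a final partial block, so a source whose size is not a
    # multiple of bs hashes differently from its image. Real media is sector-aligned.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_md5=$(md5sum "$src" | cut -d' ' -f1);   img_md5=$(md5sum "$img" | cut -d' ' -f1)
    src_sha1=$(sha1sum "$src" | cut -d' ' -f1); img_sha1=$(sha1sum "$img" | cut -d' ' -f1)
    {
        printf 'acquired_at=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        printf 'source=%s md5=%s sha1=%s\n' "$src" "$src_md5" "$src_sha1"
        printf 'image=%s md5=%s sha1=%s\n' "$img" "$img_md5" "$img_sha1"
    } >>"$log"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha1" = "$img_sha1" ]
}

# verify_image IMAGE LOGFILE
# Re-hashes IMAGE at analysis time and compares it with the SHA-1 recorded at
# acquisition; a mismatch means the copy changed while in custody.
verify_image() {
    img=$1; log=$2
    recorded=$(grep -F "image=$img md5=" "$log" | sed 's/.*sha1=\([0-9a-f]*\).*/\1/')
    [ -n "$recorded" ] || return 1
    [ "$(sha1sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Stand-alone demonstration on a constructed 32 KiB "disk" (64 sectors of 512 bytes).
work=$(mktemp -d)
dd if=/dev/urandom of="$work/sdb" bs=512 count=64 2>/dev/null
if image_and_verify "$work/sdb" "$work/sdb.dd" "$work/acquisition.log"; then
    echo "image matches source; acquisition log:"
    cat "$work/acquisition.log"
fi
rm -rf "$work"
```

Run it as a normal user; to image real media, replace the constructed file with the device node and write the image to a separate, write-protected destination. The acquisition log is the record the expert witness later relies on, so keep it with the image and hash it too.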
Linux: Find Command
http://chiht.dfn-cert.de/
• The find command is built into many versions of Unix and is also available as part of the GNU findutils package for both Unix and Windows
• find searches a directory tree for files that have particular names, permissions, timestamps or almost any other combination of attributes
Syntax
• find [-H] [-L] [-P] [path...] [expression]
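The following script is an added example, not code from the ECIH slides or from GNU findutils. It uses find together with sha1sum to build the "database of file hashes" and perform the file integrity check recommended under Forensics in the Information System Life Cycle, and then uses a find expression to pull out the two attributes an investigator asks about first: setuid bits and modification since the baseline was taken. The directory layout, function names and the assumption that paths contain no whitespace are this example's own.

```shell
#!/bin/sh
# Added example (not from the ECIH slides or GNU findutils): a file-integrity baseline
# built with find + sha1sum, a re-check that names modified or added files, and a
# find expression for setuid files and files changed since the baseline.
# Assumes coreutils-style sha1sum and file paths without whitespace.

# baseline_hashes DIR OUTFILE
# Writes "path sha1" for every regular file under DIR, sorted so that comm can use it.
baseline_hashes() {
    dir=$1; out=$2
    find "$dir" -type f -exec sha1sum {} + |
        awk '{ print $2, $1 }' | LC_ALL=C sort >"$out"
}

# changed_files DIR BASELINE
# Prints paths whose current "path sha1" line is not in BASELINE: modified and new files.
# (Deleted files are the complement: comm -23 BASELINE current.)
changed_files() {
    dir=$1; base=$2
    find "$dir" -type f -exec sha1sum {} + |
        awk '{ print $2, $1 }' | LC_ALL=C sort |
        LC_ALL=C comm -13 "$base" - |
        cut -d' ' -f1
}

# suspicious_files DIR REFERENCE_FILE
# Lists regular files under DIR that are setuid or were modified after REFERENCE_FILE.
# Passing the baseline file itself shows everything that changed since it was written.
suspicious_files() {
    find "$1" -type f \( -perm -4000 -o -newer "$2" \) | LC_ALL=C sort
}

# Stand-alone demonstration on a constructed directory standing in for /usr/bin.
work=$(mktemp -d); mkdir "$work/bin"
printf 'ls v1' >"$work/bin/ls"; printf 'ps v1' >"$work/bin/ps"
baseline_hashes "$work/bin" "$work/baseline.sha1"
sleep 1
printf 'ps with backdoor' >"$work/bin/ps"                 # trojaned binary
printf 'nc' >"$work/bin/nc"; chmod 4755 "$work/bin/nc"    # new setuid binary
echo "changed or new since baseline:"; changed_files "$work/bin" "$work/baseline.sha1"
echo "setuid or modified since baseline:"; suspicious_files "$work/bin" "$work/baseline.sha1"
rm -rf "$work"
```

Store the baseline off the host it describes (an attacker who can replace ps can also edit a hash list kept beside it), and take it from known-good media right after installation, not after the incident.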
Linux: Arp Command
http://chiht.dfn-cert.de/
• The Address Resolution Protocol (ARP) is used by computers to translate the IP addresses of machines on the local network segment into Ethernet (MAC) addresses
• Most operating systems maintain a cache of these mappings, and the arp command prints the current contents of this cache
• Forged or duplicated entries in the cache can indicate ARP spoofing, so the cache is worth capturing during live response
Syntax (the same on Linux and Windows):
• arp -a
Linux: ps, ls, lsof, and ifconfig Commands
http://chiht.dfn-cert.de/
• ps is a basic Unix command that reports the status of running processes
• The Unix ls command lists files and directories on a file system
• lsof lists the files (including sockets and devices) currently open on a Unix system
• ifconfig reports the state of the network interfaces on a Unix system
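The following script is an added example and is not part of the ECIH slides or of any vendor's toolkit. It puts the commands of the last few slides (netstat, arp, ps, lsof, ifconfig) together into a minimal live-response collector of the kind WFT and IRCR2 provide for Windows, and it implements two of the steps listed under Collecting Electronic Evidence: it records the host clock against a trusted reference and collects in order of volatility. Each output is hashed as soon as it is written, so the collection can be verified later. The output layout, file names and the chosen command set are this example's assumptions; a command that is not installed is logged as MISSING rather than silently skipped.

```shell
#!/bin/sh
# Added example (not from the ECIH slides or any vendor toolkit): a minimal live-response
# collector for a Unix host. It records the host clock against a reference the responder
# reads from a trusted clock, then runs read-only commands in order of volatility
# (network state first, then processes, open files, interfaces, finally mount and disk
# metadata), saving each output to its own file and hashing it immediately.

# record_clock_drift OUTDIR REFERENCE_EPOCH
# REFERENCE_EPOCH is Unix time taken from a trusted source (e.g. an NTP-synced laptop)
# at the moment of the call. Drift = host time minus reference; echoed and saved.
record_clock_drift() {
    out=$1; ref=$2; mkdir -p "$out"
    host=$(date +%s)
    printf 'host_epoch=%s reference_epoch=%s drift_seconds=%s\n' \
        "$host" "$ref" "$((host - ref))" >"$out/clock_drift.txt"
    echo "$((host - ref))"
}

# run_step OUTDIR NAME COMMAND [ARGS...]
# Saves stdout to OUTDIR/NAME.txt, appends its SHA-1 to OUTDIR/manifest.sha1 and writes
# one line per step (UTC time, status or MISSING, command) to OUTDIR/collection.log.
run_step() {
    out=$1; name=$2; shift 2
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s %s MISSING cmd=%s\n' "$now" "$name" "$*" >>"$out/collection.log"
        return 0
    fi
    if "$@" >"$out/$name.txt" 2>>"$out/collection.log"; then status=0; else status=$?; fi
    sha1sum "$out/$name.txt" >>"$out/manifest.sha1"
    printf '%s %s status=%s cmd=%s\n' "$now" "$name" "$status" "$*" >>"$out/collection.log"
}

# collect_volatile OUTDIR
# The order matters: what changes fastest is captured first.
collect_volatile() {
    out=$1; mkdir -p "$out"
    run_step "$out" 01_netstat  netstat -an
    run_step "$out" 02_arp      arp -an
    run_step "$out" 03_ps       ps -ef
    run_step "$out" 04_lsof     lsof -n -P
    run_step "$out" 05_ifconfig ifconfig -a
    run_step "$out" 06_mount    mount
    run_step "$out" 07_df       df -k
}

# verify_collection OUTDIR -> 0 when every saved output still matches its recorded hash
verify_collection() {
    [ -s "$1/manifest.sha1" ] && sha1sum -c "$1/manifest.sha1" >/dev/null 2>&1
}

# Stand-alone demonstration. The reference epoch here is the host's own clock, so the
# recorded drift is 0; a real responder types in the value read from a trusted clock.
demo=$(mktemp -d)
record_clock_drift "$demo" "$(date +%s)" >/dev/null
collect_volatile "$demo"
if verify_collection "$demo"; then
    echo "collected $(wc -l <"$demo/manifest.sha1") artefacts into $demo (hashes verified)"
fi
cat "$demo/collection.log"
```

Run the collector from trusted binaries on read-only media rather than from the suspect host's own PATH, since a rootkit that trojans ps or netstat will lie to this script as readily as to an interactive session; the hashes prove the outputs were not altered afterwards, not that the tools told the truth.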
Linux: Top Command
http://chiht.dfn-cert.de/
• The top command is a system monitor that displays and periodically updates information about the most CPU-intensive processes on a Unix system
• It shows as many processes as fit on the screen (about 15 on a standard terminal), sorted by CPU usage, and refreshes the list every few seconds
Linux: Grep Command
http://chiht.dfn-cert.de/
• The Unix grep command searches text files for lines matching a regular expression
• It is used to extract interesting information from log files
• It is a standard utility on every Unix system; the open source GNU version is also available for other platforms
Syntax
• grep [options] PATTERN [FILE...]
• grep [options] [-e PATTERN | -f FILE] [FILE...]
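The following script is an added example rather than code from the ECIH slides. It shows grep doing the job the slide describes, extracting the interesting lines from a log, and then a second pass that turns the raw matches into the question an incident handler actually asks: which sources failed repeatedly and also got an accepted login. The syslog-style auth log lines are constructed for this example (addresses are from documentation ranges) and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ECIH slides): grep and sed pulling failed-login evidence
# out of a syslog-style auth log, then a second pass for sources that failed repeatedly
# and also have an accepted login. Log lines are constructed for this example.

# write_sample_log FILE  (constructed sshd/auth log)
write_sample_log() {
cat >"$1" <<'EOF'
Mar  3 02:14:01 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:05 web01 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 02:15:10 web01 sshd[4130]: Accepted password for root from 203.0.113.7 port 51040 ssh2
Mar  3 08:02:11 web01 sshd[4302]: Accepted publickey for alice from 198.51.100.23 port 40012 ssh2
Mar  3 09:40:55 web01 sshd[4411]: Failed password for bob from 198.51.100.44 port 40100 ssh2
Mar  3 09:41:02 web01 CRON[4420]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# failed_logins_by_source LOG -> "count ip" per source address, most active first
failed_logins_by_source() {
    grep -E 'sshd\[[0-9]+\]: Failed password' "$1" |
        sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# success_after_failures LOG -> sources with failed logins that also have an Accepted line
success_after_failures() {
    failed_logins_by_source "$1" | awk '{ print $2 }' | while read -r ip; do
        if grep -Eq "sshd\[[0-9]+\]: Accepted (password|publickey) for .* from $ip port" "$1"; then
            echo "$ip"
        fi
    done
}

# Stand-alone demonstration on the constructed log.
log=$(mktemp); write_sample_log "$log"
echo "failed logins by source:"; failed_logins_by_source "$log"
echo "sources that failed and then got in:"; success_after_failures "$log"
rm -f "$log"
```

On a real host point the functions at /var/log/auth.log or /var/log/secure (or their rotated copies), and remember that the same patterns appear in the records of the Windows event log that PsLogList and DumpEvt export.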
Linux: Strings Command
http://chiht.dfn-cert.de/
• strings prints the sequences of printable characters (by default four or more) contained in a binary file
• It is used to search unknown binaries for hints about their function, such as embedded file names, URLs, IP addresses or error messages
Syntax
• strings [-afo] [-n number] [file ...]
Summary
• A computer forensic investigator must have general computer knowledge: hardware, software, operating systems, applications, etc.
• Computer forensics helps to recover, analyze and preserve computers and related materials in such a way that they can be presented as evidence in a court of law
• Forensic readiness is the ability of an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation
• Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form”
• A forensic policy defines the roles and responsibilities of all people performing or assisting with forensic activities
• Separate policies should be maintained for incident handlers and others with forensic roles
EC-Council Certified Incident Handler Version 1
Module VII
Handling Insider Threats
News: Malicious Insider Attacks to Rise
Source: http://newsvote.bbc.co.uk/
News: Experts Say Layoffs, Cost-Cutting Increase ‘Insider’ Cyber Threat
Source: http://www.cqpolitics.com/
Module Objective
This module will familiarize you with:
• Insider Threats
• Anatomy of an Insider Attack
• Insider Threats Detection
• Insider Threats Response
• Handling Insider Threats
• Guidelines for Detecting and Preventing Insider Threats
Module Flow
• Insider Threats
• Anatomy of an Insider Attack
• Insider Threat Detection
• Insider Threat Response
• Handling Insider Threats
• Guidelines for Detecting and Preventing Insider Threats
Insider Threats
• Insiders can misuse their authorized privileges to attack resources, directly affecting the confidentiality, integrity and availability of the information system
• Insiders may be current employees, disgruntled system administrators, human resources staff, contractors, business partners, etc.
• Insiders may carry out malicious activities on the organization’s network, systems and databases
• These activities impact business operations and damage the organization’s reputation and profit
Anatomy of an Insider Attack
• Understand the business process
• Gain credentials and trust
• Install logic bombs, rootkits, key loggers
• Activate logic bombs and rootkits
• Damage, publicize and/or pass information to competitors for financial gain or personal revenge
Insider Risk Matrix
An attacker who combines technical literacy with process knowledge presents the highest risk of insider attack

                            Technical Literacy
                            High                          Low
Process        High         Greatest Threat               Significant Threat
Knowledge      Low          Demonized But Insignificant   Insignificant

Source: Gartner Group Report 5605
Insider Threats Detection
• Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, a decline in performance, tardiness or unexplained absenteeism
• Insider threats can be identified by examining system event logs, including database logs, e-mail logs, application logs, file access logs and remote access logs
• Logs from firewalls, routers and intrusion detection systems can also be used to identify insider threats
The techniques used to detect insider threats are:
• Correlation (joining events from several sources, for example HR records with access logs)
• Anomaly detection (activity that departs from a user’s or group’s normal baseline)
• Pattern discovery (known sequences of actions that precede or constitute an attack)
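The following script is an added example and is not part of the ECIH slides. It runs two of the three detection techniques named above over constructed logs: correlation, by joining a file-server access log against the HR list of terminated users and flagging any activity dated after the termination; and anomaly detection, by comparing each user's after-hours download volume with their business-hours volume. The log formats, the 07:00 to 18:59 business window and the ratio threshold are this example's own assumptions, not part of the original material.

```shell
#!/bin/sh
# Added example (not from the ECIH slides): insider-threat detection by correlation
# and anomaly detection over constructed logs, implemented in awk.

# write_sample_data ACCESS_LOG HR_FILE  (both constructed for this example)
# ACCESS_LOG: DATE TIME USER ACTION BYTES        HR_FILE: USER TERMINATION_DATE
write_sample_data() {
cat >"$1" <<'EOF'
2009-04-20 09:12:04 alice read 20480
2009-04-20 10:30:11 alice read 40960
2009-04-20 23:41:09 alice download 734003200
2009-04-21 00:05:33 alice download 629145600
2009-04-20 09:05:00 bob read 10240
2009-04-20 14:22:45 bob download 5242880
2009-04-22 11:00:00 carol download 1048576
EOF
cat >"$2" <<'EOF'
carol 2009-04-21
dave 2009-03-31
EOF
}

# terminated_account_activity ACCESS_LOG HR_FILE
# Correlation: a log line for a user whose HR termination date precedes the log date
# means an account that should have been disabled is still in use.
terminated_account_activity() {
    awk 'NR == FNR { term[$1] = $2; next }
         ($3 in term) && $1 > term[$3] { print $1, $2, $3, $4 }' "$2" "$1"
}

# after_hours_anomalies ACCESS_LOG [RATIO]
# Anomaly: users whose bytes moved outside 07:00-18:59 exceed RATIO (default 5) times
# their business-hours bytes. Prints "user after_hours_bytes business_hours_bytes".
after_hours_anomalies() {
    awk -v ratio="${2:-5}" '
        { hour = substr($2, 1, 2) + 0; users[$3] = 1
          if (hour >= 7 && hour < 19) day[$3] += $5; else night[$3] += $5 }
        END { for (u in users)
                  if (night[u] > 0 && night[u] > ratio * day[u])
                      printf "%s %d %d\n", u, night[u], day[u] }' "$1" | sort
}

# Stand-alone demonstration.
work=$(mktemp -d); write_sample_data "$work/access.log" "$work/hr.txt"
echo "activity by terminated accounts:"; terminated_account_activity "$work/access.log" "$work/hr.txt"
ech "after-hours anomalies (user after_hours_bytes business_bytes):" 2>/dev/null || true
echo "after-hours anomalies (user after_hours_bytes business_bytes):"; after_hours_anomalies "$work/access.log"
rm -rf "$work"
```

Both rules are deliberately simple so that the logic is visible; in production the same joins and baselines are what a SIEM's correlation rules and a UEBA product compute, and the HR feed must arrive before the log it is correlated with, which is why the account management guidelines later in this module insist on disabling access on the day of termination.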
Insider Threats Response
• The response depends on the nature of the insider threat and the organization’s policy
• A response can be automated or may need human involvement
• The techniques used to respond to an insider threat include:
• Placing malicious users in a quarantine network so that the attack cannot spread
• Preventing malicious users from accessing sensitive information
• Disconnecting the affected computer systems from the network
• Blocking the malicious user’s accounts and physically restricting them from entering access-controlled areas
Insider’s Incident Response Plan
• An insider incident response plan helps the organization minimize or limit the damage caused by malicious insiders
• Organizations should ensure that the insider perpetrators are not part of the response team and are not aware of its progress
• Organizations should consider the rights of every employee or user when developing the incident response plan
• The plan should set out the process to be followed and the responsibilities of the members of the response team
• The organization should not share the details of the insider incident response plan with all employees
Guidelines for Detecting and Preventing Insider Threats: Human Resources
• Conduct background checks on all users and employees in sensitive positions
• Examine and respond to suspicious behavior of employees, beginning with the hiring process
• Anticipate and manage negative workplace issues
• Perform employment verification and credit checks
• Prepare an information security policy document
• Monitor and secure the organization’s physical environment
Guidelines for Detecting and Preventing Insider Threats: Network Security
• Secure computer networks by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services
• Create rules that restrict the outbound transfer of files to an authorized set of users and systems
• Prevent file sharing, instant messaging and other features that allow employees unauthorized access to corporate networks
• Scan all outgoing and incoming mail for sensitive information and malicious code
• Establish strict password policies
• Implement account management policies and procedures
Guidelines for Detecting and Preventing Insider Threats: Access Controls
• Grant employees and users only the access privileges required for the routine performance of their job roles
• Access requests granted to users should be documented and vetted by a supervisor
• Employees should obtain permission from the data owners before accessing sensitive systems
• Establish change controls on users’ systems
• When an employee is terminated, disable all access rights to physical locations, networks, systems, applications and data on the day of termination
Guidelines for Detecting and Preventing Insider Threats: Security Awareness Program
• Train staff to identify and report the malicious behavior of insiders
• Examine the organization’s policies and controls
• Implement proper system administration safeguards for critical servers
• Apply the defined security policies and controls consistently
• Enforce separation of duties in order to limit the misuse of resources
• Implement secure backup and recovery methods to ensure data availability
Guidelines for Detecting and Preventing Insider Threats: Administrators and Privileged Users
• Disable shared default administrative accounts so that every privileged action is attributable to an individual
• Ensure that administrators use unique accounts during installation processes
• Implement non-repudiation techniques (individual accounts plus tamper-evident logging) so that all actions performed by administrators and privileged users can be reviewed
• Monitor the activities of system administrators and privileged users who have permission to access sensitive information
• Use encryption to prevent administrators and privileged users from reading backup tapes and sensitive information they have no business need for
Guidelines for Detecting and Preventing Insider Threats: Backups
• Organizations should implement secure backup and recovery processes to continue business operations when systems are compromised
• Take backups regularly and test them for integrity and availability
• Secure the backup media and its content from alteration, theft, or destruction
• Implement separation of duties and configuration management procedures for performing backups of computer systems, networks, and databases
• Implement backup policies to secure the backup process and media
Guidelines for Detecting and Preventing Insider Threats: Audit Trails and Log Monitoring
• Enforce account and password policies and procedures so that online actions can be attributed to the insiders who performed them
• Periodic logging, monitoring, and auditing help the organization identify and investigate suspicious insider actions
• Audit trails should be configured for network devices, operating systems, commercial software, and custom applications
• Auditing should review and examine the changes performed on the organization's critical assets
• Protect the audit files through file permissions and store them on a central host to avoid alteration
• Implement intrusion detection and file integrity software to detect and monitor suspicious activity on sensitive data
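The following is an added example, not part of the EC-Council courseware, showing one way to put the last two points into practice in Python: it baselines the digest and permission bits of sensitive files, treats the audit log as append-only, and reports truncation, in-place rewriting, or loosened permissions. The file names and contents are constructed for the demonstration, and the baseline is kept in memory where a real deployment would store it on a separate central host.

```python
"""Added example (not from the ECIH courseware): a small file-integrity
baseline and verifier for audit logs and other sensitive files.
All file names and contents below are constructed."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 65536


def digest_prefix(path, nbytes):
    """SHA-256 over the first nbytes of a file (the whole file when nbytes is its size)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        while nbytes > 0:
            block = f.read(min(CHUNK, nbytes))
            if not block:
                break
            h.update(block)
            nbytes -= len(block)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits of every regular file under root.
    In production the baseline lives on a separate central host, not beside the logs."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": digest_prefix(p, st.st_size),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def verify(root, baseline, append_only):
    """Compare the current tree with the baseline; return sorted (path, finding) pairs.
    Files named in append_only (e.g. audit logs) may grow, but their recorded prefix
    must be unchanged; any other content change, truncation or loosened permission
    is reported."""
    findings = []
    for rel, old in baseline.items():
        p = root / rel
        if not p.is_file():
            findings.append((rel, "missing"))
            continue
        st = p.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode != old["mode"]:
            findings.append((rel, "permissions-changed"))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "group-or-world-writable"))
        if st.st_size < old["size"]:
            findings.append((rel, "truncated"))
        elif digest_prefix(p, old["size"]) != old["sha256"]:
            findings.append((rel, "rewritten"))
        elif st.st_size > old["size"] and rel not in append_only:
            findings.append((rel, "appended"))
    for rel in build_baseline(root):
        if rel not in baseline:
            findings.append((rel, "new-file"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline two files, then simulate changes an insider
    with local access could make, and return what the verifier reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log = root / "audit.log"
        data = root / "payroll.csv"
        log.write_text("type=USER_LOGIN uid=1001 res=success\n")
        data.write_text("emp,salary\n1001,50000\n")
        os.chmod(log, 0o640)
        os.chmod(data, 0o640)
        baseline = build_baseline(root)

        # Normal growth of an append-only audit log: not a finding.
        with log.open("a") as f:
            f.write("type=USER_LOGOUT uid=1001 res=success\n")
        # Audit log made world-writable: reported twice (mode changed, writable).
        os.chmod(log, 0o666)
        # Sensitive file edited in place with the same length: caught by the digest.
        data.write_text("emp,salary\n1001,90000\n")
        return verify(root, baseline, append_only={"audit.log"})


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:24} {path}")
```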
Employee Monitoring Tools
Activity Monitor
http://www.softactivity.com/
Activity Monitor is computer monitoring software and a key logger
It allows you to track any LAN, giving you detailed information on what your network users did, how, and when
Features:
• Live view of remote desktops
• Easy Internet usage monitoring
• Monitor software usage
• Record activity log for all workplaces in one centralized location on the main computer with Activity Monitor installed
• Store complete history of communications for every user
• Track any user's keystrokes on your screen in real-time mode
Activity Monitor: Screenshot 1
Activity Monitor: Screenshot 2
Net Spy Pro
http://www.net-monitoring-software.com/
Net Spy Pro is employee and student network monitoring software
It allows you to monitor all user activity on your network in real time from your own workstation
Features:
• Allows the administrator to view an actual screenshot of one, some or all workstations instantly
• Shows the administrator a list of the favorites in a user's Internet Explorer browser
• Shows you a list of all files in the temporary history (cache) of the Internet Explorer browser
• Allows an administrator to view all open ports on a workstation
• Shows the administrator a full list of processes and services running on the remote machine
• Shows the administrator a list of recent documents opened by a user
Net Spy Pro: Screenshot 1
Net Spy Pro: Screenshot 2
Spector Pro
http://www.spectorsoft.com/
Spector Pro is monitoring and recording software for every detail of PC and Internet activity, in your home or in your office
Features:
• Keystrokes typed recording
• MySpace and Facebook recording
• Online searches recording
• Web sites visited recording
• Summary reports
• Email activity recording
• Program activity recording
• Keywords detected recording
• Files transferred recording
• User activity recording
Spector Pro: Screenshot 1
Spector Pro: Screenshot 2
SpyAgent
http://www.spytech-web.com/
Spytech SpyAgent is computer spy software that allows you to monitor everything users do on your computer
Features:
• Keystroke logging
• Emails sent and received monitoring
• Events timeline logging
• Internet chat conversations monitoring
• Website activity monitoring
• Application usage monitoring
• Computer usage logging
• Intelligent screenshot capturing
• Internet traffic data monitoring
• Files uploaded and downloaded monitoring
• Files/documents accessed logging
SpyAgent: Screenshot 1
SpyAgent: Screenshot 2
Handy Keylogger
http://www.handy-keylogger.com/
Handy Keylogger is a user-friendly spy key logger
It captures all keystrokes, monitors internet usage, grabs screenshots by time and interval, monitors the clipboard, and sends the logs to your e-mail address invisibly
Features:
• Monitor every key stroke on your keyboard
• Grab key strokes under all user accounts
• Log all clipboard events: text and graphics copied to the clipboard
• Record Internet/websites activity
• Log chats and e-mails typed on your PC
• Record instant messengers
• Capture all passwords
• Invisibly send logs to your mailbox
Handy Keylogger: Screenshot 1
Handy Keylogger: Screenshot 2
Anti Keylogger
http://www.anti-keyloggers.com/
Anti-keylogger is a dedicated anti-keylogging product for Microsoft Windows
It protects computers against information-stealing programs and modules
Features:
• Prevents online identity theft
• Prevents Internet banking fraud
• Secures email communication, instant messaging and chat
• Eliminates leakage of confidential or proprietary information
• Keeps usernames, passwords, PINs, etc. safe
• Reduces security breaches
• Enforces computer and Internet Acceptable Use Policies (AUP)
• Disables espionage software of your competitors
Anti Keylogger: Screenshot
Actual Spy
http://www.actualspy.com/
Actual Spy is a keylogger which allows you to find out what other users do on your computer in your absence
It is capable of catching all keystrokes, capturing the screen, logging the programs being run and closed, and monitoring the clipboard contents
Features:
• Logs all keystrokes
• Makes screenshots within the specified time interval
• Saves the applications' running and closing
• Watches clipboard contents
• Records all print activity
• Records disk changes
• Records internet connections
• Records all websites visited
Actual Spy: Screenshot 1
Actual Spy: Screenshot 2
IamBigBrother
http://www.iambigbrother.com/
IamBigBrother is internet monitoring software for both homes and businesses
It runs in stealth mode, where it is not detected by the user of the computer
It records all of the internet activity for many programs including America Online, MSN, Outlook Express, etc.
Features:
• Chat and instant message recording
• Email recording
• Web sites viewed
• Keystroke recording
• Screen capture
IamBigBrother: Screenshot 1
IamBigBrother: Screenshot 2
007 Spy Software
http://www.e-spy-software.com/
007 Spy Software is computer monitoring software which allows you to secretly record all activities on a computer and take screen snapshots at set intervals
Features:
• Capability of overriding Anti-Spy programs such as Ad-aware
• View logs remotely with your favorite browser from anywhere at any time
• Supports user filters to spy on specific users
• View all users' logs with a single login
• Captures the screen at the highest speed
• Automatically starts up in active and stealth mode
• Powerful keylogger engine to capture all passwords
• Built-in slide show for screen snapshot pictures
007 Spy Software: Screenshot 1
007 Spy Software: Screenshot 2
SpyBuddy
http://www.exploreanywhere.com/
SpyBuddy 2009 is computer monitoring software that reveals what your employee is really doing on the computer
It secretly records all internet and computer related activities and presents the information to you
Features:
• Chat blocking
• Websites blocking
• Clipboard activity monitoring
• Screenshot recording
• Keystrokes typed recording
• Online search recording
• Print activity monitoring
SpyBuddy 2009: Screenshot 1
SpyBuddy 2009: Screenshot 2
SoftActivity Keylogger
http://www.softactivity.com/
SoftActivity Keylogger is a spying engine that runs in the background and secretly records URLs visited in the browser, keystrokes in any program, chat conversations, and received and sent email
It captures screenshots of the desktop at a preset interval
Features:
• Logs everything
• Screenshot recording with advanced IntelliSnap™ technology
• Enhanced reporting features
• Works secretly
• Receive reports by email
• Complete compatibility
SoftActivity Keylogger: Screenshot 1
SoftActivity Keylogger: Screenshot 2
Elite Keylogger
http://www.widestep.com/
Elite Keylogger is a keylogger for monitoring and recording every detail of PC and Internet activity everywhere: at home or in the office
Features:
• Keystroke recording
• Undetectable
• Chats, IMs, E-mail recording
• Clipboard monitoring
• Application activity recording
• Winlogon and passwords monitoring
• Screenshots recording
Elite Keylogger: Screenshot 1
Elite Keylogger: Screenshot 2
Spy Sweeper
http://www.webroot.com/
Spy Sweeper is antispyware software that blocks and removes spyware
It delivers advanced spyware detection to beat dangerous spyware programs
Features:
• Advanced detection and removal capabilities
• Real-time threat protection
• Enhanced rootkit discovery methods
• Minimal impact on computer performance
• Windows Vista compatible
• Multiple user protection
• Up-to-date spyware news and information
Spy Sweeper: Screenshot
Summary
• Insiders perform malicious activities on the organization's network, systems, and databases
• Response depends on the nature of the insider threat and the organization's policy
• Insider threats can be detected by examining the system event logs, including database logs, email logs, application logs, file access logs, and remote access logs
• Access privileges should be granted to employees or users based on what their job roles routinely require
• Organizations should implement secure backup and recovery processes to continue business operations when systems are compromised
Sample EC-Council Certified Incident Handler Version 1
Module IX
Incident Reporting
News: Infosec 2009 Experts Discuss the Cyber Crime Landscape
28 Apr 2009
Every person who goes online has a part to play in helping to reduce e-crime and better secure cyberspace, according to a panel of experts speaking at the Infosecurity Europe show in London. Philip Virgo, secretary general of Eurim, began the panel debate by highlighting the development of today's real-world law enforcement agencies, which were originally created by businesses such as rail companies and banks rather than by governments. Virgo believes that we cannot expect governments to shoulder all the responsibility for policing the internet. He believes that only by users, agencies, security firms and organisations working together can the huge problem of cyber crime begin to be addressed. His call was echoed by Charlie McMurdie, detective superintendent of the newly formed Police Central e-Crime Unit (PCeU), who is pushing for greater interaction between the various stakeholders, both public and private, across various countries. "Currently, everyone is doing different things in different ways," she said. "We need to develop structure, standards and training, not only for the 43 police forces across the UK, but all the organisations involved in helping detect, prevent and track down illegal online behaviour." This will help to speed up investigations, and help eliminate duplication, thereby freeing up more of the limited resources, according to McMurdie. The PCeU is pushing for end users to get involved as well by reporting even relatively minor instances of e-crime, as these can help to locate and identify the large organised criminal gangs.
Source: http://www.vnunet.com/
Module Objective
This module will familiarize you with:
• Incident Reporting
• Why to Report an Incident
• Whom to Report an Incident
• Federal Agency Incident Categories
• Organizations to Report Computer Incident
• Incident Reporting Guidelines
Module Flow
Incident Reporting
Why to Report an Incident
Federal Agency Incident Categories
Whom to Report an Incident
Organizations to Report Computer Incident
Incident Reporting Guidelines
Incident Reporting
Incident reporting is the process of reporting the information regarding an encountered security breach in a proper format
Incidents that should be reported include:
• Logs of unauthorized access showing failed or successful attempts
• Unwanted disruption
• Denial of service
• Use of a system for processing or storage of data
• Changes made to the system's hardware or software
Why to Report an Incident
It is necessary to report an incident in order to:
• Receive technical assistance, including guidance on detecting and handling the incidents
• Improve awareness of IT security issues and prevent other nuisances
• Provide stronger protection for systems and data
• Deal properly with legal issues
• Learn about new threats and incident trends
• Be prepared for handling future incidents
Why Organizations do not Report Computer Crimes
• Misunderstanding of the scope of the problem
  • Misconception that this does not happen to other organizations
• Fear of negative publicity
  • Proactive reporting and handling of the incident allows many organizations to put their own spin on the media reports
• Potential loss of customers
• Desire to handle things internally
• Lack of awareness of the attack
Whom to Report an Incident
• Head of information security
• Local information security officer
• Incident response teams in the organization
• Human resources
• Public affairs officer
• Legal department
• CERT
How to Report an Incident
Incidents are reported using:
• Electronic Mail
• Online reporting forms
• Telephone calls
• Facsimile (FAX)
• In person
• Voice mailbox greeting
• Paper (e.g., post notices on bulletin boards and doors, hand out notices at all entrance points)
Details to be Reported
Details to be reported include:
• Date, time, and location of the incident
• Contact information
• Intensity of the incident
• Circumstances that revealed the incident
• Summary of hosts involved
• Description of the activity
• The nature of the violation
• Type of private data involved
• Other persons involved
• Any immediate harm known or observed
• Immediate corrective actions already taken
Preliminary Information Security Incident Reporting Form

System Information
Name of the Department: ____________
Brief description of the affected system: ____________
Physical location of the affected system: ____________
System administration/operation by: ____________

Contact Information
Name: ____________
Designation: ____________
Telephone Number: ____________
Mobile Number: ____________
Email Address: ____________
Fax Number: ____________

Incident Details
Date/Time (Detected): ____________
Symptoms of Incident: ____________
Impacts:
• Defacement of web site
• Service interruption (denial of service attack / mail bomb / system failure)
• Massive malicious code attack
• Loss / damage / unauthorized alteration of information
• Compromise / leakage of sensitive information
• Intrusion / unauthorized access
• Others, please specify: ____________
Please provide details on the impact and service interruption period, if any: ____________
Actions Taken: ____________
Current System Status: ____________
Other Information: ____________
CERT Incident Reference Numbers
• CERT assigns reference numbers for every reported activity
• These numbers help CERT to track correspondence and identify related activity
• These numbers are unique and selected randomly
• These numbers should be mentioned clearly in the subject line of any mail messages regarding the incident
• e.g. CERT# XXXX; the US-CERT reference number US CERT-06-0001 shows that it was the first case registered at US-CERT in 2006
Contact Information
• Contact information should include at least an email address and telephone number
• If possible, include a fax number and a cellular telephone number
• The time zone from which the report is made should be mentioned
• It is good to specify an alternate contact in case the victim is unavailable
Sample Report Showing Contact Information
Contact Information
Source: https://forms.us-cert.gov/
Summary of Hosts Involved
• The hosts involved in the incident or related activity are the most obvious information to be noted
• Sometimes, hosts used in one incident may have been used earlier
• A summary of the IP addresses and hostnames involved in the incident should be included in the report
• Hosts involved in the incident must be identified, and the information released, as per the organization's policies and procedures
Sample Report Showing Summary of Hosts Involved
Summary of Hosts
Source: http://www.cert.org/
Description of the Activity
Activity description should include:
• Date
• Methods of intrusion
• Intruder tools involved
• Software versions and patch levels
• Intruder tool output
• Details of vulnerabilities exploited
• Source of attack
• Any other relevant information
Sample Report Showing Description of the Activity
Description of Activity
Source: http://www.nitc.state.ne.us/
Log Extracts Showing the Activity
• Logs provide significantly more detail than the description
• Log entries showing the activity should be included along with the report
• To avoid confusion, remove the log entries that are not related to the incident
• Ensure that non-disclosure policies are not violated when sending log entries to other sites
Example Showing the Log Extracts of an Activity
Source: http://www.kerio.co.uk/
Time Zone
• Dates, times, and time zones are confusing when used casually in international communications; hence clearly identify the date, time, and location of the incident
• A time zone reference relative to GMT (or UTC), such as GMT-5, is preferred, since less formal time zone designations can be misinterpreted
• If the system clock's inaccuracy exceeds a minute or two, mention it in the report
• If the system was synchronized with a national time server via the Network Time Protocol, mention that in the report as well
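As an added example (not part of the EC-Council courseware), the Python below prepares a log extract the way the Log Extracts and Time Zone slides describe: it keeps only entries from the hosts involved, converts the source clock's local time to UTC while stating the original offset and whether the clock was NTP-synchronized, and redacts internal identifiers that a non-disclosure policy would not allow out. The syslog lines, hostnames and the redacted username are constructed; the GMT-5 offset is the slide's own example.

```python
"""Added example (not from the ECIH courseware): turning raw syslog lines into
a log extract suitable for an incident report. Sample data is constructed."""
import re
from datetime import datetime, timedelta, timezone

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Constructed sample: classic syslog lines carry no year and no time zone,
# which is exactly why the report must state both explicitly.
SAMPLE_LOG = [
    "Apr 22 09:03:12 web01 sshd[4321]: Failed password for jsmith from 203.0.113.45 port 50122 ssh2",
    "Apr 22 09:03:15 web01 sshd[4321]: Failed password for jsmith from 203.0.113.45 port 50130 ssh2",
    "Apr 22 09:03:20 web01 sshd[4321]: Accepted password for jsmith from 203.0.113.45 port 50141 ssh2",
    "Apr 22 09:04:01 mail01 postfix/smtpd[880]: connect from unknown[198.51.100.7]",
    "Apr 22 09:05:44 web01 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; COMMAND=/usr/bin/tar czf /tmp/p.tgz /srv/payroll",
    "this line is not in syslog format and is dropped",
]


def offset_label(tz):
    """Render a fixed-offset zone the way the slide suggests, e.g. GMT-5 or GMT+5:30."""
    minutes = int(tz.utcoffset(None).total_seconds() // 60)
    sign = "-" if minutes < 0 else "+"
    hours, mins = divmod(abs(minutes), 60)
    return f"GMT{sign}{hours}" + (f":{mins:02d}" if mins else "")


def parse_syslog_line(line, year, local_tz):
    """Return (utc_datetime, host, message), or None for a non-syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=local_tz)
    return local.astimezone(timezone.utc), m["host"], m["msg"]


def prepare_log_extract(lines, incident_hosts, year, local_tz, redactions, ntp_synced):
    """Build the header line and the entries of the log extract for the report."""
    sync = "synchronized via NTP" if ntp_synced else "NOT NTP-synchronized; accuracy unknown"
    header = (f"Source clock: {offset_label(local_tz)}, {sync}; "
              f"timestamps below converted to UTC")
    entries = []
    for line in lines:
        parsed = parse_syslog_line(line, year, local_tz)
        if parsed is None:
            continue
        when, host, msg = parsed
        if host not in incident_hosts:
            continue  # unrelated entries only confuse the recipient
        for internal, placeholder in redactions.items():
            msg = re.sub(rf"\b{re.escape(internal)}\b", placeholder, msg)
        entries.append(f"{when.strftime('%Y-%m-%dT%H:%M:%SZ')} {host} {msg}")
    return header, entries


def demo():
    """Run the constructed scenario: one incident host, a GMT-5 source clock."""
    return prepare_log_extract(
        SAMPLE_LOG,
        incident_hosts={"web01"},
        year=2009,                               # syslog omits the year
        local_tz=timezone(timedelta(hours=-5)),  # source clock was GMT-5
        redactions={"jsmith": "[internal-user-1]"},
        ntp_synced=True,
    )


if __name__ == "__main__":
    header, entries = demo()
    print(header)
    print("\n".join(entries))
```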
Federal Agency Incident Categories

Category: CAT 0
Name: Exercise/Network Defense Testing
Description: This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.
Reporting Timeframe: Not Applicable; this category is for each agency's internal use during exercises.

Category: CAT 1
Name: Unauthorized Access
Description: In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.
Reporting Timeframe: Within one (1) hour of discovery/detection.

Category: CAT 2
Name: Denial of Service (DoS)
Description: An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.
Reporting Timeframe: Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.

Category: CAT 3
Name: Malicious Code
Description: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
Reporting Timeframe: Daily. Note: Within one (1) hour of discovery/detection if widespread across agency.

Category: CAT 4
Name: Improper Usage
Description: A person violates acceptable computing use policies.
Reporting Timeframe: Weekly

Category: CAT 5
Name: Scans/Probes/Attempted Access
Description: This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
Reporting Timeframe: Monthly. Note: If system is classified, report within one (1) hour of discovery.

Category: CAT 6
Name: Investigation
Description: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.
Reporting Timeframe: Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.

Source: http://www.us-cert.gov/
Organizations to Report Computer Incident
• United States Internet Crime Task Force
• Internet Crime Complaint Center (IC3)
• Computer Crime and Intellectual Property Section (CCIPS)
• Internet Watch Foundation (IWF)
United States Internet Crime Task Force
http://www.usict.org/services.asp
Internet Crime Complaint Center (IC3)
http://www.ic3.gov/
Computer Crime & Intellectual Property Section
http://www.usdoj.gov/criminal/cybercrime/reporting.htm
Internet Watch Foundation (IWF)
http://www.iwf.org.uk/
Incident Reporting Guidelines
Victims should attempt to gather the following information before reporting:
• Name and address of the reporting agency
• Name, address, e-mail address, and phone number(s) of the reporting person
• Name, address, e-mail address, and phone number(s) of the victim
• Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate information security officer, system administrator, etc.)
• Description of the incident
• Date and time the incident occurred
• Date and time the incident was discovered
• Any actions taken at, and following, the time of discovery, prior to calling CERT
Source: http://www.chp.ca.gov/
Incident Reporting Guidelines (cont'd)
Additional information that should be gathered by the victim:
• Make / model of the affected computer(s)
• Serial and state asset identification numbers of the affected devices
• IP address of the affected computer(s)
• Assigned name of the affected computer(s)
• Operating system of the affected computer(s)
• Location of the affected computer(s)
Sample Incident Reporting Form 1
Source: http://www.nbt.nhs.uk/
Sample Incident Reporting Form 2
Source: http://www.neola.com/
Sample Incident Reporting Form 2 (cont'd)
Source: http://www.neola.com/
Sample Incident Reporting Form 2 (cont'd)
Source: http://www.neola.com/
Sample Incident Reporting Form 3
Source: http://www.occs.odu.edu/
Sample Post Incident Report Form
Source: http://www.ogcio.gov.hk/
Post Incident Report (cont'd)
Source: http://www.ogcio.gov.hk/
Sum m ary Incident reporting is the process of reporting the inform ation regarding the encountered security breach in a proper form at Incidents should be reported in order to receive technical assistance including guidance on detecting and handling the incidents CERT incident reference n um bers help CERT to track correspondence and identify related activity Contact inform ation should include at least an em ail address and telephone n um ber Hosts involved in the in cident or related activity is the m ost obvious inform ation to be noted Logs provide significantly m ore details than the description United State Internet Crim e Task Force is a n on-profit, governm ent assist, and victim advocate agency EC-Council
EC-Council Certified Incident Handler Version 1
Module X: Incident Recovery
News: Police Seek Grant for Communications and Computer Equipment, 05/07/2009
In part of the 2009 American Recovery and Reinvestment Act, the Justice Department will be funding a number of grants for law enforcement. The Watertown Police Department will be applying to receive $24,000 in funding from the Edward Byrne Memorial Justice Assistance Grant. According to Chief John Gavallas, the Police Department intends to use the funding to purchase equipment to operate a critical incident command center and briefing room. Purchases will include telephone systems, computers, computer monitors, printers, upgrades to the IT systems, presentation equipment, multiple internet access points, audio-visual equipment including televisions, DVD and video players and projectors. "This will allow us to conduct roll call training in the briefing room and the equipment will provide incident commanders the equipment in managing a critical incident in town," said Chief Gavallas. The two principal requirements of the grant are public notice and that authorization to apply for the grant is given by the governing authority of the town. The Town Council gave approval for the grant application during its regular May 4 meeting. The grant is named in honor of New York City Police Officer Edwin Byrne, who was killed in the line of duty while conducting a stakeout to monitor drug activity in 1988.
Source: http://www.zwire.com/
Module Objective
This module will familiarize you with:
• Incident Recovery
• Principles of Incident Recovery
• Incident Recovery Steps
• Contingency/Continuity of Operations Planning
• Business Continuity Planning
• Incident Recovery Plan
• Incident Recovery Planning Team
• Business Impact Analysis
Module Flow
Incident Recovery
Principles of Incident Recovery
Contingency/Continuity of Operations Planning
Incident Recovery Steps
Business Continuity Planning
Incident Recovery Plan
Business Impact Analysis
Incident Recovery Planning Team
Incident Recovery
Incident recovery is the process of rebuilding and restoring the computer systems affected by an incident to their normal operational state
System recovery involves all processes, policies, and tools that are used to restore normal business functions
Incident recovery measures depend on the severity of incidents, criticality of the affected systems or processes, impact on business revenues, and available resources
Principles of Incident Recovery
Support and involvement of upper-level managers leads to a robust incident recovery plan
Assess the organization on a regular basis
Policies and procedures adopted must be documented and made available to the intended staff to meet the business operational needs
Determine the managers responsible for declaring, responding to, and recovering from an incident
Restrict communications among internal and external supporters of the organization
Principles of Incident Recovery (cont’d)
Train employees to handle unforeseen crises
Procedures must be tested and rehearsed to detect the vulnerabilities in the plan
Planners must identify new threats and update plans accordingly
Evaluate the effectiveness of the procedure and monitor safety and hygiene issues of the employees
Incident Recovery Steps
Step 1: System restoration
Step 2: System validation
Step 3: System operations
Step 4: System monitoring
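Step 2 (system validation) is the gate between restoration and returning a system to operations, and the most concrete form it takes is an integrity comparison against a known-good baseline. The following Python is an added example, not part of the course material: it builds a SHA-256 manifest of a constructed three-file "system", simulates a restoration that drifted one configuration file, lost one file and left a stray file behind, and reports every deviation so that Step 3 proceeds only on a clean result. File names and contents are invented for the demonstration.

```python
"""Incident recovery Step 2 (system validation): compare a restored tree
against a known-good baseline manifest before returning it to operations.
Added example; not course material. Paths and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large restored artifacts do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every regular file under root.
    In practice the baseline comes from a trusted gold image or clean backup."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def validate_restore(root: Path, baseline: dict) -> dict:
    """Report every deviation from the baseline. An empty report is the
    condition for Step 3 (system operations); anything else sends the
    system back to Step 1 (restoration)."""
    current = build_manifest(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ready_for_operations": not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline of a tiny 'system', then simulate
    a restoration that drifted one file, lost one, and left a stray one behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "service").write_bytes(b"\x7fELF-stand-in")
        baseline = build_manifest(root)

        # Simulated restoration outcome (constructed): config drift, a missing
        # file, and a leftover file that was never part of the baseline.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "tmp_leftover.bin").write_bytes(b"leftover")
        return validate_restore(root, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Step 4 (system monitoring) reuses the same manifest: re-running `validate_restore` on a schedule after the system is back in operation turns the one-time validation into ongoing drift detection.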
Contingency/Continuity of Operations Planning
A contingency plan is a set of specific strategies, guidelines, and processes to recover from an incident resulting from a particular problem or emergency
It is necessary for a company or business to function normally
Guidelines for contingency planning are as follows:
Starting point
• Focuses on the development and maintenance of the plan
Impact assessment
• Problem analysis
• Checks what sort of problems/incidents can occur
• Checks for the likelihood of the occurrence of the problem
• Checks for the severity of the problem
Plan development
• The contingency plan is developed in this phase by considering the system threats and available resources
• It regulates the business process by setting an order or priority of the organizational processes
Contingency/Continuity of Operations Planning (cont’d)
Testing the plan
• In this phase, the developed plan is tested to determine whether the plan can actually work in a real-time environment
• Testing results are documented for future reference
Personnel training
• Personnel need to undergo training to get familiar with the plan, which helps them to perform their tasks and responsibilities effectively
Maintaining the plan
• As processes are added or deleted by the organization, the plans should be updated regularly
Contingency/Continuity of Operations Planning (cont’d)
Components of contingency planning:
• Supporting Information
• Notification/Activation (supplies notification procedures and offers activation of the plan)
• Recovery (recovers the data with the help of backups)
• Reconstitution (restores original information after the incident)
• Plan Appendices (provides records of further analysis)
Contingency/Continuity of Operations Planning (cont’d)
Continuity of operations provides an alternative site to the organization for a period of one month so as to recover from the incident and perform normal organizational operations
Business Continuity Planning
Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, as well as a solid backup and recovery strategy
Source: http://www.microsoft.com/
It provides a planning methodology that allows continuity in business operations before, during, and after an incident or event
Some other plans that are included in the business continuity plan are:
• Incident/disaster recovery plan
• Business recovery plan
• Business resumption plan
• Contingency plan
Incident Recovery Plan
An incident recovery plan is a statement of actions that should be taken before, during, or after an incident
Document and test the plan in order to ensure the continuity of operations and availability of resources during an incident
The planning process should ensure continuity of operations, some level of organizational stability, and an orderly recovery from the incident that occurred
The objectives of an incident recovery plan are:
• Providing security to computers
• Optimizing the risks
• Providing assurance of the reliability of systems
• Providing a standard for testing the plan
• Reducing the decision making during an incident
Incident Recovery Planning Process
Establish the incident recovery planning team
Perform business impact analysis to assess risks
Delegate responsibilities across the organization
Develop policies and procedures
Document the incident recovery procedures
Handle incidents
Train staff and test the plan
Incident Recovery Planning Team
The incident recovery planning team must have members representing different departments within the organization
Members of the incident recovery teams should have the required skills, business process knowledge, and experience
Each department must maintain its own recovery planning group to conduct research, assess, and implement the plan
IT and network managers must address enterprise and specific department and business issues
Business Impact Analysis
Business impact analysis identifies the impact of uncontrolled and nonspecific events on the business process
Steps in business impact analysis are as follows:
• Identify key business processes and functions
• Establish requirements for business recovery
• Determine resource interdependencies
• Determine impact on operations
• Develop priorities and classification of business processes and functions
• Develop recovery time requirements
• Determine financial, operational, and legal impact of disruption
Business Impact Analysis (BIA) Template
Organization:
Date BIA Completed:
System Name:
BIA POC:
System Manager Point of Contact (POC):
System Description: {Discussion of the system purpose and architecture, including system diagrams}
A. Identify System POCs
Role
Internal {Identify the individuals, positions, or offices within your organization that depend on or support the system; also specify their relationship to the system}
________________________________________
________________________________________
External {Identify the individuals, positions, or offices outside your organization that depend on or support the system; also specify their relationship to the system}
________________________________________
________________________________________
Source: http://csrc.nist.gov/
Business Impact Analysis (BIA) Template (cont’d)
B. Identify System Resources {Identify the specific hardware, software, and other resources that comprise the system; include quantity and type}
Hardware
Software
Other resources
C. Identify critical roles {List the roles identified in Section A that are deemed critical}
________________________________________
________________________________________
D. Link critical roles to critical resources {Identify the IT resources needed to accomplish the roles listed in Section C}
Critical Role                Critical Resources
________________________________________
________________________________________
________________________________________
Source: http://csrc.nist.gov/
Business Impact Analysis (BIA) Template (cont’d)
E. Identify outage impacts and allowable outage times {Characterize the impact on critical roles if a critical resource is unavailable; also, identify the maximum acceptable period that the resource could be unavailable before unacceptable impacts resulted}
Resource                Outage Impact                Allowable Outage Time
________________        ________________             ________________
________________        ________________             ________________
________________        ________________             ________________
F. Prioritize resource recovery {List the priority associated with recovering a specific resource, based on the outage impacts and allowable outage times provided in Section E. Use a quantitative or qualitative scale (e.g., high/medium/low, 1-5, A/B/C)}
Resource                Recovery Priority
Source: http://csrc.nist.gov/
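Sections E and F of the template, together with the "determine resource interdependencies" step of the BIA, are easy to get wrong when filled in by hand: a resource that looks unimportant on its own (long allowable outage) may sit underneath a critical one, and then it must be recovered first. The Python below is an added example, not NIST's template logic or course material; it scores each resource from its outage impact and allowable outage time, pushes urgency down dependency chains so that a prerequisite never ranks below what depends on it, and emits Section F with a high/medium/low scale. The resource names, scores and thresholds are constructed for the demonstration.

```python
"""BIA Sections E/F as code: derive a recovery priority (Section F) from outage
impact, allowable outage time and resource interdependencies (Section E and the
BIA steps). Added example; entries, weights and thresholds are constructed."""
from dataclasses import dataclass

# Qualitative outage impact (Section E) mapped to a numeric weight (assumed scale).
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ResourceEntry:
    resource: str
    outage_impact: str             # "low" | "medium" | "high"
    allowable_outage_hours: float  # maximum tolerable period of unavailability
    depends_on: tuple = ()         # resources this one cannot run without


def own_score(entry: ResourceEntry) -> float:
    """Higher impact and shorter allowable outage -> more urgent to recover."""
    return IMPACT_SCORE[entry.outage_impact] / max(entry.allowable_outage_hours, 0.25)


def label(score: float) -> str:
    """Section F scale (assumed thresholds on the urgency score)."""
    if score >= 1.0:
        return "high"
    if score >= 0.5:
        return "medium"
    return "low"


def topological_order(entries):
    """Dependencies before dependents; raises KeyError on an undeclared dependency."""
    by_name = {e.resource: e for e in entries}
    seen, order = set(), []

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for dep in by_name[name].depends_on:
            visit(dep)
        order.append(name)

    for entry in entries:
        visit(entry.resource)
    return order


def prioritize(entries):
    """Rank resources for recovery. A dependency inherits the urgency of anything
    built on it, so a 'low' database still recovers ahead of the 'high' app it serves."""
    by_name = {e.resource: e for e in entries}
    topo = topological_order(entries)
    effective = {name: own_score(by_name[name]) for name in topo}
    # Reverse topological order visits each resource after all of its dependents,
    # so one pass propagates urgency all the way down a dependency chain.
    for name in reversed(topo):
        for dep in by_name[name].depends_on:
            effective[dep] = max(effective[dep], effective[name])
    # Stable sort keeps a dependency ahead of its dependent when scores tie.
    ranked = sorted(topo, key=lambda n: -effective[n])
    return [
        {
            "resource": name,
            "own_score": round(own_score(by_name[name]), 3),
            "effective_score": round(effective[name], 3),
            "priority": label(effective[name]),
        }
        for name in ranked
    ]


# Constructed Section E entries for a small environment.
SAMPLE_ENTRIES = [
    ResourceEntry("Active Directory", "high", 2),
    ResourceEntry("Database cluster", "medium", 8),
    ResourceEntry("Payroll application", "high", 4, ("Active Directory", "Database cluster")),
    ResourceEntry("Intranet wiki", "low", 72),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ENTRIES):
        print(f"{row['priority']:6}  {row['effective_score']:6}  {row['resource']}")
```

In the constructed data the database cluster scores 0.25 on its own (low) but is lifted to 0.75 (medium) because payroll depends on it, and it is ordered ahead of payroll. This is the check worth automating: review the hand-filled Section F against the dependency-propagated ranking and reconcile any resource whose declared priority is lower than that of a system built on it.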
Incident Recovery Plan Implementation
Allocate tasks for implementation
Create an implementation schedule
Allocate the incident recovery documentation
Evaluate the worth and efficiency of mitigation steps
Incident Recovery Training
Train the staff to research incident recovery issues
Organizations should identify the required skills and appoint suitable people in the planning process
Organizations should prepare an agenda for the team and set tasks for achieving goals
A highly centralized and structured information management department can process at a faster pace
Incident Recovery Testing
Testing determines the effectiveness of policies and procedures when implemented
Procedure audits:
• Employees view the procedure to determine its authenticity and efficiency in executing procedures
Live walk-throughs of procedures:
• Determines the procedure’s effectiveness
Live walk-throughs of related processes:
• Related procedures are implemented to check their effectiveness
Scenario testing:
• Creates a mock incident that inspects the working process of the events
Incident Recovery Testing (cont’d)
Work group-level tests:
• Creates a mock incident for a specific group of people
Department-level tests:
• Creates a mock incident to which the entire department must respond
Facility-level tests:
• Creates a mock incident for which an entire facility is liable
Enterprise-level tests:
• Creates a mock incident to which the entire organization must respond
Summary
Incident recovery is the process of restoring and rebuilding the computer systems affected by an incident to normal operations
A contingency plan provides backups of documents so the organization can overcome an incident
Business continuity is the ability of an organization to continue to function even after a disastrous event
An incident recovery plan is a statement of actions that should be taken before, during, or after an incident
EC-Council Certified Incident Handler Version 1
Module XI: Security Policies and Laws
Module Objective
This module will familiarize you with:
• Key elements of Security Policy
• Purpose of a Security Policy
• Design of Security Policy
• Examples of Security Policies
• Acceptable Use Policy
• Role of Law in Incident Handling
• Legal issues when dealing with an Incident
• Laws and Acts
• Intellectual Property Laws
Module Flow
Key Elements of Security Policy
Purpose of a Security Policy
Examples of Security Policies
Design of Security Policy
Acceptable Use Policy
Role of Law in Incident Handling
Laws and Acts
Legal Issues When Dealing With an Incident
Intellectual Property Laws
Security Policies
Security Policy
A security policy is a document that states in writing how a company plans to protect its physical and information technology assets
It defines what business objectives and security goals are desired by the management
It is a living document: the document is never finished, but is continuously updated depending upon technology and employee requirements
It depicts the basic architecture of the company’s security environment
Key Elements of Security Policy
• Clear communication
• Brief and clear information
• Defined scope and applicability
• Enforceable by law
• Recognizes areas of responsibility
• Sufficient guidance
• Top management involvement
Goals of a Security Policy
Security policies help in protecting the organization’s systems and information assets from abuse and inappropriate use
They set the guidelines for responding to internal and external incidents
Security policies help in establishing mechanisms for the organization to satisfy its legal and ethical responsibilities
Security policies provide an outline for the management and administration of the organization’s security
Characteristics of a Security Policy
They must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods
They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible
They must clearly define the areas of responsibility for the users, administrators, and management
They must be documented, distributed, and communicated
Design of Security Policy
Security policy structure should contain:
• A detailed description of the policy issues
• Description of the status of the policy
• Functionalities of those affected by the policy
• Compatibility level of the policy
• Applicability of the policy to the environment
Implementing Security Policies
Implementation follows after building, revision, and updating of the security policy
The final version must be made available to all of the staff members in the organization
For effective implementation, there must be job rotation so that data handling is not restricted to a fixed set of people
A proper security awareness program, cooperation, and coordination among employees are required
Examples of Security Policies
Access Control Policy
An access control policy authorizes permission for a user to perform a set of actions on a set of resources
It authorizes access on a ‘need to use’ basis, through an appropriate approval process
Access to resources is granted on the basis of necessity, to persons whose job role responsibilities require the use of those resources
Unauthorized access is prevented by implementing managed controls
Sample Access Control Policy
Source: http://www.qgcio.qld.gov.au/
Sample Access Control Policy (cont’d)
Source: http://www.qgcio.qld.gov.au/
Importance of Access Control Policies
Protects the system by implementing the personnel procedures set by the management
Protects the system automatically by implementing the software and hardware controls
Dictates the policies, procedures, and accountability to control the system’s use
Acts as a detective control in investigation to find out the act that has already occurred
Acceptable Use Policy (AUP)
An acceptable use policy is a set of rules applied by an organization, network, or Internet service to restrict their usage
In some cases, these documents are named Internet and E-mail Policy, Internet AUP, Network AUP, or Acceptable IT Use Policy
The most important part of an AUP document is the code of conduct governing the behavior of a user whilst connected to the organization, network, or Internet
They are similar to, and often do the same job as, a document labeled ‘Terms of Service’
Personal Computer Acceptable Use Policy
Source: http://www.watchguard.com/
Administrative Security Policy
An administrative security policy ensures that the organization’s resources are properly managed, used, protected, and controlled
It defines the security and protection requirements for information and information systems
It specifies the responsibility to manage the information security risk of the organization
Importance of Administrative Security Policies
Safeguards valuable, confidential, or proprietary information from unauthorized access or disclosure
Limits legal liability arising from the actions of employees or third parties
Ensures the availability of data and processing resources
Ensures the integrity of the information, and protects it from unauthorized and undetected modification, manipulation, insertion, and deletion
Asset Control Policy
An asset control policy is designed to protect the organizational resources on the network by establishing the policies and procedures
It enables organizational assets to be tracked concerning their location and who is using them
An asset tracking database is created to track assets, which includes all information on the Asset Transfer Checklist table and the date of the asset change
When an asset is acquired, an ID (internal tracking number) is assigned for the asset and its information is entered into the asset tracking database
Audit Trail Policy
An audit trail policy maintains a record of system activities such as records of computer events, operating system, application, or user activities
Maintains regular system operations by implementing management, operational, and technical controls
Audit trail policies help in detecting security violations, performance problems, and flaws
It sets internal controls and audit requirements such as:
• Individual accountability
• Reconstructing events
• Problem monitoring
• Intrusion detection
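The four audit requirements above only become concrete once an audit trail is actually parsed and queried. The following Python is an added example, not course material: over a handful of constructed key=value audit records (not from any real system) it reconstructs who touched a given object and in what order, tallies actions per user for individual accountability, and applies a simple intrusion-detection rule: a run of failed logins for one user from one source inside a short window, followed by a success. The record format, field names and the threshold are assumptions chosen for the demonstration.

```python
"""Audit trail policy in practice: event reconstruction, individual
accountability and a basic intrusion-detection rule over audit records.
Added example; log lines, format and threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (timestamp then key=value fields). Not real data.
AUDIT_LOG = """\
2009-05-07T08:01:12 host=fileserver01 user=alice action=login result=success src=10.0.0.5
2009-05-07T08:03:40 host=fileserver01 user=alice action=read object=/finance/q1.xlsx result=success
2009-05-07T08:15:02 host=fileserver01 user=bob action=login result=failure src=10.0.0.77
2009-05-07T08:15:05 host=fileserver01 user=bob action=login result=failure src=10.0.0.77
2009-05-07T08:15:09 host=fileserver01 user=bob action=login result=failure src=10.0.0.77
2009-05-07T08:15:13 host=fileserver01 user=bob action=login result=failure src=10.0.0.77
2009-05-07T08:15:16 host=fileserver01 user=bob action=login result=failure src=10.0.0.77
2009-05-07T08:15:20 host=fileserver01 user=bob action=login result=success src=10.0.0.77
2009-05-07T08:16:01 host=fileserver01 user=bob action=delete object=/finance/q1.xlsx result=success
2009-05-07T08:20:00 host=fileserver01 user=carol action=login result=success src=10.0.0.9
"""


def parse_audit(text: str) -> list:
    """Turn each record into a dict; 'ts' becomes a datetime for ordering/windows."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(stamp)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def reconstruct(events: list, obj: str) -> list:
    """Reconstructing events: the ordered history of one object."""
    return [(e["ts"].isoformat(), e["user"], e["action"], e["result"])
            for e in events if e.get("object") == obj]


def accountability(events: list) -> dict:
    """Individual accountability: actions attributed to each user."""
    per_user = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user[e["user"]][e["action"]] += 1
    return {user: dict(actions) for user, actions in per_user.items()}


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> list:
    """Intrusion detection: >= threshold failed logins for one (user, src)
    within `window` immediately before a successful login."""
    alerts = []
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    for e in events:
        if e.get("action") != "login":
            continue
        key = (e["user"], e.get("src", "?"))
        if e["result"] == "failure":
            failures[key].append(e["ts"])
        elif e["result"] == "success":
            recent = [t for t in failures[key] if e["ts"] - window <= t <= e["ts"]]
            if len(recent) >= threshold:
                alerts.append({"user": key[0], "src": key[1],
                               "failures": len(recent),
                               "succeeded_at": e["ts"].isoformat()})
            failures[key].clear()
    return alerts


if __name__ == "__main__":
    evts = parse_audit(AUDIT_LOG)
    print("history of /finance/q1.xlsx:", reconstruct(evts, "/finance/q1.xlsx"))
    print("per-user actions:", accountability(evts))
    print("alerts:", detect_bruteforce(evts))
```

Read together, the three outputs are what a reviewer following the policy would want: the alert shows the suspicious login, the object history shows that the same account deleted a file one minute later, and the per-user tally ties both to a single account.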
Sample Audit Trail Policy
Source: http://csrc.nist.gov/
Importance of Audit Trail Policy
Helps in complying with various regulatory laws, rules, and guidelines
Individual actions are tracked, making users personally accountable for their actions
The amount of damage that occurred during the incident can be calculated
Helps in intrusion detection
Helps to reconstruct the events after a problem has occurred
Detects disk failures, network outages, and over-utilization of system resources
Logging Policy
A logging policy defines which set of events needs to be logged
It captures and reviews the important data in a timely manner
It includes:
• Notification procedures
• Guidelines for log review intervals
• Retention standards
• Response time expectations
Specific procedures to retrieve the logs and the necessary logging are stated in the policy
Importance of Logging Policies
Detects intrusions and compromises
Detects equipment failures and prevents downtime
Maintains the proper levels of personnel
Provides qualitative data for capacity planning
Helpful in criminal and civil investigations
Documentation Policy
A documentation policy determines the requirements and procedures for documentation of the organization’s operations and resources such as networks and servers
Network documentation defines the documentation of networking devices and operations
Server documentation defines the documentation of server configuration information and running services
Both the server and network documentation policies define:
• Who has the authority to access, read, and change the network or server documentation
• The authorized person to be notified about the changes made in the network or server
Documentation Policy (cont’d)
In server documentation, the list of items to be documented and reviewed is:
• Name, location, and function of the server
• Hardware components of the system
• List of software running on the server
• Configuration information about the server
• Types of data and the owners of the data stored on the server
• Data on the server that is to be backed up
• Users or groups having access to the data stored on the server and their authentication process and protocols
• Administrators on the server and the authentication process and protocols
• Data and authentication encryption requirements
• Users accessing data from remote locations
• Administrators administering the server from remote locations
Documentation Policy (cont’d)
Network documentation includes:
• Locations and IP addresses of all hubs, switches, routers, and firewalls on the network
• Various security zones on the network and the devices that control access between them
• Locations of every network drop and the associated switch and port on the switch supplying that connection
• Interrelationship between all network devices, showing lines running between the network devices
• All subnets on the network and their relationships
• All Wide Area Network (WAN) or Metropolitan Area Network (MAN) links
• Network device configuration information
• DHCP server settings
Evidence Collection Policy
Evidence should be collected, preserved, accessed, and transported properly in order to preserve its integrity
Every step, method, or tool used for handling the evidence should be thoroughly documented
For each system, obtain the relevant order of volatility and persistent data
Maintain a precise chain of custody
Methods used to collect evidence should be transparent and reproducible
Document all findings and actions performed during the process
Evidence Preservation Policy
The evidence preservation policy should address the following requirements:
• Evidence must be preserved in its original state
• Evidence should be protected from mechanical or electromagnetic damage
• At least two copies of the evidence should be made
• Bit-stream backups are to be made, as they are more thorough than standard backups
• Collected hardware evidence should be sealed in polythene bags and properly labeled for identification
• All the evidence should be itemized, with the following information:
  • Evidence tag number
  • Time and date discovered
  • Name of the person
  • Evidence description
  • Storage notes
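The collection policy's "precise chain of custody" and the preservation policy's "at least two copies" and itemization list both reduce to one mechanism: a cryptographic hash of the bit-stream image recorded at acquisition and re-checked at every handoff. The Python below is an added example, not course material, covering both policies above: it itemizes an evidence item with the listed fields, opens its custody log, verifies that each received copy still matches the acquisition hash, and checks the two-copy rule. The image bytes, people and tag numbers are constructed; the tampered handoff is included to show what an integrity break looks like in the log.

```python
"""Evidence itemization, two-copy preservation and hash-verified chain of
custody. Added example; image bytes, names and tag numbers are constructed."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a bit-stream disk image (1 KiB of known bytes).
SAMPLE_IMAGE = bytes(range(256)) * 4


@dataclass
class EvidenceItem:
    """The itemization fields named in the preservation policy, plus the hash
    of the original image and an append-only custody log."""
    tag_number: str
    discovered_at: str
    discovered_by: str
    description: str
    storage_notes: str
    sha256: str
    custody_log: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(tag_number, discovered_at, discovered_by, description, storage_notes, image):
    """Itemize one piece of evidence: hash the bit-stream image at acquisition
    and record the first custody entry. That hash is the reference from now on."""
    item = EvidenceItem(tag_number, discovered_at, discovered_by, description,
                        storage_notes, sha256_hex(image))
    item.custody_log.append({"time": discovered_at, "action": "acquired",
                             "by": discovered_by, "sha256": item.sha256, "verified": True})
    return item


def transfer(item, from_person, to_person, when, received_copy):
    """Custody handoff: the recipient re-hashes what they received. A mismatch
    is logged rather than hidden; it marks the point where integrity was lost."""
    digest = sha256_hex(received_copy)
    verified = digest == item.sha256
    item.custody_log.append({"time": when, "action": "transfer", "from": from_person,
                             "to": to_person, "sha256": digest, "verified": verified})
    return verified


def verify_copies(item, copies) -> bool:
    """Preservation rule: at least two copies, each bit-identical to the original."""
    return len(copies) >= 2 and all(sha256_hex(c) == item.sha256 for c in copies)


def custody_intact(item) -> bool:
    """True only if every entry in the chain verified against the acquisition hash."""
    return all(entry["verified"] for entry in item.custody_log)


def demo() -> EvidenceItem:
    """Constructed scenario: clean acquisition, one clean handoff, one handoff
    where the received copy differs from the original by a single byte."""
    item = acquire("EV-2009-0001", "2009-05-07T09:12:00Z", "J. Smith",
                   "Bit-stream image of workstation disk",
                   "Sealed bag #17, evidence locker B-3", SAMPLE_IMAGE)
    transfer(item, "J. Smith", "A. Lee", "2009-05-07T11:40:00Z", bytes(SAMPLE_IMAGE))
    altered = SAMPLE_IMAGE[:-1] + b"\x00"  # constructed: last byte changed in transit
    transfer(item, "A. Lee", "R. Patel", "2009-05-08T08:05:00Z", altered)
    return item


if __name__ == "__main__":
    ev = demo()
    for entry in ev.custody_log:
        print(entry)
    print("chain intact:", custody_intact(ev))
```

The log is deliberately append-only and keeps the failed verification: a custody record that only ever shows successes cannot demonstrate where a copy diverged, which is exactly the question asked when evidence integrity is challenged.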
Information Security Policy
Information security policies strengthen the security of information resources
They allow the organization to satisfy its legal and ethical responsibilities
They incorporate security practices like the management of vulnerable points and system file security
Information security policies set the framework for regular vulnerability and risk assessment
They provide guidelines for effective implementation of control measures to respond to security incidents
Information Security Policy: University of California
Source: http://www.ucop.edu/
Information Security Policy: Pearce & Pearce, Inc.
Source: https://www.pearceandpearce.com/
Information Security Policy: Pearce & Pearce, Inc. (cont’d)
Importance of Information Security Policy
Information security policies help in minimizing wastage and misuse of the organization’s resources
They help in safeguarding and protecting valuable, confidential, and proprietary information from unauthorized access
Security policies help in ensuring availability of data and processing resources
They help in protecting the confidentiality and integrity of the information
Information security policies help in improving the overall security posture of the organization
National Information Assurance Certification & Accreditation Process (NIACAP) Policy
NIACAP sets up a standard national process, set of activities, general tasks, and a management structure
It certifies and accredits systems that maintain an information assurance and security posture
The NIACAP process accomplishes the requirements of the documented security policy
The accredited security posture is maintained throughout the system life cycle
The process comprises existing system certifications and product evaluations
Process users must align the process with their program strategies and incorporate the activities into their enterprise system life cycle
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
National Information Assurance Certification & Accreditation Process (NIACAP) Policy (cont’d)
• Agreement between the IS program manager, Designated Approving Authority (DAA), certification agent (certifier), and user representative is the main aspect of NIACAP
• Critical schedule, budget, security, functionality, and performance issues are determined by these individuals
• The System Security Authorization Agreement (SSAA) contains the documentation of NIACAP agreements
• The results of Certification and Accreditation (C&A) are documented using the SSAA
• The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before the system development begins or changes
Importance of The National Information Assurance (IA) Certification & Accreditation (C&A) Policy
• Describes the operating environment, system security architecture, and threat
• Establishes the C&A boundary of the system to be accredited
• Forms the baseline security configuration document
• Documents all requirements necessary for accreditation, test plans and procedures, certification results, and residual risk
• Minimizes documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations, architecture description, test procedures, etc.)
Physical Security Policy
• Physical security policy helps to control and monitor the physical access to information resource facilities
• Physical access to all restricted facilities is documented and managed
• Every individual who has physical access to information resource facilities should sign the access and non-disclosure agreements
• Access cards and/or keys must not be shared or loaned to others
• All access to the information resources should be tracked with a sign in/out log
Sample Physical Security Policy 1
Source: http://trustedtoolkit.com/
Sample Physical Security Policy 1 (cont’d)
Sample Physical Security Policy 2
Source: http://www.cnc.police.uk/
Importance of Physical Security Policies
• Controls access to the facilities and computers
• Protects assets from intentional abuse, misuse, or destruction by employees, contractors, or consultants
• Protects information processing facilities by reducing the risk of human error, fraud, and theft
• Monitors how well personnel comply with contractual security provisions
Physical Security Guidelines
• Systems should be protected against environmental factors such as fire, power, excessive heat, and humidity
• Systems should have an alternate power supply, such as a UPS, during power losses
• Computing devices should be positioned to protect them from shoulder surfing
• Monitoring systems should be installed to monitor the work area and office premises
• While in transit, laptops should be placed in secure storage
• Workstations should be locked when left unattended
Personnel Security Policies & Guidance
Personnel security policies include the safety measures to be taken regarding company employees
Managers should implement the personnel security policies to:
• Ensure the trustworthiness of the people in the posts who require access to official information
• Protect the official information before granting them access
• Enforce terms and conditions on the employees accessing official information
Personnel Security Policies & Guidance (cont’d)
Elements of personnel security are:
Personal Screening:
• It is a pre-employment check which involves the employee’s background check
• This is done even as the employee is given access to the official information
• While recruiting an employee for a permanent staff position, he must be checked for:
  • Satisfactory character referees
  • Accuracy of the curriculum vitae and qualifications
• Before appointing an employee after he/she is recruited, verify details of the employee such as:
  • Identity and character confirmation through referees
  • Criminal background check from police
• Similarly, an employee being recruited for a temporary staff position can be checked through a verifying agency
Personnel Security Policies & Guidance (cont’d)
Granting access:
• Chief executives need to grant permanent staff access to official information after clearance from:
  • Pre-employment checks
  • Periodic reviews
  • Approval procedures
  • Sound terms & conditions of the employment
• Avoid granting access to the most sensitive sites as there are chances of indirect exposure by staff or visitors
• Individuals granted access must be issued a pass or access or identity card
• A "Basic Check" can be done further after the pre-employment check, about staff or contractors who need frequent access to sensitive sites
Law and Incident Handling
Role of Law in Incident Handling
• Federal law requires federal agencies to report incidents to the Federal Computer Incident Response Center
• It requires federal agencies to establish incident response capabilities
• The incident response team should be familiar with the reporting procedures for all relevant law enforcement agencies and well prepared to recommend a suitable agency and contact details
• Several levels of law enforcement agencies are available to investigate incidents
Legal Issues When Dealing With an Incident
• Law enforcement should be contacted through designated individuals in a manner consistent with the requirements of the law and the organization’s procedures
• Organizations should not contact multiple agencies because it might result in jurisdictional conflicts
• Consult lawyers if an illegal act has occurred
• Reporting to law enforcement changes the character of the evidence handling process:
  • Evidence can be subpoenaed by courts
  • Perpetrators and their lawyers can get access to it in the trial
  • The evidence gathering process and all actions and documentation of the investigation may also be accessible to the other party during litigation
Law Enforcement Agencies
• Federal investigatory agencies (e.g., the FBI and the U.S. Secret Service)
• District attorney offices
• State law enforcement
• Local law enforcement
U.S. Law Enforcement Agencies
Laws and Acts
Searching and Seizing Computers without a Warrant
• The Fourth Amendment of USA PATRIOT Act of 2001 limits the ability of government agents to search for evidence without a warrant
• If the government’s conduct does not violate a person’s “Reasonable Expectation Of Privacy,” then formally it does not constitute a Fourth Amendment “search” and no warrant is required
§ A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: General Principles
A search is constitutional if it does not violate a person’s “reasonable” or “legitimate” expectation of privacy. Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring). This inquiry embraces two discrete questions:
• First, whether the individual’s conduct reflects “an actual (subjective) expectation of privacy,”
• Second, whether the individual’s subjective expectation of privacy is “one that society is prepared to recognize as ‘reasonable.’”
§ A.4: Private Searches
• The Fourth Amendment does not apply to searches conducted by private parties who are not acting as agents of the government
• In United States v. Jacobsen, 466 U.S. 109 (1984), the Supreme Court presented the framework that should guide agents seeking to uncover evidence as a result of a private search
• Even if courts follow the more restrictive approach, the information gleaned from the private search will often be useful in providing the probable cause needed to obtain a warrant for a further search
• The fact that the person conducting a search is not a government employee does not always mean that the search is “private” for Fourth Amendment purposes
The Privacy Protection Act
When agents have reason to believe that a search may result in a seizure of materials relating to First Amendment activities such as publishing or posting materials on the World Wide Web, they must consider the effect of the Privacy Protection Act (“PPA”), 42 U.S.C. § 2000aa
Brief History:
• Before the Supreme Court decided Warden v. Hayden, 387 U.S. 294, 309 (1967), law enforcement officers could not obtain search warrants to search for and seize “mere evidence” of crime. Warrants were permitted only to seize contraband, instrumentalities, or fruits of crime
• This ruling set the stage for a collision between law enforcement and the press
• By freeing the Fourth Amendment from Boyd's restrictive regime, Hayden created the possibility that law enforcement could use search warrants to target the press for evidence of crime it had collected in the course of investigating and reporting news stories
Federal Information Security Management Act (FISMA)
Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each Federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The information security program must include—
• Periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
Source: http://csrc.nist.gov
Federal Information Security Management Act (FISMA) (cont’d)
• Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system;
• Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
• Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks;
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (including the management, operational, and technical controls of every agency information system identified in their inventory) to be performed with a frequency depending on risk, but no less than annually;
Federal Information Security Management Act (FISMA) (cont’d)
• A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures and practices of the agency;
• Procedures for detecting, reporting, and responding to security incidents (including mitigating risks associated with such incidents before substantial damage is done and notifying and consulting with the Federal information security incident response center, and as appropriate, law enforcement agencies, relevant Offices of Inspector General, and any other agency or office, in accordance with law or as directed by the President); and
• Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
Mexico
Section 30-45-5 — Unauthorized computer use
A person who knowingly, willfully and without authorization, or having obtained authorization, uses the opportunity the authorization provides for purposes to which the authorization does not extend, directly or indirectly accesses, uses, takes, transfers, conceals, obtains, copies or retains possession of any computer, computer network, computer property, computer service, computer system or any part thereof, when the
• damage to the computer property or computer service has a value of two hundred fifty dollars ($250) or less, is guilty of a petty misdemeanor;
• damage to the computer property or computer service has a value of more than two hundred fifty dollars ($250) but not more than five hundred dollars ($500), is guilty of a misdemeanor;
Source: http://law.justia.com/
Mexico (cont’d)
• damage to the computer property or computer service has a value of more than five hundred dollars ($500) but not more than two thousand five hundred dollars ($2,500), is guilty of a fourth degree felony;
• damage to the computer property or computer service has a value of more than two thousand five hundred dollars ($2,500) but not more than twenty thousand dollars ($20,000), is guilty of a third degree felony;
• damage to the computer property or computer service has a value of more than twenty thousand dollars ($20,000), is guilty of a second degree felony
Brazilian Laws
ENTRY OF FALSE DATA INTO THE INFORMATION SYSTEM
• Art. 313-A. Entry, or facilitation on the part of an authorized employee of the entry, of false data, improper alteration or exclusion of correct data with respect to the information system or the data bank of the Public Management for purposes of achieving an improper advantage for himself or for some other person, or of causing damages
• Penalty: imprisonment for 2 to 12 years, and fines
UNAUTHORIZED MODIFICATION OR ALTERATION OF THE INFORMATION SYSTEM
• Art. 313-B. Modification or alteration of the information system or computer program by an employee, without authorization by or at the request of a competent authority
• Penalty: detention for 3 months to 2 years, and fines
Source: http://www.mosstingrett.no/
Canadian Laws
Canadian Criminal Code Section 342.1 states:
(1) Every one who, fraudulently and without color of right,
• (a) obtains, directly or indirectly, any computer service,
• (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system
• (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system
A person who commits an offence under paragraph (a), (b) or (c) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years
Source: http://www.mosstingrett.no/
United Kingdom’s Laws
Computer Misuse Act 1990
(1) A person is guilty of an offense if (a) he causes a computer to perform any function with the intent to secure access to any program or data held in any computer, (b) the access he intends to secure is unauthorized, and (c) he knows at the time when he causes the computer to perform the function that that is the case
(2) The intent a person has to have to commit an offense under this section need not be directed at: (a) any particular program or data, (b) a program or data of any particular kind, or (c) a program or data held in any particular computer
(3) A person guilty of an offense under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both
Source: http://www.opsi.gov.uk
United Kingdom’s Laws (cont’d)
(4) A person is guilty of an offense under this section if he commits an offense under section 1 above ("the unauthorized access offense") with intent (a) to commit an offense to which this section applies; or (b) to facilitate the commission of such an offense and the offense he intends to commit or facilitate is referred to below in this section as the further offense
(5) This section applies to offences (a) for which the sentence is fixed by law; or (b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years
(6) It is immaterial for the purposes of this section whether the further offense is to be committed on the same occasion as the unauthorized access offense or on any future occasion
(7) A person may be guilty of an offense under this section even though the facts are such that the commission of the further offense is impossible
United Kingdom’s Laws (cont’d)
(8) A person guilty of an offense under this section shall be liable (a) on summary conviction, to imprisonment for a term not exceeding the statutory maximum or to both; and (b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both
(9) A person is guilty of an offense if (a) he does any act which causes an unauthorized modification of the contents of any computer; and (b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(10) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing (a) to impair the operation of any computer; (b) to prevent or hinder access to any program or data held in any computer; or (c) to impair the operation of any such program or the reliability of any such data
Belgium Laws
COMPUTER HACKING
Article 550 (b) of the Criminal Code:
§1. Any person who, aware that he is not authorised, accesses or maintains his access to a computer system, may be sentenced to a term of imprisonment of 3 months to 1 year and to a fine of (Bfr 5,200-5m) or to one of these sentences
If the offence specified in §1 above is committed with intention to defraud, the term of imprisonment may be from 6 months to 2 years
§2. Any person who, with the intention to defraud or with the intention to cause harm, exceeds his power of access to a computer system, may be sentenced to a term of imprisonment of 6 months to 2 years and to a fine of (BFr 5,200-20m) or to one of these sentences
Source: http://www.mosstingrett.no/
German Laws
Penal Code Section 202a. Data Espionage:
• (1) Any person who obtains without authorization, for himself or for another, data which are not meant for him and which are specially protected against unauthorized access, shall be liable to imprisonment for a term not exceeding three years or to a fine
• (2) Data within the meaning of subsection 1 are only such as are stored or transmitted electronically or magnetically or in any form not directly visible
Penal Code Section 303a: Alteration of Data
• (1) Any person who unlawfully erases, suppresses, renders useless, or alters data (section 202a(2)) shall be liable to imprisonment for a term not exceeding two years or to a fine
• (2) The attempt shall be punishable
Source: http://www.mosstingrett.no/
Italian Laws
Penal Code Article 615 ter: Unauthorized access into a computer or telecommunication systems:
• Anyone who enters unauthorized into a computer or telecommunication system protected by security measures, or remains in it against the expressed or implied will of the one who has the right to exclude him, shall be sentenced to imprisonment not exceeding three years
• The imprisonment is from one until five years if the crime is committed by a public official or by an officer of a public service, through abuse of power or through violation of the duties concerning the function or the service, or by a person who practices - even without a licence - the profession of a private investigator, or with abuse of the capacity of a system operator
Source: http://www.mosstingrett.no/
Cybercrime Act 2001
The Cybercrime Act 2001 amended the Criminal Code Act 1995 to replace existing outdated computer offences
478.1 Unauthorized access to, or modification of, restricted data
(1) A person is guilty of an offence if:
(a) the person causes any unauthorized access to, or modification of, restricted data; and
(b) the person intends to cause the access or modification; and
(c) the person knows that the access or modification is unauthorized; and
(d) one or more of the following applies:
(i) the restricted data is held in a Commonwealth computer;
(ii) the restricted data is held on behalf of the Commonwealth;
(iii) the access to, or modification of, the restricted data is caused by means of a telecommunications service
Source: http://www.cybercrimelaw.net/
Cybercrime Act 2001 (cont’d)
Penalty: 2 years imprisonment
(2) Absolute liability applies to paragraph (1)(d)
(3) In this section: restricted data means data (a) held in a computer; and (b) to which access is restricted by an access control system associated with a function of the computer
Information Technology Act
THE INFORMATION TECHNOLOGY ACT, 2000 (No. 21 of 2000)
CHAPTER XI OFFENCES
66. Hacking with computer system
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both
Source: http://lawmin.nic.in/
Singapore Laws
Chapter 50A: Computer Misuse Act
Section 3 – (1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority, shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both
Section 4: Access with intent to commit or facilitate commission of offence
(1) This section shall apply to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years.
(2) Any person guilty of an offence under this section shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both
Source: http://www.mosstingrett.no/
Sarbanes-Oxley Act
Title I Public Company Accounting Oversight Board (PCAOB) consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services ("auditors")
Title II Auditor Independence consists of nine sections and establishes standards for external auditor independence, to limit conflicts of interest and addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements
Title III Corporate Responsibility consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports
Source: http://frwebgate.access.gpo.gov/
Sarbanes-Oxley Act (cont’d)
Title IV Enhanced Financial Disclosures consists of nine sections and describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers
Title V Analyst Conflicts of Interest consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts
Title VI Commission Resources and Authority consists of four sections and defines practices to restore investor confidence in securities analysts
Sarbanes-Oxley Act (cont’d)
Title VII Studies and Reports consists of five sections and includes the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions
Title VIII Corporate and Criminal Fraud Accountability consists of seven sections and is also referred to as the “Corporate and Criminal Fraud Act of 2002”. It describes specific criminal penalties for fraud by manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.
Sarbanes-Oxley Act (cont’d)
Title IX White Collar Crime Penalty Enhancement consists of two sections. This section is also called the “White Collar Crime Penalty Enhancement Act of 2002.” This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
Title X Corporate Tax Returns consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.
Title XI Corporate Fraud Accountability consists of seven sections. Section 1101 recommends a name for this title as “Corporate Fraud Accountability Act of 2002”. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to temporarily freeze large or unusual payments.
Social Security Act
Sec. 464. [42 U.S.C. 664] (a)(1) Upon receiving notice from a State agency administering a plan approved under this part that a named individual owes past-due support which has been assigned to such State pursuant to section 408(a)(3) or section 471(a)(17), the Secretary of the Treasury shall determine whether any amounts, as refunds of Federal taxes paid, are payable to such individual (regardless of whether such individual filed a tax return as a married or unmarried individual). If the Secretary of the Treasury finds that any such amount is payable, he shall withhold from such refunds an amount equal to the past-due support, shall concurrently send notice to such individual that the withholding has been made (including in or with such notice a notification to any other person who may have filed a joint return with such individual of the steps which such other person may take in order to secure his or her proper share of the refund), and shall pay such amount to the State agency (together with notice of the individual's home address) for distribution in accordance with section 457. This subsection may be executed by the disbursing official of the Department of the Treasury.
Source: http://www.ssa.gov/
Social Security Act (cont’d) Sec. 1137. [42 U.S.C. 1320 b– 7] (a) In order to m eet the requirem ents of this section, a State m ust have in effect an incom e and eligibility verification system which m eets the requirem ents of subsection (d) and un der which— (1) the State shall require, as a condition of eligibility for benefits under any program listed in subsection (b), that each applicant for or recipient of benefits under that program furnish to the State his social security account n um ber (or num bers, if he has m ore than on e such num ber), and the State shall utilize such account num bers in the adm inistration of that program so as to enable the association of the records pertaining to the applicant or recipient with his accoun t num ber; (2) wage inform ation from agencies adm inistering State unem ploym ent com pensation laws available pursuant to section 330 4(a)(16) of the In ternal Revenue Code of 1954[71], wage inform ation reported pursuant to paragraph (3) of this subsection, and wage, incom e, and other inform ation from the Social Security Adm inistration and the Internal Revenue Service available pursuant to section 610 3(l)(7) of such Code[72], shall be requested and utilized to the extent that such inform ation m ay be useful in verifying eligibility for, and the am ount of, benefits available under any program listed in subsection (b), as determ ined by the Secretary of Health and Hum an Services (or, in the case of the unem ploym ent com pensation program , by the Secretary of Labor, or, in the case of the supplem ental nutrition assistance program [73], by the Secretary of Agriculture); EC-Council
Social Security Act (cont’d)
(3) employers (as defined in section 453A(a)(2)(B)) (including State and local governmental entities and labor organizations) in such State are required, effective September 30, 1988, to make quarterly wage reports to a State agency (which may be the agency administering the State's unemployment compensation law) except that the Secretary of Labor (in consultation with the Secretary of Health and Human Services and the Secretary of Agriculture) may waive the provisions of this paragraph if he determines that the State has in effect an alternative system which is as effective and timely for purposes of providing employment related income and eligibility data for the purposes described in paragraph (2), and except that no report shall be filed with respect to an employee of a State or local agency performing intelligence or counterintelligence functions, if the head of such agency has determined that filing such a report could endanger the safety of the employee or compromise an ongoing investigation or intelligence mission, and except that in the case of wage reports with respect to domestic service employment, a State may permit employers (as so defined) that make returns with respect to such employment on a calendar year basis pursuant to section 3510 of the Internal Revenue Code of 1986 to make such reports on an annual basis;
Gramm-Leach-Bliley Act
The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule.

Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt-out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information.
Source: http://www.ftc.gov/
Gramm-Leach-Bliley Act (cont’d)
Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule also applies to information of those no longer consumers of the financial institution.) This plan must include:
• Denoting at least one employee to manage the safeguards,
• Constructing a thorough [risk management] on each department handling the nonpublic information,
• Develop, monitor, and test a program to secure the information, and
• Change the safeguards as needed with the changes in how information is collected, stored, and used.
This rule is intended to do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.
Health Insurance Portability and Accountability Act (HIPAA)
• Ensure integrity, confidentiality and availability of electronic protected health information
• Protect against reasonably anticipated threats or hazards, and improper use or disclosure
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
Penalty: Fine up to $50,000, imprisoned not more than 1 year, or both
Source: http://www.hhs.gov/
Intellectual Property Laws
Intellectual Property
Intellectual property is the product of intellect that has commercial value and includes copyrights and trademarks
Common types of intellectual property include:
• Copyrights
• Trademarks
• Patents
• Industrial design rights
• Trade secrets
Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets
US Laws for Trademarks and Copyright
The Digital Millennium Copyright Act (DMCA) of 1998
• This Act creates limitations on the liability of online service providers for copyright infringement
The Lanham (Trademark) Act (15 USC §§ 1051 - 1127)
• This Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising
US Laws for Trademarks and Copyright (cont’d)
Doctrine of “Fair Use”
Section 107 of the Copyright Law mentions the doctrine of “fair use”
The doctrine is a result of a number of court decisions over the years
Reproduction of a particular work for criticism, news reporting, comment, teaching, scholarship, and research is considered as fair according to Section 107 of the Copyright Law
US Laws for Trademarks and Copyright (cont’d)
Online Copyright Infringement Liability Limitation Act:
• Sec. 512. Limitations on liability relating to material on-line
• Limitation - Notwithstanding the provisions of section 106, a provider shall not be liable for:
  • Direct infringement
  • Monetary relief under section 504 or 505 for contributory infringement or vicarious liability based solely on conduct
  • Monetary relief under section 504 or 505 for contributory infringement or vicarious liability, based solely on providing access to material over that provider's system or network
• Protection of privacy
• Limitation based upon removing or disabling access to infringing material
Australia Laws For Trademarks and Copyright
The Trade Marks Act 1995
• This Act grants protection to a letter, word, phrase, sound, smell, shape, logo, picture, aspect of packaging or combination of these, used by traders on their goods and services to indicate their origin
The Patents Act 1990
• This Act grants monopoly rights to inventors of new inventions such as improved products or devices and substances
The Copyright Act 1968
• This Act relates to copyright and the protection of certain performances and for other purposes
UK Laws for Trademarks and Copyright
The Copyright, Etc. And Trade Marks (Offences And Enforcement) Act 2002
• This Act amends the criminal provisions in intellectual property law, law relating to copyright, rights in performances, fraudulent reception of conditional access transmissions by use of unauthorized decoders and trade marks
Trademarks Act 1994 (TMA)
• This Act provides that the honest use of one’s own name or address is a defense
China Laws for Trademarks and Copyright
Copyright Law of People’s Republic of China (Amendments on October 27, 2001)
• Article 1: The purpose of protecting the copyright of authors in their literary, artistic and scientific works and the copyright-related rights and interests
• Article 2: Works of Chinese citizens, legal entities or other organizations, whether published or not, shall enjoy copyright in accordance with this Law
Trademark Law of the People's Republic of China (Amendments on October 27, 2001)
• This Law is enacted for the purposes of improving the administration of trademarks, protecting the exclusive right to use trademarks, and of encouraging producers and operators to guarantee the quality of their goods and services and maintaining the reputation of their trademarks, with a view to protecting the interests of consumers, producers and operators and to promoting the development of the socialist market economy
Indian Laws for Trademarks and Copyright
The Patents (Amendment) Act, 1999
• This Act provides for the establishment of a mail box system to file patents
Trade Marks Act, 1999
• This Act provides for the registration of trademarks relating to goods and services
The Copyright Act, 1957
• This Act prescribes mandatory punishment for piracy of copyrighted matter appropriate with the gravity of the offense with an effect to deter infringement
Japanese Laws for Trademarks and Copyright
The Trademark Law (Law No. 127 of 1957):
• This Law applies only to registered trademarks
The Trademark Law (N.S. 187 of 1999):
• According to this law, trademarks are distinguishable and are not indispensable to secure the function of the goods or their packaging
Copyright Management Business Law (4.2.2.3 of 2000):
• This law facilitates the establishment of new copyright management businesses, in order to "respond to the development of digital technologies and communication networks"
Canada Laws for Trademarks and Copyright
Copyright Act (R.S., 1985, c. C-42)
• This Act grants protection to an architectural work, artistic work, Berne convention country, commission, book, broadcaster, choreographic work, cinematographic work, collective society, work or combination of these, used by traders on their goods and services to indicate their origin
Trademark Law
• It states that if a mark is used by a person as a trade-mark for any of the purposes or in any of the manners, it shall not be held invalid merely on the ground that the person or a predecessor in title uses it or has used it for any other of those purposes or in any other of those manners
South African Laws for Trademarks and Copyright
Trademarks Act 194 of 1993
• It is the act to provide for the registration of trademarks, certification trade marks and collective trade marks and to provide for incidental matters
Copyright Act of 1978
• It is the act to regulate copyright and to provide for matters incidental thereto
Patents Act No. 57 of 1978
• To provide for the registration and granting of letters patent for inventions and for matters connected therewith
South Korean Laws for Trademarks and Copyright
Copyright Law Act No. 3916
• The purpose of this Act is to protect the rights of authors and the rights neighboring on them and to promote fair use of works in order to contribute to the improvement and development of culture
Industrial Design Protection Act
• The purpose of this act is to encourage the creation of designs by ensuring their protection and utilization so as to contribute to the development of industry
Belgium Laws for Trademarks and Copyright
Copyright Law, 30/06/1994
• The purpose of the act is to protect the literary or artistic work from unauthorized usage
• The author of a work alone shall have the right to reproduce his work or to have it reproduced in any manner or form whatsoever
Trademark Law, 30/06/1969
• It is the law approving the Benelux Convention Concerning Trademarks and Annex, signed in Brussels on March 19, 1962
• The high contracting parties shall incorporate into their domestic legislation, in one or both of the original texts, the Benelux Uniform Law on Trade Marks annexed to this Convention and shall establish an administration common to their countries under the name "Benelux Trade Marks Bureau"
Hong Kong Laws for Intellectual Property
Hong Kong’s IP laws are based on constitutional or Basic Law provisions
Article 139 of the Basic Law
• Government shall formulate policies on science and technology and protect achievements in scientific research
Article 140 of the Basic Law
• It protects the rights of authors in their literary and artistic creations
Summary
• A security policy is a document that states in writing how a company plans to protect its physical and information technology assets
• Security policy ensures customer’s integrity and prevents unauthorized modifications of the data
• Federal law requires Federal agencies to report incidents to the Federal Computer Incident Response Center
• Organizations should not contact multiple agencies because it might result in jurisdictional conflicts
• Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets
• An acceptable use policy is a set of rules applied by organization, network, or Internet to restrict their usage
• Evidence should be collected according to procedures that meet all applicable laws and regulations, in order to be admissible in court
• Chain of custody is a documentation showing the seizure, custody, control, transfer, analysis, and disposition of evidence