Lesson 1: Course Introduction
UTSA IS 3523 ID & Incident Response
Overview
• Course Administrivia
• Info Assurance Review
• Incident Response
IS 3523 Intrusion Detection and Incident Response
• 5:30-6:45 PM M/W
• Robert Kaufman
– Background
– Contact information
• Syllabus and Class Schedule
• Student Background Information
– Email
Student Information
• Name
• Reliable email address
• Email to [email protected]
Text Books
• Course Text:
– Incident Response and Computer Forensics, Mandia, Kevin and Prosise, Chris, Osborne/McGraw Hill Publishing, 2003. ISBN 0-07-222696-X
• Additional References:
– Principles of Computer Security, Conklin, White, Cothren, Williams, and Davis
– Hacking Exposed, by McClure, Scambray, Kurtz
– Cyber Crime Investigator’s Field Guide, by Bruce Middleton
Grading
• Grades
– 2 Tests
– Final
– Many Projects/Labs
A Sampling of Malicious Activity
• March 1999 - eBay gets hacked
• March 1999 - Melissa virus hits Internet
• April 1999 - Chernobyl virus hits
• May 1999 - Hackers shut down web sites of FBI, Senate, and DOE
• June 1999 - Worm.Explore.Zip virus hits
• July 1999 - Cult of the Dead Cow (CDC) releases Back Orifice
• Sept 1999 - Hacker pleads guilty to attacking NATO and Gore web sites
• Oct 1999 - Teenage hacker admits to breaking into AOL
• Nov 1999 - BubbleBoy virus hits
• Dec 1999 - Babylonia virus spreads
• Feb 2000 - Several sites experience DOS attacks
• Feb 2000 - Alaska Airlines site hacked
• May 2000 - Love Bug virus ravages net
• July 2001 - Code Red runs rampant
• Sept 2001 - Nimda explodes
• Jan 2003 - Slammer worm
You have to have security, or else…
• 2001 CSI/FBI Computer Crime and Security Survey
– 538 security “practitioners” in the U.S.
• 91% reported computer security breaches within the previous 12 months
• 70% reported their Internet connection as a frequent point of attack (up from 59% in 2000)
• 64% suffered financial losses due to breaches, 35% could quantify this loss.
• Losses due to computer security breaches totaled (for the 186 respondents reporting a loss) $377,828,700
• Average loss $2,031,337
– Source: Computer Security Institute http://www.gocsi.com
And the hits just keep coming…
• 2002 CSI/FBI Computer Crime & Security Survey
– 503 security “practitioners” in the U.S.
• 90% detected computer security breaches
• 40% detected penetrations from the outside
• 80% acknowledged financial losses due to breaches
• $455,848,000 in losses due to computer security breaches totaled (for the 223 respondents reporting a loss)
• 26 reported theft of proprietary info ($170,827,000)
• 25 reported financial fraud ($115,753,000)
• 34% reported intrusions to law enforcement
• 78% detected employee abuse of internet access privileges, i.e. pornography and inappropriate email use
– Source: Computer Security Institute http://www.gocsi.com
And coming
• A 2003 FBI/CSI Computer Crime and Security Survey revealed the following:
– 60% had a security breach in the last year.
– 78% detected employee abuse of internet privileges.
– 85% admitted to being infected by a computer virus.
– Average loss from insider access was $300,000
– Average loss due to virus attack $283,000
– Average loss from telecom eavesdropping is $1,205,000
– Average loss from outsider penetration was $226,000
– The average reported loss from net abuse was $536,000
– Source: Computer Security Institute http://www.gocsi.com
Internet Security Software Market
2002 - $7.4 Billion est.
1999 - $4.2 Billion
1998 - $3.1 Billion
1997 - $2 Billion
’97 & ’98 figures based on a study released by market research firm International Data Corp. in Framingham, Mass.
’99 & ’02 figures from IDC study based on a survey of 300 companies with more than $100 million in annual revenues
DISA VAAP Results
(figure: a three-stage funnel; the counts are all that survives extraction)
PROTECTION: 38,000 attacks; 13,300 blocked; 24,700 succeed
DETECTION: of the 24,700 that succeed, 988 detected; 23,712 undetected
REACTION: of the 988 detected, 267 reported; 721 not reported
Computer Security
The prevention and/or detection of unauthorized actions by users of a computer system.
In the beginning, this meant ensuring privacy on shared systems. Today, the interesting aspect of security is enabling different access levels.
What are our goals in Security?
• The “CIA” of security
– Confidentiality
– Integrity
• Data integrity
• Software integrity
– Availability
• Accessible and usable on demand
– (Authentication)
– (Nonrepudiation)
The “root” of the problem
• Most security problems can be grouped into one of the following categories:
– Network and host misconfigurations
• Lack of qualified people in the field
– Operating system and application flaws
• Deficiencies in vendor quality assurance efforts
• Lack of qualified people in the field
• Lack of understanding of/concern for security
Computer Security Operational Model
Protection = Prevention + (Detection + Response)
Prevention: Access Controls, Encryption, Firewalls
Detection + Response: Intrusion Detection, Incident Handling
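The operational model above and the DISA VAAP funnel earlier in the deck fit together: each term of Protection = Prevention + (Detection + Response) can be scored from the VAAP counts. The following is an added example, not material from the course slides; the Funnel class, its field names and the what-if helper are assumptions made here, and the only inputs are the counts the VAAP slide gives (38,000 attacks, 13,300 blocked, 988 detected, 267 reported).

```python
"""Added example (not from the course slides): putting numbers on each
term of Protection = Prevention + (Detection + Response), using the
DISA VAAP counts quoted earlier in the deck."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Funnel:
    """Counts at each stage of the protect / detect / react funnel."""
    attacks: int    # attempts seen
    blocked: int    # stopped by prevention (access controls, firewalls, ...)
    detected: int   # successful attacks that detection noticed
    reported: int   # detected attacks that were actually reported (reaction)

    def __post_init__(self):
        # A funnel can only narrow; reject counts that contradict each other.
        if not (self.attacks >= self.blocked >= 0 and
                self.succeeded >= self.detected >= self.reported >= 0):
            raise ValueError("funnel counts are not monotonically decreasing")

    @property
    def succeeded(self) -> int:
        return self.attacks - self.blocked

    @property
    def undetected(self) -> int:
        return self.succeeded - self.detected

    @property
    def unreported(self) -> int:
        return self.detected - self.reported


def stage_rates(f: Funnel) -> dict:
    """Conditional success rate of each term of the operational model,
    plus the end-to-end fraction of attacks that ever get reported."""
    return {
        "prevention": f.blocked / f.attacks,
        "detection": f.detected / f.succeeded if f.succeeded else 1.0,
        "reaction": f.reported / f.detected if f.detected else 1.0,
        "end_to_end": f.reported / f.attacks,
    }


def weakest_link(f: Funnel) -> str:
    """Name the model term with the lowest conditional rate."""
    r = stage_rates(f)
    return min(("prevention", "detection", "reaction"), key=r.get)


def projected_reported(f: Funnel, detection_rate: float) -> int:
    """What-if: how many attacks would reach the reporting stage if only the
    detection rate changed and prevention/reaction stayed as measured."""
    reaction = f.reported / f.detected if f.detected else 0.0
    return round(f.succeeded * detection_rate * reaction)


# Counts from the DISA VAAP slide: 38,000 attacks; 13,300 blocked;
# 988 detected; 267 reported.
DISA_VAAP = Funnel(attacks=38_000, blocked=13_300, detected=988, reported=267)

if __name__ == "__main__":
    for name, rate in stage_rates(DISA_VAAP).items():
        print(f"{name:>11}: {rate:6.1%}")
    print("weakest link:", weakest_link(DISA_VAAP))
    print("reported if detection doubled to 8%:",
          projected_reported(DISA_VAAP, 0.08))
```

Run as a script, it shows prevention at 35%, detection at 4%, reaction at 27%, and an end-to-end reporting rate under 1% of attacks; the weakest term is detection, which is exactly the part of the model this course concentrates on. The what-if helper makes the point numerically: doubling the detection rate doubles the number of incidents that ever reach a report, with no change to the other two terms.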
Proactive vs. Reactive Models
• “Most organizations only react to security threats, and, often times, those reactions come after the damage has already been done.”
• “The key to a successful information security program resides in taking a pro-active stance towards security threats, and attempting to eliminate vulnerability points before they can be used against you.”
So What Happens When Computer Security Fails?
• Incident Response Methodology: 7 Step Process
– Preparation: Proactive Computer Security
– Detection of Incidents
– Initial Response
– Formulate Response Strategy
– Investigate the Incident
– Reporting
– Resolution
7 Components of Incident Response
(figure: Page 15, Fig 2-1, Mandia 2nd Edition)
• Pre-Incident Preparation
• Detection of Incidents
• Initial Response
• Formulate Response Strategy
• Investigate the Incident
– Data Collection
– Data Analysis
• Reporting
• Resolution
– Recovery
– Implement Security Measures
(figure: Page 18, Fig 2-1, Mandia 1st Edition, the incident response flow; only the node labels and decision points survive extraction)
• Pre-Incident Preparation
– Incident Response Team formed
– Notification Checklist completed
• Detection of Incidents
• Initial Response: is it really an incident?
– No: Follow-Up
– Yes: Formulate Response Strategy
• Formulate Response Strategy: pursue and accumulate evidence and/or secure system (can pursue both paths simultaneously)
– Pursue: forensic duplication? Yes: Forensic Duplication; No: Accumulate Evidence; then Investigation
– Secure System: Isolate and Contain; Perform Network Monitoring
• Reporting
• Implement Security Measures
Resources in the Fight
• SANS
• CERT CC
• FIRST
• DOE CIAC
• CERIAS
• NIST
SANS
• System Administration, Networking, and Security (SANS) Institute
• Global Incident Analysis Center
• Security Alerts, Updates, & Education
• NewsBites, Security Digest, Windows Digest
• Certification
• http://www.sans.org/
Carnegie Mellon CERT CC
• Computer Emergency Response Team Coordination Center
• Started by DARPA
• Alerts & Response Services
• Training and CERT Standup
• Clearing House
• http://www.cert.org
FIRST
• Forum of Incident Response and Security Teams
• Established 1988
• Govt & Private Sector Membership
• Over 70 Members
• Coordinate Global Response
• http://www.first.org
DOE CIAC
• Computer Incident Advisory Capability
• Established 1989
• Part of Lawrence Livermore Lab
• Awareness training and education
• Trend, threat, vulnerability data collection and analysis
• http://ciac.llnl.gov/
CERIAS
• Center for Education and Research in Information Assurance and Security
• Home of Gene Spafford
• A "University Center"
• InfoSec Research & Education
• Members: Academia, Govt, & Industry
• http://www.cerias.purdue.edu/coast/
NIST
• National Institute of Standards and Technology (NIST)
• Operates Computer Security Resource Clearinghouse (CSRC)
• Raising Awareness
• Multiple Disciplines
• Main Source of Fed Govt Standards
• http://csrc.ncsl.nist.gov/
So How Many Vulnerabilities Are Out?
Let's See What the CERT CC Says.
History Lesson: The Art of War, Sun Tzu
Lesson for you
• Know the enemy
• Know yourself…and in a 100 battles you will never be defeated
• If ignorant both of your enemy and of yourself you are certain in every battle to be in peril
History Lesson: The Art of War, Sun Tzu
Lesson for the Hacker
• Probe him and learn where his strength is abundant and where deficient
• To subdue the enemy without fighting is the acme of skill
• One able to gain victory by modifying his tactics in accordance with the enemy situation may be said to be divine
Hacker Attacks
• Intent is for you to know your enemy
• Not intended to make you a hacker
• Need to know defensive techniques
• Need to know where to start recovery process
• Need to assess extent of investigative environment
Anatomy of a Hack
(figure: the attack sequence, read left to right)
Footprinting → Scanning → Enumeration → Gaining Access → Escalating Privilege → Pilfering → Covering Tracks → Creating Backdoors → Denial of Service
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Footprinting
Objective
• Target address range
• Acquire namespace
• Information gathering
• Surgical attack
• Don’t miss details
Technique
• Open source search
• whois
• Web interface to whois
• ARIN whois
• DNS zone transfer
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Scanning
Objective
• Bulk target assessment
• Determine listening services
• Focus attack vector
Technique
• Ping sweep
• TCP/UDP scan
• OS detection
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Enumeration
Objective
• Intrusive probing commences
• Identify valid accounts
• Identify poorly protected shares
Technique
• List user accounts
• List file shares
• Identify applications
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Gaining Access
Objective
• Informed attempt to access target
• Typically user-level access
Technique
• Password sniffing
• File share brute forcing
• Password file grab
• Buffer overflows
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Escalating Privilege
Objective
• Gain root-level access
Technique
• Password cracking
• Known exploits
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Pilfering
Objective
• Info gathering to access trusted systems
Technique
• Evaluate trusts
• Search for cleartext passwords
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Cover Tracks
Objective
• Ensure highest access
• Hide access from system administrator or owner
Technique
• Clear logs
• Hide tools
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Creating Back Doors
Objective
• Deploy trap doors
• Ensure easy return access
Technique
• Create rogue user accounts
• Schedule batch jobs
• Infect startup files
• Plant remote control services
• Install monitors
• Trojanize
Source: Hacking Exposed, McClure, Scambray, and Kurtz
Denial of Service
Objective
• If unable to escalate privilege, then kill
• Build DDOS network
Technique
• SYN flood
• ICMP attacks
• Identical src/dst SYN requests
• Out of bounds TCP options
• DDOS
Source: Hacking Exposed, McClure, Scambray, and Kurtz
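The denial-of-service techniques listed above are the ones an intrusion detection system is expected to notice, so here is the defender's side of two of them: a SYN flood (many half-open connections to one service in a short window) and identical src/dst SYN requests (a SYN addressed to itself, which no real handshake produces). This is an added example, not code from the course or from Hacking Exposed; the one-line packet summary format, the field names, the documentation-range addresses in the constructed capture and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the course slides): detection logic for two of
the DoS patterns listed above, SYN floods and identical source/destination
SYN packets, run over constructed TCP header summaries. The line format,
field names and thresholds are assumptions made for this example."""

from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str    # TCP flag letters, e.g. "S" for SYN, "A" for ACK


def parse_line(line: str) -> Packet:
    """Parse one constructed summary line such as
    't=0.10 src=203.0.113.1 dst=192.0.2.10 dport=80 flags=S'."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Packet(float(kv["t"]), kv["src"], kv["dst"], int(kv["dport"]), kv["flags"])


def build_sample() -> list[str]:
    """Constructed capture (documentation address ranges only): a burst of
    half-open SYNs to port 80, one legitimate handshake on 443, and one
    SYN whose source equals its destination."""
    lines = [f"t={0.02 * i:.2f} src=203.0.113.{i + 1} dst=192.0.2.10 dport=80 flags=S"
             for i in range(25)]
    lines += [
        "t=0.30 src=198.51.100.7 dst=192.0.2.10 dport=443 flags=S",
        "t=0.31 src=198.51.100.7 dst=192.0.2.10 dport=443 flags=A",
        "t=0.40 src=192.0.2.10 dst=192.0.2.10 dport=139 flags=S",
    ]
    return lines


def find_land_packets(packets: list[Packet]) -> list[Packet]:
    """Identical src/dst SYN requests: a packet addressed to itself can never
    be part of a real handshake, so any such SYN is worth an alert."""
    return [p for p in packets if "S" in p.flags and p.src == p.dst]


def syn_flood_suspects(packets, window_s=1.0, min_syns=20, max_completion=0.5):
    """Flag (dst, dport) pairs that receive at least min_syns SYNs inside any
    window_s-second span while fewer than max_completion of the SYN sources
    ever follow up with an ACK (i.e. the connections stay half-open)."""
    by_service = defaultdict(list)
    for p in packets:
        by_service[(p.dst, p.dport)].append(p)
    suspects = {}
    for svc, plist in by_service.items():
        plist.sort(key=lambda p: p.t)
        syn_times = [p.t for p in plist if p.flags == "S"]
        syn_sources = {p.src for p in plist if p.flags == "S"}
        completed = {p.src for p in plist if "A" in p.flags and p.src in syn_sources}
        # Densest SYN window: two pointers over the sorted timestamps.
        peak, lo = 0, 0
        for hi, t in enumerate(syn_times):
            while t - syn_times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        completion = len(completed) / len(syn_sources) if syn_sources else 1.0
        if peak >= min_syns and completion < max_completion:
            suspects[svc] = {"peak_syns": peak,
                             "distinct_sources": len(syn_sources),
                             "completion_ratio": completion}
    return suspects


def analyze(lines: list[str]) -> dict:
    """Run both detectors over summary lines and return their findings."""
    packets = [parse_line(line) for line in lines]
    return {"land": find_land_packets(packets),
            "syn_flood": syn_flood_suspects(packets)}


if __name__ == "__main__":
    result = analyze(build_sample())
    for p in result["land"]:
        print(f"self-addressed SYN at t={p.t}: {p.src} -> {p.dst}:{p.dport}")
    for (dst, port), info in result["syn_flood"].items():
        print(f"possible SYN flood on {dst}:{port}: {info}")
```

The SYN-flood rule deliberately keys on two signals at once, a dense burst of SYNs and a low handshake-completion ratio, because a busy but healthy web server also sees bursts of SYNs; what distinguishes the flood is that the sources never complete the handshake. The self-addressed SYN check needs no threshold at all, since the condition is impossible in legitimate traffic. On the constructed capture the port-80 service is flagged with 25 half-open SYNs from 25 distinct sources, the port-443 handshake is left alone, and the single port-139 packet is reported by the land check.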
Hacker Exploits per SANS
(figure: the SANS attack phases, read left to right)
Reconnaissance → Scanning → Exploit Systems → Keeping Access → Cover Tracks
Source: SANS Institute
Hacking Summary
• Threat: Hacking on the rise
• Security posture usually reactive
• Losses increasing
• 7 Step Process
• Hacker Techniques