when to declare an information security incident and how to respond once you do (166229905)
Post on 14-Apr-2018
7/29/2019 When to Declare an Information Security Incident and How to Respond Once You Do (166229905)
http://slidepdf.com/reader/full/when-to-declare-an-information-security-incident-and-how-to-respond-once-you 1/27
When to Declare an Information Security
Incident and How to Respond Once You Do
Dr. Kees Leune
ISO, Adelphi University
Robert Henry, CISSP
CISO, Santa Clara University
EDUCAUSE Security Professionals Conference, April 16, 2013
Information Security Offensive Process
1. Open source intelligence gathering
2. Targeted scanning
3. Intrusion
4. Retention
5. Evasion
6. Use (Exfiltration, Pivot, Defacement, DoS, etc.)
Information Security Defense Process
1. Prepare
2. Monitor
3. Respond
4. Resolve
5. Restore
6. Learn
No Need to Reinvent the Wheel!
NIST: http://csrc.nist.gov/publications/PubsSPs.html
SANS: http://www.sans.org/security-resources/policies/
ITIL: http://www.itil-officialsite.com/
ISO 27002: http://www.iso.org/iso/catalogue_detail?csnumber=50297
Event? Or Incident?
With the cycle defined, your authority established in policy, and your controls implemented, you can start preparing the monitoring process.
Information security event: anything that happens on systems or the network AND that can be observed. It can be ordinary OR unusual.
Information security incident: a deviation from the norm which has an adverse result or threatens an adverse result. Incident detection is based on analysing events.
From NIST SP 800-61
Let's start
It is Friday afternoon around 3:30 p.m. and the
phone rings. Just by looking at the clock, you
know that this cannot be good.
Caller ID confirms that you really don't want to
take the call, but you really should...
Dramatis Personae
Occasio laboris
● Departmental Web Site Owner
● College Sys Admin
● Central IT Help Desk
● Central IT Incident Handler
● Department Intern
● Random Email Authors from the Internet (a cast of billions!)
Machina
● College IIS Web Server with Front Page extensions
● College IIS Web Server with ODBC connections to MS-SQL server
● College MS-SQL Server
● All servers are up-to-date on A-V, OS patches, and application patches
email to Department Website Owner
From: xqzme2@mindspring.com
Sent: Mar 15, 2007 5:54 AM
To: webmaster@modlang.metrouniv.edu
Subject: SPAM
To Whom It May Concern,
I received the attached sexual spam from
someone at your university. I'm letting you
know because I'm sure you do not want your
University to be joined in any lawsuit that may
come out of this activity.
David Hawley
-----Forwarded Message-----
From: Noahhornsby@mail.metrouniv.edu
Sent: Mar 14, 2007 5:54 AM
To: Xqzme2
Subject: Greetings !!!
Hello ours dear member!. Thank you for using
our services!
Now we represent new unique 2 sites for you.
Believe, this site will not leave you cold ! Just
exclusive high definition quality video. Only
best for you! To your good health and
prosperity ! Thanks for attention !
If you love young innocent bodies CLICK HERE.
If you love skilled and mature CLICK HERE.
The Sys Admin's Response:
“. . . Not sure what to do about this . . .”
Central IT Help Desk Receives This email
From: Average User <auser@metrouniv.edu>
To: helpdesk@metrouniv.edu
Date: 3/17/2007 10:19 AM
Subject: Fwd: Illegal content
This email does not look like it came from a reliable source. We
did not open the links and are deleting this but I thought it
would be good to forward on to CIT.
Thanks,
Average
Forwarded Message & Attachment
From: "Uwe Packer" <nurmist@hotmail.com>
To: <webmgr@metrouniv.edu>, <regmail@metrouniv.edu>, <auser@metrouniv.edu>
Date: 3/9/2007 10:34 PM
Subject: Illegal content
Unfortunately I have to report that your
IT services are being misused for
spamming and drug sales. Would you
please upgrade your security and stop
this content from being distributed to
minors.
Uwe
Sample post received:
Mar,8, 2007 at 05:22:18 propecia (qtk092yvxyc@pochta.com)
http://modlang.metrouniv.edu/_s297board/000009a5.htm
Hi! propecia
[url=http://modlang.metrouniv.edu/_s297board/000009a5.htm]propecia[/url]
Welcome!
===
May 10, 2007 at 02:04:31 Tadalafil (7ejtf8@yahoo.com)
http://modlang.metrouniv.edu/_s297board/000009a4.htm?tadalafil
===
Hi! tadalafil as
[url=http://modlang.metrouniv.edu/_s297board/000009a4.htm?tadalafil]tadalafil as[/url] Waiting for you!
__________________________________________________
_______________Advertisement: 1000s of Sexy Singles online now at Lavalife -
Click herehttp://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Flavalife9%2Eninemsn%2Ecom%
2Eau%2Fclickthru%2Fclickthru%2Eact%3Fid%3Dninemsn%26context%3Dan99%26
Central Help Desk Response
From: Desk, Help
To: User, Average
Date: 3/20/2007 11:02 AM
Subject: Re: Fwd: Illegal content
Hi Average,
Yes, this is a spam email. Please delete. In the future you may also forward spam emails as attachments to spam@metrouniv.edu and the spam system will learn to mark them as such.
Thank you,
Techie
email Picked-up by Sys Admin
From: Simon Brady <simon@hikari.org.nz>
To: <abuse@modlang.metrouniv.edu>
Date: 3/13/2007 4:12 AM
Subject: Compromised University website
Hi folks,
A web bulletin board run by your Modern Languages and Literatures
Faculty appears to have been taken over by spammers:
http://modlang.metrouniv.edu/s297board_frm.htm
Could you please pass this on to your IT security staff?
Thanks,
Simon
Sys Admin's Findings
Messed-up site is an open web forum.... no username/password required.
The Sys Admin's Notes:
● The main modlang site does not even seem to have a link to the sketchy forum so I'm not sure how someone would navigate to it... but all the same there are several posts from the last few days that have inappropriate offers.
● Wow! There are several other forums doing the same stuff
CPU Usage Chart
Oh, No! More Nasty Grams!
> From: "ernie nicholas" <ernnich@gmail.com>
> Date: June 4, 2007 12:17:41 PM MDT
> To: abuse@malville.metrouniv.edu
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.metrouniv.edu/malville/maincontent.asp?page=bgdubscr
>
> thanks
**********************************************
> From: "john smith" <johnsmith666@gmail.com>
> Date: June 8, 2007 12:17:41 PM MDT
> To: abuse@malville.metrouniv.edu
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.metrouniv.edu/malville/maincontent.asp?page=uhlffmhy
>
> thanks
**********************************************
> From: "bob carol" <bcarol@gmail.com>
> Date: June 10, 2007 2:27:31 AM MDT
> To: abuse@malville.metrouniv.edu
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.metrouniv.edu/malville/maincontent.asp?page=bzvetcps
>
> thanks
***********************************************
What the Web Server Logged
2007-03-18 18:36:44 192.168.236.60 GET /malville/maincontent.asp page=Policies'%3BINSERT+INTO+OTHERPAGES+(PAGE,CONTENT)+VALUES+(CHAR(117)%2BCHAR(104)%2BCHAR(108)%2BCHAR(102)%2BCHAR(102)%2BCHAR(109)%2BCHAR(104)%2BCHAR(121),SPACE(0))%2D%2D 80 - 83.222.16.60 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0
Note: see your handouts for a better view
De-Coding the Logs
The log entry on the previous slide combines URL-encoded hex and ASCII character codes (CHAR()) that decode to a SQL INSERT command loading an entry and a script, “uhlffmhy,” into the “OtherPages” table.
Then, a URL like this: http://www.metrouniv.edu/malville/maincontent.asp?page=uhlffmhy
redirects to an on-line pharmaceutical site.
See handouts for additional log entries
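The two slides above, the SP 800-61 event/incident distinction and the decoded log entry, as an added example that is not part of the deck: a small Python triage script that parses one IIS W3C log line, URL-decodes the query string, folds the CHAR() concatenation back into the page name it plants, and classifies the request as an ordinary event or an incident candidate for a handler to confirm. The field order, the indicator list, the benign comparison line and the function names are my assumptions; the hostile line reproduces the entry shown on the slide.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log lines. The hostile one reproduces the entry
# shown on the "What the Web Server Logged" slide; the benign one is an
# ordinary request to the same page, made up here for contrast.
HOSTILE_LOG = (
    "2007-03-18 18:36:44 192.168.236.60 GET /malville/maincontent.asp "
    "page=Policies'%3BINSERT+INTO+OTHERPAGES+(PAGE,CONTENT)+VALUES+"
    "(CHAR(117)%2BCHAR(104)%2BCHAR(108)%2BCHAR(102)%2BCHAR(102)%2BCHAR(109)"
    "%2BCHAR(104)%2BCHAR(121),SPACE(0))%2D%2D 80 - 83.222.16.60 "
    "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0"
)
BENIGN_LOG = (
    "2007-03-18 18:35:10 192.168.236.60 GET /malville/maincontent.asp "
    "page=Policies 80 - 10.0.0.7 "
    "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0"
)

# Field order assumed to match the slide's entry (the IIS 6 default W3C layout).
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "status", "substatus", "win32_status"]

# Indicators of SQL injection in a decoded query string, with the reason reported.
SQLI_INDICATORS = [
    (r"'\s*;", "statement terminator right after a quote"),
    (r"\b(insert|update|delete|drop|union|exec)\b", "SQL keyword in a parameter"),
    (r"--\s*$", "trailing SQL comment"),
    (r"char\(\d+\)", "CHAR() obfuscation"),
]

CHAR_CALL = re.compile(r"CHAR\((\d+)\)", re.IGNORECASE)
CHAR_RUN = re.compile(r"CHAR\(\d+\)(?:\s*\+\s*CHAR\(\d+\))*", re.IGNORECASE)


def parse_iis_line(line):
    """Split one W3C log line into a dict keyed by FIELDS."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    return dict(zip(FIELDS, parts))


def fold_char_calls(text):
    """Replace CHAR(n)+CHAR(m)+... runs with the quoted literal they build."""
    def fold(match):
        codes = CHAR_CALL.findall(match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return CHAR_RUN.sub(fold, text)


def planted_page(decoded_query):
    """Return the first string literal inserted via VALUES(...), or None."""
    m = re.search(r"values\s*\(\s*'([^']*)'", decoded_query, re.IGNORECASE)
    return m.group(1) if m else None


def triage(line):
    """Classify one log line in NIST SP 800-61 terms.

    Every logged request is an event; a request whose decoded query carries
    SQL injection indicators is flagged as an incident candidate for an
    incident handler to confirm.
    """
    rec = parse_iis_line(line)
    plain = unquote_plus(rec["uri_query"])          # %3B -> ';', '+' -> ' ', %2B -> '+'
    rec["decoded_query"] = fold_char_calls(plain)   # CHAR(117)+... -> 'uhlffmhy'
    rec["reasons"] = [why for pat, why in SQLI_INDICATORS
                      if re.search(pat, plain, re.IGNORECASE)]
    rec["classification"] = "incident candidate" if rec["reasons"] else "event"
    return rec


if __name__ == "__main__":
    for line in (BENIGN_LOG, HOSTILE_LOG):
        r = triage(line)
        print(r["time"], r["c_ip"], r["classification"], r["decoded_query"])
        if r["reasons"]:
            print("  indicators:", "; ".join(r["reasons"]))
            print("  planted page name:", planted_page(r["decoded_query"]))
```

Run over the full log (the handout entries included), the same decoder lists every page name the attacker inserted into OtherPages, which tells the incident handler exactly which page= values to search for in later hits and which rows to remove during cleanup.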
HOW DID THIS HAPPEN?
And it is just a faculty member's pet project . . .
What damage could there be?
Tables in the Malville Database:
The usual system tables and:
Checklist
CrossReferences
Feedback
OtherPages
Contributors
Rows from the Contributors table displayed as a column:
id: 500
name: Thomas Smith
address: 1492 Columbus Dr.
city: Hope
State: MT
zip: 93666
Hphone: 5088769821
posit: Marketing Director
empl: Warmsprings Creek
Wphone: 5088353009
email: tsmith22@yahoo.com
source: phoneDrive
amount: 750
cc: mc
ccname: Thomas L. Smith
ccnum: 4857349832681896
ccexp: 10/10/2010
cvv: 430
alum: yes
assn: yes
gyear: 1993
degree: BS
major: mkt
Fin:
spouse: Mary
How do you remove the pestilence?
How and when do you get the server back in business?
Whew! Time to go home!
But Wait!
Lessons Learned
● Have a policy for what gets stored and where it gets stored
● Have an Incident Response plan
● And somebody responsible for it
● Practice your Incident Response Plan
● Include appropriate teams, including the Help Desk
● Conduct information security education
Thanks!