when to declare an information security incident and how to respond once you do (166229905)


Page 1: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)

7/29/2019 When to Declare an Information Security Incident and How to Respond Once You Do (166229905)

http://slidepdf.com/reader/full/when-to-declare-an-information-security-incident-and-how-to-respond-once-you 1/27

When to Declare an Information Security Incident and How to Respond Once You Do

Dr. Kees Leune

ISO, Adelphi University

Robert Henry, CISSP

CISO, Santa Clara University

EDUCAUSE Security Professionals Conference, April 16, 2013

Page 2: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Information Security Offensive Process

1. Open source intelligence gathering
2. Targeted scanning
3. Intrusion
4. Retention
5. Evasion
6. Use (Exfiltration, Pivot, Defacement, DoS, etc.)

Page 3: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Information Security Defense Process


1. Prepare
2. Monitor
3. Respond
4. Resolve
5. Restore
6. Learn

Page 4: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


No Need to Reinvent the Wheel!

NIST: http://csrc.nist.gov/publications/PubsSPs.html

SANS: http://www.sans.org/security-resources/policies/

ITIL: http://www.itil-officialsite.com/

ISO 27002: http://www.iso.org/iso/catalogue_detail?csnumber=50297


Page 5: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Event? Or Incident?

With the cycle defined, your authority established in policy, and your controls implemented, you can start preparing the monitoring process.

Information security event: anything that happens on systems or the network AND that can be observed. It can be ordinary OR unusual.

Information security incident: a deviation from the norm which has an adverse result or threatens an adverse result. Incident detection is based on analysing events.

From NIST SP 800-61


Page 6: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Let's start

It is Friday afternoon around 3:30 p.m. and the phone rings. Just by looking at the clock, you know that this cannot be good.

Caller ID confirms that you really don't want to take the call, but you really should...

Page 7: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Dramatis Personae

Occasio laboris

● Departmental Web Site Owner
● College Sys Admin
● Central IT Help Desk
● Central IT Incident Handler
● Department Intern
● Random Email Authors from the Internet (a cast of billions!)

Machina

● College IIS Web Server with Front Page extensions
● College IIS Web Server with ODBC connections to MS-SQL server
● College MS-SQL Server
● All servers are up-to-date on A-V, OS patches, and application patches


Page 8: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Email to Department Website Owner

From: [email protected]
Sent: Mar 15, 2007 5:54 AM
To: [email protected]
Subject: SPAM

To Whom It May Concern,

I received the attached sexual spam from someone at your university. I'm letting you know because I'm sure you do not want your University to be joined in any lawsuit that may come out of this activity.

David Hawley

-----Forwarded Message-----
From: [email protected]
Sent: Mar 14, 2007 5:54 AM
To: Xqzme2
Subject: Greetings !!!

Hello ours dear member!. Thank you for using our services! Now we represent new unique 2 sites for you. Believe, this site will not leave you cold ! Just exclusive high definition quality video. Only best for you! To your good health and prosperity ! Thanks for attention !

If you love young innocent bodies CLICK HERE.
If you love skilled and mature CLICK HERE.

Page 9: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


The Sys Admin's Response:

"... Not sure what to do about this ..."


Page 10: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Central IT Help Desk Receives This email

From: Average User <[email protected]>
To: [email protected]
Date: 3/17/2007 10:19 AM
Subject: Fwd: Illegal content

This email does not look like it came from a reliable source. We did not open the links and are deleting this but I thought it would be good to forward on to CIT.

Thanks,

Average


Page 11: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Forwarded Message & Attachment

From: "Uwe Packer" <[email protected]>
To: <[email protected]>, <regmail@metrouniv.edu>, <[email protected]>
Date: 3/9/2007 10:34 PM
Subject: Illegal content

Unfortunately I have to report that your IT services are being misused for spamming and drug sales. Would you please upgrade your security and stop this content from being distributed to minors.

Uwe

Sample post received:

Mar,8, 2007 at 05:22:18 propecia ([email protected])
http://modlang.metrouniv.edu/_s297board/000009a5.htm
Hi! propecia [url=http://modlang.metrouniv.edu/_s297board/000009a5.htm]propecia[/url] Welcome!
===
May 10, 2007 at 02:04:31 Tadalafil ([email protected])
http://modlang.metrouniv.edu/_s297board/000009a4.htm?tadalafil
===
Hi! tadalafil as [url=http://modlang.metrouniv.edu/_s297board/000009a4.htm?tadalafil]tadalafil as[/url] Waiting for you!

__________________________________________________
Advertisement: 1000s of Sexy Singles online now at Lavalife - Click here http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Flavalife9%2Eninemsn%2Ecom%2Eau%2Fclickthru%2Fclickthru%2Eact%3Fid%3Dninemsn%26context%3Dan99%26


Page 12: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Central Help Desk Response

From: Desk, Help
To: User, Average
Date: 3/20/2007 11:02 AM
Subject: Re: Fwd: Illegal content

Hi Average,

Yes, this is a spam email. Please delete. In the future you may also forward spam emails as attachments to [email protected] and the spam system will learn to mark them as such.

Thank you,

Techie


Page 13: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Email Picked Up by Sys Admin

From: Simon Brady <[email protected]>
To: <[email protected]>
Date: 3/13/2007 4:12 AM
Subject: Compromised University website

Hi folks,

A web bulletin board run by your Modern Languages and Literatures Faculty appears to have been taken over by spammers:

http://modlang.metrouniv.edu/s297board_frm.htm

Could you please pass this on to your IT security staff? Thanks,

Simon


Page 14: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Sys Admin's Findings

Messed-up site is an open web forum... no username/password required.

The Sys Admin's Notes:

● The main modlang site does not even seem to have a link to the sketchy forum so I'm not sure how someone would navigate to it... but all the same there are several posts from the last few days that have inappropriate offers.
● Wow! There are several other forums doing the same stuff


Page 15: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


CPU Usage Chart


Page 16: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Oh, No! More Nasty Grams!

> From: "ernie nicholas" <[email protected]>
> Date: June 4, 2007 12:17:41 PM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.metrouniv.edu/malville/maincontent.asp?page=bgdubscr
>
> thanks

**********************************************

> From: "john smith" <[email protected]>
> Date: June 8, 2007 12:17:41 PM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.metrouniv.edu/malville/maincontent.asp?page=uhlffmhy
>
> thanks

**********************************************

> From: "bob carol" <[email protected]>
> Date: June 10, 2007 2:27:31 AM MDT
> To: [email protected]
> Subject: spam page
>
> Hello,
>
> The following page links to spam:
> http://www.metrouniv.edu/malville/maincontent.asp?page=bzvetcps
>
> thanks

**********************************************

Page 17: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


What the Web Server Logged

2007-03-18 18:36:44 192.168.236.60 GET /malville/maincontent.asp page=Policies'%3BINSERT+INTO+OTHERPAGES+(PAGE,CONTENT)+VALUES+(CHAR(117)%2BCHAR(104)%2BCHAR(108)%2BCHAR(102)%2BCHAR(102)%2BCHAR(109)%2BCHAR(104)%2BCHAR(121),SPACE(0))%2D%2D 80 - 83.222.16.60 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0

Note: see your handouts for a better view


Page 18: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


De-Coding the Logs

The log entry from the previous page uses a combination of ASCII and hex-encoded characters that translates to a SQL INSERT command loading an entry and a script, "uhlffmhy," into the "OtherPages" table.

Then, a URL like this: http://www.metrouniv.edu/malville/maincontent.asp?page=uhlffmhy

redirects to an on-line pharmaceutical site.

See handouts for additional log entries
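To show how a responder can decode an entry like that mechanically instead of by hand, here is an added Python example (not from the presentation): it parses the IIS W3C log line, URL-decodes the query string, flags the stacked INSERT, and resolves the CHAR() concatenation to the planted page name. The field order is assumed from the logged line, and the second, benign log line is constructed for comparison.

```python
import re
from urllib.parse import unquote_plus

# Field order assumed from the logged line (W3C extended format): date time s-ip
# cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent)
# sc-status sc-substatus sc-win32-status.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "status", "substatus", "win32_status"]

# Stacked-query injection: a closing quote, a statement terminator, a write
# statement, and a trailing SQL comment that discards the rest of the query.
SQLI_PATTERN = re.compile(r"'\s*;\s*(INSERT|UPDATE|DELETE|DROP|EXEC)\b.*--\s*$",
                          re.IGNORECASE | re.DOTALL)
CHAR_CALL = re.compile(r"CHAR\((\d+)\)", re.IGNORECASE)
CHAR_CONCAT = re.compile(r"(?:CHAR\(\d+\)\s*\+\s*)*CHAR\(\d+\)", re.IGNORECASE)

# The entry from the "What the Web Server Logged" slide, rejoined onto one line.
INJECTION_LINE = (
    "2007-03-18 18:36:44 192.168.236.60 GET /malville/maincontent.asp "
    "page=Policies'%3BINSERT+INTO+OTHERPAGES+(PAGE,CONTENT)+VALUES+"
    "(CHAR(117)%2BCHAR(104)%2BCHAR(108)%2BCHAR(102)%2BCHAR(102)%2BCHAR(109)"
    "%2BCHAR(104)%2BCHAR(121),SPACE(0))%2D%2D 80 - 83.222.16.60 "
    "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0")
# A constructed ordinary request to the same page, for comparison.
BENIGN_LINE = ("2007-03-18 18:40:02 192.168.236.60 GET /malville/maincontent.asp "
               "page=Policies 80 - 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0")

def parse_iis_line(line):
    """Split one W3C-format line into named fields; None if the field count is off."""
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def char_literals(sql):
    """Return the string that each CHAR(n)+CHAR(m)+... run in the SQL builds."""
    return ["".join(chr(int(n)) for n in CHAR_CALL.findall(run.group(0)))
            for run in CHAR_CONCAT.finditer(sql)]

def analyse_line(line):
    """URL-decode the query string and report whether it carries a stacked injection."""
    rec = parse_iis_line(line)
    if rec is None:
        return {"suspicious": False, "reason": "unparsed line"}
    decoded = unquote_plus(rec["uri_query"])  # %3B -> ';', '+' -> ' ', %2B -> '+'
    match = SQLI_PATTERN.search(decoded)
    return {
        "suspicious": match is not None,
        "client_ip": rec["c_ip"],
        "target": rec["uri_stem"],
        "decoded_query": decoded,
        "statement": match.group(1).upper() if match else None,
        # Strings the injected statement writes, e.g. the name of the planted page.
        "injected_literals": char_literals(decoded) if match else [],
    }
```

Running analyse_line over the slide's entry reports the INSERT, the client address 83.222.16.60, and the literal "uhlffmhy", which is exactly the page name that later turns up in the complaint emails.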


Page 19: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


HOW DID THIS HAPPEN?


Page 20: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


And it is just a faculty member's pet project . . .

What damage could there be?


Page 21: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Tables in the Malville Database:

The usual system tables and:

Checklist
CrossReferences
Feedback
OtherPages
Contributors

Page 22: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Rows from the Contributors table displayed as a column:

id       500
name     Thomas Smith
address  1492 Columbus Dr.
city     Hope
State    MT
zip      93666
Hphone   5088769821
posit    Marketing Director
empl     Warmsprings Creek
Wphone   5088353009
email    [email protected]
phoneDrive
amount   750
cc       mc
ccname   Thomas L. Smith
ccnum    4857349832681896
ccexp    10/10/2010
cvv      430
alum     yes
assn     yes
gyear    1993
degree   BS
major    mkt
Fin
spouse   Mary

Page 23: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


How do you remove the pestilence?

Page 24: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


How and when do you get the server back in business?

Page 25: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Whew! Time to go home!

But Wait!

Page 26: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Lessons Learned

● Have a policy for what gets stored and where it gets stored
● Have an Incident Response plan
● And somebody responsible for it
● Practice your Incident Response Plan
● Include appropriate teams—including Help Desk
● Conduct information security education


Page 27: When to Declare an Information Security Incident and How to Respond Once You Do (166229905)


Thanks!
