IA Summer School – Practice
Willis Marti, June 2006
Agenda
• Tuesday
  • Lecture
• Wednesday
  • Guest plus Hands-on
• Thursday
  • Hands-on
• Bibliography

Tuesday Agenda
• Ethics & Overview of ‘Practice’
• Forensics & Legal Issues
• Vulnerabilities
• Threats, Protection & Mitigation
• Incident Response

Wednesday Agenda
• Dr. Dave McIntyre, ICHS
• Lions, Tigers, Bears and Rootkits
• Encryption Tools
• Log Analysis

Thursday Agenda
• Port Scanning
• Packet Analysis
• Attack Scripts
• Intrusion Detection & Prevention

Ethics & Overview
• Ethics is a general term for what is often described as the “science (study) of morality”. In philosophy, ethical behavior is that which is “good” or “right.”
• A set of moral principles or values
• Keys:
  • More than one way!
  • A way to judge behavior

More than One System
• Understand your environment
  • Laws
  • Regulation
  • Custom
• Understand your users
  • Globalization is real
  • Backgrounds can’t be assumed

What are Ethics?
• According to the Webster Dictionary, ethics is the system or code of morals of a particular person, religion, group or profession.
• Ethics are subject to personal interpretation. Two people may not view the same ethical issue the same way.

What are Ethics? (continued)
• Ethical issues are not legal issues.
• Individuals can choose whether they wish to follow an ethical guideline or not.
• Legal issues have documented definitions (laws) and specific consequences if the laws are broken.
• Ethical issues are guidelines set by a specific group of people, with no real documented definitions of what is right and what is wrong.
Three Ethical Decision Theories
1. Utilitarianism Theory
• Considers the ethical issue and its relationship to individuals
• Makes a decision based on what benefits the most people
• “The greater good of the most people”
Utilitarianism Example: An 8:00 am class has 10 students in it. Nine of those students and the Teaching Assistant (TA) all live in Friley Hall, which is on one side of campus, while one student lives in Hawthorn Court, on the other side of campus. The TA decides to move the lecture to Pearson Hall instead of Lagomarcino Hall, as Pearson is much closer to the ten individuals’ dorm than to the one individual’s dorm. This benefits 10 people and inconveniences one person, so more people are benefited than not.

Three Ethical Decision Theories (cont.)
2. Pluralism Theory
• Believes there are two options in an ethical issue: right and wrong decisions
• Pluralism stresses that each person has a decision-making duty, must make ethical decisions based on that duty, and must never break away from that duty.
• All decisions are clear-cut, black and white
Pluralism Example: No one should ever lie. Your best friend was recently picked up for OWI. Ten minutes before the arrest you were in the vehicle and knew your friend was intoxicated. The police have asked about your whereabouts during this time and whether you could attest to your friend’s intoxicated state. You have to decide whether to lie or tell the truth. You decide to tell the truth because you have a duty to always tell the truth.

Three Ethical Decision Theories (cont.)
3. Rights-based Theory
• All people have rights, and those rights must be respected
• Decisions are based on respecting individual rights
• All decisions are clear-cut, black and white
Rights-based Example: You are a network administrator with access to many email accounts. The temptation to read personal email is strong. However, you know you should never read a person’s email because it violates that person’s right to privacy, and you resist the temptation.
Ethical Issues Related to Computers
• Fraud
• Privacy
• Program Ownership

Academic Controversy Questions
• What is the ethical question in this scenario?
• What can be done to eliminate the ethical question?
• What is the individual’s questionable behavior?
• What different views could there be concerning this ethical question?
• Justify why the person’s actions are right or wrong.
• What do you think the right thing to do is? What would you do in this situation?
Novice Academic Controversy #1 Josh is an employee at HOW Programs, a programming company that specializes in writing customized software for large corporations. Josh's boss, Jo Ann, asked him to write a program enabling ABC Wood Company to analyze their sales and predict what supplies the company should stock up on to maintain a proper inventory. After sitting down with the ABC Wood Company representatives to get an idea of what they wanted for the program, Josh realized there were commercial software packages that would do bits and pieces of what he wanted to write in his program. Josh felt he could take a few shortcuts, thus getting the program to ABC sooner if he took the program already written and incorporated it into his program code. By completing such a large project a few days earlier, Josh received a bonus and promotions. Were Josh's actions ethical?
Novice Academic Controversy #2 Three years later, Caroline began working at HOW Programs. She was given a project that required her to write a program that would evaluate inventory and determine the rate of production needed so that inventory would not get too high or too low. After doing some research on the project, Caroline found a program Josh wrote for the ABC Wood Company. Caroline realized Josh's project was similar. She decided that a combination of the same basic ideas behind Josh's program and some new program code would work well in her program. Caroline used pieces of Josh's program as she wrote the remainder of the program. Caroline received a bonus and a promotion because of the program. Were Caroline's actions ethical?
Bottom Line
• There are standards.
• There are punishments (sanctions).
• It’s not how the user views the ethics/legality of a situation, it’s how your environment views it.
Forensics & Legal Issues (Computer) Forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage.
Forensic Subjects
• Computer Crime
• Basic Forensics
• A Few Technology Issues
• Legal Challenges
• Search and Seizure of Computers
• Collection of Evidence from a “Live” System
• Forensic Imaging and Verification
• Data Recovery and Analysis
• Encryption
• Real World

Computer Crime
• What is a computer crime?
• Types of evidence
• Why collect evidence
• The rules of evidence (next slide!)
• Locard’s Exchange Principle
• Why is computer forensics necessary?
• Computer Forensics as part of an Incident Response Plan

Differing Standards (of proof)
Criminal        95%+
Civil           51%
Administrative  25%
Sysadmin        ?  ???

Basic Forensics
• The forensics objective
• The principles of evidential integrity and continuity
• Chain of Custody
• Computer Forensics Methodology
• General Evidence Processing Guidelines and Procedures
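As an added example that is not part of the Marti deck, the evidential-integrity and chain-of-custody points above in working form: hash a disk image at acquisition, re-hash it at every handoff, and verify later so that a single flipped byte anywhere in the image is detected. The image bytes and examiner names are constructed; the digest names are those of Python's hashlib.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real one is the
# bit-for-bit copy of the seized media, hashed exactly the same way).
SAMPLE_IMAGE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 505) * 64

def image_hashes(data, algorithms=("md5", "sha256"), chunk=65536):
    """Hash the image in fixed-size chunks, as imaging tools do for
    multi-gigabyte media, and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for off in range(0, len(data), chunk):
        block = data[off:off + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def custody_entry(log, action, who, data):
    """Append a chain-of-custody record. Every handoff re-hashes the
    image, so the record shows who held it and that it was unchanged."""
    entry = {
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action,        # e.g. "acquired", "transferred", "examined"
        "who": who,
        "hashes": image_hashes(data),
    }
    log.append(entry)
    return entry

def verify_image(data, log):
    """Compare the image against the acquisition hashes (first record).
    Returns (ok, [algorithms that mismatched]); two independent digests
    mean a collision in one cannot hide a modification."""
    baseline = log[0]["hashes"]
    current = image_hashes(data, tuple(baseline))
    bad = sorted(alg for alg in baseline if baseline[alg] != current[alg])
    return (not bad, bad)

def demo():
    """Acquire, hand off, then check an intact copy and a tampered copy."""
    log = []
    custody_entry(log, "acquired", "examiner A", SAMPLE_IMAGE)
    custody_entry(log, "transferred to lab", "examiner B", SAMPLE_IMAGE)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[4096] ^= 0x01           # one bit changed deep in the image
    return verify_image(SAMPLE_IMAGE, log), verify_image(bytes(tampered), log)

if __name__ == "__main__":
    print(demo())   # ((True, []), (False, ['md5', 'sha256']))
```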
A Few Technology Issues
• Types of storage
  • Hard disks
    • Review of disk geometry
    • Tables and file structure
    • Sectors and clusters
    • File storage
    • Unallocated File Space
    • Spool, Temporary, and Swap Files
  • Floppy disks
    • Allocated vs. Unallocated space
    • Deleted files, File Slack
• Computer memory and RAM Slack
• BIOS control
• Device drivers
• Initialization files
• The Boot sequence
• General overview of Networks
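An added example (not from the deck) that works the sectors/clusters, File Slack and RAM Slack items above through: for a given file size it separates RAM slack from file slack and carves the byte ranges an examiner would look at, since the unwritten sectors of the last cluster still hold whatever earlier data was there. The 512-byte sectors, 8-sector clusters and the overwritten-memo content are assumptions.

```python
SECTOR = 512             # assumed sector size
CLUSTER_SECTORS = 8      # assumed 8 sectors per cluster (4096-byte clusters)

def ceil_div(a, b):
    return -(-a // b)

def slack_layout(file_size, sector=SECTOR, cluster_sectors=CLUSTER_SECTORS):
    """Allocation facts for a file of file_size bytes.
    ram_slack : bytes from end-of-file to the end of the last sector the
                file wrote (older systems padded these from memory; modern
                ones zero them).
    file_slack: whole sectors in the last cluster the file never wrote,
                which still hold whatever was on the disk before."""
    cluster = sector * cluster_sectors
    clusters = ceil_div(file_size, cluster)
    sectors_used = ceil_div(file_size, sector)
    allocated = clusters * cluster
    return {
        "clusters": clusters,
        "allocated": allocated,
        "ram_slack": sectors_used * sector - file_size,
        "file_slack": allocated - sectors_used * sector,
        "total_slack": allocated - file_size,
    }

def carve_slack(cluster_bytes, file_size):
    """Split the raw bytes of a file's clusters into
    (ram_slack_bytes, file_slack_bytes); these are what a forensic tool
    lists as slack and where fragments of deleted files turn up."""
    lay = slack_layout(file_size)
    ram_end = file_size + lay["ram_slack"]
    return cluster_bytes[file_size:ram_end], cluster_bytes[ram_end:lay["allocated"]]

def demo():
    """Constructed: a 5000-byte file written over two clusters that used to
    hold an older memo; the memo text survives in the slack."""
    old = b"OLD SECRET MEMO " * 512             # 8192 bytes of prior content
    new = b"N" * 5000                            # the current file's data
    raw = new + old[5000:]                       # what the clusters now hold
    ram, file_slack = carve_slack(raw, 5000)
    return slack_layout(5000), len(ram), file_slack[:16]

if __name__ == "__main__":
    print(demo())
```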
Search and Seizure of Computers
• Preparing a Forensic Checklist
• To seize or not to seize
• How to handle a “live” computer
• Understanding the boot sequence for forensic control
• What to seize and where to look
• Photographing and recording equipment layout
• Bagging, tagging and removing equipment
• Storage of seized equipment

Collection of Evidence from a “Live” System
• Build Forensic Response Toolkit
  • Trusted Source Files
  • Built-in Operating System Utilities
  • Specialized Windows tools
• Analysis of Data
  • Log Analysis and Correlation
  • File Access Times
  • Abnormal Processes
  • Reviewing Relevant Files
  • Unusual or Hidden Files

Data Recovery and Analysis
• Overview of analysis software
• Demonstration of analysis techniques
  • Keyword searching
  • Graphic searching
  • Producing, viewing, and sorting file listings
  • Extracting files
  • Undeleting files
  • Investigating floppy disks
• Use the Forensics Toolkit
Vulnerabilities
• People are our biggest vulnerability.
• People are unavoidable.

Unwarranted Trust
• Address spoofing
• Viruses & worms
• Denial of service attacks
• Packet sniffing
• Password cracking

Everything’s Vulnerable
• Design Vulnerabilities
• Implementation Vulnerabilities
• Configuration Vulnerabilities
• Resource Vulnerabilities
• User Vulnerabilities
• Business Process Vulnerabilities

Why Vulnerabilities
• Engineers assume things should work.
• Rarely does anyone consider deliberate deception.
• Programs and people that lie can gain advantage.

Vulnerability Management
• Process to identify and remediate vulnerabilities in the enterprise to reduce risk posture
• Processes
  • Asset Classification
  • Incident, Vulnerability & Threat Handling
    • Incident Categorization, Assessment, Response
    • Vulnerability & Threat Identification and Response
  • Enterprise Remediation
    • Threat/Vulnerability Prioritization, Accountability, etc.
    • Remediation Tracking
  • Metrics

How to Manage
• Security Program Value
  • Security Metrics
  • Security Processes: Threat, Vuln, IAM, NAC
  • Security Staff: Expertise, Experience
  • Security Infrastructure: Assess, Plan, Implement

Active Management
• “Discovery Scans”
  • Frequent Scans to Baseline and Discover Assets
  • Identify & Classify Assets and Enforce Policies
• Conduct Vulnerability Scans on Critical Assets
  • Automated Recurring Scans
  • Shift from Quarterly or Yearly Consultative Scans
• Aggregate, Prioritize and Assign Accountability
  • Workflow System to Track Remediation Effort
• Result = Awareness of Critical Assets Exposure

CVE
• http://www.cve.mitre.org/
Defining Network Security
Security is prevention of unwanted information transfer.
• What are the components?
  • Physical Security
  • Operational Security
  • Human Factors
  • Protocols
Areas for Protection
• Privacy
• Data Integrity
• Authentication/Access Control
• Denial of Service

Security Threat, Value and Cost Tradeoffs
• Identify the Threats
• Set a Value on Information
• Add up the Costs (to secure)
Cost < Value * Threat * Likelihood

Threats
• Hackers/Crackers (“Joyriders”)
• Criminals (Thieves)
• Rogue Programs (Viruses, Worms)
• Internal Personnel
• System Failures

Network Threats
• IP Address spoofing attacks
• TCP SYN Flood attacks
• Random port scanning of internal systems
• Snooping of network traffic
• Buffer overrun attacks

Network Threats (cont.)
• Backdoor command attacks
• Information leakage attacks via finger, echo, ping, and traceroute commands
• Attacks via download of Java and ActiveX scripts
• TCP Protocol Attacks

Threat, Value and Cost Tradeoffs
• Operations Security
• Host Security
• Firewalls
• Cryptography: Encryption/Authentication
• Monitoring/Audit Trails
Host Security
• Security versus Performance & Functionality
• Unix/Linux, Microsoft Windows, MVS, etc.
• Desktops vs Servers
• “Security Through Obscurity”

Host Security (cont.)
• Programs
• Configuration
• Regression Testing

Network Security
• Traffic Control
• Not a replacement for Host-based mechanisms
• Firewalls and Monitoring, Encryption
• Choke Points & Performance
• IDS/IPS
• NetSQUID

Access Control
• Host-based:
  • Passwords, etc.
  • Directory Rights
  • Access Control Lists
  • Superusers
• Network-based:
  • Address Based
  • Filters
  • Encryption
  • Path Selection
Network Security and Privacy
• Protecting data from being read by unauthorized persons.
• Preventing unauthorized persons from inserting and deleting messages.
• Verifying the sender of each message.
• Allowing electronic signatures on documents.

FIREWALLS
• Prevent against (many) attacks
• Access Control
• Authentication
• Logging
• Notifications

Types of Firewalls
• Packet Filters (Network Layer)
• Stateful Packet Filters (Network Level)
• Circuit-Level Gateways (Session Level)
• Application Gateways (Application Level)
(OSI stack shown alongside: Application, Presentation, Session, Transport, Network, Data Link, Physical)
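As an added example (not part of the deck), the difference between the first two firewall types above in toy form: a plain packet filter decides on each packet's header alone, so to let replies to campus-originated connections back in it must admit any inbound segment with the ACK bit set; a stateful filter remembers which connections left campus and admits only their replies. The campus prefix, addresses and traffic are constructed.

```python
from dataclasses import dataclass

CAMPUS_PREFIX = "10.0.0."        # constructed campus address range

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def is_campus(ip):
    return ip.startswith(CAMPUS_PREFIX)

def stateless_filter(pkt):
    """Plain packet filter: one decision per packet from header fields only.
    Outbound is allowed. Inbound uses the classic 'established' rule (ACK
    bit set) so SYN/ACK and data replies reach campus hosts; the cost is
    that an unsolicited inbound ACK probe passes as well."""
    if is_campus(pkt.src):
        return True
    return pkt.ack

class StatefulFilter:
    """Stateful packet filter: records connections opened from campus and
    admits inbound segments only when they belong to one of them."""
    def __init__(self):
        self.connections = set()   # (campus ip, port, remote ip, port)

    def filter(self, pkt):
        if is_campus(pkt.src):
            if pkt.syn and not pkt.ack:            # new outbound connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def compare(packets):
    """Run the same traffic through both filters; returns a list of
    (stateless_decision, stateful_decision) in packet order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in packets]

# Constructed traffic: a campus web request, its SYN/ACK reply, an
# unsolicited ACK probe at a campus SSH port, and an inbound SYN.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, syn=True),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, syn=True, ack=True),
    Packet("203.0.113.7", 1234, "10.0.0.5", 22, ack=True),
    Packet("203.0.113.7", 1234, "10.0.0.5", 22, syn=True),
]

if __name__ == "__main__":
    print(compare(TRAFFIC))  # [(True, True), (True, True), (True, False), (False, False)]
```

Only the third packet separates the two: the stateless rule lets the ACK probe through, the stateful table drops it because no campus host ever opened that connection.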
Packet Level
• Sometimes part of router
• TAMU “Drawbridge”
(Diagram: ROTW <-> Drawbridge <-> Router <-> Campus)