Information Security Lesson 13 - Advanced Security - Eric Vanderburg
- 2. Computer Forensics
• Retrieving information from computers for
use in an investigation
• The need for forensics knowledge will
increase due to:
– Increased digital information being stored
– Higher criminal computer skill
– Mistakes in the handling of evidence can
make it inadmissible in court
Information Security © 2006 Eric Vanderburg
- 3. Forensics
• Electronic data is harder to destroy
– Search programs
– RAM slack – data from RAM that is inserted to fill the rest of the
sector
– File or drive slack – previous data from the drive that is
contained in any additional unused sectors in an allocated
cluster.
– Page file
• Difficulties
  – Much data to look through
  – 1 day of email is equal to a year's worth of snail mail.
  – Data may be stored in many places under different controls
  – Dynamic content makes data different each time it is accessed
  – Data can be changed simply by accessing it
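The RAM slack and drive slack described above are easier to reason about with the arithmetic written out. The following is an added example, not part of the original slides: it computes how much of an allocated cluster is RAM slack versus drive slack for a given file size, models how an operating system rewrites only whole sectors (so the leftover bytes of the old occupant survive), and carves both slack regions back out. Sector and cluster sizes, the "deleted memo" contents and the RAM fill pattern are all constructed values.

```python
SECTOR = 512      # bytes per sector (constructed, typical value)
CLUSTER = 4096    # bytes per cluster, i.e. 8 sectors (constructed, typical value)


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack, drive_slack, total_slack) in bytes for a file of
    file_size bytes stored in whole clusters.
    ram slack   : the tail of the last sector that was written, padded from memory
    drive slack : the sectors of the cluster the file never wrote at all"""
    if file_size == 0:
        return (0, 0, 0)
    tail = file_size % sector
    ram_slack = 0 if tail == 0 else sector - tail
    allocated = -(-file_size // cluster) * cluster   # round up to whole clusters
    total_slack = allocated - file_size
    return (ram_slack, total_slack - ram_slack, total_slack)


def write_into_cluster(old_cluster, data, ram_fill, sector=SECTOR):
    """Model the OS writing `data` into a previously used cluster: only whole
    sectors are written, the last one padded from `ram_fill` (whatever was in
    RAM), and sectors past the end of the file are left exactly as they were."""
    buf = bytearray(old_cluster)
    n_sectors = -(-len(data) // sector)
    padded = data + ram_fill[: n_sectors * sector - len(data)]
    buf[: len(padded)] = padded
    return bytes(buf)


def carve_slack(cluster_bytes, used, sector=SECTOR):
    """Split the bytes of a file's last cluster that lie past its logical end
    (`used` bytes of the cluster belong to the file) into (ram_slack, drive_slack)."""
    ram_slack, _, _ = slack_layout(used, sector, len(cluster_bytes))
    ram = cluster_bytes[used: used + ram_slack]
    drive = cluster_bytes[used + ram_slack:]
    return ram, drive


# Constructed sample: a cluster that once held a deleted memo, then a 1000-byte file.
OLD_CLUSTER = (b"deleted-memo-" * 400)[:CLUSTER]
RAM_FILL = (b"RAMSLACK" * 64)[:SECTOR]
NEW_FILE = b"A" * 1000


def run_example():
    """Write the new file over the old cluster, then recover both slack regions."""
    cluster = write_into_cluster(OLD_CLUSTER, NEW_FILE, RAM_FILL)
    return carve_slack(cluster, len(NEW_FILE))


if __name__ == "__main__":
    ram, drive = run_example()
    print("layout (ram, drive, total):", slack_layout(len(NEW_FILE)))
    print("ram slack  :", ram)
    print("drive slack:", drive[:40], "...")
```

For a 1000-byte file the layout is 24 bytes of RAM slack and 3072 bytes (six untouched sectors) of drive slack, which is why a "small" file can still carry most of a previous occupant's contents.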
- 4. Forensics
• Metadata – data about data
– Can be useful to find information about a file.
– Could be false because some metadata is not
updated properly or is coded by the author
• Steganography – hiding data in data
– Use hashes to uncover data within system
files and application files.
– Other files must be scanned by
steganography programs.
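The slide's point about using hashes is that files matching a trusted reference copy can be excluded from a steganography scan, leaving only changed or new files to examine. The following is an added example and not code from the original lecture: it builds a known-good SHA-256 set from a reference directory and triages a suspect directory against it. The file names and contents are constructed stand-ins, not real system files.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_known_set(golden_dir):
    """Hash every file of a trusted reference install into a set of known-good hashes."""
    known = set()
    for root, _, files in os.walk(golden_dir):
        for name in files:
            known.add(sha256_file(os.path.join(root, name)))
    return known


def triage(scan_dir, known):
    """Classify each file under scan_dir as 'known' (identical to a reference
    file, safe to skip) or 'unknown' (changed or new, queue for a stego scanner)."""
    verdicts = {}
    for root, _, files in os.walk(scan_dir):
        for name in files:
            path = os.path.join(root, name)
            verdict = "known" if sha256_file(path) in known else "unknown"
            verdicts[os.path.relpath(path, scan_dir)] = verdict
    return verdicts


def run_example():
    """Constructed scenario: two reference files; on the suspect system one is
    unchanged, one has extra bytes appended, and a third file is new."""
    golden = tempfile.mkdtemp()
    suspect = tempfile.mkdtemp()

    def put(directory, name, data):
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)

    put(golden, "calc.exe", b"MZ\x90\x00" + b"C" * 100)
    put(golden, "notepad.exe", b"MZ\x90\x00" + b"N" * 100)
    put(suspect, "calc.exe", b"MZ\x90\x00" + b"C" * 100)
    put(suspect, "notepad.exe", b"MZ\x90\x00" + b"N" * 100 + b"hidden")
    put(suspect, "photo.jpg", b"\xff\xd8\xff" + b"J" * 100)
    return triage(suspect, build_known_set(golden))


if __name__ == "__main__":
    for name, verdict in sorted(run_example().items()):
        print(f"{verdict:8} {name}")
```

Only the two "unknown" files need to go to a steganography scanner; the matching file is excluded by its hash alone, which is exactly the filtering the slide describes.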
- 5. Responding to the incident
1. Secure the crime scene
   a) Data can be easily destroyed (take proper care of it)
2. Collect the evidence
   a) Before shutting the computer down, record some information
      (RAM contents, network connections, running programs,
      current user, open files or URLs, and current configurations)
   b) Before data is changed or scanned, hard disks are secured
      and mirrored using a bit-stream backup.
   c) Photograph the equipment placement with analog film before it
      is touched (protect against accusations of planting or
      tampering)
3. Establish a chain of custody
   a) Show that the equipment/evidence was secure at all times and
      show who had access to it at all times to protect against
      tampering.
4. Examine and preserve the evidence
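Steps 2b and 3 above fit together: the bit-stream copy is what you examine, and the chain of custody is what proves the copy (and the original) were not altered. The following is an added example rather than part of the original slides. It copies a source block by block without interpreting any file system, hashes the original before and after the copy as well as the image, and appends one JSON record to an append-only custody log. The 1 MiB "seized disk" is a constructed file standing in for a real device, and the examiner name is a placeholder.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # copy and hash granularity in bytes (constructed choice)


def sha256_stream(path):
    """Hash a file in BLOCK-sized reads."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_image(source, image):
    """Copy every byte of `source` into `image`. No file-system parsing is done,
    so unallocated space and slack are carried over unchanged. Returns bytes copied."""
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            dst.write(chunk)
            copied += len(chunk)
    return copied


def acquire(source, image, custody_log, examiner):
    """Image `source`, verify the copy by hash, and append a custody record.
    Each record is one JSON line so the log is only ever appended to."""
    before = sha256_stream(source)      # original, before anything touches it
    size = bitstream_image(source, image)
    image_hash = sha256_stream(image)
    after = sha256_stream(source)       # original must be unchanged by the copy
    record = {
        "time": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "bit-stream image",
        "source": source,
        "image": image,
        "bytes": size,
        "sha256_source_before": before,
        "sha256_source_after": after,
        "sha256_image": image_hash,
        "verified": before == after == image_hash,
    }
    with open(custody_log, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def run_example():
    """Constructed scenario: a 1 MiB pseudo-device file stands in for a seized disk."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "seized_disk.bin")
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 4096)   # 1 MiB of deterministic content
    return acquire(device,
                   os.path.join(work, "seized_disk.dd"),
                   os.path.join(work, "custody.jsonl"),
                   examiner="EXAMINER-PLACEHOLDER")


if __name__ == "__main__":
    rec = run_example()
    print("verified:", rec["verified"], "bytes:", rec["bytes"])
    print("sha256:", rec["sha256_image"])
```

In practice the source would sit behind a hardware write blocker and the image would be taken with a dedicated imaging tool; the point here is the shape of the record, with matching hashes taken before, after and of the image, that a court can later check.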
- 6. Attacks
• Attacks are quicker than ever
• Attacks are more frequent
- 7. Technology
• Encryption extensions are being built into processors –
TPM (Trusted Platform Model) – making a cryptographic
coprocessor standard on each processor
• Behavior blocking – rather than using a specific
signature, we watch for behavior. (more false positives)
• Antispam
• Cap network connections (average is 2 per second) –
could be much larger for those using file sharing or chat
programs.
• Sandboxing through virtual machines
• Baselining (Internet traffic, ports, programs)
• DRM (Digital Rights Management) – control access and
use of information.
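The connection cap bullet is a small behaviour-based control: instead of a signature, watch the rate of new outbound connections per host and flag the ones that exceed a baseline, with a higher cap for hosts known to run file-sharing or chat clients. The following is an added example, not code from the lecture. The log format, the IP addresses and the cap values are constructed; the default cap of 2 per second is the average quoted on the slide.

```python
from collections import Counter

# Constructed connection-open log: timestamp, source, "->", destination:port, TCP flag.
CONNECTION_LOG = """\
2006-03-01T10:00:00 10.0.0.5 -> 203.0.113.9:80 SYN
2006-03-01T10:00:01 10.0.0.5 -> 203.0.113.9:443 SYN
2006-03-01T10:00:01 10.0.0.5 -> 198.51.100.4:80 SYN
2006-03-01T10:00:02 10.0.0.7 -> 198.51.100.1:445 SYN
2006-03-01T10:00:02 10.0.0.7 -> 198.51.100.2:445 SYN
2006-03-01T10:00:02 10.0.0.7 -> 198.51.100.3:445 SYN
2006-03-01T10:00:02 10.0.0.7 -> 198.51.100.4:445 SYN
2006-03-01T10:00:02 10.0.0.7 -> 198.51.100.5:445 SYN
2006-03-01T10:00:03 10.0.0.7 -> 198.51.100.6:445 SYN
2006-03-01T10:00:03 10.0.0.5 -> 203.0.113.9:80 ACK
this line is malformed and must be skipped
"""

DEFAULT_CAP = 2   # new connections per second per host (the average quoted on the slide)


def parse(lines):
    """Yield (timestamp to the second, source ip) for each connection-open record;
    non-SYN and malformed lines are ignored."""
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "->" or parts[4] != "SYN":
            continue
        yield parts[0], parts[1]


def peak_rates(lines):
    """Return {source ip: (second, count)} for each host's busiest second."""
    per_second = Counter(parse(lines))
    peaks = {}
    for (ts, src), n in per_second.items():
        if n > peaks.get(src, (None, 0))[1]:
            peaks[src] = (ts, n)
    return peaks


def flag_hosts(lines, cap=DEFAULT_CAP, overrides=None):
    """Return [(source, second, count)] for hosts whose busiest second exceeds
    their cap. `overrides` maps hosts with a known heavy profile (file sharing,
    chat) to a larger cap so they do not generate false positives."""
    overrides = overrides or {}
    return [(src, ts, n)
            for src, (ts, n) in sorted(peak_rates(lines).items())
            if n > overrides.get(src, cap)]


if __name__ == "__main__":
    for src, ts, n in flag_hosts(CONNECTION_LOG.splitlines()):
        print(f"ALERT {src} opened {n} connections in second {ts} (cap {DEFAULT_CAP})")
```

With the sample log, 10.0.0.5 peaks at exactly 2 per second and stays under the cap while 10.0.0.7 is flagged at 5 per second; raising that host's cap through `overrides` shows the trade-off the slide mentions: a cap loose enough for file-sharing hosts is also loose enough to miss this burst.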
- 8. Employment
• The need for security workers is higher
than any other IT need (programming
comes in a close second).
• Security Certifications
- 9. Certifications
• Security+
• CWSP (Certified Wireless Security Professional)
• CCSP (Cisco Certified Security Professional)
• MCSE: Security (Microsoft Certified Systems Engineer: Security)
• (ISC)2 (International Information Systems Security Certification
  Consortium)
  – CISSP (Certified Information Systems Security Professional)
  – SSCP (Systems Security Certified Practitioner)
• EC-Council
  – CEH (Certified Ethical Hacker)
  – CHFI (Computer Hacking Forensics Investigator)
• Checkpoint
  – CCSA (Checkpoint Certified Security Administrator)
  – CCSE (Checkpoint Certified Security Expert)
• RSA
  – RCSE (RSA Certified Systems Engineer)
  – RCSA (RSA Certified Systems Administrator)
- 10. Skills
• Networking knowledge
– TCP/IP
– Network equipment (routers, firewalls, VLANs,
switching)
– Intrusion detection systems
• People skills
– People are the largest threat so you must understand
them.
– Training
• Legal
– Understand your responsibilities and your limitations
(privacy)
– Operate under the guidance of your security policy
(this will protect you against legal action)
- 11. Acronyms
• HIP, Host Intrusion Prevention
• TPM, Trusted Platform Model