Information Security Incident Management
One EDU’s Approach
Johnny Nipper, EnCE
Kevin Lanning, MSIS GSEC CISSP
Benjamin Bressman, GSEC GCIH GCFA
Information Security Level Set
• Core Principles of Information Security
  – Confidentiality – Keeping information private
  – Integrity – Keeping information accurate
  – Availability – Keeping information available (even in disasters) to authorized parties
Why Incident Response?
• Legal and Compliance obligations require notification when sensitive information is acquired by unauthorized parties
• University Policy requires a process for responding to incidents
• Computing environments at large are under constant attack (we are no exception)
• Attack Stats
What is an incident?
• Acceptance Criteria
  – How do we determine the difference between an
    incident and an event?
     • Could sensitive information/critical system be at risk?
     • Was the event malicious?
  – Maintaining a publicly accessible definition of
    sensitive data helps bring clarity during events
  – Trust support personnel and the campus
    community, but maintain the ability to verify
    when validation is needed
Incident Management Methodologies
• One approach (see SANS.org, Course 504)
  – Planning
     • Your departmental contacts
     • Communication strategies
     • Failover systems and strategies, data archives/backups
  – Identification – Is it an incident?
  – Containment – Are intrusions contained?
  – Eradication – Is the intrusion over?
  – Recovery – Are your business functions back to normal?
  – Lessons Learned – Recommendations
Incident Management
• Incident Environment?
  – Higher education institutions compared with business or military
  – Governance/Culture
  – Mission
  – Technology types/Infrastructure
How are incidents discovered?
• Intrusion Detection/Prevention Systems
• Centrally Managed Anti-Virus
• Complaints by attacked parties
• Support Personnel – Often our first responders
  – Help contain the incident and preserve data
  – Help balance forensics with business continuity
Response, Evidence Acquisition
• Preserve Evidence
  – Disconnect from the network?
  – How do we power down?
  – Preserve “last accessed” times (No AV scans)
  – Log access can overwrite valuable information
• What evidence?
  – A forensic image, an exact copy of the disk(s)
  – Preserving timestamps is key
  – Network data, off-site logs, etc.
Business Impact
• Must be mindful of business impact
  – How will incident response/forensics impact…
     • University mission
        – Teaching
        – Research
        – Public Service
     • The Department/Group
        – When will systems be back up and running?
        – Will intruders have a way back into the systems?
     • The User
Investigation and Analysis
Ask the question: “Was there unauthorized acquisition of sensitive information?”
Investigation and Analysis
• Provide context for decision makers
  – From the perspective of sensitive information:
     • Where did sensitive information exist, if at all?
  – From the technical perspective:
     • Create timelines that detail (for example)…
         – File creation and access
         – When was malware introduced?
     • Capabilities of the malware?
     • When was sensitive information last accessed?
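The timeline step on this slide, as an added example that is not from the deck and not part of log2timeline or the other tools it lists: a minimal super-timeline that merges file-system timestamps with log lines into one sorted sequence, then answers the two questions the slide asks ("When was malware introduced?" and "When was sensitive information last accessed?") from it. The paths, log lines, log format and timestamps are all constructed for the demo.

```python
"""Minimal super-timeline: merge file timestamps with log lines (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(order=True, frozen=True)
class Event:
    ts: datetime      # tz-aware UTC so events from different sources sort correctly
    source: str       # "filesystem", "av", "ids", ...
    kind: str         # "modified", "accessed", "detection", ...
    detail: str       # file path or free-text message


def utc(s):
    """Parse the ISO-8601 'Z' form used in the constructed log lines."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fs_events(path):
    """Modified and accessed times for one file; stat() itself does not touch atime."""
    st = os.stat(path)
    return [Event(datetime.fromtimestamp(t, timezone.utc), "filesystem", kind, path)
            for kind, t in (("modified", st.st_mtime), ("accessed", st.st_atime))]


# constructed log format: "<timestamp>Z <source> <kind> <free text>"
LOG_RE = re.compile(r"^(\S+Z) (\S+) (\S+) (.*)$")


def log_events(lines):
    """Parse log lines; unparsable lines are skipped rather than aborting the run."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, source, kind, detail = m.groups()
            events.append(Event(utc(ts), source, kind, detail))
    return events


def build_timeline(paths, log_lines):
    events = [e for p in paths for e in fs_events(p)]
    events.extend(log_events(log_lines))
    return sorted(events)


def malware_introduced_at(timeline, malware_path):
    """'When was malware introduced?': earliest event that mentions the malware file."""
    hits = [e for e in timeline if malware_path in e.detail]
    return hits[0].ts if hits else None


def sensitive_accessed_after(timeline, sensitive_paths, since):
    """'When was sensitive information last accessed?': accesses after the malware arrived."""
    return [e for e in timeline
            if e.kind == "accessed" and e.detail in sensitive_paths and e.ts > since]


def build_demo():
    """Constructed scenario: a roster is read 80 minutes after a dropped executable appeared."""
    root = tempfile.mkdtemp(prefix="ir-timeline-")
    roster = os.path.join(root, "ssn_roster.xlsx")   # stands in for a sensitive file
    dropper = os.path.join(root, "invoice.exe")      # stands in for the malware
    for p in (roster, dropper):
        with open(p, "wb") as f:
            f.write(b"constructed sample content\n")
    # os.utime takes (atime, mtime); set the story's timestamps explicitly
    os.utime(roster, (utc("2024-03-02T10:30:00Z").timestamp(), utc("2024-03-01T08:00:00Z").timestamp()))
    os.utime(dropper, (utc("2024-03-02T09:12:00Z").timestamp(), utc("2024-03-02T09:10:00Z").timestamp()))
    logs = [
        f"2024-03-02T09:12:05Z av detection path={dropper} verdict=Trojan.Generic",
        "2024-03-02T11:00:00Z ids alert outbound beacon from lab-ws-17",
        "not a log line at all",
    ]
    timeline = build_timeline([roster, dropper], logs)
    t0 = malware_introduced_at(timeline, dropper)
    later = sensitive_accessed_after(timeline, {roster}, t0)
    return timeline, t0, later


if __name__ == "__main__":
    tl, t0, later = build_demo()
    for e in tl:
        print(e.ts.isoformat(), e.source, e.kind, e.detail)
    print("malware introduced:", t0, "| sensitive accesses after that:", len(later))
```

Run it on a forensic image, not the live host: the point of the preceding slides is that reading files (or letting an AV scan walk the disk) on the original machine rewrites the very "last accessed" times this timeline depends on. Times are normalised to UTC before sorting because log sources rarely agree on a time zone.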
Forensic Processes and Tools
• Integrity and confidentiality of evidence
   – Chain of custody forms
   – Cryptographic hash of hard drives, images
   – Storage of hard drives and hard drive images
• Tools
   – Guidance Software EnCase, AccessData FTK
   – Open source tools like log2timeline
   – Anti-malware software (SEP)
   – Registry/Log/Browser/OS artifact data viewers
   – Identity Finder – Finds sensitive information
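The evidence-integrity points from the "Response, Evidence Acquisition" slide and this one, as an added example that is not from the deck and not part of EnCase or FTK: hash the acquired image once in a streaming pass, write the acquisition entry to a chain-of-custody log, and re-verify the image whenever it changes hands. The image content, handler names and file paths are constructed placeholders; the JSON-lines log layout is this example's own, not a form from the presenters.

```python
"""Hash an acquired image and keep a chain-of-custody log (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so multi-GB images never sit in RAM


def hash_image(path, algos=("md5", "sha256")):
    """Compute several digests in a single pass over the image."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def record_custody(log_path, image_path, action, handler, hashes, when=None):
    """Append one JSON-lines entry: who did what to which image, and its digests at that moment."""
    entry = {
        "time": (when or datetime.now(timezone.utc)).isoformat(),
        "image": os.path.basename(image_path),
        "action": action,        # "acquired", "transferred", "verified", ...
        "handler": handler,
        "hashes": hashes,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_image(log_path, image_path, handler):
    """Recompute the digests and compare them with the acquisition record; log the outcome."""
    with open(log_path, encoding="utf-8") as f:
        entries = [json.loads(line) for line in f if line.strip()]
    name = os.path.basename(image_path)
    acquired = [e for e in entries if e["image"] == name and e["action"] == "acquired"]
    if not acquired:
        raise ValueError(f"no acquisition record for {name} in {log_path}")
    expected = acquired[0]["hashes"]
    current = hash_image(image_path, tuple(expected))
    ok = all(current[a] == expected[a] for a in expected)
    record_custody(log_path, image_path, "verified" if ok else "HASH MISMATCH", handler, current)
    return ok


def demo():
    """Constructed image: acquire and verify, then flip one byte and verify again."""
    root = tempfile.mkdtemp(prefix="ir-evidence-")
    image = os.path.join(root, "ws17-disk0.dd")      # placeholder image name
    log = os.path.join(root, "custody.jsonl")
    with open(image, "wb") as f:
        f.write(b"constructed disk image bytes\n" * 50_000)
    acq = record_custody(log, image, "acquired", "examiner-1 (placeholder)", hash_image(image))
    first = verify_image(log, image, "examiner-2 (placeholder)")
    with open(image, "r+b") as f:     # simulate a single-byte change after acquisition
        f.seek(1234)
        f.write(b"X")
    second = verify_image(log, image, "examiner-2 (placeholder)")
    return {"acquired": acq["hashes"], "first_verify": first, "after_tamper": second, "log": log}


if __name__ == "__main__":
    r = demo()
    print("acquisition hashes:", r["acquired"])
    print("verify before tamper:", r["first_verify"], "| after tamper:", r["after_tamper"])
    print("custody log:", r["log"])
```

SHA-256 is the digest to rely on; MD5 is computed alongside it only so the values line up with what older tool reports show. The custody log is append-only on purpose: a mismatch is recorded as an entry rather than silently overwriting the acquisition record, so the history of who handled the image and what it hashed to at each step survives.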
Reporting Results
• Cases can be presented to…
   – Information Security management
   – Office of University Counsel
   – Office of Research Compliance
   – Internal Audit
   – Law Enforcement
• Decision makers help determine next steps
   – Is a notification appropriate?
   – How can we prevent recurrence?
Lessons Learned/Recommendations
• Behavior Modification
   – User learns best practices to prevent future incidents
   – Sys Admin configures systems to resist similar attacks
• Software Modifications
   – Harden software if flaws are found during investigation
   – Introduce vulnerability management to be proactive
• Process Modifications
   – Business processes may be modified to reduce risk
References
• How to Reach Us?
   – security@unc.edu
• Documents:
   – NIST 800-61 – “Computer Security Incident Handling Guide” (csrc.nist.gov)
• Courses:
   – SANS 504 – “Hacker Techniques, Exploits and Incident Handling” (sans.org)
• Tools:
   – Guidance Software / EnCase – www.guidancesoftware.com
   – Access Data / FTK – www.accessdata.com
   – log2timeline – www.log2timeline.net
   – Identity Finder – www.identityfinder.com
• Online Resources:
   – Forensics Wiki – www.forensicswiki.org
   – Forensic Focus – www.forensicfocus.com
   – Windows Incident Response – windowsir.blogspot.com

Cause 11 im final


Editor's notes

  1. Millions of probes, tens of thousands of attacks per day; firewalls drop ~3 million attacks per day