Chapter 17: Preventing and Responding to Incidents


Entrapment

Illegal; the honeypot owner actively solicits visitors in order to charge them with intrusion

Espionage

Malicious act of gathering proprietary, secret, or confidential information about an organization. Defense: strictly control access; screen new employees; track all employee activities

Detection

Methods: IDS/IPS; anti-malware software; automated tools and audit logs; end users notifying technicians

Pentest

Mimics an actual attack in an attempt to identify what techniques attackers can use to circumvent security; goes a step further than a vulnerability scan and assessment. Goals: 1) determine how well a system can tolerate an attack; 2) identify employees' ability to detect and respond to attacks in real time; 3) identify controls that can be implemented to reduce risk

Incident response goal

Minimize the impact on the organization

Anti-malware software

The most important protection against malicious code is anti-malware software with up-to-date signature files and heuristic capabilities; use a multi-pronged approach: firewalls to block malware, special anti-malware software on email servers, and anti-malware on each system

Reporting

Reporting an incident within the organization and to outside organizations and individuals; laws govern the protection of PII and the reporting of breaches; for serious incidents, report to the FBI (US) or INTERPOL (Europe)

Recovery

Return the system to a fully functioning state; a major incident may require a complete system rebuild; it is important to ensure the rebuilt system is configured properly (ACLs, services/protocols, etc.)

Gray Box Testing

Security testing that is based on limited knowledge of an application's design.

Padded cell

Simulated environment that offers fake data to retain an intruder's interest; an IDPS transfers attackers into it

Egress monitoring

Monitoring outgoing traffic to prevent data exfiltration (unauthorized transfer of data outside an organization); can involve looking for steganography and watermarking

7 steps of incident response

Mnemonic DRM-RRR-L: 1) Detection; 2) Response; 3) Mitigation; 4) Reporting; 5) Recovery; 6) Remediation; 7) Lessons Learned

Security Logs

Record access to resources like files, folders, printers, etc.; record information about when a user accessed, modified, or deleted a file

System logs

Record system events such as when a system starts, stops, or reboots, or when services start or stop

basic preventive measures

1) Keep systems and applications up to date; 2) remove or disable unneeded services and protocols; 3) use IDS/IPS; 4) use up-to-date anti-malware; 5) use firewalls; 6) implement configuration and system management processes

Fraggle Attack

A DDoS attack that floods the target system with a large amount of UDP echo traffic sent to IP broadcast addresses; uses UDP ports 7 and 19

distributed reflector DoS (DRDoS) attack

A DoS attack bounced off of uninfected computers, called reflectors, before being directed at the target. This is achieved by spoofing the source IP address in the attack to make it look like all of the requests for response are being sent by the target, then all of the reflectors send their responses to the target, thereby flooding the target with traffic.

Ping of Death Attack

A crafted ICMP packet larger than the maximum of 65,535 bytes; causes the recipient system to crash or freeze. Patches and updates have fixed this vulnerability

White Box Testing

A design that allows one to peek inside the "box" and focuses specifically on using internal knowledge of the software to guide the selection of test data.

Sandboxing

A form of software virtualization that lets programs and processes run in their own isolated virtual environment

Man-in-the-middle (MITM) attack

An attacker placing himself between a client and a host to intercept network traffic; also called session hijacking. Defense: keep systems up to date with patches; an IDS cannot detect the attack directly but can see abnormal activity on communication links; use VPNs

Security Information and Event Management (SIEM)

A method for analyzing risk in software systems. It is a centralized collection and monitoring of security and event logs from different systems. SIEM allows for the correlation of different events and early detection of attacks. IDS and IPS send data to the SIEM, as do many other sources

Auditing

A methodical examination or review of an environment to ensure compliance and detect abnormalities

Honeynet

A network set up with intentional vulnerabilities.

Passive Response

A response option in intrusion detection in which the system simply reports and records the problem detected, relying on the user to take subsequent action

Intrusion Prevention System (IPS)

A technology that monitors activity like an IDS but will automatically take proactive preventive action if it detects unacceptable activity. Sometimes called an IDPS; placed in line with the traffic

Intrusion Prevention System (IPS)

A technology that monitors activity like an IDS but will automatically take proactive preventive action if it detects unacceptable activity. Sometimes combined with an IDS

Teardrop Attack

A type of DoS attack that sends mangled IP fragments with overlapping and oversized payloads to the target machine; the system is unable to reassemble the packets

NIDS (network-based intrusion detection system)

A type of intrusion detection that protects an entire network and is situated at the edge of the network or in a network's protective perimeter, known as the DMZ (demilitarized zone), where it can detect many types of suspicious traffic patterns. Uses a central console on a single-purpose computer; has little negative impact on network performance; however, it can't always provide information on the success of an attack

HIDS (host-based intrusion detection system)

A type of intrusion detection that runs on a single computer, such as a client or server, to alert about attacks against that one host. Pro: can detect anomalies on the host system that a NIDS cannot. Con: cost and usability; requires admin attention on each system and consumes system resources

zero-day exploit

A vulnerability that is exploited before the software creator or vendor is even aware of its existence. Defense: don't run unnecessary services and protocols, to reduce the attack surface; enable network- and host-based firewalls; use IDS and IPS systems

Response

Activate the CIRT (computer incident response team); the quicker the response, the quicker they can limit the damage

Anomaly-based detection

Also known as behavior-based detection; an IDPS detection method that compares current data and traffic patterns to an established baseline of normalcy. Benefit: can recognize attacks that have no signatures and are not detectable with the signature method. Drawback: also raises a high number of false alarms

Signature-based detection

Also known as knowledge-based detection or misuse detection; the examination of system or network data in search of patterns that match known attack signatures. Uses a database of known attacks developed by the IDS vendor

Smurf Attack

An attack that broadcasts a ping request to computers but changes the source address so that all responses are sent to the victim; floods the victim with ICMP echo packets. Defense: configure routers so the network is not an amplifying network; disable ICMP on firewalls and routers

Distributed Denial of Service (DDoS)

An attack that uses many computers to perform a DoS attack.

Ethical Hacker

An expert at breaking into systems who attacks systems on behalf of the system's owner and with the owner's consent; doesn't use this knowledge for personal gain

Computer Security Incident

An incident that is the result of an attack, or the result of malicious or intentional actions on the part of users

Incident

Any event that has a negative effect on the CIA (confidentiality, integrity, availability) of an organization's assets

Mitigation

Attempt to contain an incident; limit the effect or scope of an incident

Data Loss Prevention (DLP)

Attempts to detect and block data exfiltration attempts; DLP systems have the capability of scanning unencrypted data and looking for keywords and patterns

Pentest Risks

Can cause outages

Next generation firewall (unified threat management)

Combines several filtering capabilities, including packet filtering and stateful inspection; can filter malware using whitelists and blacklists, and includes some IDS/IPS capabilities

Sabotage

Criminal act of destruction or disruption committed against an organization by an employee. Defense: disable account access as soon as possible after termination; auditing; properly compensate employees

Land Attack

DoS attack that uses a spoofed SYN packet with the victim's IP address as both source and destination; tricks the system into replying to itself

Watermarking

Embedding an image or pattern in paper that isn't readily available; used to thwart counterfeiting attempts

Access Review Audits

Ensure that object access and account management practices support the security policies; verify that users don't have excessive privileges and that accounts are managed properly

Lessons Learned

Examine the incident and the response; personnel look for any areas where they can improve their response

Pseudo flaws

False vulnerabilities or apparent loopholes intentionally implanted in a system in an attempt to tempt attackers

botnets or zombie networks

Hordes of surreptitiously infiltrated computers, linked and controlled remotely. This technique is used to perpetrate click fraud as well as a variety of other computer security crimes. Defense: defense-in-depth strategy; educating users against these infections

Whitelisting

Identifies a list of applications that are authorized to run on a system; example: Apple and App Store apps

Blacklisting

Identifies a list of apps that are not authorized to run on a system

Enticement

Legal; the honeypot owner makes no outward effort to solicit intruders

Termination policy

One witness present; the account is disabled during the interview; badge and credentials are collected immediately after the interview; the employee is escorted off the premises

Common Security Audit Review

Patch management; vulnerability management; configuration management; change management

Remediation

Personnel look at the incident and attempt to identify what allowed it to occur, then implement methods to prevent it from happening again; includes performing a root cause analysis

Ping Flood Attack

The ping utility is used to send a large number of echo request messages and overwhelm a server; effective when launched by zombies. Defense: block ICMP traffic

Sampling or Data Extraction

Process of extracting specific elements from a large collection of data to construct a meaningful representation or summary of the whole

Logging

Process of recording information about events to a log file or database

Monitoring

Process of reviewing log information looking for something specific; necessary to detect malicious actions by subjects as well as attempted intrusions and system failures

drive-by download

Program that automatically downloads when a user visits a web page, usually without their knowledge or consent

Firewalls

Provide protection to a network by filtering traffic. First generation: filters based on IP addresses, ports, and protocol numbers. Second generation: adds filtering capabilities based on application requirements and communication circuit. Third generation: stateful inspection firewalls and dynamic packet filtering firewalls filter traffic based on its state in a stream of traffic

Audit Report Format

Purpose of the audit; scope of the audit; results discovered or revealed by the audit (problems, events, conditions; standards, criteria, baselines; causes, reasons, impact); recommended solutions and safeguards

Audit trails

Record of all changes and actions performed within a system, kept for security purposes; stored in one or more databases or log files

Original hacker definition

A technology enthusiast who doesn't have malicious intent

Black Box Testing

Testing, either functional or non-functional, without reference to the internal structure of the component or system.

SYN flood attack

The SYN flood attack sends TCP connection requests faster than a machine can process them. The attacker creates a random source address for each packet; the SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address; the victim responds to the spoofed IP address, then waits for a confirmation that never arrives (the timeout wait is about 3 minutes); the victim's connection table fills up waiting for replies and it ignores new connections. Defense: SYN cookies; firewall mechanisms; reduce the amount of time the server will wait for an ACK

Honeypot

A vulnerable computer that is set up to entice an intruder to break into it

Intrusion Detection System (IDS)

A computer program that senses when another computer is attempting to scan or access a computer or network

denial of service attack

A cyber attack in which an attacker sends a flood of data packets to the target computer with the aim of overloading its resources; more generally, any attack that renders its victims unable to perform normal activities

Cracker

A hacker with criminal intent; used synonymously with attacker

clipping level

A predefined assessment level that triggers a predetermined response when surpassed. Typically, the response is to notify an administrator. Example: an alarm raised after 5 failed logon attempts in 30 minutes. Not a good representation of the whole body of data, but good for specific events

Endpoint-based DLP

Can scan files stored on a system as well as files sent to external devices; can prevent users from copying data to USB drives or sending sensitive information to printers

Active Response

Collecting additional information about the intrusion, modifying the network environment, or taking action against the intrusion

Log analysis

A detailed and systematic form of monitoring in which the logged information is analyzed for trends and for abnormal, unauthorized, illegal, and policy-violating activities

malicious code (malware)

Includes a variety of threats such as viruses, worms, Trojan horses, and bots

Network-based DLP

Scans all outgoing data looking for specific data; if sensitive data is sent, the DLP will detect it, prevent it from leaving, and send an alert

Steganography

The art and science of hiding information by embedding messages within other, seemingly harmless messages; can be realized with a hashing function

Traffic Analysis

The attacker passively monitors transmissions over wireless networks to identify communication patterns and participants. Also called network flow monitoring; reveals questionable traffic patterns
