IS 3423 Secure Network Design - PowerPoint PPT Presentation

About This Presentation
Title:

IS 3423 Secure Network Design

Description:

Employee inadvertently exploiting a software vulnerability. A disgruntled employee ... Should investigate the possibility of an incident occurring BEFORE it occurs. ... – PowerPoint PPT presentation

Slides: 30
Provided by: alanandj

Transcript and Presenter's Notes

Title: IS 3423 Secure Network Design


1
IS 3423 Secure Network Design
  • Chapter Eight
  • Incident Handling

2
Incident
  • Any breach that results from
    • An external intruder attack
    • Unintentional damage
    • An employee testing new programs
    • An employee inadvertently exploiting a software
      vulnerability
    • A disgruntled employee

3
Security Breach
  • An incident
  • Should investigate the possibility of an incident
    occurring BEFORE it occurs
  • Consider how to handle it BEFORE it occurs
  • Avoid panic, disorganization, and additional loss

4
Security Breach Procedures
  • Recognize that a breach has occurred
  • Evaluate the breach
  • Restore and recover from losses

5
Acceptable Use Policy Violations
  • Handled similarly to a security breach
  • The corporation may be held liable for its
    employees' actions

6
Computer Security Response
  • Need to be able to quickly detect and respond to
    incidents in a way that is both cost-efficient
    and cost-effective

7
Reasons for Increases in Computer Network Security Incidents
  • Increased reliance on computers
  • Use of large interlinked networks

8
Incident Response Team Responsibilities
  • Be aware of latest threats and incidents
  • Main point of contact for incident reporting
  • Notify others of the incident
  • Assess the damage and impact of the incident
  • Find out how to avoid further exploitation of the
    same vulnerability
  • Recover from the incident

9
Who is on the team?
  • Need well-rounded representation from the
    corporation
  • Technical knowledge is important
  • Need good interpersonal and communication skills
  • Should be analytical and even-tempered
  • Should understand the business
  • Make sure someone is responsible for representing
    each area of the organization
    • Aids in communication

10
Determining if Suspicious Behavior is an Incident
  • Look for
    • Accounting discrepancies
    • Data modification and deletion
    • Poor system performance
    • Atypical traffic patterns
    • Atypical time of system use
    • Large numbers of failed logins
  • Must know what is normal before one can detect
    an anomaly

11
Keeping Track of Important Information
  • Must be able to collect as much evidence as
    possible
  • Requires complete auditing and logging
  • Better to store logs on write-once storage
    systems
  • May need to isolate the device in question, or
    may want to observe the attack in progress, as long
    as it is not deemed catastrophic

12
Intrusion Detection Systems (IDS)
  • Designed to detect known attack signatures and
    network anomalies
  • Use at critical network access points to signal
    appropriate alarms that a breach may have
    occurred.

13
Types of IDS
  • Statistical analysis: maintains historical
    statistical profiles for each user or system that
    is monitored (pattern matching); may be able to
    detect intruders who attack previously unknown
    vulnerabilities
  • Rule-based analysis: uses rules that
    characterize known security attack scenarios
  • A combination of the two is most likely
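
Slides 10 and 13 together describe the two approaches: a rule that encodes a known scenario (many failed logins) and a statistical profile of what is normal (the hours a user usually logs in). The following added example, not from the slides, runs both over constructed sample log lines; the log format, the user names and the baseline hours are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the slides): a normal morning plus an
# early-morning session from one address with a burst of failed logins.
SAMPLE_LOG = """\
2024-03-04T09:02:11 sshd: Accepted password for alice from 10.0.0.5
2024-03-04T09:15:42 sshd: Accepted password for bob from 10.0.0.7
2024-03-04T10:30:05 sshd: Accepted password for alice from 10.0.0.5
2024-03-04T03:12:09 sshd: Accepted password for alice from 198.51.100.9
2024-03-04T03:13:01 sshd: Failed password for bob from 198.51.100.9
2024-03-04T03:13:02 sshd: Failed password for bob from 198.51.100.9
2024-03-04T03:13:03 sshd: Failed password for bob from 198.51.100.9
2024-03-04T03:13:04 sshd: Failed password for bob from 198.51.100.9
2024-03-04T03:13:05 sshd: Failed password for bob from 198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)$")
# Assumed baseline of hours at which each user normally logs in (slide 10:
# you must know what is normal before you can detect an anomaly).
BASELINE_HOURS = {"alice": {8, 9, 10, 11, 13, 14, 15, 16}, "bob": {9, 10, 11, 14, 15}}

def parse(log_text):
    """Turn log lines into (timestamp, outcome, user, source) tuples; skip unknown lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events

def rule_based_alerts(events, threshold=5, window_seconds=60):
    """Rule-based analysis: a known scenario, N failed logins from one source in a window."""
    recent = defaultdict(list)
    alerts = []
    for ts, outcome, user, src in events:
        if outcome != "Failed":
            continue
        bucket = recent[src]
        bucket.append(ts)
        bucket[:] = [t for t in bucket if (ts - t).total_seconds() <= window_seconds]
        if len(bucket) >= threshold:
            alerts.append(("failed-login-burst", src, len(bucket)))
            bucket.clear()
    return alerts

def statistical_alerts(events, baseline=BASELINE_HOURS):
    """Statistical analysis: a successful login at an hour outside the user's profile."""
    return [("atypical-hour", user, ts.hour) for ts, outcome, user, _ in events
            if outcome == "Accepted" and ts.hour not in baseline.get(user, set())]
```

Note that only the statistical check catches the 03:12 success for alice, which no failed-login rule would flag; a real deployment combines both, as slide 13 says.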

14
Hub vs. Switch NIDS Functionality (Fig. 8-1)

15
Hub is better?
  • As shown in Fig. 8-1, if a switch is used, the NIDS
    port only receives data that is intentionally sent to it

16
Improving the NIDS Switched Environment
  • Embedding the IDS within the switch: does not
    provide the full range of detection
  • Monitor/SPAN/mirror port: configure the switch to
    act like a hub, echoing every packet to the
    dedicated SPAN port; can heavily increase
    traffic
  • Cable taps: use an inline tap to monitor traffic
    (Figure 8-2), with a 2nd switch dedicated to IDS sensors

17
Figure 8-2 Using a NIDS with Cable Taps

18
NIDS Limitations
  • Traffic loads: the sensor starts dropping packets
    during high loads, or can shut down completely
  • State information requires a lot of memory
  • The IDS itself can also be attacked
  • An IDS can be bypassed

19
What makes a Good IDS?
  • Must be reliable enough to run continuously with
    minimal human intervention
  • Must be fault tolerant
  • Minimal overhead
  • Must have timely alerting mechanisms
  • Must be easily tailored to fit into various
    corporate environments
  • Must be difficult to bypass

20
Handling an Incident
  • Goal: restore control to affected systems and
    limit the impact and damage
  • Shutting down the system may be the only
    practical solution

21
Prioritizing Actions
  • Protect human life and people's safety
  • Protect sensitive or classified data
  • Protect that which is costly
  • Prevent damage to systems
  • Minimize disruption to computing resources

22
Assessing Incident Damage
  • Systematically check the network infrastructure
    to see how many systems could have been affected
  • Check log statistics
  • Assure OS software has not been compromised
  • Verify configuration changes on devices and
    servers
  • Check sensitive data for access or change
  • Check for new or unknown devices
  • Verify passwords have not been modified
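
Several of the checks above (OS software not compromised, configuration changes on devices and servers, new or unknown files) reduce to comparing the current state against a trusted baseline taken before the incident, ideally kept on the kind of write-once storage slide 11 recommends for logs. The added example below is not from the slides; it hashes a directory tree, then, in a constructed scenario with made-up file names, reports what was modified, removed, or added since the baseline.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries (OS software) need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            out[os.path.relpath(p, root).replace(os.sep, "/")] = sha256_file(p)
    return out

def compare(baseline, current):
    """Classify files as unchanged, modified, missing, or unexpected (new since baseline)."""
    report = {"unchanged": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in sorted(baseline.items()):
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    report["unexpected"] = sorted(set(current) - set(baseline))
    return report

def demo():
    """Constructed scenario: take a baseline, then alter, delete, and add files before re-checking."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for name in ("sshd_config", "passwd", "hosts"):
            with open(os.path.join(root, "etc", name), "w") as f:
                f.write("original " + name + "\n")
        baseline = snapshot(root)  # in practice: stored on write-once media before any incident
        with open(os.path.join(root, "etc", "sshd_config"), "a") as f:
            f.write("altered after baseline\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("file not present at baseline\n")
        return compare(baseline, snapshot(root))
```

The baseline must be taken from a known-good state and stored where the compromised host cannot alter it; a baseline recomputed after the incident would only confirm the damaged state.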

23
Reporting and Alerting Procedures
  • Need to respond quickly
  • Need a 24-hour hotline
  • All sites with involved parties must be notified
    ASAP; have a list of points of contact (POC)
  • Keep the technical level of detail low (don't want a
    copycat attacker)
  • Work with law enforcement
  • Have PR handle the press; they know how
  • Do not halt or break lines of communication
  • Halt speculation

24
Incident Vulnerability Mitigation: should you
apply a patch?
  • Do a risk assessment to determine the level of
    vulnerability
  • Do you trust users to apply the patch?
  • How do you assure patches are applied, and applied properly?

25
Responding to the Incident
  • Restore control and limit damage
  • Keep accurate documentation: who did you
    contact, and when? Have a log of what transpired

26
Recovering from an Incident
  • Document what happened, how it happened, and
    what steps should be taken to prevent it from
    occurring again
  • May need to change security policies
  • Be prepared to respond quickly

27
For Case
  • Plan for the possibility of the example scenarios
    on pp. 370-372 occurring.
  • How will your company cope under these
    circumstances?

28
Chapter 8 Review Questions
  • Discuss three possible security breaches
  • Discuss what you should do if a suspected
    security breach occurs. How do you determine if
    the breach is real?
  • If the breach is real, how are actions to be
    prioritized?
  • What are the responsibilities of an Incident
    Response team? Who should be on the team?

29
Chapter 8 Review Questions (cont.)
  • Discuss the two primary types of IDS
  • Why is a switched NIDS generally less effective
    than a hub NIDS?
  • Discuss the characteristics of a good IDS
  • Discuss the limitations of an NIDS
  • Discuss the procedure for assessing incident
    damage