1. Information Security Incident Management
One EDU’s Approach
Johnny Nipper, EnCE
Kevin Lanning, MSIS GSEC CISSP
Benjamin Bressman, GSEC GCIH GCFA
2. Information Security
Level Set
• Core Principles of Information Security
– Confidentiality – Keeping information private
– Integrity – Keeping information accurate
– Availability – Keeping information available (even in disasters) to authorized parties
3. Why Incident Response?
• Legal and compliance obligations require notification when sensitive information is acquired by unauthorized parties
• University policy requires a process for responding to incidents
• Computing environments at large are under constant attack (we are no exception)
• Attack Stats
4. What is an incident?
• Acceptance Criteria
– How do we determine the difference between an incident and an event?
• Could sensitive information/critical system be at risk?
• Was event malicious?
– Maintaining a publicly accessible definition of sensitive data helps bring clarity during events
– Trust support personnel and the campus community, but maintain the ability to verify when validation is needed
5. Incident Management Methodologies
• One approach – see SANS.org, Course 504
– Planning
• Your departmental contacts
• Communication strategies
• Failover systems and strategies, data archives/backups
– Identification – Is it an incident?
– Containment – Are intrusions contained?
– Eradication – Is the intrusion over?
– Recovery – Are your business functions back to normal?
– Lessons Learned – Recommendations
6. Incident Management
• Incident Environment?
– Higher education institutions compared with business or military
– Governance/Culture
– Mission
– Technology types/Infrastructure
7. How are incidents discovered?
• Intrusion Detection/Prevention Systems
• Centrally Managed Anti-Virus
• Complaints by attacked parties
• Support Personnel – Often our first responders
– Help contain the incident and preserve data
– Help balance forensics with business continuity
8. Response, Evidence Acquisition
• Preserve Evidence
– Disconnect from the network?
– How do we power down?
– Preserve “last accessed” times (No AV scans)
– Log access can overwrite valuable information
• What evidence?
– A forensic image, an exact copy of the disk(s)
– Preserving timestamps is key
– Network data, off-site logs, etc.
9. Business Impact
• Must be mindful of business impact
– How will incident response/forensics impact…
• University mission
– Teaching
– Research
– Public Service
• The Department/Group
– When will systems be back up and running?
– Will intruders have a way back into the systems?
• The User
11. Investigation and Analysis
• Provide context for decision makers
– From the perspective of sensitive information:
• Where did sensitive information exist, if at all?
– From the technical perspective:
• Create timelines that detail (for example)…
– File creation and access
– When was malware introduced?
• Capabilities of the malware?
• When was sensitive information last accessed?
12. Forensic Processes and Tools
• Integrity and confidentiality of evidence
– Chain of custody forms
– Cryptographic Hash of hard drives, images
– Storage of hard drives and hard drive images
• Tools
– Guidance Software EnCase, AccessData FTK
– Open source tools like log2timeline
– Anti-malware software (SEP)
– Registry/Log/Browser/OS Artifact data viewers
– Identity Finder – Finds sensitive information
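The evidence-integrity points from slides 8 and 12 (image the disk, hash it, record chain of custody, and detect any later write such as an AV scan touching the image) as an added example; this is not code from the presentation, and the examiner names, the sample image and the record format are constructed assumptions.

```python
"""Hash a forensic image in chunks, record chain-of-custody entries, and re-verify
the hash at every hand-off so any post-acquisition modification is detected."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: multi-GB images never need to fit in memory


def hash_image(path: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of the whole file at `path`, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def custody_entry(path: str, custodian: str, action: str) -> dict:
    """One chain-of-custody record: who handled the evidence, when, and its hash."""
    return {
        "evidence": os.path.basename(path),
        "custodian": custodian,
        "action": action,
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": hash_image(path),
    }


def verify_chain(path: str, chain: list) -> bool:
    """True only if every recorded hash agrees and the file on disk still matches."""
    expected = chain[0]["sha256"]
    return all(e["sha256"] == expected for e in chain) and hash_image(path) == expected


def demo() -> tuple:
    """Constructed sample image (not real evidence). Returns (intact, tamper_detected, chain)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sample.dd")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample sectors" + b"\xff" * 4096)
        chain = [custody_entry(img, "examiner1 (assumed)", "acquired"),
                 custody_entry(img, "examiner2 (assumed)", "received")]
        intact = verify_chain(img, chain)
        # Simulate a write to the image after acquisition (e.g. a tool touching it).
        with open(img, "r+b") as f:
            f.seek(4096)
            f.write(b"X")
        tamper_detected = not verify_chain(img, chain)
        return intact, tamper_detected, chain
```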
13. Reporting Results
• Cases can be presented to…
– Information Security management
– Office of University Counsel
– Office of Research Compliance
– Internal Audit
– Law Enforcement
• Decision makers help determine next steps
– Is a notification appropriate?
– How can we prevent recurrence?
14. Lessons Learned/Recommendations
• Behavior Modification
– User learns best practices to prevent future incidents
– Sys Admin configures systems to resist similar attacks
• Software Modifications
– Harden software if flaws are found during investigation
– Introduce vulnerability management to be proactive
• Process Modifications
– Business processes may be modified to reduce risk
15. References
• How to Reach Us?
– security@unc.edu
• Documents:
– NIST 800-61 – “Computer Security Incident Handling Guide” (csrc.nist.gov)
• Courses:
– SANS 504 – “Hacker Techniques, Exploits and Incident Handling” (sans.org)
• Tools:
– Guidance Software / EnCase – www.guidancesoftware.com
– Access Data / FTK – www.accessdata.com
– log2timeline – www.log2timeline.net
– Identity Finder – www.identityfinder.com
• Online Resources:
– Forensics Wiki – www.forensicswiki.org
– Forensic Focus – www.forensicfocus.com
– Windows Incident Response – windowsir.blogspot.com
Editor's Notes
Millions of probes, tens of thousands of attacks per day; firewalls drop ~3 million attacks per day