Information Security Incident Management
One EDU’s Approach
Johnny Nipper, EnCE
Kevin Lanning, MSIS GSEC CISSP
Benjamin Bressman, GSEC GCIH GCFA
Information Security Level Set

• Core Principles of Information Security

  – Confidentiality – Keeping information private

  – Integrity – Keeping information accurate

  – Availability – Keeping information available (even
    in disasters) to authorized parties
Why Incident Response?
• Legal and Compliance obligations require
  notification when sensitive information is acquired
  by unauthorized parties

• University Policy requires a process for responding to
  incidents

• Computing environments at large are under constant
  attack. (We are no exception)

• Attack stats (see speaker notes at the end)
What is an incident?
• Acceptance Criteria
  – How do we determine the difference between an
    incident and an event?
     • Could sensitive information/critical system be at risk?
     • Was event malicious?
  – Maintaining a publicly accessible definition of
    sensitive data helps bring clarity during events
  – Trust support personnel and the campus
    community, but maintain the ability to verify
    when validation is needed
Incident Management Methodologies
• One approach (see SANS course 504)
  – Planning (Preparation)
     • Your departmental contacts
     • Communication strategies
     • Failover systems and strategies, data
       archives/backups
  – Identification – Is it an incident?
  – Containment – Is the intrusion contained (no further spread
    or data loss)?
  – Eradication – Has the cause been removed (malware, backdoors,
    compromised accounts)?
  – Recovery – Are your business functions back to normal, with
    monitoring for the intruder's return?
  – Lessons Learned – Recommendations
Incident Management

• Incident Environment?
  – Higher education institutions compared with
    business or military

  – Governance/Culture

  – Mission

  – Technology types/Infrastructure
How are incidents discovered?


•   Intrusion Detection/Prevention Systems
•   Centrally Managed Anti-Virus
•   Complaints by attacked parties
•   Support Personnel - Often our first responders
    – Help contain the incident and preserve data
    – Help balance forensics with business continuity
Response, Evidence Acquisition
• Preserve Evidence
  – Disconnect from the network? (Stops further exfiltration, but
    loses live connections and may tip off the intruder.)
  – How do we power down? (Pulling the plug keeps the disk as it is;
    a clean shutdown loses memory and may run cleanup scripts.)
  – Preserve “last accessed” times (no AV scans or file browsing
    before the image is taken)
  – Logging in to “have a look” can overwrite valuable information
• What evidence?
  – A forensic image, an exact copy of the disk(s)
  – Preserving timestamps is key
  – Network data, off-site logs, etc.
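A worked version of the acquisition steps on this slide, added here as an example (it is not the presenters' code and not part of the original deck): copy the source byte for byte, hash the same bytes as they are read, re-verify the image, and produce the record that goes on the chain-of-custody form. It assumes the source is read-only (in the field, a drive behind a hardware write blocker); a constructed file stands in for the drive, and the case and examiner names are placeholders.

```python
"""Forensic image acquisition with streaming hashes and an acquisition record.

Added example, not code from the original slides. Assumptions: the source is
opened read-only and, when real, sits behind a write blocker (e.g. /dev/sdb);
here a constructed temporary file stands in for the evidence drive.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream 1 MiB at a time; never load the whole drive into memory


def _hashes():
    # MD5 is kept only because older reports and E01 containers record it;
    # SHA-256 is the value to rely on.
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def hash_file(path: str) -> dict:
    """Hash an existing file (used to re-verify an image later)."""
    h = _hashes()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            size += len(chunk)
            for d in h.values():
                d.update(chunk)
    return {"bytes": size, **{k: d.hexdigest() for k, d in h.items()}}


def image_and_hash(source: str, image: str) -> dict:
    """Copy source to image byte for byte, hashing the same bytes as they pass
    through, so the recorded hash is of exactly what was read."""
    h = _hashes()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            size += len(chunk)
            for d in h.values():
                d.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before it is re-read
    return {"bytes": size, **{k: d.hexdigest() for k, d in h.items()}}


def verify_image(image: str, acquired: dict) -> bool:
    """Re-read the image and compare with the acquisition hashes. Any mismatch
    means the copy is not an exact image and must not be used as evidence."""
    return hash_file(image) == {k: acquired[k] for k in ("bytes", "md5", "sha256")}


def acquisition_record(case_id: str, examiner: str, source_desc: str, acquired: dict) -> dict:
    """Fields that go on the custody form next to the drive and the image."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": source_desc,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        **acquired,
    }


def demo() -> dict:
    """Run the flow on a constructed 'drive' and show that one altered byte in
    the image is caught by verification."""
    with tempfile.TemporaryDirectory() as work:
        drive = os.path.join(work, "sdb")  # stands in for the evidence device
        image = os.path.join(work, "case.dd")
        with open(drive, "wb") as f:  # constructed content: 1 KiB header, 3 MiB body, tail
            f.write(b"MBR\x00" * 256 + os.urandom(3 * CHUNK) + b"TAIL")
        acquired = image_and_hash(drive, image)
        record = acquisition_record("IR-0001", "examiner (placeholder)", "sdb (constructed)", acquired)
        ok_before = verify_image(image, acquired)
        with open(image, "r+b") as f:  # simulate a damaged or altered image
            f.write(b"\x00")  # first byte was "M"
        ok_after = verify_image(image, acquired)
    record["verified_before_tamper"] = ok_before
    record["verified_after_tamper"] = ok_after
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the copy is made with a purpose-built imager (dd, dc3dd, ewfacquire, EnCase or FTK Imager) that logs the same hashes; the point the script makes is that the hash must be taken from the bytes as they leave the source, and that the image is re-hashed before it is trusted.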
Business Impact

• Must be mindful of business impact
  – How will incident response/forensics impact…
     • University mission
        – Teaching
        – Research
        – Public Service
     • The Department/Group
        – When will systems be back up and running?
        – Will intruders have a way back into the systems?
     • The User
Investigation and Analysis
Ask the question:
“Was there unauthorized acquisition of sensitive information?”
Investigation and Analysis

• Provide context for decision makers
  – From the perspective of sensitive information:
     • Where did sensitive information exist, if at all?
  – From the technical perspective:
     • Create timelines that detail (for example)…
         – File creation and access
         – When was malware introduced?
     • Capabilities of the malware?
     • When was sensitive information last accessed?
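The first bullet above, “where did sensitive information exist, if at all?”, is answered by scanning the image for identifiers the institution's sensitive-data definition lists. The following is an added example of such a scan (not the presenters' code and not Identity Finder): it looks for US Social Security numbers and payment card numbers, validates each regex hit (SSN structure rules, Luhn check digit) so the report is not swamped by phone numbers and reference codes, and reports findings masked. It assumes the scan runs against the forensic image mounted read-only, never the live host, because reading files there changes last-access times; the two files it scans are constructed test data.

```python
"""Sensitive-identifier scan over a mounted image (Identity Finder-style).

Added example, not code from the original slides. Assumptions: the tree
passed to scan_tree() is a read-only mount of the image; sample files in
demo() are constructed and use well-known test values.
"""
import os
import re
import tempfile

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def scan_text(text: str, source: str) -> list:
    """Return validated, masked findings for one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append({"source": source, "line": lineno, "kind": "ssn",
                                 "masked": "***-**-" + m.group(3)})
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append({"source": source, "line": lineno, "kind": "card",
                                 "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return findings


def scan_tree(root: str) -> list:
    """Walk the mounted image and scan every file as text. Binary files are
    decoded with errors ignored; production tools also open Office and PDF
    containers, which this example does not."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                findings.extend(scan_text(f.read(), os.path.relpath(path, root)))
    return findings


# Constructed sample files; the SSNs and the card number are published test values.
SAMPLE_FILES = {
    "Documents/grades.csv": (
        "student,ssn,grade\n"
        "A. Student,078-05-1120,B+\n"
        "B. Student,123-45-6789,A\n"
        "C. Student,000-12-3456,A-\n"  # area 000 is never issued: not reported
    ),
    "Documents/notes.txt": (
        "Refund to card 4111 1111 1111 1111 (test number)\n"
        "Reference 1234 5678 9012 3456 is not a card\n"  # fails Luhn: not reported
        "Call the registrar at 919-555-0100\n"
    ),
}


def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Validation removes most noise but not all of it: a 16-digit order number can pass Luhn by chance, so hits still need a human look before the count goes into a notification decision. Masking in the report matters because the report itself becomes sensitive data the moment it lists full values.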
Forensic Processes and Tools

• Integrity and confidentiality of evidence
   – Chain of custody forms
   – Cryptographic Hash of hard drives, images
   – Storage of hard drives and hard drive images
• Tools
   –   Guidance Software EnCase, AccessData FTK
   –   Open source tools like log2timeline
   –   Anti-malware software (Symantec Endpoint Protection, SEP)
   –   Registry/Log/Browser/OS Artifact data viewers
   –   Identity Finder – Finds sensitive information
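The timeline work described on the Investigation and Analysis slide, which log2timeline (listed above) automates, comes down to one sorted list of every timestamped artifact. The following is an added example (not the presenters' code and not log2timeline) that builds such a super-timeline from constructed file-system MACB records and constructed Windows Security and SEP log lines, then answers the two questions the slide poses: when was the malware introduced, and was sensitive information accessed after that? It assumes times are already in UTC and that the host is NTFS, where last-access times are only meaningful if the update feature was enabled (modern Windows may disable it by default) and nothing such as an AV scan touched the files after the attack.

```python
"""Super-timeline from disk and log artifacts (log2timeline-style).

Added example, not code from the original slides. All records and log
lines below are constructed; paths, the indicator and the sensitive-file
list are placeholders for what a real case would supply.
"""
from collections import namedtuple
from datetime import datetime, timezone

Event = namedtuple("Event", "ts source kind detail")

# Constructed MACB-style records as read from the image (M=modified, A=accessed, B=born)
FS_RECORDS = [
    {"path": "C:/Users/prof/Documents/syllabus.docx",
     "B": "2011-01-10T09:00:00Z", "M": "2011-01-10T09:00:00Z", "A": "2011-04-01T10:10:10Z"},
    {"path": "C:/Users/prof/Documents/roster_2011.xlsx",
     "B": "2011-03-02T14:05:10Z", "M": "2011-03-02T14:05:10Z", "A": "2011-04-12T03:17:42Z"},
    {"path": "C:/Windows/Temp/svchost32.exe",
     "B": "2011-04-12T02:58:09Z", "M": "2011-04-12T02:58:09Z", "A": "2011-04-12T03:20:01Z"},
]
# Constructed log lines in the form "<timestamp> <message>"
LOG_LINES = {
    "Security.evtx": [
        "2011-04-12T02:57:30Z EventID=4624 LogonType=10 Account=prof Source=203.0.113.7",
        "2011-04-12T03:21:00Z EventID=4688 NewProcess=C:\\Windows\\Temp\\svchost32.exe",
    ],
    "SEP.log": [
        "2011-04-13T08:00:00Z Trojan.Gen in C:\\Windows\\Temp\\svchost32.exe action=quarantined",
    ],
}
SENSITIVE = ["C:/Users/prof/Documents/roster_2011.xlsx"]  # from the sensitive-data inventory
INDICATOR = "C:/Windows/Temp/svchost32.exe"               # malware path from the AV alert


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def norm(path: str) -> str:
    """Compare paths regardless of slash style or case (NTFS is case-insensitive)."""
    return path.replace("\\", "/").lower()


def build_timeline(fs_records, log_lines) -> list:
    """One Event per timestamp per artifact, sorted oldest first."""
    events = []
    for rec in fs_records:
        for kind in ("B", "M", "A"):
            events.append(Event(parse_ts(rec[kind]), "filesystem", kind, rec["path"]))
    for source, lines in log_lines.items():
        for line in lines:
            ts, _, msg = line.partition(" ")
            events.append(Event(parse_ts(ts), source, "log", msg))
    return sorted(events, key=lambda e: (e.ts, e.source, e.kind))


def first_sighting(timeline, indicator):
    """Earliest event that mentions the indicator: the best estimate of when
    the malware was introduced (the AV alert a day later is not)."""
    target = norm(indicator)
    for e in timeline:
        if target in norm(e.detail):
            return e
    return None


def sensitive_accessed_after(timeline, t0, sensitive_paths) -> list:
    """Sensitive files whose last-access event falls after t0."""
    wanted = {norm(p) for p in sensitive_paths}
    return [e.detail for e in timeline
            if e.kind == "A" and e.ts > t0 and norm(e.detail) in wanted]


def demo() -> dict:
    tl = build_timeline(FS_RECORDS, LOG_LINES)
    intro = first_sighting(tl, INDICATOR)
    return {
        "event_count": len(tl),
        "malware_first_seen": intro.ts.isoformat(),
        "preceding_event": [e.detail for e in tl if e.ts < intro.ts][-1],
        "sensitive_accessed_after": sensitive_accessed_after(tl, intro.ts, SENSITIVE),
    }


if __name__ == "__main__":
    for e in build_timeline(FS_RECORDS, LOG_LINES):
        print(e.ts.isoformat(), e.source, e.kind, e.detail)
    print(demo())
```

On this data the timeline places a remote-desktop logon from 203.0.113.7 thirty-nine seconds before the dropper's creation time, and shows the roster spreadsheet being read twenty minutes later, which is the context a decision maker needs for the notification question on the next slide. It also shows why the “no AV scans before imaging” rule matters: had SEP scanned the Documents folder on 13 April, every access time there would read 13 April and the answer would be lost.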
Reporting Results

• Cases can be presented to…
   –   Information Security management
   –   Office of University Counsel
   –   Office of Research Compliance
   –   Internal Audit
   –   Law Enforcement
• Decision makers help determine next steps
   – Is a notification appropriate?
   – How can we prevent recurrence?
Lessons Learned/Recommendations


• Behavior Modification
   – User learns best practices to prevent future incidents
   – Sys Admin configures systems to resist similar attacks
• Software Modifications
   – Harden software if flaws are found during investigation
   – Introduce vulnerability management to be proactive
• Process Modifications
   – Business processes may be modified to reduce risk
References
• How to Reach Us?
   – security@unc.edu
• Documents:
   – NIST 800-61 – “Computer Security Incident Handling Guide” (csrc.nist.gov)
• Courses:
   – SANS 504 – “Hacker Techniques, Exploits and Incident Handling” (sans.org)
• Tools:
   –   Guidance Software / EnCase – www.guidancesoftware.com
   –   Access Data / FTK – www.accessdata.com
   –   log2timeline – www.log2timeline.net
   –   Identity Finder – www.identityfinder.com
• Online Resources:
   – Forensics Wiki – www.forensicswiki.org
   – Forensic Focus – www.forensicfocus.com
   – Windows Incident Response – windowsir.blogspot.com


Speaker notes

  1. Millions of probes, tens of thousands of attacks per day; firewalls drop ~3 million attacks per day