Book One-Chapter Five

Question 1

How is an incident identified?

Answer 1

Intrusion detection tools (IDS) can warn the network administrator or staff about most security breaches must faster than manually identifying intrusions.
An administrator needs to watch for the following signs of security incidents:

• Suspicious log entries
• System alarms from the IDS
• Presence of unexplained user accounts on the network
• Presence of suspicious files or unknown file extensions on the system
• Modified files or folders
• Unusual services running or ports opened
• Unusual system behavior
• Changed drive icons
• Drives not accessible
• More packets received than expected

Question 2

What are the procedures for handling an incident?

Answer 2

1. Verify incident
2. Contact department/agency security staff:
   - IT manager
   - Designee or others by department procedure
3. Security designee contacts CSIRT- (Computer Security Incident Response Team- responsible for receiving, reviewing, and responding to a computer security incident reports and activities…. in the US, it is US CERT, the US Computer Emergency Readiness Team under DHS)

• Call the appropirate CSIRT org for your company
• Be sure to inform the appropriate people in your organization, such as the CIO or CSIO

4. Isolate the systems, unless the CSIRT’s decision is to leave the system connected to monitor an active attack
5. Begin a log book (who, what, when, where)
6. Identify the type of incident (virus, worm, or hacker)
7. Create a preliminary estimation of the extent of the problem, including the number of systems
8. Contact the local police authority with jurisdiction at the location of the incident, coordinated with CSIRT
9. Follow the server/operating system-specific procedures to snapshot the system
10. Inoculate/restore the system
11. Close the vulnerability and ensure that all patches have been installed
12. Return to normal operations
13. Prepare report and conduct follow-up analysis
14. Revise prevention and screening procedures
15. Log all actions

Question 3

Describe 5 different types of incidents:

Answer 3

Repudiation- When a person or program, acting on behalf of another person, performs and invalid action

Reconnaissance Attack- Collecting or discovering information about any individual or organization that might be useful in attacking that individual or organization. DSL and cable modem connections are more expored than others to reconnaissance attacks because the connections are usually open, which allows more time for attackers to attack the system. Port scanning, or running a program that remotely finds which ports are open or closed on remote systems, is one of the ost common types of reconnaissance attacks.

Harassment- an individual using that Internet is a cyber crime in which the attacker sends a harassing message to a ictim using e-mail, IM, or any other form of online communication.

Extortion- Forces the victim to pay $ to the attacker by threatenin to reveal informtaion that could lead to a severe loss for the victim. This loss could be data/informtaion related, or it could be a simple financial threat.

Pornography Trafficking
Organized Crime Activity

Subversion- an incident in which a system does not behave in the expected manner. This leads the users to believe that this behavior is due to an attack on the integrity of the system, network, or application. In reality, it is something else entirely. In a surbersive incident, the perpetrator modifies the Web Links so that whenever onyone uses one of the links, they are redirected to an unrelated Web address.

• Evidence of data tampering
• Unauthorized access or attempts at unauthorized access from internal and external sources
• Threats and attacks by an electronic medium
• Defaced Web pages
• Detection of some unusual activity, such as possibly malicious code or modified traffic patterns
• Denial-of-service attacks
• Other malicious attacks, virus attacks, that damage the servers or workstations
• Other types of incidents that weaken the trust and confidence in information technology systems

Question 4

What is the difference between a mid-level incident and a high-level incident?

Answer 4

Mid-level incidents are more serious kinds (than low-level). They should be handled the same day the event occurs, and normally within 2-4 hours after the event has occured. Types of mid-level attacks:

• Unfriendly employee termination
• Violation of special or sprivileged access to a computer or any facility that would normally only be accessible to administrators
• Illegal access of the network
• Unauthorized storing or processing of data
• Destruction of property worth less than $100K
• Personal theft of an amount less than $100K
• Presence of computer virus or worm of higher intensity

High-level incidents are severe and should be handled as soon as possible. Incident response teams handle these and are reported to the CSO: Includes the following:

• Suspected computer break-in
• Denial-of-service attacks
• The presence of a harmful virus or worm, which can lead to serious corruption or data loss
• Changes in hardware, software, and firmware without authentication
• Destruction or theft of property worth more than $100K
• Child pornography
• Gambling
• Illegal downloads of copyrighted material: books, music, videos, software
• Other illegal downloads
• Any violations of the law

Question 5

Describe the reasons that some organizations don’t report computer-related incidents:

Answer 5

• Misunderstanding the scope of the problem: Many orgs assume that their incident is unique and that no other company faces such attacks
• Fear of negative publicity: If word gets out about the attack, outsiders will think less of the company, thereby affecting its value. However, proactive reporting and handling will allow the company to put its own spin on the incident first, minimizing damage.
• Potential loss of customers: Companies may fear they will lose customers after the incident is reported if the customers no longer feel secure doing business with them.
• Desire to handle things internally: Think that the problem is small enough to be handled without outside help.
• Lack of awareness of the attack: Sometimes the attack just goes undetected, so the losses just go unexplained.

Question 6

What is a change control?

Answer 6

A procedure that handles or controls all authorized changes to assets such as software and hardware. It also keeps track of access privileges and processes. It involves change requests, result recording, documenting, testing the results after the changes, and gaining approval for the requests.
Involves performing analysis of the problem, updating the results, and sending a request of the change to the concerned personnel or representative. This change is reviewed by the management, and if it is deemed necessary, authorization for the change is given.

Question 7

Social engineering

Answer 7

A technique used to make a person reveal confidential information such as passwords through manipulation.

Question 8

Describe the steps involved in creating a (CSIRT) Computer Security Incident Response Team:

Answer 8

1. Obtain Management’s Support and Buy-In: Management’s support can include the provision of resources, funding, and time. Management must support the planning and implementation procedure, commit to uphold CSIRT operations, and authority for the long term.
2. Determine the CSRIT Development Strategic Plan: Various issues, such as below need to be solved:
   a. Are there specif time frames to be met? Are they realistic, and if not, can they be changed?
   b. Is there a project group? Where do the group members come from? Ensure all stakeholders are represented. Some may not be on the team for the whole project but are brought in to provide subject matter expertise and input as needed.
   c. How is the organization informed about the development of the CSIRT? Informing the org of the plan for the CSIRT in the early stages of development can help staff members feel they are a part of the design process.
3. Gather Revevant Information: This group is futile if it is not able to understand the organization’s requirements for incident response. What services to offer and whether the CSIRT team is skilled enough to handle specific situations. This information can be gathered through general discussions or interviews with key stakeholders: business managers, IT representatives, legal dept representatives, HR reps, PR repsd, any exxisting security groups including physical security, audit and risk management specialists.

• Resources available for reviewing:
• Org charts for the enterprise and specific business functions
• Topologies for organizational or constituency systems and networks
• Critical system and asset inventories
• Existing disaster recovery or business continuity plans
• Existing guidelines for notifying the organization of a physical security breach
• Any existing incident response plans
• Any parental or institutional regulations
• Any existing security policies and procedures

4. Design the CSIRT Vision: man focus is to clearly communicate what is expected fromt he CSIRT. The vision for the CSIRT must give a clear description of how the CCSIRT functions match with the current organization structure and how CSIRT intermingles with its clients.
   - Who does the CSIRT support? Identify the constituency.
   - What does the CSIRT do for the identified constituency? Define the mission, goals, and objectives
   - How does the CSIRT support its mission? Select the CSIRT services to provide.
   - How is the CSIRT structured and organized? Determine the organization model.
   - What staff, equipment, and infrastructure are needed to operate the CSIRT? Identify required resources.
   - How are the initial startup as well as the long-term maintenance and growth of the CSIRT funded? Determine sources of funding.
5. Communicate the CSIRT Vision: Communicate the operational plan to management, the constituency, and others who need to know and understand its operations. Helps in gaining information that may have been missed during the information-gathering process.
6. Begin CSIRT Implementation: Begins as soon as the management’s support and funding is obtained. Includes the following:
   - hiring and training intial CSIRT staff
   - buying equipment
   - building any necessary network infrastructure to support the team
   - developing the initial set of CSIRT policies and procedures to support its services
   - defining specification and building the incident tracking system
   - developing incdent reporting guidelines and forms
7. Annouce the CSIRT: the announcement needs to come from sponsoring management. once the CSIRT is operational, the effectiveness of the team can be evaluated through feedback mechanisms, including:
   - benchmarking against other CSIRTs
   - General discussions with constituency representatives
   - Evaluation surbeys distributed to constituency members on a periodic basis
   - Creation of a set of criteria parameters that is then used by an auditing or 3rd party group to evaluate the team.

Question 9

Describe three examples of CSIRT’s:

Answer 9

1. North American: CERT-CC Computer Emergency Response Team/Coordination Center): CERT-CC- is located at the Software Engineering Institute (SEI), a fedderally funded reasearch and develpment center at CMU in Pittburgh, PA. Established objectives: to provide response to major security incidents and to analyze product vulnerabilities. A part of the SEI network systems survivability program, whose goal is to guarantee suitable technology and system management practives that are used to protecte networks from attacks, minimize damages, and ensure the continuity of the critical services in spite of successful attacks, accidents, or failures.
2. US-CERT (The US Computer Emergency Readiness Team)- formed in 2003 to protect the nation’s Internet infrastructure. Partnership between the US government (DHS), and the private sector. Manages defense against and responses to cyber attacks. Main objectives: Analyzing and reducing cyber threats and vulnerabilities, disseminating cyber-threat warning info, and coordinating incident response activities.
3. CanCERT (Canadian Computer Emergency Response Team) Established in 1998, operating 24/7, main objective: to be the trusted center for the collection and dissemination of information related to networked computer threats, vulnerabilities, incidents, and incident response for the Canadian government, as well as business and academic organizations.