Information Systems Vulnerability
and Risk Analysis
Class 10
Learning Objectives:
Upon completion of this chapter you should be able to:
– Know what contingency planning is and how incident
response planning, disaster recovery planning, and
business continuity plans are related to contingency
planning.
– Understand the elements that comprise a business
impact analysis and the information that is collected for
the attack profile.
– Recognize the components of an incident response
plan.
Learning Objectives:
Upon completion of this chapter you should be able to:
– Understand the steps involved in incident reaction and
incident recovery.
– Define the disaster recovery plan and its parts.
– Define the business continuity plan and its parts.
– Grasp the reasons for and against involving law
enforcement officials in incident responses and when it
is required.
– Understand procedures and forensic tools available to
recover data.
Agenda
• Background
• Definitions
• Incident response planning
• Procedures for identifying forensic evidence
• Forensic software products
• Links to useful websites
• Case studies
Background
• The term “Computer Forensics” was coined back
in 1991
• Computer forensics deals with the application of
law to science – the science is computer science
• Computer forensics has been described as the
autopsy of a computer hard disk drive
• Deals with the preservation, identification,
extraction and documentation of computer
evidence
Incident Response Planning
• Incident response planning covers the identification of, classification
of, and response to an incident
• An incident is an attack against an information asset that poses a clear
threat to the confidentiality, integrity, or availability of information
resources
• Attacks are only classified as incidents if they have the following
characteristics:
– Are directed against information assets
– Have a realistic chance of success
– Could threaten the confidentiality, integrity, or availability of information
resources
• IR is more reactive than proactive, with the exception of the planning
that must occur to prepare the IR teams to be ready to react to an
incident
Incident Response Plan
• Format and Content
– The plan must be organized to support quick and easy
access to the information needed
• Storage
– The plan should be protected as sensitive information
– On the other hand, the organization needs this
information readily available
• Testing
– An untested plan is not a useful plan. The levels of
testing strategies can vary
Incident Detection
• The most common occurrence is a complaint about
technology support, often delivered to the help desk
• Possible detections:
– intrusion detection systems, both host-based and network-based
– virus detection software
– systems administrators
– end users
• Only through careful training can the organization hope to
quickly identify and classify an incident
• Once an attack is properly identified, the organization can
respond
Incident Indicators
Possible indicators of incidents:
– Presence of unfamiliar files
– Unknown programs or processes
– Unusual consumption of computing resources
– Unusual system crashes
Probable indicators of incidents:
– Activities at unexpected times
– Presence of new accounts
– Reported attacks
– Notification from IDS
Definite indicators of incidents:
– Use of dormant accounts
– Changes to logs
– Presence of hacker tools
– Notifications by partner or peer
– Notification by hacker
Predefined situations that signal an automatic incident:
– Loss of availability
– Loss of integrity
– Loss of confidentiality
– Violation of policy
– Violation of law
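The indicator tiers above, turned into detection logic over a handful of constructed log lines. This is an added example and not part of the course material; the log lines, the last-login history, the business-hours window and the process watch-lists are all assumptions made for the illustration.

```python
"""
Toy triage of incident indicators over constructed log lines, following the
possible / probable / definite tiers in the slides. Added illustration, not
part of the course material; the log lines, account history and watch-lists
below are all constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed syslog-style events (not real logs).
SAMPLE_LOG = """\
2024-03-02T03:12:41 srv1 sshd[812]: Accepted password for svc_backup from 203.0.113.7 port 51022
2024-03-02T03:13:05 srv1 useradd[820]: new user: name=support2, UID=1007, home=/home/support2
2024-03-02T03:14:10 srv1 kernel: process nc (pid 901) started by support2
2024-03-02T03:15:00 srv1 auditd[402]: audit log cleared by uid=0
2024-03-02T03:16:20 srv1 kernel: process xk7 (pid 933) started by support2
2024-03-02T09:05:12 srv1 sshd[950]: Accepted publickey for alice from 198.51.100.4 port 40022
2024-03-02T09:07:33 srv1 snort[300]: [1:2002910:5] ET SCAN Potential SSH Scan from 203.0.113.7
"""

# Assumed organisational context (constructed).
NOW = datetime(2024, 3, 2, 12, 0, 0)
LAST_LOGIN = {"alice": NOW - timedelta(days=1),
              "svc_backup": NOW - timedelta(days=200)}   # dormant for ~7 months
DORMANT_AFTER = timedelta(days=90)
BUSINESS_HOURS = range(8, 19)                           # 08:00-18:59
KNOWN_PROCESSES = {"sshd", "cron", "nginx"}             # assumed baseline
HACKER_TOOLS = {"nc", "nmap", "mimikatz"}               # assumed watch-list
LEVELS = {"possible": 1, "probable": 2, "definite": 3}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
PROC_RE = re.compile(r"process (?P<name>\S+) \(pid \d+\)")


def classify(line):
    """Return a list of (level, reason) findings for one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []
    ts, prog, msg = datetime.fromisoformat(m["ts"]), m["prog"], m["msg"]
    findings = []

    if "log cleared" in msg or "log truncated" in msg:      # definite: changes to logs
        findings.append(("definite", "changes to logs"))
    login = LOGIN_RE.search(msg)
    if login:
        user = login["user"]
        last = LAST_LOGIN.get(user)
        if last is not None and NOW - last > DORMANT_AFTER:  # definite: dormant account
            findings.append(("definite", f"use of dormant account {user}"))
        if ts.hour not in BUSINESS_HOURS:                    # probable: unexpected time
            findings.append(("probable", f"activity at {ts:%H:%M} for {user}"))
    if prog == "useradd" and "new user" in msg:              # probable: new account
        findings.append(("probable", "presence of new account"))
    if prog == "snort":                                      # probable: IDS notification
        findings.append(("probable", "notification from IDS"))
    proc = PROC_RE.search(msg)
    if proc and proc["name"] in HACKER_TOOLS:                # definite: hacker tool
        findings.append(("definite", f"presence of hacker tool {proc['name']}"))
    elif proc and proc["name"] not in KNOWN_PROCESSES:       # possible: unknown process
        findings.append(("possible", f"unknown process {proc['name']}"))
    return findings


def triage(log_text):
    """Classify every line; return (highest level or None, all findings)."""
    findings = [(lvl, why, line) for line in log_text.splitlines()
                for lvl, why in classify(line)]
    if not findings:
        return None, []
    top = max(findings, key=lambda f: LEVELS[f[0]])[0]
    return top, findings


if __name__ == "__main__":
    level, found = triage(SAMPLE_LOG)
    print("overall:", level)
    for lvl, why, line in found:
        print(f"[{lvl:8}] {why}")
```

Each rule maps one slide indicator to a check that needs only the log line plus some baseline context (last-login history, a process baseline); the "definite" tier is what should page the IR team immediately, the "possible" tier is what an analyst reviews in the morning.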
Incident or Disaster
• When Does an Incident Become a Disaster?
– the organization is unable to mitigate the impact
of an incident during the incident
– the level of damage or destruction is so severe
the organization is unable to quickly recover
– It is up to the organization to decide which
incidents are to be classified as disasters and
thus receive the appropriate level of response
Incident Reaction
• Incident reaction consists of actions that guide the
organization to stop the incident, mitigate the
impact of the incident, and provide information for
the recovery from the incident
• In reacting to the incident there are a number of
actions that must occur quickly including:
– notification of key personnel
– assignment of tasks
– documentation of the incident
Notification of Key Personnel
• Most organizations maintain alert rosters for emergencies.
An alert roster contains contact information for the
individuals to be notified in an incident
• Two ways to activate an alert roster:
– A sequential roster is activated as a contact person calls each and
every person on the roster
– A hierarchical roster is activated as the first person calls a few
other people on the roster, who in turn call a few other people, and
so on
• The alert message is a scripted description of the incident,
just enough information so that everyone knows what part
of the IRP to implement
Documenting an Incident
• Documenting the event is important:
– First, it is important to ensure that the event is recorded
for the organization’s records, to know what happened,
and how it happened, and what actions were taken. The
documentation should record the who, what, when,
where, why, and how of the event
– Second, it is important to prove, should it ever be
questioned, that the organization did everything
possible to prevent the spread of the incident
– Finally, the recorded incident can also be used as a
simulation in future training sessions
Incident Containment Strategies
• Before an incident can be contained, the affected areas of the
information and information systems must be determined
• The organization can stop the incident and attempt to recover
control through a number of strategies including:
– severing the affected circuits
– disabling accounts
– reconfiguring a firewall
– The ultimate containment option, reserved for only the most drastic of
scenarios, involves a full stop of all computers and network devices in the
organization
Incident Recovery
• Once the incident has been contained, and control
of the systems regained, the next stage is recovery
• The first task is to identify the human resources
needed and launch them into action
• The full extent of the damage must be assessed
• The organization repairs vulnerabilities, addresses
any shortcomings in safeguards, and restores the
data and services of the systems
Damage Assessment
• There are several sources of information, including:
– system logs
– intrusion detection logs
– configuration logs and documents
– documentation from the incident response
– results of a detailed assessment of systems and data storage
• Computer evidence must be carefully collected,
documented, and maintained to be acceptable in
formal proceedings
• Individuals assessing damage need special training
Recovery
In the recovery process:
– Identify the vulnerabilities that allowed the incident to occur and
spread and resolve them
– Address the safeguards that failed to stop or limit the incident, or
were missing from the system in the first place. Install, replace or
upgrade them
– Evaluate monitoring capabilities. Improve their detection and
reporting methods, or simply install new monitoring capabilities
– Restore the data from backups
– Restore the services and processes in use
– Continuously monitor the system
– Restore the confidence of the members of the organization’s
communities of interest
– Conduct an after-action review
Automated Response
• New systems can respond to incidents autonomously
• Trap and trace uses a combination of resources to
detect intrusion then trace back to source
• Trapping may involve honeypots or honeynets
• Entrapment is luring an individual into committing a
crime to get a conviction
• Enticement is legal and ethical, while entrapment is not
Law Enforcement Involvement
• When the incident at hand constitutes a violation
of law the organization may determine that
involving law enforcement is necessary
• There are several questions, which must then be
answered:
– When should the organization get law enforcement
involved?
– What level of law enforcement agency should be
involved: local, state, or federal?
– What will happen when the law enforcement agency is
involved?
• Some of these questions are best answered by the
organization’s legal department
Local, State, or Federal Authorities
• Selecting the level of law enforcement depends on the
level and type of crime discovered:
– The Federal Bureau of Investigation deals with many computer
crimes that are categorized as felonies
– The US Secret Service works with crimes involving US currency,
counterfeiting, credit cards, identity theft, and other crimes
– The US Treasury Department has a bank fraud investigation unit
and the Securities and Exchange Commission has investigation and
fraud control units as well
State Investigative Services
• Each state has its own version of the FBI. In Georgia, it is called the
Georgia Bureau of Investigation (GBI)
• The GBI arrests individuals, serves warrants, and
generally enforces laws on property that is owned
by the state or any state agency
• The state investigative office may not have a
special agency dedicated to computer crime but
when there is a law within the state that impacts
computer crimes, the state agency usually handles
the case
Local Law Enforcement
• Local agencies enforce all local and state laws and
handle suspects and security crime scenes for state
and federal cases
• Local law enforcement agencies seldom have a
computer crimes task force, but most investigative
(detective) units are capable of processing crime
scenes, and handling most common criminal
activities and the apprehension and processing of
suspects of computer related crimes
Benefits of Law Enforcement
Involvement
Involving law enforcement agencies has advantages:
– Agencies may be much better equipped at processing
evidence than private organizations
– Unless the organization has staff trained in forensics, it
may be less effective in convicting suspects
– Law enforcement agencies are also prepared to handle the
warrants and subpoenas needed
– Law enforcement skilled at obtaining statements from
witnesses, completing affidavits, and other information
collection
Drawbacks to Law Enforcement
Involvement
Involving law enforcement agencies has
disadvantages:
– On the downside, once a law enforcement agency takes over
a case, the organization loses control over the chain of
events
– The organization may not hear about the case for weeks or
even months
– Equipment vital to the organization’s business may be
tagged as evidence, to be removed, stored, and preserved
until it can be examined for possible support for the
criminal case
– However, in some jurisdictions and for some categories of
crime, an organization that detects a criminal act has a legal
obligation to involve the appropriate law enforcement
officials; the legal department should determine when this
applies
Computer Evidence Processing Steps
• Step 1: Shut down the computer
– Caveat: powering off destroys volatile evidence (RAM contents,
running processes, network connections); current practice captures
volatile data first and images live systems where possible
• Step 2: Document the hardware configuration of the system
• Step 3: Transport the computer system to a secure location
• Step 4: Make bit stream backups of hard disks and floppy disks
• Step 5: Mathematically authenticate data on all devices
• Step 6: Document the system date and time
• Step 7: Make a list of key search words
• Step 8: Evaluate the Windows swap file
Computer Evidence Processing
Steps
• Step 9: Evaluate file slack
• Step 10: Evaluate unallocated space (erased files)
• Step 11: Search files, file slack and unallocated space for
key words
• Step 12: Document file names, dates and times
• Step 13: Identify file, program and storage anomalies
• Step 14: Evaluate program functionality
• Step 15: Document your findings
• Step 16: Retain copies of software used
Good Documentation Is Essential
• Computer time and date settings
• Hard disk partitions
• Operating system and version
• Data and operating system integrity
• Computer virus evaluation
• File catalog
• Software licensing
• Retention of software, input files and output files
Data Validation Using The MD5 Hash
• Law enforcement computer forensic specialists
rely on mathematical validation to verify that the
stored image of a computer disk drive and relevant
files exactly match the original
• In the past, 32-bit checksums were used (e.g.,
CRCCHECK and CRC32)
• Today, cryptographic hashes are used (e.g., the
128-bit MD5 hash)
• Caveat: a CRC detects accidental corruption but cannot
resist deliberate tampering, and MD5 collisions have been
practical since 2004; current practice records a SHA-256
digest alongside (or instead of) MD5
Electronic Document Discovery
A Powerful New Litigation Tool
• In the past, documentary evidence was limited to
paper documents
• Computer technology has created new types of
documentary evidence
• Today, documents are rarely typed or handwritten
• Most documents are created using computers,
such as word processing or email
• A verified copy of a computer file (bit-for-bit, with a
matching hash) is as good as the original electronic document
Electronic Document Discovery
A Powerful New Litigation Tool
• Computer data is stored at multiple levels
on computer storage media
• Fragments of various draft documents and
email linger for months in bizarre storage
locations
Identifying Internet Activity
Computer Forensics Goes To Cyber Space
• The Internet – Friend or Enemy?
• Cyber crime has become a reality in our
modern world
• Law enforcement agencies encountering
more computers at crime scenes
• Law enforcement successes in computer-related
investigations are directly related to the availability
and quality of forensic tools
NTI Forensic and Security Suites
• NTI specializes in computer forensics
• Created the first computer forensics training
courses for the Federal government
• Claims to have the largest forensics lab
Computer Incident Response
Suite
• Tool suite designed to aid corporate and
government computer specialists deal with
potential computer risks associated with accidents,
malicious code, criminal acts, and corporate
security abuses
• This software suite includes:
– CopyQM
– CRCMD5
– Diskscrub
– DiskSig
– Net Threat Analyzer
Corporate Evidence Processing
Suite
• This suite of tools was created to assist
corporations and non-law enforcement
government agencies in dealing with internal
audits, internal investigations and identification of
computer policy abuses
• This software suite includes:
– CRCMD5
– FileList
– Seized
– ShowFL
– Text Search Plus
Data Elimination Suite
• This suite of tools was designed to eliminate
sensitive data and to validate that the data was
securely erased
• This software suite includes:
– CopyQM
– Get Free
– Get Slack
– M-Sweep Pro
– Text Search Plus
GetFree – Forensic Data Capture
Tool
• When files are deleted in DOS, Windows,
Windows 95, and Windows 98, the data associated
with the file is not actually eliminated
• The clusters the file occupied are marked as unallocated
storage space; the data itself stays on disk until it is overwritten
• This data can provide the computer forensics
investigator with valuable leads and evidence
• When GetFree software is used as an investigative
tool, it eliminates the need to restore potentially
hundreds or thousands of files
GetFree – Forensic Data Capture
Tool
• GetFree Software – primary uses
– Calculates the amount of unallocated storage space on a
storage device
– Automatically captures all logical unallocated space on
hard drives and floppy diskettes
– Used in internal audits, security reviews and computer-related
investigations
– Identifies violations of company policy through the
identification of sensitive data leakage into unallocated
storage space
– Identifies sensitive data spills in unallocated data
storage units
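The following block is an added example, not course material and not NTI's code. It ties together Steps 4, 5 and 9 to 11 of the evidence-processing procedure, the MD5 validation slide, and what GetFree/GetSlack do: it builds a constructed 512-byte "volume" with a toy cluster map (the geometry, the directory layout and the file contents are all assumptions made for the illustration), hash-validates a bit-stream copy, carves file slack and unallocated space, and runs a keyword search over every region. The cluster directory stands in for a real filesystem parser.

```python
"""
Toy forensic-image workflow: hash-validate a bit-stream copy, then carve file
slack and unallocated space and run a keyword search over every region.
Added illustration with a constructed 512-byte 'volume'; not course code and
not a real filesystem parser.
"""
import hashlib

CLUSTER = 64          # assumed allocation-unit size of the toy volume
N_CLUSTERS = 8        # 8 clusters = 512 bytes


def build_volume():
    """Construct the toy volume: a 'deleted' memo once filled the whole
    device; two live files were written over parts of it afterwards."""
    memo = b"MEMO: wire transfer 4471-2 approved by J.Smith, passphrase Tr0ub4dor "
    vol = bytearray((memo * 8)[: N_CLUSTERS * CLUSTER])
    directory = {}                      # name -> (start_cluster, n_clusters, logical_size)

    def write(name, start, data):
        n = -(-len(data) // CLUSTER)    # clusters needed (ceiling division)
        vol[start * CLUSTER : start * CLUSTER + len(data)] = data
        directory[name] = (start, n, len(data))

    write("report.txt", 0, b"Quarterly report: revenue up 3%.")   # 32 B used of cluster 0
    write("notes.txt", 2, b"Meeting 10am. " * 6)                   # 84 B across clusters 2-3
    return bytes(vol), directory


def hash_image(data, chunk=4096):
    """Step 5: mathematically authenticate the image. MD5 is what the slide
    names; SHA-256 is computed alongside because MD5 collisions are practical."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for i in range(0, len(data), chunk):
        md5.update(data[i : i + chunk])
        sha.update(data[i : i + chunk])
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_copy(original, copy):
    """Step 4/5: a bit-stream backup is acceptable only if every digest matches."""
    a, b = hash_image(original), hash_image(copy)
    return {"match": a == b, "original": a, "copy": b}


def file_regions(directory):
    """Absolute [start, end) byte ranges of each file's logical content."""
    return {n: (s * CLUSTER, s * CLUSTER + size) for n, (s, _, size) in directory.items()}


def slack_regions(directory):
    """Step 9: bytes between logical EOF and the end of the file's last cluster."""
    out = {}
    for name, (start, n, size) in directory.items():
        eof = start * CLUSTER + size
        end = (start + n) * CLUSTER
        if end > eof:
            out[name] = (eof, end)
    return out


def unallocated_runs(directory):
    """Step 10: contiguous runs of clusters no directory entry references."""
    used = {c for s, n, _ in directory.values() for c in range(s, s + n)}
    runs, start = [], None
    for c in range(N_CLUSTERS + 1):
        free = c < N_CLUSTERS and c not in used
        if free and start is None:
            start = c
        elif not free and start is not None:
            runs.append((start * CLUSTER, c * CLUSTER))
            start = None
    return runs


def keyword_search(image, directory, keywords):
    """Step 11: search files, slack and unallocated space; report absolute offsets.
    Each region is searched on its own so a hit never spans two unrelated areas."""
    regions = [("file", n, r) for n, r in file_regions(directory).items()]
    regions += [("slack", n, r) for n, r in slack_regions(directory).items()]
    regions += [("unallocated", f"clusters@{a // CLUSTER}", (a, b))
                for a, b in unallocated_runs(directory)]
    hits = []
    for kind, label, (a, b) in regions:
        chunk = image[a:b]
        for kw in keywords:
            i = chunk.find(kw)
            while i != -1:
                hits.append((kind, label, a + i, kw))
                i = chunk.find(kw, i + 1)
    return sorted(hits, key=lambda h: h[2])


if __name__ == "__main__":
    image, directory = build_volume()
    print("copy verified:", verify_copy(image, bytes(image))["match"])
    for hit in keyword_search(image, directory, [b"wire transfer", b"passphrase", b"revenue"]):
        print(hit)
```

Run stand-alone it prints the hash-verification result and one line per hit. The keyword "wire transfer" never appears in a live file, yet it turns up once in the slack of notes.txt and five times in unallocated clusters: that is precisely the evidence the GetFree/GetSlack slides describe, and precisely why the image must be authenticated (and re-authenticated after analysis) before any of those offsets are cited.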
Law Enforcement Computer
Evidence Suite
• This software suite includes:
– CRCMD5
– Diskscrub
– Net Threat Analyzer
– Seized
Sample Terms and Conditions for
Computer Forensics
• Service levels
• Ibas’ obligations
• Client’s obligations
• Confidentiality
• Risk and transport of material
• Liability and limitation of liability
Source: Ibas, a forensics service provider
Computer Forensics
After an incident has occurred, computer forensics
may be performed to attempt to reconstruct past
events and determine who, what, where, when,
and why
http://www.foundstone.com
Handling a Computer Security
Incident When Not Prepared
• Step 1. Remain calm
• Step 2. Take good notes
• Step 3. Notify the right people and get help
• Step 4. Enforce a “need-to-know” policy
• Step 5. Use out of band communications
• Step 6. Contain the problem
• Step 7. Make backup of affected system(s)
• Step 8. Get rid of problem
• Step 9. Get back in business
• Step 10. Learn from the experience
Source: Computer Security Incident Handling:Step-by-Step, SANS Institute
The Coroner’s Toolkit
• Collection of Unix tools which perform a post
mortem analysis after an incident
– captures information needed for analysis
– displays access patterns of files
– recovers deleted files
– recovers crypto keys from a running process and from
files
• Litigation support and forensic data recovery
http://www.ndci.com
Eradication
• Removal of the cause of the incident
• eradicating any viruses, bogus files, etc.
• Affected systems examined for evidence
– involves complete review; may be time-consuming
Incident Recovery
• The process of:
– bringing system back to a known good state
– installing patches/fixes for vulnerability
exploited
– restoring information integrity and availability
• Must set priorities to know what is most
important to protect
Incident Recovery
• Repair vulnerability
• Improve safeguard
• Update detection
• Restore data
• Restore services
• Monitor for additional signs of attack
• Restoration of Confidence
Follow-Up
• What went right? What went wrong with
regard to incident response?
• What policies/procedures should be
changed/updated?
• New products purchased?
• New personnel hired?
Free Software Downloads
• FileCNVT: converts compressed output from NTI’s
FileList Program
• DM: public domain DOS database manager (works well
with Net Threat Analyzer)
• ShowFl: Windows program used with NTI’s FileList
Program in computer usage timeline analysis
• FILTER: forensic binary data filter and documentation
tool
• NTAView: Windows program used with NTI’s Net Threat
Analyzer Program in Internet related investigations
• SPACES: Simple tool for use in encryption pattern
analysis
Links to Useful Websites
• Intellectual property
• Law/legal
• Professional associations
• Government
• Computer/IT
• Financial
Source: Kessler International (http://investigation.com)
Case Studies
• Data recovery
• On-Site acquisition
• Electronic risk control
• Electronic document discovery
• Password recovery
• Litigation support
• Expert witness testimony
Case Study
Data Recovery
• Our Client, a renowned trading company, suffered
a sudden, devastating power outage that caused
their server to cease functioning
• The company took the hard-drive to a local
computer repair person that was unable to read the
corrupt drive
• At this point, the company contacted you to
recover the information
• What actions will you take?
Case Study
On-Site Acquisition
• Our client, an international real estate firm with
locations around the globe, was conducting an
internal investigation into commission fraud
• All the offices shared files through a server at their
headquarters
• You were contacted to conduct an on-site
investigation
• What steps would you take to conduct the
investigation?
Case Study
Password Recovery
• One client, a large r …