ECIH Compile - PDFCOFFEE.COM
Sample EC-Council Certified Incident Handler Version 1
Module III: Incident Response and Handling Steps
Author/Uploaded: Jegathis Palaniveloo

News: A Delicate Balance is Required to Achieve Information Security
April 22, 2009
David Chadwick, Professor of Information Systems Security at the University of Kent, calls for better incident handling and procedures to protect sensitive data.
It did not start with the loss of the personal details of 25 million people in receipt of Child Benefit in November 2007 [1]. Neither did it end in January 2009 with the British Council losing a computer disk containing the names, national insurance numbers, salary and bank account details of its 2,000 UK staff [2]. Data loss has been happening ever since computers were first invented, and it will continue to happen as long as we have them, regardless of any legislation that Jack Straw might wish to impose, even legislation that recommends jail sentences for employees of organisations where data breaches occur. After all, crimes that incur the harshest of penalties still occur daily. Furthermore, data loss will continue to happen even if encryption is ubiquitously implemented. Why? Because data security depends more on people and processes than on raw encryption technologies. This is eloquently illustrated in the data loss last August when the personal details of the 84,000 prisoners in England and Wales went missing. This data was held encrypted on the government computer system but was downloaded unencrypted onto a memory stick by an external contractor who then misplaced the stick.
Source: http://www.publicservice.co.uk/
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Objective
This module will familiarize you with:
• Handling Incidents
• Need for Incident Response
• Goals of Incident Response
• Incident Response Plan
• Incident Response and Handling Steps
• Training and Awareness
• Incident Management
• Incident Response Team
• Incident Response Best Practices
• Incident Response Plan Checklist

Module Flow
Handling Incidents, Need for Incident Response, Incident Response Plan, Goals of Incident Response, Incident Response and Handling Steps, Training and Awareness, Incident Response Team, Incident Management, Incident Response Best Practices, Incident Response Plan Checklist.

How to Identify an Incident
• Suspicious entries in network logs
• Accounting gaps of several minutes with no accounting log
• Other events such as unsuccessful login attempts, attempts to write, alter, or delete system files, system failure, or performance degradation
• Unusual usage patterns, such as programs being compiled in the account of users who are non-programmers

Handling Incidents
Incident handling involves:
• Incident reporting
• Incident analysis
• Incident response
Incident handling allows incident reports to be gathered in one location so that exact trends and patterns can be recognized and recommended strategies can be employed. It helps the corresponding staff to understand the process of responding and to tackle unexpected threats and security breaches.

Need for Incident Response
The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident. Incident response is required to identify the attacks that have compromised personal and business information or data. Incident response is required to:
• Protect systems
• Protect personnel
• Efficiently use the resources
• Deal with legal issues

Goals of Incident Response
• Examining the incident
• Minimizing the impact of the incident
• Preventing future attacks or incidents
• Enhancing security of the computer system
• Securing privacy rights established by law and policy
• Providing accurate reports and useful recommendations
• Assisting law enforcement in prosecuting digital criminals
• Protecting the organization's reputation and assets

Incident Response Plan
An incident response plan consists of a set of instructions to detect and respond to an incident. It defines the areas of responsibility and creates procedures for handling various computer security incidents. The incident response plan covers:
• How information is passed to the appropriate personnel
• Assessment of the incident
• Minimizing damage and response strategy
• Documentation of the incident
• Preservation of the evidence

Purpose of Incident Response Plan
The incident response plan gathers required resources in an organized manner to address incidents related to the security of a computer system. It protects the organization's resources against an attack. It protects the sensitive data on the systems. It supports legal investigations.

Requirements of Incident Response Plan
The requirements of incident response planning are:
• Expert teams (Computer Emergency Response Team (CERT))
• Legal review and approved strategy
• Company's financial support
• Executive/upper management support
• A feasible and tested action plan
• Physical resources, such as redundant storage, standby systems, and backup services

Preparation
Preparation is the most important aspect that allows you to respond to an incident before it happens. The success of an incident response process depends on the pre-incident preparation. It includes:
• Examining security measures for networks and systems
• Intrusion Detection System (IDS)
• Creating access control
• Vulnerability assessments
• Performing regular backups
• Baseline protection by updating patches and antivirus
• Communication plan
• Audit trail

Preparation (cont'd)
It consists of security measures that an incident response team should begin to implement in order to ensure protection of the organization's assets and information. Preparing the incident response team includes:
• The requirement of hardware and software components to investigate the computer security incidents
• The requirement of documents such as forms and reports to investigate the incident
• Policies and operating procedures for backup and recovery
• Training the staff and users on how to respond to incidents

Incident Response and Handling Steps
Identification, Incident Recording, Initial Response, Formulating a Response Strategy, Containment, Communicating the Incident, Incident Classification, Incident Investigation, Data Collection, Notifying External Agencies, Evidence Protection, Forensic Analysis, Eradication, Systems Recovery, Incident Documentation, Review and Update the Response Policies, Incident Damage and Cost Assessment.

Step 1: Identification
The identification stage involves validating, identifying, and reporting the incident. This phase is necessary for categorizing and responding to incidents. Identify the incidents with the help of software packages such as antivirus software and intrusion detection tools. System and network audit logs may also provide sufficient information to decide whether unauthorized activity has occurred or not.

Identification (cont'd)
The actions taken in the identification phase include:
• Audit log collection, examination, and analysis
• Incident reporting and assessment
• Collect and protect system information
• Assign event identity and severity level
• Other systems analysis
• Assign incident task force members

Step 2: Incident Recording
Incident recording is a process of accurately storing the details of the occurrence of an incident. The information gathered should include:
• The date and time the incident happened
• The date and time at which the incident was detected
• Who has reported the incident
• Details of the incident, including:
  • Description of the incident
  • Systems involved
  • Backup information such as error messages, log files, etc.

Step 3: Initial Response
The first step in the investigation process is to gather sufficient information required to determine a proper incident response. It involves:
• Initial investigation
• Details of the incident
• Creating the incident response team
• Notifying individuals about the incident
The purpose of the initial response phase is to document the steps to be followed in responding to an incident.

Step 3: Initial Response (cont'd)
During initial response, you should:
• Check whether you are dealing with an actual incident or a false positive
• Gather enough information on the type and severity of the attack or incident
• Record your actions and document the incident

Step 4: Communicating the Incident
Communicate with the incident response team whenever you suspect the occurrence of any security breach. In order to handle the incident, the incident team lead will discuss the breach with their core team and other members of the organization. While reducing the impact of the incident, maintain appropriate controls and coordination of the incident. Discuss the incident with the legal representative to file a lawsuit against the perpetrators.

Step 5: Containment
Containment focuses on limiting the scope and extent of an incident. Avoid conventional methods to trace back; this may alert the attackers. The common techniques in the containment stage are:
• Disabling of specific system services
• Changing of passwords and disabling accounts
• Complete backups of the infected system
• Temporary shutdown of the infected system
• Restoration of the infected system

Containment (cont'd)
Reduce the potential effect or damage of the incident by quickly responding to it. The response generally depends on the organization and the nature of the incident that occurred. The points to consider while minimizing the risk are:
• Providing security and safety to human life
• Protecting confidential and sensitive data
• Safeguarding business, scientific, and managerial information
• Protecting hardware and software against future attacks
• Limiting the damage to the computer's resources

Step 6: Formulating a Response Strategy
The response strategy generally depends on the incident situation. Response strategies consider the following:
• Are the systems seriously affected due to the incident?
• How sensitive is the compromised or stolen information?
• Who are the attackers?
• Is the public aware of the incident?
• What is the unauthorized access level gained by the attackers?
• What are the attackers' skills?
• What is the total downtime of the system and the user?
• What is the total cost of the loss?

Step 7: Incident Classification
Classification of incidents is defined based on their severity and potential targets. Classify the incidents based on a number of factors such as:
• Nature of the incident
• Criticality of the systems being impacted
• Number of systems impacted by the incident
• Legal and regulatory requirements

Step 8: Incident Investigation
Investigation is a process of gathering evidence related to an incident from systems and networks. Examine the investigation process to identify:
• The incident
• Time of the incident
• Perpetrator of the incident
• Mitigation steps to prevent future occurrence

Step 9: Data Collection
Data collection is defined as the gathering of the facts and evidence that are required for forensic analysis. Data collection involves several unique forensic challenges, such as:
• Gathering data that exceeds the computer storage capacity
• Proper collection of data to ensure integrity

Data Collection (cont'd)
Evidence classification:
• Host-based evidence
• Network-based evidence
• Other evidence

Data Collection (cont'd)
Host-based evidence:
• Host-based evidence consists of logs, records, documents, and any other information available on the system
Network-based evidence:
• Network-based evidence consists of information gathered from IDS logs, pen-register/trap and traces, router logs, firewall logs, and authentication servers
Other evidence:
• Other evidence consists of information and evidence gathered from people

Step 10: Forensic Analysis
Data such as log files, system files, graphic files, web history files, emails, installed applications, etc. are gathered for analysis. Forensic analysis should attempt to determine:
• The victims and attackers of the incident
• Nature of the incident
• Time and location of the incident
• What triggered the incident

Step 11: Evidence Protection
Protect the evidence to take legal action against the attackers. Take a complete backup of the affected systems with the help of new or never-before-used media devices. Store and protect the backup on either CD-R or DVD-R to prosecute the offender(s). The stored backup can be used to recover the data from the affected systems. Backups should be stored in a physically secure location.

Step 12: Notify External Agencies
Once sufficient evidence is gathered, external agencies should be notified to file a case and prosecute the perpetrator. The external agencies include local and national law enforcement, external security agencies, and security experts.

Step 13: Eradication
The eradication stage removes or eliminates the root cause of the incident. Vulnerability analysis is performed in this stage. It lists countermeasures to thwart further damage, thereby securing the organization's assets.

Eradication (cont'd)
The possible countermeasures include:
• Using antivirus software
• Installing the latest patches
• Policy compliance checks
• Independent security audits
• Disabling unnecessary services
• Updating security policies and procedures
• Changing passwords of compromised systems
• Eliminating the intruder's access and identifying possible changes completely
• Reinstalling compromised systems
• Rebuilding systems

Step 14: Systems Recovery
Recovering a system from an incident generally depends on the extent of the security breach. In the recovery step, an affected system is restored to its normal operations. The computer systems and networks are monitored and validated. The recovery stage determines the course of action for an incident. Run vulnerability assessment and penetration testing tools to identify the possible vulnerabilities present in the system or network.

Systems Recovery (cont'd)
Determine the integrity of the backup file by making an attempt to read its data. Verify the success of the operation and the normal condition of the system. Monitor the system by network loggers, system log files, and potential backdoors. The actions to be performed in the recovery stage are:
• Rebuilding the system by installing a new OS
• Restoring user data from trusted backups
• Examining the protection and detection methods
• Examining security patches and system logging information

Step 15: Incident Documentation
The incident response team should document the various processes while handling and responding to an incident. Document the steps and conclusion statements immediately after completion of the forensic process. The document should be properly organized, examined, reviewed, and vetted by the management and legal representative. The documentation should provide:
• Description of the security breach
• Details of the action taken, such as:
  • Who handled the incident
  • When the incident was handled
• Reasons behind the occurrence of the incident

Incident Documentation (cont'd)
The best way to prosecute the offender(s) is through proper documentation. The document prepared should be:
Concise and Clear:
• Prepare the reports in such a way that they are clearly understood by everyone
Standard Format:
• Maintain a standard format that makes report writing scalable, saves time, and enhances accuracy
Editors:
• Ensure that the forensic reports are edited properly

Step 16: Incident Damage and Cost Assessment
The two important pieces of evidence that are required for legal prosecution are incident damage and cost. Costs include:
• Costs due to loss of confidential information
• Legal costs
• Labor costs
• System downtime cost
• Installation cost

Step 17: Review and Update the Response Policies
Review the process after completion of both the documentation and recovery steps. Discuss with your team members the steps that were successfully implemented and the mistakes committed. Reviewing the response and updating policies will reduce the impact of incidents and help you to handle future incidents.

Training and Awareness
Training and awareness provide the skills required to implement incident handling policies. Practical training removes developmental errors, improves procedures, and reduces the occurrence of miscommunication. Well-trained members can prevent an incident or limit the resulting damage. Security awareness and training should include:
• Design and planning of the awareness and training program
• Development of the awareness and training materials
• Implementation of the awareness and training programs
• Measuring the effectiveness of the program and updating it

Training and Awareness (cont'd)
Training should be conducted at specified intervals, and it should include:
• Incident handling location
• Pre-assignment plans to handle the emergency situation by all employees
• Recognition and operation of utility shut-off devices
The awareness campaign should be designed for several purposes such as:
• Knowledge and participation
• Concerning the plan's strategies
• Contingency arrangements

Security Awareness and Training Checklist
Checklist for security awareness and training:
• Is the type and frequency of training noted?
• Are training classes for security personnel described?
• Are training classes for basic end-users described?
• Are instructors for the training classes noted?
• Is it noted that security training is tracked and logged?
• Is it noted that all courses are evaluated by the users?
• Are roles and responsibilities for security awareness noted?
• Are roles and responsibilities for security training noted?
• Does the plan indicate that a record of user training participation is kept?
• Does the plan indicate that users are assessed for their security knowledge after they undergo training?

Incident Management
Incident management helps not only in responding to incidents but also in preventing future incidents by minimizing the potential damage caused by risks and threats. It consists of action plan development and consistent processes that are repeatable, measurable, and understood within the organization. Who performs incident management?
• Human resource personnel experienced in incident handling
• Legal counsel
• The Security Manager
• An outsourced service provider

Incident Management (cont'd)
The objective of incident management is to quickly restore the services of the computer system to normal operations after an incident, with little or no impact on the business. It provides end-to-end management support on how to handle security incidents or events. Incident management involves:
• Security policies and procedures for defining a process
• Assigning roles and responsibilities to the incident response team
• Equipment, tools, and supporting material
• Identifying and training qualified staff on handling security incidents

Purpose of Incident Management
Incident management is required to:
• Prevent incidents and attacks by tightening the physical security of the system or infrastructure
• Create awareness by conducting training programs for employees and users on security issues and response plans
• Monitor and test the organization's infrastructure to identify weaknesses and vulnerabilities
• Share the information about the incident with other teams

Incident Management Process
Prepare:
• Plan and implement an initial incident management capability
• Follow lessons learned and evaluate the assessment activities to enhance the security of the systems
Protect:
• Implement security measures to protect the computer system from incidents
• Implement infrastructure protection improvements resulting from postmortem reviews or other process improvement mechanisms
Detect:
• Notice events and report those events
• Receive the reports of events
Triage:
• Categorize, prioritize, and correlate events
• Assign events for handling or response
Respond:
• Analyze the event
• Plan a response strategy

Incident Management Process
[Figure: Five High-Level Incident Management Processes. Source: http://www.cert.org/]

Incident Management Team
The incident management team provides support to all computer systems that are affected by threats or attacks. The incident management team consists of:
• Executive management
• Staff support department representatives
• Department heads whose departments have been directly affected by the incident

Incident Management Team (cont'd)
The incident management team is responsible for:
• Managing internal and external communications
• Directing response and recovery activities
• Monitoring the recovery progress
• Providing or reallocating recovery resources

Incident Response Team
An incident response team is a group of security professionals within an organization who are trained and asked to respond to a security incident. The response team should contain authorized security personnel to take the necessary actions against security incidents. The incident response team should:
• Develop or review the processes and procedures that must be followed in response to an incident
• Manage the response to an incident and ensure that all procedures are followed correctly
• Review changes in legal and regulatory requirements to ensure that all processes and procedures are valid
• Review and recommend technologies to manage and counteract incidents
• Establish relationships with the local law enforcement agency, government agencies, key partners, and suppliers

Incident Response Team (cont'd)
An incident response team takes responsibility for dealing with potential or real-time information security incidents. The team should be made up of a number of people with knowledge and skills in different areas. The representatives of the incident response team are:
• IT Security
• IT Operations
• Physical Security
• Human Resources
• Legal Department
• Public Relations
• External Expertise

Incident Response Team Members
• Information Security Officer (ISO)
• Information Technology Officer (ITOC)
• Information Privacy Officer (IPO)
• Network Administrator
• System Administrator
• Business Applications and Online Sales Officer
• Internal Auditor

Incident Response Team Members: Roles and Responsibilities
Information Security Officer (ISO):
• Provides incident handling training to members
• Prepares a summary of corrective actions taken to handle the incident
Information Technology Officer:
• Point of contact for various security incidents
• Informs the ISO to provide the incident response team
Information Privacy Officer:
• Organizes security activities with the ISO
• Develops communication with organizations that are affected by security incidents
Network Administrator:
• Analyzes network traffic for signs of incidents
• Performs corrective actions against the suspected intruder by blocking the network

Incident Response Team Members: Roles and Responsibilities (cont'd)
System Administrator:
• Updates service packages and patches
• Examines system logs to identify malicious activities
Business Applications and Online Sales Officer:
• Reviews business applications and services for signs of an incident
• Checks the audit logs of critical servers that are vulnerable to attacks
Internal Auditor:
• Checks whether the information systems are in compliance with security policies and controls
• Identifies and reports any security loopholes to the management

Developing Skills in Incident Response Personnel
Appropriate books, magazines, and other technical references should be available that help in improving the technical knowledge of the subject. Prepare a training budget to maintain, enhance, and increase proficiency in technical areas and security disciplines, including the legal aspects of incident response taught by legal experts. Give opportunities to the team members to perform other tasks associated with incident response. Consider the process of rotating staff members in and out of the incident response team.

Developing Skills in Incident Response Personnel (cont'd)
Maintain sufficient staff in the organization so that the team members can have uninterrupted time to work. Develop a mentoring program for senior technical staff to help less experienced staff learn about the incident handling process. Hire external subject matter experts for training. Develop various scenarios on incident handling and conduct group discussions on how they would handle them. Conduct incident handling mock drills for the teams.

Incident Response Team Structure
The incident response team should handle the incident whenever an incident is identified by any person in the organization. The incident response team should:
• Analyze the incident data
• Examine the impact of the incident
• Minimize the damage and restore the system to normal operations
The incident response team includes:
• Central incident response team
• Distributed incident response teams
• Coordinating team

Incident Response Team Structure (cont'd)
Staffing models:
• 24/7 Availability
• Employees
• Partially Outsourced
• Fully Outsourced
Team model selection:
• Employee Morale
• Cost
• Staff Expertise
• Organizational Structure

Incident Response Team Dependencies
• Management
• Information Security
• Telecommunications
• IT Support
• Legal Department
• Public Affairs and Media Relations
• Human Resources
• Business Continuity Planning
• Physical Security and Facilities Management

Incident Response Team Services
• Advisory Distribution
• Vulnerability Assessment
• Intrusion Detection
• Education and Awareness
• Technology Watch
• Patch Management

Defining the Relationship between Incident Response, Incident Handling, and Incident Management
[Figure. Source: http://www.cert.org/]

Incident Response Best Practices
• Stay calm
• Assess the situation
• Identify the people to handle the incident
• Form a plan for resolution:
  • Identify the problem
  • Do not cause any damage
  • Resolve the problem
• Document everything
• Analyze the evidence to confirm that an incident has occurred

Incident Response Best Practices (cont'd)
• Notify the appropriate people
• Stop the incident if it is still in progress
• Identify the single most important and immediate problem
• Preserve evidence from the incident
• Wipe out all effects of the incident
• Identify and mitigate all vulnerabilities that were exploited
• Prevent reoccurrence of the incident
• Review the causes and resolution
• Confirm that operations have been restored to normal
• Create a final report

Incident Response Policy
• Implement an incident response policy supported by the management
• Decide an organizational approach
• Determine the outside notification procedures
• Identify remote connections and include remotely operating employees or contractors
• Identify the members of the incident team and describe their roles, responsibilities, and functions
• Prepare a communication plan to contact the key personnel
• Define and follow a method for reporting and archiving the incidents

Incident Response Plan Checklist
• Does your plan accurately describe the systems it applies to?
• Does your plan include a contact list of key personnel?
• Does your plan include information on roles and responsibilities?
• Does your plan include a diagram of the escalation framework?
• Does your plan include how to contact the agency CSIRC?
• Does your plan list the members of the CSIRT team?
• Does your plan list the members of the CSIRC team?
• Does your plan include a description of incident types?
• Does your plan include guidance on severity levels?
• Does your plan include information on agency security policies?
• Does your plan include incident handling guidelines?

Incident Handling System: RTIR
http://bestpractical.com/rtir/
Request Tracker for Incident Response (RTIR) is an open source incident handling system. It helps in handling incident reports. It allows multiple incident reports to be tied to specific incidents. It makes it easy to launch investigations to work with law enforcement, network providers and other partners to get to the bottom of each incident. Features:
• Incident response workflow
• Easy and clickable metadata lookups
• Scripted action

[Screenshot: RTIR]

RPIER 1st Responder Framework
http://www.ohloh.net/p/rpier-infosec
Regimented Potential Incident Examination Report (RPIER) is a security tool built to facilitate 1st response procedures for incident handling. It is designed to acquire commonly requested information for incident handling. Features:
• Fully configurable GUI
• Auto-update functionality with SHA1 verification
• Results are auto-zipped
• Results are auto-uploaded to a central secured repository
• Email notification
• Pre/post run integrity check
• Command line configuration/execution

[Screenshot: RPIER 1st Responder Framework]

Summary
The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident. An incident response plan consists of a set of instructions to detect and respond to an incident. The incident response plan gathers required resources in an organized manner to address incidents related to the security of a computer system. Preparation is the most important aspect that allows you to respond to an incident before it occurs. Training and awareness provide the skills required to implement incident handling policies. Incident management not only responds to an incident but also prevents the occurrence of future incidents by minimizing the potential damage caused by risks and threats.

EC-Council Certified Incident Handler Version 1
Module IV: CSIRT

News: Council of Europe and OAS Step up Efforts to Counter Terrorism and Strengthen Cyber Security
Source: http://www.egovmonitor.com

Module Objective
This module will familiarize you with:
• CSIRT
• CSIRT Goals and Strategy
• CSIRT Vision
• CSIRT Mission Statement
• CSIRT Constituency
• Types of CSIRT Environments
• Best Practices for Creating a CSIRT
• Roles of CSIRTs
• CSIRT Services
• CSIRT Policies and Procedures
• CSIRT Incident Report Form
• CERT
• CERT(R) Coordination Center: Incident Reporting Form
• World CERTs

Module Flow
CSIRT, CSIRT Goals and Strategy, CSIRT Vision, Types of CSIRT Environments, CSIRT Constituency, CSIRT Mission Statement, Best Practices for Creating a CSIRT, Roles of CSIRTs, CSIRT Services, CERT, CSIRT Incident Report Form, CSIRT Policies and Procedures, CERT(R) Coordination Center: Incident Reporting Form, World CERTs.

Introduction to CSIRT

What is CSIRT
CSIRT stands for Computer Security Incident Response Team. It is a service organization which provides 24x7 computer security incident response services to any user, company, government agency, or organization. It provides a reliable and trusted single point of contact for reporting computer security incidents worldwide. It provides the means for reporting incidents and disseminating important incident-related information.

What is the Need for an Incident Response Team (IRT)
An incident response team helps organizations to recover from computer security breaches and threats. This team is dedicated to understanding the incident response process and taking the necessary actions when needed. It is a formalized team with its major job function being 'performing incident response'. The team consists of experts trained to respond to and handle incidents.

CSIRT Goals and Strategy
Goals of CSIRT:
• To manage security problems by taking a proactive approach towards the customers' security vulnerabilities and by responding effectively to potential information security incidents
• To minimize and control the damage
• To provide or assist with effective response and recovery
• To prevent future security incidents
Strategy of CSIRT:
• It provides a single point of contact for reporting local problems
• It identifies and analyzes what has happened during an incident, including the impact and threat
• It researches solutions and mitigation strategies

CSIRT Vision
• Identify the organization
• Specify the mission, goals, and objectives of the organization
• Select the services to be offered by the CSIRT
• Determine how the CSIRT should be structured for the organization
• Plan the budget required by the organization to implement and manage the CSIRT
• Determine the resources (equipment, staff, infrastructure) to be used by the CSIRT

Common Names of CSIRT
• Computer Incident Response Team (CIRT)
• Incident Handling Team (IHT)
• Incident Response Team (IRT)
• Security Emergency Response Team (SERT)
• Security Incident Response Team (SIRT)

CSIRT Framework
[Figure: CSIRT Framework]

CSIRT Mission Statement
Mission Stat
ementprovidesabasicunderstandingofwhattheteamistryingtoachieveItprovidesafocusfortheoverallgoalsandobjectivesoftheCSIRTCSIRTshoulddefine,document,adhereto,andwidelydistributeaconciseandclearmissionstatementMissionStatementmustbenon-ambiguousandconsistofmaximumthreeorfoursentencesItshouldspecifythemissionwithwhichtheCSIRTischargedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTConstituencyConstituencyistheregionwheretheCSIRTisboundtoserveItmightbedefinedintheformofastatementandmaybesupportedbyalistofdomainnamesCSIRTconstituencymaybeboundedorunboundedbysomeconstraintsCSIRTdefinesitsconstituencyanditsrelationshiptothatconstituencyEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTConstituency(cont’d)TypeofConstituencyServedCSIRTTypeNatureofMissionInternationalCoordinationCenterObtainaknowledgebasewithaglobalperspectiveofcomputersecuritythreatsthroughcoordinationwithotherCSIRTsandbuildinga“weboftrust”amongCSIRTsOtherCSIRTsaroundtheworldCorporationImprovethesecurityofthecorporation’sinformationinfrastructureandminimizethethreatofdamageresultingfromintrusionsSystemandnetworkadministratorsandsystemuserswithinthecorporationTechnicalImprovethesecurityofagivenITproductUsersoftheproductTable:CSIRTTypesWithAssociatedMissionsandConstituencies;Source:www.cert.orgEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTConstituency(cont’d)Theissuesrelatingtotheconstituencythataretobeaddressedare:••••EC-CouncilOverlappingconstituenciesRelationshiptoconstituencyPromotingtheCSIRTtotheconstituencyGainingconstituency’strustCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRT’sPlaceinanOrganizationTheplacethataCSIRTholdsinitsparentorganizationistightlycoupledtoitsstatedmissionItfailswhenplacedunderthesystemadministrationdepartmentofitsparentorganizationCSIRTmayconstituteoftheentiresecurityteamforanorganization,or,maybetotallydistinctfromanorganization’ssecuri
tyteamTheactivitiesofCSIRTcanalsobecarriedoutbytheorganization’ssecurityteamCSIRTmustbewellembeddedwithintheorganization’sbusinessstructureEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRT’sPlaceinanOrganization(cont’d)Itcommonlyresideswithin,orhassomeoverlap,withtheorganization’sITsecuritydepartmentasshowninthefigurebelow:ParentOrganizationSource:www.cert.orgEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRT’sRelationshipwithPeersFigure:CSIRTPeerRelationships,Source:www.cert.orgEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTTypesandRolesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedTypesofCSIRTEnvironmentsInternalCSIRT:•Providesservicestotheirparentorganizationsuchasbank,manufacturingcompany,university,oranygovernmentagenciesNationalCSIRT:•Providesservicestotheentirenation.Forexample,JapanComputerEmergencyResponseTeamCoordinationCenter(JPCERT/CC)VendorCSIRT•IdentifiesvulnerabilitiesinsoftwareandhardwareproductsGovernmentalsectorCSIRT•ProvidesservicestogovernmentagenciesandtothecitizensinsomecountriesMilitarysectorCSIRT•ProvidesservicestomilitaryorganizationswithresponsibilitiesforITinfrastructureSmall&MediumEnterprises(SME)SectorCSIRT•ProvidesitsservicestoitsownbusinessbranchorsimilarusergroupEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedBestPracticesforcreatingaCSIRT12345678EC-Council•Obtainmanagementsupportandbuy-in•DeterminetheCSIRTstrategicplan•Gatherrelevantinformation•DesigntheCSIRTvision•CommunicatetheCSIRTvisionandoperationalplan•BeginCSIRTimplementation•AnnouncetheoperationalCSIRT•EvaluateCSIRTeffectivenessCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedStep1:ObtainManagementSupportandBuy-inWithoutmanagementapprovalandsupport,creatinganeffectiveincidentresponsecapabilitycanbedifficultandproblematicConsiderthattheteamisestablished:•Howisitmaintaineda
ndexpandedwithbudget,personnel,andequipmentresources?•WilltheroleandauthorityoftheCSIRTcontinuetobebackedbymanagementacrossthevariousconstituenciesorparentorganization?EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedStep2:DeterminetheCSIRTDevelopmentStrategicPlanAretherespecifictimeframestobemet?Aretheyrealistic,andifnot,cantheybechanged?Isthereaprojectgroup?Wheredothegroupmemberscomefrom?HowdoyoulettheorganizationknowaboutthedevelopmentoftheCSIRT?Ifyouhaveaprojectteam,howdoyourecordandcommunicatetheinformationyouarecollecting,especiallyiftheteamisgeographicallydispersed?EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedStep3:GatherRelevantInformationMeetwiththekeystakeholderstodiscusstheexpectations,strategicdirection,definitions,andresponsibilitiesoftheCSIRTThestakeholderscaninclude:••••••BusinessmanagersRepresentativesfromITRepresentativesfromthelegaldepartmentRepresentativesfromhumanresourcesRepresentativesfrompublicrelationsAnyexistingsecuritygroups,includingphysicalsecurity•AuditandriskmanagementspecialistsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedStep4:DesignyourCSIRTVisionIncreatingyourvision,youshould:•Identifyyourconstituency:WhodoestheCSIRTsupportandgiveserviceto?•DefineyourCSIRTmission,goals,andobjectives:WhatdoestheCSIRTdofortheidentifiedconstituency?•SelecttheCSIRTservicestoprovidetotheconstituency(orothers):HowdoestheCSIRTsupportitsmission?•Determinetheorganizationalmodel:HowistheCSIRTstructuredandorganized?•Identifyrequiredresources:Whatstaff,equipment,andinfrastructureareneededtooperatetheCSIRT?•DetermineyourCSIRTfunding:HowistheCSIRTfundedforitsinitialstartupanditslong-termmaintenanceandgrowth?EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedStep5:CommunicatetheCSIRTVisionCommunicatetheCSIRT’svisionandoperationalplantomanagement,constituency,andotherswhoneedtoknowandunderstanditsoperationsAsappropriate,makeadjus
tmentstotheplanbasedontheirfeedbackEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedStep6:BeginCSIRTImplementationHireandtraininitialCSIRTstaffBuyequipment,andbuildanynecessarynetworkinfrastructuretosupporttheteamDeveloptheinitialsetofCSIRTpoliciesandprocedurestosupportyourservicesDefineandbuildanincident-trackingsystemDevelopincident-reportingguidelinesandformsforyourconstituencyEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedStep7:AnnouncetheCSIRTWhentheCSIRTisoperational,announceittotheconstituencyorparentorganizationItisbestifthisannouncementismadebythesponsoringmanagementIncludethecontactinformationandhoursofoperationfortheCSIRTintheannouncementThisisanexcellenttimetomaketheCSIRTincidentreportingguidelinesavailableEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedStep8:EvaluateCSIRTEffectivenessOnceCSIRTisoperational,themanagementdeterminestheeffectivenessoftheteamandusesevaluationresultstoimproveCSIRTprocessesItmustensurethattheteamismeetingtheneedsoftheconstituencyTheCSIRT,inconjunctionwithmanagementandtheconstituency,willneedtodevelopamechanismtoperformsuchanevaluationEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedRoleofCSIRTsCSIRTsprovideITsecurityincidentcenteredservicetotheirconstituency,suchas:prevention,detection,correction,repression,orcreatingawarenessbuildingTheCSIRTsservicesfocusonattacksthatarepropagatedviatheInternetthattunneltheirwaytoextranets,intranets,andcomputersystemsTheCSIRTreportspreventivemeasuresalongwiththeidentifiedvulnerabilitiestoitsconstituencyTheCSIRTsprovidebestkindofserviceslike:•Awarenessbuilding•Detection•CorrectionEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedRolesinanIncidentResponseTeamExceptforsomecommonroles,therolesinanIRTaredistinctforeveryorganization:IncidentCoordinator(IC)•TheICconnectsdifferentgroups•He/shelinksthegroupsthatareaffectedbythenicidents,
suchaslegal,humanresources,differentbusinessareas,andmanagementIncidentManager(IM)•TheIMfocusesontheincidentandhandlesitfrommanagementandtechnicalpointofviewEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedRolesinanIncidentResponseTeam(cont’d)IncidentAnalyst(IA)•Incidentanalystsarethetechnicalexpertsintheirparticulararea•TheIAappliestheappropriatetechnologyandtriestoeradicateandrecoverfromtheincidentConstituency•Theconstituencyisnotapartoftheincident-responseteamitself,butisastakeholderintheincidentAdministration•Ensuresthatthefoundation’sofficesarereturnedtonormaloperationsasquicklyaspossible•AssistsinthedevelopmentofanalternatesiteasnecessaryEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedRolesinanIncidentResponseTeam(cont’d)HumanResources•TheHRisresponsibleforthe“human”aspectsofhtedisasterincludingpost-eventcounselingandnext-of-kinnotification•ItanswersquestionsrelatedtocompensationandbenefitsPublicRelations•ThePRisresponsiblefordevelopingthemediamessagesregardinganyevent•Itisresponsibleforallstakeholdercommunicationsincludingtheboard,foundationpersonnel,donors,granteessuppliers/vendors,andthemediaEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedRolesinanIncidentResponseTeam(cont’d)CSIRTICactsasalinkbetweendifferentgroups(IC)IncidentCoordinatorHandlesanincidentfrommanagementandtechnicalpointofviewEradicatesandrecoversfromtheincidentEC-CouncilItisastakeholderintheincidentConstituencyAdministration(IM)IncidentManagerResponsibleforhumanaspectsofdisasterHumanResourcesEnsuresthattheofficeoperationsreturntoanormalsituation(IA)IncidentAnalystResponsibleforstakeholderCommunicationsPublicRelationsCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedRolesinanIncidentResponseTeam(cont’d)Otherrolesmayinclude:•••••••••••EC-CouncilSupportstaffTechnicalwritersNetworkorsystemadministrators,CSIRTinfrastructurestaffProgrammersordevelopers(tobuildCSIRTtools)Webdeve
lopersandmaintainersMediarelationsLegalorparalegalstafforliaisonLawenforcementstafforliaisonAuditorsorqualityassurancestaffMarketingstaffCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTServices,Policies,andProceduresEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTServicesCSIRTservicesaregroupedintothefollowingthreecategories:•Reactiveservices•Proactiveservices•SecurityqualitymanagementservicesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedReactiveServicesThereactiveservicesprocesstherequestsforassistanceTheyrespondtoincidentsreportsfromtheCSIRTconstituencyTheyidentifyandrectifyanythreatsorattacksagainsttheCSIRTsystemsTheservicesprovidedinclude:••••EC-CouncilAlertsandwarningsIncidenthandlingVulnerabilityhandlingArtifacthandlingCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedProactiveServicesTheservicesimprovetheinfrastructureandsecurityprocessesoftheconstituencybeforeanyincidentoccursTheservicesprovidedinclude:••••AnnouncementsTechnologywatchSecurityauditorassessmentConfigurationandmaintenanceofsecuritytools,applications,infrastructures,andservices•Developmentofsecuritytools•Intrusiondetectionservices•Security-relatedinformationdisseminationEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSecurityQualityManagementServicesThesecurityqualitymanagementservicesareestablishedservicesdesignedtoimprovetheoverallsecurityofanorganizationTheseservicesincorporatefeedbackandlessonslearnedbasedonknowledgegainedbyrespondingtoincidents,vulnerabilities,andattacksTheservicesinclude:••••••EC-CouncilRiskanalysisBusinesscontinuityanddisasterrecoveryplanningSecurityconsultingAwarenessbuildingEducation/trainingProductevaluationorcertificationCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTPoliciesandProceduresPoliciesarethegoverningprinciplesadoptedbytheorganizationsorteams•Thepoliciesofanorganizationne
edtobeclearlystatedPoliciesandproceduresareinterrelatedProceduresdetailhowateamenactsactivitieswithintheboundariesofitspolicies•ProceduresmakeapolicysuccessfulMembersofanorganizationshouldclearlyunderstandpoliciesandproceduresinordertoimplementthemEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTPoliciesandProcedures(cont’d)Apolicycanbedefinedwith:••••••EC-CouncilAttributesContentValidationImplementationMaintenance,andEnforcementCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAttributesApolicyshouldbedefinedasasetofdetailedproceduresItshouldoutlineessentialcharacteristicsforaspecifictopicareainthemannerthatnecessaryinformationisprovidedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAttributes(cont’d)Source:www.sei.cmu.eduEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedContentThecontentofapolicyismainlyadefinitionofbehaviorinacertaintopicareaItdefinesthefeaturesthataretheboundaryconditionsforanypolicydefinitionThepolicycontentfeaturesarelistedinthefollowingtable:EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedContent(cont’d)Source:www.sei.cmu.eduEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedValidityAfterapolicyhasbeendefined,itisadvisabletocheckitsvalidityinpracticebeforeactuallyimplementingitValiditycheckfindsoutifalltheideasinthepolicycanactuallybetranslatedintoreal-lifebehaviorEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedImplementation,Maintenance,andEnforcementAftervalidatingthepolicy,feedbackshouldbegiventothepolicymakerssothattheycanmakerevisionsOncethepolicyisrevisedbasedonthefeedbackanditisensuredthatthepolicydoesnotrequirefurtherchanges;thepolicycanbeimplementedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedHowCSIRTHandlesaCaseKeepalogbookInformtheappropriatepeopleMaintainalistofcontactsRel
easetheinformationFollowupanalysisReportEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCSIRTIncidentReportFormEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIncidentTrackingandReportingSystemsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedApplicationforIncidentResponseTeams(AIRT)http://airt.leune.com/AIRTisaweb-basedapplicationdesignedanddevelopedtosupportthedaytodayoperationsofacomputersecurityincidentresponseteamItsupportshighlyautomatedprocessingofincidentreportsandfacilitatescoordinationofmultipleincidentsbyasecurityoperationscenterFeatures:••••EC-CouncilIdentifyownersofnetworksTrackincidentsAutomaticallyimportincidentreportsPrepareoutgoingemailsbasedonincidenttemplatesCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAIRT:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAIRT:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedBMCRemedyActionRequestSystemhttp://www.bmc.com/BMCRemedyActionRequestSystemprovidesaconsolidatedserviceprocessmanagementplatformforautomatingandmanagingservicemanagementbusinessprocessesFeatures:•Automatesservicemanagementbusinessprocesses•Integratesprocesseswithsystemsacrosstheenterprise•Adaptsandevolvesyourprocessestocontinuallyalignwiththeneedsofthebusiness•Managesbusinessprocessperformanceinreal-time•Replacesoutdatedmanualsystemswithprocessautomationthatspeedsthehandlingofuniqueprocesses•Rapidlyprototypes,deploys,maintains,anditeratesServiceManagementapplications•CapturesandtrackscriticalbusinessdataEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedBMCRemedyActionRequestSystem:ScreenshotEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedPGPDesktopEmailhttp://www.pgp.com/PGPDesktopEmailprovidesenterpriseswithanautomatic,transparentencryptionsolutionforsecuringinterna
landexternalconfidentialemailcommunicationsWithPGPDesktopEmail,organizationscanminimizetheriskofadatabreachandcomplywithpartnerandregulatorymandatesforinformationsecurityandprivacyFeatures:•Easy,automaticoperation•Protectssensitiveemailwithoutchangingtheuserexperience•Enforcedsecuritypolicies•Enforcedataprotectionautomaticallywithcentrallymanagedpolicies•Accelerateddeployment•Achievesend-to-endemailencryptionusingtheexistinginfrastructure•Reducedoperationcosts•ResultfromcentralizedautomationofemailencryptionpoliciesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedPGPDesktopEmail(cont’d)EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedTheGNUPrivacyGuard(GnuPG)http://www.gnupg.org/GnuPGistheGNUproject'scompleteandfreeimplementationoftheOpenPGPstandardasdefinedbyRFC4880Itallowstoencryptandsignyourdataandcommunication,featuresaversatilekeymanagementsystemaswellasaccessmodulesforallkindofpublickeydirectoriesFeatures:••••DoesnotuseanypatentedalgorithmsCanbeusedasafilterprogramDecryptsandverifiesPGP5,6and7messagesSupportsElGamal,DSA,RSA,AES,3DES,Blowfish,Twofish,CAST5,MD5,SHA-1,RIPE-MD-160andTIGER•SupportskeyandsignatureexpirationdatesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedListservhttp://www.lsoft.com/ListservisemaillistmanagementsoftwareItprovidesthepower,reliability,andenterprise-levelperformanceyouneedtomanageallyouropt-inemaillistsItsWebinterfacesimplifiesemaillistandservermanagement,allowingyoutocontrolyourlistsandadministeryourserverfromanywhereontheInternetEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedListserv(cont’d)Featuresandbenefits•Listownerfeatures:••••••SupportsalllisttypesAutomaticsubscriptionsAutomaticbouncehandlingPersonalizationSearchablewebarchivesRSSsupport•Siteadministratorfeatures••••••EC-CouncilMultiplelicensesizesVirusprotectionDeliverabilitySpamcontrolDatabaseconnectivityCustomizablewebinterfaceCopyright©b
yEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedListserv:ScreenshotEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCERTEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCERTCERTstandsforCommunityEmergencyResponseTeam(CERT)CERTprogramhelpstotrainpeopletobebetterpreparedtorespondtoemergencysituationsintheircommunitiesCERTmemberscanprovidecriticalsupporttofirstrespondersby:•Providingimmediateassistancetovictims•OrganizingspontaneousvolunteersatadisastersiteEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCERT-CCSource:http://www.cert.org/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCERT(R)CoordinationCenter:IncidentReportingFormSource:http://www.cert.org/reporting/incident_form.txtEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCERT:OCTAVEOCTAVEstandsforOperationallyCriticalThreat,Asset,andVulnerabilityEvaluationItisasetoftools,techniques,andmethodsforrisk-basedinformationsecuritystrategicassessmentandplanningTherearethreeoctavemethods:•OCTAVEMethod•OCTAVE-S•OCTAVE-AllegroEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedOCTAVEMethodOCTAVEmethodusesathree-phasedapproachtoexamineorganizationalandtechnologyissuesItcomprisesofaseriesofworkshopsthatareconductedbyinterdisciplinaryanalysisteamofthreetofivepersonsoftheorganizationThismethodfocuseson:•Identifyingcriticalassetsandthethreatstothoseassets•Identifyingthevulnerabilities,bothorganizationalandtechnological,thatexposethosethreats,creatingrisktotheorganization•Developingapractice-basedprotectionstrategyandriskmitigationplanstosupporttheorganization'smissionandprioritiesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedOCTAVEMethod(cont’d)EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedOCTAVE-SOCTAVE-Susesamorestreamlinedprocessanddifferentwork
sheetsbutproducesthesameresultastheOCTAVEmethodItrequiresateamof3-5peoplehavingunderstandingonalltheaspectsofthecompanyThisversiondoesnotstartwithgatheringtheinformationregardingimportantassets,securityrequirements,threats,andsecuritypracticesTheassumptionisthattheanalysisteamisawareofthisinformationOCTAVE-SincludesonlyalimitedexplorationofthecomputinginfrastructureEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedOCTAVEAllegroOCTAVEAllegroisastreamlinedvariantoftheOCTAVEmethodthatfocusesoninformationassetsItcanbeperformedinaworkshop-style,collaborativesettingItdoesnotsuitforindividualswhowanttoperformriskassessmentwithoutextensiveorganizationalinvolvement,expertise,orinputItfocusesmainlyontheinformationassetsTheassetsoftheorganizationareidentifiedandassessedbasedontheinformationassetstowhichtheyareconnectedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedOCTAVEAllegro(cont’d)OCTAVEAllegroconsistsofeightstepsorganizedintofourphases:•Phase1-Assessmentparticipantsdevelopriskmeasurementcriteriaconsistentwithorganizationaldrivers:theorganization'smission,goalobjectives,andcriticalsuccessfactors•Phase2-Participantscreateaprofileofeachcriticalinformationassetthatestablishesclearboundariesfortheasset,identifiesitssecurityrequirements,andidentifiesallofitscontainers•Phase3-Participantsidentifythreatstoeachinformationassetinthecontextofitscontainers•Phase4-ParticipantsidentifyandanalyzeriskstoinformationassetsandbegintodevelopmitigationapproachesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedOCTAVEAllegro(cont’d)EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedWorldCERTsAsiaPacificCERTs••••••••••AustraliaCERT(AUSCERT)HongKongCERT(HKCERT/CC)IndonesianCSIRT(ID-CERT)JapanCERT-CC(JPCERT/CC)KoreaCERT(CERT-KR)MalaysiaCERT(MyCERT)PakistanCERT(PakCERT)SingaporeCERT(SingCERT)TaiwanCERT(TWCERT)ChinaCERT(CNCERT/CC)NorthAmericanCERTs•••••CERT-CCUS-CERTCana
dianCertCancertForumofIncidentResponseandSecurityTeams•FIRSTEC-CouncilSouthAmericanCERTs•CAIS•CAIS-BrazilianResearchNetworkCSIRT•NICBRSecurityOfficeBrazilianCERT•NBSEuropeanCERTs•••••••••EuroCERTFUNETCERTCERTADFN-CERTJANET-CERTCERT-NLUNINETT-CERTCERT-NASKSwissAcademicandResearchNetworkCERTCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAustraliaCERT(AUSCERT)Source:http://www.auscert.org.au/index.htmlEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedHongKongCERT(HKCERT/CC)Source:http://www.hkcert.orgEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIndonesianCSIRT(ID-CERT)Source:http://www.cert.or.id/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedJapanCERT-CC(JPCERT/CC)EC-CouncilSource:http://www.jpcert.or.jp/english/Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedMalaysianCERT(MyCERT)Source:http://www.mycert.org.my/en/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIndianCERTEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedPakistanCERT(PakCERT)Source:http://www.pakcert.org/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSingaporeCERT(SingCERT)Source:http://www.singcert.org.sg/index.php?option=com_mjfrontpage&Itemid=30EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedTaiwanCERT(TWCERT)Source:http://www.cert.org.tw/eng/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedChinaCERT(CNCERT/CC)Source:http://www.cert.org.cn/english_web/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedUS-CERTSource:http://www.us-cert.gov/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedGovernmentForumofIncidentResponseandSecurityTeams(GFIRST)GFIRSTisagroupoftechnicalandtacticalpractitionersofsecurityresponseteamsresponsib
leforsecuringgovernmentinformationtechnologysystemsGFIRSTmembersworktogethertounderstandandhandlecomputersecurityincidentsandtoencourageproactiveandpreventativesecuritypracticesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCanadianCertEC-CouncilSource:http://www.ewa-canada.com/index.phpCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedForumofIncidentResponseandSecurityTeamsEC-CouncilSource:http://www.first.org/Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCAIS/RNPSource:http://www.rnp.br/en/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedNICBRSecurityOfficeBrazilianCERTSource:http://www.nic.br/imprensa/clipping/2008/midia412.htmEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEuroCERTSource:http://www.eurocert.ie/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedFUNETCERTSource:http://www.csc.fiEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSURFnet-CERTSource:http://cert.surfnet.nl/home-eng.htmlEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedDFN-CERTSource:http://www.dfn-cert.de/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedJANET-CERTEC-CouncilSource:http://www.ja.net/index.htmlCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCERTPOLSKAEC-CouncilSource:http://www.cert.plCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSwissAcademicandResearchNetworkCERTSource:http://www.switch.ch/cert/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedhttp://www.first.org/about/organization/teams/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedhttp://www.apcert.org/about/structure/members.htmlEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIRTsAroundtheWorld
Copyright2004CarnegieMellonUniversityCERT®andCERTCoordinationCenter®areregisteredintheU.S.PatentandTrademarkoffice.EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSummaryCSIRTisaserviceorganizationwhichprovides24x7computersecurityincidentresponseservicestoanyuser,company,governmentagency,ororganizationCSIRTshoulddefine,document,adhereto,andwidelydistributeaconciseandclearmissionstatementConstituencyistheregionoverwhichtheCSIRTisboundtoserveCSIRTmayconstitutetheentiresecurityteamforanorganizationormaybetotallydistinctfromanorganization’ssecurityteamCERTprogramhelpstrainpeopletobebetterpreparedtorespondtoemergencysituationsintheircommunitiesSecurityaccreditationreferstotheacceptanceandmanagementofriskEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSampleEC-CouncilCertifiedIncidentHandlerVersion1ModuleIIntroductiontoIncidentResponseandHandlingBatchPDFMergerNews:NumberofReportedCyberIncidentsJumpsFederalcivilianagenciesreportedthreetimesasmanycyber-relatedincidentsinfiscal2008astheydidinfiscal2006totheHomelandSecurityDepartment'sofficethatcoordinatesdefensesandresponsestocyberattacks.Meanwhile,anofficialsaystheofficesuspectstheactualnumberofcyberincidentsishigher.TheagenciesreportedtoDHS’UnitedStatesComputerEmergencyReadinessTeam(US-CERT)atotalof18,050incidentsinfiscal2008,comparedwith12,986infiscal2007and5,144infiscal2006,accordingtoDHSofficials.Overall,thetotalnumberofincidentsreportedtoUS-CERTfromcommercial,foreign,private,andfederal,stateandlocalgovernmentsectorsrosefrom24,097infiscal2006to72,065infiscal2008.TheFederalInformationSecurityManagementActrequiresagenciestoreportcyberincidents,whicharedefinedasactsthatviolatecomputersecurityoracceptable-usepolicies.Thetypesofincidentsincludeunauthorizedaccess,denialofservice,maliciouscode,impro
per usage, and scans, probes and attempted access. Mischel Kwon, US-CERT's director, said that the numbers represent both an increase in malware and improvements in the capabilities of US-CERT and agencies to detect and report cyber incidents. "As we mature and become more robust, and we deploy more tools, incident numbers will go up," she said. "Both parts of the story are true: There is an increase in mal events, and there is an increase in capabilities in order to detect those mal events." Kwon added that the numbers were a bit deceiving because the reports are based on manual reporting by agencies and that there are few security operations centers that monitor federal agency networks. She said agencies don't have the tools or analysts to review data to determine if incidents have occurred.
Source: http://fcw.com/

EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Cyber Incident Statistics
[Chart: number of cyber incidents reported to DHS' United States Computer Emergency Readiness Team, by year (2006, 2007, 2008); vertical axis 0 to 20,000.]
Source: http://fcw.com/

Incidents and Events by Category
[Pie charts for FY08 Q4 and FY09 Q1. Categories: Unauthorized Access; Malicious Code; Improper Usage; Scans, Probes and Attempted Access; Under Investigation. The largest slice is 77% in FY08 Q4 and 73% in FY09 Q1; the remaining slices are between 4% and 10%.]
Source: Cyber Security Trends, Quarterly Trends and Analysis Report, http://www.us-cert.gov/

Top Five Incidents
[Pie charts for FY08 Q4 and FY09 Q1. Categories: Phishing; Malware; Policy Violation; Non-Cyber; Suspicious Network Activity; Others. The largest slice is 72% in FY08 Q4 and 70% in FY09 Q1; the remaining slices are between 4% and 10%.]
Source: Cyber Security Trends, Quarterly Trends and Analysis Report, http://www.us-cert.gov/

Case Study: Incident Handling and Response
The Case: Xconsoft, a major software developer located in New Jersey, realized that sensitive information from folders shared across its network was being accessed by unauthorized people and leaked to third parties.
The Challenges: Loss of the proprietary information could result in huge financial losses. The company hired an established consultant for incident handling and response. The major challenges in front of the consultants were to contain the damage, assess the losses, and identify the perpetrators.
The Result: After conducting a network-wide search for specific keywords and file names, the consultant advised the company to isolate the systems that contained sensitive information and took possession of suspected systems for further analysis. After going through a complete incident handling and response cycle, and with the help of a computer forensics investigator, the company was able to trace the culprits. The consultant advised the company to develop and implement effective network security policies and deploy intrusion detection tools to defend itself from various information security incidents.
Can the risks involved in engaging third-party consultants not effectively counter the apprehension about ROI in developing an in-house incident handling and response team?

Module Objective
This module will familiarize you with:
• Computer Security Incident
• Data Classification
• Information Warfare
• Key Concepts of Information Security
• Types of Computer Security Incidents
• Signs of an Incident
• Incident Response
• Incident Handling
• Incident Reporting Organizations

Module Flow
Computer Security Incident; Data Classification; Key Concepts of Information Security; Information Warfare; Types of Computer Security Incidents; Signs of an Incident; Incident Handling; Incident Response; Incident Reporting Organizations

Computer Security Incident
A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks (Source: www.cert.org).
It is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Statistics: Different Sources of Security Incidents
[Chart; the data values are not reproduced in the text.]
Source: Outlook Journal, January 2008, www.accenture.com
Information as Business Asset
An information asset is a piece of information that is important for any business process. The loss of information may affect the investment of the organization in different business activities. An information asset can be a trade secret, patent information, employee/personnel information, or an idea to develop the business for an organization.
Characteristics of Information Assets:
• It is recognized to be of value to the organization
• It requires cost, skill, time, and resources
• It is a part of the organization's corporate identity

Data Classification
Data classification is the process of classifying data based on the level of sensitivity as it is created, modified, improved, stored, or transmitted. Data classification helps in identifying the data for business operations.
Data can be classified into five levels:
• Top secret
• Confidential information
• Proprietary information
• Information for internal use
• Public documents

Common Terminologies
Information System:
• An information system processes data into useful information to achieve specified organizational or individual goals
• It accepts, processes, and stores data in the form of records in a computer system and automates some of the information processing activities of the organization
Information Owner:
• The information owner is the initial owner who is capable of creating and storing information
Information Custodian:
• The information custodian is responsible for implementing and controlling the security measures of an information system

Information Warfare
The term Information Warfare or Infowar refers to the use of information and information systems as weapons in a conflict in which the information and information systems themselves are the targets.
Information warfare is divided into two categories:
• Offensive information warfare, where an adversary attacks the information resources to gain undue advantage
• Defensive information warfare, which is an attempt to protect the information assets against attacks

Key Concepts of Information Security
Confidentiality:
• Refers to the prevention of the unauthorized access, disclosure, and use of information; a part of the broader concept of privacy
• Confidentiality is maintained through user authentication and access control
Integrity:
• Refers to the reliability and trustworthiness of the information
• Prevention of unauthorized changes to the data
Availability:
• Guarantee of access to resources
• Is a critical function for companies that rely on electronic data and communications

Vulnerability, Threat, and Attack
Vulnerability:
• Existence of a weakness in design or implementation that can lead to an unexpected, undesirable event compromising the security of the system
Threat:
• A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS)
Attack:
• An assault on system security that is derived from an intelligent threat

Types of Computer Security Incidents
Malicious code attacks:
• Includes viruses, Trojans, worms, and malicious script attacks used by attackers to gain privileges, capture passwords, and modify audit logs to perform unauthorized activity on the victim's systems
Unauthorized access:
• Includes various activities, from improperly logging into a user's account to gaining unauthorized access to files and directories by obtaining administrator privileges
Unauthorized use of services:
• Users may attempt to transfer files without authorization or use inter-domain access mechanisms to access files and directories belonging to another organization's domain

Types of Computer Security Incidents (cont'd)
Fraud and theft:
• Information systems can be exploited by automating traditional methods of fraud
Employee sabotage and abuse include:
• Destroying hardware or facilities
• Planting logic bombs that destroy programs or data
• Intentionally entering incorrect data
• Crashing systems
• Intentionally deleting and changing data
Misuse:
• A condition in which someone uses computer resources for an illegitimate purpose, such as storing personal information on an official computer

Examples of Computer Security Incidents
[Figure only.]

Verizon Data Breach Investigations Report - 2008
Who is behind data breaches?
[Chart; the data values are not reproduced in the text.]
Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com

Verizon Data Breach Investigations Report - 2008 (cont'd)
How do breaches occur?
• 62% were attributed to a significant error
• 59% resulted from hacking and intrusions
• 31% incorporated malicious code
• 22% exploited a vulnerability
• 15% were due to physical threats
Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com

Verizon Data Breach Investigations Report - 2008 (cont'd)
Sources of Data Breaches
External:
• Intuitively, external threats originate from sources outside the organization
Internal:
• Internal threat sources are those originating from within the organization
Partner:
• Partners include any third party sharing a business relationship with the organization
Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com

Incidents That Required the Execution of Disaster Recovery Plans
[Bar chart, % of respondents: twelve bars ranging from 59% down to 7%; the incident categories on the axis are not recoverable from the text.]
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/

Signs of an Incident
Accurately detecting and assessing incidents is the most challenging and essential part of the incident response process.
Typical indications of security incidents include:
• A system alarm, or similar indication from an intrusion detection system
• An attempt to log on to a new user account
• A DoS attack, or users not able to log in to an account
• System crashes, or poor system performance
• Unauthorized operation of a program, or a sniffer device to capture network traffic
• Suspicious entries in system or network accounting, or other accounting inconsistencies

Signs of an Incident (cont'd)
Signs of an incident fall into one of two categories:
• A precursor is a sign that an incident may happen in the future
• An indication is a sign that an incident has already occurred or may be in progress
Examples of precursors are:
• Web server log entries that show the usage of a web vulnerability scanner
• An announcement of a new exploit that targets a vulnerability of the organization's mail server
• A threat from a hacktivist group stating that the group will attack the organization
Examples of indications are:
• The antivirus software alerts when it detects that a host is infected with a worm
• A user calls the help desk to report a threatening email message
• IDS and IPS system logs indicating an unusual deviation from typical network traffic flows

Incident Categories
There are three categories of incidents:
Low level
Middle level
High level

Incident Categories: Low Level
Low level incidents are the least severe kind of incidents. They should be handled within one day after the event occurs.
Low level incidents include:
• Loss of personal password
• Unsuccessful scans and probes
• Request to review security logs
• Presence of any computer virus or worms
• Failure to download anti-virus signatures
• Suspected sharing of the organization's accounts
• Minor breaches of the organization's acceptable usage policy

Incident Categories: Middle Level
The incidents at this level are comparatively more serious and thus should be handled the same day the event occurs.
Middle level incidents include:
• In-active external/internal unauthorized access to systems
• Violation of special access to a computer or computing facility
• Unfriendly employee termination
• Unauthorized storing and processing of data
• Destruction of property related to a computer incident
• Localized worm/virus outbreak
• Personal theft of data related to a computer incident
• Computer viruses or worms of comparatively larger intensity
• Illegal access to buildings
• Breach of the organization's acceptable usage policy

Incident Categories: High Level
High level incidents should be handled immediately after the incident. They pose an immediate threat to various systems that can lead to criminal charges, regulatory fines, or a bad name for the organization.
These include:
• Denial of Service attacks
• Suspected computer break-in
• Computer viruses or worms of the highest intensity, e.g. Trojan, backdoor
• Changes to system hardware, firmware, or software without authentication
• Destruction of property exceeding $100,000
• Personal theft exceeding $100,000 and illegal electronic fund transfer or download/sale
• Any kind of pornography, gambling, or violation of any law

Incident Prioritization
Prioritizing the handling of incidents is critical for the incident handling process. Incidents should not be handled on a first-come, first-served basis.
Prioritize the incidents based on two factors:
• Current and potential technical effect of the incident
• Criticality of the affected resources

Incident Response
Incident response is a process of responding to incidents that may have occurred due to a security breach in the system or network. It plays a major role when the security of the system is compromised. The goal of incident response is to handle the incidents in a way that minimizes the damage and reduces recovery time and costs.
It includes:
• Responding to incidents systematically so that the appropriate steps are taken
• Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
• Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data
• Dealing properly with legal issues that may arise during incidents

Incident Handling
Incident handling involves all the processes, logistics, communications, coordination, and planning needed to respond to and overcome an incident efficiently. Incident handling helps to find out trends and patterns of the intruder's activity. Incident handling procedures help network administrators in recovery, containment, and prevention of incidents. Incident handling policies help the corresponding staff to understand the process of responding to and tackling unexpected threats and security breaches.

Use of Disaster Recovery Technologies
Which of the following technology types do you have, and which are covered by the DR Plan?
[Bar chart with two series per technology type, "Have in Organization" and "Covered by DR Plan"; values range from 92% down to 24%; the technology names are not recoverable from the text.]
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/

Impact of Virtualization on Incident Response and Handling
Do you test virtual servers as part of your disaster recovery plan?
Yes: 73%
No: 27%
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/

Impact of Virtualization on Incident Response and Handling (cont'd)
How are your organization's data and mission critical applications protected in the virtual environment?
[Bar chart; eight bars with values between 27% and 59%; the protection methods on the axis are not recoverable from the text.]
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/

Estimating Cost of an Incident
Tangible Cost:
• Lost productive hours
• Investigation and recovery cost
• Loss of business
• Loss or theft of resources
Intangible Cost:
• Damage to corporate reputation
• Loss of goodwill
• Psychological damage
• Those directly impacted may feel victimized
• May impact morale or initiate fear
• Legal liability
• Effect on shareholder value
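The Signs of an Incident (cont'd) slide earlier in this module separates precursors (a web vulnerability scanner showing up in web server logs) from indications (antivirus and IDS alerts). The Python below is an added example and not EC-Council course material; it applies that distinction to a few constructed log lines. The scanner User-Agent markers, the 404 burst threshold and the AV-ALERT/IDS-ALERT line format are assumptions chosen for the demonstration.

```python
"""Sort a batch of log lines into precursors and indications (added example)."""
import re
from collections import defaultdict

# Constructed sample: Apache combined-format web server lines followed by two
# alert lines in an assumed "TYPE key=value" format. No line comes from a real
# system; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2009:14:03:11 +0000] "GET / HTTP/1.1" 200 2312 "-" "Mozilla/5.0 (Windows NT 6.0)"
203.0.113.7 - - [10/Jun/2009:14:03:12 +0000] "GET /login HTTP/1.1" 200 1840 "-" "Mozilla/5.0 (Windows NT 6.0)"
198.51.100.23 - - [10/Jun/2009:14:05:01 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.03)"
198.51.100.23 - - [10/Jun/2009:14:05:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.03)"
198.51.100.23 - - [10/Jun/2009:14:05:02 +0000] "GET /backup/ HTTP/1.1" 404 512 "-" "Mozilla/5.00 (Nikto/2.03)"
192.0.2.55 - - [10/Jun/2009:14:06:40 +0000] "GET /old/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.55 - - [10/Jun/2009:14:06:41 +0000] "GET /test/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.55 - - [10/Jun/2009:14:06:41 +0000] "GET /dev/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.55 - - [10/Jun/2009:14:06:42 +0000] "GET /tmp/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Macintosh)"
AV-ALERT host=ws-041 detected=W32.ExampleWorm action=quarantined
IDS-ALERT sensor=dmz-1 signature=outbound-smb-volume-anomaly src=10.0.0.17
"""

COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed signatures: product names that common web vulnerability scanners put
# in their User-Agent header (matched case-insensitively).
SCANNER_UA_MARKERS = ("nikto", "nessus", "w3af", "acunetix", "sqlmap")

# Assumed threshold: this many 404 responses to one client in the sample
# window is treated as probing for hidden resources.
PROBE_404_THRESHOLD = 4


def parse_web_line(line):
    """Return the fields of one combined-format line, or None if it is not one."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(log_text):
    """Return (category, reason, evidence) tuples; category is 'precursor',
    'indication' or 'unparsed', following the slide's two definitions."""
    findings = []
    scanner_clients = set()
    not_found = defaultdict(int)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Alert lines report something that has already happened: indications.
        if line.startswith("AV-ALERT "):
            findings.append(("indication", "antivirus reports an infected host", line))
            continue
        if line.startswith("IDS-ALERT "):
            findings.append(("indication", "IDS reports a deviation from normal traffic", line))
            continue
        rec = parse_web_line(line)
        if rec is None:
            findings.append(("unparsed", "line does not match the combined log format", line))
            continue
        ua = rec["ua"].lower()
        # A scanner User-Agent is reported once per client, not once per request.
        if any(marker in ua for marker in SCANNER_UA_MARKERS) and rec["ip"] not in scanner_clients:
            scanner_clients.add(rec["ip"])
            findings.append(("precursor", f"web vulnerability scanner User-Agent from {rec['ip']}", line))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    # A burst of 404s from a client that did not announce itself as a scanner.
    for ip, count in not_found.items():
        if count >= PROBE_404_THRESHOLD and ip not in scanner_clients:
            findings.append(("precursor", f"{count} requests for missing resources from {ip}", f"client {ip}"))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {"precursor": 0, "indication": 0, "unparsed": 0}
    for category, _, _ in findings:
        counts[category] += 1
    return counts


if __name__ == "__main__":
    for category, reason, evidence in classify(SAMPLE_LOG):
        print(f"{category:<10} {reason}\n           {evidence}")
    print(summarize(classify(SAMPLE_LOG)))
```

On the sample the scanner client and the probing client each produce one precursor and the two alert lines two indications; the two ordinary requests from 203.0.113.7 produce nothing. In practice the precursors would go to whoever prioritizes patching and monitoring, the indications straight into the incident handling process.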
Key Findings of Symantec Global Disaster Recovery Survey - 2009
The average cost of executing/implementing disaster recovery plans for each downtime incident worldwide, according to respondents, is US$287,600. The median cost of executing/implementing disaster recovery plans for each downtime incident worldwide ranges from approximately $100,000 to $500,000. In North America, the median cost is as high as $900,000. Globally, the median disaster recovery cost is highest for healthcare and financial services organizations. In North America, the median cost for financial institutions is $650,000.
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/

Incident Reporting
Incident reporting is the process of reporting an encountered security breach in a proper format. The incident should be reported to receive technical assistance and raise security awareness that would minimize the losses. Organizations may not report computer crimes due to negative publicity and potential loss of customers.
Incident reporting should include:
• Intensity of the security breach
• Circumstances which revealed the vulnerability
• Shortcomings in the design and impact or level of weakness
• Entry logs related to the intruder's activity

Incident Reporting Organizations
The organizations that deal with computer security incidents are:
• Computer Emergency Response Team (CERT)
• Computer Security Incident Response Team (CSIRT)
• Forum for Incident Response and Security Teams (FIRST)
• Computer Incident Response Team (CIRT)
• Incident Response Center (IRC)
• Security Emergency Response Team (SERT)
• Security Incident Response Team (SIRT)
• Information Analysis Infrastructure Protection (IAIP)
• CERT Coordination Center (CERT/CC)
• Information Sharing and Analysis Centers (ISAC)

Vulnerability Resources
http://www.kb.cert.org/vuls/
US-CERT Vulnerability Notes Database:
• Descriptions of these vulnerabilities are available from this web page in a searchable database format, and are published as "US-CERT Vulnerability Notes".

Vulnerability Resources (cont'd)
http://web.nvd.nist.gov/
NVD (National Vulnerability Database):
• Integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources

Summary
A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks.
An information system transforms data into useful information that supports decision making.
Incident response is an organized approach to address and manage the aftermath of a security breach or attack.
Incident handling refers to the operational procedures used to actually manipulate the incident and purge it from the systems.
Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format.

EC-Council Certified Incident Handler Version 1, Module II: Risk Assessment

News: Report Faults TSA Risk Assessment
GAO finds agency did not follow Department of Homeland Security process
The Transportation Security Administration lacks the structure, policies and procedures to complete an effective risk management plan for freight and passenger transportation, according to a report by the Government Accountability Office. Risk management is the security watchword at the Department of Homeland Security as it attempts to allocate money and other resources to the areas that are most vulnerable to a terrorist attack. The GAO, which audits Executive Branch programs for Congress, said that TSA did not complete a six step process established by DHS to properly identify and prioritize risks to the transportation system. TSA collected threat, vulnerability and consequence information, but did not perform risk assessment that would integrate the three components for each mode, or the transportation system as a whole, the GAO said. The GAO also said TSA set its security priorities based on intelligence, not risk assessment, and DHS did not review or validate TSA's methodology. In addition, the GAO said that TSA lacked an organizational structure to direct and control its risk management efforts, a way of evaluating performance, and policies and procedures to integrate with the overall DHS risk management plan.
Source: http://www.joc.com/

Module Objective
This module will familiarize you with:
• Risk
• Risk Policy
• Risk Assessment
• NIST Risk Assessment Methodology
• Steps to Assess Risks at Workplace
• Risk Analysis
• Risk Mitigation
• Cost/Benefit Analysis
• Residual Risk

Module Flow
Risk; Risk Policy; NIST Risk Assessment Methodology; Risk Assessment; Steps to Assess Risks at Workplace; Risk Analysis; Cost/Benefit Analysis; Risk Mitigation; Residual Risk

Risk
Risk is defined as the probability or threat of an incident. It is a measure of the possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations. It adversely affects the organization's operations and revenues.

Risk Policy
Risk policy is a set of ideas to be implemented to overcome the risk.
Risk policy includes:
• Rules of behavior while dealing with the computer system and the consequences for violating these rules
• Personnel and technical controls for the computer system
• Methods for identifying, properly limiting, and controlling interconnections with other systems, and particular methods to monitor and manage such limits
• Procedures for the on-going training of employees authorized to access the system
• Procedures to monitor the efficiency of the security controls
• Provisions for continuing support if there is an interruption in the system or if the system crashes

Risk Assessment
Risk Assessment
Risk assessment is the process of identifying threat sources that pose risk to the business or project environment. It determines the level of risk and the resulting security requirements for each system. Risk assessment for a new system is conducted at the beginning of the System Development Life Cycle. Risk assessment for an existing system is conducted when there are modifications made to the system's environment. This process helps to identify the suitable controls to reduce risk in the risk mitigation process. The organization should plan, implement, and monitor a set of security measures that need to be undertaken against the identified risk.

NIST's Risk Assessment Methodology
NIST's risk assessment methodology contains nine primary steps:
1. System Characterization
2. Threats Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
Source: http://csrc.nist.gov/

Step 1: System Characterization
Identify the boundaries of the IT system along with the resources and the information that constitute the system. Characterize the IT system so as to establish the scope of the risk assessment effort. It describes the operational authorization boundaries such as hardware, software, system connectivity, etc.
Input: Hardware; Software; System interfaces; Data and information; People; System mission
Output: System Boundary; System Functions; System and Data Criticality; System and Data Sensitivity

System Characterization Template
System Name:
• Hardware
• Software
• System Interfaces
• Data & Information
• Persons who support the IT system
• System mission (e.g. processes performed by the system)
• System & data criticality (system's value or importance to the organization)
• Functional requirements of the IT system
• Users of the system
• System Security policies (organizational policies, federal requirements, industry practices, laws)
• System security architecture
• Current network topology (e.g. network diagram)
• Current information storage protection that safeguards system & data CIA
• Flow of information relating to the IT system
• Management controls used for the IT system (e.g. security planning, rules of behavior)
• Operational controls (e.g. back-up, contingency, and resumption and recovery operations, personnel security…)
• Physical security environment (e.g. facility security, data center policies)
• Environmental security (temperature control, water, power)

Step 2: Threats Identification
Threat refers to the probable impact of a threat source exploiting the vulnerabilities in the system.
To determine the likelihood of a threat, consider:
• Vulnerabilities of the system
• Threat sources
Input: History of system attack; Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
Output: Threat Statement

Step 2: Threats Identification (cont'd)
Human Threats
• Incorrect data entry or omissions
• Inadvertent acts
• Eavesdropping
• Impersonation
• Shoulder surfing
• User abuse or fraud
• Theft, sabotage, vandalism, or physical intrusions
• Espionage

Step 2: Threats Identification (cont'd)
Technical Threats
• Breaking passwords for unauthorized access to the system resources
• Sniffing and scanning of network traffic
• Data/system contamination
• Malicious code infection
• Spam and mail frauds
• Phishing that may result in loss of confidential private information
• DDoS attacks
• Application coding errors
• Unauthorized modification of a database
• Session hijacking
• System and application errors, failures

Step 3: Identify Vulnerabilities
Identify the vulnerabilities associated with the system environment. Prepare a list of the system vulnerabilities that a threat source can exploit.
Input: Reports from prior risk assessments; Any audit comments; Security requirements; Security test results
Output: List of Potential Vulnerabilities

Vulnerability Report Template
Introduction
• Date carried out:
• Testing Team details:
• Network Details:
• Scope of test:
Executive Summary
• OS Security issues discovered with appropriate criticality level specified:
• Application Security issues discovered with appropriate criticality level specified:
• Physical Security issues discovered with appropriate criticality level specified:
• Personnel Security issues discovered with appropriate criticality level specified:
• General Security issues discovered with appropriate criticality level specified:
Technical Summary
• OS Security issues discovered:
• Web Server Security:
• Database Server Security:
• General Application Security:
• Business Continuity Policy:
Annexes
• 1:
• 2:
• 3:

Step 4: Control Analysis
Identify or plan the controls that are to be implemented to minimize the threats. Derive the probability of exercising a vulnerability in the threat environment.
Input: Current controls; Planned controls
Output: List of Current and Planned Controls

Step 5: Likelihood Determination
Factors that help derive the overall likelihood rating:
• Threat-source motivation and capability
• Nature of the vulnerability
• Existence and effectiveness of the current controls
Input: Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls
Output: Likelihood Rating
Source: http://csrc.nist.gov/

Step 6: Impact Analysis
Determine the impact of a threat when a vulnerability is successfully exercised. Consider the system mission, system and data criticality, and system and data sensitivity to perform impact analysis. Prioritize the impact levels that are associated with the compromise of an organization's information assets. Use qualitative or quantitative assessment to determine the sensitivity and criticality of the information assets.
Input: Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity
Impact is measured as loss of integrity, loss of availability, and loss of confidentiality.
Output: Impact Rating

Step 7: Risk Determination
Assess the level of risk to the IT system from:
• The likelihood of a given threat-source attempting to exercise a given vulnerability
• The impact of a threat-source when it successfully exercises the vulnerability
• The adequacy of planned or existing security controls for reducing or eliminating risk
Input: Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
Output: Risks and Associated Risk Levels

Step 8: Control Recommendations
Recommend the controls to be implemented to reduce the level of risk. The implemented controls should reduce the risk to an acceptable level.
Factors to be considered in recommending controls:
• Effectiveness of recommended options
• Legislation and regulation
• Organizational policy
• Operational impact
• Safety and reliability
Output: Recommended Controls

Step 9: Results Documentation
Results of the risk assessment should be presented in an official report or briefing. The result document should be made available to the concerned staff, risk control developers, and risk auditors.
The risk assessment report should include:
• List of the identified vulnerabilities and risks
• Risk summary
• Risk likelihood rating
• Risk impact rating
• Overall risk rating
• Analysis of the relevant controls
• List of the recommended controls
• Appendix section containing incident logs and reports of the initial risk assessment phase
Output: Risk Assessment Report

Risk Assessment Report Template
Columns: Risk No. | Vulnerability | Threat | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations
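Steps 5 to 9 above can be carried through on a small register and the rows of the Risk Assessment Report Template filled in from the result. The Python below is an added example and is neither NIST's nor EC-Council's code. The slides cite NIST (http://csrc.nist.gov/) but do not reproduce its rating scales, so the numeric likelihood and impact values and the Low/Medium/High cut-offs are taken from NIST SP 800-30 (2002) and should be read as an assumption; the one-level likelihood reduction granted to an effective existing control and the three register entries are constructed for the demonstration.

```python
"""NIST SP 800-30 style risk determination feeding the report template (added example)."""
from dataclasses import dataclass

# Assumed scales, from NIST SP 800-30 (2002), not from the slides.
LIKELIHOOD_VALUE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}
LEVELS = ["Low", "Medium", "High"]


def risk_score(likelihood, impact):
    """Step 7: risk = likelihood value x impact value (range 1 to 100)."""
    return LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact]


def risk_level(score):
    """Assumed cut-offs (SP 800-30): High >50, Medium >10 to 50, Low 1 to 10."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    """One row of the register: Steps 2 to 6 already done by the assessor."""
    risk_no: int
    vulnerability: str
    threat: str
    risk_summary: str
    likelihood: str           # Step 5 rating before considering current controls
    impact: str               # Step 6 rating
    current_controls: str     # Step 4 findings
    controls_effective: bool  # assumption: an effective control lowers likelihood one level
    recommendation: str       # Step 8


def effective_likelihood(entry):
    """Fold the adequacy of current controls (Step 7 input) into the likelihood."""
    if entry.controls_effective and entry.likelihood != "Low":
        return LEVELS[LEVELS.index(entry.likelihood) - 1]
    return entry.likelihood


def assess(entry):
    """Produce one row with the report template's column names."""
    likelihood = effective_likelihood(entry)
    score = risk_score(likelihood, entry.impact)
    return {
        "Risk No.": entry.risk_no,
        "Vulnerability": entry.vulnerability,
        "Threat": entry.threat,
        "Risk Summary": entry.risk_summary,
        "Risk Likelihood Rating": likelihood,
        "Risk Impact Rating": entry.impact,
        "Overall Risk Rating": risk_level(score),
        "Risk Score": score,
        "Analysis of Relevant Controls and Other Factors": entry.current_controls,
        "Recommendations": entry.recommendation,
    }


def build_report(register):
    """Step 9: all rows, highest risk first so Step 8 actions can be prioritized."""
    rows = [assess(entry) for entry in register]
    rows.sort(key=lambda row: (-row["Risk Score"], row["Risk No."]))
    return rows


# Constructed register; the systems, threats and controls are invented.
REGISTER = [
    RiskEntry(1, "Mail server missing the vendor patch for a publicly known flaw",
              "External attacker", "Compromise of the mail server and stored mail",
              "High", "High", "Perimeter firewall only; patch not yet applied", False,
              "Apply the vendor patch; restrict management access"),
    RiskEntry(2, "Accounts of terminated employees are not disabled promptly",
              "Disgruntled former employee", "Unauthorized access to internal files",
              "Medium", "Medium", "Quarterly manual account review", False,
              "Disable accounts as part of the HR termination procedure"),
    RiskEntry(3, "Backup tapes stored off-site without encryption",
              "Theft of media in transit or storage", "Disclosure of customer data",
              "Medium", "High", "Bonded courier and locked off-site storage", True,
              "Encrypt backups before they leave the data center"),
]

if __name__ == "__main__":
    for row in build_report(REGISTER):
        print(f"{row['Risk No.']}  {row['Overall Risk Rating']:<6} "
              f"(L={row['Risk Likelihood Rating']}, I={row['Risk Impact Rating']})  "
              f"{row['Risk Summary']}")
```

Entry 3 shows why controls enter Step 7: its raw Medium likelihood against a High impact would be a Medium risk, but the effective existing control drops the likelihood to Low and the overall rating to Low, which is exactly the information the "Analysis of Relevant Controls and Other Factors" column is meant to carry.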
Steps to Assess Risks at Work Place
The steps involved in risk assessment at the workplace are:
1. Hazards identification
2. Decide who will be harmed and how
3. Analyze risks and check for precautions
4. Implement results of the risk assessment
5. Review risk assessment

Step 1: Identify Hazards
A hazard is anything that may cause harm. Check out the hazards you come across at a workplace. Identify the things that cause harm at the workplace. Take the employees' opinion. Take the guidance of a trade association if you are a member.

Step 2: Determine Who Will be Harmed and How
For each hazard, identify who might be harmed. Identify how they might be harmed. Extra thought will be needed for some hazards. Do not forget to think of anyone. Ask the staff if anyone is left out.

Step 3: Analyze Risks and Check for Precautions
Analyze risks and check for precautions. After spotting all the hazards, think about the precautions to be taken. Try a less risky option. Prevent access to the hazard. Issue personal protective equipment. Provide welfare facilities.

Step 4: Implement Results of Risk Assessment
The risk assessment must be suitable and sufficient. Implement a temporary solution until more reliable controls are in place. Identify a long-term solution to the risks that impact more critical infrastructure. Train the employees on the identified risks and their control measures. Frequently check whether the control measures stay in place.

Step 5: Review Risk Assessment
Revisit your risk assessment plan. Find out if any changes are to be made. Enquire if any workers have spotted a problem. Make sure the risk assessment is up to date.

Risk Analysis

Risk Analysis
Risk analysis involves the process of defining and evaluating the dangers.
It is used to determine all possible and significant risks for your particular business.
Risk analysis should be conducted properly in order to put a proper response in place, scaled to the amount of risk.
Risk Analysis = Risk Assessment + Risk Management + Risk Communication
EC-Council Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Need for Risk Analysis
Risk analysis identifies risks within the organization and the potential losses associated with these risks.
It is required in order to define procedures through which an organization can survive adverse events or reduce their probability.
It helps in analyzing five elements:
• Assets (resources of an organization)
• Disruptive events (threats to an organization)
• Vulnerabilities (weaknesses of an organization)
• Losses (due to occurrence of the adversity)
• Safeguards (preventive measures against vulnerabilities)

Risk Analysis: Approach
There are two approaches to risk analysis:
Quantitative risk analysis
• It is a numerical determination of the probability of an adverse event and the extent of the losses due to the event
• It assigns numeric values to the components of the risk assessment and to the potential loss
• Risk = Probability of Loss × Loss
Qualitative risk analysis
• It does not use numerical methods to determine the probability of an adverse event and the extent of the losses; the factors are rated on ordinal scales (for example low/medium/high) instead
• Here the ratings are combined as a score:
• Risk = (Attack Success + Criticality) – (Countermeasures)

Risk Mitigation
Risk mitigation includes all possible solutions for reducing the probability of the risk and limiting the impact of the risk if it occurs.
It involves the implementation of the risk control measures outlined in the risk assessment process.
Apply a least-cost approach and implement appropriate controls to reduce risks.

Risk Mitigation Strategies
A risk mitigation strategy determines the circumstances under which action has to be taken to minimize and overcome risks.
Risk mitigation strategies are selected according to the vulnerability that was discovered or exploited and the expected impact of the risk.
An organization can use one or more of the following strategies:
Risk assumption
• A risk mitigation strategy where an organization accepts and absorbs minor risks while preparing to respond to major ones
Risk avoidance
• A strategy to avoid risks, either by engaging in alternative activities or by removing the specific exposure to the risk source

Risk Mitigation Strategies (cont'd)
Risk limitation
• This strategy focuses on limiting the exposure to the risk by implementing controls that reduce its likelihood or impact
Risk planning
• This strategy focuses on developing a comprehensive plan for risk assessment and mitigation
Research and acknowledgment
• This strategy focuses on minimizing the probability of risks and losses by researching the vulnerabilities in the system and the appropriate controls
Risk transference
• A strategy where loss is minimized by transferring the risk to other parties, either through insurance or by contract

Risk Mitigation Strategy (cont'd)
(Flowchart of the mitigation action points.) Source: http://csrc.nist.gov/

Cost/Benefit Analysis
A cost/benefit analysis is done for each proposed control to find out which controls are required and suitable under the given circumstances.
It is the process of analyzing the business decision behind each control.
It can be qualitative or quantitative.
A cost/benefit analysis finds and quantifies all the positive factors (chiefly the expected reduction in loss), subtracts all the negative factors (the cost of buying, operating and maintaining the control), and produces the net result.
It demonstrates whether the cost of implementing a control is justified by the reduction in the level of risk.

NIST Approach for Control Implementation
Step 1 • Prioritize actions
Step 2 • Evaluate recommended control options
Step 3 • Conduct cost/benefit analysis
Step 4 • Select controls
Step 5 • Assign responsibility
Step 6 • Develop a safeguard implementation plan
Step 7 • Implement selected controls

Residual Risk
Risk that remains after implementation of all the possible risk control measures is called residual risk.
The implemented risk control measures cannot remove the risks completely: they are intended to reduce the risk to an acceptable level, not to zero.
Residual Risk = (Inherent Risk) × (Control Risk)
• where Inherent Risk = Threats × Vulnerability, and Control Risk is the proportion of the inherent risk that the implemented controls fail to address
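The quantitative formula above (Risk = Probability of Loss × Loss), the cost/benefit analysis of NIST step 3, the selection of controls in step 4 and the residual-risk model, carried through in code. This is an added example, not part of the ECIH course material; the risks, annual probabilities, loss values, control costs, effectiveness figures and the budget are constructed assumptions chosen to make the arithmetic visible.

```python
"""Quantitative risk analysis, cost/benefit control selection and residual risk.

Added example (not from the ECIH slides). All figures used by sample_risks() and
sample_controls() are constructed assumptions, not measured data.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    probability: float   # annual probability of the loss event, 0..1 (assumed)
    loss: float          # loss per occurrence in currency units (assumed)

    def annual_risk(self) -> float:
        """Quantitative risk as the slides define it: Risk = Probability of Loss x Loss."""
        return self.probability * self.loss


@dataclass
class Control:
    name: str
    annual_cost: float
    # share of the annual risk removed, per risk name this control addresses (assumed)
    effectiveness: dict = field(default_factory=dict)

    def annual_benefit(self, risks) -> float:
        """Positive factor of the cost/benefit analysis: the risk reduction the control buys."""
        return sum(r.annual_risk() * self.effectiveness.get(r.name, 0.0) for r in risks)

    def net_benefit(self, risks) -> float:
        """Benefit minus cost; the control is justified only when this is positive."""
        return self.annual_benefit(risks) - self.annual_cost


def select_controls(risks, controls, budget):
    """NIST steps 1-4: rank the options, cost/benefit each one, select within budget."""
    ranked = sorted(controls, key=lambda c: c.net_benefit(risks), reverse=True)
    chosen, spent = [], 0.0
    for c in ranked:
        if c.net_benefit(risks) <= 0:
            break                      # remaining controls cost more than the risk they remove
        if spent + c.annual_cost > budget:
            continue                   # over budget; a cheaper justified control may still fit
        chosen.append(c)
        spent += c.annual_cost
    return chosen


def residual_risk(risks, chosen):
    """Residual = Inherent x Control Risk, per risk.

    Control risk is the share of the inherent risk the selected controls fail to remove;
    independent controls combine multiplicatively, so residual risk never reaches zero.
    """
    out = {}
    for r in risks:
        control_risk = 1.0
        for c in chosen:
            control_risk *= 1.0 - c.effectiveness.get(r.name, 0.0)
        out[r.name] = r.annual_risk() * control_risk
    return out


def sample_risks():
    """Constructed figures: annual probability and loss per occurrence."""
    return [Risk("ransomware on file server", 0.30, 200_000),
            Risk("web defacement", 0.50, 20_000),
            Risk("lost laptop with PII", 0.20, 150_000)]


def sample_controls():
    """Constructed controls: annual cost and the share of each risk they remove."""
    return [Control("offline backups", 15_000, {"ransomware on file server": 0.7}),
            Control("full-disk encryption", 8_000, {"lost laptop with PII": 0.9}),
            Control("web application firewall", 25_000, {"web defacement": 0.8}),
            Control("hot site", 120_000, {"ransomware on file server": 0.3,
                                          "web defacement": 0.5})]


if __name__ == "__main__":
    risks, controls = sample_risks(), sample_controls()
    for c in sorted(controls, key=lambda c: c.net_benefit(risks), reverse=True):
        print(f"{c.name:26s} benefit={c.annual_benefit(risks):9.0f} "
              f"cost={c.annual_cost:7.0f} net={c.net_benefit(risks):8.0f}")
    chosen = select_controls(risks, controls, budget=30_000)
    print("selected:", [c.name for c in chosen])
    for name, value in residual_risk(risks, chosen).items():
        print(f"residual {name:26s} {value:8.0f}")
```

With the constructed figures, the two cheap controls that address the largest annualized risks are selected and the web application firewall is rejected because its annual cost exceeds the risk it removes; the ranking changes as soon as the assumed probabilities or losses do, which is exactly why the slides require the analysis per control and per circumstance.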
Residual Risk (cont'd)
The relationship between control implementation and residual risk is illustrated by the flowchart below. Source: http://csrc.nist.gov/

Risk Management Tools
• CRAMM
• Acuity STREAM
• Callio Secura 17799
• EAR/Pilar

CRAMM
http://www.cramm.com/
CRAMM helps in assessing, designing, and managing an information security strategy.
CRAMM is based on the UK Government's preferred risk assessment methodology.
Features:
• A comprehensive risk assessment tool in compliance with ISO 27001
• Supports information security managers in planning and managing security
• Tool wizards create pro-forma information security policies and other related documentation
• Supports key processes in business continuity management
• A database of over 3000 security controls referenced to relevant risks and ranked by effectiveness and cost

Working of CRAMM
CRAMM provides a staged approach embracing both technical (e.g. IT hardware and software) and non-technical (e.g. physical and human) aspects of security.
CRAMM follows a three-stage approach:
Asset identification and valuation
• CRAMM enables the reviewer to identify the physical (e.g. IT hardware), software (e.g. application packages), data (e.g. the information held on the IT system) and location assets that make up the information system
• Data and software assets are valued in terms of the impact that would result if the information were to be unavailable, destroyed, disclosed or modified
Threat and vulnerability assessment
• CRAMM covers the full range of deliberate and accidental threats that may affect information systems, including hacking, viruses, failures of equipment or software, wilful damage or terrorism, and errors by people
Countermeasure selection and recommendation
• CRAMM contains a large countermeasure library consisting of over 3000 detailed countermeasures organized into over 70 logical groupings

CRAMM: Screenshot

Acuity STREAM
http://www.acuityrm.com/
STREAM automates the complex processes involved in managing compliance with standards and delivering effective risk management.
It is a multi-user, role-based software tool with a central database, used in real time by risk managers, risk analysts, business stakeholders, control owners, and internal auditors.
It provides senior managers with information on the status of compliance across the business with key control standards, and on the level of residual risk measured in relation to defined business risk appetites.

Components of STREAM
STREAM: Screenshot

Callio Secura 17799
http://www.callio.com/
Callio Secura 17799 is software that enables companies to comply with the ISO 17799/BS 7799 information security management standard.
It helps in:
• Managing threats, vulnerabilities and controls
• Managing various types of evaluation criteria, such as confidentiality, availability, integrity and legal compliance
• Customizing the vulnerability, occurrence and criterion scales used during the asset evaluation and risk assessment processes
• Verifying the level of compliance with ISO 17799 (gap analysis)
• Compiling an inventory of your company's most important assets
• Defining the structures and processes within your ISMS
• Mitigating the risks to each asset
• Defining scenarios for the implementation of controls
• Drafting security policies
• Managing policy documents
• Making policies, standards and procedures electronically available
• Verifying whether the ISMS meets the requirements for BS 7799-2 certification
• Documenting and justifying the application of the ISO 17799 standard's 127 controls to the management framework
Screenshot: Callio Secura 17799

Screenshot: Callio Secura 17799
• Define an unlimited number of teams that manage access to document management
• Define user roles within each team
• Link teams with any ISMS

EAR/Pilar
http://www.ar-tools.com/
EAR/PILAR is designed to support the risk management process over long periods, providing incremental analysis as the safeguards improve.
Its functionalities include:
• Quantitative and qualitative risk analysis
• Quantitative and qualitative business impact analysis and continuity of operations management

Screenshot: Pilar
Screenshots: Pilar

Summary
Risk is defined as the probability or threat of an incident.
Risk policy is the set of principles to be implemented to manage the risk.
Risk assessment identifies the assets at risk and the threats to the business or project environment.
Risk analysis involves the process of defining and evaluating the dangers.
Risk mitigation involves implementing the risk-reducing controls that lower the level of risk.

EC-Council Certified Incident Handler Version 1
Module V: Handling Network Security Incidents

News: Microsoft Responds to Xbox Live Denial-of-Service Attack
Source: www.arstechnica.com

Module Objective
This module will familiarize you with:
• Handling Denial-of-Service Incidents
• Handling Unauthorized Access Incidents
• Handling Inappropriate Usage Incidents
• Handling Multiple Component Incidents

Module Flow
• Denial-of-Service Incidents: Detecting DoS Attacks, Incident Handling Preparation for DoS, DoS Response Strategies, Preventing DoS Incidents
• Unauthorized Access Incidents: Detecting Unauthorized Access Incidents, Preventing Unauthorized Access Incidents
• Inappropriate Usage Incidents: Detecting Inappropriate Usage Incidents, Handling and Prevention of Inappropriate Usage Incidents
• Multiple Component Incidents: Containment Strategy for Multiple Component Incidents

Handling Denial-of-Service Incidents

Denial-of-Service Incidents
A Denial-of-Service (DoS) attack prevents authorized users from accessing networks, systems, or applications by exhausting their resources.
A DoS attack involves one or more of:
• Consuming all available bandwidth by generating huge volumes of network traffic
• Making many processor-intensive requests so that the server's processing resources are fully consumed
• Sending malformed TCP/IP requests that crash the server's operating system
• Sending illegal requests to an application
• Establishing many simultaneous login sessions to a server so that other users cannot start login sessions
• Consuming all available disk space by creating many large files

Distributed Denial-of-Service Attack
A Distributed Denial-of-Service (DDoS) attack is a DoS attack in which a large number of compromised systems, known as a botnet, attack a single target to cause a denial of service for the users of the targeted system.
In a DDoS attack, the attacker first infects multiple systems, called zombies, which are then used to attack a particular target:
• The attacker compromises the handler systems
• The handler systems then compromise numerous further systems (zombies)
• The zombies then attack the target system together
Detecting DoS Attacks
Indications of a network-based DoS attack:
• User reports of system and service unavailability
• Unexplained connection losses
• Alerts from the network intrusion detection system
• Alerts from the host intrusion detection system
• Increase in utilization of the network's bandwidth
• A single host drawing a large number of connections
• Asymmetric network traffic patterns (far more inbound than outbound, or the reverse)
• Unusual log entries on firewalls, routers and operating systems
• Packets with unusual source addresses (for example private, reserved or unallocated ranges arriving from the Internet)
• Packets with unusual destination addresses

Incident Handling Preparation for DoS
1 • Contact Internet Service Providers (ISPs) and their second-tier providers to determine how they can help in handling a network-based DoS attack
2 • Contact organizations such as CERT and the Internet Crime Complaint Center (IC3) for help in handling the DoS attack
3 • Configure and deploy intrusion detection and prevention software to detect DoS traffic
4 • Perform ongoing resource monitoring to establish a baseline of network bandwidth utilization, so that a spike can be recognized
5 • Check websites that provide statistics on latency between ISPs and between physical locations (referred to as Internet health monitoring)
6 • Discuss with the network infrastructure administrators how they can assist in analyzing and containing network-based DoS and DDoS attacks
7 • Create and maintain up-to-date documentation of the incident handling process

DoS Response Strategies
Absorbing the attack
• Using additional capacity to absorb the attack; this requires pre-planning and additional resources
Degrading services
• Identifying critical services and stopping non-critical services so the remaining capacity serves what matters
Shutting down the services
• Shutting down all the services until the attack has subsided

Preventing a DoS Incident
The network perimeter should be configured so that it denies all incoming and outgoing traffic and services that are not required.
A DoS attack can be prevented:
• By blocking the echo service, which is abused in DoS attacks
• Through ingress and egress filtering at the perimeter
• By blocking traffic from unassigned IP address ranges
• By using firewall rules and router access control lists to block traffic properly
• By configuring the border routers so that directed broadcasts are not forwarded
• By limiting incoming and outgoing ICMP traffic to the necessary types and codes
• By blocking outgoing connections to common IRC, peer-to-peer and instant messaging ports if the use of such services is not permitted

Preventing a DoS Incident (cont'd)
• Restrict certain protocols, such as ICMP, to a pre-determined percentage of the total bandwidth
• Implement redundancy for key functions
• Make sure that networks and systems are not running at threshold capacity, since it would then be easy for a minor DoS attack to consume the remaining resources

Following the Containment Strategy to Stop DoS
• Correct the exploited vulnerability or weakness
• Implement filters after determining the method of attack
• Have the ISP implement filtering
• Relocate the target (move the attacked service to a different address)
• Attack the attackers: listed in NIST SP 800-61 only to be ruled out; attacking back is not recommended, since it is generally illegal and the attacking hosts are usually compromised victims themselves

Following the Containment Strategy to Stop DoS (cont'd)
• Configure router and firewall rules
• Establish a well-documented method for seeking assistance from ISPs and second-tier providers in responding to network-based DoS attacks
• Configure security software such as IPS and IDS to detect DoS attacks
• Monitor network traffic using tools such as EtherApe, SolarWinds and Nagios
• Restrict all incoming and outgoing traffic that is not required
• Prepare a containment strategy that includes several solutions applied in sequence

Handling Unauthorized Access Incidents

Unauthorized Access Incident
Unauthorized access is a condition where a person gains access to system and network resources which he or she was not authorized to have.
Examples of unauthorized access incidents:
• Performing a remote root compromise of the email server
• Defacing the web server's content
• Guessing or cracking application passwords
• Copying sensitive data without authorization
• Installing and running a packet sniffer on a workstation
• Using the FTP server to distribute pirated software and music files
• Gaining internal network access by dialing into an unsecured modem
• Accessing a workstation using a false ID

Detecting Unauthorized Access Incidents
Indications of root compromise of a host:
• Suspicious tools or exploits are found
• Strange network traffic
• System configuration changes, including:
  • Modifications or additions of services
  • Unexpected open ports
  • Network interface card set to promiscuous mode
  • Unexpected system shutdowns and restarts
  • Changes to log and audit policies
  • Creation of a new administrative-level user account or group

Detecting Unauthorized Access Incidents (cont'd)
Indications of root compromise of a host:
• Changes to significant files such as OS files and system libraries
• Use of a dormant or previously unknown account
• Increase in resource usage
• User reports of system unavailability
• Alerts from network and host intrusion detection
• Creation of new files or directories with unusual names
• Log messages from the operating system and applications
• Attackers announcing that they have compromised a host

Detecting Unauthorized Access Incidents (cont'd)
Unauthorized data modification
• Alerts from network and host IDS
• Increase in resource usage
• User reports of unexpected data modifications
• Changes to critical files
• Creation of new files or directories with unusual names
Unauthorized usage of a standard user account
• Unauthorized access attempts to important files
• Use of a dormant or previously unknown account
• Web proxy log entries showing the download of attacker tools

Detecting Unauthorized Access Incidents (cont'd)
Physical intruder
• User reports of network or system unavailability
• System status changes
• Misplaced hardware parts
• Unauthorized hardware found
Unauthorized data access
• IDS, IPS and firewall alerts for data access through FTP, HTTP and other protocols
• Log entries showing access attempts to critical files

Incident Handling Preparation
1 • Configure network-based and host-based IDPS to identify and alert on any attempt to gain unauthorized access
2 • Use centralized log servers so that the important information from hosts across the organization is stored in one safe location
3 • Create a well-documented password policy for all users of applications, systems, trust domains, or the organization
4 • Make system administrators aware of their responsibilities in handling unauthorized access incidents

Incident Prevention
Network Security
• Design the network so that it blocks suspicious traffic
• Properly secure all remote access methods, including modems and VPNs
• Move all publicly accessible systems and services to a secured demilitarized zone (DMZ)
• Use private IP addresses for all hosts located on internal networks

Incident Prevention
Host Security
• Perform regular vulnerability assessments to identify serious risks and mitigate them to an acceptable level
• Disable all unwanted services on hosts
• Run services with the least privileges possible to reduce the immediate impact of successful exploits
• Use host-based/personal firewall software to limit individual hosts' exposure to attacks
• Limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens automatically and asking users to log off before leaving the office
• Regularly verify the permission settings for critical resources, including password files, sensitive databases, and public web pages

Incident Prevention (cont'd)
Authentication and Authorization
• Prepare an appropriate password policy
• Require strong authentication for access to critical resources
• Create authentication and authorization standards for employees and contractors to follow when evaluating or developing software
• Establish procedures for provisioning and de-provisioning user accounts

Incident Prevention (cont'd)
Physical Security
• Restrict access to critical resources by implementing physical security measures

Following the Containment Strategy to Stop Unauthorized Access
• Isolate the affected systems
• Disable the affected service
• Eliminate the attacker's route into the network
• Disable user accounts that may have been used in the attack
• Enhance physical security measures

Eradication and Recovery
Eradicate the incident
• Identify and mitigate all vulnerabilities that were exploited
• Patch the systems
• Remove components of the incident from systems
Recover from the incident
• Return affected systems to an operationally ready state
• Confirm that the affected systems are functioning normally
• Implement additional monitoring to look for related activity in future
• Formulate and regularly update security policies

Recommendations
• Install an IDS to alert on unauthorized access attempts
• Configure centralized logging for all users
• Establish a password security policy such that users change their passwords regularly
• Design the network so that it blocks suspicious traffic
• Secure all remote access methods, including VPNs
• Use a DMZ to host publicly accessed systems and services

Recommendations (cont'd)
• Disable unwanted services
• Install host-based firewall software to limit individual hosts' exposure to attacks
• Create and implement a password policy
• Provide the details of management and configuration changes to the incident response team (IRT)
• Select mitigation strategies considering both short-term and long-term business objectives
• Restore or reinstall systems that appear to have suffered a root compromise
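Detection logic for two of the indicator lists above, run over sample log lines: the network-based DoS indications (a bandwidth spike over the monitored baseline, one host drawing many half-open connections, packets with source addresses that cannot legitimately arrive from the Internet) and the host root-compromise indications (a new administrative account, a NIC in promiscuous mode, audit logging switched off, an unexpected open port). This is an added example, not code from the ECIH material; every log line is constructed, and the bogon list, baseline bandwidth, thresholds, the expected-port list and the `listen-snapshot` log source (assumed to be a cron job that logs `ss -ltnp` output) are assumptions that a real deployment would take from its own monitoring baseline.

```python
"""DoS and root-compromise indicator detection over constructed logs.

Added example, not from the ECIH slides. All log lines are constructed; the
bogon list, baseline, thresholds and expected ports are assumptions.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Source ranges that must never arrive on the outside interface (assumed list).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def constructed_flow_log():
    """Perimeter flow records, one per flow: t=<second> src dst dport bytes flags."""
    lines = [
        "t=0 src=203.0.113.7 dst=198.51.100.10 dport=443 bytes=5200 flags=SA",
        "t=0 src=203.0.113.9 dst=198.51.100.10 dport=443 bytes=4100 flags=SA",
        "t=1 src=203.0.113.7 dst=198.51.100.10 dport=443 bytes=3900 flags=SA",
        "t=2 src=203.0.113.22 dst=198.51.100.25 dport=25 bytes=2600 flags=SA",
    ]
    # t=3: SYN flood on the web server from 40 spoofed sources, four of them bogons
    spoofed = [f"203.0.113.{i}" for i in range(100, 136)]
    spoofed += ["10.0.0.5", "0.0.0.1", "127.0.0.9", "224.0.0.3"]
    lines += [f"t=3 src={s} dst=198.51.100.10 dport=80 bytes=60 flags=S" for s in spoofed]
    # t=4: volumetric UDP flood from eight sources
    lines += [f"t=4 src=203.0.113.{i} dst=198.51.100.10 dport=123 bytes=900000 flags=-"
              for i in range(200, 208)]
    return lines


def parse_flow(line):
    rec = dict(re.findall(r"(\w+)=(\S+)", line))
    rec["t"], rec["bytes"] = int(rec["t"]), int(rec["bytes"])
    return rec


def is_bogon(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_PREFIXES)


def dos_indicators(lines, baseline_bps=10_000, spike_factor=10, syn_sources=20):
    """Return (indicator, second, detail) tuples for the DoS indications in the slides."""
    findings = []
    bytes_per_sec = Counter()
    syn_only = defaultdict(set)          # (second, dst) -> sources sending bare SYNs
    for f in map(parse_flow, lines):
        bytes_per_sec[f["t"]] += f["bytes"]
        if f["flags"] == "S":
            syn_only[(f["t"], f["dst"])].add(f["src"])
        if is_bogon(f["src"]):
            findings.append(("unusual-source", f["t"], f["src"]))
    for t, total in sorted(bytes_per_sec.items()):
        if total > baseline_bps * spike_factor:        # baseline comes from ongoing monitoring
            findings.append(("bandwidth-spike", t, f"{total} bytes/s"))
    for (t, dst), srcs in sorted(syn_only.items()):
        if len(srcs) >= syn_sources:                    # one host drawing many half-open connections
            findings.append(("syn-concentration", t, f"{dst} from {len(srcs)} sources"))
    return findings


# Constructed syslog excerpt; the listen-snapshot lines assume a cron job logging `ss -ltnp`.
HOST_LOG = [
    "Mar 10 02:11:01 web1 sshd[2200]: Accepted publickey for deploy from 203.0.113.7 port 51022",
    "Mar 10 02:13:45 web1 useradd[2291]: new user: name=svc_backup, UID=0, GID=0, home=/root, shell=/bin/bash",
    "Mar 10 02:13:50 web1 usermod[2295]: add 'svc_backup' to group 'sudo'",
    "Mar 10 02:14:02 web1 kernel: device eth0 entered promiscuous mode",
    "Mar 10 02:14:30 web1 kernel: audit: audit_enabled=0 old=1 auid=0 ses=4 res=1",
    "Mar 10 02:15:00 web1 listen-snapshot: tcp LISTEN 0.0.0.0:22 users:((\"sshd\",pid=801))",
    "Mar 10 02:15:00 web1 listen-snapshot: tcp LISTEN 0.0.0.0:4444 users:((\"sh\",pid=2310))",
]

HOST_RULES = [  # (indicator, regex) for the root-compromise indications in the slides
    ("new-admin-account", r"new user: name=(\S+), UID=0"),
    ("new-admin-account", r"add '(\S+)' to group '(?:sudo|wheel|admin)'"),
    ("nic-promiscuous", r"device (\S+) entered promiscuous mode"),
    ("audit-disabled", r"audit_enabled=0"),
]
EXPECTED_LISTEN_PORTS = {22, 80, 443}      # assumed baseline for this host


def root_compromise_indicators(lines, expected_ports=EXPECTED_LISTEN_PORTS):
    """Return (indicator, detail) tuples for every matching host log line."""
    findings = []
    for line in lines:
        for name, pattern in HOST_RULES:
            m = re.search(pattern, line)
            if m:
                findings.append((name, m.group(1) if m.groups() else m.group(0)))
        m = re.search(r"LISTEN \S+:(\d+) users:\(\(\"([^\"]+)\"", line)
        if m and int(m.group(1)) not in expected_ports:
            findings.append(("unexpected-open-port", f"{m.group(1)}/{m.group(2)}"))
    return findings


if __name__ == "__main__":
    for finding in dos_indicators(constructed_flow_log()) + root_compromise_indicators(HOST_LOG):
        print(finding)
```

The SYN flood at second 3 is invisible to the bandwidth check (40 bare SYNs are only 2400 bytes) and is caught by the per-destination source count and by the bogon sources instead, while the UDP flood at second 4 trips the bandwidth check alone; a monitor that looks at only one of the slides' indicators misses one of the two attacks.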
Handling Inappropriate Usage Incidents

Inappropriate Usage Incidents
An inappropriate usage incident occurs when a user performs actions that violate the acceptable computing use policies.
Examples:
• Installing password-cracking tools
• Downloading pornographic material
• Sending spam mail that promotes a personal business
• Sending harassing emails to colleagues
• Hosting unauthorized websites on the company's computers
• Using file-sharing services to distribute or acquire pirated material
• Sending critical data outside the company

Inappropriate Usage Incidents (cont'd)
Inappropriate usage incidents directed at outside parties may cause greater loss to the organization in the form of damage to reputation and legal liability.
Examples:
• An internal user changing the content of another organization's public website
• An internal user purchasing items from online retailers using stolen credit card numbers
• Sending email to a third party with a spoofed source address from the company's domain
• Performing a DoS attack against another organization using the company's resources

Detecting Inappropriate Usage Incidents
Unauthorized service usage
• Alerts from the intrusion detection system
• Unusual network traffic
• New processes and software running on a host
• Creation of new files or directories with unusual names
• Increase in resource utilization
• User reports
• Application log entries
Access to inappropriate materials
• Alerts from the intrusion detection system
• User reports
• Application log entries
• Inappropriate files on computers, servers, and removable media
Attack against an external party
• Alerts from the intrusion detection system
• Reports from the outside party
• Network, host, and application log entries

Incident Handling Preparation
• Formulate security policies in coordination with the human resources and legal department representatives for handling inappropriate usage incidents
• Discuss internal users' behavior with members of the organization's physical security team
• Meet with the concerned person in the legal department regarding liability issues, particularly for incidents targeted at outside parties

Incident Handling Preparation
Install IDS, email content filtering software, anti-virus and other security control tools to identify certain types of activity, including:
• Use of unauthorized services such as peer-to-peer file and music sharing
• Spam
• Files with suspicious extensions
• Reconnaissance activity
• Outbound attacks
Log user activity such as FTP commands, web requests, and email headers.

Incident Prevention
• Install firewalls and intrusion detection and prevention systems to block the use of services that violate the organization's policy
• Configure the email servers so that they cannot be used as open relays for sending spam
• Install spam filtering software
• Filter URLs to prevent access to inappropriate websites
• Restrict outbound connections that use encrypted protocols such as HTTPS, SSH and IPsec to where they are needed, since content filters and IDS cannot inspect what those connections carry

Recommendations
• Meet with the human resources and legal department representatives to discuss the handling of inappropriate usage incidents
• Meet with the representative of the organization's legal department to discuss liability issues
• Install an IDS to detect certain types of inappropriate usage
• Log user activity
• Configure the email server to prevent relaying of unauthorized mail
• Use spam filtering software on the email server
• Install URL filtering software

Handling Multiple Component Incidents

Multiple Component Incidents
A multiple component incident consists of a combination of two or more attacks on a system.
An example of a multiple component incident:
• Malicious code is delivered by email
• Additional workstations and servers are infected with that malicious code by the attacker
• The infected workstations are then used by the attacker as hosts to launch a DDoS attack against another organization

Multiple Component Incidents (cont'd)

Preparation for Multiple Component Incidents
• It is difficult to analyze multiple component incidents, since the incident handler may not be aware that the incident is composed of several stages
• Ask the incident handling team to review scenarios involving multiple component incidents
• Centralized logging and IDS software should be used to analyze the incident
• When all precursors and indications are accessible from a single point, the incident handler can more easily determine whether an incident has multiple components

Following the Containment Strategy to Stop Multiple Component Incidents
• Any incident can turn out to be a multiple component incident, hence the incident handler should not stop after finding the signs of one particular incident
• Discovering and containing all components of an incident requires extra time and effort
• Experienced handlers can often judge whether an incident has other components

Recommendations
• Use centralized logging and event correlation software
• Search for the signs of other components after containing the incident
• Prioritize the handling of each incident component separately

Network Traffic Monitoring Tools

ntop
http://www.ntop.org/
ntop is a network traffic probe that shows network usage, similar to what the popular top Unix command does for processes.
Features:
• Sort network traffic according to many protocols
• Show network traffic sorted according to various criteria
• Display traffic statistics
• Store persistent traffic statistics on disk in RRD format
• Identify the identity (e.g. email address) of computer users
• Passively (i.e. without sending probe packets) identify the host OS
• Show IP traffic distribution among the various protocols

ntop: Screenshot

EtherApe
http://etherape.sourceforge.net/
EtherApe is a graphical network monitor for Unix, modeled after etherman, that displays network activity graphically.
It can filter the traffic to be shown and can read traffic from a file as well as live from the network.
Features:
• Data display can be refined using a network filter
• Name resolution is done using standard libc functions
• A protocol summary dialog shows global traffic statistics by protocol
• Live data can be read from Ethernet, FDDI, PPP and SLIP interfaces
• Clicking on a node or link opens a detail dialog showing the protocol breakdown and other traffic statistics

EtherApe: Screenshot

Ngrep
http://ngrep.sourceforge.net/
ngrep is a pcap-aware tool that allows you to specify extended regular or hexadecimal expressions to match against the data payloads of packets.
It is used to debug plaintext protocol interactions such as HTTP, SMTP and FTP, and to identify and analyze anomalous network communications.
It is also used for the more mundane task of collecting plaintext credentials, as with HTTP Basic Authentication, FTP, or POP3 authentication; the same capability is why such protocols need to be protected on the wire.

SolarWinds: Orion NetFlow Traffic Analyzer
http://www.solarwinds.com/
Orion NetFlow Traffic Analyzer (NTA) analyzes NetFlow, J-Flow, and sFlow data and performs CBQoS monitoring to deliver a complete picture of network traffic.
It enables you to quantify exactly how your network is being used, by whom, and for what purpose.
Features:
• Quickly and easily identifies which users, applications, and protocols are consuming the most network bandwidth
• Monitors network traffic by capturing flow data from network devices
• Performs Class-Based Quality of Service (CBQoS) monitoring to ensure that your traffic prioritization policies are effective
• Enables you to quickly drill down into traffic on specific network elements
• Generates network traffic reports

SolarWinds: Orion NetFlow Traffic Analyzer: Screenshot 1
SolarWinds: Orion NetFlow Traffic Analyzer: Screenshot 2

Nagios: op5 Monitor
http://www.op5.com/
op5 Monitor is an easy-to-use network monitoring system that finds and handles problems that may arise in your IT environment.
It creates a comprehensive, easy-to-understand overview that enables simple root cause analysis.
It helps you identify the primary cause of potential problems in your network before major damage is done.
It communicates with devices on the network and collects data about their operational status.

Nagios: op5 Monitor (cont'd)
Features:
• Capable of monitoring network devices, workstations, servers, services, and software applications
• Automatic backup and restore of specific configuration files
• Enhanced security with SSL encryption and multi-user access capabilities
• Monitors all layers of virtual environments from one tactical overview
• Enables users to define exceptions in a given time period
• Easy-to-use graphical user interface (GUI) for management and configuration
• Notifications and escalations sent via email, SMS, and pager
• Schedule functionality with automatic weekly and monthly email distribution in PDF format

op5 Monitor: Screenshot 1
op5 Monitor: Screenshot 2

CyberCop Scanner
http://www.nss.co.uk/
CyberCop Scanner is a network security assessment component that can scan devices on the network for more than 700 vulnerabilities.
It can be configured to search for the vulnerabilities that are of particular concern according to the corporate security policy.
It is known as a sensor component because it is essentially concerned with monitoring and collecting data.
It can run on either a Windows (NT or 2000) or Unix (Red Hat Linux) platform.

CyberCop Scanner (cont'd)
Reporting and analysis:
• Allows comparison of results for two hosts specified by IP address
• Allows comparison of results for two scan sessions specified by date and time
• Provides a graphical summary report with pie charts for different report categories (Complexity, Ease of Fix, Impact, Popularity, Risk Factor, Root Cause)
• Displays results by the difficulty involved in exploiting a vulnerability (Low, Medium, High)
• Displays results by the specific threat posed by a vulnerability (System Integrity, Confidentiality, Accountability, Data Integrity, Authorization, Availability, Intelligence)
• Displays results by the likelihood that a vulnerability will be exploited (Obscure, Widespread, Popular)

CyberCop Scanner: Screenshot 1
CyberCop Scanner: Screenshot 2

Network Auditing Tools

Nessus
http://www.nessus.org/
The Nessus vulnerability scanner is an active scanner featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of your security posture.
It can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks.
Features:
• Credentialed and un-credentialed port scanning
• Network-based vulnerability scanning
• Credentialed patch audits for Windows and most UNIX platforms
• Credentialed configuration auditing of most Windows and UNIX platforms
• Custom and embedded web application vulnerability testing
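The multiple component incident section above recommends centralized logging plus event correlation, then separate prioritization of each component; the network monitoring tools that follow are where the raw events come from. This added example (not code from the ECIH material or from any of the tools listed) correlates the slides' own scenario across three log sources: a mail-gateway detection, host anti-virus infections with the same malware signature, and flow records showing the infected hosts attacking an outside party. The events, host names, the signature name `W32.Constructed`, the two-hour window and the component priority ordering are all constructed assumptions.

```python
"""Event correlation for a multiple component incident: malicious code arrives
by email, further hosts are infected with the same code, and those hosts are
then used to attack an outside party (the scenario in the slides).

Added example, not from the ECIH slides. Events, hosts, signature name, window
and priority ordering are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Components are handled and prioritized separately. External harm comes first
# because of the liability the slides attribute to attacks on outside parties
# (assumed ordering; an organization sets its own).
COMPONENT_PRIORITY = {"outbound-attack": 1, "infection": 2, "delivery": 3}


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str      # mail-gateway | host-av | netflow
    host: str        # internal host the event concerns
    kind: str        # attachment-malware | infection | outbound-attack
    sig: str         # malware signature name, "" when not applicable
    detail: str


@dataclass
class Incident:
    signature: str
    components: dict               # component name -> list of Event

    def prioritized(self):
        """Components in the order they should be worked, each with its priority."""
        return sorted(((name, COMPONENT_PRIORITY[name], evs)
                       for name, evs in self.components.items()), key=lambda c: c[1])


def correlate(events, window=timedelta(hours=2)):
    """Chain delivery -> infections with the same signature -> attacks from infected hosts."""
    events = sorted(events, key=lambda e: e.ts)
    incidents = []
    for d in (e for e in events if e.kind == "attachment-malware"):
        comps = defaultdict(list)
        comps["delivery"].append(d)
        infected_at = {}                       # host -> first confirmed infection time
        for e in events:
            if e.kind == "infection" and e.sig == d.sig and d.ts <= e.ts <= d.ts + window:
                comps["infection"].append(e)
                infected_at.setdefault(e.host, e.ts)
        for e in events:
            t0 = infected_at.get(e.host)
            if e.kind == "outbound-attack" and t0 is not None and t0 <= e.ts <= t0 + window:
                comps["outbound-attack"].append(e)
        if len(comps) > 1:                     # two or more components: one incident, not several
            incidents.append(Incident(d.sig, dict(comps)))
    return incidents


def uncorrelated(events, incidents):
    """Events no chain explains: the 'signs of other components' to look for next."""
    seen = {e for inc in incidents for evs in inc.components.values() for e in evs}
    return [e for e in events if e not in seen]


def _t(hhmm):
    return datetime(2009, 3, 10, *map(int, hhmm.split(":")))


def constructed_events():
    """Constructed events from the central log server, deliberately out of order."""
    s = "W32.Constructed"
    return [
        Event(_t("09:00"), "mail-gateway", "ws-17", "attachment-malware", s, "invoice.zip delivered to j.doe, flagged on rescan"),
        Event(_t("09:05"), "host-av", "ws-17", "infection", s, "invoice.exe executed, quarantine failed"),
        Event(_t("10:12"), "netflow", "ws-17", "outbound-attack", "", "SYN flood to 198.51.100.9:80"),
        Event(_t("09:30"), "host-av", "ws-40", "infection", "PUA.Toolbar", "unrelated detection"),
        Event(_t("09:40"), "host-av", "ws-22", "infection", s, "dropped via admin share from ws-17"),
        Event(_t("10:10"), "netflow", "ws-22", "outbound-attack", "", "SYN flood to 198.51.100.9:80"),
        Event(_t("11:30"), "netflow", "ws-40", "outbound-attack", "", "port sweep of 192.0.2.0/24"),
    ]


if __name__ == "__main__":
    events = constructed_events()
    incidents = correlate(events)
    for inc in incidents:
        print("incident", inc.signature)
        for name, prio, evs in inc.prioritized():
            print(f"  [{prio}] {name}: " + ", ".join(f"{e.host}@{e.ts:%H:%M}" for e in evs))
    print("still unexplained:", [(e.host, e.kind) for e in uncorrelated(events, incidents)])
```

The outbound SYN flood from ws-22 is worked first even though it was logged last, because the priority belongs to the component, not to the order of discovery; the ws-40 events, which share neither the signature nor an infected host, stay unexplained and are handed off as a separate incident rather than being folded into this one.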

Nessus: Screenshot

Security Administrator's Integrated Network Tool (SAINT)
http://www.saintcorporation.com/
SAINT is a vulnerability scanner that scans the network to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network.
The SAINT vulnerability scanner can:
• Detect and fix possible weaknesses in your network's security before they can be exploited by intruders
• Anticipate and prevent common system vulnerabilities
• Demonstrate compliance with current government regulations such as FISMA, SOX, GLBA, HIPAA, and COPPA, and with industry regulations such as PCI DSS

Security Administrator's Integrated Network Tool (SAINT): Features
• Lets you exploit vulnerabilities found by the scanner with the integrated penetration testing tool, SAINTexploit™
• Shows you how to fix the vulnerabilities, and where to begin remediation efforts: with the exploitable vulnerabilities
• Lets you scan and exploit both IPv4 and IPv6 addresses
• Shows you if the network is compliant with PCI security standards
• Allows you to design and generate vulnerability assessment reports quickly and easily
• Shows you if your network security is improving over time by using the trend analysis report
• Provides automatic updates at least every two weeks, or sooner for a critical vulnerability announcement

SAINT: Screenshot

Security Auditor's Research Assistant (SARA)
http://www-arc.com/
Security Auditor's Research Assistant (SARA) is a third-generation network security analysis tool.
Features:
• Operates under Unix, Linux, Mac OS X, or Windows (through coLinux)
• Integrates the National Vulnerability Database (NVD)
• Performs SQL injection tests
• Performs exhaustive XSS tests
• CVE standards support
• Supports remote self-scan and API facilities

SARA: Screenshot

Nmap
http://nmap.org/
Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. It rapidly scans large networks and runs on all major computer operating systems. It uses raw IP packets in novel ways to determine:
• What hosts are available on the network
• What services (application name and version) those hosts are offering
• What operating systems (and OS versions) they are running
• What type of packet filters/firewalls are in use

Nmap: Screenshot

Netcat
http://netcat.sourceforge.net/
Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.
Features:
• Outbound and inbound connections, TCP or UDP, to or from any ports
• Featured tunneling mode which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters
• Built-in port-scanning capabilities with randomizer

Wireshark
http://www.wireshark.org/
Wireshark is the network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.
Features:
• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• Read/write many different capture file formats
• Capture files compressed with gzip can be decompressed on the fly
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

Wireshark: Screenshot
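
Nmap can write its host and service inventory as XML (its -oX output option), which makes a scan easy to audit against what a network is supposed to expose. The following is an added example, not part of the EC-Council material or the Nmap project: it parses a constructed sample in that XML format and reports deviations from an approved-services baseline. The hosts, ports, service strings and the baseline are all invented.

```python
"""Audit Nmap XML output against an approved-services baseline.

Added example, not EC-Council's or the Nmap project's code. Assumes the scan
was written with Nmap's -oX XML output; the sample below is constructed by
hand in that shape, and the hosts, ports and baseline are invented.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX scan.xml 10.0.0.0/29` output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/><service name="krb524"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="filtered"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.30"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: for each inventoried host, the (protocol, port) pairs
# approved to be reachable. Hosts absent here are not supposed to answer at all.
BASELINE = {
    "10.0.0.5": {("tcp", 22), ("tcp", 80)},
    "10.0.0.7": {("tcp", 22), ("tcp", 3306)},
}


def parse_open_ports(xml_text):
    """Return {ip: {(proto, port): service description}} for every host that is up.

    Only ports whose <state> is "open" count; closed and filtered ports are skipped.
    """
    root = ET.fromstring(xml_text)
    inventory = {}
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = {}
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            desc = "unknown"
            if svc is not None:
                fields = (svc.get("name"), svc.get("product"), svc.get("version"))
                desc = " ".join(f for f in fields if f)
            open_ports[(port.get("protocol"), int(port.get("portid")))] = desc
        inventory[addr.get("addr")] = open_ports
    return inventory


def audit(inventory, baseline):
    """Compare a parsed scan with the baseline; returns sorted 5-tuples
    (finding, ip, proto, port, description), where finding is one of:
      unknown-host     - a host answered that the baseline does not list
      unexpected-open  - an open port the baseline does not approve
      missing-expected - an approved port that is no longer open (service
                         down or moved; worth checking either way)
    """
    findings = []
    for ip, ports in inventory.items():
        approved = baseline.get(ip)
        if approved is None:
            for (proto, port), desc in ports.items():
                findings.append(("unknown-host", ip, proto, port, desc))
            continue
        for (proto, port), desc in ports.items():
            if (proto, port) not in approved:
                findings.append(("unexpected-open", ip, proto, port, desc))
        for proto, port in approved - set(ports):
            findings.append(("missing-expected", ip, proto, port, ""))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_open_ports(SAMPLE_NMAP_XML), BASELINE):
        print("%-16s %-10s %s/%s %s" % finding)
```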

Argus - Audit Record Generation and Utilization System
http://www.qosient.com/argus/
Argus, the network audit record generation and utilization system, supports network operations, performance and security management. It processes packets (either capture files or live packet data) and generates detailed status reports of the "flows" that it detects in the packet stream. For many sites, it is used to establish network activity audits that are then used to supplement traditional IDS-based network security. The Argus audit data is used for network forensics, non-repudiation, network asset and service inventory.

Snort
http://www.snort.org/
Snort is an open source network intrusion prevention and detection system (IDS/IPS). It uses a rule-driven language which combines the benefits of signature, protocol and anomaly-based inspection methods. It is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes.

Snort: Screenshot

Network Protection Tools

Iptables
http://www.netfilter.org/
iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. The iptables package includes ip6tables, which is used for configuring the IPv6 packet filter. It requires a kernel that features the ip_tables packet filter.
Features:
• Listing the contents of the packet filter ruleset
• Adding/removing/modifying rules in the packet filter ruleset
• Listing/zeroing per-rule counters of the packet filter ruleset

Proventia Network Intrusion Prevention System (IPS)
http://www.ibm.com/
IBM Proventia Network Intrusion Prevention System (IPS) stops Internet threats before they impact your business and delivers protection to all three layers of the network: core, perimeter and remote segments.
The IBM Proventia Network Intrusion Prevention System (IPS) delivers network protection that is designed to:
• Stop threats before impact without sacrificing high-speed network performance
• Provide a platform for security convergence that helps reduce the cost of deploying and managing point solutions
• Protect networks, servers, desktops and revenue-generating applications from malicious threats
• Conserve network bandwidth and prevent network misuse/abuse from instant messaging and peer-to-peer file sharing
• Prevent data loss and aid compliance efforts

IPS: Screenshot

NetDetector
http://www.niksun.com/
NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics. It acts as a security camera and motion detector for your network by continuously capturing and warehousing network traffic (both packets and statistics).
Features:
• Continuous, in-depth real-time surveillance
• Capture network events the first time and store events for post-event analysis
• Signature and statistical anomaly detection
• Superior drill-down forensic analysis down to packet level
• Advanced reconstruction of web, email, instant messaging, FTP, Telnet, VoIP and other TCP/IP applications

TigerGuard
http://www.tigertools.net/
TigerGuard is designed to centrally manage events and logs and alerts from IDS devices, monitor network and wireless traffic, and perform discovery, vulnerability assessments, event logging, and compliance reporting.
Features:
• Sensor console
• Firewall console
• Network console
• WiFi console
• Event console

TigerGuard: Screenshot 1

TigerGuard: Screenshot 2

Summary
• A Denial-of-Service (DoS) attack prevents authorized users from accessing networks, systems, or applications by exhausting the network resources
• A Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems, known as a botnet, attack a single target to cause a denial of service for the users of the targeted system
• Unauthorized access is a condition where a person gains access to system and network resources which he/she was not authorized to have
• An inappropriate usage incident occurs when a user performs actions that violate the acceptable computing use policies
• A multiple component incident is a single incident that encompasses two or more incidents

EC-Council Certified Incident Handler Version 1
Module VI
Handling Malicious Code Incidents

News: Malicious Program Targets Macs
(CNN) -- Mac computers are known for their near-immunity to malicious computer programs that plague PCs. But that may be changing somewhat, according to computer security researchers. It seems that as sleek Mac computers become more popular, they're also more sought-after targets for the authors of harmful programs. "The bad guys generally go toward the biggest target, what will get them the biggest bang for their buck," said Kevin Haley, a director of security response at Symantec. Until recently, the big target always was Microsoft Windows, and Apple computers were protected by "relative obscurity," he said. But blogs are buzzing this week about what two Symantec researchers have called the first harmful computer program to strike specifically at Macs. This Trojan horse program, dubbed the "iBotnet," has infected only a few thousand Mac machines, but it represents a step in the evolution of malicious computer software, Haley said. The iBotnet is a sign that harmful programs are moving toward Mac, said Paul Henry, a forensics and security analyst at Lumension Security in Arizona. "We all knew it was going to happen," he said. "It was just a matter of time, and, personally, I think we're going to see a lot more of it." The malicious software was first reported in January. It didn't gain widespread attention until recently,
when Mario Ballano Barcena and Alfredo Pesoli of Symantec, maker of the popular Norton antivirus products, detailed the software in a publication called "Virus Bulletin."
Source: http://www.cnn.com

News: Handling Malicious Hackers and Assessing Risk in Real Time
Imagine this… A hacker creates a look-alike website of a well-known bank. He sends across e-mails to customers requesting confidential information, claiming the bank's website is undergoing a revamp or reconstruction. The information sought is confidential customer data. The e-mail has a link embedded in it which, by default, directs the customer to the fake site that the hacker has created. The customer, thinking it to be a genuine communication from the bank, provides the details, which the hacker saves and later uses for fraudulent transactions such as money transfers or procuring critical passwords.
Not a Secure Situation to be in
The rapid growth of online commerce has brought increasing sophistication to Internet fraud. Frauds are executed across multiple access channels. Threats from phishing (the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication), pharming (a hacker's attack aiming to redirect a website's traffic to another bogus website), Trojans (a type of malicious software), key logging (used to retrieve online password entries), and proxy attacks, combined with regulations and mandates (HIPAA, PCI) governing online data piracy, place online security at a premium. If you take a closer look at the illustration in the beginning of this article, you will realize that a simple login procedure makes it easy for a hacker to access online accounts and transactions. To thwart hackers, banks are adopting stringent levels of login procedures, which are more personalized and secure. Some of them include the introduction of additional levels of passwords, personalized background images for login, virtual keyboards, or even a virtual mouse, among others. Whatever you type on the physical keyboard can be tapped by hacking, through key logging. Key logging provides a means to obtain passwords or encryption keys
by bypassing security measures. To prevent this, financial transaction sites are installing virtual keypads and a virtual mouse. Instead of typing the password on the keyboard the normal way, as part of the login process the user will be able to use the cursor to select his or her password on the virtual keyboard. This process helps circumvent the key logging setup enforced by the hacker.
Source: http://businessmirror.com.ph

Module Objective
This module will familiarize you with:
• Virus
• Trojans and Spyware
• Incident Handling Preparation
• Incident Prevention
• Detection and Analysis
• Evidence Gathering and Handling
• Eradication and Recovery
• Recommendations

Module Flow (diagram): Virus; Trojans and Spyware; Incident Prevention; Incident Handling Preparation; Detection and Analysis; Evidence Gathering and Handling; Recommendations

Count of Malware Samples (chart)
Source: http://www.avertlabs.com

Virus
Computer viruses are malicious software programs that infect computers and corrupt or delete the data on them. Viruses spread through email attachments, instant messages, downloads from the Internet, contaminated media, etc.
Viruses are generally categorized as:
• File infectors: attach themselves to program files
• System or boot-record infectors: infect executable code found in certain system areas on a disk
• Macro viruses: infect the Microsoft Word application

Worms
A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. It takes advantage of file or information transport features on the system to travel independently. A worm spreads through the infected network automatically.

Trojans and Spyware
Trojans:
• A Trojan horse is a malicious, security-breaking program that is disguised as a useful program
• Trojans are executable programs that are installed when a file is opened
• Trojans get activated without the intervention of the user
• Unlike viruses, Trojans do not distribute themselves from one system to another
• Trojans allow others to control a user's system
Spyware:
• Spyware is software installed on the computer without the knowledge of the user
• Spyware pretends to be a program that offers useful applications, but it actually acquires information from the computer and sends it to the attacker, who can access it remotely
• Spyware is also known as adware

Incident Handling Preparation
1. Establish a malicious code security policy
2. Install antivirus software
3. Check all files and attachments from websites
4. Check all removable media such as USB drives, diskettes, etc.
5. Users must be aware of malicious code issues
6. Study the antivirus vendor bulletins
7. Install host-based intrusion detection systems on critical hosts
8. Collect malware incident analysis resources
9. Acquire malware incident mitigation software
10. Establish the procedure for reporting malicious code incidents

Incident Prevention
• Use antivirus software
• Designate a point of contact for reporting malicious code
• Block the installation of spyware software
• Remove suspicious files
• Filter spam
• Limit the use of unnecessary programs with FTP capabilities
• Alert users about handling email attachments
• Close open Windows shares
• Use the web browser's security settings to block malicious code
• Prevent the open transmission of e-mail
• Secure the e-mail clients

Detection of Malicious Code
Case 1. Host is infected by a virus which is delivered via e-mail
Signs of the presence of malicious code include:
• Antivirus software detects the infected files
• Increase in the number of e-mails sent and received
• Change in the template of word processing documents
• Deletion or corruption of files
• System files become inaccessible
• Odd messages and graphics appear on screen
• Some programs start and run slowly, or do not run at all
• System becomes unstable or crashes
• Indication of root compromise of a host if the virus achieves root-level access
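
An "increase in the number of e-mails sent" (Case 1 above) is only a usable sign if someone measures it. The following is an added example, not part of the EC-Council material: it runs a sliding-window check over constructed mail-relay log lines and flags a host that suddenly sends many messages to many distinct recipients, the mass-mailing pattern of an e-mail-borne virus. The log line format, hosts, addresses and thresholds are all invented.

```python
"""Flag hosts that suddenly send an unusual volume of e-mail (mass-mailer sign).

Added example, not EC-Council's material. The log line format, hosts,
addresses and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one line per delivery attempt recorded by the relay.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay=(?P<relay>\S+) from=(?P<sender>\S+) "
    r"to=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)


def _line(ts, relay, sender, rcpt, status="sent"):
    return "%s relay=%s from=%s to=%s status=%s" % (ts.isoformat(), relay, sender, rcpt, status)


def build_sample_log():
    """Constructed sample: a normal workstation plus one that starts mass-mailing."""
    t0 = datetime(2009, 4, 22, 10, 0, 0)
    lines = [
        _line(t0, "10.0.0.12", "alice@corp.example", "bob@corp.example"),
        _line(t0 + timedelta(minutes=25), "10.0.0.12", "alice@corp.example", "dave@partner.example"),
        _line(t0 + timedelta(minutes=55), "10.0.0.12", "alice@corp.example", "bob@corp.example"),
        "garbage line the parser must skip",
    ]
    # 25 messages in just over four minutes, each to a different recipient.
    for i in range(25):
        lines.append(_line(t0 + timedelta(minutes=30, seconds=10 * i), "10.0.0.33",
                           "carol@corp.example", "user%02d@ext%02d.example" % (i, i)))
    return lines


def parse_log(lines):
    """Yield (timestamp, relay, recipient) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.fromisoformat(m.group("ts")), m.group("relay"), m.group("rcpt")


def find_mass_mailers(lines, window=timedelta(minutes=10), max_msgs=20, min_recipients=15):
    """Return {relay: alert} for relays that exceed max_msgs within `window`
    while also reaching at least min_recipients distinct recipients.

    A spike with few recipients (a busy thread) is not alerted; a spike to many
    distinct recipients is the classic mass-mailing signature.
    """
    by_relay = defaultdict(list)
    for ts, relay, rcpt in parse_log(lines):
        by_relay[relay].append((ts, rcpt))

    alerts = {}
    for relay, events in by_relay.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window so that events[start:end+1] all fall within `window`.
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count <= max_msgs:
                continue
            recipients = {r for _, r in events[start:end + 1]}
            if len(recipients) >= min_recipients:
                alerts[relay] = {"messages": count, "recipients": len(recipients),
                                 "window_start": events[start][0]}
                break  # one alert per relay is enough
    return alerts


if __name__ == "__main__":
    for relay, alert in find_mass_mailers(build_sample_log()).items():
        print(relay, alert)
```

The thresholds are per-site tuning knobs; a relay's normal hourly volume is the right starting point for max_msgs.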

Detection of Malicious Code (Cont'd)
Case 2. Host is infected by a worm that propagates through a vulnerable service
Signs of the presence of malicious code include:
• Antivirus software detects the infected files
• Failure in connection attempts targeted at the vulnerable services
• Increase in network usage
• Programs start and run slowly, or do not run at all
• System becomes unstable or crashes

Detection of Malicious Code (Cont'd)
Case 3. Trojan horse gets installed and runs on a host
Signs of the presence of malicious code include:
• Antivirus software will detect the Trojan horse versions of files
• Network IDS alerts on the Trojan horse client-server communications
• Log entries of the firewall and router for Trojan horse client-server communications
• Network connections between the host and unknown remote systems
• Unusual open ports
• Unknown running processes
• Programs start and run slowly, or do not run at all
• System becomes unstable or crashes
• Indication of root compromise of a host if the Trojan achieves root-level access

Detection of Malicious Code (Cont'd)
Case 4. Host infected with a virus, worm, or Trojan horse using malicious mobile code on a website
• A strange dialog box will appear requesting permission to run a program
• Abnormal graphics will appear, such as overlapping and overlaid message boxes
Case 5. Malicious mobile code on a website exploits vulnerabilities on a host
• A strange dialog box will appear requesting permission to run programs
• Abnormal graphics will appear, such as overlapping and overlaid message boxes
• Increase in the number of emails being sent or received
• Network connections between the host and unknown remote systems
• Indication of root compromise of a host if the mobile code achieves root-level access

Detection of Malicious Code (Cont'd)
Case 6. When the user receives a virus hoax message
• The original source appears to be from a government agency or from an important official person
• It does not link to outside sources
• The message requires an urgent action
• It prompts to delete certain files or to forward the message

Containment Strategy
• Recognize and separate the infected hosts from the information system
• Register the unidentified malicious code with antivirus vendors
• Configure email servers and clients to block emails
• Block particular hosts
• Shut down the email servers
• Isolate networks from the Internet
• Ensure the user's participation
• Disable services
• Disable connectivity

Evidence Gathering and Handling
Forensic Identification
• It is the practice of identifying the infected systems by looking for the evidence of the latest infection
Active Identification
• This method is used to identify the hosts which are currently infected
Manual Identification
• Labor intensive, but it is important as it provides appropriate identification of the infected hosts

Eradication and Recovery
• Antivirus and antispyware software can identify infected files, but some of the infected files cannot be recovered
• If the malicious code provides attackers with root-level access, then it becomes hard to determine what other actions the attackers have performed
• In some cases, infected files are restored from a previous uninfected backup or can be rebuilt from scratch

Recommendations
• Establish a malicious code security policy
• Users must be aware of malicious code issues
• Study antivirus bulletins
• Install host-based intrusion detection systems on critical hosts
• Use antivirus software, and keep it updated with the latest virus signatures
• Configure software to block suspicious files
• Close open Windows shares
• Deal with malicious code incidents as quickly as possible

Antivirus Systems

Symantec: Norton AntiVirus 2009
http://www.symantec.com/
Symantec Norton AntiVirus 2009 protects computer systems
from malicious programs such as viruses, worms, Trojans, spyware, etc.
Features:
• Protects against viruses, spyware, Trojan horses, worms, bots, and rootkits
• Pulse updates every 5 to 15 minutes or faster
• Intelligence-driven technology for faster, fewer, shorter scans
• Blocks browser, OS, and application threats; protects against infected Web sites
• Protects against the latest threats with a proactive multilayered protection system
• Real-time SONAR technology detects emerging spyware and viruses before traditional definitions are available

Norton AntiVirus 2009: Screenshot

Kaspersky Anti-Virus 2010
http://www.kaspersky.com/
Kaspersky Anti-Virus 2010 offers real-time automated protection from a range of IT threats.
Features:
• Real-time scanning of files, web pages, and e-messages
• Disabling of links to malicious websites
• Blocking of suspicious programs based on their behavior
• Protection from hijacking of your PC
• Toolbar for Internet browsers to warn you about infected or unsafe websites
• Urgent Detection System to stop fast-emerging threats
• Scans the system and installed applications for vulnerabilities
• Enter logins and passwords using a secure Virtual Keyboard
• Remove activity traces in your Internet browser (history, cookies, etc.)
• Protection against identity theft by keyloggers and screen-capture malware

Kaspersky Anti-Virus 2010: Screenshot

AVG Anti-Virus
http://www.avg.com/
AVG Anti-Virus protects computer systems from malicious programs such as viruses, worms, Trojans, spyware, etc.
Features:
• Anti-Virus: protection against viruses, worms, and Trojans
• Anti-Spyware: protection against spyware, adware, and identity theft
• Anti-Rootkit: protection against hidden threats (rootkits)
• WebShield and LinkScanner: protection against malicious websites
• Real-time security while you surf and chat online

AVG Anti-Virus: Screenshot

McAfee VirusScan Plus
http://home.mcafee.com/
McAfee VirusScan Plus offers essential PC security with accelerated performance.
Features:
• Anti-virus, anti-spyware, and SiteAdvisor protect you from malicious software
• Firewall blocks outsiders from hacking into your PC
• SiteAdvisor rates website safety before you click, with red, yellow or green colors
• Online account management lets you easily add other PCs to your subscription
• QuickClean safely removes junk files that slow your PC and take up space on your hard drive

McAfee VirusScan Plus: Screenshot

BitDefender Antivirus 2009
http://www.bitdefender.com/
BitDefender Antivirus 2009 provides advanced proactive protection against viruses, spyware, phishing attacks and identity theft.
Features:
• Scans all web, e-mail, and instant messaging traffic for viruses and spyware, in real time
• Protects against new virus outbreaks using advanced heuristics
• Blocks attempted identity theft (phishing)
• Prevents personal information from leaking via e-mail, web, or instant messaging
• Reduces the system load and avoids requesting user interaction during games

BitDefender Antivirus 2009: Screenshot

F-Secure Anti-Virus 2009
http://www.f-secure.com/
F-Secure Anti-Virus 2009 provides advanced and affordable protection against viruses, spyware intrusions, and infected e-mail. Its automatic updates and DeepGuard 2.0 cloud computing technology provide protection against new threats.
Features:
• Protection against viruses, worms, rootkits and other malware
• Real-time protection against spyware
• Provides instant protection against new threats (DeepGuard 2.0)
• Scans e-mail for viruses and malicious code
• Automatic updates for both virus definitions and the software

F-Secure Anti-Virus 2009: Screenshot

Trend Micro AntiVirus plus AntiSpyware 2009
http://www.trendmicro.com/
Trend Micro AntiVirus plus AntiSpyware 2009 safeguards data and files from malicious activities.
Features:
• Protects against current and future viruses
• Defends your personal information with anti-spyware technology
• Provides real-time protection with automated computer scans
• Prevents unauthorized changes
• Cleans browser history, cookies and unnecessary files
• Provides customizable security warnings
• Quarantines suspicious files

Trend Micro AntiVirus plus AntiSpyware 2009: Screenshot

HijackThis
http://www.trendsecure.com/
HijackThis is a free utility which quickly scans systems running Windows OS to find settings that may have been changed by spyware, malware, or other unwanted programs. It creates a report with the results of the scan.

Tripwire Enterprise
http://www.tripwire.com/
Tripwire Enterprise combines configuration assessment and change auditing in a single infrastructure management solution that delivers enterprise-wide control of physical and virtual configurations. It comes with policies that cover such diverse regulatory standards as Payment Card Industry (PCI) and Sarbanes-Oxley (SOX), as well as security standards like those from the National Institute of Standards and Technology (NIST).
Features:
• Change auditing
• Configuration assessment
• Sample reports

Tripwire Enterprise: Screenshot

Stinger
http://vil.nai.com/
Stinger is a stand-alone utility used to detect and remove specific viruses. It utilizes next-generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations.
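
Change auditing of the kind Tripwire Enterprise performs, and the file integrity checkers this module recommends for critical hosts, rest on one mechanism: hash every monitored file into a baseline kept off the host, then re-hash later and diff. The following is an added example, not EC-Council's or Tripwire's code, that implements that mechanism over a constructed directory tree; the file names and contents are invented and live in a temporary directory.

```python
"""Minimal file integrity checker: baseline a tree, re-scan it, report changes.

Added example, not EC-Council's or Tripwire's code. The directory tree, file
names and contents are constructed inside a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=65536):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root) to its size and SHA-256."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # regular files only; symlinks need their own policy
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": sha256_of(full)}
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    # The baseline must live off the monitored host (or be signed): whoever can
    # alter the files could otherwise alter the baseline to match.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "etc/motd", b"Welcome to host-01\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "bin/service", b"#!/bin/sh\necho service running\n")
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)

        # Simulated tampering: one binary altered, one file dropped, one deleted.
        _write(root, "bin/service", b"#!/bin/sh\necho service running\n# altered\n")
        _write(root, "tmp/dropped.bin", b"\x00\x01\x02")
        os.remove(os.path.join(root, "etc/motd"))

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```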

Summary
• Computer viruses are software programs meant to infect computers and corrupt or delete the data
• A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself
• Forensic identification is the practice of identifying infected systems by looking for evidence of recent infections
• Antivirus and antispyware software can identify the infected files, but some of the infected files cannot be recovered
• Deploy host-based intrusion detection and prevention systems, including file integrity checkers, to critical hosts

Sample EC-Council Certified Incident Handler Version 1
Module VIII
Forensic Analysis and Incident Response

News: Microsoft Computer Online Forensic Evidence Extractor Free for Interpol
The Microsoft COFEE evidence extracting tool will be made available to Interpol for free, per an agreement between the Redmond company and the International Criminal Police Organization. The software giant announced that the Computer Online Forensic Evidence Extractor would be distributed by Interpol internationally, in no less than 187 markets worldwide. The move is just one aspect of a broader Microsoft strategy designed to protect people both physically and virtually in collaboration with governments around the world. In this regard, the Redmond company used the Worldwide Public Safety Symposium to launch the Citizen Safety Architecture as well as to promise support for Interpol's Security Initiative (GSI). "Given the direct correlation between the declining economy and the rise of public safety concerns, there is a pressing need for innovative, collaborative and integrated solutions, like Citizen Safety Architecture, that deliver to governments the tools they need to ensure the safety of their citizens," explained Tim Bloechl, managing director for worldwide public safety and national security at Microsoft. The Citizen Safety Architecture has at its basis a variety of tools dedicated to not just cutting costs, but also boosting what
Microsoft referred to as multiagency operational effectiveness, as well as streamlining collaboration and information sharing. The Redmond company indicated that the Citizen Safety Architecture was based on Microsoft Single View Platform (SVP), Microsoft FusionX, "Eagle," Microsoft Intelligence Framework, the Microsoft Incident Response Platform and Global Security Operations Centers (GSOCs). "Microsoft and INTERPOL recognize the strong synergies between Citizen Safety Architecture and GSI, and our pledge to develop a long-term relationship with organizations like INTERPOL supports the overall goal of Citizen Safety Architecture," Bloechl added. In addition to the Citizen Safety Architecture framework, the software giant will also provide Interpol with COFEE, a tool designed to extract forensic evidence from live computer activity. In this manner, Interpol officers will be able to harvest and then use evidence that would otherwise not be available through traditional offline forensic analysis, Microsoft underlined.
Source: http://news.softpedia.com/

Module Objective
This module will familiarize you with:
• Computer Forensics
• Forensic Readiness
• Types of Computer Forensics
• Computer Forensics Process
• Digital Evidence
• Collecting Electronic Evidence
• Forensic Policies
• Forensic Analysis Guidelines

Module Flow (diagram): Computer Forensics; Forensics Preparedness; Computer Forensics Process; Types of Computer Forensics; Digital Evidence; Collecting Electronic Evidence; Forensic Analysis Guidelines; Forensic Policies

Computer Forensics
"A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format"
- Dr. H.B. Wolfe

Objectives of Forensic Analysis
• To recover, analyze, and preserve computer and related materials in such a way that they can be presented as evidence in a court of law
• To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator

Role of Forensic Analysis in Incident Response
• Forensic analysis helps in determining the exact cause of an incident
• It helps in generating a timeline for the incident, which helps in correlating different incidents
• Forensic analysis of the affected system helps in determining the nature of incidents and the impact of the incident
• It helps in tracking the perpetrators of the crime or incident
• It extracts, processes, and interprets the factual evidence so that it proves the attacker's actions in court
• It saves the organization's money and time by conducting a damage assessment of the victimized network
• It also saves organizations from legal liabilities and lawsuits

Forensic Readiness
Forensic readiness may be defined as a state of incident response preparedness that enables an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation. It also minimizes the risk of internal threats and acts as a preemptive measure.
Objectives:
• Maximizing an environment's ability to collect credible digital evidence
• Minimizing the cost of forensics during an incident response

Forensic Readiness and Business Continuity
Forensic readiness allows businesses to:
• Quickly determine the incidents
• Understand the relevant information
• Minimize the required resources
• Remove the threat of repeated incidents
• Quickly recover from damage with less downtime
Lack of forensic readiness may result in:
• Loss of clients, thereby damaging the organization's reputation
• System downtime
• Data manipulation, deletion, and theft

Types of Computer Forensics
Disk Forensics
• It is the process of acquiring and analyzing the data stored on physical storage media
Network Forensics
• It can be defined as the sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate a network security incident
tworktrafficandeventlogsinordertoinvestigateanetworksecurityincidentE-mailForensics•ItistheprocessofstudyingthesourceandcontentofanemailInternet(Web)Forensics•ItistheapplicationofscientificandlegallysoundmethodsfortheinvestigationofInternetcrimesSourceCodeForensics•ItistheprocessofdeterminingthesoftwareownershipandcopyrightissuesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedComputerForensicInvestigatorComputerforensicinvestigatormusthaveknowledgeofgeneralcomputerskillssuchashardware,software,O.S,applications,etc.TheinvestigatormustperformaproperinvestigationtoprotectthedigitalevidenceTheinvestigatormustbecertifiedfromauthorizedorganizationsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedPeopleInvolvedinComputerForensicsAttorney:•Giveslegaladviseoncollection,preservationandpresentationofevidencePhotographer:•PhotographsthecrimesceneandtheevidencegatheredIncidentResponder:•ResponsibleforincidenthandlingandresponseDecisionMaker:EC-Council•ResponsibleforauthorizationofapolicyorprocedurefortheinvestigationprocessCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedPeopleInvolvedinComputerForensics(cont’d)IncidentAnalyzer:•AnalyzestheincidentsbasedontheiroccurrenceEvidenceExaminer/Investigator:•Examinestheevidenceacquired,andsortsusefulevidenceEvidenceDocumenter:•DocumentsalltheevidenceandthephasespresentintheinvestigationprocessEC-CouncilEvidenceManager:•ManagestheevidenceinsuchawayastomakeaproceduralwayofevidencefoundExpertWitness:•OffersaformalopinionasatestimonyinthecourtoflawCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedComputerForensicsProcessPreparationItenableseasycoordinationamongstaffandprovidesbaselineprotectionCollectionItistheprocessofidentifying,labeling,recording,andacquiringdatafromallpossiblesourcesExaminationItinvolvesprocessingoflargeamountofcollecteddatausingacombinationofautomatedandmanualmethodsEC-CouncilCopyright©byEC-CouncilAllRightsRe
served.ReproductionisStrictlyProhibitedComputerForensicsProcess(cont’d)AnalysisItistheprocessofanalyzingtheresultsoftheinvestigationusinglegallyjustifiablemethodsandtechniquesReportingInthisphase,theanalysisresultsarereportedandrecommendationsareprovidedforimprovingpolicies,guidelines,procedures,tools,andotheraspectsoftheforensicprocessEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedDigitalEvidenceDigitalevidenceisdefinedas“anyinformationofprobativevaluethatiseitherstoredortransmittedinadigitalform”Digitalevidenceisfoundinthefiles,suchas:•••••••GraphicsfilesAudioandvideorecordingandfilesWebbrowserhistoryServerlogsWordprocessingandspreadsheetfilesE-mailsLogfilesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCharacteristicsofDigitalEvidenceAdmissible•EvidencemustberelatedtothefactbeingprovedAuthentic•EvidencemustberealandrelatedtotheincidentinaproperwayComplete•Evidencemustprovetheattacker’sactionsReliable•EvidencemustnotcastdoubtontheauthenticityandveracityoftheevidenceBelievable•EvidencemustbeclearandunderstandablebytheujdgesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCollectingElectronicEvidenceListthesystemsinvolvedintheincidentandfromwhichsystemsevidencecanbecollectedForeachsystem,obtaintherelevantorderofvolatilityRecordtheextentofthesystem'sclockdriftCollecttheevidencefromallthepeoplewhoaffectedbytheincidentEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCollectingElectronicEvidence(cont’d)Electronicevidenceresidesin:DataFiles:••••••Officedesktopcomputer/workstationNotebookcomputerHomecomputerComputerofpersonalassistants/secretary/staffPalmtopdevicesNetworkfileservers/mainframes/mini-computersBackupTapes:•System-widebackups(monthly/weekly/incremental)•Disasterrecoverybackups(storedoffsite)•Personalor“adhoc”backups(lookfordiskettesandotherportablemedia)EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyP
rohibitedCollectingElectronicEvidence(cont’d)OtherMediaSources:•Tapearchives•Replaced/removeddrives•Floppydiskettesandotherportablemedia(e.g.,CDs,Zipcartridges)EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEvidenceCollectionFormTemplateForensicAnalystMakingSeizureFullName:Title:Phone:DepartmentComments:Signature:Dateandtime:WitnessSignatureFullName:Title:Phone:DepartmentFullAddress:Signature:EC-CouncilRoomNoBuildingAddressLine1AddressLine2AddressLine3AddressLine4PostcodeDateandtime:Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEvidenceCollectionFormTemplate(cont’d)S.No.EvidencesMakeDetails12345678910EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedChallengingAspectsofDigitalEvidenceDigitalevidencearefragileinnatureDuringtheinvestigationofthecrimescene,ifthecomputeristurnedoff,thedatawhichisnotsavedcanbelostpermanentlyDuringtheinvestigation,digitalevidencecanbealteredmaliciouslyorunintentionallywithoutleavinganyclearsignsofalterationDigitalevidenceiscircumstantialthatmakesitdifficultfortheforensicsinvestigatortodifferentiatethesystem’sactivityAftertheincident,ifauserwritessomedatatothesystem,itmayoverwritethecrimeevidenceEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedForensicPolicyForensicpolicyisasetofproceduresdescribingtheactionstobetakenwhenanincidentisobservedItdefinestherolesandresponsibilitiesofallpeopleperformingorassistingtheforensicactivitiesItshouldincludeallinternalandexternalpartiesthatmaybeinvolvedandalsoindicateswhoshouldcontactwhichpartiesItexplainswhatactionsshouldandshouldnotbeperformedundernormalandspecialconditionsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedForensicPolicy(cont’d)OrganizationsshouldensurethattheirpoliciescontainclearstatementsthataddressallmajorforensicconsiderationsTheyshouldallowauthorizedpersonneltomonitorsystemsandnetworksandperforminvestigationsSeparatepoliciess
houldbemaintainedforincidenthandlersandotherswithpredefinedforensicrolesOrganization’sforensicpolicyshouldbeconsistentwiththeotherpoliciesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedForensicsintheInformationSystemLifeCycleRegularbackupsofsystemsshouldbeperformedForsecuringcentralizedlogservers,auditreportsshouldbeforwardedbyauditingtheworkstations,servers,andnetworkdevicesForauditing,missioncriticalapplicationsshouldbeconfiguredMaintainadatabaseoffilehashesforthefilesofcommonOSandapplicationdeploymentsFileintegritycheckingsoftwareshouldbeusedforprotectingimportantassetsNetworkandsystemconfigurationsrecordsshouldbemaintainedDataretentionpoliciessupportingsystemandnetworkactivitiesshouldbeimplementedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedForensicAnalysisGuidelinesOrganizationsshould:•Haveacapabilitytoperformcomputerandnetworkforensics•Determinewhichpartiesshouldhandleeachaspectofforensics•Createandmaintainguidelinesandproceduresforperformingforensictasks•Performforensicsusingaconsistentprocess•Beproactiveincollectingusefuldata•AdheretostandardoperatingprocedureasspecifiedbylocallawsandstandardmakingbodiessuchasIOCE&SWGDEwhilecollectingdigitalevidenceSource:http://csrc.nist.gov/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedForensicsAnalysisToolsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedHelixhttp://www.e-fense.com/Helixisabootablecomputerforensictoolkitprovidingincidentresponse,computerforensicsande-discoveryinoneinterfaceHelixisacustomizeddistributionoftheKnoppixLiveLinuxCDYoucanbootintoacustomizedLinuxenvironmentthatincludescustomizedLinuxkernels,excellenthardwaredetectionandmanyapplicationsdedicatedtoIncidentResponseandForensicsHelixhasbeenmodifiedverycarefullytoNOTtouchthehostcomputerinanywayanditisforensicallysoundHelixhasaspecialWindowsautorunsideforIncidentResponseandForensicsHelixfocusesonIncidentResponse&Fo
rensicstoolsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedToolsPresentinHelixCDforWindowsForensicsWindowsForensicsToolchest(WFT)IncidentResponseCollectionReport(IRCR2)PuttySSHScreenCaptureMessengerPasswordFirstResponder’sEvidenceDisk(FRED)MailPasswordViewerFirstResponderUtility(FRU)ProtectedStorageViewerSecurityReports(SecReport)NetworkPasswordViewerMd5GeneratorRegistryViewerCommandShellAsteriskLoggerFileRecovery–recoverdeletedfilesIEHistoryViewerRootkitRevealerVNCServerEC-CouncilIECookieViewerMozillaCookieViewerCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedHelix:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedHelix:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedHelix:Screenshot3EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedWindowsForensicToolchesthttp://www.foolmoon.net/WindowsForensicToolchest(WFT)isdesignedtoprovideastructuredandrepeatableautomatedLiveForensicResponse,IncidentResponse,orAuditonaWindowssystemwhilecollectingsecurity-relevantinformationfromthesystemItisessentiallyaforensicallyenhancedbatchprocessingshellcapableofrunningothersecuritytoolsandproducingHTMLbasedreportsinaforensicallysoundmannerItprovidesextensiveloggingofallitsactionsalongwithcomputingtheMD5/SHA1checksumsalongthewaytoensurethatitsoutputisverifiableEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedWindowsForensicToolchest(cont’d)Features:•Providesstructuredandrepeatableliveforensicresponse,incidentresponse,oraudit•Abilitytorunlocally,viaCD/DVD,orthumbdrive•Verificationofallexecutedtools•Supportformd5hash•AbilitytoverifyWFTconfigurationfiles•AutomaticupdatingofWFThashvaluesfortools•User-editableconfigurationfilecontrolsexecution•Generationofbothrawtextandhtmlreports•Abilitytoruncommandsbasedonrun-timeOSEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrict
lyProhibitedWindowsForensicToolchest:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedWindowsForensicToolchest:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedKnoppixLinuxhttp://www.knopper.net/KNOPPIXisabootableLivesystemonCDorDVD,consistingofarepresentativecollectionof•GNU/Linuxsoftware•Automatichardwaredetection•Supportformanygraphicscards,soundcards,SCSIandUSBdevicesandotherperipheralsItcanbeusedasaproductiveLinuxsystemforthedesktop,educationalCD,rescuesystem,oradaptedandusedasaplatformforcommercialsoftwareproductdemosEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedKnoppixLinux:ScreenshotEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedTheCoroner'sToolkit(TCT)http://www.porcupine.org/TCTisacollectionofprogramsbyDanFarmerandWietseVenemaforapost-mortemanalysisofaUNIXsystemafterbreak-inTCTcomponentsare:••••EC-CouncilGrave-robbertool:ThistoolcapturesinformationIlsandmactimetools:ThesetoolsdisplayaccesspatternsoffilesdeadoraliveUnrmandlazarustools:ThesetoolsrecoverdeletedfilesFindkeytool:ThistoolrecoverscryptographickeysfromarunningprocessorfromfilesCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEnCaseForensichttp://www.guidancesoftware.com/EnCaseForensicisaninvestigationplatformthatcollectsdigitaldata,performsanalysis,reportsonfindings,andpreservestheminacourtvalidated,forensicallysoundformatItgivesinvestigatorstheabilitytoimageadriveandpreserveitinaforensicmannerusingtheEnCaseevidencefileformat(LEForE01)Features:••••••••••AdvancedsearchoptionsInternetandemailinvestigationsupportCourtvalidatedlogicalevidencefileformatMultipleviewersInstantmessageanalysisEnScript®programmingBookmarkingReportingSupportforthemostsystemfilesMultipleacquisitionoptionsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEnCaseForensic:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRi
ghtsReserved.ReproductionisStrictlyProhibitedEnCaseForensic:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedTHEFARMER'SBOOTCD(FBCD)http://www.forensicbootcd.com/TheFBCDprovideswithaforensicenvironmenttosafelyandquicklypreviewdatastoredwithinvariousstoragemedia(suchasinternalandexternalharddrives,USBthumbdrives,digitalmusicplayers,digitalcameras,SDandcompactflashcards,etc.)UsingTheFBCD,youcan:••••••••••••••Mountfilesystemsinaforensicallysoundmanner,usingaGUIPreviewdatausingasingle,unifiedGUI(Delve)Authenticate,AcquireandAnalyzestoragemediaDecryptEFS-encryptedfilesAccessandparsetheWindowsRegistryGeneratethumbnailsforgraphicsfilesDumpfilemeta-data(graphicsfiles,PDFdocuments,etc.)ObtainthepasswordsforsystemusersUndeletefilesfromtheext2,FAT,andNTFSfilesystemtypesIdentifyandresetHostProtectedAreas(HPA)onIDEdrivesDumpthesystemBIOStablesParsetheWindowspagefile.sysfilefore-mailaddressesandURLsDumpfilesystemmeta-data(initializeddate,lastmountdate,etc.)ReadvariousWindowsandLinuxlogfilesParsewebbrowsercachefilesforhistoryandcookieinformationEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedFBCD:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedFBCD:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedDumpReghttp://www.systemtools.com/DumpRegisaprogramforWindowsthatdumpstheregistry,makingiteasytofindkeysandvaluescontainingastringTheregistryentriescanbesortedbyreverseorderoflastmodifiedtime,makingiteasytoseechangesmadebyrecentlyinstalledsoftwareEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedDumpSechttp://www.systemtools.com/DumpSecisasecurityauditingprogramforMicrosoftWindows®NT/XP/200xItdumpsthepermissions(DACLs)andauditsettings(SACLs)forthefilesystem,registry,printers,andsharesinaconcise,readableformat,sothatholesinsystemsecurityarereadilyapparentItalsodumpsuser,groupandreplicationinfor
mationEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedDumpEvthttp://www.systemtools.com/SomarSoft'sDumpEvtisaWindowsNT/200xprogramtodumptheeventloginaformatsuitableforimportingintoadatabaseItissimilartotheDUMPELutilityintheMicrosoftWindowsResourceKit,butwithoutsomeofthelimitationsItallowsdumpingofWindows200xeventlogs(DNS,FileReplication,andDirectoryService)EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedFoundstoneForensicToolKithttp://www.foundstone.com/FoundstoneForensicToolKitcontainsseveralWin32CommandlinetoolsthatcanhelpyouexaminethefilesonaNTFSdiskpartitionforunauthorizedactivityFeatures:•••••AFindallowsyoutosearchforaccesstimesbetweencertaintimeframesHFindscansthediskforhiddenfilesSFindscansthediskforhiddendatastreamsandliststhelastaccesstimesFileStatisaquickdumpofallfileandsecurityattributesHuntisaquickwaytoseeifaserverrevealstoomuchinfoviaNULLsessionsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSysinternalsSuitehttp://technet.microsoft.com/TheSysinternalssuiteisabundleofsomeofthefollowingselectedSysinternalsutilities:AccessChkGivesspecificusersorgroupsaccessinformationAccessEnumGivesafullviewofyourfilesystemandRegistrysecuritysettingsAdExplorerExploreanADdatabase,definefavoritelocations,viewobjectpropertiesandattributesAdRestoreEnumeratesthedeletedobjectsinadomainAutologonEnablesyoutoeasilyconfigureWindows’built-inautologonmechanismAutorunsShowswhatprogramsareconfiguredtorunduringsystembootuporloginCacheSetAllowstomanipulatetheworking-setparametersofthesystemfilecacheLDMDumpShowsthecontentsoftheLDMdatabaseListDLLsShowyouthefullpathnamesofloadedmodulesPsLogListDumpthecontentsofanEventLogonthelocaloraremotecomputerPsPasswdAllowschangingofaccountpasswordsonthelocalorremotesystemsinbatchesPsServiceServiceviewerandcontrollerforWindowsNTFSInfoShowsyouinformationaboutNTFSvolumesRegMonItisaRegistrymonitoringutilityRootkitRevealerAdvancedrootkitdetectionutilityEC-
CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedNSLOOKUPhttp://www.kloth.net/NSLOOKUPisanonlineservicetolookupinformationintheDNS(DomainNameSystem[RFC1034,RFC1035,andRFC1033])ItisaprogramtoqueryInternetdomainnameserversIthastwomodes:•Interactivemode:Thismodeallowstheusertoquerynameserversforinformationaboutvarioushostsanddomains•Non-interactivemode:ThismodeisusedtoprintjustthenameandrequestedinformationforahostEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibiteddig–DNSLookupUtilityhttp://members.shaw.ca/dig(domaininformationgroper)isaflexibletoolforinterrogatingDNSnameserversItperformsDNSlookupsanddisplaystheanswersthatarereturnedfromthenameserver(s)thatwerequeriedItisnormallyusedwithcommand-lineargumentsItalsohasabatchmodeofoperationforreadinglookuprequestsfromafileDigSynopsis•dig[@server][-baddress][-cclass][-ffilename][-kfilename][-pport#][-ttype][xaddr][-yname:key][name][type][class][queryopt...]•dig[-h]•dig[global-queryopt...][query...]Atypicalinvocationofdiglookslike:•dig@servernametypeEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedWhoishttp://www.nsauditor.com/WhoiscommunicateswithWHOISserverslocatedaroundtheworldtoobtaindomainregistrationinformationItsupportsIPaddressqueriesandautomaticallyselectstheappropriatewhoisserverforIPaddressesThistoollooksupinformationonadomain,IPaddress,ordomainregistrationinformationEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedWhois:ScreenshotEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedVisualRoutehttp://www.visualroute.com/VisualRoutetraceroutesoftwareprovidesIPv4andIPv6traceroute,pingtest,multipleroutediscoveryandconnectivityanalysisreportsItalsohelpsindeterminingactualcauseofconnectivityproblempinpointsinthenetworkwhereaproblemoccursFeatures:•••••••EC-CouncilGraphicalviewoftraceroute,ping,reverseDNSconnectivityanalysisIPlocationreportingWhoislookups,networkprov
iderreportingOmnipath™multiplepathdiscoveryNetvu™multipleroutetopologygraphApplicationporttesting,portprobing,DNSperformancetestingContinuousconnectiontestingwithreporthistoryCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedVisualRoute:ScreenshotEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedNetstatCommandhttp://chiht.dfn-cert.de/netstatisausefultoolforcheckingnetworkconfigurationandactivityThenetstatcommandprovidesinformationfromvariousdatastructuresinthenetworkstackThisinformationcanincludecurrentnetworkconnectionsandlisteningservers,routingtables,ARPcachesetc.EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedLinux:DDCommandhttp://chiht.dfn-cert.de/TheddcommandisusedtomakebinarycopiesofcomputermediaItisusedasasimplediskimagingtoolifgivenarawdiskdeviceasitsinputForensicInvestigatorsusethebuilt-inLinuxcommand“dd”tocopydatafromadiskdriveThe“dd”commandcancopydatafromanydiskthatLinuxcanmountandaccessOtherforensictoolssuchasAccessDataFTKandIlookcanreadddimagefilesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedLinux:FindCommandhttp://chiht.dfn-cert.de/ThefindcommandisbuiltintomanyversionsofUnix,butisalsoavailableaspartoftheGNUbinutilspackageforbothUnixandWindowsFindcanbeusedtosearchthroughadirectorytreelookingforfilesthathaveparticularnames,permissions,oralmostanyothercombinationofattributesSyntax•find[-H][-L][-P][path...][expression]EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedLinux:ArpCommandhttp://chiht.dfn-cert.de/TheAddressResolutionProtocolisusedbycomputerstotranslateIPaddressesformachinesonthelocalnetworksegmentintoEthernetaddressesItdescribesthestandardformappingEthernetaddressesinthelocalsubnettoIPaddressesMostoperatingsystemsmaintainacacheofthisinformation,andthearpcommandcanbeusedtoprintoutthecurrentcontentsofthiscacheSyntax:•C:\>arp-aEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStr
ictlyProhibitedLinux:ps,ls,lsof,andifconfigCommandshttp://chiht.dfn-cert.de/psisabasicUnixcommandthatreportthestatusofprocessesUnixlscommandisusedtolistfilesanddirectoriesonafilesystemLsofisacommandusedtolistfileswhicharecurrentlyopenonaUnixsystemsifconfigisacommandisusedtoreportthestateofnetworkinterfacesonUnixsystemsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedLinux:TopCommandhttp://chiht.dfn-cert.de/ThetopcommandisasystemmonitortoolthatdisplaysandupdatesinformationaboutthetopcpuprocessesonaUnixsystemItdisplaysthetop15processesonthesystemandperiodicallyupdatesthisinformationEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedLinux:GrepCommandhttp://chiht.dfn-cert.de/TheUnixgrepcommandsearchestextfilesforpatternsmatchingregularexpressionsItisusedtoextractinterestinginformationfromlogfilesItisabuilt-incommandonmanyUnixsystems,oranopensourceversionisavailableaspartoftheGNUprojectSyntax•grep[options]PATTERN[FILE...]•grep[options][-ePATTERN|-fFILE][FILE...]EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedLinux:StringsCommandhttp://chiht.dfn-cert.de/StringsisacommandwhichdisplaysthestringscontainedinabinaryfileItisusedtosearchunknownbinariesforanyhintsaboutitsfunctionSyntax•strings[-afo][-nnumber][file...]EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSummaryComputerforensicInvestigatormusthaveknowledgeofgeneralcomputerskillssuchashardware,software,O.S,applications,etc.Computerforensicshelpstorecover,analyze,andpreservecomputerandrelatedmaterialsinsuchawaythatitcanbepresentedasevidenceinacourtoflawForensicreadinessisabilityofanorganizationtomaximizeitspotentialtousedigitalevidencewhileminimizingthecostofaninvestigationDigitalevidenceisdefinedas“anyinformationofprobativevaluethatiseitherstoredortransmittedinadigitalform”ForensicpolicydefinestherolesandresponsibilitiesofallpeopleperformingorassistingtheforensicactivitiesSeparatepoliciessho
uldbemaintainedforincidenthandlersandotherswithforensicrolesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCertifiedIncidentHandlerVersion1ModuleVIIHandlingInsiderThreatsNews:MaliciousInsiderAttackstoRiseSource:http://newsvote.bbc.co.uk/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedNews:ExpertsSayLayoffs,Cost-CuttingIncrease‘Insider’CyberThreatSource:http://www.cqpolitics.com/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedModuleObjectiveThismodulewillfamiliarizeyouwith:••••••EC-CouncilInsiderThreatsAnatomyofanInsiderAttackInsiderThreatsDetectionInsiderThreatsResponseHandlingInsiderThreatsGuidelinesforDetectingandPreventingInsiderThreatsCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedModuleFlowEC-CouncilInsiderThreatsAnatomyofanInsiderAttackInsidersThreatResponseInsiderThreatDetectionHandlingInsiderThreatsGuidelinesforDetectingandPreventingInsiderThreatsCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedInsiderThreatsInsiderswiththeirauthorizedprivilegescanmisusetheresourcethatdirectlyaffectstheconfidentiality,integrity,andavailabilityoftheinformationsystemInsiderscouldbecurrentemployee,disgruntledsystemadministrators,humanresources,contractors,businesspartnersetc.Insidersindulgeinmaliciousactivitiesontheorganization’snetwork,system,anddatabaseTheseactivitiesimpactbusinessoperationsanddamagestheorganization’sreputationandprofitEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAnatomyofanInsiderAttackUnderstandbusinessprocessGaincredentialsandtrustInstalllogicbombs,rootkits,keyloggersActivatelogicbombsandrootkitsDamage,publicizeand/orpassinformationtocompetitorsforfinancialgainorpersonalrevengeEC-CouncilCopyright©byEC
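The module recommends keeping a database of file hashes for common OS and application deployments and running file integrity checking software over important assets. The following is an added example of what that looks like in practice (it is not EC-Council's or any tool's code): a SHA-256 baseline is built over a directory tree, stored as JSON, and later compared against the live tree; the sample tree, file contents and the store location are constructed for the demonstration.

```python
"""File-hash baseline and integrity check (added example; not EC-Council code).

Builds the 'database of file hashes' the module recommends for a known-good
deployment and later verifies a tree against it, reporting added, removed
and modified files. All directories, files and contents below are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so large binaries and logs never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative, POSIX-style path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a link is not content; its target is hashed when walked
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def verify_baseline(root, baseline):
    """Compare the live tree with the stored baseline; returns the three change sets."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def save_baseline(baseline, path):
    """Persist the hash database (in practice on a separate, write-protected host)."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tree, change it, then verify.

    The hash database is kept outside the monitored tree so that it is not
    itself reported as an added file.
    """
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary (constructed)")
        with open(os.path.join(root, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin no\n")
        db = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), db)

        # Changes the baseline is meant to catch: a replaced binary,
        # an unexpected new file, and a deleted configuration file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced ls binary (constructed)")
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"new file (constructed)")
        os.remove(os.path.join(root, "sshd_config"))

        return verify_baseline(root, load_baseline(db))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```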
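Two points in the module belong together: "Record the extent of the system's clock drift" under Collecting Electronic Evidence, and the statement that forensic analysis builds an incident timeline for correlating events. This added example (not EC-Council code) shows why the drift matters: log lines from two hosts are corrected to a common reference clock before being merged, and the raw order of events differs from the corrected one. Host names, drift values and log lines are all constructed.

```python
"""Incident timeline from drifted host clocks (added example; not EC-Council code).

Each seized system's clock drift is recorded at collection time; here it is
used to correct log timestamps to a reference clock so events from different
hosts can be ordered correctly. Hosts, drifts and log lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Drift recorded at seizure: host clock minus reference (e.g. NTP) clock, in seconds.
# Positive means the host clock runs ahead of the reference. (constructed values)
CLOCK_DRIFT = {
    "fileserver": -185,   # 3 min 5 s slow
    "vpn-gw": 42,         # 42 s fast
}

# Constructed log lines: "<host> <host-clock time, UTC> <message>"
SAMPLE_LOGS = [
    "fileserver 2009-04-22T01:57:25Z user jdoe read /finance/q1_forecast.xlsx",
    "vpn-gw 2009-04-22T02:00:42Z session start user jdoe from 203.0.113.7",
    "fileserver 2009-04-22T01:58:40Z user jdoe delete /finance/q1_forecast.xlsx",
    "vpn-gw 2009-04-22T02:12:12Z session end user jdoe",
]

LINE_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) (?P<msg>.*)$")


def parse_line(line):
    """Split one log line into host, host-clock timestamp and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"host": m["host"], "host_time": ts, "msg": m["msg"]}


def normalize(event, drift):
    """Correct host time to reference time: reference = host_time - drift.

    A host with no recorded drift is an evidence-collection gap, so it is
    refused rather than silently treated as accurate.
    """
    offset = drift.get(event["host"])
    if offset is None:
        raise KeyError(f"no clock drift recorded for host {event['host']}")
    corrected = dict(event)
    corrected["ref_time"] = event["host_time"] - timedelta(seconds=offset)
    return corrected


def raw_order(lines):
    """Messages ordered by uncorrected host clocks (what a naive merge would show)."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["host_time"])
    return [e["msg"] for e in events]


def build_timeline(lines, drift=CLOCK_DRIFT):
    """Parse, correct and merge log lines from several hosts into one timeline
    ordered by reference time (ties broken by host name for determinism)."""
    events = [normalize(parse_line(l), drift) for l in lines]
    return sorted(events, key=lambda e: (e["ref_time"], e["host"]))


def format_timeline(events):
    return [f"{e['ref_time'].strftime('%Y-%m-%dT%H:%M:%SZ')} {e['host']}: {e['msg']}"
            for e in events]


if __name__ == "__main__":
    print("raw host-clock order:")
    for msg in raw_order(SAMPLE_LOGS):
        print("  " + msg)
    print("corrected timeline:")
    for line in format_timeline(build_timeline(SAMPLE_LOGS)):
        print("  " + line)
```

Uncorrected, the file read appears to precede the VPN session; after correction the read falls inside the session, which is the relationship an investigator must establish.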
Insider Risk Matrix
If an attacker has technical literacy with process knowledge, there is the highest risk of insider attack

                              Process Knowledge
Technical Literacy   High                  Low
High                 Greatest Threat       Demonized But Insignificant
Low                  Significant Threat    Insignificant

Source: Gartner Group Report 5605

Insider Threats Detection
• Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness, or unexplained absenteeism
• Insider threats can be identified by examining the system event logs, including database logs, email logs, application logs, file access logs, and remote access logs
• Applications such as firewalls, routers, and intrusion detection systems can be used to identify insider threats
The techniques used to detect insider threats are:
• Correlation
• Detecting anomalies
• Discovering patterns

Insider Threats Response
• Response depends on the nature of the insider threat and the organization's policy
• Response can be automated or may need human involvement
The techniques used to respond to an insider threat include:
• Placing malicious users in a quarantine network, so that the attack cannot spread
• Preventing malicious users from accessing sensitive information
• Disabling the computer systems' network connection
• Blocking malicious user accounts and physically restricting them from entering access-controlled areas

Insider's Incident Response Plan
• An insider's incident response plan helps the organization to minimize or limit the damage caused by malicious insiders
• Organizations should ensure that the insider perpetrators are not included in the response team and are not aware of its progress
• Organizations should consider the rights of every employee or user while developing the incident response plan
• The plan should depict the process to be followed and the responsibilities of the members involved in the response team
• The organization should not share or provide the details of the insider's incident response plan with all employees

Guidelines for Detecting and Preventing Insider Threats: Human Resources
• Conduct background checks on all users and employees who are in sensitive positions
• Examine and respond to suspicious behavior of employees, beginning with the hiring process
• Anticipate and manage negative workplace issues
• Employment verification and credit checks
• Prepare an information security policy document
• Monitor and secure the organization's physical environment

Guidelines for Detecting and Preventing Insider Threats: Network Security
• Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services
• Create rules to reduce the outbound transfer of files to an authorized set of users and systems
• Prevent file sharing, instant messaging, and other features among employees that allow unauthorized access to corporate networks
• Scan all outgoing and incoming mails for sensitive information and malicious code
• Establish strict password policies
• Implement account management policies and procedures

Guidelines for Detecting and Preventing Insider Threats: Access Controls
• Access privileges should be granted to employees or users based on the routine performance of their job roles
• The access requests granted to users should be documented and vetted by a supervisor
• Employees should take permission from data owners before accessing sensitive systems
• Establish change controls on the user's system
• When an employee is terminated from the job, the employer should disable all access rights to physical locations, networks, systems, applications, and data

Guidelines for Detecting and Preventing Insider Threats: Security Awareness Program
• Identify and report the malicious behavior of insiders
• Examine the organization's policies and controls
• Implement proper system administration safeguards for critical servers
• Provide consistency for defined security policies and controls
• Enforce separation of duties in order to limit the misuse of resources
• Implement secure backup and recovery methods to ensure data availability

Guidelines for Detecting and Preventing Insider Threats: Administrators and Privileged Users
• Disable the default administrative accounts to provide accountability
• Ensure that administrators use unique accounts during the installation process
• Implement non-repudiation techniques to view all the actions performed by administrators and privileged users
• Monitor the activities of system administrators and privileged users who have permissions to access sensitive information
• Use encryption methods to prevent administrators and privileged users from accessing backup tapes and sensitive information

Guidelines for Detecting and Preventing Insider Threats: Backups
• Organizations should implement secure backup and recovery processes to continue business operations when the systems are compromised
• Regularly take backups and test them for integrity and availability
• Secure the backup media and their content from alteration, theft, or destruction
• Implement separation of duties and configuration management procedures to perform backups on computer systems, networks, and databases
• Implement backup policies to secure the backup process and media

Guidelines for Detecting and Preventing Insider Threats: Audit Trails and Log Monitoring
• Enforce account and password policies and procedures to identify the online actions performed by insiders
• Periodic logging, monitoring, and auditing processes help the organization to identify and investigate suspicious insider actions
• Audit trails should be configured for network devices, operating systems, commercial software, and custom applications
• Auditing should review and examine the changes performed on the critical assets of any organization
• Protect the audit files through file permissions and store the files on a central host server to avoid alterations
• Implement intrusion detection and file integrity software to detect and monitor suspicious activity on sensitive data

Employee Monitoring Tools

Activity Monitor
http://www.softactivity.com/
• Activity Monitor is computer monitoring software and a keylogger
• It allows you to track any LAN, giving you detailed information on what, how, and when your network users performed
Features:
• Live view of remote desktops
• Easy Internet usage monitoring
• Monitor software usage
• Record activity log for all workplaces in one centralized location on the main computer with Activity Monitor installed
• Store complete history of communications for every user
• Track any user's keystrokes on your screen in real-time mode

Activity Monitor: Screenshot 1, Screenshot 2 (screenshot slides)

NetSpy Pro
http://www.net-monitoring-software.com/
• NetSpy Pro is employee and student network monitoring software
• It allows you to monitor all user activity on your network in real time from your own workstation
Features:
• Allows the administrator to view an actual screenshot of one, some, or all workstations instantly
• Shows a list of the favorites on a user's Internet Explorer browser to the administrator
• Shows you a list of all files in the temporary history (cache) of the Internet Explorer browser
• Allows an administrator to view all open ports on a workstation
• Shows a full list of processes and services running on the remote machine to the administrator
• Shows a list of recent documents opened by a user to the administrator

NetSpy Pro: Screenshot 1, Screenshot 2 (screenshot slides)

Spector Pro
http://www.spectorsoft.com/
Spector Pro is monitoring and recording software for every detail of PC and Internet activity - in your home or in your office
Features:
• Keystrokes typed recording
• MySpace and Facebook recording
• Online searches recording
• Websites visited recording
• Summary reports
• Email activity recording
• Program activity recording
• Keywords detected recording
• Files transferred recording
• User activity recording

Spector Pro: Screenshot 1, Screenshot 2 (screenshot slides)

SpyAgent
http://www.spytech-web.com/
Spytech SpyAgent is computer spy software that allows you to monitor everything users do on your computer
Features:
• Keystroke logging
• Emails sent and received monitoring
• Events timeline logging
• Internet chat conversations monitoring
• Website activity monitoring
• Application usage monitoring
• Computer usage logging
• Intelligent screenshot capturing
• Internet traffic data monitoring
• Files uploaded and downloaded monitoring
• Files/documents accessed logging

SpyAgent: Screenshot 1, Screenshot 2 (screenshot slides)

Handy Keylogger
http://www.handy-keylogger.com/
• Handy Keylogger is a user-friendly spy keylogger
• It captures all keystrokes, monitors Internet usage, enables screenshot grabbing by time and interval, monitors the clipboard, and sends the logs to your e-mail address invisibly
Features:
• Monitor every keystroke on your keyboard
• Grab keystrokes under all user accounts
• Log all clipboard events: text and graphics copied to the clipboard
• Record Internet/website activity
• Log chats and e-mails typed on your PC
• Record instant messengers
• Capture all passwords
• Invisibly send logs to your mailbox

Handy Keylogger: Screenshot 1 (screenshot slide)
tsReserved.ReproductionisStrictlyProhibitedHandyKeylogger:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAntiKeyloggerhttp://www.anti-keyloggers.com/Anti-keyloggerisadedicatedanti-keyloggingproductforMicrosoftWindowsItprotectscomputersagainstinformation-stealingprogramsandmodulesFeatures:••••••••EC-CouncilPreventsonlineidentitytheftPreventsInternetbankingfraudSecuresemailcommunication,instantmessagingandchatEliminatesleakageofconfidentialorproprietaryinformationKeepsusernames,passwords,PINs,etc.safeReducessecuritybreachesEnforcescomputerandInternetAcceptableUsePolicies(AUP)DisablesespionagesoftwareofyourcompetitorsCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAntiKeylogger:ScreenshotEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedActualSpyhttp://www.actualspy.com/ActualSpyisakeyloggerwhichallowsyoutofindoutwhatotherusersdoonyourcomputerinyourabsenceItiscapableofcatchingallkeystrokes,capturingthescreen,loggingtheprogramsbeingrunandclosed,monitoringtheclipboardcontentsFeatures:••••••••EC-CouncilLogsallkeystrokesMakesscreenshotswithinthespecifiedtimeintervalSavestheapplications’runningandclosingWatchesclipboardcontentsRecordsallprintactivityRecordsdiskchangesRecordsinternetconnectionsRecordsallwebsitesvisitedCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedActualSpy:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedActualSpy:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIamBigBrotherhttp://www.iambigbrother.com/IamBigBrotherisaninternetmonitoringsoftwareforbothhomesandbusinessItrunsinstealthmodewhereitisnotdetectedbytheuserofthecomputerItrecordsalloftheinternetactivityformanyprogramsincludingAmericaOnline,MSN,OutlookExpress,etc.Features:•••••EC-CouncilChatandinstantmessagerecordingEmailrecordingWebsiteviewedKeystrokerecordingScreencaptureCopyright©byEC-C
ouncilAllRightsReserved.ReproductionisStrictlyProhibitedIamBigBrother:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIamBigBrother:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibited007SpySoftwarehttp://www.e-spy-software.com/007SpySoftwareiscomputermonitoringsoftwarewhichallowsyoutosecretlyrecordallactivitiesofcomputerandtakesscreensnapshotatsetintervalsFeatures:••••••••EC-CouncilCapabilityofoverridingAnti-SpyprogramssuchasAd-awareViewlogsremotelywithyourfavoritebrowsersfromanywhereatanytimeSupportuserfiltertospyonspecificusersViewalluser'sLogswithaSingleLoginCapturescreenatthehighestspeedAutomaticallystartupinactiveandstealthModePowerfulkeyloggerenginetocaptureallpasswordsBuilt-inslideshowforscreensnapshotpicturesCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibited007SpySoftware:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibited007SpySoftware:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSpyBuddyhttp://www.exploreanywhere.com/SpyBuddy2009isacomputermonitoringsoftwarethatrevealswhatyouremployeeisreallydoingonthecomputerItsecretlyrecordsallinternetandcomputerrelatedactivitiesandpresentinformationtoyouFeatures:•••••••EC-CouncilChatblockingWebsitesblockingClipboardactivitymonitoringScreenshotrecordingKeystrokestypedrecordingOnlinesearchrecordingPrintactivitymonitoringCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSpyBuddy2009:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSpyBuddy2009:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSoftActivityKeyloggerhttp://www.softactivity.com/SoftActivityKeyloggerisaspyingenginethatrunsinthebackgroundandsecretlyrecordsURLsvisitedinbrowser,keystrokesinanyprogram,chatconversations,receivedandsentemailItcapturesscreenshotsoft
hedesktopatapresetperiodoftimeFeatures:••••••EC-CouncilLogseverythingScreenshotsrecordingwithadvancedIntelliSnap™etchnologyEnhancedreportingfeaturesWorkssecretlyReceivereportsinemailCompletecompatibilityCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSoftActivityKeylogger:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSoftActivityKeylogger:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEliteKeyloggerhttp://www.widestep.com/EliteKeystrokeiskeyloggerformonitoringandrecordingeverydetailofPCandInternetactivityeverywhere:athomeorintheofficeFeatures:•••••••EC-CouncilKeystrokerecordingUndetectableChats,IMs,E-mailrecordingClipboardmonitoringApplicationactivityrecordingWinlogonandpasswordsmonitoringScreenshotsrecordingCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEliteKeylogger:Screenshot1EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEliteKeylogger:Screenshot2EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSpySweeperhttp://www.webroot.com/SpySweeperisanantispywaresoftwarethatblocksandremovesspywareItdeliverstheadvancedspywaredetectionavailabletobeatdangerousspywareprogramsFeatures:•••••••EC-CouncilAdvanceddetectionandremovalcapabilitiesReal-timethreatprotectionEnhancedrootkitdiscoverymethodsMinimalimpactoncomputerperformanceWindowsvistacompatibleMultipleuserprotectionUp-to-datespywarenewsandinformationCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSpySweeper:ScreenshotEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSummaryInsidersperformmaliciousactivitiesontheorganization’snetwork,system,anddatabaseResponsedependsonthenatureoftheinsiderthreatsandtheorganization’spolicyInsiderthreatscanbedetectedbyexaminingthesystemeventlogsincludingdatabaselogs,emaillogs,applicationlogs,fileaccesslogs,andremoteaccesslogsAcce
ssprivilegesshouldbeenabledtoemployeesorusersbasedontheroutineperformanceoftheirjobrolesOrganizationsshouldimplementsecurebackupandrecoveryprocessestocontinuebusinessoperationswhenthesystemsarecompromisedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSampleSampleEC-CouncilCertifiedIncidentHandlerVersion1ModuleIXIncidentReportingBatchPDFBatchPDFMergerMergerNews:Infosec2009ExpertsDiscusstheCyberCrimeLandscape28Apr2009Everypersonwhogoesonlinehasaparttoplayinhelpingtoreducee-crimeandbettersecurecyberspace,accordingtoapanelofexpertsspeakingattheInfosecurityEuropeshowinLondon.PhilipVirgo,secretarygeneralofEurim,beganthepaneldebatebyhighlightingthedevelopmentoftoday'sreal-worldlawenforcementagencies,whichwereoriginallycreatedbybusinessessuchasrailcompaniesandbanksratherthanbygovernments.Virgobelievesthatwecannotexpectgovernmentstoshoulderalltheresponsibilityforpolicingtheinternet.Hebelievesthatonlybyusers,agencies,securityfirmsandorganisationsworkingtogethercanthehugeproblemofcybercrimebegintobeaddressed.HiscallwasechoedbyCharlieMcMurdie,detectivesuperintendentofthenewlyformedPoliceCentrale-CrimeUnit(PceU),whoispushingforgreaterinteractionbetweenthevariousstakeholders,bothpublicandprivate,acrossvariouscountries."Currently,everyoneisdoingdifferentthingsindifferentways,"shesaid."Weneedtodevelopstructure,standardsandtraining,notonlyforthe43policeforcesacrosstheUK,butalltheorganisationsinvolvedinhelpingdetect,preventandtrackdownillegalonlinebehaviour."Thiswillhelptospeedupinvestigations,andhelpeliminateduplication,therebyfreeingupmoreofthelimitedresources,accordingtoMcMurdie.ThePceUispushingforenduserstogetinvolvedaswellbyreportingevenrelativelyminorinstancesofe-crime,asthesecanhelptolocateandidentifythelargeorganisedcriminalgangs.Source:http://www.vnunet.com/EC-CouncilCopyright©by
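The summary of the insider-threat module above makes two claims that are easy to turn into a working check: insider activity shows up in file-access and remote-access logs, and access should match the routine needs of a job role. The script below is an added example, not EC-Council material: it parses constructed log lines, compares each file access against a constructed role-to-data map, correlates off-hours accesses with a preceding remote login, and flags bulk off-role access. The log format, role map, business hours and threshold are all assumptions made for the illustration.

```python
"""Insider-activity review over file-access and remote-access logs.

Added example, not EC-Council material. Log formats, the role-to-data map,
business hours and the bulk threshold are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed: which data areas each job role routinely needs. Anything
# outside this map is off-role for that user and worth an analyst's look.
ROLE_ALLOWED = {
    "payroll": {"/data/hr/payroll"},
    "engineering": {"/data/eng"},
    "sales": {"/data/crm"},
}
EMPLOYEES = {"alice": "payroll", "bob": "engineering", "carol": "sales"}

# Constructed sample logs, one record per line: "UTC timestamp,user,action,target".
FILE_ACCESS_LOG = """\
2009-04-22T09:12:01Z,alice,read,/data/hr/payroll/april.xls
2009-04-22T09:40:12Z,bob,read,/data/eng/build/Makefile
2009-04-22T23:05:44Z,bob,read,/data/hr/payroll/april.xls
2009-04-22T23:06:10Z,bob,read,/data/hr/payroll/march.xls
2009-04-22T23:07:30Z,bob,copy,/data/hr/payroll/salaries.db
2009-04-22T14:00:00Z,carol,read,/data/crm/accounts.csv
"""
REMOTE_ACCESS_LOG = """\
2009-04-22T08:55:00Z,alice,vpn-login,198.51.100.20
2009-04-22T22:58:03Z,bob,vpn-login,203.0.113.7
"""

BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 UTC (constructed policy)
BULK_THRESHOLD = 3             # off-role files per user before it counts as bulk


def parse(log_text):
    """Turn 'ts,user,action,target' lines into dicts with aware datetimes."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split(",", 3)
        rows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     "user": user, "action": action, "target": target})
    return rows


def is_allowed(user, target):
    """True when the target lies under a data area the user's role may use."""
    areas = ROLE_ALLOWED.get(EMPLOYEES.get(user), set())
    return any(target == a or target.startswith(a + "/") for a in areas)


def review(file_log=FILE_ACCESS_LOG, remote_log=REMOTE_ACCESS_LOG):
    """Return sorted (user, finding) tuples for an analyst to triage."""
    findings = set()
    off_role = defaultdict(list)
    vpn_by_user = defaultdict(list)
    for r in parse(remote_log):
        vpn_by_user[r["user"]].append(r)

    for r in parse(file_log):
        user, target = r["user"], r["target"]
        if user not in EMPLOYEES:
            findings.add((user, f"unknown account accessed {target}"))
            continue
        if is_allowed(user, target):
            continue
        off_role[user].append(r)
        findings.add((user, f"off-role {r['action']} of {target}"))
        if r["ts"].hour not in BUSINESS_HOURS:
            # Correlate with remote access: an off-hours VPN login shortly
            # before off-role file access is a stronger signal than either alone.
            for v in vpn_by_user[user]:
                if 0 <= (r["ts"] - v["ts"]).total_seconds() <= 3600:
                    findings.add((user, f"off-hours access to {target} within an hour "
                                        f"of remote login from {v['target']}"))
                    break
    for user, rows in off_role.items():
        if len(rows) >= BULK_THRESHOLD:
            findings.add((user, f"bulk off-role access: {len(rows)} files"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review():
        print(f"{user}: {finding}")
```

On the constructed input only bob is flagged: his three payroll reads are off-role for an engineering account, happen at 23:00, follow a VPN login by a few minutes, and together cross the bulk threshold. Alice touching the same files during working hours produces nothing, which is the point of judging access against the role rather than against the file alone.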
Module Objective
This module will familiarize you with:
• Incident Reporting
• Why to Report an Incident
• Whom to Report an Incident
• Federal Agency Incident Categories
• Organizations to Report Computer Incident
• Incident Reporting Guidelines

Module Flow: Incident Reporting → Why to Report an Incident → Whom to Report an Incident → Federal Agency Incident Categories → Organizations to Report Computer Incident → Incident Reporting Guidelines

Incident Reporting
Incident reporting is the process of reporting the information regarding an encountered security breach in a proper format. Incidents that should be reported include:
• Logs of unauthorized access showing failed or successful attempts
• Unwanted disruption
• Denial of service
• Use of a system for processing or storage of data
• Changes made to the system's hardware or software

Why to Report an Incident
It is necessary to report an incident in order to:
• Receive technical assistance, including guidance on detecting and handling the incidents
• Improve awareness of IT security issues and prevent other nuisance
• Provide stronger protection for systems and data
• Deal properly with legal issues
• Know the information regarding new threats and incident trends
• Be prepared for handling future incidents

Why Organizations do not Report Computer Crimes
• Misunderstanding of the scope of the problem
  • Misconception that this does not happen to other organizations
• Fear of negative publicity
  • Proactive reporting and handling of the incident will allow many organizations to put their spin on the media reports
• Potential loss of customers
• Desire to handle things internally
• Lack of awareness of the attack

Whom to Report an Incident
• Head of information security
• Local information security officer
• Incident response teams in the organization
• Human resources
• Public affairs officer
• Legal department
• CERT

How to Report an Incident
Incidents are reported using:
• Electronic mail
• Online reporting forms
• Telephone calls
• Facsimile (FAX)
• In person
• Voice mailbox greeting
• Paper (e.g., post notices on bulletin boards and doors, hand out notices at all entrance points)

Details to be Reported
Details to be reported include:
• Date, time, and location of the incident
• Contact information
• Intensity of the incident
• Circumstances that revealed the incident
• Summary of hosts involved
• Description of the activity
• The nature of the violation
• Type of private data involved
• Other persons involved
• Any immediate harm known or observed
• Immediate corrective actions already taken

Preliminary Information Security Incident Reporting Form
System Information
Name of the Department: ________
Brief description of the affected system: ________
Physical location of the affected system: ________
System administration/operation by: ________
Contact Information
Name: ________
Designation: ________
Telephone Number: ________ Mobile Number: ________
Email Address: ________ Fax Number: ________
Incident Details
Date/Time (Detected): ________
Symptoms of Incident: ________
Impacts:
• Defacement of website
• Service interruption (denial of service attack / mail bomb / system failure)
• Massive malicious code attack
• Loss/damage/unauthorized alteration of information
• Compromise/leakage of sensitive information
• Intrusion/unauthorized access
• Others, please specify: ________
Please provide details on the impact and service interruption period, if any: ________
Actions Taken: ________
Current System Status: ________
Other Information: ________

CERT Incident Reference Numbers
CERT assigns a reference number to every reported activity. These numbers help CERT to track correspondence and identify related activity. The numbers are unique and selected randomly. They should be mentioned clearly in the subject line of any mail messages regarding the incident, e.g. CERT#XXXX. The reference number USCERT-06-0001 shows that it was the first case registered at US-CERT in 2006.

Contact Information
Contact information should include at least an email address and a telephone number. If possible, include a fax number and a cellular telephone number. The time zone from which the report is made should be mentioned. It is good to specify an alternate contact in case the victim is unavailable.

Sample Report Showing Contact Information (Source: https://forms.us-cert.gov/)

Summary of Hosts Involved
The hosts involved in the incident or related activity are the most obvious information to be noted. Sometimes, hosts used in one incident may have been used earlier. A summary of the IP addresses and hostnames involved in the incident should be included in the report. Hosts involved in the incident must be identified, and the information must be released as per the organization's policies and procedures.
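The slides above list what a report must carry (the "Details to be Reported" fields, a contact reachable by email and telephone, an alternate contact, the hosts involved) and how a CERT reference such as USCERT-06-0001 is read and placed in the mail subject. The code below is an added example, not from the EC-Council slides: it models the report as a dataclass, validates the minimum contact details before sending, renders the mail body with the reference first in the subject, and parses the ORG-YY-NNNN reference form. The Contact and IncidentReport classes, the regular expressions and every sample value are constructed for the illustration.

```python
"""Assembling and checking an incident report before it is sent.

Added example, not from the EC-Council slides. Field names follow the
'Details to be Reported' and 'Contact Information' slides; the reference
format follows the slides' USCERT-06-0001 example. The classes, regexes
and sample values below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed pattern for references of the form ORG-YY-NNNN (e.g. USCERT-06-0001).
REF_RE = re.compile(r"^(?P<org>[A-Z]+)-(?P<yy>\d{2})-(?P<seq>\d{4})$")


def parse_reference(ref):
    """Split 'USCERT-06-0001' into ('USCERT', 2006, 1): org, year, case number."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognised reference number: {ref!r}")
    return m.group("org"), 2000 + int(m.group("yy")), int(m.group("seq"))


def subject_line(ref, summary):
    """Reference first, so the CERT's correspondence tracking picks it up."""
    return f"[{ref}] {summary}"


@dataclass
class Contact:
    name: str
    email: str = ""
    telephone: str = ""
    mobile: str = ""
    fax: str = ""

    def missing_fields(self):
        """Email and telephone are the minimum the slides ask for."""
        missing = []
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", self.email):
            missing.append("email")
        if not self.telephone.strip():
            missing.append("telephone")
        return missing


@dataclass
class IncidentReport:
    detected_at: datetime        # timezone-aware, so the UTC offset is explicit
    location: str
    contact: Contact
    intensity: str
    circumstances: str
    hosts: List[str]             # IP addresses / hostnames involved
    description: str
    violation: str
    private_data: str
    persons_involved: List[str] = field(default_factory=list)
    harm_observed: str = ""
    corrective_actions: str = ""
    alternate_contact: Optional[Contact] = None

    def validate(self):
        """Return a list of problems; an empty list means ready to send."""
        problems = []
        if self.detected_at.tzinfo is None:
            problems.append("detected_at carries no UTC offset")
        problems += [f"contact missing {f}" for f in self.contact.missing_fields()]
        if self.alternate_contact is None:
            problems.append("no alternate contact in case the victim is unavailable")
        if not self.hosts:
            problems.append("no hosts listed")
        return problems

    def render(self, ref):
        """Plain-text body for the mail to the CERT; subject is the first line."""
        lines = [
            subject_line(ref, f"{self.violation} at {self.location}"),
            f"Date/time detected: {self.detected_at.isoformat()}",
            f"Contact: {self.contact.name} <{self.contact.email}> {self.contact.telephone}",
            f"Intensity: {self.intensity}",
            f"Circumstances: {self.circumstances}",
            "Hosts involved: " + ", ".join(self.hosts),
            f"Description: {self.description}",
            f"Private data involved: {self.private_data}",
            f"Harm observed: {self.harm_observed or 'none known'}",
            f"Corrective actions taken: {self.corrective_actions or 'none yet'}",
        ]
        if self.alternate_contact:
            lines.append(f"Alternate contact: {self.alternate_contact.name} "
                         f"<{self.alternate_contact.email}> {self.alternate_contact.telephone}")
        return "\n".join(lines)


def sample_report():
    """Constructed report used to exercise the classes above."""
    offset = timezone(timedelta(hours=-5))  # explicit UTC offset, not a zone name
    return IncidentReport(
        detected_at=datetime(2009, 4, 22, 9, 30, tzinfo=offset),
        location="Branch office, building 2",
        contact=Contact("A. Handler", "handler@example.org", "+1 555 0100"),
        intensity="single host, contained",
        circumstances="Antivirus alert on the file server",
        hosts=["fileserver01.example.org", "192.0.2.15"],
        description="Unauthorized login followed by a copy of the payroll share",
        violation="Unauthorized access",
        private_data="Employee payroll records",
        alternate_contact=Contact("B. Deputy", "deputy@example.org", "+1 555 0101"),
    )
```

The timestamp is stored timezone-aware and rendered with its numeric UTC offset, which is what a reader at another site needs to line the report up with their own logs; a bare local time or a zone abbreviation would not validate. The CERT#XXXX placeholder from the slide is deliberately rejected by parse_reference, since it is the form of the field, not an actual number.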
Sample Report Showing Summary of Hosts Involved (Source: http://www.cert.org/)

Description of the Activity
The activity description should include:
• Date
• Methods of intrusion
• Intruder tools involved
• Software versions and patch levels
• Intruder tool output
• Details of vulnerabilities exploited
• Source of attack
• Other relevant information

Sample Report Showing Description of the Activity (Source: http://www.nitc.state.ne.us/)

Log Extracts Showing the Activity
Logs provide significantly more detail than the description. Log entries showing the activity should be included along with the report. To avoid confusion, remove the log entries that are not related to the incident. Ensure that nondisclosure policies are not violated while sending log entries to other sites.

Example Showing the Log Extracts of an Activity (Source: http://www.kerio.co.uk/)

Time Zone
Dates, times, and time zones are confusing when used casually in international communications; hence clearly identify the date, time, and location of the incident. A time zone reference relative to GMT (or UTC), such as GMT 5, is preferred, since less formal time zone designations can be misinterpreted. Inaccuracy in time should be mentioned in the report if it exceeds a minute or two. If the system was synchronized with a national time server via Network Time Protocol, this should also be mentioned in the report.

Federal Agency Incident Categories (Source: http://www.us-cert.gov/)
Each category is given with its name, description, and reporting timeframe.

CAT 0, Exercise/Network Defense Testing: This category is used during state, federal, national, and international exercises and approved activity testing of internal/external network defenses or responses. Reporting timeframe: Not applicable; this category is for each agency's internal use during exercises.

CAT 1, Unauthorized Access: In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. Reporting timeframe: Within one (1) hour of discovery/detection.

CAT 2, Denial of Service (DoS): An attack that successfully prevents or impairs the normal authorized functionality of networks, systems, or applications by exhausting resources. This activity includes being the victim of or participating in the DoS. Reporting timeframe: Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity.

CAT 3, Malicious Code: Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. Reporting timeframe: Daily. Note: Within one (1) hour of discovery/detection if widespread across the agency.

CAT 4, Improper Usage: A person violates acceptable computing use policies. Reporting timeframe: Weekly.

CAT 5, Scans/Probes/Attempted Access: This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, services, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. Reporting timeframe: Monthly. Note: If the system is classified, report within one (1) hour of discovery.

CAT 6, Investigation: Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. Reporting timeframe: Not applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.

Organizations to Report Computer Incident
• United States Internet Crime Task Force (http://www.usict.org/services.asp)
• Internet Crime Complaint Center (IC3) (http://www.ic3.gov/)
• Computer Crime and Intellectual Property Section (CCIPS) (http://www.usdoj.gov/criminal/cybercrime/reporting.htm)
• Internet Watch Foundation (IWF) (http://www.iwf.org.uk/)

Incident Reporting Guidelines
The victim should attempt to gather the following information before reporting:
• Name and address of the reporting agency
• Name, address, e-mail address, and phone number(s) of the reporting person
• Name, address, e-mail address, and phone number(s) of the victim
• Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate information security officer, system administrator, etc.)
• Description of the incident
• Date and time the incident occurred
• Date and time the incident was discovered
• Any actions at, and following, the time of discovery that were taken prior to calling CERT
Source: http://www.chp.ca.gov/

Incident Reporting Guidelines (cont'd)
Additional information that should be gathered by the victim:
• Make/model of the affected computer(s)
• Serial and state asset identification numbers of the affected devices
• IP address of the affected computer(s)
• Assigned name of the affected computer(s)
• Operating system of the affected computer(s)
• Location of the affected computer(s)

Sample Incident Reporting Form 1 (Source: http://www.nbt.nhs.uk/)
Sample Incident Reporting Form 2, three pages (Source: http://www.neola.com/)
Sample Incident Reporting Form 3 (Source: http://www.occs.odu.edu/)
Sample Post Incident Report Form, two pages (Source: http://www.ogcio.gov.hk/)

Summary
• Incident reporting is the process of reporting the information regarding an encountered security breach in a proper format
• Incidents should be reported in order to receive technical assistance, including guidance on detecting and handling the incidents
• CERT incident reference numbers help CERT to track correspondence and identify related activity
• Contact information should include at least an email address and a telephone number
• The hosts involved in the incident or related activity are the most obvious information to be noted
• Logs provide significantly more detail than the description
• The United States Internet Crime Task Force is a non-profit, government-assisted, victim advocate agency

EC-Council Certified Incident Handler Version 1
Module X
Incident Recovery

News: Police Seek Grant for Communications and Computer Equipment
05/07/2009
In part of the 2009 American Recovery and Reinvestment Act, the Justice Department will be funding a number of grants for law enforcement. The Watertown Police Department will be applying to receive $24,000 in funding from the Edward Byrne Memorial Justice Assistance Grant. According to Chief John Gavallas, the Police Department intends to use the funding to purchase equipment to operate a critical incident command center and briefing room. Purchases will include telephone systems, computers, computer monitors, printers, upgrades to the IT systems, presentation equipment, multiple internet access points, audio-visual equipment including televisions, DVD and video players and projectors. "This will allow us to conduct roll call training in the briefing room and the equipment will provide incident commanders the equipment in managing a critical incident in town," said Chief Gavallas. The two principal requirements of the grant are public notice and that authorization to apply for the grant is given by the governing authority of the town. The Town Council gave approval for the grant application during its regular May 4 meeting. The grant is named in honor of New York City Police Officer Edwin Byrne, who was killed in the line of duty while conducting a stakeout to monitor drug activity in 1988.
Source: http://www.zwire.com/

Module Objective
This module will familiarize you with:
• Incident Recovery
• Principles of Incident Recovery
• Incident Recovery Steps
• Contingency/Continuity of Operations Planning
• Business Continuity Planning
• Incident Recovery Plan
• Incident Recovery Planning Team
• Business Impact Analysis

Module Flow: Incident Recovery → Principles of Incident Recovery → Incident Recovery Steps → Contingency/Continuity of Operations Planning → Business Continuity Planning → Incident Recovery Plan → Incident Recovery Planning Team → Business Impact Analysis

Incident Recovery
Incident recovery is the process of rebuilding and restoring the computer systems affected by an incident to their normal operational state. System recovery involves all processes, policies, and tools that are used to restore normal business functions. Incident recovery measures depend on the severity of the incident, the criticality of the affected systems or processes, the impact on business revenues, and the available resources.

Principles of Incident Recovery
• Support and involvement of upper-level managers lead to a robust incident recovery plan
• Assess the organization on a regular basis
• Policies and procedures adopted must be documented
and made available to the intended staff to meet the business operational needs
• Determine the managers responsible for declaring, responding to, and recovering from an incident
• Restrict communications among internal and external supporters of the organization

Principles of Incident Recovery (cont'd)
• Train employees against unforeseen crises
• Procedures must be tested and rehearsed to detect the vulnerabilities in the plan
• Planners must identify new threats and update plans accordingly
• Evaluate the effectiveness of the procedures and monitor the safety and hygiene of the employees

Incident Recovery Steps
Step 1: System restoration
Step 2: System validation
Step 3: System operations
Step 4: System monitoring

Contingency/Continuity of Operations Planning
A contingency plan is a set of specific strategies, guidelines, and processes to recover from an incident resulting from a particular problem or emergency. It is necessary for a company or business to function normally. Guidelines for contingency planning are as follows:
Starting point
• Focuses on the development and maintenance of the plan
Impact assessment
• Problem analysis
• Checks what sort of problems/incidents can occur
• Checks the likelihood of the occurrence of the problem
• Checks the severity of the problem
Plan development
• The contingency plan is developed in this phase by considering the system threats and available resources
• It regulates the business process by setting an order or priority of the organizational processes

Contingency/Continuity of Operations Planning (cont'd)
Testing the plan
• In this phase, the developed plan is tested to determine whether it can actually work in a real-time environment
• Testing results are documented for future reference
Personnel training
• Personnel need to undergo training to get familiar with the plan, which helps them to perform their tasks and responsibilities effectively
Maintaining the plan
• As processes are added or deleted by the organization, the plans should be updated regularly

Contingency/Continuity of Operations Planning (cont'd)
Components of contingency planning:
• Supporting Information
• Notification/Activation (supplies notification procedures and offers activation of the plan)
• Recovery (recovers the data with the help of backups)
• Reconstitution (restores original information after the incident)
• Plan Appendices (provides records of further analysis)

Contingency/Continuity of Operations Planning (cont'd)
Continuity of operations provides an alternative site to the organization for a period of one month, so as to recover from the incident and perform normal organizational operations.

Business Continuity Planning
Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, as well as a solid backup and recovery strategy. (Source: http://www.microsoft.com/)
It provides a planning methodology that allows continuity in business operations before, during, and after an incident or event. Other plans that are included in a business continuity plan are:
• Incident/disaster recovery plan
• Business recovery plan
• Business resumption plan
• Contingency plan

Incident Recovery Plan
An incident recovery plan is a statement of actions that should be taken before, during, or after an incident. Document and test the plan in order to ensure the continuity of operations and availability of resources during an incident. The planning process should ensure continuity of operations, some level of organizational stability, and an orderly recovery from the incident that occurred. The objectives of an incident recovery plan are:
• Providing security to computers
• Optimizing the risks
• Providing assurance of the reliability of systems
• Providing a standard for testing the plan
• Reducing the decision making during an incident

Incident Recovery Planning Process
• Establish the incident recovery planning team
• Perform business impact analysis to assess risks
• Delegate responsibilities across the organization
• Develop policies and procedures
• Document the incident recovery procedures
• Handle incidents
• Train staff and test the plan

Incident Recovery Planning Team
The incident recovery planning team must have members representing different departments within the organization. Members of the incident recovery teams should have the required skills, business process knowledge, and experience. Each department must maintain its own recovery planning group to conduct research, assess, and implement the plan. IT and network managers must address enterprise-wide as well as department-specific and business issues.

Business Impact Analysis
Business impact analysis identifies the impact of uncontrolled and nonspecific events on the business process. The steps in business impact analysis are as follows:
• Identify key business processes and functions
• Establish requirements for business recovery
• Determine resource interdependencies
• Determine impact on operations
• Develop priorities and classification of business processes and functions
• Develop recovery time requirements
• Determine financial, operational, and legal impact of disruption

Business Impact Analysis (BIA) Template (Source: http://csrc.nist.gov/)
Organization: ________ Date BIA Completed: ________
System Name: ________ BIA POC: ________
System Manager Point of Contact (POC): ________
System Description: {Discussion of the system purpose and architecture, including system diagrams}

A. Identify System POCs
Role:
Internal: {Identify the individuals, positions, or offices within your organization that depend on or support the system; also specify their relationship to the system}
________
External: {Identify the individuals, positions, or offices outside your organization that depend on or support the system; also specify their relationship to the system}
________

Business Impact Analysis (BIA) Template (cont'd)
B. Identify System Resources
{Identify the specific hardware, software, and other resources that comprise the system; include quantity and type}
Hardware: ________
Software: ________
Other resources: ________

C. Identify critical roles
{List the roles identified in Section A that are deemed critical}
________

D. Link critical roles to critical resources
{Identify the IT resources needed to accomplish the roles listed in Section C}
Critical Role | Critical Resources
________ | ________

Business Impact Analysis (BIA) Template (cont'd)
E. Identify outage impacts and allowable outage times
{Characterize the impact on critical roles if a critical resource is unavailable; also, identify the maximum acceptable period that the resource could be unavailable before unacceptable impacts result}
Resource | Outage Impact | Allowable Outage Time
________ | ________ | ________

F. Prioritize resource recovery
{List the priority associated with recovering a specific resource, based on the outage impacts and allowable outage times provided in Section E. Use a quantitative or qualitative scale (e.g., high/medium/low, 1-5, A/B/C)}
Resource | Recovery Priority
________ | ________
itedIncidentRecoveryPlanImplementationAllocatetasksforimplementationCreateanimplementationscheduleAllocatetheincidentrecoverydocumentationEvaluatetheworthandefficiencyofmitigationstepsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIncidentRecoveryTrainingTrainthestafftoresearchonincidentrecoveryissuesOrganizationsshouldidentifytherequiredskillsandappointsuitablepeopleintheplanningprocessOrganizationsshouldprepareanagendafortheteamandsettasksforachievinggoalsHighlycentralizedandstructuredinformationmanagementdepartmentcanprocessatafasterpaceEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIncidentRecoveryTestingTestdeterminestheeffectivenessofpoliciesandprocedureswhenimplementedProcedureaudits:Livewalk-throughsofprocedures:Livewalk-throughsofrelatedprocess:Scenariotesting:EC-Council•Employeesviewtheproceduretodetermineitsauthenticityandefficiencyinexecutingprocedures•Determinestheprocedure’seffectiveness•Relatedproceduresareimplementedtochecktheireffectiveness•CreatesamockincidentthatinspectstheworkingprocessoftheeventsCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIncidentRecoveryTesting(cont’d)Workgroup-leveltests:•CreatesamockincidentforaspecificgroupofpeopleDepartment-leveltests:•CreatesamockincidentforwhichtheentiredepartmentmustrespondFacility-leveltests:Enterprise-leveltests:EC-Council•Createsamockincidentforwhichanentirefacilityisliable•CreatesamockincidentforwhichtheentireorganizationmustrespondCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSummaryIncidentrecoveryisaprocessofrestoringandrebuildingthecomputersystemintonormaloperationsthatareaffectedbyanincidentContingencyplanprovidesbackupfordocumentstoovercomefromanincidentBusinesscontinuityistheabilityofanorganizationtocontinuetofunctionevenafteradisastrouseventAnincidentrecoveryplanisastatementofactionsthatshouldbetakenbefore,during,orafteranincidentEC-CouncilCopyright©byEC-CouncilAllRights
EC-Council Certified Incident Handler Version 1
Module XI: Security Policies and Laws

Module Objective
This module will familiarize you with:
• Key elements of a Security Policy
• Purpose of a Security Policy
• Design of a Security Policy
• Examples of Security Policies
• Acceptable Use Policy
• Role of Law in Incident Handling
• Legal issues when dealing with an Incident
• Laws and Acts
• Intellectual Property Laws

Module Flow [figure]: Key Elements of Security Policy; Purpose of a Security Policy; Design of Security Policy; Examples of Security Policies; Acceptable Use Policy; Role of Law in Incident Handling; Legal Issues When Dealing With an Incident; Laws and Acts; Intellectual Property Laws

Security Policies

Security Policy
• A security policy is a document that states in writing how a company plans to protect its physical and information technology assets
• It defines what business objectives and security goals are desired by the management
• It is a living document: it is never finished, but is continuously updated depending upon technology and employee requirements
• It depicts the basic architecture of the company's security environment

Key Elements of a Security Policy
• Clear communication
• Brief and clear information
• Defined scope and applicability
• Enforceable by law
• Recognizes areas of responsibility
• Sufficient guidance
• Top management involvement

Goals of a Security Policy
• Security policies help in protecting the organization's systems and information assets from abuse and inappropriate use
• They set the guidelines for responding to internal and external incidents
• Security policies help in establishing mechanisms for the organization to satisfy its legal and ethical responsibilities
• Security policies provide an outline for the management and administration of the organization's security

Characteristics of a Security Policy
• They must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods
• They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible
• They must clearly define the areas of responsibility for the users, administrators, and management
• They must be documented, distributed, and communicated

Design of a Security Policy
The security policy structure should contain:
• A detailed description of the policy issues
• A description of the status of the policy
• The functionalities of those affected by the policy
• The compatibility level of the policy
• The applicability of the policy to the environment

Implementing Security Policies
• Implementation follows after building, revising, and updating the security policy
• The final version must be made available to all of the staff members in the organization
• For effective implementation, there must be job rotation so that data handling is not restricted to a single set of people
• A proper security awareness program, cooperation, and coordination among employees is required

Examples of Security Policies

Access Control Policy
• An access control policy authorizes permission for a user to perform a set of actions on a set of resources
• It authorizes access on a 'need to use' basis, by an appropriate approval process
• Access to resources is based on necessity, i.e., whether a particular person's job role responsibilities require the use of those resources
• Unauthorized access is prevented by implementing managed controls

Sample Access Control Policy [figure, two slides] Source: http://www.qgcio.qld.gov.au/

Importance of Access Control Policies
• Protects the system by implementing the personnel procedures set by the management
• Protects the system automatically by implementing the software and hardware controls
• Dictates the policies, procedures, and accountability to control the system's use
• Acts as a detective control in an investigation, to find out the act that has already occurred

Acceptable Use Policy (AUP)
• An acceptable use policy is a set of rules applied by an organization, network, or Internet service to restrict their usage
• In some cases, these documents are named Internet and E-mail Policy, Internet AUP, Network AUP, or Acceptable IT Use Policy
• The most important part of an AUP document is the code of conduct governing the behavior of a user whilst connected to the organization, network, or Internet
• They are similar to, and often do the same job as, a document labeled 'Terms of Service'

Personal Computer Acceptable Use Policy [figure] Source: http://www.watchguard.com/

Administrative Security Policy
• An administrative security policy ensures that the organization's resources are properly managed, used, protected, and controlled
• It defines the security and protection requirements for information and information systems
• It specifies the responsibility to manage the information security risk of the organization

Importance of Administrative Security Policies
• Safeguards valuable, confidential, or proprietary information from unauthorized access or disclosure
• Eliminates strong legal liability from employees or third parties
• Ensures the availability of data and processing resources
• Ensures the integrity of the information, and prevents unauthorized and undetected modification, manipulation, insertion, and deletion

Asset Control Policy
• An asset control policy is designed to protect the organizational resources on the network by establishing policies and procedures
• It enables organizational assets to be tracked concerning their location and who is using them
• An asset tracking database is created to track assets; it includes all information on the Asset Transfer Checklist table and the date of the asset change
• When an asset is acquired, an ID (internal tracking number) is assigned to the asset and its information is entered into the asset tracking database

Audit Trail Policy
• An audit trail policy maintains a record of system activities such as records of computer events, operating system, application, or user activities
• Maintains regular system operations by implementing management, operational, and technical controls
• Audit trail policies help in detecting security violations, performance problems, and flaws
• It sets internal controls and audit requirements such as:
  • Individual accountability
  • Reconstructing events
  • Problem monitoring
  • Intrusion detection

Sample Audit Trail Policy [figure] Source: http://csrc.nist.gov/

Importance of Audit Trail Policy
• Helps in complying with various regulatory laws, rules, and guidelines
• Individual actions are tracked, rendering users personally accountable for their actions
• The amount of damage that occurred during the incident can be calculated
• Helps in intrusion detection
• Helps to reconstruct the events after a problem has occurred
• Detects disk failures, network outages, and overutilization of system resources

Logging Policy
• A logging policy defines which set of events needs to be logged
• It captures and reviews the important data in a timely manner
• It includes:
  • Notification procedures
  • Guidelines for log review intervals
  • Retention standards
  • Response time expectations
• Specific procedures to retrieve the logs and the necessary logging are stated in the policy

Importance of Logging Policies
• Detects intrusions and compromises
• Detects equipment failures and prevents downtime
• Maintains the proper levels of personnel
• Provides qualitative data for capacity planning
• Helpful in criminal and civil investigations

Documentation Policy
• A documentation policy determines the requirements and procedures for documentation of the organization's operations and resources such as networks and servers
• Network documentation defines the documentation of networking devices and operations
• Server documentation defines the documentation of server configuration information and running services
• Both the server and network documentation policies define:
  • Who has the authority to access, read, and change the network or server documentation
  • The authorized person to be notified about the changes made in the network or server

Documentation Policy (cont'd)
In server documentation, the list of items to be documented and reviewed are:
• Name, location, and function of the server
• Hardware components of the system
• List of software running on the server
• Configuration information about the server
• Types of data and the owners of the data stored on the server
• Data on the server that is to be backed up
• Users or groups having access to the data stored on the server, and their authentication process and protocols
• Administrators on the server, and the authentication process and protocols
• Data and authentication encryption requirements
• Users accessing data from remote locations
• Administrators administering the server from remote locations

Documentation Policy (cont'd)
Network documentation includes:
• Locations and IP addresses of all hubs, switches, routers, and firewalls on the network
• The various security zones on the network and the devices that control access between them
• Locations of every network drop and the associated switch and port on the switch supplying that connection
• The interrelationship between all network devices, showing the lines running between the network devices
• All subnets on the network and their relationships
• All Wide Area Network (WAN) or Metropolitan Area Network (MAN) links
• Network device configuration information
• DHCP server settings

Evidence Collection Policy
• Evidence should be collected, preserved, accessed, and transported properly in order to preserve its integrity
• Every step, method, or tool used for handling the evidence should be thoroughly documented
• For each system, obtain the relevant order of volatility and persistent data
• Maintain a precise chain of custody
• Methods used to collect evidence should be transparent and reproducible
• Document all findings and actions performed during the process

Evidence Preservation Policy
The evidence preservation policy should address the following requirements:
• Evidence must be preserved in its original state
• Evidence should be protected from mechanical or electromagnetic damage
• At least two copies of the evidence should be made
• Bit-stream backups are to be made, as they are more thorough than standard backups
• Collected hardware evidence should be sealed in polythene bags and properly labeled for identification
• All the evidence should be itemized, with the following information:
  • Evidence tag number
  • Time and date discovered
  • Name of the person
  • Evidence description
  • Storage notes

Information Security Policy
• Information security policies strengthen the security of information resources
• They allow the organization to satisfy its legal and ethical responsibilities
• They incorporate security practices like the management of vulnerable points and system file security
• Information security policies set the framework for regular vulnerability and risk assessment
• They provide guidelines for effective implementation of control measures to respond to security incidents
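The evidence collection and preservation policies above require bit-stream copies, at least two of them, an itemized record per exhibit, and a chain of custody that is precise and reproducible. The Python below is an added example written for this page, not EC-Council course material: it hashes a constructed disk image, checks that each copy reproduces the original bit for bit (a file-level "standard backup" that drops unallocated space fails the check, and a single copy fails the two-copy rule), builds the itemized record the policy lists, and keeps the custody log as a hash chain so that a later edit to any entry is detectable. Every name, tag number, timestamp, and image byte is constructed for the demo; the `CustodyLog` class and `demo()` function are this example's own.

```python
"""Added example: hash-verified evidence copies and a hash-chained chain of custody.
Not from the ECIH course material. All data below is constructed for the demo."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_hex(data: bytes) -> str:
    """Fingerprint used both for evidence images and for chaining custody entries."""
    return hashlib.sha256(data).hexdigest()


def verify_copies(original: bytes, copies):
    """Policy check: at least two copies, each bit-for-bit identical to the original.
    Returns (policy_satisfied, per_copy_match_flags)."""
    reference = sha256_hex(original)
    flags = [sha256_hex(c) == reference for c in copies]
    return len(copies) >= 2 and all(flags), flags


def evidence_item(tag, discovered, person, description, storage, image: bytes) -> dict:
    """Itemized record: tag number, time/date discovered, person, description,
    storage notes, plus the image hash that binds the record to the actual bytes."""
    return {"tag": tag, "discovered": discovered.isoformat(), "person": person,
            "description": description, "storage": storage, "sha256": sha256_hex(image)}


class CustodyLog:
    """Append-only chain of custody. Each entry commits to the previous entry's hash,
    so editing, reordering, or deleting any earlier entry makes verify() fail."""

    def __init__(self):
        self.entries = []

    def _digest(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def add(self, tag, action, person, when, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"tag": tag, "action": action, "person": person,
                 "time": when.isoformat(), "note": note, "prev_hash": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Constructed scenario: a small 'drive' whose second half is unallocated space
    still holding a deleted fragment, which only a bit-stream copy preserves."""
    discovered = datetime(2009, 4, 22, 9, 30, tzinfo=timezone.utc)  # constructed time
    allocated = b"FILESYSTEM-DATA " * 128
    image = allocated + b"\x00" * 16 + b"DELETED-FRAGMENT" * 128  # constructed image

    bitstream_a = bytes(bytearray(image))  # full sector-level copies
    bitstream_b = bytes(bytearray(image))
    standard_backup = image[:len(allocated)]  # file-level backup: unallocated space lost

    item = evidence_item("EV-2009-0001", discovered, "J. Doe (first responder)",
                         "Constructed workstation drive image", "Locker A, bag #17", image)

    log = CustodyLog()
    log.add(item["tag"], "collected", "J. Doe", discovered,
            "imaged behind a write blocker; sha256 " + item["sha256"][:16])
    log.add(item["tag"], "sealed", "J. Doe", discovered.replace(hour=10),
            "polythene bag #17, tamper-evident seal")
    log.add(item["tag"], "transferred", "A. Smith (lab)", discovered.replace(hour=14),
            "receipt signed")
    custody_ok_before = log.verify()

    # Failure mode: the transfer entry is rewritten after the fact
    log.entries[2]["person"] = "B. Jones"
    custody_ok_after = log.verify()

    return {
        "two_bitstream_copies_ok": verify_copies(image, [bitstream_a, bitstream_b])[0],
        "standard_backup_ok": verify_copies(image, [bitstream_a, standard_backup])[0],
        "single_copy_ok": verify_copies(image, [bitstream_a])[0],
        "custody_ok_before_tamper": custody_ok_before,
        "custody_ok_after_tamper": custody_ok_after,
        "item": item,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the image hash would be computed at acquisition time on the write-blocked source and again on each copy, and the custody log would be signed or stored append-only outside the examiner's control; the hash chain here only shows why an edit to a past entry cannot go unnoticed.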
Information Security Policy: University of California [figure] Source: http://www.ucop.edu/

Information Security Policy: Pearce & Pearce, Inc. [figure, two slides] Source: https://www.pearceandpearce.com/

Importance of Information Security Policy
• Information security policies help in minimizing wastage and misuse of the organization's resources
• They help in safeguarding and protecting valuable, confidential, and proprietary information from unauthorized access
• Security policies help in ensuring the availability of data and processing resources
• They help in protecting the confidentiality and integrity of the information
• Information security policies help in improving the overall security posture of the organization

National Information Assurance Certification & Accreditation Process (NIACAP) Policy
• NIACAP sets up a standard national process, set of activities, general tasks, and a management structure
• It certifies and recognizes systems which maintain an information assurance and security posture
• The NIACAP process accomplishes the requirements of the documented security policy
• An accredited security posture is maintained all through the system life cycle
• The process comprises existing system certifications and product evaluations
• Process users must align the process with their program strategies and incorporate the activities into their enterprise system life cycle

National Information Assurance Certification & Accreditation Process (NIACAP) Policy (cont'd)
• Agreement between the IS program manager, the Designated Approving Authority (DAA), the certification agent (certifier), and the user representative is the main aspect of NIACAP
• Critical schedule, budget, security, functionality, and performance issues are determined by these individuals
• The System Security Authorization Agreement (SSAA) contains the documentation of the NIACAP agreements
• The results of Certification and Accreditation (C&A) are documented using the SSAA
• The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before the system development begins or changes

Importance of the National Information Assurance (IA) Certification & Accreditation (C&A) Policy
• Describes the operating environment, system security architecture, and threat
• Establishes the C&A boundary of the system to be accredited
• Forms the baseline security configuration document
• Documents all requirements necessary for accreditation, test plans and procedures, certification results, and residual risk
• Minimizes documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations, architecture description, test procedures, etc.)

Physical Security Policy
• A physical security policy helps to control and monitor the physical access to information resource facilities
• Physical access to all restricted facilities is documented and managed
• Every individual who has physical access to information resource facilities should sign the access and non-disclosure agreements
• Access cards and/or keys must not be shared or loaned to others
• All access to the information resources should be tracked with a sign-in/out log

Sample Physical Security Policy 1 [figure, two slides] Source: http://trustedtoolkit.com/
Sample Physical Security Policy 2 [figure] Source: http://www.cnc.police.uk/

Importance of Physical Security Policies
• Controls access to the facilities and computers
• Protects assets from intentional abuse, misuse, or destruction by employees, contractors, or consultants
• Protects information processing facilities by reducing the risk of human error, fraud, and theft
• Monitors how well personnel comply with contractual security provisions

Physical Security Guidelines
• Systems should be protected against environmental factors such as fire, power, excessive heat, and humidity
• Systems should have an alternate power supply, such as a UPS, during power losses
• Computing devices should be placed so as to protect them from shoulder surfing
• Monitoring systems should be installed to monitor the work area and office premises
• While in transit, laptops should be placed in secure storage
• Workstations should be locked when left unattended

Personnel Security Policies & Guidance
• Personnel security policies include the safety measures to be taken regarding company employees
• Managers should implement the personnel security policies to:
  • Ensure the trustworthiness of the people in the posts who require access to official information
  • Protect the official information before granting them access
  • Enforce terms and conditions on the employee accessing official information

Personnel Security Policies & Guidance (cont'd)
Elements of personnel security are:
Personal Screening:
• It is a pre-employment check which involves the employee's background check
• This is done before the employee is given access to the official information
• While recruiting an employee for a permanent staff position, he or she must be checked for:
  • Satisfactory character referees
  • Accuracy of the curriculum vitae and qualifications
• Before appointing an employee after he/she is recruited, verify details of the employee such as:
  • Identity and character confirmation through referees
  • Criminal background check from the police
• Similarly, an employee being recruited for a temporary staff position can be checked through a verifying agency
Personnel Security Policies & Guidance (cont'd)
Granting access:
• Chief executives need to grant the permanent staff access to official information only after clearance from:
  • Pre-employment checks
  • Periodic reviews
  • Approval procedures
  • Sound terms and conditions of employment
• Avoid granting access to the most sensitive sites, as there are chances of indirect exposure by staff or visitors
• Individuals granted access must be issued a pass or an access or identity card
• A "Basic Check" can be done in addition to the pre-employment check for staff or contractors who need frequent access to sensitive sites

Law and Incident Handling

Role of Law in Incident Handling
• Federal law requires federal agencies to report incidents to the Federal Computer Incident Response Center
• It requires federal agencies to establish incident response capabilities
• The incident response team should be familiar with the reporting procedures for all relevant law enforcement agencies and be well prepared to recommend a suitable agency and its contact details
• Several levels of law enforcement agencies are available to investigate incidents

Legal Issues When Dealing With an Incident
• Law enforcement should be contacted through designated individuals in a manner consistent with the requirements of the law and the organization's procedures
• Organizations should not contact multiple agencies, because it might result in jurisdictional conflicts
• Consult lawyers if an illegal act has occurred
• Reporting to law enforcement changes the character of the evidence handling process:
  • Evidence can be subpoenaed by courts
  • Perpetrators and their lawyers can get access to it in the trial
  • The evidence gathering process and all actions and documentation of the investigation may also be accessible to the other party during litigation

Law Enforcement Agencies
• Federal investigatory agencies (e.g., the FBI and the U.S. Secret Service)
• District attorney offices
• State law enforcement
• Local law enforcement

U.S. Law Enforcement Agencies [figure]

Laws and Acts

Searching and Seizing Computers without a Warrant
• The Fourth Amendment to the U.S. Constitution limits the ability of government agents to search for evidence without a warrant
• If the government's conduct does not violate a person's "reasonable expectation of privacy," then formally it does not constitute a Fourth Amendment "search" and no warrant is required

§ A: Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers: General Principles
A search is constitutional if it does not violate a person's "reasonable" or "legitimate" expectation of privacy. Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring). This inquiry embraces two discrete questions:
• First, whether the individual's conduct reflects "an actual (subjective) expectation of privacy,"
• Second, whether the individual's subjective expectation of privacy is "one that society is prepared to recognize as 'reasonable.'"

§ A.4: Private Searches
• The Fourth Amendment does not apply to searches conducted by private parties who are not acting as agents of the government
• In United States v. Jacobsen, 466 U.S. 109 (1984), the Supreme Court presented the framework that should guide agents seeking to uncover evidence as a result of a private search
• Even if courts follow the more restrictive approach, the information gleaned from the private search will often be useful in providing the probable cause needed to obtain a warrant for a further search
• The fact that the person conducting a search is not a government employee does not always mean that the search is "private" for Fourth Amendment purposes

The Privacy Protection Act
When agents have reason to believe that a search may result in a seizure of materials relating to First Amendment activities such as publishing or posting materials on the World Wide Web, they must consider the effect of the Privacy Protection Act ("PPA"), 42 U.S.C. § 2000aa
Brief History:
• Before the Supreme Court decided Warden v. Hayden, 387 U.S. 294, 309 (1967), law enforcement officers could not obtain search warrants to search for and seize "mere evidence" of crime. Warrants were permitted only to seize contraband, instrumentalities, or fruits of crime
• This ruling set the stage for a collision between law enforcement and the press
• By freeing the Fourth Amendment from Boyd's restrictive regime, Hayden created the possibility that law enforcement could use search warrants to target the press for evidence of crime it had collected in the course of investigating and reporting news stories

Federal Information Security Management Act (FISMA)
Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each Federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The information security program must include:
• Periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
• Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system;
• Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
• Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks;
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (including the management, operational, and technical controls of every agency information system identified in their inventory) to be performed with a frequency depending on risk, but no less than annually;
• A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
• Procedures for detecting, reporting, and responding to security incidents (including mitigating risks associated with such incidents before substantial damage is done and notifying and consulting with the Federal information security incident response center, and as appropriate, law enforcement agencies, relevant Offices of Inspector General, and any other agency or office, in accordance with law or as directed by the President); and
• Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
Source: http://csrc.nist.gov

New Mexico (United States), Section 30-45-5: Unauthorized computer use
A person who knowingly, willfully and without authorization, or having obtained authorization, uses the opportunity the authorization provides for purposes to which the authorization does not extend, directly or indirectly accesses, uses, takes, transfers, conceals, obtains, copies or retains possession of any computer, computer network, computer property, computer service, computer system or any part thereof, when the:
• damage to the computer property or computer service has a value of two hundred fifty dollars ($250) or less, is guilty of a petty misdemeanor;
• damage to the computer property or computer service has a value of more than two hundred fifty dollars ($250) but not more than five hundred dollars ($500), is guilty of a misdemeanor;
• damage to the computer property or computer service has a value of more than five hundred dollars ($500) but not more than two thousand five hundred dollars ($2,500), is guilty of a fourth degree felony;
• damage to the computer property or computer service has a value of more than two thousand five hundred dollars ($2,500) but not more than twenty thousand dollars ($20,000), is guilty of a third degree felony;
• damage to the computer property or computer service has a value of more than twenty thousand dollars ($20,000), is guilty of a second degree felony
Source: http://law.justia.com/

Brazilian Laws
ENTRY OF FALSE DATA INTO THE INFORMATION SYSTEM
• Art. 313-A. Entry, or facilitation on the part of an authorized employee of the entry, of false data, improper alteration or exclusion of correct data with respect to the information system or the data bank of the Public Management for purposes of achieving an improper advantage for himself or for some other person, or of causing damages. Penalty: imprisonment for 2 to 12 years, and fines
UNAUTHORIZED MODIFICATION OR ALTERATION OF THE INFORMATION SYSTEM
• Art. 313-B. Modification or alteration of the information system or computer program by an employee, without authorization by or at the request of a competent authority. Penalty: detention for 3 months to 2 years, and fines
Source: http://www.mosstingrett.no/

Canadian Laws
Canadian Criminal Code Section 342.1 states:
(1) Everyone who, fraudulently and without colour of right,
• (a) obtains, directly or indirectly, any computer service,
• (b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system, or
• (c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system
is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years
Source: http://www.mosstingrett.no/

United Kingdom's Laws
Computer Misuse Act 1990
(1) A person is guilty of an offense if (a) he causes a computer to perform any function with the intent to secure access to any program or data held in any computer, (b) the access he intends to secure is unauthorized, and (c) he knows at the time when he causes the computer to perform the function that that is the case
(2) The intent a person has to have to commit an offense under this section need not be directed at: (a) any particular program or data, (b) a program or data of any particular kind, or (c) a program or data held in any particular computer
(3) A person guilty of an offense under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both
Source: http://www.opsi.gov.uk

United Kingdom's Laws (cont'd)
(4) A person is guilty of an offense under this section if he commits an offense under section 1 above ("the unauthorized access offense") with intent (a) to commit an offense to which this section applies; or (b) to facilitate the commission of such an offense; and the offense he intends to commit or facilitate is referred to below in this section as the further offense
(5) This section applies to offences (a) for which the sentence is fixed by law; or (b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years
(6) It is immaterial for the purposes of this section whether the further offense is to be committed on the same occasion as the unauthorized access offense or on any future occasion
(7) A person may be guilty of an offense under this section even though the facts are such that the commission of the further offense is impossible

United Kingdom's Laws (cont'd)
(8) A person guilty of an offense under this section shall be liable (a) on summary conviction, to imprisonment for a term no
texceedingthestatutorymaximumortoboth;and(b)onconvictiononindictment,toimprisonmentforatermnotexceedingfiveyearsortoafineortoboth(9)Apersonisguiltyofanoffenseif(a)hedoesanyactwhichcausesanunauthorizedmodificationofthecontentsofanycomputer;and(b)atthetimewhenhedoestheacthehastherequisiteintentandtherequisiteknowledge.(10)Forthepurposesofsubsection(1)(b)abovetherequisiteintentisanintenttocauseamodificationofthecontentsofanyandbysodoing(a)toimpairtheoperationofanycomputer;(b)topreventorhinderaccesstoanyprogramordataheldinanycomputer;or(c)toimpairtheoperationofanysuchprogramorthereliabilityofanysuchdataEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedBelgiumLawsEC-CouncilCOMPUTERHACKINGArticle550(b)oftheCriminalCode:§1.Anypersonwho,awarethatheisnotauthorised,accessesormaintainshisaccesstoacomputersystem,maybesentencedtoatermofimprisonmentof3monthsto1yearandtoafineof(Bfr5,200-5m)ortooneofthesesentencesIftheoffencespecifiedin§1aboveiscommittedwithintentiontodefraud,thetermofimprisonmentmaybefrom6monthsto2years§2.Anypersonwho,withtheintentiontodefraudorwiththeintentiontocauseharm,exceedshispowerofaccesstoacomputersystem,maybesentencedtoatermofimprisonmentof6monthsto2yearsandtoafineof(BFr5,200-20m)ortooneofthesesentencesSource:http://www.mosstingrett.no/Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedGermanLawsPenalCodeSection202a.DataEspionage:•(1)Anypersonwhoobtainswithoutauthorization,forhimselforforanother,datawhicharenotmeantforhimandwhicharespeciallyprotectedagainstunauthorizedaccess,shallbeliabletoimprisonmentforatermnotexceedingthreeyearsortoafine•(2)Datawithinthemeaningofsubsection1areonlysuchasarestoredortransmittedelectronicallyormagneticallyorinanyformnotdirectlyvisiblePenalCodeSection303a:AlterationofData•(1)Anypersonwhounlawfullyerases,suppresses,rendersuseless,oraltersdata(section202a(2))shallbeliabletoimprisonmentforatermnotexceedingtwoyearsortoafine•(2)TheattemptshallbepunishableSource:http://www.moss
tingrett.no/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedItalianLawsPenalCodeArticle615ter:Unauthorizedaccessintoacomputerortelecommunicationsystems:•Anyonewhoentersunauthorizedintoacomputerortelecommunicationsystemprotectedbysecuritymeasures,orremainsinitagainsttheexpressedorimpliedwilloftheonewhohastherighttoexcludehim,shallbesentencedtoimprisonmentnotexceedingthreeyears•Theimprisonmentisfromoneuntilfiveyears•ifthecrimeiscommittedbyapublicofficialorbyanofficerofapublicservice,throughabuseofpowerorthroughviolationofthedutiesconcerningthefunctionortheservice,orbyapersonwhopracticesevenwithoutalicence-theprofessionofaprivateinvestigator,orwithabuseofthecapacityofasystemoperatorSource:http://www.mosstingrett.no/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCybercrimeAct2001TheCybercrimeAct2001amendedtheCriminalCodeAct1995toreplaceexistingoudatedcomputeroffences478.1Unauthorizedaccessto,ormodificationof,restricteddata(1)Apersonisguiltyofanoffenceif:(a)thepersoncausesanyunauthorizedaccessto,ormodificationof,restricteddata;and(b)thepersonintendstocausetheaccessormodification;and(c)thepersonknowsthattheaccessormodificationisunauthorized;and(d)oneormoreofthefollowingapplies:(i)therestricteddataisheldinaCommonwealthcomputer;(ii)therestricteddataisheldonbehalfoftheCommonwealth;(iii)theaccessto,ormodificationof,therestricteddataiscausedbymeansofatelecommunicationsserviceEC-CouncilSource:http://www.cybercrimelaw.net/Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCybercrimeAct2001(cont’d)Penalty:2yearsimprisonment(2)Absoluteliabilityappliestoparagraph(1)(d)(3)Inthissection:restricteddatameansdata(a)heldinacomputer;and(b)towhichaccessisrestrictedbyanaccesscontrolsystemassociatedwithafunctionofthecomputerEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedInformationTechnologyActTHEINFORMATIONTECHNOLOGYACT,2000(No.21of2000)CHAPTERXIOFFENCES66.Hackingwith
computersystem(1)Whoeverwiththeintenttocauseorknowingthatheislikelytowrongfullossordamagetothepublicoranypersondestroysaltersanyinformationresidinginacomputerresourceutilityoraffectsitinjuriouslybyanymeans,causeordeletesorordimishesitsvalueorcommitshack(2)Whoevercommitshackingshallbepunishedwithimprisonmentuptothreeyears,orwithfinewhichmayextenduptotwolakhrupees,orwithbothSource:http://lawmin.nic.in/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSingaporeLawsChapter50A:ComputermisuseActSection3–(1)Anypersonwhoknowinglycausesacomputertoperformanyfunctionforthepurposeofsecuringaccesswithoutauthority,shallbeliableonconvictiontoafinenotexceeding$5.000ortoimprisonmentforatermnotexceeding2yearsortoboth.(2)Ifanydamageiscausedasarestutofanoffenceunderthissection,apersonconvictedoftheoffenceshallbeliabletoafinenotexceeding$50.000ortoimprisonmentforatermnotexceeding7yearsortobothSection4:Accesswithintenttocommitorfacilitatecommissionofoffence(1)Thissectionshallapplytoanoffenceinvolvingproperty,fraud,dishonestyorwhichcausesbodilyharmandwhichispunishableonconvictionwithimprisonmentforatermofnotlessthan2years.(2)Anypersonguiltyofanoffenceunderthissectionshallbeliableonconvictiontoanotexceeding$50.000ortoimprisonmentforatermnotexceeding10yearsortobothEC-CouncilSource:http://www.mosstingrett.no/Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSarbanes-OxleyActTitleIPublicCompanyAccountingOversightBoard(PCAOB)consistsofninesectionsandestablishesthePublicCompanyAccountingOversightBoard,toprovideindependentoversightofpublicaccountingfirmsprovidingauditservices("auditors")TitleIIAuditorIndependenceconsistsofninesectionsandestablishesstandardsforexternalauditorindependence,tolimitconflictsofinterestandaddressesnewauditorapprovalrequirements,auditpartnerrotation,andauditorreportingrequirementsTitleIIICorporateResponsibilityconsistsofeightsectionsandmandatesthatseniorexecutivestakeindividualresponsibilityfortheaccuracyandcompleten
essofcorporatefinancialreportsEC-CouncilSource:http://frwebgate.access.gpo.gov/Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSarbanes-OxleyAct(cont’d)TitleIVEnhancedFinancialDisclosuresconsistsofninesectionsanddescribesenhancedreportingrequirementsforfinancialtransactions,includingoff-balance-sheettransactions,pro-formafiguresandstocktransactionsofcorporateofficersTitleVAnalystConflictsofInterestconsistsofonlyonesection,whichincludesmeasuresdesignedtohelprestoreinvestorconfidenceinthereportingofsecuritiesanalystsTitleVICommissionResourcesandAuthorityconsistsoffoursectionsanddefinespracticestorestoreinvestorconfidenceinsecuritiesanalystsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSarbanes-OxleyAct(cont’d)EC-CouncilTitleVIIStudiesandReportsconsistsoffivesectionsanditincludetheeffectsofconsolidationofpublicaccountingfirms,theroleofcreditratingagenciesintheoperationofsecuritiesmarkets,securitiesviolationsandenforcementactions,andwhetherinvestmentbanksassistedEnron,GlobalCrossingandotherstomanipulateearningsandobfuscatetruefinancialconditionsTitleVIIICorporateandCriminalFraudAccountabilityconsistsofsevensectionsandisalsoreferredtoasthe“CorporateandCriminalFraudActof2002”.Itdescribesspecificcriminalpenaltiesforfraudbymanipulation,destructionoralterationoffinancialrecordsorotherinterferencewithinvestigations,whileprovidingcertainprotectionsforwhistle-blowers.Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSarbanes-OxleyAct(cont’d)EC-CouncilTitleIXWhiteCollarCrimePenaltyEnhancementconsistsoftwosections.Thissectionisalsocalledthe“WhiteCollarCrimePenaltyEnhancementActof2002.”Thissectionincreasesthecriminalpenaltiesassociatedwithwhite-collarcrimesandconspiracies.Itrecommendsstrongersentencingguidelinesandspecificallyaddsfailuretocertifycorporatefinancialreportsasacriminaloffense.TitleXCorporateTaxReturnsconsistsofonesection.Section1001statesthattheChiefExecutiveOfficershouldsignthecompanyta
xreturn.TitleXICorporateFraudAccountabilityconsistsofsevensections.Section1101recommendsanameforthistitleas“CorporateFraudAccountabilityActof2002”.Itidentifiescorporatefraudandrecordstamperingascriminaloffensesandjoinsthoseoffensestospecificpenalties.Italsorevisessentencingguidelinesandstrengthenstheirpenalties.ThisenablestheSECtotemporarilyfreezelargeorunusualpayments.Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSocialSecurityActSec.464.[42U.S.C.664](a)(1)UponreceivingnoticefromaStateagencyadministeringaplanapprovedunderthispartthatanamedindividualowespast-duesupportwhichhasbeenassignedtosuchStatepursuanttosection408(a)(3)orsection471(a)(17),theSecretaryoftheTreasuryshalldeterminewhetheranyamounts,asrefundsofFederaltaxespaid,arepayabletosuchindividual(regardlessofwhethersuchindividualfiledataxreturnasamarriedorunmarriedindividual).IftheSecretaryoftheTreasuryfindsthatanysuchamountispayable,heshallwithholdfromsuchrefundsanamountequaltothepast-duesupport,shallconcurrentlysendnoticetosuchindividualthatthewithholdinghasbeenmade(includinginorwithsuchnoticeanotificationtoanyotherpersonwhomayhavefiledajointreturnwithsuchindividualofthestepswhichsuchotherpersonmaytakeinordertosecurehisorherpropershareoftherefund),andshallpaysuchamounttotheStateagency(togetherwithnoticeoftheindividual'shomeaddress)fordistributioninaccordancewithsection457.ThissubsectionmaybeexecutedbythedisbursingofficialoftheDepartmentoftheTreasury.EC-CouncilSource:http://www.ssa.gov/Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSocialSecurityAct(cont’d)Sec.1137.[42U.S.C.1320b–7](a)Inordertomeettherequirementsofthissection,aStatemusthaveineffectanincomeandeligibilityverificationsystemwhichmeetstherequirementsofsubsection(d)andunderwhich—(1)theStateshallrequire,asaconditionofeligibilityforbenefitsunderanyprogramlistedinsubsection(b),thateachapplicantfororrecipientofbenefitsunderthatprogramfurnishtotheStatehissocialsecurityaccountnumber(ornumbers,ifhehasmor
ethanonesuchnumber),andtheStateshallutilizesuchaccountnumbersintheadministrationofthatprogramsoastoenabletheassociationoftherecordspertainingtotheapplicantorrecipientwithhisaccountnumber;(2)wageinformationfromagenciesadministeringStateunemploymentcompensationlawsavailablepursuanttosection3304(a)(16)oftheInternalRevenueCodeof1954[71],wageinformationreportedpursuanttoparagraph(3)ofthissubsection,andwage,income,andotherinformationfromtheSocialSecurityAdministrationandtheInternalRevenueServiceavailablepursuanttosection6103(l)(7)ofsuchCode[72],shallberequestedandutilizedtotheextentthatsuchinformationmaybeusefulinverifyingeligibilityfor,andtheamountof,benefitsavailableunderanyprogramlistedinsubsection(b),asdeterminedbytheSecretaryofHealthandHumanServices(or,inthecaseoftheunemploymentcompensationprogram,bytheSecretaryofLabor,or,inthecaseofthesupplementalnutritionassistanceprogram[73],bytheSecretaryofAgriculture);EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSocialSecurityAct(cont’d)EC-Council(3)employers(asdefinedinsection453A(a)(2)(B))(includingStateandlocalgovernmentalentitiesandlabororganizations)insuchStatearerequired,effectiveSeptember30,1988,tomakequarterlywagereportstoaStateagency(whichmaybetheagencyadministeringtheState'sunemploymentcompensationlaw)exceptthattheSecretaryofLabor(inconsultationwiththeSecretaryofHealthandHumanServicesandtheSecretaryofAgriculture)maywaivetheprovisionsofthisparagraphifhedeterminesthattheStatehasineffectanalternativesystemwhichisaseffectiveandtimelyforpurposesofprovidingemploymentrelatedincomeandeligibilitydataforthepurposesdescribedinparagraph(2),andexceptthatnoreportshallbefiledwithrespecttoanemployeeofaStateorlocalagencyperformingintelligenceorcounterintelligencefunctions,iftheheadofsuchagencyhasdeterminedthatfilingsuchareportcouldendangerthesafetyoftheemployeeorcompromiseanongoinginvestigationorintelligencemission,andexceptthatinthecaseofwagereportswithrespecttodomesticserviceemployment,aStatemaype
rmitemployers(assodefined)thatmakereturnswithrespecttosuchemploymentonacalendaryearbasispursuanttosection3510oftheInternalRevenueCodeof1986tomakesuchreportsonanannualbasis;Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedGramm-Leach-BlileyActEC-CouncilTheGLBActgivesauthoritytoeightfederalagenciesandthestatestoadministerandenforcetheFinancialPrivacyRuleandtheSafeguardsRuleFinancialPrivacyRulerequiresfinancialinstitutionstoprovideeachconsumerwithaprivacynoticeatthetimetheconsumerrelationshipisestablishedandannuallythereafter.Theprivacynoticemustexplaintheinformationcollectedabouttheconsumer,wherethatinformationisshared,howthatinformationisused,andhowthatinformationisprotected.Thenoticemustalsoidentifytheconsumer’srighttoopt-outoftheinformationbeingsharedwithunaffiliatedpartiespertheFairCreditReportingAct.Shouldtheprivacypolicychangeatanypointintime,theconsumermustbenotifiedagainforacceptance.Eachtimetheprivacynoticeisreestablished,theconsumerhastherighttoopt-outagain.Theunaffiliatedpartiesreceivingthenonpublicinformationareheldtotheacceptancetermsoftheconsumerundertheoriginalrelationshipagreement.Insummary,thefinancialprivacyruleprovidesforaprivacypolicyagreementbetweenthecompanyandtheconsumerpertainingtotheprotectionoftheconsumer’spersonalnonpublicinformation.Source:http://www.ftc.gov/Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedGramm-Leach-BlileyAct(cont’d)EC-CouncilSafeguardsRulerequiresfinancialinstitutionstodevelopawritteninformationsecurityplanthatdescribeshowthecompanyispreparedfor,andplanstocontinuetoprotectclients’nonpublicpersonalinformation.(TheSafeguardsRulealsoappliestoinformationofthosenolongerconsumersofthefinancialinstitution.)Thisplanmustinclude:•Denotingatleastoneemployeetomanagethesafeguards,•Constructingathorough[riskmanagement]oneachdepartmenthandlingthenonpublicinformation,•Develop,monitor,andtestaprogramtosecuretheinformation,and•Changethesafeguardsasneededwiththechangesinhowinformationiscollecte
d,stored,andused.Thisruleisintendedtodowhatmostbusinessesshouldalreadybedoing:protectingtheirclients.TheSafeguardsRuleforcesfinancialinstitutionstotakeacloserlookathowtheymanageprivatedataandtodoariskanalysisontheircurrentprocesses.Noprocessisperfect,sothishasmeantthateveryfinancialinstitutionhashadtomakesomeefforttocomplywiththeGLBA.Copyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedHealthInsurancePortabilityandAccountabilityAct(HIPAA)Ensureintegrity,confidentialityandavailabilityofelectronicprotectedhealthinformationProtectagainstreasonablyanticipatedthreatsorhazards,andimproperuseordisclosureProtectagainstanyreasonablyanticipatedusesordisclosuresofsuchinformationthatarenotpermittedorrequiredPenalty:Fineupto$50,000,imprisonednotmorethan1year,orbothSource:http://www.hhs.gov/EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIntellectualPropertyLawsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIntellectualPropertyIntellectualpropertyistheproductofintellectthathascommercialvalueandincludescopyrightsandtrademarksCommontypesofintellectualpropertyinclude:•••••CopyrightsTrademarksPatentsIndustrialdesignrightsTradesecretsUnderintellectualpropertylaw,ownersaregrantedcertainexclusiverightstoavarietyofintangibleassetsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedUSLawsforTrademarksandCopyrightTheDigitalMillenniumCopyrightAct(DMCA)of1998•ThisActcreateslimitationsontheliabilityofonlineserviceprovidersforcopyrightinfringementTheLanham(Trademark)Act(15USC§§1051-1127)•ThisActprohibitsanumberofactivities,includingtrademarkinfringement,trademarkdilution,andfalseadvertisingEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedUSLawsforTrademarksandCopyright(cont’d)Doctrineof“FairUse”Section107oftheCopyrightLawmentionsthedoctrineof“fairuse”ThedoctrineisaresultofanumberofcourtdecisionsovertheyearsReproductionofaparticularworkforcritici
sm,newsreporting,comment,teaching,scholarship,andresearchisconsideredasfairaccordingtoSection107oftheCopyrightLawEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedUSLawsforTrademarksandCopyright(cont’d)OnlineCopyrightInfringementLiabilityLimitationAct:•Sec.512.Limitationsonliabilityrelatingtomaterialon-line•Limitation-Notwithstandingtheprovisionsofsection106,aprovidershallnotbeliablefor:•Directinfringement•monetaryreliefundersection504or505forcontributoryinfringementorvicariousliabilitybasedsolelyonconduct•monetaryreliefundersection504or505forcontributoryinfringementorvicariousliability,basedsolelyonprovidingaccesstomaterialoverthatprovider'ssystemornetwork•Protectionofprivacy•LimitationbaseduponremovingordisablingaccesstoinfringingmaterialEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedAustraliaLawsForTrademarksandCopyrightTheTradeMarksAct1995•ThisActgrantsprotectiontoaletter,word,phrase,sound,smell,shape,logo,picture,aspectofpackagingorcombinationofthese,usedbytradersontheirgoodsandservicestoindicatetheiroriginThePatentsAct1990•ThisActgrantsmonopolyrightstoinventorsofnewinventionssuchasimprovedproductsordevicesandsubstancesTheCopyrightAct1968•ThisActrelatestocopyrightandtheprotectionofcertainperformancesandforotherpurposesEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedUKLawsforTrademarksandCopyrightTheCopyright,Etc.AndTradeMarks(OffencesAndEnforcement)Act2002•ThisActamendsthecriminalprovisionsinintellectualpropertylaw,lawrelatingtocopyright,rightsinperformances,fraudulentreceptionofconditionalaccesstransmissionsbyuseofunauthorizeddecodersandtrademarksTrademarksAct1994(TMA)•ThisActprovidesthehonestuseofonesownnameoraddressisadefenseEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedChinaLawsforTrademarksandCopyrightCopyrightLawofPeople’sRepublicofChina(AmendmentsonOctober27,2001)•Article1:Thepurposeofprotectingthecopyrightofauthorsinth
eirliterary,artisticandscientificworksandthecopyright-relatedrightsandinterests•Article2:WorksofChinesecitizens,legalentitiesorotherorganizations,whetherpublishedornot,shallenjoycopyrightinaccordancewiththisLawTrademarkLawofthePeople'sRepublicofChina(AmendmentsonOctober27,2001)•ThisLawisenactedforthepurposesofimprovingtheadministrationoftrademarks,protectingtheexclusiverighttousetrademarks,andofencouragingproducersandoperatorstoguaranteethequalityoftheirgoodsandservicesandmaintainingthereputationoftheirtrademarks,withaviewtoprotectingtheinterestsofconsumers,producersandoperatorsandtopromotingthedevelopmentofthesocialistmarketeconomyEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedIndianLawsforTrademarksandCopyrightThePatents(Amendment)Act,1999•ThisActprovidesestablishmentofamailboxsystemtofilepatentsTradeMarksAct,1999•ThisActprovidesregistrationoftrademarksrelatingtogoodsandservicesTheCopyrightAct,1957•ThisActprescribesmandatorypunishmentforpiracyofcopyrightedmatterappropriatewiththegravityoftheoffensewithaneffecttodeterinfringementEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedJapaneseLawsforTrademarksandCopyrightTheTrademarkLaw(LawNo.127of1957):•ThisLawappliesonlytoregisteredtrademarksTheTrademarkLaw(N.S.187of1999):•Accordingtothislaw,trademarksaredistinguishableandarenotindispensabletosecurethefunctionofthegoodsortheirpackagingCopyrightManagementBusinessLaw(4.2.2.3of2000):•Thislawfacilitatestheestablishmentofnewcopyrightmanagementbusinesses,inorderto"respondtothedevelopmentofdigitaltechnologiesandcommunicationnetworks"EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedCanadaLawsforTrademarksandCopyrightCopyrightAct(R.S.,1985,c.C-42)•ThisActgrantsprotectiontoaarchitecturalwork,artisticwork,Berneconventioncountry,commission,book,broadcaster,choreographicwork,cinematographicwork,collectivesociety,workorcombinationofthese,usedbytradersontheirgoodsandservicestoindicateth
eiroriginTrademarkLaw•Itstatesthatifamarkisusedbyapersonasatrade-markforanyofthepurposesorinanyofthemanners,itshallnotbeheldinvalidmerelyonthegroundthatthepersonorapredecessorintitleusesitorhasuseditforanyotherofthosepurposesorinanyotherofthosemannersEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSouthAfricanLawsforTrademarksandCopyrightTrademarksAct194of1993•Itistheacttoprovidetheregistrationoftrademarks,certificationtrademarksandcollectivetrademarksandtoprovideforincidentalmattersCopyrightActof1978•ItistheacttoregulatecopyrightandtoprovideformattersincidentaltheretoPatentsActNo.57of1978•ToprovidefortheregistrationandgrantingofletterspatentforinventionsandformattersconnectedtherewithEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSouthKoreanLawsforTrademarksandCopyrightCopyrightlawActNo.3916•ThepurposeofthisActistoprotecttherightsofauthorsandtherightsneighboringonthemandtopromotefairuseofworksinordertocontributetotheimprovementanddevelopmentofcultureIndustrialDesignProtectionAct•ThepurposeofthisactistoencouragethecreationofdesignsbyensuringtheirprotectionandutilizationsoastocontributetothedevelopmentofindustryEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedBelgiumLawsforTrademarksandCopyrightCopyrightLaw,30/06/1994•Thepurposeoftheactistoprotecttheliteraryorartisticworkfromunauthorizedusage•TheauthorofaworkaloneshallhavetherighttoreproducehisworkortohaveitreproducedinanymannerorformwhatsoeverTrademarkLaw,30/06/1969•ItisthelawapprovingtheBeneluxConventionConcerningTrademarksandAnnex,signedinBrusselsonMarch19,1962•Thehighcontractingpartiesshallincorporateintotheirdomesticlegislation,inoneorbothoftheoriginaltexts,theBeneluxUniformLawonTradeMarksannexedtothisConventionandshallestablishanadministrationcommontotheircountriesunderthename"BeneluxTradeMarksBureau"EC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedHongKongLawsforIntellectualPro
pertyHongKong’sIPlawsarebasedonconstitutionalorBasicLawprovisionsArticle139oftheBasicLaw•GovernmentshallformulatepoliciesonscienceandtechnologyandprotectachievementsinscientificresearchArticle140ofthebasiclaw•ItprotectstherightsofauthorsintheirliteraryandartisticcreationsEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedSummaryAsecuritypolicyisadocumentthatstatesinwritinghowacompanyplanstoprotectitsphysicalandinformationtechnologyassetsSecuritypolicyensurescustomer’sintegrityandpreventsunauthorizedmodificationsofthedataFederallawrequiresFederalagenciestoreportincidentstotheFederalComputerIncidentResponseCenterOrganizationsshouldnotcontactmultipleagenciesbecauseitmightresultinjurisdictionalconflictsUnderintellectualpropertylaw,ownersaregrantedcertainexclusiverightstoavarietyofintangibleassetsAnacceptableusepolicyisasetofrulesappliedbyorganization,network,orInternettorestricttheirusageEvidenceshouldbecollectedaccordingtoproceduresthatmeetallapplicablelawsandregulations,inordertobeadmissibleincourtChainofcustodyisadocumentationshowingtheseizure,custody,control,transfer,analysis,anddispositionofevidenceEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibitedEC-CouncilCopyright©byEC-CouncilAllRightsReserved.ReproductionisStrictlyProhibited × Report"ECIHCompile" Yourname Email Reason -SelectReason- Pornographic Defamatory Illegal/Unlawful Spam OtherTermsOfServiceViolation Fileacopyrightcomplaint Description Close Submit Ourpartnerswillcollectdataandusecookiesforadpersonalizationandmeasurement.LearnhowweandouradpartnerGoogle,collectandusedata.Agree&close