
Trainer’s Handbook – Security Analyst



Trainer’s Handbook



Security Analyst SSC/ Q0901






Copyright (c) 2015 NASSCOM
4E-Vandana Building (4th Floor), 11 Tolstoy Marg, Connaught Place, New Delhi 110 001, India
T +91 11 4151 9230; F +91 11 4151 9240
E [email protected]
W www.nasscom.in

Disclaimer
The information contained herein has been obtained from sources reliable to NASSCOM. NASSCOM disclaims all warranties as to the accuracy, completeness or adequacy of such information. NASSCOM shall have no liability for errors, omissions, or inadequacies in the information contained herein, or for interpretations thereof. Every effort has been made to trace the owners of the copyright material included in the book. The publishers would be grateful for any omissions brought to their notice for acknowledgement in future editions of the book. No entry in NASSCOM shall be responsible for any loss whatsoever sustained by any person who relies on this material. The material in this publication is copyrighted. No part of this report can be reproduced either on paper or electronic media unless authorized by NASSCOM.






Foreword

The Indian IT-ITeS industry has built its reputation in the global arena on several differentiators, chief among them being the availability of manpower. Organizations across the world recognize the value India brings to every engagement with its vast and readily available pool of IT professionals. Global entities have found it extremely effective to leverage this significant resource in order to enjoy a competitive edge and innovation benefits.

In the coming years, the landscape is expected to shift in ways that reveal more exciting opportunities. The world will require people with advanced technology skills and domain knowledge, set against a backdrop of heightened labour mobility across occupations and markets. India is largely acknowledged to be heir apparent to the benefits of a demographic dividend over the coming decades, which has the potential to see the nation emerge as one of the world's largest population bases of employable youth. With many other countries set to face the effects of an ageing and retirement-ready workforce, India is poised to become a sought-after destination for those seeking higher value-add and specialized services.

Global markets are on their way towards revival and recovery, and this is well reflected in the proactive recruitment measures taken by IT-ITeS organizations in India in recent times. India's IT-BPM industry is on track to achieve its target of USD 225 billion by 2020. From a base of about 3.1 million employees in FY2014, the industry is expected to add another 2 million employees by 2020. Indirect employment generated by 2020 is expected to be about 3x the direct employment number, i.e. between 13 and 16 million. To realize India's potential of emerging as a skills hub of the world, a significant amount of foresight and work is required.

It is imperative that stakeholders engage in a concerted effort to undertake the transformation of the labour pool estimated to enter the market into skilled and employable talent. Enabling the creation of a future industry-ready cohort will give the IT-ITeS industry an edge in leadership and sustainability. One of the growing areas of global interest and concern is Information/Cyber Security. This led to the identification of the "hot skills" du jour, resulting in the formal creation of a Qualification Pack (QP), or job role framework, for the role of a Security Analyst. The QP is designed to capture the skills required by the IT-BPM industry for an entry-level position in this field.

To ensure the creation of an academic course that is both relevant and viable, the IT-ITeS Sector Skills Council NASSCOM (SSC NASSCOM) partnered with key industry stakeholders, including Cyber Eye Research, Cypher Cloud, Deloitte, First American, HCL, HDFC, IBM, ISC2, Karvy Analytics, NIIT University, PwC, Symantec, TCS, Wells Fargo, and the Data Security Council of India (DSCI), for the design of the curricula and courseware. In addition, the program addresses the need for faculty support, and achieves this by acquainting trainers with the latest advancements in pedagogy. We wish the universities and colleges all the very best in their endeavour.



R Chandrashekhar President NASSCOM






Acknowledgements

NASSCOM would like to thank its member company representatives within the Security Analyst Special Interest Group (SIG) Council for believing in our vision to enhance the employability of the available engineering student pool. SSC NASSCOM facilitates this by developing and enabling the implementation of courses relevant to projected industry needs. The aim is to address two key requirements: closing the industry-academia skill gap, and creating a talent pool that can reasonably weather future externalities in the IT-BPM industry. NASSCOM believes that this is an initiative of great importance for all stakeholders concerned: the industry, academia, and the students.

The tremendous amount of work and ceaseless support offered by the members of this SIG in developing a meaningful strategy for the content and design of program training materials has been truly commendable. We would like to particularly thank Cyber Eye Research Labs, DSCI, First American, Karvy Analytics, and Symantec for bringing much needed focus to this effort. NASSCOM recognizes the fantastic contributions of Mr. Ram Ganesh at Cyber Eye Research Labs; Mr. Ashok Polapragada and Mr. Ranjit Kumar at Karvy Analytics; Mr. Dwaraka Ramana K at First American; Dr Giri T at Cypher Cloud; Mr. Nanda Kumar Sarvade, Mr. Vinayak Godse and Mr. Aditya Bhatia at DSCI. We acknowledge with sincere gratitude the immense contribution of the SIG member companies Deloitte, HCL, HDFC, IBM, ISC2, NIIT University, PwC, Symantec, TCS and Wells Fargo for their part in the creation of this course and its accompanying training materials. We extend our thanks to PROGILENCE Capability Development Pvt. Ltd. for producing this course publication.

Dr Sandhya Chintala
Executive Director – Sector Skill Council
Vice President – NASSCOM






Prologue

The tectonic shifts in the digital world have resulted in parallel shifts in our relationship with technology, accompanied by a heightened awareness of security concerns. For instance, functions such as protecting an individual or entity from digital security threats, or devising robust security measures that will help maintain the integrity of data, are growing areas of importance. It is not surprising then that the field of Cyber Security has grown swiftly over the past few years, especially in view of its implications for developing meaningful business strategies or government policy. There is a rise in key services that now include guarding sensitive information within a company or body, implementing the security measures required to avoid breaches, avoiding flaws in security systems, and preventing unauthorized access to networks. What remains to be addressed is the projected demand for a relevant and qualified workforce. The creation of a job role framework for the Security Analyst role is a welcome endeavour that will contribute towards bridging any shortfall.

The content of this book caters to a holistic set of skilling areas, including the study of core technologies currently adopted in this field and the industry as a whole, and the development of familiarity with the professional environments that students are likely to operate in after graduation. It incorporates a blend of domain concepts, hands-on practice sessions, and sessions covering auxiliary skills such as communication and problem solving. The facilitator guide and student handbook are expected to act as effective companions in the learning process. This mixture is designed to prepare students for the transition from the academic to the professional in an industry-relevant manner. This first edition of the publication has been developed by NASSCOM in conjunction with industry leaders who have operated in and studied the field of Cyber Security extensively.

I congratulate the team effort in successfully creating material that will be widely available, accessible and applicable. The Security Analyst course will be offered to B.Tech candidates, who can register to take it in any semester beginning with the second half of their third year. This publication will act as an important resource for students as they prepare for the new tide, and this in turn will contribute to keeping our workforce at the forefront.



Vice Chancellor JNTUH






About the Qualification Pack

JOB ROLE: Security Analyst (Information/System Security Analyst/Engineer)
OCCUPATION: Information Security

Note: All the Horizontals (Occupations, Tracks and Job Roles) cut across the Industry Verticals.

Security Analyst is from the Occupation "Information Security" under the IT Services sub-sector.






The qualification SSC/Q0901 is part of the IT-ITeS Sector and the IT Services sub-sector. The eligibility requirements and National Occupational Standards for this qualification are listed below.

Qualifications Pack Code: SSC/Q0901
Job Role: Security Analyst (this job role is applicable in both national and international scenarios)
Credits (NVEQF/NVQF/NSQF): not specified
Version number: 0.1
Sector: IT-ITeS
Sub-sector: IT Services
Occupation: Information Security
Drafted on: 30/04/13
Last reviewed on: 30/04/13
Next review date: 30/06/14
NSQF level: 7
Minimum Educational Qualifications: Diploma in Engineering or any graduate course
Maximum Educational Qualifications: Bachelor's Degree in Science/Technology/Computers
Training (suggested but not mandatory): Certification in Information Systems or related fields; basic soft skills training
Experience: 0-2 years of work experience/internship in security

Applicable National Occupational Standards (NOS)
Compulsory:
1. SSC/N0901 (Contribute to managing information security)
2. SSC/N0902 (Co-ordinate responses to information security incidents)
3. SSC/N0903 (Install and configure information security devices)
4. SSC/N0904 (Contribute to information security audits)
5. SSC/N0905 (Support teams to prepare for and undergo information security audits)
6. SSC/N9001 (Manage your work to meet requirements)
7. SSC/N9002 (Work effectively with colleagues)
8. SSC/N9003 (Maintain a healthy, safe and secure working environment)
9. SSC/N9004 (Provide data/information in standard formats)
10. SSC/N9005 (Develop your knowledge, skills and competence)
Optional: Not Applicable






JNTUH Syllabus for Security Analyst

Objectives:
- To introduce the terminology, technology and its applications
- To introduce the concept of a Security Analyst
- To introduce the tools, technologies and programming languages used in the day-to-day Security Analyst job role

Information Security Management (Security Analyst – I)

Unit I: Information Security Management
Information Security Overview, Threats and Attack Vectors, Types of Attacks, Common Vulnerabilities and Exposures (CVE), Security Attacks, Fundamentals of Information Security, Computer Security Concerns, Information Security Measures etc.

Unit II: Fundamentals of Information Security
Key Elements of Networks, Logical Elements of a Network, Critical Information Characteristics, Information States etc.

Unit III: Data Leakage
What is Data Leakage and statistics, Data Leakage Threats, Reducing the Risk of Data Loss, Key Performance Indicators (KPI), Database Security etc.

Unit IV: Information Security Policies, Procedures and Audits
Information Security Policies: necessity, key elements and characteristics; Security Policy implementation and configuration; Security Standards, Guidelines and Frameworks etc.

Unit V: Information Security Management – Roles and Responsibilities
Security Roles and Responsibilities, Accountability, Roles and Responsibilities of the Information Security Management team, responding to emergency situations, the risk analysis process etc.

Text Books
Prescribed books:
1. Management of Information Security by Michael E. Whitman and Herbert J. Mattord
References:
1. http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
2. http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf






Information Security Assessments and Audits (Security Analyst – II)

Unit I: Information Security Performance Metrics and Audit
Security Metrics and Reporting, Common Issues and Variances of Performance Metrics, Introduction to Security Audit, Servers and Storage Devices, Infrastructure and Networks, Communication Routes, Information Security Methodologies (Black-box, White-box, Grey-box), Phases of an Information Security Audit and Strategies, Ethics of an Information Security Auditor etc.

Unit II: Information Security Audit Tasks, Reports and Post-Auditing Actions
Pre-audit checklist, Information Gathering, Vulnerability Analysis, External Security Audit, Internal Network Security Audit, Firewall Security Audit, IDS Security Auditing, Social Engineering Security Auditing, Web Application Security Auditing, Information Security Audit Deliverables and Writing the Report, Result Analysis, Post-Auditing Actions, Report Retention etc.

Unit III: Vulnerability Management
Information Security Vulnerabilities: Threats and Vulnerabilities, Human-based Social Engineering, Computer-based Social Engineering, Social Media Countermeasures; Vulnerability Management: Vulnerability Scanning, Testing, Threat Management, Remediation etc.

Unit IV: Information Security Assessments
Vulnerability Assessment, Classification, Types of Vulnerability Assessment, Vulnerability Assessment Phases, Vulnerability Analysis Stages, Characteristics of a Good Vulnerability Assessment Solution and Considerations, Vulnerability Assessment Reports, Tools and choosing the right Tool, Information Security Risk Assessment, Risk Treatment, Residual Risk, Risk Acceptance, Risk Management Feedback Loops etc.

Unit V: Configuration Reviews
Introduction to Configuration Management, Configuration Management Requirements, Plan and Control, Development of Configuration Control Policies, Testing Configuration Management etc.

Text Books
Prescribed books:
1. Assessing Information Security (strategies, tactics, logic and framework) by A. Vladimirov, K. Gavrilenko and A. Michajlowski
2. The Art of Computer Virus Research and Defense by Peter Szor
References:
1. https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180
2. http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf






Information Security Incident Response and Management (Security Analyst – III)

Unit I: Managing Information Security Services
Configuring Network Devices, Identifying Unauthorized Devices, Testing the Traffic Filtering Devices, Configuring a Router, Configuring Modes (Router/Global/Interface/Line/Privilege EXEC/ROM/User EXEC), Configuring a Banner/Firewall/Bastion Host/VPN Server etc.

Unit II: Troubleshooting Network Devices and Services
Introduction and Methodology of Troubleshooting; Troubleshooting of Network Communication/Connectivity, Network Devices, Network Slowdowns, Systems, Modems etc.

Unit III: Information Security Incident Management and Data Backup
Information Security Incident Management overview, Handling and Response, Incident Response Roles and Responsibilities, Incident Response Process etc. Data Backup introduction, Types of Data Backup and their techniques, Developing an Effective Data Backup Strategy and Plan, Security Policy for Backup Procedures.

Unit IV: Log Correlation
Computer Security Logs, Configuring and Analyzing Windows Logs, Log Management: Functions and Challenges, Centralized Logging and Architecture, Time Synchronization (NTP/NIST) etc.

Unit V: Handling Network Security Incidents
Network Reconnaissance Incidents, Network Scanning Security Incidents, Network Attacks and Security Incidents, Detecting a DoS Attack, DoS Response Strategies, Preventing/Stopping a DoS Incident etc.

Unit VI: Handling Malicious Code Incidents
Incident Handling Preparation, Incident Prevention, Detection of Malicious Code, Containment Strategy, Evidence Gathering and Handling, Eradication and Recovery, Recommendations etc.

Project:

Text Books
Prescribed books:
1. Managing Information Security Risks: The OCTAVE Approach by Christopher Alberts and Audrey Dorofee
2. Cryptography and Network Security (4th Edition) by William Stallings
References:
1. https://www.sans.org/reading-room/whitepapers/incident/security-incident-handling-small-organizations-32979






Classroom and Lab Requirements:
1. PCs/Tablets/Laptops
2. Lab availability (24/7)
3. Internet with WiFi (minimum 2 Mbps dedicated)
4. Networking equipment: routers and switches
5. Firewalls and access points
6. Access to all security standards sites such as ISO, PCI DSS
7. Commercial tools such as HP WebInspect, IBM AppScan, etc.
8. Open-source and free tools such as sqlmap, Nmap, Metasploit Community Edition, Nessus (note that Nessus itself is a closed-source commercial scanner; only a home-use licence is free), etc.
9. Anti-virus and anti-spam software
10. Security templates from various sites such as ITIL, ISO, etc.
11. Projection facilities



The above equipment has to be made available for classwork and for research work in non-class hours. The equipment has to have relatively high speed and current OS and other software applications. Students need to have adequate number of terminals for individual use for adequate number of hours. The equipment needs to be installed in keeping with all health and safety measures. Any routine breakdowns should be promptly addressed.






Table of Contents

Facilitator's Guide …17

An Introduction: The industry, sub-sector, occupation and career …37

1. SSC/N0901: Contribute to managing information security …49
   i. Information Security and Threats
   ii. Fundamentals of Information Security
   iii. Data Leakage and Prevention
   iv. Information Security Policies, Procedures, Standards and Guidelines
   v. Information Security Management – Roles and Responsibilities
   vi. Information Security Performance Metrics
   vii. Risk Assessment
   viii. Configuration Review
   ix. Device Log Correlations
   x. Data Backup

2. SSC/N0902: Coordinate responses to information security incidents …231
   i. Incident Response Overview
   ii. Incident Response – Roles and Responsibilities
   iii. Incident Response Process
   iv. Handling Malicious Code Incidents
   v. Handling Network Security Incidents

3. SSC/N0903: Install, configure and troubleshoot information security devices …315
   i. Configuring Network Devices
   ii. Configuring Secure Content Management
   iii. Configuring Firewall
   iv. Troubleshooting Cisco IOS Firewall Configurations
   v. Cisco IOS Firewall IDS
   vi. IPS Configuration
   vii. Anti-virus and Antispam Software
   viii. Web Application Security Configuration
   ix. Patch Management

4. SSC/N0904: Contribute to information security audits; SSC/N0905: Support teams to prepare for and undergo information security audits …523
   i. Information Security Audit
   ii. Work and Work Environment
   iii. Information Security Auditor
   iv. Vulnerability Analysis
   v. Penetration Testing
   vi. Information Security Audit Tasks
   vii. Audit Reports and Actions
   viii. Audit Support Activities

5. SSC/N9001: Manage your work to meet requirements …637
   i. Understanding scope of work and working within limits of authority
   ii. Work and work environment
   iii. Maintaining confidentiality

6. SSC/N9002: Work effectively with colleagues …667
   i. Effective Communication
   ii. Working Effectively

7. SSC/N9003: Maintain a healthy, safe and secure working environment …685
   i. Need for Health and Safety at Work
   ii. Security Analyst's role
   iii. Emergency Situations
   iv. Skills for Maintaining Health and Safety at Work

8. SSC/N9004: Provide data/information in standard formats …761
   i. Information and Knowledge Management
   ii. How to manage data/information effectively
   iii. Skills required to manage data and information effectively
   iv. Performance Evaluation Criteria for an Information Security Analyst

9. SSC/N9005: Develop knowledge, skills and competence …785
   i. Importance of Self-Development
   ii. Knowledge and Skills Required for the Job
   iii. Avenues of Self-Development
   iv. Planning for Self-Development

Annexures …839
   1. Security Assessment Template
   2. Case Studies
   3. Assessment Criteria






Facilitator's Guide

- Training Methodology
- Facilitator: Knowledge and Skills
- Formative Assessment
- Learning Principles
- Instructional Methods
- Some important instructions for Trainers






TRAINING METHODOLOGY

The training methodology is to be selected keeping in mind the background and ability levels of the students as well as adult learning principles. The focus will be on:
- encouraging learners to discover information through research, activities and questioning techniques
- providing every participant an opportunity to practise and perform the practical criteria they are expected to learn in the session
- incorporating the following principles in the training methodology

Teacher's Role
The role of a teacher in this program is to "assist each participant to reach an acceptable workplace competency standard through effective training." In order to do that, the teacher must first ensure that s(he) is fully competent to take on this role, i.e. the teacher has the right knowledge, skill and attitude as a Facilitator and a Subject Matter Expert.






FACILITATOR – KNOWLEDGE AND SKILLS

What is Competence?
Competence is the ability to consistently carry out tasks to the standard of performance required in the workplace, demonstrating performance outcomes, knowledge, understanding and skills.

What is a Qualification Pack?
Each job role will require the performance of a number of tasks. The combination of all the NOSs corresponding to these tasks forms the Qualification Pack (QP) for that job role. These QPs and NOSs can form the benchmarks for various education and training programs as well as for recruitment.

What are National Occupational Standards (NOS)?
Occupational Standards describe what a person should be able to do, know and understand in order to carry out work competently and consistently. When they are applicable and recognised nationally they become National Occupational Standards (NOS). NOS are called "Standards" because they are performance outcomes which have been agreed by employers and key stakeholders from the industry for any person performing that particular job role. The standards are developed in consultation with a wide range of people experienced in the areas covered by the competency standards. This consultation is to ensure that the standards are relevant to as wide a range of workplaces as possible. Each NOS covers:
- Performance Criteria
- Knowledge and Understanding
  o Organisational Context
  o Technical
- Core/Generic Skills
- Professional Skills

The QP and NOSs for each job role correspond to a certain level of skill, knowledge and responsibility in the National Skills Qualification Framework. The level is indicated in the Qualification Pack.

What is Competency Based Training (CBT)?
Competency based training focuses on what is expected of a person in the workplace rather than on the suggested time spent on learning. Competency based training (CBT) relies on the competency standards to form the basis of all training and assessment resources and learning outcomes. CBT is an outcome-oriented methodology that focuses on what a participant can do and how well he/she can do it. CBT training materials clearly state what is expected of participants in terms of performance, in given conditions, and to what standards. CBT differs from the traditional approach to learning in that it focuses on skill development relative to the needs of a particular job role, in this case the Security Analyst.






FORMATIVE ASSESSMENT

Assessment is the process of measurement. It is a process by which evidence is gathered and judged/evaluated by an Assessment Practitioner in order to decide whether an individual has demonstrated the required skills, understanding and knowledge when compared with a pre-determined standard. Assessment may be used in different ways and on different occasions according to its purpose. Such uses of assessment (with clarification) include:

- Diagnostic: finding out what has been learnt and what gaps there might be. Its purpose is to ascertain, prior to instruction, each student's strengths, weaknesses, knowledge and skills. Establishing these permits the instructor to remediate students and adjust the curriculum to meet each learner's unique needs.
- Formative: evaluation of an individual learner used to help the individual improve performance; identification of areas for improvement; specific suggestions for improvement.
- Summative: tying in all aspects of learning through a final application.

A trainer will be required to engage in diagnostic and formative assessment, which will help ensure that the learning outcomes are achieved. Formative assessment incorporates tests within study units, for example when students have finished working on a specific learning activity, in order to allow teachers to diagnose learning needs and adjust teaching at that point.



Assessment methods/tools:
- Observation of individual performance and/or within a group (of process, attitudes, behaviours and application of skills)
- Practical assessment (of a completed job)
- Witness/third-party evidence (from the workplace/from the trainer)
- Oral and written questioning
- Simulation (role play, scenario-building to replicate the workplace)
- Course work (structured in line with pre-determined standards of performance)
- Assignments/reports/projects/presentations
- Professional discussion
- Evidence of own work from the workplace



Best practices for assessment:
- Define the content and competencies to be assessed in an assessment plan or blueprint as the first step in creating a valid assessment program.
- Provide evidence that the implemented assessment methods measure what was intended in the plan.
- Assure that the assessment is reliable, showing the amount of error or variability that could occur if the same assessment were repeated with the same group of trainees or practitioners.
- Present accumulated evidence of the validity of assessment results for a specific group of people in specific circumstances to demonstrate that the results can be interpreted to measure what they are purported to measure.
- The assessment method should be within realistic estimates of cost in time and effort.
- Self-evaluation and peer evaluation should also be used, as they help strengthen the learning further.



Assessing Presentations

Presentations are used increasingly in training programmes because the ability to present information is a valuable skill and also reflects the level of understanding achieved. It is not sufficient simply to ask a student to make an oral presentation. Students need feedback on their performance in order that they can improve. The list below is designed to help in the development of assessment criteria and feedback.

- Does the content of the presentation relate to the title and/or purpose of the presentation?
- Is the breadth of the content sufficient?
- Is the depth of the content sufficient?
- Is the message of the presentation clearly put/argued?
- Is the argument consistent?
- Is sufficient evidence given to support arguments?
- Is there evidence of appropriate critical thinking?
- Are conclusions drawn appropriately?
- Is the focus sharp/to the point?
- Does the presenter put her own point of view in an appropriate manner?
- Is the audience engaged; is their attention maintained by the presenter?
- Is the response to questions and comments competent/accurate/adequate (etc.)?
- Is time keeping managed well (enough)?
- Is the presentation:
  - audible and clear (articulation)
  - does the speaker have "presence" and adequate confidence
  - is the posture and body language appropriate
  - does she make appropriate eye contact
- Is the presentation well structured, with a clear beginning, middle and end?
- Is there use of creativity; is the content or presentation original or creative in some way?
- Are there unexpected features in the content/presentation beyond the expected?

It is stressed that no more than a few of these criteria can be managed by an assessor listening to a short presentation. It may be possible to set up situations in which students help each other to develop presentation skills in a non-tutor-led practice session. Groups of students are asked to prepare a brief presentation (e.g. 5-8 minutes) on an academic topic of interest. Each participant is given a list of assessment criteria, with one sheet for each presenter. The aim of filling in the sheet is to give feedback rather than marks. For every presentation, all students fill in one sheet and at the end simply hand the sheets to the presenter. The value of such an exercise can be enhanced if students are asked to reflect on their performance and write an account of the manner in which they will modify their performance on the next occasion.



A Sample Student Presentation Assessment Sheet

Student name:
Date:
Course Unit, number and name:
Presentation topic:
Planned learning outcomes:

Each criterion is scored on a level of attainment from 10 (High) through 5 (Average) to 1 (Low), with space for the tutor's comments.

Academic content
1. Knowledge and understanding of core material: 10 9 8 7 6 5 4 3 2 1
2. Extent, quality and appropriateness of research: 10 9 8 7 6 5 4 3 2 1
3. Conceptual grasp of issues, quality of argument and ability to answer questions: 10 9 8 7 6 5 4 3 2 1

Quality of management
1. Pacing of presentation: 10 9 8 7 6 5 4 3 2 1
2. Effective use of visual material (whiteboard, visual aids, handouts, as appropriate): 10 9 8 7 6 5 4 3 2 1
3. Organisation/structure of material (intro; main body; conclusion): 10 9 8 7 6 5 4 3 2 1

Quality of communication
- Audibility, liveliness and clarity of presentation: 10 9 8 7 6 5 4 3 2 1
- Confidence and fluency in use of English: 10 9 8 7 6 5 4 3 2 1
- Appropriate use of body language (inc. eye contact): 10 9 8 7 6 5 4 3 2 1
- Listening skills: responsiveness to audience: 10 9 8 7 6 5 4 3 2 1

Tutor's comments:

Key areas of competence achieved:

Key development areas:

Assessing tutor:
Signature:
Dept:






LEARNING PRINCIPLES

Here are some learning principles and techniques to apply them.



Create a Supportive Environment
Techniques:
1. call each trainee by name throughout training
2. listen to each person's questions and viewpoints
3. never belittle an individual
4. always be courteous and patient
5. assure individuals that mistakes are part of the learning process
6. look for opportunities to validate each person
7. encourage trainees to support one another in learning endeavours
8. ensure that the physical space is as comfortable as possible

Emphasize Personal Benefits of Training
Techniques:
1. have each participant develop their own personal goals for this training
2. encourage participants to write down specific actions they will take in response to this training

Use Training Methods that Require Active Participation
Techniques:
1. limit lecturing to trainees
2. encourage participation and sharing of experiences
3. use questioning techniques
4. weave discussion sections with exercises that require trainees to practise a skill or apply knowledge



Use a Variety of Teaching Methods
To engage all learners, it is best to vary the methods by which information is communicated.
Techniques:
1. group discussion (small and large)
2. skill practice (role-play)
3. lecture
4. case study
5. panel/guest expert
6. group activities
7. question/answer
8. demonstration
9. technology (media, video, computer, interactive)



Provide Structured Learning Opportunities
Empower trainees to be self-directed learners as they strive to fulfil the objectives of the training, by teaching them how to master the content and to become aware of their own learning process.
Techniques:
1. structured note-taking
2. problem-solving exercises
3. brainstorming
4. progress logs
5. evaluating own work and the work of others
6. have them analyse the way they went about doing a learning project
7. encourage participants to support/train one another



Provide Immediate Feedback on Practice
Sensitive feedback helps trainees correct errors and reinforces good behaviours. Adult learners want gentle, constructive criticism.
Techniques:
1. self feedback
2. peer feedback
3. trainer feedback



Meet Trainees' Individual Learning Needs
Techniques:
1. get to know trainees
2. consider each trainee's capabilities and interests
3. encourage individual creativity and initiative
4. pay attention to individual communication
5. acknowledge cultural differences



Make Course Content Relevant and Coherent
Techniques:
1. provide an overview of the course with objectives
2. relate each new component to the previous component
3. when presenting new material, present the overall concept first
4. utilise an Experiential Learning Model
5. provide examples of the concept that are relevant to trainees' work.






INSTRUCTIONAL METHODS

1. Lecturing and Explaining

Explanation, or the lecture method, is the most used instructional method. If used well it can facilitate effective learning by conveying key facts, concepts and principles. This will provide a framework to guide the learners through a topic and stimulate interest in a subject.

Effective explanation is characterised by:
• clear statements and examples of what is being explained and its relevance
• logical organisation of information with appropriate examples to illustrate concepts and principles
• linking of key topics, concepts and principles
• re-capping of key points at the end of each sub-topic
• a clear, engaging style of presentation
• opportunities for student involvement.

2. Discussion

Discussion can be a very effective method when the main objective is to encourage learners to share information and compare points of view. It can specifically promote co-operative learning and develop thought processes and expression.

Managing a planned discussion
• Determine the objectives and scope of the particular discussion. Make it clear to the group what the specific purposes are.
• Get the environment right, e.g. the shape of the room, seating arrangements, etc.
• Prepare key questions in advance, but work situationally with the emerging flow of the discussion.
• Treat all viewpoints with respect, even though you might disagree strongly with a position taken.
• Manage the participation of individuals carefully. Do not allow any individuals to monopolise the discussion. However, don’t pressure people to contribute.
• Keep the group focused on the topic (allowing for some exploration of related issues) and ensure that contributions are relevant and purposeful. You will need to:
  o clarify vague or confusing remarks
  o challenge obvious misconceptions
  o check that everyone understands the key points raised in the discussion.
• Encourage contributors to support their statements with examples, corroborating facts etc., especially when they show a clear prejudice.
• Note important points so that you can refer to them later on.
• Call a halt to proceedings at the right moment, i.e. when the discussion has covered the topics sufficiently or the group stops being productive in terms of relevant inputs.
• Summarise what has been discussed, identifying the critical learning points and issues.



Structures for promoting discussion

Rounds: A round simply involves everyone sitting in a circle and commenting briefly on a particular topic in turn. For example it might concern: “Questions I would like answered…” or “Points on which I would like clarification…”. Rounds work well at the start of a session as they involve each person speaking once before anyone speaks a second time. This establishes a more balanced pattern of interaction and makes it much more likely that individuals will speak again later. Taking your turn in rounds can be threatening in a large group, and students unfamiliar with rounds should be allowed to “pass” when it is their turn.

Buzz groups, pairs and triads: Buzz groups are simply small groups of two or three students formed spontaneously to discuss a topic for a short period. In a pair, it is almost impossible for a student to stay silent, and once students have spoken “in private” they are much more likely to speak afterwards “in public” in the whole group. Buzz groups are very useful to get things going, for example: “To start off, how well did you progress with last week’s questions and the readings I set? Off you go.” They are also useful when a difficult topic or some awkwardness has brought a session to a standstill. In such a situation, set a brief task or question for pairs to work on. For example: What are the difficult areas of this topic? What appears to be the best approach to take? Triads are more resourceful and rigorous for challenging activities, perhaps because at any given time one of the three is neither speaking nor being directly spoken to, and so can have half an eye on the question or task the group is supposed to be working on.

Brainstorms: Brainstorming is a very good method for a situation where the aim is to expand people’s thinking in an area and generate ideas. In brainstorming, any idea is welcomed and no justification is needed. This method is particularly appropriate at the beginning of a topic to identify existing knowledge and provide a framework for learning. However, brainstorming must be well conducted, with certain ground rules clearly adhered to. These are:
o All ideas are accepted without justification.
o People cannot comment on other people’s suggestions.
o One person acts as the coordinator, writes up comments on the board and keeps a reasonable order on proceedings.

After an agreed period of time, or when no more suggestions are forthcoming, the group turns its attention to the total list, either accepting it as a statement of a range of possibilities or discussing selected items that seem most useful.



3. Demonstration

Demonstration is a widely used and effective method for teaching skills at all levels. Like explanation, it is always linked in some way to other instructional strategies. For example, learners are unlikely to learn effectively from demonstration alone. They will need guided practice and feedback on how they are doing. The following is a guide for planning and conducting a demonstration session.

Pre-demonstration planning
• Be clear in your mind about what you are trying to demonstrate.
• Analyse the skill(s) you intend to demonstrate:
  o Identify the crucial steps of the activity and break it down into basic operations and procedures.
  o Remember that what is easy and comprehensible to you will be less so for most learners. Therefore, try to simplify without sacrificing essential skill components.
• Organise the equipment needed and prepare any teaching aids that will help learners understand what is involved.

Carrying out the demonstration
• Make sure everyone can see.
• Describe what you intend to do and why. Arouse the interest of learners.
• Reveal the main steps of the activity and identify the likely problem areas.
• Accompany each step with a verbal description, and attempt to show the skill from the operator’s point of view. However, do keep to the main points. Too much talking will distract students from the visual demonstration.
• Adjust the speed of your movements to suit your learners, especially if they are watching and then copying. Watch for their responses and actions and alter your pace accordingly.
• Inspire confidence in learners as you go along. This way they will be willing and keen to have a go.
• Try not to over-impress or be too absorbed in your own demonstration. Remember that you are trying to help learners achieve competence. Overindulgence in your skills may rob some learners of self-confidence when they try to practise the skill.
• On finishing the demonstration, check that the process has been fully understood. Ask participants to recap the main points of the activity. This will help to identify gaps in knowledge and reinforce learning.



4. Individual work (self learning)

Learner practice and supervision

Learners need to practise new skills in order to achieve a positive and beneficial result. In providing learners with opportunities for individual practice, you should remember the following.
• Plan specific times during the session when individual practice is to be undertaken.
• Arrange the environment with care. Ideally such things should be done before learners arrive, but reality may dictate otherwise. Establish a procedure to re-arrange settings when necessary.
• Ensure that when learners begin, they have an achievable objective in mind.
• Try to ensure that learners are employing the correct procedure right from the start. This is more likely to occur if participants know exactly what they are to do.
• Instil some enthusiasm into the proceedings.
• Be conscious of the group as a whole, even when you are dealing with one person at a time. Listen to what is going on around you in case some learners are bored, confused or giving each other wrong advice.
• Allocate your time fairly between individuals. Adults do not expect equal time every session, but they expect you to be fair overall.
• Provide swift and accurate feedback for learners. Be encouraging and praise people for what they are doing or trying to do. The whole purpose of individual practice is to do it more efficiently and effectively. When and where learners experience positive results, their achievement will encourage them to put in more effort for further success. However, until learners achieve some degree of competence, you will need to reinforce their efforts in positive ways.

Structured Reflection

Effective learning is supported when students are actively engaged in the learning process, and structured reflection exercises allow students to explore their experiences, challenge current beliefs and develop new practices and understandings. Reflection involves describing, analysing and evaluating our thoughts, assumptions, beliefs, theory base and actions. It includes:
1. Looking forward (prospective reflection).
2. Looking at what we are doing now (spective reflection).
3. Looking back (retrospective reflection).

Adult learners have an inbuilt need to direct their own learning. However, they are heavily reliant on their trainers to facilitate the process. The trainer can facilitate the process by asking stimulating questions or making statements that make the student think.



5. Group work (cooperative learning)

Much has been written on the benefits of cooperative or collaborative learning. Group-based learning can be very effective as an instructional strategy in a variety of ways as outlined below.
• It encourages communication and team working.
• It facilitates problem solving and decision making.
• It provides an active basis for learning.
• It enables the sharing of knowledge and the meeting of different viewpoints and perspectives.
• It encourages ongoing peer assessment.

However, managing group learning can be difficult and the possible benefits to learners can be offset if group activities are poorly organised and facilitated.

How to conduct group exercises

There is a series of activities an instructor must attend to for a small group training exercise to be successful. Although the importance of each activity may vary from one class to another, the following areas, at least, must be considered and acted upon.

Plan out the exercises ahead of time, anticipate potential difficulties and alternative solutions and make notes for your instructions to the class.

Introduce the exercises. Try, when possible, to distribute people with special skills or talents evenly throughout the groups and avoid putting trainees with personality conflicts together in the same group. Try to construct groups so that the more shy trainees will feel free to offer their opinions without inhibition. Give clear, concise directions using your prepared notes. Be sure to cover:
o who belongs to which groups
o where each group will meet (and how to get there)
o what resources (if applicable) are available - and where
o how long they will have to solve the problem (stress that timing is important)
o when and where the class will come back together
o what the group is to do while working together
o what your role will be during the exercise, how you will contact them and how they can contact you
o who are the leaders of each group and what are their responsibilities.

Conducting the group exercises.
o Start by ensuring each group has found its study location and got started.
o Then check progress and interaction within each group during the exercise. If they are having small problems, be patient and encourage them to work things out as a group. Look for participation by the quietest trainees and encourage them.
o Remind each group of the imminent end of its individual exercises at least five minutes before it is due. Stick to your schedule!

Conduct the class summary or review presentations.
o Stay in control of the assembled groups and explain to them what procedures will be applied to cover the time for each group to present, as well as rules about interruptions or distractions.
o Make sure schedules are met fairly.
o Conduct the summary or discussion of the exercise, making sure each group’s efforts are given due credit. Maintain a neutral position.

Always remember to thank the groups for their participation.



6. Role play

Role-play can be a very useful method when learners need to develop and practise important social and interpersonal skills, for example, client service, conducting drills, meetings, counselling, etc. It enables learners to evaluate their performance and feelings in such situations and develop skills in simulated real life conditions without the consequences of real life failure.

Using role-play
• Ensure that learners can authentically and effectively play the roles.
• Provide sufficient - but not too much - information to enable participants to take on the prescribed roles.
• Anticipate and have a plan for possible breakdowns in the role-play.
• Monitor the activity very carefully and be prepared to intervene if there are significant problems. (Judgement is needed here.)
• Ensure a thorough de-brief of the role-play, so that learners are clear as to the purposes of the activity.



7. Questioning

The effective use of questions is one of the most difficult but effective methods for promoting learning. The skilful use of questions can achieve the following results:
• Questions can stimulate interest and motivation.
• Questions can use learners’ knowledge for the benefit of the group.
• Questions encourage communication between group members.
• Questions focus thinking skills and the practice of thinking skills.
• Questions encourage the development of self-expression of thought and feelings.
• Questions can be used to assess student knowledge and understanding.

Key tactics in using questions
• Make the questions clear and brief, and ask just one thing at a time.
• Pitch questions at the right level for the individual or group, using language they understand.
• Choose the right type of questions for your purpose, for example, open questions for exploration; closed questions for a focused response.
• Ask questions in an encouraging way. Your manner will often determine the response.
• Pause to give students time to answer. Answering a question involves a series of mental operations: “Do I understand the question?”; “Do I have the answer?”; “Am I prepared to offer it?”; “Actually speak it?”. Learn to cope with thinking silences.
• Distribute questions so that everybody has a chance to contribute.
• Sequence questions if you need to ask more than one, and ensure that they are in a logical order.

Responding to student answers
• Respond to students’ answers warmly, using non-verbal as well as verbal signals.
• Ensure that incorrect responses are dealt with appropriately. Do not allow an individual to feel embarrassed, but don’t allow an incorrect response to pass without correction. Some useful strategies include:
  o rephrasing the question for the individual concerned
  o providing clues to the correct answer
  o allowing other individuals to offer a response.
• If you cannot answer a question, be honest and offer to find the necessary information if it is pertinent to the course of study.



8. Case-studies

A case study is a capture of a real life situation. Cases typically provide information outlining a problem-based scenario, where decisions involving value judgements are involved. The information actually provided varies considerably with cases. Some contain very detailed and comprehensive information; others simply document the key elements of a situation. However, all good case studies have the following features in common.
• They present an authentic portrayal of important issues and processes in a topic area.
• They are interesting and appropriate for the group of learners.
• They encompass key knowledge for a topic area.
• They promote multiple interpretations of a situation.
• They offer more than one viable possible solution.

As an instructional method, case studies can help achieve the following outcomes.
• Promote skills of critical analysis and problem solving.
• Encourage reflective practice and decision making in complex situations.
• Motivate learners and create a framework for independent learning.

Using case studies

Find case studies involving real people and real situations. These are interesting to the students and assist their understanding. When using the case study method, there are certain “rules” to keep in mind.
• Be clear about what the case can teach and what you want the learners to accomplish.
• Ensure the case has been thoroughly read and digested. Clarify any points of misunderstanding.
• Establish a good climate for discussion in which learners can freely express their views and challenge the views of others.
• Use the case from more than one perspective. Illustrate different ways of framing the problem, and the assumptions and valuations that underpin these differences.
• Use good discussion management techniques.
• Introduce relevant theoretical knowledge, showing linkages of concepts and principles.
• Summarise the key issues and clarify any points of concern.



9. Poster board tours

Groups work together on a task, but also produce a poster summarising the outcomes of their work. Posters can involve a design or proposal, lists of pros and cons of an approach, or the main features of a case study. De-briefing this group work can take the form of displaying the posters. Group members may briefly introduce or explain the contents of their posters. Posters can be especially quick and effective as a means of sharing experimental and laboratory work where different groups have undertaken different experiments. Once the posters are displayed, students can “tour” them, asking for clarification or adding comments and questions.



SOME IMPORTANT INSTRUCTIONS FOR TRAINERS

Before the session
1. Read the Trainer’s Guide carefully before conducting the training. Familiarise yourself thoroughly with the domain knowledge as well as the instructional style.
2. Ensure familiarity with the local language and culture.
3. Always enter the class at least 10 minutes before the session is due to start.
4. Ensure all material/aids/equipment required for the training and activities (as per checklist) are ready and available, in advance.

During the session
5. Carry out an attendance check at the start of every session/day. Keep track of absentees.
6. Ensure all participants complete the required assessments. Maintain a careful record of assessment scores for every participant.
7. Always encourage participants. Never discourage participants from actively engaging in discussions.
8. Provide opportunity and encouragement for every participant to practise and perform the practical criteria that they are expected to learn in the session.
9. Have an ongoing recognition platform/mechanism for appreciating desirable behaviour and practices in the classroom.
10. Follow the lesson plan/session plan. Bring any deviations to the notice of the Head of the Institution.
11. Ensure key learnings are captured at the end of each session.
12. Regularly check participants’ work books to ensure all exercises are being completed on time.

After the session
13. Ensure all tools/equipment/material are put back in their assigned places after the session. Encourage the participants to take responsibility for the same.
14. Complete all session related documentation on a day to day basis.



An Introduction: The Industry, Sub-sector, Occupation & Career

UNIT I: An Overview of the IT-BPM Industry
UNIT II: An Overview of the IT Services Sub-Sector
UNIT III: About Information Security and its Roles



INTRODUCTION

The Industry, Sub-sector, Occupation & Career

This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  1.1. An Overview of the IT-BPM Industry
  1.2. An Overview of the IT Services Sub-Sector
  1.3. About Information Security and its Roles



LESSON PLAN

Outcomes - You need to know and understand:
• A General Overview of the IT-BPM Industry
• The organisations within the IT-BPM Industry
• The sub-sectors within the IT-BPM Industry
• General Overview of the IT Services Sub-Sector
• Profile of the IT Services Sub-Sector
• Key Trends in the IT Services Sub-Sector
• Roles in the IT Services Sub-Sector
• General Overview of Information Security and its Roles
• Career Map for Information Security

Performance Ensuring Measures:
1. Give a brief description of the IT-BPM Industry
2. List the types of organisations within the IT-BPM Industry.
3. Research and provide some names of each type
4. State the sub-sectors within the IT-BPM Industry
5. Give a brief description of the IT Services Sub-sector
6. List the key trends in the IT Services Sub-sector
7. List the roles in the IT Services Sub-Sector
8. Give a brief description of Information Security and its Roles
9. Describe the Career Map for Information Security Personnel

Duration (Hrs): 2 Hrs in-class assessment & 2 Hrs offline research and learning activity

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment - Routers & Switches



SUGGESTED LEARNING ACTIVITIES

Activity 1:
• Ask students to introduce themselves and state why they have chosen this course.
• Note down all the unique reasons on the board.
• Highlight why Information Security or Cyber Security is the right choice for them.

Activity 2:
• Divide the class in groups of 4 or 5 students each.
• Ask them to research and find out “What could be the 4 major sub-sectors in the IT-ITeS sector and what would each sub-sector comprise of”.
• Ask them to present and then share the division given in the course content.

Activity 3:
• Divide the class in groups of 4 or 5 students each.
• Ask them to research and find out “What are the various job categories in the Information Security sector, and provide a brief description of each of the job categories”.
• Ask them to present and then share the tracks given in the course content.
• Share the role and responsibilities of a Security Analyst.



Training Resource Material

1.1. An Overview of the IT-BPM Industry

General Overview

The Information Technology – Business Process Management (IT-BPM) industry has been fuelling India's growth story. In addition to contributing to the country's Gross Domestic Product (GDP) and exports, the industry has played a big role in influencing the socio-economic parameters across the country. The industry has helped provide employment and a good standard of living to millions. It has placed India on the world map with an image of a technologically advanced and knowledge-based economy. Growth of the IT-BPM industry has provided India with a wide range of economic and social benefits, which include creating employment, raising income levels, promoting exports and significantly contributing to the GDP of the country. This sector attracts amongst the largest investments by venture capitalists and has been credited with enabling the entrepreneurial ventures of many in the country. The IT-BPM industry has almost doubled in terms of revenue and contribution to India's GDP over the last six years.

Organisations within the IT-BPM Industry

The organisations within the IT-BPM Industry are categorised along the following parameters:
• Sector the organisation is serving
• Type as well as range of offering the organisation provides
• Geographic spread of operations and
• Revenues and size of operations

A broad structure of the Industry based on the parameters identified in the Indian context is represented below:

Multi-national Companies (MNCs): MNC organisations have their headquarters outside India but operate in multiple locations worldwide, including those in India. They cater to external clients (both domestic and/or global).

Indian Service Providers (ISPs): ISPs are organisations that have started with their operations in India. Most of these organisations would have their headquarters in India, while having offices at many international locations. While most have a client base which is global as well as domestic, there are some that have focussed on serving only Indian clients.

Global In-house Centres (GIC): GIC organisations cater to the needs of their parent company only and do not serve external clients. This model allows the organisation the option to keep IT Operations in-house and at the same time take advantage of expanding their global footprint and offering opportunities for innovation in a cost-effective manner.



Sub-Sectors within the IT-BPM Industry

The IT-BPM industry has four sub-sectors as listed in the subsequent figure.

Figure: Sub-Sectors in the IT-BPM Industry

IT Services (ITS)
• Custom Application Development (CAD)
• Hardware Deployment and Support
• Software Deployment and Support
• IT Consulting
• System Integration
• Information Systems Outsourcing
• Software Testing
• Network Consultation and Integration
• Education and Training

Business Process Management (BPM)
• Customer Interaction and Support (CIS)
• Finance and Accounting (F&A)
• Human Resource Management (HRM)
• Knowledge Services
• Procurement and Logistics

Engineering and R&D (ER&D)
• Embedded Services
• Engineering Services

Software Products (SPD)
• Product Development



1.2. An Overview of the IT Services Sub-Sector

General Overview

The IT-BPM market, a USD 118 billion market in India in FY2014, is a leading contributor to the services industry in India with respect to employment and revenue. It accounts for 38 per cent of the country's total services exports and contributes 8.1 per cent of India’s GDP. It also accounts for INR 1,911 billion in FY2014. The IT Services sub-sector is a major contributor to the overall IT-BPM Industry. The sub-sector has evolved as a major contributor to India's GDP and plays a vital role in driving economic growth in terms of employment, export promotion and revenue generation.

Figure: IT Services Sub-sector - A Snapshot
• .5 million: The number of people directly employed in the ITS sub-sector
• 1600+: Number of organisations in the ITS sub-sector
• USD 52 billion: Total ITS sub-sector export revenues in FY 2014
• > 14 %: Growth in IT service exports in FY 2014
• 9.7 %: Growth of the ITS sub-sector in INR terms in the domestic market in FY 2014
• 1: India’s position in the global IT landscape
• 60 %: Total contribution of the ITS sub-sector to industry exports

The IT Services (ITS) sub-sector offers services to create and manage information for business functions through a host of activities that include consulting, systems integration, IT outsourcing / managed services / hosting services, training and support / maintenance.



The worldwide IT Services market stood at USD 655 billion in 2013. Indian IT Services exports form the largest and fastest growing segment of IT services, with a growth rate of >14 per cent in FY 2014. IT Services exports constituted over half of the entire exports of the IT industry. Even within the domestic market, IT services is the fastest growing segment, growing by 9.7 per cent to reach INR 727 billion, driven by IS outsourcing, cloud services and increasing adoption from all customer segments – government, enterprise, consumers and small and medium businesses. There are over 1600 companies providing IT services in the country, with the top 5 comprising around 60 per cent of the total revenue from the industry. The sub-sector has established a record as a major contributor to the country's GDP as well as penetrated into many large sectors - established as well as upcoming, like healthcare, media, education and retail. This has ensured that the sub-sector is a field in demand, both in the present and the future. With an increased focus on optimising efficiencies, companies in all sectors see value in leveraging IT to manage their business better and are increasing their IT investments. The wide scope of the services in this sub-sector creates a requirement for a large variety of skills. This reflects on the range of opportunities available for building a career in IT Services to a varied group of people, and the industry continues to be amongst the most sought after for many young and aspiring individuals.



Profile of the IT Services Sub-Sector

Vertical Profile: BFSI is the largest driver in this space, claiming half of all IT Services exports. Other industry verticals like Healthcare, Retail and Media have started making big investments in IT services and are turning into key verticals for the IT Services sub-sector. An illustrative view of the vertical and horizontal profiles is shown below.



Figure 3: Contribution of Areas in the IT-BPM Industry (FY 2014)






The IT Services sub-sector started off in India with a focus on basic application development and maintenance. The subsector has now grown and includes significant footprints in traditional segments which include custom application development, application management, IS outsourcing and software testing. With time, the sector has expanded to provide end-to-end IT solutions and includes consulting, testing services, infrastructure services and system integration in the offering.



After starting off, the IT Services sub-sector served mostly the North American market until the 1990s. While North America continues to be a major importer of Indian IT services, the sub-sector has since entered other markets, both to mitigate risk and to expand, and now services clients in a greater number of geographies such as Latin America, the Asia Pacific and Europe. The client base in these markets is a healthy mix of BFSI, Manufacturing, Retail, Telecom and all other key industry verticals.



Key Trends in the IT Services Sub-Sector



Figure 5 : Trends in the IT Services






The IT-BPM industry is standing at a watershed moment in its history. In FY 2014 the industry achieved the landmark of crossing USD 118 billion in revenues. However, with the industry slowly reaching maturity and with a business model closely aligned to exports, it faces the brunt of economic shake-ups like the one observed in 2008, which redefined the economic order amongst nations.



While the recovery has gathered pace in the last few months, companies are becoming increasingly conscious that in the globally connected world, the “new normal” will be characterised by business volatility. The ups and downs will be more frequent and companies need to learn how best to manage this volatility.



Occupations and tracks within the IT Services Sub-Sector






1.3. General Overview of Information Security

Information security is the practice of protecting information and information systems from unauthorised access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The core function of this occupation is to ensure the confidentiality, integrity and availability of data to the 'right' users within and outside the organisation. The principal tracks within the occupation are described below.

Risk, Audit and Compliance: Risk Management roles are responsible for assessing, measuring and managing the security risks to an organisation's information. They conduct assessments for security threats and vulnerabilities, determine deviations from acceptable pre-defined configurations and from enterprise or local policy, assess the level of risk, and develop and/or recommend appropriate mitigating countermeasures in operational and non-operational situations. Key responsibilities also include measuring the maturity of the organisation to ensure that proper security controls are incorporated when developing and running information systems. These roles also perform scheduled and unscheduled audits of the organisation's security systems and processes and ensure compliance.

Security Testing: Security Testing involves devising testing standards and test cases for the confidentiality, integrity, authentication, availability, authorisation and non-repudiation of information. Security Testing professionals perform scheduled and ad hoc tests to assess the vulnerability and/or safety of an organisation's information systems.

Application Security: Application Security roles are responsible for ensuring the stable and secure functioning of applications. Application Security professionals perform the following functions in an organisation:
 Knowing threats
 Securing the network, host and application
 Incorporating security into the software development process

Incident Management: Incident Management roles work towards restoring normal service operations in an organisation so as to minimise the adverse effect on business operations, ensuring that the best possible level of service quality and availability is maintained. Incident management professionals manage and protect computer assets, networks and information systems, answering the key question "what to do when things go wrong".

Business Continuity Management/Disaster Recovery (BCP/DR): BCP/DR roles are responsible for improving system availability and for integrating IT operational risk management strategies for an organisation. Their work includes:
 Development, implementation, testing and maintenance of the business continuity management plan
 Recommendation and proof of concept for recovery options
 Assessments and audits for BCP/DR

Network Security: Network Security roles are responsible for defining and implementing overall network security, including baseline configuration, change control, security standards and process implementation.

Privacy: Privacy roles are responsible for defining and managing data, information and IP policies for an organisation. These roles require knowledge of information security norms and of data privacy norms and regulations. Privacy professionals help define and implement privacy standards and build privacy awareness to protect an organisation's information assets.

IT Forensics: IT Forensics roles collect, process, preserve, analyse and present computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counter-intelligence or law-enforcement investigations.

Note on the Information Security occupation: Information Security job roles may be performed in any of the following set-ups:
 Consulting
 Managed Services
 Internal function within the organisation

In each of these set-ups the essential functions and the highlighted tracks remain the same; however, the delivery style, and hence the skills, vary slightly depending upon the set-up.



Trainer’s Guide– Security Analyst SSC/N0901



SSC/ N 0901: Contribute to Managing Information Security



UNIT I: Information Security and Threats
UNIT II: Fundamentals of Information Security
UNIT III: Data Leakage
UNIT IV: Information Security Policies, Procedures, Standards and Guidelines
UNIT V: Information Security Management – Roles and Responsibilities
UNIT VI: Information Security Performance Metrics
UNIT VII: Risk Assessment
UNIT VIII: Configuration Review
UNIT IX: Device Log Correlation
UNIT X: Data Backup






Unit Code: SSC/ N 0901
Unit Title (Task): Contribute to managing information security
Description: This unit is about carrying out specified tasks as part of a team working to ensure information security.
Scope: This unit/ task covers the following:

Information security includes:
 Identity and Access Management (IdAM)
 Physical security
 Networks (wired and wireless)
 Devices
 Endpoints/ edge devices
 Storage devices
 Servers
 Software
 Application security
 Content management
 Messaging
 Web security
 Security of infrastructure
 Infrastructure devices (e.g. routers, firewall services)
 Computer assets, server and storage networks
 Intrusion detection/ prevention
 Security incident management
 Third party security management
 Personnel security requirements

Back ups include:
 Validation
 Tracking
 Consolidation
 Replication
 Configuration
 Logs
 Devices
 Applications
 Software

Appropriate people:
 Line manager
 Members of the security team
 Subject matter experts

Performance Criteria (PC) w.r.t. the Scope
To be competent, you must be able to:
PC1. establish your role and responsibilities in contributing to managing information security.
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines.
PC3. carry out security assessment of information security systems using automated tools.
PC4. carry out configuration reviews of information security systems using automated tools, where required.
PC5. carry out backups of security devices and applications in line with information security policies, procedures and guidelines, where required.
PC6. maintain accurate daily records/ logs of information security performance parameters using standard templates and tools.
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people.
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required.
PC9. update your organization's knowledge base promptly and accurately with information security issues and their resolution.
PC10. obtain advice and guidance on information security issues from appropriate people, where required.
PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security.

Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/ organization and its processes)
You need to know and understand:
KA1. your organization's policies, procedures, standards and guidelines for managing information security.
KA2. your organization's knowledge base and how to access and update the same.
KA3. limits of your role and responsibilities and who to seek guidance from.
KA4. the organizational systems, procedures and tasks/ checklists within the domain and how to use the same.
KA5. how to analyze root causes of information security issues.
KA6. how to carry out information security assessments.
KA7. how to carry out configuration reviews.
KA8. how to correlate devices and logs.
KA9. different types of automation tools and how to use them.
KA10. how to access and analyze information security performance metrics.
KA11. who to involve when managing information security.
KA12. your organization's information security systems and tools and how to access and maintain them.
KA13. standard tools and templates available and how to use the same.

B. Technical Knowledge
The user/ individual on the job needs to know and understand:
KB1. fundamentals of information security and how to apply them, including:
 networks
 communication
 application security
KB2. different types of backups for security devices and applications and how to carry out backups.
KB3. common issues and variances of performance metrics that require action and whom to report these to.
KB4. how to identify and resolve information security vulnerabilities and issues.



The Units

The module for this NOS is divided into ten units based on the learning objectives given below:

UNIT I: Information Security and Threats
1.1. Information Security
1.2. Information Assets & Threats

UNIT II: Fundamentals of Information Security
2.1. Elements of information security
2.2. Principles and concepts – data security
2.3. Types of controls

UNIT III: Data Leakage
3.1. Introduction – Data Leakage
3.2. Organisational Data Classification, Location and Pathways
3.3. Content Awareness
3.4. Content Analysis Techniques
3.5. Data Protection
3.6. DLP Limitations
3.7. DRM-DLP Conundrum

UNIT IV: Information Security Policies, Procedures, Standards and Guidelines
4.1. Information Security Policies
4.2. Key Elements of a Security Policy
4.3. Security Standards, Guidelines and Frameworks
4.4. Laws, Regulations and Guidelines

UNIT V: Information Security Management – Roles and Responsibilities
5.1. Information and Data Security Team Structure
5.2. Security Incident Response Team

UNIT VI: Information Security Performance Metrics
6.1. Introduction – Security Metrics
6.2. Types of Security Metrics
6.3. Using Security Metrics
6.4. Developing the Metrics Process
6.5. Metrics and Reporting
6.6. Designing Information Security Measuring Systems

UNIT VII: Risk Assessment
7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring

UNIT VIII: Configuration Reviews
8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores

UNIT IX: Log Correlation and Management
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response

UNIT X: Data Backup
10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy



UNIT I Information Security and Threats



This unit covers:
 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
1.1. Information Security
1.2. Information Assets & Threats (Virus, Worms, Trojans, Other Threats, Network Attacks)






Lesson Plan

Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines.
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these.
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures
PC2: Peer group, Faculty group and Industry experts.
KA4, KA5: Peer group, Faculty group and Industry experts.
KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

Duration (Hrs)
2 hrs in-class presentations; 2 hrs classroom assessment and 10 hrs offline research and learning activity.

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Projection facilities
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security



Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research the various types of attacks and find examples of each type of virus, Trojan, worm and other malware. The group that gets the maximum number of correct examples wins a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where they occurred.

Activity 3: Ask the students to access the CVE list and note all the types of information they can get from it. Have them present this in class and elaborate on the various ways that information can be used.






Trainer Resource Material

1.1 Introduction – Information Security

With the pervasive growth and use of digital information, much of which is confidential, there has also been growth in incidents of information theft, including cyber attacks by hackers, in both governments and private companies. This has created the need for the position of information security analyst. Information security analysts are responsible for keeping information safe from data breaches using a variety of tools and techniques. They protect information stored on computer networks, in applications and elsewhere, using specialised software that lets them keep track of who can access data and who has accessed it. They may also perform investigations to determine whether or not data has been compromised, the extent of the compromise and the related vulnerabilities.



Responsibilities grow with seniority:
 At an entry-level position, one may operate the software that monitors and analyses information.
 At a senior level, one may carry out investigative work to determine whether a security breach has occurred.
 At higher levels, people design the systems and architecture that address these vulnerabilities.



The field of information security has seen significant growth in recent times, and the number of job opportunities in this area is likely to increase in the near future. Recent incidents of information theft from large companies like Target, Sony and Citibank have shown the risks and challenges of this field and the growing need for information security and for professionals in it. We are now witnessing a rising background level of data leakage from governments, businesses and other organisations, families and individuals. A large part of an information security analyst's work involves monitoring data use and access on a computer network.



Security analysts focus on three main areas:
1. risk assessment (identifying risks or issues an organization may face)
2. vulnerability assessment (determining an organization's weaknesses to threats)
3. defense planning (designing the protection architecture and installing security systems such as firewalls and data encryption programs)






Information security analysts can find themselves working with IT companies, financial and utility companies and consulting firms. They may also find positions with government organizations. Any company or organization with data to protect may hire information security analysts, so they could find themselves working at a wide variety of institutions. A number of companies operate Security Operation Centers (SOCs) to deliver data security services for captive or client operations.



Why information security? With the pervasive growth and use of digital information, much of which is confidential, there has also been a growth in incidents of information theft, including cyber-attacks by hackers. This has happened both in governments and in private companies, and has created the need to keep information safe from data breaches using a variety of tools and techniques.



Role of a security analyst in information technology
 Protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
 Perform investigations to determine whether or not data has been compromised, the extent of it and the related vulnerabilities.
 Ensure the confidentiality, integrity and availability of data to the 'right' users within/ outside the organization.
 Risk assessment (identifying risks or issues an organization may face).
 Vulnerability assessment (determining an organization's weaknesses to threats).
 Defense planning (designing the protection architecture and installing security systems such as firewalls and data encryption programs).






Major Skills of a Security Analyst
• Understanding security policy
• Data & traffic analysis
• Identifying security events: how and when to alarm
• Incident response foundation and background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork

Challenges for a Security Analyst
• Not tied to a product or solution
• Complex knowledge: no one specific process or product solution is the correct one
• A diverse set of skills is needed






1.2 Information Assets & Threats

Security concerning IT and information is normally categorised under three headings to facilitate the management of information:

Confidentiality • Prevention of unauthorized disclosure or use of information assets
Integrity • Prevention of unauthorized modification of information assets
Availability • Ensuring authorized access to information assets when required, for the duration required

Threats to information assets

Risk is the potential for a threat to materialise; the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system constitutes risk management. The key concerns in information asset security are:
 theft
 fraud/ forgery
 unauthorized information access
 interception or modification of data and data management systems

These concerns materialise in the event of a breach caused by the exploitation of a vulnerability.

Vulnerabilities

A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. 'Threat agent' or 'threat actor' refers to the intent and method targeted at the intentional exploitation of a vulnerability, or to a situation and method that may accidentally trigger the vulnerability. A 'threat vector' is a path or a tool that a threat actor uses to attack the target. 'Threat targets' are anything of value to the threat actor, such as a PC, laptop, PDA, tablet,



Threat classification

Microsoft has proposed a threat classification called STRIDE, from the initials of the threat categories:
 Spoofing of user identity
 Tampering
 Repudiation
 Information disclosure (privacy breach or data leak)
 Denial of Service (DoS)
 Elevation of privilege

Threat agents (individuals and groups) can be classified as follows:
 Non-target specific: computer viruses, worms, Trojans and logic bombs.
 Employees: staff, contractors, operational/ maintenance personnel or security guards who are annoyed with the company.
 Organized crime and criminals: criminals target information that is of value to them, such as bank accounts, credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders to help them.
 Corporations: corporations engaged in offensive information warfare or competitive intelligence. Partners and competitors come under this category.
 Unintentional human error: accidents, carelessness etc.
 Intentional human error: insider, outsider etc.
 Natural: flood, fire, lightning, meteor, earthquakes etc.



Types of attacks

• Virus

A virus is a malicious program able to inject its code into other programs, applications or data files; the targeted areas become "infected". Installation of a virus happens without the user's consent, and it spreads in the form of executable code transferred from one host to another. Types of viruses include resident and non-resident viruses; boot sector viruses; macro viruses; file-infecting viruses (file-infectors); polymorphic, metamorphic and stealth viruses; companion viruses and cavity viruses.

• Worm

A worm is a category of malicious program that exploits operating system vulnerabilities to spread itself. In design a worm is quite similar to a virus and is sometimes considered a sub-class of it. Unlike a virus, however, a worm reproduces and spreads by itself: it does not need to attach itself to an existing program or executable. Worms are classified by their method of spread as email worms, internet worms, network worms and multi-vector worms.

• Trojan

Computer Trojans, or Trojan horses, are named after the mythological Trojan horse owing to the similarity in strategy. A Trojan is a type of malware that masquerades as a harmless or even useful application but does damage to the host computer after installation. Unlike a virus, a Trojan does not self-replicate; it relies on the end user to install it.



Types of Virus

Depending on the virus's "residence", viruses can be classified in the following way:

 Resident virus - a virus that embeds itself in the memory of the target host. In this way it becomes activated every time the OS starts or executes a specific action.

 Non-resident virus - when executed, this type of virus actively seeks targets for infection on local, removable or network locations. After infecting them it exits, and so no longer resides in memory.

 Boot sector virus - a boot sector virus infects a storage device's master boot record (MBR). It is not necessary for a boot sector virus to successfully boot the victim's PC in order to infect it; as a result, even non-bootable media can trigger the spread of boot sector viruses. These viruses copy their infected code either to the floppy disk's boot sector or to the hard disk's partition table. During start-up the virus gets loaded into the computer's memory, and as soon as it is in memory it infects the non-infected disks used by the system.

 Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc. documents. This type of virus is executed as soon as the document that contains it is opened, because under normal circumstances the macros within such documents execute automatically.

Another classification of viruses results from their characteristics:

 File-infecting virus (file-infector) - this is the classic form of virus. When the infected file is executed, the virus seeks out other files on the host and infects them with malicious code. The malicious code is inserted either at the beginning of the host file's code (prepending virus), in the middle (mid-infector) or at the end (appending virus). A specific type of virus called a "cavity virus" can even inject its code into gaps in the file structure itself. The entry point of the file is changed to the start of the virus code to ensure that it runs when the file is executed. Afterwards control may or may not be passed on to the original program. Depending on the infection routine, the host file may become corrupted and completely non-functional. More sophisticated viral forms allow the host program to execute while trying to hide their presence completely (see polymorphic and metamorphic viruses).



 Polymorphic virus - a polymorphic virus is a complicated computer virus that affects data types and functions. It is a self-encrypting virus designed to avoid detection by a scanner. Upon infection, the polymorphic virus duplicates itself by creating usable, albeit slightly modified, copies of itself.

 Metamorphic virus - this virus is capable of rewriting its own code with each infection. The rewriting may make each infection appear different, but the functionality of the code remains the same. The metamorphic nature of this virus type makes it possible to infect executables for two or more different operating systems or even different computer architectures. Metamorphic viruses are among the most complex in construction and very difficult to detect.

 Stealth virus - a memory-resident virus that uses various mechanisms to avoid detection. This can be achieved, for example, by removing itself from the infected files and placing a copy of itself in a different location. The virus can also maintain a clean copy of the infected files in order to present it to the antivirus engine for scanning while the infected version remains undetected. Furthermore, stealth viruses actively work to conceal any traces of their activity and the changes made to files.

 Armored virus - a type of virus designed to thwart attempts by analysts to examine its code, using various methods to make tracing, disassembling and reverse engineering more difficult. An armored virus may also protect itself from antivirus programs, making it harder to trace; to do this, it attempts to trick the antivirus program into believing its location is somewhere other than where it really is on the system.

 Multipartite virus - this attempts to attack both executable files and the master boot record of the drive at the same time. This type may be tricky to remove: even when the executable part has been cleaned, it can reinfect the system all over again from the boot sector if that was not cleaned as well.

 Camouflage virus - this virus type is able to report itself as a harmless program to antivirus software. Where the virus has code similar to that of legitimate, non-infected files, the antivirus application is tricked into treating it as the legitimate program. This only works against basic signature-based antivirus software. Nowadays antivirus solutions have become more elaborate, and camouflage viruses are quite rare and not a serious threat because of the ease of their detection.

 Companion virus - a companion virus is a computer virus which, unlike traditional viruses, does not modify any files. Instead it creates a copy of the file and gives it a different extension, usually .com. This makes a companion virus difficult to detect, as antivirus software tends to use changes in files as a clue.

 Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the infected file but instead uses the empty spaces within the program file itself (which exist there for a variety of reasons). This way the length of the program code is not changed and the virus can more easily avoid detection. In most cases the injection does not affect the functionality of the host file at all. Cavity viruses are quite rare.
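The file-infector, cavity and companion entries above each defeat a different naive check. The following added example, written for this edition of the handbook rather than taken from it, builds a small file-integrity baseline the way an analyst's monitoring tool would: it records size and SHA-256 for every file, then simulates the three infection styles on constructed dummy "programs" in a temporary directory. An appending infector changes size and hash, a cavity infector changes only the hash (a size-only check misses it), and a companion virus changes no existing file at all, so only a new-file check and the .exe/.com same-name heuristic catch it. File names, byte patterns and the "virus" strings are constructed for the demonstration.

```python
"""File-integrity baseline that tells the three infection styles apart.

Added example, not part of the handbook. Everything in the temporary
directory (file names, byte patterns) is constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are handled too."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map relative, lower-cased path -> (size, sha256) for every regular file."""
    return {
        p.relative_to(root).as_posix().lower(): (p.stat().st_size, sha256_of(p))
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(before: dict, after: dict) -> dict:
    """Classify each difference the way a scanner would report it."""
    findings = {"modified": [], "modified_same_size": [], "new": [], "deleted": []}
    for name, (size, digest) in sorted(after.items()):
        if name not in before:
            findings["new"].append(name)          # companion virus shows up here
        elif before[name][1] != digest:
            if before[name][0] == size:
                findings["modified_same_size"].append(name)  # cavity infector
            else:
                findings["modified"].append(name)            # appending/prepending infector
    findings["deleted"] = sorted(set(before) - set(after))
    return findings


def companion_candidates(names) -> list:
    """DOS ran NAME.COM before NAME.EXE, so a .com beside a same-named .exe is suspect."""
    by_stem = {}
    for n in names:
        stem, ext = os.path.splitext(n)
        by_stem.setdefault(stem, set()).add(ext)
    return sorted(stem + ".com" for stem, exts in by_stem.items() if {".exe", ".com"} <= exts)


def demo() -> dict:
    """Build the constructed directory, infect it three ways, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Dummy 'programs': 64 bytes of code followed by 64 zero bytes (the cavity).
        for name in ("edit.exe", "calc.exe", "notes.exe"):
            (root / name).write_bytes(b"\x90" * 64 + b"\x00" * 64)
        before = baseline(root)

        # Appending infector: virus body glued onto the end of the host.
        with (root / "edit.exe").open("ab") as f:
            f.write(b"VIRUS-APPENDED")
        # Cavity infector: overwrite the zero padding in place; length stays 128.
        data = bytearray((root / "calc.exe").read_bytes())
        data[64:78] = b"VIRUS-IN-CAVIT"
        (root / "calc.exe").write_bytes(bytes(data))
        # Companion virus: host untouched, a new .COM with the same stem appears.
        (root / "notes.com").write_bytes(b"VIRUS-COMPANION")

        after = baseline(root)
        findings = compare(before, after)
        findings["companions"] = companion_candidates(after)
        return findings


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:20s} {names}")
```

The point for a trainee is the middle case: a baseline keyed on file size or modification time alone would report calc.exe as clean, which is exactly why integrity monitors hash content rather than metadata.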



Let us discuss a recent news item about a new version of a notorious piece of ransomware that holds a system hostage until money is paid, as detected by cyber experts. Version 2.0 of the TeslaCrypt ransomware encryptor family, say experts, is notorious for infecting the computers of gamers. The malicious program is now targeting online consumers and businesses via email attachments; it encrypts the victim's files and blocks access to them until a sum of money, specifically in dollars, is paid as ransom. If the victim delays, the ransom is doubled. Detected in February 2015, TeslaCrypt began infecting systems in the US, Europe and Southeast Asian countries. It then appeared in Indian cities including Delhi and Mumbai. Two businessmen from Agra were targeted this year, from whom the extortionist demanded more than $10,000. In the last six months two cases were reported in Agra, where the malware locked down its victims' most important files and held them hostage in exchange for a ransom to unlock them.

Source: News Articles



Types of Worms

The most common categorisation of worms relies on the method by which they spread:

 Email worms: spread through email messages, especially those with attachments.
 Internet worms: spread directly over the internet by exploiting access to open ports or system vulnerabilities.
 Network worms: spread over open and unprotected network shares.
 Multi-vector worms: have two or more different spread capabilities.
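Internet and network worms are visible in connection logs as one host trying the same port on many other hosts in a short time. As an added example that is not part of the handbook, the detector below implements that fan-out heuristic over constructed connection records: it groups attempts by (source, destination port), slides a 60-second window over them, and raises an alert when at least ten distinct targets are reached with a high share of failed connections. The record layout (timestamp, src, dst, dport, outcome), the addresses and the threshold values are assumptions made for the example, not a real product's log schema.

```python
"""Fan-out heuristic for worm propagation over connection logs.

Added example, not from the handbook. The record layout
(timestamp src dst dport outcome) and every address are assumptions
constructed for the demonstration, not a real product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log() -> list:
    """Build sample records: one normal workstation and one host sweeping TCP 445."""
    base = datetime(2015, 6, 1, 10, 0, 0)
    lines = []
    # Normal client: a few successful HTTPS connections spread over minutes.
    for i, dst in enumerate(["10.0.0.50", "10.0.0.51", "10.0.0.50", "10.0.0.52"]):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 {dst} 443 ok")
    # Infected host: 25 targets on port 445 within 25 seconds, mostly refused.
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        outcome = "ok" if i % 5 == 0 else "refused"
        lines.append(f"{ts} 10.0.0.5 10.0.0.{20 + i} 445 {outcome}")
    return lines


def parse(lines) -> list:
    """Turn 'timestamp src dst dport outcome' lines into tuples."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), outcome))
    return events


def fanout_alerts(events, window=timedelta(seconds=60), min_targets=10, min_fail_ratio=0.5) -> list:
    """Alert on (src, dport) pairs reaching >= min_targets distinct hosts inside one
    sliding window when most attempts fail, which is how a scanning worm looks."""
    by_key = defaultdict(list)
    for ts, src, dst, dport, outcome in events:
        by_key[(src, dport)].append((ts, dst, outcome))

    alerts = []
    for (src, dport), attempts in by_key.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            targets = {dst for _, dst, _ in win}
            if len(targets) < min_targets:
                continue
            fails = sum(1 for _, _, outcome in win if outcome != "ok")
            ratio = fails / len(win)
            if ratio >= min_fail_ratio:
                alerts.append({
                    "src": src, "dport": dport, "targets": len(targets),
                    "fail_ratio": round(ratio, 2),
                    "first": win[0][0].isoformat(), "last": win[-1][0].isoformat(),
                })
                break  # one alert per (src, dport) is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in fanout_alerts(parse(constructed_log())):
        print(alert)
```

The failure-ratio condition is what separates a worm sweep from a legitimate fan-out such as a backup server or a vulnerability scanner: those reach many hosts too, but their connections mostly succeed, and they should in any case be whitelisted by source address in the policy this heuristic implements.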



Types of Trojans

Computer Trojans, or Trojan horses, are named after the mythological Trojan horse of the Trojan War, in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the city gates, allowing their army to capture Troy. A computer Trojan horse works in a very similar way: it is a type of malware that masquerades as a harmless or even useful application but actually damages the host computer after installation. Trojans do not self-replicate, which is their key difference from a virus, and they usually require end-user intervention to be installed; in most scenarios the user is tricked into believing that the program being installed is legitimate (this is very often connected with social engineering attacks on end users). Another common method is for the Trojan to be spammed as an email attachment or as a link in an email. A similar method has the Trojan arriving as a file or link in an instant messaging client. Trojans can also be spread by means of drive-by downloads, or downloaded and dropped by other Trojans or by legitimate programs that have been compromised.



The results of Trojan activities can vary greatly - starting from low invasive ones that only change the wallpaper or desktop icons through Trojans which open backdoors on the computer and allow other threats to infect the host or allow a hacker remote access to the targeted computer system. It is up to Trojans to cause serious damage on the host by deleting files or destroying the data on the system using various ways (like drive format or causing BSOD). Such Trojans are usually stealthy and do not advertise their presence on the computer. The Trojan classification can be based upon performed function and the way they breach the systems. An important thing to keep in mind is that many Trojans have multiple payload functions so any such classification will provide only a general overview and not a strict boundary. Some of the most common Trojan types are: 



Remote Access Trojans (RAT), aka Backdoor.Trojan – this type of Trojan opens a backdoor on the targeted system to allow the attacker remote access to it or even complete control over it. It is the most widespread type and often has various other functions as well. It may be used as an entry point for a DoS attack or to let worms or other Trojans into the system. A computer with a sophisticated backdoor program installed may also be referred to as a "zombie" or a "bot", and a network of such bots as a "botnet" (see part 3 of the Security 1:1 series). Backdoor.Trojans are generally created by malware authors who are organized and aim to make money out of their efforts. These Trojans can be highly sophisticated and can require more work to implement than some of the simpler malware seen on the Internet.



Trojan-DDoS – this Trojan is installed simultaneously on a large number of computers in order to create a zombie network (botnet) of machines that can be used as attackers in a DDoS attack on a particular target.

Trojan-Proxy – a proxy Trojan hijacks the host computer and turns it into a proxy server, part of a botnet, from which an attacker can stage anonymous activities and attacks.







Trojan-FTP – this Trojan is designed to open FTP ports on the targeted machine to allow the remote attacker access to the host. Furthermore, the attacker can also access network shares or connections to further spread other threats.

Destructive Trojan – this is designed to destroy or delete data. It is much like a virus.







Security Software Disabler Trojan – this is designed to stop security programs like antivirus solutions, firewalls or IPS, either by disabling them or by killing their processes. This functionality is often combined with a destructive Trojan that executes data deletion or corruption only after the security software is disabled. Security Software Disablers are entry Trojans that allow the next level of attack on the targeted system.

Info Stealer (Data Sending/Stealing Trojan) – this Trojan is designed to provide the attacker with confidential or sensitive information from the compromised host and send it to a predefined location (the attacker). The stolen data comprises login details, passwords, PII, credit card information etc. Data sending Trojans can be designed to look for specific information only, or can be more generic like keylogger Trojans. Nowadays, more than ever before, attackers are concentrating on compromising end users for financial gain, and the information stolen with an info stealer Trojan is often sold on the black market. Info stealers gather information using several techniques; the most common include logging keystrokes, taking screenshots and webcam images, and monitoring internet activity, often for specific financial websites. The stolen information may be stored locally so that it can be retrieved later, or sent to a remote location where the attacker can access it. It is often encrypted before being posted to the malware author.







Keylogger Trojan – this is a type of data-sending Trojan that records every keystroke of the end user. This kind of Trojan is specifically used to steal sensitive information from the targeted host and send it back to the attacker. For these Trojans, the goal is to collect as much data as possible without any direct specification of what the data will be.

Trojan-PSW (Password Stealer) – this is a type of data-sending Trojan designed specifically to steal passwords from the targeted systems. In its execution routine, the Trojan will very often first drop a keylogging component onto the infected machine.







Trojan-Banker – a Trojan designed specifically to steal online banking information to give the attacker further access to bank account or credit card information.

Trojan-IM – a type of data-sending Trojan designed specifically to steal data or account information from instant messaging programs like MSN, Skype etc.

Trojan-Game Thief – a Trojan designed to steal information about online gaming accounts.

Trojan Mail Finder – a Trojan used to harvest any email addresses found on the infected computer. The email list is then forwarded to the remote attacker.







Trojan-Dropper – a Trojan-Dropper is a type of Trojan that drops different types of standalone malware (Trojans, worms, backdoors) onto a system. It is usually an executable file that contains other files compressed inside its body. When a Trojan-Dropper is run, it extracts these compressed files and saves them to a folder (usually a temporary one) on the computer.

Trojan.Downloader – a Trojan that can download other malicious programs to the target computer. Very often it is combined with the functionality of a Trojan-Dropper. Most downloaders that are encountered will attempt to download content from the internet rather than the local network. In order to achieve its primary function, a downloader must run on a computer that is inadequately protected and connected to a network.







Trojan.FakeAV – Trojan.FakeAV is a detection for Trojan horse programs that intentionally misrepresent the security status of a computer. These programs attempt to convince the user to purchase software in order to remove non-existent malware or security risks from the computer. The user is continually prompted to pay for the software using a credit card. Some programs employ tactics designed to annoy or disrupt the activities of the user until the software is purchased. This type of Trojan can either be aimed at extorting money for removing a "non-existent" threat, or, in other cases, the installation of the program itself injects other malware into the host machine. FakeAV applications can perform fake scans with variable results, but always detect at least one malicious object. They may also drop files that are then 'detected'. FakeAV applications are constantly updated with new interfaces so that they mimic legitimate anti-virus solutions and appear very professional to end users.

Trojan-Spy – this Trojan has functionality similar to the Info Stealer or Trojan-PSW; its purpose is to spy on the actions executed on the target host. These can include tracking data entered via keystrokes, collecting screenshots, listing active processes/services on the host or stealing passwords.







Trojan-ArcBomb – these Trojans are archives designed to freeze or slow performance, or to flood the disk with a large amount of "empty" data, when an attempt is made to unpack the archived data. So-called archive bombs pose a particular threat to file and mail servers when an automated processing system is used to process incoming data: an archive bomb can simply crash the server.
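As an added example that is not part of the handbook, the check below screens a ZIP attachment for archive-bomb characteristics using only the sizes recorded in its central directory, so nothing is inflated before the verdict; the limits (100x expansion, 50 MiB of declared output, 1000 entries) and the sample archives are constructed for illustration.

```python
"""Pre-extraction check for archive bombs (Trojan-ArcBomb) on ZIP files.

Reads only the ZIP central directory: every entry records its compressed
size and its declared uncompressed size, so the expansion ratio and the
total output size can be judged before a single byte is inflated.
"""
import io
import zipfile

# Policy limits constructed for this example; tune them per environment.
MAX_RATIO = 100.0                    # an entry expanding more than 100x is suspect
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # 50 MiB of declared output is the ceiling
MAX_ENTRIES = 1000                   # a file count beyond this is suspect


def inspect_zip(data: bytes) -> dict:
    """Return a verdict on an in-memory ZIP without extracting anything.

    Central-directory sizes are attacker-controlled, so this is a cheap first
    gate: an extractor must still enforce the same byte budget while inflating
    (and recurse into nested archives, which this one-level check does not).
    """
    reasons = []
    total_declared = 0
    worst_ratio = 0.0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            reasons.append(f"too many entries ({len(infos)})")
        for info in infos:
            total_declared += info.file_size
            # Directories and empty files have compress_size 0; the ratio is meaningless.
            ratio = info.file_size / info.compress_size if info.compress_size else 0.0
            worst_ratio = max(worst_ratio, ratio)
            if ratio > MAX_RATIO:
                reasons.append(f"{info.filename} expands {ratio:.0f}x")
    if total_declared > MAX_TOTAL_BYTES:
        reasons.append(f"declared output {total_declared} bytes exceeds limit")
    return {
        "suspicious": bool(reasons),
        "worst_ratio": worst_ratio,
        "declared_bytes": total_declared,
        "reasons": reasons,
    }


def make_zip(entries: dict) -> bytes:
    """Build a deflate-compressed ZIP in memory from {name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a harmless attachment and an 8 MiB run of zero bytes,
# which deflate shrinks to a few kilobytes (a miniature archive bomb).
BENIGN_ZIP = make_zip({"invoice.txt": b"Invoice 42: amount due 100.00\n" * 4})
BOMB_ZIP = make_zip({"payload.bin": b"\0" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("bomb", BOMB_ZIP)):
        verdict = inspect_zip(blob)
        print(label, "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
```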



Trojan-Clicker or Trojan-AD clicker – a Trojan that continuously attempts to connect to specific websites in order to boost the visit counters on those sites. More specific functionality of the Trojan can include generating traffic to pay-per-click web advertising campaigns in order to create or boost revenue.







Trojan-SMS – a Trojan used to send text messages from infected mobile devices to premium rate paid phone numbers.







Trojan-Ransom (Trojan.Ransomlock), aka Ransomware Trojan – Trojan.Ransomlock is a detection for Trojan horse programs that lock the desktop of a compromised computer, making it unusable. The threat may arrive on the compromised computer by various means, such as visiting malicious sites, opening untrusted links or advertisement banners, or installing software from untrusted sources.

Various functions on the compromised computer are modified, ranging from inhibiting access to the task manager to altering the master boot record (MBR) so that the operating system cannot be executed. These programs attempt to convince the user to pay money in order to have their computer unlocked, and use a variety of techniques to encourage the user to pay the ransom.

Cryptolock Trojan (Trojan.Cryptolocker) – this is a newer variation of ransomware Trojan that emerged in 2013. Unlike a Ransomlock Trojan (which only locks the computer screen or some part of the computer's functionality), the Cryptolock Trojan encrypts and locks individual files. While Cryptolocker uses common Trojan spreading techniques like spam email and social engineering in order to infect victims, the threat itself uses more sophisticated techniques like public-key cryptography with strong RSA 2048 encryption.



In another incident detected by Kaspersky Labs, Pune, the TeslaCrypt ransomware encryptor family exhibited a curious behaviour. Version 2.0 of the Trojan, notorious for infecting computer gamers, displays an HTML page in the web browser which is an exact copy of that of CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was detected in February 2015 and the new ransomware Trojan gained immediate notoriety as a menace to computer gamers. Amongst other types of target files, it tries to infect typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB. A few more examples of ransomware Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.
Source: News articles



Other security threats
Malware refers to software such as viruses, spyware, adware, worms, Trojans, ransomware etc. It is designed to cause damage to a targeted computer or cause a certain degree of operational disruption.

Rootkits are malicious software designed to hide certain processes or programs from detection. A rootkit usually acquires and maintains privileged system access while hiding its presence at the same time. It acts as a conduit by providing the attacker with a backdoor to a system.

Spyware is software that monitors and collects information about a particular user, computer or organisation without the user's knowledge. There are different types of spyware, namely system monitors, Trojans (keyloggers, banker Trojans, info stealers), adware, tracking cookies etc.

Tracking cookies are a specific type of cookie that is distributed, shared and read across two or more unrelated websites for the purpose of gathering information or potentially to present customized data to you.

Riskware is a term used to describe potentially dangerous software whose installation may pose a risk to the computer.

Adware, in general terms, is software generating or displaying certain advertisements to the user. This kind of adware is very common in freeware and shareware software and can analyse end users' internet habits and then tailor the advertisements directly to users' interests.

Scareware is a class of malware that includes both ransomware (Trojan.Ransom) and FakeAV software. It is also well known under the names "Rogue Security Software" or "Misleading Software". This kind of software tricks the user into believing that the computer has been infected and offers paid solutions to clean the "fake" infection.

Spam is the term used to describe unsolicited or unwanted electronic messages, especially advertisements. The most widely recognized form of spam is email spam.

Creepware is a term used to describe activities like spying on others through webcams (very often combined with capturing pictures), tracking the online activities of others, listening to conversations over the computer's microphone, and stealing passwords and other data.

Blended threat defines an exploit that combines elements of multiple types of malware components. The use of multiple attack vectors and payload types aims to increase the severity of the damage caused as well as the speed of spreading.



In 1983, this person was the first to offer the definition of 'Computer Virus'...

A. COHEN

B. NORTON

C. SMITH

D. McAfee

ANSWER : …………………………………………………………..






Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that first analyses the environment and collects information in order to exploit existing open ports or vulnerabilities. This may include unauthorized access to organisation resources.

Characteristics of network attacks:

Passive attacks: attacks where the purpose is only to learn and get some information from the system, but the system resources are not altered or disabled in any way.

Active attacks: in this type of network attack, the perpetrator accesses and either alters, disables or destroys resources or data.

Outside attack: when an attack is performed from outside the organization by an unauthorized entity, it is said to be an outside attack.

Inside attack: if an attack is performed from within the company by an "insider" that already has certain access to the network, it is considered to be an inside attack.

Others, such as attacks targeted at end users (like phishing or social engineering): these are not directly referred to as network attacks, but are important to know because of their widespread occurrence.



What types of attack are there?

Social engineering
Phishing attack
Social phishing
Spear phishing attack
Watering hole attack
Whaling
Vishing (voice phishing or VoIP phishing)
Port scanning
Spoofing
Network sniffing
DoS attack & DDoS attack*
ICMP Smurf Denial of Service
Buffer overflow attack
Botnet
Man-in-the-middle attack
Session hijacking attack
Cross-site scripting attack (XSS attack)
SQL injection attack
Bluetooth related attacks

* DoS – Denial of Service Attack; DDoS – Distributed Denial of Service Attack










Social engineering – refers to the psychological manipulation of people (employees of a company) into performing actions that potentially lead to a leak of the company's proprietary or confidential information, or otherwise cause damage to company resources, personnel or company image. Social engineers use various strategies to trick users into disclosing confidential information, data or both. One very common technique used by social engineers is to pretend to be someone else: an IT professional, a member of the management team, a co-worker, an insurance investigator or even a member of a governmental authority. The mere fact that the person making the request is one of these is meant to convince the victim that the person has the right to know confidential or otherwise protected information. The purpose of social engineering remains the same as the purpose of hacking: gaining unauthorized access to confidential information, data theft, industrial espionage or environment/service disruption.

Phishing attack – this type of attack uses social engineering techniques to steal confidential information. The most common purpose of such an attack is to target the victim's banking account details and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that lead them to malware-infected websites designed to look like real online banking websites. In most cases, the emails received by users will look authentic, as if sent from sources known to the user (very often with the appropriate company logo and localised information). These emails will contain a direct request to verify some account information, credentials or credit card numbers by following the provided link and confirming the information online. The request will be accompanied by a threat that the account may be disabled or suspended if the mentioned details are not verified by the user.



Social phishing – in recent years, phishing techniques have evolved to include social media like Facebook or Twitter. This type of phishing is often called social phishing. The purpose remains the same: to obtain confidential information and gain access to personal files. The means of the attack are a bit different, though, and include special links or posts on social media sites that attract the user with their content and convince them to click. The link then redirects to a malicious website or similar harmful content. The websites can mirror legitimate Facebook pages so that an unsuspecting user does not notice the difference. The website will require the user to log in with his real information; at this point, the attacker collects the credentials, gaining access to the compromised account and all data on it. Another scenario involves fake apps. Users are encouraged to download and install apps that contain malware used to steal confidential information.

Facebook phishing attacks are often much more elaborate. Consider the following scenario: a link posted by an attacker can include pictures or a phrase that will attract the user to click on it. The user clicks, upon which he/she is redirected to a mirror website that asks him/her to "like" the post before even viewing it. The user, not suspecting any harm, clicks the "like" button but does not realise that the "like" button has been spoofed and is in reality the "accept" button for the fake app to access the user's personal information. At this point, the account is compromised and the data is collected.



Spear phishing attack – this is a type of phishing attack targeted at specific individuals, groups of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose of industrial espionage and theft of sensitive information, while ordinary phishing attacks are directed against the wide public with the intent of financial fraud. It has been estimated that in the last couple of years targeted spear phishing attacks have become more widespread than ever before.

The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know (you can call or email the person to double check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a website to make sure your data will be encrypted.







Watering hole attack – this is a more complex type of phishing attack. Instead of the usual way of sending spoofed emails to end users in order to trick them into revealing confidential information, attackers use a multi-staged approach to gain access to the targeted information. In the first step, the attacker profiles the potential victim, collecting information about his or her internet habits, history of visited websites etc. In the next step, the attacker uses that knowledge to inspect specific legitimate public websites for vulnerabilities. If any vulnerabilities or loopholes are found, the attacker compromises the website with their own malicious code. The compromised website then waits for the targeted victim to come back and infects them with exploits (often for zero-day vulnerabilities) or malware. This is analogous to a lion waiting at the watering hole for its prey.







Whaling – a type of phishing attack specifically targeted at senior executives or other high profile targets within a company.

Vishing (Voice Phishing or VoIP Phishing) – the use of social engineering techniques over the telephone system to gain access to confidential information from users. This phishing attack is often combined with caller ID spoofing that masks the real source phone number and instead displays a number familiar to the phishing victim, or a number known to belong to a real banking institution. General practices of vishing include pre-recorded automated instructions requesting users to provide bank account or credit card information for verification over the phone.

Port scanning – an attack type where the attacker sends several requests to a range of ports on a targeted host in order to find out which ports are active and open, which allows them to exploit known service vulnerabilities related to specific ports. Port scanning can be used by malicious attackers to compromise security, as well as by IT professionals to verify network security.



Spoofing – a technique used to masquerade a person, program or address as another by falsifying data, with the purpose of gaining unauthorized access. A few of the common spoofing types include:

IP address spoofing – the process of creating IP packets with a forged source IP address to impersonate a legitimate system. This kind of spoofing is often used in DoS attacks (Smurf attack).







ARP spoofing (ARP poisoning) – the process of sending fake ARP messages on the network. The purpose of this spoofing is to associate the attacker's MAC address with the IP address of another legitimate host, causing traffic to be redirected to the attacker's host. This kind of spoofing is often used in man-in-the-middle attacks.







DNS spoofing (DNS Cache Poisoning) – an attack where the wrong data is inserted into DNS Server cache, causing the DNS server to divert the traffic by returning wrong IP addresses as results for client queries.







Email spoofing – the process of faking the email's sender ("From") field in order to hide the real origin of the email. This type of spoofing is often used in spam mail or during phishing attacks.







Search engine poisoning – attackers take advantage of high profile news items or popular events that may be of specific interest to a certain group of people to spread malware and viruses. This is performed by various methods whose purpose is to achieve the highest possible search ranking on known search portals for the malicious sites and links introduced by the hackers. Search engine poisoning techniques are often used to distribute rogue security products (scareware) to users searching for legitimate security solutions to download.
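An added example, not from the handbook, of the defensive side of the ARP spoofing entry above: it replays ARP replies (in a constructed tcpdump-like format) and flags an IP address whose MAC changes, with higher severity for the gateway, as well as a single MAC that answers for the gateway and other hosts at once. The gateway address, MAC addresses and log lines are all constructed.

```python
"""Detect ARP poisoning symptoms by replaying ARP replies from a capture log.

Two signals are checked: an IP address whose MAC binding changes, and one MAC
address that answers for the gateway and for other hosts at the same time
(the usual shape of a man-in-the-middle between a host and its gateway).
A binding change can also be legitimate (DHCP reassignment, NIC replacement,
router failover), so alerts are leads for an analyst, not proof of attack.
"""
import re
from collections import defaultdict

# Matches the reply form of tcpdump's ARP output: "Reply <ip> is-at <mac>".
ARP_REPLY = re.compile(
    r"Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})")


def detect_arp_spoofing(lines, gateway_ip):
    """Return a list of alert dicts, in the order the evidence appears."""
    ip_to_mac = {}                    # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)     # every IP each MAC has answered for
    alerts, seen = [], set()

    def raise_alert(severity, ip, mac, reason):
        key = (ip, mac, reason)
        if key not in seen:           # report each distinct finding once
            seen.add(key)
            alerts.append({"severity": severity, "ip": ip, "mac": mac, "reason": reason})

    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue                  # requests and non-ARP lines carry no binding
        ip, mac = m.group(1), m.group(2).lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            raise_alert("high" if ip == gateway_ip else "medium", ip, mac,
                        f"MAC for {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        claimed = mac_to_ips[mac]
        if gateway_ip in claimed and len(claimed) > 1:
            raise_alert("high", gateway_ip, mac,
                        f"{mac} answers for the gateway and for {sorted(claimed - {gateway_ip})}")
    return alerts


# Constructed capture: a normal gateway and two workstations, then a host with
# MAC aa:bb:cc:00:00:ff claiming both the gateway and workstation 10.0.0.25.
SAMPLE_ARP_LOG = [
    "10:00:01 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:01, length 28",
    "10:00:02 ARP, Reply 10.0.0.25 is-at aa:bb:cc:00:00:25, length 28",
    "10:00:03 ARP, Reply 10.0.0.30 is-at aa:bb:cc:00:00:30, length 28",
    "10:00:09 ARP, Request who-has 10.0.0.1 tell 10.0.0.25, length 28",
    "10:00:10 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:ff, length 28",
    "10:00:10 ARP, Reply 10.0.0.25 is-at aa:bb:cc:00:00:ff, length 28",
    "10:00:11 ARP, Reply 10.0.0.1 is-at aa:bb:cc:00:00:ff, length 28",
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG, gateway_ip="10.0.0.1"):
        print(alert["severity"].upper(), alert["reason"])
```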











Network sniffing (packet sniffing) – the process of capturing the data packets travelling in the network. Network sniffing can be used by IT professionals to analyse and monitor traffic, for example in order to find unexpected suspicious traffic, but also by perpetrators to collect data sent in clear text, which is easily readable with network sniffers (protocol analysers). The best countermeasure against sniffing is the use of encrypted communication between hosts.

Denial of Service attack (DoS attack) and Distributed Denial of Service attack (DDoS attack) – an attack designed to cause an interruption or suspension of the services of a specific host/server by flooding it with large quantities of useless traffic or external communication requests. When the DoS attack succeeds, the server is no longer able to answer even legitimate requests; this can be observed in a number of ways: slow response of the server, slow network performance, unavailability of software or web pages, inability to access data, websites or other resources. A Distributed Denial of Service attack (DDoS) occurs where multiple compromised or infected systems (a botnet) flood a particular host with traffic simultaneously.



DoS (denial-of-service) attack
A few of the most common DoS attack types:

ICMP flood attack (Ping Flood) – an attack that sends ICMP ping requests to the victim host without waiting for the answers, in order to overload it with ICMP traffic to the point where the host cannot answer them any more, either because of network bandwidth congestion with ICMP packets (both requests and replies) or because of high CPU utilization caused by processing the ICMP requests. The easiest way to protect against the various types of ICMP flood attack is either to disable propagation of ICMP traffic sent to the broadcast address on the router, or to disable ICMP traffic at the firewall level.







Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted malicious ping to the host machine, for example a ping larger than usual, which can cause a buffer overflow on the system that leads to a system crash.







Smurf attack – this works in the same way as the Ping Flood attack, with one major difference: the source IP address of the attacker's host is spoofed with the IP address of another legitimate, non-malicious computer. Such an attack will cause disruption both on the attacked host (receiving a large number of ICMP requests) and on the spoofed victim host (receiving a large number of ICMP replies).

SYN flood attack – this attack exploits the way the TCP 3-way handshake works while a TCP connection is being established. In the normal process, the host computer sends a TCP SYN packet to the remote host requesting a connection. The remote host answers with a TCP SYN-ACK packet confirming that the connection can be made. As soon as this is received by the first host, it replies with a TCP ACK packet to the remote host, and at this point the TCP socket connection is established. During a SYN flood attack, the attacker host, or more commonly several attacker hosts, send SYN packets to the victim host requesting connections; the victim host responds with SYN-ACK packets, but the attacker hosts never respond with ACK packets. As a result, the victim host reserves space for all those connections while waiting for the remote attacker hosts to respond, which never happens. This leaves the server with dead, half-open connections and in the end prevents legitimate hosts from connecting to the server at all.
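The following added example (not from the handbook) turns the port scanning and SYN flood descriptions above into detection logic over a constructed flow log: a source that sends SYNs to many distinct ports on one host is reported as a scan, and a destination port left with many SYNs that never received the client's ACK (the half-open connections the text describes) is reported as a flood. The record format, addresses and thresholds are assumptions made for the example.

```python
"""Flag port scans and SYN floods in a constructed TCP flow log.

Each record is one packet seen at the victim side, in the constructed form
"<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <flags>", where flags
are S (SYN), SA (SYN-ACK), A (ACK) or RA (RST-ACK).
"""
from collections import defaultdict

SCAN_DISTINCT_PORTS = 8     # one source sending SYNs to this many ports on a host
HALF_OPEN_PER_SERVICE = 15  # SYNs to one dst:port left without a completing ACK


def parse_record(line):
    ts, src, sport, dst, dport, flags = line.split()
    return float(ts), src, int(sport), dst, int(dport), flags


def analyse_flows(lines):
    """Return port-scan and SYN-flood findings after replaying the records in order."""
    pending = {}                          # (src, sport, dst, dport) -> SYN timestamp
    ports_probed = defaultdict(set)       # (src, dst) -> destination ports SYN'd to
    for line in lines:
        ts, src, sport, dst, dport, flags = parse_record(line)
        if flags == "S":
            # Client SYN: the server now reserves state until an ACK or RST arrives.
            pending[(src, sport, dst, dport)] = ts
            ports_probed[(src, dst)].add(dport)
        elif flags == "A":
            pending.pop((src, sport, dst, dport), None)   # handshake completed
        elif flags == "RA":
            # Server refused a closed port; nothing stays reserved. The key is
            # reversed because this packet travels server -> client.
            pending.pop((dst, dport, src, sport), None)
        # "SA" is the server's reply; it does not change the client-side state.

    half_open = defaultdict(int)
    for (_src, _sport, dst, dport) in pending:
        half_open[(dst, dport)] += 1

    scans = [(src, dst, sorted(ports))
             for (src, dst), ports in ports_probed.items()
             if len(ports) >= SCAN_DISTINCT_PORTS]
    floods = [(dst, dport, n) for (dst, dport), n in half_open.items()
              if n >= HALF_OPEN_PER_SERVICE]
    return {"port_scans": scans, "syn_floods": floods}


# Constructed sample: one legitimate session, one port sweep and one SYN flood.
SAMPLE_FLOWS = [
    "100.0 203.0.113.5 51000 192.0.2.10 443 S",
    "100.1 192.0.2.10 443 203.0.113.5 51000 SA",
    "100.2 203.0.113.5 51000 192.0.2.10 443 A",
]
# Sweep of ten ports from one source; only 22 and 443 answer SYN-ACK.
for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080]):
    SAMPLE_FLOWS.append(f"200.{i} 198.51.100.7 {40000 + i} 192.0.2.10 {port} S")
    reply = "SA" if port in (22, 443) else "RA"
    SAMPLE_FLOWS.append(f"200.{i} 192.0.2.10 {port} 198.51.100.7 {40000 + i} {reply}")
# Twenty SYNs to port 443 from spoofed sources that never complete the handshake.
for i in range(20):
    SAMPLE_FLOWS.append(f"300.{i} 10.9.{i}.1 {50000 + i} 192.0.2.10 443 S")

if __name__ == "__main__":
    print(analyse_flows(SAMPLE_FLOWS))
```

On a production server the thresholds must be set from a traffic baseline, and the half-open count should be evaluated over a sliding time window rather than over the whole log as done here.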







Buffer overflow attack – in this type of attack the victim host is provided with traffic/data that is outside the range the victim host, its protocols or its applications are specified to process, overflowing the buffer and overwriting the adjacent memory. One example is the Ping of Death attack mentioned above, where a malformed ICMP packet with a size exceeding the normal value can cause a buffer overflow.

Botnet – a collection of compromised computers that can be controlled by remote perpetrators to perform various types of attacks on other computers or networks. A well-known example of botnet usage is the distributed denial of service attack, where multiple systems submit as many requests as possible to the victim machine in order to overload it with incoming packets. Botnets can otherwise be used to send out spam, spread viruses and spyware, and also to steal personal and confidential information which is afterwards forwarded to the botmaster.

Man-in-the-middle attack – this attack is a form of active monitoring or eavesdropping on victims' connections and on the communication between victim hosts. This form of attack includes interaction between both victim parties of the communication and the attacker. It is achieved by the attacker intercepting all parts of the communication, changing its content and sending it back as legitimate replies. Neither party is aware of the attacker's presence and both believe the replies they get are legitimate. For this attack to be successful, the perpetrator must successfully impersonate at least one of the endpoints. This is possible when there are no protocols in place that would provide mutual authentication or encryption during the communication.



Session hijacking attack – this attack exploits a valid computer session in order to gain unauthorized access to information on a computer system. The attack type is often referred to as cookie hijacking because, during the attack, the attacker uses the stolen session cookie to gain access to and authenticate with the remote server by impersonating the legitimate user.

Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found in web server applications in order to inject a client-side script into the webpage, which can either point the user to a malicious website of the attacker or allow the attacker to steal the user's session cookie.

SQL injection attack – the attacker uses existing vulnerabilities in applications to inject code or a string for execution that exceeds the allowed and expected input to the SQL database.



Bluetooth related attacks 



Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to information on a device through its Bluetooth connection. Any device with Bluetooth turned on and set to the "discoverable" state may be prone to a bluesnarfing attack.

Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam) messages to Bluetooth enabled devices.

Bluebugging – an attack on a Bluetooth enabled device. Bluebugging enables the attacker to initiate phone calls on the victim's phone as well as read through the address book and messages, and eavesdrop on phone conversations.






Fig: Top Network Attacks as per McAfee Labs, 2015



Few recent cyberattacks (or Network attacks) that shook some big businesses around the globe:



Primera Blue Cross March 2015 The company, a health insurer based in Washington State, said up to 11 million customers could have been affected by a cyberattack last year. Hackers gained access to its computers on May 5, and the breach was not discovered until Jan. 29, Primera said. The breach could have exposed members' names, dates of birth, Social Security numbers, mailing and email addresses, phone numbers and bank account information. The company is working with the F.B.I. and a cybersecurity firm to investigate. 58



Trainer’s Guide– Security Analyst SSC/N0901



Anthem February 2015 One of the nation’s largest health insurers said that the personal information of tens of millions of its customers and employees, including its chief executive, was the subject of a “very sophisticated external cyberattack.” The company added that hackers were able to breach a database that contained as many as 80 million records of current and former customers, as well as employees. The information accessed included names, Social Security numbers, birthdays, addresses, email and employment information, including income data.



Sony Pictures, November 2014. A huge attack that essentially wiped clean several internal data centers and led to the cancellation of the theatrical release of "The Interview," a comedy about the fictional assassination of the North Korean leader Kim Jong-un. Contracts, salary lists, film budgets, entire films and Social Security numbers were stolen, including -- to the dismay of top executives -- leaked emails that included criticisms of Angelina Jolie and disparaging remarks about President Obama.



Staples October 2014 The office supply retailer said hackers had broken into the company’s network and compromised the information of about 1.16 million credit cards.









Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a catalogue of publicly known security vulnerabilities and exposures. The catalogue is sponsored by the United States Department of Homeland Security (DHS), and entries are divided into two categories: vulnerabilities and exposures.

The catalogue's main purpose is to standardize the way each known vulnerability or exposure is identified. This is important because a standard ID (of the form CVE-YYYY-NNNN) allows security administrators to quickly access technical information about a specific threat across multiple CVE-compatible information sources, such as vulnerability scanners, vendor advisories and the National Vulnerability Database (NVD).

According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. For example, the vulnerability may allow an attacker to pose as a super user or system administrator who has full access privileges. An exposure, on the other hand, is a mistake in software code or configuration that provides an attacker with indirect access to a system or network. For example, an exposure may allow an attacker to secretly gather customer information that could be sold.

CVE is sponsored by US-CERT in the DHS Office of Cybersecurity and Information Assurance (OCSIA). MITRE, a not-for-profit organization that operates research and development centres sponsored by the U.S. federal government, maintains the CVE catalogue and public website. It also manages the CVE Compatibility Program, and CVE identifiers are assigned by authorized CVE Numbering Authorities (CNAs).
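The practical value of a standard identifier is that findings from different tools can be joined on it, but only if every source writes the ID the same way. The following added example (not part of the handbook or of any CVE tooling) normalizes sloppy CVE identifiers to the canonical CVE-YYYY-NNNN form, rejects malformed ones instead of dropping them silently, and correlates scanner findings with an advisory feed by the normalized ID. The scanner and advisory records are constructed sample data; their field names ("host", "id", "fix") are assumptions.

```python
"""Normalize CVE identifiers and correlate findings across two sources.

Added example for this handbook. The two record lists below are constructed
sample data, not real tool output; field names are assumptions.
"""
import re

# CVE-YYYY-NNNN: the sequence part has at least four digits and, since the
# 2014 syntax change, may have more, so the pattern must not cap it at four.
_CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


def normalize_cve(raw):
    """Return the canonical 'CVE-YYYY-NNNN' string or raise ValueError.

    Accepts untidy input such as 'cve 2014-0160' or ' CVE-2021-44228 '.
    """
    candidate = re.sub(r"[\s_]+", "-", raw.strip()).upper()
    m = _CVE_RE.match(candidate)
    if not m:
        raise ValueError("not a CVE identifier: %r" % (raw,))
    year, seq = int(m.group("year")), m.group("seq")
    if year < 1999:  # the CVE list started in 1999
        raise ValueError("implausible CVE year in %r" % (raw,))
    # Leading zeros only pad four-digit sequence numbers (CVE-2014-0160);
    # a longer sequence number must not start with zero.
    if len(seq) > 4 and seq.startswith("0"):
        raise ValueError("malformed sequence number in %r" % (raw,))
    return "CVE-%d-%s" % (year, seq)


# Constructed scanner output: note the inconsistently formatted IDs.
SCANNER_A = [
    {"host": "web01", "id": "cve-2014-0160", "severity": "high"},
    {"host": "web01", "id": "CVE-2021-44228", "severity": "critical"},
    {"host": "db01", "id": "CVE 2017-5638", "severity": "high"},
]

# Constructed advisory feed with generic remediation text.
ADVISORY_FEED = [
    {"id": "CVE-2021-44228", "fix": "apply vendor patch"},
    {"id": "CVE-2014-0160", "fix": "apply vendor patch, reissue certificates"},
]


def correlate(findings, advisories):
    """Join findings with advisory fixes on the canonical CVE ID.

    Returns (joined, rejected) where joined maps each CVE ID to the affected
    hosts and the known fix (None if no advisory), and rejected lists the raw
    IDs that could not be parsed, so nothing disappears without a trace.
    """
    fixes = {normalize_cve(a["id"]): a["fix"] for a in advisories}
    joined, rejected = {}, []
    for f in findings:
        try:
            cve = normalize_cve(f["id"])
        except ValueError:
            rejected.append(f["id"])
            continue
        entry = joined.setdefault(cve, {"hosts": [], "fix": fixes.get(cve)})
        entry["hosts"].append(f["host"])
    return joined, rejected


def demo():
    """Run the correlation on the sample data plus one malformed ID."""
    findings = SCANNER_A + [{"host": "app02", "id": "CVE-2014-160", "severity": "low"}]
    return correlate(findings, ADVISORY_FEED)
```

The malformed ID is surfaced in the rejected list rather than discarded: a finding that quietly vanishes from a report is exactly the kind of gap an analyst later has to explain.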









UNIT II Fundamentals of Information Security

This unit covers:
 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
   2.1 Elements of information security
   2.2 Principles and concepts – data security
   2.3 Types of controls






Lesson Plan

Outcomes
To be competent, you must be able to:
 PC3. carry out security assessment of information security systems using automated tools
 PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
You need to know and understand:
 KA5. how to analyse root causes of information security issues
 KA6. how to carry out information security assessments
 KB4. how to identify and resolve information security vulnerabilities and issues

Performance Measures
 PC3, PC8: Ensuring understanding through a QA session and a descriptive write-up, assessed by peer group, faculty group and industry experts.
 KA6, KA7, KA8: Peer review with faculty, with appropriate feedback.
 KB1 – KB4: Going through the security standards on the Internet by visiting sites such as ISO and PCI DSS, and understanding the various methodologies and the usage of algorithms.

Duration (Hrs)
 Performance criteria: 2 hrs
 Knowledge and understanding: 4 hrs classroom session and 4 hrs research

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Lab availability (24/7)
 Internet with WiFi (min 2 Mbps dedicated)
 Networking equipment: routers and switches, firewalls and access points
 Access to security standards sites such as ISO and PCI DSS
 Commercial tools such as HP WebInspect and IBM AppScan
 Other tools such as sqlmap (open source) and Nessus









Suggested Learning Activities

Activity 1: Ask students to investigate the various types of threats to network security, application security and communication security. Also list the various countermeasures or security devices that may be used to address these. Present the same in class.

Activity 2: Ask students to research various information security service companies' websites and understand the various security services they offer. Carry out a comparison of the various services or products offered and list their features and benefits.

Activity 3: Ask the students to research the various categories of controls and state the various controls within each category. Let them discuss in groups the benefits and limitations of examples of each type of control within a category.

Activity 4: Ask the students to research the various elements of a decision tree and an algorithm. Ask them to create algorithms and decision trees for various situations when planning for the security of information assets.









Training Resource Material

2.1 Elements of Information Security

Network Security

Network security refers to any activity designed to protect your network. Specifically, these activities protect the usability, reliability, integrity and safety of your network and data. Effective network security targets a variety of threats and stops them from entering or spreading on your network. No single solution protects you from every threat; you need multiple layers of security, so that if one fails, others still stand. Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect you from emerging threats.

Wireless networks, which by their nature transmit over a shared radio medium that anyone in range can listen to, are more vulnerable than wired networks. They need to encrypt communications to deal with sniffing, and to continuously check the identity of mobile nodes. Mobility adds further challenges, namely monitoring and maintaining secure transport of traffic for nodes that move between networks. This concerns both homogeneous and heterogeneous (inter-technology) mobility; the latter requires the security level of all networks visited by the mobile node to be brought to a common standard. On the terminal's side, it is important to protect its resources (battery, disk, CPU) against misuse and to ensure the confidentiality of its data. In an ad hoc or sensor network, it becomes essential to ensure the terminal's integrity, as it plays the dual role of router and terminal.

The difficulty of designing security solutions that address these challenges is not only to ensure robustness against potential attacks, or to ensure that security does not slow down communications, but also to optimize the use of resources in terms of bandwidth, memory, battery and so on. More importantly, in this open context the wireless network must ensure anonymity and privacy while allowing traceability for legal reasons. The growing need for traceability stems from the fight against criminal organizations and terrorists, and also from efforts to minimize copyright infringement. The network therefore faces a dilemma: supporting the free exchange of information while controlling the content of communications to avoid harmful content. This concerns both wired and wireless networks. All these factors influence the selection and implementation of security tools, which should be guided by a prior risk assessment and a security policy.

Finally, trust models are increasingly being considered in the design of secured systems. These should offer a higher level of trust than classical security mechanisms, and it seems that future networks will need to implement both security and trust models. If communication nodes are capable of building and maintaining a predefined trust level in the network, the communication system can be trusted at all times, allowing trusted and secure service deployment. However, such trust models are very difficult to design, and the trust level is presently a rather subjective concept, much like human trust. Succeeding in building such trust models would allow infrastructure-based networks, and especially infrastructure-less or self-organized networks such as ad hoc sensor networks, to be trusted enough to deploy several applications. This would also affect current business models: the economic model would have to change to include new players in the telecommunication value chain, such as users offering their machines to build an infrastructure-less network. For example, in the context of ad hoc networks, ad hoc users could become distributors of content or providers of other networked services, a sort of service provider. In this case, an appropriate charging and billing system needs to be designed.

A network security system usually consists of many components. Ideally, all components work together, which minimizes maintenance and improves security. Network security components often include:
 Anti-virus and anti-spyware
 Firewall to block unauthorized access to your network
 Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day or zero-hour attacks
 Virtual Private Networks (VPNs) to provide secure remote access
 Communication security



Application Security

Application security (AppSec) is the use of software, hardware and procedural methods to protect applications from external threats. AppSec is the operational solution to the problem of software risk. AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application, irrespective of its function, language or platform.









As a best practice, AppSec employs proactive and preventative methods to manage software risk, and aligns an organization's security investments with the reality of today's threats. It has three distinct elements:

1) measurable reduction of risk in existing applications
2) prevention of the introduction of new risks
3) compliance with software security mandates



The severity and frequency of cyberattacks is increasing, which is making the practice of AppSec important. AppSec as a discipline is also becoming more complex as the variety of business software continues to proliferate. Here are some of the reasons why (and see if these sound familiar):
 Today's enterprise software comes from a variety of sources: in-house development teams, commercial vendors, outsourced solution providers and open source projects.
 Software developers have an endless choice of programming languages: Java, .NET, C++, PHP and more.
 Applications can be deployed across myriad platforms: installed to operate locally, over virtual servers and networks, accessed as a service in the cloud or run on mobile devices.

AppSec products must provide capabilities for managing security risk across all of these options, as each of these development and deployment options can introduce security vulnerabilities. A software vulnerability can be defined as a programmatic function that processes critical data in an insecure way. These "holes" in an application can be exploited by a hacker, spy or cybercriminal as an entry point to steal sensitive, protected or confidential data.

An effective software security strategy addresses both immediate and systemic risk. The application security market has reached sufficient maturity to allow organizations of all sizes to follow a well-established roadmap:
 Begin with software security testing to find and assess potential vulnerabilities.
 Follow remediation procedures to prioritize and fix them.
 Train developers on secure coding practices.
 Leverage ongoing threat intelligence to keep up to date.
 Develop continuous methods to secure applications throughout the development life cycle.
 Institute policies and procedures that instill good governance.



Testing and remediation form the baseline response to insecure applications, but the critical element of a successful AppSec effort is ongoing developer training. Security-conscious development teams write robust code and avoid common errors. Take input validation, the process of ensuring that a program operates only on clean, correct and useful data. Neglecting this step, and failing to build in standard input validation rules or "check routines", leaves the application open to common attacks such as cross-site scripting and SQL injection. Validation alone is not sufficient, however: the data must also be handled safely at the point of use, by passing it to the database as a bound parameter rather than splicing it into the query text, and by encoding it for the output context when it is written into a web page. When undertaken correctly, application security is an orderly process of reducing the risks associated with developing and running business-critical software. Properly managed, a good application security program will move your organization from a state of unmanaged risk and reactive security to effective, proactive risk mitigation.
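To make the two attacks named above concrete, the following added example (not code from the handbook) puts a vulnerable lookup and greeting beside their hardened forms. It uses an in-memory SQLite database seeded with constructed rows; the user-name allow-list pattern and the injection string are assumptions chosen for the demonstration.

```python
"""Vulnerable vs. hardened handling of user input: SQL injection and XSS.

Added example for this handbook. The database rows, the injection string and
the allow-list pattern are constructed for the demonstration.
"""
import html
import re
import sqlite3


def _seed_db():
    """In-memory SQLite table with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("ann", "ann@example.com"), ("david", "david@example.com"),
         ("joe", "joe@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: attacker-controlled text becomes SQL syntax."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


# Allow-list 'check routine' (assumption): lowercase letter, then up to 31
# lowercase letters, digits or underscores. Anything else is rejected.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def lookup_hardened(conn, username):
    """Validate first, then bind the value as a parameter.

    Parameter binding alone defeats SQL injection because the value is never
    parsed as SQL; the allow-list additionally keeps junk out of every
    downstream component, not just the database.
    """
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def hardened_rejects(conn, username):
    """True if the hardened lookup refuses the input."""
    try:
        lookup_hardened(conn, username)
    except ValueError:
        return True
    return False


def render_greeting_vulnerable(name):
    """Reflects input into HTML unescaped: a reflected XSS sink."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_hardened(name):
    """Output encoding for the HTML text context neutralises markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Exercise both pairs on a constructed injection string and XSS probe."""
    conn = _seed_db()
    payload = "' OR '1'='1"               # constructed injection string
    xss = "<script>alert(1)</script>"     # constructed XSS probe
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        "hardened_rejects_payload": hardened_rejects(conn, payload),
        "hardened_normal": lookup_hardened(conn, "ann"),
        "xss_reflected": "<script>" in render_greeting_vulnerable(xss),
        "xss_encoded": render_greeting_hardened(xss),
    }
```

The vulnerable lookup returns every row for the injection string because the quote in the input closes the literal and the rest of the string is parsed as SQL; the hardened version never reaches the database with that input, and would be safe even if it did, because the value is bound rather than concatenated.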



Communications Security

Communications Security (COMSEC) ensures the confidentiality and integrity of telecommunications, two of the information assurance (IA) pillars. Generally, COMSEC may refer to the security of any information that is transmitted, transferred or communicated.

There are five COMSEC security types:
 Cryptosecurity: this encrypts data, rendering it unreadable to anyone who does not hold the key needed to decrypt it.
 Emission Security (EMSEC): this prevents the release or capture of compromising emanations from equipment, such as cryptographic equipment, thereby preventing unauthorized interception.
 Physical Security: this ensures the safety of, and prevents unauthorized access to, cryptographic information, documents and equipment.
 Traffic-Flow Security: this hides the presence of messages and message characteristics (who is talking to whom, how often, how much) on a network, for example by padding or sending cover traffic.
 Transmission Security (TRANSEC): this protects transmissions from interception, traffic analysis and jamming by means other than encrypting the content, for example frequency hopping or spread spectrum, thereby preventing interruption and harm.









2.2 Principles and Concepts – Data Security

Critical Information Characteristics

Information systems security concerns itself with the maintenance of three critical characteristics of information: confidentiality, integrity and availability. These attributes of information represent the full spectrum of security concerns in an automated environment. They are applicable to any organization irrespective of its philosophical outlook on sharing information.

Information States

Information has three basic states: at any given moment, information is being transmitted, stored or processed. The three states exist irrespective of the media in which information resides.

Fig: Critical information characteristics (confidentiality, integrity, availability) against information states (transmission, processing, storage)






Prevention vs. detection

Security efforts to assure confidentiality, integrity and availability can be divided into those oriented to prevention and those focused on detection. The latter aim to rapidly discover and correct lapses that could not be (or at least were not) prevented. The balance between prevention and detection depends on the circumstances and the available security technologies.

Basic information security concepts:
• Identification
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation

Identification is the first step in the 'identify-authenticate-authorize' sequence that is performed countless times every day by humans and computers alike when access to information or information processing resources is required. While the particulars of identification systems differ depending on who or what is being identified, some intrinsic properties of identification apply regardless of these particulars. Just three of these properties are the scope, locality and uniqueness of IDs. Identification name spaces can be local or global in scope. To illustrate this concept, consider the familiar notation of email addresses. While many email accounts named Gaurav may exist around the world, the email address gaurav@company.com unambiguously refers to exactly one such user in the company.com locality. Provided that the company in question is a small one and that only one employee is named Gaurav, his colleagues may refer to that particular person by his first name alone. That works because they are in the same locality and only one Gaurav works there. However, if Gaurav were someone on the other side of the world, or even across town, referring to gaurav@company.com as simply Gaurav would make no sense, because the user name Gaurav is not globally unique and refers to different persons in different localities. This is one of the reasons why two user accounts should never use the same name on the same system: not only would you be unable to enforce access controls based on non-unique and ambiguous user names, you would also be unable to establish accountability for user actions.

Authentication happens right after identification and before authorization. It verifies the authenticity of the identity declared at the identification stage. In other words, it is at the authentication stage that you prove you are indeed the person or the system you claim to be. The three methods (factors) of authentication are what you know (a password or PIN), what you have (a token or smart card) and what you are (a biometric). Regardless of the particular authentication method used, the aim is to obtain reasonable assurance that the identity declared at the identification stage belongs to the party in communication. It is important to note that reasonable assurance may mean different degrees of assurance depending on the particular environment and application, and therefore may require different approaches to authentication; combining two factors of different kinds gives more assurance than either alone. The authentication requirements of a national-security-critical system naturally differ from those of a small company. As different authentication methods have different costs and properties, as well as different returns on investment, the choice of authentication method for a particular system or organization should be made after these factors have been carefully considered.

Authorization is the process of ensuring that a user has sufficient rights to perform the requested operation, and of preventing those without sufficient rights from doing the same. After declaring identity at the identification stage and proving it at the authentication stage, users are assigned a set of authorizations (also referred to as rights, privileges or permissions) that define what they can do on the system. These authorizations are most commonly defined by the system's security policy and are set by the security or system administrator. They may range from the extremes of "permit nothing" to "permit everything" and include anything in between.
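The identification and authentication steps above translate directly into two implementation rules: identifiers must be unique within their locality, and the secret that proves an identity must be stored and compared in a way that does not leak it. The following added example (not code from the handbook) enforces both for the "what you know" factor: an in-memory user store that refuses duplicate names after case-folding, stores salted PBKDF2 password hashes, and compares in constant time. The iteration count and salt size are assumptions chosen as reasonable defaults, not values from the text.

```python
"""Identification and authentication: unique names, verified secrets.

Added example for this handbook. The store is in memory; PBKDF2_ITERATIONS and
SALT_BYTES are assumed defaults to tune per deployment, not handbook values.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumption: raise until a check costs ~100 ms
SALT_BYTES = 16               # assumption: 128-bit random salt per user


class UserStore:
    """Identification: every user name is unique within this locality."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def canonical(name):
        # Case-fold so that 'Gaurav' and 'gaurav' cannot be two accounts.
        return name.strip().casefold()

    def register(self, name, password):
        key = self.canonical(name)
        if not key:
            raise ValueError("empty user name")
        if key in self._users:
            # A duplicate ID would defeat both access control and
            # accountability, so reject rather than overwrite.
            raise ValueError("user name already taken: %s" % name)
        salt = os.urandom(SALT_BYTES)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                     PBKDF2_ITERATIONS)
        self._users[key] = (salt, digest)

    def authenticate(self, name, password):
        """Authentication: prove the claimed identity with 'what you know'."""
        record = self._users.get(self.canonical(name))
        if record is None:
            # Do the same amount of work for unknown names so response time
            # does not reveal which user names exist.
            hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                b"\0" * SALT_BYTES, PBKDF2_ITERATIONS)
            return False
        salt, expected = record
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                     PBKDF2_ITERATIONS)
        # Constant-time comparison: no early exit on the first differing byte.
        return hmac.compare_digest(actual, expected)


def demo():
    """Register one user, attempt a case-variant duplicate, then authenticate."""
    store = UserStore()
    store.register("gaurav", "correct horse battery staple")   # constructed
    try:
        store.register("Gaurav", "another secret")
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return {
        "duplicate_rejected": duplicate_rejected,
        "good_password": store.authenticate("GAURAV", "correct horse battery staple"),
        "bad_password": store.authenticate("gaurav", "wrong"),
        "unknown_user": store.authenticate("nobody", "wrong"),
    }
```

Note what the store deliberately does not do: it never stores the password itself, never compares with `==`, and never tells the caller whether a failed login was due to an unknown name or a wrong password.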



Confidentiality means that only authorized persons have access to receive or use information, documents and so on. Unauthorized access to confidential information may have devastating consequences, not only in national security applications but also in commerce and industry. The main mechanisms for protecting confidentiality in information systems are cryptography and access controls. Examples of threats to confidentiality are malware, intruders, social engineering, insecure networks and poorly administered systems.







Integrity is concerned with the trustworthiness, origin, completeness and correctness of information, as well as the prevention of improper or unauthorized modification of information. Integrity in the information security context refers not only to the integrity of the information itself but also to origin integrity, i.e. the integrity of the source of the information. Integrity protection mechanisms may be grouped into two broad types: preventive mechanisms, such as access controls that prevent unauthorized modification of information, and detective mechanisms, such as cryptographic checksums, which are intended to detect unauthorized modifications when preventive mechanisms have failed. Controls that protect integrity also include the principles of least privilege, separation of duties and rotation of duties.



Availability of information, although usually mentioned last, is not the least important pillar of information security. Who needs confidentiality and integrity if the authorized users of information cannot access and use it? Who needs sophisticated encryption and access controls if the information being protected is not accessible to authorized users when they need it? Therefore, despite being mentioned last in the C-I-A triad, availability is just as important and as necessary a component of information security as confidentiality and integrity. Attacks against availability are known as denial of service (DoS) attacks. Natural and man-made disasters may also affect availability, as well as the confidentiality and integrity of information, though their frequency and severity differ greatly. Natural disasters are infrequent but severe, whereas human errors are frequent but usually not as severe as natural disasters. In both cases, business continuity and disaster recovery planning (which at the very least includes regular, tested backups) is intended to minimize losses.



Non-repudiation in the information security context refers to one of the properties of cryptographic digital signatures: the possibility of proving whether a particular message was digitally signed by the holder of a particular signing key's private half. Non-repudiation is a somewhat controversial subject, partly because it is an important one in this age of electronic commerce and yet does not provide an absolute guarantee. A digital signature owner who wishes to repudiate a transaction maliciously may always claim that his or her private key was stolen and that someone else actually signed the transaction in question. Note also that symmetric message authentication codes, in which sender and receiver share the same key, cannot provide non-repudiation, since either party could have produced the tag.



The following types of non-repudiation services are defined in the international standard ISO/IEC TR 14516:2002 (guidelines for the use and management of trusted third party services).
o Approval: non-repudiation of approval provides proof of who is responsible for approval of the contents of a message.
o Sending: non-repudiation of sending provides proof of who sent the message.
o Origin: non-repudiation of origin is a combination of approval and sending.
o Submission: non-repudiation of submission provides proof that a delivery agent has accepted the message for transmission.
o Transport: non-repudiation of transport provides proof for the message originator that a delivery agent has delivered the message to the intended recipient.
o Receipt: non-repudiation of receipt provides proof that the recipient received the message.
o Knowledge: non-repudiation of knowledge provides proof that the recipient recognized the content of the received message.
o Delivery: non-repudiation of delivery is a combination of receipt and knowledge, as it provides proof that the recipient received and recognized the content of the message.









Fun-Facts about Top Data Center Security-GOOGLE









2.3 Types of Controls

Central to information security is the concept of controls, which may be categorized by their functionality (preventive, detective, corrective, deterrent, recovery and compensating) and by their plane of application (physical, administrative or technical).

By functionality:

Preventive controls
Preventive controls are the first controls met by an adversary. They try to prevent security violations and enforce access control. Like other controls, they may be physical, administrative or technical. Doors, security procedures and authentication requirements are examples of physical, administrative and technical preventive controls respectively.

Detective controls
Detective controls are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented, and are no less crucial than preventive controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms.

Corrective controls
Corrective controls try to correct the situation after a security violation has occurred. Although a violation has occurred, the data may still be intact, so it makes sense to try to fix the situation. Corrective controls vary widely depending on the area being targeted, and they may be technical or administrative in nature.

Deterrent controls
Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls include notices of monitoring and logging, as well as the visible practice of sound information security management.

Recovery controls
Recovery controls are somewhat like corrective controls, but they are applied in more serious situations to recover from security violations and restore information and information processing resources. Recovery controls may include disaster recovery and business continuity mechanisms, backup systems and data, emergency key management arrangements and similar controls.

Compensating controls
Compensating controls are intended to be alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, it acts as a compensating control.









By plane of application: Physical controls include doors, secure facilities, fire extinguishers, flood protection and air conditioning. Administrative controls are the organization’s policies, procedures and guidelines intended to facilitate information security. Technical controls are the various technical measures, such as firewalls, authentication systems, intrusion detection systems and file encryption among others.



Access Control Models

Logical access control models are the abstract foundations upon which actual access control mechanisms and systems are built. Access control is among the most important concepts in computer security. Access control models define how computers enforce access of subjects (such as users, other computers, applications and so on) to objects (such as computers, files, directories, applications, servers and devices). Three main access control models exist:
 Discretionary Access Control model
 Mandatory Access Control model
 Role Based Access Control model



Discretionary Access Control (DAC)

The Discretionary Access Control model is the most widely used of the three models. In the DAC model, the owner (creator) of information has the discretion to decide about and set access control restrictions on the object in question, which may, for example, be a file or a directory. The advantage of DAC is its flexibility. Users may decide who can access information and what they can do with it: read, write, delete, rename, execute and so on. At the same time, this flexibility is also a disadvantage of DAC, because users may make wrong decisions regarding access control restrictions or maliciously set insecure or inappropriate permissions. Nevertheless, the DAC model remains the model of choice for the absolute majority of operating systems today, including Solaris.

Mandatory Access Control (MAC)

Mandatory access control, as its name suggests, takes a stricter approach to access control. In systems utilizing MAC, users have little or no discretion as to what access permissions they can set on their information. Instead, mandatory access controls specified in a system-wide security policy are enforced by the operating system and applied to all operations on that system. MAC based systems use data classification levels (such as public, confidential, secret and top secret) and security clearance labels corresponding to those classification levels to decide, in accordance with the security policy set by the system administrator, what access control restrictions to enforce. Additionally, per-group and/or per-domain access control restrictions may be imposed, i.e. in addition to having the required security clearance level, subjects (users or applications) must also belong to the appropriate group or domain. For example, a file with a confidential label belonging only to the research group may not be accessed by a user from the marketing group, even if that user has a security clearance level higher than confidential (for example, secret or top secret). This concept is known as compartmentalization or 'need to know'. Although MAC based systems, when used appropriately, are thought to be more secure than DAC based systems, they are also much more difficult to use and administer because of the additional restrictions and limitations imposed by the operating system. MAC based systems are typically used in government, military and financial environments where higher than usual security is required and where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version of the Solaris operating environment intended for high security environments.

Role-Based Access Control (RBAC)

In the role based access control model, rights and permissions are assigned to roles instead of individual users. This added layer of abstraction permits easier and more flexible administration and enforcement of access controls. For example, access to marketing files may be restricted to the marketing manager role only, and users Ann, David and Joe may be assigned the role of marketing manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke his marketing manager role, and no other changes are necessary. When you apply this approach to an organization with thousands of employees and hundreds of roles, you can see the added security and convenience of using RBAC. Solaris has supported RBAC since release 8.
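The MAC and RBAC decisions described above are small enough to write down as code, which makes their differences easier to see than prose does. The following added example (not code from the handbook, and not an implementation from Trusted Solaris or any other operating system) encodes the MAC rule as a dominance check (clearance level at least the object's level, and every compartment on the object held by the subject) and the RBAC rule as a role-to-permission lookup, then walks through the research-file and marketing-manager scenarios from the text. Levels, compartments, roles and permission names are constructed for the demonstration.

```python
"""Mandatory and role-based access control decisions side by side.

Added example for this handbook. Classification levels, compartments, roles
and permission strings are constructed to match the text's scenarios.
"""

# MAC: a total order of classification levels plus need-to-know compartments.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_can_read(subject, obj):
    """Read is allowed only if the subject's label dominates the object's.

    Dominance means: clearance level >= object level AND the subject holds
    every compartment attached to the object. A higher level alone is not
    enough; that is the 'need to know' rule.
    """
    level_ok = LEVELS[subject["clearance"]] >= LEVELS[obj["level"]]
    compartments_ok = set(obj["compartments"]) <= set(subject["compartments"])
    return level_ok and compartments_ok


class Rbac:
    """RBAC: permissions attach to roles, users attach to roles."""

    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def grant(self, role, *perms):
        self.role_perms.setdefault(role, set()).update(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # Removing one role assignment is the only change needed when a
        # person moves; the role's permissions are untouched.
        self.user_roles.get(user, set()).discard(role)

    def permitted(self, user, perm):
        return any(perm in self.role_perms.get(r, ())
                   for r in self.user_roles.get(user, ()))


def demo():
    """The research-file and marketing-manager scenarios from the text."""
    research_file = {"level": "confidential", "compartments": {"research"}}
    marketing_user = {"clearance": "top secret", "compartments": {"marketing"}}
    research_user = {"clearance": "confidential", "compartments": {"research"}}

    rbac = Rbac()
    rbac.grant("marketing manager", "read:marketing", "write:marketing")
    for user in ("ann", "david", "joe"):
        rbac.assign(user, "marketing manager")
    david_before = rbac.permitted("david", "read:marketing")
    rbac.revoke("david", "marketing manager")   # David moves departments
    david_after = rbac.permitted("david", "read:marketing")

    return {
        "mac_marketing_reads_research": mac_can_read(marketing_user, research_file),
        "mac_research_reads_research": mac_can_read(research_user, research_file),
        "rbac_david_before": david_before,
        "rbac_david_after": david_after,
        "rbac_ann_unchanged": rbac.permitted("ann", "write:marketing"),
    }
```

The marketing user is refused the confidential research file despite holding a top secret clearance, exactly the compartmentalization rule in the text, and revoking David's single role assignment is the only change needed to remove his access.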



Centralized vs. Decentralized Access Control



Further distinction should be made between centralized and decentralized (distributed) access control models. In environments with centralized access control, a single, central entity makes access control decisions and manages the access control system whereas in distributed access control environments, these decisions are made and enforced in a decentralized manner. Both approaches have their pros and cons, and it is generally inappropriate to say that one is better than the other. The selection of a particular access control approach should be made only after careful consideration of an organization’s requirements and associated risks.



Security Vulnerability Management
Security vulnerability management is the current evolutionary step of vulnerability assessment systems that began in the early 1990s with the advent of the network security scanner S.A.T.A.N. (Security Administrator’s Tool for Analyzing Networks), followed by the first commercial vulnerability scanner from ISS. While early tools mainly found vulnerabilities and produced lengthy reports, today’s best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability management lifecycle. A vulnerability can occur anywhere in the IT environment and can be the result of many different root causes. Security vulnerability management solutions gather comprehensive endpoint and network intelligence and apply advanced analytics to identify and prioritize the vulnerabilities that pose the most risk to critical systems. The result is actionable data that enables IT security teams to focus on the tasks that will most quickly and effectively reduce overall network risk with the fewest possible resources.

Security vulnerability management is a closed-loop workflow that generally includes identifying networked systems and associated applications, auditing (scanning) the systems and applications for vulnerabilities and remediating the vulnerabilities. Any IT infrastructure component may present existing or new security concerns and weaknesses, i.e. vulnerabilities. These may be product or component faults, or they may be inadequate configuration. Malicious code or unauthorized individuals may exploit those vulnerabilities to cause damage, such as disclosure of credit card data. Vulnerability management is the process of identifying those vulnerabilities and reacting appropriately to mitigate the risk.



Vulnerability assessment and management is an essential piece of managing overall IT risk because of:
• Persistent threats: attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to dominate headlines.
• Regulation: many government and industry regulations mandate rigorous vulnerability management practices.
• Risk management: mature organizations treat it as a key risk management component. Organizations that follow mature IT security principles understand the importance of risk management.



Properly planned and implemented threat and vulnerability management programs represent a key element in an organization’s information security program, providing an approach to risk and threat mitigation that is proactive and business aligned, not just reactive and technology focused.



Vulnerability Assessment
This includes assessing the environment for known vulnerabilities and assessing IT components against the security configuration policies (by device role) that have been defined for the environment. This is accomplished through scheduled vulnerability and configuration assessments of the environment. Network based vulnerability assessment (VA) has been the primary method employed to baseline networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and accurate vulnerability assessments can be accomplished for managed systems via credentialed access. Unmanaged systems can be discovered and a basic assessment can be completed. The ability to evaluate databases and web applications for security weaknesses is crucial, considering the rise of attacks that target these components. Database scanners check database configuration and properties to verify whether they comply with database security best practices. Web application scanners test an application’s logic for “abuse” cases that can break or exploit the application. Additional tools can be leveraged to perform more in-depth testing and analysis. All three scanning technologies (network, application and database) assess a different class of security weaknesses, and most organizations need to implement all three.

Risk assessment
Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing impact in terms of business impact. The business case for any remedial action should incorporate considerations relating to the reduction of risk and compliance with policy. This forms the basis of the action to be agreed on between the relevant line of business and the security team.

Risk analysis
“Fixing” the issue may involve acceptance of the risk, shifting the risk to another party or reducing the risk by applying remedial action, which could be anything from a configuration change to implementing new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention software). Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes. Many processes and often several teams may come into play (e.g. configuration management, change management, patch management etc.). Monitoring and incident management processes are also required to maintain the environment.



Vulnerability enumeration

Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE identifiers, you may then quickly and accurately access fix information in one or more separate CVE compatible databases to remediate the problem.

Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations and governments that need accurate and consistent vulnerability impact scores.

Common Weakness Enumeration (CWE)
The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design or system architecture. Each individual CWE represents a single vulnerability type. CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability they represent. For more details see: Common Weakness Enumeration.



Remediation Planning

Prioritization
Vulnerability and security configuration assessments typically generate very long remediation work lists, and this remediation work needs to be prioritized. When organizations initially implement vulnerability assessment and security configuration baselines, they typically discover that a large number of systems contain multiple vulnerabilities and security configuration errors. There is typically more mitigation work to do than the resources available to accomplish it. Therefore, prioritization is important.

Root Cause Analysis (RCA)
It is important to analyse security and vulnerability assessments in order to determine the root cause. In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and maintenance processes of IT operations, or within the development or procurement processes of applications. Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes.

What makes a good RCA? An RCA is an analysis of a failure to determine the first (or root) failure that caused the ultimate condition in which the system finds itself. For example, in an application crash one should be thinking, why did it crash this way? A security analyst’s job in performing an RCA is to keep asking the inquisitive "why" until one runs out of room for questions; one is then faced with the problem at the root of the situation. Example: an application had its database pilfered by hackers. The ultimate failure the analyst may be investigating is the exfiltration of consumer private data, but SQL Injection isn't what caused the failure. Why did the SQL Injection happen? Was the root of the problem that the developer responsible simply didn't follow the corporate policy for building SQL queries? Or was the issue a failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API, a free, open source web application security control library that makes it easier for programmers to write lower-risk applications) in the appropriate manner? Or maybe the cause was a vulnerable open-source piece of code that was incorporated into the corporate application without passing it through the full source code lifecycle process? Your job when you're performing an RCA is to figure this out. Root-cause analysis is critical in the software security world. A number of automated solutions are also available for various types of RCA, for example HP's web application security testing technology, which can link XSS issues to a single line of code in the application input handler.

Decision trees and algorithms may be used as tools for further detailed analysis. To learn more, visit: https://www.sans.org/readingroom/whitepapers/detection/decisiontree-analysis-intrusion-detection-how-toguide-33678



[Chart: Ranking of cyber security objectives in terms of business priority (scores out of 5 per objective)]

• 65% of organizations had an average of 3 DDoS attacks in the past 12 months.
• 54 minutes’ downtime during one DDoS attack.
• Average cost per minute of downtime is $22,000.
• Average annual cost of DDoS attacks is $3,000,000.



UNIT III Data Leakage and Prevention

This unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  3.1 Introduction to Data Leakage
  3.2 Organisational Data Classification, Location and Pathways
  3.3 Content Awareness
  3.4 Content Analysis Techniques
  3.5 Data Protection
  3.6 DLP Limitations
  3.7 DRM – DLP Conundrum



Lesson Plan

Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC3. carry out security assessment of information security systems using automated tools
PC11. comply with your organization’s policies, standards, procedures and guidelines when contributing to managing information security

Performance Measures
• Going through various organizations’ websites and understanding their policies and guidelines. (Research)
• Project charter, architecture (charts), project plan, poster presentation and execution plan.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Lab availability (24/7)
• Internet with WiFi (min 2 Mbps dedicated)
• Networking equipment: routers and switches, firewalls and access points
• Access to all security sites like ISO, PCI DSS
• Commercial tools like HP WebInspect and IBM AppScan etc.

You need to know and understand:
KA12. your organization’s information security systems and tools and how to access and maintain these
KA13. standard tools and templates available and how to use these
KB4. how to identify and resolve information security vulnerabilities and issues

Performance Measures
KA12. Going through various organizations’ websites and understanding their policies and guidelines. (Research)
KA12. Project charter, architecture (charts), project plan, poster presentation and execution plan.
KA13. Creation of templates based on the learnings from KA1 to KA12.
KB1 – KB4. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding the various methodologies and usage of algorithms.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement (KA1 to KA13, KB1 – KB4)
• PCs/Tablets/Laptops
• Lab availability (24/7)
• Internet with WiFi (min 2 Mbps dedicated)
• Networking equipment: routers and switches, firewalls and access points
• Access to all security sites like ISO, PCI DSS
• Commercial tools like HP WebInspect and IBM AppScan etc.
• Open source tools like sqlmap, Nessus etc.



Suggested Learning Activities

Activity 1:
Research the extent of data leakage in its various forms across different types of organisations, and incidents of leakage and related loss. Present the cases in class and discuss the various steps that can be taken proactively and post event to ensure loss prevention and minimisation.

Activity 2:
Ask students to identify work behaviours and practices that can lead to data leakage in a work context. Also encourage students to look at their own environment and identify various confidential and personal information and how their own practices and habits can cause data leakage.

Activity 3:
Ask students to research various organisations that offer products and services in Data Leakage Prevention and Data Risk Management. Compare the two, note down and present the various offerings, tools and their features, benefits and limitations.

Activity 4:
Discuss with students the three states of information:
• Data at Rest
• Data in Motion
• Data in Use
Ask students to find examples of data around them and in their daily lives that fall into these three categories. Ask them to state the risks of data leakage and its various sources.



Training Resource Material

3.1 Introduction to Data Leakage
Data leakage is defined as the accidental or unintentional distribution of private or sensitive data to an unauthorized entity.



Sensitive data in companies and organizations include intellectual property (IP), financial information, patient information, personal credit card data, and other information depending on the business and the industry. Data leakage poses a serious issue for companies as the number of incidents and the cost to those experiencing them continue to increase.



Data leakage is made more likely by the fact that transmitted data (both inbound and outbound), including emails, instant messaging, website forms and file transfers among others, is largely unregulated and unmonitored on its way to its destination. Furthermore, in many cases, sensitive data is shared among various stakeholders such as employees working from outside the organization’s premises (e.g. on laptops), business partners and customers. This increases the risk that confidential information will fall into unauthorized hands. Whether caused by malicious intent or an inadvertent mistake by an insider or outsider, exposure of sensitive information can seriously hurt an organization. The potential damage and adverse consequences of a data leakage incident can be classified into two categories:



1. Direct losses: these refer to tangible damage that is easy to measure or to estimate quantitatively. They include violations of regulations (such as those protecting customer privacy) resulting in fines; settlements or customer compensation fees; litigation involving lawsuits; loss of future sales; and costs of investigation and remedial or restoration fees.
2. Indirect losses: these are much harder to quantify and have a much broader impact in terms of cost, place and time. They include reduced share price as a result of negative publicity; damage to a company’s goodwill and reputation; customer abandonment; and exposure of intellectual property (business plans, code, financial reports and meeting agendas) to competitors.



Enterprises use Data Leakage Prevention (DLP) technology as one component in a comprehensive plan for the handling and transmission of sensitive data. The technological means employed for enhancing DLP can be divided into the following categories:
• Standard security measures
• Advanced/intelligent security measures
• Access control and encryption
• Designated DLP systems



Standard security measures are used by many organizations and include common mechanisms such as firewalls, intrusion detection systems (IDSs) and antivirus software that can provide protection against both outsider attacks (e.g. a firewall which limits access to the internal network and an intrusion detection system which detects attempted intrusions) and insider attacks (e.g. antivirus scans to detect a Trojan horse that may be installed on a PC to send confidential information). Another example is the use of thin clients which operate in a client-server architecture, with no personal or sensitive data stored on a client’s computer. Policies and training for improving the awareness of employees and partners provide additional standard security measures.

Advanced or intelligent security measures include machine learning and temporal reasoning algorithms for detecting abnormal access to data (i.e. databases or information retrieval systems), activity based verification (e.g. based on keystrokes and mouse patterns), detection of abnormal email exchange patterns, and applying the honeypot concept for detecting malicious insiders.



Device control, access control and encryption are used to prevent access by an unauthorized user. These are the simplest measures that can be taken to protect large amounts of personal data against malicious outsider and insider attacks.



Designated DLP solutions are intended to detect and prevent attempts to copy or send sensitive data, intentionally or unintentionally, without authorization, mainly by personnel who are authorized to access the sensitive information. A major capability of such solutions is an ability to classify content as sensitive. Designated DLP solutions are typically implemented using mechanisms such as exact data matching, structured data fingerprinting, statistical methods (e.g. machine learning), rule and regular expression matching, published lexicons, conceptual definitions and keywords.



Data Leakage Prevention (DLP) solutions are often referred to as Information Leak Prevention (ILP), Data Leak/Loss Prevention (DLP), Outbound Content Compliance, Content Monitoring and Filtering, Content Monitoring and Protection (CMP) or Extrusion Prevention.



A designated data leakage prevention solution is defined as a system that is designed to detect and prevent the unauthorized access, use or transmission of confidential information. Data in each state often requires different techniques for loss prevention. For example, although deep content inspection is useful for data in motion, it doesn’t help so much for data at rest. Therefore, an effective data loss prevention program should adopt appropriate techniques to cover all the organization’s potential loss modes.



Enterprise data generally exists in the following three major states:
• Data at rest: it resides in file systems, distributed desktops and large centralized data stores, databases or other storage centers.
• Data at the endpoint or in use: it resides at network endpoints such as laptops; USB devices; external drives; CD/DVDs; archived tapes; MP3 players; iPhones or other highly mobile devices.
• Data in motion: it moves through the network to the outside world via email, instant messaging, peer-to-peer (P2P), FTP or other communication mechanisms.



[Chart: Types of data leaked (percentages). Categories: NPI (e.g. customer data), confidential information, PHI (e.g. patient records), intellectual property]

[Chart: Data leak vectors (percentages). Categories: HTTP, email, networked printer, end point, internal mail, IM, webmail, others. Source: http://www.networksunlimited.com]



3.2 Organizational Data Classification, Location and Pathways Enterprises are often unaware of all of the types and locations of information they possess. It is important, prior to purchasing a DLP solution, to identify and classify sensitive data types and their flow from system to system and to users. This process should yield a data taxonomy or classification system that will be leveraged by various DLP modules as they scan for and take action on information that falls into the various classifications within the taxonomy. Analysis of critical business processes should yield the required information. Classifications can include categories such as private customer or employee data, financial data and intellectual property. Once the data have been identified and classified appropriately, further analysis of processes should facilitate the location of primary data stores and key data pathways.



Frequently, multiple copies and variations of the same data are scattered across the enterprise on servers, individual workstations, tape and other media. Copies are frequently made to facilitate application testing without first cleansing the data of sensitive content. Having a good idea of the data classifications and location of the primary data stores proves helpful in both the selection and placement of the DLP solution. Once the DLP solution is in place, it can assist in locating additional data locations and pathways. It is also important to understand the enterprise’s data life cycle. Understanding the life cycle from point of origin through processing, maintenance, storage and disposal will help uncover further data repositories and transmission paths. Additional information should be collected by conducting an inventory of all data egress points, since not all business processes are documented and not all data movement is a result of an established process. Analysis of firewall and router rule sets can aid these efforts.

DLP features vs. DLP solutions
The DLP market is also split between DLP as a feature and DLP as a solution. A number of products, particularly email security solutions, provide basic DLP functions, but aren't complete DLP solutions. The difference is:
• A DLP product includes centralized management, policy creation and enforcement workflow dedicated to the monitoring and protection of content and data. The user interface and functionality are dedicated to solving the business and technical problems of protecting content through content awareness.
• DLP features include some of the detection and enforcement capabilities of DLP products, but are not dedicated to the task of protecting content and data.



3.3 Content Awareness

Content vs. Context
We need to distinguish content from context. One of the defining characteristics of DLP solutions is their content awareness. This is the ability of products to analyse deep content using a variety of techniques, and is very different from analysing context. It's easiest to think of content as a letter and context as the envelope and environment around it.

Context includes things like source, destination, size, recipients, sender, header information, metadata, time, format and anything else short of the content of the letter itself. Context is highly useful and any DLP solution should include contextual analysis as part of an overall solution. A more advanced version of contextual analysis is business context analysis, which involves deeper analysis of the content, its environment at the time of analysis and the use of the content at that time. Content awareness involves peering inside containers and analysing the content itself. The advantage of content awareness is that while we use context, we're not restricted by it. If I want to protect a piece of sensitive data, I want to protect it everywhere and not just in obviously sensitive containers. I'm protecting the data, not the envelope, so it makes a lot more sense to open the letter, read it and decide how to treat it. This is more difficult and time consuming than basic contextual analysis and is the defining characteristic of DLP solutions.

Content Analysis
The first step in content analysis is capturing the envelope and opening it. The engine then needs to parse the context (we'll need that for the analysis) and dig into the content. This is easy for a plain text email, but when you want to look inside binary files, it gets a little more complicated.

All DLP solutions solve this using file cracking. File cracking is the technology used to read and understand the file, even if the content is buried multiple levels down. For example, it's not unusual for the cracker to read an Excel spreadsheet embedded in a Word file that's zipped. The product needs to unzip the file, read the Word doc, analyse it, find the Excel data, read it and analyse it. Other situations get far more complex, like a .pdf embedded in a CAD file. Many of the products in the market today support around 300 file types, embedded content, multiple languages, double byte character sets for Asian languages, and pulling plain text from unidentified file types. Quite a few use the Autonomy or Verity content engines to help with file cracking, but all the serious tools have quite a bit of proprietary capability in addition to the embedded content engine. Some tools support analysis of encrypted data if enterprise encryption is used with recovery keys, and most tools can identify standard encryption and use that as a contextual rule to block/quarantine content.



3.4 Content Analysis Techniques
Once the content is accessed, there are seven major analysis techniques used to find policy violations, each with its own strengths and weaknesses.

1. Rule based / regular expressions: This is the most common analysis technique available in both DLP products and other tools with DLP features. It analyses the content for specific rules, such as 16 digit numbers that meet credit card checksum requirements, medical billing codes or other textual analyses. Most DLP solutions enhance basic regular expressions with their own additional analysis rules (e.g. a name in proximity to an address near a credit card number).
Best suited for: a first-pass filter, or for detecting easily identified pieces of structured data like credit card numbers, social security numbers and healthcare codes/records.
Strengths: rules process quickly and can be easily configured. Most products ship with initial rule sets. The technology is well understood and easy to incorporate into a variety of products.
Weaknesses: prone to high false positive rates. Offers very little protection for unstructured content like sensitive intellectual property.

2. Database fingerprinting: Sometimes called Exact Data Matching, this technique takes either a database dump or live data (via ODBC connection) from a database and only looks for exact matches. For example, you could generate a policy to look only for credit card numbers in your customer base, thus ignoring your own employees buying online. More advanced tools look for combinations of information, such as the magic combination of first name or initial with last name, credit card or social security number that triggers a disclosure. Make sure you understand the performance and security implications of nightly extracts vs. live database connections.
Best suited for: structured data from databases.
Strengths: very low false positives (close to 0). Allows you to protect customer/sensitive data while ignoring other, similar data used by employees (like their personal credit cards for online orders).
Weaknesses: nightly dumps won't contain transaction data since the last extract. Live connections can affect database performance. Large databases affect product performance.

3. Exact file matching: With this technique you take a hash of a file and monitor for any files that match that exact fingerprint. Some consider this to be a contextual analysis technique since the file contents themselves are not analysed.
Best suited for: media files and other binaries where textual analysis isn't necessarily possible.
Strengths: works on any file type; low false positives with a large enough hash value (effectively none).
Weaknesses: trivial to evade. Worthless for content that's edited, such as standard office documents and edited media files.



4._Partial document matching: This technique looks for a complete or partial match on protected content. Thus you could build a policy to protect a sensitive document, and the DLP solution will look for either the complete text of the document, or even excerpts as small as a few sentences. For example, you could load up a business plan for a new product and the DLP solution would alert if an employee pasted a single paragraph into an Instant Message. Most solutions are based on a technique known as cyclical hashing, where you take a hash of a portion of the content, offset a predetermined number of characters, then take another hash, and keep going until the document is completely loaded as a series of overlapping hash values. Outbound content is run through the same hash technique, and the hash values compared for matches. Many products use cyclical hashing as a base, then add more advanced linguistic analysis. Its advantages are: protecting sensitive documents or similar content with text such as CAD files (with text labels) and source code. Unstructured content that's known to be sensitive. Strengths: ability to protect unstructured data. Generally low false positives (some vendors will say zero false positives, but any common sentence/ text in a protected document can trigger alerts). Doesn't rely on complete matching of large documents. It can find policy violations on even a partial match. Weaknesses: performance limitations on the total volume of content that can be protected. Common phrases/ verbiage in a protected document may trigger false positives. Must know exactly which



documents you want to protect. Trivial to avoid (ROT 1 encryption is sufficient for evasion). 5._Statistical analysis: Use of machine learning, Bayesian analysis and other statistical techniques to analyse a corpus of content and find policy violations in content that resembles the protected content. This category includes a wide range of statistical techniques which vary greatly in implementation and effectiveness. Some techniques are very similar to those used to block spam. Its advantages are: unstructured content where a deterministic technique, like partial document matching would be ineffective. For example, a repository of engineering plans that's impractical to load for partial document matching due to high volatility or massive volume. Strengths: can work with more nebulous content where you may not be able to isolate exact documents for matching. Can enforce policies such as "alert on anything outbound that resembles the documents in this directory". Weaknesses: prone to false positives and false negatives. Requires a large corpus of source content – the bigger, the better. 6._Conceptual/ Lexicon: This technique uses a combination of dictionaries, rules and other analyses to protect nebulous content that resembles an "idea". It's easier to give an example — a policy that alerts on traffic that resembles insider trading, which uses key phrases, word counts and positions to find violations. Other examples are sexual harassment, running a private business from a work account and job hunting.






Trainer’s Guide– Security Analyst SSC/N0901



Its advantages are: completely unstructured ideas that defy simple categorization based on matching known documents, databases or other registered sources.

Strengths: not all corporate policies or content can be described using specific examples. Conceptual analysis can find closely defined policy violations other techniques can't even think of monitoring for.

Weaknesses: in most cases, these are not user-definable and the rule sets must be built by the DLP vendor with significant effort, which costs more. This technique is very prone to false positives and negatives because of the flexible nature of the rules.

7. Categories: Pre-built categories with rules and dictionaries for common types of sensitive data, such as credit card numbers/ PCI protection, HIPAA etc.

Its advantages are: anything that neatly fits a provided category. Typically, easy to describe content related to privacy, regulations or industry specific guidelines.

Strengths: extremely simple to configure. Saves significant policy generation time. Category policies can form the basis for more advanced, enterprise specific policies. For many organizations, categories can meet a large percentage of their data protection needs.

Weaknesses: one size fits all might not work. Only good for easily categorized rules and content.

These seven techniques form the basis for most of the DLP products on the market. Not all products include all techniques, and there can be significant differences between implementations. Most products can also chain techniques — building complex policies from combinations of content and contextual analysis techniques.
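As an added illustration of the cyclical hashing described under partial document matching (not code from the handbook or from any DLP vendor), the Python below fingerprints a protected document as overlapping window hashes and checks outbound text against them. The window size, slide offset, sample business plan and sample messages are all constructed for the example; the boilerplate exclusion is this example's own mitigation for the common-phrase false positives noted above.

```python
"""Cyclical hashing for partial document matching.

Added illustration, not code from the handbook or any DLP vendor. A protected
document is registered as a series of overlapping window hashes; outbound text
is hashed the same way and looked up. The `exclude` list is this example's own
mitigation for the false-positive weakness described in the text: standard
footers and disclaimers are stripped before fingerprinting so that they cannot
trigger a match on their own.
"""
import hashlib
import re
import unicodedata

WINDOW = 64   # characters per hash window (assumed value; vendors tune this)
OFFSET = 16   # characters to slide between registered windows


def normalise(text):
    """Fold case, Unicode form and whitespace so reflowed copies still match.
    This does not defeat character substitution such as ROT-style shifts."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"\s+", " ", text).strip()


def _digest(chunk):
    return hashlib.sha256(chunk.encode("utf-8")).hexdigest()


def register(document, exclude=(), window=WINDOW, offset=OFFSET):
    """Fingerprint a protected document: hash `window` characters, slide
    `offset` characters, hash again, until the text is covered."""
    norm = normalise(document)
    for phrase in exclude:
        norm = norm.replace(normalise(phrase), " ")
    norm = re.sub(r"\s+", " ", norm).strip()
    if len(norm) <= window:
        return {_digest(norm)} if norm else set()
    starts = list(range(0, len(norm) - window + 1, offset))
    if starts[-1] != len(norm) - window:
        starts.append(len(norm) - window)   # cover the tail of the document
    return {_digest(norm[i:i + window]) for i in starts}


def scan(outbound, fingerprints, window=WINDOW):
    """Slide over outbound text one character at a time (so an excerpt of
    roughly window + offset characters always aligns with some registered
    window) and count windows whose hash is in the fingerprint set."""
    norm = normalise(outbound)
    if len(norm) <= window:
        return int(_digest(norm) in fingerprints)
    return sum(1 for i in range(len(norm) - window + 1)
               if _digest(norm[i:i + window]) in fingerprints)


def violates(outbound, fingerprints, min_hits=2):
    """Policy decision: alert once at least `min_hits` windows match."""
    return scan(outbound, fingerprints) >= min_hits


# Constructed sample content (not a real business plan or real traffic).
BOILERPLATE = ("Confidential. This document contains proprietary information of "
               "Example Corp and is intended solely for internal use. Do not distribute.")
PARAGRAPH = ("Project Kestrel will launch a mid-range hardware security module in "
             "the third quarter, priced twenty percent below the incumbent, with "
             "a channel strategy built around three regional distributors.")
BUSINESS_PLAN = "\n".join([
    "Example Corp business plan, draft 3",
    PARAGRAPH,
    "Staffing ramps from four engineers to eleven by year end.",
    BOILERPLATE,
])
LEAK_IM = "fyi, this is what they are planning: " + PARAGRAPH
FOOTER_ONLY_EMAIL = "Hi all, the Friday review moves to 3pm. " + BOILERPLATE
UNRELATED = "Lunch menu for Wednesday: lentil soup, grilled vegetables, fruit."

if __name__ == "__main__":
    naive = register(BUSINESS_PLAN)
    tuned = register(BUSINESS_PLAN, exclude=[BOILERPLATE])
    for label, text in (("pasted paragraph", LEAK_IM),
                        ("footer only", FOOTER_ONLY_EMAIL),
                        ("unrelated", UNRELATED)):
        print(f"{label:17}  naive hits={scan(text, naive):3d}"
              f"  tuned hits={scan(text, tuned):3d}")
```

The pasted paragraph is caught either way; the footer-only mail is a false positive against the naive fingerprint set and is cleared once the footer is excluded.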









3.5 Data Protection

The goal of DLP is to protect content throughout its lifecycle. In terms of DLP, this includes three major aspects:

• Data at Rest includes scanning of storage and other content repositories to identify where sensitive content is located. We call this content discovery. For example, you can use a DLP product to scan your servers and identify documents with credit card numbers. If the server isn't authorized for that kind of data, the file can be encrypted or removed, or a warning sent to the file owner.

• Data in Motion is sniffing of traffic on the network (passively or inline via proxy) to identify content being sent across specific communications channels. For example, this includes sniffing emails, instant messages and web traffic for snippets of sensitive source code. In motion, tools can often block based on central policies depending on the type of traffic.

• Data in Use is typically addressed by endpoint solutions that monitor data as the user interacts with it. For example, they can identify when you attempt to transfer a sensitive document to a USB drive and block it (as opposed to blocking use of the USB drive entirely). Data in use tools can also detect things like copy and paste or use of sensitive data in an unapproved application (such as someone attempting to encrypt data to sneak it past the sensors).



Many organizations first enter the world of DLP with network based products that provide broad protection for managed and unmanaged systems. It’s typically easier to start a deployment with network products to gain broad coverage quickly. Early products limited themselves to basic monitoring and alerting, but all current products include advanced capabilities to integrate with existing network infrastructure and provide protective, not just detective, controls.









Data In Motion

Network Monitor

At the heart of most DLP solutions lies a passive network monitor. The network monitoring component is typically deployed at or near the gateway on a SPAN port (or a similar tap). It performs full packet capture, session reconstruction and content analysis in real time. Performance is more complex and subtle than vendors normally discuss. First, on the client expectation side, most clients claim they need full gigabit Ethernet performance, but that level of performance is unnecessary except in very unusual circumstances, since few organizations are really running that high a level of communications traffic. DLP is a tool to monitor employee communications, not web application traffic. Realistically, we find that small enterprises normally run under 50 MByte/s of relevant traffic, medium enterprises run closer to 50-200 MB/s and large enterprises around 300 MB/s (maybe as high as 500 in a few cases). Not every product runs full packet capture because of the content analysis overhead. You might have to choose between pre-filtering (and thus missing non-standard traffic) or buying more boxes and load balancing. Also, some products lock monitoring into pre-defined port and protocol combinations, rather than using service/ channel identification based on packet content. Even if full application channel identification is included, you want to make sure it's enabled; otherwise you might miss non-standard communications such as connecting over an unusual port. Most of the network monitors are dedicated general purpose server hardware with DLP software installed. A few vendors deploy true specialized appliances. While some products have their management, workflow and reporting built into the network monitor, this is often offloaded to a separate server or appliance.

Email Integration

The next major component is email integration. Since email is stored and forwarded, you can gain a lot of capabilities, including quarantine, encryption integration and filtering, without the same hurdles to avoid blocking synchronous traffic. Most products embed an MTA (Mail Transport Agent) into the product, allowing you to just add it as another hop in the email chain. Quite a few also integrate with some of the major existing MTAs/ email security solutions directly for better performance. One weakness of this approach is it doesn't give you access to internal email. If you're on an Exchange server, internal messages never make it through the external MTA since there's no reason to send that traffic out. To monitor internal mail, you'll need direct Exchange/ Lotus integration, which is surprisingly rare in the market. Full integration is different from just scanning logs/ libraries after the fact, which is what some companies call internal mail support. Good email integration is absolutely critical if you ever want to do any filtering, as opposed to just monitoring.

Filtering/ Blocking and Proxy Integration

Nearly anyone deploying a DLP solution will eventually want to start blocking traffic. There's only so long you can take watching all your sensitive data running to the nether regions of the Internet before you start taking some action. Blocking isn't the easiest thing in the world, especially since we're trying to allow good traffic, block only bad traffic, and make the decision using real-time content analysis. Email, as we mentioned, is fairly straightforward to filter. It's not quite real time and is ‘proxied’ by its very nature. Adding one more analysis hop is a manageable problem in even the most complex environments. Outside of email, most of our communications traffic is synchronous. Everything runs in real time. Thus if we want to filter it we either need to bridge the traffic, proxy it or poison it from the outside.

Bridge

With a bridge, we just have a system with two network cards which performs content analysis in the middle. If we see something bad, the bridge breaks the connection for that session. Bridging isn't the best approach for DLP since it might not stop all the bad traffic before it leaks out. It's like sitting in a doorway watching everything go past with a magnifying glass. By the time you get enough traffic to make an intelligent decision, you may have missed the really good stuff. Very few products take this approach, although it does have the advantage of being protocol agnostic.

Proxy

In simplified terms, a proxy is protocol/ application specific and queues up traffic before passing it on, allowing for deeper analysis. We see gateway proxies mostly for HTTP, FTP and IM protocols. Few DLP solutions include their own proxies. They tend to integrate with existing gateway/ proxy vendors since most customers prefer integration with these existing tools. Integration for web gateways is typically through the ICAP protocol, allowing the proxy to grab the traffic, send it to the DLP product for analysis and cut communication if there's a violation. This means you don't have to add another piece of hardware in front of your network traffic, and the DLP vendors can avoid the difficulties of building dedicated network hardware for inline analysis. If the gateway includes a reverse SSL proxy you can also sniff SSL connections. You will need to make changes on your endpoints to deal with all the certificate alerts, but you can now peer into encrypted traffic. For Instant Messaging, you'll need an IM proxy and a DLP product that specifically supports whatever IM protocol you're using.

TCP Poisoning

The last method of filtering is TCP poisoning. You monitor the traffic and when you see something bad, you inject a TCP reset packet to kill the connection. This works on every TCP protocol but isn't very efficient. For one thing, some protocols will keep trying to get the traffic through. If you TCP poison a single email message, the server will keep trying to send it for three days, as often as every 15 minutes. The other problem is the same as bridging. Since you don't queue the traffic at all, by the time you notice something bad, it might be too late. It's a good stop-gap to cover non-standard protocols, but you'll want to proxy as much as possible.

Internal Networks

Although technically capable of monitoring internal networks, DLP is rarely used on internal traffic other than email. Gateways provide convenient choke points. Internal monitoring is a daunting prospect from cost, performance, and policy management/ false positive standpoints. A few DLP vendors have partnerships for internal monitoring, but this is a lower priority feature for most organizations.

Distributed and Hierarchical Deployments

All medium to large enterprises and many smaller organizations have multiple locations and web gateways. A DLP solution should support multiple monitoring points, including a mix of passive network monitoring, proxy points, email servers and remote locations. While processing/ analysis can be offloaded to remote enforcement points, they should send all events back to a central management server for workflow, reporting, investigations and archiving. Remote offices are usually easy to support since you can just push policies down and reporting back, but not every product has this capability. The more advanced products support hierarchical deployments for organizations that want to manage DLP differently in multiple geographic locations or by business unit. International companies often need this to meet legal monitoring requirements which vary by country. Hierarchical management supports coordinated local policies and enforcement in different regions, running on their own management servers and communicating back to a central management server. Early products only supported one management server, but now we have options to deal with these distributed situations with a mix of corporate/ regional/ business unit policies, reporting and workflow.



Data At Rest

While catching leaks on the network is fairly powerful, it's only one small part of the problem. Many customers are finding that it's just as valuable, if not more valuable, to figure out where all that data is stored in the first place. We call this content discovery. Enterprise search tools might be able to help with this, but they really aren't tuned well for this specific problem. Enterprise data classification tools can also help, but based on discussions with a number of clients, they don't seem to work well for finding specific policy violations. Thus we see many clients opting to use the content discovery features of their DLP products. The biggest advantage of content discovery in a DLP tool is that it allows you to take a single policy and apply it across data no matter where it's stored, how it's shared, or how it's used. For example, you can define a policy that requires credit card numbers to only be emailed when encrypted, never be shared via HTTP or HTTPS, only be stored on approved servers and only be stored on workstations/ laptops by employees on the accounting team. All of this can be specified in a single policy on the DLP management server.
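As an added example (not from the handbook or any DLP product), the Python below registers the credit card policy just described once and applies it to events from email, web, file servers and workstations, the way a single policy on the management server is enforced across channels. Channel names, host names, user names and the event layout are assumptions of this example; card numbers are found with a digit pattern plus a Luhn check, the usual category rule for cardholder data.

```python
"""Content discovery with one policy applied across channels.

Added example, not code from the handbook or any DLP product. It encodes the
credit card policy quoted in the text (encrypted email only, never over HTTP
or HTTPS, approved servers only, accounting workstations only) once and
applies it to events from the network, file servers and endpoints. Host
names, user names and the event layout are assumptions of this example.
"""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits):
    """Luhn check digit validation; weeds out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass(frozen=True)
class CardDataPolicy:
    approved_servers: frozenset
    accounting_users: frozenset

    def evaluate(self, event):
        """Return (action, reason) for one event seen by any DLP component."""
        pans = find_pans(event["content"])
        if not pans:
            return "allow", "no card numbers found"
        count = f"{len(pans)} card number(s)"
        channel = event["channel"]
        if channel == "email":
            if event.get("encrypted"):
                return "allow", f"{count} in encrypted email"
            return "block", f"{count} in unencrypted email"
        if channel in ("http", "https"):
            return "block", f"{count} sent over {channel.upper()}, never permitted"
        if channel == "server":
            if event["host"] in self.approved_servers:
                return "allow", f"{count} on approved server {event['host']}"
            return "quarantine_encrypt", f"{count} on unapproved server {event['host']}"
        if channel == "workstation":
            if event["owner"] in self.accounting_users:
                return "allow", f"{count} on accounting workstation"
            return "quarantine_notify", f"{count} on workstation of {event['owner']}"
        return "alert", f"{count} on unhandled channel {channel}"


POLICY = CardDataPolicy(approved_servers=frozenset({"fs-payments-01"}),
                        accounting_users=frozenset({"asha.k", "r.menon"}))

# Constructed events. 4111 1111 1111 1111 is a well-known test number, not a
# real card; 4111-1111-1111-1112 fails the Luhn check and must not match.
SAMPLE_EVENTS = [
    {"id": "email-plain", "channel": "email", "encrypted": False,
     "content": "Please charge 4111 1111 1111 1111 for the renewal."},
    {"id": "email-encrypted", "channel": "email", "encrypted": True,
     "content": "Please charge 4111 1111 1111 1111 for the renewal."},
    {"id": "https-upload", "channel": "https",
     "content": "cardno=4111111111111111&cvv=***"},
    {"id": "approved-share", "channel": "server", "host": "fs-payments-01",
     "content": "settlement batch: 4111 1111 1111 1111"},
    {"id": "marketing-share", "channel": "server", "host": "fs-marketing-02",
     "content": "lead list with card 4111-1111-1111-1111 attached"},
    {"id": "accounting-laptop", "channel": "workstation", "owner": "asha.k",
     "content": "refund for 4111111111111111 approved"},
    {"id": "sales-laptop", "channel": "workstation", "owner": "d.singh",
     "content": "refund for 4111111111111111 approved"},
    {"id": "order-number", "channel": "email", "encrypted": False,
     "content": "Your order 4111-1111-1111-1112 has shipped."},
]


def run_discovery(policy=POLICY, events=SAMPLE_EVENTS):
    """Apply the single policy to every event; returns (id, action, reason)."""
    return [(e["id"],) + policy.evaluate(e) for e in events]


if __name__ == "__main__":
    for event_id, action, reason in run_discovery():
        print(f"{event_id:18} {action:19} {reason}")
```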



Content discovery consists of three components:

• Endpoint discovery: scanning workstations and laptops for content.

• Storage discovery: scanning mass storage, including file servers, SAN and NAS.

• Server discovery: application specific scanning of stored data on email servers, document management systems and databases (not currently a feature of most DLP products, but beginning to appear in some Database Activity Monitoring products).



Content Discovery Techniques

There are three basic techniques for content discovery:

1. Remote scanning: a connection is made to the server or device using a file sharing or application protocol, and scanning is performed remotely. This is essentially mounting a remote drive and scanning it from a server that takes policies from, and sends results to, the central policy server. For some vendors, this is an appliance while for others, it's a commodity server. For smaller deployments, it's integrated into the central management server.

2. Agent based scanning: an agent is installed on the system (server) to be scanned and scanning is performed locally. Agents are platform specific, and use local CPU cycles, but can potentially perform significantly faster than remote scanning, especially for large repositories. For endpoints, this should be a feature of the same agent used for enforcing.

3. Memory resident agent scanning: rather than deploying a full-time agent, a memory resident agent is installed, which performs a scan, then exits without leaving anything running or stored on the local system. This offers the performance of agent based scanning in situations where you don't want an agent running all the time.

Any of these technologies can work for any of the modes, and enterprises will typically deploy a mix depending on policy and infrastructure requirements. We currently see technology limitations with each approach which guide deployment:

• Remote scanning can significantly increase network traffic and has performance limitations based on network bandwidth and target and scanner network performance. Some solutions can only scan gigabytes per day (sometimes hundreds, but not terabytes per day), per server, based on these practical limitations, which may be inadequate for very large storage.

• Agents, temporal or permanent, are limited by processing power and memory on the target system, which often translates to restrictions on the number of policies that can be enforced, and the types of content analysis that can be used. For example, most endpoint agents are not capable of partial document matching or database fingerprinting against large data sets. This is especially true of endpoint agents, which are more limited.

• Agents don't support all platforms.



Data at Rest Enforcement

Once a policy violation is discovered, the DLP tool can take a variety of actions:

• Alert/ report: create an incident in the central management server just like a network violation.
• Warn: notify the user via email that they may be in violation of policy.
• Quarantine/ notify: move the file to the central management server and leave a text file with instructions on how to request recovery of the file.
• Quarantine/ encrypt: encrypt the file in place, usually leaving a plain text file describing how to request decryption.
• Quarantine/ access control: change access controls to restrict access to the file.
• Remove/ delete: either transfer the file to the central server without notification or just delete it.

The combination of different deployment architectures, discovery techniques and enforcement options creates a powerful combination for protecting data at rest and supporting compliance initiatives. For example, we're starting to see increasing deployments of CMF (content monitoring and filtering) to support PCI compliance — more for the ability to ensure (and report) that no cardholder data is stored in violation of PCI than to protect email or web traffic.

Data In Use

DLP usually starts on the network because that's the most cost-effective way to get the broadest coverage. Network monitoring is non-intrusive (unless you have to crack SSL), and offers visibility to any system on the network, managed or unmanaged, server or workstation. Filtering is more difficult, but again still relatively straightforward on the network (especially for email) and covers all systems connected to the network. However, this isn't a complete solution. It doesn't protect data when someone walks out the door with a laptop, and can't even prevent people from copying data to portable storage like USB drives. To move from a "leak prevention" solution to a "content protection" solution, products need to expand not only to stored data, but to the endpoints where data is used.

Note: Although there have been large advancements in endpoint DLP, endpoint-only solutions are not recommended for most users. DLP endpoint solutions normally require compromise on the number and types of policies that can be enforced, and offer limited email integration with no protection for unmanaged systems. An organisation will need both network and endpoint capabilities, and most of the leading network solutions are adding or already offer at least some endpoint protection.



Adding an endpoint agent to a DLP solution not only gives you the ability to discover stored content, but to potentially protect systems no longer on the network or even protect data as it's being actively used. While extremely powerful, it has been problematic to implement. Agents need to perform within the resource constraints of a standard laptop while maintaining content awareness. This can be difficult if you have large policies such as "protect all 10 million credit card numbers from our database", as opposed to something simpler like "protect any credit card number", which will generate false positives every time an employee visits, say, flipkart.com.



Key capabilities

Existing products vary widely in functionality, but we can break out three key capabilities:

1. Monitoring and enforcement within the network stack: this allows enforcement of network rules without a network appliance. The product should be able to enforce the same rules as if the system were on the managed network, as well as separate rules designed only for use on unmanaged networks.

2. Monitoring and enforcement within the system kernel: by plugging directly into the operating system kernel you can monitor user activity, such as copying and pasting sensitive content. This can also allow products to detect (and block) policy violations when the user is taking sensitive content and attempting to hide it from detection, perhaps by encrypting it or modifying source documents.

3. Monitoring and enforcement within the file system: this allows monitoring and enforcement based on where data is stored. For example, you can perform local discovery and/ or restrict transfer of sensitive content to unencrypted USB devices.

These options are simplified, and most early products focus on 1 and 3 to solve the portable storage problem and protect devices on unmanaged networks. System/ kernel integration is much more complex and there are a variety of approaches to gaining this functionality.






Endpoint DLP is evolving to support a few critical use cases:

• Enforcing network rules off the managed network or modifying rules for more hostile networks.

• Restricting sensitive content from portable storage, including USB drives, CD/ DVD drives, home storage and devices like smartphones and PDAs.

• Restricting copy and paste of sensitive content.

• Restricting applications allowed to use sensitive content, for example, only allowing encryption with an approved enterprise solution, not tools downloaded online that don't allow enterprise data recovery.

• Integration with Enterprise Digital Rights Management to automatically apply access control to documents based on the included content.

• Auditing use of sensitive content for compliance reporting.



The following features are highly desirable when deploying DLP at the endpoint:

• Endpoint agents and rules should be centrally managed by the same DLP management server that controls data in motion and data at rest (network and discovery).

• Policy creation and management should be fully integrated with other DLP policies in a single interface.

• Incidents should be reported to, and managed by, a central management server.

• Endpoint agents should use the same content analysis techniques and rules as the network servers/ appliances.

• Rules (policies) should adjust based on where the endpoint is located (on or off the network). When the endpoint is on a managed network with gateway DLP, redundant local rules should be skipped to improve performance.

• Agent deployment should integrate with existing enterprise software deployment tools.

• Policy updates should offer options for secure management via the DLP management server or existing enterprise software update tools.



Endpoint limitations



Realistically, the performance and storage limitations of the endpoint will restrict the types of content analysis supported and the number and type of policies that are locally enforced. For some enterprises, this might not matter depending on the kinds of policies to be enforced, but in many cases endpoints impose significant constraints on data in use policies.









Photo source: www.slideshare.net



3.6 DLP Limitations

While DLP solutions can go far in helping an enterprise gain greater insight over and control of sensitive data, stakeholders need to be apprised of limitations and gaps in DLP solutions. Understanding these limitations is the first step in the development of strategies and policies to help compensate for the limitations of the technology. Some of the most significant limitations common among DLP solutions are:

• Encryption — DLP solutions can only inspect encrypted information that they can first decrypt. To do this, DLP agents, network appliances and crawlers must have access to, and be able to utilize, the appropriate decryption keys. If users have the ability to use personal encryption packages where keys are not managed by the enterprise and provided to the DLP solution, the files cannot be analyzed. To mitigate this risk, policies should forbid the installation and use of encryption solutions that are not centrally managed, and users should be educated that anything that cannot be decrypted for inspection (meaning that the DLP solution has the encryption key) will ultimately be blocked.



• Graphics — DLP solutions cannot intelligently interpret graphics files. Short of blocking or manually inspecting all such information, a significant gap will exist in an enterprise’s control of its information. Sensitive information scanned into a graphics file, or intellectual property (IP) that exists in a graphics format such as design documents, would fall into this category. Enterprises that have significant IP in a graphics format should develop strong policies that govern the use and dissemination of this information. While DLP solutions cannot intelligently read the contents of a graphics file, they can identify specific file types, their source and destination. This capability, combined with well-defined traffic analysis, can flag uncharacteristic movement of this type of information and provide some level of control.







• Third-party service providers — When an enterprise sends its sensitive information to a trusted third party, it is inherently trusting that the service provider mirrors the same level of control over information leaks, since the enterprise’s DLP solutions rarely extend to the service provider’s network. A robust third-party management program that incorporates effective contract language and a supporting audit program can help mitigate this risk.







• Mobile devices — With the advent of mobile computing devices, such as smartphones, there are communication channels that are not easily monitored or controlled. Short message service (SMS), the communication protocol that allows text messaging, is a key example. Another consideration is the ability of many of these devices to utilize Wi-Fi or even become a Wi-Fi hotspot themselves. Both cases allow for out-of-band communication that cannot be monitored by most enterprises. Finally, the ability of many of these devices to capture and store digital photographs and audio information presents yet another potential gap. While some progress is being made in this area, the significant limitations of processing power and centralized management remain a challenge. Again, this situation is best addressed by the development of strong policies and supporting user education to compel appropriate use of these devices.







• Multilingual support — A few DLP solutions support multiple languages, but virtually all management consoles support only English. It is also true that for each additional language and character set the system must support, processing requirements and time windows for analysis increase. Until such time that vendors recognize sufficient market demand to address this gap, there is little recourse but to seek other methods to control information leaks in languages other than English. Multinational enterprises must carefully consider this potential gap when evaluating and deploying a DLP solution.

• Solution lock-in — At this time there is no portability of rule sets across various DLP platforms, which means that changing from one vendor to another or integration with an acquired organization’s solution can require significant work to replicate a complex rule set in a different product.

• Limited client OS support — Many DLP solutions do not provide endpoint DLP agents for operating systems such as Linux and Mac because their use as clients in the enterprise is much less common. This does, however, leave a potentially significant gap for enterprises that have a number of these clients. This risk can only be addressed by behavior oriented policies or requires the use of customized solutions that are typically not integrated with the enterprise DLP platform.

• Cross application support — DLP functions can also be limited by application types. A DLP agent that can monitor the data manipulations of one application may not be able to do so for another application on the same system. Enterprises must ensure that all applications that can manipulate sensitive data are identified and must verify that the DLP solution supports them. In cases where unsupported applications exist, other actions may be required through policy, or if feasible, through removal of the application in question.

These points are not intended to discourage the adoption of DLP technology. The only recourse for most enterprises is the adoption of behavioral policies and physical security controls that complement the suite of technology controls that is available today.

The Open Security Foundation's DataLossDB gathers information about events involving the loss, theft or exposure of personally identifiable information (PII). DataLossDB's dataset, in current and previous forms, has been used in research by numerous educational, governmental and commercial entities, which often have been able to provide statistical analysis with graphical presentations. The charts below are provided in "as-is" format based on the current dataset maintained by the Open Security Foundation and DataLossDB.















3.7 The DRM – DLP Conundrum

Digital Rights Management (DRM) is a system for protecting the copyrights of data circulated via the Internet or other digital media by enabling secure distribution and/ or disabling illegal distribution of the data. Typically, a DRM system protects intellectual property by either encrypting the data so that it can only be accessed by authorized users, or marking the content with a digital watermark or similar method so that the content cannot be freely distributed. More broadly, DRM is the practice of imposing technological restrictions that control what users can do with digital media. When a program is designed to prevent you from copying or sharing a song, reading an ebook on another device, or playing a single player game without an internet connection, you are being restricted by DRM. In other words, DRM creates a damaged good – it prevents you from doing what would be possible without it. This concentrates control over production and distribution of media, giving DRM peddlers the power to carry out massive digital book burnings and conduct large scale surveillance over people's media viewing habits.

Enterprise Digital Rights Management (DRM) and Data Loss Prevention (DLP) are typically thought of as separate technologies that could replace each other. DRM encrypts files and controls access privileges dynamically as a file is in use. DLP detects patterns and can restrict movement of information that meets certain criteria. Rather than being competitive, the reality is that many organizations can use them as complementary solutions. DLP’s ability to scan, detect data patterns and enforce appropriate actions using contextual awareness reduces the risk of losing sensitive data. A drawback of DLP is that it does not provide any protection in case users have to send confidential information legitimately to a business partner or customer. DLP cannot protect information once it is outside the organization’s perimeter. DLP is very good at monitoring the flow of data throughout an organization and applying predefined policies at endpoint devices or the network. The policies can log activities, send warnings to end users and administrators, quarantine data or block it altogether. The challenge is that most businesses need to share sensitive data with outside people. Considering most data leaks originate from trusted insiders who have or had access to sensitive documents, organizations must complement and empower the existing security infrastructure with a data centric security solution that protects data in use persistently. That is where DRM comes in. DRM ensures that only intended recipients can view sensitive files regardless of their location. This assures protection of data beyond controlled boundaries so that an organization is always in control of its information. DRM policy stays with the document even if it is renamed or saved to another format, like a PDF. This provides a more complete solution to limit the possibility of a data breach.

By integrating DLP and DRM, organizations may be able to:

• allow DLP to scan DRM-protected documents, and apply DLP policies
• enforce DLP policy engines to encrypt or reclassify a file to create a DRM protected document
• secure data persistently and reduce the risk of losing it from both insiders and outsiders.

DLP alone cannot control data in use by authorized internal or external users. Adding DRM ensures that vulnerabilities are minimized and that an organization can immediately deny access to any file regardless of its location.






Trainer’s Guide– Security Analyst SSC/N0901



UNIT IV Information Security Policies, Procedures, Standards and Guidelines



This unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  4.1. Information Security Policies
  4.2. Key Elements of a Security Policy
  4.3. Security Standards, Guidelines and Frameworks
  4.4. Laws, Regulations and Guidelines






Lesson Plan

(Columns of the original table: Outcomes | Performance Measures | Ensuring | Duration (Hrs) | Work Environment / Lab Requirement)

Outcomes – To be competent, you must be able to:
  PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
  PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security
Duration: 4 hrs
Work Environment / Lab Requirement: PCs/Tablets/Laptops; lab availability (24/7); Internet with WiFi (min 2 Mbps dedicated); networking equipment (routers and switches, firewalls and access points); commercial tools such as HP WebInspect and IBM AppScan; sqlmap (open source), Nessus, etc.

Outcomes – You need to know and understand:
  KA1. your organization's policies, procedures, standards and guidelines for managing information security
  KA2. your organization's knowledge base and how to access and update this
  KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
  KA12. your organization's information security systems and tools and how to access and maintain these
  KA13. standard tools and templates available and how to use these
  KB1. fundamentals of information security and how to apply these, including: networks; communication; application security
Performance Measures:
  KA1. QA session and a descriptive write-up on understanding.
  KA2. Group presentation and peer evaluation along with faculty.
  KA4. Performance evaluation from faculty and industry, with reward points.
  KA12. Faculty and peer review.
  KA13. Faculty and peer review.
  KB1–KB4. Group and faculty evaluation based on anticipated outcomes; reward points to be allocated to groups.
Duration: 8 hrs
Work Environment / Lab Requirement: PCs/Tablets/Laptops; lab availability (24/7); Internet with WiFi (min 2 Mbps dedicated); access to security standards sites (ISO, PCI DSS, Center for Internet Security); security templates from ITIL and ISO









Suggested Learning Activities

Activity 1: Divide students into groups and ask them to research and collate security policies from various organisations. Let them categorise the policies and highlight the differences between them based on context, including sector, size of organisation, types of information or data held, country, etc. Ask the students to compile a list of components that are common across policies. Engage them in a discussion of why they think these elements are similar or dissimilar and what the impact of the variances is.

Activity 2: Divide the students into groups and ask them to research the various data security standards that are available. Ask them to categorise the standards by the area they pertain to. Let them present the key highlights of a selected standard. Engage them in a discussion on why standards are important and why these standards have credibility and legitimacy. Encourage them to consider the composition of the standard-setting body and who its members or patrons are.

Activity 3: Ask the students to develop standards for various aspects of their student life and education, and to make a plan for advocacy and promotion of these standards so that more people adopt them. Let them list the key imperatives and challenges for successful adoption and recognition of their proposed standards.

Activity 4: Ask the students to explore the laws and regulations that apply to information security. Let them present the key features of the laws and cite cases where these were violated and legal action followed. Let them present their findings to the class, discussing the details and interesting facets of each case.









Training Resource Material

4.1 Information Security Policies

Security policies are the foundation of your security infrastructure. Without them, you cannot protect your company from possible lawsuits, lost revenue and bad publicity, not to mention basic security attacks. A security policy is a document, or set of documents, that describes at a high level the security controls the company will implement. Policies are not technology-specific and do three things for an organisation:
• reduce or eliminate legal liability to employees and third parties;
• protect confidential and proprietary information from theft, misuse, unauthorised disclosure or modification;
• prevent waste of company computing resources.

Organisations are giving more priority to the development of information security policies, since protecting their assets is one of the most important things they must consider. Lack of clarity in InfoSec policies can lead to damage that cannot be recovered from, so an organisation needs a deliberate strategy for implementing its security policy. An information security policy provides management direction and support for information security across the organisation. There are two basic types of security policy:
• Technical security policies: how technology should be configured and used.
• Administrative security policies: how people (both end users and management) should behave and respond with respect to security.

Persons responsible for the implementation of security policies typically include:
• Director of Information Security
• Chief Security Officer
• Director of Information Technology
• Chief Information Officer



Information in an organisation exists both electronically and in hard copy, and all of it needs to be protected against breaches of confidentiality, integrity and availability. Proper security measures must be implemented to protect information from unauthorised changes, deletions and disclosures, and a risk assessment is required to determine the level of security measures to apply. Security policies define what is expected of employees with respect to information systems; the objective is to guide and control the use of systems so as to reduce risk to information assets. They also give the staff who work with information systems an acceptable use policy explaining what is and is not allowed. Security policies differ from company to company, but the key motive behind all of them is to protect assets.



Security policies are tailored to the organisation's specific mission and goals. A security policy should set rules for at least the following systems:
• Encryption mechanisms
• Access control devices
• Authentication systems
• Firewalls
• Anti-virus systems
• Websites
• Gateways
• Routers and switches







Necessity of a security policy

It is generally impossible to accomplish a complex task without a detailed plan. A security policy is the plan that provides for consistent application of security principles throughout your company; after implementation it becomes the reference guide whenever a question of security arises. A security policy signals senior management's commitment to maintaining a secure network, which lets IT staff do a more effective job of securing the company's information assets. Ultimately, a security policy reduces the risk of a damaging security incident, and when one does occur, specific policies such as an Incident Response Policy can limit the company's exposure and the scope of the incident.

A security policy can also provide legal protection. By specifying to users exactly how they can and cannot use the network, how they must treat confidential information, and how encryption is to be used, you reduce your liability and exposure in the event of an incident. It also provides a written record of the company's position if there is ever a question about whether an act was approved. Third parties that do business with your company, such as auditors, customers, partners and investors, often require a security policy as part of their due diligence, particularly where confidential data will be shared or electronic systems interconnected.

Lastly, one of the most common reasons companies create security policies today is to satisfy regulations and standards that relate to the security of digital information.

Once the security policy is implemented it becomes part of day-to-day business. Policies need to be reviewed whenever there is an organisational change. Compliance with policy can be monitored with tooling such as a SIEM, violations must be dealt with seriously, and there must be a mechanism for reporting violations. Keep policies as simple as possible: a complex policy is harder to understand and follow, and therefore less effective than a simple one. A policy can be refined later; it is better to publish a good-enough policy now and improve it than to wait for a perfect one. The policy must also be updated as the organisation's environment changes while it grows, and updates must be communicated to all employees and to whoever is authorised to monitor for violations, since monitoring rules may otherwise flag scenarios the organisation has since decided to accept. Management is responsible for establishing controls and should regularly review their status. Below is a list of some of the security policies an organisation may have:



Access Control Policy – how information is accessed
Contingency Planning Policy – how availability of data and systems is maintained, including 24/7 services
Data Classification Policy – how data are classified
Change Control Policy – how changes are made to systems such as directories or file servers
Wireless Policy – how wireless infrastructure devices must be configured
Incident Response Policy – how incidents are reported and investigated
Termination of Access Policy – how access is revoked when employees leave
Backup Policy – how data are backed up
Virus Policy – how malware infections are dealt with
Retention Policy – how long data are kept and how they are stored
Physical Access Policy – how access to physical areas is obtained
Security Awareness Policy – how security awareness training is carried out
Audit Trail Policy – how audit trails are kept and analysed
Firewall Policy – how firewalls are named, configured, etc.
Network Security Policy – how network systems are secured
Encryption Policy – how data are encrypted, which methods are used, etc.

Others: Promiscuous Policy, Permissive Policy, Prudent Policy and Paranoid Policy (the four broad stances a policy can take on what is allowed by default); Firewall Management Policy; Special Access Policy; Network Connection Policy; Network Business Partner Policy; Acceptable Use Policy; User Account Policy; Data Classification Policy; Intrusion Detection Policy; Remote Access Policy; Virus Prevention Policy; Information Protection Policy; Laptop Security Policy; Personal Security Policy; Cryptography Policy.



Acceptable Use Policy

An Acceptable Use Policy (AUP) sets out the rules a person must follow when using the organisation's network and computing assets. Assets typically covered include mobile devices, wireless networks, desktop, laptop and tablet computers, email, servers and internet access. For each asset the policy addresses how it is protected and managed, who is authorised to use and administer it, and which methods of communication are acceptable on it. SANS publishes an AUP template at http://www.sans.org/security resources/policies/Acceptable_Use_Policy.pdf which gives a security analyst a good idea of what an AUP looks like. Some regulatory regimes mandate that a user accept the AUP before being granted access to network resources. Implementing such controls reduces the organisation's risk, though enforcing them across every asset class carries a real cost.



Once a reasonable security policy has been developed, the engineer has to look at the applicable national laws, which must be reflected in the policy. One example is the use of encryption to create a secure channel between two entities: some jurisdictions restrict which algorithms and key lengths (for example 128- or 192-bit keys) may be used, exported or imported for ordinary use. Legal experts need to be consulted to establish what level of encryption is allowed in a given area, and this becomes a real challenge when policies are written for a large organisation spread across the globe.

Some of the laws, regulations and standards used for policy definition include:
• The PCI Data Security Standard (PCI DSS)
• The Health Insurance Portability and Accountability Act (HIPAA)
• The Sarbanes-Oxley Act (SOX)
• The ISO family of security standards (the ISO/IEC 27000 series)
• The Gramm-Leach-Bliley Act (GLBA)



4.2 Key Elements of a Security Policy

A policy should contain:
• Overview – background on the issue the policy addresses.
• Purpose – why the policy was created.
• Scope – what areas the policy covers.
• Targeted audience – whom the policy applies to.
• Policy – the detailed statement of the policy itself.
• Definitions – brief explanations of the technical terms used in the policy.
• Version – a number to control changes made to the document.



Policy Content

When developing content, many go about creating a policy exactly the wrong way. The goal is not to create hundreds of pages of impressive-looking information but an actionable security plan. The following guidelines apply to the content of successful IT security policies.

• A security policy should be no longer than absolutely necessary. Some believe policies are more impressive when they fill enormous binders or contain hundreds or even thousands of individual policies; such collections, frequently advertised on the internet, overwhelm the reader with data. Quantity does not equal quality, and it is the sheer volume of information that makes them useless. Brevity is of utmost importance.
• A security policy should be written in plain English. Technical topics will be covered by nature, but the policy must be clear and understood by its target audience. There is no room for "consultant speak" in a security policy. If in doubt, write so that more people can understand it rather than fewer. Clarity must be a priority so that a policy is not misunderstood during a crisis or otherwise misapplied, which could itself create a critical vulnerability.
• A security policy must be consistent with applicable laws and regulations. Some countries have laws that apply to a company's security practices, such as those covering the use of encryption; some states have disclosure laws or regulations governing the protection of citizens' personal information; and some industries have regulations governing security policies. Research and become familiar with any regulations or standards that apply to your company's security controls.
• A security policy should be reasonable. The point is to create a policy you can actually use rather than one that makes the company secure on paper but is impossible to implement. The more restrictive a policy is, the greater the burden it places on users and IT staff to comply. Find the middle ground between security and usability that works for you.
• A security policy must be enforceable. It should state clearly which actions are permitted and which are violations, spell out the enforcement options when non-compliance or violations are discovered, and be consistent with applicable laws.

A security policy can be formatted to match your company's internal documentation conventions, but certain information should appear on every page. At a minimum this should include the policy name, creation date, target audience and a clear designation that the policy is company confidential.



Security Policy Implementation

Once a policy has been created, perhaps the hardest part of the process is rolling it out to the organisation. This step must be well planned and undertaken thoughtfully.

First and most importantly, a security policy must be backed by the company's senior management team. Without their support, the cooperation needed across departments will not materialise and the implementation is likely to fail. Department heads must be involved, and Human Resources and Legal in particular must play an integral part. Make sure you have management buy-in before you get too far along.

If the position does not already exist, an Information Security Officer or IT Security Program Manager should be designated who is responsible for implementing and managing the security policy. This can be an existing manager. A dedicated post is sometimes impractical at smaller companies, but regardless, one person with the authority to make executive decisions needs to own and be accountable for the policy. The policy must be officially adopted as company policy: signed and recorded the same way the company records any major decision, with full senior management approval.

Next, go through each policy and think about how it will be applied within the organisation. Make sure the tools are in place to conform to it. For example, if a policy specifies that a certain network be monitored, make sure monitoring capability exists on that network segment; if a policy says visitors must agree to the Acceptable Use Policy before using the network, make sure there is a process to present visitors with the AUP. If you discover something impractical at this stage, plan to change either the network or the policy.

Understand that policies differ from processes and procedures, which you will need to work out after the policy is finished. For example, the Backup Policy may set the schedule for backups and off-site rotation of media, but it will not say exactly how those tasks are accomplished. Certain procedures must also be created to support the policies: how should users respond if they suspect a security incident? How will you notify users who are non-compliant with a specific policy? How are exemptions requested and approved? Work with the relevant departments (Legal, IT, HR, etc.) to establish these procedures.

User education is critical to a successful implementation. Hold a training session covering the policies that affect users, together with basic security awareness training. Users often create security issues simply because they do not understand that what they are doing is risky or against policy. Users must be given every user-level policy and must acknowledge in writing that they have read it and will comply. If possible, coordinate this with HR so the policies can be included with the other HR documents that require a signature.

No matter how well implemented, no policy will be 100% applicable to every scenario, and exceptions will have to be granted. Exceptions must be granted only in writing and must be well documented. Make it clear from the outset that the policy is the official company standard and that an exception will be granted only for an overwhelming business need.

After the policy has been in place for some time, anywhere from three months to a year, the company's information security controls should be audited against the applicable policies. Confirm that each policy is being followed as intended and is still appropriate. Where discrepancies are found, or a policy no longer fits as written, change it to fit the company's current requirements. After this initial review, review the policy regularly, both at fixed intervals (e.g. once a year) and when certain business changes occur (e.g. the company opens a new location), so that it does not go stale and remains a useful management tool. When changes are made, update the revision history section of the document to distinguish the new version from past ones, distribute any modified user-level policies to users, and clearly communicate the changes to all affected parties.
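One way to audit controls against policies, as recommended above, is a script that reads an account export and checks it against the rules the policies state. This is an added example, not part of the handbook or of any organisation's tooling: the Account fields, the HR leaver list, the thresholds (one day to revoke a leaver's access, 90 days of inactivity before an account counts as dormant) and all sample records are constructed, and the three policies it checks (Termination of Access, User Account, Special Access) are taken from the policy list in section 4.1.

```python
"""
Policy-to-control audit: check an account export against three of the handbook's
user-level policies. Added example for this handbook, not from any organisation's tooling.
Assumptions (hypothetical): the account fields, the HR leaver list, the thresholds
(1-day revocation grace, 90-day dormancy) and all sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    owner: Optional[str]        # HR employee id; None means a shared or service account
    enabled: bool
    privileged: bool            # administrative rights anywhere
    mfa_enrolled: bool
    last_login: Optional[date]  # None = never logged in


@dataclass
class Finding:
    policy: str
    account: str
    detail: str


def audit(accounts: List[Account], leavers: Dict[str, date], today: date,
          dormant_days: int = 90, revoke_grace_days: int = 1) -> List[Finding]:
    """Return one Finding per policy violation; an empty list means the controls match the policies."""
    findings: List[Finding] = []
    for a in accounts:
        # Termination of Access Policy: access is revoked promptly when the owner leaves.
        if a.owner in leavers:
            left = leavers[a.owner]
            if a.enabled and (today - left).days > revoke_grace_days:
                findings.append(Finding("Termination of Access Policy", a.username,
                                        f"owner left on {left}, account still enabled"))
        # User Account Policy: every enabled account has an accountable named owner.
        elif a.owner is None and a.enabled:
            findings.append(Finding("User Account Policy", a.username,
                                    "enabled account has no named owner"))
        # User Account Policy: dormant accounts are disabled.
        if a.enabled and (a.last_login is None or (today - a.last_login).days > dormant_days):
            findings.append(Finding("User Account Policy", a.username,
                                    f"no login in the last {dormant_days} days"))
        # Special Access Policy: privileged accounts require MFA.
        if a.enabled and a.privileged and not a.mfa_enrolled:
            findings.append(Finding("Special Access Policy", a.username,
                                    "privileged account without MFA"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per policy, which is what the periodic policy review wants to see."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.policy] = counts.get(f.policy, 0) + 1
    return counts


# Constructed sample data.
TODAY = date(2015, 6, 30)
LEAVERS = {"E1002": date(2015, 6, 1)}  # HR record: employee E1002 left on 1 June
ACCOUNTS = [
    Account("alice", "E1001", True, True, True, date(2015, 6, 29)),
    Account("bob", "E1002", True, False, False, date(2015, 5, 30)),
    Account("svc_backup", None, True, True, False, date(2015, 6, 30)),
    Account("carol", "E1003", True, False, False, date(2015, 2, 1)),
    Account("dave", "E1004", False, False, False, None),
]

if __name__ == "__main__":
    for f in audit(ACCOUNTS, LEAVERS, TODAY):
        print(f"{f.policy:<30} {f.account:<12} {f.detail}")
    print(summarize(audit(ACCOUNTS, LEAVERS, TODAY)))
```

Run stand-alone, the sample data yields four findings: bob's account is still enabled a month after HR recorded him leaving, svc_backup has no accountable owner and is privileged without MFA, and carol has not logged in for 149 days. Each finding names the policy it violates, which is what turns an audit into a policy review: a policy that generates findings nobody will act on is a candidate for revision, not just enforcement.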



Internal Security Policy: Microsoft Snicker if you must, but this is for real. Microsoft has great internal security policies and controls. Think about it. When was the last time you heard about a major breach of Microsoft's corporate network? The one you might recall is October 2000, when hackers breached its security and accessed source code for future versions of Windows. "That was a wake-up call. It changed the way our executives and employees think about security," says Greg Wood, Microsoft's general manager of InfoSecurity. Microsoft is one of the most targeted entities on the Internet, absorbing more than 2,200 unique attacks a day. When it developed its security policy, the security team sought simplicity for protecting the company's 300,000 hosts. Microsoft threw out its thick, three-ring binder that held its barely touched security policy. Replacing it was a thin pamphlet containing 45 half-page doctrines based on elemental security principles: enforcement, business rationale and risk assessments. The litmus test for any security policy is whether it's enforceable. Microsoft's security policies are easily understood and have teeth. There's no excuse for ignorance of the policy, and any breach is enforced through HR actions, Wood says. Microsoft's security team applies business logic to its security policies. Wood says this helps earn the business units' cooperation. They know security won't arbitrarily inhibit operations. Where best practices will often ban certain functions and services, the Microsoft policy has flexibility to meet business necessities--within reason. Source: News Journals









California State University, Northridge – adoption of an information security plan California State University, Northridge (CSUN) is committed to providing a secure and accessible data and networking infrastructure that protects the confidentiality, availability and integrity of information. The creation, preservation and exchange of information is an intrinsic part of the University's teaching, scholarship and administrative operations. Increasingly that information is processed, handled or stored in electronic form. The growing availability of digital information offers opportunities to improve our collaborations and work in new ways. Unfortunately, it also presents us with new threats. The very technologies we use to gather, share and analyse information also make our institution vulnerable to varied and continually evolving information security risks. CSUN is entrusted with a wide range of confidential and sensitive information pertaining to our students, faculty, staff, donors, and other members of the community (e.g. affiliates). We take seriously our obligation to be stewards of that trust. We are obligated by law and institutional policy to take all reasonable and appropriate steps to protect the confidentiality, availability, privacy, and integrity of information in our custody. This obligation is broad and applies to information in both electronic and material form. Our practices are designed both to prevent the inappropriate disclosure of information and to preserve information in case of intentional or accidental loss. (For the complete case study please refer to: http://www.csun.edu/sites/default/files/csun-itsec-plan.pdf ) Source: www.csu.edu









4.3 Security Standards, Guidelines & Frameworks

Process: Security Frameworks

Governance

Security governance frameworks are answers to the question of how to manage security effectively. The way a company builds its governance structure reflects how the company is organised and the legal and business environment it operates in. Auditing a company's security governance requires understanding how the organisation manages the processes and procedures that make up its security program and comparing them against recognised governance frameworks. Fortunately, there are many sources an auditor can use to identify best practices for building a manageable, measurable and effective security governance program. The frameworks mentioned here are not a complete list, and significant research continues in this area. What follows are three of the most frequently encountered frameworks; they should get you started in understanding how they can be applied to the organisations you audit.

COSO

The Foreign Corrupt Practices Act of 1977 (FCPA) requires any publicly traded company to accurately document the transactions and monetary exchanges it is involved in (to prevent off-the-books money transfers). The law also requires a publicly traded company to have a system of internal accounting controls to detect fraud and abuse, and to test those controls through compliance auditing. The law came with little guidance from the Securities and Exchange Commission (SEC), and in response a consortium of private organisations sponsored the Treadway Commission to work out what companies needed to do to comply. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed in 1985 to improve the accuracy of financial reports and to standardise internal control methods so as to reduce fraudulent reporting. COSO studied the problem and issued guidance on how to create an internal controls framework that complies with the FCPA. The resulting document, "Internal Control – Integrated Framework", was first published in 1992 (with an addendum in 1994) and provided a common language, definitions and assessment methodologies for a company's internal accounting controls. The COSO report is the standard by which accounting auditors assess companies for compliance with the FCPA and SOX section 404. It lists a few main concepts that guided development of the framework and define what internal controls can and cannot do for an organisation. These concepts show the relationship between people and processes with respect to the effectiveness of controls, and define the principles by which to implement them:













• Internal control is a process, not a one-time activity.
• Internal control is effected by people; it must be adopted throughout the organisation and is not simply a policy document that gets filed away.
• Internal control can provide only reasonable assurance, not absolute assurance, to management and the board. A control cannot guarantee success.
• Internal controls are designed for the achievement of business objectives.



The COSO internal controls framework consists of five main control components, shown in the figure below. These components are the foundation of the COSO framework and give auditors a means to assess a company's control efficiency and effectiveness, the reliability of its financial reporting and its compliance with the law.

Figure: COSO Internal Controls Framework – five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring.



Control environment The control environment defines how an organization builds its internal governance program and affects the company as a whole. The CEO, Board of Directors, and Executive Management are mostly involved at this level, creating the ethics environment and organizational structure



and defining the roles and responsibilities. The control environment consists of the people, culture and ethics of the business. Risk assessment Solid risk assessment methodologies are important to any successful governance program. COSO identifies this area as 120



Trainer’s Guide– Security Analyst SSC/N0901



critical to all control development activities and for identifying business objectives. You can’t protect what you don’t know about, so a thorough risk assessment provides the data to help a company design controls to protect its assets and achieve its strategic goals. Control activities This section covers the controls that COSO recommends to help mitigate risk. The main categories for controls in COSO are operational, financial reporting and compliance. The controls identified are broad in nature and cover some IT related issues, but COSO doesn’t address this area as well for IT as it does the accounting side. It does highlight the various activities that should be controlled, but leaves it up to management to figure out how to do it. Information and communication Having an organization in which information and communication are free to flow between all aspects of the business is addressed in this component of COSO. Information, according to COSO, is the data used to run the business, whereas communication is defined as the method used to disseminate information to the appropriate individuals. People cannot do their jobs efficiently and effectively if they are not provided with the necessary information. Without the appropriate lines of communication and timely action, problems can turn into catastrophes. Communication is the mechanism that drives the other four components of the COSO framework.



Monitoring
Auditing and measurement are essential in determining how controls perform. Monitoring can be the alarm system that identifies a problem and provides valuable data for fixing issues for the future. Monitoring can consist of periodic reports, audits or testing mechanisms that provide the status of individual controls.

COSO is one of the more widely adopted internal control frameworks for large companies, due in no small part to the mandates set forth through SOX 404. In response to criticism that the framework was impractical for smaller organizations, the committee published “Internal Control over Financial Reporting for Small Public Companies” in 2006. The COSO framework represents the grandfather of internal controls and, though it was designed primarily for accounting controls, it still provides value for companies building out a security governance strategy. From an IT perspective, the five main components are entirely relevant to securing information, but the actual controls themselves don’t go to the same level of depth as other frameworks such as Control Objectives for Information and related Technology (COBIT).

Trainer’s Guide– Security Analyst SSC/N0901

COBIT
The COBIT framework was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) as a response to the needs of the IT community for a less generalized and more actionable set of controls for securing information systems. The ITGI is a non-profit organization that leads the development of COBIT through committees consisting of experts from universities, governments and auditors across the globe. The COBIT framework is a series of manuals and implementation guidelines for creating a full IT governance, auditing and service delivery program for any organization. COBIT is not a replacement for COSO but an augmentation to it, and maps directly to COSO from an IT perspective. Although COSO covers the whole enterprise from an accounting perspective, it does so by providing high level objectives that require the business to figure out how to accomplish them. COBIT, on the other hand, works with COSO by fully detailing the necessary controls and how to measure and audit them. The built-in auditable nature of COBIT is why it has become one of the leading IT governance frameworks, as it gets as close as can be expected to a turnkey governance program. COBIT does not dig down into the actual tasks and procedures, however, which necessitates using other sources to develop standards and procedures for implementing the controls. In other words, COBIT won’t tell you the best way to configure AES encryption for your wireless infrastructure, but it will provide you with a mechanism for identifying where and why you need to apply it based on risk.

The role of COBIT in IT governance is to provide a model that takes the guesswork out of how to bridge the gap between business and IT goals. COBIT considers the business to be the customer of IT services. Business requirements (needs) ultimately drive the investment in IT resources, which in turn need processes that can deliver enterprise information back to the business. At the foundation of COBIT is the cyclical nature of the business needing information and IT delivering information services. Information is what IT provides to the business, and COBIT defines the following seven control areas as business requirements for information:







• Effectiveness: information should be delivered in a timely, correct, consistent and usable manner.
• Efficiency: information is delivered in the most cost effective way.
• Confidentiality: data is protected from unauthorized disclosure.
• Integrity: the business is protected from unauthorized manipulation or destruction of data.
• Availability: data should be accessible when the business needs it.
• Compliance: adherence to laws, regulations and contractual agreements.
• Reliability of information: data correctly represents the state of the business and its transactions.

IT resources in COBIT are the components of information delivery and represent the technology, people and procedures used to meet business goals. Resources are divided into four areas:



• Applications: information processing systems and procedures
• Information: the data as used by the business
• Infrastructure: technology and systems used for data delivery and processing
• People: the human talent needed to keep everything operating

IT processes (or activities) are the planned utilization of resources and are divided into four inter-related domains. Each process has its own controls that govern how the process is to be accomplished and measured. There are 34 high level processes and hundreds of individual controls. The domains and processes are:



• Plan and Organize (PO): Defines strategy and guides the creation of a service and solutions delivery organization. The high level processes for this domain are as follows:
o PO1 Define a strategic IT plan
o PO2 Define the information architecture
o PO3 Determine technological direction
o PO4 Define the IT processes, organization and relationships
o PO5 Manage the IT investment
o PO6 Communicate management aims and direction
o PO7 Manage IT human resources
o PO8 Manage quality
o PO9 Assess and manage IT risks
o PO10 Manage projects
• Acquire and Implement (AI): Builds IT solutions and creates services. The high level processes for this domain are as follows:
o AI1 Identify automated solutions
o AI2 Acquire and maintain application software
o AI3 Acquire and maintain technology infrastructure
o AI4 Enable operation and use
o AI5 Procure IT resources
o AI6 Manage changes
o AI7 Install and accredit solutions and changes
• Deliver and Support (DS): User facing delivery of services and solutions. The high level processes for this domain are as follows:
o DS1 Define and manage service levels
o DS2 Manage third-party services
o DS3 Manage performance and capacity
o DS4 Ensure continuous service
o DS5 Ensure systems security
o DS6 Identify and allocate costs
o DS7 Educate and train users
o DS8 Manage service desk and incidents
o DS9 Manage the configuration
o DS10 Manage problems
o DS11 Manage data
o DS12 Manage the physical environment
o DS13 Manage operations
• Monitor and Evaluate (ME): Monitors IT processes to ensure synergy between them and business requirements. The high level processes for this domain are as follows:
o ME1 Monitor and evaluate IT performance
o ME2 Monitor and evaluate internal control
o ME3 Ensure compliance with external requirements
o ME4 Provide IT governance

Each of the processes in COBIT is written for managers, users and auditors by addressing each group’s needs. Each process control objective is built using a template that includes:
o a general statement that provides answers to why management needs the control and where it fits
o the key business requirements that the control addresses
o how the controls are achieved
o control goals and metrics
o who is responsible for each individual control activity
o how the controls can be measured
o clear descriptions of measuring how mature the organization is in accomplishing the control using a detailed 0–5 scale Maturity Model

Measurement of each process and control is accomplished through a Maturity Model. The COBIT Maturity Model is based on the Capability Maturity Model pioneered by Carnegie Mellon’s Software Engineering Institute (SEI). The Capability Maturity Model was designed as a tool for ensuring quality software development. COBIT has modified the model to deliver a measurement and tracking tool that identifies the current state of adoption (maturity level) for each process, so as to compare an organization’s execution with industry averages and business targets. This helps management identify where the company’s performance is in relation to its peers and provides a path to improve, with specific and prescriptive steps used to get there.



Trainer’s Guide– Security Analyst SSC/N0901



The COBIT Maturity Model scale provides the following measurements:

COBIT Maturity Scale
0  Non existent      Not performed.
1  Initial/Ad hoc    Process is chaotic, not standardized and done case by case.
2  Repeatable        Relies on individual knowledge, with no formal training and no formal process; management is intuitive.
3  Defined process   Standardized and documented processes and formal training to communicate standards.
4  Managed           Processes are monitored and checked for compliance by management; measurable processes are reviewed for improvement; limited automation.
5  Optimized         Processes are refined and compared with others based on maturity; processes are automated through workflow tools to improve quality and effectiveness.

Using COBIT requires customization to better align with the company implementing it. COBIT is not designed as a governance strategy in a box, but as a reference for building a process focused system, utilizing international standards and good practices. Companies still need to determine a risk management methodology and build out a technical infrastructure to automate the various COBIT processes identified. COBIT’s real value is in providing the management, measurement and organizational glue to tie these functions together. IT auditors like to use COBIT mainly because it creates a well-documented set of processes and controls that can be assessed along with the metrics and requirements for each control. COBIT’s usefulness is also apparent when the organization under audit does not use COBIT as a governance framework, because an auditor can build checklists and plan audits based on COBIT to ensure that all aspects of the IT process are performed. COBIT is also an invaluable resource when writing the audit report because it allows the auditor to justify and compare his findings to a well-respected standard.

ITIL
The Information Technology Infrastructure Library (ITIL) provides documentation of best practices for IT Service Management. ITIL was created in the late 1980s by Great Britain’s Office of Government Commerce to standardize Britain’s government agencies and to follow security best practices. A study was conducted and generated a significant amount of information (roughly 40 books) that became known as ITIL. The books were revised and consolidated in 2004 and became a series of eight books focused on IT services management. This version 2 of ITIL became popular among organizations looking for an internationally recognized, proactive framework for managing IT services, reducing cost and improving quality. Version 3 of ITIL was released in June 2007 to refresh the core service and support delivery material that many companies have implemented, and to move the ITIL framework towards a life cycle model that includes management of all lifecycle services provided by IT. The five books that make up Version 3 are:



• Service Strategy: This book is the foundation for the others, defining business to IT alignment, value to the business, service strategy and service portfolio management.
• Service Design: Focused on the design of IT processes, policies and architectures. Includes service level management, capacity management, information security management and availability management.
• Service Transition: Covers moving from the design phase to production business services and change management. It also includes service asset and configuration management, service validation and testing, evaluation and knowledge management.
• Service Operation: Provides information on the day-to-day support of production systems. This includes service delivery and service support, service desk design, application management, problem management and technical management.
• Continual Service Improvement: This book covers service improvements and service retirement strategies.



ITIL is primarily about delivering IT as a service and the lifecycle of service development, implementation, operation and management. ITIL is used by companies for overall management of IT and also for managing security processes. Auditing an ITIL shop requires that the auditor understand the basics of ITIL to speak the same language. ITIL also works well with COBIT as a means for fleshing out the service delivery of each process. The ITGI even creates a mapping between COBIT and ITIL for organizations that want to utilize the two standards. ITIL also meets the criteria for ISO 20000, which means that it can be used to achieve international certification. Whether a company chooses to go for certification or not, ITIL gives guidance about how to move from a reactive to a proactive approach to managing IT and security as a service.



Technology: Standards, Procedures and Guidelines
Knowing what processes and controls need to be in place is half the job. The other half is implementing the technology and procedures that allow the control to work as intended. Most auditors focus their efforts on testing and validating controls to ensure that they are functional and dependable. Penetration testing, configuration review and architecture review are all part of this type of assessment, so auditors need to know where to go to find guidance, templates and sample designs that have been proven to work through consensus and extensive testing. The best security programs don’t provide much benefit if the execution of those programs relies on poor control choices. The following standards and best practices can help the auditor distinguish good security designs from bad and provide reference architectures to compare against.

ISO 27000 Series of Standards
The ISO 27000 series are internationally recognized security control standards for the creation and operation of an Information Security Management System (ISMS). Previously known as ISO 17799 and originating from British Standard 7799, the ISO 27000 series is one of the most widely used and cited documents in information security today. All the major governance frameworks reference ISO when discussing key controls, and it is a great resource to address a wide range of security needs, from data-handling standards to physical security to policy. ISO 27000 is broad and covers a great deal of content that is broken into seven published standards documents, with ten more currently in preparation. This overview is centered on the first two standards: ISO 27001 and 27002.

The first ISO standard is ISO 27001:2005, Information Technology, Security Techniques, Information Security Management Systems. It provides the requirements for a security management system in accordance with ISO 27002 best practices. ISO 27001 identifies generic technological controls and processes that must be in place if a business wants to be certified as compliant with the ISO standard. The contents of ISO 27001 are:
• ISMS: Establish the ISMS; implement and operate it; monitor and review it; maintain and improve it; documentation requirements; control of documents and records.
• Management responsibility: Involves commitment, provision of resources and training for awareness and competence.
• Internal audits: These are the requirements for conducting audits.
• ISMS improvements: These are the corrective and preventive actions.
• Annex A: Objectives and controls and checklist.
• Annex B: Organization for Economic Cooperation and Development (OECD) principles and this international standard.
• Annex C: Correspondence between ISO 9001, ISO 14001 and this standard.



A key concept used in 27001 is the Deming Cycle process improvement approach: Plan, Do, Check and Act. This continuous improvement cycle was made famous by Dr. W. Edwards Deming whose quality control techniques methodology is a way to show that a process can be continually improved by learning from mistakes and monitoring the things done correctly to further refine the capabilities of the system.



The Deming Cycle is simple yet powerful, and ISO 27001 applies it to security management in the following manner:
Step 1. Plan: Establish the ISMS according to the policies, processes and objectives of the organization to manage risk.
Step 2. Do: Implement and operate the ISMS.
Step 3. Check: Audit, assess and review the ISMS against policies, objectives and experience.
Step 4. Act: Take action to correct deficiencies identified, for continuous improvement.



ISO 27001 provides guidance for setting up an ISMS and an excellent checklist for assessing compliance with the standard by specifying what controls need to be in place. An organization can be certified through an approved assessment and registration organization as being in compliance with 27001. There are over 3,000 companies certified against ISO 27001. Many companies choose certification as a mechanism to “prove” their competence in building an information security program, but also because certification provides proof for SOX and other legal compliance frameworks that the company has met the requirements of those laws. The other benefit of ISO 27001 is its global acceptance as a standard that is required for conducting business with some companies, which can provide a unique business opportunity for a company that goes down the path of certification.

The second ISO standard is ISO 27002:2005 Security Techniques Code of Practice, which consists of international best practices for securing systems. This standard provides best practice information about everything from Human Resources security needs to physical security, and it represents the detailed implementation requirements for ISO 27001. ISO 27002 is full of good high level information that can be used as a source document for any generalized audit or assessment. It consists of security controls across all forms of data communication, including electronic, paper and voice (notes tied to pigeons are not included).



The twelve areas covered in ISO 27002:2005 are:
• Intro to information security management
• Risk assessment and treatment
• Security policy
• Organization of information security
• Asset management
• Human Resources security
• Physical security
• Communications and ops management
• Access control
• Information systems acquisition, development and maintenance
• Information security incident management
• Business continuity
• Compliance



The ISO standards define a solid benchmark for assessing a company’s information security practices, but as with most high level control documents, they don’t give the auditor details about security architecture or implementation guidance. 27002 is a great internationally recognized standard to refer back to for control requirements in an audit report or findings document, and makes excellent source material for an auditor’s checklist.

NIST
The National Institute of Standards and Technology (NIST) is a federal agency of the United States government, tasked with helping commerce in the U.S. by providing weights and measurements, materials references and technology standards. If you have configured your computer to synchronize its time to an atomic clock source on the internet, then you have used a NIST service. NIST also provides reference samples of over 1,300 items, including cesium 137, peanut butter and oysters. The division within NIST most interesting from an information security standpoint is the Computer Security Resource Centre (CSRC), which is the division tasked with creating information security standards.

The CSRC is currently directed by the United States Congress to create standards for information security in response to laws such as the Information Technology Reform Act of 1996, the Federal Information Security Management Act of 2002 (FISMA) and HIPAA. Although FISMA is a federal law and not enforceable in the private sector, private companies can reap the benefits of the many excellent documents NIST has created for FISMA compliance. Federal Information Processing Standards (FIPS) are a series of standards that government agencies must follow by law according to FISMA. FIPS standards include encryption standards, information categorization and other requirements. FIPS also mandates standards for technology through a certification program. Hardware and software involved in encrypting data via AES, for example, must be FIPS 140-2 (level 2) compliant to be used by the federal government.

The NIST Special Publications (800 series documents) are a treasure trove of good information for auditors, systems administrators and security practitioners at a company of any size. These documents give guidance and provide specific recommendations about how to address a wide range of security requirements. They are created by academic researchers, security consultants and government scientists, and are reviewed by the security community through a draft process that allows anyone to provide comments and feedback on the documents before they are made standards. The documents are also revised on a regular basis as new technologies become adopted. The table below provides a list of some of the most widely used NIST 800 series documents. This list is not exhaustive, and new documents are added all the time, so check the NIST website on a regular basis for updates and new drafts.



Table: NIST 800 Series documents
SP 800-14    Generally Accepted Principles and Practices for Securing Information Technology Systems
SP 800-18    Guide for Developing Security Plans for Information Technology Systems
SP 800-27    Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
SP 800-30    Risk Management Guide for Information Technology Systems
SP 800-34    Contingency Planning Guide for Information Technology Systems
SP 800-37    Guidelines for Security Certification and Accreditation of IS Systems
SP 800-47    Security Guide for Interconnecting Information Technology Systems
SP 800-50    Building an Information Technology Security Awareness and Training Program
SP 800-53    Recommended Security Controls for Federal Information Systems
SP 800-53A   Techniques and Procedures for Verification of Security Controls in Federal Information Technology Systems
SP 800-54    BGP Security
SP 800-55    Security Metrics Guide for Information Technology Systems
SP 800-58    Security Considerations for VoIP Systems
SP 800-60    Guide for Mapping Types of Information and Information Systems to Security Categories (Two Volumes)
SP 800-61    Computer Security Incident Handling Guide
SP 800-66    An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
SP 800-77    Guide to IPsec VPNs
SP 800-88    Guidelines for Media Sanitization
SP 800-92    Guide to Computer Security Log Management
SP 800-95    Guide to Secure Web Services
SP 800-97    Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
SP 800-100   Information Security Handbook: A Guide for Managers



The Cyber Security Research and Development Act of 2002 requires that NIST develop checklists to help minimize the security risks of hardware and software used by the federal government. These checklists show detailed configurations of many hardware and software platforms, including Cisco. SP 800-70 outlines the format, goals and objectives of the checklists and how to submit a checklist if you build one that you would like to share. NIST provides these checklists in Security Content Automation Protocol (SCAP) format, which can be loaded into a SCAP validated scanner for automated auditing. There are a number of scanning vendors that support SCAP, such as Qualys and Tenable (Nessus Scanner). For a complete list of scanning vendors and downloadable checklists, visit http://checklists.nist.gov.

Centre for Internet Security
The Centre for Internet Security (CIS) is a not-for-profit group dedicated to creating security best practices and configuration guidance for companies, to help reduce the risk of inadequately securing corporate systems. CIS provides peer-reviewed configuration guides and templates that administrators and auditors can follow when securing or testing the security of a target system. These guides are well written and provide a sufficient level of detail, down to the actual configuration level, to use as a checklist while also explaining why the particular configuration option needs to be implemented. CIS refers to its best practice documents as benchmarks and has two categories:



• Level 1 benchmarks consist of the minimum level of security that needs to be configured and that any skilled administrator can implement.
• Level 2 benchmarks focus on particular applications of security based on the type of system or the manner in which the system is used. Proper security depends on understanding risk, which determines at what level you need to protect an asset. Laptops, for example, have a different risk profile than servers, which is explored in the Level 2 benchmark section in detail.



The CIS benchmarks are often used for configuration level auditing of technology for proper implementation of security features and good defensive practices. Many compliance laws dictate high level controls, but never go into the details of how to actually perform the tasks necessary. These benchmarks developed by CIS help to fill in the blanks when auditing for compliance through consensus-validated device configuration recommendations. CIS also makes available automated assessment tools that leverage these benchmarks. CIS benchmarks can be found at www.cisecurity.org.

NSA
The National Security Agency (NSA) has been responsible for securing information and for information assurance since it began in 1952. As a component of the U.S. Department of Defense, the NSA is typically known for its cryptology research and cryptanalysis of encrypted communications. The NSA created the DES encryption standard, which was the most commonly deployed encryption technique until it was replaced by AES (and is still used in the form of 3DES). Although the NSA’s mission is to keep government communications private, it has also shared a significant amount of computer security research in the form of configuration guides on hardening computer systems and network infrastructure equipment. Through research conducted by the Information Assurance Department of the NSA, a series of security configuration guides have been posted to help the public better secure computers and networks. These guides cover:
• Applications
• Database servers
• Operating systems
• Routers
• Supporting documents
• Switches
• VoIP and IP telephony
• Vulnerability reports
• Web servers and browsers
• Wireless



Auditors are free to use these configuration guidelines when examining security controls. They make a great resource and are updated as new technologies and applications are studied. You can find the guides at http://www.nsa.gov/ia/index.cfm.

DISA
The Defense Information Systems Agency (DISA) is a component of the U.S. Department of Defense that is charged with protecting military networks and creating configuration standards for military network deployments. DISA provides a number of useful configuration checklists for a wide variety of information system technologies. Security Technical Implementation Guides (STIGs) are great source material for security configuration assessments and are highly recommended as a tool for any auditor looking for vetted configuration recommendations. While STIGs are written with military auditors in mind, they are easy to read and include justification for the configuration requirements and what threats are mitigated. You can access the current list of STIGs at http://iase.disa.mil/stigs/stig/index.html.

SANS
The SANS (SysAdmin, Audit, Network, Security) Institute is by far one of the best sources of free security information available on the Internet today. Established in 1989 as a security research and education organization, it has become a source of training and knowledge that shares information about security with hundreds of thousands of individuals across the globe. The SANS website has something for everyone involved in information security, from the CIO to the hard-core security technologists and researchers. SANS is in the business of security education and delivers training events, conferences and webcasts. It offers an extensive array of technical security and management tracks covering everything from incident handling and hacking to creating security policies. SANS security training conferences are the most common venue for a student attending these courses, but many are also offered through on-demand web training and self-study. Each of these courses also offers an opportunity to test for certification through the GIAC organization (a separate entity that governs the certification and testing process for SANS). For those students who want a more traditional education process, SANS is accredited in the state of Maryland to grant master’s degrees in information assurance and management. Although SANS focuses on training, it also provides a wealth of free security information as part of its mission to use knowledge and expertise to give back to the Internet community.



SANS offers the following free services and resources that are perfect for auditors and security professionals to use to gain insight into new issues and to understand technical security controls:
• SANS reading room: The reading room consists of over 1,600 computer security whitepapers from vendors and research projects, written by SANS students going for GIAC Gold certification. There is a wide range of topic categories, ensuring you will find something relevant to what you are looking for, from best practices to configuration guidance.
• SANS Top 20: The SANS Top 20 is a list of the top 20 vulnerabilities in operating systems and applications that hackers attack. This information is updated yearly by a large panel of security experts, and it provides auditors and security practitioners with a good list of high-risk areas they need to ensure are addressed. Although this list is good, it doesn’t cover the latest threats, so it should not be used as a checklist, but rather as a tool to focus your efforts.
• SANS security policy samples: If you are looking for sample security policies, this resource is a goldmine. All of the policies represented are free for use, and in some cases you can simply insert the business’s name. These policy templates cover a wide range of security functional areas and are added to on a regular basis. It is important to note that security policies are serious documents and require that legal and HR departments be involved in their adoption.
• SANS newsletters: SANS provides a number of newsletters available as e-mails or RSS feeds that you can subscribe to. Many topics are present, including one focused on auditing (SANS AuditBits).
• Internet Storm Center: The Internet Storm Center is a group of volunteer incident handlers who analyze suspicious Internet traffic from across the globe. They look at packet traces to determine if a new virus, worm or other attack vector has popped up in the wild. The ISC also compiles attack trend data and the most frequently attacked ports. Incident handlers are always “on duty,” and you can read their notes as they go about analyzing attacks.
• SCORE: SCORE is a joint project with the CIS to create minimum standards of configuration for security devices connected to the Internet. These checklists are available for free and provide sound guidance about necessary technical controls.
• Intrusion Detection FAQ: The Intrusion Detection FAQ is a fantastic resource for better understanding how to identify an attack on your network. FAQs cover the basics of intrusion detection, details about tools to use and a detailed analysis of sample attacks.



The SANS website should be considered mandatory reading for auditors who want to better understand the tools and techniques attackers use to break into systems. Having all of this knowledge in a single place is useful as auditors tailor their checklists and audit criteria to address current events and attacks.



ISACA
If you are involved in security auditing to any degree, you undoubtedly have heard of the Information Systems Audit and Control Association (ISACA). ISACA is the largest association of IT auditors in existence, with over 65,000 members across the world. Many of the auditing techniques and security governance processes used to audit IT today have been compiled and standardized by ISACA. Over 50,000 people have earned the Certified Information Systems Auditor (CISA) certification, demonstrating knowledge in auditing. The Certified Information Security Manager (CISM) certification is also offered to test IT governance and management expertise. ISACA is more than just a certification granting organization. In addition to establishing the IT Governance Institute and developing COBIT, it has created the de facto standards guide for assessing and auditing IT controls. The IS standards, guidelines and procedures for auditing and control professionals are regularly updated and reviewed to provide the auditing community with standards, guidelines and procedures for conducting audits.



134



Trainer’s Guide– Security Analyst SSC/N0901



The auditing guide includes:

• Standards of IS auditing: This section includes the code of conduct for professional auditors, the auditing process from planning to follow-up, and various other standards for performing audits.

• Auditing guidelines: This section provides information on how to conduct audits while following the standards of IS auditing.

• Auditing procedures: This section provides details on how to audit various types of systems and processes, providing a sample approach to testing controls such as firewalls and intrusion detection systems.







The IT Assurance Guide to using COBIT is another excellent resource for how to conduct an audit using COBIT as the governance framework. Regardless of whether or not the company being audited uses COBIT, the guide describes how to leverage the controls identified by COBIT and apply those to the audit process. This enables an auditor to follow a well-documented framework to ensure that no major areas are missed.



ISO 27003
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.

ISO 27004
ISO/IEC 27004 concerns measurements relating to information security management. These are commonly known as ‘security metrics’ in the profession. The standard is intended to help organizations measure, report on and hence systematically improve the effectiveness of their Information Security Management Systems. It “provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001. This would include policy, information security risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved.”



ISO 15408 (Common Criteria Evaluation for Security)
ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by the various parts of ISO/IEC 15408, which in its entirety is meant to be used as the basis for evaluation of the security properties of IT products. It provides an overview of all parts of ISO/IEC 15408, defines the terms and abbreviations to be used in all parts of ISO/IEC 15408, establishes the core concept of a Target of Evaluation (TOE) and the evaluation context, and describes the audience to which the evaluation criteria are addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given. It defines the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations. The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified, and the consequences of evaluation and evaluation results are described. ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model.

ISO/IEC 13335 (IT Security Management)
ISO/IEC 13335-1:2004 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. Part 2 of ISO/IEC 13335 (currently a 2nd WD) provides operational guidance on ICT security. Together, these parts can be used to help identify and manage all aspects of ICT security. ISO 13335 is focused on Information and Communication Technologies, also called ICT. ISO standard 13335 was created to help businesses improve their information and communication security. There is currently only one part of the ISO 13335 standard, ISO 13335-1. ISO standard 13335 is designed to create an IT management framework, including information security policies, internal controls, company-approved practices and configuration management of hardware and software components. No one changes information and communication technologies without formal review and approval after thorough testing has been completed. In addition, ISO 13335 was created in an effort to improve business continuity, the continuation of business operations in case of a massive technical failure, natural disaster or hack attack.

ISO 13335-1
The ICT standard ISO 13335-1 originated as a technical report on information security before it became a separate ISO standard. ISO 13335-1 is focused on technical security controls over administrative procedures and internal corporate rules. ISO standard 13335-1 is now the entire ISO 13335 standard, with the other sections either consolidated into ISO 13335-1 or made into their own standards. Network security controls like firewalls can block traffic from selected IP addresses or prevent users from accessing specific websites. Built-in data archiving modules attached to routers or network connections automatically save all email messages, creating an instant record of communications that is available if the main email server goes down or if messages are deleted by unauthorized parties.

ISO 13335-2
ISO 13335-2 originally contained the ISO’s guidance on ICT security. The 1990s version of the standard was broken up into ISO 13335-1 and 13335-2. The ICT security recommendations in ISO 13335-2 were incorporated into ISO 13335-1 in the 2004 update of the standard.

ISO 13335-3
ISO 13335-3 was originally the guidelines for managing IT security. ISO standard 13335-3 has been replaced by ISO 27005. In essence, what was ISO 13335-3 is now part of ISO 27005.

ISO 13335-4
ISO 13335-4 outlined the ISO-recommended practices for selecting technical security controls or IT safeguards. ISO 13335-4 has also been replaced with ISO 27005.

ISO 13335-5
ISO 13335-5 was originally a set of guidelines on network security. ISO 13335-5 was replaced with ISO 18028-1 in 2006. ISO 18028-1 has since been revised by ISO 27033-1, released in 2009.



ISO 27005
ISO 27005 replaced several sections of the original ISO 13335 standard. ISO 27005 describes how organizations define their context, the areas for which they are responsible. Risks are identified and the severity of each risk is estimated during risk analysis. During risk treatment, the organization decides whether to accept the risk, mitigate its effects or work to prevent the risk from occurring. During risk monitoring, the group monitors the risks to the network. Some risks may disappear as more security hardware is installed, while others may grow due to user complacency or evolving security threats. For example, the risk that a server’s compromise would shut down a business is reduced when an off-site backup server is created with hot backups of the organization’s data. If the main server is compromised and is removed from the network to prevent hackers from using it to access other areas, the business simply switches over to the remote backup server and keeps going.

ISO Standard 24762 for Technical Disaster Recovery
ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services. ISO/IEC 24762:2008 specifies:

• the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities

• the capabilities which outsourced ICT DR service providers should possess and the practices they should follow so as to provide basic secure operating environments and facilitate organizations’ recovery efforts

• the guidance for selection of a recovery site

• the guidance for ICT DR service providers to continuously improve their ICT DR services



ISO Standard for BCM – 22301
ISO 22301 is a management systems standard for BCM which can be used by organizations of all sizes and types. These organizations will be able to obtain accredited certification against this standard and so demonstrate to legislators, regulators, customers, prospective customers and other interested parties that they are adhering to good practice in BCM. ISO 22301 also enables the business continuity manager to show top management that a recognized standard has been achieved. While ISO 22301 may be used for certification and therefore includes rather short and concise requirements describing the central elements of BCM, a more extensive guidance standard (ISO 22313) is being developed to provide greater detail on each requirement in ISO 22301. ISO 22301 may also be used within an organization to measure itself against good practice, and by auditors wishing to report to management. The influence of the standard will therefore extend well beyond those organizations that simply choose to be certified against it.

ISO/IEC 27031
ISO/IEC 27031 provides guidance on the concepts and principles behind the role of information and communications technology in ensuring business continuity. The standard:

• Suggests a structure or framework (actually a set of methods and processes) for any organization, whether private, governmental or non-governmental.

• Identifies and specifies all relevant aspects, including performance criteria, design and implementation details, for improving ICT readiness as part of the organization’s ISMS, helping to ensure business continuity.

• Enables an organization to measure its ICT continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.

IEEE Standards
IEEE has standardization activities in the network and information security space and in anti-malware technologies, including in the areas of encryption, fixed and removable storage and hardcopy devices, as well as applications of these technologies in smart grids.



Encryption
Approved standards:

• IEEE Std 1363-2000 IEEE Standard Specifications for Public-Key Cryptography [also 1363a-2004]

• IEEE Std 1363.1-2008 IEEE Standard Specification for Public-Key Cryptographic Techniques Based on Hard Problems over Lattices

• IEEE Std 1363.2-2008 IEEE Standard Specification for Password-Based Public Key Cryptographic Techniques

Fixed and Removable Storage
Approved standards:

• IEEE Std 1619-2007 IEEE Standard for Cryptographic Protection of Data on Block-Oriented Storage Devices

• IEEE Std 1619.1-2007 IEEE Standard for Authenticated Encryption with Length Expansion for Storage Devices

• IEEE Std 1619.2-2010 IEEE Standard for Wide-Block Encryption for Shared Storage Media

• IEEE Std 1667-2009 IEEE Standard Protocol for Authentication in Host Attachments of Transient Storage Devices

Security for Hardcopy Devices
Approved standards:

• IEEE Std 2600-2008 IEEE Standard for Information Technology: Hardcopy Device and System Security

• IEEE Std 2600.1-2009 IEEE Standard for a Protection Profile in Operational Environment A

• IEEE Std 2600.2-2009 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std. 2600 (TM)-2008 Operational Environment B

• IEEE Std 2600.3-2009 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std. 2600 (TM)-2008 Operational Environment C

• IEEE Std 2600.4-2010 IEEE Standard Protection Profile for Hardcopy Devices in IEEE Std. 2600 (TM)-2008 Operational Environment D



ISO 17799
ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing, maintaining and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management.

ISO/IEC 17799:2005 contains best practices of control objectives and controls in the following areas of information security management:
o security policy
o organization of information security
o asset management
o human resources security
o physical and environmental security
o communications and operations management
o access control
o information systems acquisition, development and maintenance
o information security incident management
o business continuity management
o compliance



The control objectives and controls in ISO/IEC 17799:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.

ISO 17799: The key components of the Standard. The Standard is divided into two parts:

• ISO 17799: Code of Practice for Information Security Management

• BS 7799 Part II: Specifies requirements for establishing, implementing and documenting an Information Security Management System (ISMS)



The standard has ten domains, which address key areas of Information Security Management.

1. Information security policy for the organization
This activity involves a thorough understanding of the organization’s business goals and its dependence on information security. The entire exercise begins with the creation of the IT security policy. This is an extremely important task and should convey the total commitment of top management. The policy cannot be a theoretical exercise: it should reflect the needs of the actual users. It should be implementable, easy to understand, and must balance the level of protection with productivity. The policy should cover all the important areas, such as personnel, physical, procedural and technical security.

2. Creation of information security infrastructure
A management framework needs to be established to initiate, implement and control information security within the organization. This needs proper procedures for approval of the information security policy, assignment of security roles and coordination of security across the organization.

3. Asset classification and control
One of the most laborious but essential tasks is to manage an inventory of all IT assets, which could be information assets, software assets, physical assets or other similar services. These information assets need to be classified to indicate the degree of protection required. The classification should result in appropriate information labelling to indicate whether the asset is sensitive or critical, and what procedures are appropriate for copying, storing, transmitting or destroying it.

4. Personnel security
Human errors, negligence and greed are responsible for most thefts, frauds or misuse of facilities. Various proactive measures that should be taken are: creation of personnel screening policies, confidentiality agreements, terms and conditions of employment, and information security education and training. Alert and well-trained employees who are aware of what to look for can prevent future security breaches.



5. Physical and environmental security
Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the starting point of any security plan. Activities include creating a physical security perimeter and entry controls; securing offices, rooms and facilities; providing physical access controls and protection devices to minimize risks ranging from fire to electromagnetic radiation; and providing adequate protection to power supplies and data cables. Cost-effective design and constant monitoring are two key aspects of maintaining adequate physical security control.

6. Communications and operations management
Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures. Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for remote equipment, including equipment in user areas. Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.



Exchange of information and software between external organizations should be controlled and should be compliant with any relevant legislation. There should be proper information and software exchange agreements. Media in transit need to be secured and should not be vulnerable to unauthorized access, misuse or corruption. Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as the Internet. Electronic commerce is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.

7. Access control
Access to information and business processes should be controlled on the basis of business and security requirements. This includes defining the access control policy and rules; user access management; user registration; privilege management; user password use and management; review of user access rights; network access controls; an enforced path from user terminal to computer; user authentication; node authentication; segregation of networks; network connection control; network routing control; operating system access control; user identification and authentication; use of system utilities; application access control; monitoring system access and use; and ensuring information security when using mobile computing and tele-working facilities.

8. System development and maintenance
Security should ideally be built in at the inception of a system. Hence security requirements should be identified and agreed prior to the development of information systems. This begins with security requirements analysis and specification, and providing controls at every stage, i.e. data input, data processing, data storage and retrieval, and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signatures, use of digital certificates, protection of cryptographic keys and the standards to be used for cryptography. A strict change control procedure should be in place to facilitate tracking of changes. Any changes to operating systems or software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.

9. Business Continuity Management
A business continuity management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could cause interruptions to business processes and, depending on the risk assessment, preparing a strategy plan. The plan needs to be periodically tested, maintained and re-assessed based on changing circumstances.

10. Compliance
It is essential that strict adherence is observed to the provisions of national and international IT laws pertaining to Intellectual Property Rights (IPR), software copyrights, safeguarding of organizational records, data protection and privacy of personal information, prevention of misuse of information processing facilities, regulation of cryptographic controls and collection of evidence. The use of Information Technology in business has also resulted in the enactment of laws that enforce responsibility for compliance. All legal requirements must be complied with to avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and of any security requirements.

BS 7799 (ISO 17799) and its relevance to Indian companies
Although Indian companies and the Government have invested in IT, the facts about theft and attacks on Indian sites and companies are alarming. Attacks and thefts on corporate websites are frequent and are usually kept under strict secrecy to avoid embarrassment before business partners, investors, media and customers. Huge losses sometimes go un-audited, and the only solution is to adopt a model that offers a long-run, business-led approach to Information Security Management. BS 7799 (ISO 17799) consists of 127 best security practices (covering the 10 domains discussed above) which Indian companies can adopt to build their security infrastructure. Even if a company decides not to go in for certification, the BS 7799 (ISO 17799) model helps companies maintain IT security through ongoing, integrated management of policies and procedures, personnel training, selecting and implementing effective controls, and reviewing their effectiveness and improvement. Additional benefits of an ISMS are improved customer confidence, a competitive edge, better personnel motivation and involvement, and reduced incident impact. Ultimately, this leads to increased profitability.



Security Standards Organizations

Internet Corporation for Assigned Names and Numbers (ICANN)
ICANN’s role is to oversee the huge and complex interconnected network of unique identifiers that allow computers on the Internet to find one another. To reach another person on the Internet you have to type an address into your computer - a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet.

ICANN was formed in 1998. It is a not-for-profit partnership of people from all over the world dedicated to keeping the Internet secure, stable and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers. This is commonly termed “universal resolvability” and means that wherever you are on the network – and hence the world – you receive the same predictable results when you access the network. Without this, you could end up with an Internet that worked entirely differently depending on your location on the globe.



International Organization for Standardization (ISO)
ISO (International Organization for Standardization) is an independent, non-governmental membership organization and the world’s largest developer of voluntary International Standards. It is made up of 162 member countries, which are the national standards bodies around the world, with a Central Secretariat based in Geneva, Switzerland. International Standards make things work. They give world-class specifications for products, services and systems, to ensure quality, safety and efficiency. They are instrumental in facilitating international trade. ISO has published more than 19 500 International Standards covering almost every industry, from technology, to food safety, to agriculture and healthcare. ISO International Standards impact everyone, everywhere.

Consultative Committee for Telephone and Telegraphy (CCITT)
The CCITT, now known as the ITU-T (the Telecommunication Standardization Sector of the International Telecommunications Union), is the primary international body for fostering cooperative standards for telecommunications equipment and systems. It is located in Geneva, Switzerland.

American National Standards Institute (ANSI)
The American National Standards Institute (ANSI) oversees the creation, promulgation and use of thousands of norms and guidelines that directly impact businesses in America in nearly every sector: from acoustical devices to construction equipment, from dairy and livestock production to energy distribution, and many more. ANSI is also actively engaged in accreditation, assessing the competence of organizations that determine conformance to standards.



Institute of Electrical and Electronics Engineers (IEEE)
IEEE is the world’s largest professional association dedicated to advancing technological innovation and excellence for the benefit of humanity. IEEE and its members inspire a global community through IEEE’s highly cited publications, conferences, technology standards, and professional and educational activities. IEEE, pronounced “Eye-triple-E,” stands for the Institute of Electrical and Electronics Engineers.



Electronic Industries Association (EIA)
The Electronic Industries Association (EIA) comprises individual organizations that together have agreed on certain data transmission standards such as EIA/TIA-232 (formerly known as RS-232). The Electronics Industries Alliance (EIA) is an alliance of trade organizations that lobby in the interest of companies engaged in the manufacture of electronics-related products.



National Institute of Standards and Technology (NIST)
Founded in 1901 and now part of the U.S. Department of Commerce, NIST is one of the nation’s oldest physical science laboratories. The US Congress established the agency to remove a major handicap to U.S. industrial competitiveness at the time. Today, NIST measurements support the smallest of technologies (nanoscale devices so tiny that tens of thousands can fit on the end of a single human hair) to the largest and most complex of human-made creations, from earthquake-resistant skyscrapers to wide-body jetliners to global communication networks.

The National Center for Standards and Certification Information (NCSCI), hosted by NIST, provides research services on standards, technical regulations and conformity assessment procedures for non-agricultural products. The Center is a central repository for standards-related information in the United States and has access to U.S., foreign and international documents and contact points through its role as the U.S. national inquiry point under the World Trade Organization Agreement on Technical Barriers to Trade. The Program maintains a database on NIST and Department of Commerce staff participation in standards-developing activities.



World Wide Web Consortium (W3C)
The World Wide Web Consortium (W3C) is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards. Led by Web inventor Tim Berners-Lee and CEO Jeffrey Jaffe, W3C’s mission is to lead the Web to its full potential.

Vision
W3C’s vision for the Web involves participation, sharing knowledge, and thereby building trust on a global scale. The following design principles guide W3C’s work.

Web for All
The social value of the Web is that it enables human communication, commerce, and opportunities to share knowledge. One of W3C’s primary goals is to make these benefits available to all people, whatever their hardware, software, network infrastructure, native language, culture, geographical location, or physical or mental ability.

Web on Everything
The number of different kinds of devices that can access the Web has grown immensely. Mobile phones, smart phones, personal digital assistants, interactive television systems, voice response systems, kiosks and even certain domestic appliances can all access the Web.

Web for Rich Interaction
The Web was invented as a communications tool intended to allow anyone, anywhere to share information. For many years, the Web was a “read-only” tool for many. Blogs and wikis brought more authors to the Web, and social networking emerged from the flourishing market for content and personalized Web experiences. W3C standards have supported this evolution thanks to strong architecture and design principles. Some people view the Web as a giant repository of linked data while others see it as a giant set of services that exchange messages. The two views are complementary, and which to use often depends on the application.

Web of Trust
The Web has transformed the way we communicate with each other. In doing so, it has also modified the nature of our social relationships. People now “meet on the Web” and carry out commercial and personal relationships, in some cases without ever meeting in person. W3C recognizes that trust is a social phenomenon, but technology design can foster trust and confidence. As more activity moves on-line, it will become even more important to support complex interactions among parties around the globe.

Web Application Security Consortium (WASC)
The Web Application Security Consortium (WASC) is a non-profit made up of an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web. As an active community, WASC facilitates the exchange of ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world utilize WASC’s materials to assist with the challenges presented by web application security.






4.4. Information Security Laws, Regulations & Guidelines

India
India’s Ministry of Communications and Information Technology (“Department of Information Technology”) has implemented the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“Privacy Rules”). Clarifications to the Privacy Rules were issued via a Press Note by the Ministry. India’s enabling legislation is India’s Information Technology Act 2000 (the “Act”). While India continues to adhere to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Rules) enacted in 2011, the Centre for Internet and Society presented a new Privacy (Protection) Bill, 2013 (Bill), on September 30, 2013. The Bill seeks to further refine provisions of the Rules, with a focus on protection of personal data through limitations on use and requirements for notice. The collection of personal data would be prohibited unless “necessary for the achievement of a purpose of the person seeking its collection,” and, subject to sections 6 and 7 of the Bill, “no personal data may be collected under this Act prior to the data subject being given notice, in such form and manner as may be prescribed, of the collection.” The Bill acknowledges the collection of data with and without consent; the regulation of personal data storage, processing, transfer, and security; and discusses the different types of disclosure.

• http://deity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf

• http://pib.nic.in/newsite/erelease.aspx?relid=74990

• http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan010239.pdf

Data Protection Authority and Registration Requirements
No specific data protection authority exists, but the Privacy Rules state that in the case of a breach, a “Body Corporate,” as defined under the Act, must answer to “the agency mandated under the law” (presumably, the Ministry). There are no registration requirements for the collection of data. However, the Data Security Council of India (the “DSCI”) provides a certification service by which organizations within India may become “DSCI Privacy Certified.”



Protected Personal Data

Personal information is defined as any information that relates to a natural person which, either directly or indirectly, in combination with other information available or likely to be available with a corporate entity, is capable of identifying such person. Sensitive personal data or information is defined as "personal information" consisting of information relating to any of the following: passwords; financial information such as bank account, credit card, debit card or other payment instrument details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; any detail relating to any of the above provided to a corporate entity for providing a service; and any of the above information received by a corporate entity for processing, stored or processed under lawful contract or otherwise. Data or information is not sensitive personal data if it is available in the public domain or furnished under the Right to Information Act, 2005.







Data Collection and Processing

The Privacy Rules apply to data collection, but do not define processing. The Privacy Rules require a Body Corporate that collects, receives, possesses, stores, deals with, or handles sensitive personal data or information to provide a privacy policy for the handling of such data and to ensure that the policy is available for viewing by the data subjects who have provided the information under contract. The policy shall provide for:

• clear and easily accessible statements of its practices and policies;
• the type of personal or sensitive personal data or information collected;
• the purpose of collection and usage of such information;
• the disclosure of information, including sensitive personal data or information; and
• reasonable security practices and procedures.

Data may be collected and processed when all of the following conditions are met:

• the data subject has provided written consent and is aware at the time of collection that the information is being collected, the purpose of collection, the intended recipients of the information, and the name and address of the agency that is collecting and will retain the information;
• the data subject has been provided with the option not to provide his/her sensitive personal data or information;
• the data subject is permitted to withdraw his/her consent, in writing, at any time;
• the information is collected for a lawful purpose connected with a function or activity of the Body Corporate or any person on its behalf; and
• the collection of the sensitive personal data or information is considered necessary for that lawful purpose.



Data Transfer

Disclosure of data to a third party requires the prior permission of the data subject, whether the information is provided under contract or otherwise, except in the following situations:

• the disclosure has already been agreed to in a contract;
• the disclosure is necessary for compliance with a legal obligation;
• the data is shared with government agencies with the authority to obtain the data for the purpose of verification of identity, or for the prevention, detection, investigation, prosecution, and punishment of offences, including cyber incidents; or
• the disclosure is pursuant to an order under the law.

Data may be transferred domestically or internationally to any person or Body Corporate that ensures the same level of data protection as is adhered to by the transferring Body Corporate, but the transfer is allowed only if:

• the data subject consents; or
• the transfer is necessary for the performance of a lawful contract between the Body Corporate (or any person on its behalf) and the data subject.



Data Security

A Body Corporate is required to implement reasonable security practices and procedures. The Privacy Rules indicate that reasonable practice methodologies include IS/ISO/IEC 27001 or other measures that have been pre-approved by the central government, and that these are subject to annual audits by a central government approved auditor.

Breach Notification

There is no mandatory requirement to report data security breach incidents under the Privacy Rules.

Other Considerations

Data retention rules state that information should not be retained longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law. A clarification to the Privacy Rules stating that a "Body corporate providing services relating to collection, storage, dealing or handling of sensitive personal data or information under contractual obligation with any legal entity located within or outside India is exempt from the requirement to obtain consent" was issued via Press Note by the Department of Information Technology. Accordingly, outsourcing service providers in India should be exempt from obtaining consent from the individuals whose data they process.

Enforcement & Penalties

A corporate entity may be liable for up to Rs. 50,000,000 for the negligent failure to implement and maintain reasonable security practices and procedures, causing wrongful loss or gain.

International Directory of Laws

This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. It is largely USA-focused but is used by international agencies as a reference point.









Broad laws:

• Sarbanes-Oxley Act (SOX)
• Payment Card Industry Data Security Standard (PCI DSS; a contractual industry standard rather than a law)
• Gramm-Leach-Bliley Act (GLBA)
• Electronic Fund Transfer Act, Regulation E (EFTA)
• Customs-Trade Partnership Against Terrorism (C-TPAT)
• Free and Secure Trade Program (FAST)
• Children's Online Privacy Protection Act (COPPA)
• Fair and Accurate Credit Transactions Act (FACTA), including the Red Flags Rule
• Federal Rules of Civil Procedure (FRCP)

Industry-specific laws:

• Federal Information Security Management Act (FISMA)
• North American Electric Reliability Corporation (NERC) standards
• Title 21 of the Code of Federal Regulations (21 CFR Part 11), Electronic Records
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Patient Safety and Quality Improvement Act (PSQIA, Patient Safety Rule)
• H.R. 2868: the Chemical Facility Anti-Terrorism Standards regulation









UNIT V Information Security Management – Roles and Responsibilities



This Unit covers:  Lesson Plan  Suggested Learning Activities  Training Resource Material 5.1. Information and Data Security Team Structure 5.2. Security Incident Response Team









LESSON PLAN

Outcomes (to be competent, you must be able to):
  PC1.  establish your role and responsibilities in contributing to managing information security
  PC10. obtain advice and guidance on information security issues from appropriate people, where required
  PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security

Performance Measures (ensuring):
  • Going through various organizations' websites and understanding their policies and guidelines (research)
  • Understand, summarize and articulate

Duration: 2 hrs

Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Lab availability (24/7)
  • Internet with WiFi (min 2 Mbps dedicated)
  • Networking equipment: routers and switches, firewalls and access points
  • Commercial tools such as HP WebInspect and IBM AppScan
  • Open source or freely available tools such as sqlmap and Nessus

You need to know and understand:
  KA3.  limits of your role and responsibilities and who to seek guidance from
  KA4.  the organizational systems, procedures and tasks/checklists within the domain and how to use these
  KA11. who to involve when managing information security

Performance Measures (mapped to knowledge areas):
  KA1. Going through various organizations' websites and understanding their policies and guidelines (research)
  KA2, KA3. Understand, summarize and articulate

Duration: 2 hrs

Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Lab availability (24/7)
  • Internet with WiFi (min 2 Mbps dedicated)









Suggested Learning Activities Activity 1:



Research various job titles and roles within the data security sub-sector. Meet industry representatives and compile a list of functions, qualification and experience requirements for each role. Present the same in class in groups. Activity 2:



Divide the students into various teams and ask them to research through industry interactions various teams in place in organisations, from different sectors, assigned to information security. Compare the variances between different types of companies and encourage students to debate and deliberate on various aspects of these including composition, liaising with different departments inside the organisation, interactions with other organisations, their functions, etc.









Training Resource Material

5.1 Information and Data Security Team Structure

With the growing importance and scope of information and data security, numerous organizational structures and configurations have been implemented to get a handle on the complexities associated with managing and protecting data. Information security governance begins at the top, with the Board of Directors and CEO enforcing accountability for adherence to standards and commissioning the development of security architectures that address the security requirements of the business as a whole. The auditing function might be its own group (or outsourced to a third party) and might report to the CEO or directly to the Board of Directors to maintain its independence.



Board of Directors

The Board of Directors is responsible for protecting the interests of the shareholders of the corporation. This duty of care (fiduciary responsibility) requires that it understand the risk to the business and its data. The Board of Directors is responsible for approving the appropriate resources necessary to safeguard data. It also needs to be kept aware of how the security program is performing.

Security Steering Committee

The Security Steering Committee has an important role in security governance; this group is responsible for setting the tactical and strategic direction for the organization as a whole. The group generally consists of the CEO, CFO, CIO/CISO, and the internal auditing function (or oversight if it is outsourced to a third party). Other business functions might also be present, such as Human Resources and business operational leaders, depending on the size and organizational complexity of the business. This team reviews audit results, risk assessments, and current program performance data. The committee also provides approval for any major policy or security strategy changes.

CEO or Executive Management

Senior management must answer to the Board of Directors and shareholders of a company. Furthermore, if the company is publicly traded, the CEO and CFO must personally attest to the accuracy and integrity of the financial reports the company issues. Executive management sets the tone and direction for the rest of the company and must be aware of the risks the company faces to the confidentiality, integrity, and availability of sensitive data.

CIO/CISO

The CIO/CISO is responsible for aligning the information security program strategy and vision to business requirements. The CIO/CISO ensures that the correct resources are in place to adhere to the policies and procedures set forth by the steering committee. This role generally reports to the CEO and Board of Directors and reports how the organization is performing relative to the company's goals and to similar organizations in the same industry.

Security Director

The security director's role is to coordinate the efforts for securing corporate assets. The responsibilities include reporting on the progress of initiatives to executive management and building the teams and resources to address the various tasks necessary for information security. This role also acts as a liaison to other aspects of the business to articulate security requirements throughout the company. The security director manages the teams in developing corporate data security policies, standards, procedures, and guidelines.

Security Analyst

A security analyst builds the policies, analyses risk, and identifies new threats to the business. Business continuity and disaster recovery planning are important functions performed by the analyst to prepare the company for the unexpected. The analyst is also responsible for creating reports about the performance of the organization's security systems.

Security Architect

A security architect defines the procedures, guidelines, and standards used by the company. Architects help to select the controls used to protect the company's data and make sure that the controls are sufficient for addressing the risk and complying with policy. This role is also responsible for testing security products and making recommendations about what will best serve the needs of the company.

Security Engineer

A security engineer implements the controls selected by the security architect. Security engineers are responsible for the maintenance of firewalls, IPS, and other tools. This includes upgrades, testing, patching, and overall maintenance of the security systems. This role might also be responsible for testing the functionality of equipment to make sure that it operates as expected.



Systems Administrator

A systems administrator is responsible for monitoring and maintaining the servers, printers, and workstations a company uses. In addition, administrators add and/or remove user accounts as necessary, control access to shared resources, and maintain company-wide antivirus software.

Database Administrator

The Database Administrator (DBA) has an important job in most companies. The DBA is responsible for designing and maintaining corporate databases and also for securing access to the data to ensure its integrity. The ramifications of lax security in this role can be severe, especially considering the reporting requirements mandated by SOX.

IS Auditor

An auditor's role in security governance is to assess the effectiveness in meeting the requirements set forth by policy and management direction. The auditor is tasked to identify risk and report on how the organization performs to upper management. The auditor provides an impartial review of projects and technologies to identify weaknesses that could result in loss to the company.

End User

End users have a critical role in security governance that is often overlooked. They must be aware of the impact their actions can have on the security of the company and be able to safeguard confidential information. They are responsible for complying with policies and procedures and following safe computing practices, such as not opening attachments without antimalware software running and not loading unauthorized software. A solid user security awareness program can help promote safe computing habits.



Figure: Hierarchical flowchart of all the roles with respect to information security, top to bottom:
  1. Board of Directors
  2. CEO
  3. CIO/CISO
  4. Security Director
  5. Security Analyst
  6. Security Architect
  7. Security Engineer
  8. Systems Administrator
  9. Database Administrator
  10. IS Auditor
  11. End User









5.2 Security Incident Response Team

The security incident response team is a group of individuals who have been trained in incident management, each having distinct response roles. The team works under the direction of the incident officer. The team is tasked with the following responsibilities:

• Processes IT security complaints or incidents.
• Assesses threats to IT resources.
• Alerts IT managers of imminent threats.
• Determines incident severity and escalates it, if necessary, with notification to the CTO and the president's senior staff.
• Coordinates security incidents (level 2 or 3) from discovery to closure.
• Reviews incidents, provides solutions/resolutions and closure.

Table-Top Exercise: Students are recommended to follow this link and perform an exercise on a security breach by assuming the various roles described in the exercise:
http://www.nascio.org/portals/0/awards/nominations2015/2015/2015PA12PA%20Cyber%20Continuity%20CIO%20Exercise%20DR%20Sec%20Biz%20Continuity%20NASCIO%202015%20FINAL.pdf















UNIT VI Information Security Performance Metrics



This Unit covers:  Lesson Plan  Suggested Learning Activities  Training Resource Material 6.1. Introduction – Security Metrics 6.2. Types of Security Metrics 6.3. Using Security Metrics 6.4. Developing the Metrics Process 6.5. Metrics and Reporting 6.6. Designing Information Security Measuring Systems









LESSON PLAN

Outcomes (to be competent, you must be able to):
  PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people
  PC3. carry out security assessment of information security systems using automated tools
  PC9. update your organization's knowledge base promptly and accurately with information security issues and their resolution
  PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

Performance Measures (ensuring):
  • QA session and a descriptive write-up on understanding
  • Group presentation and peer evaluation along with faculty
  • Team work (IM and chat applications) and group activities (online forums), including templates to be prepared
  • Project charter, architecture (charts), project plan, poster presentation and execution plan
  • Creation of templates based on the learnings

Duration: 4 hrs

Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Lab availability (24/7)
  • Internet with WiFi (min 2 Mbps dedicated)
  • Networking equipment: routers and switches, firewalls and access points
  • Access to security standards sites such as ISO and PCI DSS
  • Commercial tools such as HP WebInspect and IBM AppScan
  • Open source or freely available tools such as sqlmap and Nessus

You need to know and understand:
  KA1.  your organization's policies, procedures, standards and guidelines for managing information security
  KA2.  your organization's knowledge base and how to access and update this
  KA10. how to access and analyze information security performance metrics
  KA11. who to involve when managing information security
  KA12. your organization's information security systems and tools and how to access and maintain these
  KA13. standard tools and templates available and how to use these
  KB3.  common issues and variances of performance metrics that require action and who to report these to

Performance Measures (mapped to knowledge areas):
  KA1. QA session and a descriptive write-up on understanding
  KA2. Group presentation and peer evaluation along with faculty
  KA10, KA11. Team work (IM and chat applications) and group activities (online forums), including templates to be prepared
  KA12. Project charter, architecture (charts), project plan, poster presentation and execution plan
  KA13. Creation of templates based on the learnings

Duration: 12 hrs

Work Environment / Lab Requirement: as listed above









Suggested Learning Activities

Activity 1: Ask the class to form teams, gather as much information as possible from industry, and research the various information security performance metrics organisations use. Encourage students to discuss the challenges in identifying and monitoring these metrics and in drawing inferences about performance from them.

Activity 2: Ask students to develop performance metrics for various aspects of their own academic and non-academic behaviours and track these over a period of a week. Let them draw inferences from this monitoring. At the end of the week, let them present the object of their study, the metric they chose, the challenges in implementing the metric, and how they drew their inferences. Encourage the class to debate the inferences and their validity.

Activity 3: Ask the students to research the various information security companies offering products and services for tracking and instituting performance metrics systems in organisations. Ask students to compare the services and present their features, benefits and limitations.









Training Resource Material

6.1 Introduction – Security Metrics

It helps to understand what metrics are by drawing a distinction between metrics and measurements. Measurements provide single-point-in-time views of specific, discrete factors, while metrics are derived by comparing two or more measurements taken over time with a predetermined baseline. Measurements are generated by counting; metrics are generated from analysis. In other words, measurements are objective raw data and metrics are either objective or subjective human interpretations of those data.

In the face of regular, high-profile news reports of serious security breaches, as well as intense scrutiny of institutional costs, security managers are more than ever being held accountable for demonstrating the effectiveness of their security programs. What means should managers use to meet this challenge? Key among these should be security metrics. This section provides a definition of security metrics, explains their value, discusses the difficulties in generating them, suggests a methodology for building a security metrics program, and reviews factors that affect its ongoing success.

Good metrics are SMART: specific, measurable, attainable, repeatable, and time-dependent. Truly useful metrics indicate the degree to which security goals, such as data confidentiality, are being met, and they drive actions taken to improve an organization's overall security program. Distinguishing metrics meaningful primarily to those with direct responsibility for security management from those that speak directly to executive management interests and issues is critical to the development of an effective security metrics program.

While there are multiple ways to categorize metrics, guidance from the National Institute of Standards and Technology (NIST) does this in a way that is more helpful than simply providing tag names for metric groupings. The Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1, which uses the term "measures") divides security metrics into three categories and links each to a level of security program maturity. The categories are:

• Implementation – metrics used to show progress in implementing policies and procedures and individual security controls
• Effectiveness/efficiency – metrics used to monitor the results of security control implementation for a single control or across multiple controls
• Impact – metrics used to convey the impact of the information security program on the institution's mission, often by quantifying the cost avoidance or risk reduction produced by the overall program

Before expending resources, it is essential that the goals and objectives of the security program be articulated.






6.2. Types of Security Metrics

Three distinct types of metrics, classified according to level:

• Strategic security metrics: these are measures concerning the information security elements of high-level business goals, objectives and strategies. For example, if the organization needs to bolster its information security capabilities and competences in order to support various business initiatives without expanding the budget, metrics concerning the efficiency and effectiveness of information security are probably relevant. Broad-brush metrics relating to information security risks, capabilities and value tend to exist at this high level. The reporting period may be one or more years.

• Security management metrics: there are numerous facets to managing information security risks that could be measured, hence many possible metrics. We recommend making a special effort to identify management metrics that directly relate to achieving specific business objectives for information security, supplementing those that are needed to manage the information security department, function or team just like any other part of the business (e.g. expenditure against budget). Management-level metrics tend to be reported/updated on a monthly or quarterly basis. Metrics concerning information security projects/initiatives (e.g. implementing two-factor authentication) and the information security management system (e.g. security incident statistics) are typical examples.

• Operational security metrics: at the lowest level of analysis, most information security controls, systems and processes need to be measured in order to operate and control them. Metrics supporting security operations are normally only of direct concern to those managing and performing security activities. They include both technical and non-technical security metrics that are often updated on a weekly, daily or hourly basis. They are unlikely to be of much interest or value beyond the information security and related technical functions, although some



Another classification is by object of measurement:

• Process security metrics: these measure processes and procedures. Examples are the number of policy violations, the percentage of systems with formal risk assessments, the percentage of systems with tested security controls, the percentage of weak (non-compliant) passwords, the number of identified risks and their severity, the percentage of systems with contingency plans, etc. These are usually compliance/governance driven. While they generally support better security, their actual impact is hard to define.

• Network security metrics: these are driven by products (firewalls, IDS, etc.). Readily available and widely used, they give a sense of control and usually come with some level of data presentation through charts and interfaces. They can be misleading, though. Examples are successful/unsuccessful logons, number of incidents, number of viruses blocked, number of patches applied, amount of spam blocked, number of virus infections, number of port probes, traffic analysis, etc.

• Software security metrics: software measures are usually troublesome (LOC, function points, complexity, etc.). These metrics are context-sensitive, environment-dependent and architecture-dependent. Examples are size and complexity, defects per LOC, defects (by severity and type) over time, cost per defect, attack surface (number of interfaces), layers of security, and design flaws.

• People security metrics: these are usually relevant but unreliable, as people's behaviour is difficult to model; biases and non-standard responses make it difficult to predict. Examples include the number of associates/contractors that have completed information security policy training, team size, etc.

• Other

A sample list of metrics is given below. These metrics cover the following business functions:

Application Security
  o Number of Applications
  o Percentage of Critical Applications
  o Risk Assessment Coverage
  o Security Testing Coverage

Configuration Change Management
  o Mean-Time to Complete Changes
  o Percent of Changes with Security Review
  o Percent of Changes with Security Exceptions

Financial
  o Information Security Budget as % of IT Budget
  o Information Security Budget Allocation

Incident Management
  o Mean-Time to Incident Discovery
  o Incident Rate
  o Percentage of Incidents Detected by Internal Controls
  o Mean-Time Between Security Incidents
  o Mean-Time to Recovery

Patch Management
  o Patch Policy Compliance
  o Patch Management Coverage
  o Mean-Time to Patch

Vulnerability Management
  o Vulnerability Scan Coverage
  o Percent of Systems Without Known Severe Vulnerabilities
  o Mean-Time to Mitigate Vulnerabilities
  o Number of Known Vulnerability Instances
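The distinction drawn in 6.1 between measurements (raw counts taken at a point in time) and metrics (derived by analysis and comparison with a baseline), together with the Incident Management, Patch Management and Vulnerability Management items in the sample list above, as an added worked example in Python. This is not code from the handbook: the incident records, hostnames, observation window and target values are all constructed for illustration, and the metric definitions are the straightforward readings of the names in the list.

```python
"""Added example (not from the handbook): deriving several of the sample
metrics listed above from constructed raw measurements, then grading a
metric against an assumed target the way a traffic-light report does."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Incident:
    ident: str
    occurred: datetime         # start of attacker activity, from forensics
    discovered: datetime       # when the organisation became aware
    recovered: datetime        # when normal operation was restored
    detected_internally: bool  # found by own controls, not reported by an outsider


@dataclass(frozen=True)
class Host:
    name: str
    in_scan_scope: bool    # covered by the vulnerability scanner
    severe_vulns: int      # open high/critical findings from the last scan
    patch_compliant: bool  # required patches applied within the policy window


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample measurements: single points in time, produced by counting.
SAMPLE_INCIDENTS = [
    Incident("INC-001", _t("2015-03-01 09:00"), _t("2015-03-03 09:00"), _t("2015-03-04 09:00"), True),
    Incident("INC-002", _t("2015-03-10 12:00"), _t("2015-03-10 18:00"), _t("2015-03-11 06:00"), True),
    Incident("INC-003", _t("2015-03-20 00:00"), _t("2015-03-27 00:00"), _t("2015-03-28 12:00"), False),
]
SAMPLE_HOSTS = [
    Host("web-01", True, 0, True),
    Host("web-02", True, 2, False),
    Host("db-01", True, 0, True),
    Host("legacy-01", False, 0, False),  # never scanned: its exposure is unknown
]
OBSERVATION_WINDOW = timedelta(days=31)  # assumed: the incidents above are one month's worth


def _hours(d: timedelta) -> float:
    return d.total_seconds() / 3600.0


# Incident Management metrics
def mean_time_to_discovery(incs: list[Incident]) -> float:
    """Hours from first attacker activity to awareness, averaged over incidents."""
    return mean(_hours(i.discovered - i.occurred) for i in incs)

def mean_time_to_recovery(incs: list[Incident]) -> float:
    """Hours from discovery to restored operation, averaged over incidents."""
    return mean(_hours(i.recovered - i.discovered) for i in incs)

def mean_time_between_incidents(incs: list[Incident]) -> Optional[float]:
    """Mean gap in hours between consecutive incident start times; None if fewer than two."""
    starts = sorted(i.occurred for i in incs)
    if len(starts) < 2:
        return None
    return mean(_hours(b - a) for a, b in zip(starts, starts[1:]))

def pct_detected_by_internal_controls(incs: list[Incident]) -> float:
    return 100.0 * sum(i.detected_internally for i in incs) / len(incs)

def incident_rate(incs: list[Incident], window: timedelta,
                  per: timedelta = timedelta(days=30)) -> float:
    """Incidents seen in the observation window, normalised to a 30-day period."""
    return len(incs) * (per / window)


# Patch Management and Vulnerability Management metrics
def patch_policy_compliance(hosts: list[Host]) -> float:
    return 100.0 * sum(h.patch_compliant for h in hosts) / len(hosts)

def vulnerability_scan_coverage(hosts: list[Host]) -> float:
    return 100.0 * sum(h.in_scan_scope for h in hosts) / len(hosts)

def pct_without_known_severe_vulns(hosts: list[Host]) -> Optional[float]:
    """Share of scanned hosts with no open severe findings. An unscanned host has
    no 'known' vulnerabilities only because nobody looked; counting it as clean
    would inflate the metric, so the denominator is scanned hosts only."""
    scanned = [h for h in hosts if h.in_scan_scope]
    if not scanned:
        return None
    return 100.0 * sum(h.severe_vulns == 0 for h in scanned) / len(scanned)


# Measurement to metric: compare a value with a predetermined target.
def traffic_light(value: float, target: float, tolerance: float,
                  lower_is_better: bool) -> str:
    """'green' if the target is met, 'amber' if within tolerance of it, else 'red'."""
    gap = (value - target) if lower_is_better else (target - value)
    if gap <= 0:
        return "green"
    return "amber" if gap <= tolerance else "red"


if __name__ == "__main__":
    mttd = mean_time_to_discovery(SAMPLE_INCIDENTS)
    print(f"MTTD {mttd:.1f} h -> {traffic_light(mttd, 24.0, 24.0, True)}")  # assumed target: 24 h
    print(f"MTTR {mean_time_to_recovery(SAMPLE_INCIDENTS):.1f} h")
    print(f"Incident rate {incident_rate(SAMPLE_INCIDENTS, OBSERVATION_WINDOW):.2f} per 30 days")
    print(f"Scan coverage {vulnerability_scan_coverage(SAMPLE_HOSTS):.0f} %")
    print(f"Clean (of scanned) {pct_without_known_severe_vulns(SAMPLE_HOSTS):.1f} %")
```

Two points worth noting: Vulnerability Scan Coverage and Percent of Systems Without Known Severe Vulnerabilities must be read together, since the second is only meaningful over the hosts the first says were actually scanned; and the traffic-light grade is what turns a measurement into a metric, because it is the comparison with a baseline, not the count, that tells management whether action is needed.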

























6.3 Using Security Metrics

Using security metrics involves data acquisition. This may be automated or manual. How far data collection can be automated depends on the availability of data from automated sources versus the availability of data from people. Manual data collection involves developing questionnaires and conducting interviews and surveys with the organization's staff.

More useful data becomes available from semi-automated and automated data sources, such as self-assessment tools, certification and accreditation (C&A) databases, incident reporting and response databases, and other data sources, as a security program matures. Metrics data collection is fully automated when all data is gathered from automated data sources without human involvement or intervention.



6.4 Developing the Metrics Process

At a high level, the steps for establishing a metrics program are:

o Define goals and objectives
o Determine information goals
o Develop metrics models
o Determine metrics reporting format and schedule
o Implement metrics
o Set benchmarks and targets
o Establish a formal review cycle









6.5 Metrics and Reporting

There are a number of challenges often encountered in organizations that are about to implement, or are already implementing, an information security metrics programme (ISMP). Many of these arise from stakeholders' misconceptions and erroneous expectations regarding metrics (IATAC, 2009); these include:

• Measurement efforts are finite (while in reality a metrics programme is aimed at continual improvement and long-term benefits).
• Data for metrics support is readily accessible and conducive to measurement (in many cases, depending on the maturity of IS management, the size and structure of the organization, et cetera, this may not be so, and changes to the existing data collection and analysis processes may have to be made, especially toward higher levels of standardization, to make metrics effective and efficient).
• Metrics provide quick returns (this again depends on factors such as the maturity of IS management; expecting business impact metrics from an ISMS that does not have the capability to effectively provide them is unrealistic, for instance).
• Metrics can be automated easily/rapidly (attempting to automate measures that have not yet been thoroughly tested and proven to be effective can be ultimately counterproductive).
• Measures should help ensure maximum ROI (while not unreasonable per se, this often receives a high priority at the expense of the other facets of measurement, which get neglected, and, once again, the capability of IS management to deliver on these expectations is not always fully considered).

The lack of consensus definitions and vocabulary, and of a broadly accepted model for mapping IS metrics to organizational structure and clearly illustrating how lower-level metrics roll up into higher-level ones in a meaningful way, can contribute to this problem (although efforts are being made to rectify these issues). Without a good model or methodology for rolling up quantitative measures, security professionals often struggle to find a compromise between reporting methods that are too technical for senior management and ones that impair the utility of a metric through oversimplification.

The frequency of reports depends on organizational norms, the volume and gravity of the information available, and management requirements. Regular reporting periods may vary from daily or weekly to monthly, quarterly, six-monthly or annual. The longer periods are more likely to identify and discuss trends and strategic issues, and to include status reports on security-relevant development projects, information security initiatives and so forth; in other words, they provide the context needed to make sense of the numbers.






Here are some options for your consideration:

• An annual, highly confidential Information Security Report for the CEO, the Board and other senior management (including Internal Audit). This report might include commentary on the success or otherwise of specific security investments. A forward-looking section can help to set the scene for planned future investments, and is a good opportunity to point out the ever-changing legal and regulatory environment and the corresponding personal liabilities on senior managers.
• Quarterly status reports to the most senior body directly responsible for information security, physical security, risk and/or governance. Traffic-light status reports are common and KPIs may be required, but the Information Security Manager's commentary (supplemented or endorsed by that of the CTO/CIO) is a good value add.
• Monthly reports to the CTO/CIO, listing projects participated in and security incidents, along with their monetary value (the financial impacts do not need to be precisely accurate; they are used to indicate the scale of losses).






6.6 Designing information security measurement systems

In order to design an information security measurement system one has to ask the following fundamental questions.

1. What are we going to measure? Identifying the right metrics: we shouldn't implement a measurement process if we don't intend to follow it routinely and systematically; we need repeatable and reliable measures. We shouldn't capture data that we don't intend to analyse, as that is simply an avoidable cost. We shouldn't analyse data if we don't intend to make practical use of the results.

2. How will we measure things? Where will the data come from and where will it be stored? If the source information is not already captured and available, there will be a need to put in place the processes to gather it. This in turn raises the issue of who will capture the data. Will it be centralized or will we distribute the data collection processes? If departments and functions outside central control are reporting, how far can they be trusted not to manipulate the figures? Will they meet deadlines and formatting requirements? How much data gathering and reporting can be automated?

3. How will we report? What do senior management actually want? To get senior management buy-in it is important to discuss the purpose and outputs with managers and peers. Provide alternative formats initially to assess their preference. It may be necessary to report differently from other functions in the organization, using different presentation formats as well as different content. Managers are likely to feel more comfortable with conventional management reports, so look at a range of sample reports to pick out the style cues.

4. How should we implement our reporting system? When developing metrics, it's worth testing out the feasibility and effectiveness of the measurement processes and the usefulness of the chosen metrics on a limited scale before rolling them out across the entire corporation. Pilot studies or trials are useful ways to iron out any glitches in the processes for collecting and analysing metrics, and for deciding whether the metrics are truly indicative of what you are trying to measure. Even after the initial trial period, continuous feedback on the metrics can help to refine the measurement system. Changes in both the organization and the information security risks it faces mean that some metrics are likely to become outdated over time.

5. Setting targets. Measuring and reporting leads to the identification and benchmarking of Key Performance Indicators (KPIs) and then to tracking measures to evaluate performance. Before publishing the chosen metrics it is important to figure out which ones would truly indicate progress towards the organization's information security goals.
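The roll-up problem and the traffic-light reporting described in 6.5, together with the targets and KPIs of 6.6, as an added Python example that is not from the handbook: measures reported by several business units are rolled up into one organisation-level status per metric, and the worst unit is kept beside the average so the roll-up does not oversimplify. Metric names, targets, benchmarks, weights and figures are constructed assumptions.

```python
"""Rolling low-level security metrics up into traffic-light KPIs.

Metric names, weights, thresholds and unit figures are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Metric:
    name: str
    target: float               # "green" once this is met (the KPI target)
    benchmark: float            # minimum acceptable level; below it is "red"
    higher_is_better: bool = True


_RANK = {"green": 0, "amber": 1, "red": 2}


def _score(metric: Metric, value: float) -> float:
    """Orient a value so that larger is always better."""
    return value if metric.higher_is_better else -value


def status(metric: Metric, value: float) -> str:
    """Traffic-light status of one measurement against its target and benchmark."""
    if _score(metric, value) >= _score(metric, metric.target):
        return "green"
    if _score(metric, value) >= _score(metric, metric.benchmark):
        return "amber"
    return "red"


def worst(statuses: Iterable[str]) -> str:
    return max(statuses, key=_RANK.__getitem__)


def roll_up(metrics: List[Metric], unit_values: Dict[str, Dict[str, float]],
            weights: Dict[str, float]) -> Dict[str, Dict]:
    """Roll per-unit measurements up to one organisation-level figure per metric.

    The aggregate is the weighted mean (weights such as headcount or system
    count), but the worst-performing unit is reported beside it so that a green
    average cannot silently mask a red unit: the oversimplification the text
    warns about.
    """
    total = sum(weights.values())
    report = {}
    for m in metrics:
        aggregate = sum(unit_values[u][m.name] * weights[u] for u in unit_values) / total
        worst_unit = min(unit_values, key=lambda u: _score(m, unit_values[u][m.name]))
        agg_status = status(m, aggregate)
        unit_status = status(m, unit_values[worst_unit][m.name])
        report[m.name] = {
            "value": round(aggregate, 2),
            "status": agg_status,
            "worst_unit": worst_unit,
            "worst_unit_status": unit_status,
            "masked": _RANK[unit_status] > _RANK[agg_status],
        }
    return report


def overall(report: Dict[str, Dict]) -> Dict:
    """One status for the top of the report, plus the metrics whose aggregate hides
    a worse unit so the manager's commentary can call them out."""
    return {
        "status": worst(r["status"] for r in report.values()),
        "masked": sorted(n for n, r in report.items() if r["masked"]),
    }


def trend(metric: Metric, series: List[float], band: float = 0.02) -> str:
    """Direction across consecutive reporting periods (oldest first): the last
    value against the first, treating movement within +/-band as noise."""
    first, last = series[0], series[-1]
    if abs(last - first) <= band * abs(first):
        return "flat"
    improved = _score(metric, last) > _score(metric, first)
    return "improving" if improved else "worsening"


# Constructed metric definitions and one month of figures from three business units.
METRICS = [
    Metric("patch_compliance_pct", target=95, benchmark=85),
    Metric("days_to_close_incident", target=5, benchmark=10, higher_is_better=False),
    Metric("awareness_training_pct", target=90, benchmark=75),
]
UNIT_VALUES = {
    "Finance":     {"patch_compliance_pct": 97, "days_to_close_incident": 4, "awareness_training_pct": 92},
    "Engineering": {"patch_compliance_pct": 98, "days_to_close_incident": 6, "awareness_training_pct": 91},
    "Operations":  {"patch_compliance_pct": 84, "days_to_close_incident": 7, "awareness_training_pct": 90},
}
WEIGHTS = {"Finance": 100, "Engineering": 300, "Operations": 100}   # headcount per unit

if __name__ == "__main__":
    rolled = roll_up(METRICS, UNIT_VALUES, WEIGHTS)
    for name, row in rolled.items():
        print(f"{name:24} {row['value']:>7} {row['status']:6} worst: {row['worst_unit']} "
              f"({row['worst_unit_status']}){'  <- masked' if row['masked'] else ''}")
    print(overall(rolled))
```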






UNIT VII Risk Assessment

This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material

7.1. Risk Overview
7.2. Risk Identification
7.3. Risk Analysis
7.4. Risk Treatment
7.5. Risk Management Feedback Loops
7.6. Risk Monitoring






LESSON PLAN

Outcomes: To be competent, you must be able to:
  PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
  PC11. comply with your organization's policies, standards, procedures and guidelines when contributing to managing information security
Duration (Hrs): 4 hrs
Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Labs availability (24/7)
  • Internet with WiFi (Min 2 Mbps Dedicated)
  • Access to all security sites like ISO, PCI DSS, Center for Internet Security

Outcomes: You must know and understand:
  KA6. how to carry out information security assessments
  KA13. standard tools and templates available and how to use these
  KB4. how to identify and resolve information security vulnerabilities and issues
Performance Measures (Ensuring):
  KA6, KA7, KA8. Peer review with faculty with appropriate feedback.
  KA13. Creation of templates based on the learnings.
  KB1 – KB4. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.
Duration (Hrs): 4 hrs
Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Labs availability (24/7)
  • Internet with WiFi (Min 2 Mbps Dedicated)
  • Access to all security sites like ISO, PCI DSS, Center for Internet Security






Suggested Learning Activities

Activity 1:
The students should be encouraged to research various risks for their institute in the area of information security. They should prepare a process report highlighting their approach towards identifying, recording, monitoring, analysing and treating risk. The approach should be shared with the faculty and the report should be submitted for evaluation. The student or group which addresses a risk effectively, especially by instigating a real change in practices, policy, etc., should be recognised and applauded by the faculty.






Training Resource Material

7.1 Risk Overview

Risk: a probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through pre-emptive action.

Risk assessments, whether they pertain to information security or other types of risk, are a means of providing decision makers with the information needed to understand factors that can negatively influence operations and outcomes, and to make informed judgments concerning the extent of actions needed to reduce risk. As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the types of risk being considered, all risk assessments generally include the following elements.

• Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
• Estimating the likelihood that such threats will materialize, based on historical information and the judgment of knowledgeable individuals.
• Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize, in order to determine which operations and assets are the most important.
• Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs.
• Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls.
• Documenting the results and developing an action plan.

There are various models and methods for assessing risk, and the extent of an analysis and the resources expended can vary depending on the scope of the assessment and the availability of reliable data on risk factors. In addition, the availability of data can affect the extent to which risk assessment results can be reliably quantified. A quantitative approach generally estimates the monetary cost of risk and risk reduction techniques based on (1) the likelihood that a damaging event will occur, (2) the costs of potential losses, and (3) the costs of mitigating actions that could be taken. When reliable data on likelihood and costs are not available, a qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium, and low. In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment. It is also possible to use a combination of quantitative and qualitative methods.






7.2 Risk Identification

Risk identification is the process of determining risks that could potentially prevent the program, enterprise, or investment from achieving its objectives. It includes documenting and communicating the concern. The objective of risk identification is the early and continuous identification of events that, if they occur, will have negative impacts on the project's ability to achieve performance or capability outcome goals. They may come from within the project or from external sources.

There are multiple types of risk assessments, including program risk assessments, risk assessments to support an investment decision, analysis of alternatives, and assessments of operational or cost uncertainty. Risk identification needs to match the type of assessment required to support risk-informed decision making. For an acquisition program, the first step is to identify the program goals and objectives, thus fostering a common understanding across the team of what is needed for program success. This gives context and bounds the scope by which risks are identified and assessed.

There are multiple sources of risk. For risk identification, the project team should review the program scope, cost estimates, schedule (to include evaluation of the critical path), technical maturity, key performance parameters, performance challenges, stakeholder expectations vs. current plan, external and internal dependencies, implementation challenges, integration, interoperability, supportability, supply-chain vulnerabilities, ability to handle threats, cost deviations, test event expectations, safety, security, and more. In addition, historical data from similar projects, stakeholder interviews, and risk lists provide valuable insight into areas for consideration of risk.

Risk identification is an iterative process. As the program progresses, more information will be gained about the program (e.g., specific design), and the risk statement will be adjusted to reflect the current understanding. New risks will be identified as the project progresses through the life cycle.






7.3 Risk Analysis

Risk Analysis, the next step in the risk assessment program, requires an entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected information held by the entity.

In other words, risk analysis, which is a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible damage in order to determine where to implement security safeguards.

Risk analysis steps:
• Identify the scope of the analysis.
• Gather data.
• Identify and document potential threats and vulnerabilities.
• Assess current security measures.
• Determine the likelihood of threat occurrence.
• Determine the potential impact of threat occurrence.
• Determine the level of risk.
• Identify security measures and finalize documentation.

A risk analysis has four main goals:
• Identify assets and their values
• Identify vulnerabilities and threats
• Quantify the probability and business impact of these potential threats
• Provide an economic balance between the impact of the threat and the cost of the countermeasure






7.4 Risk Evaluation

The risk evaluation process receives as input the output of the risk analysis process. It compares each risk level against the risk acceptance criteria and prioritises the risk list, adding risk treatment indications.



7.5 Risk Treatment

Risk treatment efforts should be undertaken to mitigate identified risks, using appropriate administrative, technical and physical controls. Treatment includes:
• applying appropriate controls to avoid, eliminate or reduce risks;
• transferring some risks to third parties as appropriate (e.g., by insurance);
• knowingly and objectively accepting some risks; and
• documenting the risk treatment choices made, and the reasons for them.

Risk treatments should take account of:
• legal-regulatory and private certificatory requirements;
• organizational objectives, operational requirements and constraints; and
• costs of implementation and operation relative to the risks being reduced.

Risk treatment strategies include:

Risk reduction
Taking the mitigation steps necessary to reduce the overall risk to an asset. Often this will include selecting countermeasures that will either reduce the likelihood of occurrence or reduce the severity of loss, or achieve both objectives at the same time. Countermeasures can include technical or operational controls or changes to the physical environment. For example, the risk of computer viruses can be mitigated by acquiring and implementing antivirus software. When evaluating the strength of a control, consideration should be given to whether the controls are preventative or detective. The remaining level of risk after the controls/countermeasures have been applied is often referred to as "residual risk." An organization may choose to undergo a further cycle of risk treatment to address this.










Risk sharing/transference
The organization shares its risk with third parties through insurance and/or service providers. Insurance is a post-event compensatory mechanism used to reduce the burden of loss if the event were to occur. Transference is the shifting of risk from one party to another. For example, when hard-copy documents are moved offsite for storage at a secure-storage vendor location, the responsibility and costs associated with protecting the data transfer to the service provider. The cost of storage may include compensation (insurance) if documents are damaged, lost, or stolen.

Risk avoidance
The practice of eliminating the risk by withdrawing from or not becoming involved in the activity that allows the risk to be realized. For example, an organization decides to discontinue a business process in order to avoid a situation that exposes the organization to risk.

Risk acceptance
An organization decides to accept a particular risk because it falls within its risk-tolerance parameters and therefore agrees to accept the cost when it occurs. Risk acceptance is a viable strategy where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are accepted by default.
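The quantitative approach of 7.1 carried through the evaluation step of 7.4 to the treatment indications of 7.5, as an added Python example that is not from the handbook: expected loss is likelihood times cost of loss, each risk is compared with the acceptance criteria and prioritised, and the treatment option with the best net benefit (if any) is chosen together with its residual risk; an insurance option that costs more than the loss it avoids falls through to acceptance, as the text describes. The expected-loss bands, tolerance, risks and option costs are constructed assumptions.

```python
"""Risk evaluation and treatment selection over a constructed risk register (sample figures)."""
from dataclasses import dataclass
from typing import Dict, List, Optional
LEVELS = ("low", "medium", "high")

@dataclass(frozen=True)
class Risk:
    name: str
    loss: float                        # potential loss if the threat materialises, incl. recovery
    likelihood: Optional[float]        # estimated probability per year; None = no reliable data
    qualitative: Optional[str] = None  # assessor's high/medium/low, used when likelihood is None

@dataclass(frozen=True)
class Treatment:
    kind: str                        # "reduce" (countermeasure) or "transfer" (insurance/provider)
    name: str
    annual_cost: float               # cost of the mitigating action
    likelihood_factor: float = 1.0   # residual likelihood = likelihood * factor
    loss_factor: float = 1.0         # residual loss = loss * factor (e.g. share retained)

@dataclass(frozen=True)
class AcceptanceCriteria:
    max_expected_loss: float           # annual expected loss the organisation tolerates
    medium_from: float                 # expected-loss bands that give low/medium/high
    high_from: float
    accepted_levels: tuple = ("low",)  # qualitative levels accepted without treatment

def expected_loss(loss: float, likelihood: float) -> float:
    return loss * likelihood  # quantitative risk: likelihood of the event times cost of the loss

def risk_level(risk: Risk, c: AcceptanceCriteria) -> str:
    """Band the expected loss when likelihood is known, else use the qualitative judgment."""
    if risk.likelihood is None:
        if risk.qualitative not in LEVELS:
            raise ValueError(f"{risk.name}: qualitative level required when no likelihood data")
        return risk.qualitative
    el = expected_loss(risk.loss, risk.likelihood)
    return "high" if el >= c.high_from else "medium" if el >= c.medium_from else "low"

def is_acceptable(risk: Risk, c: AcceptanceCriteria) -> bool:
    if risk.likelihood is None:
        return risk_level(risk, c) in c.accepted_levels
    return expected_loss(risk.loss, risk.likelihood) <= c.max_expected_loss

def residual(risk: Risk, t: Treatment) -> float:
    """Expected loss remaining once the treatment is in place (residual risk)."""
    return expected_loss(risk.loss * t.loss_factor, risk.likelihood * t.likelihood_factor)

def select_treatment(risk: Risk, options: List[Treatment], c: AcceptanceCriteria) -> Dict:
    """Largest net benefit (loss avoided minus cost) wins; an option costing more than it
    avoids is rejected, so the risk is accepted by default with the reason recorded."""
    el = expected_loss(risk.loss, risk.likelihood)
    best, best_net = None, 0.0
    for t in options:
        net = (el - residual(risk, t)) - t.annual_cost
        if net > best_net:
            best, best_net = t, net
    if best is None:
        return {"treatment": "accept", "option": None, "residual": round(el, 2),
                "reason": "no option reduces expected loss by more than it costs",
                "further_cycle": el > c.max_expected_loss}  # still above tolerance: revisit
    res = residual(risk, best)
    return {"treatment": best.kind, "option": best.name, "residual": round(res, 2),
            "net_benefit": round(best_net, 2), "further_cycle": res > c.max_expected_loss}

def evaluate(risks: List[Risk], c: AcceptanceCriteria, options: Dict[str, List[Treatment]]) -> List[Dict]:
    """Level, comparison with acceptance criteria and treatment indication per risk,
    prioritised by level and then by expected loss (the risk evaluation output)."""
    rows = []
    for r in risks:
        el = None if r.likelihood is None else round(expected_loss(r.loss, r.likelihood), 2)
        acceptable = is_acceptable(r, c)
        if acceptable:
            indication = {"treatment": "accept", "reason": "within acceptance criteria"}
        elif r.likelihood is None:
            indication = {"treatment": "treat",
                          "reason": "qualitative level above tolerance; choose controls by judgment"}
        else:
            indication = select_treatment(r, options.get(r.name, []), c)
        rows.append({"name": r.name, "level": risk_level(r, c), "expected_loss": el,
                     "acceptable": acceptable, "indication": indication})
    rows.sort(key=lambda row: (-LEVELS.index(row["level"]), -(row["expected_loss"] or 0)))
    return rows

CRITERIA = AcceptanceCriteria(max_expected_loss=10_000, medium_from=5_000, high_from=25_000)  # constructed
RISKS = [  # constructed register
    Risk("laptop theft", loss=30_000, likelihood=0.4),
    Risk("ransomware on file server", loss=200_000, likelihood=0.2),
    Risk("legacy application without vendor support", loss=50_000, likelihood=None, qualitative="high"),
]
OPTIONS = {  # constructed treatment options per risk
    "ransomware on file server": [
        Treatment("reduce", "offline backups and endpoint protection", 15_000, likelihood_factor=0.5, loss_factor=0.25),
        Treatment("transfer", "cyber insurance, 20% retained", 14_000, loss_factor=0.2),
    ],
    "laptop theft": [Treatment("transfer", "device insurance", 13_000, loss_factor=0.1)],
}
```

Running `evaluate(RISKS, CRITERIA, OPTIONS)` yields the prioritised register: the ransomware risk first (high, expected loss 40,000, treated by the backup/endpoint option with a residual of 5,000), then the qualitative high risk marked for treatment, then the laptop risk accepted by default because its only insurance option costs more than it avoids.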






7.6 Risk Management Feedback Loops

Risk management is a comprehensive process that requires organizations to:
• frame risk (i.e., establish the context for risk-based decisions);
• assess risk;
• respond to risk once determined; and
• monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.

Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization. The following sections briefly describe each of the four risk management components.

The first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations. Establishing a realistic and credible risk frame requires that organizations identify:
• risk assumptions (e.g., assumptions about the threats, vulnerabilities, consequences/impact, and likelihood of occurrence that affect how risk is assessed, responded to, and monitored over time);
• risk constraints (e.g., constraints on the risk assessment, response, and monitoring alternatives under consideration);
• risk tolerance (e.g., levels of risk, types of risk, and degree of risk uncertainty that are acceptable); and
• priorities and trade-offs (e.g., the relative importance of missions/business functions, trade-offs among different types of risk that organizations face, time frames in which organizations must address risk, and any factors of uncertainty that organizations consider in risk responses).

The risk framing component and the associated risk management strategy also include any strategic-level decisions on how risk to organizational operations and assets, individuals, other organizations, and the Nation is to be managed by senior leaders/executives.






The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify:
• threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation;
• vulnerabilities internal and external to organizations;
• the harm (i.e., consequences/impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and
• the likelihood that harm will occur.

The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).

To support the risk assessment component, organizations identify:
• the tools, techniques, and methodologies that are used to assess risk;
• the assumptions related to risk assessments;
• the constraints that may affect risk assessments;
• roles and responsibilities;
• how risk assessment information is collected, processed, and communicated throughout organizations;
• how risk assessments are conducted within organizations;
• the frequency of risk assessments; and
• how threat information is obtained (i.e., sources and methods).

The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments. The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:
• developing alternative courses of action for responding to risk;
• evaluating the alternative courses of action;
• determining appropriate courses of action consistent with organizational risk tolerance; and
• implementing risk responses based on selected courses of action.

To support the risk response component, organizations describe the types of risk responses that can be implemented (i.e., accepting, avoiding, mitigating, sharing, or transferring risk). Organizations also identify the tools, techniques, and methodologies used to develop courses of action for responding to risk, how courses of action are evaluated, and how risk responses are communicated across organizations and, as appropriate, to external entities (e.g., external service providers, supply chain partners).

The fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to:


















• verify that planned risk response measures are implemented and that information security requirements derived from/traceable to organizational mission/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied;
• determine the ongoing effectiveness of risk response measures following implementation; and
• identify risk-impacting changes to organizational information systems and the environments in which the systems operate.

To support the risk monitoring component, organizations describe how compliance is verified and how the ongoing effectiveness of risk responses is determined (e.g., the types of tools, techniques, and methodologies used to determine the sufficiency/correctness of risk responses and whether risk mitigation measures are implemented correctly, operating as intended, and producing the desired effect with regard to reducing risk). In addition, organizations describe how changes that may impact the ongoing effectiveness of risk responses are monitored.






7.7 Risk Monitoring

Risk monitoring provides organizations with the means to:
• verify compliance;
• determine the ongoing effectiveness of risk response measures; and
• identify risk-impacting changes to organizational information systems and environments of operation.

Analysing monitoring results gives organizations the capability to maintain awareness of the risk being incurred, highlight the need to revisit other steps in the risk management process, and initiate process improvement activities as needed. Organizations employ risk monitoring tools, techniques, and procedures to increase risk awareness, helping senior leaders/executives develop a better understanding of the ongoing risk to organizational operations and assets, individuals, other organizations, and the Nation. Organizations can implement risk monitoring at any of the risk management tiers with different objectives and utility of information produced. For example, Tier 1 monitoring activities might include ongoing threat assessments and how changes in the threat space may affect Tier 2 and Tier 3 activities, including enterprise architectures (with embedded information security architectures) and organizational information systems. Tier 2 monitoring activities might include, for example, analyses of new or current technologies either in use or considered for future use by organizations to identify exploitable weaknesses and/or deficiencies in those technologies that may affect mission/business success. Tier 3 monitoring activities focus on information systems and might include, for example, automated monitoring of standard configuration settings for information technology products, vulnerability scanning, and ongoing assessments of security controls. In addition to deciding on appropriate monitoring activities across the risk management tiers, organizations also decide how monitoring is to be conducted (e.g., automated or manual approaches) and the frequency of monitoring activities based on, for example, the frequency with which deployed security controls change, critical items on plans of action and milestones, and risk tolerance.






UNIT VIII Configuration review

This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material

8.1. Configuration Management
8.2. Organisational SecCM Policy
8.3. Identify CM Tools
8.4. Implementing Secure Configurations
8.5. Unauthorised Access to Configuration Stores






LESSON PLAN

Outcomes: To be competent, you must be able to:
  PC4. carry out configuration reviews of information security systems using automated tools, where required
Performance Measures (Ensuring):
  Performance evaluation from Faculty and Industry with reward points.
  QA session and a descriptive write-up on understanding.
Duration (Hrs): 2 hrs
Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Labs availability (24/7)
  • Internet with WiFi (Min 2 Mbps Dedicated)
  • Networking Equipment: Routers & Switches, Firewalls and Access Points
  • Access to all security sites like ISO, PCI DSS
  • Commercial tools like HP WebInspect and IBM AppScan etc.
  • Open Source tools like sqlmap, Nessus etc.

Outcomes: You must know and understand:
  KA6. how to carry out information security assessments
  KA7. how to carry out configuration reviews
  KA9. different types of automation tools and how to use these
Performance Measures (Ensuring):
  KA6, KA7. Performance evaluation from Faculty and Industry with reward points.
  KA9. QA session and a descriptive write-up on understanding.
Duration (Hrs): 4 hrs
Work Environment / Lab Requirement:
  • PCs/Tablets/Laptops
  • Labs availability (24/7)
  • Internet with WiFi (Min 2 Mbps Dedicated)
  • Access to all security sites like ISO, PCI DSS, Center for Internet Security






Suggested Learning Activities

Activity 1:
The students should be divided into groups and asked to research configuration management tools available in the industry. They should compare and categorise these tools based on their features, areas of strength and limitations. These should be presented in class for shared understanding.

Activity 2:
Create a group project by interacting with companies that offer CM tools and prepare a sequential process map of how the tool operates in order to carry out its functions. Present the same in class, highlighting the functionality and dependencies of the tools.






Training Resource Material

8.1 Configuration Management

An information system is typically in a constant state of change in response to new, enhanced, corrected, or updated hardware and software capabilities, patches for correcting software flaws and other errors to existing components, new security threats, changing business functions, etc. Implementing information system changes almost always results in some adjustment to the system configuration. To ensure that the required adjustments to the system configuration do not adversely affect the security of the information system or the organization from operation of the information system, a well-defined configuration management process that integrates information security is needed.

Organizations apply configuration management (CM) for establishing baselines and for tracking, controlling, and managing many aspects of business development and operation (e.g., products, services, manufacturing, business processes, and information technology). Organizations with a robust and effective CM process need to consider information security implications with respect to the development and operation of information systems including hardware, software, applications, and documentation. Effective CM of information systems requires the integration of the management of secure configurations into the organizational CM process or processes. For this reason, this document assumes that information security is an integral part of an organization's overall CM process; however, the focus of this document is on implementation of the information system security aspects of CM, and as such the term security-focused configuration management (SecCM) is used to emphasize the concentration on information security. Though both IT business application functions and security-focused practices are expected to be integrated as a single process, SecCM in this context is defined as the management and control of configurations for information systems to enable security and facilitate the management of information security risk.

Configuration Management (CM) comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems. A Configuration Item (CI) is an identifiable part of a system (e.g., hardware, software, firmware, documentation, or a combination thereof) that is a discrete target of configuration control processes. A Baseline Configuration is a set of specifications for a system, or CI within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

The basic parts of a CM Plan include:
• Configuration Control Board (CCB) – establishment of and charter for a group of qualified people with responsibility for the process of controlling and approving changes throughout the development and operational lifecycle of products and systems; may also be referred to as a change control board;
• Configuration Item Identification – methodology for selecting and naming configuration items that need to be placed under CM;
• Configuration Change Control – process for managing updates to the baseline configurations for the configuration items; and
• Configuration Monitoring – process for assessing or testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under CM.

Security-Focused Configuration Management (SecCM) is the management and control of secure configurations for an information system to enable security and facilitate the management of risk. SecCM builds on the general concepts, processes, and activities of configuration management by focusing attention on the implementation and maintenance of the established security requirements of the organization and information systems. Information security configuration management requirements are integrated into (or complement) existing organizational configuration management processes (e.g., business functions, applications, products) and information systems. SecCM activities include:
• identification and recording of configurations that impact the security posture of the information system and the organization;
• the consideration of security risks in approving the initial configuration;
• the analysis of security implications of changes to the information system configuration; and
• documentation of the approved/implemented changes.



SecCM requires an ongoing investment in time and resources. Product patches, fixes, and updates require time for security impact analysis even as threats and vulnerabilities continue to exist. As changes to information systems are made, baseline configurations are updated, specific configuration settings confirmed, and configuration items tracked, verified, and reported. SecCM is a continuous activity that, once incorporated into IT management processes, touches all stages of the system development life cycle (SDLC).

In the context of SecCM of information systems, a configuration item (CI) is an aggregation of information system components that is designated for configuration management and treated as a single entity throughout the SecCM process. This implies that the CI is identified, labelled, and tracked during its life cycle – the CI is the target of many of the activities within SecCM, such as configuration change control and monitoring activities. A CI may be a specific information system component (e.g., server, workstation, router, application), a group of information system components (e.g., group of servers with like operating systems, group of network components such as routers and switches, an application or suite of applications), a noncomponent object (e.g., firmware, documentation), or an information system as a whole. CIs give organizations a way to decompose the information system into manageable parts whose configurations can be actively managed. The purpose of breaking up an information system into CIs is to allow more granularity and control in managing the secure configuration of the system. The level of






granularity will vary among organizations and systems and is balanced against the associated management overhead for each CI. In one organization, it may be appropriate to create a single CI to track all of the laptops within a system, while in another organization, each laptop may represent an individual CI.

Baseline configuration
A baseline configuration is a set of specifications for a system, or Configuration Item (CI) within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

Security-focused configuration management of information systems involves a set of activities that can be organized into four major phases – Planning, Identifying and Implementing Configurations, Controlling Configuration Changes, and Monitoring.

Planning - Planning includes developing policy and procedures to incorporate SecCM into existing information technology and security programs, and then disseminating the policy throughout the organization.

Identifying and implementing configurations - After the planning and preparation activities are completed, a secure baseline configuration for the information system is developed, reviewed, approved, and implemented. The approved baseline configuration for an information system and associated components represents the most secure state consistent with operational requirements and constraints. For a typical



information system, the secure baseline may address configuration settings, software loads, patch levels, how the information system is physically or logically arranged, how various security controls are implemented, and documentation. Where possible, automation is used to enable interoperability of tools and uniformity of baseline configurations across the information system.

Controlling configuration changes - Given the continually evolving nature of an information system and the mission it supports, the challenge for organizations is not only to establish an initial baseline configuration that represents a secure state (which is also cost-effective, functional, and supportive of mission and business processes), but also to maintain a secure configuration in the face of the significant waves of change that ripple through organizations.

Monitoring - Monitoring activities are used as the mechanism within SecCM to validate that the information system is adhering to organizational policies, procedures, and the approved secure baseline configuration. Monitoring identifies undiscovered/undocumented system components, misconfigurations, vulnerabilities, and unauthorized changes, all of which, if not addressed, can expose organizations to increased risk. Using automated tools helps organizations to efficiently identify when the information system is not consistent with the approved baseline configuration and when remediation actions are necessary. In addition, the use of automated tools often facilitates situational awareness and the documentation of deviations from the baseline configuration.









8.2 Organizational SecCM Policy
The organization is typically responsible for defining documented policies for the SecCM program. The SecCM program manager develops, disseminates, and periodically reviews and updates the SecCM policies for the organization. The policies are included as a part of the overall organization-wide security policy. The SecCM policy normally includes the following:
1. Purpose – the objective(s) in establishing organization-wide SecCM policy;
2. Scope – the extent of the enterprise architecture to which the policy applies;
3. Roles – the roles that are significant within the context of the policy;
4. Responsibilities – the responsibilities of each identified role;
5. Activities – the functions that are performed to meet policy objectives;
6. Common secure configurations – federal and/or organization-wide standardized benchmarks for configuration settings along with how to address deviations; and
7. Records – the records of configuration management activities to be maintained; the information to be included in each type of record; who is responsible for writing/keeping the records; and procedures for protecting, accessing, auditing, and ultimately deleting such records.

SecCM policy may also address the following topics:
• SecCM training requirements;
• Use of SecCM templates;
• Use of automated tools;
• Prohibited configuration settings; and
• Requirements for inventory of information systems and components.



SecCM Training
SecCM is a fundamental part of an organizational security program, but often requires a change in organizational culture. Staff is provided training to ensure their understanding of SecCM policies and procedures. Training also provides a venue for management to communicate the reasons why SecCM is important. SecCM training material is developed covering organizational policies, procedures, tools, artefacts, and monitoring requirements. The training may be mandatory or optional as appropriate and is targeted to relevant staff (e.g., system administrators, system/software developers, system security officers, system owners, etc.) as necessary to ensure that staff has the skills to manage the baseline configurations in accordance with organizational policy.









8.3 Identify SecCM Tools
Managing the myriad configurations found within information system components has become an almost impossible task using manual methods like spreadsheets. When possible, organizations look for automated solutions which, in the long run, can lower costs, enhance efficiency, and improve the reliability of SecCM efforts. In most cases, tools to support activities in SecCM phases two, three, and four are selected for use across the organization by SecCM program management, and information system owners are responsible for applying the tools to the SecCM activities performed on each information system. Similarly, tools and mechanisms for inventory reporting and management may be provided to information system owners by the organization. In accordance with federal government and organizational policy, if automated tools are used, the tools are Security Content Automation Protocol (SCAP)-validated to the extent that such tools are available.

There are a wide variety of configuration management tools available to support an organization's SecCM program. At a minimum, the organization considers tools that can automatically assess configuration settings of IS components. Automated tools should be able to scan different information system components (e.g., Web server, database server, network devices, etc.) running different operating systems, identify the current configuration settings, and indicate where they are noncompliant with policy. Such tools import settings from one or more common secure configurations and then allow for tailoring the configurations to the organization's security and mission/functional requirements.



Tools that implement and/or assess configuration settings are evaluated to determine whether they include requirements such as:
• Ability to pull information from a variety of sources (different types of components, different operating systems, different platforms, etc.);
• Use of standardized specifications such as XML and SCAP;
• Integration with other products such as help desk, inventory management, and incident response solutions;
• Vendor-provided support (patches, updated vulnerability signatures, etc.);
• Compliance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidelines, and the ability to link vulnerabilities to SP 800-53 controls;
• Standardized reporting capability (e.g. SCAP, XML) including ability to tailor output & drill down;
• Data consolidation into Security Information and Event Management (SIEM) tools and dashboard products.



Organizations may consider implementation of an all-in-one solution for configuration management. For example, various configuration management functions are included in products for managing IT servers, workstations, desktops, and services provided by applications. These products may include functions such as:
o Inventory/discovery of IS components;
o Software distribution;
o Patch management;
o Operating system deployment;
o Policy management;
o Migration to new baseline configuration; and
o Backup/recovery.



8.4 Implementing secure configurations
Implementing secure configurations for IT products is no simple task. There are many IT products, and each has a myriad of possible parameters that can be configured. In addition, organizations have mission and business process needs which may require that IT products be configured in a particular manner. To further complicate matters, for some products, the configuration settings of the underlying platform may need to be modified to allow for the functionality required for mission accomplishment such that they deviate from the approved common secure configurations.



Using the secure configuration previously established as a starting point, the following structured approach is recommended when implementing the secure configuration:
1) Prioritize Configurations
2) Test Configurations
3) Resolve Issues and Document Deviations
4) Record and Approve the Baseline Configuration
5) Deploy the Baseline Configuration



i. Prioritize Configurations
In the ideal environment, all IT products within an organization would be configured to the most secure state that still provided the functionality required by the organization. However, due to limited resources and other constraints, many organizations may find it necessary to prioritize which information systems, IT products, or CIs to target first for secure configuration as they implement SecCM.











In determining the priorities for implementing secure configurations in information systems, IT products, or CIs, organizations consider the following criteria:
• System impact level – Implementing secure configurations in information systems with a high or moderate security impact level may have priority over information systems with a low security impact level.
• Risk assessments – Risk assessments can be used to target information systems, IT products, or CIs having the most impact on security and organizational risk.
• Vulnerability scanning – Vulnerability scans can be used to target information systems, IT products, or CIs that are most vulnerable. For example, the Common Vulnerability Scoring System (CVSS) is a specification within SCAP that provides an open framework for communicating the characteristics of software flaw vulnerabilities and for calculating their relative severity. CVSS scores can be used to help prioritize configuration and patching activities.
• Degree of penetration – The degree of penetration represents the extent to which the same product is deployed within an information technology environment. For example, if an organization uses a specific operating system on 95 percent of its workstations, it may obtain the most immediate value by planning and deploying secure configurations for that operating system. Other IT products or CIs can be targeted afterwards.

ii. Test Configurations
Organizations fully test secure configurations prior to implementation in the production environment. There are a number of issues that may be encountered when implementing configurations including software compatibility and hardware device driver issues. For example, there may be legacy applications with special operating requirements that do not function correctly after a common secure configuration has been applied. Additionally, configuration errors could occur if OS and multiple application configurations are applied to the same component. For example, a setting for an application configuration parameter may conflict with a similar setting for an OS configuration parameter. Virtual environments are recommended for testing secure configurations as they allow organizations to examine the functional impact on applications without having to configure actual machines.

iii. Resolve Issues and Document Deviations
Testing secure configuration implementations may introduce functional problems within the system or applications. For example, the new secure configuration may close a port or stop a service that is needed for OS or application functionality. These problems are examined individually and either resolved or documented as a deviation from, or exception to, the established common secure configurations. In some cases, changing one configuration setting may require changes to another setting, another CI, or another information system. For instance, a common secure configuration may specify strengthened password requirements which may require a change to existing single sign-on applications. Or there may be a requirement that the OS-provided firewall be enabled by default. To ensure that applications function as expected, the firewall policy may need to be revised to allow specific ports, services, IP addresses, etc. When conflicts between applications and secure configurations cannot be resolved, deviations are documented and approved through the configuration change control process as appropriate.

iv. Record and Approve the Baseline Configuration
The established and tested secure configuration, including any necessary deviations, represents the preliminary baseline configuration and is recorded in order to support configuration change control/security impact analysis, incident resolution, problem solving, and monitoring activities. Once recorded, the preliminary baseline configuration is approved in accordance with organizationally defined policy. Once approved, the preliminary baseline configuration becomes the initial baseline configuration for the information system and its constituent CIs. The baseline configuration of an information system includes the sum total of the secure configurations of its constituent CIs and represents the system-specific configuration against which all changes are controlled.






The baseline configuration may include, as applicable, information regarding the system architecture, the interconnection of hardware components, secure configuration settings of software components, the software load, supporting documentation, and the elements in a release package. There could be a different baseline configuration for each life cycle stage (development, test, staging, production) of the information system. When possible, organizations employ automated tools to support the management of baseline configurations and to keep the configuration information as up to date and near real time as possible. There are a number of solutions which maintain baseline configurations for a wide variety of hardware and software products. Some comprehensive SecCM solutions integrate the maintenance of baseline configurations with component inventory and monitoring tools.

v. Deploy the Baseline Configuration
Organizations are encouraged to implement baseline configurations in a centralized and automated manner using automated configuration management tools, automated scripts, vendor-provided mechanisms, etc.

SecCM monitoring is accomplished through assessment and reporting activities. For organizations with a large number of components, the only practical and effective solution for SecCM monitoring activities is the use of automated solutions that use standardized reporting methods such as SCAP. An information system may have many components and many baseline configurations. To manually collect information on the configuration of all components and assess them against policy and approved baseline configurations is not practical, or even possible, in most cases. Automated tools can also facilitate reporting for Security Information and Event Management applications that can be accessed by management and/or formatted into other reports on baseline configuration status. Care is exercised in collecting and analysing the results generated by automated tools to account for any false positives. SecCM monitoring may be supported by numerous means, including, but not limited to:
• Scanning to discover components not recorded in the inventory. For example, after testing of a new firewall, a technician forgets to remove it from the network. If it is not properly configured, it may provide access to the network for intruders. A scan would identify this network device as not a part of the inventory, enabling the organization to take action.
• Scanning to identify disparities between the approved baseline configuration and the actual configuration for an information system.
Example I. A technician rolls out a new patch but forgets to update the baseline configurations of the information systems impacted by the new patch. A scan would identify a difference between the actual environment and the description in the baseline configuration, enabling the organization to take action.
Example II. A new tool is installed on the workstations of a few end users of the information system. During installation, the tool changes a number of configuration settings in the browser on the users' workstations, exposing them to attack. A scan would identify the change in the workstation configuration, allowing the appropriate individuals to take action.
• Implementation of automated change monitoring tools (e.g., change/configuration management tools, application whitelisting tools). Unauthorized changes to information systems may be an indication that the systems are under attack or that SecCM procedures are not being followed or need updating. Automated tools are available that monitor information systems for changes and alert system staff if unauthorized changes occur or are attempted.
• Querying audit records/log monitoring to identify unauthorized change events.
• Running system integrity checks to verify that baseline configurations have not been changed.
• Reviewing configuration change control records (including system impact analyses) to verify conformance with SecCM policy and procedures.



When possible, organizations seek to normalize data to describe their information system in order that the various outputs from monitoring can be combined, correlated, analysed, and reported in a consistent manner. SCAP provides a common language for describing vulnerabilities, misconfigurations, and products and is an obvious starting point for organizations seeking a consistent way of communicating across the organization regarding the security status of the enterprise architecture. When inconsistencies are discovered as a result of monitoring activities, the organization may want to take remedial action. Action taken may be via manual methods or via use of automated tools.



Automated tools are preferable since actions are not reliant upon human intervention and are taken immediately once an unauthorized change is identified. Examples of possible actions include:
• Implementing non-destructive remediation actions (e.g., quarantining of unregistered device(s), blocking insecure protocols, etc.);
• Sending an alert with change details to appropriate staff using email;
• Rolling back changes and restoring from backups;
• Updating the inventory to include newly identified components; and
• Updating baseline configurations to represent new configurations.
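Added example, not from the handbook and not any particular SecCM product: a small Python monitor that performs three of the checks described above (inventory scan, comparison against the approved baseline, and a file integrity check), suppresses deviations already approved through change control so they are not reported as false positives, and tags each finding with one of the non-destructive actions listed above. All hosts, settings and file contents are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "unregistered_component", "setting_drift" or "integrity_change"
    detail: str
    action: str  # suggested response, drawn from the actions listed in the text


# Suggested responses, non-destructive first, mirroring the actions listed above.
ACTIONS = {
    "unregistered_component": "quarantine device, alert staff, add to inventory once approved",
    "setting_drift": "alert staff with change details; roll back through change control",
    "integrity_change": "alert staff; restore file from known-good backup",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed data (hypothetical hosts, settings and file contents) ---
BASELINE_SSHD = b"PermitRootLogin no\nPasswordAuthentication no\n"

# Component inventory maintained by the organization.
INVENTORY = {"web-01", "db-01"}

# Approved baseline per CI: expected settings plus expected hashes of the
# configuration files placed under integrity checking.
APPROVED_BASELINE = {
    "web-01": {"settings": {"firewall.enabled": "yes", "telnet.enabled": "no"},
               "files": {"/etc/ssh/sshd_config": sha256(BASELINE_SSHD)}},
    "db-01": {"settings": {"firewall.enabled": "yes", "telnet.enabled": "no"},
              "files": {"/etc/ssh/sshd_config": sha256(BASELINE_SSHD)}},
}

# Deviations documented and approved through change control (step iii above);
# reporting them again would be a false positive.
APPROVED_DEVIATIONS = {("db-01", "firewall.enabled", "no")}

# What an automated scan actually observed on the network.
SCAN_RESULTS = {
    "web-01": {"settings": {"firewall.enabled": "yes", "telnet.enabled": "yes"},  # drift
               "files": {"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n"}},
    "db-01": {"settings": {"firewall.enabled": "no", "telnet.enabled": "no"},  # approved deviation
              "files": {"/etc/ssh/sshd_config": BASELINE_SSHD}},
    "fw-test-03": {"settings": {}, "files": {}},  # test firewall nobody removed from the network
}


def monitor(inventory, baseline, scan, approved_deviations=frozenset()):
    """Compare a scan against the inventory and approved baseline; return Findings."""
    findings = []
    for host, observed in scan.items():
        if host not in inventory:
            findings.append(Finding(host, "unregistered_component",
                                    "component seen on the network but absent from inventory",
                                    ACTIONS["unregistered_component"]))
            continue  # an unknown component has no approved baseline to compare against
        expected = baseline.get(host, {"settings": {}, "files": {}})
        for key, want in expected["settings"].items():
            got = observed["settings"].get(key)
            if got != want and (host, key, got) not in approved_deviations:
                findings.append(Finding(host, "setting_drift",
                                        f"{key}: expected {want!r}, found {got!r}",
                                        ACTIONS["setting_drift"]))
        for path, want_hash in expected["files"].items():
            content = observed["files"].get(path)
            got_hash = sha256(content) if content is not None else None
            if got_hash != want_hash:
                findings.append(Finding(host, "integrity_change",
                                        f"{path}: hash differs from the approved baseline",
                                        ACTIONS["integrity_change"]))
    return findings


def summarize(findings):
    """Count findings by kind, the shape a dashboard or SIEM feed would consume."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = monitor(INVENTORY, APPROVED_BASELINE, SCAN_RESULTS, APPROVED_DEVIATIONS)
    for f in results:
        print(f"[{f.kind}] {f.host}: {f.detail} -> {f.action}")
    print(summarize(results))
```

Running it reports one unregistered component (fw-test-03), one setting drift (telnet enabled on web-01) and one integrity change (web-01's sshd_config), while db-01's approved firewall deviation is left out.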



Many applications support configuration management interfaces and functionality to allow operators and administrators to change configuration parameters, update Web site content, and to perform routine maintenance. Top configuration management threats include:
• Unauthorized access to administration interfaces
• Unauthorized access to configuration stores
• Retrieval of plaintext configuration secrets
• Lack of individual accountability
• Over-privileged process and service accounts

Unauthorized Access to Administration Interfaces
Administration interfaces are often provided through additional Web pages or separate Web applications that allow administrators, operators, and content developers to manage site content and configuration. Administration interfaces such as these should be available only to restricted and authorized users. Malicious users able to access a configuration management function can potentially deface the Web site, access downstream systems and databases, or take the application out of action altogether by corrupting configuration data. Countermeasures to prevent unauthorized access to administration interfaces include:
• Minimize the number of administration interfaces.
• Use strong authentication, for example, by using certificates.
• Use strong authorization with multiple gatekeepers.
• Consider supporting only local administration. If remote administration is absolutely essential, use encrypted channels, for example, with VPN technology or SSL, because of the sensitive nature of the data passed over administrative interfaces. To further reduce risk, also consider using IPSec policies to limit remote administration to computers on the internal network.









8.5 Unauthorized Access to Configuration Stores
Because of the sensitive nature of the data maintained in configuration stores, you should ensure that the stores are adequately secured. Countermeasures to protect configuration stores include:
• Configure restricted ACLs on text-based configuration files such as Machine.config and Web.config.
• Keep custom configuration stores outside of the Web space. This removes the potential to download Web server configurations to exploit their vulnerabilities.

Retrieval of Plaintext Configuration Secrets
Restricting access to the configuration store is a must. As an important defence in depth mechanism, you should encrypt sensitive data such as passwords and connection strings. This helps prevent external attackers from obtaining sensitive configuration data. It also prevents rogue administrators and internal employees from obtaining sensitive details such as database connection strings and account credentials that might allow them to gain access to other systems.

Lack of Individual Accountability
Lack of auditing and logging of changes made to configuration information threatens the ability to identify when changes were made and who made those changes. When a breaking change is made, either by an honest operator error or by a malicious change to grant privileged access, action must first be taken to correct the change. Then apply preventive measures to prevent breaking changes from being introduced in the same manner. Keep in mind that auditing and logging can be circumvented by a shared account; this applies to both administrative and user/application/service accounts. Administrative accounts must not be shared. User/application/service accounts must be assigned at a level that allows the identification of a single source of access using the account, and that contains any damage to the privileges granted that account.

Over-privileged Application and Service Accounts
If application and service accounts are granted access to change configuration information on the system, they may be manipulated to do so by an attacker. The risk of this threat can be mitigated by adopting a policy of using least privileged service and application accounts. Be wary of granting accounts the ability to modify their own configuration information unless explicitly required by design.









UNIT IX Log Correlation and Management



This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
9.1. Event Log Concepts
9.2. Log Management and its need
9.3. Log Management Process
9.4. Configuring Windows Event Log
9.5. IIS Log Files
9.6. Analysis and Response









LESSON PLAN

Outcomes
To be competent, you must be able to:
PC6. maintain accurate daily records/logs of information security performance parameters using standard templates and tools
PC7. analyze information security performance metrics to highlight variances and issues for action by appropriate people
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
PC9. update your organization's knowledge base promptly and accurately with information security issues and their resolution
PC3. carry out security assessment of information security systems using automated tools

Performance Measures / Ensuring
• Going through various organizations' websites and understanding the policies and guidelines. (Research)
• Understand, summarize and articulate.
• Peer group, Faculty group and Industry experts.
• Peer review with faculty with appropriate feedback.
• Going through various organizations' websites and understanding the policies and guidelines. (Research)
• Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment: Routers & Switches, Firewalls and Access Points
• Access to all security sites like ISO, PCI DSS
• Commercial Tools like HP WebInspect and IBM AppScan etc.
• Open Source tools like sqlmap, Nessus etc.

Outcomes
You must know and understand:
KA1. your organization's policies, procedures, standards and guidelines for managing information security
KA2. your organization's knowledge base and how to access and update this
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. how to analyze root causes of information security issues
KA8. how to correlate devices and logs
KA9. different types of automation tools and how to use these
KA10. how to access and analyze information security performance metrics

Performance Measures / Ensuring
• KA1. Going through various organizations' websites and understanding the policies and guidelines. (Research)
• KA2. Understand, summarize and articulate.
• KA4, KA5. Peer group, Faculty group and Industry experts.
• KA8. Peer review with faculty with appropriate feedback.
• KA9. Going through various organizations' websites and understanding the policies and guidelines. (Research)
• KA10, KA11. Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Networking Equipment: Routers & Switches, Firewalls and Access Points
• Access to all security sites like ISO, PCI DSS
• Commercial Tools like HP WebInspect and IBM AppScan etc.
• Open Source tools like sqlmap, Nessus etc.



Suggested Learning Activities
Activity 1: The students should research various log report templates and sources which provide guidance on using log reports. The various information available in the report should be understood and possible anomalies listed.



Activity 2: Students should be divided into groups. One group should explore the log configurations of their own server and generate reports from the servers of their own institute each week. These should be analysed, and the activity reports and inferences drawn from them presented in class by a different group each week.









Training Resource Material 9.1 Event Logs - Concepts A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Originally, logs were used primarily for troubleshooting problems, but logs now serve many functions within most organizations, such as optimizing system and network performance, recording the actions of users, and providing data useful for investigating malicious activity. Logs have evolved to contain information related to many different types of events occurring within networks and systems. Within an organization, many logs contain records related to computer security; common examples of these computer security logs are audit logs that track user authentication attempts and security device logs that record possible attacks Key Concepts Log management: Log management refers to the broad practice of collecting, aggregating and analysing network data for a variety of purposes. Data logging devices collect incredible amounts of information on security, operational and application events — log management comprises the tools to search and parse this data for trends, anomalies and other relevant information. Security information event management (SIEM): Like log management, SIEM also involves the collection and analysis of data. The key distinction to be made is that SIEM is a specialized tool for information security. SIEM appliances enable event



reduction and real-time alerting, and they provide specific workflows to address security breaches as they occur. Another key feature of SIEM is the incorporation of non-event based data, such as vulnerability scanning reports, for correlation and analysis. A lot of money has been invested in security products such as firewalls, intrusion detection, and strong authentication over the past several years. However, system penetration attempts continue to occur and go unnoticed until it is too late. It is not that security countermeasures are ineffective against intrusive activity. Indeed, they can be very effective within an organization where security policies and procedures require analysis of security events and appropriate incident response. However, deploying and analysing a single device in an effort to maintain situational awareness with respect to the state of security within an organization is the "computerized version of tunnel vision”. Security events must be analysed from as many sources as possible in order to assess threat and formulate appropriate response. Extraordinary levels of security awareness can be attained in an organization's network by simply listening to what its devices are telling you. 



Security software logs primarily contain computer security-related information.

Operating system logs and application logs typically contain a variety of information, including computer security-related data.



Trainer’s Guide– Security Analyst SSC/N0901



Security Software

Most organizations use several types of network-based and host-based security software to detect malicious activity, protect systems and data, and support incident response efforts. Accordingly, security software is a major source of computer security log data. Common types of network-based and host-based security software include the following:

Antimalware Software. The most common form of antimalware software is antivirus software, which typically records all instances of detected malware, file and system disinfection attempts, and file quarantines. Additionally, antivirus software might also record when malware scans were performed and when antivirus signature or software updates occurred. Antispyware software and other types of antimalware software (e.g., rootkit detectors) are also common sources of security information.

Intrusion Detection and Intrusion Prevention Systems. Intrusion detection and intrusion prevention systems record detailed information on suspicious behaviour and detected attacks, as well as any actions intrusion prevention systems performed to stop malicious activity in progress. Some intrusion detection systems, such as file integrity checking software, run periodically instead of continuously, so they generate log entries in batches instead of on an ongoing basis.

Remote Access Software. Remote access is often granted and secured through virtual private networking (VPN). VPN systems typically log successful and failed login attempts, as well as the dates and times each user connected and disconnected, and the amount of data sent and received in each user session. VPN systems that support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed information about the use of resources.

Web Proxies. Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web page requests on behalf of users, and they cache copies of retrieved Web pages to make additional accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to add a layer of protection between Web clients and Web servers. Web proxies often keep a record of all URLs accessed through them.

Vulnerability Management Software. Vulnerability management software, which includes patch management software and vulnerability assessment software, typically logs the patch installation history and vulnerability status of each host, which includes known vulnerabilities and missing software updates. Vulnerability management software may also record additional information about hosts' configurations. Vulnerability management software typically runs occasionally, not continuously, and is likely to generate large batches of log entries.

Authentication Servers. Authentication servers, including directory servers and single sign-on servers, typically log each authentication attempt, including its origin, username, success or failure, and date and time.






Routers. Routers may be configured to permit or block certain types of network traffic based on a policy. Routers that block traffic are usually configured to log only the most basic characteristics of blocked activity.

Firewalls. Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more sophisticated methods to examine network traffic. Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to have more complex policies and generate more detailed logs of activity than routers.

Network Quarantine Servers. Some organizations check each remote host's security posture before allowing it to join the network. This is often done through a network quarantine server and agents placed on each host. Hosts that do not respond to the server's checks or that fail the checks are quarantined on a separate virtual local area network (VLAN) segment. Network quarantine servers log information about the status of checks, including which hosts were quarantined and for what reasons.

Operating Systems

Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches) usually log a variety of information related to security. The most common types of security-related OS data are as follows:

System Events. System events are operational actions performed by OS components, such as shutting down the system or starting a service. Typically, failed events and the most significant successful events are logged, but many OSs permit administrators to specify which types of events will be logged. The details logged for each event also vary widely; each event is usually timestamped, and other supporting information could include event, status, and error codes; service name; and user or system account associated with an event.

Audit Records. Audit records contain security event information such as successful and failed authentication attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges. OSs typically permit system administrators to specify which types of events should be audited and whether successful and/or failed attempts to perform certain actions should be logged.

OS logs are most beneficial for identifying or investigating suspicious activity involving a particular host. After suspicious activity is identified by security software, OS logs are often consulted to get more information on the activity.

Applications

Operating systems and security software provide the foundation and protection for applications, which are used to store, access, and manipulate the data used for the organization's business processes. Most organizations rely on a variety of commercial off-the-shelf (COTS) applications, such as e-mail servers and clients, Web servers and browsers, file servers and file sharing clients, and database servers and clients. Some applications generate their own log files, while others use the logging capabilities of the OS on which they are installed. Applications vary significantly in the types of information that they log. The following lists some of the most commonly logged types of information and the potential benefits of each:

• Client requests and server responses, which can be very helpful in reconstructing sequences of events and determining their apparent outcome. If the application logs successful user authentications, it is usually possible to determine which user made each request. Some applications can perform highly detailed logging, such as e-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail; Web servers recording each URL requested and the type of response provided by the server; and business applications recording which financial records were accessed by each user. This information can be used to identify or investigate incidents and to monitor application usage for compliance and auditing purposes.

• Account information such as successful and failed authentication attempts, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges. In addition to identifying security events such as brute force password guessing and escalation of privileges, it can be used to identify who has used the application and when each person has used it.

• Usage information such as the number of transactions occurring in a certain period (e.g., minute, hour) and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for certain types of security monitoring (e.g., a tenfold increase in e-mail activity might indicate a new e-mail-borne malware threat; an unusually large outbound e-mail message might indicate inappropriate release of information).

• Significant operational actions such as application startup and shutdown, application failures, and major application configuration changes. This can be used to identify security compromises and operational failures.

Much of this information, particularly for applications that are not used through unencrypted network communications, can only be logged by the applications, which makes application logs particularly valuable for application-related security incidents, auditing, and compliance efforts. However, these logs are often in proprietary formats that make them more difficult to use, and the data they contain is often highly context-dependent, necessitating more resources to review their contents.









9.2 Log Management and its need

Log management can benefit an organization in many ways. It helps to ensure that computer security records are stored in sufficient detail for an appropriate period of time. Routine log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems shortly after they have occurred, and for providing information useful for resolving such problems. Logs can also be useful for performing auditing and forensic analysis, supporting the organization's internal investigations, establishing baselines, and identifying operational trends and long-term problems.



A log management infrastructure typically comprises the following three tiers:

Log Generation. The first tier contains the hosts that generate the log data. Some hosts run logging client applications or services that make their log data available through networks to log servers in the second tier. Other hosts make their logs available through other means, such as allowing the servers to authenticate to them and retrieve copies of the log files.

Log Analysis and Storage. The second tier is composed of one or more log servers that receive log data or copies of log data from the hosts in the first tier. The data is transferred to the servers either in a real-time or near-real-time manner, or in occasional batches based on a schedule or the amount of log data waiting to be transferred. Servers that receive log data from multiple log generators are sometimes called collectors or aggregators. Log data may be stored on the log servers themselves or on separate database servers.

Log Monitoring. The third tier contains consoles that may be used to monitor and review log data and the results of automated analysis. Log monitoring consoles can also be used to generate reports. In some log management infrastructures, consoles can also be used to provide management for the log servers and clients. Also, console user privileges sometimes can be limited to only the necessary functions and data sources for each user.



Log management infrastructures typically perform several functions that assist in the storage, analysis, and disposal of log data. These functions are normally performed in such a way that they do not alter the original logs.









The following items describe common log management infrastructure functions:

Log parsing is extracting data from a log so that the parsed values can be used as input for another logging process. A simple example of parsing is reading a text-based log file that contains 10 comma-separated values per line and extracting the 10 values from each line. Parsing is performed as part of many other logging functions, such as log conversion and log viewing.

Event filtering is the suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest. For example, duplicate entries and standard informational entries might be filtered because they do not provide useful information to log analysts. Typically, filtering does not affect the generation or short-term storage of events because it does not alter the original log files.

In event aggregation, similar entries are consolidated into a single entry containing a count of the number of occurrences of the event. For example, a thousand entries that each record part of a scan could be aggregated into a single entry that indicates how many hosts were scanned. Aggregation is often performed as logs are originally generated (the generator counts similar related events and periodically writes a log entry containing the count), and it can also be performed as part of log reduction or event correlation processes, which are described below.
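The three functions just described (parsing, filtering, aggregation), as an added example that is not part of the handbook: the sample log, its five field names and the key=value layout of the detail column are all constructed for this illustration. The pipeline parses comma-separated lines, drops informational and duplicate entries from the analysis stream without touching the parsed input, and collapses a burst of per-target scan entries into one summary entry carrying the number of hosts scanned.

```python
# Added example (not the handbook's own code): log parsing, event filtering and
# event aggregation over a constructed comma-separated log.
from typing import Dict, List, Set

# Assumed field names for the constructed 5-value CSV log format below.
FIELDS = ("timestamp", "source", "severity", "event", "detail")

# Constructed sample log: routine heartbeats, a burst of per-target scan entries
# from one host (one of them duplicated), and one IDS alert.
SAMPLE_LOG = """\
2015-03-01T10:00:00Z,fw1,INFO,heartbeat,ok
2015-03-01T10:00:01Z,fw1,INFO,heartbeat,ok
2015-03-01T10:00:05Z,fw1,WARN,scan,src=10.0.0.5 dst=10.0.1.1
2015-03-01T10:00:05Z,fw1,WARN,scan,src=10.0.0.5 dst=10.0.1.2
2015-03-01T10:00:06Z,fw1,WARN,scan,src=10.0.0.5 dst=10.0.1.3
2015-03-01T10:00:06Z,fw1,WARN,scan,src=10.0.0.5 dst=10.0.1.3
2015-03-01T10:00:09Z,ids1,ALERT,malware,host=ws17 sig=Trojan.Generic
"""

Entry = Dict[str, str]


def parse_log(text: str) -> List[Entry]:
    """Log parsing: split each line into the FIELDS values.

    Lines with the wrong number of fields are skipped instead of aborting,
    so one corrupt line cannot stop the whole collection run.
    """
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split(",", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def filter_events(entries: List[Entry]) -> List[Entry]:
    """Event filtering: suppress INFO entries and exact duplicates from the
    analysis stream. The parsed input list itself is left unchanged."""
    seen = set()
    kept: List[Entry] = []
    for entry in entries:
        if entry["severity"] == "INFO":
            continue
        key = tuple(entry[f] for f in FIELDS)
        if key in seen:
            continue
        seen.add(key)
        kept.append(entry)
    return kept


def aggregate_scans(entries: List[Entry]) -> List[Entry]:
    """Event aggregation: collapse per-target 'scan' entries into one summary
    entry per scanning source that carries the count of distinct targets.
    Entries of any other event type pass through unchanged."""
    targets: Dict[str, Set[str]] = {}
    first_seen: Dict[str, str] = {}
    others: List[Entry] = []
    for entry in entries:
        if entry["event"] != "scan":
            others.append(entry)
            continue
        kv = dict(tok.split("=", 1) for tok in entry["detail"].split())
        src = kv.get("src", "unknown")
        targets.setdefault(src, set()).add(kv.get("dst", "unknown"))
        first_seen.setdefault(src, entry["timestamp"])
    summaries = [
        {"timestamp": first_seen[src], "source": "aggregator", "severity": "WARN",
         "event": "scan_summary", "detail": f"src={src} hosts_scanned={len(dsts)}"}
        for src, dsts in targets.items()
    ]
    return others + summaries


def run_pipeline(text: str = SAMPLE_LOG) -> List[Entry]:
    """Parse, filter, then aggregate; returns the reduced analysis stream."""
    return aggregate_scans(filter_events(parse_log(text)))


if __name__ == "__main__":
    for entry in run_pipeline():
        print(entry)
```

On the sample input the seven raw lines become two analysis entries: the malware alert and one scan summary reporting three hosts scanned. The duplicate scan line is removed by filtering before aggregation, which is why the count is three and not four.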



Storage

Log rotation is closing a log file and opening a new log file when the first file is considered to be complete. Log rotation is typically performed according to a schedule (e.g., hourly, daily, weekly) or when a log file reaches a certain size. The primary benefits of log rotation are preserving log entries and keeping the size of log files manageable. When a log file is rotated, the preserved log file can be compressed to save space. Also, during log rotation, scripts are often run that act on the archived log. For example, a script might analyse the old log to identify malicious activity, or might perform filtering that causes only log entries meeting certain characteristics to be preserved. Many log generators offer log rotation capabilities; many log files can also be rotated through simple scripts or third-party utilities, which in some cases offer features not provided by the log generators.

Log archival is retaining logs for an extended period of time, typically on removable media, a storage area network (SAN), or a specialized log archival appliance or server. Logs often need to be preserved to meet legal or regulatory requirements. There are two types of log archival: retention and preservation. Log retention is archiving logs on a regular basis as part of standard operational activities. Log preservation is keeping logs that normally would be discarded, because they contain records of activity of particular interest. Log preservation is typically performed in support of incident handling or investigations.

Log compression is storing a log file in a way that reduces the amount of storage space needed for the file without altering the meaning of its contents. Log compression is often performed when logs are rotated or archived.

Log reduction is removing unneeded entries from a log to create a new log that is smaller. A similar process is event reduction, which removes unneeded data fields from all log entries. Log and event reduction are often performed in conjunction with log archival so that only the log entries and data fields of interest are placed into long-term storage.

Log conversion is parsing a log in one format and storing its entries in a second format. For example, conversion could take data from a log stored in a database and save it in an XML format in a text file. Many log generators can convert their own logs to another format; third-party conversion utilities are also available. Log conversion sometimes includes actions such as filtering, aggregation, and normalization.

In log normalization, each log data field is converted to a particular data representation and categorized consistently. One of the most common uses of normalization is storing dates and times in a single format. For example, one log generator might store the event time in a twelve-hour format (2:34:56 P.M. EDT) categorized as Timestamp, while another log generator might store it in twenty-four-hour format (14:34) categorized as Event Time, with the time zone stored in different notation (-0400) in a different field categorized as Time Zone. Normalizing the data makes analysis and reporting much easier when multiple log formats are in use. However, normalization can be very resource-intensive, especially for complex log entries (e.g., typical intrusion detection logs).



Log file integrity checking involves calculating a message digest for each file and storing the message digest securely to ensure that changes to archived logs are detected. A message digest is a digital signature that uniquely identifies data and has the property that changing a single bit in the data causes a completely different message digest to be generated. The most commonly used message digest algorithms are MD5 and Secure Hash Algorithm 1 (SHA-1). If the log file is modified and its message digest is recalculated, it will not match the original message digest, indicating that the file has been altered. The original message digests should be protected from alteration through FIPS-approved encryption algorithms, storage on read-only media, or other suitable means.

Analysis

Event correlation is finding relationships between two or more log entries. The most common form of event correlation is rule-based correlation, which matches multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types. Event correlation can also be performed in other ways, such as using statistical methods or visualization tools. If correlation is performed through automated methods, generally the result of successful correlation is a new log entry that brings together the pieces of information into a single place. Depending on the nature of that information, the infrastructure might also generate an alert to indicate that the identified event needs further investigation.

Log viewing is displaying log entries in a human-readable format. Most log generators provide some sort of log viewing capability; third-party log viewing utilities are also available. Some log viewers provide filtering and aggregation capabilities.
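Log file integrity checking as an added example, not the handbook's code: a digest manifest is taken over a set of archived logs and later re-verified. SHA-256 is used here rather than the MD5 or SHA-1 named above, since both of those are now considered too weak for new integrity controls; the file names, the archive layout and the tamper scenario in `demo()` are constructed for the illustration.

```python
# Added example (not the handbook's own code): log file integrity checking with a
# digest manifest, verified after one archived log is altered and one removed.
import hashlib
import os
import tempfile
from typing import Dict, List

Manifest = Dict[str, object]


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hash the file in chunks so large archived logs need little memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(paths: List[str], algorithm: str = "sha256") -> Manifest:
    """Record one digest per archived log, keyed by file name.

    The manifest only proves something if it is kept where whoever can write
    the logs cannot also rewrite it: read-only media, a separate host, or a
    signed copy, as the text says.
    """
    return {
        "algorithm": algorithm,
        "digests": {os.path.basename(p): file_digest(p, algorithm) for p in paths},
    }


def verify_manifest(manifest: Manifest, directory: str) -> Dict[str, str]:
    """Recompute every digest and report 'ok', 'modified' or 'missing' per file."""
    results: Dict[str, str] = {}
    for name, expected in manifest["digests"].items():  # type: ignore[union-attr]
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif file_digest(path, str(manifest["algorithm"])) == expected:
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: three archived logs are digested; afterwards one
    gains an extra line and one is deleted. Returns the verification results."""
    with tempfile.TemporaryDirectory() as archive:
        names = ["auth-2015-03-01.log", "fw-2015-03-01.log", "ids-2015-03-01.log"]
        paths = [os.path.join(archive, n) for n in names]
        for p in paths:
            with open(p, "w") as fh:
                fh.write("2015-03-01T00:00:01Z sample entry\n")
        manifest = build_manifest(paths)
        # Simulated changes after archival: an appended line (a single changed
        # byte would be detected just the same) and a deleted file.
        with open(paths[0], "a") as fh:
            fh.write("2015-03-01T00:00:02Z extra entry\n")
        os.remove(paths[2])
        return verify_manifest(manifest, archive)


if __name__ == "__main__":
    print(demo())
```

The verification reports the appended file as modified and the deleted file as missing, while the untouched file verifies. A missing file is reported separately from a modified one because the response differs: the former points at retention or storage failure, the latter at tampering or a broken rotation script.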






Log reporting is displaying the results of log analysis. Log reporting is often performed to summarize significant activity over a particular period of time or to record detailed information related to a particular event or series of events.
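Rule-based event correlation and log reporting together, as an added example that is not the handbook's code: the entries come from two constructed sources (a VPN concentrator and a directory server) and are already normalized to the same field names, which are assumptions for this example. The rule matches at least five failed logons for one user/IP pair, from any source, inside a ten-minute window followed by a success for that pair, and emits a single correlated entry with an alert flag; the report then summarizes the period.

```python
# Added example (not the handbook's own code): rule-based event correlation over
# already-normalized entries from two sources, followed by a summary report.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed, already-normalized entries from a VPN concentrator ("vpn1") and a
# directory server ("ad1"). Field names are assumptions for this example.
EVENTS: List[Event] = [
    {"ts": "2015-03-01T02:00:01", "source": "vpn1", "event": "login_failure", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2015-03-01T02:00:09", "source": "vpn1", "event": "login_failure", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2015-03-01T02:00:17", "source": "vpn1", "event": "login_failure", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2015-03-01T02:00:25", "source": "ad1", "event": "login_failure", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2015-03-01T02:00:33", "source": "ad1", "event": "login_failure", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2015-03-01T02:00:41", "source": "vpn1", "event": "login_failure", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2015-03-01T02:01:02", "source": "vpn1", "event": "login_success", "user": "alice", "ip": "198.51.100.7"},
    {"ts": "2015-03-01T02:03:00", "source": "vpn1", "event": "login_failure", "user": "bob", "ip": "203.0.113.4"},
    {"ts": "2015-03-01T02:03:10", "source": "vpn1", "event": "login_failure", "user": "bob", "ip": "203.0.113.4"},
    {"ts": "2015-03-01T02:03:20", "source": "vpn1", "event": "login_success", "user": "bob", "ip": "203.0.113.4"},
    {"ts": "2015-03-01T02:05:00", "source": "ad1", "event": "login_failure", "user": "carol", "ip": "192.0.2.99"},
]


def _ts(event: Event) -> datetime:
    return datetime.strptime(str(event["ts"]), "%Y-%m-%dT%H:%M:%S")


def correlate_failures_then_success(events: List[Event], threshold: int = 5,
                                    window: timedelta = timedelta(minutes=10)) -> List[Event]:
    """Rule: at least `threshold` failures for the same (user, ip) pair, from any
    source, within `window` before a success for that pair. Each match produces
    one new correlated entry, as the text describes for automated correlation."""
    failures: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    correlated: List[Event] = []
    for event in sorted(events, key=_ts):
        key = (str(event["user"]), str(event["ip"]))
        when = _ts(event)
        if event["event"] == "login_failure":
            failures[key].append((when, str(event["source"])))
        elif event["event"] == "login_success":
            recent = [(t, s) for t, s in failures[key] if when - t <= window]
            if len(recent) >= threshold:
                correlated.append({
                    "ts": event["ts"], "source": "correlator",
                    "event": "success_after_repeated_failures",
                    "user": key[0], "ip": key[1], "failures": len(recent),
                    "sources": sorted({s for _, s in recent}), "alert": True,
                })
            failures[key].clear()  # a success closes the failure run for this pair
    return correlated


def build_report(events: List[Event], correlated: List[Event]) -> Dict[str, object]:
    """Log reporting: summarize activity over the period and list the alerts."""
    times = sorted(_ts(e) for e in events)
    return {
        "period": (times[0].isoformat(), times[-1].isoformat()),
        "entries": len(events),
        "by_event": dict(Counter(str(e["event"]) for e in events)),
        "by_source": dict(Counter(str(e["source"]) for e in events)),
        "alerts": [
            f"{c['user']} from {c['ip']}: {c['failures']} failures across "
            f"{', '.join(c['sources'])} then success at {c['ts']}"  # type: ignore[arg-type]
            for c in correlated
        ],
    }


if __name__ == "__main__":
    import json
    found = correlate_failures_then_success(EVENTS)
    print(json.dumps(build_report(EVENTS, found), indent=2))
```

Only alice's sequence matches: six failures split across both sources, then a success, which neither source would flag on its own because the VPN alone saw four. bob's two failures stay below the threshold, so the rule produces one correlated entry and the report lists one alert over eleven entries.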



Disposal

Log clearing is removing all entries from a log that precede a certain date and time. Log clearing is often performed to remove old log data that is no longer needed on a system because it is not of importance or it has been archived.









9.3 Log Management Process

System-level and infrastructure administrators should follow standard processes for managing the logs for which they are responsible. Major operational processes for log management are as follows:

• Configure the log sources, including log generation, storage, and security
• Perform analysis of log data
• Initiate appropriate responses to identified events
• Manage the long-term storage of log data

Configure Log Sources

System-level administrators need to configure log sources so that they capture the necessary information in the desired format and locations, as well as retain the information for the appropriate period of time. The process includes:

• Administrators determine which of their hosts and host components must or should participate in the log management infrastructure.
• A single log file might contain information from several sources, such as an OS log containing information from the OS itself and several security software programs and applications. Administrators ascertain which log sources use each log file.
• For each identified log source, administrators determine which types of events each log source must or should log, as well as which data characteristics must or should be logged for each type of event.



The administrator's ability to configure each log source is dependent on the features offered by that particular type of log source. For example, some log sources offer very granular configuration options, while some offer no granularity at all: logging is simply enabled or disabled, with no control over what is logged. This section discusses log source configuration in three categories: log generation, log storage and disposal, and log security.

Event Logs

Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error.

Example: Windows Event Log

Whenever these significant types of events occur, Windows records the event in an event log that you can read by using Event Viewer. Advanced users might find the details in event logs helpful when troubleshooting problems with Windows and other programs. Event Viewer tracks information in several different logs. Windows Logs include:

Application (program) events. Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.

Security-related events. These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful.

Setup events. Computers that are configured as domain controllers will have additional logs displayed here.

System events. System events are logged by Windows and Windows system services, and are classified as error, warning, or information.

Forwarded events. These events are forwarded to this log by other computers.

Applications and Services Logs vary. They include separate logs about the programs that run on your computer, as well as more detailed logs that pertain to specific Windows services.

Open Event Viewer by clicking the Start button, clicking Control Panel, clicking System and Security, clicking Administrative Tools, and then double-clicking Event Viewer. Administrator permission is required: if you're prompted for an administrator password or confirmation, type the password or provide confirmation. Click an event log in the left pane. Double-click an event to view the details of the event.






9.4 Configuring Windows Event Log

Authorized administrators can define security settings for the event logs. The choices are somewhat limited, and include log size, the length of time a log should be stored, and when the log should be cleared. Each event log can be configured individually.

1. Click Start, select Programs, select Administrative Tools, click Computer Management.

2. In the console tree, click Event Viewer. Right-click Security and select Properties.

3. The Security Properties window will appear. Here authorized administrators can set the Maximum log size and select what action to take when the maximum log size is reached. Under Log size, select one of these options:

• If the log is not to be archived, click Overwrite events as needed.
• To archive the log at scheduled intervals, click Overwrite events older than and specify the appropriate number of days. Be sure that the Maximum log size is large enough to accommodate the interval.
• To retain all the events in the log, click Do not overwrite events (clear log manually). This option requires that logs be cleared manually. When the maximum log size is reached, new events are discarded. If the event log is not cleared and archived regularly, the following message will appear.

To restore the default settings, click Restore Defaults. To clear the log, click Clear Log.

1. After establishing the security log settings, click the Apply button.

2. The Security Properties window also provides the ability to set filters on the event log to perform searches and sorting of audit data. To filter an existing event log in order to view or save specific security events, select the Filter tab and configure the filter.

3. To configure the filter, select the Event types that will be included by checking or unchecking a selection box next to Information, Warning, Error, Success Audit, and/or Failure Audit, then input any additional desired filtering requirements by Event source, Category, Event ID, User, or Computer.

4. By default, the entire event log will be filtered for viewing by the parameters selected above. If desired, select a date and time range for the logs that will be filtered for viewing. This is accomplished by first clicking on the From: drop down menu and changing the selection to Events On. The date and time dialog boxes will become active. Change the date by selecting the drop down menu and choosing a date from the calendar that is presented. Change the time by scrolling the up and down arrows in the time dialog box. Follow the same procedures clicking on the To: drop down menu and changing the selection to Events On. Set the date and time for the last as described above.

5. Once all the desired filtering options have been selected, click the Apply button and click OK. The Event Viewer will filter the log and display the information as defined by the filter.

Windows Logon Types



Logon Types are logged in the Logon Type field of logon events (event IDs 528 and 540 for successful logons, and 529-537 and 539 for failed logons). Windows supports the following logon types and associated logon type values:

2: Interactive logon—This is used for a logon at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer's local keyboard and screen.

3: Network logon—This logon occurs when you access remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).

4: Batch logon—This is used for scheduled tasks. When the Windows Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created.

5: Service logon—This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.

7: Unlock—This is used whenever you unlock your Windows machine.

8: Network clear text logon—This is used when you log on over a network and the password is sent in clear text. This happens, for example, when you use basic authentication to authenticate to an IIS server.

9: New credentials-based logon—This is used when you run an application using the RunAs command and specify the /netonly switch. When you start a program with RunAs using /netonly, the program starts in a new logon session that has the same local identity (this is the identity of the user you are currently logged on with), but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.

10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.

11: Cached Interactive logon—This is logged when users log on using cached credentials, which basically means that in the absence of a domain controller, you can still log on to your local machine using your domain credentials. Windows supports logon using cached credentials to ease the life of mobile users and users who are often disconnected.
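The Filter tab procedure and the logon type table above, as an added example that is not the handbook's code: the same criteria the Event Viewer filter offers (event type, event ID, user, computer, date range) are applied in code to constructed Security log records, and each logon is labelled with its logon type name. The record layout is an assumption standing in for an exported log; the event ID ranges and type numbers are the ones given in the text.

```python
# Added example (not the handbook's own code): scripting the Event Viewer filter
# over constructed Security log records and labelling logon types.
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Logon type values as listed in the text.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "Network clear text", 9: "New credentials", 10: "Remote Interactive",
               11: "Cached Interactive"}

# Event IDs as given in the text: 528/540 successful logons, 529-537 and 539 failures.
SUCCESS_IDS = {528, 540}
FAILURE_IDS = set(range(529, 538)) | {539}

# Constructed records in the shape of an exported Security log (field names assumed).
RECORDS = [
    {"time": "2015-03-02T08:00:00", "event_id": 528, "logon_type": 2, "user": "alice", "computer": "WS01"},
    {"time": "2015-03-02T08:05:00", "event_id": 540, "logon_type": 3, "user": "alice", "computer": "FS01"},
    {"time": "2015-03-02T09:00:00", "event_id": 529, "logon_type": 10, "user": "bob", "computer": "WS01"},
    {"time": "2015-03-02T09:00:05", "event_id": 529, "logon_type": 10, "user": "bob", "computer": "WS01"},
    {"time": "2015-03-02T09:00:20", "event_id": 528, "logon_type": 10, "user": "bob", "computer": "WS01"},
    {"time": "2015-03-02T23:00:00", "event_id": 528, "logon_type": 5, "user": "svc_backup", "computer": "FS01"},
    {"time": "2015-03-03T07:30:00", "event_id": 528, "logon_type": 11, "user": "carol", "computer": "LAPTOP07"},
]

Record = Dict[str, object]


def audit_type(event_id: int) -> Optional[str]:
    """Map a logon event ID to the event type Event Viewer shows for it."""
    if event_id in SUCCESS_IDS:
        return "Success Audit"
    if event_id in FAILURE_IDS:
        return "Failure Audit"
    return None


def _parse(time_str: str) -> datetime:
    return datetime.strptime(time_str, "%Y-%m-%dT%H:%M:%S")


def filter_records(records: Iterable[Record], event_types: Optional[Iterable[str]] = None,
                   event_ids: Optional[Iterable[int]] = None, user: Optional[str] = None,
                   computer: Optional[str] = None, start: Optional[str] = None,
                   end: Optional[str] = None) -> List[Record]:
    """Apply the Filter tab criteria; None for a criterion means 'any'.
    start/end are inclusive ISO timestamps, like the From:/To: Events On boxes."""
    types = set(event_types) if event_types is not None else None
    ids = set(event_ids) if event_ids is not None else None
    out: List[Record] = []
    for r in records:
        if types is not None and audit_type(int(r["event_id"])) not in types:
            continue
        if ids is not None and r["event_id"] not in ids:
            continue
        if user is not None and r["user"] != user:
            continue
        if computer is not None and r["computer"] != computer:
            continue
        when = _parse(str(r["time"]))
        if start is not None and when < _parse(start):
            continue
        if end is not None and when > _parse(end):
            continue
        out.append(r)
    return out


def logon_summary(records: Iterable[Record]) -> Dict[str, Dict[str, int]]:
    """Count successes and failures per 'user / logon type name' label,
    the view an analyst wants before reading individual events."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"success": 0, "failure": 0})
    for r in records:
        kind = audit_type(int(r["event_id"]))
        if kind is None:
            continue
        label = f"{r['user']} / {LOGON_TYPES.get(int(r['logon_type']), 'Unknown')}"
        summary[label]["success" if kind == "Success Audit" else "failure"] += 1
    return dict(summary)


if __name__ == "__main__":
    for label, counts in logon_summary(RECORDS).items():
        print(label, counts)
```

Filtering on Failure Audit alone returns bob's two failed remote interactive logons, and the summary shows those two failures next to his one success, which is the pattern the Filter tab is typically used to isolate.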



How to Read the Windows Application, Security, and System Log Files

The Windows application, security, and system log files can be read with a Windows application called "Event Viewer," which is accessed through the Control Panel:

• Click the Start button on the desktop's Taskbar
• Click the Control Panel menu item
• The Control Panel's window will open
• In the Control Panel, double-click the Administrative Tools icon
• The Administrative Tools window will open with a list of different icons
• Double-click the Event Viewer icon

How to Read Other Windows Log Files

Many log files that software applications use are written as plain text files, making it possible to use any freeware text editor, such as "Notepad" or "WordPad", to read the generated log files. To read .txt files in WordPad:

• Click the Start button on the desktop's Taskbar
• Click the All Programs option
• Click the Accessories menu item
• Click the WordPad application
• A new WordPad window will open
• Click the File menu
• Click the Open menu item
• Navigate to the desired log file and click the Open button

There are also programs that allow the user to monitor log files as they occur in real-time. Examples of such software include Tail For Win32 and Hoo WinTail. These programs make it easy to read new entries from the bottom (tail) of the log file.



9.5 IIS log files

Internet Information Services (IIS) is a web server developed by Microsoft for use with Windows Server. The server is meant for a variety of hosting uses while attempting to maintain a high level of flexibility and scalability. To help with server use and analysis, IIS is integrated with several types of log files. These log file formats provide information on a range of websites and specific statistics, including Internet Protocol (IP) addresses, user information and site visits as well as dates, times and queries.

Log File Formats in IIS (IIS 6.0)

IIS provides six different log file formats that you can use to track and analyse information about your IIS-based sites and services. In addition to the six available formats, you can create your own custom log file format. The following log file formats and logging options are available in IIS:

• W3C Extended Log File Format: Text-based, customizable format for a single site. This is the default format.
• W3C Centralized Logging: All data from all Web sites is recorded in a single log file in the W3C log file format.
• NCSA Common Log File Format: Text-based, fixed format for a single site.
• IIS Log File Format: Text-based, fixed format for a single site.
• ODBC Logging: Fixed format for a single site. Data is recorded in an ODBC-compliant database.
• Centralized Binary Logging: Binary-based, unformatted data that is not customizable. Data is recorded from multiple Web sites and sent to a single log file. To interpret the data, you need a special parser.
• HTTP.sys Error Log Files: Fixed format for HTTP.sys-generated errors.



You can read text-based log files using a text editor such as Notepad, which is included with Windows, but administrators often import the files into a report-generating software tool for further analysis. IIS logs, when properly analysed, provide information about demographics and usage of the IIS web server. By tracking usage data, web providers can better tailor their services to support specific regions, time frames or IP ranges. Log filters also allow providers to track only the data deemed necessary for analysis.

Analyse an IIS Log file

IIS logs contain crucial information for improving the web site. Log files for an IIS server are the key source of information for managing the websites hosted on the server. The log files contain a record of each request from a web user and the response provided by the IIS server. This data is crucial for marketing, site performance and security. Logs are often the only indication that a user is attempting to hack into your IIS server. Patterns and trends can be spotted in this data to help you segment your users for marketing opportunities. IIS log analysis is a critical tool in improving your website.

Internet Information Services (IIS) 6.0 offers a number of ways to record the activity of your Web sites, File Transfer Protocol (FTP) sites, Network News Transfer Protocol (NNTP) service, and Simple Mail Transfer Protocol (SMTP) service and allows you to choose the log file format that works best for your environment. IIS logging is designed to be more detailed than the event logging or performance monitoring features of the Microsoft® Windows® Server 2003, Standard Edition, Windows® Server 2003, Enterprise Edition, and Windows® Server 2003, Datacenter Edition, operating systems. IIS log files can include information such as who has visited your site, what was viewed, and when the information was last viewed. You can monitor attempts to access your sites, virtual folders, or files and determine whether attempts were made to read or write to your files. IIS log file formats allow you to record events independently for any site, virtual folder, or file.



















Using a text editor, the following steps can be used to analyse the IIS file:

- Open the log file labeled as "ex010110.log" in your text editor. The six digits in the log file name are in the format day, month and year the file was created.
- Locate the header information. This is a line starting with "#Fields:". Use this line to determine the corresponding values in each column.
- Use the date and time to identify when the request was created.
- The "sitename" and "computername" will indicate what server responded to the request.
- Identify the visitor to your web server by the "c-ip", which is the IP address of the visitor's computer.
- The "cs-method" column will most often contain either "post" or "get", depending on the request made by the visitor's browser.
- The fields "cs-uri-stem" and "cs-uri-query" will denote the resource, such as an image or web page, that the visitor requested.
- Use the "sc-status" column to determine whether the web server was capable of correctly responding to the request. A link is provided in the resource section of this article to a complete list of response codes.
- Use the "cs(User-Agent)" to determine what type of browser the visitor used, or if the visitor is actually a search engine. A link to a list of common user agents has been provided in the resource area of this article.
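The column mapping and per-field checks from the steps above, as an added example that is not part of the handbook: a small Python parser driven by the "#Fields:" line, run over a constructed sample log in the W3C Extended format. The server names, client addresses (RFC 5737 documentation ranges) and paths in the sample are made up; the 4xx/5xx threshold is an assumed review heuristic, not an IIS feature.

```python
"""Parse an IIS W3C Extended log and summarise it the way the steps above describe.

Added example (not from the handbook): the #Fields: header drives the column
mapping, then requests are tallied by c-ip, sc-status and cs(User-Agent).
"""
from collections import Counter

# Constructed sample log in IIS W3C Extended format. Addresses come from the
# RFC 5737 documentation ranges; site, server and paths are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-01-01 08:00:00
#Fields: date time s-sitename s-computername c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2010-01-01 08:00:01 W3SVC1 WEBSRV01 192.0.2.10 GET /index.htm - 200 Mozilla/5.0+(Windows+NT+6.1)
2010-01-01 08:00:02 W3SVC1 WEBSRV01 192.0.2.10 GET /images/logo.png - 200 Mozilla/5.0+(Windows+NT+6.1)
2010-01-01 08:00:05 W3SVC1 WEBSRV01 198.51.100.7 GET /robots.txt - 200 Googlebot/2.1+(+http://www.google.com/bot.html)
2010-01-01 08:01:10 W3SVC1 WEBSRV01 203.0.113.5 GET /old1.asp - 404 curl/7.38.0
2010-01-01 08:01:11 W3SVC1 WEBSRV01 203.0.113.5 GET /old2.asp - 404 curl/7.38.0
2010-01-01 08:01:12 W3SVC1 WEBSRV01 203.0.113.5 GET /old3.asp - 404 curl/7.38.0
2010-01-01 08:01:13 W3SVC1 WEBSRV01 203.0.113.5 GET /old4.asp - 404 curl/7.38.0
2010-01-01 08:02:00 W3SVC1 WEBSRV01 192.0.2.10 POST /login.asp - 302 Mozilla/5.0+(Windows+NT+6.1)
2010-01-01 08:02:30 W3SVC1 WEBSRV01 192.0.2.11 GET /report.asp id=7 500 Mozilla/5.0+(Windows+NT+6.1)
"""


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: line.

    Lines beginning with '#' are directives; only #Fields: matters here. IIS
    separates columns with spaces and writes '+' for spaces inside values, so a
    plain split is safe. A later #Fields: line re-maps the columns that follow it.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line appears before any #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def summarise(entries):
    """Tally requests by client address, status code and user agent."""
    by_ip, by_status, by_agent = Counter(), Counter(), Counter()
    for e in entries:
        by_ip[e["c-ip"]] += 1
        by_status[e["sc-status"]] += 1
        by_agent[e["cs(User-Agent)"]] += 1
    return by_ip, by_status, by_agent


def flag_error_heavy_clients(entries, min_requests=3, threshold=0.75):
    """Return {c-ip: (errors, total)} for clients whose 4xx/5xx share is high.

    A client that mostly receives 'not found' or server-error responses is
    worth a closer look in the daily log review; a single failed request is
    not, hence the minimum request count. Thresholds are assumed values.
    """
    total, errors = Counter(), Counter()
    for e in entries:
        total[e["c-ip"]] += 1
        if e["sc-status"][0] in "45":
            errors[e["c-ip"]] += 1
    return {ip: (errors[ip], n) for ip, n in total.items()
            if n >= min_requests and errors[ip] / n >= threshold}


if __name__ == "__main__":
    entries = list(parse_w3c_log(SAMPLE_LOG))
    by_ip, by_status, by_agent = summarise(entries)
    print("requests per client:", dict(by_ip))
    print("responses by status:", dict(by_status))
    print("user agents:", dict(by_agent))
    print("clients to review:", flag_error_heavy_clients(entries))
```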



9.6 Log Analysis and Response

Analyse Log Data

Effective analysis of log data is often the most challenging aspect of log management, but is also usually the most important. Although analysing log data is sometimes perceived by administrators as uninteresting and inefficient (e.g., little value for much effort), having robust log management infrastructures and automating as much of the log analysis process as possible can significantly improve analysis so that it takes less time to perform and produces more valuable results. The most effective way to gain a solid understanding of log data is to review and analyse portions of it regularly (e.g., every day). The goal is to eventually gain an understanding of the baseline of typical log entries, likely encompassing the vast majority of log entries on the system. (Because a few types of entries often comprise a significant percentage of the log entries, this is not as difficult as it may first sound.) Daily log reviews should include those entries that have been deemed most likely to be important, as well as some of the entries that are not yet fully understood. Because it can take considerable effort to understand the significance of most log entries, the initial days, weeks, or even months of performing the log analysis process are the most challenging and time-consuming. Over time, as the baseline of normal activity is broadened and deepened, the daily log reviews should take less time and be more focused on the most important log entries, thus leading to more valuable analysis results.

Another motivation for understanding the log entries is so that the analysis process can be automated as much as possible. By determining which types of log entries are of interest and which are not, administrators can configure automated filtering of the log entries. This allows events known to be malicious to be recognized and responded to automatically (e.g., alerting administrators, reconfiguring other security controls). Another purpose for filtering is to ensure that the manual analysis performed by administrators is prioritized appropriately. The filtering should be configured so that it presents administrators with a reasonable number of entries for manual analysis.

Web log analysis software (also called a web log analyzer) is a kind of web analytics software that parses a server log file from a web server and, based on the values contained in the log file, derives indicators about when, how, and by whom a web server is visited. Usually reports are generated from the log files immediately, but the log files can alternatively be parsed into a database and reports generated on demand. There are free, open source and paid software tools available for log analysis or management.

Response to events

During their log analysis, infrastructure and system-level administrators may identify events of significance, such as incidents and operational problems that necessitate some type of response. When an administrator identifies a likely computer security incident, as defined by the organization’s incident response policies, the administrator should follow the organization’s incident response procedures to ensure that it is addressed appropriately. Examples of computer security incidents include a host being infected by malware and a person gaining unauthorized access to a host. Administrators should perform their own responses to non-incident events, such as minor operational problems (e.g., misconfiguration of host security software). Some organizations require system-level administrators to report incidents and logging-related operational problems to infrastructure administrators so that the infrastructure administrators can better identify additional instances of the same activities and patterns that cannot be seen at the individual system level. Infrastructure and system-level administrators should also be prepared to assist incident response teams with their efforts. For example, when an incident occurs, affected system-level administrators may be asked to review their systems’ logs for particular signs of malicious activity or to provide copies of their logs to incident handlers for further analysis.

Administrators should also be prepared to alter their logging configurations as part of a response. Adverse events such as worms often cause unusually large numbers of events to be logged. This can cause various negative impacts, such as slowing system performance, overwhelming logging processes, and overwriting recent log entries. Analysts may not be able to see other events of significance because their records are hidden among all of the other log entries. Accordingly, administrators may need to reconfigure logging for the short term, long term, or permanently, depending on the source of the log data, to prevent it from overwhelming the system and the logs. Administrators may also need to adjust logging to capture more data as part of a response effort, such as collecting additional information on a particular type of activity. To identify similar incidents, especially in the short term, administrators may need to perform additional log monitoring and analysis, such as more closely examining the types of logging sources that recorded pertinent information on the initial incident.

UNIT X Data Backup

This Unit covers:
- Lesson Plan
- Suggested Learning Activities
- Training Resource Material

10.1. Data Backup
10.2. Types of Backup
10.3. Backup Procedures
10.4. Types of Storage
10.5. Features of a Good Backup Strategy

LESSON PLAN

Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
PC5. carry out backups of security devices and applications in line with information security policies, procedures and guidelines, where required

Performance Measures
- Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
- Going through the security standards over Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement
- PCs/Tablets/Laptops
- Labs availability (24/7)
- Internet with WiFi (Min 2 Mbps Dedicated)
- Networking Equipment: Routers & Switches
- Firewalls and Access Points
- Backup devices and storage media

Outcomes
You must know and understand:
KA12. your organization’s information security systems and tools and how to access and maintain these
KB2. different types of backups for security devices and applications and how to carry out backups

Performance Measures
- Project charter, Architecture (charts), Project plan, Poster presentation and execution plan.
- Going through the security standards over Internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.

Duration (Hrs): 4 hrs

Work Environment / Lab Requirement
- PCs/Tablets/Laptops
- Labs availability (24/7)
- Internet with WiFi (Min 2 Mbps Dedicated)
- Networking Equipment: Routers & Switches
- Firewalls and Access Points
- Backup devices and storage media

Suggested Learning Activities

Activity 1: The students should back up data available in the institute and evaluate the backup requirements for the institute. If there isn’t a policy for backup, then the same should be developed by the students and all necessary steps for successful implementation should be carried out by the students.

Activity 2: The students should be divided into groups and asked to prepare a report on the difference between backup of individual data and backup of security devices and applications. The report should focus on requirements, challenges, products and means available, advantages and disadvantages, media used, and other differences.

Activity 3: The students should research various products and services for backup available in the industry and compare the benefits, features and limitations of each. The comparison should be presented in class.

Training Material resource

10.1 Data Backup - Overview

Backup is the activity of copying files or databases so that they will be preserved in case of equipment failure or other catastrophe. Backup is usually a routine part of the operation of large businesses with mainframes as well as the administrators of smaller business computers. For personal computer users, backup is also necessary but often neglected. The retrieval of files you backed up is called restoring them.

Purpose

All electronic information considered of institutional value should be copied onto secure storage media on a regular basis (i.e., backed up), for disaster recovery and business resumption. Special backup needs, identified through technical risk analysis, that exceed these requirements should be accommodated on an individual basis.

Scope

Data custodians are responsible for providing adequate backups to ensure the recovery of data and systems in the event of failure. Backup provisions allow business processes to be resumed in a reasonable amount of time with minimal loss of data. Since hardware and software failures can take many forms, and may occur over time, multiple generations of institutional data backups need to be maintained.

10.2 Types of Backup

Full backup

Full backup is a method of backup where all the files and folders selected for the backup will be backed up. It is commonly used as an initial or first backup followed by subsequent incremental or differential backups. After several incremental or differential backups, it is common to start over with a fresh full backup again. Some also like to do full backups for all backup runs, typically for smaller folders or projects that do not occupy too much storage space.

Advantages
- Restores are fast and easy to manage as the entire list of files and folders is in one backup set.
- Easy to maintain and restore different versions.

Disadvantages
- Backups can take very long as each file is backed up again every time the full backup is run.
- Consumes the most storage space compared to incremental and differential backups. The exact same files are stored repeatedly, resulting in inefficient use of storage.

Incremental backup

Incremental backup is a backup of all changes made since the last backup. The last backup can be a full backup or simply the last incremental backup. With incremental backups, one full backup is done first and subsequent backup runs are just the changed files and new files added since the last backup.

Advantages
- Much faster backups.
- Efficient use of storage space as files are not duplicated. Much less storage space used compared to running full backups and even differential backups.

Disadvantages
- Restores are slower than with a full backup and differential backups.
- Restores are a little more complicated. All backup sets (first full backup and all incremental backups) are needed to perform a restore.

Differential backups

Differential backups fall in the middle between full backups and incremental backups. A differential backup is a backup of all changes made since the last full backup. With differential backups, one full backup is done first and subsequent backup runs are the changes made since the last full backup. The result is a much faster backup than a full backup for each backup run. Storage space used is less than a full backup but more than incremental backups. Restores are slower than with a full backup but usually faster than incremental backups.

Advantages
- Much faster backups than full backups.
- More efficient use of storage space than full backups since only files changed since the last full backup will be copied on each differential backup run.
- Faster restores than incremental backups.

Disadvantages
- Backups are slower than incremental backups.
- Not as efficient use of storage space as compared to incremental backups. All files added or edited after the initial full backup will be duplicated again with each subsequent differential backup.
- Restores are slower than with full backups.
- Restores are a little more complicated than full backups but simpler than incremental backups. Only the full backup set and the last differential backup are needed to perform a restore.
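The three schemes compared above, as an added example that is not from the handbook: a simulation of one full backup followed by four daily runs under each scheme, showing what each run copies, the total storage consumed, and which backup sets a restore depends on. The file set, sizes and change schedule are constructed.

```python
"""Simulate full, incremental and differential backup runs over the same workload.

Added example (not from the handbook). Sizes and the change schedule below are
constructed; a file's "version" is simply the day it was last modified.
"""
from typing import Dict, List, Tuple

# Constructed workload: file sizes in MB, and which files change on each day.
# Day 0 is the initial full backup; days 1..4 are the daily runs that follow.
FILES_MB: Dict[str, int] = {"db.mdf": 500, "docs.zip": 120, "site.log": 40, "photos.tar": 300}
CHANGES: Dict[int, List[str]] = {1: ["site.log"], 2: ["site.log", "docs.zip"],
                                  3: ["site.log"], 4: ["site.log", "db.mdf"]}

# A backup set: (day it ran, scheme, {file name -> version captured}).
BackupSet = Tuple[int, str, Dict[str, int]]


def simulate(scheme: str, days: int = 4) -> List[BackupSet]:
    """Run a full backup on day 0, then one backup per day using `scheme`."""
    mtime = {name: 0 for name in FILES_MB}            # current version of each file
    history: List[BackupSet] = [(0, "full", dict(mtime))]
    for day in range(1, days + 1):
        for name in CHANGES.get(day, []):
            mtime[name] = day                           # file modified on this day
        if scheme == "full":
            copied = dict(mtime)                        # everything, every run
        elif scheme == "incremental":
            since = history[-1][0]                      # last backup of any kind
            copied = {n: v for n, v in mtime.items() if v > since}
        elif scheme == "differential":
            since = max(d for d, kind, _ in history if kind == "full")  # last full
            copied = {n: v for n, v in mtime.items() if v > since}
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
        history.append((day, scheme, copied))
    return history


def storage_used_mb(history: List[BackupSet]) -> int:
    """Total space consumed by every backup set in the history."""
    return sum(FILES_MB[n] for _, _, files in history for n in files)


def restore_chain(history: List[BackupSet]) -> List[BackupSet]:
    """The sets that must all be readable to restore the latest state."""
    last_full = max(i for i, (_, kind, _) in enumerate(history) if kind == "full")
    if history[-1][1] == "differential":
        return [history[last_full], history[-1]]      # full + last differential only
    return history[last_full:]                        # full alone, or full + every incremental


def restore(history: List[BackupSet]) -> Dict[str, int]:
    """Replay the restore chain in order; later sets overwrite older versions."""
    state: Dict[str, int] = {}
    for _, _, files in restore_chain(history):
        state.update(files)
    return state


if __name__ == "__main__":
    for scheme in ("full", "incremental", "differential"):
        h = simulate(scheme)
        print(f"{scheme:12s} storage={storage_used_mb(h):5d} MB  "
              f"sets needed to restore={len(restore_chain(h))}  restored={restore(h)}")
```

Removing one incremental set from the middle of the chain silently restores an older version of docs.zip, which is the reason the text above says every set is needed for an incremental restore.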



Mirror backups

Mirror backups are, as the name suggests, a mirror of the source being backed up. With mirror backups, when a file in the source is deleted, that file is eventually also deleted in the mirror backup. Because of this, mirror backups should be used with caution, as a file that is deleted by accident, sabotage or through a virus may also cause that same file in the mirror to be deleted as well. Some do not consider a mirror to be a backup. Many online backup services offer a mirror backup with a 30-day delete. This means that when you delete a file on your source, that file is kept on the storage server for at least 30 days before it is eventually deleted. This helps strike a balance, offering a level of safety while not allowing the backups to keep growing, since online storage can be relatively expensive. Many backup software utilities do provide support for mirror backups.

Advantages
- The backup is clean and does not contain old and obsolete files.

Disadvantages
- There is a chance that files in the source deleted accidentally, by sabotage or through a virus may also be deleted from the backup mirror.

Full PC backup

Full PC backup or full computer backup typically involves backing up entire images of the computer’s hard drives rather than individual files and folders. The drive image is like a snapshot of the drive. It may be stored compressed or uncompressed. With other file backups, only the user’s documents, pictures, videos and music files can be restored, while the operating system, programs etc. need to be reinstalled from their source download or disc media. With the full PC backup, however, you can restore the hard drives to their exact state when the backup was done. Hence, not only can the documents, pictures, videos and audio files be restored, but also the operating system, hardware drivers, system files, registry, programs, emails etc. In other words, a full PC backup can restore a crashed computer to its exact state at the time the backup was made. Full PC backups are sometimes called “Drive Image Backups”.

Advantages
- A crashed computer can be restored in minutes with all programs, databases, emails etc. intact. No need to install the operating system, programs and perform settings etc.
- Ideal backup solution for a hard drive failure.

Disadvantages
- May not be able to restore on a completely new computer with a different motherboard, CPU, display adapters, sound card etc.
- Any problems that were present on the computer (like viruses, misconfigured drivers, unused programs etc.) at the time of the backup may still be present after a full restore.

Local backup

A local backup is any backup where the storage medium is kept close at hand. Typically, the storage medium is plugged in directly to the source computer being backed up or is connected through a local area network to the source being backed up.

Advantages
- Offers good protection from hard drive failures, virus attacks, accidental deletes and deliberate employee sabotage on the source data.
- Very fast backup and very fast restore.
- Storage cost can be very cheap when the right storage medium is used, like external hard drives.
- Data transfer cost to the storage medium can be negligible or very cheap.
- Since the backups are stored close by, they are very conveniently obtained whenever needed for backups and restore.
- Full internal control over the backup storage media and the security of the data on it. There is no need to entrust the storage media to third parties.

Disadvantages
- Since the backup is stored close to the source, it does not offer good protection against theft, fire, flood, earthquakes and other natural disasters. When the source is damaged by any of these circumstances, there’s a good chance the backup will also be damaged.

Offsite Backup

Any backup where the backup storage medium is kept at a different geographic location from the source is known as an offsite backup. The backup may be done locally at first on the usual storage devices, but once the storage medium is brought to another location, it becomes an offsite backup.

Advantages
- Offers additional protection when compared to local backup, such as protection from theft, fire, flood, earthquakes, hurricanes and more.

Disadvantages
- Except for online backups, it requires more due diligence to bring the storage media to the offsite location.
- May cost more, as people usually need to rotate between several storage devices. For example, when keeping the backup in a bank deposit box, people usually use 2 or 3 hard drives and rotate between them, so at least one drive will be in storage at any time while the other is removed to perform the backup.
- Because of increased handling of the storage devices, the risk of damaging a delicate hard disk is higher. (Does not apply to online storage.)

Online backup

An online backup is a backup done on an ongoing basis to a storage medium that is always connected to the source being backed up. The term “online” refers to the storage device or facility being always connected. Typically, the storage medium or facility is located offsite and connected to the backup source by a network or Internet connection. It does not involve human intervention to plug in drives and storage media for backups to run. Many commercial data centers now offer this as a subscription service to consumers. The storage data centers are located away from the source being backed up and the data is sent from the source to the storage center securely over the Internet. Typically, a client application is installed on the source computer being backed up. Users can define what folders and files they want to back up and at what times of the day they want the backups to run. The data may be compressed and encrypted before being sent over the Internet to the storage data center. The storage facility is a commercial data center located away from the source computers being backed up. Typically, they are built to certain fire and earthquake safety specifications. They have higher security standards with CCTV and round-the-clock monitoring. They typically have backup generators to deal with grid power outages and the facility is temperature controlled. Data is not just stored on one physical medium but replicated across several devices. These facilities are usually serviced by multiple redundant Internet connections so there is no single point of failure to bring the service down.

Advantages
- Offers the best protection against fires, theft and natural disasters.
- Because data is replicated across several storage media, the risk of data loss from hardware failure is very low.
- Because backups are frequent or continuous, data loss is very minimal compared to other backups that are run less frequently.
- Because it is online, it requires little human or manual interaction after it is set up.

Disadvantages
- Is a more expensive option than local backups.
- Initial or first backups can be a slow process spanning a few days or weeks depending on Internet connection speed and the amount of data backed up.
- Can be slow to restore.

Remote backups

Remote backups are a form of offsite backup, with the difference being that you can access, restore or administer the backups while located at your source location or another physical location. The term “remote” refers to the ability to control or administer the backups from another location. You do not need to be physically present at the backup storage facility to access the backups. Putting your backup hard drive in your bank safe deposit box would not be considered a remote backup: you cannot administer or access it without making a trip to the bank. The term “remote backup” is often used loosely and interchangeably with “online backup” and “cloud backup”.

Advantages
- Much better protection from natural disasters than local backups.
- Easier administration as it does not need a physical trip to the offsite backup location.

Disadvantages
- More expensive than local backups.
- Can take longer to back up and restore than local backups.

Cloud backup

Cloud backup is a term often used loosely and interchangeably with Online Backup and Remote Backup. This is a type of backup where data is backed up to a storage server or facility connected to the source via the Internet. With the proper login credentials, that backup can then be accessed securely from any other computer with an Internet connection. The term “cloud” refers to the backup storage facility being accessible from the Internet.

Advantages
- Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural disasters.
- Able to easily connect and access the backup with just an Internet connection.
- Data is replicated across several storage devices and usually serviced by multiple Internet connections, so the system is not at the mercy of a single point of failure.
- When the service is provided by a good commercial data center, service is managed and protection is unparalleled.

Disadvantages
- More expensive than local backups.
- Can take longer to back up and restore.

FTP Backup

This is a kind of backup where the backup is done via the File Transfer Protocol (FTP) over the Internet to an FTP Server. Typically, the FTP Server is located in a commercial data center away from the source data being backed up. When the FTP server is located at a different location, this is another form of offsite backup.

Advantages
- Since this is an offsite backup, it offers protection from fire, floods, earthquakes and other natural disasters.
- Able to easily connect and access the backup with just an Internet connection.

Disadvantages
- More expensive than local backups.
- Can take longer to back up and restore. Backup and restore times are dependent on the Internet connection.

10.3 Backup Procedures

The 3-2-1 Rule

The simplest way to remember how to back up your images safely is to use the 3-2-1 rule.
- We recommend keeping 3 copies of any important file (a primary and two backups).
- We recommend having the files on 2 different media types (such as hard drive and optical media), to protect against different types of hazards.*
- 1 copy should be stored offsite (or at least offline).

The data backup procedures must include:
- frequency
- data backup retention
- testing
- media replacement
- recovery time
- roles and responsibilities

Local data backup procedures must include the following:

- Data Backup Retention - Retention of backup data must meet System and institution requirements for critical data.
- Testing - Restoration of backup data must be performed and validated on all types of media in use periodically.
- Media Replacement - Backup media should be replaced according to manufacturer recommendations.
- Recovery Time - The recovery time objective (RTO) must be defined and support business requirements.
- Roles and Responsibilities - Appropriate roles and responsibilities must be defined for data backup and restoration to ensure timeliness and accountability.
- Offsite Storage - Removable backup media taken offsite must be stored in an offsite location that is insured and bonded, or in a locked, media rated, fire safe.
- Onsite Storage - Removable backup media kept onsite must be stored in a locked container with restricted physical access.
- Media Destruction - How to dispose of data storage media in various situations.
- Encryption - Non-public data stored on removable backup media must be encrypted. Non-public data must be encrypted in transit and at rest when sent to an offsite backup facility, either physically or via electronic transmission.
- Third Parties - Third parties' backup handling and storage procedures must meet System or institution policy or procedure requirements related to data protection, security and privacy. These procedures must cover contract terms that include bonding, insurance, disaster recovery planning and requirements for storage facilities with appropriate environmental controls.

Definitions

Archive: An archive is a collection of historical data specifically selected for long-term retention and future reference. It is usually data that is no longer actively used, and is often stored on removable media.

Backup: A copy of data that may be used to restore the original in the event the latter is lost or damaged beyond repair. It is a safeguard for data that is being used. Backups are not intended to provide a means to archive data for future reference or to maintain a versioned history of data to meet specific retention requirements.

Critical Data: Data that needs to be preserved in support of the institution's ability to recover from a disaster or to ensure business continuity.

Data: Information collected, stored, transferred or reported for any purpose, whether in computers or in manual files. Data can include: financial transactions, lists, identifying information about people, projects or processes, and information in the form of reports. Because data has value, and because it has various sensitivity classifications defined by federal law and state statute, it must be protected.

Destruction: Destruction of media includes: disintegration, incineration, pulverizing, shredding, and melting. Information cannot be restored in any form following destruction.

Media Rated, Fire Safe: A safe designed to maintain internal temperature and humidity levels low enough to prevent damage to CDs, tapes, and other computer storage devices in a fire. Safes are rated based on the length of time the contents of a safe are preserved while directly exposed to fire and high temperatures.

Information Technology Resources: Facilities, technologies, and information resources used for System information processing, transfer, storage, and communications. Included in this definition are computer labs, classroom technologies, computing and electronic communications devices and services, such as modems, e-mail, networks, telephones (including cellular), voice mail, fax transmissions, video, multimedia, and instructional materials. This definition is not all-inclusive, but rather reflects examples of System equipment, supplies and services.

Recovery Point Objective (RPO): Acceptable amount of service or data loss measured in time. The RPO is the point in time prior to service or data loss that service or data will be recovered to.

Recovery Time Objective (RTO): Acceptable duration from the time of service or data loss to the time of restoration.

Automated Backup

If the data backup plan defines a daily interval, making manual backups becomes quite time consuming, and one may discover now and then that backups have been skipped because something else more important had to be done at the same time. It is better to foresee the risk of not making backups and try to automate the whole backup process as much as possible.

10.4 Types of storage

Local Storage Options

1. External Hard Drive
These are hard drives similar to the type installed within a desktop or laptop computer. The difference is that they can be plugged into the computer, or removed and kept separate from the main computer.
Advantages:
• Very good option for local backups of large amounts of data.
• The cheapest storage option in terms of cost per GB.
• Very reliable when handled with care.
Disadvantages:
• Can be very delicate. May be damaged if dropped or through an electrical surge.

2. Solid State Drive (SSD)
Solid State Drives look and function similar to traditional mechanical/magnetic hard drives, but the similarities stop there. Internally, they are completely different: they have no moving parts or rotating platters and rely solely on semiconductors and electronics for data storage, making them more reliable and robust than traditional magnetic drives. No moving parts also means that they use less power than traditional hard drives and are much faster too.
With the prices of Solid State Drives coming down and their lower power usage, SSDs are used extensively in laptops and mobile devices. External SSDs are also a viable option for data backups.
Advantages:
• Faster read and write performance.
• More robust and reliable than traditional magnetic hard drives.
• Highly portable. Can be easily taken offsite.
Disadvantages:
• Still relatively expensive when compared to traditional hard drives.
• Storage space is typically less than that of traditional magnetic hard drives.

3. Network Attached Storage (NAS)
NAS are simply one or more regular IDE or SATA hard drives plugged into an array storage enclosure and connected to a network router or hub through an Ethernet port. Some of these NAS enclosures have ventilating fans to protect the hard drives from overheating.
Advantages:
• Very good option for local backups, especially for networks and small businesses.
• As several hard drives can be plugged in, NAS can hold very large amounts of data.
• Can be set up with redundancy (RAID), increasing the reliability and/or read and write performance. Depending on the RAID level used, the NAS can still function even if one hard drive in the RAID set fails, or two hard drives can be set up to double the read and write speed of a single hard drive.
• The drive is always connected and available to the network, making the NAS a good option for implementing automated scheduled backups.
Disadvantages:
• Significantly more expensive than using single external hard drives.
• Difficult to bring offsite, making it very much a local backup, hence still susceptible to events like theft, floods, fire etc.

4. USB Thumb Drive or Flash Drive
These are similar to Solid State Drives except that they are much smaller in size and capacity. They have no moving parts, making them quite robust. They are extremely portable and can fit on a keychain. They are ideal for backing up a small amount of data that needs to be brought with you on the go.
Advantages:
• The most portable storage option. Can fit on a keychain, making it an offsite backup when you bring it with you.
• Much more robust than traditional magnetic hard drives.
Disadvantages:
• Relatively expensive per GB, so can only be used for backing up a small amount of data.

5. Optical Drive (CD/DVD)
CDs and DVDs are ideal for storing a list of songs, movies, media or software for distribution or for giving to a friend, due to the very low cost per disk. They do not make good storage options for backups due to their shorter lifespan, small storage space and slower read and write speeds.
Advantages:
• Low cost per disk.
Disadvantages:
• Relatively shorter life span than other storage options.
• Not as reliable as other storage options like external hard disks and SSDs.
• One damaged disk in a backup set can make the whole backup unusable.

Remote Storage Options

1. Cloud Storage
Cloud storage is storage space in a commercial data center accessible from any computer with Internet access. It is usually provided by a service provider. A limited amount of storage space may be provided free, with more space available for a subscription fee. Examples of service providers are Amazon S3, Google Drive, Sky Drive etc.
Advantages:
• A very good offsite backup. Not affected by events and disasters such as theft, floods, fire etc.
Disadvantages:
• More expensive than traditional external hard drives. Often requires an ongoing subscription.
• Requires an Internet connection to access the cloud storage.
• Much slower than other local backups.






10.5 Features of a Good Backup Strategy
The following are features to aim for when designing your backup strategy:
• Able to recover from data loss in all circumstances, such as hard drive failure, virus attacks, theft, accidental deletes or data entry errors, sabotage, fire, flood, earthquakes and other natural disasters.
• Able to recover to an earlier state if necessary, for example after data entry errors or accidental deletes.
• Able to recover as quickly as possible with minimum effort, cost and data loss.
• Require minimum ongoing human interaction and maintenance after the initial setup, hence able to run automated or semi-automated.



Planning Your Backup Strategy

1. What to Backup
The first step in planning your backup strategy is identifying what needs to be backed up. Identify the files and folders that you cannot afford to lose. This involves going through your documents, databases, pictures, videos, music and program setup or installation files. Some of these media, like pictures and videos, may be irreplaceable. Others, like documents and databases, may be tedious or costly to recover from hard copies. These are the files and folders that need to be in your backup plan.

2. Where to Backup to
This is another fundamental consideration in your backup plan. In light of some content being irreplaceable, the backup strategy should protect against all events. Hence a good backup strategy should employ a combination of local and offsite backups. Local backups are needed for their lower cost, allowing you to back up a huge amount of data. Local backups are also useful for their very fast restore speed, allowing you to get back online in minimal time. Offsite backups are needed for their wider scope of protection from major disasters or catastrophes not covered by local backups.

3. When to Backup
Frequency: How often you back up your data is the next major consideration when planning your backup policy. Some folders are fairly static and do not need to be backed up very often. Other folders are frequently updated and should correspondingly have a higher backup frequency, like once a day or more. Your decision regarding backup frequency should be based on a worst case scenario. For example, if tragedy struck just before the next backup was scheduled to run, how much data would you lose since the last backup? How long would it take and how much would it cost to re-key that lost data?
Backup Start Time: You would typically want to run your backups when there is minimal usage on the computers. Backups may consume some computer resources that may affect performance. Also, files that are open or in use may not get backed up. Scheduling backups to run after business hours is a good practice, provided the computer is left on overnight. Backups will not normally run when the computer is in "sleep" or "hibernate" mode. Some backup software will run immediately upon boot up if it missed a scheduled backup the previous night. So if the first hour on a business day morning is your busiest time, you would not want your computer doing its backups then. If you always shut down or put your computer in sleep or hibernate mode at the end of a work day, maybe your lunch time would be a better time to schedule a backup. Just leave the computer on but logged off when you go out for lunch. Since servers are usually left running 24 hours, overnight backups for servers are a good choice.

4. Backup Types
Many backup software products offer several backup types, like Full Backup, Incremental Backup and Differential Backup. Each backup type has its own advantages and disadvantages. Full backups are useful for projects, databases or small websites where many different files (text, pictures, videos etc.) are needed to make up the entire project and you may want to keep different versions of the project.

5. Compression & Encryption
As part of your backup plan, you also need to decide if you want to apply any compression to your backups. For example, when backing up to an online service, you may want to apply compression to save on storage cost and upload bandwidth. You may also want to apply compression when backing up to storage devices with limited space, like USB thumb drives.
If you are backing up very private or sensitive data to an offsite service, some backup tools and services also offer support for encryption. Encryption is a good way to protect your content should it fall into malicious hands. When applying encryption, always ensure that you remember your encryption key. You will not be able to restore the backup without your encryption key or phrase.

6. Testing Your Backup
A backup is only worth doing if it can be restored when you need it most. It is advisable to periodically test your backup by attempting to restore it. Some backup utilities offer a validation option for your backups. While this is a welcome feature, it is still a good idea to test your backup with an actual restore once in a while.

7. Backup Utilities & Services
Simply copying and pasting files and folders to another drive would be considered a backup. However, the aim of a good backup plan is to set it up once and leave it to run on its own. You would check up on it occasionally, but the backup strategy should not depend on your ongoing interaction for it to continue backing up. A good backup plan would incorporate the use of good quality, proven backup software utilities and backup services.
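As an added example (not from the handbook), the Python below selects files for full, incremental and differential backups from a source folder by modification time, copies them with a SHA-256 manifest, and then checks a test restore against that manifest as section 6 recommends. The file names, contents, timestamps and temporary directories are all constructed.

```python
"""Added example (not from the handbook): choosing files for Full, Incremental
and Differential backups, and verifying a test restore against a hash manifest.
All file names, contents and timestamps below are constructed."""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def select_files(source, backup_type, last_full_time, last_backup_time):
    """Return the files a backup of the given type should include.

    full:         every file under source.
    differential: files modified since the last FULL backup.
    incremental:  files modified since the last backup of ANY type.
    Times are POSIX timestamps; None means no previous backup.
    """
    cutoffs = {"full": None, "differential": last_full_time, "incremental": last_backup_time}
    if backup_type not in cutoffs:
        raise ValueError("unknown backup type: %s" % backup_type)
    cutoff = cutoffs[backup_type]
    return [p for p in sorted(Path(source).rglob("*"))
            if p.is_file() and (cutoff is None or p.stat().st_mtime > cutoff)]


def run_backup(source, dest, backup_type, last_full_time, last_backup_time):
    """Copy the selected files to dest and return a manifest {relative path: sha256}."""
    manifest = {}
    for path in select_files(source, backup_type, last_full_time, last_backup_time):
        rel = path.relative_to(source).as_posix()
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(path)
    return manifest


def verify_restore(restore_dir, manifest):
    """Test-restore check: every manifest entry must exist with an unchanged hash.
    Returns the relative paths that are missing or corrupted (empty list = OK)."""
    return [rel for rel, digest in manifest.items()
            if not (Path(restore_dir) / rel).is_file()
            or sha256_of(Path(restore_dir) / rel) != digest]


def demo():
    """Constructed scenario: full backup, two later edits, then a damaged restore."""
    root = Path(tempfile.mkdtemp())
    src = root / "data"
    docs = src / "docs"
    docs.mkdir(parents=True)
    report, notes = docs / "report.txt", docs / "notes.txt"
    now = time.time()

    def write(path, text, age_seconds):   # write a file and back-date its mtime
        path.write_text(text)
        os.utime(path, (now - age_seconds, now - age_seconds))

    def rel(paths):
        return [p.relative_to(src).as_posix() for p in paths]

    write(report, "quarterly report v1", 3600)
    write(notes, "meeting notes", 3600)
    full_time = now - 1800                       # full backup ran 30 min ago
    full_manifest = run_backup(src, root / "full", "full", None, None)

    write(report, "quarterly report v2", 1200)   # edited after the full backup
    incr_time = now - 600                        # an incremental backup ran 10 min ago
    write(notes, "meeting notes, updated", 300)  # edited after that incremental

    incremental = rel(select_files(src, "incremental", full_time, incr_time))
    differential = rel(select_files(src, "differential", full_time, incr_time))

    # Damaged restore: one file missing, one file altered, both caught by the manifest.
    restored = root / "restore"
    shutil.copytree(root / "full", restored)
    (restored / "docs" / "notes.txt").unlink()
    (restored / "docs" / "report.txt").write_text("quarterly report v1 (truncated")
    problems = verify_restore(restored, full_manifest)
    shutil.rmtree(root)
    return {"full": sorted(full_manifest), "incremental": incremental,
            "differential": differential, "restore_problems": problems}
```

The incremental set contains only the file changed since the last incremental run, while the differential set contains everything changed since the last full backup, which is why a differential restore needs only the full backup plus the latest differential.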






For further reading on security logs, see the following web links:
https://www.owasp.org/index.php/Logging_Cheat_Sheet
https://www.sans.org/reading-room/whitepapers/logging/detecting-attacks-webapplications-log-files-2074
http://blog.hicube.in/2012/11/07/understanding-log-files-linux-server/






Trainer’s Handbook – Security Analyst SSC/N0902



SSC/N0902: Coordinate responses to information security incidents

UNIT I: Incident Response Overview
UNIT II: Incident Response – Roles and Responsibilities
UNIT III: Incident Response Process
UNIT IV: Handling Malicious Code Incidents
UNIT V: Handling Network Security Incidents






Unit Code: SSC/N0902

Unit Title (Task): Co-ordinate responses to information security incidents

Description: This unit is about playing a co-ordinating role in responding to information security incidents, liaising with members of the security team who carry out investigations and other stakeholders or business users.

Scope: This unit/task covers the following:

Information security incidents may cover:
• Identity and Access Management (IDAM)
• Physical security
• Networks (wired and wireless)
• Devices
• Endpoints/edge devices
• Storage devices
• Servers
• Software
• Application security
• Content management
• Messaging
• Web security
• Security of infrastructure
• Infrastructure devices (e.g. routers, firewall services)
• Computer assets, servers and storage networks
• Intrusion detection/prevention
• Security incident management
• Third party security management
• Personnel security requirements

Information security incidents may be raised:
• Automatically by tools and systems
• Manually by employees or business users

Appropriate people:
• Line manager
• Members of the security team
• Incident management group
• Subject matter experts

Performance Criteria (PC) w.r.t. the Scope
To be competent, you must be able to:
PC1. establish your role and responsibilities in co-ordinating responses to information security incidents.
PC2. record, classify and prioritize information security incidents using standard templates and tools.
PC3. access your organization's knowledge base for information on previous information security incidents and how these were managed.
PC4. assign information security incidents promptly to appropriate people for investigation/action.
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required.
PC6. track progress of investigations into information security incidents and escalate to appropriate people where progress does not comply with standards or service level agreements (SLAs).
PC7. prepare accurate preliminary reports on information security incidents using standard templates and tools.
PC8. submit preliminary reports promptly to appropriate people for action.
PC9. update the status of information security incidents following investigation/action using standard templates and tools.
PC10. obtain advice and guidance on co-ordinating information security incidents from appropriate people, where required.
PC11. update your organization's knowledge base promptly and accurately with information security incidents and how they were managed.
PC12. comply with your organization's policies, standards, procedures, guidelines and service level agreements (SLAs) when coordinating responses to information security incidents.

Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/organization and its processes)
You need to know and understand:
KA1. your organization's policies, procedures, standards, guidelines and service level agreements for responding to information security incidents.
KA2. the day-to-day operations, procedures and tasks relating to your area of work.
KA3. your organization's knowledge base and how to access and update the same.
KA4. limits of your role and responsibilities and who to seek guidance from, where required.
KA5. the purpose of managing information security incidents.
KA6. who to involve when investigating and coordinating responses to information security incidents and how to contact them.
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents.
KA8. the importance of keeping records and evidence relating to information security incidents.
KA9. the impact information security incidents can have on your organization.
KA10. different types of information security incidents and how to deal with them.
KA11. how to assign and escalate information on information security incidents.
KA12. different methods and techniques used when working with others.
KA13. standard tools and templates available and how to use them.
KA14. your organization's policies and procedures for sharing information on security incidents and the importance of complying with the same.
KA15. how to classify and prioritize information security incidents.

B. Technical Knowledge
You need to know and understand:
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security
KB2. routine operational procedures and tasks required to co-ordinate and respond to information security incidents.
KB3. different stages of incident management and your role in relation to these, including:
• identify
• contain
• cleanse
• recover
• close
KB4. how to identify and resolve information security vulnerabilities and incidents.
KB5. common issues and incidents of information security that may require action and who to report these to.
KB6. how to obtain and validate information related to information security issues.
KB7. how to prepare and submit information security reports and who to share these with.






THE UNITS
The module for this NOS is divided into five units based on the learning objectives as given below:

UNIT I: Incident Response Overview
1.1 Incident Response Overview
1.2 Handling Different Types of Information Security Incidents
1.3 Preparation for Incident Response and Handling

UNIT II: Incident Response Team – Roles and Responsibilities
2.1 Incident Response Team
2.2 Incident Response Team Dependencies

UNIT III: Incident Response Process
3.1 Incident Response Process

UNIT IV: Handling Malicious Code Incidents
4.1 Incident Handling Preparation
4.2 Incident Prevention
4.3 Detection of Malicious Code
4.4 Containment Strategy
4.5 Evidence Gathering and Handling
4.6 Eradication and Recovery

UNIT V: Handling Network Security Incidents
5.1 Network Reconnaissance Incidents
5.2 Denial of Service Attack Incidents
5.3 Unauthorized Access Incidents
5.4 Inappropriate Usage Incidents
5.5 Multiple Component Incidents






UNIT I: Incident Response Overview

This unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
1.1 Incident Response Overview
1.2 Handling Different Types of Information Security Incidents
1.3 Preparation for Incident Response and Handling






Lesson Plan

Outcomes
To be competent, you must be able to:
PC2. record, classify and prioritize information security incidents using standard templates and tools
PC3. access your organization's knowledge base for information on previous information security incidents and how these were managed
You need to know and understand:
KA5. the purpose of managing information security incidents
KA9. the impact information security incidents can have on your organization
KA10. different types of information security incidents and how to deal with these
KA14. your organization's policies and procedures for sharing information on security incidents and the importance of complying with these
KA15. how to classify and prioritize information security incidents
KB3. different stages of incident management and your role in relation to these, including: identify, contain, cleanse, recover, close

Performance Ensuring Measures
PC2, PC3: QA session and a descriptive write-up on understanding; group presentation and evaluation by faculty and groups.
KA1: QA session and a descriptive write-up on understanding.
KA5: Performance evaluation from faculty and industry with reward points.
KA9: QA session and a descriptive write-up on understanding.
KA10: Classify the latest threats and vulnerabilities into the CIA triad. Classify various threats into the incident categories listed in the unit.
KA15: Group and faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
KA14, KB3: Group and faculty evaluation for highlighting the various parts of an incident response plan/tasks of incident management and their purpose, using live researched examples.

Duration (Hrs)
2 hr in-class presentations; 2 hr in-class assessment; 15 hrs offline research and learning activity.

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Projection facilities
• Labs availability (24/7)
• Internet with WiFi (min 2 Mbps dedicated)






Suggested Learning Activities

Activity 1: Ask the students to research various types of information security incidents on the internet and populate the various categories of incidents mentioned in the unit with examples of each. Let them present a few details of these incidents if possible.

Activity 2: Ask the students to visit various company sites, find their incident response plans and list out the various components of each.

Activity 3: Divide the students into groups and ask them to create an incident response plan for the training institute and modify it as they progress through this module.






Training Resource Material

1.1 Incident Response
An incident is a set of one or more security events or conditions that requires action and closure in order to maintain an acceptable risk profile.

Incidents
In the haystack of events, organizations must find the "needles" that are the security incidents. Events are isolated and disconnected, but incidents add the context that enables security administrators to gain understanding and take action. An incident can be defined as a set of events or conditions requiring response and closure. Incidents comprise not only the significant threats that jeopardize business and require intervention. They include more mundane situations that occur on a daily basis, and only threaten the business if no action is taken. Examples of these routine situations include "low and slow" port scans and some varieties of email worms. Most organizations face thousands of instances of the latter types of threats, together with the higher profile blended threats like Code Red, Nimda, and Klez. Besides attacks, known system vulnerabilities or discovered policy violations are also incidents that require a response in order to protect the business. When related events (e.g. attacks, vulnerabilities, and policy violations) are viewed together, the true nature (or type) of the incident becomes evident.

Incidents can be classified into:
• Malicious code
• Network reconnaissance
• Unauthorized access
• Inappropriate usage
• Multiple component

Introduction to Incident Handling and Response
Computer or information security incident response has become an important component of information technology (IT) security programs. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited and restoring IT services. Different types of information security incidents arise from:
• Peripheral devices such as external/removable media
• Attrition (brute force methods that compromise, degrade, or destroy systems, networks or services)
• Websites or web-based applications
• Email messages or attachments
• Improper usage of an organization's acceptable usage policies by an authorized user
• Loss or theft of equipment
• Other factors






These are explained in Units IV and V.

Impact of information security incidents:
• Functional impact (current and likely future negative impact on business functions)
• Information impact (effect on the confidentiality, integrity, and availability of the organization's information)
• Recoverability from the incident (time and types of resources that must be spent on recovering from the incident)

Organizations prioritize information security incidents based on the weightages they give to each of the above categories for a particular incident. For example, an organization that deals with massive amounts of personal identifying information (PII) might weight information impact more heavily than recoverability impact, while an emergency response agency might prioritize functional impact to ensure the continued delivery of emergency services.

Need for incident response
• a formal, focused, and coordinated approach to responding to incidents.
• to respond quickly and effectively when security breaches occur.
• to be able to use information gained during incident handling to better prepare for handling future incidents.
• to provide stronger protection for systems and data.
• to help deal properly with legal issues that may arise during incidents.
• to comply with law, regulations, and policy directing a coordinated, effective defense against information.

Goals of incident response
• adhere to the organization's mission, size, structure, and functions.
• formulate policy, plan, and procedure creation to counter adverse events.
• to provide stronger protection for systems and data.
• to minimize loss or theft of information and disruption of services.
• to respond quickly and effectively when security breaches occur.

How to identify an incident
• incident analysis hardware and software to identify an incident.
• appropriate incident handling communication means and facilities.
• incident analysis resources to identify an incident.
• incident mitigation software to identify an incident.
• different response strategies to identify incidents through attack vectors, such as external/removable media, attrition, web, email, impersonation, improper usage by the organization's authorized users, loss or theft of equipment and others beyond the scope of those mentioned above.






Two main types of signs of an incident are:
• Precursor: a sign that an incident may occur in the future.
• Indicator: a sign that an incident may have occurred or may be occurring now.

Signs of security incident
Some of the common signs of a security incident are:
• web server log entries that show the usage of a vulnerability scanner.
• announcement of a new exploit that targets a vulnerability of the organization's mail server.
• threat from a group stating that it will attack the organization.
• network intrusion detection sensor alerts when a buffer overflow attempt occurs against a database server.
• antivirus software alerts when it detects that a host is infected with malware.
• system administrator sees a file name with unusual characters.
• host records an auditing configuration change in its log.
• application logs multiple failed login attempts from an unfamiliar remote system.
• email administrator sees a large number of bounced emails with suspicious content.
• network administrator notices an unusual deviation from typical network traffic flows.

Incident Information
One can get information about incidents from various sources:
• Alerts: reviewing alerts based on supporting data from sources such as Intrusion Detection and Prevention Systems (IDPS); Security Information and Event Management (SIEM) alerts; antivirus and anti-spam software; file integrity checking software; third-party monitoring services etc.
• Logs: analyzing logs from sources such as operating system, service and application logs and network device logs in correlation with event information.
• Network flow: using routers and other networking devices to provide information and locate anomalous network activity caused by malware, data exfiltration and other malicious acts.
• Publicly Available Information: updating and integrating new vulnerabilities and exploits published by authorized agencies such as the National Vulnerability Database (NVD).
• People: validating reports registered by users, system administrators, network administrators, security staff, other people within the organization and reports originating from external sources or parties.
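As an added example (not from the handbook), the Python below runs two of the signs listed above as detections over constructed log lines: vulnerability scanner activity in a web server log, treated as a precursor, and repeated failed logins from an unfamiliar remote system, treated as an indicator. It then groups signs by source, illustrating the earlier point that related events viewed together reveal the nature of an incident; the log lines, addresses, known-host list and threshold are all constructed.

```python
"""Added example (not from the handbook): detecting two of the listed signs in
constructed log lines and correlating them by source address."""
import re
from collections import Counter, defaultdict

# Constructed sample logs (addresses from the RFC 5737 documentation ranges).
WEB_LOG = """\
198.51.100.7 - - [10/Mar/2015:09:12:01 +0530] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2015:09:12:05 +0530] "GET /cgi-bin/test.cgi HTTP/1.1" 404 211 "-" "Nikto/2.1.5"
203.0.113.45 - - [10/Mar/2015:09:12:06 +0530] "GET /admin/ HTTP/1.1" 404 211 "-" "Nikto/2.1.5"
"""
AUTH_LOG = """\
Mar 10 09:15:01 app01 sshd[2211]: Failed password for root from 203.0.113.45 port 40122 ssh2
Mar 10 09:15:03 app01 sshd[2211]: Failed password for root from 203.0.113.45 port 40123 ssh2
Mar 10 09:15:05 app01 sshd[2211]: Failed password for admin from 203.0.113.45 port 40124 ssh2
Mar 10 09:15:09 app01 sshd[2215]: Failed password for bob from 10.0.0.12 port 50111 ssh2
Mar 10 09:15:20 app01 sshd[2219]: Accepted password for bob from 10.0.0.12 port 50112 ssh2
"""

KNOWN_HOSTS = {"10.0.0.12"}                              # constructed: the admin workstation
SCANNER_AGENTS = ("nikto", "nessus", "nmap", "sqlmap")   # User-Agent fragments of common scanners
FAILED_LOGIN_THRESHOLD = 3                               # constructed threshold

# Combined-format access log line, and an sshd failure line.
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
AUTH_RE = re.compile(r'Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')


def find_scanner_activity(web_log):
    """Precursor: web server log entries whose User-Agent names a vulnerability scanner."""
    hits = []
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m and any(sig in m.group("agent").lower() for sig in SCANNER_AGENTS):
            hits.append({"ip": m.group("ip"), "agent": m.group("agent"),
                         "request": m.group("request")})
    return hits


def find_failed_login_bursts(auth_log, known_hosts=KNOWN_HOSTS,
                             threshold=FAILED_LOGIN_THRESHOLD):
    """Indicator: at least `threshold` failed logins from a source not in known_hosts."""
    failures, users = Counter(), defaultdict(set)
    for line in auth_log.splitlines():
        m = AUTH_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            users[m.group("ip")].add(m.group("user"))
    return [{"ip": ip, "failures": n, "users": sorted(users[ip])}
            for ip, n in sorted(failures.items())
            if n >= threshold and ip not in known_hosts]


def collect_signs(web_log=WEB_LOG, auth_log=AUTH_LOG):
    """Return (kind, description, source ip) tuples for every sign found."""
    signs = [("precursor", "vulnerability scanner seen in web server log", h["ip"])
             for h in find_scanner_activity(web_log)]
    signs += [("indicator", "%d failed logins from unfamiliar remote system" % b["failures"], b["ip"])
              for b in find_failed_login_bursts(auth_log)]
    return signs


def correlate(signs):
    """Group signs by source: a source carrying more than one distinct sign is the
    'related events viewed together' case that reveals the incident's nature."""
    by_source = defaultdict(set)
    for kind, desc, ip in signs:
        by_source[ip].add((kind, desc))
    return {ip: sorted(s) for ip, s in by_source.items() if len(s) > 1}
```

With the constructed logs, the same source shows up both as a scanner precursor and as a failed-login indicator, which is what would push this from a routine event to an incident worth recording and prioritizing.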






1.2 Handling Different Types of Information Security Incidents

Handling incidents
There are five important incident handling phases:
• Preparation: establishing and training an incident response team, and acquiring the necessary tools and resources.
• Detection and analysis: detecting security breaches and alerting the organization during any imminent attack.
• Containment: mitigating the impact of the incident by containing it.
• Eradication and recovery: carrying out the detection and analysis cycle to eradicate the incident and ultimately initiate recovery.
• Post-incident activity: preparing a detailed report of the cause and cost of the incident and future preventive measures against similar attacks.
This is similar to the tasks contained within incident management plans: identify, contain, cleanse, recover, close.
Organizations should have a plan to respond to various types of incidents, detailing the various aspects of incident handling including the above.

Incident response plan
An Incident Response Plan is an organization's foundation for a formal, focused and coordinated approach to incident response. It provides a roadmap for implementing an incident response program based on the organization's policy.

Purpose of incident response plan
The objective of instating an incident response plan is to provide the roadmap for implementing the incident response capability. The incident response plan acts as a defence mechanism against hackers, malware, human error and a series of other security threats.

Requirements of incident response plan
The intervention of an incident response plan can be the structure for building an organization's incident response capability. Emphasis on computing security policies and practices is a main objective of most organizations in their overall risk management strategies. Elements recommended as important to an incident response plan are:
• the organization's mission towards the plan
• the organization's strategies and goals, to determine the structure of the incident response capability
• senior management approval of the structuring of the proposed plan
• the organizational approach to incident response
• the incident response team's communication with the rest of the organization and with other organizations
• metrics for measuring the incident response capability and its effectiveness
• a roadmap for maturing the incident response capability (regular reviews, audits and tests etc.)
• how the program fits into the overall organization.

Incident response plan checklist
Developing an incident response plan checklist can minimize the threat of security breaches in the form of attacks on websites and servers, or the inadvertent leakage of shared sensitive data etc. Instating a structure that ensures the latest developments are captured, understood, evaluated as threats to the business, documented and distributed will help ensure an effective incident response. An incident response plan checklist should be an amalgamation of the following key practices:
• organize both short and long-term goals for the program, including metrics for measuring the program.
• highlight incident handlers' training needs and other technical requirements.
• ensure existing and new cyber technologies are adequately addressed in policies and procedures.
• conduct regular reviews, audits and tests to protect against security breaches.
• classify business data in order of its sensitivity and security requirements.
• select an appropriate incident response team structure.
• comply with security-related incident regulations and law enforcement procedures.






1.3 Preparation for Incident Response and Handling 



Create a core team



Integrity of business security demands the presence of an effective incidence response team and the latter can be achieved through the selection of appropriate structure and staffing models. Typically, a designated incident response team or personnel function as the first point of contact (POC) in a situation involving security breach in an organization. The incident handlers may then analyse the incident data, determine the impact of the incident, and act appropriately to limit the damage and restore normal services. The incident response team’s success depends on the participation and cooperation of individuals throughout the organization. Therefore, an organization must create a core team, identify suitable individuals, discuss incident response team models, and provide advice on selecting an appropriate model. A team model may be based on the following models:  Central Security Incident Response team: a functional model for small organizations with limited or no geographic presence wherein a single incident response team handles core security computing.  Distributed Security Incident Response team: this model is effective for large organizations (e.g. one team per division) and for organizations with major computing resources at distant locations (e.g. one team per geographic region, one team per major facility).  Coordinating team: an incident response team provides advice to other teams without having authority







over those teams. For example, a department wise team may assist individual agencies’ teams and it is almost modelled as a CSIRT for CSIRTs. Create tool kit, systems and instrumentation: a jumpkit is a portable case instrumental to incident response teams and it contains items such as laptop, appropriate software such as packet sniffers, digital forensics, back up devices, blank media etc.



Listed below is a range of tool kits, systems and instrumentation that may be useful in an incident response:
 Incident handler communications and facilities: these may include contact information of team members and others within and outside the organization; an on-call information matrix; incident reporting mechanisms such as phone numbers, email addresses and online forms; incident tracking systems; smartphones for round-the-clock communication; encryption software for internal team members; a secure storage facility for incident materials etc.
 Incident analysis hardware and software: digital forensic workstations and/or backup devices to create disk images, preserve log files and save other relevant incident data; laptops; spare workstations, servers and networking equipment, or their virtualized equivalents, for storing and trying out malware; blank removable media; packet sniffers and protocol analyzers; digital forensic software; evidence-gathering accessories such as digital cameras, audio recorders, chain of custody forms etc.
 Incident analysis resources: port lists, including commonly used ports and Trojan horse ports; documentation for OSs, applications, protocols etc.; network diagrams and lists of critical assets such as database servers; current baselines of expected network, system and application activity; cryptographic hashes of critical files to speed incident analysis, verification and eradication.
 Incident mitigation software: access to images of clean OS and application installations for restoration and recovery purposes.
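As an added illustration of the last resource above (cryptographic hashes of critical files), the following Python script is not part of the handbook. It records a baseline of SHA-256 digests for a constructed set of files in a temporary directory, then re-verifies the files after a simulated change so that the handler can see at once which files were modified or removed. The file names and contents are constructed for the example.

```python
"""Baseline and verify cryptographic hashes of critical files.

Added example for the handbook's point that keeping hashes of critical
files speeds up incident analysis, verification and eradication. Not part
of the handbook; the file set below is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Return the hex digest of a file, read in chunks so large files fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, relative_paths) -> dict:
    """Record the digest of each critical file, keyed by path relative to root."""
    return {rel: hash_file(root / rel) for rel in relative_paths}


def verify_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current state of the files against the baseline.

    Returns a report with three lists: 'unchanged', 'modified' and 'missing'.
    A modified entry means the file content no longer matches the known-good
    digest; a missing entry means the file was deleted or renamed.
    """
    report = {"unchanged": [], "modified": [], "missing": []}
    for rel, expected in baseline.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif hash_file(path) != expected:
            report["modified"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline three files, then change one and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for critical files (names and contents are illustrative).
        files = {
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
            "usr/bin/ls": b"\x7fELF constructed placeholder binary",
        }
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)

        baseline = build_baseline(root, files)
        # A real baseline is stored off-host; here it is round-tripped through JSON.
        stored = json.loads(json.dumps(baseline))

        # Simulated post-incident state: one config weakened, one binary removed.
        (root / "etc/ssh/sshd_config").write_bytes(b"PermitRootLogin yes\n")
        os.remove(root / "usr/bin/ls")

        return verify_baseline(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be taken from a known-clean system and kept where a compromised host cannot alter it (the handbook's point about storing incident materials securely applies here too); a digest comparison is only as trustworthy as the copy it is compared against.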



Table-Top Exercise for Incident Response (IR) for XYZ Organization:

IR Lifecycle Stage | Summary of Incident Activities

Preparation
 Provide training and awareness for all individuals in recognizing anomalous behavior and specific reporting requirements for suspected breaches of an
 Gather contact information for incident handlers;
 Gather hardware and software needed for technical analysis; and
 Perform evaluations, such as tabletop exercises, of the IR capability.

Detection and Analysis
 Monitor information system protection mechanisms and system logs.
 Investigate reports of suspected XYZ breaches from agency individuals.
 Notify the Security Director and the System Administrator immediately, but no later than 24 hours after identification of a possible issue involving XYZ asset information.

Containment
 Choose and implement a strategy for preventing further information loss based on the level of risk to the information.
 Gather and preserve technical evidence, if applicable.

Eradication
 Eliminate components of the incident, such as deleting malicious code and disabling breached user accounts, if applicable.

Recovery
 Restore systems via appropriate technical actions such as restoring from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security.






Sample Incident Response Evaluation Scenarios

XYZ Breach Scenario
 Through a routine evaluation of system logs, a system administrator discovers that XYZ’s data has been exfiltrated from the system by an unauthorized user account.
 A remote user has lost his/her laptop. The user’s job function required that XYZ’s information be stored on the laptop.
 After a recent office move, it is discovered that a locked cabinet containing XYZ’s information is missing.



Tabletop Exercise Objectives
 Determine the actions that would help prevent this type of incident (preparation).
 Determine the controls in place that would help identify this incident, along with procedures on how to report the incident (detection and analysis).
 How to prevent further damage (containment).
 How to clean the system (eradication).
 How to restore the system in a secure manner (recovery).






UNIT II Incident Response - Roles and Responsibilities



This unit covers:
 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
2.1. Incident Response Team
2.2. Incident Response Team Dependencies






Lesson Plan

Outcomes
To be competent, you must be able to:
PC1. establish your role and responsibilities in co-ordinating responses to information security incidents
PC4. assign information security incidents promptly to appropriate people for investigation/action
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
PC10. obtain advice and guidance on coordinating information security incidents from appropriate people, where required

Performance Measures (Ensuring Outcomes)
1. Identify and access sources for standard checklists, guidelines and templates for carrying out different types of audits

Duration (Hrs)
2 hrs

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)

Outcomes
You need to know and understand:
KA4. limits of your role and responsibilities and who to seek guidance from where required
KA6. who to involve when investigating and co-ordinating responses to information security incidents and how to contact them
KA11. how to assign and escalate information on information security incidents
KA12. different methods and techniques used when working with others
KB5. common issues and incidents of information security that may require action and who to report these to
KB6. how to obtain and validate information related to information security issues
KB7. how to prepare and submit information security reports and who to share these with

Performance Measures (Ensuring Outcomes)
KA4. Peer group, Faculty group and Industry experts.
KA6. Performance evaluation from Faculty and Industry with reward points.
KA11. Online exam and reward points based on reviews from the forums.
KA12. Faculty and peer review.
KB5, KB6, KB7. Going through the security standards over the Internet by visiting sites like ISO, PCI DSS etc., and understanding the various methodologies and usage of algorithms. Learn about the CIA triad relating to the latest threats and vulnerabilities.

Duration (Hrs)
4 hrs classroom session and 2 hrs research

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security
 Security Templates from ITIL, ISO






Suggested Learning Activities

Activity 1: Ask students to research the websites of various companies to understand their Information Security Incident plan and the team involved, including roles and responsibilities for the various teams and personnel. Let them come and present the same in class.

Activity 2: Ask students to research various external service providers and services that support the incident team in the organisation in responding to information security incidents.






Training Resource Material

2.1 Incident Response Team

Incident response team members
A single employee, with one or more designated alternates, should be in charge of incident response. In a fully outsourced model, this person oversees and evaluates the outsourcer’s work. All other models generally have a team manager and one or more deputies who assume authority in the absence of the team manager. Every team member should have good problem solving skills and critical thinking abilities.



Incident response team: roles and responsibilities
An incident response team member should possess technical skills, such as system administration, network administration, programming, technical support or intrusion detection. An incident response team should be a combination of members skilled in the area of technology (e.g. operating systems and applications) and other technical areas such as network intrusion detection, malware analysis or forensics.



Roles and responsibilities
A team member in an incident response unit is expected to have a basic understanding of the technologies used and their applications. The individual should be capable of comprehending and handling the following aspects of security incidents:
 the type of incident activity that is being reported or seen by the community.
 the way in which incident response team services are being provided (the level and depth of technical assistance provided to the constituency).
 the responses that are appropriate for the team (e.g. what policies and procedures or other regulations must be considered or followed while undertaking the response).
 the level of authority the incident response team has in taking any specific actions when applying technical solutions to an incident reported to the incident response team.

Developing skills in incident response personnel
 maintain, enhance and expand proficiency in technical areas and security disciplines as well as less technical topics such as the legal aspects of incident response.
 incentivize participation in staff conferences.
 promote deeper technical understanding.
 engage an external technical knowledge facilitator with deep technical knowledge in needed areas to impart learning and development.
 provide opportunities to perform other tasks in non-functional areas.
 rotate staffing of members across functions to gain new technical skills.
 create a mentoring program to enable senior technical staff to help less experienced staff learn incident handling.
 develop incident handling scenarios and conduct team discussions.



Incident response team structure
After successfully selecting a functional core team, it is best that team members be further integrated and modelled into appropriate staffing based on the magnitude of incident response and the size of the organization. The three types of staffing methods are:
 In-house employees
 Partially outsourced
 Fully outsourced

An organization must therefore consider the following factors before selecting an appropriate incident response team structure:
 The need for 24/7 availability: real-time availability is considered one of the best options for incident response because the longer an incident lasts, the more potential there is for damage and loss.
 Full-time versus part-time team members: organizations with limited funding, staffing or incident response needs may have only part-time incident response team members, serving as more of a virtual incident response team. An existing group such as the IT help desk can act as a first POC for incident reporting and perform the initial investigation and data collection.
 Employee morale: segregate administrative work and core incident response to minimize stress on employees and to help boost morale.
 Cost: provide sufficient funding for training and skills development of incident response team members, as the area of work demands broader knowledge of IT.
 Staff expertise: incident handling requires specialized knowledge and experience in several technical areas. The breadth and depth of knowledge required varies based on the severity of the organization’s risks.

Outsourced
 In the case of outsourced work, the organization must consider not only the current quality (breadth and depth) of the outsourcer’s work, but also efforts to ensure the quality of future work.
 Document the line of work or authority of outsourced incident response work appropriately and ensure that actions for these decision points are handled.
 Divide incident response responsibilities and restrict access to sensitive information.
 Provide regularly updated documents that define what incidents the outsourcer is concerned about.
 Create correlation among multiple data sources.
 Maintain basic incident response skills in-house.






2.2 Incident Response Team Dependencies
It is important to identify other groups within the organization and rely on the expertise, judgment and abilities of others, including: management, which establishes the incident response policy, budget and staffing; information security staff members during certain stages of incident handling (prevention, containment, eradication and recovery); IT technical experts (system and network administrators); legal departments, to review plans, policies, documents etc.; public affairs; media relations; human resources; business continuity planning; physical security and facilities management.

Different methods and techniques used when working with others

Incident response team services
The main focus of an incident response team is performing incident response; however, it may also provide the following services:
 Intrusion detection: the incident response team analyzes incidents more quickly and accurately, based on the knowledge it gains of intrusion detection technologies.
 Advisory distribution: the team may also issue advisories within the organization regarding new vulnerabilities and threats through automated methods.
 Education and awareness: promote education and awareness among users and technical staff about detecting, reporting and responding to incidents through means such as workshops, websites, newsletters, and posters and stickers on monitors and laptops.
 Information sharing: manage the organization’s incident information sharing efforts.



Defining the relationship between incident response, incident handling, and incident management
Incident response means responding to computer security incidents systematically, by following a consistent incident handling methodology, so that the appropriate actions are taken in a timely manner. It is a mechanism to minimize loss or theft of information and disruption of services caused by incidents. Incident handling refers to the several phases of the incident response process, i.e. preparation, detection and analysis, containment, eradication and recovery, and post-incident activity, required for adequate handling of an incident. Incident management is a term used to describe the overall computing security management needed to detect the occurrence of an incident, initiate and handle an incident response, and prevent any future recurrence.






Routine operational procedures and tasks required to co-ordinate and respond to information security incidents
 Prepare to handle incidents.
 Use incident analysis hardware and software.
 Use incident analysis resources.
 Use incident mitigation software.
 Management is responsible for coordinating incident response among various stakeholders, minimizing damage, and reporting to Congress, OMB, the General Accounting Office (GAO), and other parties.
 Information security staff members may be needed during certain stages of incident handling (prevention, containment, eradication and recovery), for example to alter network security controls (e.g. firewall rule sets).
 IT technical experts (e.g. system and network administrators) can ensure that the appropriate actions are taken for the affected system, such as whether to disconnect an attacked system.
 Coordinate with relevant legal experts to review incident response plans, policies and procedures to ensure their compliance with law and federal guidance, including the right to privacy.
 Coordinate with and inform the media and, by extension, the public.
 Ensure that incident response policies and procedures and business continuity processes are in sync.
 Coordinate with Physical Security and Facilities Management to access facilities during incident handling.

A part of outlining the incident response framework involves the identification of IR Severity Levels. These levels will help the team understand the severity of an event and will govern the team’s response. Some suggestions for these levels are the following:



SEVERITY LEVEL | LEVEL OF BUSINESS IMPACT | RESOLUTION EFFORT REQUIRED
SEVERITY 1     | LOW                      | LOW EFFORT
SEVERITY 2     | MODERATE                 | MODERATE EFFORT
SEVERITY 3     | HIGH                     | EXTENSIVE, ONGOING EFFORT
SEVERITY 4     | SEVERE                   | DISASTER RECOVERY INVOKED






Start to create a documented action script that will outline your response steps so your IR Manager can follow them consistently. Your script should show steps similar to the following:

STEP # | ACTION
1      | Incident announced
2      | IR Manager alerted
3      | IR Manager begins information gathering from affected site
4      | IR Manager begins tracking and documentation of incident
5      | IR Manager invokes Assessment Team (details of call bridge or other communication mechanism)
6      | Assessment Team reviews details and decides on Severity Level of incident.
7      | IF SEV 1 = PROCEED TO STEP #11.0
8      | IF SEV 2 = PROCEED TO STEP #12.0
9      | IF SEV 3 = PROCEED TO STEP #13.0
10     | IF SEV 4 = PROCEED TO STEP #14.0

FOR SEVERITY LEVEL 1 – Proceed with following sequence
11.0   | Determine attack vectors being used by threat
11.1   | Determine network locations that are impacted
11.2   | Identify areas that fall under “Parent Organization”
11.3   | Identify systems or applications that are impacted

FOR SEVERITY LEVEL 2 – Proceed with following sequence
12.0   | Determine attack vectors being used by threat
12.1   | Alert Incident Officer to Severity 2 threat



References: Students are encouraged to read more on Roles and Responsibilities in the IR team of any organization from the following references.
 http://www.cert.org/csirts/Creating-A-CSIRT.html
 http://www.cert.org/csirts/Creating-A-CSIRT.html#practices
 O’Reilly Incident Response – Kenneth R. vanWyk and Richard Forno
 http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf






UNIT III Incident Response Process



This unit covers:
 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
3.1 Incident Response Process






Lesson Plan

Outcomes
To be competent, you must be able to:
PC2. record, classify and prioritize information security incidents using standard templates and tools
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
PC6. track progress of investigations into information security incidents and escalate to appropriate people where progress does not comply with standards or service level agreements (SLAs)
PC7. prepare accurate preliminary reports on information security incidents using standard templates and tools
PC8. submit preliminary reports promptly to appropriate people for action
PC9. update the status of information security incidents following investigation/action using standard templates and tools

Performance Measures (Ensuring Outcomes)
1. QA session and a descriptive write-up on understanding.
2. Group presentation and peer evaluation along with Faculty.
3. Performance evaluation from Faculty and Industry with reward points.
4. Written assignment of incident report prepared.

Duration (Hrs)
4 Hrs classroom

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security
 Security Templates from ITIL, ISO
 Projection facilities

Outcomes
You need to know and understand:
KA1. your organization’s policies, procedures, standards, guidelines and service level agreements for responding to information security incidents
KA2. the day-to-day operations, procedures and tasks relating to your area of work
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents
KA8. the importance of keeping records and evidence relating to information security incidents
KA13. standard tools and templates available and how to use these
KA14. your organization’s policies and procedures for sharing information on security incidents and the importance of complying with these
KA15. how to classify and prioritize information security incidents
KB6. how to obtain and validate information related to information security issues
KB7. how to prepare and submit information security reports and who to share these with

Performance Measures (Ensuring Outcomes)
KA1. QA session and a descriptive write-up on understanding.
KA2. Group presentation and peer evaluation along with Faculty.
KA7, KA8. Performance evaluation from Faculty and Industry with reward points.
KA13. Creation of templates based on the learnings.
KB1 – KB7:
1. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.
2. Classify the latest threats and vulnerabilities into the CIA triad.

Duration (Hrs)
4 Hours classroom and 10 hrs research

Work Environment / Lab Requirement
 PCs/Tablets/Laptops
 Labs availability (24/7)
 Internet with WiFi (Min 2 Mbps Dedicated)
 Access to all security sites like ISO, PCI DSS, Center for Internet Security
 Security Templates from ITIL, ISO



Suggested Learning Activities

Activity 1: Ask the class to research the internet and collect ideas and templates on incident report forms and formats. Meet with industry if possible to understand the usage and applicability of these.

Activity 2: Divide the students into groups and ask them to prepare an incident report, using the templates available, for your training institute. Highlight the sources of information for the various parts of the report.

Activity 3: Provide students with a list of types of companies/organisations and the different kinds of data available within these. Ask students to prioritize the various types of data using the various considerations stated in the unit.






Training Resource Material

3.1 Incident Response Process

Step 1: Identification

Obtaining and validating information related to information security issues
In incident handling, detection may be the most difficult task. Incident response teams in an organization are equipped to handle security incidents using well-defined response strategies beginning with information gathering. Preparing a list of the most common attack vectors, such as external/removable media, web, email, impersonation, improper use by authorized users etc., can narrow the choice down to the most appropriate incident handling procedure. Therefore, it is important to validate each incident using defined standard procedures and to document each step taken accurately.

Common issues and incidents of information security that may require action and whom to report to
An indicator may not always translate into a security incident, given the possibility of technical faults due to human error in cases such as a server crash or modification of critical files. Determining whether a particular event is actually an incident is sometimes a matter of judgment. It may be necessary to collaborate with other technical and information security personnel to make a decision. Therefore, incident handlers need to report the matter to highly experienced and proficient staff members who can analyse the precursors and indicators effectively and take appropriate actions.



Mentioned below are some of the means to conduct initial analysis for validation:
 Profiling networks and systems in order to measure the characteristics of expected activity so that changes to it can be more easily identified; profiling is one of several detection and analysis techniques.
 Studying networks, systems and applications to understand what their normal behavior is so that abnormal behavior can be recognized more easily.
 Creating and implementing a log retention policy that specifies how long log data should be maintained; this may be extremely helpful in analysis because older log entries may show reconnaissance activity or previous instances of similar attacks.
 Correlating events using evidence of an incident captured in several logs, where each may contain different types of data: a firewall log may have the source IP address that was used, whereas an application log may contain a username.
 Synchronizing host clocks using protocols such as the Network Time Protocol (NTP) so that the time of an attack is recorded consistently across systems.
 Maintaining and using a knowledge base of information that handlers need for quick reference during incident analysis.
 Using internet search engines for research to help analysts find information on unusual activity.
 Running packet sniffers to collect additional data; recording only traffic that matches specified criteria should keep the volume of data manageable and minimize the inadvertent capture of other information.
 Filtering the data to segregate categories of indicators that tend to be insignificant.
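The following Python script is an added example, not part of the handbook, illustrating two of the points in the list above: correlating a firewall log (which carries the source IP) with an application log (which carries the username), and normalising timestamps recorded on differently configured clocks to UTC before ordering events. Both log samples are constructed for the example, and their line formats are assumptions; real logs would need their own parsers.

```python
"""Correlate a firewall log with an application log during incident analysis.

Added example, not from the handbook. The firewall log records the source
IP; the application log records the username. Joining them on the IP and a
time window gives the analyst a single UTC timeline with both facts.
Both samples are constructed; the line formats are assumptions.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed firewall log: ISO-8601 timestamps with an explicit UTC offset.
FIREWALL_LOG = """\
2015-03-02T09:58:10+00:00 ACCEPT src=203.0.113.45 dst=10.0.0.12 dport=443
2015-03-02T10:01:42+00:00 ACCEPT src=203.0.113.45 dst=10.0.0.12 dport=443
2015-03-02T10:03:05+00:00 ACCEPT src=198.51.100.7 dst=10.0.0.12 dport=443
2015-03-02T10:09:30+00:00 DROP src=203.0.113.45 dst=10.0.0.25 dport=22
"""

# Constructed application log: local time (UTC+05:30) in a different layout.
APP_LOG = """\
2015-03-02 15:31:50 +0530 user=alice ip=203.0.113.45 event=login_failed
2015-03-02 15:32:02 +0530 user=alice ip=203.0.113.45 event=login_failed
2015-03-02 15:32:15 +0530 user=alice ip=203.0.113.45 event=login_ok
2015-03-02 15:33:11 +0530 user=bob ip=198.51.100.7 event=login_ok
2015-03-02 15:34:40 +0530 user=alice ip=203.0.113.45 event=export_report
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
APP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)


def parse_firewall(text: str) -> list[dict]:
    """Parse firewall lines; timestamps are normalised to UTC."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"]).astimezone(timezone.utc)
        d["source"] = "firewall"
        events.append(d)
    return events


def parse_app(text: str) -> list[dict]:
    """Parse application lines; the +0530 local offset is converted to UTC."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
        d["source"] = "app"
        events.append(d)
    return events


def correlate_by_ip(fw_events, app_events, ip: str, window: timedelta) -> list[dict]:
    """Build one UTC-ordered timeline for a source IP.

    Every firewall event from `ip` is kept; every application event from the
    same IP that falls within `window` of any of those firewall events is
    joined to it, supplying the username the firewall log alone cannot give.
    """
    fw_hits = [e for e in fw_events if e["src"] == ip]
    timeline = list(fw_hits)
    for a in app_events:
        if a["ip"] != ip:
            continue
        if any(abs(a["ts"] - f["ts"]) <= window for f in fw_hits):
            timeline.append(a)
    return sorted(timeline, key=lambda e: e["ts"])


def build_timeline(ip: str, window_minutes: int = 10) -> list[dict]:
    """Timeline for one indicator IP over the constructed sample logs."""
    window = timedelta(minutes=window_minutes)
    return correlate_by_ip(parse_firewall(FIREWALL_LOG), parse_app(APP_LOG), ip, window)


def users_seen_from(ip: str, window_minutes: int = 10) -> set[str]:
    """Which accounts were used from the indicator IP within the window?"""
    return {e["user"] for e in build_timeline(ip, window_minutes) if e["source"] == "app"}


if __name__ == "__main__":
    for e in build_timeline("203.0.113.45"):
        print(e["ts"].isoformat(), e["source"], e.get("user", ""), e.get("event", e.get("action")))
```

Note that the two logs disagree by five and a half hours in their raw timestamps; without the offset handling, the application events would appear to follow the firewall events by hours and the window join would find nothing. That is the practical reason for the NTP point above.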



Step 2: Incident recording

Incident record samples and template
The following useful information is to be included in an incident record template:
 Current status of the incident (new, in progress, forwarded for investigation, resolved etc.)
 Summary of the incident
 Indicators related to the incident
 Other incidents related to this incident
 Actions taken by all incident handlers on this incident
 Chain of custody, if applicable
 Impact assessments related to the incident
 Contact information for other involved parties (system owners, system administrators etc.)
 List of evidence gathered during the incident investigation
 Comments from incident handlers
 Next steps to be taken (rebuild the host, upgrade an application etc.)

Step 3: Initial response

Any occurrence of an incident must be recorded, and the incident response team should update the status of incidents along with other pertinent information. Observations and facts about the incident may be stored in sources such as a logbook, laptops, audio recorders, digital cameras etc.

Commence the initial response to an incident based on the type of incident, the criticality of the resources and data that are affected, the severity of the incident, existing Service Level Agreements (SLAs) for affected resources, the time and day of the week, and other incidents that the team is handling. Generally, the highest priority is handling incidents that are likely to cause the most damage to the organization or to other organizations.

Step 4: Communicating the incident

Documenting system events, conversations and observed changes in files can lead to more efficient, more systematic and error-free handling of the problem. Using an application or a database, such as an issue tracking system, helps ensure that incidents are handled and resolved in a timely manner.

The incident should be communicated following the appropriate procedures through the organization’s points of contact (POC) for reporting incidents internally. Therefore, it is important for an organization to structure its incident response capability so that it is clear which incidents are reported directly to the incident response team and which go through existing support structures.

Assigning and escalating information on information security incidents
Organizations should also establish an escalation process for those instances when the team does not respond to an incident within the designated time. This can happen for many reasons; for example, cell phones may fail or people may have personal emergencies. The escalation process should state how long a person should wait for a response and what to do if no response occurs. On failure to respond within the stipulated time, the incident should be escalated again to a higher level of management.
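The escalation rule just described (wait a stated time for a response, then hand the incident to the next level, and repeat until someone acknowledges it) is easy to get wrong when done by hand. The following Python function is an added example, not the handbook's own procedure; the escalation chain, the wait times and the assignment time T0 are constructed assumptions that an organization would replace with its own policy values.

```python
"""Escalation chain for an unacknowledged incident assignment.

Added example, not from the handbook. Each level in the chain has a fixed
time to respond; when it lapses without acknowledgement the incident moves
to the next level, and this repeats until the chain is exhausted. Chain,
wait times and timestamps are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

# Assumed escalation chain: (role, how long to wait for that role to respond).
ESCALATION_CHAIN = [
    ("on-call handler", timedelta(minutes=15)),
    ("incident response team lead", timedelta(minutes=30)),
    ("head of information security", timedelta(hours=1)),
]

# Constructed assignment time; all times are kept in UTC to avoid clock ambiguity.
T0 = datetime(2015, 3, 2, 10, 0, tzinfo=timezone.utc)


def at(minutes: int) -> datetime:
    """Helper: a point in time `minutes` after the constructed assignment time."""
    return T0 + timedelta(minutes=minutes)


def escalation_history(assigned_at, now, acknowledged_at=None, chain=ESCALATION_CHAIN):
    """Replay the escalation chain from assignment up to `now`.

    Returns one entry per level the incident has passed through, each with
    the role, the period it held the incident, and a status of
    'acknowledged' (a response arrived before that level's deadline),
    'pending' (deadline not yet reached) or 'timed out'. If every entry is
    'timed out', the chain is exhausted and management must be reached by
    other means.
    """
    history = []
    level_start = assigned_at
    for role, wait in chain:
        deadline = level_start + wait
        entry = {"role": role, "from": level_start, "deadline": deadline}
        if acknowledged_at is not None and acknowledged_at <= deadline:
            entry["status"] = "acknowledged"
            history.append(entry)
            return history
        if now < deadline:
            entry["status"] = "pending"
            history.append(entry)
            return history
        entry["status"] = "timed out"
        history.append(entry)
        level_start = deadline  # next level's clock starts when this one lapses
    return history


def holder_now(history) -> str:
    """The role that currently holds (or last held) the incident."""
    return history[-1]["role"]


def is_exhausted(history) -> bool:
    """True when every level in the chain has timed out without a response."""
    return all(e["status"] == "timed out" for e in history)


if __name__ == "__main__":
    for e in escalation_history(T0, at(50)):
        print(f"{e['role']:32} {e['from']:%H:%M}-{e['deadline']:%H:%M} {e['status']}")
```

The function is deliberately a pure replay over timestamps rather than a scheduler: the same call can be made from the incident tracking system at any time to show the current holder, and the returned history doubles as the record of who was notified and when, which the incident record template above asks for.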






This process should be repeated until the incident is successfully handled.

Step 5: Containment

Containment and Quarantine
Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so it is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making, where the situation may demand immediate action such as shutting down a system, disconnecting it from the network or disabling certain functions.

Understand network damage
Various containment strategies may be considered against the following criteria:
 Potential damage to and theft of resources
 Need for evidence preservation
 Service availability (network connectivity, services provided to external parties etc.)
 Time and resources needed to implement the strategy
 Effectiveness of the strategy (partial containment, full containment etc.)
 Duration of the solution (emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution etc.)

Identify and isolate the trust model

Quarantine
Handling an incident may necessitate strategies to contain the existing predicament; one such method is redirecting the attacker to a sandbox (a form of containment) so that the team can monitor the attacker’s activity, usually to gather additional evidence. Hence, once a system has been compromised, allowing the compromise to continue may help the attacker use the compromised system to attack other systems.

On the other hand, containment may give rise to another potential issue: some attacks may cause additional damage when they are contained. When the incident handler attempts to contain the incident by disconnecting the compromised host from the network, the subsequent pings will fail. As a result of the failure, the malicious process may overwrite or encrypt all the data on the host’s hard drive.

Network information systems are vulnerable to threats, and benign nodes are often compromised because of unknown, incomplete or distorted information while interacting with external sources. In this case, malicious nodes need to be identified and isolated from the environment. The solution to this insecurity can be found in the establishment of trust. A trust model can be formed based on characteristics such as the information sources used to compute trust, the most relevant and reliable information source, the experience of other members of the community etc.

Step 6: Formulating a response strategy

An analysis of the recoverability from an incident determines the possible responses that the team may take when handling the incident. An incident with a high functional impact and low effort to recover from is an ideal candidate for immediate action from the team. In situations involving high-end data infiltration and exposure of sensitive information, the incident response team may formulate a response by transferring the case to a strategic-level team. Each response strategy should be formulated based on the business impact caused by the incident and the estimated effort required to recover from the incident. Incident response policies should include provisions concerning incident reporting: at a minimum, what must be reported to whom and at what times. Parties to be included are the CIO, head of information security, local information security officer, other incident response teams within the organization, external incident response teams (if appropriate), system owner, human resources (for cases involving employees, such as harassment through email), public affairs etc.

Step 7: Incident classification

Classifying and prioritizing information security incidents

Incident prioritization
 Functional impact of the incident on the existing functionality of the affected systems, and the future functional impact of the incident if it is not immediately contained.
 Information impact of the incident, which may amount to information exfiltration, its impact on the organization’s overall mission, and the impact of exfiltration of sensitive information on other organizations if any of the data pertain to a partner organization.
 Recoverability from the incident, and how to determine the amount of time and resources that must be spent on recovering from that incident. The necessity of actually recovering from an incident must be carefully weighed against the value the recovery effort will create and any requirements related to incident handling.

An incident may be broadly classified based on common attack vectors such as external/removable media; attrition; web; email; improper usage; loss or theft of equipment; miscellaneous.



Incident classification guidelines and templates
Organizations should document their guidelines and templates to handle any incident, but should focus on being prepared to handle incidents that use common attack vectors. Capturing the attack pattern formally, with the required information, may help in understanding specific parts of an attack, how it is designed and executed; it provides the adversary’s perspective on the problem and the solution, and gives guidance on ways to mitigate the attack’s effectiveness. Such patterns can be used in:
 Requirements – identification of relevant security requirements, misuse and abuse cases.
 Architecture and design – providing context for architectural risk analysis and guidance for security architecture.
 Implementation and development – prioritizing and guiding review activities.
 Testing and quality assurance – providing context for appropriate risk-based and penetration testing.
 System operation – leveraging lessons learned from security incidents into preventative guidance.
 Policy and standard generation – guiding the identification of appropriate prescriptive organizational policies and standards.






Trainer’s Handbook – Security Analyst SSC/N0902



Incident prioritization guidelines and templates

Creating written guidelines for prioritizing incidents is a good practice and helps achieve effective information sharing within an organization. This step may also help in identifying situations that are of greater severity and demand immediate attention. An ideal template for incident prioritization should be formulated based on relevant factors such as the functional impact of the incident (e.g. current and likely future negative impact to business functions), the information impact of the incident (e.g. effect on the confidentiality, integrity and availability of the organization’s information) and the recoverability from the incident (e.g. the time and types of resources that must be spent on recovering from the incident).



Step 8: Incident investigation

One of the key tasks of an incident response team is to receive information on possible incidents, investigate them, and take action to ensure that the damage caused by the incidents is minimized.

Following up an incident investigation

In the course of the work, the team must adhere to the following procedures, as deemed appropriate to a given situation:
• receive the initial investigation and data gathering from IT help desk members and escalate to a high strategic-level specialist if the situation demands.
• use appropriate materials that may be needed during an investigation.
• become acquainted with various law enforcement representatives before an incident occurs, to discuss the conditions under which incidents should be reported to them.
• maintain chain of custody records: whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party’s signature.
• be careful to give out only appropriate information: the affected parties may request details about internal investigations that should not be revealed publicly.
• ensure law enforcement are available to investigate incidents wherever necessary.
• collect the required list of evidence gathered during the incident investigation.
• collect evidence in accordance with procedures that meet all applicable laws and regulations, developed from previous discussions with legal staff and appropriate law enforcement agencies, so that any evidence can be admissible in court.






Lessons learnt from security incidents

Handling and rectifying security incidents works best in a “learning and improving” model. Therefore, incident handling teams must evolve to reflect new threats, improved technology and lessons learned. Each lessons-learned brief must include the following agenda:
• What exactly happened, and at what times?
• How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
• What information was needed sooner?
• Were any steps or actions taken that might have inhibited the recovery?
• What would the staff and management do differently the next time a similar incident occurs?
• How could information sharing with other organizations have been improved?
• What corrective actions can prevent similar incidents in the future?
• What precursors or indicators should be watched for in the future to detect similar incidents?
• What additional tools or resources are needed to detect, analyze and mitigate future incidents?

Process change for the future

The changing nature of information technology and changes in personnel require the incident response team to review all related documentation and procedures for handling incidents at designated intervals. A study of incident characteristics (data collected from previous incidents) may indicate systemic security weaknesses and threats as well as changes in incident trends.

Incident record keeping

Incident record keeping, or collecting data that are actionable rather than collecting data simply because they are available, will be useful to the organization in several capacities. It may help in deriving the following information:
• systemic security weaknesses and threats, as well as changes in incident trends.
• selection and implementation of additional controls.
• measures of the success of the incident response team.
• expected return on investment from the data.

Incident data can also be collected to determine if a change to incident response capabilities causes a corresponding change in the team’s performance (improvements in efficiency, reductions in costs etc.).



Step 9: Data collection

Chain of custody

Evidence collected should be accounted for at all times. Whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party’s signature. A detailed log should be kept for all evidence, including the following:
• Identifying information (e.g. the location, serial number, model number, hostname, media access control (MAC) addresses and IP addresses of a computer).
• Name, title and phone number of each individual who collected or handled the evidence during the investigation.
• Time and date (including time zone) of each occurrence of evidence handling.
• Locations where the evidence was stored.
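The log described above, as an added example that is not part of the handbook: a small Python chain-of-custody record capturing the identifying information, handler details, zoned timestamps and storage locations listed in Step 9, plus a SHA-256 acquisition hash so that a later check can show the evidence was not altered in custody. All names, hostnames, addresses and evidence bytes are constructed.

```python
"""Chain-of-custody log for collected evidence (added example, not the handbook's).

Records what the Step 9 log requires: identifying information about the source
computer, the name, title and phone of each person who handled the item, the time
and date (with time zone) of every handling event, and the storage location.  The
item also keeps the SHA-256 of the data as acquired so later verification can show
it was not altered in custody.  All names, hosts, addresses and bytes are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Handler:
    """Name, title and phone number of a person who collected or handled evidence."""
    name: str
    title: str
    phone: str

@dataclass(frozen=True)
class SourceSystem:
    """Identifying information for the computer the evidence came from."""
    hostname: str
    location: str
    serial_number: str
    model_number: str
    mac_addresses: Tuple[str, ...]
    ip_addresses: Tuple[str, ...]

@dataclass(frozen=True)
class CustodyEvent:
    """One handling occurrence: who released it, who received it, when and where."""
    timestamp: datetime            # timezone-aware, so the zone is always recorded
    action: str                    # 'collected', 'transferred', 'verified' or 'hash-mismatch'
    from_handler: Optional[Handler]
    to_handler: Handler
    storage_location: str
    signatures: Tuple[str, ...]    # both parties sign every transfer

class EvidenceItem:
    def __init__(self, evidence_id, source, data, collector, storage_location, when):
        self.evidence_id = evidence_id
        self.source = source
        self.sha256 = hashlib.sha256(data).hexdigest()   # acquisition hash
        self.events: List[CustodyEvent] = []            # append-only custody log
        self._append(CustodyEvent(when, "collected", None, collector,
                                  storage_location, (collector.name,)))

    def _append(self, event):
        """Enforce a zoned timestamp and chronological order before logging."""
        if event.timestamp.utcoffset() is None:
            raise ValueError("custody timestamps must carry a time zone")
        if self.events and event.timestamp < self.events[-1].timestamp:
            raise ValueError("event timestamp precedes the last custody event")
        self.events.append(event)

    def current_holder(self):
        """The last person to take custody; verification does not change it."""
        for event in reversed(self.events):
            if event.action in ("collected", "transferred"):
                return event.to_handler

    def transfer(self, to_handler, storage_location, when):
        """Hand the item to another person; both sign the form."""
        holder = self.current_holder()
        self._append(CustodyEvent(when, "transferred", holder, to_handler,
                                  storage_location, (holder.name, to_handler.name)))

    def verify(self, data, verifier, storage_location, when):
        """Recompute the hash of the data now in custody and log the outcome.
        Returns True when it matches the acquisition hash."""
        intact = hashlib.sha256(data).hexdigest() == self.sha256
        self._append(CustodyEvent(when, "verified" if intact else "hash-mismatch",
                                  self.current_holder(), verifier, storage_location,
                                  (verifier.name,)))
        return intact

def demo():
    """Constructed scenario: a disk image is collected, handed to a forensic
    analyst and verified intact; a verification of altered bytes then fails."""
    ist = timezone(timedelta(hours=5, minutes=30))
    collector = Handler("A. Sharma", "Incident Handler", "+91-00000-00000")
    analyst = Handler("R. Iyer", "Forensic Analyst", "+91-00000-00001")
    source = SourceSystem("fin-ws-042", "Finance, 3rd floor", "SN-CONSTRUCTED-1",
                          "Model-X", ("00:11:22:33:44:55",), ("10.0.0.42",))
    image = b"constructed disk image bytes"
    item = EvidenceItem("EV-001", source, image, collector,
                        "IR evidence locker, bag 7", datetime(2015, 3, 2, 9, 15, tzinfo=ist))
    item.transfer(analyst, "Forensics lab safe", datetime(2015, 3, 2, 11, 0, tzinfo=ist))
    intact = item.verify(image, analyst, "Forensics lab safe",
                         datetime(2015, 3, 2, 11, 5, tzinfo=ist))
    tampered = item.verify(image + b"\x00", analyst, "Forensics lab safe",
                           datetime(2015, 3, 2, 11, 6, tzinfo=ist))
    return item, intact, tampered
```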



Step 10: Forensic analysis

Incident handling requires some team members to be specialized in particular technical areas, such as network intrusion detection, malware analysis or forensics. Many incidents cause a dynamic chain of events to occur; an initial system snapshot may do more good in identifying the problem and its source than most other actions that can be taken at this stage. Therefore, it is appropriate to obtain snapshots through full forensic disk images, not file system backups. Disk images should be made to sanitized write-protectable or write-once media. This process is superior to a file system backup for investigatory and evidentiary purposes. Imaging is also valuable in that it is much safer to analyse an image than to perform analysis on the original system, because the analysis may inadvertently alter the original. Useful resources for the forensic aspects of incident analysis include digital forensic workstations and/or backup devices to create disk images, preserve log files and save other relevant incident data.

Step 11: Evidence protection

Importance of keeping evidence relating to information security incidents

Collecting evidence from computing resources presents some challenges. It is generally desirable to acquire evidence from a system of interest as soon as one suspects that an incident may have occurred. Users and system administrators should be made aware of the steps that they should take to preserve evidence. In addition, evidence should be accounted for at all times: whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party’s signature, and a registry or log of the location of the stored evidence should be maintained.

Step 12: Notify external agencies

An organization’s incident response team should plan its incident coordination with external parties before incidents occur, to ensure that all parties know their roles and that effective lines of communication are established. An organization’s external agencies may include other or external incident response teams, law enforcement agencies, Internet service providers and constituents, law enforcement/legal departments, and customers or system owners etc.

Step 13: Eradication

Eliminating components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited, follows successful containment and quarantine. During the process, it is important to identify all affected hosts within the organization so that they can be remediated. In some cases, eradication is either not necessary or is performed during recovery.

Identify data backup holes

Verify data back-up and restore procedures. Incident responders should be aware of the location of back-up data storage, maintenance, user access and security procedures for data restoration and system recovery. The following are the suggested data back-up sources:
• spare workstations, servers, networking equipment or virtualized equivalents, which may be used for many purposes, such as restoring backups and trying out malware.
• other important materials, including back-up devices, blank media, basic networking equipment and cables.

Operating system updates and patch management

All hosts should be patched appropriately using standard configurations and configured to follow the principle of least privilege, granting users only the privileges necessary for performing their authorized tasks. Hosts should have auditing enabled and should log significant security-related events; the security of hosts and their configurations should be continuously monitored. Some organizations use Security Content Automation Protocol (SCAP) expressed operating system and application configuration checklists to assist in securing hosts consistently and effectively.

Infrastructure improvement and security policy

Security cannot be achieved by merely implementing various security systems, tools or products. However, security failures are less likely through the implementation of security policy, process, procedure and product(s). Multiple layers of defence need to be applied to design a fail-safe security system. The organization should also report all changes and updates made to its IT infrastructure, network configuration and systems.

Step 14: Systems recovery

In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean back-ups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords and tightening network perimeter security (e.g. firewall rulesets, boundary router access control lists etc.). Higher levels of system logging or network monitoring are often part of the recovery process. Once a resource is successfully attacked, it is often attacked again, or other resources within the organization are attacked in a similar manner. Recovery should also focus on longer-term changes (e.g. infrastructure changes) and ongoing work to keep the enterprise as secure as possible.

Step 15: Incident documentation

A logbook is an effective and simple medium for recording all facts regarding incidents. Documenting system events, conversations and observed changes in files can lead to more efficient, more systematic and less error-prone handling of the problem. Every step taken from the time the incident was detected to its final resolution should be documented and time-stamped. Every document regarding the incident should be dated and signed by the incident handler, as such information can also be used as evidence in a court of law if legal prosecution is pursued.






Importance of keeping records and evidence relating to information security incidents

The incident response team should maintain records about the status of incidents along with other pertinent information. Using an application or a database, such as an issue tracking system, helps ensure that incidents are handled and resolved in a timely manner.

Audio and video documentation strategies

Recording details with evidence-gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain of custody forms etc., is one of the common strategies used to track incidents and security. In addition, laptops, audio recorders and digital cameras can also serve the purpose. Documenting system events, conversations and observed changes in files can lead to more efficient, more systematic and less error-prone handling of the problem.



Update the status of information security incidents

The incident handling team may need to provide status updates to certain parties, and in some cases to the entire organization. The team should plan and prepare several communication methods, including out-of-band methods (in person or on paper), and select the methods that are appropriate for a particular incident.

Possible communication methods include:
• Email
• Website (internal, external or portal)
• Telephone calls
• In person (daily briefings)
• Voice mailbox greeting (set up a separate voice mailbox for incident updates and update the greeting message to reflect the current incident status, and use the help desk’s voice mail greeting)
• Paper (post notices on bulletin boards and doors, hand out notices at all entrance points etc.)

Incident status template

An incident status should carry a statement of the current status of the incident so that communications with the media are consistent and up-to-date. The template may include the following details:
• Current status of the incident (new, in progress, forwarded for investigation, resolved etc.)
• Summary of the incident
• Indicators related to the incident
• Other incidents related to this incident
• Actions taken by all incident handlers on this incident
• Chain of custody, if applicable
• Impact assessments related to the incident
• Contact information for other involved parties (e.g. system owners, system administrators)
• List of evidence gathered during the incident investigation
• Comments from incident handlers
• Next steps to be taken (e.g. rebuild the host, upgrade an application)

Preparing reports on information security incidents



Another important post-incident activity is creating a follow-up report for each incident, which can be quite valuable for future use. The report provides a reference that can be used to assist in handling similar incidents.

Incident report templates

The incident report template should establish a formal chronology of events, including time-stamped information such as log data from systems (important for legal reasons) and a monetary estimate of the amount of damage the incident caused. This estimate may become the basis for subsequent prosecution activity by law enforcement entities. Additionally, the following information may also be a part of the report:
• Number of incidents handled
• Time per incident
• Objective assessment of each incident
• Subjective assessment of each incident

Organizations should specify which incidents must be reported, when they must be reported and to whom. The parties most commonly notified are the CIO, head of information security, local information security officer, other incident response teams within the organization and system owners.

Submitting information security reports

Security follow-up reports are usually kept for a period of time as specified in record retention policies. Most organizations have data retention policies that state how long certain types of data may be kept. For example, an organization may state that email messages should be retained for only 180 days. If a disk image contains thousands of emails, the organization may not want the image to be kept for more than 180 days unless it is absolutely necessary.

Step 16: Incident damage and cost assessment

After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents. The incident data, particularly the total hours of involvement and the cost, may be used to justify additional funding of the incident response team. The cost of storing evidence and the cost of retaining functional computers that can use the stored hardware and media can be substantial. Cost is a major factor, especially if employees are required to be onsite 24/7. Organizations may fail to include incident response-specific costs in budgets, such as sufficient funding for training and maintaining skills.

Step 17: Review and update the response policies

The organization must review and update response policies and related activities, gather information from the handlers, provide incident updates to other groups, and ensure that the team’s needs are met. The gamut of the work may also include periodically reviewing and updating threat information through briefings, web postings and mailing lists published by authorized agencies or public bodies.






Step 18: Training and awareness

Organizations must create, provision and operate a formal incident response capability.

Security awareness and training checklist

Establishing incident response training and awareness should include the following actions:
• creating an incident response training and awareness policy and plan.
• developing procedures for performing incident handling and reporting.
• setting guidelines for communicating with outside parties regarding incidents.
• training IT staff on complying with the organization’s security standards and making users aware of policies and procedures regarding appropriate use of networks, systems and applications.
• providing training for SOP (delineation of the specific technical processes, techniques, checklists and forms) users.
• staffing and training the incident response team.
• providing a solid training program for new employees.
• training to maintain networks, systems and applications in accordance with the organization’s security standards.
• creating awareness of policies and procedures regarding appropriate use of networks, systems and applications.

Incident response knowledge base

The knowledge base is the consolidated incident data collected into a common incident database. Organizations can create their own knowledge base or refer to those established by several groups and organizations. Although it is possible to build a knowledge base with a complex structure, a simple approach can be effective. Text documents, spreadsheets and relatively simple databases provide effective, flexible and searchable mechanisms for sharing data among team members. The knowledge base should also contain a variety of information, including explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries and application error codes.

Accessing and updating the knowledge base

An incident handler may need to access knowledge base information quickly during incident analysis; a centralized knowledge base provides a consistent and maintainable source of information. The knowledge base should include general information such as data on precursors and indicators of previous incidents.

Importance of tracking progress

Several groups collect and consolidate incident data from various organizations into incident databases. This information sharing may take place in many forms, such as trackers and real-time blacklists. The organization can also check its own






knowledge base or issue tracking system for related activity.

Corrective and preventative actions for information security incidents

In the absence of security controls, higher volumes of incidents may occur, overwhelming the incident response team. An incident response team may be able to identify problems that the organization is otherwise not aware of. The team can play a key role in risk assessment and training by identifying gaps. The following text provides a brief overview of some of the main recommended practices for securing networks, systems and applications:
• Periodic risk assessments of systems and applications to determine what risks are posed by combinations of threats and vulnerabilities.
• Hosts hardened appropriately using standard configurations and kept properly patched; hosts should be configured to follow the principle of least privilege, granting users only the privileges necessary for performing their authorized tasks.
• The network perimeter should be configured to deny all activity that is not expressly permitted.
• Software to detect and stop malware should be deployed throughout the organization.
• Users should be made aware of policies and procedures regarding appropriate use of networks, systems and applications.






UNIT IV Handling Malicious Code Incidents

This unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
5.1. Incident handling preparation
5.2. Incident prevention
5.3. Detection of Malicious Code
5.4. Containment strategy
5.5. Evidence gathering and handling
5.6. Eradication and Recovery






Lesson Plan

Outcomes: To be competent, you must be able to:
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
PC9. update the status of information security incidents following investigation/action using standard templates and tools
Performance Measures: Ensuring
1. Creation of templates based on the learnings
2. Peer review with faculty with appropriate feedback.
Duration (Hrs): 4 hrs
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Projection facilities

Outcomes: You need to know and understand:
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents
KA10. different types of information security incidents and how to deal with these
Performance Measures:
KA7 Peer review with faculty with appropriate feedback.
KA10 Team work (IM and chat applications) and group activities (online forums), including templates to be prepared.
Duration (Hrs): 8 hrs
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security
• Security Templates from ITIL, ISO



Suggested Learning Activities

Activity 1: Divide students into groups and assign them the following task. List various service providers and products that help in addressing malicious code incidents through prevention and eradication. Compare the features and benefits of the various products and service providers. Present your findings in class and compare them with those of your peers.

Activity 2: Research various OSs and their inbuilt provisions to prevent malicious code incidents. Present the same in class.






Training Resource Material

Malicious code refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs or otherwise compromise the security or integrity of the victim’s data. Generally, malicious code is designed to perform these nefarious functions without the system’s user knowing. Malicious code attacks can be divided into five categories: viruses, Trojan horses, worms, mobile code and blended.



4.1 Incident Handling Preparation

Preparation is the first step in incident response. It covers establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks and applications are sufficiently secure. Incident handling procedures include the following requirements:
• Contact information for team members and others within and outside the organization (primary and back-up contacts), such as law enforcement and other incident response teams etc.
• On-call information for other teams within the organization, including escalation information.
• Incident reporting mechanisms, such as phone numbers, email addresses, online forms and secure instant messaging systems that users can use to report suspected incidents.
• Issue tracking system for tracking incident information, status etc.
• Encryption software to be used for communication among team members, within the organization and with external parties and federal agencies; the software must use a FIPS-validated encryption algorithm.
• Digital forensic workstations and/or backup devices to create disk images, preserve log files and save other relevant incident data.
• Laptops for activities such as analyzing data, sniffing packets and writing reports.
• Portable printer to print copies of log files and other evidence from non-networked systems.
• Packet sniffers and protocol analyzers to capture and analyze network traffic.
• Port lists, including commonly used ports and Trojan horse ports.
• Documentation for OSs, applications, protocols, and intrusion detection and antivirus products.
• Network diagrams and lists of critical assets, such as database servers.
• Current baselines of expected network, system and application activity.
• Cryptographic hashes of critical files to speed incident analysis, verification and eradication.
• Access to images of clean OS and application installations for restoration and recovery purposes.



For malicious code incidents, the following preparation steps can be taken:

STEP 1. Make users aware of malicious code issues – this information should include a basic review of the methods that malicious code uses to propagate and the symptoms of infections. Holding regular user education sessions helps to ensure that users are aware of the risks that malicious code poses.

STEP 2. Read antivirus vendor bulletins – sign up for mailing lists from antivirus vendors that provide timely information on new malicious code threats.

STEP 3. Deploy host-based intrusion detection systems to critical hosts – host-based IDS software can detect signs of malicious code incidents such as configuration changes and system executable modifications. File integrity checkers are useful in identifying the affected components of a system.

Some organizations configure their network perimeters to block connections to specific common Trojan horse ports, with the goal of preventing Trojan horse client and server component communications. However, this approach is generally ineffective. Known Trojan horses use hundreds of different port numbers, and many Trojan horses can be configured to use any port number. Also, some Trojan horses use the same port numbers that legitimate services use, so their communication cannot be blocked by port number. Some organizations also implement port blocking incorrectly, so legitimate connections are sometimes blocked. Implementing filtering rules for each Trojan horse port will also increase the demands placed on the filtering device. Generally, a Trojan horse port should be blocked only if the organization has a serious Trojan horse infestation.
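A minimal file integrity checker of the kind STEP 3 refers to, tying in the “cryptographic hashes of critical files” preparation item above. This is an added example, not code from the handbook: it baselines SHA-256 digests of every file under a directory, stores them, and later reports added, removed and modified files; the directory layout and contents in demo() are constructed.

```python
"""File integrity baseline and comparison (added example, not from the handbook).

Implements the "cryptographic hashes of critical files" preparation item and the
file integrity checking of STEP 3: hash every file under a directory tree while
the host is known-good, store the result, and later recompute and diff it to
find added, modified and removed files.  Directory layout and file contents in
demo() are constructed for this example.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 hex digest of a file, read in chunks so large binaries such as
    system executables do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (path relative to root, forward
    slashes) to its digest.  Symlinks are skipped so a link repointed at a
    different target cannot pass as an unchanged file."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(baseline, current):
    """Diff two baselines into sorted lists of added, removed and modified
    relative paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    """Persist the baseline as JSON.  Store it off-host or on write-once media
    so that a compromised host cannot rewrite its own baseline."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a small 'system' tree, then alter one
    file, add a new one and delete another; return the comparison report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        files = {
            os.path.join(bin_dir, "svc"): b"original service binary",
            os.path.join(root, "hosts"): b"127.0.0.1 localhost\n",
            os.path.join(root, "old.conf"): b"keep=1\n",
        }
        for path, content in files.items():
            with open(path, "wb") as fh:
                fh.write(content)
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # Changes made after the baseline was taken.
        with open(os.path.join(bin_dir, "svc"), "ab") as fh:
            fh.write(b" with unexpected appended bytes")
        with open(os.path.join(bin_dir, "extra"), "wb") as fh:
            fh.write(b"file that was not in the baseline")
        os.remove(os.path.join(root, "old.conf"))

        return compare_baselines(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```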






Figure: Incident Captured in system32 files






4.2 Incident Prevention Incident prevention objectively works on minimizing larger negative business (e.g. more extensive damage, longer periods of service and data unavailability etc.) impact and reduced number of incidents. Although incident response teams are generally not responsible for securing resources, they can be advocates of sound security practices. They can play a key role of identify problems that the organization is otherwise not aware of, the team can play a key role in risk assessment and training by identifying gaps. Some of the recommended practices for securing networks, systems and applications include:



  











periodic risk assessments of systems and applications. hardening of hosts appropriately using standard configurations. configuring network perimeters such as securing all connection points, such as virtual private networks (VPNs) and dedicated connections to other organizations. deploying malware protection at the host level (server and workstation operating systems), the application server level (email server, web proxies etc.) and the application client level (email clients, instant messaging clients etc.) applying the learning from previous incidents, and sharing with users so



they can see how their actions could affect the organization. For preventing malicious code incidents, the following steps can be taken: STEP 1.Use antivirus software: antivirus software is a necessity to combat the threat of malicious code and limit damage. The software should be running on all hosts throughout the organization, and all copies should be kept current with the latest virus signatures so that the newest threats can be thwarted. Antivirus software should also be used for applications used to transfer malicious code, such as email, file transfer and instant messaging software. The software should be configured to perform periodic scans of the system as well as real-time scans of each file as it is downloaded, opened or executed. The antivirus software should also be configured to disinfect and quarantine infected files. Some antivirus products not only look for viruses, worms and Trojan horses, but they also examine HTML, ActiveX, JavaScript and other types of mobile code for malicious content. STEP 2.Block suspicious files: configure email servers and clients to block attachments with file extensions that are associated with malicious code (e.g. .pif, .vbs) and suspicious file extension combinations (e.g. .txt.vbs, .htm.exe). STEP 3.Limit the use of nonessential programs with file transfer capabilities: examples include peer-to-peer file and music sharing 289



Trainer’s Handbook – Security Analyst SSC/N0902



programs, instant messaging software and IRC clients and servers. These programs are frequently used to spread malicious code among users. STEP 4.Educate users on the safe handling of email attachments: antivirus software should be configured to scan each attachment before opening it. Users should not open suspicious attachments or attachments from unknown sources. Users should also not assume that if the sender is known, the attachment is not infected. Senders may not know that their systems are infected with malicious code that can extract email addresses from files and send copies of the malicious code to those addresses. This activity creates the impression that the emails are coming from a trusted person even though the person is not aware that they have been sent. Users can also be educated on file types that they should never open (e.g. .bat, .com, .exe, .pif, .vbs). Although user awareness of good practices should lessen the number and severity of malicious code incidents, organizations should assume that users will make mistakes and infect systems. STEP 5.Eliminate open windows shares: many worms spread through unsecured shares on hosts running Windows. If one host in the organization is infected with a worm, it could rapidly spread to hundreds or thousands of other hosts within the organization through their unsecured shares.



Organizations should routinely check all hosts for open shares and direct the system owners to secure the shares properly. Also, the network perimeter should be configured to prevent traffic that uses NetBIOS ports from entering or leaving the organization’s networks. This should not only prevent external hosts from directly infecting internal hosts through open shares but should also prevent internal worm infections from spreading to other organizations through open shares.

STEP 6. Use web browser security to limit mobile code: all web browsers should have their security settings configured so as to prevent unsigned ActiveX and other mobile code vehicles from unknowingly being downloaded to and executed on local systems. Organizations should consider establishing an internet security policy that specifies which types of mobile code may be used from various sources (e.g. internal servers, external servers).

STEP 7. Configure email clients to act more securely: email clients throughout the organization should be configured to avoid actions that may inadvertently permit infections to occur. For example, email clients should not automatically execute attachments.
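As an added example (not code from the handbook) of the attachment policy in STEP 2 and the "never open" file types in STEP 4, the following Python function screens attachment names against a blocklist of executable extensions and flags misleading double extensions such as report.txt.vbs. The extension sets and sample file names are constructed for illustration and are not an exhaustive policy; the filter complements, not replaces, antivirus scanning of the attachment content.

```python
"""Attachment name screening for an email gateway or client.

Added example, not code from the handbook. The extension lists are a
constructed sample policy, not an exhaustive or recommended configuration.
"""
import re

# Extensions the handbook lists as ones users should never open, plus a few
# other executable types (constructed sample; extend from your own policy).
BLOCKED_EXTENSIONS = {".bat", ".com", ".exe", ".pif", ".vbs", ".scr", ".hta", ".js"}

# Extensions that look harmless and are therefore used as the first half of
# a misleading double extension such as report.txt.vbs or page.htm.exe.
DECOY_EXTENSIONS = {".txt", ".htm", ".html", ".pdf", ".doc", ".docx", ".xls",
                    ".jpg", ".png", ".gif"}


def attachment_verdict(filename):
    """Classify one attachment name; returns (verdict, reason).

    Rules, in the order they are applied:
      1. a right-to-left override character (U+202E) makes the displayed
         name differ from the real one, so the name is blocked outright;
      2. the real (final) extension is on the blocklist, reported as a
         double extension when a decoy extension precedes it;
      3. everything else is allowed by this filter (content scanning by
         antivirus software is still required).
    Whitespace padding between a decoy and the real extension
    ("invoice.pdf      .exe") is collapsed before the check.
    """
    if "\u202e" in filename:
        return "block", "right-to-left override character in name"
    name = re.sub(r"\s+", "", filename.strip().lower())
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "allow", "no extension"
    exts = ["." + p for p in parts[1:]]
    final = exts[-1]
    if final in BLOCKED_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return "block", "double extension " + exts[-2] + final
        return "block", "blocked extension " + final
    return "allow", "extension " + final + " permitted"


def screen_attachments(filenames):
    """Apply the policy to a list of names; returns {name: (verdict, reason)}."""
    return {n: attachment_verdict(n) for n in filenames}


# Constructed sample attachment names for demonstration.
SAMPLE_NAMES = [
    "quarterly_report.pdf",
    "setup.exe",
    "readme.txt.vbs",
    "invoice.pdf        .exe",
    "photos.htm.exe",
    "archive.tar.gz",
    "notes",
]

if __name__ == "__main__":
    for name, (verdict, reason) in screen_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:5s}  {name!r:32s}  {reason}")
```

Running the block prints one verdict per sample name; four of the seven constructed names are blocked. The double-extension rule only fires when the final extension is itself blocked, so archive.tar.gz passes: the point is the real extension, not the number of dots.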






4.3 Detection of Malicious Code

Detection of malicious code involves preparing to handle incidents that use common attack vectors. Key aspects of malicious code detection include:

• screening attack vectors such as removable media and other peripheral devices.
• keeping a tab on network flow information from routers and other networking devices, which can be used to find anomalous network activity caused by malware, data exfiltration and other malicious acts.
• monitoring alerts sent by IDPS products, most of which use attack signatures to identify malicious activity. The signatures must be kept up to date so that the newest attacks can be detected.
• observing antivirus software alerts: antivirus software detects various forms of malware, generates alerts and prevents the malware from infecting hosts.
• maintaining and using a rich knowledge base with explanations of the significance and validity of precursors and indicators, such as IDPS alerts, operating system log entries and application error codes.
• following appropriate containment procedures, such as disconnecting the infected host from the network so that it cannot cause further damage.

Because malicious code incidents can take many forms, they may be detected via a number of precursors and indications. Some precursors and possible responses are listed below:



Precursor: An alert warns of new malicious code that targets software that the organization uses.
Response: Research the new virus to determine whether it is real or a hoax. This can be done through antivirus vendor websites and virus hoax sites. If the malicious code is confirmed as authentic, ensure that antivirus software is updated with virus signatures for the new malicious code. If a virus signature is not yet available, and the threat is serious and imminent, the activity might be blocked through other means, such as configuring email servers or clients to block emails matching characteristics of the new malicious code. The team might also want to notify antivirus vendors of the new virus.






Precursor: Antivirus software detects and successfully disinfects or quarantines a newly received infected file.
Response: Determine how the malicious code entered the system and what vulnerability or weakness it was attempting to exploit. If the malicious code might pose a significant risk to other users and hosts, mitigate the weaknesses that the malicious code used to reach the system and would have used to infect the target host.



Similarly, there are certain indications that can highlight the onset of a malicious action. For example:

Malicious action: a virus that spreads through email infects a host.
Indicators:
• Antivirus software alerts of infected files
• Sudden increase in the number of emails being sent and received
• Changes to templates for word processing documents, spreadsheets etc.
• Deleted, corrupted or inaccessible files
• Unusual items on the screen such as odd messages and graphics
• Programs start slowly, run slowly or do not run at all
• System instability and crashes

Malicious action: a worm that spreads through a vulnerable service infects a host.
Indicators:
• Antivirus software alerts of infected files
• Port scans and failed connection attempts targeted at the vulnerable service (e.g. open Windows shares, HTTP)
• Increased network usage
• Programs start slowly, run slowly or do not run at all
• System instability and crashes

Malicious action: malicious mobile code on a website is used to infect a host with a virus, worm or Trojan horse.
Indicators:
• Indications listed above for the pertinent type of malicious code
• Unexpected dialog boxes, requesting permission to do something
• Unusual graphics such as overlapping or overlaid message boxes

Malicious action: a Trojan horse is installed and running on a host.
Indicators:
• Antivirus software alerts of Trojan horse versions of files
• Network intrusion detection alerts of Trojan horse client-server communication
• Firewall and router log entries for Trojan horse client-server communication
• Network connections between the host and unknown remote systems
• Unusual and unexpected ports open
• Unknown processes running
• High amounts of network traffic generated by the host, particularly if directed at external host(s)
• Programs start slowly, run slowly or do not run at all
• System instability and crashes



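The Trojan horse indicators above (unusual open ports, unknown processes, connections to unknown remote systems, high outbound traffic) can be checked mechanically against a host's documented baseline. The following is an added example, not part of the handbook: the baseline sets, the process names and the snapshot of listeners and connections are constructed for a hypothetical web server, and a real check would read the live state from the operating system (e.g. netstat or ss output and the process list) instead of the inline sample.

```python
"""Check a host snapshot against a baseline for Trojan horse indicators.

Added example, not from the handbook. Baseline values and the snapshot are
constructed for a hypothetical web server.
"""
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

Listener = namedtuple("Listener", "proto port process")
# outbound=True means the host initiated the connection (a beacon to a
# remote controller would); inbound client connections to a public service
# are expected to come from external addresses and are not flagged.
Connection = namedtuple("Connection", "remote_ip remote_port process outbound bytes_out")

# Constructed baseline for this host class.
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 443), ("udp", 123)}
KNOWN_PROCESSES = {"sshd", "nginx", "chronyd"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
OUTBOUND_LIMIT = 50 * 1024 * 1024  # bytes the host may send to one external peer


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_host(listeners, connections):
    """Return a list of (indicator, detail) pairs; empty means nothing fired.

    Process names alone are weak evidence (malware can reuse a legitimate
    name), so a real check would also compare binary paths and hashes.
    """
    findings = []
    for lst in listeners:
        if (lst.proto, lst.port) not in EXPECTED_LISTENERS:
            findings.append(("unexpected_port", f"{lst.proto}/{lst.port} opened by {lst.process}"))
        if lst.process not in KNOWN_PROCESSES:
            findings.append(("unknown_process", lst.process))
    for con in connections:
        if con.outbound and not is_internal(con.remote_ip):
            findings.append(("unknown_remote", f"{con.process} -> {con.remote_ip}:{con.remote_port}"))
            if con.bytes_out > OUTBOUND_LIMIT:
                findings.append(("high_outbound", f"{con.bytes_out} bytes to {con.remote_ip}"))
    return findings


def summarize(findings):
    """Count findings per indicator type, e.g. {'unexpected_port': 1, ...}."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed snapshot: three expected services plus one suspicious listener,
# and one host-initiated connection to an external address (TEST-NET-3 range).
SAMPLE_LISTENERS = [
    Listener("tcp", 22, "sshd"),
    Listener("tcp", 443, "nginx"),
    Listener("udp", 123, "chronyd"),
    Listener("tcp", 31337, "svchelper"),
]
SAMPLE_CONNECTIONS = [
    Connection("10.0.5.21", 51234, "nginx", False, 20_480),
    Connection("198.51.100.8", 40001, "nginx", False, 4_096),   # inbound web client
    Connection("203.0.113.45", 6667, "svchelper", True, 120 * 1024 * 1024),
]

if __name__ == "__main__":
    for kind, detail in check_host(SAMPLE_LISTENERS, SAMPLE_CONNECTIONS):
        print(f"{kind:16s} {detail}")
```

On the constructed snapshot the check reports one finding of each kind, all caused by the same unexpected process; the inbound web client from an external address is deliberately not reported, because only connections the host itself opened are compared against the internal ranges.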



4.4 Containment Strategy

Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision making. Criteria for determining the appropriate strategy include:

• Potential damage to and theft of resources
• Need for evidence preservation
• Service availability (e.g. network connectivity or services provided to external parties)
• Time and resources needed to implement the strategy
• Effectiveness of the strategy (e.g. partial containment or full containment)
• Duration of the solution (e.g. emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks or permanent solution)



Containment strategy for malicious code incidents may include:

Identifying and isolating other infected hosts: antivirus alert messages are a good source of information, but not every infection will be detected by antivirus software. Incident handlers may need to search for indications of infection through other means such as:

• performing port scans to detect hosts listening on a known Trojan horse or backdoor port.
• using antivirus scanning and cleanup tools released to combat a specific instance of malicious code.
• reviewing logs from email servers, firewalls and other systems that the malicious code may have passed through, as well as individual host logs.
• configuring network and host intrusion detection software to identify activity associated with infections.
• auditing the processes running on systems to confirm that they are all legitimate.
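One concrete form of "reviewing logs from firewalls" to identify other infected hosts: once the first infection has been analysed and the external address the malware reports back to is known, every internal host that tried to reach that address is a candidate for isolation. The following is an added example, not the handbook's code; the log lines are a constructed key=value export (adapt the regular expression to your firewall's format) and the bad destination is a constructed placeholder in the TEST-NET-3 range, not a real indicator.

```python
"""Finding other infected hosts from firewall logs.

Added example, not the handbook's code. SAMPLE_LOG and the bad destination
address are constructed for demonstration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample firewall log lines (action, source, destination, port).
SAMPLE_LOG = """\
2015-06-01T10:02:11 fw01 ACCEPT src=10.0.3.14 dst=203.0.113.77 proto=tcp dport=443
2015-06-01T10:02:15 fw01 ACCEPT src=10.0.3.99 dst=198.51.100.20 proto=tcp dport=80
2015-06-01T10:05:40 fw01 ACCEPT src=10.0.7.2 dst=203.0.113.77 proto=tcp dport=8443
2015-06-01T10:09:03 fw01 ACCEPT src=10.0.3.14 dst=203.0.113.77 proto=tcp dport=443
2015-06-01T10:11:58 fw01 DROP src=10.0.9.5 dst=203.0.113.77 proto=tcp dport=443
2015-06-01T10:12:10 fw01 ACCEPT src=10.0.3.99 dst=198.51.100.20 proto=tcp dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def hosts_contacting(text, bad_destinations):
    """Summarize every internal source that tried to reach a bad destination.

    DROP lines count as well: a host whose connection attempt was blocked at
    the perimeter is still infected and still needs cleaning.
    """
    seen = defaultdict(lambda: {"attempts": 0, "blocked": 0,
                                "first": None, "last": None, "dports": set()})
    for rec in parse_lines(text):
        if rec["dst"] not in bad_destinations:
            continue
        entry = seen[rec["src"]]
        entry["attempts"] += 1
        if rec["action"] == "DROP":
            entry["blocked"] += 1
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
        entry["dports"].add(int(rec["dport"]))
    return dict(seen)


def isolation_list(text, bad_destinations, already_isolated=()):
    """Hosts to isolate, in address order, excluding those already handled."""
    hosts = [h for h in hosts_contacting(text, bad_destinations)
             if h not in already_isolated]
    return sorted(hosts, key=ip_address)


if __name__ == "__main__":
    bad = {"203.0.113.77"}   # constructed placeholder for the analysed sample's peer
    for host, info in hosts_contacting(SAMPLE_LOG, bad).items():
        print(host, info)
    print("isolate:", isolation_list(SAMPLE_LOG, bad, already_isolated={"10.0.3.14"}))
```

The first and last timestamps per host bound the window that host logs and email logs need to be reviewed for, and the blocked count shows which hosts the perimeter rule is already containing.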



Sending unknown malicious code to antivirus vendors: malicious code that cannot be definitively identified by antivirus software may occasionally enter the environment. Eradicating the malicious code from systems and preventing additional infections may be difficult or impossible without having updated antivirus signatures from the vendor. Incident handlers should be familiar with the procedures for submitting copies of unknown malicious code to the organization’s antivirus vendors.

Configuring email servers and clients to block emails: many email programs can be configured manually to block emails by particular subjects, attachment names or other criteria that correspond to the malicious code. This is neither a foolproof nor an efficient solution, but it may be the best option available if an imminent threat exists and antivirus signatures are not yet available.

Blocking outbound access: if the malicious code attempts to generate outbound emails or connections, handlers should consider blocking access to IP addresses or services to which the infected system may be attempting to connect.

Shutting down email servers: during the most severe malicious code incidents with hundreds or thousands of internal hosts infected, email servers may become completely overwhelmed by viruses trying to spread via email. It may be necessary to shut down an email server to halt the spread of email-borne viruses.

Isolating networks from the internet: networks may become overwhelmed with worm traffic when a severe worm infestation occurs. Occasionally a worm will generate so much traffic throughout the internet that network perimeters are completely overwhelmed. It may be better to disconnect the organization from the internet, particularly if the organization’s internet access is essentially useless as a result of the volume of worm traffic. This protects the organization’s systems from being attacked by external worms, and if the organization’s systems are already infected, it prevents them from attacking other systems and adding to the traffic congestion.






4.5 Evidence Gathering and Handling

The primary reason for gathering evidence during an incident is to resolve the incident; however, it may also be needed for legal proceedings. For incident analysis, evidence is gathered and preserved using hardware and software together with related accessories such as hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, so that it can be preserved for possible legal actions.



With respect to legal proceedings, it is important to clearly document how all evidence, including compromised systems, has been preserved. Evidence should be collected according to procedures that meet all applicable laws and regulations that have been developed from previous discussions with legal staff and appropriate law enforcement agencies so that any evidence can be admissible in court. Thus, users and system administrators should be made aware of the steps that they should take to preserve evidence.



4.6 Eradication and Recovery

After an incident has occurred, it is important to identify all affected hosts within the organization so that they can be remediated. For some incidents, eradication is either not necessary or is performed during recovery. In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally and (if applicable) remediate vulnerabilities to prevent similar incidents. Eradication procedures may be performed in the following ways:

• identify and mitigate all vulnerabilities that were exploited.
• remove malware, inappropriate materials and other components.
• if more affected hosts are discovered (e.g. new malware infections), repeat the detection and analysis steps to identify all other affected hosts.
• contain and eradicate the incident in accordance with appropriate procedures.

Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords and tightening network perimeter security (e.g. firewall rulesets, boundary router access control lists). Some of the recommended practices in recovery procedures are:

• return affected systems to an operationally ready state
• confirm that the affected systems are functioning normally
• implement additional monitoring to look for future related activity, if necessary






Eradication and recovery should be done in a phased approach so that remediation steps are prioritized.

Antivirus systems

Antivirus software effectively identifies and removes malicious code infections; however, some infected files cannot be disinfected. (Such files can be deleted and replaced with clean backup copies. In the case of an application, the affected application can be reinstalled.) If the malicious code provided attackers with root-level access, it may not be possible to determine what other actions the attackers may have performed. In such cases, the system should either be restored from a previous, uninfected backup or be rebuilt from scratch. Of course, the system should then be secured so that it will not be susceptible to another infection from the same malicious code.

Antivirus software sends alerts when it detects that a host is infected with malware. It detects various forms of malware, generates alerts and prevents the malware from infecting hosts. Current antivirus products are effective at stopping many instances of malware if their signatures are kept up to date. Antispam software is used to detect spam and prevent it from reaching users’ mailboxes. Spam may contain malware, phishing attacks and other malicious content, so alerts from anti-spam software may indicate attack attempts.



Case Study on Incident Handling Process

The Challenge
A large, multinational organization was alerted by US-CERT/FBI that it had been the source of a number of credit cards and details being leaked/sold on underground (carding) forums. After an initial investigation, the organization's security team discovered a compromised credit-card processing server but, having insufficient resources and skills in dealing with the incident, called in OSEC.

The Solution
OSEC sent a team of analysts, including Incident Response, Crisis Management, and Digital Forensics personnel to the organization's head office and data centres to deal with the incident. Once there, the team initiated full incident response based on the information supplied by the organization itself as well as law enforcement/authorities.

Planning - After The Fact
The first task was understanding what measures were in place to deal with the incident. Unfortunately, while the organization had an incident response plan, it had not undertaken the first step of Incident Response - preparation. OSEC's incident response manager, along with the team, got to work coming up with a strategy: analysing the available information, using it to understand the extent of the compromise and the incident, and working out how to contain and eradicate it. All the while, information to the rest of the organization and the world at large had to be controlled, due to the possible legal and regulatory implications.






Now that you know the security challenge the organization faced after the US-CERT/FBI alert, you can read the Detection and Eradication process that was adopted to handle the incident in a controlled manner:



Detection and Analysis

Containment required understanding what data had been exfiltrated, and working back from there to the compromised resources, as well as examining the rest of the environment for other footholds that the attackers had. Quickly gaining an understanding of the network and segmentation, as well as rapidly implementing network behavioural analysis and performing content inspection between the payment processing infrastructure and external networks, OSEC detected connections back to command and control servers that were known to be operated by organized criminal elements ('carders'). From there, we started performing analysis of the compromised systems using forensics techniques to determine how and what vulnerabilities had been exploited to gain access, correlating that with available logging information, all the while monitoring network flows both to ensure that no additional card information was being exfiltrated and to understand which machines were under the attackers' control, without alerting them. Within a short amount of time, OSEC determined that a third-party web application/site that was vulnerable to SQL injection had been initially compromised, and then used as a "base of operations" to penetrate further into the network, ultimately gaining access to the payment processing segments. By targeting administrators using social engineering attacks in combination with an Internet Explorer vulnerability, the attackers had then stolen credentials that could be used to authenticate to payment processing servers, and utilized privilege escalation vulnerabilities on the servers themselves to harvest credit card numbers as they were being processed. In addition, they had installed customized malware that communicated with the command and control servers and exfiltrated data through encrypted tunnels, in bursts, to evade detection.






Containment and Eradication

OSEC then went about stopping the spread of the malware and compromise, and expelling the attackers from the network. Once we had determined that the malware installed would not respond negatively to loss of connectivity to command and control servers, we quickly:

• ensured the initial point of compromise (SQL injection) was corrected
• scanned for similar common vulnerabilities in externally-visible systems, and ensured any identified issues were corrected
• reset all relevant authentication credentials
• blocked the attackers at the network perimeter.

We then set about isolating and cleaning each of the compromised hosts as quickly as we could, in coordination with IT personnel, to ensure that the processing systems were impacted as little as possible. In most cases, we were able to wipe hosts and perform recovery to ensure all traces of malware were eradicated, but a number of systems required manual cleaning, which we undertook with the relevant organizational resources, and initiated extensive monitoring to ensure no undetected issues remained. Finally, once the full extent of the breach was understood, particularly what and how much data had been stolen, OSEC coordinated with PR and Legal personnel to manage client and other regulatory-body notifications.

Post-Incident Activity

Once the immediate incident had been dealt with, OSEC performed a post-mortem analysis of the incident and the organization's response, and compared it to OSEC's internally-developed IR processes, procedures, and frameworks to identify what needed to be done to ensure IR, vulnerability management, and overall Information Security Management processes and procedures were improved such that future incidents would be minimized. We then sat down with the various stakeholders in the organization that had been involved and discussed the incident and response, explaining the relevant issues, identifying organizational problems that also needed to be corrected, as well as future strategies for avoiding incidents and dealing with them when they occurred, communicating our recommended incident response strategy and implementation to the organization's senior levels. Having reviewed OSEC's recommendations, the organization then asked us back to assist with implementing them. Over a three-month period, OSEC led a number of efforts, including implementing protection mechanisms at the host, application, and network layers; establishing a functioning vulnerability management process within the overall information security management program; verifying processes; helping with staffing and training; and performing incident response drills to test the final product.

The Result

Twelve months after implementing the recommendations, and achieving a practical incident response program, the organization has not suffered any subsequent breaches. In addition, it has gained the assurance, through incident response drills, that should a breach occur, response will be swift and effective.






UNIT V Handling Network Security Incidents

This unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  5.1. Network Reconnaissance Incidents
  5.2. Denial of Service Attacks
  5.3. Unauthorised Access Incidents
  5.4. Inappropriate Usage Incidents
  5.5. Multiple Component Incidents






Lesson Plan

Performance Measures / Outcomes
To be competent, you must be able to:
PC5. liaise with stakeholders to gather, validate and provide information related to information security incidents, where required
Ensuring:
1. Creation of templates based on the learnings
2. Peer review with faculty with appropriate feedback.
Duration (Hrs): 4 hrs
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Projection facilities

Performance Measures / Outcomes
PC9. update the status of information security incidents following investigation/action using standard templates and tools
You need to know and understand:
KA7. the importance of tracking progress and corrective and preventative actions for information security incidents
KA10. different types of information security incidents and how to deal with these
Ensuring:
KA7: Peer review with faculty with appropriate feedback.
KA10: Team work (IM and chat applications) and group activities (online forums) including templates to be prepared.
Duration (Hrs): 8 hrs
Work Environment / Lab Requirement:
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security
• Security Templates from ITIL, ISO



Suggested Learning Activities

Activity 1: Present to class different types of incidents that impact network security and research various service providers who offer services for network incident management. Compare their offerings.

Activity 2: Create an action plan for your training institute for addressing network security incidents. As part of the plan, state do’s and don’ts for the network administrator and users.






Training Resource Material

Intruders probe computer networks to gather information about computer systems and resources. A probe is any attempt launched to detect:

• active hosts and networks that are reachable over a public or an accessible medium.
• services and applications they are running, together with any vulnerability that these services and applications may have, which could be exposed and taken advantage of.

5.1 Network Reconnaissance Incidents

Probes can be classified into three main activities:

Host detection: host detection essentially aims to establish the liveness of a host along with its network address. Hardware addresses may also be sought by intruders having access to the same segment as the target.

Port enumeration: port enumeration is to do with the listing of TCP/UDP services running on a host. This may be a list of all services or only those of particular interest to an intruder, along with the port address they are running on.

Vulnerability assessment: vulnerability assessment seeks to establish information on the type and version of the operating system and the different applications running on a machine. Version and patch level details about an operating system and applications are important to judge the possible exploits that could be used to attack the host.






A probe could be launched by an intruder in two modes:
1. Active
2. Passive

An active probe involves some attempted interaction over the network on behalf of the intruder. This may involve sending a packet directly to a target host or a network, or to some intermediary used for the purposes of probing. A passive probe, on the other hand, would involve an intruder restricting herself to sniffing and logging traffic originating from and destined to a potential or an identified target, and obtaining relevant information. The choice of being passive may be due to reasons of configuration or access, or it may be a deliberate act by an intruder to avoid detection. Such probes are, by their nature, hard to detect. Any reconnaissance information gained using such tactics, however, is limited to the traffic visible to an intruder. Active probes are necessary if an intruder wishes to gather information that is both timely and of her choice.



A variety of techniques exist for active probes, including making use of mechanisms such as the TCP handshake to judge a host’s liveness, fingerprinting the protocol stack (which often indicates the operating system the host is running), probing DNS servers and grabbing service banners volunteering information on the host. Most active probes make use of techniques that use the core protocols of modern-day communications, namely IP, ICMP, TCP and UDP. Common approaches to counter probing activity at this level include:

• filtering inbound ICMP probes (responses to which are used to determine which machines are alive).
• filtering outbound ICMP responses to UDP port scanning attempts (where a lack of response allows an intruder to determine a live host).
• filtering inbound TCP probes with different combinations of flags set (the response, or lack of it, may indicate to an intruder whether a host is live or not, depending on the flags set and the operating system probed).
• using a variety of firewalling techniques that allow throttling of probes, and stateful mechanisms that disallow unsolicited packets aimed at generating responses from target hosts.

A somewhat more proactive approach is suggested by Kang et al., who propose to generate false positive responses to any probes attempting to detect hosts or enumerate ports targeting an unused address space or closed ports on active hosts. Their approach, referred to as all positive response (APR), is designed to make it difficult for an intruder to distinguish active hosts from inactive ones, and open ports from closed ones. To an intruder, all machines appear active and all ports appear open. Such an approach could also help in detecting any packets that follow up after initial probes, which attempt to probe the host further, enumerating ports or assessing some vulnerability. Using false responses is useful in hiding any information about the network that an intruder may try to gather, but an all positive approach will certainly indicate to an intruder that false responses are being generated to all probing. Another important issue is that generating false responses for a very large network may require untenably large resources, and may therefore not be scalable. Some factors to consider here are the size of the entire (used and unused) address space that the false response needs to be generated for, the rate at which the network is probed, the various types of probes launched (that need to be responded to) and the memory state required to detect any attempts at intrusion that follow up a false response. Generating a false positive response to probes targeting a closed port on an active host could also result in a conflict: an active host may have a port closed at the time of the probe, but the port may open (upon the host initiating a connection or starting a service, for instance) sometime after the false response is generated. Some alternatives to APR could be designed so that such responses are generated:

• where some probes are randomly replied to and some are not.
• to a specified subset of the unused address space. This subset could be chosen randomly (from a given chunk of addresses) or strategically (from an address space used non-contiguously).
• for all probes destined for the unused address space. This is similar to APR, except that only probes destined for the unused parts of the address space are replied to, and one or a few services are depicted.
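Whichever filtering approach is chosen, the probes that the perimeter drops are themselves the evidence of a reconnaissance incident, and the three activities above leave different patterns: port enumeration is one source touching many ports on one host, host detection is one source touching many hosts (with ICMP echo or a single port). The following detector over constructed netfilter-style drop log lines is an added example, not from the handbook; the thresholds, log format and addresses (documentation ranges) are assumptions to be tuned to your own logs.

```python
"""Classify dropped probes as port enumeration or host detection.

Added example, not from the handbook. Log lines, addresses and thresholds
are constructed; tune the thresholds to the normal drop rate of your edge.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?")


def build_sample_log():
    """Constructed drop log: one port scanner, one port-445 host sweep,
    one ICMP host sweep and a benign client retrying a single port."""
    lines = []
    for port in range(1, 21):   # 20 distinct ports on one host
        lines.append(f"Jun  1 10:03:01 fw01 kernel: DROP IN=eth0 "
                     f"SRC=198.51.100.9 DST=10.0.3.14 PROTO=TCP DPT={port}")
    for host in range(1, 13):   # the same port on 12 hosts
        lines.append(f"Jun  1 10:04:10 fw01 kernel: DROP IN=eth0 "
                     f"SRC=198.51.100.20 DST=10.0.3.{host} PROTO=TCP DPT=445")
    for host in range(1, 9):    # ICMP echo to 8 hosts
        lines.append(f"Jun  1 10:05:00 fw01 kernel: DROP IN=eth0 "
                     f"SRC=203.0.113.5 DST=10.0.4.{host} PROTO=ICMP TYPE=8")
    for _ in range(3):          # one client retrying one closed port
        lines.append("Jun  1 10:06:00 fw01 kernel: DROP IN=eth0 "
                     "SRC=192.0.2.4 DST=10.0.3.14 PROTO=TCP DPT=80")
    return lines


def detect_probes(lines, port_threshold=10, host_threshold=5):
    """Return sorted (source, kind, detail) tuples.

    kind is 'port_enumeration' when one source hit at least port_threshold
    distinct ports on a single host, 'host_detection' when it hit at least
    host_threshold distinct hosts, and 'host_detection_icmp' when that sweep
    used ICMP.  A source can appear with more than one kind.
    """
    ports_per_target = defaultdict(set)   # (src, dst) -> {dpt}
    hosts_per_source = defaultdict(set)   # src -> {dst}
    icmp_sources = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                       # not a drop record we understand
        src, dst, proto, dpt = m.group("src", "dst", "proto", "dpt")
        hosts_per_source[src].add(dst)
        if proto == "ICMP":
            icmp_sources.add(src)
        elif dpt:
            ports_per_target[(src, dst)].add(int(dpt))

    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            findings.append((src, "port_enumeration", f"{len(ports)} ports on {dst}"))
    for src, hosts in hosts_per_source.items():
        if len(hosts) >= host_threshold:
            kind = "host_detection_icmp" if src in icmp_sources else "host_detection"
            findings.append((src, kind, f"{len(hosts)} hosts"))
    return sorted(findings)


if __name__ == "__main__":
    for src, kind, detail in detect_probes(build_sample_log()):
        print(f"{src:16s} {kind:20s} {detail}")
```

The benign retrying client never crosses either threshold, which is the property to preserve when tuning: a single closed port hit repeatedly is an ordinary event, many distinct ports or hosts from one source is not. With an APR-style responder in place the same logic applies to the responder's own log of answered probes.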



Handling specific types of incidents

• Denial of Service (DoS): an attack that prevents the usage of network, system or application resources.
• Malicious Code: a virus, worm, Trojan horse or other code-based malicious entity that infects a host.
• Unauthorized Access: a user gains access without permission to a network, system, application, data or other resource.
• Inappropriate Usage: a user violates acceptable computing use policies.
• Multiple Component: a single incident that encompasses two or more incidents. For example, a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts.






Fig: A Sample Network Reconnaissance Check Screenshot






5.2 Denial of Service Incidents

DoS prevents authorized use of IT resources. The following are tips for responding to a network distributed denial-of-service (DDoS) incident.

General considerations
• DDoS attacks often take the form of flooding the network with unwanted traffic. Some attacks focus on overwhelming resources of a specific system.
• It will be very difficult to defend against the attack without specialized equipment or your ISP’s help.
• Too many people often participate during incident response. Limit the number of people on the team.
• DDoS incidents may span days. Consider how your team will handle a prolonged attack. Humans get tired!
• Understand your equipment’s capabilities in mitigating a DDoS attack. Many underappreciate the capabilities of their devices or overestimate their performance.



Prepare for a future incident
• If you do not prepare for a DDoS incident in advance, you will waste precious time during the attack.
• Contact your ISP to understand the paid and free DDoS mitigation it offers and what process you should follow.
• Create a whitelist of the source IPs and protocols you must allow if prioritizing traffic during an attack. Include your big customers, critical partners etc.
• Confirm DNS time-to-live (TTL) settings for the systems that might be attacked. Lower the TTLs, if necessary, to facilitate DNS redirection if the original IPs get attacked.
• Establish contacts for your ISP, law enforcement, IDS, firewall, systems and network teams.
• Document your IT infrastructure details, including business owners, IP addresses and circuit IDs. Prepare a network topology diagram and an asset inventory.
• Understand business implications (e.g. money lost) of likely DDoS attack scenarios.
• If the risk of a DDoS attack is high, consider purchasing specialized DDoS mitigation products or services.
• Collaborate with your BCP/DR planning team to understand their perspective on DDoS incidents.
• Harden the configuration of network, OS and application components that may be targeted by DDoS.
• Baseline your current infrastructure’s performance so you can identify the attack faster and more accurately.



Analyse the attack 











Understand the logical flow of the DDoS attack and identify the infrastructure components affected by it. Review the load and logs of servers, routers, firewalls, applications and other affected infrastructure. Identify what aspects of the DDoS traffic differentiate it from benign traffic (e.g. specific source IPs, destination ports, URLs, TCP flags etc.).



305



Trainer’s Handbook – Security Analyst SSC/N0902



























Use a network analyzer (e.g. tcpdump, ntop, Aguri, MRTG, a NetFlow tool) to review the traffic. Contact your ISP and internal teams to learn about their visibility into the attack, and to ask for help. If contacting the ISP, be specific about the traffic you would like to control (e.g. blackhole what networks blocks to be blackholed what source IPs to be rate-limited). Find out whether the company received an extortion demand as a precursor to the attack. Create a NIDS signature to focus to differentiate between benign and malicious traffic, if possible. Notify your company’s executive and legal teams upon their direction. Consider involving law enforcement.















Mitigate the effects of the attack

While it is very difficult to fully block DDoS attacks, you may be able to mitigate their effects.
• Attempt to throttle or block DDoS traffic as close to the network’s “cloud” as possible via a router, firewall, load balancer, specialized device etc.
• Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings.
• Switch to alternate sites or networks using DNS or another mechanism.
• Blackhole DDoS traffic targeting the original IPs, if possible.
• If the bottleneck is a particular feature of an application, temporarily disable that feature.
• Add servers or network bandwidth to handle the DDoS load (this is an arms race, though).
• Route traffic through a traffic-scrubbing service or product via DNS or routing changes.
• If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe.
• Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.

Wrap up the incident and adjust

• Consider what preparation steps you could have taken to respond to the incident faster or more effectively.
• Adjust assumptions that affected the decisions made during DDoS incident preparation, if necessary.
• Assess the effectiveness of your DDoS response process, involving people and communication.
• Consider what relationships inside and outside your organization could help you with future incidents.



Key DDoS incident response steps

• Preparation: establish contacts, define procedures and gather tools to save time during an attack.
• Analysis: detect the incident, determine its scope and involve the appropriate parties.
• Mitigation: mitigate the attack’s effects on the targeted environment.
• Wrap up: document the incident’s details, discuss lessons learned and adjust plans and defenses.









5.3 Unauthorized Access Incidents

Examples of unauthorised access include:
• performing a remote root compromise of an email server.
• defacing a web server.
• guessing and cracking passwords.
• copying a database containing credit card numbers.
• viewing sensitive data, including payroll records and medical information, without authorization.
• running a packet sniffer on a workstation to capture usernames and passwords.
• using a permission error on an anonymous FTP server to distribute pirated software and music files.
• dialing into an unsecured modem and gaining internal network access.
• posing as an executive, calling the help desk, resetting the executive’s email password and learning the new password.
• using an unattended, logged-in workstation without permission.



Preparation 







• configure network based and host based IDS software (such as file integrity checkers and log monitors) to identify and alert on attempts to gain unauthorized access. Each type of intrusion detection software may detect attacks that others are not able to detect.
• use centralized log servers so pertinent information from hosts across the organization is stored in a single secured location.
• establish procedures to be followed when all users of an application, system, trust domain or organization should change their passwords because of a password compromise. The procedures should adhere to the organization’s password policy.
• discuss unauthorized access incidents with system administrators so that they understand their roles in the incident handling process.



Prevention

Network security
• Configure the network perimeter to deny all incoming traffic that is not expressly permitted.
• Secure all remote access methods properly, including modems and VPNs. An unsecured modem can provide easily attainable unauthorized access to internal systems and networks. War dialling is the most efficient technique for identifying improperly secured modems. When securing remote access, carefully consider the trustworthiness of the clients. If they are outside the organization’s control, they should be given as little access to resources as possible, and their actions should be closely monitored.
• Put all publicly accessible services on secured demilitarized zone (DMZ) network segments. The network perimeter can then be configured so that external hosts can establish connections only to hosts on the DMZ, not internal network segments.






• Use private IP addresses for all hosts on internal networks. This will severely restrict the ability of attackers to establish direct connections to internal hosts.

Host security
• perform regular vulnerability assessments to identify serious risks and mitigate the risks to an acceptable level.
• disable all unneeded services on hosts. Separate critical services so they run on different hosts. If an attacker then compromises a host, immediate access should be gained only to a single service.
• run services with the least privileges possible to reduce the immediate impact of successful exploits.
• use host based firewall software to limit individual hosts’ exposure to attacks.
• limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens automatically and asking users to log off before leaving the office.
• verify the permission settings regularly for critical resources, including password files, sensitive databases and public web pages. This process can easily be automated to report changes in permissions on a regular basis.
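The permission check in the last bullet can be automated as follows. This Python is an added example, not handbook material: it stores a baseline of permission bits, ownership and content hash for a list of critical files and reports drift on later runs; the listed paths are placeholders.

```python
"""Report permission and content changes on critical resources (added example).

Keeps a JSON baseline of permission bits, owner and SHA-256 for each listed path
and reports differences on the next run. Paths below are constructed placeholders.
"""
import hashlib
import json
import os
import stat

CRITICAL = ["/etc/passwd", "/etc/shadow", "/var/www/html/index.html"]  # placeholders


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Record permission bits, owner and content hash per path (None if missing)."""
    result = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            result[p] = None  # a missing critical file is itself a finding
            continue
        result[p] = {
            "mode": oct(stat.S_IMODE(st.st_mode)),  # e.g. '0o644'; file type bits dropped
            "uid": st.st_uid,
            "gid": st.st_gid,
            "sha256": _sha256(p) if stat.S_ISREG(st.st_mode) else None,
        }
    return result


def compare(baseline, current):
    """Return (path, attribute, old, new) for every difference against the baseline."""
    findings = []
    for p, base in baseline.items():
        cur = current.get(p)
        if base is None and cur is None:
            continue
        if cur is None:
            findings.append((p, "missing", base, None))
            continue
        if base is None:
            findings.append((p, "appeared", None, cur))
            continue
        for key in ("mode", "uid", "gid", "sha256"):
            if base[key] != cur[key]:
                findings.append((p, key, base[key], cur[key]))
    return findings


def world_writable(current):
    """Paths whose current mode grants write to 'other', whatever the baseline says."""
    return [p for p, e in current.items() if e and int(e["mode"], 8) & stat.S_IWOTH]


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=2)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def run_check(paths, baseline_path):
    """First run writes the baseline; later runs report drift and world-writable files."""
    current = snapshot(paths)
    if not os.path.exists(baseline_path):
        save_baseline(current, baseline_path)
        return {"initialised": True, "findings": [], "world_writable": world_writable(current)}
    findings = compare(load_baseline(baseline_path), current)
    return {"initialised": False, "findings": findings, "world_writable": world_writable(current)}


if __name__ == "__main__":
    print(run_check(CRITICAL, "/var/lib/permcheck/baseline.json"))  # placeholder path
```

Run it from cron; the baseline file itself should live somewhere the monitored users cannot modify.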



Authentication and authorization
• create a password policy that requires the use of complex, ‘difficult-to-guess’ passwords, forbids password sharing, and directs users to use different passwords on different systems, especially external hosts and applications.
• require sufficiently strong authentication, particularly for accessing critical resources.
• create authentication and authorization standards for employees and contractors to follow when developing software. For example, passwords should be strongly encrypted using a FIPS 140-2 validated algorithm when they are transmitted or stored.
• establish procedures for provisioning and de-provisioning user accounts. These should include an approval process for new account requests and a process for periodically disabling or deleting accounts that are no longer needed.

Physical security
• Implement physical security measures that restrict access to critical resources.

Detection and analysis

As unauthorized access incidents can occur in many forms, they can be detected through dozens of types of precursors and indications.

Precursors

List of precursors and respective responses:

Precursor: unauthorized access incidents are often preceded by reconnaissance activity to map hosts and services and to identify vulnerabilities. Activity may include port scans, host scans, vulnerability scans, pings, trace routes, DNS zone transfers, OS fingerprinting and banner grabbing. Such activity is detected primarily through IDS software and, secondarily, through log analysis.
Response: incident handlers should look for distinct changes in reconnaissance patterns, for example a sudden interest in a particular port number or host. If this activity points out a vulnerability that could be exploited, the organization may have time to block future attacks by mitigating the vulnerability (e.g. patching a host, disabling an unused service, modifying firewall rules etc.).

Precursor: a new exploit for gaining unauthorized access is released publicly, and it poses a significant threat to the organization.
Response: the organization should investigate the new exploit and, if possible, alter security controls to minimize the potential impact of the exploit for the organization.

Precursor: users report possible social engineering attempts: attackers trying to trick them into revealing sensitive information, such as passwords, or encouraging them to download or run programs and file attachments.
Response: the incident response team should send a bulletin to users with guidance on handling the social engineering attempts. The team should determine what resources the attacker was interested in and look for corresponding log based precursors, as it is likely that the social engineering is only part of the reconnaissance.

Precursor: a person or system may observe a failed physical access attempt (e.g. an outsider attempting to open a locked wiring closet door, an unknown individual using a cancelled ID badge).
Response: security should detain the person, if possible. The purpose of the activity should be determined and it should be verified that the physical and computer security controls are strong enough to block the apparent threat. (An attacker who cannot gain physical access may perform remote computing based attacks instead.) Physical and computer security controls should be strengthened if necessary.

Indications

List of malicious actions and their respective indicators:

Malicious action: root compromise of a host
Indicators:
• Hacker tools on system
• Unusual traffic to/from host
• System configuration changes
• Modification of critical files
• Unexplained account usage
• Strange OS/application log messages

Malicious action: unauthorized data modification (e.g. web server defacement, FTP warez server)
Indicators:
• Network intrusion detection alerts
• Increased resource utilization
• User reports of the data modification (e.g. defaced website)
• Modifications to critical files (e.g. web pages)
• New files or directories with unusual names (e.g. binary characters, leading spaces, leading dots etc.)
• Significant changes in expected resource usage (e.g. CPU, network activity, full logs or file systems)

Malicious action: unauthorized usage of a standard user account
Indicators:
• Access attempts to critical files (e.g. password files)
• Unexplained account usage (e.g. idle account in use, account in use from multiple locations at once, commands that are unexpected from a particular user, large number of locked-out accounts)
• Web proxy log entries showing the download of hacker tools

Containment, eradication and recovery

Initial containment elements:
• Isolation of affected system
• Disabling affected service
• Eliminate attacker’s route
• Disable user accounts used in attack
• Enhance physical security

Eradication and recovery

Successful attackers frequently install rootkits, which modify or replace dozens or hundreds of files, including system binaries. Rootkits hide much of what they do, making it tricky to identify what was changed. Therefore, if an attacker appears to have gained root access to a system, handlers cannot trust the operating system software. Typically, the best solution is to restore the system from a known good backup or reinstall the operating system and applications from scratch, and then secure the system properly. Changing all passwords on the system, and possibly on all systems that have trust relationships with the victim system, is also highly recommended.

Some unauthorized access incidents involve the exploitation of multiple vulnerabilities, so it is important for handlers to identify all vulnerabilities that were used and to determine strategies for correcting or mitigating each vulnerability. Other vulnerabilities that are present should be mitigated as well, or an attacker may use them instead. If an attacker only gains a lesser level of access than administrator level, eradication and recovery actions should be based on the extent to which the attacker gained access. Vulnerabilities that were used to gain access should be mitigated appropriately. Additional actions should be performed as merited to identify and address weaknesses systemically. For example, if an attacker gained user level access by guessing a weak password, then not only should that account’s password be changed to a stronger password, but also the system administrator and owner should consider enforcing stronger password requirements. If the system was in compliance with the organization’s password policies, the organization should consider revising its password policies.
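The “unexplained account usage” indicators listed above (idle account in use, account in use from multiple locations at once, large number of locked-out accounts) can be checked mechanically against authentication logs. The following Python is an added example, not handbook material: the sshd-style log lines and the last-seen dates are constructed, and the windows and thresholds are assumptions.

```python
"""Detect 'unexplained account usage' indicators in authentication logs (added example).

Constructed sshd-style log lines; the time windows and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one morning of sshd messages on a web server.
LOG = """\
2024-03-10T08:01:10 web1 sshd[410]: Accepted password for alice from 10.0.5.21 port 50122 ssh2
2024-03-10T08:03:42 web1 sshd[415]: Accepted password for alice from 198.51.100.77 port 40011 ssh2
2024-03-10T08:10:03 web1 sshd[420]: Accepted publickey for svc_backup from 10.0.9.4 port 33001 ssh2
2024-03-10T08:12:00 web1 sshd[430]: Failed password for carol from 198.51.100.77 port 40100 ssh2
2024-03-10T08:12:01 web1 sshd[431]: Failed password for carol from 198.51.100.77 port 40101 ssh2
2024-03-10T08:12:02 web1 sshd[432]: Failed password for carol from 198.51.100.77 port 40102 ssh2
2024-03-10T08:12:05 web1 sshd[433]: Failed password for dave from 198.51.100.77 port 40103 ssh2
2024-03-10T08:12:06 web1 sshd[434]: Failed password for dave from 198.51.100.77 port 40104 ssh2
2024-03-10T08:12:07 web1 sshd[435]: Failed password for dave from 198.51.100.77 port 40105 ssh2
2024-03-10T08:12:09 web1 sshd[436]: Failed password for invalid user erin from 198.51.100.77 port 40106 ssh2
2024-03-10T08:12:10 web1 sshd[437]: Failed password for invalid user erin from 198.51.100.77 port 40107 ssh2
2024-03-10T08:12:11 web1 sshd[438]: Failed password for invalid user erin from 198.51.100.77 port 40108 ssh2
2024-03-10T09:30:00 web1 sshd[500]: Accepted password for bob from 10.0.5.30 port 50200 ssh2
"""

# Constructed: last successful login per account, as an identity system would hold it.
LAST_SEEN = {"alice": "2024-03-09", "svc_backup": "2023-10-01", "bob": "2024-03-08",
             "carol": "2024-03-09", "dave": "2024-03-09"}

LINE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port")


def parse(text):
    """(timestamp, 'Accepted'|'Failed', user, source IP) per recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def concurrent_logins(events, window=timedelta(minutes=10)):
    """Same account accepted from two different IPs within `window`."""
    findings = set()
    accepted = [(ts, u, ip) for ts, r, u, ip in events if r == "Accepted"]
    for i, (ts_a, u_a, ip_a) in enumerate(accepted):
        for ts_b, u_b, ip_b in accepted[i + 1:]:
            if u_a == u_b and ip_a != ip_b and ts_b - ts_a <= window:
                findings.add((u_a, ip_a, ip_b))
    return sorted(findings)


def dormant_account_use(events, last_seen, min_idle_days=90):
    """Accepted logins to accounts idle for at least `min_idle_days`."""
    findings = []
    for ts, r, u, ip in events:
        if r != "Accepted" or u not in last_seen:
            continue
        idle = ts.date() - datetime.fromisoformat(last_seen[u]).date()
        if idle.days >= min_idle_days:
            findings.append((u, ip, idle.days))
    return findings


def lockout_candidates(events, max_failures=3, window=timedelta(minutes=5)):
    """Accounts with >= max_failures failed logins inside `window` (likely locked out)."""
    by_user = defaultdict(list)
    for ts, r, u, _ in events:
        if r == "Failed":
            by_user[u].append(ts)
    locked = []
    for u, times in by_user.items():
        times.sort()
        for i in range(len(times) - max_failures + 1):
            if times[i + max_failures - 1] - times[i] <= window:
                locked.append(u)
                break
    return sorted(locked)


def indicators(text, last_seen, mass_lockout=3):
    """All three indicators in one report; mass_lockout is the assumed 'large number'."""
    ev = parse(text)
    locked = lockout_candidates(ev)
    return {"concurrent": concurrent_logins(ev),
            "dormant": dormant_account_use(ev, last_seen),
            "locked_out": locked,
            "mass_lockout": len(locked) >= mass_lockout}


if __name__ == "__main__":
    print(indicators(LOG, LAST_SEEN))
```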











Recommendations

Key recommendations for handling unauthorized access incidents are summarized below:
• configure intrusion detection software to alert on attempts to gain unauthorized access. Network and host based intrusion detection software (including file integrity checking software) is valuable for detecting attempts to gain unauthorized access. Each type of software may detect incidents that the other types of software cannot, so the use of multiple types of computer security software is highly recommended.
• configure all hosts to use centralized logging. Incidents are easier to detect if data from all hosts across the organization is stored in a centralized, secured location.
• establish procedures for having all users change their passwords. A password compromise may force the organization to require all users of an application, system, trust domain or, perhaps, the entire organization to change their passwords.
• configure the network perimeter to deny all incoming traffic that is not expressly permitted. By limiting the types of incoming traffic, attackers should be able to reach fewer targets and should be able to reach the targets using only designated protocols. This should reduce the number of unauthorized access incidents.
• secure all remote access methods, including modems and VPNs. Unsecured modems provide easily attainable unauthorized access to internal systems and networks. Remote access clients are often outside the organization’s control; granting them access to resources increases risk.
• put all publicly accessible services on secured DMZ network segments. This permits the organization to allow external hosts to initiate connections to hosts only on the DMZ segments, not to hosts on internal network segments. This should reduce the number of unauthorized access incidents.
• disable all unneeded services on hosts and separate critical services. Every service that is running presents another potential opportunity for compromise. Separating critical services is important because if an attacker compromises a host that is running a critical service, immediate access should be gained only to that one service.
• use host based firewall software to limit individual hosts’ exposure to attacks. Deploying host based firewall software to individual hosts and configuring it to deny all activity that is not expressly permitted should further reduce the likelihood of unauthorized access incidents.
• create and implement a password policy. The password policy should require the use of complex, ‘difficult-to-guess’ passwords and ensure that authentication methods are sufficiently strong for accessing critical resources. Weak and default passwords are likely to be guessed or cracked, leading to unauthorized access.
• provide change management information to the incident response team. Indications such as system shutdowns, audit configuration changes and executable modifications are probably caused by routine system administration rather than attacks. When such indications are detected, the team should be able to use change management information to verify that the indications are caused by authorized activity.
• select containment strategies that balance mitigating risks and maintaining services. Incident handlers should consider moderate containment solutions that focus on mitigating the risks as much as is practical while maintaining unaffected services.
• restore or reinstall systems that appear to have suffered a root compromise. The effects of root compromises are often difficult to identify completely. The system should be restored from a known good backup, or the operating system and applications should be reinstalled from scratch. The system should then be secured properly so the incident cannot recur.









5.4 Inappropriate usage incident

An inappropriate usage incident occurs when a user performs actions that violate acceptable computing use policies. Although such incidents are often not security related, handling them is very similar to handling security related incidents. Therefore, it has become commonplace for incident response teams to handle many inappropriate usage incidents. Examples of incidents a team might handle include users who:
• download password cracking tools or pornography.
• send spam promoting a personal business.
• email harassing co-workers.
• set up an unauthorized website on one of the organization’s computers.
• use file or music sharing services to acquire or distribute pirated materials.
• transfer sensitive materials from the organization to external locations.



Recommendations















Key recommendations for handling inappropriate usage incidents include:
• discuss the handling of inappropriate usage incidents with the organization’s human resources and legal departments. Processes for monitoring and logging user activities should comply with the organization’s policies and all applicable laws. Procedures for handling incidents that directly involve employees should incorporate discretion and confidentiality.
• discuss liability issues with the organization’s legal departments. Liability issues may arise during inappropriate usage incidents, particularly for incidents that are targeted at outside parties. Incident handlers should understand when they should discuss incidents with the allegedly attacked party and what information they should reveal.
• configure network based intrusion detection software to detect certain types of inappropriate usage. Intrusion detection software has built-in capabilities to detect certain inappropriate usage incidents, such as the use of unauthorized services, outbound reconnaissance activity and attacks, and improper mail relay usage (e.g. sending spam).
• log basic information on user activities. Basic information on user activities, such as FTP commands, web requests and email headers, may be valuable for investigative and evidentiary purposes.
• configure all email servers so they cannot be used for unauthorized mail relaying. Mail relaying is commonly used to send spam.
• implement spam filtering software on all email servers. Spam filtering software can block much of the spam sent by external parties to the organization’s users as well as spam that is sent by internal users.
• implement URL filtering software. It prevents access to many inappropriate websites. Users should be required to use the software, typically by preventing access to external websites unless the traffic passes through a server that performs URL filtering.






5.5 Multiple component incident

A multiple component incident is a single incident that encompasses two or more incidents. For example, the following could comprise a multiple component incident:
1. Malicious code spread through email compromises an internal workstation.
2. An attacker (who may or may not be the one who sent the malicious code) uses the infected workstation to compromise additional workstations and servers.
3. An attacker (who may or may not have been involved in steps 1 or 2) uses one of the compromised hosts to launch a DDoS attack against another organization.

This multiple component incident consists of a malicious code incident, several unauthorized access incidents and a DoS incident.



Recommendations

The key recommendations for handling multiple component incidents are given below:
• use centralized logging and event correlation software. Incident handlers should identify an incident as having multiple components more quickly if all precursors and indications are accessible from a single point of view.
• contain the initial incident and then search for signs of other incident components. It can take an extended period of time for a handler to authoritatively determine that an incident has only a single component; meanwhile, the initial incident has not been contained. It is generally better to contain the initial incident first.
• prioritize the handling of each incident component. Resources are probably too limited to handle all incident components simultaneously. Components should be prioritized based on the current component and its response guidelines.
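The first recommendation, correlating events from a single point of view, is illustrated by the following Python. It is an added example, not handbook material: the events from three log sources (anti-virus, authentication, flow records) are constructed to reproduce the three-step scenario in 5.5, and the linking rule (a host implicated in the incident “taints” any host it later logs in to, and its own later outbound activity) is an assumption.

```python
"""Correlate centralized events into one multiple component incident (added example).

Constructed events from three sources; the host-tainting link rule is an assumption.
"""
from collections import defaultdict

# Constructed and already time-ordered: (time, source, kind, host, peer)
EVENTS = [
    ("09:00", "av",   "malware_detected", "ws-17", None),           # step 1: malicious code
    ("09:20", "auth", "login_success",    "fs-1",  "ws-17"),        # step 2: ws-17 reaches file server
    ("09:25", "auth", "login_success",    "app-2", "ws-17"),
    ("09:40", "auth", "login_success",    "db-1",  "app-2"),        # pivot from app-2
    ("10:10", "flow", "outbound_flood",   "db-1",  "203.0.113.9"),  # step 3: DDoS on another org
    ("10:15", "auth", "login_success",    "hr-3",  "ws-40"),        # unrelated activity
]

COMPONENT = {"malware_detected": "malicious code",
             "login_success": "unauthorized access",
             "outbound_flood": "denial of service"}


def correlate(events, seed_kinds=("malware_detected",)):
    """Group events into incidents by following host-to-host links from a seed event."""
    tainted = {}                      # host -> incident id
    incidents = defaultdict(list)
    next_id = 1
    for time, _source, kind, host, peer in events:
        inc = None
        if kind in seed_kinds and host not in tainted:
            inc = next_id
            next_id += 1
            tainted[host] = inc
        elif peer in tainted:         # activity originating from an implicated host
            inc = tainted[peer]
            tainted.setdefault(host, inc)
        elif host in tainted and kind != "login_success":
            inc = tainted[host]       # an implicated host doing something else (e.g. flooding)
        if inc is not None:
            incidents[inc].append((time, kind, host, peer))
    return dict(incidents)


def components(incident_events):
    """Distinct incident types in first-seen order, with the hosts involved in each."""
    seen = {}
    for _time, kind, host, _peer in incident_events:
        seen.setdefault(COMPONENT[kind], []).append(host)
    return [(name, sorted(set(hosts))) for name, hosts in seen.items()]


if __name__ == "__main__":
    for inc_id, evs in correlate(EVENTS).items():
        print(inc_id, components(evs))
```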






Trainer’s Handbook – Security Analyst SSC/ Q0903



SSC/ N 0903 Install, configure and troubleshoot information security devices



UNIT I: Configuring Network Devices
UNIT II: Configuring Secure Content Management
UNIT III: Configuring Firewall
UNIT IV: Troubleshooting Cisco IOS Firewall Configurations
UNIT V: Cisco IOS Firewall IDS
UNIT VI: IPS Configuration
UNIT VII: Anti-virus and Antispam Software
UNIT VIII: Web Application Security Configuration
UNIT IX: Patch Management









Unit Code: SSC/ N 0903
Unit Title (Task): Install, configure and troubleshoot information security devices
Description: This unit is about installing/configuring information security devices and resolving any problems, following clearly laid down instructions and guidelines.
Scope: This unit/task covers the following:



Information security devices may cover:
• Identify and Access Management (IdAM)
• networks (wired and wireless)
• devices
• endpoints/edge devices
• storage devices
• servers
• software
• application security
• application support
• application penetration
• application testing
• content management
• messaging
• web security
• security of infrastructure
• infrastructure devices (e.g. routers, firewall services)
• computer assets, servers and storage networks
• messaging
• intrusion detection/prevention
• security incident management
• third party security management
• personnel security requirements

Appropriate people:
• line manager
• members of the security team
• subject matter experts

Stakeholders:
• internal
• external

Performance Criteria (PC) w.r.t. the Scope
The user/individual on the job should be able to:
PC1. identify the information security devices you are required to install/configure/troubleshoot and source relevant instructions and guidelines
PC2. identify any issues with instructions and guidelines for installing/configuring information security devices and clarify these with appropriate people
PC3. liaise with stakeholders clearly and promptly regarding the installation/configuration of information security devices
PC4. install/configure information security devices as per instructions and guidelines
PC5. test installed/configured information security devices, following instructions and guidelines
PC6. resolve problems with security devices, following instructions and guidelines
PC7. obtain advice and guidance on installing/configuring/testing/troubleshooting information security devices from appropriate people, where required
PC8. record the installation/configuration/testing/troubleshooting of information security devices promptly using standard templates and tools
PC9. provide reports for troubleshooting, configurations and deployment using standard templates and tools
PC10. comply with your organization’s policies, standards, procedures, guidelines and service level agreements (SLAs) when installing/configuring/troubleshooting information security devices

Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/organization and its processes)
The user/individual on the job needs to know and understand:
KA1. your organization’s policies, procedures, standards, guidelines and client specific service level agreements for installing, configuring and troubleshooting information security devices
KA2. limits of your role and responsibilities and who to seek guidance from where required
KA3. your organization’s systems, procedures and tasks/checklists relevant to your work and how to use these
KA4. the importance of following manufacturer’s installation guides and procedures and how to access and apply these to install, configure and troubleshoot information security devices
KA5. who to involve when installing, configuring and troubleshooting information security devices
KA6. methods and techniques used when working with others
KA7. the importance of recording issues when installing/configuring/troubleshooting information security devices and how to report these
KA8. standard tools and templates available and how to use these to record installation/configuration/troubleshooting

B. Technical Knowledge
The user/individual on the job needs to know and understand:
KB1. different types of information security devices and their functions
KB2. different technical and configuration specifications for information security devices and how this affects function and use
KB3. architecture concepts and design patterns and how these contribute to the security of design and devices
KB4. common issues that may occur when installing or configuring information security devices and how to resolve these
KB5. methods of testing installed/configured information security devices









THE UNITS

The module for this NOS is divided into 9 Units.



UNIT I: Configuring Network Devices
1.1. Identifying Unauthorized Devices
1.2. Testing the Traffic Filtering Devices
1.3. Solutions Combining Traffic Filtering with Other Technologies

UNIT II: Configuring Secure Content Management
2.1 Secure Content Management Overview
2.2 The Importance of Secure Content Management
2.3 How Does Secure Content Management Work?
2.4 Solution Architectures

UNIT III: Configuring Firewall
3.1. What Firewall Software Does
3.2. Firewall Configuration
3.3. Why Firewall Security?
3.4. Configuring a Simple Firewall

UNIT IV: Troubleshooting Cisco IOS Firewall Configurations
4.1 Troubleshooting Cisco IOS Firewall Configurations

UNIT V: Cisco IOS Firewall IDS
5.1 Cisco IOS Firewall IDS Feature
5.2 Cisco IOS Firewall IDS Signature List
5.3 Cisco IOS Firewall IDS Configuration Task List

UNIT VI: IPS Configuration
6.1 Understanding IPS Network Sensing
6.2 Overview of IPS Configuration

UNIT VII: Anti-virus and Antispam Software
7.1 Antivirus Software
7.2 Antispam Software

UNIT VIII: Web Application Security Configuration
8.1 Web Application Security Overview
8.2 Configuring Cisco Web Application Security Module

UNIT IX: Patch Management
9.1 Patch Management Overview
9.2 The Patch Management Process
9.3 Windows Patch Management Tools









UNIT I Configuring Network Devices



This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
1.1. Identifying Unauthorized Devices
1.2. Testing the Traffic Filtering Devices
1.3. Solutions Combining Traffic Filtering with Other Technologies









LESSON PLAN



Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures
• Peer group, Faculty group and Industry experts.
• KA4, KA5: Peer group, Faculty group and Industry experts.
• KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

Duration (Hrs)
• 2 hr in class presentations
• 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.

Work Environment / Lab Requirement
• PCs/Tablets/Laptops
• Projection facilities
• PCs/Tablets/Laptops
• Labs availability (24/7)
• Internet with WiFi (Min 2 Mbps Dedicated)
• Access to all security sites like ISO, PCI DSS, Center for Internet Security









Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.

Activity 3: Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.









Trainer Resource Material

1.1. Identifying Unauthorized Devices

Most organizations today use some form of asset management. These systems work great for managing assets that are known and permitted within the environment, but offer little visibility or control over rogue machines that may be connecting to the network. The challenge with rogue devices is that they are not part of the management framework. This means that they are not part of any standards, policies, security controls, or patch updates. They pose a unique threat to an environment. Consider a server that a developer built to test something and never decommissioned. This server remains online, running company code on an unpatched database. Without actively monitoring the network, there is no way that an administrator can have any real idea of the volume of unmanaged systems on the network. The greater the number of unmanaged systems, the greater the risk to the network. Where administrators have audited the network, typically between 1 percent and 10 percent of assets were previously unknown to the administrator. Once detected, local system administrators can manage modest numbers of assets. However, if the volume or location of rogue assets is excessive or dangerous, these results provide justification and motivation for automated and proactive enforcement performed by Network Access Control.



Identify Assets

There are two general approaches to identifying assets on the network, techniques that are very similar in nature to finding viruses:
• on-access or real-time detection
• on-demand or scheduled detection

Note that the optimal solution is likely to be able to cater for both approaches to device identification.



Real-time detection: relies on detection of traffic generated by the endpoint. The benefit is its timely nature: detection is immediate. Consequently, you can take action very quickly. The downside of this approach is that since detection is based on traffic generated by the endpoint, there must be a sensor located near this traffic. This technique may not be practical for all network topologies.

Scheduled detection: the system queries network addresses for a response according to a schedule. This model can overcome the proximity limitations of the first approach. Sensors can execute scans from a limited number of locations or a single location on the network. The downside of this approach is that detection is not immediate. It is limited to the detection interval determined by the schedule. As in the example of off-hours scanning, rogue systems may operate on the network between detection scans and escape identification.
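The two approaches can feed one reconciliation step. The following Python is an added example, not handbook material: it takes an on-access source (DHCP server log lines, constructed in ISC dhcpd style) and an on-demand source (the result of a scheduled ARP/ping sweep, constructed), checks both against a known-asset inventory keyed by MAC address, and reports unknown devices as well as inventory entries that were never observed. The “likely portable” hostname heuristic is an assumption.

```python
"""Reconcile observed devices against the asset inventory (added example).

Combines an on-access source (DHCP server log lines, constructed in ISC dhcpd
style) with an on-demand source (a scheduled ARP/ping sweep, constructed) and
reports MACs that are not in the inventory, plus inventory entries never seen.
The 'likely portable' hostname heuristic is an assumption.
"""
import re

INVENTORY = {  # constructed: MAC -> (hostname, owner, department)
    "00:11:22:33:44:01": ("web1", "ops", "IT"),
    "00:11:22:33:44:02": ("db1", "dba", "IT"),
    "00:11:22:33:44:03": ("laptop-7", "alice", "Finance"),
}

DHCP_LOG = """\
Mar 10 08:00:01 dhcp1 dhcpd: DHCPACK on 10.0.5.44 to 00:11:22:33:44:03 (laptop-7) via eth0
Mar 10 08:02:15 dhcp1 dhcpd: DHCPACK on 10.0.5.91 to d4:3b:04:aa:bb:cc (android-8f2) via eth0
Mar 10 08:05:40 dhcp1 dhcpd: DHCPDISCOVER from 6c:88:14:de:ad:01 via eth0
Mar 10 08:05:41 dhcp1 dhcpd: DHCPACK on 10.0.5.92 to 6c:88:14:de:ad:01 (testbox) via eth0
"""

SCAN = [  # constructed sweep result: statically addressed hosts never appear in DHCP logs
    ("10.0.5.10", "00:11:22:33:44:01"),
    ("10.0.5.200", "00:11:22:33:44:99"),
]

ACK = re.compile(r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \((\S+)\))? via")
PORTABLE_PREFIXES = ("android-", "iphone", "ipad", "galaxy")  # heuristic, assumed


def dhcp_leases(text):
    """Latest lease per MAC: mac -> (ip, hostname or '')."""
    leases = {}
    for line in text.splitlines():
        m = ACK.search(line)
        if m:
            ip, mac, host = m.groups()
            leases[mac.lower()] = (ip, host or "")
    return leases


def reconcile(inventory, leases, scan):
    """Devices seen by either source that the inventory does not know about."""
    seen = {}
    for mac, (ip, host) in leases.items():
        seen.setdefault(mac, {"ip": ip, "host": host, "sources": []})["sources"].append("dhcp")
    for ip, mac in scan:
        seen.setdefault(mac.lower(), {"ip": ip, "host": "", "sources": []})["sources"].append("scan")
    unknown = {}
    for mac, info in seen.items():
        if mac not in inventory:
            info["likely_portable"] = info["host"].lower().startswith(PORTABLE_PREFIXES)
            unknown[mac] = info
    return unknown


def inventory_gaps(inventory, leases, scan):
    """Inventory entries not observed by either source: review for decommissioning."""
    observed = set(leases) | {mac.lower() for _, mac in scan}
    return sorted(mac for mac in inventory if mac not in observed)


if __name__ == "__main__":
    leases = dhcp_leases(DHCP_LOG)
    for mac, info in reconcile(INVENTORY, leases, SCAN).items():
        print("UNKNOWN", mac, info)
    print("NOT SEEN", inventory_gaps(INVENTORY, leases, SCAN))
```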



Trainer’s Handbook – Security Analyst SSC/ Q0903



A further step in identifying unauthorised devices is to deploy an asset inventory tool.

Asset Inventory Tool

Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to the organization's public and private network(s). Both active tools, which scan through network address ranges, and passive tools, which identify hosts by analysing their traffic, should be employed. Enable DHCP server logging, and use a system that consumes the DHCP information to improve the asset inventory and detect unknown systems. All equipment acquisitions should automatically update the inventory as new, approved devices are connected to the network.

Maintain an asset inventory of all systems connected to the network, and of the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet Protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice over IP telephones, multi-homed addresses and virtual addresses. The inventory must also record whether a device is portable and/or personal. Devices such as mobile phones, tablets, laptops and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network. Make sure the asset inventory database is properly protected and that a copy is stored in a secure location.

In addition to an inventory of hardware, organizations should develop an inventory of information assets that identifies their critical information. The information asset inventory should map critical information to the hardware assets (including servers, workstations and laptops) on which it is located. A department and an individual responsible for each information asset should be identified, recorded and tracked.

Beyond the asset inventory tool, the organisation needs to:

• deploy network-level authentication via 802.1X to limit and control which devices can be connected to the network;
• deploy network access control (NAC) to monitor authorized systems, so that if an attack occurs the impact can be contained by moving the untrusted system to a virtual local area network (VLAN) with minimal access;
• create separate VLANs for BYOD (bring your own device) systems or other untrusted devices;
• use client certificates to validate and authenticate systems before they connect to the private network.



Organizations must first establish information/asset owners, deciding and documenting which organizations and individuals are responsible for each component of a business process, including its information, software and hardware. In particular, when organizations acquire new systems, they record the owner and features of each new asset, including its network interface media access control (MAC) address and location. This mapping of asset attributes and owner to MAC address can be stored in a free or commercial database management system.

Use tools to pull information from network assets such as switches and routers about the machines connected to the network. Using securely authenticated and encrypted network management protocols, tools can retrieve MAC addresses and other information from network devices that can then be reconciled with the organization's asset inventory of servers, workstations, laptops and other devices. Once MAC addresses are confirmed, switches should implement 802.1X and NAC so that only authorized and properly configured systems can connect to the network.

Effective organizations configure free or commercial network scanning tools to perform network sweeps on a regular basis, sending a variety of packet types to identify devices connected to the network. In addition to active scanning tools that sweep the network, other asset identification tools passively listen on network interfaces for devices announcing their presence by sending traffic. Such passive tools can be connected to switch SPAN ports at critical places in the network to view all data flowing through those switches, maximizing the chance of identifying the systems communicating through them. Whether physical or virtual, each machine using an IP address should be included in the organization's asset inventory.

The system must be capable of identifying any new unauthorized device connected to the network within 24 hours, alerting or sending an e-mail notification to a list of enterprise administrative personnel. It must automatically isolate the unauthorized system from the network within one hour of the initial alert and send a follow-up alert or e-mail notification when isolation is achieved. Every 24 hours after that point, the system must alert or send e-mail about the status of the system until the unauthorized system has been removed from the network. The asset inventory database and alerting system must be able to identify the location, department and other details of where authorized and unauthorized devices are plugged into the network.

To evaluate the implementation of this control (Control 1) on a periodic basis, the evaluation team will connect hardened test systems to at least 10 locations on the network, including a selection of subnets associated with demilitarized zones (DMZs), workstations and servers. Two of the systems must be included in the asset inventory database, while the others are not. The evaluation team must then verify that the system generates an alert or e-mail notice about the newly connected systems within 24 hours of the test machines being connected to the network, and that it provides details of the location of all the test machines. For those test machines included in the asset inventory, the team must also verify that the system provides information about the asset owner. The evaluation team must then verify that the test systems are automatically isolated from the production network within one hour of the initial notification, that an e-mail or alert indicating the isolation is sent, and that the connected test systems are in fact isolated from production systems.
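The reconciliation described above (DHCP server logs plus MAC tables pulled from switches, checked against the asset inventory, with the 24-hour alert and one-hour isolation deadlines) can be demonstrated with a small script. The following is an added example for this handbook, not code from any vendor tool: the inventory, the dhcpd-style syslog lines, the switch MAC table and the sweep time are all constructed, and the log format is an assumption, so the regular expression would need adjusting for a real DHCP server.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed inventory (not real data): MAC -> (hostname, owner, department, recorded location)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("fileserver01", "A. Rao", "IT Ops", "sw-core-1/Gi1/0/1"),
    "aa:bb:cc:00:00:02": ("ws-finance-07", "R. Menon", "Finance", "sw-floor2/Gi1/0/7"),
}

# Constructed syslog lines in the style of ISC dhcpd DHCPACK messages (assumed format).
DHCP_LOG = """\
Jun 14 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.2.17 to aa:bb:cc:00:00:02 via eth0
Jun 14 09:40:55 dhcp1 dhcpd: DHCPACK on 10.0.2.44 to de:ad:be:ef:00:01 via eth0
Jun 14 10:02:13 dhcp1 dhcpd: DHCPACK on 10.0.1.5 to aa:bb:cc:00:00:01 via eth0
"""

# Constructed MAC address table as pulled from switches over an authenticated management
# protocol: (switch, port, mac). One entry never took a DHCP lease (static address), which
# is exactly why both sources are reconciled rather than relying on DHCP alone.
SWITCH_MAC_TABLE = [
    ("sw-floor2", "Gi1/0/7", "aa:bb:cc:00:00:02"),
    ("sw-floor2", "Gi1/0/19", "de:ad:be:ef:00:01"),
    ("sw-core-1", "Gi1/0/1", "aa:bb:cc:00:00:01"),
    ("sw-dmz-1", "Gi1/0/3", "de:ad:be:ef:00:02"),
]

SWEEP_TIME = datetime(2015, 6, 14, 12, 0, 0)   # constructed "now" for this sweep
ALERT_WINDOW = timedelta(hours=24)             # alert within 24 h of first sighting
ISOLATE_WINDOW = timedelta(hours=1)            # isolate within 1 h of the alert

DHCPACK_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to ([0-9a-fA-F:]{17})")


@dataclass
class DeviceReport:
    mac: str
    ip: Optional[str]
    location: str
    authorized: bool
    hostname: Optional[str]
    owner: Optional[str]
    department: Optional[str]
    first_seen: datetime
    alert_by: datetime      # latest acceptable time for the alert
    isolate_by: datetime    # latest acceptable isolation time if the alert goes out at alert_by


def parse_dhcp_acks(log_text: str, year: int) -> dict:
    """Return {mac: (ip, timestamp)} for every DHCPACK line; syslog lines carry no year."""
    leases = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            leases[m.group(3).lower()] = (m.group(2), ts)
    return leases


def reconcile(dhcp_log: str, mac_table, inventory: dict, now: datetime) -> list:
    """Merge DHCP leases and switch MAC tables, then check every MAC seen against the inventory."""
    leases = parse_dhcp_acks(dhcp_log, now.year)
    locations = {mac.lower(): f"{sw}/{port}" for sw, port, mac in mac_table}
    reports = []
    for mac in sorted(set(leases) | set(locations)):
        ip, seen = leases.get(mac, (None, now))   # no lease: first sighting is this sweep
        entry = inventory.get(mac)
        alert_by = seen + ALERT_WINDOW
        reports.append(DeviceReport(
            mac=mac, ip=ip,
            location=locations.get(mac, "unknown (not in any switch MAC table)"),
            authorized=entry is not None,
            hostname=entry[0] if entry else None,
            owner=entry[1] if entry else None,
            department=entry[2] if entry else None,
            first_seen=seen, alert_by=alert_by, isolate_by=alert_by + ISOLATE_WINDOW,
        ))
    return reports


def unauthorized(reports: list) -> list:
    return [r for r in reports if not r.authorized]


def location_mismatches(reports: list, inventory: dict) -> list:
    """Authorized devices plugged in somewhere other than their recorded location."""
    return [r for r in reports if r.authorized and inventory[r.mac][3] != r.location]


if __name__ == "__main__":
    for r in unauthorized(reconcile(DHCP_LOG, SWITCH_MAC_TABLE, INVENTORY, SWEEP_TIME)):
        print(f"ALERT unauthorized {r.mac} ip={r.ip} at {r.location}; "
              f"alert by {r.alert_by:%Y-%m-%d %H:%M}, isolate by {r.isolate_by:%Y-%m-%d %H:%M}")
```

Run as-is, the script reports the two constructed rogue MACs with their switch port, which is the "location" detail the evaluation team is told to verify; the DMZ device that never requested a lease is only found because the switch MAC table is consulted as well. In a real deployment the inventory would come from the asset database and the MAC table from the switches over an authenticated management protocol, and the alert would feed the NAC quarantine action rather than a print statement.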






1.2. Testing the Traffic Filtering Devices

In order to reduce security threats, organisations use various devices, technologies and techniques for traffic filtering. There are four basic recommendations for traffic filtering. Each institution or organisation that wishes to improve the efficiency of filtering and increase the level of security in its network should apply the following:

1. Define traffic-filtering rules that will determine the manner in which incoming and outgoing traffic in the network is regulated. A set of traffic-filtering rules can be adopted as an independent packet-filtering policy or as part of the information security policy;
2. Select a traffic-filtering technology to implement, depending on the requirements and needs;
3. Implement the defined rules on the selected technology and optimise the performance of the devices accordingly;
4. Maintain all the components of the solution, including not only the devices but also the policy.



Traffic-filtering technologies are commonly divided into:

• packet filtering (stateless firewall) technologies;
• stateful firewall technologies.

The packet-filtering functionality (stateless firewall) is built into the majority of operating systems and devices with a traffic-routing feature. In most cases it is a router on which access control lists (ACLs) are applied. A packet filter implemented on a router is the simplest, but only one, of the available traffic-filtering methods. Packet filtering is the basic feature of all firewall devices. The first firewall devices, which had only a packet filter, were also called stateless inspection firewalls; modern firewall devices provide far more possibilities for packet filtering.

A packet filter controls access to resources by deciding whether a packet should be allowed to pass, based on the information contained in the IP packet header. It does not analyse the content of the packet (unlike a content filter), nor does it attempt to determine the session to which an individual packet belongs based on the information in the TCP or UDP header, and therefore makes no further decisions in that regard. For this reason the process is also known as stateless packet inspection. Because it does not track connection state, two-way traffic on a connection must be allowed explicitly when configuring a stateless firewall device: the rule that permits the reply direction is evaluated on header fields alone, so any packet forged with matching header values is admitted as well. Stateless firewall devices analyse each packet individually and filter it based on the information contained in Layers 3 and 4 of the OSI reference model. A filtering decision is made based on the following information:

• source IP address;
• destination IP address;
• protocol;
• source port number;
• destination port number.



They are commonly implemented as part of the functionality of routers (ACLs, firewall filters, etc.), but can also be implemented on servers.

The advantages of applying packet filters:

• simple implementation;
• supported by most routers, so there is no need to invest in new equipment or software;
• rarely cause bottlenecks where they are applied, even at high speeds in Gigabit networks.

The disadvantages of applying packet filters:

• vulnerability to IP spoofing attacks;
• vulnerability to attacks that exploit problems within the TCP/IP specification and the protocol stack;
• problems with filtering fragmented packets (causing interoperability problems and non-functioning VPN connections);
• no support for dynamic filtering of services that negotiate the ports used in the communication dynamically (e.g., passive FTP).



Stateful packet inspection improves the packet-filtering process by monitoring the state of each connection established through the firewall device. The TCP protocol provides two-way communication, and TCP traffic is characterised by three phases: establishing the connection, data transfer, and terminating the connection. In the connection-establishment phase, stateful packet inspection records each connection in the state table. In the data-transfer phase, the device monitors certain parameters in the header of the L3 packet and L4 segment and makes a filtering decision depending on their values and the content of the state table, which contains all currently active connections. As a result, a potential attacker trying to spoof a packet whose header indicates that it is part of an established connection can be detected by a stateful inspection firewall, which verifies whether the connection is recorded in the state table; a stateless filter cannot make this check. The state table contains the following information:

• source IP address;
• destination IP address;
• source port number;
• destination port number;
• TCP sequence numbers;
• TCP flag values.

The states of the synchronize (SYN), reset (RST), acknowledgment (ACK) and finish (FIN) flags are monitored within the TCP header and a conclusion is reached about the state of a specific connection. The UDP protocol has no formal procedure for establishing and terminating a connection. However, devices with stateful inspection can monitor the state of individual flows and match different flows when they logically correspond to each other (e.g., a DNS response from an external server is only allowed to pass if the corresponding DNS query from the internal source to that server has previously been recorded).

The advantages of applying stateful firewall devices:



• a higher level of protection compared to stateless firewall devices (greater efficiency and more detailed traffic analysis);
• detection of IP spoofing and DoS attacks;
• more log information compared to packet filters.

The disadvantages of applying stateful firewall devices:

• no protection against application-layer attacks;
• performance degradation of the router on which they are deployed (depending on the size of the network and the other services run on the router);
• not all of them support the UDP, GRE and IPsec protocols, treating them in the same way as stateless firewall devices would;
• no support for user authentication.
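The difference between the two filtering models described above (a stateless ACL that must open the reply direction explicitly, and a stateful filter that admits return traffic only for connections recorded in its state table, including UDP flow matching for DNS) is easiest to see with both decision procedures side by side. The following is an added example for this handbook, not code from any firewall product: the packets, the 10.0.0.0/8 "inside" range, the 192.0.2.53 resolver and the ACL rules are all constructed, and the state machine is deliberately reduced to the SYN, SYN-ACK, ACK, FIN and RST transitions the text mentions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()     # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


def is_inside(ip: str) -> bool:
    """Assumed internal address range for this example: 10.0.0.0/8."""
    return ip.startswith("10.")


# Stateless ACL: each packet is judged alone on Layer 3/4 header fields.
# Rule = (proto, src prefix, sport, dst prefix, dport, action); None matches anything.
# No state is kept, so the reply direction has to be opened explicitly (rules 2 and 4).
STATELESS_RULES = [
    ("tcp", "10.", None, None, 80, "permit"),          # inside -> any web server
    ("tcp", None, 80, "10.", None, "permit"),          # web replies back in
    ("udp", "10.", None, "192.0.2.53", 53, "permit"),  # inside -> assumed DNS resolver
    ("udp", "192.0.2.53", 53, "10.", None, "permit"),  # DNS replies back in
]


def stateless_decide(pkt: Packet, rules=STATELESS_RULES) -> str:
    for proto, s, sp, d, dp, action in rules:
        if (proto == pkt.proto
                and (s is None or pkt.src.startswith(s)) and (sp is None or sp == pkt.sport)
                and (d is None or pkt.dst.startswith(d)) and (dp is None or dp == pkt.dport)):
            return action
    return "deny"                                      # implicit deny at the end of the ACL


class StatefulFilter:
    """Decisions consult a table of connections that were seen being set up from inside."""

    def __init__(self, outbound_policy):
        self.policy = outbound_policy   # Packet -> bool: may an inside host open this flow?
        self.table = {}                 # 5-tuple of the initiating direction -> state

    @staticmethod
    def _key(p): return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p): return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, pkt: Packet) -> str:
        fwd, rev = self._key(pkt), self._rev(pkt)
        if pkt.proto == "udp":                          # no handshake: match flows instead
            if is_inside(pkt.src) and self.policy(pkt):
                self.table[fwd] = "UDP_FLOW"            # remember the outbound query
                return "permit"
            return "permit" if self.table.get(rev) == "UDP_FLOW" else "deny"
        if pkt.flags == {"SYN"}:                        # connection setup, phase 1
            if is_inside(pkt.src) and self.policy(pkt):
                self.table[fwd] = "SYN_SENT"
                return "permit"
            return "deny"                               # unsolicited inbound SYN
        if pkt.flags & {"FIN", "RST"}:                  # teardown: forget the connection
            if fwd in self.table or rev in self.table:
                self.table.pop(fwd, None); self.table.pop(rev, None)
                return "permit"
            return "deny"
        sf, sr = self.table.get(fwd), self.table.get(rev)
        if sr == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[rev] = "SYN_RECEIVED"
            return "permit"
        if sf == "SYN_RECEIVED" and "ACK" in pkt.flags:
            self.table[fwd] = "ESTABLISHED"
            return "permit"
        if "ESTABLISHED" in (sf, sr):
            return "permit"                             # data transfer on a known connection
        return "deny"   # e.g. a forged ACK claiming a connection the table never recorded


def run_scenarios() -> dict:
    """Constructed packets run through both filters; returns the decisions by scenario."""
    client, web, dns = "10.1.1.5", "203.0.113.10", "192.0.2.53"
    sf = StatefulFilter(lambda p: (p.proto, p.dport) in {("tcp", 80), ("udp", 53)})
    syn = Packet("tcp", client, 40000, web, 80, frozenset({"SYN"}))
    synack = Packet("tcp", web, 80, client, 40000, frozenset({"SYN", "ACK"}))
    ack = Packet("tcp", client, 40000, web, 80, frozenset({"ACK"}))
    data = Packet("tcp", web, 80, client, 40000, frozenset({"ACK", "PSH"}))
    # Forged "reply": source port 80 and an ACK flag, but no connection was ever opened to it.
    spoof = Packet("tcp", "198.51.100.7", 80, "10.1.1.9", 51000, frozenset({"ACK"}))
    query = Packet("udp", client, 53001, dns, 53)
    reply = Packet("udp", dns, 53, client, 53001)
    stray = Packet("udp", dns, 53, "10.1.1.20", 53002)   # "response" with no matching query
    return {
        "stateless_spoof": stateless_decide(spoof),       # header alone satisfies rule 2
        "stateless_stray_dns": stateless_decide(stray),   # header alone satisfies rule 4
        "stateful_handshake": [sf.decide(p) for p in (syn, synack, ack, data)],
        "stateful_spoof": sf.decide(spoof),
        "stateful_dns": [sf.decide(query), sf.decide(reply)],
        "stateful_stray_dns": sf.decide(stray),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

The two "spoof" results are the point of the exercise: the stateless ACL permits the forged reply and the stray DNS answer because their headers match the explicitly opened reverse rules, while the stateful filter denies both because nothing in its table vouches for them. The same model also shows the stateful filter's own limit from the disadvantages list: once a connection is ESTABLISHED, whatever is carried inside it passes without application-layer inspection.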



Lately, attempts have been made to improve standard stateful packet inspection by adding basic techniques from intrusion detection technology. The improved version is called stateful protocol analysis, also known as DPI (Deep Packet Inspection): analysis of data on the application layer. The devices resulting from this development include Application Firewalls, Application Proxy Gateways and proxy servers. Unlike stateful firewall devices, which filter traffic based on data from Layers 3, 4 and 5 of the OSI reference model, these devices also enable traffic filtering based on information in the application layer (Layer 7).

Application Firewall

Application Firewall (AF) devices perform a stateful protocol analysis of the application layer. They support numerous common protocols, such as HTTP, SQL, e-mail services (SMTP, POP3 and IMAP), VoIP and XML. Stateful protocol analysis relies on predefined profiles of acceptable operating modes for the selected protocol, enabling the identification of potential deviations and irregularities in the message flow of the protocol through the device. Problems may arise if there is a conflict between the operating mode of a specific protocol as defined on the AF device and the way in which the protocol is implemented in the specific version of the application or operating system used in the network.

Stateful protocol analysis can:

• determine whether an e-mail message contains a type of attachment that is not allowed (e.g., executable files);
• determine whether instant messaging is being used over an HTTP port;
• block the connection through which an unwanted command is executed (e.g., an FTP put command on the FTP server);
• block access to a page with unwanted active content (e.g., Java);
• identify an irregular sequence of commands exchanged between two hosts (e.g., an unusually large number of repetitions of the same command, or the use of a command before the command it depends on);
• verify individual commands and the minimum and maximum length of the corresponding command-line arguments (e.g., the number of characters in a username).

An AF device cannot detect attacks that conform to the generally accepted procedures of a specific protocol, such as DoS (Denial of Service) attacks caused by repeating a large number of acceptable message sequences in a short time interval. Because of the complexity of the analysis performed and the large number of concurrent sessions monitored, the main disadvantage of stateful protocol analysis is the heavy load it places on AF devices.



Application Proxy Gateway

Application Proxy Gateway (APG) devices also analyse the traffic flow on the application layer. Compared to AF devices, APG devices provide a higher level of security for individual applications, since they never allow a direct connection between two hosts and they can inspect the content of application-layer messages. APG devices contain so-called proxy agents, or "intermediaries", in the communication between two end hosts, and in this way prevent direct communication between them. Each successful connection between the end hosts thus consists of two connections: one between the client and the proxy server, and the other between the proxy server and the destination device. Based on the filtering rules defined on the APG device, the proxy agents decide whether network traffic will be allowed or not. Traffic-filtering decisions can also be made based on the information in the header of an application-layer message, or even on the content conveyed by that message. In addition, proxy agents can require user authentication. There are also APG devices capable of decrypting, analysing and re-encrypting packets before forwarding them to the destination host; packets that cannot be decrypted are simply forwarded through the device, a blind spot to keep in mind when relying on such inspection.

Compared to packet filters and stateful devices, APG devices have several drawbacks. Their manner of operation requires significantly more resources, i.e., more memory and more processor time, to analyse and interpret each packet passing through the device. As a result, APG devices are not suitable for filtering applications that are demanding in terms of bandwidth or sensitive to delay (real-time applications). Another drawback is the limited number of services that can be filtered through them: each type of traffic passing through the device requires a specific proxy agent to act as intermediary, so APG devices do not always support the filtering of new applications or protocols. Due to their price, APG devices are commonly used to protect data centres or other networks containing publicly available servers of high importance to an organisation. To reduce the load on APG devices and achieve greater efficiency, modern networks increasingly use dedicated proxy servers for specific services that are not so sensitive to delay (e.g., e-mail or web proxy servers).

Dedicated Proxy Server

Like APG devices, Dedicated Proxy (DP) servers also act as "intermediaries" in the communication between two hosts, although their traffic-filtering capabilities are significantly lower. This type of device is intended to analyse the operation of specific services and protocols (e.g., HTTP or SMTP). Because of their limited traffic-filtering capabilities, DP devices are deployed behind firewall devices in the network architecture. Their main function is to perform specialised filtering of a specific type of traffic (based on a limited set of parameters) and to carry out logging. This significantly reduces the load on the firewall device located in front of the DP server. The most widely used devices of this type are web proxy servers. A common example is an HTTP proxy server (placed behind the firewall device or router) to which users must connect when they wish to access external web servers. If an institution has an outgoing connection (uplink) of lower bandwidth, use of the caching function is recommended to reduce traffic and improve response time. With the growing number of web applications and of threats transferred over the HTTP protocol, web proxy servers are growing in significance, and equipment manufacturers today add the functionality of various firewall technologies to standard web proxy servers, increasing their traffic-filtering capabilities.



1.3. Solutions Combining Traffic Filtering with Other Technologies

In addition to their basic purpose of blocking unwanted traffic, firewall devices often combine their filtering functionality with other technologies, primarily routing, and routers in turn combine routing with filtering. As a result, NAT (Network Address Translation) is sometimes considered a firewall technology, although essentially it is a routing technology. Other related functions, such as VPN and IDP, are often available on firewall devices. For completeness, and because of their frequent use, these technologies are also addressed briefly in this chapter.

NAT (Network Address Translation)

NAT is a technology that enables devices using private IP addresses to communicate with devices on the Internet. It translates private IP addresses, which can be used by devices within a Local Area Network (LAN), into publicly routable Internet addresses. The application of NAT may limit (intentionally or unintentionally) the number of available services, i.e., it may break services that require direct, end-to-end connectivity (e.g., VoIP). There are three types of NAT translation: dynamic, static and PAT.

Dynamic NAT uses a pool of public IP addresses, assigning them in turn to hosts with private IP addresses. When a host with a private IP address needs to communicate with a device on the Internet, dynamic NAT translates its private IP address into a public IP address by taking the first available address from the defined pool. Dynamic NAT is suitable for client computers.

Static NAT provides a one-to-one mapping between the private IP address of a host and the public IP address assigned to it. In this manner the host with a private IP address always appears on the Internet with the same public IP address; this is the main difference between static and dynamic translation. Static NAT is suitable for servers.

In both types of translation above, each private IP address is translated into a separate public IP address. To support a sufficient number of simultaneous user sessions, an organisation using dynamic and/or static NAT therefore needs a sufficient number of public IP addresses.

PAT (Port Address Translation, also called NAT overload) maps several private IP addresses onto one or more public IP addresses. Each private IP address is distinguished by the port number used on the public IP address: PAT ensures that each client on the LAN establishing a connection to a device on the Internet is assigned a different source port on the public IP address. The response from the Internet is sent back to the port from which the request was forwarded, so the device performing the translation (a router, firewall or server) knows to which host on the LAN it should forward the packet. This feature of PAT increases the security of the LAN to a certain degree, since it prevents a connection from the Internet being established directly with hosts on the LAN. Because of this behaviour PAT is sometimes, incorrectly, regarded as a security technology, although it is primarily a routing technology.
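The PAT behaviour described above, and the reason it is only a side effect rather than a security control, can be shown with a model of the translation table. The following is an added example for this handbook, not code from any router or firewall: the public address 198.51.100.1, the LAN hosts and the remote servers are constructed, and the port allocation is a simple sequential counter rather than any vendor's scheme.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class PATDevice:
    """Models the translation table of a PAT (NAT overload) device with one public address."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}   # (proto, private ip, private port, dst, dport) -> public port
        self.inbound = {}    # (proto, public port, remote ip, remote port) -> (private ip, private port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a LAN host's packet to the public address, allocating a port on first use."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")   # the limit on concurrent sessions
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = port
            self.inbound[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def translate_inbound(self, pkt: Packet):
        """Deliver a packet from the Internet to the LAN host owning the mapping, else drop (None)."""
        if pkt.dst != self.public_ip:
            return None
        target = self.inbound.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if target is None:
            return None            # nothing on the LAN asked for this, so there is no way in
        return replace(pkt, dst=target[0], dport=target[1])


def demo() -> dict:
    """Two LAN hosts using the same source port reach the same server; replies are kept apart."""
    pat = PATDevice("198.51.100.1")                      # constructed public address
    host_a = Packet("tcp", "192.168.1.10", 50000, "203.0.113.10", 443)
    host_b = Packet("tcp", "192.168.1.11", 50000, "203.0.113.10", 443)
    out_a, out_b = pat.translate_outbound(host_a), pat.translate_outbound(host_b)
    reply_b = Packet("tcp", "203.0.113.10", 443, "198.51.100.1", out_b.sport)
    unsolicited = Packet("tcp", "203.0.113.7", 40000, "198.51.100.1", 22)   # inbound SSH attempt
    # A packet whose source matches host A's mapping is forwarded no matter who really sent it:
    # the table records only who was contacted, not whether the "reply" is genuine or benign.
    forged = Packet("tcp", "203.0.113.10", 443, "198.51.100.1", out_a.sport)
    return {
        "out_a": out_a, "out_b": out_b,
        "same_flow_again": pat.translate_outbound(host_a),   # existing mapping is reused
        "reply_b": pat.translate_inbound(reply_b),
        "unsolicited": pat.translate_inbound(unsolicited),
        "forged": pat.translate_inbound(forged),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

The unsolicited inbound connection is dropped purely because no mapping exists for it, which is the "protection" the text refers to. The forged packet shows the limit: PAT cannot tell a real reply from a spoofed one with the right 4-tuple, and it inspects nothing above Layer 4, so a stateful firewall with proper rules is still required in front of, or combined with, the translating device.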



VPN (Virtual Private Network)

VPN technology is used to increase the security of data transfer across a network infrastructure that does not itself provide a sufficient degree of data security. It enables the encryption and decryption of network traffic between external networks and an internal, protected network. VPN functionality can be available on firewall devices or implemented on VPN servers placed behind the firewall devices in the network architecture. In many cases, implementing the VPN service on the firewall device itself is the best solution: placing a VPN server behind the firewall device requires the VPN traffic to pass through the firewall in encrypted form, so the firewall cannot inspect, access-control or log that traffic, and therefore cannot scan it for security threats. Regardless of where it is implemented, the VPN service requires certain filtering rules on the firewall device in order to operate without interruption. Accordingly, special attention should always be paid to ensuring that the protocols and TCP/UDP services necessary for the chosen VPN solution are permitted.

IDP (Intrusion Detection and Prevention)

Network Intrusion Detection (ID) is based on monitoring the operation of computer systems or networks and analysing the processes they perform for signs of incidents. Incidents are events that threaten or violate defined security policies, violate AUP (Acceptable Use Policy) rules, or violate generally accepted security norms. They arise from the operation of various malware programmes (e.g., worms, spyware, viruses and Trojans), from attempts at unauthorised access to a system through public infrastructure (the Internet), or from authorised system users who abuse their privileges. Network Intrusion Prevention (IP) includes the process of detecting network intrusion events, but also the process of preventing and blocking detected or potential network incidents. Network Intrusion Detection and Prevention (IDP) systems are based on identifying potential incidents, logging information about them, attempting to prevent them, and alerting the administrators responsible for security. In addition to this basic function, IDP systems can also be used to identify problems with the adopted security policies, to document existing security threats, and to discourage individuals from violating security rules. IDP systems use various incident-detection methods.






There are three primary classes of detection methodology:

1. Signature-based detection

Certain security threats can be detected by the characteristic manner in which they appear. The behaviour of an already detected security threat, described in a form that can be used to detect any subsequent appearance of the same threat, is called an attack signature. This detection method compares the known forms in which a threat has appeared with the actual network traffic in order to identify incidents. Although it can be very efficient at detecting the reappearance of known threats, it is extremely inefficient at detecting completely unknown threats, threats hidden by various evasion techniques, and already known threats that have been modified in the meantime. It is considered the simplest detection method and cannot be used to monitor and analyse the state of more complex forms of communication.

2. Anomaly-based detection

This method is based on detecting anomalies in a specific traffic flow in the network. Anomaly detection compares the actual traffic in the network with a defined profile of acceptable traffic. Acceptable-traffic profiles are formed by tracking the typical characteristics of the traffic in the network over a certain period of time (e.g., the number of e-mail messages sent by a user, the number of attempts to log in to a host, or the level of processor utilisation in a given time interval). These characteristics of the behaviour of users, hosts, connections or applications in that interval are then considered to be acceptable. However, acceptable-behaviour profiles can unintentionally contain certain security threats, which leads to problems in their application. Likewise, imprecisely defined profiles of acceptable behaviour can cause numerous alarms, generated by the system in reaction to activities on the network that are in fact acceptable. The greatest advantage of this detection method is its efficiency in detecting previously unknown security threats.

3. Detection based on stateful protocol analysis

Stateful protocol analysis compares predefined operation profiles of a protocol with the actual data flow of that protocol on the network. The predefined profiles are defined by the manufacturers of IDP devices and identify everything that is acceptable or not acceptable in the exchange of messages in a protocol. Unlike anomaly-based detection, where profiles are created from the hosts or specific activities on the network, stateful protocol analysis uses general profiles generated by the equipment manufacturers.

Most IDP systems use several detection methods simultaneously, enabling more comprehensive and precise detection.

Testing tools are used to test the detection, recognition and response capabilities of devices that perform packet filtering (including those that use network address translation), such as firewalls, IDSes/IPSes, routers and switches. These test the traffic-filtering devices' ability to detect and/or block DoS attacks, spyware, backdoors, and attacks against applications such as IIS, SQL Server and WINS. Standard traffic sessions can be used to test how packet-filtering devices handle a variety of protocols, including HTTP, FTP, SNMP and SMTP.
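The trade-off between the first two detection classes above (signatures catch only what they have patterns for; an anomaly profile catches the unknown burst but depends on a clean baseline) can be reproduced on a handful of log lines. The following is an added example for this handbook, not code from any IDS product: the web-server log lines, the three signatures and the per-client request-rate profile (mean plus three standard deviations over a training window assumed to be clean) are all constructed for illustration, and a production system would use far richer features than requests per minute.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed Apache-style access log lines (assumed format). The training window is
# taken to be clean; the detection window contains an obvious SQL injection, an
# obfuscated one, a login burst and a path-traversal attempt.
TRAINING_LOG = """\
198.51.100.2 - - [14/Jun/2015:09:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.2 - - [14/Jun/2015:09:00:09 +0000] "GET /about HTTP/1.1" 200 812
198.51.100.3 - - [14/Jun/2015:09:00:40 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.2 - - [14/Jun/2015:09:01:02 +0000] "GET /products HTTP/1.1" 200 2210
198.51.100.2 - - [14/Jun/2015:09:01:10 +0000] "GET /products/1 HTTP/1.1" 200 915
198.51.100.2 - - [14/Jun/2015:09:01:31 +0000] "GET /cart HTTP/1.1" 200 640
198.51.100.4 - - [14/Jun/2015:09:01:50 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.3 - - [14/Jun/2015:09:02:05 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.3 - - [14/Jun/2015:09:02:07 +0000] "GET /account HTTP/1.1" 200 1300
198.51.100.2 - - [14/Jun/2015:09:02:44 +0000] "GET /contact HTTP/1.1" 200 700
"""

DETECTION_LOG = """\
203.0.113.5 - - [14/Jun/2015:10:00:01 +0000] "GET /search?q=1%20union%20select%20password%20from%20users HTTP/1.1" 200 512
203.0.113.6 - - [14/Jun/2015:10:00:04 +0000] "GET /search?q=1%20UNION%20/**/SELECT%20password HTTP/1.1" 200 512
203.0.113.9 - - [14/Jun/2015:10:00:10 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.9 - - [14/Jun/2015:10:00:11 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.9 - - [14/Jun/2015:10:00:12 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.9 - - [14/Jun/2015:10:00:13 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.9 - - [14/Jun/2015:10:00:14 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.9 - - [14/Jun/2015:10:00:15 +0000] "POST /login HTTP/1.1" 401 0
198.51.100.2 - - [14/Jun/2015:10:00:20 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.2 - - [14/Jun/2015:10:00:31 +0000] "GET /about HTTP/1.1" 200 812
203.0.113.7 - - [14/Jun/2015:10:01:02 +0000] "GET /cgi-bin/view?f=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(\S+) - - \[\d\d/\w{3}/\d{4}:(\d\d:\d\d):\d\d [^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed attack signatures (regular expressions over the request path).
SIGNATURES = {
    "sqli-union": re.compile(r"union(?:%20|\+| )+select", re.I),
    "path-traversal": re.compile(r"(?:\.\.(?:/|%2f)){2,}", re.I),
    "shell-command": re.compile(r"[;|`]\s*(?:cat|wget|curl)\b", re.I),
}


def parse(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({"ip": m.group(1), "minute": m.group(2), "method": m.group(3),
                           "path": m.group(4), "status": int(m.group(5))})
    return events


def signature_detect(events: list) -> list:
    """Known-bad patterns only: returns (ip, signature name, path) for every hit."""
    return [(e["ip"], name, e["path"])
            for e in events for name, rx in SIGNATURES.items() if rx.search(e["path"])]


def build_profile(training_events: list) -> dict:
    """Acceptable-behaviour profile: requests per client per minute in a window assumed clean."""
    rates = list(Counter((e["ip"], e["minute"]) for e in training_events).values())
    return {"mean": mean(rates), "stdev": pstdev(rates)}


def anomaly_detect(events: list, profile: dict, k: float = 3.0) -> list:
    """Flag (ip, minute, count) whose request rate exceeds mean + k standard deviations."""
    threshold = profile["mean"] + k * profile["stdev"]
    counts = Counter((e["ip"], e["minute"]) for e in events)
    return [(ip, minute, n) for (ip, minute), n in sorted(counts.items()) if n > threshold]


def run() -> dict:
    profile = build_profile(parse(TRAINING_LOG))
    events = parse(DETECTION_LOG)
    return {"profile": profile, "signature_hits": signature_detect(events),
            "anomalies": anomaly_detect(events, profile)}


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

The signature detector finds the plain UNION SELECT and the traversal, but misses the second injection because a comment was inserted where the pattern expects whitespace, which is the "already known threat modified in the meantime" case. The anomaly detector flags the six login attempts in one minute, which no signature covers, but would also flag a legitimate client that became busier than the training window suggested, and would learn an attacker's rate as normal if the attacker had been active during training.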






UNIT II Configuring Secure Content Management

This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  2.1 Secure Content Management Overview
  2.2 The importance of Secure Content Management
  2.3 How does Secure Content Management Work?
  2.4 Solution Architectures






LESSON PLAN

Outcomes

To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures, Duration (Hrs) and Work Environment / Lab Requirement

PC2
Performance ensuring measures: Peer group, Faculty group and Industry experts.
Duration: 2 hrs in-class presentations.
Work environment / lab requirement: PCs/Tablets/Laptops; projection facilities.

KA4, KA5
Performance ensuring measures: Peer group, Faculty group and Industry experts.
Duration: 2 hrs classroom assessment and 10 hrs offline research and learning activity.
Work environment / lab requirement: PCs/Tablets/Laptops; lab availability (24/7); Internet with WiFi (min 2 Mbps dedicated); access to all security sites such as ISO, PCI DSS, Center for Internet Security.

KB1 - KB4
Performance ensuring measures: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.






Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research various types of attacks and to collect examples of each type of virus, Trojan, worm and other malware. The group that collects the largest number of correct examples wins a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where they occurred.

Activity 3: Ask the students to access the CVE and list all the types of information they can obtain from it. Present the findings in class and elaborate on the various ways that information can be used.






Lesson 2.1 Secure Content Management - Overview

Organizations are increasingly moving toward collaboration — encouraging usage of the Internet for knowledge access and productivity enhancement, advocating widespread adoption of email as a communication means and promoting instant messaging for better coordination. The global nature of business transactions — involving service providers and third party solutions — relies on communication protocols such as SMTP, HTTP, HTTPS, FTP, IPSec VPN, etc. for exchange of information and execution of a transaction. This has been contributing to the increased dependence of an organization on the inbound and outbound traffic flowing across its boundaries.

Internet technology, with its open architecture, inherently provides access to all resources that are connected to the World Wide Web. Hence, users can connect themselves to all legitimate and illegitimate web sources. This may expose organizations to serious security threats. The outward and inward connections, thus, have the potential to jeopardize the security posture of an organization. These connections also create possibilities of data leakage from an organization to the outside world. Security threats have been increasingly exploiting these connections, channels, protocols and traffic to perpetrate attacks. The advent of Web 2.0 technologies and the proliferation of file sharing protocols, data sharing portals, media streaming, etc. among users expand the attack surface of an organization. They create enormous opportunities for external threats to exploit weaknesses.

Allowing the inbound and outbound connections — as access given to the employees to initiate or receive traffic — creates issues of employee productivity. It also contributes to bandwidth issues, as connection to public or media streaming sites consumes an organization's network bandwidth. While allowing legitimate traffic, organizations may not like their employees to indulge in the different forms of entertainment and attractions available online, which can lead to security threats, data leakage and productivity issues.

Security has been evolving to address these challenges through a set of practices and technical solutions under a category which can broadly be classified as 'Secure Content Management' (SCM). DSCI believes that SCM is an important discipline of security. It deserves close attention as it promises defence against threats that increasingly concentrate on exploiting weaknesses in content management. It also offers effective instruments to curb data leakages and hence is regarded as an important element of data security strategies.






2.2 The Importance of Secure Content Management

Unrestricted Access
The use of the Internet is on the rise, as are the risks of uncontrolled access. When employees and staff inadvertently or deliberately access sites containing inappropriate, illegal or dangerous content, businesses suffer losses of productivity, expose themselves to legal liabilities and can experience degraded network performance that negatively affects mission-critical tasks. There are also a growing number of security risks—including Trojans and worms—that can seriously impact operations.

Liability Exposure
Employees who visit pornographic or racist/hate sites represent a major legal liability concern. Businesses need to shield themselves from potential legal liability that can arise if an employee is repeatedly exposed to offensive material on a coworker's computer or anywhere in the workplace. Other sources of liability exposure include peer-to-peer networking and file sharing, which have opened the door to charges of copyright violations and high-profile litigation. Corporations can be held liable for breaking copyright laws if employees use company networks to download music or movies illegally.

The risks include:
• Impacted employee productivity: Restricting access to inappropriate Web sites helps companies prevent excessive non-productive Web surfing and preserves network bandwidth.
• Hacker attacks and privacy violations: Instant messaging, peer-to-peer file sharing and multimedia downloads make businesses vulnerable to backdoor attacks.






2.3 How Secure Content Management Works

Securing content starts with controlling access to certain Web sites based on predetermined criteria. At a basic level, user access to Internet content is controlled using the URL address or the URL content category (such as nudity or gambling). Basic content management solutions can also examine the way the content is delivered, such as through Java applets or ActiveX scripts, and determine access permissions accordingly. More advanced content management solutions also provide the ability to block applications such as instant messaging and peer-to-peer services.

Site Blocking Versus Content Monitoring
Secure content management solutions employ one of two basic approaches: site blocking or content monitoring. While there are considerable differences between these two approaches, both are based on pass-through filtering technology. That is, all requests for Web pages pass through an Internet control point such as a firewall, proxy server or caching device. The device then evaluates each request to determine whether it should be allowed or denied based on company policy.



Site blocking
The site blocking approach for content management typically uses list-based or URL-based filters to identify and block certain Web sites. Some solutions rely on white lists that allow access to only those sites that appear on the list. For example, a retail store might create a white list containing only the company's Web site, shipping Web sites and supplier Web sites. Other solutions use black lists, which permit access to all sites except those on the black list. The black list approach is preferable for businesses whose employees need less restrictive Internet access. With a black list approach, the database of Web sites is organized into categories, such as "violence" or "drugs," and network administrators can selectively block categories.

The effectiveness and manageability of site blocking depends on a number of factors:
• Database size—A larger database allows more sites to be added to the restricted list.
• Update frequency—New sites continually emerge, and many existing sites are relocated. Most site blocking solutions update their databases on a daily basis, often automatically downloading new URLs every night.
• Category organization—Definition of categories must be carefully considered and established with enough granularity to accomplish effective restrictions while allowing access when appropriate.

A general limitation of site blocking is that it focuses exclusively on HTTP-based Web traffic. It does not block instant messaging, e-mail attachments, peer-to-peer applications and other applications that could contain security threats.






Content Monitoring
The most basic level of content monitoring uses a keyword-blocking approach. Instead of blocking URLs, it compares the keyboard data to a user-defined library of words and phrases. When a match to one of the blocked words or phrases is detected, the solution filters or blocks the data, or in some cases even closes the application. The problem with this approach is that it can inadvertently block legitimate pages based on the fact that they contain one or more targeted keywords. For example, a Web site about cancer research could be blocked because it contains the word "breast."

More advanced content monitoring solutions not only examine the individual words on the page, but also evaluate context and other data such as HTML tags. Armed with this information, advanced content monitoring solutions can more accurately assess Web sites and consequently more accurately control blocking. Another valuable advantage of content monitoring is the ability to monitor and filter content not only from Web sites, but also chat rooms, instant messaging, e-mail attachments and Windows applications.






2.4 Solution Architectures

Content management software can be embedded on a networked device such as a proxy server, caching appliance or firewall, or it can reside on a dedicated server running the Microsoft Windows, Linux or UNIX operating system. The three common deployment methods vary in terms of effectiveness, cost and manageability.

Client Solutions
Installed on the desktop, client solutions are most suited for home environments where parental control is the primary application. Client software solutions include a management interface and a database of blocked Web sites; the parent downloads database updates via the Internet. Leading providers of client solutions include Zone Labs, Net Nanny® and Internet Service Providers (ISPs) such as Microsoft® MSN and AOL®.

Standalone Solutions
Standalone solutions consist of a dedicated database server for defining policies and a separate gateway or firewall that enforces the content management policies. These solutions are more manageable than client-based solutions because an administrator can create a policy once on the gateway and then apply it across all desktops. However, most standalone solutions require organizations to purchase and manage two separate hardware devices in addition to content management software. They also require additional storage to be purchased as needed, when the policy database grows to exceed the storage available. Key vendors of standalone solutions include SonicWALL®, Websense and Surf Control®.

Integrated Solutions
Integrated solutions consolidate management and processing in a single gateway or firewall, thereby reducing capital and operational expenses. However, when the gateway or firewall is also used for services like anti-virus and intrusion prevention, performance can suffer. Key vendors of integrated content filtering solutions include SonicWALL®, Symantec™ and WatchGuard®.

Evaluating Solutions
Depending on the levels of protection, performance and manageability required, non-residential customers should choose between an integrated solution and a standalone appliance. Both alternatives can combine Internet content management with dynamic threat protection techniques to control access and secure the network against an array of threats from viruses, spyware, worms, instant messaging and peer-to-peer applications. At the core of both integrated and standalone solutions is a rating architecture that leverages a comprehensive database of millions of pre-rated Web sites and domains. When a user attempts to access a Web site, the URL is cross-referenced against a master ratings database. These databases can be managed and maintained by the content filtering solution vendor, and made available at multiple locations for performance efficiency and high availability. A rating is returned to the requestor and compared to the content filtering policy established by the administrator. If the Web request is permitted, the user is able to view the page. If the requested Web site is denied, a custom block message informs the user that the site has been blocked according to policy.

Integrated Content Management and Firewalls
Content filtering integrated on a firewall is a cost-effective content management solution that is ideal for businesses with small to mid-sized networks. This alternative integrates with the existing firewall technology, or is installed simultaneously with a new firewall solution. A typical service will make available a continuously updated, comprehensive database of millions of Web sites, domains and IP addresses. Minimal administrative overhead means that businesses can either manage the solution themselves or outsource the task to their IT service provider.

Standalone Appliances
For larger businesses and enterprise environments requiring more comprehensive content control abilities, a standalone content filtering appliance maximizes the protection of any network from today's sophisticated Internet threats. Although it requires the purchase of additional hardware, ease of installation and use make this an attractive solution. The appliance can be dropped into the existing network without any reconfiguration of existing hardware or software. Appliances are also an affordable way to upgrade existing firewalls by introducing new functionality without an actual upgrade on the firewall itself. A standalone appliance can affordably combine Internet content management with real-time gateway antivirus and antispyware capabilities, and the best appliances are rich in features and functionality and deliver superior value for the investment. Beyond these advantages and basic Web site access controls, other advantages of a standalone appliance include:
• Seamless integration—Appliances can be easily installed in virtually any network, and combined with any existing firewall. Plug-and-play designs speed installation, making them drop-in solutions that eliminate the need for additional servers or hardware.
• Dynamic rating engine—Built-in capabilities can dynamically evaluate new URLs. Real-time analysis of page content, context for flagged words, HTML tags and other data can produce a rating and category for immediate access or blocking based on the organization's predetermined policies. New ratings can be automatically added to a master ratings database for subsequent requests.
• Protection from attacks—Deep packet inspection technology can block viruses, worms, Trojans, spyware, phishing, malicious code and other attacks before they are able to infect a network. Appliances can scan and clean network traffic over a multitude of ports and protocols including HTTP, SMTP, POP3, FTP and NetBIOS.
• Advanced security for bandwidth protection and reduced legal liabilities—Appliances can provide controls for managing instant messaging, peer-to-peer and multimedia applications.
• Management and reporting capabilities—Integrated support enables network administrators to manage all users through a single interface, while the option to create custom categories and URL-rating lists provides more granular control over filtering policies. Advanced reporting and analysis tools provide granular insight into network usage through custom reports.
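The pass-through filtering of 2.3 (white list versus black list, keyword blocking and its false positives, context-aware monitoring) and the rating architecture of 2.4 (ratings-database lookup, dynamic rating on a miss, caching of the new rating) as one runnable Python model. This is an added example written for this handbook, not code from any vendor named above. The hostnames, categories, keyword lists and page bodies are constructed sample data, and the context words that turn a flagged term into a "health" rating are an assumption about how such an engine might be tuned.

```python
"""Secure Content Management filter: site blocking, content monitoring and a
rating database with a dynamic rating engine.  Added example for the handbook;
all data is constructed and the context heuristics are an assumption."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed "master ratings database" of pre-rated sites: hostname -> category.
RATINGS_DB = {
    "shop.example.com": "shopping",
    "cards.example.net": "gambling",
    "cancer-research.example.org": "health",
}

# Word library as a basic keyword blocker would use it (constructed).
BLOCKED_KEYWORDS = {"breast", "casino", "poker"}

# Assumed context terms: a flagged word seen alongside these is rated "health"
# rather than "adult", the refinement the text describes for advanced monitoring.
HEALTH_CONTEXT = {"cancer", "screening", "mammogram", "oncology"}


@dataclass
class Policy:
    mode: str                                              # "whitelist" or "blacklist"
    blocked_categories: set = field(default_factory=set)   # used in black-list mode
    allowed_sites: set = field(default_factory=set)        # used in white-list mode


def _words(text: str) -> set:
    return set(re.findall(r"[a-z]+", text.lower()))


def naive_keyword_block(body: str) -> bool:
    """Basic keyword blocking: any library word on the page blocks it."""
    return bool(_words(body) & BLOCKED_KEYWORDS)


def rate_dynamically(body: str) -> str:
    """Dynamic rating engine: classify page text that is not yet in the database,
    weighing the context of flagged words instead of matching them in isolation."""
    words = _words(body)
    if words & HEALTH_CONTEXT:
        return "health"
    if words & {"casino", "poker"}:
        return "gambling"
    if "breast" in words:
        return "adult"
    return "uncategorised"


def rate_url(url: str, body: str = "", db: dict = RATINGS_DB) -> str:
    """Look the host up in the ratings database; on a miss, rate the page and
    cache the result so later requests for the same host are answered from the db."""
    host = urlsplit(url).hostname or ""
    if host not in db:
        db[host] = rate_dynamically(body)
    return db[host]


def decide(url: str, policy: Policy, body: str = "", db: dict = RATINGS_DB):
    """Pass-through control point: returns (allowed, message shown to the user)."""
    host = urlsplit(url).hostname or ""
    if policy.mode == "whitelist":
        if host in policy.allowed_sites:
            return True, "allowed: site is on the white list"
        return False, "blocked: site is not on the white list"
    category = rate_url(url, body, db)
    if category in policy.blocked_categories:
        return False, f"blocked according to policy (category: {category})"
    return True, f"allowed (category: {category})"


if __name__ == "__main__":
    policy = Policy("blacklist", blocked_categories={"gambling", "adult"})
    page = "New breast cancer screening guidelines published"
    print("naive keyword block:", naive_keyword_block(page))              # True: a false positive
    print(decide("http://oncology-news.example/article", policy, page))  # allowed (category: health)
    print(decide("https://cards.example.net/", policy))                  # blocked (category: gambling)
```

Running the module shows the point of the cancer-research sentence above: the naive keyword check blocks the page, while the context-aware rating lets it through and records "health" for that host so the next request is answered straight from the database.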






UNIT III Configuring Firewall



This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Trainer's Resource Material
3.1. What Firewall Software Does
3.2. Firewall Configuration
3.3. Why Firewall Security?
3.4. Configuring a Simple Firewall






LESSON PLAN



Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement
Peer group, Faculty group and Industry experts. | 2 hr in-class presentations | PCs/Tablets/Laptops; Projection facilities
KA4, KA5. Peer group, Faculty group and Industry experts. | 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity. | PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
KB1 - KB4 Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups. | | 






Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.

Activity 3: Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.






Lesson 3.1. What Firewall Software Does

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through.

Let's say that you work at a company with 500 employees. The company will therefore have hundreds of computers that all have network cards connecting them together. In addition, the company will have one or more connections to the Internet through something like T1 or T3 lines. Without a firewall in place, all of those hundreds of computers are directly accessible to anyone on the Internet. A person who knows what he or she is doing can probe those computers, try to make FTP connections to them, try to make telnet connections to them and so on. If one employee makes a mistake and leaves a security hole, hackers can get to the machine and exploit the hole.

With a firewall in place, the landscape is much different. A company will place a firewall at every connection to the Internet (for example, at every T1 line coming into the company). The firewall can implement security rules. For example, one of the security rules inside the company might be: Out of the 500 computers inside this company, only one of them is permitted to receive public FTP traffic. Allow FTP connections only to that one computer and prevent them on all others. A company can set up rules like this for FTP servers, Web servers, Telnet servers and so on. In addition, the company can control how employees connect to Web sites, whether files are allowed to leave the company over the network and so on. A firewall gives a company tremendous control over how people use the network.

Firewalls use one or more of three methods to control traffic flowing in and out of the network:
• Packet filtering: Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.
• Proxy service: Information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.
• Stateful inspection: A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.






3.2 Firewall Software Configuration

Firewall Configuration
Firewalls are customizable. This means that you can add or remove filters based on several conditions. Some of these are:

IP addresses
Each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a "dotted decimal number." A typical IP address looks like this: 216.27.61.137. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address.

Domain names
As it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names.

Protocols
The protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser. Protocols are often text, and simply describe how the client and server will have their conversation. HTTP is the Web's protocol. Some common protocols that you can set firewall filters for include:
• IP (Internet Protocol) - the main delivery system for information over the Internet
• TCP (Transmission Control Protocol) - used to break apart and rebuild information that travels over the Internet
• HTTP (Hyper Text Transfer Protocol) - used for Web pages
• FTP (File Transfer Protocol) - used to download and upload files
• UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video
• ICMP (Internet Control Message Protocol) - used by a router to exchange information with other routers
• SMTP (Simple Mail Transport Protocol) - used to send text-based information (e-mail)
• SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer
• Telnet - used to perform commands on a remote computer

A company might set up only one or two machines to handle a specific protocol and ban that protocol on all other machines.

Ports
Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server (see How Web Servers Work for details). For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.

Specific words and phrases
This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no hyphen). But you can include as many words, phrases and variations of them as you need.

Some operating systems come with a firewall built in. Otherwise, a software firewall can be installed on the computer in your home that has an Internet connection. This computer is considered a gateway because it provides the only point of access between your home network and the Internet. With a hardware firewall, the firewall unit itself is normally the gateway. A good example is the Linksys Cable/DSL router. It has a built-in Ethernet card and hub. Computers in your home network connect to the router, which in turn is connected to either a cable or DSL modem. You configure the router via a Web-based interface that you reach through the browser on your computer. You can then set any filters or additional information. Hardware firewalls are incredibly secure and not very expensive. Home versions that include a router, firewall and Ethernet hub for broadband connections can be found for well under Rs 10000.
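A small packet filter in Python that exercises the stateful inspection method of Lesson 3.1 and the filter conditions of 3.2 (IP address, domain name, protocol, port, exact words). This is an added example, not the handbook's text or any vendor's firewall code: the addresses, the reverse-DNS table that lets a rule be written by domain name, the rule set and the sample packets are all constructed. Stateful inspection is modelled as a session table that permitted outbound traffic writes and inbound packets are checked against; the static rules default to deny, so an inbound packet passes only as a reply to a recorded session or by an explicit rule such as the single public FTP server of 3.1; the word filter demonstrates the exact-match limitation ("X-rated" is caught, "X rated" is not).

```python
"""Stateful packet filter with rules by IP, domain, protocol, port and exact
words.  Added example for the handbook; every address, name and packet below is
constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (from the Internet) or "out" (to the Internet)
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    direction: Optional[str] = None  # None means "any value" for that field
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        fields = ((self.direction, p.direction), (self.proto, p.proto),
                  (self.src, p.src), (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == got for want, got in fields)


# Constructed reverse-DNS table: lets a domain-name rule resolve an outside host.
DNS = {"203.0.113.10": "www.example.com", "198.51.100.7": "bad.example.net"}
BLOCKED_DOMAINS = {"bad.example.net"}
BLOCKED_WORDS = {"X-rated"}          # exact token match only, as the text notes

# Constructed policy: browsing out is allowed, one inside host (10.0.0.5) may
# receive public FTP; anything else falls through to the default deny.
RULES = [
    Rule("permit", direction="out", proto="tcp", dport=80),
    Rule("permit", direction="out", proto="tcp", dport=443),
    Rule("permit", direction="in", proto="tcp", dst="10.0.0.5", dport=21),
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # Session table: (proto, inside ip, inside port, outside ip, outside port)
        self.state = set()

    def _static_decision(self, p: Packet) -> bool:
        for r in self.rules:            # first matching rule wins
            if r.matches(p):
                return r.action == "permit"
        return False                    # default deny

    def filter(self, p: Packet) -> bool:
        """Return True if the packet is allowed through, False if discarded."""
        outside = p.dst if p.direction == "out" else p.src
        if DNS.get(outside) in BLOCKED_DOMAINS:       # domain-name filter
            return False
        if p.payload and set(p.payload.split()) & BLOCKED_WORDS:  # word filter
            return False
        if p.direction == "out":
            if self._static_decision(p):
                # Record the outbound session so its replies can come back in.
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return True
            return False
        # Inbound: a reply to a recorded session is trusted...
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return True
        # ...anything else must be explicitly permitted by a static rule.
        return self._static_decision(p)


if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(fw.filter(Packet("out", "tcp", "10.0.0.20", 51000, "203.0.113.10", 80)))   # True
    print(fw.filter(Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.20", 51000)))    # True: reply
    print(fw.filter(Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.21", 51000)))    # False: no session
    print(fw.filter(Packet("out", "tcp", "10.0.0.20", 51001, "198.51.100.7", 80)))   # False: blocked domain
```

The session table is what distinguishes the stateful method from plain packet filtering: the third packet in the demonstration has the same ports and outside address as a legitimate reply but is dropped because no inside host opened that session.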






3.3. Why Firewall Security?

Access or abuse of unprotected computers
There are many creative ways that unscrupulous people use to access or abuse unprotected computers:
• Remote login: When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.
• Application backdoors: Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access that provides some level of control of the program.
• SMTP session hijacking: SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.
• Operating system bugs: Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
• Denial of service: You have probably heard this phrase used in news reports on the attacks on major Web sites. This type of attack is nearly impossible to counter. What happens is that the hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable session requests, a hacker causes the server to slow to a crawl or eventually crash.
• E-mail bombs: An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
• Macros: To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
• Viruses: Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.
• Spam: Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.
• Redirect bombs: Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.
• Source routing: In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.

Security against unauthorized access or abuse
Some of the items in the list above are hard, if not impossible, to filter using a firewall. While some firewalls offer virus protection, it is worth the investment to install anti-virus software on each computer. And, even though it is annoying, some spam is going to get through your firewall as long as you accept e-mail. The level of security you establish will determine how many of these threats can be stopped by your firewall. The highest level of security would be to simply block everything. Obviously that defeats the purpose of having an Internet connection. But a common rule of thumb is to block everything, then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through. This is a good rule for businesses that have an experienced network administrator who understands what the needs are and knows exactly what traffic to allow through. For most of us, it is probably better to work with the defaults provided by the firewall developer unless there is a specific reason to change it. One of the best things about a firewall from a security standpoint is that it stops anyone on the outside from logging onto a computer in your private network. While this is a big deal for businesses, most home networks will probably not be threatened in this manner. Still, putting a firewall in place provides some peace of mind.

Proxy Servers and DMZ
A function that is often combined with a firewall is a proxy server. The proxy server is used to access Web pages by the other computers. When another computer requests a Web page, it is retrieved by the proxy server and then sent to the requesting computer. The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network, other than the proxy server. Proxy servers can also make your Internet access work more efficiently. If you access a page on a Web site, it is cached (stored) on the proxy server. This means that the next time you go back to that page, it normally doesn't have to load again from the Web site. Instead it loads instantaneously from the proxy server. There are times that you may want remote users to have access to items on your network. Some examples are:
• Web site
• Online business
• FTP download and upload area

In cases like this, you may want to create a DMZ (Demilitarized Zone). DMZ is just an area that is outside the firewall. Think of DMZ as the front yard of a house. It belongs to the owner, who may put some things there, but would put anything valuable inside the house where it can be properly secured. Setting up a DMZ is very easy. If you have multiple computers, you can choose to simply place one of the computers between the Internet connection and the firewall. Most of the software firewalls available will allow you to designate a directory on the gateway computer as a DMZ.



3.4. Configuring a Simple Firewall

The Cisco 1800 integrated services routers support network traffic filtering by means of access lists. The router also supports packet inspection and dynamic temporary access lists by means of Context-Based Access Control (CBAC). Basic traffic filtering is limited to configured access list implementations that examine packets at the network layer or, at most, the transport layer, permitting or denying the passage of each packet through the firewall. However, the use of inspection rules in CBAC allows the creation and use of dynamic temporary access lists. These dynamic lists allow temporary openings in the configured access lists at firewall interfaces. These openings are created when traffic for a specified user session exits the internal network through the firewall. The openings allow returning traffic for the specified session (that would normally be blocked) back through the firewall. See the Cisco IOS Security Configuration Guide, Release 12.3, for more detailed information on traffic filtering and firewalls.

The following figure shows a network deployment using PPPoE or PPPoA with NAT and a firewall.

Figure: A router with a firewall configured
1. Multiple networked devices—Desktops, laptop PCs, switches
2. Fast Ethernet LAN interface (the inside interface for NAT)
3. PPPoE or PPPoA client and firewall implementation—Cisco 1811/1812 or Cisco 1801/1802/1803 series integrated services router, respectively
4. Point at which NAT occurs
5. Protected network
6. Unprotected network
7. Fast Ethernet or ATM WAN interface (the outside interface for NAT)






In the configuration example that follows, the firewall is applied to the outside WAN interface (FE0) on the Cisco 1811 or Cisco 1812 and protects the Fast Ethernet LAN on FE2 by filtering and inspecting all traffic entering the router on the Fast Ethernet WAN interface FE1. Note that in this example, the network traffic originating from the corporate network, network address 10.1.1.0, is considered safe traffic and is not filtered.



Configuration Tasks

Perform the following tasks to configure this network scenario:
• Configure Access Lists
• Configure Inspection Rules
• Apply Access Lists and Inspection Rules to Interfaces



Configure Access Lists

Perform these steps to create access lists for use by the firewall, beginning in global configuration mode:



Step 1
Command: access-list access-list-number { deny | permit } protocol source source-wildcard [ operator [ port ] ] destination
Example:
Router(config)# access-list 103 permit udp host 200.1.1.1 eq isakmp any
Router(config)#
Purpose: Creates an access list which prevents Internet-initiated traffic from reaching the local (inside) network of the router, and which compares source and destination ports. See the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services for details about this command.

Step 2
Command: access-list access-list-number { deny | permit } protocol source source-wildcard destination destination-wildcard
Example:
Router(config)# access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
Router(config)#
Purpose: Creates an access list that allows network traffic to pass freely between the corporate network and the local networks through the configured VPN tunnel.






Configure Inspection Rules

Perform these steps to configure firewall inspection rules for all TCP and UDP traffic, as well as specific application protocols as defined by the security policy, beginning in global configuration mode:

Step 1
Command or Action: ip inspect name inspection-name protocol
Example:
Router(config)# ip inspect name firewall tcp
Router(config)#
Purpose: Defines an inspection rule for a particular protocol.

Step 2
Command or Action: ip inspect name inspection-name protocol
Example:
Router(config)# ip inspect name firewall rtsp
Router(config)# ip inspect name firewall h323
Router(config)# ip inspect name firewall netshow
Router(config)# ip inspect name firewall ftp
Router(config)# ip inspect name firewall sqlnet
Router(config)#
Purpose: Repeat this command for each inspection rule that you wish to use.






Apply Access Lists and Inspection Rules to Interfaces

Perform these steps to apply the ACLs and inspection rules to the network interfaces, beginning in global configuration mode:

Step 1
Command: interface type number
Example:
Router(config)# interface vlan 1
Router(config-if)#
Purpose: Enters interface configuration mode for the inside network interface on your router.

Step 2
Command: ip inspect inspection-name { in | out }
Example:
Router(config-if)# ip inspect firewall in
Router(config-if)#
Purpose: Assigns the set of firewall inspection rules to the inside interface on the router.

Step 3
Command: exit
Example:
Router(config-if)# exit
Router(config)#
Purpose: Returns to global configuration mode.

Step 4
Command: interface type number
Example:
Router(config)# interface fastethernet 0
Router(config-if)#
Purpose: Enters interface configuration mode for the outside network interface on your router.

Step 5
Command: ip access-group { access-list-number | access-list-name } { in | out }
Example:
Router(config-if)# ip access-group 103 in
Router(config-if)#
Purpose: Assigns the defined ACLs to the outside interface on the router.

Step 6
Command: exit
Example:
Router(config-if)# exit
Router(config)#
Purpose: Returns to global configuration mode.






Configuration Example

A telecommuter is granted secure access to a corporate network, using IPSec tunneling. Security to the home network is accomplished through firewall inspection. The protocols that are allowed are all TCP, UDP, RTSP, H.323, NetShow, FTP, and SQLNet. There are no servers on the home network; therefore, no traffic is allowed that is initiated from outside. IPSec tunneling secures the connection from the Home LAN to the corporate network. Like the Internet Firewall Policy, HTTP need not be specified because Java blocking is not necessary. Specifying TCP inspection allows for single-channel protocols such as Telnet and HTTP. UDP is specified for DNS.

The following configuration example shows a portion of the configuration file for the simple firewall scenario described in the preceding sections.



! Firewall inspection is setup for all tcp and udp traffic as well as specific application protocols as defined by the security policy.
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall rtsp
ip inspect name firewall h323
ip inspect name firewall netshow
ip inspect name firewall ftp
ip inspect name firewall sqlnet
!
interface vlan 1
 ! This is the internal home network
 ip inspect firewall in ! inspection examines outbound traffic
 no cdp enable
!
interface fastethernet 0
 ! FE0 is the outside or internet exposed interface.
 ip access-group 103 in ! acl 103 permits ipsec traffic from the corp. router as well as denies internet initiated traffic inbound.
 ip nat outside
 no cdp enable
!
! acl 103 defines traffic allowed from the peer for the ipsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any ! allow icmp for debugging but should be disabled due to security implications.
access-list 103 deny ip any any ! prevents internet initiated traffic inbound.
no cdp run
!
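The following is an added model of the scenario configured above, not Cisco code or part of the original handbook: it parses ACL 103 as shown in the configuration example, evaluates packets arriving on the outside interface against it (first match wins, implicit deny), and models the CBAC opening that admits return traffic for TCP/UDP sessions first seen leaving through VLAN 1. The packets and the Inspector class are constructed for illustration; only the "eq" port operator is modelled.

```python
"""Added model (not Cisco code) of the scenario configured above: a packet that
arrives on the outside interface FE0 is admitted if CBAC recorded the matching
outbound session on VLAN 1 ('ip inspect firewall in'); otherwise ACL 103 decides,
first matching entry wins, with the implicit deny at the end."""
import ipaddress
from collections import namedtuple
from typing import List, Tuple

PORT_NAMES = {"isakmp": 500, "telnet": 23, "www": 80, "domain": 53}
ANY = (0, 0xFFFFFFFF)  # address 0 with an all-ones wildcard matches every address

# ACL 103 as shown in the configuration example above (IOS '!' comments kept).
ACL_103_CONFIG = """
! acl 103 defines traffic allowed from the peer for the ipsec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
access-list 103 permit icmp any any ! allow icmp for debugging
access-list 103 deny ip any any ! prevents internet initiated traffic inbound.
"""

# proto is "tcp", "udp", "icmp" or "esp"; ports default to 0 for protocols without them.
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))
# src/dst are (address, wildcard) pairs of 32-bit ints; sport/dport are None when absent.
Ace = namedtuple("Ace", "action proto src sport dst dport")

def _addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def _port(tokens, i):
    """Parse an optional 'eq <port>' operator (the only operator modelled here)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i

def parse_acl(config: str, number: int) -> List[Ace]:
    """Collect the entries of one numbered extended ACL from an IOS config excerpt."""
    aces = []
    for raw in config.splitlines():
        tokens = raw.split("!", 1)[0].split()  # strip IOS comments
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        src, i = _addr(tokens, 4)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, i = _port(tokens, i)
        aces.append(Ace(tokens[2], tokens[3], src, sport, dst, dport))
    return aces

def _addr_match(spec: Tuple[int, int], addr: str) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_action(aces: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in aces:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        if ace.sport not in (None, pkt.sport) or ace.dport not in (None, pkt.dport):
            continue
        return ace.action
    return "deny"

class Inspector:
    """CBAC session table: sessions leaving through the inside interface are
    recorded and their return traffic is admitted ahead of the inbound ACL."""

    def __init__(self, protocols=("tcp", "udp")):
        self.protocols = set(protocols)  # 'ip inspect name firewall tcp' / 'udp'
        self.sessions = set()

    def inside_out(self, pkt: Packet) -> None:
        if pkt.proto in self.protocols:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows_return(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def outside_in(inspector: Inspector, aces: List[Ace], pkt: Packet) -> str:
    """Verdict for a packet arriving on FE0: CBAC opening first, then ACL 103."""
    if inspector.allows_return(pkt):
        return "permit (cbac)"
    return acl_action(aces, pkt)
```

Running outside_in on an Internet-initiated TCP SYN returns "deny", while the reply to a Telnet session first recorded with inside_out returns "permit (cbac)" even though no ACL entry permits it, which is the temporary opening the text describes.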






UNIT IV Troubleshooting information security devices

This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  4.1 Troubleshooting the Cisco IOS Firewall Configuration
  4.2 Troubleshooting routers






LESSON PLAN



Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement
Peer group, Faculty group and Industry experts. | 2 hr in class presentations | PCs/Tablets/Laptops; Projection facilities
KA4, KA5. Peer group, Faculty group and Industry experts. | 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity. | PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
KB1 - KB4. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups. | |






Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.

Activity 3: Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.






Training Resource Material

4.1 Troubleshooting CISCO IOS Firewall configurations

• In order to reverse (remove) an access list, put a "no" in front of the access-group command in interface configuration mode:
int <type number>
no ip access-group # in|out

• If too much traffic is denied, study the logic of your list or try to define an additional broader list, and then apply it instead. For example:
access-list # permit tcp any any
access-list # permit udp any any
access-list # permit icmp any any
int <type number>
ip access-group # in|out

• The show ip access-lists command shows which access lists are applied and what traffic is denied by them. If you look at the packet count denied before and after the failed operation with the source and destination IP address, this number increases if the access list blocks traffic.

• If the router is not heavily loaded, debugging can be done at a packet level on the extended or ip inspect access list. If the router is heavily loaded, traffic is slowed through the router. Use discretion with debugging commands. Temporarily add the no ip route-cache command to the interface:
int <type number>
no ip route-cache
Then, in enable (but not config) mode:
term mon
debug ip packet # det
This produces output similar to the following:
*Mar 1 04:38:28.078: IP: s=10.31.1.161 (Serial0), d=171.68.118.100 (Ethernet0), g=10.31.1.21, len 100, forward
*Mar 1 04:38:28.086: IP: s=171.68.118.100 (Ethernet0), d=9.9.9.9 (Serial0), g=9.9.9.9, len 100, forward



• Extended access lists can also be used with the "log" option at the end of the various statements:
access-list 101 deny ip host 171.68.118.100 host 10.31.1.161 log
access-list 101 permit ip any any
You therefore see messages on the screen for permitted and denied traffic:
*Mar 1 04:44:19.446: %SEC-6-IPACCESSLOGDP: list 111 permitted icmp 171.68.118.100 -> 10.31.1.161 (0/0), 15 packets
*Mar 1 03:27:13.295: %SEC-6-IPACCESSLOGP: list 118 denied tcp 171.68.118.100(0) -> 10.31.1.161(0), 1 packet



• If the ip inspect list is suspect, the debug ip inspect command produces output such as the following:
Feb 14 12:41:17 10.31.1.52 56: 3d05h: CBAC* sis 258488 pak 16D0DC TCP P ack 3195751223 seq 3659219376(2) (10.31.1.5:11109) => (12.34.56.79:23)
Feb 14 12:41:17 10.31.1.52 57: 3d05h: CBAC* sis 258488 pak 17CE30 TCP P ack 3659219378 seq 3195751223(12) (10.31.1.5:11109)

Step 1 Enter privileged exec mode:
Router> enable
Password: XXXXXX
Router#
The enable command places the router in privileged exec mode. After entering the enable password, you receive a prompt that consists of the router name followed by a # symbol.

Step 2 List privileged exec commands:
Router# debug ?

Step 3 Use the terminal monitor command to copy debug command output and system error messages to your current terminal display. By redirecting output to your current terminal display, you can view debug command output remotely, without being connected through the console port. If you use debug commands at the console port, character-by-character processor interrupts are generated, maximizing the processor load already caused by using debug.



Using Router Diagnostic Commands

In many situations, using third-party diagnostic tools can be more useful and less intrusive than using debug commands.



Using the ping Command

To check host reachability and network connectivity, use the ping exec (user) or privileged exec command. After you log in to the router or access server, you are automatically in user exec command mode. The exec commands available at the user level are a subset of those available at the privileged level. In general, the user exec commands allow you to connect to remote devices, change terminal settings on a temporary basis, perform basic tests, and list system information. The ping command can be used to confirm basic network connectivity on AppleTalk, ISO Connectionless Network Service (CLNS), IP, Novell, Apollo, VINES, DECnet, or XNS networks.

For IP, the ping command sends Internet Control Message Protocol (ICMP) Echo messages. ICMP is the Internet protocol that reports errors and provides information relevant to IP packet addressing. If a station receives an ICMP Echo message, it sends an ICMP Echo Reply message back to the source. The extended command mode of the ping command permits you to specify the supported IP header options. This allows the router to perform a more extensive range of test options. To enter ping extended command mode, enter yes at the extended commands prompt of the ping command. It is a good idea to use the ping command when the network is functioning properly to see how the command works under normal conditions and so you have something to compare against when troubleshooting.



Using the trace Command

The trace user exec command discovers the routes that a router's packets follow when traveling to their destinations. The trace privileged exec command permits the supported IP header options to be specified, allowing the router to perform a more extensive range of test options.

The trace command works by using the error message generated by routers when a datagram exceeds its time-to-live (TTL) value. First, probe datagrams are sent with a TTL value of 1. This causes the first router to discard the probe datagrams and send back "time exceeded" error messages. The trace command then sends several probes and displays the round-trip time for each. After every third probe, the TTL is increased by one. Each outgoing packet can result in one of two error messages. A "time exceeded" error message indicates that an intermediate router has seen and discarded the probe. A "port unreachable" error message indicates that the destination node has received the probe and discarded it because it could not deliver the packet to an application. If the timer goes off before a response comes in, trace prints an asterisk (*). The trace command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence. As with ping, it is a good idea to use the trace command when the network is functioning properly to see how the command works under normal conditions and so you have something to compare against when troubleshooting.






UNIT V Configuring IDS

This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  5.1 Cisco IOS Firewall IDS feature
  5.2 Cisco IOS Firewall IDS Signature List
  5.3 Cisco IOS Firewall IDS Configuration Task List
  5.4 Configuring Snort






LESSON PLAN



Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures | Duration (Hrs) | Work Environment / Lab Requirement
Peer group, Faculty group and Industry experts. | 2 hr in class presentations | PCs/Tablets/Laptops; Projection facilities
KA4, KA5. Peer group, Faculty group and Industry experts. | 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity. | PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security
KB1 - KB4. Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups. | |






Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.

Activity 3: Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.






Training Resource Material

5.1 Cisco IOS Firewall IDS feature

The Cisco IOS Firewall IDS feature supports intrusion detection technology for midrange and high-end router platforms with firewall support. It is ideal for any network perimeter, and especially for locations in which a router is being deployed and additional security between network segments is required. It also can protect intranet and extranet connections where additional security is mandated, and branch-office sites connecting to the corporate office or Internet.

The Cisco IOS Firewall IDS feature identifies 59 of the most common attacks using "signatures" to detect patterns of misuse in network traffic. The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures. The signatures represent severe breaches of security and the most common network attacks and information-gathering scans.

The Cisco IOS Firewall IDS acts as an inline intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures.
• IDS monitors packets and sends alarms when suspicious activity is detected.
• IDS logs the event through Cisco IOS syslog or the Cisco Secure Intrusion Detection System (Cisco Secure IDS, formerly known as NetRanger) Post Office Protocol.

The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to take these actions:
• Send an alarm to a syslog server or a Cisco Secure IDS Director (centralized management interface)
• Drop the packet
• Reset the TCP connection

Cisco developed its Cisco IOS software-based intrusion-detection capabilities in Cisco IOS Firewall with flexibility in mind, so that individual signatures could be disabled in case of false positives. Also, while it is preferable to enable both the firewall and intrusion detection features of the CBAC security engine to support a network security policy, each of these features may be enabled independently and on different router interfaces. Cisco IOS software-based intrusion detection is part of the Cisco IOS Firewall.



Interaction with Cisco IOS Firewall Default Parameters

When Cisco IOS IDS is enabled, Cisco IOS Firewall is automatically enabled. Thus, IDS uses Cisco IOS Firewall default parameter values to inspect incoming sessions. Default parameter values include the following:
• The rate at which IDS starts deleting half-open sessions (modified via the ip inspect one-minute high command)
• The rate at which IDS stops deleting half-open sessions (modified via the ip inspect one-minute low command)
• The maximum incomplete sessions (modified via the ip inspect max-incomplete high and the ip inspect max-incomplete low commands)

After the incoming TCP session setup rate crosses the one-minute high water mark, the router will reset the oldest half-open session, which is the default behaviour of the Cisco IOS Firewall. Cisco IOS IDS cannot modify this default behaviour. Thus, after a new TCP session rate crosses the one-minute high water mark and a router attempts to open new connections by sending SYN packets at the same time, the latest SYN packet will cause the router to reset the half-open session that was opened by the earlier SYN packet. Only the last SYN request will survive.

Compatibility with Cisco Secure Intrusion Detection

Cisco IOS Firewall is compatible with the Cisco Secure Intrusion Detection System (formerly known as NetRanger). The Cisco Secure IDS is an enterprise-scale, real-time intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network. The Cisco Secure IDS consists of three components:
• Sensor
• Director
• Post Office

Cisco Secure IDS Sensors, which are high-speed network appliances, analyze the content and context of individual packets to determine if traffic is authorized. If a network's data stream exhibits unauthorized or suspicious activity, such as a SATAN attack, a ping sweep, or the transmission of a secret research project code word, Cisco Secure IDS Sensors can detect the policy violation in real time, forward alarms to a Cisco Secure IDS Director management console, and remove the offender from the network.

The Cisco Secure IDS Director is a high-performance, software-based management system that centrally monitors the activity of multiple Cisco Secure IDS Sensors located on local or remote network segments.

The Cisco Secure IDS Post Office is the communication backbone that allows Cisco Secure IDS services and hosts to communicate with each other. All communication is supported by a proprietary, connection-based protocol that can switch between alternate routes to maintain point-to-point connections.

Cisco Secure IDS customers can deploy the Cisco IOS Firewall IDS signatures to complement their existing IDS systems. This allows an IDS to be deployed to areas that may not be capable of supporting a Cisco Secure IDS Sensor. Cisco IOS Firewall IDS signatures can be deployed alongside or independently of other Cisco IOS Firewall features. The Cisco IOS Firewall IDS can be added to the Cisco Secure IDS Director screen as an icon to provide a consistent view of all intrusion detection sensors throughout a network. The Cisco IOS Firewall intrusion detection capabilities have an enhanced reporting mechanism that permits logging to the Cisco Secure IDS Director console in addition to Cisco IOS syslog.



Functional Description

The Cisco IOS Firewall IDS acts as an inline intrusion detection sensor, watching packets as they traverse the router's interfaces and acting upon them in a definable fashion. When a packet, or a number of packets in a session, match a signature, the Cisco IOS Firewall IDS may perform the following configurable actions:
• Alarm—Sends an alarm to a syslog server or Cisco Secure IDS Director
• Drop—Drops the packet
• Reset—Resets the TCP connection

The following describes the packet auditing process with Cisco IOS Firewall IDS:
• You create an audit rule, which specifies the signatures that should be applied to packet traffic and the actions to take when a match is found. An audit rule can apply informational and attack signatures to network packets. The signature list can have just one signature, all signatures, or any number of signatures in between. Signatures can be disabled in case of false positives or the needs of the network environment.
• You apply the audit rule to an interface on the router, specifying a traffic direction (in or out).
• If the audit rule is applied to the in direction of the interface, packets passing through the interface are audited before the inbound ACL has a chance to discard them. This allows an administrator to be alerted if an attack or information-gathering activity is underway even if the router would normally reject the activity.
• If the audit rule is applied to the out direction on the interface, packets are audited after they enter the router through another interface. In this case, the inbound ACL of the other interface may discard packets before they are audited. This may result in the loss of Cisco IOS Firewall IDS alarms even though the attack or information-gathering activity was thwarted.
• Packets going through the interface that match the audit rule are audited by a series of modules, starting with IP; then either ICMP, TCP, or UDP (as appropriate); and finally, the Application level.
• If a signature match is found in a module, then the following user-configured action(s) occur:
  – If the action is alarm, then the module completes its audit, sends an alarm, and passes the packet to the next module.
  – If the action is drop, then the packet is dropped from the module, discarded, and not sent to the next module.
  – If the action is reset, then the packets are forwarded to the next module, and packets with the reset flag set are sent to both participants of the session, if the session is TCP.

It is recommended that you use the drop and reset actions together. If there are multiple signature matches in a module, only the first match fires an action. Additional matches in other modules fire additional alarms, but only one per module.

Note: This process is different than on the Cisco Secure IDS Sensor appliance, which identifies all signature matches for each packet.






When to Use Firewall IDS

Firewall IDS capabilities are ideal for providing additional visibility at intranet, extranet, and branch-office Internet perimeters. Network administrators enjoy more robust protection against attacks on the network and can automatically respond to threats from internal or external hosts. The Firewall with intrusion detection is intended to satisfy the security goals of customers, and is particularly appropriate for the following scenarios:
• Enterprises that are interested in a cost-effective method of extending their perimeter security across all network boundaries, specifically branch-office, intranet, and extranet perimeters.
• Small and medium-sized businesses that are looking for a cost-effective router that has an integrated firewall with intrusion-detection capabilities.
• Service providers that want to set up managed services, providing firewalling and intrusion detection to their customers, all housed within the necessary function of a router.

Memory and Performance Impact

The performance impact of intrusion detection will depend on the configuration of the signatures, the level of traffic on the router, the router platform, and other individual features enabled on the router such as encryption, source route bridging, and so on. Enabling or disabling individual signatures will not alter performance significantly; however, signatures that are configured to use Access Control Lists will have a significant performance impact. For auditing atomic signatures, there is no traffic-dependent memory requirement. For auditing compound signatures, CBAC allocates memory to maintain the state of each session for each connection. Memory is also allocated for the configuration database and for internal caching.






5.2 Cisco IOS Firewall IDS Signature List

The following is a complete list of Cisco IOS Firewall IDS signatures. A signature detects patterns of misuse in network traffic. In Cisco IOS Firewall IDS, signatures are categorized into four types:
• Info Atomic
• Info Compound
• Attack Atomic
• Attack Compound

An info signature detects information-gathering activity, such as a port sweep. An attack signature detects attacks attempted into the protected network, such as denial-of-service attempts or the execution of illegal commands during an FTP session. Info and attack signatures can be either atomic or compound signatures. Atomic signatures can detect patterns as simple as an attempt to access a specific port on a specific host. Compound signatures can detect complex patterns, such as a sequence of operations distributed across multiple hosts over an arbitrary period of time.

The intrusion-detection signatures included in the Cisco IOS Firewall were chosen from a broad cross-section of intrusion-detection signatures as representative of the most common network attacks and information-gathering scans that are not commonly found in an operational network. The following signatures are listed in numerical order by their signature number in the Cisco Secure IDS Network Security Database. After each signature's name is an indication of the type of signature (info or attack, atomic or compound). Atomic signatures marked with an asterisk (Atomic*) are allocated memory for session states by CBAC.



1000 IP options-Bad Option List (Info, Atomic)
Triggers on receipt of an IP datagram where the list of IP options in the IP datagram header is incomplete or malformed. The IP options list contains one or more options that perform various network management or debugging tasks.

1001 IP options-Record Packet Route (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 7 (Record Packet Route).

1002 IP options-Timestamp (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 4 (Timestamp).

1003 IP options-Provide s,c,h,tcc (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 2 (Security options).

1004 IP options-Loose Source Route (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 3 (Loose Source Route).

1005 IP options-SATNET ID (Info, Atomic)
Triggers on receipt of an IP datagram where the IP option list for the datagram includes option 8 (SATNET stream identifier).

1006 IP options-Strict Source Route (Info, Atomic)
Triggers on receipt of an IP datagram in which the IP option list for the datagram includes option 2 (Strict Source Routing).

1100 IP Fragment Attack (Attack, Atomic)
Triggers when any IP datagram is received with the "more fragments" flag set to 1 or if there is an offset indicated in the offset field.

1101 Unknown IP Protocol (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field set to 101 or greater. These protocol types are undefined or reserved and should not be used.

1102 Impossible IP Packet (Attack, Atomic)
This triggers when an IP packet arrives with source equal to destination address. This signature will catch the so-called Land Attack.

2000 ICMP Echo Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 0 (Echo Reply).

2001 ICMP Host Unreachable (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 3 (Host Unreachable).

2002 ICMP Source Quench (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 4 (Source Quench).

2003 ICMP Redirect (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 5 (Redirect).

2004 ICMP Echo Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 8 (Echo Request).

2005 ICMP Time Exceeded for a Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 11 (Time Exceeded for a Datagram).

2006 ICMP Parameter Problem on Datagram (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 12 (Parameter Problem on Datagram).

2007 ICMP Timestamp Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 13 (Timestamp Request).

2008 ICMP Timestamp Reply (Info, Atomic)

2009 ICMP Information Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 15 (Information Request).

2010 ICMP Information Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 16 (ICMP Information Reply).

2011 ICMP Address Mask Request (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 17 (Address Mask Request).

2012 ICMP Address Mask Reply (Info, Atomic)
Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 18 (Address Mask Reply).

2151 Large ICMP Traffic (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and the IP length is greater than 1024.

2154 Ping of Death Attack (Attack, Atomic)
Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP), the Last Fragment bit is set, and
( IP offset * 8 ) + (IP data length) > 65535
In other words, the IP offset (which represents the starting position of this fragment in the original packet, and which is in 8-byte units) plus the rest of the packet is greater than the maximum size for an IP packet.



ICMP



Triggers when an IP datagram is received with the protocol field in the IP header set to 1 (ICMP) and either the more fragments flag is set to 1 (ICMP) or there is an offset indicated in the offset field.



Triggers when an IP datagram is received with the "protocol" field in the IP header set to 1 (ICMP) and the "type" field in the ICMP header set to 14 (Timestamp Reply). 



2150 Fragmented (Attack, Atomic)







3040 TCP - no bits set in flags (Attack, Atomic) Triggers when a TCP packet is received with no bits set in the flags field.







3041 TCP - SYN and FIN bits set (Attack, Atomic) Triggers when a TCP packet is received with both the SYN and FIN bits set in the flag field. 378



Trainer’s Handbook – Security Analyst SSC/ Q0903







3042 TCP - FIN bit with no ACK bit in flags (Attack, Atomic)







Counts number of Rcpt to: lines in a single mail message and alarms after a user-definable maximum has been exceeded (default is 250).



Triggers when a TCP packet is received with the FIN bit set but with no ACK bit set in the flags field. 



3050 Half-open SYN Attack/SYN Flood (Attack, Compound) Triggers when multiple TCP sessions have been improperly initiated on any of several well-known service ports. Detection of this signature is currently limited to FTP, Telnet, HTTP, and email servers (TCP ports 21, 23, 80, and 25 respectively).







3100 Smail Compound)



Attack







3101 Sendmail Invalid (Attack, Compound)







Recipient







3102 Sendmail Invalid Sender (Attack, Compound)







3103 Sendmail Reconnaissance (Attack, Compound) Triggers when "expn" or "vrfy" commands are issued to the SMTP port.







3104 Archaic Sendmail (Attack, Compound)











3105 Sendmail Decode Alias (Attack, Compound) Triggers on any mail message with ": decode@" in the header.



3152 FTP CWD Compound)



~root



(Attack,



Triggers when someone tries to execute the CWD ~root command. 



3153 FTP Improper Address Specified (Attack, Atomic*) Triggers if a port command is issued with an address that is not the same as the requesting host.







3154 FTP Improper Port Specified (Attack, Atomic*) Triggers if a port command is issued with a data port specified that is less than 1024 or greater than 65535.



Attacks



Triggers when "wiz" or "debug" commands are issued to the SMTP port.



3151 FTP SYST Command Attempt (Info, Compound) Triggers when someone tries to execute the FTP SYST command.



Triggers on any mail message with a "pipe" (|) symbol in the "From:" field. 



3150 FTP Remote Command Execution (Attack, Compound) Triggers when someone tries to execute the FTP SITE command.



Triggers on any mail message with a "pipe" (|) symbol in the recipient field. 



3107 Majordomo Execute Attack (Attack, Compound) A bug in the Majordomo program will allow remote users to execute arbitrary commands at the privilege level of the server.



(Attack,



Triggers on the very common "smail" attack against SMTP-compliant e-mail servers (frequently sendmail).



3106 Mail Spam (Attack, Compound)







4050 UDP Bomb (Attack, Atomic) Triggers when the UDP length specified is less than the IP length specified.







4100 Tftp Passwd Compound)



File



(Attack,



379



Trainer’s Handbook – Security Analyst SSC/ Q0903



Triggers on an attempt to access the passwd file (typically /etc/passwd) via TFTP. 



6100 RPC Port Registration (Info, Atomic*)



Triggers when a request is made to the portmapper for the YP update daemon (ypupdated) port. 



Triggers when attempts are made to register new RPC services on a target host. 



6101 RPC Port Unregistration (Info, Atomic*)



Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port. 



Triggers when attempts are made to unregister existing RPC services on a target host. 



6102 RPC Dump (Info, Atomic*)



6103 Proxied RPC Request (Attack, Atomic*) Triggers when a proxied RPC request is sent to the portmapper of a target host.























6151 ypbind Portmap Request (Info, Atomic*)



6152 yppasswdd Portmap Request (Info, Atomic*) Triggers when a request is made to the portmapper for the YP password daemon (yppasswdd) port.







6153 ypupdated Portmap Request (Info, Atomic*)



6180 rexd Attempt (Info, Atomic*) Triggers when a call to the rexd program is made. The remote execution daemon is the server responsible for remote program execution. This may be indicative of an attempt to gain unauthorized access to system resources. 6190 statd Buffer Overflow (Attack, Atomic*) Triggers when a large statd request is sent. This could be an attempt to overflow a buffer and gain access to system resources.



Triggers when a request is made to the portmapper for the YP bind daemon (ypbind) port. 



6175 rexd Portmap Request (Info, Atomic*) Triggers when a request is made to the portmapper for the remote execution daemon (rexd) port.



6150 ypserv Portmap Request (Info, Atomic*) Triggers when a request is made to the portmapper for the YP server daemon (ypserv) port.



6155 mountd Portmap Request (Info, Atomic*) Triggers when a request is made to the portmapper for the mount daemon (mountd) port.



Triggers when an RPC dump request is issued to a target host. 



6154 ypxfrd Portmap Request (Info, Atomic*)







8000 FTP Retrieve Password File (Attack, Atomic*) SubSig ID: 2101 Triggers on string "passwd" issued during an FTP session. May indicate someone attempting to retrieve the password file from a machine in order to crack it and gain unauthorized access to system resources 380
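To make the atomic conditions in the list above concrete, here is an added example (not code from the handbook or from Cisco) that parses raw IPv4 packets and applies eleven of the IP, ICMP and TCP atomic signatures exactly as their descriptions state them. The packet builder and the sample packets are constructed test data, not captures.

```python
"""Added example: apply Cisco IOS Firewall IDS atomic signatures 1100, 1101,
1102, 2003, 2004, 2150, 2151, 2154, 3040, 3041 and 3042 to raw IPv4 packets.
Signature numbers and conditions come from the list above; everything else
(helpers, sample packets) is constructed for this example."""
import struct


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields the atomic signatures look at."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,   # in 8-byte units, as in the list
        "proto": proto,
        "src": src,
        "dst": dst,
        "payload": pkt[ihl:],
    }


def match_signatures(pkt: bytes) -> list:
    """Return the (signature id, name) pairs that fire on a single packet."""
    ip = parse_ipv4(pkt)
    hits = []
    fragmented = ip["more_fragments"] or ip["frag_offset"] != 0
    if fragmented:                       # 1100: MF set or non-zero offset
        hits.append((1100, "IP Fragment Attack"))
    if ip["proto"] >= 101:               # 1101: undefined or reserved protocol
        hits.append((1101, "Unknown IP Protocol"))
    if ip["src"] == ip["dst"]:           # 1102: Land attack
        hits.append((1102, "Impossible IP Packet"))
    if ip["proto"] == 1:                 # ICMP
        # Only the first fragment carries the ICMP header, so read the type there.
        icmp_type = ip["payload"][0] if ip["frag_offset"] == 0 and ip["payload"] else None
        if icmp_type == 5:
            hits.append((2003, "ICMP Redirect"))
        if icmp_type == 8:
            hits.append((2004, "ICMP Echo Request"))
        if fragmented:
            hits.append((2150, "Fragmented ICMP Traffic"))
        if ip["total_len"] > 1024:
            hits.append((2151, "Large ICMP Traffic"))
        # 2154: a last fragment whose end lies beyond the 65535-byte IP maximum.
        data_len = ip["total_len"] - ip["ihl"]
        if not ip["more_fragments"] and ip["frag_offset"] * 8 + data_len > 65535:
            hits.append((2154, "Ping of Death Attack"))
    elif ip["proto"] == 6 and len(ip["payload"]) >= 14:   # TCP
        flags = ip["payload"][13] & 0x3F
        fin, syn, ack = flags & 0x01, flags & 0x02, flags & 0x10
        if flags == 0:
            hits.append((3040, "TCP - no bits set in flags"))
        if syn and fin:
            hits.append((3041, "TCP - SYN and FIN bits set"))
        if fin and not ack:
            hits.append((3042, "TCP - FIN bit with no ACK bit in flags"))
    return hits


def build_ipv4(proto, src, dst, payload, more_fragments=False, frag_offset=0):
    """Build a minimal IPv4 packet (checksum left zero; constructed test data)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                      flags_frag, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + payload


def tcp_header(flags: int) -> bytes:
    """Minimal 20-byte TCP header carrying only the given flag bits."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


def sample_packets() -> dict:
    """Constructed packets, one per condition worth checking."""
    a, b = bytes([10, 1, 1, 1]), bytes([10, 1, 1, 99])
    echo = bytes([8, 0, 0, 0, 0, 0, 0, 0])
    return {
        "icmp_echo_request": build_ipv4(1, a, b, echo),
        "land_syn": build_ipv4(6, a, a, tcp_header(0x02)),
        "syn_fin_scan": build_ipv4(6, a, b, tcp_header(0x03)),
        "null_scan": build_ipv4(6, a, b, tcp_header(0x00)),
        # last fragment at offset 8100*8 = 64800 with 1000 data bytes: 65800 > 65535
        "ping_of_death_last_fragment": build_ipv4(1, a, b, b"\x00" * 1000, frag_offset=8100),
        "unknown_protocol_200": build_ipv4(200, a, b, b""),
        "large_icmp_echo": build_ipv4(1, a, b, echo + b"\x00" * 1100),
    }


def audit_samples() -> dict:
    """Map each sample packet name to the signature ids that fire on it."""
    return {name: [sid for sid, _ in match_signatures(pkt)]
            for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, ids in audit_samples().items():
        print(f"{name:30s} {ids}")
```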



5.3 Cisco IOS Firewall IDS Configuration Task List

See the following sections for configuration tasks for the Cisco IOS Firewall Intrusion Detection System feature. Each task in the list is identified as optional or required:

• Initializing Cisco IOS Firewall IDS (Required)
• Initializing the Post Office (Required)
• Configuring and Applying Audit Rules (Required)
• Verifying the Configuration (Optional)

Initializing Cisco IOS Firewall IDS

To initialize Cisco IOS Firewall IDS on a router, use the following commands in global configuration mode:

Step 1
Command: Router(config)# ip audit smtp spam recipients
Purpose: Sets the threshold beyond which spamming in e-mail messages is suspected. Here, recipients is the maximum number of recipients in an e-mail message. The default is 250.

Step 2
Command: Router(config)# ip audit po max-events number_events
Purpose: Sets the threshold beyond which queued events are dropped from the queue for sending to the Cisco Secure IDS Director. Here, number_events is the number of events in the event queue. The default is 100. Increasing this number may have an impact on memory and performance, as each event in the event queue requires 32 KB of memory.

Step 3
Command: Router(config)# exit
Purpose: Exits global configuration mode.

Initializing the Post Office

You must reload the router every time you make a Post Office configuration change. To initialize the Post Office system, use the following commands in global configuration mode:

Step 1
Command: Router(config)# ip audit notify nr-director or Router(config)# ip audit notify log
Purpose: Sends event notifications (alarms) to either a Cisco Secure IDS Director, a syslog server, or both. For example, if you are sending alarms to a Cisco Secure IDS Director, use the nr-director keyword in the command syntax. If you are sending alarms to a syslog server, use the log keyword in the command syntax.

Step 2
Command: Router(config)# ip audit po local hostid host-id orgid org-id
Purpose: Sets the Post Office parameters for both the router (using the ip audit po local command) and the Cisco Secure IDS Director (using the ip audit po remote command). Here, host-id is a unique number between 1 and 65535 that identifies the router, and org-id is a unique number between 1 and 65535 that identifies the organization to which the router and Director both belong.

Step 3
Command: Router(config)# ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address port port-number preference preference-number timeout seconds application application-type
Purpose: Sets the Post Office parameters for the Cisco Secure IDS Director (using the ip audit po remote command).
• host-id is a unique number between 1 and 65535 that identifies the Director.
• org-id is a unique number between 1 and 65535 that identifies the organization to which the router and Director both belong.
• rmtaddress ip-address is the Director's IP address.
• localaddress ip-address is the router's interface IP address.
• port-number identifies the UDP port on which the Director is listening for alarms (45000 is the default).
• preference-number is the relative priority of the route to the Director (1 is the default). If more than one route is used to reach the same Director, then one must be a primary route (preference 1) and the other a secondary route (preference 2).
• seconds is the number of seconds the Post Office waits before it determines that a connection has timed out (5 is the default).
• application-type is either director or logger.
Note: If you are sending Post Office notifications to a Sensor, use logger instead of director as your application. Sending to a logging application means that no alarms are sent to a GUI; instead, the Cisco Secure IDS alarm data is written to a flat file, which can then be processed with filters, such as perl and awk, or staged to a database. Use logger only in advanced applications where you want the alarms only to be logged and not displayed.

Step 4
Command: Router(config)# logging console info
Purpose: Displays the syslog messages on the router console if you are sending alarms to the syslog console.

Step 5
Command: Router(config)# exit
Purpose: Exits global configuration mode.

Step 6
Command: Router# write memory
Purpose: Saves the configuration.

Step 7
Command: Router# reload
Purpose: Reloads the router.

After you have configured the router, add the Cisco IOS Firewall IDS router's Post Office information to the /usr/nr/etc/hosts and /usr/nr/etc/routes files on the Cisco Secure IDS Sensors and Directors communicating with the router. You can do this with the nrConfigure tool in Cisco Secure IDS. For more information, refer to the NetRanger User Guide.






Configuring and Applying Audit Rules

To configure and apply audit rules, use the following commands starting in global configuration mode:

Step 1
Command: Router(config)# ip audit info {action [alarm] [drop] [reset]} and Router(config)# ip audit attack {action [alarm] [drop] [reset]}
Purpose: Sets the default actions for info and attack signatures. Both types of signatures can take any or all of the following actions: alarm, drop, and reset. The default action is alarm.

Step 2
Command: Router(config)# ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
Purpose: Creates audit rules, where audit-name is a user-defined name for an audit rule. For example:
ip audit name audit-name info
ip audit name audit-name attack
The default action is alarm.
Note: Use the same name when you assign attack and info type signatures.
You can also use the ip audit name command to attach access control lists to an audit rule for filtering out sources of false alarms. In this case standard-acl is an integer representing an ACL. If you attach an ACL to an audit rule, the ACL must be defined as well:
ip audit name audit-name {info | attack} list acl-list
In the following example, ACL 99 is attached to the audit rule INFO, and ACL 99 is defined:
ip audit name INFO info list 99
access-list 99 deny 10.1.1.0 0.0.0.255
access-list 99 permit any
Note: The ACL in the preceding example is not denying traffic from the 10.1.1.0 network (as expected if it were applied to an interface). Instead, the hosts on that network are not filtered through the audit process because they are trusted hosts. On the other hand, all other hosts, as defined by permit any, are processed by the audit rule.

Step 3
Command: Router(config)# ip audit signature signature-id {disable | list acl-list}
Purpose: Disables individual signatures. Disabled signatures are not included in audit rules, as this is a global configuration change:
ip audit signature signature-number disable
To re-enable a disabled signature, use the no ip audit signature command, where signature-number is the number of the disabled signature.
You can also use the ip audit signature command to apply ACLs to individual signatures for filtering out sources of false alarms. In this case signature-number is the number of a signature, and acl-list is an integer representing an ACL:
ip audit signature signature-number list acl-list
For example, ACL 35 is attached to the 1234 signature, and then defined:
ip audit signature 1234 list 35
access-list 35 deny 10.1.1.0 0.0.0.255
access-list 35 permit any
Note: The ACL in the preceding example is not denying traffic from the 10.1.1.0 network (as expected if it were applied to an interface). Instead, the hosts on that network are not filtered through the signature because they are trusted hosts or are otherwise causing false positives to occur. On the other hand, all other hosts, as defined by permit any, are processed by the signature.

Step 4
Command: Router(config)# interface interface-number
Purpose: Enters interface configuration mode.

Step 5
Command: Router(config-if)# ip audit audit-name {in | out}
Purpose: Applies an audit rule at an interface. With this command, audit-name is the name of an existing audit rule, and the direction is either in or out.

Step 6
Command: Router(config-if)# exit
Purpose: Exits interface configuration mode.

Step 7
Command: Router(config)# ip audit po protected ip-addr [to ip-addr]
Purpose: Configures which network should be protected by the router. Here, ip-addr is the IP address to protect.

Step 8
Command: Router(config)# exit
Purpose: Exits global configuration mode.

Verifying the Configuration

You can verify that Cisco IOS Firewall IDS is properly configured with the show ip audit configuration command (see Example 1).

Example 1 Output from show ip audit configuration Command

ids2611# show ip audit configuration
Event notification through syslog is enabled
Event notification through Net Director is enabled
Default action(s) for info signatures is alarm
Default action(s) for attack signatures is alarm drop reset
Default threshold of recipients for spam signature is 25
Post Office:HostID:55 OrgID:123 Msg dropped:0
:Curr Event Buf Size:100 Configured:100
HID:14 OID:123 S:1 A:2 H:82 HA:49 DA:0 R:0 Q:0
ID:1 Dest:10.1.1.99:45000 Loc:172.16.58.99:45000 T:5 S:ESTAB *
Audit Rule Configuration
Audit name AUDIT.1
info actions alarm
attack actions alarm drop reset

You can verify which interfaces have audit rules applied to them with the show ip audit interface command (see Example 2).

Example 2 Output from show ip audit interface Command

ids2611# show ip audit interface
Interface Configuration
Interface Ethernet0
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set
Interface Ethernet1
Inbound IDS audit rule is AUDIT.1
info actions alarm
attack actions alarm drop reset
Outgoing IDS audit rule is not set



Monitoring and Maintaining Cisco IOS Firewall IDS

This section describes the EXEC commands used to monitor and maintain Cisco IOS Firewall IDS.

Command: Router# clear ip audit configuration
Purpose: Disables Cisco IOS Firewall IDS, removes all intrusion detection configuration entries, and releases dynamic resources.

Command: Router# clear ip audit statistics
Purpose: Resets statistics on packets analyzed and alarms sent.

Command: Router# show ip audit statistics
Purpose: Displays the number of packets audited and the number of alarms sent, among other information.

The following display provides sample output from the show ip audit statistics command:

Signature audit statistics [process switch:fast switch]
signature 2000 packets audited: [0:2]
signature 2001 packets audited: [9:9]
signature 2004 packets audited: [0:2]
signature 3151 packets audited: [0:12]
Interfaces configured for audit 2
Session creations since subsystem startup or last reset 11
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [2:1:0]
Last session created 19:18:27
Last statistic reset never
HID:1000 OID:100 S:218 A:3 H:14085 HA:7114 DA:0 R:0



Cisco IOS Firewall IDS Configuration Examples

The following sections provide Cisco IOS Firewall IDS configuration examples.

Cisco IOS Firewall IDS Reporting to Two Directors Example

In the following example, Cisco IOS Firewall IDS is initialized. Notice that the router is reporting to two Directors. Also notice that the AUDIT.1 audit rule will apply both info and attack signatures.

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
interface e0
 ip address 10.1.1.1 255.0.0.0
 ip audit AUDIT.1 in
interface e1
 ip address 172.16.57.1 255.255.255.0
 ip audit AUDIT.1 in

Adding an ACL to the Audit Rule Example

In the following example, an ACL is added to account for a Cisco Secure IDS Scanner (172.16.59.16) that scans for all types of attacks. As a result, no packets originating from the device will be audited.

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset
interface e0
 ip address 10.1.1.1 255.0.0.0
 ip audit AUDIT.1 in
interface e1
 ip address 172.16.57.1 255.255.255.0
 ip audit AUDIT.1 in
access-list 90 deny 172.16.59.16
access-list 90 permit any

Disabling a Signature Example

The security administrator notices that the router is generating a lot of false positives for signatures 1234, 2345, and 3456. The system administrator knows that there is an application on the network that is causing signature 1234 to fire, and it is not an application that should cause security concerns. This signature can be disabled, as illustrated in the following example:

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit signature 1234 disable
ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset
interface e0
 ip address 10.1.1.1 255.0.0.0
 ip audit AUDIT.1 in
interface e1
 ip address 172.16.57.1 255.255.255.0
 ip audit AUDIT.1 in
access-list 90 deny 172.16.59.16
access-list 90 permit any

Adding an ACL to Signatures Example

After further investigation, the security administrator discovers that the false positives for signatures 2345 and 3456 are caused by specific applications on hosts 10.4.1.1 and 10.4.1.2, as well as by some workstations using DHCP on the 172.16.58.0 subnetwork. Attaching an ACL that denies processing of these hosts stops the creation of false positive alarms, as illustrated in the following example:

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit signature 1234 disable
ip audit signature 2345 list 91
ip audit signature 3456 list 91
ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm drop reset
interface e0
 ip address 10.1.1.1 255.0.0.0
 ip audit AUDIT.1 in
interface e1
 ip address 172.16.57.1 255.255.255.0
 ip audit AUDIT.1 in
access-list 90 deny 172.16.59.16
access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any

Dual-Tier Signature Response Example

The company has now reorganized and has placed only trusted people on the 172.16.57.0 network. The work done by the employees on these networks must not be disrupted by Cisco IOS Firewall IDS, so attack signatures in the AUDIT.1 audit rule now will only alarm on a match. For sessions that originate from the outside network, any attack signature matches (other than the false positive ones that are being filtered out) are to be dealt with in the following manner: send an alarm, drop the packet, and reset the TCP session. This dual-tier method of signature response is accomplished by configuring two different audit specifications and applying each to a different ethernet interface, as illustrated in the following example:

ip audit smtp spam 25
ip audit notify nr-director
ip audit notify log
ip audit po local hostid 55 orgid 123
ip audit po remote hostid 14 orgid 123 rmtaddress 10.1.1.99 localaddress 10.1.1.1
ip audit po remote hostid 15 orgid 123 rmtaddress 10.1.2.99 localaddress 10.1.1.1
ip audit signature 1234 disable
ip audit signature 2345 list 91
ip audit signature 3456 list 91
ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm
ip audit name AUDIT.2 info action alarm
ip audit name AUDIT.2 attack action alarm drop reset
interface e0
 ip address 10.1.1.1 255.0.0.0
 ip audit AUDIT.2 in
interface e1
 ip address 172.16.57.1 255.255.255.0
 ip audit AUDIT.1 in
access-list 90 deny host 172.16.59.16
access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any
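The notes above stress that a "deny" entry in an ACL attached to an audit rule or a signature excludes a trusted source from auditing rather than dropping its traffic. The following added example (not code from the handbook or from Cisco IOS) models that evaluation order for the dual-tier configuration: per-interface rule lookup, disabled signatures, per-signature ACLs, then the rule's own ACL and actions. The configuration text is a reduced copy of the example above; the source addresses used in the checks are constructed.

```python
"""Added example: a model of how Cisco IOS Firewall IDS audit rules and ACLs
decide whether a packet is audited and which actions apply. It follows the
semantics described in the handbook notes; it is not the IOS implementation."""
from ipaddress import IPv4Address, IPv4Network

# Reduced copy of the dual-tier example (only the lines this model reads).
DUAL_TIER_CONFIG = """
ip audit signature 1234 disable
ip audit signature 2345 list 91
ip audit signature 3456 list 91
ip audit name AUDIT.1 info list 90 action alarm
ip audit name AUDIT.1 attack list 90 action alarm
ip audit name AUDIT.2 info action alarm
ip audit name AUDIT.2 attack action alarm drop reset
interface e0
 ip audit AUDIT.2 in
interface e1
 ip audit AUDIT.1 in
access-list 90 deny host 172.16.59.16
access-list 90 permit any
access-list 91 deny host 10.4.1.1
access-list 91 deny host 10.4.1.2
access-list 91 deny 172.16.58.0 0.0.0.255
access-list 91 permit any
"""


def parse_config(text: str) -> dict:
    """Parse the ip audit and access-list lines into lookup tables."""
    cfg = {"disabled": set(), "sig_acl": {}, "rules": {}, "ifaces": {}, "acls": {}}
    iface = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["ip", "audit", "signature"]:
            if w[4] == "disable":
                cfg["disabled"].add(int(w[3]))
            elif w[4] == "list":
                cfg["sig_acl"][int(w[3])] = int(w[5])
        elif w[:3] == ["ip", "audit", "name"]:
            name, kind, rest, acl = w[3], w[4], w[5:], None
            if rest and rest[0] == "list":
                acl, rest = int(rest[1]), rest[2:]
            actions = rest[1:] if rest and rest[0] == "action" else ["alarm"]  # default: alarm
            cfg["rules"].setdefault(name, {})[kind] = {"acl": acl, "actions": actions}
        elif w[0] == "interface":
            iface = w[1]
        elif w[:2] == ["ip", "audit"] and iface and len(w) == 4 and w[3] in ("in", "out"):
            cfg["ifaces"][(iface, w[3])] = w[2]
        elif w[0] == "access-list":
            if w[3] == "any":
                net = IPv4Network("0.0.0.0/0")
            elif w[3] == "host":
                net = IPv4Network(w[4] + "/32")
            elif len(w) == 5:   # address plus wildcard (host) mask
                net = IPv4Network(f"{w[3]}/{w[4]}", strict=False)
            else:               # bare address means a single host
                net = IPv4Network(w[3] + "/32")
            cfg["acls"].setdefault(int(w[1]), []).append((w[2], net))
    return cfg


def acl_permits(cfg: dict, acl_num: int, src: IPv4Address) -> bool:
    """Standard ACL: first matching entry wins, no match is an implicit deny.
    For the IDS, permit means 'audit this source' and deny means 'trusted, skip'."""
    for verb, net in cfg["acls"].get(acl_num, []):
        if src in net:
            return verb == "permit"
    return False


def evaluate(cfg: dict, iface: str, direction: str, src_ip: str, sig_id: int, sig_kind: str):
    """Return (actions, reason); actions is None when the packet is not audited."""
    src = IPv4Address(src_ip)
    name = cfg["ifaces"].get((iface, direction))
    if name is None:
        return None, f"no audit rule on {iface} {direction}"
    if sig_id in cfg["disabled"]:
        return None, f"signature {sig_id} is disabled"
    sig_acl = cfg["sig_acl"].get(sig_id)
    if sig_acl is not None and not acl_permits(cfg, sig_acl, src):
        return None, f"{src} excluded from signature {sig_id} by ACL {sig_acl}"
    rule = cfg["rules"][name][sig_kind]
    if rule["acl"] is not None and not acl_permits(cfg, rule["acl"], src):
        return None, f"{src} excluded from {name} by ACL {rule['acl']}"
    return rule["actions"], f"{name} {sig_kind}"


if __name__ == "__main__":
    cfg = parse_config(DUAL_TIER_CONFIG)
    for args in [("e1", "in", "172.16.57.10", 3040, "attack"),
                 ("e0", "in", "192.0.2.5", 3040, "attack"),
                 ("e0", "in", "10.4.1.1", 2345, "attack"),
                 ("e1", "in", "172.16.59.16", 3040, "info")]:
        print(args, "->", evaluate(cfg, *args))
```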






5.4 Configuring Snort

Snort is an open source network intrusion detection system (NIDS) created by Martin Roesch. Snort is a packet sniffer that monitors network traffic in real time, scrutinizing each packet closely to detect a dangerous payload or suspicious anomalies. There are two types of IDS, host-based and network-based; Snort is a network-based IDS. This network intrusion detection and prevention system works through traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various preprocessors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Snort can be run in 4 modes:

- sniffer mode: snort will read the network traffic and print it to the screen.
- packet logger mode: snort will record the network traffic to a file.
- IDS mode: network traffic matching security rules will be recorded (mode used in our tutorial).
- IPS mode: also known as snort-inline (IPS = Intrusion prevention system).

Another tool is needed to display the logs generated by the Snort IDS and sent into the database. This tool is BASE, for Basic Analysis and Security Engine. It is in fact a PHP script displaying alerts on a web interface. Snort can be downloaded from http://www.snort.org/dl/. In order to install and configure Snort, access the Snort Manual available at http://manual.snort.org/.






5.5. Configuring Suricata

The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. More about Suricata at suricata-ids.org.

IDS/IPS Development and features

Suricata is a rule-based ID/PS engine that utilises externally developed rule sets to monitor network traffic and provide alerts to the system administrator when suspicious events occur. Designed to be compatible with existing network security components, Suricata features unified output functionality and pluggable library options to accept calls from other applications. The initial release of Suricata runs on a Linux 2.6 platform that supports inline and passive traffic monitoring configuration capable of handling multiple gigabit traffic levels. Linux 2.4 is supported with reduced configuration functionality, such as no inline option. Available under Version 2 of the General Public License, Suricata eliminates the ID/PS engine cost concerns while providing a scalable option for the most complex network security architectures.

The goal of the Suricata Project Phase 1 was to have a distributable and functional ID/PS engine. The initial beta release was made available for download on January 1, 2010. The engine supports or provides the following functionality: the latest Snort VRT, Snort logging, rule language options, multi-threading, hardware acceleration (with hardware and network card dependencies/limitations), unified output enabling interaction with external log management systems, IPv6, rule-based IP reputation, library plug-ability for interaction with other applications, performance statistics output, and a simple and effective getting started user manual. By engaging the open source community and the leading ID/PS rule set resources available, OISF has built the Suricata engine to simplify the process of maintaining optimum security levels. Through strategic partnerships, OISF is leveraging the expertise of Emerging Threats (www.emergingthreats.net) and other prominent resources in the industry to provide the most current and comprehensive rule sets available. The HTP Library is an HTTP normaliser and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

Multi-threading

As a multi-threaded engine, Suricata offers increased speed and efficiency in network traffic analysis. In addition to hardware acceleration (with hardware and network card limitations), the engine is built to utilise the increased processing power offered by the latest multi-core CPU chip sets. Suricata is developed for ease of implementation and accompanied by a step-by-step getting started documentation and user manual.

In order to install and use Suricata please follow https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation






UNIT VI IPS Configuration

This Unit covers:
 Lesson Plan
 Suggested Learning Activities
 Training Resource Material
6.1 Understanding IPS Network Sensing
6.2 Overview of IPS Configuration






LESSON PLAN

Outcomes

To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures / Duration (Hrs) / Work Environment / Lab Requirement

PC2: Peer group, Faculty group and Industry experts. Duration: 2 hr in class presentations. Lab requirement: PCs/Tablets/Laptops; Projection facilities.

KA4, KA5: Peer group, Faculty group and Industry experts. Duration: 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity. Lab requirement: PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security.

KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.






Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.

Activity 3: Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.






Training Resource Material Cisco Intrusion System



Prevention (IPS)



Sensors are network devices that perform real-time monitoring of network traffic for suspicious activities and active network attacks. The IPS sensor analyses network



packets and flows to determine whether their contents appear to indicate an attack against your network.



6.1 Understanding IPS Network Sensing

Network sensing can be accomplished using Cisco IPS sensors (appliances, switch modules, network modules, and SSMs) and Cisco IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco ISRs). These sensing platforms are components of the Cisco Intrusion Prevention System and can be managed and configured through Cisco Security Manager. These sensing platforms monitor and analyse network traffic in real time. They do this by looking for anomalies and misuse on the basis of network flow validation, an extensive embedded signature library, and anomaly detection engines. However, these platforms differ in how they can respond to perceived intrusions.

Cisco IPS sensors and Cisco IOS IPS devices are often referred to collectively as IPS devices or simply sensors. However, Cisco IOS IPS does not run the full dedicated IPS software, and its configuration does not include IPS device-specific policies. Additionally, the amount of sensing that you can perform with Cisco IOS IPS is more limited. The following sections focus on using dedicated IPS devices, including service modules installed in IOS routers, rather than Cisco IOS IPS. When an IPS device detects unauthorized network activity, it can terminate the connection, permanently block the associated host, and take other actions.



This section contains the following topics:
• Capturing Network Traffic
• Correctly Deploying the Sensor
• Tuning the IPS

Capturing Network Traffic

The sensor can operate in either promiscuous or inline mode. The following illustration shows how you can deploy a combination of sensors operating in both inline (IPS) and promiscuous (IDS) modes to protect your network.






Figure 1: Comprehensive IPS Deployment Solutions



The command and control interface is always Ethernet. This interface has an assigned IP address, which allows it to communicate with the manager workstation or network devices (Cisco switches, routers, and firewalls). Because this interface is visible on the network, you should use encryption to maintain data privacy. SSH is used to protect the CLI and TLS/SSL is used to protect the manager workstation. SSH and TLS/SSL are enabled by default on the manager workstations.

When responding to attacks, the sensor can do the following:

• Insert TCP resets via the sensing interface. You should select the TCP reset action only on signatures associated with a TCP-based service. If selected as an action on non-TCP-based services, no action is taken. Additionally, TCP resets are not guaranteed to tear down an offending session because of limitations in the TCP protocol.

• Make ACL changes on switches, routers, and firewalls that the sensor manages. ACLs may block only future traffic, not current traffic.

• Generate IP session logs, session replay, and trigger packets display. IP session logs are used to gather information about unauthorized use. IP log files are written when events occur that you have configured the appliance to look for.

• Implement multiple packet drop actions to stop worms and viruses.



Correctly Deploying the Sensor

Before you deploy and configure your sensors, you should understand the following about your network:

• The size and complexity of your network.
• Connections between your network and other networks, including the Internet.
• The amount and type of traffic on your network.

This knowledge will help you determine how many sensors are required, the hardware configuration for each sensor (for example, the size and type of network interface cards), and how many managers are needed. You should always position the IPS sensor behind a perimeter-filtering device, such as a firewall or adaptive security appliance. The perimeter device filters traffic to match your security policy, thus allowing acceptable traffic into your network. Correct placement significantly reduces the number of alerts, which increases the amount of actionable data you can use to investigate security violations. If you position the IPS sensor on the edge of your network in front of a firewall, your sensor will produce alerts on every single scan and attempted attack even if they have no significance to your network implementation. You will receive hundreds, thousands, or even millions of alerts (in a large enterprise environment) that are not really critical or actionable in your environment. Analysing this type of data is time consuming and costly.



Tuning the IPS

Tuning the IPS ensures that the alerts you see reflect true actionable information. Without tuning the IPS, it is difficult to do security research or forensics on your network because you will have thousands of benign events, also known as false positives. False positives are a by-product of all IPS devices, but they occur much less frequently in Cisco IPS devices because Cisco IPS devices are stateful, normalized, and use vulnerability signatures for attack evaluation. Cisco IPS devices also provide risk rating, which identifies high risk events, and policy-based management, which lets you deploy rules to enforce IPS signature actions based on risk rating. Follow these tips when tuning your IPS sensors:

• Place your sensor on your network behind a perimeter-filtering device. Proper sensor placement can reduce the number of alerts you need to examine by several thousand a day.

• Deploy the sensor with the default signatures in place. The default signature set provides you with a very high security protection posture. The Cisco signature team has spent many hours on testing the defaults to give your sensor the highest protection. If you think that you have lost these defaults, you can restore them.

• Make sure that the event action override is set to drop packets with a risk rating greater than 90. This is the default and ensures that high risk alerts are stopped immediately.

• Filter out known false positives caused by specialized software, such as vulnerability scanners and load balancers, by one of the following methods:
  – You can configure the sensor to ignore the alerts from the IP addresses of the scanner and load balancer.
  – You can configure the sensor to allow these alerts and then use Event Viewer to filter out the false positives.

• Filter the Informational alerts. These low-priority event notifications could indicate that another device is doing reconnaissance on a device protected by the IPS. Research the source IP addresses from these Informational alerts to determine what the source is.

• Analyze the remaining actionable alerts:
  – Research the alert.
  – Fix the attack source.
  – Fix the destination host.
  – Modify the IPS policy to provide more information.






6.2 Overview of IPS Configuration

There are a wide variety of devices on which you can configure the Intrusion Prevention System. From a configuration point of view, you can separate the devices into two groups: dedicated appliances and service modules (for routers, switches, and ASA devices) that run the full IPS software; and IPS-enabled routers running Cisco IOS Software 12.4(11)T and later (Cisco IOS IPS). The following procedure is an overview of IPS configuration on dedicated appliances and service modules.



Step 1. Install and connect the device to your network. Install the device software and perform basic device configuration. Install the licenses required for all of the services running on the device. The amount of initial configuration that you perform influences what you will need to configure in Security Manager. Follow the instructions in the Installing Cisco Intrusion Prevention System Appliances and Modules document for the IPS version you are using.

Step 2. Add the device to the Security Manager device inventory. You can discover router and Catalyst switch modules when adding the device in which the module is installed. For ASA devices, you must add the service module separately.

Step 3. Configure the interfaces as described in Configuring Interfaces. You must enable the interfaces connected to your network for the device to function. For certain types of service module, there are additional policies to configure:
• Router-hosted service modules —Configure the IPS Module interface settings policy on the router.
• IDSM —Configure the IDSM Settings Catalyst platform policy.
• IPS modules on ASA devices —Configure the Platform > Service Policy Rules > IPS, QoS, and Connection Rules policy on the host ASA to specify the traffic that should be inspected.

Step 4. Use the Virtual Sensors policy to assign interfaces to the virtual sensors, including the base vs0 virtual sensor that exists for all IPS devices. If the device supports it, and you have a need for it, you can also create user-defined virtual sensors so that a single device acts like multiple sensors. Most of the IPS configuration is done on the parent device, but you can configure unique settings per virtual sensor for signatures, anomaly detection, and event actions.

Step 5. Configure basic device access platform policies. These policies determine who can log into the device:
• AAA —Configure this policy if you want to use a RADIUS server to control access to the device. You can use AAA control in conjunction with local user accounts defined in the User Accounts policy.
• Allowed Hosts —The addresses of hosts who are allowed access. Ensure that the Security Manager server is included as an allowed host, or you cannot configure the device using Security Manager.
• SNMP —Configure this policy if you want to use an SNMP application to manage the device.
• Password Requirements —You can define the acceptable characteristics of a user password.
• User Accounts —The user accounts defined on the device.

Step 6. Configure basic server access platform policies. These policies identify the servers to which the device can connect:
• External Product Interface —If you use Management Center for Cisco Security Agents, configure this policy to allow the sensor to download host postures from the application.
• NTP —Configure this policy if you want to use a Network Time Protocol server to control the device time.
• DNS, HTTP Proxy —The DNS and HTTP Proxy policies are required only if you configure global correlation. They identify a server that can resolve DNS names to IP addresses. Use the HTTP Proxy policy if your network requires the use of a proxy to make Internet connections; otherwise, use the DNS policy.

Step 7. Configure the Logging policy if you want non-default logging.

Step 8. Configure IPS signatures and event actions. Event action policies are easier to configure than creating custom signatures, so try to use event action filters and overrides to modify signature behaviour before trying to edit specific signatures.

Step 9. If you use any of the Request Block or Request Rate Limit event actions, configure blocking or rate limiting hosts.

Step 10. Configure other desired advanced IPS services.

Step 11. Maintain the device:
• Update and redeploy configurations as necessary.
• Apply updated signature and engine packages.
• Manage the device licenses. You can update and redeploy licenses, or automate license updates.
• Manage the certificates required for SSL (HTTPS) communication. These certificates expire, so you need to regenerate them approximately every 2 years.

Step 12. Monitor the device:
• Use the Event Viewer application to view alerts generated from the device. You can open Event Viewer from the Launch menu in Configuration Manager or Report Manager, or from the Windows Start menu.
• Use the Report Manager application to generate reports on IPS usage, including comparisons of inline vs. promiscuous mode, and global correlation vs. traditional inspection. You can also analyze top attackers, victims, signatures, blocked signatures, and perform target analysis.






Identifying Allowed Hosts

Use the Allowed Hosts policy to identify which hosts or networks have permission to access the IPS sensor. By default, no hosts are permitted to access a sensor, so you must add hosts or networks to this policy. Specifically, you must add either the IP address of the Security Manager server, or its network address, or Security Manager cannot configure the device. Also add the addresses of all other management hosts that you use, such as CS-MARS. If you add host addresses only, you will be limited to using those workstations to access the device. Instead, you can specify network addresses to allow all hosts connected to specific “safe” networks access.

Step 1 Do one of the following to open the Allowed Hosts policy:
• (Device view) Select Platform > Device Admin > Device Access > Allowed Hosts from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Allowed Hosts, then select an existing policy or create a new one.

Step 2 Do one of the following:
• To add an entry, click the Add Row button and fill in the Access List dialog box. You can add up to 512 entries.
• To edit an entry, select it and click the Edit Row button.
• To delete an entry, select it and click the Delete Row button.

Step 3 When adding or editing an entry, specify the host or network address in the Add or Modify Access List dialog box, then click OK. You can enter addresses using the following formats:
• Host address—A simple IP address, such as 10.100.10.10.
• Network address—A network address and mask, such as 10.100.10.0/24 or 10.100.10.0/255.255.255.0.
• A network/host policy object—Click Select to select an existing object or to create a new one. To use the object in this policy, it must have a single value, either a single network or a single host.
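The procedure above says the sensor denies every host by default and that the Security Manager server must be in the list or the device cannot be configured. The following is an added example, not code from the handbook or from Cisco Security Manager: it parses entries in the three accepted formats (host, prefix-length network, dotted-mask network) and checks, before deployment, that no management station would be locked out. The function names, the 10.100.x.x policy and the management addresses are constructed for the example.

```python
"""Added example, not from the handbook or from Cisco Security Manager: a
checker for Allowed Hosts entries in the three formats the policy accepts,
used to confirm before deployment that the Security Manager server and any
other management stations (such as CS-MARS) are not locked out. Sample
addresses are constructed."""
import ipaddress

MAX_ENTRIES = 512   # the Allowed Hosts policy holds up to 512 entries


def parse_allowed_entry(text):
    """Parse one entry: a host (10.100.10.10), a network with prefix length
    (10.100.10.0/24) or a network with dotted mask (10.100.10.0/255.255.255.0).
    A bare host becomes a /32. strict=True rejects an address whose host bits
    are set for the given mask (for example 10.100.10.5/24), which usually
    means the address and mask do not belong together."""
    return ipaddress.ip_network(text.strip(), strict=True)


def entry_is_valid(text):
    """True if the entry is in one of the accepted formats."""
    try:
        parse_allowed_entry(text)
        return True
    except ValueError:
        return False


def build_allowed_hosts(entries):
    """Parse a whole policy, enforcing the entry limit."""
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries allowed, got {len(entries)}")
    return [parse_allowed_entry(e) for e in entries]


def is_allowed(networks, host):
    """The sensor's default is deny: a host gets access only if it falls
    inside at least one entry."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)


def check_management_access(entries, management_hosts):
    """Map each management station to whether the policy admits it."""
    networks = build_allowed_hosts(entries)
    return {h: is_allowed(networks, h) for h in management_hosts}


def missing_managers(entries, management_hosts):
    """Management stations the policy as written would lock out."""
    report = check_management_access(entries, management_hosts)
    return [h for h, ok in report.items() if not ok]


def policy_is_deployable(entries, management_hosts):
    """Pre-deployment gate: entry count within the limit, every entry in an
    accepted format, and no management station denied."""
    if len(entries) > MAX_ENTRIES or not all(entry_is_valid(e) for e in entries):
        return False
    return not missing_managers(entries, management_hosts)


# Constructed sample policy: one host entry and the two equivalent network forms.
SAMPLE_POLICY = ["10.100.10.10", "10.100.20.0/24", "10.100.30.0/255.255.255.0"]
# Constructed management stations; 192.0.2.7 is deliberately not covered.
SAMPLE_MANAGERS = ["10.100.10.10", "10.100.20.45", "10.100.30.200", "192.0.2.7"]

if __name__ == "__main__":
    for host, ok in check_management_access(SAMPLE_POLICY, SAMPLE_MANAGERS).items():
        print(f"{host:15} {'allowed' if ok else 'DENIED: add before deploying'}")
    print("deployable:", policy_is_deployable(SAMPLE_POLICY, SAMPLE_MANAGERS))
```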






Configuring SNMP

SNMP is an application layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. SNMP is a simple request/response protocol. The network-management system issues a request, and managed devices return responses. This behaviour is implemented by using one of four protocol operations: Get, Get Next, Set, and Trap. You can configure the sensor for monitoring by SNMP. SNMP defines a standard way for network management stations to monitor the health and status of many types of devices, including switches, routers, and sensors. You can configure the sensor to send SNMP traps. SNMP traps enable an agent to notify the management station of significant events by way of an unsolicited SNMP message.

Trap-directed notification has the following advantage—if a manager is responsible for a large number of devices, and each device has a large number of objects, it is impractical to poll or request information from every object on every device. The solution is for each agent on the managed device to notify the manager without solicitation. It does this by sending a message known as a trap of the event. After receiving the event, the manager displays it and can take an action based on the event. For example, the manager can poll the agent directly, or poll other associated device agents to get a better understanding of the event. Trap-directed notification results in substantial savings of network and agent resources by eliminating frivolous SNMP requests. However, it is not possible to totally eliminate SNMP polling. SNMP requests are required for discovery and topology changes. In addition, a managed device agent cannot send a trap if the device has had a catastrophic outage.

This procedure describes how to configure SNMP on an IPS sensor so that you can manage the sensor with an SNMP management station, including the configuration of traps.

Step 1 Do one of the following to open the SNMP policy:
• (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector.
• (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an existing policy or create a new one.

Step 2 On the General Configuration tab, configure at least the following options.
• Enable SNMP Gets/Sets —Select this option to enable the SNMP management workstation to obtain (get) information, and to modify (set) values on the IPS sensor. If you do not enable this option, the management workstation cannot manage this sensor.
• Read-Only Community String —The community string required for read-only access to the sensor. SNMP get requests from the management station must supply this string to get responses from the sensor. This string gives access to all SNMP get requests.
• Read-Write Community String —The community string required for read-write access to the sensor. SNMP set requests from the management station must supply this string to get responses from the sensor; it can also be used on get requests. This string gives access to all SNMP get and set requests.

Step 3 If you want to configure SNMP traps, click the SNMP Trap Configuration tab and configure at least the following options.
• Enable Notifications —Select this option to allow the sensor to send SNMP traps.
• Trap Destinations —Add the SNMP management stations that should be trap destinations. Click the Add Row (+) button to add a new destination, or select a destination and click the Edit Row (pencil) button to change its configuration. To remove a destination, select it and click the Delete Row (trash can) button. When adding or editing a trap destination, the trap community string that you enter overrides the default community string entered on the SNMP Trap Configuration tab. The community string appears in the traps sent to this destination and is useful if you are receiving multiple types of traps from multiple agents. For example, a router or sensor could be sending the traps, and if you put something that identifies the router or sensor specifically in your community string, you can filter the traps based on the community string.

Step 4 If you configure trap destinations, you must also ensure that the desired alerts include the Request SNMP Trap action. You have the following options for adding this action:
• (Easy way.) Create an event action override to add the Request SNMP Trap action to all alerts of a specified risk rating (IPS > Event Actions > Event Action Overrides policy). For example, you could generate traps for all alerts with a risk rating between 85-100. Event action overrides let you add an action without individually editing each signature.
• (Precise way.) Edit the Signatures policy (IPS > Signatures > Signatures) to add the Request SNMP Trap action to the signatures for which you want to send trap notifications. Traps are sent only for signatures that you configure to send traps. If the signature has Default for the source, you have to change the source to the Local source before you can change the action. However, if you right-click the Action cell in the signatures table and select Edit Actions, then select Request SNMP Trap (along with any other desired action) and click OK, the source is automatically changed to Local.

Step 5 Add the SNMP management stations to the Allowed Hosts policy. The management stations must be allowed hosts to access the sensor.






General SNMP Configuration Options

Use the General Configuration tab on the SNMP page to configure general SNMP parameters and apply them to IPS sensors.

Table 1: General Configuration Tab, SNMP Policy for IPS Sensors

Navigation Path
• (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Select the General Configuration tab.
• (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an existing policy or create a new one. Select the General Configuration tab.

Field Reference (Element —Description)

Enable SNMP Gets/Sets —Whether to enable the SNMP management workstation to obtain (get) information, and modify (set) values on the IPS sensor. If you do not enable this option, the management workstation cannot manage this sensor; the sensor will not respond to SNMP requests.

Read-Only Community String —The community string required for read-only access to the sensor. SNMP get requests from the management station must supply this string to get responses from the sensor. This string gives access to all SNMP get requests. Use the string to help identify the sensor.

Read-Write Community String —The community string required for read-write access to the sensor. SNMP set requests from the management station must supply this string to get responses from the sensor; it can also be used on get requests. This string gives access to all SNMP get and set requests. Use the string to help identify the sensor.

Sensor Contact —The network administrator or contact point who is responsible for this sensor.

Sensor Location —The physical location of the sensor, such as building address, name, and room number.

Sensor Agent Port —The port to use for SNMP get/set communication with the sensor. The default is 161. The valid range is 1 to 65535. Enter a port number or the name of a port list object, or click Select to select a port list object from a list or to create a new object. The port list object must identify a single port.

SNMP Agent Protocol —The protocol you are using for SNMP, either UDP (the default) or TCP. Select the protocol used by your SNMP management station.






SNMP Trap Configuration Tab

Use the SNMP Trap Communication tab on the SNMP page to configure traps and apply them to sensors, and to identify the recipients that the traps should be sent to.

Table 2: SNMP Trap Configuration Tab, SNMP Policy for IPS Sensors

Navigation Path
• (Device view) Select Platform > Device Admin > Device Access > SNMP from the Policy selector. Select the SNMP Trap Configuration tab.
• (Policy view) Select IPS > Platform > Device Admin > Device Access > SNMP, then select an existing policy or create a new one. Select the SNMP Trap Configuration tab.

Field Reference (Element —Description)

Enable Notifications —Whether to enable the sensor to send trap notifications to the trap destinations whenever a specific type of event occurs in a sensor. If you do not select this option, the sensor does not send traps. Tip: To have the sensor send SNMP traps, you must also select Request SNMP Trap as the event action when you configure signatures. Traps are sent only for signatures that you configure to send traps.

Error Filter —The type of events that will generate SNMP traps based on the severity of the event: fatal, error, or warning. Select all severities that you want; use Ctrl+click to select multiple values. The sensor sends notifications of events of the selected severities only.

Enable Detail Traps —Whether to include the full text of the alert in the trap. If you do not select this option, sparse mode is used. Sparse mode includes less than 484 bytes of text for the alert.

Default Trap Community String —The community string used for the traps if no specific string has been set for the trap destination in the Trap Destinations table. Tip: All traps carry a community string. By default, all traps that have a community string identical to that of the destination are taken by the destination. All other traps are discarded by the destination. However, you can configure the destination to determine which trap strings to accept.

Trap Destinations table —The SNMP management stations that will be sent trap notifications. The table shows the IP address of the management station, the community string added to traps from this sensor, and the port to which traps are sent.
• To add a destination, click the Add Row button and fill in the Add SNMP Trap Communication dialog box.
• To edit a destination, select it, click the Edit Row button and make your changes.
• To delete a destination, select it and click the Delete Row button.
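Two passages above describe the same pipeline from different ends: the tuning tip that an event action override drops packets with a risk rating greater than 90 (and Step 4 of Configuring SNMP, which adds Request SNMP Trap the same way for risk ratings 85-100), and this table, whose Enable Notifications, Detail and community-string settings decide what each trap destination actually receives. The following is an added example, not code from the handbook or from Cisco's IPS software, modelling both: overrides applied by risk rating, then trap dispatch with the default and per-destination community strings, sparse-mode truncation, and the receiving station's match-or-discard rule. All signature IDs, addresses, community strings and the "Deny Packet" action name are constructed.

```python
"""Added example, not from the handbook or from Cisco's software: a model of
how an event action override adds Request SNMP Trap (and the default drop
action) by risk rating, and how the SNMP Trap Configuration settings decide
which trap each destination receives. All names and data are constructed."""

SPARSE_LIMIT = 484          # sparse mode carries fewer than 484 bytes of alert text
TRAP_ACTION = "Request SNMP Trap"

# Overrides as (lowest RR, highest RR, action). Risk ratings are integers
# 0-100, so "greater than 90" is the range 91-100. "Deny Packet" is a
# constructed stand-in; the handbook only says "drop packets".
OVERRIDES = [
    (85, 100, TRAP_ACTION),      # the "easy way" from Step 4: traps for RR 85-100
    (91, 100, "Deny Packet"),    # default tuning tip: drop packets with RR > 90
]

# Constructed alerts. The third has the trap action set on its signature
# directly (the "precise way") and a long text to show sparse truncation.
SAMPLE_ALERTS = [
    {"sig_id": 1001, "risk_rating": 95, "actions": {"Produce Alert"},
     "text": "constructed alert: exploit attempt against web server"},
    {"sig_id": 1002, "risk_rating": 87, "actions": {"Produce Alert"},
     "text": "constructed alert: suspicious flow"},
    {"sig_id": 1003, "risk_rating": 60, "actions": {"Produce Alert", TRAP_ACTION},
     "text": "x" * 600},
    {"sig_id": 1004, "risk_rating": 40, "actions": {"Produce Alert"},
     "text": "constructed alert: informational"},
]

# The SNMP Trap Configuration tab, modelled as a dict. The second destination
# sets its own community string; the first inherits the default.
TRAP_CONFIG = {
    "enable_notifications": True,
    "detail": False,                      # sparse mode
    "default_community": "ipsmon",
    "destinations": [
        {"ip": "10.100.10.50", "port": 162},
        {"ip": "10.100.10.51", "port": 162, "community": "ips-sensor-a"},
    ],
}


def apply_event_action_overrides(alert, overrides):
    """Effective action set: the signature's own actions plus every override
    whose risk-rating range covers this alert."""
    actions = set(alert["actions"])
    for low, high, action in overrides:
        if low <= alert["risk_rating"] <= high:
            actions.add(action)
    return actions


def build_trap(alert, community, detail):
    """The trap the sensor would emit for one alert. Detail mode carries the
    full alert text; sparse mode truncates it to fewer than 484 bytes."""
    text = alert["text"].encode()
    if not detail:
        text = text[:SPARSE_LIMIT - 1]
    return {"sig_id": alert["sig_id"], "risk_rating": alert["risk_rating"],
            "community": community, "text": text.decode(errors="ignore")}


def dispatch_traps(alerts, trap_cfg, overrides):
    """(destination ip, port, trap) tuples the sensor would send. Nothing is
    sent unless notifications are enabled, and an alert produces traps only
    when its effective actions include Request SNMP Trap."""
    sent = []
    if not trap_cfg["enable_notifications"]:
        return sent
    for alert in alerts:
        if TRAP_ACTION not in apply_event_action_overrides(alert, overrides):
            continue
        for dest in trap_cfg["destinations"]:
            # A per-destination string overrides the default trap community string.
            community = dest.get("community") or trap_cfg["default_community"]
            sent.append((dest["ip"], dest["port"],
                         build_trap(alert, community, trap_cfg["detail"])))
    return sent


def receiver_accepts(expected_community, trap):
    """Default management-station behaviour from the table: take traps whose
    community string matches the configured one, discard all others."""
    return trap["community"] == expected_community


if __name__ == "__main__":
    for ip, port, trap in dispatch_traps(SAMPLE_ALERTS, TRAP_CONFIG, OVERRIDES):
        ok = receiver_accepts("ips-sensor-a", trap)
        print(f"{ip}:{port} sig {trap['sig_id']} RR {trap['risk_rating']} "
              f"community={trap['community']!r} "
              f"{'accepted' if ok else 'discarded'} by a station expecting 'ips-sensor-a'")
```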






SNMP Trap Communication Dialog Box

Use the Add or Modify SNMP Trap Communication dialog box to configure SNMP trap destinations. These are the SNMP management stations that should receive traps from the IPS sensor.

Table 3: SNMP Trap Communication Dialog Box

Navigation Path: Go to the IPS Platform > Device Admin > Device Access > SNMP policy, select the SNMP Trap Configuration tab, and click the Add Row button beneath the Trap Destinations table, or select a destination in the table and click the Edit Row button.

Field Reference (Element —Description)

IP Address —The IP address of the SNMP management station that should receive trap notifications. Enter the IP address or the name of a network/host object, or click Select to select the object from a list or to create a new object. The network/host object must specify a single host IP address.

Trap Community String —The community string of the trap. If you do not enter a trap string, the default trap string defined on the SNMP Trap Communication tab is used for traps sent to this destination.

Trap Port —The port used by the SNMP management station to receive traps. Enter the port number or the name of a port list object, or click Select to select the object from a list or to create a new one. The port list object must identify a single port.



Managing User Accounts and Password Requirements

You can configure user accounts and passwords, and general password requirements, for your IPS devices. You can configure local users (defined directly on the device), use a RADIUS AAA server, or use them both in conjunction. The policies used are the AAA, User Accounts, and Password Requirements policies in the Platform > Device Admin > Device Access folder. When you create or edit a local user account in Security Manager, the password you enter must satisfy the requirements defined in the Password Requirements policy. This ensures that new passwords meet your security requirements.

If you change the password requirements, and then make changes to any local user account, the new requirements must be met by all user accounts that have passwords managed by Security Manager. This is because Security Manager reconfigures the passwords for all managed accounts if any single account needs to be reconfigured. The User Accounts policy allows you to centrally manage the local user accounts for your IPS devices. Using a shared policy can help you ensure that all IPS devices contain the same accounts with the same passwords. However, it is important to understand that passwords are encrypted, so Security Manager cannot discover the actual passwords defined on the device. Security Manager manages the passwords for an account only if you define that password in Security Manager. Security Manager does not manage any user accounts defined in a RADIUS AAA server.

The following topics describe IPS user accounts, and Security Manager discovery and deployment considerations, in more detail:
• Understanding IPS User Roles
• Understanding Managed and Unmanaged IPS Passwords
• Understanding How IPS Passwords are Discovered and Deployed
• Configuring IPS User Accounts
• Configuring User Password Requirements
• Configuring AAA Access Control for IPS Devices



Understanding IPS User Roles

There are four user roles for IPS user accounts:

• Viewer —Users can view the device configuration and events, but they cannot modify any configuration data except their user passwords.

• Operator —Users can view everything and they can modify the following options:
  – Signature tuning (priority, disable or enable).
  – Virtual sensor definition.
  – Managed routers.
  – Their user passwords.

• Administrator —Users can view everything and they can modify all options that Operators can modify in addition to the following:
  – Sensor addressing configuration.
  – List of hosts allowed to connect as configuration or viewing agents.
  – Assignment of sensing interfaces.
  – Enable or disable control of physical interfaces.
  – Add and delete users and passwords.
  – Generate new SSH host keys and server certificates.

• Service —Only one user with service privileges can exist on a sensor. The service user cannot log in to IDM or IME. The service user logs in to a bash shell rather than the CLI. The service role is a special role that allows you to bypass the CLI if needed. The purpose of the Service account is to provide Cisco Technical Support access to troubleshoot unique and unusual problems. It is not needed for normal system configuration and troubleshooting. You should carefully consider whether you want to create a service account. The service account provides shell access to the system, which makes the system vulnerable. However, you can use the service account to create a password if the administrator password is lost. Analyse your situation to decide if you want a service account existing on the system.



Understanding Managed and Unmanaged IPS Passwords

Every IPS local user account has a password, which allows secure user login to the device. These user passwords are encrypted on the IPS device. Thus, when you add an IPS device to the Security Manager inventory, Security Manager cannot read the actual user passwords. Because Security Manager cannot read the password, it is unable to deploy newly-discovered user account passwords to the device. To avoid putting user accounts into a state where the passwords are unknown and unusable, Security Manager marks discovered user account passwords as unmanaged. The status of a password is indicated in the Is Password Managed? column of the Platform > Device Admin > Device Access > User Accounts policy:

• If No is indicated, the password for this account is not configured in Security Manager. When you deploy this policy, Security Manager will not attempt to configure the password for this user account.

• If Yes is indicated, the password for this account was configured or updated in Security Manager. When you deploy this policy, Security Manager reconfigures the passwords for all managed accounts, not just the passwords that changed since the last deployment. Because Security Manager configures even unchanged passwords, all managed passwords must satisfy the password requirements defined in the Password Requirements policy.

Thus, you can have a mix of managed and unmanaged account passwords. For example, you can have a set of shared user accounts that are centrally managed, and manage these account passwords in Security Manager. Other accounts might be unique to individuals; if you never edit these account passwords in Security Manager, the user can manage these passwords individually on the device. If you do not want to manage any user accounts in Security Manager, ensure that the User Accounts policy is empty, or simply unassign the policy (right-click the policy and select Unassign Policy). Security Manager will not modify user account configurations.



Understanding How IPS Passwords are Discovered and Deployed Because user passwords are encrypted on IPS devices, Security Manager has to handle them with special care when discovering policies on the device or deploying configurations. When discovering or deploying user accounts on IPS devices, Security Manager does the following: 



Discovery —When you add an IPS device to the inventory, or rediscover policies on it, Security Manager determines the current status of each user account, updates the User Account policy with each discovered username and associated role, and marks the user password as unmanaged.



409



Trainer’s Handbook – Security Analyst SSC/ Q0903



You cannot view the account status through Security Manager, because it is dynamic and can change. However, the Discovery Status window displays the status at discovery. Accounts can have these statuses: –



Active —This state indicates that the account is available for use. Active accounts can be accessed using an authentication token if one has been assigned to the account.







Expired —This state indicates that the account’s authentication token has expired and the account cannot be accessed using a token until the token has been updated.







Locked —This state indicates that logins to the account have been disabled due to too many failed authentication attempts. You should update the password for these accounts.







Deployment —You are warned if any deployed user accounts are in the Expired or Locked state. Any unmanaged passwords are not deployed to the device. Also, keep in mind the following points:

• If you make changes to any user account on the device, all user accounts with managed passwords are reconfigured. If you also changed the Password Requirements policy, all passwords are compared to the new policy and must meet the new requirements. If you change the password of the user account you defined in the device’s properties for Security Manager to use when configuring the device, after successful deployment, Security Manager updates the password in the device properties to the new password. You do not need to manually update the password. To see device properties, select Tools > Device Properties.

This behaviour assumes that you selected Security Manager Device Credentials for the Connect to Device Using option on the Tools > Security Manager Administration > Device Communication page. If you are using the logged-in user’s credentials for deployment, after successful deployment, the overall deployment is marked as failed, and a message explains how to reestablish the connection.



If you use out-of-band change detection, changes to passwords are not detected. However, changes to usernames and roles are detected.







• When previewing configurations, you can see changes to the user accounts by selecting IPS (Delta – User Passwords). However, passwords are masked.







• If you are rolling back configurations, the user accounts are never rolled back. The current status and configuration of user accounts do not change.

The IPS sensor can accept public keys for RSA authentication when logging into the device through an SSH client. Each user has an associated list of authorized keys. Users can use these keys instead of passwords. Security Manager ignores these keys during discovery and deployment. Thus, if keys are configured, Security Manager does not remove the configuration.



Configuring IPS User Accounts

Use the User Accounts policy to configure local user accounts for IPS devices. Users can use these accounts to log into the device. You can create new users, modify user privileges and passwords, and delete users. The user accounts policy should have at least these accounts:

• cisco —An account named “cisco” must exist on the device and you cannot delete it.

• An administrator account that Security Manager can use —Security Manager must be able to log into the device to configure it. Typically, you create an account for this purpose. However, you have the option of having Security Manager use the user account of the person deploying configurations to log into the device. You can configure this using the Connect to Device Using option on the Tools > Security Manager Administration > Device Communication page.

Cisco IOS IPS devices use the same user accounts that are defined for the router. This procedure does not apply to Cisco IOS IPS configurations.

If you change the password for the user defined in the device properties, which Security Manager uses to deploy configurations to the device, Security Manager uses the existing credentials defined in the device properties to log into the device and deploy changes. After successful deployment, the device properties are then changed to use your new settings.

Step 1 Do one of the following to open the User Accounts policy:

• (Device view) Select Platform > Device Admin > Device Access > User Accounts from the Policy selector.

• (Policy view) Select IPS > Platform > Device Admin > Device Access > User Accounts, then select an existing policy or create a new one.

The policy shows existing user accounts, including the username, role, and whether the password is managed by Security Manager.

Step 2 Do one of the following:

• To add a user account, click the Add Row (+) button. This opens the Add User dialog box. Enter the information required to define the account.

• To edit a user account, select it and click the Edit Row (pencil) button and make the required changes in the Edit User dialog box. You cannot change a user role to or from the Service role.

• To delete a user account, select it and click the Delete Row (trash can) button. You cannot delete the account named cisco.

All password changes must meet the requirements of the Password Requirements policy. If you change the requirements policy, all new user accounts, or edited accounts, are tested against the new requirements. Although the passwords for existing unedited user accounts are not tested, they too must meet the password requirements if you change any user account defined in this policy, because Security Manager will deploy all of the accounts during the next configuration deployment. Passwords are checked for conformity when you validate policies, which typically happens when you submit changes to the database.

Add User and Edit User Credentials Dialog Boxes

Use the Add User or Edit User Credentials dialog boxes to add or edit IPS device user accounts.



Table 4: Add or Edit User Dialog Box

Navigation Path: From the IPS platform User Accounts policy, click the Add Row (+) button to create a new account, or select an existing account and click the Edit Row (pencil) button.

Field Reference

User Name —The username for the account. The name can be 1 to 64 characters, including uppercase and lowercase letters and numbers, plus the special characters () + :, _ / - ] + $. You cannot change the username when editing an account.

Password, Confirm —The password for this user account. Enter the password in both fields. The password must conform to the Password Requirements policy for IPS devices.

Role —The role for this user. For an explanation of these roles, see the IPS user roles documentation. When editing a user account, you cannot select the Service role. When editing an account assigned to the Service role, you cannot change the role.






Configuring User Password Requirements

Use the IPS platform Password Requirements policy to configure the rules for passwords for local IPS device user accounts. All user-created sensor passwords must conform to the requirements defined in this policy. You can configure password requirements for sensors running IPS software version 6.0 or higher. The requirements you define here determine what is considered an acceptable password in the User Accounts policy. If you change this policy, it can be applied even to unchanged user accounts.



To configure IPS password requirements, select one of the following policies:

• (Device view) Select Platform > Device Admin > Device Access > Password Requirements from the Policy selector.

• (Policy view) Select IPS > Platform > Device Admin > Password Requirements from the Policy Type selector, then select an existing policy or create a new one.

The following table explains the password requirement options that you can configure.



Table 5: Password Requirements Policy

Attempt Limit —How many times a user is allowed to try to log into the device before the user account is locked due to excessive failed attempts. The default is 0, which indicates unlimited authentication attempts. For security purposes, you should change this number.

Size Range —The minimum and maximum size allowed for user passwords; separate the minimum and maximum with a hyphen. The range is 6 to 64 characters; the default is 8-64.

Tip: If you configure non-zero values for any of the minimum characters options, the minimum size you enter in the Size Range field must be equal to or greater than the sum of those values. For example, you cannot set a minimum password size of eight and also require that passwords contain at least five lowercase and five uppercase characters.

Minimum Digit Characters —The minimum number of numeric digits that must be in a password.

Minimum Uppercase Characters —The minimum number of uppercase alphabet characters that must be in a password.

Minimum Lowercase Characters —The minimum number of lowercase alphabet characters that must be in a password.

Minimum Other Characters —The minimum number of non-alphanumeric printable characters that must be in a password.

Number of Historical Passwords —The number of historical passwords that you want the sensor to remember for each account. Any attempt to change the password of an account fails if the new password matches any of the remembered passwords. If you specify 0, no previous passwords are remembered.
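As an added example (not Security Manager or Cisco code), the following Python models the Table 5 fields and the two checks the table implies: the sum constraint between the Size Range and the minimum-character options, and a candidate password tested against those options and the password history. The class, function and message names, and the sample values, are constructed for this example.

```python
# Added example, not Cisco Security Manager code: a model of the Password
# Requirements policy in Table 5 and the checks applied to a new password.
# Field names follow the table; the classes, messages and sample values are constructed.
from dataclasses import dataclass


@dataclass
class PasswordRequirements:
    attempt_limit: int = 0        # 0 = unlimited failed logins (the insecure default)
    size_range: str = "8-64"      # "min-max"; allowed range is 6 to 64
    min_digits: int = 0           # Minimum Digit Characters
    min_uppercase: int = 0        # Minimum Uppercase Characters
    min_lowercase: int = 0        # Minimum Lowercase Characters
    min_other: int = 0            # Minimum Other (non-alphanumeric printable) Characters
    history_size: int = 0         # Number of Historical Passwords; 0 = none remembered


def _parse_size_range(size_range: str) -> tuple[int, int]:
    """Split the "min-max" Size Range field into two integers."""
    lo, hi = size_range.split("-")
    return int(lo), int(hi)


def validate_policy(req: PasswordRequirements) -> list[str]:
    """Return the problems with the policy itself (empty list = acceptable).

    Table 5 rules: Size Range within 6-64, minimum size at least the sum of the
    minimum-character options, and Attempt Limit 0 flagged as unlimited attempts.
    """
    problems = []
    try:
        lo, hi = _parse_size_range(req.size_range)
    except ValueError:
        return [f"Size Range {req.size_range!r} must be written as min-max"]
    if not (6 <= lo <= hi <= 64):
        problems.append("Size Range must lie within 6 to 64 characters")
    needed = req.min_digits + req.min_uppercase + req.min_lowercase + req.min_other
    if needed > lo:
        problems.append(f"minimum size {lo} is less than the {needed} characters "
                        "required by the minimum-character options")
    if req.attempt_limit == 0:
        problems.append("Attempt Limit 0 allows unlimited authentication attempts")
    return problems


def check_password(candidate: str, req: PasswordRequirements,
                   history: list[str]) -> list[str]:
    """Return the reasons a new password is rejected (empty list = accepted).

    `history` lists the account's previous passwords, oldest first; only the
    last `history_size` of them count as remembered.
    """
    lo, hi = _parse_size_range(req.size_range)
    reasons = []
    if not lo <= len(candidate) <= hi:
        reasons.append(f"length {len(candidate)} is outside the Size Range {lo}-{hi}")
    counts = {"digit": 0, "uppercase": 0, "lowercase": 0, "other": 0}
    for ch in candidate:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["uppercase"] += 1
        elif ch.islower():
            counts["lowercase"] += 1
        elif ch.isprintable() and not ch.isalnum():
            counts["other"] += 1
    minimums = {"digit": req.min_digits, "uppercase": req.min_uppercase,
                "lowercase": req.min_lowercase, "other": req.min_other}
    for kind, minimum in minimums.items():
        if counts[kind] < minimum:
            reasons.append(f"needs at least {minimum} {kind} character(s), found {counts[kind]}")
    remembered = history[-req.history_size:] if req.history_size > 0 else []
    if candidate in remembered:
        reasons.append(f"matches one of the last {req.history_size} passwords")
    return reasons


if __name__ == "__main__":
    # The Table 5 tip: a minimum size of 8 cannot satisfy 5 uppercase + 5 lowercase.
    print(validate_policy(PasswordRequirements(size_range="8-64",
                                               min_uppercase=5, min_lowercase=5)))
    # Constructed policy: one of each character class, last three passwords remembered.
    policy = PasswordRequirements(attempt_limit=5, size_range="10-64", min_digits=1,
                                  min_uppercase=1, min_lowercase=1, min_other=1,
                                  history_size=3)
    print(check_password("Sensor-2015x", policy, []))
    print(check_password("sensor2015", policy, []))
```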






Configuring AAA Access Control for IPS Devices

Use the AAA policy to configure AAA access control for your IPS devices. The device must use IPS Software release 7.0(4) to configure AAA. You can configure the IPS device to use a RADIUS AAA server to authenticate user access to the device. By configuring AAA, you can reduce the number of local users defined on the device and take advantage of your existing RADIUS setup. If you configure a AAA server, you can configure the device to allow local user accounts as a fallback mechanism if the RADIUS servers are unavailable. When configuring AAA, you identify the RADIUS server using a AAA server policy object. You can create the object while configuring the policy, or you can create it in the Policy Object Manager. When you configure the AAA server object, you must adhere to the following restrictions:



Host —You must specify the IP address; you cannot use a DNS name. 



Timeout —If you enter a timeout value, it must be from 1 to 512 seconds. The generic AAA server object allows higher numbers, but IPS has a more limited timeout range. The default is 3. 







Key — You must specify the shared secret key that is defined on the RADIUS server. Although this field is optional for a generic AAA server object, IPS requires a key. 



Port —Ensure that the RADIUS Authentication/Authorization port is correct. Note that the default port in the AAA server object is different from the IPS default, which is 1812. You will need to change the port if you want to use the IPS default.

Protocol —RADIUS is the only supported protocol.

You must ensure that the user account configured in the device properties exists in the RADIUS server or as a local user account, depending on the authorization method that you use. If you switch between local and AAA modes, or change AAA servers, you must ensure that the account is defined in whatever user account database you are using. If you are using AAA with local fallback, the account should be defined in all databases. This account must exist, with the same password defined in the Security Manager device properties for the device, or deployment to the device will fail. The user account used for discovery and deployment must have administrator privileges.

Step 1 Do one of the following:



(Device view) Select Platform > Device Admin > Device Access > AAA from the Policy selector.







(Policy view) Select IPS > Platform > Device Admin > AAA, then select an existing policy or create a new one.



Step 2 Configure the following basic properties: 



Authentication Mode —Whether to use Local or AAA mode. Local mode uses user accounts defined on the IPS device only. With AAA mode, the RADIUS servers are the primary means of user authentication, and you can configure local user accounts as a fallback mechanism. The default is Local. You must select AAA to configure any other options in this policy.



Primary RADIUS Server, Secondary RADIUS Server —The main (primary) AAA server and a backup server, if any. Enter the name of the AAA server policy object that identifies the RADIUS server, or click Select to select it from a list of objects or to create a new object.



When authenticating users, the IPS device sends the user authentication attempt to the primary server. The secondary server is contacted only if the request to the primary server times out.

Step 3 Configure the following optional properties if you want non-default values:



Console Authentication —How you want to authenticate users who access the IPS device through the console:

o Local —Users connected through the console port are authenticated through local user accounts.

o Local and RADIUS —Users connected through the console port are authenticated through RADIUS first. If RADIUS fails, local authentication is attempted.

o RADIUS —Users connected through the console port are authenticated by RADIUS. If you also select Enable Local Fallback, then users can also be authenticated through the local user accounts.







RADIUS NAS ID —The Network Access ID, which identifies the service requesting authentication. The value can be no NAS-ID, cisco-ips, or a NAS-ID already configured on the RADIUS server. The default is cisco-ips.







Enable Local Fallback —Whether you want to fall back to local user account authentication if all RADIUS servers are unavailable. This option is selected by default. Note that local authentication is not attempted if the RADIUS server responds negatively to the logon attempt; local authentication is tried only if no response is received from the RADIUS server.







Default User Role —The role to assign to users who do not have a role assigned in the RADIUS server. You can make Viewer, Operator, or Administrator the default roles, but not Service; select Unspecified to assign no default role (this is the default).



User role configuration is very important. If you do not assign a role to the user, either through the default user role or in the RADIUS server, the sensor prevents user login even if the RADIUS server accepted the username and password. To assign roles specifically to users on the RADIUS server, you configure the Accept Message for those accounts as either ips-role=administrator, ips-role=operator, ips-role=viewer, or ips-role=service. You configure the Accept Message individually for each user account. An example of a Reply attribute for a given user could be configured to return “Hello your ips-role=operator.”
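The role and fallback rules described in this AAA section, as an added Python model rather than Cisco code: the role is taken from an ips-role token in the Accept Message, the Default User Role applies when none is returned, local fallback happens only when no RADIUS server responds (never on a rejection), and a service role also requires a matching local account. The policy class, the outcome strings and the sample local accounts are constructed for the example.

```python
# Added example, not Cisco code: models the IPS AAA login decision described in
# the AAA section. The policy class, outcome strings and sample accounts are constructed.
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Roles the sensor recognises in a RADIUS Accept Message / Reply attribute.
ROLE_TOKEN = re.compile(r"ips-role=(administrator|operator|viewer|service)")


@dataclass
class AAAPolicy:
    authentication_mode: str = "Local"       # "Local" or "AAA"
    enable_local_fallback: bool = True       # selected by default
    default_user_role: Optional[str] = None  # None == Unspecified (no default role)

    def __post_init__(self) -> None:
        if self.default_user_role == "service":
            raise ValueError("Service cannot be the Default User Role")


def role_from_accept_message(message: str) -> Optional[str]:
    """Extract the ips-role value from a RADIUS Accept Message, if one is present."""
    match = ROLE_TOKEN.search(message)
    return match.group(1) if match else None


def _local_login(local_accounts: dict, username: str, password: str) -> tuple[bool, str]:
    """Check the local user account database; returns (allowed, role or reason)."""
    account = local_accounts.get(username)
    if account is None:
        return False, "no local account"
    stored_password, role = account
    if not hmac.compare_digest(stored_password, password):  # constant-time compare
        return False, "bad local password"
    return True, role


def decide_login(policy: AAAPolicy, radius_outcome: str, accept_message: str,
                 local_accounts: dict, username: str, password: str) -> tuple[bool, str]:
    """Decide a login attempt. radius_outcome is "accept", "reject" or "timeout"
    (no response from the primary or the secondary server)."""
    if policy.authentication_mode == "Local":
        return _local_login(local_accounts, username, password)
    if radius_outcome == "reject":
        # A negative RADIUS answer never falls back to local accounts.
        return False, "rejected by RADIUS"
    if radius_outcome == "timeout":
        if not policy.enable_local_fallback:
            return False, "no RADIUS response and local fallback disabled"
        return _local_login(local_accounts, username, password)
    # RADIUS accepted: the role comes from the message, else the Default User Role.
    role = role_from_accept_message(accept_message) or policy.default_user_role
    if role is None:
        return False, "no role assigned"
    if role == "service":
        # Service accounts must also exist locally; both are checked at login.
        allowed, _ = _local_login(local_accounts, username, password)
        if not allowed:
            return False, "service role requires a matching local account"
    return True, role


if __name__ == "__main__":
    # Constructed sample: the account Security Manager uses, kept locally for fallback.
    local = {"csm-admin": ("Sensor-2015x", "administrator")}
    policy = AAAPolicy("AAA", enable_local_fallback=True, default_user_role="viewer")
    print(decide_login(policy, "accept", "Hello your ips-role=operator.", local, "alice", "pw"))
    print(decide_login(policy, "reject", "", local, "csm-admin", "Sensor-2015x"))
    print(decide_login(policy, "timeout", "", local, "csm-admin", "Sensor-2015x"))
```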



If you configure a service account in the RADIUS server, you must also configure an identical service account locally on the device. For service accounts, both the RADIUS and Local accounts are checked during login.

Identifying an NTP Server

Use the NTP policy to configure a Network Time Protocol (NTP) server as the time source for the IPS device. Using NTP helps ensure synchronized time among your network devices, which can aid event analysis. NTP is the recommended way to configure time settings on an IPS device.

For detailed information on how to set the time on a sensor, including how to set up a Cisco IOS router as an NTP server, refer to Configuring Time in Configuring the Cisco Intrusion Prevention System Sensor Using the Command Line Interface Version 7.0.



Check the time on your IPS sensor if you are having trouble updating your IPS software. If the time on the sensor is ahead of the time on the associated certificate, the certificate is rejected, and the sensor software update fails.



Step 1 Do one of the following to open the NTP policy:

• (Device view) Select Platform > Device Admin > Server Access > NTP from the Policy selector.

• (Policy view) Select IPS > Platform > Device Admin > Server Access > NTP, then select an existing policy or create a new one.



Step 2 In the NTP Server IP Address field, enter the IP address of the NTP server. You can also enter the name of a network/host object that identifies the single host address of the server, or click Select to select the object from a list or to create a new one.

Step 3 If the NTP server does not require authentication, deselect the Authenticated NTP checkbox. If the NTP server requires authentication, configure the following options:

• Authenticated NTP —Select this option to enable authenticated connections.

• Key, Confirm —The key value of the NTP server. The key is an MD5 type of key (either numeric or character); it is the key that was used to set up the NTP server.

• Key ID —The key ID value of the NTP server, a numeric value between 1 and 65535. The key and key ID are configured on the NTP server; you must obtain them from the NTP server configuration.



Identifying DNS Servers

If you configure global correlation on an IPS 7.0+ sensor, the sensor must be able to resolve domain names to successfully connect to the update server when downloading global correlation updates. Use the DNS policy to identify the Domain Name System (DNS) servers that the sensor can use to resolve domain names to IP addresses.

If your network requires HTTP proxies when making Internet connections, configure the HTTP Proxy policy instead of the DNS policy. The AIP-SSC-5 service module does not support DNS servers.

Step 1 Do one of the following to open the DNS policy:

• (Device view) Select Platform > Device Admin > Server Access > DNS from the Policy selector.

• (Policy view) Select IPS > Platform > Device Admin > Server Access > DNS, then select an existing policy or create a new one.



Step 2 Specify the IP addresses of up to three DNS servers in the Primary, Secondary, and Tertiary Address fields. The sensor uses the servers in the order listed; if one server does not respond, the next server is contacted.



You can enter an IP address or the name of a network/host object that contains a server address. Click Select to select a network/host object from a list or to create a new one. The network/host object must specify a single host address.



Identifying an HTTP Proxy Server

If you configure global correlation on an IPS 7.0+ sensor, and your network requires the use of HTTP proxies to connect to the Internet, you need to configure the HTTP Proxy policy to identify a proxy that the IPS sensor can use. When downloading global correlation updates, the IPS sensor connects to the update server using this proxy. The proxy must be able to resolve DNS names. If you do not use HTTP proxies, configure DNS servers so that the IPS sensor can resolve the address of the update server. The AIP-SSC-5 service module does not support HTTP proxy servers.



Step 1 Do one of the following to open the HTTP Proxy policy:

• (Device view) Select Platform > Device Admin > Server Access > HTTP Proxy from the Policy selector.

• (Policy view) Select IPS > Platform > Device Admin > Server Access > HTTP Proxy, then select an existing policy or create a new one.



Step 2 Configure the following options:

• Enable Proxy —Select this option to tell the device to connect through the configured proxy server.

• IP Address —Enter the IP address of the proxy server, or the name of the network/host object that contains the server’s IP address. Click Select to select a network/host object from a list or to create a new one. The network/host object must contain a single host IP address.

• Port —Enter the port number used for HTTP connections to the proxy server. The default is 80.






Configuring the External Product Interface

Use the External Product Interface policy to configure the way that Security Manager works with Management Center for Cisco Security Agents (CSA MC). In general, the external product interface is designed to receive and process information from external security and management products. These external security and management products collect information that can be used to automatically enhance the sensor configuration information. Management Center for Cisco Security Agents is the only external product that can be configured to communicate with the IPS. At most two Management Center for Cisco Security Agents servers can be configured per IPS device. Management Center for Cisco Security Agents is no longer an active product. Configure this policy only if you are still using that application. For more information, see About CSA MC in Installing and Using Cisco Intrusion Prevention System Device Manager 6.0 and http://www.cisco.com/en/US/products/sw/cscowork/ps5212/index.html. Management Center for Cisco Security Agents enforces a security policy on network hosts. It has two components:



Agents that reside on and protect network hosts. 



A management console, which is an application that manages agents. It downloads security policy updates to agents and uploads operational information from agents.



Before You Begin

Add the external product as an allowed host so that Security Manager allows the sensor to communicate with the external product.

Step 1 Do one of the following to open the External Product Interface policy:

• (Device view) Select Platform > Device Admin > Server Access > External Product Interface from the Policy selector.

• (Policy view) Select IPS > Platform > Device Admin > Server Access > External Product Interface, then select an existing policy or create a new one.



Step 2 Do one of the following:

• To add a server, click the Add Row (+) button. This opens the External Product Interface dialog box. Enter the information required to identify the server and configure the posture ACLs. You can add at most two servers.

• To edit a server, select it and click the Edit Row (pencil) button and make the required changes in the External Product Interface dialog box.

• To delete a server, select it and click the Delete Row (trash can) button.



External Product Interface Dialog Box

Use the Add or Edit External Product Interface dialog box to add or modify interfaces between Management Center for Cisco Security Agents (CSA MC) and the IPS device and the related posture ACLs.



Table 6: External Product Interface Dialog Box

Navigation Path: From the External Product Interface IPS platform policy, click Add Row or select an entry and click Edit Row.

Field Reference

External Product’s IP Address —The IP address, or the network/host policy object that contains the address, of the external product. Enter the IP address or object name, or click Select to select an object from a list or to create a new one.

Interface Type —Identifies the physical interface type, which is always Extended SDEE.

Enable receipt of information —Whether information is allowed to be passed from the external product to the sensor.

SDEE URL —The URL on the CSA MC the IPS uses to retrieve information using SDEE communication. You must configure the URL based on the software version of the CSA MC that the IPS is communicating with as follows:

• For CSA MC version 5.0 —/csamc50/sdee-server.

• For CSA MC version 5.1 —/csamc51/sdee-server.

• For CSA MC version 5.2 and higher —/csamc/sdee-server (the default value).

Port —The port, or the port list object that identifies the port, being used for communications. Enter the port or port list name, or click Select to select the object from a list or to create a new object.

User name, Password —A username and password that can log into the external product.

Enable receipt of host postures —Whether to allow the receipt of host posture information from CSA MC. The host posture information received from a CSA MC is deleted if you disable this option.

Allow unreachable hosts’ postures —Whether to allow the receipt of host posture information for hosts that are not reachable by the CSA MC. A host is not reachable if the CSA MC cannot establish a connection with the host on any IP addresses in the host’s posture. This option is useful in filtering the postures whose IP addresses may not be visible to the IPS sensor or that might be duplicated across the network. This filter is most applicable in network topologies where hosts that are not reachable by the CSA MC are also not reachable by the IPS, for example if the IPS and CSA MC are on the same network segment.

Posture ACL table —Posture ACLs are network addresses for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or that might be duplicated across the network.

• To add a posture ACL, click the Add Row (+) button. This opens the Add Posture ACL dialog box. For information on configuring the Posture ACL, see Posture ACL Dialog Box.

• To edit a posture ACL, select it and click the Edit Row (pencil) button.

• To delete a posture ACL, select it and click the Delete Row (trash can) button.

• To change the priority of an ACL, select it and click the Up or Down button. ACLs are processed in order, and the action associated with the first match is applied.

Enable receipt of watch listed addresses —Whether to allow the receipt of the watch list information from CSA MC. The watch list information received from a CSA MC is deleted if you disable this option.

Manual Watch List RR Increase —The percentage of the manual watch list risk rating (RR). The default is 25, and the valid range is 0 to 35.

Session-based Watch List RR Increase —The percentage of the session-based watch list risk rating. The default is 25, and the valid range is 0 to 35.

Packet-based Watch List RR Increase —The percentage of the packet-based watch list risk rating. The default is 10, and the valid range is 0 to 35.



Posture ACL Dialog Box

Use the Add or Modify Posture ACL dialog box to configure posture ACLs for Management Center for Security Agents. Posture ACLs are network addresses for which host postures are allowed or denied. Use posture ACLs to filter postures that have IP addresses that might not be visible to the IPS or that might be duplicated across the network. Configure the following fields to define a posture ACL:

• Network Address —Enter the IP address of a host or network, or the name of a network/host object that specifies one. You can click Select to select the object from a list or to create a new object.

• Action —Whether host postures will be permitted or denied from the hosts on the network address.

Navigation Path: From the External Product Interface dialog box, click the Add Row (+) button underneath the Posture ACL table, or select a posture ACL and click the Edit Row (pencil) button.



Configuring IPS Logging Policies

Use the IPS platform Logging policy to configure traffic flow notifications and Analysis Engine global variables. These settings apply to the general operation of the IPS sensor. Traffic flow notifications have to do with the flow of traffic across the interface of a sensor. You can configure the sensor to monitor the flow of packets across an interface and send notification if that flow changes (starts and stops) during a specified interval. You can configure the missed packet threshold within a specific notification interval and also configure the interface idle delay before a status event is reported. The Analysis Engine performs packet analysis and alert detection. It monitors traffic that flows through specified interfaces. For the Analysis Engine, there is only one global variable: Maximum Open IP Log Files.






Table 7: IPS Logging Page

Navigation Path

• (Device view) Select Platform > Logging from the Policy selector.

• (Policy view) Select IPS > Platform > Logging, then select an existing policy or create a new one.

Field Reference

Interface Notifications Tab

Missed Packets Threshold —The percent of missed packets that has to occur before you want to receive notification. The default is 0, and the range is 0 to 100.

Notification Interval —The length of time, in seconds, that you want to check for the percentage of missed packets. The default is 30, and the range is 5 to 3600.

Interface Idle Threshold —The length of time, in seconds, that you will allow an interface to be idle and not receiving packets before you want to be notified. The default is 30, and the range is 5 to 3600.

Analysis Engine Tab

Maximum Open IP Log Files —The maximum number of open IP log files that you want to allow on the sensor. The default is 20, and the range is 20 to 100.






UNIT VII Anti-virus and Antispam Software

This Unit covers:

• Lesson Plan

• Suggested Learning Activities

• Training Resource Material
  7.1 Antivirus Software
  7.2 Antispam Software






LESSON PLAN

Outcomes

To be competent, you must be able to:

PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines

You need to know and understand:

KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these

KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures, Duration (Hrs) and Work Environment / Lab Requirement

PC2 —Peer group, Faculty group and Industry experts. Duration: 2 hr in-class presentations. Lab requirement: PCs/Tablets/Laptops; projection facilities.

KA4, KA5 —Peer group, Faculty group and Industry experts. Duration: 2 Hrs classroom assessment and 10 Hrs offline research and learning activity. Lab requirement: PCs/Tablets/Laptops; labs availability (24/7); Internet with WiFi (min 2 Mbps dedicated); access to all security sites like ISO, PCI DSS, Center for Internet Security.

KB1 - KB4 —Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.






Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.

Activity 3: Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.






Training Resource Material

7.1 Antivirus Software

Antivirus software is a type of utility used for scanning and removing viruses from your computer. While many types of antivirus (or "anti-virus") programs exist, their primary purpose is to protect computers from viruses and remove any viruses that are found.

Most antivirus programs include both automatic and manual scanning capabilities. The automatic scan may check files that are downloaded from the Internet, discs that are inserted into the computer, and files that are created by software installers. The automatic scan may also scan the entire hard drive on a regular basis. The manual scan option allows you to scan individual files or your entire system whenever you feel it is necessary. Since new viruses are constantly being created by computer hackers, antivirus programs must keep an updated database of virus types. This database includes a list of "virus definitions" that the antivirus software references when scanning files. Since new viruses are frequently distributed, it is important to keep your software's virus database up-to-date. Fortunately, most antivirus programs automatically update the virus database on a regular basis.

While antivirus software is primarily designed to protect computers against viruses, many antivirus programs now protect against other types of malware, such as spyware, adware, and rootkits as well. Antivirus software may also be bundled with firewall features, which helps prevent unauthorized access to your computer. Utilities that include both antivirus and firewall capabilities are typically branded "Internet Security" software or something similar.

While antivirus programs are available for Windows, Macintosh, and Unix platforms, most antivirus software is sold for Windows systems. This is because most viruses are targeted towards Windows computers and therefore virus protection is especially important for Windows users. If you are a Windows user, it is smart to have at least one antivirus program installed on your computer. Examples of common antivirus programs include Norton Antivirus, Kaspersky Anti-Virus, and ZoneAlarm Antivirus.

The most important thing to remember about virus protection is that no system is infallible. No matter how good your antivirus (AV) software is, and how stringent your security processes are, there is still the chance that a completely new virus will enter your organization and disrupt operations. Of course, completely isolating your systems from the Internet and removing them from external e-mail will greatly minimize your exposure; however, in today's digital economy that is no longer a practical option.






Protecting the Organization

In order to protect your electronic messaging system, it is necessary to understand the flow of electronic messages within your organization and to provide protection at each point of vulnerability. Organizations now recognize the importance of providing dedicated virus protection for their e-mail systems.

The thought was that any virus being carried by an e-mail would simply enter the network as an attachment that could either be detected as it came through the Internet SMTP gateway or by the end-user desktop AV scanner. However, over the past few years, e-mail systems have evolved significantly from simple message distribution to providing collaborative stores, Web-based user interfaces, and access from wireless devices.

Deploy a multi-tiered defense strategy

There are multiple points of entry for infected messages to enter an organization; as a result, it is important to provide virus protection to as many points as possible. This includes the electronic messaging gateways, desktops, PDAs, wireless devices, and the e-mail server itself.

Figure 2: Multi-tiered virus protection system

Steps to be taken for Virus protection

Establish an organizational anti-virus policy

In order to properly select, configure, and maintain virus protection solutions, your organization must clearly define what levels of protection and countermeasures it needs. This necessitates specifying the types of data that will be permitted, what content should be filtered or barred, who is responsible for each aspect of the implementation, how communications with end-users will take place, and what actions to take in the event of virus outbreaks and hoax alerts.



Update your anti-virus definition files and engines regularly

While most organizations understand the importance of keeping their virus definition files up-to-date, not everyone understands that it is equally important to ensure that the detection engine is the most current version. Updates can typically be automated, but it is important to periodically check the log files to ensure that the updates are executing properly.



Update your desktop anti-virus software regularly

Server-based e-mail virus protection is the most efficient way to provide protection within an organization, but depending on the particulars of the organization's security policy, it is not always able to provide protection for all types of messages (such as encrypted messages). As a result, it is crucial that desktop anti-virus software be updated regularly to provide security that server-based protection may not be able to offer. Always keep your operating system, Web browser, e-mail, and application programs up-to-date. Periodically review the security sections of your key software vendors' Web sites and subscribe to any applicable electronic newsletters to notify you of any new security vulnerabilities and fixes.



Back up your files on a regular basis

If a virus destroys your data, then you can restore them from your archives. E-mail backups and restores can be a bit temperamental, so it is advisable to also have a standard procedure to verify restores from backups periodically.

Subscribe to an e-mail alert service that issues warnings of new virus threats

Many different organizations provide this service, but the most important one will be your anti-virus vendor. The reason is that due to differences in each AV vendor's capabilities, new viruses will be rated differently and the action necessary will vary. For instance, one vendor may have already provided generic virus detection in a past update that provides protection against a new virus and so they would rate a particular virus as a low threat for their customers. However, other vendors who may not be able to provide immediate protection would rate the same virus alert as a "high" risk.

Provide anti-virus overview training to all employees

Most virus outbreaks within organizations could be greatly minimized if the general staff were aware of e-mail virus vulnerabilities, preventative measures and recommended actions should they encounter a suspected virus.

Protecting E-mail Users

With the closer integration of e-mail and office suite applications, it is no longer sufficient to view anti-virus vulnerabilities solely from the perspective of the e-mail client application. Instead, one must also adequately protect the whole PC that the user is using, whether they are using a local copy of an e-mail application or a remotely-hosted thin client e-mail frontend. The following is a list of recommended steps that organizations can take to protect end users.

Disable the e-mail program preview pane feature

Some e-mail programs, such as Microsoft Outlook and Microsoft Outlook Express, have a feature that allows users to view a message without opening it in a separate window; however, some viruses can still execute by simply being viewed because the preview pane has the ability to process embedded scripts.






Figure 3: Changing Outlook Express Preview pane settings from the View, Layout menu



Figure 4: Changing Microsoft Outlook Preview Pane settings



Make the file NORMAL.DOT read-only

If you use Microsoft Word as your e-mail editor, then make NORMAL.DOT read-only at the operating system level. You should also change the Microsoft Word settings to "Prompt to Save Normal Template". Many viruses propagate themselves by changing the NORMAL.DOT file, but this measure can provide at least some deterrent. The permissions can always be switched off again if and when any intentional changes are required.

Use .RTF and .CSV instead of .DOC and .XLS

Use .RTF instead of .DOC formatted word processing documents and .CSV instead of .XLS formatted spreadsheets because these formats do not support the use of macros. However, even then, caution should be exercised because if the file was first created as a .DOC, it could still contain macros. When exchanging files with others, it is safest to use .RTF and .CSV formatted files, but this should not be relied upon as a fail-safe means of exchanging information.



Remove Windows Script Host

If your organization does not use Windows Script Host (WSH), then you should consider removing or disabling it. To do this in Windows 9x, go to 'Control Panel' and choose 'Add/Remove Programs'. Click on the 'Windows Setup' tab and double click on 'Accessories'. Scroll down to 'Windows Script Host', uncheck it and choose 'OK'. It may be necessary to reboot the system. For additional information, visit Microsoft's support Web site.



Use in-box rules to process suspicious e-mails

If your organization does not use e-mail server-based content filtering, then you can use your e-mail inbox rules to automatically delete or move suspect messages into a dedicated folder.



Do not open any files attached to an e-mail from an unknown, suspicious or untrustworthy source

Ensure that the source of any e-mail attachments is a legitimate and reputable one. If you're uncertain, don't download the file at all, or download the file to a floppy and then scan it with your own anti-virus software.

Don't pass along virus warnings from others unless you have verified that they are applicable to your organization

Due to the large number of viruses and hoaxes, unnecessary time and e-mail traffic can be wasted by people forwarding virus warnings that may not be legitimate. Before passing along warnings to others, first check your virus protection vendor's Web site to determine if your systems are already protected or if it is just a hoax.



Write-protect removable media before using them in other computers

If removable media is used to ferry e-mails between computers (such as from work to home), then write-protecting the medium before using it in a suspect system can protect it from becoming infected.



Protecting E-mail Servers

Some organizations believe that as long as they protect their e-mail gateways and internal desktop computers, they do not need e-mail server-based anti-virus solutions. While this may have been true a few years ago, with today's Web-based e-mail access, public folders, and mapped network drive access to the stores, this stance is no longer prudent. Besides viruses entering the e-mail system from the Internet SMTP gateway, infected files can be transferred through an organization's remote Web-based interface, network-connected user devices such as PDAs, disk drives on computers without up-to-date virus protection, or copies from un-scanned archives. Once an infected item gets into the e-mail stores, then only an e-mail server-based solution will be able to detect and remove the infected item.



The following is a list of recommendations that organizations should follow to secure their e-mail servers.



Block common infecting attachments

Many e-mail transported infectors (a.k.a. mass-mailers) use executable files that are commonly found on most computers, such as EXE, VBS, and SHS. Most e-mail users do not need to receive attachments with these file extensions, so these can be blocked as they enter the e-mail server or gateway.
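The gateway check the paragraph describes, as an added example (not code from the handbook or from any AV product): parse a message, list the parts declared as attachments, and refuse those whose final extension is on a block list. The list starts from the extensions the text names (EXE, VBS, SHS); the remaining entries and the sample message are assumptions. Only the last extension is consulted, so a double-extension name such as Invoice.PDF.exe is still caught.

```python
"""Gateway-side blocking of attachments by file extension.

Added example, not code from the handbook or any AV product. The block list
starts from the extensions the text names (EXE, VBS, SHS); the other entries
are assumptions, as is the sample message built below.
"""
import os
from email import message_from_string, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".vbs", ".shs", ".scr", ".pif", ".bat", ".cmd", ".js"}


def attachment_names(raw_message: str) -> list:
    """Filenames of all parts the message declares as attachments."""
    msg = message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments() if part.get_filename()]


def blocked_attachments(raw_message: str) -> list:
    """Return the attachment names whose last extension is on the block list.

    Only the final extension decides: 'Invoice.PDF.exe' is an executable no
    matter what the inner name suggests, and case is ignored.
    """
    blocked = []
    for name in attachment_names(raw_message):
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            blocked.append(name)
    return blocked


def build_sample_message() -> str:
    """Constructed sample with one benign and two blocked attachments (not real data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    msg.add_attachment(b"MsgBox 1", maintype="application",
                       subtype="octet-stream", filename="macro.vbs")
    return msg.as_string()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```

A real gateway would also look at the MIME type and the file's magic bytes rather than trusting the name alone; the extension check is the first, cheapest layer.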



Schedule complete on-demand scans whenever you update your virus definition files

Even if you keep all of your virus protection up-to-date, it is possible for a new virus to enter your organization before it has been properly identified and a new definition file created for it by your AV vendor. By scanning all of your data with the latest definitions, you can then ensure that there are no undetected infected files in your archives.



Use heuristic scanning

Most new viruses are simply variants of previously known viruses; however, providing separate detection code for every conceivable variation would be impractical. As an alternative, heuristic scanning looks for known virus characteristics. While this does provide a higher level of protection, it requires more processing time to scan items and may occasionally lead to false-positive identifications. So long as your servers are properly configured, the performance overhead will be worth the additional protection that heuristic scanning can provide.



Use virus outbreak response features in your AV products

Mass-mailer viruses can spread very quickly throughout an organization. They can also be very troublesome for administrators to eradicate while waiting for the appropriate detection driver to be obtained from an AV vendor. Some virus protection products provide features that can configure your system to automatically notify you or take corrective actions if certain virus outbreak characteristics manifest themselves. For instance, you may configure your system to send a cell phone warning if there are more than 50 similar messages received in a short period of time, automatically check the vendor's download site for the latest virus definition files, and then temporarily disable the e-mail gateway until an administrator can respond if the activity continues. This sort of outbreak response policy should be included in the organization's anti-virus policy so that there is a plan of action in place before an outbreak happens.
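The outbreak trigger in this paragraph ("more than 50 similar messages received in a short period of time") as a sliding-window count over gateway log lines. This is an added example, not code from the handbook or any AV product: the log format, the ten-minute window and the sample traffic are constructed, and "similar" is taken to mean the same subject and the same attachment hash.

```python
"""Mass-mailer outbreak detection over gateway log lines.

Added example, not code from the handbook or any AV product. The log format,
the ten-minute window and the sample lines are constructed; the "more than 50
similar messages" trigger is the figure the text gives.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 50                   # more than this many similar messages ...
WINDOW = timedelta(minutes=10)   # ... within this window (assumed) raises an alert


def parse_log_line(line: str):
    """Constructed format: ISO timestamp, then tab-separated key=value fields."""
    ts_str, *fields = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts_str), dict(f.split("=", 1) for f in fields)


def detect_outbreaks(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {(subject, attachment_hash): alert} for every message family whose
    count inside a sliding window exceeds the threshold. Lines must be in time order."""
    recent = defaultdict(deque)   # message family -> timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, f = parse_log_line(line)
        key = (f.get("subject", ""), f.get("attachment", ""))
        if not key[1]:
            continue              # only attachment-bearing mail counts as a mass-mailer candidate
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()        # drop timestamps that fell out of the window
        if len(seen) > threshold and key not in alerts:
            alerts[key] = {"first_seen": seen[0], "triggered_at": ts, "count": len(seen)}
    return alerts


def build_sample_log():
    """Constructed log: 55 copies of one worm-like message in under five minutes,
    mixed with 20 distinct benign messages. Not real traffic."""
    base = datetime(2015, 3, 2, 9, 0, 0)
    lines = []
    for i in range(55):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()}\tfrom=user{i}@corp.test"
                     f"\tsubject=Your invoice\tattachment=deadbeef")
    for i in range(20):
        ts = base + timedelta(seconds=13 * i)
        lines.append(f"{ts.isoformat()}\tfrom=hr@corp.test"
                     f"\tsubject=Newsletter {i}\tattachment=cafe{i:04x}")
    return sorted(lines)          # sorting on the ISO timestamp prefix gives time order


if __name__ == "__main__":
    for key, alert in detect_outbreaks(build_sample_log()).items():
        print(key, alert["count"], "copies since", alert["first_seen"])
```

The alert fires on the 51st copy, about four minutes into the burst, which is the point at which the notification, definition fetch and gateway hold-down the text lists would be started.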



Archive important data for at least one month

Not all viruses manifest themselves right away; depending upon where a virus is located and how your system is configured, it may take some time for the virus to be discovered. The further back that you can go in your archives, the greater the likelihood that you will be able to successfully restore an infected item if it cannot automatically be cleaned by your AV solution.



General principles of antivirus configuration

Antivirus software has options, some of which may not be enabled by default. It is recommended to enable them all.

• Choose to scan all file types wherever this option exists
• Allow no exemptions from scanning, wherever the option exists
• Enable scanning within compressed files and archives wherever the option exists
• Enable heuristics options if they're user-configurable (if several levels are offered, use Maximum)
• Configure the virus-definition updates to run daily or more often, if the schedule is under your control
• Set up a daily scan of all hard-drive data, to catch stuff that slipped in before the antivirus software recognized it as a threat.
• If possible, remove the error-prone human element, by having infected stuff auto-quarantined or auto-deleted upon detection. Shoot first, ask questions later.
• Never assume that your antivirus software is infallible.



7.2 Antispam Software

Email Spam is the electronic version of junk mail. It involves sending unwanted messages, often unsolicited advertising, to a large number of recipients. Spam is a serious security concern as it can be used to deliver Trojan horses, viruses, worms, spyware, and targeted phishing attacks.



How Do You Know

Messages that do not include your email address in the TO: or CC: fields are common forms of Spam. Some Spam can contain offensive language or links to Web sites with inappropriate content.



What to Do

• Install Spam filtering/blocking software
• If you suspect an email is Spam, do not respond, just delete it
• Consider disabling the email's preview pane and reading emails in plain text
• Reject all Instant Messages from persons who are not on your Buddy list
• Do not click on URL links within IM unless from a known source and expected
• Keep software and security patches up to date



About Spam Filters

Your message security service detects spam by applying hundreds of rules to each message that passes through the data centre. It can block obvious spam immediately, then divert more borderline spam to a Quarantine for later evaluation. From there, you or your users can review the Quarantine for any legitimate messages that were falsely quarantined and need to be forwarded to the user's Inbox. Otherwise, spam is deleted automatically. When your service is activated, all types of spam are typically filtered at a uniform level of aggressiveness. One group of users, however, might have its own idea about what constitutes spam, or how aggressively to filter it. A travel agency might have a zero-tolerance policy for adult content, for example, but want to receive special offers, such as "trips to Hawaii." Another group might want to change its spam disposition, by changing how its spam is quarantined, or not quarantining it at all. Filtering aggressiveness affects how the protection service handles messages that may or may not be spam. More aggressive spam filter levels will quarantine messages that are borderline cases. This will cause more spam to be caught, but may increase false positives. More lenient spam filters will allow borderline messages through, which reduces false positives but potentially lets more spam through. For each of your organisations, you can adjust the overall aggressiveness of filtering, filter specific categories of spam more aggressively, and choose a spam disposition. Some of these settings are made at the organisation level, and some for a Default User. You can also adjust individual users' filtering, or allow users to do this themselves at the Message Center.



Where Spam Filtering Is Managed

You manage spam filtering at the following locations:

Organisation level: Enable Blatant Spam Blocking for users in the organisation, and choose a spam disposition, that is, the method of disposing of filtered spam, for example, by changing how it's quarantined, or by not quarantining it at all. Configure Null Sender Disposition to dispose of messages that do not contain an SMTP-envelope sender address. If your service is provisioned with Outbound Services, then you also have the option to turn on Null Sender Header Tag Validation.

Default User: Define user-level spam settings that will apply to new users added to the organisation. This includes enabling spam filtering in the first place, adjusting how aggressively to filter spam, and filtering specific spam categories even more aggressively. Making these settings for a Default User is how you apply a single filtering policy across an organisation.






Specific User: You can modify user-level spam settings for an individual user, as well. But this isn't recommended if you want to maintain spam filtering policies across an organisation.

Message Center: You can optionally allow users to modify their own filter levels by granting them appropriate User Access permissions to the Message Center.



Types of Spam Filters

When spam filtering is enabled for a user, the user's messages are processed through the following filters:

• If Blatant Spam Blocking is enabled for the user's organisation, the user's most obvious spam is bounced or blackholed (deleted), before it reaches your email servers. This eliminates more than half of users' spam, so neither you nor they ever have to deal with it.
• Each user (and Default User) has a Bulk Email filter that sets a base level of aggressiveness for filtering the remaining spam, which is typically sent to a separate Quarantine for review.
• Each user (and Default User) can also optionally adjust four additional Category filters to filter spam containing particular content even more aggressively (sexually explicit content, special commercial offers, racially insensitive material, or get-rich-quick schemes).
• Null Sender Disposition lets you choose how to dispose of messages that do not include an SMTP-envelope sender address. These types of messages are usually Non-Delivery Reports (NDRs). When the system receives an inbound message, it checks for the SMTP envelope sender address. If there is no sender address, the message is disposed of according to the Null Sender Disposition settings.
• Null Sender Header Tag Validation is the process by which the system examines each inbound message for the presence of an SMTP-envelope sender address and for the message security service's digital signature. If your message security service has been provisioned with Outbound Services and you have them configured for your mail server, then the system tags the Received field on outbound messages with a digital signature. When this filter is on and the system receives an inbound message, it checks for the SMTP-envelope sender address and for the digital signature. If there is no sender address and the message doesn't have the system signature, then the message is disposed of according to the Null Sender Disposition settings. If the system signature is present, then the message bypasses this filter, and is evaluated by the others.



When Spam Filters Apply

Spam category filters are applied after all other filtering, including Content Manager filters, and any applicable Approved Senders list (the user's own list, or one defined for the organisation). Blatant Spam Blocking occurs before most filters, but doesn't block messages from approved senders. That means:

• Approved senders bypass Spam Filters, even if their messages contain spam-like content.
• Messages with approved content bypass the category filters, but they will be blocked if the content occurs in obvious spam detected by Blatant Spam Blocking.
• Messages marked as advertisements are blocked: if the Subject line of a message contains the prefix "ADV:" (for "advertisement"), the message is considered spam, regardless of approved content.
• Virus Blocking overrides Spam Filters: Virus Blocking scans all messages that either pass through the spam filter, are allowed to bypass spam filtering, or are quarantined as spam. For example, if a message is quarantined as junk, but also determined to be infected with a virus, the message will be processed according to the virus filter disposition.



How Spam Is Identified

As a message passes through the spam filters, the message security service applies hundreds of rules to the message envelope, header, and content, all in a matter of milliseconds. Each rule describes some attribute typical of spam, and has a numerical value based on the likelihood that the attribute indicates spam. An equation is then formulated based on the weighted significance and combination of all rules triggered, and the resulting value is the message's spam score. This score is measured against the sensitivity threshold set by the user's spam filters, and a decision is made: spam or valid email. Specifically, a Bulk Email filter sets a base level for filtering all types of spam, and individual category filters can be adjusted to filter a specific category of spam even more aggressively. The Bulk Email filter and category filters work independently of each other, but parameters from all filters collectively provide the final spam score, which can categorize the message as spam. A category filter thus multiplies the Bulk Email level and increases the number of messages that get identified as spam. You can see a message's spam score, whether or not it's tagged as spam, by looking at the message header.
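The scoring mechanism just described, reduced to a small working model. This is an added example and not the message security service's code: the rules, weights, thresholds and sample messages are constructed. It shows the three things the paragraph states: each triggered rule adds a weight, category rules are multiplied by their category's level, and the Bulk Email level sets the threshold the sum is compared with; the borderline sample is what the earlier discussion of aggressiveness versus false positives is about.

```python
"""Rule-weighted spam scoring with a Bulk Email level and category multipliers.

Added example, not the message security service's code. The rules, weights,
thresholds and sample messages are all constructed to illustrate the mechanism
the text describes.
"""
import re

# (rule name, spam category or None, weight, pattern). A None pattern is the
# "recipient not named in To:/Cc:" check, which is handled in code.
RULES = [
    ("recipient_not_addressed", None, 2.0, None),
    ("html_content", None, 1.0, re.compile(r"^Content-Type:\s*text/html", re.I | re.M)),
    ("adv_subject", None, 5.0, re.compile(r"^Subject:\s*ADV:", re.I | re.M)),
    ("special_offer", "commercial", 2.5, re.compile(r"limited time offer|act now", re.I)),
    ("get_rich", "get_rich_quick", 3.0, re.compile(r"make \$?\d[\d,]* (a|per) (day|week)", re.I)),
]

# Bulk Email level -> score at which a message is treated as spam (assumed values).
BULK_THRESHOLDS = {"lenient": 6.0, "moderate": 4.0, "aggressive": 2.5}


def _header_field(header_block: str, name: str) -> str:
    """Concatenated values of every header line called `name` (no folding support)."""
    prefix = name.lower() + ":"
    return " ".join(line.split(":", 1)[1] for line in header_block.splitlines()
                    if line.lower().startswith(prefix))


def score_message(raw: str, recipient: str, category_levels=None):
    """Return (score, triggered rule names). category_levels maps a category to
    its multiplier; 1.0 (the default) means that category filter is not raised."""
    category_levels = category_levels or {}
    header, _, _body = raw.partition("\n\n")
    score, triggered = 0.0, []
    for name, category, weight, pattern in RULES:
        if pattern is None:
            addressed = _header_field(header, "To") + " " + _header_field(header, "Cc")
            hit = recipient.lower() not in addressed.lower()
        else:
            hit = pattern.search(raw) is not None
        if hit:
            score += weight * (category_levels.get(category, 1.0) if category else 1.0)
            triggered.append(name)
    return score, triggered


def classify(raw: str, recipient: str, bulk_level="moderate", category_levels=None):
    """Decide spam/valid against the Bulk Email level and return the message with
    the score written into a header, as the text says the service does."""
    score, triggered = score_message(raw, recipient, category_levels)
    is_spam = score >= BULK_THRESHOLDS[bulk_level]
    tagged = (f"X-Spam-Score: {score:.1f}\n"
              f"X-Spam-Rules: {','.join(triggered) or 'none'}\n" + raw)
    return is_spam, score, tagged


# Constructed samples (not real mail).
SAMPLE_SPAM = ("From: offers@promo.test\nTo: undisclosed-recipients:;\n"
               "Subject: Limited time offer\nContent-Type: text/html\n\n"
               "<p>Act now and make $500 a day!</p>")
SAMPLE_BORDERLINE = ("From: news@vendor.test\nTo: alice@corp.test\n"
                     "Subject: Limited time offer on training\nContent-Type: text/html\n\n"
                     "Register this week.")
SAMPLE_VALID = ("From: bob@corp.test\nTo: alice@corp.test\nSubject: Lunch?\n"
                "Content-Type: text/plain\n\nAre we still on for noon?")

if __name__ == "__main__":
    for level in BULK_THRESHOLDS:
        print(level, classify(SAMPLE_BORDERLINE, "alice@corp.test", level)[:2])
```

The borderline message scores 3.5: it passes at the moderate level, is quarantined at the aggressive level, and is quarantined at the moderate level once the commercial category is raised to a multiplier of 2, which is exactly the trade-off between catch rate and false positives the text describes.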



Why Catch Rates Might Vary

Developing an effective technology for filtering spam is an ongoing effort since spammers are always evolving tactics to avoid detection. To combat new and ever-changing threats, the message security service continually calibrates its detection and filtering mechanisms, always striking a balance between catching the most spam while lowering the rate of falsely quarantined messages. As we make adjustments, you might notice slight variances in catch rates for certain spam categories. Or you might see an increase in falsely quarantined messages. If this happens, you might want to increase or decrease your own spam filter levels accordingly: increase sensitivity to catch more spam, or decrease levels to prevent false quarantines.



When to Use Content Manager Along With Blatant Spam Blocking

If you experience messages with undesirable content like profanity not being caught by your spam filters, you can add Content Manager filters to catch those messages. If the objectionable content is limited to a few words and the other content does not score as spam, then the message would not trigger the spam filters. To stop these types of messages, you can create content filters that look for exactly the offending language you wish to prohibit.



Configure Spam Settings for an Organisation

You configure Blatant Spam Blocking (BSB), which deletes the most obvious spam, and Spam Disposition, which determines how spam messages are managed for a user organisation.



You will enable spam filtering and set filter levels for the default user (the template used for an organisation).



Configure Blatant Spam Blocking

Blatant Spam Blocking (BSB) is an organisation level setting on the Spam Filters page that detects and deletes the most obvious spam before it reaches your email server. This feature identifies more than half of all spam. Messages are either bounced or black holed (deleted) without reaching the intended recipient or any Quarantine. Specifically, BSB calculates the message's spam score. If the score is below 0.00001 (a perfectly valid message has a score of 100), the message is overwhelmingly deemed spam, and blocked. Blatant Spam Blocking applies to all users in an organisation, but works only for users whose Filter Status is On. The Reports page has statistics regarding how many messages are caught by Blatant Spam Blocking.

To configure Blatant Spam Blocking:
1. Go to the Organisation Management page for the relevant organisation.
2. Under Inbound Services, click Spam Filtering.
3. Under Blatant Spam Blocking, choose one of the following options.
• BSB Off: Disables this feature for the organisation.
• Bounce: Bounces obvious spam back to the sender with the error message "ERROR 571 Message refused."
• Blackhole: Deletes obvious spam without sending a return error. From the sender's perspective, the message has been accepted.

Note: Depending on your service package, Blatant Spam Blocking might always be set to a Black hole disposition.



Enable BSB without Additional Filtering

Sometimes you might want to enable only Blatant Spam Blocking for an organisation, without any additional filtering.
1. Enable Blatant Spam Blocking for the organisation, with either the Bounce or Black hole Disposition.
2. Under Spam Disposition, select Message Header Tagging.
3. For the organisation's Default User (and any existing users), make sure the Filter Status is On (go to Spam Filters on the user's Overview page).
All obvious spam will be eliminated without reaching the data center or your server. Any remaining spam detected by the filters is tagged with a spam score written in the Header, and then delivered to users.



Configure Null Sender Disposition

Null Sender Disposition is an organisation level setting on the Spam Filters page that lets you choose how to dispose of messages that do not include an SMTP-envelope sender address.

To configure Null Sender Disposition: Select one of the following options:
• Ignore: Let the message bypass this filter. Other filters still apply.
• User Quarantine: Send the message to the recipient's quarantine.
• Blackhole: Delete the message.
• Bounce: Return the message to the sender. You can enter text to serve as the bounce message. If you enter text, it must begin with 4 or 5, followed by two digits, a space, and your text. This structure follows the format of SMTP reply codes. For example: 554 Transaction failed. If you leave this field blank, the following message is used: 571 Domain does not accept delivery report messages

Note: In order to deliver valid messages that do not include an SMTP-envelope sender address, like voicemail or vacation responders, use Content Manager to create a custom filter.



Configure Null Sender Header Tag Validation Note: These options are available only if you have been provisioned with Outbound Services. If you configure Outbound Services for your mail server, then the system adds a digital signature to each of your outbound messages. Null Sender Header Tag Validation is the process by which the system examines NDRs for the presence of an SMTP-envelope sender address and for



439



Trainer’s Handbook – Security Analyst SSC/ Q0903



the message security service’s digital signature. While this filter is an aspect of spam filtering, it runs at the very beginning of the message filtering process to immediately dispose of messages like invalid NDRs. Whether or not you have configured Outbound Services for your mail server, we recommend that you turn this filter on. When the filter is on and it catches a message, the system looks ahead to Content Manager to see whether it is configured to let messages bypass the junk filters and allow valid email that does not have an SMTP-envelope sender address. Under these circumstances, you can let valid messages pass through to their recipients’ inboxes. If this filter is off, then the system does not look ahead to Content Manager and you do not have the option to let valid null-sender-address messages pass through to their recipients’ inboxes. To configure Null Sender Header Tag Validation: Use the following options to turn Null Sender Header Tag Validation on or off, and to set the length of time during which the system can accept the digital signature: 



• On/Off: Select On or Off to turn Null Sender Header Tag Validation on or off.
  On: Any message that does not include an SMTP-envelope sender address, but does include the message security service’s digital signature, bypasses this filter. All other messages that do not include an SMTP-envelope sender address are disposed of according to your Null Sender Disposition settings, and according to how Content Manager is configured.
  Off: Any message without an SMTP-envelope sender address is disposed of according to your Null Sender Disposition settings.

• Validate reports up to ___ hours after message delivery: Enter the number of hours that the digital signature is considered valid. After that number of hours, the signature expires, and messages with an expired signature are treated the same as messages with no signature.
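The following is an added example, not code from the handbook or from the message security service it describes. It models the mechanism the options above describe: every outbound message is stamped with a signed tag, an NDR (a message with an empty SMTP-envelope sender) is accepted only if it echoes a valid tag whose send time lies inside the "Validate reports up to N hours" window, and every other null-sender message receives the configured bounce text, which is checked against the reply-code format given above. The header names, the site key and the sample values are assumptions made for the example.

```python
"""Null-sender (bounce) validation with a signed outbound tag.

Added example for this handbook section; it is not code from the message
security service described in the text. Header names, the key and the
sample values are assumptions for the example.
"""
import hashlib
import hmac
import re
from typing import Dict, Optional, Tuple

# Constructed site key for the example; a deployment would use its own secret.
SITE_KEY = b"example-site-key-not-for-production"

# The handbook's format for a custom bounce text: 4 or 5, two digits, a space, text.
BOUNCE_RE = re.compile(r"^[45]\d{2} \S.*$")
DEFAULT_BOUNCE = "571 Domain does not accept delivery report messages"


def bounce_text(custom: Optional[str]) -> str:
    """Return the bounce text to send, falling back to the default.

    A custom text that does not follow the SMTP reply-code format is refused
    with ValueError rather than sent, since a malformed reply line confuses
    the sending MTA."""
    if not custom:
        return DEFAULT_BOUNCE
    if not BOUNCE_RE.match(custom):
        raise ValueError("bounce text must look like '554 Transaction failed': %r" % custom)
    return custom


def make_tag(message_id: str, sent_at: int, key: bytes = SITE_KEY) -> str:
    """Tag stamped on an outbound message: send time plus an HMAC over id and time."""
    mac = hmac.new(key, ("%s|%d" % (message_id, sent_at)).encode(), hashlib.sha256).hexdigest()
    return "%d:%s" % (sent_at, mac)


def tag_is_valid(message_id: str, tag: str, now: int, max_hours: int,
                 key: bytes = SITE_KEY) -> bool:
    """Check a tag echoed back in an NDR: the MAC must verify and the send time
    must lie within the configured window ("Validate reports up to N hours")."""
    try:
        sent_at_str, mac = tag.split(":", 1)
        sent_at = int(sent_at_str)
    except ValueError:
        return False
    expected = hmac.new(key, ("%s|%d" % (message_id, sent_at)).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return False
    return 0 <= now - sent_at <= max_hours * 3600


def handle_inbound(envelope_sender: str, headers: Dict[str, str], now: int,
                   validation_on: bool = True, max_hours: int = 48,
                   custom_bounce: Optional[str] = None) -> Tuple[str, str]:
    """Decide what happens to one inbound message.

    Returns ("accept", "") or ("bounce", <reply text>). Messages that carry an
    envelope sender are outside this filter. With validation On, a null-sender
    message that echoes a valid tag bypasses the filter and all other
    null-sender messages are bounced; with validation Off every null-sender
    message is bounced, matching the On/Off behaviour the handbook lists."""
    if envelope_sender:
        return ("accept", "")
    if validation_on:
        # Assumed header names: the original message id and the echoed tag.
        msg_id = headers.get("X-Original-Message-ID", "")
        tag = headers.get("X-Bounce-Tag", "")
        if msg_id and tag and tag_is_valid(msg_id, tag, now, max_hours):
            return ("accept", "")
    return ("bounce", bounce_text(custom_bounce))
```

The tag is checked with a constant-time comparison, and an expired tag is treated exactly like a missing one, which is the behaviour the "Validate reports up to ___ hours" option describes.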



Configure Spam Disposition for an Organisation

To determine what to do with filtered spam, you select a spam disposition. Do this at the organisation level, which sets the disposition for all users in that organisation.

To configure Spam Disposition:

1. Under Management, go to the Organisation page for the organisation.
2. Under Inbound Services, click Spam Filtering.
3. Choose the Spam Disposition:

• User Quarantine: Filtered spam for each user in the organisation is sent to a separate User Quarantine. Administrators can manage this Quarantine from the user’s Overview page. If Quarantine Summary is also enabled for the organisation (under Notifications), each user receives a periodic summary of recently quarantined messages. If User Access is enabled for the organisation, as well, users can manage their own quarantined messages in the Message Center.



• Quarantine Redirect: Delivers all users’ filtered spam to a single administrator’s Quarantine—the one associated with the address entered here. Enter the primary address (not an alias) of a user who has been added to the message security service, has administrative privileges for this organisation, and is located under the same email config as this organisation.



Select this option if you don’t want to sort quarantined spam by user, and if you don’t want users to manage their own spam. The administrator must review and deliver all users’ legitimate messages from the shared Quarantine—either from the administrator’s User Quarantine in the Administration Console or from the administrator’s Message Center. (The Administration Console can display 5,000 messages at once, Message Center can display an unlimited number of messages, and Message Center Classic can display 500 messages.) If Quarantine Summary is enabled for the organisation (under Notifications),



this administrator receives a periodic summary of recently quarantined messages for the entire organisation. If you choose this disposition, make sure to disable User Access permissions to the Message Center for all users in the organisation. WARNING: The administrator’s Quarantine should be checked regularly to forward any legitimate messages that were accidentally quarantined. 



• Message Header Tagging: Sends filtered spam for this organisation to your email server with a spam score written in the header. The message can then be processed at a dedicated location on your server or on each user's email client. No spam messages are filtered. For this disposition to be effective, you must set up rules on the receiving email server for processing spam based on its spam score.



WARNING: With this disposition, all spam for users in this organisation is delivered to your email server intact, along with “good” traffic. This is an advanced setting for administrators who want to create their own rules for filtering spam, or who don’t want to filter spam beyond what is caught by Blatant Spam Blocking. This setting is not otherwise recommended.






UNIT VIII Web Application Security Configuration

This Unit covers:
• Lesson Plan
• Suggested Learning Activities
• Training Resource Material
  8.1 Web Application Security Overview
  8.2 Configuring Cisco Web Application Security Module
  8.3 Configuring ModSecurity






LESSON PLAN



Outcomes
  To be competent, you must be able to:
  PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines
  You need to know and understand:
  KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
  KB1. fundamentals of information security and how to apply these, including: networks; communication; application security

Performance Ensuring Measures
  • Peer group, Faculty group and Industry experts.
  • KA4, KA5: Peer group, Faculty group and Industry experts.
  • KB1 - KB4: Group and Faculty evaluation based on anticipated outcomes. Reward points to be allocated to groups.

Duration (Hrs)
  • 2 hr in class presentations
  • 2 Hrs classroom assessment and 10 Hrs offline Research and Learning activity.

Work Environment / Lab Requirement
  • PCs/Tablets/Laptops; Projection facilities
  • PCs/Tablets/Laptops; Labs availability (24/7); Internet with WiFi (Min 2 Mbps Dedicated); Access to all security sites like ISO, PCI DSS, Center for Internet Security






Suggested Learning Activities

Activity 1: Divide the students into groups and ask them to research various types of attacks and get examples of each type of Virus, Trojan, Worm and other malware, etc. The group that gets the maximum number of correct examples will get a prize.

Activity 2: Ask the students to research cases of attacks over the years and the impact of those attacks on the organisations where these occurred.

Activity 3: Ask the students to access the CVE and list all the types of information that they can get from there. Present the same in class and elaborate upon the various ways that information can be used.






Training Resource Material

8.1 Web Application Security Overview

The web application security feature enables the application appliance to act as an application firewall and provide web application security and intrusion protection.

Web application security is highly configurable, and can protect against the following kinds of application attacks:
• identity theft
• SQL, OS, and LDAP command injection
• cross site scripting
• meta character and format string attacks
• buffer overflow
• form exploitation
• URL redirects and directory traversal
• error message exploitation
• cookie exploitation
• noncompliant HTTP
• web server fingerprinting






8.2 Configuring Cisco Web Application Security Module

You configure web application security through the management console GUI by using the menu commands under the Web Application Security folder that appears under the Cluster Configuration item under a cluster name.

To configure web application security, follow these basic steps:

1. Use the Traffic Class Maps command to define traffic class maps to classify web application traffic according to various parameters such as hostname, URL, cookie name and value, and so on. A traffic map specifies a set of traffic to which you want to apply a security policy.
2. Define web application security feature maps that configure security features. To define feature maps, select the individual features (URL Normalization, Cookie Protection, ID Theft Protection, Request Limits, Error/Redirect Pages, Web Cloaking, URL Tagging, Input Validation Checks, HTTP Protocol Conformance) under the Web Application Security folder.
3. Use the Policy Maps command to define policy maps that associate a traffic class with a set of security functions. A policy map defines a series of actions (functions) that you want to apply to a set of classified traffic.
4. Use the System Utilities Service Policy command to choose the active policy map.
5. Use the System Utilities Commit Config command to commit the configuration.
6. If you have a cluster of application appliance nodes, use the System Utilities Publish Configuration command to publish the configuration to all nodes in the cluster.
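As an added example (not the Cisco AVS implementation and not code from the handbook), the following models steps 1 to 3 in plain Python: a traffic class map selects requests by hostname, URL prefix or cookie name, feature maps hold the per-feature settings (Request Limits, Input Validation Checks, URL Normalization are the three modelled here, in simplified form), and a policy map binds one class map to the features applied to it. Violations are returned as entries shaped like the Current Log columns described later in this section. Field names, the checks themselves, the deny patterns and the sample requests are this example's own assumptions.

```python
"""Traffic class maps, feature maps and policy maps as a small evaluator.

Added example for this section, not the Cisco AVS implementation: the field
names, checks and sample requests are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class Request:
    host: str
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class TrafficClassMap:
    """Selects a set of traffic; every criterion that is set must match."""
    name: str
    host: Optional[str] = None
    url_prefix: Optional[str] = None
    cookie_name: Optional[str] = None

    def matches(self, req: Request) -> bool:
        return ((self.host is None or req.host.lower() == self.host.lower())
                and (self.url_prefix is None or req.url.startswith(self.url_prefix))
                and (self.cookie_name is None or self.cookie_name in req.cookies))


@dataclass
class RequestLimits:                  # feature map: Request Limits
    max_url_length: int = 2048


@dataclass
class InputValidation:                # feature map: Input Validation Checks
    deny_patterns: List[str] = field(default_factory=list)


@dataclass
class PolicyMap:
    """Binds one traffic class to the feature maps applied to it."""
    name: str
    traffic_class: TrafficClassMap
    limits: Optional[RequestLimits] = None
    validation: Optional[InputValidation] = None
    normalize_urls: bool = False      # feature: URL Normalization


@dataclass
class LogEntry:                       # mirrors the Current Log columns
    policy: str
    traffic_class: str
    feature: str
    uri: str
    message: str


def normalize_path(path: str) -> Tuple[str, bool]:
    """Percent-decode twice (so double encoding is not a bypass) and collapse
    '.'/'..' segments. Returns (normalized path, True if the path tried to
    climb above the document root, i.e. directory traversal)."""
    segments: List[str] = []
    escaped = False
    for seg in unquote(unquote(path)).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True
        else:
            segments.append(seg)
    return "/" + "/".join(segments), escaped


def evaluate(policy: PolicyMap, req: Request) -> List[LogEntry]:
    """Apply one policy map to one request and return the violations found."""
    hits: List[LogEntry] = []
    if not policy.traffic_class.matches(req):
        return hits                   # not classified by this policy: untouched

    def log(feature: str, message: str) -> None:
        hits.append(LogEntry(policy.name, policy.traffic_class.name, feature, req.url, message))

    if policy.normalize_urls and normalize_path(req.url.partition("?")[0])[1]:
        log("URL Normalization", "path escapes the document root after normalization")
    if policy.limits is not None and len(req.url) > policy.limits.max_url_length:
        log("Request Limits", "URL length %d exceeds %d" % (len(req.url), policy.limits.max_url_length))
    if policy.validation is not None:
        decoded = unquote(unquote(req.url))   # check the decoded form, not the wire form
        for pat in policy.validation.deny_patterns:
            if re.search(pat, decoded, re.IGNORECASE):
                log("Input Validation Checks", "request matched deny pattern %r" % pat)
    return hits


def evaluate_all(policy: PolicyMap, requests: List[Request]) -> List[LogEntry]:
    return [hit for req in requests for hit in evaluate(policy, req)]


# Constructed policy and sample requests for the example.
DEMO_POLICY = PolicyMap(
    name="shop-policy",
    traffic_class=TrafficClassMap(name="shop-traffic", host="shop.example.test", url_prefix="/app/"),
    limits=RequestLimits(max_url_length=256),
    validation=InputValidation(deny_patterns=[r"'\s*(or|and)\s+\d+\s*=\s*\d+",   # boolean SQL injection probe
                                              r"<\s*script\b"]),                # inline script tag (XSS)
    normalize_urls=True,
)
DEMO_REQUESTS = [
    Request("shop.example.test", "/app/items?id=42"),                  # clean
    Request("shop.example.test", "/app/items?id=1'%20OR%201=1"),       # injection probe
    Request("shop.example.test", "/app/%2e%2e/%2e%2e/etc/passwd"),     # traversal, double-encoded
    Request("shop.example.test", "/app/search?q=" + "a" * 300),        # over the URL limit
    Request("blog.example.test", "/app/items?id=1'%20OR%201=1"),       # other host: not classified
]
```

Two design points carry over to a real deployment: pattern checks run on the decoded request, not the wire form, otherwise a percent-encoded probe slips past, and a request that no traffic class map selects is passed through untouched, which is why step 1 (classifying the traffic) has to come before any feature map can take effect.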



Map Summary Interface Most of the features in the Web Application Security module use the term "map" for a set of options that configure the feature in a specific way. A map is named and stored, and then it can be viewed, cloned, edited, or deleted. Every feature that uses maps presents a summary list of those that are defined when you first click on the feature command name under the Web Application Security module, as shown in Figure below. If there are no maps yet defined for the feature, then the summary says "No Maps Configured." This section describes how to interact with a map summary screen.






Figure 5: Map Summary Example



The example in Figure 5 shows the map summary that is displayed when you click on the Request Limits command. Every other map summary looks similar and contains similar controls. The following paragraphs describe how to use the controls on a map summary page.

Each row in the summary lists one defined map. Using the controls on a summary row you can view, clone, edit, or delete the map.

To view the definition of a map, click its underlined name at the left end of the row. The displayed page shows a read-only listing of the map definition.

To copy a map to use as the basis of a new map, click the Clone button next to the map that you want to clone. AVS displays a map editing screen that is similar to the one shown when you are adding a new map, except that all the settings are copied from the map that you cloned.

To edit a map, click the Edit button in the summary. AVS displays a map editing screen where you can change the settings in the map.

To delete one or more maps, check the box in the Delete column for each map that you want to delete. Then click the Delete Maps button to delete the checked maps.



To add a new map, click the Add New Map button to display a map editing screen where you can define the map and give it a name. The sections throughout this chapter describe the unique map editing screens for each feature. You can click the links in the blue bar at the top of the frame to go directly to the screens identified by name.



Global Configuration and Utilities

This section describes the following global configuration and utility items that appear under the Web Application Security folder in the left hand menu of the management console:
• System Utilities
• Traffic Class Maps
• Policy Maps
• Pattern Definitions



System Utilities

Various utilities let you manage web application security configuration, logging, and statistics. Use the System Utilities command to display a page that contains links to the system utilities, as shown in Figure below. To use a utility function, click on its link.



Figure 6: Utilities Page



The following sections describe the two groups of items listed on the System Utilities page:
• Display Utilities
• Configuration Utilities



Display Utilities

The utilities grouped under the Display Utilities heading let you display various information. The following items are included:
• Startup Configuration
• Running Configuration
• New Configuration
• System Stats
• Traffic Level Stats
• Policy Level Stats
• Current Log
• Saved Log
• Show Version
• Show Tech Support
• Default Config

Startup Configuration

The Startup Configuration link displays the default web application security configuration. This information is not relevant for users; it is for debugging only.

Running Configuration

The Running Configuration link displays the web application security configuration that is currently in effect. This information is not relevant for users; it is for debugging only.

New Configuration

The New Configuration link displays the web application security configuration that is being configured, but not yet committed. This information is not relevant for users; it is for debugging only.



System Stats Click System Stats to display statistics related to the web application security operation and features, as shown in Figure below.






Figure 7: System Statistics



The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen. You can click the links above the table to jump directly to the section of the table that shows statistics for the feature named in the link. For each item in the table, the statistic shows a number of bytes or the number of times the event has occurred.



Traffic Level Stats Click Traffic Level Stats to display statistics organized by traffic classification map. The display looks similar to that shown in Figure above, but a full set of statistics is listed for each traffic class map. Links to each of the traffic class maps appear across the top of the screen; click one to jump to the statistics for that map.



The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen.



Policy Level Stats

Click Policy Level Stats to display statistics organized by policy map. The display looks similar to that shown in Figure above, but a full set of statistics is listed for each policy map. Links to each of the policy maps appear across the top of the screen; click one to jump to the statistics for that map. The statistics are initially shown for the master node, which is the first AVS 3120 node that is added to the cluster in the management console. To show statistics for a different node, click on the link with the node name in the Nodes field at the top of the screen.

Current Log

Click Current Log to display the current web application security log, as shown in the following Figure. The content of the current log varies depending on your system configuration, as follows:
• If you have an AVS 3180 Management Station, then Current Log displays the log file of the master node (the first AVS 3120 node that was added to the cluster).
• If you do not have an AVS 3180 Management Station, then Current Log displays the log file of the current AVS 3120 node on which you are running the management console.



Figure 8: Current Log Display



You can scroll the log window to the right to see additional columns that include the URI, the feature responsible for the log entry, the policy map, traffic class map, feature map, and the log message. The policy map, traffic class map, and feature map names are hyperlinks, which when clicked will take you to a screen where you can edit the named map.



You can clear the current log file by using Clear Current Logs.



This page displays log entries from all web application security features by default. You can filter the displayed log items by feature by choosing the feature from the Filter By Feature drop-down list. Then click Refresh Saved Logs.







Saved Log

Click Saved Log to display the saved log, which looks similar to the Figure above. The saved log item works differently, depending on your system configuration, as follows:
• If you have an AVS 3180 Management Station, then Saved Log displays the aggregate log file of all AVS 3120 nodes that are part of the cluster in the management console. (In order to aggregate log files from all nodes in the cluster, you must configure all nodes to send log messages to the AVS 3180 Management Station.)
• If you do not have an AVS 3180 Management Station, then Saved Log displays nothing and is not useful.

The log filtering works the same as for Current Log.



Show Version Click Show Version to display version information about the web application security software.



Show Tech Support Click Show Tech Support to display information about the web application security software that can be helpful for technical support.



Default Config Click Default Config to display a page that controls the defaults for various web application security features, as shown in the following Figure.



Figure 9: Default Configuration



This page lists the web application security features and pattern definitions that can have default configurations. A default configuration is the configuration that appears when you create a new map for a feature.

To view the default configuration for a feature or pattern definition, click the View link next to its name. To enable the feature or pattern definition to have a default configuration, check the Enable check box. If you make any changes to this screen, click Apply Changes at the top to save your changes, or click another AVS command in the left-hand menu to exit this screen without saving your changes.

You can change the default configuration for a feature or pattern definition by creating a new map for it, configuring the settings as needed, and clicking the Set As Default button. Creating a default in this way will automatically enable the default configuration if it is not already enabled.

Configuration Utilities

The utilities grouped under the Configuration Utilities heading let you manage the global web application security configuration and logging. The following items are included:
• System Settings
• Cluster Control
• Publish Configuration
• Service Policy
• Clear System Config
• Commit Config
• Force Commit
• Save Config
• Clear Config
• Clear System Stats
• Clear Traffic Stats
• Clear Policy Stats
• Log Server Config
• Clear Current Logs



System Settings Click System Settings to display a page that controls overall web application security system operation, as shown in Figure below.






Figure 10: System Settings



From the Mode of Operation drop-down list, choose one of the following operation modes for the web application security module:

• Inline: This mode is used for web application security only; no other AVS features can be used or should be configured, including destination mapping or SSL termination. In this mode, the application appliance acts like a transparent bridge, monitoring traffic on incoming port 3, checking security policies and taking action if necessary, then forwarding the traffic to the web servers on outgoing port 4. Ports 3 and 4 do not have IP addresses and so do not terminate TCP/IP connections. Port 1 is used for management console connectivity and port 2 is not used.

• Gateway: This mode is used when you want to operate other AVS features in addition to web application security. For this mode, you must configure at least destination mapping in the application appliance. In this mode, traffic enters and leaves the application appliance on port 1, which is also used for management console connectivity. The other three ports are not used. In gateway mode, SSL-encrypted HTTPS traffic that arrives at the application appliance is decrypted and forwarded to the web servers as unencrypted HTTP traffic if the web application firewall is in use. HTTPS traffic between the application appliance and the web servers is not supported unless the web application firewall is disabled.

• Monitor: This mode is used for monitoring traffic only; no other AVS features can be used or should be configured. No packets are modified by the web application security module, but instead it only logs events that match security policies. You can use this mode of operation if you want to passively examine your web application traffic for possible security threats. Connect network traffic that you want to monitor to port 2 on the AVS 3120. For example, you can connect port 2 to the monitor port or Switched Port Analyzer (SPAN) port on a switch. Port 2 does not have an IP address and so does not terminate TCP/IP connections. Port 1 is used for management console connectivity and ports 3 and 4 are not used.

The port assignments for the various operating modes are summarized in the following Table.



Table 8: Port Assignments

Operating Mode | Port 1                            | Port 2            | Port 3                  | Port 4
Inline         | management console                | not used          | incoming client traffic | outgoing server traffic
Gateway        | management console and web traffic | not used         | not used                | not used
Monitor        | management console                | monitored traffic | not used                | not used

If you change operating modes, for example from inline to gateway mode, you must restart the web application security module. This is a major change that will likely also require you to reconfigure your network routing. In all of the operation modes, the application appliance inspects traffic that is going to and coming from the web servers.

In the Software Auto Bypass drop-down list, choose Yes if you want to enable automatic bypass in inline mode. Automatic bypass causes the application appliance to bridge packets between the incoming and outgoing ports if the web application security module fails, which allows clients to continue to access the web servers without security checks. If you choose No and the web application security module fails, client requests will not be forwarded to the web servers.



In the Old Configuration Expires After field, enter the time in seconds to allow any HTTP sessions that are in progress to finish before changing configuration when a new configuration is committed. During this grace period, the old configuration still applies to active HTTP sessions. When this period of time expires, any HTTP sessions that are still in progress are closed and the new configuration is applied. In the Servers to protect area, you must enter the IP addresses and ports of each web server that you want the web application security module to protect. Enter the IP address of a web server in the IP address field, check the Add box, and click Update Servers. Then you will see a Port field displayed under the IP address. Enter the port to protect, check the Add box next to the port, and click Update Servers. Repeat this procedure to add each port that you want to protect on the web server.






Repeat entering the IP address and ports of each web server that you want to protect. To delete a port or web server IP address, check the Delete check box next to the port or IP address and click Update Servers. When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to return to the utilities main page without saving your changes.

Cluster Control

Click Cluster Control to display a page that allows you to stop, start or restart the web application security firewall module on individual application appliance nodes, as shown in the following Figure.

Figure 11: Cluster Control

This screen shows the status (Running or Stopped) of the web application security firewall module for each node in the cluster. You can run, stop, or restart the web application firewall module on the nodes in the cluster. Check the check boxes next to the nodes that you want to control, and then click Run, Stop, or Restart to perform that operation on the checked nodes. You can use the Include All Nodes and Exclude All Nodes buttons at the top to check or clear all check boxes. If you want to control the status of both the Condenser and web application security firewall modules, you can use the Cluster Control command under the cluster name in the left hand menu.

Publish Configuration

Click Publish Configuration to display a page that allows you to publish a configuration to all nodes in a cluster, as shown in Figure below.






Figure 12: Publish Configuration



In the Publish Configuration area of the form, click the Publish button to publish the running configuration of the master AVS 3120 node to all other nodes in the same cluster. If there are no other nodes in the cluster, the Publish button is not shown. The master node is the first AVS 3120 node that is added to the cluster in the management console. If that node is removed, then the next added node becomes the master node, and so on. The master node is identified at the top of the Publish Configuration page. To cancel the operation and go back to the System Utilities page click Back.

Use the Publish button in situations where the master node is stable and one of the other nodes restarts or a new node is added to the cluster. All AVS 3120 nodes in a cluster must have the same web application security running configuration. If you are operating a cluster, you must publish the web application security configuration of the master node to all other nodes.

In the Synchronize Configuration area of the form, click the Sync button to publish the configuration that is saved on the management console to all nodes in the same cluster. Use the Sync button in situations where the master node is restarted with a different configuration and you want to resynchronize it and all other nodes with the saved configuration that is stored in the management console. To view the saved configuration that will be published to all nodes, click the View Last committed Configuration link.

Service Policy

Click Service Policy to display a page that allows you to choose the active policy map, as shown in the following Figure.






Figure 13: Service Policy



In the Select Policy Map drop-down list, choose the policy map that you want to be active. Then click Apply Changes at the top to save your changes, or click Discard Changes to discard your changes. Only one policy map can be active at a time. The setting on this screen interacts with enabling a policy map on the policy map summary screen shown in the following figure. Setting a policy to be enabled in that screen will cause it to be the selected service policy in this service policy screen.

Clear System Config

Click Clear System Config to clear the saved System Settings on the master AVS 3120 node. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to clear the configuration. Click OK to clear or Cancel to cancel. This command clears only the system settings, not the policy configuration. To clear the policy configuration, use Clear Config.

Commit Config

Configuration changes that you make to web application security policies must be committed before they take effect and are applied to web traffic. Before they are committed, they are stored temporarily by the management console but are not saved or applied to the AVS 3120 node where the web application security module operates. Click Commit Config to commit the configuration changes to the master AVS 3120 node and to save them on the management console. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to commit the configuration. Click OK to commit or Cancel to cancel.

If any HTTP sessions are in progress, they are given a grace period in which to finish, before the new configuration takes effect. This grace period is configurable and is described in the "System Settings" section. During this period, you normally cannot commit a second new configuration. If you need to commit another configuration before this interval has passed, use Force Commit.

After committing a configuration, we recommend that you save the configuration on the master node by using Save Config. If you have a cluster of AVS 3120 nodes, you must also publish the configuration to all nodes in the cluster by using Publish Configuration. The application appliance does not support a cluster where the nodes have different web application security configurations.
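The interaction between the grace period (Old Configuration Expires After in System Settings), Commit Config, Force Commit, Save Config and Clear Config is easy to get wrong operationally, so here it is as an added state model written in Python. It is not Cisco's code and the handbook does not give the node's internals; the model assumes that Force Commit applies the new configuration immediately, that a node with no saved configuration reboots into a factory default, and it takes the clock as an explicit argument so the behaviour is deterministic.

```python
"""Commit / Force Commit / Save Config / Clear Config as a state model.

Added example, not Cisco's code. Assumptions: Force Commit applies at once,
a node with nothing saved reboots into "default", and time is passed in.
"""
from typing import Optional


class CommitRefused(Exception):
    """Raised when an ordinary commit lands inside another commit's grace period."""


class WafConfigNode:
    def __init__(self, grace_seconds: int = 30, initial: str = "default"):
        self.grace_seconds = grace_seconds
        self.running: str = initial          # what the module enforces now
        self.saved: Optional[str] = None     # what survives a reboot (Save Config)
        self.pending: Optional[str] = None   # committed, waiting for the grace period
        self.grace_ends_at: Optional[int] = None

    def _settle(self, now: int) -> None:
        """Promote a pending configuration once its grace period has passed;
        sessions that were in progress have had their time to finish."""
        if self.pending is not None and self.grace_ends_at is not None and now >= self.grace_ends_at:
            self.running, self.pending, self.grace_ends_at = self.pending, None, None

    def effective_config(self, now: int) -> str:
        """Configuration applied to traffic at time `now`."""
        self._settle(now)
        return self.running

    def commit(self, config: str, now: int, force: bool = False) -> None:
        """Commit Config (force=False) or Force Commit (force=True)."""
        self._settle(now)
        if force:
            # Force Commit: takes effect immediately, dropping any pending commit.
            self.running, self.pending, self.grace_ends_at = config, None, None
            return
        if self.pending is not None:
            raise CommitRefused("previous commit's grace period still running; use Force Commit")
        self.pending = config
        self.grace_ends_at = now + self.grace_seconds

    def save(self) -> None:
        """Save Config: preserve the running configuration across a reboot."""
        self.saved = self.running

    def clear_config(self) -> None:
        """Clear Config: drops only the saved copy; the node keeps running as is."""
        self.saved = None

    def reboot(self) -> None:
        """Running and pending configurations are lost; the node comes up with
        whatever was saved, which is why Save Config should follow a commit."""
        self.running = self.saved if self.saved is not None else "default"
        self.pending, self.grace_ends_at = None, None
```

The part worth noticing is `clear_config` followed by `reboot`: nothing changes until the reboot, at which point the node silently reverts to the default, exactly the situation the Clear Config description warns about.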






Force Commit

Click Force Commit to immediately commit configuration changes, if you have recently committed another configuration and the grace period for that commit has not yet expired. See the previous section, Commit Config, for details. You are asked in a confirmation dialog if you are sure that you want to force commit the configuration. Click OK to commit or Cancel to cancel. After committing a configuration, we recommend that you save the configuration by using Save Config. If you have a cluster of AVS 3120 nodes, you must also publish the configuration to all nodes in the cluster by using Publish Configuration. The application appliance does not support a cluster where the nodes have different web application security configurations.

Save Config

Click Save Config to save the running configuration on the master AVS 3120 node so that it will be preserved across a reboot of that node. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to save the configuration. Click OK to save or Cancel to cancel. After committing a configuration by using Commit Config, we recommend that you save the configuration by using Save Config.

Clear Config

Click Clear Config to clear the saved policy configuration on the master AVS 3120 node. The master node is the first AVS 3120 node that is added to the cluster in the management console. You are asked in a confirmation dialog if you are sure that you want to clear the configuration. Click OK to clear or Cancel to cancel. Clearing the configuration clears only the saved copy of the configuration on the master AVS 3120 node. It does not clear the running configuration, so the node will continue to operate with its running configuration. If it is rebooted, that configuration will be lost because it is no longer saved.

Clear System Stats

Resets the statistics accumulated and displayed by the System Stats command.

Clear Traffic Stats

Resets the statistics accumulated and displayed by the Traffic Level Stats command.

Clear Policy Stats

Resets the statistics accumulated and displayed by the Policy Level Stats command.

Log Server Config

The log server configuration page lets you configure remote logging for the web application security firewall. Web application security logs are separate from other AVS logs. Click the Log Server Config link to display the page shown in the Figure below, where you can configure remote syslog servers to which logs are sent by the web application security module.






Figure 14: Log Server Configuration



In the IP Address field, enter the IP address of a remote server to which AVS should send web application security logs. Check the Add check box and click Update IP Addresses to add the address to the list of remote log servers. Repeat these steps to add further remote log servers. To delete a log server from the list, check the Delete check box next to it and click Update IP Addresses. The servers that you specify must have the syslog facility running and configured to receive messages from the network. Because classic network syslog is neither authenticated nor encrypted, these servers should be reachable only over the management network. If you are managing a cluster of AVS 3120 nodes with the AVS 3180 Management Station, you must configure the AVS 3180 as one of the remote log servers; this allows the management console to display aggregated logs from all nodes in the cluster. If you do not have an AVS 3180 Management Station, you may still want to enter the IP address of at least one remote log server where logs will be aggregated, though these logs will not be accessible through the management console interface. When you are finished with this form, click Apply Changes at the top to save your changes, or click Discard Changes to discard them.

Clear Current Logs
Clears the current log file. Which file is the current log file depends on your configuration:
• If you have an AVS 3180 Management Station, Clear Current Logs clears the log file of the first AVS 3120 node that is listed in the cluster in the management console.
• If you do not have an AVS 3180 Management Station, Clear Current Logs clears the log file of the AVS 3120 node on which you are running the management console.
To view the current log file, use Current Log.

Traffic Class Maps
Traffic mapping allows you to classify HTTP request and response traffic according to a set of definable criteria. You must define a traffic map to select a set of traffic before you can apply security features to that traffic in a policy map. Use the Traffic Class Maps command to display a page that summarizes the traffic classification maps that are defined, as shown in the following Figure.






Figure 15: Traffic Map Summary



Figure 16: Edit New Traffic Classification MAP



Each row in the summary lists one defined traffic map. From here you can view, clone, edit, or delete a traffic map, or add a new map. To view the definition of a traffic map, click its underlined name. The displayed page shows a read-only listing of the definition. The Match column lists the matching policy of the map. To copy a map to use as the basis of a new map, click the Clone button for the traffic map that you want to copy. To edit a traffic map, click the Edit button for the map that you want to edit. A form similar to that shown in Figure 16 is displayed where you can edit the traffic map. To delete one or more traffic maps, check the box in the Delete column for each map that you want to delete. Click Delete to delete the checked maps. To add a new traffic map, use the Add Traffic Class area below the summary table. Give the map a name in the Map Name field. To determine how the criteria in this map are to be applied, choose one of the following radio buttons below this field:

















• Match Any Criteria—This traffic map is applied if any one of the criteria is satisfied.
• Match All Criteria—This traffic map is applied only if all of the criteria are satisfied.



Then click the Add New Map button to create the traffic map. You are returned to the map summary page, where you will see the new traffic map listed. To continue defining the new map, click the Edit button for the map to display the screen shown in the Figure below. One criteria line has already been added to this traffic map. You can add criteria lines that describe one or more characteristics of the traffic that you want to classify. From the Type drop-down list, select the traffic type: Request or Response. Next, select the type of HTTP data that you want to examine for a match in the Match Criteria drop-down list. The match criteria choices are listed in the following Table.



Table 9: Traffic Class Match Criteria

Type       Match Criteria           Description of Parameters
Request    cookie-name              Name of a request cookie
Request    cookie-name-value        Name and value of a request cookie
Request    cookie-value             Value of a request cookie
Request    host                     Value of the Host header
Request    method                   HTTP method used to make the request
Request    param-name               Name of a query parameter in the URL
Request    param-name-value         Name and value of a query parameter in the URL
Request    param-value              Value of a query parameter in the URL
Request    referer                  Value of the Referer header
Request    request-body             Value of the HTTP request body
Request    request-date             Value of the Date header
Request    request-header-name      Name of a request header
Request    request-header-value     Value of a request header
Request    request-version          HTTP version of the request
Request    url                      Value of the URL
Request    user-agent               Value of the User-Agent header
Response   content-encoding         Value of the Content-Encoding header
Response   content-location         Value of the Content-Location header
Response   content-type             Value of the Content-Type header
Response   reason-phrase            Value of the reason phrase
Response   response-body            Value of the HTTP response body
Response   response-date            Value of the Date header
Response   response-header-name     Name of a response header
Response   response-header-value    Value of a response header
Response   response-version         HTTP version of the response
Response   server                   Value of the Server header
Response   set-cookie-name          Name of a cookie being set
Response   set-cookie-name-value    Name and value of a cookie being set
Response   set-cookie-value         Value of a cookie being set
Response   status-code              Value of the status code
Response   transfer-encoding        Value of the Transfer-Encoding header



Next to the match criteria, in the Parameter1 and Parameter2 fields, enter the values that are the match criteria. Most match criteria items require only a single value, which you enter into the Parameter1 field. A few of the match criteria items require both a name and a value, such as a cookie name and value or a parameter name and value. Enter the name into the Parameter1 field and the value into the Parameter2 field. If the Parameter2 field is not needed, it is not shown. For example, if you choose host for the Match Criteria, then the Parameter1 value would be a host name such as www.cisco.com; the Parameter2 field is not used. If you choose param-name-value for the Match Criteria, then the Parameter1 value would be the name of a request parameter, and the Parameter2 value would be the value of the specified request parameter. Regular expressions are allowed, so escape any metacharacters that you intend literally (such as the dots in a host name). Check the box in the Negate column if you want to match all traffic that does not meet the criteria. For example, if you check Negate and enter www.cisco.com for host, this criterion matches all requests where the host does not equal www.cisco.com.

Traffic maps that contain response criteria cannot be used to trigger a feature that operates on a request. For example, if you have a traffic map that uses the content-type criterion (a response criterion), this traffic map cannot be used in a policy where it is associated with a request limits feature map. Many features can apply to both requests and responses. Such a feature can be associated with a traffic map that contains response criteria only if it does not operate on request data. For example, if you have a traffic map that uses the set-cookie-name criterion (a response criterion), this traffic map can be used in a policy where it is associated with a cookie protection map, as long as the cookie protection map operates only on response cookies. If the cookie protection map includes any request cookie operations, then the policy is invalid. When you are finished entering one criteria line, click the Update Parameters button to update the page and get a new line on which to enter another criterion. To delete one or more criteria lines, check the Delete check box on each line that you want to delete and then click Update Parameters to delete all checked lines. When you are finished with this form, click Apply Changes to save your changes, or click Discard Changes to return to the summary page without saving your changes.









Default Traffic Maps
The system defines some default traffic class maps that you can use in policy maps. The following default maps are defined:
• class-all—This traffic map includes all traffic, both requests and responses. Actions and features that are associated with class-all in a policy map are always executed.
• class-default-request—This traffic map includes all request traffic that does not match any of the user-defined classes. At the end of an HTTP request, if no user-defined classes have matched, the actions and features in the policy map that is associated with the class-default-request traffic map are executed. In a policy map, this traffic map can be associated with feature maps that operate only on request data. A policy map that contains the class-default-request traffic map cannot include other traffic maps that contain the request-body matching criteria (or negation of this criteria).
• class-default-response—This traffic map includes all response traffic that does not match any of the user-defined classes. At the end of an HTTP response, if no user-defined classes have matched, the actions and features in the policy map that is associated with the class-default-response traffic map are executed. This traffic map can be associated with feature maps that operate only on response data. A policy map that contains the class-default-response traffic map cannot include other traffic maps that contain the response-body matching criteria (or negation of this criteria).
You cannot edit or delete these default traffic maps. No security features are associated with these traffic maps by default. You must use the Policy Maps command to create a policy that associates features with them.

Policy Maps
A policy map allows you to implement specific web application security functions associated with a traffic class. First you must create a traffic class map and one or more application security feature maps; then you can create a policy map that applies the individual security functions to the traffic class. Here is a summary of the steps required to create a policy map:
1. Create one or more traffic class maps and one or more application security feature maps that you want to apply to the traffic classes.
2. Click the Policy Maps command and use the Add New Map button to name a new policy map.
3. In the policy map summary page, click the Edit button to add a traffic class to the policy map.
4. In the resulting page that lists traffic maps, click the Edit button next to the newly added traffic map to associate individual security feature maps with the traffic map.
The following sections describe the policy map GUI in detail.

Adding a New Policy Map
Use the Policy Maps command to display a page that summarizes the policy maps that are defined, as shown in the Figure below.









Figure 17: Policy Map Summary



Each row in the summary lists one defined policy map. From here you can view, clone, edit, delete, or enable a policy map, or add a new map. To view the definition of a policy map, click its underlined name. The displayed page shows a read-only listing of the definition. The Associated Traffic Maps column lists the traffic class maps that are associated with a policy. If no traffic class maps are yet associated, it reads "No Maps Associated." The Match Criteria column lists the matching policy of the map. To copy a map to use as the basis of a new map, click the Clone button for the map that you want to copy. To edit a policy map and add traffic class maps, click the Edit button for the map that you want to edit. A form similar to that shown in the following Figure is displayed where you can edit the policy map. To delete one or more policy maps, check the box in the Delete column for each map that you want to delete. Click Delete to delete the checked maps.



To enable a policy map (make it active), click the radio button in the Enable column for the map that you want to enable, then click the Enable button at the bottom of the column. You can only enable a policy map that has associated traffic class maps, and you can only enable one policy map at a time. This setting interacts with the policy map selected in the Service Policy screen of the System Utilities: selecting a policy to be active in that screen causes it to be displayed as enabled in this policy map summary screen. To add a new policy map, use the Add Policy area below the summary table. Give the map a name in the Map Name field. Choose when to execute the policy by clicking one of the following radio buttons:
• First Match—Execute the policy only on the first traffic map that matches the traffic
• Match All—Execute the policy on all traffic maps that match the traffic



Then click Add New Policy Map to add the map to the summary. The new map is not yet configured; to configure it, click the Edit button for the map.

When you choose First Match for the type of traffic map matching, it is important to understand the order in which AVS matches traffic maps. Traffic matching is driven by the order in which the traffic data arrives, which is: HTTP method, HTTP version, host, URL, cookie name, and cookie value. There can be multiple cookies and they can arrive in any order, so the value of one cookie could cause a match before the name of another cookie. Say that you have a traffic map, url-class, that matches on a specific URL, and another traffic map, cookie-class, that matches on a cookie name. In an incoming request, the URL arrives before any cookies, so if the URL matches url-class, this causes a First Match policy to fire (if it uses this traffic map). The cookie-class might also match this request, but it is not invoked because url-class already triggered its policy. The order in which traffic maps are listed in the traffic maps list (see Figure below) is irrelevant and does not signify the order in which traffic maps are evaluated for a match.

Adding a Traffic Map to a Policy Map
To define a policy map and add traffic class maps, in the map summary table click the Edit button for the map that you want to edit. A form similar to that shown in the following Figure is displayed where you can edit the policy map.



Figure 18: Edit New Policy Map
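The matching rules described in this section (the Table 9 criteria with their Parameter1/Parameter2 values and Negate check box, the Match Any/Match All choice, the arrival-order behaviour of a First Match policy, and the rule that a map with response criteria cannot drive a feature that operates on request data), modelled in Python as an added example. This is not AVS code: the Request class, the sample maps and traffic, the treatment of Parameter1/Parameter2 as full-match regular expressions, and the arrival position given to criteria the text does not order are all assumptions of this example.

```python
"""Traffic class map and policy map matching, modelled on the semantics
described in the handbook. Added example, not AVS code; the Request
class, sample traffic, full-match regex treatment and the arrival
position of criteria the text does not order are assumptions."""
import re
from dataclasses import dataclass, field

# Arrival order stated in the text: method, version, host, URL, cookie
# name, cookie value. The remaining request criteria are assumed (for this
# example) to arrive after those; only a subset of Table 9 is modelled.
ARRIVAL_ORDER = ["method", "request-version", "host", "url", "cookie-name",
                 "cookie-value", "cookie-name-value", "user-agent", "referer",
                 "request-header-name", "request-header-value", "param-name",
                 "param-value", "param-name-value", "request-body"]


@dataclass
class Request:                       # constructed request model
    method: str
    version: str
    host: str
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Criterion:
    kind: str             # Type column: "Request" or "Response"
    match: str            # a Match Criteria name from Table 9
    param1: str           # Parameter1, a regular expression
    param2: str = ""      # Parameter2, used only by *-name-value criteria
    negate: bool = False  # the Negate check box


@dataclass
class TrafficMap:
    name: str
    match_all: bool       # True: Match All Criteria; False: Match Any Criteria
    criteria: list


def criterion_matches(req: Request, c: Criterion) -> bool:
    """Apply one request criterion line to a request, honouring Negate."""
    if c.kind != "Request":
        raise ValueError("response criteria are evaluated on the response")
    if c.match.startswith("cookie-"):
        items = list(req.cookies.items())
    elif c.match.startswith("param-"):
        items = list(req.params.items())
    elif c.match.startswith("request-header-"):
        items = list(req.headers.items())
    else:
        single = {"method": req.method, "request-version": req.version,
                  "host": req.host, "url": req.url, "request-body": req.body,
                  "user-agent": req.headers.get("User-Agent", ""),
                  "referer": req.headers.get("Referer", "")}
        items = [("", single[c.match])]
    if c.match.endswith("-name-value"):   # Parameter1 on name, Parameter2 on value
        hit = any(re.fullmatch(c.param1, n) and re.fullmatch(c.param2, v)
                  for n, v in items)
    elif c.match.endswith("-name"):
        hit = any(re.fullmatch(c.param1, n) for n, _ in items)
    else:
        hit = any(re.fullmatch(c.param1, v) for _, v in items)
    return hit != c.negate


def match_position(req: Request, tmap: TrafficMap):
    """Arrival-order index at which the map is decided as matched, or None.
    Match Any is decided by its earliest satisfied criterion; Match All
    only once its last criterion has arrived."""
    hits = [ARRIVAL_ORDER.index(c.match) for c in tmap.criteria
            if criterion_matches(req, c)]
    if tmap.match_all:
        return max(hits) if len(hits) == len(tmap.criteria) else None
    return min(hits) if hits else None


def evaluate_policy(req: Request, traffic_maps: list, first_match: bool) -> list:
    """Names of the traffic maps whose features execute for this request.
    Listing order is irrelevant: maps fire in the order their data arrives.
    class-default-request applies when no user-defined map matched."""
    fired = []
    for tmap in traffic_maps:
        pos = match_position(req, tmap)
        if pos is not None:
            fired.append((pos, tmap.name))
    fired.sort()
    if not fired:
        return ["class-default-request"]
    return [fired[0][1]] if first_match else [name for _, name in fired]


def association_is_valid(tmap: TrafficMap, feature_operates_on: set) -> bool:
    """A map with any Response criterion cannot be tied to a feature map that
    operates on request data (Request Limits, or a Cookie Protection map with
    request-cookie operations); response-only feature maps are allowed."""
    has_response = any(c.kind == "Response" for c in tmap.criteria)
    return not (has_response and "request" in feature_operates_on)


# Constructed sample maps and traffic (not taken from the handbook).
url_class = TrafficMap("url-class", False,
                       [Criterion("Request", "url", r"/admin/.*")])
cookie_class = TrafficMap("cookie-class", False,
                          [Criterion("Request", "cookie-name", r"session")])
not_cisco = TrafficMap("not-cisco", True,   # the Negate example from the text
                       [Criterion("Request", "host", r"www\.cisco\.com", negate=True)])
ctype_class = TrafficMap("ctype-class", False,
                         [Criterion("Response", "content-type", r"text/html.*")])
admin_req = Request("GET", "HTTP/1.1", "www.cisco.com", "/admin/users",
                    cookies={"session": "abc123"})

if __name__ == "__main__":
    # cookie-class is listed first, but the URL arrives before any cookie,
    # so a First Match policy fires only url-class.
    print(evaluate_policy(admin_req, [cookie_class, url_class], first_match=True))
    print(evaluate_policy(admin_req, [cookie_class, url_class, not_cisco], first_match=False))
    print(association_is_valid(ctype_class, {"request"}))
```

Running the block prints `['url-class']`, then `['url-class', 'cookie-class']` for the Match All policy, then `False` for the invalid association of a content-type map with a request-side feature. The Negate example from the text behaves as described: the same host criterion that would exclude www.cisco.com fires for any other host.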



When you first edit a new policy map, there are no traffic maps included in it. To begin defining a policy, choose a traffic map from the Traffic Map Name drop-down list. Then click the Add check box to put a check in it and click the Update List button to add the traffic map to the policy. For details on the predefined default traffic maps, see Default Traffic Maps above. After the update, the screen looks like that shown in the following figure.









Figure 19: Traffic Map Added to Policy Map



The newly added traffic map is shown in the first row under the Traffic Map Name heading. Each row summarizes one traffic map that is part of this policy definition. The last row allows you to add a new traffic map by selecting its name from the drop-down list of traffic maps, clicking the Add check box, and clicking the Update List button.



To view the policy for a traffic map, click its underlined name. The displayed page shows a read-only listing of the policy definition.



Using the controls in the summary row for a traffic map, you can view the policy for the map, delete it, or edit it.



To edit the policy for a traffic map, click the Edit button.



To delete one or more traffic maps from this policy definition, check the box in the Delete column for each map that you want to delete. Click Update List to delete the checked maps.



Figure 20: Associating Features with a Traffic Class



When you are finished adding or editing traffic map policies, click Apply Changes to save your changes, or click Discard Changes to return to the summary page without saving your changes.






Associating Security Feature Maps with a Traffic Map
To edit the policy for a traffic map, click the Edit button in the summary. A form similar to that shown in the Figure above is displayed where you can edit the policy definition by choosing which security feature maps to apply to the traffic class. On this screen, you choose which security features to apply to the traffic map shown in the Traffic Map Name field. You can choose a general response action and/or apply one or more feature maps to the traffic. To apply a general response action, choose one of the following actions from the Response Action drop-down list:
• None—Take no action
• Reset client—Reset the client side of the connection
• Drop—Drop the connection silently
• Reset server client—Reset both the server and client sides of the connection
• Reset server—Reset the server side of the connection
• Error Page—Send an error page. Choose the error page to send from the next drop-down list to the right. You define such error pages by using the send page feature.
Click the Log check box to log the event. To apply a feature map to the traffic, choose a feature from the Feature drop-down list and then, from the Map Name drop-down list, choose one of the feature maps that you have defined for that feature. Then click the Update List button to return to the screen shown in the Figure above. You can add multiple feature maps to be applied to this traffic map by editing the traffic map again and following the same procedure.

Traffic maps that contain response criteria cannot be used to trigger a feature that operates on a request. For example, if you have a traffic map that uses the content-type criterion (a response criterion), this traffic map cannot be used in a policy where it is associated with a request limits feature map. Many features can apply to both requests and responses. If such a feature operates only on response data and not on request data, then it can be associated with a traffic map that contains response criteria. For example, if you have a traffic map that uses the set-cookie-name criterion (a response criterion), this traffic map can be used in a policy where it is associated with a cookie protection map, as long as the cookie protection map operates only on response cookies. If the cookie protection map includes any request cookie operations, then the policy is invalid and will not be allowed. The default traffic map class-default-request can be associated with feature maps that operate only on request data. A policy map that contains the class-default-request traffic map cannot include other traffic maps that contain the request-body matching criteria. The default traffic map class-default-response can be associated with feature maps that operate only on response data. A policy map that contains the class-default-response traffic map cannot include other traffic maps that contain the response-body matching criteria. To delete an associated feature map, check the Delete check box for the map and click Update List. If you would rather cancel the changes that you made on this form, click the Discard Changes button. The following features are available in the Feature drop-down list:










• Cookie Protection—Protects against cookie tampering by using hashed cookies and provides cookie privacy by encrypting cookies
• HTTP Protocol conformance-Control HTTP Method—Filters traffic based on the HTTP method
• HTTP Protocol conformance-Generic Pattern Matcher—Filters traffic based on any user-definable criteria
• HTTP Protocol conformance-Header Integrity Check—Checks headers for integrity
• HTTP Protocol conformance-IM Controls—Filters instant messenger traffic
• HTTP Protocol conformance-MIME Type Controls—Validates that the content's MIME type matches the MIME type specified in the HTTP Content-Type header. This feature operates only on responses.
• HTTP Protocol conformance-P2P Controls—Filters peer-to-peer file sharing traffic
• HTTP Protocol conformance-Transfer Encoding—Filters traffic based on the HTTP Transfer-Encoding header
• HTTP Protocol conformance-Tunnelling Policies—Filters traffic that is tunneled over HTTP, such as ShoutCast, GoToMyPC and the like
• HTTP Protocol conformance-URL Black Listing—Blocks access to specific URLs
• ID Theft Protection—Guards against the unsolicited disclosure of social security and credit card numbers in HTTP responses to clients. This feature operates only on responses.
• IV-Cross Site Scripting—Validates that input does not contain a cross site scripting attack
• IV-Format String Attacks—Validates that input does not contain disallowed format strings
• IV-LDAP Injection—Validates that input does not contain disallowed LDAP strings
• IV-Meta Character Detection—Validates that input does not contain disallowed meta characters
• IV-OS Command Injection—Validates that input does not contain disallowed command strings
• IV-SQL Injection—Validates that input does not contain disallowed SQL command strings
• Request Limits—Enforces boundary length checking on all inputs received from the client
• URL Normalization—Secures web applications from attacks that use the URL in HTTP requests, such as directory traversal
• URL Tagging—Adds information to request URLs that can be used by other downstream devices such as load balancers or application servers
• Web Cloaking—Hides identifying information about the web server and application

The IV (input validation) and ID theft features are pattern based: they match data against the regular expression sets defined under Pattern Definitions, so their coverage is only as good as the expressions included in those sets.

Pattern Definitions
Pattern definitions define regular expression sets for matching strings used by other web security features. For example, the identity theft protection feature uses regular expressions that match social security numbers and credit card numbers. Use the Pattern Definitions command to display a page that summarizes the pattern maps that are defined and to view, delete, clone, edit or add new maps.






When you click the button to add a new map, AVS displays the screen shown in the Figure below.



Figure 21: Add Pattern Definition



Give the new regular expression set a name in the Pattern Definition Name field. In the Type drop-down list, select the type of regular expression set that you are defining, from the following choices:
• Social Security Number—Regular expressions that describe social security numbers
• Credit Card—Regular expressions that describe credit card numbers
• Custom—Custom regular expression
• Cross Site Scripting—Regular expressions that describe cross site scripting strings
• SQL Injection—Regular expressions that describe SQL command strings
• Command Injection—Regular expressions that describe command strings
• LDAP Injection—Regular expressions that describe LDAP strings
• Meta Character Detection—Regular expressions that describe meta characters
• Format String Attacks—Regular expressions that describe format strings
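A pattern definition set of the kind the ID Theft Protection feature consumes, as an added example of how such regular expression sets are applied to a response body. This is not AVS code and not its built-in Standard Regular Expressions: the SSN and card expressions, the Luhn check that weeds out digit runs which merely look like card numbers, the scan function, and the sample response body are constructions of this example, and the Size field is modelled as the number of leading body characters in which a Custom expression is searched.

```python
"""Pattern definition sets for ID theft protection, as an added example.
Not AVS code: the expressions, the Luhn filter, scan_response and the
sample body are constructions of this example; Size is modelled as the
number of leading body characters a Custom expression is searched in."""
import re
from dataclasses import dataclass


@dataclass
class PatternDefinition:
    name: str
    kind: str            # Social Security Number, Credit Card, Custom, ...
    expressions: list    # the Included Regular Expressions list
    size: int = 0        # Size: Custom expressions only, must be greater than 0


# Standard-style expressions (assumed here; AVS ships its own list).
# SSN: 3-2-4 digits, optional separators, never-issued area numbers excluded.
SSN_RE = r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"
# Card number: 13 to 19 digits, optionally grouped by spaces or dashes.
CARD_RE = r"\b(?:\d[ -]?){12,18}\d\b"


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_response(body: str, definitions: list) -> list:
    """Return (definition name, matched text) for every hit in a response body."""
    hits = []
    for pd in definitions:
        if pd.kind == "Custom":
            if pd.size <= 0:
                raise ValueError(f"{pd.name}: Size must be greater than 0")
            window = body[:pd.size]       # Size caps how far the custom expression is searched
        else:
            window = body
        for expr in pd.expressions:
            for m in re.finditer(expr, window):
                text = m.group(0)
                if pd.kind == "Credit Card" and not luhn_ok(text):
                    continue              # looks like a card number but is not one
                hits.append((pd.name, text))
    return hits


DEFINITIONS = [
    PatternDefinition("ssn", "Social Security Number", [SSN_RE]),
    PatternDefinition("cards", "Credit Card", [CARD_RE]),
    PatternDefinition("emp-ids", "Custom", [r"EMP-\d{6}"], size=40),
]

# Constructed response body: 4111... passes Luhn, 4000...0001 does not,
# and the second EMP id lies beyond the 40-character Size window.
SAMPLE_BODY = ("Ref EMP-000111 for customer SSN 123-45-6789. "
               "Card on file 4111 1111 1111 1111, declined card 4000-0000-0000-0001. "
               "Escalate to EMP-777888.")

if __name__ == "__main__":
    for name, text in scan_response(SAMPLE_BODY, DEFINITIONS):
        print(f"{name}: {text}")
```

Run as a script, the block reports the SSN, the one Luhn-valid card number and the EMP id that falls inside the Size window; the declined card number is suppressed by the checksum and the second EMP id is never searched. Widening Size to cover the whole body finds both EMP ids, and a Custom definition with Size 0 is rejected, as the GUI rejects it.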



Select one or more regular expressions that you want to use from the Standard Regular Expressions list and add them to the Included Regular Expressions list on the right side of the page by clicking the right arrow (-->) button. The list of standard regular expressions changes depending on the type you choose. You can also add a custom regular expression by typing it into the Custom field and clicking the right arrow (-->) button next to that field. For details on the regular expression syntax that is allowed. If you enter a value into the Custom field, you must also enter in the Size field the maximum number of characters to search for this expression in the target data. Size must be greater than 0 for the custom expression to be added to the Included Regular Expressions list. You can remove a regular expression from the Included Regular Expressions list by selecting it and clicking the left arrow (