ITEC854 Security Management

Week 10 – Incidents, Response and Hardening


“If the Devil exists, he is saying ‘don’t make waves’”
Dr M. Scott Peck
Outline

Incident management and response

Operating systems hardening

How and where does this fit in your ISMS?


Concepts

“The Integrity and Availability of enabling infrastructure elements will depend largely not on how well they are funded and implemented but rather on how well they are secured and protected.”

“Using encryption on the Internet is the equivalent of arranging an armoured car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.” — Gene Spafford
Stages of incident response

Discovery & Report → Incident Confirmation → Investigation/Containment → Eradication/Recovery → Lessons Learned
Roles

Security Watch Team

This is the team that first responds to Incident Response triggers such as an Intrusion Detection System alert. They initially evaluate the validity of the alert and notify the Response Team Manager as required.
Roles…

Response Team Manager

This is the Information Security Officer (ISO) or his/her designate. The Response Team Manager receives notification from the Security Watch Team. A triage function is then performed to ascertain the validity of the event and prioritise response resources.
Roles…

Response Team

The response team consists of subject matter experts in host operating systems, network applications, and network devices. This is the team that actually generates a response as directed by the Response Team Manager. This team will have full authority to decommission miscreant or rogue servers and disable network connections.
Roles…

Forensic Team

The Forensic Team is tasked with event reconstruction. Their skill will be used to determine intrusion methodologies, and in some cases, forensic expertise may be required in legal proceedings.
Roles…

Public Relations

A media mouthpiece may be required in the event that the security incident becomes a public matter. The Incident Response Team needs a point of contact to deal with adverse publicity. This person should be prepared to serve as a media focal point, and scripted prepared statements would be appropriate.
Roles…

Internal Communications

Internal employee communications should also be considered when responding to a security event. It is important to provide employees guidance as to how to communicate to vendors, customers, and other internal stakeholders who interact with employees on a daily basis.
Roles…

Legal

A legal liaison is required for guidance on matters such as rules of evidence, chain of custody, and liability.
Roles…

Law Enforcement

Contacts with cyber crime oriented law enforcement personnel can be valuable if an event escalates to a level within the scope of the local judicial system.
Roles…

Partner Incident Response teams

Cooperation with partner Incident Response Teams is beneficial to all parties. Security events are seldom singular, but typically affect and involve multiple parties. Relationships with upstream provider teams, customer teams, and AUSCERT should be maintained.

In addition to the roles identified above, other people/organisations may be involved in incident discovery and reporting, but are not directly involved in the incident handling process.
Security Incident Categories

Category 1
Category 1 incidents include events which cannot definitively be identified as attacks and have no effect on system operations, such as:
• Isolated and non-repeated scans or pings from an external uncontrolled network; and
• Malicious code detected and removed prior to being placed on an operational network.
Security Incident Categories…

Category 2
Category 2 incidents also have no effect on system operations, and comprise identified but unsuccessful attempts to actively breach an information system security policy. Such events include:
• Multiple repetitions of category 1 incidents;
• Repeated active probes or port mapping from an external uncontrolled network;
• Attempt to gain unauthorised access to resources, either from within or from an outside network;
• Abuse of privileges or password confidentiality by employee (not extending to superuser or root or administration privileges); and
• Malicious code found on a single system, which has been successfully contained or removed.
Security Incident Categories…

Category 3
Category 3 incidents include any successful attempt to actively breach an information system security policy on a single system, and may result in a minor or moderate effect on system operations. These could include:
• Unauthorised access acquired by one or more unauthorised people to any account, at any access level;
• Abuse of privileges or password confidentiality by an employee, extending to super user, root or administration privileges;
• Malicious code found on more than one system, or an inability to contain and remove the code from a single system;
• A prank, hoax or Web page attack launched from an external uncontrolled network;
• A successful attack against system services, for example, NIS, DNS, NFS, email, WWW, etc, including denial of service attacks;
• A prank or hoax perpetrated from an external uncontrolled network;
• Unauthorised access to a firewall;
• Unauthorised modification to system files and system access controls;
• Unauthorised modification to system hardware or software without the owner's knowledge or permission; and
• Security compromises and disclosures arising from accidental or deliberate breaches of security policy.
Security Incident Categories…

Category 4
Category 4 incidents include any situation in excess of the examples given above,
particularly where high-level intervention or crisis management is required. Such
incidents will usually have a major effect on system operations.
User incident handling

[Flowchart: User Incident Handling. Decision nodes: Is web site accessible from Internet? Is web content the same? Is virus problem? Web site abnormal? Outcomes: Core Team Incident Handling; AA Incident Handling; SA Incident Handling; Other Customer Support; End.]
Application incident handling

[Flowchart: AA Incident Handling. Decision nodes: Is web content changed? Approved changes? Is appl down? Is server down? Scheduled appl down time? Is appl abnormal? Is appl error? Unauth access? Unauth Change? Actions and outcomes: Backup if possible; Appl Trouble Shooting; Appl fix problem; Core Team Incident Handling; SA Incident Handling; Other Appl Support; End.]
System incident handling

[Flowchart: SA Incident Handling. Decision nodes: Tripwire detection? Approved changes? Is virus problem? Unauth. access? Is web server down? Is scheduled down time? Problem Resolved? Is web site accessible from Internet? Is web server abnormal? Determine Cause? Security Incident? Is fw/router down? Actions and outcomes: Reboot sys; Reboot in single user mode; Trouble Shooting; Forensic Backup; Doc/Fix problem, if possible; Report to FA; Core Team Incident Handling; Other SA Support; End.]
Incident investigation

[Flowchart: Core Team Incident Handling]
• Full Backup Done? If not: Forensic backup needed? → Forensic Backup
• Denial of Service Attack? → DoS Attack Investigation
• Virus? → Virus Investigation
• Unauthorized Access? → Unauth. Access Investigation
• Unauthorized Modification? → Unauth. Mod. Investigation
• Network Probing? → Probing Investigation
• Handle incident
• Record incident
• Define process
End
DoS attack

[Flowchart: DoS Attack Investigation]
• Identify Source? → Traffic Filterable? → Firewall Filter Traffic
• Contact Src Org? → Contact src authority
• Is server down? → Reboot server
• Unplug from network? → Shut down network connection; Escalate issue
• Notify PR? → Notify PR
• Attack continue? If not: Bring up network connection
• Record Incident
Investigation End
Hostile code

[Flowchart: Virus Investigation]
• Web Server Infected? → Server Accessible on Internet? → Disconnect server from network
• Distribute file w/ virus? If yes: Disable file download; Check all files; Clean infected files; Full backup clean sys. If no: Id & clean up file(s); Full backup clean sys; Id virus source; Id possible date
• Found virus source? → Authorized Source? If not: Unauth. Mod. Investigation; otherwise: Clean up source
• Notify PR/Legal? → Notify PR/Legal
• Put Web site back online?
• Notify User? → Notify users
• Record Incident
Investigation End
Unauthorised access

[Flowchart: Unauthorised Access Investigation]
• ID all live connections: Record all live connections; Disconnect server from network; Escalate issues
• Monitor unknown connections & record activities
• ID up/down stream? → Contact up/down stream? → Contact up/down stream sys owners
• Notify Authority? → Contact Authority
• Disconnect Network Immediately? / Suspicious Connection? → Monitor/Record Unknown Connections
• Incident Recovery
Investigation End
Unauthorised modification

[Flowchart: Unauth. Mod. Investigation]
• Web Page Changed? / Appl File Changed? / Sys File Changed?
• Take off-line?
• Id all live connections: Record all live connections; Disconnect server from network; Escalate
• Monitor unknown connections & record activities
• Id up/down stream? → Notify up/down stream? → Contact up/down stream sys owners
• Notify PR? → Notify PR
• Notify Authority? → Contact Authority
• Imm. Disconn Network? / Suspicious Conn? → Monitor/Record Unknown Conn.
• Incident Recovery
Investigation End
Network probing

[Flowchart: Probing Investigation]
• Same Source? → Recognize Source? → Authorized Source?
• Any Successful Entry? → Unauthorized Access
• Over Same Time Period? → Potential Coordinated Attack
• Contact Source? → Contact the source org.
• Block Source? → Firewall block source
• Record Incident
Investigation End
Recovery

[Flowchart: Recovery]
Recovery Start
• Prosecution Needed? If yes: Prepare Data; Contact Authority; Legal Procedure
• Recover System: Conduct Security Risk Assessment; Run Virus Scan
• Problem Found? → Fix Problem? If yes: Fix Problem; if no: Accept Risk?
• Make full backup
• Place system back in production
• Web site back online
• ID/Discard bad backup tapes
Recovery End
Definition of hardening

Creation of a protection model to make the operating environment more secure

Generally, the following areas within the operating system are changed by this procedure:
• System services
• Protocols, specifically IP and the ports associated with it
• File permissions and ACLs
• Verification and authorisation processing
• Geographical access restrictions
Definition of hardening…

Key protection is provided by the following steps:

Removing unwanted services
• This minimises the memory footprint for the server
• It also ensures that only the services required for the specific server functions are available – this reduces the likelihood of a service being active on an IP port
• It also reduces the possibility of a Trojan “piggybacking” on a common service
Restricting protocols and ports
• By limiting the protocols to IP only, removing NetBIOS (if Windows) and restricting IP protocols to TCP and ICMP, the server protects its communications channels
• Further restricting IP ports to specific named ports only reduces the ability to find an open port to gain access
Definition of hardening…

Changing file permissions and ACLs
• Removing access to file and directory structures for anyone other than Administrator or the Operating System reduces the opportunity for a rogue process to access files
• Logging every action taken by the Administrator provides a formal record of what they have done.
Changing the authentication model
• Changing all authentication to secured only reduces the ability for unauthorised servers (such as “new” servers or unknown workstations) to initiate privileged communication
Geographic authentication
• Removing remote and network access from the server means that if you are not in front of it, you can’t access it, even if you have the Administrator password
Definition of hardening…

In combination, these measures mean that well-written applications can run as a system process and function normally.

The only time that an Administration function can be performed is when someone is physically in front of the server, or using a secured remote administration tool.
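An added audit script for the first two hardening steps above (removing unwanted services and restricting IP ports to named ports); it is written for these notes and is not part of the lecture material. The `ss`/`systemctl` samples and both allowlists are constructed, and the hypothetical allowlists describe a web server that may only expose SSH, HTTP and HTTPS.

```sh
#!/bin/sh
# Hardening audit: compare what a host listens on and has enabled against an
# explicit allowlist, so anything outside the server's named function stands out.
# All samples below are constructed, not captured from a real host.

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'

# Constructed sample of enabled unit names (first column of
# `systemctl list-unit-files --state=enabled --no-legend`).
SAMPLE_SERVICES='sshd.service
nginx.service
smbd.service
cups.service'

# Hypothetical allowlists for a hardened web server: named ports and named services only.
ALLOWED_PORTS="22 80 443"
ALLOWED_SERVICES="sshd.service nginx.service"

# unexpected_listeners LISTENERS ALLOWED_PORTS
# Prints each port listening on a non-loopback address that is not in the allowlist.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # strip the "addr:" prefix
      host = $4; sub(/:[0-9]+$/, "", host)   # strip the ":port" suffix
      if (host == "127.0.0.1" || host == "[::1]") next   # loopback-only is acceptable
      if (!(port in ok)) print port
    }'
}

# unwanted_services UNIT_LIST ALLOWED_SERVICES
# Prints each enabled unit that is not in the allowlist (candidates for removal).
unwanted_services() {
  printf '%s\n' "$1" | awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF && !($1 in ok) { print $1 }'
}

# Stand-alone run on the constructed samples. On a real host, feed the functions
# "$(ss -Hltn)" and the first column of `systemctl list-unit-files --state=enabled --no-legend`.
echo "Listening ports outside the allowlist:"; unexpected_listeners "$SAMPLE_LISTENERS" "$ALLOWED_PORTS"
echo "Enabled services outside the allowlist:"; unwanted_services "$SAMPLE_SERVICES" "$ALLOWED_SERVICES"
```

On the samples the script flags port 139 (NetBIOS session service, which the slides say to remove on Windows hosts) and the smbd and cups units; the loopback-only mail listener on port 25 is deliberately not reported.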
Hardening process

[Flowchart: Hardening Process]
Unknown environment → Install known components → Scan → Harden → Known, secure environment → Install known applications → Scan → Remediation (if necessary)
The scope of this process

[Diagram: ISMS layers and their elements]

POLICY
• IT Risk Framework & Policy; Privacy Policy; Information Security Policy; Social Media Policy

Security Services
• Asset Management: Asset Management & Inventory; Records Information Management; Information Classification, Labelling & Handling; Software License Management
• Centralised Vulnerability Management
• Network Security Management: Intrusion Detection/Prevention; DOS protection; Firewall Management; Content Filtering (Internet & Email Code of Use)
• Endpoint Security Management: Malware Protection (inc AV); Secure Administration; Logging Management; Data Loss Prevention; Patch & Configuration Management; Security Configuration Management (applies to all platforms)
• Cryptography & Key Management; Certificate Management
• Access Control & Authentication; Identity Management
• Security Management Governance; Operations (not security specific)

STANDARDS (Technical Security)
• Acceptable Use of Technology; IT Change Management; Access Control & Authentication; Security Testing; Business Partner Security Requirements; Capacity Management; Security Incident Management; Password Standard; ISMF; Configuration Management; Strong Authentication; Monitoring & Event Management; Risk Management; Data Security; Contract Provisions; Incident Management (Security); Application Security; Physical & Environmental Security; Service Delivery Management; Compliance Framework; Secure Coding & Development; Physical Security; Outsource Security; Use of Production Data in DEV/TEST; Security Roles & Responsibilities; Service Continuity; Messaging Security; Disaster Recovery
• Human Resources: Employment; Recruitment; Code of Conduct; Disciplinary Process; Change of Employment
• Mobility: Mobile Computing & Personal Electronic Devices; Remote Access; Wireless Security

ARCHITECTURE
• Foundational Core: Enterprise Security Architecture Framework; Security Zones of Trust Architecture; Third Party Connectivity; Network Security Standard & Model; Identity & Access Architecture; Wireless Security; Cloud Security; Secure Administration
• Blueprints: Secure File Transfer Blueprint; Internet-facing systems
• Executive Risk Reporting: IT Risk Maps & Reporting (Qrtly); Executive Security Reporting; Security Intelligence Reports (Qrtly); Vulnerability Management Report (monthly); Dashboard (ops & strategy)