It should also be noted that a number of technical conferences are featuring security tracks so it may be possible to find a conference in your area of interest that will also teach abou
Trang 1APPENDIX C
Resources to Learn More About Security
361
Copyright 2001 The McGraw-Hill Companies, Inc Click Here for Terms of Use
Trang 2People constantly ask about places to learn more about security Unfortunately,
there are very few places that have intensive programs The following is a list of organizations that sponsor security-related conferences This is far from an ex-haustive list but it will provide a pointer to the majority of the large security confer-ences It should also be noted that a number of technical conferences are featuring security tracks so it may be possible to find a conference in your area of interest that will also teach about security
▼ Computer Security Institute (http://www.gocsi.com) CSI runs the annual
Computer Security Conference and Exhibition as well as the NetSec conference Other seminars are held throughout the year
■ SANS Institute (http://www.sans.org) SANS runs approximately four major
and nine regional conferences each year They also have online training programs and e-mail newsletters
■ MIS Training Institute (http://www.misti.com) MIS runs a number of
conferences each year including INFOSEC and WebSEC They also hold
a number of smaller conferences targeted at specific industries, such as HealthSec, as well a smaller symposia and seminars
■ USENIX (http://www.usenix.org) USENIX runs a number of technical
conferences every year Most of them have security tracks within the larger conference USENIX also holds an annual Security Symposium
■ Forum of Incident Response and Security Teams (http://www.first.org)
FIRST holds an annual conference specially regarding incident response issues
■ IEEE Computer Society Technical Committee on Security and Privacy
(http://www.ieee-security.org) The IEEE holds an annual Symposium on Security and Privacy as well as a workshop on Computer Security Foundations
■ Recent Advances in Intrusion Detection (http://www.raid-symposium.org)
RAID holds annual conferences regarding intrusion detection These conferences are focused internationally
■ International Federation for Information Processing
(http://www.ifip.tu-graz.ac.at/TC11/) The IFIP runs an annual conference in information security The IFIP is focused internationally as well
■ Internet Society (http://www.isoc.org) The Internet Society runs an annual
conference on Internet security called the Network and Distributed System Security Symposium
▲ Annual Computer Security Applications Conference
(http://www.acsac.org) The ACSAC is an annual conference that focuses on the application of security to real-world environments
362 Network Security: A Beginner’s Guide
Trang 3APPENDIX D
Incident Response Procedure Testing
Scenarios
363
Copyright 2001 The McGraw-Hill Companies, Inc Click Here for Terms of Use
Trang 4In many sections of this book we have talked about testing plans and procedures
No-where is this more important than with the Incident Response Procedure Unfortu-nately, it is sometimes difficult to come up with testing scenarios The following scenarios are provided to be used as is or modified to suit your environment Some work well as dry runs with the team sitting around a conference table Others will work better
as live, unannounced tests Recommendations are made for how each may be used and you are free to use or to change them as you see fit for your organization
For each of the scenarios, I will provide a brief description of the event for the person running the test The “Initial Indications” section is what can be told to the incident re-sponse team “What Really Happened” provides you (the person running the test) with all of the information that you will need to give appropriate answers to team member questions In the “What the Team Will Find” section, I attempt to anticipate what the team might do to learn what is going on Provide this information to the team as they be-gin to respond to the incident In “Scenario Closeout,” I will give you a recommended end point for each scenario and key points to make to the team with regard to the scenario
SCENARIO 1—WEB PAGE HACK
Scenario 1 is the all too familiar situation of a Web site being defaced The Web server is running on Windows NT 4.0 under IIS The Web server is behind a firewall, and the firewall policy blocks all traffic to the Web server but port 80
Initial Indications
The organization is alerted to the fact that the site has been hacked by a customer who goes to the Web page over a weekend He calls the organization and tells them about it The new Web page is written in Portuguese and seems to claim the Web site has poor security
What Really Happened
Someone left Microsoft FrontPage Extensions on the system and allowed external access
to author.dll The evidence of this hack is all in the IIS log files Only the Web site files were modified The attacker could not get to any other files on the Web server
What the Team Will Find
If the firewall logs are examined, they will show normal Web traffic to the site and no other scans or dropped packets
If the organization has an intrusion detection system, it will not show any alarms
No unusual processes are running on the Web server, and the Web server event logs show no failed login attempts or unusual log messages
If the Web server logs are examined, they will show that the attacker requested the URL for author.dll Further examination of the Web server will show no other exploitable vulnerabilities, but it will show that FrontPage Extensions were left turned on
364 Network Security: A Beginner’s Guide
Trang 5Scenario Closeout
End the scenario after the team checks the Web server logs The key point in this scenario
is to check all of the available logs, not just the firewall and event logs If you allow your
organization to have an IDS in place, they will complain that the IDS should have seen the
attack The answer to this is “not necessarily,” as the URL for author.dll is not an attack
per se and thus may not be captured by many IDS detectors
Variations
Variations can make this scenario more realistic Below you can find two such variations:
Variation A adds a public relations twist while Variation Badds the possibility that
sensi-tive customer information may have been obtained by the intruder
Variation A
For an added twist if you wish to exercise your Public Relations department, the
cus-tomer called not only your organization but also the local TV station The story makes the
evening news and the TV station is calling for an interview The reporter will know that
the site was hacked and will attempt to rush information out of the organization in time
for the reporter’s deadline (say, in 30 minutes) You can use real time for this part to make
it more realistic Talk with your Public Relations department about how the reporter
should have been handled or what information should have been provided
Variation B
In addition to modifying the Web site, the logs indicate that sensitive information that
was located on the Web server was uploaded by the attacker (as part of the FrontPage
capture of the Web site) No information is available as to what the attacker may have
done with the information The information contains customer information
Recommended Use
Scenario 1 is recommended for use with the team together in a conference room talking
through the issues Provide the initial indications to them and set the stage for the event
Make sure to specify the time and day of the week of the attack (making it a weekend can
add some interest) As the team tells you what actions they take, give them the results of
these actions
SCENARIO 2—UNEXPLAINED HIGH TRAFFIC VOLUME
In this scenario, a warez site (someplace hackers place illegal copies of software) is
estab-lished on your Web server This type of situation may go unnoticed for quite some time
until the high traffic volume on the site causes problems with legitimate traffic
Trang 6366 Network Security: A Beginner’s Guide
Initial Indications
The organization’s Help Desk is getting calls about slow response from the Internet At about the same time, system administrators notice that the Web/FTP server is showing high disk utilization and little free space No alarms have been set off that might indicate the system has been hacked or that the organization might be under some type of denial-of-service attack
What Really Happened
Someone made a mistake on the FTP server configuration This mistake left a writable directory where anonymous FTP users can access it Someone noticed and placed a large amount of illegal copies of software on the system in a hidden directory The sys-tem is now being accessed from around the world and copies of the software are being downloaded
What the Team Will Find
Firewall logs show no attacks or unusual amounts of dropped traffic If complete logging
is enabled on the firewall, it will show a large amount of FTP traffic to the FTP server The logs on the FTP server are showing a lot of requests for files All requests are for files in the ~ftproot/… directory (note that there is a space after the third dot)
If a directory listing is performed before the log file is checked, make sure the admin-istrator requests an ls –a listing to show the file If the adminadmin-istrator tries to look into the file, he must make sure he changes to the correct directory (three dots and a space) Inside the directory, the administrators will find approximately five gigabytes of soft-ware including illegal copies of Windows softsoft-ware
The permissions on the FTP directory structure are wrong as they allow an anony-mous user to write files to the system
Scenario Closeout
Once the directory has been found, allow the scenario to end after the administrators look for how this came about Make sure they perform an ls –l on the directory to show the permissions
Recommended Use
Scenario 2 is recommended for use with the team together in a conference room talking through the issues Provide the initial indications to them and set the stage for the event
As the team tells you what actions they take, give them the results of these actions
SCENARIO 3—FILES MODIFIED BY UNKNOWN PERSON
This scenario can be kicked off by a file integrity checker or by an administrator noticing that files have been changed when they should not have been The issue here is that the change was caused by an employee not following proper procedure, not a hacker