
Chapter 13: Advanced Security and Beyond
Security+ Guide to Network Security Fundamentals, Second Edition
Objectives
• Define computer forensics
• Respond to a computer forensics incident
• Harden security through new solutions
• List information security jobs and skills
Security+ Guide to Network Security
Fundamentals, 2e
2
Understanding Computer Forensics
• Computer forensics can attempt to retrieve information—even if it has been altered or erased—that can be used in the pursuit of the criminal
• Interest in computer forensics is heightened by:
  – The high amount of digital evidence
  – Increased scrutiny by the legal profession
  – A higher level of computer skills among criminals
Forensics Opportunities and Challenges
• Computer forensics creates opportunities to uncover evidence that would be impossible to find using a manual process
• One reason computer forensics specialists have this opportunity is the persistence of evidence
  – Electronic documents are more difficult to dispose of than paper documents
Forensics Opportunities and Challenges (continued)
• Ways computer forensics is different from standard investigations:
  – Volume of electronic evidence
  – Distribution of evidence
  – Dynamic content
  – False leads
  – Encrypted evidence
  – Hidden evidence
Responding to a Computer Forensics Incident
• Generally involves four basic steps similar to those of standard forensics:
  – Secure the crime scene
  – Collect the evidence
  – Establish a chain of custody
  – Examine and preserve the evidence
Securing the Crime Scene
• Physical surroundings of the computer should be clearly documented
• Photographs of the area should be taken before anything is touched
• Cables connected to the computer should be labeled to document the computer’s hardware components and how they are connected
• Team takes custody of the entire computer along with the keyboard and any peripherals
Preserving the Data
• Computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves that data to a secure location
• Volatile data includes anything not recorded in a file on the hard drive or in an image backup:
  – Contents of RAM
  – Current network connections
  – Logon sessions
  – Network configurations
  – Open files
Preserving the Data (continued)
• After retrieving volatile data, the team focuses on the hard drive
• Mirror image backup (or bit-stream backup) is an evidence-grade backup because its accuracy meets evidence standards
• Mirror image backups are considered a primary key to uncovering evidence; they create exact replicas of the computer contents at the crime scene
• Mirror image backups must meet the criteria shown on pages 452 and 453 of the text
Establishing the Chain of Custody
• As soon as the team begins its work, it must start and maintain a strict chain of custody
• Chain of custody documents that the evidence was under strict control at all times and that no unauthorized person was given the opportunity to corrupt it
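The two slides above (evidence-grade mirror image, then chain of custody) describe a procedure without showing how its key property, verifiable accuracy, is checked. The following Python script is an added example written for this summary; it is not code from the textbook. It images a source byte for byte, hashes the source before and after imaging and the image itself, records the three digests in a custody log, and later re-hashes the image to prove it was not altered while in custody. The "device" is a constructed file in a temporary directory, the examiner id and file names are invented, and SHA-256 is used as the evidence hash (an assumption; the textbook's criteria on pages 452 and 453 are not reproduced here).

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read and write in 1 MiB blocks so large images never sit in memory


def sha256_of(path):
    """Hash a file in chunks; this digest is what the custody log records."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def bitstream_copy(src, dst):
    """Copy src to dst byte for byte (a mirror image: every byte, including slack and
    unallocated space when src is a raw device). Returns the number of bytes copied."""
    total = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(CHUNK), b""):
            fout.write(block)
            total += len(block)
    return total


def acquire_image(src, dst, examiner, log):
    """Hash the source, image it, re-hash source and image, append a custody record.
    The image counts as evidence-grade only when all three digests agree."""
    source_before = sha256_of(src)
    size = bitstream_copy(src, dst)
    source_after = sha256_of(src)      # proves the imaging did not modify the source
    image_hash = sha256_of(dst)        # proves the image equals the source
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,          # hypothetical examiner id
        "source": os.path.basename(src),
        "image": os.path.basename(dst),
        "bytes": size,
        "sha256_source_before": source_before,
        "sha256_source_after": source_after,
        "sha256_image": image_hash,
        "verified": source_before == source_after == image_hash,
    }
    log.append(record)
    return record


def verify_image(record, image_path):
    """Hand-off check: the image must still hash to what its custody record says."""
    return sha256_of(image_path) == record["sha256_image"]


def demo():
    """Run the procedure on a constructed 1 MiB 'device' file and return
    (custody record, intact before tampering, intact after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        device = os.path.join(d, "suspect-disk.raw")   # constructed source
        image = os.path.join(d, "suspect-disk.img")    # constructed image name
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * 4096)          # constructed content, 1 MiB
        log = []
        record = acquire_image(device, image, "examiner-01", log)
        intact = verify_image(record, image)
        with open(image, "r+b") as f:                  # flip one byte of the image
            f.seek(12345)
            f.write(b"\xff")
        tampered_ok = verify_image(record, image)      # expected to be False now
        return record, intact, tampered_ok


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps(rec, indent=2))
    print("image intact before tampering:", before)
    print("image intact after tampering:", after)
```

Hashing the source a second time after imaging is the step practitioners most often skip; it is the only evidence in the log that the acquisition itself was read-only.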
Examining Data for Evidence
• After a computer forensics expert creates a mirror image of the system, the original system should be secured and the mirror image examined to reveal evidence
• All exposed data should be examined for clues
• Hidden clues can be mined and exposed as well
• Microsoft Windows operating systems use the Windows page file as a “scratch pad” to write data when sufficient RAM is not available
Examining Data for Evidence (continued)
• Slack is another source of hidden data
• Windows computers use two types of slack:
  – RAM slack: pertains only to the last sector of a file
  – File slack (sometimes called drive slack): created if additional sectors are needed to round out the block size for the last cluster assigned to the file; the padding data that Windows uses comes from data stored on the hard drive
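The slack slide is easier to follow with the geometry worked out. The Python below is an added example for this summary, not code from the textbook: it computes how many bytes of RAM slack and file slack a file of a given size leaves in its last cluster, lays out one cluster the way the slide describes (file data, then the tail of the last sector padded from RAM, then untouched sectors still holding earlier disk content), and carves both slack regions back out of the image. The 512-byte sector, 4096-byte cluster, and all sample contents are constructed assumptions.

```python
SECTOR = 512     # bytes per sector (assumption for this constructed image)
CLUSTER = 4096   # 8 sectors per cluster (assumption)


def slack_sizes(file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack, file_slack) in bytes for the last cluster of a file.
    RAM slack is the unused tail of the last sector written; file slack is the
    whole sectors left over in that cluster."""
    used = file_size % cluster
    if used == 0:                       # empty file, or file exactly fills its clusters
        return 0, 0
    ram_slack = (-used) % sector        # bytes from end of data to end of its sector
    file_slack = cluster - used - ram_slack
    return ram_slack, file_slack


def build_cluster_image(file_data, old_disk_bytes, ram_bytes, sector=SECTOR, cluster=CLUSTER):
    """Lay out one cluster as the slide describes. old_disk_bytes stands for whatever
    the sectors held before this file was written; ram_bytes stands for the memory
    contents the OS pads the last sector with."""
    if len(file_data) > cluster:
        raise ValueError("this demo images a single cluster")
    ram_slack, _ = slack_sizes(len(file_data), sector, cluster)
    image = bytearray(old_disk_bytes[:cluster].ljust(cluster, b"\x00"))
    end = len(file_data)
    image[:end] = file_data                                   # the file's own content
    pad = ram_bytes[:ram_slack].ljust(ram_slack, b"\x00")     # RAM slack fill
    image[end:end + ram_slack] = pad
    return bytes(image)                                       # sectors beyond stay as they were


def carve_slack(image, file_size, sector=SECTOR, cluster=CLUSTER):
    """Given the file's clusters and its logical size, return (ram_slack, file_slack)
    byte strings; both lie past the logical end of file and are invisible to the
    ordinary file APIs."""
    ram_slack, file_slack = slack_sizes(file_size, sector, cluster)
    ram = image[file_size:file_size + ram_slack]
    fs = image[file_size + ram_slack:file_size + ram_slack + file_slack]
    return ram, fs


# constructed sample data: old ledger rows on disk, a RAM snapshot, a 1000-byte file
OLD_DISK = (b"DELETED-LEDGER-ROW;" * 300)[:CLUSTER]
RAM_SNAPSHOT = b"RAM:clipboard-text;" * 8
FILE_DATA = b"A" * 1000


if __name__ == "__main__":
    img = build_cluster_image(FILE_DATA, OLD_DISK, RAM_SNAPSHOT)
    ram, fs = carve_slack(img, len(FILE_DATA))
    print("RAM slack  :", len(ram), "bytes ->", ram)
    print("File slack :", len(fs), "bytes, starts with", fs[:40])
```

For the 1000-byte file the data ends 24 bytes short of its second sector, so 24 bytes of RAM slack follow it and the remaining six sectors (3072 bytes) are file slack that still reads as the old ledger rows; a file that exactly fills its clusters leaves no slack at all.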
Examining Data for Evidence (continued)
[Slides 13 to 15: no text content captured in this transcript]
Hardening Security Through New Solutions
• The number of attacks reported, the sophistication of attacks, and the speed at which they spread continue to grow
• Recent attacks include the characteristics listed on pages 457 and 458 of the text
• Defenders are responding to the increase in the level and number of attacks
• New techniques and security devices are helping to defend networks and systems
• The most recent developments and announcements are listed on pages 458 and 459 of the text
Exploring Information Security Jobs and Skills
• The need for information security workers will continue to grow for the foreseeable future
• Information security personnel are in short supply; those in the field are being rewarded well
• Security budgets have been spared the drastic cost-cutting that has plagued IT since 2001
• Companies recognize the high costs associated with weak security and have decided that prevention outweighs cleanup
Exploring Information Security Jobs and Skills (continued)
• Most industry experts agree security certifications continue to be important
• Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses
TCP/IP Protocol Suite
• One of the most important skills is a strong knowledge of the foundation upon which network communications rest, namely Transmission Control Protocol/Internet Protocol (TCP/IP)
• Understanding TCP/IP concepts helps you troubleshoot computer network problems effectively and diagnose possible anomalous behavior on a network
Packets
• No matter how clever the attacker is, they still must send their attack to your computer in a packet
• To recognize the abnormal, you must first understand what is normal
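"Understand what is normal" is concrete once you can read the header fields yourself. The Python below is an added example for this summary, not textbook code: it builds a constructed IPv4+TCP datagram with the standard library's struct module, parses the header fields back out, and flags the departures from a normal stack's behaviour that a packet analyst checks first (length fields that disagree with the bytes on the wire, header lengths below the minimum, and TCP flag combinations no legitimate handshake produces). Checksums are left at zero because this is a parsing demo; the addresses and ports are constructed.

```python
import struct

# TCP flag bits, low to high
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32


def ip4(addr):
    """Dotted-quad string to 4 raw bytes."""
    return bytes(int(o) for o in addr.split("."))


def build_tcp_packet(src, dst, sport, dport, flags, payload=b""):
    """Constructed IPv4 + TCP datagram: 20-byte IP header, 20-byte TCP header."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0, ip4(src), ip4(dst))
    return ip + tcp + payload


def parse_packet(raw):
    """Decode the IPv4 header and, for protocol 6, the TCP header that follows it."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0xF) * 4                      # header length in bytes
    pkt = {"version": vihl >> 4, "ihl": ihl, "total_len": total_len, "wire_len": len(raw),
           "ttl": ttl, "proto": proto, "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
           "tcp": None}
    if proto == 6 and ihl >= 20 and len(raw) >= ihl + 20:
        sport, dport, seq, ack, off_flags, win, _c, _u = struct.unpack("!HHIIHHHH", raw[ihl:ihl + 20])
        pkt["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                      "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x1FF, "window": win}
    return pkt


def anomalies(pkt):
    """Reasons a parsed packet departs from what a normal TCP/IP stack would send."""
    reasons = []
    if pkt["version"] != 4:
        reasons.append("IP version is not 4")
    if pkt["ihl"] < 20:
        reasons.append("IP header length below the 20-byte minimum")
    if pkt["total_len"] != pkt["wire_len"]:
        reasons.append("IP total length does not match bytes on the wire")
    t = pkt["tcp"]
    if t:
        f = t["flags"]
        if f & SYN and f & FIN:
            reasons.append("SYN and FIN set together")       # never produced by a real handshake
        if f == 0:
            reasons.append("no TCP flags set")                # null probe signature
        if f & FIN and f & PSH and f & URG:
            reasons.append("FIN, PSH and URG set together")   # xmas probe signature
        if t["data_offset"] < 20:
            reasons.append("TCP data offset below the 20-byte minimum")
    return reasons


if __name__ == "__main__":
    for label, flags in (("normal SYN", SYN), ("SYN+FIN", SYN | FIN), ("null", 0)):
        pkt = parse_packet(build_tcp_packet("10.0.0.5", "203.0.113.10", 40000, 443, flags))
        print(f"{label:10s} {pkt['src']}:{pkt['tcp']['sport']} -> {pkt['dst']}:{pkt['tcp']['dport']}"
              f" flags={pkt['tcp']['flags']:#05x} anomalies={anomalies(pkt)}")
```

A SYN to port 443 parses cleanly with no findings; the same packet with FIN added, or with no flags at all, is reported, which is the "know normal first" idea from the slide reduced to a handful of field comparisons.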
Firewalls
• Firewalls are essential tools on all networks and often provide a first layer of defense
• Network security personnel should have a strong background in how firewalls work, how to create access control lists (ACLs) that mirror the organization’s security policy, and how to tweak ACLs to balance security with employee access
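The firewall slide asks for two skills: writing an ACL that mirrors policy and tweaking it safely. The Python below is an added example for this summary, not textbook code and not any vendor's ACL syntax. It models a first-match ACL with an implicit deny, evaluates packets against it, and includes the check practitioners most need when tweaking: finding rules that can never fire because an earlier rule already covers everything they would match. The policy (internal hosts may reach the internal resolver on UDP 53 and any web server on TCP 80 and 443, everything else is denied) and all addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: tuple                 # (low, high) inclusive; (0, 65535) means any port


def rule(action, proto, src, dst, dports=(0, 65535)):
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dports)


def matches(r, proto, src, dst, dport):
    return ((r.proto == "any" or r.proto == proto)
            and ipaddress.ip_address(src) in r.src
            and ipaddress.ip_address(dst) in r.dst
            and r.dports[0] <= dport <= r.dports[1])


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation; returns (action, index of the rule that fired).
    Nothing matching falls through to the implicit deny, index None."""
    for i, r in enumerate(acl):
        if matches(r, proto, src, dst, dport):
            return r.action, i
    return "deny", None


def shadowed_rules(acl):
    """Indices of rules that can never fire: an earlier rule already matches every
    packet they would (superset protocol, source, destination and port range)."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("any", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dports[0] <= later.dports[0]
                    and later.dports[1] <= earlier.dports[1]):
                out.append(j)
                break
    return out


# constructed policy: 10.0.0.0/8 is the internal network, 10.0.0.53 the internal resolver
ACL = [
    rule("permit", "udp", "10.0.0.0/8", "10.0.0.53/32", (53, 53)),
    rule("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", (80, 80)),
    rule("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", (443, 443)),
    rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
    # a later "tweak" to allow SSH from one subnet, placed after the catch-all deny
    rule("permit", "tcp", "10.1.0.0/16", "0.0.0.0/0", (22, 22)),
]


if __name__ == "__main__":
    for proto, src, dst, dport in (("tcp", "10.1.2.3", "203.0.113.5", 443),
                                   ("tcp", "10.1.2.3", "203.0.113.5", 22),
                                   ("udp", "10.1.2.3", "10.0.0.53", 53),
                                   ("tcp", "192.168.1.1", "10.0.0.53", 80)):
        print(proto, src, "->", dst, dport, evaluate(ACL, proto, src, dst, dport))
    print("shadowed rules:", shadowed_rules(ACL))
```

The SSH rule at index 4 is reported as shadowed: because it sits below the catch-all deny it never fires, and the tweak silently fails until the rule is moved above the deny. Running the shadow check after every ACL edit catches this class of mistake before it reaches production.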
Routers
• Routers form the heart of a TCP/IP network
• Configuring routers for both packet transfer and packet filtering can become very involved
Intrusion-Detection Systems (IDS)
• Security professionals should know how to administer and maintain an IDS
• The capabilities of these systems have increased dramatically since they were first introduced, making them mandatory for today’s networks
• One problem is that an IDS can produce an enormous amount of data that requires checking
Other Skills
• A programming background is another helpful tool for security workers
• Security workers should also be familiar with penetration testing
  – Once known as “ethical hacking,” penetration testing probes vulnerabilities in systems, networks, and applications
Computer Forensic Skills
• Computer forensic specialists require an additional level of training and skills:
  – Basic forensic examinations
  – Advanced forensic examinations
  – Incident responder skills
  – Managing computer investigations
Summary
• Forensic science is the application of science to questions of interest to the legal profession
• Several unique opportunities give computer forensics the ability to uncover evidence that would be extremely difficult to find using a manual process
• Computer forensics also has a unique set of challenges that are not found in standard evidence gathering, including the volume of electronic evidence, how it is scattered across numerous locations, and its dynamic content
Summary (continued)
• Searching for digital evidence includes looking at “obvious” files and e-mail messages
• The need for information security workers will continue to grow, especially in computer forensics
• Skills needed in these areas include knowledge of TCP/IP, packets, firewalls, routers, IDS, and penetration testing