Module 12: Designing Responses to Security Incidents
Assessment
There are assessments for each lesson, located on the Student Materials
compact disc. You can use them as pre-assessments to help students identify
areas of difficulty, or you can use them as post-assessments to validate learning.
Lab A: Designing an Incident Response Procedure
To begin the lab, open Microsoft Internet Explorer and click the name of the
lab. Play the video interviews for students, and then instruct students to begin
the lab with their lab partners. Give students approximately 20 minutes to
complete this lab, and spend about 10 minutes discussing the lab answers as a
class.
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a
Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a
result, there are no lab setup requirements or configuration changes that affect
replication or customization.
Important: The lab in this module also depends on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2830A, Designing Security for Microsoft Networks.
Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
There are no configuration changes on student computers that affect replication or customization.
Overview
*****************************
ILLEGAL FOR NON-TRAINER USE******************************
Network security for an organization is an exercise in prevention. A good
security design that is properly implemented will prevent a majority of the most
common attacks. However, it is very likely that an attacker will eventually
penetrate the defenses that you design.
When an attack happens, the key to limiting damage is early detection and a
rapid and orderly response. Auditing is an important tool to help you detect
network abnormalities that may indicate attacks. An incident response
procedure is a series of steps that you design in advance to guide your
organization during a security incident.
Objectives
After completing this module, you will be able to:
- Explain the importance of auditing and incident response.
- Design an auditing policy.
- Design an incident response procedure.
Lesson: Introduction to Auditing and Incident Response
Auditing and incident response provide you with the means to detect and
maintain a record of network events. They also give you a procedure to respond
to events that you determine are attacks.
Lesson objectives
After completing this lesson, you will be able to:
- Describe the auditing process.
- Explain why auditing is important.
- Describe an incident response procedure.
- Explain why an incident response procedure is important.
The Auditing Process
Auditing records specific events on a network. By auditing events on computers
and applications, you can compare the audit logs on each computer to
understand the actions of a user or an attacker.
For example, consider a computer running Microsoft Windows 2000 Server and Microsoft Internet Security and Acceleration (ISA) Server that is functioning as a firewall. ISA Server protects a Web site on a computer running Windows 2000 Server and Internet Information Services (IIS). When a customer on the Internet accesses the Web server, he is authenticated, by using Basic authentication over Secure Sockets Layer (SSL), against an Active Directory directory service domain controller.
In this example, when you enable auditing on the computers and applications,
you can determine a user’s actions by examining the following:
1. Packet filter log file. By analyzing the packet filter log file, you determine that a computer with the IP address 131.107.1.31 created an SSL session with the Web server, which is published on the ISA Server firewall, for approximately 4 minutes, from 13:27 Pacific Daylight Time (PDT) to 13:31 PDT.
2. Security event log file from the IIS server and the IIS log file. By analyzing
the Security event log file on the Web server, you determine that a user
attempted to log on by using the account Ben and failed twice before
succeeding at 13:29:07 PDT.
By analyzing the IIS log file, you determine that the computer with the IP address 131.107.1.31 was running Windows 2000 and Microsoft Internet Explorer version 5.01 and attempted to enroll for a certificate from the Certsrv Web site.
3. Security event log file from the domain controller. By analyzing the
Security event log file on the domain controller, you determine that the user
who logged on by using the account Ben failed to log on twice due to using
a bad password before ultimately succeeding.
Note: To ensure that you can accurately compare audit logs from different computers and resources, synchronize the clocks of all audited computers and resources on your network. Also record the time zone in which each log is written: W3C-format IIS logs use Coordinated Universal Time (UTC) by default, whereas Event Viewer displays local time, so events from two logs can appear hours apart even when the clocks agree.

Additional reading: To analyze the log files that are used in this example, see the files in the Log files folder, under Additional Reading on the Web page on the Student Materials CD.
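The correlation described in the three steps above, carried out in code. This is an added example, not part of the course materials or of the log files on the Student Materials CD. The three logs are constructed, simplified samples: the field lists are illustrative rather than the exact ISA Server or IIS field sets, the host names and the PDT offset are assumptions, and the Security log uses the Windows 2000 event IDs 529 (logon failure) and 528 (successful logon). The script converts every timestamp to UTC, merges the sources into one timeline for the client address and account under review, and flags any event for the account that falls outside the firewall session.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not the files on the course CD). The two W3C-format logs
# carry UTC timestamps, as the W3C extended log format specifies; the Security event
# log export is in local time, as Event Viewer writes it (PDT here, UTC-7).
ISA_PACKET_FILTER_LOG = """#Software: ISA Server packet filter log (constructed sample)
#Fields: date time c-ip s-ip protocol s-port action
2002-07-16 20:27:03 131.107.1.31 10.0.0.5 TCP 443 ALLOW
2002-07-16 20:31:12 131.107.1.31 10.0.0.5 TCP 443 CLOSE
2002-07-16 20:40:00 131.107.1.99 10.0.0.5 TCP 443 ALLOW
"""

IIS_LOG = """#Software: Microsoft Internet Information Services 5.0 (constructed sample)
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2002-07-16 20:28:41 131.107.1.31 - GET /certsrv/default.asp 401 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2002-07-16 20:28:55 131.107.1.31 - GET /certsrv/default.asp 401 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2002-07-16 20:29:07 131.107.1.31 Ben GET /certsrv/default.asp 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
"""

# Event Viewer CSV export of the Web server's Security log, reduced to the columns used here.
# 529 = logon failure (bad user name or password), 528 = successful logon (Windows 2000 IDs).
SECURITY_LOG_CSV = """date,time,type,event_id,account,computer
7/16/2002,1:28:41 PM,Failure Audit,529,Ben,WEBSRV
7/16/2002,1:28:55 PM,Failure Audit,529,Ben,WEBSRV
7/16/2002,1:29:07 PM,Success Audit,528,Ben,WEBSRV
7/16/2002,2:05:00 PM,Success Audit,528,Alice,WEBSRV
"""


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the names on the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def w3c_time(row):
    """W3C date/time fields are already UTC; attach the zone so comparisons are unambiguous."""
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_security_csv(text, local_utc_offset_hours):
    """Parse an Event Viewer export and convert its local-time stamps to UTC."""
    local = timezone(timedelta(hours=local_utc_offset_hours))
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %I:%M:%S %p")
        row["utc"] = stamp.replace(tzinfo=local).astimezone(timezone.utc)
        rows.append(row)
    return rows


def build_timeline(client_ip="131.107.1.31", account="Ben", local_utc_offset_hours=-7):
    """Merge the three logs into one UTC-ordered timeline for the client and account under review.

    Each entry is (utc_time, source, description, inside_firewall_session). An event for the
    account outside the firewall session is either clock skew or a second access path; either
    way it needs explaining before the timeline is trusted."""
    isa = [r for r in parse_w3c(ISA_PACKET_FILTER_LOG) if r["c-ip"] == client_ip]
    iis = [r for r in parse_w3c(IIS_LOG) if r["c-ip"] == client_ip]
    sec = [r for r in parse_security_csv(SECURITY_LOG_CSV, local_utc_offset_hours) if r["account"] == account]
    session_start = min(w3c_time(r) for r in isa)
    session_end = max(w3c_time(r) for r in isa)

    events = []
    for r in isa:
        events.append((w3c_time(r), "isa", f"{r['action']} {r['protocol']}/{r['s-port']} from {r['c-ip']}"))
    for r in iis:
        events.append((w3c_time(r), "iis", f"{r['cs-method']} {r['cs-uri-stem']} -> {r['sc-status']} user={r['cs-username']}"))
    for r in sec:
        events.append((r["utc"], "seclog", f"event {r['event_id']} {r['type']} account={r['account']} on {r['computer']}"))
    events.sort(key=lambda e: e[0])  # stable sort keeps isa/iis/seclog order for equal stamps
    return [(t, src, desc, session_start <= t <= session_end) for t, src, desc in events]


def skew_seconds(timeline):
    """Offset between the IIS 200 for the user and the Security log 528 that should be simultaneous.

    Both records come from the Web server's own clock, so a non-zero value here means the
    time zone conversion is wrong rather than the clocks; a genuine clock offset between
    hosts would show up between the ISA entries and the other two sources instead."""
    iis_ok = next(t for t, src, d, _ in timeline if src == "iis" and "-> 200" in d)
    sec_ok = next(t for t, src, d, _ in timeline if src == "seclog" and "event 528" in d)
    return (sec_ok - iis_ok).total_seconds()


if __name__ == "__main__":
    tl = build_timeline()
    for t, src, desc, inside in tl:
        print(t.isoformat(), src.ljust(6), desc, "" if inside else "  <-- outside firewall session")
    print("skew between IIS log and Security log:", skew_seconds(tl), "s")
```

Run it as-is and the output is the sequence the module describes: the firewall session opens at 20:27:03 UTC (13:27 PDT), two 401/529 pairs for Ben, the 200/528 pair at 20:29:07 UTC (13:29:07 PDT), and the session closing at 20:31:12 UTC. Changing `local_utc_offset_hours` to 0 (treating the Event Viewer export as if it were UTC) moves every Security log entry seven hours earlier, outside the firewall session, which is exactly the mistake the note above warns about.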
Why Auditing Is Important
External attacker scenario
An attacker locates a Simple Mail Transfer Protocol (SMTP) server in the screened subnet of a company. The attacker generates random passwords and runs a script that attempts to use the passwords to log on to the SMTP server. After two weeks and several thousand attempts, the attacker discovers the correct password for the account named Administrator. The attacker then uses this account to create accounts to access information on the network. Because auditing is not enabled, there is no record of the failed logon attempts or of the creation of additional user accounts.

Internal attacker scenario
A help desk administrator uses administrative rights to temporarily change the password of his supervisor's account, and then uses the new password to log on to the network. The help desk administrator reads his supervisor's e-mail and accesses her personnel records to determine the salaries of his coworkers. The administrator changes the password to its original setting. Because auditing is not enabled, there is no record of the security incident.
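Both scenarios leave a clear pattern in the Security log once auditing is on, and the rules below show what a reviewer would look for in each. This is an added example, not part of the course materials. The events are constructed (no real log data), the account and host names are invented, the thresholds and windows are choices made for this example rather than recommended values, and the event IDs are the Windows 2000 ones: 529 logon failure, 528 successful logon, 624 user account created, 628 user account password set by an administrator.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs used below (the pre-Vista numbering):
# 529 logon failure (unknown user name or bad password), 528 successful logon,
# 624 user account created, 628 user account password set (an administrative reset).
LOGON_FAILED, LOGON_OK, ACCOUNT_CREATED, PASSWORD_RESET = 529, 528, 624, 628


def constructed_events():
    """Constructed audit events for both scenarios; these are not real log data."""
    ev = []
    # External scenario: one guess every 5 minutes against Administrator on the SMTP host
    # for almost two weeks (4,000 attempts), then a success and a newly created account.
    t0 = datetime(2002, 7, 1, 0, 0)
    for i in range(4000):
        ev.append(dict(time=t0 + timedelta(minutes=5 * i), id=LOGON_FAILED, target="Administrator",
                       caller="-", computer="SMTP1", ip="131.107.1.31"))
    t_ok = t0 + timedelta(minutes=5 * 4000)
    ev.append(dict(time=t_ok, id=LOGON_OK, target="Administrator", caller="-", computer="SMTP1", ip="131.107.1.31"))
    ev.append(dict(time=t_ok + timedelta(minutes=3), id=ACCOUNT_CREATED, target="svc_backup2",
                   caller="Administrator", computer="SMTP1", ip="131.107.1.31"))
    # Internal scenario: help desk admin Bob resets supervisor Jane's password, logs on as Jane
    # from the help desk workstation, and resets the password again afterwards.
    t1 = datetime(2002, 7, 10, 18, 40)
    ev.append(dict(time=t1, id=PASSWORD_RESET, target="Jane", caller="Bob", computer="DC1", ip="-"))
    ev.append(dict(time=t1 + timedelta(minutes=2), id=LOGON_OK, target="Jane", caller="-", computer="HD-WS01", ip="10.0.0.50"))
    ev.append(dict(time=t1 + timedelta(minutes=35), id=PASSWORD_RESET, target="Jane", caller="Bob", computer="DC1", ip="-"))
    # Benign noise: Jane's own morning logon, and a legitimate single reset for Carol
    # followed by Carol logging on from her own workstation.
    ev.append(dict(time=datetime(2002, 7, 10, 8, 2), id=LOGON_OK, target="Jane", caller="-", computer="JANE-WS", ip="10.0.1.20"))
    ev.append(dict(time=datetime(2002, 7, 10, 9, 15), id=PASSWORD_RESET, target="Carol", caller="Bob", computer="DC1", ip="-"))
    ev.append(dict(time=datetime(2002, 7, 10, 9, 20), id=LOGON_OK, target="Carol", caller="-", computer="CAROL-WS", ip="10.0.1.21"))
    return sorted(ev, key=lambda e: e["time"])


def detect_guessing(events, window=timedelta(days=14), threshold=500):
    """Flag a successful logon preceded by at least `threshold` failures for the same account
    within `window`. The window is long on purpose: the SMTP attack is low and slow, one guess
    every few minutes, so a per-minute threshold would never fire."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if e["id"] == LOGON_FAILED:
            failures[e["target"]].append(e["time"])
        elif e["id"] == LOGON_OK:
            recent = [t for t in failures[e["target"]] if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(dict(rule="guessing_then_success", account=e["target"], failures=len(recent),
                                   at=e["time"], ip=e["ip"], computer=e["computer"]))
    return alerts


def detect_creation_after_guessing(events, guessing_alerts, window=timedelta(hours=1)):
    """Flag accounts created by a caller whose own logon was flagged shortly before."""
    alerts = []
    for e in events:
        if e["id"] != ACCOUNT_CREATED:
            continue
        for a in guessing_alerts:
            if a["account"] == e["caller"] and timedelta(0) <= e["time"] - a["at"] <= window:
                alerts.append(dict(rule="account_created_after_guessing", new_account=e["target"],
                                   by=e["caller"], at=e["time"]))
    return alerts


def detect_reset_use_reset(events, window=timedelta(hours=2)):
    """Flag an administrator resetting someone else's password twice within `window` with a
    logon to that account in between: the help desk scenario. A single reset followed by the
    owner's logon is ordinary help desk work and is not flagged."""
    resets = [e for e in events if e["id"] == PASSWORD_RESET and e["caller"] != e["target"]]
    alerts = []
    for first in resets:
        for second in resets:
            same_pair = second["target"] == first["target"] and second["caller"] == first["caller"]
            if not same_pair or not (timedelta(0) < second["time"] - first["time"] <= window):
                continue
            logons = [e for e in events if e["id"] == LOGON_OK and e["target"] == first["target"]
                      and first["time"] < e["time"] < second["time"]]
            if logons:
                alerts.append(dict(rule="reset_use_reset", account=first["target"], by=first["caller"],
                                   logon_from=logons[0]["computer"], between=(first["time"], second["time"])))
    return alerts


def run_all(events=None):
    """Run the three rules over the events and return every alert in rule order."""
    events = events if events is not None else constructed_events()
    guessing = detect_guessing(events)
    return guessing + detect_creation_after_guessing(events, guessing) + detect_reset_use_reset(events)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The second and third rules are deliberately written as sequences rather than single events: an account creation by Administrator or a help desk password reset is routine on its own, and only the ordering (guessing, then success, then creation; reset, then logon from a different computer, then reset again) turns it into something worth a call. Note also that the 624 and 628 events are recorded on the domain controller or the member server that holds the account, while the 528/529 events are on the computer that was logged on to, so the rules only work once the logs from those computers are collected together.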
What Is an Incident Response Procedure?
Incident response describes how your organization reacts to an attack or other
types of security incidents on your network. Too often, in an effort to respond
quickly, organizations respond to security incidents in an ad-hoc manner.
Mistakes due to chaotic responses can cause loss of prestige, assets, and
revenue. Poor incident response also makes it difficult to learn about the origins
of the incident or how to prevent similar incidents from occurring in the future.
By creating and using an incident response procedure, individuals in your
organization can respond efficiently during and after a security incident.
An incident response procedure can help your organization:
- Prevent the mishandling of potential evidence.
- Contain the spread of the security incident.
- Limit the damages that may result from the security incident.
- Control the release of information about the security incident.
- Quickly recover from the effects of a security incident.
Why an Incident Response Procedure Is Important
External attacker scenario
A virus that an external attacker created penetrates the internal network from the Internet by exploiting a known vulnerability. Despite previous virus attacks, the organization struggles to identify the attack. Some network administrators recognize the virus and remove it from computers, only to discover that those computers are infected again from the network. By the time the organization identifies the virus and communicates the information to all administrators, all computers on the network are infected.

Internal attacker scenario
A company notices that a competitor appears to receive advance knowledge of its marketing plans. The company suspects that one of its employees is selling confidential information to the competitor. Management attempts to identify and preserve the chain of evidence: the records that would show that the suspect actually committed a crime. During the investigation, a routine update to the network changes several files on the suspect's computer and renders the evidence on the computer inadmissible in court.
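The internal scenario fails on evidence handling, so here is an added example (not part of the course materials) of the least an incident response procedure should require before any routine change is allowed to touch a suspect computer: a manifest that records a cryptographic hash of every file, kept off the host, so that any later change can be proven rather than argued about. Imaging the disk with a write blocker is the proper acquisition step; the manifest is the minimum record that makes a later change detectable. The directory layout and file contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_manifest(root):
    """Record hash, size and mtime of every file under root, before anything else touches the host."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order so two manifests of the same tree compare cleanly
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            files[rel] = {"sha256": sha256_file(full), "size": st.st_size, "mtime": st.st_mtime}
    manifest = {"root": root, "created_utc": datetime.now(timezone.utc).isoformat(), "files": files}
    # Hash over the file table itself. Write this one value into the case log (or a signed
    # message) off the host, so that a later edit to the manifest is detectable too.
    manifest["manifest_sha256"] = hashlib.sha256(json.dumps(files, sort_keys=True).encode()).hexdigest()
    return manifest


def verify_manifest(manifest, root=None):
    """Compare the current state of root with the manifest; every difference must be explained."""
    root = root or manifest["root"]
    current = make_manifest(root)["files"]
    recorded = manifest["files"]
    changed = sorted(p for p in recorded if p in current and current[p]["sha256"] != recorded[p]["sha256"])
    missing = sorted(p for p in recorded if p not in current)
    added = sorted(p for p in current if p not in recorded)
    return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Constructed scenario: manifest taken, then a 'routine update' alters the suspect's files."""
    root = tempfile.mkdtemp(prefix="evidence_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "plan.txt"), "w") as f:
        f.write("Q3 marketing plan, confidential\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("meeting with competitor rep on Friday\n")
    manifest = make_manifest(root)
    # The routine update: one existing file rewritten, one new log file dropped.
    with open(os.path.join(root, "docs", "plan.txt"), "a") as f:
        f.write("updated by patch installer\n")
    with open(os.path.join(root, "update.log"), "w") as f:
        f.write("patch applied\n")
    return manifest, verify_manifest(manifest)


if __name__ == "__main__":
    manifest, result = demo()
    print(json.dumps(manifest, indent=2))
    print("after update:", result)
```

With the manifest in hand, the investigator can state exactly which files the update changed (`docs/plan.txt`) and which it added (`update.log`), and that `notes.txt` is byte-for-byte what it was when the manifest was taken. Without it, the only honest answer to "has this computer been altered since the incident?" is "yes, and we cannot say how much", which is what the scenario above ends in.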
Lesson: Designing an Audit Policy
You use an audit policy to audit specifically for security threats. To design an
audit policy, use a framework to help you determine what to audit, how to
audit, and when and how to review the data that you collect.
Lesson objectives
After completing this lesson, you will be able to:
- List steps for planning an audit policy.
- Explain guidelines for creating an auditing framework.
- Describe common auditing tools.
- Explain guidelines for reviewing audit data.