Friday, April 11, 2008
Project Plan
Load the whole CD into RAM so the CD drive is free during remastering: toram
Boot from an ISO image stored on the hard disk (for testing a remastered LiveCD): bootfrom=/dev/hda1/knoppix.iso
Another cheat code worth trying:
knoppix splash (boot with the fancy background splash screen)
You can also reference a list of the most frequently used cheat codes by pressing F2 at the boot prompt.
2. Hard drive and source directory preparation
Open a console and switch to super user mode: su
Mount the working partition read/write: mount -o rw /dev/hda1 /mnt/hda1
Check the free RAM: free
Check the free disk space: df -h
Switch to hard drive and create appropriate directory structure:
cd /mnt/hda1
mkdir -p source/KNOPPIX
cp -a /KNOPPIX/* source/KNOPPIX
Copy resolv.conf from the UnionFS into the hard-drive copy so that name resolution works inside the chroot (and remember to unmount proc again before compressing the tree):
cp /etc/dhcpc/resolv.conf source/KNOPPIX/etc/dhcpc/resolv.conf
mount --bind /proc source/KNOPPIX/proc
chroot source/KNOPPIX
3. Remove OpenOffice
apt-get --purge remove openoffice-de-en
apt-get clean
apt-get update
4. Change the desktop background into my cartoon picture
First, download the picture you want and save it as ppt.jpg on the Desktop. Then copy it over the background image in the CD tree (master/ is the directory that mkisofs packs into the ISO in step 6):
cp /home/knoppix/Desktop/ppt.jpg /mnt/hda1/master/KNOPPIX/background.jpg
Regenerate the list of checksums, since the contents of the CD tree have changed:
cd /mnt/hda1
cd master
rm -f KNOPPIX/md5sums
find -type f -not -name md5sums -not -name boot.cat -exec md5sum {} \; >> KNOPPIX/md5sums
cd ..
5. Install additional software
klik is the easiest way to install additional software in Knoppix. Make sure you are connected to the internet, then press Alt-F2 to open the Run Command window and enter wget klik.atekon.de/client/install -O -|sh
Note that this fetches a script over plain HTTP and pipes it straight into sh without any check on what was downloaded; on a remaster you intend to trust for forensic work, download the script first, read it, and only then run it.
Press Run.
After a while you should get a message about the klik client being successfully installed.
Now open the klik website in Konqueror. You can browse the website and point-and-klik to download and install software packages from the Klik website.
For example, browse to http://opera9.klik.atekon.de/ and click the download button.
Klik will automatically download and install Opera 9. An entry will be created under Applications (installed by klik) on the Start menu to launch the program.
If you know the name of the software you want, just type klik://softwarename to go directly to the download page, e.g. klik://firefox
All programs are downloaded as single self-contained .cmg files. To 'uninstall' a program simply delete the downloaded .cmg file.
6. Make new ISO
mkisofs -pad -l -r -J -v -V "KNOPPIX" -no-emul-boot -boot-load-size 4 -boot-info-table -b boot/isolinux/isolinux.bin -c boot/isolinux/boot.cat -hide-rr-moved -o knoppix.iso master/
Abstract for Remastering LiveCD-KNOPPIX
Online Journal-Data Remembrance
Data remembrance, properly called data remanence, is the residue of data that survives on hard drives, flash disks, RAM or any other storage after it was supposedly removed, and it is a problem for every system that holds sensitive data. Many security tools can now wipe data from a disk as thoroughly as a paper shredder destroys paper.
But what about a lost or stolen device such as a PDA, which is more portable and more easily stolen? The owner may not have protected the information stored on it before realising it is gone, so everything on it is exposed to the thief. What can we do?
Kaspersky Lab has introduced software aimed at letting individual owners of lost or stolen Windows Mobile phones block access and delete data remotely. Kaspersky Mobile Security also filters SMS spam messages, scans incoming files for malware in real time, and includes a firewall.


To lock a phone (above left) or delete all its data (above right), the owner need only send a specific code to it via SMS, Kaspersky claims. Via an "SMS Block" code, the phone is locked and becomes unusable until a pre-set password is entered. Via an "SMS Clean" code, a phone's data can be erased remotely, including email, SMS messages, documents, and network settings.
Original article link: http://www.windowsfordevices.com/news/NS6852808592.html
Thursday, April 3, 2008
Assignment 3-Helix for Beginners
A rootkit is a set of malware components that replace the standard Windows utilities with Trojan horse programs in an attempt to take over the system. A rootkit can modify the operating system so that it hides itself and evades traditional means of detection.
2. In Helix, what does the Protected Storage Viewer reveal?
It reveals the passwords stored on the host computer by Internet Explorer, Outlook Express and MSN Explorer.
3. What other way can you access this information?
IE History Viewer can show the passwords stored by IE; Network Password Viewer and Mail Password Viewer can show the Outlook Express passwords; Network Password Viewer and Messenger Password can show the MSN Explorer password.
4. Briefly discuss the pros and cons of doing corporate forensic work from a GUI rather than a CLI?
Pros: GUI tools are more user-friendly and do not require as much specialised knowledge as command line tools. Most of the time an examiner can open a suspicious file in another window without closing the GUI tool.
Cons: GUI tools need more system resources and will not fit on a floppy disk, whereas CLI tools will. CLI tools can also be scripted and their exact invocations logged, which makes an examination easier to reproduce.
5. In computer forensics, for what is the dd command used?
The dd command is used in computer forensics to make a bit-for-bit (physical) copy of a storage device, reading the raw device rather than the files on it. It has flags that make it suitable for imaging block-oriented devices such as disks and tapes: a block size (bs) matching the device's sector size, and conv=noerror,sync so that an unreadable sector is zero-filled and skipped instead of aborting the copy. The resulting image should be hashed (md5sum or sha1sum) and the hash compared with that of the source so the copy can be shown to be exact.
6. What is NetCat? And for when would you use it?
NetCat (nc) is a networking utility that reads and writes data across network connections using TCP or UDP. It is used either to connect to a port on another host or to listen on a port of your own; in forensics it is typically used to stream a disk image or the output of a command from the suspect machine to a collection host, so that nothing has to be written to the suspect's disk.
7. Briefly explain how a file system, such as FAT, stores data in files.
A disk formatted with FAT is divided into clusters whose size depends on the size of the volume. When a file is created, a directory entry is written that records its name, size and the number of its first cluster. The FAT holds one entry per cluster: the entry for each of the file's clusters either points to the next cluster of the file or marks it as the last cluster of the chain.
8. Briefly explain how it is possible to recover files that have been deleted from a file system, such as FAT.
When a file is deleted on FAT, the directory entry is not wiped: its first byte is overwritten with the marker 0xE5 and the file's clusters are flagged free in the FAT, but the data in those clusters, and the entry's first-cluster number and size, remain until they are reused. A recovery tool reads the surviving entry and takes the data from the first cluster onwards, assuming the clusters were contiguous since the chain links are gone. Helix carries such a tool, fatback, a forensic utility for undeleting files from Microsoft FAT file systems; other tools such as FTK Imager can also recover data from FAT.
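To make the two answers above concrete, here is an added example of my own (not code from Helix, fatback or the original post) that builds a toy FAT16-style volume in memory: a FAT of 16-bit entries, one 32-byte directory entry and a data area with 16-byte clusters (real clusters are 512 bytes to 32 KiB, and a real volume also has a boot sector, which is left out here). It writes a file as a cluster chain, reads it back by following the chain, deletes it the way FAT does, and then undeletes it from the surviving directory entry. The fragmented case shows the limit of the technique: once the chain links are gone, a recovery tool can only assume the clusters were contiguous.

```python
import struct

CLUSTER_SIZE = 16        # bytes per cluster in this toy volume (real FAT: 512 B to 32 KiB)
NUM_CLUSTERS = 16        # FAT entries 0-15; clusters 2-15 hold data
FREE = 0x0000            # FAT value of an unallocated cluster
EOC = 0xFFFF             # FAT16 end-of-chain marker (any value >= 0xFFF8)
DELETED = 0xE5           # first byte of a directory entry whose file was deleted


def cluster_slice(cluster):
    """Byte range of a data cluster; the data area starts at cluster 2."""
    start = (cluster - 2) * CLUSTER_SIZE
    return slice(start, start + CLUSTER_SIZE)


def build_volume(payload, chain):
    """Constructed toy volume: FAT as a list, one 32-byte directory entry, data area.
    chain lists the clusters the file occupies, in order."""
    fat = [FREE] * NUM_CLUSTERS
    fat[0], fat[1] = 0xFFF8, 0xFFFF                      # reserved entries, as on a real volume
    data = bytearray((NUM_CLUSTERS - 2) * CLUSTER_SIZE)
    for i, cluster in enumerate(chain):
        fat[cluster] = chain[i + 1] if i + 1 < len(chain) else EOC
        piece = payload[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
        data[cluster_slice(cluster)] = piece.ljust(CLUSTER_SIZE, b"\x00")
    entry = bytearray(32)
    entry[0:11] = b"REPORT  TXT"                         # 8.3 file name
    struct.pack_into("<H", entry, 26, chain[0])          # first cluster (low 16 bits)
    struct.pack_into("<I", entry, 28, len(payload))      # file size in bytes
    return fat, entry, data


def read_file(fat, entry, data):
    """Normal read: follow the FAT chain from the entry's first cluster until EOC."""
    cluster = struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    out = bytearray()
    while cluster < 0xFFF8:
        if cluster < 2 or cluster >= NUM_CLUSTERS:
            raise ValueError("corrupt chain at cluster %d" % cluster)
        out += data[cluster_slice(cluster)]
        cluster = fat[cluster]
    return bytes(out[:size])


def delete_file(fat, entry):
    """What FAT deletion does: tag the entry and free its clusters. The data is untouched."""
    cluster = struct.unpack_from("<H", entry, 26)[0]
    while cluster < 0xFFF8:
        nxt = fat[cluster]
        fat[cluster] = FREE
        cluster = nxt
    entry[0] = DELETED


def undelete(fat, entry, data):
    """Recover a deleted entry the way fatback-style tools do once the chain is gone:
    start at the first cluster still stored in the entry and assume the file was
    contiguous, taking successive clusters as long as they are still free."""
    if entry[0] != DELETED:
        raise ValueError("entry is not marked deleted")
    cluster = struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    needed = (size + CLUSTER_SIZE - 1) // CLUSTER_SIZE
    out = bytearray()
    for c in range(cluster, cluster + needed):
        if c >= NUM_CLUSTERS or fat[c] != FREE:
            break                # cluster reused by another file: recovery is partial
        out += data[cluster_slice(c)]
    return bytes(out[:size])


def demo():
    """Constructed 39-byte file (3 clusters), stored contiguously and fragmented."""
    payload = b"Forensic report: this file was deleted."
    results = {}
    for label, chain in (("contiguous", [2, 3, 4]), ("fragmented", [2, 5, 6])):
        fat, entry, data = build_volume(payload, chain)
        assert read_file(fat, entry, data) == payload
        delete_file(fat, entry)
        results[label] = undelete(fat, entry, data) == payload
    return results


if __name__ == "__main__":
    print(demo())  # the fragmented file comes back wrong: the chain links are gone
```

The fragmented case is why undelete tools report recovered files as "possibly corrupt": the directory entry still gives the first cluster and the size, but nothing on the volume says where the second cluster went, so the tool reads the next free clusters and hopes.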
9. Briefly list tools contained on the Helix LiveCD that would be useful in investigating a filesystem.
Adepto, Air, Linen, Retriever, Autopsy, pyFlag, Regviewer, xhfs.
10. Briefly explain the sleuthkit.
The Sleuth Kit is a collection of UNIX-based command line file and volume system forensic analysis tools. The file system tools allow you to examine file systems of a suspect computer in a non-intrusive fashion. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.
Wednesday, April 2, 2008
Online Journal-Bring a LiveCD in your casebag
Linux based LiveCDs come in a great variety with one of the first Linux LiveCDs to appear being Knoppix. Many Linux LiveCDs like Knoppix and the Fedora and Ubuntu Live distributions load versions of Linux that closely resemble desktop installs of Linux, and provide access to robust desktop environments such as KDE or Gnome and applications such as OpenOffice.org. While these types of LiveCD distributions are great if you need all of the features of a full Linux desktop, their performance can be somewhat lacking since data often needs to be read from the CD to load certain applications. Users who are simply interested in a LiveCD distribution for purposes of accessing the Web and email may instead want to consider distributions such as Puppy Linux and Damn Small Linux, as these distributions can be completely loaded into system RAM. While not as application rich as other Linux distributions, most users will find them surprisingly feature complete given their small size, and as a result of running solely off of system RAM, they will yield extremely rapid response times.
Before you head out the door to make a trip to the airport or even the local coffee shop, remember to grab not only your keys, but also a copy of a Linux Live CD.
Original journal is here : http://www.sys-con.com/read/514335.htm
Friday, March 28, 2008
Assignment 2- NIST Sp 800-86
Assignment Two- NIST SP 800-86
Guide to Integrating Forensic Techniques into Incident Response
- Name and briefly describe the four process phases for performing digital forensics.
• Collection: related data is identified, labelled, recorded and collected, and its integrity is preserved.
• Examination: forensic tools and techniques are used to extract the relevant information from the collected data while preserving its integrity.
• Analysis: useful information is derived from the examination results using justifiable methods and techniques.
• Reporting: the results of the analysis are reported, including a description of the actions performed, the actions still needed, and recommended improvements to policies, guidelines, procedures, tools and other aspects of the forensic process.
- Name the three organizational groups that are the primary forensic tool users.
• Investigators
• IT Professionals
• Incident Handlers
- What is incident (handling) response?
Incident handling/response is a computer security strategy to respond to an event by investigating suspect systems, gathering and preserving evidence, reconstructing events, and assessing the current state of an event.
- What is an incident response team?
An incident response team is a group responding to a variety of computer security incidents, like unauthorized data access, inappropriate system usage, malicious code infections, and denial of service attacks by using different kinds of forensic techniques and tools.
- When reporting an incident, what information should be provided?
Alternative explanations, audience consideration, and actionable information should be provided when reporting an incident.
- Name and describe four categories of tools that should be available to respond to an incident.
• Data file and file system analysis tools: software for examining a file system or disk image and showing file contents and other metadata.
• Operating system analysis tools: software for collecting, examining and analysing data from common workstation and server operating systems.
• Network traffic analysis tools: software for analysing network packets and traffic.
• Application analysis tools: software for analysing application data, such as data from e-mail, Web browsers and word processors.
- What is a Denial of Service (DoS) attack?
A Denial of Service attack is an action that prevents or impairs the authorized use of network, system, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.
- Name and describe five DoS attack containment strategies.
• Correct the vulnerability or weakness that is being exploited: patch the system so the attack no longer works.
• Implement filtering based on the characteristics of the attack: a border router or firewall rule that blocks the attack traffic.
• Have the ISP implement filtering: rely on the ISP to block the DoS traffic upstream, before it fills your link.
• Relocate the target: move the targeted service to a different host or address.
• Attack the attackers: modify network or server configurations to bounce attack traffic back to its source. This is a poor option in practice, since DoS source addresses are usually spoofed, so the reflected traffic hits innocent third parties and may itself be unlawful.
- Briefly define malicious code.
Malicious code is a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the security or integrity of the host’s data.
- Briefly define an unauthorized access incident. Give several examples.
An unauthorized access incident is one in which a person gains logical or physical access to a network, system, application, data or other resource without permission.
Examples:
• Cracking passwords
• Copying confidential data without permission
• Reading files without read rights
• Modifying data without write rights
• Running backdoor software for remote control
- Briefly describe a multiple component incident.
A multiple component incident is a single incident that encompasses two or more incidents.
Thursday, March 27, 2008
Lab Narrative for Introduction of Knoppix-Network Security Monitoring
Time: March 16, 2008
Objective: Learn how Network Security Monitoring works in Knoppix-NSM by capturing a packet stream, and see the differences between Knoppix and Knoppix-NSM.
Procedures & Results:
A team of two worked together on this lab session; my partner was Lee James.
I used Knoppix and Lee used Knoppix-NSM.
Knoppix boot process:
To boot Knoppix, the live CD is put in the CD drive and the machine started. Once the Knoppix desktop came up, I opened the Console terminal and ran ifconfig to find my address.
My IP address is 129.7.236.112, and Lee's computer IP address is 129.7.236.230
Knoppix-NSM boot process:
Step-1:
Lee: The Knoppix-NSM CD is loaded into the CD drive and the system is turned on.
He opened the root console and cleared all the iptables rules with the following command
/etc/init.d/iptables clear
This removes the firewall rules. Next, the DHCP client pump was run to obtain the TCP/IP configuration for the interface:
pump -i eth0
Step-2: Once the system is successfully booted mysql, apache2 and sguild servers are started by the following commands
/etc/init.d/mysql start
/etc/init.d/apache2 start
/etc/init.d/sguild start
Next the sguil-sensor is started by typing ‘sensor default start’
ntop is started by typing
/etc/init.d/ntop.default start.
Step-3: Start Sguil client
Open the NSM sguil client which shows up the following screen
The username and password are sguil and password respectively.
Step 4 - Start BASE client
Base client is started by opening the firefox and then type the following
https://localhost/base/
The following screen appears then enter the username as admin and the password as password.
Step 5 - View Statistical data with Ntop
Statistical data is observed by clicking on the ntop button in a new browser.

Step 6 - Test it
This was my part of the hands-on lab. I opened a console and ran several Nmap scans against Lee's computer.
Null Scan
Command: nmap -sN 129.7.236.230
Screenshot:

X-mas Scan
Command I input: nmap -sX 129.7.236.230
Screenshot:

Then I used hping2 to probe Lee's computer. With no options hping2 sends TCP packets with no flags set to port 0 (not UDP; UDP mode needs -2), so this is a TCP-based ping:
command: hping2 129.7.236.230
ctrl+c to stop hping2
Screenshot:

Lee monitored what I did to his computer:

Reflections:
1. What is Network Security Monitoring?
NSM can be defined as the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. NSM is a detective rather than a preventative process: it does not block traffic, it records and analyses it so that analysts can find what the preventative controls missed.
2. Briefly, compare and contrast Knoppix-NSM and Knoppix?
Knoppix is a general-purpose desktop Linux system with a windowed interface that is friendly and easy to use. Knoppix-NSM is focused on Network Security Monitoring and gives a professional user an NSM setup almost instantly. Knoppix has some tools for looking at network traffic, such as Wireshark, but Knoppix-NSM provides a complete package for detective monitoring: Sguil and Snort for alerts, ntop for statistics, SANCP for session data, Wireshark for full packet analysis and BASE as a web-based console.
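As an added example of the detective side, here is detection logic of my own (not Snort's or Sguil's code) that classifies raw TCP headers by their flag byte, names the NULL and Xmas probes used in Step 6, reproduces the inference nmap draws from the replies to them, and raises an alert once one source has probed several ports of a host. The capture is constructed inline, with the lab's addresses used only as labels; the three-port alert threshold is an assumed value.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG        # nmap -sX sets exactly these three flags
SCAN_PORT_THRESHOLD = 3       # distinct ports probed by one source before we alert (assumed value)


def tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Build a minimal 20-byte TCP header (no options; checksum left as 0) for the sample capture."""
    data_offset = 5 << 4      # header length = 5 words; low nibble reserved
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, data_offset, flags, 8192, 0, 0)


def parse_tcp(header):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    src, dst = struct.unpack_from("!HH", header, 0)
    flags = header[13] & 0x3F  # drop the ECN bits (CWR/ECE) so they cannot disguise a scan
    return src, dst, flags


def classify(flags):
    """Name the probe type the way an IDS signature would."""
    if flags == 0:
        return "NULL"          # nmap -sN: no flags at all, never seen in legitimate TCP
    if flags == XMAS:
        return "XMAS"          # nmap -sX: FIN+PSH+URG "lit up like a Christmas tree"
    if flags == SYN:
        return "SYN"
    if flags & RST:
        return "RST"
    if flags & ACK:
        return "ACK"
    return "OTHER"


def nmap_port_state(response_flags):
    """How nmap reads the reply to a NULL or Xmas probe (RFC 793 behaviour):
    a closed port answers with RST, an open port stays silent."""
    if response_flags is None:
        return "open|filtered"
    if response_flags & RST:
        return "closed"
    return "unexpected"


def scan_alerts(packets):
    """packets: iterable of (src_ip, dst_ip, tcp_header_bytes). Alert when one source sends
    NULL or XMAS probes to at least SCAN_PORT_THRESHOLD distinct ports of a single host."""
    seen = defaultdict(set)
    for src_ip, dst_ip, hdr in packets:
        _, dst_port, flags = parse_tcp(hdr)
        kind = classify(flags)
        if kind in ("NULL", "XMAS"):
            seen[(src_ip, dst_ip, kind)].add(dst_port)
    return sorted(
        "%s scan: %s -> %s (%d ports)" % (kind, s, d, len(ports))
        for (s, d, kind), ports in seen.items()
        if len(ports) >= SCAN_PORT_THRESHOLD
    )


def sample_capture():
    """Constructed traffic: a NULL sweep and an Xmas sweep like the lab's nmap runs,
    plus ordinary SYN/ACK and FIN/ACK traffic from another host that must not alert."""
    attacker, victim, other = "129.7.236.112", "129.7.236.230", "129.7.236.50"
    pkts = [(attacker, victim, tcp_header(40000 + p, p, 0)) for p in (21, 22, 23, 25, 80)]
    pkts += [(attacker, victim, tcp_header(40100 + p, p, XMAS)) for p in (22, 80, 443)]
    pkts += [(other, victim, tcp_header(51000, 80, SYN)),
             (victim, other, tcp_header(80, 51000, SYN | ACK)),
             (other, victim, tcp_header(51001, 22, FIN | ACK))]
    return pkts


if __name__ == "__main__":
    for alert in scan_alerts(sample_capture()):
        print(alert)
```

Both scans work only because the target follows RFC 793 and answers a flagless or FIN/PSH/URG segment to a closed port with RST; a host or firewall that drops such segments silently makes every port look "open|filtered", which is also why the sensor sees the probes but the scanner learns little from a well-filtered host.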
3. How would you use Knoppix-NSM to establish a network baseline? Be specific in your answers and be sure to capture and display relevant screens.
By starting BASE client and viewing statistical data with Ntop. The process and screenshots are shown in Step 4-5.
4. Sguil has several major elements. Present and define these elements.
Sguil is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to real-time events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
5. Identify interesting traffic that you received during the lab from other people in your class.
Refer to Step 6 screenshots.
6. Identify interesting traffic that your system received from systems other than those involved in the lab.
Refer to Step 6 screenshots.
Tuesday, March 25, 2008
Online Journal-Incident Response2
This article written by Mike Rothman talks about five quick steps for incident response.
Here, his special point is "Grace under Pressure".
The five quick steps are:
1. Write down the plan
An overview plan is good guidance for what we should do after an incident. We can prepare before anything bad happens, learn from history, compare it with the facts at hand, and draw up a plan that fits the current situation.
2. Get buy-in
Once the plan is written down, it needs to be circulated amongst the organization's internal IT power brokers to make sure that everyone understands the document the same way and knows their responsibilities.
3. Understand escalation
Having someone accessible at all times to make those kinds of calls is absolutely critical.
4. Practice, practice and then practice some more
Practice makes perfect. Even in incident response, we may not be natural professionals who respond calmly and effectively to a security incident, but we can become more professional through practice. If we have a plan but never practise it, the plan stays a plan and never becomes a practical method.
5. Learn from mistakes
Trial and error is an important method in the psychology of learning, distilled from people's experience. No one handles everything perfectly, but we cannot leave mistakes alone. A mistake this time should be a lesson for next time, so that we can avoid it in the future and have less chance of making it again.
Original article link: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1303541,00.html
Friday, March 14, 2008
Assignment One-SP 800-61
1. What is an incident?
An incident is not only a security-related adverse event, which may damage data integrity, confidentiality or availability, but also indicates a violation or imminent threat of violation of computer security policies or standard security practices.
2. Provide examples of several different types of incidents.
Four of the incident categories in NIST SP 800-61, with an example of each:
➢ Denial of service: the attacker begins establishing connections to the victim machine but never completes the handshake (a SYN flood). Legitimate connections are denied while the victim is waiting to complete the bogus "half-open" connections.
➢ Malicious code: a Trojan horse hidden in downloaded software steals the host's passwords.
➢ Unauthorized access: an attacker breaks into a bank's website to obtain customers' IDs and account numbers.
➢ Inappropriate usage: a company clerk sells customer information to a competitor.
3. What is incident response?
Incident response is a process responding to a security incident quickly and efficiently.
4. Why is incident response important?
With a systematic incident response capability, taking the appropriate steps becomes a reflex rather than a scramble, helping personnel recover quickly and efficiently from security incidents with minimum loss.
5. Describe the importance of communications during incident response.
Communication with internal departments and outside parties is a must, both to share information and to investigate the incident from the viewpoint of each function. Communicating faster and more easily, under proper guidelines, helps to handle the incident efficiently and quickly.
6. Name both external and internal entities with which communications needs to be maintained.
External: other incident response teams, law enforcement, the media, vendors and external victims.
Internal: incident response team members, human resources, and legal department.
7. What does NIST 800-61 define as a “jump kit”?
According to NIST SP 800-61, a "jump kit" is a portable bag or case that contains the materials an incident handler is likely to need during an offsite investigation. The jump kit is kept ready to go at all times, so that when a serious incident occurs the handlers can grab it and leave.
SP 800-61
Wednesday, March 12, 2008
Online Journal-Incident Response
On March 13, Harvard University apologized for allowing computer files to be hacked by an "outsider", potentially exposing personal information of about 10,000 graduate students and applicants. The information that may have been taken includes names, Social Security numbers, birth dates, addresses, e-mail addresses, telephone numbers, test scores, school records and, in some cases, health information.
It first happened on Feb. 16 with 19 graduate application files, and Harvard reported it to the FBI for investigation. By Feb. 20 the number of victims had reached 6,600, with birth dates and Social Security numbers among the exposed data. Once the full extent of the exposure was known, Harvard took the server offline, removed the sensitive information, fixed the vulnerability and brought the server back online on Feb. 21. Harvard also hired Kroll Inc. to provide identity-theft recovery services for the people whose information might have been taken.
Identity theft is a typical incident seen in every field. What Harvard did was effective but not quick enough: when the intrusion first appeared, even at small scale, the officials needed to respond immediately, contain it, and prevent further incidents of this kind. The lesson is that a university is not the peaceful garden it seems; it too needs a security incident response plan that can be applied quickly and efficiently when an incident occurs. Hiring a third party to handle the incident is a sensible choice when the university lacks a dedicated function for it.
See the complete article
