Global Information Assurance Certification Paper
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecThe Information Security Process
Prevention, Detection and Response
By James LaPiedra
s.
ht
Information security is a process that moves through phases building and
rig
strengthening itself along the way. Security is a journey not a destination. Although the
Information Security process has many strategies and activities, we can group them all
ull
into three distinct phases - prevention, detection, and response.
f
Each phase requiring strategies and activities that will move the process to the next
ns
phase. The dynamic growth of new threats attacking vulnerabilities requires timely
Key fingerprint
adjustments = AF19
to the FA27 2F94in998D
methodologies FDB5 DE3D
the prevention, F8B5 06E4
detection, A169 4E46
and response cycle. A
tai
change in one phase affects the entire process in some form. A proactive strategy
re
adjustment in the prevention phase will adjust the detection and response activities.
Lessons learned during the response phase will be addressed in the planning of
or
prevention measures and detection configurations. As I have indicated the Information
th
Security process is a journey, it is a living cycle that is under constant change due to the
Au
threat and vulnerability environment. For successful stewardship of the process, strategies
must be one step ahead of the advisories or at least in step with them. To accomplish this,
2,
each phase must be designed with adequate capabilities and management oversight to
00
ensure the maturity of these capabilities.
The ultimate goal of the information security process is to protect three unique
-2
attributes of information. They are:
00
• Confidentiality – Information should only be seen by those persons authorized
20
to see it. Information could be confidential because it is proprietary information
that is created and owned by the organization or it may be customers’ personal
te
information that must be kept confidential due to legal responsibilities.
tu
• Integrity – Information must not be corrupted, degraded, or modified. Measures
sti
must be taken to insulate information from accidental and deliberate change.
• Availability – Information must be kept available to authorized persons when
In
they need it.
NS
Attacks compromise systems in a number of ways that affect one if not all of
SA
these attributes. An attack on confidentiality would be unauthorized disclosure of
information. An attack on integrity would be the destruction or corruption of
©
information and an attack on availability would be a disruption or denial of services.
Information security protects these attributes by:
• Protecting confidentiality
• Ensuring
Key fingerprint integrity
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
• Maintaining availability
An organization succeeds in protecting these attributes by proper planning.
Proper planning before an incident will greatly reduce the risks of an attack and greatly
1
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.increase the capabilities of a timely and effective detection and response if an attack
occurs. Lets now examine each phase of the prevent, detect, respond cycle in turn,
illustrating the individual process and how they relate with the whole.
s.
Prevention:
ht
rig
There is an age-old advisory that says, “It’s too late to sharpen your sword when
the drum beats for battle”. Make no mistake, we are in a war and we must prepare for
ull
the cyber battles by sharpening our skills. Information security professionals must
continuously mature their capabilities by working smarter not harder. It is always better
f
to prevent, then to pursue and prosecute. Preventing an incident requires careful
ns
analysis
Key and planning.
fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
Information is an asset that requires protection commensurate with its value.
Security measures must be taken to protect information from unauthorized
re
modification, destruction, or disclosure whether accidental or intentional. During the
or
prevention phase, security policies, controls and processes should be designed and
implemented. Security policies, security awareness programs and access control
th
procedures, are all interrelated and should be developed early on. The information
Au
security policy is the cornerstone from which all else is built.
2,
Security Policy:
00
The first objective in developing a prevention strategy is to determine “what”
must be protected and document these “whats” in a formal policy. The policy must
-2
define the responsibilities of the organization, the employees and management. It
00
should also fix responsibility for implementation, enforcement, audit and review.
Additionally, the policy must be clear, concise, coherent and consistent in order to be
20
understood. Without clear understanding, the policy will be poorly implemented and
subsequent enforcement, audit and review will be ineffective. Once management
te
endorses a completed policy, the organization needs to be made aware of its
tu
requirements.
sti
In
Security Awareness:
Security awareness is a process that educates employees on the importance of
NS
security, the use of security measures, reporting procedures for security violations, and
their responsibilities as outlined in the information security policy. Security awareness
SA
programs should be utilized for this purpose. The program should be a continuous
process that maintains an awareness level for all employees. The program should be
©
designed to address organization wide issues as well as more focused specialized
training needs. The program should stress teamwork and the importance of active
participation. To motivate individuals, a recognition process should be adopted to give
out awards or rewards for employees that perform good security practices.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Access Controls:
Access is the manner by which the user utilizes the information systems to get
information. Naturally all users should not have the ability to access all systems and its
information. Access should be restricted and granted on a need to know basis. To
2
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.manage this access we establish user accounts by issuing identifiers, authentication
methods to verify these identifiers and authorization rules that limit access to resources.
• Identification – Identification is a unique identifier. It is what a user –
(person, client, software application, hardware, or network) uses to
s.
differentiate itself from other objects. A user presents identification to show
ht
who he/she is. Identifiers that are created for users should not be shared with
rig
any other users or groups. Once a user has an identifier the next step taken to
access a resource is authentication.
ull
• Authentication – Authentication is the process of validating the identity of a
f
ns
user. When a user presents its identifier, prior to gaining access, the identifier
Key fingerprint = AF19 FA27
(identification) 2F94
must 998D FDB5 DE3D
be authenticated. F8B5 06E4
Authentication A169 4E46
verifies identities
tai
thereby providing a level of trust. There are three basic factors used to
re
authenticate an identity. They are:
1. Something you know – The password is the most common form
or
used. However, secret phrases and PIN numbers are also utilized.
th
This is known as one-factor or single authentication. This form is
Au
weakened due to poor password selection and storage.
2. Something you have – This authentication factor is something
you have, such as an identification card, smartcard or token. Each
2,
requiring the user to possess “something” for authentication. A
00
more reliable authentication process would require two factors
-2
such as something you know with something you have. This form
is known as the two-factor or multilevel authentication.
00
3. Something you are – The strongest authentication factor is
20
something you are. This is a unique physical characteristic such as
a fingerprint, retina pattern or DNA. The measuring of these
te
factors is called biometrics. The strongest authentication process
tu
would require all three factors. Facilities or applications that are
sti
highly secret or sensitive will utilize all three factors to
authenticate a user. However, biometrics on the surface appears to
In
be a panacea, its not. There are weaknesses and to work the verifier
needs to verify two things. These requirements are outlined in a
NS
Counterpane.com article by Bruce Schneier, titled “Biometrics:
SA
Uses and Abuses”. The author indicates that the verifier needs to
verify two things. The first is that the biometric came from the
©
person at the time of verification and secondly, that the biometric
matches the master biometric on file. Without these two biometric
authentication requirements this factor won’t work.
• Authorization – Authorization is the process of allowing users who have
Key fingerprint
been=identified
AF19 FA27and2F94 998D FDB5
authenticated DE3D
to use F8B5
certain 06E4 A169
resources. 4E46access to
Limiting
resources by establishing permission rules provides for better control over
users actions. Authorization should be granted on the principle of least
privilege. Least privilege is granting no more privilege than is required to
3
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.perform a task/job, and the privilege should not extend beyond the minimum
time required to complete the task. This restrictive process limits access,
creates a separation of duties and increases accountability.
Once an organization has adopted a policy, created an awareness program and has
s.
established access controls, it must implement detection strategies and response plans. It
ht
would behoove an organization to take a more proactive stance in preparing for an attack
rig
or disaster rather than a reactive ad hock response to an underestimated threat.
The process of detecting malicious or accidental misuse of resources is much more
ull
than sounding an alarm. Also, responding to an incident is much more than just showing
up. An organization to be successful must know what to detect and once alerted know
f
how to effectively coordinate resources for a response. With both of these processes time
ns
is offingerprint
Key the essence.= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
Detection:
or
Detection of a system compromise is extremely critical. With the ever-
increasing threat environment, no matter what level of protection a system may have, it
th
will get compromised given a greater level of motivation and skill. There is no full proof
Au
“silver bullet” security solution. A defense in layers strategy should be deployed so when
each layer fails, it fails safely to a known state and sounds an alarm. The most important
2,
element of this strategy is timely detection and notification of a compromise. Intrusion
00
detection systems (IDS) are utilized for this purpose.
IDS have the capability of monitoring system activity and notifies responsible
-2
persons when activities warrant investigation. The systems can detect attack signatures
and also changes in files, configurations and activity. To be protected, the entire system
00
should be monitored. Intrusion detection tools should be strategically placed at the
20
network and application levels. However, monitoring a busy network or host is not a
simple task. Intrusion detection tools must have the ability to distinguish normal system
te
activity from malicious activity. This is more of an art than a science. The IDS must be
tu
fine-tuned or ‘tweaked” in order for the IDS to work in accord with a particular network
sti
or host. This tuning process must take into account known threats, as well as intruder
In
types, methods and processes.
As previously indicated, intrusion detection is much more than an alarm. Although
NS
it is an alarm, it’s an alarm with brains. Imagine a fire alarm that had the capability of
detecting a fire, distinguish the type of fire, pinpoint its source and path, alert the building
SA
occupants and fire department, and forward intelligence to the firehouse prior to their
response. All this and even having the capability of distinguishing normal activity such as
©
bad cooking. A properly configured intrusion detection system is such a device. An alarm
with brains.
Once your IDS is properly configured and strategically placed, it’s only a matter
of time before an alert will sound and notifications sent. Now what? Without a
documented response plan you will have total confusion.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
4
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Response:
For the detection process to have any value there must be a timely response. The
response to an incident should be planned well in advance. Making important decisions
or developing policy while under attack is a recipe for disaster. Many organizations spend
s.
a tremendous amount of money and time preparing for disasters such as tornados,
ht
earthquakes, fires and floods. The fact is, the chances are greater that a computer security
rig
incident will occur than any one of these scenarios. Equivalent if not more effort and
resources should be expanded on a computer security incident response plan.
ull
The response plan should be written and ratified by appropriate levels of
management. It should clearly prioritize different types of events and require a level of
f
notification and/or response suitable for the level of event/threat. A Computer Security
ns
Incident
Key Response
fingerprint TeamFA27
= AF19 (CSIRT)
2F94should
998D be established
FDB5 with specific
DE3D F8B5 roles4E46
06E4 A169 and
tai
responsibilities identified. These roles should be assigned to competent members of the
organization. A team leader/manager should be appointed and assigned the responsibility
re
of declaring an incident, coordinating the activities of the CSIRT, and communicating
or
status reports to upper management.
There are two philosophies on how an incident should be handled. An organization
th
may wish to cut off the intruder’s connection, eradicate the cause of the incident and
Au
recover the effected system. This approach would be more feasible when mission critical
machines are affected and timely recovery is a priority. Another approach would be to
2,
pursue and prosecute the attacker(s). This approach is a riskier endeavor requiring much
00
more exposure. However, due diligence may require an organization to take reasonable
investigative measures to identify an attacker or an upstream organization that may have
-2
been compromised by their system. Management must review each situation on a case-
00
by-case base and act accordingly. Whichever approach an organization decides, the
methodology of the response should be documented in the response plan. Responders
20
will be assigned tasks suited for their skill set. Whether gathering forensic evidence,
containing the attack or recovering compromised systems, individuals participating in the
te
response should possess the skills required to successfully accomplish their assignments.
tu
Other key responders will be external to the organization. Law enforcement (federal,
sti
state, local), prosecutorial agencies and the news media are all interested parties who will
In
be involved with an incident at some point. Relationships with these external parties
should be established during the planning phase of the security process and not during a
NS
crisis. This point is illustrated in a July 2000 Security Focus article written by Ben
Malisow, titled “Moment’s Notice: The Immediate Steps of Incident Handling”. The
SA
author indicates that if you are working in the private sector you need to be aware that
law enforcement may be more or less inclined to assist you, depending on the size or
©
breadth of your company. This is why, particularly if you are a small organization,
establishing a good relationship with external agencies is very important. People tend to
work well when they know one another. You could never have enough friends when
things go bad.
After an =incident
Key fingerprint has been
AF19 FA27 2F94declared and the
998D FDB5 notifications
DE3D F8B5 06E4made to responders,
A169 4E46 the
incident must be contained, the damage assessed and the system cleaned and recovered.
Each process requiring special skills and having an important role in the response phase.
However, the post incident analysis and report is the most important process towards
strengthening the information security cycle. This process is extremely important due to
5
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.the lessons learned. By examining the answers to the who, what, where, why, and when
questions and evaluating the results, an organization can incorporate lessons learned in
each of the security phases.
The Ever Maturing Cycle:
s.
To successfully defeat the attacker, whether internal or external, an organization
ht
must be properly prepared. As I have outlined, the information security process is a
rig
journey and not a destination. It is a dynamic process requiring skilled management and
flexibility. Disciplined management of the prevention, detection and response cycle is
ull
required to ensure continuous improvement. Organization wide support and involvement
is paramount in the maturing of the security strategy. It is a team effort requiring
f
unselfish cooperation. Management must buy into the big picture. In a Network
ns
Computing
Key article
fingerprint titled,FA27
= AF19 “The2F94
High998D
PriceFDB5
of Vulnerability”
DE3D F8B5by06E4GregA169
Shipley,
4E46the cost
tai
associated with “don’t want to know” management could be disastrous. One small
re
organization with fewer than 100 servers was compromised 8 hours into a monitoring
project. Management at the organization faced difficult options, all more costly than
or
instituting a plan and following simple preventive maintenance procedures. Everyone in
th
the organization must be committed.
Au
Sources:
2,
00
Schneier, Bruce. “Biometrics: Uses and Abuses.” Counterpane. August 1999. URL:
-2
http://www.counterpane.com/insiderrisks1.html
00
Malisow, Ben. “Moment’s Notice: The Immediate Steps of Incident Handling. 7 July
20
2000. URL: http://www.securityfocus.com/focus/ih/articles/moments.html
te
Shipley, Greg. “The Price of Vulnerability.” 19 February 2001. URL:
tu
http://www.nwc.com/1204/1204colshipley.html
sti
Additional sources:
In
Pipkin, L. Donald, Information Security: Protecting The Global Enterprise. (Prentice
NS
Hall), May 2000.
Schneier, Bruce, Secrets & Lies: Digital Security In The Networked World, (Wiley)
SA
August 2000.
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
6
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.s.
ht
rig
ull
f
ns
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tai
re
or
th
Au
2,
00
-2
00
20
te
tu
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
7
© SANS Institute 2000 - 2002 As part of GIAC practical repository. Author retains full rights.Last Updated: January 23rd, 2021
Upcoming Training
SANS Cyber Security West: Feb 2021 , Feb 01, 2021 - Feb 06, 2021 CyberCon
Open-Source Intelligence Summit & Training 2021 Virtual - US Eastern, Feb 08, 2021 - Feb 23, 2021 CyberCon
SANS Secure Japan 2021 , Japan Feb 22, 2021 - Mar 13, 2021 CyberCon
SANS Scottsdale: Virtual Edition 2021 , Feb 22, 2021 - Feb 27, 2021 CyberCon
Virtual - Greenwich
SANS London February 2021 Mean Time, United Feb 22, 2021 - Feb 27, 2021 CyberCon
Kingdom
SANS Cyber Security East: March 2021 , Mar 01, 2021 - Mar 06, 2021 CyberCon
SANS Secure Asia Pacific 2021 Singapore, Singapore Mar 08, 2021 - Mar 20, 2021 Live Event
SANS Secure Asia Pacific 2021 , Singapore Mar 08, 2021 - Mar 20, 2021 CyberCon
SANS Cyber Security West: March 2021 , Mar 15, 2021 - Mar 20, 2021 CyberCon
SANS Riyadh March 2021 , Kingdom Of Saudi Mar 20, 2021 - Apr 01, 2021 CyberCon
Arabia
SANS Secure Australia 2021 Canberra, Australia Mar 22, 2021 - Mar 27, 2021 Live Event
Virtual - Central
SANS Munich March 2021 European Time, Mar 22, 2021 - Mar 27, 2021 CyberCon
Germany
SANS Secure Australia 2021 Live Online , Australia Mar 22, 2021 - Mar 27, 2021 CyberCon
SANS 2021 , Mar 22, 2021 - Mar 27, 2021 CyberCon
SANS Cyber Security Mountain: April 2021 , Apr 05, 2021 - Apr 10, 2021 CyberCon
Virtual - Central
SANS SEC401 (In Spanish) April 2021 European Summer Time, Apr 12, 2021 - Apr 23, 2021 CyberCon
Spain
SANS Cyber Security East: April 2021 , Apr 12, 2021 - Apr 17, 2021 CyberCon
SANS London April 2021 Virtual - British Summer Apr 12, 2021 - Apr 17, 2021 CyberCon
Time, United Kingdom
SANS Autumn Australia 2021 Sydney, Australia Apr 12, 2021 - Apr 17, 2021 Live Event
SANS Autumn Australia 2021 - Live Online , Australia Apr 12, 2021 - Apr 17, 2021 CyberCon
SANS Secure India 2021 , Singapore Apr 19, 2021 - Apr 24, 2021 CyberCon
SANS Baltimore Spring: Virtual Edition 2021 , Apr 26, 2021 - May 01, 2021 CyberCon
SANS Cyber Security Central: May 2021 , May 03, 2021 - May 08, 2021 CyberCon
SANS Security West 2021 , May 10, 2021 - May 15, 2021 CyberCon
SANS Cyber Security East: May 2021 , May 17, 2021 - May 22, 2021 CyberCon
Virtual - Central
SANS Stockholm May 2021 European Summer Time, May 31, 2021 - Jun 05, 2021 CyberCon
Sweden
Virtual - Central
SANS In French May 2021 European Summer Time, May 31, 2021 - Jun 05, 2021 CyberCon
France
SANS Cyber Security Central: June 2021 , Jun 07, 2021 - Jun 12, 2021 CyberCon
SANS SOC Training 2021 , Jun 14, 2021 - Jun 19, 2021 CyberCon
SANS Cyber Defence Asia Pacific 2021 - Live Online , Australia Jun 28, 2021 - Jul 10, 2021 CyberConYou can also read
