CAP 17 Preventing and responding to incidents
1 Managing incident response
Incident: any event that has a negative effect on CIA (confidentiality, integrity, availability)
Incident response steps
detection (IDS, IPS, anti-malware, scans, end users)
response (CIRT: computer incident response team)
mitigation (limit effect or scope of an incident)
reporting (report incident to upper level and sometimes to clients)
recovery (return the system to a fully functional state)
remediation (root cause analysis + implement methods to prevent it from happening again)
lessons learned (is there a lesson to be learned?)
2 Implementing detective and preventive measures
Basic preventive measures
keep systems up-to-date
remove or disable unneeded services or protocols
use ids and ips
use firewalls
implement configuration and system management processes
common attacks
botnets
DOS (or DDOS) attacks
SYN flood (counter measures: SYN cookies, reduce the wait time)
tcp reset attack
smurf and fraggle attacks: smurf -> flood attack using ICMP and spoofing; fraggle -> flood attack using UDP (counter measure: disable ICMP)
ping flood
ping of death: packet size > 64 KB (mostly not effective today)
teardrop (sending very fragmented traffic, not effective anymore)
land attacks: same IP for source/destination
zero day exploit
malicious code (drive-by download,etc)
MITM attacks (sniffing, or store and forward)
sabotage (criminal act performed by an employee)
espionage (gathering private info about an organization)
intrusion detection and prevention systems (IDS: real-time analysis of logs and events to detect intrusion attempts; IPS: similar to an IDS but with more features to detect attacks)
IDS: knowledge based or behavior based. Knowledge based uses signatures; behavior based creates a baseline of normal activity
SIEM: collect and store data from many systems
IDS response (passive: notification; active: change ACLs)
Host-based IDS monitors a single host. Network-based IDS can monitor a large network using sensors
specific preventive measures
honeypots/honeynets: honeypot -> computer created as a trap for intruders; honeynet -> two or more honeypots networked together (enticement vs. entrapment)
pseudo-flaws
padded cell: the intruder is transferred by the IDPS into an isolated environment
warning banners (legally important)
anti-malware
whitelisting and blacklisting of applications
firewalls
sandboxing
third party security services
penetration testing (black box, white box, grey box)
3 Logging, monitoring and auditing
common log types
security logs
system logs
application logs
firewall logs
proxy logs
change logs
protect log data
audit trails (created when information about events is stored in databases or log files)
monitoring (process of reviewing logs looking for something specific)
log analysis
SIEM (real time analysis of events)
sampling: extracting elements from a large data collection to construct a meaningful representation
clipping levels: ignore events until they reach a threshold
egress monitoring: monitor outgoing traffic
data loss prevention (DLP)
steganography
watermarking
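Clipping levels in practice, as an added example that is not part of the original notes: constructed failed-login log lines are counted per source address, and only sources that reach the threshold are reported, so a single mistyped password never raises an alert. The log format, the addresses and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from a real system), in a simple
# syslog-like format: "<timestamp> sshd: Failed password for <user> from <ip>"
SAMPLE_LOG = """\
2024-01-10T08:00:01 sshd: Failed password for alice from 192.0.2.10
2024-01-10T08:00:02 sshd: Accepted password for alice from 192.0.2.10
2024-01-10T08:01:00 sshd: Failed password for root from 198.51.100.7
2024-01-10T08:01:02 sshd: Failed password for root from 198.51.100.7
2024-01-10T08:01:04 sshd: Failed password for admin from 198.51.100.7
2024-01-10T08:01:06 sshd: Failed password for root from 198.51.100.7
2024-01-10T08:01:08 sshd: Failed password for oracle from 198.51.100.7
2024-01-10T08:02:00 sshd: Failed password for bob from 203.0.113.5
"""

# Pattern for a failed authentication event (assumed log format)
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")


def count_failures(log_text):
    """Count failed-login events per source address; successes are ignored."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(2)] += 1
    return dict(counts)


def apply_clipping_level(counts, threshold):
    """Return only sources whose failure count reached the clipping level.

    Events below the threshold are the ones being 'clipped': they are kept in
    the raw log but generate no alert, which keeps ordinary user typos out of
    the monitoring queue while a sustained guessing pattern still surfaces.
    """
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    for src, n in apply_clipping_level(failures, threshold=5).items():
        print(f"ALERT: {n} failed logins from {src} (clipping level reached)")
```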
auditing
auditing: methodical examination of an environment to ensure compliance and detect abnormalities
inspection audits
access review audits -> account management
user entitlement audits -> least privilege