Chapter 13: Advanced Security and Beyond - PowerPoint PPT Presentation

About This Presentation
Title:

Chapter 13: Advanced Security and Beyond

Description:

Title: XML: Part Author: Preferred Customer Last modified by: Sarah Santoro Created Date: 1/6/2003 7:04:50 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

Number of Views:109
Avg rating:3.0/5.0
Slides: 28
Provided by: Prefer106
Category:

less

Transcript and Presenter's Notes

Title: Chapter 13: Advanced Security and Beyond


1
Chapter 13 Advanced Security and Beyond
  • Security Guide to Network Security Fundamentals
  • Second Edition

2
Objectives
  • Define computer forensics
  • Respond to a computer forensics incident
  • Harden security through new solutions
  • List information security jobs and skills

3
Understanding Computer Forensics
  • Computer forensics can attempt to retrieve
    informationeven if it has been altered or
    erasedthat can be used in the pursuit of the
    criminal
  • The interest in computer forensics is heightened
  • High amount of digital evidence
  • Increased scrutiny by legal profession
  • Higher level of computer skills by criminals

4
Forensics Opportunities and Challenges
  • Computer forensics creates opportunities to
    uncover evidence impossible to find using a
    manual process
  • One reason that computer forensics specialists
    have this opportunity is due to the persistence
    of evidence
  • Electronic documents are more difficult to
    dispose of than paper documents

5
Forensics Opportunities and Challenges (continued)
  • Ways computer forensics is different from
    standard investigations
  • Volume of electronic evidence
  • Distribution of evidence
  • Dynamic content
  • False leads
  • Encrypted evidence
  • Hidden evidence

6
Responding to a Computer Forensics Incident
  • Generally involves four basic steps similar to
    those of standard forensics
  • Secure the crime scene
  • Collect the evidence
  • Establish a chain of custody
  • Examine and preserve the evidence

7
Securing the Crime Scene
  • Physical surroundings of the computer should be
    clearly documented
  • Photographs of the area should be taken before
    anything is touched
  • Cables connected to the computer should be
    labeled to document the computers hardware
    components and how they are connected
  • Team takes custody of the entire computer along
    with the keyboard and any peripherals

8
Preserving the Data
  • Computer forensics team first captures any
    volatile data that would be lost when computer is
    turned off and moves data to a secure location
  • Includes any data not recorded in a file on the
    hard drive or an image backup
  • Contents of RAM
  • Current network connections
  • Logon sessions
  • Network configurations
  • Open files

9
Preserving the Data (continued)
  • After retrieving volatile data, the team focuses
    on the hard drive
  • Mirror image backup (or bit-stream backup) is an
    evidence-grade backup because its accuracy meets
    evidence standards
  • Mirror image backups are considered a primary key
    to uncovering evidence they create exact
    replicas of the computer contents at the crime
    scene
  • Mirror image backups must meet the criteria shown
    on pages 452 and 453 of the text

10
Establishing the Chain of Custody
  • As soon as the team begins its work, must start
    and maintain a strict chain of custody
  • Chain of custody documents that evidence was
    under strict control at all times and no
    unauthorized person was given the opportunity to
    corrupt the evidence

11
Examining Data for Evidence
  • After a computer forensics expert creates a
    mirror image of system, original system should be
    secured and the mirror image examined to reveal
    evidence
  • All exposed data should be examined for clues
  • Hidden clues can be mined and exposed as well
  • Microsoft Windows operating systems use Windows
    page file as a scratch pad to write data when
    sufficient RAM is not available

12
Examining Data for Evidence (continued)
  • Slack is another source of hidden data
  • Windows computers use two types of slack
  • RAM slack pertains only to the last sector of a
    file
  • If additional sectors are needed to round out the
    block size for the last cluster assigned to the
    file, a different type of slack is created
  • File slack (sometimes called drive slack) padded
    data that Windows uses comes from data stored on
    the hard drive

13
Examining Data for Evidence (continued)
14
Examining Data for Evidence (continued)
15
Examining Data for Evidence (continued)
16
Hardening Security Through New Solutions
  • Number of attacks reported, sophistication of
    attacks, and speed at which they spread continues
    to grow
  • Recent attacks include characteristics listed on
    pages 457 and 458 of the text
  • Defenders are responding to the increase in the
    level and number of attacks
  • New techniques and security devices are helping
    to defend networks and systems
  • The most recent developments and announcements
    are listed on pages 458 and 459 of the text

17
Exploring Information Security Jobs and Skills
  • Need for information security workers will
    continue to grow for the foreseeable future
  • Information security personnel are in short
    supply those in the field are being rewarded
    well
  • Security budgets have been spared the drastic
    cost-cutting that has plagued IT since 2001
  • Companies recognize the high costs associated
    with weak security and have decided that
    prevention outweighs cleanup

18
Exploring Information Security Jobs and Skills
(continued)
  • Most industry experts agree security
    certifications continue to be important
  • Preparing for the Security certification will
    help you solidify your knowledge and skills in
    cryptography, firewalls, and other important
    security defenses

19
TCP/IP Protocol Suite
  • One of the most important skills is a strong
    knowledge of the foundation upon which network
    communications rests, namely Transmission Control
    Protocol/Internet Protocol (TCP/IP)
  • Understanding TCP/IP concepts helps effectively
    troubleshoot computer network problems and
    diagnose possible anomalous behavior on a network

20
Packets
  • No matter how clever the attacker is, they still
    must send their attack to your computer with a
    packet
  • To recognize the abnormal, you must first
    understand what is normal

21
Firewalls
  • Firewalls are essential tools on all networks and
    often provide a first layer of defense
  • Network security personnel should have a strong
    background of how firewalls work, how to create
    access control lists (ACLs) to mirror the
    organizations security policy, and how to tweak
    ACLs to balance security with employee access

22
Routers
  • Routers form the heart of a TCP/IP network
  • Configuring routers for both packet transfer and
    packet filtering can become very involved

23
Intrusion-Detection Systems (IDS)
  • Security professionals should know how to
    administer and maintain an IDS
  • Capabilities of these systems has increased
    dramatically since first introduced, making them
    mandatory for todays networks
  • One problem is that IDS can produce an enormous
    amount of data that requires checking

24
Other Skills
  • A programming background is another helpful tool
    for security workers
  • Security workers should also be familiar with
    penetration testing
  • Once known as ethical hacking, probes
    vulnerabilities in systems, networks, and
    applications

25
Computer Forensic Skills
  • Computer forensic specialists require an
    additional level of training and skills
  • Basic forensic examinations
  • Advanced forensic examinations
  • Incident responder skills
  • Managing computer investigations

26
Summary
  • Forensic science is application of science to
    questions of interest to the legal profession
  • Several unique opportunities give computer
    forensics the ability to uncover evidence that
    would be extremely difficult to find using a
    manual process
  • Computer forensics also has a unique set of
    challenges that are not found in standard
    evidence gathering, including volume of
    electronic evidence, how it is scattered in
    numerous locations, and its dynamic content

27
Summary (continued)
  • Searching for digital evidence includes looking
    at obvious files and e-mail messages
  • Need for information security workers will
    continue to grow, especially in computer
    forensics
  • Skills needed in these areas include knowledge of
    TCP/IP, packets, firewalls, routers, IDS, and
    penetration testing
Write a Comment
User Comments (0)
About PowerShow.com