Tải bản đầy đủ (.pdf) (27 trang)

Lecture Security + Guide to Network Security Fundamentals (2th edition) - Chapter 13: Advanced security and beyond

Bạn đang xem bản rút gọn của tài liệu. Xem và tải ngay bản đầy đủ của tài liệu tại đây (716.66 KB, 27 trang )

Chapter 13: Advanced Security
and Beyond
Security+ Guide to Network Security
Second Edition

• Define computer forensics
• Respond to a computer forensics incident
• Harden security through new solutions
• List information security jobs and skills

Understanding Computer Forensics
• Computer forensics can attempt to retrieve
information—even if it has been altered or erased—
that can be used in the pursuit of the criminal
• The interest in computer forensics is heightened:
– High amount of digital evidence
– Increased scrutiny by legal profession
– Higher level of computer skills by criminals

Forensics Opportunities
and Challenges
• Computer forensics creates opportunities to uncover
evidence impossible to find using a manual process
• One reason that computer forensics specialists have
this opportunity is due to the persistence of evidence
– Electronic documents are more difficult to dispose of

than paper documents

Forensics Opportunities and
Challenges (continued)
• Ways computer forensics is different from standard
– Volume of electronic evidence
– Distribution of evidence
– Dynamic content
– False leads
– Encrypted evidence
– Hidden evidence

Responding to a Computer
Forensics Incident
• Generally involves four basic steps similar to those of
standard forensics:
– Secure the crime scene
– Collect the evidence
– Establish a chain of custody
– Examine and preserve the evidence

Securing the Crime Scene
• Physical surroundings of the computer should be
clearly documented
• Photographs of the area should be taken before
anything is touched

• Cables connected to the computer should be labeled
to document the computer’s hardware components
and how they are connected
• Team takes custody of the entire computer along with
the keyboard and any peripherals

Preserving the Data
• Computer forensics team first captures any volatile
data that would be lost when computer is turned off
and moves data to a secure location
• Includes any data not recorded in a file on the hard
drive or an image backup:
– Contents of RAM
– Current network connections
– Logon sessions
– Network configurations
– Open files

Preserving the Data (continued)
• After retrieving volatile data, the team focuses on the
hard drive
• Mirror image backup (or bit-stream backup) is an
evidence-grade backup because its accuracy meets
evidence standards
• Mirror image backups are considered a primary key
to uncovering evidence; they create exact replicas of
the computer contents at the crime scene
• Mirror image backups must meet the criteria shown

on pages 452 and 453 of the text

Establishing the Chain of Custody
• As soon as the team begins its work, must start and
maintain a strict chain of custody
• Chain of custody documents that evidence was under
strict control at all times and no unauthorized person
was given the opportunity to corrupt the evidence

Examining Data for Evidence
• After a computer forensics expert creates a mirror
image of system, original system should be secured
and the mirror image examined to reveal evidence
• All exposed data should be examined for clues
• Hidden clues can be mined and exposed as well
• Microsoft Windows operating systems use Windows
page file as a “scratch pad” to write data when
sufficient RAM is not available

Examining Data for
Evidence (continued)
• Slack is another source of hidden data
• Windows computers use two types of slack
• RAM slack: pertains only to the last sector of a file
• If additional sectors are needed to round out the
block size for the last cluster assigned to the file, a
different type of slack is created

• File slack (sometimes called drive slack): padded
data that Windows uses comes from data stored on
the hard drive

Examining Data for Evidence

Examining Data for Evidence

Examining Data for Evidence

Hardening Security Through
New Solutions
• Number of attacks reported, sophistication of attacks,
and speed at which they spread continues to grow
• Recent attacks include characteristics listed on pages
457 and 458 of the text
• Defenders are responding to the increase in the level
and number of attacks
• New techniques and security devices are helping to
defend networks and systems
• The most recent developments and announcements
are listed on pages 458 and 459 of the text

Exploring Information Security Jobs
and Skills
• Need for information security workers will continue to
grow for the foreseeable future
• Information security personnel are in short supply;
those in the field are being rewarded well
• Security budgets have been spared the drastic costcutting that has plagued IT since 2001
• Companies recognize the high costs associated with
weak security and have decided that prevention
outweighs cleanup

Exploring Information Security Jobs
and Skills (continued)
• Most industry experts agree security certifications
continue to be important
• Preparing for the Security+ certification will help you
solidify your knowledge and skills in cryptography,
firewalls, and other important security defenses

TCP/IP Protocol Suite
• One of the most important skills is a strong
knowledge of the foundation upon which network
communications rests, namely Transmission Control
Protocol/Internet Protocol (TCP/IP)
• Understanding TCP/IP concepts helps effectively
troubleshoot computer network problems and
diagnose possible anomalous behavior on a network

• No matter how clever the attacker is, they still must
send their attack to your computer with a packet
• To recognize the abnormal, you must first understand
what is normal

• Firewalls are essential tools on all networks and often
provide a first layer of defense
• Network security personnel should have a strong
background of how firewalls work, how to create
access control lists (ACLs) to mirror the
organization’s security policy, and how to tweak
ACLs to balance security with employee access

• Routers form the heart of a TCP/IP network
• Configuring routers for both packet transfer and
packet filtering can become very involved

Intrusion-Detection Systems (IDS)
• Security professionals should know how to administer
and maintain an IDS
• Capabilities of these systems has increased
dramatically since first introduced, making them

mandatory for today’s networks
• One problem is that IDS can produce an enormous
amount of data that requires checking

Other Skills
• A programming background is another helpful tool for
security workers
• Security workers should also be familiar with
penetration testing
– Once known as “ethical hacking,” probes vulnerabilities
in systems, networks, and applications

Computer Forensic Skills
• Computer forensic specialists require an additional
level of training and skills:
– Basic forensic examinations
– Advanced forensic examinations
– Incident responder skills
– Managing computer investigations