

1. Concerning security assessment, discuss the aspect of internal, external, and third-party testing minimum requirements.

> Your assessment should address online vulnerability, penetration testing, code review, interface testing, and other topics.

2. Regarding online managing security operations, discuss the elements of asset inventory, asset management, configuration management, and explaining the need-to-know privileges and service level agreement.

Need 5-6 pages with peer-reviewed citations. No introduction or conclusion needed.


Chapter 17 Preventing and Responding to Incidents

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 7: Security Operations

7.3 Conduct logging and monitoring activities

7.3.1 Intrusion detection and prevention

7.3.2 Security Information and Event Management (SIEM)

7.3.3 Continuous monitoring

7.3.4 Egress monitoring

7.7 Conduct incident management

7.7.1 Detection

7.7.2 Response

7.7.3 Mitigation

7.7.4 Reporting

7.7.5 Recovery

7.7.6 Remediation

7.7.7 Lessons learned

7.8 Operate and maintain detective and preventative measures

7.8.1 Firewalls

7.8.2 Intrusion detection and prevention systems

7.8.3 Whitelisting/blacklisting

7.8.4 Third-party provided security services

7.8.5 Sandboxing

7.8.6 Honeypots/honeynets

7.8.7 Anti-malware

The Security Operations domain for the CISSP certification exam includes several objectives directly related to incident management. Effective incident management helps an organization respond appropriately when attacks occur to limit the scope of an attack. Organizations implement preventive measures to protect against, and detect, attacks, and this chapter covers many of these controls and countermeasures. Logging, monitoring, and auditing provide assurances that the security controls are in place and are providing the desired protections.

Managing Incident Response

One of the primary goals of any security program is to prevent security incidents. However, despite best efforts of information technology (IT) and security professionals, incidents do occur. When they happen, an organization must be able to respond to limit or contain the incident. The primary goal of incident response is to minimize the impact on the organization.

Defining an Incident

Before digging into incident response, it’s important to understand the definition of an incident. Although that may seem simple, you’ll find that there are different definitions depending on the context.

An incident is any event that has a negative effect on the confidentiality, integrity, or availability of an organization’s assets. Information Technology Infrastructure Library version 3 (ITILv3) defines an incident as “an unplanned interruption to an IT Service or a reduction in the quality of an IT Service.” Notice that these definitions encompass events as diverse as direct attacks, natural occurrences such as a hurricane or earthquake, and even accidents, such as someone accidentally cutting cables for a live network.

In contrast, a computer security incident (sometimes called just security incident) commonly refers to an incident that is the result of an attack, or the result of malicious or intentional actions on the part of users. For example, request for comments (RFC) 2350, “Expectations for Computer Security Incident Response,” defines both a security incident and a computer security incident as “any adverse event which compromises some aspect of computer or network security.” National Institute of Standards and Technology (NIST) special publication (SP) 800-61, “Computer Security Incident Handling Guide,” defines a computer security incident as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” (NIST documents, including SP 800-61, can be accessed from the NIST publications page: https://csrc.nist.gov/Publications.)

In the context of incident response, an incident refers to a computer security incident. However, you’ll often see it listed as just an incident. For example, within the CISSP Security Operations domain, the “Conduct incident management” objective is clearly referring to computer security incidents.

In this chapter, any reference to an incident refers to a computer security incident.

Organizations handle some incidents, such as weather events or natural disasters, using other methods, such as a business continuity plan (covered in Chapter 3, “Business Continuity Planning”) or a disaster recovery plan (covered in Chapter 18, “Disaster Recovery Planning”).

Organizations commonly define the meaning of a computer security incident within their security policy or incident response plans. The definition is usually one or two sentences long and includes examples of common events that the organization classifies as security incidents, such as the following:

Any attempted network intrusion

Any attempted denial-of-service attack

Any detection of malicious software

Any unauthorized access of data

Any violation of security policies

Incident Response Steps

Effective incident response management is handled in several steps or phases. Figure 17.1 shows the seven steps involved in managing incident response as outlined in the CISSP objectives. It’s important to realize that incident response is an ongoing activity and the results of the lessons learned stage are used to improve detection methods or help prevent a repeated incident. The following sections describe these steps in more depth.

FIGURE 17.1 Incident response

You may run across documentation that lists these steps differently. For example, SP 800-61 is an excellent resource for learning more about incident handling, but it identifies the following four steps in the incident response life cycle: 1) preparation, 2) detection and analysis, 3) containment, eradication, and recovery, and 4) post-incident recovery. Still, no matter how documentation lists the steps, they contain many of the same elements and have the same goal of managing incident response effectively.

It’s important to stress that incident response does not include a counterattack against the attacker. Launching attacks on others is counterproductive and often illegal. If a technician can identify the attacker and launch an attack, it will very likely result in an escalation of the attack by the attacker. In other words, the attacker may now consider it personal and regularly launch grudge attacks. In addition, it’s likely that the attacker is hiding behind one or more innocent victims. Attackers often use spoofing methods to hide their identity, or launch attacks by zombies in a botnet. Counterattacks may be against an innocent victim rather than an attacker.

Detection

IT environments include multiple methods of detecting potential incidents. The following list identifies many of the common methods used to detect potential incidents. It also includes notes on how these methods report the incidents:

Intrusion detection and prevention systems (described later in this chapter) send alerts to administrators when an item of interest occurs.

Anti-malware software will often display a pop-up window to indicate when it detects malware.

Many automated tools regularly scan audit logs looking for predefined events, such as the use of special privileges. When they detect specific events, they typically send an alert to administrators.

End users sometimes detect irregular activity and contact technicians or administrators for help. When users report events such as the inability to access a network resource or update a system, it alerts IT personnel about a potential incident.
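Detection logic of the kind the automated tools above run over audit logs, as an added example that is not part of the book: it parses constructed sudo syslog lines and flags predefined special-privilege events against an assumed policy (approved admin accounts, office hours, interactive root shells).

```python
"""Scan sudo audit-log lines for predefined special-privilege events.

Added example, not from the book: a small rule engine of the kind the
automated tools above run over audit logs. The log lines below are
constructed samples in the standard sudo syslog format, and the approved
admin list, office hours and shell list are assumed policy values.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Standard sudo syslog format, e.g.
#   Jan 12 03:14:07 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo: +"
    r"(?P<user>\S+) : (?:TTY=\S+ ; )?PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Assumed policy (constructed for the example).
APPROVED_ADMINS = {"alice", "carol"}         # accounts allowed to use sudo
OFFICE_HOURS = range(8, 18)                  # 08:00-17:59 local time
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/zsh", "/bin/su"}


@dataclass
class Alert:
    rule: str
    user: str
    line: str


def parse_sudo_line(line, year=2024):
    """Return a dict for a sudo privilege-use line, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; assume one so the hour can be evaluated
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"when": when, "host": m["host"], "user": m["user"],
            "target": m["target"], "cmd": m["cmd"].strip()}


def rules_for(event):
    """Names of the predefined rules an event matches (empty list = routine use)."""
    hits = []
    if event["user"] not in APPROVED_ADMINS:
        hits.append("sudo-by-unapproved-account")
    if event["when"].hour not in OFFICE_HOURS:
        hits.append("privilege-use-off-hours")
    program = event["cmd"].split()[0]
    if event["target"] == "root" and program in INTERACTIVE_SHELLS:
        hits.append("interactive-root-shell")
    return hits


def scan(lines):
    """Run every line through the parser and rules; return the alerts to send."""
    alerts = []
    for line in lines:
        event = parse_sudo_line(line)
        if event is None:          # not a sudo line (sshd, cron, ...)
            continue
        for rule in rules_for(event):
            alerts.append(Alert(rule, event["user"], line))
    return alerts


# Constructed sample log lines.
SAMPLE_LINES = [
    "Jan 12 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Jan 12 03:14:07 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Jan 12 22:40:11 db02 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=postgres ; COMMAND=/usr/bin/psql",
    "Jan 12 10:02:45 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 12 11:20:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES):
        print(f"ALERT {a.rule:<28} user={a.user}")
```

As the text notes, each alert is only a potential incident; the routine `systemctl` line by an approved admin during office hours produces none, while one off-hours root shell by an unapproved account trips three rules at once.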

Cell Phone Cannot Be Updated

Many security incidents aren’t detected until months after they occur. Users often notice things that aren’t quite right, such as the inability to update a cell phone, but don’t report it right away. This allows attackers to maintain a presence on infected devices or networks for an extended period of time.

As an example, retired United States (U.S.) Marine Corps general John Kelly turned in his cell phone to White House technical support personnel during the summer of 2017. He was the White House chief of staff at the time. Kelly reportedly was unable to do software updates, and some other functions on his phone weren’t working. After some investigation, the White House IT department reportedly determined that his phone was compromised, and the compromise may have occurred as early as December 2016, while Kelly was the Secretary of Homeland Security.

Notice that just because an IT professional receives an alert from an automated tool or a complaint from a user, this doesn’t always mean an incident has occurred. Intrusion detection and prevention systems often give false alarms, and end users are prone to simple user errors. IT personnel investigate these events to determine whether they are incidents.

Many IT professionals are classified as first responders for incidents. They are the first ones on the scene and have knowledge on how to differentiate typical IT problems from security incidents. They are similar to medical first responders who have outstanding skills and abilities to provide medical assistance at accident scenes, and help get the patients to medical facilities when necessary. The medical first responders have specific training to help them determine the difference between minor and major injuries. Further, they know what to do when they come across a major injury. Similarly, IT professionals need specific training so that they can determine the difference between a typical problem that needs troubleshooting and a security incident that they need to escalate.

After investigating an event and determining it is a security incident, IT personnel move to the next step: response. In many cases, the individual doing the initial investigation will escalate the incident to bring in other IT professionals to respond.

Response

After detecting and verifying an incident, the next step is response. The response varies depending on the severity of the incident. Many organizations have a designated incident response team—sometimes called a computer incident response team (CIRT), or computer security incident response team (CSIRT). The organization activates the team during a major security incident but does not typically activate the team for minor incidents. A formal incident response plan documents who would activate the team and under what conditions.

Team members are trained on incident response and the organization’s incident response plan. Typically, team members assist with investigating the incident, assessing the damage, collecting evidence, reporting the incident, and recovery procedures. They also participate in the remediation and lessons learned stages, and help with root cause analysis.

The quicker an organization can respond to an incident, the better chance they have at limiting the damage. On the other hand, if an incident continues for hours or days, the damage is likely to be greater. For example, an attacker may be trying to access a customer database. A quick response can prevent the attacker from obtaining any meaningful data. However, if given continued unobstructed access to the database for several hours or days, the attacker may be able to get a copy of the entire database.

After an investigation is over, management may decide to prosecute responsible individuals. Because of this, it’s important to protect all data as evidence during the investigation. Chapter 19, “Investigations and Ethics,” covers incident handling and response in the context of supporting investigations. If there is any possibility of prosecution, team members take extra steps to protect the evidence. This ensures the evidence can be used in legal procedures.

Computers should not be turned off when containing an incident. Temporary files and data in volatile random access memory (RAM) will be lost if the computer is powered down. Forensics experts have tools they can use to retrieve data in temporary files and volatile RAM as long as the system is kept powered on. However, this evidence is lost if someone turns the computer off or unplugs it.

Mitigation

Mitigation steps attempt to contain an incident. One of the primary goals of an effective incident response is to limit the effect or scope of an incident. For example, if an infected computer is sending data out its network interface card (NIC), a technician can disable the NIC or disconnect the cable to the NIC. Sometimes containment involves disconnecting a network from other networks to contain the problem within a single network. When the problem is isolated, security personnel can address it without worrying about it spreading to the rest of the network.

In some cases, responders take steps to mitigate the incident, but without letting the attacker know that the attack has been detected. This allows security personnel to monitor the attacker’s activities and determine the scope of the attack.

Reporting

Reporting refers to reporting an incident within the organization and to organizations and individuals outside the organization. Although there’s no need to report a minor malware infection to a company’s chief executive officer (CEO), upper-level management does need to know about serious security breaches.

As an example, the WannaCry ransomware attack in 2017 infected more than 230,000 computers in more than 150 countries within a single day. The malware displayed a message of “Ooops your files have been encrypted.” The attack reportedly infected parts of the United Kingdom’s National Health Service (NHS), forcing some medical services to run on an emergency-only basis. As IT personnel learned of the impact of the attack, they began reporting it to supervisors, and this reporting very likely reached executives the same day the attack occurred.

Organizations often have a legal requirement to report some incidents outside of the organization. Most countries (and many smaller jurisdictions, including states and cities) have enacted regulatory compliance laws to govern security breaches, particularly as they apply to sensitive data retained within information systems. These laws typically include a requirement to report the incident, especially if the security breach exposed customer data. Laws differ from locale to locale, but all seek to protect the privacy of individual records and information, to protect consumer identities, and to establish standards for financial practice and corporate governance. Every organization has a responsibility to know what laws apply to it and to abide by these laws.

Many jurisdictions have specific laws governing the protection of personally identifiable information (PII). If a data breach exposes PII, the organization must report it. Different laws have different reporting requirements, but most include a requirement to notify individuals affected by the incident. In other words, if an attack on a system resulted in an attacker gaining PII about you, the owners of the system have a responsibility to inform you of the attack and what data the attackers accessed.

In response to serious security incidents, the organization should consider reporting the incident to official agencies. In the United States, this may mean notifying the Federal Bureau of Investigation (FBI), district attorney offices, and/or state and local law enforcement agencies. In Europe, organizations may report the incident to the International Criminal Police Organization (INTERPOL) or some other entity based on the incident and their location. These agencies may be able to assist in investigations, and the data they collect may help them prevent future attacks against other organizations.

Many incidents are not reported because they aren’t recognized as incidents. This is often the result of inadequate training. The obvious solution is to ensure that personnel have relevant training. Training should teach individuals how to recognize incidents, what to do in the initial response, and how to report an incident.

Recovery

After investigators collect all appropriate evidence from a system, the next step is to recover the system, or return it to a fully functioning state. This can be very simple for minor incidents and may only require a reboot. However, a major incident may require completely rebuilding a system. Rebuilding the system includes restoring all data from the most recent backup.

When a compromised system is rebuilt from scratch, it’s important to ensure it is configured properly and is at least as secure as it was before the incident. If an organization has effective configuration management and change management programs, these programs will provide necessary documentation to ensure the rebuilt systems are configured properly. Some things to double-check include access control lists (ACLs) and ensuring that unneeded services and protocols are disabled or removed, that all up-to-date patches are installed, that user accounts are modified from the defaults, and that any compromises have been reversed.

In some cases, an attacker may have installed malicious code on a system during an attack. This may not be apparent without a detailed inspection of the system. The most secure method of restoring a system after an incident is to completely rebuild the system from scratch. If investigators suspect that an attacker may have modified code on the system, rebuilding the system may be a good option.

Remediation

In the remediation stage, personnel look at the incident and attempt to identify what allowed it to occur, and then implement methods to prevent it from happening again. This includes performing a root cause analysis.

A root cause analysis examines the incident to determine what allowed it to happen. For example, if attackers successfully accessed a database through a website, personnel would examine all the elements of the system to determine what allowed the attackers to succeed. If the root cause analysis identifies a vulnerability that can be mitigated, this stage will recommend a change.

It could be that the web server didn’t have up-to-date patches, allowing the attackers to gain remote control of the server. Remediation steps might include implementing a patch management program. Perhaps the website application wasn’t using adequate input validation techniques, allowing a successful Structured Query Language (SQL) injection attack. Remediation would involve updating the application to include input validation. Maybe the database is located on the web server instead of in a back-end database server. Remediation might include moving the database to a server behind an additional firewall.
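The input-validation root cause above, shown as code; this is an added example rather than the book’s, with a constructed SQLite customers table standing in for the back-end database and an assumed email-format check as the validation rule.

```python
"""A string-built SQL lookup beside its remediated form.

Added example, not from the book: an in-memory SQLite 'customers' table
with constructed rows stands in for the back-end database behind the
website, and the email format check is an assumed validation rule.
"""
import re
import sqlite3

# Assumed validation rule: only accept values shaped like an email address.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_db():
    """Create the constructed customers table used by the functions below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers (email, name) VALUES (?, ?)",
                     [("ann@example.com", "Ann"), ("ben@example.com", "Ben"),
                      ("cy@example.com", "Cy")])
    conn.commit()
    return conn


def find_customer_vulnerable(conn, email):
    """Root cause: the input is spliced into the SQL text, so it can change
    the query's structure rather than only supply a value."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_customer_parameterized(conn, email):
    """Remediation step 1: bind the value as a parameter. The driver passes it
    as data, so an input containing quotes cannot alter the query."""
    rows = conn.execute("SELECT name FROM customers WHERE email = ?", (email,))
    return [row[0] for row in rows]


def find_customer_fixed(conn, email):
    """Remediation step 2: validate the input's shape before it reaches the
    database at all, then run the parameterized query."""
    if not EMAIL_RE.match(email):
        raise ValueError("rejected: not a well-formed email address")
    return find_customer_parameterized(conn, email)


# Constructed inputs: a normal lookup and the textbook injection string.
NORMAL_INPUT = "ann@example.com"
INJECTION_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal      :", find_customer_vulnerable(db, NORMAL_INPUT))
    print("vulnerable, injection   :", find_customer_vulnerable(db, INJECTION_INPUT))
    print("parameterized, injection:", find_customer_parameterized(db, INJECTION_INPUT))
    try:
        find_customer_fixed(db, INJECTION_INPUT)
    except ValueError as exc:
        print("fixed, injection        :", exc)
```

The vulnerable lookup returns every customer for the injection string, the parameterized version returns nothing because the string is compared as a literal value, and the fixed version rejects it before any query runs.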

Lessons Learned

During the lessons learned stage, personnel examine the incident and the response to see if there are any lessons to be learned. The incident response team will be involved in this stage, but other employees who are knowledgeable about the incident will also participate.

While examining the response to the incident, personnel look for any areas where they can improve their response. For example, if it took a long time for the response team to contain the incident, the examination tries to determine why. It might be that personnel don’t have adequate training and didn’t have the knowledge and expertise to respond effectively. They may not have recognized the incident when they received the first notification, allowing an attack to continue longer than necessary. First responders may not have recognized the need to protect evidence and inadvertently corrupted it during the response.

Remember, the output of this stage can be fed back to the detection stage of incident management. For example, administrators may realize that attacks are getting through undetected and increase their detection capabilities and recommend changes to their intrusion detection systems.

It is common for the incident response team to create a report when they complete a lessons learned review. Based on the findings, the team may recommend changes to procedures, the addition of security controls, or even changes to policies. Management will decide what recommendations to implement and is responsible for the remaining risk for any recommendations they reject.

Delegating Incident Response to Users

In one organization, the responsibility to respond to computer infections was extended to users. Close to each computer was a checklist that identified common symptoms of malware infection. If users suspected their computers were infected, the checklist instructed them to disconnect the NIC and contact the help desk to report the issue. By disconnecting the NIC, they helped contain the malware to their system and stopped it from spreading any further.

This isn’t possible in all organizations, but in this case, users were part of a very large network operations center and they were all involved in some form of computer support. In other words, they weren’t typical end users but instead had a substantial amount of technical expertise.

Implementing Detective and Preventive Measures

Ideally, an organization can avoid incidents completely by implementing preventive countermeasures. This section covers several preventive security controls that can prevent many attacks and describes many common well-known attacks. When an incident does occur, an organization will want to detect it as soon as possible. Intrusion detection and prevention systems are one of the ways that organizations do detect incidents and are also included in this section, along with some specific measures organizations can take to detect and prevent successful attacks.

You may notice the use of both preventative and preventive. While most documentation currently uses only preventive, the CISSP objectives include both usages. For example, Domain 1 includes references to preventive controls. This chapter covers objectives from Domain 7, and Domain 7 refers to preventative measures. For simplicity, we are using preventive in this chapter, except when quoting the CISSP objectives.

Basic Preventive Measures

While there is no single step you can take to protect against all attacks, there are some basic steps you can take that go a long way to protect against many types of attacks. Many of these steps are described in more depth in other areas of the book but are listed here as an introduction to this section.

Keep systems and applications up-to-date. Vendors regularly release patches to correct bugs and security flaws, but these only help when they’re applied. Patch management (covered in Chapter 16, “Managing Security Operations”) ensures that systems and applications are kept up-to-date with relevant patches.

Remove or disable unneeded services and protocols. If a system doesn’t need a service or protocol, it should not be running. Attackers cannot exploit a vulnerability in a service or protocol that isn’t running on a system. As an extreme contrast, imagine a web server is running every available service and protocol. It is vulnerable to potential attacks on any of these services and protocols.

Use intrusion detection and prevention systems. Intrusion detection and prevention systems observe activity, attempt to detect attacks, and provide alerts. They can often block or stop attacks. These systems are described in more depth later in this chapter.

Use up-to-date anti-malware software. Chapter 21, “Malicious Code and Application Attacks,” covers various types of malicious code such as viruses and worms. A primary countermeasure is anti-malware software, covered later in this chapter.

Use firewalls. Firewalls can prevent many different types of attacks. Network-based firewalls protect entire networks and host-based firewalls protect individual systems. Chapter 11, “Secure Network Architecture and Securing Network Components,” includes information on using firewalls within a network, and this chapter includes a section describing how firewalls can prevent attacks.

Implement configuration and system management processes. Configuration and system management processes help ensure that systems are deployed in a secure manner and remain in a secure state throughout their lifetimes. Chapter 16 covers configuration and change management processes.

Thwarting an attacker’s attempts to breach your security requires vigilant efforts to keep systems patched and properly configured. Firewalls and intrusion detection and prevention systems often provide the means to detect and gather evidence to prosecute attackers that have breached your security.

Understanding Attacks

Security professionals need to be aware of common attack methods so that they can take proactive steps to prevent them, recognize them when they occur, and respond appropriately to an attack. This section provides an overview of many common attacks. The following sections discuss many of the preventive measures used to thwart these and other attacks.

We’ve attempted to avoid duplication of specific attacks but also provide comprehensive coverage of different types of attacks throughout this book. In addition to this chapter, you’ll see different types of attacks in other chapters. For example, Chapter 14, “Controlling and Monitoring Access,” discusses some specific attacks related to access control; Chapter 12, “Secure Communications and Network Attacks,” covers different types of network-based attacks; and Chapter 21 covers various types of attacks related to malicious code and applications.

Botnets

Botnets are quite common today. The computers in a botnet are like robots (referred to as bots and sometimes zombies). Multiple bots in a network form a botnet and will do whatever attackers instruct them to do. A bot herder is typically a criminal who controls all the computers in the botnet via one or more command-and-control servers. The bot herder enters commands on the server, and the zombies check in with the command-and-control server to receive instructions. Zombies can be programmed to contact the server periodically or remain dormant until a specific programmed date and time, or in response to an event, such as when specific traffic is detected. Bot herders commonly instruct the bots within a botnet to launch a wide range of attacks, send spam and phishing emails, or rent the botnets out to other criminals.

Computers are typically joined to a botnet after being infected with some type of malicious code or malicious software. Once the computer is infected, it often gives the bot herder remote access to the system and additional malware is installed. In some cases, the zombies install malware that searches for files including passwords or other information of interest to the attacker or include keyloggers to capture user keystrokes. Bot herders often issue commands to