
SEC340ON_B

Desiree Carter Week 3 Assignment


My paper covers the reactive service of Artifact Handling, the proactive service of Technology Watch, and the security quality management service of Security Consulting. An artifact is defined as any file or object found on a system that might be involved in probing or attacking systems and networks, or that is being used to defeat security measures. Artifacts can include, but are not limited to, computer viruses, Trojan horse programs, worms, exploit scripts, and toolkits (Stelvio, 2002). Artifact Handling is a reactive service defined as the handling of artifacts that are possible threats to the security of a computer or computer network. It involves receiving information about, and copies of, artifacts that are used in intruder attacks, reconnaissance, and other unauthorized or disruptive activities. After an artifact is received it is reviewed. The review includes analyzing the nature, mechanics, version, and use of the artifact, and developing, or at least suggesting, response strategies for detecting, removing, and defending against the artifacts in question.

Artifact handling is implemented in three different ways: Artifact Analysis, Artifact Response, and Artifact Response Coordination. Artifact analysis is performed by the CSIRT; it is a technical examination and analysis of any artifact that is found on a system. The analysis might include identifying the file type and structure of the artifact, comparing the new artifact against existing artifacts or older versions of the same artifact to observe similarities and differences, or reverse engineering or disassembling the code to determine the purpose and function of the artifact. Artifact response involves determining the actions that are appropriate to detect and remove the artifacts found on a system, not counting actions to prevent artifacts from being installed on the system in question. Artifact response may involve creating signatures that can be added to antivirus software or Intrusion Detection Systems.

Artifact response coordination involves sharing and synthesizing analysis results and response strategies that pertain to an artifact with other researchers, CSIRTs, vendors, and other security experts. Its activities include notifying others and synthesizing technical analysis from a variety of sources. They sometimes also include maintaining a public or constituent archive of known artifacts, their impact, and the corresponding response strategies. Artifact handling is important because it helps stop and prevent future attacks on a system through the steps of analysis, response, and response coordination. The strength of artifact handling is that, during analysis, artifacts can be compared to existing artifacts or older versions, so more threats can easily be found. The weakness of artifact handling is that if the attack is internal, the artifact or evidence can be purposely compromised to weaken the system.
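The analysis, response, and response coordination steps described above, shown as a small added Python example that is not part of this assignment or of the CERT service description: it identifies an artifact's file type from magic bytes, hashes it, compares it against a constituent archive of known artifacts (including an older version of the same artifact), and produces a response strategy plus a hash-based signature. The sample artifacts, the archive, and the signature format are all constructed for illustration.

```python
import hashlib

# Constructed sample "artifacts" (harmless byte strings, not real malware):
# an archived worm, a modified version of it, and an unrelated shell script.
OLD_WORM = b"MZ" + b"\x90" * 6 + b"SPREAD.." + b"CONNECT1" + b"PAYLOADA"
NEW_WORM = b"MZ" + b"\x90" * 6 + b"SPREAD.." + b"CONNECT2" + b"PAYLOADA"
BENIGN = b"#!/bin/sh\necho hello\n"

MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable",
         b"PK\x03\x04": "ZIP archive", b"#!": "script"}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def identify_type(data):
    """File-type identification from leading magic bytes."""
    return next((n for m, n in MAGIC.items() if data.startswith(m)), "unknown")

def similarity(a, b, block=8):
    """Share of a's fixed-size blocks that also occur in b: a crude way to
    compare a new artifact against an older version of the same artifact."""
    blocks_a = {a[i:i + block] for i in range(0, len(a), block)}
    blocks_b = {b[i:i + block] for i in range(0, len(b), block)}
    return len(blocks_a & blocks_b) / len(blocks_a) if blocks_a else 0.0

# Constituent archive of known artifacts with their response strategies (constructed).
ARCHIVE = {sha256(OLD_WORM): {"name": "worm-v1", "bytes": OLD_WORM,
                              "response": "quarantine; remove with AV signature worm-v1"}}

def triage(data, archive=ARCHIVE, threshold=0.5):
    """Analyse one artifact: type, hash, comparison with the archive, and a
    response strategy plus a hash signature that AV/IDS tooling can consume."""
    digest = sha256(data)
    record = {"sha256": digest, "type": identify_type(data), "size": len(data)}
    if digest in archive:                      # exact match: reuse the known response
        known = archive[digest]
        record.update(verdict="known", related=known["name"], response=known["response"])
        return record
    best = max(archive.values(), key=lambda e: similarity(data, e["bytes"]), default=None)
    score = similarity(data, best["bytes"]) if best else 0.0
    if score >= threshold:                     # likely a new version of a known artifact
        record.update(verdict="variant", related=best["name"], similarity=round(score, 2),
                      response="re-analyse differences; " + best["response"])
    else:                                      # nothing comparable: full analysis needed
        record.update(verdict="new", related=None, response="full analysis required")
    record["signature"] = "sha256:" + digest   # candidate signature for AV/IDS
    return record

if __name__ == "__main__":
    for sample in (OLD_WORM, NEW_WORM, BENIGN):
        print(triage(sample))
```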

Technology Watch is a proactive service. In technology watch the CSIRT monitors and observes new technical developments, intruder activities, and related trends to help identify future threats. The topics that are reviewed can be expanded to include legal and legislative rulings, social or political threats, and emerging technologies. The service involves reading security mailing lists, security web sites, and current news and journal articles in the fields of science, technology, politics, and government to extract the information that is relevant to the security of the constituent systems and networks. This may include communicating with other parties that are authorities in the fields listed to ensure that the best and most accurate information or interpretation is obtained. The outcome of this service may include some type of announcement, guidelines, or recommendations focused on medium- to long-term security issues. Technology watch is important because it keeps the CSIRT up to date on the latest tools and practices in technology that will help fight, prevent, and stop attacks on a system. The strength of technology watch is that if one is reliable in keeping the information up to date, then one will be well informed to help improve practices and keep the organization up to date. The weakness is that if one doesn't watch the technology closely, the practices will become inefficient.

Security Consulting is a security quality management service. A CSIRT that provides this service is involved in preparing recommendations or identifying requirements for purchasing, installing, or securing new systems, network devices, software applications, or enterprise-wide business processes. The service includes providing guidance and assistance in developing organizational or constituency security policies. It may also involve providing testimony or advice to legislative or other government bodies. Security consulting is important because it provides recommendations and requirements for an organization's policies. The strength of security consulting is that if other practices are kept up to date, then better recommendations can be provided. The weakness is that security consulting is dependent on other practices, such as technology watch.

Attack Type: Insider abuse of net access
Trigger: The triggering of the Intrusion Detection System
Reaction force and lead: Network specialist from IT department
Notification method: Phone call
Response time: 30 minutes

Actions to be taken during this response:
1. Employees are locked out of the network, except for the Network Specialist.
2. Network is shut down.
3. Network logs are retrieved.
4. Virus is isolated.

Incident is ended and actions cease when: It is found out who abused the network and sent the virus, and appropriate disciplinary action is taken.

Actions to be taken after incident response is ended:
1. Employees are no longer locked out, except for the one who sent the virus.
2. Network is put back online.
3. Network logs are filed away.
4. Virus is destroyed.

Incident follow-up is ended and actions after the incident are complete when: The employee who purposely sent the virus is fired.

Preparation actions to be integrated into IR plans before incident response plans are needed:
1. Incident is contained.
2. Incident Response team is on call.

4. For the same theoretical incident that you created for #2, complete a "During an attack" page for an IR Plan that is similar to the one shown in Figure 3-4 on page 124.

During an Attack

Users
1. If the computer's antivirus software detects an attack, it will delete the virus or quarantine the file that carries it. Record the messages that the antivirus software displays and notify Technology Services immediately.
2. If your computer starts behaving unusually, or you determine that you have contracted a virus through other means, turn off the computer immediately by pulling the plug. Notify Technology Services immediately.

Technology Services
1. If users begin reporting virus attacks, record the information provided by the users.
2. Temporarily disconnect those users from the network at the switch.
3. Begin scanning all active systems for that strain of the virus.
4. Deploy the response team to inspect the user's system.

References

Stelvio, B. (2002, November). CSIRT services. Retrieved from http://www.cert.org/csirts/services.html
