Incidents? What Incidents?


Incident Response
Strategy and Implementation
Anthony J. Scaturro
University IT Security Officer
[email protected]
September 22, 2004
Incidents? What Incidents?
• Direct targeting of University systems
– Attempts to disrupt service
– Attempts to capture confidential information
– Attempts to obtain copyrighted materials only licensed for campus use
• General attacks (viruses, worms, denial of service)
• Harassment, threats, etc.
• Copyright violations
How Are Incidents Detected?
• Direct targeting of University systems and general attacks are usually
detected through…
– Intrusion prevention reporting and alerts
– Unusual network activity
– Log data
• Information about harassment, threats, etc. is normally obtained
through e-mail complaints sent to Princeton’s CERT and through Help Desk
calls.
• Potential copyright violation complaints are received directly from
industry associations.
The Policy Advisor Coordinates the
University’s Incident Response Effort
• Member of the Office of Information Technology’s (OIT) Support Services team
– Along with Help Desk, Networking, Central and Departmental desktop support.
• Incident Response Functions
– OIT representative to the University committee that creates policies that focus on personal responsibilities as they relate to the use of technology.
– Engages technology teams to participate in incident investigation and resolution.
– Corresponds with persons who have issued complaints as well as individuals on campus whose computers are disrupting the network.
– Serves as the primary contact to
• Administration, Academic Deans, etc. regarding incidents that could involve disciplinary action.
• RIAA, MPAA and vendors on copyright-related issues.
The IT Security Staff Focuses on Technology
and Information Related Issues
• IT Security Officer plus one Security Specialist
• Incident Response Functions
– Administer firewalls and intrusion prevention systems,
– Coordinate technical response to major attacks,
– Perform computer forensic evaluations,
– Provide media with information about attacks and responses.
• Other Functions
– Recommend information handling and technology-related policies,
– Develop operational and administrative procedures with technology teams,
– Promote security awareness,
– Advise technology teams, and administrative and academic departments,
– Research security-related technologies and solutions,
– Manage security-related projects.
Additional Members of the
Incident Response Team
• Technology support teams
– Server and Workstation Support
– Network Services
– Database Services
– Application Services
• General Counsel
• Law Enforcement
– University’s Public Safety department
– Police, FBI, etc. (via Public Safety)
• Human Resource Department
• Department Heads and Academic Deans
Departmental Roles in the
Investigative Process
• OIT’s role is to:
– Collect and interpret evidence,
– Inform the appropriate managers and deans of incidents affecting or originating from their areas,
– Respond to complaints from external organizations,
– Contact “abuse” areas of other organizations for externally initiated attacks,
– Involve General Counsel and Public Safety as necessary.
• Disciplinary action must be authorized by the appropriate department manager or dean.
• Potential criminal activity must involve law enforcement
– The University’s Public Safety Department coordinates with outside agencies.
How Do We Ensure that
All OIT Groups Are on the Same Page?
• IT Policy and Security Cross Functional Team
– Chaired by the IT Security Officer,
– Members include the Policy Advisor and representatives from all major
OIT areas,
– Security-related information exchange
• To OIT departmental staff
• From OIT to the cross functional team,
– Priority setting,
– Policy and procedural development,
– Project oversight.
Initiatives We Have Taken On To Better
Prevent or Mitigate the Impact of Incidents
• General security awareness seminars, flyers, etc.
• Password strengthening initiatives
– Strength checking
– Elimination of NIS authentication
– Elimination of telnet, ftp, pop3 and unencrypted IMAP (in progress)
• Timely software patching
– Policy and procedures
– Microsoft’s SUS for Windows operating systems. Auto-update for others.
– Communicating patch information more effectively
• Intrusion Prevention and Firewall services
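The slide lists "strength checking" without saying what is checked. The following is an added example, not code from the presentation or from Princeton's OIT, of the kind of check a password-strengthening initiative would enforce at password-change time. The policy it implements (minimum length, number of character classes, no username, no dictionary or keyboard-pattern password, minimum estimated entropy), the thresholds, and the short word list are all assumptions chosen for illustration; a deployment would load a full cracking dictionary.

```python
"""Password strength check (added example, assumed policy, not Princeton's rules)."""
import math
import re

# Constructed stand-in for a cracking dictionary; a deployment would load a large list.
COMMON_PASSWORDS = {"password", "princeton", "letmein", "welcome", "qwerty", "123456"}

# Keyboard rows used to spot runs such as "qwer" or "4321", forward or reversed.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Undo common leetspeak substitutions so "P@ssw0rd" is compared as "password".
LEET = str.maketrans("@$0134578!", "asoleastbi")

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
CLASS_SIZES = (26, 26, 10, 33)  # alphabet size credited for each class


def character_classes(password):
    """Number of distinct character classes present (lower, upper, digit, symbol)."""
    return sum(1 for p in CLASS_PATTERNS if re.search(p, password))


def estimated_bits(password):
    """Brute-force strength estimate: length * log2(size of the alphabet actually used)."""
    alphabet = sum(size for p, size in zip(CLASS_PATTERNS, CLASS_SIZES)
                   if re.search(p, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def has_keyboard_run(password, run_length=4):
    """True if the password contains run_length adjacent keys from one keyboard row."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_length + 1):
            run = row[i:i + run_length]
            if run in lowered or run[::-1] in lowered:
                return True
    return False


def check_password(password, username, min_length=8, min_classes=3, min_bits=40):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = password.lower()
    deleeted = lowered.translate(LEET)
    if len(password) < min_length:
        problems.append("too_short")
    if character_classes(password) < min_classes:
        problems.append("too_few_classes")
    uname = username.lower()
    if uname and (uname in lowered or uname[::-1] in lowered):
        problems.append("contains_username")
    # Check both the raw password and the de-leeted form against the word list.
    if any(w in lowered or w in deleeted for w in COMMON_PASSWORDS):
        problems.append("common_password")
    if has_keyboard_run(password):
        problems.append("keyboard_sequence")
    if estimated_bits(password) < min_bits:
        problems.append("low_entropy")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = (("password", "alice"), ("P@ssw0rd", "carol"),
               ("Qwerty123!", "bob"), ("Tr0ub4dor&3", "alice"))
    for pw, user in samples:
        print(f"{pw!r:16} {check_password(pw, user) or 'OK'}")
```

The de-leeting step matters in practice: a length-and-classes rule alone accepts "P@ssw0rd" (8 characters, four classes, about 52 bits by the estimate above), while the dictionary check rejects it. The entropy figure is only a brute-force bound and is deliberately the last check, since a dictionary or keyboard-pattern password can score well on it.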