ITS 4910 - Information Trends/Research and Design Project
Module 10
This lesson presents some background on the tenth week. Objectives
important to this lesson:
- What is this week about?
- Current assignments
Concepts:
The topic for this class is a review from ITS 4350, which some of you
were in two years ago. For the sake of brevity, let's assume we are talking
about security incidents.
That week's lesson began with a horror story about a student testing a worm
program. The lesson asked you to read through it and think about some
questions. Who was responsible for the outbreak? What should have been
done to prevent it?
This is an example of what Albert Einstein, Hans Ørsted, Ernst Mach,
and others, called a Gedankenexperiment.
(Nouns in German are capitalized, even when mixed with English. It means
mind/thought experiment.) This is the way such an experiment (one that
could get way out of hand) should be done because the consequences of
carrying it out in the real world are unacceptable. You could argue that
the student in this case carried out his thought experiment first, then
found that the real world results were not what he expected. That is the
danger in doing thought experiments: you may not
know enough yet to predict the actual results.
That text made a case for gathering information
while you are investigating a problem, getting everything you can, then
analyzing it to make a plan for
containment, eradication,
and recovery. The analysis and
planning stage is where the Gedankenexperimenting (which is a painful
combination of Latin, German, and English) takes place.
Containment methods vary depending
on what is happening.
- Is it spreading from devices on our network? Shut them down, and pull
them off the network.
- Is it coming at us from the Internet? Break the connection to the
Internet, identify the source and add firewall rules if possible. Can
we identify IP addresses that are sending the bad traffic? Blocking
those addresses may help. This is especially useful for DDoS attacks.
Eradication requires repair of
the damage done, and removal of the various viruses, worms, altered files,
and other kinds of mess left by the attacker. The text reminds us that
a particularly nasty attacker may decide to leave behind software that
will cause more damage after the initial attack has ended. If, on the
other hand, the attacker intends to return, there is more likely to be
a new back door to the system, created by the attacker to make it easy
to re-enter the new favorite data source. Finding new accounts with elevated
rights should make your admins wonder what else has been changed about
the system.
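The paragraph above says that finding new accounts with elevated rights is a signal that more has been changed. The following added example (not from the lesson or its textbook) audits a Unix host's account files for that signal: UID 0 logins and admin-group members that were not in a known-good baseline. The passwd/group text and the baseline sets are constructed for illustration.

```python
# Added example (not from the lesson): audit Unix account files for newly
# privileged accounts. Input is constructed passwd/group text, not a real host.

# Constructed sample of /etc/passwd and /etc/group as found after an incident.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:backup:/var/backups:/bin/bash
svc-web:x:1001:1001::/var/www:/bin/bash
"""
GROUP = """root:x:0:
sudo:x:27:alice,svc-web
wheel:x:10:
"""

# Baseline recorded when the system was known good (assumed values).
BASELINE_UID0 = {"root"}
BASELINE_ADMINS = {"alice"}
ADMIN_GROUPS = {"sudo", "wheel", "root"}


def uid0_accounts(passwd_text):
    """Return login names whose UID field is 0 (full root privilege)."""
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.add(fields[0])
    return names


def admin_group_members(group_text):
    """Return users listed as supplementary members of admin groups."""
    members = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in ADMIN_GROUPS and fields[3]:
            members.update(fields[3].split(","))
    return members


def unexpected_privilege(passwd_text, group_text):
    """Privileged identities that are not in the known-good baseline."""
    new_uid0 = uid0_accounts(passwd_text) - BASELINE_UID0
    new_admins = admin_group_members(group_text) - BASELINE_ADMINS
    return {"uid0": sorted(new_uid0), "admin_group": sorted(new_admins)}


if __name__ == "__main__":
    # Each hit is a reason to look for the other changes the attacker made.
    print(unexpected_privilege(PASSWD, GROUP))
```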
Recovery, as usual, means restoring
the state the system was in before the incident. However, in the case
of an attack, the system should be better than before by being guarded
against that specific attack. Recovery may mean restoration of data, reinstallation
of operating systems and programs, and may also include changing any compromised
attack surfaces.
Some texts discuss security incidents in terms of several categories:
- Denial of Service attack
- Malware attack
- Unauthorized access
- Inappropriate usage
- Hybrid attack, having the characteristics of two or more of the types
above
For a DoS attack:
- Coordinate with your ISP.
If you are under a denial of service attack, so is your Internet Service
Provider.
- Watch for deviations in your normal network traffic to detect the
attack sooner.
- Use packet filters to drop traffic that makes no sense for your network.
- Filter based on the characteristics of the actual attack once it begins.
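The containment bullets earlier (identify the addresses sending the bad traffic and block them) and the DoS list above (watch for deviations from normal traffic, then filter on the attack's actual characteristics) describe one detection-to-filter loop. The added example below (not from the lesson) runs that loop over constructed flow records: it compares each source's request count with an assumed baseline and drafts a drop rule only for the offending source and the port it targeted.

```python
# Added example (not from the lesson): flag sources whose request rate deviates
# from a recorded baseline, then draft a packet filter matching that traffic.
from collections import Counter
from statistics import mean, pstdev

# Constructed sample of one minute of flow records: (source_ip, dst_port).
FLOWS = ([("203.0.113.5", 443)] * 40 + [("198.51.100.9", 443)] * 35
         + [("192.0.2.77", 443)] * 900 + [("192.0.2.78", 22)] * 3)

# Per-source requests per minute seen during normal operation
# (assumed baseline gathered from earlier monitoring).
BASELINE_COUNTS = [30, 45, 38, 41, 36, 52, 33, 47]


def deviating_sources(flows, baseline, sigmas=3.0):
    """Return {ip: count} for sources more than `sigmas` std devs above normal."""
    mu, sd = mean(baseline), pstdev(baseline)
    threshold = mu + sigmas * sd
    counts = Counter(ip for ip, _ in flows)
    return {ip: n for ip, n in counts.items() if n > threshold}


def draft_filter_rules(offenders, flows):
    """Build drop rules matching the attack's observed characteristics
    (source address and the port it hammered), not all inbound traffic."""
    rules = []
    for ip in sorted(offenders):
        ports = sorted({p for src, p in flows if src == ip})
        for port in ports:
            rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    bad = deviating_sources(FLOWS, BASELINE_COUNTS)
    for rule in draft_filter_rules(bad, FLOWS):
        print(rule)  # review before applying; coordinate with the ISP too
```

For a distributed attack the same comparison is applied to the source list as a whole, and the rules are better handed upstream to the ISP than applied only at your own border.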
For a Malware attack:
- Warn your users about malware that has been reported by protection
vendors. If they have seen it recently, you may see it, too.
- Filter spam out of email. Remind users not to run programs attached
to email.
- Check for antivirus solutions from your own vendor and others.
- Scan your systems for open ports that you have not opened yourself.
It could indicate a malware program that has opened the port for its
evil purposes.
- Audit processes running on your servers.
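Two of the malware bullets above (scan for ports you did not open yourself; audit the processes on your servers) combine into one check. The added example below (not from the lesson) parses constructed text in the shape of Linux `ss -lntp` output and reports listeners that are either on a port outside the allowlist or owned by a process other than the one expected on that port. The allowlist and sample lines are assumptions for illustration.

```python
# Added example (not from the lesson): compare listening TCP ports against the
# set you deliberately opened, and name the owning process of each extra.
import re

# Constructed sample in the shape of `ss -lntp` output on a Linux server.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*   users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*   users:(("nginx",pid=1201,fd=6))
LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*   users:(("postgres",pid=977,fd=5))
LISTEN 0      10     0.0.0.0:4444      0.0.0.0:*   users:(("kworkerd",pid=31337,fd=4))
"""

# Ports the administrators opened on purpose, with the expected owner (assumed).
EXPECTED_PORTS = {22: "sshd", 443: "nginx", 5432: "postgres"}

# Local address, port, process name and pid from one LISTEN line.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_text):
    """Yield (addr, port, process, pid) for each LISTEN line in the output."""
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def unexpected_listeners(ss_text, expected):
    """Listeners on ports outside the allowlist, or owned by the wrong process."""
    findings = []
    for addr, port, proc, pid in parse_listeners(ss_text):
        if port not in expected:
            findings.append((port, proc, pid, "port not in allowlist"))
        elif expected[port] != proc:
            findings.append((port, proc, pid, f"expected {expected[port]}"))
    return findings


if __name__ == "__main__":
    # A process name that imitates a kernel thread on an unlisted port is
    # exactly the kind of finding that should start a process audit.
    for finding in unexpected_listeners(SS_OUTPUT, EXPECTED_PORTS):
        print(finding)
```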
For Unauthorized access:
- Note the way your users work, which gives us behaviors to watch
for, and behaviors that are unusual.
- Require passwords with increased complexity, and with shorter lifespans.
- Run regular vulnerability scans and take action on the findings.
- Deny all traffic that is not permitted by a valid rule.
- During the attack, disable compromised accounts and ports that are
associated with the attack.
For Inappropriate use:
- This can run from the completely innocent use of company equipment
to the intentional misuse of it for malevolent purposes. Use restraint
in applying discipline.
- Educate your users about appropriate and inappropriate use for every
kind of new equipment. Remind staff about appropriate use of old equipment
from time to time.
- Collect evidence and take action that is appropriate to the level
of the offense.
It would be ideal to have a history on what worked in defense of various
attacks we and others have experienced. This sort of thing does exist,
but remember that the bad guys read that stuff, too. Have a plan, but
be ready to modify it. Dr. Deming said to continue to plan, to do, to check,
and to act. Those who ask the difference between the do and act
portions are ignoring what we are supposed to learn when we check
on what we did. This relates to some wisdom that may have originated with
Helmuth Karl Bernhard Graf von Moltke (portrait on the right), who observed
that no plan of battle ever survives first contact with the enemy. Remain
flexible. Learn from what happens, and plan what to do next.
We should make plans, and store those plans in ways that they
can be accessed regardless of the disaster, regardless of the services
that may be out at the time of the disaster. If we cannot access
the plans, we cannot rely on them and we can only function from
our memories of them and from our best judgement. We will have to do that
anyway, but take advantage of your history.