Contents
Overview 1
Lesson: Introduction to Auditing and Incident Response 2
Lesson: Designing an Audit Policy 8
Lesson: Designing an Incident Response Procedure 15
Lab A: Designing an Incident Response Procedure 27
Course Evaluation 32
Module 12: Designing Responses to Security Incidents
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, BizTalk, PowerPoint, Visio,
and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Module 12: Designing Responses to Security Incidents iii
Instructor Notes
In this module, students explore auditing and incident response as means for
detecting and responding to security incidents. When an attack happens, the key
to limiting damage is early detection and a rapid and orderly response. Auditing
is an important tool to help students detect network abnormalities that may
indicate attacks. An incident response procedure is a series of steps that
students design in advance to guide their organization during a security
incident.
After completing this module, students will be able to:
Explain the importance of auditing and incident response.
Design an auditing policy.
Design an incident response procedure.
Presentation: 45 minutes
Lab: 30 minutes
Required materials
To teach this module, you need Microsoft® PowerPoint® file 2830A_12.ppt.
Important
It is recommended that you use PowerPoint version 2002 or later to
display the slides for this course. If you use PowerPoint Viewer or an earlier
version of PowerPoint, all of the features of the slides may not be displayed
correctly.
Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Complete the practices.
Complete the lab and practice discussing the answers.
Read the additional reading for this module, located under Additional
Reading on the Web page on the Student Materials CD.
Visit the Web links that are referenced in the module.
How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Introduction to Auditing and Incident Response
This lesson introduces the concepts of auditing and incident response. It
includes features of both and examples of threats to each. This material will be
review for some students. Spend as much time as necessary on this lesson.
There is no practice for this lesson.
The Auditing Process
The log files used in the example on this page are located under Additional
Reading on the Web page on the Student Materials CD. You can print these out
before you teach this module and use the logs to generate class discussion.
Why an Incident Response Procedure Is Important
Emphasize the concept of chain of evidence and explain why it is important.
Lesson: Designing an Audit Policy
This section describes the instructional methods for teaching this lesson.
Common Auditing Tools and Sources
Point out the additional reading listed on this page.
Practice: Risk and Response
Answers may vary. Use the security responses that students give to generate
classroom discussion.
Security Policy Checklist
Use this page to review the content of the module. Students can use the
checklist as a basic job aid. The phases mentioned on the page are from
Microsoft Solutions Framework (MSF). Use this page to emphasize that
students must perform threat analysis and risk assessment on their own
networks for the topic covered in this module, and then they must design
security responses to protect the networks.
Lesson: Designing an Incident Response Procedure
This section describes the instructional methods for teaching this lesson.
Guidelines for Analyzing a Security Incident
Discuss root causes of security incidents and emphasize that the event that
triggers an alarm may not be the original cause of the security incident, but
merely a result of the incident.
Methods for Limiting Damage from an Attack
Point out the job aid referenced under additional reading. Use it as a reference
for discussion.
Practice: Risk and Response
Answers may vary. Use the security responses that students give to generate
classroom discussion.
Security Policy Checklist
Use this page to review the content of the module. Students can use the
checklist as a basic job aid. The phases mentioned on the page are from MSF.
Use this page to emphasize that students must perform threat analysis and risk
assessment on their own networks for the topic covered in this module, and then
they must design security responses to protect the networks.
Assessment
There are assessments for each lesson, located on the Student Materials
compact disc. You can use them as pre-assessments to help students identify
areas of difficulty, or you can use them as post-assessments to validate learning.
Lab A: Designing an Incident Response Procedure
To begin the lab, open Microsoft Internet Explorer and click the name of the
lab. Play the video interviews for students, and then instruct students to begin
the lab with their lab partners. Give students approximately 20 minutes to
complete this lab, and spend about 10 minutes discussing the lab answers as a
class.
General lab suggestions
For general lab suggestions, see the Instructor Notes in Module 2, “Creating a
Plan for Network Security.” Those notes contain detailed suggestions for
facilitating the lab environment used in this course.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
This module includes only computer-based interactive lab exercises, and as a
result, there are no lab setup requirements or configuration changes that affect
replication or customization.
Important
The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Automated Classroom Setup Guide for Course 2830A, Designing
Security for Microsoft Networks.
Lab Setup
There are no lab setup requirements that affect replication or customization.
Lab Results
There are no configuration changes on student computers that affect replication
or customization.
Overview
Introduction
Network security for an organization is an exercise in prevention. A good
security design that is properly implemented will prevent a majority of the most
common attacks. However, it is very likely that an attacker will eventually
penetrate the defenses that you design.
When an attack happens, the key to limiting damage is early detection and a
rapid and orderly response. Auditing is an important tool to help you detect
network abnormalities that may indicate attacks. An incident response
procedure is a series of steps that you design in advance to guide your
organization during a security incident.
Objectives
After completing this module, you will be able to:
Explain the importance of auditing and incident response.
Design an auditing policy.
Design an incident response procedure.
Lesson: Introduction to Auditing and Incident Response
Introduction
Auditing and incident response provide you with the means to detect and
maintain a record of network events. They also give you a procedure to respond
to events that you determine are attacks.
Lesson objectives
After completing this lesson, you will be able to:
Describe the auditing process.
Explain why auditing is important.
Describe an incident response procedure.
Explain why an incident response procedure is important.
The Auditing Process
Key points
Auditing records specific events on a network. By auditing events on computers
and applications, you can compare the audit logs on each computer to
understand the actions of a user or an attacker.
For example, consider a computer running Microsoft® Windows® 2000 Server
and also Microsoft Internet Security and Acceleration (ISA) Server that is
functioning as a firewall. ISA Server protects a Web site on a computer running
Windows 2000 Server and Internet Information Services (IIS). When a
customer on the Internet accesses the Web server, he is authenticated by Basic
authentication over Secure Sockets Layer (SSL) to an Active Directory®
directory services domain controller.
In this example, when you enable auditing on the computers and applications,
you can determine a user’s actions by examining the following:
1. Packet filter log file. By analyzing the packet filter log file, you determine
that a computer with the IP address 131.107.1.31 created an SSL session with
the Web server, which is published on the ISA Server firewall, for
approximately 4 minutes, from 13:27 Pacific Daylight Time (PDT) to 13:31
PDT.
2. Security event log file from the IIS server and the IIS log file. By analyzing
the Security event log file on the Web server, you determine that a user
attempted to log on by using the account Ben and failed twice before
succeeding at 13:29:07 PDT.
By analyzing the IIS log file, you determine that the computer with the IP
address 131.107.1.31 used a computer running Windows 2000 and
Microsoft Internet Explorer version 5.01 to attempt to enroll a certificate
from the Certsrv Web site.
3. Security event log file from the domain controller. By analyzing the
Security event log file on the domain controller, you determine that the user
who logged on by using the account Ben failed to log on twice due to using
a bad password before ultimately succeeding.
Note
To ensure that you can accurately compare audit logs from different
computers and resources, synchronize the times of all audited computers and
resources on your network.
Additional reading
To analyze the log files that are used in this example, see the files in the Log
files folder, under Additional Reading on the Web page on the Student
Materials CD.
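As an added example (not part of the course materials), the following Python code performs the cross-log correlation that the example above describes, over constructed sample lines: every source is normalised to UTC before merging (one host logs in UTC, which is why the note about synchronizing clocks matters), and the logon attempts and web request of account Ben are tied back to the firewall session recorded for 131.107.1.31. The simplified line layouts, the host names WEB01 and DC01, and the server address 10.0.0.5 are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines in one simplified layout, "<date> <time> <tz> <fields...>"
# (not the real ISA Server, IIS or Event Viewer formats).
FIREWALL_LOG = [  # ISA Server packet filter log, local time (PDT)
    "2002-06-12 13:27:02 PDT 131.107.1.31 10.0.0.5:443 TCP ALLOW",
    "2002-06-12 13:31:10 PDT 131.107.1.31 10.0.0.5:443 TCP CLOSE",
]
WEB_SECURITY_LOG = [  # Security event log on the IIS server (PDT)
    "2002-06-12 13:28:41 PDT WEB01 LOGON_FAILURE Ben bad_password",
    "2002-06-12 13:28:55 PDT WEB01 LOGON_FAILURE Ben bad_password",
    "2002-06-12 13:29:07 PDT WEB01 LOGON_SUCCESS Ben",
]
IIS_LOG = [  # IIS request log (PDT): client, method, URL, status, user agent
    "2002-06-12 13:29:08 PDT 131.107.1.31 GET /certsrv/default.asp 200 MSIE+5.01",
]
DC_SECURITY_LOG = [  # domain controller clock runs in UTC, 7 hours ahead of PDT
    "2002-06-12 20:28:41 UTC DC01 LOGON_FAILURE Ben bad_password",
    "2002-06-12 20:28:55 UTC DC01 LOGON_FAILURE Ben bad_password",
]
TZ_OFFSET_HOURS = {"PDT": -7, "UTC": 0}

def parse(source, line):
    """Split one line and normalise its local timestamp to UTC."""
    date, clock, tz, rest = line.split(" ", 3)
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSET_HOURS[tz])))
    return {"ts": local.astimezone(timezone.utc), "source": source, "f": rest.split()}

def reconstruct(named_logs, ip, account):
    """Merge (source, lines) pairs on one UTC timeline and tie the client's logons and requests to its firewall session."""
    events = sorted((parse(n, ln) for n, lines in named_logs for ln in lines), key=lambda e: e["ts"])
    fw = [e["ts"] for e in events if e["source"] == "firewall" and e["f"][0] == ip]
    start, end = min(fw), max(fw)
    inside = [e for e in events if start <= e["ts"] <= end]
    def logons(src, kind):  # events of one kind for the account, as seen by one host
        return [e for e in inside if e["source"] == src and e["f"][1:3] == [kind, account]]
    success = logons("web-security", "LOGON_SUCCESS")
    return {
        "session_minutes": round((end - start).total_seconds() / 60),
        "failed_logons": len(logons("web-security", "LOGON_FAILURE")),
        # with clocks normalised, the domain controller should corroborate the web server
        "dc_agrees": len(logons("dc-security", "LOGON_FAILURE")) == len(logons("web-security", "LOGON_FAILURE")),
        "first_success_utc": success[0]["ts"].isoformat() if success else None,
        "requests": [e["f"][2] for e in inside if e["source"] == "iis" and e["f"][0] == ip],
    }

def example():
    logs = [("firewall", FIREWALL_LOG), ("web-security", WEB_SECURITY_LOG),
            ("iis", IIS_LOG), ("dc-security", DC_SECURITY_LOG)]
    return reconstruct(logs, "131.107.1.31", "Ben")
```

Without the UTC normalisation in parse, the domain controller's entries would sort seven hours after the firewall session and dc_agrees would be False.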
Fragments from later pages of the module
... indicate security incidents. Investigate all abnormal events to determine their causes and to confirm whether the events present a security risk.
Additional reading
For more information about investigating security incidents, see Detecting Signs of Intrusion, at: http://www.cert.org/security-improvement/modules/m09.html
Guidelines for Analyzing a Security ...

... inadmissible in court.
• Contoso failed to conduct a review of the security incident. It never discussed how the company responded to the incident or documented what went well and what did not go well. As a result, Contoso could not apply any lessons learned to its security policy or incident response plan.
To avoid repeating mistakes, Contoso can:
• Create ...

Risk strategy / Security response
• Security incidents are reported prematurely and to inappropriate people. Risk strategy: Avoid. Security response: Create a security policy that includes procedures for employees to escalate potential security incidents to approved individuals.
• Security incidents are leaked to the media before the team has met to discuss the incidents. Risk strategy: Avoid. Security response: Create and distribute a communications plan for security incidents. Ensure ...

... “Attacks and Countermeasures,” in Security Operations Guide for Windows 2000 Server, under Additional Reading on the Web page on the Student Materials CD.
The white paper, Microsoft Security Toolkit: Compromised Systems, at: http://www.microsoft.com/technet/security/tools/tools/detect.asp
Guidelines for Documenting Security Incidents

... needs to know about the incident.
How team members communicate details of the incident to nonteam members. For many reasons, such as shareholder confidence, your organization may choose to keep the security incident confidential. To prevent information from being leaked to nonteam members or to the public, create clear guidelines about how to communicate ...

... law enforcement early to ensure that all evidence is gathered in a manner that enables the evidence to be admissible in court.
• Conduct a post-security incident review to ensure that lessons learned from the incident are incorporated into security policies and the incident response plan.
2. Who should be on Contoso’s business-to-business (B2B) incident ...

... answer to Ashley’s questions.
3. Click Send to save your answers to a folder on your desktop.
4. Discuss your answers as a class.
Lab A: Designing an Incident Response Procedure
Lab Questions and Answers
Answers may vary. The following are possible answers.
1. What specific errors did Contoso Pharmaceuticals make during the Yalovsky incident? What can Contoso ...

... events to monitor, the level of detail to audit, and the computers or resources to audit. By creating audit statements, you ensure that you only audit events that are relevant to business goals or technical requirements. Audit statements also help to ensure that you audit events on all necessary computers and network devices to capture the intended action.

... Documenting the incident
Lab A: Designing an Incident Response Procedure
Objectives
After completing this lab, you will be able to apply security design concepts to incident response procedures.
Scenario
You are a consultant hired by Contoso Pharmaceuticals to ...

... attackers.
In addition, ensure that your team is:
Available 24 hours a day. Security incidents can occur at any time of the day or year. Ensure that your team is available to provide rapid response to incidents.
Trained in responding to security incidents. Individuals who have experience or training in responding to incidents will help your team respond ...
Posted: 18/01/2014, 05:20