Advanced Security and Beyond



Chapter 13: Advanced Security and Beyond
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
• Define computer forensics
• Respond to a computer forensics incident
• Harden security through new solutions
• List information security jobs and skills

Understanding Computer Forensics
• Computer forensics can attempt to retrieve information, even if it has been altered or erased, that can be used in the pursuit of the criminal
• The interest in computer forensics is heightened:
  – High amount of digital evidence
  – Increased scrutiny by the legal profession
  – Higher level of computer skills among criminals

Forensics Opportunities and Challenges
• Computer forensics creates opportunities to uncover evidence that would be impossible to find using a manual process
• One reason computer forensics specialists have this opportunity is the persistence of evidence
  – Electronic documents are more difficult to dispose of than paper documents

Forensics Opportunities and Challenges (continued)
• Ways computer forensics differs from standard investigations:
  – Volume of electronic evidence
  – Distribution of evidence
  – Dynamic content
  – False leads
  – Encrypted evidence
  – Hidden evidence

Responding to a Computer Forensics Incident
• Generally involves four basic steps similar to those of standard forensics:
  – Secure the crime scene
  – Collect the evidence
  – Establish a chain of custody
  – Examine and preserve the evidence

Securing the Crime Scene
• The physical surroundings of the computer should be clearly documented
• Photographs of the area should be taken before anything is touched
• Cables connected to the computer should be labeled to document the computer's hardware components and how they are connected
• The team takes custody of the entire computer along with the keyboard and any peripherals

Preserving the Data
• The computer forensics team first captures any volatile data that would be lost when the computer is turned off and moves it to a secure location
• This includes any data not recorded in a file on the hard drive or in an image backup:
  – Contents of RAM
  – Current network connections
  – Logon sessions
  – Network configurations
  – Open files

Preserving the Data (continued)
• After retrieving volatile data, the team focuses on the hard drive
• A mirror image backup (or bit-stream backup) is an evidence-grade backup because its accuracy meets evidence standards
• Mirror image backups are considered a primary key to uncovering evidence; they create exact replicas of the computer's contents at the crime scene
• Mirror image backups must meet the criteria shown on pages 452 and 453 of the text

Establishing the Chain of Custody
• As soon as the team begins its work, it must start and maintain a strict chain of custody
• The chain of custody documents that evidence was under strict control at all times and that no unauthorized person was given the opportunity to corrupt the evidence

Examining Data for Evidence
• [...] for digital evidence includes looking at "obvious" files and e-mail messages

Examining Data for Evidence (continued)
• Slack is another source of hidden data
• Windows computers use two types of slack
• RAM [...]

Hardening Security Through New Solutions
• The number of attacks reported, the sophistication of attacks, and the speed at which they spread continue to grow
• Recent [...]
• [...] on pages 457 and 458 of the text
• Defenders are responding to the increase in the level and number of attacks
• New techniques and security devices are helping to defend networks and systems
• The most recent developments and announcements are listed on pages 458 and 459 of the text

Routers
• Routers form the heart of a TCP/IP network
• Configuring routers for both packet transfer and packet filtering can become very involved

Exploring Information Security Jobs and Skills
• The need for information security workers will continue to grow, especially in computer forensics
• Skills needed in these areas include knowledge of TCP/IP, packets, firewalls, routers, IDS, and penetration testing

Exploring Information Security Jobs and Skills (continued)
• Most industry experts agree that security certifications continue to be important
• Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses

Computer Forensic Skills
• Computer forensic specialists require an additional level of training and skills:
  – Basic forensic examinations
  – Advanced forensic examinations
  – Incident responder skills
  – Managing computer investigations

Other Skills
• A programming background is another helpful tool for security workers
• Security workers should also be familiar with penetration testing
  – Once known as "ethical hacking," it probes for vulnerabilities in systems, networks, and applications

Summary
• Forensic science is the application of science to questions of interest to the legal profession
• Several [...]
• [...] that are not found in standard evidence gathering, including the volume of electronic evidence, how it is scattered in numerous locations, and its dynamic content
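To make the two preservation points above concrete (a bit-stream image is evidence-grade only if its hash matches the original media, and a chain of custody must record every handover in a way that cannot be quietly altered), here is an added Python example that is not part of the original slides. The sample media bytes, custodian names and actions are constructed placeholders, and the hash-linked log layout is this example's own design, not a format the text prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone
# Constructed sample "media" (not real disk data): allocated text, then an unallocated region holding leftover bytes.
ORIGINAL_MEDIA = b"evidence.txt contents\n" * 8 + b"\x00" * 37 + b"deleted-but-still-here"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def bit_stream_copy(media: bytes) -> bytes:
    """Byte-for-byte copy: unallocated and slack areas are duplicated too."""
    return bytes(media)

def file_level_copy(media: bytes) -> bytes:
    """Illustrative file-level backup: keeps only the allocated text, so it
    drops the unallocated region and cannot match the original's hash."""
    return media[: media.rfind(b"deleted-but-still-here")].rstrip(b"\x00")

def verify_image(original_hash: str, image: bytes) -> bool:
    """An image meets the accuracy standard only if its hash equals the
    hash taken of the original media before imaging."""
    return sha256_hex(image) == original_hash

def add_custody_entry(log: list, action: str, custodian: str, image_hash: str) -> dict:
    """Append a chain-of-custody entry that commits to the previous entry,
    so later alteration of any entry is detectable."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "custodian": custodian,
        "image_sha256": image_hash,
        "prev_entry_hash": prev,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def custody_log_intact(log: list) -> bool:
    """Recompute each entry's hash and check the link to its predecessor."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_entry_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

In practice the "original hash" is taken from the write-blocked source device before imaging and recorded in the first custody entry, so any later copy can be checked against it.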

Posted: 17/09/2012, 10:43
