Investigating an Internal Case of Internet Abuse
I was recently required to investigate an incident of Internet abuse that led to the discovery that one of our own administrators was a security risk. Though this investigation was triggered by an incidence of "Internet abuse", the tools used and lessons learned are relevant for many types of security incident that require an internal investigation to discover the offender. This essay describes the detection, investigation and various tools used to collect the evidence. Lessons learned from the investigation are included, as well as some useful resources for security investigators so they can be more prepared when they deal with internal computer security incidents.
Information Security: Handling Compromises
As the Information Systems Security Manager (ISSM) for an organization within DoD, I am responsible for ensuring the overall security stance of our network. This includes physical security and network security. Part of maintaining our security stance is ensuring that information considered sensitive to national security does not reside on the unsecured network.
Nailing the Intruder
This paper is an attempt to link the various aspects of evidence relating to computer crime, the sources of such evidence and some tips on how to identify systems compromised and cull out evidence from the same.
One Incident Of Remediating The CRC 32 sshd1 Vulnerability
The purpose of this paper is to document the process I used to respond to the CRC32 sshd1 vulnerability. My operating environment is primarily Solaris and Linux, with a small percentage of HPUX and OpenBSD. Most systems are behind a corporate firewall, but a few are on the Internet and used as data transfer points. This is only the process I used, and not the only acceptable response. I will document the four steps I used and my results.
Proposed Conceptual Tools for Managing Cost and Complexity When Securing Networks
This paper will describe the cost and complexity issues facing security professionals, outline the desired outcome in facing these issues, and finally will suggest initial proposals for reaching those goals.
Reporting Unauthorized Intrusions
When an incident happens you may not have the time or focus to search for the proper way of reporting it or the authorities to which it should be reported. This document will provide such information in a few simple steps.
Secure File Deletion, Fact or Fiction?
This paper will deal with how and where some of these files are created and how to securely remove them from a system. Microsoft Windows operating systems and associated applications will be the main focus. This paper is divided into two main sections; the first section is designed to be a primer on the types of information that can be found on a hard drive.
Successful Partnerships for Fighting Computer Crime
Given the wide range of possible criminal activities in the high technology arena, computer security officers need to be prepared to respond to computing incidents that are not only against the local acceptable use policy for computers and networks, but also violate federal, state or local statutes.
The Coroner's Toolkit - In depth
In this paper I will describe evidence gathering on a Unix system using "The Coroner's Toolkit" version 1.09, hereafter referred to as TCT. TCT can be downloaded freely from porcupine.org/forensics/tct.html. The two types of evidence I will focus on are ephemeral and static evidence. Ephemeral evidence refers to evidence which generally doesn't last a long time.
The Enemy Within: The Role of the Security Administrator in Apprehending and Terminating the Malicious Insider
The following information is set forth to generally describe the tools available to security administrators to facilitate the apprehension and participate in the resolution of internal threats to your organization's sensitive or restricted resources. This discussion will include references to United States Labor Code and California state law. It must be stated clearly and unequivocally that I am not a lawyer. The information contained herein is meant to serve as a guideline reference. Nothing in this document should be relied upon without consulting your own or your company's counsel.