Listing P097 - IMF 2006 - IT-Incident Management & IT-Forensics, by publication date
1 - 10 of 13
- Edited book
- Conference paper: Technical Development of Cyber Crime (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Schulz, Rolf.
- Conference paper: CarmentiS: A Co-Operative Approach Towards Situation Awareness and Early Warning for the Internet (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Grobauer, Bernd; Mehlau, Jens Ingo; Sander, Jürgen. Abstract: Although plenty of organizations collect sensor data such as IDS alerts or darknet flows, local analysis has its definite limits when it comes to deriving conclusions about happenings and trends within the Internet as a whole. CarmentiS, a joint effort of the early warning working group within the German CERT association, provides an infrastructure and organizational framework for sharing, correlating and cooperatively analyzing sensor data. The infrastructure allows organizations to submit sensor data (at the moment, net flows and IDS alerts are treated) over a secure channel to a central database. Cooperative analysis of the data is made possible via a secure web front end allowing analysts of participating CERTs to create and execute analysis profiles as well as share and discuss analysis results. Thus, correlating sensor data and pooling know-how and resources for analysis from different sites, CarmentiS provides a framework for a co-operative approach towards situation awareness and early warning for the Internet. This article gives an overview of the CarmentiS infrastructure and organizational framework, and describes the current status of the project. It also addresses open questions that can only be solved by experimenting with co-operative analysis and gives an outlook on possible further developments of the CarmentiS approach towards improved situation awareness and early warning.
- Conference paper: Incident Response and the Role of External Services (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Rigoni, Andrea. Abstract: Managing security is a complex task combining many aspects and services. While some of the services are usually operated internally by the hosting organisation, there are others that can be outsourced to security professionals and firms specialising in IT-security services. This document provides an overview of such services and discusses their options for operation.
- Conference paper: Pool Allocations as an Information Source in Windows Memory Forensics (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Schuster, Andreas. Abstract: The Microsoft Windows kernel provides a heap-like memory management, called "pools". Whenever some kernel-mode code requires an amount of memory, it is allocated from a pool. Ignoring the documented interface and searching the whole dump of physical memory for signatures of pool allocations allows the forensic examiner to gain information not only from currently active but also from freed and not yet overwritten allocations. Understanding the inner mechanics of memory pools enables an examiner to connect certain finds in memory to the originating piece of code. As an example, this article describes the steps necessary to detect traces of network activity in a memory dump.
- Conference paper: Detecting New Patterns of Attacks: Results and Applications of Large Scale Sensoring Networks (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Voss, Torsten; Kossakowski, Klaus-Peter. Abstract: It is still not clear how large scale sensoring networks can be turned into useful resources of incident response teams. Recent research has shown that the work of incident response teams is clearly exposed to denial of service attacks if the handling of low number / high priority incidents is not separated from the work related to high number / low priority incidents [WK05]. This would imply that handling the magnitude of data coming from large scale sensoring networks will pose concrete operational problems to any incident response team dealing with it. While there are some strategies to mitigate this problem, we believe that only selecting the 'interesting' events through filtering is not good enough and gives away useful insights that are inside the data but not yet obviously visible to an unaware observer. Therefore our research objective is to identify successful strategies for extracting useful data automatically out of large data sets. So far we have succeeded in improving a suggested algorithm and testing its application in an operational setting. This paper will outline the algorithm and any improvements made, as well as the key insights from its application.
- Conference paper: The Contribution of Tool Testing to the Challenge of Responding to an IT Adversary (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Lyle, James R. Abstract: The investigator is being presented with more data and more types of data to analyze. The investigator cannot work without tools. Tools are needed to acquire and analyze the data and solve the case. If the accuracy of any tools is successfully challenged in a court of law, then any results based on the tools can be suppressed and not presented. Even if an investigation is not going to any formal proceeding, the investigator wants to know the limitations of any tools used in an investigation. This can best be accomplished by an independent assessment of the tools. This paper describes the Computer Forensics Tool Testing (CFTT) project at the National Institute of Standards and Technology (NIST) in the United States. Currently, the CFTT project is developing tool specifications, test plans, test procedures, and test sets. The results provide the information necessary for toolmakers to improve tools, for users to make informed choices about acquiring and using computer forensics tools, and for interested parties to understand the tools' capabilities. Our approach for testing computer forensic tools is based on well-recognized international methodologies for conformance testing and quality testing.
- Conference paper: Establishing a Centre for Information Security: Experiences from the Trial Period and Recommendations to Similar Initiatives (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Line, Maria B.; Røstad, Lillian. Abstract: The Centre for Information Security, a national centre of competence, was initiated to reduce the overall vulnerability related to ICT systems in Norway. The trial period ran from 2002-2005, and the centre is now permanently established. This paper presents the centre as it was operated during the trial period. The main activities performed are described, together with experiences and lessons learned. Recommendations to similar initiatives to be established are provided.
- Conference paper: Monitoring of Incident Response Management Performance (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Line, Maria B.; Albrechtsen, Eirik; Johnsen, Stig Ole; Longva, Odd Helge; Hillen, Stefanie. Abstract: Monitoring the performance of incident response (IR) management is important input for improving the IR management system. A set of performance indicators, which assists monitoring in a proper way, is described regarding: the incident response management system; information security culture; number of incidents responded to; average time spent on responding; consequences of incidents; number of incidents of high loss; downtime of SCADA systems; total costs of incident response; and learning. The entire set of proposed indicators is well suited for monitoring the total incident response management of an organisation as it covers all parts of incident response management.
- Conference paper: Automated Resolving of Security Incidents as a Key Mechanism to Fight Massive Infections of Malicious Software (IT-Incident Management & IT-Forensics - IMF 2006, 2006). Kaiser, Jochen; Vitzthum, Alexander; Holleczek, Peter; Dressler, Falko. Abstract: Today, many end systems are infected with malicious software (malware). Often, infections will last for a long time due to missing (automated) detection or insufficient user knowledge. Even large organizations usually do not have the necessary security staff to handle all affected computers. Obviously, automated infections with malicious software cannot be handled by manual repair; new approaches are needed. One way to counter automatic mass infections is to semi-automate the incident management. Less important security incidents should be handled by the user himself, while serious incidents should be forwarded to qualified personnel. To enable the end user to resolve his own security incidents, both organizational and technical information have to be provided in a comprehensible way. This paper describes PRISM (Portal for Reporting Incidents and Solution Management), which consists of several components addressing the goal: a unit receiving security incidents in the IDMEF format, a component containing the logic for handling security incidents and corresponding remedies, and a component generating dynamic web pages presenting adequate solutions for recorded security incidents. PRISM was verified using case studies for universities, companies and end-user/provider scenarios.