Incident Response Team

The Experts below are selected from a list of 1569 Experts worldwide ranked by ideXlab platform

Roderick Mooi - One of the best experts on this subject based on the ideXlab platform.

  • Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the South African national research and education network (SANReN): a postmortem analysis of the memcached attack on the SANReN
    South African Institute of Computer Scientists and Information Technologists, 2018
    Co-Authors: I Burke, Alan Herbert, Roderick Mooi
    Abstract:

    Distributed Denial of Service (DDoS) attacks cause significant disruption on critical networks within South Africa. Timely detection and mitigation are a key concern for the SANReN Cyber Security Incident Response Team (CSIRT). This paper presents an analysis of the Memcached reflection DDoS attack which occurred in February 2018. The attack was the largest DDoS attack to date. By analysing the attack and the impact it had on the SANReN network, this paper aims to show how network flow data can be used to detect network attacks and perform post-attack analysis to prevent future network attacks. The attack timeline is divided into three main phases: pre-attack, peak attack period and post-attack residue.

  • SAICSIT - Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the South African national research and education network (SANReN): a postmortem analysis of the memcached attack on the SANReN
    Proceedings of the Annual Conference of the South African Institute of Computer Scientists and Information Technologists on - SAICSIT '18, 2018
    Co-Authors: I Burke, Alan Herbert, Roderick Mooi
    Abstract:

    Distributed Denial of Service (DDoS) attacks cause significant disruption on critical networks within South Africa. Timely detection and mitigation are a key concern for the SANReN Cyber Security Incident Response Team (CSIRT). This paper presents an analysis of the Memcached reflection DDoS attack which occurred in February 2018. The attack was the largest DDoS attack to date. By analysing the attack and the impact it had on the SANReN network, this paper aims to show how network flow data can be used to detect network attacks and perform post-attack analysis to prevent future network attacks. The attack timeline is divided into three main phases: pre-attack, peak attack period and post-attack residue.

  • Context for the SA NREN Computer Security Incident Response Team
    2016 IST-Africa Week Conference, 2016
    Co-Authors: Roderick Mooi, Reinhardt A. Botha
    Abstract:

    The South African (SA) National Research and Education Network (NREN) identified the requirement for a Computer Security Incident Response Team (CSIRT). This paper sets the context for the CSIRT by exploring the business requirements and associated decisions in five areas: the environment, constituency, authority, funding and legal considerations. The SA NREN CSIRT was categorised as an academic sector CSIRT serving the research and education community of South Africa with limited authority. The NREN comprises two organisations, and the corresponding embedded, but distributed, organisational model makes this CSIRT case particularly interesting. Various cost recovery options and relevant South African laws and regulations were also identified. The resulting “strategic” framework sets the scene for the remainder of the establishment process. This paper is useful to anyone desiring to establish a CSIRT, or equivalent capability, who can follow a similar process to discover where to begin.

  • ISSA - Prerequisites for building a Computer Security Incident Response capability
    2015 Information Security for South Africa (ISSA), 2015
    Co-Authors: Roderick Mooi, Reinhardt A. Botha
    Abstract:

    There are a number of considerations before one can commence with establishing a Computer Security Incident Response Team (CSIRT). This paper presents the results of a structured literature review investigating the business requirements for establishing a CSIRT. That is, the paper identifies those things that must be in place prior to commencing with the actual establishment process. These include characterising the CSIRT environment, funding, constituency, authority and legal considerations. Firstly, we identified authoritative CSIRT literature. Thereafter we identified salient aspects using a concept matrix. The study enumerates five areas of primary business requirements. Finally, a holistic view of the business requirements is provided by summarising the decisions required in each area.

Villacís-silva, César Javier - One of the best experts on this subject based on the ideXlab platform.

  • Aplicación de Inteligencia de Negocios para el análisis de vulnerabilidades en pro de incrementar el nivel de seguridad en un CSIRT académico
    'Universidad Pedagogica y Tecnologica de Colombia', 2018
    Co-Authors: Reyes-mena, Francisco Xavier, Fuertes-díaz, Walter Marcelo, Guzmán-jaramillo, Carlos Enrique, Pérez-estévez Ernesto, Bernal-barzallo, Paúl Fernando, Villacís-silva, César Javier
    Abstract:

    This study aimed at designing a potential solution through Business Intelligence for acquiring data and information from a wide variety of sources and utilizing them in the decision-making of the vulnerability analysis of an Academic CSIRT (Computer Security Incident Response Team). This study was developed in a CSIRT that gathers a variety of Ecuadorian universities. We applied the Action-Research methodology with a qualitative approach, divided into three phases: First, we qualitatively evaluated two intrusion detection analysis tools (Passive Scanner and Snort) to verify their advantages and their ability to be exclusive or complementary; simultaneously, these tools recorded the real-time logs of the Incidents in a MySQL relational database. Second, we applied Ralph Kimball's methodology to develop several routines that allowed applying the "Extract, Transform, and Load" process of the non-normalized logs that were subsequently processed by a graphical user interface. Third, we built a software application using Scrum to connect the obtained logs to the Pentaho BI tool, and thus, generate early alerts as a strategic factor. The results demonstrate the functionality of the designed solution, which generates early alerts, and consequently, increases the security level of the CSIRT members.

    This research aimed to design a decision-making solution using Business Intelligence that makes it possible to acquire data and information from a wide variety of sources and use them in decision-making for the vulnerability analysis of a computer security incident response team (CSIRT). The study was carried out in an Academic CSIRT that groups several member universities in Ecuador. To carry it out, the Action-Research methodology was applied with a qualitative approach, divided into three phases: First, a comparative evaluation was made of two intrusion analysis tools, Passive Vulnerability Scanner and Snort, which are used by the CSIRT, to verify their merits and whether they are mutually exclusive or complementary; the real-time logs of the incidents recorded by these tools were then stored in a MySQL relational database. Second, Ralph Kimball's methodology was applied to develop several routines that allow the "Extract, Transform and Load" process to be applied to the non-normalized logs, which would then be processed by a graphical interface. Third, a software application was built using the Agile Scrum methodology to perform an intelligent analysis of the logs obtained with the Pentaho BI tool, with the aim of generating early alerts as a strategic factor. The results show the functionality of this solution, which has generated early alerts and, consequently, has increased the security level of the member universities of the academic CSIRT.

  • Application of business intelligence for analyzing vulnerabilities to increase the security level in an academic CSIRT
    2018
    Co-Authors: Reyes-mena, Francisco Xavier, Fuertes-díaz, Walter Marcelo, Guzmán-jaramillo, Carlos Enrique, Pérez-estévez Ernesto, Villacís-silva, César Javier, Bernal-barzallo, Paúl Fernando
    Abstract:

    This study aimed at designing a potential solution through Business Intelligence for acquiring data and information from a wide variety of sources and utilizing them in the decision-making of the vulnerability analysis of an Academic CSIRT (Computer Security Incident Response Team). This study was developed in a CSIRT that gathers a variety of Ecuadorian universities. We applied the Action-Research methodology with a qualitative approach, divided into three phases: First, we qualitatively evaluated two intrusion detection analysis tools (Passive Scanner and Snort) to verify their advantages and their ability to be exclusive or complementary; simultaneously, these tools recorded the real-time logs of the Incidents in a MySQL relational database. Second, we applied Ralph Kimball's methodology to develop several routines that allowed applying the "Extract, Transform, and Load" process of the non-normalized logs that were subsequently processed by a graphical user interface. Third, we built a software application using Scrum to connect the obtained logs to the Pentaho BI tool, and thus, generate early alerts as a strategic factor. The results demonstrate the functionality of the designed solution, which generates early alerts, and consequently, increases the security level of the CSIRT members.

    This research aimed to design a decision-making solution using Business Intelligence that makes it possible to acquire data and information from a wide variety of sources and use them in decision-making for the vulnerability analysis of a computer security incident response team (CSIRT). The study was carried out in an Academic CSIRT that groups several member universities in Ecuador. To carry it out, the Action-Research methodology was applied with a qualitative approach, divided into three phases: First, a comparative evaluation was made of two intrusion analysis tools, Passive Vulnerability Scanner and Snort, which are used by the CSIRT, to verify their merits and whether they are mutually exclusive or complementary; the real-time logs of the incidents recorded by these tools were then stored in a MySQL relational database. Second, Ralph Kimball's methodology was applied to develop several routines that allow the "Extract, Transform and Load" process to be applied to the non-normalized logs, which would then be processed by a graphical interface. Third, a software application was built using the Agile Scrum methodology to perform an intelligent analysis of the logs obtained with the Pentaho BI tool, with the aim of generating early alerts as a strategic factor. The results show the functionality of this solution, which has generated early alerts and, consequently, has increased the security level of the member universities of the academic CSIRT.

  • Aplicação de Inteligência de Negócios para a análise de vulnerabilidades em prol de incrementar o nível de segurança em um CSIRT acadêmico
    'Universidad Pedagogica y Tecnologica de Colombia', 2018
    Co-Authors: Reyes-mena, Francisco Xavier, Fuertes-díaz, Walter Marcelo, Guzmán-jaramillo, Carlos Enrique, Pérez-estévez Ernesto, Bernal-barzallo, Paúl Fernando, Villacís-silva, César Javier
    Abstract:

    1 online resource (pages 21-29).

    This study aimed at designing a potential solution through Business Intelligence for acquiring data and information from a wide variety of sources and utilizing them in the decision-making of the vulnerability analysis of an Academic CSIRT (Computer Security Incident Response Team). This study was developed in a CSIRT that gathers a variety of Ecuadorian universities. We applied the Action-Research methodology with a qualitative approach, divided into three phases: First, we qualitatively evaluated two intrusion detection analysis tools (Passive Scanner and Snort) to verify their advantages and their ability to be exclusive or complementary; simultaneously, these tools recorded the real-time logs of the Incidents in a MySQL relational database. Second, we applied Ralph Kimball’s methodology to develop several routines that allowed applying the “Extract, Transform, and Load” process of the non-normalized logs that were subsequently processed by a graphical user interface. Third, we built a software application using Scrum to connect the obtained logs to the Pentaho BI tool, and thus, generate early alerts as a strategic factor. The results demonstrate the functionality of the designed solution, which generates early alerts, and consequently, increases the security level of the CSIRT members.

    This research aimed to design a decision-making solution using Business Intelligence that makes it possible to acquire data and information from a wide variety of sources and use them in decision-making for the vulnerability analysis of a computer security incident response team (CSIRT). The study was carried out in an Academic CSIRT that groups several member universities in Ecuador. To carry it out, the Action-Research methodology was applied with a qualitative approach, divided into three phases: First, a comparative evaluation was made of two intrusion analysis tools, Passive Vulnerability Scanner and Snort, which are used by the CSIRT, to verify their benefits and whether they are mutually exclusive or complementary; the real-time logs of the incidents recorded by these tools were then stored in a MySQL relational database. Second, Ralph Kimball's methodology was applied to develop several routines that allow the "Extract, Transform and Load" process to be applied to the non-normalized logs, which would then be processed by a graphical interface. Third, a software application was built using the Agile Scrum methodology to perform an intelligent analysis of the logs obtained with the Pentaho BI tool, with the aim of generating early alerts as a strategic factor. The results show the functionality of this solution, which has generated early alerts and, consequently, has increased the security level of the member universities of the academic CSIRT.

    Bibliography: page 29

Sangjun Lee - One of the best experts on this subject based on the ideXlab platform.

  • An Exploratory Investigation of Factors Affecting Computer Security Incident Response Team Performance
    Americas Conference on Information Systems, 2004
    Co-Authors: Younghwa Lee, Sangjun Lee
    Abstract:

    There has been a huge amount of organizational investment to cope with computer security incidents, but the incidents continue and are expected to increase. Computer security incidents in organizations are primarily dealt with by computer security incident response teams (CSIRTs). How the team successfully develops and operates is critical for effective and efficient responses to the incidents. However, no studies have been conducted in that context. This study investigates the factors affecting CSIRT performance based on team performance and crisis management literature, through a field study using the Delphi method and a questionnaire survey. The data are analyzed using Hierarchical Linear Modeling (HLM). We expect the study will provide a useful theoretical framework and practical implications to understand CSIRT performance and thus successfully counteract computer security incidents.

  • AMCIS - An Exploratory Investigation of Factors Affecting Computer Security Incident Response Team Performance.
    2004
    Co-Authors: Younghwa Lee, Sangjun Lee
    Abstract:

    There has been a huge amount of organizational investment to cope with computer security incidents, but the incidents continue and are expected to increase. Computer security incidents in organizations are primarily dealt with by computer security incident response teams (CSIRTs). How the team successfully develops and operates is critical for effective and efficient responses to the incidents. However, no studies have been conducted in that context. This study investigates the factors affecting CSIRT performance based on team performance and crisis management literature, through a field study using the Delphi method and a questionnaire survey. The data are analyzed using Hierarchical Linear Modeling (HLM). We expect the study will provide a useful theoretical framework and practical implications to understand CSIRT performance and thus successfully counteract computer security incidents.

Heather Young - One of the best experts on this subject based on the ideXlab platform.

  • Computer Security Incident Response Team Effectiveness: A Needs Assessment.
    Frontiers in psychology, 2017
    Co-Authors: Rick Van Der Kleij, Geert Kleinhuis, Heather Young
    Abstract:

    Computer security incident response teams (CSIRTs) respond to a computer security incident when the need arises. Failure of these teams can have far-reaching effects for the economy and national security. CSIRTs often have to work on an ad-hoc basis, in close cooperation with other teams, and in time-constrained environments. It could be argued that under these working conditions CSIRTs would be likely to encounter problems. A needs assessment was done to see to what extent this argument holds true. We constructed an incident response needs model to assist in identifying areas that require improvement. We envisioned a model consisting of four assessment categories: Organization, Team, Individual and Instrumental. Central to this is the idea that both problems and needs can have an organizational, team, individual, or technical origin, or a combination of these levels. To gather data we conducted a literature review. This resulted in a comprehensive list of challenges and needs that could hinder or improve, respectively, the performance of CSIRTs. Then, semi-structured in-depth interviews were held with team coordinators and team members of five public and private sector Dutch CSIRTs to ground these findings in practice and to identify gaps between current and desired incident handling practices. This paper presents the findings of our needs assessment and ends with a discussion of potential solutions to problems with performance in incident response.

Michael Erbschloe - One of the best experts on this subject based on the ideXlab platform.

  • The Role of the Incident Response Team
    Physical Security for IT, 2005
    Co-Authors: Michael Erbschloe
    Abstract:

    This chapter discusses how the incident response process works and how entries should be made in the response team log. This chapter also covers the steps for managing the response to an incident. These include the initial steps of receipt of a first report, confirmation of the incident, and mobilization of the response team. Each of the steps necessary to resolve the incident after confirmation is covered, including notifying appropriate managers, using alert systems, informing personnel that may be affected by the incident, preserving evidence, and calling in law enforcement. Individuals who are members of a physical IT security incident response team need not work full time on the team. In fact, most teams are formed out of IT staff and personnel from other divisions, and go into action when an event occurs. The physical IT security incident response team can have a significant role in responding to a natural disaster or a deliberate damaging incident. The response team plays a role in evaluating and executing mitigation efforts. This involvement will make the team members more aware of the environment in which they may need to respond to an incident.

  • Developing an IT Physical Security Plan
    Physical Security for IT, 2005
    Co-Authors: Michael Erbschloe
    Abstract:

    The chapter describes the steps to developing a physical security plan and includes an overview of the planning process and methods for plan development. Integrating the physical IT security plan with other security plans is an important part of the planning process. The integration approaches also save time and money by utilizing risk exposure analyses that have been performed. The physical security plan should be integrated with cyber security planning, disaster security planning, business continuity planning, organization risk management and insurance planning, and Incident Response Team planning and development. The material in this chapter shows how to move forward in developing physical IT plans and procedures. At the end of the chapter, steps are given that organizations can take to improve the physical security of IT assets.

  • Model Training Program for Organization Staff
    Physical Security for IT, 2005
    Co-Authors: Michael Erbschloe
    Abstract:

    Education, training, and awareness are all necessary for the successful implementation of any information security program. These three elements are related, but they involve distinctly different levels of learning. A model training program for physical IT security is presented in this chapter. This includes training for IT professionals, how to provide basic information on physical security for IT assets, training modules for non-security employees, how to identify potential threats, what to do if there is suspicious behavior, what to expect from the Incident Response Team, how the internal alert system works, and what employees should do if the organization is on alert. The chapter discusses how one can achieve their training needs. Training for IT and security professionals is essential for effectively implementing a physical IT security program.

  • Trojans, Worms, and Spyware: A Computer Security Professional's Guide to Malicious Code
    2004
    Co-Authors: Michael Erbschloe
    Abstract:

    Preface; Dedication; Acknowledgements; Introduction.
    Chapter One: Malicious Code Overview. Why Malicious Code Attacks are Dangerous; The Impact of Malicious Code Attacks on Corporate Security; Why Malicious Code Attacks Work; Flaws in Software; Weaknesses in System and Network Configurations; Social Engineering; Human Error and Foolishness; Hackers, Thieves, and Spies; Action Steps to Combat Malicious Code Attacks.
    Chapter Two: Types of Malicious Code. Email Viruses; Trojans; Back Doors; Worms; Blended Threats; Time Bombs; Spy Ware; Ad Ware; Steal Ware; Action Steps to Combat Malicious Code Attacks.
    Chapter Three: Review of Malicious Code Incidents. Historic Tidbits; The Morris Worm; Melissa; Love Bug; Code Red(s); SirCam; Nimda; Slammer; The Summer of 2003 Barrage of Blaster, Sobig and More; Early 2004 with MyDoom, Netsky and More; Action Steps to Combat Malicious Code Attacks.
    Chapter Four: Basic Steps to Combat Malicious Code. Understanding the Risks; Using Security Policies to Set Standards; System and Patch Updates; Establishing a Computer Incident Response Team; Training for IT Professionals; Training End Users; Applying Social Engineering Methods in an Organization; Working with Law Enforcement Agencies; Action Steps to Combat Malicious Code Attacks.
    Chapter Five: Organizing for Security, Prevention, and Response. Organization of the IT Security Function; Where Malicious Code Prevention Fits Into the IT Security Function; Staffing for Malicious Code Prevention in IT; Budgeting for Malicious Code Prevention; Evaluating Products for Malicious Code Prevention; Establishing and Utilizing an Alert System; Establishing and Utilizing a Reporting System; Corporate Security and Malicious Code Incident Investigations; Action Steps to Combat Malicious Code Attacks.
    Chapter Six: Controlling Computer Behavior of Employees. Policies on Appropriate Use of Corporate Systems; Monitoring Employee Behavior; Site Blockers and Internet Filters; Cookie and Spyware Blockers; Pop Up Blockers; Controlling Downloads; SPAM Control; Action Steps to Combat Malicious Code Attacks.
    Chapter Seven: Responding to a Malicious Code Incident. The First Report of a Malicious Code Attack; The Confirmation Process; Mobilizing the Response Team; Notifying Management; Using an Alert System and Informing End-Users; Clean Up and Restoration; Controlling and Capturing Malicious Code; Identifying the Source of Malicious Code; The Preservation of Evidence; When to Call Law Enforcement; Enterprise Wide Eradication; Returning to Normal Operations; Analyzing Lessons Learned; Action Steps to Combat Malicious Code Attacks.
    Chapter Eight: Model Training Program for End-Users. Explaining Why the Training is Important; Explaining the Appropriate Use Policy for Computers and Networks; Explaining How the Help Desk and PC Support of the Organization Works; Covering the Basic Dos and Don'ts of Computer Usage to Prevent Attacks; Providing Basic Information about Malicious Code; Explaining How to Identify Potentially Malicious Code; Explaining What Employees Should Do if They Suspect Code is Malicious; Explaining What Employees Should Expect From the IT Department During Incident Response; Performing the Administrative Aspects of a Training Program; Action Steps to Combat Malicious Code Attacks.
    Chapter Nine: The Future of Malicious Code. Military Style Information Warfare; Open Source Information Warfare; Militancy and Social Action; Homeland Security Efforts; Action Steps to Combat Malicious Code Attacks.
    Index. Appendix A: Computer Security Resources.