When an unauthorized incident occurs against your network, such as an attacker breaking though your network’s defenses, an appropriate response is required. The response to the intrusion includes using forensic science to properly respond to the event.

Forensic science, or forensics, is the application of science to problems that are of interest to the legal profession and deals mainly with the recovery and analysis of evidence. Computer forensics attempts to retrieve information that can be used in pursuit of the attacker or criminal.

Computer forensics is also called digital forensics because its uses techniques to identify, collect, examine and preserve information or evidence, which is magnetically stored or encoded.

When your team responds to a criminal event that requires an examination using computer forensics, there are generally four basic steps that are followed.

1. Secure the crime scene
2. Collect and preserve evidence
3. Establish a chain of custody
4. Examine evidence

The first step in reacting to a computer forensics incident is for the first responders to secure the crime scene. The response team should document the physical surroundings of the computer or electronic device that is suspected of containing digital evidence. This includes photographing the area from different angles before anything is touched and labeling cables connected to the computer.

Additionally, the team should interview anyone who had access to the computer and take custody of the entire computer along with the keyboard, external memory devices, and peripherals.

Since digital evidence is easily altered or destroyed, only properly trained computer evidence specialists should process computer evidence in order to ensure that integrity is maintained and the data obtained can withstand scrutiny in a court of law.

The computer forensics team should capture any data that may be lost when the computer is turned off including:

• RAM contents
• Current network connections
• Logon sessions
• Network configurations
• Open files

After the volatile data is preserved the team should create a mirror image backup of the hard drive. A mirror image backup, or bit-stream backup, is an evidence-grade backup that is admissible in court and must be done in a controlled manner by trained professional.

Establishing the chain of custody documents who had access to the evidence and when. Serial numbers should be recorded and the evidence should be kept under strict control at all times.

Finally, after the mirror image is created and the original system is secured, then the mirror image is examined to reveal evidence.

All data should be investigated for clues including:

• Word processing documents
• Spreadsheets
• Emails
• Caches
• Cookies
• Metadata
• Database entries

Additional sources of hidden clues may come from RAM Slack or Drive Slack. When Windows computers use memory to process data information that has been created, viewed, modified, downloaded, or copied it may still be available.

______________________

The author is a computer security professional with experience protecting small business and home networks. He also teaches the basics of computer network security at 365 Computer Security Training where he blogs regularly and creates video training and educational materials related to information security. Learn more at http://www.365ComputerSecurityTraining.com

______________________

Article Source: http://EzineArticles.com/

Overview:

This article will define a network management strategy for managing the network. It is necessary to define how the equipment is going to be monitored and determine if the current management strategy is adequate or if new applications, equipment, protocols and processes must be identified. Management components are then integrated with infrastructure and security. These primary elements comprise any well-defined management strategy and should be considered when developing your strategy.

Network Management Strategy

• Network Management Groups
• SNMP Applications
• Monitored Devices and Events

Network Management Groups

• Fault
• Performance
• Device
• Security
• Change
• Configuration
• Implementation

Fault Management

This describes the pro-active monitoring of devices, circuits and servers for errors. It specifies what events are monitored and thresholds for generating alarms. Once the alarms are generated, there is an escalation process for addressing any errors. It could be a circuit problem, a router interface or a server link. Service level agreements with local loop providers and long distance IXC for circuit repair are important as is vendor equipment repair contracts. Out-of-band router management allows troubleshooting and configuration of routers with an attached modem. The support technician doesn’t rely on the primary circuit to reach the router. They will utilize a separate analog dial line with a modem connected to the auxiliary port at the router. Escalation support processes are defined that are used by the network operations center (NOC) employees for effective problem resolution. These are some typical support activities:

• Established Tier support levels with job responsibilities well defined for each Tier group
• Defined severity levels and what Tier group is responsible
• Defined response times for severity levels
• Applications for trouble tickets
• Established troubleshooting procedures for employees
• Root Cause Analysis
• Survey support groups for skill levels, identify deficiencies and plan for training programs to address that

Performance Management

This describes the pro-active monitoring of device, circuit and server performance levels. That translates to monitoring and reporting on trends with device CPU, memory and link utilization, circuit bandwidth utilization, server CPU, memory and disk input/output rate. As well campus segments and device interfaces should be monitored for collisions, CRC errors and packet drops. Bandwidth capacity planning is an on-going process of monitoring bandwidth utilization trends for the enterprise network and consideration of business growth estimates. That information is utilized for developing a provisioning strategy addressing company bandwidth capacity needs. The dynamic nature of an enterprise network is such that new locations, employees and application deployments will increase network traffic and utilize available bandwidth. Trend monitoring tools are typically run from the network operations center and focus on enterprise traffic patterns and performance of circuits, routers and switches.

RMON is a popular protocol that is utilized for monitoring router, switch and campus segment performance with probes at various offices across the enterprise. Information can be collected at all layers of the OSI model for statistics on utilizations, packet size and errors. In addition there are specific SNMP applications designed for bandwidth capacity planning. The bandwidth provisioning strategy could involve faster campus and WAN equipment, increased bandwidth for circuits, quality of service protocols or a combination of any of those elements.

Security Management

This describes the management of device and server security that is consistent with the policies of the corporation. Typical devices are firewalls, routers, switches, TACACS servers and RADIUS servers. Security includes community strings, password assignment, change policy, dial security and Internet security.

Device Management

This describes the maintenance of a database inventory that lists all campus and WAN devices, modules, serial numbers, IOS versions, server documentation and design. It is important that companies keep information on these assets for support and warranty issues.

Configuration Management

This describes the process of configuring, and documenting devices, circuits and servers on the enterprise network. A process for configuring new equipment, modifying current equipment and maintaining TFTP servers should be established. Those scripts should be saved to TFTP servers and documented for later use with subsequent configurations. Build a directory structure with a folder for each equipment type and subdirectories for model types.

Change Management

This describes a process for approving and coordinating device configuration changes and is essential for network availability. Staff members that make unapproved changes without alerting affected departments can cause problems if the changes don’t work and are made during busier times of the day. Any changes to the production network should involve at least the network operation center and someone from the engineering group. As well it could be important to let the application developers know of network changes. Any change management process should have these components:

Review Process

• Affected departments consider impact of changes and discuss concerns
• Proof of concept and quality assurance testing
• Develop a timeline for changes approved by all departments
• Departments plan contingencies should there be network issues
• Approval process: software manages and records approvals from groups
• Pro-active monitoring of unauthorized changes

Implementation Management

This describes the process for managing new implementations such that there is no disruption to the production network and the implementation is efficient and effective. These are some network operations center (NOC) activities that should be part of any typical implementation management strategy. Consider vendor support contracts for support with configuration scripts, testing, and design since that will promote an effective implementation.

Standard Network Operations Center Activities:

1. Turn on circuits and ping all new devices to verify connectivity
2. Modify SNMP applications at network operations center for pro-active fault and performance monitoring of new devices
3. Verify devices are SNMP enabled and security is applied
4. Update the inventory database and save configuration scripts to a TFTP server

SNMP Applications

There are a myriad of SNMP applications on the market that focus on managing servers, devices and circuits. An enterprise customer will sometimes employ several applications including their own software that address each management group. The SNMP version that is implemented should be noted at each device and server. This is a list of popular commercial applications and how they could be utilized.

Monitored Devices and Events

Typical devices such as routers, switches and circuits are configured and monitored with SNMP applications. Thresholds are defined for each event that will trigger an alarm when that is exceeded. A polling interval is configured for each event, which describes the time interval between sending of status information from device to network management station. An example would be a router CPU utilization threshold of 60% and a polling interval of 10 minutes.

_____________

Shaun Hummel is the author of Network Planning and Design Guide and has a web site focused on information technology job search solutions and certifications:  http://www.networkjobsolutions.com

Article Source: EzineArticles.com

Monitoring network security is a task that is not just for the big computer companies. More small businesses are running a computer network that needs to be constantly checked. More people are working from home and have to network their computers. They need to make sure that their system is safe from intruders to protect their personal information as well as their client’s information.

In an age where connectivity is in the layman’s hands, where computers the world over work on the same platform, and where linkage happens on scales unimaginable a decade earlier, it’s no wonder that there is an opening in a wide, unknown universe – that of networks. It is this same ‘unknown’ element that makes this sector such a dynamic one, and protecting your ‘doors’ that open into this world is a must, through monitoring network security.

Network monitoring is the key to ensuring efficiency and to keep an eye on the proper running of all tasks pertinent to the world of networks. It enables proper monitoring of all resources and aspects of a network, whether it is a single-server system in a home, or a more complicated, extended network for an enterprise, or even on the scales of LAN and WAN networks. Monitoring network security takes place on numerous levels, and can be done by the network administrator, through dedicated software packages, and also through a remote monitoring service.

Security monitoring takes place through various means, and some of the things that are checked often are firewalls, intrusion-detection systems, log files, website and system and application events, among others.

Security options are available on all network monitoring software packages, and these scan the system for breaches and other intrusions. Bots, worms, Trojans, and sometimes viruses that escape the antivirus program’s scanning can harm a network, affecting bandwidth and performance, resulting in problems encountered by users and clients.

Security services, on the other hand, work almost in a proactive way to make sure that little problems like the big ones do not go unnoticed and are catered to in due time before a problem should occur. Security can also be compromised through ‘mundane’ happenings, such as installation of unauthorized applications and equipment, use of peer-to-peer programs, over-full hard drives, and probes and scans directed at an Internet connection from the outside.

Monitoring network security helps to prevent problems, and also aids in defense against malicious attacks, insure against unnecessary risks, and also by providing awareness as to what is really happening across a network.

___________

Free Network Monitoring Software is vital for any computer network! For simple straight forward techniques to make sure your network is working properly rush over to http://www.NetworkMonitoringServices.org/!

___________

Article Source: EzineArticles.com

Computers are vitally important to today’s society which leads to a need for greater security and people trained and certified in this type of security. If you are looking into furthering your career in security, a CISSP certification is a universally respected qualification. There are, of course, prerequisites for the certification, besides the obvious training – which can be completed through CBT.

CISSP stands for Certified Information System Security Professional and it is the qualification issued by (ISC)2, a non-profit organisation specifically created to provide an independent body to certify information security qualifications.

In order to sit for a CISSP certification, you must first have worked for a minimum of five years full-time work in information security. Alternatively four years of experience is accepted if you have a four year or advanced degree (i.e. a Masters) in the discipline or if you have any one of the approved qualifications, which include the MCSE certification.

In addition to this, as it is a security qualification, all candidates need to answer four questions about criminal history and background as a matter of course.

In order to pass the CISSP examination, you will need to have a scaled score of 700 points or more. To train for this there are computer based training options available online and on DVD so you can work the courses around your life making studying for this qualification a lot easier.

You will also require an endorsement from someone who already holds an (ISC)2 certification and can attest to your professional experience in the field. This person must be in ‘good standing’ meaning that they hold to the (ISC)2 code of ethics and maintain their maintenance payments and continuing professional education (CPE) submissions.

The CISSP certification is globally acknowledged and indicates to your employers that, not only do you understand information security, but you are committed to the profession. If you want to stand out from the crowd then CISSP might be the way to go.

To learn more about what is involved in CISSP and to find CISSP CBT options, take a look at http://www.cvision.co.uk.

Article Source: EzineArticles.com

Overview

These are the 5 primary security groups that should be considered with any enterprise security model. These include security policy, perimeter, network, transaction and monitoring security. These are all part of any effective company security strategy. Any enterprise network has a perimeter that represents all equipment and circuits that connect to external networks both public and private. The internal network is comprised of all the servers, applications, data, and devices used for company operations. The demilitarized zone (DMZ) represents a location between the internal network and the perimeter comprised of firewalls and public servers. It that allows some access for external users to those network servers and denies traffic that would get to internal servers. That doesn’t mean that all external users will be denied access to internal networks. On the contrary, a proper security strategy specifies who can access what and from where. For instance telecommuters will use VPN concentrators at the perimeter to access Windows and Unix servers. As well business partners could use an Extranet VPN connection for access to the company S/390 Mainframe. Define what security is required at all servers to protect company applications and files. Identify transaction protocols required to secure data as it travels across secure and non-secure network segments. Monitoring activities should then be defined that examine packets in real time as a defensive and pro-active strategy for protecting against internal and external attacks. A recent survey revealed that internal attacks from disgruntled employees and consultants are more prevalent than hacker attacks. Virus detection should then be addressed since allowed sessions could be carrying a virus at the application layer with an e-mail or a file transfer.

Security Policy Document

The security policy document describes various policies for all employees that use the enterprise network. It specifies what an employee is permitted to do and with what resources. The policy includes non-employees as well such as consultants, business partners, clients and terminated employees. In addition security policies are defined for Internet e-mail and virus detection. It defines what cyclical process if any is used for examining and improving security.

Perimeter Security

This describes a first line of defense that external users must deal with before authenticating to the network. It is security for traffic whose source and destination is an external network. Many components are used to secure the perimeter of a network. The assessment reviews all perimeter devices currently utilized. Typical perimeter devices are firewalls, external routers, TACACS servers, RADIUS servers, dial servers, VPN concentrators and modems.

Network Security

This is defined as all of the server and legacy host security that is implemented for authenticating and authorizing internal and external employees. When a user has been authenticated through perimeter security, it is the security that must be dealt with before starting any applications. The network exists to carry traffic between workstations and network applications. Network applications are implemented on a shared server that could be running an operating system such as Windows, Unix or Mainframe MVS. It is the responsibility of the operating system to store data, respond to requests for data and maintain security for that data. Once a user is authenticated to a Windows ADS domain with a specific user account, they have privileges that have been granted to that account. Such privileges would be to access specific directories at one or many servers, start applications, and administer some or all of the Windows servers. When the user authenticates to the Windows Active Directory Services distributed it is not any specific server. There is tremendous management and availability advantages to that since all accounts are managed from a centralized perspective and security database copies are maintained at various servers across the network. Unix and Mainframe hosts will usually require logon to a specific system, however the network rights could be distributed to many hosts.

·  Network operating system domain authentication and authorization

·  Windows Active Directory Services authentication and authorization

·  Unix and Mainframe host authentication and authorization

·  Application authorization per server

·  File and data authorization

Transaction Security

Transaction security works from a dynamic perspective. It attempts to secure each session with five primary activities. They are non-repudiation, integrity, authentication, confidentiality and virus detection. Transaction security ensures that session data is secure before being transported across the enterprise or Internet. This is important when dealing with the Internet since data is vulnerable to those that would use the valuable information without permission. E-Commerce employs some industry standards such as SET and SSL, which describe a set of protocols that provide non-repudiation, integrity, authentication and confidentiality. As well virus detection provides transaction security by examining data files for signs of virus infection before they are transported to an internal user or before they are sent across the Internet. The following describes industry standard transaction security protocols.

Non-Repudiation – RSA Digital Signatures

Integrity – MD5 Route Authentication

Authentication – Digital Certificates

Confidentiality – IPSec/IKE/3DES

Virus Detection  – McAfee/Norton Antivirus Software

Monitoring Security

Monitoring network traffic for security attacks, vulnerabilities and unusual events is essential for any security strategy. This assessment identifies what strategies and applications are being employed. The following is a list that describes some typical monitoring solutions. Intrusion detection sensors are available for monitoring real time traffic as it arrives at your perimeter. IBM Internet Security Scanner is an excellent vulnerability assessment testing tool that should be considered for your organization. Syslog server messaging is a standard Unix program found at many companies that writes security events to a log file for examination. It is important to have audit trails to record network changes and assist with isolating security issues. Big companies that utilize a lot of analog dial lines for modems sometimes employ dial scanners to determine open lines that could be exploited by security hackers. Facilities security is typical badge access to equipment and servers that host mission critical data. Badge access systems record the date time that each specific employee entered the telecom room and left. Cameras sometimes record what specific activities were conducted as well.

Intrusion Prevention Sensors (IPS)

Cisco markets intrusion prevention sensors (IPS) to enterprise clients for improving the security posture of the company network. Cisco IPS 4200 series utilize sensors at strategic locations on the inside and outside network protecting switches, routers and servers from hackers. IPS sensors will examine network traffic real time or inline, comparing packets with pre-defined signatures. If the sensor detects suspicious behavior it will send an alarm, drop the packet and take some evasive action to counter the attack. The IPS sensor can be deployed inline IPS, IDS where traffic doesn’t flow through device or a hybrid device. Most sensors inside the data center network will be designated IPS mode with its dynamic security features thwarting attacks as soon as they occur. Note that IOS intrusion prevention software is available today with routers as an option.

Vulnerability Assessment Testing (VAST)

IBM Internet Security Scanner (ISS) is a vulnerability assessment scanner focused on enterprise customers for assessing network vulnerabilities from an external and internal perspective. The software runs on agents and scans various network devices and servers for known security holes and potential vulnerabilities. The process is comprised of network discovery, data collection, analysis and reports. Data is collected from routers, switches, servers, firewalls, workstations, operating systems and network services. Potential vulnerabilities are verified through non-destructive testing and recommendations made for correcting any security problems. There is a reporting facility available with the scanner that presents the information findings to company staff.

Syslog Server Messaging

Cisco IOS has a Unix program called Syslog that reports on a variety of device activities and error conditions. Most routers and switches generate Syslog messages, which are sent to a designated Unix workstation for review. If your Network Management Console (NMS) is using the Windows platform, there are utilities that allow viewing of log files and sending Syslog files between a Unix and Windows NMS.

_________________________________