- Văn bản
- Lịch sử
Defense in-Depth: Welchia Case Stud
Defense in-Depth: Welchia Case Study
Let's see how defense in-depth can work in a real life situation. For this case study, we
review how one medium-sized organization dealt with an infection of the Welchia worm
that occurred in 2003. The key point here is that your defenses must be in place before
you are attacked. Otherwise, you may be at a significant disadvantage. Let's review how
the organization was positioned to protect from an attack, detect when it occurred, and then recover from whatever damage ensued.
Protection
The organization published policies (acceptable use and security) that laid the foundation
for computer use and risk management. (We discuss policy in detail in Chapter 8.) Key
elements of the AU policy specified that organizational computers would only be connected to the organization's networks.
The organization has a firewall between the Internet and the organizational network in
addition to a firewall on the dial-in facility to the network. Both firewalls are configured
to implement the Principle of Least Privilege - only needed services are allowed. Some of the users have personal firewalls implemented on their desktop PCs.
The network uses a Class B address space, but uses a netmask of 255.255.255.0 to create 255 subnetworks (refer to Chapter 2 for details on address classes and netmasks).
Additionally, the network is configured such that the subnets containing servers and user
SANS Institute
Defense in-Depth 63
computers do not span multiple buildings. VLANS are used only for network management.
The security group is relatively proactive in conducting periodic scans and can implement
updated tools fairly quickly. This proves to be vital in an environment that is largely unmanaged (for instance, many of the computers are not members of a domain).
The organization has a number of communication tools implemented and available:
• An email system that has a message of the day feature
• A secure extranet web server that is accessible only from within the
organization's address space
• An established mailing list of all of the organizational infosec auditors.
The final (and most important) tool in place consists of the people who configure,
operate, and maintain all of the tools mentioned previously and work together as a team when the incident occurs.
Detection
The infection spreads as soon as an employee connects to an infected laptop computer to the organizational network. The laptop has been taken offsite and connected to an ISP via
dialup. This is a violation of the organization's acceptable use policy. The infection creates an alert on personal firewalls on several PCs in the organization. It quickly
reaches a level that overloads the firewall to the Internet. At that point, the infection mechanism was not yet clearly understood so the firewall admin pulled the network cables on both interfaces and contained the problem to the site.
Recovery
Persons from the security group and the networks group (who operate the firewall)
convene a conference call and map out a strategy to contain the problem and provide as
much operational capability as possible. The high points of the plan are listed here:
• Block ICMP echo requests on the backbone and building routers (except to the
subnet for the security organization - they could observe traffic and gage the
containment progress).
• Block RPCs among all subnets except to the corporate exchange subnet, the
corporate file server subnet (both of these contained only computers that were
known to be patched), and the subnet for the security organization (as mentioned previously).
• Scan for infected computers and block them (from accessing the Internet) at the
firewall.
SANS Institute
64 Book 2 - Defense in-Depth
• Download patches, clean up tools, update AV signatures, and place them on the
extranet server located inside the firewall.
• Reconnect to the Internet (less than two hours after initial infection) and monitor
progress.
• Post a daily progress and "Next Steps" report on the extranet server.
The organization has more than 100 subnets in use. The incident handling team decides to restore full access on a subnet basis. When all computers on a subnet are scanned and come up clean, the router Access Control List (ACL) is modified to permit full access. Subnets that came up clean are back in service quickly. A few subnets have computers
that cannot be located (they are turned off, in use at a remote site, and so on) and make it difficult to get to closure. The Information Assurance Manager offers encouragement by
having the router administrator block Internet access for those subnets until the infosec administrators can either locate the computers so they can be scanned or ensure that the computers will not be reconnected to the network until after they are cleaned.
There are a few twists and turns in the incident, but it goes fairly smoothly and the
handlers learn a lot in the process. The defenses in place are not perfect by any means, but they do demonstrate that defense in-depth is key to remaining in business.
Let's see how defense in-depth can work in a real life situation. For this case study, we
review how one medium-sized organization dealt with an infection of the Welchia worm
that occurred in 2003. The key point here is that your defenses must be in place before
you are attacked. Otherwise, you may be at a significant disadvantage. Let's review how
the organization was positioned to protect from an attack, detect when it occurred, and then recover from whatever damage ensued.
Protection
The organization published policies (acceptable use and security) that laid the foundation
for computer use and risk management. (We discuss policy in detail in Chapter 8.) Key
elements of the AU policy specified that organizational computers would only be connected to the organization's networks.
The organization has a firewall between the Internet and the organizational network in
addition to a firewall on the dial-in facility to the network. Both firewalls are configured
to implement the Principle of Least Privilege - only needed services are allowed. Some of the users have personal firewalls implemented on their desktop PCs.
The network uses a Class B address space, but uses a netmask of 255.255.255.0 to create 255 subnetworks (refer to Chapter 2 for details on address classes and netmasks).
Additionally, the network is configured such that the subnets containing servers and user
SANS Institute
Defense in-Depth 63
computers do not span multiple buildings. VLANS are used only for network management.
The security group is relatively proactive in conducting periodic scans and can implement
updated tools fairly quickly. This proves to be vital in an environment that is largely unmanaged (for instance, many of the computers are not members of a domain).
The organization has a number of communication tools implemented and available:
• An email system that has a message of the day feature
• A secure extranet web server that is accessible only from within the
organization's address space
• An established mailing list of all of the organizational infosec auditors.
The final (and most important) tool in place consists of the people who configure,
operate, and maintain all of the tools mentioned previously and work together as a team when the incident occurs.
Detection
The infection spreads as soon as an employee connects to an infected laptop computer to the organizational network. The laptop has been taken offsite and connected to an ISP via
dialup. This is a violation of the organization's acceptable use policy. The infection creates an alert on personal firewalls on several PCs in the organization. It quickly
reaches a level that overloads the firewall to the Internet. At that point, the infection mechanism was not yet clearly understood so the firewall admin pulled the network cables on both interfaces and contained the problem to the site.
Recovery
Persons from the security group and the networks group (who operate the firewall)
convene a conference call and map out a strategy to contain the problem and provide as
much operational capability as possible. The high points of the plan are listed here:
• Block ICMP echo requests on the backbone and building routers (except to the
subnet for the security organization - they could observe traffic and gage the
containment progress).
• Block RPCs among all subnets except to the corporate exchange subnet, the
corporate file server subnet (both of these contained only computers that were
known to be patched), and the subnet for the security organization (as mentioned previously).
• Scan for infected computers and block them (from accessing the Internet) at the
firewall.
SANS Institute
64 Book 2 - Defense in-Depth
• Download patches, clean up tools, update AV signatures, and place them on the
extranet server located inside the firewall.
• Reconnect to the Internet (less than two hours after initial infection) and monitor
progress.
• Post a daily progress and "Next Steps" report on the extranet server.
The organization has more than 100 subnets in use. The incident handling team decides to restore full access on a subnet basis. When all computers on a subnet are scanned and come up clean, the router Access Control List (ACL) is modified to permit full access. Subnets that came up clean are back in service quickly. A few subnets have computers
that cannot be located (they are turned off, in use at a remote site, and so on) and make it difficult to get to closure. The Information Assurance Manager offers encouragement by
having the router administrator block Internet access for those subnets until the infosec administrators can either locate the computers so they can be scanned or ensure that the computers will not be reconnected to the network until after they are cleaned.
There are a few twists and turns in the incident, but it goes fairly smoothly and the
handlers learn a lot in the process. The defenses in place are not perfect by any means, but they do demonstrate that defense in-depth is key to remaining in business.
0/5000
Quốc phòng chuyên sâu: Welchia nghiên cứu điển hình Hãy xem cách quốc phòng chuyên sâu có thể làm việc trong một tình huống thực tế đời sống. Cho các nghiên cứu trường hợp này, chúng tôi xem xét làm thế nào một vừa tổ chức xử lý với một nhiễm trùng của sâu Welchia xảy ra vào năm 2003. Điểm mấu chốt ở đây là phòng thủ của bạn phải ở vị trí trước khi bạn đang bị tấn công. Nếu không, bạn có thể ở một bất lợi đáng kể. Chúng ta hãy xem xét như thế nào tổ chức được bố trí để bảo vệ từ một cuộc tấn công, phát hiện khi nó xảy ra, và sau đó phục hồi từ bất kỳ thiệt hại xảy ra sau đó. Bảo vệ Tổ chức công bố chính sách (chấp nhận được sử dụng và bảo mật) đặt nền móng Đối với máy tính sử dụng và quản lý rủi ro. (Chúng tôi thảo luận về các chính sách chi tiết trong chương 8.) Chìa khóa Các yếu tố của chính sách AU quy định tổ chức các máy tính chỉ nào được kết nối với mạng lưới của tổ chức. Tổ chức có một tường lửa giữa Internet và mạng lưới tổ chức tại ngoài một tường lửa trên cơ sở quay số vào mạng. Cả hai bức tường lửa được đặt cấu hình để thực hiện các nguyên tắc của ít nhất là đặc quyền - dịch vụ cần thiết chỉ được phép. Một số người sử dụng có tường lửa cá nhân thực hiện trên máy tính để bàn của họ. Mạng sử dụng một không gian địa chỉ lớp B, nhưng sử dụng một netmask 255.255.255.0 để tạo 255 subnetworks (tham khảo chương 2 để biết chi tiết về địa chỉ các lớp học và netmasks). Ngoài ra, mạng được cấu hình như vậy mà các mạng con có máy chủ và người sử dụng SANS viện Quốc phòng chuyên sâu 63 máy tính không trải dài nhiều tòa nhà. VLAN được sử dụng chỉ cho quản lý mạng. Nhóm bảo mật là tương đối chủ động trong việc điều hành quét định kỳ và có thể thực hiện Cập Nhật công cụ khá nhanh chóng. Điều này chứng minh là rất quan trọng trong môi trường đó là phần lớn không được quản lý (ví dụ, nhiều người trong số các máy tính không phải là thành viên của một tên miền). Tổ chức có một số công cụ truyền thông thực hiện và có sẵn: • Một hệ thống thư điện tử có một thông báo của các tính năng ngày • Một máy chủ web extranet an toàn có thể truy cập chỉ từ trong vòng các không gian địa chỉ của tổ chức • Một danh sách gửi thư được thành lập của tất cả các kiểm toán viên tổ chức infosec. Công cụ cuối cùng (và quan trọng nhất) tại chỗ bao gồm những người đặt cấu hình, hoạt động, và duy trì tất cả các công cụ được đề cập trước đó và làm việc với nhau như một đội khi sự cố xảy ra. Phát hiện Các nhiễm trùng lây lan ngay sau khi một nhân viên kết nối với một máy tính máy tính xách tay bị nhiễm bệnh để tổ chức mạng. Máy tính xách tay đã được thực hiện ngoại vi và kết nối với một ISP via quay số. Đây là một vi phạm chính sách của tổ chức sử dụng chấp nhận được. Nhiễm trùng tạo ra một cảnh báo trên các tường lửa cá nhân trên một số máy tính trong tổ chức. Nó một cách nhanh chóng đạt đến một mức độ quá tải các bức tường lửa với Internet. Vào thời điểm đó, các cơ chế lây nhiễm không chưa rõ ràng hiểu để quản trị tường lửa kéo cáp mạng trên cả hai giao diện và bao gồm vấn đề để các trang web. Phục hồi Người từ nhóm bảo mật và nhóm mạng (những người hoạt động tường lửa) triệu tập một cuộc gọi hội nghị và vạch ra một chiến lược để chứa vấn đề và cung cấp như nhiều khả năng hoạt động như là tốt. Điểm cao của kế hoạch được liệt kê ở đây: • Khối ICMP echo yêu cầu trên xương sống và xây dựng bộ định tuyến (ngoại trừ cho các subnet cho tổ chức an ninh - họ có thể quan sát lưu lượng truy cập và gage các ngăn chặn tiến bộ). • Khối RPCs trong số tất cả mạng con trừ để trao đổi công ty con, các công ty tập tin máy chủ mạng con (cả hai có duy nhất các máy tính đã " được biết đến được vá), và mạng con cho tổ chức an ninh (như đã đề cập trước đó). • Quét cho các máy tính bị nhiễm và ngăn chặn họ (từ truy cập Internet) tại các tường lửa. SANS viện 64 cuốn sách 2 - Quốc phòng chuyên sâu • Tải về bản vá lỗi, làm sạch công cụ, Cập Nhật AV chữ ký, và đặt chúng trên các extranet máy chủ nằm bên trong các bức tường lửa. • Kết nối vào Internet (ít hơn hai giờ sau khi lây nhiễm ban đầu) và màn hình tiến bộ. • Đăng một hàng ngày tiến độ và báo cáo "Bước tiếp theo" trên máy chủ extranet. Tổ chức này có hơn 100 mạng con trong sử dụng. Sự kiện xử lý nhóm quyết định để khôi phục lại truy cập trên cơ sở mạng con. Khi tất cả các máy tính trên một mạng con được quét và đi sạch sẽ, bộ định tuyến danh sách điều khiển truy nhập (ACL) được sửa đổi để cho phép truy cập đầy đủ. Mạng con đến sạch đang trở lại trong dịch vụ một cách nhanh chóng. Một vài mạng con có máy tính mà không thể được vị trí (họ bị tắt, sử dụng lúc trang web từ xa, và như vậy) và làm cho nó khó khăn để có được kết thúc. Quản lý đảm bảo thông tin cung cấp khuyến khích bởi có bộ định tuyến quản trị viên chặn truy cập Internet cho các mạng con cho đến khi các quản trị viên infosec có thể hoặc xác định vị trí các máy tính, do đó, họ có thể được quét hoặc đảm bảo rằng các máy tính sẽ không được kết nối lại vào mạng cho đến sau khi họ được làm sạch. Có một vài xoắn và quay trong sự kiện, nhưng nó đi khá trôi chảy và các xử lý học rất nhiều trong tiến trình. Phòng thủ tại chỗ không phải là hoàn hảo bằng phương tiện nào, nhưng họ chứng minh rằng quốc phòng sâu là chìa khóa để còn lại trong kinh doanh.
đang được dịch, vui lòng đợi..
Defense in-Depth: Welchia Case Study
Let's see how defense in-depth can work in a real life situation. For this case study, we
review how one medium-sized organization dealt with an infection of the Welchia worm
that occurred in 2003. The key point here is that your defenses must be in place before
you are attacked. Otherwise, you may be at a significant disadvantage. Let's review how
the organization was positioned to protect from an attack, detect when it occurred, and then recover from whatever damage ensued.
Protection
The organization published policies (acceptable use and security) that laid the foundation
for computer use and risk management. (We discuss policy in detail in Chapter 8.) Key
elements of the AU policy specified that organizational computers would only be connected to the organization's networks.
The organization has a firewall between the Internet and the organizational network in
addition to a firewall on the dial-in facility to the network. Both firewalls are configured
to implement the Principle of Least Privilege - only needed services are allowed. Some of the users have personal firewalls implemented on their desktop PCs.
The network uses a Class B address space, but uses a netmask of 255.255.255.0 to create 255 subnetworks (refer to Chapter 2 for details on address classes and netmasks).
Additionally, the network is configured such that the subnets containing servers and user
SANS Institute
Defense in-Depth 63
computers do not span multiple buildings. VLANS are used only for network management.
The security group is relatively proactive in conducting periodic scans and can implement
updated tools fairly quickly. This proves to be vital in an environment that is largely unmanaged (for instance, many of the computers are not members of a domain).
The organization has a number of communication tools implemented and available:
• An email system that has a message of the day feature
• A secure extranet web server that is accessible only from within the
organization's address space
• An established mailing list of all of the organizational infosec auditors.
The final (and most important) tool in place consists of the people who configure,
operate, and maintain all of the tools mentioned previously and work together as a team when the incident occurs.
Detection
The infection spreads as soon as an employee connects to an infected laptop computer to the organizational network. The laptop has been taken offsite and connected to an ISP via
dialup. This is a violation of the organization's acceptable use policy. The infection creates an alert on personal firewalls on several PCs in the organization. It quickly
reaches a level that overloads the firewall to the Internet. At that point, the infection mechanism was not yet clearly understood so the firewall admin pulled the network cables on both interfaces and contained the problem to the site.
Recovery
Persons from the security group and the networks group (who operate the firewall)
convene a conference call and map out a strategy to contain the problem and provide as
much operational capability as possible. The high points of the plan are listed here:
• Block ICMP echo requests on the backbone and building routers (except to the
subnet for the security organization - they could observe traffic and gage the
containment progress).
• Block RPCs among all subnets except to the corporate exchange subnet, the
corporate file server subnet (both of these contained only computers that were
known to be patched), and the subnet for the security organization (as mentioned previously).
• Scan for infected computers and block them (from accessing the Internet) at the
firewall.
SANS Institute
64 Book 2 - Defense in-Depth
• Download patches, clean up tools, update AV signatures, and place them on the
extranet server located inside the firewall.
• Reconnect to the Internet (less than two hours after initial infection) and monitor
progress.
• Post a daily progress and "Next Steps" report on the extranet server.
The organization has more than 100 subnets in use. The incident handling team decides to restore full access on a subnet basis. When all computers on a subnet are scanned and come up clean, the router Access Control List (ACL) is modified to permit full access. Subnets that came up clean are back in service quickly. A few subnets have computers
that cannot be located (they are turned off, in use at a remote site, and so on) and make it difficult to get to closure. The Information Assurance Manager offers encouragement by
having the router administrator block Internet access for those subnets until the infosec administrators can either locate the computers so they can be scanned or ensure that the computers will not be reconnected to the network until after they are cleaned.
There are a few twists and turns in the incident, but it goes fairly smoothly and the
handlers learn a lot in the process. The defenses in place are not perfect by any means, but they do demonstrate that defense in-depth is key to remaining in business.
Let's see how defense in-depth can work in a real life situation. For this case study, we
review how one medium-sized organization dealt with an infection of the Welchia worm
that occurred in 2003. The key point here is that your defenses must be in place before
you are attacked. Otherwise, you may be at a significant disadvantage. Let's review how
the organization was positioned to protect from an attack, detect when it occurred, and then recover from whatever damage ensued.
Protection
The organization published policies (acceptable use and security) that laid the foundation
for computer use and risk management. (We discuss policy in detail in Chapter 8.) Key
elements of the AU policy specified that organizational computers would only be connected to the organization's networks.
The organization has a firewall between the Internet and the organizational network in
addition to a firewall on the dial-in facility to the network. Both firewalls are configured
to implement the Principle of Least Privilege - only needed services are allowed. Some of the users have personal firewalls implemented on their desktop PCs.
The network uses a Class B address space, but uses a netmask of 255.255.255.0 to create 255 subnetworks (refer to Chapter 2 for details on address classes and netmasks).
Additionally, the network is configured such that the subnets containing servers and user
SANS Institute
Defense in-Depth 63
computers do not span multiple buildings. VLANS are used only for network management.
The security group is relatively proactive in conducting periodic scans and can implement
updated tools fairly quickly. This proves to be vital in an environment that is largely unmanaged (for instance, many of the computers are not members of a domain).
The organization has a number of communication tools implemented and available:
• An email system that has a message of the day feature
• A secure extranet web server that is accessible only from within the
organization's address space
• An established mailing list of all of the organizational infosec auditors.
The final (and most important) tool in place consists of the people who configure,
operate, and maintain all of the tools mentioned previously and work together as a team when the incident occurs.
Detection
The infection spreads as soon as an employee connects to an infected laptop computer to the organizational network. The laptop has been taken offsite and connected to an ISP via
dialup. This is a violation of the organization's acceptable use policy. The infection creates an alert on personal firewalls on several PCs in the organization. It quickly
reaches a level that overloads the firewall to the Internet. At that point, the infection mechanism was not yet clearly understood so the firewall admin pulled the network cables on both interfaces and contained the problem to the site.
Recovery
Persons from the security group and the networks group (who operate the firewall)
convene a conference call and map out a strategy to contain the problem and provide as
much operational capability as possible. The high points of the plan are listed here:
• Block ICMP echo requests on the backbone and building routers (except to the
subnet for the security organization - they could observe traffic and gage the
containment progress).
• Block RPCs among all subnets except to the corporate exchange subnet, the
corporate file server subnet (both of these contained only computers that were
known to be patched), and the subnet for the security organization (as mentioned previously).
• Scan for infected computers and block them (from accessing the Internet) at the
firewall.
SANS Institute
64 Book 2 - Defense in-Depth
• Download patches, clean up tools, update AV signatures, and place them on the
extranet server located inside the firewall.
• Reconnect to the Internet (less than two hours after initial infection) and monitor
progress.
• Post a daily progress and "Next Steps" report on the extranet server.
The organization has more than 100 subnets in use. The incident handling team decides to restore full access on a subnet basis. When all computers on a subnet are scanned and come up clean, the router Access Control List (ACL) is modified to permit full access. Subnets that came up clean are back in service quickly. A few subnets have computers
that cannot be located (they are turned off, in use at a remote site, and so on) and make it difficult to get to closure. The Information Assurance Manager offers encouragement by
having the router administrator block Internet access for those subnets until the infosec administrators can either locate the computers so they can be scanned or ensure that the computers will not be reconnected to the network until after they are cleaned.
There are a few twists and turns in the incident, but it goes fairly smoothly and the
handlers learn a lot in the process. The defenses in place are not perfect by any means, but they do demonstrate that defense in-depth is key to remaining in business.
đang được dịch, vui lòng đợi..
Các ngôn ngữ khác
Hỗ trợ công cụ dịch thuật: Albania, Amharic, Anh, Armenia, Azerbaijan, Ba Lan, Ba Tư, Bantu, Basque, Belarus, Bengal, Bosnia, Bulgaria, Bồ Đào Nha, Catalan, Cebuano, Chichewa, Corsi, Creole (Haiti), Croatia, Do Thái, Estonia, Filipino, Frisia, Gael Scotland, Galicia, George, Gujarat, Hausa, Hawaii, Hindi, Hmong, Hungary, Hy Lạp, Hà Lan, Hà Lan (Nam Phi), Hàn, Iceland, Igbo, Ireland, Java, Kannada, Kazakh, Khmer, Kinyarwanda, Klingon, Kurd, Kyrgyz, Latinh, Latvia, Litva, Luxembourg, Lào, Macedonia, Malagasy, Malayalam, Malta, Maori, Marathi, Myanmar, Mã Lai, Mông Cổ, Na Uy, Nepal, Nga, Nhật, Odia (Oriya), Pashto, Pháp, Phát hiện ngôn ngữ, Phần Lan, Punjab, Quốc tế ngữ, Rumani, Samoa, Serbia, Sesotho, Shona, Sindhi, Sinhala, Slovak, Slovenia, Somali, Sunda, Swahili, Séc, Tajik, Tamil, Tatar, Telugu, Thái, Thổ Nhĩ Kỳ, Thụy Điển, Tiếng Indonesia, Tiếng Ý, Trung, Trung (Phồn thể), Turkmen, Tây Ban Nha, Ukraina, Urdu, Uyghur, Uzbek, Việt, Xứ Wales, Yiddish, Yoruba, Zulu, Đan Mạch, Đức, Ả Rập, dịch ngôn ngữ.
- Blaster Worm - Defense in-Depth • Threat
- Then, Do you have a nephew?
- She paid me a very charming compliment o
- castable out of crucible
- unfortunate
- even rapping
- What do you need for a birthday party
- Draw pattern agan to con firm
- What Have We Learned? This is yet anothe
- 累计邀请
- castable
- Letter of Application - DefinitionA lett
- confirm
- Hãy thể hiện mình sẽ làm được gì cho côn
- 该装备已镶嵌符文,请先取出,再镶嵌新符文。
- How did your experience affect you
- Do you have a brother?
- anh không muốn quên em
- Dear Nguyen Dinh Anh,Thank you for submi
- Absolute nonsensebeat
- It felt like the other rappers were side
- are you student
- Blaster Worm - Defense in-Depth • Threat
- 累计邀请2名好友即可获得:
