Problem Solving and Security Administration


Transcript of Problem Solving and Security Administration

  • 8/4/2019 Problem Solving and Security Administration

    PROBLEM SOLVING AND SECURITY ADMINISTRATION

    Presented by Khalid Al-

    Computer Security: Protecting Digital Resources, by Robert C. Newman, Chapter 11

  • Chapter Content

    • Understand the need and content of a baseline.
    • Identify the documentation required for network management.
    • Look at the numerous administration, troubleshooting, and problem-solving issues.
    • Review the requirements of a security audit.
    • Become familiar with computer forensic issues.
    • Look at the various types of situations that can affect the security and integrity of a network.
    • Identify the various hardware and software tools used in network management.
    • Understand the issues and options for network management and control.

  • INTRODUCTION

    Network problems can typically be resolved in one of two ways: proactive prevention or reactive response ("pay me now or pay me later").

    Network management and planning should combine to form an overall security plan. A baseline should be developed. Tools are a must, particularly for large networks. Network management and security are not add-ons. Troubleshooting is an art that can only be gained from experience along with some documented methodology.

  • THE NEED FOR PROBLEM SOLVING

    The trend is toward increasingly complex network environments. More complex network environments mean that the potential for availability and performance issues in these internetworks is high, and the source of problems is often difficult to pinpoint.

    The keys to maintaining a secure, problem-free network environment, as well as maintaining the ability to isolate and fix a network fault or security breach quickly, are documentation, planning, and communication. This requires a framework of procedures and personnel in place before the requirement for problem solving and recovery occurs.

    Policies and procedures must be established during the network's planning stages and continue throughout the network's life. Such policies should include security, hardware and software standards, upgrade guidelines, backup methods, network intrusions, and documentation requirements (contingency and disaster recovery plan).

    Through careful planning, it is possible to minimize the damage that results from most predictable events and to control and manage their impact on the organization.

  • THE SECURITY AUDIT

    The tasks involved in maintaining a secure network and computer system can be both time-consuming and difficult.

    A security audit should be part of the ongoing operating processes in the organization.

    There are a number of questions that must be formulated and answered as to what resources need protection.

  • COMPUTER SECURITY AUDIT

    A computer security audit is a manual or systematic measurable technical assessment of a system or application.

    Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems.

    Automated assessments include system-generated audit reports or using software to monitor and report changes to files and settings on a system.

    Categories that should be addressed are included in the following list:

    • Physical security.
    • Network security.
    • Protocols/services.
    • Passwords.
    • User security.
    • Data storage security.
    • System administration.

  • BASELINE

    A well-documented network includes everything necessary to review history, understand the current status, plan for growth, and provide comparisons when problems occur. This is called a baseline. The following list outlines a set of documents and information that should be included in a network plan:

    • Address list.
    • Cable map.
    • Capacity information.
    • Contact list.
    • Equipment list.
    • Important files and their layouts.
    • Network history.
    • Network map.
    • Server configuration.
    • Software configuration.
    • Software licenses.
    • Protocols and network standards.
    • User administration.

  • BASELINE

    It is essential to take the time during installation to ensure that all hardware and software components of the network are correctly installed and accurately recorded in the master network record. This documentation also applies to the hardware and software configuration for each of the network components. A considerable amount of personnel effort and time can be saved by being able to quickly find a faulty network component and having documentation on the configuration.

    Documentation should be kept in both hard-copy and electronic form so it is readily available to anyone who needs it. This includes information on systems that are accessed by the telecommunications network. Complete, accurate, and up-to-date documentation will aid in troubleshooting the network, planning for growth, and training new employees.

  • Network Management and Monitoring

    Network management is a collection of activities that are required to plan, design, organize, control, maintain, and expand the communications network.

    Activities that pertain to the operation, administration, maintenance, and provisioning of networked systems include the following:

    • Operation deals with keeping the network and the services that the network provides up and running smoothly (e.g., monitoring).
    • Administration deals with keeping track of resources in the network and how they are assigned. It includes all the housekeeping necessary to keep the network under control.
    • Maintenance is concerned with performing repairs and upgrades. This includes equipment replacement, router patches for an operating system image, and addition of switches to a network. Maintenance also involves corrective and preventive measures to make the managed network run better, such as adjusting device configuration parameters.
    • Provisioning is concerned with configuring resources to support a given service. For example, setting up the network so that a new customer can receive voice service.

  • Network Management and Monitoring

    An initial step is to develop a baseline of the current state of the network and computer resources. After a baseline for the network has been developed, it will be possible to monitor the network for changes that could indicate potential problems. It is essential to establish what is normal in the network so abnormal situations can be readily identified. Network monitoring software can gather information on events, system usage statistics, and system performance statistics.

    Information gathered from these monitors can assist the network administration in the following ways:

    • Monitoring trends in network traffic and utilization.
    • Developing plans to improve network performance.
    • Providing forecasting information for growth.
    • Identifying those network devices that create bottlenecks.
    • Monitoring events that result from upgrades.

    Management must also consider the implications of any IPS and IDS that might be active in the network.
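The "establish what is normal so the abnormal can be identified" idea from the baseline slides, as an added example that is not from the slides or Newman's book: a recorded host entry from the master network record is compared against a later snapshot and every deviation (new listener, unknown software, changed checksum of an important file) is reported with a severity. The host name, addresses, services, versions and file contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class HostRecord:
    """One host's entry in the master network record (the baseline), or a fresh snapshot of it."""
    hostname: str
    address: str
    listening: set                                  # {(port, service_name), ...}
    software: dict                                  # {package: version}
    checksums: dict = field(default_factory=dict)   # {important file: sha256 hex digest}


def sha256_of(content: bytes) -> str:
    """Checksum recorded in the baseline for an important file."""
    return hashlib.sha256(content).hexdigest()


def compare_to_baseline(baseline: HostRecord, current: HostRecord) -> list:
    """Return (severity, finding) pairs for every way the snapshot differs from the baseline.

    Nothing here decides that a change is malicious; it only surfaces what is abnormal
    relative to the recorded normal state so that an administrator can investigate.
    """
    findings = []
    if baseline.address != current.address:
        findings.append(("high", f"address changed {baseline.address} -> {current.address}"))
    # Listeners that exist now but were never baselined are the most interesting.
    for port, svc in sorted(current.listening - baseline.listening):
        findings.append(("high", f"unexpected listener {svc} on port {port}"))
    for port, svc in sorted(baseline.listening - current.listening):
        findings.append(("medium", f"baselined service {svc} on port {port} is not listening"))
    for pkg, ver in sorted(current.software.items()):
        base_ver = baseline.software.get(pkg)
        if base_ver is None:
            findings.append(("medium", f"software not in baseline: {pkg} {ver}"))
        elif base_ver != ver:
            findings.append(("low", f"{pkg} version {base_ver} -> {ver}; update the baseline if approved"))
    for pkg in sorted(set(baseline.software) - set(current.software)):
        findings.append(("medium", f"baselined software removed: {pkg}"))
    for path, digest in sorted(baseline.checksums.items()):
        if current.checksums.get(path) != digest:
            findings.append(("high", f"checksum mismatch for {path}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'medium': 1}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample data: a file server as recorded at installation time...
SSHD_CONFIG_BASELINE = b"PermitRootLogin no\nPasswordAuthentication no\n"
BASELINE = HostRecord(
    hostname="srv-files-01", address="10.0.5.21",
    listening={(22, "ssh"), (445, "smb")},
    software={"openssh": "8.9p1", "samba": "4.15.13"},
    checksums={"/etc/ssh/sshd_config": sha256_of(SSHD_CONFIG_BASELINE)},
)
# ...and a later snapshot of the same host (also constructed) in which the SSH daemon
# configuration was edited, a package was added and an unknown listener appeared.
SSHD_CONFIG_NOW = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
SNAPSHOT = HostRecord(
    hostname="srv-files-01", address="10.0.5.21",
    listening={(22, "ssh"), (445, "smb"), (4444, "unknown")},
    software={"openssh": "8.9p1", "samba": "4.15.13", "nc": "1.10"},
    checksums={"/etc/ssh/sshd_config": sha256_of(SSHD_CONFIG_NOW)},
)


def run_sample() -> list:
    return compare_to_baseline(BASELINE, SNAPSHOT)


if __name__ == "__main__":
    for severity, finding in run_sample():
        print(f"[{severity:6}] {finding}")
```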

  • SECURITY INVESTIGATIONS

    Forensic analysis consists of a cycle of data gathering and processing of evidence that has been gathered from some incident. Data collected can be used to analyze and evaluate the extent to which a network has been compromised by an attack or intrusion. Logs are an essential source of information for this type of forensic examination.

    Incident response processes and tactics must be developed for a successful reaction to some computer incident. The plan must be well documented and formally practiced. Law enforcement agencies have first responders whose job is to secure computer evidence. A number of computer forensic tools are available to forensic investigators and law enforcement first responders. A note is important here: if an incident is reported to law enforcement, the organization loses control of the situation and it may become public knowledge.

  • Computer Investigations

    A computer crime investigation would begin as soon as an incident report is provided to the authorities. Six steps are required to determine if a crime has occurred and to protect evidence:

    • Detection and containment: review audit trails and preserve the evidence.
    • Notification of management: report to a limited number of supervisors.
    • Preliminary investigation: determine if a crime has actually occurred.
    • Crime disclosure determination: notify authorities if required or desired.
    • Investigation process: identify potential suspects and witnesses.
    • Report generation: provide documentation to management and law enforcement.

    Evidence is defined as information that would be presented in a court of law to substantiate the charges. There are four general categories of evidence that might be presented in court:

    • Direct evidence: oral testimony or written statements.
    • Real or physical evidence: tangible objects such as tools and property.
    • Documentary evidence: printouts and manuals.
    • Demonstrative evidence: expert and non-expert witnesses.

  • Computer Investigations

    Two other categories of evidence might be relevant to a computer crime or incident: corroborative and circumstantial evidence. Corroborative evidence supports other case evidence, whereas circumstantial evidence is used for reasonable inferences to fact.

    An important concept is termed the hearsay rule. Hearsay evidence is not based on firsthand knowledge of the witness. This information is usually obtained through some other source and is usually not admissible in court.

    For evidence to be admissible in a court of law, it must pass several proofs or validations. Two important processes that must be addressed when prosecuting criminal activities are the chain of custody and the evidence life cycle. These also apply to computer crimes. The chain of custody provides accountability and protection of evidence throughout its life cycle. Evidence must be secured in locked areas, and documentation must follow the entire trail, including information about who handled it and when. An evidence log would include the following:

    • Individuals involved.
    • Evidence description.
    • Evidence location.
    • Evidence movement.
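An evidence log with the four fields the slide lists (individuals, description, location, movement), as an added example that is not from the slides or the book: each entry records who held the item, where, and when, and is hash-chained to the previous entry so that a later edit to the log, or a change to the evidence data itself, is detectable. The item id, names, locations, timestamps and the bytes standing in for a disk image are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


class EvidenceLog:
    """Evidence log for one item: who handled it, where it was, and every movement,
    with each entry hash-chained to the previous one so later edits are detectable."""

    def __init__(self, item_id: str, description: str, collected_by: str,
                 location: str, data: bytes, when: str = None):
        self.item_id = item_id
        self.description = description
        self.data_hash = hashlib.sha256(data).hexdigest()   # fingerprint of the item itself
        self.entries = []
        self._append("collected", collected_by, location, when=when)

    def _append(self, action, person, location, note="", when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "person": person, "location": location,
            "note": note, "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def transfer(self, to_person, new_location, note="", when=None):
        """Record a movement: the new custodian and the new storage location."""
        return self._append("transferred", to_person, new_location, note, when)

    def custodian(self) -> str:
        return self.entries[-1]["person"]

    def individuals(self) -> list:
        return sorted({e["person"] for e in self.entries})

    def verify(self, data: bytes) -> list:
        """Return a list of problems; an empty list means the item and its log are intact."""
        problems = []
        if hashlib.sha256(data).hexdigest() != self.data_hash:
            problems.append("evidence data does not match the hash recorded at collection")
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence number is {e['seq']}")
            if e["prev_hash"] != expected_prev:
                problems.append(f"entry {i}: chain broken (prev_hash mismatch)")
            if e["entry_hash"] != self._digest(e):
                problems.append(f"entry {i}: contents altered after recording")
            expected_prev = e["entry_hash"]
        return problems


# Constructed sample: a disk image collected by a first responder and handed on twice.
IMAGE = b"constructed sample bytes standing in for a disk image"


def build_sample_log() -> EvidenceLog:
    log = EvidenceLog("EV-0001", "disk image of workstation WS-17", "first responder A. Lee",
                      "evidence locker 3", IMAGE, when="2019-08-04T09:15:00+00:00")
    log.transfer("analyst B. Ortiz", "forensics lab bench 2", "imaging verified",
                 when="2019-08-04T11:40:00+00:00")
    log.transfer("evidence custodian C. Diaz", "evidence locker 3", "analysis complete",
                 when="2019-08-06T16:05:00+00:00")
    return log
```

The chain only proves that the log was not edited after the fact; it does not replace the locked storage and signed hand-over forms the slide calls for.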

  • Intrusion Detection

    Intrusion detection techniques and equipment are utilized to detect and respond to computer and networking misuse. Different intrusion detection techniques provide different benefits for different situations and environments; therefore, it is essential that the security administrator deploy the security system that best matches the need. Unnecessary cost can be incurred for nonessential detection devices. The key to selecting the right security detection system is to define the specific security requirements first and then implement a system based on those requirements. In addition to detection, new products are being offered that provide for intrusion prevention capabilities.

  • Monitoring

    Internal staff can conduct network and physical monitoring; however, there are vendors that specialize in security monitoring and surveillance. Some providers deploy intrusion detection sensors at customer locations and provide security experts to monitor corporate resources such as routers and firewalls. Others place probes on the customer's networks to collect audit data from network devices. The data are transmitted in encrypted form back to the central facility, where the data are monitored continuously.

    Investigation and prosecution can be aided with sufficient video evidence.

    Some network-based intrusion detection systems consist of sensors deployed throughout a network that provide a data stream to a central console. Sensors may contain logic that collects network packets, searches for patterns of misuse, and then reports an alarm situation back to the console. Two types of sensor-based architectures include the traditional sensor design and the network node design. Sensor-based systems monitor whole network segments. They are not widely distributed because there are relatively few segments to monitor, as opposed to the network-node systems that are widely distributed onto every mission-critical target. Network-node systems place an agent on each managed network computer device in the network to monitor traffic bound only for that individual target.


  • Preemptive Activities

    Network management and administration must be proactive in the fight against cybercrime threats and attacks. A considerable amount of information has been presented in this book that can be used as effective approaches to countering these situations. Incorporating the numerous suggestions will take time and resources, but not addressing the issues can cost a lot more.

  • Preemptive Activities

    The following list of initiatives summarizes programs and activities that might be undertaken to counter the negative impacts of computer and network incidents. While this is a formidable list, not taking action is unacceptable. The categories include access controls, hardware, software, and management.

    Access controls:

    • User authentication.
    • Properly defined user rights.
    • Prompt removal of employee accounts upon separation.
    • Require approval by management of user authorization.
    • Proper registry permissions.

    Hardware:

    • Workstation screen locks.
    • Computer keyboard locks.
    • Firewalls.
    • Screening routers.
    • Properly configured routers.
    • Properly configured modems.

  • Preemptive Activities

    Software:

    • Anti-virus software.
    • Anti-spyware software.
    • Encryption.
    • Prompt application of patches and updates.
    • VPN tunneling.
    • Checksums.

    Management:

    • Change control policy.
    • Separation of duties.
    • Audit logs and log reviews.
    • Review open ports and services.
    • Social engineering prevention.
    • Employee training and awareness.

  • Computer Security Organizations

    Established in 1988, the Computer Emergency Readiness Team (CERT) Coordination Center (CERT/CC) is a center of Internet security expertise.

    The High Technology Crime Investigation Association (HTCIA) is designed to encourage, promote, aid, and affect the voluntary interchange of data, information, experience, ideas, and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership.

    The International Association for Computer Information Systems (IACIS) is an international volunteer nonprofit corporation comprised of law enforcement professionals dedicated to education in the field of forensic computer science.

    The IEEE Computer Society is the world's leading organization of computer professionals. Founded in 1946, it is the largest of the 37 societies of the Institute of Electrical and Electronics Engineers (IEEE).

    The Internet Crime Complaint Center (IC3) is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).

  • NETWORK PROBLEM SOLVING

    Many network problems can be solved by first verifying the status of the affected computers or networking components. Taking several initial steps can help the administrator in resolving network problems:

    • Identify possible cockpit problems and user errors.
    • Ensure that all physical connections are in place.
    • Verify that the network interface card (NIC) is working.
    • Warm-start the device (reload the software).
    • Cold-start the device (power cycle off and on).

    It is essential that a structured approach be taken when troubleshooting. These simple steps include the following:

    • Prioritize the problem in relation to all other problems in the network.
    • Develop information about the problem.
    • Identify possible causes.
    • Eliminate the possibilities, one at a time.
    • Ensure that the fix does not cause other problems.
    • Document the solution.

  • Collecting Information Methodology

    The first step in solving a problem is to collect and document as much information as possible in order to have an accurate description of the situation.

    If the problem involves user interaction, it will be necessary to check the sequence of steps the user took.

    Before troubleshooting the physical devices and system software, attempt to recreate or confirm the problem to ensure the problem is not user (cockpit) error.

    From the information gathered for the trouble report, a structured approach can begin to list, prioritize, and examine possible causes of the reported incident. It is essential that the problem be logically evaluated, starting with the most basic causes.

  • Standard Process Flow for Troubleshooting

    [Flowchart: Define the situation (look at baseline) -> Gather details -> Consider alternatives -> Follow methodology for troubleshooting -> Observe results -> "Problem corrected?" If NO, return to the earlier steps; if YES, Document results -> Problem solved.]

  • Details of Process Flow Steps

    • Definition of the problem: the problem should be defined in terms of a set of symptoms and potential causes. By using the baseline, it is possible to identify the location of the problem or at least know where to start the troubleshooting effort.
    • Details of the problem: information can be collected from sources such as network management systems, protocol analyzer traces, network monitors, and network surveillance personnel.
    • Alternatives assessment: now is the time to consider the possible problems based on the facts that have been gathered. The obvious non-issues can be eliminated at this time.
    • Problem-solving methodology: an action plan can be developed and the most likely cause of the problem can be identified. The plan will allow for one variable to be changed at a time until all options are exhausted.
    • Results observation: tests must be made at this step to ensure that the modifications are correcting the problem and not creating other problems. This step is repeated for each test and may require additional details for each cycle.
    • Problem resolution: when the problem has been solved, the next and last step of the process flow is to document the situation. If the problem has not been solved, the process is repeated.
    • Documentation: the final step is important because the problem may well occur again and it is essential that the troubleshooting efforts not be duplicated.

  • Troubleshooting Documentation

    Some type of electronic tracking or journal can be maintained to accumulate troubleshooting and problem-solving information, which will ensure that time is not wasted repeating work that has already been completed and that an audit trail is developed for each trouble.

    The information developed can also be utilized in requests for additional equipment, personnel, and training. It can also be a useful tool for training future network support personnel.

    A typical method for administering such a database is to assign some unique identifier to each problem or trouble report.

    A trouble report would be generated for each incident and cross-referenced for recurring incidents to the same network element. The trouble report documents issues and requests for service from network users and can be used to ensure that a consistent troubleshooting methodology is being followed.

  • Troubleshooting Documentation

    A typical trouble report might include the following elements:

    • A trouble report identifier.
    • A preliminary description of the situation.
    • Investigation and analysis of the situation.
    • The service actions taken to resolve the issue.
    • A summarization of the incident.

    Another source of information that can be useful in troubleshooting the network is the data, usually in the form of traps or alerts, that are collected from the managed network devices. It is essential that data collected from the managed devices be stored so that problems can be tracked and trends can be analyzed. There are a number of trouble-tracking products for both voice and data communication systems available in the market today.
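A small trouble-report journal covering the two documentation slides above, as an added example that is not from the slides or the book: each report gets a unique identifier and the five elements listed, new reports are cross-referenced to earlier reports against the same network element, a report cannot be closed without the actions taken on record, and recurring elements can be pulled out for trend analysis. The element names and report text are constructed.

```python
import itertools
from dataclasses import dataclass, field


@dataclass
class TroubleReport:
    report_id: str
    element: str                                   # network element the trouble is reported against
    description: str                               # preliminary description of the situation
    analysis: str = ""                             # investigation and analysis
    actions: list = field(default_factory=list)    # service actions taken
    summary: str = ""                              # summarization of the incident
    related: list = field(default_factory=list)    # earlier report ids for the same element
    status: str = "open"


class TroubleTracker:
    """Journal of trouble reports keyed by a unique identifier, cross-referenced by element."""

    def __init__(self, prefix: str = "TR"):
        self.prefix = prefix
        self._seq = itertools.count(1)
        self.reports = {}

    def open(self, element: str, description: str) -> TroubleReport:
        report_id = f"{self.prefix}-{next(self._seq):05d}"
        # Cross-reference: every earlier report on the same element, so prior work is visible.
        related = [r.report_id for r in self.reports.values() if r.element == element]
        report = TroubleReport(report_id, element, description, related=related)
        self.reports[report_id] = report
        return report

    def record_action(self, report_id: str, action: str) -> None:
        self.reports[report_id].actions.append(action)

    def close(self, report_id: str, analysis: str, summary: str) -> None:
        r = self.reports[report_id]
        if not r.actions:
            raise ValueError(f"{report_id}: cannot close without recording the actions taken")
        r.analysis, r.summary, r.status = analysis, summary, "closed"

    def history(self, element: str) -> list:
        """Prior work on an element, so it is not repeated: (id, status, summary or description)."""
        return [(r.report_id, r.status, r.summary or r.description)
                for r in self.reports.values() if r.element == element]

    def recurring(self, min_reports: int = 2) -> dict:
        """Elements with at least min_reports reports, the input for trend analysis."""
        by_element = {}
        for r in self.reports.values():
            by_element.setdefault(r.element, []).append(r.report_id)
        return {e: ids for e, ids in by_element.items() if len(ids) >= min_reports}


def build_sample_tracker() -> TroubleTracker:
    """Constructed sample: three reports, two of them against the same switch."""
    t = TroubleTracker()
    first = t.open("switch-fl2-01", "users on floor 2 report intermittent loss of connectivity")
    t.record_action(first.report_id, "checked physical connections; reseated uplink on port 24")
    t.close(first.report_id, "loose uplink cable on port 24", "reseated uplink; monitoring")
    t.open("srv-files-01", "file share unreachable from VPN")
    t.open("switch-fl2-01", "floor 2 connectivity loss recurring after two days")
    return t
```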

  • NETWORK TESTING SUPPORT AND RESOURCES

    Network Utilities and Software Routines

    A number of aids are available for the network user to perform simple tests:

    • TRACEROUTE (tracert): works by sending packets with low time-to-live (TTL) fields. The TTL value specifies how many hops the packet is allowed before it is returned. When a packet can't reach its destination because the TTL value is too low, the last host returns the packet.
    • PING: uses ICMP messages to check the physical connectivity of the machines on a network. Note that PING can be used in a network attack.
    • WHOIS: searches across multiple registrar databases to provide registration information on millions of domain names with many different extensions, regardless of where they are registered.
    • IPCONFIG: a command-line tool used to control the network connections on Windows.
    • PORT SCAN: a series of messages sent by someone attempting to break into a computer to learn which computer network services the computer provides. Each of these services is associated with a well-known port number. Port scanning is a favorite approach of computer crackers and gives the assailant an idea of where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time.
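The TTL mechanism behind TRACEROUTE described above, as an added example that is not from the slides or the book: a model path of routers decrements the TTL at each hop, the hop where it reaches zero answers instead of forwarding, and probing with TTL 1, 2, 3, ... therefore reveals the path one hop at a time. The model also covers the two cases an administrator reads from real output: a router that does not answer expired probes (shown as "*") and a filtering device that drops the probes so the trace never reaches the destination. No packets are sent; the router addresses are the RFC 5737 documentation ranges and are constructed.

```python
from dataclasses import dataclass


@dataclass
class Router:
    address: str
    answers_expired_ttl: bool = True   # some routers silently discard packets whose TTL expires
    filters_probes: bool = False       # a filtering device that drops the probes instead of forwarding


def send_probe(ttl: int, path: list, destination: str):
    """Forward one probe along the path, decrementing TTL at every router.

    Returns (responder, reached): the address that answered (None if nothing came back)
    and whether the probe made it to the destination.
    """
    for router in path:
        ttl -= 1
        if ttl == 0:
            # TTL exhausted here: the router reports back instead of forwarding.
            return (router.address if router.answers_expired_ttl else None), False
        if router.filters_probes:
            return None, False
    return destination, True


def traceroute(path: list, destination: str, max_ttl: int = 30) -> list:
    """Discover the path hop by hop: TTL 1 exposes the first router, TTL 2 the second, and so on."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        responder, reached = send_probe(ttl, path, destination)
        hops.append((ttl, responder or "*"))   # '*' is how traceroute shows a silent hop
        if reached:
            break
    return hops


def format_hops(hops: list) -> str:
    return "\n".join(f"{ttl:2d}  {addr}" for ttl, addr in hops)


# Constructed sample paths (documentation addresses from RFC 5737).
DEST = "203.0.113.50"
NORMAL_PATH = [Router("192.0.2.1"), Router("198.51.100.7"), Router("203.0.113.9")]
SILENT_HOP_PATH = [Router("192.0.2.1"), Router("198.51.100.7", answers_expired_ttl=False),
                   Router("203.0.113.9")]
FILTERED_PATH = [Router("192.0.2.1"), Router("198.51.100.7"),
                 Router("203.0.113.9", filters_probes=True)]

if __name__ == "__main__":
    print(format_hops(traceroute(NORMAL_PATH, DEST)))
    print("--- filtered beyond the third hop ---")
    print(format_hops(traceroute(FILTERED_PATH, DEST, max_ttl=5)))
```

A run that ends in a column of "*" up to max_ttl, as in the filtered case, is the signature of a device on the path dropping the probes rather than of a host being down.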

  • Security Probes and Network Penetration Testing Tools

    Instead of passively gathering network statistics like auditing tools, security probes actively test various aspects of enterprise network security, report results, and suggest improvements. There are a number of security probes that perform vulnerability scanning. Three such products are SAINT, Retina, and SATAN.

  • SECURITY TOOLS

    Network monitors, network analyzers, and cable testers each provide the network manager and technician with a different suite of tools.

    Security tools such as sniffers are also available in hardware instruments.

    A network-connected device operating in promiscuous mode can capture all frames on a network, not just frames addressed directly to it.

  • MANAGING THE NETWORK

    Network management is a collection of activities that are required when managing the communications network. Functions that are performed as part of network management include:

    • Controlling.
    • Planning.
    • Allocating.
    • Deploying.
    • Coordinating.
    • Network planning.
    • Bandwidth management.
    • Monitoring the resources of a network.
    • Predetermined traffic routing to support load balancing.
    • Cryptographic key distribution authorization.

    Additional major management functions:

    • Accounting management.
    • Configuration management.
    • Fault management.
    • Security management.
    • Performance management.

  • Network Management Tools

    Network management tools allow for the performance of management functions such as monitoring network traffic levels, monitoring software usage, finding efficiencies, and finding bottlenecks.

    Network managers need a comprehensive set of tools to help them perform the various network tasks. Most tools can be classified as primarily hardware or software, and most hardware test instruments are supported by software.

    Network management software is categorized into three different types: device management, system management, and application management.

    These management tools typically have three components:

    • Agent: the client software part of the management tool. The agent resides on each managed network device.
    • Manager: a centralized software component that manages the network. The management software stores the information collected from the managed devices in a standardized database.
    • Administration system: the centralized management component that collects and analyzes the information from the managers. Most administration systems provide information, alerts, traps, and the ability to make programmable modifications to the network components.

    The two main management protocols used with network management systems are Simple Network Management Protocol (SNMP) and Common Management Information Protocol (CMIP).

  • Network Management System

    Any network, whether it is a LAN, MAN, or WAN, is really a collection of individual components working together. Network management helps maintain this harmony, ensuring consistent reliability and availability of the network, as well as timely transmission and routing of data.

    A network management system (NMS) is defined as the systems or actions that help maintain, characterize, or troubleshoot a network.

    The three primary objectives of network management are to support systems users, to keep the network operating efficiently, and to provide cost-effective solutions to an organization's telecommunications requirements.

    A large network cannot be engineered and managed by human effort alone. The complexity of such a system dictates the use of automated network management tools. No matter how network management is performed, it usually includes the following key functions:

    • Network control.
    • Network troubleshooting.
    • Network monitoring.
    • Network statistical reporting.

  • NETWORK MANAGEMENT AND CONTROL

    Network management is a collection of activities that are required to plan, design, organize, maintain, and expand the network.

    A network management and control system consists of a collection of techniques, policies, procedures, and systems that are integrated to ensure that the network delivers its intended functions. At the heart of the system is a database of information, either on paper or computerized. The database consists of several related files that allow the network managers to have the information they need to exercise control over its functions.

    A network control system has five major functions:

    • Managing network information.
    • Managing network performance.
    • Monitoring circuits and equipment on the network.
    • Isolating trouble when it occurs.
    • Restoring service to end users.

  • NETWORK MANAGEMENT AND CONTROL

    Network management is generally concerned with monitoring the operation of components in the network, reporting on the events that occur during the network operation, and controlling the operational characteristics of the network and its components.

    Taking preemptive precautions may be costly in the short term, but they save time and resources when problems arise, prevent equipment problems, and ensure data security. A preemptive approach can prevent additional expense and frustration when trying to identify the causes of failures.

    Functions include monitoring, reporting, and controlling. Additionally, three areas of protection should be addressed: intruders, theft, and natural disasters.

  • NETWORK MANAGEMENT AND CONTROL

    Monitoring: monitoring involves determining the status and processing characteristics currently associated with the different physical and logical components of the network. Depending on the type of component in question, monitoring can be done either by continuously checking the operation of the component or by detecting the occurrence of extraordinary events that occur during the network operations.

    Reporting: the results of monitoring activities must be reported, or made available, to either a network administrator or to network management software operating on some machine in the network.

    Controlling: based on the results of the monitoring and reporting functions, the network administrator or network management software should be able to modify the operational characteristics of the network and its components. These modifications should make it possible to resolve problems, improve network performance, and continue normal operation of the network.

  • COMMON MANAGEMENT INFORMATION PROTOCOL

    The International Organization for Standardization's (ISO's) approach to network management is CMIP.

    This protocol defines the notion of objects, which are elements to be managed. The key areas of network management as proposed by the ISO are divided into five specific management functional areas (SMFAs):

    • Accounting management: records and reports usage of network resources.
    • Configuration management: defines and controls network component configuration and parameters.
    • Fault management: detects and isolates network problems.
    • Performance management: monitors, analyzes, and controls network data production.
    • Security management: monitors and controls access to network resources.

  • NETWORK MANAGEMENT STANDARDS ORGANIZATIONS

    Many organizations today deal with network management standardization. The roles played by these organizations range from setting the network management standards to promoting acceptance of the standards. The organizations that play a role in network management include:

    • American National Standards Institute (ANSI).
    • International Organization for Standardization (ISO).
    • Institute of Electrical and Electronic Engineers 802 Committee (IEEE 802).
    • Internet Activities Board (IAB).
    • International Telecommunications Union Telecommunications Sector (ITU-T).
    • National Institute of Standards and Technology (NIST).
    • Open Systems Foundation (OSF).

  • CHAPTER SUMMARY

    The network administrator has a broad range of responsibilities that include network planning, monitoring, and maintenance. Typical activities revolve around network configurations, user connectivity, security, data and asset protection, problem solving, and troubleshooting.

    Network problems and security issues can be resolved in one of two ways: preventing the situation before it happens through network planning and management, or fixing the problem after it happens through troubleshooting techniques. Troubleshooting techniques that are effective in solving problems in the enterprise network include the following:

    • Implement a program for system upgrades and change control.
    • Develop a baseline for the enterprise network.
    • Use a systematic approach to isolate and correct network problems.
    • Look at various alternatives and develop a hypothesis rather than getting tunnel vision.
    • Change only one attribute at a time when troubleshooting and test each change thoroughly.
    • Document the entire troubleshooting incident with the discoveries and conclusions.

    Hardware and software solutions that can be utilized in the troubleshooting and problem-solving environment include protocol analyzers, monitors, sniffers, cable testers, specialty tools, and network management systems. Computer and network incidents could involve the use of forensic techniques to recover and protect evidence in the event criminal activities have occurred or are suspected. Specialized data collection forms are used in this endeavor.