C++, 172
Cable TV Privacy Act, 401
Cache corruption, 163
California Business and Professional Code, 64
Calling Line Identification, 474
Capability Maturity Model® (CMM), 44, 47
Cellular telephones, 145, 151
CERT, see Computer Emergency Response Team
CERT Coordination Center, 468, 484, 494
Certified Information Systems Auditor (CISA), 115
CGI, see Common Gateway Interface
Chain of custody schedule, 264
Change control management, 192
Chart(s)
  Critical Path Method, 12, 13
  examples, 13
  Gantt, 12, 13
  organizational, 122
Children's Online Privacy Protection Act (COPPA), 402, 404
CIA, see Confidentiality, integrity, and availability
CIDR, see Classless Inter-Domain Routing
CIRT
  ad hoc, 327
  commercial, 325
  communications, 329
  development life cycle, 339
  funding, 328
  in-house, 326
  management skills, 334
  people skills, 335
  requirements, 327
  success metrics, 338
CISA, see Certified Information Systems Auditor
Civil suits, 374
  civil discovery, 376
  civil processes, 375
  e-mail discovery, 376
  federal laws applicable to computer-related crimes, 378
  plaintiff's burden of proof, 375
Classless Inter-Domain Routing (CIDR), 238, 239
Classroom training sessions, 51
CLI, see Command line interface
CMM, see Capability Maturity Model®
CMOS, see Complementary Metal Oxide Semiconductor
Coaching, 18
COBIT™, 133
Code of ethics and conduct, auditor, 115
CodeRed virus, 329
Cold sites, 30
Cold telephone calls, 67
Command line interface (CLI), 293
Command post (CP), 233
Common Gateway Interface (CGI), 23, 138
  output, 201
  scanner, PERL language-based, 200
  vulnerabilities, 199
Common Vulnerability and Exposure (CVE), 136, 137, 186, 202
Communications sub-team, 36
Company assets, laws affecting protection of, 8, 9
Complementary Metal Oxide Semiconductor (CMOS), 272
Computer
  crime, cost of, 357
  Crime and Security Survey, 230
  Emergency Response Team (CERT), 1
  evidence, examination of, 262
  forensics examiners, 81
  intrusions, 258
  names, 1
  Security Incident Response Teams (CSIRTs), 484
Computer Security Institute (CSI), 2, 229
Computer Security Resource Clearinghouse, 496
Confidentiality, 471
  attorney-client, 64
  auditor, 115
  integrity, and availability (CIA), 26, 154
Consultant procedures, 88
Contract language, 88
Controls
  audit trail, 158
  database
    concurrency, 157
    existence, 158
Cookie(s), 198
  caches, 297
  definition of, 226
  disabling of, 102
Cookie Pal, 198, 199
COPPA, see Children's Online Privacy Protection Act
Copyright(s), 344
  cases, criminal actions in, 345
  employee, 61
  infringement, 345
  laws, 61
  protection, 345
  sample, 62
  violation, 57
Corporate espionage, 343
Corrective controls, 117
Counterfeit goods, criminal prosecution for trafficking in, 346
CP, see Command post
CPM chart, see Critical Path Method chart
Crack, 503
Credit card
  authentication, 215
  fraud, 218
Credit-reporting agency, 400
Crime scene investigation, 250
Criminal law, 358
  allegations, 359
  appeals, 374
  computer evidence, 366
  court orders, 364
  criminal discovery, 371
  criminal plea bargains, 373
  criminal procedure, 370
  defense arguments relative to expert witnesses, 366
  electronic discovery, 372
  e-mail as evidence, 372
  expert testimony, 365
  federal legal requirements for electronic surveillance, 367
  grand juries, 360
  investigation, 359
  means of collecting electronic evidence, 367
  search warrants, 362
  sentencing, 374
  subpoenas and summons, 361
  testimony, 365
  trials, 373
  witnesses, 359
Critical assets
  damage to, 3
  definition of, 5
  management of, 112
  priority-ranked, 32
  safeguarding of, 119
Critical incident analysis, parts of, 11
Critical incident response and CIRT development, 229-340
  CIRT composition, 331-340
    CIRT development life cycle, 339-340
    CIRT management skills, 334
    CIRT success metrics, 338-339
    communication skills, 334-335
    crisis, 336
    database managers, 333
    engineers/software developers, 333
    human resources unit, 332
    incident reporting, 335-336
    IT investigative, analysis, and forensic experts, 332
    IT security officers, 333
    legal unit, 332
    people skills, 335
    public relations, 332
    response steps for legal actions, 336-338
    system owners, 333-334
    systems administrators, 333
    team skills, 334
    technical skills, 334
    telecommunications specialists, 333
  collecting evidence, 260-267
    activity log, 265
    chain of custody schedule, 264
    common mistakes when handling evidence, 263
    definition of evidence, 260-261
    evidence prioritization, 261-262
    evidence tags, 265
    examining computer evidence, 262-263
    hostile interview environments, 267
    policies and procedures, 263
    recorded statements, 266
    witness reports, 265-266
  critical incident detection, 235-260
    administrator facilitated attacks, 258-259
    application logging, 241-242
    attack underway, 253
    business considerations before legal actions, 260
    business issues, 245
    critical incident checklist, 249
    critical incident response personnel, 247
    critical incident response tools, 246-247
    critical incident symptoms, 236
    determining response strategy, 252
    DNS, 239
    frequent backups, 242-243
    hardening servers, 242
    interviewing managers, 252
    interviewing system administrators, 251
    interviewing users, 251
    interviews, 250
    IP addresses, 238-239
    IP addressing, 237-238
    law enforcement liaison, 256-257
    law enforcement relations, 254-256
    legal issues, 245
    locating origin of denial-of-service attacks, 240
    location of attacker, 253-254
    mission statement, 247-248
    other relative issues, 259
    political issues, 245-246
    resources, 240
    response to scene, 248
    response strategy, 236-237
    restoring service operations, 253
    senior manager's approval, 259
    suspicious activity reports, 256
    system map, 250
    system monitoring structure, 244-245
    system security architecture, 243-244
    time stamps, 244
    types of attacks, 257-258
    UNIX logging, 240-241
    user security training, 243
    Windows logging, 241
  critical incident management, 229-235
    command post operations, 233-235
    critical incident planning, 232-233
    critical incident response, 230-231
    critical incident response strategy, 231-232
    firefighter response model, 231
  evidence examination, 296-307
    autocomplete entries in registry, 299-300
    changing user passwords, 298-299
    chronology of events, 307
    cracking user passwords, 299
    evidence on Windows operating systems, 296-297
    going native, 298
    good places for evidence, 300
    legal cautions, 307
    logical file review in Windows, 297-298
    looking at relevant files, 306-307
    looking for specific words, 306
    looking at Windows registry, 299
    offline log reviews, 305-306
    partitions, 302
    partition status, 302-303
    password-protected and encrypted files, 303
    print spooler files, 303-304
    recycle bin, 300-302
    Windows NT logging, 304-305
  forensic investigation, 285-293
    common e-mail headers, 292
    DOS-based operating systems file deletions, 287-288
    e-mail with firewall headers, 290-291
    e-mail processing, 288-290
    file slack and free space, 287
    networking review, 292-293
    network resources, 292
    physical level search, 286-287
    reading e-mail headers, 288
    relaying, 291-292
  forming critical incident response team, 324-331
    added CIRT responsibilities, 328
    ad hoc CIRTs, 327
    CIRT, 325
    CIRT communications, 329-330
    CIRT funding, 328-329
    CIRT requirements and roles, 327
    developing critical incident cost analyses, 330-331
    people supported by CIRT, 329
    using in-house talent, 326-327
    using outside consultants, 325-326
  malicious code attacks, 315-324
    anonymous remailers, 323-324
    digital bloodhounds, 317-318
    domain registration payments, 322
    dynamic host control protocol tracing, 320-321
    investigating identity of attacker, 321-322
    IP addresses, 318
    nicks and monikers, 322-323
    resolving IP addresses, 318-319
    things to do after, 317
    trace route, 319-320
    Trojan horses and logic bombs, 316-317
    viruses, 315-316
  performing forensic duplication, 267-285
    attaching hard drive, 271
    BIOS, 271-272
    BIOS passwords, 272-274
    boot disk, 282, 283
    different approaches to media duplication, 269-270
    disabling DRVSPACE.BIN, 283-284
    EnCase, 285
    forensically sound duplication tools, 281
    forensic media duplication tools, 281
    hard disk construction, 274-275
    information hiding in Windows FAT, 278
    physical write blockers, 284
    Power-On Self Test, 272
    producing hash values, 281-282
    relative addressing, 275-276
    removing target hard drive, 270-271
    steps to follow when collecting evidence, 268-269
    undeleting in Windows-based operating systems, 277-278
    UNIX dd commands, 285
    UNIX file system, 279-280
    using Safeback in forensic duplications, 284-285
    Windows DOS-based file allocation table, 276-277
    Windows NT file system, 278-279
  responding to Windows NT incidents, 293-296
    collecting volatile live-time evidence, 296
    data storage, 293-294
    open ports and listening services, 295
    processes running on target computer, 295-296
    responders turned off, 294
    system users, 294
    tools in tool bag, 293
  UNIX-based investigations, 307-315
    baseline comparison for SUID/SGID files, 314
    coroner's toolkit, 309-310
    data hiding techniques, 309
    file recovery alternatives for UNIX/Linux, 312
    file stamps, 312-314
    hiding files, 310-311
    log files, 314-315
    steganography, 311
    strong encrypted protections, 312
    system configuration, 314
    undeleting UNIX, 308
    understanding file permissions, 312
    UNIX file system analysis, 307-308
    user and password accounts, 314
Critical Incident Response Team, 153
Critical Path Method (CPM) chart, 12, 13
CRM, see Customer Resource Management
Crying wolf, 232
Cryptography, 468
CSI, see Computer Security Institute
CSIRTs, see Computer Security Incident Response Teams
Customer Resource Management (CRM), 52
CVE, see Common Vulnerability and Exposure
Cybersquatters, 349