Department of Engineering Technology College of Engineering University of Central Florida Dr. Philip Craiger

Transcription

1 Department of Engineering Technology College of Engineering University of Central Florida Dr. Philip Craiger Title: Course Description: Prerequisites: Incident Response Technologies CIS 6395 Covers security incidents and intrusions, including identifying and categorizing incidents; responding to incidents; log analysis; network traffic analysis; tools; and creating an incident response team. PR: CGS 5131 or CI. PROFESSOR Dr. Philip Craiger, CISSP Department of Engineering Technology & Assistant Director for Digital Evidence National Center for Forensic Science WebCourses ONLY Office: NCFS (Partnership Building 1) 225 Voice: (best to reach me via , leave your phone number if you need to talk to me). Office hours by appointment only Course Goals : By the end of the course a student should be able to : 1. Detect and characterize various incident types 2. Demonstrate a practical understanding of the analysis of artifacts left on a compromised system 3. Demonstrate an understanding of the complexity of and effectively respond to privileged and major event incidents. 4. Obtain practical experience in the analysis of vulnerabilities and the coordination of vulnerability handling tasks 5. Formulate effective advisories, alerts, and management briefings COURSE DELIVERY We will use both Webcourses and a wiki for this class. The primary course site is:

2 This site has links to all course materials (video lectures, textbook, required readings, etc.). We will use Webcourses for the following: 1. Discussion group postings 2. Class 3. Assignment turn in 4. Class announcements Video Lectures All lectures are delivered through video. Lectures are available in a downloadable compressed file. Uncompress the file creates a directory with the same name as the compressed file. Go to that directory and clink on the 'index.htm' file. That will bring up your browser and video will play within it. Note the format is Flash, so you must have Flash Player installed in order to view the videos. (Google for 'flash player', and the first link should be the one to download Flash Player). The videos vary from minutes in length. (Any longer than that and I lose your attention!). I am really big on demonstrating what I'm talking about, so generally I'll discuss a topic using PowerPoint slides, and then move on over to a window that has Linux running in it (see under Course Equipment how I do this), and then demonstrate what I've discussed. Course Outline : 1. Introduction to incident and intrusion handling a. Definition of incident b. Criteria for incidents c. Categories of incidents d. Types of incidents e. Response level to incidents 2. Definition of incident handling a. Purpose of incident handling b. Steps in incident handling 3. Network forensics a. TCP/IP b. Scanning/reconnaissance c. Trace evidence 4. Technical Analysis a. Log Analysis b. Configuration files c. Network Traffic analysis 5. System Devices

3 a. Windows servers b. Mac OS X servers c. Unix servers 6. Malware analysis 7. Creating a CIRT 8. Common problems a. CIRT component & constituency 9. Policies & Procedure a. Standard Operating Procedure (SOP) 10. Case Studies Textbook: Required: Grance, T., Kent, K., & Kim, B. (2004). Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology. West-Brown, M.J., Stikvoort, D., & Kossakowski, K. (2003). Handbook for Computer Security Incident Response Teams (CSIRTs). Computer Emergency Response Team, Carnegie- Mellon University. These are free textbooks that I ve uploaded on the website. There are additional readings as well. Why do I use a free textbook you ask? 1. It has the same materials as the $120 textbooks (pretty much), and 2. I'm trying to be nice to hardworking, poor students. Contacting Me The best way to contact me depends on whether it's class or personal related. IF your question is class related and you need an answer from ME, THEN post to the "Ask the Professor" Discussion Group on WebCourses. (Why? Becuse if you have a question, odds are 5 others have the same question. It's more efficient to answer one discussion posting than 6 s). IF your question is related to a PERSONAL matter, THEN me through WebCourses. (If you me about a class-related matter, I will reply "Post this to the Ask the Prof Discussion Group." You've been warned).

4 STUDENT PRODUCTS Products include: assignments to include; analyzing and correlating log files from multiple devices to determine incident source; demonstration of procedures to recover from various incidents on various operating systems and platforms; gathering and analyzing trace evidence from an incident; create timeline. Professionally written reports are required for each assignment. Students must be able to demonstrate effective communication skills in order to pass this course. COURSE EQUIPMENT You will need access to Linux. You have several options: o (EASIEST) Download VMWare Player Player: AND o Download an Ubuntu appliance o OR o o OR o A computer that dual booted Windows (98/NT/2000/XP) and a distribution of Linux (it doesn't matter which distribution). WARNING: You can severely and irreparably hose your Windows installation! So unless you really know what you are doing, I would not suggest this option. There is a lot more information on the wiki about this. \My (strong) suggestion is download VMWare Player and a Linux appliance. (See the video VMWare Howto for more specifics regarding running VMWare player.) A Linux appliance is simply a Linux Virtual Machine, pre-made, that will run in VMWare Player. If you choose the second option, be forewarned that you should have a complete backup of your system, as it s very easy to hose your system. Unless you have created a dual-boot system previously, I would suggest going with the first option. EVALUATION Assignments are graded on the following factors: o Technical accuracy o Completeness o Professionalism The quality of communicating your ideas THIS IS CRITICAL. The overall appearance of your document

5 Grading Scale = A = B = C = D Below 60 is an F TESTS There are none. ASSIGNMENTS All assignments are individual assignments, not group work. Late assignments will NOT be accepted Assignments sent to me in any other means that WebCourses upload will NOT be accepted. Unless otherwise stated, all assignments are due no later than 11:55PM (Eastern) on the due date. Every assignment must be named in the following format: <first name>.<last name>.<assignment number>.[txt,doc] (whichever extension I request) Failure to follow this rule will result in a 25% reduction in your grade (that is, you start off with a 75). Plagiarizing someone s work will in an F for the course. If you are unsure of the meaning of plagiarism, I suggest you read: If you use someone else's words, then reference where you obtained the information. There is nothing wrong in doing this. However, it is wrong to use someone else's work without giving them credit. NETIQUETTE Use appropriate netiquette when posting to the discussion group. No flames please. Try to be helpful. At one time or another in our lives we were clueless (some more than others). DISCUSSION GROUPS

6 General Discussion for communication between/amongst students about any topic Ask the Professor for questions for me about the course, forensics, any class-related topic. ADDENDUM I reserve the right to change the syllabus or content of this course in order to provide a better quality educational product.