  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

The study of incident response in Taiwan

Liaw, Bon-Yen 03 October 2002
Due to the growth in the use of the Internet, computers are no longer separate systems. On the contrary, the frequency of sharing of computers' computing abilities, devices, and resources has been surprisingly high in the last few decades. This gives people a more convenient network environment. However, dangers also come along. Ever since it appeared in 1988, the first computer worm (Morris Worm) has made people aware of this issue. The computer network world has become an environment that contains many potential dangers. Whereas computer security incidents are increasing dramatically, many countries have established specific organizations to solve these problems. TWCERT/CC (Taiwan Computer Emergency Response Team/Coordination Center) is one of these organizations. The utilities of TWCERT/CC are to help people be aware of computer network dangers, to respond to and coordinate security incidents inside and outside Taiwan, to supervise the security circumstances in Taiwan, and to announce alerts or take proper actions when the situation is serious. Responding to and coordinating those incidents in TWCERT/CC is one crucial everyday job which requires a very complicated procedure. However, handling security incidents without a systematic method would be a heavy load for a computer security incident response team. This research is to develop a systematic method and procedure to handle incidents and a system that can implement this procedure. The goal is to shorten the processing time of incidents, to enhance the accuracy of handling incidents, and to analyze the data collected from the system to get useful information.
2

Přiměřená ochrana informací / Adequate information security

Drtil, Jan January 2009
Abstract 1) Goal of the thesis: There is an assumption that companies are nowadays spending money on IT security not according to the importance of the information for the company. In order to prove it or not, this thesis sets out to check it. If this is true, the aim of this thesis will be to find a methodology that can be used to verify whether money is spent effectively and efficiently or not. 2) Aim of the thesis: From the content point of view the focus of this work is information security methodics. From the research point of view the research was conducted on medium and small organisations in the automotive industry, mainly due to the fact that the automotive industry is an important part of our national economy (approx. 8% of GDP). 3) Outcomes of the thesis: From the theory point of view the definition of "adequacy" of information security was set. Adequacy consists of two parts -- the value of information, and the importance of information. A way to determine both value and importance was found as well. From the reality point of view there was a finding that the researched organisations do not follow any systematic approach to information security, which can negatively impact the frequency and importance of security incidents in the organisations. One of the main results of the research is the fact that in case there is a need to make effective and efficient information security based on the support of the management of the company. Finally, the next result is the creation and verification of the "Adequate information security methodology", which can be used by managers in order to increase the effectiveness and efficiency of the resources spent on information security. There is an extension of this Methodology covering the individuality of the decision maker and the circumstances that influence him.
3

Software hlášení bezpečnostních incidentů v GPON síti / GPON network security incident reporting software

Kupka, Ondřej January 2021
This thesis focuses on the development of software for security incident reporting from GPON networks. The theoretical part introduces the principles of GPON and provides an introduction to security incidents. The practical part is focused on the selection of suitable open-source systems and the design of an application in Python for the creation of alerts. The output of the work is the deployment of the TheHive, Cortex and MISP systems and the creation of an application enabling the creation of various types of alerts based on a prepared template. The thesis is finalized by a detailed description of deployment, custom configuration and testing.
4

Agregace hlášení o bezpečnostních událostech / Aggregation of Security Incident Reports

Kapičák, Daniel January 2016
In this thesis, I present an analysis of security incident reports in IDEA format from Mentat, and the design and implementation of methods for their aggregation and correlation. In the data analysis, I show the huge diversity of security reports. Next, I show the design of a simple framework and a system of templates. This framework and system of templates simplify the design and implementation of aggregation and correlation methods. Finally, I evaluate the designed methods using Mentat database dumps. The results showed that the designed methods can reduce the number of security reports up to 90% without loss of any significant information.
5

Možnosti zajištění informační bezpečnosti pomocí definice standardního chování zaměstnanců / Options to ensure information security by defining a standard behavior of employees

Dvořák, Martin January 2009
The number of transactions carried out electronically via the internet has grown continually, as has the number of users of IT (information technology). In the same way, transactions that may be at risk in terms of information security are increasing, as is the number of security incidents threatening financial gain or theft of sensitive information. Attackers carry out attacks in order to make financial gains using more sophisticated methods, sophisticated not only in their use of information technology but also in their use of social engineering techniques. Governments know about this growing trend, and measures are being taken to help increase the information security of the state. This is evidenced by the fact that the European Parliament recently approved the Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, and by the ensuing law on cyber security (Act No. 181/2014 Coll.) adopted by the Parliament of the Czech Republic in the summer of 2014. This act orders organizations which maintain critical infrastructure to implement a system to evaluate cybersecurity events (user behavior). So far no unified approach to implementing such systems has been defined. The author defines a standardized methodology for the implementation of systems which evaluate user behavior, with a focus on optimization of the data which these systems have to process to ensure their efficient functionality.
6

Obfuskace anomálií a bezpečnostních incidentů při provozu DNS / Obfuscation of Anomalies and Security Incidents in DNS Traffic

Štěrba, Ondřej January 2016
The work analyzes current detection methods of anomalies and security incidents in DNS traffic, and then designs new obfuscation techniques which are capable of evading anomaly detection. Network attacks exploiting the DNS protocol for tunneling of other network traffic were selected for the implementation part of the work. Control of a botnet is considered as a malicious application of tunneling through the DNS protocol. The main result of the work is to emphasize the necessity of discovering new detection principles of anomalies and security incidents in DNS traffic.
7

Anotace NetFlow dat z pohledu bezpečnosti / Annotation of NetFlow Data from Perspective of Network Security

Kadletz, Lukáš January 2016
This thesis describes the design and implementation of an application for offline NetFlow data annotation from the perspective of network security. The thesis explains the NetFlow architecture in detail, along with methods for detecting security incidents in the captured data. The application design is based on an analysis of manual annotation and is supported by several UML diagrams. The Nemea system is used for detecting security events and the Warden system as a source of information about reported security incidents on the network. The application uses technologies such as PHP 5, the Nette framework, the jQuery library and the Bootstrap framework. The CESNET association provided NetFlow data for testing the application. The result of this thesis could be used for analysis and annotation of NetFlow data. The resulting data set could be used to verify proper functionality of detection tools.
8

An Analysis of the Relationship between Security Information Technology Enhancements and Computer Security Breaches and Incidents

Betz, Linda 01 January 2016
Financial services institutions maintain large amounts of data that include both intellectual property and personally identifiable information for employees and customers. Due to the potential damage to individuals, government regulators hold institutions accountable for ensuring that personal data are protected and require reporting of data security breaches. No company wants a data breach, but finding a security incident or breach early in the attack cycle may decrease the damage or data loss a company experiences. In multiple high profile data breaches reported in major news stories over the past few years, there is a pattern of the adversary being inside the company’s network for months, and often law enforcement is the first to inform the company of the breach. The problem that was investigated in this case study was whether new information technology (IT) utilized by Fortune 500 financial services companies led to changes in data security incidents and breaches. The goal of this dissertation is to gain a deeper understanding of how IT can increase awareness of a security incident or breach, and can also decrease security incidents and breaches. This dissertation also explores how threat information sharing increases awareness and decreases information security incidents and breaches. The objective of the study was to understand how changes in IT can influence an increase or decrease in data security breaches. This investigation was a case study of nine Fortune 500 financial services companies to understand what types of IT increase or decrease detection of security incidents and breaches. An increase in detecting and stopping a security incident or breach may have positive effects on the security of an enterprise. The longer a hacker has access to IT systems, the more entrenched they become and the more time the hacker has to locate data with high value. Time is of the essence to detect a compromise and react.
The results of the case study showed that Fortune 500 companies utilized new IT that allowed them to improve their visibility of security incidents and breaches from months and years to hours and days.
9

Är du beredd när det smäller? : Utmaningar inom incidenthantering med fokus på IT-konsultbolag

Nyman, Maja January 2018
Information security incident management is important for organizations and its importance is increasing. Information security incidents are increasing both in number and in scope, and in 2018 GDPR and the NIS-directive require organizations to report incidents to a supervision authority. This study highlights IT-consulting companies and their vulnerable position as subcontractors. The study aims to address the lack of empirical research in incident management and to inform future theory development. The goal of the study is to answer the research questions (1) what challenges do IT-consultancy companies experience with their incident management? (2) What challenges are specifically related to the GDPR and the NIS-directive? And (3) what challenges are specific for consulting companies? Challenges with the incident management are identified and clarified by qualitative interviews with experts and a survey. The analysis of the results shows that some of the challenges are consistent with previous studies, while some are new, and that the survey partly supports the experts' opinions. The conclusion of the study is that the majority of the companies’ improvement opportunities are linked to internal and external communication, cost focus, absence of a major incident, awareness, GDPR, the role of consulting company and internationally recognized difficult activities. The research contribution of the study consists of identified challenges in the field of incident management derived from IT-consultancy companies. The results of the study are recommended to IT-consultancy companies that would like to improve their incident management process by gaining an understanding of incident management issues. / A well-functioning incident management process is, and is becoming, increasingly important for organizations. Information security incidents are increasing both in number and in scope, and in 2018 the GDPR and the NIS-directive enter into force with requirements to report designated incidents to a supervisory authority. This study highlights IT-consulting companies and their exposed position as subcontractors, and aims to address the lack of empirical research in incident management and to contribute to future theory development. The goal of the study is to answer the research questions (1) what challenges do IT-consulting companies experience with their incident management? (2) which challenges are specifically related to the GDPR and the NIS-directive? and (3) which challenges are specific to consulting companies? The results are based on qualitative interviews with experts and a survey, and they identify and clarify perceived challenges in the companies' incident management. The analysis of the results shows that some of the companies' challenges are consistent with previous studies while others are new, and that the survey partly supports the experts' statements. The conclusion of the study is that the companies have a number of development and improvement opportunities linked to internal and external communication, cost focus, the absence of a major incident, awareness, GDPR, the role as a consulting company and internationally recognized difficult activities. The study's research contribution consists of identified challenges in the area of incident management at IT-consulting companies, and the results of the study are recommended to IT-consulting companies that, by gaining an understanding of the problems of incident management, want to improve and develop their process for handling incidents.
10

Forenzní analýza malware / Forensic Malware Analysis

Král, Benjamin January 2018
This master's thesis describes methodologies used in malware forensic analysis, including methods used in static and dynamic analysis. Based on those methods, a tool intended to be used by Computer Security Incident Response Teams (CSIRT) is designed to allow fast analysis and decisions regarding malware samples in security incident investigations. The design of this tool is thoroughly described in the work, along with the requirements on which the tool design is based. Based on the design, a ForensIRT tool is implemented and then used to analyze a malware sample, Cridex, to demonstrate its capabilities. Finally, the analysis results are compared to those of other comparable available malware forensics tools.
