Incident Handling and Response and Intrusion Detection and Prevention

The 2008 Data Breach Investigations Report draws from over 500 forensic engagements handled by the Verizon Business Investigative Response team over a four-year period. Tens of thousands of data points weave together the stories and statistics from compromise victims around the world. This report seeks to answer the following questions;

• Who is behind data breaches?
• How do breaches occur?
• What commonalities exist?
• Where should mitigation efforts be focused?

Presenting two best-practice models for cyber incidents: To prevent cyber incidents, learn how to use an uncomplicated cyber risk assessment to help you focus your institution's limited resources. When an incident occurs, know how to douse the effect of breach events when notification is required.

Overview of the University Network The University of Chicago's network has approximately 15,000 network devices on it, spanning across about a thousand switches. The network infrastructure is a 100 MB per second switched infrastructure with a gigabit backbone. For off campus connectivity, we currently have 155 MB/sec Internet2 connectivity, and two 40 MB/sec commodity links. We have a handful of T1 and T3 connections which connect into our campus backbone for affiliated organizations or sites away from the main campus network. Evolution of Network Forensics at the University We have been running various network forensic tools since around 1995. We started with TAMU NetLogger logging traffic on the subnet on which we had our main e-mail, Web, and other important servers. NetLogger relied on a non-switched network for logging. As the University's network swapped over to a switched network we stopped using NetLogger. Around 1998, as the university started the Network Security Center, we started searching for a way to have similar network audit logs, except to monitor traffic across the university's gateway instead of or in addition to monitoring the main servers.

The Maricopa Community Colleges consist of 10 colleges, two skill centers, and many college satellite centers, including classes being held at the Arizona state prison. More than 200,000 students are enrolled, supported by approximately 11,000 employees. This translates to roughly 25,000 network hosts. Maricopa has a decentralized administration, with each college having a president and a full complement of deans. The district office administration handles core, centralized, administrative operations such as human resources and financials. The colleges have diverse missions, from purely occupational to largely academic colleges. One college is solely distance learning.

An effective security program has a number of components. The information security program at the University of Florida (UF) has expanded over the past four years in response to the growing issues of network and data security in a connected world. Among the many important components implemented at UF are a distributed network intrusion detection system, a contact database for network and server managers, vulnerability assessment software , regular proactive scans and audits, and a number of policies . The university was able to cope with the recent wave of RPC worms using the above components.

This is the final report for the NSF Cybersecurity Summit, held December 12-13, 2005, in Tysons Corner, VA.

The fourth document is NSF's feedback on the 2005 Cybersecurity Summit final report. The response was written by Ardoth Hassler and Cliff A. Jacobs.

The presentation will identify the FBI's role in combating malicious code outbreaks and investigating computer intrusion incidents, as well as the objectives of malware analysis. The malicious code cycle of harvesting, harnessing, and executing will be explained and the status of universities as malware targets will be discussed. Finally, the presentation will offer synopses of successes, future challenges, and how organizations can assist with investigations.