This course is taught by Professor Shambhu J. Upadhyaya of the State University of New York at Buffalo.
4.5 Intrusion Response, Recovery and Forensics
0:00
[MUSIC] >> Intrusion response is the set of strategies which organizations can follow after a breach or security leak to minimize the impact of the incident. The intrusion response system can be of two types, passive or active. Passive response systems do not take any actions to stop the attack. Instead, they only alert the system administrator about a security breach, and take the time to observe the attack's progress so as to learn more about the attack and the attacker's strategies.
0:47
The system administrator can thereafter take actions to prevent the system compromise or prepare for an appropriate recording procedure. One way to respond to intrusions would be to simply shut down the system or reset the system.
1:05
Hopefully, this would bring the system back to a safe state. Active response systems can take some predefined or dynamic actions to block the intrusion attempt and notify the system administrator about the intrusion. Sometimes, such systems are referred to as intrusion prevention systems, as we saw in Lesson 3. An important action of breach response is the recovery. In situations of an intrusion or breach, the system administrator takes the necessary steps to recover and bring the system back to a stable and safe state.
1:53
The response consists of six phases. One: Monitoring for attack. Monitor system state for any suspicious activity. Two: Identification of attack. Alert the system administrator to the intrusion. Identify the type of attack and the areas of the system which are affected by the intrusion. Three: Containment of attack. Mitigation steps to minimize the impact of the attack and prevent it from causing further harm.
2:30
Four: Eradicate impact of attack. The steps to stop the current attack and block any similar attacks. Five: Recovery from attack. Take steps to recover from the harm caused by the attack. Six: Follow-up of attack. This step involves performing forensics, identifying the security glitches, planning steps to prevent such attacks from happening in the future, and recording the lessons learned.
3:09
The final topic of this lesson, which is also the final topic of this module, is cyber forensics. Cyber forensics, or computer forensics, is the procedure to collect information and digital evidence about any cyber crime so as to present them to law enforcement agencies. The goals of cyber forensics are, one, prevention of crime from happening in the first place.
3:41
Two, crime detection and analysis, and, three, resolution of disputes where evidence is stored digitally. Computer forensic investigations usually follow the following standard procedure. First, acquisition: gathering data and other evidence related to the criminal activity. Second, examination: assessing the gathered data and devices for authenticity. Third, analysis: thorough examination and investigation of the crime incident. Fourth, reporting: creating a report of the complete investigation, which is then presented in court for further hearing.
4:34
A number of forensics tools are out there in the market. We will review some of them. One, Digital Forensics Framework. It is Windows- and Linux-based software and it can be used for digital chain of custody, accessing remote or local devices, investigating Windows or Linux operating systems and related software, and recovery of hidden or deleted files.
5:04
Two, Open Computer Forensics Architecture, OCFA. OCFA is another popular distributed open-source computer forensics framework. This framework was built on the Linux platform and uses a PostgreSQL database for storing data. Three, X-Ways Forensics. This is advanced software used by professionals for cyber investigations. It requires a lot of resources to operate, but it provides numerous functions, including disk imaging and cloning, and the ability to read file system structures inside various image files.
5:55
Support for most of the file systems, including FAT16 and FAT32. Automatic detection of deleted or lost hard disk partitions. Various data recovery techniques and powerful file carving. Finally, bulk hash calculation. X-Ways is a paid tool, and so are EnCase and Forensic Toolkit, also called FTK, which are not new here, and they provide varied services and flexible environments. This concludes the module on breach response and also the course on cyber security in manufacturing.