Incident Handling

Incident Handling-Step by Step
The possibility of having a security incident grows more likely each day. The middle of a crisis
is not the time to develop a rational plan on how to handle an attack. Being prepared for that
incident is paramount to the survival of your network and its resources. Incident handling begins
with planning and establishing policies and procedures.
Developing a plan of attack for each type of security incident is crucial to the restoration of
normal operation. The most common incident categories are:
Elevation of Privileges – a user or guest gains greater privileges
Data Alteration – files are changed by unauthorized users
Data Theft – data is removed from the system
Denial of Service – legitimate access to the system is denied
Sometimes an event will span multiple categories. For example, web site defacement would
involve elevation of privileges and data alteration. Some
Different events will require different responses. However, there are some basic steps to follow
for every incident.
1. Log every detail. Your documentation can be a Word document that includes screen shots or
notes on a whiteboard. The goal is to capture detailed information without destroying or
contaminating potential evidence. Verify you have an incident before taking any further action.
2. Contact someone. Depending on the severity of the incident, the first call shouldn’t be to your
company president. It might be to your service provider, or it might be to an internal legal
department to start a chain of custody for evidence. For each type of incident, develop a flow
chart for your contact list.
3. Contain the incident. Concentrate on limiting the extent of the damage to your network.
Determine whether the incident is still in progress and should be monitored, or whether action
needs to be taken to stop the activity. Make an official record of all of your evidence.
4. Determine the reason. Discover how the incident occurred and what steps you should take to
ensure the same event doesn’t happen again.
5. Repair the damage. Once the incident is over, the proper people have been notified, and
evidence has been collected, it’s time to determine how to keep the incident from recurring. This
might be as simple as applying an operating system patch and reloading a web page, or it might
require a complete restoration of all data.
6. Increase monitoring. Once a compromised system is restored to operation, continue to monitor
for backdoors and repeat attempts. The fire should be out. Watch and make sure the cause of the
incident has been removed and the system is functioning normally.
7. Learn from the incident. Success yields a persistent hacker. Discover exactly what occurred,
how it occurred, and what steps are necessary to ensure it doesn’t happen again.
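Steps 1 and 3 above ask the handler to capture detail without contaminating evidence and to make an official record of everything collected. The following Python sketch is an added example, not code from the original article: it assumes a hypothetical EvidenceLog class of my own design that records each artifact's SHA-256 hash, handler, timestamp and note, and chains each record to the previous one so that a later edit or deletion in the log is detectable. The artifacts and the case identifier are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample artifacts standing in for evidence collected during a
# hypothetical web site defacement incident (not from the original article).
SAMPLE_ARTIFACTS = {
    "webserver-access.log": b'10.0.0.5 - - [01/Jan/2000:00:00:00 +0000] "GET /index.html HTTP/1.0" 200 1024\n',
    "defaced-index.html": b"<html><body>Defaced (constructed sample)</body></html>\n",
}
GENESIS_HASH = "0" * 64  # prev_hash for the first entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; the fingerprint stored for each artifact."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Append-only, hash-chained record of collected evidence (hypothetical design).

    Every entry stores the artifact's hash as it was at collection time, plus the
    hash of the previous entry. Editing or removing any record breaks the chain,
    which is what verify_chain() checks.
    """

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def record(self, handler: str, artifact: str, data: bytes,
               note: str = "", when: Optional[str] = None) -> dict:
        """Append one evidence record; `when` may be supplied for reproducible output."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "artifact": artifact,
            "size": len(data),
            "sha256": sha256_hex(data),
            "note": note,
            "prev_hash": prev,
        }
        # The entry hash covers every field above, in a canonical serialization.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if every entry's hash is intact and links to its predecessor."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def verify_artifact(self, seq: int, data: bytes) -> bool:
        """True if `data` still matches the hash recorded for entry `seq`."""
        return self.entries[seq]["sha256"] == sha256_hex(data)

    def to_jsonl(self) -> str:
        """One JSON object per line, suitable for an official record or handoff."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def build_sample_log() -> EvidenceLog:
    """Record the constructed artifacts with fixed timestamps (case id is constructed)."""
    log = EvidenceLog("CASE-EXAMPLE-0001")
    log.record("handler-a", "webserver-access.log", SAMPLE_ARTIFACTS["webserver-access.log"],
               note="copied read-only from web server", when="2000-01-01T00:05:00+00:00")
    log.record("handler-a", "defaced-index.html", SAMPLE_ARTIFACTS["defaced-index.html"],
               note="defaced page as found", when="2000-01-01T00:06:00+00:00")
    return log


def tamper_demo() -> bool:
    """Edit a recorded note after the fact and report whether the chain still verifies."""
    log = build_sample_log()
    log.entries[0]["note"] = "edited later"
    return log.verify_chain()


if __name__ == "__main__":
    log = build_sample_log()
    print(log.to_jsonl())
    print("chain intact:", log.verify_chain())
    print("chain intact after tampering:", tamper_demo())
```

Recording the hash of each artifact at collection time lets a later reviewer confirm that the copy being examined is the one that was seized, and the chained entry hashes give the record itself the same protection; both are useful when the log is handed to a legal department to start a chain of custody, as step 2 describes.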
Final Thoughts
Incident handling is not a reactionary exercise. It is a logical progression of events down a path
that you’ve determined before the situation arises. Plan well and a network security incident will
become a routine administrative task.