Incident Handling Foundations

FORESEC Academy
FORESEC Academy Security Essentials (II)
INCIDENT HANDLING FOUNDATIONS

Agenda
- What is incident handling?
- Why is it important?
- What is an incident?
- Fundamentals
- The Six Step process
- Legal issues

Incident Handling
- Incident Handling is an action plan for dealing with intrusions, cyber-theft, denial of service, malicious code, fire, floods, and other security-related events
- Having procedures and policy in place so you know what to do when an incident occurs

Why is it Important?
- Sooner or later an incident is going to occur. Do you know what to do?
- It is not a matter of “if” but “when”
- Planning is everything
- Similar to backups
  - You might not use it every day, but if a major problem occurs you are going to be glad that you did

Legal Aspects of Incident Handling
- Plans, policies and procedures developed for incident handling must comply with applicable laws.
- This is not a legal course; have them reviewed by legal counsel.

What is an Incident?
- An “incident” is an adverse event in an information system and/or network, or the threat of the occurrence of such an event.
- Incident implies harm, or the attempt to do harm
  - The incident handler reduces or minimizes harm
- The fact that an incident has occurred may mean a law has been broken

Types of Incidents
- Bombings, explosions
- Earthquakes, fires, floods
- Power outages, storms
- Hardware/software failures
- Strikes, employees unavailable
- Hazardous material spills
- Cyber-theft, intellectual property theft
- Viruses, worms or other malicious software
- Unauthorized use
- Intrusions, internal or external attack
- Denial of service

What is an Event?
- An “event” is any observable occurrence in a system and/or network
- Examples of events include:
  - the system boot sequence
  - a system crash
  - packet flooding within a network
- These observable events compose an incident
- All incidents are composed of events, but not all events are incidents

Examples of an Incident
- Which of the following is an incident?
  1. An attacker running NetBIOS scans against a Unix system.
  2. An attacker exploiting Sendmail on a Unix system.
  3. A backup tape containing sensitive information is missing.

Overview of the Incident Handling Process
Incident Handling is similar to first aid. The caregiver tends to be under pressure and mistakes can be very costly. A simple, well-understood approach is best. Keep the six stages (preparation, detection, containment, eradication, recovery, and follow-up) in mind. Use pre-designed forms, and call on others for help.

Incident Handling - 6 Steps
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned

Preparation
- Planning is everything
- Policy
  - Organizational approach
  - Inter-organization
- Obtain management support
- Select team members
- Identify contacts in other organizations (legal, law enforcement)

Preparation (2)
- Update disaster recovery plan
- Compensate team members
- Provide checklists and procedures
- Have an emergency communications plan
- Escrow passwords and encryption keys
- Provide training
- Have a jump bag with everything you need to handle an incident

Identification
- How do you identify an incident?
- Be willing to alert early but do not jump to a conclusion
  - “Boy who cried wolf” syndrome
  - Look at all of the facts
- Notify the correct people
- Use the help desk's trouble tickets to track the problem

Signs of an Incident
- IDS tool has an alert
- Unexplained entries in a log file
- Failed events, such as logon
- Unexplained events (new accounts)
- System reboots
- Poor performance
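Several of the signs on this slide can be checked mechanically against authentication logs. As an added example (not part of the FORESEC course material), this Python triage function scans constructed syslog-style lines for a burst of failed logons, a successful logon from the same source after that burst, a newly created account, and a kernel boot message; the log lines, host name, source addresses and the threshold of five failures are all assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (syslog style); not taken from any real system.
SAMPLE_LOG = """\
Mar 03 02:11:04 host1 sshd[812]: Failed password for root from 203.0.113.7 port 5120 ssh2
Mar 03 02:11:06 host1 sshd[812]: Failed password for root from 203.0.113.7 port 5121 ssh2
Mar 03 02:11:09 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 5122 ssh2
Mar 03 02:11:12 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 5123 ssh2
Mar 03 02:11:15 host1 sshd[812]: Failed password for oracle from 203.0.113.7 port 5124 ssh2
Mar 03 02:12:40 host1 sshd[815]: Accepted password for admin from 203.0.113.7 port 5130 ssh2
Mar 03 02:13:02 host1 useradd[830]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup
Mar 03 02:20:31 host1 kernel: [    0.000000] Linux version 5.10.0 (build)
Mar 03 09:00:00 host1 sshd[900]: Accepted publickey for alice from 192.0.2.20 port 40012 ssh2
"""

# Patterns for the slide's signs: failed logons, unexplained new accounts, reboots.
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
NEWUSER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
BOOT_RE = re.compile(r"kernel: \[\s*0\.000000\] Linux version")


def triage(log_text, fail_threshold=5):
    """Return (sign, detail) tuples for each indicator found in log_text."""
    findings = []
    failures = Counter()  # source address -> number of failed logons so far
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["src"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m["src"]] >= fail_threshold:
            # A success right after a burst of failures is worth a closer look.
            findings.append(("success after failures", f"{m['user']} from {m['src']}"))
            continue
        m = NEWUSER_RE.search(line)
        if m:
            findings.append(("new account", m["user"]))
            continue
        if BOOT_RE.search(line):
            findings.append(("system reboot", line[:15]))  # syslog timestamp
    for src, count in failures.items():
        if count >= fail_threshold:
            findings.append(("failed logons", f"{count} from {src}"))
    return findings
```

Each finding is only a sign, not a verdict: as the next slide says, the handler still has to decide whether the event is an incident.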

Identification (2)
- Assign a primary handler
- Determine whether an event is an incident
- Identify possible witnesses and evidence
- Make a clean backup of the system

Containment
- An incident handler should not make things worse (liability and negligence)
- Secure the area
- Make a backup
- Possibly pull the system off the network
- Change passwords

Eradication
- Must fix the problem before putting the system back online
- Determine cause and symptoms
- Improve defenses
- Perform vulnerability analysis

Recovery
- Make sure you do not restore compromised code
- Validate the system
- Decide when to restore operations
- Monitor the systems