Incident - David Basham's Network Security Portfolio

INCIDENT RESPONSE
IMPLEMENTATION
David Basham
University of Advancing Technology
Professor: Robert Chubbuck
NTS435
Incident Response: The Need
Due to an increase in the number of threats to networks, both internal and external, there is a need not only for the detection of breaches but also for a prompt response to such events. In order to help safeguard our organization's data and the privacy of our clients, an Incident Response plan will be implemented based on the NIST Computer Security Incident Handling Guide (SP 800-61).
INCIDENT RESPONSE: Policy Development
Management Commitment
In order for an Incident Response plan to be of use, we will need the commitment, cooperation, and support of the various heads of management. This will require the overall idea to be discussed among those managers and their agreement obtained.
Managers Involved
• CEO
• COO
• CAO
• CIO
• Second Level Managers
INCIDENT RESPONSE: Process of Development
Steps 1 through 6:
• Establish Team for development of Incident Response Plan (IRP)
• Define scope of policy and Organizational Structure of IRT.
• Prioritize the severity of different incidents
• Create Standard Operating Procedures (SOPs)
• Test SOPs in various scenarios for soundness.
• Roll out final Incident Response Plan.
• Define roles of team members.
• Define what constitutes a security incident.
• Identify third parties requiring contact.
• Develop Audit procedures for IRP.
• Review tests and change SOPs as needed.
• Begin Selection of IRT Members.
• Review NIST SP 800-61
• Develop drafts of reporting and contact forms.
• Develop Performance Measurements.
• Review final draft with appropriate Management
• Begin Training for members of IRT.
• Establish timetable for completion.
INCIDENT RESPONSE: Basic Model Selection
Team Model
• Internal
Due to the size of the organization combined with the sensitive nature of the information being protected, it will be best to use a fully internal team consisting of employees.
• Central Incident Response Team
Currently the structure of the organization does not create the need for more than one response team. However, future expansion may mean converting this model to that of Distributed Incident Response Teams.
INCIDENT RESPONSE: Suggested Basic Team Structure
• Upper Management
• Incident Response Team Lead
• Public Relations Liaison
• Technical Lead
• Support Staff
• IT Liaison
INCIDENT RESPONSE: Interdepartmental Dependencies
The following departments will designate a liaison to work with the IRT when needed.
• Legal Department
• Human Resources
• Facilities Management
• IT Central Support
INCIDENT RESPONSE: IRT Services
Intrusion Detection
The monitoring and detection portion of network security is handled by a group that falls under both the IRT and IT. The members that work on intrusion detection are under the management of IT, but their services and direction fall under the IRT.
Advisory Distribution
Should our organization reach the size where distributed incident response teams are used, notification about new threats and vulnerabilities to the other teams (and appropriate personnel) will become part of the standard operating procedures.
Education and Awareness
The IRT will contribute to the training and awareness of the organization's users in order to proactively combat some of the simpler avenues of attack.
INCIDENT RESPONSE: Third Party Contacts
The Incident Response Team maintains contact with:
• Customers, Constituents, & Media
• Law Enforcement Agencies
• Internet Service Providers
• Software & Support Vendors
Trustwave: Spider Labs Incident Response Statistics
INCIDENT RESPONSE: Proposed IRT Cycle
• Preparation: Proactive or Reactive defense. Internal checks and training.
• Detection
• Containment
• Eradication and Recovery
• Post-Incident Activity: Contacting Third Parties and Press Release if needed.
• Review: Analyze effectiveness of response.
INCIDENT RESPONSE: Interdepartmental Exchange of Control
Network Security Group
• Monitoring for events and informing the IRT when one occurs.
Incident Response Team
• Assumes control of Incident and directs efforts until completion of IRT cycle.
Internal Audit
• Assumes control after IRT cycle and reviews to ensure completion.
INCIDENT RESPONSE: Documentation
Current Status of the Incident
Upon completion of the IRT Cycle this documentation should cover the current state of the incident and any remaining problems or suggestions.
Incident Summary
This documentation should summarize the incident in question from its detection to final analysis.
All actions taken by the Incident Response Team
In order to keep track of changes and for reference purposes, any and all changes/actions taken by the IRT should be documented.
Impact Assessment
An analysis of the overall impact (financial, reputation, etc.) should be included as documentation for reference and legal purposes.
Cycle Summary
A shortened summary of the important details of the IRT cycle should be documented for reference purposes.
INCIDENT RESPONSE: Law Enforcement Involvement
Local Police
In instances of local disturbances, physical break-ins and incidents caused by employees, the findings will be turned over to local police and charges filed should the legal department decide that it is warranted.
S.L.E.D.
In instances of computer crime that does not leave the boundaries of the state of South Carolina, the South Carolina Law Enforcement Division will be notified and brought into the investigation if deemed necessary by the legal department.
F.B.I.
In instances of computer crime that crosses state lines or involves the breaking of Federal law, the Federal Bureau of Investigation will be notified and brought into the investigation if deemed necessary by the legal department.
INCIDENT RESPONSE: Media Involvement
In certain cases a security incident may require some kind of statement or media publication. In order to best protect our organization, no one outside the public relations department (Senior Level Management excluded) is authorized to represent the company in any form of media. The IRT will coordinate with the PR, legal, and other necessary departments to create any press and/or media releases.
Incident Response: References
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, January 31). Computer Security Division - Publications: Drafts. Retrieved June 9, 2012, from National Institute of Standards and Technology: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp80061rev2.pdf
Henderson, C. (2011). Retrieved June 9, 2012, from Build Security In: https://buildsecurityin.uscert.gov/swa/presentations_032011/CharlesHenderson2011GlobalSecurityStatsAndTrends.pdf