Chapter 8

The document discusses security incident management and response. It outlines goals of incident management such as containing incidents and minimizing damage. It describes first responders, evidence chain of custody, computer forensics processes, and the order in which volatile data should be collected. Guidelines are provided for responding to, recovering from, and reporting on security incidents. Damage assessment and appropriate recovery methods are also discussed.

Uploaded by Joshua Carelo
Copyright © All Rights Reserved

Troubleshooting and Managing Security Incidents

• Respond to Security Incidents
• Recover from a Security Incident

Security Incident Management

• A set of practices and procedures that govern how an organization will respond to an incident in progress.

Goals of incident management:

• Contain an incident appropriately.
• Ultimately minimize any damage that may occur as a result of the incident.
Incident Response Plan (IRP)
• Outlines what steps are needed and who is responsible for deciding how to handle a situation.

Computer Crime

First Responders
• Those individuals who must ascertain whether it truly is an incident or a false alarm.

Chain of Custody
• The Who, What, When, Where, and Why of evidence storage.

Computer Forensics
Order of Volatility
• The order in which you need to recover data after an incident before the data deteriorates, is erased, or is overwritten is known as the order of volatility.
• Data is volatile, and the ability to retrieve or validate data after a security incident depends on where it is stored.

The general order of volatility for storage devices is:


1. Registers, cache, and RAM.
2. Network caches and virtual memory.
3. Hard drive and flash drive.
4. CD-ROMs, DVD-ROMs, and printouts.
Basic Forensic Process

Basic Forensic Response Procedures for IT

• Capture system image
• Examine network traffic and logs
• Capture video
• Record time offset
• Take hashes
• Take screenshots
• Identify witnesses
• Track man hours and expense
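The "record time offset", "take hashes" and chain-of-custody (Who, What, When, Where, Why) items above are easiest to see working together. The script below is an added example written for this page, not part of the original slide deck: it hashes a constructed evidence sample, records a custody entry that splits "When" into the responder's trusted collection time and the seized system's own clock (corrected by the recorded offset), logs a hand-off, and later re-verifies the bytes against the recorded digest. All names, paths and the incident identifier are placeholders.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample evidence standing in for a captured system image or log
# export (hypothetical bytes, chosen only so the digest is easy to recognise).
SAMPLE_EVIDENCE = b"abc"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 digest of the evidence bytes (the 'take hashes' step)."""
    return hashlib.sha256(data).hexdigest()


def record_evidence(log, who, what, where, why, data,
                    clock_offset_seconds, system_time_iso, collected_at_iso):
    """Append the initial chain-of-custody entry for one piece of evidence.

    who/what/where/why are the custody facts; 'when' is split into the
    responder's trusted collection time and the seized system's own clock.
    clock_offset_seconds is the recorded time offset: how far the system
    clock ran ahead of the trusted reference (negative if it ran behind).
    """
    system_time = datetime.fromisoformat(system_time_iso)
    corrected = system_time - timedelta(seconds=clock_offset_seconds)
    entry = {
        "who": who,
        "what": what,
        "when_collected": collected_at_iso,
        "where": where,
        "why": why,
        "sha256": sha256_of(data),
        "size_bytes": len(data),
        "clock_offset_seconds": clock_offset_seconds,
        "system_time_raw": system_time_iso,
        "system_time_corrected": corrected.isoformat(),
    }
    log.append(entry)
    return entry


def transfer_custody(log, sha256, from_person, to_person, when_iso, where, why):
    """Record a hand-off so every holder of the evidence is accounted for."""
    entry = {"who": f"{from_person} -> {to_person}", "what": "custody transfer",
             "when": when_iso, "where": where, "why": why, "sha256": sha256}
    log.append(entry)
    return entry


def verify_evidence(entry, data: bytes) -> bool:
    """Re-hash the bytes now in hand and compare with the original record."""
    return len(data) == entry["size_bytes"] and sha256_of(data) == entry["sha256"]


def custody_history(log, sha256):
    """Every custody entry for one item, in the order it was recorded."""
    return [e for e in log if e["sha256"] == sha256]


if __name__ == "__main__":
    custody_log = []
    first = record_evidence(custody_log, "responder A", "system image of srv1",
                            "server room B2", "incident INC-PLACEHOLDER",
                            SAMPLE_EVIDENCE, clock_offset_seconds=420,
                            system_time_iso="2024-01-15T10:07:00+00:00",
                            collected_at_iso="2024-01-15T09:30:00+00:00")
    transfer_custody(custody_log, first["sha256"], "responder A", "lab analyst",
                     "2024-01-15T12:00:00+00:00", "forensics lab", "analysis")
    print(first["system_time_corrected"], verify_evidence(first, SAMPLE_EVIDENCE))
```

The corrected system time is what makes log entries from the seized machine comparable with logs from other hosts; the custody history for a digest should list every holder from seizure to analysis with no gaps.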
Big Data
• Refers to data that is too large to be dealt with by traditional database management means.
• This usually means exabytes of data (a terabyte is a thousand gigabytes, a petabyte is a thousand terabytes, and an exabyte is a thousand petabytes).

Big Data Analysis

• Difficult to forensically investigate
• Not much precedent
• What to look for:
  • Unformatted or incorrectly formatted data
  • Incomplete or missing data
  • Invalid data
  • Data that is out of range
  • Data that is duplicated
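The five "what to look for" categories above can be turned into a mechanical screen that runs over every record before an analyst looks at any of them. The checker below is an added example for this page, not code from the original slides: it runs over a handful of constructed event records (the field names, the timestamp format and the allowed `bytes_out` range are assumptions) and reports the record ids that fall into each category.

```python
import re

# Constructed sample records, as they might be exported from a large event store.
# Expected schema (assumed): id, timestamp "YYYY-MM-DDTHH:MM:SS", host, bytes_out in 0..10_000_000.
SAMPLE_RECORDS = [
    {"id": 1, "timestamp": "2024-03-01T10:00:00", "host": "web01", "bytes_out": 5120},
    {"id": 2, "timestamp": "03/01/2024 10:05",    "host": "web02", "bytes_out": 800},     # wrong timestamp format
    {"id": 3, "timestamp": "2024-03-01T10:10:00", "host": "",      "bytes_out": 1200},    # missing host
    {"id": 4, "timestamp": "2024-03-01T10:15:00", "host": "web03", "bytes_out": "lots"},  # invalid value
    {"id": 5, "timestamp": "2024-03-01T10:20:00", "host": "web04", "bytes_out": -300},    # out of range
    {"id": 6, "timestamp": "2024-03-01T10:00:00", "host": "web01", "bytes_out": 5120},    # duplicate of 1
    {"id": 7, "timestamp": "2024-03-01T10:25:00"},                                          # incomplete record
]

REQUIRED_FIELDS = ("id", "timestamp", "host", "bytes_out")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")
BYTES_OUT_RANGE = (0, 10_000_000)


def check_records(records):
    """Classify each record into the data-quality categories from the slide."""
    issues = {"incorrectly_formatted": [], "incomplete_or_missing": [],
              "invalid": [], "out_of_range": [], "duplicated": []}
    seen = {}  # content key -> first record id that carried it
    for rec in records:
        rid = rec.get("id")

        # Incomplete or missing: a required field is absent, empty or None.
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) in ("", None)]
        if missing:
            issues["incomplete_or_missing"].append(rid)

        # Unformatted / incorrectly formatted: timestamp present but not in the expected shape.
        ts = rec.get("timestamp")
        if isinstance(ts, str) and ts and not TIMESTAMP_RE.match(ts):
            issues["incorrectly_formatted"].append(rid)

        # Invalid (wrong type) versus out of range (right type, impossible value).
        bo = rec.get("bytes_out")
        if bo not in ("", None):
            if isinstance(bo, bool) or not isinstance(bo, (int, float)):
                issues["invalid"].append(rid)
            elif not (BYTES_OUT_RANGE[0] <= bo <= BYTES_OUT_RANGE[1]):
                issues["out_of_range"].append(rid)

        # Duplicated: same content as an earlier complete record, ignoring the id.
        if all(f in rec for f in REQUIRED_FIELDS):
            key = (rec["timestamp"], rec["host"], rec["bytes_out"])
            if key in seen:
                issues["duplicated"].append(rid)
            else:
                seen[key] = rid
    return issues


if __name__ == "__main__":
    for category, ids in check_records(SAMPLE_RECORDS).items():
        print(f"{category}: {ids}")
```

On a real data set the same checks would be applied per partition and the counts per category compared against a baseline, since a sudden rise in malformed or duplicated records is itself a signal worth investigating.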
Guidelines for Responding to Security Incidents
• If an IRP exists, follow it.
• If an IRP doesn't exist, appoint a primary investigator.
• Determine if the event occurred and what the effect was.
• Document the incident.
• Assess damage and determine the impact on affected systems.
• Determine if outside help is needed.
• If necessary, notify local law enforcement personnel.
• Secure the scene to isolate hardware.
• Collect necessary evidence.
• Interview personnel to collect additional information.
• Report the results of the investigation.
Basic Incident Recovery Process

Damage Assessment
• During or after a security incident, a damage assessment should be done to determine the extent of damage, the origin or cause of the disaster, and the amount of expected downtime.
• The assessment can help determine the appropriate response strategy.
Recovery Methods
• After assessing the damage, you will know the extent of recovery that can be done.
• Recovery methods can also involve replacing hardware in the case of a physical security incident.

An Incident Report
Guidelines for Recovering from a Security Incident
• Assess the damage:
  • Assess the area of damage.
  • Determine damage to facilities, hardware, systems, and networks.
  • For digital damage, examine log files, identify compromised accounts, and identify modified files.
  • For physical damage, perform inventory to identify stolen or damaged devices, and areas affected by intruders.
  • Verify that the attack has ended.
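The digital-damage step above ("examine log files, identify compromised accounts, and identify modified files") is shown concretely in the added example below, which is not part of the original slides. It scans constructed sshd-style authentication lines for an account whose successful login follows a burst of failures from the same source, and compares current file digests against a known-good baseline to list changed, removed and unexpected files. The log format, the five-failure threshold, the file contents and the paths are all assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample auth log lines in an sshd-like format (not from any real host).
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:01 srv1 sshd[1201]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 02:11:04 srv1 sshd[1201]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Mar  3 02:11:07 srv1 sshd[1201]: Failed password for alice from 198.51.100.7 port 51004 ssh2
Mar  3 02:11:09 srv1 sshd[1201]: Failed password for alice from 198.51.100.7 port 51006 ssh2
Mar  3 02:11:12 srv1 sshd[1201]: Failed password for alice from 198.51.100.7 port 51008 ssh2
Mar  3 02:11:15 srv1 sshd[1203]: Accepted password for alice from 198.51.100.7 port 51010 ssh2
Mar  3 08:30:00 srv1 sshd[1300]: Accepted publickey for bob from 192.0.2.10 port 40000 ssh2
Mar  3 09:00:00 srv1 sshd[1310]: Failed password for carol from 192.0.2.11 port 40100 ssh2
Mar  3 09:00:20 srv1 sshd[1311]: Accepted password for carol from 192.0.2.11 port 40102 ssh2
"""

AUTH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")


def find_compromised_accounts(log_text, failure_threshold=5):
    """Flag accounts whose successful login follows at least `failure_threshold`
    failures from the same source address; the counter resets on each success."""
    failures = defaultdict(int)
    flagged = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        result, user, src = m.groups()
        key = (user, src)
        if result == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= failure_threshold:
            flagged[user] = {"source": src,
                             "failed_attempts_before_success": failures[key]}
        failures[key] = 0
    return flagged


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline recorded while the system was known-good, and the
# digests observed now; the file contents are hypothetical stand-ins.
KNOWN_GOOD = {
    "/etc/passwd": sha256_hex(b"root:x:0:0:root:/root:/bin/bash\n"),
    "/etc/hosts": sha256_hex(b"127.0.0.1 localhost\n"),
    "/usr/bin/ssh": sha256_hex(b"\x7fELF original-binary"),
}
CURRENT = {
    "/etc/passwd": sha256_hex(b"root:x:0:0:root:/root:/bin/bash\n"),
    "/usr/bin/ssh": sha256_hex(b"\x7fELF altered-binary"),
    "/var/tmp/unknown.bin": sha256_hex(b"unexpected file"),
}


def find_modified_files(baseline, current):
    """Compare current digests against the baseline: changed, removed and new paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


if __name__ == "__main__":
    print(find_compromised_accounts(SAMPLE_AUTH_LOG))
    print(find_modified_files(KNOWN_GOOD, CURRENT))
```

The baseline only helps if its digests were taken before the incident and stored somewhere the affected system cannot write to; a baseline regenerated after the fact would simply record the attacker's changes as normal.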
Guidelines for Recovering from a Security Incident (cont.)
• Recover:
  • Replace damaged or stolen cabling.
  • Detect and delete malicious code from affected systems and media.
  • Disconnect affected systems from servers and shut down the server.
  • Disable access to user accounts used in the attack and search for backdoor software.
  • Scan networks and systems with an IDS.
  • Reconnect servers.
  • Restore data and systems from backups.
  • Replace compromised data and applications, or rebuild the system with a fresh OS installation.
  • Harden networks and servers.
  • Notify officials and stakeholders.
  • Document the recovery process.
Guidelines for Recovering from a Security Incident (cont.)
• Report:
  • Organization name
  • Name and phone number of the person who discovered the incident
  • Names and phone numbers of first responders
  • Event type (physical, malicious code, or network attack)
  • Date and time of event
  • Source and destination of systems and networks
  • OS and antivirus software used, including version information
  • Methods used to detect the incident
  • Business impact of the incident
  • What steps were taken to resolve the incident