Incident Response, BCP, DRP, Backups (Lesson 16) Flashcards
Incident Examples
A Computer Intrusion. Denial of Service Attack. Theft of information. Computer Misuse. A power failure.
Incident Response Goals
Confirms or disproves an Incident.
Accumulate accurate and timely information.
The proper retrieval and handling of Evidence.
The protection of privacy rights as established by law and policy.
Minimal disruption of business and network operations.
The legal or civil action against offenders.
Accurate reports and useful recommendations.
Incident Response Preparation
Risk Management. Host preparation. Network Preparation. Network Policies and Procedures. A Response toolkit. The Incident Response Team.
Incident Response Priorities in order of importance
P1 - Protect human life and safety.
P2 - Protect classified and sensitive data.
P3 - Protect proprietary, scientific and managerial data.
P4 - Prevent damage to systems.
P5 - Minimize service disruption of computing resources.
Incident discovery
Strange activities
System crashes. Unusual hard disk activity. Unexplained reboots. Account discrepancies. Sluggish response. Strange login hours. Failed logins with bad passwords. Unusual activity with the su command.
finger
a protocol to find out about an individual user or users logged onto a system.
users command
Checks the file /etc/utmp and displays the users logged onto the system. UNIX keeps track of who is logged onto the system in a file called /etc/utmp.
ps command
Provides a snapshot of all processes running on the system at any given moment.
netstat command
Lists all the active and pending TCP/IP connections between your machine and other machines.
lastcomm command
Checks the file /var/adm/acct and prints out a list of commands executed by a user.
ttywatch command
A utility that allows the System Administrator to monitor every tty on their system and allows them to record the keystrokes for later playback (similar to a VCR).
traceroute command
A utility that allows the System Administrator to trace the route of an IP packet from their host to a particular foreign host.
Stopping the Intruder.
Power Down?
-Interrupts users.
-Deletes evidence.
-Damages the file systems.
Ask him/her to leave?
-Intruder may damage the system to prevent being caught.
Kill his/her processes?
-Use the ps command to list all his/her processes.
-Change all compromised account passwords.
-Use the kill command to terminate the processes.
-Check for backdoors/sniffers/undesired programs.
Break the connection?
-Interrupts other users.
What about kernel level activity?
-Changes to the kernel may negate the ability to accomplish some of the checks we mentioned.
Computer Forensics Principles
P1: Preserve the evidence in an unchanged state. (think Forensic Image)
P2: Thoroughly and completely document the Investigative Process. (chain-of-custody)
Four different types of Backups
Full: Backup everything every time
Differential: only backup that which has changed since the last full backup (typically)
Incremental: Only backup that which has changed since the last full or incremental backup.
Delta: backup only the portions of files that have changed since the last delta or full backup