topic 7B : infocomm security (2) Flashcards
What is an incident response?
incident : an event/situation that would likely lead to grave consequences
INCIDENT RESPONSE :
- how an organization REACTS to an unusual negative situation
- it covers the TECHNICAL AND ADMINISTRATIVE aspects of dealing with incidents
Why is an incident response needed?
- keep employees productive by ensuring business continuity with streamlined service restoration
eg: threats from physical disasters, threats from malware
- may be mandated by regulations/laws
Purposes of incident response
1) minimize overall impact
- hide from public scrutiny
- stop further progression
- involve key personnel
- control situation
2) recover quickly and efficiently
- if possible replace system with new one
- priority one : business back to normal
- ensure all participants are notified
- record everything
3) secure system
- lock down all known avenues of attack
- assess system for unseen vulnerabilities
- implement proper auditing
- implement new security measures
Describe the triggers of an incident response
1) trigger by an obvious incident
- web page defacement
- contact from perpetrator (through email, phone etc)
- system service denial
2) trigger by automatic response using
- intrusion detection system(s)
- anti-malicious code software
- firewall
- other security systems
3) trigger by outside source
- another company reporting possible links
- contact by CERT
- law enforcement
- public announcement
- news, attrition.org, hackernews.net
4) trigger by physical reports
- sensitive material found in public area
- hardware reported missing
- secure areas left unsecured
- unescorted unknown personnel
- controlled areas left unattended
Incident response policies
should be developed to outline how the organization will deal with security incidents when they occur
Preparation (Incident response policies)
- steps to be taken when an incident is discovered or suspected should be established
- the POINTS OF CONTACT should be determined
- employees should be trained about the steps to take
- an incident response team should be formed : the necessary equipment to detect, contain and recover from an incident should be acquired + the people using it should be adequately trained
- any additional training in areas (such as computer forensics) that are determined to be necessary should be done
- the incident response team is a critical part of the incident response plan
- the necessary infrastructure should be acquired and deployed
eg:
> backup equipment and media
> IDS and other detection systems
- should be acquired and deployed to facilitate detection of malicious activities
- includes physical systems (alarms etc)
Detection (Incident response policies)
> network and security administrators are more likely to discover an incident
- they run devices such as the organization’s firewall and intrusion detection systems
- procedures should be in place : ensure potential signs and symptoms are reported to the appropriate channel
- where logs are captured, ensure regular analysis (manual/automated) is done to identify suspicious activities
> intruders use SOCIAL ENGINEERING to get information and gain access to systems, networks, physical facilities
- ANYONE in the organization may be a target
- all employees need to know what to look for when faced with this
> everyone should know WHO TO CALL and WHAT TO DO if something is suspicious
- reporting template should be given to any individual suspecting an incident
- the incident response team should determine if an actual incident has occurred
- each reported incident MUST be investigated and treated as a possible incident
Containment and eradication (Incident response policies)
1) problem should be quickly contained
2) decide whether to restore operations or prosecute
> if the decision is to prosecute, specific procedures need to be followed in handling potential evidence
3) how to address the containment (very urgent decision)
> if an intruder is in the system, one response is to disconnect from the internet until the system can be restored and vulnerabilities are patched
but some containment activities may cause additional “damage” such as further shutdown of functioning business operations
- need to weigh options carefully
4) where possible, eradication should be performed once containment is sufficiently complete. Care must be taken to preserve evidence (depends on the incident & where required)
Recovery (Incident response policies)
- the goal should be to have the organization back to normal processing as soon as possible
- keeping of backups and logs would help in the recovery of business data and operations
- having a hot/warm/cold site as a standby provides quick recovery of essential operations while activities to achieve 100% recovery are being pursued
“cold” (facility is prepared), “warm” (equipment is in place), “hot” (operational data is loaded), with the cost to implement and maintain increasing with the “temperature”.
Follow-on actions
- senior-level management should be informed of the incident
- recommendations should be made to improve processes and policies so that the incident will not recur
- if prosecution is desired, additional time is needed to assist law enforcement agencies and for possible testimony
- training material should be developed/modified following the new policies and procedures
Computer incident response teams
CIRT = Computer Incident Response Team
CERT = Computer Emergency Response Team
- team should be created and team members notified before an incident occurs
- team should have technical and non-technical individuals, who can provide guidance on ways to handle media attention, legal issues, management issues
- consists of permanent and ad hoc members
Computer Incident Response Team
- conducts investigations of the incident and makes recommendations on how to proceed
> policies and procedures for investigation should also be worked out in advance
> advisable to have the team periodically meet to review these procedures