Understanding and Responding to Security Breaches: Incident Handling & Computer Forensics, Study Guides, Projects, Research of Computer Science

Download Understanding and Responding to Security Breaches: Incident Handling & Computer Forensics and more Study Guides, Projects, Research Computer Science in PDF only on Docsity!

Incident Handling & Computer Forensics

Understanding Incidents

Exploring the incident paradigm: classifications and meaning

Incidents: Types and functionality

Controlling Incidents

Incident Response: A Brief Overview

Incident Response: structural design

Incident Handling

Computer Security Incident Response Team (CSIRT)‏

Incident Handling - Outline

Incident Paradigm: Classifications

Incidents can be classified into 4 broad classifications which are:

Illicit/ unauthorized invasion into an IT setup

Any occurrence that compromises or corrupts Information

Any act of Intentional or Accidental infliction of viruses in a

network.

Any act of intentional or accidental disruption of service or

damage or loss of equipment.

Incidents: Types and Functionality

 Confidentiality Integrity and Availability (CIA)‏ Related

 Incidents

 Reconnaissance Attacks

 Repudiation

 Harassment

 Extortion

 Pornography Trafficking

 Organized Crime Activity

 Subversion

 Hoaxes

 Caveat

Steps to ensure Incident Handling

 Formulate and establish universal measures that should be taken

immediately after an incident’s detection.

 Organize unit functioning in a way that it is able to respond to incidents

 Scrutinize all available information to distinguish an incident

 Inform all concerned parties about the detection of the incident and

the progress made in tackling it.

 Gather and defend as much information that may be linked to the

incident

 Take immediate measures that may contain the incident for the time

being.

 Do away with all channels and ways of exposure or susceptibility

concerning the incident

 Restore systems to normal operation

 Classify, categorize and execute security lessons learned.

Controlling Incident

 Indicates the master approach to manage an incident. Includes policy

frameworks for post occurrence response entailing to preservation and

protection of human life and business data

Critical Processes involved for managing the incident are as

follows:

 Incident Management Efforts should be maintained over a consistent period of

time, in case of large incidents.

 Define ownership for each incident.

 Prepare and maintain Tracking Charts to facilitate management of multiple

incidents. Create and maintain incident database to draw from previous

experience.

 Set Priorities for incidents. Develop and Assign Security Models.

Incident Response: Preparation

First stage of incident response process: Preparation

Basic notations behind preparations:

Setting up defenses/controls

Creating procedures

Obtaining resources and personnel

Establishing an infrastructure to support incident

Response

Incident Response: Detection

Second stage of incident response process: Detection

 Determines the malicious code, files or directories Measures to be taken if an

incident is detected:

• Appropriate initial action-reaction
• Evaluate the scope of the incident
• Report the incident to concerned personnel
• Employ detection software

 Some kinds of incidents do not require detection software since the

symptoms are obvious like:

• Failed login attempts
• System crashes
• Social engineering attempts

Incident Response: Eradication

Fourth stage of incident response process: Eradication

Eradicates the root of the incident in question

If a system has been infected by malicious executables,

certain eradication procedures are to be followed issued by

the concerned department or agency like:

• Eradication in a UNIX system
• Eradication in a Linux system
• Eradication in a Windows NT system
• Eradication in a Windows 2000 system

Incident Response: Recovery

Fifth stage of incident response process: Recovery

Restore the recovered systems and network device back to normal

Recovery measures may vary for different operating systems

Recovery Methods

Execute full system restore from known media

Employ fault tolerance system hardware such as RAID

Removal of interim defensive measures that may have been

deployed as short term containment actions

Incident Response Team

Incident response team is a group of people who have the

capacity to deal with potential or actual information security

incidents.

Outsourcing of incident response efforts may include:

• (^) Leasing a Contractor or Consultancy
• This may reduce the net cost of dealing with security-related

incidents

• (^) The organization may also chose to utilize In-House Capability
• (^) This ensures capability of the response team in handling the

incidents, in accordance with the policy and cultural/political

needs of an organization

Functional Requirements

 Handle the complete control over an incident and any

computing, data resources involved Control both the incident

response team and business unit staff

 Provide a direct incident response support but limits to a purely

advisory role

 Provide indirect rather than direct support in the form of Advice

 Few additional requirements are:

• (^) Interagency coordination
• (^) Contingency planning and business continuity services
• Information security tool development
• (^) Incident response planning and analysis

Staffing Issues

Team size

Availability of financial resources may be detrimental to the

final team size.

Required skills set includes

 Managerial skills

 Technical expertise

 People skills

 Teamwork skills

 Communication skills

Barriers to a Successful Incident

Response Team

The efficacy of the Incident Response Process relies completely on the

way various barriers are tacked and the ability to fill gaps as need be.

This may include any, or a combination of the following obstacles:

 Budget

 Management Reluctance

 Organizational Resistance

 Politics

 User Awareness

 External Coordination

 Law enforcement

 Media