IT GOVERNANCE
Presenter: Osvaldo Hernández Morales
GENERAL INFORMATION
The organization prohibits the use of peer-to-peer file sharing services. The organization's network intrusion detection sensors have signatures enabled that can detect the usage of several popular peer-to-peer file sharing services. On a Monday evening, an intrusion detection analyst notices that several file sharing alerts have occurred during the past three hours, all involving the same internal IP address.
Preparation
1. Would the organization consider this activity to be an incident? If so, which of the organization's policies does this activity violate?
2. What measures are in place to attempt to prevent this type of incident from occurring or to limit its impact?
Use packet sniffers and protocol analyzers, such as Wireshark, to capture and analyze network traffic; these can be deployed at low cost on Linux systems.
Use laptops for activities such as analyzing data, sniffing packets, and writing reports.
The network perimeter should be configured to deny all activity that is not expressly permitted. This includes securing all connection points, such as virtual private networks (VPNs) and dedicated connections to other organizations.
Users need to know how their actions could affect the organization (e.g. the use of applications like BitTorrent and Popcorn Time).
Detection and Analysis
1. What precursors of the incident, if any, might the organization detect? Would any precursors cause the organization to take action before the incident occurred?
Television Network, this could be monitored by a program that sends an alert to an administrator when those applications are installed.
2. What indicators of the incident might the organization detect? Which indicators would cause someone to think that an incident might have occurred?
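One way an analyst could surface the indicator described in the scenario, repeated peer-to-peer signature hits from a single internal address inside a three-hour window, and turn it into the fields needed for escalation. This is an added example, not part of the original worksheet; the alert line format, the addresses, the timestamps and the internal prefix are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IDS alerts in a simplified "timestamp|signature|src|dst"
# format (not real sensor output). P2P signatures carry a "P2P" prefix.
SAMPLE_ALERTS = """\
2024-03-04 14:30:00|P2P BitTorrent tracker announce|10.20.30.40|203.0.113.7
2024-03-04 18:05:12|P2P BitTorrent tracker announce|10.20.30.40|203.0.113.7
2024-03-04 18:41:03|P2P BitTorrent DHT ping|10.20.30.40|198.51.100.22
2024-03-04 19:10:55|P2P eDonkey server connect|10.20.30.40|203.0.113.9
2024-03-04 19:12:30|WEB suspicious user agent|10.20.30.55|203.0.113.7
2024-03-04 20:33:44|P2P BitTorrent piece request|10.20.30.40|198.51.100.40
2024-03-04 20:50:01|P2P BitTorrent tracker announce|10.20.30.41|203.0.113.7
"""

INTERNAL_PREFIX = "10.20.30."  # assumed internal address range (constructed)


def parse_alerts(text):
    """Parse the constructed alert format into dicts with a datetime timestamp."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, src, dst = line.split("|")
        alerts.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "sig": sig, "src": src, "dst": dst})
    return alerts


def p2p_hosts(alerts, window=timedelta(hours=3), threshold=3, now=None):
    """Internal hosts with at least `threshold` P2P alerts in the window ending at `now`.

    Only alerts whose signature is a P2P signature and whose source is an
    internal address count; older alerts fall outside the window and are ignored.
    """
    now = now or max(a["ts"] for a in alerts)
    start = now - window
    by_src = defaultdict(list)
    for a in alerts:
        if (a["sig"].startswith("P2P") and a["src"].startswith(INTERNAL_PREFIX)
                and start <= a["ts"] <= now):
            by_src[a["src"]].append(a)
    return {src: hits for src, hits in by_src.items() if len(hits) >= threshold}


def summarize(hits):
    """Escalation fields per host: count, distinct signatures, first/last seen, remote peers."""
    return {src: {"count": len(al),
                  "signatures": sorted({a["sig"] for a in al}),
                  "first_seen": min(a["ts"] for a in al).isoformat(sep=" "),
                  "last_seen": max(a["ts"] for a in al).isoformat(sep=" "),
                  "remote_peers": sorted({a["dst"] for a in al})}
            for src, al in hits.items()}
```

With the sample data only 10.20.30.40 crosses the threshold (four P2P alerts between 18:05 and 20:33); the 14:30 alert is excluded by the three-hour window and 10.20.30.41 has a single hit.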
4. How would the incident response team analyze and validate this incident? What personnel would be involved in the analysis and validation process?
5. To which people and groups within the organization would the team report the incident?
CIO
Containment, Eradication, and Recovery
1. What strategy should the organization take to contain the incident? Why is this strategy preferable to others?
Verify the type of information that was shared.
Log the incident using the local system logs or the logs of the network devices.
Consider redirecting the attacker to a sandbox that offers the same service.
5. What sources of evidence, if any, should the organization acquire? How would the evidence be acquired? Where would it be stored? How long should it be retained?
How long it took the incident response team to respond to the initial report of the incident.
Identifying which precursors and indicators of the incident were recorded, to determine how effectively the incident was logged and identified.
Post-Incident Activity
1. Who would attend the lessons learned meeting regarding this incident? What could happen if the incident were not contained?
2. What could be done to prevent similar incidents from occurring in the future?
General Questions
1. How many incident response team members would participate in handling this incident?
2. Besides the incident response team, what groups within the organization would be involved in handling this incident?
3. To which external parties would the team report the incident? When would each report occur? How would each report be made? What information would you report or not report, and why?
5. What tools and resources would the team use in handling this incident?
6. What aspects of the handling would have been different if the incident had occurred at a different day and time (on-hours versus off-hours)?
7. What aspects of the handling would have been different if the incident had occurred at a different physical location (onsite versus offsite)?
Scenario Questions
1. What factors should be used to prioritize the handling of this incident (e.g., the apparent content of the files that are being shared)?
3. How would the handling of this incident differ if the computer performing peer-to-peer file sharing also contains sensitive personally identifiable information?