CompTIA Security+

Module 09

Troubleshooting and Managing Security Incidents

Copyright © 2014 Logical Operations, Inc. All rights reserved. OV 9 - 1


Troubleshooting and Managing Security Incidents

• Respond to Security Incidents
• Recover from a Security Incident


Security Incident Management

• A security incident is a specific instance of a risk event occurring, whether or not it causes damage.
• Security incident management is a set of practices and procedures that govern how an organization will respond to an incident in progress.
• Goals of incident management:
  - Contain an incident appropriately.
  - Ultimately minimize any damage that may occur as a result of the incident.


Computer Crime

(Figure: an attack against a government database holding classified information, shown as an example of computer crime.)


An IRP


First Responders

(Figure: the first responders to an incident are typically the security professional, the human resources professional, and the IT support professional.)


Chain of Custody

(Figure: collect evidence, then analyze and store it, then present it in court.)


Computer Forensics


Order of Volatility

• Data is volatile, and the ability to retrieve or validate data after a security incident depends on where it is stored.
• The order in which you need to recover data after an incident, before the data deteriorates, is erased, or is overwritten, is known as the order of volatility.
• The general order of volatility for storage devices is:
  - Registers, cache, and RAM.
  - Network caches and virtual memory.
  - Hard drive and flash drive.
  - CD-ROMs, DVD-ROMs, and printouts.


Basic Forensic Process

(Figure: collection phase, then examination phase, then analysis phase, then reporting phase.)


Basic Forensic Response Procedures for IT

• Capture system image
• Examine network traffic and logs
• Capture video
• Record time offset
• Take hashes
• Take screenshots
• Identify witnesses
• Track man hours and expense
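As an added example (not part of the original course slides), a Python script that carries out the "take hashes" and "record time offset" steps above together with the chain-of-custody flow from the earlier slide: it hashes a captured image, records how far the suspect system's clock drifts from a trusted reference, appends each hand-off to the custody record, and re-verifies the hash before analysis. The image contents, case ID and personnel names are constructed sample values.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

def hash_file(path, algorithm="sha256", chunk=1 << 20):
    # Hash in chunks: real system images are far larger than memory.
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def time_offset_seconds(suspect_clock, reference_clock):
    # Positive means the suspect system's clock runs ahead of the trusted reference.
    return (suspect_clock - reference_clock).total_seconds()

def collect_evidence(path, collector, suspect_clock, reference_clock, case_id):
    # One chain-of-custody record: who took what, when, and its hash at collection time.
    return {"case_id": case_id, "item": os.path.basename(path),
            "size_bytes": os.path.getsize(path), "sha256": hash_file(path),
            "suspect_clock_offset_s": time_offset_seconds(suspect_clock, reference_clock),
            "custody": [{"action": "collected", "by": collector,
                         "at": reference_clock.isoformat()}]}

def transfer(record, from_person, to_person, at):
    # Hand-offs are appended, never rewritten, so the chain stays continuous.
    record["custody"].append({"action": "transferred", "from": from_person,
                              "to": to_person, "at": at.isoformat()})
    return record

def verify_integrity(record, path):
    # Re-hash before analysis or presentation: any mismatch means the item changed.
    return hash_file(path) == record["sha256"]

def run_demo():
    # Constructed stand-in for a captured system image so the example runs offline.
    img = os.path.join(tempfile.mkdtemp(), "host01.dd")
    with open(img, "wb") as f:
        f.write(b"MBR\x00" * 64 + b"constructed evidence bytes")
    ref = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)   # trusted reference clock
    rec = collect_evidence(img, "first responder", ref - timedelta(seconds=192), ref, "CASE-0001")
    transfer(rec, "first responder", "forensic analyst", ref + timedelta(hours=2))
    intact = verify_integrity(rec, img)
    with open(img, "ab") as f:          # simulate the image being altered after hand-off
        f.write(b"!")
    return rec, intact, verify_integrity(rec, img)
```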


Big Data Analysis

• Difficult to forensically investigate
• Not much precedent
• What to look for:
  - Unformatted or incorrectly formatted data
  - Incomplete or missing data
  - Invalid data
  - Data that is out of range
  - Data that is duplicated
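An added example, not from the original course material, that screens a batch of records for the five conditions listed above (incorrectly formatted, incomplete or missing, invalid, out-of-range and duplicated data) and tags each finding with the slide's category. The record layout, field names, range limit and sample rows are assumptions constructed for the illustration.

```python
import re
from collections import Counter

# Constructed sample of exported session records (field names are assumptions).
SAMPLE_RECORDS = [
    {"id": "1001", "user": "alice", "ip": "10.0.0.5", "bytes": 512, "ts": "2014-06-01T12:00:00Z"},
    {"id": "1002", "user": "bob", "ip": "10.0.0.6", "bytes": 2048, "ts": "2014-06-01T12:00:01Z"},
    {"id": "1003", "user": "", "ip": "10.0.0.7", "bytes": 300, "ts": "2014-06-01T12:00:02Z"},       # missing user
    {"id": "1004", "user": "carol", "ip": "10.0.0.999", "bytes": 100, "ts": "2014-06-01T12:00:03Z"},  # invalid IP
    {"id": "1005", "user": "dave", "ip": "10.0.0.8", "bytes": -7, "ts": "2014-06-01T12:00:04Z"},      # out of range
    {"id": "1006", "user": "erin", "ip": "10.0.0.9", "bytes": 77, "ts": "06/01/2014 12:00"},          # wrong format
    {"id": "1002", "user": "bob", "ip": "10.0.0.6", "bytes": 2048, "ts": "2014-06-01T12:00:01Z"},    # duplicate
]

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
REQUIRED = ("id", "user", "ip", "bytes", "ts")
MAX_BYTES = 10 ** 9          # assumed plausible upper bound for one session

def valid_ipv4(value):
    # Syntactic check plus the octet range the regex alone cannot enforce.
    m = IPV4.match(value or "")
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())

def screen(records):
    findings = []            # (record id, slide category, detail)
    copies = Counter(r["id"] for r in records)
    for r in records:
        missing = [k for k in REQUIRED if r.get(k) in (None, "")]
        if missing:
            findings.append((r["id"], "incomplete or missing", ",".join(missing)))
        if r.get("ts") and not ISO_TS.match(r["ts"]):
            findings.append((r["id"], "incorrectly formatted", r["ts"]))
        if r.get("ip") and not valid_ipv4(r["ip"]):
            findings.append((r["id"], "invalid", r["ip"]))
        if isinstance(r.get("bytes"), int) and not 0 <= r["bytes"] <= MAX_BYTES:
            findings.append((r["id"], "out of range", str(r["bytes"])))
    for rid, n in copies.items():
        if n > 1:
            findings.append((rid, "duplicated", f"{n} copies"))
    return findings

def summarize(findings):
    # Count of findings per category, useful for deciding where to dig first.
    return Counter(cat for _, cat, _ in findings)
```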


Guidelines for Responding to Security Incidents

• If an IRP exists, follow it.
• If an IRP doesn’t exist, appoint a primary investigator.
• Determine if the event occurred and what the effect was.
• Document the incident.
• Assess damage and determine the impact on affected systems.
• Determine if outside help is needed.
• If necessary, notify local law enforcement personnel.
• Secure the scene to isolate hardware.
• Collect necessary evidence.
• Interview personnel to collect additional information.
• Report the results of the investigation.


Basic Incident Recovery Process

(Figure: assessment phase, then recovery phase, then reporting phase.)


Damage Assessment

• During or after a security incident, a damage assessment should be done to determine the extent of damage, the origin or cause of the disaster, and the amount of expected downtime.
• The assessment can help determine the appropriate response strategy.


Recovery Methods

• After assessing the damage, you will know the extent of recovery that can be done.
• Recovery methods can also involve replacing hardware in the case of a physical security incident.


An Incident Report


Guidelines for Recovering from a Security Incident

• Assess the damage:
  - Assess the area of damage.
  - Determine damage to facilities, hardware, systems, and networks.
  - For digital damage, examine log files, identify compromised accounts, and identify modified files.
  - For physical damage, perform inventory to identify stolen or damaged devices, and areas affected by intruders.
  - Verify that the attack has ended.


Guidelines for Recovering from a Security Incident (Cont.)

• Recover:
  - Replace damaged or stolen cabling.
  - Detect and delete malicious code from affected systems and media.
  - Disconnect affected systems from servers and shut down the server.
  - Disable access to user accounts used in the attack and search for backdoor software.
  - Scan networks and systems with an IDS.
  - Reconnect servers.
  - Restore data and systems from backups.
  - Replace compromised data and applications, or rebuild the system with a fresh OS installation.
  - Harden networks and servers.
  - Notify officials and stakeholders.
  - Document the recovery process.


Guidelines for Recovering from a Security Incident (Cont.)

• Report:
  - Organization name
  - Name and phone number of the person who discovered the incident
  - Names and phone numbers of first responders
  - Event type (physical, malicious code, or network attack)
  - Date and time of event
  - Source and destination of systems and networks
  - OS and antivirus software used, including version information
  - Methods used to detect the incident
  - Business impact of the incident
  - What steps were taken to resolve the incident


Reflective Questions

1. How many times have you had to consult an IRP, and for what
reasons?

2. What are some good approaches to writing an incident report?
