Incident Response, Christian Seifert, IMT551, 31st October 2007.

Presentation transcript:

Incident Response (1/16)

Christian Seifert, IMT551, 31st October 2007

Definition (2/16)

Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs.

Examples (3/16)

– Lost notebook
– Positive anti-virus classification on workstation
– Denial of Service on web server
– Database server sends SPAM
– Unauthorized access on the premises
– Deleted budget files on the file server

Traditional Attack Pattern (4/16)

– Locate
– Gain user access
– Escalate privileges
– Cover tracks
– Ensure future access (backdoor)
– Launch further attacks (stepping stone)

Incident Response Phases (5/16)

– Preparation
– Identification
– Containment
– Eradication
– Recovery
– Follow-Up

Phases per incident

Preparation (6/16)

– Create your Incident Response Plan
– Form an Incident Response Team
– Educate users & inform management
– Forensic Readiness
  – Ability of an organization to maximize its potential to use digital evidence whilst minimizing the cost of an investigation

Incident Response Plan (7/16)

– Background
– Definitions
– Incident classification
– Reporting
– Business Continuity
– Process Flow
– Example Incidents

Incident Classification & Handling (8/16)

– What constitutes an incident?
– What happens when an incident is detected?
– Things to consider:
  – Business needs
  – Costs / Resources
  – Legal aspects
  – Chain of custody

Proactive/Reactive Incident Response (9/16)

– The term "Response" indicates a reactive setup
– However, proactive incident "response" is also possible and recommended:
  – Staying informed about vulnerabilities
  – Education
  – Auditing / Penetration Testing

Identification (10/16)

– Recognize and report an incident
  – Users via help desk
  – IDS / Honeypots
  – Could be an outside source
– Determine whether it is an incident
– Assess & prioritize (triage process)
– Communication
– KEEP A LOG BOOK!

Containment (11/16)

– Limit the scope and magnitude of the incident
– Steps to take:
  – Stay low (do not alert the attacker)
  – Create backups for analysis
  – Turn your attention to systems at risk (i.e. systems the compromised system has access to or interacts with regularly)
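The "keep a log book", chain-of-custody and "create backups for analysis" points on the Classification, Identification and Containment slides can be backed by a tamper-evident record. The following Python is an added example, not part of the slides: each log entry commits to the hash of the entry before it, and evidence such as a backup image is fingerprinted with SHA-256, so a later edit to any earlier entry is detectable. The handler names, the host WS-17 and the image bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def fingerprint(data: bytes) -> str:
    """SHA-256 of an evidence artefact, e.g. the backup image taken for analysis."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(prev_hash: str, body: dict) -> str:
    """Hash of an entry body bound to the hash of the entry before it."""
    return hashlib.sha256(prev_hash.encode() + json.dumps(body, sort_keys=True).encode()).hexdigest()


class LogBook:
    """Append-only incident log; every entry commits to its predecessor's hash."""
    def __init__(self):
        self.entries = []

    def record(self, phase, handler, action, evidence=None, when=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "phase": phase, "handler": handler, "action": action,
                "time": (when or datetime.now(timezone.utc)).isoformat(),
                "evidence_sha256": fingerprint(evidence) if evidence is not None else None}
        body["hash"] = _entry_hash(prev, body)  # body has no "hash" key yet at this point
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Walk the chain; return the index of the first altered entry, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if _entry_hash(prev, body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def demo():
    """Constructed scenario: AV alert on workstation WS-17, then an after-the-fact edit."""
    t0 = datetime(2007, 10, 31, 9, 0, tzinfo=timezone.utc)
    image = b"constructed placeholder for the WS-17 disk image"  # stands in for real image bytes
    book = LogBook()
    book.record("Identification", "handler-A", "Help desk: AV alert on WS-17", when=t0)
    book.record("Containment", "handler-A", "Imaged WS-17 disk for analysis", evidence=image, when=t0)
    intact = book.verify() == -1
    book.entries[0]["action"] = "No alert reported"  # someone edits the first entry later
    return intact, book.verify()
```

In practice the chain head (the last hash) is written to a separate place, such as a signed e-mail or a printed log sheet, so that a rewrite of the whole file is also detectable.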

Eradication (12/16)

– The problem is eliminated
– Steps to take:
  – Determine the problem
  – Determine mitigation (for example, patching the system)

Recovery (13/16)

– The system is returned to functional status
– Steps to take:
  – Restore the system
  – Apply the mitigation strategy
  – Closely monitor the system

Follow Up (14/16)

– Identify lessons learned that will prevent future incidents
– Determine costs
– Steps to take:
  – Create an incident report with recommended changes
  – Send recommendations to management
  – Implement changes

Challenges (15/16)

– Incident response is difficult to do right
– A high level of experience is required to investigate and assess technical incidents
– Tendency to restore systems without following incident response procedures

Resources (16/16)

– ncident-response.html
– DOD CSIRTM Training CD-ROMs: t/disa_cirtm_cdrom.zip