1 MANAGING INCIDENT RESPONSE By: Ben Holmquist

2 Outline
- Key Terms and Understanding
- Personnel and Plan Preparation
- Incident Detection
- Incident Response
- Incident Recovery

3 Key Terms & Understanding
An incident is an unexpected event that occurs when an attack, whether natural or human-made, affects information resources and/or assets and causes actual damage to or disruption of the business's assets. An incident response plan (IRP) is a detailed set of processes that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets. Incident response (IR) is the set of procedures, policies, and guidelines that commence once an incident is detected.

4 Key Terms & Understanding
It is important to point out that the IRP is one of three major components of the contingency plan (CP):
- Incident Response
- Disaster Recovery
- Business Continuity

5 Personnel and Plan Preparation
In a large business or organization, delegating tasks is essential to maintaining effective operations. The company's CISO assumes responsibility for creating the IRP. With the aid of other managers and systems administrators on the contingency planning (CP) team, the CISO selects members from each community of interest to form an independent IR team, which executes the IRP.

6 Personnel and Plan Preparation
Contingency planners should follow this six-step process when creating each of the three CP components (IRP, DRP, and BCP):
1. Identify the mission- or business-critical functions
2. Identify the resources that support the critical functions
3. Anticipate potential contingencies or disasters
4. Select contingency planning strategies
5. Implement the selected strategy
6. Test and revise contingency plans

7 Personnel and Plan Preparation
As part of step four, for every incident the CP team creates three sets of incident-handling procedures, drafted in this order:
1. During the incident: the planners develop and document the procedures that must be performed while the incident is in progress.
2. After the incident: once the during-incident procedures are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased.
3. Before the incident: the planners then draft a third set of procedures, the tasks that must be performed to prepare for the incident.

8 Incident Detection
It is the responsibility of the IR team to determine whether a reported event is a valid incident or just the product of "normal" system use. Incident candidates can be detected and tracked through several means: reports from end users, intrusion detection systems (IDS), host- and network-based virus detection software, and systems administrators. It is essential that end users, help desk staff, and all security personnel are properly trained in incident reporting, so that in the event of an actual incident the IR team is notified promptly and can effectively execute the IRP procedures.

9 Incident Detection
Overloaded networks, computers, or servers and misbehaving computer systems or software packages may be hard to distinguish from an actual incident. Therefore, managers must ensure that IT professionals receive training to recognize possible, probable, and definite indicators.

10 Incident Detection
Possible indicators:
- Presence of unfamiliar files
- Presence or execution of unknown programs or processes
- Unusual consumption of computing resources
- Unusual system crashes

11 Incident Detection
Probable indicators:
- Activities at unexpected times
- Presence of new accounts
- Reported attacks
- Notification from a host- or network-based intrusion detection system (IDS)

12 Incident Detection
Definite indicators:
- Use of dormant accounts
- Changes to logs
- Presence of hacker tools
- Notification by a business partner
- Notification by the hacker
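The three indicator levels on slides 10 to 12 are easiest to grasp when applied to real log data. The following is an added example, not code from the presentation: a small Python triage script that runs constructed syslog-style lines through checks for an unknown program executed from scratch space (possible), a login at an unexpected time or a newly created account (probable), and use of a dormant account or execution of a known attack tool (definite). The sample log, the last-login baseline, the 90-day dormancy threshold, the business-hours window and the tool list are all assumptions made for the example; indicators that come from people or other systems (reported attacks, IDS alerts, partner or attacker notifications, tampered logs) are out of scope for a log parser and still need the human reporting path described on slide 8.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style, ISO timestamps); not taken from the slides.
SAMPLE_LOG = """\
2024-03-10T02:14:05 sshd[2201]: Accepted password for svc_backup from 10.0.0.5 port 51234
2024-03-10T09:30:12 sshd[2210]: Accepted password for alice from 10.0.0.12 port 51240
2024-03-10T03:02:44 useradd[2300]: new user: name=tmpadmin, UID=1050, GID=1050
2024-03-10T03:05:10 audit[2310]: exec path=/tmp/.cache/nc uid=1050
2024-03-10T09:45:00 sshd[2350]: Accepted password for bob from 10.0.0.13 port 51301
2024-03-10T22:10:09 sshd[2400]: Accepted password for alice from 10.0.0.12 port 51390
"""

# Constructed baseline: when each account last logged in before this log was collected.
LAST_LOGIN = {
    "svc_backup": datetime(2023, 9, 1, 4, 0, 0),   # unused for months -> dormant
    "alice": datetime(2024, 3, 8, 9, 12, 0),
    "bob": datetime(2024, 3, 9, 8, 55, 0),
}
DORMANT_AFTER = timedelta(days=90)                      # assumed policy threshold
BUSINESS_HOURS = range(8, 19)                           # assumed 08:00-18:59 working day
KNOWN_ATTACK_TOOLS = {"nc", "ncat", "nmap", "mimikatz"}  # illustrative, not exhaustive
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

LOGIN_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from")
USERADD_RE = re.compile(r"^(?P<ts>\S+) useradd\[\d+\]: new user: name=(?P<user>[^,]+)")
EXEC_RE = re.compile(r"^(?P<ts>\S+) audit\[\d+\]: exec path=(?P<path>\S+)")

LEVEL_RANK = {"possible": 1, "probable": 2, "definite": 3}


def classify_line(line, last_login):
    """Return (level, reason) findings for one line; updates last_login with any login seen."""
    findings = []
    if m := LOGIN_RE.match(line):
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        if ts.hour not in BUSINESS_HOURS:                       # activity at an unexpected time
            findings.append(("probable", f"login by {user} at unexpected time {ts:%H:%M}"))
        prev = last_login.get(user)
        if prev is not None and ts - prev > DORMANT_AFTER:      # use of a dormant account
            findings.append(("definite", f"use of dormant account {user} (last login {prev:%Y-%m-%d})"))
        last_login[user] = ts
    elif m := USERADD_RE.match(line):                           # presence of a new account
        findings.append(("probable", f"new account created: {m['user']}"))
    elif m := EXEC_RE.match(line):
        path = m["path"]
        name = path.rsplit("/", 1)[-1]
        if name in KNOWN_ATTACK_TOOLS:                          # presence of hacker tools
            findings.append(("definite", f"attack tool executed: {path}"))
        elif path.startswith(SCRATCH_DIRS):                     # unknown program or process
            findings.append(("possible", f"unknown program executed from scratch space: {path}"))
    return findings


def triage(log_text, baseline):
    """Run every line through the indicator checks.

    Returns (findings, highest_level): findings are (level, reason, line) tuples and
    highest_level is None when nothing was flagged.
    """
    last_login = dict(baseline)          # work on a copy so the caller's baseline is untouched
    findings = []
    for line in log_text.splitlines():
        for level, reason in classify_line(line, last_login):
            findings.append((level, reason, line))
    highest = max((f[0] for f in findings), key=LEVEL_RANK.get, default=None)
    return findings, highest


def count_by_level(findings):
    """Summarise findings as {level: count} for the IR team's hand-off."""
    counts = {}
    for level, _, _ in findings:
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    found, worst = triage(SAMPLE_LOG, LAST_LOGIN)
    for level, reason, _ in found:
        print(f"[{level:8}] {reason}")
    print("highest indicator level:", worst, count_by_level(found))
```

On the sample input the script flags the service-account login twice (odd hour and dormancy), the new account, the tool run from /tmp and the late-evening login, so the highest level is definite and the IR team would move from detection to reaction. Each check is a heuristic: business hours and dormancy thresholds must match the organization's own baseline, or the script will produce the false positives that slide 9 warns about.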

13 Incident Response
Once an actual incident has been confirmed and properly classified, the IR team must be directed to move from the detection phase to the reaction phase. The IR is designed to first stop the incident (if it is still continuing), then mitigate its effects, and finally provide the information needed for recovery from the incident. Three key steps are:
- Notification of key personnel
- Documentation of the incident
- Incident containment strategies

14 Incident Response
Notification of key personnel:
- Alert roster: a document of contact information, organized as either a sequential roster (each person contacts the next) or a hierarchical roster (each person contacts a designated group of people)
- Alert message: a scripted description of the incident stating which components of the IRP to implement
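The practical difference between the two roster shapes is how many rounds of calls it takes to reach everyone, and whether anyone on the roster has been left without a caller. The following is an added example, not material from the presentation: a Python sketch that models a sequential roster and a hierarchical roster as a calling tree, counts the rounds each needs, checks the plan for unreachable members before an incident, and fills in a scripted alert message. The roster names, the calling tree, the message template and the IRP section number are placeholders invented for the example.

```python
# Constructed roster and calling tree; the names are placeholders, not from the slides.
ROSTER = ["ciso", "ir_lead", "legal", "pr", "net_admin", "sys_admin", "dba", "helpdesk_lead"]

# Hierarchical roster: each person calls the people listed under them.
CALL_TREE = {
    "ciso": ["ir_lead", "legal", "pr"],
    "ir_lead": ["net_admin", "sys_admin", "dba"],
    "sys_admin": ["helpdesk_lead"],
}

# Scripted alert message: wording is fixed in advance, only the fields change at activation time.
ALERT_TEMPLATE = ("IRP activated: {severity} incident affecting {asset}. "
                  "Execute IRP section {section}. Report status to {lead} by phone.")


def sequential_rounds(roster):
    """Sequential roster: the first person calls the second, who calls the third, and so on.
    Every call is its own round, so n people need n-1 rounds."""
    return [[person] for person in roster[1:]]


def hierarchical_rounds(tree, root):
    """Hierarchical roster: everyone reached in one round calls their own contacts in the next
    (breadth-first traversal). Returns the list of people reached in each round."""
    rounds, frontier, reached = [], [root], {root}
    while frontier:
        next_round = []
        for caller in frontier:
            for callee in tree.get(caller, []):
                if callee not in reached:       # each person is called only once
                    reached.add(callee)
                    next_round.append(callee)
        if next_round:
            rounds.append(next_round)
        frontier = next_round
    return rounds


def unreachable(roster, tree, root):
    """Plan check: roster members the calling tree never reaches from the initiator.
    This should be empty before an incident, not discovered during one."""
    reached = {root}
    for round_members in hierarchical_rounds(tree, root):
        reached.update(round_members)
    return sorted(set(roster) - reached)


def build_alert(severity, asset, section, lead):
    """Fill the scripted alert message; the caller reads it verbatim to each contact."""
    return ALERT_TEMPLATE.format(severity=severity, asset=asset, section=section, lead=lead)


if __name__ == "__main__":
    print("sequential rounds:", len(sequential_rounds(ROSTER)))
    print("hierarchical rounds:", hierarchical_rounds(CALL_TREE, "ciso"))
    print("unreachable:", unreachable(ROSTER, CALL_TREE, "ciso"))
    print(build_alert("probable", "mail relay mx1", "4.2", "ir_lead"))
```

With eight people the sequential roster needs seven rounds of calls while the tree above reaches everyone in three; removing the sys_admin entry from the tree leaves helpdesk_lead with no caller, which is exactly the kind of gap the plan-testing step on slide 6 is meant to catch.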

15 Incident Response
Documenting the incident:
- Record who, what, when, where, why, and how
- The record serves as a case study: it supports improvements in IR and the IRP, provides legal protection, and feeds future training simulations

16 Incident Response
Incident containment strategies:
- Disabling compromised user accounts
- Reconfiguring a firewall to block the problem traffic
- Temporarily disabling the compromised process or service
- Taking down the conduit application or server, for example the e-mail server
- Stopping all computers and network devices

17 Incident Recovery
Incident damage assessment: the immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets. Sources of evidence include:
- System logs
- Intrusion detection logs
- Configuration logs
- Documentation from the actual incident

18 Incident Recovery
The recovery process includes the following steps:
- Identify and resolve the vulnerabilities that allowed the incident to occur and spread.
- Address the safeguards that failed to stop or limit the incident: install, replace, or upgrade them.
- Evaluate monitoring capabilities: improve detection and reporting methods, or install new monitoring capabilities.
- Restore data from system backups.

19 Incident Recovery
Incident recovery process steps (cont.):
- Restore the services and processes in use: compromised services and processes must be examined, cleaned, and then restored.
- Continuously monitor the system to prevent the incident from happening again. Don't allow your system to become the hacker's playground.
- Restore the confidence of the organization's members by assuring them that appropriate measures have been taken to resolve the matter.

20 Incident Recovery
Finally, before the organization can return to routine duties, it is management's responsibility to see that an after-action review (AAR) is conducted:
- A detailed examination of events from detection to final recovery.
- All parties involved give input on the positives and negatives of the entire IR process.
- Management gives a summary that brings the IR team's actions to a close.

21 Managing Incident Response: Questions?

