Module 12: Responding to Security Incidents (presentation transcript)


1 Module 12: Responding to Security Incidents

2 Overview
- Introduction to Auditing and Incident Response
- Designing an Audit Policy
- Designing an Incident Response Procedure

3 Lesson 1: Introduction to Auditing and Incident Response
- The Auditing Process
- Why Auditing Is Important
- What Is an Incident Response Procedure?

4 The Auditing Process
You can determine a user's actions by examining the following:
1. ISA Server packet filter log file (ISA Server)
2. Security event log file and the IIS log file (IIS Server)
3. Security event log file from the domain controller (Domain Controller)
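As an added example, not part of the original slide deck: a Python script that correlates the three log sources named on this slide to reconstruct one user's actions, starting from the domain controller's logon event to learn the user's workstation IP, then pulling that IP's IIS requests and ISA packet filter decisions that fall inside the logon session. All log lines are constructed samples in a simplified form; the field order for the DC and ISA records is assumed, the IIS fields follow W3C extended log naming, and 4624/4634 are the Windows logon/logoff event IDs.

```python
"""Correlate the DC security log (logon -> source IP), the IIS log and the
ISA packet filter log to reconstruct one user's actions. All log lines are
constructed samples in a simplified form, not real ISA/IIS/Windows output."""
from datetime import datetime
# Constructed DC events: time,event id,account,source ip (4624 logon, 4634 logoff)
DC_SECURITY_LOG = """\
2008-03-04 08:01:12,4624,alice,10.1.2.20
2008-03-04 08:03:55,4624,bob,10.1.2.31
2008-03-04 08:10:02,4634,alice,10.1.2.20"""
# Constructed IIS lines: date time c-ip cs-username cs-method cs-uri-stem sc-status
IIS_LOG = """\
2008-03-04 08:02:10 10.1.2.20 alice GET /payroll/report.aspx 200
2008-03-04 08:04:30 10.1.2.31 bob GET /default.aspx 200
2008-03-04 08:05:41 10.1.2.20 alice POST /payroll/export.aspx 200
2008-03-04 08:12:00 10.1.2.20 - GET /payroll/export.aspx 401"""
# Constructed ISA packet filter lines: date time src-ip dst-ip proto dst-port action
ISA_PF_LOG = """\
2008-03-04 08:06:12 10.1.2.20 203.0.113.9 TCP 21 Blocked
2008-03-04 08:06:50 10.1.2.31 198.51.100.4 TCP 80 Allowed
2008-03-04 08:07:05 10.1.2.20 203.0.113.9 TCP 443 Allowed"""
def ts(date, time):
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")

def user_sessions(account):
    """(start, end, ip) per DC logon of account; no logoff yet -> end = datetime.max."""
    sessions, open_logons = [], {}
    for line in DC_SECURITY_LOG.splitlines():
        when, event_id, user, ip = line.split(",")
        if user != account:
            continue
        if event_id == "4624":
            open_logons[ip] = ts(*when.split())
        elif event_id == "4634" and ip in open_logons:
            sessions.append((open_logons.pop(ip), ts(*when.split()), ip))
    return sessions + [(s, datetime.max, ip) for ip, s in open_logons.items()]

def user_timeline(account):
    """Time-ordered (timestamp, source, detail) from the user's IP inside its DC logon sessions."""
    events = []
    for start, end, ip in user_sessions(account):
        for line in IIS_LOG.splitlines():
            d, t, c_ip, _user, method, uri, status = line.split()
            if c_ip == ip and start <= ts(d, t) <= end:
                events.append((ts(d, t), "IIS", f"{method} {uri} -> {status}"))
        for line in ISA_PF_LOG.splitlines():
            d, t, src, dst, proto, port, action = line.split()
            if src == ip and start <= ts(d, t) <= end:
                events.append((ts(d, t), "ISA", f"{proto} {dst}:{port} {action}"))
    return sorted(events)
```

The 08:12:00 request from alice's IP is deliberately left out of her timeline because it falls after her 4634 logoff, which is the kind of gap a reviewer should then chase separately.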

5 Why Auditing Is Important
By enabling auditing, you can:
- Monitor events in your network
- Take action if there is any suspicious activity
You must dedicate time to review the logs.
(Figure: External Attacker, Internal Attacker)

6 What Is an Incident Response Procedure?
An incident response procedure includes steps such as:
- People to contact
- Actions for limiting damage
- Provisions for investigation

7 Lesson 2: Designing an Audit Policy
- Process for Planning an Audit Policy
- Guidelines for Creating a Framework for Auditing
- Common Auditing Tools and Sources
- Guidelines for Designing an Audit Review Process
- Activity: Risk and Response

8 Process for Planning an Audit Policy
When planning an audit policy, you must:
1. Determine what types of events to audit
2. Identify auditing tools to use
3. Create a process for reviewing event logs
4. Establish a retention policy for audit logs

9 Guidelines for Creating a Framework for Auditing
The following guidelines help to create a framework for auditing:
- Audit events and resources that you want to track
- Create audit statements that include:
  - The type of event
  - The event details
  - Audit point

10 Common Auditing Tools and Sources
Resource            Tools and sources
Operating systems   Event Viewer, EventComb, SCOM, custom scripts
Web sites           IIS logs, URLScan
Network perimeters  Router logs, firewall logs, packet filtering logs, proxy logs
Applications        Application-specific logs, intrusion-detection software, antivirus software, SCOM

11 Guidelines for Designing an Audit Review Process
When designing an audit review process, define:
- Who is responsible for managing and analyzing events
- How often to analyze events
- How to report possible incidents to management
- How to preserve the chain of evidence
- Where to archive event logs

12 Activity: Risk and Response
For each scenario:
- Read the scenario
- Choose the best risk management strategy
- Determine an appropriate security response
- Discuss your answers as a class

13 Lesson 3: Designing an Incident Response Procedure
- Process for Planning an Incident Response Procedure
- Guidelines for Creating an Incident Response Team
- What to Include in a Communication Plan
- Common Indicators of Security Incidents
- Guidelines for Analyzing a Security Incident
- Methods for Limiting Damage from an Attack
- Guidelines for Documenting Security Incidents
- Activity: Risk and Response

14 Process for Planning an Incident Response Procedure
When planning an incident response procedure, you must:
1. Create and train an incident response team
2. Develop a communication plan
3. Create a plan for identifying an attack
4. Create policies to contain an attack
5. Develop a process for reviewing incidents

15 Guidelines for Creating an Incident Response Team
Use these guidelines to ensure that the appropriate job roles are:
- In the team
- Available 24 hours a day
- Trained in responding to security incidents
- Competent in their areas of responsibility
- Able to analyze situations objectively under pressure
- Strong communicators

16 What to Include in a Communication Plan
Include in your communication plan:
- Triggers that define when to contact each member of the incident response team
- Contact information for all team members
- Substitute team members and their contact information
- Procedures for communicating securely among team members
- Incident details that each team member receives
- How team members communicate details of the incident to non-team members

17 Common Indicators of Security Incidents
Area                        Examples
Network irregularities      Network performance decreases; accounts are used at irregular times
System irregularities       Audited events increase significantly; system performance decreases; computers crash or reboot mysteriously
Direct reporting of events  Users report security incidents; a new virus is published; intrusion detection software detects an incident
Physical indicators         Hardware is missing; visible signs of physical compromise exist
Business indicators         Confidential information is published on the Internet or in print; a competitor appears to possess trade secrets
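Added example, not from the original deck: detection logic for two of the indicators in the table above, accounts used at irregular times and a significant increase in audited events, run over constructed sample security events. The five-day baseline, the per-account "usual logon hours" rule and the 3x-median daily volume threshold are assumptions chosen for the demonstration; 4624 (logon) and 4663 (object access) are real Windows event IDs.

```python
"""Flag two indicators from the slide table over constructed security events:
accounts used at irregular times, and a significant jump in audited events.
The records are constructed samples, not real Windows event log output."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed baseline: five working days on which alice and bob log on (4624)
# at their usual hours and alice's work generates seven object-access events (4663).
BASELINE = []
for day in range(3, 8):
    for hour, account in ((8, "alice"), (9, "bob"), (13, "alice")):
        BASELINE.append((f"2008-03-{day:02d} {hour:02d}:00:00", 4624, account))
    BASELINE += [(f"2008-03-{day:02d} 10:{m:02d}:00", 4663, "alice") for m in range(7)]
# Constructed day under review: bob's account logs on at 02:14 and touches many objects.
TODAY = [("2008-03-08 02:14:00", 4624, "bob"), ("2008-03-08 08:05:00", 4624, "alice")]
TODAY += [(f"2008-03-08 02:{m:02d}:00", 4663, "bob") for m in range(15, 55)]

def usual_hours(events):
    """account -> set of hours at which successful logons (4624) were seen."""
    hours = defaultdict(set)
    for when, event_id, account in events:
        if event_id == 4624:
            hours[account].add(datetime.strptime(when, FMT).hour)
    return hours

def irregular_logons(baseline, new_events):
    """Logons in new_events at an hour never seen for that account in baseline
    (an account with no baseline history at all is therefore always flagged)."""
    seen = usual_hours(baseline)
    return [(when, account) for when, event_id, account in new_events
            if event_id == 4624 and datetime.strptime(when, FMT).hour not in seen[account]]

def volume_spike(baseline, new_events, factor=3.0):
    """(count, threshold) when new_events exceed factor x the median daily
    baseline volume, else None."""
    per_day = Counter(when[:10] for when, _, _ in baseline)
    threshold = factor * median(per_day.values())
    count = len(new_events)
    return (count, threshold) if count > threshold else None
```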

18 Guidelines for Analyzing a Security Incident
To identify  Determine
Symptoms     How is the event occurring? What are the symptoms of the attack?
Origin       Where is the attack originating? Is the point of origin connected to the attacker?
Entry point  How is the attack entering the network? Is the attacker exploiting a known vulnerability?
Intent       What does the attacker appear to be trying to accomplish? Is there a pattern to the attack?
Severity     What is at risk? How serious is the risk?
Exposure     What systems have been compromised? In what way are the systems compromised?

19 Methods for Limiting Damage from an Attack
Resource           Examples
Networks           Disconnect affected networks from the corporate network; disconnect the corporate network from the Internet; block TCP/IP ports
Computers          Remove infected computers from the network; remove computers that hold sensitive information from the network; deploy security hotfixes and service packs
Applications       Change passwords on compromised and sensitive accounts; update antivirus scanning engines and signature files; update intrusion detection systems and inspect log files
Physical security  Replace locks and key codes; increase physical security

20 Guidelines for Documenting Security Incidents
Use these guidelines to gather feedback and discover:
- The origin of the incident
- How the incident was detected and reported
- How the incident was responded to and resolved
- Recommended changes to policies and procedures
- Improvements to your incident response procedure
- Updates to your risk management plan
- The financial impact of the security incident

21 Activity: Risk and Response
For each scenario:
- Read the scenario
- Choose the best risk management strategy
- Determine an appropriate security response
- Discuss your answers as a class

22 Lab: Responding to Security Incidents
- Exercise 1: Identifying Potential Vulnerabilities
- Exercise 2: Implementing an Incident Response Team
- Exercise 3: Implementing an Incident Response Plan

23 Course Evaluation

