Chapter 3 Pre-Incident Preparation Spring 2016 - Incident Response & Computer Forensics.


Slide 1: Chapter 3 Pre-Incident Preparation, Spring 2016 - Incident Response & Computer Forensics

Slide 2: Preparing the Organization for Incident Response
 Technical issues are not the only challenges
 Others are:
   Identifying risks
   Policies that promote a successful IR
   Working with outsourced IT
   Global infrastructure issues
   Educating users on host-based security

Slide 3: Identifying Risks
 Getting the big picture of the organization's risk:
   What are the critical assets?
   What is their exposure?
   What is the threat?
   What regulatory requirements does the organization have to comply with?
 Risk identification helps in preparing for incidents better

Slide 4: Policies that Promote a Successful IR
 Examples:
   Acceptable Use Policy
   Security Policy
   Remote Access Policy
   Internet Usage Policy

Slide 5: Working with Outsourced IT
 What does the contract say about what they will or will not be able to provide in case of an investigation?
 Without a written agreement, it is hard (in some cases impossible) to get the required resources.

Slide 6: Global Infrastructure Issues
 Policy and labor regulations
 Team coordination
 Data accessibility

Slide 7: Educating Users on Host-Based Security
 What actions should or should not be taken:
   From the computer security viewpoint
   From the IR viewpoint
 Policy about software installed by users
 Adhering to security measures

Slide 8: Preparing the IR Team
 The core IR team is composed of:
   IT
   Investigators
   Forensic examiners
   …
 The team must be detail oriented, not rush the important things, and document their actions.

Slide 9: Preparing the IR Team
 The mission:
   Conduct a complete, impartial investigation
   Quickly confirm or dispel whether the incident occurred
   Assess damage and scope
   Control and contain the incident
   Collect and document evidence
   Provide a liaison to law enforcement and legal authorities
   Maintain the needed confidentiality
   Provide expert testimony
   Provide recommendations to management

Slide 10: Preparing the IR Team
 Resources for the IR team
   Training: university / industry training centers
   Requirements:
     Data protection – encrypt data using software / hardware
     Memory
     CPU
     I/O busses
     Portability
     Use write-blockers
     Use of virtual machines is better
 The tools must be forensically sound

Slide 11: Preparing the IR Team
 Evidence handling
   Appropriate procedures for:
     Evidence collection
     Documentation
     Storage
     Shipment
   Procedures must enforce integrity and provide for authentication and validation

Slide 12: Preparing the Infrastructure
 Computing device configuration
   The majority of evidence is found on computing devices
   The results of an investigation depend greatly on device configuration
   The following are four suggested areas:
     Asset management
     Performing a survey
     Instrumentation
     Additional steps to improve security

Slide 13: Preparing the Infrastructure
 Asset management:
   Have all information in one place
   The following information must be kept:
     Date provisioned
     Ownership
     Business unit
     Role or services
     Physical location
     Network configuration
     Contact information

Slide 14: Preparing the Infrastructure
 Performing a survey:
   OS
   Hardware
   Networking technologies
   Network diagram
   Security software
   Endpoint applications
   Business applications

Slide 15: Preparing the Infrastructure
 Instrumentation:
   Log files are of extreme importance
   Issues: what to log and for how long to keep it
   Centralized vs. decentralized logging: advantages and disadvantages
   OS vs. application logs
   Windows OS:
     Include log-on and log-off events
     Log process creation and termination activities
     Increase local storage for each event log
   Unix-based OS:
     Enable process accounting, if possible
     Increase local storage
   In both types of OS, forward logs to a centralized location
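A Windows baseline for the instrumentation items on slide 15, added here as an example (it is not part of the slides): it enables the log-on/log-off and process creation/termination audit subcategories, records the command line in process creation events, enlarges the local Security log, and points the host at a Windows Event Forwarding collector. The collector name logcollector.example.internal is a placeholder, and the script assumes an elevated PowerShell session on a domain-joined host.

```powershell
# Added example (not from the slides): Windows audit baseline for slide 15.
# Run elevated. 'logcollector.example.internal' is a placeholder host name.

# 1. Log-on and log-off events (Security log, event IDs 4624 / 4634 / 4647)
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable

# 2. Process creation and termination (event IDs 4688 / 4689)
auditpol /set /subcategory:"Process Creation"    /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:disable

# Record the full command line inside 4688 events (off by default)
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -Value 1 -Type DWord

# 3. Increase local storage for the Security log (1 GB here; the default is small,
#    so logon and process events are overwritten quickly on a busy host)
wevtutil sl Security /ms:1073741824

# 4. Forward logs to a central collector with Windows Event Forwarding (WEF):
#    enable WinRM on this source host and register the collector's
#    subscription manager. The collector side is configured with wecutil.
winrm quickconfig -q
$wefKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
New-Item -Path $wefKey -Force | Out-Null
Set-ItemProperty -Path $wefKey -Name '1' -Type String `
    -Value 'Server=http://logcollector.example.internal:5985/wsman/SubscriptionManager/WEC,Refresh=60'
gpupdate /force

# Verify the effective audit policy for the two categories touched above
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Detailed Tracking"
```

On the collector, the forwarding account (NETWORK SERVICE by default) must be allowed to read the Security log, otherwise events never arrive.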

Slide 16: Preparing the Infrastructure
 Additional steps to improve security:
   Establish a patching solution for the OS and applications
   Use two-factor authentication where possible and enforce good passwords
   Deploy firewall and AV solutions
   Remove local administrative access

