Business Continuity Planning Strategic Response Presentation

Description

This week's assignments require you to submit a presentation describing how your organization plans for and will execute the recovery process when an incident occurs.

Create a group presentation consisting of approximately 16 slides that present the main idea(s), assumptions, and recommendations for creating and implementing the security policy program. At a minimum, include:

  • One title slide
  • One topic introduction slide
  • Approximately 8 to 10 content slides
  • One conclusion slide
  • One current APA formatted reference slide
  • Lecture notes for each slide

The paper that was submitted is attached, and the presentation should follow on from it; the required resources are attached, with links below.

Unformatted Attachment Preview

UC Technologies Incorporated
Business Continuity Plan
Michael Owens, Uday Mathew, Piyush Khanna, Deepak Maddukuri, Ujvala Bypa

Contents

  • Preface
  • Organizational Chart
  • Scope
  • Critical Business Processes
  • Critical Systems

Preface

UC Technologies receives health care applications both via a secure portal on our web server and through various mail carriers (USPS, FedEx, UPS). Mailed documents are scanned into a proprietary program (Patriot Act). Once in the system, workers use information from both electronically submitted documents and those scanned into the system to populate fields in the Patriot Act program. This data is exported into databases which are used by UC Technologies' customer to determine health care eligibility.

Organizational Chart

Below is the organizational chart containing all members of the BCP team along with their roles.

Scope

UC Technologies is responsible for gathering consumer data pertinent to determining healthcare eligibility for its customer. The organization's main facility is located on the campus of The University of the Cumberlands in Williamsburg, KY. A disaster recovery facility is located in Lexington, KY. The primary facility is home to 150 student workers who comprise the staff of data entry personnel for the organization. All servers, networking infrastructure, and critical systems are housed and maintained within the primary facility. The disaster recovery facility is designed to allow UC Technologies to continue working at 100% within 72 hours should any disaster render the primary facility nonproductive.

Critical Business Processes

  • Receiving eligibility documents:
    – Electronically submitted through web site
    – Mailed in by consumer (USPS, FedEx, UPS)
  • Scanning documents using scanning equipment
  • Processing submitted documents using processing software (Patriot Act)
  • Sending processed metadata to databases
  • Meeting SLA requirements set by customer (healthcare provider)
  • Sending correspondence to consumers requesting additional information to determine eligibility
  • Catalog and storage of both electronic and mailed-in documents

Critical Systems

  • Web server (for submission of electronic documents)
  • Servers (SQL database servers, VM, AD, electronic file storage, application, Exchange)
  • Thin clients
  • Thick clients used for applications (scanner hardware, administrative processes, etc.)
  • Networking infrastructure (switches, firewalls, etc.)
  • Mail carriers pick up/drop off
  • Storage of physical documents

Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 8: Incident Response: Recovery and Maintenance

Objectives

  • Describe how an organization plans for and executes the recovery process when an incident occurs
  • Explain the need for and steps involved in the ongoing maintenance of the IR plan
  • List the steps involved in collecting digital evidence
  • Discuss the process used to analyze evidence
  • Explain how encryption can thwart digital forensic analysis

Introduction

  • Incident recovery can begin
    – Once the incident has been contained and system control has been regained
  • First task
    – Inform the appropriate human resources
  • CSIRT
    – Must assess the full extent of the damage to determine what must be done to restore the systems

Recovery

  • Incident damage assessment
    – Initial determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets
    – Can take days or weeks, depending on the extent of the damage
    – Damage can range from minor to severe

Identify and Resolve Vulnerabilities

  • Forensics
    – Used for intrusion analysis and as part of evidence collection and analysis
    – Also used to assess how the incident occurred and what vulnerabilities were exploited to cause the assessed damage
  • After any incident
    – The organization should address the safeguards that failed to stop or limit the incident

Restore Data

  • The IR team must:
    – Understand the backup strategy used by the organization
    – Restore the data contained in backups
    – Use the appropriate recovery processes from incremental backups or database journals to recreate any data that was created or modified since the last backup

Restore Services and Processes

  • Compromised services and processes must be examined, verified, and then restored
  • If services or processes were interrupted in the course of regaining control of the systems, they need to be brought back online
  • An organization should continuously monitor its system

Restore Confidence Across the Organization

  • The IR team may wish to:
    – Issue a short memorandum outlining the incident and assuring everyone that the incident was handled and the damage was controlled
  • Objective of this communication
    – To prevent panic or confusion from causing additional disruption to the operations of the organization

Maintenance

  • Maintenance of the IR plan includes:
    – Procedures to complete effective after-action review meetings
    – A process to complete comprehensive periodic plan review and maintenance
    – Efforts to continue the training of staff members who will be involved in IR

After-Action Review

  • This is a detailed examination of the events that occurred, from first detection to final recovery
  • Should be completed immediately after the events in question have been completed
  • The entire AAR should be recorded for use as a training case for future staff

  • Use AAR to document lessons learned and generate IR plan improvements
    – Examining the documentation of the incident should reveal
      • The point at which the incident was first detected
      • The point in time that the IR plan was enacted
      • How the first responders and CSIRT reacted
  • AAR as historical record of events
    – This may or may not be a requirement for legal proceedings
  • AAR as a case training tool
    – Even in defeat, the organization must continue to rebuild its defenses to fight another day
  • AAR as closure
    – The AAR serves as closure to an incident

Plan Review and Maintenance

  • Questions that might be useful in this review
    – Has there been any use of this plan in the past review period?
    – Were any AAR meetings held, and have the minutes of any such meetings been reviewed to note deficiencies that may need attention?
    – Have any other notices of deficiency been submitted to the plan owner, and have they been addressed yet?

Training

  • A systematic approach to training is needed to support the IR plan
  • Cross-training
    – Is needed to be assured that enough staff members with the proper skills are available for all realistic scenarios

Rehearsal

  • Plans should be rehearsed until those responding are prepared for the actions they are expected to perform
  • Rehearsal adds value by:
    – Exercising the procedures
    – Identifying any shortcomings
    – Providing the opportunity to improve the plan before it is needed

Law Enforcement Involvement

  • When an incident violates civil or criminal law
    – It is the organization's responsibility to notify the proper authorities
  • Law enforcement agencies
    – Usually better equipped at processing evidence than a business organization
  • Disadvantage of law enforcement involvement
    – Possible loss of control of the chain of events following an incident

Reporting to Upper Management

  • After preliminary assessment, the CSIRT leader should:
    – Make a report to upper management, typically the CISO and CIO
  • Upper management
    – Usually requests assistance in drafting a press release to notify the general public and a specific notification to any stakeholders affected by the event

Loss Analysis

  • In determining the costs associated with an incident, consider:
    – Cost associated with the number of person-hours diverted from normal operations to react to the incident
    – Cost associated with the number of person-hours needed to recover data
    – Opportunity costs associated with the number of person-hours that could have been devoted to working on more productive tasks
    – Cost associated with reproducing lost data (if possible)
    – Legal cost associated with prosecuting offenders (if possible)
    – Cost associated with loss of market advantage or share due to disclosure of proprietary information
    – Cost associated with acquisition of additional security mechanisms ahead of budget cycle

Incident Forensics

  • Forensics
    – The use of methodical technical investigation and analysis techniques to identify, collect, preserve, and analyze objects and information of potential evidentiary value
  • Computer forensics
    – The use of forensics techniques when the source of evidence is a computer system
  • Digital forensics
    – The use of forensic techniques when the source of evidence is a digital electronic device

Legal Issues in Digital Forensics

  • Private organizations should employ the following procedure when searching an employee's computer
    – Verify that organizational policy allows such a search to occur
    – Verify that the search is "justified at its inception"
    – Verify that the search is "permissible in its scope"
    – Verify that the organization has clear ownership over the container the material was discovered in
    – Verify that the search has been authorized by a manager or administrator in the appropriate chain of command

Digital Forensics Team

  • When planning a forensics operation, an organization should consider:
    – Cost
    – Response time
    – Data sensitivity
  • Division of forensic functions
    – First response
    – Analysis and presentation

  • First response team
    – Incident manager, scribe, and imager
  • Analysis team
    – Forensic analysis function: examination and analysis
    – Forensic examiners
      • Skilled in the operations of particular tools
    – Forensic analysts
      • Know about operating systems and networks

  • Some of the contents of a forensic field kit
    – Forensic laptops that have multiple operating systems
    – Call list with subject-matter experts in various IT technologies
    – Cell phones with extra batteries and chargers
    – Hard drives, blank CDs, blank DVDs, and USB flash drives
    – Imaging software or hardware with write blockers
    – Forensic software and tools
    – Cables, extension cords, and power strips
    – Evidence bags, seals, and permanent markers

Digital Forensics Methodology

  • A digital investigation usually begins with some allegation of wrongdoing
  • Assessing the scene involves:
    – Interviewing the key contacts who are present and documenting the scene
    – Methods used include photography and field notes

  • Acquiring the evidence
    – An organization's IR policy must spell out the procedures for initiating the investigative process
    – Digital evidence collection follows a simple four-step methodology
      • Identify sources of evidentiary material
      • Authenticate the evidentiary material
      • Collect the evidentiary material
      • Maintain a documented chain of custody

  • Identifying sources
    – Information may reside on:
      • Disks in a desktop and/or laptop computer
      • Disks in external storage enclosures
      • Memory sticks or cards
      • PDA
      • Cellular phone
      • Storage devices, such as MP3 players
      • Optical storage, such as CDs and DVDs
      • Networked storage

  • Authenticating evidence
    – Cryptography
      • One way to identify a particular digital item
    – When a piece of digital evidence is collected, its hash value is calculated and recorded
    – Hashes are acceptable for demonstrating the integrity of digital evidence
    – NIST is developing new hash algorithms that will be more resistant to attack

  • Collecting evidence
    – The investigator must make no changes to the evidence
    – Evidence labels and seals are crucial to prevent doubts on evidence handling
    – All sterilization procedures must be codified
    – All media sterilization processes must be documented
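The four-step methodology above (identify the source, authenticate with a hash, collect and seal, keep a documented chain of custody) can be made concrete in a small intake record. The following is an added example and not material from the textbook or from the BCP: it hashes a constructed stand-in for a device image with SHA-256 at intake, records the seal applied at collection, appends every hand-off to a custody list, and re-verifies the hash before analysis. The `EvidenceRecord` class, the `collect()` and `demo()` helpers, the item and seal identifiers, the role names and the workstation name are all this example's own inventions.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

# Constructed stand-in for a bitstream image of a seized device (not real data).
SAMPLE_IMAGE = b"\x00" * 512 + b"eligibility-export.csv,row1,row2" + b"\xff" * 512


def sha256_hex(data: bytes) -> str:
    """Hash value calculated when the item is collected and recorded with it."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceRecord:
    item_id: str                  # label written on the evidence bag and seal
    source: str                   # where the item was identified (step 1)
    sha256: str                   # authentication hash (step 2)
    seal_number: str              # physical seal applied at collection (step 3)
    custody: list = field(default_factory=list)   # chain of custody (step 4)

    def transfer(self, when: str, holder_from: str, holder_to: str, purpose: str) -> None:
        """Every hand-off or access is appended; entries are never edited or removed."""
        self.custody.append({"when": when, "from": holder_from,
                             "to": holder_to, "purpose": purpose})

    def verify(self, data: bytes) -> bool:
        """Re-hash the item (e.g. before analysis) and compare with the recorded value."""
        return sha256_hex(data) == self.sha256

    def chain_is_continuous(self) -> bool:
        """True when every hand-off starts from whoever received the previous one
        and timestamps never go backwards, i.e. there is no unexplained gap in custody."""
        if not self.custody:
            return False
        for prev, cur in zip(self.custody, self.custody[1:]):
            if cur["from"] != prev["to"] or cur["when"] < prev["when"]:
                return False
        return True

    def to_report(self) -> str:
        """JSON form of the record for the written report and the evidence log."""
        return json.dumps(asdict(self), indent=2)


def collect(item_id: str, source: str, data: bytes, seal_number: str,
            when: str, imager: str) -> EvidenceRecord:
    """Intake: hash the image, seal it, and open the custody chain with the imager."""
    rec = EvidenceRecord(item_id, source, sha256_hex(data), seal_number)
    rec.transfer(when, "scene", imager, "collected, imaged and sealed")
    return rec


def demo() -> EvidenceRecord:
    """Walk one constructed item from the scene to an analyst (ISO-8601 UTC timestamps)."""
    rec = collect("UCT-2019-001", "USB stick, data-entry workstation DE-07 (constructed)",
                  SAMPLE_IMAGE, "SEAL-48213", "2019-03-04T09:12:00Z", "imager")
    rec.transfer("2019-03-04T11:40:00Z", "imager", "evidence-locker", "storage")
    rec.transfer("2019-03-06T08:05:00Z", "evidence-locker", "analyst", "analysis")
    return rec


if __name__ == "__main__":
    record = demo()
    print(record.to_report())
    print("image verifies:", record.verify(SAMPLE_IMAGE))
    print("custody continuous:", record.chain_is_continuous())
```

Two checks matter in practice: `verify()` is re-run every time the image leaves storage (a single changed byte changes the hash), and `chain_is_continuous()` must hold for the whole record, because a hand-off that does not start from the last recorded holder is exactly the gap that casts doubt on the evidence handling.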
  • Collecting evidence (cont'd.)
    – In a dead acquisition
      • The computer is typically powered off so that its disk drives can be removed for imaging
      • An investigator seeks to obtain a forensic image of the disk or device
    – When making a forensic image of a device
      • Forensic investigators use bitstream copying
    – Write blockers
      • Devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the contents

  • Maintaining a documented chain of custody
    – Chain of custody
      • A legal record of where the evidence was at each point in its lifetime and documentation of each and every access to it
    – The storage facility requires
      • Controlled temperature and humidity
      • Freedom from strong electrical and magnetic fields that might damage the items
      • Protection from fire and other physical hazards

  • Analyzing evidence
    – First step is to obtain the evidence from the storage area and perform physical authentication
    – Disk images must be loaded into the particular forensic tool used by the organization
    – Two common tools used in forensic analysis
      • Forensic Toolkit (FTK) from AccessData
      • EnCase from Guidance Software
    – FTK
      • Performs extensive pre-processing of evidence items
      • Organizes the various items into a tabbed display
      • Constructs an index of terms found in the image as part of preprocessing
    – EnCase forensic edition
      • Presents an extensible forensic platform that makes it easy for trained investigators to carry out their tasks
      • Supports EnScripts

  • Reporting the findings
    – Once the analysis is complete, the findings must be reported in written and often verbal form
    – People who will use the report
      • Upper management
      • Forensic expert retained by the opposition
      • Attorneys, judges, and juries
      • Other professionals (auditors, heads of human resources departments, and others)

eDiscovery and Anti-Forensics

  • Discovery
    – One party can obtain evidence from the opposing party through specific requests for information
  • eDiscovery
    – The search for, collection, and review of items stored in electronic format that are of potential evidentiary value based on criteria specified by a legal team
  • Anti-forensics
    – An attempt made by those who may become subject to digital forensic techniques to hide items of evidentiary value

  • Organizations must be aware that:
    – Forensic tools are not just in the hands of honest professionals; they are available to everyone
  • Encrypted information
    – Poses significant challenges to forensic investigators because, by its nature, encryption conceals the content of digital material
  • Some forensic products
    – Offer brute force attacks against the encrypted information, using dictionaries of common pass phrases

Summary

  • IR begins once an incident has been contained and system control has been regained
  • After any incident, address the safeguards that failed to stop or limit the incident
  • Compromised services and processes must be examined, verified, and then restored
  • Ongoing maintenance includes
    – After-action review (AAR) meetings
    – Planning review and maintenance
    – Training of staff members

  • When plan shortcomings are noted, the plan should be reviewed and revised
  • A systematic approach to training is needed to support the IR plan
  • A digital investigation begins with an allegation of wrongdoing
  • First-response digital forensic team
    – Secures and collects the devices, media, or media images that are potentially evidentiary

  • Forensic tools
    – Can be used by investigators even to obtain information that has been deleted from digital media
  • eDiscovery
    – The search for, collection, and review of items stored in electronic format that are of potential evidentiary value
  • Anti-forensics
    – The attempt by those who may become subject to digital forensics techniques to hide items of evidentiary value

Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 7: Incident Response: Response Strategies

Objectives

  • Explain what an IR reaction strategy is and list general strategies that apply to all incidents
  • Define incident containment and describe how it is applied to an incident
  • List some of the more common categories of incidents that may occur
  • Discuss the IR reaction strategies unique to each category of incident

Introduction

  • What do we do once we have detected an incident?
  • IR reaction strategies
    – Procedures for regaining control of systems and restoring operations to normalcy
    – Are at the heart of the IR plan and the CSIRT's operations
  • How the CSIRT responds to an incident relies in part on its mission philosophy:
    – Protect and forget
    – Apprehend and prosecute

IR Response Strategies

  • Once the CSIRT has been notified and arrives "on scene"
    – First: assess the situation
    – Second: begin asserting control and make positive steps to regain control over the organization's information assets
Response Preparation

  • Prevention strategies
    – Using risk assessment to make informed decisions
    – Acquiring and maintaining good host security
    – Acquiring and maintaining good network security
    – Implementing comprehensive malware prevention
    – Thorough and ongoing training to raise user awareness

Incident Containment

  • Containment strategies
    – Monitoring system and network activities
    – Disabling access to compromised systems that are shared with other computers
    – Changing passwords or disabling accounts of compromised systems
    – Disabling system services, if possible
    – Disconnecting compromised systems (or networks) from the local network
    – Temporarily shutting down compromised systems
    – Verifying that redundant systems and data have not been compromised

  • Identifying the attacking hosts involves:
    – Verifying the IP address of the attacking system
    – Web-based research of the attacking host's IP address
    – Incident/attack database searches
    – Attacker back-channel and side-channel communications

Incident Eradication

  • Many practitioners feel that a system, once compromised, can never be restored to a trusted state
  • To prevent concurrent recurrence
    – Team must continuously monitor the assets associated with the current incident and the remaining assets that may be susceptible to attack
    – The organization's monitoring teams should be on high alert, carefully examining communications and system activities

Incident Recovery

  • The reestablishment of the pre-incident status of all organizational systems
  • Incident recovery involves:
    – Implementing the backup and recovery plans that should already be in place before the attack
  • Difficult part of recovery
    – The identification of data that may have been disclosed

Incident Containment and Eradication Strategies for Specific Attacks

  • CSIRT leader must determine appropriate response based on certain aspects of the incident
    – Type
    – Method of incursion
    – Current level of success
    – Current level of loss
    – Expected or projected level of loss
    – Target
    – Target's level of classification and/or sensitivity
    – Any legal or regulatory impacts mandating a specific response

  • Containment strategy should include details about how the organization will handle:
    – Theft or damage to assets
    – Whether to preserve evidence for potential criminal prosecution
    – Service-level commitments and contract requirements to customers
    – Allocation of necessary resources to activate strategy
    – Graduated responses that may be necessary
    – Duration of containment efforts

Handling Denial of Service (DoS) Incidents

  • Denial-of-service (DoS) attack
    – Occurs when an attacker's action prevents the legitimate users of a system from using it
  • Distributed denial-of-service (DDoS) attack
    – The use of multiple systems to simultaneously attack a single target

  • Tasks to be performed before the DoS incident
    – Coordinating with service provider
    – Collaborating and coordinating with professional response agencies
    – Implementation of prevention technologies
    – Monitoring resources
    – Coordinating the monitoring and analysis capabilities
    – Setting up logging and documentation
    – Configuring network devices to prevent DoS incidents

  • Containment strategies during the DoS incident
    – Try to fix the source of the problem
    – Change the organization's filtering strategy
    – Try to filter based on the characteristics of the attack
    – Engage upstream partners
    – Eliminate or relocate the target system
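Of the DoS containment strategies above, "filter based on the characteristics of the attack" is the one the CSIRT can act on directly from its own web-server logs. The following is an added example, not code from the textbook: it parses constructed access-log lines in common log format, keeps a sliding window of requests per source address, reports every source whose burst exceeds a threshold together with the request line it repeated most, and turns the result into host-firewall drop rules. The window and threshold values, the `flood_sources()`, `drop_rules()` and `build_sample_log()` names, and the use of iptables syntax for the rules are assumptions of this example; the addresses are documentation ranges (RFC 5737).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g. from the web server that receives electronic submissions.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the fields needed from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "request": m["req"], "status": int(m["status"])}


def flood_sources(lines, window_seconds=10, max_requests=20):
    """Map each source that sent more than max_requests inside any window_seconds span
    to its peak burst size and the request line it used most (the attack's characteristic)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])        # lines from several hosts may arrive out of order
    recent = defaultdict(deque)                # per-source timestamps inside the current window
    requests = defaultdict(lambda: defaultdict(int))
    offenders = {}
    for rec in records:
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                        # drop timestamps that fell out of the window
        requests[ip][rec["request"]] += 1
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return {ip: {"peak_requests": peak,
                 "top_request": max(requests[ip], key=requests[ip].get)}
            for ip, peak in offenders.items()}


def drop_rules(offenders):
    """Host-firewall rules for a first, source-based filter (iptables syntax assumed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def build_sample_log():
    """Constructed access log: one normal user, one slow crawler, one flooding source."""
    base = datetime(2019, 3, 4, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512')

    for i in range(5):
        add("198.51.100.20", 12 * i, "/portal/submit")            # one request every 12 s
    for i in range(8):
        add("192.0.2.77", 30 * i, f"/portal/page/{i}")            # one request every 30 s
    for i in range(60):
        add("203.0.113.5", 0.1 * i, "/portal/submit?size=max")    # 60 requests in 6 s
    return lines


if __name__ == "__main__":
    found = flood_sources(build_sample_log())
    for ip, info in found.items():
        print(ip, info)
    print("\n".join(drop_rules(found)))
```

Source-based drops only help while the attack comes from a few addresses; for a distributed attack the same per-source analysis still identifies the request pattern to hand to the upstream provider (the "engage upstream partners" step), so the provider can filter on the attack's characteristics rather than on the whole customer address space.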
  • After the DoS attack, the organization:
    – Should consider its overall philosophy of protect and forget or apprehend and prosecute
    – Will want to collect evidence to see how the incident occurred and to provide insight into how to avoid future recurrences

Malware

  • Designed to damage, destroy, or deny service to the target systems
  • Common instances include:
    – Viruses and worms, Trojan horses, logic bombs, back doors, and rootkits
  • Cookie
    – Data kept by a Web site as a means of recording that a system has visited the site
  • Tracking cookie
    – Collects valuable personal information, then sends it along to the attacker

  • Before the malware incident:
    – Schedule awareness programs to inform users about current malware issues
    – Keep up on vendor and IR agency postings and bulletins
    – Implement appropriate IDPS
    – Conduct effective inventory and data organization
    – Implement and test data backup and recovery programs

  • To search for undetected infections during the malware incident
    – Scan internal systems to look for active service ports
    – Use updated scanning and cleanup tools promptly and aggressively
    – Analyze logs from e-mail servers, firewalls, IDPSs, and individual host log files for anomalous items
    – Give network and host intrusion systems access to signature files that can indicate when certain behaviors have occurred
    – Conduct periodic and ongoing audits

  • Response strategies for malware outbreaks include:
    – Filtering e-mail based on subject, attachment type using malware signatures, or other criteria
    – Blocking known attackers
    – Interrupting some services
    – Severing networks from the Internet or each other
    – Engaging the users
    – Disrupting service

  • After the malware incident
    – System should be constantly monitored to prevent re-infection
    – Distribute warnings that a particular malware incident has occurred and that it was successfully handled

Unauthorized Access

  • Attempts by insiders to escalate privileges and access information and other assets for which they do not explicitly have authorization
  • Some examples of UA
    – Gaining unauthorized administrative control of any server or service
    – Gaining unauthorized access to any network or computing resource
    – Defacing or unauthorized modification of any public-facing information service
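The "analyze logs ... for anomalous items" step for malware and the unauthorized-access examples above (an insider gaining administrative control of a server) both come down to correlating events on a central log server. The following is an added example, not code from the textbook: it parses constructed OpenSSH and sudo syslog lines, flags a successful login that follows a burst of failed attempts for the same account from the same source, and then flags a later sudo to root by that account as a possible privilege escalation. The thresholds, the `detect_unauthorized_access()` name, the host names and the assumed log year are this example's own; the source addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH and sudo entries in the form a central syslog server receives them.
SSH_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)
SUDO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : '
    r'.*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$'
)
LOG_YEAR = 2019   # classic syslog timestamps carry no year; assumed for this example


def parse_ts(text: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def detect_unauthorized_access(lines, max_failures=5, window_seconds=120):
    """Two correlated signals of unauthorized access:
    1. a successful login preceded by at least max_failures failed attempts for the
       same account from the same source inside window_seconds (credential guessing);
    2. a later sudo to root by an account flagged in 1 (privilege escalation)."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of failed logins
    flagged = {}                   # user -> source ip of the suspicious login
    findings = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            ts, key = parse_ts(m["ts"]), (m["ip"], m["user"])
            if m["result"] == "Failed":
                failures[key].append(ts)
                continue
            recent = [t for t in failures[key]
                      if 0 <= (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= max_failures:
                flagged[m["user"]] = m["ip"]
                findings.append({"type": "login_after_failure_burst", "host": m["host"],
                                 "user": m["user"], "ip": m["ip"],
                                 "failures": len(recent), "when": ts.isoformat()})
            continue
        m = SUDO_RE.match(line)
        if m and m["target"] == "root" and m["user"] in flagged:
            findings.append({"type": "root_escalation_after_flagged_login", "host": m["host"],
                             "user": m["user"], "ip": flagged[m["user"]],
                             "command": m["cmd"], "when": parse_ts(m["ts"]).isoformat()})
    return findings


# Constructed sample: one guessing burst that succeeds and escalates, one normal session, noise.
SAMPLE_LOG = [
    "Mar  4 09:14:01 de-07 sshd[2201]: Failed password for admin from 192.0.2.44 port 51022 ssh2",
    "Mar  4 09:14:03 de-07 sshd[2202]: Failed password for admin from 192.0.2.44 port 51023 ssh2",
    "Mar  4 09:14:05 de-07 sshd[2203]: Failed password for admin from 192.0.2.44 port 51024 ssh2",
    "Mar  4 09:14:07 de-07 sshd[2204]: Failed password for admin from 192.0.2.44 port 51025 ssh2",
    "Mar  4 09:14:09 de-07 sshd[2205]: Failed password for admin from 192.0.2.44 port 51026 ssh2",
    "Mar  4 09:14:11 de-07 sshd[2206]: Failed password for admin from 192.0.2.44 port 51027 ssh2",
    "Mar  4 09:14:20 de-07 sshd[2209]: Accepted password for admin from 192.0.2.44 port 51030 ssh2",
    "Mar  4 09:15:02 de-07 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash",
    "Mar  4 09:20:10 de-03 sshd[2310]: Failed password for jdoe from 10.0.0.15 port 40001 ssh2",
    "Mar  4 09:20:18 de-03 sshd[2310]: Accepted password for jdoe from 10.0.0.15 port 40001 ssh2",
    "Mar  4 09:21:00 de-03 sudo:     jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  4 09:22:00 de-03 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for finding in detect_unauthorized_access(SAMPLE_LOG):
        print(finding)
```

A single failed password followed by success (the `jdoe` session) is not reported, and a root sudo by an account that logged in cleanly is not reported either; only the chain of failures, success and escalation from one source crosses the line, which keeps the output short enough that a small CSIRT will actually read it. Keeping these logs on a separately protected central server, as the next slide recommends, is what makes the correlation trustworthy after the host itself has been compromised.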
• Before the UA incident – Placing a common central log server in a more highly protected area of the network will certainly assist in post-event analyses – Implementing an effective password policy and having both a complete and usable management policy as well as technology-enforced password requirements is critical Principles of Incident Response and Disaster Recovery, 2nd Edition 33 Principles of Incident Response and Disaster Recovery, 2nd Edition 34 Unauthorized Access (cont'd.) • During the UA incident – NIST recommends the following containment strategies • • • • • Isolate Disable Block Disable Lockdown Principles of Incident Response and Disaster Recovery, 2nd Edition 35 Principles of Incident Response and Disaster Recovery, 2nd Edition 36 Principles of Incident Response and Disaster Recovery, 2nd Edition 37 Principles of Incident Response and Disaster Recovery, 2nd Edition 38 Unauthorized Access (cont'd.) • After the UA incident – The task of identifying the avenue of attack and closing any still-open repeat mechanisms begins – The organization must identify the extent of the damage and look for any residual effects – The CSIRT should always presume that if a critical information asset was accessed, the data stored within it is compromised Principles of Incident Response and Disaster Recovery, 2nd Edition 39 Principles of Incident Response and Disaster Recovery, 2nd Edition 40 Inappropriate Use • IU incidents – Predominantly characterized as a violation of policy rather than an effort to abuse existing systems • The following can be considered IU incidents – Inappropriate and/or unauthorized software or services – Organizational resources used for personal reasons – Organizational resources used to harass coworkers – Restricted company information and other assets stored in external sites Principles of Incident Response and Disaster Recovery, 2nd Edition 41 Inappropriate Use (cont'd.) 
• Before the IU incident – For a policy to become enforceable, it must meet the following five criteria • • • • • Dissemination (distribution) Review (reading) Comprehension (understanding) Compliance (agreement) Uniform enforcement Principles of Incident Response and Disaster Recovery, 2nd Edition 42 Inappropriate Use (cont'd.) • During the IU incident – Level of authority an individual manager has • Important thing to consider when investigating a potential IU incident – Clear policies must be in place that discuss the level of direct investigation the CSIRT may undertake – The organization should clearly define the circumstances under which the CSIRT and/or management may investigate the interior of a piece of organization equipment Principles of Incident Response and Disaster Recovery, 2nd Edition 43 Principles of Incident Response and Disaster Recovery, 2nd Edition 44 Principles of Incident Response and Disaster Recovery, 2nd Edition 45 Inappropriate Use (cont'd.) • After the IU incident – The CSIRT will typically turn copies of all documentation over to management for administrative handling, then monitor the offending systems for possible recurrences Principles of Incident Response and Disaster Recovery, 2nd Edition 46 Principles of Incident Response and Disaster Recovery, 2nd Edition 47 Hybrid or Multicomponent Incidents • Many incidents begin with one type of event, then transition to another • Timeliness is a factor in prioritizing the response • Key recommendations for handling hybrid incidents – Use software to support incident management – Prioritize each incident component as it arises – Contain each incident, then scan for others Principles of Incident Response and Disaster Recovery, 2nd Edition 48 Principles of Incident Response and Disaster Recovery, 2nd Edition 49 Automated IR Response Systems • The CSIRT must document and preserve every action, file, event, and item of potential evidentiary value • Automated IR systems to facilitate IR 
documentation are available through a number of vendors Principles of Incident Response and Disaster Recovery, 2nd Edition 50 Summary • IR reaction strategies – Plans for regaining control of systems and restoring operations to normality in the event of an incident • Once the CSIRT is active, the first task that must occur is an assessment of the situation • Some prevention strategies include: – Risk assessment – Acquiring and maintaining good host security – Acquiring and maintaining good network security • It is imperative to contain a confirmed incident Principles of Incident Response and Disaster Recovery, 2nd Edition 51 Summary (cont'd.) • Incident recovery – The reestablishment of the pre-incident status of all organizational systems • The selection of the appropriate reaction strategy is an exercise in risk assessment • Denial of service (DoS) – Occurs when an attacker’s action prevents the legitimate users of a system or network from using it Principles of Incident Response and Disaster Recovery, 2nd Edition 52
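The malware slides above ("analyze logs ... for anomalous items", "filtering e-mail based on ... attachment type") and the unauthorized-access slides (a central log server "will assist in post-event analyses"; "gaining unauthorized administrative control") describe the same practical job: pull the logs a central log server collects and pick out the items worth an analyst's attention. The script below is an added example of that triage; it is not code from the textbook slides or from the student paper. The host names, user names, the simplified syslog-like and mail-gateway line formats, and the threshold values are all assumptions made for the example, and every log line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like layout (real sshd and
# usermod messages also carry PIDs, ports and tty fields; adjust the patterns
# below to whatever formats a real central log server actually receives).
AUTH_LOG = """\
2024-03-04T09:01:10 scan01 sshd: Failed password for jdoe from 10.0.5.21
2024-03-04T09:01:12 scan01 sshd: Failed password for jdoe from 10.0.5.21
2024-03-04T09:01:14 scan01 sshd: Failed password for jdoe from 10.0.5.21
2024-03-04T09:01:15 scan01 sshd: Failed password for jdoe from 10.0.5.21
2024-03-04T09:01:17 scan01 sshd: Accepted password for jdoe from 10.0.5.21
2024-03-04T09:01:40 scan01 cron: session opened for user root
2024-03-04T09:02:03 scan01 usermod: add 'jdoe' to group 'wheel'
2024-03-04T09:30:00 web01 sshd: Failed password for svc_scan from 10.0.7.9
2024-03-04T10:30:00 web01 sshd: Accepted password for svc_scan from 10.0.7.9
"""

# Constructed mail-gateway lines (the field layout is an assumption).
MAIL_LOG = """\
2024-03-04T09:05:41 mx01 gateway: from=billing@example.net to=claims@uctech.example subject="Invoice 4471" attachment=invoice.pdf.exe
2024-03-04T09:06:02 mx01 gateway: from=hr@uctech.example to=all@uctech.example subject="Benefits update" attachment=benefits.pdf
2024-03-04T09:07:15 mx01 gateway: from=noreply@example.org to=intake@uctech.example subject="Application" attachment=application.docm
"""

FAILED_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$")
ACCEPT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted password for (?P<user>\S+) from (?P<src>\S+)$")
GROUP_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) usermod: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'$")
MAIL_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) gateway: from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
                     r'subject="(?P<subject>[^"]*)" attachment=(?P<attachment>\S+)$')

# Tuning values: assumptions for this example, not figures from the slides.
FAIL_THRESHOLD = 3                  # failures from one source before a success is suspicious
FAIL_WINDOW = timedelta(minutes=5)  # how far back failures count toward that threshold
ADMIN_GROUPS = {"wheel", "sudo", "root", "administrators"}
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "docm", "xlsm"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}


def analyze_auth(auth_log):
    """Flag failed-login bursts that end in a success, and additions to admin groups."""
    findings = []
    failures = defaultdict(list)   # (host, user, source ip) -> timestamps of failures
    suspicious = set()             # (host, user) pairs whose successful login looked brute-forced
    for line in auth_log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            failures[(m["host"], m["user"], m["src"])].append(datetime.fromisoformat(m["ts"]))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            key = (m["host"], m["user"], m["src"])
            ts = datetime.fromisoformat(m["ts"])
            recent = [t for t in failures[key] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append({"type": "login_after_failures", "host": m["host"], "user": m["user"],
                                 "src": m["src"], "failures": len(recent), "ts": m["ts"]})
                suspicious.add((m["host"], m["user"]))
            failures[key].clear()  # a success closes the burst; start counting afresh
            continue
        m = GROUP_RE.match(line)
        if m and m["group"].lower() in ADMIN_GROUPS:
            findings.append({"type": "admin_group_added", "host": m["host"], "user": m["user"],
                             "group": m["group"], "ts": m["ts"],
                             "follows_suspicious_login": (m["host"], m["user"]) in suspicious})
        # any other line (cron, etc.) is not an item this pass looks for
    return findings


def analyze_mail(mail_log):
    """Flag attachments by type: executable/macro extensions, or a document name hiding a second extension."""
    findings = []
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        parts = m["attachment"].lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        double_ext = len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS
        if double_ext or ext in BLOCKED_EXTENSIONS:
            findings.append({"type": "blocked_attachment", "sender": m["sender"], "rcpt": m["rcpt"],
                             "attachment": m["attachment"], "ts": m["ts"],
                             "reason": "double extension" if double_ext else "." + ext + " attachment"})
    return findings


def triage(auth_log, mail_log):
    """Run both passes and return the findings in timestamp order, as an analyst would review them."""
    return sorted(analyze_auth(auth_log) + analyze_mail(mail_log), key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in triage(AUTH_LOG, MAIL_LOG):
        print(f["ts"], f["type"], {k: v for k, v in f.items() if k not in ("ts", "type")})
```

On the constructed input the script reports the four-failure burst on scan01 that ends in a successful login for jdoe, the addition of that same account to wheel a minute later (marked as following a suspicious login, which is the "unauthorized administrative control" case), and the two attachments a type filter would hold back; the single stale failure on web01 an hour before a success is correctly left alone. The threshold and window are the knobs to tune against the organization's own baseline, and the regexes must be rewritten for the real formats a central log server receives.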

Explanation & Answer

Attached.

Business Continuity Planning – The Recovery Process

BCP and Security Policy Program
UC Technologies

•Has a secure portal for receiving
healthcare applications
•Portal works through mail carriers
•Information received is used to
determine healthcare eligibility
•Major threat is digital attacks

UC’s BCP

•BCP – process that allows recovery of
important business information in the
event of an adverse effect - natural
disasters, technology failure, etc.
•Important for assuring clients that one
has the muscle to meet their needs

BCP Process - Initiation

•Definition of the objectives – to protect
and ensure a quick return to normal
efficiency at UC upon any critical
damage at minimum cost
•There is also executive support for the
project and development of policies

Functional Requirements

•Identification of servicing needs –
ensure that client information is
collected, stored and easily retrievable
whenever needed while maintaining
confidentiality
•Risk assessment is conducted

BCP Process

•Risk assessment

–Establishes risk framework
–Identification of threats
–Can be internal and external
–Threats include human
vulnerabilities

BCP Process – Identification of Risk

•UC’s major risk is digital attacks –
malware; can be from employees or
outside attackers
•Human element is most vulnerable (Los,
2012)
•Malware – ransomware, viruses, worms

Strategies

•This identifies the steps that will be
taken; includes opera...

