Michael Owens
Uday Mathew
Piyush Khanna
Deepak Maddukuri
Ujvala Bypa
UC Technologies Incorporated
Business Continuity Plan
Contents
Preface
Organizational Chart
Scope
Critical Business processes
Critical systems
Preface
UC Technologies receives health care applications both via a secure portal on our web server and through
various mail carriers (USPS, FedEx, UPS). Mailed documents are scanned into a proprietary program
(Patriot Act). Once in the system, workers use information from both electronically submitted
documents and those scanned into the system to populate fields in the Patriot Act program. This data is
exported into databases that are used by UC Technologies’ customer to determine health care
eligibility.
Organizational Chart
Below is the organizational chart containing all members of the BCP team along with their roles.
BCP team members (organizational chart): Michael Owens, Uday Mathew, Piyush Khanna, Deepak Maddukuri, Ujvala Bypa.
Scope
UC Technologies is responsible for gathering consumer data pertinent to determining healthcare
eligibility for its customer. The organization’s main facility is located on the campus of The University of
the Cumberlands in Williamsburg, KY. A disaster recovery facility is located in Lexington, KY. The primary
facility is home to 150 student workers who comprise the staff of data entry personnel for the
organization. All servers, networking infrastructure, and critical systems are housed and maintained
within the primary facility. The disaster recovery facility is designed to allow UC Technologies to
continue working at 100% within 72 hours should any disaster render the primary facility nonproductive.
Critical Business processes
• Receiving eligibility documents:
  – Electronically submitted through the web site
  – Mailed in by the consumer (USPS, FedEx, UPS)
• Scanning documents using scanning equipment
• Processing submitted documents using processing software (Patriot Act)
• Sending processed metadata to databases
• Meeting SLA requirements set by the customer (healthcare provider)
• Sending correspondence to consumers requesting additional information to determine eligibility
• Cataloging and storing both electronic and mailed-in documents
Critical systems
• Web server (for submission of electronic documents)
• Servers (SQL database servers, VM, AD, electronic file storage, application, Exchange)
• Thin clients
• Thick clients used for applications (scanner hardware, administrative processes, etc.)
• Networking infrastructure (switches, firewalls, etc.)
• Mail carrier pick-up/drop-off
• Storage of physical documents
Principles of
Incident Response and
Disaster Recovery, 2nd Edition
Chapter 8
Incident Response: Recovery and
Maintenance
Objectives
• Describe how an organization plans for and
executes the recovery process when an incident
occurs
• Explain the need for and steps involved in the
ongoing maintenance of the IR plan
• List the steps involved in collecting digital evidence
• Discuss the process used to analyze evidence
• Explain how encryption can thwart digital forensic
analysis
Principles of Incident Response and Disaster Recovery, 2nd Edition
2
Introduction
• Incident recovery can begin
– Once the incident has been contained and system
control has been regained
• First task
– Inform the appropriate human resources
• CSIRT
– Must assess the full extent of the damage to
determine what must be done to restore the systems
Recovery
• Incident damage assessment
– Initial determination of the scope of the breach of
confidentiality, integrity, and availability of
information and information assets
– Can take days or weeks, depending on the extent of
the damage
– Damage can range from minor to severe
Identify and Resolve Vulnerabilities
• Forensics
– Used for intrusion analysis and as part of evidence
collection and analysis
– Also used to assess how the incident occurred and
what vulnerabilities were exploited to cause the
assessed damage
• After any incident
– The organization should address the safeguards that
failed to stop or limit the incident
Restore Data
• The IR team must:
– Understand the backup strategy used by the
organization
– Restore the data contained in backups
– Use the appropriate recovery processes from
incremental backups or database journals to
recreate any data that was created or modified since
the last backup
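The restore step described above, worked through as an added example (not the textbook's code): a full backup and incremental backups are applied in order, then only the journal entries newer than the last backup are replayed, so nothing is applied twice. The record layout, the sequence numbers (LSN) and the optional recovery point are assumptions constructed for this example.

```python
"""Rebuilding a dataset from a full backup, incremental backups and a
transaction journal.  All data below is constructed sample data."""
import copy
import hashlib
import json

# Full backup taken when the journal stood at sequence number 100.
FULL_BACKUP = {
    "lsn": 100,
    "records": {"acct-1": {"balance": 50}, "acct-2": {"balance": 10}},
}

# Incremental backups carry only records changed since the previous backup.
INCREMENTALS = [
    {"lsn": 150, "records": {"acct-2": {"balance": 25}}},
    {"lsn": 180, "records": {"acct-3": {"balance": 5}}},
]

# Journal entries; the first two are already covered by the incrementals
# and must not be applied a second time.
JOURNAL = [
    {"lsn": 120, "op": "put", "key": "acct-2", "value": {"balance": 25}},
    {"lsn": 170, "op": "put", "key": "acct-3", "value": {"balance": 5}},
    {"lsn": 190, "op": "put", "key": "acct-1", "value": {"balance": 75}},
    {"lsn": 195, "op": "delete", "key": "acct-2", "value": None},
]


def apply_entry(records, entry):
    """Apply one journal entry to the in-memory record set."""
    if entry["op"] == "put":
        records[entry["key"]] = copy.deepcopy(entry["value"])
    elif entry["op"] == "delete":
        records.pop(entry["key"], None)
    else:
        raise ValueError(f"unknown journal op {entry['op']!r}")


def restore(full, incrementals, journal, recover_to=None):
    """Return (records, lsn) rebuilt from the backups plus the journal.

    recover_to (assumed option): stop at this sequence number inclusive,
    e.g. the last entry known to predate the incident."""
    incrementals = sorted(incrementals, key=lambda b: b["lsn"])
    if any(b["lsn"] <= full["lsn"] for b in incrementals):
        raise ValueError("incremental backup older than the full backup")
    records = copy.deepcopy(full["records"])
    lsn = full["lsn"]
    for inc in incrementals:
        if recover_to is not None and inc["lsn"] > recover_to:
            break
        records.update(copy.deepcopy(inc["records"]))
        lsn = inc["lsn"]
    # Replay only journal entries newer than the last backup applied.
    for entry in sorted(journal, key=lambda e: e["lsn"]):
        if entry["lsn"] <= lsn:
            continue
        if recover_to is not None and entry["lsn"] > recover_to:
            break
        apply_entry(records, entry)
        lsn = entry["lsn"]
    return records, lsn


def fingerprint(records):
    """Stable hash of a restored state, for comparison against a reference."""
    blob = json.dumps(records, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    state, at = restore(FULL_BACKUP, INCREMENTALS, JOURNAL)
    print(at, state, fingerprint(state))
```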
Restore Services and Processes
• Compromised services and processes must be
examined, verified, and then restored
• If services or processes were interrupted in the
course of regaining control of the systems, they
need to be brought back online
• An organization should continuously monitor its
system
Restore Confidence Across the
Organization
• The IR team may wish to:
– Issue a short memorandum outlining the incident
and assuring everyone that the incident was handled
and the damage was controlled
• Objective of this communication
– To prevent panic or confusion from causing
additional disruption to the operations of the
organization
Maintenance
• Maintenance of the IR plan includes:
– Procedures to complete effective after-action review
meetings
– A process to complete comprehensive periodic plan
review and maintenance
– Efforts to continue the training of staff members who
will be involved in IR
After-Action Review
• This is a detailed examination of the events that
occurred, from first detection to final recovery
• Should be completed immediately after the events
in question have been completed
• The entire AAR should be recorded for use as a
training case for future staff
After-Action Review (cont’d.)
• Use AAR to document lessons learned and
generate IR plan improvements
– Examining the documentation of the incident should
reveal
• The point at which the incident was first detected
• The point in time that the IR plan was enacted
• How the first responders and CSIRT reacted
After-Action Review (cont’d.)
• AAR as historical record of events
– This may or may not be a requirement for legal
proceedings
• AAR as a case training tool
– Even in defeat, the organization must continue to
rebuild its defenses to fight another day
• AAR as closure
– The AAR serves as closure to an incident
Plan Review and Maintenance
• Questions that might be useful in this review
– Has there been any use of this plan in the past
review period?
– Were any AAR meetings held, and have the minutes
of any such meetings been reviewed to note
deficiencies that may need attention?
– Have any other notices of deficiency been submitted
to the plan owner, and have they been addressed
yet?
Training
• A systematic approach to training is needed to
support the IR plan
• Cross-training
– Is needed to be assured that enough staff members
with the proper skills are available for all realistic
scenarios
Rehearsal
• Plans should be rehearsed until those responding
are prepared for the actions they are expected to
perform
• Rehearsal adds value by:
– Exercising the procedures
– Identifying any shortcomings
– Providing the opportunity to improve the plan before
it is needed
Law Enforcement Involvement
• When an incident violates civil or criminal law
– It is the organization’s responsibility to notify the
proper authorities
• Law enforcement agencies
– Usually better equipped at processing evidence than
a business organization
• Disadvantage of law enforcement involvement
– Possible loss of control of the chain of events
following an incident
Reporting to Upper Management
• After preliminary assessment, the CSIRT leader
should:
– Make a report to upper management, typically the
CISO and CIO
• Upper management
– Usually requests assistance in drafting a press
release to notify the general public and a specific
notification to any stakeholders affected by the event
Loss Analysis
• In determining the costs associated with an
incident, consider:
– Cost associated with the number of person-hours
diverted from normal operations to react to the
incident
– Cost associated with the number of person-hours
needed to recover data
– Opportunity costs associated with the number of
person-hours that could have been devoted to
working on more productive tasks
Loss Analysis (cont’d.)
• In determining the costs associated with an
incident, consider (cont’d.)
– Cost associated with reproducing lost data (if
possible)
– Legal cost associated with prosecuting offenders (if
possible)
– Cost associated with loss of market advantage or
share due to disclosure of proprietary information
– Cost associated with acquisition of additional
security mechanisms ahead of budget cycle
Incident Forensics
• Forensics
– The use of methodical technical investigation and
analysis techniques to identify, collect, preserve, and
analyze objects and information of potential
evidentiary value
• Computer forensics
– The use of forensics techniques when the source of
evidence is a computer system
• Digital forensics
– The use of forensic techniques when the source of
evidence is a digital electronic device
Legal Issues in Digital Forensics
• Private organizations should employ the following
procedure when searching an employee’s computer
– Verify that organizational policy allows such a search
to occur
– Verify that the search is “justified at its inception”
– Verify that the search is “permissible in its scope”
– Verify that the organization has clear ownership over
the container the material was discovered in
– Verify that the search has been authorized by a
manager or administrator in the appropriate chain of
command
Digital Forensics Team
• When planning a forensics operation, an
organization should consider:
– Cost
– Response time
– Data sensitivity
• Division of forensic functions
– First response
– Analysis and presentation
Digital Forensics Team (cont’d.)
• First response team
– Incident manager, scribe, and imager
• Analysis team
– Forensic analysis function: examination and analysis
– Forensic examiners
• Skilled in the operations of particular tools
– Forensic analysts
• Know about operating systems and networks
Digital Forensics Team (cont’d.)
• Some of the contents of a forensic field kit
– Forensic laptops that have multiple operating systems
– Call list with subject-matter experts in various IT
technologies
– Cell phones with extra batteries and chargers
– Hard drives, blank CDs, blank DVDs, and USB flash
drives
– Imaging software or hardware with write blockers
– Forensic software and tools
– Cables, extension cords, and power strips
– Evidence bags, seals, and permanent markers
Digital Forensics Methodology
• A digital investigation usually begins with some
allegation of wrongdoing
• Assessing the scene involves:
– Interviewing the key contacts who are present and
documenting the scene
– Methods used include photography and field notes
Digital Forensics Methodology
(cont’d.)
• Acquiring the evidence
– An organization’s IR policy must spell out the
procedures for initiating the investigative process
– Digital evidence collection follows a simple four-step
methodology
• Identify sources of evidentiary material
• Authenticate the evidentiary material
• Collect the evidentiary material
• Maintain a documented chain of custody
Digital Forensics Methodology
(cont’d.)
• Identifying sources
– Information may reside on:
• Disks in a desktop and/or laptop computer
• Disks in external storage enclosures
• Memory sticks or cards
• PDA
• Cellular phone
• Storage devices, such as MP3 players
• Optical storage, such as CDs and DVDs
• Networked storage
Digital Forensics Methodology
(cont’d.)
• Authenticating evidence
– Cryptography
• One way to identify a particular digital item
– When a piece of digital evidence is collected, its
hash value is calculated and recorded
– Hashes are acceptable for demonstrating the
integrity of digital evidence
– NIST is developing new hash algorithms that will be
more resistant to attack
Digital Forensics Methodology
(cont’d.)
• Collecting evidence
– The investigator must make no changes to the
evidence
– Evidence labels and seals are crucial to prevent
doubts on evidence handling
– All sterilization procedures must be codified
– All media sterilization processes must be
documented
Digital Forensics Methodology
(cont’d.)
• Collecting evidence (cont’d.)
– In a dead acquisition
• The computer is typically powered off so that its disk
drives can be removed for imaging
• An investigator seeks to obtain a forensic image of the
disk or device
– When making a forensic image of a device
• Forensic investigators use bitstream copying
– Write blockers
• Devices that allow acquisition of information on a drive
without creating the possibility of accidentally
damaging the contents
Digital Forensics Methodology
(cont’d.)
• Maintaining a documented chain of custody
– Chain of custody
• A legal record of where the evidence was at each
point in its lifetime and documentation of each and
every access to it
– The storage facility requires
• Controlled temperature and humidity
• Freedom from strong electrical and magnetic fields
that might damage the items
• Protection from fire and other physical hazards
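The three steps covered in the slides above, authenticating evidence by hash, bitstream imaging in a dead acquisition, and keeping a chain of custody that records every access, as one added example (not the textbook's or any forensic product's code). The "device" is a constructed byte string standing in for a drive behind a write blocker; the item id, handler names and log layout are assumptions.

```python
"""Bitstream imaging, hash authentication and a chain-of-custody log.
The device contents below are constructed sample data."""
import hashlib
import io
from datetime import datetime, timezone


def sha256_stream(fp, chunk_size=1 << 16):
    """Hash a file-like object in chunks; real images are far larger than RAM."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fp.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data):
    """Convenience wrapper: hash an in-memory buffer the same way."""
    return sha256_stream(io.BytesIO(data))


def bitstream_image(source, dest, chunk_size=1 << 16):
    """Copy every byte of source to dest, hashing both streams independently.
    Returns (source_hash, image_hash, bytes_copied); the two hashes must match
    or the image is not a faithful copy and must be re-acquired."""
    src_hash = hashlib.sha256()
    copied = 0
    for chunk in iter(lambda: source.read(chunk_size), b""):
        src_hash.update(chunk)
        dest.write(chunk)
        copied += len(chunk)
    dest.seek(0)
    return src_hash.hexdigest(), sha256_stream(dest), copied


class CustodyLog:
    """Append-only record of who handled an item, when and why, with the item's
    hash at each step, so every access is documented and any change is visible."""

    def __init__(self, item_id, acquisition_hash):
        self.item_id = item_id
        self.reference_hash = acquisition_hash   # recorded once, at acquisition
        self.entries = []

    def record(self, handler, action, current_hash, when=None):
        """Log one access; returns True if the item still matches the acquisition hash."""
        when = when or datetime.now(timezone.utc)
        ok = current_hash == self.reference_hash
        self.entries.append({"time": when.isoformat(), "handler": handler,
                             "action": action, "hash": current_hash, "intact": ok})
        return ok

    def intact(self):
        """True only if no logged access ever saw a hash mismatch."""
        return all(e["intact"] for e in self.entries)


def acquire(item_id, device_bytes, examiner):
    """Image the device, authenticate the image and open its custody log."""
    source, image = io.BytesIO(device_bytes), io.BytesIO()
    src_hash, img_hash, n = bitstream_image(source, image)
    if src_hash != img_hash or n != len(device_bytes):
        raise RuntimeError("image does not match source; re-acquire")
    log = CustodyLog(item_id, img_hash)
    log.record(examiner, "acquired bitstream image", img_hash)
    return image.getvalue(), log


# Constructed sample device contents (assumption: a small raw byte pattern).
SAMPLE_DEVICE = bytes(range(256)) * 40 + b"deleted-file-remnant"

if __name__ == "__main__":
    img, log = acquire("EV-001", SAMPLE_DEVICE, "examiner A")
    print(log.reference_hash, log.intact(), len(img))
```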
Digital Forensics Methodology
(cont’d.)
• Analyzing evidence
– First step is to obtain the evidence from the storage
area and perform physical authentication
– Disk images must be loaded into the particular
forensic tool used by the organization
– Two common tools used in forensic analysis
• Forensic Toolkit (FTK) from AccessData
• EnCase from Guidance Software
Digital Forensics Methodology
(cont’d.)
• Analyzing evidence (cont’d.)
– FTK
• Performs extensive pre-processing of evidence items
• Organizes the various items into a tabbed display
• Constructs an index of terms found in the image as
part of preprocessing
– EnCase forensic edition
• Presents an extensible forensic platform that makes it
easy for trained investigators to carry out their tasks
• Supports EnScripts
Digital Forensics Methodology
(cont’d.)
• Reporting the findings
– Once the analysis is complete, the findings must be
reported in written and often verbal form
– People who will use the report
• Upper management
• Forensic expert retained by the opposition
• Attorneys, judges, and juries
• Other professionals (auditors, heads of human resources departments, and others)
eDiscovery and Anti-Forensics
• Discovery
– One party can obtain evidence from the opposing
party through specific requests for information
• eDiscovery
– The search for, collection, and review of items stored
in electronic format that are of potential evidentiary
value based on criteria specified by a legal team
• Anti-forensics
– An attempt made by those who may become subject
to digital forensic techniques to hide items of
evidentiary value
eDiscovery and Anti-Forensics
(cont’d.)
• Organizations must be aware that:
– Forensic tools are not just in the hands of honest
professionals, they are available to everyone
• Encrypted information
– Poses significant challenges to forensic investigators
because, by its nature, encryption conceals the
content of digital material
• Some forensic products
– Offer brute force attacks against the encrypted
information, using dictionaries of common pass
phrases
Summary
• IR begins once an incident has been contained and
system control has been regained
• After any incident, address the safeguards that failed
to stop or limit the incident
• Compromised services and processes must be
examined, verified, and then restored
• Ongoing maintenance includes
– After-action review (AAR) meetings
– Planning review and maintenance
– Training of staff members
Summary (cont’d.)
• When plan shortcomings are noted, the plan
should be reviewed and revised
• A systematic approach to training is needed to
support the IR plan
• A digital investigation begins with an allegation of
wrongdoing
• First-response digital forensic team
– Secures and collects the devices, media, or media
images that are potentially evidentiary
Summary (cont’d.)
• Forensic tools
– Can be used by investigators even to obtain
information that has been deleted from digital media
• eDiscovery
– The search for, collection, and review of items stored
in electronic format that are of potential evidentiary
value
• Anti-forensics
– The attempt by those who may become subject to
digital forensics techniques to hide items of
evidentiary value
Principles of
Incident Response and
Disaster Recovery, 2nd Edition
Chapter 7
Incident Response: Response Strategies
Objectives
• Explain what an IR reaction strategy is and list
general strategies that apply to all incidents
• Define incident containment and describe how it is
applied to an incident
• List some of the more common categories of
incidents that may occur
• Discuss the IR reaction strategies unique to each
category of incident
Introduction
• What do we do once we have detected an
incident?
• IR reaction strategies
– Procedures for regaining control of systems and
restoring operations to normalcy
– Are at the heart of the IR plan and the CSIRT’s
operations
• How the CSIRT responds to an incident relies in
part on its mission philosophy:
– Protect and forget
– Apprehend and prosecute
IR Response Strategies
• Once the CSIRT has been notified and arrives “on scene”
– First: assess the situation
– Second: begin asserting control and make positive
steps to regain control over the organization’s
information assets
Response Preparation
• Prevention strategies
– Using risk assessment to make informed decisions
– Acquiring and maintaining good host security
– Acquiring and maintaining good network security
– Implementing comprehensive malware prevention
– Thorough and ongoing training to raise user awareness
Incident Containment
• Containment strategies
– Monitoring system and network activities
– Disabling access to compromised systems that are
shared with other computers
– Changing passwords or disabling accounts of
compromised systems
– Disabling system services, if possible
Incident Containment
• Containment strategies (cont’d.)
– Disconnecting compromised systems (or networks)
from the local network
– Temporarily shutting down compromised systems
– Verifying that redundant systems and data have not
been compromised
Incident Containment (cont'd.)
• Identifying the attacking hosts involves:
– Verifying the IP address of the attacking system
– Web-based research of the attacking host’s IP
address
– Incident/attack database searches
– Attacker back-channel and side-channel
communications
Incident Eradication
• Many practitioners feel that a system, once
compromised, can never be restored to a trusted
state
• To prevent concurrent recurrence
– Team must continuously monitor the assets
associated with the current incident and the
remaining assets that may be susceptible to attack
– The organization’s monitoring teams should be on
high alert, carefully examining communications and
system activities
Incident Recovery
• The reestablishment of the pre-incident status of all
organizational systems
• Incident recovery involves:
– Implementing the backup and recovery plans that
should already be in place before the attack
• Difficult part of recovery
– The identification of data that may have been
disclosed
Incident Containment and Eradication
Strategies for Specific Attacks
• CSIRT leader must determine appropriate
response based on certain aspects of the incident
– Type
– Method of incursion
– Current level of success
– Current level of loss
– Expected or projected level of loss
– Target
– Target’s level of classification and/or sensitivity
– Any legal or regulatory impacts mandating a specific response
Incident Containment and Eradication
Strategies for Specific Attacks (cont'd.)
• Containment strategy should include details about
how the organization will handle:
– Theft or damage to assets
– Whether to preserve evidence for potential criminal
prosecution
– Service-level commitments and contract
requirements to customers
– Allocation of necessary resources to activate
strategy
– Graduated responses that may be necessary
– Duration of containment efforts
Handling Denial of Service (DoS)
Incidents
• Denial-of-service (DoS) attack
– Occurs when an attacker’s action prevents the
legitimate users of a system from using it
• Distributed denial-of-service (DDoS) attack
– The use of multiple systems to simultaneously attack
a single target
Handling Denial of Service (DoS)
Incidents (cont'd.)
• Tasks to be performed before the DoS incident
– Coordinating with service provider
– Collaborating and coordinating with professional
response agencies
– Implementation of prevention technologies
– Monitoring resources
– Coordinating the monitoring and analysis capabilities
– Setting up logging and documentation
– Configuring network devices to prevent DoS
incidents
Handling Denial of Service (DoS)
Incidents (cont'd.)
• Containment strategies during the DoS incident
– Try to fix the source of the problem
– Change the organization’s filtering strategy
– Try to filter based on the characteristics of the attack
– Engage upstream partners
– Eliminate or relocate the target system
Handling Denial of Service (DoS)
Incidents (cont'd.)
• After the DoS attack, the organization:
– Should consider its overall philosophy of protect and
forget or apprehend and prosecute
– Will want to collect evidence to see how the incident
occurred and to provide insight into how to avoid
future recurrences
Malware
• Designed to damage, destroy, or deny service to
the target systems
• Common instances include:
– Viruses and worms, Trojan horses, logic bombs,
back doors, and rootkits
• Cookie
– Data kept by a Web site as a means of recording
that a system has visited the site
• Tracking cookie
– Collects valuable personal information, then sends it
along to the attacker
Malware (cont'd.)
• Before the malware incident:
– Schedule awareness programs to inform users
about current malware issues
– Keep up on vendor and IR agency postings and
bulletins
– Implement appropriate IDPS
– Conduct effective inventory and data organization
– Implement and test data backup and recovery
programs
Malware (cont'd.)
• To search for undetected infections during the
malware incident
– Scan internal systems to look for active service ports
– Use updated scanning and cleanup tools promptly
and aggressively
– Analyze logs from e-mail servers, firewalls, IDPSs,
and individual host log files for anomalous items
– Give network and host intrusion systems access to
signature files that can indicate when certain
behaviors have occurred
– Conduct periodic and ongoing audits
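Two of the sweeps listed above (looking for anomalous items in firewall and e-mail gateway logs) as an added example of detection logic run over constructed sample log lines; this is not the textbook's code or any vendor's product. The log formats, the port, the attachment extensions and the thresholds are all assumptions made for this example and would need tuning to a real environment.

```python
"""Simple anomaly checks over firewall and e-mail gateway logs during a
malware incident.  All log lines and formats below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line formats (not a real vendor format).
FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")
MAIL_RE = re.compile(r"^(\S+) mail from=(\S+) to=(\S+)(?: attach=(\S+))?")
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat"}   # assumed watch-list

FIREWALL_LOG = """\
2024-05-01T10:00:01Z fw src=10.0.1.5 dst=10.0.2.7 dport=445 action=ALLOW
2024-05-01T10:00:02Z fw src=10.0.1.5 dst=10.0.2.8 dport=445 action=ALLOW
2024-05-01T10:00:02Z fw src=10.0.1.5 dst=10.0.2.9 dport=445 action=DENY
2024-05-01T10:00:03Z fw src=10.0.1.5 dst=10.0.2.10 dport=445 action=ALLOW
2024-05-01T10:00:04Z fw src=10.0.1.5 dst=10.0.2.11 dport=445 action=ALLOW
2024-05-01T10:00:05Z fw src=10.0.1.5 dst=10.0.2.12 dport=445 action=DENY
2024-05-01T10:00:06Z fw src=10.0.1.9 dst=10.0.2.7 dport=445 action=ALLOW
2024-05-01T10:00:07Z fw src=10.0.1.9 dst=10.0.2.7 dport=445 action=ALLOW
2024-05-01T10:00:08Z fw src=10.0.1.9 dst=93.184.216.34 dport=443 action=ALLOW
"""

MAIL_LOG = """\
2024-05-01T10:01:00Z mail from=pat@corp.example to=alice@corp.example attach=invoice.pdf
2024-05-01T10:01:05Z mail from=pat@corp.example to=bob@corp.example
2024-05-01T10:02:00Z mail from=kiosk@corp.example to=alice@corp.example attach=photo.jpg.exe
2024-05-01T10:02:01Z mail from=kiosk@corp.example to=bob@corp.example attach=photo.jpg.exe
2024-05-01T10:02:02Z mail from=kiosk@corp.example to=carol@corp.example attach=photo.jpg.exe
2024-05-01T10:02:03Z mail from=kiosk@corp.example to=carol@corp.example attach=photo.jpg.exe
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def spreading_hosts(lines, port=445, min_targets=5, window=timedelta(minutes=5)):
    """Flag sources that reach >= min_targets distinct destinations on `port`
    within `window`.  Denied attempts count too: a spreading worm probes
    hosts regardless of whether the firewall lets it through."""
    events = defaultdict(list)            # src -> [(timestamp, dst)]
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue                      # unparseable lines are skipped, not fatal
        ts, src, dst, dport, _action = m.groups()
        if int(dport) == port:
            events[src].append((parse_ts(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # sliding window starting at each event
            targets = {d for t, d in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


def mass_mailers(lines, min_recipients=3):
    """Flag senders that deliver a risky attachment to >= min_recipients
    distinct recipients, a common mass-mailing malware signature."""
    per_sender = defaultdict(set)
    for line in lines:
        m = MAIL_RE.match(line)
        if not m:
            continue
        _ts, sender, rcpt, attach = m.groups()
        if attach and any(attach.lower().endswith(e) for e in RISKY_EXT):
            per_sender[sender].add(rcpt)
    return {s: len(r) for s, r in per_sender.items() if len(r) >= min_recipients}


def run_sweep():
    """Run both checks over the constructed logs and return the findings."""
    return {"spreading": spreading_hosts(FIREWALL_LOG.splitlines()),
            "mass_mail": mass_mailers(MAIL_LOG.splitlines())}


if __name__ == "__main__":
    print(run_sweep())
```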
Malware (cont'd.)
• Response strategies for malware outbreaks
include:
– Filtering e-mail based on subject, attachment type
using malware signatures, or other criteria
– Blocking known attackers
– Interrupting some services
– Severing networks from the Internet or each other
– Engaging the users
– Disrupting service
Malware (cont'd.)
• After the malware incident
– System should be constantly monitored to prevent
re-infection
– Distribute warnings that a particular malware
incident has occurred and that it was successfully
handled
Unauthorized Access
• Attempts by insiders to escalate privileges and
access information and other assets for which they
do not explicitly have authorization
• Some examples of UA
– Gaining unauthorized administrative control of any
server or service
– Gaining unauthorized access to any network or
computing resource
– Defacing or unauthorized modification of any public-facing information service
Unauthorized Access (cont'd.)
• Before the UA incident
– Placing a common central log server in a more
highly protected area of the network will certainly
assist in post-event analyses
– Implementing an effective password policy and
having both a complete and usable management
policy as well as technology-enforced password
requirements is critical
Unauthorized Access (cont'd.)
• During the UA incident
– NIST recommends the following containment
strategies
• Isolate
• Disable
• Block
• Disable
• Lockdown
Unauthorized Access (cont'd.)
• After the UA incident
– The task of identifying the avenue of attack and
closing any still-open repeat mechanisms begins
– The organization must identify the extent of the
damage and look for any residual effects
– The CSIRT should always presume that if a critical
information asset was accessed, the data stored
within it is compromised
Inappropriate Use
• IU incidents
– Predominantly characterized as a violation of policy
rather than an effort to abuse existing systems
• The following can be considered IU incidents
– Inappropriate and/or unauthorized software or
services
– Organizational resources used for personal reasons
– Organizational resources used to harass coworkers
– Restricted company information and other assets
stored in external sites
Inappropriate Use (cont'd.)
• Before the IU incident
– For a policy to become enforceable, it must meet the
following five criteria
• Dissemination (distribution)
• Review (reading)
• Comprehension (understanding)
• Compliance (agreement)
• Uniform enforcement
Inappropriate Use (cont'd.)
• During the IU incident
– Level of authority an individual manager has
• Important thing to consider when investigating a
potential IU incident
– Clear policies must be in place that discuss the level
of direct investigation the CSIRT may undertake
– The organization should clearly define the
circumstances under which the CSIRT and/or
management may investigate the interior of a piece
of organization equipment
Inappropriate Use (cont'd.)
• After the IU incident
– The CSIRT will typically turn copies of all
documentation over to management for
administrative handling, then monitor the offending
systems for possible recurrences
Hybrid or Multicomponent Incidents
• Many incidents begin with one type of event, then
transition to another
• Timeliness is a factor in prioritizing the response
• Key recommendations for handling hybrid incidents
– Use software to support incident management
– Prioritize each incident component as it arises
– Contain each incident, then scan for others
Automated IR Response Systems
• The CSIRT must document and preserve every
action, file, event, and item of potential evidentiary
value
• Automated IR systems to facilitate IR
documentation are available through a number of
vendors
Summary
• IR reaction strategies
– Plans for regaining control of systems and restoring
operations to normality in the event of an incident
• Once the CSIRT is active, the first task that must
occur is an assessment of the situation
• Some prevention strategies include:
– Risk assessment
– Acquiring and maintaining good host security
– Acquiring and maintaining good network security
• It is imperative to contain a confirmed incident
Summary (cont'd.)
• Incident recovery
– The reestablishment of the pre-incident status of all
organizational systems
• The selection of the appropriate reaction strategy is
an exercise in risk assessment
• Denial of service (DoS)
– Occurs when an attacker’s action prevents the
legitimate users of a system or network from using it