UALR Incident Response Team Veysel ERDAG CISM CISA

  • Slides: 12
Download presentation
UALR Incident Response Team Veysel ERDAG CISM, CISA, CISSP, CCIE-Security UALR IT Services Information

UALR Incident Response Team Veysel ERDAG CISM, CISA, CISSP, CCIE-Security UALR IT Services Information Security Officer

Incident Management System Components • Incident Management Policy: Policy governing incident response is highly

Incident Management System Components • Incident Management Policy: Policy governing incident response is highly individualized to the organization. Key elements: Statement of management commitment Purpose and objectives of the policy Scope of the policy (to whom and what it applies and under what circumstances) Definition of computer security incidents and related terms Organizational structure and definition of roles, responsibilities, and levels of authority; should include the authority of the incident response team to confiscate or disconnect equipment and to monitor suspicious activity, the requirements for reporting certain types of incidents, the requirements and guidelines for external communications and information sharing (e. g. , what can be shared with whom, when, and over what channels), and the handoff and escalation points in the incident management process • Prioritization or severity ratings of incidents • Performance measures • Reporting and contact forms. • • •

Incident Management System Components • Incident Management Plan: The roadmap for implementing the incident

Incident Management System Components • Incident Management Plan: The roadmap for implementing the incident response capability. The plan should lay out the necessary resources and management support. Key elements: Mission Strategies and goals Senior management approval Organizational approach to incident response How the incident response team will communicate with the rest of the organization and with other organizations • Metrics for measuring the incident response capability and its effectiveness • Roadmap for maturing the incident response capability • How the program fits into the overall organization. • • •

Incident Management System Components • Incident Management Procedure: A delineation of specific technical processes,

Incident Management System Components • Incident Management Procedure: A delineation of specific technical processes, techniques, checklists, and forms used by the incident response team.

Need to Communicate with Outside Parties:

Need to Communicate with Outside Parties:

Incident Handling

Incident Handling

Sign of Incidents • Web server log entries that show the usage of a

Sign of Incidents • Web server log entries that show the usage of a vulnerability scanner • An announcement of a new exploit that targets a vulnerability of the organization’s mail server • A threat from a group stating that the group will attack the organization. • A network intrusion detection sensor alerts when a buffer overflow attempt occurs against a database server. • Antivirus software alerts when it detects that a host is infected with malware. • A system administrator sees a filename with unusual characters. • A host records an auditing configuration change in its log. • An application logs multiple failed login attempts from an unfamiliar remote system. • An email administrator sees a large number of bounced emails with suspicious content. • A network administrator notices an unusual deviation from typical network traffic flows.

Incident Analysis • Profile Networks and Systems. • Understand Normal Behaviors. • Create a

Incident Analysis • Profile Networks and Systems. • Understand Normal Behaviors. • Create a Log Retention Policy. • Perform Event Correlation. • Keep All Host Clocks Synchronized. • Run Packet Sniffers to Collect Additional Data.

Incident Documentation • • • The current status of the incident (new, in progress,

Incident Documentation • • • The current status of the incident (new, in progress, forwarded for investigation, resolved, etc. ) A summary of the incident Indicators related to the incident Other incidents related to this incident Actions taken by all incident handlers on this incident Chain of custody, if applicable Impact assessments related to the incident Contact information for other involved parties (e. g. , system owners, system administrators) A list of evidence gathered during the incident investigation Comments from incident handlers Next steps to be taken (e. g. , rebuild the host, upgrade an application).

Incident Notification • • • CIO Information Security Officer External incident response teams (if

Incident Notification • • • CIO Information Security Officer External incident response teams (if appropriate) System owner Human resources (for cases involving employees, such as harassment through email) Public affairs (for incidents that may generate publicity) Legal department (for incidents with potential legal ramifications) US-CERT (required for Federal agencies and systems operated on behalf of the Federal government; see Section 2. 3. 4. 3) Law enforcement (if appropriate)

Attack Vectors/Scenarios • Removable Media: An attack executed from removable media or a peripheral

Attack Vectors/Scenarios • Removable Media: An attack executed from removable media or a peripheral device. • Attrition: An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services. • Web: An attack executed from a website or web-based application • Email: An attack executed via an email message or attachment. • Impersonation: An attack involving replacement of something benign with something malicious. • Improper Usage: Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user. • Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop, smartphone, or authentication token. • Other: An attack that does not fit into any of the other categories.

THANKYOU

THANKYOU

YEREL SAAT HESAPLAMALARI VEYSEL DKME VEYSEL DKME VEYSELYEREL SAAT HESAPLAMALARI VEYSEL DKME VEYSEL DKME VEYSEL
Veysel ERDAG Ph D Chief Information Security OfficerVeysel ERDAG Ph D Chief Information Security Officer
AIK VEYSEL Ak Veysel olarak bilinen asl adAIK VEYSEL Ak Veysel olarak bilinen asl ad
Ak Veysel 1894 1973 Veysel atrolu 1894te SivasnAk Veysel 1894 1973 Veysel atrolu 1894te Sivasn
Ak Veysel 1894 1973 Veysel atrolu 1894te SivasnAk Veysel 1894 1973 Veysel atrolu 1894te Sivasn
CISM Radiation Belt Models CMIT Mary Hudson CISMCISM Radiation Belt Models CMIT Mary Hudson CISM
CISM Organization Management Management Challenges CISM Organization ExecutiveCISM Organization Management Management Challenges CISM Organization Executive
Keck CISM Software Management Keck CISM and RSQSimKeck CISM Software Management Keck CISM and RSQSim
John W Lainhart IV CISA CISM CGEIT CIPPGJohn W Lainhart IV CISA CISM CGEIT CIPPG
Password War Games John Alexander CISSP CISM CISAPassword War Games John Alexander CISSP CISM CISA
Porqu surge Semillas Digitales SSDD Grupo CISA CisaPorqu surge Semillas Digitales SSDD Grupo CISA Cisa