  • 1. Module VI – Incident Handling
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    News: Tech Insight: Finding Common Ground For Security, IT Teams
    Source: http://darkreading.com/ | Dec 19, 2008, 03:48 PM | By John Sawyer
    Tips for security and IT teams to better cooperate on hot-button issues of password policies, patch management, and network security
    Disagreements are a common occurrence between IT security and other IT groups, but nothing brings out their differences of opinion and practice like incident response or an emergency patch, such as Microsoft's fix this week for Internet Explorer. A security team can butt heads with other IT groups for many reasons -- anything from personality conflicts and management styles to fundamental differences in opinion about how IT systems should be managed. A few key problem areas that come up regularly in organizations of all sizes are password policies, patch management, and network security with firewalls and VPNs.
    Passwords are the weakest link as well as the biggest lightning rod: Users don't want complex, hard-to-remember passwords. Security wants passwords that are uncrackable. And systems admins don't want to be caught in the middle implementing a policy that results in users constantly complaining or needing regular password resets. The process of developing secure password policies almost always ends with none of the involved parties happy with the outcome.
    Getting all groups on the same page about passwords usually requires a compromise all around, but several things can ease the pain of implementation. Educating users on the importance of passwords, along with tips and tricks on creating a secure password, is by far the cheapest method. Self-service portals for password resets, too, can help reduce the load on the help desk and sys admins after new password policies are put into effect.
  • 3. Scenario
    Orient Recruitment Inc. is an online human resource recruitment firm. The firm's web server is critical for its normal business operations. Neo, the network administrator, observed some unusual activity targeted at the web server: it was overloaded with connection requests from a huge number of different sources. Before he could grasp the scale of the attack, the website of Orient Recruitment Inc. was already down due to a Denial of Service attack. The company's management called in the local Incident Response team to look into the matter and resolve the DoS issue.
    What steps will the incident response team take to investigate the attack?
  • 4. Module Objective
    This module will familiarize you with:
    • What is an Incident?
    • Security Incidents
    • Incident Reporting
    • Incident Response
    • Incident Handling
    • What is a CSIRT?
    • Who Works in a CSIRT?
    • Types of Incidents and Level of Support
    • How a CSIRT Handles a Case: Steps
    • World CERTs
  • 5. Module Flow
    What is an Incident? → Security Incidents → Incident Reporting → Incident Response → Incident Handling → What is a CSIRT? → Who Works in a CSIRT? → Types of Incidents and Level of Support → How a CSIRT Handles a Case: Steps → World CERTs
  • 6. What is an Incident
    A computer security incident is defined as "any real or suspected adverse event in relation to the security of computer systems or computer networks".
    It also covers external threats such as gaining unauthorized access to systems, disrupting their services through malicious spamming, and executing malicious code that destroys or corrupts systems.
  • 7. Security Incidents
    A security incident includes:
    • Evidence of tampering with data
    • Denial of service attack on the agency
    • Web site defacement
    • Unauthorized access or continuous attempts at unauthorized access (from either internal or external sources)
    • Social engineering incidents
    • Virus attacks that badly affect servers or multiple workstations
    • Other incidents that could undermine confidence and trust in the state's information technology systems
  • 8. Category of Incidents
    There are three categories of incidents: Low level, Mid level, High level
  • 9. Category of Incidents: Low Level
    Low-level incidents are the least severe kind of incident. They should be handled within one working day after the event occurs.
    They can be identified when there is:
    • Loss of a personal password
    • Suspected sharing of the organization's accounts
    • Unsuccessful scans and probes
    • Presence of any computer virus or worm
  • 10. Category of Incidents: Mid Level
    Incidents at this level are comparatively more serious and should therefore be handled the same day the event occurs.
    They can be identified by observing:
    • Violation of special access to a computer or computing facility
    • Unfriendly employee termination
    • Unauthorized storing and processing of data
    • Destruction of property related to a computer incident (less than $100,000)
    • Personal theft of data related to a computer incident (less than $100,000)
    • Computer viruses or worms of comparatively larger intensity
    • Illegal access to buildings
  • 11. Category of Incidents: High Level
    These are the most serious incidents and are considered "Major" in nature. High-level incidents should be handled immediately after the incident occurs.
    These include:
    • Denial of Service attacks
    • Suspected computer break-in
    • Computer viruses or worms of the highest intensity, e.g. Trojans, back doors
    • Changes to system hardware, firmware, or software without authorization
    • Destruction of property exceeding $100,000
    • Personal theft exceeding $100,000 and illegal electronic fund transfer or download/sale
    • Any kind of pornography, gambling, or violation of any law
  • 12. Issues in the Present Security Scenario
    • Increase in the number of companies venturing into e-business, coupled with high Internet usage
    • Shorter vendor product development and product testing cycles
    • Increase in the complexity of the Internet as a network
    • Alarming increase in intruder activity and tools, the expertise of attackers, and the sophistication of hacks
    • Lack of thoroughly trained professionals compared to the number and intensity of security breaches
  • 13. How to Identify an Incident
    • A system alarm from an intrusion detection tool indicating a security breach
    • Suspicious entries in system or network accounting logs
    • Gaps of several minutes in the accounting log with no entries
    • Other events such as unsuccessful login attempts, unexplained new users or files, attempts to write to system files, and modification or deletion of data
    • Unusual usage patterns, such as programs being compiled in the accounts of users who are not programmers
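The indicators on slide 13 are the kind of thing a first responder checks by hand in an auth log. The script below is an added example (not EC-Council's material) that runs those checks over a constructed syslog-style `auth.log`: a burst of failed logins from one source, a successful login from that same source, an unexplained new account, and a silent gap in the accounting log. The log lines, the host name `web01`, the IP addresses, the assumed year (syslog lines carry none) and the thresholds (5 failures in 60 seconds, a gap over 5 minutes) are all assumptions for the demonstration.

```python
"""Triage a syslog-style auth log for the incident indicators listed above.

Added example with constructed log lines; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Real auth.log lines carry no year, so one is assumed in parse_log().
SAMPLE_LOG = """\
Mar 14 02:10:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 14 02:10:03 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51124 ssh2
Mar 14 02:10:05 web01 sshd[2204]: Failed password for root from 203.0.113.45 port 51125 ssh2
Mar 14 02:10:08 web01 sshd[2206]: Failed password for invalid user oracle from 203.0.113.45 port 51127 ssh2
Mar 14 02:10:11 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51128 ssh2
Mar 14 02:10:14 web01 sshd[2208]: Failed password for deploy from 198.51.100.7 port 40011 ssh2
Mar 14 02:10:20 web01 sshd[2209]: Accepted password for deploy from 203.0.113.45 port 51130 ssh2
Mar 14 02:10:25 web01 useradd[2215]: new user: name=svc_bkup, UID=1005, GID=1005, home=/home/svc_bkup, shell=/bin/bash
Mar 14 02:31:02 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 02:31:05 web01 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPT_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+)")


def parse_log(text, year=2024):
    """Turn raw lines into dicts with a real datetime (year is assumed, syslog omits it)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: keep going, but a real tool should count these
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` failed logins inside any sliding `window`."""
    by_ip = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if m:
            by_ip[m["ip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits


def logins_after_bruteforce(events, bursts):
    """Accepted logins from a source that was brute-forcing: treat as a probable compromise."""
    hits = []
    for e in events:
        m = ACCEPT_RE.search(e["msg"])
        if m and m["ip"] in bursts:
            hits.append((e["ts"], m["user"], m["ip"]))
    return hits


def new_user_accounts(events):
    """Accounts created on the host; each one must be matched to a change ticket."""
    return [m["user"] for e in events if (m := NEWUSER_RE.search(e["msg"]))]


def accounting_gaps(events, max_gap=timedelta(minutes=5)):
    """Silent stretches longer than `max_gap`: logging stopped, or the log was truncated."""
    return [(prev["ts"], cur["ts"]) for prev, cur in zip(events, events[1:])
            if cur["ts"] - prev["ts"] > max_gap]


def triage(text):
    events = parse_log(text)
    bursts = failed_login_bursts(events)
    return {
        "failed_login_bursts": bursts,
        "logins_after_bruteforce": logins_after_bruteforce(events, bursts),
        "new_users": new_user_accounts(events),
        "accounting_gaps": accounting_gaps(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed log this flags 203.0.113.45 for five failures in ten seconds, the subsequent accepted password login for `deploy` from that address, the `svc_bkup` account, and the 20-minute silence before the next cron entry. A gap is only an indicator; the same silence appears when a box is simply idle, so it is confirmed against other sources (IDS alarm, NetFlow, the remote syslog copy) before being called an incident.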
  • 14. How to Prevent an Incident
    A key to preventing security incidents is to eliminate as many vulnerabilities as possible.
    Intrusions can be prevented by:
    • Scanning the network/system for security loopholes
    • Auditing the network/system
    • Deploying intrusion detection/prevention systems on the network/system
    • Establishing defense in depth
    • Securing clients for remote users
  • 15. Defining the Relationship between Incident Response, Incident Handling, and Incident Management
    The diagram on this slide illustrates the relationship between incident response, incident handling, and incident management.
  • 16. Incident Management
  • 17. Incident Management
    Incident management is not just responding to an incident when it happens; it also includes proactive activities that help prevent incidents by providing guidance on potential risks and threats.
    It includes the development of a plan of action: a set of processes that are consistent, repeatable, of high quality, measurable, and understood within the constituency.
    Who performs incident management?
    • Human resource personnel
    • Legal counsel
    • The firewall manager
    • An outsourced service provider
  • 18. Incident Management (cont'd)
    Figure: Five High-Level Incident Management Processes
  • 19. Threat Analysis and Assessment
    Threat analysis is the systematic detection, identification, and evaluation of vulnerabilities of a facility, operation, or system.
    It is a process of scrutinizing the conditions and processes that could lead to business interruption.
    The critical tasks of threat analysis and assessment include:
    • Examining the physical security processes
    • Creating the risk management program
    • Identifying and examining the threats related to customers
    • Providing the data, trends, methodologies, and likelihood of risk events
    • Identifying and defining the security process flows
  • 20. Vulnerability Analysis
    Vulnerability analysis, or vulnerability assessment, is the process of identifying, defining, and classifying the security weaknesses in a computer, network, or communications infrastructure.
    Steps in vulnerability analysis:
    • Defining and classifying network or system resources
    • Assigning relative levels of importance to the resources
    • Identifying potential threats to each resource
    • Developing a strategy to deal with the most serious potential problems
    • Defining and implementing ways to minimize the consequences if an attack occurs
  • 21. Estimating the Cost of an Incident
    Tangible costs:
    • Lost productivity hours
    • Investigation and recovery efforts
    • Loss of business
    • Loss or theft of resources
    Intangible costs:
    • Corporate reputation being ruined
    • Loss of goodwill
    • Psychological damage: those directly impacted may feel victimized, and it may affect morale or cause fear
    • Legal liability
    • Effect on shareholder value
  • 22. Change Control
    Change control covers all procedures that handle or control authorized changes to the organization's assets, such as software and hardware.
    It involves the mechanism of change requests, recording and documenting results, testing the results after the changes, and gaining approval for the requests.
    It involves analyzing the problem, recording the results, and sending a change request to the responsible personnel or representative. This is reviewed by management, which authorizes the required changes.
  • 23. Incident Reporting
  • 24. Incident Reporting
    When a user encounters a breach, report the following:
    • Intensity of the security breach
    • Circumstances that revealed the vulnerability
    • Shortcomings in the design and the impact or level of weakness
    • Entry logs related to the intruder's activity
    • Correct time zone of the region and whether the system clock is synchronized with a national time server via NTP (Network Time Protocol)
  • 25. Computer Incident Reporting
  • 26. Whom to Report an Incident To
    Incident reporting is the process of reporting information regarding an encountered security breach in a proper format.
    The incident should be reported to the CERT Coordination Center, the site security manager, or other affected sites.
    It can also be reported to law enforcement agencies such as the FBI, the USSS Electronic Crimes Branch, or Department of Defense Contractors.
    It should be reported in order to receive technical assistance and to raise security awareness so as to minimize the losses.
  • 27. Report a Privacy or Security Violation
    Gather the following information at the time of the security violation:
    • Date, time, and location of the incident
    • The nature of the violation
    • Type of private data involved
    • Other persons involved
    • Any immediate harm known or observed
    • Immediate corrective actions already taken
  • 28. Preliminary Information Security Incident Reporting Form
    PRELIMINARY INFORMATION SECURITY INCIDENT REPORTING FORM
    Background Information
      Name of Bureau/Department: ________
      Brief description of the affected system (e.g. function, URLs): ________
      Physical location of the affected system: [ ] Within B/D  [ ] Third-party service provider facility
      System administration/operation by: [ ] In-house IT team  [ ] End user  [ ] Outsourced service provider
    Reporting Entity Information
      Name: ________  Designation: ________
      Office Contact: ________  24-hour Contact: ________
      Email Address: ________  Fax Number: ________
    Incident Details
      Date/Time (Detected): ________
      Date/Time (Reported to OGCIO): ________
      Symptoms of Incident: ________
      Impacts:
        [ ] Defacement of web site
        [ ] Service interruption (denial of service attack / mail bomb / system failure)
        [ ] Massive malicious code attack
        [ ] Loss/damage/unauthorized alteration of information
        [ ] Compromise/leakage of sensitive information
        [ ] Intrusion/unauthorized access
        [ ] Others, please specify: ________
      Please provide details on the impact and service interruption period, if any: ________
      Actions Taken: ________
      Current System Status: ________
      Other Information: ________
  • 29. Why Organizations Do Not Report Computer Crimes
    • Misunderstanding of the scope of the problem ("this does not happen to other organizations")
    • Fear of negative publicity (yet proactive reporting and handling of the incident lets many organizations put their own spin on the media reports)
    • Potential loss of customers
    • Desire to handle things internally
    • Lack of awareness of the attack
  • 30. Incident Response
  • 31. Responding to a Security Incident
    Computer incident response is based on documented and untampered evidence.
    Guidelines for a methodical response-handling stage and investigation are as follows:
    • Identify the affected resources
    • Analyze the incident
    • Assign event identity and severity level
    • Assign incident task force members
    • Contain threats from further affecting the systems
    • Collect evidence
    • Perform forensic analysis
  • 32. Incident Response Procedure
    The guidelines to be followed in the response handling stage are:
    Identify the Affected Resources
    • The IIC and IL work with the system personnel to determine the area and scope that the incident covers
    Analyze the Incident
    • An assessment is made by the IIC, together with the IL and system personnel, to determine the security level
    Assign Event Identity and Severity Level
    • Incidents require a unique, collision-free identifier to allow tracking and archiving of incidents for historical reference
    • The incident's identity is assigned by the IIC, followed by the name assignment and the severity level assigned to the incident
  • 33. Incident Response Procedure (cont'd)
    Assign Incident Task Force Members
    • The IIC, in combination with the IL, coordinates a task force to resolve the incident
    • The task force consists of technical managers of resources, division managers, etc.
    Containing Threats
    • Threats are contained by removing the suspect resources from normal operations
    • The IIC and IL are responsible for determining risks
    Evidence Collection
    • Information related to the incident is taken as evidence
    • Information can be collected from interviews with administrators, log files, and exploit code left by the attacker
  • 34. Incident Response Procedure (cont'd)
    Forensic Analysis
    • Forensic analysis and discovery of an incident should include:
    • The perpetrators and victims of the events
    • The events that took place
    • When, and at what time, the events occurred
    • Where the events occurred and what they affected
    • How the events occurred
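Slides 31 to 34 say response rests on "documented and untampered evidence" and that each incident needs a collision-free identifier, but do not show what makes a collected log file or attacker script provably untampered. The script below is an added example (not EC-Council's code) of the two mechanics together: an incident identifier built from the date plus a random suffix, and an evidence manifest that records a SHA-256 digest, size, collector, source host and UTC collection time for every artifact, with a digest over the manifest itself that the IIC copies into the paper log book or sends out of band. The artifacts, the collector name `n.anderson` and the host `web01` are constructed for the demonstration and live in a temporary directory.

```python
"""Evidence collection with an integrity manifest (added example, constructed artifacts)."""
import hashlib
import json
import tempfile
import uuid
from datetime import datetime, timezone
from pathlib import Path


def make_incident_id(when=None):
    """Collision-free tracking identifier: date prefix for humans, 48 random bits for uniqueness."""
    when = when or datetime.now(timezone.utc)
    return f"IR-{when:%Y%m%d}-{uuid.uuid4().hex[:12]}"


def sha256_file(path, chunk=1 << 20):
    """Stream the file so disk images larger than memory can be hashed too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest_digest(manifest):
    """Digest over every field except the digest itself, so it can be recomputed later."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def collect_evidence(paths, incident_id, collector, source_host):
    """Hash each artifact and record the chain-of-custody fields beside it."""
    items = []
    for p in map(Path, paths):
        items.append({
            "path": str(p),
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),  # UTC, see slide 24
            "collected_by": collector,
            "source_host": source_host,
        })
    manifest = {"incident_id": incident_id, "items": items}
    manifest["manifest_sha256"] = manifest_digest(manifest)  # write this value down out of band
    return manifest


def verify_evidence(manifest):
    """Re-hash every artifact; return the paths whose content no longer matches the manifest."""
    return [e["path"] for e in manifest["items"]
            if not Path(e["path"]).exists() or sha256_file(e["path"]) != e["sha256"]]


def demo():
    """Collect two constructed artifacts, then alter one and re-verify."""
    work = Path(tempfile.mkdtemp(prefix="evidence-"))
    auth_log = work / "auth.log"
    auth_log.write_text("Mar 14 02:10:20 web01 sshd[2209]: Accepted password for deploy from 203.0.113.45\n")
    dropper = work / "x.sh"
    dropper.write_text("#!/bin/sh\n# constructed stand-in for exploit code left by the attacker\n")
    manifest = collect_evidence([auth_log, dropper], make_incident_id(), "n.anderson", "web01")
    clean = verify_evidence(manifest)   # [] : copies still match what was collected
    auth_log.write_text("")             # someone "tidies up" the log after collection
    tampered = verify_evidence(manifest)  # [".../auth.log"]
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("tampered after collection:", after)
```

The manifest digest matters as much as the per-file hashes: an attacker with write access to the evidence store can rewrite both a file and its recorded hash, but cannot rewrite the value already copied into the log book or mailed to the CSIRT. The working copy for analysis is a second copy made from the verified original, never the original itself.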
  • 35. Security Incident Response (Detailed Form)
    Contact Information and Incident
    Last Name: ________  First Name: ________
    Job Title: ________
    Phone: ________  Alt Phone: ________
    Mobile: ________  Pager: ________
    Email: ________  Fax: ________
  • 36. Security Incident Response (Detailed Form) (cont'd)
    Incident Description: Date/Time and Recovery Information
    Date/Time of First Attack: Date: ________ Time: ________
    Date/Time Attack Detected: Date: ________ Time: ________
    Has the Attack Ended: [ ] Yes  [ ] No
    Duration of Attack (in hours): ________
    Severity of Attack: [ ] Low  [ ] Medium  [ ] High
    Estimated Recovery Time as of this Report (Clock): ________
    Estimated Recovery Time as of this Report (Staff Hours): ________
    Estimated Damage Amount as of this Report ($$$ Loss): ________
    Number of Hosts Affected: ________
    Number of Users Affected: ________
  • 37. Security Incident Response (Detailed Form) (cont'd)
    Type of Incident Detected:
    [ ] Exposing Confidential/Classified/Unclassified Data
    [ ] Theft of Information Technology Resources/Other Assets
    [ ] Creating Accounts
    [ ] Altering DNS/Website/Data/Logs
    [ ] Destroying Data
    [ ] Anonymous FTP Abuse
    [ ] Attacking Attackers/Other Sites
    [ ] Credit Card Fraud
    [ ] Fraud
    [ ] Unauthorized Use/Access
    [ ] Using Machine Illegally
    [ ] Impersonation
    [ ] Increasing Notoriety of Attacker
    [ ] Installing a Back Door/Trojan Horse
    [ ] Attacking the Internet
    [ ] ICQ Abuse/IRC Abuse
    [ ] Life Threatening Activity
    [ ] Password Cracking
    [ ] Sniffer
    [ ] Don't Know
    [ ] Other (Specify): ________
    SB1386 - Is Email Notification Required? [ ] Yes  [ ] No
    SB1386 - Email Notification Sent Out? [ ] Yes  [ ] No
    Comments (Specify Incident Details and additional information): ________
  • 38. Security Incident Response (Detailed Form) (cont'd)
    General Information
    How Did You Initially Become Aware of the Incident?
    [ ] Automated Software Notification
    [ ] Automated Review of Log Files
    [ ] Manual Review of Log Files
    [ ] System Anomaly (i.e., Crashes, Slowness)
    [ ] Third Party Notification
    [ ] Don't Know
    [ ] Other (Specify): ________
    Attack Technique (Vulnerability Exploited / Exploit Used):
    [ ] CVE/CERT VU or BugTraq Number: ________
    [ ] Virus, Trojan Horse, Worm, or Other Malicious Code
    [ ] Denial of Service or Distributed Denial of Service Attack
    [ ] Unauthorized Access to Affected Computer
    [ ] Privileged Compromise (Root/Admin Access)
    [ ] User Account Compromise/Web Compromise (Defacement)
    [ ] Scanning/Probing
    [ ] Other
    Suspected perpetrator(s) or possible motivation(s) of attack:
    [ ] CSU staff/students/faculty
    [ ] Former staff/students/faculty
    [ ] External Party
    [ ] Unknown
    [ ] Other (Specify): ________
  • 39. Security Incident Response (Detailed Form) (cont'd)
    Malicious Code
    Virus, Worm: Name or Description of Virus: ________
    Is Anti-Virus Software Installed on the Affected Computer(s)? [ ] Yes (Name): ________  [ ] No
    Did the Anti-Virus Software Detect the Virus? [ ] Yes  [ ] No
    When was your Anti-Virus Software Last Updated? ________
    Network Activity
    Protocols: [ ] TCP  [ ] UDP  [ ] ICMP  [ ] IPSec  [ ] IP Multicast  [ ] IPv6  [ ] Other
    Please Identify Source Ports Involved in the Attack: ________
    Please Identify Destination Ports Involved in the Attack: ________
  • 40. Security Incident Response (Detailed Form) (cont'd)
    Impact of Attack: Hosts
    Individual Hosts
    Does this Host represent an Attacking or Victim Host? [ ] Victim  [ ] Attacker  [ ] Both
    Host Name: ________
    IP Address: ________
    Operating System Affected: ________
    Patch Level (if known): ________
    Applications Affected: ________  Database: ________  Others: ________
    Primary Purpose of this Host:
    [ ] User Desktop Machine  [ ] User Laptop Machine  [ ] Web Server  [ ] Mail Server  [ ] FTP Server  [ ] Domain Controller  [ ] Domain Name Server  [ ] Time Server  [ ] NFS/File System Server  [ ] Database Server  [ ] Application Server  [ ] Other Infrastructure Services
    Bulk Hosts
    Bulk Host Information (Details): ________
    Comments (Please detail incident): ________
  • 41. Security Incident Response (Detailed Form) (cont'd)
    Data Compromised:
    Did the attack result in a loss/compromise of sensitive or personal information? [ ] Yes  [ ] No
    Other Comments: ________
    Did the attack result in damage to system(s) or data? [ ] Yes (Specify)  [ ] No
    Other Comments: ________
    Law Enforcement:
    Has Law Enforcement Been Notified? [ ] Yes  [ ] No
    Remediation:
    Please detail what corrective actions have been taken (specify): ________
    Did Your Detection and Response Process and Procedures Work as Intended? Comments: ________
    Please provide Discovery Methods and Monitoring Procedures that would have Improved Your Ability to Detect an Intrusion. Comments: ________
    Are there Improvements to Procedures and Tools that would have Aided You in the Response Process? Comments: ________
    Are there Improvements that would have Enhanced Your Ability to Contain an Intrusion? Comments: ________
    Are there Correction Procedures that would have Improved Your Effectiveness in Recovering Your Systems? Comments: ________
  • 42. Incident Response Policy
    • Clearly outline management's support for the policy
    • Decide on an organizational approach
    • Determine outside notification procedures
    • Address remote connections and encompass all remote employees and contractors
    • Define partner agreements
    • Identify the members of the incident team and describe their roles, responsibilities, and functions
    • Develop an internal communications plan that identifies whom you will notify and how you will contact them
    • Define a method for reporting and historically archiving the incident
  • 43. Incident Response Guidelines
    • Check whether the potential incident has been verified
    • Contact department/agency security staff:
      I.T. Manager: ________
      [designee/others by department procedure]: ________
    • Contact CSIRT members: call the GOVnet beeper; GOVnet will then contact CSIRT members (csirt@.state.vt.us). If there is no response within ten minutes, call the office of the CIO
    • Isolate the system(s) from GOVnet [unless the CSIRT's decision is to leave the system connected in order to monitor the active attacker]
  • 44. Incident Response Guidelines (cont'd)
    • Maintain a log book: who / what / when / where
    • Find out whether the incident was caused by a virus, a worm, or an attacker
    • Estimate the extent of the problem and the number of systems affected
  • 45. Incident Response Guidelines (cont'd)
    • Contact the local police authority with jurisdiction at the location of the incident (this MUST BE coordinated with the CSIRT)
    • Follow server/operating-system-specific procedures to snapshot the system
    • Inoculate/restore the system
    • Close the vulnerability and ensure that all patches have been installed
    • Return to normal operations
    • Prepare a report and conduct follow-up analysis
    • Revise prevention and screening procedures
    • Remember to log all actions
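Slides 44 and 45 ask the responder to keep a who/what/when/where log book and to log every action, and slide 24 asks for correct time-zone information. A log book that anyone with write access can quietly edit is worth little in a dispute, so the added example below (not EC-Council's code) keeps each entry chained to the SHA-256 of the previous one and stamps entries in UTC with an explicit offset. Editing or deleting an entry breaks the chain; deleting the newest entry is caught only if the latest hash was copied somewhere else (the paper log, an email to the CSIRT), which is what the `expected_head` check models. The incident id, names and actions are constructed.

```python
"""Tamper-evident incident log book: who / what / when / where (added example)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the very first entry


class LogBook:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, who, what, where, when=None):
        """Append one action; returns the new head hash to copy into the paper log or send out of band."""
        when = (when or datetime.now(timezone.utc)).isoformat()  # UTC with offset, aligns with NTP-synced logs
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries) + 1, "incident": self.incident_id,
                 "who": who, "what": what, "where": where, "when": when, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Return the seq of the first broken entry (len+1 if the tail was cut), or None if intact."""
        prev = GENESIS
        for expected_seq, e in enumerate(self.entries, start=1):
            if e["seq"] != expected_seq or e["prev"] != prev or self._digest(e) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries) + 1
        return None


def demo():
    """Three constructed log-book entries, then an after-the-fact edit and a tail deletion."""
    book = LogBook("IR-20240314-example")
    book.record("n.anderson", "IDS alarm: SYN flood against www; incident opened", "NOC")
    book.record("n.anderson", "Isolated web01 from GOVnet per CSIRT decision", "server room B")
    head = book.record("csirt-lead", "Disk snapshot of web01 taken; sha256 in evidence manifest", "server room B")
    intact = book.verify(head)                                   # None

    original = book.entries[1]["what"]
    book.entries[1]["what"] = "Left web01 connected to GOVnet"  # someone rewrites history
    edited = book.verify(head)                                   # 2: entry 2 no longer matches its hash
    book.entries[1]["what"] = original

    del book.entries[-1]                                         # newest entry removed
    truncated = book.verify(head)                                # 3: chain ends before the recorded head
    return intact, edited, truncated


if __name__ == "__main__":
    print(demo())
```

Because the in-memory list is only a stand-in for a file that survives the responder's laptop, a real deployment appends each entry as one JSON line to a file on a separate, write-restricted host and records the head hash in the paper book at each shift change.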
  • 46. Response Handling Roles
    • An incident reported to the security team is set for investigation
    • A full-time member of the security team acts as Incident Investigator and Coordinator (IIC)
    • A member of the incident response team acts as Incident Liaison (IL)
    • The IIC assigns the severity level to the incident and performs investigative duties and technical analysis
    • The IIC's duties require unrestricted access to the resources directly affected by the incident
    • The IL acts as coordinator and liaison to the resources needed by the IIC
  • 47. Roles and Responsibilities of SSM, ISSM, and ISSO
    Senior System Manager (SSM):
    • Maintains user accounts, passwords, keys, etc.
    • One of the major responsibilities of senior management is to secure the organization's computer systems
    • The responsibility for the success of the organization lies with the senior managers
    Information System Security Manager (ISSM):
    • Checks the level of security to manage the risks
    • Establishes the risk management process
    • Ensures information resources meet audit requirements and that employees at all levels participate in implementing policies and procedures
    • Prepares and maintains the disaster recovery plan for information resources
    Information System Security Officer (ISSO):
    • Identifies threats and vulnerabilities
    • Identifies restricted, sensitive, and unrestricted information resources
    • Develops and maintains risk management processes, disaster recovery/contingency planning for information, and up-to-date security procedures
  • 48. Contingency/Continuity of Operations Planning
    A contingency plan provides the documented backup arrangements needed to recover from a disaster. It is necessary for a company or business to keep functioning normally.
    Guidelines for contingency planning are as follows:
    Starting point
    • Focuses on the development and maintenance of the plan
    Impact assessment
    • Problems are analyzed
    • Checks what sort of problems/disasters can occur
    • Checks the likelihood of the problem occurring
    • Checks the severity of the problem
    Developing the plan
    • The development phase structures and develops the contingency plan
    • It acts on the threats and regulates the business process by setting an order of priority for work
  • 49. Contingency/Continuity of Operations Planning (cont'd)
    Testing the plan
    • In this phase, the developed plan is tested
    • Determines whether the plan actually works in a real disaster environment
    • Testing results are documented for future reference
    Personnel training
    • Personnel need to undergo training to become familiar with the plan, which helps them perform their tasks and responsibilities effectively
    Maintaining the plan
    • Maintaining the plan means keeping it up to date
    • As processes are added or removed by the organization, the plan should be updated accordingly
  • 50. Contingency/Continuity of Operations Planning (cont'd)
    Components of contingency planning:
    • Supporting information (past incident analysis reports, vulnerability analysis reports, etc.)
    • Notification/activation (supplies notification procedures and covers activation of the plan)
    • Recovery (recovers the data with the help of backups)
    • Reconstitution (restores the original information after the disaster)
    • Plan appendices (provide records of further analysis)
  • 51. Contingency/Continuity of Operations Planning (cont'd)
    Continuity of operations provides the organization with an alternative site for a period of one month so that it can recover from the disaster and carry on normal operations.
  • 52. Budget/Resource Allocation
    • Budget and resource constraints are major roadblocks in the incident handling and response planning process
    • Budget and resources are generally allocated according to previous experience and the perceived risk to the organization's resources
    • There is no standard rule or practice for budget allocation, as the return on investment for incident handling in information systems cannot be measured directly
    • Documentation of previous incidents and the losses to the organization may help decision makers estimate the potential cost savings
• 53. Incident Handling
• 54. Handling Incidents
  Incident handling helps to find out trends and patterns related to the intruder’s activity by analyzing it
  It involves three basic functions:
  • Incident reporting
  • Incident analysis
  • Incident response
  It provides recommendations on recovery, containment, and prevention to constituents such as network administrators
  It allows incident reports to be gathered in one location so that the exact trends and patterns can be recognized and the recommended strategies employed
  It helps the responsible staff to understand the process of responding and to tackle unexpected threats and security breaches
• 55. Procedure for Handling Incidents
  The incident handling process is divided into six stages:
  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Follow-up
• 56. 1. Preparation
  Preparation enables easy coordination among staff
  Provides baseline protection
  Uses virus detection and eradication tools
  Company staff is given training at this stage
• 57. 2. Identification
  Identification involves validating, identifying, and reporting the incident:
  • Determining the symptoms given in ‘how to identify an incident’
  • Identifying the nature of the incident
  • Identifying events
  • Protecting evidence
  • Reporting events
• 58. 3. Containment
  Containment limits the extent and intensity of an incident:
  • Avoid logging in as root on the compromised system
  • Avoid conventional trace-back methods, as these may alert the attackers
  • Prepare complete backups of the infected systems
  • Change the passwords of all unaffected systems in the LAN
• 59. 4. Eradication
  • Look into additional information, along with the information gathered in the 3rd (Containment) phase, to find out the reasons for the particular incident
  • Use standard anti-virus tools to remove viruses/worms from the storage media
  • Improve security measures by enabling firewalls, router filters, or assigning new IP addresses
  • Analyze the vulnerability
• 60. 5. Recovery
  • Determine the course of action
  • Monitor and validate systems
  • Determine the integrity of the backup itself by making an attempt to read its data
  • Verify the success of the operation and the normal condition of the system
  • Monitor the system using network loggers and system log files, and check for potential back doors
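The recovery-stage check above, "determine the integrity of the backup itself by making an attempt to read its data", as an added Python example (not code from the EC-Council deck): a constructed tar backup carries a SHA-256 manifest written at backup time, the verifier reads every member back and compares it with the manifest, and a member whose data block was damaged is reported instead of being restored. The manifest file name, the sample file names and their contents are assumptions for the example.

```python
"""Backup readability and integrity check.

Added example for the Recovery stage (not code from the EC-Council deck): before a
backup is trusted for restoration, read every member back and compare it with a
SHA-256 manifest embedded at backup time.  The manifest file name, the sample
file names and their contents are constructed for this example.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile

MANIFEST_NAME = "MANIFEST.sha256.json"   # assumed convention, not a standard


def create_backup(backup_path, files):
    """Write files (name -> bytes) into a tar archive together with a hash manifest."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    with tarfile.open(backup_path, "w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        mdata = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(mdata)
        tar.addfile(info, io.BytesIO(mdata))
    return manifest


def verify_backup(backup_path):
    """Attempt to read the whole backup and check each member against the manifest.

    Returns {"ok": bool, "verified": [names], "bad": [(name, reason)]}.
    """
    result = {"ok": False, "verified": [], "bad": []}
    try:
        with tarfile.open(backup_path, "r") as tar:
            try:
                manifest = json.load(tar.extractfile(MANIFEST_NAME))
            except (KeyError, ValueError) as exc:
                result["bad"].append((MANIFEST_NAME, f"manifest missing or unreadable: {exc}"))
                return result
            members = {m.name: m for m in tar.getmembers() if m.name != MANIFEST_NAME}
            for name, expected in manifest.items():
                member = members.pop(name, None)
                if member is None:
                    result["bad"].append((name, "listed in manifest but absent from archive"))
                    continue
                digest = hashlib.sha256()
                fh = tar.extractfile(member)
                for chunk in iter(lambda: fh.read(65536), b""):  # forces a full read of the data
                    digest.update(chunk)
                if digest.hexdigest() == expected:
                    result["verified"].append(name)
                else:
                    result["bad"].append((name, "sha256 mismatch"))
            for name in members:
                result["bad"].append((name, "present in archive but not in manifest"))
    except (tarfile.TarError, OSError) as exc:
        result["bad"].append((backup_path, f"archive unreadable: {exc}"))
        return result
    result["ok"] = not result["bad"]
    return result


def demo():
    """Build a constructed backup, verify it, corrupt one data block, verify again."""
    files = {                                   # constructed sample content
        "etc/hosts": b"127.0.0.1 localhost\n",
        "var/www/index.html": b"<html>restored site</html>\n",
    }
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "srv01-backup.tar")
        create_backup(path, files)
        clean = verify_backup(path)
        # Simulate media damage: the first member's data starts right after its 512-byte
        # tar header, and tar's own header checksum does not cover member data.
        with open(path, "r+b") as fh:
            fh.seek(512)
            first = fh.read(1)
            fh.seek(512)
            fh.write(bytes([first[0] ^ 0xFF]))
        damaged = verify_backup(path)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup ok:", clean["ok"], "verified:", clean["verified"])
    print("damaged backup ok:", damaged["ok"], "bad:", damaged["bad"])
```

The point of the corruption step is that tar's header checksum says nothing about the member data, so an archive that lists and extracts without error can still hand back altered files; only a full read against a hash recorded at backup time catches it, which is what the slide's "attempt to read its data" should mean in practice.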
• 61. 6. Follow-up
  Determine the staff time required and perform the following cost analysis:
  • Extent to which the incident disrupted the organization
  • Data lost and its value
  • Damaged hardware and its cost
  Revise policies and procedures using the lessons learned from past incidents
• 62. 6. Follow-up (cont’d)
  Document the response to the incident by finding answers to the following:
  • Was the preparation for the incident sufficient?
  • Did detection occur promptly, and why or why not?
  • Could additional tools have helped?
  • Was the incident contained?
  • What practical difficulties were encountered?
  • Was it communicated properly?
• 63. Post-Incident Activity
  Every incident response team should evolve to reflect new threats, improved technology, and lessons learned
  The most important aspect of these activities is updating the incident response policies and procedures for better security
  Using the collected incident data helps to provide several measures of the success of the incident response team
  The metrics for incident-related data include:
  • Number of incidents handled
  • Time per incident
  • Objective assessment of each incident
  • Subjective assessment of each incident
• 64. Post-Incident Activity (cont’d)
  Evidence Retention:
  • Policies should be created for how long the evidence from an incident has to be retained
  • The factors to be considered for policy creation are:
    • If the attacker is to be prosecuted, the evidence needs to be retained until the legal actions are completed
    • Most organizations have data retention policies that state how long certain types of data may be kept
• 65. Education, Training, and Awareness
  An education, training, and awareness program educates people on how to handle computer-related incidents
  Education and training provide the skills required to implement the incident handling policies
  Practical training removes developmental errors, improves procedures, and reduces the occurrence of miscommunication
  Well-trained members can prevent an incident or limit the resulting damage
• 66. Education, Training, and Awareness (cont’d)
  Training should be conducted at specified intervals, and it should include:
  • Identification and operation of the utility shut-off devices
  • Location of the incident handling areas
  • Emergency responsibilities and re-assignment plans for all positions
  The awareness campaign should be designed for several purposes, such as:
  • Knowledge and participation
  • Concerning the plan's strategies
  • Contingency arrangements
• 67. Post-Incident Report
  Post-Incident Report
  Incident Ref. No.: ________
  Bureau/Department: ____________________________________________
  Reporting Officer Details
    Report Date: ___________________________________________________
    Reported By Name: ____________________________________________
    Designation: _____________________________________________
    Phone No.: _____________________________________________
    Email Addr.: ______________________________________________
  Incident Details
    Incident Date: ___________________________________________________
    Type of Incident:
    System Name and Description:
    Summary of Incident:
• 68. Post-Incident Report (cont’d)
  Event Sequence:
    Date / Time | Event
  Action Taken and Result:
  Current System Status:
  Personnel Involved:
    Name | Designation | Phone No. | Email | Eec. Role
  Hacker Details (if any):
  Computer Virus Details (if any):
  Other Affected Sites/Systems:
  Damage (including disruption/suspension of service):
  Cost Factor (including loss caused by the incident and the recovery cost/manpower):
  Recommended Action to Prevent Recurrence:
  Other Comments:
  Experience Learnt:
• 69. Procedural and Technical Countermeasures
  Media is Downgraded or Declassified:
  • Information is downgraded or declassified depending on the loss of sensitivity of the information due to the passage of time or on the occurrence of a specific event
  • Declassification is not automatically an approval for public disclosure
  Destruction/Sanitization of Media:
  • Destruction of media is the ultimate form of sanitization
  • Once the media is destroyed, it cannot be recycled as originally intended
  • Media sanitization is the process of deleting confidential data from storage media, with reasonable guarantee that the data cannot be retrieved and reconstructed
  • The sanitization process is especially important when storage media are transferred, become obsolete or no longer usable, or are no longer required by an information system
  Emergency Destruction:
  • The activity must account for the volume, level, and sensitivity of the classified material
  • Sensitivity of the operational assignment
  • Potential for aggressive action
• 70. Vulnerability Resources
  US-CERT Vulnerability Notes Database (http://www.kb.cert.org/vuls/):
  • It publishes information about a wide variety of vulnerabilities, including their technical descriptions, impact, solutions and workarounds, and lists of the affected vendors
  National Vulnerability Database (http://nvd.nist.gov/):
  • It is the U.S. government repository of standards-based vulnerability management data, which includes databases of security checklists, security-related software flaws, misconfigurations, product names, and impact metrics
  Common Vulnerabilities and Exposures List (http://cve.mitre.org/):
  • A list or dictionary of publicly known information security vulnerabilities and exposures, international in scope and free for public use
• 71. CSIRT
• 72. What is CSIRT?
  Computer Security Incident Response Team (CSIRT):
  • A CSIRT provides 24x7 Computer Security Incident Response Services to any user, company, government agency, or organization
  • It provides a reliable and trusted single point of contact for reporting computer security incidents worldwide
  • It provides the means for reporting incidents and disseminating important incident-related information
• 73. CSIRT: Goals and Strategy
  Goals of CSIRT:
  • To manage security problems by taking a proactive approach towards customers’ security vulnerabilities and by responding effectively to potential information security incidents
  • To minimize and control the damage
  • To provide or assist with effective response and recovery
  • To prevent future events
  Strategy of CSIRT:
  • It provides a single point of contact for reporting local problems
  • It identifies and analyzes what has happened, including the impact and threat
  • It researches solutions and mitigation strategies
  • It shares response options, information, and lessons learned
• 74. CSIRT Vision
  The CSIRT vision is to:
  • Identify the organization
  • Specify the mission, goals, and objectives of the organization
  • Select the services to be offered by the CSIRT
  • Determine how the CSIRT should be structured for the organization
  • Plan the budget required by the organization to implement and manage the CSIRT
  • Determine the resources (equipment, staff, infrastructure) to be used by the CSIRT
• 75. Motivation behind CSIRTs
  • An increase in the number of computer security incidents being reported, and an increase in the number and type of organizations being affected by computer security incidents
  • A more focused awareness by organizations of the need for security policies and practices as part of their overall risk-management strategies
  • New laws and regulations that impact how organizations are required to protect their information assets
  • The realization that system and network administrators alone cannot protect organizational systems and assets
  • The realization that a prepared plan and strategy are required
• 76. Why Does an Organization Need an Incident Response Team?
  An Incident Response Team helps organizations recover from computer security breaches and threats
  It is a formalized team that performs incident response work as its major job function
  When formed as an ad hoc team, it is responsible for an ongoing computer security incident
• 77. Who Works in a CSIRT?
  CSIRT staff roles may include:
  • Manager or team lead
  • Assistant managers, supervisors, or group leaders
  • Hotline, help desk, or triage staff
  • Incident handlers
  • Vulnerability handlers
  • Artifact analysis staff
  • Platform specialists
  • Trainers
  • Technology watch
  Other roles may include:
  • Support staff
  • Technical writers
  • Network or system administrators, CSIRT infrastructure staff
  • Programmers or developers (to build CSIRT tools)
  • Web developers and maintainers
  • Media relations
  • Legal or paralegal staff or liaison
  • Law enforcement staff or liaison
  • Auditors or quality assurance staff
  • Marketing staff
• 78. Staffing Your Computer Security Incident Response Team: What are the Basic Skills Needed?
  Basic Skills:
  Personal Skills
  • Communication: written and oral
  • Presentation skills
  • Diplomacy
  • Ability to follow policies and procedures
  • Team skills
  • Integrity
  • Knowing one's limits
  • Coping with stress
  • Problem solving
  • Time management
  Technical Skills
  • Programming skills
  • Incident handling skills
• 79. Team Models
  Incident response team structure models fall into one of three categories:
  • Central Incident Response Team
  • Distributed Incident Response Teams
  • Coordinating Team
  Incident response teams can also use any of three staffing models:
  • Employees
  • Partially Outsourced
  • Fully Outsourced
• 80. Delegation of Authority
  A properly planned delegation of authority ensures an effective response to incidents in accordance with the organization’s response policy
  Members of the incident response team should be given authority according to their skills, expertise, and experience
  Delegation of authority includes:
  • Allocation of tasks
  • Empowerment
  • Assignment of responsibility
  • Accountability
• 81. CSIRT Services Can be Grouped into Three Categories
  Reactive services:
  • These services are triggered by an event or request, such as a report of a compromised host, wide-spreading malicious code, a software vulnerability, or something identified by an intrusion detection or logging system
  • They are the core component of the CSIRT’s work
  Proactive services:
  • These services provide assistance and information to prepare, protect, and secure constituent systems in anticipation of attacks, problems, or events
  • Performance of these services will directly reduce the number of incidents in the future
• 82. CSIRT Services Can be Grouped into Three Categories (cont’d)
  Security quality management services:
  • These services augment existing and well-established services that are independent of incident handling and traditionally performed by other areas of an organization, such as the IT, audit, or training departments
  • If the CSIRT performs or assists with these services, the CSIRT’s point of view and expertise can provide insight to improve the overall security of the organization and identify risks, threats, and system weaknesses
  • These services are generally proactive but contribute indirectly to reducing the number of incidents
• 83. CSIRT Case Classification
  Incident Categories: All incidents managed by the CSIRT should be classified into one of the categories listed below:
  Incident Category | Sensitivity* | Description
  Denial of Service | S3 | DOS or DDOS attack.
  Forensics | S1 | Any forensic work to be done by CSIRT.
  Compromised Information | S1 | Attempted or successful destruction, corruption, or disclosure of sensitive corporate information or Intellectual Property.
  Compromised Asset | S1, S2 | Compromised host (root account, Trojan, rootkit), network device, application, or user account. This includes malware-infected hosts where an attacker is actively controlling the host.
  Unlawful Activity | S1 | Theft / Fraud / Human Safety / Child Porn. Computer-related incidents of a criminal nature, likely involving law enforcement, Global Investigations, or Loss Prevention.
  Internal Hacking | S1, S2, S3 | Reconnaissance or suspicious activity originating from inside the Company corporate network, excluding malware.
  External Hacking | S1, S2, S3 | Reconnaissance or suspicious activity originating from outside the Company corporate network (partner network, Internet), excluding malware.
  Malware | S3 | A virus or worm typically affecting multiple corporate devices. This does not include compromised hosts that are being actively controlled by an attacker via a backdoor or Trojan (see Compromised Asset).
  Email | S3 | Spoofed email, SPAM, and other email security-related events.
  Consulting | S1, S2, S3 | Security consulting unrelated to any confirmed incident.
  Policy Violations | S1, S2, S3 | Sharing offensive material, or sharing/possession of copyright material; deliberate violation of Infosec policy; inappropriate use of a corporate asset such as a computer, network, or application; unauthorized escalation of privileges or deliberate attempt to subvert access controls.
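Three of the slides above describe data a tracking system has to hold and act on: the classification table (slide 83), the post-incident metrics "number of incidents handled" and "time per incident" (slide 63), and the evidence-retention rule that evidence is kept until legal action completes and otherwise for the data-retention period (slide 64). The following Python is an added example (not code from the EC-Council deck or any CSIRT) that wires the three together; the 365-day retention period, the incident references, timestamps and categories in the sample records are assumptions constructed for the example.

```python
"""Incident-tracking helpers: classification check, post-incident metrics, evidence retention.

Added example, not code from the EC-Council deck or from any CSIRT.  CLASSIFICATION
reproduces the deck's case-classification table; the retention period, incident
references, timestamps and categories in sample_incidents() are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Category -> sensitivity levels permitted by the classification table on the slide.
CLASSIFICATION = {
    "Denial of Service": {"S3"},
    "Forensics": {"S1"},
    "Compromised Information": {"S1"},
    "Compromised Asset": {"S1", "S2"},
    "Unlawful Activity": {"S1"},
    "Internal Hacking": {"S1", "S2", "S3"},
    "External Hacking": {"S1", "S2", "S3"},
    "Malware": {"S3"},
    "Email": {"S3"},
    "Consulting": {"S1", "S2", "S3"},
    "Policy Violations": {"S1", "S2", "S3"},
}

DEFAULT_RETENTION = timedelta(days=365)   # assumed period; take it from the local data-retention policy


@dataclass
class Incident:
    ref_no: str
    category: str
    sensitivity: str
    opened: datetime
    closed: Optional[datetime] = None
    legal_action_pending: bool = False
    retention: timedelta = DEFAULT_RETENTION


def validate(incident):
    """Reject an unknown category or a sensitivity the table does not permit for it."""
    allowed = CLASSIFICATION.get(incident.category)
    if allowed is None:
        raise ValueError(f"{incident.ref_no}: unknown category {incident.category!r}")
    if incident.sensitivity not in allowed:
        raise ValueError(f"{incident.ref_no}: {incident.sensitivity} not permitted for "
                         f"{incident.category} (allowed: {sorted(allowed)})")
    return True


def metrics(incidents):
    """The slide's metrics: incidents handled and time per incident, plus a category breakdown."""
    hours = [(i.closed - i.opened).total_seconds() / 3600 for i in incidents if i.closed]
    by_category = {}
    for i in incidents:
        by_category[i.category] = by_category.get(i.category, 0) + 1
    return {
        "handled": len(incidents),
        "closed": len(hours),
        "mean_hours_per_incident": round(sum(hours) / len(hours), 2) if hours else None,
        "max_hours": round(max(hours), 2) if hours else None,
        "by_category": by_category,
    }


def evidence_may_be_purged(incident, now):
    """Retention rule from the slide: hold evidence while legal action is pending,
    otherwise for the retention period counted from closure of the incident."""
    if incident.closed is None or incident.legal_action_pending:
        return False
    return now >= incident.closed + incident.retention


def sample_incidents():
    """Constructed incident records used by demo()."""
    t0 = datetime(2024, 3, 1, 9, 0)
    return [
        Incident("IR-2024-001", "Malware", "S3", t0, t0 + timedelta(hours=6)),
        Incident("IR-2024-002", "Compromised Asset", "S1", t0, t0 + timedelta(hours=30),
                 legal_action_pending=True),
        Incident("IR-2024-003", "External Hacking", "S2", t0 + timedelta(days=1)),
    ]


def demo(now=datetime(2025, 3, 2, 9, 0)):
    """Validate the samples, compute metrics, and list evidence that may be purged at `now`."""
    incidents = sample_incidents()
    for i in incidents:
        validate(i)
    rejected = None
    try:                                  # S1 is not a permitted level for Malware
        validate(Incident("IR-2024-099", "Malware", "S1", incidents[0].opened))
    except ValueError as exc:
        rejected = str(exc)
    return {
        "metrics": metrics(incidents),
        "purgeable": [i.ref_no for i in incidents if evidence_may_be_purged(i, now)],
        "rejected": rejected,
    }
```

Validation at intake is what makes the later metrics meaningful: if handlers can file a malware outbreak at S1 or invent a category, the per-category counts and assessments the slide asks for no longer compare like with like. The purge check deliberately returns False for anything still open or under legal hold, so the safe default is to keep evidence.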
• 84. Types of Incidents and Level of Support
  The computer security incident response team will assign resources according to the following priorities, listed in decreasing order:
  • Threats to the physical safety of human beings
  • Root or system-level attacks on any machine, either multi-user or dedicated-purpose
  • Compromise of restricted confidential service accounts or software installations, particularly those with authorized access to confidential data
  • Denial of service attacks on any of the service accounts or software installations
• 85. Types of Incidents and Level of Support (cont’d)
  The computer security incident response team will assign resources according to the following priorities, listed in decreasing order (continued):
  • Large-scale attacks of any kind, e.g., sniffing attacks, IRC "social engineering" attacks, password cracking attacks, and destructive virus outbreaks
  • Compromise of individual user accounts, i.e., unauthorized access to a user or service account
  • Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g., Netnews and e-mail forgery, unauthorized use of IRC bots
  • Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent
• 86. Service Description Attributes
  For each service provided, the CSIRT should provide its constituency with service descriptions (or formal service level agreements) in as much detail as possible
  In particular, any service provided by the CSIRT should include an explanation of the attributes and descriptions outlined in the table below:
  Attribute | Description
  Objective | Purpose and nature of the service
  Definition | Description of the scope and depth of the service
  Function Descriptions | Descriptions of individual functions within the service
  Availability | The conditions under which the service is available: to whom, when, and how
  Quality Assurance | Quality assurance parameters applicable to the service; includes both setting and limiting constituency expectations
  Interactions and Information Disclosure | The interactions between the CSIRT and parties affected by the service, such as the constituency, other teams, and the media; includes setting information requirements for parties accessing the service, and defining the strategy with regard to the disclosure of information (both restricted and public)
  Interfaces with Other Services | Define and specify the information flow exchange points between this service and other CSIRT services it interacts with
  Priority | The relative priorities of functions within the service, and of the service versus other CSIRT services
• 87. Incident Specific Procedures-I (Virus and Worm Incidents)
  • Step 1: Isolate the system
  • Step 2: Notify the appropriate people
  • Step 3: Identify the problem
  • Step 4: Prevent the virus or worm from further infecting
  • Step 5: Inoculate the system(s)
  • Step 6: Return to a normal operating mode
  • Step 7: Follow up analysis
• 88. Incident Specific Procedures-II (Hacker Incidents)
  (A) Attempted Probes into a State of Vermont System
  • Step 1: Identify the problem
  • Step 2: Notify the appropriate people
  • Step 3: Identify the attacker
  • Step 4: Notify CERT
  • Step 5: Follow up analysis
  (B) Active Hacker Activity
  • Step 1: Notify the appropriate people
  • Option 1: Removal of the attacker from the system
    • Step 2: Snap-shot the system
    • Step 3: Lock out the attacker
    • Step 4: Restore the system
    • Step 5: Notify other agencies
    • Step 6: Follow up analysis
  • Option 2: Monitoring of the attacker’s activity
  (C) Evidence of Past Incidents
  Log all actions in every phase*
• 89. Incident Specific Procedures-III (Social Incidents, Physical Incidents)
  Social Incidents:
  • Step 1: Identify potential risk
  • Log all actions*
  Physical Incidents:
  • Step 2: Notify the appropriate people
  • Log all actions*
• 90. How CSIRT Handles a Case: Steps
  • Inform the appropriate people
  • Keep a log book
  • Release the information
  • Maintain a list of contacts
  • Report
  • Follow up analysis
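The procedures on slides 87 to 90 share two requirements: the steps are numbered and meant to be taken in order, and every action is logged ("Log all actions in every phase", "Keep a log book"); the post-incident report form on slide 68 then needs that log as its "Event Sequence: Date / Time / Event" section. The Python below is an added example (not code from the EC-Council deck) of a runbook that enforces the step order of the virus/worm procedure and renders the log book for the report; the step names are the deck's, while the incident reference, operator names, timestamps and log entries are constructed for the example.

```python
"""Ordered runbook with a mandatory action log.

Added example, not code from the EC-Council deck.  The step names are the deck's
virus/worm procedure; the incident reference, operators, timestamps and log
entries are constructed.  Steps must be completed in order, every action is
logged with date/time and operator, and the log renders as the "Event Sequence"
section of the post-incident report form.
"""
from datetime import datetime, timedelta

VIRUS_WORM_STEPS = [
    "Isolate the system",
    "Notify the appropriate people",
    "Identify the problem",
    "Prevent the virus or worm from further infecting",
    "Inoculate the system(s)",
    "Return to a normal operating mode",
    "Follow up analysis",
]


class StepOrderError(Exception):
    """Raised when a handler tries to skip ahead or repeat a completed step."""


class Runbook:
    def __init__(self, incident_ref, steps):
        self.incident_ref = incident_ref
        self.steps = list(steps)
        self.next_index = 0
        self.log = []                      # the log book: (timestamp, operator, entry)

    def record(self, operator, entry, when=None):
        """Log any action (call made, command run, decision taken), not only step completions."""
        self.log.append((when or datetime.now(), operator, entry))

    def complete(self, step, operator, result, when=None):
        """Mark a step done; the published order is enforced, so nothing is skipped."""
        expected = self.steps[self.next_index] if self.next_index < len(self.steps) else None
        if step != expected:
            raise StepOrderError(
                f"expected step {self.next_index + 1} ({expected!r}), got {step!r}")
        self.record(operator, f"Step {self.next_index + 1}: {step} -- {result}", when)
        self.next_index += 1

    def is_closed(self):
        return self.next_index == len(self.steps)

    def event_sequence(self):
        """Render the log, in time order, for the 'Event Sequence' section of the report."""
        lines = [f"Event Sequence for {self.incident_ref}", "Date / Time | Operator | Event"]
        for when, operator, entry in sorted(self.log, key=lambda e: e[0]):
            lines.append(f"{when:%Y-%m-%d %H:%M} | {operator} | {entry}")
        return "\n".join(lines)


def walk_through():
    """Constructed walkthrough: one out-of-order attempt is rejected, then all seven steps run."""
    rb = Runbook("IR-2024-017", VIRUS_WORM_STEPS)
    t = datetime(2024, 3, 4, 10, 15)
    rb.record("helpdesk-tier1", "ticket 4412: unusual network traffic from ws-112",
              t - timedelta(minutes=5))
    rejected = None
    try:                                   # identification before isolation is refused
        rb.complete("Identify the problem", "handler-a", "AV signature match", t)
    except StepOrderError as exc:
        rejected = str(exc)
    results = [                            # constructed outcomes, one per step
        "ws-112 moved to the quarantine VLAN",
        "on-call manager and help desk notified",
        "worm sample identified by vendor AV signature",
        "file-sharing port blocked at the subnet firewall",
        "updated AV signatures pushed to all workstations",
        "ws-112 reimaged from verified backup and reconnected",
        "root cause: unpatched file-sharing service; patch ticket opened",
    ]
    for i, (step, result) in enumerate(zip(VIRUS_WORM_STEPS, results)):
        rb.complete(step, "handler-a", result, t + timedelta(minutes=15 * i))
    return rb, rejected


if __name__ == "__main__":
    rb, rejected = walk_through()
    print("rejected:", rejected)
    print(rb.event_sequence())
```

Refusing an out-of-order step is a small thing in code but it is the behaviour the deck's procedures rely on: a handler who identifies the malware before isolating the host has let it keep spreading while the analysis ran, and the rejected attempt still ends up in the record, so the report shows what was tried and when.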
• 91. US-CERT Incident Reporting System
  US-CERT is a partnership between the Department of Homeland Security and the public and private sectors. Established to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. This system is used to report cyber-related incidents to US-CERT.
• 92. US-CERT Incident Reporting System (cont’d)
• 93. CSIRT Incident Report Form
• 94. CERT(R) Coordination Center: Incident Reporting Form
• 95. Examples of CSIRTs
  • Internal CSIRTs provide services to their parent organization, such as a bank, manufacturing company, university, or government agency
  • National CSIRTs provide services to an entire nation; an example is the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
  • Analysis Centers synthesize data and determine trends and patterns in incident activity to predict future activity or provide early warnings
  • Vendor teams identify vulnerabilities in software and hardware products
  • Incident Response Providers offer services to paying clients
• 96. Best Practices for Creating a CSIRT
  • Step 1: Obtain management support and buy-in
  • Step 2: Determine the CSIRT strategic plan
  • Step 3: Gather relevant information
  • Step 4: Design the CSIRT vision
  • Step 5: Communicate the CSIRT vision and operational plan
  • Step 6: Begin CSIRT implementation
  • Step 7: Announce the operational CSIRT
• 97. Step 1: Obtain Management Support and Buy-in
  Without management approval and support, creating an effective incident response capability can be difficult and problematic
  Once the team is established, how is it maintained and expanded with budget, personnel, and equipment resources?
  Will the role and authority of the CSIRT continue to be backed by management across the various constituencies or the parent organization?
• 98. Step 2: Determine the CSIRT Development Strategic Plan
  • Are there specific timeframes to be met? Are they realistic, and if not, can they be changed?
  • Is there a project group? Where do the group members come from?
  • How do you let the organization know about the development of the CSIRT?
  • If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?
• 99. Step 3: Gather Relevant Information
  Meet with key stakeholders to discuss the expectations, strategic direction, definitions, and responsibilities of the CSIRT
  The stakeholders could include:
  • Business managers
  • Representatives from IT
  • Representatives from the legal department
  • Representatives from human resources
  • Representatives from public relations
  • Any existing security groups, including physical security
  • Audit and risk management specialists
• 100. Step 4: Design your CSIRT Vision
  In creating your vision, you should:
  • Identify your constituency: Who does the CSIRT support and service?
  • Define your CSIRT mission, goals, and objectives: What does the CSIRT do for the identified constituency?
  • Select the CSIRT services to provide to the constituency (or others): How does the CSIRT support its mission?
  • Determine the organizational model: How is the CSIRT structured and organized?
  • Identify required resources: What staff, equipment, and infrastructure are needed to operate the CSIRT?
  • Determine your CSIRT funding: How is the CSIRT funded for its initial startup and its long-term maintenance and growth?
• 101. Step 5: Communicate the CSIRT Vision
  Communicate the CSIRT’s vision and operational plan to management, the constituency, and others who need to know and understand its operations
  As appropriate, make adjustments to the plan based on their feedback
• 102. Step 6: Begin CSIRT Implementation
  • Hire and train the initial CSIRT staff
  • Buy equipment and build any necessary network infrastructure to support the team
  • Develop the initial set of CSIRT policies and procedures to support your services
  • Define the specifications for and build your incident-tracking system
  • Develop incident-reporting guidelines and forms for your constituency
• 103. Step 7: Announce the CSIRT
  When the CSIRT is operational, announce it to the constituency or parent organization
  It is best if this announcement comes from sponsoring management
  Include the contact information and hours of operation for the CSIRT in the announcement
  This is an excellent time to make the CSIRT incident-reporting guidelines available
• 104. Limits to Effectiveness in CSIRTs
  A fundamental problem for a CSIRT is to balance a growing workload with limited human resources
  Remedy:
  • A CSIRT can work smarter by investing in automation
  • Policy experimentation and future scenarios
  • When a problem is well understood, it can be solved; this is typically accomplished by altering some of the policies in the system, or by re-engineering parts of it
• 105. Working Smarter by Investing in Automated Response Capability
  Figure: Working smarter by investing in automated response capability
• 106. World CERTs
• 107. World CERTs
  Asia Pacific CERTs
  • Australia CERT (AUSCERT)
  • Hong Kong CERT (HKCERT/CC)
  • Indonesian CSIRT (ID-CERT)
  • Japan CERT-CC (JPCERT/CC)
  • Korea CERT (CERT-KR)
  • Malaysia CERT (MyCERT)
  • Pakistan CERT (PakCERT)
  • Singapore CERT (SingCERT)
  • Taiwan CERT (TWCERT)
  • China CERT (CNCERT/CC)
  North American CERTs
  • CERT-CC
  • US-CERT
  • Canadian CERT (CanCERT)
  • Forum of Incident Response and Security Teams (FIRST)
  South American CERTs
  • CAIS (Brazilian Research Network CSIRT)
  • NIC BR Security Office, Brazilian CERT (NBS)
  European CERTs
  • EuroCERT
  • FUNET CERT
  • CERTA
  • DFN-CERT
  • JANET-CERT
  • CERT-NL
  • UNINETT-CERT
  • CERT-NASK
  • Swiss Academic and Research Network CERT
• 108. Australia CERT (AUSCERT)
• 109. Hong Kong CERT (HKCERT/CC)
• 110. Indonesian CSIRT (ID-CERT)
• 111. Japan CERT-CC (JPCERT/CC)
• 112. Singapore CERT (SingCERT)
• 113. Taiwan CERT (TWCERT)
• 114. China CERT (CNCERT/CC)
• 115. CERT-CC
• 116. US-CERT
• 117. Canadian CERT
• 118. Forum of Incident Response and Security Teams
• 119. CAIS
• 120. NIC BR Security Office Brazilian CERT
• 121. EuroCERT
• 122. FUNET CERT
• 123. DFN-CERT
• 124. JANET-CERT
• 125. http://www.first.org/about/organization/teams/
• 126. http://www.apcert.org/about/structure/members.html
• 127. IRTs Around the World
  Courtesy of CERT/CC ©Carnegie Mellon University 2003
• 128. Summary
  • The increase in the number of products, and the corresponding increase in the number of hacking tools, has put security in the spotlight
  • A computer security incident is defined as any real or suspected adverse event in relation to the security of computer systems or computer networks
  • Handling incidents involves three basic functions: incident reporting, incident analysis, and incident response
  • Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format
  • A CSIRT provides rapid response to maintain the security and integrity of systems
  • Without management’s approval and support, creating an effective incident response capability can be difficult and problematic