Operations Security
Week 5
Incident Management, Investigations, and Physical Security
Incident Response
Incident response is an organized approach to addressing and
managing the aftermath of a security breach or attack (also
known as an incident).
The Steps of Incident Handling
Triage – Is it an actual incident or a false alarm? How serious is
it?
Investigation – Gathering evidence
Containment – Limit the damage by isolation and mitigation
Analysis – Reconstruct the incident. Who is responsible? How
did they do it? When did it occur? Why did they do it?
Tracking – Document the incident and determine the source
Recovery – Mitigate the incident and apply lessons learned to
reduce risk of recurrence
Triage
The term Triage is used within the medical community. Triage
is the art of rapidly assessing the severity of the incident and
following the right protocols, in the right order, to reduce the
consequences of the incident and doing it all in the midst of
crisis, when every second counts.
Different incidents require different responses – A Denial of
Service attack (DOS) has to be addressed differently than a
malware infection.
Establishing baselines can help identify unusual activity. The
number of indicators of potential incidents is very high, so
false positives are common.
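As an added example (not part of the slides), the baseline idea above in runnable Python: a per-host baseline of failed-login counts, a statistical threshold for "unusual", and an absolute floor that suppresses the false positives a bare threshold would raise on a quiet host. The flagged hosts are then given a triage severity from asset tier and from whether a failure run ended in a successful login. All host names, asset tiers, and log events are constructed.

```python
"""Baseline-driven triage of failed logins (added example, constructed data)."""
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: failed logins per host on each of the previous 7 days.
BASELINE = {
    "web01": [12, 15, 11, 14, 13, 12, 16],
    "db01":  [0, 1, 0, 0, 2, 0, 1],
    "vpn01": [40, 55, 38, 47, 52, 44, 49],
    "hr01":  [0, 0, 1, 0, 0, 0, 0],
}

# Constructed asset tiers, used to rank how serious a flagged host is.
ASSET_TIER = {"web01": "standard", "db01": "critical",
              "vpn01": "standard", "hr01": "standard"}

# Constructed auth events for the day under triage: (host, user, outcome), in time order.
TODAY = (
    [("web01", f"user{i}", "FAIL") for i in range(14)]
    + [("db01", "svc_backup", "FAIL")] * 9 + [("db01", "svc_backup", "OK")]
    + [("vpn01", f"user{i % 7}", "FAIL") for i in range(70)]
    + [("hr01", "carol", "FAIL")] * 3
)

SIGMA = 3          # standard deviations above the mean that count as unusual
MIN_FAILURES = 5   # absolute floor: fewer failures than this is never escalated


def threshold(history):
    """Upper bound of 'normal' for one host: mean + SIGMA * population std-dev."""
    return mean(history) + SIGMA * pstdev(history)


def count_failures(events):
    """Failed-login count per host for the events given."""
    return Counter(host for host, _, outcome in events if outcome == "FAIL")


def success_after_failures(events):
    """Hosts on which some user logged in successfully after failing there."""
    failed, hits = set(), set()
    for host, user, outcome in events:
        if outcome == "FAIL":
            failed.add((host, user))
        elif (host, user) in failed:
            hits.add(host)
    return hits


def triage(events, baseline=BASELINE, tiers=ASSET_TIER):
    """Return {host: severity} for hosts whose failures exceed their baseline.

    A host is flagged only if it is both statistically unusual and above the
    absolute floor; the floor keeps a quiet host from paging on a handful of
    mistyped passwords. Hosts with no baseline are skipped (manual review).
    """
    failures = count_failures(events)
    escalated = success_after_failures(events)
    result = {}
    for host, history in baseline.items():
        n = failures.get(host, 0)
        if n < MIN_FAILURES or n <= threshold(history):
            continue
        followed_by_success = host in escalated
        critical_asset = tiers.get(host) == "critical"
        if followed_by_success and critical_asset:
            result[host] = "critical"
        elif followed_by_success or critical_asset:
            result[host] = "high"
        else:
            result[host] = "medium"
    return result


if __name__ == "__main__":
    for host, severity in sorted(triage(TODAY).items()):
        print(f"{host}: {severity}")
```

With the constructed data, hr01 sees three failures against a baseline of almost none, which is statistically unusual, but the floor suppresses it; db01 is both unusual and ends in a successful login on a critical asset, so it comes out on top.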
Investigation
The Incident Scene – The Environment where potential
evidence may exist
Principles of criminalistics apply
Identify the scene
Protect the Environment
Identify evidence and potential sources of evidence
Collect Evidence
Minimize the degree of contamination
General Guidelines
All general forensic and procedural principles must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of
digital evidence must be fully documented, preserved, and
available for review
While an individual is in possession of digital evidence, he or
she is responsible for all actions
Any agency responsible for seizing, accessing, storing, or
transferring digital evidence is responsible for compliance with
these principles
Roles and Responsibilities
A solid foundation of knowledge and policy
A properly trained response team
Core areas must be represented
Chain of Custody
Tracks Evidence Handling
A formal, well-documented procedure MUST be followed – NO
EXCEPTIONS
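An added example (not from the slides) that implements the two requirements stated above, that seizing digital evidence must not alter it and that every access or transfer is documented: an evidence ledger that hashes each item at seizure, appends a custody entry for every action, and refuses a transfer whose bytes no longer match the seized hash. Item ids, handler names and the "disk image" bytes are constructed.

```python
"""Evidence manifest with a hash-verified chain of custody (added example)."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes; the fingerprint recorded at seizure."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    action: str          # seized / transferred / transfer-refused
    handler: str         # person now responsible for the item
    verified_hash: str   # hash observed at the time of the action
    note: str = ""


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source: str
    seized_hash: str
    log: list = field(default_factory=list)


class CustodyViolation(Exception):
    """Raised when evidence presented for transfer differs from what was seized."""


class EvidenceLedger:
    def __init__(self):
        self.items = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def seize(self, item_id, description, source, data: bytes, handler) -> str:
        """Record an item and fingerprint it; returns the seized hash."""
        h = sha256_bytes(data)
        item = EvidenceItem(item_id, description, source, h)
        item.log.append(CustodyEntry(self._now(), "seized", handler, h))
        self.items[item_id] = item
        return h

    def transfer(self, item_id, data: bytes, from_handler, to_handler):
        """Hand an item to a new custodian; refused (and logged) on hash mismatch."""
        item = self.items[item_id]
        h = sha256_bytes(data)
        if h != item.seized_hash:
            item.log.append(CustodyEntry(self._now(), "transfer-refused", from_handler,
                                         h, f"hash mismatch; intended for {to_handler}"))
            raise CustodyViolation(f"{item_id}: observed {h[:12]}.. != seized "
                                   f"{item.seized_hash[:12]}..")
        item.log.append(CustodyEntry(self._now(), "transferred", to_handler, h,
                                     f"from {from_handler}"))

    def verify(self, item_id, data: bytes) -> bool:
        """True if the bytes still match the seized fingerprint."""
        return sha256_bytes(data) == self.items[item_id].seized_hash

    def export(self) -> str:
        """Manifest plus full custody log as JSON, suitable for review."""
        return json.dumps({k: asdict(v) for k, v in self.items.items()}, indent=2)


def demo():
    """One constructed item: seizure, a clean transfer, then a tampered transfer."""
    ledger = EvidenceLedger()
    image = b"constructed disk image bytes"   # stands in for a forensic image
    ledger.seize("E-001", "Disk image of workstation", "ws-17 (constructed)",
                 image, "analyst_a")
    ledger.transfer("E-001", image, "analyst_a", "analyst_b")      # intact: accepted
    try:
        ledger.transfer("E-001", image + b"\x00", "analyst_b", "storage")  # altered
        refused = False
    except CustodyViolation:
        refused = True
    return ledger, refused


if __name__ == "__main__":
    ledger, refused = demo()
    print("tampered transfer refused:", refused)
    print(ledger.export())
```

The refusal is itself logged, so the record shows not only who held the item but also the point at which its integrity could no longer be vouched for.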
Locard’s Exchange Principle
When a crime is committed, the perpetrators leave something
behind and take something with them.
Digital Forensics
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible
Live Evidence
Dynamic data held in running processes and memory that
disappears within a short time once the system is powered down
Short Term Containment
The short term goal is to prevent more damage from occurring
and provide time for additional analysis and mitigation. Isolate
the system from the production network and create a backup
copy for investigation.
Possible short term containment steps include
Remove power
Unplug the NIC
Change DNS entries
Apply new ACL filters
Isolate network segments
Disconnect Internet access
Apply null routing
Long Term Containment
If an affected system is a critical system, it may be necessary to
keep it in production while a new system is built to take over its
functions. After a backup of the system has been made for
investigation, steps must be taken to mitigate the incident while
leaving the system available.
Long term containment steps include:
Remove compromised accounts
Apply security patches
Alter firewall rules
Remove Malware
Place in a Dirty VLAN
Analysis
Media Analysis
Recovery of information or evidence from information media
The media may have been overwritten, damaged, degaussed, or
re-used
Network Analysis
Analysis and examination of network logs and activity for
potential evidence
The critical phase of the process is proper evidence handling
and processing
Software Analysis
Encompasses investigative activity
Malware analysis
Intellectual property disputes
Copyright infringements
Goals
Author identification
Content Analysis
Payload and context Analysis
Recovery
Eventually the necessary steps to resolve the incident will be
performed.
Recovery also refers to the time needed for operations to be
fully restored.
Reporting and Documenting
One of the most important, yet overlooked, phases is the
debriefing and feedback phase
Security Policy Review
Which controls were inadequate or failed?
How can we improve our controls?
Did the Incident Management Plan function as intended?
Physical Security
Deter
Delay
Detect
Assess
Respond
Defense in Depth
The practice of placing multiple layers of defenses (security
controls) to provide redundancy in the event a control fails or a
vulnerability is exploited
Layered barrier designs are advantageous when they require
increased knowledge, skill, and talent to circumvent them
An important concept borrowed from the military; it has been in
use since at least 216 BCE
Access Control
Ensures that only authorized personnel are permitted inside the
controlled area
Persons subject to control include employees, visitors,
customers, vendors, and the general public
Authorization mechanisms typically include identification
badges or cards (something you have): magnetic stripe,
proximity, or smart cards
Closed Circuit TV (CCTV)
A collection of cameras, recorders, switches, keyboards, and
monitors that allow viewing and recording of security events
Provides a highly flexible method of surveillance and
monitoring
Can provide deterrence, detection, and Evidentiary Archives
External Monitoring
Infrared (IR) sensors
Microwave
Coaxial strain-sensitive cable
Lighting
Cameras
Monitor displays
Guards
Alarm
Internal Access
Doors
Turnstiles
Mantraps
Keys
Locks
Safes
Fire Prevention
Classes of fires
Data center requirements
VESDA devices
Classes of Fire
Stages of a Fire
A fire normally goes through four stages of development:
Incipient (Pre-combustion)
Visible smoke
Fast flaming
Heat
Data Center Requirements
Have suppression agents such as water, carbon dioxide, FM-200
(the industry-recognized replacement for Halon 1301), etc., on
hand.
Install alarms and sensors (e.g., ion-based or optical smoke
detectors) and fixed-temperature or rate-of-rise heat sensors.
Data centers require particularly sensitive alarms. Instead of
commercial-grade fire alarms, data centers should have devices
that signal the early stages of a fire through optical or chemical
sensors that may sound an alarm before a fire even starts.
VESDA Detectors
VESDA (an abbreviation of Very Early Smoke Detection
Apparatus) is a laser-based smoke detection system.
Fire Protection
HVAC Systems
Heating, ventilation, and air conditioning systems maintain
appropriate humidity and temperature controls as well as a
contaminant-free air supply.
Monitoring systems can detect abnormal data center
temperatures, humidity, or other factors. Monitoring devices
alert you to a potential problem before there is a disruption in
service.
Ideally, HVAC systems will have backup power and be isolated
from the rest of the building.
Power
Electric power goals – Provide clean and steady power for data
centers, including a UPS (uninterruptible power supply), surge
protectors, protection from transient noise, etc.
Ensure that a proper electrical infrastructure is in place, and
have this validated by a certified electrician.
Mission-critical data centers should have alternate power
sources, such as emergency generators, as well as a minimum
24-hour fuel supply.

Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
URLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website AppURLs and Routing in the Odoo 17 Website App
URLs and Routing in the Odoo 17 Website App
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Staff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSDStaff of Color (SOC) Retention Efforts DDSD
Staff of Color (SOC) Retention Efforts DDSD
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 

Operations SecurityWeek 5Incident Management, Investigatio.docx

  • 1. Operations Security
Week 5
Incident Management, Investigations, and Physical Security

Incident Response
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).

The Steps of Incident Handling
Triage – Is it an actual incident or a false alarm? How serious is it?
Investigation – Gathering evidence
Containment – Limit the damage by isolation and mitigation
Analysis – Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it?
Tracking – Document the incident and determine the source
Recovery – Mitigate the incident and apply lessons learned to reduce the risk of recurrence

Triage
The term Triage is used within the medical community. Triage is the art of rapidly assessing the severity of the incident and following the right protocols, in the right order, to reduce the consequences of the incident, and doing it all in the midst of a crisis, when every second counts.
Different incidents require different responses – a Denial of Service (DoS) attack has to be addressed differently than a malware infection.
Establishing baselines can help identify unusual activity. The number of indicators of potential incidents is very high, so false positives are common.

  • 2. Investigation
The Incident Scene – The environment where potential evidence may exist
Principles of criminalistics apply:
Identify the scene
Protect the environment
Identify evidence and potential sources of evidence
Collect evidence
Minimize the degree of contamination

General Guidelines
All general forensic and procedural principles must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
While an individual is in possession of digital evidence, he or she is responsible for all actions
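The triage slide says that baselines help identify unusual activity but that false positives are common. The following is an added example (not from the slides or the course) of what that looks like in practice: a baseline is learned from a quiet window of a counter sampled at a fixed interval, an observed window is compared against it, and the sensitivity setting k is what trades missed incidents against false alarms. The counter (failed logins per hour) and all the numbers are constructed for the example.

```python
"""Baseline-driven triage for a sampled counter.

Added example, not part of the slides. Assumes a counter that is
sampled at a fixed interval (here: failed logins per hour, constructed
values). A baseline is learned from a window believed to be clean, and
each new sample is judged by how many standard deviations it sits
above that baseline.
"""
from statistics import mean, stdev
from typing import List, Set, Tuple

# Constructed sample: failed logins per hour over a quiet 12-hour window.
BASELINE_WINDOW = [4, 6, 4, 6, 5, 5, 5, 5, 4, 6, 4, 6]

# Constructed sample: the next six hours, with one genuine spike at index 4.
OBSERVED = [5, 6, 4, 7, 60, 5]


def build_baseline(samples: List[int]) -> Tuple[float, float]:
    """Mean and sample standard deviation of a window believed to be clean."""
    if len(samples) < 2:
        raise ValueError("need at least two samples for a baseline")
    return mean(samples), stdev(samples)


def threshold(baseline: Tuple[float, float], k: float) -> float:
    """Alert when a sample exceeds the mean by more than k standard deviations."""
    mu, sigma = baseline
    return mu + k * sigma


def flag(observed: List[int], baseline: Tuple[float, float], k: float) -> List[int]:
    """Indices of observed samples that exceed the threshold."""
    limit = threshold(baseline, k)
    return [i for i, count in enumerate(observed) if count > limit]


def triage(count: int, baseline: Tuple[float, float], k: float) -> str:
    """First triage question: false alarm or incident, and how serious?"""
    mu, sigma = baseline
    if sigma == 0:
        # A perfectly flat baseline: any deviation at all deserves a look.
        return "false alarm" if count == mu else "investigate"
    z = (count - mu) / sigma
    if z <= k:
        return "false alarm"
    return "high" if z > 2 * k else "investigate"


def evaluate(observed: List[int], true_incidents: Set[int],
             baseline: Tuple[float, float], k: float) -> Tuple[int, int, int]:
    """(true positives, false positives, missed incidents) for a given k.

    true_incidents is the analyst's ground truth for the window; in the
    constructed sample only index 4 is a real incident.
    """
    flagged = set(flag(observed, baseline, k))
    tp = len(flagged & true_incidents)
    fp = len(flagged - true_incidents)
    missed = len(true_incidents - flagged)
    return tp, fp, missed


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    print(f"baseline mean={base[0]:.2f} stdev={base[1]:.2f}")
    for k in (2, 3, 80):
        print(f"k={k}: flagged={flag(OBSERVED, base, k)} "
              f"(tp, fp, missed)={evaluate(OBSERVED, {4}, base, k)}")
```

With k=3 only the spike of 60 is flagged; with k=2 the ordinary value 7 is flagged as well (a false positive that a responder would triage as "investigate" and then close); with an absurdly high k the real incident is missed. Picking k is a policy decision about how much analyst time to spend on false alarms versus how much risk of missing an incident to accept, which is why the baseline should be rebuilt from a window known to be clean.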
  • 3. Any agency responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles

Roles and Responsibilities
A solid foundation of knowledge and policy
A properly trained response team
Core areas must be represented

Chain of Custody
Tracks evidence handling
A formal, well-documented procedure MUST be followed – NO EXCEPTIONS

Locard’s Exchange Principle
When a crime is committed, the perpetrators leave something behind and take something with them.

Digital Forensics
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible
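The guidelines on slides 2 and 3 require that seizing evidence must not alter it, that every seizure, access, storage or transfer is documented and available for review, and that chain of custody is followed without exception. The following is an added example (not from the slides or the course) of the two controls that make those requirements checkable: a hash taken at seizure so any later examiner can prove the item is unchanged, and an append-only custody log that a reviewer can audit for gaps. The evidence bytes, names and item id are constructed placeholders.

```python
"""Chain-of-custody record with integrity hashes.

Added example, not part of the slides. Assumes evidence arrives as
bytes (a disk image, an exported log). The hash fixed at seizure lets
an examiner prove the working copy was not altered; the custody log
records who held the item, what they did, and when.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CustodyEntry:
    timestamp: str   # ISO 8601, UTC
    handler: str     # person accountable while the item is in their possession
    action: str      # seized | accessed | stored | transferred
    note: str        # purpose, location, receiving party


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    sha256: str                              # fixed at seizure, never updated
    log: List[CustodyEntry] = field(default_factory=list)  # chronological


ALLOWED_ACTIONS = {"seized", "accessed", "stored", "transferred"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(when: Optional[datetime]) -> str:
    return (when or datetime.now(timezone.utc)).isoformat()


def seize(item_id: str, description: str, data: bytes, handler: str,
          note: str, when: Optional[datetime] = None) -> EvidenceItem:
    """Create the record at the scene: hash first, then open the log."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.log.append(CustodyEntry(_stamp(when), handler, "seized", note))
    return item


def record(item: EvidenceItem, handler: str, action: str, note: str,
           when: Optional[datetime] = None) -> None:
    """Every later touch is appended; entries are never edited or removed."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown custody action: {action}")
    item.log.append(CustodyEntry(_stamp(when), handler, action, note))


def verify(item: EvidenceItem, data: bytes) -> bool:
    """True if the working copy still matches the hash taken at seizure."""
    return sha256_hex(data) == item.sha256


def custody_problems(item: EvidenceItem) -> List[str]:
    """Checks a reviewer runs before relying on the item as evidence."""
    problems = []
    if not item.log or item.log[0].action != "seized":
        problems.append("log does not start with a seizure entry")
    for prev, cur in zip(item.log, item.log[1:]):
        if cur.timestamp < prev.timestamp:
            problems.append(f"entry out of order at {cur.timestamp}")
        # After a transfer the next action must come from the receiving party,
        # otherwise the hand-over was never acknowledged.
        if prev.action == "transferred" and cur.handler == prev.handler:
            problems.append(f"transfer at {prev.timestamp} not acknowledged by a new handler")
    return problems


if __name__ == "__main__":
    image = b"constructed sample disk image contents"   # constructed stand-in
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    item = seize("EV-001", "laptop SSD image", image, "A. Analyst",
                 "imaged at scene behind a write blocker", t0)
    record(item, "A. Analyst", "transferred", "handed to lab", t0.replace(hour=11))
    record(item, "B. Examiner", "accessed", "opened for analysis", t0.replace(hour=13))
    print("working copy intact:", verify(item, image))
    print("tampered copy intact:", verify(item, image + b"\x00"))
    print("custody problems:", custody_problems(item))
```

The hash is computed before anything else happens to the data, and examiners work from copies that are re-verified against it; the log is only ever appended to, so the record of who held the item is as complete as the guidelines require, and the review function surfaces the common gap of a transfer that the receiving party never acknowledged.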
  • 4. Live Evidence
Data that is dynamic and exists in processes that disappear in a relatively short time frame once the system is powered down

Short Term Containment
The short term goal is to prevent more damage from occurring and provide time for additional analysis and mitigation. Isolate the system from the production network and create a backup copy for investigation.
Possible short term containment steps include:
Remove power
Unplug the NIC
Change DNS entries
Apply new ACL filters
Isolate network segments
Disconnect Internet access
Apply null routing

Long Term Containment
If an affected system is a critical system, it may be necessary to keep it in production while a new system is built to take over its functions. After a backup of the system has been made for investigation, steps must be taken to mitigate the incident while leaving the system available.
Long term containment steps include:
Remove compromised accounts
Apply security patches
Alter firewall rules
Remove malware
Place in a dirty VLAN

  • 5. Analysis
Media Analysis
Recovery of information or evidence from information media
The media may have been overwritten, damaged, degaussed, or re-used
Network Analysis
Analysis and examination of network logs and activity for potential evidence
The critical phase of the process is proper evidence handling and processing
Software Analysis
Encompasses investigative activity such as:
Malware analysis
Intellectual property disputes
Copyright infringements
Goals:
Author identification
Content analysis
Payload and context analysis

Recovery
Eventually the necessary steps to resolve the incident will be performed. Recovery simply implies the amount of time it may take for operations to be fully restored.

Reporting and Documenting
One of the most important, yet overlooked, phases is the debriefing and feedback phase

Security Policy Review
  • 6. Which controls were inadequate or failed?
How can we improve our controls?
Did the Incident Management Plan function as intended?

Physical Security
Deter
Delay
Detect
Assess
Respond

Defense in Depth
The practice of placing multiple layers of defenses (security controls) to provide redundancy in the event a control fails or a vulnerability is exploited
Layered barrier designs are advantageous when they require increased knowledge, skill, and talent to circumvent them
An important concept borrowed from the military; it has been used since at least 216 BCE

Access Control
  • 7. Ensures that only authorized personnel are permitted inside the controlled area
Persons subject to control include employees, visitors, customers, vendors, and the general public
Authorization mechanisms typically include:
Identification badges or cards – Something you have
Magnetic stripe, proximity cards, or smart cards

Closed Circuit TV (CCTV)
A collection of cameras, recorders, switches, keyboards, and monitors that allow viewing and recording of security events
Provides a highly flexible method of surveillance and monitoring
Can provide deterrence, detection, and evidentiary archives

External Monitoring
Infrared (IR) sensors
Microwave
Coaxial strain-sensitive cable
Lighting
Cameras
Monitor displays
Guards
Alarm

Internal Access
Doors
  • 8. Turnstiles
Mantraps
Keys
Locks
Safes

Fire Prevention
Classes of fires
Data center requirements
VESDA devices

Classes of Fire

Stages of a Fire
A fire normally goes through four stages of development:
Incipient (pre-combustion)
Visible smoke
Fast flaming
Heat

  • 9. Data Center Requirements
Have suppression agents such as water, carbon dioxide, FM-200 (the industry-recognized replacement for Halon 1301), etc., on hand.
Install alarms and sensors (e.g., ion-based or optical smoke detectors) and fixed or rate-of-rise temperature sensors.
Data centers require particularly sensitive alarms. Instead of commercial-grade fire alarms, data centers should have devices that signal the early stages of a fire through optical or chemical sensors that may sound an alarm before a fire even starts.

VESDA Detectors
VESDA (an abbreviation of Very Early Smoke Detection Apparatus) is a laser-based smoke detection system.

Fire Protection
Heating, ventilation, and air conditioning systems maintain appropriate humidity and temperature controls as well as a contaminant-free air supply
Monitoring systems can detect abnormal data center temperatures, humidity, or other factors

HVAC Systems
Heating, ventilation, and air conditioning systems maintain appropriate humidity and temperature controls as well as a contaminant-free air supply.
Monitoring systems can detect abnormal data center temperatures, humidity, or other factors.
Monitoring devices alert you to a potential problem before there is a disruption in service.
  • 10. Ideally, HVAC systems will have backup power and be isolated from the rest of the building.

Power
Electric power goals – Provide clean and steady power for data centers, including UPS (uninterruptible power supply), surge protectors, and protection from transient noise, etc.
Ensure that a proper electrical infrastructure is in place, and have this validated by a certified electrician.
Mission-critical data centers should have alternate power sources, such as emergency generators, as well as a minimum 24-hour fuel supply.