Latihan6 comp-forensic-bab5 (Exercise 6, Computer Forensics, Chapter 5)



  1. Incident Handling. Presented by Sabto Prabowo
  2. Introduction to Incident Handling. An incident is an event or set of events that threatens the security of computing systems and networks. Examples include system crashes, packet flooding, and unauthorized use of another user's account.
  3. Types of Incidents. Incidents can be classified as one or more of the following:
     • Repudiation
     • Reconnaissance attack
     • Harassment
     • Extortion
     • Pornography trafficking
     • Organized crime activity
     • Subversion
     • Hoax
     • Caveat
  4. Security Incidents. A security incident includes the following:
     • Evidence of data tampering
     • Unauthorized access, or attempts at unauthorized access, from internal and external sources
     • Threats and attacks delivered by an electronic medium
     • Defaced Web pages
     • Detection of unusual activity, such as possibly malicious code or modified traffic patterns
  5. Security Incidents (continued)
     • Denial-of-service attacks
     • Other malicious attacks, such as virus attacks, that damage servers or workstations
     • Other types of incidents that weaken trust and confidence in information technology systems
  6. Category of Incidents: Mid Level
     • Unfriendly employee termination
     • Violation of special or privileged access to a computer or any computing facility that would normally be accessible only to administrators
     • Illegal access to the network
     • Unauthorized storing or processing of data
     • Destruction of property worth less than $100,000
     • Personal theft of an amount less than $100,000
     • Presence of a computer virus or worm of higher intensity
  7. Category of Incidents: High Level
     • Suspected computer break-in
     • Denial-of-service attacks
     • Presence of a harmful virus or worm that can lead to serious corruption or loss of data
     • Changes to hardware, software, or firmware without authorization
     • Destruction of property worth more than $100,000
     • Theft worth more than $100,000
     • Child pornography
     • Gambling
     • Illegal downloads of copyrighted material, including music, videos, and software
     • Other illegal file downloads
     • Any violation of the law
  8. How to Identify an Incident
     • Suspicious log entries
     • System alarms from the IDS
     • Presence of unexplained user accounts on the network
     • Presence of suspicious files or unknown file extensions on the system
     • Modified files or folders
     • Unusual services running or ports opened
     • Unusual system behavior
     • Changed drive icons
     • Drives not accessible
     • More packets received than expected
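Most of the indicators on this slide (unexplained accounts, modified files, unexpected open ports) can only be recognized against a baseline recorded during the preparation phase, and "suspicious log entries" needs a concrete rule. The following Python script is an added example, not part of the presentation or any tool it mentions: it compares a constructed known-good baseline with a constructed current snapshot, and scans constructed sshd-style log lines for a source that failed repeatedly and then logged in successfully. The function names (hash_manifest, compare_snapshots, suspicious_logins), the sample file contents, accounts, ports and log lines are all assumptions made up for illustration; on a real host the snapshot would come from /etc/passwd, a SHA-256 manifest such as sha256sum produces, and the listening sockets reported by ss -lntp.

```python
"""Detect the incident indicators from the slide against a recorded baseline.

Added example, not from the original presentation. All data below is
constructed: the baseline, the current snapshot and the log lines.
"""
import hashlib
import re

# Constructed file contents standing in for real files on disk.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0::/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n",
    "/usr/bin/ssh": b"\x7fELF... ssh binary v1 (constructed)",
}
CURRENT_FILES = {
    # /etc/passwd gained a UID-0 account; /usr/bin/ssh was replaced.
    "/etc/passwd": BASELINE_FILES["/etc/passwd"] + b"support:x:0:0::/root:/bin/bash\n",
    "/usr/bin/ssh": b"\x7fELF... ssh binary with credential logger (constructed)",
    # A file that did not exist when the baseline was taken.
    "/tmp/.x/kit.so": b"\x7fELF... (constructed)",
}

# Constructed sshd-style auth log: three failures then a success from one
# source, a lone failure from another, and a clean login from a third.
AUTH_LOG = [
    "Jan 12 03:11:01 web1 sshd[2210]: Failed password for alice from 203.0.113.5 port 51000 ssh2",
    "Jan 12 03:11:04 web1 sshd[2211]: Failed password for alice from 203.0.113.5 port 51001 ssh2",
    "Jan 12 03:11:06 web1 sshd[2212]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2",
    "Jan 12 03:11:07 web1 sshd[2213]: Failed password for alice from 203.0.113.5 port 51002 ssh2",
    "Jan 12 03:11:09 web1 sshd[2214]: Accepted password for alice from 203.0.113.5 port 51003 ssh2",
    "Jan 12 08:30:00 web1 sshd[2301]: Accepted password for alice from 192.0.2.10 port 60010 ssh2",
]

FAILED = re.compile(r"Failed password for (?:invalid user )?(\w+) from ([\d.]+)")
ACCEPTED = re.compile(r"Accepted password for (\w+) from ([\d.]+)")


def hash_manifest(files):
    """Map each path to the SHA-256 hex digest of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_snapshots(baseline, current):
    """Return the slide's host-level indicators: unexplained accounts,
    modified or new files, and ports open that were not open at baseline."""
    base_files, cur_files = baseline["files"], current["files"]
    return {
        "unexplained_accounts": sorted(current["accounts"] - baseline["accounts"]),
        "modified_files": sorted(
            p for p, h in cur_files.items() if p in base_files and base_files[p] != h
        ),
        "new_files": sorted(set(cur_files) - set(base_files)),
        "unexpected_ports": sorted(current["ports"] - baseline["ports"]),
    }


def suspicious_logins(lines, threshold=3):
    """Return (source_ip, user, failures) for each source that accumulated at
    least `threshold` failed logins and then logged in successfully. A guess
    that eventually worked is a far stronger indicator than failures alone."""
    failures = {}
    hits = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            ip = m.group(2)
            failures[ip] = failures.get(ip, 0) + 1
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m.group(2), 0) >= threshold:
            hits.append((m.group(2), m.group(1), failures[m.group(2)]))
    return hits


# Constructed baseline recorded during preparation, and the snapshot taken
# once the system started behaving oddly.
BASELINE = {
    "accounts": {"root", "alice", "www-data"},
    "files": hash_manifest(BASELINE_FILES),
    "ports": {22, 80, 443},
}
CURRENT = {
    "accounts": {"root", "alice", "www-data", "support"},
    "files": hash_manifest(CURRENT_FILES),
    "ports": {22, 80, 443, 4444},
}

if __name__ == "__main__":
    for name, items in compare_snapshots(BASELINE, CURRENT).items():
        print(f"{name}: {items}")
    print("brute force that succeeded:", suspicious_logins(AUTH_LOG))
```

Two caveats a practitioner would add: the baseline must be captured from a system known to be clean and stored off the host (an intruder who can replace /usr/bin/ssh can also edit a manifest kept beside it), and the comparison must run from trusted tooling, since a trojaned binary will happily report itself as unmodified.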
  9. How to Prevent an Incident
     • Scanning
     • Auditing
     • Detecting intrusions
     • Establishing defense-in-depth
     • Securing clients for remote users
  10. Incident Management
     • Threat analysis and assessment
     • Vulnerability analysis
     • Estimating the cost of an incident
     • Change control
  11. Incident Reporting
     • Computer incident reporting
     • Where to report an incident
     • Reporting a privacy or security violation
     • Preliminary information security incident reporting form
     • Why organizations do not report computer crimes
  12. Incident Response
     • Identification of affected resources
     • Incident assessment
     • Assignment of event identity and severity level
     • Assignment of incident task force members
     • Containing threats
     • Evidence collection
     • Forensic analysis
     • Security incident response
     • Incident response policy
     • Computer Security Incident Response Team (CSIRT)
     • Incident response checklist
     • Response handling roles
     • Contingency planning
     • Budget/resource allocation
  13. Incident Handling. Procedure for incident handling:
     1. Preparation
     2. Identification
     3. Containment
     4. Eradication
     5. Recovery
     6. Follow-up
  14. CSIRT. A computer security incident response team (CSIRT) is trained in dealing with security matters related to intrusions and incidents. The team secures networks from external attacks.
  15. Types of Incidents and Levels of Support. The level of support provided depends on:
     • Type and severity of the incident or issue
     • Type of client
     • Size of the user community affected
     • Available resources
  16. Incident-Specific Procedures: Virus and Worm Incidents
     1. Isolate the system.
     2. Notify the appropriate authorities.
     3. Identify the problem.
     4. Contain the virus or worm.
     5. Inoculate the systems.
     6. Return to a normal operating mode.
     7. Perform a follow-up analysis.
  17. Incident-Specific Procedures: Hacker Incidents
     1. Identify the problem.
     2. Notify the appropriate authorities.
     3. Identify the hacker.
     4. Notify CERT.
     5. Perform a follow-up analysis.
  18. Steps for Creating a CSIRT
     1. Obtain management's support and buy-in
     2. Determine the CSIRT development strategic plan
     3. Gather relevant information
     4. Design the CSIRT vision
     5. Communicate the CSIRT vision
     6. Begin CSIRT implementation
     7. Announce the CSIRT
  19. World CERTs
     • APCERT (Asia Pacific Computer Emergency Response Team)
     • AusCERT (Australia Computer Emergency Response Team)
     • HKCERT (Hong Kong Computer Emergency Response Team Coordination Center)
     • JPCERT/CC (Japan Computer Emergency Response Team/Coordination Center)
     • MyCERT (Malaysian Computer Emergency Response Team)
     • PakCERT (Pakistan Computer Emergency Response Team)
     • SingCERT (Singapore Computer Emergency Response Team)
     • TWCERT/CC (Taiwan Computer Emergency Response Team/Coordination Center)
     • CNCERT/CC (China Computer Emergency Response Team/Coordination Center)