Downloaded 176 times
More Related Content
Similar to Incident response process
Incident response process
- 1. PRESENTED BY BHUPESHKUMAR M.V.NANHE DEPARTMENT OF FORENSIC SCIENCE, SHRI SHIVAJI COLLEGE OF ARTS, COMMERCE & SCIENCE, AKOLA (MH)
- 2. Synopsis Introduction to ComputerSecurity Incident Goals of Incident Response Experts involves in Incident Response Incident Response Methodology Pre-Incident Preparation Detection of Incident Formulate a Response Strategy Data Collection Data Analysis Reporting Resolution 02/15
- 3. Introduction to ComputerSecurity Incident Computer Security Incident as any unlawful, unauthorized or unacceptable action that involve a computer system or a computer network. Such actions can be; Email harassment Embezzlement Possession and dissemination of child pornography DoS attacks Theft of trade secretes 03/15
- 4. Goals of IncidentResponse Confirms whether an incident occurred or not Minimizes disruption of business and network operation Promote accumulation of accurate information Protect privacy rights established by law and policy Provide accurate report and useful recommendations Allows criminal or civil actions against perpetrator(s) Protect your organization’s reputation and assest Educates senior management 04/15
- 5. Experts involves inIncident Response Process Computer Security Incident Response Team (CSIRT) respond the incident and that includes followings experts. Technical experts, Cyber Security experts, Legal counsel, Corporate security officer, Business Managers, End User Human Recourses personnel Workers 05/15
- 6. Incident Response Methodology Fig.Incident Response Methodology 06/15
- 7. Pre-Incident Preparation Preparation ofOrganization Implementing host based security Implementing network based security Employing an intrusion detection system (IDS) Creating strong access control Training end user Preparation of CSIRT The hardware needed to investigate computer security incidents The software needed to investigate computer security incidents The documentation needed to investigate computer security incidents 07/15
- 8. Detection of Incident IDSDetection of remote attack Numerous failed logon attempts Logins into dormant or default accounts New account not created by system administrator Unfamiliar file and executable program Altered pages on webserver Gaps in log files Slower System performance System Crash Receipt of Email Exporting your organization Child Pornography 08/15
- 9. Initial Response Interviewing thesystem administration Interviewing business unit personnel Reviewing the IDS report and network-based logs to identify the data Reviewing the network topologies and access control list . 09/15
- 10. Formulate a ResponseStrategy Based on the results of all known facts, determine the best response and obtain management approval. Determine what civil, criminal, administrative or other actions area appropriate to take, based on the conclusion drawn from the investigation. 10/15
- 11. Data Collection 1. NetworkBased Evidence Obtain IDS logs Obtain existing router logs Obtain relevant firewall logs Perform network monitoring Obtain Backup 2. Host Based Evidence Obtain volatile data during a live response Obtain the system time/date for every file on the victim system Obtain backup 3. Other Evidence Obtain oral testimony from witnesses 11/15
- 12. Forensic Analysis Fig. ForensicAnalysis 12/15
- 13. Reporting Documents immediately Write concisely Usestandard format 13/15
- 14. Resolution Identify the organization’stop priorities and resolve them Returning all the system in operational status Implement proper computer as well as network security Restore any affected or compromised system Apply corrections required to address any host-based vulnerabilities 14/15
- 15.