Download to read offline
Uploaded byEric Vanderburg
Incident response table top exercises
An unauthorized individual accessed private confidential data on an FTP server, triggering an incident response. The response team needed to determine how the data was accessed, scope the incident, and identify impacted stakeholders. They then took steps to contain the incident by blocking IP addresses, shutting down the FTP server, changing credentials, and moving servers. The team also restored data from backups and requested clients resend information. Post-incident activities included meetings with management and IT to prevent future occurrences through measures like shortening timeouts, adding alerts and encryption, and restricting FTP server access.
More Related Content
Similar to Incident response table top exercises
Incident response table top exercises
- 1. Incident Response Table TopExercises Eric Vanderburg, MBA, CISSP June 19, 2008
- 2. Scenario • Private confidentialdata on an FTP server is accessed by an unauthorized individual • Incident: YES • Issues – Potential privacy notification is needed – More data could be viewed or stolen so the incident needs to be contained – Data needs to be replaced
- 3. Detection and Analysis •Determine access method – Stolen or sniffed password – Exploit in system • Determine the scope of the incident – Find out if the incident has happened before and never discovered. – Were other systems accessed with the same credentials – Find out which data was accessed and which stakeholders/clients are impacted by the disclosure • Determine if the data obtained is in a form that would disclose private data, can be converted into a form that would disclose private data, or can be combined with data from another incident to disclose private data.
- 4. Containment Strategies • BlockIP or IP subnet from the firewall • Shutdown FTP • Change FTP passwords • Move FTP to another server • Change FTP ports • Contact source and try to stop the distribution or use of the information
- 5. Recovery • Restore datafrom backup • Request that the client resend the data
- 6. Post-incident Activities • Attendees: –Management • CEO / Senior Partner • COO • Network Operations Manager • Litigation Support Manager – Public Relations Analyst – Sales Manager (Facilitator) – IT Staff • Senior Network Engineer • Network Engineer • FTP Administrator • Network Analyst
- 7. Preventing Future Occurrences •Set timeout on FTP site • Set alerts on FTP events • Encrypt username and password or require VPN for FTP • Set FTP server to only respond to specific IP addresses • Configure Firewall rules for FTP ports to only allow traffic from specific pre-approved IP addresses or subnets.