Incident handling involves preparing for, identifying, containing, eradicating, recovering from, and following up on security incidents. An incident is any event that threatens the security of systems and networks, such as system crashes, unauthorized access, or malware. Incident handling procedures include isolating affected systems, notifying authorities, identifying threats, containing damage, collecting evidence, and analyzing the cause of incidents. Computer security incident response teams coordinate incident response and work to secure networks from foreign attacks.

1. Incident Handling
Presented By
Sabto Prabowo

2. Introduction to Incident Handling
An incident is an event or set of
events that threatens the security of
computing systems and networks. It
includes system crashes, packet
flooding, and unauthorized use of
another user’s account.

3. Types of Incidents
Incidents can be classified as
one or more of the following:
• Repudiation
• Reconnaissance attack
• Harassment
• Extortion
• Pornography trafficking
• Organized crime activity
• Subversion
• Hoax
• Caveat

4. Security Incidents
A security incident includes the following:
• Evidence of data tampering
• Unauthorized access or attempts at
unauthorized access from internal and external
sources
• Threats and attacks by an electronic medium
• Defaced Web pages
• Detection of some unusual activity, such as
possibly malicious code or modified traffic
patterns

5. Security Incidents
• Denial-of-service attacks
• Other malicious attacks, such as virus
attacks, that damage the servers or
workstations
• Other types of incidents that weaken the
trust and confidence in information
technology systems

6. Category of Incidents: Mid Level
• Unfriendly employee termination
• Violation of special or privileged access to a
computer or any computing facility that would
normally only be accessible to administrators
• Illegal access of the network
• Unauthorized storing or processing of data
• Destruction of property worth less than $100,000
• Personal theft of an amount less than $100,000
• Presence of computer virus or worm of higher
intensity

7. Category of Incidents: High Level
• Suspected computer break-in
• Denial-of-service attacks
• The presence of a harmful virus or worm, which can lead
to serious corruption or loss of data
• Changes in hardware, software, and firmware without
authentication
• Destruction of property worth more than $100,000
• Theft worth more than $100,000
• Child pornography
• Gambling
• Illegal downloads of copyrighted material, including
music, videos, and software
• Other illegal file downloads
• Any violations of the law

8. How to Identify an Incident
• Suspicious log entries
• System alarms from the IDS
• Presence of unexplained user accounts on the network
• Presence of suspicious files or unknown file extensions
on the system
• Modified files or folders
• Unusual services running or ports opened
• Unusual system behavior
• Changed drive icons
• Drives not accessible
• More packets received than expected

9. How to Prevent an Incident
• Scanning
• Auditing
• Detecting intrusions
• Establishing defense-in-depth
• Securing clients for remote users

10. Incident Management
- Threat Analysis and Assessment
- Vulnerability Analysis
- Estimating the Cost of an Incident
- Change Control

11. Incident Reporting
- Computer Incident Reporting
- Where to Report an Incident
- Report a Privacy or Security Violation
- Preliminary Information Security Incident
Reporting Form
- Why Organizations Do Not Report Computer
Crimes

12. Incident Response
- Identification of Affected Resources
- Incident Assessment
- Assignment of Event Identity and Severity Level
- Assignment of Incident Task Force Members
- Containing Threats
- Evidence Collection
- Forensic Analysis
- Security Incident Response
- Incident Response Policy
- Computer Security Incident Response Team (CSIRT)
- Incident Response Checklist
- Response Handling Roles
- Contingency Planning
- Budget/Resource Allocation

13. Incident Handling
Procedure for Incident Handling:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Follow-up

14. CSIRT
A computer security incident response
team (CSIRT) is trained in dealing with
security matters related to
intrusions and incidents. The team
secures networks from foreign attacks.

15. Types of Incidents and Levels of
Support
• Type and severity of the incident or
issue
• Type of client
• Size of the user community affected
• Available resources

16. Incident-Specific Procedures
Virus and Worm Incidents
1. Isolate the system.
2. Notify the appropriate authorities.
3. Identify the problem.
4. Contain the virus or worm.
5. Inoculate the systems.
6. Return to a normal operating mode.
7. Perform a follow-up analysis.

17. Incident-Specific Procedures
Hacker Incidents
1. Identify the problem.
2. Notify the appropriate authorities.
3. Identify the hacker.
4. Notify CERT.
5. Perform a follow-up analysis.

18. Steps for Creating a CSIRT
1. Obtain Management’s Support and Buy-In
2. Determine the CSIRT Development
Strategic Plan
3. Gather Relevant Information
4. Design the CSIRT Vision
5. Communicate the CSIRT Vision
6. Begin CSIRT Implementation
7. Announce the CSIRT

19. World CERTs
- APCERT (Asia Pacific Computer Emergency Response Team)
- AusCERT (Australia Computer Emergency Response Team)
- HKCERT (Hong Kong Computer Emergency Response Team
Coordination Center)
- JPCERT/CC (Japan Computer Emergency Response Team/Coordination
Center)
- MyCERT (Malaysian Computer Emergency Response Team
- PakCERT (Pakistan Computer Emergency Response Team)
- SingCERT (Singapore Computer Emergency Response Team
- TWCERT/CC (Taiwan Computer Emergency Response
Team/Coordination Center)
- CNCERT/CC (China Computer Emergency Response Team/Coordination
Center)