INCIDENT RESPONSE IMPLEMENTATION
David Basham
University of Advancing Technology
Professor: Robert Chubbuck
NTS435
INCIDENT RESPONSE: The Need
Due to an increase in the number of threats to networks, both internal and external, there is a need not only for the detection of breaches but also for a prompt response to such events. In order to help safeguard our organization's data and the privacy of our clients, an Incident Response plan will be implemented based on the NIST Computer Security Incident Handling Guide (SP 800-61).
INCIDENT RESPONSE: Policy Development
Management Commitment
In order for an Incident Response plan to be of use we will need the commitment, cooperation, and support of the various heads of management. This will require the overall idea to be discussed among those managers and their agreement obtained.
Managers Involved
•CEO
•COO
•CAO
•CIO
•Second Level Managers
INCIDENT RESPONSE: Process of Development
Step 1 •Establish Team for development of Incident Response Plan (IRP).
Step 2 •Define scope of policy and Organizational Structure of IRT.
Step 3 •Prioritize the severity of different incidents.
Step 4 •Create Standard Operating Procedures (SOPs).
Step 5 •Test SOPs in various scenarios for soundness.
Step 6 •Roll out final Incident Response Plan.
Supporting tasks across the steps:
•Define roles of team members.
•Define what constitutes a security incident.
•Identify third parties requiring contact.
•Review tests and change SOPs as needed.
•Begin selection of IRT members.
•Establish timetable for completion.
•Review NIST SP 800-61.
•Develop drafts of reporting and contact forms.
•Develop performance measurements.
•Review final draft with appropriate management.
•Begin training for members of IRT.
•Develop audit procedures for IRP.
INCIDENT RESPONSE: Basic Model Selection
Team Model
•Internal: Due to the size of the organization combined with the sensitive nature of the information being protected, it will be best to use a fully internal team consisting of employees.
•Central Incident Response Team: Currently the structure of the organization does not create the need for more than one response team. However, future expansion may mean converting this model to that of Distributed Incident Response Teams.
INCIDENT RESPONSE: Suggested Basic Team Structure
•Upper Management
•Incident Response Team Lead
•Public Relations Liaison
•IT Liaison
•Technical Lead
•Support Staff
INCIDENT RESPONSE: Interdepartmental Dependencies
The following departments will designate a liaison to work with the IRT when needed.
•Legal Department
•Human Resources
•Facilities Management
•IT Central Support
INCIDENT RESPONSE: IRT Services
Intrusion Detection
The monitoring and detection portion of network security is handled by a group that falls under both the IRT and IT. The members that work on intrusion detection are under the management of IT, but their services and direction fall under the IRT.
Advisory Distribution
Should our organization reach the size where distributed incident response teams are used, notification of the other teams (and appropriate personnel) about new threats and vulnerabilities will become part of the standard operating procedures.
Education and Awareness
The IRT will contribute to the training and awareness of the organization's users in order to proactively combat some of the simpler avenues of attack.
INCIDENT RESPONSE: Third Party Contacts
The Incident Response Team maintains contacts with:
•Customers, Constituents, & Media
•Internet Service Providers
•Software & Support Vendors
•Trustwave: Spider Labs (Incident Response Statistics)
•Law Enforcement Agencies
INCIDENT RESPONSE: Proposed IRT Cycle
•Preparation: Internal checks and training.
•Detection: Proactive or reactive defense.
•Containment: Eradication and recovery.
•Post-Incident Activity: Contacting third parties and press release if needed.
•Review: Analyze effectiveness of response.
INCIDENT RESPONSE: Interdepartmental Exchange of Control
•Network Security Group: Monitoring for events and informing the IRT when one occurs.
•Incident Response Team: Assumes control of the incident and directs efforts until completion of the IRT cycle.
•Internal Audit: Assumes control after the IRT cycle and reviews to ensure completion.
INCIDENT RESPONSE: Documentation
Current Status of the Incident
Upon completion of the IRT cycle this documentation should cover the current state of the incident and any remaining problems or suggestions.
Incident Summary
This documentation should summarize the incident in question from its detection to final analysis.
All actions taken by the Incident Response Team
In order to keep track of changes and for reference purposes, any and all changes/actions taken by the IRT should be documented.
Impact Assessment
An analysis of the overall impact (financial, reputational, etc.) should be included as documentation for reference and legal purposes.
Cycle Summary
A shortened summary of the important details of the IRT cycle should be documented for reference purposes.
INCIDENT RESPONSE: Law Enforcement Involvement
Local Police
In instances of local disturbances, physical break-ins, and incidents caused by employees, the findings will be turned over to local police and charges filed should the legal department decide it is warranted.
S.L.E.D.
In instances of computer crime that does not leave the boundaries of the state of South Carolina, the South Carolina Law Enforcement Division will be notified and brought into the investigation if deemed necessary by the legal department.
F.B.I.
In instances of computer crime that crosses state lines, or that involves the breaking of Federal law, the Federal Bureau of Investigation will be notified and brought into the investigation if deemed necessary by the legal department.
INCIDENT RESPONSE: Media Involvement
In certain cases a security incident may require some kind of statement or media publication. In order to best protect our organization, no one outside the public relations department (Senior Level Management excluded) is authorized to represent the company in any form of media. The IRT will coordinate with the PR, legal, and other necessary departments to create any press and/or media releases.
INCIDENT RESPONSE: References
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, January 31). Computer Security Incident Handling Guide (Draft SP 800-61 Rev. 2). Retrieved June 9, 2012, from National Institute of Standards and Technology: http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf
Henderson, C. (2011). 2011 Global Security Stats and Trends. Retrieved June 9, 2012, from Build Security In: https://buildsecurityin.us-cert.gov/swa/presentations_032011/CharlesHenderson-2011GlobalSecurityStatsAndTrends.pdf