Incident Response Updated 03/20/2015

Upload: wilfrid-lawson

Post on 24-Dec-2015


TRANSCRIPT

Page 1: Incident Response Updated 03/20/2015. Definition of Terms Purpose Incident Response Flow Chart Tips to mitigate future incidents Topics

Incident Response
Updated 03/20/2015

Page 2:

Topics

• Definition of Terms
• Purpose
• Incident Response Flow Chart
• Tips to mitigate future incidents

Page 3:

Definition of Terms

• Incident – A security breach or attack

• Security Incident – A change in the everyday operations of your network, service, or website, indicating that a security policy may have been violated or a security safeguard may have failed

• Incident Response – An organized approach to addressing and managing the aftermath of a security breach or attack

Page 4:

Purpose

• Provide systematic methods that website administrators should follow when responding to a security incident

The incident response outlined here may be adapted depending on the process that works best for your agency and the nature of the attack you face.

Page 5:

Incident Response Flow Chart

Page 6:

Incident Response Flow Chart

Page 7:

Incident Response Flow Chart

• Upon confirmation, communicate the breach to other people who are part of your incident response team and your hosting provider to make them aware of the situation

• Gain an idea of the nature of the attack
– Identify the type and severity
– Determine the intent of the attack

Page 8:

Incident Response Flow Chart

• Common signs that your website has been compromised
– Your website has been defaced
– Your website redirects to another site
– Your browser may indicate that your site may be compromised
– Your web logs show unexplained large spikes in network traffic


Page 10:

Incident Response Flow Chart

Page 11:

Incident Response Flow Chart

• Begin containing the damage and minimizing the risk
– Record your actions thoroughly, as this may be used for documenting the incident

• Compare the cost of taking the compromised site offline against the risk of continuing operations or keeping systems online with limited connectivity

Page 12:

Incident Response Flow Chart

• Require an immediate change of password for all site users and accounts – CMS, database, FTP and hosting control panel accounts

• Identify compromised data
– Review and examine logs
– Check for permission changes or elevated user permissions
– Check for new accounts, new URLs, new pages, new files and directories
– Check databases for suspicious content and values

Page 13:

Incident Response Flow Chart

• Identify compromised data
– Look for unauthorized processes or applications that are currently running
– Compare your site to a clean backup copy
– Use version control, if available
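As an added illustration of the "compare your site to a clean backup copy", "check for new files and directories" and "check for permission changes" steps above (example code written for this page, not part of the original deck), a small Python script that hashes every file under the live site and under the clean backup and reports added, modified, missing and group/world-writable files. The site tree it runs on is a constructed sample built in a temporary directory.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map relative path -> (sha256, permission bits) for every regular file under root."""
    return {str(p.relative_to(root)): (sha256_of(p), stat.S_IMODE(p.stat().st_mode))
            for p in root.rglob("*") if p.is_file()}

def compare_to_backup(live: Path, backup: Path) -> dict:
    """Diff the live site tree against the clean backup.
    added    : on the live site only (unexpected new files/directories)
    modified : content differs from the clean copy
    missing  : in the backup but gone from the live site
    writable : live files writable by group or others (permission check)"""
    live_snap, backup_snap = snapshot(live), snapshot(backup)
    report = {"added": [], "modified": [], "missing": [], "writable": []}
    for rel, (digest, mode) in live_snap.items():
        if rel not in backup_snap:
            report["added"].append(rel)
        elif backup_snap[rel][0] != digest:
            report["modified"].append(rel)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            report["writable"].append(rel)
    report["missing"] = [rel for rel in backup_snap if rel not in live_snap]
    return {k: sorted(v) for k, v in report.items()}

def demo() -> dict:
    """Constructed sample: a tiny site and its clean backup, with one file changed,
    one unexpected file added (world-writable) and one file removed on the live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "inc").mkdir(parents=True)
            (root / "index.php").write_text("<?php echo 'hello'; ?>")
            (root / "inc" / "config.php").write_text("<?php $db = 'site'; ?>")
        (backup / "robots.txt").write_text("User-agent: *\n")
        (live / "index.php").write_text("<?php echo 'hello'; /* changed */ ?>")
        (live / "inc" / "x.php").write_text("<?php /* not in backup */ ?>")
        (live / "inc" / "x.php").chmod(0o666)
        return compare_to_backup(live, backup)
```

Calling `demo()` returns the report for the sample tree; on a real site, point `compare_to_backup()` at the document root and the restored backup directory.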

Page 14:

Incident Response Flow Chart

• Depends on the extent of the security breach
– Restore the existing system?
– Completely rebuild it?

Page 15:

Incident Response Flow Chart

• Recovery steps for sites that have a clean and updated backup
– Restore clean backups
– Install any software/system upgrades, updates, or patches
– Assess installed applications and consider deleting those not in use
– Change the passwords one more time for all accounts
– Implement measures to prevent future access, then bring your site back online
– Monitor for any signs of recurrence

Page 16:

Incident Response Flow Chart

• Recovery steps for sites that have a clean but outdated backup
– Make a complete backup of your site, as reference. Mark it as “infected”
– Restore the clean backup
– Assess installed applications and consider deleting those that are not in use
– Upgrade all applications
– Identify the files that you'd like to copy from the infected copy and remove all traces of malicious code identified

Page 17:

Incident Response Flow Chart

• Recovery steps for sites that have a clean but outdated backup (continued)
– Upload the clean content to your clean copy
– Verify that file permissions are appropriate
– Change the passwords one more time for all accounts
– Implement measures to prevent future access
– Bring your site back online
– Monitor for any signs of weakness or recurrence

Page 18:

Incident Response Flow Chart

• Recovery steps for sites that have no backup available
– Make two full backups of your site. Mark each backup as “infected”
– Clean the site's content on one of the backups by removing all traces of the incident
– Verify that all file permissions are appropriate
– Clean up hacker-modified records in your databases. Perform a sanity check to make sure it looks clean

Page 19:

Incident Response Flow Chart

• Recovery steps for sites that have no backup available (continued)
– Correct vulnerabilities that have been found in your applications
– Change the passwords one more time. At this point, the backup copy you cleaned should contain only clean data
– Assess installed applications and consider deleting those not in use
– Upgrade all applications
– Implement measures to prevent future access
– Monitor for signs of recurrence

Page 20:

Incident Response Flow Chart

• Analyze the incident and how and why it took place

• Assess the damage and make recommendations for a better future response and for preventing a recurrence of the attack

Page 21:

Incident Response Flow Chart

• Consider whether you need to notify and report the incident to other staff

Page 22:

Tips to mitigate future incidents

Page 23:

Tips to mitigate future incidents

• Enforce the use of strong passwords for all users who have access to your site
– Passwords should be unique and should not be reused across the web

• Routinely check that all systems are up to date and have the latest patches installed

• Understand the security practices of all applications before you install them on your site
– A security vulnerability in one application can compromise the safety of your entire site

Page 24:

Tips to mitigate future incidents

• Make regular, automated backups of your site
– Be aware of where backups are maintained, who can access them, and the procedures for data restoration and system recovery
– Also maintain an offline copy of your backup

• Keep all devices that you use to log in to your site secure. Keep your operating system and web browsers up to date

• Routinely monitor and analyze site traffic and activity logs
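As an added example for the "routinely monitor and analyze site traffic and activity logs" tip above and for the "unexplained spikes in network traffic" sign of compromise on page 8 (example code written for this page, not from the original deck), a Python function that buckets access-log requests per minute and flags minutes far above the median of the others, together with the address responsible for most of that minute's requests. The log lines are a constructed sample in Apache/Nginx combined format; the 5x factor and 10-request floor are assumed thresholds to tune per site.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Apache/Nginx "combined" access log line, e.g.
# 203.0.113.9 - - [20/Mar/2015:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line: str):
    """Return ip, minute bucket, request line and status, or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "minute": ts.strftime("%Y-%m-%d %H:%M"),
            "req": m.group("req"), "status": int(m.group("status"))}

def find_spikes(lines, factor: float = 5.0, min_requests: int = 10) -> list:
    """Bucket requests per minute and flag any minute whose count exceeds
    factor x the median of the other minutes (and is at least min_requests)."""
    per_minute = Counter()
    ips_by_minute = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skipped here; a real tool should count these too
        per_minute[rec["minute"]] += 1
        ips_by_minute.setdefault(rec["minute"], Counter())[rec["ip"]] += 1
    spikes = []
    for minute, count in sorted(per_minute.items()):
        others = [c for m, c in per_minute.items() if m != minute]
        baseline = median(others) if others else 0
        if count >= min_requests and count > factor * baseline:
            top_ip, top_n = ips_by_minute[minute].most_common(1)[0]
            spikes.append({"minute": minute, "requests": count, "baseline": baseline,
                           "top_ip": top_ip, "top_ip_requests": top_n})
    return spikes

def sample_log() -> list:
    """Constructed sample: three quiet minutes and one burst from a single address."""
    lines = []
    for minute, ip, n in [(0, "198.51.100.1", 2), (1, "198.51.100.2", 3),
                          (2, "203.0.113.9", 12), (3, "198.51.100.3", 2)]:
        for sec in range(n):
            lines.append(f'{ip} - - [20/Mar/2015:10:{minute:02d}:{sec:02d} +0000] '
                         f'"GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append("garbage line that does not parse")
    return lines
```

On a real server, feed `find_spikes()` the lines of the access log (`open("access.log")`) and review the flagged minutes against the log entries themselves rather than acting on the count alone.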

Page 25:

End