INCIDENT RESPONSE: A very basic Overview
• Dan Mares
• Mares and Company, LLC
FedCIRC and DOE
• Federal Computer Incident Response Center (FedCIRC)
• http://www.fedcirc.gov/
• This is the DOE incident site.
• Computer Incident Advisory Capability (CIAC)
• Contains bulletins and lists of vulnerabilities.
• http://ciac.llnl.gov/ciac/index.html
Responding
• Responding to incidents will involve both management and technical personnel.
• Do you have a team set up?
• Information security officer (manager)
• First you must determine whether an incident has occurred.
• Report incidents of federal “interest” to the FedCIRC.
• It is almost redundant to say that incidents will often involve a violation of some state or federal law (especially 18 USC 1030), so law enforcement should be contacted at the appropriate time.
Some numbers
• Reported to the FedCIRC
• From: http://www.fedcirc.gov/incidentAnalysis/incidentStatistics.html
• Jan 2004: 855,000 reported incidents.
• 2003: 1.4+ million.
• 2002: 490,000.
Definitions
• Incident: What is an incident?
• An incident is the (real or potential) act of violating an explicit or implied security policy.
• This (FedCERT) definition relies on the existence of a security policy.
• An incident may also be considered an “attack” on the organization.
• An “adverse” event relating to an information system.
• An "event" is any observable occurrence in a system and/or network.
• http://all.net/books/ir/nswc/P5239-19.html
Incidents
• These may include but are not limited to:
• Increased Access: attempts (either failed or successful) to gain unauthorized access to a system or its data.
• Denial of Service: unwanted disruption or denial of service.
• Theft of Resources: the unauthorized use of a system for the processing or storage of data.
• Corruption: changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
• Disclosure: disclosure or distribution of information.
• Is it internal or external?
Small Steps to Incident Response
• Detect
• Is something happening (or has it happened)?
• Is it malicious or unintentional?
• E.g., someone cutting through a cable, or accidentally erasing data?
• Assess the (potential) damage.
• What is this costing you, in time and $$$?
Triage and Contain the problem.
• Take steps to mitigate further losses.
• Its status:
• Is it ongoing?
• Has it stopped? (Are you sure?)
• What is the likelihood of it coming back?
• Its scope:
• How much of your enterprise is/was affected? (What is the impact?)
Internal or External.
• Gather evidence.
• Preserve its integrity for prosecution and analysis.
• Save the evidence (archive it).
• Recover from the incident.
• Determine what/how to fix the problem.
• Implement fixes.
• Check to see if the fixes are appropriate.
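The "preserve its integrity" step above, as an added example that is not part of the original slides: a Python script that records a SHA-256 manifest over the collected evidence at archive time and re-checks it later, so any file that was modified or lost after collection is reported. The evidence file name, the log line and the collector name are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(evidence_dir, collector):
    """Record path, size and SHA-256 of every collected file, plus who collected it and when."""
    files = []
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir)
            files.append({"path": rel, "size": os.path.getsize(full), "sha256": sha256_file(full)})
    return {"collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "files": files}

def verify_manifest(evidence_dir, manifest):
    """Return a list of problems; an empty list means the archive still matches the manifest."""
    problems = []
    for entry in manifest["files"]:
        full = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(full):
            problems.append("missing: " + entry["path"])
        elif sha256_file(full) != entry["sha256"]:
            problems.append("modified: " + entry["path"])
    return problems

def demo():
    """Build a manifest over constructed sample evidence, then detect a change made after collection."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        log_path = os.path.join(evidence_dir, "auth.log")  # constructed evidence file
        with open(log_path, "w") as fh:
            fh.write("Jan 12 03:14:07 host sshd[412]: Failed password for root\n")  # constructed line
        manifest = build_manifest(evidence_dir, "analyst-1")  # constructed collector name
        before = verify_manifest(evidence_dir, manifest)      # expect []
        with open(log_path, "a") as fh:
            fh.write("tampered\n")                            # simulate an edit after archiving
        after = verify_manifest(evidence_dir, manifest)       # expect ["modified: auth.log"]
        return before, after
```

Store the manifest separately from the evidence archive (and ideally sign it) so that an alteration of the archive cannot be hidden by rewriting the manifest alongside it.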
Why?
• Why do “incidents” occur?
• Malicious
• Sabotage
• Terrorism - Politics
• Ex (disgruntled) employee
• $$$$ (financial gain, theft)
• Hacking
• Industrial espionage.
• International espionage.