Download Incident Response

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
Document related concepts

Computer security wikipedia , lookup

Transcript 
KULIAH 12
INCIDENT RESPONSE
(dirangkum dari buku Incident Response:
A strategic Guide to Handling System and Network Security)
Aswin Suharsono
KOM 15008
Keamanan Jaringan
2012/2013
Definisi
• Incident: event (kejadian) yang mengancam
keamanan sistem komputer dan jaringan.
• Event adalah semua hal yang bisa diobservasi
(diukur)
• Contoh event: connect ke sistem lain dalam jaringan,
mengakses file, mengirim paket, sistem shutdown,
dsb.
• Event yang mengancam antara lain, system crashes,
packet flood, penggunaan akun oleh orang yang
tidak berhak, web deface, bencana alam, dan hal-hal
lain yang membahayakan kinerja sistem
Incident Types
• CIA related incidents:
– Confidentiality: Upaya masuk ke dalam sistem rahasia militer
– Integrity
– Availability
• Other Types
– Reconnaissance Attacks
– Repudiation
• Someone takes action and denies it later on.
Kenapa perlu incident response?
• Bagi Organisasi
 Respon yang sistematis terhadap insiden
 Recover quickly
 Mencegah insiden serupa di masa depan
 Menyiapkan langkah-langkah yang berkaitan dengan
hukum
Incident Response Scope
• Technical:
– Incident detection and investigation tools and procedures
• Management-related
– Policy
– Formation of incident response capability
• In-house vs. out-sourced
Incident Handling
Preparation
Post-incident
activity
Detection
and Analysis
Containment, Eradication
and Recovery
PDCERF incident response method
Preparation
Incident Handling: Preparation
• Incident Handler Communications and Facilities
– Contact information On-call information for other teams
within the organization, including escalation information
Incident reporting mechanisms
– Pagers or cell phones to be carried by team members for
off-hour support, onsite communications
– Encryption software
– War room for central communication and coordination
– Secure storage facility for securing evidence and other
sensitive materials
Incident Handling: Preparation
• Incident Analysis Hardware and Software
– Computer forensic workstations and/or backup devices to create disk
images, preserve log files, and save other relevant incident data
– Blank portable media
– Easily portable printer
– Packet sniffers and protocol analyzers
– Computer forensic software
– Floppies and CDs with trusted versions of programs to be used to
gather evidence from systems
– Evidence gathering accessories
• hard-bound notebooks
• digital cameras
• audio recorders
• chain of custody forms
• evidence storage bags and tags
• evidence tape
Incident Handling: Preparation
• Incident Analysis Resources
– Port lists, including commonly used ports and Trojan horse
ports
– Documentation for OSs, applications, protocols, and
intrusion detection and antivirus signatures
– Network diagrams and lists of critical assets, such as Web,
e-mail, and File Transfer Protocol (FTP) servers
– Baselines of expected network, system and application
activity
– Cryptographic hashes of critical files to speed the analysis,
verification, and eradication of incidents
Incident Handling: Preparation
• Incident Mitigation Software
– Media, including OS boot disks and CD-ROMs, OS media, and
application media
– Security patches from OS and application vendors
– Backup images of OS, applications, and data stored on secondary
media
Incident Handling:
Detection and Analysis
• Incident Categories
–
–
–
–
–
Denial of Service
Malicious code
Unauthorized access
Inappropriate usage
Multiple component incidents
Incident Handling:
Detection and Analysis
• Signs of an incident
–
–
–
–
–
Intrusion detection systems
Antivirus software
Log analyzers
File integrity checking
Third-party monitoring of critical services
• Incident indications vs. precursors
– Precursor is a sign that an incident may occur in the future
• E.g. scanning
– Indication is a sign that an incident is occurring or has occurred
Incident Handling:
Detection and Analysis
• Incident documentation
– If incident is suspected, start recording facts
• Incident Prioritization based on
– Current and potential technical effects
– Criticality of affected resources
• Incident notification
–
–
–
–
–
CIO
Head of information system
Local information security officer
Other incident teams
Other agency departments such as HR, public affairs, legal department
Incident Handling:
Containment, Eradication, Recovery
• Containment strategies
– Vary based on type of incident
– Criteria for choosing strategy include
• Potential damage / theft of resources
• Need for evidence information
• Service availability
• Resource consumption of strategy
• Effectiveness of strategy
• Duration of solution
Incident Handling:
Containment, Eradication, Recovery
• Evidence gathering
– For incident analysis
– For legal proceedings
• Chain of custody
• Authentication of evidence
Incident Handling:
Containment, Eradication, Recovery
• Attacker identification
–
–
–
–
–
Validation of attacker IP address
Scanning attacker’s system
Research attacker through search engines
Using Incident Databases
Monitoring possible attacker communication channels
Incident Handling:
Containment, Eradication, Recovery
• Eradication
– Deleting malicious code
– Disabling breached user accounts
• Recovery
– Restoration of system(s) to normal operations
•
•
•
•
•
•
•
Restoring from clean backups
Rebuilding systems from scratch
Replacing compromised files
Installing patches
Changing passwords
Tighten perimeter security
Strengthen logging
Incident Handling:
Post-Incident Activity
• Evidence Retention
– Prosecution of attacker
– Data retention policies
– Cost
That’s All
Related documents
Self Matters: Confronting Stress and Taking Care of yourself
Self Matters: Confronting Stress and Taking Care of yourself
Practice Based Improvement Log
Practice Based Improvement Log
Comprehensive All-Hazard Emergency Response Plan Overview
Comprehensive All-Hazard Emergency Response Plan Overview
PHYSICAL PLANT Incident Investigation Director’s Checklist
PHYSICAL PLANT Incident Investigation Director’s Checklist
Exposure Report
Exposure Report
EXAMPLES FOR CRITICAL INCIDENT ANALYSIS
EXAMPLES FOR CRITICAL INCIDENT ANALYSIS
Incident, injury, trauma and illness record
Incident, injury, trauma and illness record
EMT Well Being - www.pccemt.org
EMT Well Being - www.pccemt.org
kincare mission - My Flex Health
kincare mission - My Flex Health
SEAs Sept 05
SEAs Sept 05