2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data.
www.riskfactory.com
3. Overview
• Who cares?
• Why care?
• Success definition
• Policy & preparation work
• Procedures & forms
• Tools & training
• Incident database
• Reviews & measurements
4. Who Cares?
• Specifically? Name these stakeholders now
• Eliminate finger-pointing potential afterward
• Establish Incident Response Team
– List stakeholders’ roles & responsibilities
– Contact details
– Team mission statement
– Post / Publish / Preach!
5. Why Care?
• Because incidents = lost cash £
• Iceberg tip theory
• Timely response = minimized loss
• Determine exactly who, what, when, why & how
• Inform other departments of findings
• Prevention & preparation for future
• Mitigate risk & liability
• Apprehend & prosecute
6. Define Success
Limit damage caused by incident
Minimize and/or recover financial losses
Minimize downtime
Technological recovery
Minimize image damage
Minimize personal losses
Enable resolution of incident
Expunge virus/intruder
Improve security
Disciplinary action (solid evidence is key)
Prosecution
7. Response Team
Require wide range of technical skills
Dedicated response staff
Team makeup = skilled in applicable technology
Ad hoc team of existing sys admins
Multisite teams?
Additional duties = additional pay…
8. Policy & Preparation
Policy: “What do you do?”
Definition = critical.
Must be comprehensive
Define do’s and don’ts
Deviations are incidents
Define level of incidents
Define incident response
Keep it simple
Write it down
Management sign off
9. Ramifications of Going Solo
If you don’t define an incident = it never happens
Insufficient skills = Failure
Insufficient staff = Failure
Insufficient tools = Failure
Insufficient prep = Failure
Scapegoat…
10. Elements of a Plan
• Incident definition (Major vs. Minor)
• Outline response for each type of incident
• Reporting Process (Response Team Notification)
• Containment Process
• Eradication Process
• Restoration
• Follow-up Process
• Reporting
12. Preparation:
Do you know where your data is?
Workstations
Servers (e-mail, databases)
Log files (there are many of them)
Network traffic (be careful about privacy)
Backups (can you find what you need?)
Are you prepared to preserve evidence?
Hard drives, software, spare hardware
13. Incident Response Process
• Initial observation, report, or question
• Assessment of severity and worth
• Physical assessment
• Preserve data on target systems
• Network assessment
• Preserve related evidence on network
• Develop response/investigative strategy
• Crime analysis
• Conclusions and reports
14. Procedures and Forms
Incident numbering system
CERT# 2003032201
Communication procedure
Who to notify under what circumstances
Encrypted e-mail versus phone/pager
Procedures for each incident type
Virus, DoS, intrusion, telephone system
Sexual harassment, threats
Forms to ensure consistency
Document incident details
Evidence collection and documentation
15. Procedures: Evidence
Do you have authorization?
Employee consent
Search warrant
Involve human resources & attorneys
Admissibility
Document all actions (chain of custody)
Evidence originated from its purported source
Evidence was not altered during/after collection
Associated information is accurate (e.g. dates)
To shut down or not to shut down?
16. Sample Procedure Outline
When incident initially reported:
Remote information gathering
Preserve evidence on network
Collecting volatile data
Step by step with tools and examples
Image hard drives
Step by step with tools and examples
Restore and secure systems
Backup data, reformat drive, rebuild, etc.
Communicate to community
17. Documentation: Forms
Expense and time logs:
dates and times working on incidents, including time to recover systems,
helps calculate cost of damage
Incident response actions taken and when:
telephone conversations
helps explain incident response years later
Employees questioned and involved:
everyone involved may be required to testify
Evidence inventory:
helps locate evidence later
18. Forms: Evidence Collection
• Memory aide, not just extra paperwork
• Incident number (#2003032201)
• Authorization
• Who collected evidence & when
• Where the evidence was located
• Details of computer systems involved
• How the evidence was collected
• File names, sizes, hash values
• Additional notes
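As an added example (not from the slides or Risk Factory): a Python evidence-inventory record that carries the form fields on this slide and the admissibility points from slide 15 (evidence not altered, actions documented, dates accurate). It assumes the CERT# number is the date plus a two-digit sequence; EvidenceRecord and the field names are constructed for illustration.

```python
import hashlib
import os
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

def make_incident_number(opened: date, seq: int) -> str:
    """CERT# number as YYYYMMDD plus a two-digit daily sequence
    (an assumed reading of the slide's example 2003032201)."""
    return f"CERT# {opened:%Y%m%d}{seq:02d}"

def sha256_file(path: str) -> str:
    """Hash in chunks so a large disk image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

@dataclass
class EvidenceRecord:
    incident: str        # incident number (e.g. CERT# 2003032201)
    authorization: str   # consent or warrant reference
    collector: str       # who collected the evidence
    location: str        # where the evidence was located
    system: str          # details of the computer system involved
    method: str          # how the evidence was collected
    file_name: str
    size: int
    sha256: str
    notes: str = ""
    custody: list = field(default_factory=list)  # chain-of-custody entries

    def log(self, actor: str, action: str) -> None:
        """Append a UTC-dated chain-of-custody entry ("document all actions")."""
        self.custody.append({"when": datetime.now(timezone.utc).isoformat(),
                             "actor": actor, "action": action})

def collect_evidence(path, incident, authorization, collector,
                     location, system, method, notes=""):
    """Record name, size and hash at collection time and open the custody log."""
    rec = EvidenceRecord(incident, authorization, collector, location, system,
                         method, os.path.basename(path), os.path.getsize(path),
                         sha256_file(path), notes)
    rec.log(collector, "collected; size and SHA-256 recorded")
    return rec

def verify_evidence(rec: EvidenceRecord, path: str) -> bool:
    """True only if the file still matches the size and hash recorded at collection."""
    return os.path.getsize(path) == rec.size and sha256_file(path) == rec.sha256
```

Re-running verify_evidence before disciplinary or legal use answers the slide 15 question "was the evidence altered during/after collection?" with a recorded, reproducible check rather than memory.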
19. Training
Understand the technology
• Hardware components
• System operation and security
• Network traffic
Train personnel in evidence handling
• Do you really care about this?
Train personnel to use tools
• Media analysis
• Log analysis
• Network exploration (nmap, Nessus, scripts)
• Traffic analysis
20. Response & Measurement
• Deploy incident response team (procedures!)
• Decide whether or not to collect volatile data
• Take systems offline for forensic analysis
• Probe and monitor network
• Interview individuals
• Document everything
• Correlate data from multiple sources
• Communicate with legal counsel and police
21. 26 Dover Street
London
United Kingdom
+44 (0)20 3170 8955
+44 (0)20 3008 6011 (fax)