INITIAL SECURITY INCIDENT QUESTIONNAIRE FOR RESPONDERS

Tips for assisting incident handlers in assessing the situation when responding to a qualified incident.

Assess the Incident's Scope

- What IT infrastructure components (servers, websites, networks, etc.) are directly affected by the incident?
- What applications and data processes make use of the affected IT infrastructure components?
- Are we aware of compliance or legal obligations tied to the incident? (e.g., PCI, breach notification laws, etc.)
- What are the possible ingress and egress points for the affected environment?
- What theories exist for how the initial compromise occurred?
- Does the affected IT infrastructure pose any risk to other organizations?

Understand the Incident's Background

- What is the nature of the problem, as it has been observed so far?
- How was the problem initially detected? When was it detected and by whom?
- What security infrastructure components exist in the affected environment? (e.g., firewall, antivirus, etc.)
- What is the security posture of the affected IT infrastructure components? How recently, if ever, was it assessed for vulnerabilities?
- What groups or organizations were affected by the incident? Are they aware of the incident?
- Were other security incidents observed on the affected environment or the organization recently?

Define Communication Parameters

- Which individuals are aware of the incident? What are their names and group or company affiliations?
- Who is designated as the primary incident response coordinator?
- Who is authorized to make business decisions regarding the affected operations? (This is often an executive.)
- What mechanisms will the team use to communicate when handling the incident? (e.g., email, phone conference, etc.) What encryption capabilities should be used?
- What is the schedule of internal regular progress updates? Who is responsible for them?
- What is the schedule of external regular progress updates? Who is responsible for leading them?
- Who will interface with legal, executive, public relations, and other relevant internal teams?

Review the Initial Incident Survey's Results

- What analysis actions were taken during the initial survey when qualifying the incident?
- What commands or tools were executed on the affected systems as part of the initial survey?
- What measures were taken to contain the scope of the incident? (e.g., disconnected from the network)
- What alerts were generated by the existing security infrastructure components? (e.g., IDS, antivirus, etc.)
- If logs were reviewed, what suspicious entries were found? What additional suspicious events or state information was observed?

Prepare for Next Incident Response Steps

- Does the affected group or organization have specific incident response instructions or guidelines?
- Does the affected group or organization wish to proceed with live analysis, or does it wish to start formal forensic examination?
- What tools are available to us for monitoring network or host-based activities in the affected environment?
- What mechanisms exist to transfer files to and from the affected IT infrastructure components during the analysis? (e.g., network, USB, CD-ROM, etc.)
- Where are the affected IT infrastructure components physically located?
- What backup-restore capabilities are in place to assist in recovering from the incident?
- What are the next steps for responding to this incident? (Who will do what and when?)
- Who will conduct "in the field" examination of the affected IT infrastructure? Note their name, title, phone (mobile and office), and email details.

Key Incident Response Steps

1. Preparation: Gather and learn the necessary tools, become familiar with your environment.
2. Identification: Detect the incident, determine its scope, and involve the appropriate parties.
3. Containment: Contain the incident to minimize its effect on neighboring IT resources.
4. Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.
5. Recovery: Restore the system to normal operations, possibly via reinstall or backup.
6. Wrap-up: Document the incident's details, retain collected data, and discuss lessons learned.

Additional Incident Response References

Incident Survey Cheat Sheet for Server Administrators
http://zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html

Windows Intrusion Discovery Cheat Sheet
http://sans.org/resources/winsacheatsheet.pdf

Checking Windows for Signs of Compromise
http://www.ucl.ac.uk/cert/win_intrusion.pdf

Linux Intrusion Discovery Cheat Sheet
http://sans.org/resources/linsacheatsheet.pdf

Checking Unix/Linux for Signs of Compromise
http://www.ucl.ac.uk/cert/nix_intrusion.pdf

Authored by Lenny Zeltser, who leads a security consulting team at SAVVIS, and teaches malware analysis at SANS Institute. Special thanks for feedback to Jack McCarthy and Patrick Nolan.
Creative Commons v3 Attribution License for this cheat sheet v. 1.2. More cheat sheets?