“The Integrity and Availability of enabling infrastructure elements will depend largely not on how well they are funded and implemented but rather on how well they are secured and protected.”
Roles

Response Team
The response team consists of subject matter experts in host operating systems, network applications, and network devices. This is the team that actually generates a response, as directed by the Response Team Manager. The team has full authority to decommission compromised or rogue servers and to disable network connections.
Forensic Team
The Forensic Team is tasked with event reconstruction. Its skills are used to determine intrusion methodologies, and in some cases forensic expertise may be required in legal proceedings.
Public Relations
A media spokesperson may be required if the security incident becomes a public matter. The Incident Response Team needs a single point of contact to deal with adverse publicity. This person should be prepared to serve as the media focal point, and scripted, pre-approved statements are appropriate.
Internal Communications
Internal employee communications should also be considered when responding to a security event. It is important to give employees guidance on how to communicate with vendors, customers, and the other internal stakeholders they interact with on a daily basis.
Legal
A legal liaison is required for guidance on matters such as rules of evidence, chain of custody, and liability.
Law Enforcement
Contacts with cybercrime-oriented law enforcement personnel are valuable if an event escalates to a level within the scope of the local judicial system.
Security Incident Categories

Category 1
Category 1 incidents are events that cannot definitively be identified as attacks and have no effect on system operations, such as:
• Isolated, non-repeated scans or pings from an external uncontrolled network; and
• Malicious code detected and removed before it reaches an operational network.
Category 2
Category 2 incidents also have no effect on system operations; they are identified but unsuccessful attempts to actively breach an information system security policy. Such events include:
• Multiple repetitions of Category 1 incidents;
• Repeated active probes or port mapping from an external uncontrolled network;
• Attempts to gain unauthorised access to resources, either from within or from an outside network;
• Abuse of privileges or password confidentiality by an employee (not extending to superuser, root or administration privileges); and
• Malicious code found on a single system that has been successfully contained or removed.
Category 3
Category 3 incidents include any successful attempt to actively breach an information system security policy on a single system, and may have a minor or moderate effect on system operations. These could include:
• Unauthorised access acquired by one or more unauthorised people to any account, at any access level;
• Abuse of privileges or password confidentiality by an employee, extending to superuser, root or administration privileges;
• Malicious code found on more than one system, or an inability to contain and remove the code from a single system;
• A prank, hoax or Web page attack launched from an external uncontrolled network;
• A successful attack against system services (for example NIS, DNS, NFS, email, WWW), including denial of service attacks;
• Unauthorised access to a firewall;
• Unauthorised modification of system files and system access controls;
• Unauthorised modification of system hardware or software without the owner's knowledge or permission; and
• Security compromises and disclosures arising from accidental or deliberate breaches of security policy.
Category 4
Category 4 incidents include any situation in excess of the examples given above, particularly where high-level intervention or crisis management is required. Such incidents will usually have a major effect on system operations.
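The category rules above are a decision tree, and the first thing a response team usually does is encode them so that tickets are triaged consistently. The following Python is an added example, not part of the original material: the Event fields, their names, and the rule that a "major impact" or "crisis" flag alone escalates to Category 4 are this example's own assumptions, chosen to encode the examples listed under each category.

```python
"""Assign one of the four incident categories defined above to an event.

Added example for illustration; it is not part of the original
material. The Event fields, their names and the "crisis"/"major_impact"
escalation rule for Category 4 are this example's own assumptions.
"""
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                         # scan | malware | access_attempt | privilege_abuse |
                                      # service_attack | modification | disclosure
    repeated: bool = False            # seen more than once from the same origin
    successful: bool = False          # the attempt actually breached policy
    admin_level: bool = False         # superuser / root / administrator privileges involved
    systems_affected: int = 1         # number of systems touched
    contained: bool = True            # malicious code contained or removed
    reached_operational: bool = True  # malicious code got onto an operational network
    major_impact: bool = False        # major effect on operations (assumed Category 4 trigger)
    crisis: bool = False              # high-level intervention / crisis management required


def categorise(e: Event) -> int:
    """Return 1..4 following the category definitions on this page."""
    # Category 4: beyond the listed examples; major impact or crisis management.
    if e.crisis or e.major_impact:
        return 4
    if e.kind == "scan":
        # isolated, non-repeated scan -> 1; repeated probes / port mapping -> 2
        return 2 if e.repeated else 1
    if e.kind == "malware":
        if not e.reached_operational:
            return 1          # removed before reaching an operational network
        if e.systems_affected > 1 or not e.contained:
            return 3          # more than one system, or could not be contained
        return 2              # single system, contained or removed
    if e.kind == "access_attempt":
        # unsuccessful attempt -> 2; any account at any level gained -> 3
        return 3 if e.successful else 2
    if e.kind == "privilege_abuse":
        # abuse below root/admin -> 2; extending to root/admin -> 3
        return 3 if e.admin_level else 2
    if e.kind in ("service_attack", "modification", "disclosure"):
        # successful attack on services (incl. DoS), unauthorised modification,
        # compromise/disclosure -> 3; an unsuccessful attempt stays at 2
        return 3 if e.successful else 2
    raise ValueError(f"unknown event kind: {e.kind!r}")


def triage(events):
    """Return (category, event) pairs, most severe first (stable for ties)."""
    return sorted(((categorise(e), e) for e in events), key=lambda pair: -pair[0])


if __name__ == "__main__":
    # Constructed sample events, one per rule.
    sample = [
        Event("scan"),
        Event("scan", repeated=True),
        Event("malware", reached_operational=False),
        Event("malware", systems_affected=4),
        Event("privilege_abuse", admin_level=True),
        Event("service_attack", successful=True),
        Event("access_attempt", successful=True, crisis=True),
    ]
    for category, event in triage(sample):
        print(f"Category {category}: {event}")
```

The one judgement the rules do not settle on their own is the Category 4 boundary; here it is a flag set by whoever triages, which is how "high-level intervention required" is normally decided in practice.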
User incident handling
[Flowchart; recoverable nodes: start "User Incident Handling"; decision "Web site abnormal?" (yes: SA Incident Handling); Customer Support; Other; AA Incident Handling; End.]
Application incident handling
[Flowchart; recoverable nodes: start "AA Incident Handling"; decision "Is appl error?"; decision "Unauth access?" (yes: Core Team Incident Handling); End.]
System incident handling
[Flowchart; recoverable nodes: start "SA Incident Handling"; decisions "Is virus problem?" (yes: Core Team Incident Handling), "Unauth access?" (yes: Core Team Incident Handling), "Is web server down?", "Is scheduled down time?", "Is web site accessible from Internet?", "Is web server abnormal?", "Is fw/router down?" (yes: Report to FA), "Problem Resolved?", "Determine Cause?", "Security Incident?" (yes: Core Team Incident Handling); actions: Reboot sys, Reboot in single user mode, Forensic Backup, Trouble Shooting, Doc/Fix problem if possible, Other SA Support; End.]
Incident investigation
[Flowchart: Core Team Incident Handling dispatches by incident type]
• Denial of Service Attack? yes: DoS Attack Investigation
• Virus? yes: Virus Investigation
• Unauthorized Access? yes: Unauth. Access Investigation
• Unauthorized Modification? yes: Unauth. Mod. Investigation
• Network Probing? yes: Probing Investigation
• Otherwise: handle incident, record incident, define process
End
DoS attack
[Flowchart: DoS Attack Investigation; recoverable nodes]
• Identify Source? yes: Traffic Filterable? yes: Firewall Filter Traffic
• Is server down? yes: Reboot server
• Attack continue? no: Bring up network connection
• Notify PR
• Record Incident
Investigation End
Hostile code
[Flowchart: Virus Investigation; recoverable nodes]
• Web Server Infected? yes: Server Accessible on Internet? yes: Disconnect server from network
• Id & clean up file(s); Full backup clean sys; Id virus source; Id possible date
• Distribute file w/ virus? yes: Disable file download; Check all files; Clean infected files; Full backup clean sys
• Found virus source? yes: Authorized Source? no: Unauth. Mod. Investigation; Clean up source
• Put Web site back online?
• Notify PR/Legal? yes: Notify PR/Legal
• Notify User? yes: Notify users
• Record Incident
Investigation End
Unauthorised access
[Flowchart: Unauthorised Access Investigation; recoverable nodes]
• ID all live connections
• Suspicious Connection? yes: Disconnect Network Immediately?
• Monitor/Record Unknown Connections
• ID up/down stream? yes: Contact up/down stream? yes: Contact up/down stream sys owners
• Notify Authority? yes: Contact Authority
• Incident Recovery
Investigation End
Unauthorised modification
[Flowchart: Unauth. Mod. Investigation; recoverable nodes]
• Suspicious Conn? yes: Imm. Disconn Network?
• Monitor/Record Unknown Conn.
• Notify Authority? yes: Contact Authority
• Incident Recovery
Investigation End
Network probing
[Flowchart: Probing Investigation; recoverable nodes]
• Potential Coordinated Attack?
• Contact Source? yes: Contact the source org.
• Block Source? yes: Firewall block source
• Record Incident
Investigation End
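The probing flow starts from a judgement the categories above make explicit: an isolated, non-repeated scan is Category 1, while repeated probes or port mapping are Category 2, and several sources sweeping the same ports raise the "potential coordinated attack" question. The Python below is an added example, not part of the original material, showing that triage run over constructed firewall deny logs. The log layout `<ISO timestamp> <ALLOW|DENY> <src> <dst> <dst_port>` is a simplified format invented for the example, and the 10-minute window, 5-port threshold and port-set overlap measure are assumptions.

```python
"""Classify firewall deny-log sources as an isolated scan (Category 1) or
repeated probing / port mapping (Category 2) and flag sources whose port
sets overlap, as a hint for the "potential coordinated attack" decision.

Added example, not from the original material. The log line layout
"<ISO timestamp> <ALLOW|DENY> <src> <dst> <dst_port>" is a constructed,
simplified format; the 10-minute window and 5-port threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+)$")

# Constructed sample: two external sources sweep the same ten ports five
# minutes apart; a third external source makes one blocked connection later.
_PORTS = [21, 22, 23, 80, 443, 445, 3389, 5900, 8080, 8443]


def _deny_lines(src, start, ports):
    return [f"{(start + timedelta(seconds=i)).isoformat()} DENY {src} 192.0.2.10 {p}"
            for i, p in enumerate(ports)]


SAMPLE_LOG = "\n".join(
    _deny_lines("203.0.113.7", datetime(2024, 3, 1, 10, 0, 0), _PORTS)
    + _deny_lines("198.51.100.4", datetime(2024, 3, 1, 10, 5, 0), _PORTS)
    + _deny_lines("203.0.113.99", datetime(2024, 3, 1, 11, 30, 0), [443])
)


def parse(log: str):
    """Return (timestamp, action, src, dst, port) for each well-formed line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, action, src, dst, port = m.groups()
            events.append((datetime.fromisoformat(ts), action, src, dst, int(port)))
    return events


def classify_sources(events, window=timedelta(minutes=10), port_threshold=5):
    """Per source: hit count, ports touched, label and incident category."""
    by_src = defaultdict(list)
    for ts, action, src, _dst, port in events:
        if action == "DENY":
            by_src[src].append((ts, port))
    summary = {}
    for src, hits in by_src.items():
        hits.sort()
        # Largest number of distinct ports seen within one window of any hit.
        best = 0
        for i, (t0, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if t - t0 <= window}
            best = max(best, len(in_window))
        if len(hits) == 1:
            label, category = "isolated", 1        # isolated, non-repeated scan
        elif best >= port_threshold:
            label, category = "port_mapping", 2    # active port mapping
        else:
            label, category = "repeated", 2        # repeated Category 1 events
        summary[src] = {
            "events": len(hits),
            "ports": frozenset(p for _, p in hits),
            "label": label,
            "category": category,
        }
    return summary


def coordinated_groups(summary, min_overlap=0.8):
    """Pairs of port-mapping sources whose port sets overlap (Jaccard index)."""
    probers = [s for s, r in summary.items() if r["label"] == "port_mapping"]
    pairs = []
    for i, a in enumerate(probers):
        for b in probers[i + 1:]:
            pa, pb = summary[a]["ports"], summary[b]["ports"]
            overlap = len(pa & pb) / len(pa | pb)
            if overlap >= min_overlap:
                pairs.append((a, b, round(overlap, 2)))
    return pairs


if __name__ == "__main__":
    summary = classify_sources(parse(SAMPLE_LOG))
    for src, r in summary.items():
        print(f"{src}: {r['label']} ({r['events']} hits, {len(r['ports'])} ports) "
              f"-> Category {r['category']}")
    for a, b, overlap in coordinated_groups(summary):
        print(f"possible coordinated probing: {a} and {b} (port-set overlap {overlap})")
```

The overlap check is only a prompt for the "Potential Coordinated Attack?" decision; whether to contact the source organisation or block at the firewall remains the steps of the flow above, and a block list built from this output should be reviewed before it is applied.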
Recovery
[Flowchart: Recovery; recoverable nodes]
• Recovery Start
• Prosecution Needed? yes: Prepare Data; Contact Authority; Legal Procedure
• Recover System: Conduct Security Risk Assessment; Run Virus Scan
• Problem Found? yes: Fix Problem? yes: Fix Problem; no: Accept Risk?
Recovery End
Definition of hardening
In combination, these measures mean that well-written applications can function as a system process and function normally.
[Diagram residue; recoverable labels: Hardening Process; Remediation (if necessary)]
Security Services
[Service framework diagram; recoverable service names listed below]
• Asset Management & Inventory
• Records Information Management
• Software License Management
• Information Classification, Labelling & Handling
• Centralised Network Vulnerability Management
• Endpoint Security Management
• Malware Protection (inc AV)
• Intrusion Detection/Prevention
• Secure Administration
• Certificate Management
• Cryptography & Key Management (applies to all platforms)
• DOS protection
• Logging Management
• Patch & Configuration Management
• Security Management Governance
• Access Control & Authentication
• Firewall Management
• Content Filtering (Internet & Email)
• Data Loss Prevention
• Operations (not security specific)
• Security Configuration
• Code of Use
• Identity Management
• ARCHITECTURE: Security Zones of Trust Architecture; Third Party Connectivity
• Executive Security Reporting