Incident Response - PowerPoint PPT Presentation
Slides: 17
Provided by: daniel52
Transcript and Presenter's Notes


1
Incident Response
  Proper Handling of Security Incidents

2
Goals of Incident Response
  • Determine if legally protected data is present
  • If such data is present, preserve the state of
    the computer at that moment as best as possible
    without risk to the user
  • Maintain or restore normal operations status for
    the user
  • Prevent the incident from recurring

3
Definitions
  • Compromise: an incident that resulted in unauthorized
    person(s) having the ability to access files on
    the hard disk.
  • Sensitive data: legally protected data, such as
    • Social security numbers
    • Driver's license numbers
    • Credit card numbers
    • Bank account numbers
    • HIPAA (health care)

4
Determine if the Computer has Sensitive Data
  • Always assume sensitive data is present
  • Many people are not aware that they have
    sensitive data on their computer
  • Do not run Windows Spider or any other local
    scanning tool including antivirus natively!
  • Port scanning or remote vulnerability scanning is
    okay

5
Determine if the Computer has Sensitive Data
  • Unplug the system from the network and shut down
  • One of two options:
    • Forensic write blocker dock
      • Remove drive
      • Install in Forensic Write Blocker dock and
        install in another system
      • Run Windows Spider
    • Helix
      • Boot affected system on Helix
      • Follow procedure for using Spider from Helix
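
The slides insist that the scan for protected data never runs natively on the suspect machine: the drive goes behind a write blocker and is searched from a clean host. The script below is an added example of such an offline scan (it is not the Windows Spider tool the slides refer to, nor any code from the presentation). It assumes the write-blocked drive is mounted read-only at a path given on the command line (`MOUNT_ROOT` is an assumed default), looks for two of the data classes listed on the Definitions slide (social security numbers and Luhn-valid card numbers), and masks every hit so the report itself does not become another copy of the sensitive data. The demo tree it builds contains constructed sample values only.

```python
"""Offline scan of a suspect drive for legally protected data.

Added example, not the Windows Spider tool the slides refer to. It assumes the
drive is attached through a forensic write blocker and mounted read-only at a
path given on the command line (MOUNT_ROOT below is an assumed default), so
nothing on the suspect disk is executed and nothing on it is written."""
import os
import re
import sys
import tempfile
from collections import Counter

MOUNT_ROOT = "/mnt/evidence"  # assumed mount point of the write-blocked drive

# Patterns for two of the data classes on the Definitions slide.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) hits. Values are masked so the scan report
    does not itself become another copy of the sensitive data."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            hits.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024) -> dict[str, Counter]:
    """Walk ROOT read-only and return {relative_path: Counter(kind -> count)}
    for every file with at least one hit. Files are opened in binary mode and
    decoded leniently, so binaries are skimmed rather than crashing the scan."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip it, never attempt repairs on evidence
            hits = find_sensitive(text)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = Counter(kind for kind, _ in hits)
    return report


def demo_scan() -> dict[str, dict[str, int]]:
    """Scan a throwaway tree of constructed sample files (no real data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Users", "alice"))
        with open(os.path.join(root, "Users", "alice", "roster.txt"), "w") as fh:
            fh.write("Student 123-45-6789 paid with 4111 1111 1111 1111\n")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("nothing protected here, call 555-1234\n")
        return {p: dict(c) for p, c in scan_tree(root).items()}


if __name__ == "__main__":
    # usage: python scan.py /mnt/evidence   (no argument runs the constructed demo)
    root = sys.argv[1] if len(sys.argv) > 1 else None
    result = scan_tree(root) if root else demo_scan()
    for path, counts in sorted(result.items()):
        print(path, dict(counts))
```

Two design points matter in practice: the scanner only ever opens files for reading (a write blocker enforces this in hardware, the code honours it in software), and it reports counts per file rather than the matched values, which is what the IT Security Officer needs to decide whether the incident moves to the sensitive-data track.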

6
Handling Incidents With Sensitive Data
  • Document all actions by all parties
  • The IT Manager and College IT Security Officer
    will manage the incident together at this stage
  • Incident moves to highest priority
  • Determine the extent of the incident:
    • Other related IT resources that may have been
      compromised
    • Other places where other sensitive data may be
      stored
  • The IT Security Officer will open a file on the
    incident
  • The Incident Response Form is filled out
  • Incident is reported to ITSO. They will help
    determine how to proceed

7
Drive Imaging
  • Drives are imaged in order to:
    • Simultaneously carry out forensics and recovery
    • Make a copy of the exact state of the system for
      ITSO
  • Drives can be imaged by:
    • The IT Security Officer
    • ITSO (much slower turnaround time)
  • Imaging procedure must be strictly adhered to
  • Imaging of a 60 GB drive can take at least half a
    day

8
What Happens Next?
  • ITSO will analyze the incident:
    • Hard drive forensics
    • Access times
    • Network logs
    • Overall situation
  • Determination will be made as to whether the Data
    Incident Response Team needs to meet regarding
    disclosure.

9
Data Incident Response Team (DIRT)
  • Determines whether a public notification needs to
    be made in the event of potential loss of
    sensitive data
  • Members:
    • Polly McClure
    • Steve Schuster
    • Representatives from Audit, Counsel, Police,
      Public Relations, Risk Management, data steward(s)
    • Dean of affected unit
    • Security Liaison/Officer from affected unit
    • IT Manager from affected unit

10
If Sensitive Data is not Present
  • Contact CIT (in response to an alert, or to report
    the incident)
  • If time permits, determine the nature of the
    compromise. This may prevent it from happening
    again and will illuminate the situation for the
    user.
  • Run forensics tools from CD or USB stick, not
    from the system's hard drive.

11
Remediation Information Gathering
  • Reinstall/reimage should be the first choice
  • Involve the College IT Security Officer if system
    cannot be redone
  • View log files:
    • Event logs
    • Service logs, such as IIS, Database
    • Application-specific logs
    • Local firewall logs
    • Network firewall logs
    • ITSO's NQ and netflow logs
  • Fully inspect system with forensics tools, gather
    as much information as possible
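
The log review on this slide is where the "nature of the compromise" usually shows up, and the local firewall log is the one source the compromised host keeps for free. The script below is an added example of triaging a Windows Firewall log (pfirewall.log in W3C text format) that has been copied off the host; it is not a tool from the presentation. It reads the column layout from the log's own `#Fields:` header, then surfaces two patterns a responder looks for: one remote address probing several ports in a row, and the host itself opening regular, evenly spaced outbound connections to the same destination (the "connections establishing and dropping" the Remediation Tools slide mentions). The log lines in `SAMPLE_LOG` are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Triage a local Windows Firewall log (pfirewall.log, W3C text format) that was
copied off the compromised host. Added example, not a tool from the
presentation; SAMPLE_LOG is constructed and the thresholds are assumptions to
tune per environment. Column names come from the log's own '#Fields:' header,
so the parser follows whatever order the file declares."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the pfirewall.log layout: 17 space-separated columns,
# a comment header, and one deliberately truncated line to exercise the parser.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-02 09:15:01 ALLOW TCP 10.1.2.3 10.1.2.20 49152 445 52 S 1 0 8192 - - - SEND
2009-03-02 09:15:02 DROP TCP 192.0.2.44 10.1.2.3 3312 135 48 S 2 0 8192 - - - RECEIVE
2009-03-02 09:15:02 DROP TCP 192.0.2.44 10.1.2.3 3313 139 48 S 3 0 8192 - - - RECEIVE
2009-03-02 09:15:03 DROP TCP 192.0.2.44 10.1.2.3 3314 445 48 S 4 0 8192 - - - RECEIVE
2009-03-02 09:15:03 DROP TCP 192.0.2.44 10.1.2.3 3315 3389 48 S 5 0 8192 - - - RECEIVE
2009-03-02 09:15:04 ALLOW TCP 10.1.2.3 198.51.100.9 49153 6667 52 S 6 0 8192 - - - SEND
2009-03-02 09:15:09 ALLOW TCP 10.1.2.3 198.51.100.9 49154 6667 52 S 7 0 8192 - - - SEND
2009-03-02 09:15:14 ALLOW TCP 10.1.2.3 198.51.100.9 49155 6667 52 S 8 0 8192 - - - SEND
2009-03-02 09:15:19 ALLOW TCP 10.1.2.3 198.51.100.9 49156 6667 52 S 9 0 8192 - - - SEND
this line is truncated and must not abort the triage
"""


def parse_firewall_log(text: str) -> list[dict[str, str]]:
    """Turn the log into a list of {column: value} records, using the
    '#Fields:' header for column names and skipping malformed lines."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # damaged or truncated line: keep going, note it separately
        records.append(dict(zip(fields, values)))
    return records


def inbound_port_sweeps(records, min_ports: int = 3) -> dict[str, list[int]]:
    """Remote addresses whose dropped inbound packets hit MIN_PORTS or more
    distinct local ports: the signature of a port sweep against this host."""
    ports = defaultdict(set)
    for r in records:
        if r["path"] == "RECEIVE" and r["action"] == "DROP":
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def outbound_beacons(records, min_hits: int = 4, jitter_seconds: float = 2.0) -> dict:
    """Outbound (dst-ip, dst-port) pairs the host contacted MIN_HITS or more
    times at a near-constant interval: repeated connect/drop cycles to one
    place, which is worth a look before trusting the host again."""
    times = defaultdict(list)
    for r in records:
        if r["path"] == "SEND" and r["action"] == "ALLOW":
            ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
            times[(r["dst-ip"], int(r["dst-port"]))].append(ts)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons[key] = {"count": len(ts), "interval": sum(gaps) / len(gaps)}
    return beacons


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("parsed records:", len(recs))
    print("inbound port sweeps:", inbound_port_sweeps(recs))
    print("regular outbound connections:", outbound_beacons(recs))
```

Both checks are deliberately simple so they can be re-run by hand against the network firewall or netflow logs ITSO holds; a destination that beacons in the local log and also appears in the border logs is the kind of corroboration the "determine the extent of the incident" step is looking for.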

12
Remediation Tools
It is best to rebuild/reimage a system. If a
redo is not an option, use forensics tools to
uncover the nature of the compromise and
hopefully clean it.
  • CALS Forensics CD has a number of useful tools
  • SIW: one-stop shopping for many common forensic
    needs
  • Port scanner such as Nmap: look for open ports
    remotely
  • TCPview: ports with associated applications and
    connections; look for unusual services or many
    connections establishing and dropping
  • Process Explorer: identify suspect services and
    processes
  • Autoruns: identify suspect startup items
  • RKDetector: look for hidden resources and other
    rootkit indicators
  • Telnet: telnet to unknown listening ports to try
    to get information about the service on the port
  • Search for recent file modification dates
  • Request a Nessus vulnerability scan from the
    Security Officer
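
"Search for recent file modification dates" (this slide) and "access times" (the What Happens Next slide) both come down to building a timeline around the suspected time of compromise. The script below is an added example of doing that against a drive mounted read-only behind a write blocker; it is not a tool from the presentation. The mount path, incident time and window are assumptions supplied on the command line, `lstat` is used so that links on the suspect disk are never followed out of the image, and the demo tree it builds uses constructed file names only.

```python
"""Modification-time timeline for a drive mounted read-only through a write
blocker. Added example, not a tool from the presentation; the mount path,
incident time and window are assumptions passed on the command line, and the
demo builds a throwaway tree with constructed file names."""
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timedelta


def modified_in_window(root: str, center: datetime, window: timedelta) -> list[tuple[datetime, str]]:
    """Files under ROOT whose mtime falls within +/- WINDOW of CENTER, oldest first."""
    lo, hi = (center - window).timestamp(), (center + window).timestamp()
    timeline = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow links out of the image
            except OSError:
                continue
            if lo <= st.st_mtime <= hi:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                timeline.append((datetime.fromtimestamp(st.st_mtime), rel))
    timeline.sort()
    return timeline


def hot_directories(timeline, depth: int = 2) -> Counter:
    """Count hits per leading path component(s) so that one busy directory
    (a temp folder, a drivers folder) stands out from the background noise."""
    return Counter("/".join(rel.split("/")[:depth]) for _, rel in timeline)


def _touch(path: str, when: datetime) -> None:
    """Create a constructed sample file and back-date its timestamps."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("constructed sample\n")
    os.utime(path, (when.timestamp(), when.timestamp()))


def demo_timeline() -> list[tuple[datetime, str]]:
    """Constructed example: three files, one of them well outside the window."""
    incident = datetime(2009, 3, 2, 9, 15)  # assumed time of compromise
    with tempfile.TemporaryDirectory() as root:
        _touch(os.path.join(root, "Windows", "Temp", "dropped.exe"),
               incident - timedelta(minutes=5))
        _touch(os.path.join(root, "Windows", "System32", "drivers", "unknown.sys"),
               incident + timedelta(minutes=10))
        _touch(os.path.join(root, "Users", "alice", "Documents", "notes.txt"),
               incident - timedelta(days=3))
        return modified_in_window(root, incident, timedelta(hours=1))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: timeline.py /mnt/evidence "2009-03-02 09:15"
        center = datetime.strptime(sys.argv[2], "%Y-%m-%d %H:%M")
        result = modified_in_window(sys.argv[1], center, timedelta(hours=1))
    else:
        result = demo_timeline()
    for when, rel in result:
        print(when.isoformat(sep=" "), rel)
    print(hot_directories(result).most_common(5))
```

The timeline is only as trustworthy as the timestamps on the disk, which is one more reason the slides want the drive imaged and scanned from a clean host: running a tool natively would update the very access times being examined.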

13
Helix
  • Helix Live: not necessary to boot from CD.
    Provides additional forensics tools including:
    • Windows Forensics Toolkit
    • Security Reports
  • Helix: Linux-based forensics tools, booted from
    a known-good platform

14
Remediation Cleanup
  • Install compromised drive into a clean system
    • SAV
    • Bit Defender and/or Trend Micro Online
    • Helix Bit Defender (may find rootkit-related
      files not found by forensics tools. May not be
      able to clean.)
    • Windows Defender
  • Uninstall/reinstall SAV (clean registry keys)
  • Uninstall/reinstall Windows Defender
  • Reinstall anything flagged by RKDetector

15
Final Steps
  • Have user change all passwords:
    • Calsnet/other local LAN
    • Netid
    • Local workstation
    • Any other passwords used recently
  • Contact CIT:
    • Give brief synopsis of remediation steps
    • Indicate issue should be closed
    • Request removal from quarantine if applicable

16
Questions?