Introduction to Incident Response
Incident response is the collection of actions taken after an alleged security incident is identified. In many organizations, a formal incident response team coordinates response. Its members are drawn from IT, audit, security, human resources, legal, senior management, and other areas of the company. In many cases, only a few of these people are assigned to any incident, and additional employees as well as outside specialists may be recruited during specific incidents. In other companies, incident response is less formal. Teaching you how to create a crack team and detailing how to respond to every possible security incident is not the purpose of this section. Instead, its purpose is to help you identify action points that can be taken in order to formulate a response to incidents. If you already have an incident response team or process in place for incident response, your first task should be to contact them to understand what your role should be in reporting or working as part of their extended team. If you do not have any process in place, or want to review the process you do have in hopes of improving it, use the following guidelines.The classic incident response process consist of sseven elements:Detect the incident.Respond to the incident with some action.Contain the incident; don't let it continue to grow or further compromise information systems.Recover systems.Resume normal operation.Review the what, when, why, who, and how the event happened and how it was dealt with.Improve by implementing steps to prevent future incidents and by developing a better response.
However, before you can follow this path, you must develop a plan. Here are some steps that can help:List possible security incidents. Security incidents can be as devastating as malware storms in which massive infections threaten to destroy network operations to suspected misuse or sharing of logon credentials. In addition to the incidents you may hypothesize from your familiarity with current attack vectors, be sure to include the results of threat modeling that may have been done on your network operations and specific applications. Another good source of possible incidents is reviewing the event logs and other data collected as the result of tools described in this chapter. When you know what is normal, can you identify the data that might mean simple operational failure and thus need troubleshooting, from that which might point to possible attack? Add those events to your list.Categorize incidents. You may want to use several types of categories. One good category is by type. For example, various malware infections may have similar vectors, as well as similar cleanup requirements, while directed attacks are very different. The advantage of categorizing is that you can estimate the number and type of individual who will be necessary for the response.Plan operations that might reveal various incidents in progress or from the data trail they produce in various logs.Determine the type of response for each type of incident. How many people will be needed? What needs to be done? Will specific department members need to be part of the team; for example, legal may need to advise you on what information needs to be shared with the public, when to call in law enforcement, or when and what to say to customers. Human relations may need to be informed in order to work with employees in countering rumors with fact or in helping employees to deal with the affects of the attack such as finding uncompromised data and work sources, or preventing reinfection.Assign responsibility for starting and working the response process. Who takes the alleged incident, determines if it is a security incident, assigns a team, and monitors progress? Who keeps management and other team members not directly involved in the technical aspect of the response informed? Who documents activity?Plan for a post mortem. After an incident, collect all information and meet with incident response team members, both those involved with this incident and others. A lot can be learned from reviewing how the event was handled. Kudos can be given, and errors can be discussed leading to improved procedures and team efforts in the future.
|
لطفا منتظر باشید ...
Windows Server 2003 Security: A Technical ReferenceBy
Table of Contents
| Index
If you''''re a working Windows administrator, security is your #1
challenge. Now there''''s a single-source reference you can rely on
for authoritative, independent help with every Windows Server
security feature, tool, and option: Windows Server 2003
SecurityRenowned Windows security expert Roberta Bragg has brought
together information that was formerly scattered through dozens of
books and hundreds of online sources. She goes beyond facts and
procedures, sharing powerful insights drawn from decades in IT
administration and security. You''''ll find expert implementation tips
and realistic best practices for every Windows environment, from
workgroup servers to global domain architectures. Learn how to:
Reflect the core principles of information security throughout
your plans and processes
Establish effective authentication and passwords
Restrict access to servers, application software, and
data
Make the most of the Encrypting File System (EFS)
Use Active Directory''''s security features and secure Active
Directory itself
Develop, implement, and troubleshoot group policies
Deploy a secure Public Key Infrastructure (PKI)
Secure remote access using VPNs via IPSec, SSL, SMB
signing,
LDAP signing, and more
Audit and monitor your systems, detect intrusions, and respond
appropriately
Maintain security and protect business continuity on an ongoing
basis"Once again, Roberta Bragg proves why she is a leading authority
in the security field! It''''s clear that Roberta has had a great deal
of experience in real-world security design and implementation. I''''m
grateful that this book provides clarity on what is often a
baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical
Hacker
James@accusource.net"Full of relevant and insightful information. Certain to be a
staple reference book for anyone dealing with Windows Server 2003
security. Roberta Bragg''''s Windows Server 2003 Security is a
MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation
phil.cox@systemexperts.com"Few people in the security world understand and appreciate
every aspect of network security like Roberta Bragg. She is as
formidable a security mind as I have ever met, and this is
augmented by her ability to communicate the concepts clearly,
concisely, and with a rapier wit. I have enjoyed working with
Roberta more than I have on any of the other 20 some odd books to
which I have contributed. She is a giant in the field of network
security."Bob Reinsch
bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do
things and then tells you how to do it! It is a comprehensive guide
to Windows security that provides the information you need to
secure your systems. Read it and apply the information."Richard Siddaway, MCSE
rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically
accurate. It will be a valuable resource for network administrators
and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT
mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg
writes and I have ''''always'''' found her writing to be perfectly
focused on issues I ''''need'''' to know in my workplace when dealing
with my users. Her concise writing style and simple solutions bring
me back to her columns time after time. When I heard she had
written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding
common pitfalls, and her easy to follow guidelines on how to lock
down my network and user environments (those darned users!) has me
(and my clients) much more comfortable with our Win2k3 Server
deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra
Vista
AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows
Security Information Technology Consultant
harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more
than just lucid coverage of how things work, but also offers sound
advice on how to make them work better."Chris Quirk; MVP Windows shell/user
cquirke@mvps.org"This book is an invaluable resource for anyone concerned about
the security of Windows Server 2003. Despite the amount and
complexity of the material presented, Roberta delivers very
readable and clear coverage on most of the security-related aspects
of Microsoft''''s flagship operative system. Highly recommended
reading!"Valery Pryamikov, Security MVP, Harper Security Consulting
valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have
four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel
Corp.
bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized, with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron
CPCU, CCP, AAI Microsoft MVPWindows Security Information
Technology Consultant
