OPERATIONS SECURITY
WEEK 5
INCIDENT MANAGEMENT, INVESTIGATIONS, AND PHYSICAL SECURITY
INCIDENT RESPONSE
Incident response is an organized approach to addressing and managing
the aftermath of a security breach or attack (also known as an incident).
The Steps of Incident Handling
Triage: Is it an actual incident or a false alarm? How serious is it?
Investigation: Gathering evidence
Containment: Limit the damage by isolation and mitigation
Analysis: Reconstruct the incident. Who is responsible? How did they do it? When did it occur? Why did they do it?
Tracking: Document the incident and determine the source
Recovery: Mitigate the incident and apply lessons learned to reduce the risk of recurrence
TRIAGE
The term Triage comes from the medical community. Triage is the art of rapidly assessing the severity of the incident and following the right protocols, in the right order, to reduce the consequences of the incident, all in the midst of a crisis, when every second counts.
Different incidents require different responses: a Denial of Service (DoS) attack has to be addressed differently than a malware infection.
Establishing baselines can help identify unusual activity. The number of indicators of potential incidents is very high, so false positives are common.
INVESTIGATION
The Incident Scene: the environment where potential evidence may exist
Principles of criminalistics apply:
Identify the scene
Protect the environment
Identify evidence and potential sources of evidence
Collect evidence
Minimize the degree of contamination
GENERAL GUIDELINES
All general forensic and procedural principles must be applied
Seizing digital evidence must not alter the evidence
Any person accessing original digital evidence must be trained
All activity relating to seizure, access, storage, or transfer of digital
evidence must be fully documented, preserved, and available for review
While an individual is in possession of digital evidence, he or she is
responsible for all actions
Any agency responsible for seizing, accessing, storing, or transferring
digital evidence is responsible for compliance with these principles
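An added example, not part of the original slides, of how the "must not alter the evidence" and "fully documented" guidelines can be enforced in practice: a custody log that records every handler and action together with a SHA-256 hash of the item, so any change since seizure is visible on review. The CustodyLog class, the analyst names and the sample evidence file are hypothetical.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    """Hash the file in 1 MiB chunks so a large evidence image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

class CustodyLog:
    """Append-only custody record for one evidence item (hypothetical helper)."""
    def __init__(self, evidence_path, handler):
        self.evidence_path = evidence_path
        self.entries = []
        # The hash taken at seizure is the reference every later entry is compared against.
        self.seizure_hash = sha256_file(evidence_path)
        self.record("seizure", handler, "initial acquisition")

    def record(self, action, handler, note=""):
        """Log who did what and when, plus the item's hash at that moment."""
        current = sha256_file(self.evidence_path)
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "sha256": current,
            "intact": current == self.seizure_hash,  # False means the evidence changed
            "note": note,
        }
        self.entries.append(entry)
        return entry

def demo():
    """Constructed sample evidence file, not real case data; returns (before, after, count)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"sample disk image bytes")
    log = CustodyLog(path, "analyst A")
    before = log.record("transfer", "analyst B", "handed to lab")["intact"]  # True
    with open(path, "ab") as fh:
        fh.write(b"!")  # simulated accidental modification during handling
    after = log.record("access", "analyst B")["intact"]  # False
    os.remove(path)
    return before, after, len(log.entries)
```

Each entry carries the hash at the time of the action, so a reviewer can see not just that the item changed but between which two handlers it happened.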
ROLES AND RESPONSIBILITIES
Be Authentic
Be Accurate
Be Complete
Be Convincing
Be Admissible
LIVE EVIDENCE
Network Analysis
Analysis and examination of network logs and activity for potential
evidence
The critical phase of the process is proper evidence handling and
processing
SOFTWARE ANALYSIS
Encompasses investigative activity:
Malware analysis
Intellectual property disputes
Copyright infringements
Goals
Author identification
Content Analysis
Payload and context Analysis
RECOVERY
Eventually the necessary steps to resolve the incident will be performed.
Recovery simply implies the amount of time it may take for operations to be fully restored.
Reporting and Documenting
One of the most important, yet overlooked, phases is the debriefing and feedback phase.
Security Policy Review
Which controls were inadequate or failed?
How can we improve our controls?
Did the Incident Management Plan function as intended?
PHYSICAL SECURITY
Deter, Delay, Detect, Assess, Respond
DEFENSE IN DEPTH
Doors, Turnstiles, Mantraps
Classes of fires
Data center requirements
VESDA devices
CLASSES OF FIRE
STAGES OF A FIRE