Term
Incident response and recovery |
|
Definition
Incident response and recovery |
|
|
Term
|
Definition
First, what are we detecting or discovering?
Events - any change of state
Network, servers, devices, laptops, applications, data
Events can be logged and monitored
Events may be collected by specific triggers to reduce data storage
CPU utilization, disk space, network utilization, malicious traffic |
|
|
Term
|
Definition
Incidents - events that pose a threat to security
Security policy violation, acceptable use violation, intrusion detection (also includes IT operations)
Incidents can be a collection of events from different sources
Not all events are incidents, but all incidents are events
|
|
|
Term
|
Definition
When prevention and protection fail
Risk management framework
Detection/discovery can be automated
Triggers and alarms
Detection/discovery may be manual
Searching logs
Customer ticket
Employee detection |
|
|
Term
|
Definition
Analyze to discover if the event has truly become an incident
Determine the severity of impact and scope
Incidents should be classified by severity
Escalation - what happens next?
Based on severity and scope
Who needs to know
What actions take place |
|
|
Term
|
Definition
- Response should be immediate to mitigate damage to the organisation's assets - including people
- Do not delay the response to try and track a hacker or source
- Response may include notifying a specialized response team, regulatory agencies and law enforcement
|
|
|
Term
|
Definition
Incident Response Team
Full-time, added ad hoc, or outsourced
Trained in the response procedures and guidelines
Doesn't make accusations during an investigation
Maintains incident response records
Team should follow the documentation procedures and record keeping through to resolution |
|
|
Term
Reporting Feedback Loops (cont)
Documentation should include:
|
|
Definition
- What - what happened
- When - date and time
- Where - location and scope
- Who - detected, escalated, responded
- Ticket system and evidence collected
|
|
|
Term
Reporting Feedback Loops (cont)
Who needs to be identified in the loop?
|
|
Definition
Internal to the organisation
Predetermined persons in each area
Other IT staff and SMEs
Department heads
Affected departments
Outside the organisation
Regulatory agencies
Law enforcement
Customers
Reporting to the outside should be done by trained and authorised personnel |
|
|
Term
Reporting Feedback Loops (cont)
Avoid releasing inappropriate or incorrect information |
|
Definition
Plan for designated communications channels
Website
Facebook
Twitter
Mitigate damage and implement controls (Countermeasures)
Risk management framework
Monitor for success/failure
Review documentation and procedures
Did the documentation and procedures prove effective? |
|
|
Term
Understand and Support Forensic Investigations
Digital Forensics |
|
Definition
The science of investigating computer-related incidents
Dr. Edmond Locard's Exchange Principle
"The perpetrator of a crime will bring something to a crime scene and leave with something from it"
Organisations establish guidelines regarding the identification of evidence, its collection process and examination.
Evidence collection in computer forensics is subject to the same guidelines as those in a legal court |
|
|
Term
|
Definition
First to arrive to begin the process of identifying and collecting evidence
Personnel trained specifically for computer forensics
Responsible for documenting every aspect of the identification and collection process
Establish the scene of investigation
Incident scene
|
|
|
Term
|
Definition
Evidence should be collected by trained forensic professionals
Bag it and tag it
Order of volatility
Collect the shortest-living evidence first
Most volatile: CPU info, RAM, cached tables
Least volatile: hard drive, tapes, cloud storage |
|
|
Term
|
Definition
Collect everything
Logs, network traffic, backups
CPU information, RAM, cached tables
Hard Drives, tapes, cloud storage
Be aware of collection processes
Example - clone hard drive data through a write blocker so the original drive is never modified
Analyze systems with forensic tools |
|
|
Term
|
Definition
A witnessed, written record of all people who maintained unbroken control over the evidence
Maintain the CIA of the evidence
Imperative for use in a court room
From time collected to time present in court |
|
|
Term
|
Definition
Document and label
When, where, who
Seal in tamper-evident bags
Store securely |
|
|
Term
|
Definition
Locard's Exchange Principle
"the perpetrator of a crime will bring something to a crime scene and leave with something from it"
Preserve the scene of investigation
Workstation, servers, entire data centre
Remember that evidence is volatile
Incorrect procedures can contaminate the scene and evidence |
|
|
Term
Understand and Support Business Continuity plan and DR plan
Emergency Response plans and procedures |
|
Definition
Emergency plans have a greater scope than incident response plans
Business Continuity Plan (BCP)
Broad in scope
May include replacement locations and staff
Disaster Recovery Plans (DRP)
Recovery of specific services |
|
|
Term
Business Impact Analysis (BIA) |
|
Definition
Determine the impact to an organisation and its operations due to a partial or complete loss
Every business is different - need to determine critical from non-critical functions
Perform impact analysis to understand and correct failures |
|
|
Term
Disaster Recovery Plan (DRP)
Documented process and procedures to recover and restore specific IT services |
|
Definition
Not the same as incident planning
Incident response: detect and stop - DRP: recover and restore
Classify disaster scenarios
Availability of recovery assets
Hardware, software, locations, staff, goods and services
Communication plans
Often overlooked |
|
|
Term
Interim or Alternative Processing Strategies
What to do if the entire site is down |
|
Definition
Alternative locations
Geographically separate
Can be cloud based
Different levels of service
Hot Site
Warm Site
Cold Site
Co-Located
Mobile Site |
|
|
Term
Restoration planning
Plan for everything it would take to recover the function for the business |
|
Definition
Power
Communications
Labor
Staff
Travel
Materials |
|
|
Term
Backup Redundancy and Implementation
|
|
Definition
Fast recovery times (RTO) and minimal data loss (RPO)
Time and cost
Data classification
How often does it need to be backed up?
Backup considerations
Encryption
Reliability
Off-site storage and recovery
Backup/recovery methods
It isn't all going to fit on one tape
|
|
|
Term
Backup Method: Full Backup |
|
Definition
|
|
Term
Backup Method: Differential |
|
Definition
|
|
Term
Backup Method: Incremental |
|
Definition
|
|
Term
|
Definition
High Availability
Clustering, load balancing
Mirrored Backups
Electronic Vaulting
Off site mirrored |
|
|
Term
|
Definition
Redundant Array of Independent Disks
RAID 0 - striping; increases performance but has no data reliability
RAID 1 - disk mirroring
RAID 2, 3, 4 - not used
RAID 5 - most common
Requires three disks minimum
Can completely rebuild after a single lost drive without data loss
RAID 10 (RAID 1+0) - mirroring plus striping |
|
|