Discussion: Handling and Managing Security Incidents

Comment on the following statements: An incident response plan is key to mitigating damage caused to your organization by a myriad of threats. Describe some threats your incident response plan should address and how you would mitigate them. Additionally, which staff members should be included in the incident response team? Why? Support your answers with information and examples from your text and your experiences.

Book: Chapter 13 in Hacker Techniques, Tools, and Incident Handling.

Required: 255 words (half page), 2 credible scholarly sources, 15% similarity allowed.
solomon_2014_ch13.pdf


PART 3 | Microsoft Windows OS and Application Security Trends and Directions
CHAPTER 13 | Microsoft Windows Incident Handling and Management

Despite the best efforts to secure a computing environment, no
organization is completely safe. Sooner or later you will encounter
a security policy violation. It may be a minor violation such as a user
attempting to log on too many times after forgetting a password. Or it
could be a major incident such as an attacker destroying your organization’s
primary database. Either way, learn how to react. When you discover a security
violation, you have only one proper response—to follow your plan.
Map out your response to security violations before any occur. In this chapter,
you’ll find out how to plan for the inevitable actions that result in security
violations. You’ll learn how to recognize violations and how to develop a plan
for handling each one. You’ll study up on the Microsoft tools available to collect
information and manage a response process. Some violations are more severe and
may result in law enforcement involvement or litigation. In this chapter, you will
also learn the right ways to collect and protect evidence that is admissible in court.
Chapter 13 Topics
This chapter covers the following topics and concepts:
• How to handle security incidents involving Microsoft Windows
operating system (OS) and applications
• How to formulate an incident response plan
• How to handle incident response
• What incident handling and management tools are available
for Microsoft Windows and applications
• How to investigate Microsoft Windows and applications incidents
• How to acquire and manage incident evidence
• What the best practices are for handling Microsoft Windows OS
and applications incidents and investigations
Chapter 13 Goals
When you complete this chapter, you will be able to:
• Describe Microsoft Windows OS security incidents
• Use available tools to handle and manage security incidents
• Investigate incidents, including acquiring and managing evidence
Understanding and Handling Security Incidents Involving Microsoft Windows OS and Applications
A security policy is a description of how an organization defines a secure computing
environment. It is a collection of rules that define appropriate and inappropriate behavior.
Once an organization deploys controls to govern behavior, it’s helpful to devise a method
to measure how effective the controls are. All activity in a computing environment is
made up of individual events. An event is any observable occurrence within a computer
or network. An event could be a user logging on, an application server connecting to a
database server, an authentication server rejecting a password, or an antivirus scanner
reporting a suspected virus. Any event that results in a violation of your security policy,
or poses an imminent threat to your security policy, is an incident.
The first step in responding to an incident is to recognize that an incident has occurred.
Many incidents go unnoticed because no one is looking for them. It’s common to review
operating system and application software log files after a major incident, such as data
loss or a system failure. In some cases, there is evidence of smaller incidents leading
up to the big event. Many organizations lack the procedures to identify incidents early.
Like any persistent problem, identifying incidents in a timely fashion can help contain
any damage and prevent further damage.
The adage, “An ounce of prevention is worth a pound of cure,” applies to incidents.
The best way to avoid handling incidents is to prevent them. Securing computers and
network devices is better than dealing with security incidents. The only exception is when
the cost of the controls is more than the loss you would incur if an incident did happen.
Microsoft has a lot to say about handling incidents for Windows environments and
recommends pursuing prevention first. According to Microsoft’s recommendations,
these strategies can help any organization minimize the number and impact of security
incidents:
• Develop, maintain, and enforce a clear security policy that management supports
and promotes. A security policy defines incidents and behavior that lead to incidents.
• Conduct routine vulnerability assessments to discover vulnerabilities that could
lead to incidents.
• Train all computer system users on acceptable and unacceptable behavior.
Establish frequent and visible security awareness reminders. Use both physical
and virtual methods to notify and remind users.
• Enforce strong passwords throughout your environment.
• Frequently monitor network traffic, system performance, and all available log files
to identify any incidents or unusual events. The first logs you’d likely analyze would
be logs from your intrusion detection system or intrusion prevention system.
• Ensure all computers and network devices have the latest available patches installed.
• Ensure you have a solid business continuity plan (BCP) and disaster recovery plan
(DRP) that you test at least annually. A serious incident will likely require that
you enact one or both of these plans.
• Create a security incident response team (SIRT). The SIRT is a team organized to
respond to incidents.
Find more information on Microsoft’s recommendations for handling incidents on the Microsoft
TechNet Web site. The incident-handling article is at
http://technet.microsoft.com/en-us/library/cc700825.aspx.

Real-Life Incidents
Security incidents can be disruptive to any organization. They end up costing a lot of money
and time. The following are three examples of recent incidents that caused substantial damage
to different organizations. Learn from these incidents. Take every opportunity to avoid being
the next example:
• T.J. Maxx exposes 94 million credit card numbers and transaction details in 2007—
http://datalossdb.org/incidents/548-hack-exposes-94-million-credit-card-numbers-and-transaction-details.
• T-Mobile loses a disk containing customer information for 17 million customers in 2008—
http://datalossdb.org/incidents/1172-t-mobile-lost-disk-containing-data-on-17-million-customers.
• Heartland Payment Systems loses millions of credit card payment records in 2009—
http://datalossdb.org/incidents/1518-malicious-software-hack-compromises-unknown-number-of-credit-cards-at-fifth-largest-credit-card-processor.
If you doubt the impact one security incident can have on an organization, visit the Web sites
above and look at the stock prices for each organization after each incident.
All of the suggestions in the previous list are really just elements of good security.
These are things you should be doing already to maintain a secure environment.
The last suggestion, create a SIRT, is specific to handling incidents. This is the team
of people who will respond to any incidents. There are six separate steps to handling
incidents. Understanding and following all six steps will help you avoid many incidents
and prepare your SIRT to handle the ones that do occur. Table 13-1 lists the six steps
for handling incidents.
The most important aspect of properly handling incidents is preparing to do it right.
Once you understand what it takes to respond well to security incidents and have your
SIRT in place, you are ready to begin developing your response plan.
Table 13-1 Six steps to handling incidents.
Preparation: In this step, you create and train the SIRT; develop plans for handling
incidents; assign roles and responsibilities; and assemble any supplies, hardware, and
software you’ll need. In short, most of your time is spent in this step so you’ll be ready
to respond when an incident occurs.
Identification: When you suspect that an incident has occurred, validate it, then identify
the type and, if possible, the source. You’ll respond differently to a Web site defacement
than to a compromised database encryption key.
Containment: Once you have identified the type of incident, the next step is to contain
the damage the incident has caused or is causing. Incidents are often not single events,
but processes that can continue to cause damage. It is important to take action to limit
the amount of damage to as small a scope as possible. This may require removing an
affected computer from your network or other actions to keep the damage from spreading.
Eradication: Once the damage is contained, remove the vulnerability that allowed the
incident to occur. This may involve configuration changes, software updates, or physical
modifications. Eradicating an incident includes deploying any new or modified controls
to ensure the incident does not happen again.
Recovery: The recovery step includes the actions necessary to return any affected
systems to an operational state. Recovery actions will likely be driven by your BCP and DRP.
Lessons learned: One of the characteristics of a good team in any endeavor is that they
continually learn and improve. The step that will improve long-term security is to
document the lessons learned. The team should review their performance in handling the
incident and make any changes necessary to the response plan to make the next response
even better.
Formulating an Incident Response Plan
The only way to respond to incidents in a predictable manner is to follow a well-documented
plan. Your strategy for responding to incidents should be one that applies
to many different types of incidents. Continually improve this plan. A solid incident
response plan standardizes the SIRT’s actions and makes each incident response
predictable and repeatable.
Plan for Anything That Could Cause Loss or Damage
The first step in properly responding to a security incident is to prepare. By the time an
incident occurs, it is too late to get organized. The preparation step includes building the
SIRT and developing a response plan. Preparing also includes assembling any supplies,
software, and hardware your team will need to respond to an incident.
Your organization should invest the resources to develop checklists and complete
plans to address the results of each likely incident. It will require substantial effort to
plan for every likely incident, but focusing on those that could cause loss or damage will
be worthwhile. Many SIRTs discover existing vulnerabilities while developing response
plans. You may find problems you can address just by planning for incidents. The greatest
reason for preparing for incident response is that your team can decide on the best course
of action for each incident when there is time to really think through the alternatives.
You probably won’t have much time to consider alternatives during an incident. A plan
increases the possibility your team can contain the damage and prevent further problems.
When developing your plan, consider every type of incident that can cause unacceptable
damage. One way to develop a complete incident response plan is to think of as many
incidents as possible and rank them by importance. Base your rankings on probability
and severity. The most important incidents are those that are most likely to occur and
would have the greatest impact on your organization. Those are the incidents to prioritize
if your budget doesn’t allow developing a plan for all identified incidents.

Plan Like a Pilot
Trying to respond to incidents without a plan is like piloting an airplane without any
checklists. Even pilots of small aircraft use several checklists for each flight. Just a few
used by pilots of small aircraft include pre-flight, engine start, post-engine start, taxi,
run-up, pre-takeoff, and post-takeoff.
Those are the checklists just to get into the air! Since most aircraft incidents and
accidents are caused by poor planning, it makes sense to plan well. Checklists are very
important to pilots because it is easier to follow a well-documented checklist when things
are hectic than it is to remember every important detail. Pilots also carry checklists
for emergencies, such as an engine out or fire in the cockpit. At those times, they won’t
want to try to figure out what to do. Those are the times to react efficiently and calmly.
Build the SIRT
The first step is to identify and assemble the SIRT members. A good plan includes input
from all team members. Have your initial team in place before you begin developing the
plan. The SIRT is the group that mobilizes to respond when incidents occur. The team
should contain all of the members who will authorize, conduct, and communicate every
incident response activity. A good way to ensure you have the right team members is
to define the roles your SIRT must fulfill. Table 13-2 lists the SIRT roles.

Table 13-2 SIRT roles.
Team lead: Leader of the SIRT and the primary point of contact for all SIRT issues.
Incident lead: Member of the SIRT assigned to lead activities for a specific incident.
Medium and large organizations may routinely need to respond to multiple incidents
simultaneously.
IT liaison: Point of contact for communicating with the IT department. Even though
there will likely be IT department members on the SIRT, having a single point of contact
makes communicating easier. Primary responsibilities include communicating SIRT
activities to IT and keeping everyone aware of how incident response actions might
impact IT operations. The IT liaison also helps identify the IT expertise and resources
needed to respond to incidents.
Legal representative: Generally an attorney who specializes in law related to security
incidents. The legal representative advises the SIRT on incident-handling methods that
minimize the organization’s legal liabilities. The legal representative will also communicate
with law enforcement as needed and address evidence-handling procedures to maintain
admissibility.
Public relations representative: Person responsible for communicating with the media
and customers regarding incident-related events. The main goal for this role is to protect
the organization’s reputation.
Management: Person with the ability to authorize team activities. Without solid support
from management, the SIRT will not have the authority or resources to be successful.
Subject matter experts (SMEs): As the name implies, SMEs are experts in at least one
area. For example, your team may need a network security SME, a malware SME, and an
application security SME. One person may fill multiple roles. SMEs may be full team
members or you may just consult with them as needed, especially during the planning
phases.
The first team members to assign to your SIRT are the management representative
and the SIRT leader. These assignments originate with the team’s sponsor. The sponsor
is a member of your organization’s management who has the authority to create and fund
a SIRT. The management representative can be the team’s sponsor or another member
of management. Once the team has management support and a lead, you can start to
fill the other roles on the team.
After the initial team is in place, begin planning. Depending on the team’s existing
knowledge of security incident response, you may need to provide some training on the
subject. The idea is to give team members enough of a foundation in incident response
that they are prepared to develop your initial plan.
Plan for Communication
Before you start to develop checklists for each specific type of incident, take the time to
plan the framework. Your SIRT should handle all incidents in the same way. The severity
of incidents will change some of the team’s responses. However, the overall manner
in which the team responds should be consistent across incidents. You achieve consistent
behavior by developing a response framework. One crucial part of your response
framework is your plan for communication. A simple plan for communicating SIRT
actions can reduce overall tension during an incident and may contribute to a successful
incident resolution.
Your plan for SIRT communication should include sections for each of the
following topics:
• Contacts and hierarchy—Include a list of every internal and external stakeholder
in your information system environment. Identify areas of interest for each one.
This list should also include media contacts. Store this information in a database or
spreadsheet to make it easy to query and sort. Storing areas of interest can cut down
on the number of people in the communication chain when efficient communication
is important. For example, assume the SIRT is responding to a Microsoft update
that causes remote client computers to crash. Remote users are very interested
in this incident but database administrators are not as interested. On the other
hand, an incident resulting from corrupted data in the central application database
would be of interest to database administrators and remote users. Also include
in this section any hierarchy of indirect communication if you use multiple points
of contact to distribute information.
• Responsibilities—Descriptions of SIRT communication responsibilities include
press releases, incident notifications, updates, and resolution notification.
This section assigns the responsibility for each type of communication to avoid
finger pointing.
• Frequency expectations—This section states the expected frequency of communication
based on incident severity and type. Critical incidents require updates at
least every 15 to 30 minutes while minor incidents may only warrant daily updates.
The incident’s severity in the initial notification lets stakeholders know when
to expect an update. Consider your audience as well when determining update
frequency. You’ll likely keep management more up to date than the press.
• Methods—This section informs stakeholders of how the SIRT will communicate
with them. Avoid frustration by ensuring everyone knows where to find messages
that relate to incidents. Options include e-mail, Web site status pages, social
media methods, and physical signs or banners. This section also includes plans
for secondary communications in the case of severe incidents. A fully prepared
SIRT would likely have radios to communicate when all other methods fail.
TechRepublic uses Identify/React charts to document many types of malware. The charts contain
step-by-step instructions on both identifying a specific type of malware and how to react to it.
This format lends itself well to many SIRT tasks. You can find a sample Identify/React chart for
the Sober.I/Sober.J worm at
http://www.techrepublic.com/i/tr/downloads/netadmin/resource_doc/sober-chart.pdf?tag=content;siu-container.
Be creative and responsive when communicating SIRT activities. Most important, know your
audience. If your organization is largely made up of tech-savvy employees, you may find that
sending tweets is a very effective strategy to release status updates that don’t contain any
confidential or sensitive content.
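The communication plan above suggests storing stakeholders with their areas of interest so the SIRT can query who needs to hear about a given incident, how often, and over which channel. The following Python example is added here to show that routing logic worked through with the chapter's two incidents (the remote-client patch crash and the corrupted central database); it is not code from the textbook, and the stakeholder records, the "major" severity tier and its interval, and the channel rules are constructed assumptions.

```python
# Added example (not from the textbook): stakeholder records, incidents,
# cadences and channel rules below are all constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Stakeholder:
    name: str
    role: str
    interests: set                                 # areas of interest
    relays_to: list = field(default_factory=list)  # indirect contacts reached via this person

# Constructed contact list; "*" marks a stakeholder interested in every incident.
CONTACTS = [
    Stakeholder("management", "management", {"*"}),
    Stakeholder("dba-team", "database administrators", {"central-db"}),
    Stakeholder("remote-users", "remote staff", {"remote-clients", "central-db"}),
    Stakeholder("helpdesk", "IT liaison", {"remote-clients"}, relays_to=["field-office-a"]),
    Stakeholder("press-officer", "public relations", {"media"}),
]

# Minutes between updates by severity. The chapter gives 15 to 30 minutes for
# critical and daily for minor; the "major" tier and its value are assumed.
CADENCE = {"critical": 15, "major": 60, "minor": 24 * 60}

def recipients(incident, contacts=CONTACTS):
    """Return (direct, relayed): direct recipients are stakeholders whose areas of
    interest overlap the incident's areas; relayed ones come from relays_to."""
    direct = [c for c in contacts
              if "*" in c.interests or c.interests & incident["areas"]]
    relayed = [r for c in direct for r in c.relays_to]
    return sorted(c.name for c in direct), sorted(relayed)

def update_interval(incident):
    """Update frequency is set by the severity stated in the initial notification."""
    return CADENCE[incident["severity"]]

def channels(incident):
    """E-mail and status page always; public social media only when nothing is
    confidential; radios as the fallback method for critical incidents."""
    chans = ["email", "status-page"]
    if not incident["confidential"]:
        chans.append("twitter")
    if incident["severity"] == "critical":
        chans.append("radio")
    return chans

def notification(incident, contacts=CONTACTS):
    """Who gets told, how often, and over which channels."""
    direct, relayed = recipients(incident, contacts)
    return {"to": direct, "relayed": relayed,
            "update_every_min": update_interval(incident),
            "channels": channels(incident)}

# Two constructed incidents matching the chapter's own examples.
PATCH_CRASH = {"summary": "Microsoft update crashes remote client computers",
               "areas": {"remote-clients"}, "severity": "major", "confidential": False}
DB_CORRUPTION = {"summary": "Corrupted data in the central application database",
                 "areas": {"central-db"}, "severity": "critical", "confidential": True}

if __name__ == "__main__":
    for inc in (PATCH_CRASH, DB_CORRUPTION):
        print(inc["summary"], "->", notification(inc))
```

Running it shows the patch crash reaching the help desk, remote users and management (with a field office relayed through the help desk) but not the DBAs, while the database incident reaches the DBAs and remote users, with a 15-minute cadence and no public channel.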
Plan Security
When an incident occurs, the SIRT responds to it in the manner prescribed in the incident
response plan. In other words, the team follows the plan. Make sure your team has access
to the plan. Ensure the team can retrieve the most current version of the plan regardless
of the circumstances. Have multiple copies available in different formats stored in different
locations. An incident that …