C842
Incident Response Automation
-Incident response automation is the process of replacing manual IR actions with automatic IR actions performed by machines and tools
-Automation helps in the efficient handling of and response to a security incident by sending timely notifications about the incident across the organization
Mobile Threats
The focus of attackers has shifted to mobile devices due to the increased adoption of mobile devices for business and personal purposes and their comparatively fewer security controls.
Guidelines for Preventing Malware Incidents
Following these guidelines is helpful for reducing the number of incidents that occur through malware:
▪ The IH&R team must review and update the computer security and malware prevention policies as per the report and outcome of the recent malware incident.
▪ Inform and educate users, clients, stakeholders, and employees about the recent malware attack and the actions that can prevent such incidents in the future.
▪ The IH&R team should subscribe to and regularly follow antivirus bulletins to prevent future malware attacks and to handle them smoothly.
▪ The organization may review the procedures and points of contact for reporting malware incidents, according to the outcome of the recent malware incident.
▪ The IH&R team should ensure that the organization follows an effective data backup and recovery process.
▪ The organization should educate its employees about dealing with email attachments in a safe way.
▪ The IH&R team should deploy network-based IDSs/intrusion prevention systems (IPSs) and firewall systems to get timely alerts about any intrusion attempts into the organizational network.
▪ The organization should identify critical hosts and install host-based IDSs on them to monitor their traffic flow and detect anomalies.
▪ The IH&R team should ensure that all devices across the organization use the latest versions of antivirus software.
▪ The responders may configure antivirus applications to block the opening or execution of suspicious files, based on malware signatures.
▪ The organization should give strict guidelines to its employees and users to check all files and attachments downloaded from the Internet for malware.
▪ It should also restrict the usage of removable devices on organizational systems unless necessary. If usage of such devices is necessary, it should make sure that employees use clean storage devices and scan all removable media, such as USB drives and diskettes, for malware before using them on a system.
▪ The responders should check whether all hosts have updated firewalls and antivirus software that can block the installation of spyware.
▪ Responders should regularly check and block suspicious ports and kill unnecessary processes to prevent possible attacks.
▪ The network share settings in an organization should be such that unnecessary Windows shares are not possible. Responders should check whether the network settings are configured accordingly.
▪ The organization should review and update its IH&R processes and facilities so that it can deal with malware incidents as quickly as possible with minimal losses.
▪ Responders should conduct checkups and scans of all systems in the organization and remove suspicious files.
▪ All employees and users of the organization should have email filters that can spot and filter out spam.
▪ Responders should limit the use of unnecessary programs with FTP and eliminate the sources and causes of unwanted network traffic.
▪ Users should utilize and activate the web browser's security features, such as disabling JavaScript, enabling pop-up blocking, and configuring and customizing security settings as per best practices, to avoid malware.
▪ The IH&R team should implement strict security features on all organizational emails and ensure that mails are encrypted and transmitted securely.
▪ The organization should use secure email clients with features such as digital signatures, PGP encryption, and attachment scanning.
▪ The IH&R team should conduct regular checks and patch systems and applications across the organization.
▪ The IH&R team should check whether all hosts have proper hardening measures, such as regular patching, configuration management, and security partitioning, to limit possible attacks.
Step 6: Evidence Gathering and Forensic Analysis
In this phase, the IH&R team accumulates all possible evidence related to the incident and submits it to the forensic department for investigation. Forensic analysis of an incident reveals details such as the method of attack, the vulnerabilities exploited, the security mechanisms circumvented, the network devices infected, and the applications compromised.
What are the three types of information security threats?
Network Threats, Host Threats, Application Threats
Application Assessments
Tests the web infrastructure for any misconfiguration and known vulnerabilities.
Offensive Warfare Strategies
Web Application Attacks, Web Server Attacks, Malware Attacks, MITM Attacks, System Hacking
Application Flaws
are vulnerabilities in applications that are exploited by the attackers.
Risk Assessment and Management Tools
Risk assessment and management tools help incident handlers to assess and prioritize risks against organizational critical assets based on the impact and likelihood of the risk occurrence.
Risk Assessment Process
Risk assessment determines the kind of risks present, the likelihood and severity of risks, as well as the priorities and plans for risk control.
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team-Network Administrators
-Analyze network traffic for signs of incidents
-Perform corrective actions against the suspected intruder by blocking the network
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team- Incident Coordinators
-Connect different stakeholders affected by the incidents, such as incident handling teams, legal, human resources, clients, vendors, etc.
Step 9: Risk Assessment Report
-Create and submit the risk assessment report to the authorized personnel and authorities in the organization
-It must be developed in a clear and concise format so that it is easily understood by nontechnical management members
The report must contain details such as:
1. Clearly explain all the steps performed under the assessment approach
2. List all the resources and infrastructure evaluated
3. Mention all the threats and vulnerabilities identified for each resource along with the assessment steps
4. Include the likelihood of attacks and consequences on the business and other resources
5. Clearly state the process of business impact analysis along with financial and operational impact
6. Define the existing and new controls recommended along with the method of implementation to reduce risks
7. Provide suggestions for the organization to minimize risks in future
8. Ensure that the report is clear and easy to understand
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team- Incident Manager (IM)
-Handles incidents from a management and technical point of view
-Drives the incident response team for focused incident containment and recovery
Step 1: Preparation for Incident Handling and Response- IH&R components that incur cost include:
-IH&R team staffing
-IH&R toolkits including software and hardware
-Communication systems
-Space requirements
-Transportation cost
-Fee for third-party assistance
-Power and environmental controls
-Forensic investigation cost
Step 1: Preparation for Incident Handling and Response- IH&R Management Approvals and Funding
-Incident handlers should obtain proper permissions from the management, stakeholders, and other authorized personnel to perform the IH&R process
-Determine the funding requirements based on empirical assumptions about the various components of an incident handling and response capability
-Justify the fund requirements with business analysis
Step 1: Preparation for Incident Handling and Response- Define Incident Handling Criteria
-Incident handling criteria include a set of checklists, tables, cheat sheets, and flow charts that help in decision-making during IH&R procedures
Examples of incident handling criteria:
-Criteria for notifying law enforcement
-Criteria for incident categorization
-Criteria to determine incident reporting time
Step 1: Preparation for Incident Handling and Response-Develop IH&R Procedures
-Incident response procedures, also referred to as standard operating procedures (SOPs), provide detailed processes to implement the guidelines defined by the IH&R plan and policy
-IH&R procedure documents include detailed comprehensive processes, techniques, templates, and forms used by the incident response team
-The main objective of developing IH&R procedures is to create a set of tasks that the IH&R team can repeatedly execute over a period, resulting in a certain degree of automation with a minimized probability of errors in plan and policy implementation
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team-System Administrators
-Install and update service packages and patches
-Examine system logs to identify malicious activities
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team
-Manage security issues by taking a proactive approach toward the customers' security vulnerabilities and by responding effectively to potential information security incidents
-Develop and review the processes and procedures that must be followed in response to an incident
-Manage the response to an incident and ensure that all procedures are followed correctly in order to minimize and control the damage
-Identify and analyze what has happened during an incident, including the impact and threat
-Review changes in legal and regulatory requirements to ensure that all processes and procedures are valid
-Establish relationships with local law enforcement agencies, government agencies, key partners, and suppliers
-Review existing controls and recommend steps and technologies to prevent future security incidents
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team-Public Relations
-Play a major role in communicating with stakeholders and other personnel
-Responsible for developing media messages after an event
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team- Human Resources
-Responsible for counseling people after the event and notifying various people as per the company policy
-Answer questions related to compensation and benefits
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team- Threat Researchers
-Supplement security analysts by researching threat intelligence data
-Gather all details of prevalent incidents and security issues
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team- Security Analysts
-Support the incident manager by working directly with the affected systems and networks
-Research the threats, attack vectors, and attack methodology to suggest a response
ISO/IEC 27000 Series
-ISO/IEC 27000 is the information security standard developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
-It provides a global framework for effective information security management for all types of organizations
-ISO/IEC 27000:2018 is the latest revision; its title is "Information technology - Security techniques - Information security management systems - Overview and vocabulary"
-The ISO/IEC 27000 family contains many standards that define information security management systems
Vulnerabilities present in a system or network are classified into the following categories.....
1. Misconfigurations
2. Default Installations
3. Buffer Overflows
4. Unpatched Servers
5. Design Flaws
6. Operating System Flaws
7. Application Flaws
8. Open Services
9. Default Passwords
Incident Response Orchestration
1. Orchestration refers to the process of combining people, processes, and technologies to gain better results
2. Incident response orchestration combines the abilities of the incident response team, tools, and processes to respond to and handle information security incidents efficiently
3. In this, the tools alert the responders, provide details of the attack with proper evidence, and suggest containment and eradication techniques, while allowing the responders to make decisions based on business and other impacts
Commonly targeted assets that must be prioritized and protected by the organization include:
1. Personal Details
2. Financial Information
3. Intellectual Property
4. Sensitive Business Data
5. Login Details and IT System Information
Steps involved in the incident handling and response process
1. Preparation
2. Incident Recording and Assignment
3. Incident Triage
4. Notification
5. Containment
6. Evidence Gathering and Forensic Analysis
7. Eradication
8. Recovery
9. Post-Incident Activities
 -Incident Documentation
 -Incident Impact Assessment
 -Review and Revise Policies
 -Close the Investigation
 -Incident Disclosure
What two things do information security policies prevent?
1. Prevent unauthorized modifications of the data
2. Prevent wastage of the company's computing resources
What two things do information security policies protect?
1. Protect confidential, proprietary information from theft, misuse, and unauthorized disclosure
2. Protect an organization's computing resources
Commonly Used Correlation Techniques
1. Relating multiple incident types and sources across multiple nodes
2. Incident sequence
3. Incident persistence
4. Incident-directed data collection
Administrative security policy
Administrative security policies address how all persons should behave.
Resource Misconfiguration Abuses
An attacker exploits resource misconfiguration such as vulnerable software configurations, open proxy servers and anonymous FTP servers, misconfigured web forms and blog sites, and so on. Resource misconfiguration abuses include SQL injection attacks, bypassing authentication, malicious code execution, and so on.
Unauthorized Usage of Services:
An attacker uses another user's account to attack the system or network.
Network and Resource Abuses
An attacker uses the network and its resources to obtain critical organization details or, in some scenarios, even makes the network services or resources unavailable to legitimate users by flooding the servers or applications with traffic.
Command-and-control Warfare (C2 warfare)
C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.
CIS Critical Security Controls
Center for Internet Security (CIS) Controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.
Step 1: Preparation for Incident Handling and Response- Some of most commonly implemented IH&R team models are:
Central Incident Response Team - It is a single IH&R team responsible for handling and responding to incidents throughout the organization. It is appropriate for small organizations with less geographic diversity.
Distributed Incident Response Teams - This model consists of multiple IH&R teams, each responsible for handling incidents for a particular logical or physical segment of the organization. This model is effective for large organizations with more geographic diversity.
Coordination Teams - It provides advisory service to other IH&R teams in the organization without having authority over them.
Integrity
Characteristic of a document, communication or any data that ensures the **quality of being genuine**
Cyber Laws that May Influence Incident Handling
Country Name: United States
-Laws/Acts: Section 107 of the Copyright Law mentions the doctrine of "fair use" and Online Copyright Infringement Liability Limitation Act; Website: https://www.copyright.gov
-Laws/Acts: The Lanham (Trademark) Act (15 USC §§ 1051 - 1127); Website: https://www.uspto.gov
-Laws/Acts: The Electronic Communications Privacy Act and Foreign Intelligence Surveillance Act; Website: https://www.fas.org
-Laws/Acts: Protect America Act of 2007 and United States Privacy Act of 1974; Website: https://www.justice.gov
-Laws/Acts: National Information Infrastructure Protection Act of 1996; Website: https://www.nrotc.navy.mil
-Laws/Acts: Computer Security Act of 1987; Website: https://csrc.nist.gov
-Laws/Acts: Freedom of Information Act (FOIA); Website: https://www.foia.gov
-Laws/Acts: Computer Fraud and Abuse Act; Website: https://www.energy.gov
-Laws/Acts: Federal Identity Theft and Assumption Deterrence Act; Website: https://www.ftc.gov
Country Name: Australia
-Laws/Acts: The Trade Marks Act 1995, The Patents Act 1990, The Copyright Act 1968, Cybercrime Act 2001; Website: https://www.legislation.gov.au
Country Name: United Kingdom
-Laws/Acts: The Copyright, etc. and Trademarks (Offenses and Enforcement) Act 2002, Trademarks Act 1994 (TMA), Regulation of Investigatory Powers Act 2000, Police and Justice Act 2006, Criminal Justice Act 2008, Financial Services Act 2012, Protection of Children Act 1978; Website: http://www.legislation.gov.uk
Country Name: China
-Laws/Acts: Copyright Law of People's Republic of China (Amendments on October 27, 2001); Website: http://www.npc.gov.cn
-Laws/Acts: Trademark Law of the People's Republic of China (Amendments on October 27, 2001); Website: http://samr.saic.gov.cn
Country Name: India
-Laws/Acts: The Patents (Amendment) Act, 1999, Trade Marks Act, 1999, The Copyright Act, 1957; Website: http://www.ipindia.nic.in
-Laws/Acts: Information Technology Act; Website: http://www.dot.gov.in
Country Name: Germany
-Laws/Acts: Section 202a. Data Espionage, Section 303a. Alteration of Data, Section 303b. Computer Sabotage; Website: http://www.cybercrimelaw.net
Country Name: Italy
-Laws/Acts: Penal Code Article 615 ter; Website: http://www.cybercrimelaw.net
Country Name: Japan
-Laws/Acts: The Trademark Law (Law No. 127 of 1957), Copyright Management Business Law (4.2.2.3 of 2000); Website: http://www.iip.or.jp
Country Name: Singapore
-Laws/Acts: Computer Misuse Act; Website: https://sso.agc.gov.sg
Country Name: Canada
-Laws/Acts: Copyright Act (R.S.C., 1985, c. C-42), Trademark Law, Canadian Criminal Code Section 342.1; Website: https://laws-lois.justice.gc.ca
Country Name: South Africa
-Laws/Acts: Trademarks Act 194 of 1993; Website: http://www.cipc.co.za
-Laws/Acts: Copyright Act of 1978; Website: http://www.nlsa.ac.za
Country Name: South Korea
-Laws/Acts: Copyright Law Act No. 3916; Website: https://home.heinonline.org
-Laws/Acts: Industrial Design Protection Act; Website: http://www.kipo.go.kr
Country Name: Belgium
-Laws/Acts: Copyright Law, 30/06/1994; Website: https://www.wipo.int
-Laws/Acts: Computer Hacking; Website: http://www.cybercrimelaw.net
Country Name: Brazil
-Laws/Acts: Unauthorized modification or alteration of the information system; Website: https://www.domstol.no
Country Name: Hong Kong
-Laws/Acts: Article 139 of the Basic Law; Website: https://www.basiclaw.gov.hk
Unpatched Servers
Servers are an essential component of the infrastructure of any organization. There are several cases where organizations run unpatched and misconfigured servers, compromising the security and integrity of the data in the system.
Technical security policy
Technical security policies describe the configuration of the technology for convenient use
What does defense-in-depth do?
Defense-in-depth helps to prevent direct attacks against an information system and its data because a break in one layer only leads the attacker to the next layer.
Defense-in-depth
Defense-in-depth is a security strategy in which several protection layers are placed throughout an information system
Employee Sabotage and Abuse
The actions performed by an employee to abuse systems include removing hardware or services of a computer system, intentionally making incorrect data entry, intentionally deleting data or altering data, placing logic bombs to delete information, applications, and system files, crashing systems, and so on.
File Integrity Checking Software
File integrity checking software detects and alerts when critical system files are modified. This software calculates the cryptographic checksum of the original files and modified files. It compares both the checksums for detecting changes.
Financial Losses
Financial losses faced by the organization can be either direct or indirect losses.
High-level management
In an organization, the high-level management is responsible for the implementation of the organization's security policies. High-level officers involved in the implementation of the policies include the following:
▪ Director of Information Security
▪ Chief Security Officer
Automated Response
In the case of attacks such as malware, the orchestration tools are able to contain the incident by detecting the affected systems and isolating them from the functional network. These solutions enable the responders to customize the automated responses based on their requirements.
Information Security
Information security is defined as "a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is kept low or tolerable." It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.
Intelligence-based Warfare
Intelligence-based warfare is sensor-based technology that directly corrupts technological systems. It consists of the design, protection, and denial of systems that seek sufficient knowledge to dominate the battle space.
Users
Intentional or unintentional human errors may affect the security of web servers, application platform, database, and network.
risk matrix scales
| Consequences \ Probability | Very High Probability (81-100%) | High Probability (61-80%) | Equal Probability (41-60%) | Low Probability (21-40%) | Very Low Probability (1-20%) |
|---|---|---|---|---|---|
| Insignificant | Low | Low | Low | Low | Low |
| Minor | Medium | Medium | Medium | Low | Low |
| Moderate | High | High | Medium | Medium | Medium |
| Major | Extreme | High | High | Medium | Medium |
| Severe | Extreme | Extreme | High | High | |
Fraud and Theft
Involves theft or loss of asset or equipment that contains confidential information. The motive behind fraud and theft is to gain control over and misuse the information systems such as access control systems, inventory systems, financial data, and telephone equipment.
IoT Threats
IoT devices include many software applications that are used to access the device remotely. Flaws in IoT devices allow attackers to access the device remotely and perform various attacks.
Internet of Things (IoT)
IoT devices on the internet have very few security protection mechanisms against various emerging threats, leading to potential vulnerabilities.
Incident management
Is a set of defined processes to identify, analyze, prioritize, and resolve security incidents to restore normal service operations as quickly as possible and prevent future reoccurrence of the incident.
Integrated Response
It allows responders to configure different solutions to interact and streamline incident response actions.
Contain and Eradicate
It allows responders to implement and automate countermeasures to contain the attacks and review the incident to eradicate it from happening in the future.
Remote Control
It allows responders to remotely assess the incident analysis results and manage the actions.
Detect and Alert
It automates alarms that detect the incident and alert the response personnel with details. These tools also suggest the required containment steps based on the attack and impacted resources.
Group Attribution
It deals with attributing based on the common group or association of multiple malicious actors and their attack methodologies.
Campaign Attribution
It deals with attributing based on the malware or the campaign strategy of specific malware.
Intrusion-set Attribution
It deals with attributing the attacker based on the intrusion patterns.
Nation-state Attribution
It deals with the attribution of attacks that are sponsored by any nation against another nation.
True Attribution
It deals with the identification of the specific person, society, or a country sponsoring a well-planned and executed intrusion or attack over its target.
Firewall-Management Policy
It defines access, management, and monitoring of firewalls in the organization.
Acceptable-Use Policy
It defines the acceptable use of system resources.
User-Account Policy
It defines the account creation process, and authority, rights, and responsibilities of user accounts.
Access Control Policy
It defines the resources being protected and the rules that control access to them.
Information-Protection Policy
It defines the sensitivity levels of information, who may have access, how it is stored and transmitted, and how it should be deleted from storage media.
Remote-Access Policy
It defines who can have remote access, and defines access medium and remote access security controls.
Network-Connection Policy
It defines who can install new resources on the network, approve the installation of new devices, document network changes, etc.
Loss of Business Reputation
It diminishes business reputation and leads to loss of the existing loyal customers as well as the potential to attract new customers.
Paranoid Policy
It forbids everything: no internet connection, or severely limited internet usage.
PILAR—Risk Analysis and Management
It helps incident handlers to assess risks against critical assets of the organization in several dimensions such as confidentiality, integrity, availability, authenticity, and accountability.
Analysis
It helps responders in investigating by offering centralized tools and evidence of the incident. These tools also help in sorting and prioritizing the incidents.
Damaged Customer Relationship
It impacts the customer relationship and leads to the loss of customers, decrease in sales, and drop in profits.
Risk Mitigation
It is a strategic approach to prepare for handling risks and reduce their impact on the organization.
Insider Attack
It is an attack performed on a corporate network or on a single computer by an entrusted person (insider) who has authorized access to the network.
Email Security Policy
It is created to govern the proper usage of corporate email.
What are important characteristics of an organization's information asset?
▪ It is recognized to be of value to the organization.
▪ It is considered as an asset to the organization.
▪ It is difficult to replace the information without cost, skills, time, and resources.
▪ It is a part of the organization's corporate identity.
▪ The data classified as an information asset is confidential and proprietary.
▪ It plays a significant role in the organization's business.
▪ It is any organized documentation that motivates the organization to achieve its goals.
▪ It is maintained by people working in a consistent and cooperative manner.
▪ It can be a part of the enterprise application or a unique application.
▪ The loss of information affects the investment of the organization in different business activities.
Research and Acknowledgment
It is vital to analyze the vulnerability or flaw and to evaluate what actions can be taken to correct the vulnerability in order to reduce the loss caused by the risk.
Operational Impacts
Operational impacts may leave the organization disabled, as they disrupt the working of the entire organizational network.
Passwords Policy
It provides guidelines for using strong password protection on organization's resources.
Prudent Policy
It provides maximum security while allowing known but necessary dangers. It blocks all services, and only safe/necessary services are enabled individually; everything is logged.
Defensive Information Warfare
It refers to all strategies and actions to defend against attacks on ICT assets.
Offensive Information Warfare
It refers to information warfare that involves attacks against ICT assets of an opponent.
Risk Avoidance
It refers to preventing the risk by curbing the cause of the risk and/or consequence. Example: Whenever risks are identified, shut down the system.
Intangible Cost
It refers to the expenditures that the organization cannot calculate directly or value accurately.
Tangible Cost
It refers to the organization's direct expenditure due to an incident.
Loss of Confidentiality and Integrity
It results in loss of trustworthiness of data or resources, damage to corporate reputation, loss of goodwill, business credibility, and trust.
Legal and Compliance Issues
It results in negative publicity for an organization and affects the business's performance.
Threat contextualization refers to the process of___________________________ in various conditions
assessing the threats and their impacts
Threat Assessment allows the organizations to assess their ______________________________ by identifying flaws in their assets, the chances for exploitation using those flaws, and their origin
current threat landscape
Contextualization of threats helps the organizations in predicting the __________________ and future evolving threats
current threats
Use ______________________ such as build, version, operating system, and other details and search them on the online vulnerability research websites
details of the resource
Threat context is obtained by ___________________ the current vulnerabilities in the IT resources such as networks and information system
detecting and analyzing
Accurately ____________________________ incidents are the most challenging and essential part of the incident response process
detecting and assessing
The main objective behind threat correlation is to reduce the ___________________ rates, detect and escalate stealthy, complex attacks
false-positive alert
ISO/IEC 27002:2013
gives guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization's information security risk environment(s)
The impact of threats is potentially __________________________ such as information, systems, processes, networks, and human resources of the organizations.
hazardous to assets
Threat intelligence
is defined as the collection and analysis of information about threats and adversaries and drawing patterns that provide an ability to make knowledgeable decisions for the preparedness, prevention, and response actions against various cyberattacks.
Threat attribution
is referred to as the process of identifying and attributing actors behind an attack, their goals and motives along with the sponsors.
Vulnerability
is the existence of a weakness, design, or an implementation error that, when exploited, leads to an unexpected and undesirable event compromising the security of the system.
control analysis
is the process of analyzing the various security controls implemented by the organization to eradicate or minimize the probability of a threat source exploiting a system vulnerability.
Vulnerability research
is the process of discovering vulnerabilities and design flaws that will open a network, operating system, and its applications to attack or misuse
Threat assessment
is the process of examining, filtering, transforming, and modeling of acquired threat data for extracting threat intelligence.
Remediation
is the process of reducing the severity of vulnerabilities. This phase is initiated after the successful implementation of baselining and assessment steps.
Risk Matrix
is used to scale risk by considering the probability, likelihood, and consequence/impact of the risk.
Precursors and indicators are generally obtained from ______________________ like computer security alerts, log files, and publicly available information such as news articles and people
many different sources
An incident handler needs to keep up with the most __________________ and exploits in order to stay one step ahead of attackers through vulnerability research.
recently discovered vulnerabilities
Threat target and assets
refer to the organizational resources that threat actors attack in order to gain complete control or steal information for launching further attacks on the organization.
Risk
refers to a degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or resources under specified conditions.
Risk management
refers to a set of policies and procedures to identify, assess, prioritize, minimize, and control risks.
Vulnerability assessment phase
refers to identifying vulnerabilities in the organization infrastructure, including the operating system, web applications, and web server.
Some application threats are?
o Improper data/input validation
o Authentication and authorization attacks
o Security misconfiguration
o Improper error handling and exception management
o Information disclosure
o Hidden-field manipulation
o Broken session management
o Buffer overflow issues
o Cryptography attacks
o SQL injection
o Phishing
Some network threats are?
o Information gathering
o Sniffing and eavesdropping
o Spoofing
o Session hijacking
o Man-in-the-Middle attack
o DNS and ARP poisoning
o Password-based attacks
o Denial-of-Service attack
o Compromised-key attack
o Firewall and IDS attack
Some host threats are?
o Malware attacks
o Footprinting
o Profiling
o Password attacks
o Denial-of-Service attacks
o Arbitrary code execution
o Unauthorized access
o Privilege escalation
o Backdoor attacks
o Physical security threats
Assets can be either ___________________________, and this could range from confidential data, such as customer data or orders database, to the company's web pages or web site availability
physical or abstract
Incident responders must identify the risks by performing __________________________ and ____________________________ as well as evaluating their impact on the business.
threat assessment and vulnerability assessment
Botnet
A botnet is a huge network of compromised systems used by an intruder to perform various network attacks.
ICT
information and communication technologies
Non-repudiation
**Guarantee** that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message
Authenticity
**Trustworthiness of data or resources** in terms of preventing improper and unauthorized changes
Step 5: Likelihood Analysis
* Likelihood analysis is the calculation of probability that a threat source exploits an existing system vulnerability
* Use the following table to categorize the risk likelihood and the level of consequence

Consequence levels:
* Insignificant: Minor problem easily handled by normal day-to-day processes
* Minor: Some disruption possible, e.g. damage equal to $500k
* Moderate: Significant time/resources required, e.g. damage equal to $1 million
* Major: Operations severely damaged, e.g. damage equal to $10 million
* Severe: Business survival is at risk, damage equal to $25 million

| Likelihood | Insignificant | Minor | Moderate | Major | Severe |
|---|---|---|---|---|---|
| Almost Certain (>90% chance) | High | High | Extreme | Extreme | Extreme |
| Likely (between 50% and 90% chance) | Moderate | High | High | Extreme | Extreme |
| Moderate (between 10% and 50% chance) | Low | Moderate | High | Extreme | Extreme |
| Unlikely (between 3% and 10% chance) | Low | Low | Moderate | High | Extreme |
| Rare (<3% chance) | Low | Low | Moderate | High | High |
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team- Forensic Investigators
- Help the organization and law enforcement agencies to investigate and prosecute the perpetrators of cybercrimes
- Assist in maintaining forensics readiness and implementing effective incident handling and response
Risk Management Plan Evaluation and Update
- An effective risk management plan requires a tracking and review structure to ensure effective identification and assessment of the risks as well as the use of appropriate controls and responses.
- The regular evaluation and modification of the plan allow organizations to identify the latest updates in cybersecurity and eradicate underlying vulnerabilities in the systems and network effectively.
Step 1: Preparation for Incident Handling and Response- Develop Incident Readiness Procedures
- Apart from preparing the IH&R team, every organization must define the incident readiness procedures in order to be equipped accordingly with the necessary toolkits to fight incidents.
- Building incident response toolkits, setting up a forensic lab, establishing reporting facilities, and establishing structured record keeping facilities are some of the procedures that are to be performed in order to maintain readiness toward any incident.
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team- Information Security Officer (ISO)
- Bears the responsibility for all IH&R activities in the context of overall organizational information security
- Provides guidance and training to incident handling teams
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team-Financial Auditors
-Calculate the costs involved such as damages or losses by the incident and costs incurred in incident handling and response
Step 1: Preparation for Incident Handling and Response- Roles and Responsibilities of IH&R Team-Internal Auditors
- Check whether the information systems are in compliance with security policies and controls
- Identify and report any security loopholes to the management
Examples of Intangible Cost
1. Damage to corporate reputation
2. Loss of goodwill
3. Psychological damage
- Those directly impacted may feel victimized
- May impact morale or initiate fear
4. Legal liability
5. Damage to the shareholder's value
Types of Vulnerability Assessment
1. Active Assessment
2. External Assessment
3. Host-Based Assessment
4. Application Assessments
5. Passive Assessment
6. Internal Assessment
7. Network Assessments
8. Wireless Network Assessments
Best Practices: OWASP Source: https://www.owasp.org
1. Audit and Due Diligence
Performing an audit will help to know how well prepared the organization is for incident response in terms of:
o People
o Process
o Equipment and materials
2. Create a Response Team
Preventing and managing attacks or incidents that can occur without prior notice is best managed by experts who belong to an incident response team. Some important things to note when creating an incident response team:
o Ensure that a competent team leader is in charge and has a clear chain of command
o Document the roles and responsibilities of the team members and communicate this clearly to all relevant stakeholders
3. Create a Documented Incident Response Plan
An organization should have a well-documented incident response plan that would guide the incident response team during an incident. A comprehensive plan at minimum should cover roles and responsibilities, investigation, triage and mitigation, recovery, and the documentation process.
4. Identify All Triggers and Indicators
It is important to clearly define what can trigger an incident in the organization. Some of these events include:
o Loss or theft of equipment
o Loss or theft of information
o Attempts to gain unauthorized access to data, computers, or information storage devices
5. Investigate the Problem
A thorough investigation will require input from the incident response team and might require input from external resources. The investigation will document the incident details, including what to look for, who to involve, and how to document what is found.
6. Triage and Mitigation
Investigation leads to the triage and resolution process. As the team identifies potential exposure, they should plan and execute effective mitigation accordingly. In summary, the triage process should cater for the following activities:
o Classification of the incident
o Incident prioritization
o Assigning specific tasks to specific people
7. Recovery
Recovery is a significant step for restoring whatever services or materials might have been affected during an incident. The recovery step is the transition from active incident to standard monitoring. The recovery procedure should include the steps for transition given the specifics of the firm's environment and approach.
8. Documentation and Reporting
Reporting and documentation are critical actions that will always occur before, during, and after incident response. A comprehensive incident report is required in keeping with best practices and with the incident response plan. The types of reports that might be required may vary but should help in managing and reviewing incidents satisfactorily.
9. Process Review
It is imperative to continuously monitor an incident and the workload/performance of the team or incident handler. Process review can help the organization to answer the following:
o Should the organization increase or decrease the number of incident handlers?
o Should the organization develop automated procedures for incident handling?
o What risks did the organization identify during the incident that need to be followed up for action and monitored closely?
10. Practice
Organizations should not wait for incidents to occur; rather, the incident handling teams should always be prepared. It is important that the incident response team understand how important mock drills and practice are to the firm. Sometimes the team can practice the organization's plan by simulating a live scenario. This test can range from something as simple as dropping a thumb drive on the floor of the office and seeing what happens to simulating a data breach or phishing attack.
PCI Data Security Standard—High Level Overview
1. Build and Maintain a Secure Network 2. Implement Strong Access Control Measures 3. Protect Cardholder Data 4. Regularly Monitor and Test Networks 5. Maintain a Vulnerability Management Program 6. Maintain an Information Security Policy
Online vulnerability research websites include
1. Common Vulnerability Scoring System (CVSS) (https://nvd.nist.gov)
2. Common Vulnerabilities and Exposures (CVE) (https://cve.mitre.org)
3. National Vulnerability Database (NVD) (https://nvd.nist.gov)
4. CVE Details (https://www.cvedetails.com)
5. Vulnerability Lab (https://www.vulnerability-lab.com)
Some of the Causes for Vulnerabilities
1. Complexity of the system
2. Improper password management
3. Insecure internet website browsing
4. Unchecked user input
5. Improper training and awareness
6. Software bugs
7. Flaws in operating system design
8. Inability to manage physical connections
Vulnerability management life cycle steps
1. Creating Baseline 2. Vulnerability Assessment 3. Risk Assessment 4. Remediation 5. Verification 6. Monitor
Role of Laws in Incident Handling
1. Cyber laws are integral to incident handling as they provide the assurance of the integrity, security, privacy, and confidentiality of information in both government and private organizations. 2. Cyber laws vary by jurisdiction and country, so implementing these laws is quite challenging. 3. Federal law requires federal agencies to report incidents to the Federal Computer Incident Response Center. It requires federal agencies to establish incident response capabilities. 4. Several levels of law enforcement agencies are available to investigate incidents.
Step 1: Preparation for Incident Handling and Response-Incident handlers should perform the following tasks to build an IH&R team:
1. Design IH&R Team Development Plan - Develop a strategic plan that defines how the IH&R team will handle the incident response tasks, such as handling geographically distributed tasks and communication among the team members.
2. Set Expectations - Communicate with all the stakeholders of the organization and list their expectations from the IH&R team. This will help in setting expectations for the team.
3. Define IH&R Team Vision - Define the IH&R team mission, goals, objectives, services, and constituency.
4. Communicate the IH&R Team Vision - Communicate the IH&R team's vision and operational plan to all the stakeholders and get their approval.
5. Start Building IH&R Team - Hire team members for the IH&R team, and provide training and resources to the newly built IH&R team.
6. Announce the IH&R Team - Inform all the stakeholders about the IH&R team, their responsibilities, services, contact details, and how they can be reached.
7. Evaluate IH&R Team Effectiveness - Schedule a regular evaluation of the team to check the effectiveness of the services and how they have reduced the impact of security incidents on the organization.
Steps in Vulnerability research
1. Discovering system design faults and weaknesses that might allow attackers to compromise a system 2. Being informed about new products and technologies in order to find news related to current exploits 3. Checking underground hacking web sites for newly discovered vulnerabilities and exploits 4. Checking newly released alerts regarding relevant innovations and product improvements for security systems
HIPAA's Administrative Simplification Statute and Rules
1. Electronic Transaction & Code Sets Standards - Requires every provider who does business electronically to use the same healthcare transactions, code sets, and identifiers.
2. Privacy Rule - Provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
3. Security Rule - Specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
4. National Identifier Requirements - Requires that healthcare providers, health plans, and employers have standard national numbers that identify them on standard transactions.
5. Enforcement Rule - Provides standards for enforcing all the Administrative Simplification Rules.
Gramm-Leach-Bliley Act (GLBA)
1. Enacted in 1999, the Gramm-Leach-Bliley Act requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
2. The objective of the Gramm-Leach-Bliley Act is to ease the transfer of financial information between institutions and banks while making the rights of the individual more specific through security requirements.
3. Its provisions limit when a "financial institution" may disclose a consumer's "nonpublic personal information" to nonaffiliated third parties. Under the Privacy Rule, only an institution that is "significantly engaged" in financial activities is considered a financial institution.
4. It is essential for financial institutions to notify their customers about their information-sharing practices and tell consumers of their right to "opt-out" if they don't want their information shared with certain nonaffiliated third parties.
5. It helps to address incidents of unauthorized access to sensitive customer information maintained by the financial institution in a manner that could result in "substantial harm or inconvenience to any customer".
Steps involved in vulnerability assessment phase:
1. Examine and evaluate physical security 2. Check for misconfigurations and human errors 3. Run vulnerability scans using tools 4. Identify and prioritize vulnerabilities 5. Apply business and technology context to scanner results 6. Perform OSINT information gathering to validate the vulnerabilities 7. Create a vulnerability scan report
Step 4: Control Analysis
1. Host and network security
2. Authentication controls
3. Access controls
4. Physical security
5. Hardware and software security tools
6. Policies and procedures implemented
7. Data protection controls
8. Business controls
9. Backup and recovery solutions
10. Insurance and other protective measures implemented
The output of this step includes the list of all existing and planned security controls used to eliminate the likelihood of a threat source exploiting system vulnerabilities.
Difference between automation and orchestration
1. IR automation converts the manual process into an automated process based on the preset instruction from the responders 2. IR orchestration involves combining automation with machine and human intelligence to build an environment that learns and evolves with changing situations.
Control the Risks
1. Identify all the existing security controls that can help organizations in reducing security risks 2. Recommend any new security controls the organization must implement 3. Use results of vulnerability and threat assessment to minimize risks, as risks are directly proportionate to them
Steps involved in creating a baseline:
1. Identify and understand business processes 2. Identify the applications, data, and services that support the business processes 3. Create an inventory of all assets, and prioritize/rank the critical assets 4. Map the network infrastructure 5. Identify the controls already in place 6. Understand policy implementation and standards compliance to the business processes 7. Define the scope of the assessment 8. Create information protection procedures to support effective planning, scheduling, coordination, and logistics
In order to evaluate the risk management plan efficiently, the incident responders must consider the following points:
1. Identify the key events included in the plan, assess the severity of the events, and identify the events that are causing serious impact 2. Compare the objectives and outcomes of the plan to check whether the objectives meet the desired results or not. If they are not giving desired outcome, then responders must update the plan 3. Check the effectiveness of the activities of the plan to identify loopholes in the plan 4. Make changes to the ineffective activities of the plan 5. Review the changes that are made to the activities and make sure that they meet the objectives of the plan
Some of the security controls that help in reducing risks include:
1. Impart security awareness to the employees 2. Place up-to-date hardware and software security solutions such as IDS, firewall, honeypot, and DMZ 3. Strengthen network, account, application, device, and physical security across the organization 4. Implement strict access controls and security policies 5. Deploy encryption for all data transfers 6. Implement an appropriate incident handling and response plan
Introduction to Incident Handling and Response (IH&R) Process
1. Incident handling and response (IH&R) process provides a focused and structured approach for restoring normal business operations as quickly as possible after an incident and with a minimal impact to the business 2. IH&R processes are initiated by organization's IH&R development project team, executive manager, head of the information security department, or any other person exclusively designated by the management. 3. The decision to establish IH&R process is affected by inputs, complaints, and queries from all the stakeholders involved in the organization's business processes. 4. IH&R processes differ from organization to organization according to their business and operating environment.
Risk Level Descriptions
1. Insignificant- Impacts non-critical systems, functions, and processes that can be replaced easily 2. Minor- Impacts non-critical systems, functions, and processes that are difficult to replace 3. Moderate- Affects systems, functions, and services containing small amounts of sensitive data 4. Major- Affects highly sensitive data and resources to impact business functionality 5. Severe- Affects mission critical data and resources, and results in severe business and financial losses
Examples of the precursor are
1. Irregular log entries in the web server which show a web scanner scanning for vulnerabilities 2. An announcement of a new exploit that targets a vulnerability of the organization's mail server 3. Threats from hackers stating that they will attack the organization
The automation of IR process assists in performing the following actions:
1. It helps in investigating the incidents, such as incident identification by providing data from different sources, for example, past incidents information, threat intelligence, and SIEM. 2. It provides a functionality where the responders can give instructions and change the configuration of various security controls. 3. The main requirement for an incident response is speed, and automation helps to achieve it, therefore, reducing the time taken for analyzing the incidents and responding to them efficiently. 4. It enables responders to pay more attention to the alerts generated by critical incidents rather than checking every alert and prioritizing them in order to respond to the most critical ones.
Examples of Tangible Cost
1. Lost productive hours 2. Investigation and recovery cost 3. Loss of business 4. Loss or theft of resources
Step 1: Preparation for Incident Handling and Response- Training and Preparing IH&R Personnel
1. Maintain sufficient staff in the organization so that the team members can have uninterrupted time to work
2. Provide the hardware and software components
3. Provide the team with appropriate books, magazines, and other technical references that offer technical knowledge
4. Prepare a training budget to maintain, enhance, and increase the proficiency in technical areas and security disciplines, including the legal aspects of incident response by the legal experts
5. Hire external subject matter experts for training
6. Give opportunities to the team members to perform other tasks associated with incident response
7. Consider the process of rotating staff members in and out of the incident response team
8. Develop a mentoring program for senior technical staff to help less experienced staff know about the incident handling process
9. Develop various scenarios on incident handling and conduct group discussions on how they would handle them
10. Conduct training and incident handling mock drills and practice sessions to make the teams familiar with the process
RFC 2196
1. Request for Comments (RFC) 2196 is a guide to setting computer security policies and procedures for sites that have systems on the internet
2. This guide lists issues and factors that a site must consider when setting their own policies
3. It makes a number of recommendations and provides discussions of relevant areas
4. This document provides guidance to system and network administrators on how to address security issues within the internet community
5. It builds on the foundation provided in RFC 1244 and is the collective work of a number of contributing authors
6. This standard is useful for developing information security, including network security, incident response, and security policies and procedures for information systems connected on the internet
Steps in Post-Assessment Phase:
1. Risk Assessment 2. Remediation 3. Verification 4. Monitoring
Step 8: Control Recommendation
1. Risk assessment teams recommend the controls based on the likelihood, impact, and criticality of risk for business operation 2. The control recommendation helps the organization in minimizing or mitigating the identified risks and reduces the impact caused on the organizational systems and data to an acceptable level 3. Senior management in the organization has to determine the effectiveness of controls based on technical feedbacks and available case studies 4. The output of this step includes the control recommendations along with various alternative solutions that can be used to mitigate or minimize the risks
Step 1: Preparation for Incident Handling and Response- IH&R policies contain:
1. Statement of management commitment to IH&R plan 2. Purpose and objectives of the policy 3. Scope of the policy 4. Definition of security incidents and their consequences within the context of the organization 5. Organizational structure and delineation of roles, responsibilities, and levels of authority 6. Guidelines for prioritization or assigning severity levels 7. Performance measures and proper project management and time management details 8. Reporting guidelines 9. Guidelines for communication within and outside of the organization
Various steps involved in the risk assessment process (9)
1. System Characterization: Identify all the resources and infrastructure boundaries
2. Threat Identification: List out all the possible threat sources applicable to the critical IT assets
3. Vulnerability Identification: List out all the vulnerabilities that can be maliciously exploited by threat sources
4. Control Analysis: Identify and analyze the existing controls
5. Likelihood Analysis: Evaluate the likelihood of attacks and consequences
6. Impact Analysis: Analyze the financial and operational impact of a threat over the business
7. Risk Determination: Determine the risk based on likelihood, impact, and capability of security controls
8. Control Recommendation: Recommend controls based on the likelihood, impact, and criticality of risk for business operation
9. Risk Assessment Report: Present the results of risk assessment in an official report
Step 3: Vulnerability Identification
1. The objective of this step is to identify and list out all the vulnerabilities existing in the IT systems that can be maliciously exploited by various threat sources 2. Identify vulnerabilities by using information gathering techniques and tools, various online vulnerability sources, system security testing, and so on. 3. Collect and check if security requirements collected during system characterization meet the planned security policies and controls 4. The output of this step includes the list of all the existing vulnerabilities that may be exploited by various threat sources
Step 1: System Characterization
1. The organization must clearly characterize the systems for which it needs to perform risk assessment 2. Under this step, define the scope of assessment including systems, devices, and networks 3. Collect details such as type of resource, data stored, location, criticality, vendor or manufacturer, interfaces and accounts, users having access and connectivity to help in assessment process 4. Describe the access and security controls, as well as stakeholders and owners of the information 5. All this information will help in understanding security requirements, assessing the threats, evaluating the effectiveness of controls, and identifying and analyzing the risks
Risk Levels
1. The risk level is an assessment of the resulting impact on the network 2. Various methods exist to differentiate risk levels depending on the risk frequency and severity 3. One of the common methods used to classify risks is to develop a two-dimensional matrix.
Step 2: Threat Identification
1. To identify possible threats, consider threat sources, potential vulnerabilities, and various security controls 2. The objective of this step is to list out all the possible threat sources applicable to the critical IT assets 3. The most common threat sources include human, natural, and environmental 4. The output of this step includes a threat statement listing out all possible threat sources that have the potential to exploit various system vulnerabilities
Examples of the indicator are
1. Warning from an antivirus or scanner about malware
2. Firewall, IDS, and IPS alerts about unusual network traffic
3. Web server unavailability to the users for a long period of time
4. Bounced emails with malicious and suspicious content
Step 1: Preparation for Incident Handling and Response- Setting Up a Computer Forensics Lab Part 1
A Computer Forensics Lab (CFL) is a designated location for conducting computer-based investigation of the collected evidence in order to solve the case and find the culprit. The lab houses the instruments, software and hardware tools, suspect media, and the forensic workstations required to perform investigation of all types.
Motives, Goals, and Objectives of Information Security Attacks
A motive originates out of the notion that the target system stores or processes something valuable, and this leads to the threat of an attack on the system. Attackers try various tools and attack techniques to exploit vulnerabilities in a computer system or in security policy and controls to achieve their motives.
Network Threats
A network is the collection of computers and other hardware connected by communication channels to share resources and information.
Risk Planning
A risk mitigation plan is to be developed in order to prioritize, implement, and maintain the controls.
Internal Assessment
A technique to scan the internal infrastructure to find out the exploits and vulnerabilities.
Passive Assessment
A technique used to sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
Threat Actor
A threat actor or malicious actor is a person or entity that is responsible for the incidents or has the potential to impact the security of an organization's network.
Threat
A threat is an undesired event that attempts to access, exfiltrate, manipulate, or damage the integrity, confidentiality, security, and availability of an organization's resources.
Step 8: Recovery
After eliminating the causes for the incidents, the IH&R team restores the affected systems, services, resources, and data through recovery. It is the responsibility of the incident response team to ensure that there is no disruption to the services or business of the organization owing to the incident.
Advanced Persistent Threats (APT)
APT is an attack that is focused on stealing information from the victim machine without the user being aware of it.
What do information security policies maintain?
Maintain an outline for the management and administration of network security
Email-based Abuse
An attacker creates a fake website mimicking the legitimate website and sends the website links to the users to steal sensitive information such as user credentials, bank account details, and credit card details.
Indicators
An indicator is a sign representing that the incident has probably occurred or is currently in progress
Information as Business asset
An information asset can be defined as a piece of information identified as important to an organization.
Script Kiddies
An unskilled hacker who compromises systems by running scripts, tools, and software developed by real hackers.
ISO/IEC 27001:2013—(Annex A) A.16: Information Security Incident Management
Annex A.16: Information security incident management defines the controls for incident management.
1. A16.1.1 Incident Management Responsibilities: Management responsibilities and procedures shall be established for an effective incident response
2. A16.1.2 Incident Reporting: Information security events shall be reported through appropriate management channels as quickly as possible
3. A16.1.3 Vulnerability Reporting: Employees and contractors using the organization's information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services
4. A16.1.4 Incident Assessment: Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents
5. A16.1.5 Incident Response: Information security incidents shall be responded to in accordance with the documented procedures
6. A16.1.6 Learning from Incidents: Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents
7. A16.1.7 Forensics: The organization shall define and apply procedures for the identification, collection, acquisition, and preservation of information, which can serve as evidence
Antivirus/Antispam Software
Antivirus software detects, alerts, and prevents malware from infecting hosts. It detects and filters spam emails and prevents spam from reaching the inbox of users. Alerts from such software are indicators of various attack attempts.
Application Threats
Applications can be vulnerable if proper security measures are not taken while developing, deploying, and maintaining them. Attackers exploit the vulnerabilities present in an application to steal or destroy data.
External Assessment
Assesses the network from a hacker's point of view to find out what exploits and vulnerabilities are accessible to the outside world.
Confidentiality
Assurance that the information is accessible **only to those authorized to have access**
Availability
Assurance that the systems are **accessible when required** by the authorized users.
Web Application Threats
Attackers target web applications to steal credentials, set up phishing sites, or acquire private information to threaten the performance of the website and hamper its security.
Defensive Warfare Strategies
Prevention, Deterrence, Alerts, Detection, Emergency Preparedness, Response
COBIT (Control Objectives for Information and related Technology) Framework
COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues, and business risks. COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment, and simplifies implementation of the enterprise's IT governance and control framework.
NIST risk management framework- Selection of the Security Controls:
Categorize the information system, and then select the baseline security controls under a NIST risk management framework. Apply tailored guidance and supplemental controls (if needed) based on risk assessment.
Cloud Computing Threats
Cloud computing is the on-demand delivery of IT capabilities, where sensitive data of organizations and their clients is stored. Flaws in one client's cloud application can allow attackers to access another client's data.
What is the CIA triad?
Confidentiality, integrity, and availability are together referred to as the CIA triad.
Containment of Malware Incidents
Containment strategies may vary with the nature of the malware incident. Following are some of the steps IH&R personnel should follow to contain malware incidents:
▪ After confirming the presence of malware, separate the compromised host from the operational network.
▪ The incident responder must simultaneously gather and analyze network logs of the system to find the events of malware propagation through shared files and connected systems.
▪ In case the malware has compromised multiple systems, cut the network services of these systems and prioritize them according to the importance of the affected host for business continuity.
▪ Use separate virtual local area networks (VLANs) for infected hosts to find the processes the malware employs to join the network when connected.
▪ Allow connections through an access control network or VPN for the non-compromised devices.
▪ Start analysis of the compromised host to find a malware signature, pattern, or behavior that you can use to contain the incident.
▪ Disable the targeted services, applications, and systems until the exploited vulnerabilities are patched.
▪ Block all unnecessary ports at the host and firewall.
▪ Run host-based antivirus, firewall, and intrusion detection software.
▪ Run registry monitoring tools to find malicious registry entries added by the backdoor.
▪ Remove or uninstall the program or application installed by the backdoor Trojan or virus.
▪ Remove the malicious registry entries added by the backdoor Trojan.
▪ Delete malicious files related to the backdoor Trojan.
NIST risk management framework- Monitor Security State:
Continuously track changes to the information system that may affect security controls, and reassess control effectiveness.
NIST risk management framework- Authorize the Information System:
Determine risk to organizational operations and assets, individuals, other organizations, and the nation; if acceptable, authorize the operation.
NIST risk management framework- Assess the Security Controls:
Determine security control effectiveness by ensuring correct and effective implementation of the controls as per required operation and compliance with security requirements for the information system.
Network Assessments
Determines the possible network security attacks that may occur on the organization's system.
Host-Based Assessment
Determines the vulnerabilities in a specific workstation or server by performing configuration-level checks through the command line.
Wireless Network Assessments
Determines the vulnerabilities in the organization's wireless networks.
Operating System Flaws
Because of vulnerabilities in operating systems, malicious programs such as Trojans, worms, and viruses pose threats. These attacks are performed using malicious code, scripts, or unwanted software, and result in loss of sensitive information and loss of control over computer operations. Timely patching of the OS, installing a minimum of software applications, and using applications with firewall capabilities are essential steps an administrator needs to take to protect the OS from attack.
Economic Warfare
Economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world.
Electronic Warfare
Electronic warfare uses radio electronic and cryptographic techniques to degrade communication. Radio electronic techniques attack the physical means of sending information, whereas cryptographic techniques use bits and bytes to disrupt the means of sending information.
Step 1: Preparation for Incident Handling and Response- Organizations can use one of the three incident response team staffing methods:
Employees- Organizations with sufficient skilled employees follow this approach, where the IH&R team works with no or limited support from third parties.
Partially Outsourced- The organization outsources some of the incident response activities to third-party contractors.
Fully Outsourced- The organization outsources all the incident response activities to third-party contractors.
Sarbanes-Oxley Act (SOX)
Enacted in 2002, the Sarbanes-Oxley Act is designed to protect investors and the public by increasing the accuracy and reliability of corporate disclosures.
Espionage
Espionage involves stealing the proprietary information of any organization and passing the same to other organizations with the motive of negatively impacting its reputation or for some financial benefit.
Recreational Hackers
Hackers who hack to learn and explore, by exploiting or manipulating technology.
Step 1: Preparation for Incident Handling and Response- Incident Responder Toolkit Requirements- Hardware
Hardware
-High-end processor, good amount of RAM, large-capacity IDE and SCSI drives, SCSI card and controller
-Motherboard which supports IDE, SCSI, USB/2, FireWire; slot for LAN/WAN card; laptop hard drive connectors
-Spare RAM and hard disks
-Graphics cards, PCI, and AGP
-Monitor, keyboard, and mouse according to the comfort of the investigator
-Fast DVD-RW, USB, zip drives, and removable drive bays
-Storage media such as CDs, DVDs, USB flash drives, tape drives
-Power extension cords, an uninterruptible power supply (UPS)
-SCSI cables, parallel-to-SCSI adapters, and active terminators
-Category 5 cables, ribbon cables, and hubs
-A permanent marker for labeling evidence
-Operating manuals for all your hardware
-Digital camera, printer, and printer paper
-Secure storage for evidence
Host Threats
Host threats target a particular system on which valuable information resides. Attackers try to breach the security of the information system resource.
A vulnerability assessment may be used to:
-Identify weaknesses that could be exploited
-Predict the effectiveness of additional security measures in protecting information resources from attacks
IDPS
IDPS systems are used to detect suspicious events and log details related to the incidents, such as date and time of detection, type of incident, and source and destination IP addresses. Many IDPS systems generate multiple false-positive alerts; therefore, security analysts need to manually validate these security alerts by reviewing the recorded data from multiple sources.
Step 1: Preparation for Incident Handling and Response- IH&R mission
IH&R mission statements define the purpose and scope of the planned incident handling and response capabilities. Key Points:
-Have an efficient incident handling and response procedure that helps to handle all types of incidents
-Gain the ability to contain and eradicate incidents with the least disruption time and losses
-Adopt state-of-the-art information security standards, processes, methods, and best practices
-Protect digital resources from attacks
Step 1: Preparation for Incident Handling and Response- IH&R Plan
IH&R plan must:
-Address the mission and vision statements
-Meet the goals of the incident response initiative
-Comply with the statement of senior management approval
-Include strategies to achieve set goals and timelines
-Have an organized approach to incident response
-Identify incident response key performance indicators that the organization can use for future reference
-Provide a statement of interoperability
-Add value to other organizational processes
-Make efficient use of all the resources
-Strengthen the organization's security
Step 1: Preparation for Incident Handling and Response- Build IH&R Team
The IH&R team is a group of technically skilled people capable of carrying out various functions, such as threat intelligence, evidence analysis, and investigating the users.
Step 1: Preparation for Incident Handling and Response- IH&R Vision
The IH&R vision statement reflects the organization's mid-term and long-term goals for incident management capabilities. Key Points:
-Secure the organization's resources and data from all types of attacks.
-Win customer trust by eliminating information security hiccups.
-Ensure safety of consumer and client data at all times.
There are several standards developed to implement the risk management process in organizations effectively, such as:
ISO 31000 2009—Risk Management Principles and Guidelines, ISO/IEC 31010:2009—Risk Management—Risk Assessment Techniques, and COSO 2004—Enterprise Risk Management—Integrated Framework.
ISO/IEC 27001:2013
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization.
ISO/IEC 27002:2013- Section 16:
Information security incident management states that information security events, incidents, and weaknesses (including near-misses) should be promptly reported and properly managed
NIST risk management framework- Implement the Security Controls:
Implement security controls within the enterprise architecture using sound system-engineering practices. Apply security configuration settings.
General Data Protection Regulation (GDPR)- Article 33(1)
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
Step 7: Eradication
In the eradication phase, the IH&R team removes or eliminates the root cause of the incident and closes all the attack vectors to prevent similar incidents in future.
Step 4: Notification
In the notification phase, the IH&R team informs various stakeholders, including management, third-party vendors, and clients, about the identified incident.
Risk Assessment
In this phase, all the serious uncertainties associated with the system are assessed, fixed, and permanently eliminated to ensure a flaw-free system. Risk assessment summarizes the vulnerability and risk level identified for each of the selected assets. It determines the risk level for a particular asset, whether high, moderate, or low.
Creating Baseline
In this phase, critical assets are identified and prioritized to create a good baseline for the vulnerability management.
Step 2: Incident Recording and Assignment
In this phase, initial reporting and recording of the incident takes place. This phase handles the identification of an incident, defines proper incident communication plans for the employees, and also includes communication methods such as informing IT support personnel or raising an appropriate ticket.
Step 3: Incident Triage
In this phase, the identified security incidents are analyzed, validated, categorized, and prioritized. The IH&R team further analyzes the compromised device to find incident details such as the type of attack, severity, target, impact, method of propagation, and vulnerabilities it exploited.
Incident Handling and Response Requirements in PCI DSS
Incident Handling and Response Requirements in PCI DSS:
▪ 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
▪ 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
Failure to meet the PCI DSS requirements may result in fines or termination of payment card processing privileges.
Overview of IH&R Process Flow
Incident handling and response combines various cybersecurity processes under a single procedure to combat incidents and gain quicker response; better control and management; ease of communication; improved use of resources; even distribution of tasks; efficient reporting; and so on. Incident handling is like fighting a war, but on the cyber front.
Step 1: Preparation for Incident Handling and Response- Develop IH&R Plan
Incident handling and response plan determines future course of action for establishing, managing, and strengthening incident response capabilities.
Step 1: Preparation for Incident Handling and Response- Build Incident Response Toolkit
Incident responders need a collection of hardware and software tools to detect, validate, contain, and eradicate an incident in time and reduce the impact of the incident. An incident response toolkit must contain:
-Computers with appropriate software tools
-Up-to-date operating systems
-Basic networking equipment and cables
-Application media
-Blank media to store evidence or extract images of the victim devices
-Write-protected backup devices
Importance of IH&R Process
Incidents can happen any day, at any time, and compromise crucial business data, leading to heavy financial and reputational losses. With the rapid increase in threats and incidents, an effective and structured incident handling and response (IH&R) process has become mandatory for every organization.
State-sponsored Attackers
Individuals employed by the government to penetrate and gain top-secret information and to damage information systems of other governments.
Suicide Hackers
Individuals who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment.
Hacktivists
Individuals who promote a political agenda by hacking, especially by defacing or disabling websites.
Industrial Spies
Individuals who try to attack the companies for commercial purposes.
Cyber Terrorists
Individuals with a wide range of skills, motivated by religious or political beliefs to create fear of large-scale disruption of computer networks.
What does an information asset include?
Information assets may include trade secrets, patent information, a simple idea for improvement in the way an organization conducts its business, a new technique, management concept, employee/personnel information, or any other information that if leaked can negatively affect the organization's business environment.
Information Security Attacks
Information security attacks are a major security concern for any organization as they can have a severe impact on the organization's assets, resources, financial records, and other confidential data
Information Security Incident
Information security incident is a network or host activity that impacts the security of information stored on network devices or systems with respect to confidentiality, integrity, and availability. It might be any real or suspected adverse event in relation to the security of computer systems or networks. It is a violation or imminent threat that has the potential to impact computer security policies, acceptable use policies, or standard security practices.
Sarbanes-Oxley Act (SOX)- Titles 1-11
Key requirements and provisions of SOX are organized into 11 titles:
1. Title I: Public Company Accounting Oversight Board (PCAOB) establishes the PCAOB to provide independent oversight of public accounting firms providing audit services ("auditors").
2. Title II: Auditor Independence establishes standards for external auditor independence to limit conflicts of interest, and addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements.
3. Title III: Corporate Responsibility mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports.
4. Title IV: Enhanced Financial Disclosures describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures, and stock transactions of corporate officers.
5. Title V: Analyst Conflicts of Interest consists of measures designed to help restore investor confidence in the reporting of securities analysts.
6. Title VI: Commission Resources and Authority defines practices to restore investor confidence in securities analysts.
7. Title VII: Studies and Reports includes the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing, and others to manipulate earnings and obfuscate true financial conditions.
8. Title VIII: Corporate and Criminal Fraud Accountability describes specific criminal penalties for fraud by manipulation, destruction, or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.
9. Title IX: White-Collar Crime Penalty Enhancement increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.
10. Title X: Corporate Tax Returns states that the Chief Executive Officer should sign the company tax return.
11. Title XI: Corporate Fraud Accountability identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to temporarily freeze large or unusual payments.
OS, Service, Network, and Application Logs
Log details collected from operating systems (OS), services, network, and application reveal crucial information about security incidents such as user accounts accessed, date and time of access, actions performed, IP addresses, and domain names. These logs can be analyzed and correlated to detect suspicious events and generate alerts on security incidents.
Malicious Code or Insider Threat Attacks
A malicious code attack is a type of attack generated by malicious programs such as viruses, Trojan horses, and worms. Insiders can also use malicious code to gain administrative privileges, capture passwords, and alter the audit logs to cover their tracks.
What do information security policies manage?
Manage legal liabilities arising from employees or third parties
Default Passwords
Manufacturers provide default passwords so users can access the device during initial setup, and users need to change the passwords for future use. However, users forget to update the passwords and continue using the default passwords, making devices and systems vulnerable to various attacks such as brute-force and dictionary attacks. Attackers exploit this vulnerability to obtain access to the system. Passwords should be kept secret; failing to protect the confidentiality of a password allows the system to be compromised with ease.
Misconfigurations
Misconfiguration is the most common vulnerability that is mainly caused by human error, which allows attackers to gain unauthorized access to the system. This may happen intentionally or unintentionally, affecting web servers, application platforms, databases, and networks.
Attacks = ?
Motive (Goal) + Method + Vulnerability
NERC 1300 Cyber Security
NERC 1300 Cyber Security is the standard to reduce risks to the reliability of the bulk electric systems from any compromise of critical cyber assets. This cybersecurity standard applies to entities performing the Reliability Authority, Balancing Authority, Interchange Authority, Transmission Service Provider, Transmission Owner, Transmission Operator, Generator Owner, Generator Operator, and Load Serving Entity.
NIST Special Publication 800-61
National Institute of Standards and Technology (NIST) special publication 800-61 provides step-by-step instructions for new, or well-established, incident response teams to create a proper policy and plan. NIST recommends that each plan should have a mission statement, strategies and goals, an organizational approach to incident response, metrics for measuring the response capability, and a built-in process for updating the plan as needed.
Information obtained from the vulnerability scanner includes:
-Network vulnerabilities
-Open ports and running services
-Application and services vulnerabilities
-Application and services configuration errors
Promiscuous Policy
No restrictions on usage of system resources
Network Devices
Not changing the default settings while deploying the network devices allows the attacker to guess the settings in order to break into the systems.
Step 9: Post-Incident Activities
Once the process is complete, the security incident requires additional review and analysis before closing the process. Conducting the final review is an important step in the IH&R process, which includes:
o Incident documentation
o Incident impact assessment
o Review and revise policies
o Close the investigation
o Incident disclosure
Open Services
Open ports and services may lead to loss of data, DoS attacks, and allow attackers to perform further attacks on other connected devices.
Common Targeted Assets
Organizational assets must be prioritized in order to protect them against unauthorized access and data exfiltration.
Step 1: Preparation for Incident Handling and Response- Determine the Need for IH&R Processes
Organizations determine the need for an incident handling and response (IH&R) process based on the current security scenario, risk perception, business advantages of having such processes, legal compliance requirements, organizational policies, previous incidents, and so on.
Step 1: Preparation for Incident Handling and Response- IH&R Team Models
Organizations must plan and structure the IH&R team model based on risks, criticality of resources, type of services, availability of incident response resources, number of members in team, security evaluation report, vision, mission as well as goals for risk analysis and containment.
Threat contextualization
Organizations need to develop strategies for gaining contextual threat information that helps to deter, prevent, detect, or respond to various cyberattacks in a time efficient manner.
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data.
Phishing
Phishing is the practice of sending an illegitimate email falsely claiming to be from a legitimate site in an attempt to acquire a user's personal or account information.
Permissive Policy
Policy begins wide open and only known dangerous services/attacks or behaviors are blocked. It should be updated regularly to be effective
Step 1: Preparation for Incident Handling and Response- Develop IH&R Policy
Policy is a set of guidelines used to achieve goals and objectives of incident response initiative set by the IH&R plan.
Pre-Assessment Phase: Creating a Baseline
Pre-assessment phase refers to the preparatory phase, which includes defining policies and standards, defining the scope of assessment, designing appropriate information protection procedure, and identifying and prioritizing the critical assets to create a good baseline for vulnerability management.
There are two categories of incident signs
Precursor and Indicator
Precursors
Precursors indicate the possibility of occurrence of a security incident in future
Step 1: Preparation
The preparation phase includes performing an audit of the resources and assets to determine the purpose of security and defining the rules, policies, and procedures that drive the IH&R process. It also includes building and training an incident response team, defining incident readiness procedures, gathering required tools, and training the employees to secure their systems and accounts.
ISO/IEC 27035-1:2016
-Presents basic concepts and phases of information security incident management
-Combines these concepts with principles in a structured approach for detecting, reporting, assessing, and responding to incidents, and applying lessons learnt
Organized Hackers
Professional hackers having an aim of attacking a system for profits.
Purpose of IH&R process is to:
-Protect networks and systems
-Ensure timely handling of incidents
-Ensure gathering of appropriate information
-Identify false positives
-Efficiently use resources
-Address legal issues
-Comply with local and international guidelines
-Train and protect personnel
-Develop comprehensive documentation
Psychological Warfare
Psychological warfare is the use of various techniques such as propaganda and terror to demoralize one's adversary in an attempt to succeed in the battle.
Ransomware
Ransomware restricts access to the computer system's files and folders and demands an online ransom payment to the malware creator(s) in order to remove the restrictions.
Cost of an Incident
Refers to the sum of the total amount lost due to the attack and the amount spent on recovering from the incident.
Monitor
Regular monitoring needs to be performed to maintain system security, using tools such as IDS/IPS and firewalls. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved.
Risk Assessment
Refers to identification of risks, estimation of impact, and determining sources to recommend proper mitigation measures.
Step 1: Preparation for Incident Handling and Response- IH&R Team Staffing
The selection of a skilled team is crucial for an effective incident response.
Risk Mitigation Strategies
Risk mitigation includes all possible solutions for reducing the probability of the risk and limiting the impact of the risk if it occurs. The purpose of this step is to identify the mitigation strategies for the risks that fall outside the department's risk tolerance and provide an understanding of the level of risk with controls and treatments. It identifies the priority order in which individual risks should be mitigated, monitored, and reviewed. Risk Mitigation Strategies:
1. Risk Assumption
2. Risk Avoidance
3. Risk Limitation
4. Risk Planning
5. Research and Acknowledgment
6. Risk Transference
What is Risk?
Risk = Threat x Vulnerability
SIEM
Security information and event management (SIEM) systems are similar to IDPS systems, but they collect log data from multiple sources, analyze the log data, and generate alerts based on the analysis.
Information Security Policies
Security policies are the foundation of the security infrastructure; they define the basic security requirements and rules to be implemented in order to protect and secure an organization's information systems.
Step 1: Preparation for Incident Handling and Response- Setting Up a Computer Forensics Lab Part 2
Setting up a forensics lab includes:
-Planning and budgeting
-Physical location and structural design considerations
-Work area considerations
-Human resource considerations
-Physical security recommendations
-Forensics lab licensing
Step 1: Preparation for Incident Handling and Response- Incident Responder Toolkit Requirements- Software
Software
-Operating systems such as Windows 10, Windows Server 2016, Linux / Unix / Mac OS X
-Installed drivers for all of the hardware
-Forensics software such as EnCase
-Imaging tools such as R-Drive Image
-Programming language applications
-Graphics tools
-Specialized viewers
-Hashing tools
-File recovery programs
-Encryption decoding software
-Password cracking software
-Miscellaneous software
NIST Risk Management Framework Stages
The six stages of the framework are: 1. Categorize 2. Select 3. Implement 4. Assess 5. Authorize 6. Monitor
IH&R Process Flow- Step 1
Step 1: Preparation for Incident Handling and Response. The first phase of IH&R is to prepare to face the security issues. Preparation includes performing an audit of the resources and assets to determine the purpose of security, defining the rules, policies, and procedures that drive the IH&R process, building and training an incident response team, defining incident readiness procedures, gathering required tools, and training the employees to secure their systems and accounts.
IH&R Process Flow- Step 2
Step 2: Incident Recording and Assignment. The preparation phase is followed by the incident recording and assignment phase, where the initial reporting and recording of the incident takes place. This phase handles the identification of an incident and defines a proper incident communication plan for employees, which can include communication methods such as informing IT support personnel or raising an appropriate ticket. When a user or employee reports suspicious behavior of his/her system to the IT support staff, they raise a ticket or token about the irregular behavior and assign a member of the incident response team to analyze the issue. Based on the ticket or the IT professional's intimation, the IH&R team will look into the issue; if it qualifies as an incident, an IH&R team will be assigned and the compromised device will be sent to the incident handling and response team for further investigation, else the issue will be considered resolved and the ticket will be closed.
IH&R Process Flow- Step 3
Step 3: Incident Triage. In this phase, the incident will be analyzed and validated. The incident will also be categorized and prioritized in this phase. The notification phase follows. The IH&R team will further analyze the compromised device to find incident details such as the type of attack, severity, target, impact, method of propagation, and vulnerabilities it exploited. These details will help the IH&R team gauge its impact and determine the priority for solving it. This will also help them detect other targets of the incident and contain it by applying different techniques.
IH&R Process Flow- Step 4
Step 4: Notification. In the notification phase, the incident information is communicated to various stakeholders, including management, third-party vendors, and clients. As soon as the incident is confirmed and validated, the incident handlers will communicate the issue to management to gain the necessary approvals and permissions.
IH&R Process Flow- Step 5
Step 5: Containment The containment phase follows, running simultaneously with the notification phase, and here the IH&R team will contain the incident. Containment of an incident is a very crucial phase, and it has to be performed in order to stop the infection from spreading to other organizational assets. It helps the organization stop the spread of a live attack as well as reduce the damage and losses.
IH&R Process Flow- Step 6
Step 6: Evidence Gathering and Forensic Analysis After the containment phase comes the evidence gathering phase, where the IH&R team will work on evidence gathering. They accumulate all the possible evidence related to the incident and submit it to the forensic department in order to investigate the gathered evidence. Analysis of an incident would reveal details, such as the method of attack, vulnerabilities exploited, security mechanisms evaded, network devices infected, and applications compromised, that have acted as pathways to the incident. Using this information about the incident, the IH&R team can eradicate the incident and prevent its occurrence in the future by blocking its propagation methods.
IH&R Process Flow- Step 7
Step 7: Eradication Next will be the eradication phase, where the IH&R team will remove or eliminate the root cause of the incident and close all the attack vectors to prevent similar incidents in the future. Eradication methods may include patching of vulnerabilities, replacement of malfunctioning devices, and installation of better security mechanisms, including malware signatures.
IH&R Process Flow- Step 8
Step 8: Recovery After eliminating the causes of the incident, the IH&R team is responsible for restoring the affected systems, services, resources, and data through recovery. It is the responsibility of the incident response team to ensure that there is no disruption to the services or business of the organization owing to the incident. Therefore, they need to recover the compromised devices, applications, systems, or terminals as soon as possible, either by replacing them or by fixing the issue quickly.
IH&R Process Flow- Step 9
Step 9: Post-Incident Activities By this stage, the incident will be contained, and the systems will be recovered. All the tasks that are to be performed by the IH&R personnel after this stage fall under post-incident activities, such as incident documentation, incident impact analysis, review and revision of policies, and incident disclosure.
o Incident Documentation The incident responders will have to document the complete process, starting from detection to recovery. This document will serve as a future reference for understanding the practices employed to handle the incident, presenting the report to legal counsel, submitting it to management, assessing the loss, reviewing the policies, making changes to the security, and reframing the user protocols for establishing a more secure network.
o Incident Impact Assessment After completing the formal process of incident handling and response, from incident recording till documentation, the IH&R team will perform the incident impact analysis where, by analyzing all the information, they will assess the impact of the damage or loss caused by the incident to the organization and its assets.
o Review and Revise Policies After assessing the impact caused, the IH&R team will review and revise the policies, preparation and protection procedures, security controls, and so on for preventing future incidents. They will also share the identified threat information with the threat intelligence teams.
o Close the Investigation By this phase, the incident will have been thoroughly investigated and documented, and the appropriate policies reviewed and revised. The investigation is on the verge of its end and will be terminated officially in this phase. The incident evidence retention policy will be planned and implemented in this phase.
o Incident Disclosure After identifying the impact of the incident, the IH&R team will close the incident. After closing the incident formally, the IH&R team will discuss with management whether to disclose the details of the incident to the public communities, customers of the organization, media, industry intelligence, and so on. Additionally, the incident handlers are also responsible for communicating the issue to other departments of the organization, such as the legal, human resources, and forensics departments.
5 key principles of COBIT
The COBIT Framework is based on five key principles for the governance and management of enterprise IT:
▪ Meeting stakeholder needs
▪ Covering the enterprise end-to-end
▪ Applying a single, integrated framework
▪ Enabling a holistic approach
▪ Separating governance from management
The Digital Millennium Copyright Act (DMCA) Titles
The DMCA contains five titles:
▪ Title I: WIPO TREATY IMPLEMENTATION Title I implements the WIPO treaties. First, it makes certain technical amendments to US law in order to provide appropriate references and links to the treaties. Second, it creates two new prohibitions in Title 17 of the US Code, one on circumvention of technological measures used by copyright owners to protect their works and one on tampering with copyright management information, and adds civil remedies and criminal penalties for violating the prohibitions.
▪ Title II: ONLINE COPYRIGHT INFRINGEMENT LIABILITY LIMITATION Title II of the DMCA adds a new section 512 to the Copyright Act to create four new limitations on liability for copyright infringement by online service providers. The limitations are based on the following four categories of service provider conduct:
o Transitory communications
o System caching
o Storage of information on systems or networks at the direction of users
o Information location tools
New section 512 also includes special rules concerning the application of these limitations to nonprofit educational institutions.
▪ Title III: COMPUTER MAINTENANCE OR REPAIR Title III of the DMCA allows the owner of a copy of a program to make reproductions or adaptations when necessary to use the program in conjunction with a computer. The amendment permits the owner or lessee of a computer to make or authorize the making of a copy of a computer program in the course of maintaining or repairing that computer.
▪ Title IV: MISCELLANEOUS PROVISIONS Title IV contains six miscellaneous provisions: the first clarifies the authority of the Copyright Office; the second grants an exemption for the making of "ephemeral recordings"; the third promotes distance education; the fourth provides an exemption for nonprofit libraries and archives; the fifth adds webcasting amendments to the Digital Performance Right in Sound Recordings; and the sixth addresses concerns about the ability of writers, directors, and screen actors to obtain residual payments for the exploitation of motion pictures in situations where the producer is no longer able to make these payments.
▪ Title V: PROTECTION OF CERTAIN ORIGINAL DESIGNS Title V of the DMCA is entitled the Vessel Hull Design Protection Act (VHDPA). It creates a new system for protecting original designs of certain useful articles that make the article attractive or distinctive in appearance. For purposes of the VHDPA, "useful articles" are limited to the hulls (including the decks) of vessels no longer than 200 feet.
The Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act (DMCA) is a US copyright law that implements two 1996 treaties of the World Intellectual Property Organization (WIPO): the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. It defines legal prohibitions against circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information in order to implement US treaty obligations.
General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
Best Practices: ENISA Source: https://www.enisa.europa.eu
The European Network and Information Security Agency (ENISA) provides, among many other activities related to IT security in the European Union, reference materials, good practice guides, and exercise material for CERTs. ENISA also regularly supports CERT training activities in Europe, such as TRANSITS.
Federal Information Security Management Act (FISMA)
The Federal Information Security Management Act of 2002 (FISMA) concerns several key security standards and guidelines required by Congressional legislation. The FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule permits the disclosure of health information needed for patient care and other important purposes. The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.
ISO/IEC 27002 Source: https://www.iso.org
The ISO/IEC 27002 is a standard framework that provides recommendations for implementing information security controls for organizations that initiate, implement, or maintain information security management systems (ISMS).
ISO/IEC 27035 Source: https://www.iso.org
ISO/IEC 27035 is a standard for "Information Security Incident Management" which defines recommendations and best practices for developing an efficient incident management plan and allows organizations to prepare for incidents. This standard is divided into three parts:
▪ ISO/IEC 27035-1:2016 Principles of incident management
▪ ISO/IEC 27035-2:2016 Guidelines to plan and prepare for incident response
▪ ISO/IEC 27035-3 Guidelines for incident response operations (draft)
NIST Special Publication 800 Series
NIST's Special Publication (SP) 800 series consists of information regarding computer security. This series includes best practices, guidelines, recommendations, technical details, and annual reports of NIST's cybersecurity activities. SP 800 publications address and support the security and privacy needs of US Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST SP 800-86 covers integrating forensic techniques into the incident response process, while NIST SP 800-61 Rev. 2 is a computer security incident handling guide.
The Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.
Standard of Good Practice from Information Security Forum (ISF)
The Standard of Good Practice for Information Security 2018 (the Standard) provides a business-orientated focus on current and emerging information security topics. This includes enhanced coverage of the following hot topics: agile system development, alignment of information risk with operational risk, collaboration platforms, industrial control systems (ICS), information privacy, and threat intelligence. With its comprehensive coverage of information security controls and information risk-related guidance, it provides business leaders and their teams with an internationally recognized set of good practices. By implementing the Standard, it helps organizations to:
▪ Be agile and exploit new opportunities, while ensuring that associated information risks are kept within acceptable levels
▪ Respond to rapidly evolving threats, including sophisticated cyberattacks, using threat intelligence to increase cyber resilience
▪ Identify how regulatory and compliance requirements can best be met
The Standard, along with the ISF Benchmark, the ISF's comprehensive security control assessment tool, provides complete coverage of the topics set out in ISO/IEC 27002:2013, NIST Cybersecurity Framework, CIS Top 20, PCI DSS, and COBIT 5 for Information Security.
Best Practices: GPG18 and Forensic readiness planning (SPF) Source: https://www.ncsc.gov.uk
The aim of this Good Practice Guide (GPG) is to provide advice on good practice that can help to define and implement an approach to the development of forensic readiness policy and associated planning and practice activities. The guidance provided is generic and includes information on how it can be applied to suit the requirements of individual organizations.
Signs of an incident refer to?
The alerts, warnings, reports, complaints, and issues that represent an ongoing or completed security attack on an organization or its resources.
Working of Incident Response Orchestration
The diagram shown on the above slide illustrates the working of incident response orchestration usually employed in organizations. As depicted in the diagram, it can be observed that orchestration plays a vital role in the security operations center (SOC) starting from escalation to security incident enrichment to mitigation strategies. The incidents that are escalated from security alerts are stored automatically in the incident response platform (IRP) and are automatically gathered by the automatic enrichment platform. This platform performs analysis using built-in threat intelligence data and other additional sources on the gathered incidents and delivers valuable incident information. At this step, security responders have critical information about incidents and can initiate the mitigation strategies by notifying the IT help desk or by denying users access from identity management. The responders can further use additional features to manually take on certain actions regarded as critical and gather additional information about the incident manually from other security tools.
Step 1: Preparation for Incident Handling and Response- IH&R Team Placement in an Organization
The incident response team, also called the computer security incident response team (CSIRT), plays a very important role in the organization.
- Maintaining such a team separately can involve huge costs and other resources.
- Organizations use their current employees, who are experts in their field, to be part of the CSIRT, apart from having a few dedicated members.
- A CSIRT can include network and system administrators, managers, stakeholders, employees, security operations center analysts, and so on.
Federal Information Processing Standards (FIPS) 200
The minimum security requirements cover seventeen security-related areas with regard to protecting the confidentiality, integrity, and availability of federal information systems and the information processed, stored, and transmitted by those systems.
Step 1: Preparation for Incident Handling and Response- IH&R Team Selection Factors
The organization must consider the following factors when selecting the members of an incident response team:
1. Needed availability
2. Resource availability
3. Full-time versus part-time team members
4. Employee morale
5. Cost/budget
6. Staff expertise
7. Organizational structure
Case Creation
The process includes tools that create cases with a single click and the details of detection, containment, and eradication method applied.
Hacker Warfare
The purpose of this type of warfare can vary from shutdown of systems, data errors, theft of information, theft of services, system monitoring, false messaging, and access to data. Hackers generally use viruses, logic bombs, Trojan horses, and sniffers to perform these attacks.
Step 7: Risk Determination
The risk determination of a specific threat or vulnerability can be defined as a function of:
1. The likelihood rating of a threat source trying to exploit a vulnerability
2. The impact caused after the threat source successfully exploits the vulnerability
3. The capability of current or planned security controls for eradicating or minimizing the risk
To measure the risk, it is important to define the risk levels and risk matrix.
Seventeen Security-Related Areas of FIPS 200
The security-related areas include:
1. Access control
2. Awareness and training
3. Audit and accountability
4. Certification, accreditation, and security assessments
5. Configuration management
6. Contingency planning
7. Identification and authentication
8. Incident response
9. Maintenance
10. Media protection
11. Physical and environmental protection
12. Planning
13. Personnel security
14. Risk assessment
15. Systems and services acquisition
16. System and communications protection
17. System and information integrity
Auto Updates
The systems and devices can gather updates from various sources, as the threat landscape evolves, and alert the responders to make changes accordingly.
Information Warfare
The term "information warfare" or InfoWar refers to the use of information and communication technologies (ICT) to gain competitive advantages over an opponent.
Cyber Warfare
The use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare and includes information terrorism, semantic attacks (similar to Hacker warfare, but instead of harming a system, it takes the system over and the system will be perceived as operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use).
What two types of security policies are there?
There are two types of security policies: technical security and administrative security policies.
Third-Party Monitoring Services
Third-party monitoring services such as fraud detection systems will notify an organization if any of the IP addresses or domain names belonging to the organization is misused to perform attacks on other organizations.
Vulnerability Assessment phase
This is a very crucial phase in vulnerability management. In this step, the security analyst identifies the known vulnerabilities in the organization's infrastructure.
NIST risk management framework- Categorization of the Information System:
This is the initial stage of the NIST risk management framework, which involves defining the criticality or sensitivity of the information system according to the potential worst-case scenario. This shows the adverse impact on the mission or the business.
Risk Assumption
This method implements controls to reduce the risk and bring it to an acceptable level, or accepts the potential risk and continues operating the IT system.
Step 5: Containment
This phase helps in preventing the spread of infection to other organizational assets. It helps the organization in preventing additional damage.
Verification
This phase provides clear visibility into the firm and allows the security team to check whether all the previous phases have been properly carried out. Verification can be performed by using various means such as ticketing systems, scanners, and reports.
Special-Access Policy
This policy defines the terms and conditions of granting special access to system resources.
Risk Limitation
This procedure implements controls that limit the adverse impact of a threat exercising a vulnerability. Example: use of supporting, preventive, and detective controls.
ISO/IEC 27035-2:2016
This provides guidelines to plan and prepare for incident response:
o Information security incident management policy and commitment of top management
o Information security policies, including those relating to risk management, updated at both the corporate level and the system, service, and network levels
o Information security incident management plan
o Incident response team (IRT) establishment
o Establishment of relationships and connections with internal and external organizations
o Technical and other support (including organizational and operational support)
o Information security incident management awareness briefings and training
o Information security incident management plan testing
Insider Threat
A threat that originates from people within the organization, such as disgruntled employees, terminated employees, and undertrained staff.
Risk Transference
Transferring the risk with the help of other options in order to be compensated for losses that occur, such as purchasing insurance and making claims when there are losses.
To manage incidents properly, the organization must foresee the risks it is facing and manage them. True or False?
True
Unauthorized Access
Unauthorized access refers to the process of obtaining illegal access to the systems or network resources to steal or damage information.
Risk Management Plan Evaluation
Update the risk management plan on a regular basis as risks can change due to the change in business strategies, policies, and operations.
Active Assessment
Uses a network scanner to find hosts, services, and vulnerabilities.
Viruses and Worms
Viruses and worms are the most prevalent networking threats and are capable of infecting a network within seconds.
Network Infrastructure
Vulnerabilities exist due to inherent weaknesses in the OS, printers, scanners, or other networking equipment or protocols, such as SMTP, FTP, and ICMP.
Applications
Vulnerabilities in applications often lead to buffer overflow attacks, sensitive information disclosure, cross-site scripting, session hijacking, and so on.
Configuration Files
Vulnerabilities in configuration files may lead to unauthorized access to administration interfaces, configuration stores, and retrieval of clear text configuration data.
Operating System
Vulnerabilities like buffer overflow, bugs in operating system, and unpatched operating system can be exploited by attackers.
Design Flaws
Vulnerabilities that are caused due to design flaws are universal to all operating devices and systems. Design vulnerabilities such as incorrect encryption or poor validation of data refer to logical flaws in the functionality of the system that are exploited by the attackers to bypass the detection mechanism and acquire access to a secure system.
Step 6: Impact Analysis
While conducting impact analysis, qualitative and quantitative assessments are taken into account:
* Qualitative impact analysis prioritizes the risks involved and identifies the immediate improvement areas
* Quantitative impact analysis provides a measurement of the impact's magnitude, which in turn is used for cost-benefit analysis of the recommended controls
Buffer overflows
are common software vulnerabilities that happen due to coding errors allowing attackers to get access to the target system.
Default installations
are usually kept user friendly, especially when the device is being used for the first time, as the primary concern is usability of the device rather than the device's security.
It recognizes, measures, and classifies security vulnerabilities in a ___________________________________________________________________________________________
computer system, network, and communication channels
Threat correlation
helps organizations to monitor, detect, and escalate various evolving threats from the organizational networks.
Threat intelligence helps an organization________________________ various business risks by converting unknown threats into known threats and helps in implementing various advanced and proactive defense strategies
identify and mitigate
Data Protection Act 2018
information relating to individuals, in connection with the Information Commissioner's functions under certain regulations relating to information, for a direct marketing code of practice, and for connected purposes. It provides protection of personal data in the following way:
▪ The GDPR, the applied GDPR, and this Act protect individuals with regard to the processing of personal data, in particular by:
o Requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis
o Conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified
o Conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions
▪ When carrying out functions under the GDPR, the applied GDPR, and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers, and others, and matters of general public interest.
Threat Assessment is a process where the knowledge of ___________and _______________________ or vulnerabilities pertinent to a particular organization is matched to real-world attacks
internal and external threat information
Impact analysis
involves estimating the adverse impact caused due to the exploitation of the vulnerability by the threat source
Incident handling and response (IH&R)
is a process of taking organized and careful steps when reacting to a security incident or cyberattack.
NIST Risk Management Framework
is a structured and continuous process which integrates information security and risk management activities into the system development life cycle (SDLC).
Post-assessment phase
is also known as the recommendation phase, which is performed after the risk assessment. Post-assessment is based on the risk assessment. Risk characterization is categorized by the key criteria, which helps to prioritize the list of recommendations.
Vulnerability assessment
is an examination of the ability of a system or application, including current security procedures and controls, to withstand assault.
Vulnerability management life cycle
is an important process that helps in finding and remediating security weaknesses before they are exploited. This includes defining the risk posture and policies for an organization, creating a complete asset list of systems, scanning and assessing the environment for vulnerabilities and exposures, and taking action to mitigate the vulnerabilities that are found.
Threat actors could be a person, or an organization, having an intention to carry out an incident that can have a _________________________on the safety of an organization's infrastructure or systems
malicious or benign effect
The digitalization of these critical assets, advancement in internet technology, and increased sophistication of cyberattacks have put the ______________________________ at high risk.
organizational assets
Estimation of the expected losses after an incident helps _______________ and _____________ their incident response
organizations in prioritizing formulating
Performing regular threat assessment to its infrastructure can allow an organization to _______________ from evolving cyber threats
protect its assets
Incident handlers can ________________________ existing in the resources by performing online research
research for vulnerabilities
Risk is the potential loss, damage, or destruction as a _____________________ on an organizational asset.
result of a successful attack
Some of the additional risk assessment and management tools are......
▪ A1 Tracker (http://www.a1tracker.com)
▪ Risk Management Studio (https://www.riskmanagementstudio.com)
▪ IsoMetrix (https://www.isometrix.com)
▪ Sword Active Risk (https://www.sword-activerisk.com)
▪ iTrak (https://www.iviewsystems.com)
▪ Certainty Software (https://www.certaintysoftware.com)
▪ Resolver's ERM software (https://www.resolver.com)
▪ Isolocity (https://www.isolocity.com)
▪ Enablon (https://enablon.com)
General Data Protection Regulation (GDPR) - Article 32
▪ Article 32: Technical and organizational measures need to provide:
o The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
o The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
o A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
The recommended practices for incident management include....
▪ Define the roles and responsibilities of the various members of the incident response team in a clear and concise manner
▪ Ensure proper training of the Incident Response Team (IRT) as per the objectives of the incident management plan
▪ Implement strong objectives for collecting evidence and storing it safely
▪ Define objectives for providing incident handling reports to internal stakeholders, partners, vendors, law enforcement, and so on
Advantages of Incident Response Orchestration (Tools)
▪ Detect and Alert
▪ Analysis
▪ Automated Response
▪ Auto Updates
▪ Integrated Response
▪ Remote Control
▪ Case Creation
▪ Contain and Eradicate
Motives behind information security attacks
▪ Disrupting business continuity
▪ Performing information theft
▪ Manipulating data
▪ Creating fear and chaos by disrupting critical infrastructures
▪ Bringing financial loss to the target
▪ Propagating religious or political beliefs
▪ Achieving the state's military objectives
▪ Damaging the reputation of the target
▪ Taking revenge
▪ Demanding ransom
▪ Fun/thrill/exploration
Information security systems in an organization might require more attention in what terms of security?
▪ Encryption mechanisms
▪ Access control devices
▪ Authentication systems
▪ Firewalls
▪ Antivirus systems
▪ Websites
▪ Gateways
▪ Routers and switches
The following people perform incident management activities....
▪ Human resources personnel can take steps to fire employees suspected of harmful computer activities.
▪ Legal counsel sets the rules and regulations in an organization. These rules can influence the internal security policies and practices of the organization in case an insider or an attacker uses the organization's systems for harmful or malicious activities.
▪ The firewall manager keeps filters in place where DoS attacks are made frequently.
▪ An outsourced service provider repairs systems infected by viruses and malware.
Advantages of Incident Handling and Response
▪ Identify crucial data and resources that require protection
▪ Develop an incident readiness strategy for prediction of future threats and attacks
▪ Prepare to monitor different resources and attack vectors
▪ Frame and implement security and usage policies
▪ Create a centralized communication plan
▪ Find the vulnerabilities and the risks they can result in
▪ Build the ability to prevent crimes
▪ Reduce the impact of incidents
▪ Reduce the incident cost and investigation cost
▪ Easy detection and containment of incidents
▪ Prevent similar incidents in the future
▪ Reduce reputational risks caused by incidents and grow client and investor confidence
▪ Comply with standards as well as local and international laws and regulations
▪ Gain confidence to face incidents efficiently
▪ Gain trust among customers, partners, and vendors
▪ Develop good coordination among the employees of the organization and with other organizations' security teams
▪ Increase efficiency and productivity throughout the organization
The purpose of the incident management process......
▪ Improves service quality
▪ Resolves problems proactively
▪ Reduces impact of incidents on business/organization
▪ Meets service availability requirements
▪ Increases staff efficiency and productivity
▪ Improves user/customer satisfaction
▪ Assists in handling future incidents
Legal and Jurisdictional Issues when Dealing with an Incident
▪ Law enforcement agencies should be contacted through the designated individuals
▪ Incidents should be handled with the requirements of the law and the organization's procedures
▪ Organizations should not contact multiple agencies because it might result in jurisdictional conflicts
▪ Consult lawyers if an illegal act has occurred and if there are reporting responsibilities
▪ Reporting to law enforcement changes the character of the evidence handling process, such as:
o Evidence can be subpoenaed by courts
o Perpetrators and their lawyers can get access to it in the trial
o Evidence gathering process and all actions and documentation of the investigations may also be accessible to the other party during litigation
COBIT helps enterprises of all sizes to:
▪ Maintain high-quality information to support business decisions
▪ Achieve strategic goals and realize business benefits through the effective and innovative use of IT
▪ Achieve operational excellence through reliable and efficient application of technology
▪ Maintain IT-related risk at an acceptable level
▪ Optimize the cost of IT services and technology
▪ Support compliance with relevant laws, regulations, contractual agreements, and policies
There are 12 significant principles that organizations should observe as part of adoption of forensic readiness policy, which are as follows:
▪ Principle 1: Organizations must develop and implement a forensic readiness policy in order to comply with SPF MR 9. It is also strongly recommended that all other organizations within the wider public sector either develop or adopt and implement such a policy.
▪ Principle 2: Forensic readiness policy should be owned at a director level within an organization.
▪ Principle 3: Organizations should have a recognized and consistent point of contact for establishing and maintaining relationships during planning and exercises, and to act as a focal point during investigations or crisis management. The point of contact should work closely with the organization's legal department and other relevant stakeholders during every stage of each investigation.
▪ Principle 4: Forensic readiness policy requirements and the supporting capability should be defined with regard to the level of information risk or actual business needs to undertake digital forensic investigations.
▪ Principle 5: Organizations should adopt a scenario-based forensic readiness planning approach that learns from experience gained within the business.
▪ Principle 6: Organizations should closely integrate forensic readiness plans with incident management and other related business planning activities.
▪ Principle 7: Investigations should seek to produce the best standard of digital forensic evidence. Practitioners should adopt the principles published by the Association of Chief Police Officers (ACPO).
▪ Principle 8: Any internal or external digital forensic capability employed by an organization should apply formal quality assurance processes, and all staff involved in handling evidence during investigations should have an appropriate degree of competence.
▪ Principle 9: Organizations should maintain the quality and effectiveness of their records management systems in order that specific business records can be produced as evidence in court or to address any legal or regulatory requirement.
▪ Principle 10: Organizations should provide appropriate records retrieval processes and mechanisms in order that any requirement to disclose information can be efficiently and securely dealt with. Such disclosures must be handled in accordance with all relevant legislation and regulations.
▪ Principle 11: An open and collaborative approach should be adopted within organizations, wherever possible, to gain acceptance of methods used to support investigations and incident handling. All methods of investigation and detection of information security incidents must be lawful.
▪ Principle 12: Organizations should have a management review process that improves plans in accordance with experience and new knowledge.
The FISMA framework includes:
▪ Standards for categorizing information and information systems by mission impact
▪ Standards for minimum security requirements for information and information systems
▪ Guidance for selecting appropriate security controls for information systems
▪ Guidance for assessing security controls in information systems and determining security control effectiveness
▪ Guidance for the security authorization of information systems
Incident management includes the following.....
▪ Vulnerability analysis
▪ Artifact analysis
▪ Security awareness training
▪ Intrusion detection
▪ Public or technology monitoring
Following are some of the good practices provided by ENISA for incident handling:
▪ Workflow: It is good practice to organize periodic (for example, twice a year) workshops to develop and review a common incident handling workflow.
▪ Incident Handling Process: Organizations should start with the simple model and then, as the team becomes more experienced, develop the procedure further.
▪ Legal Officer: It is good practice to train one or a few team members in the most important legal aspects related to incident activities.
▪ Incident Report:
o Use network monitoring systems (for example, intrusion detection systems or any other threat monitoring systems) to actively look for incidents in the organizational network
o Subscribe to services which provide information about compromised machines
o Monitor blacklists for records from the location where the organization operates
▪ Incident Verification: The Cyber Emergency Response Team (CERT) should answer with some explanation of what scanning or probing is, why incident handlers do not handle it, and what to do to avoid successful attacks on the network of the incident reporter. This can also be a good method for building awareness within the geographic location of an organization. Incident handlers should archive all the reports that are rejected by an organization, as any of the rejected reports could lead to an incident or may provide useful information for other incidents.
Reject an incident report when:
o It has nothing to do with the constituency of the organization
o An incident reporter expects services from the incident handler that can't be delivered
o It is not an incident, or at least not one by the organizational definition
Ignore an incident report when:
o It has been reported anonymously or by an untrusted or unreliable party
▪ Final Classification:
o Classify incidents according to what is reported by incident reporters
o Classify incidents according to what is recognized by incident handlers at the very beginning of the incident handling process
▪ Policies: Next to creating and using policies, a quality review process should be in place. The feedback on policies is then used and incorporated into the existing policies to make sure these policies are up to date.
▪ Entry and Exit Procedures: As CERT personnel are hard to get, organizations should make sure that new people are brought up to speed quickly and have enough challenges and variety in their jobs to ensure the organizations can retain them. Organizations should also ensure that when CERT personnel leave, proper actions are taken. Exit procedures should always be followed without question. The exit procedures should aim at the following:
o Removing access to systems with confidential information (changing passwords, revoking certificates and keys, blocking accounts, and so on)
o Logging the actions of the employee leaving
o Backing up all of their work
o Revoking their roles in incident management
o Interviewing to hand over to the next person
o Performing an exit interview to learn for the future
o Announcing the staff change to constituents, parent organization, and other teams
▪ Eradication and Recovery: If there are doubts whether the problem is eradicated and service is recovered, it is good practice to check and verify as much as possible and/or get a positive confirmation from each party that in their opinion everything is operating normally again.
Eradication of Malware Incidents
▪ Content Filtering Tools: Use the static characteristics of the malware, such as strings and loaders, as filters to block the malware from entering the systems, servers, emails, and other propagation elements
▪ Network Security Devices: Add the malware signature to the network security devices such as firewalls and IPS to stop it from breaching the organization perimeter
▪ Blacklist: Block the harmful URLs, IP addresses, and email IDs that have acted as sources for the spread of malware. Blacklist the services, programs, applications, and executables that install malware onto the system
▪ Antivirus Tools: Update the antivirus tools to detect the newly found malware using signature-, string-, or heuristics-based techniques
▪ Updating the Malware Database: Add the hash sums of the malware to the online and offline databases for the organization's future reference as well as for public recognition
▪ Fixing Devices: Update the browsers, applications, and operating systems, and patch the vulnerabilities that the malware had exploited as entry points
▪ Manual Scan: Run a full scan of the compromised system with an updated antivirus program to remove the malicious code, binaries, and the related registry entries
Eradication of Malware Incidents: Employee Awareness
▪ Organizations should make employees aware of malware best practices such as:
▪ Do not open suspicious emails or attachments or click hyperlinks
▪ Do not click on web browser pop-up windows
▪ Do not open files with file extensions such as .bat, .com, .exe, .pif, .vbs
▪ Enable security applications such as antivirus software, content filtering software, reputation software, and personal firewall
▪ Do not allow unauthorized personnel to use administrator-level accounts
▪ Do not download or execute applications from third-party sources
Eradication of Malware Incidents: Usage Policy
▪ Organizations must address malware prevention concerns while defining policies such as acceptable usage policies, along with separate malware policies. The organization must include the following:
▪ Scan all types of media before connecting them to the internal systems
▪ Scan all email attachments before opening
▪ Restrict users from installing programs
▪ Prohibit the use of removable media devices
Recovery after Malware Incidents
▪ Wipe the hard disks and other impacted portable storage media such as memory cards and USB drives
▪ Reimage and rebuild the compromised systems from scratch to avoid the presence of malicious code
▪ Restore the backups of the system only after ensuring that the backup data has no traces of malware by testing it with updated antivirus software
▪ Scan all the devices and systems with updated antivirus containing the malware signature
▪ Restore email services after blocking the malicious senders at the server level, and change the passwords of compromised accounts before using them
▪ Enable scanning of links and attachments in all the emails passing through the server
▪ Disable automatic file sharing between the systems
▪ Restore data from synchronized cloud services after scanning
▪ Uninstall and reinstall a fresh copy of an affected application
▪ Restore the system functions, including disabled/enabled services and open/closed ports, to their original state