Midterm review chapters 11-14
What is an incident response policy? why is it useful?
An incident response policy describes the standard methods used by the organization for handling information security incidents. This is useful because it will help you focus on the incident as a whole, from start to finish without getting diverted from media and organizational pressures, including the possible consequences of any temporary controls you may have to put in place in order to contain or eradicate the threat.
Why are time stamps important in incident analysis?
It used to know when the data files were accessed and modified.
What is log analysis? What is the goal of log analysis?
Log analysis is the process of making sense out of computer-generated records (also called log or audit trail records). The process of creating such records is called data logging. The goal of log analysis is to verify the application is behaving as expected.
What are some of the benefits of log consolidation?
Log consolidation is to move logs from different locations to a centralized system and group them in a specific format. It will help in the correlation of logs.
What are the common locations of log files on Unix-based systems?
Log files are stored in /var/log/Syslog
Part 6
Management must be kept updated. It is a good idea to inform managers and other executives periodically, even if nothing has changed. This will keep phones from ringing, even those direct calls to engineers who are supposed to be dedicating their effort to the containment and eradication of the problem. Quick text messages and brief email messages with status updates are very useful in this situation.
What information is commonly available from web server logs?
Web servers may contain the list of activities it performed in the various web server pages. It has information like logins.
What is the goal of an information security policy?
A policy specifies a general direction for the organization to follow without concerns for how to get there.
What is compliance? What is its relevance for incident handling?
Compliance is the act of following applicable laws, regulations, rules, industry codes, and contractual obligations. Ideally, compliance requirements are best-practices developed to avoid well-known past mistakes. In practice though, compliance is often important because non-compliance leads to avoidable penalties. In any case, you need to be aware of any compliance requirements associated with incident response that are applicable to your context and act accordingly. Compliance is relevant for incident handling as we need to inform the concerned people about a breach, as well as superiors so that the information passes through the chain of command.
What is the difference between compliance and security?
Compliance or regulatory compliance involves following specifications put forth by policies or legal requirements mandated by state and federal laws.
Part 7
End users and customers also get very edgy when they don't know what is going on. Questions that are asked during an outage are: when will the system be back, and what happened. At times they are both difficult to answer
.What is eradication? What are some measures you can take to eradicate a virus attack?
Eradication, the removal of the causes of the adverse event. Some of the measures to take include: Remove the malicious code - If you have anti-virus software installed on your computer, update the virus definitions, and perform a manual scan of your entire system. If you do not have anti-virus software, you can purchase it at a local computer store. If the software can't locate and remove the infection, you may need to reinstall your operating system, usually with a system restore disk that is often supplied with a new computer. Note that reinstalling or restoring the operating system typically erases all your files and any additional software that you have installed on your computer. After reinstalling the operating system and any other software, install all the appropriate patches to fix known vulnerabilities.
What are the parts of a syslog selector?
Facility and priority.
Part 5
IT Personnel and the IT Help Desk should be maintained informed, especially when the event affects the availability of the asset. Users will quickly overwhelm the Help Desk with calls if the event involves an asset which criticality to the organization has been labelled essential. On a decentralized IT environment, like many large research universities across the United States, other IT organizations should also be informed to be in the lookout. For instance, if the event is a Denial of Service attack made possible thanks to an unpatched vulnerability, other units may wish to perform an emergency patching session before they also suffer the consequences of the DoS attack.
What are MAC times?
MAC times refers to the timestamps of the latest modification (mtime) or last written time, access (atime) or change (ctime) of a certain file. Unix systems maintain the interpretation of ctime as the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner. Windows systems are the only systems that use birth (btime) or creation (crtime) time, hence MACB; Modification, Access, Change and Birth.
What is risk management? List one or two activities you can perform to make the risk identified in Qs 1 more predictable.
Managing financial impacts of the unusual events. Two approaches to risk management: 1-making risks predictable 2-minimizing and preparing for these risks.
What is risk? What in your opinion are the three greatest IT risks you face in your personal life?
Risk is a quantitative measure of the potential damage caused by a specified threat. Three risks are identity theft, bank data breach a laptop stolen or lost usb or phone stolen or lost.
How are standards different from policies? How are the two similar?
Standards are different from policies in the way they focus on how to get where the policy desires to go. The two are similar in a way that they depend on each other one is the focus of how and the other is the "how to do".
Part 3
The Help Desk may be involved in the reporting as well. Maybe, during the process of resolving a problem, the help desk employee stumbled on to something. A misconfiguration of shared network drives, for instance, allowing too much access to users without need-to-know.
What are the different levels of log critically typically reported by Windows systems?
The different levels are: Information, Error, Success audit & Warning.
What are the goals of incident analysis?
The goal of the analysis is to discover all adverse events that compose the incident in order to properly and effectively manage the next phase of the cycle-containment and eradication. If the incident is not analyzed thoroughly, your organization will get stuck in a loop of detection and containment, with each iteration bringing more and more potential damage to the confidentiality, integrity, or availability of the asset involved.
What are some of the important provisions defined by the Sarbanes-Oxley (SOX) act?
The legislation, commonly referred to as SOX, sought to both improve the reliability of the public companies' financial reporting as well as restore investor confidence in the wake of high-profile cases of corporate crime. Former U.S. President George W. Bush, who signed the act into law on July 30, 2002, called the act "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt." SOX primarily sought to regulate financial reporting and other business practices at publicly traded companies. However, some provisions apply to all enterprises, including private companies and not-for-profit organizations. Additionally, SOX established penalties for noncompliance with its provisions.
What is an information security policy?
A policy is a document that records a high-level principle or course of action that has been decided on. The emphasis here is on high-level, policies are written I a language that is general enough to deal with routine developments in business and technology, they also provide specific actionable directions to all employees.
Part 2
Another possibility is an Anonymous Report. Organizations usually maintain processes by which someone can report an issue anonymously and not be afraid of reprisal. One such example could be allegations that a high-ranking university official is printing material of pornographic nature on university printers. An employee would not desire to see his or her name linked to such an allegation in fear of losing his or her job.
What is the authentication log in Unix? How can it be useful?
Authentication logs is used to verify success and failures in login attempts to the system. It can be used to monitor the system for unauthorized login attempts, investigating break-ins, understanding system behavior, and following user activity. It is located in the /var/log folder, "auth.log" and "messages" are the files to read.
What are some basic principles of live incident response?
Data from machine should be shipped off to the forensic machine, restore these files and obtain the files used in the attacks.
What is compliance? Why is it necessary? What are some of the laws with which your employer has to comply? (if you are not currently employed, consider your educational institution as your employer for the purposes of this question.)
Compliance is the act of following applicable laws, regulations, rules, industry codes, and contractual obligations. It is necessary to help protect important data such as SSN, bank accounts and other personal information.
How is risk management different form compliance?
Compliance it the act of following applicable laws, regulations, rules, industry codes and contractual obligations. Risk management is defined by laws and regulations. Compliance is only a subset of risk management requiring minimal set of risk-management activities to prevent catastrophe that can affect others. Compliance does not regulate risks that affect only you or your organization and ensures that your organizations conduct does not put investors at risk or other organizations.
What is containment?
Containment is the act of preventing the expansion of harm. Typically, this involves disconnecting affected computers from the network. For many incidents, there comes a point during the analysis when an event merits containment even before the analysis of the whole incident has been completed. This happens when the analyst is confident that the ongoing events merit action, and/or determines that the risk to the asset is too high for events to continue as is.
What is incident analysis? What is the goal of incident analysis?
Incident Analysis is a structured process for identifying what happened, how and why it happened, what can be done to reduce the risk of recurrence and make care safer, and what was learned. The goals of incident analysis are: Analysis & Containment.
What are the main compliance implications of FERPA for information security professionals?
FERPA Compliant Hosting for Educational Agencies With deep experience in helping companies across industry verticals, Onramp has the most secure compliant hosting solutions to meet FERPA's rules and regulations associated with protecting sensitive data. The Family Educational Rights and Privacy Act (FERPA) of 1974 is a U.S. privacy law designed to protect student records, including personally identifiable information (PII) with administrative, physical and technical safeguards. FERPA allows for educational agencies and institutions to use third-party cloud and/or IT infrastructure providers, like Onramp, for the outsourcing of information technology functions including the storage of education records.
Part 4
Finally, Self-Audit methods such as periodical vulnerability assessment and log analysis may bring to surface breaches that must be handled. One common example is that of an administrator who discovers a breach because the computer CPU load was too high, causing availability issue. Once the administrator is called to analyze the problem it is quickly apparent that a runaway FTP process is the guilty party. This FTP site stores mp3 files for hackers to share with each other and it is heavily used, causing the high CPU load. Notifications More often than not, as soon as an incident becomes problematic, people in the organization will start asking questions. This is especially true for those folks affected by the event. If the event is affecting managers and other executive leaders, the pressure for quick communication and resolution will be even greater.
What are frameworks? Why are they used in management? Very briefly (1-2 sentences) name a framework you have studied in another class. How did the use of a framework help your understanding of the topic organized by the framework?
Framework is a structure for supporting something else. In management Frameworks are used when a large number of ideas are to be organized in a manner that can be understood and memorized by many people
what are the main compliance implications of GLB for information security professionals?
GLB is comprised of two rules: The Safeguards Rule and the Privacy Rule. The safeguards rules require companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company size and complexity, the nature and scope of its activities and sensitivity of the customer information it handles. As part of its plan each company must: • Designate one or more employees to coordinate its information security programs • Identify and asses the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling these risks • Design and implement a safeguards program and regularly monitor and test it • Select service providers that can maintain appropriate safeguards make sure your contract requires them to maintain safeguards and oversee their handling of customer information • Evaluate and adjust the program in light of relevant circumstances including changes in the firm's business or operations or the results of security testing and monitoring.
How are guidelines different from standards and policies? How are the three similar?
Guidelines are the procedures you tell units when it would be nice if things were operated or accomplished in a certain way. Guidelines are a suggestion that may later be turned into a policy. The three are similar in
What are the main compliance implications of HIPAA for information security professionals?
HIPAA privacy rule provides federal protection for personal health information held by covered entities and gives patients an array of rights with respect to that information. The security rule specifies a series of administrative, physical and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.
Provide a brief overview of the ISO 27000 series of risk management standards developed by the International Standards Organization (ISO). How are they related to the NIST 800-39 standards? If you had to choose one of these which one would you choose as your reference standard for IT risk management? Why?
ISO 27000 is the best-known standard in the family providing requirements for an information security management system (ISMS). What are an ISMS? An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. It can help small, medium and large businesses in any sector keep information assets secure. The ISO 27000 standard also closely correlates with the US National Institute of Standards and Technology (NIST) SP 800-39 Managing Information Security Risk, which was developed for the US DoD. ISO 27005:2011 does not cover organizational risk, whereas NIST SP 800-39 does. Each have their similarity and differences, as to which I would choose would depend on the function and implementation needed. For a more structure organization and non-government I would choose ISO 27000 series, and NIST 800-30 framework for organizations that work with and for the government. I feel that it is best to use both as guidance and direction, they both are trying to reach the same goal which is to establish an understanding and implementation of security protocols.
What is IT risk assessment, as defined by NIST 800-39? What is the role of risk assessment in IT risk management?
IT risk management is the risk associated with the use of information systems in an organization. It also recommends that senior leadership be involved in IT risk management and that IT risk management be integrated in the design of business processes.
Why is it important? What are some measures you can take to contain the damage from a virus attack?
Minimize the damage - If you are at work and have access to an IT department, contact them immediately. The sooner they can investigate and clean your computer, the less damage to your computer and other computers on the network. If you are on your home computer or a laptop, disconnect your computer from the internet. By removing the internet connection, you prevent an attacker or virus from being able to access your computer and perform tasks such as locating personal data, manipulating or deleting files, or using your computer to attack other computers
What is the objective of the NIST 800-39 framework?
NIST 800-39 recommendations for managing information security risk are guidelines with inputs from the Civil, Defense and Intelligence Communities to provide an information security framework for the federal government.
What is impact assessment and vetting of a policy? Why is this activity important before a policy is adopted?
Once the policy is written it is strongly recommended that the policy reviewed by all affected stakeholders. During this phase the draft of the policy is circulated through stakeholders and feedback is requested. One of the questions posed to the stake holders is whether the new policy or change the existing policy will have an impact on their department, beneficial or not. The organization has to be able to consider also the impact of a failure to pass new policy, as well as the impact of passing the same.
What are the components of a typical information security policy?
Overview- first section in a policy the overview tells users the reason why the organization decided that it would be appropriate to have such policy. Scope-tells the user what or who is covered by the policy. Policies will always have a scope associated with it. Definitions-in the pre-policy sections the stage for actual policy you may see a separate section for definitions. Statement of policy-finally this section will explain to the readers what the actual policy wants to establish. Enforcement-usually the last section of the policy may refer to other policies for penalties and will usually mention a range of possible measures with phrases such as up to and including and appropriate measures.
What are the important activities involved in preparing for an iincidnet?
Preparation is the first step in the creation of an incident response plan, and it involves trying to think about all the possible threat scenarios that could affect the attributes of a specific asset and the appropriate response to each of these scenarios. Instead of attempting to be fully prepared to handle all the different types of treat actions against all different assets, it is more productive to identify the basic steps that are common to all events and plan the executionof eachof these steps.
What are some common issues involved in communication about incidents? Part 1
Reporting an incident for follow up Incidents may come to the IRT attention in a variety of ways. On a Direct Report, the asset owner or custodian may report the incident himself. For instance, say you look up your Social Security Number on Google from time to time. As a knowledgeable user, you look up the IT person responsible for security immediately and report that your SSN is exposed.
What is IT risk management? How is IT risk management related to an organization/s overall risk management?
Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. IT security threats and data-related risks, and the risk management strategies to alleviate them, have become a top priority for digitized companies. As a result, a risk management plan increasingly includes companies' processes for identifying and controlling threats to its digital assets, including proprietary corporate data, a customer's personally identifiable information and intellectual property.
What is the Incident Response Team? How is it constituted?
The primary role of the incident response team is to protect the overall computing infrastructure of the organization, and hence its members need to be aware of the overall IT architecture of the organization. The IRT is responsible for the overall incident handling cycle including: • Quickly identifying threats to the campus data infrastructure • Assessing the level of risk • Immediately taking steps to mitigate the risks considered critical and harmful to the integrity of university information systems resources • Notifying management of the event and associated risk • Notifying local personnel of any incident involving their resources • Issuing a final report as needed
What is the scope of an information security policy? Why is it useful to define the scope of a policy?
The scope is the part of the incident response policy that specifies the targets of the policy. It is recommended that the scope should be narrow and specified as closely as possible to what is achievable. Elements of the scope include: A. which assets are covered by the policy B. are there any exclusions to the policy C. are there departments within your organization with autonomy to decline adherence to the policy D. can individual departments be more exclusive/ stricter wiht theire policy.
What are the main compliance implications of SOX to top management of firms?
With Onramp, you can ensure compliance with Sarbanes-Oxley standards. The Sarbanes-Oxley (SOX) Act of 2002 requires that publicly held companies implement adequate controls to safeguard financial data, operations, and assets. SOX sets requirements in terms of data protection, vulnerability testing, and auditing data integrity. SOX not only affects the financial side of corporations, but also IT departments charged with storing a corporation's electronic records. The act is not a set of business practices and does not specify how a business should store records; rather, it defines which records should be stored and for how long. SOX states that all business records, including electronic records and electronic messages, must be saved for "not less than five years." The consequences for noncompliance are fines, imprisonment or both. Section 802 of Sarbanes-Oxley contains the three rules that affect the management of electronic records. The first rule deals with the destruction, alteration or falsification of records, and the resulting penalties. The second rule defines the retention period for records storage. The third rule refers to the type of business records that need to be stored, including all business records and communications, including electronic communications.
During the risk identification phase of risk assessment, what are the items that need to be determined to identify a risk?
You and your team uncover, recognize and describe risks that might affect your project or its outcomes. There are a number of techniques you can use to find project risks. During this step you start to prepare your Project Risk Register