Case study: Gem Infosys, a small software company, has decided to better secure its computer systems after a malware attack shut down its network operations for two full days. The organization uses a firewall, three file servers, two web servers, one Windows 2008 Active Directory server for user access and authentication, ten PCs and a broadband connection to the Internet. The management at Gem needs you to formulate an incident response policy to reduce network downtime if future incidents occur. Develop an incident response policy that covers the development of an incident response team, the disaster recovery process and business continuity planning. This assignment requires 2 to 3 pages in length (500 words minimum), based upon the APA style of writing. Use transition words, a thesis statement, an Introduction, Body, Conclusion and Reference Page with at least two references. Double spaced, Arial 12 font. Class lecture below for your reference.

Incident Response

Developing a Security Incident Response Team (SIRT) | Responsibilities of Team Members | Staging “Fire Drills” | Outsourcing Incident Response | Record-Keeping | After the Attack: Computer Forensics | Prosecuting Offenders

Developing a Security Incident Response Team (SIRT)

You can respond to a security incident in a number of different ways. Your options include countermeasures designed to block intrusions, such as packet-filtering rules and proxy servers that block intrusions detected by an Intrusion Detection System (IDS), and alterations to security policies to cover new vulnerabilities as they are detected. By developing a Security Incident Response Team (SIRT), your organization has the flexibility to implement any or all of these response options.

Goals of a Security Incident Response Team (SIRT)

A Security Incident Response Team (SIRT) is a group of individuals who are assigned to respond effectively to security breaches.

Responsibilities of Team Members

Employees who become part of a SIRT need to have the ability to stop any work they have underway in order to respond to a security incident if it occurs. They should also be given sufficient authority to make decisions if the overall security of the organization calls for it.

Deciding What Roles Team Members Will Assume

The SIRT should contain a range of different employees who represent a cross-section of the organization. This ensures that all parts of the organization will be represented in the process of responding to incidents. Each member can then report to his or her area within the organization. The SIRT should include one individual who is designated as the leader, who calls other members to meetings and who communicates the activities of the SIRT to others within the organization.

Staffing and Training

A virtual team, one whose members have other jobs to perform during regular business hours and which exists only during meetings or when an incident becomes sufficiently serious, tends to stay on top of technical issues as part of its normal activities. In contrast, a team that is devoted solely to incident response full-time can get out of touch and need to be trained.

Staging “Fire Drills”

A security drill needs to be conducted, not unlike the “fire drills” conducted by public and private schools. You don’t actually need someone to attack the network. Instead, pick a time for the drill to occur, and then follow a scenario in which you assume that an attack has occurred. Such drills are intended to identify any holes in the security procedures, and to make sure everyone on the SIRT knows his or her respective duties and responsibilities.

Public Resource Team

A number of teams around the world have been assembled in order to publish notices and articles about serious security incidents. You can notify such a team if you encounter a significant security event in order to benefit from the group’s expertise and ability to coordinate resources.

Outsourcing Incident Response

An organization might need to hire a company that will monitor its network and IDS sensors and report whether an intrusion has occurred. Outsourcing has its advantages and disadvantages. On one hand, an organization may find that hiring an outside incident response team results in lower overall costs, because the team has to deal only with actual incidents rather than managing firewalls, reviewing log files, or changing passwords and user accounts. On the down side, outsourcing systems or security functions may leave an organization at a disadvantage when it comes to timely, effective incident response procedures.

How to Respond: The Incident Response Process

The process of intrusion response doesn’t need to be a huge undertaking. In fact, an organization should be able to describe its own process clearly in a short document of perhaps five or six pages that the SIRT members can refer to if an event occurs and they need to know how to proceed.
* Step 1: Preparation

Risk analysis is the process of determining what the possibility of damage or loss is in a particular situation or environment, or for an individual object or set of objects. A security policy is a high-level statement that presents management’s position on security for the organization. Security policies are generalized documents which focus on the result of security, not the methods. Security procedures are more detailed documents which explain the methods that will be used to meet the goals of the security policies.

Using Your Risk Analysis to Prepare Your Response: the risk analysis is used to prepare a security policy, which describes how the organization should respond to intrusions, who should be on the SIRT, when incidents should be escalated, and when prosecution should be pursued.

Active Network Monitoring: monitoring the network for suspicious traffic is one essential activity of the Incident Response Team. Monitoring involves actively testing the network to see how it reacts to scans and other events. This is done by means of a network vulnerability analyzer.
* Step 2: Notification

Notification is the process by which the appropriate members of the SIRT receive news about security incidents. You might receive notification from your firewall or IDS, from other SIRT members, or from a network administrator who detects suspicious network activity. In addition, end users in the organization should be instructed to notify the security team member on call when a virus is detected, when oddly-named files begin appearing on the user’s file system, or when other signs of a security breach appear. After the initial response, you need to assess the level of damage, if any. Determining the scope and severity of the incident will tell you whether to escalate the incident.
* Step 3: Response

First, take time to analyze all reported events. Don’t simply react to the first event you encounter. An important aspect of response is having effective escalation procedures clearly spelled out and in place. Planning is the key to efficient response.

Determining Who to Notify: after you have determined exactly what has happened and how severe the event is, you need to determine who else needs to be notified, or whether you can handle the incident yourself. As far as what to report, you should provide the basic facts surrounding the incident. You also need to figure out how people are going to be notified in case of attack.

Following Standard Response Procedures: it’s important to avoid contacting everyone by e-mail, so that if the intruder has control of your e-mail server, he or she won’t be alerted to the fact that you are responding. You may want to:
  * Set up a hotline
  * Set up a list of people to contact
* Step 4: Countermeasures

Countermeasures should be taken to control any damage that has occurred. Two general types of countermeasures can be pursued: containment and eradication.

Containment of Damage: containment is the process of preventing a malicious file, intruder, or compromised media from spreading to the other resources on the network. If the problem can be contained so that it only affects a single disk or computer, the hacker’s efforts will be curtailed or even prevented.

Eradication of Data Introduced by an Intrusion: eradication involves the removal of any files or programs that resulted from an intrusion. Eradication usually follows containment. The process of eradicating files can be tedious and time-consuming, but it should not be rushed.
* Step 5: Recovery

Recovery describes the process of putting media, programs, or computers that have been compromised by intrusions back in service so they can function on the network once again. Don’t simply plug the machines or disk drives back in to the network and leave them to their end users. You need to monitor the restored devices for at least 24 hours to make sure the network is operating properly.
* Step 6: Follow-Up

Follow-up is the process of documenting what took place after an intrusion was detected and a response occurred. The goal of such documentation is to prevent similar intrusions from occurring again. By recording what happened in a file such as a database, information is stored in a place where future members of the SIRT who may not have been involved with the original incident can review it.

Record-Keeping

Record-keeping is the process of recording all of the events associated with a security incident. Such documentation has many goals. SIRT members who encounter events similar to the ones already encountered will benefit enormously from the notes. An organization’s legal representatives can also use the information in court.

Reevaluating Policies: any recommendations of changes in security policies or procedures that arise as a result of security incidents should be included in the follow-up database. An organization’s security policy may specify that details about security incidents are for internal use only and not for public consumption.

After the Attack: Computer Forensics

Computer forensics is the set of activities associated with trying to find out who hacked into a system or who gained unauthorized access, usually with the ultimate goal of gaining enough legally admissible evidence to prosecute the person.

Tracing Attacks: one of the first tasks undertaken when initiating a forensics investigation is the identification of the person or persons who initiated the attack. Identification can be difficult for a number of reasons. First, the offender may intentionally falsify the IP address listed as the source of the attack. Second, the hacker may have gained control of someone else’s computer and used it to launch an attack.

Forensics Toolkits: many incident handlers keep a forensics toolkit of hardware and software (sometimes called a jump kit) ready in order to respond to alerts. Such a kit might include a laptop computer, a cell phone, backup CD-ROMs or other disks, cables, hubs and trusted software for copying files, detecting viruses and Trojan horses, and searching for files.

Forensics Software: whether or not you assemble a toolkit, you should certainly have forensics software that can copy media or scan the files on a disk to determine how individual end users have been using their PCs. Cloning is the process of copying the entire bit stream of a disk or removable media to a similar object. A disk image is a copy of an entire disk that is saved on another type of storage media.

Using Data Mining to Discover Patterns: there is no reason why you need to react only passively to attacks that have already occurred. You can use your experience to prevent future attacks.

Prosecuting Offenders

Forensics can identify individual computers, but not the human being sitting at that computer at the exact time an attack originated from it. Prosecution should be considered in intrusion cases that result in financial fraud, inappropriate Web usage, theft of proprietary data, or sexual harassment.

Handling Evidence: when investigating an incident within a legal framework, reliable and accurate electronic findings are critical to the success of an accurate investigation.
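As an added illustration (not part of the lecture or the assignment), this Python model walks the Gem Infosys environment through the notification-to-follow-up steps above: it enforces the ordering the lecture prescribes (containment before eradication, eradication before recovery), refuses to close an incident before the 24-hour monitoring window after recovery has elapsed, and keeps the timestamped record the follow-up database needs. The asset impact weights, the severity thresholds and the sample timeline are my assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical impact weights for the case-study asset types (not from the lecture):
# the AD server authenticates every user, so its compromise outranks any number of PCs.
ASSET_IMPACT = {"ad_server": 5, "firewall": 4, "file_server": 3, "web_server": 3, "pc": 1}
# The lecture's steps after preparation, in the order they must be worked.
STEPS = ["notification", "response", "containment", "eradication", "recovery", "follow_up"]
MIN_MONITORING = timedelta(hours=24)  # restored devices are watched at least this long


@dataclass
class Incident:
    reported_by: str            # e.g. "IDS", "admin", "end user"
    affected: list              # asset types drawn from ASSET_IMPACT
    opened: datetime
    step: str = "notification"
    log: list = field(default_factory=list)  # (timestamp, step, note): the follow-up record

    def severity(self) -> str:
        """Scope-based severity: more (and more central) assets means a higher rating."""
        score = sum(ASSET_IMPACT[a] for a in self.affected)
        if "ad_server" in self.affected or score >= 8:
            return "critical"
        return "high" if score >= 3 else "low"

    def needs_escalation(self) -> bool:
        return self.severity() != "low"  # anything above 'low' goes to the full SIRT

    def advance(self, to: str, when: datetime, note: str) -> None:
        """Move to the next step only; containment must precede eradication, and so on."""
        if STEPS.index(to) != STEPS.index(self.step) + 1:
            raise ValueError(f"cannot go from {self.step} to {to}")
        if to == "follow_up":
            recovered_at = next(t for t, s, _ in self.log if s == "recovery")
            if when - recovered_at < MIN_MONITORING:
                raise ValueError("restored systems must be monitored for at least 24 hours")
        self.log.append((when, to, note))
        self.step = to


def run_case_study() -> Incident:
    """Constructed walk-through of a malware incident in the case-study environment."""
    t0 = datetime(2024, 1, 8, 9, 0)
    inc = Incident("end user", ["pc", "pc", "file_server"], opened=t0)
    inc.advance("response", t0 + timedelta(minutes=20), "SIRT leader paged via hotline")
    inc.advance("containment", t0 + timedelta(hours=1), "infected PCs and file server isolated")
    inc.advance("eradication", t0 + timedelta(hours=6), "malware removed, hosts reimaged")
    inc.advance("recovery", t0 + timedelta(hours=8), "hosts reconnected under monitoring")
    inc.advance("follow_up", t0 + timedelta(hours=33), "lessons recorded, policy review filed")
    return inc
```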