Source: CISSP All-in-One Exam Guide, 5th Ed. (Harris), Chapter 10, pp. 885-886.

s who make up the analysis team must have a variety of skills. They must also have a solid understanding of the systems affected by the incident, the system and application vulnerabilities, and the network and system configurations. Although formal education is important, real-world applied experience combined with proper training is key for these folks.

One of the biggest challenges they face is the dynamic nature of logs. Most ISPs purge or overwrite their logs in a short timeframe, and time is lost the moment the incident occurs. Several hours may pass before an incident is reported or detected. Some countries are considering legislation that would require longer log file retention. However, such laws pose privacy and storage challenges. We can never win.

Once we have as much information as we can get in the last stage and have answered as many questions as we can, we then move to the tracking stage. (Tracking may also take place in parallel with the analysis and examination.) We determine whether the source of the incident was internal or external and how the offender penetrated and gained access to the asset. If the attacker was external, the team would contact their ISP to help them in gathering data and possibly help in finding the source of the attack. Many times this is difficult because attackers move from one system to the next, so several ISPs may have to get involved. Thus, it is important that the analysis and tracking team have a good working relationship with third parties such as ISPs, other response teams, and law enforcement.

Once the incident is understood, we move into the recovery (or follow-up) stage, which means we implement the necessary fix to ensure this type of incident cannot happen again. This may require blocking certain ports, deactivating vulnerable services or functionalities, switching over to another process...