AllChptLectureNotes-Johnson (1) (1)

management of the situation and ensure someone is available to make a quick decision. An important part of containment is evidence gathering. Part of the IRT will be focused on stopping the attack while others take snapshots of logs, configuration, and other evidence. Remember, a successful breach is a crime scene. If there's a chance you can prosecute the attacker, it's important to gather as much evidence as possible. You should also disturb the environment as little as possible. This is very difficult when you're trying to stop an attack. However, it's important to be aware of the need to collect evidence.

Cleaning Up After the Incident

A core mission of the IRT is to ensure efficient recovery of operations. Recovery includes ensuring that the vulnerabilities that permitted the incident have been mitigated. The recovery phase begins once the threat has been contained. You can implement an effective recovery strategy together with the business continuity plan (BCP) representative. This may require restoring servers and rebuilding operating systems from scratch. The next step would then be to test the affected machines and data. The testing should include looking for any signs of the original incident, such as viruses or malware. Once you test the servers and systems, you can certify them to be put back into production.

During the containment phase, you have little time to gather evidence. You have more time in the clean-up phase. However, management may pressure you to resume operations. Image the damaged computer(s), if possible, for further analysis after operations have resumed. That way you know the exact state prior to recovery. There are forensic tools that can perform this function quickly and effectively. If your organization is successfully attacked, it may be attacked again. It's important that the security controls are hardened to withstand another attack.

It is often a good idea to install additional monitoring after systems are brought back online. You can use the additional monitoring to validate that the systems have been hardened. You can also use it to change how management approaches future attempts to breach the same systems.

Documenting the Incident and Actions

As a focal point for the enterprise, the IRT can gather information across the organization. The IRT assesses the information gathered during and after the incident to gain insights into the threat. It's important that all status reports be issued through the IRT manager. Status reports are internal communications between the IRT and management. However, you should assume that others may end up viewing them. They might even end up in a court of law. You should avoid speculation in these reports. The reports should stick to the basic facts: what you know and what you are doing about it.
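The notes above say to take snapshots of logs and configuration during containment, to disturb the environment as little as possible, and to preserve evidence that may later be examined in court. The following Python script is an added example, not part of the lecture notes: it copies a set of files into an evidence directory without modifying the originals, hashes each copy with SHA-256, and writes a manifest recording who collected what and when. A verify step re-hashes the copies later so any alteration of the stored evidence is detected. The file names, log lines, configuration contents and collector identifier are all constructed for the demonstration.

```python
"""Evidence snapshot with an integrity manifest.

Added example (not from the lecture notes). The sources are only read,
never written; every copy is hashed so the collection can be shown to be
unaltered when it is examined after operations have resumed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and return the manifest.

    Per file the manifest records the original path, the copy's path, the
    SHA-256 digest (original and copy must agree), the size, the UTC
    collection time and the collector. It is also written to manifest.json
    so it travels with the evidence. Source basenames are assumed unique.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 preserves the file's timestamps
        digest_src = sha256_file(src)
        digest_dst = sha256_file(dst)
        if digest_src != digest_dst:
            raise RuntimeError(f"copy of {src} does not match the original")
        entries.append({
            "original_path": os.path.abspath(src),
            "evidence_path": os.path.abspath(dst),
            "sha256": digest_dst,
            "size_bytes": os.path.getsize(dst),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    manifest = {"items": entries}
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(evidence_dir):
    """Re-hash every evidence copy against the manifest.

    Returns the paths whose hash no longer matches or which are missing;
    an empty list means the stored evidence is intact.
    """
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["evidence_path"] for e in manifest["items"]
            if not os.path.exists(e["evidence_path"])
            or sha256_file(e["evidence_path"]) != e["sha256"]]


def demo():
    """Create constructed sample files, snapshot them, then alter one copy."""
    work = tempfile.mkdtemp()
    auth_log = os.path.join(work, "auth.log")
    sshd_conf = os.path.join(work, "sshd_config")
    with open(auth_log, "w") as f:  # constructed sample log lines
        f.write("Mar 10 02:14:07 web01 sshd[4412]: Accepted publickey for deploy\n"
                "Mar 10 02:14:09 web01 sudo: deploy : COMMAND=/bin/bash\n")
    with open(sshd_conf, "w") as f:  # constructed sample configuration
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")

    evidence = os.path.join(work, "evidence")
    manifest = snapshot([auth_log, sshd_conf], evidence, collector="irt-analyst-1")
    before = verify(evidence)  # nothing has changed yet

    # Simulate a later accidental edit of one evidence copy.
    with open(os.path.join(evidence, "auth.log"), "a") as f:
        f.write("extra line\n")
    after = verify(evidence)  # the altered copy is reported
    return len(manifest["items"]), before, after


if __name__ == "__main__":
    print(demo())
```

Copying and hashing in one pass is what lets the imaging done later in the clean-up phase be tied back to the state captured during containment: if the manifest hash of a copy changes, that copy can no longer be presented as the state of the system at the time of collection.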