The Containment, Eradication and Recovery phase is used to manage incident attacks before
they overwhelm the system and result into more fatal damages, using predetermined procedures
such as disabling system functions or shutting down the systems and disconnecting them from
the network to mitigate the effects of any attack (Cichonski et.al, 2012).
Finally the post incident activity phase is used by the organization or response team to reflect
on the new threats and use lessons learned to improve on incident response plan (Cichonski et.al,
2012).Within Target, the incident response plan created will be used in responding to a variety of
potential threats such as:
•
Unauthorized access
or unauthorized privilege escalation and data breaches,
•
Denial or Distributed Denial of Service Attacks,
•
Firewall Breaches,
•
Viruses and malware outbursts,
•
Theft or physical loss of equipment, and
•
Insider Threats (Rouse, 2014).
To mitigate these issues, some of the recommended actions that have been put in place at Target
include the following:
Incident Type
Kill Chain
Stage
Priority
Level
Recommended Action
Unauthorized Access
Exploitation &
Installation
High
Detect, monitor and investigate unautho-
rized access attempts with priority on
those that mission critical or contain sensi-
tive data.
Unauthorized Privi-
lege Escalation
Exploitation &
Installation
High
Critical systems are configured to record
all privileged escalation events and set
alarms for unauthorized privilege escala-
tion attempts.
Data Breach
System Compro-
mise
High
During a data breach, all evidence is cap-
tured carefully and evidentiary data is col-
lected. Alarms are set to alert system and
administrators and emergency system shut
down and data recovery steps is initiated.
All critical documents or data are backed
up on a different system.
Denial or Distributed
Denial of Service At-
tacks
Exploitation &
Installation
High
An IPS is implemented to monitor, detect
and automatically terminate all traffic pat-
terns that steps out of the normal behavior
of the system.
Viruses or Malware
Delivery & At-
tack
Low
Remediate any malware infections as
quickly as possible. The rest of the net-
work needs to scanned to ensure no fur-
ther compromise were associated with the
outbreak.
Insider Breach
System Compro-
mise
High
User accounts are routinely monitored us-
ing system log events and security infor-
mation and event management products
that can
generate alerts based on the anal-
ysis of log files
Theft of Physical Loss
System Compro-
mise
High
Whole disk encryption is used to protect
all laptops and mobile devices. Lockout
screen or remote wiping is lost or stolen
equipment is used to remotely remove all
critical data on stolen or lost equipment.
Firewall Breaches
System Compro-
mise
High
Technology additions and updates are
used to evaluate firewall settings and ad-
just them as needed in order to minimize
the impact on business.
You've reached the end of your free preview.
Want to read all 17 pages?
- Fall '09
- Information Security, Computer Security, Target Corporation
