12 Incident Management

Information Security Audit

7/17/2019 12 Incident Management

http://slidepdf.com/reader/full/12-incident-management 1/53

9/28/15

Incident Management

… to keep the business in business …

As the Information Age matures, the data residing in various locations becomes more valuable.

More value usually equals more attempts to steal that data.

Incident response (IR) and management is similar to working any disaster.

IR probably gets the least respect and money - until something happens.

Case 1

MegaMed is a large medical chain distributed across 12 states.

The Network Operation Command center has just detected a worm brought in by someone downloading the "Whack-A-Mole" game onto a remote PC. Their real-time network intrusion prevention system and continuous threat-monitoring system notified the center and quarantined the system.

The remote malware cleaner has already started removing the mess and, within minutes of the incident's start, the incident is over.

Response reports are documented and the incident case is closed.

Case 2

NanoMed, run by Doc Bob and Doc Bill, is a small medical office.

Bob's wife does the books and Bill's wife, who is a registered nurse, helps with the patients.

Bob's wife really likes the new Whack-A-Mole game she downloaded from the Internet.

Everybody agrees that the computer is running slower but, well, that's just the way they get.

Bob and Bill are having dinner together when they start to discuss the problem of several customers having reported their identities being stolen, and worry whether they'll receive payments from these customers.

Policies and Procedures (1)

Start with a statement from upper management announcing that IR is an important part of a plan to keep the business running, even if a major security event occurs.

Remind people what IR is by adding small articles to the newsletter. These are designed to keep IR in a top-of-the-mind position.

Update the IR policy and procedures regularly. It is best to build these reviews into the policy itself so that they must be kept up to date.

Update when new management comes in. These transition times are a great opportunity to expand management's awareness of the needs of IR.

Policies and Procedures (2)

Standard operating procedures for response should include the technical processes to use, checklists, and forms to be used in the response.

These procedures should be as detailed as possible - listing the software and how-tos for each event that might occur.

Utilizing these procedures helps reduce stress on the team, reduces training, and provides continuity across the entire organization.

Procedures should always be mappable to the policy so they can be considered as one unit with two parts.

Policies and Procedures (3)

Consideration for the size of the organization must be given in developing a team.

Multinational organizations suffer from regional misunderstanding.

Small organizations have few qualified people, few policies/procedures, less capital for incident management, and an increased risk of their plan failing.

Models of Team Structures

Central IR Team

Distributed IR Team

Coordinating Team

(1) Central IR Team

Used by large organizations that are only minimally geographically distributed.

The team is located at a central location and dispatched to needed locations.

(+) A central staff with up-to-date skills, standardized response to incidents, and a set of unified policies and procedures for the organization.

(-) The dispatch time for the team, travel costs, and, if the team is not supported or trained properly, the entire business gets bad service.

(2) Distributed IR Team

This method has teams, located in several geographically dispersed areas, which respond based on location or business division.

A central incident control is still needed to coordinate and provide a unified methodology for all the teams.

Usually used by large international organizations or national governments.

(+) Rapid response and specialized teams based on security clearance are easier to construct.

(-) Training requirements, recruitment, and an increased need for highly trained professionals.

(3) Coordinating Team

This team structure is designed to help less experienced teams, particularly in a complex situation or in a wide-scale cyber disaster.

The coordinating team often advises other teams but has no true authority during the response.

(+) These teams are packed with experts and are wonderful to have watching your back.

(-) If you get one of these, you probably already have a bigger mess than you think.

Most teams today are simple central IR teams, but consideration of all types of teams should be based on the type of the business.

Team Staffing Models

Based on how often you utilize the team:

Employee Staffed

Partially Outsourced

Fully Outsourced

(1) Employee Staffed

Employees who are specially trained to manage incidents. Utilizing a 24-7 model of response, these teams can be equated to the fire department, which waits for an event and responds appropriately.

Many employee teams are assigned additional duties when they are not in use.

These teams can be highly stressful and can suffer from a high turnover rate.

(2) Partially Outsourced

This team is constructed of full-time and part-time staff utilized from a third-party source.

Both the organization's staff and the outsourced staff work together to solve the event.

Requirements of the outsourced staff should be addressed, as well as the total cost of services. (Who pays for food, tools, and lots of other tiny expenses that show up during an IR?)

The organization's help desk, based on policy, usually makes the decision to activate the outsourced team if an event happens.

(3) Fully Outsourced

Companies that specialize in security services. They often offer 24-7 monitoring, firewall, intrusion prevention system (IPS), and intrusion detection system (IDS) services.

When an event is noted, they dispatch the team.

Many managed security service providers use this staffing model.

The contracting organization is notified of an event when the fully outsourced team is dispatched.

Team Personnel

Team Manager

Deputy Team Manager

Technical Lead

Incident Lead

(1) Team Manager

Team boss. Technically adept, has excellent communication skills, works well under pressure, and can guide others who are also under pressure.

Usually a seasoned veteran of IR who sets the tone for the team.

The "personality" of the team is usually a reflection of the team manager. Select this person carefully.

(2) Deputy Team Manager

Backup for the team manager. The person who will evolve into a team manager.

The same considerations in the selection of the team manager should be given to selecting this person.

(3) Technical Lead

The techie of the team. Main job is the technical responsibility for the event.

A high level of IR skills, a drive to continue learning, and a gnawing desire to get the truth from the event are needed.

This job really controls the quality of the team's response.

(4) Incident Lead

Logistical support for the team. Coordinates with other teams and special handlers, provides updates to other groups, ensures the team has what it needs, and handles the food, lodging, travel, and "duties as needed" for the team.

Skill in people-handling and logistics is more important than wicked good techie skills.

A good Incident Lead knows what you need before you know you need it.

Select this team member with the same care as the Team Manager because they can quickly lower the quality of work done by the team.

Who Needs to Be Involved?

Senior Management

Information Security Area

Telecommunications

IT Support

Legal Department

Human Resources

Media Relations/Public Affairs

Physical Security

Business Continuity Plan

(1) Senior Management

To endorse and support the entire program. Management needs to be informed of each event and how the team performed during that event.

Senior management has the responsibility to the shareholders to protect the data and minimize the effects of a computer security event.

(2) Information Security Area

A clear definition between the information security and IR teams needs to be established.

The Incident Lead is usually involved with this department to help smooth any conflicts that may arise.

(3) Telecommunications

Proper communications between the team members and management involves the telecommunications section.

Special phones or secure connections/communication are needed to maintain the confidentiality of data as well as of communications with outside organizations.

(4) IT Support

Laptops and tools used by the IR team are specialized and need to be more powerful than a standard corporate word-processing PC.

The use of virtual machines to work with attacks is increasing, and thus a large storage capacity is needed.

Advanced antimalware (AM) as well as an IPS system to minimize cross-infection between compromised machines and IR team machines is of prime importance. Proper cleaning of IR team laptops postincident is also a large postevent task.

(5) Legal Department

Allowing team members to have their questions answered in a timely manner by the legal department is important to keep the team from stressing about going to jail.

Teams without adequate legal support turn timid in their response and delay making important decisions.

(6) Human Resources

Hiring, disciplining, and dismissing team members are the realm of human resources (HR).

Helping HR understand the skill levels and type of person who will work well on the team is important.

HR is also the keeper of policies and procedures, so having their help in revisions and updates is vital. Low team turnover makes their job easier.

(7) Media Relations/Public Affairs

The ability to utilize additional media services to help in the control of the event is critical.

Unconfirmed rumors can do more damage to a business than the actual event does.

Early press releases reassuring customers that everything is OK are important, as is a constant update of the situation.

Even the old "ongoing investigation" comment helps reduce stress during the event.

(8) Physical Security

Keeping employees or press out of the team's way is vital. Crowd control and protecting the physical evidence are great jobs for physical security.

Physical security is a good way of maintaining the confidentiality of the incident and the data involved.

Assigning physical security to the team for protection helps them, and the team, feel that they are in control of the situation and part of the team.

(9) Business Continuity Plan

The BCP should be active during an event. This is the chance to see if your plan works and the time to see what modifications should be made.

The team should have a copy of the plan available to them so that they can verify that the path they are treading is correct.

Steps to Establishing an IR Team (1)

1. Establish IR capacity
Decide how many people are needed for a 24-7 team
Calculate a full-time team

2. Create an IR policy
What is an incident?
How to respond
Who responds

3. IR based on IR policy
What are the short-term/long-term goals of the team?
What metrics are needed to measure the team's and its members' effectiveness?
What will be the staff's training requirements and the staff's hiring requirements?

Steps to Establishing an IR Team (2)

4. IR procedures
Detailed procedures that establish how to work with different events
Based on the IR policy and the needs of the organization
Procedures are the tasks needed to actually correct the event

5. IR communication plan
Involves dealing with third parties who are involved with the event
It is better to use a trained person rather than the CEO to deliver bad news, because most CEOs have little knowledge of technology and can actually make the situation worse

Steps to Establishing an IR Team (3)

6. Select the team model
Is the team full time in-house? Fully outsourced?
Ask other organizations similar to yours what model they are using and what is good/bad about the model
Review the advantages and disadvantages of each model to help decide which one is best for your organization

7. Select the personnel
Finding technically skilled people is critical to the team, and finding people who can handle stress will keep the team functional
Team-building exercises can help a new team feel confident in each other and in the leaders of the team

Steps to Establishing an IR Team (4)

8. Determine services
Decide on what the team should be doing when not in response mode
Several large corporate teams are used as fully outsourced teams to other organizations, whereas some just stay within their own organization
The size of an organization does play a role in determining the number of services offered

9. Notify other groups
Public notification of other response teams is important
Press releases about team services can help the entire organization understand the roles and responsibilities of the new team

Doing the Response

Disconnect → Clean → Verify → Return

Doing the Response

1. Preparation
2. Detection
3. Incident Analysis
4. Incident Containment
5. Eradication
6. Recovery
7. Postincident Activity
8. Repeat to Preparation

(1) Preparation

Utilize the team for inside testing. By performing regular tests and risk assessments on the organization, a "prevention is the best policy" thought process can be started.

Find the errors before you need the team to fix them.

(2) Detection

Knowing the signs of an impending or current event is crucial.

Often, the organization doesn't know they have a problem until a formal audit finds evidence in a log review.

(3) Incident Analysis

What is the normal traffic profile of the network? Where are the central logs, and is there a correlation of log events?

Are all the clocks synchronized, or do you have to look for time offsets to determine the true time correlation?

Run packet sniffers and verify the results. What does the knowledge base say about the data?

Experience is a huge benefit during this stage.
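The clock-offset question above is the one most often skipped, and it changes what the timeline says. As an added example (not from the original slides), the Python below merges log lines from three sources whose clocks disagree into one timeline, once as logged and once after correcting each source's measured skew. The log lines, host names, addresses and the per-source skew values are constructed for the example; in practice each skew is what you measure by comparing a device's clock against the coordinated time source when the logs are collected.

```python
"""Added example: merge log lines from clocks that disagree into one timeline.

Everything below (log lines, hosts, addresses, skew values) is constructed for
the example. CLOCK_SKEW holds, per source, (reading - true time): what you
measure by comparing each device's clock against the coordinated time source.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs: (source, raw line). Three formats, as in real life.
RAW_LOGS = [
    ("ips", "2015-09-28T14:03:50Z ALERT worm.signature src=10.20.4.17 action=quarantine"),
    ("fw", "Sep 28 14:05:15 fw01 DENY TCP 10.20.4.17:51234 -> 10.20.4.22:445"),
    ("fw", "Sep 28 14:05:18 fw01 DENY TCP 10.20.4.17:51240 -> 10.20.4.23:445"),
    ("host", "09/28/2015 09:01:28 PC-REMOTE-07 Process created: whackamole.exe"),
    ("host", "09/28/2015 09:02:08 PC-REMOTE-07 Outbound connection 10.20.4.22:445"),
]

# Assumed measurements: the IPS is on the reference clock, fw01 runs 90 s fast,
# and the workstation logs local time (UTC-5) from a clock that is 90 s slow.
CLOCK_SKEW = {
    "ips": timedelta(0),
    "fw": timedelta(seconds=90),
    "host": timedelta(hours=-5, seconds=-90),
}

SYSLOG_YEAR = 2015  # BSD syslog lines carry no year; assumed from the incident date


def parse_ips(line):
    ts, msg = line.split(" ", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), msg


def parse_fw(line):
    m = re.match(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (.*)$", line)
    return datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)


def parse_host(line):
    m = re.match(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (.*)$", line)
    return datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"), m.group(2)


PARSERS = {"ips": parse_ips, "fw": parse_fw, "host": parse_host}


def naive_timeline(raw_logs=RAW_LOGS):
    """Merge on the timestamps as written: what you get if every clock is trusted."""
    events = []
    for source, line in raw_logs:
        reading, msg = PARSERS[source](line)
        events.append((reading.replace(tzinfo=timezone.utc), source, msg))
    return sorted(events)


def build_timeline(raw_logs=RAW_LOGS, skew=CLOCK_SKEW):
    """Merge after subtracting each source's measured skew: true time = reading - skew."""
    events = []
    for source, line in raw_logs:
        reading, msg = PARSERS[source](line)
        true_time = reading.replace(tzinfo=timezone.utc) - skew[source]
        events.append((true_time, source, msg))
    return sorted(events)


def events_before(timeline, marker, window=timedelta(minutes=2)):
    """Events from any source in the `window` leading up to the first event whose
    message contains `marker` (here the quarantine alert): the candidate precursors."""
    anchor = next(t for t, _, msg in timeline if marker in msg)
    return [e for e in timeline if anchor - window <= e[0] < anchor]


if __name__ == "__main__":
    for label, timeline in (("as logged", naive_timeline()), ("skew-corrected", build_timeline())):
        print(f"--- {label}: {len(events_before(timeline, 'quarantine'))} precursor(s) in the 2 min before quarantine")
        for t, source, msg in timeline:
            print(t.strftime("%Y-%m-%d %H:%M:%S"), source.ljust(4), msg)
```

Merged as logged, the workstation events land five hours early and the firewall denies appear after the quarantine, so nothing falls inside the two-minute window before the alert. After correction the sequence reads: game executed, SMB connection attempt, two firewall denies, IPS quarantine, and all four precursors are inside the window. The same correction applies to the team's own notes: one coordinated time source, applied consistently, or the timeline lies.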

(4) Incident Containment

How can you contain the event the fastest with the least residual damage?

How can you track which other machines are affected or what data is missing when you can't see the flow out of the infected machine?

Moving the machine to a separate switch (isolated from production but monitored) can show you what and where your data is going and how it's infecting other machines on your network.
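Once the machine sits on a separate, monitored switch port, the question becomes what its traffic shows. As an added example (not from the original slides), the Python below summarizes flow records captured from that port: which internal hosts the machine reached on lateral-movement ports, whether the pattern looks like scanning, and which external destinations received enough bytes to suggest data leaving. The flow records, addresses, port list and thresholds are constructed assumptions for the example.

```python
"""Added example: read the traffic of a quarantined machine off its monitored switch
port and summarise where it is spreading and what is leaving.

Flow records, addresses, the port list and the thresholds are constructed for the
example; tune the last two to your own network's baseline.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed flow records from the span/mirror port:
# (timestamp, src, dst, dst_port, bytes sent by src)
FLOWS = [
    ("2015-09-28 14:01:00", "10.20.4.17", "10.20.4.5", 53, 120),            # before the incident window
    ("2015-09-28 14:03:30", "10.20.4.17", "10.20.4.22", 445, 2100),
    ("2015-09-28 14:03:33", "10.20.4.17", "10.20.4.23", 445, 2050),
    ("2015-09-28 14:03:36", "10.20.4.17", "10.20.4.24", 445, 2080),
    ("2015-09-28 14:03:40", "10.20.4.17", "10.20.4.25", 445, 1990),
    ("2015-09-28 14:03:52", "10.20.4.17", "203.0.113.9", 443, 48_300_000),
    ("2015-09-28 14:03:55", "10.20.4.22", "10.20.4.17", 445, 500),          # a peer answering back
]

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LATERAL_PORTS = {22, 135, 139, 445, 3389}   # assumed set of ports worth treating as lateral movement


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def spread_report(flows, infected, since, scan_threshold=3, exfil_bytes=10_000_000):
    """Summarise traffic sourced by `infected` at or after `since`.

    Returns a dict with:
      lateral  - internal hosts it reached on LATERAL_PORTS, in address order
      scanning - True if it touched >= scan_threshold distinct hosts on one such port
      exfil    - external destinations that received >= exfil_bytes, largest first
    """
    since = datetime.strptime(since, "%Y-%m-%d %H:%M:%S")
    hosts_per_port = defaultdict(set)
    bytes_to_external = defaultdict(int)
    for ts, src, dst, port, nbytes in flows:
        if src != infected or datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") < since:
            continue
        if is_internal(dst):
            hosts_per_port[port].add(dst)
        else:
            bytes_to_external[dst] += nbytes
    lateral = {h for port, hosts in hosts_per_port.items() if port in LATERAL_PORTS for h in hosts}
    scanning = any(len(hosts) >= scan_threshold
                   for port, hosts in hosts_per_port.items() if port in LATERAL_PORTS)
    exfil = sorted(((dst, n) for dst, n in bytes_to_external.items() if n >= exfil_bytes),
                   key=lambda item: -item[1])
    return {
        "lateral": sorted(lateral, key=ipaddress.ip_address),
        "scanning": scanning,
        "exfil": exfil,
    }


if __name__ == "__main__":
    report = spread_report(FLOWS, "10.20.4.17", "2015-09-28 14:02:00")
    print("contacted on lateral ports:", ", ".join(report["lateral"]) or "none")
    print("looks like scanning:", report["scanning"])
    for dst, n in report["exfil"]:
        print(f"possible exfiltration: {n:,} bytes to {dst}")
```

The scanning flag is what separates a worm hunting for SMB peers from a user opening one file share; the exfil list is the first answer to "what data is missing". Every host in the lateral list is a candidate for the same disconnect, clean, verify, return cycle, so the report doubles as the containment work list.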

(5) Eradication

Reload the machine from a standardized ISO image and off you go.

Monitor progress from the network to make sure no other machines are still infected.

When a widespread worm hits, pulling all the machines off the network and rebuilding them can take several weeks or months, depending on the size of the event.

(6) Recovery

Several manufacturers have a protocol for reestablishing the needed services on the network.

This should be done in an orderly manner, with special attention given to the line-of-business software.

The speed and accuracy of the recovery can determine whether the business survives or not.

(7) Postincident Activity

Lessons learned:

What happened?

What could be done sooner?

What steps could be improved?

What tools did we need?

How well did we do?

Assess data collection:

What else did we need to know?

How can we use this in the future?

What was the precursor of the event?


(7) Post-incident Activity

Analysis:

Number of incidents handled

Time per incident

Total time of incident

Elapsed time to response

Team response time

Did logs and forms comply with established policies and procedures?

Subjective feeling of the team


(8) Repeat to Preparation

What happens to one business will happen to several others of the same general type. Are all the other areas covered against this threat?

What precursors were noted before the event, and how can a monitor be set to alert if this event starts again?

Review policy and procedures to see what could be improved or which steps could be eliminated to speed the process up.


Incident Documentation

The Incident Lead is responsible for the documentation being complete and accurate.

A major problem is when each member documents the time based on their own timepiece. Make sure a coordinated time source is selected and used by all team members.

The largest amount of work is recreating an event document in which different time sources were used. When did what really occur?
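To show why a coordinated time source matters, here is an added example (not from the slides) that rebuilds an incident timeline from three responders' notes, each written on their own clock and in their own time zone. The responder names, timestamps and clock-skew values are constructed; the reference clock is assumed to be an NTP-synchronised SIEM.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed: how far each responder's clock ran AHEAD of the coordinated
# source (the SIEM clock), as measured when the notes were reconciled.
CLOCK_SKEW = {
    "alice": timedelta(minutes=4),    # laptop clock 4 minutes fast
    "bob":   timedelta(minutes=-2),   # phone clock 2 minutes slow
    "siem":  timedelta(0),            # the reference clock itself
}


@dataclass
class Entry:
    who: str
    local_ts: str   # ISO 8601 with UTC offset, as written in the responder's notes
    note: str


# Constructed sample notes: read naively (by local time string) alice looks
# first, but once corrected the firewall burst bob saw comes before the IPS alert.
RAW_NOTES = [
    Entry("alice", "2015-09-28T09:17:00-05:00", "host PC-14 pulled from network"),
    Entry("bob",   "2015-09-28T15:09:00+01:00", "firewall shows outbound burst from PC-14"),
    Entry("siem",  "2015-09-28T14:12:30+00:00", "IPS alert: worm signature on PC-14"),
]


def normalize(entry: Entry) -> datetime:
    """Convert one responder's local timestamp to the coordinated UTC clock."""
    ts = datetime.fromisoformat(entry.local_ts)
    if ts.tzinfo is None:
        # A timestamp without an offset cannot be placed on the shared timeline.
        raise ValueError(f"{entry.who}: timestamp lacks a UTC offset")
    return (ts - CLOCK_SKEW[entry.who]).astimezone(timezone.utc)


def build_timeline(notes):
    """Return (utc_time, who, note) tuples sorted on the coordinated clock."""
    return sorted((normalize(e), e.who, e.note) for e in notes)


if __name__ == "__main__":
    for when, who, note in build_timeline(RAW_NOTES):
        print(when.isoformat(), who, note)
```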


Event Severity

Determining the severity of an event can help you quickly determine whether extra help is needed or a prolonged event is about to happen.

The severity score really comes into play when you start deciding how to respond.

Usually, the higher the severity score, the longer it will take to respond.


Responding to Incidents


Responding to Incidents - Viruses

Discontinue use of the infected computer. Mark it with a physical sign if needed to ward off users.

Use a commercial malware cleaner, and verify that no other computers or media were affected, especially USB drives, and monitor for unusual activity.


Responding to Incidents - Worms

Use quality advanced malware (AM) scanners and packet sniffers.

Ask the user if they have had strange messages or behavior on the computer.

Check the firewall for strange egress or new ports.

Stay current with threats and their detection methods.


Responding to Incidents - Trojan Horse

Always monitor the computer in question for a time to verify that there is no residual effect from the incident. Most businesses have no idea where their data is going because they have no egress monitoring.

Know where and how much of your data is leaving the facility.

If there is any strange activity, it will act as an early warning system for other creepy, crawly things on your network.
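The egress-monitoring point above, worked as an added example that is not part of the slides: outbound flow summaries are totalled per internal host and compared against a per-host baseline, and any host far over its baseline is reported together with the destination that received most of the data. The flow records, addresses and baseline figures are constructed; the baseline is assumed to have been learned from prior weeks of normal traffic.

```python
from collections import defaultdict

# Constructed outbound flow summaries, one per flow, as a firewall or NetFlow
# collector would export them (TEST-NET addresses for the external side).
FLOWS = [
    {"src": "10.0.0.12", "dst": "198.51.100.7", "dport": 443, "bytes_out": 120_000},
    {"src": "10.0.0.12", "dst": "203.0.113.44", "dport": 443, "bytes_out": 950_000_000},
    {"src": "10.0.0.31", "dst": "198.51.100.7", "dport": 443, "bytes_out": 80_000},
    {"src": "10.0.0.31", "dst": "198.51.100.9", "dport": 25, "bytes_out": 15_000},
]

# Constructed per-host daily outbound baseline in bytes (assumed learned earlier).
BASELINE = {"10.0.0.12": 300_000, "10.0.0.31": 250_000}


def egress_by_host(flows):
    """Total outbound bytes per internal host, and bytes per (host, dst, dport)."""
    totals = defaultdict(int)
    per_dest = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes_out"]
        per_dest[(f["src"], f["dst"], f["dport"])] += f["bytes_out"]
    return totals, per_dest


def egress_alerts(flows, baseline, factor=10):
    """Hosts sending more than factor x their baseline, with the destination
    that received most of it, so the responder knows where the data went.
    A host with no baseline entry is treated as baseline 0 and always flagged."""
    totals, per_dest = egress_by_host(flows)
    alerts = {}
    for host, total in totals.items():
        if total > baseline.get(host, 0) * factor:
            dst, port, size = max(
                ((d, p, b) for (h, d, p), b in per_dest.items() if h == host),
                key=lambda t: t[2],
            )
            alerts[host] = {"bytes_out": total, "top_dst": f"{dst}:{port}", "top_bytes": size}
    return alerts


if __name__ == "__main__":
    for host, info in egress_alerts(FLOWS, BASELINE).items():
        print(f"{host}: {info['bytes_out']} bytes out, mostly to {info['top_dst']}")
```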


Responding to Incidents - Distributed DoS

Start by checking the firewall logs and you'll see lots of different addresses giving just part of the TCP handshake.

This threat can be reduced in the preparation stage by modifying the settings on the router, the connect time, and the response time to the TCP handshake.

Most vendors have a how-to on decreasing the threat of distributed DoS.
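The firewall-log check described above, as an added example that is not from the slides: it reads constructed firewall lines, records which sources sent a SYN to each service and which ever followed with an ACK, and raises an alert when many distinct sources left the handshake incomplete. The log format (src=, dst=, dport=, flags=) and the TEST-NET addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log: one line per inbound packet, flags S (SYN) or A (ACK).
# Only 203.0.113.5 completes the handshake; the rest send a SYN and vanish.
FIREWALL_LOG = """\
2015-09-28 14:05:01 src=203.0.113.5 dst=198.51.100.10 dport=443 flags=S
2015-09-28 14:05:01 src=203.0.113.5 dst=198.51.100.10 dport=443 flags=A
2015-09-28 14:05:02 src=203.0.113.17 dst=198.51.100.10 dport=443 flags=S
2015-09-28 14:05:02 src=203.0.113.18 dst=198.51.100.10 dport=443 flags=S
2015-09-28 14:05:02 src=203.0.113.19 dst=198.51.100.10 dport=443 flags=S
2015-09-28 14:05:03 src=203.0.113.20 dst=198.51.100.10 dport=443 flags=S
2015-09-28 14:05:03 src=203.0.113.21 dst=198.51.100.10 dport=443 flags=S
2015-09-28 14:05:03 src=203.0.113.22 dst=198.51.100.10 dport=443 flags=S
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)"
)


def half_open_sources(log_text):
    """Per (dst, dport): the set of sources that sent a SYN but never an ACK."""
    syn = defaultdict(set)   # sources that opened a handshake
    ack = defaultdict(set)   # sources that completed one
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue   # unparseable line, skip rather than guess
        key = (m["dst"], int(m["dport"]))
        if "S" in m["flags"] and "A" not in m["flags"]:
            syn[key].add(m["src"])
        elif "A" in m["flags"]:
            ack[key].add(m["src"])
    return {key: syn[key] - ack[key] for key in syn}


def syn_flood_alerts(log_text, min_sources=5):
    """Services where at least min_sources distinct addresses left the handshake
    incomplete: the 'many addresses, partial handshake' pattern from the slide."""
    return {
        key: len(srcs)
        for key, srcs in half_open_sources(log_text).items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    for (dst, port), n in syn_flood_alerts(FIREWALL_LOG).items():
        print(f"{dst}:{port}: {n} sources with half-open handshakes")
```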


Summary

Incident management: how to minimize the effect of a security event

IR: Disconnect → Clean → Verify → Return

Make sure you use an organized methodology that will meet all your organization's needs

Must comply with regulations, and how it's done is where the variations in methodology start, to meet the organization's needs

Proper top-down design will help with planning, implementing, and maintaining a productive team

Proper selection of staff and ongoing extensive training is a must, as is a functional process for dealing with most computer security events