EC-Council Certified Incident Handler Version 1
Module III: Incident Response and Handling Steps
All Rights Reser ved. Repr oduction is Strictly Prohibited
News: A Delicate Balance is Required to Achieve Information Security
April 22, 2009
David Chadwick, Professor of Information Systems Security at the University of Kent, calls for better incident handling and procedures to protect sensitive data
It did not start with the loss of the personal details of 25 million people in receipt of Child Benefit in November 2007.[1] Neither did it end in January 2009 with the British Council losing a computer disk containing the names, national insurance numbers, salary and bank account details of its 2,000 UK staff.[2] Data loss has been happening ever since computers were first invented, and it will continue to happen as long as we have them, regardless of any legislation that Jack Straw might wish to impose, even legislation that recommends jail sentences for employees of organisations where data breaches occur.
After all, crimes that incur the harshest of penalties still occur daily. Furthermore, data loss will continue to happen even if encryption is ubiquitously implemented. Why? Because data security depends more on people and processes than on raw encryption technologies. This is eloquently illustrated in the data loss last August when the personal details of the 84,000 prisoners in England and Wales went missing. This data was held encrypted on the government computer system but was downloaded unencrypted onto a memory stick by an external contractor who then misplaced the stick.
Source: http://www.publicservice.co.uk/
Module Objective
• Handling Incidents
• Training and Awareness

Module Flow
Incident Response and

How to Identify an Incident
Suspicious entries in network logs
Accounting gaps of several minutes with no accounting log
Other events such as unsuccessful login attempts, attempts to write, alter, or delete system files, system failure, or performance degradation
Unusual usage patterns, such as programs being compiled in the accounts of users who are non-programmers
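Three of the indicators listed above (accounting gaps, failed-login bursts, compilation by non-programmer accounts) turned into checks over a log, as an added example that is not part of the course material. The log format, account names and the programmer group are constructed assumptions.

```python
"""Added example (not ECIH course material): three checks over an accounting log
for the indicators listed above. The log format, account names and the
programmer group are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample accounting log: "<date> <time> <user> <action> <detail>"
SAMPLE_LOG = """\
2009-04-22 09:00:05 alice login ok
2009-04-22 09:00:40 bob login fail
2009-04-22 09:00:42 bob login fail
2009-04-22 09:00:44 bob login fail
2009-04-22 09:00:47 bob login fail
2009-04-22 09:00:49 bob login fail
2009-04-22 09:01:10 alice exec /usr/bin/vi
2009-04-22 09:13:30 carol login ok
2009-04-22 09:14:02 carol exec /usr/bin/gcc
2009-04-22 09:15:00 alice logout ok
"""

PROGRAMMERS = {"alice"}  # constructed: accounts expected to compile code
COMPILERS = {"gcc", "cc", "g++", "make", "ld", "as"}


def parse_log(text):
    """Return a list of (timestamp, user, action, detail), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, action, detail = line.split(maxsplit=4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, user, action, detail))
    return sorted(events, key=lambda e: e[0])


def find_accounting_gaps(events, min_gap=timedelta(minutes=5)):
    """Stretches of at least min_gap with no accounting record at all.
    On a normally busy system such silence can mean logging was stopped."""
    return [(prev[0], cur[0]) for prev, cur in zip(events, events[1:])
            if cur[0] - prev[0] >= min_gap]


def find_failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Accounts with at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for ts, user, action, detail in events:
        if action == "login" and detail == "fail":
            failures[user].append(ts)
    flagged = set()
    for user, times in failures.items():
        # times are already in order; slide a window of `threshold` entries
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


def find_unexpected_compiles(events, programmers=PROGRAMMERS):
    """Compiler or linker runs under accounts that are not programmers."""
    return [(ts, user, detail) for ts, user, action, detail in events
            if action == "exec"
            and detail.rsplit("/", 1)[-1] in COMPILERS
            and user not in programmers]


def identify_incident_indicators(text):
    """Run all three checks; a non-empty value is a candidate incident to assess."""
    events = parse_log(text)
    return {
        "accounting_gaps": find_accounting_gaps(events),
        "failed_login_bursts": find_failed_login_bursts(events),
        "unexpected_compiles": find_unexpected_compiles(events),
    }


if __name__ == "__main__":
    for name, hits in identify_incident_indicators(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Each hit is only a candidate; the initial-response step that follows still has to decide whether it is a real incident or a false positive.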
Handling Incidents
• Incident reporting
• Incident analysis
• Incident response
Incident handling allows incident reports to be gathered in one location so that exact trends and patterns can be recognized and recommended strategies can be employed
It helps the corresponding staff to understand the process of

Need for Incident Response
The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident
Incident response is required to identify the attacks that have compromised personal and business information or data
• Protect systems
• Protect personnel

Goals of Incident Response
Preventing future attacks or incidents
Enhancing security of the computer system
Securing privacy rights established by law and policy
Providing accurate reports and useful recommendations
Assisting law enforcement in prosecuting digital criminals
Protecting the organization’s reputation and assets

Incident Response Plan
An incident response plan consists of a set of instructions to detect and respond to an incident
It defines the areas of responsibility and creates procedures for handling various computer security incidents
• How information is passed to the appropriate personnel
• Assessment of the incident
• Documentation of the incident
• Preservation of the evidence

Purpose of Incident Response Plan
The incident response plan gathers required resources in an organized manner to address incidents related to the security of a computer system
It protects the organization’s resources against an attack
It protects the sensitive data on the systems
It supports legal investigations

Requirements of Incident Response Plan
The requirements of incident response planning are:
• Expert teams (Computer Emergency Response Team (CERT))
• Company’s financial support
• Executive/upper management support
• A feasible and tested action plan
• Physical resources, such as redundant storage, standby systems, and backup services
Preparation
Preparation is the most important aspect that allows you to respond to an incident before it happens
The success of an incident response process depends on the pre-incident preparation
It includes:
• Examining security measures for networks and systems
• Intrusion Detection System (IDS)
• Communication plan
• Audit trail

Preparation (cont’d)
It consists of security measures that an incident response team should begin to implement in order to ensure protection of the organization’s assets and information
Preparing the incident response team includes:
The requirement of hardware and software components to investigate the computer security incidents
The requirement of documents such as forms and reports to investigate the incident
Policies and operating procedures for backup and recovery

Incident Response and Handling Steps
Identification
Notifying External Agencies
Review and Update the Response Policies

Step 1: Identification
the incident
This phase is necessary for categorizing and responding to incidents
Identify the incidents with the help of software packages such as antivirus software and intrusion detection tools
System and network audit logs may also provide sufficient

Identification (cont’d)
Incident reporting and assessment
Assign event identity and severity level
Other systems analysis
Step 2: Incident Recording
Incident recording is a process of accurately storing the details of the occurrence of an incident
The information gathered should include:
• The date and time the incident happened
• The date and time at which the incident was detected
• Who has reported the incident
• Details of the incident, including:
• Description of the incident
• Backup information such as error messages, log files, etc.

Step 3: Initial Response
The first step in the investigation process is to gather sufficient information required to determine a proper incident response
It involves:
• Initial investigation
• Notifying individuals about the incident

Step 3: Initial Response (cont’d)
During initial response, you should:
• Check whether you are dealing with an actual incident or a false positive
• Gather enough information on the type and severity of the attack or incident
• Record your actions and document the incident

Step 4: Communicating the Incident
Communicate with the incident response team whenever you suspect the occurrence of any security breach
In order to handle the incident, the incident team lead will discuss the breach with their core team and other members of the organization
While reducing the impact of the incident, maintain appropriate controls and coordination of the incident

Step 5: Containment
Containment focuses on limiting the scope and extent of an incident
Avoid conventional methods to trace back; this may alert the attackers
The common techniques in the containment stage are:
• Disabling of specific system services
• Changing of passwords and disabling accounts
• Complete backups of the infected system
• Temporary shutdown of the infected system
• Restoration of the infected system

Containment (cont’d)
Reduce the potential effect or damage of the incident by quickly responding to it
The points to consider while minimizing the risk are:
• Protecting confidential and sensitive data
• Safeguarding business, scientific, and managerial information
• Protecting hardware and software against future attacks
• Limiting the damage to the computer’s resources
Step 6: Formulating a Response Strategy
The response strategy generally depends on the incident situation
Response strategies consider the following:
• Are the systems seriously affected due to the incident?
• How sensitive is the compromised or stolen information?
• Who are the attackers?
• What is the unauthorized access level gained by the attackers?
• What are the attackers’ skills?
• What is the total downtime of the system and the user?
• What is the total cost of the loss?

Step 7: Incident Classification
Classification of incidents is defined based on their severity and potential targets
Classify the incidents based on a number of factors such as:
• Nature of the incident
• Number of systems impacted by the incident
• Legal and regulatory requirements

Step 8: Incident Investigation
Investigation is a process of gathering evidence related to an incident from systems and networks
Examine the investigation process to identify:
• The incident

Step 9: Data Collection
Data collection is defined as the gathering of the facts and evidence that are required for forensic analysis
Data collection involves several unique forensic challenges, such as:
• Gathering data that exceeds the computer storage capacity
• Proper collection of data to ensure integrity

Data Collection (cont’d)
Host-based evidence: consists of logs, records, documents, and any other information available on the system
Network-based evidence: consists of information gathered from IDS logs, pen-register/trap and traces, router logs, firewall logs, and authentication servers
Other evidence: evidence gathered from the people

Step 10: Forensic Analysis
Data such as log files, system files, graphic files, web history files, emails, installed applications, etc. are gathered for analysis
• Nature of the incident
• What triggered the incident

Step 11: Evidence Protection
Protect the evidence to take legal action against the attackers
Take a complete backup of the affected systems with the help of new or never-before-used media devices
Store and protect the backup on either CD-R or DVD-R to prosecute the offender(s)
The stored backup can be used to recover the data from the affected systems

Step 12: Notify External Agencies
Step 13: Eradication
The eradication stage removes or eliminates the root cause of the incident
Vulnerability analysis is performed in this stage

Eradication (cont’d)
• Using antivirus software
• Installing latest patches
• Policy compliance checks
• Independent security audits
• Eliminating the intruder’s access and identification of possible changes completely

Step 14: Systems Recovery
Recovering a system from an incident generally depends on the extent of the security breach
In the recovery step, an affected system is restored to its normal operations
The computer systems and networks are monitored and validated
The recovery stage determines the course of action for an incident
Run vulnerability assessment and penetration testing tools to identify

Systems Recovery (cont’d)
Determine the integrity of the backup file by making an attempt to read its data
Verify the success of the operation and the normal condition of the system
Monitor the system with network loggers and system log files, and check for potential back doors
The actions to be performed in the recovery stage are:
• Rebuilding the system by installing a new OS
• Restoring user data from trusted backups
• Examining the protection and detection methods
• Examining security patches and system logging information
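One way to make the evidence backup of Step 11 checkable in the recovery stage ("determine the integrity of the backup file by making an attempt to read its data"): hash every file when the backup is taken, then re-read and compare before the copy is trusted for prosecution or restore. This is an added example, not course material; the directory layout and file contents are constructed.

```python
"""Added example (not ECIH course material): a SHA-256 manifest for an evidence
backup. It pairs Step 11 (back up the affected system onto fresh media) with the
recovery-stage check above (prove the backup's integrity by reading it back).
The directory layout and file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file by reading all of it: an unreadable file raises OSError."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _files_under(root):
    root = Path(root)
    return [p for p in sorted(root.rglob("*")) if p.is_file()]


def build_manifest(root):
    """Relative path -> SHA-256 for every file in the backup, taken at collection time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in _files_under(root)}


def manifest_to_text(manifest):
    """Same layout as `sha256sum` output, so the manifest can be checked with stock tools."""
    return "".join(f"{h}  {rel}\n" for rel, h in manifest.items())


def verify_manifest(root, manifest):
    """Re-read every listed file and compare; also report files the manifest never saw."""
    root = Path(root)
    result = {"ok": [], "modified": [], "missing": [], "unreadable": [], "extra": []}
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
            continue
        try:
            actual = sha256_file(path)
        except OSError:
            result["unreadable"].append(rel)
            continue
        result["ok" if actual == expected else "modified"].append(rel)
    result["extra"] = [p.relative_to(root).as_posix() for p in _files_under(root)
                       if p.relative_to(root).as_posix() not in manifest]
    return result


def is_intact(result):
    """True only when every listed file read back with its original hash and nothing was added."""
    return not (result["modified"] or result["missing"]
                or result["unreadable"] or result["extra"])


def demo():
    """Constructed evidence copy: verify it clean, then again after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "var/log").mkdir(parents=True)
        (root / "var/log/auth.log").write_text(
            "Apr 22 09:00:40 host sshd: Failed password for bob\n")  # constructed
        (root / "etc").mkdir()
        (root / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")  # constructed
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate what a later check must catch: a truncated log, a removed
        # file and a file that was never part of the original evidence.
        (root / "var/log/auth.log").write_text("")
        (root / "etc/passwd").unlink()
        (root / "etc/shadow.bak").write_text("not in manifest\n")
        tampered = verify_manifest(root, manifest)
        return {"files": sorted(manifest), "manifest_text": manifest_to_text(manifest),
                "clean": is_intact(clean), "tampered": tampered}


if __name__ == "__main__":
    out = demo()
    print(out["manifest_text"])
    print("clean copy intact:", out["clean"])
    print("after tampering:", {k: v for k, v in out["tampered"].items() if v})
```

Keep the manifest on separate write-once media from the backup itself, so that a damaged or altered disc is detected rather than silently restored.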
Step 15: Incident Documentation
The incident response team should document various processes while handling and responding to an incident
Document the steps and conclusion statements immediately after completion of the forensic process
The document should be properly organized, examined, reviewed, and vetted by management and the legal representative
The documentation should provide:
• Description of the security breach
• Details of the actions taken, such as:
• Who handled the incident
• When the incident was handled
• Reasons behind the occurrence of the incident

Incident Documentation (cont’d)
The best way to prosecute the offender(s) is through proper documentation
The document prepared should be:
Concise and Clear:
• Prepare the reports in such a way that they are clearly understood by everyone
Standard Format:
• Maintain a standard format that makes report writing scalable, saves time, and enhances accuracy
Editors:
• Ensure that the forensic reports are edited properly

The two important pieces of evidence required for legal prosecution are incident damage and cost
• Costs due to loss of confidential information
• Legal costs

Step 17: Review and Update the Response Policies
Review the process after completion of both the documentation and recovery steps
Discuss with your team members the steps that were successfully implemented and the mistakes committed
Reviewing the response and updating policies
Training and Awareness
handling policies
Practical training removes developmental errors, improves procedures, and reduces the occurrence of miscommunication
Well-trained members can prevent an incident or limit the resulting damage
Security awareness and training should include:
• Design and planning of the awareness and training program
• Development of the awareness and training materials
• Implementation of the awareness and training programs
• Measuring the effectiveness of the program and updating it

Training and Awareness (cont’d)
Training should be conducted at specified intervals, and it should include:
• Incident handling location
all employees
• Recognition and operation of utility shut-off devices
• Knowledge and participation
• Concerning the plan’s strategies
• Contingency arrangements

Security Awareness and Training Checklist
Checklist for security awareness and training:
• Is the type and frequency of training noted?
• Are training classes for security personnel described?
• Are training classes for basic end-users described?
• Are instructors for the training classes noted?
• Is it noted that security training is tracked and logged?
• Is it noted that all courses are evaluated by the users?
• Are roles and responsibilities for security awareness noted?
• Are roles and responsibilities for security training noted?
• Does the plan indicate that a record of user training participation is kept?
• Does the plan indicate that users are assessed for their security knowledge after they undergo training?

Incident Management
Incident management helps not only in responding to incidents but also in preventing future incidents by minimizing the potential damage caused by risks and threats
It consists of action plan development and consistent processes that are repeatable, measurable, and understood within the organization
• Human resource personnel experienced in incident handling
• Legal counsel

Incident Management (cont’d)
The objective of incident management is to quickly restore the services of the computer system to normal operations after an incident with little or no impact on the business
It provides end-to-end management support on how to handle security incidents or events
Incident management involves:
• Equipment, tools, and supporting material
• Identifying and training qualified staff on handling security incidents

Purpose of Incident Management
Incident management is required to:
• Prevent incidents and attacks by tightening the physical security of the system or infrastructure
• Create awareness by conducting training programs for employees and users on security issues and response plans
• Monitor and test the organization’s infrastructure to identify weaknesses and vulnerabilities
• Share information about the incident with other teams
Incident Management Process
Prepare:
• Plan and implement an initial incident management
• Follow lessons learned and evaluate the assessment activities to enhance the security of the systems
Protect:
• Implement security measures to protect the computer system from incidents
• Implement infrastructure protection improvements resulting from postmortem reviews or other process improvement mechanisms
Triage:
• Categorize, prioritize, and correlate events
• Assign events for handling or response
• Analyze the event

Incident Management Process
Figure: Incident Management Process, Source: http://www.cert.org/

Incident Management Team
The incident management team provides support to all computer systems that are affected by threats or attacks
The incident management team consists of:
Executive management
affected by the incident

Incident Management Team (cont’d)
responsible for:
• Managing internal and external communications
• Directing response and recovery activities
• Monitoring the recovery progress

Incident Response Team
An incident response team is a group of security professionals within an organization who are trained and asked to respond to a security incident
The response team should contain authorized security personnel to take necessary actions against security incidents
The incident response team should:
• Develop or review the processes and procedures that must be followed in response to an incident
• Manage the response to an incident and ensure that all procedures are followed correctly
• Review changes in legal and regulatory requirements to ensure that all processes and procedures are valid
• Review and recommend technologies to manage and counteract incidents
• Establish relationships with local law enforcement agencies, government agencies, key partners, and suppliers

Incident Response Team (cont’d)
An incident response team takes responsibility for dealing with potential or real-time information security incidents
The team should be made up of a number of people with knowledge and skills in different areas
• IT Security
Incident Response Team Members
Information Security Officer (ISO)
Network Administrator
System Administrator
Internal Auditor

Incident Response Team Members Roles and Responsibilities
Information Security Officer (ISO):
• Provides incident handling training to members
• Prepares a summary of corrective actions taken to handle the incident
team
Information Privacy
• Develops communication with organizations that are affected by security incidents
Network Administrator:
• Performs corrective actions against the suspected intruder by blocking the network

Incident Response Team Members Roles and Responsibilities (cont’d)
• Updates service packs and patches
• Examines system logs to identify malicious activities
signs of incident
Business Applications and Online Sales Officer:
• Checks the audit logs of critical servers that are vulnerable to attacks
Internal Auditor:
• Checks whether the information systems are in compliance with security policies and controls
• Identifies and reports any security loopholes to management

Developing Skills in Incident Response Personnel
Appropriate books, magazines, and other technical references should be available that help in improving the technical knowledge of the subject
Prepare a training budget to maintain, enhance, and increase proficiency in technical areas and security disciplines, including the legal aspects of incident response by the legal experts

Developing Skills in Incident Response Personnel (cont’d)
Maintain sufficient staff in the organization so that the team members can have uninterrupted time for work
Develop a mentoring program for senior technical staff to help less experienced staff learn about the incident handling process
Hire external subject matter experts for training
Develop various scenarios on incident handling and conduct group discussions on how they would handle them

Incident Response Team Structure
The incident response team should handle the incident whenever an incident is identified by any person in the organization
The incident response team should:
• Analyze the incident data
• Minimize the damage and restore the system to normal operations
• Central incident response team
• Distributed incident response teams

Incident Response Team Structure (cont’d)
Staffing Models

Incident Response Team Dependencies
Human Resources

Incident Response Team Services
Advisory Distribution
Defining the Relationship between Incident Response, Incident Handling, and Incident Management
Source: http://www.cert.org/

Incident Response Best Practices
Stay calm
Form a plan for resolution
• Identify the problem
• Resolve the problem
Document everything

Incident Response Best Practices (cont’d)
Notify the appropriate people
Stop the incident if it is still in progress
Identify the single most important and immediate problem
Preserve evidence from the incident
Wipe out all effects of the incident
Identify and mitigate all vulnerabilities that were exploited
Prevent reoccurrence of the incident
Review the causes and resolution
Confirm that operations have been restored to normal
Create a final report

Incident Response Policy
Decide an organizational approach
Determine the outside notification procedures
Identify remote connections and include remotely operating employees or contractors
Identify the members of the incident team and describe their roles, responsibilities, and functions
Prepare a communication plan to contact the key personnel

Incident Response Plan Checklist
Does your plan accurately describe the systems it applies to?
Does your plan include a contact list of key personnel?
Does your plan include information on roles and responsibilities?
Does your plan include a diagram of the escalation framework?
Does your plan include how to contact the agency CSIRC?
Does your plan list the members of the CSIRT team?
Does your plan list the members of the CSIRC team?
Does your plan include a description of incident types?
Does your plan include guidance on severity levels?
Does your plan include information on agency security policies?
Does your plan include incident handling guidelines?

Incident Handling System: RTIR http://bestpractical.com/rtir/
Request Tracker for Incident Response (RTIR) is an open source incident handling system
It helps in handling incident reports
It allows multiple incident reports to be tied to specific incidents
It makes it easy to launch investigations to work with law enforcement, network providers, and other partners to get to the bottom of each incident
Features:
• Scripted action

Screenshot: RTIR

RPIER 1st Responder Framework http://www.ohloh.net/p/rpier-infosec
Regimented Potential Incident Examination Report (RPIER) is a security tool built to facilitate 1st response procedures for incident handling
It is designed to acquire commonly requested information for incident handling
Features:
• Results are auto-zipped
• Email notification
• Command line configuration/execution

RPIER 1st Responder Framework: Screenshot

Summary
The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident
An incident response plan consists of a set of instructions to detect and respond to an incident
The incident response plan gathers required resources in an organized manner to address incidents related to the security of a computer system
Preparation is the most important aspect that allows you to respond to an incident before it occurs
Training and awareness provides the skills required to implement incident handling policies
News: Council of Europe and OAS Step up Efforts to Counter Terrorism and Strengthen Cyber Security
Source: http://www.egovmonitor.com

Module Objective
• Roles of CSIRTs
• World CERTs

Module Flow

Introduction to CSIRT

What is CSIRT
CSIRT stands for Computer Security Incident Response Team
It is a service organization which provides 24x7 computer security incident response services to any user, company, government agency, or organization
It provides a reliable and trusted single point of contact for reporting computer security incidents worldwide
It provides the means for reporting incidents and disseminating important incident-related information

What is the Need of an Incident Response Team (IRT)
An incident response team helps organizations to recover from computer security breaches and threats
This team is dedicated to understanding the incident response process and taking necessary actions when needed
It is a formalized team with its major job function being ‘performing incident response’
The team consists of experts trained to respond to and handle incidents

CSIRT Goals and Strategy
the customers’ security vulnerabilities and by responding effectively to potential information security incidents
Goals of CSIRT:
• To minimize and control the damage
• To provide or assist with effective response and recovery
• To prevent future security incidents
Strategy of CSIRT:
• It provides a single point of contact for reporting local problems
• It identifies and analyzes what has happened during an incident, including the impact and threat
• It researches solutions and mitigation strategies

CSIRT Vision
Specify the mission, goals, and objectives of an organization
Select the services to be offered by the CSIRT
Determine how the CSIRT should be structured for the organization
Plan the budget required by the organization to implement and manage the CSIRT

Common Names of CSIRT
Incident Handling Team (IHT)
Incident Response Team (IRT)
Security Incident Response Team (SIRT)

CSIRT Framework

CSIRT Mission Statement
The mission statement provides a basic understanding of what the team is trying to achieve
It provides a focus for the overall goals and objectives of the CSIRT
A CSIRT should define, document, adhere to, and widely distribute a concise and clear mission statement
The mission statement must be non-ambiguous and consist of a maximum of three or four sentences

CSIRT Constituency
The constituency is the region where the CSIRT is bound to serve
It might be defined in the form of a statement and may be supported by a list of domain names
A CSIRT constituency may be bounded or unbounded by some constraints
constituency
CSIRT Constituency (cont’d)
CSIRT Type Nature o f Mis s io n Type of Con stituen cy
Served
perspective of computer security
other CSIRTs and building a “web of
tru st” among CSIRTs
Corporation
corporation’s information
of damage resulting from intrusions
System an d network
administrators and system users
within t he corporation
product Users of the p roduct
 
All Rights Reser ved. Repr oduction is Strictly Prohibited
CSIRT Constituency (cont’d)
• Gaining constituency’s trust
constituency tha t are to be addressed are:
 
All Rights Reser ved. Repr oduction is Strictly Prohibited
CSIRT’s Place in an Organization
The place that a CSIRT holds in its parent organization is tightly coupled to its stated mission
It fails when placed under the system administration department of its parent organization
A CSIRT may constitute the entire security team of an organization, or may be totally distinct from the organization’s security team
The activities of a CSIRT can also be carried out by the organization’s security team
CSIRT’s Place in an Organization (cont’d)
It commonly resides within, or has some overlap with, the organization’s IT security department, as shown in the figure below:
Figure: CSIRT within its parent organization
CSIRT’s Relationship with Peers
Figure: CSIRT Peer Relationships, Source: www.cert.org
CSIRT Types and Roles
Types of CSIRT Environments
• Provides services to its parent organization, such as a bank, manufacturing company, university, or any government agency
National CSIRT:
• Provides services to the entire nation. For example, Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
Vendor CSIRT
Governmental sector CSIRT
• Provides services to government agencies and, in some countries, to the citizens
Military sector CSIRT
Small & Medium Enterprises (SME) Sector CSIRT
Best Practices for Creating a CSIRT
1 • Obtain management support and buy-in
2 • Determine the CSIRT strategic plan
3 • Gather relevant information
4 • Design your CSIRT vision
5 • Communicate the CSIRT vision and operational plan
6 • Begin CSIRT implementation
7 • Announce the CSIRT
8 • Evaluate CSIRT effectiveness
Step 1: Obtain Management Support and Buy-in
Without management approval and support, creating an effective incident response capability can be difficult and problematic
Consider that the team is established:
• How is it maintained and expanded with budget, personnel, and equipment resources?
• Will the role and authority of the CSIRT continue to be backed by management across the various constituencies or parent organization?
Step 2: Determine the CSIRT Development Strategic Plan
Are there specific timeframes to be met? Are they realistic, and if not, can they be changed?
Is there a project group? Where do the group members come from?
How do you let the organization know about the development of the CSIRT?
If you have a project team, how do you record and communicate the
Step 3: Gather Relevant Information
The stakeholders can include:
• Business managers
• Representatives from human resources
• Representatives from public relations
• Audit and risk management specialists
Step 4: Design Your CSIRT Vision
In creating your vision, you should:
• Identify your constituency: Who does the CSIRT support and give service to?
• Define your CSIRT mission, goals, and objectives: What does the CSIRT do for the identified constituency?
• Select the CSIRT services to provide to the constituency (or others): How does the CSIRT support its mission?
• Determine the organizational model: How is the CSIRT structured and organized?
• Identify required resources: What staff, equipment, and infrastructure are needed to operate the CSIRT?
• Determine your CSIRT funding: How is the CSIRT funded for its initial start-up and its long-term maintenance and growth?
Step 5: Communicate the CSIRT Vision
Step 6: Begin CSIRT Implementation
Hire and train initial CSIRT staff
Buy equipment and build any necessary network infrastructure to support the team
Develop the initial set of CSIRT policies and procedures to support your services
Define and build an incident-tracking system
Step 7: Announce the CSIRT
When the CSIRT is operational, announce it to the constituency or parent organization
It is best if this announcement is made by the sponsoring management
Include the contact information and hours of operation for the CSIRT in the announcement
This is an excellent time to make the CSIRT incident-reporting guidelines available
Step 8: Evaluate CSIRT Effectiveness
Once the CSIRT is operational, management determines the effectiveness of the team and uses the evaluation results to improve CSIRT processes
It must ensure that the team is meeting the needs of the constituency
The CSIRT, in conjunction with management and the constituency, will need to develop a mechanism to perform such an evaluation
Role of CSIRTs
CSIRTs provide IT security incident-centered services to their constituency, such as prevention, detection, correction, repression, or awareness building
The CSIRT services focus on attacks that are propagated via the Internet and tunnel their way into extranets, intranets, and computer systems
The CSIRT reports preventive measures along with the identified vulnerabilities to its constituency
Roles in an Incident Response Team
Incident Coordinator (IC)
• The IC connects different groups
• He/she links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management
Incident Manager (IM)
• The IM focuses on the incident and handles it from a management and technical point of view
Roles in an Incident Response Team (cont’d)
Incident Analyst (IA)
• Incident analysts are the technical experts in their particular area
• The IA applies the appropriate technology and tries to eradicate and recover from the incident
Constituency
• The constituency is not a part of the incident-response team itself, but is a stakeholder in the incident
Administration
• … operations as quickly as possible
• Assists in the development of an alternate site as necessary
Roles in an Incident Response Team (cont’d)
Human Resources
• HR is responsible for the “human” aspects of the disaster, including post-event counseling and next-of-kin notification
• It answers questions related to compensation and benefits
Public Relations
• PR is responsible for developing the media messages regarding any event
• It is responsible for all stakeholder communications, including the board, foundation personnel, donors, grantees, suppliers/vendors, and the media
Roles in an Incident Response Team (cont’d)
Figure: the Incident Coordinator (IC) coordinating between the different groups and the constituency affected by the incident
Roles in an Incident Response Team (cont’d)
• Support staff
• Web developers and maintainers
• Law enforcement staff or liaison
• Auditors or quality assurance staff
• Marketing staff
CSIRT Services, Policies, and Procedures
CSIRT Services
• Reactive services
• Proactive services
Reactive Services
The reactive services process the requests for assistance
They respond to incident reports from the CSIRT constituency
Proactive Services
The services improve the infrastructure and security processes of the constituency before any incident occurs
The services provided include:
• Security audit or assessment
• Configuration and maintenance of security tools, applications, infrastructures, and services
• Development of security tools
Security Quality Management Services
The security quality management services are established services designed to improve the overall security of an organization
These services incorporate feedback and lessons learned based on knowledge gained by responding to incidents, vulnerabilities, and attacks
• Risk analysis
• Security consulting
• Awareness building
CSIRT Policies and Procedures
Policies are the governing principles adopted by organizations or teams
• The policies of an organization need to be clearly stated
Policies and procedures are interrelated
Procedures detail how a team enacts activities within the boundaries of its policies
• Procedures make a policy successful
Members of an organization should clearly understand policies and procedures in order to implement them
CSIRT Policies and Procedures (cont’d)
• Attributes
Attributes
A policy should be defined as a set of detailed procedures
It should outline the essential characteristics for a specific topic area in a manner that provides the necessary information
Attributes (cont’d)
Content
The content of a policy is mainly a definition of behavior in a certain topic area
It defines the features that are the boundary conditions for any policy definition
Content (cont’d)
Validity
Implementation, Maintenance, and Enforcement
Once the policy is revised based on the feedback and it is ensured that the policy does not require further changes, the policy can be implemented
After validating the policy, feedback should be given to the policy makers so that they can make revisions
How a CSIRT Handles a Case
Inform the appropriate people
Keep a log book
Release the information
Report
CSIRT Incident Report Form
Incident Tracking and Reporting Systems
Application for Incident Response Teams (AIRT) http://airt.leune.com/
AIRT is a web-based application designed and developed to support the day-to-day operations of a computer security incident response team
It supports highly automated processing of incident reports and facilitates coordination of multiple incidents by a security operations center
Features:
AIRT: Screenshot 1
AIRT: Screenshot 2
BMC Remedy Action Request System http://www.bmc.com/
Features:
• Automates service management business processes
• Integrates processes with systems across the enterprise
• Adapts and evolves your processes to continually align with the needs of the business
• Manages business process performance in real time
• Replaces outdated manual systems with process automation that speeds the handling of unique processes
• Rapidly prototypes, deploys, maintains, and iterates Service Management applications
BMC Remedy Action Request System: Screenshot
PGP Desktop Email http://www.pgp.com/
PGP Desktop Email provides enterprises with an automatic, transparent encryption solution for securing internal and external confidential email communications
With PGP Desktop Email, organizations can minimize the risk of a data breach and comply with partner and regulatory mandates for information security and privacy
Features:
• Protects sensitive email without changing the user experience
• Enforced security policies
• Enforces data protection automatically with centrally managed policies
• Accelerated deployment
• Reduced operation costs
PGP Desktop Email (cont’d)
The GNU Privacy Guard (GnuPG) http://www.gnupg.org/
GnuPG is the GNU project’s complete and free implementation of the OpenPGP standard as defined by RFC 4880
It allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories
Features:
• Can be used as a filter program
• Decrypts and verifies PGP 5, 6 and 7 messages
• Supports ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPEMD-160 and TIGER
• Supports key and signature expiration dates
Listserv http://www.lsoft.com/
Listserv is email list management software
It provides the power, reliability, and enterprise-level performance you need to manage all your opt-in email lists
Listserv (cont’d)
• List owner features:
Listserv: Screenshot
CERT
CERT
CERT stands for Community Emergency Response Team (CERT)
The CERT program helps train people to be better prepared to respond to emergency situations in their communities
CERT members can provide critical support to first responders by:
• Organizing spontaneous volunteers at a disaster site
CERT-CC
CERT® Coordination Center: Incident Reporting Form
Source: http://www.cert.org/reporting/incident_form.txt
CERT: OCTAVE
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation
It is a set of tools, techniques, and methods for risk-based information security strategic assessment and planning
OCTAVE Method
The OCTAVE method uses a three-phased approach to examine organizational and technology issues
It comprises a series of workshops that are conducted by an interdisciplinary analysis team of three to five persons from the organization
This method focuses on:
• Identifying critical assets and the threats to those assets
• Identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
• Developing a practice-based protection strategy and risk mitigation plans to support the organization’s mission and priorities
OCTAVE Method (cont’d)
OCTAVE-S
OCTAVE-S uses a more streamlined process and different worksheets but produces the same result as the OCTAVE method
It requires a team of 3-5 people having an understanding of all aspects of the company
This version does not start with gathering information regarding important assets, security requirements, threats, and security practices
OCTAVE Allegro
OCTAVE Allegro is a streamlined variant of the OCTAVE method that focuses on information assets
It can be performed in a workshop-style, collaborative setting
It is not suited to individuals who want to perform risk assessment without extensive organizational involvement, expertise, or input
It focuses mainly on the information assets
The assets of the organization are identified and assessed based on the information assets to which they are connected
OCTAVE Allegro (cont’d)
OCTAVE Allegro consists of eight steps organized into four phases:
• Phase 1 - Assessment participants develop risk measurement criteria consistent with organizational drivers: the organization’s mission, goal objectives, and critical success factors
• Phase 2 - Participants create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers
• Phase 3 - Participants identify threats to each information asset in the context of its containers
• Phase 4 - Participants identify and analyze risks to information assets and begin to develop mitigation approaches
OCTAVE Allegro (cont’d)
World CERTs
• Indonesian CSIRT (ID-CERT)
• FIRST
• NIC BR Security Office Brazilian CERT
• NBS
European CERTs
Australia CERT (AUSCERT)
Hong Kong CERT (HKCERT/CC)
Source: http://www.hkcert.org
Indonesian CSIRT (ID-CERT)
Japan CERT-CC (JPCERT/CC)
Source: http://www.jpcert.or.jp/english/
Malaysian CERT (MyCERT)
Indian CERT
Pakistan CERT (PakCERT)
Singapore CERT (SingCERT)
Taiwan CERT (TWCERT)
China CERT (CNCERT/CC)
US-CERT
Government Forum of Incident Response and Security Teams (GFIRST)
GFIRST is a group of technical and tactical practitioners of security response teams responsible for securing government information technology systems
GFIRST members work together to understand and handle computer security incidents and to encourage proactive and preventative security practices
Canadian CERT
Source: http://www.ewa-canada.com/index.php
Forum of Incident Response and Security Teams
Source: http://www.first.org/
CAIS/RNP
NIC BR Security Office Brazilian CERT
Source: http://www.nic.br/imprensa/clipping/2008/midia412.htm
EuroCERT
FUNET CERT
Source: http://www.csc.fi
SURFnet-CERT
DFN-CERT
JANET-CERT
CERT POLSKA
Source: http://www.cert.pl
Swiss Academic and Research Network CERT
Source: http://www.switch.ch/cert/
http://www.first.org/about/organization/teams/
http://www.apcert.org/about/structure/members.html
IRTs Around the World
Copyright 2004 Carnegie Mellon University. CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office.
Summary
A CSIRT is a service organization that provides 24x7 computer security incident response services to any user, company, government agency, or organization
The CSIRT should define, document, adhere to, and widely distribute a concise and clear mission statement
The constituency is the region over which the CSIRT is bound to serve
A CSIRT may constitute the entire security team of an organization or may be totally distinct from the organization’s security team
The CERT program helps train people to be better prepared to respond to emergency situations in their communities
 
Module I
News: Number of Reported Cyber Incidents Jumps
Source: http://fcw.com/
Federal civilian agencies reported three times as many cyber-related incidents in fiscal 2008 as they did in fiscal 2006 to the Homeland Security Department’s office that coordinates defenses and responses to cyberattacks. Meanwhile, an official says the office suspects the actual number of cyber incidents is higher.
The agencies reported to DHS’ United States Computer Emergency Readiness Team (US-CERT) a total of 18,050 incidents in fiscal 2008, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006, according to DHS officials. Overall, the total number of incidents reported to US-CERT from commercial, foreign, private, and federal, state and local government sectors rose from 24,097 in fiscal 2006 to 72,065 in fiscal 2008.
The Federal Information Security Management Act requires agencies to report cyber incidents, which are defined as acts that violate computer security or acceptable-use policies. The types of incidents include unauthorized access, denial of service, malicious code, improper usage, and scans, probes and attempted access.
Mischel Kwon, US-CERT’s director, said that the numbers represent both an increase in malware and improvements in the capabilities of US-CERT and agencies to detect and report cyber incidents.
“As we mature and become more robust, and we deploy more tools, incident numbers will go up,” she said. “Both parts of the story are true: There is an increase in mal events, and there is an increase in capabilities in order to detect those mal events.”
Kwon added that the numbers were a bit deceiving because the reports are based on manual reporting by agencies and that there are few security operations centers that monitor federal agency networks. She said agencies don’t have the tools or
Cyber Incident Statistics
Source: http://fcw.com/
Figure: Number of cyber incidents reported to DHS’ United States Computer Emergency Readiness Team, fiscal years 2006 to 2008 (bar chart; y-axis 0 to 20,000 incidents)
Incidents and Events by Category
Figure: incidents and events by category, FY08 Q4 versus FY09 Q1 (chart; categories include Under Investigation)
Top Five Incidents
Figure: top five incidents, FY08 Q4 versus FY09 Q1 (chart)
Case Study: Incident Handling and Response
The Case: Xconsoft, a major software developer located in New Jersey, realized that sensitive information from folders shared across its network was being accessed by unauthorized people and leaked to third parties.
The Challenges: Loss of the proprietary information could result in huge financial losses. The company hired an established consultant for incident handling and response. The major challenges in front of the consultants were to contain the damage, assess the losses, and identify the perpetrators.
The Result: After conducting a network-wide search for specific keywords and file names, the consultant advised the company to isolate the systems that contained sensitive information and took possession of suspected systems for further analysis. After going through a complete incident handling and response cycle, and with the help of a computer forensics investigator, the company was able to trace the culprits. The consultant advised the company to develop and implement effective network security policies and deploy intrusion detection tools to defend itself from various information security incidents.
Can risks involved in engaging third party consultants not effectively counter the
Module Objective
• Signs of an Incident
Module Flow
Figure: module flow diagram, including Types of Computer Security Incidents
Computer Security Incident
A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks
Source: www.cert.org
Statistics: Different Sources of Security Incidents
Source: Outlook Journal, January 2008, www.accenture.com
Information as a Business Asset
An information asset is a piece of information that is important for any business process
The loss of information may affect the organization’s investment in different business activities
An information asset can be a trade secret, patent information, employee/personnel information, or an idea to develop the business for an organization
Characteristics of Information Assets:
• It is recognized to be of value to the organization
• It requires cost, skill, time, and resources
• It is a part of the organization’s corporate identity
Data Classification
Data classification is the process of classifying data based on its level of sensitivity as it is created, modified, improved, stored, or transmitted
Data classification helps in identifying the data for business operations
• Top secret
Common Terminologies
Information System:
• An information system processes data into useful information to achieve specified organizational or individual goals
• It accepts, processes, and stores data in the form of records in a computer system and automates some of the information processing activities of the organization
Information Owner:
• The information owner is the initial owner who is capable of creating and storing information
Information Custodian:
Information Warfare
The term Information Warfare or Infowar refers to the use of information and information systems as weapons in a conflict in which the information and information systems themselves are the targets
Information warfare is divided into two categories:
• Offensive information warfare, where an adversary attacks the information resources to gain undue advantage
Key Concepts of Information Security
Confidentiality:
• Refers to the prevention of unauthorized access, disclosure, and use of information; a part of the broader concept of privacy
• Confidentiality is maintained through user authentication and access control
Availability:
• Guarantee of access to resources
• Is a critical function for companies that rely on electronic data and communications
Vulnerability, Threat, and Attack
Vulnerability:
• Existence of a weakness in design or implementation that can lead to an unexpected, undesirable event compromising the security of the system
Threat:
• A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS)
Attack:
Types of Computer Security Incidents
Malicious code attacks:
• These include viruses, Trojans, worms, and malicious scripts used by attackers to gain privileges, capture passwords, and modify audit logs to perform unauthorized activity on the victim’s systems
Unauthorized access:
• This includes various activities, from improperly logging into a user’s account to gaining unauthorized access to files and directories by obtaining administrator privileges
Unauthorized use of services:
• Users may attempt to transfer files without authorization or use inter-domain access mechanisms to access files and directories belonging to another organization’s domain
Types of Computer Security Incidents (cont’d)
Fraud and theft:
• Information systems can be exploited by automating traditional methods of fraud
Employee sabotage and abuse include:
• Intentionally entering incorrect data
• Intentionally deleting and changing data
Misuse:
• This is a condition in which someone uses computer resources for an illegitimate purpose, such as storing personal information on an official computer
Examples of Computer Security Incidents
Verizon Data Breach Investigations Report - 2008
Who is behind data breaches?
Verizon Data Breach Investigations Report - 2008 (cont’d)
How do breaches occur?
Figure: how breaches occur (chart)
Verizon Data Breach Investigations Report - 2008 (cont’d)
Sources of Data Breaches
External:
Internal:
• Internal threat sources are those originating from within the organization
Partner:
• Partners include any third party sharing a business relationship with the organization
Incidents That Required the Execution of Disaster Recovery Plans
Figure: incidents that required the execution of disaster recovery plans (bar chart; y-axis: % of respondents, 0 to 70)
Source: Symantec Global Disaster Recovery Survey – June 2009. http://www.symantec.com/
Signs of an Incident
Accurately detecting and assessing incidents is the most challenging and essential part of the incident response process
Typical indications of security incidents include:
• A system alarm or similar indication from intrusion detection
• Attempt to log on to a new user account
• DoS attack, or users not able to log into an account
• System crashes, or poor system performance
• Unauthorized operation of a program, or a sniffer device used to capture network traffic
• Suspicious entries in system or network accounting, or other accounting inconsistencies
Signs of an Incident (cont’d)
Signs of an incident fall into one of two categories:
• A precursor is a sign that an incident may happen in the future
• An indication is a sign that an incident has already occurred or may be in progress
Examples of precursors are:
• Web server log entries that show the usage of a web vulnerability scanner
• An announcement of a new exploit that targets a vulnerability of the organization’s mail server
• A threat from a hacktivist group stating that the group will attack the organization
Examples of indications are:
• The antivirus software alerts when it detects that a host is infected with a worm
• A user calls the help desk to report a threatening email message
• IDS and IPS system logs indicating an unusual deviation from typical network traffic flows
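The precursor/indication split above, as an added example that is not part of the course material: a small Python triage routine that sorts constructed log lines into the two categories so that indications open the handling process while precursors are tracked for preparation. The scanner user-agent names, the "AV:"/"IDS:"/"HELPDESK:" line prefixes and the sample lines themselves are assumptions constructed for this example.

```python
"""Sort signs of an incident into precursors and indications.

Added example, not part of the course material. The log lines, the
"AV:" / "IDS:" / "HELPDESK:" prefixes and the scanner user-agent list
are constructed assumptions for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PRECURSOR = "precursor"    # sign that an incident may happen in the future
INDICATION = "indication"  # sign that an incident has occurred or is in progress


@dataclass
class Sign:
    category: str  # PRECURSOR or INDICATION
    source: str    # channel the sign came from
    detail: str    # the evidence worth recording in the incident log book


# Assumed user-agent fragments that identify common web vulnerability scanners.
SCANNER_AGENTS = ("nikto", "nessus", "sqlmap", "w3af")

# Apache/nginx "combined" access log format; the last quoted field is the user agent.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)


def classify_line(line: str) -> Optional[Sign]:
    """Map one log line to a Sign, or None if it matches none of the examples."""
    m = ACCESS_RE.match(line)
    if m:
        agent = m.group("agent")
        if any(name in agent.lower() for name in SCANNER_AGENTS):
            # Web server log entries showing a vulnerability scanner: a precursor.
            # Nothing is known to be compromised yet, but an attack may follow.
            return Sign(PRECURSOR, "web-server",
                        f"scanner user agent from {m.group('client')}: {agent}")
        return None  # ordinary web traffic, not a sign of an incident
    if line.startswith("AV:") and "infected" in line.lower():
        # Antivirus reporting an infected host: the incident has already occurred.
        return Sign(INDICATION, "antivirus", line[3:].strip())
    if line.startswith("IDS:"):
        # IDS/IPS logging a deviation from typical traffic: incident may be in progress.
        return Sign(INDICATION, "ids", line[4:].strip())
    if line.startswith("HELPDESK:") and "threatening" in line.lower():
        # A user reporting a threatening email message via the help desk.
        return Sign(INDICATION, "helpdesk", line[9:].strip())
    return None


def triage(lines: List[str]) -> Dict[str, List[Sign]]:
    """Split a batch of lines into the two categories.

    Indications are what the incident handling process is opened on;
    precursors are tracked so the team can prepare before an attack lands.
    """
    buckets: Dict[str, List[Sign]] = {PRECURSOR: [], INDICATION: []}
    for line in lines:
        sign = classify_line(line.rstrip("\n"))
        if sign is not None:
            buckets[sign.category].append(sign)
    return buckets


# Constructed sample input (not real logs); 192.0.2.0/24 is a documentation range.
SAMPLE_LINES = [
    '192.0.2.10 - - [12/May/2009:10:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 209 "-" "Mozilla/5.0 (compatible; Nikto/2.1.5)"',
    '192.0.2.11 - - [12/May/2009:10:01:05 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (Windows NT 6.0)"',
    "AV: host ws-042 infected with W32/Example.worm, action=quarantined",
    "IDS: outbound tcp/445 connections from 10.0.0.5 at 40x the hourly baseline",
    "HELPDESK: user jdoe reports a threatening email message demanding payment",
]

if __name__ == "__main__":
    for category, signs in triage(SAMPLE_LINES).items():
        print(f"{category}: {len(signs)}")
        for s in signs:
            print(f"  [{s.source}] {s.detail}")
```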
Incident Categories
Low level
Middle level
High level
 
All Rights Reser ved. Repr oduction is Strictly Prohibited
Incident Categories: Low Level
Low level incidents are the least severe kind of incidents
Low level incidents include:
• Loss of personal password
• Unsuccessful scans and probes
• Presence of any computer virus or worms
• Failure to download anti-virus signatures
• Suspected sharing of the organization’s accounts
• Minor breaches of the organization’s acceptable usage policy
 
Incident Categories: Middle Level
Middle level incidents include:
• Inactive external/internal unauthorized access to systems
• Violation of special access to a computer or computing facility
• Unfriendly employee termination
• Destruction of property related to a computer incident
• Localized worm/virus outbreak
• Computer virus or worms of comparatively larger intensity
• Illegal access to buildings
 
Incident Categories: High Level
High level incidents should be handled immediately after the incident
These include:
• Denial of Service attacks
• Suspected computer break-in
• Computer virus or worms of highest intensity, e.g. Trojan, back door
• Changes to system hardware, firmware, or software without authentication
• Destruction of property exceeding $100,000
• Personal theft exceeding $100,000 and illegal electronic fund transfer or download/sale
• Any kind of pornography, gambling, or violation of any law
 
Incident Prioritization
Prioritizing the handling of incidents is critical for the incident handling process
Incidents should not be handled on a first-come, first-served basis
Prioritize incidents based on two factors:
• Current and potential technical effect of the incident
• Criticality of the affected resources
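To make "not first-come, first-served" concrete, the Python block below is an added example (not from the ECIH material) that scores each incident on the two factors named above and orders the queue by that score, using arrival order only to break ties. The three-point scales, the multiplication of the two factors, the handling tiers and the sample incidents are all assumptions constructed for the example; an organization would calibrate them to its own asset inventory.

```python
from dataclasses import dataclass

# Assumed three-point scales for the two prioritization factors on the slide.
EFFECT_SCORE = {"low": 1, "medium": 2, "high": 3}        # current/potential technical effect
CRITICALITY_SCORE = {"low": 1, "medium": 2, "high": 3}   # criticality of the affected resources


@dataclass
class Incident:
    ticket: str
    technical_effect: str       # "low", "medium" or "high"
    resource_criticality: str   # "low", "medium" or "high"
    arrival_order: int          # position in which the report arrived (1 = first)


def priority_score(inc):
    """Combine the two factors; a high effect on a low-value asset and a
    low effect on a critical asset both land in the middle of the scale."""
    return EFFECT_SCORE[inc.technical_effect] * CRITICALITY_SCORE[inc.resource_criticality]


def handling_tier(inc):
    """Assumed mapping from score to handling urgency (not the ECIH categories)."""
    score = priority_score(inc)
    if score >= 6:
        return "immediate"
    if score >= 3:
        return "scheduled"
    return "routine"


def prioritize(incidents):
    """Highest score first; arrival order is only a tie-breaker, so the queue is
    explicitly not first-come, first-served."""
    return sorted(incidents, key=lambda i: (-priority_score(i), i.arrival_order))


# Constructed sample queue in arrival order.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "low", "low", 1),       # score 1: a single failed probe on a test box
    Incident("INC-2", "high", "high", 2),     # score 9: outage of a customer-facing service
    Incident("INC-3", "medium", "high", 3),   # score 6: degraded performance on a core database
    Incident("INC-4", "high", "low", 4),      # score 3: worm on an isolated lab machine
    Incident("INC-5", "high", "medium", 5),   # score 6: ties with INC-3, arrived later
]


def prioritized_tickets(incidents):
    return [i.ticket for i in prioritize(incidents)]


if __name__ == "__main__":
    for inc in prioritize(SAMPLE_INCIDENTS):
        print(f"{inc.ticket} score={priority_score(inc)} tier={handling_tier(inc)}")
```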
 
Incident Response
Incident response is the process of responding to incidents that may have occurred due to a security breach in the system or network
It plays a major role when the security of the system is compromised
The goal of incident response is to handle incidents in a way that minimizes the damage and reduces recovery time and costs
It includes:
• Responding to incidents systematically so that the appropriate steps are taken
• Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
• Using information gathered during incident handling to prepare for handling future incidents better and to provide stronger protection for systems and data
• Dealing properly with legal issues that may arise during incidents
Incident Handling
Incident handling involves all the processes, logistics, communications, coordination, and planning needed to respond to and overcome an incident efficiently
Incident handling helps to find out trends and patterns in the intruder’s activity
Incident handling procedures help network administrators in the recovery, containment, and prevention of incidents
 
Use of Disaster Recovery Technologies
Which of the following technology types do you have, and which are covered by a DR plan?
(Bar chart comparing "Have in Organization" with "Covered by DR Plan"; the technology labels were lost in extraction. Scale 0 to 100; one recoverable value: 92%.)
 
Impact of Virtualization on Incident Response and Handling
Do you test virtual servers as part of your disaster recovery plan?
(Yes/No chart; the percentages were lost in extraction.)
 
Impact of Virtualization on Incident Response and Handling (cont’d)
How are your organization’s data and mission critical applications protected in a virtual environment?
(Bar chart; the option labels were lost in extraction. Scale 0% to 70%; plotted values: 43%, 59%.)
 
Estimating Cost of an Incident
Tangible Cost:
• Lost productive hours
• Investigation and recovery cost
• Loss of business
Other impacts listed on the slide (category label lost in extraction):
• May impact morale or initiate fear
• Legal liability
Key Findings of Symantec Global Disaster Recovery Survey - 2009
The average cost of executing/implementing disaster recovery plans for each downtime incident worldwide, according to respondents, is US$287,600
The median cost of executing/implementing disaster recovery plans for each downtime incident worldwide ranges from approximately $100,000 to $500,000
In North America, the median cost is as high as $900,000
Globally, the median disaster recovery cost is highest for healthcare and financial services organizations
In North America, the median cost for financial institutions is $650,000
 
Incident Reporting
Incident reporting is the process of reporting an encountered security breach in a proper format
The incident should be reported to receive technical assistance and to raise security awareness, which would minimize the losses
Organizations may not report computer crimes due to negative publicity and potential loss of customers
Incident reporting should include:
• Intensity of the security breach
• Circumstances which revealed the vulnerability
• Shortcomings in the design and the impact or level of weakness
• Entry logs related to the intruder’s activity
 
Incident Reporting Organizations
• Computer Security Incident Response Team (CSIRT)
• Forum for Incident Response and Security Teams (FIRST)
• Computer Incident Response Team (CIRT)
• Incident Response Center (IRC)
• Information Analysis Infrastructure Protection (IAIP)
• CERT Coordination Center (CERT/CC)
• Information Sharing and Analysis Centers (ISAC)
 
Vulnerability Resources: http://www.kb.cert.org/vuls/
US-CERT Vulnerability Notes Database:
• Descriptions of these vulnerabilities are available from this web page in a searchable database format, and are published as "US-CERT Vulnerability Notes".
 
Vulnerability Resources (cont’d): http://web.nvd.nist.gov/
NVD (National Vulnerability Database):
• Integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources
 
Summary
A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks
An information system transforms data into useful information that supports decision making
Incident response is an organized approach to address and manage the aftermath of a security breach or attack
Incident handling refers to the operational procedures used to actually manipulate the incident and purge it from the systems
 
News: Report Faults TSA Risk Assessment
GAO finds agency did not follow Department of Homeland Security process
The Transportation Security Administration lacks the structure, policies and procedures to complete an effective risk management plan for freight and passenger transportation, according to a report by the Government Accountability Office.
Risk management is the security watchword at the Department of Homeland Security as it attempts to allocate money and other resources to the areas that are most vulnerable to a terrorist attack.
The GAO, which audits Executive Branch programs for Congress, said that TSA did not complete a six-step process established by DHS to properly identify and prioritize risks to the transportation system.
TSA collected threat, vulnerability and consequence information, but did not perform risk assessment that would integrate the three components for each mode, or the transportation system as a whole, the GAO said.
The GAO also said TSA set its security priorities based on intelligence, not risk assessment, and DHS did not review or validate TSA's methodology.
In addition, the GAO said that TSA lacked an organizational structure to direct and control its risk-management efforts, a way of evaluating performance, and policies and procedures to integrate with the overall DHS risk management plan.
Source: http://www.joc.com/
Module Objective
• Risk Analysis
• Risk Mitigation
 
Module Flow
Risk
Risk is defined as the probability or threat of an incident
It is a measure of the possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations
 
Risk Policy
Risk policy includes:
• Rules of behavior while dealing with the computer system and the consequences for violating these rules
• Personnel and technical controls for the computer system
• Methods for identifying, properly limiting, and controlling interconnections with other systems, and particular methods to monitor and manage such limits
• Procedures for the on-going training of employees authorized to access the system
• Procedures to monitor the efficiency of the security controls
• Provisions for continuing support if there is an interruption in the system or if the system crashes
 
Risk Assessment
Risk assessment is the process of identifying threat sources that pose risk to the business or project environment
It determines the level of risk and the resulting security requirements for each system
Risk assessment for a new system is conducted at the beginning of the System Development Life Cycle
Risk assessment for an existing system is conducted when there are modifications made to the system’s environment
This process helps to identify the suitable controls to reduce risk in the risk mitigation process
The organization should plan, implement, and monitor a set of security measures that need to be undertaken against the identified risk
 
NIST’s Risk Assessment Methodology
The NIST risk assessment methodology contains nine primary steps:
(Flow diagram; only some of the step labels survived extraction: System Characterization, Threats Identification, Vulnerability Identification, Control)
Step 1: System Characterization
Identify the boundaries of the IT system along with the resources and the information that constitute the system
Characterize the IT system so as to establish the scope of the risk assessment effort
It describes the operational authorization boundaries such as hardware, software, system connectivity, etc.
System Characterization Template
• System mission (e.g. processes performed by the system)
• System & data criticality (system’s value or importance to the organization)
• Users of the system
• … requirements, industry practices, laws) [item heading lost in extraction]
• System security architecture
• Current information storage protection that safeguards system & data CIA
• Flow of information relating to the IT system
• Management controls used for the IT system (e.g. security planning, rules of behavior)
• Operational controls (e.g. back-up, contingency, and resumption and recovery operations, personnel security…)
• Physical security environment (e.g. facility security, data center policies)
 
Step 2: Threats Identification
Threat refers to the probable impact of a threat source exploiting the vulnerabilities in the system
To determine the likelihood of a threat, consider:
• Vulnerabilities of the system
Input: data from intelligence
Step 2: Threats Identification (cont’d)
• Incorrect data entry or omissions
• Inadvertent acts
• Espionage
Step 2: Threats Identification (cont’d)
Technical Threats
• Breaking passwords for unauthorized access to the system resources
• Sniffing and scanning of network traffic
• Data/system contamination
• Malicious code infection
• Phishing that may result in loss of confidential private information
• DDoS attacks
• Application coding errors
• Session hijacking
Step 3: Identify Vulnerabilities
Identify the vulnerabilities associated with the system environment
Prepare a list of the system vulnerabilities that a threat source can exploit
Vulnerability Report Template
• Physical Security issues discovered with appropriate criticality level specified:
• (three further template items whose headings were lost in extraction; each ends "… criticality level specified:")
• Technical Summary
Step 4: Control Analysis
Identify or plan the controls that are to be implemented to minimize the threats
Derive the probability to exercise a vulnerability in the threat environment
(Diagram labels: Input, Output, Planned Controls)
Step 5: Likelihood Determination
Factors that help derive the overall likelihood rating:
• Threat-source motivation and capability
• Nature of the vulnerability
Step 6: Impact Analysis
Determine the impact of a threat when a vulnerability is successfully exercised
Consider the system mission, system and data criticality, and system and data sensitivity to perform impact analysis
Prioritize the impact levels that are associated with the compromise of an organization’s information assets
Use qualitative or quantitative assessment to determine the sensitivity and criticality of the information assets
Step 7: Risk Determination
Assess the level of risk to the IT system
Input: current controls; the likelihood of a given threat-source’s attempting to exercise a given vulnerability
Output: Levels
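Steps 5 to 7 chain together: the Step 5 factors (threat-source motivation and capability, nature of the vulnerability, effectiveness of the Step 4 controls) give a likelihood rating, Step 6 gives an impact rating, and Step 7 combines the two into a risk level. The Python block below is an added example, not part of the ECIH material or of NIST's publication. The numeric scales it uses (likelihood weights 0.1/0.5/1.0, impact magnitudes 10/50/100, risk thresholds at 10 and 50) follow the example scale in NIST SP 800-30; the rule that turns the three Step 5 factors into a likelihood rating, and the sample threat/vulnerability pairs, are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Example scales from NIST SP 800-30: likelihood weights and impact
# magnitudes whose product is the risk value. Treat the exact numbers as an
# assumption if your organization uses a different scale.
LIKELIHOOD_WEIGHT = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT_MAGNITUDE = {"low": 10, "medium": 50, "high": 100}


@dataclass
class ThreatVulnPair:
    """One threat-source / vulnerability pairing being assessed (constructed)."""
    name: str
    motivated_and_capable: bool   # Step 5 factor: threat-source motivation and capability
    easily_exploitable: bool      # Step 5 factor: nature of the vulnerability
    controls_effective: bool      # Step 5 factor: existing/planned controls from Step 4
    impact: str                   # Step 6 result: "low", "medium" or "high"


def determine_likelihood(pair):
    """Step 5. Assumed rule, not NIST's wording: a capable, motivated source
    against an easily exploitable weakness with ineffective controls rates
    'high'; one of those conditions missing rates 'medium'; an unmotivated or
    incapable source rates 'low' regardless of the weakness."""
    if not pair.motivated_and_capable:
        return "low"
    if pair.easily_exploitable and not pair.controls_effective:
        return "high"
    if pair.easily_exploitable or not pair.controls_effective:
        return "medium"
    return "low"


def risk_value(likelihood, impact):
    """Step 7: risk value = likelihood weight x impact magnitude."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_MAGNITUDE[impact]


def risk_level(value):
    """Step 7: map the value onto the three-level scale (>50 high, >10 medium, else low).
    Note that low likelihood x high impact gives 10, which is still 'low'."""
    if value > 50:
        return "high"
    if value > 10:
        return "medium"
    return "low"


def assess(pair):
    likelihood = determine_likelihood(pair)
    value = risk_value(likelihood, pair.impact)
    return {"name": pair.name, "likelihood": likelihood, "impact": pair.impact,
            "risk_value": value, "risk_level": risk_level(value)}


def assess_all(pairs):
    return [assess(p) for p in pairs]


# Constructed sample pairs.
SAMPLE_PAIRS = [
    ThreatVulnPair("unpatched mail server, public exploit announced", True, True, False, "high"),
    ThreatVulnPair("weak password policy, but patched and monitored", True, True, True, "medium"),
    ThreatVulnPair("idle test server, no attacker interest", False, True, False, "low"),
]


if __name__ == "__main__":
    for result in assess_all(SAMPLE_PAIRS):
        print(result)
```

The output of this step is the input to Step 8: the pairs rated "high" are the ones for which control recommendations are made first, and re-running `assess` with `controls_effective=True` shows how far a recommended control is expected to lower the rating.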
 
Step 8: Control Recommendations
Recommend the controls to be implemented to reduce the level of risk
Factors to be considered in recommending controls:
• Effectiveness of recommended options
The implemented controls should reduce the ris