Notes from CPNT-260 at SAIT.
A computer incident is an anomaly, that is, something different or abnormal. An incident can be an unlawful, unauthorized, or unacceptable action that involves a computer system or a computer network.
Goals of IR
- Prevent incident mishandling.
- Confirm whether an incident occurred.
- Promote accumulation of accurate information.
- Establish controls for proper retrieval and handling of evidence.
- Protect privacy rights established by law and policy.
- Minimize disruption to business and network operations.
The IR team includes resources from multiple departments of an organization.
- Human Resources
- Technical Experts
- Security Professionals
- Corporate Security Officers
- Business managers
- End users
- Help desk
This team is sometimes called the CSIRT (Computer Security Incident Response Team).
Phases of incident response:
- Pre-incident preparation: take actions to prepare the organization and CSIRT before an incident occurs.
- Detection of incidents: identify a potential computer security incident.
- Initial response:
  - perform initial investigation
  - record basic details surrounding the incident
  - assemble IR team
  - notify stakeholders
- Formulate response strategy:
  - determine best response
  - obtain management approval
- Incident investigation:
  - perform thorough collection of data
  - review data collected to determine what happened
  - accurately report information about the investigation
- Employ security measures
- Procedural changes
- Record lessons learned
- Develop long-term changes
Detecting an incident
Look for signs of breach such as:
- account discrepancies
- data modification and deletion
- users complaining of poor performance
- atypical traffic patterns
- large numbers of failed login attempts
Tools used for detection:
- SIEM (Security Information and Event Management)
- Centralized log systems such as syslog
- IDS (Intrusion Detection Systems)
- Network sniffers
- Process management tools
- Forensics tools
Handling an incident
Steps must be clearly defined in security policies to ensure all actions have a clear focus. The most fundamental objective is to restore control of the affected systems and limit the impact and damage. Sometimes shutting down the system or disconnecting it from the network is the only practical solution.
- protect human life.
- protect sensitive information.
- prevent damage to systems.
- minimize disruption of computing resources.
Recovering from an incident
- Review policies and procedures
- Evaluate the situation
- Avoid panic
- Collect information
- Take appropriate action
- Request Information
- Evaluate Situation
- Stop the attack/Secure scene
- Preserve evidence
- Organize examination
- Note findings
- Determine causes
Disk Images on Linux
Disks are physical devices. Partitions are logical divisions of a disk. File systems are the format in which files are organized within a partition.
Create an 8MB (512 byte block size * 16,000 blocks) file system: