Law Investigation, Forensics, and Ethics ◾  379
© 2011 by Taylor & Francis Group, LLC
internal audit, and the information security function within the organization. Depending on the circumstances, it may be necessary to involve physical security personnel and selected personnel from other areas within the organization. The team(s) should be decided in advance. To do this, ongoing training and budget resources need to be allocated. Unless incidents are occurring on an extremely frequent basis, it is unlikely that management will have any realistic notion of the costs associated with the ongoing training and education of the staff involved in the incident response and handling process. This increases the difficulty of creating an incident team and poses a challenge to management. This challenge is greatest in small- to medium-sized organizations.

Incident response processes need to be both uncomplicated and consistent. Management has the task of ensuring that these processes are simple to follow and are maintained throughout the organization.
Incident response is difficult for both those technically on the ground and those who have to manage the process. Many times organizations downplay this area and try to sell you on the fact that it’s unimportant. This is wrong. In an increasingly hostile network environment, an effective incident management strategy is crucial to any organization. Management needs to review the incident handling procedures as well as their notification procedures to ensure that the procedures are applicable for the goals and strategies of the organization. It is management’s role to ensure that incident handling is applied both inside the organization and to external parties such as contractors. As such, contracts and other agreements with third parties need to incorporate incident response processes. This includes the following:
Acceptable SLA targets
Liability of the contracting parties
Regulatory requirement satisfaction
Access control requirements
Right to audit or contract an audit
Right to monitor activity and suspend accounts
Escalation procedures and contacts
Maintenance responsibilities
The steps involved in handling a security incident are categorized into six stages (Figure 5.2):
1. Preparation of the system
2. Identification of the problem
3. Containment of the problem
4. Eradication of the problem
5. Recovering from the incident
6. The follow-up analysis
Figure 5.2 The incident response process. [Diagram not reproduced; its labels: “The 6 Phases of an Effective Incident Response Program.” Stage 1, Preparation. Stage 2, Identification: monitoring; declare an incident. Stage 3, Containment: initiate the clean-up. Stage 4, Eradication: complete the cleanup. Stage 5, Recovery: return to production. Stage 6, Lessons Learned: all done, wait till next time, and be prepared. Side note, “Oops, back to Containment”: there are always times when things get out of control. Just when you think the incident is in recovery, back to containment. This is just a natural part of incident response.]
The actions taken in some of these stages are common to all types of security incidents. On a day-to-day basis, much of a team’s time will be spent looking for events that could signal the next incident or in preparation for such events. As soon as an incident has been identified, the team moves into containment. The incident response is like a waterfall in that it flows sequentially from each stage to the next. As such, containment moves to eradication, to recovery, and finally to lessons learned. This last stage should loop back to the beginning, to preparation for the next incident when it occurs.

A manager’s greatest challenge will come from organizational push-back with this approach. There will generally be pressure to jump straight to eradication before containment. This approach, however, rarely works successfully. It is necessary to contain the incident before you can completely eradicate it. Furthermore, there will be pressure to move on from recovery without going through a lessons learned phase. This is a mistake.

The lessons learned phase is essential to the successful preparation for future incidents. It also acts as a period where the team can wind down from the rigor of the containment and eradication phases. Never underestimate the importance of these phases to the organization.
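The waterfall with its single loop-back can be enforced by the tooling an incident team uses to track its cases. The following Python script is an added example, not code from the ISSMP guide: it models the six stages of Figure 5.2 as a state machine whose transition table (an assumption of this example) permits only the forward path, recovery back to containment, and lessons learned back to preparation, so that an attempt to jump straight from identification to eradication is rejected rather than silently recorded.

```python
"""Incident response stage tracker.

Added example (not from the ISSMP guide): models the six-stage process of
Figure 5.2 as a state machine so that a case-tracking tool can refuse the
shortcuts the text warns about (eradication before containment, closing an
incident without lessons learned) while still allowing the one backward move
the figure shows: recovery back to containment when the incident flares up.
Stage names are the page's; the transition table and the log format are
assumptions of this example.
"""
from dataclasses import dataclass, field

STAGES = ("preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned")

# Allowed next stages. The forward path is the waterfall from the text; the
# only loop-backs are recovery -> containment (Figure 5.2's "Oops") and
# lessons_learned -> preparation (closing the loop for the next incident).
TRANSITIONS = {
    "preparation": {"identification"},
    "identification": {"containment"},
    "containment": {"eradication"},
    "eradication": {"recovery"},
    "recovery": {"lessons_learned", "containment"},
    "lessons_learned": {"preparation"},
}


class InvalidTransition(ValueError):
    """Raised when a requested stage change skips or reverses the process."""


@dataclass
class Incident:
    ident: str
    stage: str = "preparation"
    history: list = field(default_factory=list)  # (from, to, note) triples

    def advance(self, new_stage: str, note: str = "") -> str:
        """Move to new_stage if the process allows it; record the change."""
        if new_stage not in STAGES:
            raise InvalidTransition(f"unknown stage {new_stage!r}")
        if new_stage not in TRANSITIONS[self.stage]:
            raise InvalidTransition(
                f"{self.ident}: {self.stage} -> {new_stage} is not permitted; "
                f"allowed: {sorted(TRANSITIONS[self.stage])}")
        self.history.append((self.stage, new_stage, note))
        self.stage = new_stage
        return self.stage

    def closed(self) -> bool:
        """An incident counts as closed only once lessons learned has been done."""
        return any(new == "lessons_learned" for _, new, _ in self.history)


def run_sequence(ident: str, steps) -> Incident:
    """Apply a sequence of (stage, note) pairs; raises on the first bad move."""
    inc = Incident(ident)
    for stage, note in steps:
        inc.advance(stage, note)
    return inc


if __name__ == "__main__":
    # Constructed walk-through: the incident flares up during recovery and
    # goes back to containment before it is finally closed out.
    inc = run_sequence("INC-0001", [
        ("identification", "IDS alert confirmed by analyst"),
        ("containment", "host isolated from the network"),
        ("eradication", "malware removed, credentials rotated"),
        ("recovery", "host rebuilt, returned to production"),
        ("containment", "beaconing seen again; back to containment"),
        ("eradication", "second host found and cleaned"),
        ("recovery", "both hosts back in production"),
        ("lessons_learned", "post-incident review held"),
        ("preparation", "playbook updated"),
    ])
    print(inc.stage, "closed:", inc.closed())
    try:
        Incident("INC-0002").advance("eradication")  # skips identification and containment
    except InvalidTransition as exc:
        print("rejected:", exc)
```

The history list doubles as the written record the section on procedures asks for: every stage change is kept with its note, and `closed()` answers the question a manager will be pressed on, whether lessons learned actually happened.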
Incident Response Procedures
Logging of information is important. An incident may be just a false alarm or it may end up in court; you never know at the start of the investigation. As such, written logs need to be maintained throughout the process. When recording information, ensure that it is maintained in a manner that cannot be changed. Manually written logs, voice files, or online logs where a hash has been stored are necessary to ensure that the information contained within them cannot be altered or deleted. The Handbook for Computer Security Incident Response Teams (CSIRTs) lists types of information that should be logged, which includes the following:
1. Dates and times of incident-related phone calls
2. Dates and times when incident-related events were discovered or occurred
3. Amount of time spent working on incident-related tasks
4. People you have contacted or who have contacted you
5. Names of systems, programs, or networks that have been affected
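One way to keep an online log so that later alteration or deletion can be shown is a hash-chained record. The Python module below is an added example, not part of the guide or of the CSIRT handbook it cites; the JSON Lines layout, the field names and the `kind` values are this example's own assumptions. Each entry stores the SHA-256 of the previous entry together with its own content, so `verify_log()` detects any edit or deletion of an earlier line, and `total_minutes()` sums the time spent, one of the five items listed.

```python
"""Tamper-evident incident log.

Added example, not from the ISSMP guide or the CSIRT handbook it cites: keeps
the written record the text calls for (calls made, events discovered, time
spent, people contacted, systems affected) as an append-only JSON Lines file in
which every entry carries the SHA-256 of the previous entry. Editing or
deleting any earlier line breaks the chain, so a verifier can show whether the
record has been altered. File format and field names are this example's own.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry (constructed value)


def _digest(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous hash plus the entry's canonical JSON form."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_entry(path: str, kind: str, text: str, who: str,
                 minutes: int = 0, systems=(), when: str = "") -> str:
    """Append one record and return its hash.

    kind is a free label such as 'call', 'event', 'contact' or 'work';
    'when' defaults to the current UTC time in ISO 8601 form.
    """
    prev_hash = GENESIS
    try:
        with open(path, "r", encoding="utf-8") as fh:
            for line in fh:                      # last stored hash is the link
                prev_hash = json.loads(line)["hash"]
    except FileNotFoundError:
        pass                                     # first entry of a new log
    entry = {
        "when": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "kind": kind,
        "text": text,
        "who": who,
        "minutes": minutes,
        "systems": sorted(systems),
        "prev": prev_hash,
    }
    entry["hash"] = _digest(prev_hash, entry)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry["hash"]


def verify_log(path: str) -> tuple:
    """Recompute the chain. Returns (ok, number of the first bad line or 0)."""
    prev_hash = GENESIS
    with open(path, "r", encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, start=1):
            entry = json.loads(line)
            stored = entry.pop("hash")
            if entry.get("prev") != prev_hash or _digest(prev_hash, entry) != stored:
                return False, lineno
            prev_hash = stored
    return True, 0


def total_minutes(path: str) -> int:
    """Time spent on incident-related tasks, one of the handbook's items."""
    with open(path, "r", encoding="utf-8") as fh:
        return sum(json.loads(line)["minutes"] for line in fh)


if __name__ == "__main__":
    import os
    import tempfile
    # Constructed sample log in a temporary directory.
    log = os.path.join(tempfile.mkdtemp(), "INC-0001.log")
    append_entry(log, "event", "IDS alert: outbound beaconing", "analyst1", 15,
                 ["web01"], when="2011-03-04T09:12:00+00:00")
    append_entry(log, "call", "phoned corporate counsel", "analyst1", 10,
                 when="2011-03-04T09:40:00+00:00")
    print("chain ok:", verify_log(log), "minutes:", total_minutes(log))
```

The hash of the final entry is what you write into the manual notebook or read out on a recorded call at the end of each shift; anyone holding that one value can later rerun `verify_log()` and confirm the whole file is the one that existed at that moment.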
A manager’s greatest input comes from the preparation phase of incident response. This stage of the process involves ensuring that the required training has occurred and the processes are already in place when an incident happens. This is not if, but when. There are many dimensions to preparation, including the following:
Personnel
Policy and procedure
Software and hardware
Data and communications
Power and environmental controls
Transport
Room to operate
Documentation
It is generally when something goes wrong that the greatest value will be obtained from documentation. This is also the time when it is most likely to discover holes in the documents that describe an organization’s systems. The same occurs with policy. It is too late to run around in a panic when an incident occurs. It is essential to have thought through the possible consequences of an event prior to it occurring. For instance, if a hacker breaks into the network, should the organization contact law enforcement immediately? Issues such as this need to be addressed in advance; it is too late when the incident occurs.
Incident Response Teams (CSIRT)
A WarRoom Research survey of 236 respondents showed major underreporting of computer security incidents (Figure 5.3):
6.8% always reported intrusion.
30.2% only report if anonymous.
21.7% only report if everyone else did.
37.4% only report if required by law.
3.9% only report for “other reasons, including protect self.”
Figure 5.3 Not all companies report incidents. [Pie chart titled “Incident Reporting,” not reproduced; its slices: only report if required by law, 37.40%; only report if anonymous, 30.20%; only report if everyone else did, 21.70%; always reported intrusion, 6.80%; other, 3.90%.]

Whether or not an organization decides to report, it needs to be prepared. Think about what may happen before the event. How should you or the organization
respond to an incident? This is a question that management needs to address. In doing this, consideration should be placed on how a team will be put together to deal with an incident. This needs to include not only information technology and corporate counsel, but should incorporate other aspects of the organization such as public affairs, public relations, and human resources.

Most importantly, teams need to be trained to stay calm. To do this, they need to prepare before the incident. They also need somewhere to work. One of the key aspects of creating an incident response team is preparing a war room in advance. This is a secure room that can facilitate discussions and the display of evidence in a meaningful manner. It is important that this room has a lockable door.

In preparing the team, ensure that regular drills occur. Just like fire drills, it is essential to have people work through different scenarios in advance of an incident so that they know how to respond during a crisis. Unannounced drills are particularly effective.
Evidence Preservation
Document everything! Maintain copious notes of everything you do. In digital investigations, the most critical thing to remember is documentation, or maintaining the chain of custody. Documentation must be maintained from the beginning to the end of the engagement. Having an improper chain of evidence is worse than having no evidence at all!

Document the system’s hardware configuration. After you have moved the system to a secure location where an appropriate chain of custody can be maintained, it is crucial to take the indispensable photographs from all sides. Take pictures as documentation of the system hardware components and how the connections and cables are arranged.

Document the system date and time. Documenting the system date and time is extremely important. An incorrect date and time stamp can allow the refuting of evidence and call into question the integrity of the findings. Even if everything else occurs perfectly, the mere fact that it got to this point will impact the entire investigation.

Document file names, dates, and times on the system and create a timeline. The file name, creation date, and last modified date and time are of vital importance from an evidentiary standpoint when admitting digital evidence. The file name, size, content, and creation and modified dates have to be documented.

Document all of the findings. It is essential to document the results and evidence sequentially as the issues are recognized and evidence is discovered. A proper record of all the software employed in evaluation of the evidence should be prepared. Include the software license and the screen prints to show how software was used in the evidence collection process.

The admissibility of evidence in a court is determined by the relevance, reliability, and legal permissibility of the evidence.