KULIAH 12 INCIDENT RESPONSE (dirangkum dari buku Incident Response: A strategic Guide to Handling System and Network Security) - PowerPoint PPT Presentation

About This Presentation
Title:

KULIAH 12 INCIDENT RESPONSE (dirangkum dari buku Incident Response: A strategic Guide to Handling System and Network Security)

Description:

KULIAH 12 INCIDENT RESPONSE (dirangkum dari buku Incident Response: A strategic Guide to Handling System and Network Security) Aswin Suharsono KOM 15008 – PowerPoint PPT presentation

Number of Views:678
Avg rating:3.0/5.0
Slides: 22
Provided by: Aswi2
Category:

less

Transcript and Presenter's Notes

Title: KULIAH 12 INCIDENT RESPONSE (dirangkum dari buku Incident Response: A strategic Guide to Handling System and Network Security)


1
KULIAH 12INCIDENT RESPONSE(dirangkum dari buku
Incident Response A strategic Guide to Handling
System and Network Security)
Aswin Suharsono
KOM 15008 Keamanan Jaringan 2012/2013
2
Definisi
  • Incident event (kejadian) yang mengancam
    keamanan sistem komputer dan jaringan.
  • Event adalah semua hal yang bisa diobservasi
    (diukur)
  • Contoh event connect ke sistem lain dalam
    jaringan, mengakses file, mengirim paket, sistem
    shutdown, dsb.
  • Event yang mengancam antara lain, system crashes,
    packet flood, penggunaan akun oleh orang yang
    tidak berhak, web deface, bencana alam, dan
    hal-hal lain yang membahayakan kinerja sistem

3
Incident Types
  • CIA related incidents
  • Confidentiality Upaya masuk ke dalam sistem
    rahasia militer
  • Integrity
  • Availability
  • Other Types
  • Reconnaissance Attacks
  • Repudiation
  • Someone takes action and denies it later on.

4
Kenapa perlu incident response?
  • Bagi Organisasi
  • Respon yang sistematis terhadap insiden
  • Recover quickly
  • Mencegah insiden serupa di masa depan
  • Menyiapkan langkah-langkah yang berkaitan dengan
    hukum

5
Incident Response Scope
  • Technical
  • Incident detection and investigation tools and
    procedures
  • Management-related
  • Policy
  • Formation of incident response capability
  • In-house vs. out-sourced

6
Incident Handling
Preparation
Detection and Analysis
Post-incident activity
Containment, Eradication and Recovery
7
PDCERF incident response method
8
Preparation
9
Incident Handling Preparation
  • Incident Handler Communications and Facilities
  • Contact information On-call information for other
    teams within the organization, including
    escalation information Incident reporting
    mechanisms
  • Pagers or cell phones to be carried by team
    members for off-hour support, onsite
    communications
  • Encryption software
  • War room for central communication and
    coordination
  • Secure storage facility for securing evidence and
    other sensitive materials

10
Incident Handling Preparation
  • Incident Analysis Hardware and Software
  • Computer forensic workstations and/or backup
    devices to create disk images, preserve log
    files, and save other relevant incident data
  • Blank portable media
  • Easily portable printer
  • Packet sniffers and protocol analyzers
  • Computer forensic software
  • Floppies and CDs with trusted versions of
    programs to be used to gather evidence from
    systems
  • Evidence gathering accessories
  • hard-bound notebooks
  • digital cameras
  • audio recorders
  • chain of custody forms
  • evidence storage bags and tags
  • evidence tape

11
Incident Handling Preparation
  • Incident Analysis Resources
  • Port lists, including commonly used ports and
    Trojan horse ports
  • Documentation for OSs, applications, protocols,
    and intrusion detection and antivirus signatures
  • Network diagrams and lists of critical assets,
    such as Web, e-mail, and File Transfer Protocol
    (FTP) servers
  • Baselines of expected network, system and
    application activity
  • Cryptographic hashes of critical files to speed
    the analysis, verification, and eradication of
    incidents

12
Incident Handling Preparation
  • Incident Mitigation Software
  • Media, including OS boot disks and CD-ROMs, OS
    media, and application media
  • Security patches from OS and application vendors
  • Backup images of OS, applications, and data
    stored on secondary media

13
Incident Handling Detection and Analysis
  • Incident Categories
  • Denial of Service
  • Malicious code
  • Unauthorized access
  • Inappropriate usage
  • Multiple component incidents

14
Incident Handling Detection and Analysis
  • Signs of an incident
  • Intrusion detection systems
  • Antivirus software
  • Log analyzers
  • File integrity checking
  • Third-party monitoring of critical services
  • Incident indications vs. precursors
  • Precursor is a sign that an incident may occur in
    the future
  • E.g. scanning
  • Indication is a sign that an incident is
    occurring or has occurred

15
Incident Handling Detection and Analysis
  • Incident documentation
  • If incident is suspected, start recording facts
  • Incident Prioritization based on
  • Current and potential technical effects
  • Criticality of affected resources
  • Incident notification
  • CIO
  • Head of information system
  • Local information security officer
  • Other incident teams
  • Other agency departments such as HR, public
    affairs, legal department

16
Incident Handling Containment, Eradication,
Recovery
  • Containment strategies
  • Vary based on type of incident
  • Criteria for choosing strategy include
  • Potential damage / theft of resources
  • Need for evidence information
  • Service availability
  • Resource consumption of strategy
  • Effectiveness of strategy
  • Duration of solution

17
Incident Handling Containment, Eradication,
Recovery
  • Evidence gathering
  • For incident analysis
  • For legal proceedings
  • Chain of custody
  • Authentication of evidence

18
Incident Handling Containment, Eradication,
Recovery
  • Attacker identification
  • Validation of attacker IP address
  • Scanning attackers system
  • Research attacker through search engines
  • Using Incident Databases
  • Monitoring possible attacker communication
    channels

19
Incident Handling Containment, Eradication,
Recovery
  • Eradication
  • Deleting malicious code
  • Disabling breached user accounts
  • Recovery
  • Restoration of system(s) to normal operations
  • Restoring from clean backups
  • Rebuilding systems from scratch
  • Replacing compromised files
  • Installing patches
  • Changing passwords
  • Tighten perimeter security
  • Strengthen logging

20
Incident Handling Post-Incident Activity
  • Evidence Retention
  • Prosecution of attacker
  • Data retention policies
  • Cost

21
Thats All
Write a Comment
User Comments (0)
About PowerShow.com