Computer Incident Response and Forensics Team Management
eBook - ePub

Computer Incident Response and Forensics Team Management

Conducting a Successful Incident Response

Leighton Johnson

  1. 352 pages
  2. English
  3. ePUB (mobile-friendly)
  4. Available on iOS and Android

About the book

Computer Incident Response and Forensics Team Management provides security professionals with a complete handbook of computer incident response from the perspective of forensics team management. This unique approach teaches readers the concepts and principles they need to conduct a successful incident response investigation, ensuring that proven policies and procedures are established and followed by all team members.

Leighton R. Johnson III describes the processes within an incident response event and shows the crucial importance of skillful forensics team management, including when and where the transition to forensics investigation should occur during an incident response event. The book also provides discussions of key incident response components.

  • Provides readers with a complete handbook on computer incident response from the perspective of forensics team management
  • Identifies the key steps to completing a successful computer incident response investigation
  • Defines the qualities necessary to become a successful forensics investigation team member, as well as the interpersonal skills necessary for successful incident response and forensics investigation teams

Is Computer Incident Response and Forensics Team Management available online as a PDF/ePUB?
Yes, Computer Incident Response and Forensics Team Management by Leighton Johnson is available in PDF or ePUB format, alongside other titles in Computer Science and Cybersecurity.

Information

Publisher
Syngress
Year
2013
ISBN
9780124047259
Section 1

Introduction

This section introduces the special needs and requirements of Incident Response and Forensics Teams: how they are constructed and developed, their members and support staff, and the basic framework for managing response and forensics teams.

Keywords

Incident response framework
When I started as the corporate Computer Security Manager for a large retail organization 15 years ago, there was no response team, no computer security awareness among the IT staff or senior management, and no driving need to implement any security activities, structures, or requirements for the corporate workers. Everyone from the CEO down thought the computer security situation was someone else’s problem and concern—the classic “not my problem” syndrome.
The first task I embarked on as the Computer Security Manager was to educate the senior executives in the need for corporate computer security and the ability to respond to potential threats to the work environment. It took almost a year, but the corporate leadership did finally accept and fund the development of an incident response capability which was that industry’s first team specifically designed to handle and manage incidents which affected the day-to-day operations of the organization and its “bottom line.”
Security Incident Response and Forensics Teams (SIR&FT) are needed more today than at any point in the roughly 40 years of the computer and Internet era. With most security response organizations and vendors reporting on the order of 30,000–70,000 new malware samples a day, the need for responders and investigators is at an all-time high. Every major corporation, every government agency, and most organizations that operate on the Internet, use e-mail, or transact business online need the ability to respond to an unexpected or malicious attack on their networks and infrastructure simply to stay in business, let alone to carry out their daily work safely and securely.
Every incident threatens the business or government organization as a whole: its primary business process, all of its supporting processes, and its reputation are in jeopardy when an incident strikes. Security incident response and management seek to prevent such incidents where possible; when they inevitably do happen, to contain and resolve them; and to feed the lessons learned back into the response for the next time. Security incident response and management therefore serve both the primary response process and the organization as a whole.
Because malware is now so widespread that an adversary will eventually breach some part of a corporation's protective measures, and because insider threats carry high impact, as evidenced by recent corporate, intelligence, and defense incidents, the primary focus of the SIR&FT is simple but profound:
1. detect compromise as efficiently as possible;
2. respond to incidents as quickly as possible; and
3. investigate using digital forensics as effectively as possible.
Standing up the Incident Response team will be one of your most important activities in your first days as the manager responsible for the security incident response team (SIRT) and the forensics investigation team. The team's membership, its charter, the support of the corporate executive officers, and the response criteria together make the SIRT one of the most important team-building activities you will be responsible for at the start.
A SIR&FT has very specialized management needs in order to accomplish its goals in today's work and response environments. The team should be built with both general skills and specialties; however, during a response the skills actually needed may differ from those originally planned, and the Team Manager must be able to change team members and skill sets rapidly to meet the threat and the required response.
This book introduces the special management needs and requirements of Incident Response and Forensics Teams, how these teams are constructed and developed, the team members and support staff, and the basic framework for managing response and forensics teams. Ensuring that proven policies and procedures are established and followed is a manager-level responsibility, as are personnel certifications and levels of expertise. These are discussed along with Incident Response Team makeup and management.
SIR&FT management personnel have many areas of focus to address and requirements to meet. They include:
A. First, ensuring team members are properly hired, trained, and certified. The criticality of the response will always require the best of the best.
B. Second, ensuring the Incident Response Team has proper, unencumbered senior-executive-level support, authority, and responsibility. Full visibility and support at the top of the corporate leadership is needed and required in today's business world, given Sarbanes-Oxley (SOX) reporting requirements, industrial espionage threats, and the competitive nature of each industry.
C. Third, ensuring proper case management activities are performed, which include:
  • Investigator time and schedule management. Each case requires detailed oversight and management to ensure full accountability and proper actions during the investigation.
  • Quality assurance processes. Ensuring the accuracy of every investigation is often the key to the investigation.
  • Chain of custody procedures. Following the proper methods for evidence collection and analysis is essential to the proper prosecution of any case.
  • Change management. Making sure that changes to the software, hardware, and tools used during case activities are controlled and documented is vital to the legal defensibility of the case.
  • Final review of all case work. A full review of all of the case details is commonly where the manager provides the best return on expertise and on the viability of the case.
D. Fourth, providing the proper response at the proper level for the currently active incident while simultaneously making sure the incident is contained, controlled, repaired, and reported on correctly and in accordance with corporate or organizational policies and guidance.
E. Fifth, ensuring all legal, regulatory, statutory, organizational, and governmental guidance for incident handling and reporting is met within the appropriate time frames.
This book is intended to give the SIR&FT manager answers to the following questions, so that the team's activities are acceptable, legal, and complete:
a. Have the team members met their objectives?
The objectives may include: the incident fixed or its cause removed; the report delivered and accepted; the security posture improved as a result of lessons learned about the attack; and many others.
b. Is the incident contained and eradicated?
The basic requirement for the security group is to "secure the data." By this point the data should be protected and controlled, the issue that prompted the SIRT response should be resolved, and the corporate equipment that was compromised should have been either cleaned or removed from operations.
c. Have the users returned to normal business operations?
The operational reason for the SIRT is to get normal business operations back in place and functioning, so always make that one of the goals of any response.
d. Have all activities been completed in a reasonable amount of time?
Each team member will have a set of tasks to accomplish during the response; completing them quickly allows a faster response and a faster return to normal operations for the organization and its personnel.
e. Did the team respond quickly and efficiently?
The timing requirements for business recovery need to be assessed quickly during the initial stages of the response, so all actions by the response team need to be both expeditious and complete.
f. Were there points where response actions could have been performed earlier?
Looking back at the response effort, the team leader needs to assess whether any of the required actions could have been accomplished earlier, or whether any pre-deployed tools would have assisted in the response.
g. Were the team members' skills applicable to the incident?
One of the SIRT manager's jobs is to assess the team against the response and determine whether any additional skills, techniques, or knowledge would have contributed to a quicker and possibly safer resolution of the incident.
h. Have team members followed the documented procedures?
Reviewing the generated reports and documentation allows the SIRT manager to verify that the proper procedures and techniques were followed during the response.
i. Were all activities reported and written down?
All incident response actions need to be documented for after-action reports, for improvement of skills and abilities, and to place the organization in a strong position to handle any external or potential legal action.
j. Are team members turning in quality, defensible documentation?
All documentation must be detailed, direct, and technically strong; this is a criterion for every SIRT member. Does the report make sense, and does it follow the sequence of events? Both are questions the SIRT manager must answer.
k. Is the documentation being produced in the correct format?
The SIRT manager has to provide a documentation guide that each team member must follow during and after every event the team responds to.
l. Is all the required content in the report?
The full and complete "picture" of all the events making up the incident response needs to be recorded and set out in the final incident report.
m. Are team members performing in an efficient and effective manner?
Team members have to be evaluated, in light of the skills and knowledge each has, to ensure they performed correctly in the response.
n. Are the incident/forensics artifacts controlled through the proper chain of evidence?
The "chain of custody" for the gathered and retrieved artifacts must be maintained during and after the event so that they are handled properly and do not become contaminated during subsequent activities.
o. Are the team members properly certified?
All team members should be professionally certified in their areas of expertise, as well as in the incident handling procedures they use during response activities.
p. What are the lessons learned from each incident?
Conducting a "lessons learned" meeting after the completion of the response always surfaces new areas for training and skill development for the SIRT, which will improve its abilities for the next incident response.
We will discuss all these areas and more as we explore the SIR&FT M...
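The chain-of-custody requirement raised twice above (under case management, and in question n) is usually met with a paper form plus a hash of each artifact. The following is an added example, not code from the book or from the author, of how a team can make that custody record tamper-evident in software: every artifact is SHA-256 hashed at acquisition and re-hashed at each hand-off, and every custody entry carries a hash of the previous entry, so a back-dated edit to an earlier entry, or a modified copy of the artifact, fails verification. The record layout, field names, the case identifier and the disk-image bytes are this example's own assumptions, constructed for illustration.

```python
"""Tamper-evident chain-of-custody record for incident artifacts.

Added example, not from the book. Assumes a custody record is a list of
JSON-able entries; each entry carries the artifact's SHA-256 and a hash link
to the previous entry, so an edit to any earlier entry, or to the artifact
itself, breaks verification. Field names and record layout are this
example's own.
"""
import hashlib
import json
from typing import Optional, Tuple

GENESIS_LINK = "0" * 64  # link value used by the first (acquisition) entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the artifact's integrity hash)."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash of one custody entry over canonical JSON (sorted keys, no
    whitespace), so reordering fields does not change the link value."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode())


def acquire(case_id: str, artifact: str, data: bytes, handler: str, ts: str) -> list:
    """Start a record with the acquisition entry. `ts` is an ISO-8601 UTC
    timestamp supplied by the caller so the record is reproducible."""
    return [{
        "case_id": case_id,
        "artifact": artifact,
        "artifact_sha256": sha256_hex(data),
        "handler": handler,
        "action": "acquired",
        "timestamp": ts,
        "prev_hash": GENESIS_LINK,
    }]


def transfer(record: list, data: bytes, handler: str, action: str, ts: str) -> dict:
    """Append a custody event (hand-off, check-in, analysis). The artifact is
    re-hashed at every event so a modified copy is caught at hand-off time,
    not later in court. A mismatch raises instead of being logged silently."""
    prev = record[-1]
    actual = sha256_hex(data)
    if actual != prev["artifact_sha256"]:
        raise ValueError(
            f"artifact hash mismatch at hand-off: {actual} != {prev['artifact_sha256']}"
        )
    entry = {
        "case_id": prev["case_id"],
        "artifact": prev["artifact"],
        "artifact_sha256": actual,
        "handler": handler,
        "action": action,
        "timestamp": ts,
        "prev_hash": entry_hash(prev),  # links this entry to the one before it
    }
    record.append(entry)
    return entry


def verify(record: list, data: Optional[bytes] = None) -> Tuple[bool, str]:
    """Check every link in the record and, if the artifact bytes are supplied,
    that they still match the acquisition hash. Returns (ok, reason)."""
    if not record:
        return False, "empty record"
    first = record[0]
    if first["prev_hash"] != GENESIS_LINK or first["action"] != "acquired":
        return False, "record does not start with an acquisition entry"
    acquired_hash = first["artifact_sha256"]
    for i in range(1, len(record)):
        if record[i]["prev_hash"] != entry_hash(record[i - 1]):
            return False, f"entry {i} does not link to entry {i - 1}"
        if record[i]["artifact_sha256"] != acquired_hash:
            return False, f"entry {i} records a different artifact hash"
    if data is not None and sha256_hex(data) != acquired_hash:
        return False, "artifact no longer matches its acquisition hash"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a stand-in for an acquired disk image.
    image = b"constructed disk image bytes"
    rec = acquire("IR-2013-001", "laptop-7.dd", image, "analyst A", "2013-06-01T09:00:00Z")
    transfer(rec, image, "evidence locker", "checked-in", "2013-06-01T11:30:00Z")
    transfer(rec, image, "analyst B", "checked-out for analysis", "2013-06-02T08:15:00Z")
    print(verify(rec, image))            # (True, 'ok')
    rec[0]["handler"] = "someone else"   # back-dated edit to the acquisition entry
    print(verify(rec, image))            # (False, 'entry 1 does not link to entry 0')
```

Two caveats a manager should build into the procedure around this: the most recent entry is not protected by any later link, so the record needs an external anchor at each hand-off (the receiving handler countersigns, or the entry is written to a store that cannot be rewritten); and hashing complements write blockers and the signed paper form rather than replacing them, since it proves the bytes are unchanged but says nothing about how they were obtained.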

Citation styles for Computer Incident Response and Forensics Team Management

APA 6 Citation

Johnson, L. (2013). Computer Incident Response and Forensics Team Management ([edition unavailable]). Elsevier Science. Retrieved from https://www.perlego.com/book/1810010/computer-incident-response-and-forensics-team-management-conducting-a-successful-incident-response-pdf (Original work published 2013)

Chicago Citation

Johnson, Leighton. (2013) 2013. Computer Incident Response and Forensics Team Management. [Edition unavailable]. Elsevier Science. https://www.perlego.com/book/1810010/computer-incident-response-and-forensics-team-management-conducting-a-successful-incident-response-pdf.

Harvard Citation

Johnson, L. (2013) Computer Incident Response and Forensics Team Management. [edition unavailable]. Elsevier Science. Available at: https://www.perlego.com/book/1810010/computer-incident-response-and-forensics-team-management-conducting-a-successful-incident-response-pdf (Accessed: 15 October 2022).

MLA 7 Citation

Johnson, Leighton. Computer Incident Response and Forensics Team Management. [edition unavailable]. Elsevier Science, 2013. Web. 15 Oct. 2022.