Network Security Library

Incident Response Team





CIRT - Framework and Models
In this paper I will discuss the significance of a CIRT, the high-level framework of a CIRT, and describe two standards for forming a CIRT. Comparing the two standards could be a topic for PhD research.
Ajoy Kumar, 01/31/2005


Information Protection Center: Stage 1 - Active: Response Phase
The highest-priority task for the IPC is to respond to incidents as they occur. This may involve working with the affected organization to determine the cause of the incident and help it become secure again, or it may involve finding a solution to a vulnerability that is actively being exploited to compromise many organizational assets. Reactive response is always done on a priority basis and involves three stages (containment, eradication and recovery), followed by a post-incident analysis. Whatever is done must be consistent with security policies.
04/16/2004


Information Protection Center: Stage 1 - Active Protection Phase
The IPC's goal is to continuously improve the organization's security posture. The most important step in this is to establish strong protection. This protection comes from knowing the threats and countermeasures, being aware of the organization's vulnerable assets, and implementing controls to protect them. Environmental scanning: The members of the center must remain vigilant and aware of the rapidly evolving security environment. The center must carry out environmental scanning for both new threats and new vulnerabilities. The IPC must be aware of new products, tools or software patches that become available to counter many of these threats or vulnerabilities. This is done via review of newsgroups, Internet news feeds, peer networking and paper media. Membership in FIRST will provide access to news of security incidents from other incident response organizations.
04/14/2004


Information Protection Center: Stage 0-Passive
This particular IPC began with a relative "green field" for security. It had the creation of policies, guidelines and awareness initiatives as its initial responsibilities. Most organizations will already have some security group in place handling policy and awareness programs.

Organizational and Departmental Policies: The IPC's activities in environmental scanning and vulnerability assessment (VA) give it a unique and integrated view of the organization's security posture. The IPC will assist in policy formulation at both the departmental and the organization-wide level.
04/14/2004


Information Protection Centre: Stage 1 - Active: Assessment Phase
Auto-Response IDS: Many ID systems can be set up to respond automatically with some predefined set of activities upon detection of specified events. In this case some reasonable assessment process must be carried out ahead of the incident. The business impact of highly malicious events is pre-assessed, and it is decided that the cost of a false positive is outweighed by the impact of a successful occurrence of the specified event. For example, it may be better to block the source IP address(es) when an obvious denial of service is coming at you. Some ID systems can change the access control lists in a filtering router to block or shun addresses. Then again, some of those source addresses could be faked, spoofing the addresses of business partners. In that case you would be creating your own denial of service.
04/14/2004


Information Protection Center: Stage 2 - Integrative
Scope of Improvement: At the Integrative stage the IPC has either a direct or a collaborative effect on passive security (policies and awareness), active security (IRT) and architectural decisions. The IPC has become a center of security excellence that has a say in all aspects of security. More importantly, it has a close working relationship with the business managers, helping them with security solutions that enable their operations. It is only at this stage that the IPC can be truly proactive.
04/13/2004


Information Protection Center: Stage 1 - Active: Detection Phase
Incidents: The IPC acts as a point of contact for security reporting and assistance. If someone detects an unusual or suspicious event related to the organization's networks, computers or information, they can relay the details of the incident to the IPC for investigation. The results of the investigation will be provided back to the originator and, in most cases, will be posted to the IPC's intranet web site. It is often difficult to determine whether the unusual or suspicious event is symptomatic of an incident, because apparent evidence of security incidents often indicates a problem with system configuration, an untested application program, a hardware failure, or, frequently, user error. Typical indications of security incidents include any or all of the following:
04/13/2004


Information Protection Centers - An Organizational Approach to Security
An IPC is a means to achieve this alignment. It is a name for an entity that carries out the wide spectrum of security activities and services necessary to secure an organization. Some of these activities may already be carried out independently or in loose coordination across the organizational structure. The IPC can start as a formal working group or as a virtual collaboration of the same people. What is important is that the group evolves into a new functional unit with the blessing of senior management on both the technical and the business side. This will require a coordinated effort of service delivery and a communications campaign.
04/05/2004


IPC Overview
Organizations rely on their networks and systems. Viral outbreaks occur sporadically. Their firewalls are probed for vulnerabilities on a daily basis. It is highly likely that they will be victimized by a serious security incident at some time. The IPC provides the organized resources to address these incidents and thereby safeguard the organization's Information Technology (IT) assets.
04/05/2004


How to Design a Useful Incident Response Policy
Perhaps you're the Information Security Officer for your company. Or maybe you're a technology auditor. Maybe you're in charge of data security for your university's computing department. Regardless of your title and circumstances, you've been working on implementing an information security program (you have been working on your program, right?!). Such an endeavor has a tremendous scope, requiring great feats of perception and planning. This article aims to help you with an important facet of any information security program: the incident response policy.
03/24/2004


Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget