Hello,
Back again I need help with an 5-6 page essay on CIRT plan, please help.
Thank you!
Deborah
CIS527 Week 9 – Contingency Plan Essay – Instructions
Contingency Plan
DLIS needs to prepare for the prevailing computer incidents of today and tomorrow. A computer incident
response team (CIRT) plan can help prepare an organization for many computer security incidents that
might occur.
For this assignment, you will discuss a CIRT plan, which is often used as a contingency plan, for DLIS. A
system administrator noticed yesterday that several of the file servers at HQ were responding very slowly.
The DLIS headquarters (HQ) handles all incidents, so the plan will have its roots at HQ. Read a recent
article, like the latest IBM Threat Intelligence Index, to gather information on current threats and
remember to leverage the BCP and DRP you generated for the organization last week.
Write a 5-to-6-page paper in which you:
1. Describe purpose and primary elements of a CIRT plan.
2. Discuss the relationship between a CIRT plan and risk management.
3. Discuss the five W’s (who, what, where, when, and why) found in a CIRT plan in regard
to the incident given in the above scenario.
4. Explain how DLIS can leverage their BCP and DRP to develop and support its CIRT
plan.
5. Explain how you think threats will evolve to impact DLIS in the future and how the
CIRT plan should be updated to combat them.
6. Discuss at least five best practices to follow when creating a CIRT plan.
7. Use at least two quality resources in this assignment.
Note: Wikipedia and similar websites do not qualify as quality resources. The Strayer University
Library is a good source for resources.
Your assignment must follow these formatting requirements:
•
This course requires the use of Strayer Writing Standards. For assistance and information, please refer to
the Strayer Writing Standards link in the left-hand menu of your course.
Managing Risk in Information Systems:
• Chapter 15, “Mitigating Risk With a Computer Incident Response Team.”
• Gibson, D. (2015). Managing Risk in Information Systems. Burlington: Jones & Bartlett Learning.
cf_cis527_w10.pptx
cf_cis527_w10.doc
IT Risk Management
CIS527
Mitigating Risk with a Computer Incident Response
Team
Topics
• What a computer incident response team
(CIRT) plan is
• What the purpose of a CIRT is
• What the elements of a CIRT plan are
• How a CIRT plan can mitigate an
organization’s risk
• What best practices for implementing a CIRT
plan are
What Is a Computer Incident Response
Team (CIRT) Plan?
• Computer incident
– Violation or imminent threat of a violation, security
policy or practice
• Imminent threat
– Incident about to occur
• Types of computer incidents
–
–
–
–
–
Denial of service (DoS) attacks
Malicious code
Unauthorized access
Inappropriate usage
Multiple component
• CIRT
– Computer incident team
Purpose of a CIRT Plan
• Help prepare for computer incidents
• Outlines purpose of response effort
• Answers 5 W’s: what, where, who, when, why,
and lastly how
Elements of a CIRT Plan
• Commonly included elements
• Models
• Roles
Elements of a CIRT Plan, continued
• Responsibilities:
– Develop incident response procedures
– Investigate incidents
– Determine cause of incidents
– Recommend controls to prevent future
incidents
– Protect collected evidence
– Use chain of custody
Elements of a CIRT Plan, continued
• CIRT policies
– Simple policy statements or appendixes
– CIRT members should not attack back
– Police, government and military agencies may
attack back
Elements of a CIRT Plan, continued
• Incident handling process:
– Preparation
– Detection and analysis
– Containment, eradication and recovery
– Post incident recovery
– Handling DoS attack incidents
• Attacks confirmed by viewing logs
– Firewall logs
– Firewall rules modified to block traffic
Elements of a CIRT Plan, continued
• Malware incidents
–
–
–
–
Viruses
Worms
Mobile code
Trojan horses
• Anti-virus software protection
– Three-pronged approach
• Secondary protection: training and education
• Configure Web browsers and e-mail readers
Elements of a CIRT Plan, continued
• Handling unauthorized malware incidents
– Social engineering or technical attacks
– Examples
Elements of a CIRT Plan, continued
• Harden servers
–
–
–
–
Reduce attack surface
Keep systems up-to-date
Enable firewalls
Enable Intrusion Detection Systems
• Detection methods
• Some attacks not detected
• Response depends on attack
– Isolate infected system
– Disable account
Elements of a CIRT Plan, continued
• Handling inappropriate usage incidents
– Examples
• Security policy
– Acceptable Use Policy (AUP)
Elements of a CIRT Plan, continued
• Handling multiple component incidents
– Single incident includes two or more incidents
– Example
• Anti-virus software is primary protection
• Anomaly-based IDS systems
Elements of a CIRT Plan, continued
• Communication escalation procedures
– Recall CIRT team members
– Communication means critical, have backup
plan
– Use checklists after calculating impact
Elements of a CIRT Plan, continued
• Containment
• Eradication
• Recovery
– DoS incidents
specifications
– Malware incidents
specifications
Elements of a CIRT Plan, continued
– Unauthorized access incidents
• Containment: Identify attacked system and
isolate on network
• Eradication: Identify weaknesses, ensure
servers hardened, ensure strong passwords
• Recovery: Reconnect systems, verify and test
– Inappropriate usage incidents
• Containment: Disable user’s account
• Eradication: Complete user training
• Recovery: Re-enable account after appropriate
actions taken
How Does a CIRT Plan Mitigate an
Organization’s Risk?
• Helps the organization plan for incidents
• Identifies CIRT members
• Provides better understanding of skills
needed
Best Practices for Implementing a
CIRT Plan for Your Organization
• CIRT best practices:
– Define a computer security incident
– Include policies in CIRT plan to guide CIRT
members
– Provide training
– Include checklists
– Subscribe to security notifications
Summary
• What a computer incident response team
(CIRT) plan is
• What the purpose of a CIRT is
• What the elements of a CIRT plan are
• How a CIRT plan can mitigate an
organization’s risk
• What best practices for implementing a
CIRT plan are
CIS527 Week #10 IT Risk Management Mitigating Risk With a Computer Incident
Response Team
Slide #
Slide Title
Slide Narration
Slide 1
Introduction
Welcome to IT Risk Management.
In this lesson we will discuss Mitigating Risk with a Computer
Incident Response Team
Next slide
Slide 2
Topics
The following topics will be covered in this lesson:
What a computer incident response team (CIRT) plan is;
What the purpose of a CIRT is;
What the elements of a CIRT plan are;
How a CIRT plan can mitigate an organization’s risk; and
What best practices for implementing a CIRT plan are.
Next slide
Slide 3
What Is a
Computer
Incident
Response Team
(CIRT) Plan?
A computer incident is a violation, or imminent threat of a
violation, of a security policy or security practice, and
includes any adverse event or activity that affects the
security of computer systems or networks. The event may
result in loss of confidentiality, integrity, or availability.
The terms “computer incident†and “computer security
incident†mean the same thing and are used
interchangeably.
An imminent threat of violation is an incident that is about
to occur. This commonly refers to emerging threats, such as
viruses or worms that are rapidly spreading.
Multiple types of computer incidents can affect an
organization, including:
Denial of service (DoS) attack;
Malicious code;
Unauthorized access;
Inappropriate usage; and
Multiple component
A computer incident response team (CIRT) is a group of
people that will respond to Incidents. The CIRT plan is a
formal document that outlines an organization’s
response to
computer incidents.
Slide 4
Purpose of a
CIRT Plan
Next slide
The purpose of the CIRT plan is to help an organization
prepare for computer incidents. This preparation helps the
organization identify potential incidents. With the CIRT Plan,
security personnel can then identify the best responses to
reduce the potential damage.
A CIRT plan outlines the purpose of the response effort.
In general, the purpose is to identify the incident as fully
as possible. The answers to the five Ws are a good starting
point. The five Ws are what, where, who, when, and why.
For good measure, add in how it occurred.
The what identifies what type of attack occurred. The attack
could be a DoS attack, a malware attack, unauthorized access,
or inappropriate usage. Next, where the attack occurred needs
to be identified, then who launched the attack. Logs are very
useful for this. Audit logs can be checked for the system, as
well as firewall and router logs. If the user authenticated, the
logs will identify the user account used for the attack.
Identifying when an attack occurred is much more than just
identifying when the symptoms were discovered. Attackers
perform reconnaissance before an attack. Log entries may
show that the reconnaissance attacks occurred several times
over the past week from the same source, for instance.
Answering why attackers attack helps to understand their
motive.
Last, identify how the attack occurred. This helps to identify
the vulnerabilities that exist in this system. Once it is
discovered how the attack succeeded, identification as to how
to prevent it in the future can be made. In other words,
identifying how the attack succeeded helps identify controls or
countermeasures to prevent future attacks.
Next slide
Slide 5
Elements of a
CIRT Plan
CIRTs can have several different elements, but there are no
specific requirements stating that certain elements must be
included. A CIRT commonly includes information on the
membership of the CIRT and policy information, and may
also include details on communication methods and incident
response procedures.
Although a CIRT plan identifies CIRT members, these
members will be involved before the creation of the CIRT plan.
Specifically, they will help create the plan. CIRT members
include IT and security professionals who understand the risks
that threaten networks and systems. There are different models
that can be used for a CIRT. The National Institute of Standards
and Technology (NIST) regularly releases special publications
(SPs). NIST SP 800-61 identifies the following three models:
Central incident response team;
Distributed incident response team; and
Coordinating team
Roles also need to be indentified clearly. CIRT members often
hold one or more specific roles in the team. The goal is to
ensure that the team includes members from several different
areas. Roles held by the team members include team leader,
information security members, network administrators, physical
security, legal, human resources, and communications.
Next slide
Slide 6
Elements of a
CIRT Plan
(continued)
The incident response team has several responsibilities that
involve helping to develop the plan, respond to incidents, and
document the incidents. Each member of the team has special
skills and responsibilities to the team.
Some of the primary responsibilities of the CIRT include:
Develop incident response procedures;
Investigate incidents;
Determine cause of incidents;
Recommend controls to prevent future incidents;
Protect collected evidence; and
Use a chain of custody.
The CIRT plan at any organization may spell out the previous
responsibilities, and if the organization has other
responsibilities expected of the CIRT, they can be included in
the CIRT plan.
The CIRT is also accountable to the organization to provide a
proactive response to any incident. Although incidents can’t
be avoided, the team is expected to minimize the impact of the
incident.
Next slide
Slide 7
Elements of a
CIRT Plan
(continued)
A CIRT plan includes CIRT policies which may be simple
policy statements, or appendixes at the end of the plan. These
policies provide the team with guidance in the midst of any
incident.
One of the primary policies to consider is whether CIRT
members can attack back or not. During the investigation of
an incident, a team member may have the opportunity to launch
an attack on the attacker. The question is, “Should this be
done?â€ÂThe answer is almost always a resounding “No!â€Â
because if the CIRT member is caught, he or she can be
prosecuted. A defense of “but he did it first†won’t impress a
judge. Similarly, even if the attacker broke laws attacking the
organization’s network, justification is not given to break
laws to attack back.
This is not to say that an organization should never attack back.
Police, government, and military agencies may have specific
units that are trained to attack. These attacks may gather
evidence on criminal activities and may be purposeful
cyberwarfare against a government’s enemies. However, if this
isn’t the specific mission of the unit, an attack back should not
be initiated.
Next slide
Slide 8
Elements of a
CIRT Plan
(continued)
A CIRT plan identifies the incident handling process. This
process can be a large part of the plan depending on how
detailed the plan is. NIST SP 800-61 is the “Computer
Security Incident Handling Guide.†The guide outlines
distinct phases of the incident handling process, as follows:
Preparation;
Detection and analysis;
Containment, eradication and recovery;
Post incident recovery; and
Handling DoS attack incidents
A suspected attack can be confirmed by reviewing available
logs. System logs include information on system activity.
Firewall logs can show network traffic to the system.
Additionally, logs gathered by the Intrusion Detection System
(IDS) can identify many specific types of attacks. The response
depends on the type of attack. For example, if the attack is due
to a vulnerability, such as an unpatched system, the primary
response should be to fix the vulnerability. If an IDS system
doesn’t automatically respond to the attack, changes can be
made manually. The goal is to identify the source of the attack
and modify the firewall rules to block the traffic.
Next slide
Slide 9
Elements of a
CIRT Plan
Malware incidents are the result of any malicious software,
such as viruses and worms. There are many types of malware,
(continued)
and new ones appear daily. Some of the varieties include:
Viruses;
Worms;
Mobile code; and
Trojan horses.
The primary protection against malware is antivirus software.
Many organizations use a three-pronged approach. First, antiVirus software is installed on all systems in the organization.
Second, because the majority of viruses are delivered via email, AV software is installed in the e-mail server. Last, AV
software is often installed at the boundary of the network where
the intranet meets the Internet and can filter all traffic for
potential malware.
A secondary protection is training and education. Many users
are unaware of how malware is delivered. Users also do not
recognize the extent of damage possible from malware. Routine
training educates users about the types of malware threats. Last,
many organizations configure Web browsers and e-mail
readers to prevent the execution of malicious mobile code.
Next slide
Slide 11
Elements of a
CIRT Plan
(continued)
An unauthorized access incident occurs when a person gains
access to resources, even when that person is not authorized
access. Although this can be accidental, the focus is on
attackers gaining access to data or systems. Social
engineering or technical attacks are more ways hackers can
gain access through a system.
Some examples of unauthorized access incidents include:
• Attacking and defacing a Web server;
• Uploading or downloading data from a File Transfer Protocol
(FTP) server;
• Using an unattended workstation without permission;
• Viewing or copying sensitive data without authorization;
• Using social engineering techniques to collect organization
data;
• Guessing or cracking passwords and logging on with these
credentials; and finally,
• Running a packet sniffer like Wireshark to capture data
transmitted on the network.
The majority of these types of attacks originate from attackers
outside the organization. Attackers often access servers or other
internal resources through the Internet. Internet-facing servers
are most vulnerable to Internet-based attacks.
Next slide
Slide 12
Elements of a
CIRT Plan
(continued)
One of the basic protection steps you can take is to ensure that
all servers are hardened. Steps to harden a server include:
Reduce the attack surface;
Keep systems up to date;
Enable firewalls; and
Enable Intrusion Detection Systems.
Unauthorized access incidents can be detected through several
methods. IDSs often provide warnings about reconnaissance
activity before an attack. Educated users can report social
engineering attempts. A social engineer uses conning and
trickery to get a user to give up secrets. Informed users can
recognize these attempts and report them to administrators.
Some attacks are not detected. An attacker may reach in,
access data in a database, and then disappear. Even if it is
logged, the actual event may go undetected until later when
there is a realization that a problem has occurred. The stolen
data may be research and development data that is now being
used by a competitor, or the data may be customer credit
information. Until customers complain about it, the problem
may not actually be detected.
The response depends on the attack. If the attack is detected
in progress, the goal is to isolate the affected system. If the
problem is due to a compromised account, the account can be
disabled. If the account is an elevated account, such as one
with elevated permissions, there must be a check to see if other
accounts were created with this one.
Next slide
Slide 13
Elements of a
CIRT Plan
(continued)
Inappropriate usage incidents occur when users violate
internal policies. These incidents aren’t usually as serious as
external incidents, but depending on the activity, the incidents
can be serious and result in loss of money for the organization.
Examples of inappropriate usage include users who:
Spam coworkers;
Access Web sites that are prohibited;
Purposely circumvent security policies;
Use file-sharing or P2P programs;
Send files with sensitive data outside the organization; or
Launch attacks from within the organization against
other computers.
The first thing to do to help prevent these incidents is to have a
security policy. The security policy should include an
Acceptable Use Policy (AUP), or the AUP should be separate.
The AUP identifies what is acceptable usage and what is not
acceptable usage.
The use of P2P programs to download or share pirated music,
videos, or programs is also included in many AUPs. One of the
main problems with P2P programs is data leakage, which
occurs when the P2P network shares user data without the user
being aware of it.
Firewalls and proxy servers log all traffic going through them.
The logs can be scanned to determine if users are violating the
policies. A second way to detect inappropriate usage is through
other users who may receive spam from an employee
advertising his or her business or promoting a religion.
The primary response is based on the existing policies, which
include the security policy and the AUP. If policies don’t exist,
they need to be created. If an employee violates
the policy, the employee is at fault, but if a policy doesn’t exist,
the organization may be at fault.
Next slide
Slide 14
Elements of a
CIRT Plan
(continued)
A multiple component incident is a single incident that
includes two or more other incidents. These incidents are
related to each other, but that may not be apparent right away.
To consider how this works, imagine a user receives
an e-mail with a malware attachment. When the user opens the
attachment, it infects the user’s system. This is the first
incident. The malware has three objectives. First, it releases a
worm component that seeks out computers on the network and
infects them. This is the second incident. Next, it contacts a
server on the Internet that is managing a botnet. In this role, the
infected system acts as a zombie. It waits for a command from
the botnet control server and then does whatever it’s
commanded to do. Because the infected system has infected
other systems on the network, multiple systems can be are
infected. Each of these systems is looking for other systems to
infect, and acting as a zombie ready to perform the bidding of
the botnet. Next, consider that the botnet control server issues a
command to all the infected systems. This directs them to
launch an attack on a server on the Internet. All the zombies in
the network attack. This is the third incident.
In this case, the primary protection is AV software and
ensuring the AV software is up to date. Anomaly-based
intrusion detection systems may notice the increased activity
on the network. An anomaly-based IDS starts with a baseline of
normal activity. When activity increases outside the established
threshold, the IDS alerts on the anomaly.
Next slide
Slide 15
Elements of a
CIRT Plan
(continued)
Escalation occurs when an event is determined to be an
incident, and is declared an incident. One of the first steps to
take when an incident is declared is to recall the CIRT
members, either by phone tree or any other type of traditional
recall. Communication is very important during the incident
and may be hampered during the incident as well. For example,
e-mail or instant messenger systems can fail during an incident.
If these are the primary methods of communication with no
backup plan, communication will be challenging.
Solutions used for Disaster Recovery Plans can also be used for
computer incidents, such as CIRT members being issued pushto-talk phones or walkie-talkies. A war room can also be set up
for face-to-face communications. The war room can be staffed
constantly, and team members can report findings to personnel
there.
Incident handling procedures must be followed when an
incident is suspected. Checklists can be included in the CIRT
plan as procedures to use in response to incidents. IT
professionals who are first notified of a potential incident can
use these checklists, as well as CIRT members. Although
checklists cannot be created to respond to every possible
incident, they can be tailored to different types of incidents.
Calculating the impact and priority is one of the important
steps when handling an incident to identify the impact and
priority of the incident. The CIRT plan can include tools to help
personnel determine the impact and priority. Members can then
refer to these tools for clarification during the incident.
Once calculation of the impact and priority is determined,
checklists can be used. The following is a sample generic
checklist:
Verify an incident has occurred;
Determine type of incident;
Determine impact or potential impact of incident;
Report incident;
Acquire available evidence on incident;
Contain incident;
Escalate incident;
Recover from incident; and
Document incident.
Slide 16
Elements of a
CIRT Plan
(continued)
Next slide
Handling DoS attack incidents, malware incidents,
unauthorized access incidents, and inappropriate usage
incidents can be accomplished by evaluating the attack and
then designing a checklist that addresses the type of attack
specifically. The following items should be considered when
creating a checklist for any type of attack identified above:
Containment;
Eradication; and
Recovery
The following list is specific to DoS attack incidents:
Containment: Halt the DoS attack as soon as possible. There
may be the ability to add filters at routers or firewalls to block
the traffic based on the IP address, port, or protocol used in the
attack
Eradication: Identify vulnerabilities that allowed the DoS
attack. It could be because the server wasn’t adequately
hardened.
Recovery: Determine if there is any long-term damage on the
server and repair if applicable.
The following list is specific to malware incidents:
Containment: Identify all the infected systems and disconnect
them from the network. Identify why the AV software didn’t
detect the malware.
Eradication: Run full scans on the systems. AV vendors such
as Symantec and McAfee often host pages that show detailed
steps to remove multipartite viruses and other advanced
malware.
Recovery: Replace any files that were deleted or quarantined
and are needed for system operation. Verify that the system is
no longer infected.
Slide 17
Elements of a
CIRT Plan
(continued)
Next slide
The following list is specific to unauthorized access
incidents:
Containment: If the attack is discovered in process, identify
the attacked system and isolate it from the network.
Eradication: Identify the weaknesses that allowed the attack to
succeed. Ensure that all the steps to harden the server have been
completed and haven’t been modified. Ensure that strong
passwords are being used. Consider changing the passwords on
the system.
Recovery: After the vulnerabilities have been resolved,
reconnect the systems and verify they are operational. Test the
systems to ensure they are operating as expected.
The following list is specific to inappropriate usage
incidents:
Containment: Consider disabling the user’s account until
management takes action.
Eradication: Some organizations require users to complete
specific training before their access is returned. Other
organizations require supervisors to document the activity in
the employee’s record.
Recovery: If the account was disabled, you would enable it
after the appropriate action has been completed.
Slide 18
How Does a
CIRT Plan
Mitigate an
Organization’s
Risk?
Next slide
The CIRT plan helps an organization prepare for incidents.
When prepared, the organization is able to respond to the
incidents much quicker and with focused action.
One of the primary benefits of the CIRT plan is the
identification of CIRT members. The plan identifies these
individuals so that the organization knows who they are.
Once the plan and the members are identified, the organization
has a better understanding of the skills needed. The members
can be trained to ensure they have the skills needed to support
the requirements.
Without the plan, IT and security professionals don’t have the
benefit of time to analyze their response.
Next slide
Slide 19
Best Practices
for
Implementing a
CIRT Plan for
Your
Organization
When implementing a CIRT plan for your organization, you
can use several best practices. The following list shows some
of these best practices:
Define a computer security incident;
Include policies in the CIRT plan to guide CIRT members;
Provide training;
Include checklists; and
Subscribe to security notifications
Next slide
Slide 21
Summary
We have reached the end of this lesson. Let’s take a look at
what we’ve covered.
First we defined what a computer incident response team
(CIRT) plan is. We defined the team as a group of people
assigned to respond to computer incidents within an
organization, and the plan as a formal document which outlines
an organization’s response to computer incidents.
Next we discussed the purpose of the CIRT plan, which is to
help prepare for computer incidents, outline the purpose of
response efforts, and answer the five Ws – what, where, who,
when, why, and lastly how.
We then looked at the elements of a CIRT plan. We learned
that CIRT plans commonly include information on
membership, organizational policy, communication methods,
and incident response procedures. We also looked at common
CIRT models and roles in this section.
Next we learned how a CIRT plan can mitigate an
organization’s risk. Here, we learned that it helps the
organization to plan for incidents, identifies the CIRT members,
and provides a better understanding of the skills needed to
handle a computer incident.
Lastly, we considered the best practices for implementing a
CIRT plan. These included defining a computer security
incident, including policies in the CIRT plan to guide CIRT
members, providing training, including checklists, and
subscribing to security notifications.
This completes this lesson.
Purchase answer to see full
attachment
