Assignment 4.2 (post to the Week 4 Forum)

This assignment is worth 50 points; 25 points for your original posting, and 25 points for participation. Using the format provided in the text, design a basic incident response plan for your home computer, modifying for home use as necessary. Include all three phases for each of the following events:

- Virus attack (not caught by anti-virus software)
- Power failure
- Fire
- Burst water pipe
- ISP failure

In your response to others, comment whether anything is missing from the plan, or if you have suggestions for improvement.

Minimum Posting Requirements: You must post at least five messages to get credit for participation. The first message, your original posting, is due by Wed. At least two of the other messages must be responses to other student original postings. This is a pass/fail type of grade. If you meet the minimum requirements you get the points. If you do not meet the minimum requirements, you'll get no points for participation. Messages must be posted on more than one day. Don't wait until the last minute!
Basic Incident Response Plan for the Slater-Roguska Household, 2011
William Slater
CIS 608 Information Security Management
Bellevue University
Week 4, Assignment 4-2
Gary Sparks, M.S. - Instructor
September 21, 2011
Introduction
This paper contains a brief incident response plan for my home computers. My wife, Joanna Roguska, is the User Department and I am the Technology Services Department.
1. Virus Attack (not caught by anti-virus software): Before Attack

Users
- Keep anti-virus software running.
- Update virus signatures at least weekly.
- Attend virus awareness training.
- Learn how to detect and take basic steps during a virus attack.
- Perform back-ups of vulnerable data on a regular basis.
- Rotate most current backup media offsite.

Technology Services
- Provide education and training about virus attack awareness.
- Provide education about the dangers and attack profiles of the most prevalent kinds of malware attacks.
- Instruct users about the proper method for data backups.
- Randomly test backups using restores to ensure the quality of the backup procedures, the training, and the quality of the media.
- Provide offsite backup media service.
- Ensure that a current Incident Response Plan is in place to deal with active attacks and post attack situations.

1. Virus Attack (not caught by anti-virus software): After an Attack

Users
- Work with Technology Services to determine the extent of data loss.
- Work with Technology Services to determine the root causes.
- Work with Technology Services to provide input updates to the Lessons Learned.
- Work with Technology Services to provide input updates to the Incident Response Plan.
- Work with Technology Services to provide input updates to the Security Awareness Training.
- After Technology Services performs the restore, verify that the data restored properly.

Technology Services
- Inspect equipment to ensure there was no permanent damage.
- Obtain current backup media from offsite.
- Assess the extent of the damage and determine whether the attack is over.
- Determine whether the virus has polymorphed itself into a form in which it is now in a quiescent state, waiting for some random period of time before launching a new attack from the inside.
- Perform a restore.
- Review the incident to determine how the incident happened.
- Determine how to increase controls to prevent future occurrences.
- Update the Lessons Learned Log.
- Update the Security Education materials to incorporate the Lessons Learned.
- Update the Incident Response Plan, if necessary, to incorporate the Lessons Learned.

1. Virus Attack (not caught by anti-virus software): During Attack

Users
- Follow training instructions that tell the user what to do when a computer is identified as being under attack.
- If possible, disconnect the network cable.
- If the computer is a wireless network device, shut it down immediately.
- Do not attempt to fix the problem.
- Do not destroy or tamper with anything, because it could be evidence if a crime occurred.

Technology Services
- Be available for contact at an emergency contact number in case a computer comes under attack.
- Follow the Incident Response Plan and help the user to remain calm.
- Do not destroy or tamper with anything, because it could be evidence if a crime occurred.
- Contact the owner to inform them that an attack is in progress.

2. Power Failure: Before Attack

Users
- Attend Information Security Awareness Training that includes information about procedures for handling power outages.
- Ensure that all computer equipment is working normally.
- Ensure that computers with critical data have an emergency UPS power supply, that the computer is plugged into the UPS, and that it is working properly with the UPS.
- Ensure that the battery will allow time for proper shutdown.
- Perform back-ups of vulnerable data on a regular basis.
- Rotate most current backup media offsite.
- Have a flashlight with good batteries handy in case there is a power failure.

Technology Services
- Ensure that the Information Security Awareness Training includes information about procedures for handling power outages.
- Ensure that the Information Security Awareness Training covering power outages has been conducted with the user.
- Ensure that all computer equipment is working normally.
- Ensure that computers with critical data have an emergency UPS power supply and that the battery will allow time for proper shutdown.
- Instruct users about the proper method for data backups.
- Randomly test backups using restores to ensure the quality of the backup procedures, the training, and the quality of the media.
- Provide offsite backup media service.

2. Power Failure: After an Attack

Users
- Work with Technology Services to determine the extent of data loss.
- Work with Technology Services to determine the root causes.
- Work with Technology Services to provide input updates to the Lessons Learned.
- Work with Technology Services to provide input updates to the Incident Response Plan.
- Work with Technology Services to provide input updates to the Security Awareness Training.
- After Technology Services performs the restore, verify that the data restored properly.

Technology Services
- Inspect equipment to ensure there was no permanent damage.
- Obtain current backup media from offsite.
- Assess the extent of the damage and determine whether the power outage is over.
- Perform a restore.
- Review the incident to determine how the incident happened.
- Determine how to increase controls to prevent future occurrences.
- Update the Lessons Learned Log.
- Update the Security Education materials to incorporate the Lessons Learned.
- Update the Incident Response Plan, if necessary, to incorporate the Lessons Learned.

2. Power Failure: During Attack

Users
- Follow training instructions that tell the user what to do when a power failure occurs.
- Do not attempt to fix the problem.
- Do not destroy or tamper with anything, because it could be evidence if a crime occurred.
- Use a flashlight to get to a safe place.

Technology Services
- Be available for contact at an emergency contact number in case a power failure occurs.
- Follow the Incident Response Plan and help the user to remain calm.
- Do not destroy or tamper with anything, because it could be evidence if a crime occurred.
- Contact the owner to inform them that a power failure is in progress.

3. Fire: Before Attack

Users
- Attend Information Security Awareness Training that includes information about procedures for handling fires.
- Ensure that all computer equipment is working normally.
- Ensure that there are smoke detectors nearby.
- Ensure there are A-B-C fire extinguishers nearby.
- Take fire extinguisher training yearly.
- Perform back-ups of vulnerable data on a regular basis.
- Rotate most current backup media offsite.
- Have a flashlight with good batteries handy in case there is a power failure associated with the fire.
- Have a respiration kit handy in case there are sudden toxic fumes.

Technology Services
- Ensure that the Information Security Awareness Training includes information about procedures for handling fires.
- Ensure that the Information Security Awareness Training covering fires has been conducted with the user.
- Ensure that all smoke detectors are working normally.
- Instruct users about the proper method for data backups.
- Randomly test backups using restores to ensure the quality of the backup procedures, the training, and the quality of the media.
- Provide offsite backup media service.

3. Fire: After an Attack

Users
- Work with Technology Services to determine the extent of data loss.
- Work with Technology Services to determine the root causes.
- Work with Technology Services to provide input updates to the Lessons Learned.
- Work with Technology Services to provide input updates to the Incident Response Plan.
- Work with Technology Services to provide input updates to the Security Awareness Training.
- Work with Technology Services to acquire new equipment if necessary.
- After Technology Services performs the restore, verify that the data restored properly.

Technology Services
- Assess the extent of the damage.
- Determine if new equipment is required. If so, work through the owner to purchase it.
- Obtain current backup media from offsite.
- Perform a restore.
- Review the incident to determine how the incident happened.
- Determine how to increase controls to prevent future occurrences.
- Update the Lessons Learned Log.
- Update the Security Education materials to incorporate the Lessons Learned.
- Update the Incident Response Plan, if necessary to incorporate Lessons Learned.

3. Fire: During Attack

Users
1. Call 911.
2. Follow training instructions that tell the user what to do when a fire occurs.
3. If possible, use the fire extinguisher to extinguish the fire.
4. If the fire cannot successfully be extinguished, evacuate the building.
5. If necessary, use emergency respirator equipment to allow for safe breathing.
6. Do not destroy or tamper with anything, because it could be evidence if a crime occurred.
7. Use a flashlight to get to a safe place.

Technology Services
1. Be available for contact at an emergency contact number in case a fire occurs.
2. Follow the Incident Response Plan and help the user to remain calm.
3. Do not destroy or tamper with anything, because it could be evidence if a crime occurred.
4. Contact the owner to inform them that a fire is in progress.

4. Burst Water Pipe: Before Attack

Users
- Attend Information Security Awareness Training that includes information about procedures for handling burst water pipes.
- Ensure that all computer equipment is working normally.
- Ensure that there are water pressure detectors nearby.
- Perform back-ups of vulnerable data on a regular basis.
- Rotate most current backup media offsite.
- Have a flashlight with good batteries handy in case there is a power failure associated with the burst water pipe.

Technology Services
- Ensure that the Information Security Awareness Training includes information about procedures for handling burst water pipes.
- Ensure that the Information Security Awareness Training covering burst water pipes has been conducted with the user.
- Ensure that all water pressure detectors are working normally.
- Instruct users about the proper method for data backups.
- Randomly test backups using restores to ensure the quality of the backup procedures, the training, and the quality of the media.
- Provide offsite backup media service.

4. Burst Water Pipe: After an Attack

Users
- Do not destroy or tamper with anything, because it could be evidence if a crime occurred.
- Work with Technology Services to determine the extent of data and equipment loss.
- Work with Technology Services to acquire new equipment if necessary.
- Work with Technology Services to determine the root causes.
- Work with Technology Services to provide input updates to the Lessons Learned.
- Work with Technology Services to provide input updates to the Incident Response Plan.
- Work with Technology Services to provide input updates to the Security Awareness Training.
- After Technology Services performs the restore, verify that the data restored properly.

Technology Services
- Do not destroy or tamper with anything, because it could be evidence if a crime occurred.
- Assess the extent of the damage.
- Determine if new equipment is required. If so, work through the owner to purchase it.
- Obtain current backup media from offsite.
- Perform a restore.
- Review the incident to determine how the incident happened.
- Determine how to increase controls to prevent future occurrences.
- Update the Lessons Learned Log.
- Update the Security Education materials to incorporate the Lessons Learned.
- Update the Incident Response Plan, if necessary to incorporate Lessons Learned.
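One way to carry out the plan's "randomly test backups using restores" and "verify that the data restored properly" steps, as an added example that is not part of the original post: a SHA-256 manifest is recorded when the backup is taken and kept with the offsite media, and the restored copy is later checked file by file against it. The file names and contents below are constructed for illustration.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in chunks so large backup images are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_root: Path) -> dict:
    """Relative path -> SHA-256 for every file; keep it with the offsite media."""
    return {p.relative_to(backup_root).as_posix(): sha256_file(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored_root: Path, sample=None, seed=0) -> dict:
    """Return {"ok", "missing", "corrupt"} lists for a restored tree vs. the manifest."""
    names = sorted(manifest)
    if sample is not None:  # random subset: the plan's "randomly test backups" step
        names = sorted(random.Random(seed).sample(names, min(sample, len(names))))
    result = {"ok": [], "missing": [], "corrupt": []}
    for name in names:
        p = restored_root / name
        if not p.is_file():
            result["missing"].append(name)
        elif sha256_file(p) != manifest[name]:  # media error or tampering
            result["corrupt"].append(name)
        else:
            result["ok"].append(name)
    return result

def demo() -> dict:
    """Constructed data: a backup set, then a restore missing one file and with one corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "photos").mkdir(parents=True)
        (backup / "taxes.txt").write_text("2011 return")
        (backup / "notes.txt").write_text("household plan")
        (backup / "photos" / "a.jpg").write_bytes(b"\xff\xd8jpegdata")
        manifest = build_manifest(backup)          # taken at backup time
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)          # the test restore
        (restored / "photos" / "a.jpg").write_bytes(b"\xff\xd8jpegdat")  # truncated by bad media
        (restored / "notes.txt").unlink()          # never made it onto the media
        return verify_restore(manifest, restored)
```

A restore test passes only when both the "missing" and "corrupt" lists come back empty; anything else means the media or the backup procedure needs attention before the next incident.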

4. Burst Water Pipe: During Attack

Users
1. Call Technology Services.
2. Follow training instructions that tell the user what to do when a burst water pipe occurs.
3. Turn off computer equipment.
4. If the flooding becomes severe, evacuate the building.

Technology Services
1. Be available for contact at an emergency contact number in case a burst water pipe occurs.
2. Follow the Incident Response Plan and help the user to remain calm.
3. Do not destroy or tamper with anything, because it could be evidence if a crime occurred.
4. Contact the owner to inform them that a burst water pipe situation is in progress.

5. ISP Failure: Before Attack

Users
- Attend Information Security Awareness Training that includes information about procedures for an ISP failure.
- Ensure that all computer equipment is working normally.
- Ensure that key users have USB cellular modems as back-door Internet access.

Technology Services
- Ensure that the Information Security Awareness Training includes information about procedures for handling ISP failures.
- Ensure that the Information Security Awareness Training covering ISP failures has been conducted with the user.
- Ensure that all USB cellular modem devices are operable.
- Instruct users about the use of USB cellular modem devices.

5. ISP Failure: After an Attack

Users
- Attend Information Security Awareness Training that includes information about procedures for ISP Failure.
- Contact Technology Services.

Technology Services
- Review the incident to determine how the incident happened.
- Determine how to increase controls to prevent future occurrences.
- Update the Lessons Learned Log.
- Update the Security Education materials to incorporate the Lessons Learned.
- Update the Incident Response Plan, if necessary to incorporate Lessons Learned.

5. ISP Failure: During Attack

Users
1. Call Technology Services.
2. Follow training instructions that tell the user what to do when an ISP outage occurs.
3. Attempt to connect to the Internet using a cellular modem USB device as a back-door Internet connection.

Technology Services
1. Be available for contact at an emergency contact number in case an ISP outage occurs.
2. Follow the Incident Response Plan and help the user to remain calm.
3. Contact the owner to inform them that an ISP outage situation is in progress.
References

Whitman, M. E. and Mattord, H. J. (2010). Management of Information Security. Course Technology: Boston, MA.
Nice blog. An incident response plan is a set of instructions to help IT staff detect, respond to, and recover from network security incidents.