Lesson 6 - Reading Material - PDF Edited
Lesson No: 6
Let’s read:
Before we discuss incident handling, let us first define the term incident. In general, an
incident is a violation of computer security policies, acceptable use policies, or standard computer
security practices.
Incident handling is the process of detecting and analyzing incidents and limiting the incident’s effect.
For example, if an attacker breaks into a system through the Internet, the incident handling process
should detect the security breach. Incident handlers will then analyze the data and determine how
serious the attack is. The incident will be prioritized, and the incident handlers will take action to ensure
that the progress of the incident is halted and that the affected systems return to normal operation as
soon as possible.
Incident handling pertains to the response to an attack by a person or organization. An incident has
to be handled in an organized and careful manner so that the organization can recover completely, even from a total disaster.
In the field of computer security and information technology, incident handling or incident management
incorporates the monitoring and detection of security events on a computer or computer network, and
the execution of proper responses to those events.
There are two common forms of system attacks:
o Virus outbreak
o System compromise
The following sequence of steps should be followed in the case of both of the above types of attack:
1 Preparation
2 Identification of Attack
3 Containment of Attack
4 Recovery and Analysis
• Preparation: Preparation for potential damage from an attack includes taking regular backup
copies of all key data, monitoring and updating software regularly, and having a strong security
policy in place and well documented. Regularly scheduled backups help to minimize any major
loss of data in case of an attack. Regularly updating anti-virus software helps to keep system
protection up to date. A well-documented security policy that outlines the responses to incidents
and the responsibilities of the personnel involved will prove helpful in the event of an attack.
• Identification of Attack: The identification of an incident is the first important post-attack step in
incident handling. Identifying an incident becomes more and more difficult as the complexity of
the attack grows. Several characteristics of an attack need to be identified – the fact that an attack
is occurring, its effects on local and remote networks and systems, and its origin – before it can be
properly contained.
• Containment of Attack: In containment, the user or administrator aims to protect other systems
and networks from the attack and to limit the damage done by the attack. This phase includes the
methods that are used to stop the attack or virus outbreak.
• Recovery and Analysis: During this phase, users assess the extent of the damage that has been
incurred, what data has been lost, and what the current state of the post-attack system is. Once it is
assured that the attack has been contained, it is time to conduct an analysis of the attack. Questions
such as “Why did it happen?”, “Was it dealt with promptly and properly?” and “Could it have been handled
better?” have to be answered. The analysis phase helps the users and administrators to determine
the reason behind the attack and the best course of action to be taken to protect against such future
attacks.
System Compromise
o Preparation: System compromise is a system attack in which an intruder breaks into a computer
and is able to use that computer, either by sitting directly in front of it or from a remote network. The
attacker then gains total access to the system and the data contained therein, including files, applications,
etc. Managing a system compromise can prove to be more difficult than managing a virus outbreak.
As with a virus attack, all vital information should be backed up on a regular basis. Software updates
are crucial and must be maintained. To prevent unauthorized intrusion into a system, users must
implement firewalls. Firewalls are extremely important in preventing unauthorized individuals from
accessing network services and resources.
o Identification: System compromise attacks are usually indicated by missing or modified content
in files, random changes to the system configuration and services, greater memory and disk
usage, and unidentified network connections. Attackers usually hide any indications that would reveal
a system attack by replacing files and programs with versions that protect the attacker. Applications
that behave normally at one time and strangely at another indicate an unauthorized intrusion, as do
files and programs whose time, date or size stamps have been modified. Comparison with their
corresponding backup copies may reveal changes in files.
o Containment: The administrator is responsible for containment of an intrusion. First, the administrator
must freeze the current system as soon as he or she suspects an intrusion. Freezing means disconnecting
the system from the network, stopping the operating system and not allowing anyone to use the system. This
is done because when an operating system runs and users work on the system, files automatically
get modified and updated depending on the open applications. Normal functioning often erases
important data that could have been used to detect and trace an intrusion. Therefore, it is crucial
to stop the system as soon as possible after an attack is discovered.
o Recovery and Analysis: The most drastic way of cleaning up and recovering an attacked
system is to format the hard disk and re-install the operating system and the required software once
again. This is the faster approach to returning a system to normal functioning. The other,
slower and more painstaking approach is to compare each and every file and program against a
backed-up copy to determine whether any modifications have been made. For the analysis part, it is important
to determine the cause of the intrusion; once the cause is established, changes should be made to
the system to avoid future attacks from the same source. The changes might include updating the affected
software, changing the access control mechanism so that only authorized users are allowed, and updating systems and
networks so that they can use services such as firewalls and intrusion detection systems. A combination
of these changes will provide a safer and more secure working environment and safeguard against
future intrusions.
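The Identification and Recovery steps above both rest on the same check: comparing files on the suspect system against their backup copies to find modified, added or removed files, and noticing files whose timestamps moved even though their content did not. The following Python script is an added example written for this lesson (it is not part of the reading material or of any referenced guide); the function names, the directory layout and the sample files it builds are constructed for the demonstration. It records a SHA-256 digest, size and modification time for every file under a directory, then reports the differences between a trusted backup tree and the live tree.

```python
"""File-integrity comparison against a backed-up baseline.

Added example for the lesson, not code from the reading material. Function
names and the sample directory layout are constructed for the demonstration.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

# Per-file record: (sha256 hex digest, size in bytes, mtime as whole seconds)
Record = Tuple[str, int, int]


def sha256_of(path: str) -> str:
    """Hash a file in chunks so that large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root: str) -> Dict[str, Record]:
    """Walk a directory tree and record digest, size and mtime per file."""
    records: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            records[rel] = (sha256_of(full), st.st_size, int(st.st_mtime))
    return records


def compare_snapshots(baseline: Dict[str, Record],
                      current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify differences between a trusted baseline and the live system.

    'modified'       content digest differs (caught even if the mtime was
                     put back, which a plain timestamp check would miss)
    'timestamp_only' same content but the mtime moved; worth a second look
    'added'          present on the live system but absent from the backup
    'missing'        present in the backup but gone from the live system
    """
    report: Dict[str, List[str]] = {
        "modified": [], "timestamp_only": [], "added": [], "missing": []}
    for rel, (digest, _size, mtime) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        cur_digest, _cur_size, cur_mtime = current[rel]
        if cur_digest != digest:
            report["modified"].append(rel)
        elif cur_mtime != mtime:
            report["timestamp_only"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def _write(root: str, rel: str, data: bytes, mtime: int) -> None:
    """Create a file with fixed content and a fixed modification time."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed backup tree and a constructed live tree, then compare."""
    work = tempfile.mkdtemp(prefix="ih-demo-")
    try:
        backup = os.path.join(work, "backup")
        live = os.path.join(work, "live")
        t0 = 1_700_000_000  # constructed timestamp shared by the backup
        for root in (backup, live):
            _write(root, "etc/hosts", b"127.0.0.1 localhost\n", t0)
            _write(root, "bin/login", b"#!/bin/sh\nexec real_login\n", t0)
            _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n", t0)
            _write(root, "var/log/auth.log", b"accepted password for alice\n", t0)
        # Constructed differences present only on the live system:
        _write(live, "bin/login", b"#!/bin/sh\nexec real_login\n# extra\n", t0)  # content changed, mtime unchanged
        _write(live, "etc/passwd", b"root:x:0:0::/root:/bin/sh\n", t0 + 3600)   # same content, mtime moved
        _write(live, "tmp/.hidden", b"unexpected binary\n", t0 + 60)          # file absent from the backup
        os.remove(os.path.join(live, "var", "log", "auth.log"))                # log file removed
        return compare_snapshots(snapshot_tree(backup), snapshot_tree(live))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for category, files in run_demo().items():
        print(f"{category:15s} {files}")
```

Run the snapshot of the backup copy in advance, as part of Preparation, and store it somewhere the compromised machine cannot reach; the comparison is only as trustworthy as the baseline it is measured against. The digest comparison is what makes the check useful during Identification: a replaced program whose timestamp was put back to its original value still shows up under "modified".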
Suggested Readings:
o Computer Security Incident Handling Guide. National Institute of Standards and Technology.
Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
o “Top Database Security Threats and How to Mitigate Them”. Retrieved from
https://www.shrm.org/resourcesandtools/hr-topics/risk-management/pages/top-database-security-threats.aspx