
Lesson 6 - Reading Material - PDF Edited


For instructional purposes only.

Lesson No: 6

Lesson Title: Incidence/Incident Handling

Let’s hit these:

At the end of this lesson, you should be able to:

1. Explain the meaning of incident handling.
2. Describe the sequence of steps for incident handling.
3. Describe the activities needed to undertake in managing virus-related incidents.
4. Explain the meaning of system compromise.
5. Describe the activities needed to undertake during a system compromise.

Let’s get started:
On a Tuesday night, a database administrator performs some off-hours maintenance on several
production database servers. The administrator notices some unfamiliar and unusual directory names
on one of the servers. After reviewing the directory listings and viewing some of the files, the
administrator concludes that the server has been attacked and calls the incident response team for
assistance. The team’s investigation determines that the attacker successfully gained root access to the
server six weeks ago.

Let’s find out:

Databases are among the most frequently compromised assets in an organization. In the scenario above, the
compromised database server must therefore be dealt with immediately. The attacks on the servers would
certainly put files and other data that are confidential to the organization at risk. Such a case calls for
effective incident handling: implementing security controls, enforcing policies and conducting incident
response processes.

Let’s read:

Before we discuss incident or incidence handling, let us first define the term incident. In general, an
incident is a violation of computer security policies, acceptable use policies, or standard computer
security practices.

Examples of incidents are:

▪ An attacker commands a botnet to send high volumes of connection requests to one of an
organization’s web servers, causing it to crash.
▪ Users are tricked into opening a “quarterly report” sent via email that is actually malware;
running the tool has infected their computers and established connections with an external host.
▪ A perpetrator obtains unauthorized access to sensitive data and threatens to release the details
to the press if the organization does not pay a designated sum of money.
▪ A user provides illegal copies of software to others through peer-to-peer file sharing services.

IS 302: IS Strategy, Management and Acquisition Page 1 of 4
Incident handling is the process of detecting and analyzing incidents and limiting the incident’s effect.
For example, if an attacker breaks into a system through the Internet, the incident handling process
should detect the security breach. Incident handlers will then analyze the data and determine how
serious the attack is. The incident will be prioritized, and the incident handlers will take action to ensure
that the progress of the incident is halted and that the affected systems return to normal operation as
soon as possible.
Incident handling refers to the response to an attack by a person or organization. An incident has
to be handled in an organized and careful manner to be able to recover completely from a total disaster.
In the field of computer security and information technology, incident handling or incident management
incorporates the monitoring and detection of security events on a computer or computer network, and
the execution of proper responses to those events.
There are two common forms of system attacks:
o Virus outbreak
o System compromise
The following sequence of steps should be followed in the case of both of the above types of attacks:

1. Preparation
2. Identification of Attack
3. Containment of Attack
4. Recovery and Analysis

FIGURE 16: Sequence of steps for incident handling

• Preparation: Preparing for the potential damage from an attack includes taking regular backup
copies of all key data, monitoring and updating software regularly, and having a strong security
policy in place and well documented. Regularly scheduled backups help in minimizing any major
loss of data in case of an attack. Updating anti-virus software regularly keeps system
protection up to date. A well-documented security policy that outlines the responses to incidents
and the responsibilities of the personnel involved will prove helpful in the event of an attack.
• Identification of Attack: The identification of an incident is the first important post-attack step in
incident handling. Identifying an incident becomes more and more difficult as the complexity of
the attack grows. Several characteristics of an attack need to be identified – the fact that an attack
is occurring, its effects on local and remote networks and systems, and its origin – before it can be
properly contained.
• Containment of Attack: In containment, the user or administrator aims to protect other systems
and networks from the attack and to limit the damage done by the attack. This phase includes the
methods that are used to stop the attack or virus outbreak.
• Recovery and Analysis: During this phase, users assess the extent of the damage that has been
incurred, what data has been lost, and what the current state of the post-attack system is. Once it is
assured that the attack has been contained, it is time to conduct an analysis of the attack. Questions
such as “Why did it happen?”, “Was it dealt with promptly and properly?” and “Could it have been handled
better?” have to be answered. The analysis phase helps the users and administrators to determine
the reason behind the attack and the best course of action to be taken to protect against such future
attacks.

Incident Handling – Viruses

o Preparation: System viruses can cause irreplaceable harm to important files and records. Small
office and home users are at relatively higher risk than larger organizations because these users
usually work on one computer or store their important data in a single location. In a larger
organization, data is usually spread across many systems in several locations. Thus, a virus outbreak
in a home or small office can permanently destroy important data. Therefore, creating backups of all
data is crucial for any organization. In addition, the backup disk must be kept in a separate
location, away from the computer, to ensure that in case of an incident like fire or theft of hardware
a backup copy of all data is still available.
The second very crucial step in preparing for a virus attack is to install anti-virus software. A
number of anti-virus packages are readily available, easy to install and operate, and affordable.
New viruses are created frequently, so users must update their anti-virus software on a regular basis.
o Identification of Virus Attack: Viruses are very strong and frightening since they spread very
quickly to “friendly” computers. Early identification of a virus attack is crucial to
ensure that the virus does not spread to other computers. It is also important that users be familiar
with the symptoms of a virus attack. They might range from mass e-mailing and file destruction to other
malicious actions whose results can be seen as an immediate effect. Scheduling the anti-virus
software to do real-time scanning of files and to periodically perform complete system scans helps
in both preventing and identifying viruses.
o Containment: Containment of the virus is crucial in limiting its adverse effects. Many viruses
spread themselves automatically. The administrator, or user, must disconnect network access,
including shared directories and other components that may allow the virus to infect files and
programs on other machines. In case the anti-virus software fails to clean the system or does not
have the features required to perform the cleansing, it is advisable to try other software packages that
may provide more comprehensive coverage. If the system has been altered beyond repair, then the
last resort is to clear the system entirely and reinstall the operating system and software.
o Recovery and Analysis: Viruses can cause varying degrees of destruction: some viruses exist
merely to replicate; others attach to and destroy files and programs. Generally, anti-virus software
can restore files to their original state, but there are exceptions. Once the systems have returned to
full operation, analysis should be done to determine where the protection failed. Was it due to faulty anti-virus
software, or due to the frequency and reliability of updates? Was it opening files from an unknown or
untrusted source that allowed the system to become infected? Once the attack was identified, were
appropriate and sufficient steps taken to minimize the damage that the system sustained? Thus,
analysing the incident enables the user to learn from the incident and ensure that it does not happen
again.

System Compromise
o Preparation: A system compromise is a system attack in which an intruder breaks into a computer
and is able to use that computer, either by sitting directly in front of it or from a remote network. The
attacker then gains total access to the system and the data contained therein, including files, applications,
etc. Managing a system compromise can prove to be more difficult than managing a virus outbreak.
As with a virus attack, all vital information should be backed up on a regular basis. Software updates
are crucial and must be maintained. To prevent unauthorized intrusion into a system, users must
implement firewalls. Firewalls are extremely important in preventing unauthorized individuals from
accessing network services and resources.
o Identification: System compromise attacks are usually indicated by missing or modified content
in files, random changes to the system configuration and services, greater memory and disk
usage, and unidentified network connections. Attackers usually hide any indications of a system
attack by replacing files and programs with ones that protect the attacker. Applications
that act normally at one time and strangely at another indicate an unauthorized intrusion, as do
files and programs whose time, date or size stamps may have been modified. Comparison with their
parallel backup copies may reveal changes in files.
o Containment: The administrator is responsible for containment of an intrusion. First, the administrator
must freeze the current system as soon as he/she suspects an intrusion. Freezing means disconnecting
the system from the network, stopping the operating system and not allowing anyone to use the system. This
is done because when an operating system runs and users work on the system, files automatically
get modified and updated depending on the open applications. Normal functioning often erases
important data that could have been used to detect and trace an intrusion. Therefore, it is very crucial
to stop the system as soon as possible after an attack is discovered.
o Recovery and Analysis: The most overwhelming process of cleaning up and recovering an attacked
system is to format the hard disk and reinstall the operating system and required software once
again. This is the faster approach to returning a system to its normal functioning. The other,
slower and more painstaking approach is to compare each and every file and program against a
backed-up copy to determine whether any modifications have been made. For the analysis part, it is important
to determine the cause of the intrusion; once the cause is established, changes should be made to
the system to avoid future attacks by the same source. The changes might include updating affected
software, changing the access control mechanism so that only authorized users are allowed, and updating systems and
networks to make use of services such as firewalls and intrusion detection systems. A combination
of these changes will provide a safer and more secure working environment and safeguard against
future intrusions.
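The comparison against a backup copy that the Identification and Recovery paragraphs above describe, as an added example written for this lesson (it is not code from the lesson or the NIST guide): the script fingerprints every file in a backup tree and in the live tree and reports what was modified, removed or added. The directory layout and file contents are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its (size, sha256)."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            key = path.relative_to(root).as_posix()
            result[key] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare_with_backup(backup: Path, live: Path) -> dict:
    """Classify live files as modified, missing or added relative to the backup copy.

    Hashing the content (not only size or timestamp) catches a program replaced
    by one of the same size, and a timestamp an intruder reset by hand.
    """
    base, now = fingerprint(backup), fingerprint(live)
    return {
        "modified": sorted(p for p in base if p in now and base[p] != now[p]),
        "missing": sorted(p for p in base if p not in now),  # deleted or renamed
        "added": sorted(p for p in now if p not in base),  # e.g. unfamiliar directories
    }


def demo() -> dict:
    """Construct a backup/live pair in a temporary directory and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "bin").mkdir(parents=True)
            (root / "etc").mkdir()
        # Unchanged configuration file: present and identical in both copies.
        (backup / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (live / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        # Program replaced by one of the same size (constructed sample).
        (backup / "bin" / "ls").write_bytes(b"ORIGINAL")
        (live / "bin" / "ls").write_bytes(b"TAMPERED")
        # Log that exists in the backup but was removed from the live system.
        (backup / "etc" / "audit.log").write_text("login ok\n")
        # Unfamiliar directory found only on the live system (constructed sample).
        (live / "tmp_x").mkdir()
        (live / "tmp_x" / "note").write_text("constructed sample\n")
        return compare_with_backup(backup, live)
```

Run against a real system, the backup tree would be a mounted offline copy and the live tree the frozen system's disk; every path in the "modified" and "added" lists is a candidate for the analysis step.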

Suggested Readings:
o Computer Security Incident Handling Guide. National Institute of Standards and Technology.
Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
o “Top Database Security Threats and How to Mitigate Them”. Retrieved from
https://www.shrm.org/resourcesandtools/hr-topics/risk-management/pages/top-database-security-threats.aspx
o Information Security Incident Management | IS Incident Management. Retrieved from
https://searchinform.com/infosec-blog/2019/04/14/dlp-systems-what-is-a-dlp-system-and-how-does-it-work/Information-Security-Incident-Management/
