Responding to intrusions and security improvement approach

Sommaire: Responding to intrusions and security improvement approach

Responding to Intrusions
1. Establish policies and procedures for responding to intrusions.
2. Prepare to respond to intrusions.
3. Analyze all available information to characterize  an intrusion.
4. Communicate with all parties that need to be  made aware of an intrusion and its progress.
5. Collect and protect information associated with  an intrusion.
6. Apply short-term solutions to contain an intrusion
7. Eliminate all means of intruder access.
8. Return systems to normal operation.
9. Identify and implement security lessons learned.

Extrait du cours responding to intrusions and security improvement approach

Responding to Intrusions
Most organizations are not adequately prepared to deal with intrusions. They are likely to  address the need to prepare and respond only after a breach occurs. The result is that when  an intrusion is detected, many decisions are made in haste and can reduce an organization’s ability to
• understand the extent and source of an intrusion
• protect sensitive data contained on systems
• protect the systems, the networks, and their ability to continue operating as intended
• recover systems
• collect information to better understand what happened. Without such information, you  may inadvertently take actions that can further damage your systems.
• support legal investigations
Who should read these practices
These practices are intended primarily for system and network administrators, managers of information systems, and security personnel responsible for networked information resources.
These practices are applicable to your organization if your networked systems infrastructure includes
• host systems providing services to multiple users (file servers, timesharing systems, database servers, Internet servers, etc.)
• local-area or wide-area networks
• direct connections, gateways, or modem access to and from external networks, such as the Internet
We recommend that you read all of the practices in this module before taking any action. To successfully implement the practices, it is important that you understand the overall context and relationships among them. For instance, once you read the practices in the Handle category, it is easier to understand the Practices in the Prepare category (see the Summary of Recommended Practices table on page 4).
What these practices do not cover
These practices do not address
• preparing to detect signs of intrusion or detecting signs of intrusion. For guidance on these topics, see Preparing to Detect Signs of Intrusion [Kochmar 98] andDetecting Signs of Intrusion [Firth97a].
• securely configuring your workstations and servers. For guidance on these topics, see Securing Desktop Workstations[Simmel 99] and Securing Network Servers [Ford 99].
• responding to incidents that are not intrusions, including the analysis and characterization of such incidents
• dealing with intruder attempts to find out about your system using probes, scans, and other types of mapping methods
• responding to denial of service attacks
Security issues
Intruders are always looking for ways to break into systems. For example, they may attempt to breach your network’s perimeter defenses from external locations, or physically infiltrate your organization to gain internal access to its information resources. They may want to access your organization’s network to hide their identity and to launch an attack on another site.
Intruders seek and take advantage of newly discovered vulnerabilities in operating systems, network services, and protocols. They actively develop and use sophisticated programs to rapidly penetrate systems. As a result, intrusions, and the damage they cause, are often achieved in a matter of seconds.
Security improvement approach
The order in which practice steps are to be executed and time relationships among practices are shown in the diagram below. An intrusion occurs at time “T1” and the response process is complete at time “Tn.”
Practice titles are abbreviated in this description. The full titles can be found in the Summary of Recommended Practices table below.
The steps in the Policy and Prepare practices help you prepare to respond to an intrusion.
Ideally, you should implement them prior to exposing your networks and systems to intruders. You can implement them any time during or after a response process execution, except when the compromised status of systems involved in an intrusion prevents you from taking recommended preparation actions. You should examine and exercise the steps called out in these two practices on an ongoing basis as tools, methods, policies, and procedures change.


Si le lien ne fonctionne pas correctement, veuillez nous contacter (mentionner le lien dans votre message)
Responding to intrusions and security improvement approach (446 KO) (Cours PDF)
Responding to intrusions

Télécharger aussi :

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *