Computer security incident management

Last updated

In the fields of computer security and information technology, computer security incident management involves the monitoring and detection of security events on a computer or computer network, and the execution of proper responses to those events. Computer security incident management is a specialized form of incident management, the primary purpose of which is the development of a well understood and predictable response to damaging events and computer intrusions. [1]

Contents

Incident management requires a process and a response team which follows this process. In the United States, This definition of computer security incident management follows the standards and definitions described in the National Incident Management System (NIMS). The incident coordinator manages the response to an emergency security incident. In a Natural Disaster or other event requiring response from Emergency services, the incident coordinator would act as a liaison to the emergency services incident manager. [2]

Incident response plans

An incident response plan (IRP) is a group of policies that dictate an organizations reaction to a cyber attack. Once an security breach has been identified, for example by network intrusion detection system (NIDS) or host-based intrusion detection system (HIDS) (if configured to do so), the plan is initiated. [3] It is important to note that there can be legal implications to a data breach. Knowing local and federal laws is critical. [4] Every plan is unique to the needs of the organization, and it can involve skill sets that are not part of an IT team. [5] For example, a lawyer may be included in the response plan to help navigate legal implications to a data breach.[ citation needed ]

As mentioned above every plan is unique but most plans will include the following: [6]

Preparation

Good preparation includes the development of an incident response team (IRT). [7] Skills need to be used by this team would be, penetration testing, computer forensics, network security, etc. [8] This team should also keep track of trends in cybersecurity and modern attack strategies. [9] A training program for end users is important as well as most modern attack strategies target users on the network. [6]

Identification

This part of the incident response plan identifies if there was a security event. [10] When an end user reports information or an admin notices irregularities, an investigation is launched. An incident log is a crucial part of this step.[ citation needed ] All of the members of the team should be updating this log to ensure that information flows as fast as possible. [11] If it has been identified that a security breach has occurred the next step should be activated. [12]

Containment

In this phase, the IRT works to isolate the areas that the breach took place to limit the scope of the security event. [13] During this phase it is important to preserve information forensically so it can be analyzed later in the process. [14] Containment could be as simple as physically containing a server room or as complex as segmenting a network to not allow the spread of a virus. [15]

Eradication

This is where the threat that was identified is removed from the affected systems. [16] This could include deleting malicious files, terminating compromised accounts, or deleting other components. [17] [18] Some events do not require this step, however it is important to fully understand the event before moving to this step. [19] This will help to ensure that the threat is completely removed. [15]

Recovery

This stage is where the systems are restored back to original operation. [20] This stage could include the recovery of data, changing user access information, or updating firewall rules or policies to prevent a breach in the future. [21] [22] Without executing this step, the system could still be vulnerable to future security threats. [15]

Lessons learned

In this step information that has been gathered during this process is used to make future decisions on security. [23] This step is crucial to the ensure that future events are prevented. Using this information to further train admins is critical to the process. [24] This step can also be used to process information that is distributed from other entities who have experienced a security event. [25]

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that can lead to unauthorized information disclosure, theft or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

Information security is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized or inappropriate access to data or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g., electronic or physical, tangible, or intangible. Information security's primary focus is the balanced protection of data confidentiality, integrity, and availability while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process.

<span class="mw-page-title-main">SANS Institute</span> American security company

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. Topics available for training include cyber and network defenses, penetration testing, incident response, digital forensics, and auditing. The information security courses are developed through a consensus process involving administrators, security managers, and information security professionals. The courses cover security fundamentals and technical aspects of information security. The institute has been recognized for its training programs and certification programs. Per 2021, SANS is the world’s largest cybersecurity research and training organization. SANS is an acronym for SysAdmin, Audit, Network, and Security.

<span class="mw-page-title-main">Cybercrime</span> Type of crime based in computer networks

Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and expanded upon in other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.

<span class="mw-page-title-main">Computer forensics</span> Branch of digital forensic science

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing, and presenting facts and opinions about the digital information.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.

Security information management (SIM) is an information security industry term for the collection of data such as log files into a central repository for trend analysis.

The EINSTEIN System is a network intrusion detection and prevention system that monitors the networks of US federal government departments and agencies. The system is developed and managed by the Cybersecurity and Infrastructure Security Agency in the United States Department of Homeland Security (DHS).

Security information and event management (SIEM) is a field within computer security that combines security information management (SIM) and security event management (SEM) to enable real-time analysis of security alerts generated by applications and network hardware. SIEM systems are central to security operations centers (SOCs), where they are employed to detect, investigate, and respond to security incidents. SIEM technology collects and aggregates data from various systems, allowing organizations to meet compliance requirements while safeguarding against threats. National Institute of Standards and Technology (NIST) definition for SIEM tool is application that provides the ability to gather security data from information system components and present that data as actionable information via a single interface.

An insider threat is a perceived threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.

A cyberattack occurs when there is an unauthorized action against computer infrastructure that compromises the confidentiality, integrity, or availability of its content.

Cyber insurance is a specialty insurance product intended to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first and third parties coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security-audit, post-incident public relations and investigative expenses, and criminal reward funds.

The Co-Managed IT security service model entails security monitoring, event correlation, incident response, system tuning, and compliance support across an organization's entire IT environment. Co-Management allows organizations to collaborate with their managed security service providers by blending security expertise of the provider with the contextual knowledge of the customer to optimise security posture.

Cyber threat intelligence (CTI) is a subfield of cybersecurity that focuses on the structured collection, analysis, and dissemination of data regarding potential or existing cyber threats. It provides organizations with the insights necessary to anticipate, prevent, and respond to cyberattacks by understanding the behavior of threat actors, their tactics, and the vulnerabilities they exploit. Cyber threat intelligence sources include open source intelligence, social media intelligence, human Intelligence, technical intelligence, device log files, forensically acquired data or intelligence from the internet traffic and data derived for the deep and dark web.

William "Chuck" Easttom II is an American computer scientist specializing in cyber security, cryptography, quantum computing, and systems engineering.

The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes were unaffected. Information on Prime Minister Lee Hsien Loong was specifically targeted.

<span class="mw-page-title-main">TR-CERT</span>

TR-CERT is an organization within the Information and Communication Technologies Authority (ICTA) which is the national regulatory authority of the Turkish electronic communication sector. It is responsible for the analysis and risk mitigation of large-scale cyber threats and vulnerabilities, communicating information regarding malicious cyber activities or possible vulnerabilities to computer security incident response teams (CSIRT) and the public.

<span class="mw-page-title-main">Bangladesh e-Government Computer Incident Response Team</span> National cybersecurity agency of Bangladesh

The Bangladesh e-Government Computer Incident Response Team is the state-run agency of the government of Bangladesh responsible for maintaining cybersecurity in the country. Works under the Ministry of Posts, Telecommunications and Information Technology, it is the national computer emergency response team (CERT) with prim focus on receiving and reviewing, and responding to cybersecurity incidents in the country.

<span class="mw-page-title-main">Forum of Incident Response and Security Teams</span> Engineering societies based in the United States

The Forum of Incident Response and Security Teams (FIRST) is a global forum of incident response and security teams. They aim to improve cooperation between security teams on handling major cybersecurity incidents. FIRST is an association of incident response teams with global coverage.

Cybersecurity engineering is a tech discipline focused on the protection of systems, networks, and data from unauthorized access, cyberattacks, and other malicious activities. It applies engineering principles to the design, implementation, maintenance, and evaluation of secure systems, ensuring the integrity, confidentiality, and availability of information.

References

  1. "ISO 17799|ISO/IEC 17799:2005(E)". Information technology - Security techniques - Code of practice for information security management. ISO copyright office. 2005-06-15. pp. 90–94.
  2. "NIMS - The Incident Command System". National Incident Management System. Department of Homeland Security. 2004-03-01. Archived from the original on 2007-03-18. Retrieved 2007-04-08.
  3. Fowler, Kevvie (2016), "Developing a Computer Security Incident Response Plan", Data Breach Preparation and Response, Elsevier, pp. 49–77, doi:10.1016/b978-0-12-803451-4.00003-4, ISBN   978-0-12-803451-4 , retrieved 2021-06-05
  4. Bisogni, Fabio (2016). "Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?". Journal of Information Policy. 6: 154–205. doi: 10.5325/jinfopoli.6.2016.0154 . JSTOR   10.5325/jinfopoli.6.2016.0154.
  5. "Understanding Plan for Every Part", Turbo Flow, Productivity Press, pp. 21–30, 2017-07-27, doi:10.1201/b10336-5, ISBN   978-0-429-24603-6 , retrieved 2021-06-05
  6. 1 2 Wills, Leonard (27 February 2019). "A Brief Guide to Handling a Cyber Incident". American Bar Association.
  7. Johnson, Leighton R. (2014), "Part 1. Incident Response Team", Computer Incident Response and Forensics Team Management, Elsevier, pp. 17–19, doi:10.1016/b978-1-59749-996-5.00038-8, ISBN   978-1-59749-996-5 , retrieved 2021-06-05
  8. "Computer Incident Response and Forensics Team Management". Network Security. 2014 (2): 4. February 2014. doi:10.1016/s1353-4858(14)70018-2. ISSN   1353-4858.
  9. "Cybersecurity Threat Landscape and Future Trends", Cybersecurity, Routledge, pp. 304–343, 2015-04-16, doi:10.1201/b18335-12, ISBN   978-0-429-25639-4 , retrieved 2021-06-05
  10. Information technology. Security techniques. Information security incident management, BSI British Standards, doi:10.3403/30268878u , retrieved 2021-06-05
  11. Turner, Tim (2011-09-07), "Our Beginning: Team Members Who Began the Success Story", One Team on All Levels, Productivity Press, pp. 9–36, doi:10.4324/9781466500020-2, ISBN   978-0-429-25314-0 , retrieved 2021-06-05
  12. Erlanger, Leon (2002). Defensive Strategies. PC Magazine. p. 70.
  13. "of Belgrade's main street. The event took place in absolute", Radical Street Performance, Routledge, pp. 81–83, 2013-11-05, doi:10.4324/9781315005140-28, ISBN   978-1-315-00514-0 , retrieved 2021-06-05
  14. White, Mark D. (2013). "Why Choice Matters So Much and What Can be Done to Preserve It". The Manipulation of Choice. Palgrave Macmillan. pp. 127–150. doi:10.1057/9781137313577_7. ISBN   978-1-137-31357-7.
  15. 1 2 3 "Computer Security Incident Handling Guide" (PDF). Nist.gov. 2012.
  16. Borgström, Pernilla; Strengbom, Joachim; Viketoft, Maria; Bommarco, Riccardo (4 April 2016). "Table S3: Results from linear-mixed models where non-signficant[sic] parameters have not been removed". PeerJ. 4: e1867. doi: 10.7717/peerj.1867/supp-3 .
  17. Penfold, David (2000), "Selecting, Copying, Moving and Deleting Files and Directories", ECDL Module 2: Using the Computer and Managing Files, London: Springer London, pp. 86–94, doi:10.1007/978-1-4471-0491-9_6 (inactive 3 December 2024), ISBN   978-1-85233-443-7 {{citation}}: CS1 maint: DOI inactive as of December 2024 (link)
  18. Gumus, Onur (2018). ASP. NET Core 2 Fundamentals : Build Cross-Platform Apps and Dynamic Web Services with This Server-side Web Application Framework. Packt Publishing Ltd. ISBN   978-1-78953-355-2. OCLC   1051139482.
  19. "Do the Students Understand What They Are Learning?", Trouble-shooting Your Teaching, Routledge, pp. 36–40, 2005-02-25, doi:10.4324/9780203416907-8, ISBN   978-0-203-41690-7 , retrieved 2021-06-05
  20. Enticknap, Leo (2013), "Where Are Films Restored, Where Do They Come From and Who Restores Them?", Film Restoration, Palgrave Macmillan, pp. 45–70, doi:10.1057/9781137328724_3, ISBN   978-1-137-32872-4
  21. Liao, Qi; Li, Zhen; Striegel, Aaron (2011-01-24). "Could firewall rules be public - a game theoretical perspective". Security and Communication Networks. 5 (2): 197–210. doi:10.1002/sec.307. ISSN   1939-0114.
  22. Boeckman, Philip; Greenwald, David J.; Von Bismarck, Nilufer (2013). Twelfth annual institute on securities regulation in Europe : overcoming deal-making challenges in the current markets. Practising Law Institute. ISBN   978-1-4024-1932-4. OCLC   825824220.
  23. "Figure 1.8. Spending of social security has been growing, while self-financing has been falling". doi:10.1787/888932459242 . Retrieved 2021-06-05.
  24. "Information Governance: The Crucial First Step", Safeguarding Critical E-Documents, Hoboken, NJ, US: John Wiley & Sons, Inc., pp. 13–24, 2015-09-19, doi:10.1002/9781119204909.ch2, ISBN   978-1-119-20490-9 , retrieved 2021-06-05
  25. He, Ying (December 1, 2017). "Challenges of Information Security Incident Learning: An Industrial Case Study in a Chinese Healthcare Organization" (PDF). Informatics for Health and Social Care. 42 (4): 394–395. doi:10.1080/17538157.2016.1255629. PMID   28068150. S2CID   20139345.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.