PACE-IT, Security+ 2.5: Incident Response Concepts


Transcript of PACE-IT, Security+ 2.5: Incident Response Concepts

Page 1

Incident response concepts.

Page 2

Brian K. Ferrill, M.B.A.
Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC hardware, network administration, IT project management, network design, user training, IT troubleshooting.

Industry Certifications: (not listed in the transcript)

Education: M.B.A., IT Management, Western Governors University; B.S., IT Security, Western Governors University.

Qualifications Summary: Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs, and creating the solutions required, with a focus on technology.

Page 3

Incident response concepts.

– First responder responsibilities.

– Incident response procedures and concepts.

Page 4

First responder responsibilities.

Page 5

The first responder to an incident has two main responsibilities: first, to assess the situation, and second, to contain the damage.

When responding to an incident, the first item to evaluate is the overall situation, starting with how widespread the incident is. It may involve a single system, or it may involve multiple PCs, possibly even an entire department.

The second main responsibility of the first responder is to isolate the incident and contain the damage. In most cases, this can be achieved by removing the affected system from the network (by unplugging the network cable from the unit). If the damage is more widespread, it may be necessary to power down a switch or other network device in order to contain it. Unplugging the cable is preferred over powering off the affected system: a power-off destroys volatile evidence (memory contents, running processes, active connections) that the response team may need later. The responder should also note the time of each action taken, since that record feeds the lessons learned and reporting steps.
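The one thing the cable pull does destroy is the list of live network connections, so a first responder should snapshot volatile state before isolating the host. The script below is an added example, not part of the PACE-IT slides: it reads Linux /proc directly (so it does not depend on ps, ss or netstat being installed), writes the connection table and process list to a collection directory, and SHA-256 hashes every artifact into a manifest so later tampering is detectable. The /proc/net/tcp sample embedded in it is constructed for the parser demonstration; the output directory name is an assumption.

```python
"""Capture volatile host state before the network cable is pulled.

Added example (not from the PACE-IT slides). Reads Linux /proc directly; on
a system without /proc the collectors return nothing and the manifest still
covers whatever was written.
"""
import hashlib
import json
import socket
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed sample of /proc/net/tcp (one listening socket on port 22),
# used only to demonstrate the parser; real collection reads the live file.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when "
    "retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 "
    "00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
)

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
              "08": "CLOSE_WAIT", "0A": "LISTEN"}


def _read(path: str) -> str:
    """Return a file's text, or '' if it is missing or unreadable."""
    try:
        return Path(path).read_text()
    except OSError:
        return ""


def _decode_proc_addr(hex_addr: str) -> str:
    """Turn '0100007F:0016' (little-endian IPv4, hex port) into '127.0.0.1:22'."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list:
    """Parse /proc/net/tcp content into [{'local', 'remote', 'state'}, ...]."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        conns.append({"local": _decode_proc_addr(fields[1]),
                      "remote": _decode_proc_addr(fields[2]),
                      "state": TCP_STATES.get(fields[3], fields[3])})
    return conns


def list_processes() -> list:
    """Snapshot pid, name and command line of every process visible in /proc."""
    proc = Path("/proc")
    if not proc.is_dir():
        return []
    procs = []
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
            cmdline = (entry / "cmdline").read_bytes().replace(b"\0", b" ")
        except OSError:  # process exited, or not ours to read
            continue
        procs.append({"pid": int(entry.name), "comm": comm,
                      "cmdline": cmdline.decode(errors="replace").strip()})
    return sorted(procs, key=lambda p: p["pid"])


def collect_volatile(out_dir: Optional[str] = None):
    """Write the volatile artifacts to out_dir; return (dir, {name: sha256})."""
    out = Path(out_dir or tempfile.mkdtemp(prefix="ir-volatile-"))  # assumed name
    out.mkdir(parents=True, exist_ok=True)
    raw_tcp = _read("/proc/net/tcp")
    uptime = _read("/proc/uptime").split()
    artifacts = {
        "host.json": json.dumps({
            "hostname": socket.gethostname(),
            "collected_at": time.strftime("%Y-%m-%dT%H:%M:%S%z"),
            "uptime_seconds": float(uptime[0]) if uptime else None,
        }, indent=2),
        "net_tcp.raw": raw_tcp,  # keep the untouched source next to the parse
        "net_tcp.json": json.dumps(parse_proc_net_tcp(raw_tcp), indent=2),
        "processes.json": json.dumps(list_processes(), indent=2),
    }
    manifest = {}
    for name, content in artifacts.items():
        data = content.encode()
        (out / name).write_bytes(data)
        manifest[name] = hashlib.sha256(data).hexdigest()
    (out / "manifest.sha256").write_text(
        "".join(f"{digest}  {name}\n" for name, digest in manifest.items()))
    return out, manifest


def verify_manifest(out_dir) -> bool:
    """Re-hash every artifact; False if any file changed since collection."""
    out = Path(out_dir)
    for line in (out / "manifest.sha256").read_text().splitlines():
        digest, name = line.split("  ", 1)
        if hashlib.sha256((out / name).read_bytes()).hexdigest() != digest:
            return False
    return True


if __name__ == "__main__":
    where, digests = collect_volatile()
    print(f"collected {len(digests)} artifacts into {where}")
```

Run it as the first action on the affected host, then pull the cable. The manifest is the piece that matters for the later reporting step: it lets the response team show that what they analysed is what the first responder collected.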


Page 6

Incident response procedures and concepts.

Page 7

Incident response procedures and concepts.

– Preparation.
» A security response team should be created by an organization before an incident ever occurs.
• The organization should be educated as to how everyone needs to respond to a security incident and how the response is to be conducted.

– Incident identification.
» Every member of the response team should be capable of identifying a security incident.
• All members of the organization should be educated in how to identify a security incident (in many cases, it is the help desk personnel in an organization who will first recognize that an incident might be occurring).

– Escalation and notification.
» Once a security incident has been identified, the incident response team should be notified.
• All personnel should know how to contact the security response team.
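The identification and escalation steps above, together with the first responder's scope assessment from page 5, can be written down as a small triage routine. The following is an added example, not code from the PACE-IT slides: it parses a batch of endpoint alerts, separates confirmed signals (a failed quarantine, lateral scanning) from detections that were cleanly handled, works out whether the incident is one host, one network segment or several, and turns that into a containment recommendation and an escalation decision. The key=value alert format, the event names, the /24-per-segment assumption and the contact address are all constructed for this example.

```python
"""Triage a batch of endpoint alerts into an escalation decision.

Added example (not from the PACE-IT slides). Confirmed signals page the
response team; a single cleanly quarantined detection does not.
"""
import ipaddress
import json
from datetime import datetime

IR_TEAM_CONTACT = "security-response@example.org"  # assumed; substitute your own

# Events that by themselves mean the activity is not under control.
CONFIRMED_EVENTS = {"lateral_smb_scan", "credential_dump"}
FAILED_ACTIONS = {"quarantine_failed"}

# Constructed sample alerts (not real data): an accounting segment where
# antivirus could not quarantine, plus one cleanly handled detection in HR.
SAMPLE_ALERTS = """\
2024-03-04T09:12:01Z host=ACCT-PC-07 ip=10.20.5.17 src=av event=malware_detected signature=Trojan.Generic action=quarantined
2024-03-04T09:12:40Z host=ACCT-PC-07 ip=10.20.5.17 src=av event=malware_detected signature=Trojan.Generic action=quarantine_failed
2024-03-04T09:13:10Z host=ACCT-PC-12 ip=10.20.5.22 src=av event=malware_detected signature=Trojan.Generic action=quarantine_failed
2024-03-04T09:13:55Z host=ACCT-PC-03 ip=10.20.5.31 src=ids event=lateral_smb_scan dst=10.20.5.0/24
2024-03-04T09:14:30Z host=HR-PC-02 ip=10.20.9.5 src=av event=malware_detected signature=PUP.Adware action=quarantined
"""

# First-responder containment per scope; wording follows the slides.
CONTAINMENT = {
    "none": "no containment needed; log the event and keep monitoring",
    "single system": "unplug the network cable from the host; do not power it off",
    "multiple systems, one segment": "disable the affected switch ports or power down the access switch for that segment",
    "multiple segments": "isolate every affected segment and hand off; this exceeds first-responder scope",
}


def parse_alert(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def is_confirmed(rec: dict) -> bool:
    """A detection that was cleanly quarantined is an event, not an incident."""
    return rec.get("event") in CONFIRMED_EVENTS or rec.get("action") in FAILED_ACTIONS


def assess_scope(records: list) -> dict:
    """Answer 'how widespread is it?' from the confirmed alerts only."""
    confirmed = [r for r in records if is_confirmed(r)]
    hosts = sorted({r["host"] for r in confirmed})
    # Assumption: each /24 is one switch segment; adjust to the site's layout.
    segments = sorted({str(ipaddress.ip_interface(r["ip"] + "/24").network)
                       for r in confirmed})
    if not hosts:
        scope = "none"
    elif len(hosts) == 1:
        scope = "single system"
    elif len(segments) == 1:
        scope = "multiple systems, one segment"
    else:
        scope = "multiple segments"
    first_seen = min(r["ts"] for r in confirmed).isoformat() if confirmed else None
    return {"scope": scope, "hosts": hosts, "segments": segments,
            "first_seen": first_seen}


def triage(log_text: str) -> dict:
    """Full first-responder decision: scope, containment, and who to notify."""
    records = [parse_alert(line) for line in log_text.splitlines() if line.strip()]
    result = assess_scope(records)
    result["escalate"] = result["scope"] != "none"
    result["containment"] = CONTAINMENT[result["scope"]]
    result["notify"] = IR_TEAM_CONTACT if result["escalate"] else None
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERTS), indent=2))
```

On the sample input the three accounting hosts share one segment, so the recommendation is segment-level isolation rather than three separate cable pulls, and the HR detection is left as a logged event. The thresholds are deliberately simple; the point is that the "is this an incident?" and "how far has it spread?" questions are answered from the data before anyone is paged.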

Page 8

Incident response procedures and concepts.

– Mitigation steps.
» After containing the incident, security response personnel will identify the steps required to mitigate the situation.
• The steps may be as simple as requiring an antivirus software package to be updated.
• The mitigation may be more complex, possibly installing a new firewall.

– Lessons learned.
» Document what has occurred and how it was handled in order to help prevent the same situation from happening in the future.
• How did this happen?
• How did it get resolved, and was the resolution effective?
• How can a similar occurrence be prevented in the future?

– Reporting.
» The lessons learned documentation can be used to create a report. The report will have several uses.
• Used to educate and train the security response team.
• Used to educate and train end users on best practices.

Page 9

Incident response procedures and concepts.

– Recovery and reconstitution procedures.
» These define how the system or systems are going to be returned to the state they were in before the security incident occurred (e.g., using a preconfigured system image that is stored on the imaging server). Any evidence the investigation still needs (a disk image, local logs) must be preserved before the system is reimaged, since reimaging destroys it.

– Incident isolation.
» Quarantine or remove the affected device or devices to reduce the opportunity for more damage to occur.

– Damage and loss control.
» Always identify the extent of the damage to help ensure that it is contained to only the affected system(s).

– Data breach.
» A data breach is any time that sensitive data is made available to an untrusted party.
• Extremely sensitive data should never be allowed on the network; it should be kept in offline storage.

Page 10

What was covered.

Topic: First responder responsibilities.
Summary: The first responder has two main responsibilities. The first responsibility is to properly assess the extent of the incident (e.g., limited to a single device, or involving a whole department). The second main responsibility is to contain or isolate the damage. In most cases, this can be achieved by quarantining the device(s) by disconnecting them from the network.

Topic: Incident response procedures and concepts.
Summary: There are several important incident response procedures and concepts. These include: preparation, incident identification, escalation and notification, mitigation steps, lessons learned documentation, reporting, recovery and reconstitution procedures, incident isolation, damage and loss control, and data breach prevention.

Page 11

THANK YOU!

Page 12

This workforce solution was 100 percent funded by a $3 million grant awarded by the U.S. Department of Labor's Employment and Training Administration. The solution was created by the grantee and does not necessarily reflect the official position of the U.S. Department of Labor. The Department of Labor makes no guarantees, warranties, or assurances of any kind, express or implied, with respect to such information, including any information on linked sites and including, but not limited to, accuracy of the information or its completeness, timeliness, usefulness, adequacy, continued availability or ownership. Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53.

PACE-IT is an equal opportunity employer/program and auxiliary aids and services are available upon request to individuals with disabilities. For those that are hearing impaired, a video phone is available at the Services for Students with Disabilities (SSD) office in Mountlake Terrace Hall 159. Check www.edcc.edu/ssd for office hours. Call 425.354.3113 on a video phone for more information about the PACE-IT program. For any additional special accommodations needed, call the SSD office at 425.640.1814. Edmonds Community College does not discriminate on the basis of race; color; religion; national origin; sex; disability; sexual orientation; age; citizenship, marital, or veteran status; or genetic information in its programs and activities.