Now that we have discussed how to protect against malware and numerous other threats, it is equally important that a good plan is in place for when systems, or the network in general, become compromised. First and foremost, if you think a compromise or incident has occurred, the affected systems must be taken offline immediately; this will reduce any further compromise. Next, I would highly recommend notifying the Computer Security Incident Response Team (CSIRT). A CSIRT is an organization that receives security incident reports, provides a detailed analysis of each report and then relays that information to the sender. A CSIRT will provide 24/7 service to any user, service, company, or organization. The great thing about CSIRT is
A CSIRT also provides various other functions, including internet abuse handling, computer forensics, virus response, disaster recovery, intrusion detection system solutions and incident handling, among many others. A CSIRT also investigates the incident, determining root cause, findings, lessons learned and the actions to be taken. A CSIRT can be great for eradicating the root cause and moving on with business; prior to an incident, though, it is important to have a solid backup and restore plan in place in case data is compromised or stolen. There are several ways to back up and restore a Windows machine, but I will only be discussing those tools and techniques. Windows itself houses several backup tools, including file backup, which gives users the ability to make copies of data files for all users on that computer; this is done either by letting Windows pick the files or by selecting them individually as folders, drives, etc. These backups are created according to the schedule set. A Windows tool to restore your computer is simply called System Restore, which I am quite familiar with because I have used it quite often. This tool allows the computer to restore files to an earlier point in
The first case will require blocking, using the firewall, any outbound traffic initiated from within the network and directed to unknown hosts. Resetting passwords for all accounts, changing encryption keys and installing intrusion detection and prevention at the host level will also help to deal with the seeds left behind by the intruders.
Windows hardening defense starts with the basics: log in with the least amount of privilege. Always use a firewall and AV. Monitor channels for security advisories and alerts. Know your system(s). Patch early and patch often; unpatched systems are the lowest of low-hanging fruit. Have a patch policy documented and stick with it. Review patches as they are released and determine criticality based on the exploit, the threat footprint for your system(s), and whether or not there is a POC or fully weaponized exploit in the wild. When possible, test patches before rolling them out to production servers. Most clients should have automatic updates enabled for the OS and any application listening
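The patch review the paragraph above describes is a decision procedure with three inputs: how bad the bug is, whether a POC or weaponized exploit exists, and which of your own systems actually run the affected product and how exposed they are. The block below, an added example that is not the original author's code, turns that into a ranking function. The tiers, point values and SLA days are assumed policy numbers, and the advisories and hosts are constructed; a real run would feed it the advisory feed you monitor and your asset inventory.

```python
"""Rank released patches by severity, exploit maturity and threat footprint.
Added example, not the page author's code.  EXPLOIT_RANK, SLA_DAYS and the
tier cut-offs are assumed policy values; the sample data is constructed."""
from dataclasses import dataclass

EXPLOIT_RANK = {"none": 0, "poc": 1, "weaponized": 2}   # assumed weights
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}        # assumed deadlines (days)


@dataclass(frozen=True)
class Advisory:
    id: str
    product: str
    cvss: float
    exploit: str        # "none" | "poc" | "weaponized"


@dataclass(frozen=True)
class Host:
    name: str
    products: tuple
    internet_facing: bool
    server: bool        # servers get a test ring first; clients auto-update


def severity_points(cvss):
    """Bucket a CVSS base score into the bands most patch policies use."""
    if cvss >= 9.0:
        return 3
    if cvss >= 7.0:
        return 2
    if cvss >= 4.0:
        return 1
    return 0


def priority(adv, hosts):
    """Return (tier, affected host names); tier is None when nothing in our
    footprint runs the product, so there is nothing to schedule."""
    affected = [h for h in hosts if adv.product in h.products]
    if not affected:
        return None, []
    score = severity_points(adv.cvss) + EXPLOIT_RANK[adv.exploit]
    if any(h.internet_facing for h in affected):
        score += 2      # reachable from the internet: no foothold needed
    if score >= 6:
        tier = "P1"
    elif score >= 4:
        tier = "P2"
    elif score >= 2:
        tier = "P3"
    else:
        tier = "P4"
    return tier, [h.name for h in affected]


def triage(advisories, hosts):
    """Build the patch plan, most urgent first."""
    plan = []
    for adv in advisories:
        tier, names = priority(adv, hosts)
        if tier is None:
            continue
        affected = [h for h in hosts if h.name in names]
        plan.append({
            "id": adv.id,
            "tier": tier,
            "sla_days": SLA_DAYS[tier],
            "hosts": names,
            "test_first": any(h.server for h in affected),
        })
    plan.sort(key=lambda p: (p["sla_days"], p["id"]))
    return plan


# Constructed sample inventory and advisory feed (not real advisories).
SAMPLE_ADVISORIES = [
    Advisory("A-1", "IIS", 9.8, "weaponized"),
    Advisory("A-2", "Office", 7.8, "poc"),
    Advisory("A-3", "Exchange", 9.0, "weaponized"),   # not in our footprint
    Advisory("A-4", "Print Spooler", 5.5, "none"),
]
SAMPLE_HOSTS = [
    Host("web01", ("IIS", "Print Spooler"), internet_facing=True, server=True),
    Host("pc-alice", ("Office", "Print Spooler"), internet_facing=False, server=False),
]

if __name__ == "__main__":
    for item in triage(SAMPLE_ADVISORIES, SAMPLE_HOSTS):
        print(item)
```

The weaponized, internet-facing IIS bug lands in P1 with a two-day deadline, the Office PoC on an internal client is a routine P3, and the Exchange advisory produces no work item because no host runs it; the `test_first` flag carries the paragraph's "test on servers, auto-update clients" rule into the plan.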
Immediately bring down any affected systems: shut them down and power down the switches and/or routers for the entire segment that was hacked. The servers that were hacked need to be reset immediately, meaning passwords, the backup system and its applications. But before doing this to any system, the company should take an image of the affected systems for forensic investigation; this will be the evidence against the hacker. Antivirus software needs to be run as soon as possible and security patches need to be installed across the entire company network. The computers that were hacked need to be shut down and retrieved, especially the one belonging to the employee who hacked the system. Reroute network traffic to backup servers. This will help the company minimize the chance of the incident recurring. The company should also remove/reset accounts and/or backdoors left on hacked systems.
1. When you are notified that a user’s workstation or system is acting strangely and log files indicate system compromise, what is the first thing you should do to the workstation or system and why?
We are able to protect our networks from risk, but never in totality; despite all our best efforts, we are never 100% protected. “Of the two basic problems that rely on prevention, the first is that information security risks are multifaceted in nature, which implies that a virus arriving via e-mail, for example, may not only infect the local system but could also install a backdoor for unauthorized access to the network that can be connected to the utility provider of another country. The second problem is that true prevention requires the elimination of risk (i.e., stopping its occurrence). The only way to do that is to control most, if not all, components of the event. Not an easy task. That said, practical prevention is both the implementation of lessons learned and the application of knowledge gained to avoid the same fate in the future” (Ameri). Prevention requires reassessment of your security policy, and learning and revamping protocols to adjust to potential threats to maintain a healthy
3. Install antivirus software (e.g. McAfee AV or ESET) with real-time protection or an internet security
You will learn to recognize security events and baseline anomalies that might indicate suspicious activity.
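Recognising the events that the containment passages above react to (a password-guessing burst that ends in a successful logon, and the "accounts and/or backdoors left on hacked systems" that have to be removed) comes down to a few rules over the Security log. The block below is an added example, not code from any of the page's authors: it runs those rules over a constructed set of Windows Security events. The event IDs are the standard ones (4625 failed logon, 4624 logon, 4720 account created, 4732 member added to a local group, 4698 scheduled task created); the field names are a simplified normalisation of what Get-WinEvent would return, and the thresholds are assumed baselines.

```python
"""Triage constructed Windows Security-log events for a brute-force logon,
a freshly created account dropped into Administrators (a backdoor account)
and a scheduled task that account registers (persistence).
Added example, not the page authors' code.  Events are constructed;
thresholds are assumed baselines."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_THRESHOLD = 5                   # assumed: 5 failures from one source...
FAILED_LOGON_WINDOW = timedelta(minutes=1)   # ...inside one minute is not a typo
BACKDOOR_WINDOW = timedelta(minutes=30)      # create-then-elevate this fast is suspicious

# "user" is the account acted on, "subject" the account doing the acting.
SAMPLE_EVENTS = [
    {"id": 4625, "time": "2024-03-01T02:00:01", "user": "administrator", "src": "10.0.5.23"},
    {"id": 4625, "time": "2024-03-01T02:00:05", "user": "administrator", "src": "10.0.5.23"},
    {"id": 4625, "time": "2024-03-01T02:00:09", "user": "administrator", "src": "10.0.5.23"},
    {"id": 4625, "time": "2024-03-01T02:00:14", "user": "administrator", "src": "10.0.5.23"},
    {"id": 4625, "time": "2024-03-01T02:00:20", "user": "administrator", "src": "10.0.5.23"},
    {"id": 4625, "time": "2024-03-01T02:00:26", "user": "administrator", "src": "10.0.5.23"},
    {"id": 4624, "time": "2024-03-01T02:00:31", "user": "administrator", "src": "10.0.5.23"},
    {"id": 4720, "time": "2024-03-01T02:05:10", "user": "svc_backup2", "subject": "administrator"},
    {"id": 4732, "time": "2024-03-01T02:05:30", "user": "svc_backup2", "group": "Administrators",
     "subject": "administrator"},
    {"id": 4698, "time": "2024-03-01T02:06:00", "task": "\\Updater", "subject": "svc_backup2"},
    {"id": 4625, "time": "2024-03-01T08:59:40", "user": "alice", "src": "10.0.1.15"},  # one typo
    {"id": 4624, "time": "2024-03-01T09:00:00", "user": "alice", "src": "10.0.1.15"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def detect_bruteforce(events):
    """Flag a source with >= FAILED_LOGON_THRESHOLD failures inside
    FAILED_LOGON_WINDOW; escalate if a 4624 from that source follows the burst,
    because that is the account whose password must be reset."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append(_t(e["time"]))
    findings = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= FAILED_LOGON_WINDOW:
                j += 1
            if j - i + 1 < FAILED_LOGON_THRESHOLD:
                continue
            burst_end = times[j]
            logons = [e for e in events
                      if e["id"] == 4624 and e.get("src") == src and _t(e["time"]) >= burst_end]
            findings.append({
                "kind": "bruteforce_success" if logons else "bruteforce",
                "src": src,
                "failures": j - i + 1,
                "user": logons[0]["user"] if logons else None,
            })
            break   # one finding per source is enough for triage
    return findings


def detect_backdoor_accounts(events):
    """A 4720 followed within BACKDOOR_WINDOW by a 4732 into Administrators for
    the same account is a backdoor account; a 4698 registered by that account
    is its persistence.  Both go on the remove/reset list."""
    created = {e["user"]: _t(e["time"]) for e in events if e["id"] == 4720}
    findings = []
    for e in events:
        if (e["id"] == 4732 and e.get("group") == "Administrators"
                and e["user"] in created
                and _t(e["time"]) - created[e["user"]] <= BACKDOOR_WINDOW):
            findings.append({"kind": "backdoor_admin", "user": e["user"], "by": e["subject"]})
        elif e["id"] == 4698 and e.get("subject") in created:
            findings.append({"kind": "persistence_task", "user": e["subject"], "task": e["task"]})
    return findings


def triage(events):
    """Run every detector; findings come back in the order an analyst acts on them."""
    return detect_bruteforce(events) + detect_backdoor_accounts(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Alice's single failed logon never reaches the threshold, so the baseline rule separates a typo from the six-failures-then-success burst. The account-creation rule is deliberately keyed on timing rather than on the account name, since an attacker picks names that look like service accounts.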
In December 2013, Target CEO Gregg Steinhafel announced that the company had been affected by a data breach that occurred between November 27 and December 15, 2013. “Target disclosed that online thieves hacked into its computer system, stealing credit card or personal information from more than 100 million customers. Both personal data and credit card information may have been stolen from about 12 million people” (Abrams, 2014). The outcome of this breach cost Gregg Steinhafel his job, as well as the trust of Target’s consumers and investors, and close to $150 million in breach-related costs. This breach is considered one of the largest retail data breaches in U.S. history due to the amount of personal data and credit card
Why is it a good idea to include human resources on the incident response management team?
Rootkits for both the operating system and the database are lethal and stealthy. There isn’t a silver bullet to nail them in one shot. It is predictable that this arms race between rootkit developers and security vendors will last for a long time. Defending against rootkits is a collective effort among all information technology departments in the organization. It is crucial to apply the defense-in-depth principle here. An attacker has to exploit a vulnerability that exists on the computer system first before installing a rootkit to cause further damage. On the system administration side, patching the operating system and the database regularly is very important. A proper network infrastructure design to segregate the servers by their services
The security incident management policy of Blyth’s Books is quite comprehensive in the aspect of detection and reporting of information security events. Detection and reporting of a security incident is vital for an organisation’s survival. If an organisation’s stakeholders and employees cannot detect when an incident has occurred, or have detected one but cannot report it because they do not know how or to whom to report, the remainder of the incident management procedure, which is aimed at getting the organisation back on its feet information-security-wise, cannot be put into process. No one can handle or respond to an incident they have no knowledge of. The security incident management policy of Blyth’s Books was pretty comprehensive in outlining what security incidents are and how they could be identified by those covered in the scope of the policy. A review of Norwegian organisations and institutions performed in 2005, in which strategies for data security incidents were analysed, demonstrated that statistics
Nearly 83% of all Americans in the United States own a computer with a broadband connection to the internet, and 83% of them are at risk of a cyber attack. Most computers have antivirus software installed to prevent unwanted
First we need to understand that we are the first line of defense against any type of cybercrime and need to become more proactive in helping ourselves. While there are laws in place that are constantly being revised to protect our information, for the most part they only help after the fact. The average user doesn’t have the proper software set up on their home PCs to protect their information, and even when they do, they don’t keep it up to date. There are several very good services available either for free or at a very reasonable cost, such as antivirus software, adware/spyware protection, and firewall software, that will help keep our information from being obtained directly from our very own computers. Once we have these items in place, it becomes just as important to configure them properly and keep them up to date so these programs can catch all the newest ways the criminals use to try to get around them.
Protecting yourself is only effective if you know what you are protecting yourself against and how to protect it. There are a couple of ways to start getting more protected. The first thing you don't want to do is run the default operating system install, which would have a default password, no security patches and no virus protection. The second thing you don't want to do is use simple and common passwords, for example "password". In the 10 immutable laws below, one of the laws is that someone is always trying to guess your password, so make sure it's unique. A third suggestion would be to keep closed as many ports as you don't need; a firewall can do this, which is covered in the 3rd section on Security Technologies. Finally, make sure you don't click on any email that you don't recognize or that looks suspicious. Many viruses are spread by opening emails or clicking on the link inside. This rule would help decrease the spread
The increasing volume and sophistication of cyber security threats including targeted data theft, phishing scams and other online vulnerabilities demand that we remain vigilant about securing our systems and information.