Continuing this important subject (if not see You can do the first part by clicking here), now we will see in this second part, the “Wheel of Incident Management” which is how I call it. And this wheel is composed of the followig:

• Preparation / Prevention
• Detection / Reporting
• Containment, Eradication and Recovery
• Preliminary Analysis
• Research
• Subsequent Activities

Preparation / Prevention

If we talk about being prepared, it is important to build a sort of box with a categorization of the types of incidents, so that we can use this approach where we add the negative effects produced by the incident and the criticality of the affected resources and brings us back criticality of the incident .-

A very good practice in the preparation is to assemble a catalog of categorizing incidents, we can categorize BY TYPE OF INCIDENT and the scale of the damage caused to the left end of the post two examples of categorization .-

Other measures used may be

• Establish policies, standards and procedures .-
• Groups Prepare Incident Management and treatment .-
• Train staff .-
• Document on a map of the network architecture .-
• Document the configuration of equipment .-
• Create patterns of networks and systems .-
• Understanding the normal operation .-
• Activate the logs on systems and their applications .-
• Using a centralized collector server logs creating a log storage policy .-
• Keep all computers clocks synchronized .-
• Create cryptographic checksums of critical files systems .-
• Define and implement data backup schemes .-

We consider the use of tools for:

• Detection of events
• Monitoring systems and workstations
• Analysis of incidents
• Documentation of incidents
• Periodic analysis of risks
• Security Best Practices
• Periodic audits of the systems
• Administration may be centralized updates
• Strengthening the security of computers with properly configured Antivirus, Firewall, Host IDS, etc. .-
• Network Security
• Awareness and training of users

Detection / Reporting

In this second step is when we are faced with a detection of an incident and this can be either manually or automatically by a warning indicating that this incident or may also be a signal indicating that a system is occurring or worst incident occurred already .-

The warnings are the announcement of a web attack threat, warning or announcement of Exploit IDS and as indicators take notice of buffer overflow by an IDS, an alert for a virus that has detected malware, a firewall is alerting on repetitive ARP packets or malformed IP addresses, connectivity, slow or blocked accounts for excessive login attempts rolled identity or data on the systems themselves (E-Mail, etc.) .-

As the detection is we also have software that helps us to be monitoring, or outside agencies that we emit some kind of warning, these warnings can be generated by:

• IDS – Intrusion Detection Systems Network (NIDS) or host (HIDS)
• Antivirus software
• Software control file integrity
• Analysis of audit records (logs)
• Public information
• Users of the body

An example of the route of notification of an incident may be as follows

The initial notification message can be caused by a user or a tool that an alert this is an initial receptions (We can call the Incident Management Group), this in turn makes a categorization of the fact table based on their categorization and notification made to the owners of the relevant information affected people, systems staff, Office of Legal Resources .-

In this task we have a form with the following information:

Report data

• Identification Number
• The time
• Classification
• Brief Description
• Effects
• Detailed Description
• Responsible Care

REPORTING Data

• Name
• Charge
• Area
• Tel / Internal
• Mail

Other information to be incorporated are the state, closing date and detail the tasks, time and responsibility .-

Preliminary Analysis

Once you already have indicators or warnings need to know if it is truly a security incident or is it just a false positive, to get to see the light at the end of the road, we must make the task of gathering information. -

Collection of information to analyze

The collection of information helps us determine the extent of the incident, which networks and systems and applications that were affected, and that was what generated the incident, as occurred or is occurring, it also lets us know who originated the event, as it happened and the tools used, what vulnerabilities were exploited and any adverse impact on the company .-

Now we need to determine the extent and for this we can ask the following questions:

• How many teams were involved?
• How many networks were involved?
• How in the network managed to penetrate the attacker?
• What privilege level the attacker managed?
• What is at stake? How it impacts the organization’s activities the commitment of the teams? Are critical applications at risk?
• Who knows about the incident and how this might affect the impact of it?
• How well known is the vulnerability exploited by the attacker? Are there other computers with the same vulnerability?

 

To answer these questions we can take the following means:

make contact with the administrators of systems allows us to obtain data on abnormal events in the systems, talk to the staff provides information on abnormal events in daily activities, conduct a review of reports of intrusion detection tools will give us details of the incident also a review of communication logs, platforms and systems allows us to detect abnormal activities and finally know the network topology and access lists allows us to detect any unauthorized changes .-

Containment, response and recovery

Already in this instance have sought to the task of returning to normal systems for this we have three actions .-

CONTAINMENT Prevent the incident continues to produce damage. ERADICATION Remove the cause of the incident and all traces of damage and affected the environment RECOVERY Back to its original state .-

To carry out these actions have to have a strategy that allows us to perform operations in an organized, quick and effective but that the remedy may be worse than the disease, to have a good strategy these agents have in mind:

• Resource potential damage because of the incident
• Need for preservation of evidence
• Time and resources needed to implement the strategy
• Effectiveness of all or part of strategy
• Duration of measures to take
• Criticality of affected systems
• Characteristics of potential attackers
• If the incident is public knowledge
• Economic Loss
• Possible legal implications
• Cost-effectiveness of the strategy
• Previous experience
• Research

There is nothing better than learning from adverse events, which is why we research draws on a knowledge base that allows us to understand what happened, and how to avoid and correct it again. It never hurts to take all necessary steps in the investigation, making a correct acquisition of evidence apply at all times control of the chain of custody and validation using elements .-

To collect data we can get live with acquisition being the time of the system, running applications, network connections established, open ports, applications listening on those ports, state of the network board .-

We also have information on backups, recently copied files, network information (IDS logs, monitoring logs, information collected by sniffers, routers logs, logs of firewalls, authentication servers information (Windows domain, Samba Linux , Email, FTP, VPN, etc), we can add information testimonial by staff .-

In conclusion the entire collection of information must respect these three points

1. AUTHENTICITY: Anyone who has collected the evidence should be able to prove it is true .-
2. CHAIN OF CUSTODY: Detailed logging of the treatment of evidence, including who, how and when transported, stored and analyzed in order to avoid alterations or modifications that would compromise it.-
3. VALIDATION: Ensure that the evidence collected is the same as that presented to the authorities .-

This leads to a correct process of collecting evidence

Subsequent Activities

It is a fact that at the end of treatment and management of incidents should

• Organize meetings
• Maintain documentation
• Create knowledge bases
• Integrate incident management risk analysis
• Implement preventive controls
• Develop Dashboards

As this information we will be using to generate the pictures speak at the first point .-

Annex Boards Model Images

 

Cristian Amicelli Rivero

Dentro del marco de la seguridad de la información encontramos un punto más que importante y extenso que es la gestión y el tratamiento de los incidentes de seguridad, para ello lo vamos a dividir en 3 partes para que se puede leer e interpretar este tema.

En la primera parte nos vamos a encontrar los conceptos de la Gestión y tratamiento y sus ventajas, en una segunda partes vamos a ver los pasos en el tratamiento y por último vamos a ver algunos ejemplos.

Como ya sabemos existe la norma ISO 27001 publicada en el año 2005 que indica cómo puede una organización implantar un sistema de gestión de seguridad de la información (SGSI). y es en esta norma en la que me voy a basar.-

Es significativo contar con un plan de respuestas a incidentes. Un buen plan de respuesta a estos incidentes puede no sólo minimizar los efectos de una violación sino también, reducir la publicidad negativa de una organización.

Si lo vemos desde el punto de vista del equipo de seguridad, nos interesa saber si ocurre una violación y lo más importante es saber cuándo ocurrió. Entender que cualquier sistema es factible de una violación de seguridad permite al equipo de seguridad contar un curso de acciones para minimizar los daños potenciales. por algo Gene Spafford dijo

El único sistema seguro es aquél que esté apagado en el interior de un bloque de hormigón protegido en una habitación sellada rodeada por guardias armados y así y todo no es seguro del todo

Una vez que tenemos en cuenta esto definamos que es un incidente de seguridad.-

¿QUÉ ES UN INCIDENTE DE SEGURIDAD?

Es un hecho o amenaza que atenta contra la Confidencialidad , Integridad y Disponibilidad de un sistema informático.-

Podemos Decir que es:

Un evento es toda ocurrencia observable en un entorno informático.-

Un evento adverso es un evento con consecuencias negativas.-

Entonces como decíamos anteriormente un INCIDENTE DE SEGURIDAD es un evento adverso, que puede comprometer o compromete la disponibilidad de la información.-

También es una violación o inminente amenaza de violación de una política de seguridad de la información.-

¿QUÉ MEDIDAS TOMAR?

Medidas Preventivas son aquellas que se implementan el uso de contraseñas, Firewall, Procedimientos de Backup, Planes de continuidad, cifrado, etc.-

Con esto nos referimos a toda acción que tenga como principal medida salvaguardar nuestros activos.-

Medidas de Detección son las que tienen a controlar es decir, Registros de Auditoria, Revisiones de Seguridad, etc.-

y por último podemos hablar de las Medidas Correctivas tenientes al uso de esquemas de tolerancia a fallos, procedimientos de Restauración, etc.-

Como podemos ver estas medidas son básicas y en general la primera es la que siempre o casi siempre aplicamos, pero las otras dos también son importantes y hay que aplicarlas ya que nos permiten controlar y corregir y este conjunto que permite realizar la gestión de Incidentes.-

La Gestión de Incidentes persigue como objetivo el uso de recursos necesarios y su uso adecuado, con el afán de Realizar prevención, detección y corrección de ser necesarios al momento de atender un incidente de seguridad de la información.-

Para este fin se utilizan las siguientes pautas:

a. Prevención de incidentes

b. Detección y el reporte del incidente

c. Clasificación del incidente

d. Análisis del incidente

e. Respuesta al incidente

f. Registro de incidentes

g. Aprendizaje

Si nos basamos en este modelo nos ofrece algunos beneficios:

• Responder a los incidentes de manera sistemática, eficiente y rápida.

• Facilitar una recuperación en poco tiempo, perdiendo muy poca información.

• Realizar continuamente mejoras en la gestión y tratamiento de incidentes.

• Generar un Base de conocimientos sobre Incidentes.

• Evitar incidentes repetitivos.

• La posibilidad de apegar los incidentes acorde a legislación vigente.

 

Hasta este punto tenemos la teoría y concepto de gestión y tratamiento de Incidentes en la próxima parte vamos a ver la “Rueda del Tratamiento de Incidentes” como la llamo yo, que consta de 6 pasos.-

Cristian Amicelli Rivero