SANS Institute Information Security Reading Room

Incident Handler's Handbook

Patrick Kral

Copyright SANS Institute 2020. Author Retains Full Rights.
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.

© 2012 SANS Institute, Author retains full rights.

The Incident Handlers Handbook

GIAC (GCIH) Gold Certification

Author: Patrick Kral, patrick.kral@gmail.com
Advisor: Dr. Craig Wright
Accepted: December 5th, 2011

Abstract

One of the greatest challenges facing today's IT professionals is planning and preparing for the unexpected, especially in response to a security incident. An incident is described as any violation of policy, law, or unacceptable act that involves information assets, such as computers, networks, smartphones, etc. (Bejtlich, 2005). The scope of this document is limited to the six phases of the incident handling process ("Incident handling step-by-step," 2011) and to providing the basic information necessary as to what each step entails. Its overall purpose is to provide the basic foundation for IT professionals and managers to be able to create their own incident response policies, standards, and teams within their organizations. This document will also include an incident handler's checklist (template) that one can use to ensure that each of the incident response steps is being followed during an incident.

1. Introduction

An incident is a matter of when, not if, a compromise or violation of an organization's security will happen.
The preparation of the Computer Incident Response Team (CIRT) through planning, communication, and practice of the incident response process will provide the necessary experience should an incident occur within your organization. Each phase from preparation to lessons learned is extremely beneficial to follow in sequence, as each one builds upon the other. The following phases will provide a basic foundation to be able to perform incident response and allow one to create their own incident response plan.

2. Preparation

This phase, as its name implies, deals with preparing a team to be ready to handle an incident at a moment's notice. An incident can range from anything such as a power outage or hardware failure to the most extreme incidents, such as a violation of organizational policy by disgruntled employees or being hacked by state-sponsored hackers (Bejtlich, 2005). Regardless of the cause of the incident, preparation is the most crucial phase compared to all of the others, as it will determine how well your team will be able to respond in the event of a crisis. There are several key elements to have implemented in this phase in order to help mitigate any potential problems that may hinder one's ability to handle an incident. For the sake of brevity, the following should be performed:

a. Policy – a policy provides a written set of principles, rules, or practices within an organization; it is one of the keystone elements that provide guidance as to whether an incident has occurred in an organization. A login banner can be one way to ensure that individuals attempting to log into an organization's network will be aware of what is expected when utilizing an organization's information assets; for example, the login banner (dependent upon the local jurisdiction on privacy) can state that all activities will be monitored and any unauthorized users may face civil or criminal penalties, etc.
Without clear policies, one could leave their organization legally vulnerable to lawsuits, such as an employee being fired for look