
CEHv6 module 57 computer forensics and incident handling


DOCUMENT INFORMATION

Basic information

Title: CEHv6 module 57 computer forensics and incident handling
Institution: EC-Council
Subject: Computer Forensics and Incident Handling
Type: Lecture Module
Format:
Pages: 76
Size: 2.81 MB


Contents


Ethical Hacking and Countermeasures

Version 6

Module LVII: Computer Forensics and Incident Handling


Exam 312-50


Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Scenario

Orient Recruitment Inc. is an online human resource recruitment firm.

The web server of the firm is a critical link.

Neo, the network administrator, sees some unusual activity targeted towards the web server. The web server is overloaded with connection requests from a huge number of different sources.

Before he can realize the potential of the attack, the website of Orient Recruitment Inc. falls prey to the well-known Denial-of-Service (DoS) attack.

The company management calls up the local Incident Response Team to look into the matter and solve the DoS issue.

What steps will the incident response team take to investigate the attack?


Module Objective

• Computer Forensics

• What is an Incident

• Categories of Incidents

• Incident Response Checklist

• Procedure for Handling Incident

• Incident Management

• Incident Reporting

• What is CSIRT

• Types of Incidents and Level of Support

• Incident Specific Procedures

• Best Practices for Creating a CSIRT


Module Flow

• What is an Incident

• What is CSIRT

• Types of Incidents and Level of Support

• Procedure for Handling Incident

• Incident Specific Procedures

• Best Practices for Creating a CSIRT

To Know More About Computer Forensics, Attend EC-Council’s CHFI Program

Computer Forensics


What is Computer Forensics


"Forensic Computing is the science of capturing, processing and investigating data from computers using a methodology whereby any evidence discovered is acceptable in a Court of Law.”

According to Steve Hailey of Cyber Security Institute, computer forensics is:

“The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.”

Preservation

The forensic investigator must preserve the integrity of the original evidence. The original evidence should not be modified or damaged. The forensic examiner must make an image or a copy of the original evidence and then perform his analysis on that copy. He must also compare the copy with the original evidence to identify any modifications or damage.

Identification

The first and foremost step a forensic examiner must take before starting the investigation is to identify the evidence and its location. For example, evidence may be contained in hard disks, other removable media, or even log files. Every forensic examiner must understand the difference between actual evidence and evidence containers. Locating and identifying information is a challenge for the digital forensics investigator. Examination processes such as keyword search, log file analysis, and system checks help in the investigation.

Extraction

The immediate step after identifying the evidence is to extract data from it as soon as it is located. Since volatile data can be lost at any point in time, the forensic investigator must extract this data from the copy he made of the original evidence. The extracted data must be compared with the original evidence and analyzed.

Interpretation

The most important role played by a forensic examiner during an investigation is to interpret what he has actually found. The analysis and inspection of the evidence must be interpreted in a lucid manner.

Documentation


Documentation relating to evidence must be maintained from the beginning of the investigation until the end, when the evidence is presented before the court of law. The documentation comprises the chain-of-custody form and documents relating to evidence analysis.

The basic methodology consists of what one can think of as the three A’s:

Due to the growing misuse of computers in criminal activities, there must be a proper set of methodologies for investigation. Apart from methodologies, forensic tools also play an important role during investigations, for example by enabling the forensic examiner to recover deleted files, hidden files, and temporary data that the user may not be able to locate. The evidence acquired from computers is fragile and can be easily erased or altered. There is also the possibility that the seized computer is compromised if it is not handled using proper methodologies.

The methodologies involved in computer forensics may differ depending upon the procedures, resources, and target of the company. Stand-alone computers, workstations, servers, and online channels are some fundamental areas a forensic investigator must concentrate on. Investigation of stand-alone computers, workstations, and other removable media can be simple, whereas examination of servers and online channels can be complicated and tricky.

Auditing and logging during investigations are often not executed, yet they play a key role. They must be given due importance, as they provide leads to the case.

Need for Computer Forensics

“Computer forensics is the equivalent of surveying a crime scene or performing an autopsy on a victim.” (Source: James Borek, 2001)

Presence of a majority of electronic documents

Search and identify data in a computer

Digital Evidence can be easily destroyed, if not handled properly

For recovering Deleted, Encrypted, or Corrupted files from a system


The importance of computer forensics has grown in the present-day scenario, where computers are vulnerable to malicious use. Computers are either used as a tool to commit a crime or have become the target of attacks. Crimes committed or recorded on computers include company policy breaches, fraud records, email crimes, disclosure of valuable proprietary information, and even terrorist activities.

Law enforcement officials, network and system administrators of IT firms, attorneys, and private investigators depend upon qualified computer forensic experts to investigate their criminal and civil cases.

A majority of documents these days exist in electronic format. Computer evidence is delicate in nature; therefore it must be recorded to avoid loss of valuable evidence. Computer forensics includes locating and recovering data that resides in a computer system, and also recovering deleted, encrypted, or damaged data. This data is helpful when presenting testimony before the court of law.

Objectives of Computer Forensics

To recover, analyze, and present computer-based material in such a way that it can be presented as evidence in a court of law

To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator

The critical phase of a computer forensic investigation is presenting the inferences of the previous phases (acquiring and analyzing). The objective is obvious: you must present the discovered evidence in a way that is accepted by the court of law, which increases your chances of winning the case.

The other objective is to discover the evidence in a short time and with accuracy. The impact of the crime on the victim, such as loss of reputation and data, has to be estimated along with the intent and identity of the intruder.

Stages of Forensic Investigation in Tracking Cyber Criminals

• An incident occurs in which the company’s server is compromised

• The client contacts the company’s advocate for legal advice

• The advocate contracts an external Forensic Investigator (FI)

• The Forensic Investigator prepares the First Response of Procedures (FRP)

• The FI seizes the evidence at the crime scene and transports it to the forensics lab

• The Forensic Investigator prepares bit-stream images of the files

• The Forensic Investigator creates an MD5 hash of the files

• The Forensic Investigator examines the evidence files for proof of a crime

• The FI prepares investigation reports and concludes the investigation, enabling the advocate to identify the required proofs

• The FI hands the sensitive report to the client in a secure manner

• The advocate studies the report and might press charges against the offender in the court of law

• The Forensic Investigator usually destroys

Key Steps in Forensic Investigations

1. Computer crime is suspected

2. Collect preliminary evidence

3. Obtain court warrant for seizure (if required)

4. Perform first responder procedures

5. Seize evidence at the crime scene

6. Transport it to the forensic laboratory

7. Create 2 bit-stream copies of the evidence

Key Steps in Forensic Investigations (cont’d)

8. Generate MD5 checksum on the images

9. Prepare chain of custody

10. Store the original evidence in a secure location

11. Analyze the image copy for evidence

12. Prepare a forensic report

13. Submit the report to the client

14. If required, attend the court and testify as expert witness

The general procedure in forensic investigation is as follows:


10. Store the original evidence in a secure location, preferably away from an easily accessible location

11. Analyze the image copy for evidence

12. Prepare a forensic report that describes the forensic method used and the recovery tools used

13. Submit the report to the client

14. If required, attend the court and testify as an expert witness
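As an added example (not the module's or EC-Council's own code), the following Python script carries out steps 7 to 9 of the procedure above on constructed sample evidence: it makes two bit-stream copies, checks each copy's MD5 (and SHA-256) digest against the original, and writes a chain-of-custody record; the case id and handler name are placeholders.

```python
"""Acquisition check for steps 7-9: two bit-stream copies, digests of the
original and every copy, and a chain-of-custody record for each item.
Added example; not EC-Council's code. Case id and handler are placeholders."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image never sits in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`.
    MD5 is the digest the module names; SHA-256 is computed alongside because
    MD5 collisions are practical, so a second digest backs the integrity claim."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def make_bitstream_copies(original, dest_dir, count=2):
    """Step 7: write `count` byte-for-byte copies of `original` into `dest_dir`.
    shutil.copyfile copies content only, which is what a raw image copy is."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    copies = []
    for i in range(1, count + 1):
        target = dest_dir / f"{Path(original).name}.copy{i}.dd"
        shutil.copyfile(original, target)
        copies.append(target)
    return copies


def verify_copies(original, copies):
    """Step 8: digest the original and every copy; return (all_match, report).
    Any copy whose digests differ from the original is marked match=False."""
    reference = hash_file(original)
    report = {"original": reference, "copies": {}}
    all_match = True
    for copy in copies:
        digests = hash_file(copy)
        match = digests == reference
        all_match = all_match and match
        report["copies"][str(copy)] = {"digests": digests, "match": match}
    return all_match, report


def custody_entry(case_id, item, handler, action, digests):
    """Step 9: one chain-of-custody record (who handled what, when, and its digests)."""
    return {"case_id": case_id, "item": str(item), "handler": handler,
            "action": action, "time_utc": datetime.now(timezone.utc).isoformat(),
            "digests": digests}


def acquire(original, work_dir, case_id="CASE-PLACEHOLDER", handler="FI-PLACEHOLDER"):
    """Run steps 7-9 and write chain_of_custody.json beside the copies.
    Returns (all copies verified, custody log as a list of entries)."""
    copies = make_bitstream_copies(original, work_dir)
    verified, report = verify_copies(original, copies)
    log = [custody_entry(case_id, original, handler, "seized and hashed", report["original"])]
    for copy in copies:
        entry = report["copies"][str(copy)]
        action = "imaged and verified" if entry["match"] else "VERIFY FAILED"
        log.append(custody_entry(case_id, copy, handler, action, entry["digests"]))
    Path(work_dir, "chain_of_custody.json").write_text(json.dumps(log, indent=2))
    return verified, log


def demo():
    """Constructed walk-through: a tiny file stands in for a seized disk; one copy
    is then altered to show that step 8 catches it. Returns the observations."""
    tmp = Path(tempfile.mkdtemp())
    evidence = tmp / "suspect_disk.img"
    evidence.write_bytes(b"abc")  # constructed evidence content
    verified, log = acquire(evidence, tmp / "lab")
    copies = sorted((tmp / "lab").glob("*.dd"))
    with open(copies[0], "r+b") as fh:  # simulate a damaged copy: overwrite first byte
        fh.write(b"X")
    still_ok, report = verify_copies(evidence, copies)
    return {"verified": verified, "entries": len(log),
            "md5_original": log[0]["digests"]["md5"],
            "after_tamper": still_ok,
            "tampered_match": report["copies"][str(copies[0])]["match"],
            "intact_match": report["copies"][str(copies[1])]["match"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```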

List of Computer Forensics Tools

The following is a list of forensics tools:

Process Explorer, Autoruns, Irfan View, Adapterwatch, Necrosoft Dig, Visual TimeAnalyzer, Evidor, Ontrack Forensic Sorter, Directory Snoop, Helix, Pslist, Fport, Psloggedon, RegScanner, X-Ways Forensics, Traces Viewer, Sleuth Kit, SMART, Penguin Sleuth Kit

Incident Handling


Present Networking Scenario

Increase in the number of companies venturing into e-business coupled with high Internet usage

Decrease in vendor product development cycle and product testing cycle

Increase in the complexity of Internet as a network

Alarming increase in intruder activities and tools, expertise of hackers, and sophistication of hacks

Lack of thoroughly trained professionals as compared to the number and intensity of security breaches

The network of the present age is growing at something like the rate of growth of the universe propounded by the Big Bang theory. The Internet, as a world wide web, is growing at a very fast rate, and the many applications running on the Internet are growing even faster, resulting in increased complexity of the Internet.

Reduction in the product development cycle, coupled with a decreased testing cycle, has led to an increase in the number of bugs in software. Unchecked vulnerabilities in a network or weaknesses in design pave the way for intruder activities.

The learning curve for carrying out network attacks is decreasing rapidly due to the easy availability of hacking tools. The denial-of-service (DoS) attacks directed against major websites a few years ago brought these security flaws to light.

Until recently, the need for an incident response team within every organization was never given serious thought. There is a lack of trained professionals who can respond to incidents and minimize their effects. Organizations are opting for in-house incident response teams. This module highlights the need for an incident response team, basic procedures for handling incidents, various CSIRTs present in the world, and more.

What is an Incident

A computer security incident is defined as “Any real or suspected adverse event in relation to the security of computer systems or computer networks.”

• Source: www.cert.org

It also includes external threats such as gaining access to systems, disrupting their services through malicious spamming, and execution of malicious code that destroys or corrupts systems.

An incident can be an event or set of events that threatens the security of computing systems and networks in any organization. It also includes system crashes, packet flooding within a network, unauthorized use of another user’s account, and gaining unauthorized network privileges, especially the administrator’s privilege.

There are various types of incidents, which have been identified after a comprehensive study of the security attacks and security breaches that have occurred from time to time in various organizations. A standard classification of incidents is as follows:

These attempts are growing more now in the cyber world.

Pornographic trafficking:

Networks have become a natural place to store and transmit pornographic material. The Internet governing bodies have banned pornography, and anything that involves it is therefore illegal. Electronic pornographic activity is common and is breaking in everywhere.

The computer and networks are being used worldwide to store, send, and receive child pornography also

Law breakers embed pornographic images in other images, making them difficult to track. One well-known technology used for this purpose is steganography.

Organized crime activity:

Some organized illegal activities are done with the help of computers, such as drug trafficking, making illegal passports, running prostitution rackets and online smuggling, and providing fake and illegal visas to people. It also involves the illegal immigration of people without proper identity proof.

Subversions:

A subversion is an incident in which a system does not behave as expected. It is supposed that the reason behind this kind of behavior of the system or the network is an attack on the integrity of the system, network, or application, but in reality it is something more.

Examples include putting up a bogus financial server to discover credit card numbers, or illegal indexing of web pages. In the case of subversion, the perpetrator modifies the web links so that whenever anyone connects to a link he is transferred to another location, which is unrelated or false.

Hoaxes:

A hoax is an email warning of some virus that may have a devastating effect on the system. It will be posed as a new virus, unknown to anyone. These emails provide false information about the virus, and they also mention a company or institution whose name is known to the public, in order to defame that company.

Category of Incidents: Low Level

Low-level incidents are the least severe kind of incidents.

They should be handled within one working day after the event occurs They can be identified when there is:

• Loss of personal password

• Suspected sharing of organization’s accounts

• Unsuccessful scans and probes

• Presence of any computer virus or worms

All incidents are of different intensity and complexity and occur under different situations or conditions, also known as vulnerabilities. Incidents are classified according to the level of their intensity and their effect on the network and systems.

They are classified into three levels: low-level incidents, mid-level incidents, and high-level incidents. The least harmful incidents are low-level incidents, and it is better to handle them within one working day.

Low-level incidents can be identified by the following symptoms:

Category of Incidents: Mid Level

The incidents at this level are comparatively more serious and thus, should be handled the same day the event occurs

• Violation of special access to a computer or computing facility

• Unfriendly employee termination

• Unauthorized storing and processing data

• Destruction of property related to a computer incident (less than $100,000)

• Personal theft of data related to computer incident($100,000)

• Computer virus or worms of comparatively larger intensity

• Illegal access to buildings

They can be identified by observing:

Mid-level incidents are a more serious kind of incident. They should be handled within the same day the event occurs, that is, normally within two to four hours of the event.

Medium level incidents are identified by the following symptoms:

processing or storing the organization’s data

incidents


Category of Incidents: High Level

These are the most serious incidents and are considered “Major” in nature.

High level incidents should be handled immediately after the incident occurs

• Denial of Service attacks

• Suspected computer break-in

• Computer virus or worms of highest intensity, e.g., Trojan back door

• Changes to system hardware, firmware, or software without authentication

• Destruction of property exceeding $100,000

• Personal theft exceeding $100,000 and illegal electronic fund transfer or download/sale

• Any kind of pornography, gambling, or violation of any law

These include:

High-level incidents are the most severe kind of incidents. They are considered major in nature. These incidents should be handled as soon as possible, due to their high intensity and risk to a company’s operation.

The following can identify high-level incidents:

data

pornography is a severe crime, and promoting it through computers and networks is also considered a high-level incident

materials

high-level incidents

to the computer security officer for cyber security/designate

Other kinds of incidents include isolated viruses or misuse of computer equipment and unintentional actions, along with common, unsuccessful scans or probes. Organizations should consult with the officer of cyber security in determining whether these “other” incidents are high, medium, or low.

How to Identify an Incident

The symptoms are:

• A system alarm from an intrusion detection tool indicating a security breach

• Suspicious entries in a network

• Accounting gaps of several minutes with no accounting log

• Other events, such as unsuccessful login attempts, unexplained new users or files, attempts to write system files, and modification or deletion of data

• Unusual usage patterns, such as programs being compiled in the accounts of users who are non-programmers

The use of intrusion detection tools is advisable, as they warn the network administrator or staff about a security breach. Identifying an intrusion manually is a cumbersome task that may take a lot of time, which can be saved by employing an intrusion detection system. The network administrator should be alert and check any suspicious entries in the network. Though an intrusion detection system detects incidents, relying totally on an IDS does not give a 100% guarantee for the systems and networks.
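As an added example (not the module's own material), the following Python checks three of the symptoms listed above against a constructed accounting log: a burst of unsuccessful login attempts, an accounting gap of several minutes with no entries, and a compiler run from a non-programmer account. The log format, thresholds and the set of programmer accounts are assumptions made for the example.

```python
"""Three incident-identification checks from the module's symptom list, run over
constructed sample log lines. Added example; not EC-Council code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed accounting log, one event per line: "<ISO time> <user> <event> [detail]".
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice login_ok
2024-03-01T09:00:30 bob login_fail
2024-03-01T09:00:41 bob login_fail
2024-03-01T09:00:52 bob login_fail
2024-03-01T09:01:03 bob login_fail
2024-03-01T09:01:15 bob login_fail
2024-03-01T09:01:20 bob login_ok
2024-03-01T09:02:00 carol exec gcc -o /tmp/a /tmp/a.c
2024-03-01T09:02:10 alice exec ls
2024-03-01T09:15:00 alice logout
"""

# Assumed for the example: accounts whose role involves compiling code.
PROGRAMMER_ACCOUNTS = {"dave"}
COMPILERS = {"gcc", "cc", "g++", "make", "javac"}


def parse_log(text):
    """Turn log text into (timestamp, user, event, detail) tuples sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, *detail = line.split(" ", 3)
        records.append((datetime.fromisoformat(ts), user, event, detail[0] if detail else ""))
    return sorted(records)


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=2)):
    """Symptom: unsuccessful login attempts. Flag a user once when `threshold`
    login_fail events fall inside `window`."""
    fails = defaultdict(list)
    for ts, user, event, _ in records:
        if event == "login_fail":
            fails[user].append(ts)
    findings = []
    for user, times in fails.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append({"symptom": "failed_login_burst", "user": user,
                                 "start": times[i].isoformat()})
                break
    return findings


def accounting_gaps(records, max_gap=timedelta(minutes=5)):
    """Symptom: accounting gap of several minutes with no log entry at all."""
    findings = []
    for (t1, *_), (t2, *_) in zip(records, records[1:]):
        if t2 - t1 > max_gap:
            findings.append({"symptom": "accounting_gap", "from": t1.isoformat(),
                             "to": t2.isoformat(),
                             "minutes": int((t2 - t1).total_seconds() // 60)})
    return findings


def unusual_compiles(records):
    """Symptom: programs compiled in the account of a non-programmer."""
    findings = []
    for ts, user, event, detail in records:
        if event == "exec" and user not in PROGRAMMER_ACCOUNTS:
            program = detail.split()[0] if detail else ""
            if program in COMPILERS:
                findings.append({"symptom": "compile_by_non_programmer", "user": user,
                                 "command": detail, "time": ts.isoformat()})
    return findings


def identify_incident(text):
    """Run all three checks and return the combined list of findings."""
    records = parse_log(text)
    return failed_login_bursts(records) + accounting_gaps(records) + unusual_compiles(records)


if __name__ == "__main__":
    for finding in identify_incident(SAMPLE_LOG):
        print(finding)
```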


How to Prevent an Incident

A key to preventing security incidents is to eliminate as many vulnerabilities as possible.

Intrusions can be prevented by:

• Scanning the network/system for security loopholes

• Auditing the network/system

• Deploying Intrusion Detection/Prevention Systems on the network/system

• Establishing Defense-in-Depth

• Securing Clients for Remote Users

A key to preventing security incidents is to eliminate the maximum possible vulnerabilities

vulnerabilities are to be placed. Scanning should be performed on a regular basis. People are to be trained to handle the vulnerabilities.

measure is taken when the level of noncompliance surpasses the set tolerance level for vulnerabilities on that part of the network

(ISA) logs and conducts remote access audits in order to ensure that access to remote accounts is enabled to authentic owners of those accounts

defense strategy, called defense in depth that can keep the network from threats rather than a single point of protection

users trying to remotely access the network are denied if they do not have correct patches, programs, and security settings

Defining the Relationship between Incident Response, Incident Handling, and Incident Management

Incident Management


Incident Response Checklist

Potential Incident Verified

Contact department/agency security staff:

• I.T. Manager

• [designee/others by department procedure]

-Security designee will contact CSIRT member

• Call 802-250-0525 (GOVnet Beeper)

• GOVnet will then contact CSIRT members (csirt@.state.vt.us)

• If no response within ten minutes call the Office of the CIO

Isolate system(s) from GOVnet [unless CSIRT decision is to leave the system connected to monitor active hacker]

Begin a log book: who / what / when / where

Identify the type of incident: virus, worm, or hacker

Preliminary estimation of the extent of the problem and number of systems

CSIRT


Incident handling is a set of procedures carried out to overcome the various kinds of incidents caused by the various vulnerabilities in systems. To overcome those vulnerabilities, the network administrator has to take steps to make the organization’s network safe, secure, and free from the vulnerabilities that encourage hackers to attack.

Incident handling involves three basic functions:

Salient features of incident handling:

occurred

recover from the losses

with the help of incident reporting process

case of a severe incident

Procedure for Handling Incident

The incident handling process is divided into six stages.

Whenever an incident is encountered, a certain set of procedures should be followed to keep track of the activities or events that occur, and an analysis should be performed of the incident: to what extent damage has occurred, what caused the incident, and what security measures should be taken so that the same incident does not happen again in the same way.

There is a particular, standardized set of activities or steps that should be taken in order to handle the incident. The incident response handling process is a six-stage process. The six stages are:

Stage 1: Preparation

Preparation enables easy coordination among staff.

• Create a policy

• Develop preventive measures to deal with threats

• Obtain resources required to deal with incidents effectively

• Develop infrastructure to respond to and support activities related to incident response

• Select team members and provide training

Company staff should be notified of regular changes taking place with the help of bulletin boards and notices, making staff familiar with the latest kinds of viruses, worms, and spam, their effects, and how they spread.

Special tools should be used to avoid potential damage and threats from viruses and worms. Systems should always be updated with the latest virus detection and eradication tools to keep the systems and the network safe from the damage these can cause.

Proper training should be provided to staff so that they are aware of the latest trends in security configuration and management. Periodic mock incident tests should be conducted as part of the training given to staff.

Incident identification involves four main steps:

The first thing to be done when there is a chance of an incident is to analyze its symptoms according to the manual available to employees, to check whether an incident has really occurred or not.

Some of the important symptoms that relate to the occurrence of an incident are given below:

anomaly in the data packets sent across the network where it is placed


or intruders who can damage the systems, which contain important data or are important

as with respect to networking needs

Identifying nature of an incident:

The nature of the incident should also be determined in order to take the action suited to that particular kind of incident. It helps the incident response team take the right actions, because a particular set of actions has worked on a similar incident before. Thus a lot of time and effort can be saved by identifying the nature of the incident.

Identifying the evidence:

Identifying the evidence is important in order to protect the date, number, evidence, and signed notes and printouts.

Protecting the evidence:

The evidence must be preserved, and proper documentation should be kept indicating the sequence of individuals who have handled the incident. The exact sequence of incident handling should be maintained, and evidence must be stored in a secure place.

Care should be taken that there is no lapse in maintaining date and time. The integrity of the evidence should be protected by keeping it on tamper-proof media or by generating a cryptographic checksum or hash.

A full backup of the system should be maintained. Hackers are aware that their evidence is being captured, so they tend to destroy every trace of data kept in the system by searching it out.

Stage 3: Containment

Containment limits the extent and intensity of an incident.

Avoid logging in as root on the compromised system

Avoid conventional methods to trace back as this may alert the attackers

Perform the backup on the system to maintain the current state of the system for facilitating the post-mortem and forensic investigation later

Change the system passwords to prevent the possibility of Spywares being installed

It is the third stage of the incident handling procedure. The first step taken in the containment stage is dealing with the critical information obtained from the identification stage about the critical information and services provided by the computer. It is the job of the CSO, the computer security officer, to investigate and discuss with management where to keep the organization’s sensitive data.

The information should be kept on a CD or on another system that is disconnected from the network, or the relevant data and information should be passed on to another, safer network.

In case a simple or well-known virus that does not pose any severe threat is found to be the culprit, the organization should use well-known and effective virus detection and eradication tools and software to get rid of it.

Changing passwords:

The passwords on all the affected systems should be changed to minimize any further loss of data in the network and systems. Also, the passwords of all the other systems that interact with the affected system should be changed so that there are no more infected systems. The uniqueness of the password for each particular system should be ensured.

Backing up the infected systems:

Damaging code should be avoided:


Stage 4: Eradication

Investigate further to uncover the cause of the incident by analyzing the system logs of various devices, such as firewall, router, and host logs

Improve defenses on target host such as:

• Reloading of a new operating system

• Enabling firewalls

• Assigning new IP address

Install all the latest patches

Disable any unnecessary services

Install anti-virus software

Apply the Company’s security policy to the system

After the incident is identified and contained the next job is to eradicate the incident encountered

In the case of a virus, the incident response team should remove the virus from all systems and media (e.g., floppy disks and backup media) with the help of a proven virus eradication tool. Various kinds of incidents leave behind malicious objects that are hard to locate.

Therefore, the main job of the incident response team is to locate malicious objects (like Trojan horses) and to remove the residue of attacks done by hackers, but only if their presence poses a risk serious enough to justify the cost.

Determining the cause and symptoms:

The data and information gathered during the containment phase serve as an aid in this step. Most of the information gathered about the type of incident is useful in the eradication phase

This information can lead to the termination and removal of these artifacts, and it may help to trace the method by which the incident can be overcome

Improve Defenses:

The right kind of protection tools and techniques should be used, such as firewalls, routers, and router filters. The new systems should be given a new IP address, or, in extreme cases, the machines should be moved to a safer operating system

Vulnerability analysis:

Use RealSecure or a comparable product as a vulnerability analysis tool to scan for vulnerable systems that are connected to the affected systems. The vulnerability tools needed depend on the intensity and scope of the incident

Vulnerability analysis is also necessary because it provides important information about the vulnerable points and areas present in the systems

It helps the team of professionals to track the weak areas in the network design so that they can be corrected. Corrections made according to the vulnerabilities reported by the tools help to produce an effective design and to remove the anomalies present in it

Stage 5: Recovery

Determine the course of action

Monitor and validate systems

Determine integrity of the backup itself by making an attempt to read its data

Verify success of operation and normal condition of system

Monitor the system by network loggers, system log files, and potential back doors

This is the stage in which the affected system is restored to its normal state. Again there is a standard set of steps that ensures the infected system is now secure. Recovery of systems involves validating the systems and monitoring them for any further infection

Recovery actions should be carried out only once it has been confirmed that the vulnerability has been removed

The two steps are as follows:

An intrusion in any enterprise or organization can be simple or complex, depending on the amount of damage or potential damage posed by the incident

First of all, the integrity of the systems is determined. The integrity of the backup is also determined by attempting to read its data. After the data is recovered from the systems and backups, the systems are verified to confirm that the operations succeeded and that the system is back to normal. Monitoring then follows, using a combination of network loggers and system log files
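The backup integrity check described above, as an added example written for this page (not code from the EC-Council module): every file listed in a manifest is read back from disk and its SHA-256 digest compared with the value recorded when the backup was taken, so an unreadable, missing or altered file is flagged before anything is restored from it. The path<TAB>sha256 manifest format and the sample files are constructed assumptions.

```python
# Added example (not from the EC-Council module): before restoring from a
# backup, read every file back and compare its SHA-256 with a manifest taken
# when the backup was made. The manifest format (path<TAB>sha256) is assumed.
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # stream in 64 KiB blocks so large archives fit in memory

def sha256_of(path):
    """Digest of the file, or None if it cannot be read (the read itself is the test)."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                h.update(block)
    except OSError:
        return None
    return h.hexdigest()

def verify_backup(backup_dir, manifest_path):
    """Return {relative_path: problem}; an empty dict means the backup is intact."""
    problems = {}
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            rel, expected = line.rstrip("\n").split("\t")
            digest = sha256_of(os.path.join(backup_dir, rel))
            if digest is None:
                problems[rel] = "unreadable or missing"
            elif digest != expected:
                problems[rel] = "content mismatch"
    return problems

def demo():
    """Constructed backup: one intact file, one altered after backup, one missing."""
    d = tempfile.mkdtemp()
    files = {"etc/hosts": b"127.0.0.1 localhost\n", "www/index.html": b"<h1>OK</h1>\n"}
    lines = []
    for rel, data in files.items():
        os.makedirs(os.path.join(d, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(d, rel), "wb") as f:
            f.write(data)
        lines.append(rel + "\t" + hashlib.sha256(data).hexdigest())
    lines.append("www/config.php\t" + "0" * 64)  # in manifest, never written
    with open(os.path.join(d, "MANIFEST"), "w", encoding="utf-8") as m:
        m.write("\n".join(lines) + "\n")
    with open(os.path.join(d, "www/index.html"), "ab") as f:
        f.write(b"<!-- changed after the manifest was taken -->\n")
    return verify_backup(d, os.path.join(d, "MANIFEST"))
```

A non-empty result means the backup must not be used for recovery until the flagged files are explained; only an empty result clears it for the restore step.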

The system is monitored for potential back doors, which can result in the loss of data. Incident recovery does not deal with forensics, but it includes tools for analysis and shows how to use them. Different incidents call for different responses on different systems, and therefore the

Stage 6: Follow-up

Determine the staff time required and perform the following cost analysis:

• Extent to which the incident disrupted the organization

• Data lost and its value

• Damaged hardware and its cost

Stage 6: Follow-up (cont’d)

Document the response to the incident by finding answers to the following:

Was the preparation for the incident sufficient?

Did detection occur promptly, and why or why not?

Could additional tools have helped?

Was the incident contained?

What practical difficulties were encountered?

Was it communicated properly?

Following up an incident as soon as recovery is complete helps the incident response team handle incidents more effectively. If more resources are employed than needed, a large amount of money and funds flows into the effort and is wasted. Hence, it is not cost-effective to devote further resources after the incident recovery process is over

The time required by the staff should be calculated in order to find out the correct cost. A brief cost analysis should be done to find out the cost associated with the several events. The cost analysis is done to determine the cost associated with the following:

• The extent to which the incident disrupted the organization
• A separate analysis should be done to find out the amount of data lost and the cost incurred on that

• The cost of damaged equipment incurred due to the incident

The time required by the internal response team to respond to the incident, and the associated cost, should be calculated

These may lead to the following cost analysis:

Documentation is of great help to the organization: it not only helps in deriving the financial cost associated with the incident but also helps to set the budget to be associated with future security efforts

The incident response team is also concerned with preparing a report that includes the lessons learned and the cost analysis described above. These reports can be used for training staff and professionals

The important portions of the report should be shared so that they can be used to raise the staff's awareness, without making any changes to the security measures

Policies and procedures related to systems should be revised in accordance with changes in technology

The document prepared from the information gathered is checked to see how the response team responded to the incident

The following questions should be asked to get the relevant information:

Incident Management

Incident management is not just responding to an incident when it happens; it also includes proactive activities that help prevent incidents by providing guidance against potential risks and threats

It includes the development of a plan of action: a set of processes that are consistent, repeatable, of high quality, measurable, and understood within the constituency

Who performs Incident Management?

Human resource personnel

Legal counsel

The firewall manager

An outsourced service provider

Incident management not only responds to incidents but also raises alerts to prevent potential risks and threats. For example, software that is open to attack is recognized before someone takes advantage of it

Below are the incident management activities and functions:

Conducting training sessions to spread awareness among users is a part of incident management plan This will help the end users to know more about computer security Users will be able to recognize suspicious events/incidents with ease and report the behavior of the attacker to the higher authority

The activities of incident management are performed by the following:

• Human resource personnel: … he/she is suspected of carrying out harmful computer activities in the organization

• Legal counsel: … organization. These rules can impact the security policies and practices of the organization internally when any system is used for harmful or malicious activities in the organization

• The firewall manager: … made frequently, so that he/she can prevent attacks from proceeding further

• An outsourced service provider: … harmful virus/malware

Figure source: http://www.cert.org/archive/pdf/04tr015.pdf#search=%22Incident%20Management%20CERT%22

Posted: 26/12/2013, 21:12
