Friday, March 28, 2008

Assignment 2 - NIST SP 800-86

Guide to Integrating Forensic Techniques into Incident Response

1. Name and briefly describe the four process phases for performing digital forensics.

- Collection: In this phase, data related to the incident is identified, labeled, recorded, and collected, and its integrity is preserved.

- Examination: In this phase, forensic tools and techniques, individually or in combination, are used to identify and extract the relevant information from the collected data while preserving its integrity.

- Analysis: In this phase, useful information is derived by analyzing the results of the examination.

- Reporting: In this phase, the results of the analysis are reported, including a description of the actions performed, actions that still need to be performed, and recommended improvements to policies, guidelines, procedures, tools, and other aspects of the forensic process.
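The collection and examination phases above both depend on proving that the collected data has not changed. The following is an added example (not from NIST SP 800-86 or from the original post) that shows one way to do this: hash every item at collection time into a labeled manifest, then refuse to run an examination step until the hashes verify. The evidence set, file names, case identifier and log contents are all constructed for the example.

```python
"""Added example: integrity preservation across the collection and examination phases.
Evidence items, names and contents below are constructed, not real case data."""
import hashlib
from datetime import datetime, timezone

# Constructed sample evidence: name -> raw bytes as they would be acquired.
EVIDENCE = {
    "auth.log": b"Mar 28 10:01:02 host sshd[1234]: Failed password for root from 198.51.100.7\n"
                b"Mar 28 10:01:09 host sshd[1234]: Accepted password for alice from 192.0.2.9\n",
    "notes.txt": b"meeting at 3pm\n",
}


def sha256_hex(data: bytes) -> str:
    """Hash used for the integrity record; SHA-256 is what the manifest stores."""
    return hashlib.sha256(data).hexdigest()


def collect(evidence: dict, collector: str, case_id: str) -> dict:
    """Collection phase: identify, label, record and hash every item.

    The manifest is the record that later phases check against. Items are processed
    in sorted name order so labels are deterministic.
    """
    items = []
    for name in sorted(evidence):
        data = evidence[name]
        items.append({
            "label": f"{case_id}-{len(items) + 1:03d}",   # hypothetical labeling scheme
            "name": name,
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }


def verify(manifest: dict, evidence: dict) -> dict:
    """Recompute every hash and report each item that is missing or has changed.

    Returns an empty dict when the evidence matches the manifest exactly.
    """
    problems = {}
    for item in manifest["items"]:
        data = evidence.get(item["name"])
        if data is None:
            problems[item["name"]] = "missing"
        elif sha256_hex(data) != item["sha256"]:
            problems[item["name"]] = "hash mismatch"
    return problems


def extract_failed_logins(manifest: dict, evidence: dict) -> list:
    """Examination phase: extract relevant lines, but only after integrity is confirmed."""
    problems = verify(manifest, evidence)
    if problems:
        raise ValueError(f"integrity check failed: {problems}")
    hits = []
    for item in manifest["items"]:
        text = evidence[item["name"]].decode("utf-8", "replace")
        for line in text.splitlines():
            if "Failed password" in line:
                hits.append((item["label"], line))
    return hits


if __name__ == "__main__":
    manifest = collect(EVIDENCE, collector="analyst", case_id="CASE-001")
    print("manifest items:", [(i["label"], i["name"], i["sha256"][:12]) for i in manifest["items"]])
    print("verify on untouched copy:", verify(manifest, EVIDENCE))
    tampered = dict(EVIDENCE)
    tampered["notes.txt"] = b"meeting at 4pm\n"
    print("verify on altered copy:", verify(manifest, tampered))
    print("failed logins:", extract_failed_logins(manifest, EVIDENCE))
```

The point of `extract_failed_logins` raising instead of continuing is that analysis results derived from unverified data cannot be defended later; the manifest's `collected_by` and `collected_at` fields are the minimum labeling the collection phase calls for, and in practice they would be written to storage separate from the evidence itself.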

2. Name the three organizational groups that are the primary forensic tool users.

- Investigators

- IT Professionals

- Incident Handlers

3. What is incident (handling) response?

Incident handling/response is a computer security strategy for responding to an event by investigating suspect systems, gathering and preserving evidence, reconstructing events, and assessing the current state of the event.

4. What is an incident response team?

An incident response team is a group that responds to a variety of computer security incidents, such as unauthorized data access, inappropriate system usage, malicious code infections, and denial of service attacks, using different kinds of forensic techniques and tools.

5. When reporting an incident, what information should be provided?

Alternative explanations, audience consideration, and actionable information should be provided when reporting an incident.

6. Name and describe four categories of tools that should be available to respond to an incident.

- Data file system analysis tools: Software used to examine a file system or disk image and show file contents and other metadata.

- Operating system analysis tools: Software used to collect, examine, and analyze data from common workstation or server operating systems.

- Network traffic analysis tools: Software used to analyze network packets and traffic.

- Application analysis tools: Software used to analyze application data, such as data from e-mail clients, Web browsers, and word processors.

7. What is a Denial of Service (DoS) attack?

A Denial of Service attack is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units, memory, bandwidth, and disk space.

8. Name and describe five DoS attack containment strategies.

- Correct the vulnerability or weakness that is being exploited: Patch the vulnerability.

- Implement filtering based on the characteristics of the attack: The filtering can be done at a border router or firewall that blocks the suspect attack traffic.

- Have the ISP implement filtering: Rely on the ISP to implement filtering that blocks the DoS attack traffic.

- Relocate the target: The targeted service could be transferred to a different host.

- Attack the attackers: Administrators may modify network or server configurations to bounce attack traffic back to its source.
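The second strategy above, filtering based on the characteristics of the attack, starts with working out what those characteristics are from observed traffic. As an added example (not from NIST SP 800-86 or the original post), the code below counts requests per source address in a constructed web access log, flags sources whose volume exceeds a threshold, and renders block rules for a border firewall. The log lines, addresses and the threshold are all made up for the example; the rule format follows common iptables syntax but is shown only as an illustration of turning a finding into a filter.

```python
"""Added example: deriving DoS filter candidates from observed traffic characteristics.
All log lines and addresses below are constructed for illustration."""
from collections import Counter

# Constructed access log: one source (203.0.113.5) floods, two others are normal.
LOG_LINES = (
    [f"2008-03-28T10:00:{i:02d} 203.0.113.5 GET /search?q={i} 200" for i in range(8)]
    + ["2008-03-28T10:00:03 198.51.100.7 GET /index.html 200",
       "2008-03-28T10:00:05 192.0.2.9 GET /about.html 200",
       "2008-03-28T10:00:06 192.0.2.9 GET /contact.html 200",
       "malformed line that should be skipped"]
)


def parse_line(line: str):
    """Return (timestamp, source_ip, path) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    timestamp, src, _method, path, _status = parts
    return timestamp, src, path


def count_by_source(lines) -> Counter:
    """Characterize the traffic: how many requests each source address sent."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed[1]] += 1
    return counts


def find_flood_sources(lines, threshold: int) -> list:
    """Sources at or above the threshold, most active first, then by address for stable output."""
    counts = count_by_source(lines)
    flagged = [src for src, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda s: (-counts[s], s))


def build_filter_rules(sources) -> list:
    """Render one border-firewall drop rule per flagged source (iptables syntax, for illustration)."""
    return [f"iptables -A INPUT -s {src} -j DROP" for src in sources]


if __name__ == "__main__":
    print(count_by_source(LOG_LINES))
    flagged = find_flood_sources(LOG_LINES, threshold=5)
    for rule in build_filter_rules(flagged):
        print(rule)
```

A fixed request count is the simplest characteristic to filter on; in a real incident the threshold would be set relative to the host's normal traffic so that legitimate busy clients are not blocked, and the rules would be reviewed before being applied.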

9. Briefly define malicious code.

Malicious code is a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the security or integrity of the host's data.

10. Briefly define an unauthorized access incident. Give several examples.

An unauthorized access incident occurs whenever a user gains access to a computer or network without the consent of its administrator.

Examples:

- Cracking passwords

- Copying secret data without permission

- Reading files without read permission

- Changing data without authorization

- Running backdoor software for remote control

11. Briefly describe a multiple component incident.

A multiple component incident is a single incident that encompasses two or more incidents.
