14.2.1 Incident Responses
Learn how to properly respond to security or privacy incidents in enterprise settings.
Data theft, malware, or unauthorized access to secure content can have major consequences for a company. That is why organizations have detailed security policies that establish what is allowed to happen on their computer networks and how to respond should a security breach happen. The security policy should define the chain of custody, i.e. how evidence of a security breach is handled and by whom.
Detection
As soon as an incident happens, it is very important to document as much as you can about what happened. There are three main types of incident detection: passive, active and proactive detection.
Passive Detection
Happens when a security incident is detected while nobody was looking for it (e.g. finding prohibited content while doing routine system maintenance, or noticing additional network traffic while checking logs).
Active Detection
Happens when someone or something is actively searching for ongoing security incidents (e.g. when an IDS detects malicious traffic and alerts the network admin).
Proactive Detection
Happens when an organization actively researches and finds flaws in its own network and finds ways to patch them before they can be used against it. The best examples are penetration testing and threat hunting.
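As an added example (not part of the original notes), the following Python script shows the active-detection case in the small: a log-review check that compares outbound connections against a known baseline and produces alerts an admin could act on. The log line format, the sample lines and the baseline destinations/ports are all constructed for this example and do not correspond to any real device or organization.

```python
"""Added example: a minimal log-review detector that flags outbound
connections which deviate from a known baseline (active detection).
The log format, sample lines and baseline are constructed for this example."""
from dataclasses import dataclass
import re

# Constructed sample of outbound-connection log lines (key=value format
# assumed for this example; not taken from any real firewall or IDS).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host=ws-12 proto=tcp src=10.0.0.12 dst=10.0.0.5 dport=443 action=allow
2024-03-01T10:00:07 host=ws-12 proto=tcp src=10.0.0.12 dst=10.0.0.5 dport=445 action=allow
2024-03-01T10:01:15 host=ws-12 proto=tcp src=10.0.0.12 dst=198.51.100.23 dport=9001 action=allow
2024-03-01T10:01:20 host=ws-12 proto=udp src=10.0.0.12 dst=10.0.0.1 dport=53 action=allow
2024-03-01T10:02:03 host=ws-12 proto=tcp src=10.0.0.12 dst=203.0.113.9 dport=443 action=allow
"""

# Constructed baseline: internal file server, DNS resolver, one known
# external service, and the ports an ordinary workstation is expected to use.
BASELINE_DESTINATIONS = {"10.0.0.5", "10.0.0.1", "203.0.113.9"}
BASELINE_PORTS = {53, 80, 443, 445}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    dst: str
    dport: int
    reasons: tuple


def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def review_log(text, baseline_dsts=BASELINE_DESTINATIONS, baseline_ports=BASELINE_PORTS):
    """Flag connections that deviate from the baseline.

    Returns (alerts, skipped): the alerts raised and the number of malformed
    lines that could not be parsed. Malformed lines are counted rather than
    silently dropped, so a reviewer knows when the log itself is incomplete.
    """
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        reasons = []
        if rec["dst"] not in baseline_dsts:
            reasons.append("destination not in baseline")
        if rec["dport"] not in baseline_ports:
            reasons.append(f"unusual port {rec['dport']}")
        if reasons:
            alerts.append(Alert(rec["ts"], rec["host"], rec["dst"], rec["dport"], tuple(reasons)))
    return alerts, skipped


if __name__ == "__main__":
    found, bad = review_log(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.timestamp} {a.host} -> {a.dst}:{a.dport}: {', '.join(a.reasons)}")
    print(f"{len(found)} alert(s), {bad} unparseable line(s)")
```

In a real deployment the baseline would come from an asset inventory or from learned traffic history rather than a hard-coded set, and the alert would be routed to whoever the security policy names as first responder; the point of the example is only that a deviation from an explicit expectation is what turns "looking at logs" into active detection.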
Response
The organization's security policy should define who the first responder is, i.e. who gets notified immediately when an incident happens and is therefore responsible for securing the system ASAP and documenting what happened. Make sure that whoever is handling the evidence is properly trained: any mistake could render everything collected afterwards inadmissible in court and cause major losses for the organization.
The next step is to collect evidence, as much as possible. This includes:
- capturing system images and data
- all information about the compromised system(s) (serial number, )
- screenshots
- interviewing witnesses
- documenting ALL of the details (date/times, locations, etc.)
- performing a sector-by-sector copy of the hard drive
When capturing data, prioritize the most volatile information. This means capturing a compromised or affected computer's RAM first, since that is erased on power-off. Then capture the system swap file or virtual memory (depending on whether it is Linux or Windows). Then document all the active network connections at the time of the incident (connected IP addresses, browser cookies and history, and all system logs). From there, you might just want to back up the entire system itself.
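As an added example (not part of the original notes), the following Python script ties the two response points above together: it orders a set of artifacts so the most volatile is collected first, and it records a chain-of-custody manifest (who collected what, when, and a SHA-256 of each item) that a later handler can verify. The artifact contents, the case id and the people named are all constructed stand-ins; no real memory image or disk is captured, and the volatility ranking simply follows the order given in the notes.

```python
"""Added example: collection planned in order of volatility plus a
chain-of-custody manifest. Artifacts, names and people are constructed
placeholders for this example."""
import hashlib
import json
from datetime import datetime, timezone

# Most volatile first, following the order described in the notes:
# RAM, then swap/virtual memory, then network state, then logs, then disk.
VOLATILITY_ORDER = ["ram", "swap", "network_state", "logs", "disk_image"]
VOLATILITY_RANK = {kind: i for i, kind in enumerate(VOLATILITY_ORDER)}

# Constructed artifacts, deliberately listed out of order: (kind, name, bytes).
SAMPLE_ARTIFACTS = [
    ("disk_image", "sda.img", b"constructed disk image stand-in"),
    ("logs", "syslog", b"Mar  1 10:01:15 ws-12 sshd[412]: constructed log line\n"),
    ("network_state", "netstat.txt", b"tcp 10.0.0.12:51234 198.51.100.23:9001 ESTABLISHED\n"),
    ("swap", "pagefile.sys", b"constructed swap contents"),
    ("ram", "mem.raw", b"abc"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plan_collection(artifacts):
    """Sort (kind, name, data) triples so the most volatile are captured first.
    Unknown kinds sort last so they are still collected rather than dropped."""
    return sorted(artifacts, key=lambda a: VOLATILITY_RANK.get(a[0], len(VOLATILITY_ORDER)))


def build_manifest(artifacts, collector, case_id):
    """Hash each artifact as it is collected and record who, when and what."""
    entries = []
    for kind, name, data in plan_collection(artifacts):
        entries.append({
            "kind": kind,
            "name": name,
            "size": len(data),
            "sha256": sha256_hex(data),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    # A hash over the canonical entry list lets later handlers detect edits
    # to the manifest itself, not just to the artifacts.
    body_hash = sha256_hex(json.dumps(entries, sort_keys=True).encode())
    return {"case_id": case_id, "entries": entries, "entries_sha256": body_hash,
            "custody_log": []}


def transfer_custody(manifest, from_person, to_person):
    """Append a hand-off record; the collected entries are never rewritten."""
    manifest["custody_log"].append({
        "from": from_person,
        "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return manifest


def verify_manifest(manifest, artifacts_by_name):
    """Return the names whose current content no longer matches the recorded
    hash (or that are missing), plus whether the entry list itself is intact."""
    mismatched = []
    for e in manifest["entries"]:
        data = artifacts_by_name.get(e["name"])
        if data is None or sha256_hex(data) != e["sha256"]:
            mismatched.append(e["name"])
    entries_ok = sha256_hex(
        json.dumps(manifest["entries"], sort_keys=True).encode()) == manifest["entries_sha256"]
    return mismatched, entries_ok


if __name__ == "__main__":
    m = build_manifest(SAMPLE_ARTIFACTS, "first-responder (placeholder)", "CASE-0000 (placeholder)")
    transfer_custody(m, "first-responder (placeholder)", "forensic analyst (placeholder)")
    print(json.dumps(m, indent=2))
```

The order in which `plan_collection` returns the artifacts is the practical content of "prioritize the most volatile information"; the manifest is what gives the evidence a documented chain of custody, since anyone handling it later can re-hash the items and confirm nothing changed between hand-offs.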
#XIV
#Aplus