Pascal Steichen - pst.libre.lu1)-MSSI-uni.lu_v2015.pdf · 17. Business continuity management 7....
Pascal Steichen
- Managing Director - SECURITYMADEIN.LU, since May 2010
- Information Security Officer - Ministry of the Economy, 2008 – 2010
- Head of CIRCL, since 2008
- Lecturer at University of Luxembourg, since 2006
- Management Board Member at ENISA, since 2005
- Lecturer at University of Lorraine (Metz), 2005 – 2012
- Application Developer - Canal+ Belgium, 2000 – 2002
MSSI - uni.lu
(my) Lectures
- M3: Information Security Management – Security Policy [MPMSSI-83]: Incident Management
- M4: Technical Aspects – Threats, Attacks and Countermeasures [MPMSSI-86]: Countermeasures and Forensics Analysis
Incident Management
in the context of an Information Security Policy
Information Systems Security Management (MSSI)
4 IM - PolSec - MSSI - uni.lu
Incident Management part 1
MSSI – uni.lu
IM (1) - PolSec - MSSI - uni.lu 5
Introduction
To protect its assets (information and systems) on a daily basis, an organisation has to:
- organise its security by documenting, in a security policy, the countermeasures or controls that protect the confidentiality, integrity and availability of the assets,
- with the prime goal of managing and reducing its risks.
Information Security Policy → THE tool for today’s (C)ISO ←
Definitions
- Asset: anything that has value to the organization.
- Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. NOTE: Control is also used as a synonym for safeguard or countermeasure.
Information security policy
- defines the business rules, principles and standards that set out the organisation's approach to managing information security, and provides management direction and support for information security in accordance with business requirements and relevant laws and regulations,
- defines the control objectives and controls intended to be implemented to meet the requirements identified by a risk assessment,
- needs approval by the highest level of management.
Sources to start with...
1. One source is derived from assessing the risks of the organisation: Risk = Vulnerability * Threat * Impact
2. Another source is the legal, statutory, regulatory, and contractual requirements that an organisation, its trading partners, contractors, and service providers have to satisfy, and their socio-cultural environment.
3. A further source is the particular set of principles, objectives and business requirements for information processing that an organisation has developed to support its operations.
4. Finally, incidents that have already happened, and their lessons learned, are often a very useful source too.
Even before...
- Before one can identify, quantify, and prioritise risks, it is good practice to identify the organisation's important/critical assets to which the risks apply (→ asset management/classification).
Examples are:
- business critical information,
- physical and logical resources (filing cabinet, computers, network equipment, software...),
- staff (the most important and critical resource!),
- image, reputation,
- know-how, "business" intelligence.
Complete management lifecycle (diagram; elements as they appear on the slide):
- Risk assessment
- Security policy
- Control framework: policies, procedures, standards, guidelines
- Evaluation, audit
ISO/IEC 27002:2013 "Code of practice for information security controls" (formerly known as ISO/IEC 17799 and BS7799)
Scope
- "This International Standard gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s)."
- "The International Standard is designed to be used by organizations that intend to:
  - select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
  - implement commonly accepted information security controls;
  - develop their own information security management guidelines."
Overview (ISO/IEC 27002:2013 clauses)
- 5. & 6. Information security policy & organisation
- 7. Human resources
- 8. Asset management
- 9. Access control
- 10. Cryptography
- 11. Physical and environmental security
- 12. Operations security
- 13. Communications security
- 14. Acquisition, development and maintenance
- 15. Supplier relationships
- 16. Information security incident management
- 17. Business continuity management
- 18. Compliance
Core clauses
- 7. Human resources
- 8. Asset management
- 9. Access control
- 10. Cryptography
- 11. Physical and environmental security
- 12. Operations security
- 13. Communications security
- 14. Acquisition, development and maintenance
- 15. Supplier relationships
- 16. Information security incident management
Clause 16 Incident management
- Responsibilities and procedures
- Reporting information security events
- Reporting security weaknesses
- Assessment of information security incidents and decision taking
- Information security incident response
- Learning from information security incidents
- Collection of evidence
Clause 17 Business continuity
- Including information security in the business continuity management process
- Business continuity planning framework
- Developing and implementing continuity plans including information security
- Testing, maintaining and re-assessing business continuity plans
- Redundancy and availability of information systems
Clause 18 Compliance
- Compliance with legal requirements
  - Identification of applicable legislation
  - Intellectual property rights (IPR)
  - Protection of organizational records
  - Data protection and privacy of personal information
  - Regulation of cryptographic controls
- Information security audit considerations
  - Independent information systems audit
  - Compliance with security policies and standards
  - Technical compliance checking
Management of information security incidents
- Responsibilities and procedures
- Reporting information security events
- Reporting security weaknesses
- Assessment of information security incidents and decision taking
- Information security incident response
- Learning from information security incidents
- Collection of evidence
Management vs. Handling (diagram)
- Incident handling (part of incident management): Detection → Triage → Analysis → Response
- Incident management additionally covers:
  - Before and after coordination
  - Announcements, alerts
  - Vulnerability handling
  - Reporting & procedures
Policies & procedures
Besides the "security policy", others are important:
- information classification policy
- information disclosure policy
- media policy
- privacy policy
Pyramid of events (ITU-T E.409), from top to bottom:
- Crisis
- Security incident
- Incident
- Event
Definitions
- Event: an observable occurrence which is not possible to (completely) predict or control.
- Incident: an event that might have led to an occurrence or an episode which is not serious.
- Security incident: any adverse event whereby some aspect of security could be threatened.
- Crisis: a state caused by an event, or the knowledge of a forthcoming event, that may cause severe negative consequences.
  - During a crisis, one may, in the best case, have the possibility of taking measures to prevent the crisis from becoming a catastrophe. When a catastrophe occurs, a Business Continuity Plan (BCP) shall exist, as well as a crisis management team to handle the situation.
Roles & Governance
Following: ENISA – Incident Management Guide
Roles
Governance
- CISO & CIO interactions
- Prevention and awareness raising
- Detection and reporting
- Escalation
  - Clear, well-established mechanism
  - Internal and external considerations
  - Production/operations considerations
- Crisis management
  - Mix of executives, experts, public relations and legal counsels
Incident reporting Following: ENISA – Incident Management Guide
Incident Handling
Following: ITU-T E.409 – Incident organization and security incident handling
Incident Resolution Cycle Following: ENISA – Incident Management Guide
Data analysis - collection
- From the reporter:
  - detailed contact information
  - detailed description of the incident
  - incident classification suggested by the incident reporter
  - logs
  - the exact time of the incident
  - operating systems and network setup
  - security systems setup (e.g., antivirus software or firewall)
  - incident severity (in the incident reporter's opinion)
Data analysis - correlation
- Monitoring systems: information related to the IP addresses involved, from network monitoring systems (e.g., netflow database).
- Referring database: check if this kind of incident or this incident reporter is already in your incident database.
- Other sources: relevant log files (routers, firewalls, proxy servers, switches, web applications, mail servers, DHCP servers, authentication servers, etc.).
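The collection and correlation steps above, as an added example that is not part of the original slides: a small Python intake routine flags the reporter items still missing, then cross-references the reported IP and time against netflow rows, an incident database and firewall log lines inside a time window. The field names, the log format and every record are constructed assumptions.

```python
"""Incident report intake and correlation (constructed example).

Checks that the reporter supplied the items listed under 'Data analysis -
collection', then cross-references the reported IP and time against a
netflow store, the incident database and firewall logs, as in 'Data
analysis - correlation'. All records below are constructed."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Items the slides ask the reporter for; empty ones are flagged back to the reporter.
REQUIRED_FIELDS = ("contact", "description", "suggested_class", "logs",
                   "time", "os_network", "security_setup", "severity")


def missing_fields(report: dict) -> list:
    """Return the required items the reporter left out or empty."""
    return [f for f in REQUIRED_FIELDS if not report.get(f)]


@dataclass
class Correlation:
    flows: list = field(default_factory=list)            # netflow rows touching the IP
    prior_incidents: list = field(default_factory=list)  # earlier cases: same IP or reporter
    log_lines: list = field(default_factory=list)        # firewall lines inside the window


# Constructed netflow database: (timestamp, src, dst, dst_port, bytes)
NETFLOW = [
    ("2015-03-02T10:58:10Z", "10.187.4.20", "203.0.113.7", 443, 900),
    ("2015-03-02T11:01:45Z", "10.187.4.20", "198.51.100.9", 6667, 120),
    ("2015-03-02T11:03:00Z", "10.187.9.1", "10.187.4.20", 22, 4000),
    ("2015-03-02T15:00:00Z", "10.187.4.20", "198.51.100.9", 6667, 130),
]
# Constructed referring database of earlier incidents
INCIDENT_DB = [
    {"id": "INC-0007", "ip": "10.187.4.20", "reporter": "noc@example.ut", "class": "malware"},
    {"id": "INC-0012", "ip": "10.187.77.3", "reporter": "abuse@other.ut", "class": "scan"},
]
# Constructed firewall log, one event per line
FIREWALL_LOG = """\
2015-03-02T11:01:44Z fw1 DENY TCP 10.187.4.20:51022 -> 198.51.100.9:6667
2015-03-02T11:02:10Z fw1 ALLOW TCP 10.187.9.1:40100 -> 10.187.4.20:22
2015-03-02T13:40:00Z fw1 DENY TCP 10.187.4.20:51030 -> 198.51.100.9:6667
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\S+) (\S+):\d+ -> (\S+):\d+$")


def _ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used by the reporter and the logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(report: dict, window_minutes: int = 30) -> Correlation:
    """Keep only records involving the reported IP within +/- window_minutes of
    the reported time; the incident database is matched on IP or on reporter."""
    ip, t0 = report["ip"], _ts(report["time"])
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    c = Correlation()
    for row in NETFLOW:
        if ip in (row[1], row[2]) and lo <= _ts(row[0]) <= hi:
            c.flows.append(row)
    for inc in INCIDENT_DB:
        if inc["ip"] == ip or inc["reporter"] == report["contact"]:
            c.prior_incidents.append(inc["id"])
    for line in FIREWALL_LOG.splitlines():
        m = LOG_RE.match(line)
        if m and ip in (m.group(5), m.group(6)) and lo <= _ts(m.group(1)) <= hi:
            c.log_lines.append(line)
    return c


# Constructed report as received from the reporter (security setup left blank)
REPORT = {
    "contact": "noc@example.ut", "description": "host beaconing to an IRC port",
    "suggested_class": "malware", "logs": "attached", "time": "2015-03-02T11:00:00Z",
    "os_network": "Linux, 10.187.4.0/24", "security_setup": "", "severity": "medium",
    "ip": "10.187.4.20",
}

if __name__ == "__main__":
    print("ask reporter for:", missing_fields(REPORT))
    c = correlate(REPORT)
    print(len(c.flows), "flows,", c.prior_incidents, "prior,", len(c.log_lines), "log lines")
```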
Research resolution
- Based on the analysis, team brainstorming on the resolution
- Avoid the pitfall of perfectionism
- Sometimes a quick response has the same or a higher value than a comprehensive and complete understanding
Proposed actions (1)
- Prepare a set of concrete and practical tasks for each party involved
- Remember to adjust your language
Proposed actions (2)
- Attack target
  - How to stop and mitigate an ongoing attack:
    - turn off a service
    - check the system for malware
    - patch a system or an application
    - perform or order an audit if you are not able to improve your system security yourself
  - How to deliver more data:
    - concrete practical instructions (e.g. how to obtain a full e-mail header)
Proposed actions (3)
- ISP/ICP
  - To collect, save and archive data.
  - To monitor network traffic related to the case and inform you if something important happens.
  - To filter network traffic in the case of an ongoing attack if such filtering can help to stop or mitigate it.
Proposed actions (4)
- CERTs
  - To contact the local ISP/ICP within its constituency
  - To ask for advice on how to deal with an incident
- Law enforcement
  - To follow a case if it is significant (e.g. you suspect organised crime activity)
  - To assist the reporter of a crime if an incident is to be reported to the police
Monitor action(s) performance
- Basic rules for monitoring the performance of actions:
  - Is the attack target's service turned off?
  - Is the attack target's service still vulnerable?
  - Is the traffic which should be filtered still visible in the network?
Recovery
- Recover or restore to normal the service that was attacked during the incident
Incident closure & improvements
Information disclosure TLP (Traffic Light Protocol)
Incident Taxonomy
Exercise Triage and Basic Incident Handling
Set-up
- Only brain is needed
- "World set-up":
  - 10/8 are networks located in Utopia
  - 10.187/16 are networks of Utopia NREN
  - .ut is Utopia's top-level domain
Description
The exercise simulates the initial phases of incident handling with 10 real-life incident reports. These phases include:
- verification of the report (did the incident actually occur?);
- interpretation (what actually happened?);
- determination of the scope of the incident (what are the actual and possible consequences for your constituency and others?);
- classification; and
- prioritization (based on the previous factors).
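The phases above carried out on constructed reports in the exercise's world set-up (10.187/16 is the handler's constituency, 10/8 the rest of Utopia, .ut its top-level domain), as an added example that is not part of the original exercise material. The priority levels, the action texts and the four sample reports are assumptions.

```python
"""Triage helper for the exercise 'world' (constructed example).

Places every address or host name in a report relative to the handler's
constituency (Utopia NREN, 10.187/16), the rest of Utopia (10/8, .ut) or
the outside world, then derives scope, classification and priority.
The priority rules, action texts and sample reports are assumptions."""
import ipaddress

NREN = ipaddress.ip_network("10.187.0.0/16")   # Utopia NREN: our constituency
UTOPIA = ipaddress.ip_network("10.0.0.0/8")    # all networks located in Utopia
TLD = ".ut"                                    # Utopia's top-level domain


def locate(indicator: str) -> str:
    """'constituency', 'utopia' or 'external' for an IP address or host name."""
    try:
        addr = ipaddress.ip_address(indicator)
    except ValueError:                          # not an IP: treat it as a host name
        return "utopia" if indicator.lower().rstrip(".").endswith(TLD) else "external"
    if addr in NREN:
        return "constituency"
    return "utopia" if addr in UTOPIA else "external"


PRIORITY = {"constituency-victim": 2, "constituency-source": 2,
            "utopia-only": 3, "external-only": 4}
ACTION = {1: "handle now: contact the site, consider filtering at the NREN border",
          2: "handle: notify the constituent, request logs and exact times",
          3: "forward to the CERT responsible for the rest of Utopia",
          4: "forward to the responsible external CERT, or close"}


def triage(report: dict) -> dict:
    """Verification -> interpretation -> scope -> classification -> prioritisation."""
    if not report["verified"]:                  # could not confirm the incident occurred
        return {"id": report["id"], "classification": "unconfirmed", "scope": "n/a",
                "priority": 4, "action": "ask the reporter for evidence (logs, exact time)"}
    victims = {locate(v) for v in report["victims"]}
    sources = {locate(s) for s in report["sources"]}
    if "constituency" in victims:
        scope = "constituency-victim"
    elif "constituency" in sources:
        scope = "constituency-source"           # our network is the origin: an abuse case
    elif "utopia" in victims or "utopia" in sources:
        scope = "utopia-only"
    else:
        scope = "external-only"
    priority = PRIORITY[scope]
    if scope == "constituency-victim" and report["ongoing"]:
        priority = 1                            # damage still accumulating in our constituency
    return {"id": report["id"], "classification": report["suggested_class"],
            "scope": scope, "priority": priority, "action": ACTION[priority]}


def triage_queue(reports: list) -> list:
    """Work queue: highest priority (lowest number) first, stable for ties."""
    return sorted((triage(r) for r in reports), key=lambda t: t["priority"])


# Constructed reports in the style of the exercise
REPORTS = [
    {"id": "R1", "suggested_class": "dos", "victims": ["10.187.12.5"],
     "sources": ["198.51.100.23"], "verified": True, "ongoing": True},
    {"id": "R2", "suggested_class": "scan", "victims": ["mail.other.ut"],
     "sources": ["10.187.3.9"], "verified": True, "ongoing": False},
    {"id": "R3", "suggested_class": "phishing", "victims": ["www.shop.ut"],
     "sources": ["203.0.113.5"], "verified": True, "ongoing": False},
    {"id": "R4", "suggested_class": "spam", "victims": ["198.51.100.2"],
     "sources": ["203.0.113.9"], "verified": False, "ongoing": False},
]

if __name__ == "__main__":
    for t in triage_queue(REPORTS):
        print(f"P{t['priority']} {t['id']} {t['scope']:<20} {t['classification']:<11} {t['action']}")
```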