BIS 634
Steps to Effectively Respond to a Security Incident and Threats on a Wireless Network
Incident response is usually one of those security areas that tend to be impromptu: companies don't think about it until they have to. But that needs to change. In this paper I will discuss the five steps a business can use to effectively respond to a security threat (identification, containment, eradication, recovery, and follow-up), and I will suggest four actions a business can take to prevent a security incident in the future: use encryption and passwords, protect e-mail, install antivirus software, and install workstation firewalls.
Businesses today must manage growing risks to their mission-critical networks from attacks such as spyware, rogue wireless LANs, compromised remote/VPN users, DDoS attacks, system misconfigurations, and unpatched operating systems, all of which increase the risk of a network breach and interruption to both sales and business operations.
Does your business operate a network that has public access? If you monitor that network (you are monitoring your network, right?), then sooner or later you're going to have a security incident. How you respond to such an incident often decides how long your network will continue to function as a part of your business.
Incident response is usually one of those security areas that tend to be impromptu: you don't think about it until you have to. But that needs to change. Every organization should develop an incident response policy (IRP). Security incidents don't wait for organizations to have their ducks in a row. In fact, they tend to occur at the most inopportune times.
Let's look at five steps businesses can take to effectively respond to a security incident.
Identification
First, identify the traffic to determine whether it poses a threat to your network. If your logs (IDS, firewall, event logs, etc.) uncover an issue or a user reports a problem, analyze the information to determine whether it's accurate and whether it has the potential to disrupt or deny network services. Once you've completed the analysis and determined that the information is credible and includes the potential for harm, classify the event as an incident: any adverse event that compromises some aspect of computer or network security.
Containment
After you've identified a security incident, the next step is to contain the damage and prevent harm from spreading further throughout the network, or even harming networks outside your security boundary. The most immediate means of containment is either to disconnect the infected machine and isolate it from the network or to stop the service that's causing the incident. Make sure you've documented who has the authority to disconnect systems and possibly disrupt business needs. This needs to be in writing, and the designated authority should be available 24/7.
Eradicate
After you've taken steps to contain the incident and its effects, eradication is the next step. Your security technician's goal is to permanently remove any evidence of the incident from the network. This could involve removing hard drives and creating a chain of custody for that data for law enforcement involvement. Or it could mean reformatting those hard drives and restoring the systems to operation. The important thing is to decide how to remove the damage from your network. Another step toward keeping incidents from happening is to embrace encryption and passwords.
If the computer or PDA accessing your network supports encryption, then, by all means, use it. PDAs and wireless computers are accessing your company's information, and you need to make sure to safeguard it. If the device doesn't support passwords, it doesn't belong on your network.
Recovery
The next step is recovery. The extent of the damage and your chosen method of eradication will help dictate recovery. Most corporate networks simply require reformatting and reloading the systems, applying the appropriate patches, and restoring the data from a known good backup. If the problem isn't system-specific and involves network changes or changes in the security architecture, then this is the time to submit change requests and seek approval for the changes.
Follow-up
After you've recovered from the security incident, the final step is to learn what you can from the actual incident. Every incident provides a potential for learning from that experience. It also gives you the opportunity to modify procedures and operations to mitigate the likelihood of the incident reoccurring.
For example, let's say the security incident involved not applying patches in a timely manner. You need to modify your change management process and patch testing procedures to be able to respond more quickly to threats in the future.
Sometimes the overall problem is a lack of training on the part of the people responsible for the affected systems. This could include users who open attachments from unknown sources or system administrators who don't have the proper training on the operating systems they work with.
Let's look at four steps to protect your network from mobile security threats.
If you cannot present a true business justification, then there should be no IT support for wireless PDAs and laptops. You should then treat these devices as unauthorized and take steps to prevent users from installing these rogue devices on the network.
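The five steps above form one procedure, so here is a single worked example that walks through all of them. It is an added illustration written for this page, not code from the paper or from any product it mentions. The identification step reads a few constructed log lines (an IDS, a firewall and a host event source) and classifies a host as an incident only when the evidence is both credible and carries potential for harm; containment is refused unless the person doing it appears in a documented authority list (a hypothetical `DESIGNATED_AUTHORITY` set); recovery is refused unless the backup is known good; and the steps must be taken in order. The action report at the end produces the three items the paper asks for in its closing section. Log format, field names, thresholds and names are all assumptions made for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines (IDS, firewall and host-event sources); not real data.
SAMPLE_LOGS = [
    "2024-01-05T10:01:02Z ids host=ws17 sig=outbound-beacon severity=high",
    "2024-01-05T10:01:09Z firewall host=ws17 action=deny dst=203.0.113.9:4444 count=120",
    "2024-01-05T10:02:00Z event host=ws17 msg=svc-crash svc=print-spooler",
    "2024-01-05T10:05:00Z firewall host=ws02 action=allow dst=198.51.100.7:443 count=3",
    "2024-01-05T10:06:00Z ids host=ws02 sig=port-scan severity=low",
]

# Hypothetical: people the written IRP documents as authorized to disconnect systems.
DESIGNATED_AUTHORITY = {"oncall-netops"}

STEPS = ["identified", "contained", "eradicated", "recovered", "followed_up"]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<rest>.*)$")


def parse_log(line):
    """Turn 'ts source k=v k=v ...' into a dict; return None for lines that don't fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {"ts": m["ts"], "source": m["source"]}
    for tok in m["rest"].split():
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
    return fields


def identify(lines, deny_threshold=50):
    """Identification: per host, decide whether the evidence is credible AND harmful.
    Returns {host: [reasons]} containing only hosts that qualify as incidents."""
    evidence = {}
    for rec in filter(None, map(parse_log, lines)):
        host = rec.get("host")
        if host is None:
            continue
        reasons = evidence.setdefault(host, [])
        # A high-severity IDS signature is credible and carries potential for harm.
        if rec["source"] == "ids" and rec.get("severity") == "high":
            reasons.append(f"IDS {rec['sig']} (high) at {rec['ts']}")
        # Many denied connections to one destination corroborate an outbound problem.
        if (rec["source"] == "firewall" and rec.get("action") == "deny"
                and int(rec.get("count", 0)) >= deny_threshold):
            reasons.append(f"{rec['count']} denied connections to {rec['dst']} at {rec['ts']}")
    return {h: r for h, r in evidence.items() if r}


@dataclass
class Incident:
    host: str
    evidence: list
    log: list = field(default_factory=list)  # actions taken, in order
    step: int = 0                            # index into STEPS; 0 = identified

    def _advance(self, expected, note):
        """Enforce the order identify -> contain -> eradicate -> recover -> follow up."""
        if self.step != expected:
            raise RuntimeError(f"{STEPS[expected + 1]} attempted while at {STEPS[self.step]}")
        self.step = expected + 1
        self.log.append(f"{STEPS[self.step]}: {note}")

    def contain(self, actor, how="disconnect"):
        if actor not in DESIGNATED_AUTHORITY:
            raise PermissionError(f"{actor} is not documented as authorized to disconnect systems")
        self._advance(0, f"{how} {self.host} by {actor}")

    def eradicate(self, method, chain_of_custody=False):
        note = f"{method} on {self.host}"
        if chain_of_custody:
            note += " (drive preserved under chain of custody)"
        self._advance(1, note)

    def recover(self, backup_known_good):
        if not backup_known_good:
            raise ValueError("restore only from a known good backup")
        self._advance(2, f"rebuilt, patched and restored {self.host} from known good backup")

    def follow_up(self, lesson):
        self._advance(3, f"lesson: {lesson}")

    def action_report(self):
        """The three goals of the post-incident report: how, what was done, prevention."""
        if self.step != 4:
            raise RuntimeError("report only after follow-up")
        return {"how_it_occurred": self.evidence,
                "actions_taken": self.log[:-1],
                "prevention": self.log[-1]}


def run_demo(lines=SAMPLE_LOGS):
    """Drive every identified host through all five steps and collect the reports."""
    incidents = [Incident(h, r) for h, r in identify(lines).items()]
    for inc in incidents:
        inc.contain("oncall-netops")
        inc.eradicate("reformat and reinstall")
        inc.recover(backup_known_good=True)
        inc.follow_up("shorten the patch testing cycle")
    return {inc.host: inc.action_report() for inc in incidents}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Only `ws17` becomes an incident: its high-severity IDS hit and the 120 denied connections to one destination are each credible and harmful, while `ws02` has only an allowed connection and a low-severity signature. The ordering check in `_advance` and the authority check in `contain` are the parts worth copying into a real IRP tool, because they turn the paper's "document who has the authority" and "then eradicate, then recover" into something the tooling enforces rather than something people remember.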
Encryption and passwords
If the PDAs and laptops support encryption, then, by all means, use it. These devices are accessing your company's information, and you need to make sure to safeguard it. If the device doesn't support passwords, it doesn't belong on your network.
Preach E-mail protection
Educate users about security best practices, and urge them to be vigilant about e-mail and attachments. While they should know better than to open unexpected e-mail from an unknown source, you must enforce this rule, particularly when it comes to mobile computing platforms.
Use antivirus software
If the mobile device is capable of e-mail, then it needs to be capable of loading some type of antivirus client software. You don't allow workstations or laptops to operate without antivirus software, so don't make an exception for mobile devices.
Implement firewalls
Because mobile devices are wireless-capable and spend time connected to internal networks, treat them as DMZ devices by implementing a workstation firewall. When a user connects to your organization's LAN using a PDA, a workstation firewall helps ensure that they can't spread any infection to their workstations and the rest of the network.
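The four protections above (business justification, encryption and passwords, antivirus wherever e-mail is possible, and a workstation firewall) can be written down as an admission policy and checked against a device inventory before a PDA or laptop is allowed on the LAN. The following is an added example for this page, not code from the paper or any vendor; the `Device` attributes, the constructed inventory and the three decisions (`unauthorized`, `fix`, `allow`) are assumptions made for the demonstration. The two rules the paper states absolutely (no justification, or no password support) keep a device off the network outright; the rest produce a remediation list.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Attributes an admin would collect about a PDA or laptop before admitting it."""
    name: str
    justification: str        # documented business reason; empty string if none
    supports_encryption: bool
    encryption_enabled: bool
    supports_password: bool
    password_set: bool
    has_email: bool
    antivirus_installed: bool
    firewall_enabled: bool


# Constructed inventory for the demonstration; not real devices.
INVENTORY = [
    Device("sales-pda-01", "field order entry", True, True, True, True, True, True, True),
    Device("exec-laptop-07", "travel", True, False, True, True, True, False, False),
    Device("guest-pda-99", "", False, False, False, False, True, False, False),
    Device("kiosk-pda-03", "warehouse scanning", False, False, False, False, False, False, True),
]


def evaluate(dev):
    """Apply the four protections, hardest rule first.
    Returns (decision, findings): 'unauthorized' keeps the device off the network,
    'fix' admits it only after the listed remediations, 'allow' needs nothing."""
    if not dev.justification.strip():
        return "unauthorized", ["no business justification: no IT support, treat as a rogue device"]
    if not dev.supports_password:
        return "unauthorized", ["device cannot enforce a password, so it does not belong on the network"]
    findings = []
    if not dev.password_set:
        findings.append("password supported but not set")
    if dev.supports_encryption and not dev.encryption_enabled:
        findings.append("encryption supported but not enabled")
    if dev.has_email and not dev.antivirus_installed:
        findings.append("e-mail capable but no antivirus client loaded")
    if not dev.firewall_enabled:
        findings.append("no workstation firewall, so it cannot be treated as a DMZ device")
    return ("allow" if not findings else "fix"), findings


def audit(inventory):
    """Run evaluate() over an inventory and return {name: (decision, findings)}."""
    return {dev.name: evaluate(dev) for dev in inventory}


def summary(inventory):
    """Count devices per decision, the figure an admin would report to management."""
    counts = {"allow": 0, "fix": 0, "unauthorized": 0}
    for decision, _ in audit(inventory).values():
        counts[decision] += 1
    return counts


if __name__ == "__main__":
    for name, (decision, findings) in audit(INVENTORY).items():
        print(f"{name}: {decision}")
        for finding in findings:
            print(f"   - {finding}")
    print(summary(INVENTORY))
```

On the constructed inventory, `sales-pda-01` is allowed, `exec-laptop-07` is admitted only after enabling encryption, loading antivirus and turning on its firewall, and the other two are kept off the network: one has no business justification and one cannot enforce a password at all. Ordering the absolute rules before the remediable ones keeps the output honest, since there is no point listing fixes for a device that should never be connected.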
Finally
Mobile computing devices have earned their place on the corporate network. However, organizations can't allow users to treat PDAs and laptops as toys. They are powerful computing platforms that demand the same protection as any machine that spends time on a public network and returns to the corporate network.
Treat PDAs and laptops like workstations and use policy and software to protect your network from potential problems they might introduce whenever possible. And, as always, train users on how they can minimize security risks when using these devices.
After any security incident, you should create an action report with three simple goals: identify how the incident occurred, identify what actions you took after identifying the incident, and identify what you've done to prevent this type of incident from reoccurring.
How you respond to incidents and what you learn from those incidents has serious business implications. That's why it's important to make sure you're prepared before they happen and to learn from your mistakes.