This document provides a detailed overview of recommendations for incident handling and response protocols, including inter-site notification mechanisms, common response procedures, international security cooperation, and a focus on high-risk threats. Suggestions cover training, procedures, taxonomy clarification, and best practices for large sites.
Incident Handling and Response Breakout Overview
Recommendation I: NSF should fund a formal inter-site notification mechanism.
• Look to REN-ISAC or the computer security incident working group at I2 as models.
• Use it as a trusted clearinghouse for time-sensitive security information.
• Formalize a simple way to exchange data, i.e. not a complete IODEF/RFC 3067.
• Set policy regarding information sharing requirements with NSF.
Recommendation II: Create a set of common incident response procedures, and training.
• Possibly based on a simplified version of NIST 800-61.
• Have an incident response “playbook” available, consisting of a short summary of what to do immediately after an attack.
• Establish training specifically designed for system administrators and site security personnel, focused on incident response and basic forensic analysis.
• DOE has IPWAR (DOE M 205.1-C, Incident Prevention, Warning, and Response).
Recommendation II (cont): Details in implementing Recommendation II:
• Getting sites to agree to follow the procedures.
• Security staff having the authority to implement the procedures.
• Conforming with site policies.
• Taxonomy of security: clarify “Incident”, “Event”, etc. to normalize usage in reporting.
• Identifying inter-site events -- your compromise might affect me.
• Fire drills -- practice, practice, practice.
Recommendation III: Fund a workshop designed to solve the “Small Facility” problem.
• Small facilities present an opportunistic threat to large facilities.
• Typical problems include a lack of security staff and resources to deal with even simple problems.
Recommendation IV: Develop an agenda for increasing international security cooperation to support international science.
• How to respond to international security issues?
• Organize a workshop addressing the impact of security issues on global science.
• Invite I2, ESnet, FIRST and EU counterparts.
Recommendation V: Focus security efforts on high risk/impact threats.
• The nature of incidents is changing:
  • More skilled attackers with greater resources, for example organized crime.
  • Awareness of counter-intelligence attacks.
  • Credential loss and the insider threat.
  • DDoS hasn’t been much of an issue.
Recommendation VI: Develop large site best practices.
• 10+ Gig networks.
• How to monitor the data stream?
• Bulk recording.
• Host-based IDS.
• Dealing with asymmetric routing.
• Connection record storage and use for large data sets (> 1e9 records).