EC-Council Certified Incident Handler
Version 1

Module III

Incident Response and Handling Steps

News: A Delicate Balance is Required to Achieve Information Security
April 22, 2009
David Chadwick, Professor of Information Systems Security at the University of Kent, calls for better incident handling and procedures to protect sensitive data

It did not start with the loss of the personal details of 25 million people in receipt of Child Benefit in November 2007.[1] Neither did it end in January 2009 with the British Council losing a computer disk containing the names, national insurance numbers, salary and bank account details of its 2,000 UK staff.[2] Data loss has been happening ever since computers were first invented, and it will continue to happen as long as we have them, regardless of any legislation that Jack Straw might wish to impose, even legislation that recommends jail sentences for employees of organisations where data breaches occur.

After all, crimes that incur the harshest of penalties still occur daily. Furthermore, data loss will continue to happen even if encryption is ubiquitously implemented. Why? Because data security depends more on people and processes than on raw encryption technologies. This is eloquently illustrated in the data loss last August when the personal details of the 84,000 prisoners in England and Wales went missing. This data was held encrypted on the government computer system but was downloaded unencrypted onto a memory stick by an external contractor who then misplaced the stick.

Source: http://www.publicservice.co.uk/

EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Module Objective

This module will familiarize you with:

Handling Incidents
Need for Incident Response
Goals of Incident Response
Incident Response Plan
Incident Response and Handling Steps
Training and Awareness
Incident Management
Incident Response Team
Incident Response Best Practices
Incident Response Plan Checklist

Module Flow

Handling Incidents
Need for Incident Response
Incident Response Plan
Goals of Incident Response
Incident Response and Handling Steps
Training and Awareness
Incident Response Team
Incident Management
Incident Response Best Practices
Incident Response Plan Checklist

How to Identify an Incident

Suspicious entries in network logs
Accounting gaps of several minutes with no accounting log
Other events such as unsuccessful login attempts, attempts to write, alter, or delete system files, system failure, or performance degradation
Unusual usage patterns, such as programs being compiled in the account of users who are non-programmers
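The indicators listed above can be checked mechanically against accounting and authentication logs. The following Python script is an added example, not part of the EC-Council module: it parses a few constructed log lines (the hostnames, user names, timestamps and the pipe-separated record layout are all made up for the example) and flags each of the four indicator types: repeated unsuccessful logins, writes to system files, compiler use from a non-programmer account, and gaps in the accounting log.

```python
"""Added example (not from the EC-Council slides): scanning constructed log
lines for the incident indicators named on the slide. Every host, user,
timestamp and path below is made up for the example."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample accounting log, one record per line: timestamp|user|event|detail
SAMPLE_LOG = """\
2009-04-22 09:00:05|alice|login_ok|workstation-12
2009-04-22 09:00:40|alice|exec|/usr/bin/gcc
2009-04-22 09:01:10|bob|login_fail|workstation-07
2009-04-22 09:01:14|bob|login_fail|workstation-07
2009-04-22 09:01:19|bob|login_fail|workstation-07
2009-04-22 09:01:23|bob|login_fail|workstation-07
2009-04-22 09:01:30|bob|login_fail|workstation-07
2009-04-22 09:02:00|carol|login_ok|workstation-03
2009-04-22 09:15:00|carol|file_write|/etc/passwd
2009-04-22 09:15:30|carol|login_ok|workstation-03
2009-04-22 09:16:00|dave|exec|/usr/bin/gcc
"""

# Constructed policy data: accounts expected to run compilers, and the
# directories the slide calls "system files"
PROGRAMMERS = {"alice"}
SYSTEM_PATHS = ("/etc/", "/bin/", "/sbin/", "/usr/bin/")
COMPILERS = {"/usr/bin/gcc", "/usr/bin/cc", "/usr/bin/make"}


def parse_log(text):
    """Turn the pipe-separated records into (timestamp, user, event, detail) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, event, detail))
    return entries


def find_indicators(entries, fail_threshold=5, gap=timedelta(minutes=10)):
    """Return (indicator, detail) pairs, one per suspicious observation."""
    findings = []

    # 1. Repeated unsuccessful login attempts, counted per account
    fails = Counter(user for _, user, event, _ in entries if event == "login_fail")
    for user, count in fails.items():
        if count >= fail_threshold:
            findings.append(("failed_logins", f"{user}: {count} failures"))

    # 2. Writes to system files
    for ts, user, event, detail in entries:
        if event == "file_write" and detail.startswith(SYSTEM_PATHS):
            findings.append(("system_file_write", f"{user} wrote {detail} at {ts:%H:%M:%S}"))

    # 3. Programs compiled from an account that is not a programmer's
    for ts, user, event, detail in entries:
        if event == "exec" and detail in COMPILERS and user not in PROGRAMMERS:
            findings.append(("unusual_compile", f"{user} ran {detail}"))

    # 4. Accounting gaps: consecutive records further apart than `gap`
    for (t0, *_), (t1, *_) in zip(entries, entries[1:]):
        if t1 - t0 > gap:
            findings.append(("accounting_gap",
                             f"no records between {t0:%H:%M:%S} and {t1:%H:%M:%S}"))
    return findings


if __name__ == "__main__":
    for kind, detail in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {detail}")
```

The thresholds (five failures, a ten-minute gap) are parameters rather than constants because the right values depend on the environment; each finding is only an indicator that an incident handler must still validate, which is the point of Step 1 below.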


Handling Incidents

Incident handling involves:

Incident reporting
Incident analysis
Incident response

Incident handling allows incident reports to be gathered in one location so that exact trends and patterns can be recognized and recommended strategies can be employed

It helps the corresponding staff to understand the process of responding and to tackle unexpected threats and security breaches

Need for Incident Response

The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident

Incident response is required to identify the attacks that have compromised personal and business information or data

Incident response is required to:

Protect systems
Protect personnel
Efficiently use the resources
Deal with legal issues

Goals of Incident Response

Examining the incident
Minimizing the impact of the incident
Preventing future attacks or incidents
Enhancing security of the computer system
Securing privacy rights established by law and policy
Providing accurate reports and useful recommendations
Assisting law enforcement in prosecuting digital criminals
Protecting the organization's reputation and assets

Incident Response Plan

An incident response plan consists of a set of instructions to detect and respond to an incident

It defines the areas of responsibility and creates procedures for handling various computer security incidents

The incident response plan covers:

How information is passed to the appropriate personnel
Assessment of the incident
Minimizing damage and response strategy
Documentation of the incident
Preservation of the evidence

Purpose of Incident Response Plan

The incident response plan gathers the required resources in an organized manner to address incidents related to the security of a computer system

It protects the organization's resources against an attack

It protects the sensitive data on the systems

It supports legal investigations

Requirements of Incident Response Plan

The requirements of incident response planning are:

Expert teams (Computer Emergency Response Team (CERT))
Legal review and approved strategy
Company's financial support
Executive/upper management support
A feasible and tested action plan
Physical resources, such as redundant storage, standby systems, and backup services

Preparation

Preparation is the most important aspect: it allows you to respond to an incident before it happens

The success of an incident response process depends on the pre-incident preparation

It includes:

Examining security measures for networks and systems
Intrusion Detection System (IDS)
Creating access control
Vulnerability assessments
Performing regular backups
Baseline protection by updating patches and antivirus
Communication plan
Audit trail

Preparation (contd)

It consists of security measures that an incident response team should begin to implement in order to ensure protection of the organization's assets and information

Preparing the incident response team includes:

The requirement of hardware and software components to investigate the computer security incidents
The requirement of documents such as forms and reports to investigate the incident
Policies and operating procedures for backup and recovery
Training the staff and users on how to respond to incidents

Incident Response and Handling Steps

1. Identification
2. Incident Recording
3. Initial Response
4. Communicating the Incident
5. Containment
6. Formulating a Response Strategy
7. Incident Classification
8. Incident Investigation
9. Data Collection
10. Forensic Analysis
11. Evidence Protection
12. Notifying External Agencies
13. Eradication
14. Systems Recovery
15. Incident Documentation
16. Incident Damage and Cost Assessment
17. Review and Update the Response Policies

Step 1: Identification

The identification stage involves validating, identifying, and reporting the incident

This phase is necessary for categorizing and responding to incidents

Identify the incidents with the help of software packages such as antivirus software and intrusion detection tools

System and network audit logs may also provide sufficient information to decide whether unauthorized activity has occurred or not

Identification (contd)

The actions taken in the identification phase include:

Audit log collection, examination, and analysis
Incident reporting and assessment
Collect and protect system information
Assign event identity and severity level
Other systems analysis
Assign incident task force members

Step 2: Incident Recording

Incident recording is the process of accurately storing the details of the occurrence of an incident

The information gathered should include:

The date and time the incident happened
The date and time at which the incident was detected
Who has reported the incident
Details of the incident, including:
Description of the incident
Systems involved
Backup information such as error messages, log files, etc.
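A record that captures exactly the fields listed in Step 2 (and the event identity from Step 1) can be checked for the inconsistencies that creep into hand-written tickets, such as a detection time earlier than the occurrence time or a record with no system named. The following Python class is an added example, not part of the EC-Council module; the field names, the `INC-YYYYMMDD-NNNN` id scheme, and the sample values in `example_record()` are this example's own choices.

```python
"""Added example (not from the EC-Council slides): a minimal incident record
holding the Step 2 fields, with validation and a JSON form for storage.
The field names, id scheme and sample values are this example's choices."""
from dataclasses import dataclass, field, asdict
from datetime import datetime
import json


@dataclass
class IncidentRecord:
    incident_id: str                      # event identity assigned in Step 1
    occurred_at: datetime                 # date and time the incident happened
    detected_at: datetime                 # date and time it was detected
    reported_by: str                      # who reported the incident
    description: str                      # description of the incident
    systems_involved: list = field(default_factory=list)
    supporting_info: dict = field(default_factory=dict)   # error messages, log files, ...

    def __post_init__(self):
        # Reject records that cannot be right rather than storing them quietly
        if self.detected_at < self.occurred_at:
            raise ValueError("detection time precedes occurrence time")
        if not self.systems_involved:
            raise ValueError("at least one involved system must be recorded")
        if not self.reported_by.strip():
            raise ValueError("the reporter must be recorded")

    @property
    def detection_delay(self):
        """How long the incident went unnoticed; useful for the later review step."""
        return self.detected_at - self.occurred_at

    def to_json(self):
        data = asdict(self)
        data["occurred_at"] = self.occurred_at.isoformat()
        data["detected_at"] = self.detected_at.isoformat()
        return json.dumps(data, indent=2, sort_keys=True)

    @classmethod
    def from_json(cls, text):
        data = json.loads(text)
        data["occurred_at"] = datetime.fromisoformat(data["occurred_at"])
        data["detected_at"] = datetime.fromisoformat(data["detected_at"])
        return cls(**data)   # validation in __post_init__ runs again on load


def make_incident_id(detected_at, sequence):
    """Constructed id scheme: INC-<detection date>-<sequence number>."""
    return f"INC-{detected_at:%Y%m%d}-{sequence:04d}"


def example_record():
    """A constructed record for a made-up incident, used for the demonstration."""
    detected = datetime(2009, 4, 22, 9, 15)
    return IncidentRecord(
        incident_id=make_incident_id(detected, 1),
        occurred_at=datetime(2009, 4, 22, 9, 1),
        detected_at=detected,
        reported_by="helpdesk (constructed)",
        description="repeated failed logins followed by a write to /etc/passwd",
        systems_involved=["workstation-07", "workstation-03"],
        supporting_info={"log_file": "auth.log excerpt (constructed)",
                         "error_message": "PAM: authentication failure"},
    )


if __name__ == "__main__":
    record = example_record()
    print(record.to_json())
    print("detection delay:", record.detection_delay)
```

Validation runs both when a record is created and when it is loaded back from JSON, so a record edited by hand on disk is re-checked before it is used.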


Step 3: Initial Response

The first step in the investigation process is to gather sufficient information required to determine a proper incident response

It involves:

Initial investigation
Details of the incident
Creating the incident response team
Notifying individuals about the incident

The purpose of the initial response phase is to document the steps to be followed in responding to an incident

Step 3: Initial Response (contd)

During initial response, you should:

Check whether you are dealing with an actual incident or a false positive
Gather enough information on the type and severity of the attack or incident
Record your actions and document the incident

Step 4: Communicating the Incident

Communicate with the incident response team whenever you suspect the occurrence of any security breach

In order to handle the incident, the incident team lead will discuss the breach with their core team and other members of the organization

While reducing the impact of the incident, maintain appropriate controls and coordination of the incident

Discuss the incident with the legal representative to file a lawsuit against the perpetrators

Step 5: Containment

Containment focuses on limiting the scope and extent of an incident

Avoid conventional methods to trace back; this may alert the attackers

The common techniques in the containment stage are:

Disabling of specific system services
Changing of passwords and disabling accounts
Complete backups of the infected system
Temporary shutdown of the infected system
Restoration of the infected system

Containment (contd)

Reduce the potential effect or damage of the incident by quickly responding to it

The response generally depends on the organization and the nature of the incident that occurred

The points to consider while minimizing the risk are:

Providing security and safety to human life
Protecting confidential and sensitive data
Safeguarding business, scientific, and managerial information
Protecting hardware and software against future attacks
Limiting the damage to the computer's resources

Step 6: Formulating a Response Strategy

The response strategy generally depends on the incident situation

Response strategies consider the following:

Are the systems seriously affected due to the incident?
How sensitive is the compromised or stolen information?
Who are the attackers?
Is the public aware of the incident?
What is the unauthorized access level gained by the attackers?
What are the attackers' skills?
What is the total downtime of the system and the user?
What is the total cost of the loss?

Step 7: Incident Classification

Classification of incidents is defined based on their severity and potential targets

Classify the incidents based on a number of factors such as:

Nature of the incident
Criticality of the systems being impacted
Number of systems impacted by the incident
Legal and regulatory requirements


Step 8: Incident Investigation

Investigation is the process of gathering evidence related to an incident from systems and networks

Examine the investigation process to identify:

The incident
Time of the incident
Perpetrator of the incident
Mitigation steps to prevent future occurrence

Step 9: Data Collection

Data collection is defined as the gathering of the facts and evidence that are required for forensic analysis

Data collection involves several unique forensic challenges, such as:

Gathering data that exceeds the computer storage capacity
Proper collection of data to ensure integrity

Data Collection (contd)

Evidence Classification:

Host-based evidence
Network-based evidence
Other evidence

Data Collection (contd)

Host-based evidence:
Host-based evidence consists of logs, records, documents, and any other information available on the system

Network-based evidence:
Network-based evidence consists of information gathered from IDS logs, pen-register/trap-and-trace records, router logs, firewall logs, and authentication servers

Other evidence:
Other evidence consists of information and evidence gathered from the people

Step 10: Forensic Analysis

Data such as log files, system files, graphic files, web history files, emails, installed applications, etc. are gathered for analysis

Forensic analysis should attempt to determine:

The victims and attackers of the incident
Nature of the incident
Time and location of the incident
What triggered the incident

Step 11: Evidence Protection

Protect the evidence to take legal action against the attackers

Take a complete backup of the affected systems with the help of new or never-before-used media devices

Store and protect the backup on either CD-R or DVD-R to prosecute the offender(s)

The stored backup can be used to recover the data from the affected systems

Backups should be stored in a physically secure location
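Step 9 names collection "to ensure integrity" as a forensic challenge, Step 11 asks for backups that will stand up in a prosecution, and the recovery step later asks the handler to confirm a backup is still intact. All three come down to recording a cryptographic hash of each collected item at collection time and re-checking it later. The Python script below is an added example and not part of the EC-Council module: it writes a hash manifest over constructed evidence files in a temporary directory (the case id, collector name, file names and log content are made up), then alters one file to show how the check reports it. The `items_sha256` field and the manifest layout are this example's own design.

```python
"""Added example (not from the EC-Council slides): a SHA-256 manifest that makes
collected evidence tamper-evident, demonstrated on constructed files.
The case id, collector, file names and manifest layout are made up."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks, so evidence larger than memory is still handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _items_digest(items):
    """Hash of the canonical item list, so the manifest itself is tamper-evident."""
    canonical = json.dumps(items, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(paths, case_id, collector):
    """Record path, size and SHA-256 of every collected item plus who collected it and when."""
    items = [{"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
             for p in sorted(paths)]
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
        "items_sha256": _items_digest(items),
    }


def verify_manifest(manifest):
    """Return (path, problem) pairs; an empty list means everything still matches."""
    problems = []
    if _items_digest(manifest["items"]) != manifest["items_sha256"]:
        problems.append(("<manifest>", "item list altered"))
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            problems.append((path, "missing"))
        elif sha256_file(path) != item["sha256"]:
            problems.append((path, "modified"))
    return problems


def demo():
    """Collect two constructed files, verify, append to one, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        note = os.path.join(workdir, "note.txt")
        auth = os.path.join(workdir, "auth.log")
        with open(note, "wb") as f:
            f.write(b"abc")                                   # known SHA-256 test vector
        with open(auth, "wb") as f:                           # constructed log line
            f.write(b"Apr 22 09:01:10 ws07 sshd: Failed password for bob\n")
        manifest = build_manifest([note, auth], "CASE-0001 (constructed)", "handler (constructed)")
        before = verify_manifest(manifest)
        with open(auth, "ab") as f:                           # simulate later tampering
            f.write(b"Apr 22 09:05:00 ws07 sshd: Accepted password for bob\n")
        after = verify_manifest(manifest)
        return manifest, before, after


if __name__ == "__main__":
    manifest, before, after = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", before)
    print("after tampering: ", after)
```

In practice the manifest is written to the write-once media alongside the backup and signed or hashed again into the case documentation, so that the manifest's own hash can be quoted in the report produced in Step 15.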



Step 12: Notify External Agencies

Once sufficient evidence is gathered, external agencies should be notified to file a case and prosecute the perpetrator

The external agencies include local and national law enforcement, external security agencies, and security experts

Step 13: Eradication

The eradication stage removes or eliminates the root cause of the incident

Vulnerability analysis is performed in this stage

It lists countermeasures to thwart further damage, thereby securing the organization's assets

Eradication (contd)

The possible countermeasures include:

Using antivirus software
Installing the latest patches
Policy compliance checks
Independent security audits
Disabling unnecessary services
Updating security policies and procedures
Changing passwords of compromised systems
Eliminating the intruder's access and completely identifying possible changes
Reinstalling compromised systems
Rebuilding systems

Step 14: Systems Recovery

Recovering a system from an incident generally depends on the extent of the security breach

In the recovery step, an affected system is restored to its normal operations

The computer systems and networks are monitored and validated

The recovery stage determines the course of action for an incident

Run vulnerability assessment and penetration testing tools to identify the possible vulnerabilities present in the system or network

Systems Recovery (contd)

The actions to be performed in the recovery stage are:

Determine the integrity of the backup file by making an attempt to read its data
Verify the success of the operation and the normal condition of the system
Monitor the system by network loggers, system log files, and potential back doors
Rebuilding the system by installing a new OS
Restoring user data from trusted backups
Examining the protection and detection methods
Examining security patches and system logging information

Step 15: Incident Documentation

The incident response team should document the various processes while handling and responding to an incident

Document the steps and conclusion statements immediately after completion of the forensic process

The document should be properly organized, examined, reviewed, and vetted by management and the legal representative

The documentation should provide:

Description of the security breach
Details of the actions taken, such as:
Who handled the incident
When the incident was handled
Reasons behind the occurrence of the incident

Incident Documentation (contd)

The best way to prosecute the offender(s) is through proper documentation

The document prepared should be:

Concise and Clear: Prepare the reports in such a way that they are clearly understood by everyone

Standard Format: Maintain a standard format that makes report writing scalable, saves time, and enhances accuracy

Editors: Ensure that the forensic reports are edited properly

Step 16: Incident Damage and Cost Assessment

The two important pieces of evidence that are required for legal prosecution are the incident damage and the cost

Costs include:

Costs due to loss of confidential information
Legal costs
Labor costs
System downtime cost
Installation cost

Step 17: Review and Update the Response Policies

Review the process after completion of both the documentation and recovery steps

Discuss with your team members the steps that were successfully implemented and the mistakes committed

Reviewing the response and updating policies will reduce the impact of the incident and help you to handle future incidents

Training and Awareness

Training and awareness provide the skills required to implement incident handling policies

Practical training removes developmental errors, improves procedures, and reduces the occurrence of miscommunication

Well-trained members can prevent an incident or limit the resulting damage

Security awareness and training should include:

Design and planning of the awareness and training program
Development of the awareness and training materials
Implementation of the awareness and training programs
Measuring the effectiveness of the program and updating it

Training and Awareness (contd)

Training should be conducted at specified intervals, and it should include:

Incident handling location
Pre-assignment plans to handle the emergency situation by all employees
Recognition and operation of utility shut-off devices

The awareness campaign should be designed for several purposes such as:

Knowledge and participation
Concerning the plan's strategies
Contingency arrangements

Security Awareness and Training Checklist

Checklist for security awareness and training:

Is the type and frequency of training noted?
Are training classes for security personnel described?
Are training classes for basic end-users described?
Are instructors for the training classes noted?
Is it noted that security training is tracked and logged?
Is it noted that all courses are evaluated by the users?
Are roles and responsibilities for security awareness noted?
Are roles and responsibilities for security training noted?
Does the plan indicate that a record of user training participation is kept?
Does the plan indicate that users are assessed for their security knowledge after they undergo training?

Incident Management

Incident management not only helps in responding to incidents but also helps in preventing future incidents by minimizing the potential damage caused by risks and threats

It consists of action plan development and consistent processes that are repeatable, measurable, and understood within the organization

Who performs Incident Management?

Human resource personnel experienced in incident handling
Legal counsel
The Security Manager
An outsourced service provider

Incident Management (contd)

The objective of incident management is to quickly restore the services of the computer system to normal operations after an incident, with little or no impact on the business

It provides end-to-end management support on how to handle security incidents or events

Incident management involves:

Security policies and procedures for defining a process
Assigning roles and responsibilities to the incident response team
Equipment, tools, and supporting material
Identifying and training qualified staff on handling security incidents

Purpose of Incident Management

Incident management is required to:

Prevent incidents and attacks by tightening the physical security of the system or infrastructure
Create awareness by conducting training programs for employees and users on security issues and response plans
Monitor and test the organization's infrastructure to identify weaknesses and vulnerabilities
Share the information about the incident with other teams

Incident Management Process

Prepare:
Plan and implement an initial incident management
Follow lessons learned and evaluate the assessment activities to enhance the security of the systems

Protect:
Implement security measures to protect the computer system from incidents
Implement infrastructure protection improvements resulting from postmortem reviews or other process improvement mechanisms

Detect:
Notice events and report those events
Receive the reports of events

Triage:
Categorize, prioritize, and correlate events
Assign events for handling or response

Respond:
Analyze the event
Plan a response strategy

Incident Management Process

Figure: Five High-Level Incident Management Processes

Source: http://www.cert.org/

Incident Management Team

The incident management team provides support to all computer systems that are affected by threats or attacks

The incident management team consists of:

Executive management
Staff support department representatives
Department heads whose departments have been directly affected by the incident

Incident Management Team (contd)

The incident management team is responsible for:

Managing internal and external communications
Directing response and recovery activities
Monitoring the recovery progress
Providing or reallocating recovery resources

Incident Response Team

The incident response team is a group of security professionals within an organization who are trained and asked to respond to a security incident

The response team should contain authorized security personnel to take the necessary actions against security incidents

The incident response team should:

Develop or review the processes and procedures that must be followed in response to an incident
Manage the response to an incident and ensure that all procedures are followed correctly
Review changes in legal and regulatory requirements to ensure that all processes and procedures are valid
Review and recommend technologies to manage and counteract incidents
Establish relationships with the local law enforcement agency, government agencies, key partners, and suppliers

Incident Response Team (contd)

An incident response team takes responsibility for dealing with potential or real-time information security incidents

The team should be made up of a number of people with knowledge and skills in different areas

The representatives of the incident response team are:

IT Security
IT Operations
Physical Security
Human Resources
Legal Department
Public Relations
External Expertise

Incident Response Team Members

Information Security Officer (ISO)
Information Technology Officer (ITOC)
Information Privacy Officer (IPO)
Network Administrator
System Administrator
Business Applications and Online Sales Officer
Internal Auditor

Incident Response Team Members: Roles and Responsibilities

Information Security Officer (ISO):
Provides incident handling training to members
Prepares a summary of corrective actions taken to handle the incident

Information Technology Officer:
Point of contact for various security incidents
Informs the ISO to provide the incident response team

Information Privacy Officer:
Organizes security activities with the ISO
Develops communication with organizations that are affected by security incidents

Network Administrator:
Analyzes network traffic for signs of incidents
Performs corrective actions against the suspected intruder by blocking the network

Incident Response Team Members: Roles and Responsibilities (contd)

System Administrator:
Updates service packs and patches
Examines system logs to identify malicious activities

Business Applications and Online Sales Officer:
Reviews business applications and services for signs of incidents
Checks the audit logs of critical servers that are vulnerable to attacks

Internal Auditor:
Checks whether the information systems are in compliance with security policies and controls
Identifies and reports any security loopholes to the management

Developing Skills in Incident Response Personnel

Appropriate books, magazines, and other technical references should be available that help in improving the technical knowledge of the subject

Prepare a training budget to maintain, enhance, and increase proficiency in technical areas and security disciplines, including the legal aspects of incident response taught by the legal experts

Give opportunities to the team members to perform other tasks associated with incident response

Consider the process of rotating staff members in and out of the incident response team

Developing Skills in Incident Response Personnel (contd)

Maintain sufficient staff in the organization so that the team members can have uninterrupted time for work

Develop a mentoring program for senior technical staff to help less experienced staff learn about the incident handling process

Hire external subject matter experts for training

Develop various scenarios on incident handling and conduct group discussions on how they would handle them

Conduct incident handling mock drills for the teams

Incident Response Team Structure

The incident response team should handle the incident whenever an incident is identified by any person in the organization

The incident response team should:

Analyze the incident data
Examine the impact of the incident
Minimize the damage and restore the system to normal operations

The incident response team includes:

Central incident response team
Distributed incident response teams
Coordinating team

Incident Response Team Structure (contd)

Staffing Models:

Employees
Partially Outsourced
Fully Outsourced

24/7 Availability

Team model selection:

Employee Morale
Cost
Staff Expertise
Organizational Structure

Incident Response Team Dependencies

Management
Information Security
Telecommunications
IT Support
Legal Department
Public Affairs and Media Relations
Human Resources
Business Continuity Planning
Physical Security and Facilities Management

Incident Response Team Services

Advisory Distribution
Vulnerability Assessment
Intrusion Detection
Education and Awareness
Technology Watch
Patch Management

Defining the Relationship between Incident Response, Incident Handling, and Incident Management

Source: http://www.cert.org/

Incident Response Best Practices


Stay calm

Assess the situation

Identify the people to handle the incident

Form a plan for resolution


Identify the problem
Do not cause any dam age
Resolve the problem

Docum ent everything

Analyze the evidence to confirm that an incident has occurred


EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Incident Response Best Practices (contd)

Notify the appropriate people
Stop the incident if it is still in progress
Identify the single most important and immediate problem
Preserve evidence from the incident
Wipe out all effects of the incident
Identify and mitigate all vulnerabilities that were exploited
Prevent recurrence of the incident
Review the causes and resolution
Confirm that operations have been restored to normal
Create a final report

Incident Response Policy

Implement an incident response policy supported by management
Decide on an organizational approach
Determine the outside notification procedures
Identify remote connections and include remotely operating employees or contractors
Identify the members of the incident team and describe their roles, responsibilities, and functions
Prepare a communication plan to contact the key personnel
Define and follow a method for reporting and archiving the incidents

Incident Response Plan Checklist

Does your plan accurately describe the systems it applies to?
Does your plan include a contact list of key personnel?
Does your plan include information on roles and responsibilities?
Does your plan include a diagram of the escalation framework?
Does your plan include how to contact the agency CSIRC?
Does your plan list the members of the CSIRT team?
Does your plan list the members of the CSIRC team?
Does your plan include a description of incident types?
Does your plan include guidance on severity levels?
Does your plan include information on agency security policies?
Does your plan include incident handling guidelines?

Incident Handling System: RTIR

http://bestpractical.com/rtir/

Request Tracker for Incident Response (RTIR) is an open source incident handling system
It helps in handling incident reports
It allows multiple incident reports to be tied to specific incidents
It makes it easy to launch investigations and work with law enforcement, network providers and other partners to get to the bottom of each incident

Features:
Incident response workflow
Easy and clickable metadata lookups
Scripted action

Screenshot: RTIR

RPIER 1st Responder Framework

http://www.ohloh.net/p/rpier-infosec

Regimented Potential Incident Examination Report (RPIER) is a security tool built to facilitate 1st response procedures for incident handling
It is designed to acquire commonly requested information for incident handling

Features:
Fully configurable GUI
Auto-update functionality with SHA1 verification
Results are auto-zipped
Results are auto-uploaded to a central secured repository
Email notification
Pre/post run integrity check
Command line configuration/execution
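The pre/post run integrity check listed above is worth seeing in code: hash every file of the responder toolkit before the run, hash again afterwards, and report anything added, removed or modified, so a responder can tell whether the collection tools themselves were tampered with while they ran. The following is an added example, not RPIER's own code; the toolkit directory, file names and the tampering scenario are constructed placeholders, and it uses SHA-256 rather than the SHA1 the slide mentions.

```python
"""Pre/post run integrity check for a first-responder toolkit (added example,
not RPIER code). The directory layout and the tampering are constructed."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of one file, read in chunks so large evidence files are fine."""
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, algorithm: str = "sha256") -> Dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path, algorithm)
    return manifest


def compare_manifests(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the pre-run and post-run manifests."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a collector binary is altered during the run and
    a results archive appears. A clean run would report only expected outputs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "collect.exe").write_bytes(b"original collector")
        (root / "config.ini").write_text("upload=yes\n")
        before = build_manifest(root)          # pre-run check
        # simulate tampering and normal output while the toolkit runs
        (root / "bin" / "collect.exe").write_bytes(b"altered collector")
        (root / "results.zip").write_bytes(b"PK\x03\x04")
        after = build_manifest(root)           # post-run check
        return compare_manifests(before, after)


if __name__ == "__main__":
    print(demo())
```

Anything under "modified" that is a tool binary, rather than an expected output file, is the signal that the run cannot be trusted.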

RPIER 1st Responder Framework: Screenshot

Summary

The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident

An incident response plan consists of a set of instructions to detect and respond to an incident

The incident response plan gathers required resources in an organized manner to address incidents related to the security of a computer system

Preparation is the most important aspect that allows you to respond to an incident before it occurs

Training and awareness provide the skills required to implement incident handling policies

Incident management not only responds to an incident but also prevents the occurrence of future incidents by minimizing the potential damage caused by risks and threats

EC-Council Certified Incident Handler
Version 1

Module IV
CSIRT

News: Council of Europe and OAS Step up Efforts to Counter Terrorism and Strengthen Cyber Security

Source: http://www.egovmonitor.com

Module Objective
This module will familiarize you with:

CSIRT
CSIRT Goals and Strategy
CSIRT Vision
CSIRT Mission Statement
CSIRT Constituency
Types of CSIRT Environments
Best Practices for Creating a CSIRT
Roles of CSIRTs
CSIRT Services
CSIRT Policies and Procedures
CSIRT Incident Report Form
CERT
CERT(R) Coordination Center: Incident Reporting Form
World CERTs

Module Flow

CSIRT
CSIRT Goals and Strategy
CSIRT Vision
CSIRT Mission Statement
CSIRT Constituency
Types of CSIRT Environments
Best Practices for Creating a CSIRT
Roles of CSIRTs
CSIRT Services
CSIRT Policies and Procedures
CSIRT Incident Report Form
CERT
CERT(R) Coordination Center: Incident Reporting Form
World CERTs

Introduction to CSIRT

What is CSIRT
CSIRT stands for Computer Security Incident Response Team

It is a service organization which provides 24x7 computer security incident response services to any user, company, government agency, or organization

It provides a reliable and trusted single point of contact for reporting computer security incidents worldwide

It provides the means for reporting incidents and disseminating important incident related information

What is the Need of an Incident Response Team (IRT)
An incident response team helps organizations to recover from computer security breaches and threats

This team is dedicated to understanding the incident response process and taking necessary actions when needed

It is a formalized team whose major job function is performing incident response

The team consists of experts trained to respond to and handle incidents

CSIRT Goals and Strategy

Goals of CSIRT:
To manage security problems by taking a proactive approach towards the customer's security vulnerabilities and by responding effectively to potential information security incidents
To minimize and control the damage
To provide or assist with effective response and recovery
To prevent future security incidents

Strategy of CSIRT:
It provides a single point of contact for reporting local problems
It identifies and analyzes what has happened during an incident, including the impact and threat
It researches solutions and mitigation strategies

CSIRT Vision

Identify the organization
Specify the mission, goals, and objectives of an organization
Select the services to be offered by the CSIRT
Determine how the CSIRT should be structured for the organization
Plan the budget required by the organization to implement and manage the CSIRT
Determine the resources (equipment, staff, infrastructure) to be used by the CSIRT

Common Names of CSIRT

Computer Incident Response Team (CIRT)
Incident Handling Team (IHT)
Incident Response Team (IRT)
Security Emergency Response Team (SERT)
Security Incident Response Team (SIRT)

CSIRT Framework

CSIRT Mission Statement

A mission statement provides a basic understanding of what the team is trying to achieve
It provides a focus for the overall goals and objectives of the CSIRT
A CSIRT should define, document, adhere to, and widely distribute a concise and clear mission statement
The mission statement must be unambiguous and consist of at most three or four sentences
It should specify the mission with which the CSIRT is charged

CSIRT Constituency
Constituency is the region where the CSIRT is bound to serve

It might be defined in the form of a statement and may be supported by a list of domain names

CSIRT constituency may be bounded or unbounded by some constraints

A CSIRT defines its constituency and its relationship to that constituency

CSIRT Constituency (contd)

CSIRT Type: International Coordination Center
Nature of Mission: Obtain a knowledge base with a global perspective of computer security threats through coordination with other CSIRTs and building a web of trust among CSIRTs
Type of Constituency Served: Other CSIRTs around the world

CSIRT Type: Corporation
Nature of Mission: Improve the security of the corporation's information infrastructure and minimize the threat of damage resulting from intrusions
Type of Constituency Served: System and network administrators and system users within the corporation

CSIRT Type: Technical
Nature of Mission: Improve the security of a given IT product
Type of Constituency Served: Users of the product

Table: CSIRT Types With Associated Missions and Constituencies; Source: www.cert.org

CSIRT Constituency (contd)

The issues relating to the constituency that are to be addressed are:

Overlapping constituencies
Relationship to constituency
Promoting the CSIRT to the constituency
Gaining the constituency's trust

CSIRT's Place in an Organization

The place that a CSIRT holds in its parent organization is tightly coupled to its stated mission

It fails when placed under the system administration department of its parent organization

A CSIRT may constitute the entire security team for an organization, or may be totally distinct from an organization's security team

The activities of a CSIRT can also be carried out by the organization's security team

A CSIRT must be well embedded within the organization's business structure

CSIRT's Place in an Organization (contd)
It commonly resides within, or has some overlap with, the organization's IT security department, as shown in the figure below:

Parent Organization

Source: www.cert.org

CSIRT's Relationship with Peers

Figure: CSIRT Peer Relationships, Source: www.cert.org

CSIRT Types and Roles

Types of CSIRT Environments

Internal CSIRT:
Provides services to its parent organization such as a bank, manufacturing company, university, or any government agency

National CSIRT:
Provides services to the entire nation. For example, Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)

Vendor CSIRT:
Identifies vulnerabilities in software and hardware products

Governmental sector CSIRT:
Provides services to government agencies and to the citizens in some countries

Military sector CSIRT:
Provides services to military organizations with responsibilities for IT infrastructure

Small & Medium Enterprises (SME) Sector CSIRT:
Provides its services to its own business branch or similar user group

Best Practices for Creating a CSIRT

1. Obtain management support and buy-in
2. Determine the CSIRT strategic plan
3. Gather relevant information
4. Design the CSIRT vision
5. Communicate the CSIRT vision and operational plan
6. Begin CSIRT implementation
7. Announce the operational CSIRT
8. Evaluate CSIRT effectiveness

Step 1: Obtain Management Support and Buy-in
Without management approval and support, creating an effective incident response capability can be difficult and problematic

Once the team is established, consider:

How is it maintained and expanded with budget, personnel, and equipment resources?
Will the role and authority of the CSIRT continue to be backed by management across the various constituencies or parent organization?

Step 2: Determine the CSIRT Development Strategic Plan
Are there specific timeframes to be met? Are they realistic, and if not, can they be changed?

Is there a project group? Where do the group members come from?

How do you let the organization know about the development of the CSIRT?

If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?

Step 3: Gather Relevant Information
Meet with the key stakeholders to discuss the expectations, strategic direction, definitions, and responsibilities of the CSIRT

The stakeholders can include:

Business managers
Representatives from IT
Representatives from the legal department
Representatives from human resources
Representatives from public relations
Any existing security groups, including physical security
Audit and risk management specialists

Step 4: Design your CSIRT Vision

In creating your vision, you should:

Identify your constituency: Who does the CSIRT support and give service to?
Define your CSIRT mission, goals, and objectives: What does the CSIRT do for the identified constituency?
Select the CSIRT services to provide to the constituency (or others): How does the CSIRT support its mission?
Determine the organizational model: How is the CSIRT structured and organized?
Identify required resources: What staff, equipment, and infrastructure are needed to operate the CSIRT?
Determine your CSIRT funding: How is the CSIRT funded for its initial startup and its long-term maintenance and growth?

Step 5: Communicate the CSIRT Vision
Communicate the CSIRT's vision and operational plan to management, constituency, and others who need to know and understand its operations

As appropriate, make adjustments to the plan based on their feedback

Step 6: Begin CSIRT Implementation
Hire and train initial CSIRT staff

Buy equipment, and build any necessary network infrastructure to support the team

Develop the initial set of CSIRT policies and procedures to support your services

Define and build an incident-tracking system

Develop incident-reporting guidelines and forms for your constituency

Step 7: Announce the CSIRT

When the CSIRT is operational, announce it to the constituency or parent organization

It is best if this announcement is made by the sponsoring management

Include the contact information and hours of operation for the CSIRT in the announcement

This is an excellent time to make the CSIRT incident reporting guidelines available

Step 8: Evaluate CSIRT Effectiveness
Once the CSIRT is operational, management determines the effectiveness of the team and uses evaluation results to improve CSIRT processes

It must ensure that the team is meeting the needs of the constituency

The CSIRT, in conjunction with management and the constituency, will need to develop a mechanism to perform such an evaluation

Role of CSIRTs
CSIRTs provide IT security incident centered services to their constituency, such as prevention, detection, correction, repression, or awareness building
The CSIRT's services focus on attacks that are propagated via the Internet and tunnel their way into extranets, intranets, and computer systems
The CSIRT reports preventive measures along with the identified vulnerabilities to its constituency

The CSIRTs provide services such as:

Awareness building
Detection
Correction

Roles in an Incident Response Team
Except for some common roles, the roles in an IRT are distinct for every organization:

Incident Coordinator (IC)
The IC connects different groups
He/she links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management

Incident Manager (IM)
The IM focuses on the incident and handles it from a management and technical point of view

Roles in an Incident Response Team (contd)
Incident Analyst (IA)
Incident analysts are the technical experts in their particular area
The IA applies the appropriate technology and tries to eradicate and recover from the incident

Constituency
The constituency is not a part of the incident-response team itself, but is a stakeholder in the incident

Administration
Ensures that the foundation's offices are returned to normal operations as quickly as possible
Assists in the development of an alternate site as necessary

Roles in an Incident Response Team (contd)
Human Resources
HR is responsible for the human aspects of the disaster, including post-event counseling and next-of-kin notification
It answers questions related to compensation and benefits

Public Relations
PR is responsible for developing the media messages regarding any event
It is responsible for all stakeholder communications, including the board, foundation personnel, donors, grantees, suppliers/vendors, and the media

Roles in an Incident Response Team (contd)

CSIRT roles at a glance:

Incident Coordinator (IC): acts as a link between different groups
Incident Manager (IM): handles an incident from a management and technical point of view
Incident Analyst (IA): eradicates and recovers from the incident
Constituency: is a stakeholder in the incident
Administration: ensures that the office operations return to a normal situation
Human Resources: responsible for the human aspects of the disaster
Public Relations: responsible for stakeholder communications

Roles in an Incident Response Team (contd)
Other roles may include:

Support staff
Technical writers
Network or system administrators
CSIRT infrastructure staff
Programmers or developers (to build CSIRT tools)
Web developers and maintainers
Media relations
Legal or paralegal staff or liaison
Law enforcement staff or liaison
Auditors or quality assurance staff
Marketing staff

CSIRT Services, Policies, and Procedures

CSIRT Services

CSIRT services are grouped into the following three categories:
Reactive services
Proactive services
Security quality management services

Reactive Services
The reactive services process the requests for assistance

They respond to incident reports from the CSIRT constituency

They identify and rectify any threats or attacks against the CSIRT systems

The services provided include:

Alerts and warnings
Incident handling
Vulnerability handling
Artifact handling

Proactive Services
The services improve the infrastructure and security processes of the constituency before any incident occurs

The services provided include:

Announcements
Technology watch
Security audit or assessment
Configuration and maintenance of security tools, applications, infrastructures, and services
Development of security tools
Intrusion detection services
Security-related information dissemination

Security Quality Management Services
The security quality management services are established services designed to improve the overall security of an organization

These services incorporate feedback and lessons learned based on knowledge gained by responding to incidents, vulnerabilities, and attacks

The services include:

Risk analysis
Business continuity and disaster recovery planning
Security consulting
Awareness building
Education/training
Product evaluation or certification

CSIRT Policies and Procedures

Policies are the governing principles adopted by the organizations or teams

The policies of an organization need to be clearly stated

Policies and procedures are interrelated

Procedures detail how a team enacts activities within the boundaries of its policies
Procedures make a policy successful

Members of an organization should clearly understand policies and procedures in order to implement them

CSIRT Policies and Procedures (contd)

A policy can be defined with:

Attributes
Content
Validation
Implementation
Maintenance, and
Enforcement

Attributes

A policy should be defined as a set of detailed procedures

It should outline the essential characteristics for a specific topic area in such a manner that the necessary information is provided

Attributes (contd)

Source: www.sei.cmu.edu

Content
The content of a policy is mainly a definition of behavior in a certain topic area
It defines the features that are the boundary conditions for any policy definition
The policy content features are listed in the following table:

Content (contd)

Source: www.sei.cmu.edu

Validity

After a policy has been defined, it is advisable to check its validity in practice before actually implementing it

A validity check finds out whether all the ideas in the policy can actually be translated into real-life behavior

Implementation, Maintenance, and Enforcement
After validating the policy, feedback should be given to the policy makers so that they can make revisions

Once the policy is revised based on the feedback and it is ensured that the policy does not require further changes, the policy can be implemented

How CSIRT Handles a Case

Keep a log book
Inform the appropriate people
Maintain a list of contacts
Release the information
Follow-up analysis
Report

CSIRT Incident Report Form

Incident Tracking and Reporting Systems

Application for Incident Response Teams (AIRT)
http://airt.leune.com/

AIRT is a web-based application designed and developed to support the day to day operations of a computer security incident response team
It supports highly automated processing of incident reports and facilitates coordination of multiple incidents by a security operations center

Features:

Identify owners of networks
Track incidents
Automatically import incident reports
Prepare outgoing emails based on incident templates
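The workflow that both RTIR (tying multiple incident reports to specific incidents) and AIRT (identifying network owners, importing reports, preparing outgoing emails from templates) describe can be shown end to end in a few dozen lines. The following is an added example, not code from RTIR, AIRT or the original slides; the report fields, the network-owner table (documentation address ranges only), the mail template and the three sample reports are constructed placeholders standing in for a real abuse mailbox, whois lookup and template store.

```python
"""Link incident reports to incidents and draft owner notifications
(added example; not RTIR or AIRT code). All data below is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from string import Template
from typing import List, Optional


@dataclass
class Report:
    """One incoming report, e.g. parsed from an abuse mailbox."""
    reporter: str
    source_ip: str
    summary: str


@dataclass
class Incident:
    """A case grouping every report about the same offending source."""
    ident: int
    source_ip: str
    owner_contact: str
    reports: List[Report] = field(default_factory=list)


# Constructed stand-in for a whois / RIR lookup (documentation ranges only).
NETWORK_OWNERS = {
    "192.0.2.0/24": "abuse@example.net",
    "198.51.100.0/24": "noc@example.org",
}

# Constructed outgoing-mail template, analogous to AIRT's incident templates.
MAIL_TEMPLATE = Template(
    "To: $owner\n"
    "Subject: [Incident $ident] Activity from $source_ip\n\n"
    "We received $count report(s) concerning $source_ip:\n$details\n"
    "Please investigate and reply quoting incident $ident.\n"
)


def owner_for(ip: str) -> str:
    """Return the abuse contact whose network contains ip, or a placeholder."""
    addr = ip_address(ip)
    for cidr, contact in NETWORK_OWNERS.items():
        if addr in ip_network(cidr):
            return contact
    return "unknown-owner@PLACEHOLDER"   # no table entry: escalate manually


class Tracker:
    def __init__(self) -> None:
        self.incidents: List[Incident] = []

    def find_open(self, source_ip: str) -> Optional[Incident]:
        """Existing incident for this source, if any (all incidents stay open here)."""
        return next((i for i in self.incidents if i.source_ip == source_ip), None)

    def ingest(self, report: Report) -> Incident:
        """Attach the report to the incident for the same source, else open a new one."""
        incident = self.find_open(report.source_ip)
        if incident is None:
            incident = Incident(len(self.incidents) + 1, report.source_ip,
                                owner_for(report.source_ip))
            self.incidents.append(incident)
        incident.reports.append(report)
        return incident

    def draft_email(self, incident: Incident) -> str:
        """Fill the template with every report tied to the incident."""
        details = "\n".join(f"- {r.reporter}: {r.summary}" for r in incident.reports)
        return MAIL_TEMPLATE.substitute(
            owner=incident.owner_contact, ident=incident.ident,
            source_ip=incident.source_ip, count=len(incident.reports),
            details=details)


def demo() -> Tracker:
    """Constructed reports: two about one source, one about another."""
    t = Tracker()
    t.ingest(Report("ids@example.com", "192.0.2.10", "repeated failed logins on bastion"))
    t.ingest(Report("helpdesk@example.com", "198.51.100.7", "phishing page reported by staff"))
    t.ingest(Report("soc@partner.example", "192.0.2.10", "same host scanning our web tier"))
    return t


if __name__ == "__main__":
    for inc in demo().incidents:
        print(Tracker().draft_email(inc))
```

The third report lands in incident 1 rather than opening a third case, which is exactly the deduplication that keeps a busy team from sending two uncoordinated notices to the same network owner.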

AIRT: Screenshot 1

AIRT: Screenshot 2

BMC Remedy Action Request System

http://www.bmc.com/

BMC Remedy Action Request System provides a consolidated service process management platform for automating and managing service management business processes

Features:
Automates service management business processes
Integrates processes with systems across the enterprise
Adapts and evolves your processes to continually align with the needs of the business
Manages business process performance in real-time
Replaces outdated manual systems with process automation that speeds the handling of unique processes
Rapidly prototypes, deploys, maintains, and iterates Service Management applications
Captures and tracks critical business data

BMC Remedy Action Request System: Screenshot

PGP Desktop Email

http://www.pgp.com/
PGP Desktop Email provides enterprises with an automatic, transparent encryption solution for securing internal and external confidential email communications
With PGP Desktop Email, organizations can minimize the risk of a data breach and comply with partner and regulatory mandates for information security and privacy

Features:
Easy, automatic operation
Protects sensitive email without changing the user experience

Enforced security policies
Enforce data protection automatically with centrally managed policies

Accelerated deployment
Achieves end-to-end email encryption using the existing infrastructure

Reduced operation costs
Result from centralized automation of email encryption policies

PGP Desktop Email (contd)

The GNU Privacy Guard (GnuPG)

http://www.gnupg.org/

GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880

It allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories

Features:

Does not use any patented algorithms
Can be used as a filter program
Decrypts and verifies PGP 5, 6 and 7 messages
Supports ElGamal, DSA, RSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER
Supports key and signature expiration dates

Listserv
http://www.lsoft.com/

Listserv is email list management software

It provides the power, reliability, and enterprise-level performance you need to manage all your opt-in email lists

Its Web interface simplifies email list and server management, allowing you to control your lists and administer your server from anywhere on the Internet

Listserv (contd)
Features and benefits

List owner features:

Supports all list types
Automatic subscriptions
Automatic bounce handling
Personalization
Searchable web archives
RSS support

Site administrator features:

Multiple license sizes
Virus protection
Deliverability
Spam control
Database connectivity
Customizable web interface

Listserv: Screenshot

CERT

CERT
CERT stands for Community Emergency Response Team (CERT)
The CERT program helps to train people to be better prepared to respond to emergency situations in their communities

CERT members can provide critical support to first responders by:
Providing immediate assistance to victims
Organizing spontaneous volunteers at a disaster site

CERT-CC

Source: http://www.cert.org/

CERT(R) Coordination Center: Incident Reporting Form

Source: http://www.cert.org/reporting/incident_form.txt

CERT: OCTAVE
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation

It is a set of tools, techniques, and methods for risk-based information security strategic assessment and planning

There are three OCTAVE methods:

OCTAVE Method
OCTAVE-S
OCTAVE-Allegro

OCTAVE Method
The OCTAVE method uses a three-phased approach to examine organizational and technology issues

It comprises a series of workshops that are conducted by an interdisciplinary analysis team of three to five persons from the organization

This method focuses on:

Identifying critical assets and the threats to those assets
Identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
Developing a practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities

OCTAVE Method (contd)

EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

OCTAVE-S
OCTAVE-S uses a more streamlined process and different worksheets but produces the same result
as the OCTAVE method

It requires a team of 3-5 people with an understanding of all aspects of the company

This version does not start with gathering the information regarding important assets, security
requirements, threats, and security practices

The assumption is that the analysis team is already aware of this information

OCTAVE-S includes only a limited exploration of the computing infrastructure

OCTAVE Allegro
OCTAVE Allegro is a streamlined variant of the OCTAVE method that focuses on
information assets

It can be performed in a workshop-style, collaborative setting

It is not suited to individuals who want to perform a risk assessment without extensive
organizational involvement, expertise, or input

It focuses mainly on the information assets

The assets of the organization are identified and assessed based on the information assets
to which they are connected

OCTAVE Allegro (contd)

OCTAVE Allegro consists of eight steps organized into four phases:
Phase 1 - Assessment participants develop risk measurement criteria
consistent with organizational drivers: the organization's mission, goal
objectives, and critical success factors
Phase 2 - Participants create a profile of each critical information asset that
establishes clear boundaries for the asset, identifies its security requirements,
and identifies all of its containers
Phase 3 - Participants identify threats to each information asset in the context
of its containers
Phase 4 - Participants identify and analyze risks to information assets and
begin to develop mitigation approaches

OCTAVE Allegro (contd)

World CERTs

Asia Pacific CERTs:
Australia CERT (AUSCERT)
Hong Kong CERT (HKCERT/CC)
Indonesian CSIRT (ID-CERT)
Japan CERT-CC (JPCERT/CC)
Korea CERT (CERT-KR)
Malaysia CERT (MyCERT)
Pakistan CERT (PakCERT)
Singapore CERT (SingCERT)
Taiwan CERT (TWCERT)
China CERT (CNCERT/CC)

North American CERTs:
CERT-CC
US-CERT
Canadian Cert (Cancert)
Forum of Incident Response and Security Teams (FIRST)

South American CERTs:
CAIS (CAIS - Brazilian Research Network CSIRT)
NBS (NIC BR Security Office Brazilian CERT)

European CERTs:
EuroCERT
FUNET CERT
CERTA
DFN-CERT
JANET-CERT
CERT-NL
UNINETT-CERT
CERT-NASK
Swiss Academic and Research Network CERT

Australia CERT (AUSCERT)

Source: http://www.auscert.org.au/index.html

Hong Kong CERT (HKCERT/CC)

Source: http://www.hkcert.org

Indonesian CSIRT (ID-CERT)

Source: http://www.cert.or.id/

Japan CERT-CC (JPCERT/CC)

Source: http://www.jpcert.or.jp/english/

Malaysian CERT (MyCERT)

Source: http://www.mycert.org.my/en/

Indian CERT


Pakistan CERT (PakCERT)

Source: http://www.pakcert.org/

Singapore CERT (SingCERT)

Source: http://www.singcert.org.sg/index.php?option=com_mjfrontpage&Itemid=30

Taiwan CERT (TWCERT)

Source: http://www.cert.org.tw/eng/

China CERT (CNCERT/CC)

Source: http://www.cert.org.cn/english_web/

US-CERT

Source: http://www.us-cert.gov/

Government Forum of Incident Response and Security Teams (GFIRST)
GFIRST is a group of technical and tactical practitioners of security response teams
responsible for securing government information technology systems
GFIRST members work together to understand and handle computer security incidents
and to encourage proactive and preventative security practices

Canadian Cert

Source: http://www.ewa-canada.com/index.php

Forum of Incident Response and Security Teams

Source: http://www.first.org/

CAIS/RNP

Source: http://www.rnp.br/en/

NIC BR Security Office Brazilian CERT

Source: http://www.nic.br/imprensa/clipping/2008/midia412.htm

EuroCERT

Source: http://www.eurocert.ie/

FUNET CERT

Source: http://www.csc.fi

SURFnet-CERT

Source: http://cert.surfnet.nl/home-eng.html

DFN-CERT

Source: http://www.dfn-cert.de/

JANET-CERT

Source: http://www.ja.net/index.html

CERT POLSKA

Source: http://www.cert.pl

Swiss Academic and Research Network CERT

Source: http://www.switch.ch/cert/

http://www.first.org/about/organization/teams/

http://www.apcert.org/about/structure/members.html

IRTs Around the World

Copyright 2004 Carnegie Mellon University
CERT and CERT Coordination Center are registered in the U.S. Patent and Trademark office.

Summary
CSIRT is a service organization which provides 24x7 computer security incident response
services to any user, company, government agency, or organization
CSIRT should define, document, adhere to, and widely distribute a concise and clear
mission statement

Constituency is the region over which the CSIRT is bound to serve

CSIRT may constitute the entire security team for an organization or may be totally distinct
from an organization's security team
CERT program helps train people to be better prepared to respond to emergency situations
in their communities

Security accreditation refers to the acceptance and management of risk

EC-Council Certified
Incident Handler
Version 1

Module I
Introduction to Incident
Response and Handling

News: Number of Reported Cyber Incidents Jumps
Federal civilian agencies reported three times as many cyber-related incidents in fiscal 2008 as they did in fiscal 2006 to the
Homeland Security Department's office that coordinates defenses and responses to cyberattacks. Meanwhile, an official says the
office suspects the actual number of cyber incidents is higher.
The agencies reported to DHS' United States Computer Emergency Readiness Team (US-CERT) a total of
18,050 incidents in fiscal 2008, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006, according to
DHS officials. Overall, the total number of incidents reported to US-CERT from commercial, foreign, private,
and federal, state and local government sectors rose from 24,097 in fiscal 2006 to 72,065 in fiscal 2008.
The Federal Information Security Management Act requires agencies to report cyber incidents, which are defined as acts that
violate computer security or acceptable-use policies. The types of incidents include unauthorized access, denial of service,
malicious code, improper usage, and scans, probes and attempted access.
Mischel Kwon, US-CERT's director, said that the numbers represent both an increase in malware and improvements in the
capabilities of US-CERT and agencies to detect and report cyber incidents.
"As we mature and become more robust, and we deploy more tools, incident numbers will go up," she said. "Both parts of the
story are true: There is an increase in mal events, and there is an increase in capabilities in order to detect those mal events."
Kwon added that the numbers were a bit deceiving because the reports are based on manual reporting by agencies and that
there are few security operations centers that monitor federal agency networks. She said agencies don't have the tools or
analysts to review data to determine if incidents have occurred.

Source: http://fcw.com/

Cyber Incident Statistics

Chart: Number of cyber incidents reported to DHS United States Computer Emergency Readiness Team, by fiscal year (2006, 2007, 2008); y-axis: number of incidents, 0 to 20,000

Source: http://fcw.com/

Incidents and Events by Category

Chart: two pie charts, FY08 Q4 and FY09 Q1, with the categories Unauthorized Access, Malicious Code, Improper Usage, Scans, Probes and Attempted Access, and Under Investigation; the largest segment is 77% in FY08 Q4 and 73% in FY09 Q1

Cyber Security Trends, QUARTERLY TRENDS AND ANALYSIS REPORT, http://www.us-cert.gov/

Top Five Incidents

Chart: two pie charts, FY08 Q4 and FY09 Q1, with the categories Phishing, Malware, Policy Violation, Non-Cyber, Suspicious Network Activity, and Others; the largest segment is 72% in FY08 Q4 and 70% in FY09 Q1

Cyber Security Trends, QUARTERLY TRENDS AND ANALYSIS REPORT, http://www.us-cert.gov/

Case Study: Incident Handling and Response

The Case: Xconsoft, a major software developer located in New Jersey,
realized that sensitive information from folders shared across its network was being
accessed by unauthorized people and leaked to third parties.
The Challenges: Loss of the proprietary information could result in huge financial
losses. The company hired an established consultant for incident handling and
response. The major challenges in front of the consultants were to contain the damage,
assess the losses, and identify the perpetrators.
The Result: After conducting a network-wide search for specific keywords and file
names, the consultant advised the company to isolate the systems that contained
sensitive information and took possession of suspected systems for further analysis.
After going through a complete incident handling and response cycle, and with the
help of a computer forensics investigator, the company was able to trace the culprits.
The consultant advised the company to develop and implement effective network
security policies and deploy intrusion detection tools to defend itself from various
information security incidents.

Do the risks involved in engaging third-party consultants outweigh the concerns about the ROI
of developing an in-house incident handling and response team?

Module Objective

This module will familiarize you with:

Computer Security Incident
Data Classification
Information Warfare
Key Concepts of Information Security
Types of Computer Security Incidents
Signs of an Incident
Incident Response
Incident Handling
Incident Reporting Organizations

Module Flow
Computer Security Incident
Data Classification
Key Concepts of Information Security
Information Warfare
Types of Computer Security Incidents
Signs of an Incident
Incident Handling
Incident Response
Incident Reporting Organizations

Computer Security Incident

A computer security incident might be any real or suspected adverse event in
relation to the security of computer systems or networks
Source: www.cert.org

It is a violation or imminent threat of violation of computer security policies,
acceptable use policies, or standard security practices

Statistics: Different Sources of Security Incidents

Source: Outlook Journal, January 2008, www.accenture.com

Information as Business Asset

An information asset is a piece of information that is important for any business process

The loss of information may affect the organization's investment in different business
activities

An information asset can be a trade secret, patent information, employee/personnel
information, or an idea to develop the business for an organization

Characteristics of Information Assets:

It is recognized to be of value to the organization
It requires cost, skill, time, and resources
It is a part of the organization's corporate identity

Data Classification
Data classification is the process of classifying data based on the
level of sensitivity as it is created, modified, improved, stored, or
transmitted

Data classification helps in identifying the data for business operations

Data can be classified into five levels:

Top secret
Confidential information
Proprietary information
Information for internal use
Public documents

Common Terminologies

Information System:
An information system processes data into useful information to achieve specified
organizational or individual goals
It accepts, processes, and stores data in the form of records in a computer system
and automates some of the information processing activities of the organization

Information Owner:
The information owner is the initial owner who is capable of creating and storing
information

Information Custodian:
The information custodian is responsible for implementing and controlling the security
measures of an information system

Information Warfare

The term Information Warfare or Infowar refers to the use of information
and information systems as weapons in a conflict in which the information
and information systems themselves are the targets

Information warfare is divided into two categories:

Offensive information warfare, where an adversary attacks the information
resources to gain undue advantage
Defensive information warfare, an attempt to protect the information assets
against attacks

Key Concepts of Information Security

Confidentiality: Refers to the prevention of the unauthorized access, disclosure, and use of
information, a part of the broader concept of privacy. Confidentiality is maintained through
user authentication and access control

Integrity: Refers to the reliability and trustworthiness of the information; prevention of
unauthorized changes to the data

Availability: Guarantee of access to resources; a critical function for companies that rely on
electronic data and communications

Vulnerability, Threat, and Attack

Vulnerability: Existence of a weakness in design or implementation that can lead to an
unexpected, undesirable event compromising the security of the system

Threat: A circumstance, event, or person with the potential to cause harm to a system in
the form of destruction, disclosure, data modification, and/or Denial of Service (DoS)

Attack: An assault on system security that is derived from an intelligent threat

Types of Computer Security Incidents
Malicious code attacks:
These include viruses, Trojans, worms, and malicious scripts used by attackers to gain
privileges, capture passwords, and modify audit logs to perform unauthorized activity
on the victim's systems

Unauthorized access:
This includes various activities, from improperly logging into a user's account to gaining
unauthorized access to files and directories by obtaining administrator privileges

Unauthorized use of services:
Users may attempt to transfer files without authorization or use inter-domain access
mechanisms to access files and directories belonging to another organization's
domain

Types of Computer Security Incidents (contd)
Fraud and theft:
Information systems can be exploited by automating traditional methods of fraud

Employee sabotage and abuse include:

Destroying hardware or facilities
Planting logic bombs that destroy programs or data
Intentionally entering incorrect data
Crashing systems
Intentionally deleting and changing data

Misuse:
A condition in which someone uses computer resources for an illegitimate purpose, such
as storing personal information on an official computer

Examples of Computer Security Incidents

Verizon Data Breach Investigations Report - 2008
Who is behind data breaches?

Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com

Verizon Data Breach Investigations Report - 2008 (contd)
How do breaches occur? (% of breaches)

62% were attributed to a significant error
59% resulted from hacking and intrusions
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats

Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com

Verizon Data Breach Investigations Report - 2008 (contd)
Sources of Data Breaches

External:
Intuitively, external threats originate from
sources outside the organization

Internal:
Internal threat sources are those originating from
within the organization

Partner:
Partners include any third party sharing a
business relationship with the organization

Source: Verizon's Data Breach Investigations Report, 2008. www.verizon.com

Incidents That Required the Execution of Disaster Recovery Plans

Chart: bar chart of the share of respondents (y-axis: % of respondents, 0 to 70) reporting each type of incident that required their disaster recovery plan to be executed

Source: Symantec Global Disaster Recovery Survey June 2009. http://www.symantec.com/

Signs of an Incident
Accurately detecting and assessing incidents is the most challenging and
essential part of the incident response process

Typical indications of security incidents include:

A system alarm, or similar indication from an intrusion detection system
An attempt to log on to a new user account
A DoS attack, or users not able to log into an account
System crashes, or poor system performance
Unauthorized operation of a program, or a sniffer device used to
capture network traffic
Suspicious entries in system or network accounting, or
other accounting inconsistencies

Signs of an Incident (contd)

Signs of an incident fall into one of two categories:
A precursor is a sign that an incident may happen in the future
An indication is a sign that an incident has already occurred or may be in progress

Examples of precursors are:

Web server log entries that show the usage of a web vulnerability scanner
An announcement of a new exploit that targets a vulnerability in the organization's
mail server
A threat from a hacktivist group stating that the group will attack the organization

Examples of indications are:

The antivirus software alerts when it detects that a host is infected with a worm
A user calls the help desk to report a threatening email message
IDS and IPS system logs indicating an unusual deviation from typical network traffic
flows
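As an added example (not part of the ECIH material), the following Python script applies the precursor/indication distinction above to a few constructed log lines: a vulnerability scanner user agent in a web server access log is treated as a precursor, while antivirus, IDS and help-desk reports are treated as indications. The log formats, matching rules, host names, addresses and scanner names are all assumptions made up for this example.

```python
"""Sort observed signs into precursors and indications, using the definitions
on the slide above. The matching rules, the log formats and every sample line
are assumptions made for this example; nothing here is ECIH material."""
import re
from dataclasses import dataclass

# Constructed sample input: Apache-style access log entries, then one-line
# antivirus, IDS and help-desk events. Hosts, addresses, user names and the
# scanner name are made up.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2009:13:55:36 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2009:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 120 "-" "Nikto/2.1.5"',
    'AV: host ws-042 infected with Worm.Win32.Example cleaned=false',
    'IDS: outbound traffic from 10.0.0.12 deviates from baseline by 850% on ports 445,139',
    'HELPDESK: user jdoe reports a threatening email message (ticket 1234)',
    '198.51.100.4 - - [10/Oct/2009:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Combined log format with referer and user agent; the user agent is the last quoted field.
ACCESS_LOG = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$')
# User agents of well-known web vulnerability scanners (illustrative list).
SCANNER_UA = re.compile(r'^(Nikto|Nessus|OpenVAS|w3af|sqlmap)\b', re.IGNORECASE)


@dataclass
class Sign:
    kind: str      # "precursor" (may happen) or "indication" (occurred / in progress)
    reason: str
    line: str


def classify(line: str):
    """Return a Sign for lines matching one of the slide's examples, else None."""
    m = ACCESS_LOG.match(line)
    if m:
        # Precursor: web server log entries showing use of a vulnerability scanner.
        if SCANNER_UA.match(m.group("ua")):
            return Sign("precursor", "web vulnerability scanner user agent", line)
        return None                      # ordinary request, not a sign by itself
    if line.startswith("AV:") and "infected" in line:
        # Indication: antivirus alert that a host is infected.
        return Sign("indication", "antivirus reports infected host", line)
    if line.startswith("IDS:") and "deviates from baseline" in line:
        # Indication: IDS/IPS log of an unusual deviation from typical traffic.
        return Sign("indication", "IDS reports deviation from typical traffic", line)
    if line.startswith("HELPDESK:") and "threatening" in line:
        # Indication: a user calls the help desk about a threatening email.
        return Sign("indication", "help desk report of threatening email", line)
    return None


def triage(lines):
    """Bucket all recognised signs so precursors (harden, watch) and
    indications (open an incident) can be handled separately."""
    buckets = {"precursor": [], "indication": []}
    for line in lines:
        sign = classify(line)
        if sign is not None:
            buckets[sign.kind].append(sign)
    return buckets


if __name__ == "__main__":
    for kind, signs in triage(SAMPLE_LINES).items():
        print(f"{kind}: {len(signs)}")
        for s in signs:
            print(f"  {s.reason}")
```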

Incident Categories
There are three categories of incidents:

Low level

Middle level

High level

Incident Categories: Low Level

Low level incidents are the least severe kind of incidents

They should be handled within one day after the event occurs

Low level incidents include:

Loss of personal password
Unsuccessful scans and probes
Request to review security logs
Presence of any computer virus or worms
Failure to download anti-virus signatures
Suspected sharing of the organization's accounts
Minor breaches of the organization's acceptable usage policy

Incident Categories: Middle Level

The incidents at this level are comparatively more serious and
thus should be handled the same day the event occurs

Middle level incidents include:

In-active external/internal unauthorized access to systems
Violation of special access to a computer or computing facility
Unfriendly employee termination
Unauthorized storing and processing of data
Destruction of property related to a computer incident
Localized worm/virus outbreak
Personal theft of data related to a computer incident
Computer virus or worms of comparatively larger intensity
Illegal access to buildings
Breach of the organization's acceptable usage policy

Incident Categories: High Level

High level incidents should be handled immediately after the
incident
They pose an immediate threat to various systems and can lead to
criminal charges, regulatory fines, or a bad name for the organization

These include:

Denial of Service attacks
Suspected computer break-in
Computer virus or worms of highest intensity; e.g. Trojan, back door
Changes to system hardware, firmware, or software without authentication
Destruction of property exceeding $100,000
Personal theft exceeding $100,000 and illegal electronic fund transfer or
download/sale
Any kind of pornography, gambling, or violation of any law

Incident Prioritization
Prioritizing the handling of incidents is critical for the incident handling process

Incidents should not be handled on a first-come, first-served basis

Prioritize incidents based on two factors:

Current and potential technical effect of the incident
Criticality of the affected resources
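The following Python example, added here and not part of the ECIH deck, orders an incident queue by the two factors above instead of first-come, first-served, and derives each incident's handling window from the three categories on the preceding slides (high: immediately; middle: the same day; low: within one day). The numeric scales for effect and criticality, the score thresholds that map onto the categories, and the sample incidents are assumptions.

```python
"""Prioritize an incident queue by technical effect and resource criticality.
Assumed illustration, not ECIH material: the ordinal scales, the score
thresholds that map onto the low/middle/high categories, and the sample
incidents are all made up for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed ordinal scales for the two prioritization factors.
EFFECT = {"none": 0, "low": 1, "medium": 2, "high": 3}   # current/potential technical effect
CRITICALITY = {"low": 1, "medium": 2, "high": 3}         # criticality of affected resources


@dataclass
class Incident:
    ident: str
    description: str
    effect: str        # key into EFFECT
    criticality: str   # key into CRITICALITY
    reported: datetime


def score(inc: Incident) -> int:
    """Combine the two factors; 0 when there is no technical effect at all."""
    return EFFECT[inc.effect] * CRITICALITY[inc.criticality]


def category(inc: Incident) -> str:
    """Map the score onto the deck's three categories (thresholds assumed)."""
    s = score(inc)
    if s >= 6:
        return "high"
    if s >= 3:
        return "middle"
    return "low"


def deadline(inc: Incident) -> datetime:
    """Handling window per category: high immediately, middle the same day,
    low within one day of the event."""
    cat = category(inc)
    if cat == "high":
        return inc.reported
    if cat == "middle":
        return inc.reported.replace(hour=23, minute=59, second=59, microsecond=0)
    return inc.reported + timedelta(days=1)


def prioritize(queue):
    """Highest score first; arrival time only breaks ties, so the queue is
    no longer first-come, first-served."""
    return sorted(queue, key=lambda inc: (-score(inc), inc.reported))


def worklist(queue):
    """Return (ident, category, deadline) tuples in handling order."""
    return [(inc.ident, category(inc), deadline(inc)) for inc in prioritize(queue)]


# Constructed sample queue in arrival order; descriptions echo the category slides.
SAMPLE_QUEUE = [
    Incident("INC-1", "Unsuccessful scans and probes against the web server",
             "low", "low", datetime(2009, 10, 10, 9, 0)),
    Incident("INC-2", "Localized worm outbreak on the finance VLAN",
             "medium", "medium", datetime(2009, 10, 10, 9, 30)),
    Incident("INC-3", "Denial of Service attack against the customer portal",
             "high", "high", datetime(2009, 10, 10, 10, 0)),
    Incident("INC-4", "Loss of a personal password reported to the help desk",
             "low", "medium", datetime(2009, 10, 10, 10, 15)),
]


if __name__ == "__main__":
    for ident, cat, due in worklist(SAMPLE_QUEUE):
        print(f"{ident}: {cat:6s} handle by {due:%Y-%m-%d %H:%M}")
```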

Incident Response
Incident response is the process of responding to incidents that may have occurred due to a
security breach in the system or network

It plays a major role when the security of the system is compromised

The goal of incident response is to handle incidents in a way that minimizes the
damage and reduces recovery time and costs

It includes:
Responding to incidents systematically so that the appropriate steps are taken
Helping personnel to recover quickly and efficiently from security incidents, minimizing
loss or theft of information and disruption of services
Using information gathered during incident handling to prepare for handling future
incidents in a better way and to provide stronger protection for systems and data
Dealing properly with legal issues that may arise during incidents

Incident Handling
Incident handling involves all the processes, logistics, communications, coordination, and
planning needed to respond to and overcome an incident efficiently

Incident handling helps to find out trends and patterns in the intruder's activity

Incident handling procedures help network administrators in recovery, containment, and
prevention of incidents

Incident handling policies help the corresponding staff to understand the process of
responding to and tackling unexpected threats and security breaches

Use of Disaster Recovery Technologies
Which of the following technology types do you have, and which are covered by a DR plan?

Chart: percentage of respondents per technology type (y-axis 0 to 100), two series: Have in Organization, Covered by DR Plan

Source: Symantec Global Disaster Recovery Survey June 2009. http://www.symantec.com/

Impact of Virtualization on Incident Response and Handling
Do you test virtual servers as part of your disaster recovery plan?

Yes: 73%
No: 27%

Source: Symantec Global Disaster Recovery Survey June 2009. http://www.symantec.com/

Impact of Virtualization on Incident Response and Handling (contd)
How are your organization's data and mission critical applications protected in a virtual environment?

Chart: percentage of respondents per protection method (y-axis 0% to 70%)

Source: Symantec Global Disaster Recovery Survey June 2009. http://www.symantec.com/

Estimating Cost of an Incident

Tangible Cost:
Lost productive hours
Investigation and recovery cost
Loss of business
Loss or theft of resources

Intangible Cost:
Damage to corporate reputation
Loss of goodwill
Psychological damage
Those directly impacted may feel victimized
May impact morale or initiate fear
Legal liability
Effect on shareholder value

Key Findings of Symantec Global Disaster Recovery Survey - 2009
The average cost of executing/implementing disaster recovery plans for each downtime
incident worldwide according to respondents is US$287,600

The median cost of executing/implementing disaster recovery plans for each downtime
incident worldwide ranges from approximately $100,000 to $500,000

In North America, the median cost is as high as $900,000

Globally, the median disaster recovery cost is highest for healthcare and financial
services organizations

In North America, the median cost for financial institutions is $650,000

Source: Symantec Global Disaster Recovery Survey June 2009. http://www.symantec.com/

Incident Reporting
Incident reporting is the process of reporting an encountered
security breach in a proper format
The incident should be reported to receive technical assistance
and raise security awareness, which would minimize the losses
Organizations may not report computer crimes due to negative
publicity and potential loss of customers

Incident reporting should include:

Intensity of the security breach
Circumstances which revealed the vulnerability
Shortcomings in the design and impact or level of weakness
Entry logs related to the intruder's activity

Incident Reporting Organizations

The organizations that deal with computer security incidents are:

Computer Emergency Response Team (CERT)
Computer Security Incident Response Team (CSIRT)
Forum for Incident Response and Security Teams (FIRST)
Computer Incident Response Team (CIRT)
Incident Response Center (IRC)
Security Emergency Response Team (SERT)
Security Incident Response Team (SIRT)
Information Analysis Infrastructure Protection (IAIP)
CERT Coordination Center (CERT/CC)
Information Sharing and Analysis Centers (ISAC)

Vulnerability Resources
http://www.kb.cert.org/vuls/
US-CERT Vulnerability Notes Database:
Descriptions of these vulnerabilities are available from this web page in a searchable
database format, and are published as "US-CERT Vulnerability Notes".

Vulnerability Resources (contd)

http://web.nvd.nist.gov/
NVD (National Vulnerability Database):
Integrates all publicly available U.S. Government vulnerability resources and
provides references to industry resources

Summary

A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks
An information system transforms data into useful information that supports decision making
Incident response is an organized approach to address and manage the aftermath of a security breach or attack
Incident handling refers to the operational procedures used to actually manipulate the incident and purge it from the systems
Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format

EC-Council Certified Incident Handler
Version 1

Module II
Risk Assessment

News: Report Faults TSA Risk Assessment
GAO finds agency did not follow Department of Homeland Security process
The Transportation Security Administration lacks the structure, policies and procedures to complete an effective risk management plan for freight and passenger transportation, according to a report by the Government Accountability Office.
Risk management is the security watchword at the Department of Homeland Security as it attempts to allocate money and other resources to the areas that are most vulnerable to a terrorist attack.
The GAO, which audits Executive Branch programs for Congress, said that TSA did not complete a six-step process established by DHS to properly identify and prioritize risks to the transportation system.
TSA collected threat, vulnerability and consequence information, but did not perform risk assessment that would integrate the three components for each mode, or the transportation system as a whole, the GAO said.
The GAO also said TSA set its security priorities based on intelligence, not risk assessment, and DHS did not review or validate TSA's methodology.
In addition, the GAO said that TSA lacked an organizational structure to direct and control its risk-management efforts, a way of evaluating performance, and policies and procedures to integrate with the overall DHS risk management plan.

Source: http://www.joc.com/

Module Objective

This module will familiarize you with:
Risk
Risk Policy
Risk Assessment
NIST Risk Assessment Methodology
Steps to Assess Risks at Workplace
Risk Analysis
Risk Mitigation
Cost/Benefit Analysis
Residual Risk

Module Flow

Risk
Risk Policy
Risk Assessment
NIST Risk Assessment Methodology
Steps to Assess Risks at Workplace
Risk Analysis
Risk Mitigation
Cost/Benefit Analysis
Residual Risk

Risk

Risk is defined as the probability or threat of an incident
It is a measure of the possible inability to achieve a goal, objective, or target within defined security, cost, plan, and technical limitations
It adversely affects the organization's operations and revenues

Risk Policy

A risk policy is a set of ideas to be implemented to overcome the risk

Risk policy includes:
Rules of behavior while dealing with the computer system and the consequences for violating these rules
Personnel and technical controls for the computer system
Methods for identifying, properly limiting, and controlling interconnections with other systems, and particular methods to monitor and manage such limits
Procedures for the on-going training of employees authorized to access the system
Procedures to monitor the efficiency of the security controls
Provisions for continuing support if there is an interruption in the system or if the system crashes

Risk Assessment

Risk assessment is the process of identifying threat sources that pose risk to the business or project environment
It determines the level of risk and the resulting security requirements for each system
Risk assessment for a new system is conducted at the beginning of the System Development Life Cycle
Risk assessment for an existing system is conducted when modifications are made to the system's environment
This process helps to identify the suitable controls to reduce risk in the risk mitigation process
The organization should plan, implement, and monitor a set of security measures that need to be undertaken against the identified risk

NIST's Risk Assessment Methodology

NIST's risk assessment methodology contains nine primary steps:
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation

Source: http://csrc.nist.gov/

Step 1: System Characterization

Identify the boundaries of the IT system along with the resources and the information that constitute the system
Characterize the IT system so as to establish the scope of the risk assessment effort
It describes the operational authorization boundaries such as hardware, software, system connectivity, etc.

Step 1. System Characterization
Input: Hardware; Software; System interfaces; Data and information; People; System mission
Output: System Boundary; System Functions; System and Data Criticality; System and Data Sensitivity

System Characterization Template

System Name:
Hardware
Software
System Interfaces
Data & Information
Persons who support the IT system
System mission (e.g. processes performed by the system)
System & data criticality (system's value or importance to the organization)
Functional requirements of the IT system
Users of the system
System security policies (organizational policies, federal requirements, industry practices, laws)
System security architecture
Current network topology (e.g. network diagram)
Current information storage protection that safeguards system & data CIA
Flow of information relating to the IT system
Management controls used for the IT system (e.g. security planning, rules of behavior)
Operational controls (e.g. back-up, contingency, and resumption and recovery operations, personnel security)
Physical security environment (e.g. facility security, data center policies)
Environmental security (temperature control, water, power)

Step 2: Threat Identification

A threat refers to the probable impact of a threat source exploiting the vulnerabilities in the system
To determine the likelihood of a threat, consider:
Vulnerabilities of the system
Threat sources

Step 2. Threat Identification
Input: History of system attack; Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
Output: Threat Statement

Step 2: Threat Identification (contd)

Human Threats
Incorrect data entry or omissions
Inadvertent acts
Eavesdropping
Impersonation
Shoulder surfing
User abuse or fraud
Theft, sabotage, vandalism, or physical intrusions
Espionage

Step 2: Threat Identification (contd)

Technical Threats
Breaking passwords for unauthorized access to system resources
Sniffing and scanning of network traffic
Data/system contamination
Malicious code infection
Spam and mail frauds
Phishing that may result in loss of confidential private information
DDoS attacks
Application coding errors
Unauthorized modification of a database
Session hijacking
System and application errors, failures

Step 3: Identify Vulnerabilities

Identify the vulnerabilities associated with the system environment
Prepare a list of the system vulnerabilities that a threat source can exploit

Step 3. Vulnerability Identification
Input: Reports from prior risk assessments; Any audit comments; Security requirements; Security test results
Output: List of Potential Vulnerabilities

Vulnerability Report Template

Introduction
Date carried out:
Testing Team details:
Network Details:
Scope of test:

Executive Summary
OS Security issues discovered with appropriate criticality level specified:
Application Security issues discovered with appropriate criticality level specified:
Physical Security issues discovered with appropriate criticality level specified:
Personnel Security issues discovered with appropriate criticality level specified:
General Security issues discovered with appropriate criticality level specified:

Technical Summary
OS Security issues discovered:
Web Server Security:
Database Server Security:
General Application Security:
Business Continuity Policy:

Annexes
1:
2:
3:

Step 4: Control Analysis

Identify or plan the controls that are to be implemented to minimize the threats
Derive the probability of a vulnerability being exercised in the threat environment

Step 4. Control Analysis
Input: Current controls; Planned controls
Output: List of Current and Planned Controls

Step 5: Likelihood Determination

Factors that help derive the overall likelihood rating:
Threat-source motivation and capability
Nature of the vulnerability
Existence and effectiveness of the current controls

Step 5. Likelihood Determination
Input: Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls
Output: Likelihood Rating

Source: http://csrc.nist.gov/

Step 6: Impact Analysis

Determine the impact of a threat when a vulnerability is successfully exercised
Consider the system mission, system and data criticality, and system and data sensitivity to perform impact analysis
Prioritize the impact levels that are associated with the compromise of an organization's information assets
Use qualitative or quantitative assessment to determine the sensitivity and criticality of the information assets

Step 6. Impact Analysis
Input: Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity
Impact categories: Loss of Integrity; Loss of Availability; Loss of Confidentiality
Output: Impact Rating

Step 7: Risk Determination

Assess the level of risk to the IT system as a function of:
The likelihood of a given threat-source attempting to exercise a given vulnerability
The impact of a threat-source when it successfully exercises the vulnerability
The adequacy of planned or existing security controls for reducing or eliminating risk

Step 7. Risk Determination
Input: Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
Output: Risks and Associated Risk Levels

Step 8: Control Recommendations

Recommend the controls to be implemented to reduce the level of risk
The implemented controls should reduce the risk to an acceptable level

Factors to be considered in recommending controls:
Effectiveness of recommended options
Legislation and regulation
Organizational policy
Operational impact
Safety and reliability

Step 8. Control Recommendations
Output: Recommended Controls

Step 9: Results Documentation

Results of the risk assessment should be presented in an official report or briefing
The result document should be made available to the concerned staff, risk control developers, and risk auditors

The risk assessment report should include:
List of the identified vulnerabilities and risks
Risk summary
Risk likelihood rating
Risk impact rating
Overall risk rating
Analysis of the relevant controls
List of the recommended controls
Appendix section containing incident logs and reports of the initial risk assessment phase

Step 9. Results Documentation
Output: Risk Assessment Report

Risk Assessment Report Template

Columns: Risk No. | Vulnerability | Threat | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations
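Worked example of Steps 5 to 7 producing rows for the report template above. This is an added example, not code from the EC-Council deck or from NIST. It uses the likelihood and impact values of the NIST SP 800-30 risk-level matrix (likelihood High/Medium/Low as 1.0/0.5/0.1, impact as 100/50/10, multiplied by ten here to stay in integers); the likelihood rule that lowers a rating one level when current controls are effective, the field names of RiskItem and the three sample risks are constructed for illustration.

```python
from dataclasses import dataclass

# NIST SP 800-30 risk-level matrix values, multiplied by 10 to avoid floats:
# likelihood 1.0/0.5/0.1 -> 10/5/1, impact 100/50/10, risk = likelihood * impact
LIKELIHOOD_SCORE = {"High": 10, "Medium": 5, "Low": 1}
IMPACT_SCORE = {"High": 100, "Medium": 50, "Low": 10}
RATINGS = ["High", "Medium", "Low"]           # ordered from most to least severe


@dataclass
class RiskItem:
    """One row's worth of Step 2-6 findings (constructed fields, not NIST's)."""
    vulnerability: str
    threat: str
    risk: str                      # what happens if the threat exercises the vulnerability
    motivation: str                # Step 5 input: threat-source motivation and capability
    controls_effective: bool       # Step 5 input: existence/effectiveness of current controls
    impact: str                    # Step 6 output: impact rating
    controls: str                  # Step 7 input: analysis of relevant controls
    recommendation: str            # Step 8 output


def likelihood_rating(motivation: str, controls_effective: bool) -> str:
    """Step 5 (assumed rule): start from the threat-source rating and drop it one
    level when current controls are judged effective against the vulnerability."""
    idx = RATINGS.index(motivation)
    if controls_effective:
        idx = min(idx + 1, len(RATINGS) - 1)
    return RATINGS[idx]


def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: likelihood x impact, bucketed on the SP 800-30 scale
    (times 10): > 500 High, > 100 Medium, otherwise Low."""
    score = LIKELIHOOD_SCORE[likelihood] * IMPACT_SCORE[impact]
    if score > 500:
        return "High"
    if score > 100:
        return "Medium"
    return "Low"


def build_report(items):
    """Produce the report template rows, highest overall risk first."""
    rows = []
    for item in items:
        lik = likelihood_rating(item.motivation, item.controls_effective)
        rows.append({
            "Vulnerability": item.vulnerability,
            "Threat": item.threat,
            "Risk": item.risk,
            "Risk Summary": f"{item.threat} exploits '{item.vulnerability}': {item.risk}",
            "Risk Likelihood Rating": lik,
            "Risk Impact Rating": item.impact,
            "Overall Risk Rating": risk_level(lik, item.impact),
            "Analysis of Relevant Controls and Other Factors": item.controls,
            "Recommendations": item.recommendation,
        })
    # list.sort is stable, so rows with equal ratings keep their input order
    rows.sort(key=lambda r: RATINGS.index(r["Overall Risk Rating"]))
    for number, row in enumerate(rows, start=1):
        row["Risk No."] = number
    return rows


# Constructed sample findings for a small web application
SAMPLE_RISKS = [
    RiskItem("Unpatched web server", "External attacker",
             "Remote compromise of the server", "High", False, "High",
             "No patch process; IDS alerts only", "Establish a monthly patch cycle"),
    RiskItem("Shared administrator account", "Disgruntled insider",
             "Untraceable configuration changes", "Medium", True, "High",
             "Access is logged and reviewed weekly", "Issue individual admin accounts"),
    RiskItem("No ICMP rate limiting at the border", "Denial-of-service source",
             "Link saturation by ICMP floods", "Medium", False, "Medium",
             "No current control", "Cap ICMP at a fixed share of bandwidth"),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_RISKS):
        print(row["Risk No."], row["Overall Risk Rating"], row["Vulnerability"])
```

The second sample risk shows the boundary case: a Medium threat against an asset with effective controls rates Low likelihood, and Low likelihood against High impact scores exactly 10 on NIST's scale, which is still Low.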

Steps to Assess Risks at Workplace

The steps involved in risk assessment at the workplace are:
Step 1: Identify hazards
Step 2: Decide who will be harmed and how
Step 3: Analyze risks and check for precautions
Step 4: Implement results of the risk assessment
Step 5: Review risk assessment

Step 1: Identify Hazards

A hazard is anything that may cause harm
Check out the hazards you come across at the workplace
Identify the things that cause harm at the workplace
Take the employees' opinion
Take the guidance of a trade association if you are a member

Step 2: Determine Who Will be Harmed and How

For each hazard, identify who might be harmed
Identify how they might be harmed
Extra thought will be needed for some hazards
Do not forget to think of anyone
Ask the staff if anyone is left out

Step 3: Analyze Risks and Check for Precautions

After spotting all the hazards, think about the precautions to be taken:
Try a less risky option
Prevent access to the hazard
Issue personal protective equipment
Provide welfare facilities

Step 4: Implement Results of Risk Assessment

The risk assessment must be suitable and sufficient
Implement a temporary solution until more reliable controls are in place
Identify a long-term solution to the risks that impact more critical infrastructure
Train the employees on the identified risks and their control measures
Frequently check whether the control measures stay in place

Step 5: Review Risk Assessment

Revisit your risk assessment plan
Find out if any changes are to be made
Enquire if any workers have spotted a problem
Make sure the risk assessment is up to date

Risk Analysis

Risk analysis involves the process of defining and evaluating the dangers
It is used to determine all possible and significant risks for your particular business
Risk analysis should be conducted properly in order to put a proper response in place, based on the amount of risk

Risk Analysis = Risk Assessment + Risk Management + Risk Communication

Need for Risk Analysis

Risk analysis identifies risks within the organization and the potential losses associated with these risks
It is required to define procedures through which an organization can survive or reduce the probability of risks

It helps in analyzing five elements:
Assets (resources of an organization)
Disruptive events (threats to an organization)
Vulnerabilities (weaknesses of an organization)
Losses (due to occurrence of the adversity)
Safeguards (preventive measures against vulnerabilities)

Risk Analysis: Approach

There are two approaches to risk analysis:

Quantitative risk analysis
It is a numerical determination of the probability of an adverse event and the extent of the losses due to the event
It assigns numeric values to the components of the risk assessment and potential loss
Risk = Probability of Loss x Loss

Qualitative risk analysis
It does not use numerical methods to determine the probability of an adverse event and the extent of the losses
Here,
Risk = (Attack Success + Criticality) - (Countermeasures)

Risk Mitigation

Risk mitigation includes all possible solutions for reducing the probability of the risk and limiting the impact of the risk if it occurs
It involves the implementation of the risk control measures outlined in the risk assessment process
Apply a least-cost approach and implement appropriate controls to reduce risks

Risk Mitigation Strategies

A risk mitigation strategy determines the circumstances under which action has to be taken to minimize and overcome risks
Risk mitigation strategies are selected according to the discovered and exploited vulnerability, and the expected impact of the risk
An organization can use one or more of the following strategies:

Risk assumption
It is a risk mitigation strategy where an organization absorbs minor risks while preparing to respond to major ones

Risk avoidance
It is a strategy to avoid risks either by engaging in alternate activities or by preventing specific exposure to the risk sources

Risk Mitigation Strategies (contd)

Risk limitation
This strategy focuses on limiting the exposure to the risk

Risk planning
This strategy focuses on comprehensive plan development for risk assessment and mitigation

Research and acknowledgment
This strategy focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and appropriate controls

Risk transference
It is a strategy where loss is minimized by transferring risks to other parties, either in the form of insurance or contract

Risk Mitigation Strategy (contd)

Source: http://csrc.nist.gov/

Cost/Benefit Analysis

Cost/benefit analysis is done for each proposed control to find out which control is required and suitable under the given circumstances
It is the process of analyzing the business decisions
It can be qualitative or quantitative
A cost/benefit analysis finds, quantifies, and adds all the positive factors, subtracts all the negative factors, and produces the net result
It demonstrates that the costs of implementing the controls can be justified by the reduction in the level of risk

NIST Approach for Control Implementation

Step 1: Prioritize actions
Step 2: Evaluate recommended control options
Step 3: Conduct cost-benefit analysis
Step 4: Select control
Step 5: Assign responsibility
Step 6: Develop a safeguard implementation plan
Step 7: Implement selected controls

Residual Risk

Risk that remains after implementation of all the possible risk control measures is called residual risk
The implemented risk control measures cannot remove the risks completely
They are intended to reduce the risk level to zero

Residual Risk = (Inherent Risk) x (Control Risk)
where Inherent Risk = (threats x vulnerability)
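The two formulas above, Risk = Probability of Loss x Loss from the quantitative approach and Residual Risk = Inherent Risk x Control Risk, carried through a cost/benefit comparison of candidate controls (the least-cost approach from the Risk Mitigation slide). This is an added example, not code from the deck or from NIST; the 0..1 scoring of threats and vulnerability, the reading of Control Risk as the fraction of inherent risk a control leaves behind, and every monetary figure and control name are constructed.

```python
def quantitative_risk(probability_of_loss: float, loss: float) -> float:
    """Risk = Probability of Loss x Loss. With an annual probability this is the
    expected annual loss, which is what the cost/benefit comparison needs."""
    return round(probability_of_loss * loss, 2)


def inherent_risk(threats: float, vulnerability: float) -> float:
    """Inherent Risk = threats x vulnerability, both scored 0..1 (assumed scale)."""
    return round(threats * vulnerability, 4)


def residual_risk(inherent: float, control_risk: float) -> float:
    """Residual Risk = Inherent Risk x Control Risk, where control_risk is the
    fraction of the inherent risk the control fails to remove (0 = perfect, 1 = useless)."""
    return round(inherent * control_risk, 4)


def cost_benefit(risk_before: float, control_risk: float, annual_cost: float) -> dict:
    """Net result for one proposed control: the positive factor is the risk
    reduction it buys, the negative factor is what it costs each year."""
    risk_after = round(risk_before * control_risk, 2)
    reduction = round(risk_before - risk_after, 2)
    net = round(reduction - annual_cost, 2)
    return {"risk_after": risk_after, "risk_reduction": reduction,
            "net_benefit": net, "justified": net > 0}


def rank_controls(probability_of_loss, loss, candidates):
    """Least-cost approach: evaluate every candidate control against the same
    starting risk and order them by net benefit, best first.
    candidates: list of (name, control_risk, annual_cost)."""
    before = quantitative_risk(probability_of_loss, loss)
    ranked = []
    for name, control_risk, annual_cost in candidates:
        result = cost_benefit(before, control_risk, annual_cost)
        result["control"] = name
        result["annual_cost"] = annual_cost
        ranked.append(result)
    ranked.sort(key=lambda r: r["net_benefit"], reverse=True)
    return before, ranked


# Constructed scenario: a customer database costing 200,000 per compromise, with a
# 25% chance per year that the current weaknesses are exploited.
LOSS_PER_INCIDENT = 200_000
ANNUAL_PROBABILITY = 0.25
CANDIDATE_CONTROLS = [
    # (name, control risk left behind, annual cost) -- all constructed
    ("Web application firewall", 0.4, 15_000),
    ("Full application rewrite", 0.1, 60_000),
    ("Monthly patch cycle", 0.7, 5_000),
]

if __name__ == "__main__":
    before, ranked = rank_controls(ANNUAL_PROBABILITY, LOSS_PER_INCIDENT, CANDIDATE_CONTROLS)
    print("expected annual loss without controls:", before)
    for r in ranked:
        print(r["control"], "net benefit", r["net_benefit"], "justified" if r["justified"] else "not justified")
    print("residual risk score:", residual_risk(inherent_risk(0.8, 0.5), 0.4))
```

The rewrite removes the most risk but is not justified at its cost, which is the point of running the analysis per control rather than picking the strongest one; the residual risk call at the end shows that even the chosen control leaves a non-zero score.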

Residual Risk (contd)

The relationship between control implementation and residual risk is illustrated by the flowchart below:

Source: http://csrc.nist.gov/

Risk Management Tools

CRAMM
Acuity STREAM
Callio Secura 17799
EAR / Pilar

CRAMM
http://www.cramm.com/

CRAMM helps in assessing, designing, and managing information security strategy
CRAMM is based on the UK Government's preferred risk assessment methodology

Features:
A comprehensive risk assessment tool in compliance with ISO 27001
Supports information security managers to plan and manage security
Tool wizards create pro-forma information security policies and other related documentation
Supports key processes in business continuity management
A database of over 3000 security controls referenced to relevant risks and ranked by effectiveness and cost

Working of CRAMM

CRAMM provides a staged approach embracing both technical (e.g. IT hardware and software) and non-technical (e.g. physical and human) aspects of security
CRAMM follows a three-stage approach:

Asset identification and valuation
CRAMM enables the reviewer to identify the physical (e.g. IT hardware), software (e.g. application packages), data (e.g. the information held on the IT system) and location assets that make up the information system
Data and software assets are valued in terms of the impact that would result if the information were to be unavailable, destroyed, disclosed or modified

Threat and vulnerability assessment
CRAMM covers the full range of deliberate and accidental threats that may affect information systems, including hacking, viruses, failures of equipment or software, willful damage or terrorism, and errors by people

Countermeasure selection and recommendation
CRAMM contains a large countermeasure library consisting of over 3000 detailed countermeasures organized into over 70 logical groupings

CRAMM: Screenshot

Acuity STREAM
http://www.acuityrm.com/

STREAM automates the complex processes involved in managing compliance with standards and delivering effective risk management
It is a multi-concurrent user, role-based software tool, with a central database, used in real time by risk managers, risk analysts, business stakeholders, control owners, and internal auditors
It provides information for senior managers on the status of compliance across the business with key control standards, and on the level of residual risk measured in relation to defined business appetites

Components of STREAM

STREAM: Screenshot

Callio Secura 17799
http://www.callio.com/

Callio Secura 17799 is software that enables companies to comply with the ISO 17799/BS 7799 information security management standard
It helps in:
Managing threats, vulnerabilities and controls
Managing various types of evaluation criteria, such as confidentiality, availability, integrity and legal compliance
Customizing the vulnerability, occurrence and criterion scales used during the asset evaluation and risk assessment processes
Verifying the level of compliance with ISO 17799 (gap analysis)
Compiling an inventory of your company's most important assets
Defining the structures and processes within your ISMS
Mitigating the risks to each asset
Defining scenarios for the implementation of controls
Drafting security policies
Managing policy documents
Making policies, standards and procedures electronically available
Verifying whether the ISMS meets the requirements for BS 7799-2 certification
Documenting and justifying the application of the ISO 17799 standard's 127 controls to the management framework

Screenshot: Callio Secura 17799

Screenshot: Callio Secura 17799
Define an unlimited number of teams that manage access to document management
Define user roles within each team
Link teams with any ISMS

EAR / Pilar
http://www.ar-tools.com/

EAR / PILAR is designed to support the risk management process over long periods, providing incremental analysis as the safeguards improve

Its functionalities include:
Quantitative and qualitative risk analysis
Management of quantitative and qualitative business impact analysis & continuity of operations

Screenshot: Pilar

Screenshots: Pilar

Summary

Risk is defined as the probability or threat of an incident
A risk policy is a set of ideas to be implemented to overcome the risk
Risk assessment is identifying the resources that pose a threat to the business or project environment
Risk analysis involves the process of defining and evaluating the dangers
Risk mitigation involves implementing the risk-reducing controls that reduce the level of the risk

EC-Council Certified Incident Handler
Version 1

Module V
Handling Network Security Incident

News: Microsoft Responds to Xbox Live Denial-of-service Attack
Source: www.arstechnica.com

Module Objective

This module will familiarize you with:
Handling Denial-of-Service Incidents
Handling Unauthorized Access Incidents
Handling Inappropriate Usage Incidents
Handling Multiple Component Incidents

Module Flow

Denial-of-Service Incidents
Detecting DoS Attacks
Incident Handling Preparation for DoS
Preventing DoS Incidents
DoS Response Strategies
Unauthorized Access Incident
Detecting Unauthorized Access Incident
Preventing Unauthorized Access Incident
Inappropriate Usage Incidents
Detecting Inappropriate Usage Incidents
Prevention of Inappropriate Usage Incidents
Handling and Prevention of Inappropriate Usage Incidents
Multiple Component Incidents
Containment Strategy for Multiple Component Incidents

Handling Denial-of-Service Incidents

Denial-of-Service Incidents

A Denial-of-Service (DoS) attack prevents authorized users from accessing networks, systems, or applications by exhausting the network resources

A DoS attack involves:
Consuming all available bandwidth by generating huge network traffic
Making many processor-intensive requests so that the server's processing resources are fully consumed
Sending malformed TCP/IP server requests that result in a crash of the server's operating system
Sending illegal requests to an application
Establishing simultaneous login sessions to a server so that other users cannot start login sessions
Consuming all available disk space by creating many large files

Distributed Denial-of-Service Attack

A Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems, known as a botnet, attack a single target to cause a Denial-of-Service for the users of the targeted system
In a DDoS attack, the attacker first infects multiple systems, called zombies, which are then used to attack a particular target

The attacker infects handler systems
Handler systems then infect numerous systems (zombies)
Zombies then attack the target system together

Detecting DoS Attack

Indications of a network-based DoS attack:
Reports from users regarding system and service unavailability
Unexplained connection losses
Alert from a network intrusion detection system
Alert from a host intrusion detection system
Increase in utilization of the network's bandwidth
A host having a large number of connections
Asymmetric network traffic pattern
Unusual log entries of firewall, router, and OS
Data packets with unusual source addresses
Data packets with unusual destination addresses
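Four of the indicators above (bandwidth increase, a host with many connections, asymmetric traffic, unusual source addresses) expressed as detection logic over flow records. This is an added example, not code from the deck: the record format, the two sets of sample flows, the list of reserved source ranges and the thresholds (five connections, 10:1 in/out ratio, three times the monitored baseline) are all constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed flow records (not captured traffic): "time src dst dport bytes_in bytes_out",
# one line per connection to the web server 198.51.100.10. Normal traffic first.
SAMPLE_FLOWS = """\
10:00:01 203.0.113.7 198.51.100.10 443 1500 4200
10:00:02 203.0.113.8 198.51.100.10 443 1300 3900
10:00:03 203.0.113.9 198.51.100.10 80 900 2500
"""
# The same minute with a constructed flood appended: one source opening many
# connections, huge inbound volume with almost no reply, and spoofed sources.
FLOOD_FLOWS = SAMPLE_FLOWS + """\
10:01:00 198.18.5.5 198.51.100.10 80 60000 120
10:01:00 198.18.5.5 198.51.100.10 80 60000 100
10:01:01 198.18.5.5 198.51.100.10 80 60000 110
10:01:01 198.18.5.5 198.51.100.10 80 60000 90
10:01:02 198.18.5.5 198.51.100.10 80 60000 100
10:01:02 0.1.2.3 198.51.100.10 80 60000 0
10:01:03 240.0.0.9 198.51.100.10 80 60000 0
"""

# Source ranges that should never appear on packets arriving from the Internet
# (private, loopback, link-local, multicast, reserved); a constructed subset.
UNASSIGNED_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with integer counters."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, b_in, b_out = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "bytes_in": int(b_in), "bytes_out": int(b_out)})
    return flows


def is_unassigned(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in UNASSIGNED_SOURCES)


def dos_indicators(flows, baseline_bytes, conn_threshold=5, asym_ratio=10.0, util_factor=3.0):
    """Map the slide's indicators onto the flow records and return only those
    that fired. baseline_bytes is the normal volume for a window of this size,
    which the ongoing resource monitoring from the preparation slide provides."""
    findings = {}
    connections = Counter(f["src"] for f in flows)
    busy = {src: n for src, n in connections.items() if n >= conn_threshold}
    if busy:
        findings["host_with_many_connections"] = busy
    total_in = sum(f["bytes_in"] for f in flows)
    total_out = sum(f["bytes_out"] for f in flows)
    if total_in + total_out > util_factor * baseline_bytes:
        findings["bandwidth_increase"] = total_in + total_out
    if total_out and total_in / total_out > asym_ratio:
        findings["asymmetric_traffic"] = round(total_in / total_out, 1)
    unusual = sorted({f["src"] for f in flows if is_unassigned(f["src"])})
    if unusual:
        findings["unusual_source_addresses"] = unusual
    return findings


if __name__ == "__main__":
    print("normal:", dos_indicators(parse_flows(SAMPLE_FLOWS), baseline_bytes=20000))
    print("flood: ", dos_indicators(parse_flows(FLOOD_FLOWS), baseline_bytes=20000))
```

The normal window fires nothing, which matters as much as the flood firing: indicators built on absolute counts alone would page the team on every busy hour, so both the connection threshold and the baseline multiplier should come from measured traffic rather than from these constructed values.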

Incident Handling Preparation for DoS

Contact Internet Service Providers (ISPs) and their second-tier agents to determine how they can help in handling a network-based DoS attack
Contact organizations such as CERT and the Internet Crime Complaint Center (IC3) for help in handling the DoS attack
Configure and deploy IDS (Intrusion Detection System) and prevention software to detect DoS traffic
Perform ongoing resource monitoring to establish the baseline network bandwidth utilization
Check web sites that publish statistics on latency between various ISPs and between various physical locations, which is referred to as Internet health monitoring
Discuss with network infrastructure administrators the methods by which they can assist in analyzing and containing network-based DoS and DDoS attacks
Create and maintain updated documentation of the incident handling process

DoS Response Strategies

Absorbing the attack
Using additional capacity to absorb the attack; this requires preplanning and additional resources

Degrading services
Identifying critical services and stopping non-critical services

Shutting down the services
Shut down all the services until the attack has subsided

Preventing a DoS Incident

The network perimeter should be configured so that it denies all incoming and outgoing traffic/services that are not required

A DoS attack can be prevented:

By blocking the Echo service, which is used for DoS attacks
Through filtering and blocking at the entrance and exit ports
By blocking traffic from unassigned IP address ranges
By following the firewall rules and router access control lists to block traffic properly
By configuring the border routers so that directed broadcasts are not forwarded
By limiting incoming and outgoing ICMP traffic to the necessary types and codes
By blocking outgoing connections to common IRC, peer-to-peer service, and instant messaging ports if the usage of such services is not permitted

Preventing a DoS Incident (contd)

Restricting certain protocols, such as ICMP, to consume only a pre-determined percentage of the total bandwidth
Implement redundancy for key functions
Make sure that networks or systems are not running at threshold capacity, since that would make it easy for a minor DoS attack to take up the remaining resources
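The perimeter rules on these two slides can be written down as an ordered, default-deny policy. The Python model below is an added example, not code from the EC-Council module or from any firewall product: it evaluates constructed packets against a policy that drops unassigned and private source ranges, refuses directed broadcasts, blocks the Echo service, limits ICMP to the necessary types and codes per direction, admits only published inbound services, and blocks outbound IRC, peer-to-peer and instant messaging ports. The network 198.51.100.0/24, the published ports, the ICMP type/code sets and the blocked port numbers are assumptions chosen for the example; in a real deployment they would be the organization's own values, loaded into a router ACL or packet filter rather than evaluated in Python.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OUR_NETWORK = ip_network("198.51.100.0/24")     # constructed: the organization's public range
UNASSIGNED_SOURCES = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# ICMP (type, code) pairs the perimeter actually needs, by direction (assumed set).
ICMP_IN = {(0, 0), (3, 4), (11, 0)}    # echo reply, fragmentation needed (PMTUD), TTL exceeded
ICMP_OUT = {(8, 0), (3, 4)}            # echo request, fragmentation needed
PUBLISHED_TCP = {25, 80, 443}          # the only inbound services we offer (assumed)
ECHO_PORT = 7                          # Echo service (RFC 862)
# Outbound ports for IRC, BitTorrent and instant messaging, blocked when policy forbids them.
BLOCKED_OUTBOUND_TCP = {6667, 6697, 6881, 6882, 6889, 5190, 5222}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


def evaluate(pkt):
    """Return ("allow" | "deny", reason). Rules are checked in order and the last rule
    denies anything not explicitly required, as the slide prescribes."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    inbound = dst in OUR_NETWORK and src not in OUR_NETWORK
    # 1. Anti-spoofing: unassigned or private source ranges never arrive from outside
    if inbound and any(src in net for net in UNASSIGNED_SOURCES):
        return "deny", "unassigned or private source range"
    # 2. Directed broadcasts aimed at our network are not forwarded (amplification)
    if inbound and dst == OUR_NETWORK.broadcast_address:
        return "deny", "directed broadcast"
    # 3. The Echo service is blocked in both directions
    if pkt.proto in ("tcp", "udp") and pkt.dport == ECHO_PORT:
        return "deny", "echo service"
    # 4. ICMP restricted to the necessary types and codes for each direction
    if pkt.proto == "icmp":
        allowed = ICMP_IN if inbound else ICMP_OUT
        if (pkt.icmp_type, pkt.icmp_code) in allowed:
            return "allow", "required icmp type/code"
        return "deny", "icmp type/code not required"
    # 5. Inbound: only the published services
    if inbound:
        if pkt.proto == "tcp" and pkt.dport in PUBLISHED_TCP:
            return "allow", "published service"
        return "deny", "service not published"
    # 6. Outbound: IRC, peer-to-peer and IM ports blocked by policy, everything else allowed
    if pkt.proto == "tcp" and pkt.dport in BLOCKED_OUTBOUND_TCP:
        return "deny", "irc/p2p/im not permitted"
    return "allow", "permitted outbound traffic"


SAMPLE_PACKETS = [  # constructed traffic mix
    Packet("203.0.113.9", "198.51.100.10", "tcp", 443),                          # customer HTTPS
    Packet("192.168.1.5", "198.51.100.10", "tcp", 443),                          # spoofed private source
    Packet("203.0.113.9", "198.51.100.255", "icmp", icmp_type=8, icmp_code=0),   # directed broadcast ping
    Packet("203.0.113.9", "198.51.100.10", "udp", 7),                            # echo service
    Packet("203.0.113.9", "198.51.100.10", "icmp", icmp_type=3, icmp_code=4),    # PMTUD, needed
    Packet("203.0.113.9", "198.51.100.10", "tcp", 23),                           # telnet, not published
    Packet("198.51.100.20", "203.0.113.9", "tcp", 6667),                         # outbound IRC
    Packet("198.51.100.20", "203.0.113.9", "tcp", 443),                          # outbound HTTPS
]


def audit(packets):
    """Apply the policy to each packet and return the list of (verdict, reason)."""
    return [evaluate(p) for p in packets]
```

Rule order matters: the anti-spoofing and directed-broadcast checks run before any service is considered, so a spoofed packet is never matched by a permissive service rule further down. The per-direction ICMP sets keep path MTU discovery working while dropping echo requests from outside, which is the "necessary types and codes" trade-off the slide refers to.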

Following the Containment Strategy to Stop DoS

The exploited vulnerability or weakness should be corrected
Implement the filters after determining the method of attack
Implement the ISP filtering
Reposition the attacked host
Attack the attackers

Following the Containment Strategy to Stop DoS (contd)

Configure router and firewall rules
Establish a well-documented method for seeking assistance from ISPs and second-tier providers in responding to network-based DoS attacks
Configure security software such as IPS and IDS to detect DoS attacks
Monitor network traffic using tools such as EtherApe, SolarWinds, and Nagios
Restrict all incoming and outgoing traffic that is not required
Prepare a containment strategy which includes several solutions in sequence

Handling Unauthorized Access Incidents


Unauthorized Access Incident

Unauthorized access is a condition where a person gains access to system and network resources which he/she was not authorized to have

Examples of unauthorized access incidents:

Performing a remote root compromise of the email server
Changing the web server contents
Guessing or cracking application passwords
Copying sensitive data without authorization
Installing and running a packet sniffer on a workstation
Using the FTP server to distribute pirated software and music files
Gaining internal network access by dialing an unsecured modem
Accessing a workstation using a false ID

Detecting Unauthorized Access Incident

Indications of root compromise in a host:
Suspicious tools or exploits are found
Strange network traffic
System configuration changes, including:
  Modifications or additions of services
  Unexpected open ports
  Network interface card set to promiscuous mode
  Sudden system shutdowns and restarts
  Changes in log and audit policies
  Creation of new administrative-level user accounts or groups

Detecting Unauthorized Access Incident (contd)

Indications of root compromise in a host (contd):
Changes in significant files such as OS files and system libraries
Usage of a secret account
Increase in the usage of resources
User reports of system unavailability
Alerts from network and host intrusion detection systems
Creation of new files or directories with unusual names
Log messages of the operating system and applications
Attackers informing of having compromised a host
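Two of the indications above (changes in significant files such as OS files and system libraries, and creation of new administrative-level accounts or groups) are found by comparing the current state against a trusted baseline. The Python example below is added here and is not part of the EC-Council module: it hashes every file under a directory with SHA-256, reports modified, added and removed files, and diffs the membership of administrative groups between two /etc/group-style snapshots. The directory contents, the group file lines and the `ADMIN_GROUPS` set are constructed for the example; a real deployment stores the baseline off-host so an intruder cannot rewrite it along with the files.

```python
import hashlib
import os
import tempfile

ADMIN_GROUPS = {"root", "wheel", "sudo", "adm"}   # membership implies administrative rights (assumed set)


def hash_tree(root):
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(baseline, current):
    """Classify files as modified, added or removed relative to the trusted baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def admin_members(group_text):
    """Parse /etc/group-style lines and return {group: members} for administrative groups."""
    members = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, users = line.split(":", 3)
        if name in ADMIN_GROUPS:
            members[name] = {u for u in users.split(",") if u}
    return members


def new_admin_members(baseline_text, current_text):
    """Return {group: newly added members} for administrative groups, including a group
    that did not exist in the baseline at all."""
    before, after = admin_members(baseline_text), admin_members(current_text)
    changes = {}
    for group, users in after.items():
        gained = users - before.get(group, set())
        if gained:
            changes[group] = gained
    return changes


def demo():
    """Constructed scenario: baseline a small tree and a group file, then tamper with both."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "libc.so.6"), "wb") as fh:
            fh.write(b"original library")
        with open(os.path.join(root, "sshd"), "wb") as fh:
            fh.write(b"original daemon")
        baseline = hash_tree(root)
        # Changes a root compromise would leave behind: a replaced library,
        # an unexpected new binary and a deleted daemon.
        with open(os.path.join(root, "lib", "libc.so.6"), "wb") as fh:
            fh.write(b"replaced library")
        with open(os.path.join(root, "ps"), "wb") as fh:
            fh.write(b"unexpected binary")
        os.remove(os.path.join(root, "sshd"))
        file_changes = compare_trees(baseline, hash_tree(root))
    group_before = "root:x:0:\nsudo:x:27:alice\nusers:x:100:alice,bob\n"
    group_after = "root:x:0:\nsudo:x:27:alice,bob\nusers:x:100:alice,bob\nwheel:x:10:svc_backup\n"
    return file_changes, new_admin_members(group_before, group_after)


if __name__ == "__main__":
    files, admins = demo()
    print("file changes:", files)
    print("new administrative members:", admins)
```

The comparison is only as trustworthy as the baseline, so it must be taken from a known-good build and the digests kept where the compromised host cannot alter them; the same applies to the group file snapshot, which an intruder with root can edit as easily as the binaries.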

Detecting Unauthorized Access Incident (contd)

Unauthorized data modification:
Alerts from network and host IDS
Increase in the usage of resources
Reports from users regarding unexpected data modifications
Changes in critical files
Creation of new files or directories with unusual names

Unauthorized usage of a standard user account:
Unauthorized access attempts to important files
Usage of a secret account
Log entries of the web proxy which show the downloading of the attacker's tools

Detecting Unauthorized Access Incident (contd)

Physical intruder:
Reports from users regarding network or system unavailability
System status changes
Misplaced hardware parts
Unauthorized hardware found

Unauthorized data access:
IDS, IPS, and firewall alerts for data access through FTP, HTTP, and other protocols
Log entries showing access attempts to critical files

Incident Handling Preparation

1. Configure network-based and host-based IDPS to identify and alert on any attempt to gain unauthorized access
2. Use centralized log servers so that the important information from hosts across the organization is stored in a particular safe location
3. A well-documented password policy should be created for all users of applications, systems, trust domains, or the organization
4. Make system administrators aware of their responsibilities in handling unauthorized access incidents

Incident Prevention

Network Security
Design the network in such a way that it blocks suspicious traffic
Properly secure all remote access methods, including modems and VPNs
Move all publicly accessible systems and services to a secured Demilitarized Zone (DMZ)
Use private IP addresses for all hosts located on internal networks

Incident Prevention
Host Security
Perform regular vulnerability assessments to identify serious risks and mitigate them to an acceptable level
Disable all unwanted services on hosts
Run services with the least privileges possible to reduce the immediate impact of successful exploits
Use host-based/personal firewall software to limit the individual host's exposure to attacks
Limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens automatically and asking users to log off before leaving the office
Regularly verify the permission settings for critical resources, including password files, sensitive databases, and public web pages

Incident Prevention (contd)

Authentication and Authorization

Prepare the appropriate password policy
Strong authentication should be required for accessing critical resources
Create authentication and authorization standards for employees and contractors to follow when evaluating or developing software
Establish procedures for provisioning and de-provisioning user accounts

Incident Prevention (contd)

Physical Security
Restrict access to critical resources by
im plem enting physical security m easures


Following the Containment Strategy to Stop Unauthorized Access

Isolate the affected systems
Disable the affected service
Eliminate the attacker's route into the network
Disable user accounts that may have been used in the attack
Enhance physical security measures

Eradication and Recovery

Eradicate the incident:
Identify and mitigate all vulnerabilities that were exploited
Patch the systems
Remove components of the incident from systems

Recover from the incident:
Return affected systems to an operations-ready state
Confirm that the affected systems are functioning normally
Implement additional monitoring to look for related activity in future
Formulate and regularly update security policies

Recommendations
Install an IDS to alert on attempts at unauthorized access
Configure centralized logging for all users
Establish a password security policy such that users change their passwords regularly
Design the network in such a way that it blocks suspicious traffic
Secure all remote access methods, including VPNs
Use a DMZ to host publicly accessed systems and services

Recommendations (contd)

Disable unwanted services
Install host-based firewall software to limit the individual host's exposure to attacks
Create and implement a password policy
Provide the details of the management change to the IRT
Select mitigation strategies considering both short- and long-term business objectives
Restore or reinstall systems that appear to have suffered a root compromise

Handling Inappropriate Usage Incidents


Inappropriate Usage Incidents

An inappropriate usage incident occurs when a user performs actions that violate the acceptable computing use policies

Examples:

Installing password cracking tools
Downloading pornographic material
Sending spam mails which promote a personal business
Sending emails to colleagues which irritate them
Hosting unauthorized websites on the company's computer
Using sharing services to distribute or acquire pirated materials
Sending critical data outside the company

Inappropriate Usage Incidents (contd)

Inappropriate usage incidents directed at outside parties may cause more loss to organizations in the form of damage to reputation and legal liabilities

Examples:

An internal user changing the content of another organization's public website
An internal user purchasing items from online retailers by using stolen credit card numbers
Sending email to a third party with a spoofed source email address from the company
Performing a DoS attack against another organization using the company's resources

Detecting the Inappropriate Usage Incidents

Unauthorized service usage:
Alerts from the intrusion detection system
Unusual network traffic
Installation of new processes and software running on a host
Creation of new files or directories with abnormal names
Increase in resource utilization
User reports
Application log entries

Access to inappropriate materials:
Alerts from the intrusion detection system
User reports
Application log entries
Inappropriate files on computers, servers, and removable media

Attack against an external party:
Alerts from the intrusion detection system
Reports from the outside party
Log entries of network, host, and application

Incident Handling Preparation

Formulate security policies in coordination with the human resources and legal department representatives to handle inappropriate usage incidents
Discuss with the members of the organization's physical security team regarding internal users' behavior
Meet with the concerned person of the legal department regarding liability issues, particularly for those types of incidents that are targeted at outside parties

Incident Handling Preparation

Install IDS, email content filtering software, anti-virus, and security control tools to identify certain types of activity, including:

Using unauthorized services like peer-to-peer file and music sharing
Spam
Files with suspicious file extensions
Reconnaissance activity
Outbound attacks

Register the log of user activities such as FTP commands, web requests, and email headers

Incident Prevention
Install firewall and intrusion detection and prevention systems to block the use of services which violate the organization's policy
Configure the email servers in such a way that they cannot be used for sending spam
Install spam filter software
Filter URLs to prevent access to inappropriate websites
Implement outbound connections that use encrypted protocols such as HTTP Secure, Secure Shell, and the IP Security protocol
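Configuring the email server so that it cannot be used for sending spam comes down to a relay decision made for every SMTP transaction. The Python example below is added here and is not from the EC-Council module or from any mail server: it models that decision for constructed transactions, accepting mail for local recipients from anyone, permitting relay to outside domains only for authenticated or internal clients, and refusing sender addresses that would let an internal user forge a third party's domain or let an outside host claim the company's own (the spoofed-source case on the previous slides). The domain example.com, the internal networks and the sample client addresses are assumptions; production servers express the same policy through their relay and sender restriction settings rather than in application code.

```python
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}                  # constructed: domains this server accepts mail for
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def relay_decision(client_ip, authenticated, mail_from, rcpt_to):
    """Return (accepted, reason) for one SMTP transaction.

    Mail for local recipients is accepted from anywhere. Mail for outside recipients
    (relaying) is accepted only from authenticated or internal clients, and only with a
    sender address in our own domains, so the server cannot be used to send spam or to
    forge a third party's address. Outside clients claiming our own domain are refused.
    """
    client = ip_address(client_ip)
    internal = any(client in net for net in INTERNAL_NETS)
    trusted = authenticated or internal
    sender_domain, rcpt_domain = _domain(mail_from), _domain(rcpt_to)
    if rcpt_domain in LOCAL_DOMAINS:
        if sender_domain in LOCAL_DOMAINS and not trusted:
            return False, "outside client using a local sender address"
        return True, "local recipient"
    if not trusted:
        return False, "relay denied: client neither authenticated nor internal"
    if sender_domain not in LOCAL_DOMAINS:
        return False, "relay denied: sender address is not in a local domain"
    return True, "relay for authorized client"


# Constructed transactions: (client_ip, authenticated, MAIL FROM, RCPT TO)
SAMPLE_TRANSACTIONS = [
    ("203.0.113.5", False, "partner@other.example", "alice@example.com"),    # inbound mail
    ("203.0.113.5", False, "bulk@other.example", "victim@third.example"),    # open-relay attempt
    ("192.168.1.20", False, "alice@example.com", "friend@third.example"),    # internal user sending out
    ("192.168.1.20", False, "ceo@bank.example", "victim@third.example"),     # internal host forging a 3rd party
    ("203.0.113.9", False, "ceo@example.com", "bob@example.com"),            # outside host claiming our domain
    ("198.51.100.7", True, "alice@example.com", "friend@third.example"),     # authenticated roaming user
]


def audit(transactions):
    """Evaluate each transaction and return a list of (mail_from, rcpt_to, accepted, reason)."""
    return [(mf, rt) + relay_decision(ip, auth, mf, rt) for ip, auth, mf, rt in transactions]
```

The fourth transaction is the one most relay configurations miss: the client is internal and would be allowed to relay, but the sender address belongs to someone else's domain, which is exactly how an internal host ends up sending forged mail to third parties. Logging every refusal with its reason also gives the handler the "log entries of application" indication listed on the detection slide.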

Recommendations
Meet with the human resources and legal departments' representatives to discuss the handling of inappropriate usage incidents
Meet with the representative of the organization's legal department to discuss liability issues
Install IDS to detect certain types of inappropriate usage
Register the log of the users' activity
Filter the email server to prevent relaying of unauthorized mail
Use spam filter software to filter the spam on the email server
Install URL filtering software

Handling Multiple Com ponent Incidents


Multiple Component Incidents

Multiple component incidents consist of a combination of two or more attacks in a system

Examples of a multiple component incident are:

Malicious code attacks using emails
Additional workstations and servers get infected by the attacker using that malicious code
These workstations can be used by the attacker as hosts to launch a DDoS attack against another organization


Preparation for Multiple Component Incidents

It is difficult to analyze multiple component incidents, since the incident handler may not be aware that the incident is composed of several stages
Ask the incident handling team to review scenarios involving multiple component incidents
Centralized logging and IDS software should be used to analyze the incident
When all the precursors and indications are accessible from a single point, the incident handler must consider whether the incident consists of multiple components
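Centralized logging only helps if the events from the different sources are actually correlated, so that the handler can see an anti-virus alert, an IDS alert and a traffic anomaly on the same hosts as stages of one incident. The Python example below is added here and is not part of the EC-Council module: it clusters events per host inside a time window, merges clusters when an event on one host names another clustered host as its peer (the scan-then-infection link in the sample), and labels each resulting incident with its components so that multi-component incidents stand out. The event format, the `COMPONENT_OF` mapping, the 30-minute window and the six `SAMPLE_EVENTS` (hosts ws-17, ws-18 and srv-db) are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# How each event kind maps to an incident component; unknown kinds keep their own name.
COMPONENT_OF = {
    "av_alert": "malicious code",
    "ids_scan": "internal reconnaissance",
    "flow_outbound_flood": "outbound attack against external party",
    "login_failure_burst": "unauthorized access attempt",
}


def load(raw):
    """Turn (timestamp, source, host, kind, peer) tuples into event dicts with parsed times."""
    return [{"time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%S"),
             "source": s, "host": h, "kind": k, "peer": p} for t, s, h, k, p in raw]


def cluster_by_host(events, window):
    """Group each host's events, splitting whenever consecutive events are more than `window` apart."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    clusters = []
    for evs in by_host.values():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["time"] - current[-1]["time"] > window:
                clusters.append(current)
                current = [ev]
            else:
                current.append(ev)
        clusters.append(current)
    return clusters


def linked(a, b, window):
    """True if an event in one cluster names a host of the other as its peer within `window`
    (for example a scan from one workstation followed by an alert on the scanned host)."""
    for x, y in ((a, b), (b, a)):
        hosts_y = {e["host"] for e in y}
        for ev in x:
            if ev["peer"] in hosts_y and any(abs(ev["time"] - e["time"]) <= window for e in y):
                return True
    return False


def merge_linked(clusters, window):
    """Repeatedly merge linked clusters until no pair is linked; merged clusters stay time-ordered."""
    merged = [list(c) for c in clusters]
    changed = True
    while changed:
        changed = False
        for i in range(len(merged)):
            for j in range(i + 1, len(merged)):
                if linked(merged[i], merged[j], window):
                    merged[i] = sorted(merged[i] + merged.pop(j), key=lambda e: e["time"])
                    changed = True
                    break
            if changed:
                break
    return merged


def build_incidents(events, window_minutes=30):
    """Correlate events from all sources into incidents and flag those with several components."""
    window = timedelta(minutes=window_minutes)
    incidents = []
    for group in merge_linked(cluster_by_host(events, window), window):
        components = sorted({COMPONENT_OF.get(e["kind"], e["kind"]) for e in group})
        incidents.append({
            "hosts": sorted({e["host"] for e in group}),
            "sources": sorted({e["source"] for e in group}),
            "components": components,
            "start": group[0]["time"],
            "end": group[-1]["time"],
            "multi_component": len(components) > 1,
        })
    return sorted(incidents, key=lambda i: i["start"])


# Constructed events from three log sources on one morning, plus one unrelated event later.
SAMPLE_EVENTS = load([
    ("2009-04-22T09:00:05", "antivirus", "ws-17", "av_alert", None),                  # malware via email
    ("2009-04-22T09:04:40", "nids", "ws-17", "ids_scan", "ws-18"),                     # ws-17 probes ws-18
    ("2009-04-22T09:06:10", "antivirus", "ws-18", "av_alert", None),                   # same malware on ws-18
    ("2009-04-22T09:20:00", "netflow", "ws-17", "flow_outbound_flood", "203.0.113.50"),
    ("2009-04-22T09:21:30", "netflow", "ws-18", "flow_outbound_flood", "203.0.113.50"),
    ("2009-04-22T14:30:00", "authlog", "srv-db", "login_failure_burst", None),         # unrelated
])

if __name__ == "__main__":
    for inc in build_incidents(SAMPLE_EVENTS):
        label = "multi-component" if inc["multi_component"] else "single"
        print(inc["start"], inc["hosts"], label, inc["components"])
```

Running the block yields two incidents: one spanning ws-17 and ws-18 with three components (malicious code, internal reconnaissance, outbound attack) drawn from three log sources, and one single-component authentication burst on srv-db hours later. The merge step is what makes the flood traffic from ws-18 part of the same incident as the original email-borne infection, which is the chain described on the Multiple Component Incidents slide; without it each host's events would be handled as separate incidents.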

Following the Containment Strategy to Stop Multiple Component Incidents

Any incident can turn out to be a multiple component incident; hence the incident handler should not stop after getting signs of a particular incident
Discovering and containing all components of an incident requires extra time and effort
Good and experienced handlers can guess whether an incident has other components

Recommendations
Use the centralized logging and event correlation software
Search for the signs of other components after controlling the incident
Separately prioritize the handling of each incident component

Network Traffic Monitoring Tools


ntop
http://www.ntop.org/

ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does

Features:

Sort network traffic according to many protocols
Show network traffic sorted according to various criteria
Display traffic statistics
Store persistent traffic statistics on disk in RRD format
Identify the identity (e.g. email address) of computer users
Passively (i.e. without sending probe packets) identify the host OS
Show IP traffic distribution among the various protocols

ntop: Screenshot


EtherApe
http://etherape.sourceforge.net/

EtherApe is a graphical network monitor for Unix that displays network activity graphically
It can filter the traffic to be shown and can read traffic from a file as well as live from the network

Features:

Data display can be refined using a network filter
Name resolution is done using standard libc functions
Protocol summary dialog shows global traffic statistics by protocol
Live data can be read from Ethernet, FDDI, PPP, and SLIP interfaces
Clicking on a node/link opens a detail dialog showing protocol breakdown and other traffic statistics

EtherApe: Screenshot


Ngrep
http://ngrep.sourceforge.net/

ngrep is a pcap-aware tool that allows you to specify extended regular or hexadecimal expressions to match against the data payloads of packets
It is used to debug plaintext protocol interactions such as HTTP, SMTP, FTP, etc., to identify and analyze anomalous network communications
It is also used for the more mundane plaintext credential collection, as with HTTP Basic Authentication, FTP, or POP3 authentication

SolarWinds: Orion NetFlow Traffic Analyzer
http://www.solarwinds.com/
Orion NetFlow Traffic Analyzer (NTA) analyzes NetFlow, J-Flow, and sFlow data and performs CBQoS monitoring to deliver a complete picture of network traffic
It enables you to quantify exactly how your network is being used, by whom, and for what purpose
Features:
Quickly and easily identifies which users, applications, and protocols are consuming the most network bandwidth
Monitors network traffic by capturing flow data from network devices
Performs Class-Based Quality of Service (CBQoS) monitoring to ensure that your traffic prioritization policies are effective
Enables you to quickly drill down into traffic on specific network elements
Generates network traffic reports

SolarWinds: Orion NetFlow Traffic Analyzer: Screenshot 1

SolarWinds: Orion NetFlow Traffic Analyzer: Screenshot 2

Nagios: op5 Monitor
http://www.op5.com/

op5 Monitor is an easy-to-use network monitoring system that finds and handles any problems that may arise in your IT environment
It creates a comprehensive, easy-to-understand overview that enables simple root cause analysis
It helps you identify the primary cause of potential problems in your network before major damage is done
It communicates with devices on the network and collects data about their operational status

Nagios: op5 Monitor (contd)

Features:
Capable of monitoring network devices, workstations, servers, services, and software applications
Automatic back-up and restore of specific configuration files
Enhanced security with SSL encryption and multi-user access capabilities
Monitor all layers of virtual environments from one tactical overview
Enables users to define exceptions in a given time period
Easy-to-use graphical user interface (GUI) for management and configuration
Notifications and escalations sent via email, SMS, and pager
Schedule functionality with automatic weekly and monthly email distribution in PDF format

op5 Monitor: Screenshot 1


op5 Monitor: Screenshot 2


CyberCop Scanner
http://www.nss.co.uk/

CyberCop Scanner is the network security assessment component that can scan devices on the network for more than 700 vulnerabilities
It can be configured to search for the vulnerabilities that are of particular concern in accordance with the corporate security policy
It is known as a sensor component because it is essentially concerned with monitoring and collecting data
It can run on either a Windows (NT or 2000) or Unix (Red Hat Linux) platform

CyberCop Scanner (contd)

Reporting and analysis:
Allows comparison of results for two hosts specified by IP address
Allows comparison of results for two scan sessions specified by date and time
Provides a graphical summary report with pie charts for different report categories (Complexity, Ease of Fix, Impact, Popularity, Risk Factor, Root Cause)
Displays results by the difficulty involved in exploiting a vulnerability (Low, Medium, High)
Displays results by the specific threat posed by a vulnerability (System Integrity, Confidentiality, Accountability, Data Integrity, Authorization, Availability, Intelligence)
Displays results by the likelihood that a vulnerability will be exploited (Obscure, Widespread, Popular)

CyberCop Scanner: Screenshot 1


CyberCop Scanner: Screenshot 2


Network Auditing Tools


Nessus
http://www.nessus.org/
The Nessus vulnerability scanner is an active scanner featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of your security posture
It can be distributed throughout an entire enterprise, inside DMZs, and across physically separate networks

Features:

Credentialed and un-credentialed port scanning
Network-based vulnerability scanning
Credentialed patch audits for Windows and most UNIX platforms
Credentialed configuration auditing of most Windows and UNIX platforms
Custom and embedded web application vulnerability testing

Nessus: Screenshot


Security Administrator's Integrated Network Tool (SAINT)
http://www.saintcorporation.com/

SAINT is a vulnerability scanner that scans the network to detect anything that could allow an attacker to gain unauthorized access, create a denial of service, or gain sensitive information about the network
The SAINT vulnerability scanner can:
Detect and fix possible weaknesses in your network's security before they can be exploited by intruders
Anticipate and prevent common system vulnerabilities
Demonstrate compliance with current government regulations such as FISMA, SOX, GLBA, HIPAA, and COPPA, and with industry regulations such as PCI DSS

Security Administrator's Integrated Network Tool (SAINT)
Features:
Lets you exploit vulnerabilities found by the scanner with the integrated penetration testing tool, SAINTexploit
Shows you how to fix the vulnerabilities, and where to begin remediation efforts with the exploitable vulnerabilities
Lets you scan and exploit both IPv4 and IPv6 addresses
Shows you if the network is compliant with PCI security standards
Allows you to design and generate vulnerability assessment reports quickly and easily
Shows you if your network security is improving over time by using the trend analysis report
Provides automatic updates at least every two weeks, or sooner for a critical vulnerability announcement

SAINT: Screenshot


Security Auditor's Research Assistant (SARA)
http://www-arc.com/

Security Auditor's Research Assistant (SARA) is a third generation network security analysis tool
Features:
Operates under Unix, Linux, Mac OS X, or Windows (through coLinux) OS
Integrates the National Vulnerability Database (NVD)
Performs SQL injection tests
Performs exhaustive XSS tests
CVE standards support
Supports remote self scan and API facilities

SARA: Screenshot


Nmap
http://nmap.org/

Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing
It rapidly scans large networks and runs on all major computer operating systems
It uses raw IP packets in novel ways to determine:

What hosts are available on the network
What services (application name and version) those hosts are offering
What operating systems (and OS versions) they are running
What type of packet filters/firewalls are in use

Nm ap: Screenshot


Netcat
http://netcat.sourceforge.net/

Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts

Features:
Outbound and inbound connections, TCP or UDP, to or from any ports
Featured tunneling mode which also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters
Built-in port-scanning capabilities with randomizer

Wireshark
http://www.wireshark.org/

Wireshark is a network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions

Features:

Deep inspection of hundreds of protocols, with more being added all the time
Live capture and offline analysis
Standard three-pane packet browser
Multi-platform
Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
Read/write many different capture file formats
Capture files compressed with gzip can be decompressed on the fly
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2

Wireshark: Screenshot


Argus - Audit Record Generation and Utilization System
http://www.qosient.com/argus/
Argus, the network Audit Record Generation and Ut­ilization System, supports network operations, performance, and security management
It processes packets (either capture files or live packet data) and generates detailed status reports of the 'flows' that it detects in the packet stream
For many sites, it is used to establish network activity audits that are then used to supplement traditional IDS-based network security
The Argus audit data is used for network forensics, non-repudiation, and network asset and service inventory

Snort
http://www.snort.org/

Snort is an open source network intrusion prevention and detection system (IDS/IPS)
It uses a rule-driven language which combines the benefits of signature, protocol, and anomaly-based inspection methods
It is capable of performing real-time traffic analysis and packet logging on IP networks
It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes

Snort: Screenshot


Network Protection Tools


Iptables
http://www.netfilter.org/
iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset
The iptables package includes ip6tables, which is used for configuring the IPv6 packet filter
It requires a kernel that features the ip_tables packet filter

Features:
Listing the contents of the packet filter ruleset
Adding/removing/modifying rules in the packet filter ruleset
Listing/zeroing per-rule counters of the packet filter ruleset

Proventia Network Intrusion Prevention System (IPS)
http://www.ibm.com/

IBM Proventia Network Intrusion Prevention System (IPS) stops Internet threats before they impact your business and delivers protection to all three layers of the network: core, perimeter and remote segments

The IBM Proventia Network Intrusion Prevention System (IPS) delivers network protection that is designed to:
Stop threats before impact without sacrificing high-speed network performance
Provide a platform for security convergence that helps reduce the cost of deploying and managing point solutions
Protect networks, servers, desktops and revenue-generating applications from malicious threats
Conserve network bandwidth and prevent network misuse/abuse from instant messaging and peer-to-peer file sharing
Prevent data loss and aid compliance efforts

IPS: Screenshot


NetDetector
http://www.niksun.com/

NetDetector is a full-featured appliance for network security surveillance, signature-based anomaly detection, analytics and forensics
It acts as a security camera and motion detector for your network by continuously capturing and warehousing network traffic (both packets and statistics)

Features:
Continuous, in-depth real-time surveillance
Capture network events the first time and store events for post-event analysis
Signature and statistical anomaly detection
Superior drill-down forensic analysis down to packet level
Advanced reconstruction of web, email, instant messaging, FTP, Telnet, VoIP and other TCP/IP applications

TigerGuard
http://www.tigertools.net/

TigerGuard is designed to centrally manage events and logs, alerts from IDS devices, monitor network and wireless traffic, and perform discovery, vulnerability assessments, event logging, and compliance reporting

Features:
Sensor console
Firewall console
Network console
WiFi console
Event console

TigerGuard: Screenshot 1


TigerGuard: Screenshot 2


Summary
A Denial-of-Service (DoS) attack prevents authorized users from accessing networks, systems, or applications by exhausting the network resources
A Distributed Denial-of-Service (DDoS) attack is a DoS attack in which a large number of compromised systems, known as a botnet, attack a single target to cause a Denial-of-Service for the users of the targeted system
Unauthorized Access is a condition where a person gains access to system and network resources which he/she was not authorized to have
An inappropriate usage incident occurs when a user performs actions that violate the acceptable computing use policies
A multiple component incident is a single incident that encompasses two or more incidents

EC-Council Certified
Incident Handler
Version 1

Module VI
Handling Malicious Code Incidents

News: Malicious Program Targets Macs
(CNN) -- Mac computers are known for their near-immunity to malicious computer programs that plague PCs.
But that may be changing somewhat, according to computer security researchers. It seems that as sleek Mac computers become more popular, they're also more sought-after targets for the authors of harmful programs.
"The bad guys generally go toward the biggest target, what will get them the biggest bang for their buck," said Kevin Haley, a director of security response at Symantec.
Until recently, the big target always was Microsoft Windows, and Apple computers were protected by "relative obscurity," he said.
But blogs are buzzing this week about what two Symantec researchers have called the first harmful computer program to strike specifically at Mac.
This Trojan horse program, dubbed the "iBotnet," has infected only a few thousand Mac machines, but it represents a step in the evolution of malicious computer software, Haley said.
The iBotnet is a sign that harmful programs are moving toward Mac, said Paul Henry, a forensics and security analyst at Lumension Security in Arizona.
"We all knew it was going to happen," he said. "It was just a matter of time, and, personally, I think we're going to see a lot more of it."
The malicious software was first reported in January. It didn't gain widespread attention until recently, when Mario Ballano Barcena and Alfredo Pesoli of Symantec, maker of the popular Norton antivirus products, detailed the software in a publication called "Virus Bulletin."

Source: http://www.cnn.com

News: Handling Malicious Hackers and Assessing Risk in Real Time
Imagine this
A hacker creates a look-alike website of a well-known bank. He sends across e-mails to customers requesting for confidential information claiming the bank's website is undergoing a revamp or reconstruction. The information sought is confidential customer data. The e-mail has a link embedded in it, which, by default, directs the customer to the fake site that the hacker has created. The customer, thinking it to be a genuine communication from the bank, provides the details, which the hacker saves and later uses for fraudulent transactions such as money transfers or procuring critical passwords.
Not a Secure Situation to be in
The rapid growth of online commerce has brought increasing sophistication to Internet fraud. Frauds are executed across multiple access channels. Threats from Phishing (criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication), Pharming (a hacker's attack aiming to redirect a website's traffic to another bogus website), Trojans (a type of malicious software), Key Logging (used to retrieve online password entries), and Proxy Attacks, combined with regulations and mandates (HIPAA, PCI) governing online data piracy place online security at a premium. If you take a closer look at the illustration in the beginning of this article, you will realize that a simple login procedure makes it easy for a hacker to access online accounts and transactions. To thwart hackers, banks are adopting stringent levels of login procedures, which are more personalized and secure. Some of them include the introduction of additional levels of passwords, personalized background image for login, virtual keyboards, or even a virtual mouse among others.
Whatever you type on the physical keyboard can be tapped by hacking, through keylogging. Keylogging provides a means to obtain passwords or encryption keys by bypassing security measures. To prevent this, financial transaction sites are installing virtual keypads and virtual mouse. Instead of typing the password on the keyboard the normal way, as part of the login process the user will be able to use the cursor to select his or her password on the virtual keyboard. This process helps circumvent the key locking setup enforced by the hacker.

Source: http://businessmirror.com.ph

Module Objective

This module will familiarize you with:
Virus
Trojans and Spyware
Incident Handling Preparation
Incident Prevention
Detection and Analysis
Evidence Gathering and Handling
Eradication and Recovery
Recommendations

Module Flow
Virus
Trojans and Spyware
Incident Prevention
Incident Handling Preparation
Detection and Analysis
Evidence Gathering and Handling
Recommendations

Count of Malware Samples

Source: http://www.avertlabs.com

Virus
Computer viruses are malicious software programs that infect computers and corrupt or delete the data on them
Viruses spread through email attachments, instant messages, downloads from the Internet, contaminated media, etc.

Viruses are generally categorized as:
File infectors: Attach themselves to program files
System or boot-record infectors: Infect executable code found in certain system areas on a disk
Macro viruses: Infect documents of applications such as Microsoft Word

Worms
A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself
It takes advantage of file or information transport features on the system to travel independently
A worm spreads through the infected network automatically

Trojans and Spyware

Trojans:
A Trojan horse is a malicious, security-breaking program that is disguised as a useful program
Trojans are executable programs that are installed when a file is opened
Trojans get activated without the intervention of the user
Trojans do not spread themselves from one system to another
Trojans allow others to control a user's system

Spyware:
Spyware is software installed on the computer without the knowledge of the user
Spyware pretends to be a program that offers useful applications, but it actually acquires information from the computer and sends it to the attacker, who can access it remotely
Spyware is also known as adware

Incident Handling Preparation
1. Establish a malicious code security policy
2. Install antivirus software
3. Check all files and attachments from websites
4. Check all removable media such as USB drives, diskettes, etc.
5. Users must be aware of malicious code issues
6. Study the antivirus vendor bulletins
7. Install host-based intrusion detection systems on critical hosts
8. Collect malware incident analysis resources
9. Acquire malware incident mitigation software
10. Establish the procedure for reporting malicious code incidents

Incident Prevention
Use antivirus software
Designate a point of contact for reporting malicious code
Block the installation of spyware software
Remove suspicious files
Filter spam
Limit the use of unnecessary programs such as FTP
Alert users about handling email attachments
Close open Windows shares
Use the web browser's security settings to block malicious code
Prevent the open transmission of e-mail
Secure the e-mail clients

Detection of Malicious Code
Case 1. Host is infected by a virus delivered via e-mail

Signs of the presence of malicious code include:
Antivirus software detects the infected files
Increase in the number of e-mails sent and received
Change in the template of word processing documents
Deletion or corruption of files
System files become inaccessible
Unusual messages and graphics appear on screen
Some programs start and run slowly, or do not run at all
System becomes unstable or crashes
Indication of root compromise of a host if the virus achieves root-level access

Detection of Malicious Code (Contd)
Case 2. Host is infected by a worm that propagates through a vulnerable service

Signs of the presence of malicious code include:
Antivirus software detects the infected files
Failed connection attempts targeted at the vulnerable service
Increase in network usage
Programs start and run slowly, or do not run at all
System becomes unstable or crashes

Detection of Malicious Code (Contd)
Case 3. Trojan horse gets installed and runs on a host

Signs of the presence of malicious code include:
Antivirus software detects the Trojan horse versions of files
Network IDS alerts on the Trojan horse client-server communications
Firewall and router log entries for Trojan horse client-server communications
Network connections between the host and unknown remote systems
Unusual open ports
Unknown running processes
Programs start and run slowly, or do not run at all
System becomes unstable or crashes
Indication of root compromise of a host if the Trojan achieves root-level access
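The Case 2 (worm) and Case 3 (Trojan horse) indicators above, turned into checks run over constructed firewall log lines and a constructed host snapshot. This is an added example, not EC-Council material; the addresses (documentation ranges for the remote side), ports, process names, allow-list and baseline are all assumptions.

```python
from collections import defaultdict
import ipaddress

# Constructed firewall log: "timestamp action src dst proto dport" per line.
# 10.0.0.5 fails against port 445 on many hosts (worm probing, Case 2);
# 10.0.0.7 talks to an unknown remote system on an odd port (Case 3).
FIREWALL_LOG = """\
2009-04-22T10:00:01 ALLOW 10.0.0.5 10.0.0.20 TCP 445
2009-04-22T10:00:01 DENY 10.0.0.5 10.0.0.21 TCP 445
2009-04-22T10:00:01 DENY 10.0.0.5 10.0.0.22 TCP 445
2009-04-22T10:00:02 DENY 10.0.0.5 10.0.0.23 TCP 445
2009-04-22T10:00:02 DENY 10.0.0.5 10.0.0.24 TCP 445
2009-04-22T10:00:02 DENY 10.0.0.5 10.0.0.25 TCP 445
2009-04-22T10:00:03 ALLOW 10.0.0.7 203.0.113.9 TCP 6667
2009-04-22T10:00:04 ALLOW 10.0.0.7 203.0.113.9 TCP 6667
2009-04-22T10:00:05 ALLOW 10.0.0.8 198.51.100.4 TCP 443
2009-04-22T10:00:06 DENY 10.0.0.9 10.0.0.30 TCP 22
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")            # assumed internal range
KNOWN_EXTERNAL = {ipaddress.ip_address("198.51.100.4")}     # assumed allow-list

# Constructed baseline recorded during preparation, and a snapshot of the
# suspect host taken during the incident.
BASELINE_PORTS = {22, 80, 443}
BASELINE_PROCESSES = {"sshd", "httpd", "cron"}
SNAPSHOT_PORTS = [22, 80, 443, 5555]
SNAPSHOT_PROCESSES = ["sshd", "httpd", "cron", "kworkerd"]


def parse_log(text):
    """Parse the space-separated log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, proto, dport = line.split()
        events.append({"ts": ts, "action": action,
                       "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst),
                       "proto": proto, "dport": int(dport)})
    return events


def failed_connection_bursts(events, threshold=5):
    """Case 2: one source failing against the same port on many distinct
    hosts is the footprint of a worm probing for a vulnerable service."""
    targets = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            targets[(str(e["src"]), e["dport"])].add(e["dst"])
    return {src: (dport, len(dsts)) for (src, dport), dsts in targets.items()
            if len(dsts) >= threshold}


def unknown_remote_connections(events):
    """Case 3: allowed flows from an internal host to a remote system that is
    not on the allow-list are the firewall entries of a possible Trojan
    client-server channel."""
    flagged = defaultdict(set)
    for e in events:
        if (e["action"] == "ALLOW" and e["src"] in INTERNAL_NET
                and e["dst"] not in INTERNAL_NET
                and e["dst"] not in KNOWN_EXTERNAL):
            flagged[str(e["src"])].add((str(e["dst"]), e["dport"]))
    return {src: sorted(pairs) for src, pairs in flagged.items()}


def host_snapshot_anomalies(open_ports, processes, baseline_ports, baseline_procs):
    """Case 3: unusual open ports and unknown running processes, found by
    diffing the live snapshot against the prepared baseline."""
    return {"unusual_ports": sorted(set(open_ports) - set(baseline_ports)),
            "unknown_processes": sorted(set(processes) - set(baseline_procs))}


def run_checks():
    """Run all three checks and return their findings keyed by indicator."""
    events = parse_log(FIREWALL_LOG)
    return {"worm_probing": failed_connection_bursts(events),
            "trojan_channels": unknown_remote_connections(events),
            "host": host_snapshot_anomalies(SNAPSHOT_PORTS, SNAPSHOT_PROCESSES,
                                            BASELINE_PORTS, BASELINE_PROCESSES)}


if __name__ == "__main__":
    for indicator, finding in run_checks().items():
        print(indicator, finding)
```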


Detection of Malicious Code (Contd)
Case 4. Host infected with a virus, worm, or Trojan horse using malicious mobile code on a website
Strange dialog boxes appear requesting permission to run a program
Abnormal graphics appear, such as overlapping and overlaid message boxes

Case 5. Malicious mobile code on a website exploits vulnerabilities on a host
Strange dialog boxes appear requesting permission to run programs
Abnormal graphics appear, such as overlapping and overlaid message boxes
Increase in the number of emails being sent or received
Network connections between the host and unknown remote systems
Indication of root compromise of a host if the mobile code achieves root-level access

Detection of Malicious Code (Contd)
Case 6. The user receives a virus hoax message
The original source appears to be a government agency or an important official person
It does not link to outside sources
The message requires urgent action
It prompts the user to delete certain files or forward the message

Containment Strategy
Recognize and separate the infected hosts from the information system
Register unidentified malicious code with antivirus vendors
Configure email servers and clients to block emails
Block particular hosts
Shut down the email servers
Isolate networks from the Internet
Ensure users' participation
Disable services
Disable connectivity

Evidence Gathering and Handling

Forensic Identification
It is the practice of identifying the infected systems by looking for the evidence of the latest infection

Active Identification
This method is used to identify the hosts which are currently infected

Manual Identification
Labor intensive, but it is important as it provides appropriate identity of the infected hosts

Eradication and Recovery
Antivirus and antispyware software can identify infected files, but some of the infected files cannot be recovered
If the malicious code provides attackers with root-level access, then it becomes hard to determine what other actions the attackers have performed
In some cases, infected files are restored from a previous uninfected backup or rebuilt from scratch

Recommendations
Establish a malicious code security policy
Users must be aware of malicious code issues
Study antivirus bulletins
Install host-based intrusion detection systems on critical hosts
Use antivirus software, and keep it updated with the latest virus signatures
Configure software to block suspicious files
Close open Windows shares
Deal with malicious code incidents as quickly as possible

Antivirus Systems

Symantec: Norton AntiVirus 2009
http://www.symantec.com/

Symantec Norton AntiVirus 2009 protects computer systems from malicious programs such as viruses, worms, Trojans, spyware, etc.

Features:
Protects against viruses, spyware, Trojan horses, worms, bots, and rootkits
Pulse updates every 5 to 15 minutes or faster
Intelligence-driven technology for faster, fewer, shorter scans
Blocks browser, OS, and application threats; protects against infected Web sites
Protects against the latest threats with proactive multilayered protection system
Real-time SONAR technology detects emerging spyware and viruses before traditional definitions are available

Norton AntiVirus 2009: Screenshot

Kaspersky Anti-Virus 2010
http://www.kaspersky.com/

Kaspersky Anti-Virus 2010 offers real-time automated protection from a range of IT threats

Features:
Real-time scanning of files, web pages, and e-messages
Disabling of links to malicious websites
Blocking of suspicious programs based on their behavior
Protection from hijacking of your PC
Toolbar for Internet browsers to warn you about infected or unsafe websites
Urgent Detection System to stop fast emerging threats
Scan system and installed applications for vulnerabilities
Enter logins and passwords using secure Virtual Keyboard
Remove activity traces in your Internet browser (history, cookies, etc.)
Protection from identity theft by keyloggers and screen-capture malware

Kaspersky Anti-Virus 2010: Screenshot

AVG Anti-Virus
http://www.avg.com/

AVG Anti-Virus protects computer systems from malicious programs such as viruses, worms, Trojans, spyware, etc.

Features:
Anti-Virus: protection against viruses, worms, and Trojans
Anti-Spyware: protection against spyware, adware, and identity theft
Anti-Rootkit: protection against hidden threats (rootkits)
Web Shield and LinkScanner: protection against malicious websites
Real-time security while you surf and chat online

AVG Anti-virus: Screenshot


McAfee VirusScan Plus
http://home.mcafee.com/

McAfee VirusScan Plus offers essential PC security with accelerated performance

Features:
Anti-virus, anti-spyware, and SiteAdvisor protect you from malicious software
Firewall blocks outsiders from hacking into your PC
SiteAdvisor rates web site safety before you click with red, yellow or green colors
Online account management lets you easily add other PCs to your subscription
QuickClean safely removes junk files that slow your PC and take up space on your hard drive

McAfee VirusScan Plus: Screenshot

BitDefender Antivirus 2009
http://www.bitdefender.com/

BitDefender Antivirus 2009 provides advanced proactive protection against viruses, spyware, phishing attacks and identity theft

Features:
Scans all web, e-mail, and instant messaging traffic for viruses and spyware, in real-time
Protects against new virus outbreaks using advanced heuristics
Blocks attempted identity theft (phishing)
Prevents personal information from leaking via e-mail, web, or instant messaging
Reduces the system load and avoids requesting user interaction during games

BitDefender Antivirus 2009: Screenshot

F-Secure Anti-Virus 2009
http://www.f-secure.com/

F-Secure Anti-Virus 2009 provides advanced and affordable protection against viruses, spyware intrusions, and infected e-mail
Its automatic updates and DeepGuard 2.0 cloud computing technology provide protection against new threats

Features:
Protection against viruses, worms, rootkits and other malware
Real-time protection against spyware
Provides instant protection against new threats (DeepGuard 2.0)
Scans e-mail for viruses and malicious code
Automatic updates for both virus definitions and the software

F-Secure Anti-Virus 2009: Screenshot

Trend Micro AntiVirus plus AntiSpyware 2009
http://www.trendmicro.com/

Trend Micro AntiVirus plus AntiSpyware 2009 safeguards data and files from malicious activities

Features:
Protects against current and future viruses
Defends your personal information with anti-spyware technology
Provides real-time protection with automated computer scans
Prevents unauthorized changes
Cleans browser history, cookies and unnecessary files
Provides customizable security warnings
Quarantines suspicious files

Trend Micro AntiVirus plus AntiSpyware 2009: Screenshot

HijackThis
http://www.trendsecure.com/

HijackThis is a free utility which quickly scans systems running Windows OS to find settings that may have been changed by spyware, malware, or other unwanted programs
It creates a report with the results of the scan

Tripwire Enterprise
http://www.tripwire.com/

Tripwire Enterprise combines configuration assessment and change auditing in a single infrastructure management solution that delivers enterprise-wide control of physical and virtual configurations
It comes with policies that cover such diverse regulatory standards as Payment Card Industry (PCI) and Sarbanes-Oxley (SOX), as well as security standards like those from the National Institute of Standards and Technology (NIST)

Features:
Change auditing
Configuration assessment
Sample reports
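A file-integrity baseline and change audit of the kind the change auditing feature above performs, and that the file integrity checkers recommended for critical hosts in this module rely on. This is an added example, not Tripwire's code; the file tree and the changes made to it are constructed in a temporary directory so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Attributes recorded per file: content hash, size and permission bits."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": st.st_mode & 0o777}


def build_baseline(root) -> dict:
    """Snapshot every regular file below root, keyed by relative POSIX path.
    In practice the baseline is stored off the host it describes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline, naming the
    attribute that changed so a permission-only change is not missed."""
    report = {"added": [], "removed": [], "modified": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            changed = sorted(k for k in baseline[name]
                             if baseline[name][k] != current[name][k])
            if changed:
                report["modified"][name] = changed
    return report


def _write(root: Path, rel: str, data: bytes, mode: int = 0o644) -> None:
    """Create a file with explicit permissions (constructed test data)."""
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate the kinds
    of change an integrity checker should surface during an incident."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _write(root, "bin/login", b"ELF-original")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/old.conf", b"keep=yes\n")
        baseline = build_baseline(root)

        # Same size, different bytes: only the hash reveals a replaced binary.
        _write(root, "bin/login", b"ELF-trojaned")
        # Permission change with identical content.
        os.chmod(root / "etc/passwd", 0o666)
        (root / "etc/old.conf").unlink()
        _write(root, "tmp/dropped.bin", b"\x00\x01\x02")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```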

Tripwire Enterprise: Screenshot


Stinger
http://vil.nai.com/

Stinger is a stand-alone utility used to detect and remove specific viruses
It utilizes next generation scan engine technology, including process scanning, digitally signed DAT files, and scan performance optimizations

Summary
Computer viruses are software programs meant to infect computers and corrupt or delete data
A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself
Forensic identification is the practice of identifying infected systems by looking for evidence of recent infections
Antivirus and antispyware software can identify the infected files, but some of the infected files cannot be recovered
Deploy host-based intrusion detection and prevention systems, including file integrity checkers, to critical hosts

EC-Council Certified
Incident Handler
Version 1

Module VIII
Forensic Analysis and Incident Response

News: Microsoft Computer Online Forensic Evidence Extractor Free for Interpol
The Microsoft COFEE evidence extracting tool will be made available to Interpol for free, per an agreement between the Redmond company and the International Criminal Police Organization. The software giant announced that the Computer Online Forensic Evidence Extractor would be distributed by Interpol internationally, in no less than 187 markets worldwide.
The move is just one aspect of a broader Microsoft strategy designed to protect people both physically and virtually in collaboration with governments around the world. In this regard, the Redmond company used the Worldwide Public Safety Symposium to launch the Citizen Safety Architecture as well as to promise support for Interpol's Security Initiative (GSI).
"Given the direct correlation between the declining economy and the rise of public safety concerns, there is a pressing need for innovative, collaborative and integrated solutions, like Citizen Safety Architecture, that deliver to governments the tools they need to ensure the safety of their citizens," explained Tim Bloechl, managing director for worldwide public safety and national security at Microsoft.
The Citizen Safety Architecture has at its basis a variety of tools dedicated to not just cutting costs, but also boosting what Microsoft referred to as multiagency operational effectiveness, as well as streamlining collaboration and information sharing. The Redmond company indicated that the Citizen Safety Architecture was based on Microsoft Single View Platform (SVP), Microsoft FusionX, Eagle, Microsoft Intelligence Framework, the Microsoft Incident Response Platform and Global Security Operations Centers (GSOCs).
"Microsoft and INTERPOL recognize the strong synergies between Citizen Safety Architecture and GSI, and our pledge to develop a long-term relationship with organizations like INTERPOL supports the overall goal of Citizen Safety Architecture," Bloechl added.
In addition to the Citizen Safety Architecture framework, the software giant will also provide Interpol with COFEE, a tool designed to extract forensic evidence from live computer activity. In this manner, Interpol officers will be able to harvest and then use evidence that would otherwise not be available through traditional offline forensic analysis, Microsoft underlined.
Source: http://news.softpedia.com/

Module Objective

This module will familiarize you with:
Computer Forensics
Forensic Readiness
Types of Computer Forensics
Computer Forensics Process
Digital Evidence
Collecting Electronic Evidence
Forensic Policies
Forensic Analysis Guidelines

Module Flow
Computer Forensics
Forensics Preparedness
Computer Forensics Process
Types of Computer Forensics
Digital Evidence
Collecting Electronic Evidence
Forensic Analysis Guidelines
Forensic Policies

Computer Forensics

A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format
- Dr. H.B. Wolfe

Objectives of Forensic Analysis

To recover, analyze, and preserve computer and related materials in such a way that they can be presented as evidence in a court of law
To identify the evidence in a short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator

Role of Forensic Analysis in Incident Response
Forensic analysis helps in determining the exact cause of an incident
It helps in generating a timeline for the incident, which helps in correlating different incidents
Forensic analysis of the affected system helps in determining the nature of incidents and the impact of the incident
It helps in tracking the perpetrators of the crime or incident
It extracts, processes, and interprets the factual evidence so that it proves the attacker's actions in court
It saves the organization money and time by conducting a damage assessment of the victimized network
It also saves organizations from legal liabilities and lawsuits

Forensic Readiness
Forensic readiness may be defined as a state of incident response preparedness that enables an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation
It also minimizes the risk of internal threat and acts as a preemptive measure

Objectives:
Maximizing an environment's ability to collect credible digital evidence
Minimizing the cost of forensics during an incident response

Forensic Readiness and Business Continuity
Forensic readiness allows businesses to:
Quickly determine the incidents
Understand the relevant information
Minimize the required resources
Remove the threat of repeated incidents
Quickly recover from damage with less downtime

Lack of forensic readiness may result in:
Loss of clients, thereby damaging the organization's reputation
System downtime
Data manipulation, deletion, and theft

Types of Computer Forensics

Disk Forensics
It is the process of acquiring and analyzing the data stored on physical storage media

Network Forensics
It can be defined as sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate a network security incident

E-mail Forensics
It is the process of studying the source and content of an email

Internet (Web) Forensics
It is the application of scientific and legally sound methods for the investigation of Internet crimes

Source Code Forensics
It is the process of determining software ownership and copyright issues

Computer Forensic Investigator

A computer forensic investigator must have knowledge of general computer skills such as hardware, software, OS, applications, etc.
The investigator must perform a proper investigation to protect the digital evidence
The investigator must be certified by authorized organizations

People Involved in Computer Forensics
Attorney:
Gives legal advice on collection, preservation and presentation of evidence

Photographer:
Photographs the crime scene and the evidence gathered

Incident Responder:
Responsible for incident handling and response

Decision Maker:
Responsible for authorization of a policy or procedure for the investigation process

People Involved in Com puter


Forensics (contd)
Incident Analyzer:

Analyzes the incidents based on their


occurrence

Evidence
Exam iner/ Investigator:

Exam ines the evidence acquired, and sorts


useful evidence

Evidence Docum enter:

Docum ents all the evidence and the phases


present in the investigation process

EC-Council

Evidence Manager:

Manages the evidence in such a way as to


m ake a procedural way of evidence found

Expert Witness:

Offers a form al opinion as a testim ony in


the court of law
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Computer Forensics Process

Preparation
It enables easy coordination among staff and provides baseline protection

Collection
It is the process of identifying, labeling, recording, and acquiring data from all possible sources

Examination
It involves processing large amounts of collected data using a combination of automated and manual methods

Computer Forensics Process (contd)

Analysis
It is the process of analyzing the results of the investigation using legally justifiable methods and techniques

Reporting
In this phase, the analysis results are reported and recommendations are provided for improving policies, guidelines, procedures, tools, and other aspects of the forensic process

Digital Evidence
Digital evidence is defined as any information of probative value that is either stored or transmitted in a digital form

Digital evidence is found in files such as:
Graphics files
Audio and video recordings and files
Web browser history
Server logs
Word processing and spreadsheet files
E-mails
Log files

Characteristics of Digital Evidence

Admissible
Evidence must be related to the fact being proved

Authentic
Evidence must be real and related to the incident in a proper way

Complete
Evidence must prove the attacker's actions

Reliable
Evidence must not cast doubt on its own authenticity and veracity

Believable
Evidence must be clear and understandable by the judges

Collecting Electronic Evidence

List the systems involved in the incident and the systems from which evidence can be collected

For each system, obtain the relevant order of volatility

Record the extent of the system's clock drift

Collect the evidence from all the people who were affected by the incident

Collecting Electronic Evidence (contd)
Electronic evidence resides in:
Data Files:
Office desktop computer/workstation
Notebook computer
Home computer
Computer of personal assistants/secretary/staff
Palmtop devices
Network file servers/mainframes/mini-computers

Backup Tapes:
System-wide backups (monthly/weekly/incremental)
Disaster recovery backups (stored off site)
Personal or ad hoc backups (look for diskettes and other portable media)

Collecting Electronic Evidence (contd)
Other Media Sources:
Tape archives
Replaced/removed drives
Floppy diskettes and other portable media (e.g., CDs, Zip cartridges)

Evidence Collection Form Template

Forensic Analyst Making Seizure
Full Name:
Title:
Phone:
Department:
Comments:
Signature:
Date and time:

Witness Signature
Full Name:
Title:
Phone:
Department:
Full Address (Room No, Building, Address Line 1, Address Line 2, Address Line 3, Address Line 4, Post code):
Signature:
Date and time:

Evidence Collection Form Template (contd)
S.No.   Evidences   Make   Details
1
2
3
4
5
6
7
8
9
10
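The collection steps above (order of volatility, clock drift, the seizure form) and the "authentic" and "reliable" characteristics come together in a chain-of-custody record. The following is an added example, not EC-Council's material: it sorts evidence sources by volatility, records the seized system's clock drift, and fills one row of the form with a SHA-256 of the acquired data so that later alteration can be detected. The volatility ranking, the analyst and witness names, and SAMPLE_IMAGE are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

# Order of volatility, most volatile first. The ranking is an assumption of this
# example (it follows common incident-handling guidance, not a list on the slides).
VOLATILITY_ORDER = [
    "registers and cache",
    "memory and running processes",
    "network state (connections, ARP cache, routing table)",
    "temporary file systems",
    "disk",
    "remote logs and monitoring data",
    "backup media",
]

# Constructed sample evidence: stands in for an acquired image or captured file.
SAMPLE_IMAGE = b"constructed sample image bytes\x00\x01\x02" * 64


def plan_collection(sources):
    """Sort (system, evidence kind) pairs so the most volatile items are collected
    first. Kinds not in VOLATILITY_ORDER are collected last."""
    rank = {kind: i for i, kind in enumerate(VOLATILITY_ORDER)}
    return sorted(sources, key=lambda s: rank.get(s[1], len(VOLATILITY_ORDER)))


def clock_drift_seconds(system_time, reference_time):
    """Drift of the seized system's clock against a trusted reference (e.g. NTP).
    Positive means the system clock runs ahead; record it so timestamps in the
    system's logs can be corrected later."""
    return (system_time - reference_time).total_seconds()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def seizure_record(item_no, description, make, data, analyst, witness, drift_s, seized_at):
    """One row of the evidence collection form, with the analyst, witness, time of
    seizure and a SHA-256 of the acquired data so later alteration can be detected."""
    return {
        "item_no": item_no,
        "evidence": description,
        "make": make,
        "details": {
            "size_bytes": len(data),
            "sha256": sha256_hex(data),
            "clock_drift_seconds": drift_s,
        },
        "seized_by": analyst,
        "witness": witness,
        "date_time_utc": seized_at.isoformat(),
    }


def verify_record(record, data):
    """Re-hash the evidence (before analysis, or when it is produced in court) and
    confirm it still matches the hash taken at seizure."""
    return sha256_hex(data) == record["details"]["sha256"]


def demo():
    """Walk through one seizure with constructed values."""
    plan = plan_collection([
        ("ws-01", "disk"),
        ("ws-01", "network state (connections, ARP cache, routing table)"),
        ("ws-01", "memory and running processes"),
        ("fs-02", "backup media"),
    ])
    # The machine's clock read 10:00:05 when the reference clock read 10:00:00.
    drift = clock_drift_seconds(
        datetime(2009, 4, 22, 10, 0, 5, tzinfo=timezone.utc),
        datetime(2009, 4, 22, 10, 0, 0, tzinfo=timezone.utc),
    )
    record = seizure_record(
        1, "ws-01 disk image (constructed)", "example vendor", SAMPLE_IMAGE,
        analyst={"full_name": "A. Analyst", "title": "Forensic Analyst", "phone": "000"},
        witness={"full_name": "W. Witness", "title": "Security Officer"},
        drift_s=drift,
        seized_at=datetime(2009, 4, 22, 10, 15, tzinfo=timezone.utc),
    )
    return plan, drift, record


if __name__ == "__main__":
    plan, drift, record = demo()
    print("collection order:", [kind for _, kind in plan])
    print("clock drift (s):", drift)
    print("record verifies:", verify_record(record, SAMPLE_IMAGE))
    print("tampered copy verifies:", verify_record(record, SAMPLE_IMAGE + b"!"))
```

The hash is what makes the record useful later: if a copy of the image no longer verifies, the analyst knows before anything is presented that the item has been altered, which is exactly the doubt the "reliable" characteristic says evidence must not raise.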

Challenging Aspects of Digital Evidence
Digital evidence is fragile in nature

During the investigation of the crime scene, if the computer is turned off, the data which has not been saved can be lost permanently

During the investigation, digital evidence can be altered maliciously or unintentionally without leaving any clear signs of alteration

Digital evidence is circumstantial, which makes it difficult for the forensic investigator to differentiate the system's activity

After the incident, if a user writes some data to the system, it may overwrite the crime evidence

Forensic Policy
Forensic policy is a set of procedures describing the actions to be taken when an incident is observed

It defines the roles and responsibilities of all people performing or assisting the forensic activities

It should include all internal and external parties that may be involved and also indicate who should contact which parties

It explains what actions should and should not be performed under normal and special conditions

Forensic Policy (contd)

Organizations should ensure that their policies contain clear statements that address all major forensic considerations

They should allow authorized personnel to monitor systems and networks and perform investigations

Separate policies should be maintained for incident handlers and others with predefined forensic roles

An organization's forensic policy should be consistent with its other policies

Forensics in the Information System Life Cycle
Regular backups of systems should be performed
Audit records from workstations, servers, and network devices should be forwarded to secure, centralized log servers
Mission-critical applications should be configured for auditing
Maintain a database of file hashes for the files of common OS and application deployments
File integrity checking software should be used for protecting important assets

Records of network and system configurations should be maintained

Data retention policies supporting system and network activities should be implemented
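The "database of file hashes" and "file integrity checking" items above are two halves of one mechanism: hash a known-good deployment once, then re-hash later and diff. Here is an added example of that check (it is not code from the page or from any named product). It builds a SHA-256 baseline of a directory tree, then simulates what an intruder might leave behind and reports what changed; the directory contents are constructed in a temporary folder and the file names are illustrative.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its SHA-256.
    Taken on a known-good system this is the 'database of file hashes' for that
    deployment; taken again later it is the input to the integrity check."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):  # skip sockets, devices and broken symlinks
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_baselines(known_good, current):
    """Integrity check: which files appeared, disappeared or changed since the baseline."""
    old_paths, new_paths = set(known_good), set(current)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if known_good[p] != current[p]),
    }


def write_files(root, files):
    """Helper for the constructed tree: files is {relative path: bytes}."""
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo():
    """Constructed scenario: baseline a small tree, then simulate a replaced
    binary, a deleted log and a new hidden file, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        write_files(root, {
            "bin/ls": b"original ls binary (constructed)",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "var/log/auth.log": b"constructed log line\n",
        })
        known_good = build_baseline(root)

        write_files(root, {"bin/ls": b"replaced ls binary (constructed)"})  # modified
        os.remove(os.path.join(root, "var", "log", "auth.log"))               # removed
        write_files(root, {"tmp/.hidden": b"constructed new file"})          # added

        return compare_baselines(known_good, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

For this to have evidentiary weight the baseline itself has to be stored off the monitored system (or signed), since an intruder who can replace binaries can also edit a hash list that sits beside them.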

Forensic Analysis Guidelines

Organizations should:
Have a capability to perform computer and network forensics
Determine which parties should handle each aspect of forensics
Create and maintain guidelines and procedures for performing forensic tasks
Perform forensics using a consistent process
Be proactive in collecting useful data
Adhere to standard operating procedure as specified by local laws and standard-making bodies such as IOCE and SWGDE while collecting digital evidence
Source: http://csrc.nist.gov/

Forensics Analysis Tools

Helix
http://www.e-fense.com/
Helix is a bootable computer forensic tool kit providing incident response, computer forensics, and e-discovery in one interface
Helix is a customized distribution of the Knoppix Live Linux CD
You can boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection, and many applications dedicated to incident response and forensics
Helix has been modified very carefully to NOT touch the host computer in any way, and it is forensically sound
Helix has a special Windows autorun side for incident response and forensics
Helix focuses on incident response and forensics tools

Tools Present in Helix CD for Windows Forensics
Windows Forensics Toolchest (WFT)
Incident Response Collection Report (IRCR2)
Putty SSH
Screen Capture
Messenger Password
First Responder's Evidence Disk (FRED)
Mail Password Viewer
First Responder Utility (FRU)
Protected Storage Viewer
Security Reports (SecReport)
Network Password Viewer
Md5 Generator
Registry Viewer
Command Shell
Asterisk Logger
File Recovery (recover deleted files)
IE History Viewer
Rootkit Revealer
VNC Server
IE Cookie Viewer
Mozilla Cookie Viewer

Helix: Screenshot 1

Helix: Screenshot 2

Helix: Screenshot 3

Windows Forensic Toolchest
http://www.foolmoon.net/

Windows Forensic Toolchest (WFT) is designed to provide a structured and repeatable automated live forensic response, incident response, or audit on a Windows system while collecting security-relevant information from the system

It is essentially a forensically enhanced batch processing shell capable of running other security tools and producing HTML-based reports in a forensically sound manner

It provides extensive logging of all its actions along with computing MD5/SHA1 checksums along the way to ensure that its output is verifiable

Windows Forensic Toolchest (contd)
Features:
Provides structured and repeatable live forensic response, incident response, or audit
Ability to run locally, via CD/DVD, or thumb drive
Verification of all executed tools
Support for MD5 hash
Ability to verify WFT configuration files
Automatic updating of WFT hash values for tools
User-editable configuration file controls execution
Generation of both raw text and HTML reports
Ability to run commands based on run-time OS

Windows Forensic Toolchest: Screenshot 1

Windows Forensic Toolchest: Screenshot 2

Knoppix Linux
http://www.knopper.net/

KNOPPIX is a bootable Live system on CD or DVD, consisting of a representative collection of GNU/Linux software

Automatic hardware detection
Support for many graphics cards, sound cards, SCSI and USB devices, and other peripherals

It can be used as a productive Linux system for the desktop, an educational CD, a rescue system, or adapted and used as a platform for commercial software product demos

Knoppix Linux: Screenshot

The Coroner's Toolkit (TCT)
http://www.porcupine.org/

TCT is a collection of programs by Dan Farmer and Wietse Venema for a post-mortem analysis of a UNIX system after a break-in

TCT components are:
Grave-robber tool: This tool captures information
Ils and mactime tools: These tools display access patterns of files, dead or alive
Unrm and lazarus tools: These tools recover deleted files
Findkey tool: This tool recovers cryptographic keys from a running process or from files

EnCase Forensic
http://www.guidancesoftware.com/
EnCase Forensic is an investigation platform that collects digital data, performs analysis, reports on findings, and preserves them in a court-validated, forensically sound format
It gives investigators the ability to image a drive and preserve it in a forensic manner using the EnCase evidence file format (LEF or E01)

Features:
Advanced search options
Internet and email investigation support
Court-validated logical evidence file format
Multiple viewers
Instant message analysis
EnScript programming
Bookmarking
Reporting
Support for most system files
Multiple acquisition options

EnCase Forensic: Screenshot 1

EnCase Forensic: Screenshot 2

THE FARMER'S BOOT CD (FBCD)
http://www.forensicbootcd.com/
The FBCD provides a forensic environment to safely and quickly preview data stored within various storage media (such as internal and external hard drives, USB thumb drives, digital music players, digital cameras, SD and compact flash cards, etc.)
Using the FBCD, you can:
Mount file systems in a forensically sound manner, using a GUI
Preview data using a single, unified GUI (Delve)
Authenticate, acquire, and analyze storage media
Decrypt EFS-encrypted files
Access and parse the Windows Registry
Generate thumbnails for graphics files
Dump file meta-data (graphics files, PDF documents, etc.)
Obtain the passwords for system users
Undelete files from the ext2, FAT, and NTFS file system types
Identify and reset Host Protected Areas (HPA) on IDE drives
Dump the system BIOS tables
Parse the Windows pagefile.sys file for e-mail addresses and URLs
Dump file system meta-data (initialized date, last mount date, etc.)
Read various Windows and Linux log files
Parse web browser cache files for history and cookie information

FBCD: Screenshot 1

FBCD: Screenshot 2

DumpReg
http://www.systemtools.com/
DumpReg is a program for Windows that dumps the registry, making it easy to find keys and values containing a string
The registry entries can be sorted by reverse order of last modified time, making it easy to see changes made by recently installed software

DumpSec
http://www.systemtools.com/

DumpSec is a security auditing program for Microsoft Windows NT/XP/200x

It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers, and shares in a concise, readable format, so that holes in system security are readily apparent

It also dumps user, group, and replication information

DumpEvt
http://www.systemtools.com/

SomarSoft's DumpEvt is a Windows NT/200x program to dump the event log in a format suitable for importing into a database

It is similar to the DUMPEL utility in the Microsoft Windows Resource Kit, but without some of the limitations

It allows dumping of Windows 200x event logs (DNS, File Replication, and Directory Service)

Foundstone Forensic ToolKit
http://www.foundstone.com/

Foundstone Forensic ToolKit contains several Win32 command line tools that can help you examine the files on an NTFS disk partition for unauthorized activity

Features:
AFind allows you to search for access times between certain time frames
HFind scans the disk for hidden files
SFind scans the disk for hidden data streams and lists the last access times
FileStat is a quick dump of all file and security attributes
Hunt is a quick way to see if a server reveals too much info via NULL sessions

Sysinternals Suite
http://technet.microsoft.com/
The Sysinternals suite is a bundle of selected Sysinternals utilities, including the following:
AccessChk: Gives access information for specific users or groups
AccessEnum: Gives a full view of your file system and Registry security settings
AdExplorer: Explore an AD database, define favorite locations, view object properties and attributes
AdRestore: Enumerates the deleted objects in a domain
Autologon: Enables you to easily configure the Windows built-in autologon mechanism
Autoruns: Shows what programs are configured to run during system bootup or login
CacheSet: Allows you to manipulate the working-set parameters of the system file cache
LDMDump: Shows the contents of the LDM database
ListDLLs: Shows you the full path names of loaded modules
PsLogList: Dumps the contents of an Event Log on the local or a remote computer
PsPasswd: Allows changing of account passwords on the local or remote systems in batches
PsService: Service viewer and controller for Windows
NTFSInfo: Shows you information about NTFS volumes
RegMon: A Registry monitoring utility
RootkitRevealer: Advanced rootkit detection utility

NSLOOKUP
http://www.kloth.net/
NSLOOKUP is an online service to look up information in the DNS (Domain Name System [RFC1034, RFC1035, and RFC1033])
It is a program to query Internet domain name servers

It has two modes:
Interactive mode: This mode allows the user to query name servers for information about various hosts and domains
Non-interactive mode: This mode is used to print just the name and requested information for a host

dig DNS Lookup Utility
http://members.shaw.ca/

dig (domain information groper) is a flexible tool for interrogating DNS name servers
It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried
It is normally used with command-line arguments

It also has a batch mode of operation for reading lookup requests from a file

Dig Synopsis
dig [ @server ] [ -b address ] [ -c class ] [ -f filename ] [ -k filename ] [ -p port# ] [ -t type ] [ -x addr ] [ -y name:key ] [ name ] [ type ] [ class ] [ queryopt... ]
dig [ -h ]
dig [ global-queryopt... ] [ query... ]

A typical invocation of dig looks like:
dig @server name type

Whois
http://www.nsauditor.com/

Whois communicates with WHOIS servers located around the world to obtain domain registration information

It supports IP address queries and automatically selects the appropriate whois server for IP addresses

This tool looks up information on a domain, IP address, or domain registration information

Whois: Screenshot

VisualRoute
http://www.visualroute.com/

VisualRoute trace route software provides IPv4 and IPv6 traceroute, ping test, multiple route discovery, and connectivity analysis reports

It also helps determine the actual cause of a connectivity problem and pinpoints where in the network the problem occurs

Features:
Graphical view of traceroute, ping, reverse DNS, and connectivity analysis
IP location reporting
Whois lookups, network provider reporting
Omnipath multiple path discovery
Netvu multiple route topology graph
Application port testing, port probing, DNS performance testing
Continuous connection testing with report history

VisualRoute: Screenshot

Netstat Command
http://chiht.dfn-cert.de/

netstat is a useful tool for checking network configuration and activity
The netstat command provides information from various data structures in the network stack
This information can include current network connections and listening servers, routing tables, ARP caches, etc.

Linux: DD Command
http://chiht.dfn-cert.de/

The dd command is used to make binary copies of computer media

It is used as a simple disk imaging tool if given a raw disk device as its input

Forensic investigators use the built-in Linux command dd to copy data from a disk drive
The dd command can copy data from any disk that Linux can mount and access
Other forensic tools such as AccessData FTK and ILook can read dd image files
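What dd actually does when it images a drive, and the two things an investigator has to add to it, are easier to see in code than from the slide. The block below is an added example written for this page, not part of the EC-Council material or of GNU dd: it copies a constructed fake block device sector by sector the way `dd if=/dev/sdb of=image.dd` would, shows what `conv=noerror,sync` changes when a sector is unreadable (the bad block becomes zeros instead of truncating the image), and then does the verification dd itself never does by hashing source and image separately. The 512-byte block size and the FakeDisk class are assumptions of the example.

```python
import hashlib

BLOCK_SIZE = 512  # assumption: sector-sized blocks, the same default as dd's bs


class FakeDisk:
    """Constructed stand-in for a raw block device (e.g. /dev/sdb). Sectors listed
    in bad_blocks raise an I/O error when read, as a failing drive would."""

    def __init__(self, data, bad_blocks=()):
        self.data = data
        self.bad_blocks = set(bad_blocks)

    @property
    def block_count(self):
        return (len(self.data) + BLOCK_SIZE - 1) // BLOCK_SIZE

    def read_block(self, index):
        if index in self.bad_blocks:
            raise OSError("I/O error reading sector %d" % index)
        return self.data[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]


def acquire_image(disk, noerror=True):
    """Block-by-block copy of the whole device, the way `dd if=/dev/sdb of=image.dd`
    works. With noerror=True it behaves like `conv=noerror,sync`: a read error is
    logged, the block is written as zeros and the copy continues, so every later
    offset in the image still corresponds to the same offset on the source."""
    image = bytearray()
    log = []
    for i in range(disk.block_count):
        try:
            block = disk.read_block(i)
        except OSError as exc:
            if not noerror:
                raise  # plain dd stops here and the image ends short
            log.append("block %d unreadable (%s): written as zeros" % (i, exc))
            block = b""
        image += block.ljust(BLOCK_SIZE, b"\x00")  # 'sync': pad short or failed reads
    return bytes(image), log


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(source_bytes, image):
    """dd does no verification itself: hash the source and the image separately
    and compare. Only a device with no unreadable sectors can match exactly."""
    return sha256_hex(source_bytes) == sha256_hex(image)


# Constructed contents of a 3-sector device (1536 bytes = 3 blocks of 512).
SAMPLE_DEVICE = bytes(range(256)) * 6


def demo():
    clean_image, clean_log = acquire_image(FakeDisk(SAMPLE_DEVICE))
    damaged_image, damaged_log = acquire_image(FakeDisk(SAMPLE_DEVICE, bad_blocks={1}))
    return {
        "clean_verified": verify_image(SAMPLE_DEVICE, clean_image),
        "clean_log": clean_log,
        "damaged_verified": verify_image(SAMPLE_DEVICE, damaged_image),
        "damaged_log": damaged_log,
        "damaged_image_len": len(damaged_image),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The damaged case is the one to remember: the image is the right length and every readable sector is in the right place, so tools that read dd images (the FTK and ILook the slide mentions) can still parse it, but its hash can never match the drive, and the zero-filled ranges must be recorded in the notes rather than presented as data that was on the disk.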

Linux: Find Command
http://chiht.dfn-cert.de/

The find command is built in to many versions of Unix, but is also available as part of the GNU binutils package for both Unix and Windows
Find can be used to search through a directory tree looking for files that have particular names, permissions, or almost any other combination of attributes

Syntax
find [-H] [-L] [-P] [path...] [expression]

Linux: Arp Command
http://chiht.dfn-cert.de/

The Address Resolution Protocol is used by computers to translate IP addresses for machines on the local network segment into Ethernet addresses

It describes the standard for mapping Ethernet addresses in the local subnet to IP addresses

Most operating systems maintain a cache of this information, and the arp command can be used to print out the current contents of this cache

Syntax:
C:\>arp -a

Linux: ps, ls, lsof, and ifconfig Commands
http://chiht.dfn-cert.de/

ps is a basic Unix command that reports the status of processes

The Unix ls command is used to list files and directories on a filesystem

lsof is a command used to list files which are currently open on a Unix system

ifconfig is a command used to report the state of network interfaces on Unix systems

Linux: Top Command
http://chiht.dfn-cert.de/
The top command is a system monitor tool that displays and updates information about the top CPU processes on a Unix system
It displays the top 15 processes on the system and periodically updates this information

Linux: Grep Command
http://chiht.dfn-cert.de/

The Unix grep command searches text files for patterns matching regular expressions
It is used to extract interesting information from log files

It is a built-in command on many Unix systems, or an open source version is available as part of the GNU project

Syntax
grep [options] PATTERN [FILE...]
grep [options] [-e PATTERN | -f FILE] [FILE...]

Linux: Strings Command
http://chiht.dfn-cert.de/

strings is a command which displays the printable strings contained in a binary file

It is used to search unknown binaries for any hints about their function

Syntax
strings [-afo] [-n number] [file ...]
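The strings and grep slides describe the most common triage pipeline for an unknown binary: pull out the printable runs, then grep them for things worth following up. As an added example (not code from the page or from GNU binutils), the block below reimplements the core of `strings -o -n N` and then applies the grep step for URLs, IPv4 addresses and Windows paths. SAMPLE_BINARY is a constructed byte string, not a real program, and the indicator patterns are the example's own choices.

```python
import re

# Constructed sample "binary" (not a real program): header-like bytes, a few
# opcode-like bytes, and some embedded text of the kind triage usually looks for.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x48\x89\xe5\x90\x90\xc3"
    + b"User-Agent: Mozilla/4.0\x00"
    + b"\xde\xad\xbe\xef"
    + b"http://example.invalid/update.bin\x00"
    + b"\x01\x02\x03"
    + b"192.0.2.10\x00"
    + b"ab\x00"                       # shorter than the default minimum, not reported
    + b"C:\\Windows\\Temp\\svc.log\x00"
)


def extract_strings(data, min_len=4):
    """Like `strings -o -n min_len`: every run of at least min_len printable
    ASCII bytes (0x20-0x7e), returned as (byte offset, text)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


# The grep step: patterns an analyst would typically pass to `grep -E`.
INDICATOR_PATTERNS = {
    "urls": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "windows_paths": re.compile(r"[A-Za-z]:\\[^\s\"']+"),
}


def find_indicators(data, min_len=4):
    """Run the extracted strings through each indicator pattern and collect hits."""
    found = {name: [] for name in INDICATOR_PATTERNS}
    for _offset, text in extract_strings(data, min_len):
        for name, pattern in INDICATOR_PATTERNS.items():
            found[name].extend(pattern.findall(text))
    return found


if __name__ == "__main__":
    for offset, text in extract_strings(SAMPLE_BINARY):
        print("%7d %s" % (offset, text))
    print(find_indicators(SAMPLE_BINARY))
```

The min_len argument matters in practice: the real `strings` defaults to 4, which is why "ELF" in the header and the two-byte "ab" fragment are dropped, and lowering it floods the output with accidental runs of opcode bytes that happen to be printable.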

Summary
A computer forensic investigator must have knowledge of general computer skills such as hardware, software, operating systems, applications, etc.
Computer forensics helps to recover, analyze, and preserve computer and related materials in such a way that they can be presented as evidence in a court of law
Forensic readiness is the ability of an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation
Digital evidence is defined as any information of probative value that is either stored or transmitted in a digital form
Forensic policy defines the roles and responsibilities of all people performing or assisting the forensic activities
Separate policies should be maintained for incident handlers and others with forensic roles

EC-Council Certified Incident Handler
Version 1

Module VII
Handling Insider Threats

News: Malicious Insider Attacks to Rise
Source: http://newsvote.bbc.co.uk/

News: Experts Say Layoffs, Cost-Cutting Increase Insider Cyber Threat
Source: http://www.cqpolitics.com/

Module Objective

This module will familiarize you with:
Insider Threats
Anatomy of an Insider Attack
Insider Threats Detection
Insider Threats Response
Handling Insider Threats
Guidelines for Detecting and Preventing Insider Threats

Module Flow
Insider Threats
Anatomy of an Insider Attack
Insider Threat Response
Insider Threat Detection
Handling Insider Threats
Guidelines for Detecting and Preventing Insider Threats

Insider Threats
Insiders can misuse their authorized privileges to misuse resources in ways that directly affect the confidentiality, integrity, and availability of the information system

Insiders could be current employees, disgruntled system administrators, human resources staff, contractors, business partners, etc.

Insiders indulge in malicious activities on the organization's network, systems, and databases

These activities impact business operations and damage the organization's reputation and profit

Anatomy of an Insider Attack

Understand the business process

Gain credentials and trust

Install logic bombs, rootkits, key loggers

Activate logic bombs and rootkits

Damage, publicize, and/or pass information to competitors for financial gain or personal revenge

Insider Risk Matrix

If an attacker has technical literacy with process knowledge, there is the highest risk of insider attack

Technical Literacy \ Process Knowledge   High                 Low
High                                     Greatest Threat      Demonized But Insignificant
Low                                      Significant Threat   Insignificant

Source: GartnerGroup Report 5605

Insider Threats Detection

Insider threats can be detected by observing concerning behaviors exhibited by the insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness, or unexplained absenteeism
Insider threats can be identified by examining the system event logs, including database logs, email logs, application logs, file access logs, and remote access logs
Applications such as firewalls, routers, and intrusion detection systems can be used to identify insider threats

The techniques used to detect insider threats are:
Correlation
Detecting anomaly
Discovering pattern
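The three techniques named above (correlation, anomaly detection, pattern discovery) are easier to tell apart when run over actual log lines. What follows is an added example, not part of the EC-Council material: it parses a constructed VPN gateway log and a constructed file-server access log, flags logins outside working hours (anomaly), flags users who touched an unusual number of files in a day (pattern), and then correlates each file access with the VPN session active at that moment so a burst of reads on a sensitive share can be tied to the login it came over. The log format, the user names, the 203.0.113.7 address (a documentation range), the working-hours window and the thresholds are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the page): a VPN gateway log and a file-server
# access log covering the same day.
VPN_LOG = """\
2009-04-22T08:55:10 vpn login user=alice src=10.0.5.12
2009-04-22T09:02:44 vpn login user=bob src=10.0.5.40
2009-04-22T23:41:03 vpn login user=bob src=203.0.113.7
2009-04-23T00:05:19 vpn logout user=bob
"""

FILE_LOG = "\n".join(
    ["2009-04-22T09:10:00 fileaccess user=alice path=/shares/finance/q1.xlsx",
     "2009-04-22T10:15:00 fileaccess user=alice path=/shares/finance/q2.xlsx"]
    + ["2009-04-22T23:%02d:00 fileaccess user=bob path=/shares/hr/employee%02d.pdf" % (42 + i, i)
       for i in range(12)]
)


def parse_log(text):
    """Each line: ISO timestamp, an event name, then key=value fields."""
    events = []
    for line in text.strip().splitlines():
        tokens = line.split()
        event = {"ts": datetime.fromisoformat(tokens[0])}
        event["event"] = " ".join(t for t in tokens[1:] if "=" not in t)
        event.update(t.split("=", 1) for t in tokens[1:] if "=" in t)
        events.append(event)
    return events


def off_hours_logins(vpn_events, start_hour=7, end_hour=19):
    """Anomaly detection: logins outside the assumed working-hours window."""
    return [e for e in vpn_events
            if e["event"] == "vpn login" and not (start_hour <= e["ts"].hour < end_hour)]


def bulk_access(file_events, threshold=10):
    """Pattern discovery: users who touched more files in one day than the threshold,
    a common precursor to data leaving the organization."""
    counts = defaultdict(int)
    for e in file_events:
        counts[(e["user"], e["ts"].date().isoformat())] += 1
    return sorted((user, day, n) for (user, day), n in counts.items() if n > threshold)


def vpn_sessions(vpn_events):
    """Pair each login with its logout as (user, start, end, src). A login that
    arrives while a session is still open closes the earlier one at that moment;
    a session with no logout yet has end=None."""
    open_sessions, sessions = {}, []
    for e in sorted(vpn_events, key=lambda e: e["ts"]):
        user = e["user"]
        if e["event"] == "vpn login":
            if user in open_sessions:
                start, src = open_sessions.pop(user)
                sessions.append((user, start, e["ts"], src))
            open_sessions[user] = (e["ts"], e["src"])
        elif e["event"] == "vpn logout" and user in open_sessions:
            start, src = open_sessions.pop(user)
            sessions.append((user, start, e["ts"], src))
    sessions.extend((user, start, None, src) for user, (start, src) in open_sessions.items())
    return sessions


def correlate(vpn_events, file_events, internal_prefix="10.", sensitive_prefix="/shares/hr/"):
    """Correlation: attribute each file access to the VPN session active at that
    moment and count accesses to the sensitive share made over a session that
    came from a non-internal address."""
    alerts = defaultdict(int)
    sessions = vpn_sessions(vpn_events)
    for f in file_events:
        for user, start, end, src in sessions:
            in_session = start <= f["ts"] and (end is None or f["ts"] <= end)
            if f["user"] == user and in_session:
                if not src.startswith(internal_prefix) and f["path"].startswith(sensitive_prefix):
                    alerts[(user, src)] += 1
    return dict(alerts)


def analyze(vpn_text, file_text):
    vpn, files = parse_log(vpn_text), parse_log(file_text)
    return {
        "off_hours_logins": [(e["ts"].isoformat(), e["user"], e["src"]) for e in off_hours_logins(vpn)],
        "bulk_access": bulk_access(files),
        "correlated_alerts": correlate(vpn, files),
    }


if __name__ == "__main__":
    for finding, value in analyze(VPN_LOG, FILE_LOG).items():
        print(finding, value)
```

None of the three findings is conclusive on its own (late logins and large reads both have innocent explanations), which is why the slide lists correlation separately: the combined finding that the bulk HR-share reads happened over an off-hours session from an external address is what an analyst escalates.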

Insider Threats Response

Response depends on the nature of the insider threat and the organization's policy

Response can be automated or may need human involvement

The techniques used to respond to an insider threat include:
Placing malicious users in a quarantine network, so that the attack cannot spread
Preventing malicious users from accessing sensitive information
Disconnecting the computer systems from the network
Blocking malicious user accounts and physically restricting them from entering access control areas

Insiders Incident Response Plan

An insiders incident response plan helps the organization to minimize or limit the damage caused by malicious insiders

Organizations should ensure that the insider perpetrators are not included in the response team and are not aware of its progress

Organizations should consider the rights of every employee or user while developing the incident response plan

The plan should depict the process to be followed and the responsibilities of the members of the response team

The organization should not share or provide the details of the insiders incident response plan with all employees

Guidelines for Detecting and Preventing Insider Threats: Human Resources
Conduct background checks on all users and employees who are in sensitive positions
Examine and respond to suspicious behavior of employees, beginning with the hiring process

Anticipate and manage negative workplace issues

Employment verification and credit checks

Prepare an information security policy document

Monitor and secure the organization's physical environment

Guidelines for Detecting and Preventing Insider Threats: Network Security
Computer networks should be secured by configuring firewalls and monitoring outbound traffic to HTTP and HTTPS services
Create rules that restrict outbound file transfers to an authorized set of users and systems
Prevent file sharing, instant messaging, and other features among employees that allow unauthorized access to corporate networks

Scan all outgoing and incoming mails for sensitive information and malicious code

Establish strict password policies

Implement account management policies and procedures

Guidelines for Detecting and Preventing Insider Threats: Access Controls
Access privileges should be granted to employees or users based on the routine requirements of their job roles

The access requests granted to users should be documented and vetted by a supervisor

Employees should take permission from data owners before accessing sensitive systems

Establish change controls on the users' systems

When an employee is terminated from the job, the employer should disable all access rights to physical locations, networks, systems, applications, and data

Guidelines for Detecting and Preventing Insider Threats: Security Awareness Program

Train staff to identify and report malicious behavior by insiders
Examine the organization's policies and controls
Implement proper system administration safeguards for critical servers
Apply the defined security policies and controls consistently
Enforce separation of duties in order to limit the misuse of resources
Implement secure backup and recovery methods to ensure data availability

Guidelines for Detecting and Preventing Insider Threats: Administrators and Privileged Users

Disable default administrative accounts so that every administrative action is attributable to a named person
Ensure that each administrator uses a unique account rather than the shared account created during installation
Implement non-repudiation techniques so that every action performed by administrators and privileged users can be attributed and reviewed
Monitor the activities of system administrators and privileged users who have permission to access sensitive information
Use encryption to prevent administrators and privileged users from reading backup tapes and sensitive information that their role does not require

Guidelines for Detecting and Preventing Insider Threats: Backups

Implement secure backup and recovery processes so that business operations can continue when systems are compromised
Take backups regularly and test them for integrity and availability
Secure the backup media and its content from alteration, theft, or destruction
Implement separation of duties and configuration management procedures for backups of computer systems, networks, and databases
Implement backup policies that secure both the backup process and the media

Guidelines for Detecting and Preventing Insider Threats: Audit Trails and Log Monitoring

Enforce account and password policies and procedures so that online actions can be attributed to individual insiders
Periodic logging, monitoring, and auditing help the organization identify and investigate suspicious insider actions
Configure audit trails for network devices, operating systems, commercial software, and custom applications
Audits should review and examine the changes made to the organization's critical assets
Protect the audit files with file permissions and store them on a central log host, so that an insider cannot alter the records on the machine where they were generated
Implement intrusion detection and file integrity monitoring software to detect and monitor suspicious activity on sensitive data
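The access-control and audit-trail guidelines above (disable access on termination, attribute actions to individuals, review changes to critical assets) come down to a few cross-checks between the audit trail and the HR roster. The script below is an added example for this edition, not code from the original slides: it parses constructed audit records and reports activity by accounts HR does not know about, activity by accounts that should have been disabled on the owner's termination date, and off-hours reads of sensitive paths. The record format, roster, sensitive prefixes and business hours are assumptions.

```python
"""Review an access audit trail against the HR roster and business hours.

Added example for this edition; not code from the original slides. The roster,
sensitive path prefixes, business hours and audit records are constructed.

Record format (one per line):
    <ISO-8601 local time> <user> <action> <result> <target>
"""
from datetime import date, datetime, time

# Constructed HR roster: termination date, or None for active staff.
ROSTER = {"alice": None, "bob": date(2009, 4, 20), "carol": None}
SENSITIVE_PREFIXES = ("/finance/", "/hr/")   # assumption
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumption

SAMPLE_EVENTS = """\
2009-04-22T09:15:00 alice      LOGIN ok   10.1.2.3
2009-04-22T11:00:00 svc_backup LOGIN ok   10.1.0.5
2009-04-22T13:05:47 carol      READ  ok   /finance/budget.xls
2009-04-22T22:40:12 bob        LOGIN ok   10.1.9.7
2009-04-22T22:41:03 bob        READ  ok   /finance/payroll.xls
2009-04-23T02:10:09 carol      READ  ok   /hr/salaries.xls
2009-04-23T02:11:30 alice      LOGIN fail 10.1.2.3
"""


def parse_event(line):
    ts, user, action, result, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "result": result, "target": target}


def review_audit_trail(events_text, roster=ROSTER,
                       sensitive=SENSITIVE_PREFIXES, hours=BUSINESS_HOURS):
    """Return (reason, user, detail) findings in log order."""
    findings = []
    start, end = hours
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["result"] != "ok":
            continue                      # only successful actions matter here
        detail = f"{ev['ts'].isoformat()} {ev['action']} {ev['target']}"
        if ev["user"] not in roster:
            # An account HR does not know about: shared, orphaned or planted.
            findings.append(("account-not-in-roster", ev["user"], detail))
            continue
        terminated = roster[ev["user"]]
        if terminated is not None and ev["ts"].date() >= terminated:
            # Access should have been disabled on the termination date itself.
            findings.append(("terminated-account-activity", ev["user"], detail))
            continue
        if (ev["action"] == "READ" and ev["target"].startswith(sensitive)
                and not (start <= ev["ts"].time() < end)):
            findings.append(("off-hours-sensitive-access", ev["user"], detail))
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_EVENTS):
        print(*finding)
```

On the constructed records the service account is reported because HR has no record of it, bob is reported twice because his account was still usable two days after his termination date, and carol is reported for reading an HR file at two in the morning; alice's failed login is ignored because only successful actions are reviewed here. The checks only work if the log host is separate from the systems being audited, which is the point of the central-log guideline above.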

Employee Monitoring Tools

The tools listed below are commercial keyloggers and screen recorders, which provide the same capabilities an insider would use to steal data; the list therefore also includes anti-keylogger and antispyware products for detecting such software where it has not been sanctioned. Deploy monitoring software only under an approved acceptable use policy.


Activity Monitor
http://www.softactivity.com/

Activity Monitor is computer monitoring software with a built-in keylogger

It lets you track any LAN, giving detailed information on what your network users did, how, and when

Features:

Live view of remote desktops
Easy Internet usage monitoring
Monitoring of software usage
Records the activity log for all workstations in one centralized location on the main computer where Activity Monitor is installed
Stores a complete history of communications for every user
Tracks any user's keystrokes on your screen in real time


Activity Monitor: Screenshot 1


Activity Monitor: Screenshot 2


Net Spy Pro
http://www.net-monitoring-software.com/

Net Spy Pro is employee and student network monitoring software
It allows you to monitor all user activity on your network in real time from your own workstation

Features:
Lets the administrator view an actual screenshot of one, some, or all workstations instantly
Shows the administrator the favorites in a user's Internet Explorer browser
Shows a list of all files in the temporary history (cache) of the Internet Explorer browser
Lets the administrator view all open ports on a workstation
Shows the administrator a full list of processes and services running on the remote machine
Shows the administrator a list of recent documents opened by a user


Net Spy Pro: Screenshot 1


Net Spy Pro: Screenshot 2


Spector Pro
http://www.spectorsoft.com/

Spector Pro is monitoring and recording software for every detail of PC and Internet activity, in your home or in your office

Features:

Recording of keystrokes typed
Recording of MySpace and Facebook activity
Recording of online searches
Recording of web sites visited
Summary reports
Recording of email activity
Recording of program activity
Recording of keywords detected
Recording of files transferred
Recording of user activity

Spector Pro: Screenshot 1


Spector Pro: Screenshot 2


SpyAgent
http://www.spytech-web.com/

Spytech SpyAgent is computer spy software that allows you to monitor everything users do on your computer

Features:

Keystroke logging
Monitoring of emails sent and received
Event timeline logging
Monitoring of Internet chat conversations
Website activity monitoring
Application usage monitoring
Computer usage logging
Intelligent screenshot capturing
Internet traffic data monitoring
Monitoring of files uploaded and downloaded
Logging of files/documents accessed

SpyAgent: Screenshot 1


SpyAgent: Screenshot 2


Handy Keylogger
http://www.handy-keylogger.com/

Handy Keylogger is a user-friendly spy keylogger

It captures all keystrokes, monitors Internet usage, grabs screenshots at set times and intervals, monitors the clipboard, and sends the logs to your e-mail address invisibly

Features:

Monitors every keystroke on your keyboard
Grabs keystrokes under all user accounts
Logs all clipboard events: text and graphics copied to the clipboard
Records Internet/website activity
Logs chats and e-mails typed on your PC
Records instant messengers
Captures all passwords
Invisibly sends logs to your mailbox

Handy Keylogger: Screenshot 1


Handy Keylogger: Screenshot 2


Anti Keylogger
http://www.anti-keyloggers.com/

Anti-keylogger is a dedicated anti-keylogging product for Microsoft Windows

It protects computers against information-stealing programs and modules

Features:

Prevents online identity theft
Prevents Internet banking fraud
Secures email communication, instant messaging, and chat
Eliminates leakage of confidential or proprietary information
Keeps usernames, passwords, PINs, etc. safe
Reduces security breaches
Enforces computer and Internet Acceptable Use Policies (AUP)
Disables espionage software planted by competitors

Anti Keylogger: Screenshot


Actual Spy
http://www.actualspy.com/

Actual Spy is a keylogger that allows you to find out what other users do on your computer in your absence
It is capable of catching all keystrokes, capturing the screen, logging the programs being run and closed, and monitoring the clipboard contents

Features:

Logs all keystrokes
Takes screenshots at the specified time interval
Records the applications being run and closed
Watches clipboard contents
Records all print activity
Records disk changes
Records Internet connections
Records all websites visited

Actual Spy: Screenshot 1


Actual Spy: Screenshot 2


IamBigBrother
http://www.iambigbrother.com/

IamBigBrother is Internet monitoring software for both homes and businesses
It runs in stealth mode, in which it is not detected by the user of the computer
It records all Internet activity for many programs, including America Online, MSN, Outlook Express, etc.

Features:

Chat and instant message recording
Email recording
Web sites viewed
Keystroke recording
Screen capture

Iam BigBrother: Screenshot 1


Iam BigBrother: Screenshot 2


007 Spy Software
http://www.e-spy-software.com/

007 Spy Software is computer monitoring software that secretly records all activities on the computer and takes screen snapshots at set intervals

Features:

Capability of overriding anti-spyware programs such as Ad-aware
View logs remotely with your favorite browser from anywhere at any time
Supports a user filter to spy on specific users
View all users' logs with a single login
Captures the screen at the highest speed
Automatically starts up in active and stealth mode
Powerful keylogger engine that captures all passwords
Built-in slide show for screen snapshot pictures

007 Spy Software: Screenshot 1


007 Spy Software: Screenshot 2


SpyBuddy
http://www.exploreanywhere.com/

SpyBuddy 2009 is computer monitoring software that reveals what your employees are really doing on the computer
It secretly records all Internet and computer-related activities and presents the information to you

Features:

Chat blocking
Website blocking
Clipboard activity monitoring
Screenshot recording
Recording of keystrokes typed
Online search recording
Print activity monitoring

SpyBuddy 2009: Screenshot 1


SpyBuddy 2009: Screenshot 2


SoftActivity Keylogger
http://www.softactivity.com/

SoftActivity Keylogger is a spying engine that runs in the background and secretly records URLs visited in the browser, keystrokes in any program, chat conversations, and received and sent email

It captures screenshots of the desktop at a preset interval

Features:

Logs everything
Screenshot recording with IntelliSnap technology
Enhanced reporting features
Works secretly
Reports delivered by email
Complete compatibility

SoftActivity Keylogger: Screenshot 1


SoftActivity Keylogger: Screenshot 2


Elite Keylogger
http://www.widestep.com/

Elite Keylogger is a keylogger for monitoring and recording every detail of PC and Internet activity, at home or in the office

Features:

Keystroke recording
Undetectable
Chat, IM, and e-mail recording
Clipboard monitoring
Application activity recording
Winlogon and password monitoring
Screenshot recording

Elite Keylogger: Screenshot 1


Elite Keylogger: Screenshot 2


Spy Sweeper
http://www.webroot.com/

Spy Sweeper is antispyware software that blocks and removes spyware
It delivers advanced spyware detection to beat dangerous spyware programs

Features:

Advanced detection and removal capabilities
Real-time threat protection
Enhanced rootkit discovery methods
Minimal impact on computer performance
Windows Vista compatible
Multiple user protection
Up-to-date spyware news and information

Spy Sweeper: Screenshot


Summary

Insiders perform malicious activities on the organization's network, systems, and databases
The response depends on the nature of the insider threat and the organization's policy
Insider threats can be detected by examining system event logs, including database logs, email logs, application logs, file access logs, and remote access logs
Access privileges should be granted to employees and users based on what their job roles routinely require
Organizations should implement secure backup and recovery processes so that business operations can continue when systems are compromised

EC-Council Certified
Incident Handler
Version 1

Module IX
Incident Reporting

News: Infosec 2009 Experts Discuss the Cyber Crime Landscape
28 Apr 2009
Every person who goes online has a part to play in helping to reduce e-crime and better secure cyberspace, according to a panel of experts speaking at the Infosecurity Europe show in London.
Philip Virgo, secretary general of Eurim, began the panel debate by highlighting the development of today's real-world law enforcement agencies, which were originally created by businesses such as rail companies and banks rather than by governments.
Virgo believes that we cannot expect governments to shoulder all the responsibility for policing the internet. He believes that only by users, agencies, security firms and organisations working together can the huge problem of cyber crime begin to be addressed.
His call was echoed by Charlie McMurdie, detective superintendent of the newly formed Police Central e-Crime Unit (PCeU), who is pushing for greater interaction between the various stakeholders, both public and private, across various countries.
"Currently, everyone is doing different things in different ways," she said. "We need to develop structure, standards and training, not only for the 43 police forces across the UK, but all the organisations involved in helping detect, prevent and track down illegal online behaviour."
This will help to speed up investigations, and help eliminate duplication, thereby freeing up more of the limited resources, according to McMurdie.
The PCeU is pushing for end users to get involved as well by reporting even relatively minor instances of e-crime, as these can help to locate and identify the large organised criminal gangs.
Source: http://www.vnunet.com/


Module Objective

This module will familiarize you with:

Incident Reporting
Why to Report an Incident
Whom to Report an Incident
Federal Agency Incident Categories
Organizations to Report Computer Incidents
Incident Reporting Guidelines

Module Flow

Incident Reporting -> Why to Report an Incident -> Whom to Report an Incident -> Federal Agency Incident Categories -> Organizations to Report Computer Incidents -> Incident Reporting Guidelines

Incident Reporting

Incident reporting is the process of reporting information about an encountered security breach in a proper format

Incidents that should be reported include:

Logs of unauthorized access showing failed or successful attempts
Unwanted disruption
Denial of service
Unauthorized use of a system for processing or storing data
Changes made to a system's hardware or software


Why to Report an Incident

It is necessary to report an incident in order to:

Receive technical assistance, including guidance on detecting and handling incidents
Improve awareness of IT security issues and prevent further incidents
Provide stronger protection for systems and data
Deal properly with legal issues
Learn about new threats and incident trends
Be prepared for handling future incidents


Why Organizations Do Not Report Computer Crimes

Misunderstanding of the scope of the problem
Misconception that this does not happen to other organizations
Fear of negative publicity (although proactive reporting and handling of the incident lets an organization shape the media coverage rather than react to it)
Potential loss of customers
Desire to handle things internally
Lack of awareness of the attack



Whom to Report an Incident

Head of information security
Local information security officer
Incident response teams in the organization
Human resources
Public affairs officer
Legal department
CERT

How to Report an Incident

Incidents are reported using:

Electronic mail
Online reporting forms
Telephone calls
Facsimile (fax)
In person
Voice mailbox greeting
Paper (e.g., post notices on bulletin boards and doors, hand out notices at all entrance points)

Details to be Reported

Details to be reported include:

Date, time, and location of the incident
Contact information
Intensity of the incident
Circumstances that revealed the incident
Summary of hosts involved
Description of the activity
The nature of the violation
Type of private data involved
Other persons involved
Any immediate harm known or observed
Immediate corrective actions already taken

Preliminary Information Security Incident Reporting Form

System Information
Name of the Department: ____
Brief description of the affected system: ____
Physical location of the affected system: ____
System administered/operated by: ____

Contact Information
Name: ____
Designation: ____
Telephone Number: ____
Mobile Number: ____
Email Address: ____
Fax Number: ____

Incident Details
Date/Time (Detected): ____
Symptoms of Incident: ____
Impacts:
  Defacement of web site
  Service interruption (denial of service attack / mail bomb / system failure)
  Massive malicious code attack
  Loss/damage/unauthorized alteration of information
  Compromise/leakage of sensitive information
  Intrusion/unauthorized access
  Others, please specify: ____
Please provide details on the impact and service interruption period, if any: ____
Actions Taken: ____
Current System Status: ____
Other Information: ____


CERT Incident Reference Numbers

CERT assigns a reference number to every reported activity

These numbers help CERT track correspondence and identify related activity

Each number is unique; depending on the CERT it may be assigned randomly or sequentially (the US-CERT example below encodes the year and a sequence number)

Quote the number clearly in the subject line of any mail message regarding the incident

e.g. CERT#XXXX; a reference number such as US CERT-06-0001 indicates the first case registered at US-CERT in 2006

Contact Information

Contact information should include at least an email address and telephone number

If possible, also include a fax number and a mobile telephone number

State the time zone from which the report is made

Specify an alternate contact in case the primary contact (the victim) is unavailable

Sample Report Showing Contact Information

Source: https://forms.us-cert.gov/


Summary of Hosts Involved

The hosts involved in the incident or related activity are the most obvious information to note

Hosts used in one incident may have been used in earlier incidents, which lets the CERT correlate reports

Include a summary of the IP addresses and hostnames involved in the incident in the report

Hosts involved in the incident must be identified, and that information released, in accordance with the organization's policies and procedures


Sample Report Showing Summary of Hosts Involved

Source: http://www.cert.org/


Description of the Activity

The activity description should include:

Date
Methods of intrusion
Intruder tools involved
Software versions and patch levels
Intruder tool output
Details of vulnerabilities exploited
Source of attack
Other relevant information

Sample Report Showing Description of the Activity

Source: http://www.nitc.state.ne.us/


Log Extracts Showing the Activity

Logs provide significantly more detail than the narrative description

Include the log entries showing the activity along with the report

To avoid confusion, remove log entries that are not related to the incident

Ensure that non-disclosure policies are not violated when sending log entries to other sites: raw extracts usually contain addresses, usernames, and data of parties that are not part of the incident
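Trimming a log extract to the incident and honoring non-disclosure policies can be automated so that every report is prepared the same way. The script below is an added example for this edition, not code from the original slides or from the Kerio log shown next: it keeps only firewall records inside the incident window that mention an involved host, discloses the involved hosts, and replaces every other internal address with a stable placeholder, so the receiving CERT can still correlate entries without learning the organization's internal addressing. The log lines, the window, the involved hosts and the internal network range are all constructed.

```python
"""Prepare a log extract for an incident report.

Added example for this edition; not code from the original slides. The
firewall log lines, the incident window, the involved hosts and the internal
network range are constructed.
"""
import ipaddress
import re
from datetime import datetime, timezone

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumption

# Constructed: hosts named in the report and the window the report covers.
INVOLVED_HOSTS = {"203.0.113.45", "10.1.5.20"}
WINDOW_START = datetime(2009, 4, 22, 11, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2009, 4, 22, 11, 30, tzinfo=timezone.utc)

SAMPLE_LOG = """\
2009-04-22T10:58:01Z fw1 ACCEPT src=203.0.113.45 dst=10.1.5.20 dport=22
2009-04-22T11:02:13Z fw1 ACCEPT src=203.0.113.45 dst=10.1.5.20 dport=22
2009-04-22T11:02:50Z fw1 ACCEPT src=10.1.5.20 dst=10.1.7.8 dport=445
2009-04-22T11:03:05Z fw1 DROP src=198.51.100.9 dst=10.1.5.21 dport=80
2009-04-22T11:10:00Z fw1 ACCEPT src=203.0.113.45 dst=10.1.5.20 dport=4444
2009-04-22T11:45:00Z fw1 ACCEPT src=10.1.2.2 dst=10.1.5.22 dport=443
"""


def parse_ts(token):
    # The log writes UTC with a trailing Z; older fromisoformat() rejects the
    # Z, so strip it and attach UTC explicitly rather than guessing a zone.
    return datetime.fromisoformat(token.rstrip("Z")).replace(tzinfo=timezone.utc)


def extract_for_report(log_text, start, end, involved):
    """Return the sanitised lines that belong in the report, in log order."""
    pseudonyms = {}          # real internal address -> stable placeholder
    kept = []

    def mask(match):
        addr = match.group(0)
        # Involved hosts are disclosed; external addresses are not ours to hide.
        if addr in involved or ipaddress.ip_address(addr) not in INTERNAL_NET:
            return addr
        return pseudonyms.setdefault(addr, f"[internal-{len(pseudonyms) + 1}]")

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = parse_ts(line.split(None, 1)[0])
        if not (start <= ts < end):
            continue                     # outside the incident window
        if not any(a in involved for a in IP_RE.findall(line)):
            continue                     # does not touch an involved host
        kept.append(IP_RE.sub(mask, line))
    return kept


if __name__ == "__main__":
    for line in extract_for_report(SAMPLE_LOG, WINDOW_START, WINDOW_END, INVOLVED_HOSTS):
        print(line)
```

Of the six constructed records, three survive: the two connections from the external host to the involved server and the server's own lateral connection, in which the uninvolved internal target becomes `[internal-1]`. The dropped probe from an unrelated source and the records outside the window are left out, as the guideline above asks.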


Example Showing the Log Extracts of an Activity

Source: http://www.kerio.co.uk/


Time Zone

Dates, times, and time zones are confusing when used casually in international communications; clearly identify the date, time, and location of the incident

A time zone reference given as an explicit offset from GMT (or UTC), such as GMT-5 (UTC-05:00), is preferred, since less formal designations such as three-letter abbreviations can be misinterpreted

If the clock of the reporting system may be off by more than a minute or two, state the likely inaccuracy in the report

If the system was synchronized with a national time server via the Network Time Protocol (NTP), say so in the report


Federal Agency Incident Categories

Source: http://www.us-cert.gov/

Category | Name | Description | Reporting Timeframe
CAT 0 | Exercise/Network Defense Testing | Used during state, federal, national and international exercises and approved activity testing of internal/external network defenses or responses. | Not applicable; this category is for each agency's internal use during exercises.
CAT 1 | Unauthorized Access | An individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. | Within one (1) hour of discovery/detection.
CAT 2 | Denial of Service (DoS) | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This includes being the victim of, or participating in, the DoS. | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to mitigate the activity.
CAT 3 | Malicious Code | Successful installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. | Daily; within one (1) hour of discovery/detection if widespread across the agency.
CAT 4 | Improper Usage | A person violates acceptable computing use policies. | Weekly.
CAT 5 | Scans/Probes/Attempted Access | Any activity that seeks to access or identify a federal agency computer, open ports, protocols, services, or any combination of these for later exploit. This activity does not directly result in a compromise or denial of service. | Monthly; if the system is classified, within one (1) hour of discovery.
CAT 6 | Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. | Not applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.
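The Time Zone guidance (explicit UTC offsets, no informal designations) and the reporting timeframes in the category table can be combined into one helper that renders the detection time unambiguously and computes when the report is due. The script below is an added example for this edition, not code from US-CERT or from the original slides. The local offset of UTC-04:00 is an assumption about the reporting site; the Daily, Weekly and Monthly timeframes are modelled as 1, 7 and 30 days, a simplification of what is really a reporting cadence; CAT 0 and CAT 6 get no deadline because the table marks them as internal.

```python
"""Render incident times unambiguously and compute the reporting deadline.

Added example for this edition; not code from US-CERT or the original slides.
LOCAL_TZ is an assumption about the reporting site. Daily, Weekly and Monthly
timeframes are modelled as 1, 7 and 30 days, a simplification of a cadence.
"""
from datetime import datetime, timedelta, timezone

# An explicit offset, never an informal designation such as "EST" or "IST".
# UTC-04:00 is US Eastern Daylight Time, assumed for the reporting site.
LOCAL_TZ = timezone(timedelta(hours=-4), name="UTC-04:00")

# Constructed: when the example incident was detected, in local wall-clock time.
EXAMPLE_DETECTION = datetime(2009, 4, 22, 9, 15)

# Reporting timeframes from the table above.
ONE_HOUR, TWO_HOURS = timedelta(hours=1), timedelta(hours=2)
DAILY, WEEKLY, MONTHLY = timedelta(days=1), timedelta(days=7), timedelta(days=30)


def with_offset(local_dt):
    """Attach LOCAL_TZ to a naive local time; leave aware times alone."""
    return local_dt if local_dt.tzinfo else local_dt.replace(tzinfo=LOCAL_TZ)


def to_utc(local_dt):
    return with_offset(local_dt).astimezone(timezone.utc)


def format_for_report(local_dt):
    """Both forms side by side, e.g. 2009-04-22T09:15:00-04:00 (2009-04-22T13:15:00Z)."""
    local_dt = with_offset(local_dt)
    utc = local_dt.astimezone(timezone.utc)
    return f"{local_dt.isoformat()} ({utc.strftime('%Y-%m-%dT%H:%M:%SZ')})"


def report_deadline(category, detected_local, *, ongoing=False,
                    widespread=False, classified=False):
    """UTC datetime by which the report is due, or None where the table sets none."""
    detected = to_utc(detected_local)
    if category == 1:                       # Unauthorized Access
        return detected + ONE_HOUR
    if category == 2:                       # Denial of Service: only the
        return detected + TWO_HOURS if ongoing else None   # ongoing case is timed
    if category == 3:                       # Malicious Code
        return detected + (ONE_HOUR if widespread else DAILY)
    if category == 4:                       # Improper Usage
        return detected + WEEKLY
    if category == 5:                       # Scans/Probes/Attempted Access
        return detected + (ONE_HOUR if classified else MONTHLY)
    return None                             # CAT 0 and CAT 6: internal use only


if __name__ == "__main__":
    print("detected:", format_for_report(EXAMPLE_DETECTION))
    for cat in range(7):
        print(f"CAT {cat} due:", report_deadline(cat, EXAMPLE_DETECTION))
```

A site whose offset changes with daylight saving time should derive `LOCAL_TZ` from a named zone (the `zoneinfo` module) for the detection date rather than hard-coding it; the report itself should still carry the numeric offset, as the guidance above asks, so that the reader does not have to know the zone's rules.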

Organizations to Report Computer Incidents

United States Internet Crime Task Force
Internet Crime Complaint Center (IC3)
Computer Crime and Intellectual Property Section (CCIPS)
Internet Watch Foundation (IWF)


United States Internet Crime Task Force
http://www.usict.org/services.asp


Internet Crime Complaint Center (IC3)
http://www.ic3.gov/


Computer Crime & Intellectual Property Section
http://www.usdoj.gov/criminal/cybercrime/reporting.htm


Internet Watch Foundation (IWF)
http://www.iwf.org.uk/


Incident Reporting Guidelines

The victim should attempt to gather the following information before reporting:

Name and address of the reporting agency
Name, address, e-mail address, and phone number(s) of the reporting person
Name, address, e-mail address, and phone number(s) of the victim
Name, address, e-mail address, and phone number(s) of the alternate contact (e.g., alternate information security officer, system administrator, etc.)
Description of the incident
Date and time the incident occurred
Date and time the incident was discovered
Any actions taken at, and following, the time of discovery, prior to calling CERT
Source: http://www.chp.ca.gov/


Incident Reporting Guidelines (contd)

Additional information that should be gathered by the victim:

Make/model of the affected computer(s)
Serial and state asset identification numbers of the affected devices
IP address of the affected computer(s)
Assigned name of the affected computer(s)
Operating system of the affected computer(s)
Location of the affected computer(s)


Sample Incident Reporting Form 1

Source: http://www.nbt.nhs.uk/

Sample Incident Reporting Form 2 (three pages)

Source: http://www.neola.com/

Sam ple Incident Reporting


Form 3

Source: http:/ / w w w .occs.odu.edu/

EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Sam ple Post Incident Report


Form

Source: http:/ / w w w .ogcio.gov.hk/

EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Post Incident Report (contd)

Source: http:/ / w w w .ogcio.gov.hk/

EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Summary
Incident reporting is the process of reporting the information regarding an encountered security breach in a proper format
Incidents should be reported in order to receive technical assistance, including guidance on detecting and handling the incidents
CERT incident reference numbers help CERT to track correspondence and identify related activity
Contact information should include at least an email address and telephone number
The hosts involved in the incident or related activity are the most obvious information to be noted
Logs provide significantly more details than the description
The United States Internet Crime Task Force is a non-profit, government assist, and victim advocate agency

EC-Council Certified
Incident Handler
Version 1

Module X
Incident Recovery

Police Seek Grant for Communications and Computer Equipment
05/07/2009

In part of the 2009 American Recovery and Reinvestment Act, the Justice Department will be funding a number of grants for law enforcement. The Watertown Police Department will be applying to receive $24,000 in funding from the Edward Byrne Memorial Justice Assistance Grant.
According to Chief John Gavallas, the Police Department intends to use the funding to purchase equipment to operate a critical incident command center and briefing room. Purchases will include telephone systems, computers, computer monitors, printers, upgrades to the IT systems, presentation equipment, multiple internet access points, audio-visual equipment including televisions, DVD and video players and projectors.
"This will allow us to conduct roll call training in the briefing room and the equipment will provide incident commanders the equipment in managing a critical incident in town," said Chief Gavallas.
The two principal requirements of the grant are public notice and that authorization to apply for the grant is given by the governing authority of the town. The Town Council gave approval for the grant application during its regular May 4 meeting.
The grant is named in honor of New York City Police Officer Edwin Byrne, who was killed in the line of duty while conducting a stakeout to monitor drug activity in 1988.

Source: http://www.zwire.com/

Module Objective

This module will familiarize you with:
Incident Recovery
Principles of Incident Recovery
Incident Recovery Steps
Contingency/Continuity of Operations Planning
Business Continuity Planning
Incident Recovery Plan
Incident Recovery Planning Team
Business Impact Analysis

Module Flow
Incident Recovery
Principles of Incident Recovery
Contingency/Continuity of Operations Planning
Incident Recovery Steps
Business Continuity Planning
Incident Recovery Plan
Business Impact Analysis
Incident Recovery Planning Team

Incident Recovery
Incident recovery is the process of rebuilding and restoring the computer systems affected by an incident to the normal operational stage
System recovery involves all processes, policies, and tools that are used to restore normal business functions
Incident recovery measures depend on the severity of the incident, the criticality of the affected systems or processes, the impact on business revenues, and the available resources

Principles of Incident Recovery

Support and involvement of upper-level managers lead to a robust incident recovery plan
Assess the organization on a regular basis
Policies and procedures adopted must be documented and made available to the intended staff to meet the business operational needs
Determine the managers responsible for declaring, responding to, and recovering from an incident
Restrict communications among internal and external supporters of the organization

Principles of Incident Recovery (contd)
Train employees for unforeseen crises
Procedures must be tested and rehearsed to detect the vulnerabilities in the plan
Planners must identify new threats and update plans accordingly
Evaluate the effectiveness of the procedure and monitor safety and hygiene issues of the employees

Incident Recovery Steps

Step 1: System restoration
Step 2: System validation
Step 3: System operations
Step 4: System monitoring

Contingency/Continuity of Operations Planning
A contingency plan is a set of specific strategies, guidelines, and processes to recover from an incident resulting from a particular problem or emergency
It is necessary for a company or business to function normally
Guidelines for contingency planning are as follows:
Starting point
Focuses on the development and maintenance of the plan
Impact assessment
Problem analysis
Checks what sort of problems/incidents can occur
Checks the likelihood of the occurrence of the problem
Checks the severity of the problem
Plan development
The contingency plan is developed in this phase by considering the system threats and available resources
It regulates the business process by setting an order or priority of the organizational processes

Contingency/Continuity of Operations Planning (contd)
Testing the plan
In this phase, the developed plan is tested to determine whether the plan can actually work in a real-time environment
Testing results are documented for future reference
Personnel training
Personnel need to undergo training to get familiar with the plan, which helps them to perform their tasks and responsibilities effectively
Maintaining the plan
As processes are added or deleted by the organization, the plans should be updated regularly

Contingency/Continuity of Operations Planning (contd)
Components of contingency planning:
Supporting information
Notification/Activation (supplies notification procedures and offers activation of the plan)
Recovery (recovers the data with the help of backups)
Reconstitution (restores original information after the incident)
Plan appendices (provide records of further analysis)

Contingency/Continuity of Operations Planning (contd)
Continuity of operations provides an alternative site to the organization for a period of one month so as to recover from the incident and perform normal organizational operations

Business Continuity Planning

Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, as well as a solid backup and recovery strategy
Source: http://www.microsoft.com/

It provides a planning methodology that allows continuity in business operations before, during, and after an incident or event
Some other plans that are included in a business continuity plan are:
Incident/disaster recovery plan
Business recovery plan
Business resumption plan
Contingency plan

Incident Recovery Plan

An incident recovery plan is a statement of actions that should be taken before, during, or after an incident
Document and test the plan in order to ensure the continuity of operations and availability of resources during an incident
The planning process should ensure continuity of operations, some level of organizational stability, and an orderly recovery from the incident that occurred
The objectives of an incident recovery plan are:
Providing security to computers
Optimizing the risks
Providing assurance of the reliability of systems
Providing a standard for testing the plan
Reducing the decision making during an incident

Incident Recovery Planning Process
Establish the incident recovery planning team
Perform business impact analysis to assess risks
Delegate responsibilities across the organization
Develop policies and procedures
Document the incident recovery procedures
Handle incidents
Train staff and test the plan

Incident Recovery Planning Team

The incident recovery planning team must have members representing different departments within the organization
Members of the incident recovery teams should have the required skills, business process knowledge, and experience
Each department must maintain its own recovery planning group to conduct research, assess, and implement the plan
IT and network managers must address enterprise and specific department and business issues

Business Impact Analysis

Business impact analysis identifies the impact of uncontrolled and nonspecific events on the business process
Steps in business impact analysis are as follows:
Identify key business processes and functions
Establish requirements for business recovery
Determine resource interdependencies
Determine impact on operations
Develop priorities and classification of business processes and functions
Develop recovery time requirements
Determine financial, operational, and legal impact of disruption

Business Impact Analysis (BIA) Template
Organization: ________
Date BIA Completed: ________
System Name: ________
BIA POC: ________
System Manager Point of Contact (POC): ________
System Description: {Discussion of the system purpose and architecture, including system diagrams}

A. Identify System POCs
Role
Internal {Identify the individuals, positions, or offices within your organization that depend on or support the system; also specify their relationship to the system}
________
External {Identify the individuals, positions, or offices outside your organization that depend on or support the system; also specify their relationship to the system}
________
Source: http://csrc.nist.gov/

Business Impact Analysis (BIA) Template (contd)
B. Identify System Resources {Identify the specific hardware, software, and other resources that comprise the system; include quantity and type}
Hardware
Software
Other resources
C. Identify critical roles {List the roles identified in Section A that are deemed critical}
________
D. Link critical roles to critical resources {Identify the IT resources needed to accomplish the roles listed in Section C}
Critical Role | Critical Resources
________ | ________
Source: http://csrc.nist.gov/

Business Impact Analysis (BIA) Template (contd)
E. Identify outage impacts and allowable outage times {Characterize the impact on critical roles if a critical resource is unavailable; also, identify the maximum acceptable period that the resource could be unavailable before unacceptable impacts resulted}
Resource | Outage Impact | Allowable Outage Time
________ | ________ | ________
F. Prioritize resource recovery {List the priority associated with recovering a specific resource, based on the outage impacts and allowable outage times provided in Section E. Use quantitative or qualitative scale (e.g., high/medium/low, 1-5, A/B/C)}
Resource | Recovery Priority
________ | ________
Source: http://csrc.nist.gov/
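Sections E and F of the template ask for a recovery priority derived from outage impact and allowable outage time, and the BIA steps earlier call for resource interdependencies to be determined. The following added example (not EC-Council or NIST material) shows how those three inputs combine: a dependency can never be allowed a longer outage than the things that rely on it, so the tightest window is propagated down the dependency links before resources are ordered, and the order itself is a topological sort so that nothing is scheduled for recovery before what it depends on. The resource names, impact levels, hours, dependency links and the A/B/C thresholds are constructed for illustration.

```python
"""Recovery prioritisation from BIA Section E data and resource interdependencies.

Added example, not EC-Council or NIST material. Resource names, impact levels,
allowable outage times, dependency links and the A/B/C thresholds are constructed.
"""
import heapq
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IMPACT_SCORE = {"high": 3, "medium": 2, "low": 1}   # qualitative outage impact (Section E)


@dataclass
class Resource:
    name: str
    outage_impact: str              # "high" / "medium" / "low"
    allowable_outage_hours: float   # allowable outage time from Section E
    depends_on: List[str] = field(default_factory=list)   # resource interdependencies


def effective_outage_times(resources: List[Resource]) -> Dict[str, float]:
    """A resource can be down no longer than anything that depends on it.

    Propagates the tightest allowable outage time down the dependency links,
    so a 48-hour storage array that an 8-hour application relies on is treated
    as an 8-hour resource.
    """
    names = {r.name for r in resources}
    eff = {r.name: r.allowable_outage_hours for r in resources}
    changed = True
    while changed:
        changed = False
        for r in resources:
            for dep in r.depends_on:
                if dep not in names:
                    raise KeyError(f"{r.name} depends on unknown resource {dep}")
                if eff[r.name] < eff[dep]:
                    eff[dep] = eff[r.name]
                    changed = True
    return eff


def priority_class(hours: float) -> str:
    """Qualitative recovery priority for Section F; the thresholds are an assumption."""
    if hours <= 4:
        return "A"
    if hours <= 24:
        return "B"
    return "C"


def recovery_order(resources: List[Resource]) -> List[Tuple[str, str]]:
    """Ordered (resource, priority) list: tightest effective window first,
    higher impact first on ties, and never a resource before its dependencies."""
    by_name = {r.name: r for r in resources}
    eff = effective_outage_times(resources)
    indegree = {r.name: len(r.depends_on) for r in resources}
    dependents: Dict[str, List[str]] = {r.name: [] for r in resources}
    for r in resources:
        for dep in r.depends_on:
            dependents[dep].append(r.name)

    def key(name: str):
        return (eff[name], -IMPACT_SCORE[by_name[name].outage_impact], name)

    ready = [key(n) for n, d in indegree.items() if d == 0]
    heapq.heapify(ready)
    order: List[Tuple[str, str]] = []
    while ready:                      # Kahn's algorithm with a priority heap
        _, _, name = heapq.heappop(ready)
        order.append((name, priority_class(eff[name])))
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, key(child))
    if len(order) != len(resources):
        raise ValueError("circular dependency among resources")
    return order


# Constructed BIA rows for a small system (Section E values plus dependencies).
SAMPLE_BIA = [
    Resource("ERP application", "high", 8, ["Database server", "Core switch"]),
    Resource("Database server", "high", 24, ["SAN storage"]),
    Resource("SAN storage", "medium", 48),
    Resource("Core switch", "high", 2),
    Resource("Intranet wiki", "low", 72, ["Core switch"]),
]
```

In the constructed rows the SAN is nominally a 48-hour resource, but because the 8-hour ERP application depends on it through the database server it comes out as priority B and is recovered second, right after the core switch; filling Section F from Section E alone would have put it near the bottom.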

Incident Recovery Plan Implementation
Allocate tasks for implementation
Create an implementation schedule
Allocate the incident recovery documentation
Evaluate the worth and efficiency of mitigation steps

Incident Recovery Training
Train the staff to research incident recovery issues
Organizations should identify the required skills and appoint suitable people in the planning process
Organizations should prepare an agenda for the team and set tasks for achieving goals
A highly centralized and structured information management department can process at a faster pace

Incident Recovery Testing

Testing determines the effectiveness of policies and procedures when implemented
Procedure audits: Employees view the procedure to determine its authenticity and efficiency in executing procedures
Live walk-throughs of procedures: Determines the procedure's effectiveness
Live walk-throughs of related processes: Related procedures are implemented to check their effectiveness
Scenario testing: Creates a mock incident that inspects the working process of the events

Incident Recovery Testing (contd)
Work group-level tests: Creates a mock incident for a specific group of people
Department-level tests: Creates a mock incident for which the entire department must respond
Facility-level tests: Creates a mock incident for which an entire facility is liable
Enterprise-level tests: Creates a mock incident for which the entire organization must respond

Summary
Incident recovery is the process of restoring and rebuilding the computer systems affected by an incident into normal operations
A contingency plan provides backup for documents to overcome an incident
Business continuity is the ability of an organization to continue to function even after a disastrous event
An incident recovery plan is a statement of actions that should be taken before, during, or after an incident

EC-Council Certified
Incident Handler
Version 1

Module XI
Security Policies and Laws

Module Objective

This module will familiarize you with:
Key Elements of Security Policy
Purpose of a Security Policy
Design of Security Policy
Examples of Security Policies
Acceptable Use Policy
Role of Law in Incident Handling
Legal Issues When Dealing with an Incident
Laws and Acts
Intellectual Property Laws

Module Flow
Key Elements of Security Policy
Purpose of a Security Policy
Examples of Security Policies
Design of Security Policy
Acceptable Use Policy
Role of Law in Incident Handling
Laws and Acts
Legal Issues When Dealing With an Incident
Intellectual Property Laws

Security Policies

Security Policy
A security policy is a document that states in writing how a company plans to protect its physical and information technology assets
It defines what business objectives and security goals are desired by the management
It is a living document: the document is never finished, but is continuously updated depending upon technology and employee requirements
It depicts the basic architecture of the company's security environment

Key Elements of Security Policy
Clear communication
Brief and clear information
Defined scope and applicability
Enforceable by law
Recognizes areas of responsibility
Sufficient guidance
Top management involvement

Goals of a Security Policy

Security policies help in protecting the organization's system and information assets from abuse and inappropriate use
They set the guidelines for responding to internal and external incidents
Security policies help in establishing mechanisms for the organization to satisfy its legal and ethical responsibilities
Security policies provide an outline for the management and administration of the organization's security

Characteristics of a Security Policy
They must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods
They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible
They must clearly define the areas of responsibility for the users, administrators, and management
They must be documented, distributed, and communicated

Design of Security Policy

The security policy structure should contain:
A detailed description of the policy issues
A description of the status of the policy
Functionalities of those affected by the policy
Compatibility level of the policy
Applicability of the policy to the environment

Implementing Security Policies
Implementation follows after building, revising, and updating the security policy
The final version must be made available to all of the staff members in the organization
For effective implementation, there must be rotation of the job so that data handling is not restricted to a set of people
A proper security awareness program, cooperation, and coordination among employees are required

Examples of Security Policies

Access Control Policy

An access control policy authorizes permission for a user to perform a set of actions on a set of resources
It authorizes access on a need-to-use basis, by an appropriate approval process
Access to resources is based on necessity and on whether a particular person's job role responsibilities require the use of those resources
Unauthorized access is prevented by implementing managed controls

Sample Access Control Policy
Source: http://www.qgcio.qld.gov.au/

Sample Access Control Policy (contd)
Source: http://www.qgcio.qld.gov.au/

Importance of Access Control Policies
Protects the system by implementing the personnel procedures set by the management
Protects the system automatically by implementing the software and hardware controls
Dictates the policies, procedures, and accountability to control the system's use
Acts as a detective in an investigation to find out the act that has already occurred

Acceptable Use Policy (AUP)

An acceptable use policy is a set of rules applied by an organization, network, or Internet to restrict their usage
In some cases, these documents are named Internet and E-mail Policy, Internet AUP, Network AUP, or Acceptable IT Use Policy
The most important part of an AUP document is the code of conduct governing the behavior of a user whilst connected to the organization, network, or Internet
They are similar to, and often do the same job as, a document labeled Terms of Service

Personal Computer Acceptable Use Policy
Source: http://www.watchguard.com/

Administrative Security Policy

An administrative security policy ensures that the organization's resources are properly managed, used, protected, and controlled
It defines the security and protection requirements for information and information systems
It specifies the responsibility to manage the information security risk of the organization

Importance of Administrative Security Policies
Safeguards valuable, confidential, or proprietary information from unauthorized access, or from revealing the data
Eliminates strong legal liability from employees or third parties
Ensures the availability of data and processing resources
Ensures the integrity of the information, and prevents unauthorized and undetected modification, manipulation, insertion, and deletion

Asset Control Policy

An asset control policy is designed to protect the organizational resources on the network by establishing policies and procedures
It enables organizational assets to be tracked concerning their location and who is using them
An asset tracking database is created to track assets, which includes all information on the Asset Transfer Checklist table and the date of the asset change
When an asset is acquired, an ID (internal tracking number) is assigned to the asset and its information is entered into the asset tracking database

Audit Trail Policy

An audit trail policy maintains a record of system activities such as records of computer events, operating system, application, or user activities
It maintains regular system operations by implementing management, operational, and technical controls
Audit trail policies help in detecting security violations, performance problems, and flaws
It sets internal controls and audit requirements such as:
Individual accountability
Reconstructing events
Problem monitoring
Intrusion detection

Sample Audit Trail Policy
Source: http://csrc.nist.gov/

Importance of Audit Trail Policy

Helps in complying with various regulatory laws, rules, and guidelines
Individual actions are tracked, rendering users personally accountable for their actions
The amount of damage that occurred during the incident can be calculated
Helps in intrusion detection
Helps to reconstruct the events after a problem has occurred
Detects disk failures, network outages, and over-utilization of system resources

Logging Policy
A logging policy defines which set of events needs to be logged
It captures and reviews the important data in a timely manner
It includes
Notification procedures
Guidelines for log review intervals
Retention standards
Response time expectations
Specific procedures to retrieve the logs and the necessary logging are stated in the policy

Importance of Logging Policies

Detects intrusions and compromises
Detects equipment failures and prevents downtime
Maintains the proper levels of personnel
Provides qualitative data for capacity planning
Helpful in criminal and civil investigations
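The audit trail and logging slides above name individual accountability, intrusion detection and event reconstruction as what the logs must support. The following added example (not EC-Council material) is a small log review that does all three over sshd-style authentication lines: it parses each line into fields, keeps a per-source window of failed logins so that a burst is flagged once, flags any later successful login from a source that already crossed the threshold, and tallies accepted and failed logins per user. The log lines are constructed (RFC 5737 documentation addresses, fictitious users), and the threshold and window are assumptions that a logging policy would set.

```python
"""Log review over sshd-style authentication lines: intrusion detection,
individual accountability and event reconstruction from the same records.

Added example, not EC-Council material. The log lines are constructed and the
threshold/window values are assumptions a logging policy would fix.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LOG_YEAR = 2009   # syslog timestamps omit the year; assumed for the sample

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of an authentication event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ev


def review_auth_log(lines: List[str], threshold: int = 3, window_minutes: int = 5) -> dict:
    """Flag `threshold` failures from one source inside the window, and any later
    success from a source that already crossed it; tally logins per user."""
    window = timedelta(minutes=window_minutes)
    failures: Dict[str, deque] = defaultdict(deque)   # source -> recent failure times
    flagged = set()
    alerts: List[dict] = []
    accountability: Dict[str, Dict[str, int]] = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, user, t = ev["src"], ev["user"], ev["time"]
        if ev["result"] == "Failed":
            accountability[user]["failed"] += 1
            q = failures[src]
            q.append(t)
            while q and t - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "repeated-failures", "source": src,
                               "count": len(q), "at": t})
        else:
            accountability[user]["accepted"] += 1
            if src in flagged:   # a success after a burst of failures is the line to chase
                alerts.append({"kind": "success-after-failures", "source": src,
                               "user": user, "at": t})
    return {"alerts": alerts, "accountability": dict(accountability)}


# Constructed sample log (documentation address ranges, fictitious users).
SAMPLE_LOG = """\
Jan 12 03:14:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:03 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 12 03:14:05 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 12 03:14:08 web01 sshd[2237]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jan 12 03:15:10 web01 sshd[2240]: Accepted password for root from 203.0.113.7 port 51060 ssh2
Jan 12 08:02:44 web01 sshd[3102]: Accepted publickey for alice from 198.51.100.23 port 40122 ssh2
Jan 12 08:30:12 web01 sshd[3188]: Failed password for bob from 198.51.100.40 port 40901 ssh2
Jan 12 08:30:40 web01 sshd[3190]: Accepted password for bob from 198.51.100.40 port 40910 ssh2
Jan 12 09:00:00 web01 cron[3300]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()
```

The per-user tally is the accountability record; the alert list, with its timestamps, is the starting point for reconstructing what happened; and the retention period the logging policy sets decides how far back such a review can reach.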

Documentation Policy

A documentation policy determines the requirements and procedures for documentation of the organization's operations and resources such as networks and servers
Network documentation defines the documentation of networking devices and operations
Server documentation defines the documentation of server configuration information and running services
Both the server and network documentation policies define:
Who has the authority to access, read, and change the network or server documentation
The authorized person to be notified about the changes made in the network or server

Documentation Policy (contd)

In server documentation, the list of items to be documented and reviewed are:
Name, location, and function of the server
Hardware components of the system
List of software running on the server
Configuration information about the server
Types of data and the owners of the data stored on the server
Data on the server that is to be backed up
Users or groups having access to the data stored on the server and their authentication process and protocols
Administrators on the server and the authentication process and protocols
Data and authentication encryption requirements
Users accessing data from remote locations
Administrators administrating the server from remote locations

Documentation Policy (contd)

Network documentation includes:
Locations and IP addresses of all hubs, switches, routers, and firewalls on the network
Various security zones on the network and devices that control access between them
Locations of every network drop and the associated switch and port on the switch supplying that connection
Interrelationship between all network devices showing lines running between the network devices
All subnets on the network and their relationships
All Wide Area Network (WAN) or Metropolitan Area Network (MAN)
Network devices' configuration information
DHCP server settings

Evidence Collection Policy

Evidence should be collected, preserved, accessed, and transported properly in order to preserve its integrity
Every step, method, or tool used for handling the evidence should be thoroughly documented
For each system, obtain the relevant order of volatility and persistent data
Maintain a precise chain of custody
Methods used to collect evidence should be transparent and reproducible
Document all findings and actions performed during the process

Evidence Preservation Policy

The evidence preservation policy should address the following requirements:
Evidence must be preserved in its original state
Evidence should be protected from mechanical or electromagnetic damage
At least two copies of evidence should be made
Bit-stream backups are to be made as they are more thorough than the standard backups
Collected hardware evidence should be sealed in polythene bags and properly labeled for identification
All the evidence should be itemized, with the following information:
Evidence tag number
Time and date discovered
Name of the person
Evidence description
Storage notes
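The two evidence slides above require a precise chain of custody, at least two bit-stream copies, and an itemized record per piece of evidence. The following added example (not EC-Council material) ties those together with a cryptographic hash: the hash taken at acquisition is stored with the evidence item, every copy is proved against it before being accepted, and each custody transfer re-verifies the data and records the result, so a tampered or corrupted copy is caught at the hand-over rather than in court. The "disk image" is a constructed byte string standing in for a bit-stream acquisition; the names, tag number and times are fictitious.

```python
"""Bit-stream copies, integrity verification and an itemised chain-of-custody
record for a piece of digital evidence.

Added example, not EC-Council material. The "disk image" is a constructed byte
string; names, tag numbers and times are fictitious.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_hash: str) -> bool:
    """True when the data still matches the hash taken at acquisition."""
    return sha256_hex(data) == expected_hash


def make_verified_copies(original: bytes, count: int = 2) -> List[bytes]:
    """Produce bit-for-bit copies and prove each against the original's hash
    before accepting it; the policy asks for at least two copies."""
    if count < 2:
        raise ValueError("policy requires at least two copies")
    expected = sha256_hex(original)
    copies = []
    for _ in range(count):
        copy = bytes(original)          # bit-stream duplicate of the acquisition
        if not verify(copy, expected):
            raise RuntimeError("copy does not match the original")
        copies.append(copy)
    return copies


@dataclass
class CustodyEntry:
    when: datetime
    released_by: str
    received_by: str
    purpose: str
    hash_verified: bool


@dataclass
class EvidenceItem:
    tag_number: str            # evidence tag number
    discovered_at: datetime    # time and date discovered
    discovered_by: str         # name of the person
    description: str           # evidence description
    storage_notes: str         # storage notes
    acquisition_hash: str      # hash of the original at acquisition
    custody: List[CustodyEntry] = field(default_factory=list)

    def transfer(self, data: bytes, released_by: str, received_by: str,
                 purpose: str, when: datetime) -> bool:
        """Record a hand-over after re-verifying the copy being handed over.
        Returns False (and logs the failed check) when the data no longer
        matches; the caller must then stop the transfer."""
        ok = verify(data, self.acquisition_hash)
        self.custody.append(CustodyEntry(when, released_by, received_by, purpose, ok))
        return ok


def demo() -> EvidenceItem:
    """Walk the constructed sample through acquisition, copying and two transfers."""
    image = bytes(range(256)) * 64          # constructed 16 KiB "disk image"
    working, archive = make_verified_copies(image)
    item = EvidenceItem(
        tag_number="EV-2009-0001",
        discovered_at=datetime(2009, 5, 4, 9, 15, tzinfo=timezone.utc),
        discovered_by="A. Analyst",
        description="Bit-stream image of web01 system disk",
        storage_notes="Original drive sealed in polythene bag; copies on evidence store",
        acquisition_hash=sha256_hex(image),
    )
    item.transfer(working, "A. Analyst", "B. Examiner", "forensic analysis",
                  datetime(2009, 5, 4, 10, 0, tzinfo=timezone.utc))
    item.transfer(archive, "A. Analyst", "Evidence locker", "long-term storage",
                  datetime(2009, 5, 4, 10, 5, tzinfo=timezone.utc))
    return item
```

Examiners work only on the verified copies; the original stays sealed, and every entry in `custody` carries the outcome of the integrity check at that hand-over, which is what makes the chain reproducible for a reviewer.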

Inform ation Security Policy


Inform ation security policies strengthens the security of inform ation
resources

It allows the organization to satisfy its legal and ethical responsibilities

It incorporates the security practices like the m anagem ent of


vulnerable points and system file security

Inform ation security policies set the fram ework for regular
vulnerability and risk assessm ent

It provides guidelines for effective im plem entation of control


m easures to respond to the security incidents
EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Inform ation Security Policy:


University of California

Source: http:/ / w w w .ucop.edu/

EC-Council

Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Information Security Policy: Pearce & Pearce, Inc.

Source: https://www.pearceandpearce.com/

Information Security Policy: Pearce & Pearce, Inc. (contd)

Importance of Information Security Policy

Information security policies help in minimizing wastage and misuse of the organization's resources

They help in safeguarding and protecting valuable, confidential, and proprietary information from unauthorized access

Security policies help in ensuring availability of data and processing resources

They help in protecting the confidentiality and integrity of the information

Information security policies help in improving the overall security posture of the organization


National Information Assurance Certification & Accreditation Process (NIACAP) Policy

NIACAP sets up a standard national process, set of activities, general tasks, and a management structure

It certifies and recognizes systems which maintain an information assurance and security posture

The NIACAP process accomplishes the requirements of the documented security policy

The accredited security posture is maintained all through the system life cycle

The process comprises existing system certifications and product evaluations

Process users must align the process with their program strategies and incorporate the activities into their enterprise system life cycle

National Information Assurance Certification & Accreditation Process (NIACAP) Policy (contd)

Agreement between the IS program manager, Designated Approving Authority (DAA), certification agent (certifier), and user representative is the main aspect of NIACAP

Critical schedule, budget, security, functionality, and performance issues are determined by these individuals

The System Security Authorization Agreement (SSAA) contains the documentation of NIACAP agreements

The results of Certification and Accreditation (C&A) are documented using the SSAA

The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before system development begins or changes

Importance of the National Information Assurance (IA) Certification & Accreditation (C&A) Policy

Describes the operating environment, system security architecture, and threat

Establishes the C&A boundary of the system to be accredited

Forms the baseline security configuration document

Documents all requirements necessary for accreditation, test plans and procedures, certification results, and residual risk

Minimizes documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations, architecture description, test procedures, etc.)

Physical Security Policy

The physical security policy helps to control and monitor physical access to information resource facilities

Physical access to all restricted facilities is documented and managed

Every individual who has physical access to information resource facilities should sign the access and non-disclosure agreements

Access cards and/or keys must not be shared or loaned to others

All access to the information resources should be tracked with a sign in/out log


Sample Physical Security Policy 1

Source: http://trustedtoolkit.com/

Sample Physical Security Policy 1 (contd)

Source: http://trustedtoolkit.com/

Sample Physical Security Policy 2

Source: http://www.cnc.police.uk/

Importance of Physical Security Policies

Controls access to the facilities and computers

Protects assets from intentional abuse, misuse, or destruction by employees, contractors, or consultants

Protects information processing facilities by reducing the risk of human error, fraud, and theft

Monitors how well personnel comply with contractual security provisions


Physical Security Guidelines

Systems should be protected against environmental factors such as fire, power, excessive heat, and humidity

Systems should have an alternate power supply, such as a UPS, during power losses

Computing devices should be placed so as to protect them from shoulder surfing

Monitoring systems should be installed to monitor the work area and office premises

While in transit, laptops should be placed in secure storage

Workstations should be locked when left unattended


Personnel Security Policies & Guidance

Personnel security policies include the safety measures to be taken regarding company employees

Managers should implement the personnel security policies to:

Ensure the trustworthiness of the people in the posts who require access to official information
Protect the official information before granting them access
Enforce terms and conditions on the employees accessing official information


Personnel Security Policies & Guidance (contd)

Elements of personnel security are:

Personnel Screening:
It is a pre-employment check which involves the employee's background check
This is done even as the employee is given access to the official information
While recruiting an employee for a permanent staff position, he must be checked for:
  Satisfactory character referees
  Accuracy of the curriculum vitae and qualifications

Before appointing an employee after he/she is recruited, verify details of the employee such as:
  Identity and character confirmation through referees
  Criminal background check from police

Similarly, an employee being recruited for a temporary staff position can be checked through a verifying agency

Personnel Security Policies & Guidance (contd)

Granting access:

Chief executives need to grant permanent staff access to official information after clearance from:
  Pre-employment checks
  Periodic reviews
  Approval procedures
  Sound terms & conditions of the employment

Avoid granting access to the most sensitive sites, as there are chances of indirect exposure by staff or visitors
Individuals granted access must be issued a pass or access or identity card
A "Basic Check" can be done further, after the pre-employment check, for staff or contractors who need frequent access to sensitive sites


Law and Incident Handling

Role of Law in Incident Handling

Federal law requires federal agencies to report incidents to the Federal Computer Incident Response Center

It requires federal agencies to establish incident response capabilities

The incident response team should be familiar with the reporting procedures for all relevant law enforcement agencies and be well prepared to recommend a suitable agency and contact details

Several levels of law enforcement agencies are available to investigate incidents


Legal Issues When Dealing With an Incident

Law enforcement should be contacted through designated individuals in a manner consistent with the requirements of the law and the organization's procedures

Organizations should not contact multiple agencies because it might result in jurisdictional conflicts

Consult lawyers if an illegal act has occurred

Reporting to law enforcement changes the character of the evidence handling process:
  Evidence can be subpoenaed by courts
  Perpetrators and their lawyers can get access to it in the trial
  The evidence gathering process and all actions and documentation of the investigation may also be accessible to the other party during litigation


Law Enforcement Agencies

Federal investigatory agencies (e.g., the FBI and the U.S. Secret Service)

District attorney offices

State law enforcement

Local law enforcement


U.S. Law Enforcement Agencies

Laws and Acts

Searching and Seizing Computers without a Warrant

The Fourth Amendment of USA PATRIOT Act of 2001 limits the ability of government agents to search for evidence without a warrant

If the government's conduct does not violate a person's Reasonable Expectation Of Privacy, then formally it does not constitute a Fourth Amendment search and no warrant is required


A: Fourth Amendment's Reasonable Expectation of Privacy in Cases Involving Computers: General Principles

A search is constitutional if it does not violate a person's reasonable or legitimate expectation of privacy
Katz v. United States, 389 U.S. 347, 362 (1967) (Harlan, J., concurring). This inquiry embraces two discrete questions:
  First, whether the individual's conduct reflects an actual (subjective) expectation of privacy,
  Second, whether the individual's subjective expectation of privacy is one that society is prepared to recognize as reasonable.


A.4: Private Searches

The Fourth Amendment does not apply to searches conducted by private parties who are not acting as agents of the government

In United States v. Jacobsen, 466 U.S. 109 (1984), the Supreme Court presented the framework that should guide agents seeking to uncover evidence as a result of a private search

Even if courts follow the more restrictive approach, the information gleaned from the private search will often be useful in providing the probable cause needed to obtain a warrant for a further search

The fact that the person conducting a search is not a government employee does not always mean that the search is private for Fourth Amendment purposes


The Privacy Protection Act

When agents have reason to believe that a search may result in a seizure of materials relating to First Amendment activities such as publishing or posting materials on the World Wide Web, they must consider the effect of the Privacy Protection Act (PPA), 42 U.S.C. 2000aa

Brief History:
Before the Supreme Court decided Warden v. Hayden, 387 U.S. 294, 309 (1967), law enforcement officers could not obtain search warrants to search for and seize mere evidence of crime. Warrants were permitted only to seize contraband, instrumentalities, or fruits of crime
This ruling set the stage for a collision between law enforcement and the press
By freeing the Fourth Amendment from Boyd's restrictive regime, Hayden created the possibility that law enforcement could use search warrants to target the press for evidence of crime it had collected in the course of investigating and reporting news stories

Federal Information Security Management Act (FISMA)

Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each Federal agency to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The information security program must include:

Periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;

Source: http://csrc.nist.gov


Federal Information Security Management Act (FISMA) (contd)

Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system;

Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;

Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks;

Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (including the management, operational, and technical controls of every agency information system identified in their inventory) to be performed with a frequency depending on risk, but no less than annually;

Federal Information Security Management Act (FISMA) (contd)

A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures and practices of the agency;

Procedures for detecting, reporting, and responding to security incidents (including mitigating risks associated with such incidents before substantial damage is done and notifying and consulting with the Federal information security incident response center, and as appropriate, law enforcement agencies, relevant Offices of Inspector General, and any other agency or office, in accordance with law or as directed by the President); and

Plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Mexico

Section 30-45-5 Unauthorized computer use

A person who knowingly, willfully and without authorization, or having obtained authorization, uses the opportunity the authorization provides for purposes to which the authorization does not extend, directly or indirectly accesses, uses, takes, transfers, conceals, obtains, copies or retains possession of any computer, computer network, computer property, computer service, computer system or any part thereof, when the:

damage to the computer property or computer service has a value of two hundred fifty dollars ($250) or less, is guilty of a petty misdemeanor;

damage to the computer property or computer service has a value of more than two hundred fifty dollars ($250) but not more than five hundred dollars ($500), is guilty of a misdemeanor;

Source: http://law.justia.com/

Mexico (contd)

damage to the computer property or computer service has a value of more than five hundred dollars ($500) but not more than two thousand five hundred dollars ($2,500), is guilty of a fourth degree felony;

damage to the computer property or computer service has a value of more than two thousand five hundred dollars ($2,500) but not more than twenty thousand dollars ($20,000), is guilty of a third degree felony;

damage to the computer property or computer service has a value of more than twenty thousand dollars ($20,000), is guilty of a second degree felony

Brazilian Laws

ENTRY OF FALSE DATA INTO THE INFORMATION SYSTEM

Art. 313-A. Entry, or facilitation on the part of an authorized employee of the entry, of false data, improper alteration or exclusion of correct data with respect to the information system or the data bank of the Public Management for purposes of achieving an improper advantage for himself or for some other person, or of causing damages

Penalty: imprisonment for 2 to 12 years, and fines

UNAUTHORIZED MODIFICATION OR ALTERATION OF THE INFORMATION SYSTEM

Art. 313-B. Modification or alteration of the information system or computer program by an employee, without authorization by or at the request of a competent authority

Penalty: detention for 3 months to 2 years, and fines

Source: http://www.mosstingrett.no/

Canadian Laws

Canadian Criminal Code Section 342.1 states:

(1) Every one who, fraudulently and without color of right,
(a) obtains, directly or indirectly, any computer service,
(b) by means of an electro-magnetic, acoustic, mechanical or other device, intercepts or causes to be intercepted, directly or indirectly, any function of a computer system
(c) uses or causes to be used, directly or indirectly, a computer system with intent to commit an offence under paragraph (a) or (b) or an offence under section 430 in relation to data or a computer system

A person who commits an offence under paragraph (a), (b) or (c) is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years

Source: http://www.mosstingrett.no/

United Kingdom's Laws

Computer Misuse Act 1990

(1) A person is guilty of an offense if
(a) he causes a computer to perform any function with the intent to secure access to any program or data held in any computer,
(b) the access he intends to secure is unauthorized, and
(c) he knows at the time when he causes the computer to perform the function that that is the case

(2) The intent a person has to have to commit an offense under this section need not be directed at:
(a) any particular program or data,
(b) a program or data of any particular kind, or
(c) a program or data held in any particular computer

(3) A person guilty of an offense under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both

Source: http://www.opsi.gov.uk

United Kingdom's Laws (contd)

(4) A person is guilty of an offense under this section if he commits an offense under section 1 above ("the unauthorized access offense") with intent
(a) to commit an offense to which this section applies; or
(b) to facilitate the commission of such an offense; and the offense he intends to commit or facilitate is referred to below in this section as the further offense

(5) This section applies to offences
(a) for which the sentence is fixed by law; or
(b) for which a person of twenty-one years of age or over (not previously convicted) may be sentenced to imprisonment for a term of five years

(6) It is immaterial for the purposes of this section whether the further offense is to be committed on the same occasion as the unauthorized access offense or on any future occasion

(7) A person may be guilty of an offense under this section even though the facts are such that the commission of the further offense is impossible

United Kingdom's Laws (contd)

(8) A person guilty of an offense under this section shall be liable
(a) on summary conviction, to imprisonment for a term not exceeding the statutory maximum or to both; and
(b) on conviction on indictment, to imprisonment for a term not exceeding five years or to a fine or to both

(9) A person is guilty of an offense if
(a) he does any act which causes an unauthorized modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite knowledge.

(10) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing
(a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data

Belgium Laws

COMPUTER HACKING
Article 550 (b) of the Criminal Code:
1. Any person who, aware that he is not authorised, accesses or maintains his access to a computer system, may be sentenced to a term of imprisonment of 3 months to 1 year and to a fine of (Bfr 5,200-5m) or to one of these sentences
If the offence specified in 1 above is committed with intention to defraud, the term of imprisonment may be from 6 months to 2 years
2. Any person who, with the intention to defraud or with the intention to cause harm, exceeds his power of access to a computer system, may be sentenced to a term of imprisonment of 6 months to 2 years and to a fine of (BFr 5,200-20m) or to one of these sentences

Source: http://www.mosstingrett.no/

German Laws

Penal Code Section 202a. Data Espionage:

(1) Any person who obtains without authorization, for himself or for another, data which are not meant for him and which are specially protected against unauthorized access, shall be liable to imprisonment for a term not exceeding three years or to a fine
(2) Data within the meaning of subsection 1 are only such as are stored or transmitted electronically or magnetically or in any form not directly visible

Penal Code Section 303a: Alteration of Data

(1) Any person who unlawfully erases, suppresses, renders useless, or alters data (section 202a(2)) shall be liable to imprisonment for a term not exceeding two years or to a fine
(2) The attempt shall be punishable

Source: http://www.mosstingrett.no/

Italian Laws

Penal Code Article 615 ter: Unauthorized access into a computer or telecommunication systems:

Anyone who enters unauthorized into a computer or telecommunication system protected by security measures, or remains in it against the expressed or implied will of the one who has the right to exclude him, shall be sentenced to imprisonment not exceeding three years

The imprisonment is from one until five years if the crime is committed by a public official or by an officer of a public service, through abuse of power or through violation of the duties concerning the function or the service, or by a person who practices, even without a licence, the profession of a private investigator, or with abuse of the capacity of a system operator

Source: http://www.mosstingrett.no/

Cybercrime Act 2001

The Cybercrime Act 2001 amended the Criminal Code Act 1995 to replace existing outdated computer offences

478.1 Unauthorized access to, or modification of, restricted data
(1) A person is guilty of an offence if:
(a) the person causes any unauthorized access to, or modification of, restricted data; and
(b) the person intends to cause the access or modification; and
(c) the person knows that the access or modification is unauthorized; and
(d) one or more of the following applies:
  (i) the restricted data is held in a Commonwealth computer;
  (ii) the restricted data is held on behalf of the Commonwealth;
  (iii) the access to, or modification of, the restricted data is caused by means of a telecommunications service

Source: http://www.cybercrimelaw.net/

Cybercrime Act 2001 (contd)

Penalty: 2 years imprisonment
(2) Absolute liability applies to paragraph (1)(d)
(3) In this section: restricted data means data
(a) held in a computer; and
(b) to which access is restricted by an access control system associated with a function of the computer

Information Technology Act

THE INFORMATION TECHNOLOGY ACT, 2000 (No. 21 of 2000)
CHAPTER XI
OFFENCES
66. Hacking with computer system
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both

Source: http://lawmin.nic.in/

Singapore Laws

Chapter 50A: Computer Misuse Act
Section 3 (1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority, shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 7 years or to both
Section 4: Access with intent to commit or facilitate commission of offence
(1) This section shall apply to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years.
(2) Any person guilty of an offence under this section shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 10 years or to both

Source: http://www.mosstingrett.no/

Sarbanes-Oxley Act

Title I, Public Company Accounting Oversight Board (PCAOB), consists of nine sections and establishes the Public Company Accounting Oversight Board, to provide independent oversight of public accounting firms providing audit services ("auditors")

Title II, Auditor Independence, consists of nine sections and establishes standards for external auditor independence, to limit conflicts of interest, and addresses new auditor approval requirements, audit partner rotation, and auditor reporting requirements

Title III, Corporate Responsibility, consists of eight sections and mandates that senior executives take individual responsibility for the accuracy and completeness of corporate financial reports

Source: http://frwebgate.access.gpo.gov/

Sarbanes-Oxley Act (contd)

Title IV, Enhanced Financial Disclosures, consists of nine sections and describes enhanced reporting requirements for financial transactions, including off-balance-sheet transactions, pro-forma figures and stock transactions of corporate officers

Title V, Analyst Conflicts of Interest, consists of only one section, which includes measures designed to help restore investor confidence in the reporting of securities analysts

Title VI, Commission Resources and Authority, consists of four sections and defines practices to restore investor confidence in securities analysts

Sarbanes-Oxley Act (contd)

Title VII, Studies and Reports, consists of five sections, which cover the effects of consolidation of public accounting firms, the role of credit rating agencies in the operation of securities markets, securities violations and enforcement actions, and whether investment banks assisted Enron, Global Crossing and others to manipulate earnings and obfuscate true financial conditions

Title VIII, Corporate and Criminal Fraud Accountability, consists of seven sections and is also referred to as the Corporate and Criminal Fraud Act of 2002. It describes specific criminal penalties for fraud by manipulation, destruction or alteration of financial records or other interference with investigations, while providing certain protections for whistle-blowers.

Sarbanes-Oxley Act (contd)

Title IX, White Collar Crime Penalty Enhancement, consists of two sections. This section is also called the White Collar Crime Penalty Enhancement Act of 2002. This section increases the criminal penalties associated with white-collar crimes and conspiracies. It recommends stronger sentencing guidelines and specifically adds failure to certify corporate financial reports as a criminal offense.

Title X, Corporate Tax Returns, consists of one section. Section 1001 states that the Chief Executive Officer should sign the company tax return.

Title XI, Corporate Fraud Accountability, consists of seven sections. Section 1101 recommends a name for this title as the Corporate Fraud Accountability Act of 2002. It identifies corporate fraud and records tampering as criminal offenses and joins those offenses to specific penalties. It also revises sentencing guidelines and strengthens their penalties. This enables the SEC to temporarily freeze large or unusual payments.

Social Security Act


Sec. 464. [42 U.S.C. 664] (a)(1) Upon receiving notice from a State agency administering a plan approved under this part that a named individual owes past-due support which has been assigned to such State pursuant to section 408(a)(3) or section 471(a)(17), the Secretary of the Treasury shall determine whether any amounts, as refunds of Federal taxes paid, are payable to such individual (regardless of whether such individual filed a tax return as a married or unmarried individual). If the Secretary of the Treasury finds that any such amount is payable, he shall withhold from such refunds an amount equal to the past-due support, shall concurrently send notice to such individual that the withholding has been made (including in or with such notice a notification to any other person who may have filed a joint return with such individual of the steps which such other person may take in order to secure his or her proper share of the refund), and shall pay such amount to the State agency (together with notice of the individual's home address) for distribution in accordance with section 457. This subsection may be executed by the disbursing official of the Department of the Treasury.


Source: http://www.ssa.gov/


Social Security Act (contd)


Sec. 1137. [42 U.S.C. 1320b-7] (a) In order to meet the requirements of this section, a State must have in effect an income and eligibility verification system which meets the requirements of subsection (d) and under which
(1) the State shall require, as a condition of eligibility for benefits under any program listed in subsection (b), that each applicant for or recipient of benefits under that program furnish to the State his social security account number (or numbers, if he has more than one such number), and the State shall utilize such account numbers in the administration of that program so as to enable the association of the records pertaining to the applicant or recipient with his account number;
(2) wage information from agencies administering State unemployment compensation laws available pursuant to section 3304(a)(16) of the Internal Revenue Code of 1954[71], wage information reported pursuant to paragraph (3) of this subsection, and wage, income, and other information from the Social Security Administration and the Internal Revenue Service available pursuant to section 6103(l)(7) of such Code[72], shall be requested and utilized to the extent that such information may be useful in verifying eligibility for, and the amount of, benefits available under any program listed in subsection (b), as determined by the Secretary of Health and Human Services (or, in the case of the unemployment compensation program, by the Secretary of Labor, or, in the case of the supplemental nutrition assistance program[73], by the Secretary of Agriculture);

Social Security Act (contd)


(3) employers (as defined in section 453A(a)(2)(B)) (including State and local governmental entities and labor organizations) in such State are required, effective September 30, 1988, to make quarterly wage reports to a State agency (which may be the agency administering the State's unemployment compensation law) except that the Secretary of Labor (in consultation with the Secretary of Health and Human Services and the Secretary of Agriculture) may waive the provisions of this paragraph if he determines that the State has in effect an alternative system which is as effective and timely for purposes of providing employment related income and eligibility data for the purposes described in paragraph (2), and except that no report shall be filed with respect to an employee of a State or local agency performing intelligence or counterintelligence functions, if the head of such agency has determined that filing such a report could endanger the safety of the employee or compromise an ongoing investigation or intelligence mission, and except that in the case of wage reports with respect to domestic service employment, a State may permit employers (as so defined) that make returns with respect to such employment on a calendar year basis pursuant to section 3510 of the Internal Revenue Code of 1986 to make such reports on an annual basis;

Gramm-Leach-Bliley Act


The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule.
Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the Financial Privacy Rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer's personal nonpublic information.

Source: http://www.ftc.gov/


Gramm-Leach-Bliley Act (contd)


Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients' nonpublic personal information. (The Safeguards Rule also applies to information of those who are no longer consumers of the financial institution.) This plan must include:

Denoting at least one employee to manage the safeguards,

Constructing a thorough [risk management] on each department handling the nonpublic information,

Developing, monitoring, and testing a program to secure the information, and

Changing the safeguards as needed with the changes in how information is collected, stored, and used.

This rule is intended to do what most businesses should already be doing: protecting their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.

Health Insurance Portability and Accountability Act (HIPAA)

Ensure integrity, confidentiality and availability of electronic protected health information

Protect against reasonably anticipated threats or hazards, and improper use or disclosure

Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required

Penalty: Fine up to $50,000, imprisoned not more than 1 year, or both

Source: http://www.hhs.gov/


Intellectual Property Laws


Intellectual Property
Intellectual property is the product of intellect that has commercial value and includes copyrights and trademarks

Common types of intellectual property include:

Copyrights
Trademarks
Patents
Industrial design rights
Trade secrets

Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets


US Laws for Trademarks and Copyright
The Digital Millennium Copyright Act (DMCA) of 1998
This Act creates limitations on the liability of online service providers for copyright infringement

The Lanham (Trademark) Act (15 USC 1051 - 1127)
This Act prohibits a number of activities, including trademark infringement, trademark dilution, and false advertising


US Laws for Trademarks and Copyright (contd)
Doctrine of Fair Use

Section 107 of the Copyright Law mentions the doctrine of fair use

The doctrine is a result of a number of court decisions over the years

Reproduction of a particular work for criticism, news reporting, comment, teaching, scholarship, and research is considered as fair according to Section 107 of the Copyright Law


US Laws for Trademarks and Copyright (contd)
Online Copyright Infringement Liability Limitation Act:
Sec. 512. Limitations on liability relating to material on-line
Limitation - Notwithstanding the provisions of section 106, a provider shall not be liable for:
Direct infringement
Monetary relief under section 504 or 505 for contributory infringement or vicarious liability based solely on conduct
Monetary relief under section 504 or 505 for contributory infringement or vicarious liability, based solely on providing access to material over that provider's system or network

Protection of privacy
Limitation based upon removing or disabling access to infringing material


Australia Laws for Trademarks and Copyright
The Trade Marks Act 1995
This Act grants protection to a letter, word, phrase, sound, smell, shape, logo, picture, aspect of packaging or combination of these, used by traders on their goods and services to indicate their origin

The Patents Act 1990
This Act grants monopoly rights to inventors of new inventions such as improved products or devices and substances

The Copyright Act 1968
This Act relates to copyright and the protection of certain performances and for other purposes


UK Laws for Trademarks and Copyright
The Copyright, Etc. And Trade Marks (Offences And Enforcement) Act 2002
This Act amends the criminal provisions in intellectual property law, law relating to copyright, rights in performances, fraudulent reception of conditional access transmissions by use of unauthorized decoders, and trade marks

Trademarks Act 1994 (TMA)
This Act provides that the honest use of one's own name or address is a defense


China Laws for Trademarks and Copyright
Copyright Law of the People's Republic of China (Amendments on October 27, 2001)
Article 1: The purpose of protecting the copyright of authors in their literary, artistic and scientific works and the copyright-related rights and interests
Article 2: Works of Chinese citizens, legal entities or other organizations, whether published or not, shall enjoy copyright in accordance with this Law

Trademark Law of the People's Republic of China (Amendments on October 27, 2001)
This Law is enacted for the purposes of improving the administration of trademarks, protecting the exclusive right to use trademarks, and of encouraging producers and operators to guarantee the quality of their goods and services and maintaining the reputation of their trademarks, with a view to protecting the interests of consumers, producers and operators and to promoting the development of the socialist market economy


Indian Laws for Trademarks and Copyright
The Patents (Amendment) Act, 1999
This Act provides establishment of a mail box system to file patents

Trade Marks Act, 1999
This Act provides registration of trademarks relating to goods and services

The Copyright Act, 1957
This Act prescribes mandatory punishment for piracy of copyrighted matter appropriate with the gravity of the offense with an effect to deter infringement


Japanese Laws for Trademarks and Copyright
The Trademark Law (Law No. 127 of 1957):
This Law applies only to registered trademarks

The Trademark Law (N.S. 187 of 1999):
According to this law, trademarks are distinguishable and are not indispensable to secure the function of the goods or their packaging

Copyright Management Business Law (4.2.2.3 of 2000):
This law facilitates the establishment of new copyright management businesses, in order to "respond to the development of digital technologies and communication networks"


Canada Laws for Trademarks and Copyright
Copyright Act (R.S., 1985, c. C-42)
This Act grants protection to an architectural work, artistic work, Berne convention country, commission, book, broadcaster, choreographic work, cinematographic work, collective society, work or combination of these, used by traders on their goods and services to indicate their origin

Trademark Law
It states that if a mark is used by a person as a trade-mark for any of the purposes or in any of the manners, it shall not be held invalid merely on the ground that the person or a predecessor in title uses it or has used it for any other of those purposes or in any other of those manners


South African Laws for Trademarks and Copyright
Trademarks Act 194 of 1993
It is the act to provide the registration of trademarks, certification trade marks and collective trade marks and to provide for incidental matters

Copyright Act of 1978
It is the act to regulate copyright and to provide for matters incidental thereto

Patents Act No. 57 of 1978
To provide for the registration and granting of letters patent for inventions and for matters connected therewith


South Korean Laws for Trademarks and Copyright
Copyright Law Act No. 3916
The purpose of this Act is to protect the rights of authors and the rights neighboring on them and to promote fair use of works in order to contribute to the improvement and development of culture

Industrial Design Protection Act
The purpose of this act is to encourage the creation of designs by ensuring their protection and utilization so as to contribute to the development of industry


Belgium Laws for Trademarks and Copyright
Copyright Law, 30/06/1994
The purpose of the act is to protect the literary or artistic work from unauthorized usage
The author of a work alone shall have the right to reproduce his work or to have it reproduced in any manner or form whatsoever

Trademark Law, 30/06/1969
It is the law approving the Benelux Convention Concerning Trademarks and Annex, signed in Brussels on March 19, 1962
The high contracting parties shall incorporate into their domestic legislation, in one or both of the original texts, the Benelux Uniform Law on Trade Marks annexed to this Convention and shall establish an administration common to their countries under the name "Benelux Trade Marks Bureau"


Hong Kong Laws for Intellectual Property
Hong Kong's IP laws are based on constitutional or Basic Law provisions

Article 139 of the Basic Law
Government shall formulate policies on science and technology and protect achievements in scientific research

Article 140 of the Basic Law
It protects the rights of authors in their literary and artistic creations


Summary
A security policy is a document that states in writing how a company plans to protect its physical and information technology assets
A security policy ensures customers' integrity and prevents unauthorized modifications of the data
Federal law requires Federal agencies to report incidents to the Federal Computer Incident Response Center
Organizations should not contact multiple agencies because it might result in jurisdictional conflicts
Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets
An acceptable use policy is a set of rules applied by an organization, network, or Internet provider to restrict their usage
Evidence should be collected according to procedures that meet all applicable laws and regulations, in order to be admissible in court
Chain of custody is documentation showing the seizure, custody, control, transfer, analysis, and disposition of evidence
