EC-Council Certified
Incident Handler
Version 1
Module III
EC-Council
Copyright by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective
Handling Incidents
Need for Incident Response
Goals of Incident Response
Incident Response Plan
Incident Response and Handling Steps
Training and Awareness
Incident Management
Incident Response Team
Incident Response Best Practices
Incident Response Plan Checklist
Module Flow
Handling Incidents
Incident Management
Incident Response Best Practices
Incident Response Plan Checklist
Other events such as unsuccessful login attempts, attempts to write, alter, or delete system files, system failure, or performance degradation
Unusual usage patterns, such as programs being compiled in the account of users who are non-programmers
Handling Incidents
Incident handling involves :
Incident reporting
Incident analysis
Incident response
Incident response is required to identify the attacks that have compromised personal and business information or data
Protect systems
Protect personnel
Efficiently use the resources
Deal with legal issues
Preparation
Preparation is the most important aspect: it is the work done before an incident happens so that you are able to respond when one does
It includes:
Preparation (cont'd)
It consists of the security measures that an incident response team should begin to implement in order to ensure protection of the organization's assets and information
The hardware and software components required to investigate computer security incidents
The documents, such as forms and reports, required to investigate the incident
Incident Recording
Initial Response
Formulating a Response Strategy
Containment
Incident Classification
Incident Investigation
Data Collection
Evidence Protection
Forensic Analysis
Eradication
Systems Recovery
Step 1: Identification
Identification stage involves validating, identifying, and reporting
the incident
Identification (contd)
Audit log collection, examination, and analysis
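The two signs of an incident listed earlier in this module (bursts of unsuccessful login attempts, and programs being compiled in the account of a non-programmer) are exactly the kind of thing audit log analysis is meant to surface. The following is an added example, not code from the EC-Council module: it runs two detection rules over a constructed sample log. The sshd lines follow the usual syslog format; the "audit:" process-execution lines are a hypothetical format, and the PROGRAMMERS set is an assumed list of accounts expected to compile code on the host.

```python
"""Flag signs of an incident in host logs (added example, not from the module)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failed logins that ends in a success,
# then build tools run from accounts that are not programmers.
SAMPLE_LOG = """\
Mar 10 09:00:01 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51122 ssh2
Mar 10 09:00:03 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51123 ssh2
Mar 10 09:00:04 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51124 ssh2
Mar 10 09:00:06 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51125 ssh2
Mar 10 09:00:08 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51126 ssh2
Mar 10 09:00:09 web01 sshd[2211]: Accepted password for alice from 203.0.113.7 port 51127 ssh2
Mar 10 09:15:00 web01 audit: user=bob exe=/usr/bin/gcc cwd=/tmp
Mar 10 09:15:02 web01 audit: user=bob exe=/usr/bin/gcc cwd=/tmp
Mar 10 09:30:00 web01 audit: user=dev1 exe=/usr/bin/gcc cwd=/home/dev1/src
Mar 10 09:45:00 web01 audit: user=carol exe=/usr/bin/ld cwd=/var/tmp
"""

# Assumption: accounts that are expected to compile code on this host.
PROGRAMMERS = {"dev1"}
# Build tools whose use by anyone else counts as an unusual usage pattern.
COMPILERS = {"/usr/bin/gcc", "/usr/bin/cc", "/usr/bin/clang", "/usr/bin/ld", "/usr/bin/make"}

TS = r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
AUDIT_RE = re.compile(TS + r" \S+ audit: user=(\S+) exe=(\S+) cwd=(\S+)")


def parse_ts(text):
    # syslog timestamps carry no year; only differences between them are used here
    return datetime.strptime(text, "%b %d %H:%M:%S")


def find_indicators(log_text, threshold=5, window=timedelta(minutes=1), programmers=PROGRAMMERS):
    """Return a list of indicator dicts for the two signs handled here:
    - brute_force: `threshold` failed logins for one (user, source) inside `window`,
      upgraded to brute_force_then_success if the same pair later logs in;
    - unusual_usage: a build tool run by an account not in `programmers`."""
    failures = defaultdict(list)   # (user, src) -> failed-login timestamps
    accepted = set()               # (user, src) pairs that later logged in
    compiles = defaultdict(list)   # user -> (timestamp, exe, cwd) of build-tool runs
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            failures[(m[2], m[3])].append(parse_ts(m[1]))
        elif m := ACCEPTED_RE.match(line):
            accepted.add((m[2], m[3]))
        elif m := AUDIT_RE.match(line):
            if m[3] in COMPILERS:
                compiles[m[2]].append((m[1], m[3], m[4]))

    indicators = []
    for (user, src), times in failures.items():
        times.sort()
        # sliding window: does any run of `threshold` failures fit inside `window`?
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                kind = "brute_force_then_success" if (user, src) in accepted else "brute_force"
                indicators.append({"type": kind, "user": user, "src": src, "failures": len(times)})
                break
    for user, runs in compiles.items():
        if user not in programmers:
            indicators.append({"type": "unusual_usage", "user": user, "runs": len(runs),
                               "first_seen": runs[0][0], "exe": sorted({r[1] for r in runs})})
    return indicators


if __name__ == "__main__":
    for ind in find_indicators(SAMPLE_LOG):
        print(ind)
```

The failed-then-accepted upgrade matters in triage: a burst of failures alone is noise on any Internet-facing host, while a burst followed by success from the same source is the point where the identification step should hand off to initial response. Threshold, window and the programmer list are the knobs a team tunes per host class.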
It involves:
Initial investigation
Details of the incident
Creating the incident response team
Notifying individuals about the incident
The purpose of the initial response phase is to document the steps to be followed in responding to an incident
Classify incidents based on a number of factors, such as:
The incident
Time of the incident
Perpetrator of the incident
Mitigation steps to prevent future occurrences
Evidence Classification:
Host-based evidence
Network-based evidence
Other evidence
Host-based evidence:
Network-based evidence:
Other evidence:
Take a complete backup of the affected systems onto new or never-before-used media
The stored backup can be used to recover data from the affected systems
External agencies include local and national law enforcement, external security agencies, and security experts
It lists countermeasures to thwart further damage, thereby securing the organization's assets
Eradication (cont'd)
The computer systems and networks are monitored and validated
Document the steps and conclusion statements immediately after completion of the forensic process
The document should be properly organized, examined, reviewed, and vetted by management and the legal representative
Editors:
Costs include:
Well-trained members can prevent an incident or limit the resulting damage
It consists of action plan development and consistent processes that are repeatable, measurable, and understood within the organization
Protect:
Implement security measures to protect computer systems from incidents
Implement infrastructure protection improvements resulting from postmortem reviews or other process improvement mechanisms
Detect:
Triage:
Respond:
The incident management team provides support to all computer systems that are affected by threats or attacks
Staff support department representatives
IT Security
IT Operations
Physical Security
Human Resources
Legal Department
Public Relations
External Expertise
Internal Auditor
Business Applications and Online Sales Officer:
Internal Auditor:
Give team members opportunities to perform other tasks associated with incident response
Consider rotating staff members in and out of the incident response team
Team model selection:
Employees
Partially Outsourced
Fully Outsourced
Selection factors:
Employee Morale
Cost
Organizational Structure
Identify remote connections and include remotely operating employees or contractors
Identify the members of the incident team and describe their roles, responsibilities, and functions
Prepare a communication plan to contact the key personnel
Define and follow a method for reporting and archiving the incidents
Screenshot: RTIR
Summary
The purpose of incident response is to aid personnel to quickly and efficiently recover from a security incident
An incident response plan consists of a set of instructions to detect and respond to an incident
The incident response plan gathers the required resources in an organized manner to address incidents related to the security of a computer system
Preparation is the most important aspect; it is what allows you to respond to an incident when it occurs
Training and awareness provide the skills required to implement incident handling policies
Incident management not only responds to an incident but also prevents the occurrence of future incidents by minimizing the potential damage caused by risks and threats
EC-Council Certified
Incident Handler
Version 1
Module IV
CSIRT
Module Objective
This module will familiarize you with:
CSIRT
CSIRT Goals and Strategy
CSIRT Vision
CSIRT Mission Statement
CSIRT Constituency
Types of CSIRT Environments
Best Practices for Creating a CSIRT
Roles of CSIRTs
CSIRT Services
CSIRT Policies and Procedures
CSIRT Incident Report Form
CERT
CERT(R) Coordination Center: Incident Reporting Form
World CERTs
Module Flow
CSIRT
CSIRT Vision
Types of CSIRT Environments
CSIRT Constituency
CSIRT Mission Statement
Roles of CSIRTs
CSIRT Services
CERT
CSIRT Incident Report Form
CERT(R) Coordination Center: Incident Reporting Form
World CERTs
Introduction to CSIRT
What is a CSIRT?
CSIRT stands for Computer Security Incident Response Team
It is a service organization that provides 24x7 computer security incident response services to its constituency, which may be users, companies, government agencies, or other organizations
It provides a reliable and trusted single point of contact for reporting computer security incidents within that constituency
It provides the means for reporting incidents and disseminating important incident-related information
Strategy of CSIRT:
It provides a single point of contact for reporting local problems
It identifies and analyzes what has happened during an incident, including the impact and threat
It researches solutions and mitigation strategies
CSIRT Vision
Determine how the CSIRT should be structured for the organization
Plan the budget required by the organization to implement and manage the CSIRT
Determine the resources (equipment, staff, infrastructure) to be used by the CSIRT
CSIRT Constituency
The constituency is the set of users, organizations, or the region that the CSIRT is bound to serve
Table: CSIRT Types With Associated Missions and Constituencies; Source: www.cert.org
Columns: CSIRT Type, Nature of Mission
CSIRT types listed: International Coordination Center, Corporation, Technical
Overlapping constituencies
Relationship to the constituency
Promoting the CSIRT to the constituency
Gaining the constituency's trust
It fails when placed under the system administration department of its parent organization
A CSIRT may constitute the entire security team of an organization, or may be totally distinct from the organization's security team
The activities of the CSIRT can also be carried out by the organization's security team
Source: www.cert.org
National CSIRT:
Provides services to the entire nation. For example, Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)
Vendor CSIRT:
Identifies and handles vulnerabilities in the vendor's own software and hardware products
How do you let the organization know about the development of the CSIRT?
If you have a project team, how do you record and communicate the information you are collecting, especially if the team is geographically dispersed?
Business managers
Representatives from IT
Representatives from the legal department
Representatives from human resources
Representatives from public relations
Any existing security groups, including physical security
Audit and risk management specialists
Buy equipment and build any necessary network infrastructure to support the team
It must ensure that the team is meeting the needs of the constituency
The CSIRT, in conjunction with management and the constituency, will need to develop a mechanism to perform such an evaluation
Role of CSIRTs
CSIRTs provide IT security incident-centered services to their constituency, such as prevention, detection, correction, repression, and awareness building
The CSIRT's services focus on attacks propagated via the Internet that tunnel their way into extranets, intranets, and computer systems
The CSIRT reports preventive measures, along with the identified vulnerabilities, to its constituency
Awareness building
Detection
Correction
Public Relations
PR is responsible for developing the media messages regarding any event
It is responsible for all stakeholder communications, including the board, foundation personnel, donors, grantees, suppliers/vendors, and the media
Incident Coordinator (IC): acts as a link between the different groups
Constituency: a stakeholder in the incident
Administration
Incident Manager (IM)
Public Relations: responsible for stakeholder communications
Support staff
Technical writers
Network or system administrators, CSIRT infrastructure staff
Programmers or developers (to build CSIRT tools)
Web developers and maintainers
Media relations
Legal or paralegal staff or liaison
Law enforcement staff or liaison
Auditors or quality assurance staff
Marketing staff
CSIRT Services
Reactive Services
Reactive services are triggered by an event or by a request for assistance
They identify and rectify threats or attacks against the constituency's systems
Proactive Services
These services improve the infrastructure and security processes of the constituency before any incident occurs
Announcements
Technology watch
Security audit or assessment
Configuration and maintenance of security tools, applications, infrastructures, and services
Development of security tools
Intrusion detection services
Security-related information dissemination
These services incorporate feedback and lessons learned based on knowledge gained by responding to incidents, vulnerabilities, and attacks
Risk analysis
Business continuity and disaster recovery planning
Security consulting
Awareness building
Education/training
Product evaluation or certification
Procedures detail how a team enacts activities within the boundaries of its policies
Procedures make a policy successful
Members of an organization should clearly understand policies and procedures in order to implement them
Attributes
Content
Validation
Implementation
Maintenance
Enforcement
Attributes
It should outline the essential characteristics of a specific topic area in a manner that provides the necessary information
Attributes (cont'd)
Content
The content of a policy is mainly a definition of behavior in a certain topic area
It defines the features that are the boundary conditions for any policy definition
The policy content features are listed in the following table:
Content (cont'd)
Validity
Validity check finds out if all the ideas in the policy can
actually be translated into real-life behavior
Once the policy has been revised based on the feedback and it is confirmed that no further changes are required, the policy can be implemented
Follow up analysis
Report
Features:
AIRT: Screenshot 1
AIRT: Screenshot 2
Features:
Automates service management business processes
Integrates processes with systems across the enterprise
Adapts and evolves your processes to continually align with the needs of the business
Manages business process performance in real time
Replaces outdated manual systems with process automation that speeds the handling of unique processes
Rapidly prototypes, deploys, maintains, and iterates Service Management applications
Captures and tracks critical business data
Accelerated deployment
Achieves end-to-end email encryption using the existing infrastructure
Reduced operation costs
Result from centralized automation of email encryption policies
GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC 4880
It allows you to encrypt and sign your data and communications; it features a versatile key management system as well as access modules for all kinds of public key directories
Features:
Listserv
http://www.lsoft.com/
It provides the power, reliability, and enterprise-level performance needed to manage all your opt-in email lists
Its web interface simplifies email list and server management, allowing you to control your lists and administer your server from anywhere on the Internet
Listserv (cont'd)
Features and benefits
List owner features:
Listserv: Screenshot
CERT
CERT
Here CERT stands for Community Emergency Response Team (CERT)
The CERT program helps train people to be better prepared to respond to emergency situations in their communities
In the incident-handling context, CERT more commonly denotes a Computer Emergency Response Team, the term used by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University covered in the next section; the two programs are unrelated
CERT-CC
CERT: OCTAVE
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation
It is a set of tools, techniques, and methods for risk-based information security strategic assessment and planning
OCTAVE Method
OCTAVE-S
OCTAVE-Allegro
OCTAVE Method
The OCTAVE method uses a three-phased approach to examine organizational and technology issues
OCTAVE-S
OCTAVE-S uses a more streamlined process and different worksheets but produces the same result as the OCTAVE method
It requires a team of 3-5 people with a broad understanding of all aspects of the company
This version does not start by gathering information about important assets, security requirements, threats, and security practices
The assumption is that the analysis team is already aware of this information
OCTAVE-S includes only a limited exploration of the computing infrastructure
OCTAVE Allegro
OCTAVE Allegro is a streamlined variant of the OCTAVE method that focuses on information assets
It is suited to those who want to perform a risk assessment without extensive organizational involvement, expertise, or input
The assets of the organization are identified and assessed based on the information assets to which they are connected
World CERTs
Asia Pacific CERTs
CERT-CC
US-CERT
Canadian CERT
CanCERT
Forum of Incident Response and Security Teams (FIRST)
European CERTs
EuroCERT
FUNET CERT
CERTA
DFN-CERT
JANET-CERT
CERT-NL
UNINETT-CERT
CERT-NASK
Swiss Academic and Research Network CERT
Indian CERT
US-CERT
Canadian CERT
CAIS/RNP
EuroCERT
FUNET CERT
SURFnet-CERT
DFN-CERT
JANET-CERT
CERT POLSKA
Summary
A CSIRT is a service organization that provides 24x7 computer security incident response services to its constituency of users, companies, government agencies, or other organizations
A CSIRT should define, document, adhere to, and widely distribute a concise and clear mission statement
A CSIRT may constitute the entire security team of an organization or may be totally distinct from the organization's security team
The (Community Emergency Response Team) CERT program helps train people to be better prepared to respond to emergency situations in their communities
EC-Council Certified
Incident Handler
Version 1
Module I
Introduction to Incident
Response and Handling
Chart: incident counts by year for 2006, 2007 and 2008; vertical axis 0 to 18,000
Chart: incident categories reported for FY08 Q4 and FY09 Q1: Unauthorized Access, Malicious Code, Improper Usage, Scans/Probes and Attempted Access, Under Investigation
Cyber Security Trends, QUARTERLY TRENDS AND ANALYSIS REPORT, http://www.us-cert.gov/
Chart: incident categories reported for FY08 Q4 and FY09 Q1: Malware, Policy Violation, Non-Cyber, Suspicious Network Activity, Others
Cyber Security Trends, QUARTERLY TRENDS AND ANALYSIS REPORT, http://www.us-cert.gov/
The Case: Xconsoft, a major software developer located in New Jersey, realized that sensitive information in folders shared across its network was being accessed by unauthorized people and leaked to third parties.
The Challenges: Loss of the proprietary information could result in huge financial losses. The company hired an established consultant for incident handling and response. The major challenges facing the consultants were to contain the damage, assess the losses, and identify the perpetrators.
The Result: After conducting a network-wide search for specific keywords and file names, the consultant advised the company to isolate the systems that contained sensitive information and took possession of suspected systems for further analysis. After going through a complete incident handling and response cycle, and with the help of a computer forensics investigator, the company was able to trace the culprits. The consultant advised the company to develop and implement effective network security policies and deploy intrusion detection tools to defend itself from information security incidents.
Do the risks involved in engaging third-party consultants outweigh the apprehension about the ROI of developing an in-house incident handling and response team?
Module Objective
Module Flow
Computer Security Incident
Data Classification
Key Concepts of Information Security
Signs of an Incident
Incident Handling
Incident Response
Incident Reporting Organizations
The loss of information may affect the investment of the organization in different business activities
An information asset can be a trade secret, patent information, employee/personnel information, or an idea to develop the business for an organization
Data Classification
Data classification is the process of classifying data based on the level of sensitivity as it is created, modified, improved, stored, or transmitted
Top secret
Confidential information
Proprietary information
Information for internal use
Public documents
Integrity:
Availability:
Vulnerability: Existence of a weakness in design or implementation that can lead to an unexpected, undesirable event compromising the security of the system
Threat: A circumstance, event, or person with the potential to cause harm to a system in the form of destruction, disclosure, data modification, and/or Denial of Service (DoS)
Attack: An assault on system security that is derived from an intelligent threat
Unauthorized access:
It includes various activities, from improperly logging into a user's account to gaining unauthorized access to files and directories by obtaining administrator privileges
Misuse:
It is a condition where someone uses computer resources for an illegitimate purpose, such as storing personal information on an official computer
[Bar chart: 62% were attributed to a significant error; 59% resulted from hacking and intrusions; 31% incorporated malicious code; 22% exploited a vulnerability; 15% were due to physical threats]
External:
Intuitively, external threats originate from sources outside the organization
Internal:
Internal threat sources are those originating from within the organization
Partner:
Partners include any third party sharing a business relationship with the organization
[Bar chart: % of respondents, values from 7% to 59%; category labels not recoverable]
Source: Symantec Global Disaster Recovery Survey, June 2009. http://www.symantec.com/
Signs of an Incident
Accurately detecting and assessing incidents is the most challenging and essential part of the incident response process
Incident Categories
There are three categories of incidents:
Low level
Middle level
High level
They should be handled within one day after the event occurs
These include:
Incident Prioritization
Prioritizing the handling of the incident is critical for the incident handling process
Incident Response
Incident response is a process of responding to incidents that may have occurred due to a security breach in the system or network
It plays a major role when the security of the system is compromised
The goal of incident response is to handle the incidents in a way that minimizes the damage and reduces recovery time and costs
It includes:
Responding to incidents systematically so that the appropriate steps are taken
Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data
Dealing properly with legal issues that may arise during incidents
Incident Handling
Incident handling involves all the processes, logistics, communications, coordination, and planning to respond to and overcome an incident efficiently
Incident handling helps to find out trends and patterns of the intruders' activity
Incident handling procedures help network administrators in recovery, containment, and prevention of incidents
Incident handling policies help the corresponding staff to understand the process of responding to and tackling unexpected threats and security breaches
[Bar chart: percentage covered by DR plan, values from 24% to 92%; category labels not recoverable]
Source: Symantec Global Disaster Recovery Survey, June 2009. http://www.symantec.com/
Impact of Virtualization on Incident Response and Handling
Do you test virtual servers as part of your disaster recovery plan?
[Pie chart: Yes and No responses, 73% and 27%]
Source: Symantec Global Disaster Recovery Survey, June 2009. http://www.symantec.com/
[Bar chart: values from 27% to 49%; category labels not recoverable]
Source: Symantec Global Disaster Recovery Survey, June 2009. http://www.symantec.com/
Intangible Cost:
Damage to corporate reputation
Loss of goodwill
Psychological damage
Those directly impacted may feel victimized
May impact morale or initiate fear
Legal liability
Effect on shareholder value
The median cost of executing/implementing disaster recovery plans for each downtime incident worldwide ranges from approximately $100,000 to $500,000
Globally, the median disaster recovery cost is highest for healthcare and financial services organizations
Source: Symantec Global Disaster Recovery Survey, June 2009. http://www.symantec.com/
Incident Reporting
Incident reporting is the process of reporting an encountered security breach in a proper format
The incident should be reported to receive technical assistance and raise security awareness that would minimize the losses
Organizations may not report computer crimes due to negative publicity and potential loss of customers
Vulnerability Resources
US-CERT Vulnerability Notes Database: http://www.kb.cert.org/vuls/
Descriptions of these vulnerabilities are available from this web page in a searchable database format, and are published as "US-CERT Vulnerability Notes".
Summary
A computer security incident might be any real or suspected adverse event in relation to the security of computer systems or networks
An information system transforms data into useful information that supports decision making
Incident response is an organized approach to address and manage the aftermath of a security breach or attack
Incident handling refers to the operational procedures used to actually manipulate the incident and purge it from the systems
Incident reporting is the process of reporting the information regarding the encountered security breach in a proper format
EC-Council Certified Incident Handler
Version 1
Module II
Risk Assessment
Module Objective
Risk
Risk Policy
Risk Assessment
NIST Risk Assessment Methodology
Steps to Assess Risks at Workplace
Risk Analysis
Risk Mitigation
Cost/Benefit Analysis
Residual Risk
Module Flow
Risk
Risk Policy
Steps to Assess Risks at Workplace
Risk Analysis
Risk Mitigation
Residual Risk
Risk
Risk Policy
Risk policy is a set of ideas to be implemented to overcome the risk
Rules of behavior while dealing with the computer system and the consequences for violating these rules
Personnel and technical controls for the computer system
Methods for identifying, properly limiting, and controlling interconnections with other systems and particular methods to monitor and manage such limits
Procedures for the on-going training of employees authorized to access the system
Procedures to monitor the efficiency of the security controls
Provisions for continuing support if there is an interruption in the system or if the system crashes
It determines the level of risk and the resulting security requirements for each system
Risk assessment for a new system is conducted at the beginning of the System Development Life Cycle
Risk assessment for an existing system is conducted when there are modifications made to the system's environment
This process helps to identify the suitable controls to reduce risk in the risk mitigation process
The organization should plan, implement, and monitor a set of security measures that need to be undertaken against the identified risk
[Flow diagram: NIST risk assessment methodology]
Step 1. System Characterization
Step 2. Threat Identification
Step 3. Vulnerability Identification
Step 4. Control Analysis
Step 5. Likelihood Determination
Step 6. Impact Analysis
Step 7. Risk Determination
Step 8. Control Recommendations
Step 9. Results Documentation
Step 1. System Characterization
Characterize the IT system so as to establish the scope of the risk assessment effort
Input: Hardware; Software; System interfaces; Data and information; People; System mission
Output: System Boundary; System Functions; System and Data Criticality; System and Data Sensitivity
Step 2. Threat Identification
Input: History of system attack; Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media
Output: Threat Statement
Human Threats
Step 3. Vulnerability Identification
Prepare a list of the system vulnerabilities that a threat source can exploit
Input: Reports from prior risk assessments; Any audit comments; Security requirements; Security test results
Output: List of Potential Vulnerabilities
Step 4. Control Analysis
Input: Current controls; Planned controls
Output: List of Current and Planned Controls
Step 5. Likelihood Determination
Input: Threat-source motivation; Threat capacity; Nature of vulnerability; Current controls
Output: Likelihood Rating
Step 6. Impact Analysis
Input: Mission impact analysis; Asset criticality assessment; Data criticality; Data sensitivity
Output: Impact Rating
Step 7. Risk Determination
Input: Likelihood of threat exploitation; Magnitude of impact; Adequacy of planned or current controls
Output: Risks and Associated Risk Levels
Step 8. Control Recommendations
The implemented controls should reduce the risk to an acceptable level
Factors to be considered in recommending controls:
Output: Recommended Controls
Step 9. Results Documentation
The result document should be made available to the concerned staff, risk control developers, and risk auditors
Risk assessment report should include:
Output: Risk Assessment Report
[Table header, risk assessment report: Vulnerability | Threat | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations]
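The risk determination that links Steps 5, 7 and 9 above, worked through in code. This is an added example and not part of the course material: the numeric likelihood and impact weights and the High/Medium/Low bands follow the example risk-level matrix in NIST SP 800-30, the likelihood_rating() mapping of threat motivation, threat capacity and control effectiveness to a rating is a simplification assumed here, and the sample risk items are constructed.

```python
"""Risk determination and report rows for a NIST SP 800-30 style assessment."""
from dataclasses import dataclass

# Weights and bands from the example risk-level matrix in NIST SP 800-30
# (assumption: the course slides give the step inputs/outputs, not the scale).
LIKELIHOOD_WEIGHT = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_WEIGHT = {"High": 100, "Medium": 50, "Low": 10}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def likelihood_rating(motivated: bool, capable: bool, controls: str) -> str:
    """Step 5: rate likelihood from threat-source motivation, threat capacity and
    current controls. `controls` is "ineffective", "impede" or "prevent"
    (an assumed three-point scale for how well the controls work)."""
    if controls == "prevent" or not (motivated and capable):
        return "Low"
    if controls == "impede":
        return "Medium"
    return "High"


def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: overall risk rating = likelihood weight x impact weight, banded."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class RiskItem:
    vulnerability: str
    threat: str
    risk_summary: str
    likelihood: str
    impact: str
    controls_analysis: str
    recommendations: str


def report_rows(items):
    """Step 9: one row per vulnerability/threat pair in the column order of the
    report table, sorted so the highest overall risk rating comes first."""
    rows = []
    for it in items:
        rows.append({
            "vulnerability": it.vulnerability,
            "threat": it.threat,
            "risk_summary": it.risk_summary,
            "likelihood_rating": it.likelihood,
            "impact_rating": it.impact,
            "overall_risk_rating": risk_level(it.likelihood, it.impact),
            "analysis_of_controls": it.controls_analysis,
            "recommendations": it.recommendations,
        })
    rows.sort(key=lambda r: RISK_ORDER[r["overall_risk_rating"]])
    return rows


# Constructed sample register (not from the slides).
SAMPLE_ITEMS = [
    RiskItem("Terminated employees' accounts not removed promptly", "Former employee",
             "Remote access by terminated staff to proprietary data",
             likelihood_rating(motivated=True, capable=True, controls="ineffective"),
             "High", "No account-removal procedure on termination",
             "Remove accounts at termination; review the account list monthly"),
    RiskItem("Unpatched vendor flaw on the public web server", "Unauthorized user",
             "Defacement or data disclosure via a known flaw",
             likelihood_rating(motivated=True, capable=True, controls="impede"),
             "High", "IDS in place; patch cycle is 60 days",
             "Patch within the vendor's advisory window; verify with a scan"),
    RiskItem("Backup tapes stored in the server room", "Fire",
             "Loss of backups together with the primary systems",
             "Low", "Medium", "Fire suppression present; no off-site copy",
             "Rotate one backup set off-site weekly"),
]

if __name__ == "__main__":
    for row in report_rows(SAMPLE_ITEMS):
        print(row["overall_risk_rating"], "-", row["vulnerability"])
```

The weights make the banding asymmetric on purpose: a High likelihood against a Medium impact scores 50 and lands in Medium, while a Medium likelihood against a High impact also scores 50, so the two are ranked equal rather than letting a single dimension dominate.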
Hazards identification
Implement a temporary solution until more reliable controls are in place
Identify a long term solution to the risks that impact more critical infrastructure
Risk Analysis
Risk Analysis
Risk analysis involves the process of defining and evaluating the dangers
It is used to determine all possible and significant risks for your particular business
Risk analysis should be conducted properly in order to put a proper response in place, based on the amount of risk
Risk Mitigation
Risk Mitigation
Risk mitigation includes all possible solutions for reducing the probability of the risk and limiting the impact of the risk if it occurs
Apply a least cost approach and implement appropriate controls to reduce risks
Risk planning
This strategy focuses on comprehensive plan development for risk assessment and mitigation
Risk transference
It is a strategy where loss is minimized by transferring risks to other parties either in the form of insurance or contract
A cost benefit analysis finds, quantifies, and adds all the positive factors and subtracts all the negative factors, and produces the net result
It demonstrates that the costs of implementing the controls can be justified by the reduction in the level of risk
[Flow diagram: risk mitigation steps 2 to 7; labelled steps include Prioritize actions, Select control, and Assign responsibility]
Residual Risk
Risk that remains after implementation of all the possible risk control measures is called residual risk
The implemented risk control measures cannot remove the risks completely
CRAMM
Acuity STREAM
EAR / Pilar
CRAMM
http://www.cramm.com/
Features:
A comprehensive risk assessment tool in compliance with ISO 27001
Supports information security managers to plan and manage security
Tool wizards create pro-forma information security policies and other related documentation
Supports key processes in business continuity management
A database of over 3000 security controls referenced to relevant risks and ranked by effectiveness and cost
Working of CRAMM
CRAMM provides a staged approach embracing both technical (e.g. IT hardware and software) and non-technical (e.g. physical and human) aspects of security
CRAMM follows a three stage approach:
Asset identification and valuation
CRAMM enables the reviewer to identify the physical (e.g. IT hardware), software (e.g. application packages), data (e.g. the information held on the IT system) and location assets that make up the information system
Data and software assets are valued in terms of the impact that would result if the information were to be unavailable, destroyed, disclosed or modified
CRAMM: Screenshot
Acuity STREAM
http://www.acuityrm.com/
STREAM: Screenshot
Callio Secura 17799 is software that enables companies to comply with the ISO 17799/BS 7799 information security management standard
It helps in:
Managing threats, vulnerabilities and controls
Managing various types of evaluation criteria, such as confidentiality, availability, integrity and legal compliance
Customizing the vulnerability, occurrence and criterion scales used during the asset evaluation and risk assessment processes
Verifying the level of compliance with ISO 17799 (gap analysis)
Compiling an inventory of your company's most important assets
Defining the structures and processes within your ISMS
Mitigating the risks to each asset
Defining scenarios for the implementation of controls
Drafting security policies
Managing policy documents
Making policies, standards and procedures electronically available
Verifying whether the ISMS meets the requirements for BS 7799-2 certification
Documenting and justifying the application of the ISO 17799 standard's 127 controls to the management framework
EAR / Pilar
http://www.ar-tools.com/
EAR / PILAR is designed to support the risk management process over long periods, providing incremental analysis as the safeguards improve
Screenshot: Pilar
Screenshots: Pilar
Summary
Risk is defined as the probability or threat of an incident
Risk assessment is identifying the resources that pose a threat to the business or project environment
Risk analysis involves the process of defining and evaluating the dangers
Risk mitigation involves implementing the risk reducing controls that reduce the level of the risk
EC-Council Certified Incident Handler
Version 1
Module V
Source: www.arstechnica.com
Module Objective
This module will familiarize you with:
Module Flow
Denial-of-Service Incidents
Incident Handling Preparation for DoS
Unauthorized Access Incident
Detecting Unauthorized Access Incident
Preventing Unauthorized Access Incident
Inappropriate Usage Incidents
Prevention of Inappropriate Usage Incidents
Detecting Inappropriate Usage Incidents
Denial-of-Service Incidents
A Denial-of-Service (DoS) attack prevents authorized users from accessing networks, systems, or applications by exhausting the network resources
Distributed Denial-of-Service Attack
A Distributed Denial-of-Service (DDoS) attack is a DoS attack where a large number of compromised systems, known as a botnet, attack a single target to cause a Denial-of-Service for the users of the targeted system
In a DDoS attack, attackers first infect multiple systems, called zombies, which are then used to attack a particular target
[Diagram: attacker, zombies and the attacked target; the zombies then attack the target system together]
Contact Internet Service Providers (ISP) and their second tier agents to determine how they can help in handling a network based DoS attack
Contact organizations such as CERT and the Internet Crime Complaint Center (IC3) for help in handling the DoS attack
Configure and deploy IDS (Intrusion Detection System) and prevention software to detect DoS traffic
Check various web sites that provide statistics on latency between various ISPs and between various physical locations, which is referred to as Internet health monitoring
Discuss with network infrastructure administrators the method by which they can assist in analyzing and containing network-based DoS and DDoS attacks
Degrading services
Identifying critical services and stopping non-critical services
Make sure that networks or systems are not running at threshold capacity, since it would be easy for a minor DoS attack to take up the remaining resources
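The capacity point above and the earlier item on deploying IDS to detect DoS traffic, turned into a small detection over constructed web server access-log lines. This is an added example, not part of the course material: it counts requests per 10-second window against an assumed sustained capacity for the service, raises a finding when a window exceeds an assumed 80% utilisation, and reports the top sources so the handler can tell a single-source DoS from a distributed one. The capacity figure, the threshold, the addresses and the log lines are all constructed assumptions.

```python
"""Request-rate monitoring over web server access logs to spot DoS conditions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common Log Format prefix: source, identity, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

CAPACITY_RPS = 50         # assumed sustained capacity of the service, requests/second
ALERT_UTILISATION = 0.8   # assumed: alert once a window uses 80% of that capacity
WINDOW_SECONDS = 10


def parse_access_log(lines):
    """Yield (timestamp, source address) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m["ts"], TS_FMT), m["src"]


def analyse(lines, capacity_rps=CAPACITY_RPS, alert_utilisation=ALERT_UTILISATION):
    """Return one finding per window whose request volume crosses the alert level."""
    per_window = defaultdict(Counter)  # window key -> Counter(source -> requests)
    for ts, src in parse_access_log(lines):
        per_window[int(ts.timestamp()) // WINDOW_SECONDS][src] += 1

    findings = []
    for key in sorted(per_window):
        sources = per_window[key]
        total = sum(sources.values())
        utilisation = total / (capacity_rps * WINDOW_SECONDS)
        if utilisation < alert_utilisation:
            continue
        top = sources.most_common(3)
        findings.append({
            "window_start": datetime.fromtimestamp(key * WINDOW_SECONDS, tz=timezone.utc).isoformat(),
            "requests": total,
            "utilisation": round(utilisation, 3),
            "top_sources": top,
            # no single source carries half the load: looks distributed rather than one host
            "distributed": len(sources) > 1 and top[0][1] / total < 0.5,
        })
    return findings


def build_sample_log():
    """Constructed log: 20 normal requests in the first 10 s from five hosts, then a
    450-request burst in the next 10 s from three hosts (45 req/s against 50 capacity)."""
    template = '{src} - - [12/Mar/2024:10:00:{sec:02d} +0000] "GET /index.html HTTP/1.1" 200'
    lines = [template.format(src=f"198.51.100.{i % 5 + 1}", sec=i // 2) for i in range(20)]
    lines += [template.format(src=f"203.0.113.{i % 3 + 1}", sec=10 + i // 45) for i in range(450)]
    return lines


SAMPLE_ACCESS_LOG = build_sample_log()

if __name__ == "__main__":
    for f in analyse(SAMPLE_ACCESS_LOG):
        print(f["window_start"], f["requests"], "requests,", f"{f['utilisation']:.0%} of capacity,",
              "distributed" if f["distributed"] else "single source", f["top_sources"])
```

The utilisation figure is the headroom check the slide asks for: a service already running near 80% of its capacity needs only a modest burst to be pushed over, which is why the alert level is set below 100% rather than at it.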
Performing a remote root compromise on the email server
Changing the web server contents
Guessing or cracking application passwords
Copying sensitive data without authorization
Installing and running a packet sniffer on the workstation
Using the FTP server to distribute pirated software and music files
Gaining internal network access by dialing into the unsecured modem
Accessing the workstation using a false ID
Configure network based and host based IDPS to identify and alert on any attempt to gain unauthorized access
Use centralized log servers so that the important information from hosts across the organization is stored in a particular safe location
A well documented password policy should be created for all users of applications, systems, trust domains, or the organization
Make system administrators aware of their responsibilities in handling unauthorized access incidents
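One way to turn the first two items above (alerting on access attempts, and a central log server) into a working detection, as an added example that is not part of the course material. It runs over constructed sshd log lines from two hosts as they would arrive at a central log server, counts failed passwords per source address across all hosts within a five-minute window, and reports a source reaching five failures and any later successful login from that same source. The threshold, the window, the host names and the addresses are assumptions; aggregating per source rather than per host is the point of central logging, since here each host alone sees only three failures.

```python
"""Failed-login aggregation across hosts from centrally collected sshd logs."""
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts host result user src")

# syslog-style sshd lines: "Mar 12 10:01:05 web01 sshd[2311]: Failed password for ... from 203.0.113.7 port ..."
AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

FAILURE_THRESHOLD = 5   # assumed: five failures from one source ...
WINDOW_SECONDS = 300    # ... within five minutes, counted across every host


def parse_auth_log(lines, year=2024):
    """Yield Event tuples; syslog has no year, so one is assumed for the timestamps."""
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        yield Event(ts, m["host"], m["result"], m["user"], m["src"])


def detect_unauthorized_access(lines, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Return findings in time order: a 'brute_force' finding the first time a source
    reaches the threshold, and a 'success_after_failures' finding for every accepted
    login from a source that is still over the threshold inside the window."""
    events = sorted(parse_auth_log(lines), key=lambda e: e.ts)  # central log: merge hosts by time
    recent_failures = defaultdict(deque)   # src -> timestamps of failures inside the window
    hosts_targeted = defaultdict(set)      # src -> hosts that saw a failure from it
    alerted = set()
    findings = []
    for ev in events:
        q = recent_failures[ev.src]
        while q and (ev.ts - q[0]).total_seconds() > window:
            q.popleft()  # expire failures older than the window
        if ev.result == "Failed":
            q.append(ev.ts)
            hosts_targeted[ev.src].add(ev.host)
            if len(q) >= threshold and ev.src not in alerted:
                alerted.add(ev.src)
                findings.append({"kind": "brute_force", "src": ev.src, "failures": len(q),
                                 "hosts_targeted": sorted(hosts_targeted[ev.src]), "at": ev.ts.isoformat()})
        elif len(q) >= threshold:
            findings.append({"kind": "success_after_failures", "src": ev.src, "user": ev.user,
                             "host": ev.host, "failures": len(q),
                             "hosts_targeted": sorted(hosts_targeted[ev.src]), "at": ev.ts.isoformat()})
    return findings


# Constructed sample: one source spreads three failures over each of two hosts, then
# logs in; a second source has an ordinary single typo before a successful login.
SAMPLE_AUTH_LOG = [
    "Mar 12 10:01:05 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar 12 10:01:09 web01 sshd[2313]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Mar 12 10:01:14 web01 sshd[2315]: Failed password for invalid user oracle from 203.0.113.7 port 51124 ssh2",
    "Mar 12 10:02:02 db01 sshd[4410]: Failed password for root from 203.0.113.7 port 51201 ssh2",
    "Mar 12 10:02:06 db01 sshd[4412]: Failed password for invalid user backup from 203.0.113.7 port 51202 ssh2",
    "Mar 12 10:02:11 db01 sshd[4414]: Failed password for dba from 203.0.113.7 port 51203 ssh2",
    "Mar 12 10:02:40 db01 sshd[4416]: Accepted password for dba from 203.0.113.7 port 51210 ssh2",
    "Mar 12 10:03:15 web01 sshd[2320]: Failed password for alice from 198.51.100.4 port 40022 ssh2",
    "Mar 12 10:03:21 web01 sshd[2322]: Accepted password for alice from 198.51.100.4 port 40023 ssh2",
]

if __name__ == "__main__":
    for f in detect_unauthorized_access(SAMPLE_AUTH_LOG):
        print(f["at"], f["kind"], f["src"], f["hosts_targeted"], f.get("user", ""))
```

A successful login following a run of failures is the finding that should be prioritized: it is the point at which a guessing attempt turns into an unauthorized access incident on a named host and account, which is what the handler needs to contain.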
Incident Prevention
Network Security
Design the network in such a way that it blocks the suspicious traffic
Properly secure all remote access methods, including modems and VPNs
Move all publicly accessible systems and services to a secured Demilitarized Zone (DMZ)
Use private IP addresses for all hosts located on internal networks
Incident Prevention
Host Security
Perform regular vulnerability assessments to identify serious risks and mitigate the risks to an acceptable level
Disable all unwanted services on hosts
Run services with the least privileges possible to reduce the immediate impact of successful exploits
Use host-based/personal firewall software to limit the individual host's exposure to attacks
Limit unauthorized physical access to logged-in systems by requiring hosts to lock idle screens automatically and asking users to log off before leaving the office
Regularly verify the permission settings for critical resources, including password files, sensitive databases, and public web pages
Physical Security
Restrict access to critical resources by implementing physical security measures
Recommendations
Install the IDS for alerting on attempts regarding unauthorized access
Design the network in such a way that it blocks the suspicious traffic
Examples:
Examples:
Discuss with the members of the organization's physical security team regarding internal users' behavior
Meet with the concerned person of the legal department regarding the liability issue, particularly with those types of incidents that are targeted at outside parties
Anti-Virus
Incident Prevention
Install firewall and intrusion detection and prevention systems to block the use of services which violate the organization's policy
Organize the email servers in such a way that they cannot be used for sending spam
Implement outbound connections which use encrypted protocols such as HTTP Secure, Secure Shell, and IP Security protocol
Recommendations
Meet with the human resources and legal departments' representatives for discussing the handling of inappropriate usage incidents
Meet with the representative of the organization's legal department to discuss liability issues
Install IDS to detect certain types of inappropriate usage
Use spam filter software to filter the spam on the email server
Ask the incident handling team to review scenarios involving multiple component incidents
Recommendations
Use centralized logging and event correlation software
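As an added illustration of what centralized logging and event correlation gives the incident handler (this is example code written for this page, not EC-Council material or any product's code): syslog-style authentication lines from several hosts are collected into one stream, and a small awk correlation flags any source address whose failed logins span more than one host, which a per-host view would not reveal. The log lines, hostnames and addresses are constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not EC-Council material): correlate constructed authentication
# log lines from several hosts, centralized into one stream, and flag every source
# address that fails logins against at least THRESHOLD distinct hosts.

# correlate_failed_logins THRESHOLD
#   reads syslog-style lines on stdin and prints "ip distinct_hosts failures"
#   for each source IP seen failing against >= THRESHOLD different hosts
correlate_failed_logins() {
    threshold="${1:-2}"
    # keep only failed-password events; the target host is field 4 of a syslog line,
    # the source address is the token after "from"
    grep 'Failed password' |
    awk -v thr="$threshold" '
        {
            host = $4
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
            if (!((ip, host) in seen)) { seen[ip, host] = 1; hosts[ip]++ }
        }
        END {
            for (ip in fails)
                if (hosts[ip] >= thr) print ip, hosts[ip], fails[ip]
        }' | sort
}

# sample_log: constructed syslog lines from four hosts; addresses are documentation ranges
sample_log() {
    cat <<'EOF'
Mar  3 10:01:02 web01 sshd[2011]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:05 web01 sshd[2011]: Failed password for root from 203.0.113.9 port 51023 ssh2
Mar  3 10:01:09 db01 sshd[884]: Failed password for admin from 203.0.113.9 port 51030 ssh2
Mar  3 10:02:00 web02 sshd[3020]: Accepted password for deploy from 10.0.0.5 port 40010 ssh2
Mar  3 10:02:30 mail01 sshd[1201]: Failed password for invalid user test from 203.0.113.9 port 51044 ssh2
Mar  3 10:03:10 web02 sshd[3021]: Failed password for alice from 10.0.0.77 port 40100 ssh2
EOF
}

# Usage: sample_log | correlate_failed_logins 2
# 203.0.113.9 is reported (three hosts, four failures); 10.0.0.77 touched one host only
```

The point of the threshold on distinct hosts rather than on raw failures is that a single user mistyping a password several times on one box stays below it, while a source walking across the estate is surfaced even when it fails only once per host.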
ntop
http://www.ntop.org/
ntop: Screenshot
EtherApe
http://etherape.sourceforge.net/
EtherApe: Screenshot
Ngrep
http://ngrep.sourceforge.net/
CyberCop Scanner
http://www.nss.co.uk/
CyberCop Scanner is a network security assessment component that can scan devices on the network for more than 700 vulnerabilities
Nessus
http://www.nessus.org/
The Nessus vulnerability scanner is an active scanner featuring high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, and vulnerability analysis of your security posture
Nessus: Screenshot
SAINT: Screenshot
SARA: Screenshot
Nmap
http://nmap.org/
Nmap: Screenshot
Netcat
http://netcat.sourceforge.net/
Features:
Outbound and inbound connections, TCP or UDP, to or from any port
A tunneling mode that also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters
Built-in port-scanning capabilities with a randomizer
Wireshark
http://www.wireshark.org/
Wireshark is a network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions
Features:
Deep inspection of hundreds of protocols, with more being added all the time
Live capture and offline analysis
Standard three-pane packet browser
Multi-platform
Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
Read/write many different capture file formats
Capture files compressed with gzip can be decompressed on the fly
Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Wireshark: Screenshot
Argus
It processes packets (either capture files or live packet data) and generates detailed status reports of the 'flows' that it detects in the packet stream
For many sites, it is used to establish network activity audits that are then used to supplement traditional IDS-based network security
The Argus audit data is used for network forensics, non-repudiation, and network asset and service inventory
Snort
http://www.snort.org/
Snort: Screenshot
Iptables
http://www.netfilter.org/
iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset
The iptables package includes ip6tables, which is used for configuring the IPv6 packet filter
Features:
Listing the contents of the packet filter ruleset
Adding/removing/modifying rules in the packet filter ruleset
Listing/zeroing per-rule counters of the packet filter ruleset
IPS: Screenshot
NetDetector
http://www.niksun.com/
TigerGuard
http://www.tigertools.net/
Features:
Sensor console
Firewall console
Network console
WiFi console
Event console
TigerGuard: Screenshot 1
TigerGuard: Screenshot 2
Summary
A Denial-of-Service (DoS) attack prevents authorized users from accessing networks, systems, or applications by exhausting network resources
A Distributed Denial-of-Service (DDoS) attack is a DoS attack in which a large number of compromised systems, known as a botnet, attack a single target to cause a denial of service for the users of the targeted system
Unauthorized access is a condition where a person gains access to system and network resources that he/she was not authorized to have
An inappropriate usage incident occurs when a user performs actions that violate the acceptable computing use policies
A multiple component incident is a single incident that encompasses two or more incidents
EC-Council Certified
Incident Handler
Version 1
Module VI
Handling Malicious Code Incidents
Module Objective
Virus
Trojans and Spyware
Incident Handling Preparation
Incident Prevention
Detection and Analysis
Evidence Gathering and Handling
Eradication and Recovery
Recommendations
Module Flow
Virus
Incident Prevention
Recommendations
Virus
Computer viruses are malicious software programs that infect computers and corrupt or delete the data on them
Worms
A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself
Spyware:
Spyware is software installed on a computer without the knowledge of the user
Spyware pretends to be a program that offers useful applications, but it actually acquires information from the computer and sends it to the attacker, who can access it remotely
Spyware is also known as adware
Check all removable media such as USB drives, diskettes, etc.
Incident Prevention
Use antivirus software
Designate a point of contact for reporting malicious code
Block the installation of spyware software
Remove suspicious files
Filter spam
Limit the use of unnecessary programs with FTP
Alert users about handling e-mail attachments
Close open Windows shares
Use web browser security settings to limit malicious code
Prevent open transmission of e-mail
Secure the e-mail clients
A strange dialog box appears requesting permission to run programs
Abnormal graphics appear, such as overlapping and overlaid message boxes
Increase in the number of e-mails being sent or received
Network connections between the host and unknown remote systems
Indications of root compromise of a host if the mobile code achieves root-level access
Disable services
Disable connectivity
Forensic Identification
Active Identification
Manual Identification
If the malicious code provides attackers with root-level access, then it becomes hard to determine what other actions the attackers have performed
In some cases, infected files are restored from a previous uninfected backup or rebuilt from scratch
Recommendations
Establish a malicious code security policy
Users must be aware of malicious code issues
Study antivirus bulletins
Install host-based intrusion detection systems on critical hosts
Use antivirus software, and keep it updated with the latest virus signatures
Configure software to block suspicious files
Close open Windows shares
Deal with malicious code incidents as quickly as possible
Antivirus Systems
Norton AntiVirus 2009: Screenshot
Kaspersky Anti-Virus 2010
http://www.kaspersky.com/
Kaspersky Anti-Virus 2010: Screenshot
AVG Anti-Virus
http://www.avg.com/
AVG Anti-Virus protects computer systems from malicious programs such as viruses, worms, Trojans, spyware, etc.
Features
Anti-virus, anti-spyware, and SiteAdvisor protect you from malicious software
Firewall blocks outsiders from hacking into your PC
SiteAdvisor rates web site safety before you click, with red, yellow or green colors
Online account management lets you easily add other PCs to your subscription
QuickClean safely removes junk files that slow your PC and take up space on your hard drive
BitDefender Antivirus 2009
http://www.bitdefender.com/
BitDefender Antivirus 2009: Screenshot
F-Secure Anti-Virus 2009
http://www.f-secure.com/
F-Secure Anti-Virus 2009 provides advanced and affordable protection against viruses, spyware intrusions, and infected e-mail
Its automatic updates and DeepGuard 2.0 cloud computing technology provide protection against new threats
F-Secure Anti-Virus 2009: Screenshot
HijackThis
http://www.trendsecure.com/
Tripwire Enterprise
http://www.tripwire.com/
Features:
Change auditing
Configuration assessment
Sample reports
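The change auditing that a file-integrity product like Tripwire Enterprise performs can be shown in miniature. The script below is an added example written for this page, not Tripwire's code or a description of its internals: it records SHA-256 hashes of every file under a directory as a baseline, takes a second snapshot after changes, and reports added, removed and modified paths. The directory tree, file contents and function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Tripwire's code): a minimal hash-baseline change audit.

# fim_snapshot DIR -> "sha256<TAB>relative-path" for every regular file under DIR
fim_snapshot() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          sha256sum "$f"
      done ) | awk '{ print $1 "\t" $2 }'
}

# fim_compare BASELINE SNAPSHOT -> "ADDED|MODIFIED|REMOVED path" lines, sorted
fim_compare() {
    awk -F'\t' '
        NR == FNR { base[$2] = $1; next }          # first file: the baseline
        {
            cur[$2] = $1
            if (!($2 in base))        print "ADDED", $2
            else if (base[$2] != $1)  print "MODIFIED", $2
        }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED", p
        }' "$1" "$2" | sort
}

# fim_demo: build a constructed tree, baseline it, change it, and print the audit report
fim_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/etc" "$work/bin"
    printf 'root:x:0:0\n' > "$work/etc/passwd"        # constructed content
    printf 'ok\n'         > "$work/bin/tool"
    fim_snapshot "$work" > "$work.baseline"

    printf 'root:x:0:0\nbackdoor:x:0:0\n' > "$work/etc/passwd"   # modified
    printf 'new\n' > "$work/bin/dropped"                          # added
    rm "$work/bin/tool"                                           # removed
    fim_snapshot "$work" > "$work.current"

    fim_compare "$work.baseline" "$work.current"
    rm -rf "$work" "$work.baseline" "$work.current"
}

# Usage: fim_demo
# ADDED ./bin/dropped / MODIFIED ./etc/passwd / REMOVED ./bin/tool
```

The baseline is written outside the audited tree; in practice it must also be kept where the monitored host cannot alter it (a read-only store or a separate host), since a baseline that an intruder can regenerate proves nothing.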
Stinger
http://vil.nai.com/
Stinger is a stand-alone utility used to detect and remove specific viruses
Summary
Computer viruses are software programs meant to infect computers and corrupt or delete data
A worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself
Antivirus and antispyware software can identify infected files, but some infected files cannot be recovered
EC-Council Certified
Incident Handler
Version 1
Module VIII
Forensic Analysis and Incident Response
Module Objective
Module Flow
Forensics Preparedness
Digital Evidence
Forensic Policies
Forensic Readiness
Forensic readiness may be defined as a state of incident response preparedness that enables an organization to maximize its potential to use digital evidence while minimizing the cost of an investigation
It also minimizes the risk of internal threats and acts as a preemptive measure
Objectives:
Network Forensics
It can be defined as the sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate a network security incident
A computer forensic investigator must have knowledge of general computer skills such as hardware, software, operating systems, applications, etc.
Photographer:
Incident Responder:
Decision Maker:
Evidence Examiner/Investigator:
Evidence Manager:
Expert Witness:
Collection
It is the process of identifying, labeling, recording, and acquiring data from all possible sources
Examination
It involves processing large amounts of collected data using a combination of automated and manual methods
Reporting
In this phase, the analysis results are reported and recommendations are provided for improving policies, guidelines, procedures, tools, and other aspects of the forensic process
Digital Evidence
Digital evidence is defined as any information of probative value that is either stored or transmitted in a digital form
Graphics files
Audio and video recordings and files
Web browser history
Server logs
Word processing and spreadsheet files
E-mails
Log files
Authentic
Evidence must be real and related to the incident in a proper way
Complete
Evidence must prove the attacker's actions
Reliable
Evidence must not cast doubt on its own authenticity and veracity
Believable
Evidence must be clear and understandable by the judges
Collect evidence from all the people who were affected by the incident
Collecting Electronic Evidence (contd)
Electronic evidence resides in:
Data Files:
Backup Tapes:
System-wide backups (monthly/weekly/incremental)
Disaster recovery backups (stored off site)
Personal or ad hoc backups (look for diskettes and other portable media)
Collecting Electronic Evidence (contd)
Other Media Sources:
Tape archives
Replaced/removed drives
Floppy diskettes and other portable media (e.g., CDs, Zip cartridges)
Evidence collection form (layout recovered from the slide): a first signatory block with Title, Phone, Department, Comments and Signature; a second signatory block with Full Name, Title, Phone, Department, Full Address and Signature, where Full Address comprises Room No, Building, Address Line 1 to Address Line 4 and Post code; and an evidence table with the columns Make and Details and rows numbered 1 to 10
During the investigation of the crime scene, if the computer is turned off, data that has not been saved can be lost permanently
Digital evidence is circumstantial, which makes it difficult for the forensic investigator to differentiate the system's activity
After the incident, if a user writes data to the system, it may overwrite the evidence of the crime
Forensic Policy
A forensic policy is a set of procedures describing the actions to be taken when an incident is observed
It defines the roles and responsibilities of all people performing or assisting in the forensic activities
It should include all internal and external parties that may be involved and also indicate who should contact which parties
It explains what actions should and should not be performed under normal and special conditions
Separate policies should be maintained for incident handlers and others with predefined forensic roles
Organizations should:
Have a capability to perform computer and network forensics
Determine which parties should handle each aspect of forensics
Create and maintain guidelines and procedures for performing forensic tasks
Perform forensics using a consistent process
Be proactive in collecting useful data
Adhere to standard operating procedures as specified by local laws and standards-making bodies such as IOCE and SWGDE while collecting digital evidence
Source: http://csrc.nist.gov/
Helix
http://www.e-fense.com/
Helix is a bootable computer forensic toolkit providing incident response, computer forensics and e-discovery in one interface
Helix is a customized distribution of the Knoppix Live Linux CD
You can boot into a customized Linux environment that includes customized Linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics
Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound
Helix has a special Windows autorun side for Incident Response and Forensics
Putty SSH
Screen Capture
Messenger Password
IE Cookie Viewer
Mozilla Cookie Viewer
Helix: Screenshot 1
Helix: Screenshot 2
Helix: Screenshot 3
It provides extensive logging of all its actions along with computing the MD5/SHA1 checksums along the way to ensure that its output is verifiable
Knoppix Linux
http://www.knopper.net/
EnCase Forensic
http://www.guidancesoftware.com/
EnCase Forensic is an investigation platform that collects digital data, performs analysis, reports on findings, and preserves them in a court-validated, forensically sound format
It gives investigators the ability to image a drive and preserve it in a forensic manner using the EnCase evidence file format (LEF or E01)
FBCD: Screenshot 1
FBCD: Screenshot 2
DumpReg
http://www.systemtools.com/
DumpReg is a program for Windows that dumps the registry, making it easy to find keys and values containing a string
The registry entries can be sorted by reverse order of last modified time, making it easy to see changes made by recently installed software
DumpSec
http://www.systemtools.com/
DumpEvt
http://www.systemtools.com/
SomarSoft's DumpEvt is a Windows NT/200x program to dump the event log in a format suitable for importing into a database
It is similar to the DUMPEL utility in the Microsoft Windows Resource Kit, but without some of the limitations
It allows dumping of Windows 200x event logs (DNS, File Replication, and Directory Service)
Foundstone Forensic Toolkit
The Foundstone Forensic Toolkit contains several Win32 command line tools that can help you examine the files on an NTFS disk partition for unauthorized activity
Features:
AFind allows you to search for access times between certain time frames
HFind scans the disk for hidden files
SFind scans the disk for hidden data streams and lists the last access times
FileStat is a quick dump of all file and security attributes
Hunt is a quick way to see if a server reveals too much info via NULL sessions
Sysinternals Suite
http://technet.microsoft.com/
The Sysinternals suite is a bundle of some of the following selected Sysinternals utilities:
AccessChk
AccessEnum
Gives a full view of your file system and Registry security settings
AdExplorer
Explore an AD database, define favorite locations, view object properties and attributes
AdRestore
Autologon
Autoruns
Shows what programs are configured to run during system bootup or login
CacheSet
Allows you to manipulate the working-set parameters of the system file cache
LDMDump
ListDLLs
PsLogList
Dump the contents of an Event Log on the local or a remote computer
PsPasswd
Allows changing of account passwords on the local or remote systems in batches
PsService
NTFSInfo
RegMon
RootkitRevealer
NSLOOKUP
http://www.kloth.net/
NSLOOKUP is an online service to look up information in the DNS (Domain Name System [RFC1034, RFC1035, and RFC1033])
It is a program to query Internet domain name servers
dig
dig (domain information groper) is a flexible tool for interrogating DNS name servers
It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried
It is normally used with command-line arguments
It also has a batch mode of operation for reading lookup requests from a file
Dig Synopsis
dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [name] [type] [class] [queryopt...]
dig [-h]
dig [global-queryopt...] [query...]
Whois
http://www.nsauditor.com/
Whois communicates with WHOIS servers located around the world to obtain domain registration information
This tool looks up information on a domain, IP address, or domain registration information
Whois: Screenshot
VisualRoute
http://www.visualroute.com/
VisualRoute trace route software provides IPv4 and IPv6 traceroute, ping test, multiple route discovery and connectivity analysis reports
It also helps in determining the actual cause of a connectivity problem and pinpoints where in the network the problem occurs
VisualRoute: Screenshot
dd
The dd command is used to make binary copies of computer media
It is used as a simple disk imaging tool if given a raw disk device as its input
Forensic investigators use the built-in Linux command dd to copy data from a disk drive
The dd command can copy data from any disk that Linux can mount and access
Other forensic tools such as AccessData FTK and ILook can read dd image files
Syntax
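The dd acquisition and the MD5/SHA1 verification mentioned under Helix above can be shown in one script. This is an added example written for this page, not EC-Council's material, Helix's code or dd's documentation: dd images a source, md5sum and sha1sum are computed over both source and image, the image is accepted only when both digests agree, and an acquisition record is appended to a log. The "device" is a constructed 1536-byte file standing in for a block device such as /dev/sdb; the function and path names are the example's own.

```shell
#!/bin/sh
# Added example (not EC-Council, Helix or dd material): raw imaging with dd and
# two-algorithm verification of the copy, as a forensic acquisition would do it.

# image_device SOURCE IMAGE -> raw copy of SOURCE into IMAGE
image_device() {
    # bs=512 matches the sector size, so conv=sync never pads a whole device;
    # conv=noerror keeps reading past unreadable sectors and sync zero-fills them,
    # so every byte of the image stays at the same offset as on the source.
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# verify_image SOURCE IMAGE -> prints "md5 sha1" of the image; exit 1 if either
# digest differs from the source's
verify_image() {
    src_md5=$(md5sum  < "$1" | awk '{ print $1 }')
    img_md5=$(md5sum  < "$2" | awk '{ print $1 }')
    src_sha=$(sha1sum < "$1" | awk '{ print $1 }')
    img_sha=$(sha1sum < "$2" | awk '{ print $1 }')
    printf '%s %s\n' "$img_md5" "$img_sha"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# acquire_demo: image a constructed three-sector "device", verify it, log the
# acquisition, and print "size md5 sha1" of the resulting image
acquire_demo() {
    dir=$(mktemp -d) || return 1
    dev="$dir/device.bin"; img="$dir/device.dd"; log="$dir/acquisition.log"
    printf '%0512d%0512d%0512d' 1 2 3 > "$dev"       # constructed 1536-byte source
    image_device "$dev" "$img" || { rm -rf "$dir"; return 1; }
    digests=$(verify_image "$dev" "$img") || { rm -rf "$dir"; return 1; }
    # one chain-of-custody style record per acquisition: when, what, which digests
    printf '%s source=%s image=%s md5_sha1=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dev" "$img" "$digests" >> "$log"
    size=$(wc -c < "$img" | tr -d ' ')
    rm -rf "$dir"
    printf '%s %s\n' "$size" "$digests"
}

# Usage: acquire_demo   (prints 1536 followed by the two digests)
```

On a real system the source is opened read-only, ideally behind a hardware write blocker, and the digests are recorded before the image is handed to any analysis tool; recomputing them later is what lets the image be shown unchanged.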
arp
It describes the standard for mapping Ethernet addresses in the local subnet to IP addresses
Most operating systems maintain a cache of this information, and the arp command can be used to print out the current contents of this cache
Syntax:
C:\>arp -a
lsof
Lsof is a command used to list files that are currently open on a Unix system
grep
The Unix grep command searches text files for patterns matching regular expressions
It is used to extract interesting information from log files
Syntax
grep [options] PATTERN [FILE...]
grep [options] [-e PATTERN | -f FILE] [FILE...]
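An added example of the log extraction the text describes (example code for this page, not from EC-Council or the grep manual): a constructed web server access log is searched with a pattern file (grep -f), lines from the organization's own monitoring probe are dropped with grep -v, and grep -o pulls out the source addresses that received 403 responses so they can be counted. All addresses, paths and function names are constructed.

```shell
#!/bin/sh
# Added example (not EC-Council or grep documentation): pulling interesting records
# out of a constructed access log with grep.

# sample_access_log: constructed Apache-style lines; addresses are documentation ranges
sample_access_log() {
    cat <<'EOF'
203.0.113.9 - - [03/Mar/2010:10:01:02 +0000] "GET /admin/ HTTP/1.1" 403 218 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2010:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Mar/2010:10:01:04 +0000] "GET /admin/login HTTP/1.1" 403 218 "-" "Mozilla/5.0"
10.0.0.8 - - [03/Mar/2010:10:01:05 +0000] "GET /admin/health HTTP/1.1" 200 2 "-" "monitor-probe/1.0"
198.51.100.4 - - [03/Mar/2010:10:01:06 +0000] "GET /admin/ HTTP/1.1" 403 218 "-" "curl/7.19"
EOF
}

# match_indicators LOG PATTERNFILE
#   grep -E -f reads one extended regex per line from PATTERNFILE (an indicator
#   list kept under version control in practice); grep -v -F drops the known
#   internal monitoring probe so it does not drown the result.
match_indicators() {
    grep -E -f "$2" "$1" | grep -v -F 'monitor-probe'
}

# denied_sources LOG -> "ip count" for every source that received a 403, busiest first
denied_sources() {
    grep -E '" 403 [0-9]+ ' "$1" |
    grep -E -o '^[0-9]+(\.[0-9]+){3}' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $1 }'
}

# Usage:
#   sample_access_log > access.log
#   printf '^203\\.0\\.113\\.\n/admin/\n' > indicators.txt
#   match_indicators access.log indicators.txt   # three lines; the probe's /admin/health is excluded
#   denied_sources access.log                    # 203.0.113.9 2, then 198.51.100.4 1
```

The -f form matters once the indicator list grows beyond a couple of patterns: the file can be reviewed and diffed, while a long -e chain on the command line cannot. Anchoring the address pattern with ^ keeps a client address from being confused with an address that happens to appear in the request path.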
strings is a command which displays the printable strings contained in a binary file
It is used to search unknown binaries for any hints about their function
Syntax
strings [-afo] [-n number] [file ...]
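The dd acquisition and the strings/grep triage described above, as an added shell example that is not part of the ECIH material: it assumes a POSIX shell with coreutils dd and sha256sum (shasum as a fallback), uses a constructed 4 KiB file in place of a raw device, and adds the hash verification step that makes an image defensible as evidence.

```shell
#!/bin/sh
# Added example (not from the ECIH slides): acquire a raw image with dd, verify it
# by hash, then triage it with strings/grep without mounting it. Assumptions:
# POSIX sh, coreutils dd, sha256sum (shasum fallback), optional strings; the
# "device" is a constructed 4 KiB file so the script runs offline.

set -u

WORK="${TMPDIR:-/tmp}/dd_example.$$"
mkdir -p "$WORK"
DEVICE="$WORK/sdX.raw"   # stand-in for a raw block device such as /dev/sdb

# Constructed evidence: a 21-byte marker followed by zero padding (4096 bytes total)
make_device() {
    { printf 'EVIDENCE-MARKER-0001\n'; head -c 4075 /dev/zero; } > "$1"
}

hash_file() {
    # sha256 digest of a file, first field only
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# bs=512 matches a sector; conv=noerror,sync keeps going past unreadable sectors and
# pads them with zeros so every offset in the image still lines up with the source.
acquire_image() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Exit 0 only when the image hashes identically to the source it was read from.
# Record both digests in the case notes: that record is what makes the copy defensible.
verify_image() {
    src_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Count lines among the printable strings of the image that match a pattern.
# strings(1) is the usual tool; tr gives the same result where it is not installed.
count_strings_matching() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1" | grep -c "$2"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -c "$2"
    fi
}

image_size() { wc -c < "$1" | tr -d ' '; }

make_device "$DEVICE"
acquire_image "$DEVICE" "$WORK/image.dd"
verify_image "$DEVICE" "$WORK/image.dd" && echo "image verified"
printf 'marker hits: %s\n' "$(count_strings_matching "$WORK/image.dd" 'EVIDENCE-MARKER')"
```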
Summary
A computer forensic investigator must have general computer knowledge, covering
hardware, software, operating systems, applications, etc.
Computer forensics helps to recover, analyze, and preserve computers and related
materials in such a way that they can be presented as evidence in a court of law
Forensic readiness is the ability of an organization to maximize its potential to use digital
evidence while minimizing the cost of an investigation
Digital evidence is defined as any information of probative value that is either stored or
transmitted in a digital form
A forensic policy defines the roles and responsibilities of all people performing or assisting
the forensic activities
Separate policies should be maintained for incident handlers and others with forensic
roles
EC-Council Certified
Incident Handler
Version 1
Module VII
Handling Insider Threats
Module Objective
Insider Threats
Anatomy of an Insider Attack
Insider Threats Detection
Insider Threats Response
Handling Insider Threats
Guidelines for Detecting and Preventing Insider Threats
Module Flow
Insider Threats
Insider Threats
Insiders can misuse their authorized privileges to abuse resources in ways that
directly affect the confidentiality, integrity, and availability of the
information system
Figure: insider threat matrix with axes Process Knowledge (High/Low) and Technical Literacy (High/Low); cells labelled Greatest Threat, Significant Threat, and Insignificant.
Organizations should ensure that insider perpetrators are not included in the response
team and are not made aware of its progress
Organizations should consider the rights of every employee or user while
developing the incident response plan
The plan should describe the process to be followed and the responsibilities of the members
involved in the response team
The organization should not share or provide the details of the insider incident
response plan with all employees
Scan all outgoing and incoming mails for sensitive information and malicious code
Employees should obtain permission from data owners before accessing
sensitive systems
When an employee is terminated from the job, the employer should
disable all access rights to physical locations, networks, systems,
applications, and data
Secure the backup media and its content from alteration, theft,
or destruction
Implement separation of duties and configuration
management procedures for performing backups on computer
systems, networks, and databases
Implement backup policies to secure the backup process and
media
Activity Monitor
http://www.softactivity.com/
It allows you to track any LAN, giving you detailed information on
what your network users did, how, and when
Features:
Spector Pro
http://www.spectorsoft.com/
Spector Pro is monitoring and recording software for every detail of PC and
Internet activity, in your home or in your office
Features:
SpyAgent
http://www.spytech-web.com/
Spytech SpyAgent is computer spy software that allows you to monitor
everything users do on your computer
Features:
Keystroke logging
Emails sent and received monitoring
Events timeline logging
Internet chat conversations monitoring
Website activity monitoring
Application usage monitoring
Computer usage logging
Intelligent screenshot capturing
Internet traffic data monitoring
Files uploaded and downloaded monitoring
Files/documents accessed logging
SpyAgent: Screenshot 1
SpyAgent: Screenshot 2
Handy Keylogger
http://www.handy-keylogger.com/
It captures all keystrokes, monitors internet usage, grabs screenshots by time
and interval, monitors the clipboard, and sends the logs to your e-mail address invisibly
Features:
Anti Keylogger
http://www.anti-keyloggers.com/
Features:
Actual Spy
http://www.actualspy.com/
Actual Spy is a keylogger which allows you to find out what other users do on
your computer in your absence
It is capable of catching all keystrokes, capturing the screen, logging the
programs being run and closed, and monitoring the clipboard contents
Features:
IamBigBrother
http://www.iambigbrother.com/
007 Spy Software
http://www.e-spy-software.com/
Features:
SpyBuddy
http://www.exploreanywhere.com/
Features:
Chat blocking
Websites blocking
Clipboard activity monitoring
Screenshot recording
Keystrokes typed recording
Online search recording
Print activity monitoring
SpyBuddy 2009: Screenshot 1
SpyBuddy 2009: Screenshot 2
SoftActivity Keylogger
http://www.softactivity.com/
Features:
Logs everything
Screenshots recording with advanced IntelliSnap technology
Enhanced reporting features
Works secretly
Receive reports in email
Complete compatibility
SoftActivity Keylogger: Screenshot 1
SoftActivity Keylogger: Screenshot 2
Elite Keylogger
http://www.widestep.com/
Features:
Keystroke recording
Undetectable
Chats, IMs, E-mail recording
Clipboard monitoring
Application activity recording
Winlogon and passwords monitoring
Screenshots recording
Spy Sweeper
http://www.webroot.com/
Features:
Summary
Insiders perform malicious activities on the organization's network, systems, and
databases
Response depends on the nature of the insider threat and the organization's policy
Insider threats can be detected by examining system event logs, including database
logs, email logs, application logs, file access logs, and remote access logs
Organizations should implement secure backup and recovery processes to continue
business operations when systems are compromised
EC-Council Certified
Incident Handler
Version 1
Module IX
Incident Reporting
Module Objective
Incident Reporting
Why to Report an Incident
Whom to Report an Incident
Federal Agency Incident Categories
Organizations to Report Computer Incident
Incident Reporting Guidelines
Module Flow
Incident Reporting
Federal Agency Incident Categories
Organizations to Report Computer Incident
Incident Reporting
Electronic mail
Online reporting forms
Telephone calls
Facsimile (FAX)
In person
Voice mailbox greeting
Paper (e.g., post notices on bulletin boards and doors, hand out
notices at all entrance points)
Details to be Reported
Contact Information
Name: ________
Designation: ________
Telephone Number: ________
Incident Details
Date/Time (Detected): ________
Symptoms of Incidents: ________
Impacts:
Defacement of web site
Service interruption (denial of service attack / mail bomb / system failure)
Massive malicious code attack
Lost/damage/unauthorized alteration of information
Compromise/leakage of sensitive information
Intrusion/unauthorized access
Others, please specify: ________
Please provide details on the impact and service interruption period, if any:
Actions Taken: ________
Current System Status: ________
Other Information: ________
These numbers help CERT to track correspondence and identify related
activity
These numbers should be stated clearly in the subject line of any mail
messages regarding the incident
e.g. CERT# XXXX; the reference number US CERT-06-0001 shows that it was
the first case registered at US CERT in 2006
If possible, include a fax number and a cellular telephone number
Sometimes, hosts used in one incident may have been used in earlier activity
Hosts involved in the incident must be identified, and the information must
be released as per the organization's policies and procedures
Date
Methods of intrusion
Intruder tools involved
Software versions and patch levels
Intruder tool output
Details of vulnerabilities exploited
Source of attack
And other relevant information
Description of Activity
Log entries showing the activity should be included along with the report
To avoid confusion, remove the log entries that are not related to the
incident
Ensure that non-disclosure policies are not violated while sending log
entries to other sites
Time Zone
Dates, times, and time zones are confusing when used casually in
international communications; hence clearly identify the date, time, and
location of the incident
If the system was synchronized with a national time server via Network
Time Protocol, that should be stated in the report
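Preparing the log excerpt for a report as the "Description of Activity" and "Time Zone" guidance above describes (only entries related to the incident, non-disclosure respected, time reference stated), as an added shell example that is not part of the ECIH material; the log lines, the host name db01, the incident window and the user names are all constructed, and it assumes POSIX sh with grep, awk and sed.

```shell
#!/bin/sh
# Added example, not part of the ECIH material: build the log excerpt that goes
# into an incident report. Assumptions: POSIX sh with grep, awk and sed; the
# log lines below are constructed syslog-style entries with the incident on
# host db01; every timestamp carries an explicit UTC offset.

set -u

INCIDENT_HOST="db01"
INCIDENT_START="2009-05-04T02:10:00+0000"
INCIDENT_END="2009-05-04T02:40:00+0000"

# Constructed sample log: includes an unrelated host (web02) and entries outside
# the incident window, both of which must be dropped from the excerpt.
SAMPLE_LOG=$(cat <<'EOF'
2009-05-04T01:55:12+0000 db01 sshd[412]: Accepted publickey for user=jsmith from 10.1.4.22 port 51022
2009-05-04T02:12:03+0000 db01 sshd[517]: Failed password for user=root from 198.51.100.7 port 44120
2009-05-04T02:12:09+0000 db01 sshd[517]: Failed password for user=root from 198.51.100.7 port 44120
2009-05-04T02:12:15+0000 web02 httpd[88]: GET /index.html 200
2009-05-04T02:13:40+0000 db01 sshd[519]: Accepted password for user=root from 198.51.100.7 port 44131
2009-05-04T02:58:01+0000 db01 cron[601]: (jsmith) CMD (/usr/local/bin/backup.sh)
EOF
)

# Step 1: keep only entries for the involved host inside the incident window.
# ISO 8601 timestamps that share one offset compare correctly as plain strings.
incident_entries() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep " $INCIDENT_HOST " \
      | awk -v s="$INCIDENT_START" -v e="$INCIDENT_END" '$1 >= s && $1 <= e'
}

# Step 2: redact internal account names before the excerpt leaves the
# organization (non-disclosure policy); the external source address is kept
# because the receiving CERT needs it to correlate activity.
redact_for_sharing() {
    sed 's/user=[A-Za-z0-9_.-]*/user=[REDACTED]/g'
}

# Step 3: assemble the excerpt with the time reference stated up front.
build_excerpt() {
    printf 'Time reference: UTC (+0000); host clock synchronized via NTP\n'
    printf 'Host: %s  Window: %s to %s\n' "$INCIDENT_HOST" "$INCIDENT_START" "$INCIDENT_END"
    incident_entries | redact_for_sharing
}

count_entries() { incident_entries | wc -l | tr -d ' '; }

build_excerpt
```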
Federal Agency Incident Categories

Category | Name                             | Reporting timeframe
CAT 0    | Exercise/Network Defense Testing |
CAT 1    | Unauthorized Access              |
CAT 2    | Denial of Service (DoS)          |
CAT 3    | Malicious Code                   | Daily. Note: within one (1) hour of discovery/detection if widespread across agency.
CAT 4    | Improper Usage                   | Weekly
CAT 5    |                                  | Monthly. Note: if system is classified, report within one (1) hour of discovery.
CAT 6    | Investigation                    |

Description (CAT 5): This category includes any activity that seeks to access or identify a federal
agency computer, open ports, protocols, service, or any combination for
later exploit. This activity does not directly result in a compromise or
denial of service.
Organizations to Report Computer Incident
United States Internet Crime Task Force
Summary
Incident reporting is the process of reporting the information regarding an encountered
security breach in a proper format
Incidents should be reported in order to receive technical assistance, including guidance
on detecting and handling the incidents
CERT incident reference numbers help CERT to track correspondence and identify related
activity
Contact information should include at least an email address and a telephone number
The hosts involved in the incident or related activity are the most obvious information to be
noted
Logs provide significantly more detail than the description
The United States Internet Crime Task Force is a non-profit, government-assist, victim
advocate agency
EC-Council Certified
Incident Handler
Version 1
Module X
Incident Recovery
As part of the 2009 American Recovery and Reinvestment Act, the Justice Department will be funding a
number of grants for law enforcement. The Watertown Police Department will be applying to receive
$24,000 in funding from the Edward Byrne Memorial Justice Assistance Grant.
According to Chief John Gavallas, the Police Department intends to use the funding to purchase
equipment to operate a critical incident command center and briefing room. Purchases will include
telephone systems, computers, computer monitors, printers, upgrades to the IT systems, presentation
equipment, multiple internet access points, and audio-visual equipment including televisions, DVD and video
players and projectors.
"This will allow us to conduct roll call training in the briefing room and the equipment will provide
incident commanders the equipment in managing a critical incident in town," said Chief Gavallas.
The two principal requirements of the grant are public notice and that authorization to apply for the grant
is given by the governing authority of the town. The Town Council gave approval for the grant application
during its regular May 4 meeting.
The grant is named in honor of New York City Police Officer Edward Byrne, who was killed in the line of
duty while conducting a stakeout to monitor drug activity in 1988.
Module Objective
Incident Recovery
Principles of Incident Recovery
Incident Recovery Steps
Contingency/Continuity of Operations Planning
Business Continuity Planning
Incident Recovery Plan
Incident Recovery Planning Team
Business Impact Analysis
Module Flow
Incident Recovery
Contingency/Continuity of Operations Planning
Incident Recovery
Incident recovery is the process of rebuilding and restoring the computer
systems affected by an incident to a normal operational state
System recovery involves all processes, policies, and tools that are used to
restore normal business functions
Incident recovery measures depend on the severity of the incident, the criticality of
the affected systems or processes, the impact on business revenues, and the available
resources
Step 1: System validation
Step 2: System operations
Step 3: System monitoring
Step 4:
Contingency/Continuity of Operations Planning
A contingency plan is a set of specific strategies, guidelines, and processes for recovering from an incident
resulting from a particular problem or emergency
It is necessary for a company or business to keep functioning normally
Guidelines for contingency planning are as follows:
Starting point
Focuses on the development and maintenance of the plan
Problem analysis
Checks what sort of problems/incidents can occur
Checks the likelihood of the occurrence of the problem
Checks the severity of the problem
Contingency/Continuity of Operations Planning (contd)
Testing the plan
In this phase, the developed plan is tested to determine whether
it can actually work in a real-time environment
Testing results are documented for future reference
Personnel training
Personnel need to undergo training to get familiar with the plan,
which helps them perform their tasks and responsibilities
effectively
Contingency/Continuity of Operations Planning (contd)
Components of contingency planning:
Contingency/Continuity of Operations Planning (contd)
Continuity of operations provides the organization with an alternative site for a
period of one month so that it can recover from the incident and perform normal
organizational operations
Some other plans that are included in the business continuity plan are:
Document and test the plan in order to ensure the continuity of operations and
availability of resources during an incident
Handle incidents
System Name: ________
BIA POC: ________
Role
Internal {Identify the individuals, positions, or offices within your organization that depend on or support the system;
also specify their relationship to the system}
________
External {Identify the individuals, positions, or offices outside your organization that depend on or support the system;
also specify their relationship to the system}
________
Source: http://csrc.nist.gov/
Outage Impact
________
F. Prioritize resource recovery {List the priority associated with recovering a specific resource, based on the outage
impacts and allowable outage times provided in Section E. Use a quantitative or qualitative scale (e.g., high/medium/low, 1-5, A/B/C)}
Resource | Recovery Priority
________
Procedure audits:
Live walk-throughs of procedures:
Scenario testing:
Facility-level tests:
Enterprise-level tests:
Summary
Incident recovery is the process of restoring and rebuilding the computer
systems affected by an incident to normal operations
EC-Council Certified
Incident Handler
Version 1
Module XI
Security Policies and Laws
Module Objective
Module Flow
Role of Law in Incident Handling
Security Policies
Security Policy
A security policy is a document that states in writing how a company
plans to protect its physical and information technology assets
It defines what business objectives and security goals are desired by
management
It depicts the basic architecture of the company's security environment
Characteristics of a Security Policy
They must be implementable through system administration
procedures, publishing of acceptable use guidelines, or other
appropriate methods
They must clearly define the areas of responsibility for users,
administrators, and management
The final version must be made available to all of the staff members in the
organization
For effective implementation, there must be job rotation so that
data handling is not restricted to one set of people
Protects the system automatically by implementing software and
hardware controls
Acts as a detective control in an investigation, to find out what act has already
occurred
In some cases, these documents are named Internet and E-mail Policy, Internet AUP,
Network AUP, or Acceptable IT Use Policy
The most important part of an AUP document is the code of conduct governing the
behavior of a user whilst connected to the organization, network, or Internet
They are similar to, and often do the same job as, a document labeled Terms of
Service
Ensures the integrity of the information, and protects it from unauthorized
and undetected modification, manipulation, insertion, and deletion
Audit trail policies help in detecting security violations, performance problems, and flaws
Individual accountability
Reconstructing events
Problem monitoring
Intrusion detection
Detects disk failures, network outages, and over-utilization of system resources
Logging Policy
The logging policy defines which set of events needs to be logged
It includes:
Notification procedures
Guidelines for log review intervals
Retention standards
Response time expectations
Network documentation covers the documentation of networking devices and operations
Server documentation covers the documentation of server configuration information and
running services
Information security policies set the framework for regular vulnerability and risk assessment
Information security policies help in improving the overall security posture of the organization
The NIACAP process accomplishes the requirements of the documented security policy
Accredited security posture is maintained all through the system life cycle
The process comprises existing system certifications and product evaluations
Process users must align the process with their program strategies and incorporate the activities into their enterprise system life cycle
Critical schedule, budget, security, functionality, and performance issues are determined by these individuals
System Security Authorization Agreement (SSAA) contains the documentation of NIACAP agreements
The results of Certification and Accreditation (C&A) are documented using SSAA
The objective is to use the SSAA to establish an evolving yet binding agreement on the level of security required before the system development begins or changes
Documents all requirements necessary for accreditation, test plans and procedures, certification results, and residual risk
Minimizes documentation requirements by consolidating applicable information into the SSAA (security policy, concept of operations, architecture description, test procedures, etc.)
Physical access to all restricted facilities is documented and managed
Every individual who has physical access to information resource facilities should sign the access and non-disclosure agreements
All access to the information resources should be tracked with a sign-in/sign-out log
Systems should have an alternate power supply, such as a UPS, to cover power losses
Computing devices should be positioned so as to protect them from shoulder surfing
Monitoring systems should be installed to monitor the work area and office premises
Personal Screening:
It is a pre-employment check which involves the employee's background check
This is done even as the employee is given access to the official information
While recruiting an employee for a permanent staff position, he must be checked for:
Satisfactory character referees
Accuracy of the curriculum vitae and qualifications
Before appointing an employee after he/she is recruited, verify details of the employee such as:
Identity and character confirmation through referees
Criminal background check from police
Similarly, an employee being recruited for a temporary staff position can be checked through a verifying agency
Chief executives need to grant the permanent staff access to official information after clearance from:
Avoid granting access to the most sensitive sites, as there are chances of indirect exposure by staff or visitors
Individuals granted access must be issued a pass or access or identity card
A "Basic Check" can be done further, after the pre-employment check, for staff or contractors who need frequent access to sensitive sites
Reporting to law enforcement changes the character of the evidence handling process
Evidence can be subpoenaed by courts
Perpetrators and their lawyers can get access to it in the trial
The evidence gathering process and all actions and documentation of the investigation may also be accessible to the other party during litigation
In United States v. Jacobsen, 466 U.S. 109 (1984), the Supreme Court presented the framework that should guide agents seeking to uncover evidence as a result of a private search
Even if courts follow the more restrictive approach, the information gleaned from the private search will often be useful in providing the probable cause needed to obtain a warrant for a further search
The fact that the person conducting a search is not a government employee does not always mean that the search is private for Fourth Amendment purposes
Policies and procedures that are based on risk assessments, cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each agency information system;
Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
Security awareness training to inform personnel (including contractors and other users of information systems that support the operations and assets of the agency) of the information security risks associated with their activities and their responsibilities in complying with agency policies and procedures designed to reduce these risks;
Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices (including the management, operational, and technical controls of every agency information system identified in their inventory) to be performed with a frequency depending on risk, but no less than annually;
Mexico
Section 30-45-5 Unauthorized computer use
A person who knowingly, willfully and without authorization, or having obtained authorization, uses the opportunity the authorization provides for purposes to which the authorization does not extend, directly or indirectly accesses, uses, takes, transfers, conceals, obtains, copies or retains possession of any computer, computer network, computer property, computer service, computer system or any part thereof, when the
damage to the computer property or computer service has a value of two hundred fifty dollars ($250) or less, is guilty of a petty misdemeanor;
damage to the computer property or computer service has a value of more than two hundred fifty dollars ($250) but not more than five hundred dollars ($500), is guilty of a misdemeanor;
Mexico (contd)
damage to the computer property or computer service has a value of more than five hundred dollars ($500) but not more than two thousand five hundred dollars ($2,500), is guilty of a fourth degree felony;
damage to the computer property or computer service has a value of more than two thousand five hundred dollars ($2,500) but not more than twenty thousand dollars ($20,000), is guilty of a third degree felony;
damage to the computer property or computer service has a value of more than twenty thousand dollars ($20,000), is guilty of a second degree felony
Brazilian Laws
Canadian Laws
(2) The intent a person has to have to commit an offense under this section need not be directed at:
(a) any particular program or data,
(b) a program or data of any particular kind, or
(c) a program or data held in any particular computer
(3) A person guilty of an offense under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both
Source: http://www.opsi.gov.uk
(6) It is immaterial for the purposes of this section whether the further offense is to be committed on the same occasion as the unauthorized access offense or on any future occasion
(7) A person may be guilty of an offense under this section even though the facts are such that the commission of the further offense is impossible
(9) A person is guilty of an offense if (a) he does any act which causes an unauthorized modification of the contents of any computer; and (b) at the time when he does the act he has the requisite intent and the requisite knowledge.
(10) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing (a) to impair the operation of any computer;
(b) to prevent or hinder access to any program or data held in any computer; or
(c) to impair the operation of any such program or the reliability of any such data
Belgium Laws
COMPUTER HACKING
Article 550 (b) of the Criminal Code:
1. Any person who, aware that he is not authorised, accesses or maintains his access to a computer system, may be sentenced to a term of imprisonment of 3 months to 1 year and to a fine of (Bfr 5,200-5m) or to one of these sentences
If the offence specified in 1 above is committed with intention to defraud, the term of imprisonment may be from 6 months to 2 years
2. Any person who, with the intention to defraud or with the intention to cause harm, exceeds his power of access to a computer system, may be sentenced to a term of imprisonment of 6 months to 2 years and to a fine of (BFr 5,200-20m) or to one of these sentences
German Laws
Italian Laws
Penal Code Article 615 ter: Unauthorized access into a computer or telecommunication system:
Anyone who enters unauthorized into a computer or telecommunication system protected by security measures, or remains in it against the expressed or implied will of the one who has the right to exclude him, shall be sentenced to imprisonment not exceeding three years
The imprisonment is from one until five years
if the crime is committed by a public official or by an officer of a public service, through abuse of power or through violation of the duties concerning the function or the service, or by a person who practices, even without a licence, the profession of a private investigator, or with abuse of the capacity of a system operator
Cybercrime Act 2001
The Cybercrime Act 2001 amended the Criminal Code Act 1995 to replace existing outdated computer offences
478.1 Unauthorized access to, or modification of, restricted data
(1) A person is guilty of an offence if:
(a) the person causes any unauthorized access to, or modification of, restricted data; and
(b) the person intends to cause the access or modification; and
(c) the person knows that the access or modification is unauthorized; and
(d) one or more of the following applies:
(i) the restricted data is held in a Commonwealth computer;
(ii) the restricted data is held on behalf of the Commonwealth;
(iii) the access to, or modification of, the restricted data is caused by means of a telecommunications service
cause
or deletes or
(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both
Singapore Laws
Chapter 50A: Computer Misuse Act
Section 3 (1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority, shall be liable on conviction to a fine not exceeding $5.000 or to imprisonment for a term not exceeding 2 years or to both.
(2) If any damage is caused as a result of an offence under this section, a person convicted of the offence shall be liable to a fine not exceeding $50.000 or to imprisonment for a term not exceeding 7 years or to both
Section 4: Access with intent to commit or facilitate commission of offence
(1) This section shall apply to an offence involving property, fraud, dishonesty or which causes bodily harm and which is punishable on conviction with imprisonment for a term of not less than 2 years.
(2) Any person guilty of an offence under this section shall be liable on conviction to a fine not exceeding $50.000 or to imprisonment for a term not exceeding 10 years or to both
Sarbanes-Oxley Act
(3) employers (as defined in section 453A(a)(2)(B)) (including State and local governmental entities and labor organizations) in such State are required, effective September 30, 1988, to make quarterly wage reports to a State agency (which may be the agency administering the State's unemployment compensation law) except that the Secretary of Labor (in consultation with the Secretary of Health and Human Services and the Secretary of Agriculture) may waive the provisions of this paragraph if he determines that the State has in effect an alternative system which is as effective and timely for purposes of providing employment related income and eligibility data for the purposes described in paragraph (2), and except that no report shall be filed with respect to an employee of a State or local agency performing intelligence or counterintelligence functions, if the head of such agency has determined that filing such a report could endanger the safety of the employee or compromise an ongoing investigation or intelligence mission, and except that in the case of wage reports with respect to domestic service employment, a State may permit employers (as so defined) that make returns with respect to such employment on a calendar year basis pursuant to section 3510 of the Internal Revenue Code of 1986 to make such reports on an annual basis;
The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule
Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer's personal nonpublic information.
Constructing a thorough [risk management] on each department handling the nonpublic information,
Develop, monitor, and test a program to secure the information, and
Change the safeguards as needed with the changes in how information is collected, stored, and used.
Intellectual Property
Intellectual property is the product of intellect that has commercial value and includes copyrights and trademarks
Copyrights
Tradem arks
Patents
Industrial design rights
Trade secrets
The doctrine is a result of a number of court decisions over the years
Reproduction of a particular work for criticism, news reporting, comment, teaching, scholarship, and research is considered fair according to Section 107 of the Copyright Law
Protection of privacy
Limitation based upon removing or disabling access to infringing material
Summary
A security policy is a document that states in writing how a company plans to protect its physical and information technology assets
Security policy ensures customers' integrity and prevents unauthorized modifications of the data
Federal law requires Federal agencies to report incidents to the Federal Computer Incident Response Center
Organizations should not contact multiple agencies because it might result in jurisdictional conflicts
Under intellectual property law, owners are granted certain exclusive rights to a variety of intangible assets
An acceptable use policy is a set of rules applied by an organization, network, or Internet service to restrict its usage
Evidence should be collected according to procedures that meet all applicable laws and regulations, in order to be admissible in court
Chain of custody is documentation showing the seizure, custody, control, transfer, analysis, and disposition of evidence