CISSP Official Study Guide, Eighth Edition (Mike Chapple, James Michael Stewart, Darril Gibson; Sybex, 2018)
Recovery
After investigators collect all appropriate evidence from a system, the next step is to recover the system, or return it to a fully functioning state. This can be very simple for minor incidents and may only require a reboot. However, a major incident may require completely rebuilding a system. Rebuilding the system includes restoring all data from the most recent backup that is known to predate the compromise; restoring a backup taken after the attacker gained access restores the compromise along with the data.
When a compromised system is rebuilt from scratch, it's important to ensure it is configured properly and is at least as secure as it was before the incident. If an organization has effective configuration management and change management programs, these programs will provide the documentation needed to ensure the rebuilt systems are configured properly. Some things to double-check include access control lists (ACLs), that unneeded services and protocols are disabled or removed, that all up-to-date patches are installed, that user accounts and credentials are changed from the defaults, and that any changes the attacker made have been reversed.
In some cases, an attacker may have installed malicious code on a system during an attack. This may not be apparent without a detailed inspection of the system. The most secure method of restoring a system after an incident is to completely rebuild the system from scratch, from trusted installation media rather than from an image of the compromised host. If investigators suspect that an attacker may have modified code on the system, rebuilding the system is the safer option.
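A concrete form of the double-check list above, as an added example (not code from the study guide): a script that compares a rebuilt host against a configuration-management baseline, covering listening ports, services that must stay disabled, patch level, default accounts, and a SHA-256 manifest of files from a known-good build, so that a tampered file or an attacker-dropped artifact that survived the restore is flagged. The baseline, the observed snapshot, the field names and the temporary files are all constructed for the demonstration and are not the output format of any real tool.

```python
"""Post-rebuild verification of a restored host against its configuration
management baseline.  Added example: the baseline, the observed snapshot and
the files are all constructed here; field names such as 'listening_ports'
are assumptions, not the output format of any real tool."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under `root` (as a relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_rebuild(baseline, observed):
    """Return a list of deviations from the baseline; an empty list means clean."""
    findings = []
    # Network exposure: anything listening that the baseline does not allow.
    for port in sorted(observed["listening_ports"] - baseline["allowed_listening_ports"]):
        findings.append(f"unexpected listening port {port}")
    # Services/protocols that must stay disabled on a rebuilt host.
    for svc in sorted(observed["enabled_services"] & baseline["forbidden_services"]):
        findings.append(f"forbidden service enabled: {svc}")
    # Patch level modelled as an ISO year-month string (assumption) so plain comparison orders it.
    if observed["patch_level"] < baseline["minimum_patch_level"]:
        findings.append(f"patch level {observed['patch_level']} below "
                        f"{baseline['minimum_patch_level']}")
    # Default accounts must be removed or have their credentials changed.
    for acct in sorted(baseline["default_accounts"]):
        if observed["accounts"].get(acct) == "default":
            findings.append(f"default account {acct} still has default credentials")
    # File integrity: the restore must match known-good hashes, and nothing extra
    # (e.g. a web shell or backdoored binary left by the attacker) may be present.
    expected, actual = baseline["file_hashes"], observed["file_hashes"]
    for path in sorted(expected):
        if path not in actual:
            findings.append(f"missing file {path}")
        elif actual[path] != expected[path]:
            findings.append(f"modified file {path}")
    for path in sorted(set(actual) - set(expected)):
        findings.append(f"unexpected file {path}")
    return findings


def demo():
    """Build a known-good tree, 'restore' a copy carrying two compromises, and verify it."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as rebuilt:
        for d in (gold, rebuilt):
            os.makedirs(os.path.join(d, "bin"))
            with open(os.path.join(d, "bin", "httpd"), "wb") as f:
                f.write(b"\x7fELF constructed known-good web server binary\n")
            with open(os.path.join(d, "sshd_config"), "wb") as f:
                f.write(b"PermitRootLogin no\n")
        # Simulated tampering on the rebuilt host: a weakened config and a leftover web shell.
        with open(os.path.join(rebuilt, "sshd_config"), "ab") as f:
            f.write(b"PermitRootLogin yes\n")
        with open(os.path.join(rebuilt, "bin", "shell.php"), "wb") as f:
            f.write(b"<?php system($_GET['c']); ?>\n")

        baseline = {  # what configuration management says the host must look like
            "allowed_listening_ports": {22, 443},
            "forbidden_services": {"telnet", "ftp", "rsh"},
            "minimum_patch_level": "2018-06",
            "default_accounts": {"admin", "guest"},
            "file_hashes": build_manifest(gold),
        }
        observed = {  # constructed snapshot of the rebuilt host
            "listening_ports": {22, 443, 4444},
            "enabled_services": {"sshd", "telnet"},
            "patch_level": "2018-03",
            "accounts": {"admin": "changed", "guest": "default", "svc_web": "changed"},
            "file_hashes": build_manifest(rebuilt),
        }
        return verify_rebuild(baseline, observed)


if __name__ == "__main__":
    for line in demo():
        print("FINDING:", line)
```

Run directly, it prints six findings for the constructed host. In practice the baseline comes from the configuration management records the text mentions, the observed snapshot from the host itself, and the hash manifest should be built from trusted installation media, never from the compromised machine.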
Chapter 17, Preventing and Responding to Incidents (p. 744)
Remediation
In the remediation stage, personnel look at the incident and attempt to identify what allowed it to occur, and then implement methods to prevent it from happening again. This includes performing a root cause analysis.
A root cause analysis examines the incident to determine what allowed it to happen. For example, if attackers successfully accessed a database through a website, personnel would examine all the elements of the system to determine what allowed the attackers to succeed. If the root cause analysis identifies a vulnerability that can be mitigated, this stage will recommend a change.
It could be that the web server didn't have up-to-date patches, allowing the attackers to gain remote control of the server. Remediation steps might include implementing a patch management program. Perhaps the website application wasn't using adequate input validation techniques, allowing a successful Structured Query Language (SQL) injection attack. Remediation would involve updating the application to include input validation and, for SQL specifically, parameterized queries, which keep user input out of the statement text regardless of what the input contains. Maybe the database is located on the web server instead of on a backend database server. Remediation might include moving the database to a server behind an additional firewall.
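The SQL injection root cause described above, as an added example (not code from the study guide): a login query built by string formatting beside the remediated version that validates the username against an allow-list and binds both values as query parameters. The in-memory SQLite table and its two users are constructed for the demonstration, and the username pattern is an assumed application policy; a real application stores salted password hashes, not plaintext.

```python
"""Vulnerable login query beside its remediated form.  Added example with a
constructed in-memory SQLite table; not code from the study guide."""
import re
import sqlite3


def make_db():
    """Two constructed users.  Plaintext passwords only to keep the injection
    visible; a real application stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Root cause: user input is spliced into the SQL text, so a quote in either
    field ends the string literal and everything after it is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


# Allow-list for usernames: anything outside this character set is rejected before
# it reaches the database.  The pattern is an assumption about this application.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def login_remediated(conn, username, password):
    """Remediation: validate the input, then bind the values as parameters so the
    driver sends them separately from the statement and they are never parsed as
    SQL.  The password is deliberately not pattern-restricted: binding alone makes
    it safe, and a strict pattern would weaken passwords for no gain."""
    if not USERNAME_RE.match(username):
        return []
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("alice", "correct horse"), ("alice", "' OR '1'='1"), ("bob'--", "x")]:
        print(repr((user, pw)),
              "vulnerable:", login_vulnerable(db, user, pw),
              "remediated:", login_remediated(db, user, pw))
```

The classic payload `' OR '1'='1` in the password field makes the vulnerable query match every row, and `bob'--` in the username field comments out the password check entirely; the remediated version returns nothing for both while still accepting the genuine credentials.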