CISSP® Official Study Guide, Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Detection 
IT environments include multiple methods of detecting potential incidents. The following list identifies many of the common methods used to detect potential incidents. It also includes notes on how these methods report the incidents:

Intrusion detection and prevention systems (described later in this chapter) send alerts to administrators when an item of interest occurs.

Anti-malware software will often display a pop-up window to indicate when it detects malware.

Many automated tools regularly scan audit logs looking for predefined events, such as the use of special privileges. When they detect specific events, they typically send an alert to administrators.

End users sometimes detect irregular activity and contact technicians or administrators for help. When users report events such as the inability to access a network resource or update a system, it alerts IT personnel about a potential incident.
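The third method in the list, an automated tool that scans audit logs for predefined events and alerts administrators, is easy to picture in code. The block below is an added example and is not from the study guide: it scans a constructed syslog-style sample for two "use of special privileges" patterns (a sudo command run as root, and a user added to a privileged group) and aggregates failed logons against a threshold so that a single mistyped password does not raise an alert. The log format, the sample lines, the pattern names and the threshold value are all assumptions made for the example. Each alert is tagged as an event pending investigation, because an alert by itself never confirms that an incident has occurred.

```python
"""Minimal audit-log scanner (added example; not from the CISSP Official Study Guide).

Matches log lines against a small table of predefined events and returns
alerts for an administrator. The log format and sample lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit log (syslog-like). Not real data.
SAMPLE_LOG = """\
2023-04-08T09:12:01 host1 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 51422
2023-04-08T09:12:03 host1 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 51423
2023-04-08T09:12:05 host1 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 51424
2023-04-08T09:12:07 host1 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 51425
2023-04-08T09:12:09 host1 sshd[811]: Failed password for invalid user admin from 198.51.100.7 port 51426
2023-04-08T09:15:40 host1 sshd[902]: Accepted publickey for jdoe from 203.0.113.9 port 40011
2023-04-08T09:16:02 host1 sudo: jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/useradd backup2
2023-04-08T09:16:30 host1 usermod[1203]: add 'backup2' to group 'sudo'
2023-04-08T09:17:00 host1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Predefined events of interest: (pattern, alert name, severity).
# Both are "use of special privileges" events; names and severities are assumptions.
PREDEFINED_EVENTS = [
    (re.compile(r"sudo: (?P<user>\S+) .*USER=root ; COMMAND=(?P<cmd>.+)$"),
     "special-privilege-use", "medium"),
    (re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>sudo|wheel|admin)'"),
     "privileged-group-membership-change", "high"),
]

# A single failed logon is routine; only repeated failures are reported.
FAILED_LOGON = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
FAILED_LOGON_THRESHOLD = 5  # assumption: tune to the environment


@dataclass
class Alert:
    name: str
    severity: str
    detail: str
    # Every alert starts as an event to be investigated, never a confirmed incident.
    status: str = "event-pending-investigation"


def scan_audit_log(text: str) -> list[Alert]:
    """Scan log lines for predefined events and return alerts for administrators."""
    alerts: list[Alert] = []
    failures: Counter[tuple[str, str]] = Counter()

    for line in text.splitlines():
        # Single-line events: report each match immediately.
        for pattern, name, severity in PREDEFINED_EVENTS:
            if pattern.search(line):
                alerts.append(Alert(name, severity, line))
        # Aggregated events: count failed logons per (user, source address).
        m = FAILED_LOGON.search(line)
        if m:
            failures[(m["user"], m["src"])] += 1

    for (user, src), count in failures.items():
        if count >= FAILED_LOGON_THRESHOLD:
            alerts.append(Alert(
                "repeated-failed-logon", "medium",
                f"{count} failed logons for user {user!r} from {src}",
            ))
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.name} ({alert.status}): {alert.detail}")
```

Run against the sample, the scanner returns three alerts: the sudo command run as root, the addition of a user to the sudo group, and five failed logons from one address. A first responder still has to look at each one; the sudo and usermod lines could be a legitimate administrator onboarding an account, which is exactly the "alert is not an incident" point the text makes.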
Cell Phone Cannot Be Updated
Many security incidents aren't detected until months after they occur. Users often notice things that aren't quite right, such as the inability to update a cell phone, but don't report it right away. This allows attackers to maintain a presence on infected devices or networks for an extended period of time.


Managing Incident Response 
741
As an example, retired United States (U.S.) Marine Corps general John Kelly turned in his cell phone to White House technical support personnel during the summer of 2017. He was the White House chief of staff at the time. Kelly reportedly was unable to do software updates, and some other functions on his phone weren't working. After some investigation, the White House IT department reportedly determined that his phone was compromised, and the compromise may have occurred as early as December 2016, while Kelly was the Secretary of Homeland Security.
Notice that just because an IT professional receives an alert from an automated tool or a complaint from a user, this doesn't always mean an incident has occurred. Intrusion detection and prevention systems often give false alarms, and end users are prone to simple user errors. IT personnel investigate these events to determine whether they are incidents.
Many IT professionals are classified as first responders for incidents. They are the first ones on the scene and have knowledge on how to differentiate typical IT problems from security incidents. They are similar to medical first responders who have outstanding skills and abilities to provide medical assistance at accident scenes, and help get the patients to medical facilities when necessary. The medical first responders have specific training to help them determine the difference between minor and major injuries. Further, they know what to do when they come across a major injury. Similarly, IT professionals need specific training so that they can determine the difference between a typical problem that needs troubleshooting and a security incident that they need to escalate.
After investigating an event and determining it is a security incident, IT personnel move to the next step: response. In many cases, the individual doing the initial investigation will escalate the incident to bring in other IT professionals to respond.