Incident Response - For Sysadmins
Scope
The policy and procedure in this document applies to all individuals authorized to use SDSC's IT resources. The prescribed actions and processes described in this document apply to situations involving any SDSC Host (as defined in the SDSC Security Policy) as well as any of the IT resources provided by SDSC.
Note that this document does not authorize all affected individuals to act upon the procedures described here. The policy in this document authorizes actions for only specific roles. For those not included in those roles, this document is purely informational.
Background
After detection, incident response focuses on two general activities: containment and eradication. Containment attempts to restrict the attacker's influence while learning the attacker's goals and methods. Eradication attempts to remove the attacker's influence and restore the affected systems to a secure state. Both activities require the oversight of security personnel as well as cooperation between security personnel, service administrators, and system administrators. However, containment places a greater emphasis on effort from security personnel, whereas eradication places a greater emphasis on effort from service and system administrators.
Incident response involves both activities in order: containment first, then eradication. Depending on the nature of the incident and the attack, one may take priority over the other. We must strive to understand an attack in order to reduce the chance of future attacks, but must also balance that effort against the security needs (confidentiality, integrity, availability) of the affected system. This policy outlines the criteria for striking that balance, but leaves the final judgement in the hands of the incident responder.
Goals (of this policy)
- Establish roles, timelines, and key procedures for post-detection incident response efforts.
- Explain the reasoning behind the stipulations of this policy.
Goals (of the procedures in this policy)
- Acquire and preserve information that may help understand an attack.
- Address the security needs of the affected service or host.
- Remove the influence of the attacker.
- Restore the affected service or host to a secure state.
Roles
Security Personnel
These are members of SDSC's security group (sometimes known as "Security Technologies"), or individuals designated by SDSC's CISO as members of the incident response team. Incident response team members may oversee a response effort until relieved by a member of SDSC's security group.
Service Administrators
Service administrators are personnel responsible for the maintenance, configuration, and administration of a service or group of services running on a host operating system. In some cases, a service administrator may also serve as the system administrator for the same host; in most cases, however, service administrators have restricted administrative privileges and do not maintain the underlying host operating system.
System Administrators
System administrators are personnel responsible for the maintenance, configuration, and administration of a host operating system and its core services (e.g. ssh). System administrators have full administrative privileges on the host they manage, and bear ultimate responsibility for the proper operation of their hosts.