2.2 Carry out appropriate risk mitigation strategies
Change management refers to a methodology for making modifications and keeping track of those changes. In some instances, changes to network or system configurations are made haphazardly to alleviate a pressing problem. Without proper documentation, a future change may negate or diminish a previous change or even unknowingly create a security vulnerability. Change management seeks to approach changes systematically and provide the necessary documentation of the changes.
Incident management can be defined as the "framework" and functions required to enable incident response and incident handling within an organization. The objective of incident management is to restore normal operations as quickly as possible with the least possible impact on either the business or the users
Routine system audits will check for user rights and permissions as well as analyze log files, for example, the Security log in Windows. The development and implementation of the security policy that enabled the security log should have been done long before actual auditing takes place.
2.3 Execute appropriate incident response procedures
Order Of Volatility: The sequence of volatile data that must be preserved in a computer forensics investigation
Register, cache
routing table, AP cache, process table, kernel statistics, memory
Temporary file system
Disk
Remote logging and monitoring data that is relevant to system
Physical configuration, network topology
Archival media
Capture system Image: Forensic imagining program is used to create bit stream image copy of a storage device. The image copy will be stored onto a forensically clean storage device. Hash calculation of original media is performed before and after image coping is performed
Network traffic and logs: In some network environments it may be possible to maintain an ongoing recording of network traffic. Since this would result in huge storage requirement these recording will only maintain a sliding window in minutes or hours of recent network activity
Capture Video: If there are security cameras present then recording of security violation should be preserved. Another is video recording of investigation being performed to collect physical and logical evidences. Theses can be used for later reviews.
Chain of custody: The chain of custody documents that the evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence. A chain of custody includes documenting all of the serial numbers of the systems involved, who handled and had custody of the systems and for what length of time, how the computer was shipped, and any other steps in the process.
Copyright © Anand Software and Training Private Limited.