I have been writing a report on Incifent handling for my school assignment its kinds short right now i have to submit about 10-15 pages what do you guys think i should add to it . is the format okay or doe's dos the format needs to be changed. it's bacically on detecting a incident after completing this i have to write another one on Recovering from a incident and the Post Incident Measures

What is a Incident

An incedent refers to a situation in which the occurrence of an event either damages or has the potential to damage a resource. In a computer related environment it refrs to an event that has an impact on the security of a network. an incedent can result in different consequences, such as fraud, information leakage, or destruction of network resources. An incedent can occur because of various reasons. Some of the common incedents that effect the security of the network are:

* Attack from a malicious code, such as a virus and Trojan.
* Intrusion by employee.
* Intrusion by people from outside the organization

all such incedents can be a serious threat to system and networks of an organization. althogh the actual damage caused by these incidents cannot be predicted, it can range from disrupting work on a computer to harming the computing capability of large networks.

Need for Incident Handling

in the current technological scenario, there are an incresing number of people who have the knowledge to break into a network illegaly for either $ or fun. Yhe organization that rely heavily on Internet are especially susceptible to hacking attacks. It is almost impossible to predict the number and types of hacking incedents that can occur. therefore, an organization needs to prepare itself to handle incedents with minium effort and cost. a list of reasons in support of the need for incedent handling:

  • It equips the organisation with the procedure that can be followed if incidents occur
  • It saves the time and effort required to fix the incident at the time when the
    organization network has been affected due to the occurrence of an incident.
  • It he;ps the organization to derive lessons that helps prevent similar incedents in
    future.
  • It helps an organization to assess, in advance, the skills requited and to equip the
    organization to handle all types of incidents.
  • It provides the data that can be used by the organization to fix any incidents that
    might occur in the future.


Types of Incidents

various types of Incidents can occur to a network or a computer. These incidents can be classified into various categories based on their type and extent of damage they can do. Some common types incidents are:
  • Intrusion
  • Malicious Code
  • Fraud and Theft
  • Errors and omissions
  • Denial-of-Service attacks
  • Defaced pages
  • Quite Intrusion.


Phases of Incident handling

The importantpahses of incident handking are:

  • Preparation
  • Identification
  • Reporting and Communication
  • Eradication
  • Recovery
  • follow Up


Preparing for Incident Handling

The steps that need to be implementsd to minimize the impact of an incident needs to be defined in advance. A lot of foresight is required by the organization to initiate the fixing methodology at the earliest to handle the incident. The organization needs to prepare a plicy that guides the administrators to handle incidents. This planning includes the identification of people who have the skills to fix issues generated by inidents. The planner needs to consider all possible situations and their remedies. The preparation phase includes the following actions.

  • Formulation of a incident handling policy
  • Formulation of a incident handling team.


Formulation of an Incident-Handling Policy

An organization needs to devise a formal incident-handling plicy as a guideline document, which can be used in the case of incidents. This policy needs to define the lillowing.
  • Purpose: The purpose defines the areas in which this policy may be used as a guideline document.
  • Coverage: Coverage defines the people who are affected by the policy and who meed to offer skills in the case of an incident.
  • Network and System Details: In this section of te policy, details regarding the technology used needs to be provided. the policy makers may also add the details regarding the possible known vulnerabilities in the existing system and the patches that have been added to the loopholes for which a solution has been identified. As possible list of incidents is avalible in this section the administrator might be able to identify the problem quickly.
  • Procedure: This section is the most important section and needs to include all the intricate details of the steps that an incident handler needs to take. this saction defines all the possible incidents and the methods to fix these incidents.
  • history documents: A location of the document detailing the history of incident and the technoques used to fix that incisdent meeds to be mentioned here. This helps an incident handler to locate the refrence focument to identify the best practices in relation to fixing problems.


    Identifying Incidents

    The first step in incident handling is to identify wether or not an incident has occured. An error or bur on the network need not necessarily be an incident. it can be simply an event that has occured by mistake or coincidence. Considiring such events as incidents can resultin confusion and loss of effort and $. the experts need to perform various steps ansd use certain techniques to identify the type of incident. these steps and techniques include:

  • System and network logging function.
  • Detection tools.


System and network logging function.

this step includes checking the various log files in order to estain the type of incident that has occured. the first check needs to be made on the network data, network data refers to the file generated to record the data regarding the applications, user activities, and network traffic. These log files can reveal data regarding any suspicious or unusual activities on the network. these log files provide evidence that can be used to trace the cracker. the data in the log files can also provide information om the extent of harm that might have been caused by the incident. there are various log files that can be viewed to collect the required information. Some example of the log files in Unix and Windows NT are:

UNIX
  • Sulog: The su command is used to obtain superuser privileges. the sulog command log records the detail about each user using this command.
  • System Logs: The various log files in a system includes syslog message, mail information and warnings. a check must be made to identify any unauthorized access. For example, checking for segment fault message indicates that the incident is of the Buffer Overflow type.
  • Sniffer logs: Check for the presence of any sniffer files. the presence of any sniffer files indicats intrusion on the network


WindowsNT
  • Event Viewer: This contains three logs system, security and application logs. this tool can be viewed from the Administrator Tools options in WindowsNT.
  • Web Server Logs: these logs contains information rgarding the connections to applications such as Cold Fusion, IIS, and Microsoft FrontPage.


Detection Tools

Various detection tools are needed to be installed on the network to ensure that the incident can be detected in early stages before it harms the network resources. therefore the network must be constantly monitored for possible incidents. A list of few tools is given below:

[list=1]
[1] System Monitoring Tools:

  • The Computer Oracle and Password System (COPS) package from Purdue University. Examines a system for a number of known weaknesses and alerts the system administrator to them; in some cases it can automatically correct these problems
  • Check Promicious Mode(cpm): The cpm program from Carnegie Mellon University. Checks a system for any network interfaces in promiscuous mode; this may indicate that an attacker has broken in and started a packet snooping program
  • Watcher: The Watcher package by Kenneth Ingham. A configurable and extensible system monitoring tool that issues a number of user-specified commands, parses the output, checks for items of significance, and reports them to the system administrator
  • RIACS Intelligent Auditing and Categorizing System


[2] Network analysis Tools:


[3] Log Analysis Tools


Assessing the Severity of an Incident
This is a very critical step in incident handling because it determines the steps that needs to be taken to resolve the incident. Severity refers to the level and type of harm an incident can cause to the network. The severity level is determined on the basis of the amount of loss the incident can bear on the network in relation to money, goodwill and effort. there are certain criteria that help determine the level of severiry:
  • Type of attack:
  • Number of Computer Affected
  • Replication Factor[/b]: there can be attacks that might have the capability of replicating itself. for example a Virusthat can replicate itself through e-mail. this kind of attack makes it difficult to determine the number of computers that might be affected.
  • Intentins of the incident: