NIST: Computer Security Incident Handling Guide (final version)

On 7 March 2008 the Computer Security Resource Center (CSRC) of the National Institute of Standards and Technology (NIST) published the final version of its guide for handling computer security incidents: the Computer Security Incident Handling Guide (pdf, 1.9 MB, 147 pp), also noted on Marco Misitano's blog. The guide aims to help organizations mitigate the risks arising from computer security incidents by providing recommendations and procedures for addressing, resolving and managing such events effectively and efficiently. Its main focus is how to detect, analyze, prioritize and handle incidents. The incident types considered are:

  • Denial of Service (DoS)
  • Malicious Code (virus, worm, Trojan horse, etc.)
  • Unauthorized Access
  • Inappropriate Usage
  • Multiple Component (i.e. several incidents chained together at the same time)

Contents

Executive Summary
1. Introduction
1.1 Authority
1.2 Purpose and Scope
1.3 Audience
1.4 Document Structure
2. Organizing A Computer Security Incident Response Capability
2.1 Events and Incidents
2.2 Need for Incident Response
2.3 Incident Response Policy, Plan, and Procedure Creation
2.3.1 Policy Elements
2.3.2 Plan Elements
2.3.3 Procedure Elements
2.3.4 Sharing Information With Outside Parties
2.4 Incident Response Team Structure
2.4.1 Team Models
2.4.2 Team Model Selection
2.4.3 Incident Response Personnel
2.4.4 Dependencies Within Organizations
2.5 Incident Response Team Services
2.6 Recommendations
3. Handling an Incident
3.1 Preparation
3.1.1 Preparing to Handle Incidents
3.1.2 Preventing Incidents
3.2 Detection and Analysis
3.2.1 Incident Categories
3.2.2 Signs of an Incident
3.2.3 Sources of Precursors and Indications
3.2.4 Incident Analysis
3.2.5 Incident Documentation
3.2.6 Incident Prioritization
3.2.7 Incident Notification
3.3 Containment, Eradication, and Recovery
3.3.1 Choosing a Containment Strategy
3.3.2 Evidence Gathering and Handling
3.3.3 Identifying the Attacker
3.3.4 Eradication and Recovery
3.4 Post-Incident Activity
3.4.1 Lessons Learned
3.4.2 Using Collected Incident Data
3.4.3 Evidence Retention
3.5 Incident Handling Checklist
3.6 Recommendations
4. Handling Denial of Service Incidents
4.1 Incident Definition and Examples
4.1.1 Reflector Attacks
4.1.2 Amplifier Attacks
4.1.3 Flood Attacks
4.2 Preparation
4.2.1 Incident Handling Preparation
4.2.2 Incident Prevention
4.3 Detection and Analysis
4.4 Containment, Eradication, and Recovery
4.4.1 Choosing a Containment Strategy
4.4.2 Evidence Gathering and Handling
4.5 Checklist for Handling Denial of Service Incidents
4.6 Recommendations
5. Handling Malicious Code Incidents
5.1 Incident Definition and Examples
5.1.1 Viruses
5.1.2 Worms
5.1.3 Trojan Horses
5.1.4 Malicious Mobile Code
5.1.5 Blended Attack
5.1.6 Tracking Cookies
5.1.7 Attacker Tools
5.1.8 Non-Malware Threats
5.2 Preparation
5.2.1 Incident Handling Preparation
5.2.2 Incident Prevention
5.3 Detection and Analysis
5.4 Containment, Eradication, and Recovery
5.4.1 Choosing a Containment Strategy
5.4.2 Evidence Gathering and Handling
5.4.3 Eradication and Recovery
5.5 Checklist for Handling Malicious Code Incidents
5.6 Recommendations
6. Handling Unauthorized Access Incidents
6.1 Incident Definition and Examples
6.2 Preparation
6.2.1 Incident Handling Preparation
6.2.2 Incident Prevention
6.3 Detection and Analysis
6.4 Containment, Eradication, and Recovery
6.4.1 Choosing a Containment Strategy
6.4.2 Evidence Gathering and Handling
6.4.3 Eradication and Recovery
6.5 Checklist for Handling Unauthorized Access Incidents
6.6 Recommendations
7. Handling Inappropriate Usage Incidents
7.1 Incident Definition and Examples
7.2 Preparation
7.2.1 Incident Handling Preparation
7.2.2 Incident Prevention
7.3 Detection and Analysis
7.4 Containment, Eradication, and Recovery
7.5 Checklist for Handling Inappropriate Usage Incidents
7.6 Recommendations
8. Handling Multiple Component Incidents
8.1 Incident Definition and Examples
8.2 Preparation, Detection, and Analysis
8.3 Containment, Eradication, and Recovery
8.4 Checklist for Handling Multiple Component Incidents
8.5 Recommendations
List of Appendices
Appendix A— Recommendations
A.1 Organizing a Computer Security Incident Response Capability
A.2 Preparation
A.3 Detection and Analysis
A.4 Containment, Eradication, and Recovery
A.5 Post-Incident Activity
Appendix B— Incident Handling Scenarios
B.1 Scenario Questions
B.2 Scenarios
Appendix C— Incident-Related Data Fields
C.1 Basic Data Fields
C.2 Incident Handler Data Fields
Appendix D— Glossary
Appendix E— Acronyms
Appendix F— Print Resources
Appendix G— Online Tools And Resources
Appendix H— Frequently Asked Questions
Appendix I— Crisis Handling Steps
Appendix J— Federal Agency Incident Reporting Categories

Links

  • Computer Security Resource Center (CSRC)
  • National Institute of Standards and Technology (NIST)
  • Computer Security Incident Handling Guide (pdf, 1.9 MB, 147 pp)
