1. Computer Security Incident
1.1. Real or suspected adverse event affecting computer systems or networks
1.2. Includes
1.2.1. Unsuccessful login attempts
1.2.2. System and application crashes
1.2.2.1. DoS attacks
1.2.3. Unauthorized use of a system
1.2.4. Unintentional modifications to SW, FW, HW, ...
1.2.5. Unauthorized use of another user's account
1.2.6. Unauthorized privileges
1.3. Major cause
1.3.1. Human interface
2. Data Classification
2.1. Levels of sensitivity
2.1.1. 1. Top Secret
2.1.2. 2. Confidential information
2.1.3. 3. Proprietary information
2.1.4. 4. Information for internal use
2.1.5. 5. Public documents
3. Information Warfare (Infowar)
3.1. Defensive
3.1.1. Attempts to protect information assets
3.2. Offensive
3.2.1. Electronic jamming
3.2.2. Nanomachines and microbes
3.2.3. Malware
3.3. Refers to the use of information and IS
4. Key Concepts of IS
4.1. CIA
4.1.1. Confidentiality
4.1.1.1. Protection against unauthorized access
4.1.2. Integrity
4.1.2.1. Protection against alteration or corruption
4.1.3. Availability
4.1.3.1. System is up and running
4.2. Vulnerability
4.2.1. Flaw, weakness or bug
4.2.1.1. e.g. weak passwords
4.3. Threat
4.3.1. Event, person or circumstance
4.3.1.1. e.g. disclosure of personal information
4.4. Attack
4.4.1. Exploitation of a vulnerability, or an action against a system
4.4.1.1. e.g. DoS or DDoS
5. Types of Incidents
5.1. Malicious code
5.1.1. Malware
5.1.1.1. e.g. worms, Trojans, viruses, ransomware, ...
5.2. Unauthorized access
5.2.1. Privilege escalation
5.2.1.1. e.g. moving from Guest to Administrator in the operating system
5.3. Unauthorized use of services
5.3.1. Transferring files or directories to another organization's domain
5.4. Fraud and theft
5.4.1. Automating traditional methods of fraud
5.4.1.1. e.g. phishing or pharming attacks
5.5. Espionage
5.5.1. Stealing information, with a negative impact on the organization's reputation
5.5.1.1. Confidential
5.5.1.2. Proprietary
5.5.1.3. Top Secret
5.6. Employee sabotage and abuse
5.6.1. Actions that abuse the system
5.6.1.1. e.g. modified system, software, firmware or hardware, ...
5.7. DoS attack
5.7.1. Attempt to prevent authorized use of:
5.7.1.1. Systems
5.7.1.2. Networks
5.7.1.3. Applications
5.8. Misuse
5.8.1. Using resources for personal benefit
5.8.1.1. e.g. pirated software
6. Information as a Business Asset
6.1. Important for any business process
6.1.1. e.g. patent information, trade secrets, employee information
7. Common Terminologies
7.1. Information System
7.1.1. Inputs data, processes it and outputs information to achieve goals
7.2. Information Owner
7.2.1. Creating information
7.2.2. Storing information
7.2.3. Controlling access
7.3. Information Custodian
7.3.1. Implementing
7.3.2. Security measures
8. Signs of an Incident
8.1. Detecting and assessing incidents
8.2. Typical indications
8.2.1. Alarm or event in the IDS
8.2.1.1. Security team reacts
8.2.2. Attempt to log on with a new user
8.2.3. System crashes or poor system performance
8.2.4. Unauthorized program operation
8.2.4.1. e.g. sniffer
8.2.5. Suspicious entries
8.2.5.1. Network
8.2.5.2. System
8.2.5.3. Other accounting inconsistencies
8.3. Categories
8.3.1. Precursor
8.3.1.1. Sign that an incident may occur in the future
8.3.1.1.1. e.g. hacktivist group
8.3.1.1.2. Use of a vulnerability scanner (e.g. Nessus)
8.3.1.1.3. Newly discovered vulnerability
8.3.1.2. Possibility of occurrence
8.3.1.3. Proactive focus
8.3.2. Indications
8.3.2.1. Sign that an incident has already occurred or is in progress
8.3.2.1.1. Antivirus software alert
8.3.2.1.2. IDS or IPS logs
8.3.2.1.3. Detection of network traffic capture
8.3.2.1.4. Network slowdown
8.3.2.1.5. Unusual occurrences or patterns
8.3.2.1.6. Reports of malicious email
8.3.2.2. Reactive focus
8.4. Incident Categories
8.4.1. According to
8.4.1.1. Severity
8.4.1.2. Origin
8.4.2. Levels
8.4.2.1. Low
8.4.2.1.1. Least severe kind
8.4.2.2. Medium
8.4.2.2.1. More serious
8.4.2.3. High
8.4.2.3.1. Most severe kind
8.4.3. Incident Prioritization
8.4.3.1. Two factors
8.4.3.1.1. Criticality of the affected resources
8.4.3.1.2. Technical effect
8.4.3.2. Most critical function of incident handling
8.4.3.3. Reduces business impact and minimizes losses
8.4.3.4. Business impact
9. Incident Handling
9.1. Helps to identify threats and patterns
9.2. Helps in:
9.2.1. Prevention
9.2.2. Containment
9.2.3. Recovery
9.3. Refers to a set of procedures and policies
9.4. Handles unexpected threats and security breaches
9.5. Includes activities
9.5.1. Prior to, during and after an incident
9.5.1.1. Affecting a host, website, network or information asset
9.6. Estimating cost
9.6.1. Tangible
9.6.1.1. Lost productivity hours
9.6.1.2. Investigation and recovery efforts
9.6.1.3. Loss or theft of resources
9.6.1.4. Loss of business
9.6.2. Intangible
9.6.2.1. Damage to corporate reputation
9.6.2.2. Loss of goodwill
9.6.2.3. Psychological damage
9.6.2.3.1. Those directly impacted may feel victimized
9.6.2.3.2. May impact morale and instil fear
9.6.2.4. Legal liability
9.6.2.5. Damage to shareholder value
9.7. Involves all the processes of:
9.7.1. Logistics
9.7.2. Communication
9.7.3. Coordination
9.7.4. Planning
10. Incident Response
10.1. Applies when a computer system is compromised
10.2. Structured approach to address and manage various
10.3. Goal
10.3.1. Handle the security incident
10.3.1.1. Reduces the damage
10.3.1.2. Minimizes cost and time
10.3.1.3. Recovers from the incident
10.4. Depends on
10.4.1. Actions to minimize the damage
10.4.2. Restoring resources
10.5. Includes
10.5.1. Step-by-step response
10.5.2. Recovery from interruptions in services
10.5.3. Preparing to handle future incidents
10.5.4. Legal preparedness for issues
11. Incident Reporting
11.1. Reported to
11.1.1. CERT Coordination Center
11.1.2. Site security agencies (e.g. FBI, USSS ECB)
11.2. Process of reporting information about an incident
11.3. Details encountered by the user
11.3.1. Intensity of the security breach
11.3.2. Circumstances
11.3.3. Shortcomings in the design, and impact
11.3.4. Log entries
11.3.5. Correct time zone of the region and synchronization of the affected systems
11.4. Incident Reporting Organizations
11.4.1. CERT
11.4.2. CSIRT
11.4.3. FIRST
11.4.4. CIRT
11.4.5. IRC
11.4.6. SERT
11.4.7. SIRT
11.4.8. IAIP
11.4.9. CERT/CC
11.4.10. ISAC