Educause Security Discussion mailing list archives

Re: Incident Response / Forensic Decision Tree


From: Brian J Smith-Sweeney <bsmithsweeney () NYU EDU>
Date: Wed, 8 May 2013 15:28:29 -0400

Here's ours:

http://www.nyu.edu/its/policies/sec_breach.html

I can provide some internal details offline if you like.

Cheers,
Brian

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Smith-Sweeney                                     Assistant Director
ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


On Mon, May 6, 2013 at 1:07 PM, Bryan Zimmer <bzimmer () ucsc edu> wrote:
Hi All,
Does anyone have an Incident Response decision tree or process flow they can
share? I'd like to see the whole flow from "We think we have a compromised
box" to "Lessons Learned meeting." I'm especially interested in how you
decide whether or not to do full forensics and/or malware analysis on
compromised systems that access or store sensitive data. Right now we do a
basic check of malware's capabilities by Googling for the name, and also
upload the file to Anubis. However, making the judgement call of "are we
reasonably sure sensitive data was not accessed" can be difficult based on
this info alone. That's when we in theory would send the system to a 3rd
party for analysis, but if we don't carefully quantify that decision we
could be spending a lot of money that isn't necessary.

Any guidance would be greatly appreciated.
Thanks,
-Bryan

----
Bryan Zimmer
Senior Security Analyst
UCSC Security Team

