Educause Security Discussion mailing list archives

Re: Incident Response / Forensic Decision Tree

From: Valerie Vogel <vvogel () EDUCAUSE EDU>
Date: Mon, 6 May 2013 18:11:30 +0000

Hi Bryan,

We have developed a Sensitive Data Exposure Incident Checklist that you may find useful: 
https://wiki.internet2.edu/confluence/display/itsg2/Incident+Checklist

There is an online checklist, but you can also download a copy.

Thank you,
Valerie

Valerie Vogel, Program Manager

EDUCAUSE <http://www.educause.edu/>
Uncommon Thinking for the Common Good
direct: 202.331.5374 | main: 202.872.4200 | twitter: @HEISCouncil | educause.edu <http://www.educause.edu/>

From: Bryan Zimmer <bzimmer () UCSC EDU<mailto:bzimmer () UCSC EDU>>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Monday, May 6, 2013 10:07 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: [SECURITY] Incident Response / Forensic Decision Tree

Hi All,
Does anyone have an Incident Response decision tree or process flow they can share? I'd like to see the whole flow from 
"We think we have a compromised box" to "Lessons Learned meeting." I'm especially interested in how you decide whether 
or not to do full forensics and/or malware analysis on compromised systems that access or store sensitive data. Right 
now we do a basic check of malware's capabilities by Googling for the name, and also upload the file to Anubis. However 
making the judgement call of "are we reasonably sure sensitive data was not accessed" can be difficult based on this 
info alone. That's when we in theory would send the system to a 3rd party for analysis, but if we don't carefully 
quantify that decision we could be spending a lot of money that isn't necessary.

Any guidance would be greatly appreciated.
Thanks,
-Bryan

----
Bryan Zimmer
Senior Security Analyst
UCSC Security Team
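The judgement call Bryan describes ("are we reasonably sure sensitive data was not accessed?") is easier to defend, and to cost out, when the escalation path is written down as an ordered set of rules. The following is an added example, not anything from the thread or from any of the institutions mentioned in it: a small, hypothetical decision tree that maps what is known about a compromised host (whether it touches sensitive data, what the sample is reported to be capable of, whether audit logs or network telemetry can rule access in or out) to one of three tiers of increasing cost. The tier names, the capability vocabulary, and the `Incident` fields are all assumptions chosen for illustration; the ordering of rules is the point, since the first rule that fires decides and every outcome carries its reasons for the incident record.

```python
"""Hypothetical escalation decision tree for a compromised host (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Outcomes, in increasing order of cost. The names are assumptions, not a standard.
CONTAIN_AND_REIMAGE = "contain-and-reimage"      # preserve a disk image, rebuild, no deeper analysis
INTERNAL_ANALYSIS = "internal-malware-analysis"  # sandbox/OSINT the sample, pull logs, re-run the tree
FULL_FORENSICS = "third-party-forensics"         # engage an external examiner; notification likely

# Assumed capability vocabulary, e.g. what a sandbox report or a write-up for the family says.
DATA_THEFT_CAPS = {"exfil", "rat", "keylogger", "credential-stealer"}
SECOND_STAGE_CAPS = {"downloader", "dropper"}   # real payload unknown until the second stage is seen


@dataclass
class Incident:
    host: str
    stores_sensitive_data: bool                               # host stores or can reach sensitive data
    capabilities: Set[str] = field(default_factory=set)       # empty set = not yet analyzed
    exfil_indicators: bool = False                            # e.g. unusual outbound volume, staged archives
    sensitive_access_after_compromise: Optional[bool] = None  # from audit logs; None = no usable logs


def triage(inc: Incident) -> Tuple[str, List[str]]:
    """Walk the tree top-down; the first rule that fires decides. Returns (tier, reasons)."""
    if not inc.stores_sensitive_data:
        return CONTAIN_AND_REIMAGE, ["host neither stores nor accesses sensitive data"]

    # Everything below applies to a host that touches sensitive data.
    if inc.exfil_indicators:
        return FULL_FORENSICS, ["network telemetry indicates exfiltration"]
    if inc.sensitive_access_after_compromise is True:
        return FULL_FORENSICS, ["audit logs show sensitive data accessed after the compromise time"]
    if not inc.capabilities:
        return INTERNAL_ANALYSIS, ["malware capabilities unknown; analyze the sample before deciding"]

    theft = inc.capabilities & DATA_THEFT_CAPS
    if theft and inc.sensitive_access_after_compromise is None:
        # Capable of stealing data and nothing to rule it out: the expensive path is justified.
        return FULL_FORENSICS, [f"data-theft capability {sorted(theft)} and no logs to rule out access"]
    if theft and inc.sensitive_access_after_compromise is False:
        # Logs cover the window and show no access; the cheap path, but keep the evidence.
        return CONTAIN_AND_REIMAGE, [
            f"data-theft capability {sorted(theft)} but audit logs show no access",
            "retain disk image and log extracts in case the log coverage is later questioned",
        ]
    if inc.capabilities & SECOND_STAGE_CAPS:
        return INTERNAL_ANALYSIS, ["sample is a downloader/dropper; identify the second stage first"]

    # Only commodity behaviour (e.g. adware) with no data-theft capability reported.
    return CONTAIN_AND_REIMAGE, [f"capabilities {sorted(inc.capabilities)} cannot read or move sensitive data"]


if __name__ == "__main__":
    # Constructed incidents for illustration; none are real hosts.
    for inc in (
        Incident("lab-ws-01", stores_sensitive_data=False),
        Incident("hr-db-01", stores_sensitive_data=True, capabilities={"rat"}, exfil_indicators=True),
        Incident("fin-app-02", stores_sensitive_data=True),
        Incident("reg-db-03", stores_sensitive_data=True, capabilities={"keylogger"}),
        Incident("reg-db-04", stores_sensitive_data=True, capabilities={"keylogger"},
                 sensitive_access_after_compromise=False),
    ):
        tier, reasons = triage(inc)
        print(f"{inc.host}: {tier} ({'; '.join(reasons)})")
```

The tree deliberately routes "we do not know yet" cases (no analysis, or a downloader whose payload has not been seen) to the middle tier rather than straight to a vendor, and it only reaches the cheap tier for a data-stealing sample when logs positively cover the window. Whatever rules a team adopts, writing them in this form makes it possible to count, after the fact, how many engagements each rule caused and whether any of them found nothing.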
