This paper describes the types of logs maintained at B-Concepts and its log management system, and discusses the advantages of security logs.
Three types of security logs are maintained at B-Concepts:
1. Security process logs - records of the application of security procedures and the security policy; these are recorded under normal conditions.
2. Security fault logs - recorded in the absence of a security policy or risk management strategy.
3. Security breach logs - records of security policy breaches.
The concept of operations (CONOPS) for an information security incident is based on the severity and impact of the incident. "An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices" (GRANCE, KENT & KIM, 2004).
"ISO 17799 refers to hundreds of best-practice information security control measures that organizations should consider to satisfy the stated control objectives" (ISO 17799, 2005). The standard proposes that an organization must identify its information assets and carry out a risk assessment for those assets. The computer security incident response policies for B-Concepts are defined in the security policy document, based on the function/business and infrastructure of the organization.
Computer Incident Response Team (CIRT)
A CIRT can be structured on any of three models:
1. Central Incident Response Team - a single team that handles incidents throughout the organization.
2. Distributed Incident Response Team - multiple teams, each handling incidents for a particular logical or physical segment of the organization.
3. Coordinating Team - a team that provides guidance and advice to individuals or to department-wide teams.
The CIRT team can be partially/fully outsourced or staffed with internal employees.
Roles and responsibilities:
All members of the CIRT are prepared to interact with the media. One member of the CIRT is nominated as the point of contact (POC) for the media and law enforcement. The members of the CIRT are accessible to anyone who suspects or discovers a computer security incident that involves the organization's interests (GRANCE et al., 2004).
Fig 1. Incident Response Lifecycle (GRANCE et al., 2004)
The responsibilities of CIRT in the incident lifecycle are:
Preparation: acquiring tools and resources for incident handling, assembling a jump kit[1], and risk assessment of systems and applications for incident prevention.
Detection: incident categorization based on type[2] and signs (precursor[3] or incident[4]). Analysis is done by profiling[5] and understanding the behavior of the network systems, and by studying the logs and security alerts. The CIRT must create a centralized logging system and a log policy; it must be able to correlate events, conduct research to gain information, and collect data with packet sniffers and data filtering. The CIRT is also responsible for documenting incident information, prioritizing incidents to determine the impact on affected resources, and notifying the concerned authorities.
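The detection duties above (a centralized log store, event correlation, categorization and prioritization) are easier to see in working code. The following is an added example written for this page, not code from the paper or from B-Concepts: it parses a few constructed syslog-style lines, sorts each record into the paper's process/fault types, and correlates a burst of failed logins followed by a successful one from the same source into a single prioritized breach incident. The hostnames, user names, addresses, the 3-failure threshold and the 60-second window are all assumptions chosen for the sample.

```python
"""Minimal event-correlation pass over centralized security logs.

Added example (not from the paper or B-Concepts). Every value below is
constructed for illustration; thresholds are assumptions, not a standard.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hosts, users and addresses are invented).
SAMPLE_LOG = """\
2004-05-01T10:00:01 srv1 policy: daily vulnerability scan completed
2004-05-01T10:00:05 srv1 sshd: Failed password for admin from 203.0.113.7
2004-05-01T10:00:09 srv1 sshd: Failed password for admin from 203.0.113.7
2004-05-01T10:00:14 srv1 sshd: Failed password for admin from 203.0.113.7
2004-05-01T10:00:20 srv1 sshd: Accepted password for admin from 203.0.113.7
2004-05-01T10:05:00 srv2 audit: risk assessment missing for asset db-02
2004-05-01T10:06:30 srv2 sshd: Failed password for root from 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
SSH_RE = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+)$")


def parse(text):
    """Turn syslog-style lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a bad line must not abort analysis of the rest
        ts, host, prog, msg = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "prog": prog, "msg": msg})
    return events


def classify(event):
    """Process record (control working normally) vs fault record (control
    absent). Breach records are only decided after correlation, below."""
    return "fault" if "missing" in event["msg"] else "process"


def count_by_type(events):
    """Counts per record type, e.g. {'process': 6, 'fault': 1}."""
    return dict(Counter(classify(e) for e in events))


def prioritize(user):
    """Assumed impact rule: privileged accounts rank highest."""
    return "high" if user in {"root", "admin"} else "medium"


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Raise one breach incident when >= threshold failed logins precede a
    successful login for the same (host, user, source) within the window."""
    failures = defaultdict(list)
    incidents = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["prog"] != "sshd":
            continue
        m = SSH_RE.match(e["msg"])
        if not m:
            continue
        outcome, user, src = m.groups()
        key = (e["host"], user, src)
        if outcome == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            incidents.append({"type": "breach", "host": e["host"],
                              "user": user, "source": src,
                              "failures": len(recent), "first_seen": recent[0],
                              "priority": prioritize(user)})
        failures[key].clear()  # a success closes the current burst
    return incidents


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("record types:", count_by_type(evs))
    for inc in correlate(evs):
        print("incident:", inc)
```

The single lone failure from 198.51.100.4 is left as a precursor in the store rather than escalated, which is the distinction the text draws between a sign and an incident; the threshold and window are the parameters a CIRT would tune in its log policy.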
Containment: physical isolation of the affected resource,