The Attached DRAFT Document (provided Here For . -
The attached DRAFT document (provided here for historical purposes) has been superseded bythe following publication:Publication Number:NIST Special Publication (SP) 800-61 Revision 2Title:Computer Security Incident Handling GuidePublication Date:08/08/2012 Final Publication: https://doi.org/10.6028/NIST.SP.800-61r2 (which links ions/NIST.SP.800-61r2.pdf). Information on other NIST Computer Security Division publications andprograms can be found at: http://csrc.nist.gov/
The following information was posted with the attached DRAFT document:Jan. 31, 2012SP 800-61 Rev. 2DRAFT Computer Security Incident Handling GuideNIST announces the public comment release of draft Special Publication (SP) 800-61 Revision 2, ComputerSecurity Incident Handling Guide. It seeks to assist organizations in mitigating the risks from computersecurity incidents by providing practical guidelines on responding to incidents effectively and efficiently. Thepublication includes guidelines on establishing an effective incident response program, as well as detecting,analyzing, prioritizing, and handling incidents. SP 800-61 Revision 2 updates the previous revision, whichwas released in 2008. A detailed change-log is provided in Appendix H.NIST requests comments on draft SP 800-61 Revision 2 by March 16th, 2012. Please submit commentsto 800-61rev2-comments@nist.gov with "Comments SP 800-61" in the subject line.
Special Publication 800-61Revision 2 (Draft)Computer SecurityIncident Handling Guide(Draft)Recommendations of the National Instituteof Standards and TechnologyPaul CichonskiTom MillarTim GranceKaren Scarfone
NIST Special Publication 800-61Revision 2 (Draft)Computer Security Incident HandlingGuide (Draft)Recommendations of the NationalInstitute of Standards and TechnologyPaul CichonskiTom MillarTim GranceKaren ScarfoneC O M P U T E RS E C U R I T YComputer Security DivisionInformation Technology LaboratoryNational Institute of Standards and TechnologyGaithersburg, MD 20899-8930January 2012U.S. Department of CommerceJohn Bryson, SecretaryNational Institute of Standards and TechnologyPatrick D. Gallagher,Under Secretary for Standards and Technologyand Director
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT)Reports on Computer Systems TechnologyThe Information Technology Laboratory (ITL) at the National Institute of Standards and Technology(NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’smeasurement and standards infrastructure. ITL develops tests, test methods, reference data, proof ofconcept implementations, and technical analysis to advance the development and productive use ofinformation technology. ITL’s responsibilities include the development of technical, physical,administrative, and management standards and guidelines for the cost-effective security and privacy ofsensitive unclassified information in Federal computer systems. This Special Publication 800-seriesreports on ITL’s research, guidance, and outreach efforts in computer security and its collaborativeactivities with industry, government, and academic organizations.NIST Special Publication 800-61 Revision 2 (Draft)63 pages (Jan. 2012)Certain commercial entities, equipment, or materials may be identified in thisdocument in order to describe an experimental procedure or concept adequately.Such identification is not intended to imply recommendation or endorsement by theNational Institute of Standards and Technology, nor is it intended to imply that theentities, materials, or equipment are necessarily the best available for the purpose.ii
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT)AcknowledgmentsThe authors, Paul Cichonski of the National Institute of Standards and Technology (NIST), Tom Millar ofthe United States Computer Emergency Readiness Team (US-CERT), Tim Grance of NIST, and KarenScarfone of Scarfone Cybersecurity wish to thank their colleagues who reviewed drafts of this documentand contributed to its technical content, including Mark Austin, Brian DeWyngaert, Andrew Fuller, ChrisHallenbeck, Sharon Kim, and Lee Rock of US-CERT, and Marcos Osorno of the Johns HopkinsUniversity Applied Physics Laboratory. A special acknowledgment goes to Brent Logan of US-CERT forhis graphics assistance.The authors would also like to acknowledge the individuals that contributed to the previous versions ofthe publication. A special thanks goes to Brian Kim of Booz Allen Hamilton, who co-authored theoriginal version; to Kelly Masone of Blue Glacier Management Group, who co-authored the first revision;and also to Rick Ayers, Chad Bloomquist, Vincent Hu, Peter Mell, Scott Rose, Murugiah Souppaya, GaryStoneburner, and John Wack of NIST; Don Benack and Mike Witt of US-CERT; and Debra Banning,Pete Coleman, Alexis Feringa, Tracee Glass, Kevin Kuhlkin, Bryan Laird, Chris Manteuffel, RonRitchey, and Marc Stevens of Booz Allen Hamilton for their keen and insightful assistance throughout thedevelopment of the document, as well as Ron Banerjee and Gene Schultz for their work on a preliminarydraft of the document. The authors would also like to express their thanks to security experts Tom Baxter(NASA), Mark Bruhn (Indiana University), Brian Carrier (CERIAS, Purdue University), Eoghan Casey,Johnny Davis, Jr. (Department of Veterans Affairs), Jim Duncan (BB&T), Dean Farrington (Wells FargoBank), John Hale (University of Tulsa), Georgia Killcrece (CERT /CC), Barbara Laswell (CERT /CC),Pascal Meunier (CERIAS, Purdue University), Jeff Murphy (University of Buffalo), Todd O’Boyle(MITRE), Marc Rogers (CERIAS, Purdue University), Steve Romig (Ohio State University), RobinRuefle (CERT /CC), Gene Schultz (Lawrence Berkeley National Laboratory), Michael Smith (USCERT), Holt Sorenson, Eugene Spafford (CERIAS, Purdue University), Ken van Wyk, and Mark Zajicek(CERT /CC), as well as representatives of the Department of the Treasury, for their particularly valuablecomments and suggestions.iii
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT)Table of ContentsExecutive Summary . 11.Introduction . 41.11.21.31.42.Organizing A Computer Security Incident Response Capability . 62.12.22.32.42.52.63.Authority . 4Purpose and Scope . 4Audience . 4Document Structure . 4Events and Incidents . 6Need for Incident Response . 6Incident Response Policy, Plan, and Procedure Creation . 72.3.1 Policy Elements. 72.3.2 Plan Elements . 82.3.3 Procedure Elements. 82.3.4 Sharing Information With Outside Parties . 9Incident Response Team Structure . 122.4.1 Team Models .122.4.2 Team Model Selection.132.4.3 Incident Response Personnel.152.4.4 Dependencies Within Organizations.16Incident Response Team Services . 17Recommendations . 18Handling an Incident .193.13.23.33.43.53.6Preparation. 193.1.1 Preparing to Handle Incidents .193.1.2 Preventing Incidents.21Detection and Analysis . 223.2.1 Incident Categories .223.2.2 Signs of an Incident .233.2.3 Sources of Precursors and Indicators.243.2.4 Incident Analysis .253.2.5 Incident Documentation.283.2.6 Incident Prioritization .293.2.7 Incident Notification .31Containment, Eradication, and Recovery. 323.3.1 Choosing a Containment Strategy .323.3.2 Evidence Gathering and Handling .333.3.3 Identifying the Attacking Hosts .343.3.4 Eradication and Recovery .34Post-Incident Activity . 353.4.1 Lessons Learned.353.4.2 Using Collected Incident Data .363.4.3 Evidence Retention .38Incident Handling Checklist . 39Recommendations . 39iv
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT)List of AppendicesAppendix A— Incident Handling Scenarios .42A.1 Scenario Questions . 42A.2 Scenarios . 43Appendix B— Incident-Related Data Elements .48B.1 Basic Data Elements . 48B.2 Incident Handler Data Elements . 49Appendix C— Glossary .50Appendix D— Acronyms .51Appendix E— Resources.53Appendix F— Frequently Asked Questions .54Appendix G— Crisis Handling Steps .56Appendix H— Change Log .57List of FiguresFigure 2-1. Communications with Outside Parties . 9Figure 3-1. Incident Response Life Cycle .19Figure 3-2. Incident Response Life Cycle (Detection and Analysis).22Figure 3-3. Incident Response Life Cycle (Containment, Eradication, and Recovery) .32Figure 3-4. Incident Response Life Cycle (Post-Incident Activity) .35List of TablesTable 3-1. Tools and Resources for Incident Handlers .20Table 3-2. Common Sources of Precursors and Indicators .24Table 3-3. Functional Impact Categories .30Table 3-4. Information Impact Categories .30Table 3-5. Recoverability Effort Categories .30Table 3-6. Incident Handling Checklist .39v
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT)Executive SummaryComputer security incident response has become an important component of information technology (IT)programs. Security-related threats have become not only more numerous and diverse but also moredamaging and disruptive. New types of security-related incidents emerge frequently. Preventativeactivities based on the results of risk assessments can lower the number of incidents, but not all incidentscan be prevented. An incident response capability is therefore necessary for rapidly detecting incidents,minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computingservices. To that end, this publication provides guidelines for incident handling, particularly for analyzingincident-related data and determining the appropriate response to each incident. The guidelines can befollowed independently of particular hardware platforms, operating systems, protocols, or applications.Because performing incident response effectively is a complex undertaking, establishing a successfulincident response capability requires substantial planning and resources. Continually monitoring threatsthrough intrusion detection and prevention systems (IDPSs) and other mechanisms is essential.Establishing clear procedures for prioritizing the handling of incidents is critical, as is implementingeffective methods of collecting, analyzing, and reporting data. It is also vital to build relationships andestablish suitable means of communication with other internal groups (e.g., human resources, legal) andwith external groups (e.g., other incident response teams, law enforcement).This publication seeks to help both established and newly formed incident response teams. Thispublication assists organizations in establishing computer security incident response capabilities andhandling incidents efficiently and effectively. This revision of the publication, Revision 2, updatesmaterial throughout the publication to reflect the changes in threats and incidents. Unlike most threatsseveral years ago, which tended to be short-lived and easy to notice, many of today’s threats are morestealthy, specifically designed to quietly, slowly spread to other hosts, gathering information overextended periods of time and eventually leading to exfiltration of sensitive data and other negativeimpacts. Identifying these threats in their early stages is key to preventing subsequent compromises, andsharing information among organizations regarding the signs of these threats is an increasingly effectiveway to identify them.Implementing the following requirements and recommendations should facilitate efficient and effectiveincident response for Federal departments and agencies.Organizations must create, provision, and operate a formal incident response capability. Federallaw requires Federal agencies to report incidents to the United States Computer EmergencyReadiness Team (US-CERT) office within the Department of Homeland Security.The Federal Information Security Management Act (FISMA) requires Federal agencies to establishincident response capabilities. Each Federal civilian agency must designate a primary and secondary pointof contact (POC) with US-CERT and report all incidents consistent with the agency’s incident responsepolicy. Each agency is responsible for determining how to fulfill these requirements.Establishing an incident response capability should include the following actions: Creating an incident response policy and plan Developing procedures for performing incident handling and reporting Setting guidelines for communicating with outside parties regarding incidents Selecting a team structure and staffing model1
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT) Establishing relationships between the incident response team and other groups, both internal (e.g.,legal department) and external (e.g., law enforcement agencies) Determining what services the incident response team should provide Staffing and training the incident response team.Organizations should reduce the frequency of incidents by effectively securing networks, systems,and applications.Preventing problems is less costly and more effective than reacting to them after they occur. Thus,incident prevention is an important complement to an incident response capability. If security controls areinsufficient, high volumes of incidents may occur. This could overwhelm the resources and capacity forresponse, which would result in delayed or incomplete recovery and possibly more extensive damage andlonger periods of service and data unavailability. Incident handling can be performed more effectively iforganizations complement their incident response capability with adequate resources to actively maintainthe security of networks, systems, and applications.Organizations should document their guidelines for interactions with other organizations regardingincidents.During incident handling, the organization will need to communicate with outside parties, such as otherincident response teams, law enforcement, the media, vendors, and external victims. Because thesecommunications often need to occur quickly, organizations should predetermine communicationguidelines so that only the appropriate information is shared with the right parties.Organizations should prepare generally to handle any type of incident and more specifically tohandle common incident types.Incidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handlingevery incident. This publication defines several incident categories, based on common methods of attack;these categories are not comprehensive nor intended to provide definitive classification for incidents, butrather to be used as a basis for defining more specific handling procedures. The categories are: External/Removable Media: An attack executed from removable media or a peripheral device. Attrition: An attack that employs brute force methods to compromise, degrade, or destroy systems,networks, or services. Web: An attack executed from a website or web-based application. Email: An attack executed via an email message or attachment. Improper Usage: Any incident resulting from violation of an organization’s acceptable usagepolicies by an authorized user, excluding the above categories. Loss or Theft of Equipment: The loss or theft of a computing device or media used by theorganization, such as a laptop or smartphone. Other: An attack that does not fit into any of the other categories.Organizations should emphasize the importance of incident detection and analysis throughout theorganization.2
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT)In an organization, millions of possible signs of incidents may occur each day, recorded mainly bylogging and computer security software. Automation is needed to perform an initial analysis of the dataand select events of interest for human review. Event correlation software can be of great value inautomating the analysis process. However, the effectiveness of the process depends on the quality of thedata that goes into it. Organizations should establish logging standards and procedures to ensure thatadequate information is collected by logs and security software and that the data is reviewed regularly.Organizations should create written guidelines for prioritizing incidents.Prioritizing the handling of individual incidents is a critical decision point in the incident responseprocess. Incidents should be prioritized based on the relevant factors, such as the functional impact of theincident (e.g., current and likely future negative impact to business functions), the information impact ofthe incident (e.g., effect on the confidentiality, integrity, and availability of the organization’sinformation), and the recoverability from the incident (e.g., the time and types of resources that must bespent on recovering from the incident).Organizations should use the lessons learned process to gain value from incidents.After a major incident has been handled, the organization should hold a lessons learned meeting to reviewhow effective the incident handling process was and identify necessary improvements to existing securitycontrols and practices. Lessons learned meetings can also be held periodically for lesser incidents asresources permit. The information accumulated from all lessons learned meetings should be used toidentify systemic security weaknesses and deficiencies in policies and procedures. Follow-up reportsgenerated for each resolved incident can be important not only for evidentiary purposes but also forreference in handling future incidents and in training new team members.3
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT)1.Introduction1.1AuthorityThe National Institute of Standards and Technology (NIST) developed this document in furtherance of itsstatutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002,Public Law 107-347.NIST is responsible for developing standards and guidelines, including minimum requirements, forproviding adequate information security for all agency operations and assets, but such standards andguidelines shall not apply to national security systems. This guideline is consistent with the requirementsof the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), “Securing AgencyInformation Systems,” as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplementalinformation is provided in A-130, Appendix III.This guideline has been prepared for use by Federal agencies. It may be used by nongovernmentalorganizations on a voluntary basis and is not subject to copyright, though attribution is desired.Nothing in this document should be taken to contradict standards and guidelines made mandatory andbinding on Federal agencies by the Secretary of Commerce under statutory authority, nor should theseguidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce,Director of the OMB, or any other Federal official.1.2Purpose and ScopeThis publication seeks to assist organizations in mitigating the risks from computer security incidents byproviding practical guidelines on responding to incidents effectively and efficiently. It includes guidelineson establishing an effective incident response program, but the primary focus of the document isdetecting, analyzing, prioritizing, and handling incidents. Organizations are encouraged to tailor therecommended guidelines and solutions to meet their specific security and mission requirements.1.3AudienceThis document has been created for computer security incident response teams (CSIRTs), system andnetwork administrators, security staff, technical support staff, chief information officers (CIOs), computersecurity program managers, and others who are responsible for preparing for, or responding to, securityincidents.1.4Document StructureThe remainder of this document is organized into the following sections and appendices: Section 2 discusses the need for incident response, outlines possible incident response teamstructures, and highlights other groups within an organization that may participate in incidenthandling. Section 3 reviews the basic incident handling steps and provides advice for performing incidenthandling more effectively, particularly incident detection and analysis. Appendix A contains incident response scenarios and questions for use in incident response tabletopdiscussions.4
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT) Appendix B provides lists of suggested data fields to collect for each incident. Appendices C and D contain a glossary and acronym list, respectively. Appendix E identifies resources that may be useful in planning and performing incident response. Appendix F covers frequently asked questions about incident response. Appendix G lists the major steps to follow when handling a computer security incident-related crisis. Appendix H contains a change log listing significant changes since the previous revision.5
COMPUTER SECURITY INCIDENT HANDLING GUIDE (DRAFT)2.Organizing A Computer Security Incident Response CapabilityOrganizing an effective computer security incident response capability (CSIRC) involves several majordecisions and actions. One of the first considerations should be to create an organization-specificdefinition of the term “incident” so that the scope of the term is clear. The organization should decidewhat services the incident response team should provide, consider which team structures and models canprovide those services, and select and implement one or more incident response teams. Incident responseplan, policy, and procedure creation is an important part of establishing a team, so that incident responseis performed effectively, efficiently, and consistently. The plan, policies, and procedures should reflectthe team’s interactions with other teams within the organization as well as with outside parties, such aslaw enforcement, the media, and other incident response organizations. This section provides not onlyguidelines that should be helpful to organizations that are establishing incident response capabilities, butalso advice on maintaining and enhancing existing capabilities.2.1Events and IncidentsAn event is any observable occurrence in a system or network. Events include a user connecting to a fileshare, a server receiving a request for a web page, a user sending email, and a firewall blocking aconnection attempt. Adverse events are events with a negative consequence, such as system crashes,packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and executionof malware that destroys data. This guide addresses only adverse events that are computer securityrelated, not those caused by natural disasters, power failures, etc.A computer security incident is a violation or imminent threat of violation1 of computer security policies,acceptable use policies, or standard security practices. Examples of incidents2 are: An attacker commands a botnet to send high volumes of connection requests to a web server, causingit to crash. Users are tricked into opening a “quarterly report” sent via email that is actually malware; running thetool has infected their computers and established connections with an external host. An attacker obtains sensitive data and threatens that the details will be released publicly if theorganization does not pay a designated sum of money. A user provides illegal copies of software to others through peer-to-peer file sharing services.2.2Need for Incident ResponseIncident response is needed because attacks frequently compromise personal and business data. It iscritically important to respond quickly and efficiently when security breaches occur, so the concept ofcomputer security incident response has become widely accepted and implemented. One of the benefits ofhaving an incident response capability is that it supports responding to incidents systematically (i.e.,following a consistent incident handling methodology) so that the appropriate actions are taken. Incidentresponse helps personnel to minimize loss or theft of information and disruption of services caused byincidents. Another benefit of incident response is the ability to use information gained during incidenthandling to better prepare for handling future incidents and to provide stronger protection for systems and12An “imminent threat of violation” refers to a situation in which the organization has a factual basis for believing that aspecific incident is about to occur. For example, the antivirus software maintainers may receive a bulletin from the softwarevendor, warning them of new malware that is rapidly spreading across the Internet.For the remainder of this document, the terms “incident” and “comp
NIST Special Publication 800-61 Revision 2 (Draft) 63 pages (Jan. 2012) C OMPUTER S ECURITY I NCIDENT H ANDLING G UIDE (DRAFT) iii Acknowledgments The authors, Paul Cichonski of the National Institute of Standards and Technology (NIST), Tom Millar ofFile Size: 1MBPage Count: 65
May 02, 2018 · D. Program Evaluation ͟The organization has provided a description of the framework for how each program will be evaluated. The framework should include all the elements below: ͟The evaluation methods are cost-effective for the organization ͟Quantitative and qualitative data is being collected (at Basics tier, data collection must have begun)
Silat is a combative art of self-defense and survival rooted from Matay archipelago. It was traced at thé early of Langkasuka Kingdom (2nd century CE) till thé reign of Melaka (Malaysia) Sultanate era (13th century). Silat has now evolved to become part of social culture and tradition with thé appearance of a fine physical and spiritual .
On an exceptional basis, Member States may request UNESCO to provide thé candidates with access to thé platform so they can complète thé form by themselves. Thèse requests must be addressed to esd rize unesco. or by 15 A ril 2021 UNESCO will provide thé nomineewith accessto thé platform via their émail address.
̶The leading indicator of employee engagement is based on the quality of the relationship between employee and supervisor Empower your managers! ̶Help them understand the impact on the organization ̶Share important changes, plan options, tasks, and deadlines ̶Provide key messages and talking points ̶Prepare them to answer employee questions
Dr. Sunita Bharatwal** Dr. Pawan Garga*** Abstract Customer satisfaction is derived from thè functionalities and values, a product or Service can provide. The current study aims to segregate thè dimensions of ordine Service quality and gather insights on its impact on web shopping. The trends of purchases have
Chính Văn.- Còn đức Thế tôn thì tuệ giác cực kỳ trong sạch 8: hiện hành bất nhị 9, đạt đến vô tướng 10, đứng vào chỗ đứng của các đức Thế tôn 11, thể hiện tính bình đẳng của các Ngài, đến chỗ không còn chướng ngại 12, giáo pháp không thể khuynh đảo, tâm thức không bị cản trở, cái được
Le genou de Lucy. Odile Jacob. 1999. Coppens Y. Pré-textes. L’homme préhistorique en morceaux. Eds Odile Jacob. 2011. Costentin J., Delaveau P. Café, thé, chocolat, les bons effets sur le cerveau et pour le corps. Editions Odile Jacob. 2010. Crawford M., Marsh D. The driving force : food in human evolution and the future.
Le genou de Lucy. Odile Jacob. 1999. Coppens Y. Pré-textes. L’homme préhistorique en morceaux. Eds Odile Jacob. 2011. Costentin J., Delaveau P. Café, thé, chocolat, les bons effets sur le cerveau et pour le corps. Editions Odile Jacob. 2010. 3 Crawford M., Marsh D. The driving force : food in human evolution and the future.
