Security Incident Response Plan
migVisor must make reasonable efforts and act competently to respond to a potential incident in a way that reduces the loss of information and the potential harm to customers, partners, and the organization itself. migVisor's incident response framework comprises six phases that ensure a consistent and systematic approach.
Preparation
Preparation includes those activities that enable migVisor to respond to an incident.
migVisor utilizes several mechanisms to prevent, prepare for, and respond to an incident:
Security Awareness Training: All personnel, including employees and subcontractors, are required to complete IT Security and Awareness training.
Malware/Antivirus/Spyware Protections: All information system terminals, as well as key information flow points on the network, are protected by continuous defenses against malware, spyware, and other known malicious attacks.
Firewalls and Intrusion Prevention Devices (IPD): Multiple firewalls and IPDs are in place within the network to provide the necessary depth of defense.
Event Logs: Event logging is maintained at all applicable levels, capturing all required events.
Patching/Updating: Systems shall be patched and updated as new security patches and hot fixes are released.
Detection and Analysis
Detection is the discovery of an event with security tools or through notification by an inside or outside party about a suspected incident.
The determination of a security incident can arise from one or several circumstances simultaneously.
Means by which detection can occur include:
Trained personnel reviewing collected event data for evidence of compromise.
Monitoring tools alerting to unusual network or port traffic.
Observing suspicious or abnormal activity.
It is critical in this phase to:
Detect whether a security incident has occurred.
Determine the method of attack.
Determine the impact of the incident on the mission, systems, and personnel involved in the incident.
Obtain or create intelligence products regarding attack modes and methods.
Analysis of the incident indicators will be performed in a manner consistent with the type of incident. These analyses can be performed either manually or with automated tools, depending on the situation, timeliness, and availability of resources.
Containment, Eradication and Recovery
Containment activities for security incidents involve decision-making and the application of strategies to help control attacks and damage, stop attack activities, or reduce the impact or damage caused by the incident.
Eradication efforts for a security incident involve:
Removing latent threats from systems (such as malware on the system and any user accounts that may have been created during the incident).
Identifying and mitigating potential vulnerabilities or misconfigurations that may have been exploited.
Identifying other hosts within the organization that may have been affected.
Recovery efforts for incidents will involve the restoration of affected systems to normal operation. The specific steps depend on the type of incident experienced but may include actions such as:
Restoring systems from backups.
Replacing compromised files with clean versions.
Increasing network perimeter and host-based security.
Post-Incident Activity
Post-incident activities will occur after the detection, analysis, containment, eradication, and recovery from a security incident.
Important items to be reviewed and considered for documentation are:
What exactly happened, and at what time(s)?
How well did staff and management perform in dealing with the incident?
What information was needed sooner?
What should be done differently the next time a similar incident occurs?
What corrective actions can prevent similar incidents in the future?
What precursors or indicators should be watched for in the future to detect similar incidents?
What additional tools or resources are needed to detect, analyze, and mitigate future incidents?