Scribd Logo
Upload

Welcome to Scribd!

  • Security Incident Response Long Form

    Uploaded by

    Brian Knowlton
    93 views3 pages
    Security incident form

    Copyright

    © © All Rights Reserved

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Security incident form

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    93 views3 pages

    Security Incident Response Long Form

    Uploaded by

    Brian Knowlton
    Security incident form

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    APPENDIX II

    AIM HIGHER COLLEGE


    SECURITY INCIDENT RESPONSE

    Tracking # ________

    The following is a sample incident report. The report is an example of the types of information and incident details that will be
    used to track and report security incidents for AHC. The format of this report is subject to change as reporting standards and
    capabilities are further developed.

    Contact Information and Incident


    Last Name:
    Job Title:
    Phone:
    Mobile:
    Email:

    First Name:
    Alt Phone:
    Pager:
    Fax:

    Incident Description
    Date/Time and Recovery Information
    Date/Time of First Attack:
    Date/Time of Attack Detected:
    Has the Attack Ended:
    Duration of Attack (in hours):
    Severity of Attack:
    Estimated Recovery Time of this Report (Clock)
    Estimated Recovery Time of this Report (Staff Hours)
    Estimated Damage Account as of this Report ($$$ Loss)
    Number of Hosts Affected:
    Number of Users Affected:
    Type of Incident Detected:
    Exposing
    Confidential/Classified/
    Unclassified Data
    Anonymous FTP abuse
    Using Machine Illegally
    ICQ Abuse/IRC Abuse
    Other (Specify)
    SB1386 Is Email
    Notification Required?
    Comments (Specify Incident
    Details and additional
    information):

    Theft of Information
    Technology
    Resources/ Other
    Assets
    Attacking Attackers/
    Other Sites
    Impersonation
    Life Threatening
    Activity
    Yes

    No

    Date:

    Time:
    Time:

    Yes

    No

    Low

    Medium

    High

    Creating accounts

    Altering
    DNS/Website/Data/
    Logs

    Destroying Data

    Credit Card Fraud

    Fraud

    Increasing
    Notoriety of
    Attacker
    Password Cracking

    Installing a Back
    Door/Trojan Horse

    Unauthorized
    Use/Access
    Attacking the Internet

    SB1386 - Email
    Notification Sent Out?

    Sniffer

    Yes

    Dont Know

    No

    General Information
    How Did You Initially Become Aware of the Incident?
    Automated Software
    Notification

    Automated Review
    of Log Files

    Dont Know

    Other (Specify)

    Manual Review of
    Log Files

    Attack Technique (Vulnerability Exploited / Exploit Used)

    System Anomaly (i.


    e., Crashes,
    Slowness)

    Third Party
    Notification

    CVE/CERT VU or
    BugTraq Number

    Virus, Trojan Horse,


    Worm, or Other
    Malicious Code

    Scanning/Probing

    Other

    Denial of Service or
    Distributed Denial of
    Service Attack

    Unauthorized Access to Affected Computer


    Privileged Compromise (Root/Admin
    Access) User Account Compromise/Web
    Compromise (Defacement)

    Suspected perpetrator(s) or possible motivation(s) of attack:


    CSU staff/students/
    faculty
    Other (Specify)

    Former staff/
    students/faculty

    External Party

    Unknown

    Malicious Code
    Virus, Worm
    Name or Description of Virus
    Yes (Provide
    Is Anti-Virus Software Installed on the
    Name)
    Affected Computer(s)?
    Yes
    Did the Anti-Virus Software Detect the
    Virus?
    When was your Anti-Virus Software Last Updated?

    No
    No

    Network Activity
    Protocols
    Name or Description of Virus
    TCP
    Other

    UDP

    ICMP

    IPSec

    IP Multicast

    Ipv6

    Please Identify Source Ports Involved in the Attack:


    Please Identify Destination Ports Involved in the Attack:

    Impact of Attack
    Hosts
    Individual Hosts
    Does this Host represent an Attacking or Victim Host?
    Host Name:
    Operating System Affected:
    Applications Affected:
    Others:
    Primary Purpose of this Host:
    User Desktop Machine
    Domain Controller
    Application Server

    Victim
    IP Address:
    Patch Level (if known):
    Database:

    User Laptop Machine


    Web Server
    Domain Name Server
    Time Server
    Other Infrastructure Services

    Mail Server
    NFS/File System Server

    Bulk Hosts
    Bulk Host Information
    (Details):
    Comments (Please detail
    incident):
    Data Compromised:
    Did the attack result in a loss/compromise
    of sensitive or personal information?
    Comments:

    Did the attack result in damage to


    system(s) or date:
    Comments:

    Attacker

    Yes (Specify)

    No

    Other

    Yes (Specify)

    No

    Other

    Both

    FTP Server
    Database Server

    Law Enforcement
    Yes
    No
    Has Law Enforcement Been Notified?
    Remediation:
    Please detail what corrective actions have been taken (specify):
    Comments:

    Lessons Learned Information (Optional)


    Did Your Detection and Response Process and Procedures Work as
    Intended?
    Comments:

    Please provide Discovery Methods and Monitoring Procedures that


    would have Improved Your Ability to Detect an Intrusion.

    Comments:

    Are there Improvements to Procedures and Tools that would have


    Aided You in the Response Process?
    Comments:

    Are there Improvements that would have Enhanced Your Ability to


    Contain an Intrusion?
    Comments:

    Are there Correction Procedures that would have Improved Your


    Effectiveness in Recovering Your Systems?
    Comments:

    You might also like