Steps in incident handling

Pssst… we can write an original essay just for you.

Any subject. Any type of essay. We’ll even meet a 3-hour deadline.

GET YOUR PRICE

writers online

Steps in incident handling

Incident handling, or incident response, is the structured procedure for addressing security breaches and all incidents related to cyber-attacks. A well-structured incident handling plan has to allow for valid identification of incidents, minimize the damage, and limit the associated impact, while at the same time fixing loopholes to prevent potential attacks in the future.

The first step is advance preparation by establishing a concrete response plan. This plan should be tested before the organization is exposed to a significant attack or a data breach strikes. The planning phase includes the development and documentation of proper policies, provision of communication guidelines, incorporation of intelligent surveillance, and the carrying out of cyber hunting (Cichonski et al., 2012).

Planning is followed by detection and reporting of any potential risks. Triage and analysis follow to ensure that any security incident is properly picked up and reviewed. Here resources are employed to gather data from all systems, geared towards early identification of indicators of compromise. After a threat is recognized, containment and neutralization of the intrusion are activated. This stage is very critical and is based on the indicators of compromise gathered in the previous step. Once the system is restored and verified, normal operations can resume.

Finally, there is a need to look at the post-incident activity. It is imperative to have a comprehensive incident report to enable system developers to monitor the post-incident environment. For instance, logins need to be systematically reviewed to gain insight into anomalous and unusual activities in the system. Events at this stage involve the update of threat intelligence, identification of remedial measures, and critical coordination.
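The systematic login review mentioned above can be made concrete with a small script. The following is an added example written for this essay, not code from the cited guide or any product. It parses constructed sshd-style log lines (the sample log and the baseline of known source addresses are both made up for illustration) and flags the kinds of anomalies a post-incident review looks for: a burst of failed logins from one source, a successful login shortly after such a burst, a login from a source the environment has never seen, and a login outside business hours.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log lines for illustration; not taken from any real system.
SAMPLE_LOG = """\
2024-03-04 09:12:01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50211
2024-03-04 09:40:12 sshd[1202]: Accepted password for bob from 10.0.0.7 port 50320
2024-03-04 02:13:44 sshd[1300]: Failed password for root from 203.0.113.9 port 41000
2024-03-04 02:13:46 sshd[1301]: Failed password for root from 203.0.113.9 port 41001
2024-03-04 02:13:48 sshd[1302]: Failed password for admin from 203.0.113.9 port 41002
2024-03-04 02:13:50 sshd[1303]: Failed password for bob from 203.0.113.9 port 41003
2024-03-04 02:13:52 sshd[1304]: Failed password for bob from 203.0.113.9 port 41004
2024-03-04 02:13:55 sshd[1305]: Accepted password for bob from 203.0.113.9 port 41005
2024-03-04 14:05:00 sshd[1400]: Accepted publickey for alice from 10.0.0.5 port 50900
"""

# Source addresses the environment normally sees (assumed baseline, constructed).
KNOWN_SOURCE_IPS = {"10.0.0.5", "10.0.0.7"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse_log(text):
    """Turn raw log lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def review_logins(events, known_ips, fail_threshold=3, window_s=300, business_hours=(8, 18)):
    """Return findings as (kind, user, ip, timestamp) tuples, in chronological order."""
    findings = []
    recent_failures = defaultdict(list)  # source ip -> timestamps of recent failed logins

    def in_window(ip, now):
        # Drop failures older than the sliding window and return what remains.
        recent_failures[ip] = [t for t in recent_failures[ip]
                               if (now - t).total_seconds() <= window_s]
        return recent_failures[ip]

    for ev in sorted(events, key=lambda e: e["ts"]):
        stamp = ev["ts"].isoformat()
        if not ev["ok"]:
            recent_failures[ev["ip"]].append(ev["ts"])
            # Report the burst once, when the count first reaches the threshold.
            if len(in_window(ev["ip"], ev["ts"])) == fail_threshold:
                findings.append(("failed_login_burst", ev["user"], ev["ip"], stamp))
            continue
        # A success right after a burst of failures is the classic brute-force signature.
        if len(in_window(ev["ip"], ev["ts"])) >= fail_threshold:
            findings.append(("success_after_failures", ev["user"], ev["ip"], stamp))
        if ev["ip"] not in known_ips:
            findings.append(("unknown_source_ip", ev["user"], ev["ip"], stamp))
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            findings.append(("off_hours_login", ev["user"], ev["ip"], stamp))
    return findings


if __name__ == "__main__":
    for finding in review_logins(parse_log(SAMPLE_LOG), KNOWN_SOURCE_IPS):
        print(*finding)
```

On the sample log the script reports one failed-login burst from 203.0.113.9, then a successful login for bob from that same address that is simultaneously after a burst, from an unknown source, and outside business hours; the daytime logins from the baseline addresses produce nothing. The thresholds and the business-hours window are parameters precisely because they are site-specific and should come from the documented policies of the preparation phase.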

Best practices in handling digital evidence

Digital evidence is volatile and fragile, and improper handling easily tampers with it. There are protocols that have to be followed to ensure authenticity during the collection, storage, and transfer of data for analysis. The best practice, therefore, is to follow these four steps towards achieving valid evidence. Initially, there should be identification, collection, and preservation of the evidence.

At identification, the very first information concerning the crime is retrieved, even before gathering digital evidence. A number of questions need to be answered at this level, such as who the culprits were, what the issue was, and when the crime occurred. This gives investigators a chance to decide which agencies need to be involved. Collection of information that can be used as evidence follows immediately; this is not limited to the location of the devices used in the act but also extends to the servers and systems that handled the information. Evidence is acquired from hard disks, smartphones, or optical devices. This points to two types of evidence, logical and physical, both of which are documented (Maras & Miranda, 2017).

Documents from computers, emails, images, and internet communication are sources of electronic information that can be used as evidence. The evidence collected can be either logical or physical. In logical acquisition, existing and deleted files are retrieved, whereas physical acquisition involves locating the data at its actual residence on the storage medium.
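The preservation and transfer steps above rest on one concrete check: a cryptographic hash recorded at collection time lets every later handler prove the evidence is unchanged. The script below is an added example for this essay, not code from the cited sources; it hashes constructed evidence files with SHA-256, writes a chain-of-custody manifest, refuses to record a hand-over unless every item still verifies, and then shows how an edited file and a lost file are detected. The case identifier, file names and custodian names are all made up.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so a large disk image does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def create_manifest(case_id, collector, paths):
    """Record each item's size and SHA-256 at collection time, plus the first custody entry."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "case_id": case_id,
        "items": [{"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths],
        "custody": [{"event": "collected", "by": collector, "at": now}],
    }


def verify_manifest(manifest):
    """Re-hash every item and report (path, 'ok' | 'modified' | 'missing')."""
    results = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            results.append((item["path"], "missing"))
        elif sha256_file(item["path"]) != item["sha256"]:
            results.append((item["path"], "modified"))
        else:
            results.append((item["path"], "ok"))
    return results


def record_transfer(manifest, from_person, to_person):
    """Append a custody entry; the hand-over is recorded only if every item still verifies."""
    problems = [r for r in verify_manifest(manifest) if r[1] != "ok"]
    if problems:
        raise ValueError(f"refusing transfer, integrity problems: {problems}")
    manifest["custody"].append({
        "event": "transferred", "from": from_person, "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return manifest


def demo():
    """Collect two constructed evidence files, verify, hand over, then show tampering being caught."""
    with tempfile.TemporaryDirectory() as workdir:
        mail = os.path.join(workdir, "mailbox_export.txt")   # constructed sample item
        img = os.path.join(workdir, "disk_image.bin")        # constructed sample item
        with open(mail, "w") as fh:
            fh.write("From: alice@example.invalid\nSubject: constructed sample message\n")
        with open(img, "wb") as fh:
            fh.write(bytes(range(256)) * 64)

        manifest = create_manifest("CASE-0001", "first responder", [mail, img])
        clean = verify_manifest(manifest)
        record_transfer(manifest, "first responder", "forensic analyst")

        # Simulate mishandling after the hand-over: one item edited, one lost.
        with open(mail, "a") as fh:
            fh.write("X-Edited: yes\n")
        os.remove(img)
        tampered = verify_manifest(manifest)
        return clean, tampered, len(manifest["custody"])


if __name__ == "__main__":
    before, after, entries = demo()
    print("before hand-over:", before)
    print("after mishandling:", after)
    print("custody entries:", entries)
```

The manifest itself is the record that accompanies the evidence: it is written once at collection and only appended to at each transfer. Because any change to a single bit produces a different SHA-256 digest, a mismatch at verification time is sufficient to show that the item can no longer be relied on as collected, which is exactly the authenticity property the protocols above exist to protect.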

References

Maras, M. H., & Miranda, M. D. (2017). Overlooking forensic evidence? A review of the 2014 International Protocol on the Documentation and Investigation of Sexual Violence in Conflict. Global Security: Health, Science, and Policy, 2(1), 10-21.

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide. NIST Special Publication, 800(6