@ISACA Volume 25, 16 December 2015

The Tools Available for Incident Response

By Leighton Johnson, CISA, CISM, CIFI, CISSP

There are a series of tools needed in today’s cyberincident response efforts. Incident handlers should be familiar with each of these to properly respond to and handle various types of incidents that occur in the corporate environment:

  1. File system navigation tools—Many operating systems come with an embedded file navigation mechanism. There are also many external third-party tools available for use during incidents and investigations. Each tool has features and components that allow users to search for specific file extensions, file metadata and other file parameters.
  2. Imaging tools for bit-stream image copies—One of the basic requirements for any incident response (IR) investigation is to capture the data in a format that allows for examination of the complete data set being retrieved. There are 2 primary areas where this process is applied in incident handling:
    • Bit copy image that covers the entire media where the data are found
    • File system imaging where the data structures are defined and stored
    Disk imaging is the process of making a bit-by-bit copy of a disk. Imaging (in more general terms) can apply to anything that can be considered as a bit-stream (e.g., a physical or logical volume, network streams, file directories). There are many tools and programs available to conduct these bit-stream image activities. However, always ensure that the organization has tested and validated the tools before using them in a real-time capture event.
  3. Hashing tools—Each and every time an evidence component is captured, a cryptographic hash of it is to be computed and recorded to ensure its integrity. This process is known as hashing because the one-way functions that reduce the captured data to a fixed-length output are known as hash functions. Remember that the primary purpose is integrity—to scientifically prove the data have been unaltered when reviewing and examining them. The integrity hash does not indicate where in the data an alteration has occurred; by recalculating the hash at a later time and comparing it with the recorded value, one can determine only whether the data in the disk image have been changed.
  4. Binary search tools—The tools used for binary search have the purpose of examining files to reveal bit patterns within. These tools look for specific patterns and types of data sequences found in known and unknown file types. Data can be altered during storage and transmittal, and the incident handler must be aware of and look for this when evaluating files and data components; these tools assist in that endeavor.
  5. File chain and directory navigation tools—File chain and directory navigation tools are designed to trace dependencies and linking of files across systems and applications. These tools help determine possible alternate data streams and assist in the review of binding of files and libraries to executables.
  6. Log management tools—With the advent of big data and advanced persistent threat (APT) analysis efforts, there are now a series of tools that receive log files from various devices on the network and correlate them by time and event. This allows dashboard reviews by handlers and managers, and it provides automated detailed analysis and the ability to conduct deep data search efforts and actions.
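The following is an added example, not part of the original article or any vendor tool, illustrating items 3 and 4 above: it hashes a bit-stream image chunk by chunk (as an imaging tool must for media larger than memory), verifies the image later against the recorded digest, and scans the same image for well-known file-header patterns. The sample image and the tampering offset are constructed for the demonstration.

```python
import hashlib

# Known file-header signatures ("magic bytes") that a binary search tool
# looks for. These three are well-known public values; the list is kept short.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}

def hash_stream(data: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash a bit-stream image chunk by chunk, as an imaging tool would for
    a disk far larger than memory. Returns the hex SHA-256 digest."""
    h = hashlib.sha256()
    for start in range(0, len(data), chunk_size):
        h.update(data[start:start + chunk_size])
    return h.hexdigest()

def verify_image(data: bytes, recorded_digest: str) -> bool:
    """Recompute the digest later and compare it with the one recorded at
    capture time. A mismatch proves alteration but not where it happened."""
    return hash_stream(data) == recorded_digest

def find_signatures(data: bytes) -> list[tuple[int, str]]:
    """Scan an image for known header patterns, reporting (offset, type)
    for every occurrence, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def flip_bit(data: bytes, offset: int, bit: int = 0) -> bytes:
    """Return a copy of the image with one bit toggled (simulates tampering)."""
    buf = bytearray(data)
    buf[offset] ^= 1 << bit
    return bytes(buf)

# Constructed sample "image": filler bytes with a PNG and a PDF header embedded.
SAMPLE_IMAGE = (b"\x00" * 512 + SIGNATURES["png"] + b"\x00" * 1000
                + SIGNATURES["pdf"] + b"1.7\n" + b"\xff" * 2000)

if __name__ == "__main__":
    digest = hash_stream(SAMPLE_IMAGE)          # record this at capture time
    print("recorded:", digest)
    print("intact  :", verify_image(SAMPLE_IMAGE, digest))
    print("tampered:", verify_image(flip_bit(SAMPLE_IMAGE, 1700), digest))
    print("headers :", find_signatures(SAMPLE_IMAGE))
```

Note that the tampered image fails verification even though only one bit at an arbitrary offset changed, which is exactly why the hash proves alteration without locating it.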

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Volunteer at Your Convenience


The role of volunteers is vital to the ongoing work of ISACA, and new volunteer opportunities are being created throughout the year. By signing up to volunteer, you contribute to the momentum of ISACA, build your professional portfolio and expand your global network of colleagues.

Volunteer time commitments range from year-long engagements to increments as short as an hour of your time. ISACA projects allow for you to be involved when it is most convenient according to the demands of your personal and professional life.

Here are new opportunities of varying time commitments now available:

Chapter Communication Award Working Group
Estimated time commitment: 2 months; 8-10 hours per month
The Communication Award Working Group will judge all eligible chapters for the annual chapter communication award. The Communication Award was developed to recognize ISACA chapters that plan and execute great communication with their constituents. The working group will also review and suggest enhancements to the Communication Award submission process and provide suggested improvements to the judging process.

Communities Working Group
Estimated time commitment: 6 months to 1 year; 1-5 hours per month
The Communities Working Group will identify and support activities to encourage participation in ISACA online communities. The group will develop new programs to promote awareness and growth of the online communities and support ongoing programs, including the topic leader and badge incentive programs.

Digital Business Strategy Working Group
Estimated time commitment: 3 to 6 months; 1-5 hours per month
The Digital Business Strategy Working Group will participate in the development of a strategy to support the digital business research area. Specifically, the group will help ISACA understand market needs in the governance and technology transformation space, identify ISACA’s position in the marketplace in these areas, and identify the nature of products that will be useful to ISACA members and that will attract new engaged professionals from new communities.

K. Wayne Snipes Award Judging Working Group
Estimated time commitment: 2 months; 8-10 hours per month
The K. Wayne Snipes Award Judging Working Group will judge all eligible chapters for the annual K. Wayne Snipes Award. Established in 1989, the K. Wayne Snipes Chapter Recognition Award provides recognition to ISACA chapters that meet or exceed service goals by actively supporting local membership and, thus, ISACA.

For more information on these and other opportunities and to sign up, visit the Volunteering page of the ISACA web site.


Standing Out With a CISM Certification

Teju Oyewole, CISA, CISM, CRISC, CISSP, CSOE, ISO 27001 LA, MBCS, Shares His Experience as a CISM

Teju Oyewole has never feared having all eyes on him. Throughout his career, Oyewole has tried to stand out and make his presence known, and his Certified Information Security Manager (CISM) certification has helped him accomplish this goal. “As a CISM, so many eyes are always on me within the organization,” he says. “I am responsible for providing governance and management of information security, demonstrating expertise to ensure regulatory security compliance, conducting security reviews, evaluating risk, and developing security policies and processes. Most importantly, I work with C-level executives and turn the strategic plan into actionable tasks.”

The rapidly changing nature of information security presents a challenge to enterprises, but Oyewole feels that his CISM certification has helped him develop a strong control management style. “The threat landscapes are changing in an exponential manner. However, information risk still needs to be kept at an acceptable level, and this poses a huge challenge in the management of information security,” he says. “But, by virtue of my CISM certification, I have the expertise to deliver the ultimate objectives: risk optimization, resource optimization and benefits realization.”

While the CISM certification has shaped Oyewole’s career, he also applies the skills from the certification to his daily life. Oyewole always considers safety and security. “Rigorous preparation for my CISM certification has tweaked my thinking, so I also approach nonsecurity issues using professional skepticism to realize risk reduction.”

Oyewole encourages those interested in pursuing the CISM certification to think about the credibility the certification lends. Because of the CISM certification, “I am well-identified and pride myself on my achievements in my chosen career,” he says. “Simply put, my CISM certification commands respect and honor for me.”

To learn more about ISACA certifications, visit the Certification page of the ISACA web site.


Book Review: Blindsided: A Manager’s Guide to Crisis Leadership

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

Numerous disasters and incidents over the past century have affected nations, businesses and societies, leaving government and business leaders perplexed about how to handle the resultant chaos and damage. The lack of adequate information on this topic has left some firms ruined because of inadequate crisis reaction plans. This is where Blindsided: A Manager’s Guide to Crisis Leadership can play a valuable role for enterprises.

The book breaks down dominant paradigms in crisis management and unveils 2 crisis leadership strategies: crisis response and crisis preparedness. The author articulates the techniques and skills required to create a preparedness program, as proactive planning can help enterprises avoid errors related to crisis issues.

Key highlights of the book include chapter action checklists that provide rapid-response implementation guidelines. A valuable list of do’s and don’ts for communicating tragic events is included. The book also contains incident management checklists for major crises such as accidental death, civil unrest, natural disasters and more. There are also practical case studies and team dynamics scenarios to prepare crisis teams for eventualities.

Crisis intelligence is now more critical than ever to information systems auditors, business leaders, and IT governance, security and administrative professionals, because anything that halts an entire branch’s operation goes beyond the confines of traditional crisis approaches and extends to postevent handling, media interface tactics, branding techniques, diplomacy and people management. The content is simple, offering concrete, applicable techniques that boost the reader’s crisis intelligence and skill set.

The book is essentially 2 books in 1. The 1st part covers response once the event has happened. Here the author shares his extensive experience, tools and methods to ensure that the reader and crisis teams are not blindsided by the incident. The leadership techniques tested by the author for major global companies and governments are useful and relevant to all business sectors.

The 2nd part deals with crisis preparedness and the processes that are geared to preserve establishments from danger. The forecasting and predictive skills for this purpose are outlined to help users develop a master plan for crisis response before a crisis hits the organization. Overall, this book is valuable complementary material for disaster recovery and business continuity plans.

Blindsided: A Manager's Guide to Crisis Leadership is available from the ISACA Bookstore. For more information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. Etea also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).