Published: Jun 6, 2019
Buffer overflow is a vulnerability that was first detected in the 1980s, when Robert Morris created a worm which infected ten percent of the internet in two days. The vulnerability deals with buffers, which are the smallest memory locations for programs that allow direct access to write and read memory (Foster, 2005). A buffer overflow occurs when the data to be stored in a particular buffer spills into subsequent spaces, causing overwriting or excess data reading. In our case, the incident response strategic decisions team has learnt about a potential worm that may compromise the safety of Microsoft IIS servers. Our team has to act fast, since the worm situation may get out of hand in a very short while and the effects may be disastrous.
First, the team has to confirm that the threat is real, meaning we should test to determine the vulnerability. While looking at the source code, our focus is on the areas that require buffer access, modification and use. For example, areas where input is supplied by a user are a potential point for stack overflow, since they are easy to exploit (McGraw, 2004).
Code example:
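#include <stdio.h>

/* Deliberately vulnerable: gets() does no bounds checking on client_answer. */
void askquestion(void) {
    char client_answer[4];
    printf("Was this information helpful? Please answer yes or no: ");
    gets(client_answer);
}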
The code above asks the user a question, prompting a yes or no answer. The user may input 'not-really', forcing the program to crash instead of displaying an error message and prompting the question again.
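A bounded version of the routine above, which shows an error and asks again instead of overflowing, is given here as an added example (it is not code from the original essay). The names ask_question, answer_for and ANSWER_MAX and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ANSWER_MAX 8   /* room for "yes"/"no", the newline and the NUL */

/* Reads one answer from `in`. Returns 1 for yes, 0 for no, -1 on EOF.
 * Input is never written past the end of client_answer. */
int ask_question(FILE *in, FILE *out)
{
    char client_answer[ANSWER_MAX];

    for (;;) {
        fputs("Was this information helpful? Please answer yes or no: ", out);
        if (fgets(client_answer, sizeof client_answer, in) == NULL)
            return -1;                      /* EOF or read error */
        size_t len = strlen(client_answer);
        if (len > 0 && client_answer[len - 1] == '\n') {
            client_answer[len - 1] = '\0';  /* the whole line fit */
        } else if (!feof(in)) {
            /* Line longer than the buffer: discard the rest of it. */
            int c;
            while ((c = fgetc(in)) != '\n' && c != EOF)
                ;
            fputs("Answer too long.\n", out);
            continue;
        }
        if (strcmp(client_answer, "yes") == 0) return 1;
        if (strcmp(client_answer, "no") == 0)  return 0;
        fputs("Please answer yes or no.\n", out);
    }
}

/* Feeds constructed input through ask_question() via a temporary file. */
int answer_for(const char *typed)
{
    FILE *in = tmpfile();
    if (in == NULL) return -2;
    fputs(typed, in);
    rewind(in);
    int result = ask_question(in, stderr);
    fclose(in);
    return result;
}

int main(void)
{
    printf("result: %d\n", answer_for("not-really\nyes\n"));
    return 0;
}
```

The over-long answer from the text is rejected and the question is asked again, so the second line of the constructed input decides the result.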
Process flow diagram to determine strategy to use.
Process flow diagram to determine when to relay information to upper management.
Upper management should be notified as soon as the suspicion is confirmed, since the potential threat could turn into a disaster within moments.
Incident recovery process
Stack attacks
The smallest unit of memory is a stack. The worm overloads the stack and tricks the program into opening malware the attacker has saved elsewhere. The computer then carries out what the code dictates.
Heap attacks
Heap attacks are associated with larger memory spaces, such as those used to store pictures and text. Such an attack is hard for the attacker to implement, since the heap has no direct access to executable code memory.
Arithmetic attacks
Arithmetic attacks come from the improper handling of signed and unsigned numbers in C.
Format attacks
When operating systems require automatic conversion of text strings from a small text format to a larger format, the code may be manipulated such that a buffer overflow is reached.
Mitigation techniques include:
Developing stronger apps in teams and utilizing recent programming languages such as Python and Java.
Updating security systems regularly.
Constantly checking for malware and loopholes for hackers.
Techniques for different disasters.
Since we have successfully identified the problem, we now identify the best strategy to resolve it. Protection techniques can be categorized into:
Static: offers correction to the software with tools such as STOBO and RATS (Viega, 2003).
Dynamic: hardware and software that monitor and protect data at the source or the other end of an overflow.
Isolation: not executing in stack memory and limiting the space of a process (using SPEF and sandboxing).
The main issue in disaster recovery is unpreparedness. Individuals and organizations should be prepared for disaster with backup storage in the cloud, while utilizing data duplication tools to reduce storage costs (Patterson, 2013).
Backup plans should be put in place, carrying out the backups in small chunks over short periods to ensure viability.