CEHv6 Module 57 Computer Forensics and Incident Handling pdf pdf

Ethical Hacking and

Counterm easures Counterm easures Version 6

Mo d u le LVII Com puter Forensics

and Incident Handling g

Scenario OrientRecruitm entInc is an online hum an resource recruitm ent firm

The web server of the firm is a critical link. Neo, the network adm inistrator sees som e unusual activity that is targeted towards the web server. The web server is overloaded with a ge ed o a ds e eb se e e eb se e s o e oaded connection requests from huge num ber of different sources. Before he could realize the potential of the attack, the website of O i OrientRecruitm entInc falls prey to the m uch fam ous Denial of tR it tI f ll t th h f D i l f Service Attack.

The com pany m anagem ent calls up the local Incident Response Team to look into the m atter and solve the DoS issue.

What steps will the incident response team take to investigate the attack? attack?

Module Objective

This m odule will fam iliarize you with: This m odule will fam iliarize you with:

Com puter Forensics • What is an Incident • What is an Incident • Categories of Incidents • Incident Response Checklist • Procedure for Handling Incident g
Incident Managem ent
Incident Reporting • What is CSIRT
Types of Incidents and Level of Support • Incident Specific Procedures • Best Practices for Creating a CSIRT
World CERTs W ld CERT

Module Flow

Com puter Forensics Incident Reporting

What is CSIRT What is an Incident Categories of Incidents

Types of Incidents and Level of Support

Incident Response Checklist Incident Specific Procedures

Best Practices for Creating a CSIRT Procedure for

Handling Incident World CERTs

Incident Managem ent

To Kn o w Mo re Ab o u t To Kn o w Mo re Ab o u t Co m p u te r Fo re n s ics , A d EC C il’ CH FI Atte n d EC-Co u n cil’s CH FI

P ro gra m P ro gra m

Com puter Forensics C t F i

What is Com puter Forensics

“The preservation, identification, extraction, interpretation, and docum entation of com puter evidence, to include the rules of evidence, docum entation of com puter evidence to include the rules of evidence legal processes, integrity of evidence, factual reporting of the inform ation found, and providing expert opinion in a court of law or other legal and/ or adm inistrative proceeding as to what was found.” "Forensic Com puting is the science of capturing, processing and investigating data from com puters using a m ethodology whereby any investigating data from com puters using a m ethodology whereby any evidence discovered is acceptable in a Court of Law.”

Need for Com puter Forensics

“Com puter forensics is equivalent of surveying a crim e scene or perform ing an autopsy on a victim ” p y {Source: J am es Borek 20 0 1} Presence of a m ajority of electronic docum ents Presence of a m ajority of electronic docum ents

Search and identify data in a com puter Search and identify data in a com puter Digital Evidence can be easily destroyed, if not handled properly Digital Evidence can be easily destroyed if not handled properly For recovering Deleted, Encrypted, or Corrupted files from a system For recovering Deleted Encrypted or Corrupted files from a system

Objectives of Com puter Forensics To recover, analyze and present com puter To recover, analyze and present com puter- based m aterial in such a way that it can be p re s e n te d a s e vid e n ce in a co u rt o f la w To identify the evidence in short tim e, estim ate potential im pact of the m alicious activity on the victim , and assess the intent and identity of y the perpetrator

Stages of Forensic Investigation in Tracking Cyber Crim inals Tracking Cyber Crim inals

An Incident occurs in Whi h h C ’

The Client contacts the

C ’ Ad

The Advocate contracts E l F i Which, the Com pany’s Server is com prom ised

Com pany’s Advocate

for Legal Advice

an External Forensic

Investigator The Forensic Investigator Prepares First Response of Procedures (FRP)

The FI seizes the

evidences in the Crim e

scene & transports

them to the Forensics Lab

The Forensic Investigator (FI) prepares the Bit-Stream im ages of the files The Forensic Investigator creates an MD5 # of the files

The Forensic Investigator

exam ines the evidence

files for proof of a Crim e

The FI prepares Investigation reports and concludes the Investigation, enables the

Advocate identify required proofs dvocate de t y equ ed p oo s The FI handles the sensitive Report to the The Advocate studies the

report and m ight press charges

The Forensic Investigator usually destroys sensitive Report to the Client in a secure m anner

against the offensive in

the Court of Law

usually destroys all the evidences

Key Steps in Forensic Investigations Investigations

Com puter crim e is suspected

Collect prelim inary evidence
Obtain court warrant for seizure (if required)
Perform first responder procedures
Seize evidence at the crim e scene
Transport them to the forensic laboratory
Create 2 bit stream copies of the evidence

p p

Key Steps in Forensic Investigations (cont’d) Investigations (cont d)

Generate MD5 checksum on the im ages

Prepare chain of custody

Store the original evidence in a secure location

Analyze the im age copy for evidence

Prepare a forensic report

Subm it the report to the client

If required, attend the court and testify as expert witness

List of Com puter Forensics Tools

Process Explorer Helix Autoruns Irfan View

Pslist Fport Adapterwatch Necrosoft Dig

Psloggedon RegScanner Visual Tim eAnalyzer Evidor

X-Ways Forensics Traces Viewer Ontrack Forensic Sorter

Sleuth Kit SMART Directory Snoop Penguin Sleuth Kit

Incident Handling I id H dli

Present Networking Scenario

Increase in the num ber of com panies venturing into e-business coupled with high Internet usage l d ith hi h I t t Decrease in vendor product developm ent cycle and product testing cycle i l Increase in the com plexity of Internet as a network Increase in the com plexity of Internet as a network Alarm ing increase in intruder activities and tools, expertise of g

, p hackers, and sophistication of hacks Lack of thoroughly trained professionals as com pared to the Lack of thoroughly trained professionals as com pared to the num ber and intensity of security breaches What is an Incident Com puter security incident is defined as “Any real or suspected adverse event in relation to the security of com puter system s or com puter event in relation to the security of com puter system s or com puter networks”

Source: www.cert.org

It also includes external threats such as gaining access to system s, disrupting their services through m alicious spam m ing, execution of m alicious codes that destroy or corrupt system s m alicious codes that destroy or corrupt system s

Category of Incidents: Low Level Low level incidents are the least severe kind of incidents Low level incidents are the least severe kind of incidents They should be handled within one working day after the event occurs They should be handled within one working day after the event occurs

They can be identified when there is:

Loss of personal password Suspected sharing of organization s accounts Suspected sharing of organization ’s accounts

Unsuccessful scans and probes Presence of any com puter virus or worm s Category of Incidents: Mid Level The incidents at this level are com paratively m ore serious and thus, should be h i id hi l l i l i d h h ld b handled the sam e day the event occurs

They can be identified by observing:

Violation of special access to a com puter or com puting

Violation of special access to a com puter or com puting facility

Unfriendly em ployee term ination
Unauthorized storing and processing data
Destruction of property related to a com puter incident (less p p y p ( than $ 10 0 ,0 0 0 )
Personal theft of data related to com puter incident($ 10 0 ,0 0 0 )
Com puter virus or worm s of com paratively larger intensity

Ill l t b ildi Illegal access to buildings

Category of Incidents: High Level These are the m ost serious incidents and are considered as “Major” in nature High level incidents should be handled im m ediately after the incident occurs

These include:

Denial of Service attacks
Suspected com puter break-in
Com puter virus or worm s of highest intensity; e.g. Trojan back door back door
Changes to system hardware, firm ware, or software without authentication
Destruction of property exceeding $ 10 0 ,0 0 0
Personal theft exceedin g $ 10 0 ,0 0 0 and illegal electronic g g fund transfer or download/ sale
Any kind of pornography, gam bling, or violation of any law

How to Identify an Incident

A system alarm from an intrusion detection tool indicating security breach Suspicious entries in a network Accounting gaps of several m inutes with no accounting log Other events like unsuccessful login attem pts, unexplained new user or files, attem pts to write system files, m odification, or deleting of data s stem files m odification or deleting of data Unusual usage patterns, such as program s bein g com piled in the account of users who are non-program m ers

How to Prevent an Incident

A key to preventing security incidents is to elim inate as m any vulnerabilities

as possible ibl

Intrusions can be prevented by: Intrusions can be prevented by:

Scanning the network/ system for security loopholes
Auditing the network/ system
Deploying Intrusion Detection/ Prevention System s on the network/ system
Establishing Defense-in-Depth
Securing Clients for Rem ote Users

Defining the Relationship between Incident Response, Incident Handling, and Incident Managem ent Managem ent

Incident Response Checklist

Potential Incident Verified Contact departm ent/ agency security staff

I.T. Manager -
[designee/ others by departm ent procedure] - [ g / y p p ]

Security designee will contact CSIRT m em ber

Call 8 0 2-250 -0 525 (GOVnet Beeper)
GOVnet will then contact CSIRT m em bers (csirt@.state.vt.us) ( @ )
If no response within ten m inutes call the Office of the CIO

Isolate system (s) from GOVnet [unless CSIRT decision is to leave the system connected to m onitor active hacker] Begin a log book - who/ what / when / where Identify the type of Incident - Virus, worm , and hacker Prelim inary estim ation of extent of problem , num ber of system s

Incident Response Checklist (cont d) (cont’d) Contact local police authority with jurisdiction at location of incident (This MUST BE coordinated with CSIRT) Follow server/ operating system specific procedures to snapshot the system Inoculate/ restore the system Inoculate/ restore the system Close the vulnerability and ensure that all patches have been installed Return to norm al operations Prepare report and conduct follow-up analysis Revise prevention and screening procedures Re m e m be r to lo g a ll a ctio n s !

Handling Incidents

Incident handling helps to find out trends and patterns regarding intruder activity by analyzing it intruder activity by analyzing it It involves three basic functions:

Incident reporting,
Incident analysis, and
Incident response

It recom m ends network adm inistrators for recovery, containm ent, and prevention to constituents It allows incident reports to be gathered in one location so that exact It ll i id t t t b th d i l ti th t t trends and pattern can be recognized and recom m ended strategies can be em ployed I h l It helps the corresponding staffs to understand the process of h di ff d d h f responding and to tackle unexpected threats and security breaches

Procedure for Handling Incident

The incident handling process is divided into six stages These stages are:

Preparation • Identification • Containm ent
Eradication E di ti
Recovery • Follow-up

Stage 1: Preparation

Preparation enables easy coordination am on g staff p y g Create a policy Develop preventive m easures to deal with threats Obtain resources required to deal with incidents effectively Develop infrastructure to respond and support Develop infrastructure to respond and support activities related to incident response Select team m em bers and provide training Select team m em bers and provide training

Stage 2: Identification

Identification involves validating, identifying, and reporting the incident reporting the incident Determ ining the sym ptom s given in ‘how to identify an incident’ Identifying the nature of the incident Identifying events Protecting evidence Reporting events

Stage 3: Containm ent

Containm ent lim its the extent and intensity of an incident Containm ent lim its the extent and intensity of an incident It avoids logging as root on the com prom ised system It avoids logging as root on the com prom ised system Avoid conventional m ethods to trace back as this m ay alert the attackers k Perform the backup on the system to m aintain the current state of the system for facilitating the post-m ortem and forensic the system for facilitating the post-m ortem and forensic investigation later Change the system passwords to prevent the possibility of g y p p p y Spywares being installed

Stage 4: Eradication

Investigate further to uncover the cause of the incident by analyzing system logs

of various devices such as firewall, router, and host logs Im prove defenses on target host such as:

Reloading of a new operating system Reloading of a new operating system
Enabling firewalls
Assigning new IP address

Install all the latest patches Install all the latest patches Disable any unnecessary services Install anti-virus software Apply the Com pany’s security policy to the system

Stage 5: Recovery

Determ ine the course of actions Determ ine the course of actions Monitor and validate system s y Determ ine integrity of the backup itself by m aking an attem pt to read its data attem pt to read its data Verify success of operation and norm al condition of system Monitor the system by network loggers, system log files, and potential back doors potential back doors

Stage 6: Follow-up

Post-m ortem analysis:

Perform a detailed investigation of the incident to identify the extent of the incident and potential im pact prevention m echanism s

Revise policies and procedures from the lessons learned from the past Determ ine the staff tim e required and perform the following cost analysis: f th f ll i t l i

Extent to which the incidents disrupted the organization
Data lost and its value
Dam aged hardware and its cost

Stage 6: Follow-up (cont’d)

Docum ent the response to incident by finding answers to the following:

Was the preparation for the incident sufficient? Whether the detection occurred prom ptly or not, and why? Using additional tools could have helped or not? Using additional tools could have helped or not? Was the incident contained? What practical difficulties were encountered? Was it com m unicated properly?

Incident Managem ent Incident m anagem ent is not just responding to an incident when it happens but includes proactive activities that help prevent incidents by providing guidance includes proactive activities that help prevent incidents by providing guidance against potential risks and threats Includes the developm ent of a plan of action, a set of processes that are consistent, p p , p

, repeatable, of high quality, m easurable, and understood within the constituency

Who perform s Incident Managem ent?

Hum an resource personnel Legal council The firewall m anager An outsourced service provider

Incident Managem ent (cont’d) Figure : Five High-Level Incident Managem ent Processes g g g

Why don’t Organizations Report Com puter Crim es Com puter Crim es Misunderstanding the scope of the problem

This does not happen to other organizations

Proactive reporting and handling of the incident will allow m any organizations to put their spin on the m edia reports Potential loss of custom ers Desire to handle things internally Lack of awareness of the attack

Estim ating Cost of an Incident Tangible: Can be quantified g q

Lost productivity hours
Investigation and recovery efforts
Loss of business L f b i
Loss or theft of resources

Intangible: More difficult to identify and Intangible: More difficult to identify and quantify

Dam age to corporate reputation
Loss of goodwill Loss of goodwill
Psychological dam>Those directly im pacted m ay feel victim ized
May im pact m orale or initiate >Legal liability Legal liability
Effect on shareholder value

Whom to Report an Incident

Incident reporting is the process of reporting the inform ation regarding p g p p g g g the encountered security breach in a proper form at The incident should be reported to the CERT Coordination center, site security m anager, or other sites It can also be reported to law enforcem ent agencies such as FBI,USSS Electronic crim es branch, or Departm ent of Defense Contractors It should be reported to receive technical assistance and to raise security awareness to m inim ize the losses

Incident Reporting

When a user encounters any breach, report the following:

Intensity the security breach Circum stances, which revealed the vulnerability Sh Shortcom ings in the design and im pact or level of weakness t i i th d i d i t l l f k Entry logs related to intruder’s activity Specific help needed should be clearly defined Correct tim e-zone of the region an d synchronization inform ation of the system with a Nation al tim e server via NTP

Vulnerability Resources

US-CERT Vulnerability Notes Database:

Descriptions of these vulnerabilities are available from this web page in a searchable database form at, and are published as "US-CERT Vulnerability Notes".

NVD (National Vulnerability Database):

Integrates all publicly available U.S. Governm ent vulnerability resources and provides references to industry resources

CVE (Com m on Vulnerabilities and Exposures List):

List or dictionary of publicly known in form ation security vulnerabilities and exposures international in scope an d free for public use l d f f bl

OVAL (Open Vulnerability Assessm ent Language):

A three-leveled vulnerability handling m ethod consisting of a characteristics schem a for collecting configuration data from system s for testing

What is CSIRT

Com puter Security Incident Response Team (CSIRT): p y p ( ) Incident Response Services 24x7 CSIRT provides 24x7 Com puter Security Incident Response Services to any user, com pany, governm ent agency or organization CSIRT provides a reliable and trusted single point of contact for reporting com puter security incidents worldwide security incidents worldwide CSIRT provides the m eans for reporting incidents and for dissem inating im portant i id d f di i i i incident-related inform ation

CSIRT: Goals and Strategy

CSIRT’s goals: CS s goa s:

To organize the m anagem ent of security problem s by taking a proactive approach to our custom ers’ security vulnerabilities and by responding effectively to potential inform ation security incidents i id t
To m inim ize and control the dam age
To provide or assist with effective response and recovery
To help prevent future events

Strategy of CSIRT:

It provides a single point of contact for reporting local t p o des a s g e po t o co tact o epo t g oca problem s
It identifies and analyzes what has happened including the im pact and threat
It researches solutions and m itigation strategies g g
It shares response options, inform ation, and lessons learned

Why an Organization needs an Incident Response Team Incident Response Team

Incident Response T h l It i f li d t A d h t it Team helps organizations to recover from com puter security b h d h

It is a form alized team

that perform s incident

response work as its

m ajor job function

As an ad-hoc team , it is responsible for ongoing com puter security incident breaches and threats

CSIRT Case Classification In cid e n t Ca te go rie s : All incidents m anaged by the CSIRT should be classified into one of the categories listed in the table below Types of Incidents and Level of Support The Com puter Security Incident Response Team will assign resources according to the following priorities, listed in the

Support

resources according to the following priorities, listed in the decreasing order:

Threats to the physical safety of hum an beings
Root or system -level attacks on an y m achine either m ulti-user or dedicated-

y y purpose

Com prom ise restricted confidential service accounts or software installations, in particular those with authorized access to confidential data
Denial of service attacks on any of the above two item s e a o se v ce attac s o a y o t e above t o te s
Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks, and destructive virus outbursts
Com prom ise of individual user accounts, i.e. unauthorized access to a user or service account service account
Forgery and m isrepresentation, and other security-related violations of local rules and regulations, e.g. Netnews and e-m ail forgery, unauthorized use of

IRC bots

Types of incidents other than those m entioned above will be prioritized Types of incidents other than those m entioned above will be prioritized according to their apparent severity and extent

Incident Specific Procedures-I (Virus and Worm Incidents) (Virus and Worm Incidents)

Step 1: Isolate the system Step 2: Notify appropriate people Step 3: Identify the problem Step 4: Include the virus or worm

Step 5: Inoculate the system (s) Step 6: Return to a norm al operating m ode Step 7: Follow up analysis p 7 p y

Incident Specific Procedures-II (Hacker Incidents) (Hacker Incidents)

(A) Attem pted Probes into a State of Verm ont System

Step 1: Identify the problem
Step 2: Notify appropriate people
Step 3: Identify the Hacker • Step 4: Notify CERT
Step 5: Follow up analysis • Step 5: Follow up analysis

(B) Active Hacker Activity

Step 1: Notify Appropriate People p y pp p p
Option 1: Rem oval of Hacker from the sy
Step 2: Snap-shot the System • Step 3: Lock out the Hacker • Step 4: Restore the System • Step 5: Notify other Agencies • Step 5: Notify other Agencies • Step 6: Follow up Analysis • Option 2: Monitoring of Hacker Activity

Incident Specific Procedures-III (Social Incidents, Physical Incidents) (Social Incidents, Physical Incidents)

Social Incidents:

Step 1: Identify Potential Risk • Log all actions* Physical Incidents:
Step 2: Notify Appropriate People • Step 2: Notify Appropriate People • Log all actions*

How CSIRT Handles Case: Steps

KEEP A LOG BOOK

INFORM THE APPROPRIATE PEOPLE MAINTAIN LIST OF CONTACTS RELEASE THE

INFORMATION O FOLLOW UP ANALYSIS REPORT Exam ple of CSIRT In te rn a l CS IRT provides services to their parent organization such as

bank, m anufacturing com pany, university, or any governm ent agencies

N a tio n a l CS IRT

provides services to the entire nation exam ple being J apan Com puter Em ergency Response Team Coordination Center J apan Com puter Em ergency Response Team Coordination Center (J PCERT/ CC)

An a lys is Ce n te rs

synthesize data, determ ine trends, and patterns in an incident activity to predict future activity or provide early warnings

Ve n d o r te a m s Ve n d o r te a m s

identify vulnerabilities in software and hardware products identify vulnerabilities in software and hardware products

In cid e n ts Re s p o n s e P ro vid e rs In cid e n ts Re s p o n s e P ro vid e rs

offer services to paid clients offer services to paid clients

Best Practices for Creating a CSIRT CSIRT

Obtain m anagem ent support and buy-in

Determ ine the CSIRT strategic plan
Gather relevant inform ation
Design the CSIRT vision
Com m unicate the CSIRT vision and operational plan
Begin CSIRT im plem entation
Announce the operational CSIRT

Step 1: Obtain Managem ent Support and Buy-in Support and Buy in

Without m anagem ent approval and support, creating an effective incident response capability can be extrem ely difficult and problem atic Once the team is established, how is it m aintained and expanded with budget, personnel, and equipm ent resources? d d ith b d t l d q i t ? Will the role and authority of the CSIRT continue to be backed by m anagem ent across the various constituencies or parent organization?

Step 2: Determ ine the CSIRT Developm ent Strategic Plan Developm ent Strategic Plan

Are there specific tim efram es to be m et? Are they realistic, and if p y , not, can they be changed?

Is there a project group? Where do the group m em bers com e from ? How do you let the organization know about the developm ent of the CSIRT? If you have a project team , how do you record and com m unicate the inform ation you are collecting, especially if the team is geographically dispersed? hi ll di d?

Step 3: Gather Relevant Inform ation Inform ation

Meet with key stakeholders to discuss the expectations, strategic direction, definitions, and responsibilities of the CSIRT The stakeholders could include:

Business m anagers i
Representatives from IT
Representatives from the legal departm ent
Representatives from hum an resources Representatives from hum an resources
Representatives from public relations
Any existing security groups, including physical security
Audit and risk m anagem ent specialists

Step 4: Design your CSIRT Vision Vision In creating your vision you should:

In creating your vision, you should:

Identify your constituency: Who does the CSIRT support and service?
Define your CSIRT m ission, goals, and objectives: What does the CSIRT do

y , g , j for the identified constituency?

Select the CSIRT services to provide to the constituency (or others): How does the CSIRT support its m ission?
Determ ine the organizational m odel: How is the CSIRT structured and g organized?
Identify required resources: What staff, equipm ent, and infrastructure is needed to operate the CSIRT?
Determ ine your CSIRT funding: How is the CSIRT funded for its initial Determ ine your CSIRT funding: How is the CSIRT funded for its initial startup and its long-term m aintenance and growth?

Step 5: Com m unicate the CSIRT Vision Vision

Com m unicate the CSIRT vision Com m unicate the CSIRT vision and operational plan to As appropriate, m ake adjustm ents m anagem ent, constituency, and to the plan based on their feedback others who need to know and understand its operations understand its operations

Step 6: Begin CSIRT Im plem entation Im plem entation

Hire and train initial CSIRT staff Hire and train initial CSIRT staff Buy equipm ent and build any necessary network infrastructure to support y q p y y pp the team

Develop the initial set of CSIRT policies and procedures to support your Develop the initial set of CSIRT policies and procedures to support your services D fi Define the specifications for and build your incident-tracking system h ifi i f d b ild i id ki Develop incident-reporting guidelin es and form s for your constituency

Step 7: Announce the CSIRT

When the CSIRT is operational, announce it to the constituency or parent organization It is best if this announcem ent com es from sponsoring m anagem ent Include the contact inform ation and hours of operation for the CSIRT in the announcem ent This is an excellent tim e to m ake the CSIRT incident-reporting guidelines available

World CERTs http:/ / www.trusted-introducer.nl/ team s/ country.htm l http:/ / www.trusted introducer.nl/ team s/ country.htm l

Asia Pacific CERTs

Australia CERT (AUSCERT)
Hong Kong CERT (HKCERT/ CC)
Indonesian CSIRT (ID-CERT)
J apan CERT-CC (J PCERT/ CC) p /
Korea CERT (CERT-KR)
Malaysia CERT (MyCERT)
Pakistan CERT(PakCERT)
Singapore CERT (SingCERT)
Taiwan CERT (TWCERT) • Taiwan CERT (TWCERT)
China CERT (CNCERT/ CC)

North Am erican CERTs

CERT-CC
US-CERT
Canadian Cert • Cancert Cancert • Forum of Incident Response and Security Team s
FIRST

World CERTs (cont’d) South Am erican CERTs

CAIS
CAIS- Brazilian Research Network CSIRT
NIC BR Security Office Brazilian CERT y
NBS

European CERTs

EuroCERT
FUNET CERT
CERTA
DFN-CERT
J ANET-CERT
CERT-NL
UNINETT-CERT
CERT-NASK
Swiss Academ ic and Research Network CERT

http:/ / www.first.org/ about/ organization/ team s//

http:/ / www.apcert.org/ about/ structure/ m e m bers.htm l

Sum m ary

Increase in the num ber of products and relative increase in the num ber of hacking tools has put security in the spotlight hacking tools has put security in the spotlight Com puter security incident is defined as any real or suspected adverse event in relation to the security of com puter system s or com puter networks Handling Incidents involves three basic functions: incident reporting, incident analysis, and incident response Incident reporting is the process of reporting the inform ation regarding the encountered security breach in a proper form at CSIRT provides rapid response to m aintain the security and integrity of the system s Without m anagem ent approval and support, creating an effective incident Without m anagem ent approval and support creating an effective incident response capability can be difficult and problem atic