Incident Response Management
Montu Das
Most of the magazines and web sites that deal with information technology have highlighted computer security incident response as an important component of information technology (IT) programs. This can be seen as a direct consequence of the phenomenal changes that security-related threats have undergone. These threats have not only increased in number; they have become more diverse and have gained the ability to damage and disrupt. New types of security-related incidents emerge frequently. The rising concern of how to tackle these threats can be addressed through a preventive approach.
A preventive approach involves implementing controls that are designed based on the results of risk assessments. These controls, if implemented and maintained effectively, can lower the number of incidents. However, not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. To get the most out of the incident response program, the organization needs to design guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines need to address the particular hardware platforms, operating systems, protocols, and applications in use at the organization.
Designing, creating and maintaining an effective incident response program is a complex undertaking. It requires:
- Substantial planning and resources.
- Continuous monitoring of threats through intrusion detection systems and other available mechanisms.
- Establishing clear procedures for assessing the current and potential business impact of incidents.
- Implementing effective methods of collecting, analyzing, and reporting data.
- Building relationships and establishing suitable means of communication with other internal groups (e.g., human resources, legal) and with external groups (e.g., other incident response teams, law enforcement).
Organizations need to establish computer security incident response capabilities and handle incidents efficiently and effectively. More specifically, they need to perform the following:
- Organizing a computer security incident response capability.
- Establishing incident response policies and procedures.
- Structuring an incident response team, including outsourcing considerations.
- Recognizing which additional personnel may be called on to participate in incident response.
- Handling incidents from initial preparation through the post-incident lessons-learned phase.

Handling specific types of incidents
- Denial of Service (DoS) - an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources.
- Malicious Code - a virus, worm, Trojan horse, or other code-based malicious entity that infects a host.
- Unauthorized Access - a person gains logical or physical access without permission to a network, system, application, data, or other resource.
- Inappropriate Usage - a person violates acceptable computing use policies.
- Multiple Component - a single incident that encompasses two or more incidents; for example, a malicious code infection leads to unauthorized access to a host, which is then used to gain unauthorized access to additional hosts.
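As an added illustration (not from the article), the following Python sketch shows how the "Multiple Component" category arises in practice: individual alerts are correlated into incidents by the hosts they share within a time window, and an incident that ends up spanning more than one category is reclassified. The event model, the 24-hour window and the sample timeline are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

MULTIPLE_COMPONENT = "multiple_component"


@dataclass(frozen=True)
class Event:
    time: datetime
    category: str                 # dos, malicious_code, unauthorized_access, inappropriate_usage
    host: str                     # host affected by the event
    source: Optional[str] = None  # originating host, for access events


@dataclass
class Incident:
    category: str
    events: List[Event] = field(default_factory=list)
    hosts: Set[str] = field(default_factory=set)


def correlate(events: List[Event], window: timedelta = timedelta(hours=24)) -> List[Incident]:
    """Assumed rule: an event joins an open incident if it touches (as target or
    source) a host already in that incident within `window` of its latest event;
    an incident spanning more than one category becomes multiple_component."""
    incidents: List[Incident] = []
    for ev in sorted(events, key=lambda e: e.time):
        target = next((inc for inc in incidents
                       if ev.time - inc.events[-1].time <= window
                       and (ev.host in inc.hosts or ev.source in inc.hosts)), None)
        if target is None:
            target = Incident(category=ev.category)
            incidents.append(target)
        target.events.append(ev)
        target.hosts.update(h for h in (ev.host, ev.source) if h)
        if len({e.category for e in target.events}) > 1:
            target.category = MULTIPLE_COMPONENT
    return incidents


# Constructed sample timeline: malware on a workstation, pivots to two servers,
# then an unrelated DoS alert later the same day.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "malicious_code", "ws-01"),
    Event(T0 + timedelta(minutes=30), "unauthorized_access", "srv-02", source="ws-01"),
    Event(T0 + timedelta(hours=1), "unauthorized_access", "srv-03", source="srv-02"),
    Event(T0 + timedelta(hours=2), "dos", "web-01"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields two incidents: one multiple_component incident covering ws-01, srv-02 and srv-03, and a separate DoS incident for web-01.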