When it comes to security, one can see how an enterprise is like the human body. Measures are taken to avoid injury, but if a wound occurs, there are mechanisms in place to minimize the damage.
For example, the body has white blood cells to attack invading bacteria. Companies need computer incident response teams (CIRTs) to fend off invading viruses and worms.
Many companies are required to have CIRTs (or something like them) because of regulations. Others that are not obligated to have them may question whether they need a formal CIRT. Those companies believe there is in-house expertise to sort out incidents, but they should ask themselves whether there is a system to alert the necessary people when an incident occurs.
In other words, do all employees know whom to call if they think their systems have been compromised? If the answer is "no," then there may be problems.
"That is like a fire department with all the latest equipment that just sits in a garage somewhere because there is no system to notify it of a fire," said Nanette Poulios, director of education and training at the International Institute for Digital Forensics Studies.
There is no cookie-cutter approach to creating a CIRT. At some companies, CIRTs only respond to incidents. At others, they also handle user-awareness training. But CIRTs must keep their missions in perspective.
The first job for a CIRT is to assess the scope of damage and figure out how to lessen it, not necessarily gather evidence. There will be plenty of time for that later, Poulios said. Once the systems are safe, then evidence gathering can begin. Generally, it's not the CIRT's job to remove viruses from systems or install patches. It also isn't a disciplinary body.
"It is an investigative body. It does not make the decision of what to do with the person who brought the virus into the network," Poulios said.
The optimal CIRT would consist of core members from IT auditing, information security and corporate security, in additional to the legal department. Each group brings a different skill set to the team. Technical gurus can be brought in when needed, but they probably shouldn't be permanent members of the team, Poulios said: "Why have a Unix person on the team [if] your Windows server is attacked?"
IT audit people bring to the CIRT the ability to log and document things. "If someone questions the CIRT team's response, then the auditor will make sure the report is auditable," Poulios said.
As such, they should probably handle the evidence gathering so the chain of custody is preserved. If evidence has to be handed over to law enforcement, then it's imperative that everything about it is documented. "You should treat every investigation like it was going to court," Poulios said. "Once you lose the chain of custody, there is no getting it back."
Members of the CIRT will need materials like technology for imaging hard drives and evidence bags. Having a member from corporate security on the team is helpful, because corporate security staff often have law enforcement experience, which comes in handy if employees need to be interviewed.
Having an information security person on the team is imperative, Poulios said. Information security staff often have computer forensics skills. Also, they will be able to explain to the business side of the house why certain steps must be taken to deal with an incident. "But they have to report this information in a way [a] layperson can understand," she said.
A CIRT would also benefit from having a lawyer, at least in an advisory capacity. Investigating an incident may involve things that affect privacy and human resources policy. It's important that members of the team understand what they can or can't do, legally.
Governance of the CIRT can be a tricky issue. Optimally, the CIRT should be authorized by the board of directors or CEO, in order to give it the clout it needs to get the job done. "You're not sure where the investigation will take you," Poulios said. "You really need some teeth and someone to back you up."
FEEDBACK: Does your organization have a CIRT? If so, how is it set up?
Send your feedback to the SearchSecurity.com news team.