The following excerpt is from Chapter 8, The Puzzle in Action of The Effective Incident Response Team, written by Julie Lucas and Brian Moeller and published by Addison-Wesley.
Read the entire chapter here (Chapter 8 begins on page 17).
In the simplest form, everything with computers can be broken down into ones and zeros. Similarly, computer security initiatives should always be able to be broken down into their simplest form, policies. Policies identify what is authorized and what is not, assign organizational responsibilities, communicate acceptable levels of risks and much more. The policies may be expanded in the form of procedures, which provide the step-by-step guidelines for putting the policies into action. From there, it's a matter of implementing and configuring systems appropriately, purchasing and adding security tools to monitor and safeguard the systems, and training and authorizing end users to use the resources appropriately.
When the policies and procedures are violated, then a computer incident (e.g., unauthorized access, denial of service) may have occurred. To detect and respond to these violations of the organization's security policies, incident response policies and procedures should be in place. These policies may be in the form of stand-alone documentation, or they may be incorporated into other documentation such as company security policies or disaster recovery plans.
NOTE: Unfortunately, not all organizations have existing computer security policies. Many people view the writing of a security policy as a huge undertaking that is nearly impossible to accomplish. Depending on the level of support from upper management, the task may be more daunting to complete in some organizations as compared to others. In the ideal situation, the organization has a security policy and is serious about covering all facets of the security equation. If the organization does not have existing policies, however, this omission should not stop the development of a CIRT. Ideally the organization will develop security policies in the near future or simultaneously as the CIRT is developed, but policies should not be viewed as a mandatory requirement for the formation of a CIRT.
This chapter focuses on the operational aspects of computer incident response. Considerations that should be given to specific incident-handling procedures will be described in detail, as will the lifecycle of an incident. The information provided in this chapter can, in turn, be used to write computer incident policies and procedures. Together, these policies and procedures complete the incident response puzzle by filling in the center piece. Because computer security begins with policies, what better place to envision this piece of the puzzle than in the center where it belongs.
ABOUT THE BOOK
When an intruder, worm, virus or automated attack persists in targeting a computer system, having specific controls in place and a plan of action for responding to the attack or computer incident can greatly reduce the resultant costs to an organization. The implementation of a Computer Incident Response Team, whether it's formed with internal or external resources, is one safeguard that can have a large return on investment during a crisis situation. This book serves as a guide to anyone contemplating or being tasked with forming a Computer Incident Response Team. The creation of such a team is not a trivial matter and there are many issues that must be addressed up front to help ensure a smooth implementation. This book will try to identify most of these issues to help with the creation process. Once the team is formed and operational, this guide will continue to serve as a resource while the team evolves to respond to the ever-changing types of vulnerabilities.
Julie Lucas, CISSP, is the Security Practice Director at Global Network Technology Services in Columbus, Ohio. As the director, she designs and implements their computer security service offerings. Prior to GNTS, she became the first Naval Computer Incident Response Team (NAVCIRT) officer. She developed the NAVCIRT into a world-class incident response team responsible for detecting and reacting to computer security threats on Navy and Marine Corps systems worldwide. Brian Moeller, CISSP, is a Firewall and Network Security Consultant for the Ohio State University Network Security/Incident Response Team.
This was first published in September 2003