Incident Management and Handling

Incident Management


As organizations begin to exploit the benefits of the Internet and Web technologies, they are quickly realizing that there are inherent risks involved with connecting their networks to the Internet.

It is this risk that organizations must be prepared to address through an incident management process. ISO 17799 (formerly BS 7799) states: “Incident management responsibilities and procedures should be established to ensure a quick, effective, and orderly response to security incidents”.

Security incidents can occur any time and cause significant outages, damage, and financial loss to an organization. The incidents are frequently extremely complex. For this reason, it is essential that the incident response process be developed and integrated with the deployment of the security architecture.

An incident management and response plan must address the following issues:

  • Incident preparedness
  • Alerting
  • Report and notification
  • Preliminary investigation
  • Decision and resource allocation
  • Response
  • Recovery
  • Lessons learned

Incident Preparedness


A computer security incident response team must be established. This team includes representatives from at least the following departments: IT Security, System and Network Administration, Disaster Recovery, Human Resources, Legal, Public Relations, and Corporate Security.

Incident handling requires specialized skills; therefore, education and training are essential.

Alerting


Alerts can come not only from technology sources such as firewalls and intrusion detection devices, but also from sources such as human resources, internal and external end-users, attackers, and Internet service providers.

Report and Notification


Alerts can be delivered through visual devices, e-mail, pagers, phones, personnel, and other channels.

To ensure that incidents are reported in a timely manner, an incident reporting and communications process should be defined and disseminated. This will ensure that incidents are identified and that appropriate management channels are used.

Preliminary Investigation


Once the callout process has been triggered, the predefined roles and responsibilities are applied to managing the incident.

The examination of activity logs, interviews with users and/or administrative staff, and the examination of policies can help to determine whether an incident is “real” and whether it is pervasive in nature. Specially trained personnel must perform the investigation to avoid contamination or destruction of evidence.

Decision and Resource Allocation


As a result of the preliminary investigation, a state of emergency can be declared. Additional staff can be assigned and budgetary resources can be allocated.

An incident handling coordinator is designated to coordinate the response to the incident.

Methods of response are dictated by the requirements of any legal action. If legal action is planned, additional procedures must be followed to preserve evidence for admissibility in court.

Response


The preliminary investigation is expanded as necessary. Additional personnel, other companies and law enforcement can be included.

To prevent the incident from spreading, compromised systems may be isolated and/or disabled.

Depending on the type of incident, it may be necessary to involve corporate legal counsel, public and media relations, human resources, etc.

If the incident impairs users, they may need to be informed.

Recovery


All remnants of the incident must be removed from the affected system(s).

Affected systems must be rebuilt, recovered, or replaced.

System vulnerabilities and inadequate controls exploited by the attacker must be addressed.

Lessons Learned


The incident, its causes, and its effects must be documented. Actions taken during the response must be documented and analyzed for successes and failures.

The incident response process should be reviewed and updated as necessary.

The costs associated with the incident should be determined. This may impact future budget allocations for information security.

Responding to an incident may reveal the need for additional staff or the need to better educate and train existing staff.

The financial impact analysis may reveal the justification for additional money for preventive security measures.

The overall organizational approach to information security should be reviewed and enhanced as necessary to ensure that adequate controls are in place and monitored.

Incident management and response can be outsourced, allowing organizations to obtain assistance from entire teams of subject-matter experts at a lower cost than duplicating the entire team in-house.

Incident Handling


Securing an infrastructure is a complex task of balancing business needs against security risks. New vulnerabilities are discovered almost every day, and there is always the potential for an intrusion.

A solid methodology must be in place in order to get systems and services back online as quickly and securely as possible.

Through a consensus process involving experienced incident handlers from corporations, government agencies, and educational institutions, a proven step-by-step incident handling process has been created. To prepare for and deal with a computer incident, one follows these six steps:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned