It is important that an incident response
plan is formulated, supported throughout the organization, and
is regularly tested. A good incident response plan can minimize not
only the affects of the actual security breach, but it may also
reduce the negative publicity.
From a security team perspective, it does not matter whether a
breach occurs (as such occurrences are an eventual part of doing
business using an untrusted carrier network, such as the Internet),
but rather, when a breach occurs. Do not
think of a system as weak and vulnerable; it is important to
realize that given enough time and resources, someone can break
into even the most security-hardened system or network. You do not
need to look any further than the Security
Focus website, https://www.securityfocus.com/, for updated and detailed
information concerning recent security breaches and
vulnerabilities, such as the frequent defacement of corporate
webpages or the 2002 attacks on the root DNS nameservers.
The positive aspect of realizing the inevitability of a system
breach is that it allows the security team to develop a course of
action that minimizes any potential damage. Combining a course of
action with expertise allows the team to respond to adverse
conditions in a formal and responsive manner.
The incident response plan itself can be separated into four
Immediate action to stop or minimize the incident
Investigation of the incident
Restoration of affected resources
Reporting the incident to the proper channels
An incident response must be decisive and executed quickly.
Because there is little room for error, it is critical that
practice emergencies are staged and response times measured. This
way it is possible to develop a methodology that fosters speed and
accuracy, minimizing the impact of resource unavailability and
potential damage in the event of an actual system compromise.
An incident response plan has a number of requirements,
A team of in-house experts (a Computer
Emergency Response Team)
A legally reviewed and approved strategy
Financial support from the company
Executive/upper management support
A feasible and tested action plan
Physical resources, such as redundant storage, standby systems,
and backup services
The Computer Emergency Response Team (CERT) is a group of in-house experts who are
prepared to act quickly in the event of a catastrophic computer
event. Finding the core competencies for a CERT can be a challenge.
The concept of appropriate personnel goes beyond technical
expertise and includes logistics such as location, availability,
and desire to put the organization ahead of ones personal life when
an emergency occurs. An emergency is never a planned event; it can
happen at any moment and all CERT members must accept the
responsibility that is required of them to respond to an emergency
at any hour.
CERT teams typically include system and network administrators
as well as information security experts. System administrators
provide the knowledge and expertise of system resources, including
data backups, backup hardware available for use, and more. Network
administrators provide their knowledge of network protocols and the
ability to re-route network traffic dynamically. Information
security personnel are useful for thoroughly tracking and tracing
security issues as well as performing a post-mortem (after the attack) analysis of
Although it may not always be feasible, there should be
personnel redundancy within a CERT. If depth in core areas is not
applicable to an organization, then cross-training should be
implemented wherever possible. Note, if only one person owns the
key to data safety and integrity, then the entire enterprise
becomes helpless in that one person's absence.
Some important aspects of an incident response to consider
include legal ramifications. Security plans should be developed
with members of legal staff or some form of general counsel. Just
as every company should have their own corporate security policy,
every company should have its own way of handling incidents from a
legal perspective. Local, state, and federal regulatory issues are
beyond the scope of this document, but are mentioned because the
methodology for performing a post-mortem analysis, at least in
part, is dictated by (or in conjunction with) legal counsel.
General counsel can alert technical staff of the legal
ramifications of security breaches; the hazards of leaking a
client's personal, medical, or financial records; and the
importance of restoring service in mission-critical environments
such as hospitals and banks.