Creating an Incident Response Plan
It is very important that an incident response
plan is formulated, supported throughout the organization, put
into action, and regularly tested. A good incident response plan that is
thoroughly tested and acted upon quickly may minimize the effects of a
breach. Furthermore, it may even reduce the negative publicity and focus
attention on quick reaction time.
From a security team perspective, the question is not whether a breach
will occur (such occurrences are an eventual part of doing business over
an untrusted carrier network such as the Internet), but rather
when a breach will occur. Do not think of a system
as weak and vulnerable; realize that given enough time and resources
someone, somewhere, some day, will breach even the most security-hardened
system or network.
The positive aspect of realizing the inevitability of a system breach
is that it allows the security team to develop a course of action that
minimizes any potential damage. Combining a course of action with
expertise allows the team to respond to adverse conditions in a formal and
responsive manner.
The incident response plan can be separated into four sections:
Immediate Response
Investigation
Restoring
Reporting
Incident response must be decisive and executed quickly. There is
little room for error in most cases, and by staging practice emergencies
and measuring response times it is possible to develop a methodology
that fosters speed and accuracy. Reacting quickly may minimize the
impact of resource unavailability and the potential damage caused by
system compromise.
An incident response plan has a number of requirements,
including:
Appropriate personnel (in-house experts)
Financial support
Executive support
A feasible plan of action
Physical resources such as hard drives, systems, and backup systems
The Computer Emergency Response Team (CERT)
The term appropriate personnel refers to
people who will comprise a Computer Emergency Response
Team (CERT). Finding the core
competencies for a CERT can be a challenge. The concept of
appropriate personnel goes beyond technical expertise and includes
logistics such as location, availability, and willingness to put the
organization ahead of one's personal life when an emergency occurs. An
emergency is never a planned event; it can happen at any moment, and
all CERT members must be willing to accept the responsibility that is
required of them to respond to an emergency at any hour.
It may not always be feasible, but there should be personnel
redundancy within a CERT. If depth in core areas is not applicable to
an organization, then cross-training should be implemented wherever
possible. Note that if only one person holds the key to data safety
and integrity, then the entire enterprise becomes helpless in that
person's absence.
Typical CERT members include system and network administrators as
well as members from the information security department. System
administrators will provide the knowledge and expertise of the
systems, including data backups, backup hardware available for use,
and more. Network administrators provide their knowledge of network
protocols, in addition to being able to re-route traffic dynamically.
Information Security personnel are useful in tracking and tracing
security issues as well as performing post-mortem analysis of
media.
Legal Issues
Another important aspect of incident response is legal issues.
Security plans should be developed with members of the legal staff or some
form of legal counsel. Just as every company should have its own
corporate security policy, every company has its own way of handling
incidents from a legal perspective. Local, state, and federal
regulatory issues are beyond the scope of this document, but are
mentioned because the methodology for performing a post-mortem
analysis, at least in part, will be dictated by (or in conjunction
with) legal counsel.