96


Chapter 11. Incident Response


ology that fosters speed and accuracy. Reacting quickly may minimize the impact of resource unavail 


ability and the potential damage caused by system compromise.


An incident response plan has a number of requirements, including;


Appropriate personnel (in house experts)


Financial support


Executive support


A feasible plan of action


Physical resources such as hard drives, systems, and backup systems


11.2.1. The Computer Emergency Response Team (CERT)


The term appropriate personnel refers to people who will comprise a Computer Emergency Response


Team (CERT). Finding the core competencies for a CERT can be a challenge. The concept of appro 


priate personnel goes beyond technical expertise and includes logistics such as location, availability,


and desire to put the organization ahead of ones personal life when an emergency occurs. An emer 


gency is never a planned event; it can happen at any moment, and all CERT members must be willing


to accept the responsibility that is required of them to respond to an emergency at any hour.


It may not always be feasible, but there should be personnel redundancy within a CERT. If depth


in core areas is not applicable to an organization, then cross training should be implemented wher 


ever possible. Note that if only one person owns the key to data safety and integrity then the entire


enterprise becomes helpless in that person's absence.


Typical CERT members include system and network administrators as well as members from the in 


formation security department. System administrators will provide the knowledge and expertise of


the systems, including data backups, backup hardware available for use, and more. Network admin 


istrators provide their knowledge of network protocols, in addition to being able to re route traffic


dynamically. Information Security personnel are useful in tracking and tracing security issues as well


as performing post mortem analysis of media.


11.2.2. Legal Issues


Another important aspect of incident response are legal issues. Security plans should be developed


with members of legal staff or some form of legal counsel. Just as every company should have their


own corporate security policy, every company has its own way of handling incidents from a legal


perspective. Local, state, and federal regulatory issues are beyond the scope of this document, but are


mentioned because the methodology for performing a post mortem analysis, at least in part, will be


dictated by (or in conjunction with) legal counsel.


11.3. Implementing the Incident Response Plan


Once a plan of action is created, it must be agreed upon and actively implemented. Any aspect of


the plan that is questioned during active implementation will most likely result in poor response time


and downtime in the event of breach. This is where practice exercises become invaluable. Unless


something is brought to attention before the plan is actively set in production, implementation should


be expedited.


If a breach is detected while the CERT is present for quick action, potential response can vary. The


team can decide to pull the network connections, disconnect the affected system or systems, patch the


exploit, and then reconnect quickly without further potential complication. The team can also watch


the perpetrator and track his actions. The team could even redirect the perpetrator to a honeypot  








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved