Chapter 11. Incident Response
ology that fosters speed and accuracy. Reacting quickly may minimize the impact of resource unavailability and the potential damage caused by system compromise.
An incident response plan has a number of requirements, including:
Appropriate personnel (in-house experts)
Financial support
Executive support
A feasible plan of action
Physical resources such as hard drives, systems, and backup systems
11.2.1. The Computer Emergency Response Team (CERT)
The term appropriate personnel refers to people who will comprise a Computer Emergency Response Team (CERT). Finding the core competencies for a CERT can be a challenge. The concept of appropriate personnel goes beyond technical expertise and includes logistics such as location, availability, and the desire to put the organization ahead of one's personal life when an emergency occurs. An emergency is never a planned event; it can happen at any moment, and all CERT members must be willing to accept the responsibility that is required of them to respond to an emergency at any hour.
It may not always be feasible, but there should be personnel redundancy within a CERT. If depth in core areas is not applicable to an organization, then cross-training should be implemented wherever possible. Note that if only one person owns the key to data safety and integrity, then the entire enterprise becomes helpless in that person's absence.
Typical CERT members include system and network administrators as well as members from the information security department. System administrators provide the knowledge and expertise of the systems, including data backups, backup hardware available for use, and more. Network administrators provide their knowledge of network protocols, in addition to being able to re-route traffic dynamically. Information security personnel are useful in tracking and tracing security issues as well as performing post-mortem analysis of media.
11.2.2. Legal Issues
Another important aspect of incident response is legal issues. Security plans should be developed with members of the legal staff or some form of legal counsel. Just as every company should have its own corporate security policy, every company has its own way of handling incidents from a legal perspective. Local, state, and federal regulatory issues are beyond the scope of this document, but they are mentioned because the methodology for performing a post-mortem analysis, at least in part, will be dictated by (or in conjunction with) legal counsel.
11.3. Implementing the Incident Response Plan
Once a plan of action is created, it must be agreed upon and actively implemented. Any aspect of
the plan that is questioned during active implementation will most likely result in poor response time
and downtime in the event of a breach. This is where practice exercises become invaluable. Unless
something is brought to attention before the plan is actively set in production, implementation should
be expedited.
If a breach is detected while the CERT is present for quick action, potential response can vary. The
team can decide to pull the network connections, disconnect the affected system or systems, patch the
exploit, and then reconnect quickly without further potential complication. The team can also watch
the perpetrator and track his actions. The team could even redirect the perpetrator to a honeypot  
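The first option above, pulling the network connections, destroys volatile state (open connections, running processes, logged-in users) that the post-mortem analysis mentioned earlier depends on. The following POSIX shell script is an added example, not part of the guide, showing the order a responder would use: record that state to an evidence directory with checksums first, then take the interface down. The helper names (capture_volatile_state, isolate_host, contain), the evidence layout and the DRY_RUN switch are assumptions for illustration; the tools it calls (ps, ss, ip, who, sha256sum) are the ordinary Linux utilities, and any that are missing are noted in the manifest rather than treated as fatal.

```shell
#!/bin/sh
# Added example (not from the guide): preserve volatile state of a suspect
# host, then isolate it from the network. Hypothetical helper names.
# Assumes POSIX sh and coreutils; ss/ip (iproute2) are optional.
# Set DRY_RUN=1 to print the isolation command instead of running it.

# Write the output of each volatile-data command to its own file under
# the evidence directory, plus a manifest and SHA-256 sums of the files.
capture_volatile_state() {
    evidence_dir="$1"
    mkdir -p "$evidence_dir" || return 1
    {
        echo "captured_at: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "hostname: $(uname -n)"
    } > "$evidence_dir/manifest.txt"
    # Order matters: network state first, since it is the first thing lost.
    for cmd in "ss -tunap" "ip addr" "ip route" "ps -ef" "who"; do
        name=$(printf '%s' "$cmd" | tr ' ' '_')
        if command -v "${cmd%% *}" >/dev/null 2>&1; then
            $cmd > "$evidence_dir/$name.txt" 2>&1 || true
        else
            echo "$cmd: not available on this host" >> "$evidence_dir/manifest.txt"
        fi
    done
    # Checksums let the collection be shown unaltered during later analysis.
    (cd "$evidence_dir" && sha256sum ./*.txt > SHA256SUMS 2>/dev/null) || true
    echo "$evidence_dir"
}

# Bring the named interface down. With DRY_RUN=1 only echo the command,
# which is what the tests and a rehearsal exercise use.
isolate_host() {
    iface="$1"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ip link set dev $iface down"
        return 0
    fi
    ip link set dev "$iface" down
}

# Containment entry point: evidence first, disconnect second.
contain() {
    evidence_dir="$1"
    iface="$2"
    capture_volatile_state "$evidence_dir" >/dev/null || return 1
    isolate_host "$iface"
}

# Example invocation for a rehearsal (no network change is made):
# DRY_RUN=1 contain /var/tmp/evidence-$(date +%s) eth0
```

Running it as root without DRY_RUN actually disconnects the interface, so the team should rehearse it with DRY_RUN=1 during the practice exercises described in section 11.3 and keep the evidence directory on media that the later post-mortem can read.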