You can respond to a security incident in a number of different ways. Your options include countermeasures designed to block intrusions to packet-filtering rules and proxy servers to block intrusions that have been detected by an Intrusion Detection System (IDS); and alterations to security policies to cover new vulnerabilities as they are detected. By developing a Security Incident Response Team (SIRT), your organization has the flexibility to implement any or all of these response options. Goals of a Security Incident Response Team (SIRT) A Security Incident Response Team (SIRT) is a group of individuals who are assigned to respond effectively to security breaches. Responsibilities of Team Members Employees who become part of a SIRT need
…show more content…
The goal of such documentation is to prevent similar intrusions from occurring again. By recording what happened in a file such as a database, information is stored in a place where future members of the SIRT who may not have been involved with the original incident can review it. Record-Keeping Record-keeping is the process or recording all of the events associated with a security incident. Such documentation has many goals. SIRT members who encounter events similar to the ones already encountered will benefit enormously by the notes. An organization’s legal representatives can also use the information in court. Reevaluating Policies Any recommendations of changes in security policies or procedures that arise as a result of security incidents should be included in the follow-up database. An organization’s security policy may specify that details about security incidents are for internal use only and not for public consumption. After the Attack: Computer Forensics Computer forensics is the set of activities associated with trying to find out who hacked into a system or who gained unauthorized access, usually with the ultimate goal of gaining enough legally admissible evidence to prosecute the person. Tracing Attacks One of the first tasks undertaken when initiating a forensics investigation is the identification of the person or persons who initiated the attack. Identification can be difficult for a number of reasons. First, the offender may intentionally falsify the IP address listed as the source of the attack. Second, the hacker may have gained control of someone else’s computer and used it to launch an attack. Forensics Toolkits Many incident handlers keep a forensics toolkit of hardware and software (sometimes called a jump kit) ready in order to respond to alerts. Such a kit might include a laptop computer, a cell phone; backup CD-ROMs or other
The goal of such documentation is to prevent similar intrusions from occurring again. By recording what happened in a file such as a database, information is stored in a place where future members of the SIRT who may not have been involved with the original incident can review it. Record-Keeping Record-keeping is the process or recording all of the events associated with a security incident. Such documentation has many goals. SIRT members who encounter events similar to the ones already encountered will benefit enormously by the notes. An organization’s legal representatives can also use the information in court. Reevaluating Policies Any recommendations of changes in security policies or procedures that arise as a result of security incidents should be included in the follow-up database. An organization’s security policy may specify that details about security incidents are for internal use only and not for public consumption. After the Attack: Computer Forensics Computer forensics is the set of activities associated with trying to find out who hacked into a system or who gained unauthorized access, usually with the ultimate goal of gaining enough legally admissible evidence to prosecute the person. Tracing Attacks One of the first tasks undertaken when initiating a forensics investigation is the identification of the person or persons who initiated the attack. Identification can be difficult for a number of reasons. First, the offender may intentionally falsify the IP address listed as the source of the attack. Second, the hacker may have gained control of someone else’s computer and used it to launch an attack. Forensics Toolkits Many incident handlers keep a forensics toolkit of hardware and software (sometimes called a jump kit) ready in order to respond to alerts. Such a kit might include a laptop computer, a cell phone; backup CD-ROMs or other