[ Pobierz całość w formacie PDF ]

10.2. Creating an Incident Response Plan
It is important that an incident response plan is formulated, supported throughout the organization, and is
regularly tested. A good incident response plan can minimize not only the affects of the actual security
breach, but it may also reduce the negative publicity.
From a security team perspective, it does not matter whether a breach occurs (as such occurrences are
an eventual part of doing business using an untrusted carrier network, such as the Internet), but rather,
when a breach occurs. Do not think of a system as weak and vulnerable; it is important to realize that
given enough time and resources, someone can break into even the most security-hardened system or
network. You do not need to look any further than the Security Focus website,
http://www.securityfocus.com/, for updated and detailed information concerning recent security breaches
and vulnerabilities, such as the frequent defacement of corporate webpages or the 2002 attacks on the
[7]
root DNS nameservers .
The positive aspect of realizing the inevitability of a system breach is that it allows the security team to
develop a course of action that minimizes any potential damage. Combining a course of action with
expertise allows the team to respond to adverse conditions in a formal and responsive manner.
The incident response plan itself can be separated into four phases:
Immediate action to stop or minimize the incident
Investigation of the incident
Restoration of affected resources
Reporting the incident to the proper channels
An incident response must be decisive and executed quickly. Because there is little room for error, it is
critical that practice emergencies are staged and response times measured. This way it is possible to
91
Red Hat Enterprise Linux 4 Security Guide
critical that practice emergencies are staged and response times measured. This way it is possible to
develop a methodology that fosters speed and accuracy, minimizing the impact of resource unavailability
and potential damage in the event of an actual system compromise.
An incident response plan has a number of requirements, including:
A team of in-house experts (a Computer Emergency Response Team)
A legally reviewed and approved strategy
Financial support from the company
Executive/upper management support
A feasible and tested action plan
Physical resources, such as redundant storage, standby systems, and backup services
10.2.1. The Computer Emergency Response Team (CERT)
The Computer Emergency Response Team (CERT) is a group of in-house experts who are prepared to
act quickly in the event of a catastrophic computer event. Finding the core competencies for a CERT can
be a challenge. The concept of appropriate personnel goes beyond technical expertise and includes
logistics such as location, availability, and desire to put the organization ahead of ones personal life
when an emergency occurs. An emergency is never a planned event; it can happen at any moment and
all CERT members must accept the responsibility that is required of them to respond to an emergency at
any hour.
CERT teams typically include system and network administrators as well as information security experts.
System administrators provide the knowledge and expertise of system resources, including data
backups, backup hardware available for use, and more. Network administrators provide their knowledge
of network protocols and the ability to re-route network traffic dynamically. Information security personnel
are useful for thoroughly tracking and tracing security issues as well as performing a post-mortem (after
the attack) analysis of compromised systems.
Although it may not always be feasible, there should be personnel redundancy within a CERT. If depth in
core areas is not applicable to an organization, then cross-training should be implemented wherever
possible. Note, if only one person owns the key to data safety and integrity, then the entire enterprise
becomes helpless in that one person's absence.
10.2.2. Legal Considerations
Some important aspects of an incident response to consider include legal ramifications. Security plans
should be developed with members of legal staff or some form of general counsel. Just as every
company should have their own corporate security policy, every company should have its own way of
handling incidents from a legal perspective. Local, state, and federal regulatory issues are beyond the
scope of this document, but are mentioned because the methodology for performing a post-mortem
analysis, at least in part, is dictated by (or in conjunction with) legal counsel. General counsel can alert [ Pobierz całość w formacie PDF ]

  • zanotowane.pl
  • doc.pisz.pl
  • pdf.pisz.pl
  • anapro.xlx.pl

    • Archiwum

    Home
    William Wharton Nie ustawaj w biegu
    Hingston Peter Wielka ksiega marketingu
    Baum, L Frank Oz 19 The Lost King of Oz
    0505. Merritt Jackie Osaczona
    James Axler Outlander 01 Exile to Hell
    The Best of L. Sprague de Camp L. Sprague de Camp
    Anne Weale Wedding of the Year (pdf)
    Edward Lasker Szachy i warcaby Droga do mistrzostwa
    James M. Ward The Pool 3 Pool of Twilight
    Schone Robin Kochanek 02 Kobieta Gabriela
  • zanotowane.pl
  • doc.pisz.pl
  • pdf.pisz.pl
  • burdelmama.opx.pl