Can your business respond in a crisis?

ANALYSIS

Most enterprise-level businesses and many medium-sized ones have taken a proactive approach to computer and network security and created incident response teams to streamline the handling of an intrusion or attack. You may not think about scalability in regard to incident response, but a good incident response strategy needs to be scalable in several different ways:

  • The incident response plan needs to be effective and efficient whether the incident is relatively minor, such as the defacement of a single Web site, a large scale attack that threatens to bring down the entire multi-site network or something in between.
  • The incident response plan must take into account future growth of your organisation, and you must be able to adapt the plan as the number of users, network bandwidth and number of physical locations changes.
  • The incident response plan should contain contingencies for changes in the network infrastructure, hardware and software and services (such as Internet service provider) that may cause new vulnerabilities and affect the mode of response.

There are two important elements that make up your incident response strategy: the policy and the team that carries it out.

Creating and developing the incident response policy
If you're creating an incident response policy from scratch, you can ensure that scalability is built in by thinking outside the current box and anticipating the state of your network — and new technologies and vulnerabilities that may not even exist yet — a year, five years, even ten years from now. Even when you're considering current response, think big.

Here's what we mean: instead of writing into the policy document that the response team will consist of five members, identify the number of different roles that you need members to play. In the future, a role that can be handled by one person now may require several people to carry out its tasks if your network grows large and spreads to multiple sites, or if an incident affects hundreds of your computers instead of only a few.

Your incident response policy should contain broad procedural guidelines that are applicable to all (or at least the great majority of) security incidents and cover the following steps:

  • Incident recognition: the first step in responding is to recognise that a security breach has occurred or is in the process of occurring.
  • Containment: The next step is to stop the attack or reduce the attack surface (for instance, by isolating the server or network segment on which the attack is occurring or taking it offline completely).
  • Identification: At this point, you can begin to investigate and identify the exact nature of the problem, something that may be impossible while you're in the process of containing the damage.
  • Eradication: Next you need to patch the vulnerability or otherwise prevent the problem from occurring again
  • Recovery: This step involves getting affected systems back up and running, reinstalling software, restoring lost data, or whatever needs to be done to recover from the incident. 

Your policy should also address such issues as:

  • Whether, when, and how to call in law enforcement
  • Preservation of evidence and maintaining a chain of custody
  • Information flow before, during, and after an incident
  • Post-incident assessment/evaluation of the response

The policy should also define the scope of the response team's services. Obviously, the team will respond to security incidents, but some...

For more, click here... 

Post your comment

In order to post a comment you need to be registered and logged in

Log in or create your ZDNet UK account below

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ

ZDNet UK Live

apexwm

Fedora is the same way as well. The yum update system uses "presto" which shrinks the amount of data needed for download. It's a great system....

3 hours ago by apexwm on Can you believe it - 2765 kB will be freed?
cybfor

Updated ID cards considered for 2012: [zdnet.co.uk] The government is considering introducing a new generation of ID... http://dlvr.it/KpBZ

cybfor

Google, Viacom trade blows in YouTube copyright spat: [zdnet.co.uk] Google and the US media giant Viacom have issued... http://dlvr.it/Knht

CIMITL

Be sure to include an audio option - eg. a beep tone - to intensify and reiterate the action. This will greatly benefit some consumers and give...

5 hours ago by CIMITL
DataSecurityUK

Data disposal is really important to get right. There are standards set by UK and US federal governments to ensure that data is kept secure. If...

5 hours ago by DataSecurityUK
chaycon1

Online Fiber Optic Certification Join a talented group of professionals, who are dedicated to Fiber Optic Networking technology. The online course...

7 hours ago by chaycon1 on BT launches 40Mbps fibre-based broadband
chaycon1

Online Fiber Optic Certification Join a talented group of professionals, who are dedicated to Fiber Optic Networking technology. The online course...

7 hours ago by chaycon1 on Google to build gigabit broadband to the home
J.A. Watson

Hi Dava, I'm glad to hear from you, and glad that you see things from the other side. I think that is the most important point of the whole...

8 hours ago by J.A. Watson on Ubuntu 10.04 (Lucid Lynx) and the Latest Tempest
dava4444

please please please please please please kill that spam bot.

8 hours ago by dava4444 on ZDNet UK: faster, smarter, still IT all the way
253chelisa253

hi

9 hours ago by 253chelisa253 on How security will look in 10 years
lezlow

it is only greedy[microsoft]?

10 hours ago by lezlow on Researchers break into BitLocker
dava4444

it didn't post the link it's 'Ubuntu 10.04 Lucid Lynx Beta-1 First Look' on youtube :) Dava

11 hours ago by dava4444 on Ubuntu 10.04 (Lucid Lynx) and the Latest Tempest
dava4444

Hi James I disagree, Ubuntu needs a GUI update and this one IMO is quite good. your pics show a low res. here's a high res. on YouTube* The...

11 hours ago by dava4444 on Ubuntu 10.04 (Lucid Lynx) and the Latest Tempest
dava4444

Hi any news on the comment bot? knocking me back from my own blog is a bit cheeky lol *Mulder to Scully* "I think it has an agenda.." I know, I...

12 hours ago by dava4444 on ZDNet UK: faster, smarter, still IT all the way
benny boy

if you look at the Brentwood exchange on samknows it servers 21,000 residential propertiesm, Lowestoft serves 31,000! Come on BT sort yourselves...

13 hours ago by benny boy on BT fibre broadband coming to 69 more towns
pbreddit

[programming] H.264 - a sting in the tail http://reddit.com/bfu4q [zdnet.co.uk]

reddit

H.264 - a sting in the tail [programming] 13 points, submitted by zigzag [zdnet.co.uk] http://reddit.com/bfu4q

cybfor

Malware infects second Vodafone HTC phone: [zdnet.co.uk] A second Android-based HTC Magic from Vodafone has been... http://dlvr.it/KhKx

miyabi81

Chatter preview http://www.zdnet.co.uk/news/application-development/2010/03/17/salesforce-opens-up-chatter-developer-preview-40088348/

cybfor

US gov t considers undercover social networking: [zdnet.co.uk] The Obama administration has considered sending... http://dlvr.it/Kh3L

Featured white papers

Achieving PCI Compliance for:Privileged Password Management & Remote Vendor Access

For multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.

Download now

Web 2.0 Security Threats: How to Protect Your Enterprise Network

Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.

Download now

MindManager - Tutorial for New Users - Short

This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.

Download now