Responding to Customer's Security Incidents, Part 1: Establishing Teams and a Policy
There have been several large-scale worm attacks on the Internet since 1988, as well as highly visible and coordinated denial-of-service attacks in the last few years, causing billions of dollars in damage. These attacks show that responding to such incidents is increasingly complex: it requires technical knowledge, communication, and coordination among the staff responding to an incident, along with adherence to applicable standards.
A security incident response involves several aspects of preventive, detective, and recovery measures. A preventive measure is primarily a risk control that avoids or deters the occurrence of an undesirable event. Examples of preventive measures are passwords, keycards, badges, contingency plans, policies, firewalls, and encryption. A detective measure identifies the occurrence of an undesirable event. Examples of detective measures are visitor logs, audit trails, motion sensors, closed-circuit TV, and security reviews. Detective measures also provide a means for reporting the occurrence of events. A recovery measure is a risk control that, in the traditional sense, includes the control policies, processes, or mechanisms that restore the integrity, availability, and confidentiality of information assets to their expected state. Examples of recovery measures are fault tolerance, backup, and disaster recovery plans.
Since the late eighties and early nineties, a substantial amount of information has been published on the topic of security incident response from the following organizations:
National Institute of Standards and Technology (NIST), http://www.nist.gov
Purdue University's Computer Incident Advisory Capability (CIAC), which is funded by the Department of Energy, http://www.ciac.org/ciac
Carnegie Mellon University's Software Engineering Institute's Computer Emergency Response Team/Coordination Center (CERT/CC), which was initiated by the Defense Advanced Research Projects Agency (DARPA), http://www.cert.org
Internet Engineering Task Force (IETF) in the form of RFCs
In 1990, NIST, in conjunction with CERT/CC, CIAC, NASA, and other agency response teams, organized a cooperative activity known as the Forum of Incident Response and Security Teams (FIRST), at: http://www.first.org
"Responding to Customer's Security Incidents, Part 1: Establishing Teams and a Policy" is the first of a series of articles that discuss building teams, establishing a security incident response policy, and executing it. These articles are not intended to include all of the material from the above efforts. They are intended to capture the salient points of the security incident response process and to present them in the context of a business entity that serves its constituents (that is, its customers).
This document is intended to provide highlights and best practices information about computer security incident response, building teams to process security incidents, and developing important factors in establishing a security incident response policy framework. The primary audience consists of computer security managers, security policy developers, system administrators, and other related staff responsible for the creation or operation of a computer incident response team and/or a computer security incident response (CSIR) policy and service.