GCIH Gold Certification
Author: Terry Morreale
Introduction
Incident handling is more than managing a breach instigated by an outside intruder. It is the ability to manage a variety of incidents, ranging from a minor virus infestation to a major loss of data and productivity caused by a malicious user inside or outside the organization. Many organizations consider themselves safe from incidents because they process data that is not particularly useful to outside parties, because they are so small that they can't imagine anyone in the outside world finding them, much less attacking them, or because they simply do not believe they have enough resources to worry about an incident until they find one. All of these assumptions are fallacies. One particularly harsh reality is that, according to the 2007 FBI Computer Crime Survey, insider abuse of network access or email was the most prevalent security problem, accounting for 52% to 59% of total incidents. Additionally, the average annual loss reported due to security incidents has skyrocketed to $350,424. These are staggering numbers, especially given how much organizations typically spend on externally facing security compared to internally facing security. It is therefore critical that organizations take a holistic approach to security that accounts for all types of threats, not just the ones that get the most media attention. Sooner or later, every organization has an incident, and the organizations that are well prepared are the ones that will come out of it with the least damage.
The remainder of this paper describes the six-step process that SANS recommends for dealing with an incident when it does occur. The paper focuses primarily on small to medium enterprises. Such organizations have limited IT resources and frequently have little or no ability to dedicate any of those precious resources to planning for or handling an incident. This paper analyzes each of the recommended steps and suggests how each can be adapted to handle an incident in such an environment. Additionally, sample tools tailored to the needs of a small to medium enterprise can be found in the appendix at the end of this paper.
Outline of Article
1. Introduction
2. Overview of the Six Steps (Skoudis, 2006)
2.1 Preparation
2.2 Identification
2.3 Containment
2.4 Eradication
2.5 Recovery
2.6 Lessons Learned
3. Analysis of the Six Steps for Small to Medium Enterprises
3.1 Preparation
3.1.1 Know who will handle the incident
3.1.2 Develop Incident Handling Instructions (AppliedTrust, 2005)
3.1.3 Tools for the Preparation phase
3.2 Identification
3.3 Containment
3.3.1 Short Term Containment
3.4 Eradication
3.5 Recovery
3.6 Lessons Learned
4. Conclusion
4.1 Preparation
4.2 Identification
4.3 Containment
4.4 Eradication
4.5 Recovery
4.6 Lessons Learned
5. Appendix – Sample Incident Handling Instructions
5.1 Call List
5.2 Initial Response
5.3 Response Strategy
5.4 Lessons Learned Report
6. References
The full paper is available on the SANS web site.