I once helped put together and run a computer security incident response team. The team was unique in drawing a specialist or two from each of the major technical and risk management groups (Windows server support, mail infrastructure, firewall & network security, network, etc.) as well as from the existing financial fraud and internal affairs investigation organization.
Much of our time was spent developing the individual policies and procedures outlining the IRT's responsibilities, defining its authority and, basically, selling ourselves to both management and the line teams. That investment paid off well: by involving everyone closely in what we were doing, we received far more cooperation than we could have expected had we simply been imposed on the company as a fait accompli. In the end we handled several high-profile cases quite successfully. I'll be writing more on this topic in the future, but the following is a partial outline of what I see as an IRT's basic responsibilities:
- threat investigation, categorization and warning/announcement
- vulnerability management (a monthly vulnerability board meeting to discuss these)
- investigation of external attacks, bank-related fraud, phishing, etc.
- internal forensics (e.g. information leaks, sabotage, harassment)
We started out essentially from scratch and within about six months had a fully functioning organization. Lesson learned: always settle budget and authority first. Lesson #2: PR is as important as substance. Frequently PR (i.e. keeping people clearly and concisely informed of threats, vulnerabilities and your own activities) IS substance, and there is no reason why you can't combine the two.
Another thing we figured out is that every CSIRT is a tailor-made affair; even in a large corporation, some massaging and diplomacy is required to exert authority in subsidiary companies — again, involving their staff and management and keeping them informed goes a long way towards fostering acceptance.
A few of the links that got us started:
- CERT and its "Creating a CSIRT" page:
http://www.cert.org/csirts/Creating-A-CSIRT.html
- The CMU CSIRT handbook:
http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
- RFC 2350, Expectations for Computer Security Incident Response:
