General Incident-Handling Principles

There are six general principles that apply when handling all types of incidents, which are covered in the following sections.

Identify the CIRT Team

Every organization dependent upon computers should establish a Computer Incident Response Team (CIRT). This team possesses the training, knowledge, and authority to properly react to computer security incidents as they occur. The senior technical official in an organization (for example, CIO, CTO, IT Director) normally serves as the team leader. The remainder of the team is composed of technical experts and representatives of other organization divisions, as appropriate.

Declare an Incident

One of the most important functions of the team is to lay down policies outlining criteria for declaring a computer security incident. Usually, when front-line personnel notice suspicious activity, they contact a designated member of the team who evaluates the circumstances and determines whether an incident should be declared. If this person declares an incident, the entire team should assemble and begin incident-handling procedures.

WARNING

Incident Response: The TICSA exam usually includes several questions on incident response. Be sure to know the six general principles and the steps required to adhere to them.

Contain the Incident

After declaring an incident, the first necessary response is to contain the incident to a specific system or portion of the network. For example, if a worm is spreading on a certain segment of the LAN, it might be advisable to disconnect that segment from the remainder of the network to minimize the number of systems that are affected by the incident.

Eradicate the Problem

After administrators contain the incident, steps should be taken to eradicate the problem. This normally involves determining what security vulnerability allowed the incident to take place and taking steps to correct the vulnerability. In the case of our worm example, eradication involves determining what mechanisms the worm uses to spread from system to system and securing all systems on the network to prevent the worm from infecting additional systems.

Recover the Affected System(s)

When eradication is complete, administrators should recover any systems that were affected during the incident. This may involve restoring files from backup, reinstalling software, or even completely rebuilding systems. The level of recovery required depends entirely on the level of destruction that took place during the incident.

Review the Lessons Learned

As soon as possible after the incident, the CIRT should gather to discuss the lessons learned from handling the incident. These roundtable sessions are extremely valuable because they help the team assess the vulnerabilities that led to the incident and put policies and procedures in place to tighten future network security.
