Information Security in Today's Digital Culture

The Importance of an Incident Response Plan

October 31st, 2011 | Posted by Brett Edgar in Incident Response | Monitoring

Most organizations are going to experience a computer security incident each year. Those organizations that don’t experience an incident only avoid doing so by being blind to what is going on in their information systems. If you are even casually looking at your computers and networks, you will find incidents. At the very least, someone is going to plug an infected USB device they received as a Christmas/birthday present into their work computer. At worst, an attacker is going to be rummaging around on your internal network. Most organizations are going to experience something in between those two extremes, like a “drive-by” web attack on an unsuspecting user who was searching Google for a good deal on Chuck Taylors. It’s going to happen. Accept it.

Now that you’ve accepted that it’s going to happen, you better be prepared to handle the situation. How you react depends on the criticality of the information stored on the compromised system(s) or network(s). If your CEO’s administrative assistant gets malware on his/her computer, but the only access they have is to the Internet, then your response is pretty easy: clean the machine or reinstall it from a clean image. Done. If your accountant’s computer gets malware, then you have some bigger issues. You’re going to need to do some research to see if any of your accounting data has been exfiltrated, including, perhaps, account numbers of your business partners or customers. That would be bad.

The point is that you need to have a plan on how to escalate the handling of the incident. Do you pull compromised machines off the network immediately? Who gets involved, and when? Who makes those hard decisions like shutting down the compromised database server that powers your e-commerce website? Every organization needs to at least have a start at outlining this process. You’re also going to need to have a general idea of where your data rests, and how critical that data is.

If you wait until your first incident to start thinking about this, your response is pretty much guaranteed to fail. So start now. NIST has produced a document, SP 800-61, that goes into some depth about incident response plans and procedures. While following that document in full is going to be overkill for small organizations, at least having a familiarity with it will help you in writing your own basic incident response plan.

Brett Edgar

Brett is a Founder and the former Director of Managed Security Services at TRUE. He has been working in the system and network forensics field since graduating from the University of Tulsa with a B.S. Computer Science in 2003. He speaks hexadecimal fluently and is TRUE's resident human Ethernet transceiver. He holds CISSP, CSSLP, and CNSS 4011-4015 certificates, loves MLB and NCAA Football, and when he gets tired of hexadecimal, he goes home to hang out with his wife and kid.
