
Computer Incident Response Teams Are Needed for Controlling the Impact of a Security Breach - Research Paper Example


1. Introduction

It is always beneficial for an organization to be predictive rather than reactive in conducting its business. To remain competitive in the industry, an organization must foresee what lies ahead and plan for it. A reactive organization, on the other hand, responds to a situation as it arises. When it comes to security, a predictive setting and plan must already be in place for a security breach. Even if one is prepared, a quick response is necessary before any damage can be done. "Since more than the money on the line, companies that fail to react quickly to security incidents stand to suffer damage to their reputations and lose customers" (Vijayan, 2002).

2. CIRT

Computer Incident Response Teams (CIRTs) are teams formed specifically to minimize and control the impact of a security breach or other emergency (Brussin, Cobb, & Miora, 2003). They are also known as CERT (Computer Emergency Response Teams) and CSIRT (Computer Security Incident Response Teams), but they basically attempt to do the same thing in case of a computer security threat.

3. Do We Need a CIRT?

This question can only be truly answered by predicting the trends in intrusion and the level of threats expected. Usually the answer is yes, since an organization would rather be safe than sorry. With the increasing number of viruses, spyware and backdoors being detected in systems, having a CIRT is a must for any organization that keeps informational data on computers.

4. The CIRT Plan

Before assigning the team and its tasks, management needs to make a proper business plan for the case of an incident. The plan includes all the details about the CIRT and all the information that the CIRT needs to know. Furthermore, for the plan to be successful, the strategy must be feasible, approved and legally reviewed. "It is critical that practice emergencies are staged and response times measured. This would require financial and executive/upper management support and commitment to the CIRT need" (RHE, 2004).

4.1 Policies

Policies regarding the computer system must be in place beforehand. A breach usually occurs when a policy is not obeyed, so it is imperative to have policies in order that the root cause of problems can be found. These policies need to be documented and provided to every member of the organization so that everyone is aware of the security guidelines and the procedures for emergency situations (Lucas & Moeller, 2003).

4.2 Human Resource

An emergency is never planned, so the people in the CIRT must accept the responsibility of responding to an emergency at any hour. In selecting the people who will be assigned responsibility for computer security, only trustworthy people should be chosen. The people on the team must have a desire to rescue their company from danger. "The technical expertise is of no use if a person who is supposed to do his job, ignores the emergency signal. Also sometimes due to time or financial constraints, the human resource includes logistics such as location and availability of technical workers" (RHE, 2004).

CIRTs are usually staffed with system and network administrators as well as information security experts. "System administrators provide the knowledge and expertise of system resources, including data backups, backup hardware available for use, and more. Network administrators provide their knowledge of network protocols and the ability to re-route network traffic dynamically. Information security personnel are useful for thoroughly tracking and tracing security issues as well as performing a post-mortem (after the attack) analysis of compromised systems" (RHE, 2004).

To be sure of the human capability, additional personnel should be kept as backup in case a member does not show up. Although this option may not always be feasible, an organization should at least try to cross-train its workers so that they can fill in if someone is absent in the hour of need (RHE, 2004).

4.3 Department

The CIRT should ideally be an independent division of the organization that, although independent, works homogeneously with all other departments. However, due to management difficulties and financial restrictions, many companies place the team within the IT group or within the security or audit group (Vijayan, 2002). Whichever department the team is situated in, it is imperative that its members work as a team and respond quickly to situations.

4.4 Response to an Emergency

The basic purpose of the CIRT is carried out in this part of the plan. It includes:

4.4.1 Immediate Action: The CIRT must be put on active monitoring so that as soon as an emergency comes up, the response is immediate (Brussin, Cobb, & Miora, 2003). The team members would be contacted and required to appear on the scene to inspect and minimize the loss (RHE, 2004).

4.4.2 Intrusion Detection and Digital Forensics: The CIRT would inspect to check where the intrusion was initiated. The network connections and all other affected systems would be temporarily disconnected to stop the problem from spreading. The specialist digital forensics people will thoroughly validate the clues provided by the initial investigators, then determine the full extent of the system penetration and give ideas as to what can be done to solve it (Chapin & Maciag, 2004).

4.4.3 Restoration of affected resources: While the investigation is in progress, some of the team members should start to recover data and system information. This is where the backups and data storage come into use. When the problem has been caught, the team members would start patching the affected network or system to restore it for use (RHE, 2004).

4.4.4 Reporting the incident to the proper channels: The system shutdown and breach would have caused some problems for the organization and its customers (RHE, 2004). From the notes about the response taken by the team, a full report on the loss should be given. This would help in informing the relevant authorities, especially the insurance companies and law enforcement agencies (Himma & Dittrich, 2005).

5. Putting the Strategy in Place

Finally, the policies, people and plan must be in place so that in case a security breach occurs, the CIRT is prepared to deal with it. The secret of a quick response lies in the active monitoring of the system at all times.

Works Cited

1. Brussin, D., Cobb, S., & Miora, M. (2003). Generic Computer Incident Response Team Plan.
2. Chapin, S. J., & Maciag, C. J. (2004). Forensic Analysis of Windows Systems.
3. Himma, K. E., & Dittrich, D. (2005). Active Response to Computer Intrusions.
4. Lucas, J., & Moeller, B. (2003). The Effective Incident Response Team: Chapter 8, The Puzzle in Action. Addison-Wesley.
5. RHE. (2004). Creating an Incident Response Plan. Retrieved January 16, 2008, from Red Hat Enterprise Linux: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-response-plan.html
6. Vijayan, J. (2002). Build a Computer Incident Response Team. Retrieved January 16, 2008, from Computer World: http://www.computerworld.com/securitytopics/security/story/0,10801,72637,00.html