Computer Security Incident Response Teams (CSIRTs)

Raymond R. Panko, University of Hawaii, Manoa

Introduction

Before the Incident

Justifying the CSIRT

Organizing the CSIRT

Technology Base

The Problem of Communication

The Decision to Prosecute

During the Attack

Discovery and Escalation

Initial Analysis (Triage)

Containment

Recovery

Protection Against Subsequent Attacks

After the Attack

Sanctions

Postmortem Analysis

Conclusion

Glossary

Cross References

References

Further Reading

INTRODUCTION

Almost all corporations today protect themselves with layered defenses consisting of firewalls, antivirus systems, hardened hosts, and other protections. Even so, security incidents (often loosely called security breaches) still occur.

The firm's on-duty staff may be tasked to handle minor incidents, because they can respond immediately and generally effectively. For major incidents, however, such as a widespread virus outbreak, a large denial-of-service attack, or the hacking (takeover) of important servers, the firm needs a team approach to stop the breach and get the firm back to normal. To handle major incidents, many firms create computer security incident response teams (CSIRTs), also known as computer emergency response teams (CERTs) and computer incident response teams (CIRTs). The term computer emergency response team (CERT) is a registered trademark of the CERT Coordination Center (CERT/CC) at Carnegie Mellon University (http://www.cert.org) and may only be used with permission.

A critical success factor ...

From Handbook of Information Security: Threats, Vulnerabilities, Prevention, Detection, and Management, Volume 3.