Preface

As businesses and other institutions increase their online presence and dependency on information assets, the number of computer incidents also rises. Consequently, these organizations are finally increasing their security postures. This is accomplished in three stages. First, organizations must develop and implement security plans and controls in a proactive effort. Secondly, they must work to ensure their plans and controls are effective by continually reviewing and adapting them to ensure that appropriate security is always in place. And finally, when controls are bypassed either intentionally or unintentionally, organizations must be prepared to act quickly and effectively to minimize the impact of situations. The goal is to prevent an operational security problem from becoming a business problem that impacts revenue. This book provides guidelines to help organizations plan their responses to incidents and minimize any negative impact to their businesses.

When responding to an incident, there are a number of considerations:

  • What happened?

  • What has been damaged?

  • What business process are being impacted and how do we minimize those impacts?

  • Who did it and what did they do?

  • How did they do it?

  • Can and should any forensic information be preserved?

  • What are the legal issues?

  • Is the damage continuing or has the activity been contained?

Waiting until the incident occurs is too late to begin planning how to address the situation. Incident response planning requires both administrative and technical roles. The relationship between these roles takes time to flourish if they are to be truly effective during an incident. Both parties need to be familiar with the other’s role, responsibilities, and capabilities. Administrators and managers need to understand the value and function of an incident response team in order to support the technical people regardless of whether an incident is actually occurring. In addition, the technical people need to have a current understanding both of the specific environment of the organization and of the current state of the attacks that are likely to be experienced.

Thus, Incident Response is written for administrators and managers, as well as technical people, all who need to plan for and understand the response to computer incidents. As you will soon see, effective incident response is a team effort.

Organization of This Book

This book contains eight chapters.

Chapter 1 provides an introduction to incident response and is appropriate for both managers and system administrators.

Chapter 2 describes and compares four types of incident response teams: public, private, commercial, and vendor. We offer suggestions about how to choose the appropriate type for your organization. Also included is an introduction to the international Forum of Incident Response and Security Teams (FIRST).

Chapter 3 provides information about setting up, managing, and funding the team. The chapter contains strategies for navigating numerous corporate issues involved in establishing successful incident response teams, based on extensive experience in a large number of organizations.

Chapter 4 describes the staffing issues, as well as other management issues of an incident response team.

Chapter 5 [1] covers the state of the hack and what that means for incident response team members. Types of attacks and techniques to minimize the damage are included.

Chapter 6 describes the types of things that an incident response team should do when there is an attack.

Chapter 7 describes several types of tools for handling incidents, as well as specific examples of each type.

Chapter 8 provides information about a variety of resources, including online resources, special resources specifically for incident response teams, commercial incident response service providers, anti-virus products, mailing lists, government resources, training and conference resources, and legal resources.

Appendix A contains information on the Forum of Incident Response and Security Teams (FIRST).

Appendix B shows a sample incident report regarding a real-world situation.



[1] State of the Hack® is a federally registered service mark of Para-Protect Services, Inc.

Get Incident Response now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.