CHAPTER 11 Incident Handling

Introduction

In this chapter we will wrap up many of the concepts and ideas we reviewed in the past chapters into the narrative of an incident. Incident handling is an important facet of security, since it involves minimizing the adverse effects of the incident on the assets, implementing controls needed to decrease the exposure of the assets to the existing threats, and ultimately restoring IT services with as little impact to the organization as possible. By the end of the chapter you should be able to:

• Identify the major components of dealing with an incident
• Understand the incident handling lifecycle
• Prepare a basic policy outlining a methodology for the handling of an incident
• Use material seen so far to properly identify and classify an incident
• Judge when to start the process of containment and eradication of the incident
• Report on the incident to improve preparation for a similar incident in the future
• Know the elements of disaster recovery and business continuity planning

Incidents overview

According to NIST 800-61 rev2, a computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents include:

• An attacker commands a botnet to send high volumes of connection requests to your organization's web server, causing it to crash.
• Some users in your organization are tricked into opening a “quarterly report” sent via email that is ...