Chapter 15: Mitigating Risk with a Computer Incident Response Team Plan
What the elements of a CIRT plan are
Details on communication
Details on incident response features
Policy information
Members of the CIRT
Team Models
Central incident response team - Organizations in a single location can use a single team, which will respond to all incidents. A single team may even cover multiple locations, and all members will have remote access to all of them.
Distributed incident response teams - If the organization has major computing facilities in multiple locations, it might choose to have a single team in each location with all teams centrally managed.
Coordinating team - This team includes knowledgeable personnel who provide advice to other teams. Team members don't have any authority over the other teams.
Network administrators - The network administrators understand the details of a network, such as which systems are connected, how they're connected, and which systems are accessible from the Internet.
Information security members - These individuals could be experts on boundary protection, which includes firewalls and routers on the edge of the network. They are able to identify the source of breaches and recommend solutions.
Physical security - Because attackers can be social engineers and might be on company property, physical security personnel need to be on the team. They know what physical security controls the organization uses, where they are located, and their purpose. They also know the different types of surveillance methods used within the organization, such as video cameras and their capabilities.
Team leader - The team leader is responsible for the team's actions and is usually a senior manager with expertise in security. However, some CIRTs identify the team leader as the first team member who arrives on the scene.
Legal - Legal personnel provide advice on the organization's legal responsibilities and legal remedies before, during, and after an incident. Legal personnel understand what legal actions are possible against the attackers and the requirements necessary to pursue legal actions.
Human resources (HR) - If the attack originated from an employee, HR needs to be involved because HR understands the organization's policies and is aware of the available enforcement methods. For example, if an employee violates the AUP, the first offense may result in a formal written warning, and a second or third offense may result in termination. HR personnel would know whether the employee has been previously warned.
Communications - Public relations (PR) personnel become the face of the organization if the incident becomes public. They help to present an image of resolve, even if everything is not quite under control. If PR reps aren't used, team members might express frustration or confusion about the attack, which can present a poor image to customers, vendors, and stockholders of the organization.
What best practices for implementing a CIRT plan are
Including policies in the CIRT plan to guide CIRT members - These policies can cover whether CIRT members may attack back at attackers, and can include statements regarding the use of chain of custody or otherwise protecting evidence, as well as policies related to communications and safety, depending on what is important to the organization.
Providing training - CIRT members and end users must be trained. The CIRT members should understand their responsibilities and know the best way to respond to different types of incidents, and all personnel should understand the threats as well as basic steps they can take to mitigate them.
Defining a computer security incident - Incidents are interpreted differently by different organizations. When incidents are defined in the CIRT plan, all parties are clear as to which events are incidents.
Including checklists - The checklists can be formal step-by-step instructions that must be performed in a specific order or informal bullet statements designed to help ensure the CIRT members don't overlook key data.
Subscribing to security notifications - Many security bulletins that describe different types of threats, including new emerging threats, are available through email subscriptions.
How a CIRT plan can mitigate an organization's risk
The CIRT plan helps an organization prepare for incidents. When the organization is prepared, it responds to incidents much quicker and with focused action. One of the primary benefits of the CIRT plan is the identification of CIRT members, so that the organization knows who they are and the individuals on the team know their roles and responsibilities. Once the plan and the members have been identified, the organization has a better understanding of the skills needed to support the requirements, and the members can be trained to ensure that they have those skills.
What a computer incident response team (CIRT) plan is
Computer incident - A violation or imminent threat of a violation of a security policy or security practice - Any adverse event or activity that affects the security of computer systems or networks.
Types of computer incidents that affect an organization
Unauthorized access - Unauthorized access occurs any time an attacker is able to access data without authorization. Unauthorized access can be gained from different types of social engineering attacks and from technical attacks used to gain access or control to systems.
Inappropriate usage - Inappropriate usage occurs when employees or internal users violate acceptable use policies (AUPs) or other internal policies.
Malicious code - Malicious code is any type of malicious software or malware, which includes viruses, worms, Trojan horses, and other types of software intended to infect a system.
Multiple component - A multiple component incident is one that includes two or more incidents at the same time.
Denial of service (DoS) attack - A DoS attack is an attack that prevents a system from providing a service. A DoS attack comes from a single attacker.
A computer incident response team (CIRT) is a group of people who respond to incidents. The CIRT can be designed in advance or formed as needed. For example, a large organization may have a group of security professionals designated as the CIRT.
What the purpose of a CIRT plan is
Purpose
To help organizations identify and prepare for computer incidents. Security personnel can then identify the best responses to reduce the potential damage.
Similar to the purpose of a disaster recovery plan (DRP).
By taking the time to create a plan, critical thinking can be applied to potential problems, the advice of experts can be sought, and the best types of responses can be researched.
A CIRT plan outlines the purpose of the response effort, which is, in general, to identify the incident as fully as possible and then contain it. Answering the five W's is a good starting point:
Where?
Who?
What?
When?
Why?