ABSTRACT
Computer viruses, worms, denial of service attacks, equipment failures, vandalism, theft and other unwelcome events can send your computer services staff scrambling and cause a variety of problems for your user community. Even the least of these situations can be a distraction for your staff. The most severe can provide an unscheduled opportunity to test your disaster recovery procedure! How does your organization react to these events? Do you have a clearly defined process in place to deal with unexpected incidents that threaten the security or operation of your systems?

Eastern Connecticut State University is a public liberal arts institution with an enrollment of about 5000 students. Our Information Technology Services (ITS) group has implemented a process that provides a framework for an orderly response to unexpected events. The process is an adaptation of security incident response recommendations from the National Institute of Standards and Technology, Internet Security Systems, Inc. and other resources, which have been tailored to our institutional needs. At the core of the process is the Incident Response Team, which consists of a team manager, a technical leader and other ad hoc team members, depending on the nature and severity of the event. The team concept takes advantage of institutional expertise from law enforcement, human resources, audit, public relations, facilities management, legal services and other technical resources within ITS. The team manages information gathering, analysis, recovery and administrative functions to ensure a controlled, coordinated approach to incident response.

Our presentation will focus on the phases of the incident response process and the role of the Incident Response Team. Flexibility, wise use of resources, effective communications and analytical skills are contributing factors to a successful response effort. We will draw upon our own experiences in discussing communication with the user community, severity level guidelines, evidence gathering, essential documentation, and lessons learned along the way.
References
- "CERT®/CC Statistics 1988-2003." Carnegie Mellon University Software Engineering Institute, CERT Coordination Center. <http://www.cert.org/stats/> (3 July 2003).
- Wack, John P. "Establishing a Computer Security Incident Response Capability" (Special Publication 800-3). NIST Computer Security Resource Center - CSD, November 1991. <http://csrc.nist.gov/publications/nistpubs/> (3 July 2003).
- "Computer Security Incident Response Planning: Preparing for the Inevitable." Internet Security Systems, Inc., 2001. <http://www.iss.net/support/documentation/whitepapers/technical.php> (3 July 2003).
- Wada, Kent. "IT Security on Campus: A Fragile Equilibrium." Syllabus, Vol. 16, No. 10 (May 2003), 17-20.
Index Terms
- Incident handling: an orderly response to unexpected events