An important component of information technology (IT) programs is Computer Security Incident Response. Not all incidents can be prevented and attacks have become more frequent, diverse, disruptive, and damaging. Incident response capability is necessary to quickly detect, contain, mitigate weaknesses, minimize loss or destruction, and restore services.
What is Incident Handling?
Incident Handling is the steps taken to address an incident. To understand Incident Handling, you must know what an incident is and understand the difference between an event and an incident. An Event is any observable change of state in a network, system, or application. An event can be a user accessing a file, a web server receiving a request for a web page, a user sending an e-mail, or a firewall blocking a connection. These types of events are typically found in network, system, and application logs. An Incident is a change of state caused by an adverse event with negative consequences. An incident can be a system crash, a packet flood, unauthorized use of system privileges, or unauthorized access to sensitive data.
What are the steps taken in Incident Handling?
- Preparation: Having the people and training to recognize an incident, the process and policy to support incident response, and the technology to detect, prevent, or correct an incident.
- Identification: Verify the incident is not a false positive. Identify the scope of the incident: understand what services are impacted, where the equipment is located logically and physically, and who is impacted.
- Prioritize: Prioritize incidents if there are multiple incidents occurring simultaneously.
- Notification: Notify necessary people.
- Containment: Isolate the impact immediately while minimizing business impact, with actions such as disabling a user account, blocking at a firewall, or disconnecting a host computer.
- Eradication: Eliminate the cause of the incident: remove malicious code with antivirus software, re-image the host computer, change passwords, or create a new user account.
- Recovery: Return to a normal state. Verify that systems meet security standards prior to reinstatement to the operational environment. Monitor for any signs of anomalous behavior.
- Lessons Learned: Debrief with a report summarizing the incident: what happened, why, how it could have been prevented, and what could have been done differently to prevent or handle the incident.
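The event-versus-incident distinction above, together with the Identification and Prioritize steps, can be turned into a small triage routine. The following is an added example, not code from the original article: it walks a constructed list of log events, promotes only the adverse ones (the article's own examples: unauthorized access to sensitive data, unauthorized privilege use, a packet flood, a system crash) to incidents with their scope, and orders them by an assumed priority table. The authorized-user sets, the flood threshold and the priority values are assumptions for illustration.

```python
from collections import Counter

# Assumed for illustration: who may legitimately touch sensitive data or use elevated privileges.
AUTHORIZED_SENSITIVE = {"alice"}
ADMINS = {"root", "ops"}
FLOOD_THRESHOLD = 3  # firewall blocks from one source before we treat it as a packet flood
# Assumed priority table: 1 = handle first.
PRIORITY = {"unauthorized_sensitive_access": 1, "unauthorized_privilege_use": 1,
            "packet_flood": 2, "system_crash": 2}

# Constructed sample events, one per log line (not taken from the original article).
SAMPLE_EVENTS = [
    {"type": "file_access", "user": "alice", "asset": "hr-share", "sensitive": True},
    {"type": "http_request", "asset": "www-1", "client": "198.51.100.7"},
    {"type": "file_access", "user": "bob", "asset": "hr-share", "sensitive": True},
    {"type": "privilege_use", "user": "bob", "asset": "db-1"},
    {"type": "privilege_use", "user": "ops", "asset": "db-1"},
    {"type": "email_sent", "user": "carol", "asset": "mail-1"},
    {"type": "firewall_block", "asset": "fw-edge", "client": "203.0.113.9"},
    {"type": "firewall_block", "asset": "fw-edge", "client": "203.0.113.9"},
    {"type": "firewall_block", "asset": "fw-edge", "client": "203.0.113.9"},
    {"type": "firewall_block", "asset": "fw-edge", "client": "192.0.2.5"},
    {"type": "system_crash", "asset": "www-1"},
]

def identify_incidents(events, flood_threshold=FLOOD_THRESHOLD):
    """Return the adverse events as incidents (kind, asset, who), most urgent first."""
    incidents = []
    blocks = Counter()  # (client, asset) -> number of firewall blocks seen
    for e in events:
        t = e["type"]
        if t == "file_access" and e.get("sensitive") and e["user"] not in AUTHORIZED_SENSITIVE:
            incidents.append({"kind": "unauthorized_sensitive_access", "asset": e["asset"], "who": e["user"]})
        elif t == "privilege_use" and e["user"] not in ADMINS:
            incidents.append({"kind": "unauthorized_privilege_use", "asset": e["asset"], "who": e["user"]})
        elif t == "system_crash":
            incidents.append({"kind": "system_crash", "asset": e["asset"], "who": None})
        elif t == "firewall_block":
            blocks[(e["client"], e["asset"])] += 1
        # Every other event type (web request, e-mail, authorized access) stays an ordinary event.
    # A single block is just an event; repeated blocks from one source become a flood incident.
    for (client, asset), n in blocks.items():
        if n >= flood_threshold:
            incidents.append({"kind": "packet_flood", "asset": asset, "who": client, "count": n})
    for i in incidents:
        i["priority"] = PRIORITY[i["kind"]]
    return sorted(incidents, key=lambda i: i["priority"])  # stable sort keeps log order within a tier
```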
Tips for Incident Handling:
- Create an incident response policy
- Create an incident response plan to support incident response policy
- Develop incident procedures for different types of incidents
- Develop a communication plan to notify the necessary people
- Educate and Train staff on policies, plans, and procedures