- An incident is any event that has a negative effect on the confidentiality, integrity, or availability of an organization’s assets.
- One of the primary goals of any security program is to prevent security incidents. However, despite the best efforts of information technology (IT) and security professionals, incidents do occur. When they happen, an organization must be able to respond to limit or contain the incident. The primary goal of incident response is to minimize the impact on the organization.
Incident Response Steps
- Detection: an incident is triggered and an admin is notified. The admin verifies whether it really is an incident of interest.
- Response: the response varies depending on the severity of the incident; the CIRT handles it.
- Mitigation: contain the incident, e.g. by disconnecting the affected system from the network.
- Reporting: within and outside the organization. Upper management needs to know about serious security breaches.
- Recovery: recover the system to a fully functioning state, e.g. a simple reboot or rebuilding the system. If investigators suspect an attacker may have modified code, rebuilding the system may be a good option.
- Remediation: root cause analysis. Identify what allowed the incident to occur and implement methods to prevent it from happening again.
- Lessons Learned: e.g. if it took a long time to contain the incident, why? Did personnel lack adequate training?
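As an added example (not part of the original notes), the script below walks one alert through the first steps listed above: detection from a few constructed, syslog-like log lines, admin verification, a containment action, and the time-to-contain figure that feeds the lessons-learned review. The log format, the failed-login threshold, the `detect` / `Incident` / `run_workflow` names and the containment delay are all assumptions made for this example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for root from 203.0.113.7
2024-03-01T10:00:02 sshd[101]: Failed password for root from 203.0.113.7
2024-03-01T10:00:03 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.7
2024-03-01T10:00:05 sshd[101]: Failed password for oracle from 203.0.113.7
2024-03-01T10:00:06 sshd[101]: Accepted password for oracle from 203.0.113.7
2024-03-01T10:00:09 sshd[102]: Failed password for alice from 198.51.100.5
2024-03-01T10:01:10 sshd[103]: Accepted publickey for alice from 198.51.100.5
"""

FAILED_THRESHOLD = 5  # assumed threshold for this example


def detect(log_text: str, threshold: int = FAILED_THRESHOLD) -> list[dict]:
    """Detection step: count failed logins per source address and raise an
    alert once the threshold is reached. A failure burst followed by a
    successful login from the same source is rated 'high' because it
    suggests a guessed password eventually worked."""
    failures: Counter = Counter()
    last_failure: dict[str, datetime] = {}
    successes: set[str] = set()
    for line in log_text.splitlines():
        parts = line.split()
        when, src = datetime.fromisoformat(parts[0]), parts[-1]
        if "Failed password" in line:
            failures[src] += 1
            last_failure[src] = when
        elif "Accepted password" in line or "Accepted publickey" in line:
            successes.add(src)
    alerts = []
    for src, n in failures.items():
        if n >= threshold:
            alerts.append({
                "source": src,
                "failed": n,
                "severity": "high" if src in successes else "medium",
                "detected_at": last_failure[src],
            })
    return alerts


@dataclass
class Incident:
    """Minimal incident record covering detection, verification, mitigation
    and the timing data used in the lessons-learned review."""
    alert: dict
    detected_at: datetime
    verified: bool = False
    contained_at: Optional[datetime] = None
    actions: list[str] = field(default_factory=list)

    def verify(self, is_real: bool) -> None:
        # The admin confirms the alert is an incident of interest (or a false positive).
        self.verified = is_real

    def contain(self, action: str, when: datetime) -> None:
        # Mitigation: record what was done to contain the incident and when.
        self.actions.append(action)
        self.contained_at = when

    def seconds_to_contain(self) -> Optional[float]:
        # Lessons-learned input: how long containment took after detection.
        if self.contained_at is None:
            return None
        return (self.contained_at - self.detected_at).total_seconds()


def run_workflow(log_text: str, containment_delay: timedelta = timedelta(minutes=12)) -> list[Incident]:
    """Run detection, then verify and contain every high-severity alert.
    The verification decision and the containment delay are constructed here;
    in practice both come from the responding admin / CIRT."""
    incidents = []
    for alert in detect(log_text):
        inc = Incident(alert=alert, detected_at=alert["detected_at"])
        inc.verify(True)  # assumed: admin confirms it is a real incident
        if alert["severity"] == "high":
            inc.contain("disconnect affected host from the network",
                        inc.detected_at + containment_delay)
        incidents.append(inc)
    return incidents


if __name__ == "__main__":
    for inc in run_workflow(SAMPLE_LOG):
        print(inc.alert["source"], inc.alert["severity"], inc.actions,
              "seconds to contain:", inc.seconds_to_contain())
```

Only the source that both crossed the failure threshold and then logged in successfully produces an incident; the single failure from the second address is noise and never reaches the admin. The `seconds_to_contain` value is the kind of number the lessons-learned step asks about when containment took too long.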