Parameters of Investigation
Security incidents can come in many forms. It could be an honest mistake by an employee who thought he was helping, or it could be the result of an intentional attack. Whatever the motive or reason, the response should always be the same. Security breaches should be investigated in a structured, methodical manner. Most companies would not operate a business without training their employees how to respond to fires, but many companies do not build good incident-response and investigation procedures.
Computer Crime Investigation
Investigating computer crime is a complex and involved one made up of these steps:
|
1. |
Plan and prepare by means of procedures, policies, and training.
|
|
2. |
Secure and isolate the scene, to prevent contamination.
|
|
3. |
Record the scene by taking photographs and recording data in an investigator's notebook.
|
|
4. |
Interview suspects and witnesses.
|
|
5. |
Systematically search for other physical evidence.
|
|
6. |
Collect or seize the suspected system or media.
|
|
7. |
Package and transport evidence.
|
|
8. |
Submit evidence to the lab for analysis.
|
Incident-Response Procedures
Good incident-response procedures give the organization an effective and efficient means of dealing with the situation in a manner that reduces the potential impact. These procedures should also provide management with sufficient information to decide on an appropriate course of action. By having these procedures in place, the organization can maintain or restore business continuity, defend against future attacks, and deter attacks by prosecuting violators.
The primary goal of incident response is to contain the damage, find out what happened, and prevent it from reoccurring. This list identifies the basic steps of incident response:
|
1. |
Identify Detect the event. Is it a real event or simply a false positive? A range of mechanisms is used here, including IDS, firewalls, audits, logging, and employee observations.
|
|
2. |
Coordinate This is where preplanning kicks in, with the use of predeveloped procedures. The incident-response plan should detail what action is to be taken by whom. Your incident-response team will need to have had the required level of training to properly handle the response.
|
|
3. |
Mitigate The damage must be contained, and the next course of action must be determined.
|
|
4. |
Investigate What happened? When the investigation is complete, a report, either formal or informal, must be prepared. This is needed to evaluate any necessary changes to the incident response policies.
|
|
5. |
Educate At this final step, all those involved must review what happened and why. Most important is determining what changes must be put in place to prevent future problems. Learning from what happened is the only way to prevent it from happening again.
|
Incident-Response Team
Incident-response team members need to have diverse skill sets. Internal teams should include representation from various departments:
- Information security
- Legal
- Human resources
- Public relations
- Physical security
- Network and system administration
- Internal auditors