Incident Response: A Strategic Guide to Handling System and Network Security Breaches
One major advance in the field of incident response is the rise of incident response as a professional discipline. Incidents are increasingly handled by dedicated teams, either part of the company or external consultants. This trend really began as a response to the Morris Internet worm and has continued as organizations recognize that security-related incidents are here to stay and can cripple an organization. Law enforcement agencies have established specific teams to deal with security incidents, including forensics specialists and legal experts versed in the intricacies of computer crime and international law. The press has discovered that security incidents make good news, so companies and agencies have been forced to deal publicly with issues that, until recently, might have been brushed under the rug. There is an international organization of incident response teams, the Forum of Security and Incident Response Teams (FIRST). Established in 1990, FIRST now has more than 90 members. These members include corporate teams (representing internal incident response teams), government agencies (representing either an entire national government, such as Australia, or an agency, such as NASA), consulting companies (that provide external incident response support), and nonprofit teams (such as the Computer Emergency Response Coordination Center [CERT/CC] discussed in Chapter 1, "An Introduction to Incident Response"). More details about FIRST are available at www.first.org. Whereas early incidents were primarily handled by a combination of general law enforcement agents and systems administrators, major incidents today might involve a multiagency task force teamed with incident response teams from national agencies, Internet service providers, and major corporations. The FBI, U.S. Secret Service, New Scotland Yard, and many state and local law enforcement agencies now have dedicated computer incident investigators.
Unfortunately, getting these agencies involved requires that the incident violate a certain statute and that, quite frankly, a law enforcement representative (such as a U.S. attorney) deem the incident worthy of investigation and prosecution.

Certification
A number of professional certifications are available in the field of computer security. Although most of these do not directly equate to incident response, they are applicable to it in many ways and illustrate the continuing trend toward specialization in the field. It is likely that certifications will become more important as the field of incident response (and computer security in general) matures.

CISSP
The Certified Information Systems Security Professional, or CISSP, is the oldest certification program in the field of computer security. The program is offered by the Information Systems Security Consortium (ISC2, www.isc2.org). The certification is modeled after the certified public accountant program and consists of a requirement of three years of experience, a test covering 10 subject areas, and a requirement for continuing education. The 10 subject areas, called the Common Body of Knowledge (CBK), are covered in the following sidebar. CISSPs must also agree to abide by a code of ethics.
[3] Information Systems Security Consortium Code of Ethics, www.isc2.org.

The certification has been criticized as not technical enough, but the CISSP is targeted specifically at managers. Hands-on administrators can earn the Systems Security Certified Practitioner certification. This exam is directed at network and security administrators. ISC2 differentiates the two as follows:

"The CISSP certification identifies you as a security professional who has met a certain standard of knowledge and experience and who continues to keep his/her knowledge current and relevant to what is happening in the field of Information Security. CISSPs must have a minimum of three years' experience in one or more of the 10 CBK domains. The CISSP program certifies IT professionals who are responsible for developing the information security policies, standards, and procedures and managing their implementation across an organization.

"The SSCP certification identifies you as a security practitioner who has met a certain standard of knowledge and experience and who continues to keep his/her knowledge current and relevant to what is happening in the practice of Information Security. SSCPs must have a minimum of one year of experience in one or more of the seven CBK domains. The certification is targeted at network and systems security administrators. Network and systems security administrators provide day-to-day support of the security infrastructure." [4]

[4] Information Systems Security Consortium, SSCP White Paper, www.isc2.org/sscp/index.html.
[5] Information Systems Security Consortium, www.isc2.org.

Although certification is not currently a requirement by any organization for employment, it is increasingly becoming a discriminator, and many employment advertisements state that certification is an asset. Some consulting organizations are now advertising the number of CISSPs on staff.

SANS
The SANS Institute has recently begun a certification program. In 1999, SANS formed the Global Incident and Analysis Center (GIAC) to gather and analyze Y2K incident data. In late 2000, SANS announced a certification program as part of this center. GIAC certification begins with a course called "SANS Security Essentials," designed to prepare professionals for the subject area modules. The GIAC Security Essentials Certification (GSEC) covers security basics but assumes that students have some familiarity with computers and networking concepts. Six subject area modules provide in-depth training in specialized subjects. These courses assume the student has a basic working knowledge of each area:
Following the successful completion of the GSEC and at least one subject area module, students are eligible to sit for the GIAC Security Engineer (GSE) certification. Training consists of a combination of coursework offered at the conferences, practical exercises, and an examination. Recertification is required periodically, depending on the subject area. The recertification period ranges from one to four years; professionals must retake the certification examination.

Forensics
The major certifying body in the field of computer forensics is the International Association for Computer Investigative Specialists (IACIS, www.cops.org). Membership in IACIS is limited to law enforcement personnel. The organization offers a two-year certification program for investigators called the Certified Forensics Computer Examiner (CFCE). The major advantage to CFCE certification is that it has been recognized by legal precedent as specifying a certain level of expertise. This makes it much simpler to introduce a CFCE as an expert witness in litigation. Until recently, CFCE certification has been limited to IACIS members (and by extension, to law enforcement only). In March of 2001, however, IACIS announced an external certification program in which the CFCE program will be offered to nonmembers. This certification program consists of a series of hands-on tests in which the applicant must recover data from floppy and hard disks, followed by an examination on forensics techniques and procedures. The disks must be examined and reports prepared that indicate that the applicant used proper forensics and investigative measures. The entire process (six floppy disks, one hard disk, and the examination) must be completed within five months. IACIS offers a training program for its members, but no instruction is available for nonmembers.

Other Certifications
Other certification programs are available that do not directly relate to the field of information security. For example, a person can become a Certified Fraud Examiner (CFE) or a Certified Information Systems Auditor (CISA). Most of these programs have their roots in financial audit and were originally designed to support an audit program.