Incident Handling and Response Capability: An IT Security Safeguard Part 1: Are You Ready to Support an Incident Response Capability?



An employee logs in at the beginning of the workday and notices that the company website has been defaced. Who would be notified? Common sense dictates a call to the IT department or perhaps the webmaster, and the next course of action would probably be to take the website off-line, restore the original files, and put it back on-line. Would there be any investigation to determine the cause of the defacement? Would anyone look for hidden programs or malicious code introduced at the time the website was defaced? If someone working inside the company caused this, how would it be handled? Without an Incident Handling process, this type of activity can and will be repeated, and it could damage the company's reputation.

Business operations are completely reliant on the stability of the network. Networks were invented to provide rapid information processing and access, and their design did not take into account the evolution of computer crime from internal and external sources. The Internet has few boundaries, so each business is required to build and implement its own safeguards. Unfortunately, most IT departments' requests for security technology and training are turned down, UNTIL a system security incident occurs. Then the cost of implementing countermeasures, in addition to the cost of the manpower needed to repair the damage from the incident, is a significant blow to the company budget. Implementing the solution before the incident would have been far less painful for the IT budget (and the staff). The most common reaction is to assume that a security technology product will be the holy grail. The unresolved issue for most business operations is to find a security solution that provides not only a reactive but also a proactive process.

Look back to the Melissa virus, an incident that had worldwide impact and forced many businesses to shut down their e-mail for days. Look at the government websites, such as those of NASA and the White House, that have been defaced. Identity theft is on the rise, and the theft of credit card information is becoming a serious issue. Why, then, would any business that relies on network operations to survive decide that an Incident Response capability is not a wise investment? Most who have invested have done so because they experienced an attack or virus (or several) and realized the need only after the damage was done. Perhaps an auditor has recommended an Incident Response program, or it is a federal regulatory requirement, as it is for the banking and health care industries. For the majority of the commercial sector, it is a financial investment for which no return-on-investment dollar figure can be given.

Part 1 of this two-part article on IT security discusses the technologies and programs an organization needs to have in place to benefit from an Incident Handling and Response Capability.
Part 2 details the necessary steps to establish an Incident Handling and Response Capability.

Recognizing the Need

An Incident Response capability, modeled after the Carnegie Mellon Computer Emergency Response Team (CERT) concept, defines the process of incident detection, personnel notification, incident investigation and system restoration. If no Incident Response process is in place, the executive management of a company faced with the scenario above would never be notified of a situation that could result in the loss of the network infrastructure.

Although most IT security departments grasp the concept of an Incident Response capability, few have the resources or management commitment to develop an internal capability. Even fewer know where to begin in implementing an operational Incident Response capability, which is usually an additional project handed to an already over-tasked security team. For most businesses, a "virtual" Incident Handling Capability built from existing resources is sufficient. However, designing the capability and enlisting the participation of the various departments is often the biggest hurdle to overcome.

Responding to the Need

What technologies and programs need to be in place for an organization to benefit from an Incident Handling and Response capability?

Corporate Security Policies

Internal security infractions have become the largest threat in most organizations. Corporate policy needs to define what constitutes acceptable and unacceptable use of corporate IT resources. Better still, HR can explain this policy as part of new employee in-processing. Should a computer security infraction occur, employers have more legal power to take action against employees who knowingly and willingly put the company at risk by violating well-understood security policies and procedures. This preventive measure, which alerts employees that there are consequences to such violations, is in itself often a deterrent. It is quite disappointing to respond to an incident, quickly analyze the evidence, identify the source of the attack, and then find that nothing can be done to seek redress for the damage because a policy was never made known.

Critical Assets

Identify which systems are the most critical to business operations. Incident Handling requires prioritizing the response based on which system or systems the incident has affected. Prioritization also determines how events and incidents are escalated up the organization's management chain. For most organizations, the critical asset study will already have been completed when the system security technology was chosen.

Intrusion Detection Technology

For organizations that monitor their own Intrusion Detection System, the IDS operators and the Incident Handling Team may be one and the same. The choice of technology influences how effectively the team can react to alerts and whether it can change detection profiles as threat trends change. Without appropriate IDS technology in place, the Incident Handling capability has no timely system security alerting mechanism to react to. What about a Managed Security Service Provider? A growing number of businesses (and even the government) are looking at this option as a viable solution. It is certainly a great benefit to enlist a vendor whose security experts monitor the tools and inform their clients of certain events on the wire. Realistically, though, an organization still needs to determine for itself how to handle events and incidents based on its unique business needs. The details of how an incident occurred and how it was handled are proprietary information and should be protected accordingly.

Security Awareness and Training

Educating employees on system security practices, and giving them direction on how to report breaches, extends the organization's ability to prevent such infractions. Certain infractions that require action from the Incident Handlers cannot be detected by security software at all. Be sure the training includes a method for employees to report such infractions to the Incident Handlers. Provide recurring training to alert employees to changes in company security practices and to inform them of current threats.

This concludes Part 1 of a two-part article on IT security, which has discussed the technologies and programs an organization needs to have in place to benefit from an Incident Handling and Response Capability.
Part 2 details the necessary steps to establish an Incident Handling and Response Capability.

About the Author

Catherine Woodbury has more than five years' experience in network security consulting and almost 20 years total in the security field. Her experience includes working at the Air Force Intelligence Agency, where she was responsible for data analysis, critical reporting and dissemination of events related to military intelligence operations. She conducted job proficiency evaluations for personnel assigned to a 24-hour operations facility.

Woodbury has also worked as a contractor for the Defense Information Systems Agency as a member of the Regional CERT Implementation Team. The team was responsible for establishing the five Regional CERTs around the world for DISA. Since June 2000, she has been responsible for the Incident Handling and Response consulting service for AXENT Technologies and Symantec Corporation. She provides proposal development, project costing, project planning and client service delivery for the Incident Handling and Response service. Ms. Woodbury can be reached at

For more information consult the Symantec web site:
