Page 447 - Using MIS
Many companies create honeypots, which are false targets for computer criminals to attack. To an intruder, a honeypot looks like a particularly valuable resource, such as an unprotected Web site, but in actuality the only site content is a program that records the attacker's IP address and what the attacker tries to do. Organizations can then look up the IP address using free online tools, such as DNSstuff, to determine which network the attack came from. 12 Such a lookup identifies the organization that owns the address block, not necessarily the person at the keyboard: attackers routinely work through proxies, anonymizing networks, or previously compromised machines, and an address from a private range points back inside your own network rather than to an outsider. If you are technically minded, detail-oriented, and curious, a career as a security specialist in this field is almost as exciting as it appears on CSI. To learn more, check out DNSstuff, Nessus, or Security AppScan. See also Applied Information Security, 2nd ed. 13
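The following is an added example, not code from the textbook, of the kind of program a honeypot actually consists of: a fake service that greets whoever connects, records the source address and the first bytes sent, and notes whether the address is one an online lookup could even tell you anything about. The banner, the listening port (2222) and the addresses and payload used below are assumptions chosen for illustration.

```python
"""Minimal TCP honeypot: records who connects and what they send.

Added example, not from the textbook. Assumptions: the honeypot listens on an
otherwise unused port (2222 here), and only the connecting address and the
first bytes sent are recorded. Addresses and payloads used to exercise it are
constructed.
"""
import ipaddress
import socket
import socketserver
from datetime import datetime, timezone

# A deliberately ordinary banner: the honeypot should look like a real,
# unprotected service so that a scanner or intruder keeps talking and reveals
# what it is after. (Constructed; any plausible banner would do.)
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def classify_source(ip: str) -> str:
    """Say what a WHOIS or reverse-DNS lookup on this address could tell you.

    Private, loopback and link-local addresses never resolve to an outside
    organization: a hit from those ranges means the source is inside your own
    network (or behind your own NAT), so an online lookup would be pointless.
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "loopback (this host)"
    if addr.is_private or addr.is_link_local:
        return "internal address (trace it inside your own network)"
    if addr.is_global:
        return "public address (WHOIS names the network owner, not the person)"
    return "reserved/unroutable"


def make_record(peer_ip: str, peer_port: int, first_bytes: bytes, now=None) -> dict:
    """Build one log record for a connection; evidence is all a honeypot produces."""
    now = now or datetime.now(timezone.utc)
    return {
        "time": now.isoformat(),
        "source_ip": peer_ip,
        "source_port": peer_port,
        "source_kind": classify_source(peer_ip),
        # Keep the payload as hex plus a readable preview. It is attacker-
        # controlled input: log it, never interpret or execute it.
        "payload_hex": first_bytes.hex(),
        "preview": first_bytes[:64].decode("ascii", errors="replace").strip(),
    }


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Send the banner, read whatever comes back once, record it, hang up."""

    def handle(self):
        ip, port = self.client_address[:2]
        self.request.settimeout(5)
        self.request.sendall(BANNER)
        try:
            data = self.request.recv(1024)
        except (socket.timeout, ConnectionError):
            data = b""
        record = make_record(ip, port, data)
        self.server.records.append(record)
        print(record)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr):
        super().__init__(addr, HoneypotHandler)
        self.records = []  # in-memory log; a real deployment writes these out


def serve(host="0.0.0.0", port=2222):
    with Honeypot((host, port)) as srv:
        print(f"honeypot listening on {host}:{port}")
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it with `python honeypot.py` and point `nc` or a port scanner at port 2222 from another machine; each connection prints one record. The `classify_source` step is the caveat from the paragraph in code: a record whose `source_kind` is "internal address" is not a case for online lookup tools at all.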
Another important monitoring function is to investigate security incidents. How did the
problem occur? Have safeguards been created to prevent a recurrence of such problems? Does
the incident indicate vulnerabilities in other portions of the security system? What else can be
learned from the incident?
Security systems reside in a dynamic environment. Organization structures change.
Companies are acquired or sold; mergers occur. New systems require new security measures.
New technology changes the security landscape, and new threats arise. Security personnel must
constantly monitor the situation and determine if the existing security policy and safeguards are
adequate. If changes are needed, security personnel need to take appropriate action.
Security, like quality, is an ongoing process. There is no final state that represents a secure
system or company. Instead, companies must monitor security on a continuing basis.
Q8 How Should Organizations Respond to Security Incidents?
The last component of a security plan that we will consider is incident response. Figure 10-17
lists the major factors. First, every organization should have an incident-response plan as part
of the security program. No organization should wait until some asset has been lost or compro-
mised before deciding what to do. The plan should include how employees are to respond to
security problems, whom they should contact, the reports they should make, and steps they can
take to reduce further loss.
Consider, for example, a virus. An incident-response plan will stipulate what an employee should do when he notices the virus. It should specify whom to contact and what to do. It may stipulate that the employee should physically disconnect the computer from the network. Whether the employee should also turn the machine off is a decision the plan must make in advance: powering off stops the malware from spreading or acting further, but it also erases the contents of memory, which investigators may need in order to learn what the malware did. Many plans therefore call for isolating the machine from the network and leaving it running until the response team arrives. The plan should also indicate what users with wireless computers should do, since unplugging a cable does not disconnect them.
The plan should provide centralized reporting of all security incidents. Such reporting will
enable an organization to determine if it is under systematic attack or whether an incident is
isolated. Centralized reporting also allows the organization to learn about security threats, take
consistent actions in response, and apply specialized expertise to all security problems.
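The value of centralized reporting is that the same indicator showing up in reports from several parts of the organization can be recognized, which no single department could see. The following is an added example, not code from the textbook, of that correlation: it takes incident reports as a central desk might receive them and labels each indicator as systematic (reported by several distinct units within a time window) or isolated. The report fields, the indicator naming scheme and the sample reports are all constructed for illustration.

```python
"""Correlate centrally reported incidents: systematic attack or isolated event?

Added example, not from the textbook. The report format, indicator names,
thresholds and the sample reports below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of what a central reporting desk might receive over two days.
# Each report names the unit that filed it and one indicator it observed.
REPORTS = [
    {"id": 1, "time": "2014-03-03T13:05", "unit": "finance", "kind": "phishing",
     "indicator": "sender:payroll-update@example.net"},
    {"id": 2, "time": "2014-03-03T13:40", "unit": "hr", "kind": "phishing",
     "indicator": "sender:payroll-update@example.net"},
    {"id": 3, "time": "2014-03-03T14:10", "unit": "sales", "kind": "phishing",
     "indicator": "sender:payroll-update@example.net"},
    {"id": 4, "time": "2014-03-03T15:00", "unit": "it", "kind": "malware",
     "indicator": "file:invoice.pdf.exe"},
    {"id": 5, "time": "2014-03-03T15:20", "unit": "it", "kind": "malware",
     "indicator": "file:invoice.pdf.exe"},
    {"id": 6, "time": "2014-03-04T09:30", "unit": "finance", "kind": "lost_laptop",
     "indicator": "asset:LT-0147"},
]


def _seen_across_units(reports, min_units, window):
    """True if at least min_units distinct units reported within one window.

    Sliding window over the sorted report times, so a cluster of reports is
    found even when other reports of the same indicator lie far outside it.
    """
    events = sorted((datetime.fromisoformat(r["time"]), r["unit"]) for r in reports)
    for i, (start, _) in enumerate(events):
        units = {unit for t, unit in events[i:] if t - start <= window}
        if len(units) >= min_units:
            return True
    return False


def correlate(reports, min_units=2, window=timedelta(hours=24)):
    """Group reports by indicator and give each indicator a verdict.

    Several reports from the same unit are not enough on their own: the
    point of the central view is to notice the same thing hitting different
    parts of the organization, which is what min_units counts.
    """
    by_indicator = defaultdict(list)
    for r in reports:
        by_indicator[r["indicator"]].append(r)

    findings = {}
    for indicator, rs in by_indicator.items():
        systematic = _seen_across_units(rs, min_units, window)
        findings[indicator] = {
            "reports": sorted(r["id"] for r in rs),
            "units": sorted({r["unit"] for r in rs}),
            "kinds": sorted({r["kind"] for r in rs}),
            "verdict": "systematic" if systematic else "isolated",
        }
    return findings


def systematic_indicators(reports, **kwargs):
    """Just the indicators that warrant an organization-wide response."""
    return sorted(ind for ind, f in correlate(reports, **kwargs).items()
                  if f["verdict"] == "systematic")


if __name__ == "__main__":
    for indicator, finding in correlate(REPORTS).items():
        print(f"{finding['verdict']:10} {indicator}  units={finding['units']}  reports={finding['reports']}")
```

Tune `min_units` and `window` to the size of the organization; the thresholds here are assumptions. The same structure works for any indicator that reports can carry consistently (sender address, file name, destination host), which is why the plan should prescribe what a report must contain.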
Figure 10-17 Factors in Incident Response
• Have plan in place
• Centralized reporting
• Specific responses
  – Speed
  – Preparation pays
  – Don't make problem worse
• Practice
12 For this reason, do not attempt to scan servers for fun. It won’t take the organization very long to find you, and it
will not be amused!
13 Randall Boyle and Jeffrey Proudfoot, Applied Information Security, 2nd ed. (Upper Saddle River, NJ: Pearson
Education, 2014).