Operational and Organizational Security: Incident Response • Chapter 11 633
sics. Members of the Incident Response Team should be experienced in handling issues relating to unauthorized access, denial or disruptions of service, viruses, unauthorized changes to systems or data, critical system failures, or attempts to breach the policies and/or security of an organization. Specific members of this team who will conduct investigations should also be well versed in the tools and techniques of computer forensics, so they can quickly respond to situations requiring these skills.

If the incident is of a criminal nature, the policy should also specify at what point law enforcement should be contacted to take control of the investigation. The policy should also provide basic procedures for users to follow when an incident occurs. Upon realizing an issue exists, users should notify their supervisor, a designated person, or a designated department, who then contacts the Incident Response Team. While awaiting the team’s arrival, the scene of the incident should be vacated and any technologies involved should be left as they were. The users should also document what they observed when the incident occurred, and list anyone who was in the area when the incident occurred.

Management and employees need to be aware of the need to support computer forensic examinations. Funding should be available for tools and ongoing training in examination procedures, or to hire outside parties to perform an investigation. Since the corporate world revolves around budgets, management may initially balk at such an expense, until they realize that these skills provide day-to-day services for data recovery. Anytime someone has corrupt or deleted data, the skills and training can be used to restore the data, which could save significant amounts of money for the business if the data was important enough. If law enforcement is called in, there are no direct costs, but there is still the need to cooperate with investigators.

Because digital evidence may be damaged or destroyed by improper handling or examination, management must be aware that considerable time may be involved to effectively investigate an incident. Vital systems or facilities might be unavailable while evidence is being gathered, and it may be necessary for equipment to be removed from service to be examined and stored as evidence until a criminal case has reached its conclusion. Because personnel may need to be interviewed and employees may be unable to do their jobs for periods of time, managers may become impatient and hinder the investigation by attempting to rush it along and get people back to work. The goal of management should be to assist the investigation in any way possible, and an atmosphere of cooperation should be nurtured to help the investigation proceed quickly and effectively.

To address how a company should handle intrusions and other incidents, it is important that a contingency plan be created. The contingency plan should address how the company will continue to function during the investigation, such as when
www.syngress.com