636    Chapter 11 • Operational and Organizational Security: Incident Response

             What Your Role Is

             While law enforcement agencies perform investigations and gather evidence with
             the understanding that the goal is to find, arrest, prosecute, and convict a suspect,
             the motivation is not always clear in businesses. A network administrator’s job is to
             ensure the network is up and running, while a Web master works to make sure the
             e-commerce site is working. Why would computer forensics be important to these
             jobs? Because if a hacker takes down a Web site or network, they may continue to
             do so until they are caught. Identifying and dealing with threats is a cornerstone of
             security, whether those threats are electronic or physical in nature.
                 Even when police have been called in to investigate a crime, a number of
             people are involved. Members of the IT staff assigned to an Incident Response
             Team are generally the first people to respond to an incident, and they then work with
             investigators to provide access to systems and expertise, if needed. Senior staff
             members are notified to deal with the effects of the incident, and any inability to
             conduct normal business. A company’s Public Information Officer may be
             involved, if the incident becomes known to the media and is deemed newsworthy.
                 If police are not called in, and the matter is handled internally, the Incident
             Response Team deals with a much broader range of roles. Not only will team
             members deal with the initial response to the incident, but they will also conduct
             the investigation and provide evidence to an internal authority. This authority may
             be senior staff, or in the case of a law enforcement agency, an Internal Affairs
             department. Even though no police may be involved in the situation, the
             procedures used in the forensic examination should be the same.
                 When conducting an investigation, a person must be designated as being in
             charge of the scene. This person should be knowledgeable in forensics, and directly
             involved in the investigation. In other words, just because the owner of the
             company is available, they should not be in charge if they are computer illiterate and/or
             unfamiliar with the procedures. The person in charge should have the authority to
             make final decisions on how the scene is secured and how evidence is searched,
             handled, and processed.
                 There are three major roles that people perform when conducting an
             investigation. These roles are:
                  ■   First responder
                  ■   Investigator
                  ■   Crime scene technician





          www.syngress.com