Firewall Wizards mailing list archives

Re: Intrusion Response


From: "Dominick Glavach" <glavach () ctc com>
Date: Tue, 21 Sep 1999 08:52:57 -0400

David:

Here are some useful steps to build an effective Incident Response team.

0.  Incident Response is a team sport.

1.  Identify an Incident Response team.  The members should include a member
of upper-level management, the HR Manager (for internal incidents), technical
staff, security engineers and the lead IS security

2.  Develop an Incident Response procedure.  Outline the steps of your Incident
Response.  For example: 1. Verification (Is this really a compromise?) 2. CIRT
deployment (who, how many; remember to keep a written log of all actions) 3.
Regain control of the compromise (network isolation, shutdown) ... Your last
step should be the Incident wrap-up meeting with your CIRT.  Go over the
Incident and improve your process, and then I write up an Incident Report.

3.  User awareness.  Inform people who to contact.

4. Contact your local law agencies (local police, FBI, etc.).  Get to know
them in the event you need their support.

5. Work through a couple of dry-runs with your CIRT.

This should get you started.

--
-----------------------------------------------------------------------
Dominick Glavach,  IS Security/System Engineer          glavach () ctc com
Concurrent Technologies Corporation                     814/269-2469


PGP fingerprint: F1 EB F3 DE 69 93 80 BF  00 14 77 E9 8B 61 A8 73
PGP Public Key : ftp.ctc.com/pub/PGP-keys/glavach.asc
-----------------------------------------------------------------------


